Ubuntu 11.04 - Network and Security (6/6)


General Information
This is the result of personal research through community and official documentation about GNU/Linux and Ubuntu. The references used are also provided. It will be presented in 6 posts as listed below:
Network
Linux supports the standard Internet protocols used for Unix-to-Unix communication, but also implements a number of protocols native to other, non-Unix operating systems. “The system currently supports the Internet protocols, the Xerox Network Systems(tm) protocols, and some of the ISO OSI protocols” (http://manpages.ubuntu.com/manpages/natty/en/man4/net.4freebsd.html). TCP/IP is the most important set of protocols in the Linux networking system. (Operating System Concepts, p.838-9)
Internally, networking in the Linux kernel is implemented by three layers of software:
  • The socket interface
All user applications access the network through the socket interface.
  • Protocol drivers
Data reaches this layer either from network devices or from user applications. Using the tag already present in a packet, the layer decides which device or which application the packet is handed to. It can also rewrite, create, split, etc. packets.
  • Network-device drivers
This layer is responsible for routing. Packets are routed using a set of pointers in memory (the socket buffer), with the tags mentioned above, linking the device to the appropriate protocol via a hash table. Two tables are used to implement routing:
  • The forwarding information base (FIB), which matches either a specific destination address or destinations specified by wildcards.
  • A cache of recent routing decisions
(Operating System Concepts, p.838-9)
Supported Protocols
The command
cat /etc/protocols
provides a full list of the supported Internet protocols.
Port usage is described in
/etc/services and can be listed with the cat command in the same way.
Overview of the available network applications
  • 6.1. Web browsers
  • 6.2. The mail system
    • SMTP
    • Smarthost – SMTP AUTH
  • 6.3. Mail transport agent (MTA)
  • 6.4. Mail user agent (MUA)
  • 6.5. The remote mail retrieval and forward utility
    • POP3-APOP-IMAP
    • POP3-IMAP4-SDPS
    • mail retriever (POP3) with regex filtering capability
    • mail retriever (POP3) and DMA with filtering capability
  • 6.6. Mail delivery agent (MDA) with filter
    • DMA with filter
    • DMA with Perl filter
    • DMA with structured filtering language
  • 6.7. POP3/IMAP4 server
  • 6.8. The print server and utilities
    • Line printer daemon
    • Common UNIX Printing System
  • 6.9. The remote access server and utility (SSH)
  • 6.10. Other network application servers
    • TELNET Server (telnet protocol)
    • TELNET SSL support
    • Unix file sharing (NFS)
    • Windows file sharing (SMB)
    • Apple/Mac file and printer sharing (AppleTalk) - (ATP)
    • General file download (FTP)
    • General web server (HTTP)
    • General proxy server
    • OpenSLP Server as LDAP server (SLP)
    • IP address of client itself (DHCP)
    • IP address for other hosts (DNS)
    • VPN (PPTP-Cisco VPN-OpenVPN-IPsec VPN) (https://wiki.ubuntu.com/VPN)
  • 6.11. Diagnosis of the system daemons
(http://www.debian.org/doc/manuals/debian-reference/ch06.en.html)
Available Networking tools
In Ubuntu GNU/Linux, a user must log in as root in order to use administrative tools. The tools for normal users and administrators are the same, but if a normal user does not have the root password, certain tools cannot be accessed or some of their options are disabled.
Graphical tools
Available graphical network tools can be found in the system settings.
There is a whole category named “Internet and Networks” in “System settings”. This category includes the following sub-categories :
  • Bluetooth settings
  • Personal file sharing settings
  • Remote Desktop settings
  • Network proxy settings and
  • Network connections settings
Bluetooth settings
Using this tool, root can add bluetooth devices and share files. The GUI is simple and straightforward.
Personal file sharing
Using this tool, root can determine which folders can be shared over the network or via bluetooth, setting privileges and passwords.
Remote Desktop
Using this tool, we can determine if we wish to allow others to use the desktop. We can set passwords, for those we wish to allow, and we also determine the way we will be notified in the main panel, if someone from the list above, is currently logged in.
Network Proxy
Using this tool we can setup the settings to connect to proxy servers.
Network Connections
This tool allows root to create connections and to edit existing ones.

In addition to the tools above, as far as networking is concerned, there are two more that must be mentioned.

gconf-editor
It is a configuration tool for the system in general (applications, graphic settings, nautilus etc.), but there are also preferences for networks. The important thing about this tool is that it is the only place where the “WORKGROUP” can be set up for samba servers, which affects performance with MS Windows PCs.
Network tools
Under system settings in the control centre, in the system category, there is the “network tools” option. With this tool, users can benefit from commands normally found only in the terminal, as listed below, through an easy GUI:
  • ping
  • netstat
  • traceroute
  • port scan
  • lookup
  • whois
  • finger
Firewall
Ubuntu Linux has a built-in firewall called netfilter. (Ubuntu Pocket Guide and Reference, 2009) There is no firewall GUI installed by default and the firewall is mainly used through the terminal. The recommended GUI tool is the “firestarter” package (Ubuntu Pocket Guide and Reference, 2009), which can be found through the software centre or installed from the terminal by typing
sudo apt-get install firestarter
Otherwise, the command to configure the firewall from the terminal is “ufw”.
Firestarter allows two policies: the “whitelist” policy and the “blacklist” one.
With the whitelist policy, all traffic is blocked unless a rule allows it. With the blacklist policy, all traffic is allowed unless a rule blocks it. (Ubuntu Pocket Guide and Reference, 2009)
Terminal
Using the terminal gives an advanced user full access to the options available for network configuration in Ubuntu. Listed below are some of the basic commands for network configuration and information listing.
/proc/sys/net/ipv4 folder
In this folder of the /proc virtual file system, an advanced user can change the kernel's TCP settings, such as the use of acknowledgements, in order to improve performance. E.g. if the value of /proc/sys/net/ipv4/tcp_sack is 1, then (selective) acknowledgement is enabled. (Pro Ubuntu Server Administration, 2009)
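As an added example (not code from the original post), the script below reads tunables under /proc/sys/net/ipv4 and interprets the 0/1 ones such as tcp_sack. The file names are the real Linux sysctl names; the root parameter is an assumption of this example so that the same logic can be run against a constructed directory on a machine without /proc/sys.

```python
"""Read and interpret tunables under /proc/sys/net/ipv4.

Added example, not code from the original post.  The file names are the real
Linux sysctl names; the `root` parameter lets the same logic run against a
constructed directory on machines without /proc/sys (see write_sample_tree).
"""
import os
import tempfile

# Boolean (0/1) knobs: the one the text mentions plus three that sit beside it.
BOOLEAN_TUNABLES = {
    "tcp_sack": "selective acknowledgements (tcp_sack=1 means enabled)",
    "tcp_window_scaling": "TCP window scaling",
    "tcp_timestamps": "TCP timestamps",
    "ip_forward": "forward packets between interfaces (router behaviour)",
}

PROC_IPV4 = "/proc/sys/net/ipv4"


def read_tunable(name, root=PROC_IPV4):
    """Return the integer stored in root/name, or None if the file is absent.

    Each file under /proc/sys holds a single line containing the value; a
    missing file means the kernel lacks that feature (or `root` is wrong).
    """
    try:
        with open(os.path.join(root, name)) as fh:
            return int(fh.read().strip())
    except FileNotFoundError:
        return None


def tunable_enabled(name, root=PROC_IPV4):
    """True if present and non-zero, False if present and zero, None if absent."""
    value = read_tunable(name, root)
    return None if value is None else value != 0


def summarize(root=PROC_IPV4):
    """Map every known boolean tunable to 'enabled', 'disabled' or 'absent'."""
    states = {}
    for name in BOOLEAN_TUNABLES:
        state = tunable_enabled(name, root)
        states[name] = "absent" if state is None else ("enabled" if state else "disabled")
    return states


def write_sample_tree():
    """Create a constructed /proc/sys/net/ipv4 look-alike and return its path.

    Only tcp_sack (1) and ip_forward (0) are written, so the other names read
    back as absent; the values are invented for the demonstration.
    """
    root = tempfile.mkdtemp(prefix="ipv4-sample-")
    for name, value in (("tcp_sack", "1\n"), ("ip_forward", "0\n")):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(value)
    return root


if __name__ == "__main__":
    # Use the real kernel interface when it exists, otherwise the sample tree.
    root = PROC_IPV4 if os.path.isdir(PROC_IPV4) else write_sample_tree()
    for name, state in summarize(root).items():
        print(f"{name:20s} {state:9s} {BOOLEAN_TUNABLES[name]}")
```

ip_forward is included because it is the knob an auditor usually checks first: a workstation with it set to 1 silently routes packets between its interfaces.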
Security
Ubuntu's security model is closely related to the typical Unix security mechanisms. (Operating System Concepts, p.840)
It can be classified in two groups:
  • Authentication, and
  • Access control
Authentication
Authentication is making sure that only authorised people can access the system, by proving their identity. Ubuntu uses the pluggable authentication modules (PAM) system, a mechanism implemented as a shared library, which makes it usable by any system component. (Operating System Concepts, p.840-841)
Access control provides a mechanism to check whether a user has the right to access a certain object, and prevents access if required. In Ubuntu there are three categories of users:
  • User/owner
  • Group
  • The rest
A user is identified by a UID. Privileges can also be set for a group of users, identified by a GID. Root is a special type of user: it is the equivalent of an administrator and has full system access.
There are 3 types of permissions for files/folders:
  • Execute (x)
  • Write (w)
  • Read only (r)
The implementation of the security scheme in Linux is directly linked, at the physical layer, with the file system: the file system must be able to store the privileges of users and groups for each file. The speciality of Ubuntu, in its implementation of the Linux security policy, is that it allows normal users to “borrow” root privileges. Ubuntu encourages a user to log in with the minimum privileges required. However, when it is necessary, e.g. to access system tools or files or to perform administrative actions in general, the user does not have to log out and log in again. A pop-up window appears and the root password is required to proceed; otherwise no action is taken. In the terminal, the $ prompt indicates a normal user and the # character indicates that the superuser is logged in.
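The owner/group/other check described above can be written down as a small decision procedure. The following is an added illustration, not code from the original post; the file metadata (a shadow-style password file readable only by group 42, and a file whose group has more rights than its owner) and the identities are constructed sample values.

```python
"""Unix discretionary access check: owner / group / other bits, root override.

Added illustration, not code from the original post.  The file metadata and
the identities below are constructed sample values.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMeta:
    path: str
    mode: int  # permission bits only, e.g. 0o640
    uid: int   # owning user (UID)
    gid: int   # owning group (GID)


@dataclass(frozen=True)
class Identity:
    uid: int
    groups: frozenset  # every GID the process holds (primary + supplementary)


READ, WRITE, EXEC = 4, 2, 1


def access_class(meta, who):
    """Return which triplet applies to `who`: 'user', 'group' or 'other'.

    The owner is checked first, then group membership, then everybody else.
    The first matching class is binding even if a later class is more
    permissive, which is why a 0o070 file is unreadable by its own owner.
    """
    if who.uid == meta.uid:
        return "user"
    if meta.gid in who.groups:
        return "group"
    return "other"


def permitted(meta, who, want):
    """True if `who` may perform `want` (a bitmask of READ/WRITE/EXEC) on `meta`."""
    if who.uid == 0:
        # root bypasses read/write checks; execute still needs at least one x bit
        return not (want & EXEC) or bool(meta.mode & 0o111)
    shift = {"user": 6, "group": 3, "other": 0}[access_class(meta, who)]
    granted = (meta.mode >> shift) & 0o7
    return (granted & want) == want


def mode_string(mode):
    """Render permission bits the way `ls -la` shows them, e.g. 'rw-r-----'."""
    return stat.filemode(stat.S_IFREG | mode)[1:]


# Constructed sample: a shadow-style password file owned by root, readable by
# group 42 only, and an oddly-permissioned file that its own owner cannot read.
SHADOW = FileMeta("/etc/shadow", 0o640, uid=0, gid=42)
GROUP_ONLY = FileMeta("/srv/group-only.txt", 0o070, uid=1000, gid=42)

ROOT = Identity(0, frozenset({0}))
JOHN = Identity(1000, frozenset({1000, 42}))   # owner of GROUP_ONLY, member of gid 42
MARY = Identity(1001, frozenset({1001, 42}))   # member of gid 42 only
GUEST = Identity(1002, frozenset({1002}))

if __name__ == "__main__":
    for f in (SHADOW, GROUP_ONLY):
        print(f"{mode_string(f.mode)} uid={f.uid} gid={f.gid} {f.path}")
        for name, who in (("root", ROOT), ("john", JOHN), ("mary", MARY), ("guest", GUEST)):
            flags = "".join(
                ch if permitted(f, who, bit) else "-"
                for ch, bit in (("r", READ), ("w", WRITE), ("x", EXEC))
            )
            print(f"  {name:6s} -> {flags}")
```

The GROUP_ONLY case is the edge worth remembering when reading an `ls -la` listing: the classes are not cumulative, so an owner can be locked out of a file that every other group member can edit.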
Encryption
Ubuntu offers the ability to encrypt the /home folder so that only the current user and root have access to the personal files. Additionally, the ability to encrypt a single file or folder is also available. The PGP protocol is used to do so and the keys are 2024-bit long. (Ubuntu Pocket Guide and Reference, p126-128)
Keyring
The keyring is a repository for passwords. It is there to help us with password control. Since a user may have several passwords for several objects (browsers, sites etc.), the keyring gathers all of them. When an application needs to access the keyring to get the correct password, a pop-up window appears asking for the default keyring password. It is a helpful feature of the OS.
Security tools
Graphical
Security tools can be found in the Control centre, under the “Other” and “System” categories.
The Users and Groups tool allows us to create users and groups and assign them rights.
Passwords and Encryption Keys is where keyring preferences are stored and encryption options can be found.


Terminal
Below are listed some basic commands to manipulate users and permissions through the terminal:
  • sudo adduser --home /home/john john, creates a user named john and also creates his home folder
  • sudo deluser --remove-all-files john, deletes the user john as well as all his files and the home folder
  • sudo adduser john accounts, adds john to the accounts group
  • sudo delgroup accounts, removes the accounts group
  • sudo deluser john accounts, removes john from the accounts group
  • ls -la, lists all files and folders in a folder with their permissions and ownerships
  • chmod {options} filename, command to change ownership and permissions in files and folders; the options are listed below
Option   Definition
u        owner
g        group
o        other
a        all (same as ugo)
x        execute
w        write
r        read
+        add permission
-        remove permission
=        set permission
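The option table above is exactly the grammar of a symbolic chmod argument: who (u/g/o/a), an operator (+/-/=) and a permission list (r/w/x), with several clauses separated by commas. The following is an added example, not code from the original post, that applies such specs to a mode value; it assumes a clause with no who part means "a" (real chmod additionally honours the umask in that case), and the world_writable helper is this example's own addition.

```python
"""Apply chmod symbolic specs such as u+x, go-w, a=r or ug+rw,o= to a mode.

Added example, not code from the original post.  It implements the option
table above (who: u/g/o/a, op: + - =, perm: r/w/x); a clause with no who
part is treated as 'a' (real chmod additionally honours the umask there).
"""
import re
import stat

WHO_MASK = {"u": 0o700, "g": 0o070, "o": 0o007}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}
CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwx]*)$")


def apply_symbolic(mode, spec):
    """Return the permission bits after applying `spec` to `mode`.

    Comma-separated clauses are applied left to right, as chmod does.
    Raises ValueError on a malformed clause.
    """
    for clause in spec.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad chmod clause: {clause!r}")
        who, op, perms = m.groups()
        if not who or "a" in who:
            who = "ugo"
        who_mask = 0
        for w in who:
            who_mask |= WHO_MASK[w]
        perm_mask = 0
        for p in perms:
            perm_mask |= PERM_BITS[p]
        bits = who_mask & perm_mask
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:  # '=': clear the named classes, then set exactly the listed perms
            mode = (mode & ~who_mask) | bits
    return mode & 0o777


def mode_string(mode):
    """Render bits the way `ls -la` does, e.g. 0o750 -> 'rwxr-x---'."""
    return stat.filemode(stat.S_IFREG | mode)[1:]


def world_writable(mode):
    """True when 'other' has write access, the usual thing to look for in audits."""
    return bool(mode & 0o002)


if __name__ == "__main__":
    mode = 0o644
    for spec in ("u+x", "g-r", "o=", "a+r", "ug+rw,o=x", "o+w"):
        mode = apply_symbolic(mode, spec)
        flag = "  <- world-writable" if world_writable(mode) else ""
        print(f"chmod {spec:10s} -> {mode:04o} {mode_string(mode)}{flag}")
```

Running it walks one mode through a sequence of specs and flags the step at which the file becomes world-writable, which is the state a permissions review is normally hunting for.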

References
  1. Operating System Concepts, 8th Edition, Abraham Silberschatz, Peter B. Galvin, Greg Gagne, 2010, John Wiley and Sons
  2. https://wiki.ubuntu.com/VPN, as found on 22nd June 2011
  3. Ubuntu Pocket Guide and Reference, Keir Thomas, 2009, MacFreda
  4. Pro Ubuntu Server Administration, Sander van Vugt, Apress, 2009
