AfNOG E0 - Detailed Course Outline

AfNOG -> Workshops -> 2006 -> Track E0 - Unix System Administration -> Detailed Course Outline

AfNOG 2006 Workshop on Network Technology

Track E0 - Unix System Administration

Detailed Course Outline

[ Jump within this page: Monday | Tuesday | Wednesday | Thursday | Friday ]

General Objectives

After attending this track students will be able to:

Install and upgrade the Unix operating system on standard PC hardware
Provide basic security for a Unix installation
Use Unix to provide some essential Internet services

In addition they will be taught concepts such as:

Basic Internet Protocols and how they work
Some basic Internet services and how they function, including DNS, Web, SSH and E-mail
Designing installations for long-term scalability of services

Resources needed

Local mirror of FreeBSD 6.0 Production Release with selected packages not on the CD-ROM and the distfiles we need for the ports exercises (test all the exercises on one machine, then copy across its distfiles directory).
Possibly a Local FreeBSD cvsup mirror. Note, we can freeze it and therefore be guaranteed that our exercises won't break due to new changes in CVS!
Idealy one PC per two students.
One FreeBSD CD-ROM installation set per student.
Instructor PC with overhead projector.
Useful handout: commands and config files for FreeBSD 6.x.
Student non-root logins on the NOC server, for SSH and mail practice.

Instructors

(HA) Hervey Allen, USA/Chile
(JA) Joe Abley, Canada (Invited speaker)
(NS) Noah Sematimba, Uganda
(PO) Patrick Okui, Uganda
(PR) Phil Reganuld, Denmark

MONDAY

welcome
why use Unix not Windows? (and a bit about the philosophy: small, re-usable components which you can join together. Scripts and remote management rather than a GUI. Security history)
brief Unix history and family tree
overview of the key functions of the O/S
- kernel [device drivers, filesystem, memory management, network stack, pseudo-devices]
- shell
- user processes
- system processes (e.g. cron, syslogd)
- inter-process communication
- user/group security model
- Compare to corresponding Windows components. Not much detail; just see how they fit together.
overview of the standard filesystem layout: /etc, /usr, /var, /boot, /dev
recap on PC architecture, esp BIOS, boot up process, disk partitioning (slicing) and MBR
FreeBSD's disklabel partioning
suggested partitioning strategies
choices of installation media: CD-ROM, network, big pile of floppies!

Session 2: FreeBSD installation practical (Noah Sematimba)

OpenOffice

PDF

PS .gz

suggest from CD-ROM, over the LAN is possible with boot floppies (but need to point at local mirror!)
partition, install 'X-developer', reboot
login as root
- Get a prompt; note that everything you type is 'command [args..]'
- Use 'passwd root' to change root's password
- Note that you can run /stand/sysinstall (some things are useful here, e.g. change keyboard mapping, set up anon ftp, partition a new drive)
where's the documentation?
- man pages
- /usr/share/doc/en/{articles,books}, also on www.freebsd.org (especially the FreeBSD handbook)
- /usr/share/examples
filesystem browsing
- 'pwd', 'cd', 'ls', viewing files using 'less' ('q' to escape), using 'file' to identify type
- check the filetree is how we described it, read some of the examples
- less -Mi, search with slash and n

Session 3: Introductory administration (Patrick Okui)
Presentation: OpenDocument
Handout: PDF | PS .gz

Root and non-root
- How to check who you are: 'id'
- How to create a user: 'pw useradd xxx -m', 'passwd xxx'
- How to delete a user: 'pw userdel xxx -r'
- Using 'su' to become root from non-root; add user into 'wheel' group
- Everybody create a non-root account. Always use it! Then use su when necessary
Simple filesystem commands
- Look at the filesystem status: 'mount', 'df'
- Mount the cdrom, use 'ls' to check contents, unmount it (can't eject until unmounted)
Simple package management commands
- Look at package status: 'pkg_info' (and remember 'man pkg_info')
- Add packages from CD-ROM
  - Install 'bash'
  - List the files it contains with pkg_info -L bash\; note all under /usr/local
  - Type 'bash'; why doesn't it work? 'rehash' first (C shell anomoly)
Editing files with vi
- Edit /etc/rc.conf to set up networking
- Edit /etc/resolv.conf to set up nameserver client
- Test (e.g. ping)
Configure network interface in /etc/rc.conf
Using FTP client
- Fetch joe and lynx-ssl packages into your home directory
- Install them
- Check they work (try editing a file with joe instead of vi)
  - Stick to vi if you want to practice
  - Note that some packages have dependencies which need downloading too; e.g. try installing 'gmake'
Note that /stand/sysinstall lets you install packages, but it's tedious over the network because it downloads a huge INDEX file every time. OK for CD-ROM though.
Practice installing, deleting, and querying packages

Session 4: Tour of Unix basics (Phil Regnauld)
Presentation: OpenOffice
Handout: PDF (2-up) |
Exercises: OpenDocument | PDF (2-up) |
For each session include the commands you need to see the current state (e.g. ps and top, ls -l) and to change the current state (e.g. kill, rm). Some of this may be trimmed...

The Unix process environment (brief)
- arguments, environment variables, already-open files (0-2)
- that's all it gets!
- process id
- signals
The Shell
- different shells: csh, sh, bash
- command and arguments
- quoting
- argument expansion: echo , rm a??, echo ~/foo ~user/foo
- echo $PATH
- the shell is just a program (run 'sh' while in csh, then exit)
- shell job control: ^C versus ^Z (and ^D)
- environment (for a single command, and setting permanently)
  - in ~/.profile: EDITOR=joe; export EDITOR
  - in ~/.cshrc: setenv EDITOR joe
  - (and you can set PAGER=less as well)
- run a command redirecting stdin/stdout/stderr to a file
- run two commands linked by a pipe (ls | less)
Managing files [skipped to make time]
- cp, mv, rm, mkdir/rmdir, rm -rf
- hidden files
- the vi editor
  - why you need to know at least a little; 5 or so basic editing commands [note: rescue CD, and when only root filesystem is mounted]
  - vi /etc/motd (what happens if you are not root? How do you recover?)
  - things to beware of in vi: modes; cursor keys and slow network conns
Security model [some skipped]
- effective uid, gid, supplementary groups
- uid 0 = 'root'
- /etc/passwd, /etc/group, /etc/master.passwd and .db files
- file/device permissions
- directory permissions
- things which only 'root' can do (e.g. bind to ports below 1024)
- how do users change their own passwords?
  - setuid programs, and why care is needed
VFS [skipped]
- look at /etc/fstab
- mount, df -k
- mount and unmount /cdrom. Then mount it somewhere else on the tree.
- fdformat, newfs_msdos -L label, and mount a floppy disk. Copy files to it.
- show a USB memory stick working in the same way
- FreeBSD feature: glabel module
- fsck and the importance of unmounting/shutting down cleanly
- symlinks and hardlinks

TUESDAY

Session 1: Security introduction (Hervey Allen)
Presentation: OpenDocument
Handout: OpenOffice | PDF (6-up) | PS .gz (6-up) | PowerPoint |
Option exercises: [Dir]

problems of privacy, authenticity, integrity
pros and cons of passwords, IP source address authentication, DNS authentication, cryptographic solutions
problems of sniffing, exploits
main points:
- know what's running on your system (netstat, nmap/nessus)
- turn off what's not needed, upgrade what is
- monitor logs
- apply host-based access controls in conjunction with passwords
- monitor alert lists, announcement lists for the O/S and applications you are using
- use cryptographic tools where appropriate

Session 2: IP basics (Patrick Okui)
Presentation: OpenOffice
Handout: PDF | PS .gz

the seven-layer model, overview of purpose of each of the layers and how it corresponds to IP
essential structure of IP datagram
IP numbering rules, localhost, broadcast
brief note on IP forwarding and defaultroute
client-server architecture
- simple example layer 7 protocol: HTTP
- drive it using telnet
how domain names/DNS fit in
testing: ping [-n], traceroute [-n], tcpdump [-n]

Session 3: System startup and recovery (Hervey Allen)
Presentation: OpenOffice
Handout: PDF | PS .gz
Exercise: Text | HTML | PDF | PS .gz

kernel bootstrap
- how to get into single-user mode
  - mount -a, fsck -y
- loadable modules
- /boot/loader.conf, e.g. snd_ich_load="YES"
  - [/boot/defaults/loader.conf - look but don't touch!]
- /boot/device.hints, e.g. hint.acpi.0.disabled="1"
/sbin/init: pid 1
/etc/ttys (/etc/inittab under Linux)
- getty on virtual console, serial ports
/etc/rc, /etc/rc.conf, /etc/rc.d/ (e.g. mount filesystems).
- /etc/defaults/rc.conf - look but don't touch!
system processes
ssh, inetd/telnet
note that sometimes changes have to be made in two ways: once live, and once in /etc/rc.conf so they happen on next boot too
Scripting

Session 4: Building Unix software (Phil Regnauld)
Presentation: OpenOffice
Handout: PDF
Exercise 1: OpenOffice | PDF
Exercise 2: OpenOffice | PDF
Exercise 3: OpenOffice | PDF

what's a binary
- look at a typical compiled program (like /bin/ls) using
  - hexdump -C
  - file
  - strings
- this is the binary which the processor runs directly (and quickly)
how? compiler.
- Example: hello.c
  - gcc -Wall -o hello hello.c
  - ./hello
- see what "open source" means.
automating the build, rebuild only when necessary
- create a simple Makefile to demonstrate
- rebuild hello world
- note that some applications require GNU make (gmake)
Back to 'ls': look in /usr/src/bin/ls; make, make install
example of a huge C program: the kernel itself
- NOTES, make LINT
- copy GENERIC to OTHER and modify it (remove unnecessary device drivers, remove INET6, choose processor)
- config, build, install; check /boot/kernel/ and /boot/kernel.old/
- reboot; check you can reboot with the old kernel too

WEDNESDAY

Session 1: Updating the system (Patrick Okui)

Presentation: OpenOffice
Handout: PDF | PS .gz

security reasons for upgrading
talk about the different branches of FreeBSD: CURRENT, 6_STABLE, 6_0_STABLE etc.
ways to update
- updating by reinstalling a new release
- updating by using the binary upgrade feature (pros/cons)
- updating through source
  - install cvsup-without-gui package
  - upgrade the system source to 6_1_STABLE using cvsup (copy the example supfile, modify it to point to our local cvs mirror!)
Do source update
- read /usr/src/UPDATING (why?)
- follow ALL the steps to build and install new world and kernel (because kernel changes can be tied to the userland utilities)
show updating individual binaries through make / make install (example of a FreeBSD security alert)

Session 2: Installing and upgrading applications through ports (Noah Sematimba)
OpenOffice | PDF

ports overview
- ports are instructions (in a Makefile) to fetch the original source, apply FreeBSD-specific patches, compile and install
- after installation it's just like a package; in fact the binary packages are built from ports
- the ports tree is continually updated; the binary packages are not.
- you can just upgrade from ports, or build your own packages
- required ports are built automatically
configure make.conf to point to your local FreeBSD distfiles mirror
look at the ports Makefile, the md5 checksums, files (patches), the packing list and package description
use cvsup to bring the ports tree up to date (already done)
demonstration
- (find a package which is out of date; Apache perhaps) using make / (make deinstall) / make install / make clean
other examples and practice
tools which assist (e.g. portupgrade)

Session 3: Security Revisited: Cryptography (Hervey Allen)
Presentation: OpenOffice
Handout: PDF | PS .gz
SSH Exercise: HTML | PDF | PS .gz

main cryptographic techniques: private key, hashing, public key
- demonstrate md5/md5sum and discuss sha1sum
approaches to man-in-the-middle
- known hosts (a magic 'fingerprint' learned from the other side)
- [moved to start of next session] certificates
ssh practical
- enable ssh, use it to log onto neighbour's machine, get prompted to accept the host key first time, not second. (Check the host key fingerprint manually on the other side)

Session 4: DNS an introduction (Phil Regnauld)

Presentation: OpenOffice | PDF
Exercices: OpenOffice | PDF

o DNS Session-1 (Fundamentals):
	* DNS Materials.
	* Goal: to understand overall purpse and structure of DNS
	   + IP addresses vs. names
	   + DNS as a distributed, hierarchical database
	   + Domain names and resource records:
	     - A, PTR, MX, CNAME, TXT, SOA/NS
	   + Domain name lookup responses
	   + Reverse DNS
	   + DNS as client-server model
	     - Resolver
	     - Cache
	     - Authoritative server
	   + Testing DNS (dig)
	   + Understanding output from dig 
	   + Practical Exercises:
	     - Configure Unix resolver
	     - Use dig { A, other (e.g. MX), non-existent answer, reverse lookup }
	     - Use tcpdump to show queries being sent to cache

THURSDAY

Session 1: PGP Introduction (Joe Abley)

AfNOG 2006 PGP Materials

Introduction to PGP key management using GNU PGP

Creating keys
Extracting keys
Verifying keys

Why PGP is useful

Session 2: A simple Unix server: Apache (Noah Sematimba)

install apache13 package from FTP
- /etc/rc.conf apache_enable="YES"
- run and test
  - /usr/local/etc/rc.d/apache start
  - use ps to show something is running
  - use lynx-ssl to browse your own server and someone else's
  - use telnet to port 80 to show what's really happening
- look at its log files
- use tcpdump to watch the traffic
- remove the symlinks to data-dist and cgi-bin-dist and make your own content
- note documentation at httpd.apache.org

Session 4: Applying crypto on a Unix server (Noah Sematimba)

Replace apache package with apache+mod_ssl

[Note: doing this requires httpd.conf to be overwritten from httpd.conf-dist; note also dependency on mm]
Create a dummy certificate [would be better if we had built our own CA]
test using openssl s_client and lynx-ssl

Session 5: E-mail (Noah Sematimba)
Internet Mail presentation: OpenDocument | OpenOffice | PowerPoint | PDF (4-up) | PS .gz (4-up)

overview of MTA/MUA, SMTP, POP3/IMAP
- test them using telnet (including forging E-mail!) and reinforce password sniffing problem
choosing an MTA, pros/cons of exim
overview of exim configuration: routers, transports, acls
where to find exim docs

Session 6: building a basic mail server (Patrick Okui)
Handout: HTML

look at the Makefile for exim in ports, look at the build options
install from ports
exim testing: exim -V, -bt addr, -v addr, -bp
replace sendmail with exim
allow relaying from specific netblocks; exim -bh x.x.x.x

FRIDAY

Session 1: pop3, imap, secure authentication (Hervey Allen)

Exercises for Maildir, Courier POP/IMAP, SqWebMail: HTML | PDF | PS .gz

Configure Exim for Maildirs
Install Courier authorize daemon
Install Courier IMAP/POP server
Generate ssl certs for IMAP/POP
Verify functionality on ports 110, 143, 993, 995 using telnet and openssl s_client

Secure Authentication

Presentation: [OpenDocument | OpenOffice | PDF | PS .gz 4-up]

Secure Authentication
Services to consider or replace with secure authentication
Why you want to do this
Review what we are doing and why

Session 2: webmail and virtual mailboxes (Patrick Okui)
Handout: HTML | PDF | PS .gz

install sqwebmail from ports. Discuss maildir and Squirrelmail?
make any necessary apache config tweaks
run it
[configure authdaemon for userdb authentication and exim for userdb lookups (as time allows)]

Session 3: mirroring and backup (Phil Regnauld)
Handouts: Backups: [OpenOffice | PDF] Mirroring: [OpenOffice | PDF]

when backups needed (and not). What to backup. Scheduling choices.
media choices: tape, optical, removable HD, USB/firewire HD, pipe over ssh to another machine
methods: dd [and problems], dump/restore, tar [cpio], rsync/unison, mkisofs/burncd
try backing up filesystems
- using tar over ssh to remote machine
- recover some files
- using dump over ssh to remote machine
the FreeBSD-5.x/6.x GEOM subsystem (if time available)
- glabel, gmirror
- demonstrate with pair of USB drives or with two internal IDE drives

Session 4: scalability, monitoring and performance tuning (Phil Regnauld)
Handout: OpenDocument | PDF

scalability issues; the example of the bad Linux mailserver and solutions
- limits of CPU, disk I/O, disk space, RAM, network bandwidth, fixed size tables, poor data structures (linear searching)
monitoring: review the system monitoring commands covered already and add new ones
syslog, log rotation, configuring cron
tweaking kernel parameters: sysctl
[no time] other monitoring tools: mention snmpd? cricket? Or some scripts for checking partition sizes and mailing alerts?

Session 5: Summary, thank you!, and evaluations (Hervey, Patrick, Noah, Phil)

DESIRABLE TOPICS NOT YET ASSIGNED

Configuring X11: Text | HTML | PDF | PS .gz
using 'patch' (or "what's a patch?") and 'diff'
moving stuff around; e.g. moving /usr/ports and symlinking it
ktrace/kdump
kldload/kldstat/kldunload

OVERFLOW TOPICS, EVENING SESSIONS, QUICK DEMOS, OR NOTES ON HANDOUT

Graphical environment
- FreeBSD 6 comes with Xorg, easier to set up than XFree86
- follow the handbook
- Xorg -configure; mv /root/xorg.conf.new /etc/X11/xorg.conf
- set up monitor frequencies, preferred mode, defaultdepth
- install kde-lite package from the CD-ROM (not ports unless you are very patient!!)
- .xinitrc: exec startkde
- replace Konsole with xterm -sb -sl 500 -ls
- mozilla
Consider adding FAMP: FreeBSD/Apache/MySQL/PHP

Return to Track E0 Main Page

Return to AfNOG Workshop Main Page