# fdisk -l /dev/sda
Disk /dev/sda: 200.0 GB, 200049647616 bytes
....etc....
# which fdisk
/sbin/fdisk
# echo $PATH
/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

Initially, the fdisk command by itself did not work because it was not in the $PATH variable. Once the user returned to her own shell and used su to become root, the $PATH environment variable then contained the /sbin and /usr/sbin directories, so fdisk was found.
Name
sudo

Syntax
sudo [OPTION]... [-a auth_type] [-c class] [-p prompt] [-u username]

Description
sudo (substitute user do) allows a permitted user to execute a command as the superuser or as another user, as specified in the /etc/sudoers file.
Frequently used options
-b
Run the given command in the background.

-u USERNAME
Attempt to run the command as user USERNAME instead of root.
The sudo command lives somewhere between SUID and su. sudo is used when you want to give certain users (or groups of users) the ability to run certain commands with elevated privileges (usually as root). sudo is extremely useful for a number of reasons:
You don't have to hand out the root password to people just so they can run a few commands.
It logs every command (completed and attempted).
In the /etc/sudoers file, you can limit its use by user account, by group, by machine, or by pathname.
The design of /etc/sudoers is such that you can replicate it across multiple systems without modifying the file.
The /etc/sudoers configuration file is a standard text file (like most other Linux configuration files), but the syntax of the rules that define sudo's behavior is specified in Extended Backus-Naur Form (EBNF), a notation for describing the grammar of a language. This is relatively unusual in the Linux configuration-file world, so your /etc/sudoers file will look quite different from the other configuration files you are used to. Because of the security implications of sudo, and the somewhat challenging format of the file itself, use the visudo command to edit /etc/sudoers instead of editing the file directly. visudo locks the sudoers file against simultaneous edits, opens a temporary copy of it in your editor, and checks the syntax when you save; a copy containing a syntax error is not installed over /etc/sudoers (you are offered the chance to re-edit it), so a typo cannot lock every administrator out of sudo. visudo -c checks the syntax of the existing file without editing it.

If you prefer an editor other than vi, make sure your $EDITOR environment variable contains the path to your preferred editor, and visudo will invoke that editor instead of vi. Current sudo versions honor $EDITOR only if it names one of the editors listed in the sudoers editor option or if the env_editor option is enabled in /etc/sudoers.
On the Exam
The configuration options available in /etc/sudoers can be very complicated. You will not be required to answer questions about every possible option on the LPI exams. You should know what sudo is for and some example command-line usage, and have a general idea of what the /etc/sudoers file should look like.
Example 1
A simple /etc/sudoers file:

# Format is:
# user MACHINE=COMMANDS
#
# The COMMANDS section may have other options added to it.
#
Defaults requiretty, passwd_timeout=10

# Allows members of the users group to mount and unmount the cdrom as root
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

# Allow the user adam to run the dumpe2fs command on any locally attached
# disk using scsi emulation (/dev/sd*) on the computer "fileserv",
# don't prompt for a password
adam fileserv=NOPASSWD: /sbin/dumpe2fs /dev/sd*
The NOPASSWD tag allows the user adam to run the dumpe2fs command without being prompted for a password. Normally, sudo prompts a user for his own password (not the root password! If the user knew the root password, he wouldn't need sudo, would he?). Once the user's password is given correctly, sudo remembers the successful authentication and does not ask again for a few minutes (five in this book's examples; the default is fixed when sudo is built and is changed with the timestamp_timeout option in /etc/sudoers). Setting NOPASSWD allows the sudo command to be called from cron and other noninteractive, scripted situations. Two caveats apply to Example 1. First, the Defaults requiretty line refuses any sudo invocation that has no terminal, so on that configuration a cron job would still fail; drop requiretty (or exempt the user with Defaults:adam !requiretty) before relying on NOPASSWD from scripts. Second, sudo matches command-line arguments as one concatenated string, so the wildcard in /dev/sd* also matches across spaces; sudo dumpe2fs /dev/sda1 anything-else would be accepted. Keep NOPASSWD wildcards as narrow as the job allows.
The detailed logging that sudo offers by default is another reason why it is so popular. It is a common scenario to have multiple people acting as system administrators in a corporate environment. If all of these people log in as root to perform maintenance, there is no way to tell exactly which user was logged in as root and ran what command at a certain time. sudo handles this for you. It is good practice to use sudo to run superuser commands when you are in a shared administrator environment. Bear in mind that the record covers only the command sudo itself starts: anything run from a shell obtained through sudo is not logged by sudo (see the note on subshells below).
Example 2
A sample log line from sudo:

Dec  4 15:07:20 fileserv sudo: adam : TTY=pts/0 ; PWD=/sbin ; USER=root ; COMMAND=/sbin/dumpe2fs /dev/sda3

By default, sudo uses the syslog service (the authpriv facility) to log all events. Depending upon your syslog configuration, these events will probably be logged to /var/log/messages, /var/log/secure, or /var/log/auth.log.
sudo also logs attempts that are denied, as shown next.
Example 3
sudo denying access to user joe, who tried to run sudo /bin/ls /tmp:

Dec  4 15:27:29 fileserv sudo: joe : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/joe ; USER=root ; COMMAND=/bin/ls /tmp

Other important things to remember about sudo:
Be sure you give the exact, absolute path to applications in the /etc/sudoers file. The visudo command will report an error if you try to use a relative path name.
Be aware of commands that spawn subshells! This is the same issue that was discussed earlier with regard to SUID programs and subshells. A subshell (or any child process) inherits the security context of its parent. So if you have a line in /etc/sudoers that looks like this:

adam ALL=NOPASSWD: /bin/vi

then the user adam will be able to run /bin/vi as root, and by typing :!bash in the vi session, adam will have an interactive shell as root. The same applies to any program that can start another program or write an arbitrary file (pagers, editors, find, scripting-language interpreters): granting it through sudo is equivalent to granting a root shell. If you are in a situation where you need to let non-root users edit protected files, use the command sudoedit (equivalent to sudo -e). This tells sudo that a file needs to be edited: sudo makes a temporary copy of the file, opens an editor in the security context of the invoking user (not root), and once the editor exits, copies the temporary file back over the original. The editor never runs as root, so there is no root subshell to escape into.
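A quick way to catch the mistakes just described before they reach production is to scan a sudoers file for command specs that hand out a shell. The shell script below is an added example, not from the book or the sudo project; it runs a line-oriented heuristic over a constructed sudoers text embedded in the script, built from the page's Example 1, the /bin/vi line above, and invented entries for the users carol, dave and erin. It does not expand Cmnd_Alias definitions or understand the full sudoers grammar, and the list of shell-escaping programs is an assumed starting point rather than a complete one; visudo -c remains the authoritative syntax check.

```shell
#!/bin/sh
# Added example: heuristic audit of sudoers command specs.
# Constructed input (not a real system's file): Example 1 from the page, the
# adam/vi line, and invented entries for carol, dave and erin.
SAMPLE_SUDOERS='# Format is:
# user MACHINE=COMMANDS
Defaults requiretty, passwd_timeout=10
%users ALL = /sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
adam fileserv = NOPASSWD: /sbin/dumpe2fs /dev/sd*
adam ALL = NOPASSWD: /bin/vi
carol ALL = (ALL) ALL
dave ALL = sudoedit /etc/hosts, /usr/bin/systemctl restart nginx
erin ALL = mount'

# Programs that can hand the caller an interactive shell (an assumed, partial list).
SHELL_ESCAPES='^(bash|sh|dash|zsh|ksh|csh|tcsh|vi|vim|view|less|more|find|awk|gawk|perl|python[0-9.]*)$'

# sudoers_audit: print one finding per risky command spec, "LEVEL user: detail".
sudoers_audit() {
  printf '%s\n' "$SAMPLE_SUDOERS" | awk -v escapes="$SHELL_ESCAPES" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments and blank lines
    /^[ \t]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
    {
      eq = index($0, "="); if (eq == 0) next
      who = $1                                        # user, %group or alias name
      spec = substr($0, eq + 1)
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)         # drop the (runas) list
      n = split(spec, cmds, /,/)
      for (k = 1; k <= n; k++) {
        c = cmds[k]; gsub(/^[ \t]+|[ \t]+$/, "", c)
        if (c == "") continue
        tags = ""
        while (match(c, /^[A-Z_]+:[ \t]*/)) {         # NOPASSWD:, NOEXEC:, SETENV: ...
          tags = tags substr(c, 1, RLENGTH); c = substr(c, RLENGTH + 1)
        }
        prog = c; sub(/[ \t].*/, "", prog)            # first word is the program
        base = prog; sub(/.*\//, "", base)
        if (prog == "ALL")
          printf "HIGH %s: unrestricted command list%s\n", who, (tags ~ /NOPASSWD/ ? " without a password" : "")
        else if (prog != "sudoedit" && prog !~ /^\//)
          printf "HIGH %s: relative path %s\n", who, prog
        else if (base ~ escapes)
          printf "HIGH %s: %s can spawn a root shell\n", who, prog
        else if (tags ~ /NOPASSWD/ && c ~ /[*?]/)
          printf "MEDIUM %s: NOPASSWD with wildcard in \"%s\"\n", who, c
      }
    }'
}

sudoers_audit
```

Run against a real file with `sudo cat /etc/sudoers` piped in place of the embedded sample; entries that reach a command only through an alias will need the alias expanded by hand.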
The file /etc/sudoers can be a little daunting at first, but remember it was designed to allow you to have one copy of /etc/sudoers work across multiple servers. If this is not your situation, you can follow the simple examples above to create and maintain an /etc/sudoers file that is a little easier to read.
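Examples 2 and 3 show the two shapes a sudo syslog record can take: a successful run puts TTY= immediately after the user name, a refusal puts the reason there instead. The shell functions below are an added example, not from the book: they run over a few constructed log lines in those shapes (the host name, times and commands are invented, and two further genuine sudo refusal messages, "command not allowed" and "3 incorrect password attempts", are included) and separate commands that ran as root from refused attempts, which is the first cut an analyst wants from /var/log/secure on a shared host.

```shell
#!/bin/sh
# Added example: split sudo syslog records into allowed and denied attempts.
# Constructed log lines in the format shown in Examples 2 and 3 (invented
# host, users and commands).  A successful record puts TTY= right after the
# user name; a refusal puts the reason there instead.
SAMPLE_SUDO_LOG='Dec  4 15:07:20 fileserv sudo:     adam : TTY=pts/0 ; PWD=/sbin ; USER=root ; COMMAND=/sbin/dumpe2fs /dev/sda3
Dec  4 15:27:29 fileserv sudo:      joe : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/joe ; USER=root ; COMMAND=/bin/ls /tmp
Dec  4 15:30:02 fileserv sudo:     adam : command not allowed ; TTY=pts/1 ; PWD=/home/adam ; USER=root ; COMMAND=/bin/bash
Dec  4 15:31:10 fileserv sudo:     adam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/adam ; USER=root ; COMMAND=/bin/cat /etc/shadow
Dec  4 15:32:44 fileserv sshd[2231]: Accepted publickey for adam from 10.0.0.112 port 51022 ssh2
Dec  4 15:33:05 fileserv sudo:     adam : TTY=pts/1 ; PWD=/home/adam ; USER=root ; COMMAND=/sbin/dumpe2fs /dev/sdb1'

# sudo_log_triage: one line per sudo record,
#   "ALLOWED user command"  or  "DENIED user (reason) command"
sudo_log_triage() {
  printf '%s\n' "$SAMPLE_SUDO_LOG" | awk '
    {
      i = index($0, " sudo: "); if (i == 0) next       # not a sudo record
      rec = substr($0, i + 7); sub(/^ +/, "", rec)
      u = index(rec, " : "); if (u == 0) next
      user = substr(rec, 1, u - 1)
      rest = substr(rec, u + 3)
      split(rest, part, / ; /)                          # part[1] is TTY=... or the refusal reason
      c = index(rest, "COMMAND=")
      cmd = (c ? substr(rest, c + 8) : "?")
      if (part[1] ~ /^TTY=/) printf "ALLOWED %s %s\n", user, cmd
      else                   printf "DENIED %s (%s) %s\n", user, part[1], cmd
    }'
}

# denied_commands USER: the commands a user tried and was refused, one per line.
denied_commands() {
  sudo_log_triage | awk -v u="$1" '$1 == "DENIED" && $2 == u { sub(/^DENIED [^ ]+ \([^)]*\) /, ""); print }'
}

sudo_log_triage
```

On a live system replace the embedded sample with `grep ' sudo: ' /var/log/secure` (or /var/log/auth.log); a user who is refused a shell and then succeeds with an editor, as adam does above, is exactly the pattern the subshell warning describes.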
Name
usermod

Syntax
usermod [OPTIONS] USERNAME

Description
usermod is used to maintain the settings for accounts in /etc/passwd and /etc/group (and, by extension, /etc/shadow and /etc/gshadow).
Frequently used options
-c COMMENT
Set or change the value of the Comment field (field 5).

-d HOMEDIRECTORY
Set or change the value of the user's home directory (field 6). The directory itself is not moved unless -m is also given.

-g GROUPID
Set the primary GID (group ID) of the user.

-G GROUPID(S)
Set the supplementary group(s) for a user, as a comma-delimited list. The list given replaces the user's existing supplementary groups; use -a together with -G to append instead.

-l USERNAME
Change the username to USERNAME. The home directory keeps its old name unless you also pass -d with -m.

-s SHELL
Change the user's shell to SHELL.
Name
chage

Syntax
chage [OPTIONS] USERNAME

Description
chage (change aging) is used to maintain the password aging limits on a user account.
Frequently used options
-d LASTDAY
Set the day on which the password was last changed, as the number of days since January 1, 1970 (or as a date in YYYY-MM-DD form). A value of 0 forces the user to change the password at the next login.

-E EXPIREDATE
Set a user account to expire on a certain date.

-I INACTIVEDAYS
How many days of inactivity after a password has expired must pass before the account is locked.

-l
Show password aging information for an account. A nonprivileged user can run this to view his own password aging status.

-m MINDAYS
Set the minimum number of days between password changes.

-M MAXDAYS
Set the maximum number of days a password is valid.

-W WARNDAYS
The number of days before the password expiration that the system will start warning the user.
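The values these options set live in /etc/shadow: field 3 is the last-change day (-d), field 4 the minimum days (-m), field 5 the maximum days (-M), field 6 the warning days (-W), field 7 the inactive days (-I) and field 8 the account expiry day (-E), all expressed as days since January 1, 1970. The shell function below is an added example, not from the book: it reads constructed shadow lines embedded in the script (placeholder hashes, invented users) and classifies an account the way chage -l and the login program would. The day numbers are assumptions; 14617 is Jan 08, 2010, the date shown by chage -l root in the book's own example. The real shadow file is readable only by root.

```shell
#!/bin/sh
# Added example: classify password-aging state from /etc/shadow fields.
# The sample lines below are constructed for this example; the hashes are
# placeholders, not real credentials.  Field layout (colon separated):
#   1 user  2 hash  3 last change (days since 1970-01-01, chage -d)
#   4 min days (-m)  5 max days (-M)  6 warn days (-W)
#   7 inactive days (-I)  8 account expiry day (-E)  9 reserved
SAMPLE_SHADOW='root:$6$x$placeholder:14617:0:99999:7:::
adamh:$6$x$placeholder:0:0:99999:7:::
carol:$6$x$placeholder:14500:0:90:7:14::
dave:!:14600:0:99999:7::14700:
erin:$6$x$placeholder:14550:0:60:7:::
frank:$6$x$placeholder:14600:0:99999:7::14610:
gina:$6$x$placeholder:14570:0:60:14:::'

# shadow_status USER TODAY
#   TODAY is a day number (days since the epoch; 14617 is Jan 08, 2010).
#   Prints exactly one of:
#   ok, warning, must-change, expired, inactive, locked, account-expired
shadow_status() {
  printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" -v t="$2" '
    $1 != u { next }
    {
      pw = $2; last = $3; max = $5; warn = $6; inact = $7; expire = $8
      # Account expiry (-E) shuts the account regardless of the password.
      if (expire != "" && t >= expire) { print "account-expired"; exit }
      # A hash beginning with ! or * is a locked / disabled password.
      if (pw ~ /^[!*]/)                { print "locked"; exit }
      # chage -d 0: force a change at next login (the "root enforced" message).
      if (last == "0")                 { print "must-change"; exit }
      # 99999 (or an empty max) means aging is effectively disabled.
      if (max == "" || max + 0 >= 99999) { print "ok"; exit }
      age = t - last
      if (age > max) {
        # Past max + inactive days the account is locked, not just expired.
        if (inact != "" && age > max + inact) { print "inactive"; exit }
        print "expired"; exit
      }
      if (warn != "" && age >= max - warn) { print "warning"; exit }
      print "ok"; exit
    }'
}

# aging_report TODAY: one line per sample user.
aging_report() {
  for u in root adamh carol dave erin frank gina; do
    printf '%s %s\n' "$u" "$(shadow_status "$u" "$1")"
  done
}

aging_report 14620
```

`date +%s` divided by 86400 gives today's day number on a live host; feed that as TODAY and replace the embedded sample with the real file (as root) to get a one-screen aging report for every account.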
Examples
View the password aging information for the root user:

# chage -l root
Last password change                                    : Jan 08, 2010
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

Force a user to change his password on the next login:

# chage -d 0 adamh
# chage -l adamh
Last password change                                    : password must be changed
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

Now when the user adamh next logs in, he will see:

login as: adamh
adamh@…'s password:
You are required to change your password immediately (root enforced)
Last login: Fri Jan  8 14:50:42 2010 from 10.0.0.112
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user adamh.
Changing password for adamh.
(current) UNIX password:
New UNIX password:
Retype new UNIX password:

On the Exam
The chage command can be a little confusing. Take the time to learn its different options and practice configuring different password aging settings on a test Linux system. It is likely that you will encounter questions about the syntax of the chage command on the LPI exams.

Name
ulimit

Syntax
ulimit [OPTIONS] [limit]

Description
Provides control over the resources available to the shell and to processes started by it, on systems that allow such control. ulimit is a shell builtin (documented in the bash manual page), not a separate program, which is why a change made with it affects only the current shell and its children.
Frequently used options
-a
Report all current limits.

-u NUMBER
The maximum number of processes available to a single user.

-x NUMBER
The maximum number of file locks.

-v NUMBER
The maximum amount of virtual memory available to the shell, in kilobytes.

-H
Indicates that a hard limit is being specified.

-S
Indicates that a soft limit is being specified. When neither -H nor -S is given, ulimit sets both limits to the value.
Example
View the current limits for a user:

$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 8192
max locked memory       (kbytes, -l) 32
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 10240
cpu time               (seconds, -t) unlimited
max user processes              (-u) 8192
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

Limits are defined on Linux as being either hard or soft limits. A hard limit is set by the superuser for a user or group of users and cannot be exceeded; an unprivileged user may lower a hard limit for his own shell, but only root can raise one. A soft limit is also set by the superuser, but it may be temporarily raised by a user, up to the hard limit, if the need arises (by calling the ulimit command). For example, a user may have a soft limit of 100 on the maximum number of open files, with a hard limit of 1,000. If she is running a short-term process that needs to open 200 files, she can temporarily increase her limit in order for that program to run. That increase lasts only for the life of her shell. Hard and soft limits are set up by the superuser for all users in the file /etc/security/limits.conf, which the pam_limits module applies at login.
The file limits.conf takes four values, space- or Tab-delimited, on each line:

domain  type  item  value

Table 22-3 describes the options for entries in limits.conf.

Table 22-3. Options in /etc/security/limits.conf

Field name   Possible values
Domain       A username; a group name prefixed by @; or * to indicate the default
Type         hard or soft (or - to set both)
Item         core (limits the core file size, set in KB)
             data (maximum data size in KB)
             fsize (maximum file size in KB)
             memlock (maximum locked-in-memory address space in KB)
             nofile (maximum number of open files)
             rss (maximum resident set size in KB)
             stack (maximum stack size in KB)
             cpu (maximum CPU time in minutes)
             nproc (maximum number of processes)
             as (address space limit in KB)
             maxlogins (maximum number of logins for this user)
             maxsyslogins (maximum number of logins on the system)
             priority (the priority with which to run the user process)
             locks (maximum number of file locks the user can hold)
             sigpending (maximum number of pending signals)
             msgqueue (maximum memory used by POSIX message queues in bytes)
             nice (maximum nice priority allowed)
             rtprio (maximum real-time priority)
Value        Integer
Here are some example lines from a limits.conf file:

# user adamh cannot create a file larger than 200 MB
adamh    hard  fsize  204800
# user adamh cannot create a file larger than 100 MB
# unless he increases his own ulimit value
adamh    soft  fsize  102400
# don't create core files for any user unless they
# change this ulimit value for themselves
*        soft  core   0
# limit all users in the group "student" to no more
# than 20 processes running at once
@student hard  nproc  20
# limit all users in the group "faculty" to no more
# than 20 processes running at once, but allow
# them to increase their own limit temporarily
@faculty soft  nproc  20

Let's see ulimit in action with the user adamh, given the example limits.conf file just shown. First, prove that user adamh cannot create a file larger than 102400 blocks (100 MB, assuming we're dealing with blocks that are each 1 KB in size):

$ whoami
adamh
$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) 102400
pending signals                 (-i) 8192
max locked memory       (kbytes, -l) 32
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 10240
cpu time               (seconds, -t) unlimited
max user processes              (-u) 8192
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
$ dd if=/dev/zero of=largefile bs=1M count=200
File size limit exceeded
$ ls -lh largefile
-rwxrwxrwx 1 root root 100M 2010-01-08 16:09 largefile

The dd command used in this example attempts to create a 200 MB file by copying the contents of /dev/zero (a special device that returns zero-valued bytes to all read requests) to the file largefile, in 200 segments of 1 megabyte each. When the file reaches 100 MB, the kernel refuses the next write and sends dd the SIGXFSZ signal, which kills it; the shell reports the death as "File size limit exceeded". An ls of the file shows that user adamh was allowed to create a 100 MB file, but no larger. Now adamh will use ulimit to increase his file size limit to 200 MB and try the command again:

$ ulimit -f 204800
$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) 204800
pending signals                 (-i) 8192
max locked memory       (kbytes, -l) 32
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 10240
cpu time               (seconds, -t) unlimited
max user processes              (-u) 8192
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
$ dd if=/dev/zero of=largefile bs=1M count=200
200+0 records in
200+0 records out
209715200 bytes (210 MB) copied, 13.0589 s, 16.1 MB/s
$ ls -lh largefile
-rwxrwxrwx 1 root root 200M 2010-01-08 16:14 largefile

This time, the dd command completed without an error, and adamh was allowed to create a 200 MB file. However, if he tries to use ulimit to increase the limit beyond the hard limit, he is denied:

$ ulimit -f 204801
-bash: ulimit: file size: cannot modify limit: Operation not permitted

On the Exam
Setting limits for users is an often-overlooked activity, but it will appear on the LPI exam.
Be familiar with the format of the /etc/security/limits.conf file and some of the more common options for ulimit. Also be sure to understand the difference between hard and soft limits and how those differences affect a user's ability to use system resources.
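The soft/hard behavior shown with adamh can be verified on any account without touching limits.conf: lowering either limit and raising the soft limit back up to the hard limit are allowed for every user, while raising the soft limit past the hard one is refused. The script below is an added example, not from the book; it works on the file-size limit (-f) inside subshells so the calling shell's limits are left untouched, then shows the kernel cutting a write off at the limit just as in the dd example. Because -f counts blocks of 1024 bytes in bash but 512 bytes in dash, the size check only asserts that the write was truncated, not the exact size; the block values are assumptions chosen to sit below any sane hard limit.

```shell
#!/bin/sh
# Added example: soft vs. hard resource limits, demonstrated on -f (file size).
# Everything runs in a subshell ( ... ) so the limits of the calling shell never change.

# soft_hard_demo: prints "enforced" if the kernel behaves as described above;
# otherwise exits with a distinct code identifying the step that surprised us.
soft_hard_demo() {
  (
    ulimit -S -f 1024 || exit 10   # soft limit: what processes get right now
    ulimit -H -f 2048 || exit 11   # hard limit: the ceiling; lowering it needs no privilege
    ulimit -S -f 2048 || exit 12   # raising soft up to hard is allowed (adamh's "ulimit -f 204800")
    if ulimit -S -f 4096 2>/dev/null; then exit 13; fi   # beyond hard: "cannot modify limit"
    [ "$(ulimit -S -f)" = 2048 ] || exit 14
    [ "$(ulimit -H -f)" = 2048 ] || exit 15
    echo enforced
  )
}

# write_past_limit: set a tiny file-size limit, try to write 64 KiB with dd, and
# print how many bytes actually landed on disk.  The kernel stops the write at
# the limit and sends SIGXFSZ, which is the "File size limit exceeded" message
# in the page's example; the subshell's non-zero status is expected.
write_past_limit() {
  tmp=$(mktemp) || return 1
  ( ulimit -f 16 && dd if=/dev/zero of="$tmp" bs=1024 count=64 ) 2>/dev/null || true
  wc -c < "$tmp" | tr -d ' '
  rm -f "$tmp"
}

soft_hard_demo
write_past_limit
```

Run as root the picture changes in one place only: root may raise a hard limit again, so step 13 still fails (soft can never exceed hard) but a `ulimit -H -f 4096` would succeed.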
Name
netstat

Description
The command /bin/netstat is a generic, all-purpose network information tool. It gives you information about network connections, routing tables, interface statistics, and many other low-level details of your current network configuration. From a security standpoint, one of the most useful abilities of netstat is telling you what network ports are currently "open" on your system, what network connections exist, and what state those connections are in. netstat was defined, with examples, in Chapter 21. Here are a few more examples, focusing on the security-related information provided by netstat. (On current distributions netstat belongs to the optional net-tools package; ss from iproute2 reports the same information, for instance ss -tan for the TCP table.)
Examples
Show protocol statistics. This is an example from a moderately busy public web server that has been up for 41 days:

# netstat -s
Ip:
    996714394 total packets received
    0 forwarded
    0 incoming packets discarded
    996354233 incoming packets delivered
    743668424 requests sent out
Icmp:
    308127 ICMP messages received
    488 input ICMP message failed.
    ICMP input histogram: 
        destination unreachable: 669
        timeout in transit: 2
        redirects: 277573
        echo requests: 29877
        echo replies: 6
    48625 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 18748
        echo replies: 29877
Tcp:
    4092366 active connections openings
    6613024 passive connection openings
    28785 failed connection attempts
    479914 connection resets received
    46 connections established
    995776060 segments received
    742269993 segments send out
    1026415 segments retransmitted
    7056 bad segments received.
    135994 resets sent
Udp:
    30804 packets received
    18657 packets to unknown port received.
    0 packet receive errors
    323385 packets sent
TcpExt:
    77483 invalid SYN cookies received
    22981 resets received for embryonic SYN_RECV sockets
    ArpFilter: 0
    6555736 TCP sockets finished time wait in fast timer
    2463 time wait sockets recycled by time stamp
    1004 packets rejects in established connections because of timestamp
    17501900 delayed acks sent
    24177 delayed acks further delayed because of locked socket
    Quick ack mode was activated 92779 times
    16609 times the listen queue of a socket overflowed
    16609 SYNs to LISTEN sockets ignored
    465508199 packets directly queued to recvmsg prequeue.
    2188914674 packets directly received from backlog
    1015042059 packets directly received from prequeue
    414843326 packets header predicted
    421778135 packets header predicted and directly queued to user
    TCPPureAcks: 52593173
    TCPHPAcks: 313477583
    TCPRenoRecovery: 3251
    TCPSackRecovery: 109485
    TCPSACKReneging: 219
    TCPFACKReorder: 409
    TCPSACKReorder: 61
    TCPRenoReorder: 287
    TCPTSReorder: 1367
    TCPFullUndo: 1433
    TCPPartialUndo: 5607
    TCPDSACKUndo: 75787
    TCPLossUndo: 60128
    TCPLoss: 93645
    TCPLostRetransmit: 31
    TCPRenoFailures: 1693
    TCPSackFailures: 44900
    TCPLossFailures: 10718
    TCPFastRetrans: 182057
    TCPForwardRetrans: 21100
    TCPSlowStartRetrans: 167274
    TCPTimeouts: 428080
    TCPRenoRecoveryFail: 2148
    TCPSackRecoveryFail: 19641
    TCPSchedulerFailed: 107692
    TCPRcvCollapsed: 0
    TCPDSACKOldSent: 89093
    TCPDSACKOfoSent: 1003
    TCPDSACKRecv: 165272
    TCPDSACKOfoRecv: 521
    TCPAbortOnSyn: 0
    TCPAbortOnData: 11898
    TCPAbortOnClose: 2165
    TCPAbortOnMemory: 0
    TCPAbortOnTimeout: 11617
    TCPAbortOnLinger: 0
    TCPAbortFailed: 0
    TCPMemoryPressures: 0

Display all the active TCP connections:

# netstat --tcp -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.23.11:80        209.34.195.194:4898     SYN_RECV
tcp        0      0 192.168.23.11:80        71.126.90.107:50254     SYN_RECV
tcp        0      0 192.168.23.11:769       192.168.23.10:2049      ESTABLISHED
tcp        0      0 192.168.23.11:992       192.168.23.10:2049      ESTABLISHED
tcp        0      0 192.168.23.11:80        66.199.0.164:32211      TIME_WAIT
tcp        0      0 192.168.23.11:80        68.13.184.187:3249      ESTABLISHED
tcp        0      0 192.168.23.11:80        68.13.85.103:2972       TIME_WAIT
tcp        0      0 192.168.23.11:80        70.165.111.157:14068    TIME_WAIT
tcp        0      0 192.168.23.11:80        68.110.27.241:32808     TIME_WAIT
tcp        0      0 192.168.23.11:80        71.199.119.34:49469     TIME_WAIT

This output shows us that there are a number of connections to TCP port 80 on our server (192.168.23.11). These connections are from many different hosts, as is typical with a busy web server. One of the interesting things about a report like this is the "State" information.
A TCP connection goes through a number of different states as the connection is requested and created, data is transmitted, and the connection is completed and closed. From a security standpoint, it's a good idea to be familiar with the different states a TCP connection can be in. The classic SYN flood denial-of-service attack exploits the fact that the kernel must remember a half-open connection from the moment it answers a SYN until the client's final ACK arrives or the handshake times out: the attacker sends thousands of SYNs, usually from spoofed addresses, and never completes the handshake, so the listen queue fills with SYN_RECV entries and legitimate clients are turned away. A large and growing number of SYN_RECV connections from many different addresses, together with rising "SYNs to LISTEN sockets ignored" and "times the listen queue of a socket overflowed" counters in the netstat -s output, is the signature of such an attack; the usual mitigation on Linux is SYN cookies, enabled through /proc/sys/net/ipv4/tcp_syncookies. By contrast, many connections in the TIME_WAIT state are normal on a busy web server: each connection the server closes stays in that state for a fixed period (60 seconds in the Linux kernel, not adjustable by sysctl) so that delayed segments cannot be mistaken for a new connection. The value in /proc/sys/net/ipv4/tcp_fin_timeout controls a different timer, how long an orphaned connection may remain in FIN_WAIT_2 before the kernel discards it. For more information on the /proc filesystem and how to use it to tune your running system, refer to the text file Documentation/filesystems/proc.txt in your Linux kernel source; the TCP tunables themselves are described in Documentation/networking/ip-sysctl.txt. Table 22-4 displays the different states a TCP connection goes through.
Table 22-4. States of a TCP connection

State name    Description
CLOSED        No connection exists.
LISTEN        A server socket is waiting for an incoming connection request (SYN).
SYN_SENT      The client has sent a SYN and is waiting for the server's SYN-ACK. SYN stands for SYNCHRONIZE: the first segment in each direction synchronizes the sequence numbers used for the rest of the connection.
SYN_RCVD      The server has received a SYN, replied with its own SYN-ACK, and is waiting for the client's ACK to complete the three-way handshake. Such half-open connections occupy the listen backlog; netstat on Linux prints this state as SYN_RECV.
ESTABLISHED   The three-way handshake has completed and data can flow in both directions.
FIN_WAIT_1    This end has sent a FIN (FINISH) to begin closing and is waiting for the other side to acknowledge it.
FIN_WAIT_2    This end's FIN has been acknowledged; it is now waiting for the other side's FIN.
CLOSING       Both sides sent a FIN at about the same time; this end has received the other's FIN and is waiting for the ACK of its own.
CLOSE_WAIT    This end has received and acknowledged the other side's FIN, but the local application has not yet closed the socket. Many connections stuck here point at an application that forgets to close.
LAST_ACK      This end (previously in CLOSE_WAIT) has sent its FIN and is waiting for the final ACK.
TIME_WAIT     After an active close, the kernel keeps the connection around for a fixed period, waiting for any delayed duplicate segments. This prevents another socket from reusing the same address pair and receiving data meant for the old connection.
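To turn the state table into something actionable, tally netstat output by state and count how many distinct remote hosts hold half-open (SYN_RECV) connections to a listening port. The shell functions below are an added example, not from the book: they run over the page's netstat --tcp -n output plus six constructed SYN_RECV lines from the 203.0.113.0/24 documentation range, one of them a repeat source so that the distinct-host count differs from the raw count. To use them on a live host, replace the embedded sample with the output of netstat --tcp -n (ss -tan prints the same data but with the State column first, so the field numbers would change). The alert threshold is an assumption to tune per server.

```shell
#!/bin/sh
# Added example: triage "netstat --tcp -n" output by TCP state.
# Constructed sample: the page's ten lines, then six invented SYN_RECV entries.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.23.11:80        209.34.195.194:4898     SYN_RECV
tcp        0      0 192.168.23.11:80        71.126.90.107:50254     SYN_RECV
tcp        0      0 192.168.23.11:769       192.168.23.10:2049      ESTABLISHED
tcp        0      0 192.168.23.11:992       192.168.23.10:2049      ESTABLISHED
tcp        0      0 192.168.23.11:80        66.199.0.164:32211      TIME_WAIT
tcp        0      0 192.168.23.11:80        68.13.184.187:3249      ESTABLISHED
tcp        0      0 192.168.23.11:80        68.13.85.103:2972       TIME_WAIT
tcp        0      0 192.168.23.11:80        70.165.111.157:14068    TIME_WAIT
tcp        0      0 192.168.23.11:80        68.110.27.241:32808     TIME_WAIT
tcp        0      0 192.168.23.11:80        71.199.119.34:49469     TIME_WAIT
tcp        0      0 192.168.23.11:80        203.0.113.5:40001       SYN_RECV
tcp        0      0 192.168.23.11:80        203.0.113.6:40002       SYN_RECV
tcp        0      0 192.168.23.11:80        203.0.113.7:40003       SYN_RECV
tcp        0      0 192.168.23.11:80        203.0.113.8:40004       SYN_RECV
tcp        0      0 192.168.23.11:80        203.0.113.9:40005       SYN_RECV
tcp        0      0 192.168.23.11:80        203.0.113.5:40006       SYN_RECV'

# tcp_state_summary: "STATE count" per state, sorted by state name.
tcp_state_summary() {
  printf '%s\n' "$SAMPLE_NETSTAT" | awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print s, n[s] }' | sort
}

# half_open_sources PORT: number of distinct remote hosts with a SYN_RECV
# (half-open) connection to local PORT.  A flood shows many sources, each
# holding one or more slots in the listen backlog.
half_open_sources() {
  printf '%s\n' "$SAMPLE_NETSTAT" | awk -v p="$1" '
    $1 ~ /^tcp/ && $6 == "SYN_RECV" {
      lport = $4; sub(/.*:/, "", lport)          # local port is after the last colon
      rhost = $5; sub(/:[^:]*$/, "", rhost)      # strip the remote port
      if (lport == p && !(rhost in seen)) { seen[rhost] = 1; count++ }
    }
    END { print count + 0 }'
}

# syn_flood_check PORT THRESHOLD: "suspect" when the number of distinct
# half-open sources reaches THRESHOLD, else "ok".  The threshold is a
# per-server judgement call, not a universal constant.
syn_flood_check() {
  if [ "$(half_open_sources "$1")" -ge "$2" ]; then echo suspect; else echo ok; fi
}

tcp_state_summary
syn_flood_check 80 5
```

A "suspect" result is a prompt to look at the netstat -s listen-queue counters and at whether tcp_syncookies is enabled, not proof of an attack by itself; a legitimate burst of slow clients produces the same picture briefly.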
On the Exam
netstat is an important tool that you will encounter often in your Linux career. Become familiar with the more common command-line options, and understand when it is appropriate to use the netstat command, because you will see a number of references to it on the LPI exams.
Name
nmap

Syntax
nmap [scan type] [options] (target specifications)

Description
nmap (the network mapper) is a very powerful port-scanning tool. Its primary purpose is to scan a remote host (or an entire subnet) and report back which TCP or UDP ports are open on each system. However, this powerful tool can do much more, including OS fingerprinting and vulnerability scanning.

Frequently used options
-sP
Don't port scan; just report what hosts respond to a ping request. This is commonly called a ping sweep. See the later examples. (Recent nmap releases call this option -sn; -sP is still accepted as an alias.)