Thursday, May 20, 2010

Howto:Check if service supports TCP wrappers

You have added a correct entry to /etc/hosts.allow to allow certain clients to connect to a certain service, you save the changes, but nothing happens!
You recheck the syntax, but everything seems to be just right...
What happened here, and why?
Not all services support TCP wrappers. To determine whether a given service does, query it with the "ldd" command and look at its shared library dependencies. Let's take the sshd service as an example:


# ldd `which sshd` |grep -i libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f04d29fd000)

The presence of libwrap in the ldd output shows that the service supports TCP wrappers; if it is absent, the daemon never consults /etc/hosts.allow or /etc/hosts.deny, which is why the entry had no effect.
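The same check, scripted so it can be run over a list of daemons at once. This is an added example and not from the original post; the service names on the usage line are assumptions, and the return codes are my own convention.

```shell
#!/bin/sh
# Added example, not part of the original post: report whether each
# given service binary is linked against libwrap, i.e. whether it will
# consult /etc/hosts.allow and /etc/hosts.deny at all. A bare name is
# resolved with `command -v`; a path is used as given.
#
# Return codes of supports_tcp_wrappers:
#   0 = libwrap.so found in ldd output (hosts.allow/deny are honoured)
#   1 = no libwrap.so (hosts.allow/deny entries are silently ignored)
#   2 = binary not found, not executable, or not a dynamic executable
supports_tcp_wrappers() {
    bin=$1
    case "$bin" in
        */*) ;;                                            # explicit path
        *)   bin=$(command -v "$bin" 2>/dev/null) || return 2 ;;
    esac
    [ -x "$bin" ] || return 2
    # ldd exits non-zero (and prints "not a dynamic executable") for
    # static binaries; report that as "cannot tell", not as "no".
    deps=$(ldd "$bin" 2>/dev/null) || return 2
    printf '%s\n' "$deps" | grep -q 'libwrap\.so'
}

# Check a list of services, e.g.:  ./tcpwrap-check.sh sshd vsftpd xinetd
check_services() {
    for svc in "$@"; do
        rc=0
        supports_tcp_wrappers "$svc" || rc=$?
        case $rc in
            0) echo "$svc: libwrap found - TCP wrappers supported" ;;
            1) echo "$svc: no libwrap - hosts.allow/hosts.deny have no effect" ;;
            *) echo "$svc: not found or statically linked - cannot determine" ;;
        esac
    done
}

if [ "$#" -gt 0 ]; then
    check_services "$@"
fi
```

A daemon started through tcpd or xinetd is wrapped by that parent even when its own binary shows no libwrap, so in that case check the parent instead.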

Thursday, May 6, 2010

Quick Howto:Linux DHCP

The DHCP service allows dynamic host IP allocation, a useful option for desktops, notebooks and any other mobile IP-based appliance.
The Linux DHCP server (dhcpd v3) is relatively easy to configure; the main configuration file is:

/etc/dhcpd.conf

A brief configuration of a subnet looks like this:

subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.200 192.168.0.229;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.0.255;
        option routers 192.168.0.1;
}


The DHCP protocol has a vast number of options that it can pass to clients to configure them correctly. Some of the most important are shown in the following example:
default-lease-time 21600;
max-lease-time 43200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-name "example.com";
option ntp-servers 192.168.1.1;

Most of these should be self-explanatory. The lease times are how long the client can hold on to the IP address it is given without reconfirming with the server, in seconds. With the default-lease-time set to 21600, the client is instructed to contact the DHCP server at least every 6 hours. If it has not been in touch within 43,200 seconds, 12 hours, it should consider itself to be out of a lease.


To add a static entry, so that a certain station always gets the same IP address (useful for servers, printers, etc.), use the following syntax:

host chronos {
        hardware ethernet d8:50:2b:4c:a3:82;
        fixed-address 192.168.1.20;
}

When dhcpd is running it records leases in the file:
/var/lib/dhcp/dhcpd.leases

The leases file includes the active leases of current client hosts, plus lease details such as the lease start and end time, the MAC address and the hostname of the client host:

lease 192.168.1.12 {
 starts 2 2010/04/01 20:07:05;
 ends 3 2010/04/02 08:07:05;
 hardware ethernet 00:00:e8:4a:2c:5c;
 uid 01:00:00:e8:4c:5d:31;
 client-hostname "shiva01";
}

When the configuration is complete you can run "dhcpd configtest" to test whether the configuration is good.

Please note -

1. The DHCP server listens on port 68, so be sure to configure your firewall correctly.

2. When DHCP broadcasts need to be forwarded across routers (common in enterprise environments), a forwarder must be set on the router.
On Cisco systems the option is called "ip-helper" and it is used like this:
ip-helper "address-of-dhcp-server"