LinuxChix Africa -> Unix System Administration -> Detailed Course Outline

LinuxChix Africa Workshop
12 - 16 March, 2007
Nairobi, Kenya

Unix System Administration

Detailed Course Outline

[ Jump within this page: Monday | Tuesday | Wednesday | Thursday | Friday ]

General Objectives

After attending this track students will be able to:

• Install and upgrade the Unix operating system on standard PC hardware
• Provide basic security for a Unix installation
• Use Unix to provide some essential Internet services

In addition they will be taught concepts such as:

• Basic Internet Protocols and how they work
• Some basic Internet services and how they function, including DNS, Web, SSH and E-mail
• Designing installations for long-term scalability of services

Resources needed 

• Local mirror of FreeBSD 6.0 Production Release with selected packages not on the CD-ROM and the distfiles we need for the ports exercises (test all the exercises on one machine, then copy across its distfiles directory).
• Possibly a Local FreeBSD cvsup mirror. Note, we can freeze it and therefore be guaranteed that our exercises won't break due to new changes in CVS!
• Idealy one PC per two students.
• One FreeBSD CD-ROM installation set per student.
• Instructor PC with overhead projector.
• Useful handout: commands and config files for FreeBSD 6.x.
• Student non-root logins on the NOC server, for SSH and mail practice.

Instructors

Binta Audu (BA), Nigeria

Nodumu Dhlamini(ND), Zimbabwe

Sunday Folayan (SF), Nigeria

Isatou Jah, (IJ), Gambia

Dorcas Muthoni (DM), Kenya

Michuki Mwanga (MM), Kenya

Patrick Okui, (PO), Uganda

MONDAY

Session 1: Introduction to Unix (Patrick Okui) 

Presentation: OpenOffice | PowerPoint

Handout: PDF | Powerpoint 

FreeBSD command reference: OpenOffice | PDF 1-up | PDF 2-up | PS .gz 1-up | PS .gz 2-up Topics:

• welcome
• why use Unix not Windows? (and a bit about the philosophy: small, re-usable components which you can join together. Scripts and remote management rather than a GUI. Security history)
• brief Unix history and family tree
• overview of the key functions of the O/S
• kernel [device drivers, filesystem, memory management, network stack, pseudo-devices]
• shell
• user processes
• system processes (e.g. cron, syslogd)
• inter-process communication
• user/group security model
• Compare to corresponding Windows components. Not much detail; just see how they fit together.
• overview of the standard filesystem layout: /etc, /usr, /var, /boot, /dev
• recap on PC architecture, esp BIOS, boot up process, disk partitioning (slicing) and MBR
• FreeBSD's disklabel partioning
• suggested partitioning strategies
• choices of installation media: CD-ROM, network, big pile of floppies!

Session 2: FreeBSD installation practical (Binta Audu) 

• Powerpoint | PDF |
• suggest from CD-ROM, over the LAN is possible with boot floppies (but need to point at local mirror!)
• partition, install 'X-developer', reboot
• login as root
• Get a prompt; note that everything you type is 'command [args..]'
• Use 'passwd root' to change root's password
• Note that you can run /stand/sysinstall (some things are useful here, e.g. change keyboard mapping, set up anon ftp, partition a new drive)
• where's the documentation?
• man pages
• /usr/share/doc/en/{articles,books}, also on www.freebsd.org (especially the FreeBSD handbook)
• /usr/share/examples
• filesystem browsing
• 'pwd', 'cd', 'ls', viewing files using 'less' ('q' to escape), using 'file' to identify type
• check the filetree is how we described it, read some of the examples
• less -Mi, search with slash and n

Session 3: Unix Basics (Patrick Okui)
Presentation: OpenOffice | Powerpoint
Handout: PDF
Exercises: PDF | Rich Text 

• Root and non-root
• How to check who you are: 'id'
• How to create a user: 'pw useradd xxx -m', 'passwd xxx'
• How to delete a user: 'pw userdel xxx -r'
• Using 'su' to become root from non-root; add user into 'wheel' group
• Everybody create a non-root account. Always use it! Then use su when necessary
• Simple filesystem commands
• Look at the filesystem status: 'mount', 'df'
• Mount the cdrom, use 'ls' to check contents, unmount it (can't eject until unmounted)
• Simple package management commands
• Look at package status: 'pkg_info' (and remember 'man pkg_info')
• Add packages from CD-ROM
• Install 'bash'
• List the files it contains with pkg_info -L bash\; note all under /usr/local
• Type 'bash'; why doesn't it work? 'rehash' first (C shell anomoly)
• Editing files with vi
• Edit /etc/rc.conf to set up networking
• Edit /etc/resolv.conf to set up nameserver client
• Test (e.g. ping)
• Configure network interface in /etc/rc.conf
• Using FTP client
• Fetch joe and lynx-ssl packages into your home directory
• Install them
• Check they work (try editing a file with joe instead of vi)
• Stick to vi if you want to practice
• Note that some packages have dependencies which need downloading too; e.g. try installing 'gmake'
• Note that /stand/sysinstall lets you install packages, but it's tedious over the network because it downloads a huge INDEX file every time. OK for CD-ROM though.
• Practice installing, deleting, and querying packages

Session 4: Tour of Unix basics (Sunday Folayan) 

Presentation: OpenOffice

Handout: PDF | 

Exercises: OpenDocument | PDF | 

For each session include the commands you need to see the current state (e.g. ps and top, ls -l) and to change the current state (e.g. kill, rm). Some of this may be trimmed...

• The Unix process environment (brief)
• arguments, environment variables, already-open files (0-2)
• that's all it gets!
• process id
• signals
• The Shell
• different shells: csh, sh, bash
• command and arguments
• quoting
• argument expansion: echo , rm a??, echo ~/foo ~user/foo
• echo $PATH
• the shell is just a program (run 'sh' while in csh, then exit)
• shell job control: ^C versus ^Z (and ^D)
• environment (for a single command, and setting permanently)
• in ~/.profile: EDITOR=joe; export EDITOR
• in ~/.cshrc: setenv EDITOR joe
• (and you can set PAGER=less as well)
• run a command redirecting stdin/stdout/stderr to a file
• run two commands linked by a pipe (ls | less)
• Managing files [skipped to make time]
• cp, mv, rm, mkdir/rmdir, rm -rf
• hidden files
• the vi editor
• why you need to know at least a little; 5 or so basic editing commands [note: rescue CD, and when only root filesystem is mounted]
• vi /etc/motd (what happens if you are not root? How do you recover?)
• things to beware of in vi: modes; cursor keys and slow network conns
• Security model [some skipped]
• effective uid, gid, supplementary groups
• uid 0 = 'root'
• /etc/passwd, /etc/group, /etc/master.passwd and .db files
• file/device permissions
• directory permissions
• things which only 'root' can do (e.g. bind to ports below 1024)
• how do users change their own passwords?
• setuid programs, and why care is needed
• VFS [skipped]
• look at /etc/fstab
• mount, df -k
• mount and unmount /cdrom. Then mount it somewhere else on the tree.
• fdformat, newfs_msdos -L label, and mount a floppy disk. Copy files to it.
• show a USB memory stick working in the same way
• FreeBSD feature: glabel module
• fsck and the importance of unmounting/shutting down cleanly
• symlinks and hardlinks

TUESDAY

Session 1: IP Basics (Isatou Jah) 

Presentation: Powerpoint

Handout: PDF 

• the seven-layer model, overview of purpose of each of the layers and how it corresponds to IP
• essential structure of IP datagram
• IP numbering rules, localhost, broadcast
• brief note on IP forwarding and defaultroute
• client-server architecture
• simple example layer 7 protocol: HTTP
• drive it using telnet
• how domain names/DNS fit in
• testing: ping [-n], traceroute [-n], tcpdump [-n]

Session 2: System Startup and Recovery (Patrick Okui) 

Presentation: OpenOffice 

Handout: PDF 

Exercise: Text | HTML | PDF | PS .gz 

• kernel bootstrap
• how to get into single-user mode
• mount -a, fsck -y
• loadable modules
• /boot/loader.conf, e.g. snd_ich_load="YES"
• [/boot/defaults/loader.conf - look but don't touch!]
• /boot/device.hints, e.g. hint.acpi.0.disabled="1"
• /sbin/init: pid 1
• /etc/ttys (/etc/inittab under Linux)
• getty on virtual console, serial ports
• /etc/rc, /etc/rc.conf, /etc/rc.d/ (e.g. mount filesystems).
• /etc/defaults/rc.conf - look but don't touch!
• system processes
• ssh, inetd/telnet
• note that sometimes changes have to be made in two ways: once live, and once in /etc/rc.conf so they happen on next boot too
• Scripting

Session 3: Building Unix software (Sunday Folayan) 

Presentation: OpenOffice 

Handout: PDF 

Exercise 1: OpenOffice | PDF 

Exercise 2: OpenOffice | PDF 

Exercise 3: OpenOffice | PDF 

• Scripting

• what's a binary
• look at a typical compiled program (like /bin/ls) using
• hexdump -C
• file
• strings
• this is the binary which the processor runs directly (and quickly)
• how? compiler.
• Example: hello.c
• gcc -Wall -o hello hello.c
• ./hello
• see what "open source" means.
• automating the build, rebuild only when necessary
• create a simple Makefile to demonstrate
• rebuild hello world
• note that some applications require GNU make (gmake)
• Back to 'ls': look in /usr/src/bin/ls; make, make install
• example of a huge C program: the kernel itself

• Cron
• NOTES, make LINT
• copy GENERIC to OTHER and modify it (remove unnecessary device drivers, remove INET6, choose processor)
• config, build, install; check /boot/kernel/ and /boot/kernel.old/
• reboot; check you can reboot with the old kernel too

Session 4: Source Updates (Michuki Mwangi)

Presentation: PDF

• security reasons for upgrading
• talk about the different branches of FreeBSD: CURRENT, 6_STABLE, 6_0_STABLE etc.
• ways to update
• updating by reinstalling a new release
• updating by using the binary upgrade feature (pros/cons)
• updating through source
• install cvsup-without-gui package
• upgrade the system source to 6_1_STABLE using cvsup (copy the example supfile, modify it to point to our local cvs mirror!)
• Do source update
• read /usr/src/UPDATING (why?)
• follow ALL the steps to build and install new world and kernel (because kernel changes can be tied to the userland utilities)
• show updating individual binaries through make / make install (example of a FreeBSD security alert)

WEDNESDAY

Session 1: Installing and upgrading applications through ports (Patrick Okui) 

OpenOffice | PowerPoint | PDF

• ports overview
• ports are instructions (in a Makefile) to fetch the original source, apply FreeBSD-specific patches, compile and install
• after installation it's just like a package; in fact the binary packages are built from ports
• the ports tree is continually updated; the binary packages are not.
• you can just upgrade from ports, or build your own packages
• required ports are built automatically
• configure make.conf to point to your local FreeBSD distfiles mirror
• look at the ports Makefile, the md5 checksums, files (patches), the packing list and package description
• use cvsup to bring the ports tree up to date (already done)
• demonstration
• (find a package which is out of date; Apache perhaps) using make / (make deinstall) / make install / make clean
• other examples and practice
• tools which assist (e.g. portupgrade)

Session 2: Security introduction (Sunday Folayan) 

Presentation: OpenDocument

Handout: PDF | 

• problems of privacy, authenticity, integrity
• pros and cons of passwords, IP source address authentication, DNS authentication, cryptographic solutions
• problems of sniffing, exploits
• main points:
• know what's running on your system (netstat, nmap/nessus)
• turn off what's not needed, upgrade what is
• monitor logs
• apply host-based access controls in conjunction with passwords
• monitor alert lists, announcement lists for the O/S and applications you are using
• use cryptographic tools where appropriate

Session 2 Cont: Security Revisited: Cryptography -- Skipped (Sunday Folayan) 

SSH Exercise: HTML | PDF | PS .gz

• main cryptographic techniques: private key, hashing, public key
• demonstrate md5/md5sum and discuss sha1sum
• approaches to man-in-the-middle
• known hosts (a magic 'fingerprint' learned from the other side)
• [moved to start of next session] certificates
• ssh practical
• enable ssh, use it to log onto neighbour's machine, get prompted to accept the host key first time, not second. (Check the host key fingerprint manually on the other side)

Session 2 Contd: PGP Introduction -- Skipped (Sunday Folayan) 

PGP Handout: TXT 

PDF

• Introduction to PGP key management using GNU PGP
• Creating keys
• Extracting keys
• Verifying keys
• Why PGP is useful

Session 3 & 4: DNS an introduction (Isatou Jah)

Presentation: Powerpoint | PDF
Exercices: TXT | PDF

o DNS Session-1 (Fundamentals):

* DNS Materials.

* Goal: to understand overall purpse and structure of DNS

  + IP addresses vs. names

  + DNS as a distributed, hierarchical database

  + Domain names and resource records:

    - A, PTR, MX, CNAME, TXT, SOA/NS

  + Domain name lookup responses

  + Reverse DNS

  + DNS as client-server model

    - Resolver

    - Cache

    - Authoritative server

  + Testing DNS (dig)

  + Understanding output from dig 

  + Practical Exercises:

    - Configure Unix resolver

    - Use dig { A, other (e.g. MX), non-existent answer, reverse lookup }

    - Use tcpdump to show queries being sent to cache

THURSDAY

Session 1: A simple Unix Web Server: Apache (Dorcas Muthoni) 

• OpenOffice | PowerPoint | PDF |

• install apache22 package from FTP
• /etc/rc.conf apache_enable="YES"
• run and test
• /usr/local/etc/rc.d/apache start
• use ps to show something is running
• use lynx-ssl to browse your own server and someone else's
• use telnet to port 80 to show what's really happening
• look at its log files
• note documentation at httpd.apache.org

Session 2: E-mail (Patrick Okui) 

Internet Mail presentation: PowerPoint | PDF 

• overview of MTA/MUA, SMTP, POP3/IMAP
• test them using telnet (including forging E-mail!) and reinforce password sniffing problem
• choosing an MTA, pros/cons of exim
• overview of exim configuration: routers, transports, acls
• where to find exim docs

Session 2 Contd: building a basic mail server (Patrick Okui) 

Handout: HTML | PDF | Word Document 

• look at the Makefile for exim in ports, look at the build options
• install from ports
• exim testing: exim -V, -bt addr, -v addr, -bp
• replace sendmail with exim
• allow relaying from specific netblocks; exim -bh x.x.x.x

Session 3: pop3, imap, secure authentication (Nodumu Dhlamini)

Exercises for Maildir, Courier POP/IMAP, SqWebMail: OpenDocument | PowerPoint | PDF

• Configure Exim for Maildirs
• Install Courier authorize daemon
• Install Courier IMAP/POP server
• Generate ssl certs for IMAP/POP
• Verify functionality on ports 110, 143, 993, 995 using telnet and openssl s_client

Secure Authentication -- Skipped

Presentation: [OpenDocument | OpenOffice | PDF | PS .gz 4-up]

• Secure Authentication
• Services to consider or replace with secure authentication
• Why you want to do this
• Review what we are doing and why

Session 4: webmail and virtual mailboxes (Binta Audu) 

Handout OpenOffice | PDF

• install sqwebmail from ports. Discuss maildir and Squirrelmail?
• make any necessary apache config tweaks
• run it
• [configure authdaemon for userdb authentication and exim for userdb lookups (as time allows)]

FRIDAY

Session 1: mirroring and backup (Michuki Mwangi) 

Handouts: Backups: [OpenOffice | PDF] Mirroring: [OpenOffice | PDF]

• when backups needed (and not). What to backup. Scheduling choices.
• media choices: tape, optical, removable HD, USB/firewire HD, pipe over ssh to another machine
• methods: dd [and problems], dump/restore, tar [cpio], rsync/unison, mkisofs/burncd
• try backing up filesystems
• using tar over ssh to remote machine
• recover some files
• using dump over ssh to remote machine
• the FreeBSD-5.x/6.x GEOM subsystem (if time available)
• glabel, gmirror
• demonstrate with pair of USB drives or with two internal IDE drives

Session 2: scalability, monitoring and performance tuning (Michuki Mwangi) 

Handout: OpenDocument | PDF 

• scalability issues; the example of the bad Linux mailserver and solutions
• limits of CPU, disk I/O, disk space, RAM, network bandwidth, fixed size tables, poor data structures (linear searching)
• monitoring: review the system monitoring commands covered already and add new ones
• syslog, log rotation, configuring cron
• tweaking kernel parameters: sysctl
• [no time] other monitoring tools: mention snmpd? cricket? Or some scripts for checking partition sizes and mailing alerts?

Session 3: Summary, thank you!, and evaluations (Patrick, Sunday, Isatou, Dorcas, Binta, Michuki, Nodumu)

Return to Main Page