CompTIA Linux+ XK0-005 – Unit 09 – Networking Part 5

39. Demo – Installing and Configuring DHCP Server Services

All right, we are going to talk about installing and configuring DHCP services in case you would like to have your system be the DHCP server. So I just minimized my console window. I have to actually install that particular package. So we’re going to make sure we log on here, first of all, as the Oops root account, open up the synaptic package manager. If I can talk and type my password at the same time. There we go. And we are going to install the DHCP, and I’m going to use my search to search for DHCP. You can see that I’m already set up as a client, but there’s the one we want. We want to be the DHCP Three server. So we’re going to set up this part of it. Click apply, apply, wait for that thing to continue on. I’m going to say go ahead and close when it’s done.

All right, so now it’s ready to go. We’re ready to move forward. And it says that this is a nonauthoritative by default, which is something that deals with domain controllers, basically in a lot of your networks today. We can be killed by a rogue DHCP server. And that rogue DHCP server can actually give out addresses to cause man in the middle attacks. They could just cause network outages and everybody getting wrong IPS, wrong gateways, wrong everything, and the whole thing would come crashing down. So having one that’s authoritative means that it’s been approved by basically the administrators through their setup of Active Directory or some other directory service. Okay, looks like it’s closed. I told it to go ahead and close when it was done automatically.

So I’m going to close the manager and we’re going to go back to my command line, and we’re going to take a look now at the Etsy folder and we’re going to look at DHCP Three, which is what should have been installed, and the DHCP daemons configuration file. Now, again, remember, Less gives me a chance to move back and forth through this configuration. And we can see kind of some options that we have globally for all scopes and some of the options that you’ll see here in a second for local scopes. Lease time. So in DHCP, if you’re not familiar with this, when an address is given to you, you can only keep it for a certain length of time, and then you must give it back up. That’s the default lease time. That’s the maximum lease time. And lease time doesn’t mean that you’re never going to have the address again.

It just means you have to renew. You have to renew the lease. And usually that’s done at the halfway point. Hit the page down and it says, no service will be given on a particular subnet. Showing you some examples. Very basic declaration if you want to know how things are not supposed to be used. But anyway, what you’re seeing here are the remark files remember, the REM files are saying this is the information we need to know about how to hand out the different scopes. So as an example, you have a subnet range with a mask, which gives us an idea of the addresses I can give out. I can do another subnet with a net mask. This net mask is a little bit different. It restricts the number of addresses I can give out. I can have a range that actually hard codes the first and last address.

And those ranges are we call them, as I said, scopes. And the reason we call them scopes is that that’s the addresses in which they can hand out. Now, options with DHCP is how we can also add some extra configurations. The options, as an example, can be your default gateway. Options can be which DNS server do I want you to use, what might be your broadcast address. We even see that down here on the bottom half where we have a subnet with a very restrictive mask. And I’m not here to teach you how to do IP subnetting. So if you don’t know what range of addresses that is, that’s okay. You’ll kind of get the ideas if you start looking into how that works.

But here’s a broadcast address option. Let me page down. Here we go. Domain name servers again, telling us where they might be routers for our location of the gateways. And all of this is important stuff because these are the configurations that a PC or client IP end host, I suppose, would be the better name. That’s the information that’s going to be given to the machines that make that request. Now, we can also go out there and reserve addresses for different machines based on their Mac address if we want to. That’s also a nice thing to do as well. Here it says some hosts might have special configuration options. It could be a specific server or something else.

So you can reserve addresses, fix the addresses for them. And as I continue to move through here, you can see just a lot of different options. I mean, there’s a lot of things you can do. All right, so a lot of this gets down into some of the other interesting parts of DHCP where you can actually get into class Identifiers. We can actually set up little Identifiers in your configurations and your cards that if you match certain configurations or Identifiers, you get even different types of communications. Last, I remember playing with this, and I’m not claiming to be a DHCP expert, but you could try to set up Identifiers based on the operating system. Linux machines get this.

Windows machines get that, and that type of option within your settings. So you have a lot of options, I guess, is what I’m trying to say. A lot of things you can deal with in this DHCP. So I’m going to hit Q for quit and we’re going to see if we have any leases that we’ve handed out right now. Be kind of surprised if we are handing those out, because if I am, then I’m going to be in trouble because I might take down the poor lab network that’s dealing with some other stuff right now. So we’ll take a look at this, and I have no leases right now, which is good, and that’s what I expect. I’m hoping that I’m kind of isolated out there, but that’s the way I can check to see what addresses I’ve handed out.

So there you go. It was a very quick tour, I realized, of installing DHCP. I have to tell you that it takes planning. You should know the address ranges, you should know the reserved addresses. You should know the options that you’re going to give and then set it up on your system and make sure that you take care of any issues of authoritative use in today’s most common enterprise networks. I doubt you would just put DHCP on your workstation unless you’re trying to get name recognition by taking the network down. But you can do that very quickly, easily, by just configuring DHCP, as I’ve shown you here.

40. Network Time Services

Another service that we see that’s very common is called the network time services. Now, often that protocol is called NTP. Now, why do we care? Well, a lot of times when we want to set up secure communications, one of the attacks we have to be careful of is called a replay attack. Now, a replay attack is where somebody listens into eavesdrops and copies an encrypted communication and then replace those communications against the server for the hope of trying to get more encrypted traffic. Because generally speaking, one way to break an encryption cycle is to have a whole lot of encrypted information. It actually speeds up the time it takes to be able to figure out the key.

That’s why we often when we set up communications, like IP security, or IPsec as we call it, we set up the key lifetime based on how long the key has been there or sometimes on how much data has been exchanged, because both time and lots of data are ways to attack. All right, so if you want to communicate with me and you’re doing a replay attack, one of the reasons we like NTP is so that I can say, look, your traffic is old. It’s outside my limit or my window of what I consider to be a forgivable time difference. And so the only way we know we can actually do that is if I know both systems have the same time. How do they have the same time? Do you set the time and hope that we’re right? Or do you communicate with a central server that is basically the authoritative time source for the network? That’s what NTP does.

Other systems like the exchange of certificates for authentication, again, will not be allowed if you’re more than five minutes off in time from each other. So, again, we want to make sure we have the same time at least within a few minutes of each other. Another reason we have the NTP server. Now, the NTP server itself could be a client from yet another server. There’s a whole hierarchy with doing it, but we basically have servers and clients. The clients get their time from the servers, so that the hope is that we all are at least within a few seconds of each other, of having the exact same time. Now, the package you would download and install is the NTP package, so that you can either act as a server or act as a client.

41. Date and Time Commands

There are a number of commands that you can use to interrogate what your system sees as your date and time or to set them if you don’t want the NTP service. So the date command is one easy way that you can set your own computer’s clock. The R date is a way that you can connect to a remote server and get their current time and date. Now, R date is not NTP because it doesn’t continue annually. Go out there and make sure that you’re synchronized. One of the things that NTP does is not only does it like our date, set your time to a remote server’s time, but it also periodically checks to see if we’re roughly close to the same time. You can actually have it, say, an hour from now.

Go check the time on that server, and if you’re still within 15 seconds, you can say, yeah, we’re good enough. If it’s outside of 15 seconds, you can say, oh, we’re outdated a little bit and update again, it’s an automatic service. Our date is not unless you schedule it with a cron job. I guess HW clock is your hardware clock. You can set that, or you can start using NTP commands like NTP dates to be able to set your time to the NTP server or the ntpq, where you can monitor and retrieve information from the NTP daemon that’s running. And that’s where I said again, where we can go out and consistently synchronize or check our synchronization against the time server.

42. Demo – Installing NTP and Configuring Time Synchronization

All right, we’re going to install the NTP services and configure our time synchronization. Time is pretty important when it comes down to what we do with a lot of certificates, a lot of encryption, a lot of the communication. So we need to make sure that we are all agreeing on what time it is. It doesn’t matter the time zone. We have to go to our system here and see if we can get to System and open up the Synaptic package manager. And again, I’m going to search for NTP because that’s just so much easier than trying to go through all of the other options that we have. And what I want is the administration time. So let’s see what I have for NTP. It should just be time and date. Well, I don’t see it there. Let’s go back to sections.

Let’s see if I can just find it here real quick under System Administration and go for Time and Date. Went a little too fast with my scrolling down. All right, well, I don’t see Time and Date, so let’s go ahead and go back to the NTP selection and make sure we sort this package here alphabetically. And we’ll just choose NTP Date, and we’ll choose NTP as well. Okay, we’ll apply those. We’ll see what happens here as we go through this process of putting them in. Okay, so we should have those taken care of. And now we’re going to go to System and we’re going to do administration. We’re going to click on Time and Date. And here we go. So now we get to start doing some settings here with our time and Date.

Now, if you were not already logged in as the route or had provided those credentials, you’d probably get a little notice here from the server saying, I need to have your root password and everything else. I just clicked on the time zone, if you didn’t notice that. And I’m going to go to the time zone and click on the Eastern Coast. Now, it is kind of silly the way that we do these time zones. You have to kind of know what time zones these different places are in. Anyway. So anyway, I clicked on American New York so I can be on the East Coast. And here, of course, it says we’re going to try to keep synchronized with Internet servers, or we can do this manually. We’ll stay with those and then I can click even these different types of servers that I stay connected with.

A lot of these are open for you to use. The only thing you want to be careful of is the verification that they actually do exist. So we’ll add those in and then close. Let’s see if I did select those servers. Let’s make sure they’re still there. Okay. And just like that, when you’re done, you can close the setting. And the goal is to make sure that you have the right time. So having set that up as the synchronization, the next thing we want to do is make sure that we actually have that kind of configuration set up. So we’re going to use the less command. We’re going to go to Etsy to the NTP configuration and see what we have set up. All right, so we see here that we’re going to statistics, generate files, clock stats. As I’m scrolling through here, we’re going to go down here.

There we go. We’ve got different servers that we already are set up to use. And then here’s the two that I added on. So those are going to be the servers that we use to keep our time synchronized. The last two are the ones that I added in there. These others from Debian were already part of our configuration. So that looks good for us there. As far as making sure that we are ready to keep time with those. The next thing we’re going to do is type in the command date. We see the current date and time there and then we’re going to try ntpq with the help. So you can see this command and I should have fed that into a more put the more in there. And you can see there are a couple of options and one of the things we can do is put in our peer request and versions. Okay, so again, I can hit the space bar, take a look at some of the options.

But what we’re going to do is we’re going to actually run that NTP queue with the P. We want to look at the peers and the reason we want to do that is to see who we are peered with and knowing the information about basically where we’re going to go out and get our time information from. So there’s the list of my peers. So just like that, we’ve set this up to have a time server. We’re using some of the free ones. Remember, there are some that you might have within your own network that you choose to use. It just depends on your network solution. But these are using ones that are open and available for most everybody. The biggest downside is verifying those are real servers so you don’t get your time information actually skewed for the purpose of having other types of attacks.

43. Internet Super Daemon

Now, the internet super daemon is a kind of in between running every daemon or not running every daemon. And here’s what I mean by that. It helps manage the different types of services that we need in our network without you having to run all of those services. Maybe that’s still not clear. So here’s another example. Let’s say that you on occasion need to have the FTP Damon running, but you very rarely are an FTP server. So the internet super Damon’s job is to intercept that call for FTP when it does happen and then start the FTP daemon for that specific incident, let that daemon run and then shut it back down when you’re done. So it helps manage the dependent services without having to have them all running. Its job then is just to conserve system resources and that’s kind of a nice feature.

Now, some might argue that it makes the server a little slower to respond because you have to wait for daemons to start. And sometimes some daemons take a little bit of time to start. So there’s some truth to that, that it may feel at first of a bit of a slowdown, but once it’s running, everything else is fine. In debian that’s the initvin not it that is found in your daemon and it’s configuration files under Etsy. In the red hat it’s called the Xin ETD for the SuperNet, basically the Internet super daemon. And again its configuration or directory is found under Etsy with the same name of the actual Damon itself. And there may be some other standalone Damon that can do this for you depending on the type of distribution that you’re using.

• Category: Uncategorized