Using PPP with GNU/Linux

Platform: Linux
Level of Difficulty: Intermediate


What Is Linux?

For our purposes, Linux is a Unix-like operating system that can run on a PC.  Because of its Unix-like qualities, Linux is slightly more difficult to use than Windows 95, 98 or Millennium, and has a somewhat steeper learning curve.  In the end, however, it gives users more power by supporting a true multitasking, multi-user environment.  It makes things like file sharing, programming, and networking more affordable and accessible to everyone.  Did I also happen to mention that the Linux operating system itself is free?

There are many "flavors" of Linux available to consumers.  Some of these include Red Hat Linux, Linux Mandrake, and SuSe.  A full list of all Linux distributors can be found at http://www.linux.org, along with the most recent Linux news and information.  Another great site for information about Linux is The Linux Documentation Project, which is dedicated to informing users about new happenings in the Linux world.  There are also some free online books at that site that you can download to read about the operating system.

Dialup Networking Using Linux

Configuring Linux to connect to the internet using a dialup connection can be a bit tricky.  It's not like setting up a Windows machine to dial into Rutgers, where all the work is done in the background.  As a Linux user, there are certain file permissions that must be changed and files that must be edited before the machine can run on any network.  At Rutgers, along with the setup itself, there are also certain rules that you must follow for network security reasons.

Things to Do Before using PPP

Before you set up a PPP connection, we highly recommend that you read the Linux "Security HOWTO" at: http://metalab.unc.edu/LDP/HOWTO/Security-HOWTO.html
There is a lot of material in that HOWTO, but in particular you should read the sections on:
    • Local Security
    • File Permissions
    • Shadow Passwords
    • Network Security
You will also need to read the document Using a Modem with Linux on how to set up the modem on your Linux machine.

Secure Your Password File

Your Linux system may be storing password information in the /etc/passwd file.  While this sounds reasonable (after all, it's called the "password" file), there is a better place for password information to be stored: /etc/shadow.   Check for the existence of the "shadow" file by logging into your system as root and typing:

    ls -l /etc/shadow

If you don't see a shadow file listing similar to this:

    -r-------- 1 root root 639 Nov 16 23:15 /etc/shadow

(Note: the file size, 639, and the timestamp, "Nov 16 23:15", may be different for your shadow file.  The name of the file may also be different depending on which flavor of Linux you are using.)

Then type:

    /usr/sbin/pwconv

to convert your password file so that it uses the more secure /etc/shadow file.  This removes all the password hashes from /etc/passwd and stores them in a file that only the root user can access.  This isn't foolproof, but it's much more secure than keeping password hashes in /etc/passwd, which is a file that anyone can read.  Note: DO NOT try to change the permissions on either the passwd or shadow files; leave them at their default settings.
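As an added check (example script, not from the original page) that the conversion took: list accounts whose hash is still in the passwd file, and confirm the shadow file is unreadable by "other". The function names are hypothetical and the sample files are constructed; the check relies only on standard awk, ls and cut.

```shell
#!/bin/sh
# Check whether pwconv has actually done its job: no password hashes left in
# the passwd file, and the shadow file unreadable by "other".
# Added example; file paths are parameters so it can run on copies of the files.

# Print login names whose second field is a real hash rather than the 'x'
# placeholder that pwconv leaves behind ('*', '!' and empty are locked or
# no-password markers, not hashes, so they are not reported).
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }' "$1"
}

# Return 0 when the file exists and the "other" permission bits are all off
# (columns 8-10 of ls -l are "---", as in the -r-------- listing above).
shadow_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c8-10)" = "---" ]
}

# Constructed sample files; as root, run the two functions against
# /etc/passwd and /etc/shadow for the real check.
demo() {
    dir=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$dir/passwd"
    printf 'alice:$1$ab$placeholderhash:1000:1000::/home/alice:/bin/sh\n' >> "$dir/passwd"
    printf 'nobody:*:65534:65534::/:/bin/false\n' >> "$dir/passwd"
    printf 'root:$1$ab$placeholderhash:12345:0:99999:7:::\n' > "$dir/shadow"
    chmod 400 "$dir/shadow"
    echo "accounts still carrying a hash in passwd:"
    unshadowed_accounts "$dir/passwd"          # alice
    shadow_perms_ok "$dir/shadow" && echo "shadow file not readable by others"
    rm -rf "$dir"
}

demo
```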
 
 

Restricting Services

For security purposes the use of certain services must be restricted on your machine.  The two main services that must be restricted are telnet and ftp.

For telnet and ftp services, you have two options for restricting them:

    • Completely stop the services by commenting the appropriate lines in /etc/inetd.conf or /etc/xinetd.conf
    • Block the services, using tcp_wrappers
Whichever option you choose, you'll need to log in as root.  If you have logged into your system under another username, you can use the su (super user) command to become root.  To do this, type su at the command prompt and, when prompted, type in the root password.

xinetd.conf vs inetd.conf

Inetd.conf and xinetd.conf are two important files that can only be accessed by root and list all the services that are running on your Linux system.  The inetd.conf file is found on older versions of Linux, and xinetd.conf on the newer versions.  To find out which file your system has, type: ls /etc/ | more.  This lets you browse the files in the /etc directory so you can look for either of these files.  It is important to know whether you have xinetd or inetd because the way you restrict services is different on each.  The following two sections go through this process.

inetd.conf

The inetd.conf file is an important file that lists all the services that are running on your system.  In order to restrict these services we have to edit the file itself.  We do this by typing:

    pico -w /etc/inetd.conf

Now we can check the entries for the following services: ftp, telnet, gopher, shell, login, talk, ntalk, pop-2, pop-3, imap, and finger (some of these entries may be missing or commented out; if they are, ignore them).

For option #1, just edit /etc/inetd.conf with the editor of your choice (i.e. vi, emacs, or pico; it doesn't matter as long as the editor does not use word wrapping) and place a # (pound sign) at the beginning of the lines for telnet, ftp, and gopher.

For option #2, make sure that in the sixth column of /etc/inetd.conf  each of the services listed above has:

    /usr/sbin/tcpd

as its entry.

After you make your changes (for either option 1 or 2), type:

    ps -ax | grep inetd

to find out the process number of inetd.  The above command should return something similar to the following:

    667 ? S 0:00 /usr/sbin/inetd

"667" would be the process number of inetd. Now you must kill the process and restart it:

    kill -9 667
    /usr/sbin/inetd

Do another 'ps -ax | grep inetd' to make sure that inetd has started up again.

If you chose option #2, now you must create two plain text files:

    /etc/hosts.deny
    /etc/hosts.allow

to block certain services using the tcp_wrapper (which is what /usr/sbin/tcpd is).

In /etc/hosts.deny, you should have at least these entries:

    in.ftpd: ALL
    in.telnetd: ALL
    in.rshd: ALL
    in.rlogind: ALL
    in.rexecd: ALL
    in.fingerd: ALL

In /etc/hosts.allow, you want at least:

    in.ftpd: LOCAL
    in.telnetd: LOCAL
    in.rshd: LOCAL
    in.rexecd: LOCAL
    in.rlogind: LOCAL
    in.fingerd: LOCAL

This will allow you to use programs like ftp, telnet, rsh, rexec, rlogin, and finger from your machine to other machines, and from your machine to itself, but no one will be able to use any of these programs to connect to your machine from outside of it.   (i.e. a user on rci or eden would not be able to telnet, ftp, rlogin, or finger your machine.)
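An added audit script (not from the original page) for the inetd.conf and hosts.deny setup just described: it reports, for each service the text names, whether it is disabled, wrapped through /usr/sbin/tcpd (so the hosts.allow/hosts.deny rules apply), or started directly with the wrapper bypassed, and lists which of the daemons above hosts.deny does not deny for ALL. Function names are hypothetical and the sample files are constructed; file paths are parameters so it can be run against the real /etc files as root.

```shell
#!/bin/sh
# Audit helpers for the inetd + tcp_wrappers setup described above.
# Added example, not part of the original page.

SERVICES="ftp telnet gopher shell login talk ntalk pop-2 pop-3 imap finger"
WRAPPED_DAEMONS="in.ftpd in.telnetd in.rshd in.rlogind in.rexecd in.fingerd"

# Print one line per service: disabled (no active line), wrapped (sixth
# column is /usr/sbin/tcpd), or EXPOSED (server started directly).
audit_inetd() {
    for svc in $SERVICES; do
        line=$(grep -v '^[[:space:]]*#' "$1" | awk -v s="$svc" '$1 == s { print; exit }')
        if [ -z "$line" ]; then
            echo "$svc: disabled"
        elif [ "$(printf '%s\n' "$line" | awk '{ print $6 }')" = "/usr/sbin/tcpd" ]; then
            echo "$svc: wrapped"
        else
            echo "$svc: EXPOSED (started directly, tcp_wrappers bypassed)"
        fi
    done
}

# Print the daemons from WRAPPED_DAEMONS that hosts.deny does not deny for ALL.
missing_deny() {
    for d in $WRAPPED_DAEMONS; do
        grep -Eq "^[[:space:]]*$d[[:space:]]*:[[:space:]]*ALL" "$1" || echo "$d"
    done
}

# Constructed sample files, to show the output without touching /etc.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/inetd.conf" <<'EOF'
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd       in.ftpd -l -a
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd       in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd in.fingerd
EOF
    printf 'in.ftpd: ALL\nin.telnetd: ALL\n' > "$dir/hosts.deny"
    audit_inetd "$dir/inetd.conf"        # ftp wrapped, telnet disabled, finger EXPOSED
    echo "daemons not denied in hosts.deny:"
    missing_deny "$dir/hosts.deny"       # in.rshd in.rlogind in.rexecd in.fingerd
    rm -rf "$dir"
}

demo
```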

There are other things discussed in the Security-HOWTO that you should read about (as mentioned above) before you link your Linux machine up to the network using PPP (or any other method).
 

xinetd.conf

Very recently (as of Red Hat 7.0) the inetd.conf file was replaced with xinetd.conf.  Xinetd.conf does the same thing inetd.conf did, but it is set up differently.  Instead of being set up like a list, it is set up like a series of functions, each of which configures a certain service.  The two files are set up so differently that the way you restrict a service is also different.  First let's open the file for editing by typing: pico -w /etc/xinetd.conf
As you browse this file you will see the different functions pertaining to a specific service.  An example of this is the following (the xinetd keyword is "disable", not "disabled"):

    service telnet
    {
        disable        = no
        flags          = REUSE
        socket_type    = stream
        wait           = no
        user           = root
        server         = /usr/sbin/in.telnetd
        log_on_failure += USERID
    }

A function just like this exists for all the different services that are running on your machine.  To turn off a specific service you set the "disable" variable to "yes".

If you want to restrict services so that they are not available to users from the outside you have to add a variable called only_from to the function belonging to that service.  You would add this variable in the following form:

only_from = LOCAL

Now only users on your machine can access those services.
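As an added example (not from the original page), a small awk-based editor for the service blocks shown above: it sets or inserts one `key = value` line inside a named service block and leaves every other block untouched, so you can apply "disable = yes" or "only_from = LOCAL" without hand-editing. It assumes a single file laid out as in the example above (one block per service, key names as the first word on their line); the function names are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# xinetd_set SERVICE KEY VALUE FILE: print FILE with "KEY = VALUE" set inside
# the "service SERVICE" block (replacing an existing KEY line, or inserting one
# before the closing brace). Other blocks are passed through unchanged.
xinetd_set() {
    awk -v s="$1" -v k="$2" -v v="$3" '
        $1 == "service" && $2 == s { inblock = 1 }
        inblock && $1 == k          { print "\t" k " = " v; seen = 1; next }
        inblock && $1 == "}"        { if (!seen) print "\t" k " = " v; inblock = 0; seen = 0 }
        { print }
    ' "$4"
}

# xinetd_get SERVICE KEY FILE: print the value of KEY in the SERVICE block
# (nothing if the key is absent), used to verify the edit before installing it.
xinetd_get() {
    awk -v s="$1" -v k="$2" '
        $1 == "service" && $2 == s { inblock = 1 }
        inblock && $1 == "}"       { inblock = 0 }
        inblock && $1 == k         { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$3"
}

# Constructed sample: disable telnet, then restrict ftp to local users only.
demo() {
    dir=$(mktemp -d)
    printf 'service telnet\n{\n\tdisable = no\n\tserver = /usr/sbin/in.telnetd\n}\n' > "$dir/xinetd.conf"
    printf '\nservice ftp\n{\n\tdisable = no\n}\n' >> "$dir/xinetd.conf"
    xinetd_set telnet disable yes "$dir/xinetd.conf" > "$dir/step1"
    xinetd_set ftp only_from LOCAL "$dir/step1" > "$dir/step2"
    cat "$dir/step2"
    echo "telnet disable = $(xinetd_get telnet disable "$dir/step2")"   # yes
    echo "ftp only_from = $(xinetd_get ftp only_from "$dir/step2")"      # LOCAL
    rm -rf "$dir"
}

demo
```

Review the printed result and copy it over the real file only after checking it, then restart xinetd as the page describes for inetd.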

Linuxconf

Another way to restrict or deny services on your machine is to use a graphical program like Linuxconf.  This is available on most versions of Linux, although a few do not have it.  Those that do not have it usually have a similar program, but you will have to refer to the user's manual for your version of Linux.  Another thing to be aware of is that, depending on which distribution of Linux you are using, linuxconf may look a little different.  Even though the names of the menus may differ slightly, the basic steps will be the same.    If you want to download the version of linuxconf that was made for your specific distribution, go to the Rutgers Linux Resource Page and download it from one of the links.  Once you have installed linuxconf, you can start the program by opening an X-terminal session and typing linuxconf.  A menu with buttons and tabs will come up.  Then:
    • Click on the Control tab, followed by the button named Control Panel.  The Control Panel menu will come up.
    • From this menu, click on the button named Control Service Activity and then Commands and Daemons.  You will be given a list of all the services available on your system.
    • Scan the list for the entry called ftp.  Single-click on it and change the choice from enabled to disabled.
    • Scan the list for telnet.  Single-click on it and once again change the choice from enabled to disabled.
    • Click on OK, and reboot your system.
Now that your Linux system is secure, let's set up your dialup connection.
 
 

Starting PPP

Different Linux software publishers provide different tools for using PPP.  Some versions of Linux include a set of X Windows based programs that provide you with a graphical interface to PPP dialup.  An example of such software is linuxconf, which is included with most versions of Linux.

There is a way to configure dialup networking manually with Linux.  This process is not only tedious, but also has the potential to create a great many security holes if one is not careful.  For this reason, configuring Linux to dial into the Rutgers network this way is neither supported nor suggested.  In the next few sections I'll be going over how to configure your PPP connection using linuxconf.  (Note: you must be logged in as root in order to use either procedure.)

Linuxconf
Linuxconf is a graphical system administration tool that can be used to set up a PPP connection in Linux.   Because of its graphical qualities it is an easy tool for those familiar with Windows dialup configuration.  First make sure you are logged into Linux as the root user.  To start the linuxconf program, open an X-terminal session, type linuxconf at the prompt and press enter.  This will bring up something similar to this figure:

Notice there are three tabs on the linuxconf main menu screen: the Config tab, the Control tab, and the Status tab.
When the Config tab is selected click on Networking to display the Network Configurator menu.

Make sure the client task tab is selected. Click on the PPP/SLIP/PLIP button at the bottom of the client task tab.  This will bring up the PPP/SLIP/PLIP configuration dialog box.

Click on Add and then select the PPP option in the Type Of Interface box.

At the PPP interface box, type in the following:

    phone number = the Rutgers Dialup Number you would like to use (see the "Rutgers University Dialup Numbers" web page)
    modem port = the port to which your modem is connected (see the "Setting Up Your Modem with Linux" document)
    PAP authentication = this should be checked
    Login Name = your username (eden or rci NetID)
    Password = the password for your account

Click on the Accept button.

Now you will be brought back to the PPP/SLIP/PLIP Configurations dialog panel which will now contain an entry for the new connection you just created. Click on the PPP0 connection on the PPP/SLIP/PLIP configurations dialog panel  to display the PPP interface dialog box for this connection.

On the Hardware Tab make sure you select the following options:

-Use hardware flow control and modem lines
-Abort connection on well known errors
-Allow any users to (de)activate the interface

Click on the accept button and click on quit.  Now we are back to the Network Configuration Panel.  Click on the Name Server Specification (DNS) button.  This will bring the Resolver Configuration panel up:

Fill in the following information:

default domain rutgers.edu
IP of nameserver1 128.6.224.114
IP of nameserver2 128.6.216.19
(Note: these nameserver addresses are for Rutgers/New Brunswick.  If you are dialing into the Newark or Camden campuses, please refer to the web page http://www-td.rutgers.edu/services/Network_Service_Systems/index.html and use the DNS numbers for your specific campus.)
Click on accept, and then quit out of the remaining windows. Now your PPP connection has been configured.

Making The Connection:
To start up the PPP connection that you just created, you have to use a program called usernet.  You can dial into Rutgers by starting an X Windows session and typing usernet at the command prompt.  A box will come up showing your connection, along with all the other PPP connections on your system.  Click on the connection that represents your account at Rutgers.  Your connection should now be established.


Copyright © 2008 Rutgers, The State University of New Jersey, NBCS Help Desk. All rights reserved.

06/23/05