BSc CSIT (TU) Science Network and System Administration (BSc CSIT, CSC412) Question Paper 2075 Nepal
This is the official BSc CSIT (TU) (Science stream) Network and System Administration (BSc CSIT, CSC412) question paper for 2075, as set in the regular annual examination. It carries 60 full marks and a time allowance of 180 minutes, across 12 questions.
Section A: Long Answer Questions
Attempt any TWO questions.
Explain the process of installing and configuring a web server (Apache). Discuss virtual hosting and access control.
Installing and Configuring an Apache Web Server
1. Installation
Apache (the httpd/apache2 package) is installed using the system package manager:
# Debian / Ubuntu
sudo apt update
sudo apt install apache2
# RHEL / CentOS / Fedora
sudo yum install httpd # or: dnf install httpd
After installation, start and enable the service so it survives reboots:
sudo systemctl start apache2 # httpd on RHEL
sudo systemctl enable apache2
sudo systemctl status apache2
Verify by browsing to http://server-ip/ — the default Apache welcome page should appear.
2. Configuration files
| File / Directory | Purpose |
|---|---|
| /etc/apache2/apache2.conf (or /etc/httpd/conf/httpd.conf) | Main global configuration |
| /etc/apache2/sites-available/, sites-enabled/ | Virtual host definitions |
| /var/www/html/ | Default document root (web content) |
| /var/log/apache2/ | access.log and error.log |
Key directives include Listen 80, ServerName, DocumentRoot, and DirectoryIndex index.html.
3. Virtual Hosting
Virtual hosting lets one server host multiple websites. Two main types:
- Name-based virtual hosting — multiple domains share one IP; Apache selects the site using the HTTP Host: header. Most common.
- IP-based virtual hosting — each site has its own IP address.
Example name-based virtual host:
<VirtualHost *:80>
ServerName www.site1.com
DocumentRoot /var/www/site1
ErrorLog ${APACHE_LOG_DIR}/site1_error.log
</VirtualHost>
<VirtualHost *:80>
ServerName www.site2.com
DocumentRoot /var/www/site2
</VirtualHost>
Enable a site with sudo a2ensite site1.conf and reload Apache.
4. Access Control
Access control restricts who may reach a resource. Using <Directory> blocks with mod_authz_core (Apache 2.4):
<Directory /var/www/site1/private>
# IP / host based control
Require ip 192.168.1.0/24
Require all denied
</Directory>
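For password (authentication-based) access, use Basic authentication with a password file created by htpasswd; the same directives, without the <Directory> wrapper, can go in a .htaccess file: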
<Directory /var/www/secure>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
sudo htpasswd -c /etc/apache2/.htpasswd admin
5. Apply changes
Always test the syntax and reload:
sudo apachectl configtest
sudo systemctl reload apache2
What is LDAP? Explain the LDAP directory structure and how it is used for centralized authentication.
LDAP (Lightweight Directory Access Protocol)
LDAP is an open, vendor-neutral application protocol for accessing and maintaining distributed directory information services over an IP network. A directory is a specialized, read-optimized database that stores information about users, groups, computers, printers and other network resources in a hierarchical (tree) form. LDAP typically runs on TCP/UDP port 389 (and 636 for LDAPS/secure). Common implementations: OpenLDAP, Microsoft Active Directory, 389 Directory Server.
LDAP Directory Structure (DIT)
The data is organised as a Directory Information Tree (DIT) — an inverted tree of entries:
dc=example,dc=com                <- root / base DN
├── ou=People
│   └── uid=alice,ou=People,dc=example,dc=com
└── ou=Groups
    └── cn=admins,ou=Groups,...
Key terms:
- Entry — a single record (e.g., a user), uniquely identified by its DN (Distinguished Name), e.g. uid=alice,ou=People,dc=example,dc=com.
- RDN (Relative DN) — the leftmost component, e.g. uid=alice.
- Attributes — name/value pairs describing the entry (cn, sn, uid, mail, userPassword).
- objectClass — defines which attributes an entry must/may have (e.g. inetOrgPerson, posixAccount).
- Naming components: dc (domain component), ou (organizational unit), cn (common name), uid (user id).
Centralized Authentication
Instead of every server keeping its own /etc/passwd, user accounts are stored once in the LDAP directory and all servers query it:
- A user logs into any client machine and supplies username + password.
- The client performs an LDAP bind operation — it searches for the user's entry (e.g. uid=alice) to obtain the DN, then attempts to bind with that DN and the supplied password.
- If the bind succeeds, the password is correct and authentication is granted; the entry's posixAccount/posixGroup attributes also supply UID, GID, home directory and shell.
- On Linux this is wired in via PAM (for authentication) and NSS / nss-pam-ldapd / SSSD (for user and group lookups).
Benefits
- Single source of truth — add/disable a user in one place.
- Consistent identity across many machines and services (mail, VPN, web apps, SSO).
- Easier auditing and password-policy enforcement.
- Use LDAPS / StartTLS to encrypt credentials in transit.
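The search-then-bind login described under Centralized Authentication, written out with the OpenLDAP command-line clients as an added example (not part of the original answer). It escapes the user name before placing it in the search filter, rejects an empty password (a simple bind with a DN and no password is an unauthenticated bind, which some servers accept), and requires StartTLS. The server URI, the base DN and permission for anonymous search are assumptions.

```shell
#!/bin/sh
# Added example: search-then-bind login check using ldapsearch / ldapwhoami.
LDAP_URI=${LDAP_URI:-ldap://ldap.example.com}        # assumed server
LDAP_BASE=${LDAP_BASE:-ou=People,dc=example,dc=com}  # from the example DIT

# ldap_escape VALUE: escape the characters that are special in a search
# filter (RFC 4515): \ * ( ) become \5c \2a \28 \29. Backslash goes first.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# ldap_login USER PASSWORD_FILE: return 0 only if exactly one entry matches
# USER and a bind as that entry succeeds with the password in PASSWORD_FILE.
# The file must hold the password with no trailing newline (-y uses it whole).
ldap_login() {
    user=$1 pwfile=$2
    # Empty user or empty password must never reach the server as a login.
    [ -n "$user" ] && [ -s "$pwfile" ] || return 1
    filter="(&(objectClass=posixAccount)(uid=$(ldap_escape "$user")))"
    # Step 1: search for the entry to learn its DN. -ZZ makes StartTLS
    # mandatory; "1.1" asks for no attributes, only the DN.
    # Assumes anonymous search is allowed; otherwise add a service account.
    dn=$(ldapsearch -x -ZZ -LLL -o ldif-wrap=no -H "$LDAP_URI" \
             -b "$LDAP_BASE" "$filter" 1.1 | sed -n 's/^dn: //p')
    # Zero matches or more than one match: reject.
    [ -n "$dn" ] || return 1
    [ "$(printf '%s\n' "$dn" | grep -c '^')" -eq 1 ] || return 1
    # Step 2: bind as that DN. Reading the password from a file keeps it
    # out of the process list, unlike -w on the command line.
    ldapwhoami -x -ZZ -H "$LDAP_URI" -D "$dn" -y "$pwfile" >/dev/null 2>&1
}
```

In production this logic lives in PAM/SSSD rather than a script; the function only makes the two steps and their checks visible.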
Explain network monitoring and performance tuning. Discuss the tools used for monitoring network and system performance.
Network Monitoring and Performance Tuning
Network Monitoring
Network monitoring is the continuous process of observing a network's components (links, routers, switches, servers, services) to detect faults, measure utilisation, ensure availability, and trigger alerts when thresholds are crossed. It answers questions such as: Is the host up? How much bandwidth is used? What is the latency, packet loss, CPU and memory load?
Key metrics monitored:
- Bandwidth / throughput and link utilisation
- Latency (RTT) and jitter
- Packet loss / errors / collisions
- CPU, memory, disk I/O and load average of hosts
- Service availability (up/down, response time)
Monitoring approaches: active (sending probes, e.g. ping/SNMP polls) and passive (capturing/analysing live traffic).
Performance Tuning
Performance tuning is adjusting system and network parameters to improve speed, throughput and reliability. Steps:
- Establish a baseline of normal performance.
- Identify the bottleneck (network, CPU, memory, disk, or application).
- Tune the resource, for example:
  - Network: increase MTU/jumbo frames, tune TCP window size (net.ipv4.tcp_* sysctls), enable QoS, upgrade links, balance traffic.
  - System: add RAM, tune swappiness, use faster disks/RAID, optimise the number of worker processes.
- Re-measure and iterate; document the change.
Tools for Monitoring Network and System Performance
| Tool | Type | Use |
|---|---|---|
| ping, traceroute/mtr | CLI | Reachability, latency, route/loss diagnosis |
| netstat / ss | CLI | Open connections, listening ports, sockets |
| iftop, nload, bmon | CLI | Real-time per-interface bandwidth |
| iperf / iperf3 | CLI | Measure throughput between two hosts |
| tcpdump, Wireshark | Packet capture | Deep packet/protocol analysis |
| top, htop, vmstat, iostat, sar | CLI | CPU, memory, disk and system load |
| Nagios / Icinga | Server | Availability monitoring, alerting |
| Zabbix / PRTG | Server | Metrics collection, dashboards, alerts |
| Cacti / MRTG / Grafana | Graphing | Trend graphs (often via SNMP) |
| SNMP + manager | Protocol | Poll device counters (interface stats, errors) |
Conclusion
Monitoring detects problems and supplies data; tuning uses that data to remove bottlenecks. Together they keep the network and systems available, fast and reliable.
Section B: Short Answer Questions
Attempt any EIGHT questions.
What is the role of /etc/passwd and /etc/shadow files?
Role of /etc/passwd and /etc/shadow
/etc/passwd stores basic user-account information and is world-readable. Each line has 7 colon-separated fields:
username:x:UID:GID:GECOS(comment):home_directory:login_shell
alice:x:1001:1001:Alice Sharma:/home/alice:/bin/bash
The x in the second field means the actual password is not stored here but in /etc/shadow.
/etc/shadow stores the encrypted (hashed) passwords and password-aging information. It is readable only by root (mode 640, owner root), which improves security. Its 9 fields are:
username:hashed_password:last_change:min:max:warn:inactive:expire:reserved
- hashed_password — salted hash (e.g. SHA-512, $6$...); * or ! means login disabled.
- aging fields control minimum/maximum days between changes, warning period and account expiry.
Why split them: /etc/passwd must be readable by many programs to map UIDs to names, but exposing password hashes there would allow offline cracking. Moving the hashes to root-only /etc/shadow protects them — this is called shadowing.
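The field layout above is enough to audit a shadow file mechanically. The following added example (not part of the original answer) reads a shadow-format file and reports entries with an empty password field, a weak hash scheme or no maximum password age, and warns if the file itself is readable by others. The sample entries are constructed and their hash strings are placeholders.

```shell
#!/bin/sh
# Added example: audit a shadow-format file (9 colon-separated fields).
# Field 2 is hashed_password, field 5 is the maximum password age in days.

audit_shadow() {
    file=$1
    # Hashes must stay unreadable to ordinary users: flag an "others: r" bit.
    if [ -n "$(find "$file" -prune -perm -0004)" ]; then
        echo "FILE: readable by others"
    fi
    awk -F: '
        NF != 9       { print $1 ": malformed entry"; next }
        $2 == ""      { print $1 ": empty password field"; next }
        $2 ~ /^[!*]/  { next }    # login disabled, nothing to crack
        $2 ~ /^\$1\$/ { print $1 ": weak MD5-crypt hash" }
        $2 !~ /^\$/   { print $1 ": traditional DES crypt hash" }
        $5 == "" || $5 + 0 >= 99999 { print $1 ": no maximum password age" }
    ' "$file"
}

# make_sample FILE: write constructed test entries (placeholder hashes).
make_sample() {
    cat > "$1" <<'EOF'
root:!:19700:0:99999:7:::
alice:$6$SALT$PLACEHOLDERHASH:19700:0:90:7:::
bob::19700:0:99999:7:::
carol:$1$SALT$PLACEHOLDERHASH:19700:0:90:7:::
dave:$6$SALT$PLACEHOLDERHASH:19700:0:99999:7:::
EOF
    chmod 640 "$1"
}

# Demonstration on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
audit_shadow "$sample"
rm -f "$sample"
```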
Explain the boot process of a Linux system.
Linux Boot Process
The Linux system starts in the following ordered stages:
- BIOS / UEFI (POST): On power-on, firmware runs the Power-On Self-Test to check hardware, then locates a bootable device and loads the first sector (MBR) or the EFI System Partition.
- Boot Loader (GRUB): The bootloader (commonly GRUB2) is loaded. It shows the boot menu, lets the user pick a kernel/OS, and loads the selected Linux kernel and the initrd/initramfs into memory.
- Kernel initialization: The kernel decompresses, initialises hardware and device drivers, mounts the temporary initramfs root filesystem, then mounts the real root filesystem (/) and starts the first user-space process, PID 1.
- init / systemd (PID 1): The first process — modern systems use systemd (older ones used SysV init with runlevels). It brings the system to the configured target (e.g. multi-user.target or graphical.target), starting required services/daemons in dependency order.
- Services & Login: systemd starts background services (networking, sshd, etc.) and finally launches getty / a display manager, presenting the login prompt. The user logs in and a shell/desktop session begins.
Summary chain: BIOS/UEFI → GRUB → Kernel + initramfs → systemd(PID 1) → target/services → login.
What is a cron job? How is it scheduled?
Cron Job
A cron job is a command or script that is scheduled to run automatically at fixed times, dates or intervals on Unix/Linux systems. The scheduling is managed by the cron daemon (crond), which wakes up every minute and runs any job whose time specification matches the current time. Cron jobs are used for recurring administrative tasks such as backups, log rotation, sending reports and clearing temporary files.
How it is scheduled
Jobs are defined in a crontab (cron table). A user edits their own crontab with:
crontab -e # edit
crontab -l # list
Each line has five time fields followed by the command:
┌───── minute (0–59)
│ ┌──── hour (0–23)
│ │ ┌─── day of month (1–31)
│ │ │ ┌── month (1–12)
│ │ │ │ ┌─ day of week (0–7, 0/7 = Sunday)
│ │ │ │ │
* * * * * command_to_run
Special characters: * = every value, , = list, - = range, */n = every n units.
Examples
30 2 * * * /home/user/backup.sh # 2:30 AM every day
0 */6 * * * /usr/bin/sync.sh # every 6 hours
0 9 * * 1 /scripts/weekly.sh # 9 AM every Monday
System-wide jobs live in /etc/crontab and /etc/cron.d/, plus the cron.daily, cron.weekly, cron.monthly directories.
Differentiate between TCP and UDP.
TCP vs UDP
Both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are Transport-layer protocols, but they differ as follows:
| Feature | TCP | UDP |
|---|---|---|
| Connection | Connection-oriented (3-way handshake before data) | Connectionless (no handshake) |
| Reliability | Reliable — acknowledgements + retransmission | Unreliable — no ACK, no retransmission |
| Ordering | Delivers data in order (sequence numbers) | No ordering guarantee |
| Flow / congestion control | Yes (windowing, congestion control) | No |
| Error handling | Detects errors and recovers | Checksum only; drops bad packets |
| Speed / overhead | Slower, higher overhead | Faster, low overhead |
| Header size | 20 bytes (min) | 8 bytes |
| Data unit | Segment / byte-stream | Datagram |
| Use cases | Web (HTTP/HTTPS), email (SMTP), FTP, SSH | DNS, DHCP, VoIP, video streaming, online games |
Summary: Use TCP when reliable, ordered, complete delivery is required; use UDP when speed and low latency matter more than guaranteed delivery.
What is SNMP? Explain its use in network management.
SNMP (Simple Network Management Protocol)
SNMP is a standard application-layer protocol used to monitor and manage network devices — routers, switches, servers, printers — from a central station. It operates over UDP port 161 (manager-to-agent requests) and port 162 (agent traps to the manager).
Components
- Managed device — the network node being monitored.
- Agent — software running on the managed device that exposes management data.
- NMS (Network Management Station) / Manager — software (e.g. Nagios, Zabbix, Cacti, PRTG) that polls agents and presents data.
- MIB (Management Information Base) — a hierarchical database of objects (counters, status values) the device exposes; each object has a unique numeric OID (Object Identifier).
How it is used in network management
- The manager polls agents with GET / GETNEXT / GETBULK requests to read values such as interface traffic counters, errors, CPU and uptime.
- The manager can change a configuration value with a SET request.
- An agent can asynchronously notify the manager of an event (e.g. a link going down) by sending a TRAP (or INFORM) to port 162.
- Collected values are graphed and trigger alerts when thresholds are exceeded.
Versions
- v1/v2c — use a plain-text community string (public/private) for access — insecure.
- v3 — adds authentication and encryption (USM), the recommended secure version.
SNMP underlies most fault, performance and availability monitoring tools in network administration.
Explain RAID levels 0, 1, and 5.
RAID Levels 0, 1 and 5
RAID (Redundant Array of Independent Disks) combines multiple physical disks into one logical unit for improved performance, capacity and/or fault tolerance.
RAID 0 — Striping
- Data is split into blocks and striped across all disks (no redundancy).
- Pros: highest performance, 100% usable capacity (no space lost).
- Cons: no fault tolerance — failure of any single disk loses all data.
- Minimum disks: 2. Usable capacity = disk size.
RAID 1 — Mirroring
- Data is duplicated (mirrored) identically on two (or more) disks.
- Pros: full redundancy — survives the loss of one disk; good read performance.
- Cons: 50% capacity overhead (usable = size of one disk).
- Minimum disks: 2. Usable capacity = .
RAID 5 — Striping with Distributed Parity
- Data and parity are striped across all disks, parity distributed (not on a single dedicated disk).
- Pros: good balance of performance, capacity and redundancy; tolerates one disk failure (data rebuilt from parity).
- Cons: write penalty due to parity calculation; only one disk of capacity is lost.
- Minimum disks: 3. Usable capacity = disk size.
| RAID | Min disks | Redundancy | Usable capacity |
|---|---|---|---|
| 0 | 2 | None | |
| 1 | 2 | 1 disk (mirror) | |
| 5 | 3 | 1 disk (parity) | |
What is a proxy server?
Proxy Server
A proxy server is an intermediary server that sits between client computers and the destination servers (e.g. the Internet). Instead of connecting directly, clients send their requests to the proxy, which forwards them on the client's behalf, receives the response and returns it to the client.
Functions / Benefits
- Caching: stores frequently requested web pages locally so repeated requests are served faster and bandwidth is saved.
- Anonymity / privacy: hides the client's real IP address from the destination server.
- Access control / filtering: blocks restricted sites, enforces organisational policy, and logs user activity.
- Security: acts as a barrier, hiding internal network details and helping defend against direct attacks.
- Load distribution / bandwidth control.
Types
- Forward proxy — serves internal clients reaching out to the Internet (the common case, e.g. Squid).
- Reverse proxy — sits in front of web servers, accepting requests from the Internet and forwarding them to back-end servers (e.g. Nginx, HAProxy) for load balancing and SSL termination.
- Transparent proxy — intercepts traffic without client configuration.
Example: Squid is a widely used proxy/caching server on Linux for HTTP/HTTPS/FTP with access-control lists (ACLs).
Explain file permissions in Linux (chmod).
File Permissions in Linux (chmod)
Every Linux file/directory has permissions for three classes of users:
- u — owner (user)
- g — group
- o — others
and three permission types:
- r (read) = 4
- w (write) = 2
- x (execute) = 1
The ls -l listing shows them as a 10-character string, e.g. -rwxr-xr--:
-  rwx  r-x  r--
│   │    │    └ others: read only
│   │    └ group: read + execute
│   └ owner: read + write + execute
└ file type (- file, d directory, l link)
Changing permissions with chmod
Symbolic mode:
chmod u+x file # add execute for owner
chmod g-w file # remove write from group
chmod o=r file # set others to read only
chmod a+r file # add read for all
Numeric (octal) mode — sum r=4, w=2, x=1 per class:
chmod 755 script.sh # rwx r-x r-x (owner all; group/others read+execute)
chmod 644 file.txt # rw- r-- r-- (owner read/write; others read)
chmod 700 secret # rwx --- --- (owner only)
So 755 = (4+2+1)(4+0+1)(4+0+1). Use chmod -R to apply recursively to a directory tree.
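Permissions matter most for files that run unattended, such as the scripts named in a crontab (see the cron question above). The following added example, which is not from the original paper, takes the command path from each job line of a user crontab and reports any script that is missing or that group or others can write to, i.e. whose mode has the 2 bit in the group or others digit. The directory, scripts and crontab are constructed in a temporary location.

```shell
#!/bin/sh
# Added example: report cron-run scripts that group or others may modify.

# cron_commands FILE: print the command path (6th field) of each job line
# in a user crontab: five time fields, then the command.
cron_commands() {
    awk '
        /^[ \t]*#/                 { next }   # comments
        /^[ \t]*$/                 { next }   # blank lines
        /^[ \t]*[A-Za-z_]+[ \t]*=/ { next }   # VAR=value environment lines
        NF >= 6                    { print $6 }
    ' "$1"
}

# audit_cron FILE: print each command that is missing or that has the
# group-write (020) or others-write (002) bit set.
audit_cron() {
    cron_commands "$1" | sort -u | while read -r cmd; do
        if [ ! -e "$cmd" ]; then
            echo "$cmd: missing"
        elif [ -n "$(find "$cmd" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
            echo "$cmd: writable by group or others"
        fi
    done
}

# make_fixture DIR: constructed scripts and crontab for the demonstration.
make_fixture() {
    dir=$1
    mkdir -p "$dir"
    for f in backup.sh sync.sh weekly.sh; do
        printf '#!/bin/sh\n' > "$dir/$f"
    done
    chmod 755 "$dir/backup.sh"   # rwx r-x r-x : only the owner can change it
    chmod 775 "$dir/sync.sh"     # rwx rwx r-x : group can rewrite it
    chmod 777 "$dir/weekly.sh"   # rwx rwx rwx : anyone can rewrite it
    cat > "$dir/crontab" <<EOF
# constructed sample crontab
MAILTO=root
30 2 * * * $dir/backup.sh
0 */6 * * * $dir/sync.sh
0 9 * * 1 $dir/weekly.sh
15 4 * * * $dir/gone.sh
EOF
}

# Demonstration on the constructed fixture.
demo=$(mktemp -d)
make_fixture "$demo"
audit_cron "$demo/crontab"
rm -rf "$demo"
```

Running chmod go-w on the reported scripts clears the findings; the missing script still needs its crontab line removed or the file restored.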
Write short notes on Samba.
Short Note: Samba
Samba is a free, open-source software suite that implements the SMB/CIFS (Server Message Block / Common Internet File System) protocol on Unix/Linux systems. It enables interoperability between Linux/Unix servers and Windows clients, allowing them to share files and printers seamlessly across a network.
Key features / uses
- File sharing — a Linux machine can act as a file server that Windows users access as a network drive (\\server\share).
- Print sharing — share printers between Linux and Windows.
- Domain / authentication services — Samba can act as a Windows Domain Controller (NT-style, and Active Directory DC with Samba 4) and authenticate users.
- Name resolution — supports NetBIOS/WINS.
Main components
- smbd — daemon handling file and print sharing and authentication.
- nmbd — daemon handling NetBIOS name resolution and browsing.
- smb.conf — main configuration file (/etc/samba/smb.conf) defining [global] settings and individual [share] sections.
- Tools: smbclient (FTP-like client), smbpasswd (manage Samba users), testparm (validate config).
Example share in smb.conf:
[data]
path = /srv/samba/data
read only = no
valid users = alice
Thus Samba bridges Linux and Windows networks, making a Linux box behave like a Windows file/print server.