BSc CSIT (TU) Science Network and System Administration (BSc CSIT, CSC412) Question Paper 2079 Nepal

User and Resource Management in a Multi-User System

In a multi-user system, many users share the same hardware and software resources simultaneously. The administrator's job is to give each user a private, secure working environment while protecting system resources and ensuring fair sharing.

1. User Management

• Users and groups: Each user has a unique UID and login account; related users are placed in groups (GID) for shared permissions. In Linux this information lives in /etc/passwd, /etc/shadow (encrypted passwords) and /etc/group.
• Account creation/maintenance: useradd, usermod, userdel, passwd, groupadd. Each account has a home directory, a default shell and a skeleton profile copied from /etc/skel.

2. Quota Management

Disk quotas prevent a single user or group from consuming all storage, ensuring fair use.

• Soft limit: can be exceeded temporarily during a grace period.
• Hard limit: absolute ceiling that can never be crossed.
• Limits apply to blocks (disk space) and inodes (number of files).
• Linux workflow: enable usrquota,grpquota mount options in /etc/fstab, run quotacheck, turn on with quotaon, and set limits with edquota / setquota; users check usage with quota.

edquota -u alice      # set block/inode soft & hard limits for user alice
quotaon /home          # activate quotas on the filesystem

3. Account Policies

Rules that enforce security and consistency across accounts:

• Password policy: minimum length, complexity, expiry/ageing (chage, /etc/login.defs), history and lockout after failed attempts (PAM modules).
• Login policy: allowed login times, idle-session timeout, restricted shells, disabling unused/expired accounts.
• Naming and lifecycle: standard naming conventions, provisioning on joining and de-provisioning on leaving.

4. Access Control

Determines who can do what to which resource.

• Discretionary Access Control (DAC): owner sets permissions. Standard UNIX rwx permissions for owner/group/others, set via chmod, chown, chgrp.
• Access Control Lists (ACLs): fine-grained per-user/per-group permissions using setfacl/getfacl.
• Mandatory Access Control (MAC): system-enforced policy via SELinux or AppArmor.
• Role-Based Access Control (RBAC): permissions assigned to roles, users assigned to roles; e.g. controlled privilege escalation with sudo and /etc/sudoers.

Conclusion

Effective administration combines user/group management, quotas for fair resource sharing, strong account policies, and layered access control (DAC + ACL + MAC/RBAC) to keep a multi-user system secure, fair and manageable.

Domain Name System (DNS)

The Domain Name System (DNS) is a hierarchical, distributed naming database that translates human-readable domain names (e.g. www.example.com) into IP addresses (e.g. 93.184.216.34) and vice versa. It works on UDP/TCP port 53 and follows a tree structure: root → top-level domains (.com, .org, .np) → second-level domains → hosts. Resolution is performed by resolvers querying name servers recursively/iteratively.

Forward Lookup Zone

Maps names → IP addresses. This is the most common lookup. Key resource records:

• A – name to IPv4 address; AAAA – name to IPv6.
• CNAME – alias to another name.
• MX – mail exchanger; NS – name server; SOA – start of authority.

Example: a query for mail.example.com returns its A record 203.0.113.5.

Reverse Lookup Zone

Maps IP addresses → names, used for logging, anti-spam and verification. It uses the special in-addr.arpa domain (IPv6 uses ip6.arpa) with the octets reversed, and a PTR record.

Example: 203.0.113.5 is looked up as 5.113.0.203.in-addr.arpa and returns mail.example.com.

Configuring a Caching-Only DNS Server (BIND)

A caching-only server hosts no zones of its own; it forwards/resolves queries on behalf of clients and caches answers to speed up subsequent lookups.

Install and edit /etc/named.conf (or /etc/bind/named.conf.options):

options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 192.168.1.0/24; };
    allow-query     { localhost; 192.168.1.0/24; };
    recursion yes;                 // required for caching/resolving
    forwarders { 8.8.8.8; 1.1.1.1; };   // optional: forward to upstream
    dnssec-validation auto;
};

Steps:

yum install bind bind-utils       # or: apt install bind9
named-checkconf                    # validate configuration syntax
systemctl enable --now named       # start the DNS service
firewall-cmd --add-service=dns --permanent && firewall-cmd --reload
dig @localhost www.google.com      # test resolution (2nd query is cached/faster)

Point clients at this server (nameserver <ip> in /etc/resolv.conf). Because recursion yes is set and no local zones are defined, it simply resolves and caches results.

Conclusion

DNS underpins all name-based communication. Forward zones resolve names to IPs, reverse zones (via in-addr.arpa/PTR) resolve IPs to names, and a caching-only server improves performance by recursively resolving queries and storing the answers.

Network Security Threats and Countermeasures

Network security protects the confidentiality, integrity and availability (CIA) of data and resources against unauthorized access and attacks.

Common Threats

• Malware: viruses, worms, trojans, ransomware.
• DoS / DDoS: flooding a service to exhaust resources and deny availability.
• Man-in-the-Middle (MITM): intercepting/altering traffic between two parties.
• Spoofing: forging IP/MAC/email identities; Phishing/social engineering.
• Eavesdropping / sniffing of unencrypted traffic; SQL injection / XSS on applications; password attacks (brute force, dictionary).

General Countermeasures

Defense in depth: strong authentication, least-privilege access control, patching/hardening, segmentation (VLANs/DMZ), logging and monitoring, backups, and user awareness training.

Firewalls

A firewall filters traffic between networks based on rules.

• Packet-filtering: inspects IP/port/protocol headers (e.g. iptables).
• Stateful: tracks connection state for context-aware decisions.
• Application/proxy and Next-Gen (NGFW): deep inspection, application awareness.
• Often placed at the perimeter and used to build a DMZ for public-facing servers.

IDS / IPS

• IDS (Intrusion Detection System): passively monitors traffic and alerts on suspicious activity (e.g. Snort in detection mode).
• IPS (Intrusion Prevention System): sits inline and can actively block/drop malicious traffic in real time.
• Detection methods: signature-based (known patterns) and anomaly-based (deviation from normal baseline).

Role of Encryption

Encryption converts plaintext into ciphertext so only authorized parties can read it, protecting confidentiality and integrity.

• Symmetric (AES): fast, one shared key for bulk data.
• Asymmetric (RSA/ECC): public/private key pair for key exchange and digital signatures.
• In transit: TLS/SSL (HTTPS), IPSec/VPN, SSH protect data on the wire and defeat eavesdropping and MITM.
• At rest: disk/file encryption protects stored data.

Conclusion

No single tool is sufficient. A layered approach combining firewalls (control traffic), IDS/IPS (detect and block intrusions), and encryption (protect data in transit and at rest), backed by good policies, provides robust network security.

The kernel is the core of the operating system that runs in privileged (supervisor) mode and acts as the bridge between application software and the hardware. Its main roles are:

• Process management: creating, scheduling and terminating processes, and handling context switching and inter-process communication.
• Memory management: allocating/freeing RAM, virtual memory and paging, and isolating each process's address space.
• Device management: controlling hardware through device drivers and handling interrupts.
• File system management: organizing storage and providing read/write access to files.
• System calls and protection: exposing a controlled interface to user programs and enforcing security between user space and kernel space.

In short, the kernel manages all system resources and provides a safe, abstracted environment in which applications run.

DHCP Relay Agent

DHCP clients discover servers by broadcasting DHCPDISCOVER messages. However, routers do not forward broadcasts between subnets, so a client cannot reach a DHCP server located on a different network segment.

A DHCP relay agent solves this. It is a host or router interface configured to listen for DHCP broadcast messages on a local subnet and forward them as unicast to a DHCP server on another subnet (and relay the server's replies back to the client).

Working:

1. The client broadcasts DHCPDISCOVER on its local LAN.
2. The relay agent receives it, fills the giaddr (gateway IP address) field with its own interface address (so the server knows which subnet/scope to assign from), and unicasts it to the configured DHCP server.
3. The server selects an address from the correct scope and replies (DHCPOFFER/DHCPACK) to the relay agent.
4. The relay agent delivers the reply to the client.

Benefit: A single centralized DHCP server can serve multiple subnets, avoiding the cost of one server per network. On Linux this is provided by dhcrelay; on Cisco routers by the ip helper-address <server-ip> command.

Use of the iptables Command

iptables is the command-line utility used to configure the Linux kernel netfilter firewall. It controls how network packets are filtered, modified (NAT) and accounted for as they pass through the system.

It organizes rules into tables, each containing chains:

• filter table – packet filtering with chains INPUT, OUTPUT, FORWARD.
• nat table – address translation with PREROUTING, POSTROUTING (used for SNAT/DNAT/masquerading).
• mangle table – specialized packet header modification.

Each rule has a match (source/destination IP, port, protocol, interface) and a target/action: ACCEPT, DROP, REJECT, LOG. Packets are checked top-down; a default policy applies if no rule matches.

Common uses: allow/block traffic, build a host or gateway firewall, set up NAT/port forwarding, and rate-limit connections.

iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # allow SSH
iptables -A INPUT -p tcp --dport 80 -j ACCEPT   # allow HTTP
iptables -P INPUT DROP                            # default-deny incoming
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  # NAT/share connection
iptables -L -n -v                                # list rules

Static vs Dynamic Routing

Both determine the path packets take, but differ in how routes are created and maintained.

Summary: Static routing is simple, predictable and secure but not scalable and requires manual updates. Dynamic routing scales well and adapts automatically to network changes at the cost of extra overhead and complexity. Many networks combine both (e.g. static default route plus dynamic routing internally).

Digital Certificate

A digital certificate is an electronic document that binds a public key to the verified identity of its owner (a person, server or organization). It is issued and digitally signed by a trusted Certificate Authority (CA), allowing others to trust that the public key genuinely belongs to the named entity.

Most certificates follow the X.509 standard and typically contain:

• The subject's identity (e.g. domain name / organization).
• The public key of the subject.
• The issuer (CA) name and the CA's digital signature.
• A serial number, and validity period (not-before / not-after dates).
• The signature algorithm used.

Purpose: Digital certificates enable authentication, confidentiality and integrity in secure communications. They are central to TLS/SSL (HTTPS), code signing and secure email (S/MIME). A client verifies a certificate by checking the CA's signature against a trusted root, confirming validity dates, and ensuring it has not been revoked (CRL/OCSP).

Working of NFS (Network File System)

NFS is a distributed file-system protocol (developed by Sun) that lets a client access files on a remote server over the network as if they were stored locally. It follows a client–server model and is transparent to applications.

Working:

1. Export on the server: The administrator lists directories to be shared in /etc/exports (with client/permission options) and runs exportfs -a; the nfsd daemon serves them.
2. Mount on the client: The client mounts the exported directory into its local tree, e.g. mount server:/data /mnt/data. After mounting it appears as a normal local directory.
3. RPC and protocols: NFS uses Remote Procedure Call (RPC) and originally the XDR data representation. rpcbind (portmapper) maps RPC services to ports; the mountd daemon handles mount requests and nfsd handles file operations (read, write, lookup, etc.).
4. File access: When the client reads/writes a file, the request is sent as an RPC to the server, which performs the operation on its real filesystem and returns the result. NFSv2/v3 were largely stateless; NFSv4 is stateful, runs over a single TCP port (2049) and adds stronger security (Kerberos).

Advantages: centralized storage, transparent remote access, easy sharing of home directories and data among many UNIX/Linux hosts.

System Hardening

System hardening is the process of securing a system by reducing its attack surface — eliminating unnecessary services, software, accounts and configurations that could be exploited. The principle is least functionality + least privilege: keep only what is required and lock everything else down.

Common hardening measures:

• Remove/disable unused services, daemons, ports and default accounts.
• Patch and update the OS and applications regularly to close known vulnerabilities.
• Enforce strong authentication: strong password policy, disable root SSH login, use key-based SSH, account lockout.
• Apply least-privilege access control and file permissions; use sudo instead of root.
• Enable a firewall (e.g. iptables/firewalld) and SELinux/AppArmor.
• Enable logging, auditing and monitoring; remove unneeded software packages.
• Use secure protocols (SSH, TLS) instead of insecure ones (Telnet, FTP).

Goal: make the system more resistant to attacks and limit the damage if a component is compromised. Security benchmarks such as the CIS Benchmarks provide standard hardening guidelines.

Authentication vs Authorization

Both are core to access control but address different questions.

Authentication — "Who are you?" — is the process of verifying the identity of a user, device or process. It confirms that an entity is who it claims to be, using credentials such as passwords, OTPs, biometrics, smart cards or digital certificates (often multi-factor).

Authorization — "What are you allowed to do?" — is the process of granting or denying permissions to an authenticated entity, deciding which resources or operations it may access (e.g. read/write/execute, role-based privileges).

Relationship: Authentication always precedes authorization — the system first confirms identity, then determines the privileges that identity is entitled to.

Short Note: Monitoring Tools (Nagios)

Network/system monitoring tools continuously observe the health, availability and performance of hosts, services and network devices, and alert administrators when problems occur, helping ensure uptime and quick troubleshooting.

Nagios is a popular open-source monitoring system. Its key features:

• Host and service monitoring: checks availability of servers, switches, routers and services such as HTTP, SMTP, SSH, DNS, disk space, CPU and memory.
• Plugin-based architecture: core engine runs lightweight plugins (and NRPE for remote checks) that return a status — OK, WARNING, CRITICAL, UNKNOWN.
• Alerting/notification: sends email/SMS alerts on state changes and supports escalations.
• Web interface: dashboards showing current status, maps and historical reports.
• Proactive management: event handlers can auto-run corrective actions; thresholds catch issues before outages.

Other tools: Zabbix, Cacti, PRTG, Munin, Prometheus + Grafana.

Benefit: Centralized, automated monitoring reduces downtime, enables capacity planning and gives early warning of failures.