
ATHENA Network Administration and Security Training Center, 2 Bis Dinh Tien Hoang, Da Kao Ward, District 1, Ho Chi Minh City. Tel: (84-8) 38244041, 0989012418. www.athena.edu.vn

Part IV: Internet Services

- Lab 1: FTP
- Lab 2: The Secure Shell (SSH)
- Lab 3: DNS
- Lab 4: Web Server
- Lab 5: Squid Server
- Lab 6: Mail Server
- Lab 7: Firewall Server
- Lab 8: IDS Server

Compiled by: Nguyn Tr Thc. For internal circulation.

Lab 1: FTP

I/ Installing FTP:

FTP is a service that provides a mechanism for transferring data as files over a TCP network. Many FTP server programs are used on Linux, such as Vsftpd, Wu-ftpd, PureFTPd and ProFTPD. This course covers Vsftpd.

- Check whether vsftpd is already installed:

- Install it (if it is not yet installed):

- Verify that vsftpd is installed on the system:

II/ Configuring the vsftpd server:

The configuration file for the vsftpd server is /etc/vsftpd/vsftpd.conf.

- Edit vsftpd.conf as follows:

# vsftpd.conf does not accept a comment after a value, so each comment is on its own line.
# Do not allow anonymous logins
anonymous_enable=NO
# Allow local users to log in
local_enable=YES
# Give users write permission
write_enable=YES
# Enable logging
xferlog_enable=YES
# Location of the log file
xferlog_file=/var/log/vsftpd.log
# Use port 20 for FTP-Data
connect_from_port_20=YES
ftpd_banner=Trung Tam Dao Tao Mang May Tinh Athena
# Users listed in user_list are denied access
userlist_enable=YES

Note: when running vsftpd on CentOS 5 with SELinux set to enforcing (/etc/sysconfig/selinux), the ftp_home_dir boolean must be set to on.

- Check the ftp_home_dir boolean:

- Set the ftp_home_dir boolean to on:

- Check the ftp_home_dir boolean again:

- Create the FTP home directory:

- Create a user that is allowed to access the FTP server:

- Set a password for the user ftpuser:

- Create the file test.txt:

- A running FTP server needs ports 20 and 21 open, so open these two ports on the firewall or turn the firewall off.

- Start the vsftpd daemon:

III/ FTP client:

- Access from Linux:

Check:

- Access from Windows:

Check:
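The vsftpd.conf settings from section II can be checked offline before the daemon is started. The script below is an added example, not part of the original lab; the function names vsftpd_setting, vsftpd_bool and audit_vsftpd_conf are hypothetical helpers, and the sample configuration is constructed. It goes a little beyond the lab by also reporting vsftpd's built-in defaults for keys that are not set.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): audit a vsftpd.conf offline.
# All function names here are hypothetical helpers, not vsftpd tools.

# vsftpd_setting <conf> <key> <default>: value of the last "key=value" line,
# or <default> (vsftpd's built-in default) when the key is not set.
vsftpd_setting() {
    awk -v key="$2" -v def="$3" '
        /^#/ { next }
        index($0, key "=") == 1 { val = substr($0, length(key) + 2); found = 1 }
        END { print (found ? val : def) }
    ' "$1"
}

# vsftpd_bool <conf> <key> <default>: prints YES, NO or INVALID.
# vsftpd reads everything after "=" literally, so "NO # comment" or "NO " is invalid.
vsftpd_bool() {
    case "$(vsftpd_setting "$1" "$2" "$3" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) echo YES ;;
        NO|FALSE|0) echo NO ;;
        *)          echo INVALID ;;
    esac
}

# audit_vsftpd_conf <conf>: prints findings, returns 1 if any WARN was printed.
audit_vsftpd_conf() {
    local conf="$1" rc=0 k anon loc xfer ul ud ssl
    for k in anonymous_enable local_enable write_enable xferlog_enable \
             userlist_enable userlist_deny ssl_enable; do
        # The default passed here does not matter: an unset key cannot be INVALID
        if [ "$(vsftpd_bool "$conf" "$k" NO)" = INVALID ]; then
            echo "WARN $k has an invalid boolean value (comment or space after it?)"
            rc=1
        fi
    done
    anon=$(vsftpd_bool "$conf" anonymous_enable YES)
    loc=$(vsftpd_bool "$conf" local_enable NO)
    xfer=$(vsftpd_bool "$conf" xferlog_enable NO)
    ul=$(vsftpd_bool "$conf" userlist_enable NO)
    ud=$(vsftpd_bool "$conf" userlist_deny YES)
    ssl=$(vsftpd_bool "$conf" ssl_enable NO)

    if [ "$anon" = YES ]; then
        echo "WARN anonymous_enable is YES (the built-in default): anonymous logins are accepted"
        rc=1
    fi
    if [ "$xfer" = NO ]; then
        echo "WARN xferlog_enable is NO: transfers are not logged"
        rc=1
    fi
    if [ "$loc" = YES ] && [ "$ssl" != YES ]; then
        echo "WARN local_enable=YES without ssl_enable=YES: passwords cross the network in clear text"
        rc=1
    fi
    if [ "$ul" = YES ]; then
        if [ "$ud" = NO ]; then
            echo "INFO user_list is an allow list (userlist_deny=NO)"
        else
            echo "INFO user_list is a deny list (userlist_deny=YES)"
        fi
    fi
    return "$rc"
}

# Demo on a constructed file holding the lab's settings.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample
anonymous_enable=NO
local_enable=YES
write_enable=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
userlist_enable=YES
EOF
audit_vsftpd_conf "$demo_conf" || true
rm -f "$demo_conf"
```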

Lab 2: The Secure Shell (SSH)

I/ Installing SSH:

The telnet program lets a user log in to a system remotely. Its weakness is that the user name and password are sent over the network unencrypted, so it is very easy to attack. The ssh software is a newer facility on Linux that addresses this weakness of telnet. It lets you log in to a Linux system remotely, and the password is encrypted. By default, ssh is installed when Linux is installed.

- Check whether ssh is already installed:

II/ Configuring the SSH server:

The configuration file for the SSH server is /etc/ssh/sshd_config.

- View the sshd_config file with its default options:

- A running SSH server needs port 22 open, so open this port on the firewall or turn the firewall off.

- Start the sshd daemon:

III/ SSH client:

- Access the SSH server from Linux:

Enter the root password. To leave the SSH server, type exit. To connect with an account other than root, add the -l option as follows:

- Use the scp command to copy files over ssh:

Source   Destination

=> Copies the file maillog from localhost to the /tmp directory of server 192.168.36.230. To copy a whole directory, add the -r option as follows:

=> Copies the log directory to the /tmp directory of server 192.168.36.230.

- Access the SSH server from Windows: on Windows, install the program SCRT 4.0.5.exe

After the installation finishes, run the program from Start => Programs => SecureCRT 4.0 => SecureCRT 4.0.exe

Choose (New Session) and enter the following parameters:

Choose OK. Choose the connection Athena => choose Connect

Choose Accept & Save

Enter the password for the root account, then choose OK

- Secure file transfer from Windows: on Windows, install the program SSHSecureShellClient-3.2.9.exe

After the installation finishes, run the program from Start => Programs => SSH Secure Shell => Secure File Transfer Client

Choose the icon, then enter the parameters

Choose Connect

Enter the password of the root account, then choose OK

IV/ Configuring access to the SSH server without a password prompt:

- Edit the configuration file on the server and set the following 2 properties:

- Create a key on the client machine:

- Copy the client's key to the server:

IP Server

- On the server, copy the file id_rsa.pub to a new file named authorized_keys:

- Restart the sshd daemon on the server:

- Access SSH from the client:
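The server-side key installation step of section IV, as an added example that is not part of the original lab. The helper name install_pubkey and the key strings are assumptions made for illustration; unlike a plain copy of id_rsa.pub over authorized_keys, it appends the key so that keys already installed are kept, and it sets the file modes that sshd checks.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): install a client public key on the server.
# install_pubkey is a hypothetical helper name, not an OpenSSH tool.

# install_pubkey <home_dir> <pubkey_file>
# Appends the key to <home_dir>/.ssh/authorized_keys unless it is already there.
# Returns 0 if the key is installed afterwards, 1 on bad input.
install_pubkey() {
    local home_dir="$1" pub_file="$2" ssh_dir auth key
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"

    [ -d "$home_dir" ] && [ -r "$pub_file" ] || return 1

    # First non-empty, non-comment line of the .pub file
    key=$(grep -v -e '^[[:space:]]*$' -e '^#' "$pub_file" | head -n 1)

    # Accept only a public key line ("<type> <base64> [comment]"), so that a
    # private key file passed by mistake is never copied to the server.
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) return 1 ;;
    esac

    # With StrictModes (the sshd default) the key file is ignored when ~/.ssh
    # or authorized_keys is writable by group or others.
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    touch "$auth" || return 1
    chmod 600 "$auth" || return 1

    # Append rather than overwrite, and only once per key
    if ! grep -qxF -e "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}

# Demo on constructed data: a scratch directory stands in for the user's home,
# and the key below is a made-up string, not a real key.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedKEY root@client' > "$demo_home/id_rsa.pub"
install_pubkey "$demo_home" "$demo_home/id_rsa.pub" && ls -l "$demo_home/.ssh"
rm -rf "$demo_home"
```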

Lab 3: DNS

DNS is the service that resolves domain names to IP addresses and vice versa. There are 3 types of name server: Primary Name Server, Secondary Name Server and Caching Name Server.

I/ Installing the Primary Name Server:

- Check whether DNS is already installed:

- Install it (if it is not yet installed):

- Verify that DNS is installed on the system:

II/ Configuring the Primary Name Server:

- Create the configuration file /etc/named.conf as follows:

- Create the file /var/named/named.root by downloading it from the network as follows:

Note: the server must be connected to the Internet.

- Create the file /var/named/localhost.db:

- Create the file /var/named/0.0.127.in-addr.arpa.db:

- Create the file /var/named/athena.edu.vn.db:

- Create the file /var/named/36.168.192.in-addr.arpa.db:

- Start the named daemon:

- Open port 53 on the firewall or stop the firewall

III/ Configuring the DNS client:

- From Windows: set Preferred DNS Server to the IP address of the DNS server

Use the nslookup command to check: nslookup www.athena.edu.vn

- From Linux: edit the file resolv.conf as follows:

Use the nslookup command to check: nslookup www.athena.edu.vn
Use the ping command to check: ping www.athena.edu.vn

IV/ Some tools for checking DNS:

- dig (domain information groper): dig @192.168.36.230 www.athena.edu.vn ANY

- nslookup: nslookup www.athena.edu.vn

- host: host -a www.athena.edu.vn 192.168.36.230

Lab 4: Web Server

I/ Installing Apache:

Apache is web server software with the following features:

- Full support for the earlier HTTP protocols, such as HTTP/1.1.
- Can be configured and extended with third-party modules.
- Provides complete source code under an unrestrictive license.
- Runs on many operating systems, such as Win 9x, Netware 5.x, OS/2, Unix and Linux.

- Check whether Apache is already installed:

- Install it (if it is not yet installed):

- Verify that Apache is installed on the system:

II/ Configuring the Apache web server:

The configuration file for the Apache web server is /etc/httpd/conf/httpd.conf.

- Create the root directory for the web site:

- Create an HTML page as follows:

- Edit httpd.conf as follows:

# httpd.conf does not accept a comment after a directive, so each comment is on its own line.
# Location where Apache is installed
ServerRoot /etc/httpd
# Lifetime of a connection (seconds)
Timeout 120
# Allow a client to send multiple requests to the server over one connection
KeepAlive On
# Maximum number of requests on one connection
MaxKeepAliveRequests 100
# Timeout for a request (seconds)
KeepAliveTimeout 15
# Listen on port 80
Listen 80
# User and group that httpd runs as
User apache
Group apache
# E-mail address of the administrator
ServerAdmin root@localhost
# Declare the URL address
ServerName www.athena.edu.vn:80
# Root directory of the web server
DocumentRoot /var/www/html
# Default file when the web site is opened
DirectoryIndex index.html
# Stores the error log (/etc/httpd/logs/error_log)
ErrorLog logs/error_log
# Stores the access log (/etc/httpd/logs/access_log); "combined" is the log format nickname defined in the stock httpd.conf
CustomLog logs/access_log combined

- Start the httpd daemon:

III/ Accessing the web server:

IV/ Access authentication (Basic Authentication):

1/ Create the passwords file:

- Create 2 users for access as follows:

- Create the passwords file for the 2 users just created as follows:

Note: the -c option creates a new passwords file. If the file already exists, its old contents are erased and the new contents are written. When adding a password for another user, do not use the -c option.

- Check the passwords file just created:

2/ Create the groups file as follows:

3/ Edit the Apache configuration file as follows:

..

..

4/ Restart the httpd daemon:

5/ Check access:

Enter the user name and password => choose OK

V/ VirtualHost:

VirtualHost is the feature that lets us create more than one web site on a server. The ways to create a virtual host are: IP-based virtual host (one IP address per web site, which requires several IP addresses) and Name-based virtual host (one IP address for several different names, which requires a DNS server). This section shows how to create a virtual host the IP-based way.

- Check the host on network card eth0

- Create another IP address on network card eth0

- Edit httpd.conf as follows:

- Restart the httpd daemon:

Check:

VI/ Installing PHP:

- Check whether PHP is already installed:

- Install it (if it is not yet installed):

- Verify that PHP is installed on the system:

VII/ Configuring Apache to support PHP:

- Edit httpd.conf as follows:

- Create a PHP web page as follows:

- Restart the httpd daemon:

- Check

Lab 4 (cont.): Apache + DNS

I/ Installing Apache:

II/ Configuring the web server for the domain webtest.com:

- Create the web directory as follows:

- Create an index.html page as follows:

- Edit httpd.conf as follows:

..

- Start the httpd daemon:

III/ Installing DNS:

III/ Declaring the domain webtest.com:

- Create the file /etc/named.conf as follows:

- Create the file /var/named/named.root by downloading it from the network as follows:

Note: the server must be connected to the Internet.

- Create the file /var/named/webtest.com.db:

- Create the file /var/named/36.168.192.in-addr.arpa.db:

- Start the named daemon:

- Stop the firewall

IV/ Checking:

- On the client machine, set the DNS server to 192.168.36.230

- Check with ping:

- Check access:

Lab 5: Squid server

I/ Installing Squid:

Squid is an Internet proxy-caching program. Its role is to receive requests from clients and pass them on to the appropriate Internet server. At the same time it stores on disk the data returned by the Internet server, which is called caching. Protocols supported by Squid include HTTP, FTP and SSL.

- Check whether Squid is already installed:

- Install it (if it is not yet installed):

- Verify that Squid is installed on the system:

II/ Configuring a test web server:

- Install Apache

- Create the root directory for the web site:

- Create an HTML page as follows:

- Edit httpd.conf as follows:

- Start the httpd daemon:

- Stop iptables:

- Check access:

III/ Configuring Squid:

1/ General configuration:

Change the following options:

# HTTP port that Squid listens on
http_port 8080
# Allow 10 MB of cache
cache_mem 10 MB
# Cache storage directory. Fields: store type (ufs, aufs or diskd), directory,
# directory size (MB), number of level-1 subdirectories, number of level-2 subdirectories
cache_dir ufs /var/spool/squid 100 16 255
# Records the clients' active requests
access_log /var/log/squid/access.log

2/ Access control: add the following at the very end of the acl section of squid.conf

a/ Allow access for the internal network from Monday to Friday, from 8:00 to 17:00.

- Edit the configuration file:

.

.

- Restart the squid daemon:

- Declare the proxy on the clients:

- Check access:

- Change the time on the proxy server:

- Check the date and time on the system:

- Check access:

b/ Allow or deny access to certain web sites.

- Create a file containing the list of sites that may be accessed:

- Create a file containing the list of sites that are denied:

- Edit the configuration file:

.

.

- Check access:

Check: does clicking Mail work? Why?

c/ Allow or deny access to certain domains.

- Create a file containing the list of domains that may be accessed:

- Create a file containing the list of domains that are denied:

- Edit the configuration file:

.

.

- Restart the squid daemon:

- Check access: mail.yahoo.com

d/ Using NCSA to authenticate passwords.

- Create the user test:

- Create the file squid_passwd with the htpasswd tool as follows:

- Edit the configuration file:

.

.

- Restart the squid daemon:

- Check access to the page www.dantri.com.vn:


Enter the user name and password => choose OK

e/ Restricting the content of downloaded files.

- Create a file containing the extensions of the files whose download is to be restricted:

- Edit the configuration file:

.

.

- Restart the squid daemon:

- Check access:

f/ Some other settings:

- Restrict access by IP address

- Restrict access by port

- Restrict access by protocol

Lab 6: Mail Server

I/ Configuring the hostname:

- Edit the file /etc/hosts:

- Edit the file /etc/sysconfig/network

- Restart the system: init 6

- Check the hostname:

II/ Configuring DNS:

1/ Installing DNS:

2/ Configuring DNS:

- Create the file /etc/named.conf as follows:

- Create the file /var/named/named.root by downloading it from the network as follows:

Note: the server must be connected to the Internet.

- Create the file /var/named/athena.edu.vn.db:

- Create the file /var/named/36.168.192.in-addr.arpa.db:

- Start the named daemon:

- Stop the firewall

III/ Configuring the mail server:

1/ Configuring Postfix:

- Postfix can be installed with Add/Remove Programs, from the source package, or from an rpm.

- Edit the configuration file /etc/postfix/main.cf, paying attention to the following parts:

# General configuration options:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
mydomain = athena.edu.vn
myhostname = mail.athena.edu.vn
# Which domain the server uses when sending mail out.
myorigin = $mydomain
# Which address the server listens on to receive mail.
inet_interfaces = all
mydestination = $mydomain

- With this basic configuration we can start the postfix service, and use chkconfig so that the postfix service starts at every boot:

- Use the useradd command to add two users, test1 and test2, to the system.

- Test sending and receiving through postfix with these 2 accounts. At this point postfix treats accounts as system accounts, and mail is stored in /var/spool/mail. Use the following commands:

ehlo mail.athena.edu.vn
mail from: test1@athena.edu.vn
rcpt to: test2@athena.edu.vn
data
<enter the message body>
<end with a "." and Enter>

Check the mail in /var/spool/mail/test2: less /var/spool/mail/test2

2/ Controlling Postfix policies:

- Postfix supports many policies that control the sending and receiving of mail very flexibly.

- Detailed information about these policies can be found at www.postfix.org. Within the scope of this lab, only some commonly used policies are listed.

- Evaluate the sender address and decide whether to accept the mail: smtpd_sender_restrictions can take the following values:

check_sender_access
reject_authenticated_sender_login_mismatch
reject_non_fqdn_sender
reject_rhsbl_sender rbl_domain=d.d.d.d
reject_unauthenticated_sender_login_mismatch
reject_unverified_sender

Example:
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_sender_restrictions = reject_unknown_sender_domain, ...

- Evaluate the rcpt address and decide whether to pass the mail on: smtpd_recipient_restrictions can take the following values:

check_recipient_access
check_recipient_mx_access
permit_auth_destination
reject_non_fqdn_recipient
reject_unauth_destination
reject_rhsbl_recipient rbl_domain=d.d.d.d
...

Example:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

- Control the mailbox size:

mailbox_size_limit
message_size_limit

- Control the number of rcpt that receive a mail at the same time:

smtpd_recipient_limit

- Control the number of simultaneous connections and the connection rate:

smtpd_client_connection_count_limit (default: 50)
smtpd_client_connection_rate_limit (default: no limit)
smtpd_client_message_rate_limit (default: no limit)
smtpd_client_recipient_rate_limit (default: no limit)
smtpd_client_new_tls_session_rate_limit (default: no limit)
smtpd_client_event_limit_exceptions (default: $mynetworks)

3/ Installing Cyrus-imapd:

- Cyrus-imapd is software used to store mail. By default, the MTA stores mail as one text file per user in the directory /var/spool/mail.

- With Cyrus-imapd, mail is stored in a hierarchical directory tree, which is convenient for management and searching.

- Check whether cyrus-imapd is already installed:

- Install it (if it is not yet installed):

4/ Configuring cyrus-imapd:

- Cyrus-imapd has two main configuration files: /etc/cyrus.conf and /etc/imapd.conf

- The file /etc/cyrus.conf controls:
o Support for users checking mail by POP and IMAP, and how many processes are started in advance.
o Receiving mail delivered from the MTA by lmtp over a socket or over IP.

- The file /etc/imapd.conf controls:
o Where mailboxes are stored.
o Which domains the IMAP server supports.
o Which method is used to authenticate users receiving mail: local users, or a database. This makes user management highly customizable.

- Use the following commands to create the storage structure for the IMAP server:

- Review the structure after it is created:

5/ Testing authentication with cyrus-imapd using saslauthd:

- Start the saslauthd service to begin authenticating:

- Start cyrus-imap with the cyrus-master process. Create a script that starts imap as a service, or run it directly with the command:

- Use the imtest command to try authenticating as the user cyrus (here local-user authentication is used; cyrus is a system user).

Use the command: imtest -a cyrus@athena.edu.vn -u cyrus@athena.edu.vn -m login localhost

- Use the useradd command to add two system users, test1 and test2.

- Log in as the user cyrus (the administrative user of the domain athena.edu.vn) and create mailboxes for the two users test1 and test2:

cyradm -u cyrus localhost
>cm user.test1@athena.edu.vn
>cm user.test1@athena.edu.vn.INBOX
>cm user.test1@athena.edu.vn.SENT

Do the same to create the mail account test2.

- Review the structure after the mailboxes are created:

6/ Configuring postfix to hand mail to cyrus-imapd:

- So that Postfix delivers mail into the cyrus-imapd store instead of storing it locally, change the following line in the file /etc/postfix/main.cf:

local_transport = cyrus

- At the same time, uncomment or add the following lines in the file /etc/postfix/master.cf:

cyrus unix - n n - - pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}

- Test sending and receiving mail with postfix again, and observe where the mail is delivered.

Lab 7: Firewall

I/ Installing IPTABLES:

Iptables provides the following features:

- Better integration with the kernel of the Linux operating system.
- Efficient packet analysis.
- Packet filtering based on the MAC address and on certain flags in the TCP header.
- Detailed options for logging system events.
- NAT.
- The ability to block DoS (Denial of Service) style attacks.

- Check whether iptables is already installed:

- Install it (if it is not yet installed):

- Verify that iptables is installed on the system:

- Start the iptables service

II/ Configuring iptables:

There are 2 ways to configure iptables: using commands, and editing the file /etc/sysconfig/iptables. Configuration made with commands is not kept after the iptables service is restarted.

- Configure iptables to allow ssh access:

Restart the iptables service

Check: on another machine, type the command ssh 192.168.36.230, or:

Then comment out (#) the line in the file /etc/sysconfig/iptables, restart the iptables service, and run telnet 192.168.36.230 22 to check the result again.

- Configure iptables to block ping: remove the line in /etc/sysconfig/iptables, then restart the iptables service

Check again

Re-enable the line in /etc/sysconfig/iptables to allow ping, then restart the iptables service

- Configure iptables to masquerade the source address:

Restart the iptables service

Check iptables:

Enable IP_FORWARD:

Ping another machine (192.168.36.233):

On the machine 192.168.36.233, check:

III/ Some iptables configurations for reference:

- iptables accepts packets to port 80 on network card eth0:

iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

- iptables drops packets to port 23 that use the TCP protocol on network card eth0:

iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP

- iptables is configured so that the firewall accepts TCP packets with any source address and destination address 192.168.1.1 that come in through interface eth0:

iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT

- Accept TCP packets for forwarding when they have any source address, arrive on interface ethernet 0, have a source port in the range 1024-65535 and destination address 192.168.1.58, leave through interface ethernet 1, and have destination port 80 (www):

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT

- Allow the firewall to send ICMP (echo-request) and receive ICMP (echo-reply):

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

- The firewall accepts TCP packets to be routed when they come in on interface ethernet 0 with any source address and go out on interface ethernet 1 with destination address 192.168.1.58. The source port is in the range 1024-65535 and the destination ports are 80 (www) and 443 (https):

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP --sport 1024:65535 -m multiport --dports 80,443 -j ACCEPT

Instead of having to specify the source port and destination port, we can simply use the option -m state --state ESTABLISHED:

iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP \
  -m state --state ESTABLISHED -j ACCEPT

- iptables changes the source IP address of packets leaving network card eth0 to 210.40.2.71. When a packet comes in from the Internet, iptables automatically changes the destination IP address 210.40.2.71 to the corresponding IP address of the computer in the LAN 192.168.0/24:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 210.40.2.71

Or you can use MASQUERADE instead of SNAT as follows:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

(MASQUERADE is usually used when the connection to the Internet is ppp0 and uses a dynamic IP address)

- Change the destination address to the server 192.168.1.2 when 172.28.24.199 is accessed:

iptables -t nat -A PREROUTING -d 172.28.24.199 -i eth0 -j DNAT --to-destination 192.168.1.2

IV/ Installing shorewall:

- Shorewall is a kind of interface that makes iptables easier to manage.

- Install shorewall from the rpm package as follows:

V/ Configuring shorewall:

- Configure the file /etc/shorewall/interfaces. Define the interfaces as follows:

- Configure the file /etc/shorewall/zones:

- Configure the file /etc/shorewall/policy. This file defines the connection policies between the zones defined in the file /etc/shorewall/zones:

- Configure the file /etc/shorewall/rules. This is the most important file; it controls the rules that decide whether a connection is allowed. The file /etc/shorewall/rules can be understood as a front end to iptables: instead of writing complex iptables definitions, we define rules in shorewall's structure, and shorewall then compiles them into iptables commands.

- Configure the file /etc/shorewall/shorewall.conf. This file defines the operating options for shorewall. Leave the configuration file at its defaults and change the following line:

- Check the shorewall configuration:

- Start shorewall and inspect the iptables rules generated by shorewall:
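Rule lines like those in sections II and III of this lab can be checked for common slips before they are written to /etc/sysconfig/iptables. The script below is an added example, not part of the original lab; lint_iptables_rules is a hypothetical helper name and the sample rule lines are constructed. It only looks for three mistakes: a port match without a protocol, a long option typed with one dash, and a port list given to --dport or --sport.

```shell
#!/usr/bin/env bash
# Added example (not from the lab): static check of iptables rule lines.
# lint_iptables_rules is a hypothetical helper, not part of iptables.

# Reads rule lines on stdin ("iptables -A ..." or iptables-save style "-A ...").
# Prints "<line-no>: <problem>" for each finding; returns 1 if any were found.
lint_iptables_rules() {
    awk '
    function report(msg) { printf "%d: %s\n", NR, msg; bad = 1 }
    /^[ \t]*#/      { next }    # comment lines
    /^[ \t]*$/      { next }    # blank lines
    /^[ \t]*[*:]/   { next }    # iptables-save table and chain headers
    /^[ \t]*COMMIT/ { next }
    {
        proto = ""; ports = 0; list = 0
        for (i = 1; i <= NF; i++) {
            t = $i
            if (t == "-p" || t == "--protocol") proto = tolower($(i + 1))
            if (t == "--dport" || t == "--sport") {
                ports = 1
                if ($(i + 1) ~ /,/) list = 1
            }
            # A long option written with one dash, e.g. -dport, -to-destination
            if (t ~ /^-[a-z][a-z-]+$/) report("long option needs two dashes: " t)
        }
        # --dport and --sport belong to the tcp/udp style protocol matches
        if (ports && proto !~ /^(tcp|udp|sctp|dccp|udplite)$/)
            report("--dport/--sport requires -p tcp or -p udp")
        # Comma-separated ports are only understood by the multiport match
        if (list)
            report("port list needs -m multiport with --dports/--sports")
    }
    END { exit bad }
    '
}

# Demo on constructed input: rule lines in the shape of this lab's examples,
# three of them with the defects the checker is meant to catch.
printf '%s\n' \
    'iptables -A INPUT -i eth0 --dport 80 -j ACCEPT' \
    'iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport 1024:65535 -dport 80 -j ACCEPT' \
    'iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP' \
    'iptables -A FORWARD -i eth0 -o eth1 -p TCP -m multiport --dport 80,443 -j ACCEPT' \
    | lint_iptables_rules || true
```

On the firewall host itself, iptables-restore --test parses a saved rule file without committing it and remains the authoritative check.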

Lab 8: IDS

I/ Installing Snort:

- Install the dependency packages:

- Install snort from the source package with the following commands:

./configure
make
make install

- Extract the snort rule set into the same directory as the snort source:

- The snort configuration file is /usr/snort-2.8.0.1/etc/snort.conf. Adjust the RULE_PATH variable and some of the rule sets (some rule sets are non-standard and cannot be used).

- Create the user snort and the directory in which events are logged:

- Create a script to start and stop snort as a service:

- Start snort as a service:

Start snort in NIDS debug mode:

II/ Configuring and monitoring Snort in graphical mode:

- Install webmin:

- Log in to Webmin, choose the Webmin Modules function, and import the Snort module into Webmin:

- Install mysql:

- Create users and grant them privileges in mysql:

# mysql -u root
mysql> set password for root@localhost=password('123456');
mysql> create database snort;
mysql> exit;
# mysql -u root -p
mysql> connect snort;

The script file that creates the data storage structure for Snort:

mysql> source create_mysql;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
mysql> grant CREATE,INSERT,SELECT,UPDATE on snort.* to acidviewer;
mysql> grant CREATE,INSERT,SELECT,UPDATE on snort.* to acidviewer@localhost;
mysql> connect mysql;
mysql> set password for 'snort'@'localhost'=password('123456');
mysql> set password for 'snort'@'%'=password('123456');
mysql> set password for 'acidviewer'@'localhost'=password('123456');
mysql> set password for 'acidviewer'@'%'=password('123456');
mysql> flush privileges;
mysql> exit;

- Edit the following lines in the file snort.conf:

# output database: log, mysql, user=root password=test dbname=db host=localhost

change to

output database: log, mysql, user=snort password=123456 dbname=snort host=000.000.000.000

- Next, install acid, adodb, gd and phplot:

# tar -xzvf acid-0.9.6b23.tar.gz -C /var/www/html
# tar -xzvf adodb461.tar.gz -C /var/www/html
# tar -xzvf gd-2.0.33.tar.gz -C /var/www/html
# tar -xzvf phplot-4.4.6.tar.gz -C /var/www/html

- Rename the directories gd-2.0.33 and phplot-4.4.6 to gd and phplot. Copy the directory acid to another directory named acidviewer.

- Edit the following lines in the file /var/www/html/acid/acid_conf.php and in the file /var/www/html/acidviewer/acid_conf.php:

$DBlib_path="../adodb";
$alert_dbname="snort";
$alert_user="snort"; (or acidviewer)
$alert_password="123456";
$ChartLib_path="../phplot";

- Continue the configuration with the following steps:

# mkdir /usr/lib/apache
# mkdir /usr/lib/apache/passwords
# htpasswd -c /usr/lib/apache/passwords/passwords snort
# htpasswd /usr/lib/apache/passwords/passwords acidviewer

- Add the following section to the file /etc/httpd/conf/httpd.conf:

<Directory /var/www/html/acid>
AuthType Basic
AuthName "snort solution"
AuthUserFile /usr/lib/apache/passwords/passwords
Require user snort
AllowOverride None
</Directory>
<Directory /var/www/html/acidviewer>
AuthType Basic
AuthName "snort solution"
AuthUserFile /usr/lib/apache/passwords/passwords
Require user acidviewer
AllowOverride None
</Directory>

- Now open the acid page at the address http://localhost/acid/ and continue the setup by following the steps on the web page.

- After the installation is complete, to view the snort log go to http://localhost/acid with the snort account or to http://localhost/acidviewer with the acidviewer account.

- To perform snort administration tasks, go to https://localhost:10000:
