ATHENA Lab Linux, Part IV
Part IV: Internet Services
Lab 1: FTP
Lab 2: The Secure Shell (SSH)
Lab 3: DNS
Lab 4: Web Server
Lab 5: Squid Server
Lab 6: Mail Server
Lab 7: Firewall Server
Lab 8: IDS Server
ATHENA NETWORK ADMINISTRATION AND SECURITY TRAINING CENTER, 2 Bis Đinh Tiên Hoàng, P. Đa Kao, Q.1, TP.HCM. Tel: (84-8) 38244041, 0989012418. www.athena.edu.vn
Lab 1: FTP
I/ Installing FTP: FTP is a service that provides a mechanism for transferring data as files over a TCP network. Many FTP server programs are used on Linux, such as Vsftpd, Wu-ftpd, PureFTPd, ProFTPD, ... This course covers Vsftpd.
- Check whether vsftpd is installed:
II/ Configuring the vsftpd server: the vsftpd server configuration file is /etc/vsftpd/vsftpd.conf
- Edit vsftpd.conf as follows:
# Do not allow anonymous logins
anonymous_enable=NO
# Allow local users to log in
local_enable=YES
# Give users write permission
write_enable=YES
# Enable logging
xferlog_enable=YES
# Location of the log file
xferlog_file=/var/log/vsftpd.log
# Use port 20 for FTP-Data
connect_from_port_20=YES
ftpd_banner=Trung Tam Dao Tao Mang May Tinh Athena
# Users listed in user_list are denied access
userlist_enable=YES
Note: when running vsftpd on CentOS 5 with SELinux set to enforcing (/etc/sysconfig/selinux), the ftp_home_dir boolean must be set to on.
- Check the ftp_home_dir boolean:
- Create the file test.txt
- A running FTP server needs ports 20 and 21 open, so open these two ports on the firewall or turn the firewall off.
Check
- Access from Windows:
Check
Lab 2: The Secure Shell (SSH)
I/ Installing SSH: The telnet program lets users log in to a system remotely. Its weakness is that the user name and password are sent over the network unencrypted, so it is very easy to attack. The ssh software is a newer facility in Linux that addresses this weakness of telnet: it lets you log in to a Linux system remotely, and the password is encrypted. ssh is installed by default when Linux is installed.
- Check whether ssh is installed:
II/ Configuring the SSH server: the SSH server configuration file is /etc/ssh/sshd_config
- View sshd_config with its default options:
- A running ssh server needs port 22 open, so open this port on the firewall or turn the firewall off.
Enter root's password. To leave the ssh server, type exit.
To ssh with an account other than root, add the -l option as follows:
=> Copies the file maillog from localhost to the /tmp directory on server 192.168.36.230
To copy a whole directory, add the -r option as follows:
=> Copies the log directory to the /tmp directory on server 192.168.36.230
- Accessing the ssh server from Windows: on Windows, install the program SCRT 4.0.5.exe
After installation, run the program from Start => Programs => SecureCRT 4.0 => SecureCRT 4.0.exe
Select
After installation, run the program from Start => Programs => SSH Secure Shell => Secure File Transfer Client
Select
, enter the parameters
Select Connect
IV/ Configuring access to the SSH server without entering a password:
- Edit the configuration file on the server and set the following two attributes:
- Generate the key on the client machine:
IP Server
- On the server, copy the file id_rsa.pub to a new file named authorized_keys:
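As an added example (not part of the original lab), the shell helpers below read the effective value of an sshd_config keyword and install a public key into authorized_keys by appending rather than overwriting, with the file modes sshd's StrictModes check accepts. The function names, the sample sshd_config and the placeholder key are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names and all sample data are constructed.

# Print the value sshd would use for KEYWORD at global scope. sshd keeps the
# first value it reads for a keyword; keywords are case-insensitive. Parsing
# stops at the first Match block. Assumes "Keyword value" (whitespace) syntax.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD
    awk -v kw="$2" '
        BEGIN { kw = tolower(kw) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == kw { print $2; exit }
    ' "$1"
}

# Append each key in PUBFILE to HOME_DIR/.ssh/authorized_keys unless that exact
# line is already there (so existing keys survive), then tighten the modes.
install_pubkey() {  # usage: install_pubkey HOME_DIR PUBFILE
    dir="$1/.ssh"
    auth="$dir/authorized_keys"
    mkdir -p "$dir" || return 1
    touch "$auth" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -qxF -e "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$2"
    chmod 700 "$dir" && chmod 600 "$auth"
}

# Succeed only if PATH is not writable by group or others. With StrictModes
# (the sshd default) a looser home, .ssh or authorized_keys makes sshd refuse
# the key, and the client is asked for the password again.
not_group_world_writable() {  # usage: not_group_world_writable PATH
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/sshd_config" <<'EOF'
# constructed sample
#PubkeyAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
    echo 'ssh-rsa AAAA_CONSTRUCTED_PLACEHOLDER student@client' > "$tmp/id_rsa.pub"
    echo "PubkeyAuthentication: $(sshd_effective "$tmp/sshd_config" PubkeyAuthentication)"
    install_pubkey "$tmp/home" "$tmp/id_rsa.pub"
    install_pubkey "$tmp/home" "$tmp/id_rsa.pub"   # second run adds nothing
    echo "keys installed: $(wc -l < "$tmp/home/.ssh/authorized_keys")"
    not_group_world_writable "$tmp/home/.ssh/authorized_keys" && echo "modes ok"
    rm -rf "$tmp"
}
demo
```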
Compiled by: Nguyễn Trí Thức. For internal circulation.
Lab 3: DNS
DNS is the service that resolves domain names to IP addresses and vice versa. There are three kinds of name server: Primary Name Server, Secondary Name Server, Caching Name Server.
I/ Installing a Primary Name Server:
- Check whether DNS is installed:
- Create the file /var/named/0.0.127.in-addr.arpa.db:
- Create the file /var/named/athena.edu.vn.db:
- Create the file /var/named/36.168.192.in-addr.arpa.db:
III/ Configuring the DNS client:
- From Windows: set Preferred DNS Server to the IP of the DNS server
Check with the nslookup command: nslookup www.athena.edu.vn
Check with the ping command: ping www.athena.edu.vn
IV/ Some DNS testing tools:
- dig (domain information groper): dig @192.168.36.230 www.athena.edu.vn ANY
- nslookup: nslookup www.athena.edu.vn
Lab 4: Web Server
I/ Installing Apache: Apache is web server software with many features, including: full support for earlier HTTP protocols such as HTTP/1.1; it can be configured and extended with third-party modules; full source code is provided under an unrestrictive license; it runs on many operating systems such as Win 9x, Netware 5.x, OS/2, Unix, Linux.
- Check whether Apache is installed:
II/ Configuring the Apache web server: the Apache web server configuration file is /etc/httpd/conf/httpd.conf
- Create the root directory for the web site:
- Edit httpd.conf as follows:
# Where Apache is installed
ServerRoot /etc/httpd
# Lifetime of a connection (seconds)
Timeout 120
# Allow a client to send multiple requests to the server over one connection
KeepAlive On
# Maximum number of requests per connection
MaxKeepAliveRequests 100
# Timeout of a request (seconds)
KeepAliveTimeout 15
# Listen on port 80
Listen 80
# User and group that httpd runs as
User apache
Group apache
# E-mail address of the administrator
ServerAdmin root@localhost
# Declare the URL address
ServerName www.athena.edu.vn:80
# Root directory of the web server
DocumentRoot /var/www/html
index.html # Default file served when the website is opened
logs/error_log # Stores the error log (/etc/httpd/logs/error_log)
log/access_log # Stores the access log (/etc/httpd/logs/error_log)
IV/ Access authentication (Basic Authentication):
1/ Create the passwords file:
- Create two users for access as follows:
Note: the -c option creates a new passwords file. If the file already exists, its old contents are erased and the new contents are written. When adding a password for another user, do not use the -c option.
- Check the passwords file just created:
V/ VirtualHost: a feature that lets us create more than one website on a server. There are two ways to create virtual hosts: IP-based virtual hosts (one IP per website, which requires multiple IPs) and name-based virtual hosts (one IP for several different names, which requires a DNS server). This section shows how to create virtual hosts with the IP-based method.
- Check the hosts on network card eth0
Check:
- Check
I/ Installing Apache:
III/ Installing DNS:
- Create the file /var/named/36.168.192.in-addr.arpa.db:
- Stop firewall
IV/ Check:
- On the client machine, set the DNS server to 192.168.36.230
- Check with ping:
Lab 5: Squid Server
I/ Installing Squid: Squid is an Internet proxy-caching program that receives requests from clients and forwards them to the appropriate Internet server. It also stores on disk the data returned by the Internet server, which is called caching. Protocols supported by Squid: HTTP, FTP, SSL, ...
- Check whether Squid is installed:
- Stop iptables:
III/ Configuring Squid:
1/ General configuration: change the following options:
# HTTP port that squid listens on
http_port 8080
# Allow 10 MB of cache
cache_mem 10 MB
# Cache storage directory; the three numbers are the directory size (MB), the number of level-1 subdirectories and the number of level-2 subdirectories
cache_dir ufs /var/spool/squid 100 16 255
access_log /var/log/squid/access.log
2/ Access Control: add at the very end of the acl tag section in squid.conf
a/ Allow access from the internal network Monday to Friday, from 8h to 17h.
- Edit the configuration file:
b/ Allow/deny access to certain websites.
- Create a file containing the list of sites that are allowed:
- Edit the configuration file:
c/ Allow/deny access to certain domains.
- Create a file containing the list of domains that are allowed:
- Edit the configuration file:
- Restart the squid daemon:
- Test access: mail.yahoo.com
d/ Use NCSA to authenticate passwords.
- Create the user test:
- Create the file squid_passwd with the htpasswd tool as follows:
- Edit the configuration file:
e/ Restrict the content of downloaded files.
- Create a file containing the extensions of the files whose download is to be restricted
- Edit the configuration file:
Lab 6: Mail Server
I/ Configuring the hostname:
- Edit the file /etc/hosts:
- Edit the file /etc/sysconfig/network
- Create the file /var/named/36.168.192.in-addr.arpa.db:
- Stop firewall
III/ Configuring the mail server:
1/ Configuring Postfix:
- Postfix can be installed through Add/Remove Programs, from a source package, or from an rpm.
- Edit the configuration file /etc/postfix/main.cf, paying attention to the following parts:
# General configuration options:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
mydomain = athena.edu.vn
myhostname = mail.athena.edu.vn
# Which domain the server uses when sending mail out.
myorigin = $mydomain
# Which addresses the server listens on to receive mail.
inet_interfaces = all
mydestination = $mydomain
- With this basic configuration we can start the postfix service, and chkconfig the postfix service so that it starts at every boot:
- Use the useradd command to add two users, test1 and test2, to the system.
- Test sending and receiving through postfix with these two accounts. At this point postfix treats the accounts as system accounts, and mail is stored in /var/spool/mail. Use the following commands:
ehlo mail.athena.edu.vn
mail from: test1@athena.edu.vn
rcpt to: test2@athena.edu.vn
data
<enter the message body>
<end with a . and Enter>
2/ Controlling Postfix policies:
- Postfix supports many policies that control mail sending and receiving very flexibly.
- Detailed information about these policies can be found at www.postfix.org. Within the scope of this lab, only some commonly used policies are covered.
- Evaluate the sender address to decide whether to accept the mail: smtpd_sender_restrictions can take the following values:
check_sender_access
reject_authenticated_sender_login_mismatch
reject_non_fqdn_sender
reject_rhsbl_sender rbl_domain=d.d.d.d
reject_unauthenticated_sender_login_mismatch
reject_unverified_sender
Example:
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_sender_restrictions = reject_unknown_sender_domain,
- Evaluate the rcpt address to decide whether to relay the mail: smtpd_recipient_restrictions can take the following values:
check_recipient_access
check_recipient_mx_access
permit_auth_destination
reject_non_fqdn_recipient
reject_unauth_destination
reject_rhsbl_recipient rbl_domain=d.d.d.d
...
Example:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
- Control mailbox size:
mailbox_size_limit
message_size_limit
- Control the number of rcpt receiving a mail at the same time:
smtpd_recipient_limit
- Control the number of concurrent connections:
smtpd_client_connection_count_limit (default: 50)
smtpd_client_connection_rate_limit (default: no limit)
smtpd_client_message_rate_limit (default: no limit)
smtpd_client_recipient_rate_limit (default: no limit)
smtpd_client_new_tls_session_rate_limit (default: no limit)
smtpd_client_event_limit_exceptions (default: $mynetworks)
3/ Installing Cyrus-imapd:
- Cyrus-imapd is software for storing mail. By default, the MTA stores mail as one text file per user in the directory /var/spool/mail.
- With Cyrus-imapd, mail is stored in a hierarchical directory tree, which is convenient for management and searching.
- Check whether cyrus-imapd is installed:
4/ Configuring cyrus-imapd:
- Cyrus-imapd has two main configuration files: /etc/cyrus.conf and /etc/imapd.conf
- The file /etc/cyrus.conf controls:
o Support for users checking mail via POP and IMAP, and how many processes are started in advance.
o Receiving mail delivered from the MTA via lmtp, over a socket or over IP.
- The file /etc/imapd.conf controls:
o Where mailboxes are stored.
o Which domains the IMAP server supports.
o Which method authenticates users receiving mail: local users, or a database. This allows a high degree of customization in user management.
5/ Testing authentication with cyrus-imapd using saslauthd:
- Start the saslauthd service to begin authenticating:
- Start cyrus-imap through the cyrus-master process. Create a startup script that runs imap as a service, or run it directly with the command:
- Use the imtest command to test authentication as user cyrus (local-user authentication is used here; cyrus is a system user).
Use the command: imtest -a cyrus@athena.edu.vn -u cyrus@athena.edu.vn -m login localhost
- Log in as user cyrus (the administrative user of the athena.edu.vn domain) and create mailboxes for the two users test1 and test2:
cyradm -u cyrus localhost
>cm user.test1@athena.edu.vn
>cm user.test1@athena.edu.vn.INBOX
>cm user.test1@athena.edu.vn.SENT
Do the same to create the mail account for test2.
6/ Configuring postfix to hand mail to cyrus-imapd:
- For Postfix to deliver mail into cyrus-imapd's storage structure instead of storing it locally, change the following line in the file /etc/postfix/main.cf
local_transport = cyrus
- Also uncomment, or add, the following lines in the file /etc/postfix/master.cf
cyrus unix - n n - - pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
- Test sending and receiving mail through postfix again, and watch where the mail is delivered.
Lab 7: Firewall
I/ Installing IPTABLES: Iptables provides the following features: better integration with the Linux kernel; efficient packet analysis; packet filtering based on MAC address and some flags in the TCP header; detailed options for logging system events; NAT; the ability to block some DoS (Denial of Service) style attacks.
- Check whether iptables is installed:
II/ Configuring iptables: there are two ways to configure iptables: using commands, or editing the file /etc/sysconfig/iptables. Configuration made with commands is not kept after the iptables service is restarted.
- Configure iptables to allow ssh access:
Restart the iptables service
Then comment out (#) the line in /etc/sysconfig/iptables, restart the iptables service, and run telnet 192.168.36.230 22 to check the result again.
- Configure iptables to block ping:
Remove the line in /etc/sysconfig/iptables
Restart the iptables service
Check again
Re-enable the line in /etc/sysconfig/iptables to allow ping
Restart the iptables service
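Commenting out a line changes the result because iptables applies the first rule that matches a packet. As an added example (not part of the original lab), this script reads a rules file in the /etc/sysconfig/iptables format and reports which rule decides a new TCP connection to a port, before and after the accept line is commented out. The function name and the sample rule set are constructed, and the matcher is deliberately simplified as described in its comments.

```shell
#!/bin/sh
# Added example; the function name and sample rules are constructed.

# Print the target of the first rule in CHAIN that would decide a new TCP
# connection to PORT, reading an iptables-save style file such as
# /etc/sysconfig/iptables. Simplifying assumption: a rule decides the packet
# if it names "--dport PORT" or has no match options at all (a catch-all such
# as "-A INPUT -j REJECT"); every other rule is skipped. Commented-out lines
# never match because they do not start with "-A". If no rule decides, the
# chain policy applies and "POLICY" is printed.
verdict_for_port() {  # usage: verdict_for_port FILE CHAIN PORT
    awk -v chain="$2" -v port="$3" '
        $1 != "-A" || $2 != chain { next }
        {
            target = ""; dport = ""; nopts = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") { target = $(i + 1); break }
                if ($i == "--dport") dport = $(i + 1)
                nopts++
            }
            if (dport == port || nopts == 0) { print target; found = 1; exit }
        }
        END { if (!found) print "POLICY" }
    ' "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample rule set.
    cat > "$tmp/rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    echo "port 22, rule present:       $(verdict_for_port "$tmp/rules" INPUT 22)"
    # Comment out the port-22 rule, as the lab step does.
    sed 's/^\(-A INPUT .*--dport 22 .*\)$/#\1/' "$tmp/rules" > "$tmp/rules.off"
    echo "port 22, rule commented out: $(verdict_for_port "$tmp/rules.off" INPUT 22)"
    rm -rf "$tmp"
}
demo
```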
III/ Some reference iptables configurations:
- Accept packets arriving on port 80 on network card eth0:
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
- Drop packets arriving on port 23 over TCP on network card eth0:
iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP
- Let the firewall accept TCP packets with any source address and destination address 192.168.1.1 that come in on interface eth0:
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT
- Accept TCP packets for forwarding when they have any source address, arrive on interface ethernet 0 with a source port in the range 1024-65535, and have destination address 192.168.1.58, leaving through interface ethernet 1, with destination port 80 (www):
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT
- Allow the firewall to send ICMP (echo-request) and receive ICMP (echo-reply):
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
- The firewall accepts TCP packets to be routed when they enter interface ethernet 0 with any source address and leave through interface ethernet 1 with destination address 192.168.1.58. The source port is in the range 1024-65535 and the destination ports are 80 (www) and 443 (https):
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP --sport 1024:65535 -m multiport --dports 80,443 -j ACCEPT
Instead of having to specify the source and destination ports, we can simply use the option -m state --state ESTABLISHED:
iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP \
    -m state --state ESTABLISHED -j ACCEPT
- Change the source IP of packets leaving network card eth0 to 210.40.2.71. When a packet comes in from the Internet, iptables automatically changes the destination IP 210.40.2.71 to the corresponding destination IP of the machine in the LAN 192.168.0/24:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 210.40.2.71
Alternatively, you can use MASQUERADE instead of SNAT as follows:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
(MASQUERADE is usually used when the Internet connection is ppp0 and uses a dynamic IP address)
- Change the destination address to the server 192.168.1.2 when 172.28.24.199 is accessed:
iptables -t nat -A PREROUTING -d 172.28.24.199 -i eth0 -j DNAT --to-destination 192.168.1.2
IV/ Installing shorewall:
- Shorewall is an interface that makes iptables easier to manage.
- Install shorewall from the rpm package as follows:
- Configure the file /etc/shorewall/policy. This file defines the connection policies between the zones defined in the file /etc/shorewall/zone:
- Configure the file /etc/shorewall/rules. This is the most important file; it controls the rules that decide whether a connection is allowed. /etc/shorewall/rules can be understood as a front end to iptables: instead of writing complex iptables definitions, we define rules in shorewall's format, and shorewall then compiles them into iptables commands.
- Configure the file /etc/shorewall/shorewall.conf. This file defines the operating options for shorewall. Leave the configuration file at its defaults and change the following line:
Lab 8: IDS
I/ Installing Snort:
- Install the dependency packages:
- Install snort from the source package with the following commands:
./configure
make
make install
- Extract the snort rule set into the same directory as the snort source:
- The snort configuration file is /usr/snort-2.8.0.1/etc/snort.conf; edit the RULE_PATH variable and some of the rule sets (some rule sets are non-standard and cannot be used).
Start snort in NIDS debug mode:
- Log in to Webmin, choose the Webmin Modules function, and import the Snort module into Webmin:
- Install mysql:
- Create users and grant them privileges in mysql:
# mysql -u root
mysql> set password for root@localhost=password('123456');
mysql> create database snort;
mysql> exit;
# mysql -u root -p
mysql> connect snort;
Script file that creates the data storage structure for Snort
mysql> source create_mysql;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
mysql> grant CREATE,INSERT,SELECT,UPDATE on snort.* to acidviewer;
mysql> grant CREATE,INSERT,SELECT,UPDATE on snort.* to acidviewer@localhost;
mysql> connect mysql;
mysql> set password for snort@localhost=password('123456');
mysql> set password for snort@'%'=password('123456');
mysql> set password for acidviewer@localhost=password('123456');
mysql> set password for acidviewer@'%'=password('123456');
mysql> flush privileges;
mysql> exit;
- Edit the following lines in snort.conf:
# output database: log, mysql, user=root password=test dbname=db host=localhost
change to
output database: log, mysql, user=snort password=123456 dbname=snort host=000.000.000.000
- Next, install acid, adodb, gd, phplot
# tar xzvf acid-0.9.6b23.tar.gz -C /var/www/html
# tar xzvf adodb461.tar.gz -C /var/www/html
# tar xzvf gd-2.0.33.tar.gz -C /var/www/html
# tar xzvf phplot-4.4.6.tar.gz -C /var/www/html
- Rename the directories gd-2.0.33 and phplot-4.4.6 to gd and phplot. Copy the acid directory to another directory named acidviewer.
- Edit the following lines in /var/www/html/acid/acid_conf.php and /var/www/html/acidviewer/acid_conf.php:
$DBlib_path="../adodb";
$alert_dbname="snort";
$alert_user="snort"; // or acidviewer
$alert_password="123456";
$Chartlib_path="../phplot";
- Continue with the following steps:
# mkdir /usr/lib/apache
# mkdir /usr/lib/apache/passwords
# htpasswd -c /usr/lib/apache/passwords/passwords snort
# htpasswd /usr/lib/apache/passwords/passwords acidviewer
- Add the following section to the file /etc/httpd/conf/httpd.conf:
<Directory /var/www/html/acid>
    AuthType Basic
    AuthName "snort solution"
    AuthUserFile /usr/lib/apache/passwords/passwords
    Require user snort
    AllowOverride None
</Directory>
<Directory /var/www/html/acidviewer>
    AuthType Basic
    AuthName "snort solution"
    AuthUserFile /usr/lib/apache/passwords/passwords
    Require user acidviewer
    AllowOverride None
</Directory>
- Now access the acid page at http://localhost/acid/ and continue the setup by following the steps on the web page.
- Once installation is complete, to view the snort log go to http://localhost/acid with the snort account, or to http://localhost/acidviewer with the acidviewer account.
- To perform snort administration tasks, go to https://localhost:10000: