SUBJECT/MODULE: Linux Network Administration - PRACTICAL EXERCISE HANDOUT

Khoa CNTT (Faculty of Information Technology), Subject/Module: ..

Each lesson in this handout is laid out in four columns: No. | Lesson and skills achieved | Practical content | Practical application.

LESSON 1 (No. 1)
Skills achieved:
- Recognise the Linux OS and how it is installed.
- The operating modes of the Linux OS.
- Know how to recover a lost root password.
Practical application: installing the Linux OS; recovering from a lost root password.

EXERCISE 01

Scenario 1
Description: You are an IT employee of the LHV company, which currently runs Windows Server on all of its servers. The problem is that Windows must be licensed: the authorities are inspecting software licences and require that no unlicensed software be used, but your director does not want to pay for Windows licences and asks you to find an operating system to replace Windows. You know that Linux is free and choose it for your systems. Before you can deploy anything you must install Linux on the company's servers.
Requirements: Before installing Linux, determine which Linux distribution is stable, well supported and suitable for deployment on application servers. CentOS (from RedHat) is known as a good choice today, so you are required to deploy CentOS on the company's servers.
Step-by-step instructions:
1. Prepare the CentOS installation DVD (buy it or download it from www.centos.org).
2. Check the machine configuration (CPU, RAM, NIC, HDD).
3. Carry out the installation (see the demo video).

Scenario 2
Description: You are an IT employee of LHV, which is developing a medical application written in PHP. The sales department uses laptops with licensed Windows Vista on which the demo version is installed to present the product to customers (hospitals and clinics), but the application is known to run more slowly on Windows than on Linux. To make the product perform at its best during demos, project management asks you to install Linux (Fedora) on the sales staff's laptops without losing the Windows Vista they already use. The laptops are well specified (Core 2 Duo 2.8 GHz CPU, 4 GB RAM, 350 GB HDD).
Requirements: Install Windows Vista (or XP) and Linux (Fedora) on the same computer.
Hints:
1. Back up all data on the laptops.
2. Use Hiren's BootCD to create a new free partition larger than 10 GB. Do not format it, and do not disturb the OS currently in use while creating it.
3. Insert the Fedora installation disc and start the installation.
4. Proceed as normal until the installer asks where to install the OS, then choose "create custom layout".
5. Select the free partition and divide it into /boot, / and swap.
6. Choose which OS boots by default.
7. Complete the remaining steps of the Linux installation.
Student's summary of the procedure: ..
Score: ... Instructor's signature: ..
EXERCISE 02 (No. 2)

Scenario 1
Description: You are the IT staff of LHV and take over the company's servers from the previous administrator, but he forgot to give you the root password of the Samba server. You need to log in to the Samba server to check its logs, but you do not have the root password. How can you log in to the Samba server with the root account?
Requirements: Recover the root password of the Samba server (CentOS).
Step-by-step instructions:
1. Restart the OS.
2. When the boot loader menu appears, press any key; the OS selection menu is shown.
3. Press e to edit the boot command.
4. Append the number 1 to the end of the kernel command line.
5. Press Enter to return to the OS selection menu and press b to boot. When booting finishes you see the prompt sh-2.05#, which means you are in single-user mode (runlevel 1). Change the root password:
   sh-2.05# passwd root
   Enter the new password, then confirm it.
6. After changing the password, reboot the OS:
   sh-2.05# init 6

Scenario 2
Description: Your computer runs Fedora and you let someone else use it. When he returned it you could no longer log in with the root account. How do you get the root password back?
Requirements: Recover the root password on Fedora.
Hints:
1. Restart the OS.
2. When the boot loader menu appears, press any key; the OS selection menu is shown.
3. Press e to edit the boot command.
4. Append the number 1 to the end of the command line.
5. Press Enter to return to the OS selection menu, press b to boot into runlevel 1, and change the password.
6. Reboot the OS.
Student's summary of the procedure: ..
Score: ... Instructor's signature: ..
(No. 3)
Skills achieved: File system administration; standard streams and redirection.
Practical application: administering the Linux OS.

EXERCISE 03

Scenario 1
Description: You are new to Linux; the first thing you must master is administering the Linux file system.
Requirements: Master the function and usage of the commands introduced in the lecture slides.
Step-by-step instructions:
1. Following the lecture slides, practise the commands that were introduced.
2. Use the man command to get help on those commands. Syntax:
   # man <command>
   Example: (screenshot not reproduced)

Scenario 2
Description: You are the administrator of a file server. You are asked to limit the group ketoan to at most 5 GB of disk space, with a warning at 4.5 GB; if the limit is still exceeded 8 days after the warning, the data is deleted. Other users are allowed at most 20 files and directories, with a warning at 15; if they are still over the limit after 10 days, their data is deleted automatically.
Requirements: Configure disk quotas.
Instructions:
Edit /etc/fstab (the entry is shown in the screenshot, not reproduced):
   # vi /etc/fstab
Configure the quota:
1. Create the aquota.user file in /home; it records how much disk space each user is using.
   # touch /home/aquota.user
   # touch /home/aquota.group
   # chmod 600 /home/aquota.*
2. Build the quota table:
   # quotacheck -avugm
3. Assign a quota to a user:
   # edquota -u User
4. Assign a quota to a group:
   # edquota -g Group
5. Set the grace period after which data exceeding the soft limit is deleted:
   # edquota -t

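The steps above set the limits interactively in edquota. As an added example (not part of the handout), the script below builds the equivalent non-interactive setquota commands for the scenario's limits; it assumes /home is the quota-enabled file system (mounted with the usrquota,grpquota options) and uses a constructed user list.

```shell
#!/bin/sh
# Added example (not from the handout): emit the setquota commands that
# implement the scenario (ketoan: 4.5 GB soft / 5 GB hard, 8-day grace;
# other users: 15 / 20 files, 10-day grace) instead of editing them in edquota.
# Assumptions: /home is the quota-enabled file system; USERS is sample data.
# setquota takes block limits in 1 KiB blocks and grace periods in seconds.
# NOTE: an expired grace period does not delete data; it makes the soft limit
# behave as a hard limit, so further writes fail until usage drops.

FS=/home

gb_to_kb() {            # 4.5 -> 4718592, 5 -> 5242880
    awk -v g="$1" 'BEGIN { printf "%d", g * 1024 * 1024 }'
}

days_to_sec() {         # 8 -> 691200
    echo $(( $1 * 86400 ))
}

# setquota -g GROUP bsoft bhard isoft ihard FS   (0 = no inode limit)
group_quota_cmd() {     # group soft_gb hard_gb
    echo "setquota -g $1 $(gb_to_kb "$2") $(gb_to_kb "$3") 0 0 $FS"
}

# per-user limit on files + directories (inodes), no block limit
user_inode_cmd() {      # user soft_files hard_files
    echo "setquota -u $1 0 0 $2 $3 $FS"
}

# grace period for block and inode soft limits, per user (-u) or group (-g)
grace_cmd() {           # -u|-g days
    echo "setquota -t $1 $(days_to_sec "$2") $(days_to_sec "$2") $FS"
}

# Full plan for the scenario; review it, then run it as root with: sh this.sh | sh
quota_plan() {
    USERS=${USERS:-"alice bob"}     # constructed sample users
    group_quota_cmd ketoan 4.5 5
    grace_cmd -g 8
    for u in $USERS; do user_inode_cmd "$u" 15 20; done
    grace_cmd -u 10
    echo "repquota -avug"           # verify the resulting limits
}

quota_plan
```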
Scenario 3
Description: You are the IT staff of LHV. LHV now has 100 employees, so the data partition of the Samba server no longer has enough capacity for the employees' storage needs, and you are asked to increase the Samba server's storage.
Requirements: Add a hard disk for the data partition.
Step-by-step instructions:
1. Check the data usage of the partitions (df output in the screenshot, not reproduced). In the screenshot the /var partition (/dev/hda2) is 99% full; that is the partition that must be extended.
2. Attach the HDD to the machine, then list the existing disks and partitions together with the newly attached HDD. hda is the existing disk that holds the OS and system components, with partitions hda1 to hda6; hdb is the disk we have just added.
3. Add a file system to hdb.
4. Create a new partition on hdb (fdisk session in the screenshot, not reproduced). w writes the new partition table to hdb; q quits fdisk.
5. Check the newly created partition. It is named hdb1.
6. Format the new partition with the ext3 file system.
7. Create a mount point for the partition just created. Edit /etc/fstab so the partition is mounted into the system, then re-read /etc/fstab:
   # mount -a
   The new partition is now accessible at /mnt/hdb1.
8. Move the data from /var to the new partition hdb1 and back up the data on it.
9. Restart the system into single-user mode with the command:
   # init 1
10. Rename transactions inside /var:
   sh-2.05b# mv /var/transactions /var/transactions-save
11. Create a new transactions directory on which the new partition will be mounted:
   sh-2.05b# mkdir /var/transactions
12. Copy the contents of /var/transactions-save to /mnt/hdb1:
   sh-2.05b# cp -a /var/transactions-save/* /mnt/hdb1
13. Unmount /dev/hdb1:
   # umount /mnt/hdb1
14. Edit /etc/fstab with the following content (screenshot not reproduced; it mounts /dev/hdb1 on /var/transactions instead of /mnt/hdb1), then mount:
   # mount -a
15. Leave single-user mode:
   # init 6

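Steps 10 to 12 copy with a shell glob and never verify the copy. As an added example (not part of the handout), the function below performs the same move with dot-files included and a diff check before the old directory is renamed away; it assumes the new partition is already formatted and mounted on the destination path, and uses a constructed sample tree in place of /var/transactions.

```shell
#!/bin/sh
# Added example (not from the handout): move a directory onto a newly mounted
# partition with the checks steps 10-12 above leave out. "src/." copies
# dot-files too (a "src/*" glob skips them), and the original is only renamed
# out of the way after "diff -r" proves the copy is complete.
# Assumes the new partition is already formatted and mounted on $2; afterwards
# umount $2 and mount the partition on $1 (steps 13-15).

migrate_dir() {   # src_dir mounted_new_fs  -> 0 on success, 1 on any failure
    src=$1; dst=$2
    [ -d "$src" ] && [ -d "$dst" ] || { echo "missing directory" >&2; return 1; }
    cp -a "$src/." "$dst/" || return 1              # keep owners, modes, times, symlinks
    # lost+found exists on a fresh ext3 partition and is expected to differ
    diff -r -x lost+found "$src" "$dst" >/dev/null || { echo "copy differs from source" >&2; return 1; }
    mv "$src" "$src-save" || return 1               # keep the original until cut-over is verified
    mkdir "$src" || return 1                        # fresh, empty mount point for the new partition
}

# Regular files in a tree, dot-files included; compare before and after the move.
count_files() {   # dir
    find "$1" -type f | wc -l | tr -d ' '
}

# Constructed sample tree for a self-test (stands in for /var/transactions).
make_sample_tree() {   # dir
    mkdir -p "$1/2010/07"
    printf 'tx-1\n' > "$1/2010/07/000001"
    printf 'hidden state\n' > "$1/.state"          # the file a "*" glob would lose
    ln -s 2010/07/000001 "$1/latest"
}
```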
Student's summary of the procedure: ..
Score: ... Instructor's signature: ..
LESSON 2 (No. 4)
Skills achieved: Network configuration; process management; working with the vi editor.
Practical application: using the vi editor to work on files in Linux; managing processes.

EXERCISE 04

Scenario 1
Description: You are the IT staff of LHV. The developers frequently connect remotely to the Linux test servers to build the product, but they find it hard to work from the command line. They ask you for a way to connect to the Linux test servers and work on them through a graphical interface (GUI mode) so that their work is easier.
Requirements: Configure remote access with VNC.
Step-by-step instructions:
1. Install the VNC server:
   # yum install vnc-server vnc
2. Configure it: edit /etc/sysconfig/vncservers. Several VNC instances can be created for different users, as in the following example (screenshot not reproduced).
3. Set a password for each user who connects with VNC (screenshot not reproduced).
4. Start the VNC server with the chosen options (screenshot not reproduced).
5. Adjust the screen resolution: edit ~/.vnc/xstartup as follows (screenshot not reproduced).
6. Use VNC Viewer to connect to the servers.

Scenario 2
Description: LHV has a branch in Ho Chi Minh City and has now opened another branch in Hanoi. LHV hires you as its administrator. Each branch currently has its own separate network, which makes sharing data difficult. You are asked to connect the networks of the Hanoi and Ho Chi Minh branches so that both branches can access each other's data. The connection between the two branches is shown in the network diagram (not reproduced).
Practical application: using a computer running Linux as a router.
Requirements: Configure routing on the HA NOI router and the HO CHI MINH router.
Hints:
Step 1: On each router, add routes for the 3 networks.
Step 2: Enable IP forwarding:
   echo 1 > /proc/sys/net/ipv4/ip_forward
Student's summary of the procedure: ..
Score: ... Instructor's signature: ..
Scenario 3
Description: Your company rents a mail server from an ISP. The director asks you to check the mail log to see whether anyone sent mail from the address abc@hp.com to the director's mailbox in the past hour. You connect to the mail server with SSH. Your SSH access to the mail server must be authenticated with a key, and the connection must be encrypted.
Practical application: configuring remote access over SSH.
Requirements: Configure SSH on Linux to accept key-authenticated logins, for better security.
Hints:
A) On the mail server that we will reach with SSH:
1. Create a key pair with the ssh-keygen command (screenshot not reproduced):
   -t is the encryption algorithm type
   -b is the key size
   After ssh-keygen finishes, two files appear in /root/.ssh/: id_rsa and id_rsa.pub.
2. Rename the public key id_rsa.pub in the user's home directory (here the user is root, so ~/.ssh/) to authorized_keys.
3. Set the permissions of authorized_keys to 600.
4. Edit /etc/ssh/sshd_config:
   RSAAuthentication yes
   PubkeyAuthentication yes
   AuthorizedKeysFile .ssh/authorized_keys
   PasswordAuthentication no    <-- turn off password authentication
5. Restart sshd.
B) On the client (the machine that will SSH into the mail server):
1. Copy the id_rsa file from the mail server into /root/.ssh/.
2. Set the permissions of id_rsa to 600.
3. Use ssh to log in to the mail server (screenshot not reproduced).
If the client is a Windows machine, use PuTTY and import the id_rsa key into it:
Choose the path of the private key file (id_rsa) saved on the Windows client, then enter the passphrase that was set when the key was generated for the user.
A message reports that the key was imported successfully. Click "Save private key" and save it as sshkey.ppk.
Open PuTTY, go to the Auth section and select the sshkey.ppk file saved above.
Next, return to the Session section and enter the IP of the SSH server, then enter the user that was configured for key authentication.
Note:
+ If the SSH key pair was generated on the server, copy the private key to the client.
+ If the key pair was generated on the client, copy the public key to the server.
+ Permissions: 644 for the public key and 600 for the private key.
Student's summary of the procedure: ..
Score: ... Instructor's signature: ..
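Steps A.3 to A.5 and B.2 only protect the server if sshd really reads the intended values and the key files have the intended mode. The checker below is an added example, not part of the handout; it assumes GNU stat, sshd's rule that the first uncommented occurrence of a keyword wins, and uses constructed config and key files for its self-test.

```shell
#!/bin/sh
# Added example (not from the handout): verify the sshd settings and key-file
# permissions from steps A.3-A.5 / B.2 before relying on key-only logins.
# Assumes GNU coreutils (stat -c) and standard sshd_config parsing, where the
# FIRST uncommented occurrence of a keyword is the one sshd uses.

# Effective value of a keyword in an sshd_config file ("" if unset).
sshd_value() {   # file keyword
    awk -v key="$2" '
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    ' "$1"
}

lower() { tr '[:upper:]' '[:lower:]'; }

# 0 when the file enforces key-only logins as the scenario requires, else 1.
check_sshd_config() {   # file
    [ "$(sshd_value "$1" PubkeyAuthentication | lower)" = "yes" ] || return 1
    [ "$(sshd_value "$1" PasswordAuthentication | lower)" = "no" ] || return 1
    return 0
}

# 0 when a private key or authorized_keys file is mode 600 and owned by the caller.
check_private_perms() {   # path
    [ -f "$1" ] || return 1
    [ "$(stat -c %a "$1")" = "600" ] || return 1
    [ "$(stat -c %u "$1")" = "$(id -u)" ] || return 1
}

# Constructed sample files for a self-test (not a real server's configuration).
make_sample() {   # dir
    cat > "$1/good.conf" <<'EOF'
# key-only logins, as configured in step A.4
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
EOF
    cat > "$1/bad.conf" <<'EOF'
PubkeyAuthentication yes
#PasswordAuthentication no
PasswordAuthentication yes
EOF
    printf 'constructed-key\n' > "$1/id_rsa";       chmod 600 "$1/id_rsa"
    printf 'constructed-key\n' > "$1/id_rsa_loose"; chmod 644 "$1/id_rsa_loose"
}

# On a real host:
#   check_sshd_config /etc/ssh/sshd_config && check_private_perms ~/.ssh/id_rsa
```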
Skills achieved: Recognise and write shell scripts on Linux.

EXERCISE 05

Scenario 1
Description: You are a Linux system administrator. You want to know which user you are currently logged in as, today's date, and how many users are currently logged in to your system.
Requirements: Write a shell script that automates this.
Instructions: The shell script is as follows:

   #!/bin/sh
   clear                                  # clear the screen
   # Report the user running the script
   # Show the current date and time
   # Count the users currently logged in to the system
   echo "Hello $USER"
   echo "Today is:"; date
   echo "Calendar:"; cal                  # show the calendar
   echo "Users logged in to the system:"; who | wc -l
   exit 0                                 # end of the script

Scenario 2
Description: You are a Linux system administrator. You are asked to monitor disk space: if usage exceeds the level you allow (for example 90%), the system must automatically send a warning e-mail to the admin.
Requirements: Write a shell script that automates this process.
Instructions: The shell script is as follows:

   #!/bin/sh
   # Allowed usage in percent; above it a warning message is sent (the scenario suggests 90)
   Alert=14
   # E-mail address the system sends the warning to
   Email=admin@domain.com
   # -P keeps every file system on one line so the awk fields stay aligned
   df -H -P | grep -vE 'Filesystem|tmpfs|cdrom' | awk '{print $5 " " $1}' | while read output; do
       echo "$output"
       usep=$(echo "$output" | awk '{print $1}' | cut -d '%' -f1)
       partition=$(echo "$output" | awk '{print $2}')
       if [ "$usep" -ge "$Alert" ]; then
           # the body is piped into mail; a bare "mail" would read the rest of the df output as its body
           echo "Running out of space \"$partition ($usep%)\" on $(hostname) as on $(date)" |
               mail -s "Alert: out of disk space $usep%" "$Email"
       fi
   done
LESSON 3
Skills achieved: Install and configure DHCP on Linux; install and configure DNS on Linux.

EXERCISE 06

Scenario 1
Description: Your company has 100 PCs connected to the internal network, and every connected PC needs an IP address. Assigning addresses by hand (configuring each machine in turn) takes a long time, easily leads to duplicate IPs, is not optimal, and leaves the administrator unable to manage the allocation. How do you assign IP addresses automatically to the company's 100 PCs? The company currently runs Linux on its servers.
Practical application: building a DHCP dynamic IP allocation system on Linux.
Requirements: Deploy a DHCP server for dynamic IP allocation on Linux.
Step-by-step instructions:
1. Assign a static IP address to the machine that will be the DHCP server.
2. Install the DHCP server:
   # yum install dhcp
3. Configure the DHCP server. Create the configuration file dhcpd.conf by copying the sample file dhcpd.conf.sample from /usr/share/doc/dhcp-<version-number>/:
   # cp /usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample /etc/dhcpd.conf
The contents of the configuration file are as follows:

   ddns-update-style interim;
   ignore client-updates;

   subnet 192.168.1.0 netmask 255.255.255.0 {
       # --- address range reserved for the boot process
       range dynamic-bootp 192.168.1.200 192.168.1.254;
       # --- address range used for allocation
       range 192.168.1.2 192.168.1.100;

       # --- default gateway
       option routers 192.168.1.1;
       option subnet-mask 255.255.255.0;

       # --- DNS server
       option domain-name-servers 208.67.222.222;

       # --- how long a client is allowed to keep its IP
       default-lease-time 21600;
       max-lease-time 43200;

       # --- assign a fixed IP to one client, identified by its MAC address
       # (note: 192.168.1.254 also lies inside the dynamic-bootp range above)
       host dhcp_test {
           hardware ethernet 00:26:B9:00:21:5C;
           fixed-address 192.168.1.254;
       }
   }

Create the file that stores the information about the IPs the DHCP server leases to clients:
   # touch /var/lib/dhcp/dhcpd.leases
Start the DHCP service:
   # /etc/init.d/dhcpd start

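The dhcpd.leases file created above is where dhcpd records every lease it hands out, which is the allocation visibility the scenario asks for. As an added example (not part of the handout), the script below reads that file and reports which client currently holds which address; it assumes the ISC dhcpd lease format and uses a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the handout): list the clients that currently hold
# addresses according to dhcpd.leases. dhcpd appends a new record every time
# a lease changes, so the LAST record for an IP is the current one.
# Assumes the ISC dhcpd lease file format.

active_leases() {   # leasefile -> lines "IP MAC hostname" for active leases
    awk '
        /^lease /           { ip = $2; mac = "-"; host = "-"; state = "" }
        /binding state/     { state = $3; sub(/;$/, "", state) }
        /hardware ethernet/ { mac = $3; sub(/;$/, "", mac) }
        /client-hostname/   { host = $2; gsub(/[";]/, "", host) }
        /^}/                { cur[ip] = state " " mac " " host }   # last record wins
        END {
            for (ip in cur)
                if (cur[ip] ~ /^active /) {
                    split(cur[ip], f, " "); print ip, f[2], f[3]
                }
        }
    ' "$1" | sort
}

# A MAC holding more than one active address: a client churning leases, a
# spoofed address, or a pool too small for the number of clients.
macs_with_multiple_leases() {   # leasefile
    active_leases "$1" | awk '{ n[$2]++ } END { for (m in n) if (n[m] > 1) print m }'
}

# Constructed sample lease file for a self-test (not a real server's data).
make_sample_leases() {   # path
    cat > "$1" <<'EOF'
lease 192.168.1.5 {
  starts 3 2010/07/07 08:00:00;
  ends 3 2010/07/07 14:00:00;
  binding state active;
  hardware ethernet 00:26:b9:00:21:5c;
  client-hostname "pc01";
}
lease 192.168.1.6 {
  starts 3 2010/07/07 08:10:00;
  ends 3 2010/07/07 14:10:00;
  binding state active;
  hardware ethernet 00:1d:72:aa:bb:cc;
  client-hostname "pc02";
}
lease 192.168.1.5 {
  starts 3 2010/07/07 14:00:00;
  ends 3 2010/07/07 14:00:00;
  binding state free;
  hardware ethernet 00:26:b9:00:21:5c;
}
lease 192.168.1.7 {
  starts 3 2010/07/07 09:00:00;
  ends 3 2010/07/07 15:00:00;
  binding state active;
  hardware ethernet 00:1d:72:aa:bb:cc;
  client-hostname "pc02";
}
EOF
}

# On the server: active_leases /var/lib/dhcp/dhcpd.leases
```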
Scenario 2
Description: You are the admin of LHV, which has one DHCP server providing DHCP for the whole company. The company is now divided into 2 offices on two different subnets. You use DHCP to assign addresses to the clients, but you have no way to build a separate DHCP server for the new network, so you want to reuse the existing DHCP server of the old network to serve it. How do you use the DHCP server that is already running to hand out addresses on this new network? Current company network diagram (not reproduced).
Practical application: configuring a DHCP Relay Agent on Linux.
Requirements: Deploy a DHCP Relay Agent.
Hints:
+ On the DHCP server, configure DHCP for the 2 subnets (10.0.60.0/24 and 172.16.1.0/24).
+ The DHCP server configuration file for the 2 subnets is as follows:

   ddns-update-style interim;
   ignore client-updates;

   subnet 10.0.60.0 netmask 255.255.255.0 {
       range dynamic-bootp 10.0.60.200 10.0.60.254;
       range 10.0.60.2 10.0.60.100;
       option routers 10.0.60.1;
       option subnet-mask 255.255.255.0;
       option domain-name-servers 208.67.222.222;
       default-lease-time 21600;
       max-lease-time 43200;
       host dhcp_test {
           hardware ethernet 00:26:B9:00:21:5C;
           fixed-address 10.0.60.254;
       }
   }

   subnet 172.16.1.0 netmask 255.255.255.0 {
       range dynamic-bootp 172.16.1.200 172.16.1.254;
       range 172.16.1.2 172.16.1.100;
       option routers 172.16.1.1;
       option subnet-mask 255.255.255.0;
       option domain-name-servers 208.67.222.222;
       default-lease-time 21600;
       max-lease-time 43200;
       # host declaration names must be unique in dhcpd.conf, so this second reservation is renamed
       host dhcp_test2 {
           hardware ethernet 00:26:B9:00:21:5C;
           fixed-address 172.16.1.254;
       }
   }

+ Configure the DHCP Relay Agent machine to forward the clients' requests to the DHCP server (not shown in the handout).
Student's summary of the procedure: ..
Score: ... Instructor's signature: ..

EXERCISE 07

Scenario 1
Description: You are the administrator of LHV, which has bought the domain lhv.com.vn. The company currently publishes these servers on the Internet: a Web Server with IP address 192.168.1.2, published as www.lhv.com.vn and lhv.com.vn; a Mail Server with IP address 192.168.1.3, published as mail.lhv.com.vn; an LDAP Server with IP address 192.168.1.4, published as ldap.lhv.com.vn; an FTP Server at 192.168.1.5, published as ftp.lhv.com.vn; and a server for other services, named Data server, at 192.168.1.6, which publishes svn, bugzilla, twiki and web testing. How do you let users reach these services by the names above?
Practical application: building a DNS server for domain name resolution on Linux.
Requirements: Deploy a DNS server that resolves the domain lhv.com.vn for the services above. The DNS server has IP address 192.168.1.1.
Step-by-step instructions:
1. Assign a static IP to the DNS server.
2. Edit /etc/resolv.conf so that the nameserver points at the machine's own IP (192.168.1.1).
3. Configure the DNS server: install BIND, caching-nameserver and bind-utils:
   # yum install bind caching-nameserver bind-utils
Configuring DNS:
Step 1: Create the configuration file named.conf in /etc:
   # cp /etc/named.rfc1912.zones /etc/named.conf
Edit named.conf and add the following:

   options {
       directory "/var/named/";
   };

   zone "lhv.com.vn" IN {
       type master;
       file "db.lhv.com.vn";
   };

   zone "1.168.192.in-addr.arpa" IN {
       type master;
       file "db.192.168.1";
   };

Save named.conf and set its ownership:
   # chown root:named /etc/named.conf
=============================================
Step 2: Next, create the two files used for name resolution, db.lhv.com.vn and db.192.168.1, in /var/named.

Contents of db.lhv.com.vn:

   @   IN  SOA dns1.lhv.com.vn. admin.mail.lhv.com.vn. (
               2010070704      ; serial
               86400           ; refresh
               7200            ; retry
               2592000         ; expire
               345600 )        ; TTL

   ; Name Server (NS) records.
               NS      dns1.lhv.com.vn.

   ; Mail Exchange (MX) records.
               MX  0   mail.lhv.com.vn.

   ; Address (A) records.
   dns1        A       192.168.1.1
   www         A       192.168.1.2
   mail        A       192.168.1.3
   ldap        A       192.168.1.4
   ftp         A       192.168.1.5
   Data        A       192.168.1.6

   ; Aliases in Canonical Name (CNAME) records.
   svn         CNAME   data
   bugzilla    CNAME   data
   twiki       CNAME   data
   Web         CNAME   data

Contents of db.192.168.1:

   @   IN  SOA dns1.lhv.com.vn. admin.mail.lhv.com.vn. (
               2010070704      ; serial
               86400           ; refresh
               7200            ; retry
               2592000         ; expire
               345600 )        ; TTL

   ; Name Server (NS) records.
               NS      dns1.lhv.com.vn.

   ; Addresses Point to Canonical Names (PTR) for Reverse lookups
   1           PTR     dns1.lhv.com.vn.
   2           PTR     www.lhv.com.vn.
   3           PTR     mail.lhv.com.vn.
   4           PTR     ldap.lhv.com.vn.
   5           PTR     ftp.lhv.com.vn.
   6           PTR     svn.lhv.com.vn.
   6           PTR     bugzilla.lhv.com.vn.
   6           PTR     twiki.lhv.com.vn.
   6           PTR     web.lhv.com.vn.

Save the 2 files just created. Set the ownership of /var/named:
   # chown named:named /var/named
The DNS server configuration is complete. Start the DNS server:
   # /etc/init.d/named start|restart|stop
Check the state of DNS:
   # service named status

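The forward and reverse zones above are maintained by hand, so they can drift apart. As an added example (not part of the handout), the script below cross-checks a forward zone against its reverse zone and, run on a cut-down copy of the handout's own records, reports the two mismatches they contain: the A record for Data has no PTR, and the PTR for 192.168.1.6 names svn, which is only a CNAME. It assumes one record per line, an optional IN class, and owner names relative to the zone origin.

```shell
#!/bin/sh
# Added example (not from the handout): cross-check db.lhv.com.vn against
# db.192.168.1. Every A record should have a PTR for its address pointing
# back to the same name, and every PTR should name a host with a matching A
# record (a CNAME does not count). Assumes one record per line, with or
# without the optional IN class; unqualified owners are relative to $ORIGIN.

ORIGIN=lhv.com.vn.    # origin of the forward zone
NET=192.168.1         # network covered by 1.168.192.in-addr.arpa

# Forward zone file -> lines "fqdn ip" for every A record (names lower-cased).
a_records() {   # zonefile
    awk -v origin="$ORIGIN" '
        $1 ~ /^;/ || NF < 3 { next }
        { for (i = 2; i < NF; i++)
              if ($i == "A") {
                  n = tolower($1)
                  if (n !~ /\.$/) n = n "." origin
                  print n, $(i + 1)
              }
        }' "$1"
}

# Reverse zone file -> lines "fqdn ip" for every PTR record.
ptr_records() {   # zonefile
    awk -v net="$NET" '
        $1 ~ /^;/ || NF < 3 { next }
        { for (i = 2; i < NF; i++)
              if ($i == "PTR") print tolower($(i + 1)), net "." $1
        }' "$1"
}

# Print one line per inconsistency; prints nothing when the zones agree.
check_zones() {   # forward_zonefile reverse_zonefile
    fwd=$(a_records "$1"); rev=$(ptr_records "$2")
    echo "$fwd" | while read -r name ip; do
        [ -n "$name" ] || continue
        echo "$rev" | grep -qxF "$name $ip" || echo "A $name $ip has no matching PTR"
    done
    echo "$rev" | while read -r name ip; do
        [ -n "$name" ] || continue
        echo "$fwd" | grep -qxF "$name $ip" || echo "PTR $ip -> $name has no matching A record"
    done
}

# Constructed sample zones, cut down from the handout's records, for a self-test.
make_sample_zones() {   # dir
    cat > "$1/db.lhv.com.vn" <<'EOF'
@   IN  SOA dns1.lhv.com.vn. admin.mail.lhv.com.vn. ( 2010070704 86400 7200 2592000 345600 )
        NS  dns1.lhv.com.vn.
        MX  0   mail.lhv.com.vn.
dns1    IN  A   192.168.1.1
www         A   192.168.1.2
Data        A   192.168.1.6
svn         CNAME   data
EOF
    cat > "$1/db.192.168.1" <<'EOF'
@   IN  SOA dns1.lhv.com.vn. admin.mail.lhv.com.vn. ( 2010070704 86400 7200 2592000 345600 )
        NS  dns1.lhv.com.vn.
1   PTR dns1.lhv.com.vn.
2   PTR www.lhv.com.vn.
6   PTR svn.lhv.com.vn.
EOF
}

# On the server: check_zones /var/named/db.lhv.com.vn /var/named/db.192.168.1
```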

Scenario 2
Description: Your company has just bought another domain, luhoanviet.com.vn, to resolve in addition for the services already running.
Requirements: Add a new domain on the existing DNS server that resolves the running services with the same names as in Scenario 1.
Hints:
1. Add a zone for luhoanviet.com.vn to /etc/named.conf.
2. Create the 2 files that resolve names to IPs and IPs to names.
Student's summary of the procedure: ..
Score: ... Instructor's signature: ..

LESSON 4
Skills achieved: Install and configure Samba and NFS.

EXERCISE 08

Scenario 1
Description: Your company uses Linux servers (mail, web, ftp, ...) and licensed Windows clients. You are asked to set up a file server so that everyone can store the data they need for their work. How do you build a file server that shares data between Windows and Linux?
Practical application: building a file-sharing system between Linux and Windows and between Linux and Linux; building an NFS data synchronisation system.
Requirements: Install and configure a file server with the Samba service.
Step-by-step instructions:
1. Install Samba:
   # yum install samba
2. Disable SELinux and iptables:
   + For SELinux, edit /etc/selinux/config and change the line SELINUX=enforcing to SELINUX=disabled
   + For iptables:
     # /etc/init.d/iptables stop
3. Edit /etc/samba/smb.conf as follows (screenshot not reproduced).
4. Create the shared directory:
   # mkdir /data
   # chmod 777 /data
5. Create a Linux user and add it as a Samba user (screenshot not reproduced).
6. Start Samba:
   # /etc/init.d/smb start
7. Manage Samba with SWAT.
   Install SWAT:
   # yum install samba-swat
   Configure SWAT: edit /etc/xinetd.d/swat as follows (screenshot not reproduced).
   Start SWAT:
   # /etc/init.d/xinetd start
   Use a browser to connect to the Samba server: http://ip:901

Scenario 2
Description: Your company has two servers for the developers who build the web service product. The first server is used to sync data from the company's branches for the teams at head office; the developers have no access to it at all. On the second server the developers are allowed to fetch the data synced from the first. How do you synchronise the data synced from the branches on the first server to the second server so that the developers can do their work?
Requirements: Deploy NFS on the two servers: the first is the NFS server, the second the NFS client.
Hints:
1. Install NFS on the first server:
   # yum install system-config-nfs
2. Create the directory that holds the data synced from the branches and is shared with the second server:
   # mkdir /mnt/data
3. Configure the NFS server: edit /etc/exports with the following line:
   /mnt/data IP_client(rw,sync)
4. Export the shared directory:
   # exportfs -a
5. Start the NFS server services: nfs, nfslock, portmap
6. Check that NFS is running:
   # rpcinfo -p localhost
7. Install NFS on the second server:
   # yum install system-config-nfs
8. Create the directory on which the first server's data directory will be mounted:
   # mkdir /mnt/data
9. Configure the NFS client: edit /etc/fstab and append the following line (the exported path and mount point must match steps 2, 3 and 8):
   IP_NFS_Server:/mnt/data   /mnt/data   nfs   soft   0 0
10. Mount the shared data directory:
   # mount -a
   or
   # mount -t nfs IP_NFS_Server:/mnt/data /mnt/data
Student's summary of the procedure: ..

LESSON 5
Skills achieved: Install and configure the Apache web server; install and configure the VSFTP FTP server; ...

EXERCISE 09

Scenario 1
Description: Your company wants a website to promote its image to the outside world. The director asks you to set up a web server on Linux to publish it. The public name of the website is www.lhv.com.vn.
Practical application: deploying the Apache web server on Linux.
Requirements: Install and configure the Apache web server.
Step-by-step instructions:
1. Install Apache httpd:
   # yum install httpd
2. Configure the Apache web server.
Step 1: Edit the configuration file httpd.conf in /etc/httpd/conf/ as follows:

   Listen 192.168.1.2:80                 # IP address of the NIC that listens for requests
   ServerName www.lhv.com.vn:80          # FQDN or IP address of the machine
   ServerAdmin admin@lhv.com.vn
   DirectoryIndex <index file of the website>

Step 2: Copy the website source into /var/www/html/ and give the website directory mode 755, owned by apache:
   # chmod -R 755 website
   # chown -R apache:apache website
3. Start Apache:
   # /etc/init.d/httpd start

Scenario 2
Description: Your company has just bought another domain, luhoanviet.com.vn, and the director asks you to publish the company website under both the new and the old names (www.lhv.com.vn, www.luhoanviet.com.vn).
Practical application: hosting several websites on one web server.
Requirements: Use the VirtualHost feature to publish the website under the 2 domains above.
Hints: Configure VirtualHost according to the lecture slides.
Student's summary of the procedure: ..
Score: ... Instructor's signature: ..
EXERCISE 10

Scenario 1
Description: Your company currently has an internal file server that stores its software products. The company wants to publish the products for everyone to use, to promote them, so you are asked to publish this file server on the Internet so that everyone can download the company's products.
Requirements: Deploy an FTP server on Linux with the VsFTPD software.
Step-by-step instructions:
1. Install VsFTPD:
   # yum install vsftpd
2. Configure VsFTPD: edit /etc/vsftpd/vsftpd.conf as follows:
   # Allow anonymous users to access the FTP server
   anonymous_enable=YES
   # Change the FTP server's default root directory to /data/ftp
   anon_root=/data/ftp
Restart vsftpd:
   /etc/init.d/vsftpd start

Scenario 2
Description: Your company has a file server that stores internal information; only users who are company employees are allowed to access it to fetch data. The company wants to publish this file server on the Internet so that the sales staff can fetch documents for their work.
Requirements: Configure the VsFTPD FTP server to restrict access so that only users with an account can access the data.
Hints:
1. Change the configuration file:
   anonymous_enable=NO
   local_enable=YES
2. Create a group for the FTP users:
   # groupadd ftp-users
3. Create the shared data directory:
   # mkdir /data/ftp-docs
   # chmod 750 /data/ftp-docs
   # chown root:ftp-users /data/ftp-docs
4. Create the users and add them to the ftp-users group:
   # useradd -g ftp-users -d /data/ftp-docs user1
   # passwd user1
5. Change the permissions of the newly created user home directory:
   # chown root:ftp-users /data/ftp-docs/*
   # chmod 750 /data/ftp-docs/*
6. Restart vsftpd:
   # /etc/init.d/vsftpd restart
Student's summary of the procedure: ..
Score: ... Instructor's signature: ..
LESSON 6
Skills achieved: Master the IMAP, POP3 and SMTP protocols; distinguish mail gateway, mail host, mail server and mail client; understand spam mail and how to block it.

EXERCISE 11

Scenario 1
Description: Your company deals with customers by e-mail all the time. At present all of the company's correspondence goes through Yahoo or Gmail, which makes it hard to manage and monitor the employees' incoming and outgoing mail. You are asked to deploy a mail server for the company with the domain lhv.com.vn.
Practical application: deploying and administering a mail server with sendmail + dovecot.
Requirements: Deploy a mail server on Linux using sendmail + dovecot.
Step-by-step instructions:
1. Deploy a DNS server with the MX record mail.lhv.com.vn.
2. Install and configure sendmail.
Step 1: Install sendmail and the required packages:
   # yum install sendmail sendmail-cf
   Install the m4 program:
   # yum install m4
Step 2: Edit /etc/mail/sendmail.mc, changing
   DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
   FEATURE(`accept_unresolvable_domains')dnl
to
   dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
   dnl FEATURE(`accept_unresolvable_domains')dnl
Save and exit the editor.
Step 3: Generate the sendmail.cf file:
   # m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
Step 4: Edit the database file /etc/mail/access as follows:
   # address of the local network
   192.168.1.0      RELAY
   lhv.com.vn       RELAY
Update the access.db database (run in /etc/mail):
   # makemap hash access.db < access
Step 5: Install and configure POP for the mail server:
   # yum install dovecot
Step 6: Edit /etc/dovecot.conf, changing
   #protocols = imap imaps pop3 pop3s
to
   protocols = imap imaps pop3 pop3s
Save and exit.
Step 7: Start sendmail and dovecot:
   # /etc/init.d/sendmail start
   # /etc/init.d/dovecot start
Check that the mail server has opened ports 25 and 110:
   # netstat -na | grep tcp
Step 8: Create users and use Outlook Express, MS Outlook or Thunderbird to test sending mail back and forth between the users:
   # useradd user1
   # passwd user1
   # useradd user2
   # passwd user2

Scenario 2
Description: Deploy another mail server with a different domain, ispace.com.vn.
Requirements: Deploy another mail server on Linux using sendmail with the domain ispace.com.vn.
Hints: Proceed as in Scenario 1.
Student's summary of the procedure: ..
Score: ... Instructor's signature: ..

EXERCISE 11

Scenario 1
Description: You are the admin of LHV and are asked to deploy a mail server for the company. The mail server you deploy must meet these requirements: easy to install and configure, integrates well with a database or LDAP, and stores the e-mail in mailboxes on the mail server.
Practical application: deploying and administering a mail server with Postfix + IMAP.
Requirements: Deploy a mail system with postfix + Cyrus-IMAP on Linux.
Step-by-step instructions:
Step 1: Install Postfix, cyrus-imapd and cyrus-sasl:
   # yum install postfix cyrus-imapd cyrus-sasl
Step 2: Configure postfix as follows. Edit /etc/postfix/main.cf:
   myhostname = mail.lhv.com.vn
   mydomain = lhv.com.vn
   inet_interfaces = $myhostname, localhost
   mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
   mynetworks = 192.168.1.0/24, 127.0.0.0/8
   mailbox_transport = cyrus
Start postfix:
   # /etc/init.d/postfix start
Step 3: Configure cyrus-imapd as follows. Edit /etc/imapd.conf:
   configdirectory: /var/lib/imap
   partition-default: /var/spool/imap
   admins: cyrus                                        # admin account that manages IMAP (creates and deletes mailboxes, ...)
   sievedir: /var/lib/imap/sieve
   sendmail: /usr/sbin/sendmail
   hashimapspool: true
   sasl_pwcheck_method: saslauthd
   sasl_mech_list: PLAIN
   tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem  # IMAP certificate created by default when cyrus-sasl is installed
   tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem   # copy the certificates from /etc/pki/tls/certs
   tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt        # we will recreate these certificates
Step 4: Create the organisation's certificate. In /etc/pki/tls/certs delete the 2 files cyrus-imapd.pem and ca-bundle.crt and create 2 new ones. In /etc/pki/tls/certs run make:
   # make cyrus-imapd.pem
   # make ca-bundle.crt
   # chmod 644 *
Step 5: Edit /etc/sasl2/smtpd.conf with the following content:
   pwcheck_method: saslauthd
   mech_list: PLAIN LOGIN
Step 6: Create the Linux user accounts:
   # useradd username
   # passwd username
   # passwd cyrus          # the cyrus-imapd admin account
Start cyrus-imapd:
   # /etc/init.d/cyrus-imapd start
Step 7: Add the Linux user accounts to the SASL database:
   # saslpasswd2 -c username
   (the password must match the password of the Linux user account)
Step 8: Create a mailbox:
   # su cyrus
   $ cyradm localhost
   IMAP Password: (enter password)
   > cm user.username
   > lm                    # list the mailboxes
   > quit
   $ exit
Step 9: Test: use Thunderbird to set up an e-mail client; during setup choose IMAP on port 993.
Step 10: Delete a mailbox:
   > setaclmailbox user.username cyrus c
   > deletemailbox user.username

Scenario 2
Description: Deploy a mail server as in Scenario 1 with the domain ispace.edu.vn.
Requirements: Install and configure a mail server on Linux with Postfix + Cyrus-IMAP.
Hints: Following Scenario 1, the student deploys the mail server according to the requirements above.
Student's summary of the procedure: ..
Score: ... Instructor's signature: ..
BI HC 7 K nng t c Hiu c proxy v filewall. Cu hnh Linux proxy server(squid) v Linux firewall (iptables) Nm vng c ch hot ng ca iptables BI TP 12 Tnh hung 1 M t tnh hung: Bn l nhn vin IT ca cng ty LHV, cng ty bn thu mt ng truyn ADSL, phc v cho cng vic, cng ty khng gii hn truy cp internet vi cc nhn vin. Cc nhn vin ca cng ty phn nn rng vic truy cp internet t mng ni b qu chm gy kh khn cho cng vic ca h. bn c yu cu ci thin tc truy cp internet ca cng ty m khng c thu thm ng truyn. Yu cu thc hin: trin khai proxy caching server trn Linux vi phn mm squid Hng dn thc hin step by step: Bc 1: Ci t squid #yum install squid Bc 2: Cu hnh squid, edit file /etc/squid/squid.conf theo ni dung th t nh sau: Trin khai h thng proxy Trin khai h thng caching server


# Additional options: if you want every user on your local network to authenticate with a username/password, do the following steps.
# Create the username and password; this step is done on the command line:
################ command to create username/passwd ##########

#############################################
# Add the following to the auth_param section of squid.conf:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
#############################################
# System settings for squid
visible_hostname hvtin
http_port 172.16.1.1:8080
cache_dir ufs /var/spool/squid 100 16 256
cache_mem 64 MB
#########################
# Create the rules for squid
# These rules are created by default when squid is installed


# Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl our_networks src 172.16.1.0/24
http_access allow our_networks
#####################################################
# Additional options: if your company's policy forbids internet access during working hours, set the following rule:
# deny all internet access from the internal network on every day of the week, allowing it only from 11:30 to 13:00
acl free_time time 11:30-13:00
http_access allow free_time
# Or, to deny all access during working hours from Monday to Friday:
acl bussiness_time time M T W H F 11:30-13:00
http_access allow bussiness_time
# Note: http_access lines are matched top to bottom and the first match wins, so a time rule placed after
# "http_access allow our_networks" never takes effect; combine it with that line
# (http_access allow our_networks free_time) or move the time rule above it.
#####################################################
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

Step 3: Create the cache directories for squid:
#squid -z
Step 4: Run squid in debug mode:
#squid -NCd1
Step 5: Restart squid:
#service squid start|stop|restart
Step 6: Configure the clients to use the proxy.

Scenario 2

Scenario description: To make use of the existing network and optimise bandwidth, you are asked to install the proxy caching server on your network's Gateway server.
Requirement: deploy the proxy caching server on the Gateway server.
Hints:
Step 1: Use the Gateway server as a router connecting the internal and external networks.
Step 2: Following Scenario 1, set up the proxy caching server on the Gateway.
Students write a summary of the steps taken: ...

Grade: ...   Instructor signature: ...


EXERCISE 13

Scenario 1

Scenario description: You are the IT staff member of company LHV. After you deployed the proxy caching server, company management wants to control all employee internet access by forcing it through the proxy, in order to stop employees from reaching unwanted websites. With the following model:

Practical application: deploy a transparent proxy system.


Requirement: deploy a transparent proxy on the Gateway.
Hints:
Step 1: Configure the system as a router.
+ Enable packet forwarding:
#echo 1 > /proc/sys/net/ipv4/ip_forward
+ Or edit the file /etc/sysctl.conf, changing
net.ipv4.ip_forward = 0
to
net.ipv4.ip_forward = 1
+ Configure the firewall to forward all HTTP requests to the squid server on port 3128:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to ip_lan:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Step 2: Configure squid as in Scenario 1 of Exercise 12.
Step 3: Start squid.
Step 4: Test: configure the browser both with and without the proxy setting.
Students write a summary of the steps taken: ...

Grade: ...   Instructor signature: ...


EXERCISE 14

Scenario 1

Scenario description: You are the IT staff member of company LHV. To meet the security requirements of the system, you are asked to deploy a firewall. The firewall must open the following services:
+ From the LAN to the INTERNET:
* Accept http, https, ftp, mail (smtp, imap), DNS
+ From the INTERNET into the DMZ:
* Accept http, https, ftp, mail (smtp, imap), DNS
+ From the LAN into the DMZ:
* Accept http, https, ftp, mail (smtp, imap), DNS
The model is as follows:

Practical application: deploy a firewall on Linux using iptables.


Requirement: deploy an IPTABLES firewall on the Gateway.
Step-by-step instructions:
There are two ways to write iptables rules:
+ Method 1: type the rules directly at the shell prompt (command line); this is rarely used.
+ Method 2: write a shell script; this is the usual way.
Here we write a shell script for iptables. Name the script fw.sh, with the following content:

# Flush the existing rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# Set the default policies (choose defaults that suit your own system)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow the WAN and the LAN to reach the DMZ
# Forward traffic between the DMZ and the LAN
iptables -A FORWARD -i eth2 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forward traffic between the DMZ and the WAN (accept connections from the WAN into the DMZ, and their replies back)
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


# NAT port 25 from the public IP 202.2.54.1 to the DMZ server with IP 192.168.2.2
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.2
# NAT port 80 from the public IP 202.2.54.1 to the DMZ server with IP 192.168.2.3
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.54.1.1 --dport 80 -j DNAT --to-destination 192.168.2.3
# NAT port 443 from the public IP 202.2.54.1 to the DMZ server with IP 192.168.2.4
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 202.54.1.1 --dport 443 -j DNAT --to-destination 192.168.2.4
# End of the rules that let packets into the DMZ from the LAN and the WAN
# Allow the LAN out to the internet

Scenario 2

Scenario description: build rules for individual services (rule tutorial). These rules are deployed locally.

RULES allowing icmp echo-request and icmp echo-reply
To allow ping from the firewall host:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
To allow ping from a client to the firewall:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

RULES for the HTTP, HTTPS and FTP services
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 443 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 20 --sport 1024:65535 -m state --state NEW -j ACCEPT


iptables -A INPUT -p tcp -i eth0 --dport 21 --sport 1024:65535 -m state --state NEW -j ACCEPT

RULES for the ssh service
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT

RULES for the SMTP, POP3, IMAP services

RULES for the DNS service (allow DNS queries to the firewall)
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 53 --sport 1024:65535 -j ACCEPT

RULES for the DHCP service

RULES for the service

Scenario 3

Scenario description: Company ABC has the following network:


All users on the LAN can access the internet.
Requirement: using the iptables firewall, deploy rules on the firewall that meet the following requirements:
+ Allow all packets entering the loopback interface, for every protocol
+ Allow packets entering the firewall only for the icmp protocol


+ Allow packets entering eth1 whose source address is a LAN address
+ Allow packets leaving eth1 whose destination address is a LAN address
+ Perform NAT by changing the source address of packets before routing, for packets leaving eth0 toward any address other than the LAN address
+ Allow packets passing through the firewall whose source or destination address is a LAN address
Hints:
On the firewall deploy only iptables. Create the file firewall.sh with the following content:

#!/bin/sh
######### Initial values
INTERNAL_LAN="172.16.1.0/24"                 # LAN network address
INTERNAL_LAN_INTERFACE="eth1"                # interface connected to the LAN
INTERNAL_LAN_INTERFACE_ADDR="172.16.1.100"   ## address of interface eth1
EXTERNAL_INTERFACE="eth0"                    ## public interface
EXTERNAL_INTERFACE_ADDR="192.168.1.100"      ## address of eth0
###############################################
iptables -F FORWARD           ## delete the rules of the FORWARD chain
iptables -F INPUT             ## delete the rules of the INPUT chain
iptables -F OUTPUT            ## delete the rules of the OUTPUT chain
iptables -P FORWARD DROP      ## default policy of the FORWARD chain is DROP
iptables -P OUTPUT ACCEPT     ## default policy of the OUTPUT chain is ACCEPT
iptables -P INPUT DROP        ## default policy of the INPUT chain is DROP

###############################################

## Allow all packets entering loopback, for every protocol
iptables -A INPUT -i lo -p all -j ACCEPT
## Allow packets entering the firewall only for the icmp protocol
iptables -A INPUT -p icmp -j ACCEPT
## Allow packets entering eth1 whose source address is a LAN address
iptables -A INPUT -i $INTERNAL_LAN_INTERFACE -s $INTERNAL_LAN -j ACCEPT
# Allow packets leaving eth1 whose destination address is a LAN address
iptables -A OUTPUT -o $INTERNAL_LAN_INTERFACE -d $INTERNAL_LAN -j ACCEPT
# Perform NAT by changing the source address of packets before routing, for packets leaving eth0 toward any address other than the LAN address
# (uses the EXTERNAL_INTERFACE variable defined at the top of the script)
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j MASQUERADE
## Allow packets through the firewall whose source or destination address is a LAN address
iptables -A FORWARD -s $INTERNAL_LAN -j ACCEPT
iptables -A FORWARD -d $INTERNAL_LAN -j ACCEPT
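The fw.sh script of Scenario 1, the rule tutorial of Scenario 2 and the firewall.sh script above are all applied straight to the kernel, where a misspelled chain name, an undefined variable or a stray space inside a --state list is only discovered after the live rule set has changed. As an added example that is not part of this lab manual, the following POSIX shell harness shadows iptables with a stub so the firewall.sh rule set can be rendered and checked on any machine, without root, before it is applied; fw_render, fw_render_bad and fw_check are names assumed here.

```shell
#!/bin/sh
# Added example (not from the lab manual): dry-run a firewall script through a stubbed
# iptables so the rule set can be reviewed without root, before it reaches the kernel.
# fw_render, fw_render_bad and fw_check are names assumed here.

# Stub: print each rule instead of loading it. Remove this function to apply for real.
iptables() { printf 'iptables %s\n' "$*"; }

INTERNAL_LAN="172.16.1.0/24"
INTERNAL_LAN_INTERFACE="eth1"
EXTERNAL_INTERFACE="eth0"

# The firewall.sh rule set, rendered in a subshell under set -u so that a misspelled
# variable aborts the run instead of silently producing a truncated rule.
fw_render() (
  set -u
  iptables -F INPUT; iptables -F OUTPUT; iptables -F FORWARD
  iptables -P INPUT DROP; iptables -P OUTPUT ACCEPT; iptables -P FORWARD DROP
  iptables -A INPUT -i lo -p all -j ACCEPT
  iptables -A INPUT -p icmp -j ACCEPT
  iptables -A INPUT -i "$INTERNAL_LAN_INTERFACE" -s "$INTERNAL_LAN" -j ACCEPT
  iptables -A OUTPUT -o "$INTERNAL_LAN_INTERFACE" -d "$INTERNAL_LAN" -j ACCEPT
  iptables -t nat -A POSTROUTING -o "$EXTERNAL_INTERFACE" -j MASQUERADE
  iptables -A FORWARD -s "$INTERNAL_LAN" -j ACCEPT
  iptables -A FORWARD -d "$INTERNAL_LAN" -j ACCEPT
)

# A constructed first-draft variant with two typos: an unknown chain and an undefined
# variable. Under set -u the second aborts the render before the chain scan is reached.
fw_render_bad() (
  set -u
  iptables -P OUPUT ACCEPT
  iptables -t nat -A POSTROUTING -o "$EXTERNAL_LAN_INTERFACE" -j MASQUERADE
)

# fw_check RENDERER: print the rendered rules, or fail with a reason on stderr when the
# renderer aborted, a rule names an unknown built-in chain, or a --state list contains
# a space (iptables rejects "ESTABLISHED, RELATED").
fw_check() {
  out=$("$1") || { echo "fw_check: render aborted (unset variable?)" >&2; return 1; }
  bad=$(printf '%s\n' "$out" | grep -E -- ' -[APF] ' \
        | grep -Ev -- ' -[APF] (INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)( |$)') || true
  [ -z "$bad" ] || { printf 'fw_check: unknown chain in: %s\n' "$bad" >&2; return 1; }
  if printf '%s\n' "$out" | grep -q -- '--state [A-Z,]*, '; then
    echo "fw_check: space inside a --state list" >&2; return 1
  fi
  printf '%s\n' "$out"
}
fw_check fw_render
```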

Additionally deploy the squid proxy on the firewall. Create the file squid.sh with the following content:

#!/bin/sh
##########################
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to the Internet
INTERNET="eth0"
# Interface connected to the LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# Flush the old rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load the IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# for the Windows XP ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Set the default policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to the loopback address
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept UDP, DNS and passive FTP replies
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# Routing for the LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# Unlimited access to the LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# Redirect every request from the LAN to port 80 to the squid port 3128
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# If squid and iptables are installed on the same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# Drop every other packet and log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
Grade: ...   Instructor signature: ...

END-OF-MODULE PRACTICAL ASSESSMENT:
Average score: ... (pass: >= 5)
Lecturer signature: ...

........................., day ... month ... year ...
Teaching lecturer
