www.nhipsongcongnghe.net
INSTALLING THE REDHAT LINUX 8.0 OPERATING SYSTEM


1. A few things to note before installing:

To run RedHat 8.0 smoothly and comfortably you need a Pentium II system, 64MB of RAM or more, and a hard-disk partition of about 2GB or more set aside for Linux. Nothing stops you from installing Linux on a lower-spec system, but you will then only be able to run a limited set of applications on it.

Find out your system's hardware specifications before installing. This matters: it makes configuring the system after installation much easier, because you will have to pick the correct parameters for your hardware components during configuration: the video card model, the monitor model (horizontal and vertical refresh rates), the network card, the sound card, and so on.

Prepare free disk partitions for Linux. Linux needs at least two partitions: a Linux Native (ext3) partition and a Linux swap partition. The simplest way is to use Partition Magic to partition the disk.

One partition is Linux native ext3. You need about 2GB or more to install Linux including KDE and Gnome, the graphics, multimedia and programming utilities. The minimum is 400MB, and a full installation takes 4.5GB.

The other partition is Linux swap, the exchange partition Linux uses for virtual memory. As a rule, the optimal virtual-memory size is twice the system's RAM.

2. Starting the installation:

The simplest and most common way to install RedHat Linux is from the CD-ROM set:

Boot the system from the installation CD set (CD 1) and press Enter at the boot prompt to install in the default graphical mode. The installer automatically probes the keyboard, mouse, video card and monitor and then enters the installation process. Step by step through the wizard you choose system settings such as keyboard, mouse, the language used during installation, and the system time.

a. Choosing the installation type:

- Personal Desktop: for people new to Linux or for personal desktop systems. The installer selects the packages most needed for this configuration. This installation type takes about 1.5GB of disk, including the graphical environment.

- WorkStation: for workstations needing advanced graphics and development tools.

- Server: installs a system that will act as a server, such as a web server, FTP server or SQL server.

- Custom: the flexible option. You choose the packages, the working environments and the boot loader as you like.

b. Setting up the partitions for Linux:

This is the most delicate and most dangerous step of the installation: one careless wrong choice and all the data on your hard disk can be wiped out.


The automatic partition function creates the Linux partitions for you. Be careful with the option remove all partitions on this system: it deletes every partition on your hard disk. The option remove all Linux partitions on this system deletes only the Linux partitions.



For convenience you can partition the disk beforehand with Partition Magic, so that at this stage all that is left is formatting the installation partitions. You can, however, still partition the disk easily here with Disk Druid.


Usually you should choose Manually partition with Disk Druid to create the partitions:

One partition with mount point /, with file system type Linux Native ext3.

One swap partition for Linux, of type Linux swap, whose optimal size is twice the current system's RAM.

The buttons on the screen let you partition and format. New and Delete create or remove a partition. Edit sets up the selected partition: its type (ext3, swap, vfat), its size, and which directory it is in the file system hierarchy (the mount point).

You can Reset if the result does not satisfy you; no change is actually written to disk until you finish with Disk Druid.

c. How Linux manages disks:

In the Linux directory tree the top is /, and below it are /boot, /etc, /root, /mnt and so on.

In Linux every hardware device appears as a file or directory in the directory tree. If your system has two hard disks, the first is /dev/hda and the second /dev/hdb. Within one disk, file systems live on separate partitions. A disk has up to 4 primary partitions, numbered 1 to 4, so on the first disk they are hda1, hda2 and so on; logical partitions inside the extended partition are numbered from 5: hda5, hda6 and so on.

d. Installing the boot loader


The boot loader starts Linux as well as other operating systems (dual boot) when more than one is installed on the system. Grub is the default boot loader in RedHat 8.0; it is powerful and flexible. Grub automatically detects the operating systems present and adds them to the boot menu. The on-screen options are fairly self-explanatory.

The configure advanced boot loader option lets you choose where on the disk grub is installed:

If Grub will boot the system, install it on the Master Boot Record (/dev/hda).

If another program such as System Commander will boot the system, install grub on the first sector of the boot partition. System Commander will then detect Linux automatically and add a boot entry for it.

e. Configuring accounts:

Account configuration sets the root password and can create further accounts for logging in once installation is complete.

The root account has the highest privileges in the system. Logged in as root you can install, configure the system, or do anything at all.


f. Notes on selecting packages to install:

In RedHat 8.0 package selection is convenient because packages are grouped. You can choose the packages you need now or install more after installation is complete.

Choose select individual packages to add packages the defaults would not install, for example mc (Midnight Commander, similar to NC in DOS). Once you have chosen, the installer checks dependencies and lets you add the packages they require.

Throughout package selection you are told how much space the installation needs; make sure it does not exceed the partition you set aside for Linux. One recommendation: install the programming development packages, the kernel source and the programming libraries, so that later you can recompile the kernel or build software and drivers for the system.

g. Configuring X

To use the graphical interface you must configure X Window. If you are lucky, your video card and monitor are on Linux's supported list. If not, the safe choice that works with most video cards is vesa. For the monitor, Linux probes it for you, or you set the refresh rates by hand. Be careful: this step can damage your monitor and video card, which is exactly why you need to know your hardware's specifications.

If you do not want Linux to probe and configure for you, edit /etc/X11/XF86Config (or XF86Config-4) by hand.

Press the test button to check that the system runs properly in graphical mode; if all goes well, congratulations, you have completed the Linux installation.

A note on video cards

Although Linux correctly recognises and supports many video cards made in the last two years, after configuration the card still runs on the PCI bus even if it is an AGP card, and you cannot yet use its advanced 3D features. The reason is that component makers, citing secrecy and licensing, have not supported Linux developers. Many hardware makers are now starting to provide Linux drivers for their components, though. Nvidia, for instance, offers drivers at www.nvidia.com or ftp://download.nvidia.com/XFree86_40/1.0-3123. After you install the driver, 3D games run as smoothly as on MS Windows.

Installing fonts and printing Vietnamese on Linux

There are 2 ways to install Unicode fonts for X Window.
1. Using ttmkfdir (the old way)
2. Using fontconfig (the new way, for Mandrake-9.0 and RedHat-8.0)

1. Using ttmkfdir (the old way):

a. Create /usr/share/fonts, if it does not exist, with:
mkdir /usr/share/fonts

b. Unpack utf8.tar.gz in /usr/share/fonts with:
cd /usr/share/fonts && tar xvzf utf8.tar.gz

c. Build the font list with:
cd utf8 && ttmkfdir > fonts.scale && mkfontdir

d. Tell the font server where the Unicode fonts are with:
chkfontpath --add /usr/share/fonts/utf8

e. Restart the X font server with:
/etc/rc.d/init.d/xfs restart

2. Using fontconfig (the new way, for Mandrake-9.0 and RedHat-8.0):

a. Put utf8.tar.gz in /usr/share/fonts and unpack it with:
cp utf8.tar.gz /usr/share/fonts && cd /usr/share/fonts && tar xvzf utf8.tar.gz

b. Update the font list with:
fc-cache

That is all; there is no need to restart xfs or X.

You can also drop the arial font (downloaded from the address below) into ~/.fonts without restarting anything, if you use fontconfig (Red Hat 8 or 9, or Mandrake-9.1).

For example:

cd ~
mkdir ~/.fonts (if it does not exist yet)
tar xvjf arial.tar.bz2
cp arialuni.ttf ~/.fonts

Viewing Vietnamese web pages and printing Vietnamese:

Normally, if you browse with Mozilla you do not need to set any fonts. If you use Konqueror on Red Hat 8.0 you must set the fonts in Konqueror as shown in the picture before you can view and print Vietnamese.

If you use the latest Mandrake (9.1) you need do nothing at all; Vietnamese display and printing are well supported.

More details:

- Unicode fonts: can be downloaded from http://www.vnlinux.org/fonts/utf8.tar.gz or http://www.vnlinux.org/arial.tar.bz2 if Vietnamese still does not display 100%
- fontconfig homepage at http://www.fontconfig.org
- ttmkfdir can be downloaded from http://www.joerg-pommnitz.de/TrueType/xfsft.html
- mkfontdir is in the XFree86-3x (or XFree86-4x) package
- Viet Unicode has many fonts at http://sourceforge.net/project/showfiles.p...lease_id=132517

Security tips for Linux


Linux is gaining an increasingly important place in the server market. What makes it a potential rival to Microsoft Windows is its stability, flexibility and capacity to handle heavy loads: the most important qualities of a server system.

Good security is another of Linux's strong points. But for a Linux system to withstand attacks, the administrator needs certain skills. In this article we present some tips for improving the security of a Linux system (for readability we illustrate with RedHat, a Linux distribution very popular in Vietnam and worldwide).

1. Remove all unneeded special accounts and groups

Right after installing Linux, the administrator should delete all accounts and groups that were created by default but are not needed, for example lp, sync, shutdown, halt, news, uucp, operator, games, gopher and so on. (Be sure you know which accounts and groups your system does not need before deleting them.)

Delete an account with:

# userdel

For example, if the system does not need printing, delete the lp account:

# userdel lp

Likewise, delete unneeded groups with:

# groupdel

2. Hide the password file

Historically on Unix, and on Linux too, every account's password was stored directly in /etc/passwd, a file readable by every account on the system! This is a big opening for attackers: although the passwords are encrypted, reversing them is feasible (and quite easy, since the password hashing scheme is not hard to crack and today's computers are very powerful). For this reason Unix and Linux developers moved the encrypted passwords into a file that only root can read: /etc/shadow. (For compatibility, the password field in /etc/passwd is marked with an "x".)

If you use a recent RedHat (6.x or 7.x, say), remember to select Enable the shadow password during installation to use this feature. (Fortunately it is the default in most Linux versions in wide use today.)

3. Automatic shell logout

Administrators very often forget to log out of the shell when they finish. I myself have many times walked away from a root session to attend to something else. This is dangerous if an attacker is around: they can gain the highest level of access to the system without any effort at all.

To reduce this risk, set the shell to log out automatically after a period with no activity, using a parameter that defines how long the shell prompt is kept alive.

The parameter is the TMOUT environment variable, set to the number of seconds the prompt stays alive. To apply it to all accounts, the simplest way is to add the following line to /etc/profile (assuming a 600-second timeout):

TMOUT=600

Now if the user does not touch the shell for 10 minutes, the shell exits automatically. Note that this trick does not work while the user is running a program such as vi or mc: the user must be at the shell itself, not inside another program.

4. Remove unused services

Dangerously, after installation the system starts quite a few services automatically (most of them unwanted), wasting resources and creating security risks. Disable unused services right after installing the machine: either remove the unused packages/services (with RedHat's rpm package manager) or use ntsysv to review all installed services and disable the unnecessary ones (uncheck them with the Space key). After leaving ntsysv, reboot: the unwanted services no longer run.

5. Do not reveal system information through telnet

The telnet remote-access service can reveal system information, making it easier for attackers to exploit known weaknesses. This is easy to see: anyone connecting remotely to telnet is shown the host name, the Linux version and the kernel version of the server.

To avoid this, start telnetd (the telnet server) with the -h option. (-h stops telnet from revealing this information and prints only the "Login:" prompt to remote users.)

Because RedHat 7.x no longer runs telnetd from inetd (it uses xinetd, an upgraded and much improved replacement), the way to reconfigure telnetd depends on the RedHat version.

+ On RedHat 6.x and earlier:

In /etc/inetd.conf, change the line

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

to:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

Then restart inetd with:

# /etc/rc.d/init.d/inetd restart

+ On RedHat 7.x:

In /etc/xinetd.d/telnet, add the option:

server_args = -h

The file then looks like this:

service telnet
{
disable = yes
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
server_args = -h
}

Then restart xinetd with:

# /etc/rc.d/init.d/xinetd restart

6. Avoid services that do not encrypt traffic

Although we showed above how to stop telnet revealing information, our advice is: absolutely avoid services such as telnet and ftp (except anonymous ftp), because they send passwords over the network completely unencrypted. Any attacker can easily capture your password with an eavesdropping tool such as a sniffer.

Wherever possible, use ssh instead of both ftp and telnet: SSH (Secure Shell) uses public-key cryptography to protect information, encrypting both the password and the data sent over the link. It is widely used, and the SSH package is bundled with most recent Linux versions. RedHat 7.0 and later, for example, install OpenSSH by default, an open-source product that is completely free to use. (See www.openssh.org for details.)

We also strongly advise against the "r" services such as rsh, rcp and rlogin. Besides sending passwords unencrypted, they check access rights based on the address of the connecting host, which is extremely dangerous: an attacker using spoofing can easily defeat this check by forging the address of a legitimate client.

7. Restrict root logins by console

You may have noticed that right after installing RedHat, root cannot connect via telnet (only ordinary accounts can). This is because /etc/securetty, which lists the consoles root may log in from, lists only "physical" consoles (usable only by someone at the server itself) and leaves out network connections. The same restriction applies to ftp: root may not use ftp over the network.

To tighten this further, edit /etc/securetty and remove any console you do not want root to log in from.

8. Restrict "su" to root

In Linux, su (Substitute User) lets a user switch to another account. To stop just anyone from "su"-ing to root, add these two lines to /etc/pam.d/su:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel

Now only members of the wheel group can "su" to root. To grant a user this right, the administrator simply adds the account to the wheel group (in /etc/group).

9. Limit what the bash shell records

Normally every command typed at the shell prompt is recorded in the ".bash_history" file in the account's home directory. This is a latent danger, especially with applications that require secrets such as passwords to be typed on the command line. Limit the risk with two environment variables: HISTFILESIZE sets how many commands are saved for the next session, and HISTSIZE sets how many are remembered in the current session. Reduce HISTSIZE and set HISTFILESIZE to 0 to minimise the danger.

Simply set the two variables in /etc/profile:

HISTFILESIZE=0
HISTSIZE=20

The shell now remembers only the 20 most recent commands in the current session and writes nothing to the history file when the user logs out.

10. Stop prying into the Linux startup scripts

When Linux boots, the scripts in /etc/rc.d/init.d are executed. To avoid unnecessary curiosity, restrict access to these files to root only with:

# chmod -R 700 /etc/rc.d/init.d/*

11. Remove unused SUID/SGID programs

Normally an application runs with the privileges of the account that invokes it. Unix and Linux, however, have a special mechanism that lets certain programs run with the privileges of the program's owner (rather than the invoker). This is why every user can change their own password without having any access to /etc/shadow: the passwd command carries the SUID attribute and is owned by root, and only root may access /etc/shadow.

This capability carries latent risk: if an executable owned by root has the SUID attribute, whether through poor design or because an attacker deliberately planted it, anything bad can happen. In practice many intrusions that start without root rely on this technique: the attacker somehow creates a shell (bash, say) owned by root with the SUID bit set, and from then on every malicious action goes through that shell, with every command running as root.

The SGID attribute is similar: the program runs with the group rights of the group that owns it rather than the group of the user running it.

The administrator must therefore regularly check whether any program on the system has the SUID or SGID attribute without authorisation.

To find all SUID/SGID files, use find:

# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

If you find a file that has SUID/SGID unnecessarily, remove the bits with:

# chmod a-s
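The find command above lists every set-id file, but the useful question is which of them are unexpected. The following script is an added example, not part of the article: it performs the same scan in Python and diffs the result against an administrator-maintained allowlist, so that a newly planted SUID shell shows up as "unexpected" and a legitimate binary that lost its bit shows up as "missing". The directory tree, file names and allowlist are constructed for the demonstration.

```python
import os
import stat
import tempfile

# The two bits the page's find command tests: -perm -04000 (SUID) and -perm -02000 (SGID).
SETID_BITS = stat.S_ISUID | stat.S_ISGID


def find_setid_files(root):
    """Walk root and return a sorted list of (path, mode) for every regular file
    that carries the SUID or SGID bit: the same set the page's find command prints."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks into other trees
            except OSError:
                continue                     # vanished or unreadable: skip, do not abort the scan
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                hits.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def audit_setid(root, allowlist):
    """Compare the scan with an allowlist of paths (relative to root) that are
    expected to be set-id, such as bin/passwd. Returns (unexpected, missing):
    unexpected = set-id files not on the list (investigate, then chmod a-s if
    they are not needed); missing = listed files that no longer carry the bit."""
    found = {path for path, _mode in find_setid_files(root)}
    expected = {os.path.join(root, p) for p in allowlist}
    unexpected = sorted(found - expected)
    missing = sorted(expected - found)
    return unexpected, missing


def build_sample_tree():
    """Constructed sample standing in for /: a legitimate set-id bin/passwd, an
    ordinary bin/ls, and a planted SUID tmp/.sh like the root-owned shell the
    text warns about. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="setid-audit-")
    for rel, mode in (("bin/passwd", 0o4755), ("bin/ls", 0o755), ("tmp/.sh", 0o4755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.chmod(path, mode)                 # setting the bit on a file you own needs no privilege
    return root


def demo():
    """Scan the constructed tree against an allowlist naming bin/passwd and bin/su
    (the latter deliberately absent from the tree). Returns both lists relative
    to the tree root."""
    root = build_sample_tree()
    unexpected, missing = audit_setid(root, ["bin/passwd", "bin/su"])
    rel = lambda paths: [os.path.relpath(p, root) for p in paths]
    return rel(unexpected), rel(missing)


if __name__ == "__main__":
    unexpected, missing = demo()
    print("unexpected set-id files:", unexpected)    # ['tmp/.sh']
    print("allowlisted but not set-id:", missing)    # ['bin/su']
```

Run it against the real file system by calling audit_setid("/", allowlist) from a cron job and alerting on a non-empty unexpected list; the allowlist should come from a fresh install's scan, reviewed by hand.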

12. Hardening the Linux kernel

In practice Linux was not designed with really tight security features: quite a few holes can be exploited by system-savvy hackers. Using a hardened kernel therefore matters a great deal: when the kernel, the very core of the operating system, is well designed, the risk of compromise drops considerably.

You can harden the Linux kernel with patches. One of the best websites for security patches to the Linux kernel is www.grsecurity.net, where you can find useful information and download patches for your Linux system.

Securing *nix systems with PAM

1. The problem

You have surely wondered why ftp, su, login, passwd, sshd and rlogin understand and work with shadow passwords; why su and rlogin ask for a password; why some systems allow only a certain group to su or sudo; or how a system admits only certain users or groups, coming from specified hosts, with resource limits for those users. PAM explains all of this. PAM can do far more than I have just listed, since it comes with a collection of modules for the administrator to choose from.

2. PAM structure

- PAM applications are set up in /etc/pam.d or in /etc/pam.conf (login, passwd, sshd, vsftp, ...)
- The module libraries are stored in /lib/security (pam_chroot.so, pam_access.so, pam_rootok.so, pam_deny.so, ...)
- The configuration files are stored in /etc/security (access.conf, chroot.conf, group.conf, ...)
+ access.conf controls access permissions; used by pam_access.so.
+ group.conf controls user groups; used by pam_group.so.
+ limits.conf sets system resource limits; used by pam_limits.so.
+ pam_env controls the ability to change environment variables; used by pam_env.so.
+ time sets time restrictions on services and user rights; used by pam_time.so.

3. How PAM works

Terminology
- The programs login, passwd, su, sudo and so on above are called privilege-granting applications.

- PAM-aware application: a program that lets the privilege-granting applications work with the PAM library.

The steps:

1. The user runs an application to access the desired service, e.g. login.
2. The PAM-aware application calls the PAM library to perform authentication.
3. The PAM library looks at the program's configuration file in /etc/pam.d (here login -> /etc/pam.d/login) to determine what kind of authentication the program requires. If there is no configuration file, /etc/pam.d/other is used.
4. The PAM library loads the modules required for that authentication.
5. These modules are connected to the conversation functions in the program.
6. Based on the modules, these functions issue requests to the user, e.g. asking for a password.
7. The user enters the requested information.
8. Once authentication completes, the program acts on the result: it serves the user's request (e.g. allows login) or reports failure to the user.

4. Now let us study the config file


Listing 10-1: The /etc/pam.d/rlogin file
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_rhosts_auth.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth



Lines in the config file have the form:

module-type control-flag module-path module-args

----MODULE TYPE
auth: performs authentication. Usually an auth module asks for a password to check, or establishes identity such as group membership, or a Kerberos ticket.

Account: controls checks separate from authentication. For example, it can check whether the user may access the service from a given host and at an allowed time.

Password: sets passwords. Usually there is a one-to-one correspondence between an auth module and a password module.

Session: handles session management tasks. It is used to ensure the user can use their account once authenticated.

----PAM MODULE CONTROL FLAGS

Required: this flag tells the PAM library that the corresponding module must succeed, e.g. with auth required /lib/security/pam_securetty.so the module pam_securetty.so must succeed. If the module fails, authentication fails, but PAM still continues with the remaining modules; this only serves to stop the user from guessing at which stage the process failed.

Sufficient: differs from the above in that when the module succeeds it reports authentication complete immediately, without consulting the remaining modules.

Requisite: tells the PAM library to abort authentication immediately on any failure reported by the module.

Optional: rarely used; it means the module's success or failure does not matter and does not affect the authentication result.

----MODULE-PATH the path to the PAM module library.
----ARGUMENTS optional arguments for the module.

The modules (auth, account, password, session) are executed as a stack, in the order in which they appear in the config file.

Any program that requires authentication can use PAM.
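The interaction between the four control flags is easiest to see by executing a stack. The following is an added example (not from the article): a small Python evaluator that parses lines of the form module-type control-flag module-path module-args and applies the classic Linux-PAM semantics, then runs the article's su/pam_wheel listing and the auth lines of Listing 10-1 for several assumed callers. Which module returns success or failure for a given user is an assumption supplied by the caller, since the real modules are not run.

```python
PASS, FAIL = "success", "failure"


def parse_pam_file(text):
    """Parse 'module-type control-flag module-path module-args' lines (comments
    and blanks skipped) into a list of (type, flag, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        mtype, flag, module = parts[0].lower(), parts[1].lower(), parts[2]
        entries.append((mtype, flag, module, parts[3] if len(parts) == 4 else ""))
    return entries


def run_stack(entries, mtype, results):
    """Evaluate the stack of one module type with Linux-PAM's classic control-flag
    semantics. results maps module path -> PASS/FAIL, the value that module would
    return for this caller. Returns (outcome, list of modules actually consulted)."""
    stack = [e for e in entries if e[0] == mtype]
    consulted = []
    required_failed = False
    for _mtype, flag, module, _args in stack:
        consulted.append(module)
        result = results.get(module, FAIL)      # a module with no assumed result is treated as failing
        if flag == "required":
            if result == FAIL:
                required_failed = True          # remember it, but keep running the stack
        elif flag == "requisite":
            if result == FAIL:
                return FAIL, consulted          # abort at once: later modules never run
        elif flag == "sufficient":
            if result == PASS and not required_failed:
                return PASS, consulted          # short-circuit success
            # a failing sufficient module is ignored; a passing one cannot undo an earlier required failure
        elif flag == "optional":
            if len(stack) == 1:
                return result, consulted        # only decisive when it is the sole module
        else:
            raise ValueError("unknown control flag %r" % flag)
    if not stack:
        return FAIL, consulted                  # nothing configured for this type: treat as denial
    return (FAIL if required_failed else PASS), consulted


# Listing from the pam_wheel section of the article.
SU_AUTH = """
auth sufficient pam_rootok.so
auth required pam_wheel.so
auth required pam_unix_auth.so
"""

# Assumed variant: the same stack with pam_wheel as requisite instead of required.
SU_AUTH_REQUISITE = SU_AUTH.replace("required pam_wheel.so", "requisite pam_wheel.so")

# Listing 10-1 from the article, auth lines only.
RLOGIN_AUTH = """
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_rhosts_auth.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
"""


def scenarios():
    """Return {name: (outcome, modules consulted)} for several assumed callers."""
    su = parse_pam_file(SU_AUTH)
    su_req = parse_pam_file(SU_AUTH_REQUISITE)
    rlogin = parse_pam_file(RLOGIN_AUTH)
    good_pw = {"pam_unix_auth.so": PASS}       # caller types the correct password
    return {
        # root running su: pam_rootok succeeds and, being sufficient, ends the stack at once
        "root": run_stack(su, "auth", {"pam_rootok.so": PASS}),
        # wheel member with the right password
        "wheel_user": run_stack(su, "auth", {**good_pw, "pam_wheel.so": PASS}),
        # non-wheel user with the right password: denied, yet still asked for the password
        "other_user": run_stack(su, "auth", good_pw),
        # same user when pam_wheel is requisite: denied before the password module runs
        "other_user_requisite": run_stack(su_req, "auth", good_pw),
        # rlogin from a tty not in /etc/securetty: pam_securetty (required) fails, so a
        # passing pam_rhosts_auth (sufficient) cannot rescue the login
        "rlogin_bad_tty": run_stack(rlogin, "auth", {
            "/lib/security/pam_rhosts_auth.so": PASS,
            "/lib/security/pam_stack.so": PASS,
            "/lib/security/pam_nologin.so": PASS}),
    }


if __name__ == "__main__":
    for name, (outcome, consulted) in scenarios().items():
        print("%-22s %-8s consulted: %s" % (name, outcome, ", ".join(consulted)))
```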

5. The functions of some modules

_ pam_access.so:

- Supported module type: account
- This module uses the settings in /etc/security/access.conf.
The config file has the form:
<+ or -> : <username list> : <tty list | host list>
+ : grant permission
- : deny permission
Here username list is a list of users or groups, tty list covers console logins, and host list names hosts or domains. The keywords ALL (everything), EXCEPT (except) and LOCAL (local) can be used.
The following example denies osg login from everywhere and allows linet to log in remotely.
account required pam_access.so
-:osg:ALL
+:linet:ALL EXCEPT LOCAL
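The rules above are evaluated in order, and what happens when no rule matches is easy to overlook. The following is an added example, not part of the article: a Python evaluator for the access.conf form shown (ALL, LOCAL, EXCEPT, host names and .domain suffixes; group names are not modelled), run over the page's two rules and over the same rules with a final deny-all line. Matching LOCAL to any origin that contains no dot is a simplification assumed here, and the hosts and users are constructed.

```python
def parse_access_conf(text):
    """Parse lines of the form  <+|-> : <user list> : <origin list>  into a list of
    (permission, users, origins). The list fields are kept as the raw space-separated
    strings, which may contain 'X EXCEPT Y'."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("malformed access.conf line: %r" % raw)
        rules.append((fields[0], fields[1], fields[2]))
    return rules


def _match_tokens(tokens, value, is_origin):
    """True if any space-separated token matches value. Tokens: ALL; LOCAL (origin
    with no '.', e.g. a tty or short host name, assumed simplification); '.example.org'
    (domain suffix, origins only); or an exact user or host name."""
    for tok in tokens.split():
        if tok == "ALL":
            return True
        if is_origin and tok == "LOCAL" and "." not in value:
            return True
        if is_origin and tok.startswith(".") and value.endswith(tok):
            return True
        if tok == value:
            return True
    return False


def _match_list(field, value, is_origin):
    """Handle 'X EXCEPT Y': the include part must match and the exclude part must not."""
    include, _sep, exclude = field.partition(" EXCEPT ")
    return _match_tokens(include, value, is_origin) and not _match_tokens(exclude, value, is_origin)


def check_access(rules, user, origin):
    """Apply the rules in order. The first rule whose user list and origin list both
    match decides (+ grants, - denies). When no rule matches, pam_access grants access,
    which is why a trailing deny-all line is usually wanted. Returns (granted, rule index)."""
    for index, (perm, users, origins) in enumerate(rules):
        if _match_list(users, user, False) and _match_list(origins, origin, True):
            return perm == "+", index
    return True, None


# The two rules from the article.
PAGE_RULES = """
-:osg:ALL
+:linet:ALL EXCEPT LOCAL
"""

# Same rules plus an explicit deny-all fallback (assumed hardening).
HARDENED_RULES = PAGE_RULES + "-:ALL:ALL\n"


if __name__ == "__main__":
    page = parse_access_conf(PAGE_RULES)
    hard = parse_access_conf(HARDENED_RULES)
    print(check_access(page, "osg", "tty1"))                 # (False, 0)
    print(check_access(page, "linet", "host.example.org"))   # (True, 1)
    print(check_access(page, "linet", "tty1"))               # (True, None): no rule matched, default grant
    print(check_access(hard, "linet", "tty1"))               # (False, 2): caught by the deny-all line
```

Note that with the page's two rules alone, linet (and every other user) is still admitted from local consoles and unlisted users are admitted from anywhere, because an unmatched request is granted; the deny-all line closes that gap.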

_ pam_chroot.so:
Supported module types: account; session; authentication

Used to chroot the users set up in /etc/security/chroot.conf.
For example, to chroot sshd so that user linet can only access /home/osg and has no access to other users' home directories, add the following line to /etc/pam.d/sshd (note that /etc/sshd/sshd_config must set UsePAM yes):
session required pam_chroot.so

_ pam_deny.so:

Supported module types: account; authentication; password; session
This module always returns false. For example, it is used in /etc/pam.d/other to refuse all access by users to PAM-a­ware programs that have no PAM configuration file.

- Account module type: denies the user access to the system

#add this line to your other login entries to disable all accounts
login account required pam_deny.so

- Authentication module type: denies access; sets the default, e.g. in /etc/pam.d/other. When a user logs in, the modules in /etc/pam.d/login are called first and ask the user for the corresponding information (username, password); if that information does not satisfy them, PAM calls /etc/pam.d/other to deny access.

#/etc/pam.d/other
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_deny.so
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_deny.so


- Password module type: does not allow password changes

For example, to stop users changing their password, add the following line to /etc/pam.d/passwd
password required pam_deny.so

_ pam_limits.so
- Supported module type: session
Sets resource limits in /etc/security/limits.conf

username|@groupname type resource limit


A resource can be one of these keywords:
core - Limits the size of a core file (KB).
data - Maximum data size (KB).
fsize - Maximum file size (KB).
memlock - Maximum locked-in memory address space (KB).
nofile - Maximum number of open files.
rss - Maximum resident set size (KB).
stack - Maximum stack size (KB).
cpu - Maximum CPU time in minutes.
nproc - Maximum number of processes.
as - Address space limit.
maxlogins - Maximum number of logins allowed for this user.

Details are in /etc/security/limits.conf

In the example below, all users are limited to 10 MB per session and at most 4 concurrent logins; ftp may have 10 concurrent logins (useful for anonymous ftp); members of group managers are limited to 40 processes, developers to 64MB of memory, and users in wwwusers cannot create files larger than 50 MB = 50000 KB.

Listing 3. Setting quotas and limits

* hard rss 10000
* hard maxlogins 4
* hard core 0
bin -
ftp hard maxlogins 10
@managers hard nproc 40
@developers hard memlock 64000
@wwwusers hard fsize 50000

To activate these limits, add the following line at the end of /etc/pam.d/login:

session required /lib/security/pam_limits.so

_ pam_listfile.so

This module reads a file and takes the configured action (allow or deny access) depending on whether an item such as username, host or group is present in it.

Example in vsftpd
auth required /lib/security/pam_listfile.so item=user \
sense=deny file=/etc/ftpusers onerr=succeed

This asks PAM to load pam_listfile and read /etc/ftpusers; for every username listed there, PAM applies sense=deny and blocks that user. So the users in /etc/ftpusers cannot access ftp.

_ pam_rootok.so

With this module root does not have to enter a password to run the program; for example it is attached to su so that root need not type a password when running su.

_ pam_wheel.so
Only allows root access to the wheel group. For example, only members of wheel may su to root.

#
# root gains access by default (rootok), only wheel members can
# become root (wheel) but Unix authenticate non-root applicants.
#
auth sufficient pam_rootok.so
auth required pam_wheel.so
auth required pam_unix_auth.so



-----------------> References
Documentation: http://www.kernel.org/pub/linux/libs/pam/pre/doc/
Module source:
http://cvs.sourceforge.net/viewcvs.py/pam/Linux-PAM/modules/

How to compile the kernel

1. Get the kernel:

The kernel source can be downloaded from http://www.kernel.org. The current stable version is 2.4.21 and the development version is 2.5.73. Unless you want to test new kernel features, use 2.4.21 for daily work.

2. Unpack and prepare the kernel: assuming you have just downloaded linux-2.4.21.tar.bz2, after running the commands below you are ready to compile the kernel


2a. $mv linux-2.4.21.tar.bz2 /usr/src/

2b. $cd /usr/src && tar -xvjf linux-2.4.21.tar.bz2

2c. $ln -s linux-2.4.21 linux

At this point you are ready to compile, but sometimes you may need to apply a patch; for that, run the following in /usr/src/linux

$patch -p1 --dry-run < /path/to/the/patch

Note: --dry-run 'pretends' to apply the patch without actually changing anything. Use --dry-run first, in case the patch is not for the kernel you are using or is itself broken. If --dry-run reports no errors, apply the patch for real with $patch -p1 < /path/to/the/patch

3. Compile the kernel with the following commands:


3a. $make menuconfig (or make config, or make xconfig) asks you a series of questions to tailor the kernel to your machine. If you are sure you will use a feature, answer Y; otherwise N; answer M (module) when you are unsure whether your hardware will use this driver or another, especially for network and sound cards. If you do not understand what a question is asking, press h for a fairly clear explanation.

You can download a sample config that I use for a Pentium3 machine with a Tekram SCSI card, SB Live! sound card, bt848 Hauppauge TV card, ext2/ext3/reiserfs/jfs/tmpfs/iso9660/vfat/ntfs and ipsec VPN compiled into the kernel, tulip, intel and realtek modules for network cards, and iptables and wireless modules. If you do not need something, just comment out that line (put a # in front of it). If your machine is a Pentium4, change the corresponding value. Then run $make oldconfig instead of $make menuconfig as above.

3b. $make dep prepares the required dependencies

3c. $make clean removes .o files the developers left behind and tidies the source tree.

3d. $make bzImage really starts compiling the kernel. If all goes well you get bzImage in /usr/src/linux/arch/i386/boot

3e. $make modules compiles the modules you selected in $make menuconfig above.

3f. $make modules_install installs the modules into /lib/modules/2.4.21

3g. $cp /usr/src/linux/arch/i386/boot/bzImage /boot/mykernel-2.4.21 copies the kernel image you just compiled into /boot.

If you have a SCSI card and compiled the SCSI driver or the filesystem (ext3, reiserfs, ...) the machine uses as modules, you must create an initial ramdisk with $mkinitrd -o /boot/initrd-2.4.21.img /lib/modules/2.4.21. If you compiled the SCSI driver and the filesystem into the kernel, you can say goodbye to initrd.


4. Prepare the boot loader


4a. If you use GRUB: create a new section for your kernel by editing menu.lst with $vi /boot/grub/menu.lst; assuming your / is on /dev/hda3 and /boot on /dev/hda1, add the following lines:

title MyKernel-2.4.21
kernel (hd0,0)/boot/mykernel-2.4.21 root=/dev/hda3

initrd (hd0,0)/boot/initrd-2.4.21.img

If you do not use initrd, omit the last line above.

4b. If you use LILO: create a section for your kernel by editing lilo.conf with $vi /etc/lilo.conf and adding these lines:




image=/boot/mykernel-2.4.21

label=MyKernel-2.4.21

root=/dev/hda3

initrd=/boot/initrd-2.4.21.img

read-only


Remember to run $lilo, otherwise you will not see your new kernel when you reboot.

Keep /usr/src/linux/.config: later, if you want to compile 2.4.22 for example, you can reuse it by running $make oldconfig instead of $make menuconfig. Note: $make mrproper deletes /usr/src/linux/.config and cleans out all .o files and symlinks (from ln -s). You cannot use a 2.4 kernel config file for a 2.5 kernel.

I hope this article helps you understand the process of updating the kernel from source. As usual, thanks to the folks on #unixcircle for feedback. Send comments to em_m_compile_kernel@vnlinux.org

Building a reverse proxy with Linux + Apache,
Protecting your servers

1. Introduction

Hello Linux fans,

This article is based mainly on two documents: "Web Security Appliance With Apache and mod_security" by Ivan, the author of mod_security, and "Securing Apache 2: Step-by-Step" by Artur Maj. You can regard it as a Vietnamese translation of those two documents, together with my own thoughts drawn from hands-on experience deploying reverse proxies -0-. The article can be seen as a case study in the series "Protecting servers securely with free software".

Our task is to protect one or more content web servers -1- located in the Internal zone -2-. These web servers may be Apache httpd, Microsoft IIS, or simply a small web server embedded in some application. To accomplish this we will concentrate on building an application-layer firewall/IDS, called a reverse proxy in this document, using Apache httpd -3- on Linux.

2. What is a reverse proxy?

A proxy, by definition, is a device that sits between server and client and takes part in the "conversation" between the two. The proxy we talk about in everyday use is better called a forward proxy: a device sitting between one client and all the servers that client wants to reach. A reverse proxy does exactly the opposite: it sits between one server and all the clients that server has to serve. A reverse proxy is like a railway station that doubles as a checkpoint: every request from a client must stop at the reverse proxy, which inspects it, discards invalid requests, and forwards valid ones to their final destination, the servers. Note that a reverse proxy can forward requests to many servers at the same time.

The biggest advantage of using a reverse proxy is centralised management. Once all traffic is pushed through a single checkpoint (the reverse proxy), we can apply many other "tricks" to strengthen the security of our system. Of course, every product or technology has its pros and cons, and a single point of access always brings with it the "spectre" of a single point of failure. The single point of failure can be dealt with by building a cluster. That is entirely outside the scope of this article; anyone who wants to learn about clustering on Linux should have a look at http://www.linux-ha.org. In addition, a properly deployed reverse proxy improves the performance and scalability of the web applications running on the content servers. A little later I will go into the advantages of a reverse proxy in detail, and how to make the most of them.

3. Installing the reverse-proxy server

3.1. Choosing and installing an operating system for the reverse proxy

Naturally I use Linux for the reverse proxy server. I will not describe installing Linux here, since there are plenty of good documents on the Internet on that subject, and besides, I think anyone who is considering a reverse proxy will have no trouble installing Linux. There are tons of Linux distros, so which one does mrro pick? In my opinion every distro is much the same, but if anyone asks me that question the answer is Trustix -4-. Whichever distro you choose, remember to spend a little time securing it after installation before reading on -5-. In the next part we discuss installing Apache httpd and the modules that go with it.

3.2. 1.3.x or 2.x?

First, I think we need to answer the question of which Apache version to use for the reverse proxy: 1.3.x or 2.x? I chose 2.x for three reasons. First, I have "heard" that there are a lot of 0-days in the 1.3.x branch. Second, Apache 2.x provides a better filtering API than 1.3.x, allowing modules to see and interact with the content of requests as well as the corresponding responses returned by the server. This is very important for a reverse proxy acting as an application gateway, because it must inspect everything passing through it before handing it on to the recipient -6-. Finally, Apache httpd 2.x performs far better than 1.3.x when serving static content such as HTML files and images. I care about this because I intend to offload the internal content servers by splitting content into two kinds: dynamic (CGI/Perl, PHP) and static (HTML files and images). The content servers serve only dynamic content, while all static content is moved onto the reverse proxy itself. When client requests arrive at the reverse proxy, a request for static content is answered by the reverse proxy directly without being forwarded to the content server behind it; only requests for dynamic content are forwarded to the content servers for processing. I will go into this in detail later; just note that in the end I did not use Apache httpd for this purpose but another web server that specialises in static content.

3.3. Choosing modules for Apache httpd

Besides the modules recommended in "Securing Apache 2: step by step", we must also select the following:

- mod_rewrite, mod_proxy, mod_proxy_http: these modules support us in setting up the reverse proxy.

- mod_security: this module lets us configure the reverse proxy as an application firewall against the common attacks on the web applications running on the content servers. -7-

- mod_ssl: this module encrypts the data on connections from client to server using the SSL and TLS protocols, turning insecure HTTP into HTTPS. -8-

The next important step is choosing an MPM suited to our reverse-proxy purpose. MPM stands for Multi-Processing Module, a significant improvement in Apache httpd 2.x over Apache 1.x. In the Apache 2.x architecture the MPM plays a crucial role: it listens on the network ports, accepts connection requests from clients, and passes the requests into Apache httpd for processing -9-. In this case I chose the worker MPM. The worker MPM uses threads to serve requests, so it can handle a large number of requests while consuming far fewer resources than process-based MPMs such as prefork. At the same time the worker MPM still benefits from the stability of the process-based MPMs by creating several processes up front, each with many threads ready to serve clients -10-.

3.4. Compiling and installing Apache httpd

The next question is how to compile the modules. As we all know, there are two ways to build modules into Apache httpd. The first, the dynamic method, compiles the modules into shared libraries (similar to DLLs on Windows). With this method the modules are compiled into .so files and loaded when Apache httpd starts, if needed (according to the LoadModule directives in the configuration file conf/httpd.conf). The second, the static method, packs every module into the bin/httpd binary itself (static linking). At startup and at run time Apache httpd then does not need to load any further modules. The static method is considered the better choice. With static linking we do not need mod_so (the module required to load .so files in the dynamic method). Moreover, according to Apache, static linking gives about a 5% performance gain over the dynamic method.

We download Apache httpd 2.x from http://httpd.apache.org/download.cgi and mod_security from http://www.modsecurity.org with the following commands:

CODE
localhost$ wget http://www.tux.org/pub/net/apache/dist/htt...d-2.0.54.tar.gz
localhost$ wget http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz
localhost$ tar -xzf httpd-2.0.54.tar.gz -C /usr/local/src
localhost$ tar -xzf modsecurity-1.8.7.tar.gz -C /usr/local/src

The documentation shipped with mod_security only explains how to build it as a shared library for Apache httpd, so we need a little preparation to be able to compile mod_security statically:

CODE
localhost$ cd /usr/local/src
localhost$ mkdir -p httpd-2.0.54/modules/security
localhost$ cp modsecurity-1.8.7/apache2/mod_security.c httpd-2.0.54/modules/security
localhost$ cp httpd-2.0.54/modules/echo/Makefile.in httpd-2.0.54/modules/security

Okay, with that done, start the build as follows:

CODE
localhost$ cd /usr/local/src/httpd-2.0.54
localhost$ ./configure \
--with-mpm=worker \
--disable-charset-lite \
--disable-include \
--disable-env \
--disable-status \
--disable-autoindex \
--disable-asis \
--disable-cgid \
--disable-cgi \
--disable-negotiation \
--disable-imap \
--disable-actions \
--disable-userdir \
--disable-alias \
--disable-so \
--with-module=security:mod_security.c \
--enable-modules='ssl rewrite proxy proxy_http'

If the build succeeds, we continue as follows to install Apache httpd on the system (in the default directory /usr/local/apache):

CODE
localhost$ make
localhost$ su
localhost# umask 022
localhost# make install
localhost# chown -R root:sys /usr/local/apache
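
An added check, not part of the original article, for the static build above: `httpd -l` lists the modules compiled into the binary, and this POSIX shell function compares such a listing with what the configure line is meant to produce. The function name and the sample listing are mine (the sample is constructed; the default module list varies between httpd releases).

```shell
#!/bin/sh
# Added example, not from the original article.  After a static build,
# `httpd -l` prints the modules compiled into bin/httpd, one per line.
# This check compares such a listing with what the configure line above
# is meant to produce: the proxy/security/ssl/rewrite modules and the worker
# MPM present, mod_so and the explicitly disabled modules absent.  The
# listing is passed in as text so the check can also run offline.

# check_static_modules <output of httpd -l>
# Prints one "missing: X" / "unwanted: X" line per problem; exit 0 if none.
check_static_modules() {
    listing=$1
    required="mod_security.c mod_proxy.c mod_proxy_http.c mod_rewrite.c mod_ssl.c worker.c"
    unwanted="mod_so.c mod_cgi.c mod_cgid.c mod_autoindex.c mod_userdir.c mod_status.c"
    rc=0
    for m in $required; do
        printf '%s\n' "$listing" | grep -qx "[[:space:]]*$m" || { echo "missing: $m"; rc=1; }
    done
    for m in $unwanted; do
        printf '%s\n' "$listing" | grep -qx "[[:space:]]*$m" && { echo "unwanted: $m"; rc=1; }
    done
    return $rc
}

# Constructed sample of what `httpd -l` prints for the build above
# (the exact set of default modules varies with the httpd release).
SAMPLE_LISTING='Compiled in modules:
  core.c
  mod_access.c
  mod_auth.c
  mod_log_config.c
  mod_mime.c
  mod_setenvif.c
  mod_ssl.c
  worker.c
  http_core.c
  mod_dir.c
  mod_rewrite.c
  mod_proxy.c
  mod_proxy_http.c
  mod_security.c'

# On the real server: check_static_modules "$(/usr/local/apache/bin/httpd -l)"
```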

3.5. Changing the server's "root"

For this part please refer to the document "Securing Apache 2: Step by Step."

-m

(to be continued)

Next part:
4. Configuring Apache httpd as a reverse proxy

----------------------
-0-: In fact, for the Vietnamese part of "Securing Apache 2: Step-by-Step" I copied quite a lot from the translation and extension of "Securing Apache: Step-by-Step" (http://www.securityfocus.com/infocus/1694) by hnd aka conmale. See conmale's translation and extension at http://www.hvaonline.net/forum/index.php?a...T&f=161&t=46199

-1-: Apart from web servers, the reverse proxy approach (or something similar) can be applied to other services such as VNC (see http://sourceforge.net/projects/vnc-reflector/) and mail (see the document "Qmail as the mail gateway" by hnd@diendantinhoc.org). The one service I have not managed to reverse-proxy is FTP; if anyone has information on an FTP reverse proxy, please share a few words.

-2-: We can still set up a reverse proxy to protect web servers located in the DMZ itself, or place a reverse proxy right inside the Internal zone to protect the Internal web servers against threats coming from inside.

-3-: Besides Apache httpd, there is plenty of other software that can be used as a reverse proxy, the most notable being pound. See http://www.apsis.ch/pound/.

-4-: Trustix is a compact distro (the whole installation fits on a single CD) built on RedHat with two main goals: security and stability. The latest stable release of Trustix is 2.2; the unstable release is 3.0 RC2. See www.trustix.org.

-5-: See the Linux Security HOWTO, available at http://www.tldp.org, for details. The Bastille-Linux software is also very useful for securing Linux servers.

-6-: Only with Apache 2.x do the mod_security rules that need to filter OUTPUT take effect.

-7-: See the mod_security documentation at http://www.modsecurity.org and conmale's series of write-ups on the DDoS attacks against HVA.

-8-: Since Apache httpd 2.0, mod_ssl has been officially part of Apache httpd. See the mod_ssl documentation at http://www.modssl.org.

-9-: Choosing the MPM for Apache 2.x is an extremely important matter that greatly affects server performance, so I suggest that anyone interested in Apache 2.x also read the MPM documentation at http://httpd.apache.org/docs-2.0/mpm.html

-10-: Why are threads "tastier" than processes in terms of performance? Anyone interested in this question should look up the following:
Advanced Linux Programming (http://www.advancedlinuxprogramming.com)
Understanding the Linux Kernel.

Author: Mrro - HVAonline group
Using .htaccess files on an Apache server
15/11/2004 12:37
Have you heard of the .htaccess file on Unix-like servers (FreeBSD, Linux, Solaris, Tru64...)? You know that this file can control quite a lot, even overriding the default settings of the Apache server (http://apache.org/). But how many of the directives in this file have you actually put to use to make your website stronger and safer? In this round-up the author will explore with you some of the most common directives for protecting and controlling your website the way you want. Let's begin!
Creating personalised error pages

When an error occurs while serving a client (for example, a file is not found), Apache reports it with a built-in page showing the error code, which is ugly and hard to understand. With .htaccess you can create nicer error pages yourself. To do this, add the following line to your .htaccess file:

ErrorDocument <error code> /trangloi.html

Here the error code is the code of the error that occurred; the most common ones are:

- 401 - Authorization Required (a password is needed for access)
- 400 - Bad Request (the request is malformed)
- 403 - Forbidden (access not allowed)
- 500 - Internal Server Error (server error)
- 404 - Not Found (page not found...)

and trangloi.html is the web page you want to display when the error occurs. You can put whatever you like in this file, for instance a link back to the site's home page. Examples: ErrorDocument 404 /trangloi.html or ErrorDocument 500 /loi/500.html

Now upload the two files, .htaccess and trangloi.html, to your hosting account.

Preventing bandwidth theft (hotlinking)

Web hosting services usually give you a fixed amount of data transfer per month, and when you use it up your website is automatically shut down. You then have to pay extra for the bandwidth you exceeded, or resign yourself to waiting for the next month.

If other websites steal your images or data (using simple tricks) and drive up your data transfer, you end up paying for something you did not use. An .htaccess file is a perfect solution for blocking unauthorised use of the images on your website. Just put the following into your .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?trangweb\.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]

The code above uses the Rewrite module of the Apache server; just change trangweb.com to your own website's address.

You can also use an image to warn the bandwidth thieves; for that, use the following lines:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?trangweb\.com/.*$ [NC]
# The warning image itself matches \.(gif|jpg)$ and the browser keeps sending the
# foreign Referer when it follows the redirect, so exclude it or the rule loops.
RewriteCond %{REQUEST_URI} !^/diehotlinker\.jpg$
RewriteRule \.(gif|jpg)$ http://www.trangweb.com/diehotlinker.jpg [R,L]

Disabling directory listings

When a directory has no index or default file, Apache displays a listing of the files in that directory. If these are sensitive documents you do not want others to see, add the following directive to .htaccess:

Options -Indexes

Changing the index page

Normally, when a web page is requested, Apache looks for index.htm or default.htm to return to the browser; you can use .htaccess to change this default.

DirectoryIndex index.php index.php3 messagebrd.pl index.html index.htm

With this directive, all the listed files are searched for in order when the current directory is requested, and the first one found becomes the directory's index page.

Blocking/restricting access by IP

Some people want to flood your website; what you need to do is block their IP addresses from accessing the site. Add the following to .htaccess: deny from 203.262.110.20; to allow an IP: allow from 203.262.110.20.

If you write the IP only as 203.262.110, all addresses in the range 203.262.110.1 to 203.262.110.254 are blocked.

The directive Deny from all blocks all access to the web pages in the directory; the files in it can still be used from outside through statements such as require or include (in PHP programming). See the source code of the phpBB forum, IBF... to understand this better.

Automatically forwarding to a new address (Redirection)

You have moved your website to a new address but not everyone knows this yet; you can redirect visitors simply with the following directive:

Redirect /olddirectory http://www.trangwebmoi.com/thumucmoi

Customising file extensions

Normally, depending on the web programming language you use, files have different extensions such as html, htm, asp, aspx, php, cgi... With .htaccess, however, you can instruct the Apache server to serve your file and return it to the user's browser under an extension you define in .htaccess. Use the following lines in your .htaccess file:

RewriteEngine on
RewriteRule (.*)\.dll$ $1.html

Here html is the real extension of the files on the website and dll is the extension you chose. Note that in the links on your web pages you must use the path to the file with the new extension (dll in the example above), e.g. http://www.trangweb.com/index.dll

Notes on using .htaccess files:

- They only work on an Apache server where .htaccess is enabled; if it is not, try contacting your hosting provider.

- To create the file you can simply use Windows Notepad: choose Save As with the name .htaccess, but remember to drop the txt extension when saving.

- .htaccess only affects files alongside it (in the same directory) or in subdirectories. It applies to the directory containing it and its subdirectories, and has no effect on the parent directory.

- You can use an FTP program (Leaf FTP, WS FTP, Cute FTP) to upload the .htaccess file to your hosting account in ASCII mode; if it does not work, try CHMOD with the value 644.
