
Thesis: Safety and Security on the Linux Operating System

Topic: Safety and security on the Linux operating system

Introduction

Today, on the Internet all over the globe, people carry out billions of dollars in transactions every day (around 2 trillion USD per year). An enormous volume of goods and money is being moved around by countless tiny electrons, and it really is a tempting prize for thieves or terrorists who have the know-how. The rapid growth of computer networks is inevitable. Every day an unknown number of people join the global information system that we call the Internet. Large companies, businesses, universities and secondary schools are connecting in ever greater numbers, and beyond that a great many people are online 24 hours a day, seven days a week. In the setting of a global internetwork with tens of millions of users such as the Internet, information security becomes more complex and more urgent. This raises an uncomfortable question: could our computer network be attacked at any moment?

The first protection of any computer network is a firewall and open-source software such as Linux. And the story of network security has no ending. Keeping a system secure requires good knowledge of the operating system, of basic TCP/IP networking and of service administration. Following the suggestion of our supervisor, and given the importance of information security across networks, we present here only an overview of the areas where Linux can and must be kept secure, together with basic commands and practical experience in the principles of securing and protecting a networked system.

Students:
- Nguyễn Huy Chương
- Lê Thị Huyền Trang

Supervisor (GVHD): Nguyễn Tấn Khôi

I. Security for transactions over the network

Many traditional network services communicate over unencrypted plain-text protocols, such as TELNET, FTP, RLOGIN, HTTP and POP3. In transactions between a user and a server, all information is carried across the network in packets as unencrypted plain text. These packets can easily be intercepted and copied at some point along the path. Decoding them is very easy and yields information such as user names, passwords and other important data. Using encrypted network transactions makes the information harder to decode and helps you keep important information safe. The techniques in common use today are IPSec, SSL, TLS, SASL and PKI.

Remote administration is an attractive feature of UNIX systems. A network administrator can easily log in to a system from anywhere on the network through common protocols such as telnet and rlogin. Some widely used remote administration tools, such as linuxconf and webmin, also use unencrypted protocols. Replacing every network service that uses an unencrypted protocol with one that uses an encrypted protocol is very hard. However, you should provide access to traditional services such as HTTP/POP3 over SSL, and replace the telnet and rlogin services with SSH.
Principles of protecting a networked system

1. Planning the network protection system

In a network environment there must be a guarantee that confidential data is stored separately, so that only authorized people are allowed to access it. Keeping information confidential is important, and protecting the operation of the network is no less important.

A computer network needs to be protected against dangers that arise by accident or by intent. However, a network administrator needs to know that everything has its limits and should not go too far. The network does not have to be protected so strictly that users constantly have trouble getting onto the network to do their work. They should not be left frustrated when trying to reach their own files.

The four main threats to network security are:
o Unauthorized network access
o Interference by electronic means
o Theft
o Accidental or deliberate disasters

• Level of security: depends on the kind of environment in which the network operates.
• Security policy: a network needs a set of rules, regulations and policies intended to eliminate every risk. These help guide it through changes and unforeseen situations as the network grows.
  Prevention: guard against unauthorized access.
  Authentication: before accessing the network, you enter a valid login name and password.
• Training: network users who are thoroughly trained are less likely to destroy a resource by accident.
• Equipment security: depends on the size of the company, the confidentiality of the data and the resources available. In a peer-to-peer network environment there may be no organized hardware protection policy at all. Users are responsible for the safety of their own computers and data.

2. Security models

Two different security models have developed to help protect data and hardware resources:
• Password-protected shared resources: a password is attached to each shared resource.
• Access by permission: certain rights are assigned on a per-user basis, and access to shared resources is checked against the user-access database on the server.

3. Raising the level of security

• Auditing: monitor activity on the network through user accounts, recording selected kinds of events in the server's security log. This helps to identify invalid or unintended activity. It also provides usage information for cases where a department charges for the use of certain resources and has to decide how the fees for those resources are set.

• Diskless computers: these have no hard disk and no floppy drive. They can do everything an ordinary computer does, except store data on a local hard disk or floppy disk. They need no boot disk. They can communicate with the server and log in thanks to a special boot ROM chip installed on the network card. When a diskless computer is switched on, the boot ROM chip signals to the server that it wants to boot. The server responds by loading the boot software into the RAM of the diskless computer and automatically displays the login screen. The computer is then connected to the network.

• Data encryption: information is encoded into cipher form by some method that ensures it cannot be understood if the recipient does not know how to decode it. A user or a host can use the information without fear of affecting another user or host.

• Anti-virus:
- Prevent the virus from running
- Repair the damage to some extent
- Stop the virus after it has broken out

Preventing unauthorized access is one of the most effective measures for avoiding viruses. Because the main measure is prevention, the network administrator must make sure that everything needed is in place:
- Passwords, to reduce the chance of unauthorized access
- Appropriate privileges assigned to every user
- Profiles that organize the network environment for users, so that they can configure and maintain their login environment, including network connections and the program items present when the user logs in
- A policy that decides which software may be loaded

Security architecture of a networked system

1) Levels of information security on the network

Nothing can be called perfect when it comes to securing a networked system such as Linux. It was designed to be a networked operating system, and its strong development has concentrated on security. An open-source operating system is something that lets network administrators, developers and users continuously monitor and audit whatever is vulnerable to attack. There is nothing mysterious about information security here. It is a good thing when resources are kept confidential and well protected against any intrusion, accidental or deliberate.

Safety, or security, is not a product, and it is not a piece of software either. It is a way of thinking. Security can be started and stopped like a service. Confidentiality is a form of security. Confidential material is the material that the members of the organization want to protect. Responsibility for security lies with the network administrator.

Network security is of the highest importance. Security must be ensured from the elements outside the kernel, at the core of the Linux server. The security mechanism has to cover the network configuration of the server, the application perimeter of the organization's network and even the clients that access the network remotely. There are several aspects to consider:
o Physical security
o System security
o Network security
o Application security
o Remote access and authorization

1. Physical security

This is basic, and it covers a well-understood aspect of the security of the Linux operating system. Physical security starts with the surrounding environment, for example: what about harmful service providers? Should the data units be locked up? Who is allowed into the data centre? Appropriate protection has to be put in place again whenever you build a new installation or move data to a new location.
2. System security

System security covers choosing a Linux distribution, building the kernel, the security of user accounts, access permissions on directories and files, and encryption of syslog and the file system. These tasks are completed before the service is connected to the Internet. Which distribution to choose depends on needs such as the policy outlined in the security mechanism. There are criteria for choosing a distribution, but they are outside the scope of this paper.

Building a kernel of your own has two advantages:
o The security options of the kernel are set by the network administrator, so the administrator knows what has been built into the kernel and can tell at once whether something is there. Open-source software in general, and the Linux operating system in particular, receive improvements that make them easier for users, along with utilities that are easy to apply. In Red Hat only an update is needed.
o The security of user accounts plays a major role. Some areas should be disabled: inactive accounts should be disabled, root access over NFS should be disabled, and logins to the system console should be restricted. File system encryption uses cryptographic techniques and is usually the last line of defence for the network.

There are two general approaches: the Cryptographic File System (CFS) and the Practical Privacy Disk Driver (PPDD). The system can be monitored, and in Linux logging is handled by the syslog utility. Monitoring tools include swatch and logcheck. Swatch provides real-time notification, while logcheck is a tool that generates periodic reports. Password auditing is also vital to the security of the system, since the weakest link in network security is the user and the choice of passwords.

3. Network security

This concerns the connection from the Linux server to the network. Configuring network services securely is becoming harder and harder for network administrators. The xinetd daemon has to be configured according to the security policy. The netstat command is a powerful utility that lets the administrator check the state of the network configuration. Network auditing is an essential part of security. It ensures that the security mechanism that has been put in place is effective in meeting the security requirements. That is achieved by exercising access to your own network. The most effective approach to auditing a network is to take on the role of the intruder. There are baseline auditing tools and host-based ones.

SATAN (Security Administrator's Tool for Analysing Networks), SAINT (Security Administrator's Integrated Network Tool) and SARA (Security Auditor's Research Assistant) are good tools for basic auditing. SATAN was first recognized in 1995 and was widely accepted by the open-source community. SAINT is more powerful than SATAN, while SARA is a modular package that interacts with Nmap and Samba. The most recent improvement is the Nessus tool. Nessus is a free, open-source, full-featured auditing tool that is still actively supported and improved. Nessus comes in 2 parts: a client (nessus) and a server (nessusd). Nmap is a tool for the experienced administrator. Put another way, Nmap is a powerful scanning tool for people with experience. It is well suited to use on a LAN.

TARA (Tiger Auditors Research Assistant) is an example of a host-based auditing tool.

Monitoring the network under attack. The tools for monitoring are PortSentry and Ethereal. PortSentry scans in stealth mode. Network security is like a game of cat and mouse, of wits and counter-wits. While network auditing is part of normal network operation, network monitoring needs to be given higher priority. Security includes accurate auditing and also deciding whether things should be left as they are. PortSentry is an example of a real-time monitoring tool designed to detect scans against the system, and it is able to respond for you.
4. Application security

Several standard daemons in current Linux distributions are full-featured applications with a complex file structure. Web, file and mail servers use complex protocols. Security can be implemented through the security features of the mail transfer agents (MTAs) such as Sendmail, Qmail and Postfix. A web server can also be kept secure by enabling modules: mod_auth, mod_auth_dbm, mod_auth_db, and so on. Enabling OpenSSL support for Apache also works together with the web server. Samba can be secured by reviewing the parameters it is running with. The first step is to protect the Samba web administration tool (SWAT) with SSL, so that Samba management commands are protected.

5. Perimeter security

The natural progression of a layered approach to computer security moves outward from the network layer to the application layer, and from there to the perimeter layer. This is an area that deserves attention. Firewalls are the main component of the security perimeter: software whose function is to enforce the organization's security policy by filtering, securing or strengthening, and which resides on a Linux server connected to both the main network and the Internet. A firewall can be implemented in several ways based on the layers of the OSI model: the network layer, the transport layer and the application layer. There are advantages and disadvantages to deploying a firewall at each of these layers.

Network firewalls are known as packet-filtering gateways. They inspect the IP packets arriving at the firewall interface and take the appropriate action. The actions include drop, accept and/or log. The disadvantage is that this kind of firewall is not very smart. Transport firewalls work by examining TCP or UDP. This kind of firewall requires user intervention to modify procedures. Application firewalls make access decisions at the application layer. They let the administrator tailor the firewall to the requirements of each kind of application. The drawback is that the administrator has to configure, deploy, monitor and maintain the firewall process for every application that needs access control.

It is always good practice to implement security by combining a firewall at all three layers, in order to avoid compromise. A firewall must not only keep unauthorized intruders out of the network; it must also let users reach outside resources, while approving only certain return connections for those users. This is easy to understand but a challenge to implement.

o Network firewalls

There are several advantages to using Linux as a firewall platform. Uniform administration, hardware, the number of users, platform testing, performance and cost are among the reasons why. Packet filtering is an effective benefit and a way of protecting against intrusion. Users do not need to authenticate in order to use trusted services outside.

The packet-filtering solutions in Linux include ipchains and ipfwadm. The packet-filtering utility has been used in the kernel from version 1.2.1 onward. The last version of ipfwadm was released in July 1996, after which ipchains replaced it. Ipchains addresses the shortcomings of ipfwadm, such as 32-bit counters, the inability to deal with the make-up of IP addresses, and so on. Ipchains overcomes these limits by taking advantage of three separate chains, or series of rules, for filtering. The three chains are INPUT, OUTPUT and FORWARD.
The ipchains utility uses the following syntax:

    ipchains command chain rule-specification [options] -j action

Here the chain can be one of INPUT, OUTPUT or FORWARD. As of kernel 2.4 and later, the functionality that ipchains once provided has been replaced by Netfilter and the iptables rule set. Netfilter is supported by Watchguard technology. Iptables was developed from the ipchains utility and runs only on versions 2.3 and later.

An example of an iptables command:

    iptables -A INPUT -p tcp --dport smtp -j ACCEPT

Today there are firewall designs that cover most common network structures, ranging from simple connection requirements to very complex ones involving a demilitarized zone (DMZ).

II. Securing a Linux Server

Security practices

Linux is gradually becoming a fairly popular operating system thanks to its low cost, its security and its great flexibility. However, any system, no matter how secure, is easily broken into if its users (and above all the administrator, root) do not put security first. Below are some security practices on the Red Hat Linux operating system that we would like to share:

1. Do not allow the root account to be used from consoles: after installation, the root account has no right to connect to the telnet service on the system, whereas an ordinary account can, because the file /etc/securetty lists only the consoles from which root is allowed to log in, and it lists only the consoles used when sitting directly at the server. To strengthen security further, edit /etc/securetty and remove the consoles from which you do not want root to log in.

2. Remove special accounts and groups: the administrator should delete all accounts and groups that are created by default on the system but are not needed (for example: lp, sync, shutdown, halt, news, uucp, operator, games, gopher). Delete accounts with the userdel command and groups with the groupdel command.

3. Turn off unused services: one fairly dangerous point is that after installation the system automatically runs quite a lot of services, most of which are unwanted, which wastes resources and creates many security risks. The administrator should therefore turn off the services that are not used (ntsysv) or remove the unused service packages with the rpm command.

4. Do not allow "su" (substitute) to root: the su command lets a user switch to another account. If you do not want users to "su" to root, add the following two lines to the file /etc/pam.d/su:

    auth sufficient /lib/security/pam_rootok.so debug
    auth required /lib/security/pam_wheel.so group=<root_group_name>

5. Hide the password file: in the early days, the passwords of all accounts were stored in the file /etc/passwd, a file that every user has the right to read. This is a large security gap: although the passwords are encoded, decoding them is not impossible. For that reason, Linux developers now place the encoded passwords separately in the file /etc/shadow, which only root can read, but this requires selecting "Enable the shadow password" when installing Red Hat.
6. Always keep the Linux kernel upgraded: Linux was not really designed with tight security features, and quite a few holes can be exploited by attackers. Using an operating system with an upgraded kernel is therefore very important, because once the kernel, the innermost core of the operating system, is well designed, the risk of damage falls considerably.

7. Log out of the shell automatically: system administrators, and ordinary users too, very often forget to leave the shell prompt when they finish work. It is truly dangerous if somebody can then obtain full access to the system without any effort at all. The administrator should therefore set up automatic logout from the shell when there has been no activity for a set period, by using the environment variable and assigning it a value that gives the number of seconds the system keeps the prompt. You should do this in the file /etc/profile so that it always takes effect in every session.

8. Do not allow access to the Linux startup scripts: when Linux boots, the script files placed in the directory /etc/rc.d/init.d are called and executed. So, to avoid unnecessary curiosity on the part of users, as administrator you should restrict access to these files and allow only the root account to handle them, with the following command:

    # chmod -R 700 /etc/rc.d/init.d/*

9. Limit what the shell records automatically: by default, every command executed at the shell prompt of an account is written to the file .bash_history (if the bash shell is used) in the home directory of that account. This creates countless hidden dangers, especially with applications that require the user to type password information. The administrator should therefore limit what the shell records, using the two environment variables HISTFILESIZE and HISTSIZE:
- The environment variable HISTFILESIZE sets the number of commands typed at the shell prompt that are saved for the next login.
- The environment variable HISTSIZE sets the number of commands remembered in the current session.

So we have to reduce the value of HISTSIZE and set HISTFILESIZE to 0 in order to keep the danger to a minimum. You do this by changing the values of the two variables above in the file /etc/profile as follows:

    HISTFILESIZE=0
    HISTSIZE=xx

Here xx is the number of commands the shell will remember, and at the same time no command typed by the user is saved when the user leaves the shell.

10. Turn off SUID/SGID programs: normally, programs run with the rights of the account that starts the application. That is how it is under Windows, but Unix/Linux uses a special technique that lets some programs run with the rights of the program's owner rather than of the person who starts the program. This is exactly why every user on the system can change their own password without having any access to the file /etc/shadow: the passwd command has the SUID attribute and is owned by root, and root is the only user with access to /etc/shadow.

This advanced capability can, however, create fairly complex risks: if an executable program owned by root, either through poor design or because it was installed deliberately by an intruder, has the SUID attribute set, then every kind of disaster can happen. Practice shows that quite a lot of techniques for compromising a system without having root rights rely on this: the intruder somehow creates a shell that is owned by root and has the SUID attribute, and from then on all malicious access goes through that shell, because every command executed in the shell runs as if with root rights.

The SGID attribute is similar to SUID: programs run with the rights of the group that owns the program, not of the group of the person who runs it. The administrator therefore has to check the system regularly for applications that have the SUID or SGID attribute without root's approval. If you find a file with an unexpected SUID/SGID attribute, you can remove the attribute with the command:

    # chmod a-s <file>
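The regular SUID/SGID check described above can be automated. The following is an added example, not code from the original thesis: it walks a directory tree, lists regular files that carry the SUID or SGID bit, and reports those missing from an administrator-approved baseline. The file names, the baseline and the temporary demo tree are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile


def find_setid_files(root):
    """Return sorted (path, kind, owner_uid) for regular files with SUID/SGID set."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # file vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = []
            if st.st_mode & stat.S_ISUID:
                bits.append("SUID")
            if st.st_mode & stat.S_ISGID:
                bits.append("SGID")
            if bits:
                found.append((path, "+".join(bits), st.st_uid))
    return sorted(found)


def unexpected(found, baseline):
    """Entries whose path is not in the approved baseline (a set of paths)."""
    return [entry for entry in found if entry[0] not in baseline]


def build_demo_tree():
    """Create a constructed directory with a few set-id and ordinary files."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    samples = (("passwd", 0o4755), ("wall", 0o2755),
               ("ls", 0o755), ("dropped_shell", 0o4755))
    for name, mode in samples:
        path = os.path.join(root, name)
        with open(path, "w") as handle:
            handle.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


def demo_report():
    """Run the audit on the demo tree; return (set-id names, unexpected names)."""
    root = build_demo_tree()
    try:
        found = find_setid_files(root)
        # Hypothetical baseline: the files the administrator has approved.
        baseline = {os.path.join(root, "passwd"), os.path.join(root, "wall")}
        extra = unexpected(found, baseline)
        return ([os.path.basename(p) for p, _, _ in found],
                [os.path.basename(p) for p, _, _ in extra])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    all_setid, not_approved = demo_report()
    print("set-id files:", all_setid)
    print("not in baseline:", not_approved)
```

On a real host, point `find_setid_files` at `/` as root and keep the baseline under change control, so that a new entry stands out.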

III. Linux Firewall

System security is always a matter of survival for a computer network, and the firewall is an essential component in ensuring it. A firewall is a set of rules, applications and policies that lets users access network services while the internal network stays safe from attackers on the Internet or on other networks. There are two basic firewall architectures: the proxy/application firewall and the filtering gateway firewall. Most modern firewall systems are a hybrid of the two.

Many companies and Internet service providers use Linux servers as an Internet gateway. These servers usually act as mail, web, ftp or dial-up servers. In addition, they often act as firewalls, enforcing the control policies between the Internet and the company network. Its flexibility makes Linux attractive as a replacement for commercial operating systems.

The standard firewall functionality provided in the Linux kernel is built from two components: ipchains and IP Masquerading.

Linux IP Firewalling Chains is an IP packet filtering mechanism. The features of IP Chains make it easy to configure a Linux server as a filtering gateway/firewall. Another important component in the kernel is IP Masquerading, a network address translation (NAT) feature that can hide the real IP addresses of the internal network. To use ipchains, you need to set up a set of rules that define which connections are allowed and which are forbidden.

Ipchains rules perform the following functions:

Accept: The packet is okay; allow it to pass to the appropriate chain.

Deny: The packet is not okay; silently drop it in the bit bucket.

Reject: The packet is not okay; but inform the sender of this fact via an ICMP packet.

Masq: Used for IP masquerading (network address translation).

Redirect: Send this packet to someone else for processing.

Return: Terminate the rule list.

Note: the ipfw packages (ipfilters/iptable) under the BSD operating systems provide functionality similar to ipchains.

Example:

    # Allow web connections to your Web server
    # (-p tcp is required when ports are given; client port >= 1024, server port www)
    /sbin/ipchains -A your_chains_rules -p tcp -s 0.0.0.0/0 1024: -d 192.16.0.100 www -j ACCEPT
    # Allow connections from the inside to Web servers outside
    /sbin/ipchains -A your_chains_rules -p tcp -s 192.168.0.0/24 1024: -d 0.0.0.0/0 www -j ACCEPT
    # Refuse access to all other services (a policy can only be set on a built-in chain)
    /sbin/ipchains -P input DENY

You can also use commercial firewall products such as Check Point FireWall-1, Phoenix Adaptive Firewall, Gateway Guardian, XSentry Firewall, Raptor, ... or one of the many free, open-source ones for Linux such as T.Rex Firewall, Dante, SINUS, TIS Firewall Toolkit, ...
1. USING SCANNING TOOLS TO SURVEY THE SYSTEM

Breaking into any system requires preparation. A hacker has to identify the target machine and find out which ports are open before the system can be compromised. This is usually done with scanning tools, the main technique for finding target machines and the ports that are open on them. Scanning is the first step a hacker takes before carrying out an attack. Using scanning tools such as Nmap, a hacker can sweep across networks to find target machines that can be attacked. Once those machines have been identified, the intruder can scan for listening ports. Nmap also uses several techniques that identify fairly accurately the type of machine being examined.

By using the very tools that hackers commonly use, a system administrator can look at the system from the hacker's point of view, which helps to strengthen its security. There are many scanning tools that can be used, such as Nmap, strobe, sscan, SATAN, ...

Nmap

The name stands for "Network exploration tool and security scanner". It is a leading scanning program, extremely fast and extremely powerful. It can scan wide-area networks and is particularly good on a single network. NMAP lets you see which services are running on a server (services/ports: web server, ftp server, pop3, ...), which operating system the server uses, the kind of firewall the server uses, ... and has many other features. In general NMAP supports most scanning techniques, such as ICMP (ping sweep), IP protocol, Null scan, TCP SYN (half open), ... NMAP is regarded as the leading tool of hackers as well as of network administrators around the world.

Security scanning: Nmap is one of the most widely used security scanning tools available. Nmap is a port scanner that is run against the hosts and other parts of your network. It can generate many kinds of packets that probe the TCP/IP stacks on your systems. Nmap can produce a list of the open service ports on your system, penetrate firewalls, and report on intrusive, untrusted services running on your hosts. Nmap is available at: http://www.insecure.org.

Below is an example of using Nmap:

    # nmap -sS -O 192.168.1.200
    Starting nmap V. 2.54 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on comet (192.168.1.200):
    Port    State    Protocol    Service
    7       open     tcp         echo
    19      open     tcp         chargen
    21      open     tcp         ftp
    ...
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=17818 (Worthy challenge)
    Remote operating system guess: Linux 2.2.13
    Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

However, using these tools is no substitute for a knowledgeable administrator. Because scanning often foreshadows an attack, sites should give priority to watching for it. With scanning tools, network administrators can discover what hackers would see when they probe the system.
2. DETECTING INTRUSION OVER THE NETWORK

If your system is connected to the Internet, you can become a target for scans looking for security holes. Whether or not your system logs this, that alone is still not enough to identify and detect the scanning. Another concern is denial-of-service (DoS) attacks: how to prevent, detect and respond to them if you do not want your system to grind to a halt.

A Network Intrusion Detection System (NIDS) monitors the traffic on the network and detects whether a hacker is trying to break into the system (or to launch a DoS attack). A typical example is a system that watches for a large number of TCP connection requests to many ports on one machine, and can thereby detect that someone is attempting a TCP port scan. A NIDS can run on the machine to be monitored, or on a separate machine that monitors all the traffic on the network.

Tools can be combined to build a network intrusion detection system. For example, tcpwrapper can be used to control and log the registered services. System log analysers such as swatch can be used to identify scanning activity on the system. Most important of all are the tools that can analyse network traffic to detect DoS attacks or information theft, such as tcpdump, ethereal, ngrep, NFR (Network Flight Recorder), PortSentry, Sentinel, Snort, ...

When implementing a network intrusion detection system, you need to pay attention to the performance of the system as well as to the policies that safeguard privacy.
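The typical NIDS check described above, many TCP connection requests to different ports on one machine, can be sketched as a sliding-window counter. This is an added example, not code from the original thesis or from any of the tools named; the log format, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<date> <time> SYN src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SYN "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def detect_port_scans(lines, window_seconds=10, port_threshold=5):
    """Flag (src, dst) pairs that touch >= port_threshold distinct ports
    within window_seconds. Returns a list of (src, dst, sorted_ports),
    one entry per pair, in the order the alerts fired."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # (src, dst) -> deque of (timestamp, dport)
    alerted = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                 # ignore lines in any other format
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        key = (m.group("src"), m.group("dst"))
        events = recent[key]
        events.append((ts, int(m.group("dport"))))
        # Drop events that have slid out of the time window.
        while events and ts - events[0][0] > window:
            events.popleft()
        ports = {port for _, port in events}
        if len(ports) >= port_threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], sorted(ports)))
    return alerts


# Constructed sample: 10.0.0.9 is an ordinary web client, 10.0.0.5 sweeps
# ports quickly, 10.0.0.7 touches five ports but 30 seconds apart.
SAMPLE_LOG = """\
2001-05-14 10:00:00 SYN src=10.0.0.9 dst=192.168.1.200 dport=80
2001-05-14 10:00:01 SYN src=10.0.0.5 dst=192.168.1.200 dport=7
2001-05-14 10:00:01 SYN src=10.0.0.5 dst=192.168.1.200 dport=19
2001-05-14 10:00:02 SYN src=10.0.0.9 dst=192.168.1.200 dport=80
2001-05-14 10:00:02 SYN src=10.0.0.5 dst=192.168.1.200 dport=21
2001-05-14 10:00:02 SYN src=10.0.0.5 dst=192.168.1.200 dport=22
2001-05-14 10:00:03 SYN src=10.0.0.5 dst=192.168.1.200 dport=23
2001-05-14 10:00:03 SYN src=10.0.0.5 dst=192.168.1.200 dport=25
2001-05-14 10:00:05 SYN src=10.0.0.7 dst=192.168.1.200 dport=25
2001-05-14 10:00:35 SYN src=10.0.0.7 dst=192.168.1.200 dport=110
2001-05-14 10:01:05 SYN src=10.0.0.7 dst=192.168.1.200 dport=80
2001-05-14 10:01:35 SYN src=10.0.0.7 dst=192.168.1.200 dport=22
2001-05-14 10:02:05 SYN src=10.0.0.7 dst=192.168.1.200 dport=21
""".splitlines()

if __name__ == "__main__":
    for src, dst, ports in detect_port_scans(SAMPLE_LOG):
        print("possible scan: %s -> %s ports %s" % (src, dst, ports))
```

With the default 10-second window only the fast sweep is reported; widening the window to 300 seconds also catches the slow one, at the cost of keeping more state per address pair.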
3. TESTING VULNERABILITY TO INTRUSION

Testing vulnerability to intrusion means identifying and ranking the security holes in a system by using a number of testing tools. Many testing tools can also exploit some of the holes they find, in order to show how an unauthorized break-in would be carried out. For example, a buffer overflow in a program that provides the FTP service can lead to a break-in with "root" rights. If the network administrator knows how to test for vulnerability to intrusion before it happens, they can take steps to raise the security level of the network.

There are many network tools that you can use for testing vulnerability to intrusion. Most tests use at least one tool that analyses security holes automatically. These tools probe the system to identify the services present. The information obtained from these services is compared with a database of security holes that have been found before.

The tools commonly used for this kind of test are ISS Scanner, Cybercop, Retina, Nessus, cgiscan, CIS, ...

Testing vulnerability to intrusion should be carried out carefully, by people who are responsible for it. Lack of knowledge and incorrect use can lead to serious consequences that cannot be foreseen.
4. RESPONDING WHEN YOUR SYSTEM IS ATTACKED

Recently, a series of attacks aimed at the sites of large companies such as Yahoo!, Buy.com, E-Bay, Amazon and CNN Interactive caused extremely serious damage. These were denial-of-service attacks, designed to stop a computer network or a website from operating by continuously sending large amounts of data to the target until the attacked system stops working. This is like hundreds of people calling one telephone number without pause, so that the line is always busy.

Although it is impossible to avoid every danger from attacks, we recommend some steps to follow when you discover that your system is under attack. We also describe some ways to help you ensure the effectiveness of your security system, and the steps you should take to reduce risk and be able to respond to attacks.

If you discover that your system is being attacked, stay calm. These are the steps you should take:

• Assemble a team to respond to the attack:
  o The team must include experienced staff, people who can help draw up an action plan for responding to the attack.
• Following the company's security policy and procedures, take the appropriate steps when notifying people or organizations about the attack.
• Seek help from your Internet service provider and from the agency responsible for computer security:
  o Contact your Internet service provider to report the attack. Your Internet service provider may be able to stop the attack.
  o Contact the agency responsible for computer security to report the attack.
• Temporarily use another means of communication (for example the telephone) when exchanging information, to make sure the intruder cannot intercept and obtain it.
• Record all of your actions (for example telephone calls, file changes, ...).
• Monitor important systems during the attack with intrusion detection software or services. This can help to mitigate the attack and also to tell signs of a real attack from mere harassment intended to divert your attention (for example, a DoS attack meant to distract you while the real attack is an attempt to break into your system). Copy all the files that the intruder left behind or changed (such as program code, log files, ...).
• Contact the authorities to report the attack.

Steps you should take to reduce risk and respond to attacks in the future:
o Build and empower a team to respond to attacks
o Carry out security audits and assess the level of risk of the system
o Install appropriate system security software to reduce risk
o Improve your own skills in computer security

Checks that help you ensure the effectiveness of your security system:
o Check a newly installed security system: to make sure that the existing security policy and the standard configuration of the system are correct.
o Regular automatic checks: to discover "visits" by hackers or improper actions by company staff.
o Random checks: to verify the security policy and standards, or to check for the presence of holes that have already been discovered (for example, flaws announced by the software vendor).
o Nightly checks of important files: to assess the integrity of important files and databases.
o Checks of user accounts: to detect accounts that are unused, no longer exist, ...
o Periodic checks to determine the current state of your security system.

Setting up an iptables firewall for Linux

Configuring the tables

Installing iptables is part of the initial Red Hat installation. The startup script looks for the iptables rules file /etc/sysconfig/iptables, and if it exists, iptables starts with the configuration specified there. Since this server sends and receives mail, the iptables configuration should allow incoming connections to sendmail from anywhere. System administrators will use ssh only from internal machines, specifically MIS. The iptables rules will be set to allow ssh connections from the 2 MIS. ICMP ping will be allowed from anywhere. No other port will accept connections to this server. This is an additional level of defence for the server in case the firewall is compromised. In addition, protection for ssh will be provided by the TCP wrappers configuration below.

The rules that implement this iptables configuration are as follows:

    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # (1)
    /sbin/iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT                  # (2)
    /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT                      # (3)
    /sbin/iptables -A INPUT -p tcp --dport 22 -s 10.100.200.0/24 -j ACCEPT   # (4)
    /sbin/iptables -A INPUT -p tcp --dport 22 -s 10.100.201.0/24 -j ACCEPT   # (5)
    /sbin/iptables -A INPUT -p udp --sport 53 -s 10.100.50.50 -j ACCEPT      # (6)
    /sbin/iptables -A INPUT -p udp --sport 53 -s 10.100.42.42 -j ACCEPT      # (7)
    /sbin/iptables -A INPUT -j LOG                                           # (8)
    /sbin/iptables -P INPUT DROP                                             # (9)

(1) Allow related and established connections to the server.
(2) Allow other hosts to ping the sendmail server.
(3) Allow SMTP connections to the server.
(4), (5) Allow ssh connections from the 2 MIS (subnets).
(6), (7) Allow the DNS name servers for the sendmail box to provide DNS resolution. If you have further DNS servers for your domain, add one line for each of them.
(8) Log any connection attempt that is not specifically allowed.
(9) Set the default policy for the INPUT chain to DROP.

All connections that are not specifically allowed are dropped. The logsentry program will be configured to treat any such logged line as a security violation. To keep the configuration across reboots, we have to run iptables-save. Run the command as follows:

    /sbin/iptables-save > /etc/sysconfig/iptables

When the system boots, the iptables file is read and the configuration takes effect.
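To check how the nine rules above treat a given packet before loading them, the first-match logic can be modelled offline. This is an added example, not code from the original thesis and not part of iptables: it parses only the options used in this rule set, and the packet dictionaries are constructed test inputs.

```python
import ipaddress
import shlex

# The page's rule set, one line per rule; line numbers match (1)..(9).
RULES = """\
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.100.200.0/24 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.100.201.0/24 -j ACCEPT
-A INPUT -p udp --sport 53 -s 10.100.50.50 -j ACCEPT
-A INPUT -p udp --sport 53 -s 10.100.42.42 -j ACCEPT
-A INPUT -j LOG
-P INPUT DROP
"""


def parse_ruleset(text):
    """Return (rules, policy). Each rule: {'number', 'match', 'target'}."""
    rules, policy = [], "ACCEPT"
    for number, line in enumerate(text.splitlines(), start=1):
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "-P":            # "-P INPUT DROP": chain policy
            policy = tokens[2]
            continue
        rule = {"number": number, "match": {}, "target": None}
        # Skip "-A INPUT"; every remaining option here takes one argument.
        for opt, val in zip(tokens[2::2], tokens[3::2]):
            if opt == "-j":
                rule["target"] = val
            elif opt != "-m":            # "-m state" only loads the module
                rule["match"][opt] = val
        rules.append(rule)
    return rules, policy


def rule_matches(match, pkt):
    """True if every condition of the rule holds for the packet dict."""
    for opt, val in match.items():
        if opt == "--state" and pkt.get("state") not in val.split(","):
            return False
        if opt == "-p" and pkt.get("proto") != val:
            return False
        if opt == "--icmp-type" and pkt.get("icmp_type") != int(val):
            return False
        if opt == "--dport" and pkt.get("dport") != int(val):
            return False
        if opt == "--sport" and pkt.get("sport") != int(val):
            return False
        if opt == "-s":
            src = ipaddress.ip_address(pkt["src"])
            if src not in ipaddress.ip_network(val):
                return False
    return True


def evaluate(rules, policy, pkt):
    """Return (verdict, rule_number_or_None, logged) using first-match order."""
    logged = False
    for rule in rules:
        if rule_matches(rule["match"], pkt):
            if rule["target"] == "LOG":  # LOG records and continues
                logged = True
                continue
            return rule["target"], rule["number"], logged
    return policy, None, logged          # nothing matched: chain policy


def verdict(pkt):
    """Convenience wrapper around the page's rule set."""
    rules, policy = parse_ruleset(RULES)
    return evaluate(rules, policy, pkt)


if __name__ == "__main__":
    ssh_inside = {"proto": "tcp", "src": "10.100.200.17", "dport": 22, "state": "NEW"}
    ssh_outside = {"proto": "tcp", "src": "192.0.2.10", "dport": 22, "state": "NEW"}
    print(verdict(ssh_inside))
    print(verdict(ssh_outside))
```

Note that rules (6) and (7) match only on source address and source port, so the model shows them accepting a UDP packet with source port 53 to any local port; adding a destination-port or state condition would narrow them.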
Iptables is a very powerful packet-filtering firewall application that is free and available on Linux. Netfilter/iptables consists of 2 parts: Netfilter, inside the Linux kernel, and iptables, outside the kernel. Iptables is responsible for the communication between the user and Netfilter, pushing the user's rules into Netfilter for processing. Netfilter filters packets at the IP level. Netfilter works directly in the kernel, is fast and does not slow the system down.

Dynamic IP address translation (dynamic NAT)
Before getting to the main part, I need to introduce dynamic NAT and IP Masquerade. These two terms are used a great deal with Iptables, so you have to know them. If you already know dynamic NAT and Masquerade, you can skip this part.
Dynamic NAT is one of the NAT (Network Address Translation) techniques for translating IP addresses. Internal IP addresses are translated to NAT IP addresses as follows:

The NAT router translates the internal IP range 169.168.0.x to the new IP range 203.162.2.x. When a packet with source IP 192.168.0.200 reaches the router, the router changes the source IP to 203.162.2.200 and only then sends it out. This process is called SNAT (Source NAT). The router stores this data in a table called the dynamic NAT table. Conversely, when a packet arrives from outside with destination IP 203.162.2.200, the router consults the current dynamic NAT table and changes the destination address 203.162.2.200 to the new destination address 192.168.0.200. This process is called DNAT (Destination NAT). Communication between 192.168.0.200 and 203.162.2.200 is completely transparent through the NAT router. The NAT router forwards packets from 192.168.0.200 to 203.162.2.200 and back.

IP masquerading (masquerade)
This is another NAT technique.

The NAT router translates the internal IP range 192.168.0.x to the single IP 203.162.2.4 by using different port numbers. For example, when an IP packet with source 192.168.0.168:1204 and destination 211.200.51.15:80 reaches the router, the router changes the source to 203.162.2.4:26314 and stores this data in a table called the dynamic masquerade table. When a packet arrives from outside with source 221.200.51.15:80 and destination 203.162.2.4:26314, the router consults the current dynamic masquerade table and changes the destination from 203.162.2.4:26314 to 192.168.0.164:1204. Communication between machines on the LAN and machines outside is completely transparent through the router.

Structure of Iptables
Iptables is divided into 4 tables: the filter table, used to filter packets; the nat table, used to handle packets subject to source NAT or destination NAT; the mangle table, used to change parameters in IP packets; and the conntrack table, used to track connections. Each table consists of several chains. A chain consists of several rules that act on packets. A rule can be ACCEPT (accept the packet), DROP (drop the packet), REJECT (reject the packet) or a reference to another chain.

How a packet travels through Netfilter
A packet travels over the cable and then enters the network card (eth0, for example). The packet first passes through the PREROUTING chain (before routing). Here its parameters can be changed (mangle) or its destination IP address can be rewritten (DNAT). A packet addressed to the machine itself then passes through the INPUT chain, where it can be accepted or discarded. Next the packet is handed to the applications (client/server) for processing, and after that it goes out through the OUTPUT chain. In the OUTPUT chain the packet's parameters can be changed and it is filtered: allowed out or discarded. A packet that is forwarded through the machine passes through the FORWARD chain after leaving PREROUTING. In the FORWARD chain it is likewise filtered with ACCEPT or DENY. After the FORWARD chain or the OUTPUT chain, the packet reaches the POSTROUTING chain (after routing). In the POSTROUTING chain the packet's source IP address can be rewritten (SNAT) or masqueraded (MASQUERADE). Once the packet leaves the network card it goes onto the cable and on to another computer on the network.


Common Iptables command-line parameters
1. Getting help
To get help on Iptables, type $ man iptables or $ iptables --help. For example, if you need to know the options of the limit match, type $ iptables -m limit --help.
2. Options that specify parameters
- specify the table name: -t <table_name>, e.g. -t filter, -t nat, ... If no table is specified, the default is filter
- specify the protocol: -p <protocol_name>, e.g. -p tcp, -p udp, or -p ! udp to specify every protocol other than udp
- specify the incoming network card: -i <incoming_interface>, e.g. -i eth0, -i lo
- specify the outgoing network card: -o <outgoing_interface>, e.g. -o eth0, -o ppp0
- specify the source IP address: -s <source_ip_address>, e.g. -s 192.168.0.0/24 (network 192.168.0 with a 24-bit network mask). For a range such as 192.168.0.1-192.168.0.3 (the IPs 192.168.0.1, 192.168.0.2, 192.168.0.3), use the iprange match: -m iprange --src-range 192.168.0.1-192.168.0.3.
- specify the destination IP address: -d <destination_ip_address>, used in the same way as -s
- specify the source port: --sport <source_port>, e.g. --sport 21 (port 21), --sport 22:88 (ports 22..88), --sport :80 (ports <=80), --sport 22: (ports >=22)
- specify the destination port: --dport <destination_port>, used in the same way as --sport
3. Options that operate on chains
- create a new chain: iptables -N <chain_name>
- delete a user-created chain: iptables -X <chain_name>
- set the policy of the `built-in` chains (INPUT, OUTPUT & FORWARD): iptables -P <built-in_chain_name> <policy_name (DROP or ACCEPT)>, e.g. iptables -P INPUT ACCEPT to accept packets entering the INPUT chain
- list the rules in a chain: iptables -L <chain_name>
- delete the rules in a chain (flush chain): iptables -F <chain_name>
- reset the packet counters to 0: iptables -Z <chain_name>
4. Options that operate on rules
- add a rule: -A (append)
- delete a rule: -D (delete)
- replace a rule: -R (replace)
- insert a rule: -I (insert)
I give examples that illustrate these options in the parts that follow.

Distinguishing ACCEPT, DROP and REJECT
- ACCEPT: accept the packet
- DROP: drop the packet (no reply is sent to the client)
- REJECT: reject the packet (the client is answered with another packet)
Example:
# iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
accepts packets to port 80 on network card eth0.

# iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP
drops packets to port 23 over TCP on network card eth0.
# iptables -A INPUT -i eth1 -p tcp -m iprange ! --src-range 10.0.0.1-10.0.0.5 --dport 22 -j REJECT --reject-with tcp-reset
sends a TCP packet with the RST=1 flag to connections on port 22, network card eth1, that do not come from the IP address range 10.0.0.1..5.
# iptables -A INPUT -p udp --dport 139 -j REJECT --reject-with icmp-port-unreachable
sends an ICMP `port-unreachable` packet to connections to port 139 over UDP.

Distinguishing NEW, ESTABLISHED and RELATED
- NEW: opens a new connection
- ESTABLISHED: the connection has been established
- RELATED: opens a new connection within an existing connection
Example:
# iptables -P INPUT DROP
sets the policy of the INPUT chain to DROP.
# iptables -A INPUT -p tcp --syn -m state --state NEW -j ACCEPT
accepts only TCP packets that open a connection and have the SYN=1 flag set.
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
does not close connections that are already established, and also allows new connections to be opened within an established connection.
# iptables -A INPUT -p tcp -j DROP
all remaining TCP packets are DROPped.

The --limit and --limit-burst options
--limit-burst: the peak level, measured in packets
--limit: the rate once the peak has been reached, measured in packets per s (second), m (minute), h (hour) or d (day)
Let me take a concrete example to make this easier to understand:
# iptables -N test
# iptables -A test -m limit --limit-burst 5 --limit 2/m -j RETURN
# iptables -A test -j DROP
# iptables -A INPUT -i lo -p icmp --icmp-type echo-request -j test
First, the command iptables -N test creates a new chain named test (the default table is filter). The option -A test (append) adds a new rule to the chain test. For the chain test, I set limit-burst to 5 packets and limit to 2 packets/minute; a packet that satisfies the rule returns (RETURN), otherwise it is DROPped. I then attach the chain test to the INPUT chain with the incoming network card lo, protocol icmp and icmp type echo-request. This rule limits PING packets to lo to 2 packets/minute once 5 packets have been reached.
Try pinging localhost and see what happens:
$ ping -c 10 localhost
Only the first 5 packets in the first minute are accepted, because they satisfy the RETURN rule. Now that the peak of 5 packets has been reached, Iptables immediately limits PING to lo to 2 packets per minute, no matter how many packets are sent to lo. If no PING packet arrives in the next minute, Iptables lowers the limit by 2 packets, that is, the rate of 2 packets/minute rises to 4 packets/minute. If no packet arrives in the minute after that, the limit drops by another 2 and returns to the original state in which the peak of 5 packets has not been reached. The process continues in this way. You only need to remember that once the peak has been reached, the rate is limited by the --limit parameter. If no packet arrives during the next unit of time, the rate rises by exactly --limit, until the state in which --limit-burst has not been reached is restored.
To see the rules in Iptables, type $ iptables -L -nv (-L lists all rules in all chains, the default table is filter, -n lists in numeric form and v shows details)
# iptables -L -nv
Chain INPUT (policy ACCEPT 10 packets, 840 bytes)
pkts bytes target prot opt in out source destination
10 840 test icmp -- lo * 0.0.0.0/0 0.0.0.0/0 icmp type 8
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15 packets, 1260 bytes)
pkts bytes target prot opt in out source destination
Chain test (1 references)
pkts bytes target prot opt in out source destination
5 420 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 2/min burst 5
5 420 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
# iptables -Z    # reset the counters
# iptables -F    # flush the rules
# iptables -X    # delete the chains that were created
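
The counters above (5 packets to RETURN, 5 to DROP) follow from a token bucket. The script below is an added example, not code from the original page: a simplified integer model of -m limit --limit 2/m --limit-burst 5 as used in the chain test; the function name limit_sim and the arrival times are constructed for illustration.

```shell
#!/bin/sh
# Added example: a simplified token-bucket model of
#   -m limit --limit RATE/m --limit-burst BURST
# It is not the kernel's code. Credits are integers: one packet costs 60
# credits and RATE credits are earned per second, i.e. RATE packets per minute.

# limit_sim RATE_PER_MIN BURST T1 T2 ...
#   T1.. are packet arrival times in whole seconds, in ascending order.
#   Prints one letter per packet: R = the limit rule matched (-j RETURN),
#   D = the packet fell through to the next rule of chain "test" (-j DROP).
limit_sim() {
    ls_rate=$1
    ls_burst=$2
    shift 2
    ls_cap=$(( ls_burst * 60 ))   # a full bucket holds BURST packets
    ls_credit=$ls_cap             # the bucket starts full
    ls_last=
    ls_out=
    for ls_t in "$@"; do
        if [ -n "$ls_last" ]; then
            # refill for the time since the previous packet, up to the cap
            ls_credit=$(( ls_credit + (ls_t - ls_last) * ls_rate ))
            if [ "$ls_credit" -gt "$ls_cap" ]; then
                ls_credit=$ls_cap
            fi
        fi
        ls_last=$ls_t
        if [ "$ls_credit" -ge 60 ]; then
            ls_credit=$(( ls_credit - 60 ))
            ls_out="${ls_out}R"
        else
            ls_out="${ls_out}D"
        fi
    done
    printf '%s\n' "$ls_out"
}

# ping -c 10 localhost: ten echo requests, one per second
limit_sim 2 5 0 1 2 3 4 5 6 7 8 9
# five pings, 30 quiet seconds (one packet's worth of credit), two more pings
limit_sim 2 5 0 1 2 3 4 34 35
# a long quiet period refills the whole burst of 5
limit_sim 2 5 0 1 2 3 4 5 160 161 162 163 164 165
```

With --limit 2/m one packet's worth of credit comes back every 30 seconds, and the bucket never holds more than --limit-burst packets.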

Port redirection
Iptables supports the -j REDIRECT option, which lets you redirect ports easily. For example, suppose SQUID is listening on port 3128/tcp. To redirect port 80 to this port 3128, do the following:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
Note: the -j REDIRECT option is available only in the PREROUTING chain.

SNAT & MASQUERADE

To create a `transparent` connection between the LAN 192.168.0.1 and the Internet, configure the Iptables firewall as follows:
# echo 1 > /proc/sys/net/ipv4/ip_forward
allows packets to be forwarded through the server on which Iptables is installed.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 210.40.2.71
changes the source IP of packets leaving network card eth0 to 210.40.2.71. When a packet comes back in from the Internet, Iptables automatically changes the destination IP 210.40.2.71 to the corresponding destination IP of the computer on the LAN 192.168.0/24.
Alternatively, you can use MASQUERADE instead of SNAT, as follows:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
(MASQUERADE is normally used when the Internet connection is ppp0 and uses a dynamic IP address)

DNAT

Suppose you place the Proxy, Mail and DNS servers in a DMZ network. To create a transparent connection from the Internet to these servers, do the following:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.3
# iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 192.168.1.4

Configuring Iptables for a Web server

In this part I work through a concrete example and only show you how to filter incoming packets. The `forward` and 'output' packets are left for you to do yourself. Suppose the Web server is connected directly to the Internet through network card eth0, with IP address 1.2.3.4. You need to configure the Iptables firewall to meet the following requirements:
- TCP port 80 (running apache) is open to everyone for web access
- port 21 (running proftpd) is open only to the webmaster (used to upload files to public_html)
- port 22 (running openssh) is open only to the admin (gives the admin a `root` shell to upgrade and patch the server when needed)
- UDP port 53 (running tinydns) serves domain names (this is only an example)
- only ICMP PING with code=0x08 is accepted; all other kinds of packet are refused.
Step 1: set the kernel parameters
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_source_route
tcp_syncookies=1 turns on Linux's syncookie protection against SYN DoS
tcp_fin_timeout=10 sets the timeout for closing a TCP connection to 10 seconds
tcp_keepalive_time=1800 sets the TCP keepalive time to 1800 seconds
...
For the other parameters, see the documentation that comes with the Linux kernel.
Step 2: load the modules Iptables needs
To use Iptables you first have to load the necessary modules. For example, if you want to use the LOG function in Iptables, you must first load the ipt_LOG module with the command # modprobe ipt_LOG.

MODULES="ip_tables iptable_filter ipt_LOG ipt_limit ipt_REJECT ipt_state"
# load each module in the list in turn
for i in $MODULES; do
    /sbin/modprobe $i
done
Step 3: the rule-setting principle is "drop first, accept later"
This is the principle you should follow. First close all ports, then gradually open the ports that are needed. This keeps you from making mistakes while setting rules for Iptables.
iptables -P INPUT DROP                                                 # drop packets first
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT       # keep current connections and accept related ones
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT                         # accept packets into loopback from IP 127.0.0.1
iptables -A INPUT -i lo -s 1.2.3.4 -j ACCEPT                           # and from 1.2.3.4
BANNED_IP="10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 224.0.0.0/4 240.0.0.0/5"
for i in $BANNED_IP; do
    # drop packets coming from the IPs in the BANNED_IP list
    iptables -A INPUT -i eth0 -s $i -j DROP
done
Step 4: filter incoming ICMP and block PING floods
The Iptables LOG output will be written to the file /var/log/firewall.log. You have to change the SYSLOG configuration as follows:
# vi /etc/syslog.conf
kern.=debug /var/log/firewall.log
# /etc/rc.d/init.d/syslogd restart
Incoming ICMP packets are pushed through the chain CHECK_PINGFLOOD to check whether a PING flood is in progress, and only then allowed in. If a PING flood is in progress, the LOG module writes log entries at the limit --limit $LOG_LIMIT and --limit-burst $LOG_LIMIT_BURST, and the flooding PING packets are all dropped.
LOG_LEVEL="debug"
LOG_LIMIT=3/m
LOG_LIMIT_BURST=1
PING_LIMIT=500/s
PING_LIMIT_BURST=100
iptables -N CHECK_PINGFLOOD    # create the chain before adding rules to it
iptables -A CHECK_PINGFLOOD -m limit --limit $PING_LIMIT --limit-burst $PING_LIMIT_BURST -j RETURN
iptables -A CHECK_PINGFLOOD -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=PINGFLOOD:warning a=DROP "
iptables -A CHECK_PINGFLOOD -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j CHECK_PINGFLOOD
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT
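Step 5: reject TCP and UDP port scans
Here you create the chain that rejects port scans in advance; we will push packets into it from the INPUT chain later. TCP packets are rejected with a TCP packet that has the RST=1 flag, and UDP packets are rejected with an ICMP `port-unreachable` packet.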

iptables -N REJECT_PORTSCAN
# log (rate-limited) and then reject anything that reaches this chain
iptables -A REJECT_PORTSCAN -p tcp -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=PORTSCAN:tcp a=REJECT "
iptables -A REJECT_PORTSCAN -p udp -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=PORTSCAN:udp a=REJECT "
iptables -A REJECT_PORTSCAN -p tcp -j REJECT --reject-with tcp-reset
iptables -A REJECT_PORTSCAN -p udp -j REJECT --reject-with icmp-port-unreachable
Step 6: detect port scans made with Nmap
iptables -N DETECT_NMAP
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=NMAP:XMAS a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=NMAP:XMAS-PSH a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL ALL -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=NMAP:XMASALL a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL FIN -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=NMAP:FIN a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=NMAP:SYN-RST a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=NMAP:SYN-FIN a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL NONE -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=NMAP:NULL a=DROP "
iptables -A DETECT_NMAP -j DROP
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DETECT_NMAP
TCP packets arriving on eth0 that open a connection but do not have SYN=1 set are passed to the chain DETECT_NMAP. These are invalid packets and are almost always port scans made with nmap, or covert channels. The chain DETECT_NMAP detects most of Nmap's scan types and logs them at the limit --limit $LOG_LIMIT and --limit-burst $LOG_LIMIT_BURST. For example, to check for an XMAS scan you use the option --tcp-flags ALL FIN,URG,PSH, which means that the 3 flags FIN, URG and PSH are set and all other flags are cleared. Packets that pass through the chain DETECT_NMAP are then all DROPped.
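
The --tcp-flags MASK COMP test used in DETECT_NMAP can be traced with a few lines of shell. This is an added example, not part of the original page: the helper names (flag_bits, tcp_flags_match, is_syn, detect_nmap) are hypothetical, the rule table is copied from the chain above in the same order, and the packet is assumed to be in conntrack state NEW.

```shell
#!/bin/sh
# Added example: which LOG rule of DETECT_NMAP fires for a given flag set.
# Flag sets are written as in iptables, e.g. "SYN,FIN"; "" means no flag set.

# flag_bits LIST -> prints the bit mask of a comma-separated flag list
flag_bits() {
    fb_sum=0
    fb_ifs=$IFS
    IFS=,
    for fb_name in $1; do
        case $fb_name in
            FIN) fb_v=1 ;;   SYN) fb_v=2 ;;   RST) fb_v=4 ;;
            PSH) fb_v=8 ;;   ACK) fb_v=16 ;;  URG) fb_v=32 ;;
            ALL) fb_v=63 ;;  NONE) fb_v=0 ;;
            *) IFS=$fb_ifs; echo "unknown flag: $fb_name" >&2; return 2 ;;
        esac
        fb_sum=$(( fb_sum | fb_v ))
    done
    IFS=$fb_ifs
    echo "$fb_sum"
}

# tcp_flags_match MASK COMP PACKET_FLAGS
#   true when, among the flags named in MASK, exactly those in COMP are set
tcp_flags_match() {
    tm_mask=$(flag_bits "$1") || return 2
    tm_comp=$(flag_bits "$2") || return 2
    tm_pkt=$(flag_bits "$3") || return 2
    [ $(( tm_pkt & tm_mask )) -eq "$tm_comp" ]
}

# is_syn PACKET_FLAGS: the --syn test, i.e. --tcp-flags SYN,RST,ACK,FIN SYN
is_syn() {
    tcp_flags_match SYN,RST,ACK,FIN SYN "$1"
}

# detect_nmap PACKET_FLAGS
#   Prints the fp= label of the first matching LOG rule, "not-entered" for a
#   plain SYN (the INPUT rule uses ! --syn), or "unlabelled" when no LOG rule
#   matches. Every packet that enters the chain ends at -j DROP either way.
detect_nmap() {
    if is_syn "$1"; then
        echo "not-entered"
        return 0
    fi
    while read -r dn_mask dn_comp dn_label; do
        if tcp_flags_match "$dn_mask" "$dn_comp" "$1"; then
            echo "$dn_label"
            return 0
        fi
    done <<'EOF'
ALL FIN,URG,PSH NMAP:XMAS
ALL SYN,RST,ACK,FIN,URG NMAP:XMAS-PSH
ALL ALL NMAP:XMASALL
ALL FIN NMAP:FIN
SYN,RST SYN,RST NMAP:SYN-RST
SYN,FIN SYN,FIN NMAP:SYN-FIN
ALL NONE NMAP:NULL
EOF
    echo "unlabelled"
}

# Constructed flag sets, one per line of output
for f in "FIN,URG,PSH" "SYN,FIN" "SYN,RST,ACK" "" "ACK" "SYN"; do
    printf '%-12s -> %s\n' "${f:-<none>}" "$(detect_nmap "$f")"
done
```

A lone ACK in state NEW enters the chain and is dropped without any log line, because none of the seven LOG rules matches it.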
Step 7: block SYN floods
A TCP packet that opens a connection with the SYN flag set to 1 is valid, but that does not rule out SYN packets being used for flooding. So here you push the remaining SYN packets through the chain CHECK_SYNFLOOD to check for a SYN flood, as follows:

# SYN_LIMIT and SYN_LIMIT_BURST must be set before these rules are loaded
iptables -N CHECK_SYNFLOOD
iptables -A CHECK_SYNFLOOD -m limit --limit $SYN_LIMIT --limit-burst $SYN_LIMIT_BURST -j RETURN
iptables -A CHECK_SYNFLOOD -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=SYNFLOOD:warning a=DROP "
iptables -A CHECK_SYNFLOOD -j DROP
iptables -A INPUT -i eth0 -p tcp --syn -j CHECK_SYNFLOOD

Step 8: restrict SSH access to the admin
SSH_IP="1.1.1.1"
iptables -N SSH_ACCEPT
iptables -A SSH_ACCEPT -m state --state NEW -j LOG --log-level $LOG_LEVEL --log-prefix "fp=SSH:admin a=ACCEPT "
iptables -A SSH_ACCEPT -j ACCEPT
iptables -N SSH_DENIED
iptables -A SSH_DENIED -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=SSH:attempt a=REJECT "
iptables -A SSH_DENIED -p tcp -j REJECT --reject-with tcp-reset
for i in $SSH_IP; do
    iptables -A INPUT -i eth0 -p tcp -s $i --dport 22 -j SSH_ACCEPT
done
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j SSH_DENIED
Step 9: restrict FTP to the web-master
FTP_IP="2.2.2.2"
iptables -N FTP_ACCEPT
iptables -A FTP_ACCEPT -m state --state NEW -j LOG --log-level $LOG_LEVEL --log-prefix "fp=FTP:webmaster a=ACCEPT "
iptables -A FTP_ACCEPT -j ACCEPT
iptables -N FTP_DENIED
iptables -A FTP_DENIED -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=FTP:attempt a=REJECT "
iptables -A FTP_DENIED -p tcp -j REJECT --reject-with tcp-reset
for i in $FTP_IP; do
    iptables -A INPUT -i eth0 -p tcp -s $i --dport 21 -j FTP_ACCEPT
done
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -j FTP_DENIED
Step 10: filter incoming TCP
iptables -N TCP_INCOMING
iptables -A TCP_INCOMING -p tcp --dport 80 -j ACCEPT
iptables -A TCP_INCOMING -p tcp -j REJECT_PORTSCAN
iptables -A INPUT -i eth0 -p tcp -j TCP_INCOMING
Step 11: filter incoming UDP and block UDP floods
# UDP_LIMIT and UDP_LIMIT_BURST must be set before these rules are loaded
iptables -N CHECK_UDPFLOOD
iptables -A CHECK_UDPFLOOD -m limit --limit $UDP_LIMIT --limit-burst $UDP_LIMIT_BURST -j RETURN
iptables -A CHECK_UDPFLOOD -m limit --limit $LOG_LIMIT --limit-burst $LOG_LIMIT_BURST -j LOG --log-level $LOG_LEVEL --log-prefix "fp=UDPFLOOD:warning a=DROP "
iptables -A CHECK_UDPFLOOD -j DROP
iptables -A INPUT -i eth0 -p udp -j CHECK_UDPFLOOD
iptables -N UDP_INCOMING
iptables -A UDP_INCOMING -p udp --dport 53 -j ACCEPT
iptables -A UDP_INCOMING -p udp -j REJECT_PORTSCAN
iptables -A INPUT -i eth0 -p udp -j UDP_INCOMING
To reduce the risk of DoS and to increase the speed of the web server, you can use load balancing as follows:

Method 1: run several web servers on different Internet IP addresses. For example, besides the current web server 1.2.3.4, you can invest in additional new web servers 1.2.3.2, 1.2.3.3, 1.2.3.4, 1.2.3.5. The weakness of this method is that it uses up many Internet IP addresses.
Method 2: place the web servers in a DMZ network. This method saves many IP addresses, but in return your Iptables gateway 1.2.3.4 - 192.168.0.254 may be loaded more heavily than before, and you have to invest in the network link from the gateway to the Internet.

You use DNAT on the gateway 1.2.3.4 to forward packets from clients to one of the web servers in the DMZ network or the LAN, as follows:
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1-192.168.0.4
IV. Building a Linux network system

Linux installation guide
1. Creating the boot disk and the boot process
The first thing to do is to create an installation floppy, which also serves as the boot disk. If your computer can boot directly from the CD-ROM, you can go on to step two; otherwise you can boot from a floppy, which you create as follows:
Step 1:
Before creating the boot disk, put the Red Hat Linux CD-ROM into the CD drive of your computer while it is running Windows. Open a Command Prompt under Windows.
C:\> d:
D:\> cd \dosutils
D:\dosutils> rawrite
Enter disk image source file name : ..\images\boot.img
Enter target diskette drive : a:
Please insert a formatted diskette into A drive; and press Enter
D:\dosutils>
The rawrite.exe program asks for the file name of the disk image: type boot.img and put a floppy into drive A. It then asks which drive to write to; type a:. You have now completed this step and have a floppy named Red Hat boot disk.
Step 2: Put the boot disk into drive A of the machine on which you want to install Red Hat Linux, start the machine, and then carry out the following steps:

- Choose the language.
- Choose the keyboard type.
- Choose the mouse type.

Installation classes and methods
Red Hat Linux 6.1 and 6.2 have 4 different installation classes:
GNOME Workstation
KDE Workstation
Server
Custom
The first 3 installation classes all simplify the installation process for you: the computer does everything automatically, and you lose a significant amount of flexibility in the configuration, which we should not give up because we will meet the details in the following steps. For this reason we should choose the Custom installation. It lets you choose which services are added and how the system is partitioned.

Disk setup
We assume that you are installing a new Linux server on a new disk with no operating system installed on it. A good partitioning strategy is to create a separate partition for each major file system. This improves security and prevents attacks by, or exploitation of, SUID programs.
Step 1:
For high performance, stability and security you should create partitions like the ones listed below on your computer. We also assume that you actually have a hard disk of 3.2GB or more to partition, and of course you choose the partition sizes according to your needs.
The partitions you must create on your system:
/boot     5MB      All kernel images are kept here.
/usr      512MB    This partition needs to be large, since all programs in binary form are installed here.
/home     1146MB   In proportion to the number of users you intend to create on this machine. For example, at 10MB/user, 114 users need 1140MB.
/chroot   256MB    If you want to install programs in a restricted (chroot) environment, DNS for example, that is, an environment in which only root has execute permission.
/cache    256MB    This is the storage partition of the proxy server (e.g. Squid).
/var      256MB    Holds the files that change while the system runs normally (e.g. the log files).
<swap>    128MB    This is the swap partition, which acts as the system's virtual memory; you should make this partition larger than or equal to the amount of RAM in your machine.
/tmp      256MB    The partition that holds temporary files.
/         256MB    Our root partition.
We can create two special partitions, /chroot and /cache. The /chroot partition can be used for the DNS server, the Apache server and other programs of the same kind as DNS and Apache. The /cache partition can be used for the Squid proxy server. If you do not intend to install the Squid proxy server, you do not need to create the /cache partition.
Putting /tmp and /home on separate partitions is a very good idea, and it is mandatory if users have shell access to the server (protection against SUID programs): it confines such programs to individual partitions and prevents users from degrading the operation of any system on the server.
Putting /var and /usr on separate partitions is also a very good idea, because isolating the /var partition keeps your root partition from filling up.
In this partition configuration we set aside 256MB of free disk space for chrooted programs such as Apache, DNS and others. This is necessary because the document root files, the binary files and the programs related to Apache will be installed in this partition if you intend to run the Apache Web server in a separate area. If you do not intend to install and use Apache on your server, you can reduce the size of this partition to about 10MB and use it only for DNS, a service that should always run in a chroot environment for security reasons.

Minimum sizes of the partitions
/         35MB
/boot     5MB
/chroot   10MB
/home     100MB
/tmp      30MB
/usr      232MB
/var      25MB
/swap     50MB

Disk Druid
Disk Druid is the program used to partition the disk for you. Choose Add to add a new partition, Edit to modify a partition, Delete to remove a partition and Reset to restore the partitions to their initial state. When you add a new partition, a window appears on the screen and your job is to choose the parameters for that partition. The parameters are:
Mount Point: the location in the file system where you want to mount your new partition.
Size (Megs): the size of the new partition in megabytes.
Partition Type: there are two, Linux native, used for the Linux filesystem, and Swap, used for the Linux swap partition.
If you have a SCSI hard disk, the device name is /dev/sda, and if you have an IDE hard disk, the name is /dev/hda. If you need an efficient and stable system, SCSI is the best choice.
The swap partition is used to support virtual memory. If your computer has 16MB of RAM or less, you must create a swap partition; even if you have a lot of memory you should still create one. The minimum size of the swap partition should be equal to or larger than the amount of RAM in your computer. The largest size that can be used for a swap partition is 1GB, so if you create a swap partition larger than 1GB, the remainder is wasted.
After you have finished creating the partitions on the hard disk, you will see the partition information on the screen, as in the list below:
Mount Point   Device   Requested   Actual   Type
/boot         sda1     5MB         5M       Linux Native
/usr          sda5     512MB       512MB    Linux Native
/home         sda6     1146MB      1146MB   Linux Native
/chroot       sda7     256MB       256M     Linux Native
/cache        sda8     256MB       256M     Linux Native
/var          sda9     256MB       256M     Linux Native
<Swap>        sda10    128MB       128M     Linux Native
/tmp          sda11    256MB       256M     Linux Native
/             sda12    256MB       256M     Linux Native

Drive   Geom[C/H/S]    Total(M)   Free(M)   Used(M)   Used(%)
Sda     [3079/64/32]   3079M      1M        3078M     99%
Note: we are using a SCSI hard disk, because the first two letters of the device name are sd.
Now that we have partitioned the disk and chosen the mount points for your directories, choose Next to continue. After the partitions have been created, the installer asks you to choose the partitions to format. Choose the partitions you want to format, tick (Check for bad blocks during format) and press Next. The installer formats the partitions and makes them available for Linux to use.
On the next screen you will see the LILO configuration, where you choose to install LILO on the boot record:
Master Boot Record (MBR)
or
First Sector of Boot Partition
If Linux is the only operating system (OS) on your computer, you should choose Master Boot Record. Next you need to configure the network and the clock on your machine. After you have finished configuring the clock, you need to set the password for root and configure authentication on your server.
When configuring Authentication, do not forget to select:
. Enable MD5 passwords
. Enable Shadow
2. Selecting individual packages
After the partitions have been defined and selected for formatting, you are ready to choose the packages for the installation. By default Linux is a very powerful operating system that can run many useful services. However, many services are unnecessary and, if included, can create holes in the security of the system.
Ideally each network service should be installed on a dedicated server. By default many Linux systems are configured to provide a wider set of services and applications than is required to provide one particular network service, so the server has to be configured to remove the network services that are not needed. Offer only the essential services on a dedicated server. Security on the server can be improved in several ways:
Other servers cannot be used to attack the host, damage it or remove the services you want.
Different people can manage different servers. By isolating the services, so that each host and service can have its own administrator, you can reduce to a minimum the possibility of conflicts between administrators.
The host can be configured to suit the requirements of each particular service better. Different servers can require different hardware and software configurations, and these configurations can lead to unnecessary damage or restrict a service.
By reducing the number of services, the number of log files and log directories is also reduced, so removing unnecessary information becomes easier.
A correct installation of the Linux server is the first step toward a stable, protected system. First you have to choose which system components you want to install. Choose the components; you can then go on to select and deselect the individual packages of each component by choosing the option (Select individual packages) on the Red Hat setup screen.
When configuring a Linux server we do not need to install a graphical interface (XFree86) on the computer. Leaving out the graphical interface means a great deal: more room for processes, more processing capacity for the CPU and memory, less security risk and fewer other inconveniences. A graphical interface is normally used only on workstations.
Choose the following package groups for your installation:
. Network Workstation
. Network Management Workstation
. Utilities
After choosing the components you want to install, you can still select and deselect packages.
Note: choosing the option (Select individual packages) before continuing is very important, so that you are able to select and deselect packages.

Individual package selection
In the installation instructions below I list the package groups available in Linux; choose a group to examine it. Besides the installation instructions, in this part I also bring some Linux security and optimization issues into the installation process. The components listed below need to be removed in the package selection window for reasons of security and optimization, as well as for some other reasons explained below.
Applications/File:              git
Applications/Internet:          finger, ftp, fwhois, ncftp, rsh, rsync, talk, telnet
Applications/Publishing:        ghostscript, ghostscript-fonts, groff-perl, mpage, pnm2ppa, rhs-printfilters
Applications/System:            arpwatch, bind-utils, rdate, rdist, screen, ucd-snmp-utils
Documentation:                  indexhtml
System Environment/Base:        chkfontpath, yp-tools
System Environment/Daemons:     XFree86-xfs, finger-server, lpr, nfs-utils, pidentd, portmap, rsh-server, rusers, rusers-server, rwall-server, rwho, talk-server, telnet-server, tftp-server, ucd-snmp, ypbind, ypserv
System Environment/Libraries:   XFree86-libs, libpng
User Interface/X:               urw-fonts
If programs like these are not installed on your server, attackers are forced to use them from outside or to try to install them on your server. In those cases you can track them down with programs such as Tripwire.
hno s dng nhng l
nh RPM
Phnnygi
it
hi
ut
ngquanvl
nhRPM,cchsdngl
nhRPM t
r
nht
hng
Li
nuxcabn
Citmtgidl
i
uRPM ,
sdngl
nh:
[root@deep/]# rpm ivh foo-1.0-2.i386.rpm
Dngl
nht
r
ncngh
acitmtgidl
i
ur
pm ct
nl
f
oo-1.0-2.i386.rpm
vicct
hnhphnsau:
Tngidl
i
u:f
oo
Version :
1.0
Release:
2
Ki
nt
r
c: i386
Loibmtgidl
i
u:t
haychi
nm t
r
nbnge.
Nngcp(
upgr
ade):Uvh
Tr
uyvn(
quer
y)
:
q
Trnh by thng tin:qi
Li
tknhngt
pt
i
nt
r
onggidl
i
u:ql
Ki
m t
r
amtRPM si
gnat
ur
egidl
i
u:
checksig
Lnhki
m t
r
achkPGPcagidl
i
ucch
nhobot

nht
on
vnvnguyngccan.
Lunsdngl
nhnyut
i
nt
r
ckhicit
gidl
i
uRPM mit
r
nht
hngcabn.
Khingvdngnhngd
chvdaemon(
st
ar
t
i
ngandst
oppi
ngdaemonser
vi
ce)
Chngt
r

nhi
ni
tcal
i
nux(
cngchi
unhkhit
ovi
ci
ukhi
nt
i
n
t
r

nh)pht
r
chvi
ckhingt
tct
i
nt
r

nhb
nht
hnghoccuquyn
chyl
ckhinght
hng.Nhngt
i
nt
r

nhnyct
hbaogm
APACHE,
NETWORK daemonvbtknhngt
i
nt
r

nhkhcyucuphichykhi
ser
verbnkhing.
Mipr
ocessnyct
pt
i
nscr
i
ptt
r
ongt
hmc

/
et
c/
r
c.
d/
i
ni
t
.
d
.Bnct
ht
hihnhnhngscr
i
ptvinhngdngl
nhsau:
Vd:
Khinght
t
pdWebser
verbngt
aydiLi
nux
:[root@deep/]#/etc/rc.d/init.d/httpd start
Starting http: [OK]
Dnght
t
pdWebser
verbngt
aydiLi
nux
:[root@deep/]#/etc/rc.d/init.d/httpd stop
Shutting down http: [OK]
Khingl
iht
t
pdWebser
verbngt
aydiLi
nux
:[root@deep/]#/etc/rc.d/init.d/httpd restart
Shutting down http: [OK]
Starting http: [OK]
Cc phnmm cnphil
oibsaukhit
i
nt
r

nhcitcaser
verhont
hnh
Mc
nhmtsgidl
i
umht
hngRedHatLi
nuxkhngchophpbn
chnt
hogsutt
i
nt
r

nhset
up.Vnguynnhnnybnphil
oibchng
khit
i
nt
r

nhcithon thnh .
Pump
kernel-pcmcia-cs kudzu
gd
mt-st
linuxconf
raidtools
pciutils
eject
getty_ps
gnupg
rmt
mailcap
isapnptools
Red Hat-logos

GVHD:
NguynTnKhi

Si
nhvi
nt
hchi
n:
LThHuynTr
ang
NguynHuyChng

t
i
:Ant
onvbomtt
r
nhi
uhnhLi
nux
Page 29
apmd

setderial

Red Hat-release

Sdngl
nhRPM nhdiyddt
hodchng.
l
nhdngt
hogphnmm l
:
[root@deep]#rpm e<software names>
y<sof
t
war
enames> l
t
ncaphnmm bnmunt
hog.
Mtschngt
r

nhdaemonnhapmd,
kudzu,
sendmai
lduchyl
ckhing
my,
t
tnht bnnndngchngt
r
ckhit
hogr
aht
hngcabn.
Dngccpr
ocessvinhngl
nh:
[root@deep/]# /etc/rc.d/apmd stop
[root@deep/]# /etc/rc.d/sendmail stop
[root@deep/]# /etc/rc.d/kudzu stop
Bygi
bnct
ht
hogchngcngccgidl
i
ukhcmtcchant
onvi
l
nhsau:
Bc1:
Xobnhnggidl
i
ucch
nh.
[root@deep /]# rpm e nodeps pump mt-st eject mailcap apmd kernel-pcmcia-cs
linuxconf getty_ps isapntools setserial kudzu raidtools gnupg Red Hat-logos Red
Hat-release gd pciutils mt
Bc2:
Xobcct
pt
i
nLi
nux.
conf
-instanlled bngt
ay:
[root@deep /] # rm f /ect/conf.linuxconf-instanlled
Chngt
r

nhhdpar
m cnchoccI
DEhar
dd
knhngkhngcnvhoSCSIhar
ddi
sk
bnphigi
l
aichngt
r

nhny,
nhngnukhngcI
DEhar
ddi
skt
hbnct
h
xokhiht
hng.
[root@deep /]# rpm e hdparm
Nhngchngt
r

nhnhkbdconf
i
g,
mouseconf
i
g,
t
i
meconf
i
g,
aut
hconf
i
g,
nt
sysvv
set
upt
oolt
heot
ht
t
hi
tl
pl
oikeyboar
d,
mouse,
t
i
me,
NI
S vshadow passwor
d
chng
tkhit
hayisaukhicitvt
hbnct
ht
hodchngkhiht
hng
,
nut
r
ongt
ngl
aibncnt
hayikeyboar
d,
mouse,
.
.
.t
hbnct
hcit
chngt
ccgidl
i
uRPM t
r
n
a CD-ROM Red Hat
Ccphnmm cphiccitsauscitcaser
ver
ct
ht
i
nbi
nd
chnhngchngt
r

nht
r
nser
vercabn.
bnphici
tnhnggidl
i
uRPM sau.
Step 1:
First we mount the CD-ROM and move to the RPMS directory on it.
Mount the CD-ROM drive and change to the RPMS directory with the following commands:
[root@deep /]# mount /dev/cdrom /mnt/cdrom/
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/
Below are the packages you need in order to compile and install software on the Linux system:
autoconf-2.13-5.noarch.rpm
m4-1.4-12.i386.rpm
automake-1.4-6.noarch.rpm
dev86-0.15.0-2.i386.rpm
bison-1.28-2.i386.rpm
byacc-1.9-12.i386.rpm
cdecl-2.5-10.i386.rpm
cpp-1.1.2-30.i386.rpm
cproto-4.6-3.i386.rpm
ctags-3.4-1.i386.rpm
egcs-1.1.2-30.i386.rpm
ElectricFence-2.1-3.i386.rpm
flex-2.5.4a-9.i386.rpm
kernel-headers-2.2.15.0.i386.rpm
glibc-devel-2.1.3-15.i386.rpm
make-3.78.1-4.i386.rpm

patch-2.5-10.i386.rpm
Step 2:
Install the required software listed above with a single RPM command.
The RPM command that installs all of the packages together is:
[root@deep RPMS]# rpm -Uvh autoconf-2.13-5.noarch.rpm m4-1.4-12.i386.rpm automake-1.4-6.noarch.rpm dev86-0.15.0-2.i386.rpm
bison-1.28-2.i386.rpm byacc-1.9-12.i386.rpm cdecl-2.5-10.i386.rpm
cpp-1.1.2-30.i386.rpm cproto-4.6-3.i386.rpm ctags-3.4-1.i386.rpm
egcs-1.1.2-30.i386.rpm ElectricFence-2.1-3.i386.rpm flex-2.5.4a-9.i386.rpm egcs-1.1.
Step 3:
You must exit the console and log in again for all the changes to take effect.
Exit the console with the command:
[root@deep /]# exit
After you have installed and compiled all the programs you need on your server, it is a good idea to remove the object files produced by compilation, the compilers, and so on: files that you no longer need on your system.
One reason is that if an attacker compromises your server, he will not be able to compile or modify binary programs. In addition, this frees a good deal of space and helps improve integrity checking of the files on the server.
When you run a server, you give it one specific job to do. You should never put all the services you want to offer on a single machine: doing so slows it down (the available resources are divided among the processes running on the server) and weakens your security (with many services running on the same machine, an attacker who breaks into that server can directly attack everything available on it).
Having several servers that each do a different job simplifies supervision and management (you know what each server is for, which services are enabled, which ports are open to clients and which are closed, and what you need to see in the log files) and gives you flexible control over each server (servers dedicated to mail, web, database, backup and so on).
3. Programs installed on your server
Step 1:
Because we chose to optimise the installation of our Linux system, this is the list of all installed programs that you will have after completing the Linux installation. This list must match exactly the contents of the install.log file in the /tmp directory. Do not forget to install all the programs listed under "Software that must be installed after the server installation" so that you can compile properly on your server.
Step 2:
After removing all the software that has to be uninstalled after the server installation, and after adding the RPM packages needed to compile programs on our server, we check the list of all installed RPM packages again.
To check the list of all packages installed on the server, use the command:
[root@deep /]# rpm -qa > intalled_rpm

The -qa option queries all RPM packages installed on the system, and the special character > writes everything that would be printed on the screen into the file intalled_rpm.
This second step makes sure that we have not forgotten to remove the unnecessary RPM packages or to add the important ones, the packages that let you compile programs on the system. If the result looks like the file below, we can be confident in this new Linux server.
The contents of the intalled_rpm file should look like this:
setup-2.1.8-1
findutils-4.1-34
flex-2.5.4a-9
filesystem-1.3.5-1
gawk-3.0.4-2
ncompress-4.2.4-15
basesystem-6.0-4
patch-2.5-10
net-tools.54-4
ldconfig-1.9.5-16
gdbm-1.8.0-3
newt-0.50.8-2
glibc-2.1.3-15
bison-1.28-2
passwd-0.64.1-1
shadow-utils-19990827-10
glib-1.2.6-3
perl-5.00503-10
mktemp-1.5-2
gmp-2.0.2-13
popt-1.5-0.48
termcap-10.2.7-9
autoconf-2.13-5
procmail-3.14-2
libtermcap-2.2.8-20
gpm-1.18.1-7
procps-2.0.6-5
bash-1.14.7-22
groff-1.15-8
psmisc-19-2
MAKEDEV-2.5.2-1
gzip-1.2.4a-2
quota-2.00pre3-2
SysVinit-2.5.2-1
inetd-0.16-4
gdb-4.18-11
anacron-2.1-6
initscripts-5.00-1
readline-2.2.2-6
chkconfig-1.1.2-1
ipchains-1.3.9-5
make-3.78.1-4
...
etcskel-2.3-1
mount-2.10f-1
glibc-devel-2.1.3-15
file-3.28-2
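The check in Step 2 can be scripted. The following is an added example, not part of the original document: it reads a listing produced by rpm -qa and reports which packages from the removal list are still installed and which build packages are missing. The function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an `rpm -qa` listing against the two package sets above.

# Packages removed after installation (hdparm is left out: IDE systems keep it).
REMOVE_SET="pump mt-st eject mailcap apmd kernel-pcmcia-cs linuxconf getty_ps
isapnptools setserial kudzu raidtools gnupg redhat-logos redhat-release gd
pciutils rmt"
# Packages added so that programs can be compiled on the server.
BUILD_SET="autoconf m4 automake dev86 bison byacc cdecl cpp cproto ctags egcs
ElectricFence flex kernel-headers glibc-devel make patch"

# pkg_names FILE: reduce name-version-release lines to bare package names.
pkg_names() {
    sed -e 's/[[:space:]]*$//' -e '/^$/d' -e 's/-[^-]*-[^-]*$//' "$1" | sort -u
}

# still_installed FILE: members of REMOVE_SET that are still present.
still_installed() {
    names=$(pkg_names "$1")
    for p in $REMOVE_SET; do
        printf '%s\n' "$names" | grep -qxF -- "$p" && printf '%s\n' "$p"
    done
    return 0
}

# missing_build FILE: members of BUILD_SET that are absent.
missing_build() {
    names=$(pkg_names "$1")
    for p in $BUILD_SET; do
        printf '%s\n' "$names" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
    return 0
}

# Constructed sample listing (not output from a real server).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
setup-2.1.8-1
kudzu-0.36-2
kernel-pcmcia-cs-2.2.14-5.0
glibc-devel-2.1.3-15
make-3.78.1-4
patch-2.5-10
EOF
echo "Still installed:"; still_installed "$SAMPLE"
echo "Missing build packages:"; missing_build "$SAMPLE"
rm -f "$SAMPLE"
```

On a real server, pass the intalled_rpm file written in Step 2; both reports should come back empty.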
4. Setting colours on your terminal
Setting a few colours on your terminal helps you tell apart directories, files, devices, links and executable files. In my view, colours help reduce mistakes and make it quicker to find your way around the system. This matters, and is needed, only for Red Hat Linux 6.1 and older versions; from Red Hat Linux 6.2 onward this feature is always enabled by default.
Edit the /etc/profile file and add the following lines:
# Enable Colour ls
eval `dircolors /etc/DIR_COLORS -b`
export LS_OPTION='-s -F -T 0 --color=yes'
Edit the /etc/bashrc file and add the line:
alias ls='ls --color=auto'
Then log out and log back in. At that point the new COLORS environment variable is set and the system will honour it.
Once again, this feature is needed only for Red Hat Linux 6.1 and older.
Keeping software up to date
We should keep all software (network software in particular) updated to the latest versions. We should check the errata pages at http://www.RedHat.com/corp/support/errata/index.html .
These pages are probably the best resource and fix nearly 90% of the common problems with Red Hat. In addition, fixes for security holes are posted within 24 hours of Red Hat being notified, so you should check this web site regularly.


Appendix

Security software

Linux sXid
SUID/SGID files can become a risk to the security and safety of the system. To reduce this risk, we previously removed the 's' bits from root-owned programs that do not need such privileges, but in the future other files may be installed with the 's' bit set without your being told.
sXid is a suid/sgid monitoring program designed to be run from cron on a regular basis. Basically it tracks any change in your s[ug]id directories and files. If anything new appears among them, or if their bits or other modes have changed, sXid automatically searches for all suid/sgid files on your server and reports them to you.
Linux Logcheck
An important task in the world of security is to check the system log files regularly. The daily workload of a system administrator often leaves no time for this, and that can lead to many problems.
As the logcheck abstract explains:
Auditing and logging the events that occur is very important! System administrators need to be aware of these events so that they can prevent the problems that are certain to arise if you have a system connected to the Internet. Unfortunately, most log files are never checked by anyone; they are usually looked at only after some incident has happened. This is where logcheck helps you.
Linux PortSentry
A firewall helps us protect the network against unauthorised intrusion from outside. With a firewall we can choose which ports we want to open and which ports we will close. This information is kept confidential by the people responsible for the firewall. Nobody outside should know it; however, hackers and spammers know several ways to attack you, and they can use a special program to scan all the ports on your server to obtain this valuable information (which ports are open and which are closed).
As explained in the PortSentry introduction:
A port scan is a sign of a larger problem heading your way. It is often the precursor to an attack and is a critical element in effectively protecting your information resources. PortSentry is a program designed to detect and respond to port scans against a target host while the scan is taking place, and it has a number of options for detecting port scans. When it finds a port scan it can react in the following ways:
- A log entry recording the incident is written via syslog().
- The target host is automatically added to /etc/hosts.deny for TCP Wrappers.
- The local host is automatically reconfigured to route all traffic for the target host to a dead host, so that the target system disappears.
GVHD:
NguynTnKhi

Si
nhvi
nt
hchi
n:
LThHuynTr
ang
NguynHuyChng

t
i
:Ant
onvbomtt
r
nhi
uhnhLi
nux
Page 33
- The local host is automatically reconfigured to drop all packets from the target host through the local packet filter.
The purpose of PortSentry is to give network administrators a tool for examining their own systems closely.
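The detect-and-respond behaviour described above, reduced to its core as an added example (this is not PortSentry's own code): it counts the distinct ports each source touched in a connection log and prints hosts.deny entries for sources over a threshold. The log format, the function names and the addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example: find sources that probed many distinct ports in a connection
# log and print TCP Wrappers deny entries for them. Log format is constructed.

# scan_sources FILE MIN_PORTS: print "address distinct-port-count" for each
# source that touched at least MIN_PORTS different destination ports.
scan_sources() {
    awk -v min="$2" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # Log fields are attacker-influenced: accept only dotted numbers
            # and numeric ports, so nothing else can reach hosts.deny.
            if (src !~ /^[0-9]+(\.[0-9]+)+$/ || dpt !~ /^[0-9]+$/) next
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' "$1" | sort
}

# deny_entries FILE MIN_PORTS: the flagged sources in /etc/hosts.deny syntax.
deny_entries() {
    scan_sources "$1" "$2" | while read -r addr count; do
        printf 'ALL: %s\n' "$addr"
    done
}

# Constructed sample: one source walks ports 21-25, another repeats port 80.
LOG=$(mktemp)
for port in 21 22 23 24 25 23; do
    echo "Jan 12 03:14:07 deep probe: SRC=203.0.113.5 DPT=$port" >> "$LOG"
done
for n in 1 2 3; do
    echo "Jan 12 03:15:0$n deep probe: SRC=198.51.100.7 DPT=80" >> "$LOG"
done
scan_sources "$LOG" 4
deny_entries "$LOG" 4
rm -f "$LOG"
```

Blocking driven by source addresses can be turned against you with spoofed packets, so review the generated entries before appending them to /etc/hosts.deny.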
Linux OpenSSH Client/Server
As illustrated in chapter 2, "Installing the Linux Server", many network services are installed, but there is no guarantee that services such as rsh, rlogin or rexec will not be compromised by techniques attackers commonly use, such as electronic eavesdropping. As a consequence, anyone with access to any computer connected to the network can listen in on the communication line and obtain your password, as well as any other private information that crosses the network in clear text. At present Telnet is a very necessary program for day-to-day administration, but it is not secure: it transmits your password in plain text over the network, where any listener can capture it, and in this way an attacker can use your account to do whatever damage he wishes. To solve this problem we look for another way, or for a program to replace it. Fortunately OpenSSH is a truly solid and secure service that can replace the old, insecure and outdated remote login programs such as telnet, rlogin, rsh, rdist and rcp.
According to the official OpenSSH README file:
Ssh (Secure Shell) is a program for logging into another computer over a network, executing commands on a remote computer, and moving files from one machine to another. It provides authentication and secures the exchange of information over insecure channels. It is also intended as a replacement for the rlogin, rsh and rdist programs.
In the configuration, we must build OpenSSH with support for tcp-wrappers (the inetd superserver) to improve the security of this already secure program and to avoid having to run its daemon permanently in the background on the server. This way the program runs only when a client connects, and the connection is set up through the TCP-WRAPPERS daemon, which verifies and authorises it before it is allowed to reach the server.
OpenSSH is a free replacement for and improvement on SSH1, with all patent-encumbered algorithms removed (moved out to external libraries), all known bugs fixed, new features introduced and many other clean-ups. You are advised to use this version of SSH (free, with its bugs fixed) instead of SSH1 (free, but buggy and outdated) or SSH2, which was originally free but has now become a commercial version. For everyone who uses SSH2 from the Datafellows company, we provide both versions in this book; we start with OpenSSH and regard it as the new SSH program that everyone will have to move to in the future.
Linux Tripwire 2.2.1
A typical Red Hat Linux Server installation handles about 30,400 files. At their busiest, system administrators cannot check the integrity of all of these files, and if an attacker gains access to your server, he can install or modify files without your easily noticing. Because of this possibility, a number of programs have been created to deal with this kind of problem.

Tripwire works at the most fundamental layer, protecting the servers and workstations that make up the corporate network. Tripwire works by first scanning a computer and creating a database of the system's files, a digital "snapshot" of the system in a known secure state. Users can configure Tripwire very precisely, specifying the individual files and directories to monitor on each machine, or creating a standard template that can be used on all the machines in the network.
Once the database has been created, a system administrator can use Tripwire to check the integrity of the system at any time. By scanning the current system and comparing that information with the data stored in the database, Tripwire detects and reports any addition, deletion or change to the system that falls outside the specified boundaries. If a change is legitimate, the administrator can update the baseline database with the new information. If malicious changes are found, the system administrator immediately knows which parts of the network components have been affected.
This version of Tripwire is a product with significant improvements over the previous Tripwire version.
Linux DNS and BIND server
Once we have installed all the necessary security software on the Linux server, it is time to improve and tune the networking part of our server. DNS is one of the most important services for exchanging information on an IP network, and for this reason all Linux client machines will be set up with caching functions at some minimum level. Installing a caching server for the local client machines reduces the load on the primary servers. A caching-only name server looks up the answer to name queries, remembers it, and hands it out whenever we need it, answering immediately without a long wait.
For security reasons, it is very important that DNS does not exist between the machines on the network and outside machines. For better security, simply use IP addresses to connect to outside machines from inside the network and vice versa.
In the installation configuration, we will run BIND/DNS as a non-root user and in a chrooted environment. We will give you three different configurations: one for a simple caching name server (client), a second for a slave (secondary server) and a third for a master name server (primary server). The first configuration, the simple caching name server, is used for servers of yours that do not act as a master or slave name server; the slave and master configurations are used for servers that act as master and slave name servers. Usually the setup consists of one server acting as master, another as slave, and the rest as simple caching client servers.


Table of contents
I. Security for transactions over the network .... 2
II. Securing the Linux server .... 7
III. Firewall .... 9
IV. Building a Linux network system .... 23
Appendix: Security software .... 31
