1. A few things to note before installing:
To run RedHat 8.0 smoothly you need a Pentium II system, 64MB of RAM or more, and a hard disk partition of about 2GB or more set aside for Linux. However, there is nothing that needs
This is very important,
and it makes configuring the system after installation much easier. During system configuration you will have to pick the correct parameters for your hardware components: the type of graphics card, the type of monitor (horizontal and vertical refresh rates), the network card, the sound card, and so on.
You need to prepare free disk space for the Linux partitions. Linux needs at least two partitions: a Linux Native (ext3) partition and a Linux swap partition. For simplicity, you can use Partition Magic to partition the disk:
One partition is Linux native ext3. About 2GB or more is needed to install Linux including KDE and Gnome, the graphics and multimedia utilities, and the programming tools. The minimum is 400MB, and a full installation is 4.5GB.
One partition is Linux swap, the exchange partition Linux uses for virtual memory. Typically, the optimal amount of virtual memory is twice the amount of RAM.
2. Starting the installation:
Boot the system from the CDROM: insert the installation CD (CD number 1) and press Enter at the boot prompt. The installer automatically detects the parameters of the keyboard, mouse, graphics card and monitor, and then enters the installation process. Through each step of the wizard you choose system settings such as the keyboard, the mouse, the language used during installation, and the system time.
a. Choosing the installation type:
www.nhipsongcongnghe.net
- Personal Desktop: for people new to Linux or for personal desktop systems. The installer selects the most essential packages for this configuration. The disk space needed for this installation type is about 1.5GB, including the graphical environment.
Be careful if you choose the option "remove all partitions on this system", because that deletes every partition on your hard disk. The option "remove all Linux partitions on this
Here, for convenience, you can use Partition Magic to partition the disk beforehand. At this stage the only work left is formatting the installation partitions. However, you can still partition the installation disk easily with Disk Druid.
One swap partition for Linux, of type Linux swap; its optimal size is twice the amount of RAM in the current system.
The buttons on the interface let you partition and format partitions. The New and Delete buttons create or delete a partition. The Edit button formats a partition: what type it is (ext3, swap, vfat), its size, and which directory it is mounted at in the filesystem hierarchy.
You can Reset the operations if the result does not satisfy you; no change is actually made until you finish working with Disk Druid.
In Linux, every hardware device is treated as a file or directory within the directory tree hierarchy. For example, if your system has two hard disks, the first is /dev/hda and the second is /dev/hdb. Within one disk the filesystems are numbered: a disk has at most 4 primary partitions, which on the first disk are hda1, hda2 and so on, while partitions belonging to the extended partition are numbered starting from 5, for example hda5, hda6.
d. Installing the boot loader
This is the program used to start Linux as well as other operating systems (dual boot) when more than one operating system is installed on the system. Grub is the default boot loader when installing RedHat 8.0. It is a very powerful and flexible program. Grub automatically detects the operating systems present on the system and adds them to the boot list. The options on the screen are fairly easy to understand.
The option "configure advanced boot loader options" lets you choose where on the hard disk grub is installed:
If you use another program to boot, such as System Commander, choose to install grub on the first sector of the boot partition. System Commander will then recognise Linux automatically and add a boot entry for it.
e. Configuring accounts:
Account configuration is used to set the root password and optionally to create additional accounts for logging in to the system once installation is complete.
The root account is the account with the highest privileges on the system. Logged in with this account you can install software, configure the system, or do anything else.
f. Notes on selecting the packages to install:
With Redhat 8.0, selecting the packages to install is very convenient because the packages are grouped. You can choose to install the packages you need right now, or install more after the installation completes.
Choose "select individual packages" to add packages that are not installed by default, for example mc (Midnight Commander, similar to NC in DOS). After making your selection
Throughout package selection you are told how much disk space the installation needs. Take care not to exceed the size of the partition you set aside for Linux while choosing. One thing to note: you should install the programming development packages, the kernel source and the programming libraries, so that later on you can conveniently recompile the kernel or build and install software and drivers for the system.
g. Configuring X
To work with the graphical interface you need to configure X Window. If you are lucky, your graphics card and monitor are in the list of hardware supported by Linux. If not, the sure way to get the graphics card working is to choose the vesa type. For the monitor, Linux will detect it for you, or you configure the refresh rates by hand. This is
If you do not need Linux to detect and configure it for you, you can open the file
After pressing the test button to check that the system runs correctly in graphical mode, if everything goes smoothly, congratulations: you have completed the Linux installation.
Note on graphics cards
Although Linux correctly recognises and supports many graphics cards manufactured in the last 2 years, after configuration the card still runs on the PCI bus even if yours is an AGP card, and you still cannot take advantage of its advanced 3D functions. The reason is that the component manufacturers, citing secrecy and copyright, have not supported the Linux developers. However, many hardware manufacturers have now begun providing drivers for their components on Linux systems. For example, for Nvidia you can download its driver from www.nvidia.com or ftp://download.nvidia.com/XFree86_40/1.0-3123. After you install the driver, 3D games run with graphics as smooth as on MS Windows.
Vietnamese on X Window
There are 2 ways to install Unicode fonts for X Window: 1. Using ttmkfdir (the old way) 2. Using fontconfig (the new way, for Mandrake-9.0 and RedHat-8.0)
1. Using ttmkfdir
c. Create the font list with the command: cd utf8 && ttmkfdir > fonts.scale && mkfontdir
2. Using fontconfig
a. Put utf8.tar.gz into /usr/share/fonts and unpack it with the command: cp utf8.tar.gz /usr/share/fonts && cd /usr/share/fonts && tar xvzf utf8.tar.gz
Example:
cd ~
cp arialuni.ttf ~/.fonts
Normally, if you browse the web with Mozilla you do not need to set any font. If you use Konqueror on Red Hat 8.0 you must set the fonts in Konqueror as shown in the picture in order to view and print Vietnamese. This
More details:
. Unicode fonts: can be downloaded from http://www.vnlinux.org/fonts/utf8.tar.gz or
. mkfontdir is in the XFree86-3x (or XFree86-4x) package. Viet Unicode has many fonts: http://sourceforge.net/project/showfiles.p...lease_id=132517
In this article we introduce some measures for improving the security of a Linux system (RedHat is used for illustration).
Today Linux occupies an increasingly important place in the server environment. Linux has gradually become a potential rival to Microsoft Windows because of its stability, flexibility and capacity to handle heavy loads: these are the foremost qualities of a server system.
Good security is also one of Linux's outstanding points. However, for a Linux system to be able to withstand attacks, the administrator must also master certain skills. In this article we introduce a number of them for Linux (illustrated with RedHat, a very popular Linux distribution).
1. Remove all special accounts and groups
Remove all unnecessary accounts and groups such as lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc. (However, you need to know exactly which accounts and groups your system does not need before deleting them.)
Delete an account with the command:
# userdel <account>
For example, to remove the lp account from the system:
# userdel lp
Similarly, a group can be removed with:
# groupdel <group>
In the distant past of Unix, and of Linux too, the passwords of all accounts were stored together with the account information in the file /etc/passwd, which an attacker could exploit: although the passwords were encrypted, breaking an encrypted password is not that hard (and is feasible). Therefore the Unix and Linux developers moved the encrypted passwords into a separate file that only the root account can read: the file /etc/shadow. (When this method is used, the password field in /etc/passwd is marked with "x".)
If you are using one of the recent RedHat versions (for example 7.x) then
3. Automatic logout from the shell
System administrators often forget to leave the shell when they step away to attend to other work. I myself have many times been doing administration with the root account when some other task called me away. It is really dangerous if at that moment an attacker can easily gain access to the system at root level.
To do this for every account on the system, set the timeout period with the parameter
TMOUT=600
To set this parameter, the user assigns it a numeric value (in seconds). Note that the automatic logout only takes effect when the user is not running a program such as vi or mc; that is, the user must be working directly with the shell and not with any other program.
4. Remove unused services
The system automatically starts quite a few services, which creates many security risks. The administrator should remove the services that are not used right after installing the machine, either simply by removing the unused software/services (with RedHat's rpm package management tool) or by using the ntsysv tool to review all installed services and disable the unused ones: ntsysv lets you mark the services that start when the machine boots.
5. Do not disclose system information through telnet
The remote access service telnet can disclose information about the system, which is easy to see: every user connecting remotely to the service can read it. This makes it easy for attackers to mount attacks based on known weaknesses. To avoid it, start telnetd (the telnet server) with the -h parameter. (The -h parameter prevents telnet from disclosing the information and only prints the "Login:" prompt to remote connections.)
Recent RedHat versions no longer use inetd (they use xinetd, an upgraded version with many improvements over inetd), so the change differs depending on the RedHat version in use.
With inetd, the line
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
is changed to:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
# /etc/rc.d/init.d/inetd restart
With xinetd, add the line
server_args = -h
to the telnet service entry. The file then looks like this:
service telnet
{
    disable = yes
    flags = REUSE
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/in.telnetd
    log_on_failure += USERID
    server_args = -h
}
# /etc/rc.d/init.d/xinetd restart
6. Avoid using insecure services
Even though telnet has been prevented from disclosing information, the way it transmits passwords remains a danger. With services such as telnet (and anonymous ftp) and similar services, any attacker can easily "catch" your password with eavesdropping tools such as a sniffer.
Wherever possible, use the ssh service in place of telnet and ftp: ssh is a secure service based on public-key encryption and is bundled with most recent Linux versions. For example, RedHat versions from 7.0 onwards install OpenSSH by default, an open-source product whose website is www.openssh.org.
We also advise against the "r" services such as rsh, rcp and rlogin. The reason is that, besides transmitting the password, these services rely on the address of the machine accessing the service.
7. Forbid use of the root account from consoles
You can specify which consoles root is allowed to log in from, listing only the "physical" consoles (those reachable only when sitting directly at the server) and not those reached over the network. The ftp service is also restricted for root over such connections.
In Linux, the su (Substitute User) command lets a user switch to another account. If you do not want just anybody to "su" to root, add the following two lines to the file /etc/pam.d/su
This way only the users registered as members of the wheel group can "su" to root. To grant a user this right, the administrator
9. Limit the command history
Normally, all commands executed at the shell prompt of an account are recorded in the history file. The HISTSIZE environment variable determines the number of commands kept in memory; HISTFILESIZE determines the number of commands saved to the file. To minimise the risk, set
HISTFILESIZE=0 HISTSIZE=20
so that only the 20 most recent commands are kept and nothing is written to the history file.
temporarily unnecessary, the administrator should restrict
11. Remove unused SUID/SGID attributes
Normally, programs with the SUID attribute run with the privileges of the file's owner (not of the user executing them). That is exactly why every user in the system can, through passwd, write to the file /etc/shadow: the passwd command carries the SUID attribute and is owned by root, and only root has access to /etc/shadow.
However, this capability can create latent risks: if such a program has a flaw, or an attacker abuses it, commands can be executed with root's privileges.
The administrator should therefore check the SUID/SGID files on the system. All of them can be found with the find command as follows:
If you discover a file with an unnecessary SUID/SGID attribute, you can remove the attribute with the command:
# chmod a-s <file>
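The audit described above, as an added example that is not part of the original article: a find-based scan for SUID/SGID files under a directory tree, compared against a saved baseline so that files that have newly acquired the bits stand out, followed by the chmod a-s removal. The directory tree, file names and baseline are constructed for the demonstration; on a real system the scan would start at / and the baseline would be taken right after installation.

```sh
#!/bin/sh
# Added example, not from the original article: the SUID/SGID audit the text
# describes, done with find over a directory tree and compared against a saved
# baseline so that newly appeared setid files stand out. The directory tree,
# file names and baseline below are constructed for the demonstration.

# List regular files under $1 carrying the SUID (4000) or SGID (2000) bit, sorted.
list_setid_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Print paths present in the current scan file $1 but absent from the baseline file $2.
new_setid_files() {
  comm -13 "$2" "$1"
}

# Remove both setid bits from file $1, as the article's "chmod a-s" does.
strip_setid() {
  chmod a-s "$1"
}

# Build a constructed tree: two expected setid programs and one unexpected SUID script.
setup_demo_tree() {
  demo=$(mktemp -d)
  mkdir -p "$demo/bin" "$demo/tmp"
  printf '#!/bin/sh\necho passwd\n' > "$demo/bin/passwd";     chmod 4755 "$demo/bin/passwd"
  printf '#!/bin/sh\necho wall\n'   > "$demo/bin/wall";       chmod 2755 "$demo/bin/wall"
  printf '#!/bin/sh\necho ls\n'     > "$demo/bin/ls";         chmod 0755 "$demo/bin/ls"
  printf '#!/bin/sh\nid\n'          > "$demo/tmp/unexpected"; chmod 4755 "$demo/tmp/unexpected"
  printf '%s\n' "$demo"
}

# Number of setid files the scan finds in the constructed tree (expected: 3).
demo_setid_count() {
  demo=$(setup_demo_tree)
  n=$(list_setid_files "$demo" | wc -l | tr -d ' ')
  rm -rf "$demo"
  printf '%s\n' "$n"
}

# "<new before> <new after>": setid files missing from the baseline before the
# unexpected ones are stripped (expected 1), and after stripping (expected 0).
demo_new_count() {
  demo=$(setup_demo_tree)
  list_setid_files "$demo" > "$demo/current.txt"
  printf '%s\n%s\n' "$demo/bin/passwd" "$demo/bin/wall" | sort > "$demo/baseline.txt"
  before=$(new_setid_files "$demo/current.txt" "$demo/baseline.txt" | wc -l | tr -d ' ')
  new_setid_files "$demo/current.txt" "$demo/baseline.txt" | while IFS= read -r f; do
    strip_setid "$f"
  done
  list_setid_files "$demo" > "$demo/current.txt"
  after=$(new_setid_files "$demo/current.txt" "$demo/baseline.txt" | wc -l | tr -d ' ')
  rm -rf "$demo"
  printf '%s %s\n' "$before" "$after"
}
```

The baseline comparison is what makes the scan useful over time: a list of all setid files on a distribution is long and mostly legitimate, whereas the difference against a known-good list is short and worth reading.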
In practice, no operating system is designed with security features that are truly perfect and watertight: the system still has quite a few weak points. So applying measures such as these matters a great deal.
You can also look into hardening and extending the Linux kernel for security at www.grsecurity.net. There you can find useful information and download patches that harden your Linux system.
Securing *nix systems with PAM
1. Introduction
You have surely wondered how the system is able to understand and work with shadow passwords; why programs such as su and rlogin ask for a password; why some systems let only a certain group use su, or sudo; or why a system allows only certain users or groups of users to connect from specific hosts, with limits set for those users. All of this can be explained by PAM. PAM has many more uses than the ones I have just listed, and it includes convenient modules for the administrator to choose from.
2. PAM structure
- PAM-aware applications (login, passwd, sshd, vsftp, ...)
- The module library, stored in /lib/security (pam_chroot.so, pam_access.so, pam_rootok.so, pam_deny.so, ...)
- Configuration files, stored in /etc/security (access.conf, chroot.conf, group.conf, ...)
  + access.conf controls access permissions; used by the pam_access.so library.
  + group.conf controls user groups.
  + limits.conf sets system resource limits.
  + pam_env controls the ability to change environment variables; used by the pam_env.so library.
3. How PAM works
Terminology - The programs login, passwd, su, sudo, ... mentioned above are called privilege-granting applications.
The steps:
1. The user runs a PAM-aware application.
2. The PAM-aware application calls the PAM library to carry out authentication.
3. The PAM library uses the program's configuration file in /etc/pam.d (for example login -> configuration file /etc/pam.d/login) to determine which kind of authentication is required for that program. If there is no configuration file, the file /etc/pam.d/other is used.
4. The PAM library loads the modules required for that authentication.
5. These modules create a link to the conversation functions in the program.
6. Based on the modules, these functions put requests to the user, for example asking the user to enter a password.
7. The user enters the requested information.
8. When authentication finishes, the program responds according to the result
Listing 10-1: The /etc/pam.d/rlogin file
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_rhosts_auth.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
----MODULE TYPE
auth: performs authentication. Typically an auth module asks for a password to check, or establishes credentials such as group membership or a Kerberos ticket.
account: controls access, for example restricting users' access to the service from
The control flag that goes with each module is used to ensure that the module behaves as required:
Required: e.g. auth required /lib/security/pam_securetty.so means the pam_securetty.so module must succeed. If the module does not complete successfully, authentication fails. PAM nevertheless continues with the remaining modules, but only so that the user cannot tell at which stage the process failed.
Optional: this flag is rarely used.
----MODULE-PATH
The path to the PAM library.
The modules (auth, account, password, session) are executed as a stack, in the order they appear in the config file.
Any program that needs authentication can use PAM.
_ pam_access.so:
Its configuration file has the following form:
< + or - > : <username list> : <tty list | host list>
+ : grant permission
- : deny permission
where the username list holds users or user groups, the tty list covers console logins, and the host list specifies hosts or domains. The keywords ALL = everyone, EXCEPT = except, LOCAL = local can be used. The following example forbids osg from logging in from anywhere, and allows linet to log in remotely.
_ pam_chroot.so:
Apply chroot to the users set in /etc/security/chroot.conf. For example, I chroot sshd so that the user linet can only access /home/osg and not the home directories of other users. Add the following line to /etc/pam.d/sshd (note that UsePAM yes must be set in /etc/ssh/sshd_config):
session required pam_chroot.so
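To make the pam_access rule format above concrete, here is an added example (not from the original article) that evaluates rules in the access.conf form with a small shell function: first matching line wins, as in pam_access, and a user with no matching line is allowed. The rule set, users and origins are constructed; only ALL, LOCAL and plain user names are handled, while EXCEPT and @group are deliberately left out (an assumption of this example, not a limit of pam_access).

```sh
#!/bin/sh
# Added example, not from the original article: a small evaluator for rules in
# the /etc/security/access.conf format ("+/- : users : origins"), so the effect
# of a rule set can be checked against constructed user/origin pairs.
# Supports ALL, LOCAL and plain user names only; EXCEPT and @group are not
# handled (an assumption of this example). The rules below are constructed.

ACCESS_CONF='# deny osg everywhere, let linet in from anywhere, root only from local consoles
- : osg : ALL
+ : linet : ALL
+ : root : LOCAL
- : root : ALL'

# match_list FIELD VALUE: does a space-separated access.conf field match VALUE?
match_list() {
  for tok in $1; do
    case "$tok" in
      ALL) return 0 ;;
      # LOCAL matches an origin that contains no dot: a tty or a short hostname
      LOCAL) case "$2" in *.*) ;; *) return 0 ;; esac ;;
      "$2") return 0 ;;
    esac
  done
  return 1
}

# access_decision USER ORIGIN: prints "allow" or "deny". The first rule whose
# user field and origin field both match decides; no matching rule means allow.
access_decision() {
  while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac
    perm=$(printf '%s' "$line" | cut -d: -f1 | tr -d ' ')
    users=$(printf '%s' "$line" | cut -d: -f2)
    origins=$(printf '%s' "$line" | cut -d: -f3)
    match_list "$users" "$1" || continue
    match_list "$origins" "$2" || continue
    case "$perm" in
      +) echo allow ;;
      -) echo deny ;;
    esac
    return 0
  done <<EOF
$ACCESS_CONF
EOF
  echo allow
}
```

Rule order matters: root is allowed from tty1 only because the "+ : root : LOCAL" line precedes "- : root : ALL"; swapping the two lines would lock root out everywhere, which is the kind of mistake this evaluator makes visible before the file is installed.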
_ pam_deny.so:
Supported module types: account; authentication; password; session. This module always returns false. For example, it is used in /etc/pam.d/other to refuse every user access to PAM-aware programs that have no PAM configuration file of their own:
#add this line to your other login entries to disable all accounts login
account required pam_deny.so
When a user logs in to the system, the modules in /etc/pam.d/login are called first and the user is asked for the corresponding information (username, password); if this information is not correct, PAM calls /etc/pam.d/other to deny access.
#/etc/pam.d/other
auth     required /lib/security/$ISA/pam_deny.so
account  required /lib/security/$ISA/pam_deny.so
password required /lib/security/$ISA/pam_deny.so
session  required /lib/security/$ISA/pam_deny.so
Example: to stop users changing their password, add the following line to /etc/pam.d/passwd:
password required pam_deny.so
_ pam_limits.so: resource limits are set in /etc/security/limits.conf. A resource can be one of these keywords:
core - Limits the size of a core file (KB).
data - Maximum data size (KB).
fsize - Maximum file size (KB).
memlock - Maximum locked-in memory address space (KB).
nofile - Maximum number of open files.
rss - Maximum resident set size (KB).
stack - Maximum stack size (KB).
cpu - Maximum CPU time in minutes.
nproc - Maximum number of processes.
as - Address space limit.
maxlogins - Maximum number of logins allowed for this user.
In the example below, all users are limited to 10 MB per session and at most 4 simultaneous logins; ftp is allowed 10 simultaneous logins (useful for anonymous ftp); members of the managers group are limited to 40 processes, the developers group to 64MB of memory, and users in wwwusers cannot create files larger than 50 MB = 50000 KB.
*           hard  rss        10000
*           hard  maxlogins  4
*           hard  core       0
bin
ftp         hard  maxlogins  10
@managers   hard  nproc      40
@developers hard  memlock    64000
@wwwusers   hard  fsize      50000
_ pam_listfile.so
This module reads information from a file and takes the configured action (allowing or denying access) based on whether items such as the username, host or group are present in it.
This asks PAM to load the pam_listfile module and read /etc/ftpusers; if /etc/ftpusers contains usernames, PAM uses sense=deny to decide to block those users.
_ pam_rootok.so
_ pam_wheel.so: allows root access only to the wheel group. For example, allowing only members of the wheel group to su to root:
#
# root gains access by default (rootok), only wheel members can
# become root (wheel) but Unix authenticate non-root applicants.
#
auth sufficient pam_rootok.so
auth required   pam_wheel.so
auth required   pam_unix_auth.so
1. Getting the kernel:
The kernel source can be downloaded from http://www.kernel.org. The current stable version is 2.4.21 and the development version is 2.5.73. If you do not want to test the kernel's new features, use 2.4.21 for daily work.
If you have just downloaded a patch, you will need to apply it.
Note: --dry-run "pretends" to apply the patch without actually doing anything. It tells you whether the patch fits the kernel you are using or whether the patch itself is broken. After running with --dry-run and seeing no error messages, you can apply the patch for real with the command $patch -p1 < /location/and/name/of/patch
3. Compiling the kernel: this can be done with the following commands:
It asks you a series of questions; answering M (module) builds that item as a module. If you do not know what hardware your machine has, this applies especially to the network card or sound card. If you are not sure what a question is asking, type h and a fairly clear explanation appears.
You can download my configuration, which has the SCSI card, SB Live! sound card, bt848 Hauppauge TV card, ext2/ext3/reiserfs/jfs/tmpfs/iso9660/vfat/ntfs and ipsec VPN compiled into the kernel, the tulip, intel and realtek modules for network cards, iptables and the wireless modules. If you do not need one of them, just comment out that line (put a # in front of it). For example, if your machine is a Pentium 4, change the processor option to the corresponding value. Then run $make oldconfig instead of $make menuconfig as above.
cleans up the .o files that the developers
really begins
installs the modules into the directory /lib/modules/2.4.21
cp
If you have a SCSI card and compile the SCSI driver or a filesystem (ext3, reiserfs, etc.) that the machine uses as a module, you must create an initial ramdisk with the command $mkinitrd -o /boot/initrd-2.4.21.img /lib/modules/2.4.21. If you compile the SCSI driver and the filesystem into the kernel, you can say bye-bye to initrd.
4a. If you use GRUB: create a new section for your kernel by editing menu.lst with the command $vi /boot/grub/menu.lst. Assuming your / is on /dev/hda3:
title MyKernel-2.4.21
kernel (hd0,0)/boot/mykernel-2.4.21 root=/dev/hda3
initrd (hd0,0)/boot/initrd-2.4.21.img
above.
4b. If you use LILO: create a section for your kernel by editing lilo.conf with the command $vi /etc/lilo.conf and adding the following lines:
image=/boot/mykernel-2.4.21
label=MyKernel-2.4.21
root=/dev/hda3
initrd=/boot/initrd-2.4.21.img
read-only
Remember to run the $lilo command, otherwise you will
You should keep /usr/src/linux/.config
for example, then you can
Hopefully this article will
source.
A proxy, by definition, is a device standing between a server and a client, taking part in the "conversation" between the two sides. The proxy we usually mean in everyday use is better called a forward proxy: a device between one client and all the servers that client wants to reach. A reverse proxy does the exact opposite: it stands between one server and all the clients that server has to serve. A reverse proxy is like a railway station combined with a checkpoint: requests from clients are forced to stop at the reverse proxy, where they are inspected, invalid requests are filtered out, and valid requests are forwarded to their final destination, the servers. Note that a reverse proxy can forward requests to several servers at once. The biggest advantage of using a reverse proxy is centralised management. Once all traffic is pushed through a single checkpoint (the reverse proxy), we can apply many other "tricks" to strengthen the security of our system. Of course, any product or technology has its strengths and weaknesses, and a single point of access always comes with the "ghost" of a single point of failure. The single point of failure can be dealt with by building a cluster. That is a topic entirely beyond the scope of this article; anyone who wants to learn about clustering on Linux should visit http://www.linux-ha.org. In addition, a correctly applied reverse proxy improves the performance and scalability of the web applications running on the content servers. Shortly I will go into the advantages of a reverse proxy in detail and how to exploit them.
3. Installing the reverse-proxy server
3.1. Choosing and installing an operating system for the reverse proxy
Naturally I use Linux for the reverse proxy server. I will not describe the Linux installation here because there are plenty of good documents on the Internet about it, and besides, I think anyone considering building a reverse proxy will have no trouble installing Linux. Linux has a huge number of distros, so which does mrro pick? In my opinion all distros are much the same, but if someone asked me that question the answer would be Trustix -4-. Whichever distro you choose, remember that after installation you should spend a little time securing it before reading on -5-. In the next part we discuss installing Apache httpd and its accompanying modules.
3.2. 1.3.x or 2.x?
First, I think we have to answer the question of which Apache version to use as the reverse proxy: 1.3.x or 2.x? I choose 2.x for three reasons. First, I have "heard" that there are many 0-days in the 1.3.x versions. Second, Apache 2.x provides a better filtering API than 1.3.x, letting modules see and interact with the content of requests as well as the corresponding responses returned by the server. This is very important for a reverse proxy acting as an application gateway, because it has to inspect all information passing through it before handing it to the receiving side -6-. The last reason is that Apache httpd 2.x performs much better than 1.3.x when serving static content such as HTML and image files. I care about this because I intend to offload the internal content servers by splitting content into two kinds: dynamic (CGI/Perl, PHP files) and static (HTML and image files); the content servers serve only dynamic content, and all static content is moved onto the reverse proxy server. Then, when client requests enter the reverse proxy, a request for static content is answered by the reverse proxy directly without being forwarded to the content server behind it; only requests for dynamic content are forwarded to the content servers for processing.
I will go into this in detail in a later part; just note that in the end I did not use Apache httpd for this purpose but another web server that specialises in static content.
3.3. Choosing modules for Apache httpd
Besides the modules recommended in the document "Securing Apache 2: step by step", we must add the following modules:
- mod_rewrite, mod_proxy, mod_proxy_http: these modules support us in setting up the reverse proxy.
- mod_security: this module lets us configure the reverse proxy as an application firewall against the kinds of attack commonly seen against web applications running on the content servers -7-.
- mod_ssl: this module encrypts the data of connections from client to server with the SSL and TLS protocols, turning insecure HTTP into the much more secure HTTPS -8-.
The next important part is choosing an MPM suitable for our reverse proxy purpose. MPM stands for Multi-Processing Module and is a significant improvement of Apache httpd 2.x over Apache 1.x. In the Apache 2.x architecture the MPM plays a very important role: it listens on the network ports, accepts connection requests from clients, and passes the requests into Apache httpd for processing -9-. In this case I choose the worker MPM. The worker MPM uses threads to serve requests, so it can serve a large number of requests while using far fewer resources than process-based MPMs such as prefork. At the same time the worker MPM still exploits the stability of process-based MPMs by creating several processes up front, each with many threads ready to serve clients -10-.
3.4. Compiling and installing Apache httpd
The next question is how to compile the modules. As we all know, there are two ways
to compile modules in Apache httpd. The first, called the dynamic method, compiles the modules into shared libraries (similar to DLLs on Windows). With this method the modules are compiled into .so files and loaded when Apache httpd starts, if needed (according to the LoadModule directives in the conf/httpd.conf configuration file). The second method, called the static method, packs all the modules into the bin/httpd file itself (static linking). At startup and while running, Apache httpd then does not need to load any further module. The static method is considered the better choice. Choosing it, we do not need the mod_so module (the module needed to load .so files in the dynamic method). Furthermore, according to Apache's recommendation, the static method gives about 5% better performance than the dynamic one. We download Apache httpd 2.x from http://httpd.apache.org/download.cgi and mod_security from http://www.modsecurity.org with the following commands:
CODE
localhost$ wget http://www.tux.org/pub/net/apache/dist/htt...d-2.0.54.tar.gz
localhost$ wget http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz
localhost$ tar -xzf httpd-2.0.54.tar.gz -C /usr/local/src
localhost$ tar -xzf modsecurity-1.8.7.tar.gz -C /usr/local/src
The documentation bundled with mod_security only explains how to compile mod_security as a shared library for Apache httpd, so we need a little preparation to be able to compile mod_security statically:
CODE
localhost$
localhost$
localhost$
localhost$
Okay, all set, start compiling as follows:
CODE
localhost$ cd /usr/local/src/httpd-2.0.54
localhost$ ./configure \
    --with-mpm=worker \
    --disable-charset-lite \
    --disable-include \
    --disable-env \
    --disable-status \
    --disable-autoindex \
    --disable-asis \
    --disable-cgid \
    --disable-cgi \
    --disable-negotiation \
    --disable-imap \
    --disable-actions \
    --disable-userdir \
    --disable-alias \
    --disable-so \
    --with-module=security:mod_security.c \
    --enable-modules='ssl rewrite proxy proxy_http'
If configuration succeeds, we continue as follows to install Apache httpd onto the system (in the default directory /usr/local/apache):
CODE
localhost$ make
localhost$ su
localhost# umask 022
localhost# make install
localhost# chown -R root:sys /usr/local/apache
3.5. Changing the server's "root"
For this part please refer to the document "Securing Apache 2: Step by Step." -m (to be continued) Next part: 4. Configuring Apache httpd as a reverse proxy
----------------------
-0-: In fact I copied much of the Vietnamese part of the document "Securing Apache 2: Step-by-Step" from the translation and extension of "Securing Apache: Step-by-Step" (http://www.securityfocus.com/infocus/1694) by hnd aka conmale. See conmale's translation and extension at http://www.hvaonline.net/forum/index.php?a...T&f=161&t=46199
-1-: apart from web servers, the reverse proxy approach (or something similar) can be applied to other services such as VNC (see http://sourceforge.net/projects/vnc-reflector/) and mail (see the document "Qmail as the mail gateway" by hnd@diendantinhoc.org). The only service I have not managed to put behind a reverse proxy is FTP; if anyone has information about an ftp reverse proxy, please share it with me.
-2-: we can still set up a reverse proxy to protect web servers located right in the DMZ, or place a reverse proxy inside the Internal zone to protect the Internal web servers from threats coming from inside.
-3-: Besides Apache httpd there is a lot of other software that can be used as a reverse proxy, most notably pound. See http://www.apsis.ch/pound/.
-4-: Trustix is a compact distro (the whole installation fits on a single CD) built on RedHat with two main goals: security and stability. The latest stable version of Trustix is 2.2, the unstable version is 3.0 RC2. See www.trustix.org.
-5-: See the Linux Security HOWTO at http://www.tldp.org for more details. The Bastille-Linux software is also very useful for securing Linux servers.
-6-: Only with Apache 2.x do the mod_security rules that need to filter OUTPUT take effect.
-7-: See the mod_security documentation at http://www.modsecurity.org and conmale's series of write-ups on the DDoS attacks against HVA.
-8-: Since Apache httpd 2.0, mod_ssl has been officially included in Apache httpd. See the mod_ssl documentation at http://www.modssl.org.
-9-: Choosing the MPM for Apache 2.x is an extremely important matter that greatly affects server performance, so I think anyone interested in Apache 2.x should read the MPM documentation at http://httpd.apache.org/docs-2.0/mpm.html
-10-: Why are threads "tastier" than processes for performance? Those interested should look up the following: Advanced Linux Programming (http://www.advancedlinuxprogramming.com) and Understanding the Linux Kernel. Author: Mrro - HVAonline group
and trangloi.html is the page you want shown when an error occurs; you can put whatever you like in this file, for example a link back to the site's main page. Example:
ErrorDocument 404 /trangloi.html
or:
ErrorDocument 500 /loi/500.html
Now upload the two files .htaccess and trangloi.html to your hosting.
Preventing bandwidth theft
Normally, web hosting services only give you a fixed amount of data transfer per month, and when you use it up your website is automatically closed. You then have to pay extra for the excess bandwidth or wait until the next month. If your images and data are stolen by other websites (with simple tricks), raising your data transfer, it means you pay for something you did not use. Using the .htaccess file is a perfect solution to prevent unauthorised use of the images on your website. Just put the following into .htaccess:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?trangweb\.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]
The code above uses the Rewrite module of the Apache server; just change trangweb.com to your own website address. To show bandwidth thieves a warning image instead, use the following lines:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?trangweb\.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ http://www.trangweb.com/diehotlinker.jpg [R,L]
Hiding the file list of a directory
When a directory has no index or default file, Apache displays a list of the files in that directory. If these are sensitive documents you do not want others to see, add the following directive to .htaccess:
Options -Indexes
Replacing the index page
Normally, when a site is accessed, Apache looks for index.htm or default.htm to return to the browser; you can use .htaccess to change this default:
DirectoryIndex index.php index.php3 messagebrd.pl index.html index.htm
With this directive, the listed files are searched for in order when the current directory is requested, and the first one found becomes the directory's index page.
Blocking/restricting IP access
Some people may want to flood your site; what you need to do is forbid those people's IPs from accessing it. Add the following to .htaccess: deny from 203.262.110.20; to allow an IP: allow from 203.262.110.20. If you write the IP only as 203.262.110, all IPs in the range 203.262.110.1 to 203.262.110.254 are blocked. The directive Deny from all blocks all access to the pages in the directory, but the files in it can still be used from outside through require or include statements (in PHP programming); look at the source code of the PHPBB forum, IBF, etc. to understand this better.
Automatic redirection to a new address (Redirection)
You moved your site to a new address but not everyone knows; redirect remote visitors simply with the directive:
Redirect /olddirectory http://www.trangwebmoi.com/thumucmoi
Customising file extensions
Normally, depending on the web programming language you use, files have different extensions: html, htm, asp, aspx, php, cgi, ... But with .htaccess you can instruct the Apache server so that Apache calls your file and returns it to the user's browser under an extension you define in .htaccess. Use the following in .htaccess:
RewriteEngine on
RewriteRule (.*)\.dll$ $1.html
Html is the real extension of the files on the website, dll is the extension you chose. Note that in the links on your pages you must use the path with the new extension (dll above), for example http://www.trangweb.com/index.dll
Notes when using .htaccess:
- It only works on Apache servers that have .htaccess enabled; if it is not, contact your hosting provider.
- To create this file you can use Windows Notepad: choose Save As with the name .htaccess, but remember to drop the txt extension when saving.
- .htaccess only affects files at the same level (in the same directory) or in subdirectories. For directories, it applies to the directory containing it and its subdirectories, not to the parent directory.
- You can use an FTP program (Leaf FTP, WS FTP, Cute FTP) to upload .htaccess to your hosting in ASCII mode; if it does not work, try CHMOD with the value 644.
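The decision the hotlink-protection rules above make, as an added example that is not part of the original article: the two RewriteCond lines and the RewriteRule re-implemented as a shell function so their effect can be exercised with constructed Referer values before the rules go live. The site name trangweb.com comes from the article; the sample requests are constructed.

```sh
#!/bin/sh
# Added example, not from the original article: the hotlink rule
#   RewriteCond %{HTTP_REFERER} !^$
#   RewriteCond %{HTTP_REFERER} !^http://(www\.)?trangweb\.com/.*$ [NC]
#   RewriteRule \.(gif|jpg)$ - [F]
# expressed as a function, so its behaviour can be checked on constructed input.

# Lower-case a string: the [NC] flag makes the referer comparison case-insensitive.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# hotlink_decision REFERER PATH -> prints "allow" or "forbidden".
hotlink_decision() {
  referer=$(lc "$1")
  path=$2
  # RewriteRule only applies to paths ending in .gif or .jpg (case-sensitive, no [NC] there).
  case "$path" in
    *.gif|*.jpg) ;;
    *) echo allow; return 0 ;;
  esac
  # RewriteCond !^$ : a request with no Referer header at all is allowed
  # (browsers with referers suppressed, direct visits, some proxies).
  if [ -z "$referer" ]; then
    echo allow
    return 0
  fi
  # RewriteCond !^http://(www\.)?trangweb\.com/.*$ : only the site's own pages may embed the image.
  case "$referer" in
    http://trangweb.com/*|http://www.trangweb.com/*) echo allow ;;
    *) echo forbidden ;;   # [F] -> HTTP 403
  esac
}
```

Two points the function makes visible: a lookalike referer such as http://trangweb.com.evil.example/ is still forbidden because the pattern requires a slash right after the site name, and an empty referer is always let through, so the rule stops casual embedding rather than a client that deliberately strips the header. The variant that redirects to diehotlinker.jpg needs one more RewriteCond excluding that file's own path, otherwise the browser's request for the warning image carries the same foreign Referer and is redirected again.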