
www.nhipsongcongnghe.net

INSTALLING THE LINUX REDHAT 8.0 OPERATING SYSTEM

1. A few things to note before installing:

To install RedHat 8.0 and run it smoothly in graphical mode, you need a Pentium II system, 64MB of RAM or more, and a hard-disk partition for Linux of about 2GB or more. Nothing stops you from installing Linux on a lower-spec system, but you will then only be able to run a limited set of applications on it.

Find out the configuration details of your system before installing. This is very important, and makes configuring the system after installation much easier. During system configuration you will have to pick the correct parameters for the hardware components, such as the type of video card, the type of monitor (horizontal and vertical refresh rates), the network card, the sound card, and so on.

Prepare free disk partitions for Linux. Linux needs at least two partitions: Linux Native (ext3) and Linux swap. For simplicity, you can use Partition Magic to create them:

One partition of type Linux native ext3. Installing Linux needs about 2GB or more, including KDE and Gnome, graphics and multimedia utilities, and programming tools. The minimum is 400MB, and a full installation is 4.5GB.

One partition of type Linux swap, the exchange partition Linux uses for virtual memory. Normally the optimal size of virtual memory is twice the amount of RAM in the system.

2. Starting the installation:

The simplest and most common way to install Redhat Linux is from the CD-ROM set:

Boot the system from the installation CD set (CD 1) and press Enter at the boot prompt to install in the default graphical mode. The installer automatically probes the keyboard, mouse, video card and monitor and then enters the installation process. Through each step of the wizard you choose system settings such as the keyboard, the mouse, the language used during installation, and the system clock.

a. Choosing the installation type:

- Personal Desktop: for people new to Linux or for personal desktop systems. The installer selects the most essential packages for this configuration. This type of installation needs about 1.5GB of disk space, including the graphical environment.

- Workstation: for workstations with advanced graphics capabilities and development tools.

- Server: installs a system that acts as a server, such as a web server, FTP server, SQL server, and so on.

- Custom: the flexible option. You choose the packages, the working environments, and the boot loader yourself.

b. Setting up the partitions for Linux:

This is the most sensitive and dangerous step of the whole installation: one careless wrong choice and the data on your hard disk can be wiped out completely.

The automatic partitioning function creates the Linux partitions for you. Be careful if you choose the option "remove all partitions on this system", because every partition on your hard disk will be deleted. The option "remove all Linux partitions on this system" deletes only the Linux partitions.

For convenience you can partition the disk beforehand with Partition Magic; at this stage the only remaining job is to format the installation partitions. You can nonetheless partition the disk easily with Disk Druid.

Normally you should choose "Manually partition with Disk Druid" and create these partitions:

A partition with mount point /, with file system type Linux Native ext3.

A swap partition for Linux, of type Linux swap, whose optimal size is twice the amount of RAM in the current system.

The buttons on the screen let you partition and format. New and Delete create or delete a partition. Edit sets the partition's format, its type (ext3, swap, vfat), resizes it, and sets which directory it is in the file-system hierarchy.

You can Reset if the result does not satisfy you; no change is made to the disk until you finish the work in Disk Druid.

c. How disks are managed in Linux:

In the Linux directory tree the top level is /, below it are /boot, /etc, /root, /mnt, and so on.

In Linux every hardware device is treated as a file or directory in the directory tree. For example, if your system has two hard disks, the first is /dev/hda and the second is /dev/hdb. Within one hard disk, the file systems are divided into partitions. A disk can have up to 4 primary partitions, numbered 1 to 4; on the first disk these are hda1, hda2, and so on. Partitions in the extended part are numbered from 5: for example hda5, hda6.

d. Installing the boot loader

The boot loader is the program used to start Linux as well as other operating systems (dual boot) when more than one operating system is installed. Grub is the default boot loader when installing RedHat 8.0. It is a very powerful and flexible program: Grub automatically detects the operating systems present on the system and adds them to the boot list. The options on this screen are fairly self-explanatory.

The "configure advanced boot loader options" choice lets you pick where on the hard disk grub is installed:

If Grub is to boot the system, grub is installed on the Master Boot Record (/dev/hda).

If another program, for example System Commander, will boot the system, choose to install grub on the first sector of the boot partition. System Commander then detects Linux automatically and adds a boot entry for it.

e. Configuring accounts:

Account configuration sets the root password and can create additional accounts for logging into the system once the installation is complete.

The root account has the highest privileges in the system. Once logged in with this account you can install, configure the system, or do anything at all.

f. Notes on choosing the packages to install:

In Redhat 8.0, choosing packages is very convenient because they are grouped. You can select the packages you need now, or install more after the installation completes.

Choose "select individual packages" to add packages that are not installed by default, for example mc (Midnight Commander, similar to NC in DOS). Once you are done selecting, the installer resolves the dependent packages for you to install as well.

Throughout package selection you are told the disk space required. Take care not to exceed the size of the partition you set aside for Linux. One suggestion: install the programming development packages, the kernel source, and the programming libraries, so that you can later rebuild the kernel or install and compile software and drivers for the system.

g. Configuring X

To work with the graphical interface you need to configure X Window. If you are lucky, your video card and monitor are on the list supported by Linux. If not, the safe choice that works with any video card is the vesa type. For the monitor, Linux probes it for you, or you configure the refresh rates by hand. Be careful: this step can easily damage your monitor and video card. This is why you need to know your hardware parameters precisely.

If you do not want Linux to probe and configure automatically, you can open /etc/X11/XF86Config (or XF86Config-4) and configure it by hand.

Press the test button to check that the system runs well in graphical mode; if all goes smoothly, congratulations, you have finished installing Linux.

A note on video cards

Although Linux correctly detects and supports many video cards produced in the last two years, after configuration the card still runs on the PCI bus even if it is an AGP card, and you still cannot use its advanced 3D features. The reason is that component manufacturers, citing security and licensing, have not supported the Linux developers. However, many hardware manufacturers are now starting to provide drivers for their components on Linux. Nvidia, for example, lets you download its driver from www.nvidia.com or ftp://download.nvidia.com/XFree86_40/1.0-3123. After installing the driver, 3D games run with graphics every bit as smooth as on MS Windows.

How to install fonts and print Vietnamese on Linux

There are 2 ways to install Unicode fonts for X Window:
1. Using ttmkfdir (the old way)
2. Using fontconfig (the new way, for Mandrake-9.0 and RedHat-8.0)

1. Using ttmkfdir (the old way):

a. Create /usr/share/fonts, if it does not exist, with: mkdir /usr/share/fonts

b. Unpack utf8.tar.gz inside /usr/share/fonts with: cd /usr/share/fonts && tar xvzf utf8.tar.gz

c. Create the font list with: cd utf8 && ttmkfdir > fonts.scale && mkfontdir

d. Tell the font server where the Unicode fonts are with: chkfontpath --add /usr/share/fonts/utf8

e. Restart the X font server with: /etc/rc.d/init.d/xfs restart

2. Using fontconfig (the new way, for Mandrake-9.0 and RedHat-8.0):

a. Put utf8.tar.gz into /usr/share/fonts and unpack it with: cp utf8.tar.gz /usr/share/fonts && cd /usr/share/fonts && tar xvzf utf8.tar.gz

b. Update the font list with: fc-cache

That is all; there is no need to restart xfs or X.

You can also put the arial font (download from the address below) into ~/.fonts, and nothing at all needs restarting if you use fontconfig (Red Hat 8 or 9, or Mandrake-9.1).

For example:

cd ~

mkdir ~/.fonts (if it does not exist yet)

tar xvjf arial.tar.bz2

cp arialuni.ttf ~/.fonts

Viewing Vietnamese web pages and printing Vietnamese:

Normally, if you browse with Mozilla, no font settings are needed. If you use Konqueror on Red Hat 8.0, you must set the fonts in Konqueror as shown in the figure here before Vietnamese can be viewed and printed.

If you use the latest Mandrake (9.1), you need do nothing at all; Vietnamese display and printing are very well supported.

More details:

- Unicode fonts can be downloaded from http://www.vnlinux.org/fonts/utf8.tar.gz, or http://www.vnlinux.org/arial.tar.bz2 if Vietnamese still does not display 100%.
- fontconfig homepage: http://www.fontconfig.org.
- ttmkfdir can be downloaded from http://www.joerg-pommnitz.de/TrueType/xfsft.html
- mkfontdir is in the XFree86-3x (or XFree86-4x) package.
- Viet Unicode has many fonts: http://sourceforge.net/project/showfiles.p...lease_id=132517


Security tips for Linux


Today Linux holds an increasingly important place in the server world. The reasons Linux is gradually becoming a serious rival to Microsoft Windows are its stability, flexibility and ability to carry heavy loads: these are the foremost qualities of a server system.

Good security is another of Linux's strong points. However, for a Linux system to withstand attacks, the administrator also needs a certain set of skills. In this article we present some experience that raises the security of a Linux system (to make it easy for readers to follow, we illustrate with RedHat, a Linux distribution that is very popular in Vietnam and worldwide).

1. Remove all special accounts and groups

Right after installing Linux, the administrator should delete all the accounts and groups created by default that the system has no need for, such as lp, sync, shutdown, halt, news, uucp, operator, games, gopher, etc. (You do need to know exactly which accounts and groups your system does not need before deleting them.)

Delete an account with the command:

# userdel

For example, if there is no need for printing on the system, the lp account can be deleted as follows:

# userdel lp

Likewise, unnecessary groups can be deleted with the command:

# groupdel

2. Hide the password file

In the distant past of Unix, and of Linux too, the passwords of every account in the system were stored right in /etc/passwd, a file readable by every account on the system! This is a big loophole for attackers: although the passwords are encrypted, reversing them is feasible (and fairly easy, especially now that computers have such powerful processing capacity). For that reason, Unix and Linux developers recently moved the encrypted passwords into a separate file that only the root account can read: /etc/shadow. (With this method, for compatibility, the place where the password used to be in /etc/passwd is marked with an "x".)

If you are using a recent RedHat release (for example RedHat 6.x or 7.x), remember to choose "Enable the shadow password" during the RedHat installation to use this password-hiding feature. (Luckily, this choice is the default in most Linux distributions in wide use today.)
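As an added example (not part of the original article), the following shell script checks a passwd-format file for accounts that are not properly shadowed: a hash sitting in the world-readable file, or an empty password field. It reads the file on standard input so it can be run as "unshadowed_accounts < /etc/passwd"; the accounts embedded below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: audit a passwd-format file
# for accounts whose password field is still stored in the file itself.
# On a shadowed system field 2 of /etc/passwd is "x" (or "*"/"!" for locked
# accounts); a hash there is world-readable, an empty field means no password.

# Constructed sample in /etc/passwd format; the account names are hypothetical.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
legacy:$1$abcdefgh$ijklmnopqrstuvwxyz012:500:500:Old account:/home/legacy:/bin/bash
guest::501:501:Guest:/home/guest:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin'

# unshadowed_accounts: reads passwd-format text on stdin and prints
# "user reason" for every account that is not delegated to /etc/shadow.
unshadowed_accounts() {
    awk -F: '
        /^#/ || NF < 7              { next }                 # comments, junk
        $2 == ""                    { print $1, "empty-password"; next }
        $2 == "x" || $2 ~ /^[*!]+$/ { next }                 # shadowed/locked
                                    { print $1, "hash-in-passwd" }
    '
}

# audit_sample: runs the check over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | unshadowed_accounts
}

# audit_sample_count: number of findings in the sample.
audit_sample_count() {
    audit_sample | wc -l | tr -d ' '
}

audit_sample
```

On the sample, the script reports the "legacy" account (hash stored in passwd) and the "guest" account (no password at all); "root", "lp" and "operator" are correctly delegated to /etc/shadow and produce no output.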

3. Automatic log-out from the shell

System administrators very often forget to log out of the shell prompt when they finish their work. I myself have many times been doing administration as root and then got busy with something else. That is dangerous if an attacker walks up at that moment: they can easily gain the highest level of access to the system with no effort at all.

To reduce this risk, the administrator should set up automatic log-out from the shell after a fixed period with no activity, by setting a shell parameter that determines how long the system keeps the prompt. The parameter is the TMOUT environment variable, which is assigned a number giving that period in seconds. The simplest way to do this for every account on the system is to put the following line in /etc/profile (assuming we set the period to 600 seconds):

TMOUT=600

Now if the user does not touch the shell for 10 minutes, the shell exits automatically. Note, however, that this trick does not "take" if the user is running a program such as vi or mc at the time; that is, the user has to be working directly with the shell, not with any other program.

4. Remove unused services

A rather dangerous fact is that after installation the system automatically starts quite a few services (most of them unwanted), which wastes resources and creates many security risks. The administrator should remove the unused services immediately after installing the machine. Either simply delete the unused software packages/services (through RedHat's rpm package manager), or use the ntsysv tool to review all the installed services and disable the unnecessary ones (by unmarking the unused services with the Space key). After leaving ntsysv, reboot the machine: the unwanted services no longer run.

5. Do not reveal system information over telnet

The telnet remote-access service can reveal information about the system, which makes it easy for attackers to strike at known weaknesses. It is easy to see: every user connecting remotely to the telnet service is given the host name, the Linux version, and the kernel version of the server.

To avoid this, start telnetd (the telnet server) with the -h parameter. (The -h parameter stops telnet revealing that information and prints only the "Login:" prompt to remote clients.)

Because RedHat 7.x no longer runs telnetd through inetd (it uses xinetd, an upgraded version with many improvements over inetd), the way to reconfigure telnetd depends on the RedHat version in use.

+ For RedHat 6.x and earlier, do the following:

In /etc/inetd.conf, change the line

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

to:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h

Then restart inetd with the command:

# /etc/rc.d/init.d/inetd restart

+ For RedHat 7.x, do the following:

In /etc/xinetd.d/telnet, add the option:

server_args = -h

The file then looks like this:

service telnet
{
        disable         = yes
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        server_args     = -h
}

Then restart xinetd with the command:

# /etc/rc.d/init.d/xinetd restart
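An added example (not from the original article): a shell function that applies the xinetd change above to a service definition, inserting "server_args = -h" when the file has no such line and appending -h to an existing server_args line otherwise, so running it twice is harmless. It works on text via stdin and stdout so the result can be reviewed before being written back; the telnet service file below is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: set "server_args = -h" in an
# xinetd service definition. Reads the file text on stdin, writes the result
# on stdout, and is idempotent: a second run changes nothing. On a real
# system one would run:  add_telnet_h_flag < /etc/xinetd.d/telnet > telnet.new

# Constructed sample service file with no server_args line.
SAMPLE_TELNET='service telnet
{
        disable         = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}'

# add_telnet_h_flag: stdin -> stdout with -h present in server_args.
add_telnet_h_flag() {
    awk '
        # existing server_args line: append -h unless it is already there
        /^[[:space:]]*server_args[[:space:]]*[+]?=/ {
            seen = 1
            if ($0 !~ /(^|[[:space:]])-h([[:space:]]|$)/) $0 = $0 " -h"
            print; next
        }
        # closing brace reached with no server_args line: insert one before it
        /^[[:space:]]*}/ && !seen {
            print "        server_args     = -h"
            seen = 1
        }
        { print }
    '
}

# server_args_of: prints the value of the server_args line, empty if none.
server_args_of() {
    awk -F= '/^[[:space:]]*server_args[[:space:]]*=/ {
        v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v); print v
    }'
}

printf '%s\n' "$SAMPLE_TELNET" | add_telnet_h_flag
```

After the rewrite, server_args_of reports "-h" for the sample, and a file that already passes other arguments (for example "server_args = -L /bin/login") keeps them and gains "-h" at the end.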

6. Avoid services that do not encrypt data in transit

Although we showed above how to stop the telnet service revealing information, our advice is this: avoid services such as telnet and ftp (apart from anonymous ftp) absolutely, because these services do not encrypt the password at all when it crosses the network. Any attacker can easily "catch" your password with eavesdropping tools such as a sniffer.

Wherever possible, use the ssh service instead of both telnet and ftp: SSH (Secure Shell) uses public-key cryptography to protect the data, encrypting both the password and the data sent over the connection. It is now widely used, and the SSH package ships with almost every recent Linux distribution. For example, RedHat 7.0 and later install OpenSSH by default, an open-source product that is completely free to use. (Readers can consult www.openssh.org about this product.)

We also advise absolutely avoiding the "r" services such as rsh, rcp and rlogin. Besides sending passwords unencrypted, these services check access rights based on the address of the connecting machine, which is extremely dangerous: an attacker using spoofing techniques can easily fool this check by "forging" the address of the machine accessing the service.

7. Forbid use of the root account from consoles

You may have noticed that right after installing RedHat, the root account is not allowed to connect over telnet to the telnet service on the system (only ordinary accounts can connect). The reason is that the file /etc/securetty, which defines the consoles root may log in from, lists only the "physical" consoles (those usable only when sitting directly at the server) and leaves out network connections. The ftp service is restricted in the same way: the root account is not allowed to use ftp over the network.

To increase security further, edit /etc/securetty and remove the consoles you do not want root to log in from.

8. Forbid "su" to root

In Linux, the su (Substitute User) command lets a user switch to another account. If you do not want just anyone to "su" to root, add the following two lines to /etc/pam.d/su:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel

Now only users registered as members of the wheel group can "su" to root. To give a user this right, the administrator simply adds the user's account to the wheel group (in /etc/group).

9. Limit the information recorded by the bash shell

Normally, every command executed at an account's shell prompt is written to the file ".bash_history" in the account's home directory. This is a latent danger, especially with applications that require secrets such as passwords to be typed on the command line. The administrator should limit this risk through two environment variables, HISTFILESIZE and HISTSIZE: HISTFILESIZE sets the number of commands (typed at the shell prompt) kept for the next login, while HISTSIZE sets the number of commands remembered in the current session. You can lower HISTSIZE and set HISTFILESIZE to 0 to minimise the danger described above.

To do this, simply change the values of the two variables in /etc/profile as follows:

HISTFILESIZE=0
HISTSIZE=20

Now, in the current session, the shell remembers only the 20 most recent commands, and does not record the commands the user typed when the user leaves the shell.
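An added example (not from the original article) covering sections 3 and 9 together: a shell script that audits a /etc/profile-style file for TMOUT, HISTFILESIZE and HISTSIZE and reports which settings are missing or more permissive than the values given in this article. The thresholds (600 seconds, 0, 20) are the article's own values; the sample profile is constructed, and a setting that only appears in a comment is correctly treated as absent.

```shell
#!/bin/sh
# Added example, not from the original article: audit a /etc/profile-style file
# for the shell settings discussed in sections 3 and 9 (TMOUT, HISTFILESIZE,
# HISTSIZE) and report which are missing or more permissive than the
# article's values (TMOUT=600, HISTFILESIZE=0, HISTSIZE=20).

# Constructed sample profile: too-long timeout, large history, and the
# history-file limit present only as a comment (so not in effect).
SAMPLE_PROFILE='# /etc/profile (constructed sample)
PATH=$PATH:/usr/local/bin
export PATH
TMOUT=1800
HISTSIZE=1000
# HISTFILESIZE=0'

# profile_value NAME: reads a profile on stdin and prints the numeric value of
# the last effective "NAME=value" or "export NAME=value" line (empty if none
# or if the value is not a plain number).
profile_value() {
    awk -v name="$1" '
        /^[[:space:]]*#/ { next }                  # commented-out lines
        {
            line = $0
            sub(/^[[:space:]]*(export[[:space:]]+)?/, "", line)
            if (index(line, name "=") == 1) {
                val = substr(line, length(name) + 2)
                sub(/[[:space:]#].*$/, "", val)    # drop trailing comment
                if (val !~ /^[0-9]+$/) val = ""
                last = val
            }
        }
        END { print last }
    '
}

# audit_profile FILE: prints one "NAME status" line per setting.
audit_profile() {
    tmout=$(profile_value TMOUT < "$1")
    hfs=$(profile_value HISTFILESIZE < "$1")
    hs=$(profile_value HISTSIZE < "$1")
    if [ -z "$tmout" ]; then echo "TMOUT missing"
    elif [ "$tmout" -gt 600 ]; then echo "TMOUT too-long ($tmout s)"
    else echo "TMOUT ok ($tmout s)"; fi
    if [ -z "$hfs" ]; then echo "HISTFILESIZE missing"
    elif [ "$hfs" -gt 0 ]; then echo "HISTFILESIZE history-kept ($hfs)"
    else echo "HISTFILESIZE ok"; fi
    if [ -z "$hs" ]; then echo "HISTSIZE missing"
    elif [ "$hs" -gt 20 ]; then echo "HISTSIZE too-large ($hs)"
    else echo "HISTSIZE ok ($hs)"; fi
}

# audit_sample: writes the constructed sample to a temp file and audits it.
audit_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PROFILE" > "$tmp"
    audit_profile "$tmp"
    rm -f "$tmp"
}

audit_sample
```

Run against a real system as "audit_profile /etc/profile"; on the sample it reports TMOUT as too long, HISTFILESIZE as missing (the commented line does not count) and HISTSIZE as too large.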

10. Forbid snooping on the Linux start-up scripts

When Linux starts, the script files in /etc/rc.d/init.d are executed. To avoid unnecessary curiosity, the administrator should restrict access to these files to the root account with the following command:

# chmod -R 700 /etc/rc.d/init.d/*

11. Remove unused SUID/SGID programs

Normally, an application runs with the privileges of the account that invoked it. However, Unix and Linux use a special technique that lets some programs run with the privileges of the program's owner (rather than the user running it). That is why every user on the system can change their own password without having any access to /etc/shadow: the passwd command carries the SUID attribute and is owned by root, and only root may access /etc/shadow.

This capability, however, carries latent risks: if an executable owned by root, through bad design or because an attacker deliberately planted it, also carries the SUID attribute, then anything can happen. In practice, quite a few techniques for breaking into a system without root privileges rely on it: the attacker somehow creates a shell (for example bash) that is owned by root and has the SUID attribute. Every subsequent malicious access then goes through that shell, and every command run in it executes with root privileges.

The SGID attribute is similar to SUID: the program runs with the group privileges of the group that owns the program rather than the group of the user running it.

So the administrator must regularly check whether the system contains any applications with the SUID or SGID attribute that should not have it. To find all files with the SUID/SGID attribute, use find as follows:

# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

If a file is found that has the SUID/SGID attribute unnecessarily, the attributes can be removed with the command:

# chmod a-s
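An added example (not from the original article): a shell script that builds a small constructed directory tree, marks one file setuid and one setgid, and locates them with the same find test as above, then strips the bits with chmod a-s. The search function takes a root directory as its argument so the same code can be pointed at /; the tree, file names and the assumption that the current user may set those bits on files it owns are all part of the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: locate setuid/setgid files
# under a directory with the article's find test (-perm -04000 / -perm -02000)
# and strip the bits. The sample tree below is constructed; it assumes the
# running user may set the setuid/setgid bits on files it owns.

# find_suid_sgid DIR: prints "mode path" for each SUID/SGID regular file.
find_suid_sgid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \; 2>/dev/null |
        awk '{ print $1, $NF }'
}

# count_suid_sgid DIR: number of SUID/SGID files under DIR.
count_suid_sgid() {
    find_suid_sgid "$1" | wc -l | tr -d ' '
}

# strip_suid_sgid DIR: remove the bits from every file found, as the
# article's "chmod a-s" does for a single file.
strip_suid_sgid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -exec chmod a-s {} \;
}

# make_sample_tree: constructed tree with hypothetical names; prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/sbin"
    for f in bin/normal bin/setuid-tool sbin/setgid-tool; do
        printf '#!/bin/sh\necho hello\n' > "$d/$f"
        chmod 755 "$d/$f"
    done
    chmod u+s "$d/bin/setuid-tool"      # the only SUID file in the tree
    chmod g+s "$d/sbin/setgid-tool"     # the only SGID file in the tree
    echo "$d"
}

SAMPLE_DIR=$(make_sample_tree)
find_suid_sgid "$SAMPLE_DIR"
```

On the sample tree the search lists exactly the two marked files (modes -rwsr-xr-x and -rwxr-sr-x) and ignores bin/normal; after strip_suid_sgid nothing is reported.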

12. Increase the security of the Linux kernel

Experience shows that Linux was not really designed with tight security features: quite a few holes can be exploited by attackers who know the system well. Using an operating system with a hardened kernel is therefore very important: once the kernel, the core of the operating system, is well designed, the risk of compromise drops greatly.

Readers can consider hardening the Linux kernel through patches. I would like to introduce one of the best websites dedicated to security patches for the Linux kernel, at www.grsecurity.net. There readers can find useful information and download patches to strengthen their own Linux system.


Securing *nix systems with PAM

1. Introduction

You have surely wondered how programs such as ftp, su, login, passwd, sshd and rlogin understand and work with shadow passwords; why su and rlogin ask for a password; why some systems let only a certain group use su, or sudo; or why a system allows only certain users, or groups of users, coming from specific hosts, and applies limits to those users. All of this can be explained by PAM. PAM has far more uses than the ones I have just listed, and it includes many modules for the administrator to choose from.

2. The structure of PAM

- PAM applications are configured in the directory /etc/pam.d or in the file /etc/pam.conf (login, passwd, sshd, vsftp, ...)
- The module libraries are stored in /lib/security (pam_chroot.so, pam_access.so, pam_rootok.so, pam_deny.so, ...)
- The configuration files are stored in /etc/security (access.conf, chroot.conf, group.conf, ...):
  + access.conf controls access permissions; used by the pam_access.so library.
  + group.conf controls user groups; used by pam_group.so.
  + limits.conf sets system resource limits; used by pam_limits.so.
  + pam_env controls the ability to change environment variables; used by the pam_env.so library.
  + time sets time restrictions on services and user permissions; used by the pam_time.so library.

3. How PAM works

Terminology:
- The programs login, passwd, su, sudo, ... above are called privilege-granting applications.
- A PAM-aware application is a program that lets privilege-granting applications work with the PAM library.

The steps:

1. The user runs an application to access the desired service, e.g. login.
2. The PAM-aware application calls the PAM library to perform authentication.
3. The PAM library uses the program's configuration file in /etc/pam.d (here, login -> /etc/pam.d/login) to determine which kind of authentication the program requires. If there is no configuration file, /etc/pam.d/other is used.
4. The PAM library loads the modules required for that authentication.
5. These modules link to the conversation functions of the program.
6. Depending on the modules, these functions make requests of the user, e.g. asking the user to enter a password.
7. The user enters the requested information.
8. When authentication finishes, the program uses the result either to grant the user's request (e.g. allow login to the system) or to report failure to the user.

4. Now let us study the config file

Listing 10-1: The /etc/pam.d/rlogin file

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_rhosts_auth.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth

Each line of the config file has the form:

module-type control-flag module-path module-args

----MODULE TYPE

auth: performs authentication. Typically an auth module asks for a password to check, or establishes identities such as group memberships or a Kerberos ticket.

account: controls additional checks on the authentication request. For example, it can check whether the user is accessing the service from a permitted host and during permitted hours.

password: sets passwords. Usually there is a one-to-one correspondence between an auth module and a password module.

session: handles session-management tasks. It is used to make sure users use their own accounts once authenticated.

----PAM MODULE CONTROL FLAGS

required: this flag tells the PAM library that the corresponding module must succeed; for example, with "auth required /lib/security/pam_securetty.so" the pam_securetty.so module must succeed. If the module fails, authentication fails. PAM still goes on through the remaining modules, but only so that the user cannot guess at which stage the process failed.

sufficient: differs from the flag above in that, once a module succeeds, PAM immediately declares authentication complete without evaluating the remaining modules.

requisite: this flag tells the PAM library to abort authentication immediately on the first failure reported by any module.

optional: rarely used; it means the module's success or failure does not matter and does not affect authentication.

----MODULE-PATH

The path to the PAM library.

----ARGUMENTS

Optional parameters for the module.

The modules (auth, account, password, session) are executed as a stack, in the order they appear in the config file.

Any program that requires authentication can use PAM.
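An added example (not from the original article) serving both the line format described above and the su restriction from section 8 of the security tips: a shell script that parses a PAM service file into its four fields, flags lines whose module type or control flag is outside the documented vocabulary, and answers the question an auditor asks of /etc/pam.d/su: is pam_wheel.so required in the auth stack? The su file below is constructed in the RedHat 8.0 style the article uses.

```shell
#!/bin/sh
# Added example, not from the original article: parse a PAM service file into
# the four fields (module-type control-flag module-path module-args), flag
# lines outside the documented vocabulary, and check whether the su
# configuration requires pam_wheel.so in its auth stack.

# Constructed /etc/pam.d/su in the RedHat 8.0 style used in the article.
SAMPLE_SU='#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_wheel.so group=wheel
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so'

# pam_parse: stdin -> one "status|type|flag|module|args" line per config line;
# status is "ok", or "invalid" for an unknown module type or control flag.
pam_parse() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                       # comments, blanks
        {
            type = $1; flag = $2; mod = $3; args = ""
            for (i = 4; i <= NF; i++) args = args (i > 4 ? " " : "") $i
            sub(/^.*\//, "", mod)                           # basename only
            ok = type ~ /^(auth|account|password|session)$/ &&
                 flag ~ /^(required|requisite|sufficient|optional)$/
            status = ok ? "ok" : "invalid"
            print status "|" type "|" flag "|" mod "|" args
        }
    '
}

# su_requires_wheel: "yes" if an auth line requires pam_wheel.so, else "no".
su_requires_wheel() {
    pam_parse | awk -F'|' '
        $2 == "auth" && $4 == "pam_wheel.so" &&
        ($3 == "required" || $3 == "requisite") { found = 1 }
        END { r = found ? "yes" : "no"; print r }
    '
}

# pam_invalid_count: number of lines with an unknown type or flag.
pam_invalid_count() {
    pam_parse | grep -c '^invalid|' || true
}

printf '%s\n' "$SAMPLE_SU" | pam_parse
printf '%s\n' "$SAMPLE_SU" | su_requires_wheel
```

On a real system the check is "su_requires_wheel < /etc/pam.d/su"; a su file carrying only pam_rootok.so and a Unix password module answers "no", meaning anyone who knows the root password can su, which is exactly the situation section 8 of the security tips tells you to close.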

5. Below I introduce the functions of some modules

pam_access.so:

- Supported module type: account
- This module uses the settings file /etc/security/access.conf. That file has the following format:

<+ or -> : <username list> : <tty list or host list>

+ : grant permission
- : deny permission

where username list is a user or a group of users, tty list is a console login, and host list specifies hosts or domains. The keywords ALL (everything), EXCEPT (except) and LOCAL (local) can be used. The following example forbids osg from logging in from anywhere and allows linet to log in remotely. In the PAM service file:

account required pam_access.so

and in /etc/security/access.conf:

-:osg:ALL
+:linet:ALL EXCEPT LOCAL

pam_chroot.so:

- Supported module types: account; session; authentication
- Used to chroot the users listed in /etc/security/chroot.conf. For example, I chroot sshd so that user linet can only access /home/osg and cannot reach other users' home directories. Add the following line to /etc/pam.d/sshd (note that /etc/ssh/sshd_config must set UsePAM yes):

session required pam_chroot.so

pam_deny.so:

- Supported module types: account; authentication; password; session
- This module always returns false. For example, it is used in /etc/pam.d/other to refuse every user who accesses a PAM-aware program that has no PAM configuration file.

- Account module type: denies users access to the system.

#add this line to your other login entries to disable all accounts login
account required pam_deny.so

- Authentication module type: denies access, as the default setting, e.g. in /etc/pam.d/other. When a user logs in, the modules in /etc/pam.d/login are called first and the user is asked for the corresponding information (username, password); if that information is wrong, PAM calls /etc/pam.d/other to deny access.

#/etc/pam.d/other
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_deny.so
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_deny.so

- Password module type: disallows password changes, for example to stop users changing their passwd. Add the following line to /etc/pam.d/passwd:

password required pam_deny.so

pam_limits.so:

- Supported module type: session
- Sets resource limits in /etc/security/limits.conf, with lines of the form:

username|@groupname type resource limit

A resource can be one of these keywords:
core - Limits the size of a core file (KB).
data - Maximum data size (KB).
fsize - Maximum file size (KB).
memlock - Maximum locked-in memory address space (KB).
nofile - Maximum number of open files.
rss - Maximum resident set size (KB).
stack - Maximum stack size (KB).
cpu - Maximum CPU time in minutes.
nproc - Maximum number of processes.
as - Address space limit.
maxlogins - Maximum number of logins allowed for this user.

Details are in /etc/security/limits.conf.

In the example below, all users are limited to 10 MB per session and allowed at most 4 simultaneous logins; ftp is allowed 10 simultaneous logins (useful for anonymous ftp); members of the managers group are limited to 40 processes, the developers group to 64MB of memory, and users in wwwusers cannot create files larger than 50 MB = 50000 KB.

Listing 3. Setting quotas and limits

*            hard   rss        10000
*            hard   maxlogins  4
*            hard   core       0
bin
ftp          hard   maxlogins  10
@managers    hard   nproc      40
@developers  hard   memlock    64000
@wwwusers    hard   fsize      50000

To activate these limits, add the following line at the end of /etc/pam.d/login:

session required /lib/security/pam_limits.so

pam_listfile.so

- This module reads information from a file and performs the configured action (such as allowing or denying access) depending on whether items such as a username, host or group are present in it. For example, in vsftpd:

auth required /lib/security/pam_listfile.so item=user \
     sense=deny file=/etc/ftpusers onerr=succeed

This asks PAM to load the pam_listfile module and read /etc/ftpusers; if /etc/ftpusers contains username lines, PAM uses sense=deny to decide to block those users. So the users listed in /etc/ftpusers cannot access ftp.

pam_rootok.so

- Use this module when root should not have to enter a password to run a program; for example it is attached to su so that root need not type a password when running su.

pam_wheel.so

- Grants root access only to the wheel group. For example, to allow only members of the wheel group to su to root:

#
# root gains access by default (rootok), only wheel members can
# become root (wheel) but Unix authenticate non-root applicants.
#
auth sufficient pam_rootok.so
auth required pam_wheel.so
auth required pam_unix_auth.so

-----------------> References
Documentation: http://www.kernel.org/pub/linux/libs/pam/pre/doc/
Module source: http://cvs.sourceforge.net/viewcvs.py/pam/Linux-PAM/modules/


How to compile the kernel

1. Getting the kernel:

The kernel source can be downloaded from http://www.kernel.org. The current stable version is 2.4.21 and the development version is 2.5.73. If you do not want to test the kernel's new features, use 2.4.21 for daily work.

2. Unpacking and preparing the kernel: assuming you have downloaded linux-2.4.21.tar.bz2, after running the commands below you are ready to compile the kernel:

2a. $mv linux-2.4.21.tar.bz2 /usr/src/

2b. $cd /usr/src && tar -xvjf linux-2.4.21.tar.bz2

2c. $ln -s linux-2.4.21 linux

At this point you are ready to compile, but sometimes there is a patch that needs applying; in that case run the following in /usr/src/linux:

$patch -p1 --dry-run < /path/and/name/of/the/patch

Note: --dry-run "pretends" to apply the patch without actually changing anything. Use --dry-run before applying, in case the patch is not for the kernel you are using or is itself faulty. If --dry-run reports no errors, apply the patch for real with:

$patch -p1 < /path/and/name/of/the/patch

3. Compile kernel: s

c th c hi n v i cc l nh sau y:

3a. $make menuconfig (ho c make config, ho c make xconfig) s

h ib nm t xi

lo t cu h i cho kernel ph h p v i my c a b n. N u b n bi t ch c mnh s m t ch c nng no th nn tr n u b n l ng l l i Y cn khng th tr l i N, tr

l i M (module)

khng bi t ci ph n c ng c a mnh s

xi driver ny hay driver

khc, nh t l ph n cho network card hay sound card. N u b n khng r cu h i ny h i ci g th g h s c ph n gi i thch kh r rng.

www.nhipsongcongnghe.net

You can download a sample config that I use for a Pentium3 machine with a Tekram SCSI card, SB Live! sound card and bt848 Hauppauge TV card, with ext2/ext3/reiserfs/jfs/tmpfs/iso9660/vfat/ntfs and IPsec VPN compiled into the kernel, and tulip, intel and realtek modules for network cards plus iptables and wireless modules. If you do not need one of them, just comment out that line (put a # in front of it). For example, if your machine is a Pentium4, change the corresponding value. Then run $ make oldconfig instead of $ make menuconfig as above.

3b. $ make dep prepares the necessary dependencies.

3c. $ make clean cleans out stray .o files that the developers left behind in the source tree.

3d. $ make bzImage actually starts compiling the kernel. If all goes well, you will have a bzImage in the directory /usr/src/linux/arch/i386/boot.

3e. $ make modules compiles the modules you selected when running $ make menuconfig above.

3f. $ make modules_install installs the modules into the directory /lib/modules/2.4.21.

3g. $ cp /usr/src/linux/arch/i386/boot/bzImage /boot/mykernel-2.4.21 copies the kernel image you just compiled into the directory /boot.

If you have a SCSI card and compiled the SCSI driver or the filesystem the machine uses (ext3, reiserfs, etc.) as modules, you must create an initial ramdisk with the command $ mkinitrd -o /boot/initrd-2.4.21.img /lib/modules/2.4.21. If the SCSI driver and the filesystem are compiled into the kernel itself, say goodbye to initrd.
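An added example (shell, not from the original article) that applies the rule just stated to a kernel .config, so you can tell before rebooting whether the mkinitrd step is needed; the CONFIG_* option names and the sample .config contents are assumptions constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the original article: decide whether the new
# kernel needs an initial ramdisk. A driver the root device depends on
# (SCSI host adapter, root filesystem) built as a module (=m) means the
# kernel cannot mount / on its own, so mkinitrd is required; built in (=y)
# means no initrd. The CONFIG_* names are assumed 2.4-era names, and the
# sample .config files below are constructed for the demonstration.

# option_state <.config> <CONFIG_NAME>  -> prints y, m or n
option_state() {
    if grep -q "^$2=y" "$1"; then echo y
    elif grep -q "^$2=m" "$1"; then echo m
    else echo n        # written as "# CONFIG_NAME is not set", or absent
    fi
}

# needs_initrd <.config> <CONFIG_NAME>...  -> prints "initrd" or "none"
# Returns 2 when a required driver is missing entirely: the kernel would
# fail to mount the root filesystem whatever you do with initrd.
needs_initrd() {
    config=$1; shift
    verdict=none
    for opt in "$@"; do
        case "$(option_state "$config" "$opt")" in
            m) verdict=initrd ;;
            n) echo "error: $opt is not built at all" >&2; return 2 ;;
        esac
    done
    echo "$verdict"
}

# Constructed sample configs standing in for /usr/src/linux/.config.
builtin_cfg=$(mktemp); modular_cfg=$(mktemp)
cat >"$builtin_cfg" <<'EOF'
CONFIG_SCSI=y
CONFIG_BLK_DEV_SD=y
CONFIG_SCSI_DC390T=y
CONFIG_EXT3_FS=y
CONFIG_REISERFS_FS=m
EOF
cat >"$modular_cfg" <<'EOF'
CONFIG_SCSI=y
CONFIG_BLK_DEV_SD=m
CONFIG_SCSI_DC390T=m
CONFIG_EXT3_FS=y
# CONFIG_REISERFS_FS is not set
EOF

# Root on a Tekram SCSI disk with an ext3 filesystem, as in the article.
ROOT_DEPS="CONFIG_SCSI CONFIG_BLK_DEV_SD CONFIG_SCSI_DC390T CONFIG_EXT3_FS"
for cfg in "$builtin_cfg" "$modular_cfg"; do
    if [ "$(needs_initrd "$cfg" $ROOT_DEPS)" = initrd ]; then
        echo "$cfg: run mkinitrd -o /boot/initrd-2.4.21.img /lib/modules/2.4.21"
    else
        echo "$cfg: built in, no initrd line needed in menu.lst/lilo.conf"
    fi
done
rm -f "$builtin_cfg" "$modular_cfg"
```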

4. Preparing the boot loader

4a. If you use GRUB: create a new section for your kernel by editing menu.lst with $ vi /boot/grub/menu.lst. Assuming your / is on /dev/hda3 and /boot is on /dev/hda1, add the following lines:

    title MyKernel-2.4.21
    kernel (hd0,0)/mykernel-2.4.21 root=/dev/hda3
    initrd (hd0,0)/initrd-2.4.21.img

Because /boot is a separate partition, (hd0,0) already refers to it and the file names are given relative to that partition, without a leading /boot. If you do not use an initrd, the last line above is not needed.

4b. If you use LILO: create a section for your kernel by editing lilo.conf with $ vi /etc/lilo.conf and adding the following lines:

    image=/boot/mykernel-2.4.21
        label=MyKernel-2.4.21
        root=/dev/hda3
        initrd=/boot/initrd-2.4.21.img
        read-only

Remember to run $ lilo afterwards, otherwise you will not see your new kernel when you reboot.

Keep /usr/src/linux/.config: later, if you want to compile 2.4.22 for example, you can reuse it by running $ make oldconfig instead of $ make menuconfig. Note: $ make mrproper deletes the /usr/src/linux/.config file and cleans out all .o files and symlinks (made with ln -s). You cannot use a 2.4 kernel config file for a 2.5 kernel.

I hope this article helps you understand better how to update the kernel from source.

As usual, thanks to the folks on #unixcircle for their feedback. Send comments to em_m_compile_kernel@vnlinux.org


Building a reverse proxy with Linux + Apache: protecting servers


1. Introduction

Hello Linux fans. This article is based mainly on two documents: "Web Security Appliance With Apache and mod_security" by Ivan, the author of mod_security, and "Securing Apache 2: Step-by-Step" by Artur Maj. You can treat it as a Vietnamese translation of those two documents, together with my own thoughts drawn from practical experience deploying reverse proxies -0-. It can be read as a case study within the series "Protecting servers securely with free software".

Our task is to protect one or more content web servers -1- located in the Internal zone -2-. These web servers may be Apache httpd, Microsoft IIS, or simply a small web server embedded in some application. To accomplish this, we will focus on building a firewall/IDS that operates at the application layer, called a reverse proxy in this document, using Apache httpd -3- on Linux.

2. What is a reverse proxy?

A proxy, by definition, is a device that sits between a server and a client and takes part in the "conversation" between the two. The kind of proxy we use every day would be better called a forward proxy: a device sitting between one client and all the servers that client wants to reach. A reverse proxy does exactly the opposite: it sits between one server and all the clients that server has to serve. A reverse proxy is like a station that doubles as a checkpoint: every request from a client must pass through the reverse proxy, which inspects it, filters out invalid requests, and forwards valid ones to their final destination, the servers. Note that a reverse proxy can forward requests to many servers at once.

The biggest advantage of using a reverse proxy is centralised management. Once all traffic passes through a single checkpoint (the reverse proxy), we can apply many other "tricks" to strengthen the security of our system. Of course, every product or technology has its strengths and weaknesses, and the "ghost" that always accompanies a single point of access is a single point of failure. A single point of failure can be addressed by building a cluster; that is entirely beyond the scope of this article, so anyone who wants to learn about clustering on Linux should visit http://www.linux-ha.org. In addition, a properly applied reverse proxy improves the performance and scalability of the web applications running on the content servers. A little later I will go into the advantages of a reverse proxy in detail, and how to exploit them.

3. Installing the reverse proxy server

3.1. Choosing and installing the operating system for the reverse proxy

Naturally I use Linux for the reverse proxy server. I will not describe the Linux installation process here, since there are plenty of good documents on the Internet about it, and I assume that anyone thinking of building a reverse proxy has no trouble installing Linux. Linux has far too many distros, so which one did mrro choose? To me every distro is about the same, but if anyone asks me, the answer is Trustix -4-. Whichever distro you pick, remember to spend some time securing it after installation before reading on -5-. In the next part we discuss installing Apache httpd and the modules that go with it.

3.2. 1.3.x or 2.x?

First, I think we need to answer the question of which Apache version to use for the reverse proxy, 1.3.x or 2.x. I chose 2.x for three reasons. First, I have "heard" that there are many 0-days in the 1.3.x series. Second, Apache 2.x provides a better filtering API than 1.3.x, allowing modules to see and interact with the content of requests and of the corresponding responses returned by the server. This is very important for a reverse proxy acting as an application gateway, since it must inspect all the information passing through it before handing it to the receiving side -6-. The last reason is that Apache httpd 2.x performs much better than 1.3.x when serving static content such as HTML files and images. I care about this because I intend to reduce the load on the internal content servers by splitting content into two kinds, dynamic (CGI/Perl, PHP files) and static (HTML files and images): the content servers serve only dynamic content, while all static content is handed over to the reverse proxy. When a client request arrives at the reverse proxy, if it is for static content the reverse proxy answers the client directly, without forwarding the request to a content server behind it; only requests for dynamic content are forwarded to the content servers for processing.

I will go into this in detail later; note only that in the end I did not use Apache httpd for this purpose but a different web server that specialises in static content.

3.3. Choosing modules for Apache httpd

Besides the modules suggested in "Securing Apache 2: step by step", we need the following additional modules:

- mod_rewrite, mod_proxy, mod_proxy_http: these modules support setting up the reverse proxy.

- mod_security: this module lets us configure the reverse proxy as an application firewall against the common attacks on web applications running on the content servers. -7-

- mod_ssl: this module encrypts the data of connections from client to server using the SSL and TLS protocols, turning the insecure HTTP protocol into HTTPS. -8-

The next important part is choosing an MPM suited to our reverse proxy. MPM stands for Multi-Processing Module, a significant improvement of Apache httpd 2.x over Apache 1.x. In the Apache 2.x architecture the MPM plays a crucial role: it listens on the network ports, accepts connection requests from clients, and passes the requests into Apache httpd for processing -9-. In this case I chose the worker MPM. The worker MPM uses threads to serve requests, so it can serve a large number of requests while consuming far fewer resources than process-based MPMs such as prefork. At the same time the worker MPM still benefits from the stability of process-based MPMs by creating several processes in advance, each with many threads ready to serve clients -10-.

3.4. Compiling and installing Apache httpd

The next question is how to compile the modules. As we know, there are two ways to compile modules in Apache httpd. The first, called the dynamic method, compiles the modules into shared libraries (similar to DLLs on Windows). With this method the modules are compiled into .so files and loaded when Apache httpd starts, if needed (according to the LoadModule directives in conf/httpd.conf). The second, called the static method, bundles all modules into the bin/httpd file itself (statically linked). At startup and while running, Apache httpd does not need to load any further modules. The static method is considered the better choice. Choosing it, we do not need the mod_so module (needed to load .so files in the dynamic method). Moreover, according to Apache's own recommendation, the static method gives about 5% better performance than the dynamic method.

Download Apache httpd 2.x from http://httpd.apache.org/download.cgi and mod_security from http://www.modsecurity.org with the following commands:

    localhost$ wget http://www.tux.org/pub/net/apache/dist/htt...d-2.0.54.tar.gz
    localhost$ wget http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz
    localhost$ tar -xzf httpd-2.0.54.tar.gz -C /usr/local/src
    localhost$ tar -xzf modsecurity-1.8.7.tar.gz -C /usr/local/src

The documentation that comes with mod_security only explains how to compile it as a shared library for Apache httpd, so we need to do some preparation to compile mod_security statically:

    localhost$ cd /usr/local/src
    localhost$ mkdir -p httpd-2.0.54/modules/security
    localhost$ cp modsecurity-1.8.7/apache2/mod_security.c httpd-2.0.54/modules/security
    localhost$ cp httpd-2.0.54/modules/echo/Makefile.in httpd-2.0.54/modules/security

Okay, all set; start compiling as follows:

    localhost$ cd /usr/local/src/httpd-2.0.54
    localhost$ ./configure \
        --with-mpm=worker \
        --disable-charset-lite \
        --disable-include \
        --disable-env \
        --disable-status \
        --disable-autoindex \
        --disable-asis \
        --disable-cgid \
        --disable-cgi \
        --disable-negotiation \
        --disable-imap \
        --disable-actions \
        --disable-userdir \
        --disable-alias \
        --disable-so \
        --with-module=security:mod_security.c \
        --enable-modules='ssl rewrite proxy proxy_http'

If the build succeeds, continue as follows to install Apache httpd onto the system (in the default directory /usr/local/apache):

    localhost$ make
    localhost$ su
    localhost# umask 022
    localhost# make install
    localhost# chown -R root:sys /usr/local/apache
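The following is an added check, not from the original article or the mod_security project: after make install, /usr/local/apache/bin/httpd -l prints the modules compiled into the binary, and this script compares such a listing against what the configure line above should have produced. The two listings here are constructed samples, and the file names expected for each module are assumptions.

```sh
#!/bin/sh
# Added check, not from the original article: compare the module list of a
# statically linked httpd (as printed by `httpd -l`) with what the configure
# line asked for. REQUIRED follows from --with-mpm=worker, --with-module and
# --enable-modules; FORBIDDEN is a subset of the --disable-* options. The
# file names are assumptions about how httpd -l names each module.

REQUIRED="worker.c mod_ssl.c mod_rewrite.c mod_proxy.c mod_proxy_http.c mod_security.c"
FORBIDDEN="mod_so.c mod_cgi.c mod_cgid.c mod_status.c mod_autoindex.c mod_include.c mod_userdir.c"

# has_module <listing> <file.c>  -> exit 0 if the module is in the listing
has_module() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' | grep -Fqx "$2"
}

# audit_modules <listing>  -> prints one line per finding, exit 1 if any
audit_modules() {
    listing=$1; rc=0
    for m in $REQUIRED; do
        has_module "$listing" "$m" || { echo "missing: $m"; rc=1; }
    done
    # mod_so present would mean LoadModule still works, defeating --disable-so
    for m in $FORBIDDEN; do
        if has_module "$listing" "$m"; then
            echo "should not be built in: $m"; rc=1
        fi
    done
    return $rc
}

# Constructed sample of `httpd -l` output for a build matching the article.
GOOD_BUILD='Compiled in modules:
  core.c
  worker.c
  http_core.c
  mod_log_config.c
  mod_mime.c
  mod_ssl.c
  mod_rewrite.c
  mod_proxy.c
  mod_proxy_http.c
  mod_security.c'

# Constructed sample of a build where the configure flags were not applied.
BAD_BUILD='Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c
  mod_cgi.c
  mod_ssl.c
  mod_rewrite.c
  mod_proxy.c
  mod_proxy_http.c'

if audit_modules "$GOOD_BUILD"; then echo "good build: OK"; else echo "good build: FAILED"; fi
if audit_modules "$BAD_BUILD"; then echo "bad build: OK"; else echo "bad build: FAILED"; fi
```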

3.5. Changing the server's "root"

For this part please refer to the document "Securing Apache 2: Step-by-Step".

-m

(to be continued) Next part: 4. Configuring Apache httpd as a reverse proxy

-----------------------

-0-: In fact, for the Vietnamese text of "Securing Apache 2: Step-by-Step" I copied quite a lot from the translation and expansion of "Securing Apache: Step-by-Step" (http://www.securityfocus.com/infocus/1694) by hnd aka conmale. See also conmale's translation and expansion at http://www.hvaonline.net/forum/index.php?a...T&f=161&t=46199

-1-: Besides web servers, the reverse proxy solution (or something similar) can be applied to other services such as VNC (see http://sourceforge.net/projects/vnc-reflector/) and mail (see the document "Qmail as the mail gateway" by hnd@diendantinhoc.org). The only service I have not yet managed to reverse-proxy is FTP; if anyone has information about FTP reverse proxies, please let me know.

-2-: We can still set up a reverse proxy to protect web servers located right in the DMZ, or place a reverse proxy inside the Internal zone to protect Internal web servers from threats coming from inside.

-3-: Besides Apache httpd, there is plenty of other software that can act as a reverse proxy; the most notable is pound. See http://www.apsis.ch/pound/.

-4-: Trustix is a compact distro (the full install fits on a single CD) built on RedHat with two main goals, security and stability. The latest stable Trustix version is 2.2; the unstable version is 3.0 RC2. See www.trustix.org.

-5-: See the Linux Security HOWTO at http://www.tldp.org for details. The Bastille-Linux software is also very useful for securing Linux servers.

-6-: Only with Apache 2.x do the mod_security rules that filter OUTPUT take effect.

-7-: See the mod_security documentation at http://www.modsecurity.org and conmale's series on the DDoS attacks against HVA.

-8-: Since Apache httpd 2.0, mod_ssl has been officially included in Apache httpd. See the mod_ssl documentation at http://www.modssl.org.

-9-: Choosing the MPM for Apache 2.x is extremely important and greatly affects server performance, so I think anyone interested in Apache 2.x should read the MPM documentation at http://httpd.apache.org/docs-2.0/mpm.html

-10-: Why are threads "tastier" than processes when it comes to performance? Those interested should look for the following: Advanced Linux Programming (http://www.advancedlinuxprogramming.com) and Understanding the Linux Kernel.

Author: Mrro - HVAonline group


Using .htaccess files on an Apache server


15/11/2004 12:37

Have you heard of the .htaccess file on Unix-family servers (FreeBSD, Linux, Solaris, Tru64...)? You know this file can control quite a lot, even changing the default settings of the Apache server (http://apache.org/). But how many of its directives have you used to make your website stronger and safer? In this round-up the author will study with you some of the most common directives for protecting and controlling your website the way you want. Let's begin!

Creating personalised error pages

While serving a client, if an error occurs (for example a file is not found), Apache reports it with a ready-made page showing the error code, which is unattractive and hard to understand. With .htaccess you can create nicer error pages yourself. To do so, add the following line to .htaccess:

    ErrorDocument <error code> /trangloi.html

where <error code> is the code of the error that occurred. The most frequent errors are:

    401 Authorization Required (password needed)
    400 Bad request
    403 Forbidden (not allowed in)
    500 Internal Server Error
    404 Wrong page (page not found...)

and trangloi.html is the web page you want to display when the error occurs; you can put whatever content you like in it, such as a link back to the site's home page. For example:

    ErrorDocument 404 /trangloi.html

or:

    ErrorDocument 500 /loi/500.html

Now upload the two files .htaccess and trangloi.html to your hosting.

Preventing bandwidth theft

Web hosting services normally give you a fixed amount of data transfer per month, and when you use it up, your website is automatically shut down. You then have to pay for the excess bandwidth or wait until next month. If other websites steal your images and data (by simple tricks), increasing your data transfer, you end up paying for something you did not use. Using .htaccess is a perfect solution to prevent unauthorised use of the images on your website. Just put the following into .htaccess:

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?trangweb\.com/.*$ [NC]
    RewriteRule \.(gif|jpg)$ - [F]

The above uses the Apache Rewrite module; just change trangweb.com to your own website's address. To show bandwidth thieves a warning image instead, use the following:

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?trangweb\.com/.*$ [NC]
    RewriteRule \.(gif|jpg)$ http://www.trangweb.com/diehotlinker.jpg [R,L]

Hiding directory listings

When a directory has no index or default file, Apache displays a list of the files in it. If these are sensitive documents you do not want others to see, add the following to .htaccess:

    Options -Indexes

Replacing the index page

Normally when a web page is requested, Apache looks for index.htm or default.htm to return to the browser; you can change this default with .htaccess:

    DirectoryIndex index.php index.php3 messagebrd.pl index.html index.htm

With this directive, the listed files are searched for in that order when the current directory is requested, and the first one found becomes the directory's index page.

Blocking/restricting IP access

If someone wants to flood your website, block that person's IP from accessing it by adding the following to .htaccess:

    deny from 203.262.110.20

To allow an IP:

    allow from 203.262.110.20

If you write only 203.262.110, all IPs in the range 203.262.110.1 to 203.262.110.254 are blocked. The directive

    Deny from all

blocks all access to the web pages in the directory; however, the files in it can still be used from outside via require or include statements (in PHP programming). See the source code of the phpBB forum, IBF, etc. to understand this better.

Automatic redirection to a new address

You have moved your website to a new address but not everyone knows; redirect visitors from the old one simply with:

    Redirect /olddirectory http://www.trangwebmoi.com/thumucmoi

Customising file extensions

Normally the file extension depends on the web programming language you use: html, htm, asp, aspx, php, cgi, ... With .htaccess, however, you can make Apache deliver your files to the user's browser under an extension of your choosing. Use the following in .htaccess:

    RewriteEngine on
    RewriteRule (.*)\.dll$ $1.html

Here html is the real extension of the files on the website and dll is the extension you chose. Note that links on your web pages must point to the files with the new extension (dll above), for example http://www.trangweb.com/index.dll

Notes on using .htaccess:
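As an added example (not part of the original article), the following shell function models the anti-hotlinking rules above so their behaviour can be checked against sample requests before the .htaccess is uploaded; trangweb.com is the article's placeholder domain and the requests are constructed. It also shows two limits of the rule set: referers from the site's own https:// pages are refused, and files named .JPG in upper case are never examined.

```sh
#!/bin/sh
# Added example, not from the original article: a shell model of the
# anti-hotlinking rule set. grep -E stands in for Apache's regex engine (the
# pattern uses nothing beyond ERE) and -i for the [NC] flag. trangweb.com is
# the article's placeholder domain; the sample requests are constructed.

# Decision of "RewriteRule \.(gif|jpg)$ - [F]" guarded by the two RewriteConds.
# hotlink_check <request path> <Referer header or empty>  -> prints serve/403
hotlink_check() {
    path=$1; referer=$2
    # The RewriteRule matches only .gif/.jpg, case-sensitively (no [NC] on
    # it): a request for photo.JPG is never examined by the conditions.
    case "$path" in
        *.gif|*.jpg) ;;
        *) echo serve; return 0 ;;
    esac
    # RewriteCond %{HTTP_REFERER} !^$ : a missing Referer is let through, so
    # browsers and proxies that strip Referer still get the images.
    if [ -z "$referer" ]; then echo serve; return 0; fi
    # RewriteCond %{HTTP_REFERER} !^http://(www\.)?trangweb\.com/.*$ [NC]
    if printf '%s\n' "$referer" | grep -Eiq '^http://(www\.)?trangweb\.com/.*$'; then
        echo serve; return 0
    fi
    echo 403; return 1
}

# Constructed sample requests: path, then the Referer header, separated by |.
for req in \
    'logo.gif|' \
    'logo.gif|http://www.trangweb.com/index.html' \
    'logo.gif|HTTP://TRANGWEB.COM/' \
    'logo.gif|http://other.example/page.html' \
    'logo.gif|http://trangweb.com.other.example/' \
    'logo.gif|https://www.trangweb.com/secure.html' \
    'photo.JPG|http://other.example/' \
    'index.html|http://other.example/'
do
    path=${req%%|*}; referer=${req#*|}
    printf '%-10s referer=%-40s -> %s\n' "$path" "${referer:-<none>}" \
        "$(hotlink_check "$path" "$referer")"
done
```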

- This only works on Apache servers with .htaccess enabled; if unsure, contact your hosting provider.

- To create the file you can use Windows Notepad: choose Save As with the name .htaccess, but when saving remember to drop the .txt extension.

- .htaccess affects only files at the same level (in the same directory) or in subdirectories. For directories, it affects the directory containing it and its subdirectories, not the parent directory.

- You can use an FTP program (Leaf FTP, WS FTP, Cute FTP) to upload .htaccess to your hosting in ASCII mode; if it does not work, try CHMOD 644.
