Active Directory
Exchange server
Proxy server
ISA server
FTP server
IIS server
SQL server
Use Linux machines to meet the same functional requirements as Windows machines. Replace the network model built on Windows servers with one built on Linux servers. The Linux servers take over the roles of the Windows servers, with good manageability and fault tolerance.
Course contents
Installing Linux as a Server
Technical Summary of Linux Distributions. Installing Linux in a Server Configuration. Installing Software.
Q & A
Contents
Open source and the GPL
Open source software and the GNU General Public License. The history of Linux development.
Characteristics of the Linux operating system. Differences between Linux and Windows. Benefits and limitations of Linux. The main Linux distributions.
Anyone can read the source code of open source software, modify it, and compile it as they wish. Modified open source code may be used privately or released publicly; if it is released, the complete source code must be provided.
History of Linux
Linux was embraced by the Internet community, and many volunteers joined its development.
When users obtain a piece of open source software, they are free to modify it, share it, and redistribute it.
Characteristics of Linux
Hardware:
Runs on many platforms: Alpha, AMD, Intel, MIPS, PowerPC, Sparc.
Software:
http://www.freshmeat.net http://www.linuxberg.com http://www.rpmfind.net/linux/RPM/
Programming languages: C, C++, FORTRAN, Java, Perl, Python, PHP.
Easy remote management: easily administered remotely from the command line or a GUI.
Documentation:
http://www.tldp.org/
Linux vs. Windows
Windows is an operating system designed for a single user. Unix is an operating system designed for multiple users: many people can run a program on one machine at the same time.
Windows has supported multiple users since Windows 95; Unix has supported them since 1969.
Benefits & limitations of Linux
Many people argue that because anyone can inspect the source code, it cannot be secure. Secrecy, however, is not security: Linux code is reviewed by thousands of programmers, so a bug is found more easily than in closed source code.
A limitation: when an error occurs, not everyone is able to understand it.
Linux distributions
Debian GNU/Linux
http://www.debian.org
MandrakeSoft
http://www.linux-mandrake.com
Red Hat
http://www.redhat.com
Slackware Linux
http://www.slackware.com
SuSE
http://www.suse.com
TurboLinux
http://www.turbolinux.com
Q & A
Contents
Summary of the installation steps. Checking hardware support.
Installation steps
Choose the installation type:
From a local CD. Over the network: from a volume on a network server, from a CD shared by another machine, or via FTP or HTTP.
Network configuration.
Installation steps (cont.)
Hardware support
Most Linux distributions detect the hardware configuration automatically: PCMCIA, CD-ROM, hard drive, laptop issues, memory, NIC, modem, mouse, SCSI adapter. Special or very new hardware devices need attention.
By default, the partitions are mounted under the / partition. /swap: virtual memory. /bin: essential commands. /boot: boot loader configuration files. /dev: device files. /etc: configuration files. /home: user data. /lib: essential library files and kernel modules.
Network configuration
Boot loader
LILO, GRUB
The boot loader lets you choose which operating system to boot. At the boot loader prompt you can intervene with commands to change the boot parameters.
File grub.conf:
boot=/dev/sda
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Linux Fedora (2.6.5-1.358smp)
        root (hd0,0)
        kernel /vmlinuz-2.6.5-1.358smp ro root=LABEL=/ rhgb quiet
        initrd /initrd-2.6.5-1.358smp.img
title Windows 2000
        rootnoverify (hd0,0)
        chainloader +1
An Ninh Mạng ATHENA (ATHENA Network Security), www.athena.com.vn
Q & A
Installing software
Contents
Add/Remove Programs. Red Hat Package Manager (RPM).
Installing with the graphical Add/Remove Programs tool of Linux solves the following problems:
simple operations, easy to carry out; dependent packages are installed automatically; easy to manage.
The rpm command
Install a package:
rpm -i package.rpm
Upgrade a package:
rpm -U package.rpm
Remove a package:
rpm -e package.rpm
Installing from source
Compatible with every Linux distribution. Packaged with GNU Zip (.gz) or BZip2 (.bz2) compression:
<filename>.tar.gz or <filename>.tar.bz2
Installing a source package (unpack, configure, build, install):
tar xzf <filename>.tar.gz      (or: tar xjf <filename>.tar.bz2)
cd <filename>
./configure
make
make install
Some applications
Q & A
Contents
The information that defines a user. User management tools.
Managing Users
Defining users
Users are defined in a system to determine who may use what in that system. In Linux every user has a unique identifier, the UID (User ID):
0 - 99: users with administrative rights. > 99: other users. >= 500: non-system users. => Can a UID be reused?
Each user needs the following information: user name, UID, group name, GID, home directory. Windows manages this information with LDAP and Kerberos; Linux manages it in text files. User information can be edited with tools or directly in the text files.
Each user belongs to at least one group. Each group also has a unique identifier, the GID.
File /etc/passwd
One line per user, fields separated by ':':
Username : Password : UID : GID : Description : Home directory : Shell
File /etc/shadow
One line per user. The fields include the username, the password, the number of days before the password must be changed, and the number of days in advance the user is warned if the password has not been changed.
File /etc/group
One line per group, fields separated by ':':
Groupname : Grouppassword : GID : Group members (usernames)
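Added example (not from the course slides): a small audit of the two files described above, run against constructed copies of /etc/passwd and /etc/shadow written to a temporary directory. It answers the slide's own question about reused UIDs and flags the conditions an administrator checks first: extra UID 0 accounts, shared UIDs, empty password fields, and passwords that never expire. All sample lines and file names are constructed for this demo.

```shell
# Added example, not course material. Writes constructed passwd/shadow
# copies into a temp dir and audits them with awk.

make_sample_account_files() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
toor:x:0:0:second admin:/root:/bin/bash
carol:x:501:501:Carol:/home/carol:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$salt$hash:15000:0:99999:7:::
bin:*:15000:0:99999:7:::
alice:$6$salt$hash:15000:0:90:7:::
bob::15000:0:99999:7:::
toor:$6$salt$hash:15000:0:99999:7:::
carol:$6$salt$hash:15000:0:99999:7:::
EOF
    echo "$dir"
}

# Accounts with UID 0 other than root: each one is a full administrator,
# whatever its name suggests.
uid0_accounts() {            # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# UIDs shared by more than one account. A UID can be reused, and the
# kernel then cannot tell the accounts apart: they own the same files.
duplicate_uids() {           # $1 = passwd file
    awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' "$1" | sort -n
}

# Accounts whose shadow password field is empty, i.e. no password needed.
empty_passwords() {          # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts whose password never expires (max-age field 99999), excluding
# locked accounts whose password field is "*".
never_expiring_passwords() { # $1 = shadow file
    awk -F: '$5 == 99999 && $2 != "*" { print $1 }' "$1"
}
```

Run `d=$(make_sample_account_files); uid0_accounts "$d/passwd"` and so on; against a real system, point the functions at /etc/passwd and /etc/shadow (the latter is readable only by root).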
Granting user permissions
Sticky bit: only the file's owner or root may delete the file.
Default configuration
When useradd is run without options to create a user, the user's attributes are created from the default configuration. The files that define the default configuration:
/etc/default/useradd /etc/skel /etc/login.defs
To change the defaults, edit these files directly.
Default configuration (cont.)
/etc/default/useradd: the default values for creating an account. /etc/skel: the directory whose contents are copied into each new user's home directory. /etc/login.defs: the default settings for shadow passwords.
Q & A
Command line and background jobs
The command line is the strength of Unix and Linux. On Unix and Linux, graphical operations cannot cover all the work that must be done; the command line is the most effective tool. The Unix and Linux command line is case sensitive. To learn how to use a command, call man.
E.g.: man ls
ls -al  (command, option)
The su and sudo commands. Commands for setting environment variables. Commands for creating, deleting, editing and copying files and directories:
mkdir, cp, mv, rmdir, ln, cat, vi, rm
Search commands
find, locate
Redirect output
command > output    command >> output
Example: ls -al /root > /tmp/out.txt
Background jobs
Normally a command runs in the foreground and sends its output to the screen (the output can be redirected to a file). If a command runs for an hour in the foreground, it occupies the BASH shell, so the user has to open another shell to work.
A command can also be started in the background; if needed, its output is sent to a file, and the user can keep working in the BASH shell as usual.
Q & A
Contents (cont.)
The init process and the inittab file. The rc.sysinit process. The /etc/rc.d/rc script. The Linux shutdown process.
Boot loader
BIOS / POST
MBR (LILO or GRUB): lets you choose the operating system to boot. Kernel + initrd: load the kernel and detect the hardware. Mount the root file system (read-only). /sbin/init: the parent process of every process.
The boot loader, also called the boot manager, manages several operating systems and lets you choose which one to boot. The two common Linux boot loaders:
LILO (LInux LOader), GRUB (GRand Unified Bootloader)
When the configuration file changes, GRUB picks it up automatically; with LILO, /sbin/lilo must be run to update the configuration. Today GRUB is the default boot loader of the vast majority of Linux distributions.
/etc/inittab: decides the run level and starts the services that run level needs. The graphical display is started if the runlevel is 5.
The grub.conf configuration file:
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Linux Fedora (2.6.5-1.358smp)
        root (hd0,0)                 # first disk, first partition
        kernel /vmlinuz-2.6.5-1.358smp ro root=LABEL=/ rhgb quiet
        initrd /initrd-2.6.5-1.358smp.img
title Windows server 2003
        rootnoverify (hd0,1)
        chainloader +1
In (hd%d,%d), %d is an integer starting from zero, so (hd0,0) denotes the first partition of the first disk. LILO uses the usual Linux naming instead: hdXY, sdXY.
Some GRUB commands, usable at the grub prompt or in grub.conf:
initrd (initial RAM disk): used to detect the hardware and load drivers. It also mounts the file systems read-only so that they can be checked.
The init process reads /etc/inittab to decide which runlevel to boot into. Each line in /etc/inittab has the form:
id:runlevels:action:process
If none is defined, which runlevel does it boot into?
/etc/rc.d/rc script
Runs every script associated with that run level. E.g.: if the runlevel is 5, it runs the scripts in /etc/rc.d/rc5.d. These scripts are symbolic links to the real scripts, which normally live in /etc/init.d.
Scripts whose names start with S: the system runs /etc/rc.d/init.d/<command> start. Scripts whose names start with K: the system runs /etc/rc.d/init.d/<command> stop.
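Added example (not from the course slides): a simulation of what the /etc/rc.d/rc script does for one runlevel, built in a temporary directory so it runs without touching a real system. The init.d scripts, the S/K link names and the runlevel directory layout are constructed for the demo; the order (K links first, then S links, each in name order) follows the convention described above.

```shell
# Added example, not course material. Builds a fake init.d/rc5.d tree in a
# temp dir, then walks rc5.d the way /etc/rc.d/rc does.

make_sample_rc_dir() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d" "$root/rc5.d"
    # Each "real" script just reports its name and the action it received.
    for svc in network sshd httpd xinetd; do
        printf '#!/bin/sh\necho "%s $1"\n' "$svc" > "$root/init.d/$svc"
    done
    # Links named Snnname are started, Knnname are stopped; nn fixes the order.
    ln -s ../init.d/network "$root/rc5.d/S10network"
    ln -s ../init.d/sshd    "$root/rc5.d/S55sshd"
    ln -s ../init.d/httpd   "$root/rc5.d/S85httpd"
    ln -s ../init.d/xinetd  "$root/rc5.d/K50xinetd"
    echo "$root"
}

# Walk rc<level>.d: K links get "stop", then S links get "start".
# Prints one "service action" line per link, in the order rc would run them.
run_rc_level() {             # $1 = root dir, $2 = runlevel
    for link in "$1/rc$2.d"/K* "$1/rc$2.d"/S*; do
        [ -e "$link" ] || continue
        case "$(basename "$link")" in
            K*) sh "$link" stop ;;
            S*) sh "$link" start ;;
        esac
    done
}

# Services that will be started in a runlevel: the S links without prefix.
# Useful when reviewing which network services a server brings up at boot.
enabled_services() {         # $1 = root dir, $2 = runlevel
    for link in "$1/rc$2.d"/S*; do
        [ -e "$link" ] || continue
        basename "$link" | sed 's/^S[0-9][0-9]//'
    done
}
```

Usage: `r=$(make_sample_rc_dir); run_rc_level "$r" 5; enabled_services "$r" 5`. On a real machine, `enabled_services /etc/rc.d 3` lists what runlevel 3 starts.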
Q & A
File systems
Contents
Disks and partitions. The file system concept.
Disks and partitions
Every hard disk must be divided into partitions. Each partition is treated as an independent area: when it fills up, a partition cannot overflow into the space of another partition.
Different operating systems can be installed on different partitions; a boot loader then manages the boot process.
Every partition must be mounted before it can be used. When are the system partitions mounted? => /etc/fstab
PV (Physical Volume)
Easy to grow the size of a volume: to add storage capacity, simply add a new disk.
Q & A
pvcreate: initialises physical volumes for use in an LVM environment. A physical volume can be a hard disk, another storage device, or a partition.
pvdisplay: shows information about a physical volume.
vgcreate: creates a volume group from physical devices initialised with pvcreate.
vgextend: adds a physical volume to a volume group.
vgdisplay: shows information about a volume group.
lvcreate: creates a logical volume from a volume group.
lvdisplay: shows information about a logical volume.
Contents
Service syslogd. Service crond.
Service xinetd
Service syslogd
Administrators need to monitor the events occurring in the system continuously. When an incident happens, they need to look back at the events that occurred in the system before that moment.
/etc/sysconfig/syslog:
Defines the operating mode of the syslogd service: keep logs locally, or send them to a remote server?
Each logging rule consists of three parts:
facility
level
action
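Added example (not from the course slides): a matcher for the facility.level selectors listed above, applied to a constructed syslog configuration. It follows the syslog.conf(5) rules: a selector matches messages of the named facility at the given level or any more severe level, `*` matches every facility, `none` removes a facility from an otherwise matching line, and selectors on one line are separated by `;` and evaluated left to right. The configuration text and the loghost name are constructed for the demo.

```shell
# Added example, not course material: route a message to the actions of a
# syslog.conf-style configuration. Config below is constructed.

SAMPLE_SYSLOG_CONF='
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
mail.*                           /var/log/maillog
kern.warning                     @loghost.example.com
'

# Level name -> numeric priority (0 = most severe, 7 = debug).
level_num() {
    case "$1" in
        emerg|panic) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) echo 99 ;;
    esac
}

# Does selector $1 (e.g. "*.info", "mail.none") apply to facility $2 at level $3?
# Prints yes, no, or exclude (for facility.none).
selector_match() {
    sel=$1; fac=$2; lvl=$3
    sfac=${sel%%.*}; slvl=${sel#*.}
    [ "$sfac" = "*" ] || [ "$sfac" = "$fac" ] || { echo no; return; }
    [ "$slvl" = "none" ] && { echo exclude; return; }
    [ "$slvl" = "*" ] && { echo yes; return; }
    if [ "$(level_num "$lvl")" -le "$(level_num "$slvl")" ]; then echo yes; else echo no; fi
}

# Print every action that receives a message of facility $1 at level $2,
# reading rules from the configuration text in $3.
route_message() {
    fac=$1; lvl=$2
    set -f                      # selectors contain '*'; never glob them
    printf '%s\n' "$3" | while read -r selectors action; do
        [ -n "$selectors" ] || continue
        matched=no
        oldifs=$IFS; IFS=';'
        for sel in $selectors; do
            case "$(selector_match "$sel" "$fac" "$lvl")" in
                yes) matched=yes ;;
                exclude) matched=no ;;
            esac
        done
        IFS=$oldifs
        if [ "$matched" = yes ]; then echo "$action"; fi
    done
    set +f
    return 0
}
```

`route_message kern err "$SAMPLE_SYSLOG_CONF"` prints both /var/log/messages and the remote loghost; a mail.info message goes only to /var/log/maillog because of `mail.none` on the first line. The remote action (`@host`) is what the slide's "send logs to a remote server" mode refers to: it keeps a copy of the events an intruder may try to erase locally.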
Logs kept continuously pile up, and old logs are no longer needed. A process is needed to rotate the logs daily or at a user-defined size and clean up old logs. The process that rotates logs: logrotate.
/etc/logrotate.conf: defines the options shared by all log rotation. Services whose logs rotate in the usual way can be defined directly in logrotate.conf. /etc/logrotate.d/: each service can define its own file, rotating its logs as that service requires.
File /etc/logrotate.conf
File /etc/logrotate.d/radiusd
Service crond
Services need to run periodically, or at a specific time of day -> scheduling is needed. The crond service periodically runs predefined tasks.
Run directly with the crontab command, or by the crond service, whose configuration file is /etc/crontab.
Service xinetd
Every service listens for and accepts requests from clients. Many services rarely receive requests yet keep listening => wasted resources. xinetd, the extended Internet services daemon, manages such services centrally: xinetd listens for every request sent to the services it serves. When a service is needed, xinetd starts it and forwards the request to it. The services only accept requests from xinetd, never directly from clients, and xinetd protects them by checking each request before handing it over.
xinetd configuration:
/etc/xinetd.conf: defines common options for the services that use xinetd.
File /etc/xinetd.d/krb5-telnet
/etc/xinetd.d/: each service has a configuration file that defines its specific configuration under xinetd.
Q & A
Before allowing a request to be handled, xinetd can check whether the requesting IP is allowed using the following files:
/etc/hosts.allow: hosts in this file are accepted. /etc/hosts.deny: requests from hosts in this file are discarded.
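Added example (not from the course slides): an evaluator for the hosts.allow / hosts.deny check described above, in the order the TCP wrappers library uses: hosts.allow is consulted first, then hosts.deny, and a client matched by neither is allowed. It understands the client forms that appear on these slides (a single address, a dotted prefix ending in ".", net/mask as in the later NFS slide, and ALL), so it serves the NFS hosts.allow example further on as well. Both files, their contents and the daemon names are constructed for the demo.

```shell
# Added example, not course material: decide allow/deny for a daemon and a
# client address from constructed hosts.allow / hosts.deny files.

make_wrapper_files() {
    dir=$(mktemp -d)
    cat > "$dir/hosts.allow" <<'EOF'
portmap,lockd,mountd,rquotad,statd: 192.168.0.0/255.255.0.0
sshd: 10.0.0.5 10.0.1.
EOF
    cat > "$dir/hosts.deny" <<'EOF'
ALL: ALL
EOF
    echo "$dir"
}

ip_to_int() {                # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Does client pattern $1 match address $2? Returns 0 on match.
client_match() {
    pat=$1; ip=$2
    case "$pat" in
        ALL) return 0 ;;
        */*) net=${pat%/*}; mask=${pat#*/}
             n=$(ip_to_int "$net"); m=$(ip_to_int "$mask"); i=$(ip_to_int "$ip")
             [ $(( i & m )) -eq $(( n & m )) ] ;;
        *.)  case "$ip" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$pat" = "$ip" ] ;;
    esac
}

# Does any "daemons: clients" line in file $1 cover daemon $2 and client $3?
file_matches() {
    file=$1; daemon=$2; ip=$3
    while IFS= read -r line; do
        line=${line%%#*}
        [ -n "$line" ] || continue
        daemons=${line%%:*}; clients=${line#*:}
        dmatch=1
        for dpat in $(printf '%s' "$daemons" | tr ',' ' '); do
            [ "$dpat" = ALL ] || [ "$dpat" = "$daemon" ] && dmatch=0
        done
        [ $dmatch -eq 0 ] || continue
        for cpat in $(printf '%s' "$clients" | tr ',' ' '); do
            client_match "$cpat" "$ip" && return 0
        done
    done < "$file"
    return 1
}

# allow if hosts.allow matches, deny if hosts.deny matches, else allow.
wrapper_decision() {         # $1 = dir with both files, $2 = daemon, $3 = client ip
    if file_matches "$1/hosts.allow" "$2" "$3"; then echo allow
    elif file_matches "$1/hosts.deny" "$2" "$3"; then echo deny
    else echo allow
    fi
}
```

With these files, `wrapper_decision "$d" mountd 192.168.5.7` prints allow and `wrapper_decision "$d" mountd 192.169.0.1` prints deny. The `ALL: ALL` line in hosts.deny is what turns the default from "allow everything not listed" into "deny everything not explicitly allowed"; without it, a daemon missing from hosts.allow is open to every client.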
Contents
Kernel version. Kernel modules.
Compiling the kernel.
Kernel version
major: the main version of the kernel. minor: significant changes within that version.
Even minor number: this version has been tested and released for general use, e.g. 2.4, 2.6. Odd minor number: this version is for experimental use, typically by kernel developers.
The default kernel is compiled with the necessary modules; when required, the kernel can be recompiled => a new operating system results.
Kernel modules
The kernel is usually compiled with only the most necessary modules. Rarely used modules can be inserted into the kernel when needed. Kernel modules are object files stored under /lib/modules/kernel-version/kernel.
Some kernel modules:
block: modules for special hardware such as RAID controllers and IDE tape drives. cdrom: modules for CD-ROM drives. fs: file system modules. ipv4: modules required for TCP/IP networking. net: network interface modules. scsi: SCSI controller modules. video: video adapter modules. misc: modules that belong to none of the groups above.
Compiling the kernel
The modinfo command: shows information about a module. The modules.dep file: lists the dependencies between modules.
make mrproper; then make config, or make menuconfig, make xconfig, or make oldconfig. Once the config file has been created, it can be edited in the Makefile, and the remaining commands are run.
Q & A
The file system of the new kernel is the same as that of the old one; the new system differs from the old only in the modules compiled into the kernel.
Contents
Configuration files
/etc/hosts /etc/network /etc/sysconfig/network-scripts/ifcfg-eth[n]
Networking Fundamentals
/etc/resolv.conf /etc/services
File /etc/hosts
A table mapping IP addresses to host names in the network, similar to the lmhosts file on Windows.
Syntax of the file:
IP address<Tab>Fully.Qualified.Name<space>[host_alias]*
192.168.1.10 centos-1.nhatnghe.com centos-1
Applications consult this file first when they need to look up a host by name.
File /etc/sysconfig/network
File ifcfg-eth[n]
File /etc/resolv.conf
/etc/resolv.conf defines the name servers the machine uses for domain name resolution. Common directives:
domain: the machine's DNS domain. nameserver: the IP address or name of a name server the machine will use; at most 3 entries. search:
File /etc/services
/etc/services is a list of network ports and the services that use them. When defining a new service, the administrator must add a service name / port number pair to /etc/services.
Port 0 - 1024: reserved ports. Port > 1024: ports defined as needed by applications.
The ifconfig command configures the IP address, netmask, broadcast address and other parameters:
ifconfig eth0 192.168.1.10 netmask 255.255.255.0
man ifconfig
ifconfig configures one network card (one interface) at a time. Its parameters have the same meaning as those in /etc/sysconfig/network-scripts/ifcfg-eth[n]. The ifup command enables an interface; the ifdown command disables it.
The route command
The route command displays, edits and manages the routing table. It lets the administrator define static routes: routes that rarely change, need no regular updates, and are defined for a specific purpose. It also lets the administrator adjust the default gateway.
The traceroute command: follows the path of a packet through the network; commonly used for debugging, to find out why packets do not reach a given network. The netstat command: lists the listening ports, the connections open to the machine, and their states. The tcpdump command: captures packets on the network; the capture can be saved to a file and analysed with Ethereal to identify the type of traffic or look for signs of interest.
Q & A
DHCP Server
Contents
DHCP is the service that provides dynamic IP addresses to the machines in a network. It also dynamically provides other parameters: DNS servers, gateway, and fixed (static) IP assignments. DHCP is installed from two packages:
dhcp-[version].rpm, dhcp-devel-[version].rpm, or from a source package.
Configuration files
/etc/dhcpd.conf, /var/lib/dhcpd/dhcpd.leases
The dhclient command
File /etc/dhcpd.conf
File dhcpd.leases
The dhclient command
Q & A
Contents
NFS server
Introduction to NFS. Configuring NFS. NFS security.
Samba server
Introduction to Samba. Configuring Samba. SWAT.
Configuring NFS
NFS has little security of its own, so the clients that are permitted to mount the NFS server's exports must be trusted.
File /etc/exports:
Syntax:
/path/to/export   [host](options)
/path/to/export: the shared directory. host: the host allowed to access it. options: the access rights, e.g. ro, rw, noaccess, root_squash.
Example:
/mnt/cdrom (ro)
/tmp
/home (rw) 192.168.0.0/255.255.255.0(rw)
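Added example (not from the course slides): a parser for the /etc/exports syntax above that reports the entries an NFS administrator should look at twice. Per exports(5), an options group with no host in front of it, as in `/mnt/cdrom (ro)`, applies to every host, and a host followed by a space and then `(options)` is two entries: the host with default options and the world with the given options. The exports text below is constructed for the demo and reuses the slide's example lines.

```shell
# Added example, not course material: list and audit /etc/exports entries.

SAMPLE_EXPORTS='
/mnt/cdrom (ro)
/tmp
/home (rw) 192.168.0.0/255.255.255.0(rw)
/srv/data 192.168.0.0/255.255.255.0(rw,no_root_squash)
/srv/pub 192.168.0.0/255.255.255.0(ro,root_squash)
'

# Print one "path host options" triple per client entry. A bare path with
# no clients is reported with host "*" and options "-"; a "(options)" group
# with no host in front of it is also host "*" (every host).
export_entries() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }
        NF == 1 { print $1, "*", "-"; next }
        {
            for (i = 2; i <= NF; i++) {
                host = $i; opts = "-"
                if (match($i, /\(.*\)$/)) {
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                    host = substr($i, 1, RSTART - 1)
                }
                if (host == "") host = "*"
                print $1, host, opts
            }
        }'
}

# Print "path: reason" for every entry exported to every host, and for
# every entry where root_squash is switched off (a remote root is then root
# on the exported files as well).
audit_exports() {
    export_entries "$1" | while read -r path host opts; do
        [ "$host" = "*" ] && echo "$path: exported to every host (options: $opts)"
        case ",$opts," in
            *,no_root_squash,*) echo "$path: root_squash disabled for $host" ;;
        esac
    done
    return 0
}
```

`audit_exports "$SAMPLE_EXPORTS"` reports /mnt/cdrom, /tmp and /home as exported to every host (the `/home (rw)` entry gives the whole world read-write access, not just the 192.168.0.0/24 network) and /srv/data for no_root_squash. Against a real server, run `audit_exports "$(cat /etc/exports)"`.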
NFS security
File /etc/hosts.allow
portmap,lockd,mountd,rquotad,statd: 192.168.0.0/255.255.0.0
Samba is a file and print sharing service for networks of Linux and Windows machines. From Linux:
Mount Windows shares. Use Windows printers. Authenticate against Windows machines.
From Windows:
See Linux shares. Authenticate against Linux machines. Use Linux printers.
Configuring Samba
Both Windows and Linux use encryption when authenticating users: the password the user enters is encrypted and compared with the stored encrypted password, and authentication succeeds if they match. However, Windows and Linux use different encryption schemes. For a Windows user to authenticate successfully on Linux, recreate the user on Linux with the smbpasswd command.
Samba share directories:
share path, actual directory name, permissions assigned
SWAT
SWAT is a web-based interface for editing the Samba configuration in a browser:
http://localhost:901/
Q & A
Contents
PAM
Every application has its own authentication scheme => a complex system. Pluggable Authentication Modules (PAM) provide a centralised authentication mechanism. The application does not authenticate directly; it passes the request to PAM and asks for authentication. PAM does the work and returns the authentication result to the application, which then decides whether to let the user log in.
In Windows terms, PAM plays the role of a DLL for other applications; in Linux terms, PAM is a library. PAM provides many authentication modules in /lib/security, from simple to complex. When an application needs a particular authentication method, it calls that method in the PAM library. Information about PAM's authentication modules:
man [pam_module]
PAM (cont.)
/lib/security: PAM's authentication modules. /etc/security: the configuration file of each PAM module. /etc/pam.d: the configuration files of the applications that authenticate through PAM.
=> every application that authenticates through PAM has a configuration file in /etc/pam.d, each line of which has the form:
module_type  control_flag  module_path  arguments
module_type: one of four values: auth, account, session, password. control_flag: how the application handles the result PAM returns for this module. module_path: the path of the authentication module. arguments: other parameters.
PAM (cont.)
module_type  Description
auth         The application requires the user to enter a password.
account      Does not authenticate; decides from other factors whether the user may log in: from where, at what time.
session      Specifies the actions to perform before or after the user logs in.
password     Allows the user to change the password.
PAM (cont.)
control_flag  Description
required      The module must succeed; otherwise a failed result is returned.
requisite     If this module fails, the result is returned immediately without consulting the following modules.
sufficient    If this module succeeds and there is no further required module, a successful result is returned.
optional      Checking continues with the other modules even if this module fails.
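Added example (not from the course slides): an evaluator for a stack of control flags, so the interaction between the four flags above can be tried out on paper stacks. It implements the Linux-PAM semantics: a failed `required` module makes the final result fail but the remaining modules still run; a failed `requisite` module returns failure at once; a successful `sufficient` module returns success at once unless an earlier `required` module has already failed; `optional` only decides the result when it is the only module in the stack. The stack lines use the slide's layout with a fourth, constructed column giving each module's simulated result; module names are the usual ones but the stacks themselves are made up for the demo.

```shell
# Added example, not course material: compute the outcome of a PAM-style
# stack given each module's simulated result ("ok" or "fail").
# Line format: module_type control_flag module_path result

SAMPLE_PAM_STACK='auth required   pam_env.so   ok
auth sufficient pam_unix.so  ok
auth required   pam_deny.so  fail'

pam_stack_result() {         # $1 = stack text; prints success or fail
    printf '%s\n' "$1" | awk '
        NF < 4 || $1 ~ /^#/ { next }
        {
            flag = $2; res = $4; n++
            if (flag == "required" && res != "ok") required_failed = 1
            # requisite: a failure ends the stack immediately.
            if (flag == "requisite" && res != "ok") { result = "fail"; exit }
            # sufficient: a success ends the stack, unless a required
            # module already failed (then it is ignored).
            if (flag == "sufficient" && res == "ok" && !required_failed) { result = "success"; exit }
            if (flag == "optional") { optional_res = res; optional_seen++ }
        }
        END {
            if (result != "") print result
            else if (n == 0) print "fail"
            else if (required_failed) print "fail"
            else if (n == optional_seen) print (optional_res == "ok" ? "success" : "fail")
            else print "success"
        }'
}

pam_stack_result "$SAMPLE_PAM_STACK"
```

The sample stack prints success: pam_unix.so succeeds as `sufficient`, so pam_deny.so is never reached. Change the first line's result to fail and the same stack prints fail even though pam_unix.so still succeeds, which is why a `required` module placed before a `sufficient` one cannot be bypassed.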
PAM (cont.)
argument        Description
debug           Logs debugging information.
no_warn         Does not send warning messages to the application.
use_first_pass  Saves the password and reuses it for the following authentication.
try_first_pass  Like the option above, but if that password fails, the user is asked to enter it again.
Use man [pam_module] to learn about each authentication module. E.g.: man pam_nologin
Q & A
NIS
Contents
Introduction to NIS. Installing NIS.
With NIS, authenticating a user logging in to the system works as follows:
NIS tools
With NIS, authenticating a user logging in to the system can be understood as follows:
/etc/passwd, /etc/hosts, /etc/services, /etc/protocols: in these text databases the fields are separated by tabs, and at least one column has a unique value on every line.
Client daemon:
ypbind: finds the NIS server to send queries to.
NIS tools
Q & A
Contents
Introduction to Network Directories. Introduction to the LDAP protocol.
LDAP
Network Directory
A network directory is a structure for organising storage as a hierarchical tree. It is organised for the greatest convenience in reading and searching; an application that needs many insert and update operations should not store its data in a network directory. X.500 is a network directory.
To query a network directory, the DAP (Directory Access Protocol) is used. This protocol defines a set of commands exchanged between the client and the server holding the network directory to query the required data. DAP runs on the OSI protocol stack. LDAP (Lightweight Directory Access Protocol) was created to replace DAP: it defines a set of client/server commands over TCP for querying directory data.
LDAP directory
DN: Distinguished Name, e.g. uid=babs, ou=people, dc=example, dc=com. RDN: Relative Distinguished Name, one component of the DN (here uid=babs).
Commonly used schemas and object classes are predefined in RFCs. To define a directory tree, analyse which attributes are needed, then find the object classes and schemas that contain those attributes and build the tree from them. If no existing schema meets the requirements, a new schema or object class can be defined.
OPENLDAP
OpenLDAP is open source software that implements LDAP on Linux/UNIX. The server side consists of two main services:
slapd: the standalone LDAP daemon. It listens for LDAP queries from clients, performs the query, and returns the answer. slurpd: the LDAP replication daemon, which propagates changes from the LDAP master server to LDAP slave servers.
OPENLDAP (cont.)
Q & A
Contents
FTP service
Introduction to FTP. Installing FTP. Configuring FTP.
SSH service
Introduction to SSH. Installing SSH. Configuring SSH.
The FTP service provides a mechanism for sending and receiving files over TCP/IP. It operates on two ports:
Port 20: the data port; data is transferred on this port. Port 21: the control port, used to exchange commands and replies between client and server.
Active FTP
Passive FTP
There are many packages that implement FTP: vsftpd, wu-ftpd, Pure-FTPd, ProFTPD. vsftpd is rated as having good security. It can be installed from RPM or from source. The main configuration files of vsftpd:
vsftpd.conf: controls the operation of the FTP service. vsftpd.ftpusers: the list of users not allowed to log in to FTP. vsftpd.user_list: depending on the settings in vsftpd.conf, the FTP service denies or allows the users in this list.
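Added example (not from the course slides): the decision the three vsftpd files above produce for a given user name, written out as a function over constructed copies of the files. The rule it follows is vsftpd's: a user listed in the ftpusers file is always refused; when `userlist_enable=YES`, the user_list file is a deny list if `userlist_deny=YES` (the vsftpd default) and the only allowed users if `userlist_deny=NO`. The directory, file contents and user names are constructed for the demo.

```shell
# Added example, not course material: does vsftpd let user $2 log in,
# given the ftpusers, user_list and vsftpd.conf in directory $1?

make_vsftpd_files() {        # $1 = value for userlist_deny (YES or NO)
    dir=$(mktemp -d)
    printf 'root\nbin\ndaemon\n' > "$dir/vsftpd.ftpusers"
    printf 'alice\nbob\n' > "$dir/vsftpd.user_list"
    printf 'local_enable=YES\nuserlist_enable=YES\nuserlist_deny=%s\n' "$1" > "$dir/vsftpd.conf"
    echo "$dir"
}

conf_value() {               # $1 = conf file, $2 = key; prints the value or nothing
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

ftp_login_allowed() {        # prints allow or deny
    dir=$1; user=$2
    # ftpusers is an unconditional deny list (checked through PAM's pam_listfile).
    if grep -qx "$user" "$dir/vsftpd.ftpusers"; then echo deny; return 0; fi
    enable=$(conf_value "$dir/vsftpd.conf" userlist_enable)
    deny=$(conf_value "$dir/vsftpd.conf" userlist_deny)
    [ -n "$deny" ] || deny=YES                      # vsftpd default
    if [ "$enable" = YES ]; then
        if grep -qx "$user" "$dir/vsftpd.user_list"; then
            [ "$deny" = YES ] && { echo deny; return 0; }
        else
            [ "$deny" = NO ] && { echo deny; return 0; }
        fi
    fi
    echo allow
}
```

With `userlist_deny=YES`, alice (listed) is refused and carol (unlisted) is allowed; with `userlist_deny=NO` the outcome inverts, so the same user_list file becomes a whitelist. root is refused in both cases because of ftpusers. The check shows why the meaning of user_list must always be read together with vsftpd.conf.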
Installing the SSH service
encryption.
Q & A
DNS server
Contents
Introduction to DNS. How DNS works.
For one machine to communicate with another it must know its IP address, but users find IP addresses hard to remember and want to reach other machines by name. A table mapping IP addresses to host names is therefore needed: for a small network, a text file; for the Internet, the DNS service.
Fully Qualified Domain Name (FQDN). The in-addr.arpa domain. Resolving a DNS request. Types of DNS server.
The DNS service manages domain names as Fully Qualified Domain Names (FQDN).
DNS lets users reach other machines by name without remembering IP addresses. The DNS service is implemented by the Berkeley Internet Name Domain (BIND) software.
FQDN example: serverA.example.org.
serverA: third-level domain
example: second-level domain
org: top-level domain
.: root domain
Resolution example (reconstructed from the slide diagram): the client sends its request to the Athena DNS server, which forwards it to the Viettel DNS server and relays the answer back.
Installing the DNS service
Common options
Root servers
Defining a domain
DNS tools
Q & A
The dig command:
dig @nameserver domain
The dnsquery command:
dnsquery -n nameserver host
The host command:
host domain
The nslookup command:
nslookup record [server]
nslookup ipaddress
Contents
Web server
Trung tâm đào tạo Quản trị & An ninh mạng ATHENA (ATHENA Network Administration & Security Training Center)
Installing Apache.
Apache
The World Wide Web (WWW) is a client-server application based on the HTTP protocol. Web clients (browsers) send requests to the web server using HTTP; the web server receives the request, processes it, and returns the result to the client. HyperText Markup Language (HTML) is the language used to write web pages.
Many programs implement web server functionality: IIS, Apache. Apache is open source software and the most widely used web server on Linux. It is compatible with almost all UNIX operating systems, and with Windows. Apache is flexible and extensible; additional modules can be compiled in from:
http://modules.apache.org
Installing Apache
Configuring Apache
Virtual hosts: two implementations, name-based and IP-based. With IP-based virtual hosts, each virtual host must have its own network interface:
Access control
Access control checks which users may access the website, and which pages a user may or may not access.
Access can be restricted by the user's IP range, or by accepting only authenticated users (valid users).
Access can be restricted by user credentials: only users whose username/password check out may access. Creating a username/password:
Log Files
access_log lists every request to the website. agent_log lists the programs the web server was asked to run; this log is optional and can be selected when compiling Apache or configured directly in httpd.conf. error_log records the errors raised while the web server runs. refer_log lists the previous URLs the browser used; this log is also optional and can be chosen at compile time, at configuration time, or left unconfigured.
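Added example (not from the course slides): two summaries over access_log lines, the per-request record described above, in Apache's common log format. The first counts requests per client; the second lists the clients that collected 401/403 responses, which is what repeated failures against the access control above look like in the log. The log lines, addresses and paths are constructed for the demo.

```shell
# Added example, not course material: summarise constructed access_log lines.
# Common log format fields: client ident user [time zone] "method path proto" status bytes

SAMPLE_ACCESS_LOG='192.168.1.10 - - [10/Oct/2004:13:55:36 +0700] "GET /index.html HTTP/1.1" 200 2326
192.168.1.10 - - [10/Oct/2004:13:55:40 +0700] "GET /images/logo.gif HTTP/1.1" 200 1024
10.0.0.7 - - [10/Oct/2004:13:56:01 +0700] "GET /admin/ HTTP/1.1" 401 401
10.0.0.7 - - [10/Oct/2004:13:56:03 +0700] "GET /admin/ HTTP/1.1" 401 401
10.0.0.7 - - [10/Oct/2004:13:56:05 +0700] "GET /admin/ HTTP/1.1" 401 401
10.0.0.7 - bob [10/Oct/2004:13:56:09 +0700] "GET /admin/ HTTP/1.1" 200 512
172.16.4.2 - - [10/Oct/2004:13:57:12 +0700] "GET /private/ HTTP/1.1" 403 289'

# "client count" for every client, busiest first.
requests_per_client() {      # $1 = log text
    printf '%s\n' "$1" | awk '{ n[$1]++ } END { for (c in n) print c, n[c] }' | sort -k2,2nr -k1,1
}

# "client denied_count" for clients with at least $2 responses of 401 or 403
# (field 9 is the status code in common log format).
denied_clients() {           # $1 = log text, $2 = threshold
    printf '%s\n' "$1" | awk -v min="$2" '
        $9 == 401 || $9 == 403 { d[$1]++ }
        END { for (c in d) if (d[c] >= min) print c, d[c] }' | sort
}
```

`denied_clients "$SAMPLE_ACCESS_LOG" 2` prints `10.0.0.7 3`: three failed attempts at /admin/ before a successful login as bob. On a live server, `denied_clients "$(tail -n 10000 /var/log/httpd/access_log)" 5` is a cheap first check of who is probing protected areas.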
Performance
Q & A
Contents
Squid server
Squid Authentication
Squid then fetches the web page and returns the result for the request. If the result is already in Squid's cache, Squid returns it to the requester immediately.
Cache settings (slide diagram labels): Directory, Megabytes
Squid Authentication
Q & A
To use Squid, the user must have a valid username/password => Squid Authentication. To use the Squid Authentication feature, ncsa_auth must be compiled with Squid. Create a password for the user: Configure Squid to support Squid Authentication:
Contents
Mail server
Analysing MTA configuration. Analysing anti-spam policy.
Mail is the most important and necessary service for users. The problems users commonly encounter:
Mail is sent but the recipient never receives it, and the sender receives no error message either. Mail is sent but arrives more than an hour, or up to a day, later. Spam and advertising mail arrive constantly.
Users check mail through the incoming server. The incoming server is usually a POP3 server -> the MDA (Mail Delivery Agent). When mail is sent within the same domain, the outgoing server (MTA) delivers it to the incoming server (MDA) with LMTP (Local Mail Transfer Protocol). Users connect to the incoming server (MDA) with POP or IMAP to fetch their mail.
Mail flow (reconstructed from the slide diagram):
Same domain: sender -> outgoing server (MTA) -- LMTP --> incoming server (MDA) -> test1@nhatnghe.com
To another domain: sender -> outgoing server -> DNS (MX record for yahoo.com) -> Mail yahoo -- SMTP --> test1@yahoo.com
From another domain: Mail yahoo -> DNS (MX record for Athena) -> Mail Athena -- SMTP --> test@nhatnghe.com
Configuring the MTA
Q & A
Contents
Firewall
NAT example (reconstructed from the slide diagram): client 200.2.2.2; firewall with eth0 172.20.12.88 (outside) and eth1 10.0.0.1 (inside); web server 10.0.0.2.
DNAT (nat table, PREROUTING chain): From 200.2.2.2:1025 To 172.20.12.88:80 becomes From 200.2.2.2:1025 To 10.0.0.2:80.
SNAT (nat table, POSTROUTING chain): From 10.0.0.2:80 To 200.2.2.2:1025 becomes From 172.20.12.88:80 To 200.2.2.2:1025.
iptables syntax
-L chain: list the existing rules. -F chain: delete every existing rule. -N chain: define a new chain. -E [old_chain] [new_chain]: rename a chain (only user-defined chains can be renamed).
REJECT:
drops the packet and sends an ICMP reply back to the sender; if too many are sent, it stops replying. --reject-with type: send the ICMP type specified:
icmp-net-unreachable icmp-host-unreachable icmp-port-unreachable icmp-proto-unreachable
QUEUE: passes the packet to a userspace queue. RETURN: returns to the calling chain or the default policy. LOG: records the packet in the system log:
--log-level --log-prefix --log-tcp-sequence --log-tcp-options --log-ip-options
TARGET (cont.)
MASQUERADE: a special form of SNAT. REDIRECT: redirects the packet to another port on the local machine:
-j REDIRECT --to-ports 80
Match
-p [!] name: select packets by protocol; the protocol can be a name or the corresponding entry in /etc/protocols. -s [!] address[/mask]: select packets by source address; the address can be a hostname or an IP address.
Match (cont.)
-i name: select packets received on interface name (input). -o name: select packets sent out on interface name (output). [!] -f: select fragmented packets (from the second fragment on).
--sport [!] [port][:port]: select packets whose source port matches. --dport [!] [port][:port]: select packets whose destination port matches.
iptables -A INPUT -p tcp -s 10.1.1.0/24 -i eth0 -d 192.168.1.1 --dport 80 -j ACCEPT
Q & A
The state module recognises and selects packets by the state of their connection; iptables is stateful.
--state states: select packets whose state is one of those listed in states. The states of a connection are: INVALID, ESTABLISHED, NEW, RELATED.
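Added example (not from the course slides): a complete firewall script for the NAT scenario drawn on these slides (public address 172.20.12.88 on eth0, internal address 10.0.0.1 on eth1, web server 10.0.0.2), assembled from the options listed above: default-deny policies, the state module, the DNAT and SNAT targets and a final REJECT with an ICMP reason. The management rule on port 22 and the 10.0.0.0/24 network size are assumptions. IPT defaults to the real iptables binary; set `IPT=echo` to print the rules instead of applying them.

```shell
# Added example, not course material. Run build_firewall as root to apply,
# or IPT=echo build_firewall to preview the rules it would issue.

build_firewall() {
    IPT=${IPT:-iptables}
    WAN_IF=eth0; WAN_IP=172.20.12.88
    LAN_IF=eth1; LAN_NET=10.0.0.0/24; WEB=10.0.0.2

    # Start from empty chains with a default-deny policy for traffic
    # to and through the firewall.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Stateful rules: packets of connections already accepted pass.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # Management of the firewall itself from the LAN only (assumption).
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT

    # DNAT: 200.2.2.2 -> 172.20.12.88:80 is rewritten to -> 10.0.0.2:80
    # in PREROUTING, then the new connection is allowed through FORWARD.
    $IPT -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $WEB:80
    $IPT -A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # SNAT: connections from the LAN leave with the public address; replies
    # to the DNATed web connection are rewritten back by connection tracking.
    $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT

    # Anything else aimed at the firewall is refused with an ICMP reason.
    $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
}
```

Only NEW connections are matched on the explicit FORWARD rules; everything else rides on the ESTABLISHED,RELATED rule, which is the stateful behaviour the slide describes. Note that the nat table is consulted only for the first packet of a connection, so the SNAT rule never interferes with the DNATed replies from 10.0.0.2.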
Contents
IDS server
Installing and configuring Snort
Preprocessors. Output modules.
Snort is open source software that can detect and prevent unauthorised intrusions. Snort sits between two communicating machines: packets are inspected and assessed by Snort before being delivered to the destination machine. Snort can detect many kinds of intrusion, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.
Sniffer Mode
Inline Mode
Installation
./configure
To run in NIDS mode a rule set is needed: snortrules.tar.gz.
tar xzvf snortrules.tar.gz -C /etc/snort
Edit /etc/snort/snort.conf
Configuring Snort
var HOME_NET: defines the network to protect. var EXTERNAL_NET: defines the outside network. var DNS_SERVERS: defines the DNS servers to protect. var SMTP_SERVERS: defines the SMTP servers to protect. portvar HTTP_PORTS: defines the application's ports.
preprocessor: inspects the packet immediately after it is decoded. Preprocessors run before all the other search and detection rules.
preprocessor <name>: <options>
output module: flexible formatting of alerts for the user.
output <name>: <options>
Preprocessors:
stream4 -> replaced by stream5. sfPortscan. Performance Monitor. ftp_telnet.
Output modules:
alert_syslog alert_fast alert_full log_tcpdump alert_csv
alert tcp any any -> any any (content:"|00 01 86 a5|"; msg:"mountd access";)
Rule anatomy: rule action, protocol, source address and port, direction, destination address and port, then the rule options in parentheses.
Rule action:
alert: alert and log the packet. log: log the packet. pass: ignore the packet. activate: alert and then trigger another rule. dynamic: stay idle until activated by another rule. drop: have iptables drop the packet and log it. reject: have iptables drop the packet, log it, and send a refusal to the source machine. sdrop: have iptables drop the packet without logging it or notifying the source.
Rule options
meta-data: provide information about the rule without affecting packet detection in any way. payload: search for information in the packet payload.
non-payload: search for information in the non-payload part of the packet. post-detection: actions that take place after a rule has triggered.
Meta data
classtype: <classname>;
Payload
content: [!] <content string>; nocase; rawbytes; depth: <number>; offset: <number>; distance: <byte count>; uricontent: [!]<content string>; isdataat: <int>; byte_test: <bytes to convert>, [!] <operator>, <value>, <offset> [,relative] [,endian] [,<number type>, string]; byte_jump
Non Payload
tos: type of service. dsize: check whether the non-payload part is larger than a given size. flag: check the TCP flag bits (F: FIN, S: SYN, R: RST, A: ACK). flow: determine the direction of the connection.
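Added example (not from the course slides): a checker for the rule layout described above, rule header first (action, protocol, source, source port, direction, destination, destination port) and options in parentheses second. It validates the action against the list of rule actions on the slide and the direction operator, and extracts a named option's value, so a rule can be reviewed before it is added to the rule set. The rules used below are the slide's mountd rule plus constructed malformed ones; the checker is a review aid, not Snort's own parser.

```shell
# Added example, not course material: validate a Snort rule header and
# pull individual option values out of the option list.

# Print the seven header fields joined by spaces, or "invalid: <reason>".
snort_rule_header() {        # $1 = full rule text
    header=${1%%"("*}
    set -f; set -- $header; set +f
    if [ $# -ne 7 ]; then echo "invalid: header needs 7 fields, got $#"; return 0; fi
    case "$1" in
        alert|log|pass|activate|dynamic|drop|reject|sdrop) ;;
        *) echo "invalid: unknown action $1"; return 0 ;;
    esac
    case "$2" in
        tcp|udp|icmp|ip) ;;
        *) echo "invalid: unknown protocol $2"; return 0 ;;
    esac
    case "$5" in
        "->"|"<>") ;;
        *) echo "invalid: direction must be -> or <>, got $5"; return 0 ;;
    esac
    echo "$*"
}

# Print the value of option $2 (e.g. msg, content, classtype) from rule $1,
# without surrounding double quotes; prints nothing if the option is absent.
snort_rule_option() {
    opts=${1#*"("}; opts=${opts%")"}
    printf '%s\n' "$opts" | tr ';' '\n' \
        | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" \
        | sed 's/^"//; s/"$//' | head -n 1
}
```

For the slide's rule, `snort_rule_header` prints `alert tcp any any -> any any` and `snort_rule_option ... msg` prints `mountd access`; a rule that misspells the action or the direction is reported instead of being silently accepted.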
Post detection
resp, react.
Q & A