Đang tải... (xem toàn văn)
+ Triển khai dịch vụ DNS + Triển khai web server, triển khai mô hình name based web server, IP based web server, https web server, user directory + Triển khai dịch vụ mail giúp NSD có tài khỏan có thể gửi mail cho nhau và gửi ra ngoài 1 địa chỉ gmail bất kì + Triển khai các dịch vụ logging nhật kí giúp theo dõi nhật kí truy cập web, truy cập mail … + Triển khai dịch vụ firewall iptable bằng dòng lệnh: Thực hiện mô hình 3 nơi (trong, giữa, ngoài) trong đó máy cài firewall đóng vai trò trung gian ở giữa giúp cho phép, không cho phép ping, telnet, truy cập web, chặn cổng, chặn giao thức, chặn 1 máy IP, chặn dải IP….. ngoài vào trong và ngược lại. Các thử nghiệm nâng cao với ít nhất 10 rules trên dòng lệnh và lưu trong file
HANOI UNIVERSITY OF SCIENCE AND TECHNOLOGY School of Information and Communication Technology f =========*========= FINAL PROJECT REPORT ITSS Linux System and Network Management Instructor : Msc.Banh Thi Quynh Mai Class : ICT 56 Group : Season1418 − Dao Duc Cuong 20111201 − Nguyen Hai Nam 20111884 − Le Anh Tien 20112311 − Hoang Minh Tuan 20112418 Project Report ITSS Linux System and Network Management Prerequisite setup and installation : • Server machine : GNU/Linux CentOS 6.5, host name : server1.season1418.vn • Client machine : GNU/Linux CentOS 6.5, hostname : client.season1418.vn • Server machine has 2 NICs. One for Internet connection, one for local network • Create a NetworkManager profile for each NIC of the server machine. • Client machine has 1 NIC for local network. 1. Setup DHCP server: − On the server machine : eth1 is for Internet connection 10.0.3.0/24 ( changed to outter network 192.168.56.0/24 in part 5 Firewall) eth2 is for local network 192.168.50.0/24 − On the client machine : eth2 is for local network 192.168.50.0/24 − On the server machine, install package dhcpd : $ sudo yum install dhcp − Edit the file : /etc/sysconfig/network-scripts/ifcfg-eth2 DEVICE=eth2 BOOTPROTO=none ONBOOT=no NETWORK=192.168.50.0 NETMASK=255.255.255.0 IPADDR=192.168.50.1 DNS1=192.168.50.1 DEFROUTE=yes IPV4_FAILURE_FATAL=yes IPV6INIT=no − To make the DHCP service running on eth2 interface, edit : /etc/sysconfig/dhcpd DHCPDARGS=eth2 − We create the local network with router address, DNS server address, subnet of the network, range of client IP addresses. Edit the file : /etc/dhcp/dhcpd.conf ddns-update-style none; authoritative; log-facility local7; default-lease-time 600; max-lease-time 7200; option subnet-mask 255.255.255.0; option broadcast-address 192.168.50.255; option routers 192.168.50.1; option domain-name-servers 192.168.50.1; subnet 192.168.50.0 netmask 255.255.255.0 { range 192.168.50.100 192.168.50.200; } − Restart dhcpd service to make these changes effective : $ sudo service dhcpd restart − To find any client has been connected to the DHCP server, check lease log: $ less /var/lib/dhcpd/dhcpd.leases − On the client machine : eth2 is for local network − Set in file /etc/sysconfig/network-scripts/ifcfg-eth2 the following value to use DHCP service in client machine : BOOTPROTO=dhcp − Restart network service : $ sudo service network restart − On the client ping the server to check network : $ ping 192.168.50.1 Local network has the DHCP server at 192.168.50.1, client addresses range from 192.168.50.100 to 192.168.50.200. 2. Setup DNS server: − On the server, install bind package and related packages : $ yum install bind* − The DNS server will listen on DNS queries on port 53. If it does not have the authorative right to the queried domain, it will forward the request to Google DNS server at 8.8.8.8 . This DNS server only has authorative right to 5 domains, which are season1418.vn, season1418.com, season1418.org, season1418.net, season1418.tk. Edit file : /etc/named.conf options { listen-on port 53 { 192.168.50.1; }; # master dns listen-on-v6 port 53 { ::1; }; directory "/var/named"; forwarders { 8.8.8.8; }; # forward to Google DNS dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion yes; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "season1418.vn" IN{ type master; file "forward.season1418"; allow-update { none; }; }; zone "season1418.com" IN{ type master; file "fw.season1418.com"; allow-update { none; }; }; zone "season1418.org" IN{ type master; file "fw.season1418.org"; allow-update { none; }; }; zone "season1418.net" IN{ type master; file "fw.season1418.net"; allow-update { none; }; }; zone "season1418.tk" IN{ type master; file "fw.season1418.tk"; allow-update { none; }; }; zone "50.168.192.in-addr.arpa" IN{ type master; file "reverse.season1418"; allow-update { none; }; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; − Create 5 forward zone files and 1 reverse zone file in /var/named/ directory. Four files fw.season1418.com, fw.season1418.org, fw.season1418.net, fw.season1418.tk are almost the same except their IP address. The file forward.season1418.vn has some extra records since season1418.vn is the main domain of this configuration. The reverse zone file is for determining a domain name that is associated with a given IP address. − File: /var/named/forward.season1418 $TTL 86400 @ IN SOA server1.season1418.vn. root.season1418.vn. ( 2011071001 ;Serial 3600 ;Refresh 1800 ;Retry 604800 ;Expire 86400 ;Minimum TTL ) @ IN NS server1.season1418.vn. @ IN A 192.168.50.1 @ IN A 192.168.50.100 @ IN MX 10 mail.season1418.vn. server1 IN A 192.168.50.1 client IN A 192.168.50.100 mail IN A 192.168.50.1 − The reserve zone file : /var/named/reverse.season1418 $TTL 86400 @ IN SOA server1.season1418.vn. root.season1418.vn. ( 2011071001 ;Serial 3600 ;Refresh 1800 ;Retry 604800 ;Expire 86400 ;Minimum TTL ) @ IN NS server1.season1418.vn. @ IN MX 10 mail.season1418.vn. server1 IN A 192.168.50.1 client IN A 192.168.50.100 mail IN A 192.168.50.1 1 IN PTR server1.season1418.vn. 1 IN PTR mail.season1418.vn. 100 IN PTR client.season1418.vn. 10 IN PTR season1418.com. 11 IN PTR season1418.org. 12 IN PTR season1418.net. 12 IN PTR season1418.tk. − Other domain forward config file : /var/named/fw.season1418.com. The same configuration goes to fw.season1418.org, fw.season1418.net, fw.season1418.tk. $TTL 86400 @ IN SOA season1418.com. root.season1418.com. ( 2011071010 ;Serial 3600 ;Refresh 1800 ;Retry 604800 ;Expire 86400 ;Minimum TTL ) IN NS server1.season1418.vn. IN A 192.168.50.10 − Start the the DNS service : $ sudo service named start − Edit iptables (using iptables command or edit /etc/sysconfig/iptables to allow DNS query on port 53 or just temporarily stop iptables service for now) $ iptables -A INPUT -p udp -m state state NEW dport 53 -j ACCEPT $ iptables -A INPUT -p tcp -m state state NEW dport 53 -j ACCEPT − Restart iptables service : $ sudo service iptables restart − Edit /etc/resolv.conf on both server and client machine to use our DNS server: nameserver 192.168.50.1 − In /var/named.conf, the record : forwarders { 8.8.8.8; } which means it will help this local DNS server to look up DNS record that it does not have authorative right in the Internet via another NIC eth1. − Test DNS server : $ nslookup season1418.vn $ nslookup server1.season1418.vn $ ping client.season1418.vn $ ping google.com 3. Setup Mail server − Install postfix package : $ yum install postfix − Install SMPT AUTH package : $ yum install openssl cyrus-sas cyrus-sasl-devel cyrus-sasl- gssapi cyrus-sasl-md5 cyrus-sasl-plain − Create SSL Certification : (optional) $ mkdir /etc/postfix/ssl $ cd /etc/postfix/ssl $ openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 $ chmod 600 smtpd.key $ openssl req -new -key smtpd.key -out smtpd.csr $ openssl x509-req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt $ openssl rsa -in smtpd.key -out smtpd.key.unencrypted $ mv -f smtpd.key.unencrypted smtpd.key $ openssl req -new -x509 -extension v3_ca -keyout cakey.pem -out cacert.pem -days 365 − Edit file : /etc/postfix/main.cf myhostname = season1418.vn.season1418.vn mydomain = season1418.vn myorigin = $mydomain home_mailbox = mail/ mynetworks = 192.168.50.0/24 mynetworks_style=subnet inet_interfaces = all mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain smtpd_sasl_auth_enable = yes smtpd_sasl_type = cyrus smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_recipient_restrictions=permit_sasl_authenticated,permit _my networks,reject_unauth_destination smtpd_tls_auth_only = no smtp_use_tls = yes smtpd_use_tls = yes smtp_tls_note_starttls_offer = yes smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom − To send mail to the internet we have to use a registered mail server as a relay host ( eg: Google mail server) . It means we will need an Google Mail account as a relay account. Suppose our email address, main@season1418.vn, and our relay mail account, my_mail@gmail.com, and the recipeint would see the sender is main@season1418 . Add following lines : relayhost = [smtp.gmail.com]:587 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous smtp_sasl_tls_security_options = noanonymous smtp_sasl_auth_enable = yes smtp_tls_policy_maps = hash:/etc/postfix/tls_policy − Edit file : /etc/postfix/sasl_passwd. We put our Google Mail address and password in this file. Make sure no other user could see the content of this file ( chmod 400 ) smtp.gmail.com your-email@gmail.com:your-password − Apply postfix rule : $ sudo chown root:root /etc/postfix/sasl_passwd $ sudo chmod 400 /etc/postfix/sasl_passwd $ sudo postmap /etc/postfix/sasl_passwd − Add following lines to : /etc/postfix/master.cf smtps inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_sender=yes -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o broken_sasl_auth_clients=yes − Edit iptables to allow connections via port 25 : $ iptables -A INPUT -p udp -m state state NEW dport 25 -j ACCEPT $ iptables -A INPUT -p tcp -m state state NEW dport 25 -j ACCEPT − Restart postfix and saslauthd service : $ sudo service postfix restart $ sudo service saslauthd restart [...]... $ sudo iptables A OUTPUT p tcp dport ssh j ACCEPT • To block TCP web traffic : $ sudo iptables A FORWARD p tcp dport 80 j REJECT $ sudo iptables A INPUT p tcp dport 80 j REJECT $ sudo iptables A OUTPUT p tcp dport 80 j REJECT • To block FTP connections : $ sudo iptables A FORWARD p tcp dport 20:21 j REJECT $ sudo iptables A INPUT p tcp dport 20:21 j REJECT $ sudo iptables A OUTPUT p tcp dport 20:21 j REJECT... $ iptables A INPUT p tcp dport 80 j ACCEPT $ iptables A INPUT p tcp dport 443 j ACCEPT $ iptables A INPUT p tcp –dport 25 j DROP $ iptables A OUTPUT p tcp –dport 110 j REJECT $ iptables A OUTPUT p tcp –dport 143j REJECT 6 Note: − On the server, if using NetworkManager service, it is better to create two separate profile for 2 NICs in order not going into the phase of chaos when configuring... $ iptables A FORWARD i eth2 j ACCEPT $ iptables A FORWARD o eth2 j ACCEPT $ iptables A POSTROUTING t nat o eth1 j MASQUERADE $ iptables A FORWARD t filter o eth1 m state state NEW,ESTABLISHED,RELATED j ACCEPT $ iptables A FORWARD t filter i eth1 m state state NEW,ESTABLISHED,RELATED j ACCEPT • To allow TCP packets on the default SSH on port 22: $ sudo iptables A FORWARD p tcp dport ssh j ACCEPT $ sudo iptables A INPUT p tcp dport ssh j ACCEPT... www.season1418.vn/~vn/dir 5 Firewall: In GNU/Linux and other *NIX system, iptables is the default firewall solution In this part, we will use iptables to hadle traffic going in or going out from a network In this report, we will try to allow/block a client client1.season1418.vn inside our local network to connect to another computer outside of the network( or even the Internet) We configure the firewall on the... DHCP service and DNS service to allow/block the client to connect to outside world This server server1.season1418.vn acts as an forwarder to all the requests In this server, we add the following rules to iptables chain ( Before doing that, we have to enable forwarding mode on the server : $ echo 1 > /proc/sys/net/ipv4/ip_forward and enable NAT mode for iptables $ modprobe iptable_ nat ) $ iptables A FORWARD i eth2 j ACCEPT... network to block/allow connection between the host computer and the client inside the local network − Some useful command handling iptables: $ iptables flush ( flush all rules) $ iptables flush OUTPUT ( flush all OUTPUT rules) $ iptables-save > save-file ( back up rules) $ iptables-restore < save-file ( recover rules) ... destination on ports 8080 and 443 : $ sudo iptables A FORWARD s 0/0 i eth2 o eth1 d 192.168.56.2 p tcp sport 1024:65535 dport 8080,443 j REJECT • To block icmp echorequest and icmp echoreply packets: $ sudo iptables A OUTPUT p icmp icmptype echorequest j DROP $ sudo iptables A OUTPUT p icmp icmptype echorequest j DROP $ sudo iptables A INPUT p icmp icmptype echoreply j DROP... softwares like VirtualBox or VMWare, the server machine should have one (1) NIC configured as Internal Netwrok (VirtualBox) or LAN Segment/Host-only ( VMWare), and the other one (2) should be NAT (preferable) or Bridged mode The client machine should be configured as the (1) NIC of server machine − In the case of part 5 : Firewall, we could easily create a virtual network connected to eth1 of the server... $ sudo iptables A OUTPUT p tcp dport 20:21 j REJECT • To block any incoming, outcoming, forwaring traffic for any port on any portocol on any interface : $ sudo iptables A INPUT j REJECT rejectwith icmphost prohibited $ sudo iptables A OUTPUT j REJECT rejectwith icmphost prohibited $ sudo iptables A FORWARD j REJECT rejectwith icmphost prohibited • To block any incoming TCP packets to interface eth2( local network),... and season1418.org − We reuse the same eth2 NIC for other IP addresses $ cd /etc/sysconfig/networkscripts $ cp ifcfgeth2 ifcfgeth2:0 $ cp ifcfgeth2 ifcfgeth2:1 $ cp ifcfgeth2 ifcfgeth2:2 − Change DEVICE and IPADDR records to proper values of ifcfgeth2:1 and ifcfg eth2:2. For example, in file : /etc/sysconfig/networkscripts/ifcfgeth2:0 DEVICE=eth2:0 BOOTPROTO=static ONBOOT=no NETWORK=192.168.50.0 . TECHNOLOGY School of Information and Communication Technology f =========*========= FINAL PROJECT REPORT ITSS Linux System and Network Management Instructor : Msc.Banh Thi Quynh Mai Class : ICT 56 Group. 20111201 − Nguyen Hai Nam 20111884 − Le Anh Tien 20112311 − Hoang Minh Tuan 20112418 Project Report ITSS Linux System and Network Management Prerequisite setup and installation : • Server machine. If using virtualization softwares like VirtualBox or VMWare, the server machine should have one (1) NIC configured as Internal Netwrok (VirtualBox) or LAN Segment/Host-only ( VMWare), and the