Linux is Everywhere © 2011 Nhatnghe School
LPI3 – Building a Linux network to replace Windows
• OpenLDAP
• Apache
• PDC - Samba
• Postfix
• Squid
• Vsftp
• DHCP & DNS
• Amanda – backup and restore
• Firewall - Shorewall
• Demo: integrating OpenVPN with OpenLDAP
M.Eng Do Quang Ngoc
Active Directory: centralized authentication
Active Directory
Exchange server
IIS server
SQL server
FTP server
ISA server
Print/File server
Proxy server
DHCP server
Sendmail/Postfix
Apache server
MySQL server
FTP/SSH server
Firewall/IDS
Samba/NFS
Bind/LDAP
Squid server
DHCP server
OPENLDAP
Network Directory
• A network directory is a structure for organizing storage as a hierarchical tree.
• A network directory is organized to make reading and searching as convenient as possible.
• If an application needs many insert and update operations, it should not store its data in a network directory.
• X.500 is a network directory.
LDAP directory
uid=babs, ou=people, dc=example, dc=com
DN: Distinguished Name
RDN: Relative Distinguished Name
LDAP directory (cont.)
• Commonly used schemas and objectClasses are already defined in RFCs.
• When designing a directory tree, analyze and decide which attributes are needed, then find the objectClasses and schemas that provide those attributes.
• From those, build the directory tree structure.
• If no existing schema meets the requirements, new schemas and objectClasses can be defined.
LDAP directory (cont.)
OPENLDAP (cont.)
• OpenLDAP is open-source software that implements LDAP on Linux/UNIX operating systems.
• The server side consists of two main services:
– slapd: standalone LDAP daemon. It listens for LDAP query requests from clients, performs the queries, and sends back the replies.
– slurpd: LDAP replication daemon. It propagates changes from the LDAP master server to the LDAP slave servers.
OPENLDAP (cont.)
• To query LDAP, clients use the following commands:
• ldapadd: add a new entry.
• ldapmodify: modify an entry's information.
• ldapdelete: delete an entry.
• ldapmodrdn: change an entry's RDN.
• ldapsearch: search for entry information.

ldapadd -c -x -D "cn=Manager,dc=nhatnghe,dc=com" -W -f /mnt/sample.ldif

/mnt/sample.ldif:
dn: dc=nhatnghe,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: nhatnghe

dn: ou=Ketoan,dc=nhatnghe,dc=com
objectClass: organizationalUnit
ou: Ketoan

dn: ou=Kinhdoanh,dc=nhatnghe,dc=com
objectClass: organizationalUnit
ou: Kinhdoanh
Managing OpenLDAP
Managing OpenLDAP (cont.)
Master LDAP & Slave LDAP
OpenLDAP v2.0, v2.3: master/slave replication
Multi Master
OpenLDAP v2.4: multi-master replication
Integrating OpenLDAP
FTP server
Web server
File server
Squid server
Mail server
OpenLDAP
OpenLDAP - AD
Samba
• Authentication and access authorization
• Building a Primary Domain Controller
• File and printer sharing
• Name resolution
• User file:
/etc/samba/smbpasswd
nv1
nv2
Samba – OpenLDAP
Build a Domain Controller system that lets XP clients join the domain and access network resources.
Domain management
• Install and configure the Domain Controller
• Join XP and Windows 7 to the domain
• Manage OUs, users and groups
• Share file resources
• Logon script
• Roaming user profile
• Monitor access to shared resources
• Group Policy
Apache
Two authentication methods:
+ Basic Authentication.
+ Digest Authentication.
User file:
cat /etc/httpd/conf/userpasswd
nv2:pMxqVRP.KZYVw
nv1:mS.U/NuGN00qk
Client - Web server
Software used as a web server
Apache - OpenLDAP
Configure the web server to authenticate users from OpenLDAP
Postfix
• Building a mail server
• Full support for the SMTP, POP, IMAP, HTTP protocols ...
• User file:
• /etc/passwd
quangngoc:501 ….
vanhue:x:502…
Client - Mail server
Postfix - OpenLDAP
Configure the mail server to authenticate users from OpenLDAP
Squid
• Squid is a caching proxy server.
• Restricts web access through rules.
• Speeds up web access.
• Access authentication:
/etc/passwd
quangngoc:x:1006:1006::/home/quangngoc:/bin/bash
vanhue:x:51314:51314::/home/vanhue:/bin/bash
Client - Proxy server
Squid - OpenLDAP
Squid authenticates users' access against the LDAP server
Access reporting and statistics
FTP
• The FTP service allows uploading/downloading data remotely.
• The FTP service operates on two ports:
– Port 20: data port. Data is transferred on this port.
– Port 21: control port. This port is used to exchange commands and replies between client and server.
• /etc/passwd
quangngoc:x:1006:1006:: …
vanhue:x:51314:51314:: …
Client - FTP server
VSFTP - OpenLDAP
Configure the FTP server to authenticate users from OpenLDAP
Access reporting and statistics
OpenVPN
• Connection: point-to-point or site-to-site
• Authentication: using a pre-shared secret key, certificates, or username/password.
• Security: SSL and TLS, smart cards
• Extensibility:
- plug-ins or scripts, RADIUS integration
- authenticate against LDAP or SQLite and MySQL
• Platforms: Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, and Windows 2000/XP/Vista/7.
OpenLDAP server
VPN Client
VPN Server
Making the VPN connection
A VPN extends a private network across shared or public networks, such as the Internet
1. VPN client calls the VPN server
2. VPN server answers the call
3. VPN server authenticates and authorizes the client
4. VPN server transfers data
DHCP
DHCP reduces the complexity and amount of administrative work by using automatic TCP/IP configuration
Manual TCP/IP Configuration
• IP addresses are entered manually
• IP address could be entered incorrectly
• Communication and network issues can result
• Frequent computer moves increase administrative effort
Automatic TCP/IP Configuration
• IP addresses are supplied automatically
• Correct configuration information is ensured
• Client configuration is updated automatically
• A common source of network problems is eliminated
How DHCP works
Parties: DHCP Client, DHCP Server1, DHCP Server2
1. DHCP client broadcasts a DHCPDISCOVER packet
2. DHCP servers broadcast a DHCPOFFER packet
3. DHCP client broadcasts a DHCPREQUEST packet
4. DHCP Server1 broadcasts a DHCPACK packet
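The four-step exchange above as an added worked example; it is not part of the original slides. It serializes and parses minimal DHCP messages (the fixed BOOTP header, the magic cookie, option 53 message type, options 50 and 54) and runs DISCOVER, OFFER from both servers, REQUEST naming Server1, and ACK from Server1 only. The transaction id, client MAC address, server addresses and offered leases are constructed values.

```python
import struct
from typing import Optional, Dict, List, Tuple

# Constructed lab values, not taken from the slides
XID = 0x3903F326
CLIENT_MAC = bytes.fromhex("001122334455")
SERVER1_IP, SERVER2_IP = "10.0.0.1", "10.0.0.2"
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Option 53 message types (RFC 2132) and the option codes used below
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 53, 54, 255
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header

def ip2b(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def b2ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build(op: int, msg_type: int, yiaddr: str = "0.0.0.0",
          options: Optional[Dict[int, bytes]] = None) -> bytes:
    """Serialize a DHCP message: fixed header, magic cookie, option 53 first, then TLV options, then END."""
    hdr = struct.pack(HEADER_FMT,
                      op, 1, 6, 0, XID, 0, 0x8000,            # htype=Ethernet, hlen=6, flags: broadcast bit
                      ip2b("0.0.0.0"), ip2b(yiaddr), ip2b("0.0.0.0"), ip2b("0.0.0.0"),
                      CLIENT_MAC.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in (options or {}).items():
        opts += bytes([code, len(value)]) + value
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])

def is_dhcp(pkt: bytes) -> bool:
    return len(pkt) >= 240 and pkt[236:240] == MAGIC_COOKIE

def parse(pkt: bytes) -> dict:
    """Decode the header fields the exchange needs plus the option TLVs; raises on a non-DHCP packet."""
    if not is_dhcp(pkt):
        raise ValueError("not a DHCP message")
    f = struct.unpack(HEADER_FMT, pkt[:236])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                 # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": b2ip(f[8]), "chaddr": f[11][:f[2]], "options": opts}

def dora_exchange() -> Tuple[List[Tuple[str, str]], dict]:
    """Run DISCOVER -> OFFER (both servers) -> REQUEST (client picks Server1) -> ACK (Server1 only)."""
    trace = []
    discover = build(1, DISCOVER)
    trace.append(("client", "DHCPDISCOVER"))
    offers = {}
    for sip, lease in ((SERVER1_IP, "10.0.0.100"), (SERVER2_IP, "10.0.0.150")):
        if parse(discover)["options"][OPT_MSG_TYPE][0] == DISCOVER:
            offers[sip] = build(2, OFFER, lease, {OPT_SERVER_ID: ip2b(sip)})
            trace.append((sip, "DHCPOFFER"))
    chosen = parse(offers[SERVER1_IP])
    # The REQUEST is broadcast and names the selected server (option 54) so the other server can withdraw
    request = build(1, REQUEST, options={OPT_SERVER_ID: chosen["options"][OPT_SERVER_ID],
                                         OPT_REQUESTED_IP: ip2b(chosen["yiaddr"])})
    trace.append(("client", "DHCPREQUEST"))
    req = parse(request)
    ack = None
    for sip in (SERVER1_IP, SERVER2_IP):
        if b2ip(req["options"][OPT_SERVER_ID]) == sip:
            ack = build(2, ACK, b2ip(req["options"][OPT_REQUESTED_IP]), {OPT_SERVER_ID: ip2b(sip)})
            trace.append((sip, "DHCPACK"))
    return trace, parse(ack)
```

Because every message is checked for the magic cookie and decoded before it is acted on, a packet that merely looks like BOOTP is rejected, and the server-identifier option is what lets Server2 recognise that the REQUEST is not for it.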
DNS
Domain Name System
Host Name Resolution Process
Host name resolution is the process of resolving a host name to an IP address
1. What is the IP address for Salescomputer2?
2. Lookup
3. Salescomputer2 = 192.168.1.35
Resolution methods: Client Resolver Cache/Hosts File, DNS, NetBIOS Name Cache, WINS, Broadcast, Lmhosts File
Hosts File
The Hosts file is a static local file that contains mappings for host name-to-IP addresses
Computer1
Hosts File:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

Client Resolver Cache
The client resolver cache stores recently resolved host names and host name mappings that are loaded from the Hosts file
Computer1
Sources: Hosts File; resolved host names from the DNS server
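An added example, not from the slides, of the two local sources in the resolution order just described: a parser for the Hosts file format shown above, and a resolver cache that preloads those mappings, caches DNS answers for their TTL and expires them. The sample file reuses the comment block of the slide's Microsoft HOSTS file plus one constructed entry for Salescomputer2; the DNS lookup is a function passed in by the caller, so the example runs offline.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed sample: the comment block from the slide's HOSTS file, plus one constructed
# entry for Salescomputer2 so the resolution walk-through above can be reproduced
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
192.168.1.35    Salescomputer2 sales2   # constructed entry
"""

def parse_hosts(text: str) -> Dict[str, str]:
    """Map each host name (case-insensitive) to its address. A '#' starts a comment anywhere on a line,
    a line may carry several names for one address, and the first mapping for a name wins."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                       # an address with no name maps nothing
        addr, names = parts[0], parts[1:]
        for name in names:
            table.setdefault(name.lower(), addr)
    return table

class ResolverCache:
    """Lookup order: hosts-file entries (never expire) -> cached DNS answers (until TTL) -> DNS query."""

    def __init__(self, hosts_text: str,
                 dns_lookup: Callable[[str], Optional[Tuple[str, int]]],
                 now: Callable[[], float] = time.monotonic):
        self.now = now
        self.dns_lookup = dns_lookup       # returns (address, ttl_seconds) or None
        self.entries: Dict[str, Tuple[str, Optional[float]]] = {
            n: (a, None) for n, a in parse_hosts(hosts_text).items()}
        self.dns_queries = 0

    def resolve(self, name: str) -> Optional[str]:
        key = name.lower().rstrip(".")
        hit = self.entries.get(key)
        if hit and (hit[1] is None or hit[1] > self.now()):
            return hit[0]
        self.dns_queries += 1
        answer = self.dns_lookup(key)
        if answer is None:
            return None                    # negative answers are not cached in this example
        addr, ttl = answer
        self.entries[key] = (addr, self.now() + ttl)
        return addr
```

Names in the Hosts file are answered without any DNS traffic, which is also why a tampered Hosts file overrides DNS: the file is consulted first and its entries never expire.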
What Is a Domain Namespace?
Root Domain (.)
Top-Level Domain: com, org, net
Second-Level Domain: nwtraders
Subdomain: south (also west, east), sales
Host: SERVER1
FQDN: SERVER1.sales.south.nwtraders.com
How Recursive Queries Work
A recursive query is sent to a DNS server and requires a complete answer
DNS Client asks the Local DNS Server (database): mail1.contoso.msft = 172.16.64.11
How Iterative Queries Work
An iterative query directed to a DNS server may be answered with a referral to another DNS server
Client to Local DNS Server: Recursive Query for mail1.nwtraders.com; answer 172.16.64.11
Local DNS Server to Root Hint (.): Iterative Query; answer: Ask .com
Local DNS Server to .com: Iterative Query; answer: Ask nwtraders.com
Local DNS Server to Nwtraders.com: Iterative Query; Authoritative Response
How Forwarders Work
A forwarder is a DNS server designated to resolve external or offsite DNS domain names
Client to Local DNS Server: Recursive query for mail1.nwtraders.com; answer 172.16.64.11
Local DNS Server to Forwarder: Recursive Query; answer 172.16.64.11
Forwarder to Root Hint (.): Iterative Query; answer: Ask .com
Forwarder to .com: Iterative Query; answer: Ask nwtraders.com
Forwarder to Nwtraders.com: Iterative Query; Authoritative Response
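The recursive, iterative and forwarder slides above as one added example; it is not the slides' own material. It models a constructed three-level delegation tree (root hints, .com, nwtraders.com) holding the page's mail1.nwtraders.com = 172.16.64.11 record, a local DNS server that answers a client's recursive query by walking referrals from the root, and the same server configured with a forwarder so that it only ever sends a recursive query itself. Server labels such as com-server are constructed names.

```python
from typing import Dict, List, Optional, Tuple

ROOT = "root-hints"
# Constructed delegation tree; the record for mail1.nwtraders.com is the one on the slides
SERVERS: Dict[str, dict] = {
    "root-hints":       {"delegations": {"com": "com-server"}, "records": {}},
    "com-server":       {"delegations": {"nwtraders.com": "nwtraders-server"}, "records": {}},
    "nwtraders-server": {"delegations": {}, "records": {"mail1.nwtraders.com": "172.16.64.11"}},
}

def iterative_query(server: str, name: str) -> Tuple[str, Optional[str]]:
    """One iterative query. The server answers authoritatively, refers to the closest delegated
    zone it knows, or reports that the name is below nothing it knows about."""
    srv = SERVERS[server]
    if name in srv["records"]:
        return ("answer", srv["records"][name])
    labels = name.split(".")
    for i in range(len(labels)):                # longest delegated suffix first
        zone = ".".join(labels[i:])
        if zone in srv["delegations"]:
            return ("referral", srv["delegations"][zone])
    return ("nxdomain", None)

class LocalDnsServer:
    def __init__(self, forwarder: Optional["LocalDnsServer"] = None, max_hops: int = 8):
        self.forwarder = forwarder
        self.max_hops = max_hops
        self.log: List[Tuple[str, str, str]] = []

    def recursive_query(self, name: str) -> Optional[str]:
        """Give the client a complete answer: hand the whole job to the forwarder if one is
        configured, otherwise walk referrals from the root hints with a bound on chain length."""
        name = name.lower().rstrip(".")
        if self.forwarder is not None:
            self.log.append(("recursive", "forwarder", name))
            return self.forwarder.recursive_query(name)
        target = ROOT
        for _ in range(self.max_hops):
            kind, value = iterative_query(target, name)
            self.log.append(("iterative", target, kind))
            if kind == "answer":
                return value
            if kind != "referral":
                return None
            target = value
        raise RuntimeError("referral chain exceeded max_hops; possible delegation loop")
```

The hop bound matters on a real resolver for the same reason it matters here: a misconfigured or hostile delegation that refers back to itself must fail the query, not spin the server.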
Dynamic DNS (DDNS)
• DDNS allows a client to update its hostname in our DNS via DHCP
• When a computer requests network information from the DHCP server, the DHCP server will update the DNS zones
ISC's DHCP
ISC: Internet Systems Consortium
Amanda: Open Source Backup
FirewallShorewall Features
• Stateful packet filtering• Blacklist: IP addresses and subnetworks• VPN Support. IPSEC, GRE, IPIP and OpenVPN Tunnels. PPTP clients and Servers.• Flexible address management/routing support
Masquerading/SNAT.Port Forwarding (DNAT).One-to-one NAT.
Linux is Everywhere © 2011 Nhatnghe School
Demo
OPENVPN - LDAP
LDAP - VPN
IP 10.0.0.2, DG 10.0.0.1
IP 10.0.0.2, DG none
IP 192.168.1.11
IP 192.168.1.12
VPN Client
File server
Integrating OpenVPN with LDAP
Installing OpenLDAP
• openldap-2.3.43-3.el5
yum install openldap-servers openldap-clients
• nss_ldap-253-21.el5
• php-ldap-5.1.6-23.2.el5_3
• openldap-servers-2.3.43-3.el5
• python-ldap-2.2.0-2.1
• openldap-devel-2.3.43-3.el5
• openldap-clients-2.3.43-3.el5
Configuring LDAP
/etc/openldap/slapd.conf
• database bdb
• suffix "dc=nhatnghe,dc=com"
• rootdn "cn=Manager,dc=nhatnghe,dc=com"
• rootpw 123456
• directory /var/lib/ldap
Starting LDAP
service ldap start
chkconfig ldap on
Creating the DC, OU and user
taodc.ldif:
dn: dc=nhatnghe,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: nhatnghe

dn: ou=Kinhdoanh,dc=nhatnghe,dc=com
objectClass: organizationalUnit
ou: Kinhdoanh

dn: cn=quangngoc,dc=nhatnghe,dc=com
objectclass: organizationalRole
cn: quangngoc

ldapadd -c -x -D "cn=Manager,dc=nhatnghe,dc=com" -W -f taodc.ldif
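An added example, not part of the slides, serving the DN/RDN slide, the ldapadd slide with sample.ldif, and the taodc.ldif above: a DN parser that splits a DN into its RDNs (handling backslash escapes), a minimal LDIF parser, and a check that every entry in the file lies under the database suffix and that its parent entry appears earlier in the file, which is the order ldapadd needs even with -c. The embedded LDIF is a constructed copy of taodc.ldif.

```python
from typing import Dict, List, Tuple

# Constructed copy of the taodc.ldif content shown on the slide
TAODC_LDIF = """\
dn: dc=nhatnghe,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: nhatnghe

dn: ou=Kinhdoanh,dc=nhatnghe,dc=com
objectClass: organizationalUnit
ou: Kinhdoanh

dn: cn=quangngoc,dc=nhatnghe,dc=com
objectclass: organizationalRole
cn: quangngoc
"""

RDN = Tuple[str, str]

def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute, value) RDNs, leftmost (the entry's own RDN) first.
    A backslash escapes the next character, so 'cn=Doe\\, John' stays one RDN (RFC 4514 subset)."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip()))
    return out

def normalize(dn: str) -> Tuple[RDN, ...]:
    """Comparison form: attribute names and values lower-cased, whitespace around commas dropped."""
    return tuple((a, v.lower()) for a, v in parse_dn(dn))

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Entries are separated by blank lines; attribute names are case-insensitive (objectclass == objectClass)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        cur.setdefault(name.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def check_add_order(text: str, suffix: str) -> List[str]:
    """List the entries ldapadd would reject: a DN outside the database suffix, or an entry whose
    parent has not been added earlier in the file (with -c the rest of the file still continues)."""
    problems, seen = [], set()
    suffix_n = normalize(suffix)
    for entry in parse_ldif(text):
        dn = entry["dn"][0]
        n = normalize(dn)
        if n[-len(suffix_n):] != suffix_n:
            problems.append(f"{dn}: outside suffix {suffix}")
        elif n != suffix_n and n[1:] not in seen:
            problems.append(f"{dn}: parent not added yet")
        seen.add(n)
    return problems
```

Running check_add_order over a file before ldapadd turns a run of "no such object" errors into a list of the exact entries that are out of order or outside the suffix.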
Installing OpenVPN
• lzo-2.04-1.el5.rf.i386.rpm
• openvpn-2.2.0-2.el5.rf.i386.rpm
• openvpn-auth-ldap-2.0.3-3.el5.i386.rpm
• libobjc-4.1.2-50.el5.i386.rpm
• pkcs11-helper-1.08-1.el5.rf.i386.rpm
Configuring OpenVPN
Copy the configuration files
• cp -R /usr/share/doc/openvpn-2.2.0/easy-rsa/ /etc/openvpn/
Configure Public Key Infrastructure Variables
In /etc/openvpn/easy-rsa/2.0/vars, edit the following lines:
• export KEY_COUNTRY="VN"
• export KEY_PROVINCE="HCM"
• export KEY_CITY="Hcm"
• export KEY_ORG="Nhatnghe"
• export [email protected]
Initialize the Public Key Infrastructure (PKI)
• cd /etc/openvpn/easy-rsa/2.0/
• chmod +rwx *
• source ./vars
• ./clean-all
• ./pkitool --initca
This creates 2 files:
• ca.crt
• ca.key
Creating Certificates
./pkitool --server server
• ll keys/
• -rw-r--r-- 1 root root 3 Jun 28 17:18 serial.old
• -rw-r--r-- 1 root root 3835 Jun 28 17:19 server.crt
• -rw-r--r-- 1 root root 664 Jun 28 17:19 server.csr
• -rw------- 1 root root 887 Jun 28 17:19 server.key
• Step 6. Create the Diffie-Hellman Parameters
./build-dh
• ll keys/
• -rw-r--r-- 1 root root 245 Jun 28 17:21 dh1024.pem
Copying the keys
• ca.crt ca.key dh1024.pem server.crt server.key
• cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/
Configuring OpenVPN to authenticate against OpenLDAP
vi /etc/openvpn/auth/ldap.conf
• URL ldap://192.168.1.11
• BindDN cn=Manager,dc=nhatnghe,dc=com
• Password 123456
• #TLSEnable yes
• #TLSCACertFile /usr/local/etc/ssl/ca.pem
• #TLSCACertDir /etc/ssl/certs
• #TLSCertFile /usr/local/etc/ssl/client-cert.pem
• #TLSKeyFile /usr/local/etc/ssl/client-key.pem
• BaseDN "dc=nhatnghe,dc=com"
• SearchFilter (uid=%u)
Configuring OpenVPN
Copy the file
• cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf /etc/openvpn/
vi /etc/openvpn/server.conf
• line 136: push "route 172.16.0.0 255.255.255.0"
• line 137: push "route 10.8.0.0 255.255.255.0"
• Add these 2 lines at the end of the file:
• plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
• client-cert-not-required
Configuring the VPN client
Create the client configuration file
• cp /usr/share/doc/openvpn-2.2.0/sample-config-files/client.conf /etc/openvpn/easy-rsa/2.0/keys/client.ovpn
vi /etc/openvpn/easy-rsa/2.0/keys/client.ovpn
• remote 192.168.1.11 1194
• #cert client.crt
• #key client.key
• auth-user-pass
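An added example, not from the slides or from the openvpn-auth-ldap project, of the substitution the SearchFilter line above asks for: the user name typed at the VPN prompt replaces %u, and since it goes into an LDAP search filter it must be escaped as an assertion value per RFC 4515 before the server searches BaseDN with it. The unescaped variant is kept beside it to show what the check rejects. Two observations a practitioner would add from the config as shown: the filter matches on uid, so the entry for the VPN user needs an object class that carries uid and userPassword (inetOrgPerson or posixAccount, for instance; the organizationalRole entry in taodc.ldif has neither), and the commented-out TLSEnable line means the bind password and user passwords cross the network to 192.168.1.11 in the clear.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def expand_search_filter(template: str, username: str) -> str:
    """Substitute the login name for %u as an escaped assertion value, e.g. (uid=%u) -> (uid=quangngoc)."""
    return template.replace("%u", escape_filter_value(username))

_ONE_EQUALITY = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=((?:[^()*\\]|\\[0-9A-Fa-f]{2})*)\)")

def is_single_equality_filter(filt: str) -> bool:
    """True only for one (attr=value) assertion with no unescaped '(', ')', '*' or '\\' in the value."""
    return _ONE_EQUALITY.fullmatch(filt) is not None

def naive_expand(template: str, username: str) -> str:
    """Plain string substitution without escaping, kept here to show what the check above rejects."""
    return template.replace("%u", username)
```

With the escaped expansion, whatever is typed at the prompt can only ever be compared against uid as a literal string; a stray '*' or ')' becomes \2a or \29 and the filter stays a single equality test.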
LAN routing
Enable IP forwarding
vi /etc/sysctl.conf
• net.ipv4.ip_forward = 1
Enable LAN routing
• echo 1 > /proc/sys/net/ipv4/ip_forward
Installing the OpenVPN GUI
Copy client.ovpn and ca.crt to the directory C:\Program Files\OpenVPN\config
Installing DHCP
• yum install dhcp*
gedit /etc/dhcp/dhcpd.conf and edit it as follows:
ddns-update-style interim;
ignore client-updates;   # these 2 directives do not allow DHCP to update dynamic DNS
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.200;
  option domain-name-servers 10.0.0.1;
  option domain-name "dom20.local";
  option routers 10.0.0.1;
  option broadcast-address 10.0.0.255;
  default-lease-time 600;
  max-lease-time 7200;
}
• # service dhcpd start
To install offline from DVD1:
rpm -qa dhcp: check whether dhcp is already installed
rpm -ivh /media/<dvd drive name>/Packages/dhcp…..
Installing DNS (server hostname: server1.dom20.local)
• yum install bind*
Copy the remaining files (except named.conf) into /var/named/chroot/var/named, after which the named service can be started
Configuration: gedit /etc/named.conf
options {
  listen-on port 53 { 10.0.0.1; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  # query range (set internal server and so on)
  allow-query { localhost; 10.0.0.0/24; };
  allow-query-cache { localhost; 10.0.0.0/24; };
};
# configure the zone files here
zone "0.0.10.IN-ADDR.ARPA" IN {
  type master;
  file "0.0.10.in-addr.arpa.db";
};
zone "dom20.local" IN {
  type master;
  file "dom20local.db";
};
You need to run service named start and chkconfig named on so that the service is not lost after a reboot.
• Remember to change the DNS server in gedit /etc/resolv.conf
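The two zone files named.conf refers to above (dom20local.db and 0.0.10.in-addr.arpa.db) are not shown on the slides; this added example, not the course's own material, generates both from one host list so the forward A records and reverse PTR records cannot drift apart, derives the in-addr.arpa zone name from the 10.0.0.0/24 network, and validates the list first. The host list, SOA timers and serial are constructed values; server1 at 10.0.0.1 is the lab's server, client1 is made up.

```python
import ipaddress
from typing import Dict, List

ZONE = "dom20.local"
NETWORK = "10.0.0.0/24"
NS_FQDN = "server1.dom20.local"
# Constructed host list: server1 is the lab's DNS/DHCP server; client1 is a made-up host
HOSTS: Dict[str, str] = {"server1": "10.0.0.1", "client1": "10.0.0.100"}

def validate_hosts(hosts: Dict[str, str], network: str) -> List[str]:
    """Problems that would make named refuse to load, or that break reverse lookups silently."""
    net = ipaddress.ip_network(network)
    problems, seen = [], {}
    for name, ip in hosts.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{name}: malformed address {ip}")
            continue
        if addr not in net:
            problems.append(f"{name}: {ip} outside {net}")
        if addr in seen:
            problems.append(f"{name}: {ip} already used by {seen[addr]}")
        seen.setdefault(addr, name)
    return problems

def reverse_zone_name(network: str) -> str:
    """'0.0.10.in-addr.arpa' for 10.0.0.0/24: the network octets reversed, host octets dropped."""
    net = ipaddress.ip_network(network)
    if net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 reverse zones are handled here (RFC 2317 otherwise)")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def soa_and_ns(zone_name: str, ns_fqdn: str, serial: int) -> List[str]:
    # Constructed SOA timers: refresh 3600, retry 900, expire 604800, negative-cache TTL 86400
    return ["$TTL 86400",
            f"{zone_name}.\tIN\tSOA\t{ns_fqdn}. hostmaster.{zone_name}. ({serial} 3600 900 604800 86400)",
            f"{zone_name}.\tIN\tNS\t{ns_fqdn}."]

def forward_zone(zone: str, hosts: Dict[str, str], ns_fqdn: str, serial: int) -> List[str]:
    lines = soa_and_ns(zone, ns_fqdn, serial)
    for name, ip in sorted(hosts.items()):
        lines.append(f"{name}.{zone}.\tIN\tA\t{ip}")
    return lines

def reverse_zone(zone: str, hosts: Dict[str, str], network: str, ns_fqdn: str, serial: int) -> List[str]:
    """PTR records for the in-addr.arpa zone; each owner name comes from ipaddress' reverse_pointer."""
    net = ipaddress.ip_network(network)
    lines = soa_and_ns(reverse_zone_name(network), ns_fqdn, serial)
    for name, ip in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            continue                     # belongs in another reverse zone; validate_hosts reports it
        lines.append(f"{addr.reverse_pointer}.\tIN\tPTR\t{name}.{zone}.")
    return lines
```

Write forward_zone's lines to /var/named/chroot/var/named/dom20local.db and reverse_zone's to 0.0.10.in-addr.arpa.db, bump the serial on every change, and run named-checkzone on each file before restarting named.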
How to disable the firewall & SELinux in CentOS 5
• Firewall
[1] It's unnecessary to enable the firewall because it's enabled on the routers, so change it to disabled.
[root@ns ~]# /etc/rc.d/init.d/iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
[root@ns ~]# chkconfig iptables off
[root@ns ~]# chkconfig ip6tables off
Disable SELinux
• [2] Change SELinux (Security-Enhanced Linux) to disabled.
[root@ns ~]# vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled   # change
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted