Page 1: linux-win

Linux is Everywhere © 2011 Nhatnghe School

LPI3 – Building a Linux network to replace Windows

• Openldap
• Apache
• PDC - Samba
• Postfix
• Squid
• Vsftp
• Dhcp & Dns
• Amanda – backup and restore
• Firewall - shorewall
• Demo: integrating OpenVPN with OpenLDAP

M.Eng Do Quang Ngoc

Page 2: linux-win

Diagram: Active Directory (centralized authentication) with Exchange server, IIS server, SQL server, FTP server, ISA server, Print/File server, Proxy server and DHCP server.

Page 3: linux-win

Diagram: the Linux services: Sendmail/Postfix, Apache server, MySQL server, FTP/SSH server, Firewall/IDS, Samba/NFS, Bind/LDAP, Squid server, DHCP server.

OPENLDAP

Page 4: linux-win

Network Directory

• A network directory is a structure that organizes stored data hierarchically, as a tree.

• A network directory is organized to make reading and searching as convenient as possible.

• If an application needs many insert and update operations, it should not store its data in a network directory.

• X.500 is a network directory.

Page 5: linux-win


LDAP directory

uid=babs, ou=people, dc=example, dc=com

DN: Distinguished Name

RDN: Relative Distinguished Name

Page 6: linux-win

LDAP directory (continued)

• The commonly used schemas and objectclasses are already defined in RFCs.

• When defining a directory tree, analyse the requirements and decide which attributes are needed, then find the objectclasses and schemas that provide those attributes.

• From those, build the directory tree.

• If no existing schema satisfies the requirements, new schemas and objectclasses can be defined.

Page 7: linux-win

LDAP directory (continued)

Page 8: linux-win

OPENLDAP (continued)

• OpenLDAP is open-source software that implements LDAP on Linux/UNIX operating systems.

• The server side consists of two main services:

– slapd: standalone LDAP daemon. This daemon listens for LDAP requests from clients, performs the queries and sends back the replies.

– slurpd: LDAP replication daemon. This daemon propagates changes from the LDAP master server to the LDAP slave servers.

Page 9: linux-win

OPENLDAP (continued)

• To work with LDAP, the client uses the following commands:
• ldapadd: add a new entry.
• ldapmodify: modify an entry's attributes.
• ldapdelete: delete an entry.
• ldapmodrdn: change an entry's RDN.
• ldapsearch: search for entries.

Page 10: linux-win

ldapadd -c -x -D "cn=Manager,dc=nhatnghe,dc=com" -W -f /mnt/sample.ldif

/mnt/sample.ldif:

dn: dc=nhatnghe,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: nhatnghe

dn: ou=Ketoan,dc=nhatnghe,dc=com
objectClass: organizationalUnit
ou: Ketoan

dn: ou=Kinhdoanh,dc=nhatnghe,dc=com
objectClass: organizationalUnit
ou: Kinhdoanh

Page 11: linux-win

Managing OpenLDAP

Page 12: linux-win

Managing OpenLDAP

Page 13: linux-win

Master LDAP & slave LDAP

OpenLDAP v2.0, v2.3: master/slave replication

Page 14: linux-win

Multi Master

OpenLDAP v2.4: multi-master replication

Page 15: linux-win

Integrating OpenLDAP

Diagram: OpenLDAP at the center, with the FTP server, Web server, File server, Squid server and Mail server connected to it.

Page 16: linux-win


Openldap - AD

Page 17: linux-win

Samba

• Authentication and access authorization
• Building a Primary Domain Controller
• File and printer sharing
• Name resolution
• User file: /etc/samba/smbpasswd

Diagram: users nv1 and nv2.

Page 18: linux-win

Samba – OpenLDAP

Building a Domain Controller that lets XP clients join the domain and access network resources.

Page 19: linux-win

Domain administration

• Install and configure the Domain Controller
• Join XP and Windows 7 to the domain
• Manage OUs, users and groups
• Share file resources
• Logon scripts
• Roaming user profiles
• Monitor access to shared resources
• Group Policy

Page 20: linux-win

Apache

Two authentication methods:
+ Basic Authentication.
+ Digest Authentication.

User file: cat /etc/httpd/conf/userpasswd

nv2:pMxqVRP.KZYVw
nv1:mS.U/NuGN00qk

Diagram: Client, Web server. Caption: the software used as the web server.

Page 21: linux-win

Apache - OpenLDAP

Configuring the web server to authenticate users from OpenLDAP

Page 22: linux-win

Postfix

• Building a mail server
• Full support for the SMTP, POP, IMAP, HTTP ... protocols
• User file: /etc/passwd

quangngoc:501 ….
vanhue:x:502…

Diagram: Client, Mail server.

Page 23: linux-win

Postfix - OpenLDAP

Configuring the mail server to authenticate users from OpenLDAP

Page 24: linux-win

Squid

• Squid is a caching proxy server.
• Restricts web access through rules.
• Speeds up web access.
• Access authentication, user file /etc/passwd:

quangngoc:x:1006:1006::/home/quangngoc:/bin/bash
vanhue:x:51314:51314::/home/vanhue:/bin/bash

Diagram: Client, Proxy server.

Page 25: linux-win

Squid - OpenLDAP

Squid authenticates users against the LDAP server

Page 26: linux-win

Access reports and statistics

Page 27: linux-win

FTP

• The FTP service allows uploading/downloading data remotely
• The FTP service operates on two ports:

– Port 20: data port. Data is transferred on this port.

– Port 21: control port. Commands and replies are exchanged between client and server on this port.

• /etc/passwd

quangngoc:x:1006:1006:: …
vanhue:x:51314:51314:: …

Diagram: Client, FTP server.

Page 28: linux-win

VSFTP - OpenLDAP

Configuring the FTP server to authenticate users from OpenLDAP

Page 29: linux-win

Access reports and statistics

Page 30: linux-win

Openvpn

• Connection: point-to-point or site-to-site
• Authentication: using a pre-shared secret key, certificates, or username/password.
• Security: SSL and TLS, smart cards
• Extensibility:
- plug-ins or scripts, RADIUS integration
- authenticate against LDAP or SQLite and MySQL
• Platforms: Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, and Windows 2000/XP/Vista/7.

Page 31: linux-win

Establishing a VPN connection

Diagram: VPN Client, VPN Server, Openldap server.

A VPN extends a private network across shared or public networks, such as the Internet.

1. VPN client calls the VPN server
2. VPN server answers the call
3. VPN server authenticates and authorizes the client
4. VPN server transfers data

Page 32: linux-win

DHCP

DHCP reduces the complexity and amount of administrative work by using automatic TCP/IP configuration.

Manual TCP/IP Configuration
• IP addresses are entered manually
• IP address could be entered incorrectly
• Communication and network issues can result
• Frequent computer moves increase administrative effort

Automatic TCP/IP Configuration
• IP addresses are supplied automatically
• Correct configuration information is ensured
• Client configuration is updated automatically
• A common source of network problems is eliminated

Page 33: linux-win

How DHCP works

Diagram: DHCP Client, DHCP Server1, DHCP Server2.

1. DHCP client broadcasts a DHCPDISCOVER packet
2. DHCP servers broadcast a DHCPOFFER packet
3. DHCP client broadcasts a DHCPREQUEST packet
4. DHCP Server1 broadcasts a DHCPACK packet

Page 34: linux-win


DNS

Domain Name System

Page 35: linux-win

Host Name Resolution Process

Host name resolution is the process of resolving a host name to an IP address.

Diagram steps 1-3: the query "What is the IP address for Salescomputer2?" is answered with 192.168.1.35 for Salescomputer2.

Name resolution sources: DNS: Client Resolver Cache/Hosts File; NetBIOS: Name Cache, WINS, Broadcast, Lmhosts File.

Page 36: linux-win

Hosts File

The Hosts file is a static local file that contains mappings for host name-to-IP addresses.

Diagram: Computer1 with its Hosts File:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host
# name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com         # source server
#       38.25.63.10     x.acme.com             # x client host

127.0.0.1       localhost

Page 37: linux-win

Client Resolver Cache

The client resolver cache stores recently resolved host names and host name mappings that are loaded from the Hosts file.

Diagram: Computer1 loads the Hosts File into the cache, together with resolved host names from the DNS server.

Page 38: linux-win

What Is a Domain Namespace?

Diagram: Root Domain; Top-Level Domain (com, org, net); Second-Level Domain (nwtraders); Subdomains (south, west, east; sales below south); Host: SERVER1.

FQDN: SERVER1.sales.south.nwtraders.com

Page 39: linux-win

How Recursive Queries Work

A recursive query is sent to a DNS server and requires a complete answer.

Diagram: the DNS Client asks the Local DNS Server (which has its own database) for mail1.contoso.msft and receives 172.16.64.11.

Page 40: linux-win

How Iterative Queries Work

An iterative query directed to a DNS server may be answered with a referral to another DNS server.

Diagram: the Client sends a recursive query for mail1.nwtraders.com to the Local DNS Server. The Local DNS Server then sends iterative queries: to the Root Hint (.), which answers "Ask .com"; to .com, which answers "Ask nwtraders.com"; and to Nwtraders.com, which returns the authoritative response. The Local DNS Server returns 172.16.64.11 to the Client.
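The referral chain on this slide (root, then .com, then nwtraders.com) is easiest to see by walking it. The following POSIX shell script is an added example, not part of the slides: it keeps a constructed table of three authoritative servers in memory (the names mail1.nwtraders.com and 172.16.64.11 are the slide's; the server host names, the www record and the hop limit are assumptions) and plays the local DNS server's role, sending one iterative query at a time and following each referral until an authoritative answer or a dead end. The hop limit is what keeps a broken or malicious delegation from making the resolver loop forever.

```sh
#!/bin/sh
# Added example, not from the slides: follow the referral chain of the iterative-query
# diagram over a constructed, in-memory set of authoritative servers.

# One record per line: "server name type value". Names are the slide's; the server host
# names and the second A record are assumptions made for the example.
ZONEDATA='a.root-servers.net com NS a.gtld-servers.net
a.gtld-servers.net nwtraders.com NS ns1.nwtraders.com
ns1.nwtraders.com mail1.nwtraders.com A 172.16.64.11
ns1.nwtraders.com www.nwtraders.com A 172.16.64.12'

# One iterative query: ask server $1 about name $2. Prints "ANSWER <ip>" when the server
# is authoritative for the name, "REFER <zone> <server>" for the longest delegation it
# knows that covers the name, or "NXDOMAIN" when it knows nothing useful.
ask() {
  printf '%s\n' "$ZONEDATA" | awk -v srv="$1" -v q="$2" '
    function covers(zone, name) {   # name equals zone or ends in "." zone
      return name == zone || (length(name) > length(zone) &&
             substr(name, length(name) - length(zone)) == "." zone)
    }
    $1 != srv { next }
    $3 == "A" && $2 == q { print "ANSWER " $4; found = 1; exit }
    $3 == "NS" && covers($2, q) && length($2) > length(best) { best = $2; bestsrv = $4 }
    END {
      if (!found) { if (best != "") print "REFER " best " " bestsrv; else print "NXDOMAIN" }
    }'
}

# The local DNS server's side of the diagram: start at a root server and follow referrals
# until an authoritative answer arrives. Trace goes to stderr, the address to stdout;
# returns 1 when the name cannot be resolved.
iterative_resolve() {
  q=$1; server=a.root-servers.net; hops=0
  while [ "$hops" -lt 8 ]; do        # bound the walk so a bad delegation cannot loop forever
    hops=$((hops + 1))
    reply=$(ask "$server" "$q")
    case $reply in
      "ANSWER "*)
        echo "$server: authoritative response ${reply#ANSWER }" >&2
        echo "${reply#ANSWER }"
        return 0 ;;
      "REFER "*)
        set -- $reply
        echo "$server: ask $2 (referral to $3)" >&2
        server=$3 ;;
      *)
        echo "$server: $reply" >&2
        return 1 ;;
    esac
  done
  echo "gave up after $hops referrals" >&2
  return 1
}

echo "resolving mail1.nwtraders.com:"
iterative_resolve mail1.nwtraders.com
echo "resolving mail1.contoso.msft (no delegation known):"
iterative_resolve mail1.contoso.msft || echo "unresolved"
```

Run it as-is: the trace printed for mail1.nwtraders.com is exactly the three arrows of the diagram ("ask com", "ask nwtraders.com", authoritative response), and the second query shows what a resolver sees when no server on the path knows the name.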

Page 41: linux-win

How Forwarders Work

A forwarder is a DNS server designated to resolve external or offsite DNS domain names.

Diagram: the Client sends a recursive query for mail1.nwtraders.com to the Local DNS Server, which passes it on as a recursive query to the Forwarder. The Forwarder sends iterative queries to the Root Hint (.) ("Ask .com"), to .com ("Ask nwtraders.com") and to Nwtraders.com (authoritative response), then returns 172.16.64.11 to the Local DNS Server, which returns it to the Client.

Page 42: linux-win

Dynamic DNS (DDNS)

• DDNS allows a client to update its hostname in our DNS via DHCP

• When a computer requests network information from the DHCP server, the DHCP server updates the DNS zones

Page 43: linux-win

ISC's DHCP

ISC: Internet Systems Consortium

Page 44: linux-win


Amanda: Open Source Backup

Page 45: linux-win

Firewall: Shorewall Features

• Stateful packet filtering
• Blacklist: IP addresses and subnetworks
• VPN support: IPSEC, GRE, IPIP and OpenVPN tunnels; PPTP clients and servers
• Flexible address management/routing support: Masquerading/SNAT, Port Forwarding (DNAT), One-to-one NAT

Page 46: linux-win


Demo

OPENVPN - LDAP

Page 47: linux-win

LDAP - VPN

Integrating OpenVPN with LDAP

Diagram labels: VPN Client, File server; IP 10.0.0.2 / DG 10.0.0.1; IP 10.0.0.2 / DG none; IP 192.168.1.11; IP 192.168.1.12.

Page 48: linux-win

Installing OpenLDAP

• openldap-2.3.43-3.el5

yum install openldap-servers openldap-clients

• nss_ldap-253-21.el5
• php-ldap-5.1.6-23.2.el5_3
• openldap-servers-2.3.43-3.el5
• python-ldap-2.2.0-2.1
• openldap-devel-2.3.43-3.el5
• openldap-clients-2.3.43-3.el5

Page 49: linux-win

Configuring LDAP

/etc/openldap/slapd.conf:

database bdb
suffix "dc=nhatnghe,dc=com"
rootdn "cn=Manager,dc=nhatnghe,dc=com"
rootpw 123456
directory /var/lib/ldap

Starting LDAP

service ldap start

chkconfig ldap on

Page 50: linux-win

Creating the DC, OU and user

taodc.ldif:

dn: dc=nhatnghe,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: nhatnghe

dn: ou=Kinhdoanh,dc=nhatnghe,dc=com
objectClass: organizationalUnit
ou: Kinhdoanh

dn: cn=quangngoc,dc=nhatnghe,dc=com
objectclass: organizationalRole
cn: quangngoc

ldapadd -c -x -D "cn=Manager,dc=nhatnghe,dc=com" -W -f taodc.ldif
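Both LDIF files in this deck (the sample.ldif on the earlier ldapadd slide and taodc.ldif here) are loaded with ldapadd, which processes entries strictly in file order: a child entry whose parent DN has not been created yet fails with "no such object", and the -c flag used on the slides makes ldapadd skip that entry and continue, so the gap is easy to miss. The following POSIX shell script is an added example, not part of the slides or of OpenLDAP: it builds an LDIF for the demo's suffix from a constructed list of OUs and users, with DN/RDN helpers as on the "LDAP directory" slide, and checks the parent-before-child order before anything is sent to slapd. The user entries are written as inetOrgPerson/posixAccount with a uid attribute, which the (uid=%u) SearchFilter of the later OpenVPN demo needs (the organizationalRole entry above only has a cn), and no userPassword is written into the file; set it afterwards with ldappasswd so the server stores a hashed value. The DN helpers assume simple DNs without escaped commas; the OU and user names other than those on the slides are made up.

```sh
#!/bin/sh
# Added example, not from the slides: build the demo LDIF from constructed data and check
# entry order before running ldapadd. Assumes simple DNs (no escaped commas).

SUFFIX="dc=nhatnghe,dc=com"     # the suffix from slapd.conf on the slides

# Leftmost RDN of a DN: "uid=babs" from "uid=babs,ou=people,dc=example,dc=com".
dn_rdn() { printf '%s\n' "$1" | sed 's/,.*$//'; }

# Parent DN: everything after the leftmost RDN (empty for a single-RDN DN).
dn_parent() {
  case $1 in
    *,*) printf '%s\n' "$1" | sed 's/^[^,]*,[[:space:]]*//' ;;
    *)   printf '\n' ;;
  esac
}

# Emit the base entry, one organizationalUnit per name in $1 (space separated) and one
# inetOrgPerson/posixAccount per "uid ou uidNumber" line in $2. Users carry a uid attribute,
# which the (uid=%u) SearchFilter of the OpenVPN plugin needs; no userPassword is written,
# set it afterwards with ldappasswd so the server stores a hash.
make_ldif() {
  dc=$(dn_rdn "$SUFFIX" | sed 's/^[^=]*=//')
  printf 'dn: %s\nobjectClass: dcObject\nobjectClass: organization\no: Nhatnghe\ndc: %s\n\n' "$SUFFIX" "$dc"
  for ou in $1; do
    printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' "$ou" "$SUFFIX" "$ou"
  done
  printf '%s\n' "$2" | while read -r uid ou uidnum; do
    [ -n "$uid" ] || continue
    printf 'dn: uid=%s,ou=%s,%s\n' "$uid" "$ou" "$SUFFIX"
    printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\n'
    printf 'uid: %s\ncn: %s\nsn: %s\nuidNumber: %s\ngidNumber: %s\n' "$uid" "$uid" "$uid" "$uidnum" "$uidnum"
    printf 'homeDirectory: /home/%s\nloginShell: /bin/bash\n\n' "$uid"
  done
}

# ldapadd loads entries in file order, so every parent must precede its children. Report
# entries whose parent is neither the suffix (assumed to exist) nor defined earlier; returns 1
# if any. ldapadd -c would skip such entries and carry on, hiding the problem.
ldif_check_order() {   # $1 = LDIF file, $2 = suffix
  awk -v suffix="$2" '
    BEGIN { seen[suffix] = 1 }
    /^dn:/ {
      dn = $0; sub(/^dn:[ \t]*/, "", dn)
      p = dn; if (!sub(/^[^,]*,[ \t]*/, "", p)) p = ""
      if (dn != suffix && p != "" && !(p in seen)) {
        printf "%s: parent %s is not defined earlier\n", dn, p; bad++
      }
      seen[dn] = 1
    }
    END { exit bad > 0 }' "$1"
}

WORK=$(mktemp -d)
USERS='quangngoc Kinhdoanh 1006
vanhue Ketoan 51314'          # constructed; uidNumbers as in /etc/passwd on the slides
make_ldif "Ketoan Kinhdoanh" "$USERS" > "$WORK/good.ldif"
# A mis-ordered file: a user under an OU that the file never creates.
{ sed -n '1,/^$/p' "$WORK/good.ldif"
  printf 'dn: uid=nv1,ou=Nhansu,%s\nobjectClass: inetOrgPerson\nuid: nv1\ncn: nv1\nsn: nv1\n\n' "$SUFFIX"
} > "$WORK/bad.ldif"

ldif_check_order "$WORK/good.ldif" "$SUFFIX" && echo "good.ldif: order ok, safe for ldapadd -x -D \"cn=Manager,$SUFFIX\" -W -f"
ldif_check_order "$WORK/bad.ldif" "$SUFFIX" || echo "bad.ldif: fix the order (or add the OU) before ldapadd"
```

Running the check without -c on ldapadd afterwards is the complementary habit: a load that stops at the first error is easier to diagnose than one that silently leaves holes in the tree.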

Page 51: linux-win

Installing OpenVPN

• lzo-2.04-1.el5.rf.i386.rpm
• openvpn-2.2.0-2.el5.rf.i386.rpm
• openvpn-auth-ldap-2.0.3-3.el5.i386.rpm
• libobjc-4.1.2-50.el5.i386.rpm
• pkcs11-helper-1.08-1.el5.rf.i386.rpm

Page 52: linux-win

Configuring OpenVPN

Copy the configuration files:

• cp -R /usr/share/doc/openvpn-2.2.0/easy-rsa/ /etc/openvpn/

Configure the Public Key Infrastructure variables in /etc/openvpn/easy-rsa/2.0/vars; edit the lines:

• export KEY_COUNTRY="VN"
• export KEY_PROVINCE="HCM"
• export KEY_CITY="Hcm"
• export KEY_ORG="Nhatnghe"
• export KEY_EMAIL=[email protected]

Page 53: linux-win

Initialize the Public Key Infrastructure (PKI)

• cd /etc/openvpn/easy-rsa/2.0/
• chmod +rwx *
• source ./vars
• ./clean-all
• ./pkitool --initca

This creates 2 files:
• ca.crt
• ca.key

Page 54: linux-win

Creating certificates

./pkitool --server server

• ll keys/
• -rw-r--r-- 1 root root 3 Jun 28 17:18 serial.old
• -rw-r--r-- 1 root root 3835 Jun 28 17:19 server.crt
• -rw-r--r-- 1 root root 664 Jun 28 17:19 server.csr
• -rw------- 1 root root 887 Jun 28 17:19 server.key

Step 6. Create the Diffie-Hellman parameters: ./build-dh

• ll keys/
• -rw-r--r-- 1 root root 245 Jun 28 17:21 dh1024.pem

Page 55: linux-win

Copying the keys

• ca.crt ca.key dh1024.pem server.crt server.key
• cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/

Page 56: linux-win

Configuring OpenVPN to authenticate against OpenLDAP

vi /etc/openvpn/auth/ldap.conf

• URL ldap://192.168.1.11
• BindDN cn=Manager,dc=nhatnghe,dc=com
• Password 123456
• #TLSEnable yes
• #TLSCACertFile /usr/local/etc/ssl/ca.pem
• #TLSCACertDir /etc/ssl/certs
• #TLSCertFile /usr/local/etc/ssl/client-cert.pem
• #TLSKeyFile /usr/local/etc/ssl/client-key.pem
• BaseDN "dc=nhatnghe,dc=com"
• SearchFilter (uid=%u)

Page 57: linux-win

Configuring OpenVPN

Copy the file:

• cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf /etc/openvpn/

vi /etc/openvpn/server.conf

• 136 push "route 172.16.0.0 255.255.255.0"
• 137 push "route 10.8.0.0 255.255.255.0"

Add the following 2 lines at the end of the file:

• plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
• client-cert-not-required
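Taken together, the ldap.conf and server.conf on these two slides decide what a VPN login is actually worth: the directory is reached over plain ldap:// with the TLSEnable line commented out, the plugin binds as the directory's rootdn cn=Manager, client-cert-not-required drops the certificate check, and the previous slide copied ca.key onto the VPN server. The following POSIX shell script is an added example, not part of the slides or of the openvpn-auth-ldap project: it audits a directory laid out like the demo's /etc/openvpn (auth/ldap.conf, server.conf and the copied key files) for exactly those five points and returns non-zero when any is found. The two sample layouts are constructed inline, one copied from the slides and one hardened; the bind account cn=vpn-bind and the TLSCACertFile path in the hardened variant are assumed names.

```sh
#!/bin/sh
# Added example, not from the slides: audit an /etc/openvpn-style directory that uses
# openvpn-auth-ldap the way the demo does. Findings go to stdout; returns 1 if any.

findings=0
note() { echo "FINDING: $1"; findings=$((findings + 1)); }

audit_openvpn_ldap() {   # $1 = directory laid out like the demo's /etc/openvpn
  dir=$1; ldapconf="$dir/auth/ldap.conf"; serverconf="$dir/server.conf"; findings=0
  [ -f "$ldapconf" ] && [ -f "$serverconf" ] || { echo "missing auth/ldap.conf or server.conf"; return 1; }

  # 1. ldap:// with TLSEnable left commented out: the bind password and every VPN user's
  #    password travel to the directory in cleartext.
  if grep -Eq '^[[:space:]]*URL[[:space:]]+ldap://' "$ldapconf" &&
     ! grep -Eq '^[[:space:]]*TLSEnable[[:space:]]+yes' "$ldapconf"; then
    note "ldap.conf: ldap:// URL without TLSEnable yes (credentials cross the network in cleartext)"
  fi
  # 2. The plugin binds as the directory rootdn, so the VPN host holds full write access to LDAP.
  if grep -Eq '^[[:space:]]*BindDN[[:space:]]+cn=Manager,' "$ldapconf"; then
    note "ldap.conf: BindDN is the rootdn cn=Manager (use a dedicated read-only bind account)"
  fi
  # 3. The file holds the bind password, so other local users must not be able to read it.
  if [ -n "$(find "$ldapconf" -perm -004)" ]; then
    note "ldap.conf: world-readable although it contains the bind password (chmod 600)"
  fi
  # 4. No client certificate: the LDAP password is the only thing a client presents.
  if grep -Eq '^[[:space:]]*client-cert-not-required' "$serverconf"; then
    note "server.conf: client-cert-not-required (password-only client authentication)"
  fi
  # 5. The CA private key was copied next to server.key; only ca.crt is needed here.
  if [ -f "$dir/ca.key" ]; then
    note "ca.key present on the VPN server (keep the CA private key offline)"
  fi
  [ "$findings" -eq 0 ]
}

# Constructed sample 1: the layout exactly as the slides build it.
make_demo_layout() {
  d=$(mktemp -d); mkdir -p "$d/auth"
  cat > "$d/auth/ldap.conf" <<'EOF'
URL ldap://192.168.1.11
BindDN cn=Manager,dc=nhatnghe,dc=com
Password 123456
#TLSEnable yes
BaseDN "dc=nhatnghe,dc=com"
SearchFilter (uid=%u)
EOF
  chmod 644 "$d/auth/ldap.conf"
  printf 'plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf\nclient-cert-not-required\n' > "$d/server.conf"
  : > "$d/ca.key"
  echo "$d"
}

# Constructed sample 2: the same service hardened. STARTTLS to the directory, a dedicated
# bind account (cn=vpn-bind is an assumed name), 0600 on the file, client certificates kept
# mandatory, and the CA key left off the box.
make_hardened_layout() {
  d=$(mktemp -d); mkdir -p "$d/auth"
  cat > "$d/auth/ldap.conf" <<'EOF'
URL ldap://192.168.1.11
TLSEnable yes
TLSCACertFile /etc/openvpn/auth/ldap-ca.pem
BindDN cn=vpn-bind,ou=Services,dc=nhatnghe,dc=com
Password REPLACE-WITH-A-RANDOM-SECRET
BaseDN "dc=nhatnghe,dc=com"
SearchFilter (uid=%u)
EOF
  chmod 600 "$d/auth/ldap.conf"
  printf 'plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf\n' > "$d/server.conf"
  echo "$d"
}

DEMO=$(make_demo_layout); HARD=$(make_hardened_layout)
echo "== layout from the slides =="; audit_openvpn_ldap "$DEMO" || echo "-> $findings finding(s)"
echo "== hardened layout =="; audit_openvpn_ldap "$HARD" && echo "-> no findings"
```

Point the function at a real /etc/openvpn to run the same five checks there; the hardened sample shows that each finding has a one-line fix, and none of them needs the client-side configuration to change.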

Page 58: linux-win

Configuring the VPN client

Create the client configuration file:

• cp /usr/share/doc/openvpn-2.2.0/sample-config-files/client.conf /etc/openvpn/easy-rsa/2.0/keys/client.ovpn

vi /etc/openvpn/easy-rsa/2.0/keys/client.ovpn

• remote 192.168.1.11 1194
• #cert client.crt
• #key client.key
• auth-user-pass

Page 59: linux-win

LAN routing

Enable IP forwarding

vi /etc/sysctl.conf
• net.ipv4.ip_forward = 1

Enable LAN routing immediately
• echo 1 > /proc/sys/net/ipv4/ip_forward

Page 60: linux-win

Installing OpenVPN GUI

Copy client.ovpn and ca.crt to the directory C:\Program Files\OpenVPN\config

Page 61: linux-win

Installing DHCP

• yum install dhcp*

gedit /etc/dhcp/dhcpd.conf and change it as follows:

ddns-update-style interim;
ignore client-updates;
# these two directives keep dhcpd from updating dynamic DNS

subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.200;
  option domain-name-servers 10.0.0.1;
  option domain-name "dom20.local";
  option routers 10.0.0.1;
  option broadcast-address 10.0.0.255;
  default-lease-time 600;
  max-lease-time 7200;
}

• # service dhcpd start

To install offline from DVD1: rpm -qa dhcp (check whether dhcp is already installed), then rpm -ivh /media/<dvd name>/Packages/dhcp…..
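Every value in the subnet block above is copied onto each client that takes a lease, so an off-subnet gateway or a wrong broadcast address turns into the "communication and network issues" the DHCP slide lists, on every machine at once. dhcpd refuses a range that lies outside its subnet, but it hands out option routers, broadcast-address and the lease timers as written. The following POSIX shell script is an added example, not part of the slides or of ISC dhcpd: it parses a single-subnet dhcpd.conf like the one above, converts the addresses to integers and checks the relationships between them before the service is started. It assumes one subnet block with a dotted-quad netmask; the two sample files are constructed inline, one copied from the slide and one with deliberate mistakes.

```sh
#!/bin/sh
# Added example, not from the slides: cross-check the addresses in a single-subnet
# dhcpd.conf before the service hands them out to every client.

# Dotted quad -> 32-bit integer and back.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
# True when address $1 lies in network $2 with netmask $3.
in_subnet() {
  [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}
# Tokens after keyword $2 in file $1, without the trailing ';' (first match only).
conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# Check range, routers, broadcast-address and lease times of the first subnet block.
# Prints each problem; returns 1 if any. Assumes one subnet with a dotted-quad netmask.
dhcpd_check() {
  f=$1; errors=0
  set -- $(sed -n 's/^[[:space:]]*subnet[[:space:]]\{1,\}\([0-9.]*\)[[:space:]]\{1,\}netmask[[:space:]]\{1,\}\([0-9.]*\).*/\1 \2/p' "$f" | head -n 1)
  net=$1; mask=$2
  [ -n "$net" ] && [ -n "$mask" ] || { echo "no subnet declaration found"; return 1; }
  set -- $(conf_get "$f" range); start=$1; end=$2
  routers=$(conf_get "$f" 'option routers')
  bcast=$(conf_get "$f" 'option broadcast-address')
  dlease=$(conf_get "$f" default-lease-time)
  mlease=$(conf_get "$f" max-lease-time)
  for v in "$start" "$end" "$routers" "$bcast"; do
    [ -n "$v" ] || { echo "range, option routers and option broadcast-address are all required"; return 1; }
  done

  # dhcpd rejects a range outside the subnet itself, but the remaining checks are ones it
  # does not make: an off-subnet gateway or a wrong broadcast address is handed out as-is.
  in_subnet "$start" "$net" "$mask" && in_subnet "$end" "$net" "$mask" ||
    { echo "range $start $end is not inside $net/$mask"; errors=$((errors + 1)); }
  [ "$(ip2int "$start")" -le "$(ip2int "$end")" ] ||
    { echo "range start $start is above range end $end"; errors=$((errors + 1)); }
  in_subnet "$routers" "$net" "$mask" ||
    { echo "option routers $routers is not on $net/$mask (clients get an unreachable gateway)"; errors=$((errors + 1)); }
  want=$(int2ip $(( $(ip2int "$net") | (~$(ip2int "$mask") & 4294967295) )))
  [ "$bcast" = "$want" ] ||
    { echo "option broadcast-address $bcast should be $want"; errors=$((errors + 1)); }
  [ "${dlease:-0}" -le "${mlease:-0}" ] ||
    { echo "default-lease-time $dlease exceeds max-lease-time $mlease"; errors=$((errors + 1)); }
  [ "$errors" -eq 0 ]
}

WORK=$(mktemp -d)
# Constructed copy of the slide's dhcpd.conf.
cat > "$WORK/dhcpd.conf" <<'EOF'
ddns-update-style interim;
ignore client-updates;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.200;
  option domain-name-servers 10.0.0.1;
  option domain-name "dom20.local";
  option routers 10.0.0.1;
  option broadcast-address 10.0.0.255;
  default-lease-time 600;
  max-lease-time 7200;
}
EOF
# Constructed broken variant: gateway on another subnet, wrong broadcast, inverted lease times.
sed -e 's/option routers 10\.0\.0\.1;/option routers 10.0.1.1;/' \
    -e 's/10\.0\.0\.255/10.0.0.254/' \
    -e 's/default-lease-time 600/default-lease-time 86400/' "$WORK/dhcpd.conf" > "$WORK/broken.conf"

dhcpd_check "$WORK/dhcpd.conf" && echo "dhcpd.conf: consistent"
dhcpd_check "$WORK/broken.conf" || echo "broken.conf: $errors problem(s), fix before service dhcpd start"
```

The same integer arithmetic is what a reviewer uses to confirm that the 10.0.0.100 to 10.0.0.200 range leaves 10.0.0.1 (the router and DNS server in this configuration) outside the pool, so no client can ever be leased the server's own address.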

Page 62: linux-win

Installing DNS (server hostname: server1.dom20.local)

• yum install bind*

Copy the remaining files (except named.conf) into /var/named/chroot/var/named, after which the named service can be started.

Configuration: gedit /etc/named.conf

options {
  listen-on port 53 { 10.0.0.1; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  # query range ( set internal server and so on )
  allow-query { localhost; 10.0.0.0/24; };
  allow-query-cache { localhost; 10.0.0.0/24; };
};

# zone file configuration goes here
zone "0.0.10.IN-ADDR.ARPA" IN {
  type master;
  file "0.0.10.in-addr.arpa.db";
};

zone "dom20.local" IN {
  type master;
  file "dom20local.db";
};

You need service named start and chkconfig named on so that the service is not lost after a reboot.
• Remember to change the DNS server in /etc/resolv.conf (gedit /etc/resolv.conf).
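named.conf above refers to two zone files, dom20local.db and 0.0.10.in-addr.arpa.db, that the slide tells you to copy but does not show, and a forward zone and a reverse zone that are maintained by hand drift apart as soon as one host is added to only one of them. The following POSIX shell script is an added example, not part of the slides or of BIND: it writes both files from a single constructed host list so that every A record gets its matching PTR, derives the reverse zone name from the network prefix the same way the zone statement does, and then checks an edited copy for A records whose PTR is missing. The file names follow the slide; server1 is the slide's hostname, while the other hosts, the SOA contact and timers and the YYYYMMDDnn serial scheme are assumptions.

```sh
#!/bin/sh
# Added example, not from the slides: write the two zone files named.conf refers to from
# one host list, and check that forward and reverse data agree.

# "10.0.0" -> "0.0.10.in-addr.arpa": the /24 reverse zone name as used in named.conf.
reverse_zone_name() { echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'; }
# Last octet of an address: the PTR owner name inside a /24 reverse zone.
last_octet() { echo "${1##*.}"; }

# $1 zone, $2 /24 prefix, $3 primary name server host, $4 "name ip" host list, $5 output dir.
# Prints the two file names. File names follow the slide (dom20local.db, 0.0.10.in-addr.arpa.db);
# SOA contact, timers and the YYYYMMDDnn serial are assumptions.
make_zone_files() {
  zone=$1; prefix=$2; ns=$3; hosts=$4; out=$5
  serial=$(date +%Y%m%d01)
  fwd="$out/$(echo "$zone" | tr -d .).db"
  rev="$out/$(reverse_zone_name "$prefix").db"
  header=$(printf '$TTL 86400\n@ IN SOA %s.%s. hostmaster.%s. ( %s 3600 900 604800 86400 )\n  IN NS %s.%s.' \
           "$ns" "$zone" "$zone" "$serial" "$ns" "$zone")
  { echo "$header"
    while read -r name ip; do [ -n "$name" ] && echo "$name IN A $ip"; done < "$hosts"
  } > "$fwd"
  { echo "$header"
    while read -r name ip; do [ -n "$name" ] && echo "$(last_octet "$ip") IN PTR $name.$zone."; done < "$hosts"
  } > "$rev"
  echo "$fwd $rev"
}

# Every A record in $1 must have a PTR in $2 pointing back at the same name in zone $3; a
# hand-edited copy of one file is how the two drift apart. Returns 1 if any record is missing.
check_forward_reverse() {
  bad=0
  while read -r name class type ip; do
    [ "$type" = A ] || continue
    grep -qxF "$(last_octet "$ip") IN PTR $name.$3." "$2" ||
      { echo "no PTR for $name ($ip)"; bad=$((bad + 1)); }
  done < "$1"
  [ "$bad" -eq 0 ]
}

WORK=$(mktemp -d)
# Constructed host list: server1 is the slide's hostname, the others are made up.
cat > "$WORK/hosts.txt" <<'EOF'
server1 10.0.0.1
vpn1 10.0.0.2
files1 10.0.0.3
EOF
set -- $(make_zone_files dom20.local 10.0.0 server1 "$WORK/hosts.txt" "$WORK")
FWD=$1; REV=$2
echo "wrote $FWD and $REV"
check_forward_reverse "$FWD" "$REV" dom20.local && echo "forward and reverse agree"
# Someone adds a host to the forward file only:
cp "$FWD" "$WORK/edited.db"; echo 'printer1 IN A 10.0.0.9' >> "$WORK/edited.db"
check_forward_reverse "$WORK/edited.db" "$REV" dom20.local || echo "edited.db: add the PTR too"
```

Generating both files from one list and bumping the serial on every run is what makes the reverse zone trustworthy for the log and access-control checks (Squid, Apache, the FTP server) that rely on reverse lookups of 10.0.0.0/24 addresses.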

Page 63: linux-win

Disabling the firewall and SELinux in CentOS 5

• Firewall

[1] It is unnecessary to enable the firewall because it is enabled on the routers, so change it to disabled.

[root@ns ~]# /etc/rc.d/init.d/iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
[root@ns ~]# chkconfig iptables off
[root@ns ~]# chkconfig ip6tables off

• Disable SELinux

[2] Change SELinux (Security-Enhanced Linux) to disabled.

[root@ns ~]# vi /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled         # change
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
