Dedication Red Hat Linux 253 Experimental Translation (Kevinz)
### Please post the following content ###### Red Hat Linux 253 Experiment part should be the requirements of RH enthusiasts, dedication Red Hat Linux 253 experimental translation, please make valuable comments Mail: kissingwolf@hotmail.comkevinz (Kissingwolf) 2004.3.24 ############################# r h 2 2 实 部分 部分 试 2 2 时间: 2 hours target: Starting point for installing and configuring a DNS server test: Standard Red Hat Linux Installation This experiment Guide You configure domain name service by using the Berkeley Internet Name daemon. Using template files as a guide, you will implement a cached domain name server configuration named as an example server configuration named as the primary domain server for forwarding and IP anti-query throughout the test, the machine name you use The domain name will be based on the IP address of the machine you use. If the following test has the name of the X words, you should replace the X-style name to your workstation number (the last part of your IP address). For example, if your workstation's IP address is 192.168.0.3, you should convert stationX.domainx.example.com to station3.domain3.example.com. Setting the packet filtering to an invalid state. Before this test begins, please make sure all packet filtering on your host has been turned off (obviously, in actual use you can use the Linux kernel firewall mechanism, but we turn off it here to reduce potential problems ). In this trial, the following command is used to reach the above requirements: Service Iptables Stopchkconfig iptables OFF initialization installation A. Get the necessary files require bind, bind-utils, and caching-nameserver packages. Use `rpm -q to determine if these packages are installed. If it is not installed, install (in root identity) by entering the following command: MKDIR / MNT / Server1; Mount Server1: / VAR / FTP / PUB / MNT / Server1RPM -UVH / MNT / Server1 / Redhat / RPMS / BIND-9 * rpm -uvh / mnt / server1 / redhat / rpms / bind-utils * rpm -uvh / mnt / server1 / redhat / rpms / caching-nameserver * RPM package BIND includes DNS daemon and support script, but no configuration and area file. Caching-Nameserver provides a universal configuration and zone file. B. Configure local parsers Configure your host so that it can be used as a domain name service instead of 192.168.0.254. Note: Until your domain name server is properly installed and configured, your machine's DNS service will not work. You should also notice that your /etc/resolve.conf will be rewritten when your system is restarted or re-setting (unless you set it in this lecture unless you set up your network interface. PeerDNS) Edit your parser profile /etc/resolv.confsearch domainx.example.Confsearch domainx.example.comNameserver 192.168.0.x (remember to remember to replace X of the number of your workstation) The first line is defined if it is simple The default domain that does not meet the host name of the full domain name. The second line specifies the parser that will be a host 192.168.0.x (your machine) as a DNS query. To simplify the situation, the definition of the localhost host name will be removed from your host name profile.
/etc/hosts127.0.0.1 localhost localhost.localdomain This step is not required, but you can simplify the modulation of DNS. Sometimes the installer will match the host name of the full domain name in Localhost, which makes you unable to determine if your domain name server configuration is correct. Step 1: Configuring a cached domain name server first configuration You will create a cached domain name server. This type of domain name server is not authorized for any area. Only the cached domain name server is set to the primary domain server. When the host name or IP address needs to be parsed, only cached domain name servers forward the query request to another domain name server or to the root domain name server to determine the domain name server used to parse. Once the parsing is complete, only the cached domain name server stores the resolved information in the cache, which has a segment of the living cycle. The inquiry will become very fast. You have already installed all the required files for this configuration. Follow the steps to configure a domain name server: 1. Add below the "Option" area in /etc/named.conf provided by CACHING-NAMESERVER: Forwarders {192.168.0.254;}; Forward ONLY; this will cause only cached domain name servers on your workstation to forward them DNS cannot be parsed to the domain name server in 192.168.0.254, and if it is timeout, it is not directly contacted with the root domain server. 2. Start Named: Service Named Start3. Test your configuration Use Host or DIG to query some of the example.com names and some real Internet domains (if you have an Internet access interface) Step 2: Configure a reply from the domain name server from the domain name server will provide an authorized answer to a region , But not the authorization of the region. You will now reconfigure your domain name server as an Example.com area and 0.168.192.in-addr.Arpa area from domain name servers. 1. Add a downward zone "example; masters {192.168.0.0.254;}; file" slave-example.com. Zone ";}; zone .in-addr.arpa "{TYPE SLAVE; MASTERS {192.168.0.254;}; file" slave-192.168.0.zone ";}; 2. Restart Named: servcie named restart3. Check the slave-example.com.zone and Slave-192.168.0.zone files. These files should include a copy of the area database from the main domain server located in 192.168.0.254. Make sure all the correct work. Before you start the next section, remove the two from the zone you just added in /etc/named.conf in the first step. Step 3: Configuring a primary domain server Now you will be able to form your domain name server to be responsible for parsing the area "Domainx.example.com". You will also be responsible for the corresponding auto check area. The following steps are used: a. Edit the configuration file (named.conf) b. Prepare the database files of the area "Domainx.example.com" and the area "X.0.168.192.in-addr.arpa". C. Restart the domain name server D. Test your configuration To you prepare your configuration files and zone files, we provide template files. You can get: ftp: //192.168.0.254/pub/namedfiles/ in the following steps, remember to replace each appearing X in the sample file into the number of your workstation.
E. The main configuration file is below the three area 1 we should consider. "." (Root level) area "." Area is the highest layer in the DNS level. The root server provides which servers enjoys authorization for a given domain. "." The section should appear in the following ways: zone "{Type Hint; file" named.ca ";}; 2. The "Domainx.example.com" is added to the area, so that your domain name server becomes the main server of the area. Zone "Domainx.exmaple.com" {Type Master; file "domainx.example.com.zone";}; 3. The "X.0.168.192.-in-addr.arpa" area is now added to the following rows, making your domain name server a primary server in the auto check area. Zone "x.0.168.192.in-addr.arpa" {TYPE MASTER; File "192.168.0.x.zone";}; below is the sample configuration file /etc/named.confoptions in Station2, 192.168.0.2 {Directory "/ var / named"; forwarders {192.168.0.254;}; forward online;}; zone "." {type hint; file "named.ca";}; zone "localhost" in {type master; file " Localhost.zone ";}; zone" 0.0.127.in-addr.Arpa "in {type master; file" named.local ";}; zone" domain2.exmaple.com "{type master; file" domain2.example .com.zone ";}; zone" 2.0.168.192.in-addr.arpa "{type master; file" 192.168.0.2.2.zone ";}; f. Database file Your main configuration file specified / var / named The directory where the database is located. You must now establish a database file for your area and in the field below this directory. These database files include your SOA, NS, A, CNAME, MX, PTR, and other possible records. All data files begin with the following rows: $ TTL 86400 This value is the default in secondary survival, which is valid for all records in this domain. 1. Regional "Domainx.example.com" In the primary configuration file, the area "Domainx.example.com" database file is stored on /var/named/domainx.example.com. This file contains a similar record start authorization record @ in SOA stationX.domainx.example.com. Root.stationx.domainx.example.com. (2001101100; serial28800; refresh14400; retrY3600000; Expire0); Negative "Start Authorization" SOA) Record is the first resource record of the database file, but it may bring a leader $ TTL (default survival time). The SOA record allows the database file called the authorized source of information. The first tag is a subsequent record suitable domain, usually in the "@" simplified form, if the expansion is that the domain name indicated in the "Zone" section in the named.conf file (or defined in the file through $ Origin The current area, if this definition is present, is existing).
The fourth tag makes the domain of the domain, the fifth is the address of the email responsible for maintaining the system administrator of this database, pay attention to the first separator replaced the @ symbol of the first tag (you can explain why ?). Next, the entry in the record specifies the dynamic characteristics of the interactive parsed domain name server. Domain Name Server Record @ in ns stationx.domainx.example.com. Domain Name Server (NS) identifies a host-based domain name server as a specific domain. They specify the main and other servers in the primary and representative authorized subdomains (for example, server1.example.com has an NS record for all Domainx.example.com's domain name servers). As you can have a single domain name server for "Domainx.example.com", you can only have a single NS record. Address Domainx.example.com in A 192.168.0.xample.com in A 192.168.0.xwww in a 192.168.0.xpop in A 192.168.0.x Address ( A) Record map the host name to the IP address (the main function of the domain name server). A database file typically contains a record corresponding to many IP addresses. However, in our classroom, there is only one host in your area. Note The first A record sets the "default IP address" of the domain. The next A record establishes a plurality of host names corresponding to an IP address. The host name can be a fully conforming to the standard name (FQDN) or an abbreviation. All host names that do not end with this number will be considered an abbreviation, and the area name is attached to the back of the host name. For example, the third A record is the host name www.domainx.example.com. Specification Name (alias) Record www1 in cname stationx.domainx.example.com.www2 in cname stationx.domainx.example.com.www3 in CName StationX .domainx.example.com. Alias (CNAME) records an alias for the host name. Note that the alias is mapped to the host name rather than the IP address. CNAME should not appear on the right data area as a real host name, which will be slower for the velocity of multiple albums. Mail exchange record @ in mx 10 stationx.domainx.example.com in mx 10 stationx.domainx.example.com. Mail exchange record (MX) Records a host that will process a given domain or The forwarding of the host mail. When a mail delivery agent (MTA) attempts to deliver the letter, it will first try to find the MX record of the destination host in the DNS. If the MX record exists, it will be sent directly to the MX record specified host. Conversely, if there is no MX record, the MTA is a standard DNS query for the destination host, and is directly delivered to the host. The MX record is used to create a gateway for the message, and as the destination of the default to the domain. 2. Area "x.0.168.192.in-addr.arpa" In /etc/named.conf, we specified /Var/named/192.168.0.x.zone as zone X.0.168.192.in-addr. ARPA's inverse area database file. He should include SOA record, NS record, and corresponding PTR records.
Start authorization record @ in SOA stationX.Domainx.example.com. Root.stationx.domainx.example.com. (4; 10800; 3600; 604800; 86400) in ns stationx.domainx.example.com.soa and NS records The name in the front area file should be the same. Note that the blank place at the beginning of the NS record is very special and is interpreted as an abbreviation for "the same record". In this example, the last record is a symbol "@", which itself is an abbreviation of the domain name defined in the primary configuration file. Pointer Record x.0.168.192.in-addr.arpa. In ptr stationx.domainx.example.com. Pointer (PTR) Record maps the name to the IP address through an indirect mechanism. As an alternative to the reverse query of the IP address, Bind uses a modified way to query a particular host name. This "reverse domain name query" adds "in -addr.arpa" domain in the reverse IP address. This will allow the domain name server to use the same mechanism to perform positive and counter queries. 3. Place them together is the sample profile of station2 in 192.168.0.2: /var/named/domain2.example.com.zone! Root.Station2.Domain2.Example.com. Root.station2.domain2 (2001101100; Serial 28800; Refresh 14400; RETRY 3600000; Expire 0); Negative @ in ns station2.domain2.example.com. @ in A 192.168.0.2station2.domain2.example.com. in A 192.168 . 0.2www in a 192.168.0.2ftp in A 192.168.0.2www1 in cname station2.domain2.example.com.www2 in cname station2.domain2.example.com.www3 in cname station2.domain2.example .com. @ in mx 10 station2.domain2.example.com.Station2 in mx 10 station2.domain2.example.com./var/named/192.168.0.2.zone !ttl 86400 @ in SOA station2.domain2.example.com .Station2.domain2.example.com. (4 10800 3600 604800 86400) in ns station2.0.168.192.in-addr.arpa. in ptr station2.domain2.example.com. C. Restart the domain name server again, we will restart the domain name server. Then by running the PIDOF command: Service Named RestartPidOf Named View the entries in the / var / log / messages file. Determine that your domain name does not have an error when taking it. If you already have a domain name server running and don't want to restart it, you can use Service Named Reload to reload the configuration file, so fast for stopping and starting the server.
D. Test the domain name server for DNS queries, can you explain all the results? host stationXdig stationX.example.comdig stationX.example.com @ 192.168.0.254dig stationX.example.comhost server1.example.comhost 192.168.0.Xdig -x 192.168.0.Xdig -x 192.168.0.254host wwwhost www1 remember dig It is expected to give an inquiry with a FQDN, however Host is viewed by checking information on file /etc/resolv.conf. Try to make additional queries on other people's domain name servers and subdomains. If the setting is correct, you will be able to perform forward and reverse queries on other classroom systems. The challenge item is to make a host name corresponding to different IP addresses by adding multiple "A" records to configure a "rotation" host name. How do you handle this domain name server? Tip: Attempt to try to set the TTL of these A records to 0. Increase the subdomain "support.somainx.example.com" in your domain. Increase the appropriate resource record allows it to reverse to your IP address. Cooperation with another workstation, becoming another workstation from the domain name server, adding a new CNAME for your workstation in your area to ensure that this change can spread from the server. The next test of the end is simpler. Once you restart your workstation, all DNS queries will be reset to the server in the classroom. To ensure the end, make sure you reset /etc/Resolve.conf to its initial state. /etc/resolv.confsearch example.comNameserver 192.168.0.0.0.0.1 localhost localhost.localdomain localhost192.168.0.x stationx.example.com (If you turn the ETH0 interface, DHCP will automatically set up for you CARP 3SAMBA Service Estimation Time: 1 hour target: Use Samba shared user authentication and file system test starting point: Standard Red Hat Linux installation Sets packet filtering to invalid status. Before this test begins, please make sure all packet filtering on your host has been closed. The default installation will have a file called "/ etc / sysconfig / iptables", which configures the IPTable function. Run "ChkConfig iptables off". To remove all rules in the space, run "Service Iptables Stop" Step 1: SAMBA's User Connection Configuration Task 1. Install Samba, Samba-Common, and Samba-Client RPM Packages and start SMB services. A default configuration will be applied. Determine Samba in the right job using the following command: SMBClient -l localhost -n You can respond from the server, but does not mean that file sharing is available. (Make sure the SMBD is running, otherwise the command cannot work) 2. Add a few users (Karl, Joe, Mary, and Jen) in your system, but do not set your password. These users can only access the server from the Samba service. To make them do not contain passwords in Shadow, these users' shell should be set to / sbin / nologin3. The default SAMABA is configured to receive encrypted passwords, but no password is set in the file / etc / samba / smbpasswd.
If the encrypted password is set in /etc/samba/smb.conf, SMBClient will send encrypted passwords, so in order to test Samba services on your system, you should first create the SMBPasswd file, then for each user in this file. Add a password. 4. Notice the first shared [HOME] set in /etc/samba/smb.conf and does not specify a path. This shared is configured to connect to the user's Home directory when the user is connected and authenticated. Browse one or two users' home directory. Upload a file to the home directory of Joe. Available results One work Samba service can be accessed by multiple users via SMBClient. Step 2: Provide access to group directory access / stories In addition to our four users, our four users work in the same department at the same department and need a place to store sectors. file. We will need a Linux user group to create a directory to store their content, and configure the Samba server to share the directory. Task 1. Building a new group called Legal with a user with GID 30000 and adding these users to the group using the usermod command. 2. Create a directory / home / depts / legal. For this directory setting ownership, users can add / delete files in the LEGAL group, howeverby Other people cannot. And set SGID and viscous positions to make all files created in this object owns permissions with the Legal group and other people in the group cannot delete the user created. 3. Create a Samba sharing in /etc/samba/smb.conf called [Legal]. Only users in the Legal group can access the sharing. And ensure that the established permission to be 0600.4 in [Legal] is 0600.4. Restart the SMB service and use SMBClient; Available result 1. Only the Lagal group can access and use a Linux directory. 2. A Samba shared only Legal group users can access and edit step 3: Provide access scenarios for printers to access Scenes in Samba In addition to the files can be shared, another important feature is to provide shared printed queues, the print queue is already in your Linux Defined on the machine. In fact, default, all print queues configured on Linux machines are shared by [Printers]. In this step, you will create a print queue and share it via the Samba server. Then check the shared printer via SMBClient. Task 1. Use RedHat-Config-Printer to create a new print queue. Name the print queue Printerx (where X is the number of your workstation). Configure printers / DEV / LP0 that printers to locally. Configuring the print queue Make sure that any submitted print job will remain in the queue. Don't forget to restart the Samba server. 2. Connect the Printerx shared on the Samba server via SMBClient. Use the print command to submit the print job to the queue. Check that the job is queued. No. Available Results 1. A defined Linux printed queue Printerx2. A Samba server allows authorized users to print to share printer Printerx challenge 1: Safety and backup Samba / SMB now all things can be run, we should consider on the Samba server Network security and data reliability. Task 1. Definition and protect the legal connection for Samba servers. Use the hosts allow parameters in file /etc/samba/smb.conf to determine the subnets in all classrooms and local back ring nets. 2. Use TestParm to test the syntax of /etc/samba/smb.conf. Does this show some security vulnerabilities that should be considered? 3. Back up your neighbor's [Legal] sharing.
Establish a shared data package, use or SMBTAR command or SMBCLIENT's -t option. Available result 1. The Samba server can identify connection 2 from the allowed subnet or host. A SMB or Samba shared backup data package a solution Step 1L rpm -ivh ftp://server1.exmaple.com/pub/redhat/rpms/samba-c*rpm -ivh ftp://server1.exmaple.com / pub / RedHat / RPMS / samba-2 * service smb startsmbclient -L localhost -Nl useradd -s / bin / false karluseradd -s / bin / false joeuseradd -s / bin / false maryuseradd -s / bin / false jenl smbpasswd - A Karlsmbpasswd -a joesmbpasswd -a marysmbpasswd -a jenl smbclient // localhost / joe -u joe you should see SMB: /> prompt PUT / ETC / HOSTS HOSTS Step 2L GroupAdd -g 30000 LegalUserMod -g Legal KarluserMod -g Legal Joeusermod -g legal maryunermod -g legal jenl mkdir -p / home / custom / depts / legalchmod 3770 / home / dePTS / legall in file /etc/samba/smb.conf file, shared definition part: [ legal] commnet = Legal's filespath = / home / depts / legal public = no write list = @legalcreate mask = 0660l service smb restart step 3: l redhat-config-printerl service smb restartl smbclient // localhost / printerX -u joe review questions 1. What is the same place between FTP and SMBCLIENT? When do you use FTP, what is your command to upload? What is the difference between the upload operation between FTP and SMBCLIENT. 2. What is the role of the command nmblookup / * 3. What is the SMBTAR command? 4. TestParm /etc/samba/smb.conf 33.44.55.66 is what? 5. What kind of syntax should I use using the SMBMOUNT command? Test 4 Email Estimation Time: 2 hours Objective: Establishing the Skills Test of Basic MTA Configuration: Standard Red Hat Linux Installation Guide: Make sure that Daemon_Options in the sednmail.mc file on Server1 is commented and recompiled The Sendmail.cf file allows you to accept emails from other hosts. This paper introduces this experiment as an introduction to the installation and configuration of MTA. In the introduction we will mention Sendmail and Postfix. You can choose any MTA if you are allowed, you can do a test. In the next step, you will be installed and verify that Sendmail's "Outbox" adds a new alias for your Sendmail to use the M4 tool to change your forwarding behavior to install POP3 servers and configure the POP client throughout the test. The host and domain name depend on the IP address of your machine.
If the following test has the name of the X words, you should replace the X-style name to your workstation number (the last part of your IP address). For example, if your workstation's IP address is 192.168.0.2, you should convert stationX.domainx.example.com to station2.domain2.example.com. Setting the packet filtering to an invalid state. Before this test begins, please make sure all packet filtering on your host has been turned off (obviously, in actual use you can use the Linux kernel firewall mechanism, but we turn off it here to reduce potential problems ). In this trial, use the following command to reach the above requirements: Service Iptables Stopchkconfig iptables Off Initialization Installation - Installation The necessary packages The following software package is required for Sendmail, Sendmail-Cf, Sendmail-Doc, M4, and Procmail. For Postfix, you need: postfix. If they need them, check and install from the CD, Server1's NFS installation point, from: ftp: // server1 / pub / redhat / rpms / step 1: Configure MTA to charge mail for security reasons, sendmail and postfix The province's configuration allows email but does not allow access from the network (which only accepts connections from the loop interface). Configure the MTA you selected as follows so that it accepts incoming connections: 1. For Sendmail: Modify /etc/mail/sendmail.mc Using DNL Note Before you are below, it is like this: DNL daemon_Options (`port = SMTP, Addr = 127.0.0.1, name = mta ') 2. Make your Sendmail.cf file: cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.orig3. In the same directory, Compile sendmail.cfm4 /etc/mail/sendmail.mc> /etc/mail/sendmail.cf4. Restart sendmail, through Service Sendmail Restart For Postfix: Modify /etc/postfix/main.cfa. Find and note, as follows, inet_interface = Cancel Note: INET_INTERFACES = Allc. Save the file and proceed to the end of step 2. Find the same place as the above configuration corresponding to Postfix. Step 2: Start and verify the MTA operation For Sendmail: There are several steps. You should use to make sure the Sendmail is properly installed. A. Confident SENDMAIL has been run in the appropriate run level to check your Sendmail appropriate configuration and can run after restarting. It is more convenient to use ChkConfig. Chkconfig --List sendmailsendmail 0: OFF 1: OFF 2: on 3: on 4: on 5: on 6: OFF If sendmail is invalid when sendmail runs at a standard user runs, using CHKCONFIG, NTSYSV, or ServiceConf and other tools to activate the service . B. Determine that Sendmail does not have an error when the error Red Hat Linux is installed when it is started, use the Syslog tool to record all information to file / var / log / maillog. Check where the last appearance of "start" in this file is to ensure that Sendmail does not have any errors when starting. Sendmail executables are located in / usr / sbin / sendmail.
In order to determine whether the correct sendmail identifies your host name to open its debug mode via command line switches and is set to 0: sendmail -d0
Echo "Hello root" | mail -v -s hello root @ server1Root @ Server1 ... Connecting to [127.0.0.1] via relay ... 220 localhost.localdomain ESMTP Sendmail 8.12.8 / 8.12.8; Mon, 22 Sep 2003 14:29:24 0800 >>> EHLO LOCALHOST.LOCALDOMAIN 250-localhost.localdomain Hello Station1 [127.0.0.1], pleased to meet you ... >>> mail from:
D. Determine that PostFix does not have an error and Sendmail when startup, Red Hat Linux installation uses the supplied Syslog Tool to record all information to file / var / log / maillog. Check the final finding any error message in this file. Try to send a simple message to root @ Server1 and check / ver / log / maillog log file mail -s `echo $ user` root @ server1 Sep 22 02:51:50 station1 postfix / cleanup [3534]: A20ED348389: message-id = <20030922065150.A20ED348389@station1.example.com> Sep 22 02:51:50 station1 postfix / nqmgr [2866]: from =
The following command will increase the user student (if not existed) UserAdd Student Add the following row: Note: Note The line of the root alias is PostFixme: StudentWizards: root, memethere: student@stationx.example. COM now running the newalias command to update the database, try sending an email to the recipient for your defined: NEWALIASECHO "Hello there" | mail -s "hello" meecho "hello there" | Mail -s "Hello" WizardSecho "Hello" Hello "|" Mail -s "Hello" Methere Do you get the expected result? Whether all the recipients located in Wizards have been email? Step 4. Control forwarding forwarding allows emails by using the "forwarding" and it is delivered to its destination. Although this feature is once useful, forwarding has become the source of spam on the Internet. When people want to send the initiative to provide a forwarding mechanism, it is desirable to use the forwarding mechanism, making the mail source are difficult to detect. The following steps will use the following host. Replace X, Y, and Z Number: STATIONX: Source Machine, Email From here: Forwarding Machine, here the message sent from the sender STATIONZ: Destination machine, the end of the mail, assuming that you are stationx, forward Machine, with someone's STATIONY, the machine is the source of the mail. In this step, pay attention to / var / log / mailog changes. The following commands will look very useful. For Sendmail Step A: Allows forwarding you have the ability to control who is allowed to forward on your machine. By controlling mixing for your machine, you can make anyone can use your machine as a forwarded host. (We opposed this attempt, and we hope to show its defects through this experiment).
Configuration /etc/mail/sendmail.mc, by adding the M4 pre-processor allows mixed forwarding: /etc/mail/sendmail.mc (... other content ...) Feature (promiscuous_relay) DNL Using M4 pre-processor Generate a new Sendmail configuration file through this template file, then the newly generated file is compared with the SEENDMAIL RPM package M4 /etc/mail/sendmail.mc> /etc/mail/sendmail.test-relaydiff / etc / mail/sendmail.test-relay /etc/mail/sendmail.cf How much difference will there be after using mixed forwarding? Now place the newly established Sendmail.Test on the appropriate location, restart sendmail.mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.accept-mailcp /etc/mail/sendmail.test-RELAY /etc/mail/sendmail.cfservice sendmail Restart let your partner play a malicious spam sender, which can spoof the address of the address through Telnet to the 25th SMTP (Sendmail) on your machine. Type the following command in STATIONY: This example is STATIONY (source machine) = station2, and stationx (forward, here destination machine) = station1 [root @ station1 root] # telnet station1 25trying station1.example.com ... connection Station1.example.com (station1.example.com) .scape character is '^]'. 220 station1.example.com (iMAIL 8.00 8-1) NT-ESMTP Server X1helo mail.cracker.org 250 Hello Station1.example.commail From: spammer@cracker.org250 okrcpt to: root@station1.example.com 250 ok its for
Next, see if your partner can forward to the third machine from your machine: this example For STATIONY (Source Machine) = station2, and stationx (Forward, Distance) = station1, and stationz (destination machine ) = Station3 [root @ station1 root] # telnet station1 25trying station1.example.com ... connection to station1.example.com (station1.example.com) .scape character is '^]'. 220 station1.example.com (IMail 8.00 9-1) NT-ESMTP Server X1helo mail.craker.org250 Hello Station1.example.commail from: spammer@craker.org250 okrcpt to root@station3.example.com 250 ok its for
Next, see if your partner can forward to the third machine from your machine: this example For STATIONY (Source Machine) = station2, and stationx (Forward, Distance) = station1, and stationz (destination machine ) = Station3 [root @ station1 root] # Telnet Station1 25Trying 127.0.0.1 ... connection to station1 (127.0.0.1) .scape character is '^]'. 220 station1.example.com esmtp postfixhelo mail.craker.org250 station1 .Example.commail from: spammer@cracker.org 250 okrcpt to: root@station3.example.com 250 Okdata354 End Data with
Step 5: Install the POP3 server and client In this step, you will formulate your machine STATIONX as a POP3 server of the message so that your role of the POP client in STATIONY partners. Step A: Installing the POP3 server Configuring a pop3 server is relatively simple, only two steps: l Install the relevant RPM package L to allow the service installation related RPM package POP daemon and other daemon with the same function in XINETD For example, the IMAP daemon is bound to the package IMAP. Another example is as XINETD, KRB5-LIBS * and IMAP packages to check that IMAP software contains what software. Three daemons are included in: IMAPD, IPOP2D, and IPOP3D. POP3 is used in a lot of Internet service providers, POP2 is provided to be backward compatible. The IMAP daemon provides complex capabilities, including management of folders on the server side. Allow services in XINETD For this experiment, we only select POP3 services. IPOP3D is started at the request by xinetd. To activate, run the following command: Service Xinetd Startchkconfig iPop3 ON View /etc/xinetd.d/ipop3. Explicit restart XINETD is not required, because ChkConfig is sent to the Xinetd a USR2 signal tells him to reset its configuration. Confirm that the service runs the following command to confirm that the service has been installed correctly. The following command is just a guide: Echo "Mail to Be Pope" | mail -s "Hello Student" student [root @ station1 root] # telnet localhost 110trying 127.0.0.1 ... connection to station1 (127.0.0.1). OK POP3 station1 v2001.78rh server readyUSER student OK User name accepted, password pleasePASS student OK Mailbox open, 1 messagesSTAT OK 1 440TOP 1 99999 OK Top of message followsReturn-Path:
The POP client with a popular character interface is called Fetchmail. Fetchmail is a highly configurable, you can query multiple mailboxes, which can be run as a daemon, which makes it queries the user's mailbox every five minutes. Fetchmail delivers an email to a mail transfer agent (MTA) on the host, such as Sendmail. We will sket out how to install fetchmail and use it to query the POP server we have installed. Installing the Fetchmail package from the CD or from FTP: // Server1 / Pub / RedHat / RPMS Note that there are many options that can affect the behavior of Fetchmail. Create a ~ / .fetchmailrc file as follows: ~ student / .fetchmailrcpoll stationx.exmaple.com with protocol pop3: user studentxx there is user studentxx here password "password" Since the password is stored in this file, Fetchmail will refuse to run Unless you use the properties of the file to be read-only for the owner of only the file. Note You can also use Chown to change the owner of the file created by root to StudentXX. chmod 600 ~ student / .fetchmailrcchown student.student ~ student / .fetchmailrc try to use studentXX log in to the POP3 mailbox echo "hello student" | mail -s "Hola" studentsu - POP Mail studentfetchmail -vexitfetchmail can not receive the student's? Where is the email that will deliver STUDENT? Is it meaningful than getting a POP mail from your local? Let your partner build the same ~ / .fetchmailrc file (or configure other Mozilla's MTA) at another machine (or configured other MTAs such as Mozilla). Review problem 1. What is the M4 macro saying to send Sendmail? What kind of syntax should I use in XYZ.com user email to local users XZPLOGIN? What documentation is in the file? 2. What is the MAILQ command to do? How do you use it? 3. Sendmail will try to wait for messages in the queue after sendmail -q is issued. When is this command to use? 4. What is the impact on the spam? 5. M4 has any feature allows Sendmail to send mail as a whole domain (for example, "eXample.com") instead of a complete compliant host name (for example, "mail.example.com")? 6. How does myNetworks_Style affect forwarding in postfix? Please check the file /etc/postfix/main.cf. 7. How do you need active changes in file / etc / postfix / access? Test 5HTTP Service Estimation Time: 1 hour Objective: Create the starting point for the web server trial with a virtual host with CGI: Standard Red Hat Linux installed, host and domain name depend on your machine's IP address. If the following test has the name of the X words, you should replace the X-style name to your workstation number (the last part of your IP address).
For example, if your workstation's IP address is 192.168.0.3, you should convert stationX.domainx.example.com to station3.domain3.example.com. Setting the packet filtering to an invalid state. Before this test begins, please make sure all packet filtering on your host has been closed. The default installation will have a file called "/ etc / sysconfig / iptables", which configures the IPTable function. Run "ChkConfig iptables off". In order to remove all the rules in the space, run "service iptables stop" Step 1: The installation and basic configuration scene / story. Your organization needs to be a web server within an hour, with sufficient CGI's ability than domestic and has Different content services are available for different virtual hosts. Tasks: 1. The following packages are required: httpd and httpd-manual. If needed, install it from the CD or FTP: // Server1 / Pub / RedHat / RPMS ... Use ChkConfig to start the service. 2. Start the HTTPD service Use the default configuration: Service httpd restart3. Check the DocumentRoot project in file /etc/httpd/conf/httpd.conf and the same documentroot / var / www / html4. Open a web browser and Set URL to: http://stationx.example.com If your browser is working, you will see the default server's index page. Note that this file is not the stored HTML file, but the server is automatically generated when there is no default index.html file in these directories. 5. Establish a new directory level and some new content mkdir -p /var/www/virtual/www.example.com/htmlcd /var/www/virtual/wwx.example.com/htmlcat> index.html << EOF < B> wwwx.example.com EOF (This creates a HTML file with only one line) 6. Add the following lines to the end of /etc/httpd/conf/httpd.conf: NamevirtualHost 192.168.0.x
Dig wwwx.example.com8. Restart httpd: service httpd reload9. In your web browser and set up URL to new virtual host: http://wwwx.example.com Do you see your own defined page? ? Step 2: Use the CGI task 1. Add a line in the " echo My username is: whoamiechoecho My id is: idechoecho My shell setting are: setechoecho My environment variable are:. envechoecho Here is / etc / passwdcat / etc / passwdecho "" 3 by Your browser points to the address below attempts to execute the CGI script http://wwwx.example.com/cgi-bin/test.sh Why is this script not executed? Check log file / avr / log / httpd / get information to help you find the answer. (Do you want to restart or reload the server?) 4. Make this script for users, groups, and other readable and executable: chmod 555 test.sh now script can be executed? Challenge 1: Provide a secure access task for your Web site document: Create a file called .htaccess, use the following: /var/www/virtual/wwx.example.com /HTML/.htaccessauthname "Restricted Stuff" Authty BasicauthuserFile /etc/httpd/conf/wwwwxt.htpasswdrequire valid-user2. Create your domain password file. This file must be read by the Apache group. Htpasswd -mc /etc/httpd/conf/wwx.htpasswd user_namechgrp apache /etc/httpd/conf/wwx.htpasswdchmod g r /etc/httpd/conf/wwx.htpasswd3. Access http://wwwx.example.com page , Is you ... HTTPD gets a clue. 4. Add the following list to the server's profile httpd.conf, add a line in the
If the teacher does not have an Internet to access, try to access http://server1.example.com, will return to the server's test page. 4. Now use your neighbor to your host as Proxy. This should not work. The page returned by Squid is explained at the bottom of the /var/log/squid/access.log file. 5. Open the /etc/squid/squid.conf file using your favorite text editor. As you can see, most of them are documents and comments. You should also notice that Squid is very easy to adjust. For this experiment, we only make simple configuration, familiar with you will adapt to more complex configurations. 6. Find the place where the Recommend Minimum Configuration in the file appears. You will see the default Acquisition Control List (ACL). Add a list of access access list items for local networks in the Connect Method Connect: ACL EXAMPLE SRC 192.168.0.0.0/24 You can use it as a reference to anywhere in this configuration. SRC is the source IP address of the ACL. 7. Find Insert Your Rule (s) here in the file, add the following content in the LocalHost ACL: http_access allow example restarts Squid. Your neighbors will be able to access your web cache. 8. Some URLs are best avoided. Return to the part of the ACL, below your new line (using eXample.com If you don't have Internet access inside the teacher) ACL OtherGuys dstdomain .yahoo.com .hotmail.com There are some things you want to mention here. . First, note the additional properties of the ACL. Secondly noted the ACL type of DSTDOMAIN, indicating the purpose of interest. Third, notice that the point represents the symbol before the domain name, make sure to add some points. 9. Increase a domain that reject access rules applied to these existing problems. Return to the place you just added to Allow, add the following: http_access deny OtherGuys restart Squid again, check these related domains again, very unfortunate, and access is not rejected. 10. Open the configuration file again, place the reject rule you add to the Allow rules of Example. That is, the Example allow rules before the OtherGuys reject the rules make the access to be allowed, but the refusal is not taken effect. Restart Squid after the movement rules. This will prohibit access to the site within the domain that is forbidden to access it. Review problem 1. Based on / var / www / manual manual. What role is serveralias? 2. What is the characteristics of the CGI process based on /var/www/manual/suexec.html? 3. What role does the following command, when is it used? HTTPD -T4. Do you feel uneasy for your users to see your / etc / passwd via the CGI script? Is there a way to block the display system password file? Test 6NFS and FTP Estimation Time: 1 hour goal: Management and configuration of VSFTPD and NFS test start: Standard Red Hat Linux Installation Turn off Pack Filter: You need to confirm that the package filtering is not activated before you start test, by default iptables Call / etc / sysconfig / iptables, delete, or rename this file, iptables will fail when starting next time. Or use the command chkconfig iptables off.
If you want iptables to immediately fail to use the command service iptables stop. Step 1: Use the vsftpd to allow an anonymous users to upload 1. The following packages are required: vsftpd. If not installed, install it from the CD or FTP: // Server1 / Pub / RedHat / RPMS. Activate VSFTPD Services 2. The VSFTPD package provides / var / ftp as a directory of download files for anonymous FTP users. But the default has no anonymous folder. To configure vsftpd to allow anonymous uploading, first prepare an upload directory: cd / var / ftpmkdir incomingchown root.ftp incomingchmod 730 incoming Now checks the right to new directories: ls -ld / var / ftp / incoming3. /Etc/vsftpd/vsftpd.conf configuration file each row follows: anon_upload_enable = YESchown_uploads = YESchown_username = daemonanon_umask = 077 Further, by default anonymous_enable = YES (to allow anonymous access) has been configured to restart service vsftpd 4. The result of just configured is to enable anonymous users to upload files to / var / ftp / incoming, but cannot download files or list files (using LS commands) from this folder, which prevents "Warez" from using organizations Our upload directory is used as "DROP BOX" to pobocate software or data. If you want an anonymous user upload file, you should let the / var / ftp / incoming folder for the DAEMON all groups for FTP, and the permissions are 600 (only the DEAMON user is allowed). Step 2: NFS tasks: 5. The package needs to be as follows: NFS-Utils. If you need to install, install it from the CD or FTP: // Server1 / Pub / RedHat / RPMS ... and NFSLOCK services. 6. Create a user and configure NFS to share his home directory, share the read and write permissions. a) When configuring an NFS server, check if the RPC service is running rpcinfo -pshowmount -e localhostb) to create a test user userAdd Nfstestc) Edit / etc / exports to share / Home / Nfstest to Example.com. If you don't know the format of this file, please check the Man Page of Exports. d) Install the NFS package, configure the INIT Run Level 3 to 5 Enable NFS service, but if the / etc / exports file is lost if it is started, the NFS service will not start. So, you have to start it manually, and NFS will start automatically when the next startup is started. e) Whether the RPC service is started to see if the / home / nfstest is shared with NFS: rpcinfo -pshowmount -e localhostf) with one or two partners MOUNT each other, and then read the content inside, Try to write files with root and nfstest (if the UID and GID of the NFSTest user on your machine are different from the user on the partner machine, they change them to the same).
See how will it? Why is this this? Test 8 Authentication Service Estimation Time: 45 minutes Objective: Cultivate the starting point for identity verification test: Standard Red Hat Linux installation Turn off package filter: You need to confirm that the package filter is not activated before you start the test, by default iptables Call / etc / sysconfig / iptables, delete, or rename this file, iptables will fail when starting next time. Or use the command chkconfig iptables off. If you want iptables immediately to fail with the command service iptables stop. Step 1: Use the PAM to limit the location scenario / story in your system. In order to ensure that the data is not leaked, you need to limit the user's access, in addition to the local console, any other way to access the system. Task: 1. Create User Bill, he is a member of the User group, then create a user BIFF, he is a member of the Finance group 2. Edit /etc/security/access.conf Limited Finance group users can only log in in the second virtual console. In order to achieve this, the last line of this file is added: -: Finance: All Except tty23. Limit all services by editing /etc/pam.d/system-auth, add the following line to all rows starting with Auth: Account Required /Lib/security/$IA/PAM_ACCESS.SO4. If you limit, Bill and root can log in to any console, and BIFF can only log in to the second virtual console 5. Clean up: If you run the Authconfig tool, the above operation will be deleted, how do you confirm that your settings have changed? Step 2: Use NIS to do authentication tasks: You should cooperate with people you next, then decide who to do NIS's server, who make NIS clients, through this experiment, you and your companions to configure NIS server side And the client. You have to determine the domain name of NIS, pay attention to the name and IP address of each workstation, confirm the above before the following steps begins. 1. Configuring NIS Server A) From FTP: // Server1 / Pub / RedHat / RPMS, Disc Installs Ypserv, YPBIND, and YPTools' RPM Pack or puts the NFS of Server1 on / MNT / Server1, where you install it.
b) Edit / etc / sysconfig / network, add such a line: NisDomain =
Then use the Nisuser account to log in to the client, it should be no. h) On the / var / yp directory on the server, execute the make command, when the command is complete, then use Nisuser to log in from the client, this time should be successful, why? i) Use passwd to change the password of the Nisuser, change the / etc / passwd and / etc / shadow file on the server? Will the files in the NIS server change? You can use the following command to test: Ypcat Passwd | grep nisuserj) Log in to the client using localguy, is it instant YPBIND still login? K) What is your home directory when you log in to the client with Nisuser? NIS only provides verification information, does not provide a file sharing mechanism for the client and server-side completion: a client that obtains verification information from the NIS server: Restricted NIS User Tasks: Our client is now part of the company NIS system, Because he stores secret data, not all users can access this machine, only specific remote users can access. 1. This test needs to add a NIS user, add a user named Baduser using the Useradd command. UserAdd -u 1026 BaduserPasswd Baduser2. A solution is to use PAM_LISTFILE, only NiSusers are allowed to access our system. Open /etc/pam.d/system-auth, add the following line after the beginning of Auth: Account Required /Lib/security/pam_listfile.so item = user sense = allow file = / etc / nisusers OneRR = Fail3. If you test the current settings, you will find that even root can't log in, so don't turn off the root's shell! You have to create / etc / nisusers and then add all users to access to the file, one line of username, we just want to allow NiSuser users, so our files will be very short. 4. Now if you want to log in to the text console, only NiSusers can enter, because others are not in the file, add root to / etc / nisusers. 5. Our mission is or allow all local users to log in, we can add users in the passwd file to our list, but this is not the best way, we can use the PAM_localuser in the PAM library to achieve the purpose. Add this line to PAM_LOCALUSER.SO. Account Required /Lib/security/pam_localuser.so6. Test this configuration, you will find that only root can log in, why? 7. It is because of the relationship of the Required field, all the two rows added to the two lines of the two lines are changed to Sufficient, now it is good now? What if it is changed to REQUISITE? 8. Clean up: Run the Authconfig Tool again, delete all settings, and disable NIS.
Test 9 System Monitoring Estimation Time: 1 hour 15 minutes Objective: Use the method of finding the file to protect the starting point of the system test: Standard Red Hat Linux installation step 1: Locate easy to attacked files or directory scenarios / story find file system The attacked file or directory task: 6. Find files with SUID and SGID and put their names / root / stickyfiles: Find / -Type F -Perm 6000 2> / dev / null> / root / stickyfiles7. Find anyone can write files, save their names in /root/worls.writalbe.files:find / -type f -perm -2> /Root/world.writalbe.files8. See / root / stickyfiles and /root/world.writable.files What files 2: Use the Tripwire monitoring file system Integrity Scene / Story you decide to use TripWire to confirm the integrity task of the data: 9. Use root to log in and install the RPM package of TripWire (you need to put the shared mount to / mnt / server1 on Server1 before running the following command): rpm -uvh / mnt / server1 / redhat / rpms / tripwire * 10. Look at which files and documents in the Tripwire package: rpm -ql tripwire11. Edit /etc/tripwire/twpol.txt to define your host policy file. The default policy file is based on Red Hat Linux installation so that it will try to monitor the file you are not installed. The result is some error message that can be ignored. The best way is to delete all you don't have installed files. You should define your own strategy, take a closer look at the policy file, delete the files that you have on your machine. Even if you only delete one or two files you have no, it takes a long time. Now add a file currently not monitored, add / etc / samba directory to the "Critical Configuration" section. 12. Now you define your strategy, run /etc/tripwire/twinstall.sh, this script will create encrypted policies, configuration, and key files. You need to enter some passwords, once these steps are completed, there will be some new files generated in / etc / tripwire. 13. Now use the tripwire -init command to initialize the Tripwire database TripWire report a lot of warnings because it can't find the files contained in the policy file, you can ignore them. 14. Let's test TripWire, you need to complete a) mv / sbin / ifconfig /sbin/ifconfig.bakb) Tripwire --Check15. Generate a report using Twprint: twprint -m r --twrfile //var/lib/tripwire/report/somehost.somain-200009-12134.TWR Does Tripwire detected file change? TripWire will correctly detect / sbin / ifconfig lost.
Run ifconfig restore, run Tripwire -Check again, can this time you can detect changes? MV /SBIN/IFCONFIG.BAK / SBIN / IFCONFIGTRIG.BAK / SBIN / IFCONFIGTRIPWIRE-CHECK Even if you restore ifconfig, the modified time has changed, so TripWire will report an error, upgrade Tripwire's database Tripwire --update --TWRFILE / / VAR / LIB / Tripwire / Report / Your_lastest_report_file This will start the default editor so you can agree to the current changes. After completing the editor, TripWire will upgrade your database. 16. You may notice that the TOP program is not monitored. This file is often replaced by "root kits", so it should be monitored by TripWire, edit /etc/tripwire/twpol.txt, add / USR / BIN / TOP this rule. / user / bin / top -> $ (sec_crit); Upgrade your policy: Tripwire --update-policy /etc/tripwire/twpol.txt Complete: Data Integrity Tools should run according to the database daily. Step 3: Use TmpWatch to clean up the temporary file directory scenario / story you need to determine or determine and delete files that have already been accessed for a certain time. Task: 1. Run Test options for TmpWatch, you can see which files have no people to visit 7 days: tmpwatch -v -test 168 / TMP Step 4: File Access Control Scene / Story You want to create some files you can use, however you want to Controls the type of access to these files. Task: 1. Create a user 2 called Supervisor 2. Create two files under the main directory of Supervisor: Touch /Home/supervisor/ }3. Prevent Payroll files from being removed Chattr I / Home / Supervisor / Payroll4. Only the data is allowed to attach to Chattr a /home/supervisor/old.employees5 on the Old.employees file. Confirm that the properties of the file are changed: lsattr / home / supervisor / * 6. Try to delete a Payroll file: RM / HOME / Supervisor / Payroll What error did you receive? 7. Try to edit the Old.emPloyees file, is there an error message when saving a file? Why is there any? What does an error message mean? Enter the following command: echo "foobar" >> /Home/supervisor/old.employees why this command works? Completion: 1. Payroll file 2 cannot be deleted. The /Home/supervisor/old.employee file can only be added to it, and the contents in any file cannot be deleted.
Step 5: Write the log to a special log host Scene / story your boss thinking that all logs write all the logs into a dedicated log host is a very good idea task: do experiment with the people next to you. First configure syslogd to receive remote messages, edit / etc / sysconfig / syslog: syslogd_options = "- r -m 0" 2. Restart Syslogd: Service Syslog Restart Now Your host can receive a message of other machines 3. Configure the Syslogd message to other machines, add this line below /etc/slog.conf: user. * @StationX here STATIONX is the machine 4 next to it. Restart Syslogd: Service Syslog Restart Now your machine will send the user to the machine 5. Create a syslog message using Logger Logger -i -t Yourname "this is a test" This message is displayed in / var / log / messages next to you? Question: Why is this message displayed in / var / log / messages? How do you avoid this situation? Test 10 Make Network Safety Estimation Time: 1 hour Objective: Learn to build a firewall test using iptables: Standard Red Hat Linux installation, kernel To support firewall, iptables To install Step 1: Create a simple firewall scene / story you want Building a firewall to protect your host from suspicious host 192.168.0.254, suspicious hosts are not only this one, you still have to create a rule to prevent you from using ping-flooding to attack your computer with Ping-Flooding (flood ping). Task: 9. Remove all existing user-defined chains, reset the default rules on all Chains, refresh all rules: iptables -f; iptables-xfor chain in input forward output; doiptables -p $ Chain Acceptddone or service iptables stop10. Block all connected connections from neighboring hosts (192.168.0.y): iptables -a input -s 192.168.0.y -m state --state new -j drop This is still allowed to open to their system connection, But not all 11. Limit ICMP Echo Request from your neighbor (192.168.0.x) package iptables -a input -s 192.168.0.x -put --icmp-type echo-request / -m limit LIMIT 6 / Minute --Limit-Burst 2 -j Acceptiptables -a Input -s 192.168.0.x -p icmp --ICMP-TYPE Echo-Request / -J Drop12. Show your firewall policy iptables -nl13. Test your firewall configuration a) You can connect to your system (192.168.0.y)? Can you ping him? b) Confirm that your neighbor (192.168.0.x) is not the address you set at step 2 above.
c) Your neighbor (192.168.0.x) Can you ping your system? Can you ping him? 14. Save your firewall settings: iptables-save> / etc / sysconfig / iptables or service iptables save15. After configuring your system, you still keep new firewall rules: ChkConfig --level 2345 iptables ON now confirms Chkconfig --List iptables16. Restart to confirm that your policy is still there. Completion: 1. You can actively connect your neighbor (192.168.0.y) 2. All hosts can actively connect you, except your neighbors (192.168.0.y) 3. Another neighbor (192.168.0.x) cannot attack your system with ping-flood. Clean: When you are confident, the experiment has been successfully completed, and the policy you just created is effective: Service Iptables Stopchkconfig iptables Off Test 11 Enables service security estimation time: 1 hour Objective: Use TCP_WrapPers and XineTD to limit users' access tests for the system: standard Red Hat Linux Installation Step 1: Limit a particular host to the service access scenario / story is dangerous to protect your host, in order to protect your host, you decide to stop them from accessing some sensitive service tasks: Tell you The host is configured to look at the following description (you need to work with other two people, let them test), pay attention: If you do not have Telnet-Server and OpenSsh-Server, you want to put them on the RPM package. 17. SSH can be accessed by local subnets, but can not access users of other network segments. 18. Telnet can be accessed by your three neighbors, but other people are not allowed to access. 19. Any service does not accept access from Cracker.org (Can you find a specific IP address range?) You can find different solutions, the next page is one of the solutions. A solution: Assuming you to test your configuration using the three computers s next to it .Example.com, stationy.example.com, stationz.example.com.
1. Install Telnet-Server: rpm -uvh / mnt / server1 / redhat / rpms / telnet-server * ChkConfig Telnet ON installation openssh-server: rpm -uvh / mnt / server1 / redhat / rpms / openssh-server * chkconfig sshd --add2 . /etc/hosts.denysshd: All Except 192.168.0.3. /etc/xinetd.d/telnet:only_from = 192.168.0.x 192.168.0.y 192.168.0.z4. /etc/xinetd.confno_access = 192.168.1.0/24 If you want to detect the Cracker.org's IP address, you can use the host command: host -l cracker.org server1.example.com ordered by the command query name server Server1.example The Cracker.org area information in .com, all records from the returned IP are 192.168.1.0 this subnet. Ohham The world is unlikely, usually Name Server (DNS Server) only allows it to be transmitted from the server without allowing other computers. So in order to protect your security, I want to know that the information in the entire area is very difficult to implement. Step 2 Scene / Story You have restricted FTP and Telnet access by configuring /etc/hosts.deny, and now you have to review the service you are running, you need a partner to scan your host's port. If you are in a classroom that can be connected to the internet, don't use NMAP to scan the outside example.com domain or other network segments other than 192.168.0 / 24, thank you for your cooperation! Task: 1. Find someone else's port scan with the following command: nmap -ssur -p0 -vo
1. Establish users [root @ localhost] # UserAdd Alice; useradd bob [root @ localhost] # passwd alice [root @ localhost] # passwd bob2. Establish a public key and key for each user. Note that when GPG is first run, the default initialization user file is established: When prompted "... Your Message", press CTRL-C. [Alice @ localhost] # gpg [alice @ localhost] # gpg -help [alice @ localhost] # gpg -gen-key you will be prompted for multiple key parameters. Select the default option. When you ask your details, set the true name to Alice. Other information You are just filled in. You will be asked at the same time asking your password. You can use any password (but you must remember!); Or simple knocking
[Alice @ localhost] $ cp / var / log / dmesg message.txt [alice @ localhost] $ gpg --encrypt --armor --recipient bobby message.txt [alice @ station1] $ head message.txt.asc - --- BEGIN PGP MESSAGE ----- Version: GnuPG v1.0.6 (GNU / Linux) Comment: For info see http: //www.gnupg.orghQEOAzUJ6BL90Fp6EAP J1gPH9RHQ1C CaJGWSzUD2A603nspW2Ab fQy7rmJbSA5lwIPe5IzdmgSwMy80aefARQokI/cgdiWpb20Wzy2bltP413j/mrOiworKCOKguHIJDQPqYxeticJSbwdZoTozsnLmWKp4uxappv3IaSI91w7REgN0KcwVetIn6UsYsEAIKOqs1oXdYfU3Kzmt3DficQsZDgCuU1mVESCprb7Iyo/TvjjNuc9imqskrSveZZvFU8Loc7uI gQ4HGUpFNryErMbaR2 KQnJCIz9GZJG / Lr7tFND4wCkFsu3jXvN6ehUl5KRmRV3MWAkdOT4E3ZYF3dOhrdScxnpeIZdL5IDPo0usB9t2ZgIPHp9jKIIAc [alice @ localhost] $ mail -s "here it is" bob
If you use a single machine, all machine names will be set to LocalHost. 1. Make sure the appropriate RPM package is installed [Alice @ stationa] $ rpm -q openssh [alice @ stationa] $ rpm -q openssh-clients [alice @ stationa] $ rpm -q openssh-server2. Make the root account to determine The SSHD daemon on the BOB machine is running [root @ stationb] # service sshd start [root @ stationb] # service sshd status3. If Alice knows Bob's password, she can access their accounts via SSH. Note that the interaction between all and BOB accounts is encrypted, including password delivery. As Alice, run the following command, provide a BOB password when it is appropriate. [Alice @ stationa] $ ssh bob @ stationb ls / tmp [alice @ stationa] $ ssh bob @ stationb [alice @ stationa] $ SCP BOB @ stationb: / etc / services. [alice @ stationa] $ scp -r bob @ Stationb: /etc/xinetd.d .4. Suppose Alice and Bob wish to use a more secure mode, let Alice build SSH's public key and key pair. Note that SSH-KEYGEN should be started by the -t command line switch so that the key is generated by the DSA algorithm. Let Alice see its key (id_dsa) and public key (id_dsa.pub). [Alice @ stationa] $ ssh-keygen -t dsa [alice @ stationa] $ ls ~ / .ssh [alice @ stationa] $ less ~ / .ssh / id_dsa [alice @ stationa] $ less ~ / .ssh / id_dsa. Pub Select an option for the default key location. At the same time, when prompted, select an empty password by pressing
[Alice @ stationa] ssh bob @ stationb iduid = 508 (bob) gid = 508 (bob) groups = 508 (bob) [alice @ stationa] ssh bob @ stationb CVZF - / Home / Bob /> /> / TMP / BOB .stationb.tgz If there is no correct configuration, SSH will still use password authentication and prompt the Alice input password. There are several steps to help you debug this situation. First, check the / var / log / messages and / var / log / secure file on the server to help you get useful information. In the second step, the -V command line switch is used on the client of SSH. This will produce useful debug information. 7. The same configuration is also used for BOB so that it can enter the Alice account. Scene Balice builds a public key authentication that can access Bob's account. She is now required to be safe access (text-based) Web services on the BOB machine. 1. Make sure that the web service on the BOB machine is running properly. If not, log in to the BOB machine through the root account, install and launch the Apache Web service. [Alice @ stationa] $ lynx http: // stationb / 2. Using SSH, allows Alice to connect to Bob's account, in order to achieve another effect, at the Alice port 12345 (or other unused ports) to Bob machine The web server (port 80) establishes an encrypted pipe. [Alice @ stationa] $ ssh bob @ stationb -l 12345: stationb: 80 (and in another terminal) [Alice @ stationa] $ Lynx http: // localhost: 12345Alice will be able to see the same in step 1 and step 2 Web page. However, in the first step, the data from the web server to the Lynx client is transmitted by a clear manner, so it is easy to sniff. In the second step, the packet is passed from the web server through the SSH daemon of Bob, through the ciphertext form, over the network to the Alice's SSH client, and decrypt and transferred to the Alice Lynx client. At the same time, IKNOWNTHING is the hard work of participating in the translation work! Thanks to Mandy to endure the rhythmic tyrant after 0:1! __________________
