Course objectives

- Active Directory
- Exchange server
- Linux network administration
- Print/File server
- DHCP server
- Proxy server
- ISA server
- FTP server
- IIS server
- SQL server

ATHENA Network Security (An Ninh Mạng ATHENA), www.athena.com.vn

Course objectives (cont.)

Use Linux machines to meet the same functional requirements as Windows machines. Replace a network of Windows servers with a network of Linux servers: the Linux servers fill the same roles as the Windows servers, with good manageability and good fault tolerance.

Course content

Installing Linux as a Server
- Technical summary of Linux distributions
- Installing Linux in a server configuration
- Installing software

Course content (cont.)

Single host administration
- Managing users
- The command line
- Booting and shutting down
- File systems
- Core system services
- Compiling the Linux kernel

Course content (cont.)

Intranet services
- Networking fundamentals
- DHCP server
- Samba/NFS server
- NIS
- LDAP

Course content (cont.)

Internet services
- FTP/SSH server
- DNS server
- Web server/Database server
- Proxy server
- Mail server
- Firewall server
- IDS

Q&A

Technical summary of Linux distributions

Contents
- Open-source software and the GNU General Public License
- History of Linux
- Characteristics of the Linux operating system
- Differences between Linux and Windows
- Benefits and limitations of Linux
- Major Linux distributions

Open source and the GPL

GNU GPL: GNU General Public License.

Anyone can read the source code of open-source software, modify it, and compile it as they see fit. Modified source may be used privately or released publicly; if it is released, the complete source code must be provided with it.

Linux is an open-source operating system distributed under the terms of the GNU GPL.

Open source and the GPL (cont.)

You may charge a fee when distributing a product derived from open source; however, the distribution must include the source code.

When a user has a piece of open-source software, they are free to modify it, share it and redistribute it.

History of Linux

Linux was written by Linus Torvalds in 1991. It was welcomed by the Internet community, and many volunteers joined in developing it.

The Linux operating system consists of:
- the Linux kernel
- the GNU applications and utilities
- other applications

Characteristics of Linux

Hardware: runs on many platforms: Alpha, AMD, Intel, MIPS, PowerPC, Sparc.

Graphical interface: supports GNOME and KDE; Linux does not require a GUI.

Software:
http://www.freshmeat.net
http://www.linuxberg.com
http://www.rpmfind.net/linux/RPM/

Programming languages: C, C++, FORTRAN, Java, Perl, Python, PHP.

Easy remote administration: remote management via the command line or a GUI.

Documentation: http://www.tldp.org/

High stability: a Linux system can run for years without a reboot (in practice, applying a kernel security update still requires one).

Linux vs Windows

Windows was designed as a single-user operating system. Unix was designed as a multi-user operating system: many people can run the same program on one machine at the same time.

Linux vs Windows (cont.)

Separation of GUI and kernel:
- The GUI is the component that consumes the most memory; it is very complex and the most error-prone.
- In Windows the GUI and the kernel are inseparable, which is convenient for the user.
- In Linux the GUI is separate from the kernel. The user can run with or without a GUI, or choose between different GUIs. This allows customisation and suits servers, which do not need a GUI: memory is saved, there is less to go wrong, and there is less attack surface.

Windows gained multi-user support much later (the original slide dates this to Windows 95); Unix has supported multiple users since 1969.

Linux vs Windows (cont.)

All Windows configuration is stored in the registry, which is cumbersome to edit and often requires third-party software. Linux configuration lives in text files, so it is easy to edit as needed, and old configuration can be removed completely when it is no longer wanted.

Benefits & limitations of Linux

Benefits:
- High stability and comparatively few viruses.
- Many people argue that because anyone can inspect the source code, it cannot be secure. But secrecy is not security: Linux code is reviewed by thousands of programmers, so bugs are found more easily than in closed source.

Limitations:
- There is no single configuration standard; each service defines its own configuration format.

Benefits & limitations of Linux (cont.)

- Hard to use for beginners.
- No support and no complete documentation; bugs remain.
- When an error occurs, not everyone is able to understand it.

Major Linux distributions

Debian GNU/Linux
http://www.debian.org

MandrakeSoft
http://www.linux-mandrake.com

Red Hat
http://www.redhat.com

Slackware Linux
http://www.slackware.com

SuSE
http://www.suse.com

TurboLinux
http://www.turbolinux.com

Q&A

Installing Linux in a Server Configuration

Contents
- Summary of the installation steps
- Checking hardware support
- Linux file system
- Linux boot loader
- Linux operating modes (runlevels)

Installation steps

Choose the installation method:
- from a local CD
- over the network: from a volume on a network server, from a CD shared by another machine, or via FTP or HTTP

Check hardware support.

Partition the disks:
- automatic partitioning or a custom layout
- a root partition (/) and a swap partition are mandatory
- divide the remaining partitions according to need

Configure the network. Select the software to install. Select the boot loader. Proceed with the installation.

Hardware support

Check hardware support at http://hardware.redhat.com/hcl.

Most Linux distributions detect the hardware configuration automatically: PCMCIA, CD-ROM, hard drives, laptop issues, memory, NIC, modem, mouse, SCSI adapter. Pay attention to special or very new hardware.

Linux file system

By default, the other partitions are mounted beneath the root (/) partition:
- swap: virtual memory (a dedicated partition, not a mounted directory)
- /bin: essential commands
- /boot: kernel and boot loader configuration files
- /dev: device files
- /etc: configuration files
- /home: user data
- /lib: essential shared libraries and kernel modules

Network configuration

Set the network parameters for the server:
- IP address
- Netmask
- Gateway IP address
- Nameserver IP address
- Domain name
- Hostname

Linux boot loader

Boot loaders: LILO, GRUB.

The boot loader lets you choose which operating system to boot. At the boot loader prompt you can intervene with commands to change the boot parameters. Because anyone at the console can do this (for example, appending init=/bin/sh or single to the kernel line gives a root shell with no password), a server's boot loader should be protected with a password and physical access to the console should be controlled.

Linux boot loader (cont.)

File grub.conf:

#boot=/dev/sda
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Linux Fedora (2.6.5-1.358smp)
    root (hd0,0)
    kernel /vmlinuz-2.6.5-1.358smp ro root=LABEL=/ rhgb quiet
    initrd /initrd-2.6.5-1.358smp.img
title Windows 2000
    rootnoverify (hd0,0)
    chainloader +1

Linux operating modes

Linux has the following runlevels:
- 0: halt
- 1: single-user mode
- 2: multi-user without networking
- 3: multi-user with networking
- 4: unused
- 5: multi-user with graphical login
- 6: reboot
Q&A

Installing software

Contents
- Add/Remove Programs
- Red Hat Package Manager (RPM)
- Installing with the rpm command
- Installing from source
- Introduction to some applications

Add/Remove Programs

Installing with the graphical Add/Remove Programs tool solves the following problems:
- simple, easy operation
- dependencies are installed automatically
- easy to manage

Red Hat Package Manager

First developed by Red Hat, later adopted widely by other Linux distributions: Fedora, Mandrake, SuSE. An rpm package has the form:

The rpm command

Install a package:
rpm -i package.rpm

Upgrade a package:
rpm -U package.rpm

Remove a package (by package name, not file name):
rpm -e package

Other options used during installation:
- --nodeps: install anyway, ignoring dependencies
- --force: force the upgrade, ignoring conflicts
- --test: do not install or upgrade, only test
- --requires: list the dependencies (a query option: rpm -q --requires package, or rpm -qp --requires package.rpm for a file)

Installing with the rpm command is the most common way of installing software on Linux: easy to install, easy to remove. Bypassing dependency and conflict checks with --nodeps or --force leaves the package database inconsistent and should be avoided on servers; before installing a downloaded .rpm, check its GPG signature with rpm -K package.rpm (the same as rpm --checksig).


The rpm command (cont.)

Query options, combined with -q:
- -a: list all installed packages
- -f <file_name>: show the package that owns <file_name>
- -p <package_file>: query a package file that is not yet installed
- -i <package_name>: show information about the package
- -l <package_name>: list the files contained in the package

Installing from source

Compatible with every Linux distribution. Packaged with GNU Zip (.gz) or BZip2 (.bz2):
<filename>.tar.gz or <filename>.tar.bz2

Extract with:
tar xvzf <filename>.tar.gz
tar xvjf <filename>.tar.bz2

Read the INSTALL or README file for the package's specific instructions.

Installing from source (cont.)

After extracting, change to the source directory:
cd <extracted_dir_name>

Run the configure script; consult README and INSTALL for the options you need:
./configure

Build the source with make:
make

Install the package:
make install

Installing from source (cont.)

When the source changes, it must be rebuilt and reinstalled. After installation, clean up the source tree with:
make clean
make distclean

If necessary, delete the source directory altogether:
rm -rf <extracted_dir_name>
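Two checks worth running on a downloaded source tarball before the tar xvzf / ./configure / make install sequence above: that the archive matches the checksum the project publishes, and that its member names cannot write outside the directory you extract into (absolute paths or ".." components in a tarball are a well-known way of planting files such as /etc/ld.so.preload). The script below is an added example, not part of the original course material; the tarball it builds, its contents and the "published" digest are constructed for the demo, and sha256sum/shasum, tar and awk are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original course material: checks to run on a
# source tarball before "tar xvzf" and "./configure && make install". It
# verifies the archive against a published checksum and refuses archives
# whose member names escape the extraction directory.
# Checksums, tarball contents and paths below are constructed for the demo.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's digest equals the digest the project published.
verify_checksum() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Read member names on stdin (one per line, as "tar tzf" prints them) and
# return 0 only if every name is a relative path with no ".." component.
member_list_safe() {
    awk '
        /^\//              { bad = 1 }   # absolute path: would write outside dest
        /(^|\/)\.\.(\/|$)/ { bad = 1 }   # "..": climbs out of dest
        END { exit bad ? 1 : 0 }'
}

# Extract $1 into directory $2 only if its checksum is $3 and its member list is safe.
safe_extract() {
    tarball=$1; dest=$2; expected=$3
    verify_checksum "$tarball" "$expected" || { echo "checksum mismatch: $tarball" >&2; return 1; }
    tar tzf "$tarball" | member_list_safe  || { echo "unsafe member names in $tarball" >&2; return 1; }
    mkdir -p "$dest" && tar xzf "$tarball" -C "$dest"
}

# Demo: build a small constructed tarball, compute its digest as a stand-in
# for the published one, and extract it. Returns 0 if the source file landed
# inside the destination directory.
demo_safe_extract() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/pkg-1.0"
    printf 'int main(void) { return 0; }\n' > "$work/src/pkg-1.0/main.c"
    ( cd "$work/src" && tar czf "$work/pkg-1.0.tar.gz" pkg-1.0 )
    published=$(sha256_of "$work/pkg-1.0.tar.gz")   # constructed stand-in
    safe_extract "$work/pkg-1.0.tar.gz" "$work/build" "$published" || return 1
    [ -f "$work/build/pkg-1.0/main.c" ]
}
```

Listing with tar tzf before extracting costs nothing and is the only way to see a hostile path before tar writes it; newer GNU tar refuses absolute paths by default, but ".." members and older tars are still caught only by a check like this.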

Some applications

Basic applications needed for office work on Linux:
- OpenOffice
- Unikey
- Acrobat Reader
- CHM reader

Q&A

Managing Users

Contents
- Information that defines users
- User management tools
- Users and user permissions
- Default configuration for new users

Defining users

Users are defined in a system to determine who is allowed to use what in that system. In Linux, every user has a unique identifier, the UID (User ID):
- 0: the superuser (root); any account with UID 0 has full administrative rights
- 1-99: system accounts reserved by the distribution
- 100-499: other system and service accounts
- >= 500: ordinary (non-system) users on the Red Hat-era systems covered here (newer distributions start at 1000)

Can a UID be reused? Yes: nothing in /etc/passwd prevents two accounts from sharing a UID, and the kernel only ever checks the number. A second account with UID 0 is a classic backdoor, and when a user is deleted and the UID is later given to a new account, any files the old user left behind become owned by the new one. Audit /etc/passwd for duplicate UIDs, and clean up or reassign orphaned files before reusing a UID.

Defining users (cont.)

Every user needs the following information: user name, UID, group name, GID, home directory. Windows stores this information in LDAP and Kerberos (Active Directory); Linux stores it in text files. User information can be edited with tools or directly in the text files.

Every user belongs to at least one group. Every group also has a unique identifier, the GID.

Defining users (cont.)

The files that define user information:
- /etc/passwd: user login name, (historically) the encrypted password, UID, GID, home directory and login shell. Each line describes one user.
- /etc/shadow: the encrypted password, password age, and when the password must be changed. Readable by root only, which is why the password hash no longer lives in the world-readable /etc/passwd.
- /etc/group: group information.

File /etc/passwd, one colon-separated record per line:
username:password:UID:GID:description:home directory:shell

File /etc/shadow, one colon-separated record per line:
username:password:last password change:days before the password may be changed:days after which the password must be changed:days before expiry on which the user is warned
(followed by the inactivity and account-expiry fields)

File /etc/group, one colon-separated record per line:
groupname:group password:GID:group members
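The field layouts above are enough to audit the account files for the problems that matter on a server: a second UID 0 account, duplicate UIDs, a password hash left in the world-readable /etc/passwd, an empty password field in /etc/shadow, and passwords that never expire. The script below is an added example, not part of the original course material; it takes the files as arguments so it can be run here on constructed samples (embedded below) or, as root, on /etc/passwd and /etc/shadow of a real machine.

```shell
#!/bin/sh
# Added example, not from the original course material: an audit of the
# account files described above. It works on copies passed as arguments,
# so it can run against the constructed samples in demo_audit or against
# /etc/passwd and /etc/shadow (as root) on a real server.

# Print one finding per line for a passwd-format file:
#   EXTRA_ROOT <user>      UID 0 but the name is not "root" (backdoor pattern)
#   PASSWD_HASH <user>     password field is not "x"/"*": hash is world-readable
#   DUP_UID <uid> <user>   another account already uses this UID
audit_passwd() {
    awk -F: '
        NF < 7 { next }
        $3 == 0 && $1 != "root" { print "EXTRA_ROOT " $1 }
        $2 != "x" && $2 != "*"  { print "PASSWD_HASH " $1 }
        ($3 in seen)            { print "DUP_UID " $3 " " $1 }
        { seen[$3] = $1 }' "$1"
}

# Print one finding per line for a shadow-format file:
#   EMPTY_PASSWORD <user>  anyone can log in with no password at all
#   NO_MAX_AGE <user>      usable password that never has to change (field 5 empty)
audit_shadow() {
    awk -F: '
        NF < 2 { next }
        $2 == ""                  { print "EMPTY_PASSWORD " $1 }
        $2 !~ /^[*!]/ && $5 == "" { print "NO_MAX_AGE " $1 }' "$1"
}

# Demo on constructed sample files (the hashes are placeholders, not real).
demo_audit() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:500:501:Bob:/home/bob:/bin/bash
legacy:$1$abc$xyz:502:502:Old account:/home/legacy:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$salt$hash:16000:0:99999:7:::
bin:*:16000:0:99999:7:::
alice::16000:0:90:7:::
bob:$6$salt$hash:16000:0::7:::
EOF
    audit_passwd "$d/passwd"
    audit_shadow "$d/shadow"
}
```

Run audit_passwd /etc/passwd and audit_shadow /etc/shadow from a cron job and alert on any output; on a healthy server both print nothing.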

User management tools

Management from the command line:
- useradd: create a user
- usermod: modify user information
- userdel: delete a user
- groupadd: create a group
- groupdel: delete a group
- groupmod: modify group information

Management from the graphical interface.

User permissions

Permissions in Linux are divided as follows:
- read: r
- write: w
- execute: x

Every file in Linux is assigned permissions for three classes of user:
- owner
- group
- everyone else (other)

User permissions (cont.)

The execute bit applies to executable files; on a directory it means permission to enter the directory and look up names inside it.

User permissions (cont.)

- SetUID: a program with the SUID bit set runs with the privileges of the program's owner, regardless of which user executes it.
- SetGID: works like SUID, but the program runs with the privileges of the file's group owner. On a directory, SGID makes new files inherit the directory's group.
- Sticky bit: on a directory (such as /tmp), only the owner of a file, the owner of the directory, or root may delete or rename that file.

Because a SUID root program hands root's privileges to every caller, the set of such programs on a server should be kept small and audited (find / -perm -4000 -type f).

Default configuration

When useradd is run without options, the new user's attributes are created from the default configuration. The files that define the defaults:
/etc/default/useradd
/etc/skel
/etc/login.defs

To change the defaults, edit these files directly.

Default configuration (cont.)

- /etc/default/useradd: default values for account creation.
- /etc/skel: directory whose contents are copied into each new user's home directory.
- /etc/login.defs: default settings for the shadow password suite (password ageing, UID/GID ranges).

Q&A
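To see the three special bits described above rather than memorise them, the script below (an added example, not part of the original course material) sets SUID, SGID and the sticky bit on throwaway files in a temporary directory and reads the mode strings back, and shows the find command a server audit would run. The octal modes and file names are constructed; only ls, chmod, awk and mktemp are assumed.

```shell
#!/bin/sh
# Added example, not from the original course material: sets the special
# permission bits on throwaway files in a temp directory and reads them back.
# File names and modes are constructed for the demo.

# Print the 10-character symbolic mode string (e.g. -rwsr-xr-x) of a path.
# cut drops the trailing "." or "+" that ls adds for SELinux labels / ACLs.
mode_of() {
    ls -ld "$1" | awk '{print $1}' | cut -c1-10
}

# Build the demo tree and print the three resulting mode strings, one per line.
# Octal modes used:
#   4755  SUID + rwxr-xr-x    runs as the file owner, whoever calls it ("s" in owner x)
#   2775  SGID + rwxrwxr-x    files created inside inherit the directory's group ("s" in group x)
#   1777  sticky + rwxrwxrwx  only a file's owner may delete it, as in /tmp ("t" in other x)
demo_special_bits() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\nid -u\n' > "$d/suidprog"
    mkdir "$d/shared" "$d/tmpdir"
    chmod 4755 "$d/suidprog"
    chmod 2775 "$d/shared"
    chmod 1777 "$d/tmpdir"
    mode_of "$d/suidprog"
    mode_of "$d/shared"
    mode_of "$d/tmpdir"
}

# On a real server: list SUID and SGID programs on the root file system.
# Kept as a separate function so the demo above does not walk the whole disk.
# -xdev stays on one file system; the optional argument changes the start point.
list_setuid_programs() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null
}
```

Note that the SUID bit on a shell script is ignored by the Linux kernel (only binaries honour it), which is exactly why a real SUID audit looks at the binaries find reports, not at scripts.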

The Command Line

- Introduction to the command line
- Command line syntax
- Some common commands
- Command line redirection: redirection, pipe
- Background jobs

Introduction to the command line

The command line is the strength of Unix and Linux. On Unix and Linux, graphical tools cannot do everything the job requires; the command line is the most effective tool. The command line on Unix and Linux is case sensitive. To learn how to use a command, call man, e.g. man ls.

Command line syntax

A command line has three parts: <command> [option] [arguments]
- command: what the system should do
- option: how it should do it
- arguments: what it should do it to (which file, directory or host)

Example: ls -al /root lists the contents of the /root directory, including hidden files. Here ls is the command, -al the options, and /root the argument.

Common commands

- su and sudo.
- Assigning environment variables.
- Creating, deleting, editing and copying files and directories: mkdir, cp, mv, rmdir, ln, cat, vi, rm
- Setting permissions on files and directories: chown, chgrp, chmod
- Searching: find, locate
- Disk usage of directories and partitions: df, du
- Process management and system status: ps, top, kill

Command line redirection

Redirection: there are two kinds of redirection.

Redirect input:
command < filename
Example: create /tmp/in.txt containing the line /root, then run: xargs ls -al < /tmp/in.txt
(ls itself ignores standard input, so the original slide's ls -al < /tmp/in.txt simply lists the current directory; xargs turns the file's content into arguments.)

Redirect output:
command > output
command >> output
Example: ls -al /root > /tmp/out.txt (> overwrites the file, >> appends to it)

Pipe: feed the output of one command into the input of another.
command1 | command2
Example: ls -al /root | more

Background jobs

Normally a command runs in the foreground and writes its output to the screen (output can be redirected to a file). If a command runs for an hour in the foreground it occupies the bash shell, and the user has to open another shell to keep working.

Background jobs (cont.)

A command running in the background is called a job. Start a command in the background:
command &

Job control commands: jobs lists the jobs, fg brings one to the foreground, bg resumes a stopped job in the background.

A command can be started in the background with its output redirected to a file if needed, and the user can continue working in the bash shell as normal.

Q&A

Booting and shutting down

Contents
- The Linux boot process
- Boot loaders (boot managers): GRUB, LILO
- Kernel image and initrd
- The init process and the inittab file
- The rc.sysinit process
- The /etc/rc.d/rc script
- Shutting down Linux

The Linux boot process

- BIOS/POST
- MBR (LILO or GRUB): lets you choose the operating system to boot
- Kernel + initrd: load the kernel and detect hardware
- Mount the root file system (read-only)
- /sbin/init: the parent of all processes

Boot loader

A boot loader, also called a boot manager, manages several operating systems and lets you choose which one to boot. The two common Linux boot loaders:
- LILO (LInux LOader)
- GRUB (GRand Unified Boot loader)

When the configuration file changes, GRUB picks it up automatically; with LILO you must run /sbin/lilo to update the boot sector. Today GRUB is the default boot loader on the vast majority of Linux distributions.

/etc/inittab decides the runlevel and starts the services required by that runlevel. A graphical login is shown for runlevel 5.

Boot loader GRUB

GRUB names partitions differently from Linux. GRUB does not distinguish IDE from SCSI: a disk is hd%d, where %d is an integer starting from zero, and partitions are numbered from zero as well. (hd0,0) is the first partition of the first disk. LILO uses the usual Linux names: hdXY, sdXY.

Configuration file grub.conf:

default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Linux Fedora (2.6.5-1.358smp)
    root (hd0,0)
    kernel /vmlinuz-2.6.5-1.358smp ro root=LABEL=/ rhgb quiet
    initrd /initrd-2.6.5-1.358smp.img
title Windows Server 2003
    rootnoverify (hd0,1)
    chainloader +1

Boot loader GRUB (cont.)

GRUB commands can be used at the GRUB prompt or in grub.conf; root, kernel, initrd, rootnoverify and chainloader appear in the file above. A password line (password --md5 <hash>) stops unauthenticated users at the console from editing entries or dropping into the GRUB shell.

Boot loader LILO

Configuration file lilo.conf:

boot=/dev/hda
prompt
timeout=10
image=/boot/vmlinuz-2.6.5-1.358smp
    label=Linux Fedora (2.6.5-1.358smp)
    root=/dev/hda1
    read-only
other=/dev/hda2
    label=Windows server 2003
    table=/dev/hda

/dev/hda1 is the first partition of the first IDE disk.

Boot loader LILO (cont.)

To install LILO as the boot loader, run:
/sbin/lilo (requires the file lilo.conf)

To remove the LILO boot loader, run:
/sbin/lilo -u

About the lilo command:
man lilo

About the LILO configuration file:
man lilo.conf

Kernel image and initrd

The kernel image is the compressed kernel, stored as the file vmlinuz-<version> (the original slide calls it vmlinuz-version.tar.gz, but vmlinuz is a self-extracting compressed image, not a tar archive). It contains the essential components needed first to boot the machine.

initrd (initial RAM disk): used to detect hardware and load drivers, and to mount the file systems read-only so they can be checked.

The init process and the inittab file

The init process is the parent of all processes.

init reads /etc/inittab to decide which runlevel to boot into. Each line of /etc/inittab has the form:
id:runlevels:action:process

Which runlevel is booted if none is defined? The default runlevel comes from the line whose action is initdefault (for example id:3:initdefault:). If there is no initdefault line, init asks for the runlevel on the console.

The rc.sysinit process

rc.sysinit performs the following tasks:
- set the machine's hostname and detect the network environment
- mount the /proc file system
- set kernel parameters
- set the system clock and fonts
- initialise the swap partition
- check the file systems and remount them read-write
- load the required modules

The /etc/rc.d/rc script

Runs all scripts associated with the runlevel. For example, for runlevel 5 it runs the scripts in /etc/rc.d/rc5.d. These are symbolic links to the real scripts, usually kept in /etc/init.d (/etc/rc.d/init.d).

The /etc/rc.d/rc script (cont.)

Scripts whose name begins with S are run as: /etc/rc.d/init.d/<command> start
Scripts whose name begins with K are run as: /etc/rc.d/init.d/<command> stop
(K links are processed first, then S links, each in the numeric order given by the digits after the letter.)

Shutting down Linux

Q&A

File systems

Contents
- Disks and partitions
- The file system concept
- Managing file systems: mount and umount; the fsck command
- Logical Volume Management

Disks and partitions

Every hard disk must be divided into partitions. Each partition is treated as an independent region: when one fills up, it cannot overflow into the space of another partition. (This is why /var, /tmp and /home are often given their own partitions on servers: a runaway log or a user filling their home directory cannot fill the root file system.)

Different operating systems can be installed on different partitions, and a boot loader then manages the boot process.

Disks and partitions (cont.)

IDE disks are named hdX, where X is a letter [a-z] representing one physical disk, e.g. hda, hdb.

Once partitioned, a partition is named hdXY, where X is the disk letter and Y is the partition number, e.g. hda1, hda2, hdb1, hdb2.

A CD-ROM drive is also seen as an IDE disk. SCSI disks are named sdX (and their partitions sdXY).

The file system concept

Partitions, CD-ROMs, floppies and USB devices must be mounted before their contents can be read. Mounting turns a partition or device (CD-ROM, USB) into a directory in the directory tree; this directory is called the mount point.

The contents of a freshly mounted partition are viewed by viewing the contents of the mount-point directory.

Managing file systems

Exercise:
- Create a directory /mnt/cdrom to use as the mount point for the CD-ROM.
- Suppose the mount-point directory already contains data.
- Mount a partition on the mount point and view the mount point's contents. Are the earlier files still there? No: while something is mounted on a directory, whatever was in that directory is hidden.
- Unmount the CD-ROM from the mount point. Have the earlier files been lost? No: they reappear once the mount is removed.

Managing file systems (cont.)

Every partition must be mounted before it can be used, so when are the system partitions mounted? At boot, from /etc/fstab.

The fdisk command: view, create and delete partitions.

The fsck command: diagnose and repair file systems.

Logical Volume Management

- Flexible partitioning.
- Easy to grow a volume: to add storage capacity, simply add a new disk.

Components: PV (Physical Volume), VG (Volume Group), LV (Logical Volume).

Logical Volume Management (cont.)

- pvcreate: initialise physical volumes for use with LVM. A physical volume can be a hard disk, another storage device, or a partition.
- pvdisplay: show physical volume information.
- vgcreate: create a volume group from physical volumes initialised with pvcreate.
- vgextend: add a physical volume to a volume group.
- vgdisplay: show volume group information.
- lvcreate: create a logical volume from a volume group.
- lvdisplay: show logical volume information.

Q&A

Core System Services

Contents
- The syslogd service
- The crond service
- The xinetd service

The syslogd service

Administrators need to monitor the events occurring on the system continuously. When an incident occurs, they need to look back at the events that preceded it.

Every system needs to keep logs. Logs can be stored locally or centrally. Central logging matters for security: an attacker who gains root on a machine can edit its local logs, but not the copies already shipped to a separate log host.

The syslogd service (cont.)

syslog classifies log messages as follows:
- facility: which application produced the message. Predefined facilities: authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp. Facilities local0 to local7 are reserved for user-defined use.
- level: the severity of the message, in increasing order:
  debug < info < notice < warning < err < crit < alert < emerg
- action: what to do with the message: store it or not, and where.

The syslogd service (cont.)

syslog configuration files:
- /etc/syslog.conf: the main syslogd configuration file. Controls which records are written and where. Each line is one or more selectors of the form facility.level, separated by semicolons, followed by an action (a file, a named pipe, a user to notify, or @host for a remote log server). A selector matches the given level and everything more severe.
- /etc/sysconfig/syslog: defines syslogd's operating mode, e.g. whether it only logs locally or also accepts logs from remote hosts (the -r option on this Red Hat-era syslogd).

The syslogd service (cont.)

Logs kept indefinitely grow too large, and old logs are no longer needed. A process is needed to rotate logs daily or at a user-defined size, and to clean up old logs. The program that does this is logrotate.
- /etc/logrotate.conf: defines the options shared by all log rotation. Services with ordinary rotation needs can be defined directly in logrotate.conf.
- /etc/logrotate.d/: each service can have its own file that rotates its logs as that service requires.

File /etc/logrotate.conf (example shown on the original slide)

File /etc/logrotate.d/radiusd (example shown on the original slide)

The crond service

Some tasks must run periodically or at a specific time of day, so scheduling is needed. crond is the service that periodically runs predefined tasks.

Tasks can be scheduled in two ways: directly with the crontab command (per-user crontabs), or through the crond service with the configuration file /etc/crontab (which has an extra user field before the command).

The crond service (cont.)

/etc/crontab has the following structure:
minute hour day-of-month month day-of-week command
- minute: 0-59
- hour: 0-23
- day of month: 1-31
- month: 1-12
- day of week: 0-6 (0 = Sunday)
- command: a command as it would be typed into the bash shell
- a field containing *: every value
- a field containing */n: every n-th value (the original slide's "/*" is a typo)

The crond service (cont.)

What do the following definitions mean?
0 1 * * * command     (01:00 every day)
0 1 1,15 * * command  (01:00 on the 1st and the 15th of each month)
0 1 1-15 * * command  (01:00 on each of the first 15 days of the month)
0 1 */5 * * command   (01:00 on every fifth day of the month, counting from the 1st: the 1st, 6th, 11th, ...)

The xinetd service

Every service listens for requests from clients. Many services receive requests rarely but keep listening, which wastes resources. xinetd, the extended Internet services daemon, manages such services centrally: it listens on behalf of all the services it serves, starts a service only when a request arrives, and forwards the request to it. The services receive requests only from xinetd, never directly from clients, so xinetd can protect and check them before any request is handed over.

The xinetd service (cont.)

xinetd configuration:
- /etc/xinetd.conf: defines options common to all services that use xinetd.
- /etc/xinetd.d/: one configuration file per service, defining that service's settings under xinetd.

File /etc/xinetd.d/krb5-telnet (example shown on the original slide)

The xinetd service (cont.)

Before allowing a request to be processed, xinetd can check the validity of the requesting IP address against these files (the TCP wrappers access control files):
- /etc/hosts.allow: hosts listed here are accepted.
- /etc/hosts.deny: hosts listed here have their requests discarded.
hosts.allow is consulted first; a client that matches neither file is allowed.

How do you configure it to deny everything and accept only the hosts in hosts.allow? Put ALL: ALL in /etc/hosts.deny, and list the permitted daemon/client pairs in /etc/hosts.allow (for example sshd: 192.168.1.).

Q&A
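The decision rule behind those two files is short enough to write down and test, which is the surest way to confirm that a "deny everything" configuration really does what you expect. The script below is an added example, not part of the original course material: it evaluates hosts.allow and hosts.deny in the order TCP wrappers uses, against constructed copies of the files. It handles the common client patterns (ALL, an exact address, a network prefix ending in "." and a domain suffix starting with "."); the address/netmask form and the EXCEPT and spawn extensions are not modelled.

```shell
#!/bin/sh
# Added example, not from the original course material: the hosts.allow /
# hosts.deny decision rule used by TCP wrappers (libwrap, which xinetd
# consults), run against constructed copies of the files. Only the common
# pattern forms are modelled (ALL, exact address, "192.168.1." prefix,
# ".example.com" suffix); address/netmask and EXCEPT are not.

# client_matches PATTERN CLIENT -> 0 if the pattern covers the client.
client_matches() {
    pat=$1; client=$2
    case $pat in
        ALL) return 0 ;;
        *.)  case $client in "$pat"*) return 0 ;; esac ;;   # network prefix
        .*)  case $client in *"$pat") return 0 ;; esac ;;   # domain suffix
        *)   [ "$pat" = "$client" ] && return 0 ;;
    esac
    return 1
}

# file_matches FILE DAEMON CLIENT -> 0 if any "daemons : clients" line in
# FILE covers both. Comments are stripped; commas and spaces separate list items.
file_matches() {
    file=$1; daemon=$2; client=$3
    [ -f "$file" ] || return 1
    hit=$(sed -e 's/#.*//' "$file" | tr ',' ' ' |
        while IFS=: read -r dlist clist _rest; do
            for d in $dlist; do
                [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
                for c in $clist; do
                    client_matches "$c" "$client" && { echo hit; exit 0; }
                done
            done
        done || true)
    [ "$hit" = hit ]
}

# hosts_access ALLOW_FILE DENY_FILE DAEMON CLIENT -> prints allow or deny.
# Real order: hosts.allow is searched first and a match grants access;
# otherwise hosts.deny is searched and a match refuses; otherwise access
# is granted, so without "ALL: ALL" in hosts.deny the default is permissive.
hosts_access() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Demo with constructed files: deny everything, then whitelist in hosts.allow.
demo_hosts_access() {
    d=$(mktemp -d) || return 1
    cat > "$d/hosts.allow" <<'EOF'
# only the LAN and the corporate domain may reach sshd; one host may reach telnet
sshd: 192.168.1., .corp.example.com
in.telnetd: 192.168.1.5
EOF
    cat > "$d/hosts.deny" <<'EOF'
ALL: ALL
EOF
    hosts_access "$d/hosts.allow" "$d/hosts.deny" sshd 192.168.1.5
    hosts_access "$d/hosts.allow" "$d/hosts.deny" sshd 10.0.0.9
    hosts_access "$d/hosts.allow" "$d/hosts.deny" sshd host1.corp.example.com
    hosts_access "$d/hosts.allow" "$d/hosts.deny" in.telnetd 192.168.1.6
    hosts_access "$d/hosts.allow" "$d/hosts.deny" in.ftpd 192.168.1.5
}
```

Two caveats the demo makes visible: the prefix "192.168.1." must keep its trailing dot (without it, "192.168.1" would be an exact hostname that matches nothing), and a domain suffix rule trusts reverse DNS, so it is only as strong as the resolver the server uses.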

Compiling the Linux kernel

Contents
- Kernel version
- Kernel modules
- Compiling the kernel

Kernel version

The kernel version has the format:
linux-major.minor.patchlevel
e.g. linux-2.6.18.8

To determine the running kernel version:
uname -a
uname -r

- major: the main kernel version
- minor: significant changes within the version. An even number (2.4, 2.6) is a tested version released for production use; an odd number (2.5) is a development version used by kernel developers. (This even/odd scheme applied to the 2.x kernels covered here and was dropped later.)
- patchlevel: bug fixes

The default kernel is built with the necessary modules; when required, the kernel can be rebuilt, giving a new operating system.

Kernel modules

The kernel is usually built with only the most necessary modules. Rarely used modules can be inserted into the kernel when needed. Kernel modules are object files kept under /lib/modules/<kernel-version>/kernel.

Some kernel module directories:
- block: modules for special block devices: RAID controllers, IDE tape drives
- cdrom: CD-ROM modules
- fs: file system modules
- ipv4: modules needed for TCP/IP networking
- net: network interface modules
- scsi: SCSI controller modules
- video: video adapter modules
- misc: modules that fit none of the above

Kernel modules (cont.)

- lsmod: list the modules currently loaded in the kernel.
- insmod: insert a module into the kernel.
- rmmod: remove a module from the kernel.
- modinfo: show information about a module.
- modules.dep: lists the dependencies between modules.

Loading a module places code inside the kernel, so the ability to run insmod is equivalent to full control of the machine; a rootkit delivered as a module is the classic example, and module signing and locked-down loading on later kernels exist to constrain exactly this.

Compiling the kernel

Download the kernel source from kernel.org, and verify the download against the signature published there before building.

To compile the kernel, a C compiler must be installed. Compilation commands:
make mrproper
make config, or make menuconfig, make xconfig, or make oldconfig

After the configuration file has been created, the Makefile can be edited if required, and the following commands are run.

Compiling the kernel (cont.)

Kernel build commands:
make dep
make clean
make bzImage
make modules
make modules_install

- make dep: the C source files are checked for their dependencies (needed for 2.4 kernels; 2.6 no longer uses this step)
- make clean: remove old output files that may exist in the source tree
- make bzImage: create the kernel image file
- make modules: compile the device drivers and the other components selected as modules
- make modules_install: install all compiled modules into /lib/modules/<kernel-version>

Compiling the kernel (cont.)

When compilation completes, a new kernel image and a new initrd are produced. After a reboot, the boot loader shows one more operating system entry.

The new operating system's file system is the same as the old one's; the new OS differs from the old only in the modules compiled into the kernel.

Q&A

Networking Fundamentals

Contents

Configuration files:
/etc/hosts
/etc/sysconfig/network
/etc/sysconfig/network-scripts/ifcfg-eth[n]
/etc/resolv.conf
/etc/services

Configuration and debugging commands:
ifconfig, ifup, ifdown
route
traceroute, netstat, tcpdump

File /etc/hosts

A map between IP addresses and host names on the network, equivalent to the hosts file on Windows (lmhosts, which the original slide names, is the NetBIOS equivalent).

File syntax:
IP address<Tab>Fully.Qualified.Name<space>[host_alias]*
192.168.1.10 centos-1.nhatnghe.com centos-1

Applications consult this file first when resolving a host name (the lookup order is set in /etc/nsswitch.conf or /etc/host.conf).

File /etc/sysconfig/network

/etc/sysconfig/network defines the basic network configuration of the machine:
- enable networking
- enable IPv6 networking
- the machine's host name (compare with the value in /etc/hosts)
- the machine's default gateway

File ifcfg-eth[n]

Each network card has a configuration file /etc/sysconfig/network-scripts/ifcfg-eth[n], where n starts from 0 (the original slide says 1; the first card is eth0). The loopback interface's file is ifcfg-lo. The file holds:
- the network card name
- a static IP assignment, or DHCP
- whether to activate the interface at boot

File /etc/resolv.conf

/etc/resolv.conf defines the name servers the machine uses for domain name resolution. Common directives:
- domain: the machine's DNS domain
- nameserver: the IP address of a name server the machine will use (it must be an IP address, not a name, since no resolver is available yet); at most 3 entries
- search: the list of domains appended to unqualified names

File /etc/services

/etc/services is a list of network ports and the services that use them. When defining a new service, the administrator adds a service name / port number pair to /etc/services. The file only maps names to numbers; it does not control which ports are actually open.

Ports 0-1023 are reserved (privileged: only root can bind them). Ports above 1023 are assigned as applications require.

The ifconfig, ifup and ifdown commands

ifconfig configures the IP address, netmask, broadcast address and other interface parameters:
ifconfig eth0 192.168.1.10 netmask 255.255.255.0
(see man ifconfig)

ifconfig configures one network card (interface) at a time. Its parameters have the same meaning as those in /etc/sysconfig/network-scripts/ifcfg-eth[n], but settings made with ifconfig are lost at reboot unless written to that file. ifup enables an interface; ifdown disables one.

Command route

The route command displays, edits and manages the routing table. It lets the administrator define static routes: routes that rarely change, need no regular updating and are defined for a specific purpose. route also lets the administrator set the default gateway.

Commands traceroute, netstat, tcpdump

- traceroute: traces the path a packet takes through the network. It is commonly used for debugging, to find out why packets are not reaching a given network.
- netstat: lists listening ports, the connections open to the machine, and the state of those connections.
- tcpdump: captures packets travelling on the network. Captures can be saved to a file and analysed with ethereal to identify the type of traffic or to search for particular signatures.

Q & A

DHCP Server

Contents

- Introduction to the DHCP service: function, installation packages.
- Configuration files: /etc/dhcpd.conf, /var/lib/dhcpd/dhcpd.leases.
- The dhclient command.

Introduction to the DHCP service

DHCP is the service that hands out dynamic IP addresses to the machines in the system. DHCP also supplies other parameters dynamically: DNS servers, the gateway, and fixed IP assignments. DHCP is installed from two packages:
- dhcp-[version].rpm
- dhcp-devel-[version].rpm
or from source. Main configuration file: /etc/dhcpd.conf.

File /etc/dhcpd.conf

File dhcpd.leases

The file dhcpd.leases tracks the state of dynamic IP allocation.

Command dhclient

A dynamic IP can be obtained by editing the file /etc/sysconfig/network-scripts/ifcfg-eth[n].
The dhclient command requests a dynamic IP from the DHCP server.

Q & A

NFS & Samba server

Contents

NFS server
- Introduction to the NFS service. NFS configuration. NFS security.
Samba server
- Introduction to the Samba service. Samba configuration. SWAT.

Introduction to the NFS service

NFS (Network File System) is the file-sharing service used across a network between Linux servers. NFS lets NFS clients mount a partition of the NFS server as if it were a local partition.
NFS has little built-in security, so the clients permitted to mount the NFS server's partitions must be trusted.

NFS configuration

Processes of the NFS server:
- portmap
- rpc.nfsd
- rpc.statd and rpc.lockd
- rpc.rquotad: enforces the quotas NFS users may use.
- rpc.mountd: controls which NFS users may mount which partitions.
Configuration file of the NFS server: /etc/exports

NFS configuration (cont.)

File /etc/exports. Syntax:
/path/to/export [host](options)
- /path/to/export: the shared directory.
- host: the host allowed to access it.
- options: the access rights.
The access rights take the following values:
- secure: the client's request must come from a port below 1024.
- ro: read only.
- rw: read/write.
- noaccess: access denied.
- root_squash: block remote root users.
- no_root_squash: allow remote root users.
Example:
/mnt/cdrom (ro)
/tmp
/home (rw) 192.168.0.0/255.255.255.0(rw)
Are the following two spellings the same or different?
host (options)
host(options)

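The two spellings the slide asks about are not the same: with a space, the bare host gets only the default options and the parenthesised options apply to every host. The following Python parser, an added example rather than code from the course, reads exports lines the way exportfs does and reports which paths are world-mountable; the sample exports text and the probe address 203.0.113.5 are constructed.

```python
import ipaddress
import re

# Constructed sample in the syntax shown on the slide, plus the two spellings
# the slide asks about.  Default options when none are given: ro, root_squash.
SAMPLE_EXPORTS = """
/mnt/cdrom (ro)
/tmp
/home (rw) 192.168.0.0/255.255.255.0(rw)
/srv/data   192.168.0.10(rw,root_squash)
/srv/backup 192.168.0.10 (rw,no_root_squash)
"""

# A client token is "host", "host(opt,opt)" or "(opt,opt)" with no host at all.
CLIENT = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Return {path: [(client, [options]), ...]} as exportfs reads the file:
    an options group with nothing in front of it applies to every host ('*'),
    and a bare host gets only the defaults."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        clients = []
        for tok in tokens:
            host, opts = CLIENT.fullmatch(tok).groups()
            options = [o for o in (opts or "").split(",") if o]
            clients.append((host or "*", options))
        if not clients:          # no client list at all: everyone, defaults
            clients.append(("*", []))
        exports[path] = clients
    return exports


def client_matches(pattern, ip):
    """Match an IP against '*', an exact address, or net/mask (prefix or dotted)."""
    if pattern == "*":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip


def effective_access(exports, path, ip):
    """First matching client entry wins, as in exportfs.  Returns
    (mode, root_is_squashed) or None when ip may not mount path."""
    for host, options in exports.get(path, []):
        if client_matches(host, ip):
            mode = "rw" if "rw" in options else "ro"
            return mode, "no_root_squash" not in options
    return None


def world_exports(exports, probe_ip="203.0.113.5"):
    """Audit helper: paths any host may mount, with the access the world gets.
    probe_ip is a constructed address that is in none of the listed networks."""
    return {path: effective_access(exports, path, probe_ip)
            for path, clients in exports.items()
            if any(host == "*" for host, _ in clients)}
```

Note that in the sample, /home is read/write for the whole world while /srv/backup gives the world rw with no_root_squash and the intended host only the read-only defaults.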
NFS configuration (cont.)

NFS client commands:
- mount: mounts a partition of the NFS server as a local partition. An entry in /etc/fstab mounts it automatically at boot.
- nfsstat
- rpcinfo
- showmount: shows which clients are using which partitions of the NFS server.

NFS security

NFS security relies on the two files /etc/hosts.allow and /etc/hosts.deny.
File /etc/hosts.deny:
portmap,lockd,mountd,rquotad,statd: ALL
File /etc/hosts.allow:
portmap,lockd,mountd,rquotad,statd: 192.168.0.0/255.255.0.0

Introduction to the Samba service

Samba provides file and print sharing across a network between Linux and Windows machines.
From Linux:
- Mount Windows shared folders.
- Use Windows printers.
- Authenticate against Windows machines.
From Windows:
- See Linux shared folders.
- Authenticate against Linux machines.
- Use Linux printers.

Introduction to the Samba service (cont.)

The Samba service consists of the following processes:
- smbd: listens on port 139 and directly handles requests for the shared folders on Linux. When a client connects, smbd creates a new process to serve that connection.
- nmbd: listens on port 137 and is responsible for providing the Samba server's NetBIOS name to connection requests.

Introduction to the Samba service (cont.)

Both Windows and Linux store passwords in encrypted (hashed) form for user authentication: the password the user types is encrypted and compared with the stored encrypted password; if they match, authentication succeeds. The encryption schemes used by Windows and Linux differ, so for a Windows user to authenticate on Linux, the user must be re-created on Linux with the smbpasswd command.

Samba configuration

Samba can be installed from RPM:
- samba-client-[version]
- samba-common-[version]
- samba-[version]
- system-config-samba-[version]
or from source. Main configuration file of the Samba service: /etc/samba/smb.conf. Use the testparm command to check the Samba configuration file.

Samba configuration (cont.)

The Samba configuration file can be edited directly or through the SWAT web interface. Global Samba options are defined in the [global] section, for example the security mode, which takes one of the values:
share | domain | server
Each Samba share is defined in its own section, giving the share path, the actual directory name, and the permissions assigned.

SWAT

SWAT is a web-based interface for editing the Samba configuration in a browser:
http://localhost:901/
Samba client commands:
- smbclient
- smbmount

Q & A

PAM

Contents

Pluggable Authentication Modules (PAM):
- Introduction
- Configuration

Pluggable Authentication Modules

Each application having its own authentication method makes the system complex. PAM provides a centralised authentication mechanism: the application does not authenticate directly but passes the request to PAM; PAM does the work and returns the authentication result; the application then decides whether to let the user log in.

PAM (cont.)

In Windows terms, PAM plays the role of a DLL for other applications; in Linux terms, PAM is a library. PAM provides many authentication modules in /lib/security, from simple to complex. When an application needs a particular authentication method, it calls that method from the PAM library. Information on PAM's authentication modules:
man [pam_module]

PAM (cont.)

- /lib/security: PAM's authentication modules.
- /etc/security: the configuration file of each PAM authentication module.
- /etc/pam.d: the configuration files of the applications that use PAM for authentication.
=> every application that authenticates through PAM has a configuration file in /etc/pam.d.

PAM (cont.)

Each line of such a file has the form:
module_type control_flag module_path arguments
- module_type: one of 4 values: auth, account, session, password.
- control_flag: how the application treats the result PAM returns for this module.
- module_path: the path of the authentication module.
- arguments: further parameters.

PAM (cont.)

module_type:
- auth: the application requires the user to enter a password.
- account: no authentication; decides from other factors whether the user may log in: where the login comes from, at what time.
- session: actions to perform before or after the user logs in.
- password: lets the user change the password.

PAM (cont.)

control_flag:
- required: the module must succeed; if it fails, a failure result is returned (after the remaining modules have run).
- requisite: if this module fails, the result is returned immediately and the following modules are not used.
- sufficient: if this module succeeds and no required module has failed, a success result is returned immediately.
- optional: the remaining modules are still checked even if this module fails.

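The four control flags above, walked through in an added Python simulation that is not part of the course material: the stack is constructed (it is not any distribution's /etc/pam.d/login) and module results are supplied as a dict instead of calling real modules.

```python
# Simulation of how PAM walks the lines of one module_type under the four
# control flags on the slide.  Added example; the stack below is constructed.
SUCCESS, FAIL = "success", "fail"

# (control_flag, module) lines, in file order, for one module_type (here: auth).
LOGIN_AUTH = [
    ("requisite",  "pam_nologin.so"),    # /etc/nologin present: stop at once
    ("required",   "pam_securetty.so"),  # root only from a listed tty
    ("sufficient", "pam_unix.so"),       # password check against /etc/shadow
    ("required",   "pam_deny.so"),       # reached only when nothing above sufficed
]


def evaluate_stack(stack, module_results):
    """module_results maps module -> True (pass) or False (fail).
    Returns (final_result, list of modules that actually ran)."""
    ran = []
    required_failed = saw_success = optional_ok = False
    for flag, module in stack:
        ran.append(module)
        ok = module_results[module]
        if flag == "required":
            # a failure is remembered but the rest of the stack still runs, so the
            # prompts do not reveal which required module rejected the login
            if ok:
                saw_success = True
            else:
                required_failed = True
        elif flag == "requisite":
            if not ok:
                return FAIL, ran               # fail immediately, nothing below runs
            saw_success = True
        elif flag == "sufficient":
            if ok and not required_failed:
                return SUCCESS, ran            # succeed immediately, nothing below runs
        elif flag == "optional":
            optional_ok = ok                   # only counts when nothing else decided
        else:
            raise ValueError(f"unknown control flag: {flag}")
    if required_failed:
        return FAIL, ran
    # simplification: a stack with no deciding module falls back to the last optional
    return (SUCCESS if saw_success or optional_ok else FAIL), ran
```

A wrong password and a failed pam_securetty both run all four modules and both end in pam_deny, so the two failures look identical from outside; only a requisite failure stops the stack early.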
PAM (cont.)

Common arguments:
- debug: log debugging information.
- no_warn: do not send warning messages to the application.
- use_first_pass: keep the password already entered and use it for the next authentication step.
- try_first_pass: like the option above, but if that password fails, ask the user to enter it again.
Use man [pam_module] to learn about each authentication module, e.g. man pam_nologin

Q & A

NIS

Contents

- Introduction to NIS
- Installing NIS: the daemons, configuration files
- NIS tools

Introduction to NIS

Before NIS, authenticating a user logging into the system worked as follows: (diagram)

Introduction to NIS (cont.)

With NIS, authenticating a user logging into the system can be understood as follows: (diagram)

Introduction to NIS (cont.)

NIS (Network Information Service) is a central store of data that clients can query. The data that can be stored in NIS is text data: /etc/passwd, /etc/hosts, /etc/services, /etc/protocols. These text files are tab-separated and have at least one column whose value is unique on every line.

Installing & configuring NIS

NIS is installed from the rpm package or from source:
- ypserv-[version].rpm
NIS works in a client/server model. The server runs the following daemons:
- ypserv: listens for client queries and answers them.
- ypxfrd: transfers changes from the NIS master to the NIS slaves.
Daemon on the client:
- ypbind: locates the NIS server to send queries to.

Installing & configuring NIS (cont.)

Before the NIS server can operate, its data must first be initialised with the ypinit process. The file /var/yp/Makefile decides which data the NIS server will serve. When the NIS server's data needs updating, run:
/var/yp/make

NIS tools

Clients can use the following tools to query the NIS server:
- ypcat: dump the contents of a NIS map.
  ypcat passwd
- ypwhich: show which NIS server is serving the requests.
  ypwhich
- ypmatch: look up the NIS map entries matching a key.
  ypmatch test passwd

Q & A

LDAP

Contents

- Introduction to network directories
- Introduction to the LDAP protocol
- Storage structure of an LDAP directory
- Introduction to OpenLDAP: server-side daemons, client-side commands

Network Directory

A network directory is a structure for organising storage hierarchically, as a tree. A network directory is organised to be most convenient for reading and searching; an application that needs many insert and update operations should not store its data as a network directory. X.500 is a network directory.

Introduction to the LDAP protocol

To query a network directory, the DAP (Directory Access Protocol) is used. The protocol specifies a set of commands exchanged between the client and the storage server (the network directory) to retrieve the required data. DAP runs over the OSI protocol stack. LDAP (Lightweight Directory Access Protocol) was created to replace DAP: it defines a set of client/server commands over TCP for querying directory data.

LDAP protocol (cont.)

LDAP directory

- DN: Distinguished Name, e.g. uid=babs, ou=people, dc=example, dc=com
- RDN: Relative Distinguished Name, the leftmost component of the DN (uid=babs)

LDAP directory (cont.)

- entry: e.g. cn=gerald carter, ou=people, dc=plainjoe, dc=com
- attribute

LDAP directory (cont.)

The commonly used schemas and object classes are already defined in RFCs. To define a directory tree, analyse which attributes are needed, then find the object classes and schemas that provide those attributes, and build the tree from them. If no schema satisfies the requirements, new schemas and object classes can be defined.

OpenLDAP

OpenLDAP is open-source software implementing LDAP on Linux/UNIX. The server side has two main services:
- slapd: the standalone LDAP daemon. It listens for LDAP queries from clients, executes them and returns the answers.
- slurpd: the LDAP replication daemon. It synchronises changes from the LDAP master server to the LDAP slave servers.

OpenLDAP (cont.)

To query LDAP, a client uses the following commands:
- ldapadd: add a new entry.
- ldapmodify: modify an entry.
- ldapdelete: delete an entry.
- ldapmodrdn: change the RDN of an entry.
- ldapsearch: search for entries.

Q & A

FTP & SSH server

Contents

FTP service
- Introduction to the FTP service. Installing the FTP service. Configuring the FTP service.
SSH service
- Introduction to the SSH service. Installing the SSH service. Configuring the SSH service.

Introduction to the FTP service

FTP is the service that provides a mechanism for sending and receiving files over TCP/IP. The FTP service works on two ports:
- Port 20: data port. Data is transferred on this port.
- Port 21: control port. Commands and replies between client and server are exchanged on this port.
The FTP service has two operating modes:
- Active FTP
- Passive FTP

Introduction to the FTP service (cont.)

Active FTP (diagram)

Introduction to the FTP service (cont.)

Passive FTP (diagram)

Installing & configuring the FTP service

Several packages implement the FTP service: vsftpd, wuftpd, pureFTPd, proFTPD. vsftpd is regarded as having good security. It can be installed from RPM or from source. Main configuration files of vsftpd:
- vsftpd.conf: controls the operation of the FTP service.
- vsftpd.ftpusers: list of users not allowed to log in to FTP.
- vsftpd.user_list: depending on the settings in vsftpd.conf, the FTP service denies or allows the users in this list.

Introduction to the SSH service

The strength of Linux is the command line. The SSH service allows a remote session to be controlled from the command line. Data and passwords transmitted within SSH are encrypted; because of this data security, SSH is preferred over telnet. The SSH service listens on port 22.

Installing the SSH service

By default the SSH service is installed along with the operating system. It can also be installed from the package:
- openssh-[version]
Main configuration file of the SSH service: sshd_config

Q & A

DNS server

Contents

- Introduction to the DNS service. How DNS works.
- Fully Qualified Domain Name (FQDN). The in-addr.arpa domain. Resolving DNS requests. Types of DNS server.
- Installing the DNS service. Configuring the DNS service. DNS tools.

Introduction to the DNS service

For one machine to communicate with another it must know its IP address, but users find IP addresses hard to remember and want to reach other machines on the network by name. A mapping between IP addresses and machine names is needed. On a small network, a text file is used to manage it; on the Internet, the DNS service is used.

Introduction to the DNS service

DNS (Domain Name Service) is the domain-name resolution service: it maps domain names to IP addresses. DNS lets users reach other machines by name without remembering IP addresses. DNS is implemented by the Berkeley Internet Name Domain (BIND) software.

Fully Qualified Domain Name

DNS manages domain names as Fully Qualified Domain Names (FQDN), organised as a tree, e.g. serverA.example.org.:
- serverA: third-level domain
- example: second-level domain
- org: top-level domain
- . : root domain

Fully Qualified Domain Name (cont.)

(diagram)

The in-addr.arpa Domain (cont.)

(diagram)

Resolving DNS requests

request (domain name) -> DNS server -> IP (a.b.c.d)
The domain name may be:
- a domain managed by Athena,
- a domain managed by VNNIC,
- an international domain.
The DNS server may be:
- Athena's DNS server,
- another provider's DNS server.

Resolving DNS requests (cont.)

Domain managed by Athena:
- via Athena's DNS: request -> Athena -> answer.
- via another provider's DNS: request -> DNS server -> answer; request -> DNS server -> VNNIC -> Athena -> answer.

Resolving DNS requests (cont.)

Domain managed by VNNIC:
- request -> Athena -> VNNIC -> ISP -> answer.
- request -> Viettel -> answer.
International domain:
- request -> Athena -> Root servers -> primary DNS -> answer.

Resolving DNS requests (cont.)

Detailed request handling by a DNS server that does not support recursive mode: (diagram)

Resolving DNS requests (cont.)

Detailed request handling by a DNS server that supports recursive mode: (diagram)

Types of DNS server

- Primary DNS server
- Secondary DNS server
- Caching/Forwarding DNS server

Installing the DNS service

Install the DNS service from the bind packages:
- bind-utils-[version]
- bind-libs-[version]
- bind-[version]
Main configuration file of the DNS service: named.conf

Configuring the DNS service (cont.)

- Global options
- Root servers
- Domain definitions

Configuring the DNS service (cont.)

DNS supports the record types: SOA, NS, PTR, MX, A, CNAME.

DNS tools

- dig: dig @nameserver domain
- dnsquery: dnsquery -n nameserver host
- host: host domain
- nslookup: nslookup record [server]; nslookup ipaddress

Q & A

Web server

Contents

- Introduction to the Web service. Introduction to Apache.
- Installing Apache.
- Configuring Apache: access control, log files, performance.

Introduction to the Web service

The World Wide Web (WWW) is a client-server application based on the HTTP protocol. Web clients (browsers) send requests to the web server using HTTP; the web server receives the request, processes it and returns the result to the client. HyperText Markup Language (HTML) is the language web pages are written in.

Apache

Several products implement web-server functionality: IIS, Apache, ... Apache is the open-source software most widely used as a web server on Linux. It is compatible with almost all UNIX operating systems and with Windows. Apache is flexible and extensible: additional modules can be compiled in from
http://modules.apache.org

Installing Apache

Apache can be installed from the rpm package:
- httpd-[version].rpm
or from the source package:
- httpd-[version].tar.gz
When installing from source, many compile options can be chosen:
- --enable-proxy --enable-ssl --enable-rewrite ...

Configuring Apache

Apache configuration file: httpd.conf. The configuration has three main parts:
- Global section: settings here apply to every host on the server.
- Main section: applies to the virtual hosts that have no section of their own.
- Virtual host section: each virtual host may have its own section.

Configuring Apache (cont.)

Global section of httpd.conf:
ServerRoot /etc/httpd              # where Apache is installed
Timeout 120                        # lifetime of a connection (seconds)
KeepAlive On                       # a client may send several requests over one connection
MaxKeepAliveRequests 100           # maximum requests per connection
KeepAliveTimeout 15                # timeout of a request
Listen 80                          # listen on port 80
User apache                        # user and group that run httpd
Group apache
ServerAdmin root@localhost         # administrator's e-mail
ServerName www.nhatnghe_lpi.com:80 # declared URL of the server
DocumentRoot /var/www/html         # root directory of the web server

Configuring Apache (cont.)

Virtual hosts can be implemented in two ways: name-based and IP-based. With IP-based virtual hosts, each virtual host needs its own network card.

Configuring Apache (cont.)

Configuring Apache to support name-based virtual hosts.

Access control

Access control checks which users are allowed to access a site, and which pages each user may and may not access.
- Access can be restricted by the user's IP address range.
- Access can be restricted to authenticated users only (valid user).

Access control (cont.)

Access can be restricted by user identity: only users whose username/password check out may access the site. Create the username/password, then restrict access in httpd.conf.

Log Files

- access_log: lists every request made to the site.
- agent_log: lists the programs the web server invokes. This log is optional; it can be selected when compiling Apache or configured directly in httpd.conf.
- error_log: errors that occur while the web server runs.
- refer_log: lists the URLs the browser visited before. This log is also optional: selected at compile time, at configuration time, or not configured at all.

Performance

These options are defined in the Global Section:
- StartServers: number of child processes created when the web server starts.
- MinSpareServers: minimum number of idle child processes waiting for connections.
- MaxSpareServers: maximum number of idle child processes allowed to wait for connections.
- MaxClients: maximum number of simultaneous requests the web server serves.

Q & A

Squid server

Contents

- Introduction to Squid server
- Configuring Squid server: options, ACL configuration
- Squid Authentication

Introduction to Squid server

Squid is a caching proxy server. It sits between the web client and the web server. When a web page is requested, Squid checks the request against the policies defined in its configuration to confirm it is allowed; then it fetches the page and returns the result to the requester. If the result is already in Squid's cache, Squid returns it immediately.

Introduction to Squid server (cont.)

Squid can be installed from source or from rpm. Squid consists of the following locations on the system:
- /etc/squid
- /usr/lib/squid
- /usr/sbin/squid
- /var/log/squid

Configuring Squid server

Main options for configuring Squid:
- http_port: the port Squid listens on for requests. Default is port 3128.
- cache_dir: where Squid keeps its cache:
  cache_dir storage_type directory-name megabytes L1 L2 [options]
  cache_dir ufs /var/spool/squid 10000 16 256
  (directory /var/spool/squid, 10000 megabytes, 16 top-level directories, 256 second-level directories)

Configuring Squid server (cont.)

- cache_mem: how much RAM Squid may use.
- cache_access_log: where Squid records the requests made to it.
- acl: the most complex part of Squid configuration; it decides who may access the web and which pages they may access:
  acl intranet src 192.168.1.0/24
  http_access allow intranet
  http_access deny all

Configuring Squid server (cont.)

ACLs can restrict access in many ways:
- by time
- by IP address
- by port
- by protocol
- by web site
- by the files allowed to be downloaded
- by the maximum bandwidth used

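How the acl and http_access lines above are evaluated, in an added Python model of Squid's first-match semantics (not Squid's own code) for the src, port and time ACL types from the list above. The squid.conf fragment is constructed, extending the slide's intranet example; the request records are constructed too.

```python
import ipaddress
from datetime import time

# Constructed squid.conf fragment extending the slide's example with the ACL
# kinds the slide lists: IP address (src), port, and time of day.
SQUID_CONF = """
acl intranet src 192.168.1.0/24
acl safe_ports port 80 443
acl workhours time MTWHF 08:00-18:00
http_access deny !safe_ports
http_access allow intranet workhours
http_access deny all
"""

# Squid's single-letter day codes; datetime.weekday() numbering, Monday == 0.
DAYS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}


def parse_squid(text):
    """Collect acl definitions and http_access lines in file order."""
    acls, rules = {"all": ("all", [])}, []          # 'all' is built in
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "acl":
            name, kind, values = fields[1], fields[2], fields[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))   # (allow|deny, [acl terms])
    return acls, rules


def acl_matches(acl, request):
    """request: dict with src, port, weekday (0=Mon) and clock (datetime.time)."""
    kind, values = acl
    if kind == "all":
        return True
    if kind == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return str(request["port"]) in values
    if kind == "time":
        days, span = values[0], values[1]
        start, end = (time.fromisoformat(t) for t in span.split("-"))
        return (request["weekday"] in {DAYS[d] for d in days}
                and start <= request["clock"] < end)
    raise ValueError(f"acl type not modelled: {kind}")


def http_access(acls, rules, request):
    """The first http_access line whose every term matches decides ('!' negates
    a term).  If no line matches, Squid applies the opposite of the last line's
    action, which is why 'http_access deny all' is the conventional final line."""
    if not rules:
        return "deny"
    last_action = "deny"
    for action, terms in rules:
        last_action = action
        if all(acl_matches(acls[t.lstrip("!")], request) != t.startswith("!")
               for t in terms):
            return action
    return "allow" if last_action == "deny" else "deny"
```

The last assertion in the test shows the hole left when the final deny all is omitted: a request that matches no line inherits the opposite of the last line's action.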
Squid Authentication

To use Squid, the user must have a valid username/password => Squid Authentication. To use the Squid Authentication feature, ncsa_auth must be compiled with Squid. Then create passwords for the users and configure Squid to enable Squid Authentication.

Q & A

Mail server

Contents

- Introduction to the Mail service: MUA (Mail User Agent), MDA (Mail Delivery Agent), MTA (Mail Transfer Agent), mail transfer protocols.
- Analysis of MTA configuration.
- Analysis of anti-spam policies.

Introduction to the Mail service

Mail is the most important and necessary service for users. Problems users commonly meet:
- An e-mail is sent, the recipient never receives it, and the sender gets no error message either.
- An e-mail is sent, but the recipient only receives it after more than an hour, or up to a day.
- Constant junk and advertising mail.

Introduction to the Mail service (cont.)

To keep the Mail service under control, the administrator must:
- monitor the state of e-mail: whether it has been sent, whether it arrived, whether it was received, and why it could not be sent or received;
- monitor the sending and receiving connections: how many, and whether they are congested;
- keep spam and virus mail under control.

Introduction to the Mail service (cont.)

The user's sending process:
- The user configures the outgoing and incoming servers in the mail client (Outlook, Eudora, Thunderbird: the MUA).
- The user composes an e-mail in the client and sends it.
- The outgoing server receives the e-mail, analyses the To: address, and contacts the mail server responsible for that recipient to deliver it.
(diagram: MUA -> MTA -> remote MTA)

Introduction to the Mail service (cont.)

Communication between MTAs:
- After analysing the To: address, if the recipient is in the same domain as the sender, the mail is delivered locally.
- If the recipient belongs to another domain, the outgoing server uses DNS to find the MX record of that domain's mail server (the remote MTA).
- The outgoing server contacts the remote MTA named by the MX record, over SMTP.
- The remote MTA delivers the e-mail to its recipient.
Introduction to the Mail service (cont.)

Users check e-mail through the incoming server. The incoming server is usually a POP3 server, the MDA (Mail Delivery Agent). For mail within the same domain, the outgoing server (MTA) delivers it to the incoming server (MDA) over LMTP (Local Mail Transfer Protocol). Users connect to the incoming server (MDA) with POP or IMAP to fetch their mail.

Introduction to the Mail service (cont.)

test@nhatnghe.com -> test1@yahoo.com:
- Athena outgoing server -> DNS -> MX record -> Yahoo mail server.
- Athena outgoing server -> Yahoo mail server over SMTP -> test1@yahoo.com.
test@nhatnghe.com -> test1@nhatnghe.com:
- Athena outgoing server -> Athena incoming server over LMTP.
- test1@nhatnghe.com checks mail over POP and receives the e-mail from the incoming server.

Introduction to the Mail service (cont.)

test1@yahoo.com -> test@nhatnghe.com:
- Yahoo mail server -> DNS -> MX record -> Athena mail server.
- Yahoo mail server -> Athena mail server over SMTP -> test@nhatnghe.com.
- Athena mail server -> Athena incoming server over LMTP, which delivers the mail to test@nhatnghe.com.
- test@nhatnghe.com checks mail over POP and receives the e-mail from the incoming server.

Introduction to the Mail service (cont.)

The protocols used in sending and receiving mail:
- SMTP (Simple Mail Transfer Protocol): sending and receiving mail between MTAs.
- LMTP (Local Mail Transfer Protocol): delivering mail from MTA to MDA.
- POP (Post Office Protocol): fetching mail from the MDA to the MUA.
- IMAP (Internet Mail Access Protocol): fetching mail from the MDA to the MUA.
Introduction to the Mail service (cont.)

Software for the MTA (Mail Transfer Agent) role:
- Sendmail, Postfix, Qmail, Exim.
Software for the MDA (Mail Delivery Agent) role:
- Procmail, Maildrop, Cyrus-IMAP, Courier IMAP.
Software for the MUA (Mail User Agent) role:
- Outlook, Thunderbird, Eudora.

MTA configuration

When configuring an MTA, pay attention to the following features:
- The MTA requires users to authenticate before sending mail => SMTP Authentication.
- Which domains the MTA handles mail for => relay domains.
- Which domains and IP addresses the MTA refuses connections from.
- Limits on simultaneous connections from one IP address, and on the total number of connections the MTA can handle.
- The maximum number of recipients a message may be sent to at once.
- The maximum message size.
- How the MTA handles the mail queue: how long a message may stay queued, when a warning is sent to the user, and when queued mail is dropped.
- Which MDA server the MTA hands mail to.

Anti-SPAM policy

Anti-spam for mail falls into two main categories:
- Connection-level spam: countered by policies that check the connection used to send mail.
  - One IP address continuously opening many connections -> cap the maximum number of connections per IP.
  - Many IP addresses continuously opening connections -> check reverse DNS, rely on blacklists.
  - Continuous sending of many e-mails -> use software that rates the sending source.
- Spam by content: countered by filtering the content of e-mail.
  - Advertising content.
  - E-mail carrying dangerous viruses.
  => use spam and virus filtering software.

Q & A

Firewall

Contents

- Introduction to iptables: an example network model, traffic analysis, applying the firewall.
- The logical processing model of iptables
- iptables syntax
Introduction to iptables

(diagram: the protected zone, with the nat and filter tables)

Introduction to iptables

The following kinds of traffic must be managed:
- Allow all traffic from inside the firewall (10.0.0.0/24) to the outside.
- Block all traffic from outside into the firewall, except the following:
  - TCP port 80, port 22, port 443
  - TCP port 80: forwarded to the web server.
  - TCP port 22: forwarded to the file server.
  - TCP port 443: forwarded to the file server.
Logical model of iptables

(diagram: tables, chains and rules)
Inbound request, DNAT on the firewall:
- Client 200.2.2.2 sends From: 200.2.2.2:1025 To: 172.20.12.88:80 to the firewall's outside interface eth0 (172.20.12.88).
- DNAT rewrites it to From: 200.2.2.2:1025 To: 10.0.0.2:80 and it leaves the inside interface eth1 (10.0.0.1) for the server 10.0.0.2, whose default route is 10.0.0.1.

Logical model of iptables

Reply, SNAT on the firewall:
- Server 10.0.0.2 (default route 10.0.0.1) sends From: 10.0.0.2:80 To: 200.2.2.2:1025 to eth1 (10.0.0.1).
- SNAT rewrites it to From: 172.20.12.88:80 To: 200.2.2.2:1025 and it leaves eth0 (172.20.12.88) for the client 200.2.2.2.

iptables syntax

iptables -t table -A chain [match] [target]
- table: filter (default), nat, mangle
- -A chain: append a new rule.
- -D chain: delete a rule.
- -I chain number: insert a rule at line [number].
- -R chain number: replace the rule at line [number].
- -L chain: list the existing rules.
- -F chain: flush all existing rules.
- -N chain: define a new chain.
- -E [old_chain] [new_chain]: rename a chain (only user-defined chains can be renamed).

iptables syntax (cont.)

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
(-p tcp --dport 22 is the match, -j ACCEPT the target)

iptables syntax: TARGET

- ACCEPT: let the packet through.
- DROP: discard the packet.
- REJECT: drop the packet and send an ICMP reply back to the sender. If too many are sent, it stops replying. --reject-with type sends ICMP of the given type:
  icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable
- QUEUE: pass the packet to a userspace queue.
- RETURN: return to the calling chain, or apply the default policy.
- LOG: record packet information in the system log; options:
  --log-level --log-prefix --log-tcp-sequence --log-tcp-options --log-ip-options

TARGET (cont.)

- SNAT: only usable in the nat table, POSTROUTING chain.
  --to-source address[-address][:port-port]
  -j SNAT --to-source 172.20.12.88
- DNAT: only usable in the nat table, PREROUTING chain.
  --to-destination address[-address][:port-port]
  -j DNAT --to-destination 10.0.0.2:80
- MASQUERADE: a special form of SNAT.
- REDIRECT: redirect the packet to another port on the local machine.
  -j REDIRECT --to-ports 80

Match

- -p [!] name: select packets by protocol. The protocol may be a name or the corresponding number from /etc/protocols.
- -s [!] address[/mask]: select packets by source address. The address may be a hostname or an IP address.
- -d [!] address[/mask]: as above, but for the packet's destination address.

Match (cont.)

- -i name: select packets received on interface name (input).
- -o name: select packets sent out of interface name (output).
- [!] -f: select fragmented packets (from the second fragment on).

Match (cont.)

- --sport [!] [port][:port]: select packets whose source port is as given.
- --dport [!] [port][:port]: select packets whose destination port is as given.
iptables -A INPUT -p tcp -s 10.1.1.0/24 -i eth0 -d 192.168.1.1 --dport 80 -j ACCEPT

Match icmp & mac (cont.)

For icmp (with -p icmp):
- --icmp-type [!] type: select ICMP packets of type type. The type may be given as a number or a name (iptables -p icmp -h).
For mac (with -m mac):
- --mac-source [!] address: select packets whose source MAC address is address, written as 00:60:08:91:CC:B7

Match limit (cont.)

For limit (with -m limit):
- --limit rate: limit the packet rate, given as a number followed by /second, /minute, /hour or /day. Default is 3/hour.
- --limit-burst [number]: the maximum number of packets accepted in a burst. Default is 5.

Match state (cont.)

The state module recognises and selects packets by the connection state they belong to; iptables is stateful.
- --state states: select packets whose state is one of those listed in states. The states of a connection are: INVALID, ESTABLISHED, NEW, RELATED

Q & A

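The inbound DNAT and reply SNAT from the logical-model slides, walked through in an added Python simulation (not iptables itself) of the PREROUTING (nat) -> FORWARD (filter) -> POSTROUTING (nat) path with a small connection-tracking table, using the rule set that implements the traffic policy of the introduction slide. The file server address 10.0.0.3 and the test addresses 198.51.100.7 and 10.0.0.5 are assumptions; the slides give none.

```python
import ipaddress
import shlex

# Constructed rule set for the slides' model network: firewall eth0 172.20.12.88
# (outside), eth1 10.0.0.1 (inside, 10.0.0.0/24), web server 10.0.0.2 and, as an
# assumption the slides do not give, file server 10.0.0.3.  Only options shown
# on the slides are used; a final DROP rule stands in for the chain policy.
RULES = """
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 172.20.12.88 --dport 80 -j DNAT --to-destination 10.0.0.2:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 172.20.12.88 --dport 22 -j DNAT --to-destination 10.0.0.3:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 172.20.12.88 --dport 443 -j DNAT --to-destination 10.0.0.3:443
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j SNAT --to-source 172.20.12.88
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp -d 10.0.0.3 --dport 22 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp -d 10.0.0.3 --dport 443 -j ACCEPT
iptables -A FORWARD -j DROP
"""
INSIDE = ipaddress.ip_network("10.0.0.0/24")   # everything else is routed out of eth0

def parse_rules(text):
    """Minimal parser for the option subset used on the slides (each takes one value)."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        rule = {"table": "filter", "match": {}, "target": None, "to": None}
        for opt, val in zip(tokens[1::2], tokens[2::2]):
            if opt == "-t":
                rule["table"] = val
            elif opt == "-A":
                rule["chain"] = val
            elif opt == "-j":
                rule["target"] = val
            elif opt in ("--to-destination", "--to-source"):
                rule["to"] = val
            elif opt == "--state":
                rule["match"]["state"] = set(val.split(","))
            elif opt != "-m":                     # -m only names the match module
                rule["match"][opt] = val
        rules.append(rule)
    return rules

def in_net(addr, spec):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt, state):
    checks = {"-i": lambda v: pkt.get("iif") == v, "-o": lambda v: pkt.get("oif") == v,
              "-p": lambda v: pkt["proto"] == v, "state": lambda v: state in v,
              "-s": lambda v: in_net(pkt["src"], v), "-d": lambda v: in_net(pkt["dst"], v),
              "--sport": lambda v: pkt["sport"] == int(v), "--dport": lambda v: pkt["dport"] == int(v)}
    return all(checks[k](v) for k, v in rule["match"].items())

def first_match(rules, table, chain, pkt, state):
    """First rule of the given table/chain that matches decides (rules are ordered)."""
    for rule in rules:
        if rule["table"] == table and rule["chain"] == chain and rule_matches(rule, pkt, state):
            return rule
    return None

def nat_target(spec, default_port):
    """'10.0.0.2:80' -> ('10.0.0.2', 80); '172.20.12.88' keeps the original port."""
    addr, _, port = spec.partition(":")
    return addr, int(port) if port else default_port

def forward(rules, pkt, conntrack):
    """Push one packet through PREROUTING(nat) -> FORWARD(filter) -> POSTROUTING(nat).
    conntrack maps a 5-tuple to the rewrite that later packets of that flow get, so
    replies are recognised as ESTABLISHED and un-NATed without consulting the nat rules."""
    pkt = dict(pkt)
    key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    known = conntrack.get(key)
    state = "ESTABLISHED" if known else "NEW"
    if known:
        pkt["dst"], pkt["dport"] = known["dst"], known["dport"]
    else:
        rule = first_match(rules, "nat", "PREROUTING", pkt, state)
        if rule and rule["target"] == "DNAT":
            pkt["dst"], pkt["dport"] = nat_target(rule["to"], pkt["dport"])
    pkt["oif"] = "eth1" if ipaddress.ip_address(pkt["dst"]) in INSIDE else "eth0"
    rule = first_match(rules, "filter", "FORWARD", pkt, state)
    verdict = rule["target"] if rule else "DROP"
    if verdict != "ACCEPT":
        return verdict, pkt
    if known:
        pkt["src"], pkt["sport"] = known["src"], known["sport"]
    else:
        rule = first_match(rules, "nat", "POSTROUTING", pkt, state)
        if rule and rule["target"] == "SNAT":
            pkt["src"], pkt["sport"] = nat_target(rule["to"], pkt["sport"])
        conntrack[key] = {k: pkt[k] for k in ("src", "sport", "dst", "dport")}
        conntrack[(pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])] = {
            "src": key[3], "sport": key[4], "dst": key[1], "dport": key[2]}
    return verdict, pkt
```

The FORWARD rules see the packet after DNAT, which is why they match on the inside addresses 10.0.0.2 and 10.0.0.3 rather than on 172.20.12.88; an unsolicited packet to any other port reaches the final DROP.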
IDS server

Contents

Introduction to Snort
Sniffer mode
Packet Logger mode
Network Intrusion Detection System (NIDS) mode
Inline mode

Installing and configuring Snort
Preprocessor
Output modules

Snort rule structure
Rule header
Rule option


Introduction to Snort

Snort is an open-source program that can detect and prevent unauthorized intrusions. Snort acts as a program sitting between the communication of two computers: packets are inspected and evaluated by Snort before they are delivered to the destination computer. Snort can detect many kinds of intrusion, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts.


Introduction to Snort (cont.)

Sniffer Mode

Display packet header information:

snort -v

Display the application-layer data carried in the packets:

snort -v -d

Also show data-link layer headers:

snort -vde
snort -v -d -e


Packet Logger Mode

Log information to a file:

snort -dev -l [filename]

Log information in binary form:

snort -l [filename] -b

Read information back from a binary file:

snort -dv -r [filename]
snort -dv -r [filename] icmp

Network Intrusion Detection System Mode

The most complex mode of operation, with the most options.
The rule file to operate with must be specified (option -c):

snort -u snort -g snort -D -c /etc/snort/snort.conf

The default for this mode is full alerts and logging packets in ASCII form.


Inline Mode

Compile with inline mode support:

./configure --enable-inline

Three rule types are used in inline mode:

drop: iptables drops the packet and logs the event. reject: iptables drops the packet, logs the event, and notifies the sender that the packet will not arrive. sdrop: iptables drops the packet without notifying the sender and without logging the event.

snort_inline -QDc ../etc/drop.conf -l /var/log/snort

Installation

./configure
make
make install

To operate in NIDS mode a rule set is required: snortrules.tar.gz.

tar xzvf snortrules.tar.gz -C /etc/snort

Then edit the file /etc/snort/snort.conf.


Configuring Snort

var HOME_NET: defines the network to be protected. var EXTERNAL_NET: defines the external network. var DNS_SERVERS: defines the DNS servers to be protected. var SMTP_SERVERS: defines the SMTP servers to be protected. portvar HTTP_PORTS: defines the application's ports.

Configuring Snort (cont.)

preprocessor: inspects packets right after they are decoded. Preprocessors run before all other search and detection rules.
preprocessor <name>: <options>

output module: flexible formatting of the alerts delivered to the user.
output <name>: <options>


Configuring Snort (cont.)

Preprocessor:
stream4 -> replaced by stream5
sfPortscan
Performance Monitor
ftp_telnet

Output modules:
alert_syslog
alert_fast
alert_full
log_tcpdump
alert_csv

Snort rule structure

Rule header: rule action, protocol, source and destination IP addresses, source and destination ports. Rule option: the alert message and the information that determines which packets are captured.

alert tcp any any -> any any (content:"|00 01 86 a5|"; msg:"mountd access";)

In this rule, alert is the rule action and tcp is the protocol.


Rule action

Rule action:
alert: generate an alert and log the packet. log: log the packet. pass: ignore the packet. activate: generate an alert and then invoke another rule. dynamic: stay idle until activated by another rule. drop: have iptables drop the packet and log the dropped packet. reject: have iptables drop the packet, log it, and send a rejection notice to the source host. sdrop: have iptables drop the packet without logging it and without notifying the source host.

Rule action (cont.)

Define your own rule type to fit your purpose:

ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=snort host=localhost
}


Rule option

meta-data: provides information about the rule but has no effect on packet detection. payload: searches for information in the packet payload. non-payload: searches for information in the non-payload part of the packet. post-detection: takes place after a rule has been triggered.

Meta data

msg: <message text>;
reference: <id system>, <id>;
sid: <snort rules id>;
classtype: <classname>;
priority: <priority integer>;

Payload

content: [!] <content string>;
nocase;
rawbytes;
depth: <number>;
offset: <number>;
distance: <byte count>;
uricontent: [!] <content string>;
isdataat: <int>;
byte_test: <bytes to convert>, [!] <operator>, <value>, <offset> [,relative] [,endian] [,<number type>, string];
byte_jump

Non Payload

ttl: time to live.
tos: type of service.
dsize: checks whether the packet data is larger than a given size.
flags: checks the TCP flag bits (F: FIN, S: SYN, R: RST, A: ACK).
flow: determines the direction of the connection.
window: checks the TCP window size.
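The rule structure (header plus options) and the payload options content, nocase, offset and depth are easiest to see by parsing a rule and applying it to a packet. The following Python is an added example, not code from the Athena slides or from Snort itself: it splits a rule into the header fields the slides list and its option list, then checks constructed payloads against the slides' mountd rule; the function names and the regular expression are this example's own.

```python
"""Minimal Snort rule parser plus the payload options content/nocase/offset/depth.
Added example, not from the Athena slides or Snort: other modifiers (distance,
rawbytes, uricontent, byte_test, ...) are parsed but not evaluated."""
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text: str) -> dict:
    # header fields become dict keys; "options" is an ordered list of (keyword, value)
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    rule = m.groupdict()
    rule["options"] = []
    for item in filter(None, (s.strip() for s in rule.pop("opts").split(";"))):
        key, _, val = item.partition(":")
        rule["options"].append((key.strip(), val.strip().strip('"') or None))
    return rule


def content_bytes(value: str) -> bytes:
    # expand the |hex| sections of a content string: "|00 01|AB" -> b"\x00\x01AB"
    parts = value.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))


def payload_matches(rule: dict, payload: bytes) -> bool:
    # every content option must match, honouring the nocase/offset/depth that follow it
    checks, cur = [], None                 # cur = [needle, nocase, offset, depth]
    for key, val in rule["options"]:
        if key == "content":
            cur = [val, False, 0, None]
            checks.append(cur)
        elif cur and key in ("nocase", "offset", "depth"):
            idx = ("nocase", "offset", "depth").index(key) + 1
            cur[idx] = True if key == "nocase" else int(val)
    for needle, nocase, offset, depth in checks:
        pat = content_bytes(needle)
        window = payload[offset: None if depth is None else offset + depth]
        if nocase:
            pat, window = pat.lower(), window.lower()
        if pat not in window:
            return False
    return True


MOUNTD_RULE = 'alert tcp any any -> any any (content:"|00 01 86 a5|"; msg:"mountd access";)'
```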


Post detection

logto: logs the event to a file.

logto: filename;

session: used to extract data from a TCP session.

session: [printable|all];

resp, react.

Q & A
