linux-thay the windows

Upload: chao-vo

Post on 18-Oct-2015


TRANSCRIPT

  • 5/28/2018 Linux-Thay the Windows

    1/66

    Linux is Everywhere 2011 Nhatnghe School

    LPI3: Building a Linux network to replace Windows

    OpenLDAP, Apache, PDC - Samba, Postfix, Squid, Vsftp, DHCP & DNS, Amanda backup/restore

    Firewall - Shorewall. Demo: integrating OpenVPN with OpenLDAP

    M.Eng Do Quang Ngoc

  • 2/66

    Active Directory: centralized authentication

    Exchange server

    IIS server, SQL server, FTP server

    ISA server

    Print/File server

    Active Directory, Proxy server

    DHCP server

  • 3/66

    Sendmail/Postfix

    Apache server, MySQL server, FTP/SSH server

    Firewall/IDS

    Samba/NFS

    Bind/LDAP, Squid server

    DHCP server

    OPENLDAP

  • 4/66

    Network Directory

    A network directory is a structure that organizes stored data as a tree-shaped hierarchy.

    A network directory is organized to be most convenient for reading and searching. If an application needs many insert and update operations, it should not store its data in a network directory.

    X.500 is a network directory.

  • 5/66

    LDAP directory

    uid=babs, ou=people, dc=example, dc=com

    DN: Distinguished Name

    RDN: Relative Distinguished Name

  • 6/66

    LDAP directory (cont.)

    The commonly used schemas and objectclasses are already defined in RFCs.

    To define a directory tree structure, analyze and decide which attributes are needed, then find the objectclasses and schemas that provide those attributes.

    From there, build the directory tree structure.

    If no schema meets the requirements, a new schema or objectclass can be defined.

  • 7/66

    LDAP directory (cont.)

  • 8/66

    OPENLDAP (cont.)

    OpenLDAP is open-source software that implements LDAP on Linux/UNIX operating systems.

    The server side consists of two main services:

    slapd: standalone LDAP daemon. This daemon listens for LDAP query requests from clients, performs the query, and sends back the answer.

    slurpd: LDAP replication daemon. This daemon synchronizes changes from the LDAP master server to the LDAP slave server.

  • 9/66

    OPENLDAP (cont.)

    To query LDAP, clients use the following commands:

    ldapadd: adds a new entry.

    ldapmodify: modifies the information in an entry.

    ldapdelete: deletes an entry.

    ldapmodrdn: modifies the RDN of an entry.

    ldapsearch: searches for entry information.

  • 10/66

    ldapadd -c -x -D "cn=Manager,dc=nhatnghe,dc=com" -W -f /mnt/sample.ldif

    /mnt/sample.ldif

    dn: dc=nhatnghe,dc=com
    objectclass: dcObject
    objectclass: organization
    o: Example Company
    dc: nhatnghe

    dn: ou=Ketoan,dc=nhatnghe,dc=com
    objectClass: organizationalUnit
    ou: Ketoan

    dn: ou=Kinhdoanh,dc=nhatnghe,dc=com
    objectClass: organizationalUnit
    ou: Kinhdoanh

  • 11/66

    OpenLDAP administration

  • 12/66

    OpenLDAP administration

  • 13/66

    Master ldap & Slave ldap

    openLDAP v2.0,v2.3: master/slave replication

  • 14/66

    Multi Master

    openLDAP v2.4: multi-master replication

  • 15/66

    OpenLDAP integration

    FTP server

    Web server

    File server

    Squid server

    Mail server

    Openldap

  • 16/66

    Openldap - AD

  • 17/66

    Samba

    Authentication and access authorization

    Building a Primary Domain Controller

    File and printer sharing

    Name resolution

    File containing users:

    /etc/samba/smbpasswd

    Nv1

    nv2

  • 18/66

    Samba - OpenLDAP

    Build a Domain Controller system that lets XP clients join the domain and access network resources

  • 19/66

    Domain administration

    Install and configure the Domain Controller

    Join XP and Win7 to the domain

    Administer OUs, users and groups

    Share file resources

    Logon script

    Roaming user profile

    Monitor access to shared resources

    Group Policy

  • 20/66

    Apache

    Two authentication methods:

    + Basic Authentication.

    + Digest Authentication.

    File containing users:

    cat /etc/httpd/conf/userpasswd
    nv2:pMxqVRP.KZYVw
    nv1:mS.U/NuGN00qk

    Client, Web server

    Software used as a web server

  • 21/66

    Apache - Openldap

    Configure the web server to authenticate users from OpenLDAP

  • 22/66

    Postfix

    Building a mail server

    Full support for the smtp, pop, imap, http .. protocols

    File containing users:

    /etc/passwd
    quangngoc:501 .
    vanhue:x:502

    Client, Mail server

  • 23/66

    Postfix - Openldap

    Configure the mail server to authenticate users from OpenLDAP

  • 24/66

    Squid

    Squid is a caching proxy server.

    Restricts web access through rules.

    Speeds up web access.

    Access authentication:

    /etc/passwd
    quangngoc:x:1006:1006::/home/quangngoc:/bin/bash
    vanhue:x:51314:51314::/home/vanhue:/bin/bash

    Client, Proxy server

  • 25/66

    Squid - openldap

    Squid authenticates accessing users against the LDAP server

  • 26/66

    Reports - access statistics

  • 27/66

    FTP

    The FTP service allows uploading and downloading data remotely.

    The FTP service operates on two ports:

    Port 20: data port. Data is transferred on this port.

    Port 21: control port. This port is used to exchange commands and replies between client and server.

    /etc/passwd
    quangngoc:x:1006:1006::
    vanhue:x:51314:51314::

    Client, FTP server

  • 28/66

    VSFTP - Openldap

    Configure the FTP server to authenticate users from OpenLDAP

  • 29/66

    Reports - access statistics

  • 30/66

    Openvpn

    Connection: point-to-point or site-to-site

    Authentication: using a pre-shared secret key, certificates, or username/password.

    Security: SSL and TLS, smart cards

    Extensibility:

    - plug-ins or scripts, RADIUS integration

    - authenticate against LDAP or SQLite and MySQL

    Platforms: Solaris, Linux, OpenBSD, FreeBSD, NetBSD, QNX, Mac OS X, and Windows 2000/XP/Vista/7.

  • 31/66

    Openldap server

    VPN Client

    VPN Server

    Establishing a VPN connection

    A VPN extends a private network across shared or public networks, such as the Internet

    1. VPN client calls the VPN server

    2. VPN server answers the call

    3. VPN server authenticates and authorizes the client

    4. VPN server transfers data

  • 32/66

    DHCP

    DHCP reduces the complexity and amount of administrative work by using automatic TCP/IP configuration

    Manual TCP/IP Configuration

    IP addresses are entered manually

    IP address could be entered incorrectly

    Communication and network issues can result

    Frequent computer moves increase administrative effort

    Automatic TCP/IP Configuration

    IP addresses are supplied automatically

    Correct configuration information is ensured

    Client configuration is updated automatically

    A common source of network problems is eliminated

  • 33/66

    DHCP operation

    1. DHCP client broadcasts a DHCPDISCOVER packet

    2. DHCP servers broadcast a DHCPOFFER packet

    3. DHCP client broadcasts a DHCPREQUEST packet

    4. DHCP Server1 broadcasts a DHCPACK packet

    Diagram labels: DHCP Client, DHCP Server1, DHCP Server2

  • 34/66

    DNS

    Domain Name System

  • 35/66

    Host Name Resolution Process

    Host name resolution is the process of resolving a host name to an IP address

    What is the IP address for Salescomputer2?

    192.168.1.35 Salescomputer2

    Diagram labels: 1, 2, 3; Client Resolver Cache/Hosts File; DNS; NetBIOS Name Cache; WINS; Broadcast; Lmhost File

  • 36/66

    Hosts File

    The Hosts file is a static local file that contains mappings for hostname-to-IP addresses

    Computer1

    Hosts File

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding hostname.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost

  • 37/66

    Client Resolver Cache

    The client resolver cache stores recently resolved host names and host name mappings that are loaded from the Hosts file

    Computer1

    Hosts File

    Resolved host names from the DNS server

  • 38/66

    What Is a Domain Namespace?

    Root Domain

    Top-Level Domain: com, org, net

    Second-Level Domain: nwtraders

    Subdomain: west, south, east; sales

    Host: SERVER1

    FQDN: SERVER1.sales.south.nwtraders.com

  • 39/66

    How Recursive Queries Work

    A recursive query is sent to a DNS server and requires a complete answer

    Diagram labels: DNS Client; mail1.contoso.msft; 172.16.64.11; Database; Local DNS Server

  • 40/66

    How Iterative Queries Work

    An iterative query directed to a DNS server may be answered with a referral to another DNS server

    Diagram labels: Client Server; Local DNS Server; Root Hint (.); .com; Nwtraders.com; Iterative Query; Ask .com

  • 41/66

    How Forwarders Work

    A forwarder is a DNS server designated to resolve external or offsite DNS domain names

    Diagram labels: Client Server; Local DNS Server; Forwarder; Root Hint (.); .com; Nwtraders.com; Iterative Query; Ask .com

  • 42/66

    Dynamic DNS (DDNS)

    DDNS allows a client to update its hostname in our DNS via DHCP

    When a computer requests network information from the DHCP server, the DHCP will update the DNS zones

  • 43/66

    ISC's DHCP

    ISC: Internet Systems Consortium

  • 44/66

    Amanda: Open Source Backup

  • 45/66

    Firewall

    Shorewall Features

    Stateful packet filtering

    Blacklist: IP addresses and subnetworks

    VPN Support.

    IPSEC, GRE, IPIP and OpenVPN Tunnels.

    PPTP clients and Servers.

    Flexible address management/routing support

    Masquerading/SNAT.

    Port Forwarding (DNAT).

    One-to-one NAT.

  • 46/66

    Demo

    OPENVPN - LDAP

  • 47/66

    Ldap- VPN

    IP 10.0.0.2, DG 10.0.0.1

    IP 10.0.0.2, DG no

    IP 192.168.1.11, IP 192.168.1.12

    VPN Client, File server

    Integrating OpenVPN with LDAP

  • 48/66

    Installing OpenLDAP

    yum install openldap-servers openldap-clients

    openldap-2.3.43-3.el5
    nss_ldap-253-21.el5
    php-ldap-5.1.6-23.2.el5_3
    openldap-servers-2.3.43-3.el5
    python-ldap-2.2.0-2.1
    openldap-devel-2.3.43-3.el5
    openldap-clients-2.3.43-3.el5

  • 49/66

    Configuring LDAP

    /etc/openldap/slapd.conf

    database bdb
    suffix "dc=nhatnghe,dc=com"
    rootdn "cn=Manager,dc=nhatnghe,dc=com"
    rootpw 123456
    directory /var/lib/ldap

    Starting LDAP

    service ldap start
    chkconfig ldap on
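
The `rootpw 123456` line above keeps the directory manager's password in cleartext in slapd.conf. The following is an added example, not part of the original slides: it rewrites such a line to the salted {SSHA} form that slappasswd produces by default and verifies the result. The sample config text and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: the database section shown on the slide.
SLAPD_CONF = """\
database bdb
suffix "dc=nhatnghe,dc=com"
rootdn "cn=Manager,dc=nhatnghe,dc=com"
rootpw 123456
directory /var/lib/ldap
"""

# Values starting with one of these prefixes are already hashed.
SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")


def ssha(password, salt=None):
    """Return an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def harden_rootpw(conf_text):
    """Replace cleartext rootpw lines with {SSHA}; return (new_text, changed)."""
    out, changed = [], 0
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "rootpw":
            value = parts[1].strip().strip('"')
            if not value.upper().startswith(SCHEMES):
                line = "rootpw " + ssha(value)
                changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_conf, n = harden_rootpw(SLAPD_CONF)
    print(new_conf, end="")
    print("# cleartext rootpw lines replaced:", n)
```

Hashing the stored value does not change what the administrator types at the `-W` prompt; it only removes the cleartext from the file.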

  • 50/66

    Creating the DC, OU and user

    taodc.ldif

    dn: dc=nhatnghe,dc=com
    objectclass: dcObject
    objectclass: organization
    o: Example Company
    dc: nhatnghe

    dn: ou=Kinhdoanh,dc=nhatnghe,dc=com
    objectClass: organizationalUnit
    ou: Kinhdoanh

    dn: cn=quangngoc,dc=nhatnghe,dc=com
    objectclass: organizationalRole
    cn: quangngoc

    ldapadd -c -x -D "cn=Manager,dc=nhatnghe,dc=com" -Wf taodc.ldif

  • 51/66

    Installing OpenVPN

    lzo-2.04-1.el5.rf.i386.rpm
    openvpn-2.2.0-2.el5.rf.i386.rpm
    openvpn-auth-ldap-2.0.3-3.el5.i386.rpm
    libobjc-4.1.2-50.el5.i386.rpm
    pkcs11-helper-1.08-1.el5.rf.i386.rpm

  • 52/66

    Configuring OpenVPN

    Copy the configuration files:

    cp -R /usr/share/doc/openvpn-2.2.0/easy-rsa/ /etc/openvpn/

    Configure Public Key Infrastructure Variables

    In /etc/openvpn/easy-rsa/2.0/vars, edit the lines:

    export KEY_COUNTRY="VN"
    export KEY_PROVINCE="HCM"
    export KEY_CITY="Hcm"
    export KEY_ORG="Nhatnghe"
    export [email protected]

  • 53/66

    Initialize the Public Key Infrastructure (PKI)

    cd /etc/openvpn/easy-rsa/2.0/
    chmod +rwx *
    source ./vars
    ./clean-all
    ./pkitool --initca

    Creates 2 files: ca.crt, ca.key

  • 54/66

    Creating certificates

    ./pkitool --server server
    ll keys/
    -rw-r--r-- 1 root root 3 Jun 28 17:18 serial.old
    -rw-r--r-- 1 root root 3835 Jun 28 17:19 server.crt
    -rw-r--r-- 1 root root 664 Jun 28 17:19 server.csr
    -rw------- 1 root root 887 Jun 28 17:19 server.key

    Step 6. Creating Diffie-Hellman parameters

    ./build-dh
    ll keys/
    -rw-r--r-- 1 root root 245 Jun 28 17:21 dh1024.pem

  • 55/66

    Copying the keys

    ca.crt ca.key dh1024.pem server.crt server.key

    cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/

  • 56/66

    Configuring OpenVPN to authenticate against OpenLDAP

    vi /etc/openvpn/auth/ldap.conf

    URL ldap://192.168.1.11
    BindDN cn=Manager,dc=nhatnghe,dc=com
    Password 123456
    #TLSEnable yes
    #TLSCACertFile /usr/local/etc/ssl/ca.pem
    #TLSCACertDir /etc/ssl/certs
    #TLSCertFile /usr/local/etc/ssl/client-cert.pem
    #TLSKeyFile /usr/local/etc/ssl/client-key.pem
    BaseDN "dc=nhatnghe,dc=com"
    SearchFilter (uid=%u)

  • 57/66

    Configuring OpenVPN

    Copy the file:

    cp /usr/share/doc/openvpn-2.2.0/sample-config-files/server.conf /etc/openvpn/

    vi /etc/openvpn/server.conf

    push "route 172.16.0.0 255.255.255.0"
    push "route 10.8.0.0 255.255.255.0"

    Append two lines to the end of the file:

    plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
    client-cert-not-required

  • 58/66

    Configuring the VPN client

    Create the configuration file for the client:

    cp /usr/share/doc/openvpn-2.2.0/sample-config-files/client.conf /etc/openvpn/easy-rsa/2.0/keys/client.ovpn

    vi /etc/openvpn/easy-rsa/2.0/keys/client.ovpn

    remote 192.168.1.11 1194
    #cert client.crt
    #key client.key
    auth-user-pass
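
An added example, not from the original slides, that audits the OpenVPN and LDAP settings shown on the slides above: cleartext `ldap://`, binding as the directory rootdn, password-only login via `client-cert-not-required`, and 1024-bit DH parameters. The sample file contents, the check names, the 2048-bit threshold and the assumption that the `dh` file name encodes its size belong to this example, not to the slides.

```python
import re

# Constructed samples reproducing the settings shown on the slides.
LDAP_CONF = """\
URL ldap://192.168.1.11
BindDN cn=Manager,dc=nhatnghe,dc=com
Password 123456
#TLSEnable yes
#TLSCACertFile /usr/local/etc/ssl/ca.pem
BaseDN "dc=nhatnghe,dc=com"
SearchFilter (uid=%u)
"""
SERVER_CONF = """\
port 1194
dh dh1024.pem
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
client-cert-not-required
"""


def directives(text):
    """Map lower-cased directive name -> argument, skipping comments and <Section> tags."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;<":
            continue
        parts = line.split(None, 1)
        found[parts[0].lower()] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return found


def audit(ldap_text, server_text, rootdn="cn=Manager,dc=nhatnghe,dc=com"):
    """Return (check, reason) pairs; the check names are this example's own."""
    ldap, srv = directives(ldap_text), directives(server_text)
    findings = []
    starttls = ldap.get("tlsenable", "no").lower() == "yes"
    if ldap.get("url", "").lower().startswith("ldap://") and not starttls:
        findings.append(("LDAP-CLEARTEXT",
                         "bind and user passwords reach the LDAP server unencrypted; "
                         "use ldaps:// or TLSEnable yes"))
    binddn = ldap.get("binddn", "").replace(" ", "").lower()
    if binddn == rootdn.replace(" ", "").lower():
        findings.append(("BIND-AS-ROOTDN",
                         "the VPN server holds the directory manager's password; "
                         "bind as a read-only account instead"))
    if "client-cert-not-required" in srv:
        findings.append(("PASSWORD-ONLY",
                         "the LDAP password is the only client credential"))
    size = re.search(r"dh(\d+)\.pem$", srv.get("dh", ""))
    if size and int(size.group(1)) < 2048:
        findings.append(("WEAK-DH", "DH parameters below 2048 bits"))
    return findings


if __name__ == "__main__":
    for check, reason in audit(LDAP_CONF, SERVER_CONF):
        print(f"{check}: {reason}")
```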

  • 59/66

    Lan routing

    Enable IP forward

    vi /etc/sysctl.conf

    net.ipv4.ip_forward = 1

    Enable lan routing

    echo 1 > /proc/sys/net/ipv4/ip_forward

  • 60/66

    Installing OpenVPN GUI

    Copy client.ovpn and ca.crt to the folder C:\Program Files\OpenVPN\config

  • 61/66

    DHCP installation guide

    yum install dhcp*

    gedit /etc/dhcp/dhcpd.conf and edit it as follows:

    ddns-update-style interim;
    ignore client-updates; # these two statements do not allow DHCP to update DNS dynamically
    subnet 10.0.0.0 netmask 255.255.255.0 {
        range 10.0.0.100 10.0.0.200;
        option domain-name-servers 10.0.0.1;
        option domain-name "dom20.local";
        option routers 10.0.0.1;
        option broadcast-address 10.0.0.255;
        default-lease-time 600;
        max-lease-time 7200;
    }

    # service dhcpd start

    To install offline from DVD 1:

    rpm -qa dhcp: check whether dhcp is already installed

    rpm -ivh /media/<DVD name>/Packages/dhcp..

  • 62/66

    DNS installation guide (hostname: server1.dom20.local)

    yum install bind*

    Copy the remaining files (except named.conf) into the directory /var/named/chroot/var/named; the named service can then be started.

    Configuration: gedit /etc/named.conf

    options {
        listen-on port 53 { 10.0.0.1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        # query range ( set internal server and so on )
        allow-query { localhost; 10.0.0.0/24; };
        allow-query-cache { localhost; 10.0.0.0/24; };
    };

    # configure the zone files here
    zone "0.0.10.IN-ADDR.ARPA" IN {
        type master;
        file "0.0.10.in-addr.arpa.db";
    };

    zone "dom20.local" IN {
        type master;
        file "dom20local.db";
    };

    Run service named start and chkconfig named on so that the service is not lost after the machine reboots.

    Remember to change the DNS server in gedit /etc/resolv.conf

    How to disable the firewall & SELinux:

    http://tuonglua.net/vi/bai-viet-hay/open-source/2544-cach-disable-firewall-a-selinux-trong-centos-5.html

  • 63/66

    How to disable the firewall & SELinux in CentOS 5

    Firewall

    [1] It's unnecessary to enable the firewall because it's enabled on the routers, so change it to disabled.

    [root@ns ~]# /etc/rc.d/init.d/iptables stop
    Flushing firewall rules: [ OK ]
    Setting chains to policy ACCEPT: filter [ OK ]
    Unloading iptables modules: [ OK ]
    [root@ns ~]# chkconfig iptables off
    [root@ns ~]# chkconfig ip6tables off

    Disable SELinux

    [2] Change SELinux (Security-Enhanced Linux) to disabled.

    [root@ns ~]# vi /etc/sysconfig/selinux
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - SELinux is fully disabled.
    SELINUX=disabled # change
    # SELINUXTYPE= type of policy in use. Possible values are:
    # targeted - Only targeted network daemons are protected.
    # strict - Full SELinux protection.
    SELINUXTYPE=targeted

    http://tuonglua.net/vi/bai-viet-hay/open-source/2544-cach-disable-firewall-a-selinux-trong-centos-5.html