msword - Dept. of IE, CUHK Personal Web Server
advertisement
Story Line
In 200x, hkntec.net is nominated by United Nation to launch the "INFO SHARE" project to help
30 developing countries to promote Internet in their economics. hkntec.net accept this challenge and
will set up network infrastructure and basic Internet services for these 30 countries in 12 weeks. Due to
limited resources, hkntec.net cannot afford to hire full-time system administrators or network engineers
to accomplish these tasks. Hence, hkntec.net are recruiting you, the volunteers, to finish these
challenging tasks within 12 weeks.
In the following 12 weeks, you will spend ~ 3 hours in each week to finish the following tasks
for a network:
1.
Set up a DNS server
2.
Set up a Mail server and Mailing List service
3.
Build a Public Key Infrastructure (PKI)
4.
Set up the network monitoring system
5.
Set up a Firewall and Intrusion Detection system
Each of you will get the root access of a linux host and discharge the above tasks according to the
following instructions
1
Mission
Week #1-2: DNS Server Setup
Each of you will be assigned with a code number. This code number is referring to the country you are
working at. At the later stage, this code number will be transferred to the actual domain name of that
country.
Notation: N is your code number; where N in [11..25; 81..95].
P is your partner code number;
where if N in [11..25], P = N + 70;
if N in [81..95], P = N -70;
ntecN is the hostname of your system. Their host IPs are as follows:
for ntec[11..25]: 192.168.64.[11..25]; netmask 255.255.255.0
for ntec[81..95]: 192.168.128.[81..95]; netmask 255.255.255.0
For example, if your code number is 81, then your hostname that you are going to manage
is ntec81 and the host IP is 192.168.128.81; your partner code number is 11.
You can find the full qualified host name and IP in /etc/hosts file. You can also check with
it at http://info.hkntec.net/ptmsc/host_list.txt
Set up the following domain and sub domain at your host
-
sN.hkntec.net
ss.sN.hkntec.net
Where N is your code number. For example, if your project number is 81, then you need to set
up the domain "s81.hkntec.net" and "ss.s81.hkntec.net".
Instruction:
1.
You need to edit the /etc/named.conf file to specify these domains:
e.g.
zone "s81.hkntec.net" {
type master;
file "zone/s81.hkntec.net";
};
zone "ss.81N.hkntec.net" {
type master;
file "zone/ss.s81.hkntec.net";
};
zone "81.18.172.in-addr.arpa" {
type master;
file "zone/81.18.172";
};
2
2.
In your zone files (e.g. s81.hkntec.net, ss.s81.hkntec.net and 100.18.172.in-addr.arpa)
2.1 Set the A record for your hostname ntecN and assign this host IP to your netcN IP in your
zone file (e.g s81.hkntec.net, ss.s81.hkntec.net)
e.g.
ntec81
A
192.168.128.81
2.2 Set the CNAME record for www.sN.hkntec.net and www.ss.sN.hkntec.net ; and
assign this web site IP to your ntecN IP. You will need to build the web server for these two
domains later.
e.g.
www
CNAME
ntec81
2.3 Set the NS and MX record for sN.hkntec.net and ss.sN.hkntec.net. Assign these NS server and
mail exchange servers IP to your ntecN IP. You will need to build the mail server for these two
domains later.
e.g.
NS
ntec81.s81.hkntec.net.
MX
10 ntec81.s81.hkntec.net.
2.4 Set the MX record for listserv. SN.hkntec.net too.
e.g.
Listserv.
MX
10
ntec81
2.5 the A records for the host in ss.sN.hkntec.net domain.
172.18.N.[1..254] ->
host[1..254].ss.sN.hkntec.net
e.g.
host1
A
172.18.81.1
host2
A
172.18.81.2
A
172.18.81.254
…..
host254
2.6 the N.18.172.in-addr.arpa for the ss.sN.hkntec.net domain (edit the 81.18.172.in-addr.arpa
file)
e.g.
1
PTR
host1
2
PTR
host2
PTR
host254
……
254
3
3.
Set the slave DNS server for your partner domain ss.sP.hkntec.net when your partner has set his
DNS server
e.g.
In the /etc/named.conf,
zone "ss.s11.hkntec.net" {
type slave;
file "slave/ss.s11.hkntec.net";
masters {192.168.64.11;} ;
};
zone "11.18.172.in-addr.arpa" {
type slave;
file "slave/11.18.172";
masters {192.168.64.11;} ;
};
-
Restrict your domain ss.sN.hkntec.net and N.18.172.in-addr.arpa zone transfer to your partner
slave host
e.g.
In the /etc/named.conf
allow-transfer { 192.168.64.11/24; };
-
Start up the named and debug
Start the named by "/usr/sbin/ndc start" command and then "tail /var/log/messages" to see if
there is any error messages. After you have fixed the problem, you can restarted the named by
"/usr/sbin/ndc restart"
4.
Use nslookup to verify the above setup
e.g.
nslookup www.s81.hkntec.net (query the www.s81.hkntec.net A record)
nslookup www.ss.s81.hkntec.net (query the www.ss.s81.hkntec.net A record)
csh> nslookup
set type=ns
(set the query type to ns, name server)
ss.s81.hkntec.net (query the name server of ss.s81.hkntec.net)
set type=mx
(set the query type to mx, mail exchange)
ss.s81.hkntec.net (query the mail exchange server of ss.s81.hkntec.net)
server ntec81
(use the ntec81 as DNS server)
ls ss.s81.hkntec.net (list all the entries in ss.s81.hkntec.net)
server ntec11
(use the slave DNS server, ntec11)
ls ss.s81.hkntec.net (list all the entries in ss.s81.hkntec.net)
4
Here is a complete example of setting a DNS server of athena.hknec.net and ss.athena.hkntec.net.
Project code
Partner code
Athena domain
Apollo domain
Athena Host IP
Apollo Host IP
ss.athena.hkntec.net IP range
ss.apollo.hkntec.net IP range
-
Athena
Apollo
Athena.hkntec.net and ss.athena.hkntec.net
Apollo.hkntec.net and ss.apollo.hkntec.net
192.168.64.232
192.168.128.238
172.18.100.1 - 255 (i.e. 172.18.100.0/24 network)
172.18.101.1 - 255 (i.e. 17.2.18.101.0/24 network,)
The sample /etc/named.conf file is at
http://www.athena.hkntec.net/examples/dns/named.conf
-
The sample zone files in /var/named directory is at
http://www.athena.hkntec.net/examples/dns/named/
-
The sample nslookup query log for that DNS setup is at
http://www.athena.hkntec.net/examples/dns/nslookup.log
References:
Linux DNS How To
http://www.linuxdoc.org/HOWTO/DNS-HOWTO.html
DNS Resources Directory
http://www.dns.net/dnsrd/
DNS and BIND
By Paul Albitz & Cricket Liu, O'Reilly ISBN 1-56592-523-8
5
Week #3-4 Mail server Setup
Mission #1 Set the mail servers for your domain sN.hkntec.net and ss.sN.hkntec.net
1.
Update the /etc/sendmail.cw for accepting mails for the above domain. Add your full quantified
host node name and the listserv entry too.
e.g.
s81.hkntec.net
ss.s81.hkntec.net
ntec81.fox.hkntec.net
listserv.s81.hkntec.net
2.
Open the sysadmin accounts for the above domain (adim, ss-adim)
e.g.
csh> adduser -c "Admin" -d /home/admin -g users -s /bin/tcsh -u 800 admin
csh> passwd admin
Changing password for user admin
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
3.
Configure the /etc/aliases file for the mail address webmaster, abuse, noc and security pointing to
admin
e.g
webmaster:
admin
abuse:
admin
noc:
admin
security:
admin
Do not forget to run "newaliases" after updating the /etc/aliases file
4.
Configure the mc file for the domain masquerade for ss.sN.hknetc.net and anti-spam measure
4.1 cd
/usr/lib/sendmail-cf/cf
4.2 cp
redhat.mc ntecN.mc
(use the rehat.mc as the mc file template)
4.3 edit the ntecN.mc file.
-
Add the masquerade and ct_file entries.
e.g.
MASQUERADE_AS(s81.hkntec.net)
FEATURE(masquerade_envelope)
FEATURE(use_ct_file)
-
Comment the accept unresolvable entry
e.g
dnl FEATURE(`accept_unresolvable_domains')
4.4 Make the cf file
6
e.g
make ntecN.cf
4.5 Restart the sendmail daemon
e.g
csh>
cp ntecN.cf /etc/sendmail.cf
csh>
/etc/rc.d/init.d/sendmail restart
4.6 Try to send mail to webmaster, abuse, noc and security, see if these account can receive these
mail. (e.g check the /var/spool/mail files there)
5.
Configure the /etc/mail/virtusertable for the address webmaster, abuse, noc and security at
ss.sN.hkntec.net pointing to ss-admin
e.g.
webmaster@ss.s81.hkntec.net
ss-admin
abuse@ss.s81.hkntec.net
ss-admin
noc@ss.s81.hkntec.net
ss-admin
security@ss.s81.hkntec.net
ss-admin
Do not forget to run "make virtusertable.db" in the /etc/mail directory after updating the
virtusertable file. Try to send mail to the above mail address and see if ss-admin account gets any
mail.
6.
Configure the access file for mail relay restriction
-
Edit the /etc/mail/access file to allow your partner host to relay mail
e.g
192.168.64.11
7.
RELAY
Do not forget to "make access.db" after updating the access file
Set up a mailing list at sN.hkntec.net
7.1 Get the majordomo package from /usr/local2/pkg/majordomo/dist ( or get you can get it from
http://www.greatcircle.com/majordomo)
7.2 Open the majordomo account
E.g
csh> adduser -c "Majordomo Admin" -d /home/majordomo -g daemon -s /bin/tcsh
\
-u 300 majordomo
7.3
Login the majordomo account and extract the package
e.g
csh > gzip -d -c majordomo-1.94.5.tar.gz|tar xvf -
7.4
Edit the Makefile file, update the necessary entries.
E.g.
PERL = /usr/bin/perl
CC = gcc
W_HOME = /home/majordomo
7
W_USER = 300
W_GROUP = 2
7.5 cp sampel.cf
majordomo.cf and update the necessary entries;
e.g
$whereami = "listserv.athena.hkntec.net";
$homedir = "/home/majordomo";
$digest_work_dir = "/home/majordomo/digest";
$majordomo_request = 1;
7.6 make wrapper
7.7 make install
7.8 Now use sudo to "make install-wrapper"
7.9 sudo to "./wrapper config-test"
7.10 link the wrapp to /ec/smrch
e.g.
ln -s /home/majordomo/wrapper /etc/smrsh/wrapper
7.11 Edit /etc/sendmail.ct and add the "majordomo" entry
7.12 Create the mail aliases for majordomo in /etc/aliases
e.g
majordomo: "|/home/majordomo/wrapper majordomo"
owner-majordomo: root@s81hkntec.net,
majordomo-owner: root@s81.hkntec.net
Do not forget to run "newaliases" after updating the /etc/aliases file
7.13 create a mailing list
-
touch
/home /majordomo/lists/test
echo 'lists' | mail majordomo
You should receive a return mail from majordomo and a test.config file shoule be created in
the /home /majordomo/lists directly. Update the necessary entries in this test.config file.
e.g
description
=
A TEST mailing list
7.14 create the mail aliase for the mailing list
e.g.
test:
test-list:
"|/home/majordomo/wrapper resend -l test test-list"
:include:/home/majordomo/lists/test
owner-test:
root@s81.hkntec.net,
test-owner:
root@s81.hkntec.net
test-request: "|/home/majordomo/wrapper majordomo -l test"
test-approval: root@s81.hkntec.net
Do not forget to run "newaliases" after updating the /etc/aliases file
8
7.15 Try to subscribe this test mailing list by sending command to majordomo
You may use https://info.hkntec.net/horde/imp/ to check your mail at your host. However, you
need to enable the pop mail at your host first by:
-
Uncoment
the imap entry in /etc/inetd.conf
imap
-
stream tcp
nowait
root
/usr/sbin/tcpd
imapd
Restart the inetd
killall -1 inetd
Here is a complete example of setting a mail and mailing list server @athena.hknec.net
-
The sample /etc/sendmail.cw is at
http://www.athena.hkntec.net/examples/mail/sendmail.cw
-
The sample /etc/aliases is at
http://www.athena.hkntec.net/examples/mail/aliases
-
The sample /usr/lib/sendmail-cf/cf/athena.mc is at
http://www.athena.hkntec.net/examples/mail/athena.mc
-
The sample /etc/sendmail.cf is at
http://www.athena.hkntec.net/examples/mail/sendmail.cf
-
The sample /etc/mail/virtusertable is at
http://www.athena.hkntec.net/examples/mail/virtusertable
-
The sample majordomo Makefile
http://www.athena.hkntec.net/examples/mail/Makefile
-
The sample installation log
http://www.athena.hkntec.net/examples/mail/build.log
-
The sample majordomo.cf is at
http://www.athena.hkntec.net/examples/mail/majordomo.cf
-
The sample test.config is at
http://www.athena.hkntec.net/examples/mail/test.config
References:
sendmail.org
http://www.sendmail.org/
Majordomo
http://www.greatcircle.com/majordomo/
Sendmail
By Bryan Costales & Eric Allman; O'Reilly ISBN 1-56592-222-0
Managing Mailing Lists
By Alan Schwartz; O'Reilly ISBN 1-56592-259-X
9
Week #5-6 E-Commerce: Public Key Infrastructure (PKI)
1.
Set up both orginal ( port 80) and secure ( port 443)web server (mod ssl) for
http[s]://www.sN.hknetc.net. Set the security proxy to be proxy.hkntec.net:80 to access your
https://www.sN.hknetc.net.
1.1 get the following packages from /usr/local2/pkg/www/dist
-
apache_1.3.12.tar.gz
mod_ssl-2.6.5-1.3.12.tar.gz
openssl-0.9.5a.tar.gz
1.2 extract the distributions of Apache, mod_ssl and OpenSSL
-
gzip -d -c apache_1.3.12.tar.gz | tar xvf -
-
gzip -d -c openssl-0.9.5a.tar.gz | tar xvf -
gzip -d -c mod_ssl-2.6.5-1.3.12.tar.gz | tar xvf -
1.3 Build OpenSSL
-
cd openssl-0.9.5a
./config
make
make install
1.4 Build and install the SSL-aware Apache
2.
-
cd ..
-
./configure \
cd mod_ssl-2.6.5-1.3.12
--with-apache=../apache_1.3.12 \
--with-ssl=../openssl-0.9.5a \
--prefix=/usr/local/apache
cd ..
cd apache_1.3.12
make
make install
Create a certificate for your https site
2.1 extract the distributions of ssl.ca
-
gzip -d -c ssl.ca-0.1.tar.gz | tar xvf cd ssl.ca-0.1
2.2 set the openssl in your search path
-
setenv PATH /usr/local/ssl/bin:$PATH
2.3 Create the self-signed Root CA key by running "./new-root-ca.sh"
After the creation, you should have the following two files:
-
ca.cert (CA self signed cert)
ca.key (CA private key)
10
2.4 Create the server cert
e.g.
./new-server-cert.sh www.s81.hkntec.net
2.5 Sign the server cert
e.g.
./sign-server-cert.sh www.s81.hkntec.net
After the sign, you should have the following three files:
-
www.s81.hkntec.net.crt
(the web server cert, signed by your CA)
www.s81.hkntec.net.csr
(the web server cert sign request)
www.s81.hkntec.net.key
(the web server private key)
you may copy these files to /usr/local/apache/certs directory for the apache httpd to access
3.
Start up the https server
3.1 edit /usr/local/apache/conf/httpd.conf; update the necessary entries:
e.g
ServerAdmin root@s81.hkntec.net
ServerName www.s81.hkntec.net
SSLCertificateFile /usr/local/apache/certs/www.s81.hkntec.net.crt
SSLCertificateKeyFile /usr/local/apache/certs/www.s82.hkntec.net.key
3.2 stop the original httpd by "/etc/rc.d/init.d/httpd stop" and start up the SSL httpd by
"/usr/local/apache/bin/ apachectl startssl". Review the log files at /usr/local/apache/logs for
debugging.
4.
Check the web site cert.
4.1 Now set your web browser security proxy entry to be proxy.hkntec.net:80 (that is
proxy.hkntec.net server and 80 port)
4.2 Try to access your ssl web site URL
e.g. https://www.s81.hkntec.net
4.3 View the document info (or just click the low left lock icon of the browser) and check the site
cert. You should read the information that you have assigned.
5.
Act as a CA to sign a user CSR
5.1 Create a user cert
e.g.
./new-user-cert.sh user@s81.hkntec.net
5.2 Sign the user cert
e.g.
./sign-user-cert.sh user@s81.hkntec.net
After the sign, you should have three files:
-
user@s81.hkntec.net.crt
(the user cert; signed by your CA)
user@s81.hkntec.net.csr
(the user CSR)
11
-
user@s81.hkntec.net.key
(the user private key)
5.3 Collect the user cert into a pkcs12 file.
e.g.
./p12.sh user@s81.hkntec.net
You need to supply an export password when you create the pkcs12 file. Ftp the "
user@s1.hkntec.net.p12" into your PC and then import this user cert into your browser. (i.e.
click your netscape low left lock icon to pop up the security info window; click the yours under
the certificates; then click the import certificate button in the right window.)
6.
Try the Client Authentication and Access Control of your https://www.sN.hknetc.net
6.1 Create another user cert name "user2"according to the procedure in step 5
6.2 Create two directories under the htdoc directory
e.g.
mkdir /usr/local/apache/htdocs/secure
mkdir /usr/local/apache/htdocs/sercure/user2
6.3 Edit the /usr/local/apache/conf/httpd.conf to configure the access control for the above two
directory.
e.g.
SSLVerifyClient none
SSLCACertificateFile /usr/local/apache/certs/ca.crt
<Location /secure>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
<Directory /usr/local/apache/htdocs/secure/user2>
SSLVerifyClient
SSLVerifyDepth
SSLOptions
require
5
+FakeBasicAuth
SSLRequireSSL
SSLRequire
%{SSL_CLIENT_S_DN_CN} eq "user2 "
</Directory>
6.3 Now delete all user cert in your browser. You will find that your browser cannot access both
"secure" and "secure/user2" web pages
6.4 Now just import a user cert name "user". You can access "secure" but not "secure/user2" web
page
6.5 Now import the user2 cert. You can access both "secure" and "secure/user2" web pages
7.
Set up WAP server for wap.sN.hkntec.net
12
Here is a complete example of setting the above PKI at athena.hkntec.net
-
The sample httpd.conf file
http://www.athena.hkntec.net/examples/pki/httpd.conf
-
The sample install log
http://www.athena.hkntec.net/examples/pki/build.log
-
The sample web cert signing log
http://www.athena.hkntec.net/examples/pki/build2.log
-
The sample user cert signing log
http://www.athena.hkntec.net/examples/pki/build3.log
-
The athena PKI demo site
https://www.athena.hkntec.net
References:
Mod_ssl
http://www.modssl.org/
Open-Source PKI Book
http://ospkibook.sourceforge.net/
Apache HTTP Server
http://www.apache.org/httpd.html
Understanding the Public-Key Infrastructure
By Carlisle Adams, Steve Lloyd; New Riders Publishing; ISBN: 157870166X ;
13
Week #7-9 Network Monitoring and Debugging
-
Use SAR to monitor your system CPU, memory and DISK O/I status
Use SNMP to monitor your system process and network traffic
Use the following tools to monitor and debug your system and network
top, vmstat, netstat, iostat, ifconfig, tcpdump
-
Use MRTG to keep track of the above system and network information and status
References:
MRTG
http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html
SNMP network management
By Simoneau, Paul; McGraw-Hill;
ISBN:0079130755
Practical Guide to Snmpv3 and Network Management
By David Zeltserman, Dave Zeltserman; Prentice Hall; ISBN: 0130214531
14
Week #10-12 Network Security (3 weeks)
-
Hacking Techniques
-
Try the following hacking tools
DDOS, Buffer Overflow, Sniffer, Port Scanner
-
-
Firewall Setting
-
Setting up access list in IP filtering
-
Setting up TCP wrapper
-
Setting up gateway and proxy servers
Intrusion Detection
-
Setting up system and network log
-
Setting up alert system
-
Tools: COPS, Tripewire, Tigers, tcpdump
References:
Smashing The Stack For Fun And Profit
http://phrack.infonexus.com/search.phtml?view&article=p49-14
Linux IPCHAINS-HOWTO
http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
Linux Firewall and Proxy Server HOWTO
http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
Linux Firewalls
By Robert L. Ziegler; New Riders Publishing; ISBN: 0-7357-0900-9
Building Internet Firewalls
By D. Brent Chapman & Elizabeth D. Zwicky; O'Reilly ISBN 1-56592-124-0
Practical UNIX & Internet Security
By Simson Garfinkel & Gene Spafford; O'Reilly ISBN 1-56592-148-8
Network Intrusion Detection: An Analysts' Handbook
By Stephen Northcutt, Stephen Northcult; New Riders Publishing; ISBN: 0735708681
15
