Story Line

In 200x, hkntec.net is nominated by the United Nations to launch the "INFO SHARE" project to help 30 developing countries promote the Internet in their economies. hkntec.net accepts this challenge and will set up the network infrastructure and basic Internet services for these 30 countries in 12 weeks. Due to limited resources, hkntec.net cannot afford to hire full-time system administrators or network engineers to accomplish these tasks. Hence, hkntec.net is recruiting you, the volunteers, to finish these challenging tasks within 12 weeks.

In the following 12 weeks, you will spend about 3 hours each week to finish the following tasks for a network:

1. Set up a DNS server
2. Set up a Mail server and Mailing List service
3. Build a Public Key Infrastructure (PKI)
4. Set up the network monitoring system
5. Set up a Firewall and Intrusion Detection system

Each of you will get root access to a Linux host and will discharge the above tasks according to the following instructions.

Mission Week #1-2: DNS Server Setup

Each of you will be assigned a code number. This code number refers to the country you are working at. At a later stage, this code number will be transferred to the actual domain name of that country.

Notation:
- N is your code number, where N is in [11..25; 81..95].
- P is your partner's code number: if N is in [11..25], P = N + 70; if N is in [81..95], P = N - 70.
- ntecN is the hostname of your system.

The host IPs are as follows:
- ntec[11..25]: 192.168.64.[11..25]; netmask 255.255.255.0
- ntec[81..95]: 192.168.128.[81..95]; netmask 255.255.255.0

For example, if your code number is 81, then the hostname you are going to manage is ntec81 and the host IP is 192.168.128.81; your partner's code number is 11. You can find the fully qualified host name and IP in the /etc/hosts file.
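Everything the DNS exercise in the steps below asks for follows from the code number N, so it is worth generating rather than typing by hand. The following Python script is an added example, not part of the handout: it derives the partner code, the host IPs, the forward zones for sN.hkntec.net and ss.sN.hkntec.net (A, CNAME, NS, MX, listserv MX and host1..host254), the N.18.172.in-addr.arpa reverse zone, and the named.conf zone statements with zone transfers restricted to the partner's host. The SOA serial and timers and the use of the IN class token are assumptions.

```python
# Added example (not from the handout): derive the zone data for code number N.
# SOA timers/serial and the IN class tokens are assumptions; names and IPs follow the notation.
SOA = "2000010101 3600 900 604800 86400"   # serial refresh retry expire minimum (assumed)

def partner_of(n):
    """P = N + 70 for N in [11..25], P = N - 70 for N in [81..95]."""
    if 11 <= n <= 25:
        return n + 70
    if 81 <= n <= 95:
        return n - 70
    raise ValueError(f"code number {n} is outside [11..25; 81..95]")

def host_ip(n):
    """ntecN is 192.168.64.N for N in [11..25] and 192.168.128.N for N in [81..95]."""
    partner_of(n)  # range check
    return f"192.168.{64 if n <= 25 else 128}.{n}"

def forward_zone(n, sub=""):
    """Zone file for sN.hkntec.net (sub='') or ss.sN.hkntec.net (sub='ss.')."""
    ns = f"ntec{n}.s{n}.hkntec.net."
    lines = [f"$ORIGIN {sub}s{n}.hkntec.net.", "$TTL 86400",
             f"@ IN SOA {ns} root.s{n}.hkntec.net. ( {SOA} )",
             f"@ IN NS {ns}", f"@ IN MX 10 {ns}",   # step 2.3
             f"ntec{n} IN A {host_ip(n)}",          # step 2.1
             f"www IN CNAME ntec{n}"]               # step 2.2
    if sub == "":
        lines.append(f"listserv IN MX 10 ntec{n}")  # step 2.4
    else:
        lines += [f"host{i} IN A 172.18.{n}.{i}" for i in range(1, 255)]  # step 2.5
    return "\n".join(lines) + "\n"

def reverse_zone(n):
    """N.18.172.in-addr.arpa (step 2.6). PTR targets are written fully qualified,
    otherwise BIND appends the reverse zone's origin to a bare host1."""
    ns = f"ntec{n}.s{n}.hkntec.net."
    lines = [f"$ORIGIN {n}.18.172.in-addr.arpa.", "$TTL 86400",
             f"@ IN SOA {ns} root.s{n}.hkntec.net. ( {SOA} )", f"@ IN NS {ns}"]
    lines += [f"{i} IN PTR host{i}.ss.s{n}.hkntec.net." for i in range(1, 255)]
    return "\n".join(lines) + "\n"

def named_conf(n):
    """Master zones for N with transfers allowed only to the partner host (step 3),
    plus slave zones for the partner's ss.sP.hkntec.net and P.18.172.in-addr.arpa."""
    p = partner_of(n)
    own = f"allow-transfer {{ {host_ip(p)}; }};"
    part = f"masters {{ {host_ip(p)}; }};"
    zones = [(f"s{n}.hkntec.net", f"zone/s{n}.hkntec.net", "master", own),
             (f"ss.s{n}.hkntec.net", f"zone/ss.s{n}.hkntec.net", "master", own),
             (f"{n}.18.172.in-addr.arpa", f"zone/{n}.18.172", "master", own),
             (f"ss.s{p}.hkntec.net", f"slave/ss.s{p}.hkntec.net", "slave", part),
             (f"{p}.18.172.in-addr.arpa", f"slave/{p}.18.172", "slave", part)]
    return "".join(f'zone "{z}" {{ type {t}; file "{f}"; {x} }};\n' for z, f, t, x in zones)
```

Write the returned strings to /var/named/zone/... and append the named_conf() output to /etc/named.conf, then reload named and compare against the nslookup checks in step 4.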
You can also check it at http://info.hkntec.net/ptmsc/host_list.txt

Set up the following domain and sub-domain at your host:
- sN.hkntec.net
- ss.sN.hkntec.net

where N is your code number. For example, if your code number is 81, then you need to set up the domains "s81.hkntec.net" and "ss.s81.hkntec.net".

Instruction:

1. Edit the /etc/named.conf file to specify these domains, e.g.

    zone "s81.hkntec.net" {
        type master;
        file "zone/s81.hkntec.net";
    };
    zone "ss.s81.hkntec.net" {
        type master;
        file "zone/ss.s81.hkntec.net";
    };
    zone "81.18.172.in-addr.arpa" {
        type master;
        file "zone/81.18.172";
    };

2. In your zone files (e.g. zone/s81.hkntec.net, zone/ss.s81.hkntec.net and zone/81.18.172):

2.1 Set the A record for your hostname ntecN in your zone files (e.g. s81.hkntec.net and ss.s81.hkntec.net), assigning your ntecN host IP to it, e.g.

    ntec81    A    192.168.128.81

2.2 Set the CNAME records for www.sN.hkntec.net and www.ss.sN.hkntec.net, pointing these web site names at your ntecN host. You will need to build the web server for these two domains later. e.g.

    www    CNAME    ntec81

2.3 Set the NS and MX records for sN.hkntec.net and ss.sN.hkntec.net. The name server and mail exchanger for both domains is your ntecN host. You will need to build the mail server for these two domains later. e.g.

    NS    ntec81.s81.hkntec.net.
    MX    10    ntec81.s81.hkntec.net.

2.4 Set the MX record for listserv.sN.hkntec.net too, e.g.

    listserv    MX    10    ntec81

2.5 Set the A records for the hosts in the ss.sN.hkntec.net domain: 172.18.N.[1..254] -> host[1..254].ss.sN.hkntec.net, e.g.

    host1      A    172.18.81.1
    host2      A    172.18.81.2
    .....
    host254    A    172.18.81.254

2.6 Set up the N.18.172.in-addr.arpa reverse zone for the ss.sN.hkntec.net domain (edit the zone/81.18.172 file). The PTR targets are written fully qualified so that the reverse zone's origin is not appended to them, e.g.

    1      PTR    host1.ss.s81.hkntec.net.
    2      PTR    host2.ss.s81.hkntec.net.
    ......
    254    PTR    host254.ss.s81.hkntec.net.

3. Set up the slave DNS server for your partner's domain ss.sP.hkntec.net once your partner has set up his DNS server, e.g.
In /etc/named.conf:

    zone "ss.s11.hkntec.net" {
        type slave;
        file "slave/ss.s11.hkntec.net";
        masters { 192.168.64.11; };
    };
    zone "11.18.172.in-addr.arpa" {
        type slave;
        file "slave/11.18.172";
        masters { 192.168.64.11; };
    };

- Restrict zone transfers of your ss.sN.hkntec.net and N.18.172.in-addr.arpa zones to your partner's slave host, e.g. in the master zone statements of /etc/named.conf:

    allow-transfer { 192.168.64.11; };

- Start up named and debug. Start named with the "/usr/sbin/ndc start" command and then run "tail /var/log/messages" to see whether there are any error messages. After you have fixed the problem, restart named with "/usr/sbin/ndc restart".

4. Use nslookup to verify the above setup, e.g.

    nslookup www.s81.hkntec.net       (query the www.s81.hkntec.net A record)
    nslookup www.ss.s81.hkntec.net    (query the www.ss.s81.hkntec.net A record)

    csh> nslookup
    > set type=ns                (set the query type to ns, name server)
    > ss.s81.hkntec.net          (query the name server of ss.s81.hkntec.net)
    > set type=mx                (set the query type to mx, mail exchange)
    > ss.s81.hkntec.net          (query the mail exchange server of ss.s81.hkntec.net)
    > server ntec81              (use ntec81 as the DNS server)
    > ls ss.s81.hkntec.net       (list all the entries in ss.s81.hkntec.net)
    > server ntec11              (use the slave DNS server, ntec11)
    > ls ss.s81.hkntec.net       (list all the entries in ss.s81.hkntec.net)

Here is a complete example of setting up a DNS server for athena.hkntec.net and ss.athena.hkntec.net.

    Project code:                   Athena
    Partner code:                   Apollo
    Athena domains:                 athena.hkntec.net and ss.athena.hkntec.net
    Apollo domains:                 apollo.hkntec.net and ss.apollo.hkntec.net
    Athena host IP:                 192.168.64.232
    Apollo host IP:                 192.168.128.238
    ss.athena.hkntec.net IP range:  172.18.100.1 - 255 (i.e. the 172.18.100.0/24 network)
    ss.apollo.hkntec.net IP range:  172.18.101.1 - 255 (i.e.
the 172.18.101.0/24 network)

- The sample /etc/named.conf file is at http://www.athena.hkntec.net/examples/dns/named.conf
- The sample zone files in the /var/named directory are at http://www.athena.hkntec.net/examples/dns/named/
- The sample nslookup query log for that DNS setup is at http://www.athena.hkntec.net/examples/dns/nslookup.log

References:
- Linux DNS HOWTO: http://www.linuxdoc.org/HOWTO/DNS-HOWTO.html
- DNS Resources Directory: http://www.dns.net/dnsrd/
- DNS and BIND, by Paul Albitz & Cricket Liu; O'Reilly; ISBN 1-56592-523-8

Week #3-4: Mail Server Setup

Mission #1: Set up the mail servers for your domains sN.hkntec.net and ss.sN.hkntec.net

1. Update /etc/sendmail.cw to accept mail for the above domains. Add your fully qualified host name and the listserv entry too, e.g.

    s81.hkntec.net
    ss.s81.hkntec.net
    ntec81.fox.hkntec.net
    listserv.s81.hkntec.net

2. Open the sysadmin accounts for the above domains (admin and ss-admin), e.g.

    csh> adduser -c "Admin" -d /home/admin -g users -s /bin/tcsh -u 800 admin
    csh> passwd admin
    Changing password for user admin
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully

3. Configure the /etc/aliases file so that the mail addresses webmaster, abuse, noc and security point to admin, e.g.

    webmaster:  admin
    abuse:      admin
    noc:        admin
    security:   admin

Do not forget to run "newaliases" after updating the /etc/aliases file.

4. Configure the mc file for the domain masquerade for ss.sN.hkntec.net and the anti-spam measure.

4.1 cd /usr/lib/sendmail-cf/cf
4.2 cp redhat.mc ntecN.mc (use redhat.mc as the mc file template)
4.3 Edit the ntecN.mc file:
- Add the masquerade and ct_file entries, e.g.
    MASQUERADE_AS(s81.hkntec.net)
    FEATURE(masquerade_envelope)
    FEATURE(use_ct_file)

- Comment out the accept_unresolvable_domains entry, e.g.

    dnl FEATURE(`accept_unresolvable_domains')

4.4 Make the cf file, e.g.

    make ntecN.cf

4.5 Restart the sendmail daemon, e.g.

    csh> cp ntecN.cf /etc/sendmail.cf
    csh> /etc/rc.d/init.d/sendmail restart

4.6 Try to send mail to webmaster, abuse, noc and security and see whether those addresses receive the mail (e.g. check the files in /var/spool/mail).

5. Configure /etc/mail/virtusertable so that the addresses webmaster, abuse, noc and security at ss.sN.hkntec.net point to ss-admin, e.g.

    webmaster@ss.s81.hkntec.net    ss-admin
    abuse@ss.s81.hkntec.net        ss-admin
    noc@ss.s81.hkntec.net          ss-admin
    security@ss.s81.hkntec.net     ss-admin

Do not forget to run "make virtusertable.db" in the /etc/mail directory after updating the virtusertable file. Try to send mail to the above addresses and see whether the ss-admin account gets any mail.

6. Configure the access file for mail relay restriction.
- Edit the /etc/mail/access file to allow your partner host to relay mail, e.g.

    192.168.64.11    RELAY

Do not forget to run "make access.db" after updating the access file.

7. Set up a mailing list at sN.hkntec.net

7.1 Get the majordomo package from /usr/local2/pkg/majordomo/dist (or you can get it from http://www.greatcircle.com/majordomo).
7.2 Open the majordomo account, e.g.

    csh> adduser -c "Majordomo Admin" -d /home/majordomo -g daemon -s /bin/tcsh \
         -u 300 majordomo

7.3 Log in to the majordomo account and extract the package, e.g.

    csh> gzip -d -c majordomo-1.94.5.tar.gz | tar xvf -

7.4 Edit the Makefile and update the necessary entries, e.g.
    PERL = /usr/bin/perl
    CC = gcc
    W_HOME = /home/majordomo
    W_USER = 300
    W_GROUP = 2

7.5 cp sample.cf majordomo.cf and update the necessary entries, e.g.

    $whereami = "listserv.athena.hkntec.net";
    $homedir = "/home/majordomo";
    $digest_work_dir = "/home/majordomo/digest";
    $majordomo_request = 1;

7.6 make wrapper
7.7 make install
7.8 Now use sudo to run "make install-wrapper".
7.9 sudo to "./wrapper config-test".
7.10 Link the wrapper into /etc/smrsh, e.g.

    ln -s /home/majordomo/wrapper /etc/smrsh/wrapper

7.11 Edit /etc/sendmail.ct and add the "majordomo" entry.
7.12 Create the mail aliases for majordomo in /etc/aliases, e.g.

    majordomo:        "|/home/majordomo/wrapper majordomo"
    owner-majordomo:  root@s81.hkntec.net,
    majordomo-owner:  root@s81.hkntec.net

Do not forget to run "newaliases" after updating the /etc/aliases file.

7.13 Create a mailing list:

    touch /home/majordomo/lists/test
    echo 'lists' | mail majordomo

You should receive a return mail from majordomo, and a test.config file should be created in the /home/majordomo/lists directory. Update the necessary entries in this test.config file, e.g.

    description = A TEST mailing list

7.14 Create the mail aliases for the mailing list, e.g.

    test:           "|/home/majordomo/wrapper resend -l test test-list"
    test-list:      :include:/home/majordomo/lists/test
    owner-test:     root@s81.hkntec.net,
    test-owner:     root@s81.hkntec.net
    test-request:   "|/home/majordomo/wrapper majordomo -l test"
    test-approval:  root@s81.hkntec.net

Do not forget to run "newaliases" after updating the /etc/aliases file.

7.15 Try to subscribe to this test mailing list by sending the command to majordomo. You may use https://info.hkntec.net/horde/imp/ to check your mail at your host.
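Step 6 above opens relaying for the partner host only, and the access map decides that per connecting address. The following Python code is an added example, not part of the handout: it reproduces how sendmail matches a connecting IPv4 address against /etc/mail/access (the full address first, then its leading-octet prefixes), so you can check which clients may relay before running "make access.db", and it lists RELAY entries keyed by a network prefix instead of a host. The access file contents are constructed; only the 192.168.64.11 entry comes from the exercise.

```python
# Added example: sendmail's access-map lookup for a connecting IPv4 address.
# The file below is constructed; only the 192.168.64.11 RELAY entry is the handout's.
SAMPLE_ACCESS = """\
# constructed /etc/mail/access
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
192.168.64.11           RELAY
192.168.128             RELAY
spammer.example         REJECT
"""

def parse_access(text):
    """Parse access-file lines into {key: value}; '#' lines and blanks are skipped.
    A leading 'Connect:' tag (sendmail 8.10+) is dropped so all lookups look alike."""
    table = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key.startswith("connect:"):
            key = key[len("connect:"):]
        table[key] = parts[1].strip()
    return table

def lookup_ip(table, client_ip):
    """Return (matched key, value) the way sendmail does: the full address first,
    then progressively shorter leading-octet prefixes (a.b.c, a.b, a)."""
    octets = client_ip.split(".")
    for width in range(len(octets), 0, -1):
        key = ".".join(octets[:width])
        if key in table:
            return key, table[key]
    return None

def relay_allowed(table, client_ip):
    """True when the matched entry is RELAY, i.e. this client may send mail through us."""
    hit = lookup_ip(table, client_ip)
    return hit is not None and hit[1].upper() == "RELAY"

def broad_relay_keys(table):
    """RELAY entries keyed by an address prefix: every host in that network can relay,
    which is wider than the single partner host the exercise calls for."""
    return sorted(k for k, v in table.items()
                  if v.upper() == "RELAY" and k.replace(".", "").isdigit() and k.count(".") < 3)
```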
To check mail there, you first need to enable POP mail at your host by uncommenting the imap entry in /etc/inetd.conf:

    imap    stream    tcp    nowait    root    /usr/sbin/tcpd    imapd

and restarting inetd:

    killall -1 inetd

Here is a complete example of setting up a mail and mailing list server at athena.hkntec.net:
- The sample /etc/sendmail.cw is at http://www.athena.hkntec.net/examples/mail/sendmail.cw
- The sample /etc/aliases is at http://www.athena.hkntec.net/examples/mail/aliases
- The sample /usr/lib/sendmail-cf/cf/athena.mc is at http://www.athena.hkntec.net/examples/mail/athena.mc
- The sample /etc/sendmail.cf is at http://www.athena.hkntec.net/examples/mail/sendmail.cf
- The sample /etc/mail/virtusertable is at http://www.athena.hkntec.net/examples/mail/virtusertable
- The sample majordomo Makefile is at http://www.athena.hkntec.net/examples/mail/Makefile
- The sample installation log is at http://www.athena.hkntec.net/examples/mail/build.log
- The sample majordomo.cf is at http://www.athena.hkntec.net/examples/mail/majordomo.cf
- The sample test.config is at http://www.athena.hkntec.net/examples/mail/test.config

References:
- sendmail.org: http://www.sendmail.org/
- Majordomo: http://www.greatcircle.com/majordomo/
- Sendmail, by Bryan Costales & Eric Allman; O'Reilly; ISBN 1-56592-222-0
- Managing Mailing Lists, by Alan Schwartz; O'Reilly; ISBN 1-56592-259-X

Week #5-6: E-Commerce: Public Key Infrastructure (PKI)

1. Set up both the original (port 80) and the secure (port 443) web server (mod_ssl) for http[s]://www.sN.hkntec.net. Set the security proxy to proxy.hkntec.net:80 to access your https://www.sN.hkntec.net.
1.1 Get the following packages from /usr/local2/pkg/www/dist:
- apache_1.3.12.tar.gz
- mod_ssl-2.6.5-1.3.12.tar.gz
- openssl-0.9.5a.tar.gz

1.2 Extract the distributions of Apache, mod_ssl and OpenSSL:

    gzip -d -c apache_1.3.12.tar.gz | tar xvf -
    gzip -d -c openssl-0.9.5a.tar.gz | tar xvf -
    gzip -d -c mod_ssl-2.6.5-1.3.12.tar.gz | tar xvf -

1.3 Build OpenSSL:

    cd openssl-0.9.5a
    ./config
    make
    make install

1.4 Build and install the SSL-aware Apache:

    cd ..
    cd mod_ssl-2.6.5-1.3.12
    ./configure \
        --with-apache=../apache_1.3.12 \
        --with-ssl=../openssl-0.9.5a \
        --prefix=/usr/local/apache
    cd ..
    cd apache_1.3.12
    make
    make install

2. Create a certificate for your https site

2.1 Extract the distribution of ssl.ca:

    gzip -d -c ssl.ca-0.1.tar.gz | tar xvf -
    cd ssl.ca-0.1

2.2 Put openssl in your search path:

    setenv PATH /usr/local/ssl/bin:$PATH

2.3 Create the self-signed Root CA key by running "./new-root-ca.sh". After the creation, you should have the following two files:
- ca.crt (the CA self-signed cert)
- ca.key (the CA private key)

2.4 Create the server cert, e.g.

    ./new-server-cert.sh www.s81.hkntec.net

2.5 Sign the server cert, e.g.

    ./sign-server-cert.sh www.s81.hkntec.net

After signing, you should have the following three files:
- www.s81.hkntec.net.crt (the web server cert, signed by your CA)
- www.s81.hkntec.net.csr (the web server certificate signing request)
- www.s81.hkntec.net.key (the web server private key)

You may copy these files to the /usr/local/apache/certs directory for the Apache httpd to access.

3. Start up the https server

3.1 Edit /usr/local/apache/conf/httpd.conf and update the necessary entries, e.g.

    ServerAdmin root@s81.hkntec.net
    ServerName www.s81.hkntec.net
    SSLCertificateFile /usr/local/apache/certs/www.s81.hkntec.net.crt
    SSLCertificateKeyFile /usr/local/apache/certs/www.s81.hkntec.net.key

3.2 Stop the original httpd with "/etc/rc.d/init.d/httpd stop" and start up the SSL httpd with "/usr/local/apache/bin/apachectl startssl".
Review the log files at /usr/local/apache/logs for debugging.

4. Check the web site cert

4.1 Now set your web browser's security proxy entry to proxy.hkntec.net:80 (that is, the proxy.hkntec.net server and port 80).
4.2 Try to access your SSL web site URL, e.g. https://www.s81.hkntec.net
4.3 View the document info (or just click the lock icon at the lower left of the browser) and check the site cert. You should see the information that you assigned.

5. Act as a CA to sign a user CSR

5.1 Create a user cert, e.g.

    ./new-user-cert.sh user@s81.hkntec.net

5.2 Sign the user cert, e.g.

    ./sign-user-cert.sh user@s81.hkntec.net

After signing, you should have three files:
- user@s81.hkntec.net.crt (the user cert, signed by your CA)
- user@s81.hkntec.net.csr (the user CSR)
- user@s81.hkntec.net.key (the user private key)

5.3 Collect the user cert into a PKCS#12 file, e.g.

    ./p12.sh user@s81.hkntec.net

You need to supply an export password when you create the PKCS#12 file. FTP the "user@s81.hkntec.net.p12" file to your PC and then import this user cert into your browser (i.e. click the lock icon at the lower left of Netscape to pop up the security info window; click "Yours" under Certificates; then click the import certificate button in the right window).

6. Try the client authentication and access control of your https://www.sN.hkntec.net

6.1 Create another user cert named "user2" according to the procedure in step 5.
6.2 Create two directories under the htdocs directory, e.g.

    mkdir /usr/local/apache/htdocs/secure
    mkdir /usr/local/apache/htdocs/secure/user2

6.3 Edit /usr/local/apache/conf/httpd.conf to configure the access control for the above two directories, e.g.
    SSLVerifyClient none
    SSLCACertificateFile /usr/local/apache/certs/ca.crt

    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>

    <Directory /usr/local/apache/htdocs/secure/user2>
        SSLVerifyClient require
        SSLVerifyDepth 5
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "user2"
    </Directory>

6.4 Now delete all user certs in your browser. You will find that your browser can access neither the "secure" nor the "secure/user2" web pages.
6.5 Now import just the user cert named "user". You can access "secure" but not the "secure/user2" web page.
6.6 Now import the user2 cert. You can access both the "secure" and "secure/user2" web pages.

7. Set up a WAP server for wap.sN.hkntec.net

Here is a complete example of setting up the above PKI at athena.hkntec.net:
- The sample httpd.conf file: http://www.athena.hkntec.net/examples/pki/httpd.conf
- The sample install log: http://www.athena.hkntec.net/examples/pki/build.log
- The sample web cert signing log: http://www.athena.hkntec.net/examples/pki/build2.log
- The sample user cert signing log: http://www.athena.hkntec.net/examples/pki/build3.log
- The athena PKI demo site: https://www.athena.hkntec.net

References:
- mod_ssl: http://www.modssl.org/
- Open-Source PKI Book: http://ospkibook.sourceforge.net/
- Apache HTTP Server: http://www.apache.org/httpd.html
- Understanding the Public-Key Infrastructure, by Carlisle Adams, Steve Lloyd; New Riders Publishing; ISBN 157870166X

Week #7-9: Network Monitoring and Debugging

- Use SAR to monitor your system CPU, memory and disk I/O status
- Use SNMP to monitor your system processes and network traffic
- Use the following tools to monitor and debug your system and network: top, vmstat, netstat, iostat, ifconfig, tcpdump
- Use MRTG to keep track of the above system and network information and status

References:
- MRTG: http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html
- SNMP Network Management, by Paul Simoneau; McGraw-Hill; ISBN 0079130755
- Practical Guide to SNMPv3 and Network Management,
by Dave Zeltserman; Prentice Hall; ISBN 0130214531

Week #10-12: Network Security (3 weeks)

- Hacking Techniques
  - Try the following hacking tools: DDOS, buffer overflow, sniffer, port scanner
- Firewall Setting
  - Setting up access lists in IP filtering
  - Setting up TCP wrappers
  - Setting up gateway and proxy servers
- Intrusion Detection
  - Setting up system and network logs
  - Setting up an alert system
  - Tools: COPS, Tripwire, Tiger, tcpdump

References:
- Smashing The Stack For Fun And Profit: http://phrack.infonexus.com/search.phtml?view&article=p49-14
- Linux IPCHAINS-HOWTO: http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
- Linux Firewall and Proxy Server HOWTO: http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
- Linux Firewalls, by Robert L. Ziegler; New Riders Publishing; ISBN 0-7357-0900-9
- Building Internet Firewalls, by D. Brent Chapman & Elizabeth D. Zwicky; O'Reilly; ISBN 1-56592-124-0
- Practical UNIX & Internet Security, by Simson Garfinkel & Gene Spafford; O'Reilly; ISBN 1-56592-148-8
- Network Intrusion Detection: An Analyst's Handbook, by Stephen Northcutt; New Riders Publishing; ISBN 0735708681
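The "system and network log" and "alert system" items above come together once ipchains rules log what they deny. The following Python detector is an added example, not part of the handout: it parses ipchains "Packet log:" lines from /var/log/messages, groups denied packets by source address, and raises an alert when one source has probed more distinct destination ports than a threshold inside a time window, while repeated denials of a single port (such as a misconfigured partner host) stay quiet. The log lines are constructed in the kernel 2.2 ipchains format; the threshold, window and year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/messages sample in the ipchains "Packet log:" format
# (what the 2.2 kernel writes for rules added with "ipchains ... -l"); not real traffic.
SAMPLE_LOG = """\
Mar  3 10:15:01 ntec81 sendmail[812]: NOQUEUE: connect from ntec11.s11.hkntec.net
Mar  3 10:15:01 ntec81 kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40001 192.168.128.81:21 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#5)
Mar  3 10:15:01 ntec81 kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40002 192.168.128.81:22 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#5)
Mar  3 10:15:02 ntec81 kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40003 192.168.128.81:23 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#5)
Mar  3 10:15:02 ntec81 kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40004 192.168.128.81:110 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#5)
Mar  3 10:15:03 ntec81 kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40005 192.168.128.81:143 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#5)
Mar  3 10:15:40 ntec81 kernel: Packet log: input DENY eth0 PROTO=6 192.168.64.11:1025 192.168.128.81:23 L=60 S=0x00 I=6 F=0x4000 T=64 SYN (#5)
Mar  3 10:16:10 ntec81 kernel: Packet log: input DENY eth0 PROTO=6 192.168.64.11:1026 192.168.128.81:23 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#5)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ (?P<action>\S+) "
    r"\S+ PROTO=\d+ (?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+) ")

def parse_line(line, year=2000):
    """Return a dict for an ipchains packet-log line, None for any other syslog line.
    Syslog timestamps carry no year, so one is supplied (assumed 2000 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "action": m["action"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}

def detect_scans(lines, max_ports=4, window_seconds=60):
    """Alert on sources whose DENYed packets reach more than max_ports distinct
    destination ports within any window_seconds span. Returns {src: sorted ports}."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev["action"] == "DENY":
            by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):  # sliding window over this source's events
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) > max_ports:
                alerts[src] = sorted(ports)
    return alerts
```

Feed it the output of "tail -f /var/log/messages" (or a cron-driven batch) and hand the returned dictionary to whatever alert channel you set up, for example a mail to the security alias configured in week 3.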