Windows Linux
Linux LAN Internet
Linux Samba Microsoft
Windows Unix Samba
Samba Apache SSH Apache SSH Internet Internet Internet Internet Internet Nmap
11.5
DHCP IP DNS
Fedora Core DHCP server Linux DHCP server PC IP DHCP server root root root
11.1
DNS IP ISP DNS server IP Samba Linux DNS Linux /etc/hosts DNS IP /etc/hosts nano /etc/hosts 11-1 / 11-2 IP IP
IP 127.0.0.1 localhost
Linux IP /etc/hosts
Windows hosts
Windows 95/98/Me hosts c:\windows\etc\ Windows NT/2000/XP c:\winnt\system32\drivers\etc\hosts Windows
C:\Windows c:\winnt
Linux Windows hosts
127.0.0.1 localhost.localdomain localhost
192.168.0.10 rox.oreilly.com.tw rox
192.168.0.9 sun.oreilly.com.tw sun
IP IP /etc/hosts
11.2 Samba
Windows SMB Server Message Block CIFS Common Internet File System NetBIOS LAN Manager Linux SMB
Andrew Tridgell Linux Samba SMB SMB Samba
Samba
Windows OS/2 Netware Unix
Windows PC Linux
Samba http://www.samba.org/pub/samba/survey/ssstats.html Bank of America Samba 15,000 Hewlett-Packard 7,000 Samba
11.2.1
Samba
Samba Samba nmbd smbd /etc/samba/smbusers /etc/samba/smb.conf /etc/samba/lmhosts smbusers Samba Linux Windows Windows
administrator admin Linux root lmhosts
/etc/hosts Windows smb.conf Samba smbusers lmhosts smb.conf
Samba Windows
/ Samba
Windows
system-config-samba - Samba server configuration tool 11-3
Windows
Fedora CD/DVD
11.2.2
Samba
Samba server /etc/samba/smb.conf Samba Linux smb.conf
Samba RedHat Samba
GUI Samba
Samba Samba 11-4
Windows Samba Samba Samba Samba Samba man smb.conf
Samba
Samba 11-5 Samba Samba Samba mygroup 11-6 ADS
ADS Samba server ADS Active Directory Services
Kerberos Kerberos Samba
Kerberos Samba
ADS ADS Samba
Samba Windows domain controller
Samba Samba Samba NetBIOS Samba Samba Windows 98 Windows 3.1 Windows 95
Windows Samba server
Windows 98 Windows
Windows
... Windows Guest Windows Linux Samba
Samba
Samba Samba Samba Samba 11-7 Samba Samba 11-7 Unix Linux Windows Windows
Unix Samba Samba Windows Unix
Samba Windows Windows Samba Unix Samba Unix Linux Samba Samba Samba Samba
Samba
Unix Windows Windows Samba Windows
Linux Unix Samba
Samba
Samba Samba Samba 11-8 Samba Windows / 11-9 Samba
11.2.3 Samba
Samba runlevel 3 smb runlevel 5 smb Samba server runlevel smb runlevel Samba smb Samba server Ctrl-5 Ctrl-3
11.2.4
Samba
Samba
Samba Windows
Linux Samba
Windows
Samba server share \\server\share Windows
Samba
Samba
Samba Samba Windows Samba Internet Samba /usr/share/doc/samba-*/docs/htmldocs diagnosis.html Samba diagnosis.html Samba server comp.protocols.smb
Using Samba Robert Eckstein David Collier-Brown Peter Kelly Open Publication License OPL
http://www.oreilly.com/catalog/samba Samba Samba /etc/samba/smb.conf
# cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
/etc/samba/smb.conf
# cp /etc/samba/smb.conf.bak /etc/samba/smb.conf
smb
# service smb restart
11.2.5 Samba
Samba Windows Linux Samba Samba
Windows OS/2 Mac OS Mac OS X SMB Samba
11.2.4 Samba
Windows
SMB IBM Microsoft Windows 3.11/9x/Me/NT/2000/XP/2003 SMB
Samba Windows 2000/XP Samba Samba server server Samba Windows
Windows Samba workgroup Windows Samba server
server Samba server server
Windows Samba Windows Windows 2000/XP Samba Samba \\server\sharename server sharename
SERVER pub \\SERVER\pub \\SERVER\lp
Windows \\SERVER\pub
Samba SMB smbclient
Samba SMB
Samba Samba server
$ smbclient -L localhost
Samba Linux Samba server
SMB server localhost NetBIOS $ smbclient -L server
server Linux
Samba server -U Samba server
$ smbclient -L server -U userid SMB
$ smbclient 'service' -U userid
service SMB userid
Samba SMB //
/
$ smbclient //server/myshare -U billmccarty
Windows \ / \\server\myshare smbclient \\server\myshare //server/myshare SMB smbclient smb: dir dir SMB dir ls
smb: \> dir
smb: \> ls
cd
smb: \> cd
dir dir dir ..
smb: \> cd ..
get
smb: \> get filename
SMB put
smb: \> put local_filename
smbclient help
smb: \> help
? altname archive blocksize cancel case_sensitive cd chmod chown del dir du exit get hardlink help history lcd link lowercase ls mask md mget mkdir more mput newer open print printmode prompt put pwd q queue quit rd recurse reget rename reput rm rmdir setmode symlink tar tarmode translate vuid logon !
help command
smb: \> help lcd
HELP lcd:
[directory] change/report the local current working directory
exit quit smbclient Linux shell
Samba smbprint script
Linux smbprint
smbprint
smbclient
smbclient Windows
Windows
Linux smbclient Windows Windows NetBIOS winhost
work Samba bill
[bill@linux ~]$ smbclient '//winhost/work' -U bill
Password:
Domain=[WINHOST] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \>
SMB cd tar
smb: \> cd data
smb: \data\> tar c backup.tar
SMB tar shell tar c create backup.tar Linux backup.tar .tar ... Windows Linux tar c x extract cd
smb: \> cd data
smb: \data\> tar x backup.tar
SMB server
backup.tar
11.3
Apache
Apache Internet Apache
Internet Linux
11.3.1
Apache
Linux Apache / httpd mod_ssl system-config-httpd
11.3.2
Apache
Apache Apache Fedora Core 3 Apache Apache /etc/httpd/conf Apache access.conf httpd.conf srm.conf httpd.conf Apache HTTP HTTP 11-11
HTTP www.domain.com domain.com
Webmaster
Apache IP DNS IP IP Webmaster port 80 11-12 Apache virtual hosting
IP Apache http://www.myfirstsite.com http://www.myothersite.com IP HTTP 1.1 HTTP 1.0 HTTP 1.0 11-13 Apache server 11-14 Apache Apache 150 15
Apache http://httpd.apache.org/docs-2.0 Apache
11.3.3 Apache
Apache runlevel httpd runlevel Apache Apache Firefox http://localhost/ 11-15 Apache Apache http://myweb.mydomain DNS IP IP http://192.168.102.33 DNS IP IP IP /etc/hosts Windows 2000 C:\WINNT\system32\drivers\etc\hosts Apache Apache
11.3.4
HTML document root
/var/www/html root root
Apache http://www.domain.com URL request
domain.com
index.html
public_html /home/joe/public_html
http://www.domain.com/~joe joe joe ~ Apache
Apache /etc/httpd/conf/httpd.conf
UserDir disable
UserDir enable all
HTTP
httpd.conf
HTTP httpd.conf Apache HTTP
all UserDir enable bill joe andyoram
httpd.conf httpd
Apache Apache server apache
apache /home/joe/public_html apache apache /home /home/joe /home/joe/public_html
/home/joepublic/public_html 11-1
11-1
Apache
/home 755
/home/joe 711
/home/joe/public_html 755
/home/joe/public_html 755
/home/joe/public_html 644
11-1 Apache Apache Apache
11.4 SSH
SSH Secure Shell TCP/IP Linux
shell SSH Telnet SSH
11.4.1
SSH
SSH runlevel 3 5 sshd sshd runlevel sshd SSH /etc/ssh SSH sshd
11.4.2
SSH
SSH
[bill@linux ~]$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is c0:e2:fe:8d:09:d8:e8:62:6b:36:60:b8:98:de:3f:e2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
bill@localhost's password:
[bill@linux ~]$ exit
ssh RSA yes ssh localhost ssh ssh bill shell ssh sshd exit SSH ssh localhost IP ssh @ email ssh userid@host userid host IP
[bill@moon ~]$ ssh lin@carbon
lin@carbon's password: lin
[lin@carbon ~]$
moon carbon ssh carbon RSA exit logout
SSH scp SSH
$ scp file userid@host:destination
file host destination
file userid destination
destination
$ scp rhbook_rev.txt bill@example.com:rhfile
rhbook_rev.txt example.com /home/bill rhfile destination shell * ? scp scp -r Desktop newDesktop newDesktop
$ scp -r Desktop bill@example.com:newDesktop
$ scp userid@host:path localfile
host IP path localfile
userid
$ scp bill@author.example.com:/out/ch11.doc myfile
bill author.example.com /out ch11.doc myfile myfile
SSH sftp ftp ftp sftp
$ sftp userid@host
SSH sftp ftp sftp author.example.com
$ sftp bill@dhcp195
Connecting to dhcp195...
bill@dhcp195's password:
bill
sftp> ls
Desktop FC3_Snapshots backup.tar files
firefox-1.0.installer.tar.gz logs
sftp> get backup.tar
Fetching /home/bill/backup.tar to backup.tar
/home/bill/backup.tar 25% 18MB 1.6MB/s 00:32 ETA
FTP help sftp
sftp> help
Available commands:
cd path                       Change remote directory to 'path'
lcd path                      Change local directory to 'path'
chgrp grp path                Change group of file 'path' to 'grp'
chmod mode path               Change permissions of file 'path' to 'mode'
chown own path                Change owner of file 'path' to 'own'
help                          Display this help text
get remote-path [local-path]  Download file
lls [ls-options [path]]       Display local directory listing
ln oldpath newpath            Symlink remote file
lpwd                          Print local working directory
ls [path]                     Display remote directory listing
lumask umask                  Set local umask to 'umask'
mkdir path                    Create remote directory
progress                      Toggle display of progress meter
put local-path [remote-path]  Upload file
pwd                           Display remote working directory
exit                          Quit sftp
quit                          Quit sftp
rename oldpath newpath        Rename remote file
rmdir path                    Remove remote directory
rm path                       Delete remote file
symlink oldpath newpath       Symlink remote file
version                       Show SFTP version
!command                      Execute 'command' in local shell
!                             Escape to local shell
?                             Synonym for help
11.4.3
Windows
SSH
ssh Linux Linux
Windows Linux Windows SSH Simon Tatham PuTTY Windows SSH http://www.chiark.greenend.org.uk/~sgtatham/putty/
Google "putty" PuTTY putty.exe windows putty.exe $PATH putty 11-16 PuTTY PuTTY
Hostname
SSH IP putty.exe Windows http://www.csie.ntu.edu.tw/~piaip/prjs/pputty/ PuTTY Linux http://beta.wsl.sinica.edu.tw/~ylchang/putty/ Protocol
SSH PuTTY Port 22 SSH SSH port 22 Port Saved Sessions Save IP Open PuTTY PuTTY Windows SSH WinSCP SCP SFTP Windows GUI 11-17 WinSCP WinSCP
11.4.4
TCP wrapper
TCP
SSH SSH SSH sshd runlevel sshd SSH TCP wrapper SSH TCP Wrapper TCP SSH /etc/hosts.allow /etc/hosts.deny /etc/hosts.allow TCP /etc/hosts.deny TCP /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
TCP /etc/hosts.allow
sshd: 127.0.0.1 1.2.3.4 1.2.3.5 1.2.4.
sshd 127.0.0.1 1.2.3.4 1.2.3.5 1.2.4.0/24 1.2.4.0 1.2.4.255 IP 127.0.0.1 /etc/hosts.allow /etc/hosts.deny /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
portmap line /etc/hosts.deny
sshd: ALL
sshd TCP wrapper TCP /etc/services TCP /etc/hosts.allow ftp 192.168.100.0/24
# /etc/hosts.allow
ftp: 192.168.100.
# /etc/hosts.deny
ftp: ALL
TCP TCP wrapper TCP UDP
11.5
Internet firewall Linux TCP wrapper TCP UDP ICMP
11.5.1
11-18 SELinux SELinux NSA Linux policy
SELinux: NSA's Open Source Security Enhanced Linux O'Reilly SELinux
Linux Internet Linux Internet
11.5.2
iptables iptablesiptables runlevel runlevel 2 3 4 5 iptables
11.6
Nmap
Nmap Nmap
Nmap Nmap
http://www.insecure.org/ Nmap Nmap scan TCP UDP
Nmap
Linux Nmap
/ Nmap
GNOME KDE Nmap
nmap nmapfe
Nmap FE Nmap FE nmap X Nmap FE GUI
nmap 11-19 Nmap FE Nmap FE root
Nmap FE Scan Discover Timing
File Options Scan
Target 127.0.0.1
Scan Scan Type Connect Scan Scanned Ports Range Given Below Range 1-1023
Scan Nmap 11-19 Nmap FE ssh root 127.0.0.1 IP 1 - 1023 1024 1024 ISP ISP
11.7
Internet Internet Enter Building Internet Firewalls Elizabeth D. Zwicky Simon Cooper D. Brent Chapman
Building Secure Servers with Linux Linux Michael D. Bauer
Computer Security Basics Deborah Russell G.T. Gangemi, Sr.
Linux Security Cookbook Daniel J. Barrett Richard Silverman Robert G. Byrnes
Linux Server Hacks Linux Rob Flickenger
Practical Unix & Internet Security Simson Garfinkel Gene Spafford Alan Schwartz
Red Hat Linux Firewalls Bill McCarty Red Hat Press
mailing list
http://www.cert.org CERT