
Config DNS server, webserver, mail server, iptable firewall


Document information

Pages: 18
Size: 614.58 KB

Contents

+ Deploy the DNS service
+ Deploy a web server: name-based virtual hosts, IP-based virtual hosts, an HTTPS virtual host and per-user directories
+ Deploy a mail service so that users with accounts can send mail to each other and out to any Gmail address
+ Deploy logging so that web access and mail access logs can be followed
+ Deploy an iptables firewall from the command line: a three-zone model (inside, middle, outside) in which the firewall machine sits in the middle and allows or denies ping, telnet and web access, blocks ports, protocols, a single IP address or an IP range, from outside to inside and vice versa. Advanced tests with at least 10 rules on the command line, saved to a file.


HANOI UNIVERSITY OF SCIENCE AND TECHNOLOGY

School of Information and Communication Technology


=========*=========

FINAL PROJECT REPORT

ITSS Linux System and Network Management

Instructor: MSc. Banh Thi Quynh Mai

Class: ICT 56

Group: Season1418

Dao Duc Cuong 20111201

Nguyen Hai Nam 20111884

Le Anh Tien 20112311

Hoang Minh Tuan 20112418


Project Report ITSS Linux System and Network Management

Prerequisite setup and installation:

• Server machine: GNU/Linux CentOS 6.5, hostname server1.season1418.vn

• Client machine: GNU/Linux CentOS 6.5, hostname client.season1418.vn

• The server machine has two NICs: one for the Internet connection, one for the local network

• A NetworkManager profile is created for each NIC of the server machine

• The client machine has one NIC, on the local network

1 Setup DHCP server:

− On the server machine:

eth1 is the Internet-facing interface, 10.0.3.0/24 (changed to the outer network 192.168.56.0/24 in part 5, Firewall)

eth2 is the local network interface, 192.168.50.0/24

− On the client machine:

eth2 is the local network interface, 192.168.50.0/24


− On the server machine, install the dhcp package (it provides dhcpd):

$ sudo yum install dhcp

− Edit the file /etc/sysconfig/network-scripts/ifcfg-eth2 so that eth2 has the fixed address 192.168.50.1 and comes up at boot (with ONBOOT=no neither the boot sequence nor "service network restart" brings the interface up):

DEVICE=eth2
BOOTPROTO=none
ONBOOT=yes
NETWORK=192.168.50.0
NETMASK=255.255.255.0
IPADDR=192.168.50.1
DNS1=192.168.50.1
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no

− To make dhcpd serve only on the eth2 interface, edit /etc/sysconfig/dhcpd:

DHCPDARGS=eth2

− We define the local network with its router address, DNS server address, subnet and range of client addresses. Edit /etc/dhcp/dhcpd.conf:

ddns-update-style none;
authoritative;
log-facility local7;
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.50.255;
option routers 192.168.50.1;
option domain-name-servers 192.168.50.1;

subnet 192.168.50.0 netmask 255.255.255.0 {
    range 192.168.50.100 192.168.50.200;
}

− Restart the dhcpd service to make these changes effective:

$ sudo service dhcpd restart

− To see which clients have obtained an address from the DHCP server, read the lease database:

$ less /var/lib/dhcpd/dhcpd.leases

− On the client machine, eth2 is on the local network. Set the following value in /etc/sysconfig/network-scripts/ifcfg-eth2 so that the client obtains its address by DHCP:

BOOTPROTO=dhcp

− Restart the network service:

$ sudo service network restart

− On the client, ping the server to check the network:

$ ping 192.168.50.1

The local network has the DHCP server at 192.168.50.1; client addresses range from 192.168.50.100 to 192.168.50.200.
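Reading the lease database by eye gets tedious once a few clients have renewed, because dhcpd appends a new block for every change and only the last block per address is current. The following script is an added example and not part of the report: it summarises the active leases in a dhcpd.leases file. The records in SAMPLE_LEASES are constructed for the example; on the server the real file is /var/lib/dhcpd/dhcpd.leases.

```shell
#!/bin/sh
# Added example, not from the report: list active DHCP leases.
# dhcpd appends a new block to dhcpd.leases every time a lease changes,
# so several blocks may exist for one IP and only the LAST one is current.

# Constructed sample in dhcpd's own format (real file: /var/lib/dhcpd/dhcpd.leases).
# 192.168.50.100 renewed once; 192.168.50.101 was active and then released.
SAMPLE_LEASES='lease 192.168.50.100 {
  starts 4 2014/10/23 08:00:00;
  ends 4 2014/10/23 08:10:00;
  binding state active;
  hardware ethernet 08:00:27:aa:bb:cc;
  client-hostname "client";
}
lease 192.168.50.101 {
  starts 4 2014/10/23 08:01:00;
  ends 4 2014/10/23 08:11:00;
  binding state active;
  hardware ethernet 08:00:27:11:22:33;
}
lease 192.168.50.100 {
  starts 4 2014/10/23 08:05:00;
  ends 4 2014/10/23 08:15:00;
  binding state active;
  hardware ethernet 08:00:27:aa:bb:cc;
  client-hostname "client";
}
lease 192.168.50.101 {
  starts 4 2014/10/23 08:01:00;
  ends 4 2014/10/23 08:11:00;
  binding state free;
  hardware ethernet 08:00:27:11:22:33;
}'

# active_leases FILE -> "IP MAC HOSTNAME" for each address whose newest block is active
active_leases() {
    awk '
    /^lease /            { ip = $2; mac = "-"; host = "-"; state = "" }
    /hardware ethernet/  { mac = $3; sub(/;$/, "", mac) }
    /client-hostname/    { host = $2; gsub(/[";]/, "", host) }
    /binding state/      { state = $3; sub(/;$/, "", state) }
    /^}/                 { STATE[ip] = state; MAC[ip] = mac; HOST[ip] = host }
    END {
        for (ip in STATE)
            if (STATE[ip] == "active") print ip, MAC[ip], HOST[ip]
    }' "$1" | sort
}

# count_active FILE -> number of addresses currently leased
count_active() {
    active_leases "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
leases_tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LEASES" > "$leases_tmp"
echo "Active leases: $(count_active "$leases_tmp")"
active_leases "$leases_tmp"
rm -f "$leases_tmp"
```

On the server, `active_leases /var/lib/dhcpd/dhcpd.leases` prints one line per client that currently holds an address; a MAC that is not one of your machines is worth a look, since anything on the LAN segment can ask for a lease.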


2 Setup DNS server:

− On the server, install the bind package and its companions:

$ yum install 'bind*'

− The DNS server listens for queries on port 53. For domains it is not authoritative for, it forwards the query to Google's resolver at 8.8.8.8. It is authoritative for five domains only: season1418.vn, season1418.com, season1418.org, season1418.net and season1418.tk. Edit /etc/named.conf:

options {
    listen-on port 53 { 192.168.50.1; };   # master dns
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    forwarders { 8.8.8.8; };               # forward to Google DNS
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "season1418.vn" IN {
    type master;
    file "forward.season1418";
    allow-update { none; };
};

zone "season1418.com" IN {
    type master;
    file "fw.season1418.com";
    allow-update { none; };
};

zone "season1418.org" IN {
    type master;
    file "fw.season1418.org";
    allow-update { none; };
};

zone "season1418.net" IN {
    type master;
    file "fw.season1418.net";
    allow-update { none; };
};

zone "season1418.tk" IN {
    type master;
    file "fw.season1418.tk";
    allow-update { none; };
};

zone "50.168.192.in-addr.arpa" IN {
    type master;
    file "reverse.season1418";
    allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

− Create five forward zone files and one reverse zone file in /var/named/. The four files fw.season1418.com, fw.season1418.org, fw.season1418.net and fw.season1418.tk are identical apart from their IP address. forward.season1418 (the file named in named.conf for season1418.vn) has some extra records because season1418.vn is the main domain of this setup. The reverse zone maps an IP address back to its domain name.

− File /var/named/forward.season1418:

$TTL 86400
@   IN  SOA   server1.season1418.vn. root.season1418.vn. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
; hostnames on the right-hand side must end with a dot: without it BIND
; appends the origin and "server1.season1418.vn" becomes
; server1.season1418.vn.season1418.vn.
@       IN  NS      server1.season1418.vn.
@       IN  A       192.168.50.1
@       IN  MX 10   mail.season1418.vn.
server1 IN  A       192.168.50.1
client  IN  A       192.168.50.100
mail    IN  A       192.168.50.1

− The reverse zone file /var/named/reverse.season1418:

$TTL 86400
@   IN  SOA   server1.season1418.vn. root.season1418.vn. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS      server1.season1418.vn.
; only PTR records belong in a reverse zone; the A and MX records live in
; the forward zones. Targets end with a dot so the origin is not appended.
1       IN  PTR     server1.season1418.vn.
1       IN  PTR     mail.season1418.vn.
100     IN  PTR     client.season1418.vn.
10      IN  PTR     season1418.com.
11      IN  PTR     season1418.org.
12      IN  PTR     season1418.net.
12      IN  PTR     season1418.tk.

− Forward zone file for the other domains, /var/named/fw.season1418.com. The same layout is used for fw.season1418.org, fw.season1418.net and fw.season1418.tk, with their own addresses:

$TTL 86400
@   IN  SOA     season1418.com. root.season1418.com. (
        2011071010  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS      server1.season1418.vn.
; address of this site: 192.168.50.10 for .com (see the summary in part 4;
; .org uses 192.168.50.11, .net and .tk use 192.168.50.12)
@       IN  A       192.168.50.10
www     IN  A       192.168.50.10

− Start the DNS service:

$ sudo service named start

− Allow DNS queries on port 53 through iptables (with the iptables command or by editing /etc/sysconfig/iptables; or simply stop the iptables service for now). The stock CentOS 6 ruleset ends with a REJECT rule, so a rule appended with -A lands behind it and never matches; insert the rules at the head of the chain with -I instead:

$ sudo iptables -I INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT


− Save the running rules to /etc/sysconfig/iptables before restarting; a restart reloads that file and drops any rule that was only added at runtime:

$ sudo service iptables save
$ sudo service iptables restart

− Edit /etc/resolv.conf on both the server and the client to use our DNS server:

nameserver 192.168.50.1

− In /etc/named.conf the line forwarders { 8.8.8.8; }; makes the local DNS server send queries for domains it is not authoritative for to Google's resolver, reached through the other NIC, eth1. Note that allow-query { any; }; together with recursion yes; would make named an open resolver if it were reachable from the Internet side; here listen-on limits it to 192.168.50.1, and adding allow-recursion { 192.168.50.0/24; }; keeps recursion restricted to the local subnet even if the listen address is widened later.

− Test the DNS server:

$ nslookup season1418.vn
$ nslookup server1.season1418.vn
$ ping client.season1418.vn
$ ping google.com
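The zone files above are easy to get subtly wrong: an NS, MX or PTR target written without a trailing dot is relative to the zone origin, so server1.season1418.vn silently becomes server1.season1418.vn.season1418.vn and the delegation or mail routing breaks. The script below is an added example, not from the report; it scans a zone file for that mistake. The two zone texts inside it are constructed (BAD_ZONE follows the pattern of the report's forward zone as first written, GOOD_ZONE is the corrected form). Run named-checkzone season1418.vn /var/named/forward.season1418 as well: it catches syntax errors but not a relative name that happens to be valid.

```shell
#!/bin/sh
# Added example, not from the report: flag NS/MX/PTR/CNAME targets that are
# written without a trailing dot. BIND treats such names as relative to the
# zone origin, so "server1.season1418.vn" in zone season1418.vn really means
# server1.season1418.vn.season1418.vn. Heuristic: a target that contains a
# dot but does not end in one is almost always meant to be absolute.

# Constructed zone texts. BAD_ZONE follows the pattern of the report's
# forward zone; GOOD_ZONE is the corrected form.
BAD_ZONE='$TTL 86400
@   IN  SOA   server1.season1418.vn. root.season1418.vn. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS      server1.season1418.vn
@       IN  MX 10   mail.season1418.vn
server1 IN  A       192.168.50.1
mail    IN  A       192.168.50.1
'
GOOD_ZONE='$TTL 86400
@   IN  SOA   server1.season1418.vn. root.season1418.vn. (
        2011071001 3600 1800 604800 86400 )
@       IN  NS      server1.season1418.vn.
@       IN  MX 10   mail.season1418.vn.
server1 IN  A       192.168.50.1
mail    IN  A       192.168.50.1
'

# zone_problems ORIGIN FILE -> one line per suspicious record (empty if none)
zone_problems() {
    awk -v origin="$1" '
    /^[ \t]*;/ || /^[ \t]*$/ || /^\$/ { next }     # comments, blanks, $TTL/$ORIGIN
    /[ \t]SOA[ \t]/ { insoa = 1 }                  # SOA may span several lines
    insoa { if ($0 ~ /\)/) insoa = 0; next }
    {
        type = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(NS|MX|PTR|CNAME)$/) { type = $i; break }
        if (type == "") next
        target = $NF
        if (target ~ /\./ && target !~ /\.$/)
            printf "%s:%d: %s target %s has no trailing dot (BIND reads it as %s.%s.)\n",
                   FILENAME, FNR, type, target, target, origin
    }' "$2"
}

# check_zone ORIGIN FILE -> exit 0 if clean, 1 (and the findings) otherwise
check_zone() {
    findings=$(zone_problems "$1" "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone run against the constructed samples (real file: /var/named/forward.season1418).
zone_tmp=$(mktemp)
printf '%s' "$BAD_ZONE" > "$zone_tmp"
check_zone season1418.vn "$zone_tmp" || echo "BAD_ZONE: problems found (expected)"
printf '%s' "$GOOD_ZONE" > "$zone_tmp"
check_zone season1418.vn "$zone_tmp" && echo "GOOD_ZONE: clean"
rm -f "$zone_tmp"
```

Run it as `check_zone 50.168.192.in-addr.arpa /var/named/reverse.season1418` for the reverse zone too: a PTR target without the dot produces names under in-addr.arpa that no resolver will ever ask for.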


3 Setup Mail server

− Install the postfix package:

$ yum install postfix

− Install the SMTP AUTH packages:

$ yum install openssl cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain

− Create a TLS certificate (optional). A 2048-bit key is used here; 1024-bit RSA is below the minimum that current clients and CAs accept.

$ mkdir /etc/postfix/ssl
$ cd /etc/postfix/ssl
$ openssl genrsa -des3 -out smtpd.key 2048
$ chmod 600 smtpd.key
$ openssl req -new -key smtpd.key -out smtpd.csr
$ openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
$ openssl rsa -in smtpd.key -out smtpd.key.unencrypted
$ mv -f smtpd.key.unencrypted smtpd.key
$ openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 365

− The openssl rsa step and the mv strip the passphrase from smtpd.key so that Postfix can load it unattended, which is why the key file must stay mode 600. Note that smtpd.crt is signed with its own key (-signkey), not by the CA created in the last command; clients will see an untrusted certificate either way unless the CSR is signed by that CA and cacert.pem is installed on the clients.

− Edit /etc/postfix/main.cf:

# the server's FQDN
myhostname = server1.season1418.vn
mydomain = season1418.vn
myorigin = $mydomain
home_mailbox = mail/
mynetworks = 192.168.50.0/24
mynetworks_style = subnet
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
# "no" lets clients authenticate before STARTTLS, i.e. send the password in
# the clear; set this to yes once TLS works
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s


− To send mail to the Internet we use a registered mail server as a relay host (for example Google's). This means we need a Gmail account as the relay account. Suppose our address is main@season1418.vn and our relay account is my_mail@gmail.com; the recipient should then see main@season1418.vn as the sender. (Gmail normally rewrites the From header to the authenticated account unless that address has been added and verified under "Send mail as" in the Gmail settings.) Add the following lines:

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

− /etc/postfix/tls_policy is not listed here; it must exist and be compiled with postmap (an entry of the form [smtp.gmail.com]:587 encrypt forces TLS towards the relay), otherwise Postfix cannot open the map and mail to the relay is deferred.

− Edit /etc/postfix/sasl_passwd. It holds the Gmail address and password, so no other user may be able to read it (chmod 400). Use an app password rather than the account password if the account has two-factor authentication enabled.

smtp.gmail.com your-email@gmail.com:your-password

− Lock the file down and build the lookup table. postmap writes sasl_passwd.db next to it, which contains the same password and must not be group- or world-readable either:

$ sudo chown root:root /etc/postfix/sasl_passwd
$ sudo chmod 400 /etc/postfix/sasl_passwd
$ sudo postmap /etc/postfix/sasl_passwd

− Add the following lines to /etc/postfix/master.cf. smtps (port 465) is TLS-on-connect, so smtpd_tls_wrappermode=yes is required; without it the service would speak plain SMTP on 465:

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_sender=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o broken_sasl_auth_clients=yes

− Allow connections to port 25 through iptables. SMTP is TCP only, so no UDP rule is needed, and as with DNS the rule is inserted with -I so that it precedes the final REJECT. If clients are to use the smtps service on port 465 defined above, open tcp/465 in the same way.

$ sudo iptables -I INPUT -p tcp -m state --state NEW --dport 25 -j ACCEPT

− Restart the postfix and saslauthd services:

$ sudo service postfix restart
$ sudo service saslauthd restart
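Two checks worth running after the mail steps above, as an added example that is not part of the report: smtp_auth_plain_token builds the SASL PLAIN credential (RFC 4616: base64 of NUL, user, NUL, password) so that SMTP AUTH can be exercised by hand through openssl s_client, and file_is_private confirms that a credential file such as /etc/postfix/sasl_passwd or its .db is not readable by group or others. The user name alice and the password secret are placeholders.

```shell
#!/bin/sh
# Added example, not from the report: two checks for the Postfix setup.

# smtp_auth_plain_token USER PASS -> the SASL PLAIN credential (RFC 4616):
# base64 of <NUL>authcid<NUL>password with an empty authorization identity.
# Paste it after "AUTH PLAIN " in an openssl s_client session to test
# smtpd_sasl_auth_enable without a mail client.
smtp_auth_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# file_is_private PATH -> 0 if group and others have no permission bits,
# 1 otherwise. Uses the ls -l mode string, so it works on any POSIX system.
# /etc/postfix/sasl_passwd and sasl_passwd.db hold the Gmail password in
# clear text and must pass this check (the report uses chmod 400).
file_is_private() {
    mode=$(ls -ld "$1" | cut -c1-10)   # e.g. -r-------- or -rw-r--r--
    case "$mode" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Stand-alone run with placeholder credentials (alice / secret).
echo "AUTH PLAIN $(smtp_auth_plain_token alice secret)"
for f in /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db; do
    if [ -e "$f" ]; then
        if file_is_private "$f"; then echo "$f: ok"; else echo "$f: readable by group/others"; fi
    fi
done
```

From the client, run `openssl s_client -starttls smtp -crlf -connect server1.season1418.vn:25`, type `EHLO client.season1418.vn`, then `AUTH PLAIN` followed by the token; Postfix answers `235 2.7.0 Authentication successful` when SASL is wired up correctly. Because AUTH PLAIN carries the password in the clear, keep smtpd_tls_auth_only = yes on anything beyond a lab.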


4 Setup Web server

Since the Apache web server is so popular, this report uses it as the web service on our server.

− On the server, install the httpd package:

$ yum install httpd

Name-based virtual hosts (season1418.net, season1418.tk)

− Create a directory for each virtual host:

$ sudo mkdir -p /var/www/season1418.net/public_html
$ sudo mkdir -p /var/www/season1418.tk/public_html

− Change the owner to the main user (the content owner; httpd itself only needs read access):

$ sudo chown -R user:user /var/www/season1418.net/public_html
$ sudo chown -R user:user /var/www/season1418.tk/public_html

− Make the tree readable:

$ sudo chmod 755 /var/www

− Create an index page for each site: /var/www/season1418.xxx/public_html/index.html

IP-based virtual hosts (season1418.com, season1418.org)

− Create the directories for season1418.com and season1418.org in the same way.

− The additional IP addresses are added as aliases of the same eth2 NIC:

$ cd /etc/sysconfig/network-scripts
$ cp ifcfg-eth2 ifcfg-eth2:0
$ cp ifcfg-eth2 ifcfg-eth2:1
$ cp ifcfg-eth2 ifcfg-eth2:2

− Change DEVICE and IPADDR to the proper values in each alias file. For example, /etc/sysconfig/network-scripts/ifcfg-eth2:0:

DEVICE=eth2:0
BOOTPROTO=static
ONBOOT=yes
NETWORK=192.168.50.0
NETMASK=255.255.255.0
IPADDR=192.168.50.10
GATEWAY=192.168.50.1
HWADDR=08:00:27:32:DF:C2
DNS1=192.168.50.1
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes

− HWADDR must stay the same as in ifcfg-eth2, BOOTPROTO must be static because the sites need fixed addresses, and ONBOOT=yes makes the alias come up together with the parent interface. Do the same for ifcfg-eth2:1 and ifcfg-eth2:2 with IPADDR=192.168.50.11 and IPADDR=192.168.50.12 respectively.


In summary:

− Main domain: www.season1418.vn 192.168.50.1:80 (eth2)

− IP-based hosting:

www.season1418.com 192.168.50.10:80 (eth2:0)
www.season1418.org 192.168.50.11:80 (eth2:1)

− Name-based hosting:

www.season1418.net 192.168.50.12:80 (eth2:2)
www.season1418.tk 192.168.50.12:80 (eth2:2)

− Edit /etc/httpd/conf/httpd.conf:

####################################
###### IP-based & main domain ######
####################################
Listen 192.168.50.1:80
Listen 192.168.50.10:80
Listen 192.168.50.11:80
NameVirtualHost season1418.vn:80
NameVirtualHost season1418.com:80
NameVirtualHost season1418.org:80

<VirtualHost season1418.vn:80>
     ServerAdmin main@season1418.vn
     DocumentRoot /var/www/season1418.vn/public_html
     ServerName www.season1418.vn
     ServerAlias season1418.vn
     ErrorLog /var/www/season1418.vn/error.log
     CustomLog /var/www/season1418.vn/requests.log common
     Alias /~vn /var/www/season1418.vn/public_html/uservn
     Alias /~vn/dir /var/www/season1418.vn/public_html/uservn/dir
     <Directory "/var/www/season1418.vn/public_html/uservn">
         Options Indexes MultiViews FollowSymLinks
         AllowOverride None
         Order allow,deny
         Allow from all
     </Directory>
</VirtualHost>

<VirtualHost season1418.com:80>
     ServerAdmin main@season1418.vn
     DocumentRoot /var/www/season1418.com/public_html
     ServerName www.season1418.com
     ServerAlias season1418.com
     ErrorLog /var/www/season1418.com/error.log
     CustomLog /var/www/season1418.com/requests.log common
</VirtualHost>

<VirtualHost  season1418.org:80>

     ServerAdmin main@season1418.vn

     DocumentRoot /var/www/season1418.org/public_html

     ServerName www.season1418.org

     ServerAlias season1418.org

     ErrorLog /var/www/season1418.org/error.log

     CustomLog /var/www/season1418.org/requests.log common

</VirtualHost>

####################################
########### Name-based #############
####################################

Listen 192.168.50.12:80

NameVirtualHost season1418.net:80

<VirtualHost season1418.net:80>

    ServerAdmin main@season1418.vn

    DocumentRoot /var/www/season1418.net/public_html

    ServerName www.season1418.net

     ServerAlias season1418.net

     ErrorLog /var/www/season1418.net/error.log

     CustomLog /var/www/season1418.net/requests.log common

</VirtualHost>

<VirtualHost season1418.tk:80>

    ServerAdmin main@season1418.vn

    DocumentRoot /var/www/season1418.tk/public_html

    ServerName www.season1418.tk

     ServerAlias season1418.tk

     ErrorLog /var/www/season1418.tk/error.log

     CustomLog /var/www/season1418.tk/requests.log common

</VirtualHost>

− Personal web pages and personal directories on a site are set up with the Alias keyword inside that site's <VirtualHost> block (a plain alias, not mod_userdir: /~vn maps to a fixed directory rather than to a Unix user's home):

<VirtualHost season1418.vn:80>
. .
     Alias /~vn /var/www/season1418.vn/public_html/uservn
     Alias /~vn/dir /var/www/season1418.vn/public_html/uservn/dir
     <Directory "/var/www/season1418.vn/public_html/uservn">
         Options Indexes MultiViews FollowSymLinks
         AllowOverride None
         Order allow,deny
         Allow from all
     </Directory>
. .
</VirtualHost>

− Two of these options deserve a second look on a directory that users write to: Indexes publishes a listing of every subdirectory without an index file, and FollowSymLinks lets a symlink planted under uservn serve any file httpd can read outside the web root. Options -Indexes +SymLinksIfOwnerMatch keeps the feature without that exposure.
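The per-user directory block above enables Indexes and FollowSymLinks on a directory that users write to. As an added example, not part of the report, the script below audits an httpd.conf for <Directory> blocks that enable directory listings or unconditional symlink following and prints each finding. SAMPLE_CONF is a constructed configuration that places the report's uservn block next to a hardened variant.

```shell
#!/bin/sh
# Added example, not from the report: find <Directory> blocks in an Apache
# configuration that enable directory listings (Indexes) or unconditional
# symlink following (FollowSymLinks). Both are set on the report's uservn
# directory; on a directory users write to they expose file lists and, via
# a planted symlink, any file httpd can read. "All" implies both.

# Constructed configuration: the report's per-user block next to a hardened one.
SAMPLE_CONF='<VirtualHost season1418.vn:80>
    DocumentRoot /var/www/season1418.vn/public_html
    Alias /~vn /var/www/season1418.vn/public_html/uservn
    <Directory "/var/www/season1418.vn/public_html/uservn">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
    </Directory>
</VirtualHost>
<VirtualHost season1418.net:80>
    DocumentRoot /var/www/season1418.net/public_html
    <Directory "/var/www/season1418.net/public_html">
        Options -Indexes +SymLinksIfOwnerMatch
        AllowOverride None
    </Directory>
</VirtualHost>
'

# risky_options FILE -> "DIRECTORY OPTION" per risky option inside a <Directory>
risky_options() {
    awk '
    tolower($1) == "<directory"   { dir = $2; gsub(/"/, "", dir); sub(/>$/, "", dir) }
    tolower($1) == "</directory>" { dir = "" }
    dir != "" && tolower($1) == "options" {
        for (i = 2; i <= NF; i++) {
            opt = $i; sub(/^[+]/, "", opt)      # "+Indexes" still enables it
            if (opt == "Indexes" || opt == "FollowSymLinks" || opt == "All")
                print dir, opt
        }
    }' "$1"
}

# risky_count FILE -> number of findings
risky_count() {
    risky_options "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample (real file: /etc/httpd/conf/httpd.conf).
conf_tmp=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$conf_tmp"
risky_options "$conf_tmp"
rm -f "$conf_tmp"
```

The check only looks inside <Directory> blocks, which is where the report sets these options; a server-wide Options line or a .htaccess (allowed by AllowOverride Options) would need the same treatment.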

Posted: 25/10/2014, 23:13
