231
Linux Linux
Windows Linux
Linux LAN Internet
Linux Samba Microsoft
Windows Unix Samba
Samba Apache SSH
Apache SSH Internet
Internet
Internet
Internet
Internet
Nmap
11.5
DHCP IP DNS
Fedora Core DHCP server
Linux DHCP server
PC
IP
DHCP server
root root
root
11.1 DNS IP
ISP DNS server IP
Samba
Linux DNS
Linux /etc/hosts DNS
IP /etc/hosts nano
/etc/hosts
11-1 /
11-2
IP IP
IP
127.0.0.1 localhost
localhost /
Linux IP
/etc/hosts
Windows
hosts
Windows 95/98/Me hosts
c:\windows\etc\ Windows NT/2000/XP
c:\winnt\system32\drivers\etc\hosts Windows
C:\Windows c:\winnt
Linux Windows hosts
127.0.0.1       localhost.localdomain   localhost
192.168.0.10    rox.oreilly.com.tw      rox
192.168.0.9     sun.oreilly.com.tw      sun
IP
IP
/etc/hosts
11.2 Samba Windows
SMB Server Message Block
CIFS Common Internet File System
NetBIOS LanManager Linux SMB
Andrew Tridgell Linux Samba
SMB SMB Samba
Samba
Windows OS/2 Netware Unix
Windows PC Linux
Ctrl-S
Samba
http://www.samba.org/pub/samba/survey/ssstats.html Bank of
America Samba 15,000
Hewlett-Packard 7,000 Samba
11.2.1 Samba Samba
Samba nmbd smbd
/etc/samba/smbusers
/etc/samba/smb.conf /etc/samba/lmhosts smbusers Samba
Linux Windows Windows
administrator admin Linux root lmhosts
/etc/hosts Windows smb.conf Samba
smbusers lmhosts smb.conf
Samba Windows
/
Samba
Windows
system-config-samba
Samba server configuration tool 11-3
Windows
Fedora CD/DVD
11.2.2 Samba Samba server /etc/samba/smb.conf Samba
Linux smb.conf
Samba RedHat Samba
GUI Samba
Samba Samba
11-4
Windows
Samba
Samba
Samba
Samba Samba
man
smb.conf
Samba
Samba
11-5
Samba Samba
Samba
mygroup
11-6
ADS
ADS Samba server ADS Active Directory
Services
Kerberos Kerberos Samba
Kerberos Samba
ADS ADS Samba
Samba Windows domain
controller
NetBIOS
Samba Samba
Samba NetBIOS
Samba
Samba
Windows 98
Windows 3.1 Windows 95
Windows Samba server
Windows 98 Windows
Windows
... Windows Guest
Windows Linux Samba
Samba
Samba Samba
Samba Samba
11-7
Samba Samba
11-7 Unix
Linux Windows Windows
Unix Samba Samba
Windows Unix
Samba Windows Windows
Samba Unix
Samba
Unix Linux
Samba
Samba Samba
Samba
Samba
Unix Windows
Windows Samba Windows
Linux Unix
Samba
Samba
Samba
Samba
Samba
11-8 Samba
Windows
/ 11-9
Samba
11.2.3 Samba Samba
runlevel 3
smb runlevel 5 smb
Samba server
runlevel smb
runlevel Samba
smb Samba server
Ctrl-5
Ctrl-3
11.2.4 Samba Samba
Samba Windows
Linux Samba
Windows
Samba server share
\\server\share Windows
Samba
Samba
Samba Windows
Samba
Samba Windows
Samba
Internet
Samba
/usr/share/doc/samba-*/docs/htmldocs diagnosis.html
Samba
diagnosis.html Samba
server
comp.protocols.smb
Using Samba Robert Eckstein David Collier-Brown Peter
Kelly Open Publication License OPL
http://www.oreilly.com/catalog/samba
Samba Samba
/etc/samba/smb.conf
# cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
/etc/samba/smb.conf
# cp /etc/samba/smb.conf.bak /etc/samba/smb.conf
smb
# service smb restart
11.2.5 Samba Samba Windows
Linux Samba Samba
Samba
Windows OS/2 Mac OS Mac OS X SMB
Samba
11.2.4 Samba
Windows
SMB IBM Microsoft Windows
3.11/9x/Me/NT/2000/XP/2003 SMB
Samba Windows 2000/XP
Samba Samba server
server Samba Windows
Windows Samba workgroup
Windows
Samba server
server
Samba server server
Windows Samba
Windows
Windows 2000/XP
Samba
Samba
\\server\sharename
server sharename
SERVER pub \\SERVER\pub
\\SERVER\lp
Windows
\\SERVER\pub
Samba 11.2.4 Samba
Samba SMB smbclient
Samba SMB
Samba Samba server
$ smbclient -L localhost
Samba Linux
Samba server
SMB server localhost NetBIOS
$ smbclient -L server
server Linux
Samba server -U Samba server
$ smbclient -L server -U userid
SMB
$ smbclient 'service' -U userid
service SMB userid
Samba SMB //
/
$ smbclient //server/myshare -U billmccarty
Windows \ /
\\server\myshare smbclient
\\server\myshare //server/myshare
SMB smbclient
smb: dir
dir SMB dir ls
smb: \> dir
smb: \> ls
cd
smb: \> cd dir
dir dir ..
smb: \> cd ..
get
smb: \> get filename
SMB put
smb: \> put local_filename
smbclient help
smb: \> help
?              altname        archive        blocksize      cancel
case_sensitive cd             chmod          chown          del
dir            du             exit           get            hardlink
help           history        lcd            link           lowercase
ls             mask           md             mget           mkdir
more           mput           newer          open           print
printmode      prompt         put            pwd            q
queue          quit           rd             recurse        reget
rename         reput          rm             rmdir          setmode
symlink        tar            tarmode        translate      vuid
logon          !
help command
smb: \> help lcd
HELP lcd:
        [directory] change/report the local current working directory
exit quit smbclient Linux shell
Samba smbprint script
Linux smbprint
smbprint
Using Samba
smbclient
smbclient Windows
Windows
Linux smbclient Windows
Windows NetBIOS winhost
work Samba bill
[bill@linux ~]$ smbclient '//winhost/work' -U bill
Password:
Domain=[WINHOST] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \>
SMB cd tar
smb: \> cd data
smb: \data\> tar c backup.tar
SMB tar shell tar
c create
backup.tar Linux
backup.tar .tar
...
Windows Linux
tar c x extract
cd
smb: \> cd data
smb: \data\> tar x backup.tar
SMB server
backup.tar
11.3 Apache Apache Internet Apache
Internet
Linux
11.3.1 Apache Linux Apache
/
httpd mod_ssl system-config-httpd
11.3.2 Apache Apache
Apache Fedora Core 3 Apache
Apache
/etc/httpd/conf Apache
access.conf
httpd.conf
srm.conf
httpd.conf Apache
HTTP
HTTP 11-11
HTTP
www.domain.com
domain.com
Webmaster
Apache
IP
DNS
IP
IP
Webmaster
port 80
11-12 Apache virtual hosting
IP Apache
http://www.myfirstsite.com
http://www.myothersite.com
IP HTTP 1.1 HTTP 1.0
HTTP 1.0
11-13 Apache server
11-14 Apache
Apache
150
15
Apache
http://httpd.apache.org/docs-2.0 Apache
11.3.3 Apache Apache
runlevel httpd
runlevel Apache
Apache FireFox http://localhost/
11-15 Apache
Apache
http://myweb.mydomain DNS
IP IP
http://192.168.102.33 DNS IP
IP IP
/etc/hosts Windows 2000
C:\WINNT\system32\drivers\etc\hosts
Apache Apache
11.3.4 HTML document root
/var/www/html root root
Apache http://www.domain.com URL request
domain.com
index.html
public_html
/home/joe/public_html
http://www.domain.com/~joe joe joe ~
Apache
Apache /etc/httpd/conf/httpd.conf
UserDir disable
UserDir enable all
HTTP
httpd.conf
HTTP httpd.conf
Apache HTTP
all
UserDir enable bill joe andyoram
httpd.conf httpd
Apache
Apache server apache
apache /home/joe/public_html apache
apache /home /home/joe /home/joe/public_html
/home/joepublic/public_html
11-1
11-1 Apache
/home 755
/home/joe 711
/home/joe/public_html 755
/home/joe/public_html 755
/home/joe/public_html 644
11-1
Apache
Apache Apache
11.4 SSH SSH Secure Shell TCP/IP Linux
shell SSH
Telnet SSH
11.4.1 SSH SSH runlevel 3 5
sshd
sshd runlevel sshd
SSH /etc/ssh
SSH
sshd
11.4.2 SSH SSH
[bill@linux ~]$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is c0:e2:fe:8d:09:d8:e8:62:6b:36:60:b8:98:de:3f:e2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
bill@localhost's password:
[bill@linux ~]$ exit
Connection to localhost closed.
ssh RSA
yes ssh localhost
ssh ssh
bill
shell ssh sshd
exit SSH
ssh localhost
IP ssh
ssh userid@host
userid host IP
[bill@moon ~]$ ssh [email protected]
[email protected]@carbon's password: lin
[lin@carbon ~]$
moon carbon ssh carbon
RSA exit logout
SSH scp SSH
$ scp file userid@host:destination
file host destination
file userid destination
destination
$ scp rhbook_rev.txt [email protected]:rhfile
rhbook_rev.txt example.com /home/bill
rhfile destination
shell * ? scp
scp -r
Desktop newDesktop
newDesktop
$ scp -r Desktop [email protected]:newDesktop
$ scp userid@host:path localfile
host IP path localfile
userid
$ scp [email protected]:/out/ch11.doc myfile
bill author.example.com /out
ch11.doc myfile myfile
SSH sftp ftp ftp
sftp
$ sftp userid@host
SSH sftp
ftp sftp author.example.com
$ sftp bill@dhcp195
Connecting to dhcp195...
bill@dhcp195's password: bill
sftp> ls
Desktop          FC3_Snapshots    backup.tar       files
firefox-1.0.installer.tar.gz      logs
sftp> get backup.tar
Fetching /home/bill/backup.tar to backup.tar
/home/bill/backup.tar      25%   18MB   1.6MB/s   00:32 ETA
FTP help sftp
sftp> help
Available commands:
cd path                       Change remote directory to 'path'
lcd path                      Change local directory to 'path'
chgrp grp path                Change group of file 'path' to 'grp'
chmod mode path               Change permissions of file 'path' to 'mode'
chown own path                Change owner of file 'path' to 'own'
help                          Display this help text
get remote-path [local-path]  Download file
lls [ls-options [path]]       Display local directory listing
ln oldpath newpath            Symlink remote file
lmkdir path                   Create local directory
lpwd                          Print local working directory
ls [path]                     Display remote directory listing
lumask umask                  Set local umask to 'umask'
mkdir path                    Create remote directory
progress                      Toggle display of progress meter
put local-path [remote-path]  Upload file
pwd                           Display remote working directory
exit                          Quit sftp
quit                          Quit sftp
rename oldpath newpath        Rename remote file
rmdir path                    Remove remote directory
rm path                       Delete remote file
symlink oldpath newpath       Symlink remote file
version                       Show SFTP version
!command                      Execute 'command' in local shell
!                             Escape to local shell
?                             Synonym for help
11.4.3 Windows SSH ssh Linux Linux
Windows Linux Windows
SSH Simon Tatham PuTTY Windows
SSH http://www.chiark.greenend.org.uk/~sgtatham/putty/
Google "putty" PuTTY putty.exe
windows
putty.exe $PATH
putty
11-16 PuTTY
PuTTY
Hostname
SSH IP
putty.exe Windows
http://www.csie.ntu.edu.tw/~piaip/prjs/pputty/ PuTTY
Linux http://beta.wsl.sinica.edu.tw/~ylchang/putty/
Protocol
SSH PuTTY Port 22 SSH
SSH port 22 Port
Saved Sessions
Save
IP
Open PuTTY
PuTTY
Windows SSH WinSCP SCP SFTP
Windows GUI 11-17 WinSCP WinSCP
http://winscp.sourceforge.net/eng
11.4.4 TCP wrapper TCP SSH SSH
SSH
sshd runlevel
sshd
SSH TCP wrapper SSH
TCP Wrapper TCP SSH
/etc/hosts.allow
/etc/hosts.deny
/etc/hosts.allow TCP /etc/hosts.deny
TCP
/etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
TCP
/etc/hosts.allow
sshd: 127.0.0.1 1.2.3.4 1.2.3.5 1.2.4.
sshd 127.0.0.1 1.2.3.4 1.2.3.5
1.2.4.0/24
1.2.4.0 1.2.4.255 IP 127.0.0.1
/etc/hosts.allow /etc/hosts.deny
/etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
portmap line
/etc/hosts.deny
sshd: ALL
sshd
TCP wrapper TCP
/etc/services TCP
/etc/hosts.allow
ftp 192.168.100.0/24
# /etc/hosts.allow
ftp: 192.168.100.
# /etc/hosts.deny
ftp: ALL
TCP TCP wrapper
TCP UDP
11.5
Internet firewall
Linux
TCP wrapper
TCP UDP ICMP
11.5.1
11-18
SELinux SELinux
NSA Linux policy
SELinux
SELINUX NSA's Open Source Security
Enhanced Linux O'Reilly SELinux
Linux
Internet
Linux Internet
11.5.2 iptables
iptables
iptables runlevel runlevel 2 3 4 5 iptables
11.6 Nmap
Nmap
Nmap
Nmap Nmap
http://www.insecure.org/ Nmap Nmap
scan TCP UDP
Nmap
Linux Nmap
/ Nmap
nmap nmap-frontend
GNOME KDE Nmap
nmap nmapfe
Nmap FE Nmap FE nmap X Nmap FE
GUI
nmap 11-19 Nmap FE Nmap FE root
Nmap FE Scan Discover Timing
File Options Scan
Target 127.0.0.1
Scan Scan Type Connect Scan Scanned Ports Range
Given Below Range 1-1023
Scan Extensions
Scan Nmap
11-19
Nmap FE
ssh root
127.0.0.1 IP
1 - 1023 1024
1024
ISP ISP
11.7 Internet
Internet
Enter
Building Internet Firewalls Elizabeth D.
Zwicky Simon Cooper D. Brent Chapman
Building Secure Servers with Linux Linux
Michael D. Bauer
Computer Security Basics Deborah Russell G.T. Gangemi, Sr.
Linux Security Cookbook Daniel J. Barrett Richard Silverman
Robert G. Byrnes
Linux Server Hacks Linux Rob Flickenger
Practical Unix & Internet Security Simson Garfinkel Gene Spafford
Alan Schwartz
Red Hat Linux Firewalls Bill McCarty Red Hat Press
mailing list
http://www.cert.org CERT
Red Hat Network