Table of contents

Preface
Topic 13
A. NFS - Network File System
   I. Brief introduction to NFS
   Configuration files, services, script files and commands of the NFS server
      /etc/exports
      /etc/hosts.allow and /etc/hosts.deny
   Verifying that the NFS services are running
   Applying changes to /etc/exports
   Security
      Overview
      The portmapper: managing connections
      Server security: nfsd and mountd
      Client security
         The nosuid mount option
         The broken_suid mount option
      NFS and firewalls
      Tunnelling the NFS protocol through SSH
      Summary
B. NIS
   Starting the ypbind and ypxfrd services
   Checking that the services run properly
   Illustration
   Security
Appendix
   Some terms
   References
Preface
Today the Linux operating system is used in more and more branches of science as well as in everyday life, from specialised systems serving medicine and the military to educational systems and office applications for end users. In recent years Linux has step by step been brought into use in Vietnam. Many organisations, companies and IT projects choose Linux as the environment in which to develop their applications, so the need to understand this operating system has become very important and necessary. This report covers only two very small applications of network administration services on Linux: the Network File System (NFS) and the Network Information Service (NIS). There is a great deal of documentation on Linux today, but the in-depth material on any particular area is mostly in English, and furthermore Linux now has a great many distributions (over 30 as of April 2011), so in the course of this project we ran into no small difficulty consulting documents full of specialised vocabulary, as well as differences between the setup steps on each distribution. Given that, this report certainly has its share of omissions and inaccuracies, and we hope to receive our teacher's feedback. Our group sincerely thanks our teacher Nguyn Tn Khi for his guidance, and our classmates and the members of the Linux forums who helped us complete this report.
Topic 13:
Study and deploy the NIS and NFS network administration services on the Linux operating system:
- Introduce their functions.
- Supporting libraries and how to compile and install from source.
- Related services/tools and configuration files.
- Deploy the service on a server and a client.
- Illustrate concrete results.
- Safety and security mechanisms for the service.
A. NFS - NETWORK FILE SYSTEM
I. Brief introduction to NFS
NFS (Network File System) is the common file-sharing service on Linux and Unix networks today. NFS was developed to let computers mount a disk partition on a remote machine as if it were a local disk. It makes transferring files over the network faster and smoother. It also creates a potential opening for people you do not want accessing your disk over the network (so that they can read your mail, delete files and crash your system) if you set it up incorrectly.
NFS uses a client/server model. The server holds the physical disks containing the shared file systems and runs a number of background services (daemons) that serve them to clients (the export process). The services on the server also provide file security and usage accounting (file system quotas). A client that wants to use a file system shared by the server simply uses the NFS protocol to mount it into its own system.
NFS file sharing is used for many different purposes. For example, instead of every client/server system needing its own /home/username partition for each user, the directory can be stored once on a central machine (the NFS server) and the matching /home/username mounted over NFS for each user when they log in.
There are some differences between NFS versions 2, 3 and 4. You will need NFSv3 if you are installing on a large or specialised system, while NFSv2 and NFSv4 suit occasional, small-scale users. In short, NFS mounts disk partitions on remote machines as if they were local, allowing fast, centralised file sharing over the network.
II.
Setting up the server is done in two steps: set up the NFS configuration files, then start the NFS services.
1. Configuration files, services, script files and commands of the NFS server
NFS server configuration files:
   /etc/exports
   /var/lib/nfs/rmtab
   /var/lib/nfs/xtab
   /etc/hosts.allow
   /etc/hosts.deny
There are three main configuration files you will need to edit to set up an NFS server: /etc/exports, /etc/hosts.allow and /etc/hosts.deny. Their contents:
a. /etc/exports
Each line of /etc/exports has the following syntax:
   dir host1(options) host2(options) hostN(options)
where:
- dir: the directory or file system to share.
- host: one or more hosts allowed to mount dir. A host can be given as a name, as a group using the wildcard characters ? and *, or as a group given by a network address/subnet mask range.
- options: one or more options applied to the mount. In particular:
  - ro: the directory is shared read-only; the client cannot write to it.
  - rw: the client can read and write the directory.
  - no_root_squash: by default, any file request made by root on the client is treated as if it were made by the user nobody on the server (files created this way belong to the anonymous account, and the mapping uses the UID of nobody on the server, not on the client). If no_root_squash is selected, root on the client has the same access to the files on the exported system as root on the server. This can lead to serious security problems, although it may be necessary if you want to do administrative work on the client that requires the directories to be exported. Do not specify this option without a clear reason.
  - no_subtree_check: if only part of a volume is exported, a routine called subtree checking verifies that each file requested by the client lies inside the exported part. If the whole volume is exported, disabling this check speeds up transfers.
  - sync: tell the client that a write is complete, that is, committed to stable storage, only when NFS has finished handing the write to the file system. Acknowledging writes before that point can corrupt data if the server reboots.
A sample /etc/exports file:
   /usr/local   *.ipmac.vn(ro)
   /home        192.168.1.0/255.255.255.0(rw)
   /var/tmp     192.168.1.1(rw)
The first line allows every host whose name has the form somehost.ipmac.vn to mount /usr/local read-only. The second allows any host with an IP address in the 192.168.1.0/24 subnet to mount /home read-write. The third allows only the host with IP address 192.168.1.1 to mount /var/tmp read-write.
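The following audit script is an added example (not part of the original report): it parses the dir host(options) syntax described above and flags the dangerous combinations the text warns about; the /srv/build and /srv/pub lines in the sample are constructed to show what gets flagged.

```python
"""Audit an /etc/exports file for the risky settings described above.

Added example, not part of the original report: it parses the
`dir host(options) host(options)` syntax and flags every export that
uses no_root_squash, grants rw to a wildcard host, names no host at all
(which exports to every host), or uses the insecure option.
"""
import re
from dataclasses import dataclass, field

# host part (anything up to a parenthesis) followed by an optional (options) group
ENTRY_RE = re.compile(r'^([^(]*)(?:\((.*?)\))?$')


@dataclass
class Export:
    path: str
    hosts: dict = field(default_factory=dict)   # host pattern -> set of options


def parse_exports(text):
    """Parse the text of an /etc/exports file into a list of Export records."""
    exports = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        export = Export(path=fields[0])
        for token in fields[1:]:
            match = ENTRY_RE.match(token)
            if match is None:
                raise ValueError('malformed entry %r in line %r' % (token, raw))
            host = match.group(1)              # '' means "every host"
            options = set(filter(None, (match.group(2) or '').split(',')))
            export.hosts[host] = options
        exports.append(export)
    return exports


def is_wildcard(host):
    """True for the patterns that can match more than one named host."""
    return host == '' or '*' in host or '?' in host


def audit(exports):
    """Return (path, host, finding) tuples for every risky export entry."""
    findings = []
    for export in exports:
        for host, options in export.hosts.items():
            shown = host or '<everyone>'
            if host in ('', '*'):
                findings.append((export.path, shown, 'exported to every host'))
            if 'no_root_squash' in options:
                findings.append((export.path, shown,
                                 'no_root_squash: client root acts as root on the server'))
            if 'rw' in options and is_wildcard(host):
                findings.append((export.path, shown, 'rw granted to a wildcard host'))
            if 'insecure' in options:
                findings.append((export.path, shown,
                                 'insecure: requests accepted from ports above 1024'))
    return findings


# Constructed sample: the three lines from the report plus two risky lines.
SAMPLE_EXPORTS = """\
/usr/local  *.ipmac.vn(ro)
/home       192.168.1.0/255.255.255.0(rw)
/var/tmp    192.168.1.1(rw)
# the two lines below are constructed to show what the audit flags
/srv/build  *(rw,no_root_squash)
/srv/pub    (ro)
"""

if __name__ == '__main__':
    for path, host, finding in audit(parse_exports(SAMPLE_EXPORTS)):
        print('%-12s %-26s %s' % (path, host, finding))
```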
b. /etc/hosts.allow and /etc/hosts.deny
These two special files determine which machines on the network may use the services on your machine. Each line holds exactly one list: a service and a group of machines. When the server receives a request from a client, the following happens:
- hosts.allow is checked first; if the client matches a rule listed there, it is granted access.
- If the client matches no entry in hosts.allow, the server checks hosts.deny to see whether the client matches a rule listed there. If it does, the client is refused access.
- If the client matches no rule in either file, it is granted access.

The services involved:
- portmap: manages connections using RPC (Remote Procedure Call); runs on both the NFS server and the client.
- NFS: starts the RPC processes when a file-sharing request arrives; runs only on the NFS server.
- NFS lock: lets clients lock files on the NFS server through RPC.
a. Starting the portmapper
NFS depends on the connection-managing daemon (portmap or rpc.portmap), which must be started first. It should be in /sbin, though it is sometimes in /usr/sbin. Most recent Linux distributions start it from the boot scripts, but you still have to make sure it is running before you work with NFS (just run netstat -anp | grep portmap to check).
b. The daemons
The NFS service is supported by five daemons: rpc.nfsd does most of the work; rpc.lockd and rpc.statd handle file locking; rpc.mountd handles the initial mount requests; rpc.rquotad handles user quotas on exported file systems. lockd is started on demand by nfsd, so you do not need to worry much about starting it; statd, however, must be started separately.
Recent Linux distributions all have boot scripts for these daemons. They all belong to the nfs-utils package and may live in /sbin or /usr/sbin. If your distribution does not start them from its boot scripts, you should add them yourself, in the following order:
   rpc.portmap
   rpc.mountd, rpc.nfsd
   rpc.statd, rpc.lockd (if necessary)
   rpc.rquotad
To verify that the services are registered with the portmapper, run rpcinfo -p; the output should look like this:
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    749  rquotad
    100011    2   udp    749  rquotad
    100005    1   udp    759  mountd
    100005    1   tcp    761  mountd
    100005    2   udp    764  mountd
    100005    2   tcp    766  mountd
    100005    3   udp    769  mountd
    100005    3   tcp    771  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    300019    1   tcp    830  amd
    300019    1   udp    831  amd
    100024    1   udp    944  status
    100024    1   tcp    946  status
    100021    1   udp   1042  nlockmgr
    100021    3   udp   1042  nlockmgr
    100021    4   udp   1042  nlockmgr
    100021    1   tcp   1629  nlockmgr
    100021    3   tcp   1629  nlockmgr
    100021    4   tcp   1629  nlockmgr
To change what is exported, edit /etc/exports so that the directory can be mounted over NFS with the required access rights, using vi /etc/exports.
Check that the NFS, NFS lock and portmap daemons are still running and start automatically whenever the server reboots.
IV. Security
1. Overview
With NFS, two steps are needed before a client can access a resource on the server. The first is mount access. Mount access is obtained when the client tries to connect to the server: if the client's IP address matches one of the addresses in the allowed list, the client is allowed to mount. This is not really secure. Anyone able to impersonate or take over a trusted address can reach your mount point. A real-world analogy: you call a plumbing company, someone arrives and introduces himself, and you believe he really was sent by that company because he wears its staff badge; but what if the person with the badge is an impostor? Once a machine has mounted a volume, its operating system has access to every file on the volume and can write to them if the volume is exported with the rw option.
The second step is file access. This is the ordinary file access control on the client, not a special NFS feature. Each volume carries the users, groups and permissions on its files that limit access. An example: on the server the user NEO is mapped to ID 9999. NEO creates a file on the server that only NEO can access (the equivalent of chmod 600). A client machine mounts the volume holding that file. On the client, the user XONE also has ID 9999, which means XONE can access NEO's file, which only NEO should be able to read. Worse, anyone who becomes the superuser (a special UNIX account with root privileges) on the client can use su username and become anyone at all. At that point NFS is no longer a wise choice.
2. The portmapper: managing connections
The portmapper keeps a list of which services are running on which ports. A connecting machine uses this list to find the port of the service it wants to reach. The portmapper is not as bad as it was a few years ago, but it is still a worry for many system administrators. Like NIS and NFS, the portmapper really should not accept connections from outside a LAN. If you must expose them outside, be careful and check the system regularly.
Not all Linux distributions are created equal; some do not ship a trustworthy portmapper. The simple way to check whether yours is safe is to run strings /sbin/portmap | grep hosts: it should read hosts.allow and hosts.deny. Assuming the portmapper is at /sbin/portmap, you can check it with the following command, and the result should look something like this:
   # strings /sbin/portmap | grep hosts.
   /etc/hosts.allow
   /etc/hosts.deny
   @(#) hosts_ctl.c 1.4 94/12/28 17:42:27
Adding portmap: ALL to /etc/hosts.deny blocks access for everyone. Then, while access is blocked, run rpcinfo -p to check whether your portmap really reads and obeys this file; the result should be empty, or an error message. hosts.allow and hosts.deny take effect as soon as you save them; no daemon needs to be restarted. Blocking everyone is somewhat heavy-handed, so we reopen access by editing /etc/hosts.allow. First we need to understand what goes in it: basically, it lists every machine allowed to access portmap, and a machine that needs the services on your host must be approved here. Suppose your machine has the address 192.168.0.254 on the subnet 192.168.0.0 and the machines on that subnet may access it. To do this, instead of portmap: ALL we write portmap: 192.168.0.0/255.255.255.0 (if you are not sure of the network address/netmask, use ifconfig or netstat to verify them).
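The lookup order described for hosts.allow and hosts.deny (in the section on those files and again here for portmap), as an added example that is not part of the original report; the two rule lines are the portmap rules from this section, and the client patterns handled are those the report uses.

```python
"""Simulate how tcp_wrappers-aware daemons (portmap here) evaluate
/etc/hosts.allow and /etc/hosts.deny.

Added example, not part of the original report. It implements the
lookup order described above (hosts.allow first, then hosts.deny, and
access granted when neither file matches) for the client patterns the
report uses: ALL, a network/netmask pair, a plain address, and a host
or domain name. The rule files are the portmap lines from this section.
"""
import ipaddress


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(':')]
        if len(parts) < 2:
            raise ValueError('malformed rule: %r' % raw)
        daemons = set(parts[0].replace(',', ' ').split())
        clients = parts[1].replace(',', ' ').split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr, hostname=None):
    """Return True when a client (address, optional resolved name) matches a pattern."""
    if pattern == 'ALL':
        return True
    if '/' in pattern:                          # network/netmask, e.g. 192.168.0.0/255.255.255.0
        try:
            network = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(addr) in network
        except ValueError:
            return False
    if pattern.endswith('.'):                   # address prefix, e.g. 192.168.0.
        return addr.startswith(pattern)
    if pattern.startswith('.'):                 # domain suffix, e.g. .ipmac.vn
        return hostname is not None and hostname.endswith(pattern)
    return pattern == addr or pattern == hostname


def _matches(rules, daemon, addr, hostname):
    for daemons, clients in rules:
        if ('ALL' in daemons or daemon in daemons) and \
                any(client_matches(c, addr, hostname) for c in clients):
            return True
    return False


def access_allowed(daemon, addr, allow_rules, deny_rules, hostname=None):
    """Apply the documented order: hosts.allow, then hosts.deny, else allow."""
    if _matches(allow_rules, daemon, addr, hostname):
        return True
    if _matches(deny_rules, daemon, addr, hostname):
        return False
    return True                                 # no rule in either file


# The two rule lines from the section above (constructed files).
HOSTS_ALLOW = parse_rules("portmap: 192.168.0.0/255.255.255.0\n")
HOSTS_DENY = parse_rules("portmap: ALL\n")

if __name__ == '__main__':
    for daemon, addr in (('portmap', '192.168.0.45'), ('portmap', '10.0.0.7'),
                         ('lockd', '10.0.0.7')):
        verdict = access_allowed(daemon, addr, HOSTS_ALLOW, HOSTS_DENY)
        print('%-8s from %-14s -> %s' % (daemon, addr, 'allowed' if verdict else 'denied'))
```

Because the default is allow, a daemon with no rule in either file (lockd in the sample) stays reachable from anywhere; an ALL: ALL line in hosts.deny turns this into default-deny.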
3. Server security: nfsd and mountd
[...] only the superuser on the server has that privilege. This is very good, and you should probably use root_squash on every file system you export. The question remains whether the superuser on a client can su to any user and try to access or modify file systems on the server. The answer is yes, and that is really what happens (on a Linux system running NFS). Note, therefore: all important files should be owned by the superuser, and the one account the client's superuser cannot impersonate is the server's superuser.
TCP ports 1-1024 are reserved for the superuser's use (which is why they are sometimes called secure ports); other users cannot bind to them. Adding the secure option in /etc/exports means the server only honours requests coming from ports 1-1024 on the client, so the danger that a non-root user on the client could open a forged session on an unprivileged port cannot arise. This option is set by default.
4. Client security
a. The nosuid mount option
We can forbid SUID programs from working on an NFS file system with the nosuid option. Some Linux programs, such as passwd, are suid programs: they set the ID of whoever runs them to the ID of the file's owner. If a file is both owned by root and suid, the program runs with root privileges and can therefore do things only root may do (such as writing to the password file). Using nosuid is a good idea, and you should consider applying it to all NFS-mounted volumes. It means that someone with root on the server cannot create a suid-root program on the exported file system, log into the client as an ordinary user and use that suid-root program to become the superuser on the client. One could also forbid execution of files on the mounted file system altogether with the noexec option, but this is more likely to be impractical than nosuid, since a file system is likely to contain at least a few scripts or programs that need to be executed.
b. The broken_suid mount option
Some very old programs (xterm, for example) relied on the idea that root can write everywhere. This breaks on new Linux kernels on NFS mounts. The security implication is that programs performing this kind of suid behaviour may be able to change your uid outside the NFS server that does the uid mapping. For this reason broken_suid is disabled by default in the Linux kernel. If you are using an old Linux distribution, some old kind of suid program, or an older Unix of some sort, you may have to mount from the client with the broken_suid option. Recent Unixes and Linuxes, however, ship xterm and similar programs as ordinary executables that call separate programs to do their setuid work. Explanation: setuid is a process that can set its effective user to the super-user (root), meaning that although any user can run the process, the process can then claim root privileges. One example of setuid is the ArcStorm wservice process.
5. NFS and firewalls
When a daemon starts, it requests a free port from the portmapper. The portmapper hands it a port and keeps track of it. When other hosts or processes need to talk to the daemon, they ask the portmapper for the port number in order to find it. So the ports keep floating: different ports may be free at different times, and the portmapper hands them out differently each time. This is a headache for setting up a firewall, since you never know where the daemons will end up and therefore exactly which ports to allow. It is not much of a problem for the many people on a protected or isolated LAN; for users on a public network it is terrible.
From kernel 2.4.13 onwards you no longer need to worry about floating ports: every NFS-related daemon can now be pinned to a port, most of them simply with the -p option when started. The daemons are started with the following arguments or options:
- portmap always uses port 111 over tcp and ud p.
- nfsd uses port 2049 (tcp/udp).
- The others (statd, mountd, lockd, rquotad) are normally moved to the first available port assigned by the portmapper.
- To make statd bind to a specific port, use the -p port option.
- To make statd respond on a specific port, add the -o port option when starting it.
- To make mountd bind to a specific port, use the -p port option.
For example, to have statd broadcast on port 32765 and listen on port 32766, and mountd listen on port 32767, run:
   # statd -p 32765 -o 32766
   # mountd -p 32767
lockd is started by the kernel when needed, so you have to pass module or kernel options to make lockd listen and respond on a single port. If you are using loadable modules and want to specify these options in /etc/modules.conf, add the following line:
   options lockd nlm_udpport=32768 nlm_tcpport=32768
This sets port 32768 for both tcp and udp for lockd. If you are not using loadable modules, or you compiled lockd into the kernel instead of building it as a module, you need to pass the setting as an option on the kernel boot line, which looks something like this:
   vmlinuz 3 root=/dev/hda1 lockd.udpport=32768 lockd.tcpport=32768
If you use quotas and run rpc.rquotad to make them visible over NFS, you need to take it into account when setting up the firewall. There are two sources of rpc.rquotad, one in nfs-utils and the other in quota-tools, and they do not behave the same: the one shipped with nfs-utils supports binding the daemon to a port with the -p option, but the one in quota-tools does not.
Let us take an example of setting up the firewall on the server:
   NFS server: 192.168.0.42
   Client: 192.168.0.45
From the section above we have:
- statd receives requests on port 32765 and responds on port 32766
- mountd is bound to port 32767
- lockd is configured for port 32768
- nfsd is on port 2049
- the portmapper is on port 111
- and we are not using quotas.
   ipchains -A input -f -j ACCEPT -s 192.168.0.45
   ipchains -A input -s 192.168.0.45 -d 0/0 32765:32768 -p 6 -j ACCEPT
   ipchains -A input -s 192.168.0.45 -d 0/0 32765:32768 -p 17 -j ACCEPT
   ipchains -A input -s 192.168.0.45 -d 0/0 2049 -p 17 -j ACCEPT
   ipchains -A input -s 192.168.0.45 -d 0/0 2049 -p 6 -j ACCEPT
   ipchains -A input -s 192.168.0.45 -d 0/0 111 -p 17 -j ACCEPT
   ipchains -A input -s 0/0 -d 0/0 -p 6 -j DENY -y -l
   ipchains -A input -s 0/0 -d 0/0 -p 17 -j DENY -l
The first ipchains line accepts all packet fragments (except the first fragment, which is treated as a normal packet). In theory no packet passes until it has been reassembled, and reassembly fails if the first fragment was refused. Of course there are attacks that overload a machine with packet fragments, but NFS will not work correctly unless you let fragments through. The other lines accept specific connections from any port on the client to the specific ports we made available on the server. This means that if a client 192.168.0.46 tries to contact the NFS server, it will not be able to mount. With pinned ports it is clearly easy to control which hosts may mount your NFS shares. Note, however, that NFS is not an encrypted protocol: anyone on the same physical network can sniff the traffic and reconstruct the information being exchanged.
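A check for the pinning and firewall setup just described, as an added example that is not part of the original report: it parses rpcinfo -p output (constructed here, with lockd deliberately left unpinned) and compares it with the pinned ports and the ACCEPT rules above.

```python
"""Check rpcinfo -p output against the pinned ports used in the firewall example.

Added example, not part of the original report. It parses the table that
`rpcinfo -p` prints, compares each NFS-related service with the port the
section pins it to (statd 32765, mountd 32767, lockd 32768, nfsd 2049,
portmap 111), and reports registrations the ipchains rules above would
not let the client reach. The rpcinfo output below is constructed.
"""

PINNED = {                 # service name as rpcinfo prints it -> pinned port
    'portmapper': 111,
    'nfs': 2049,
    'status': 32765,       # rpc.statd -p 32765
    'mountd': 32767,       # rpc.mountd -p 32767
    'nlockmgr': 32768,     # lockd nlm_udpport=32768 nlm_tcpport=32768
}

# (proto, port) pairs the ACCEPT rules above open for the client 192.168.0.45
ALLOWED = {(proto, port) for port in range(32765, 32769) for proto in ('tcp', 'udp')}
ALLOWED |= {('tcp', 2049), ('udp', 2049), ('udp', 111)}


def parse_rpcinfo(text):
    """Return [(program, vers, proto, port, name)] rows from rpcinfo -p output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue                           # header line or junk
        program, vers, proto, port, name = fields
        rows.append((int(program), int(vers), proto, int(port), name))
    return rows


def check_pinning(rows):
    """Compare registrations with PINNED and the firewall's ACCEPT rules.

    Returns (drift, unreachable): drift holds messages for services that are
    missing or not on their pinned port; unreachable holds (name, proto, port)
    registrations that sit on the pinned port but that the rules do not accept.
    """
    drift, unreachable, seen = [], [], set()
    for _program, vers, proto, port, name in rows:
        if name not in PINNED:
            continue                           # rquotad, amd, ... are out of scope
        seen.add(name)
        if port != PINNED[name]:
            drift.append('%s v%d/%s registered on port %d, expected %d'
                         % (name, vers, proto, port, PINNED[name]))
        elif (proto, port) not in ALLOWED and (name, proto, port) not in unreachable:
            unreachable.append((name, proto, port))
    for name in PINNED:
        if name not in seen:
            drift.append('%s is not registered with the portmapper' % name)
    return drift, unreachable


# Constructed output: everything pinned except lockd, which still floats.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100021    1   udp   1042  nlockmgr
    100021    3   udp   1042  nlockmgr
    100021    4   udp   1042  nlockmgr
    100021    1   tcp   1629  nlockmgr
"""

if __name__ == '__main__':
    drift, unreachable = check_pinning(parse_rpcinfo(SAMPLE_RPCINFO))
    for message in drift:
        print('DRIFT:', message)
    for name, proto, port in unreachable:
        print('UNREACHABLE: %s on %s/%d is pinned but not in the ACCEPT rules' % (name, proto, port))
```

The unreachable list shows that the rule set above only opens UDP 111, so rpcinfo -p from the client over TCP would be dropped by the final DENY rule.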
6. Tunnelling the NFS protocol through SSH
One way to encrypt NFS traffic on the network is to use the port-forwarding capability of SSH. Doing so has a serious limitation, however, if you do not completely trust the local users on the server.
The first step is to export the file system to localhost. For example, to share /home, add the following line to /etc/exports:
   /home 127.0.0.1(rw)
The next step is to use ssh to forward the ports. ssh can tell the server to forward a port on the client to any port on any machine. As in the previous section, assume our server is 192.168.0.42 and mountd is pinned to port 32767 with -p 32767. On the client, type:
   # ssh root@192.168.0.42 -L 250:localhost:2049 -f sleep 60m
   # ssh root@192.168.0.42 -L 251:localhost:32767 -f sleep 60m
The first command tells ssh on the client to take any request directed at the client's port 250 and forward it, first through sshd on the server and then to port 2049 on the server. The second command does the same between port 251 on the client and port 32767 on the server. Here localhost refers to the server itself, which means the forwarding ends on the server. The port could otherwise have been forwarded to any machine, and the requests would then look to the outside world as if they came from the server.
7. Summary
If you use hosts.allow, hosts.deny, root_squash, nosuid and privileged ports in the portmapper/NFS software, you avoid many of the currently known bugs in NFS and can feel reasonably safe. But that is not all: once an intruder has access to your network, they can make strange commands appear in your shell, and redirect or read your mail when /home or /var/mail are shared over NFS. For that reason you should never keep PGP private keys on NFS, or at least you should be aware of the risks involved. NFS and the portmapper are by nature a very complex subsystem, so it is by no means certain that no new bugs will be found, whether in their design or in the way we use them.
B. NIS (Network Information Service)
The Network Information Service, NIS, lets you create user accounts that are shared on every system in your network. NIS is a service for centralised user authentication:
User accounts are created only on the NIS server. NIS clients download the password information they need from the NIS server to authenticate each time a user logs in. One advantage is that a user only has to change their password on the NIS server rather than on every system in the network. This makes NIS popular in computer labs, distributed software development projects, and anywhere many groups must share many different machines. User authentication is not encrypted.
NIS does not encrypt the account and password information sent to the client at every login, and every user has access to the NIS server's copy of the hashed password file.
II. Configuring NIS
Some NIS commands:
- ypcat: prints the values in an NIS map.
- ypwhich: finds the current server for the host in use.
- ypclnt: provides the YP (Yellow Pages) interface for the subsystem.
- yppasswd: changes a password in the NIS domain.
- ypmake: builds a new hash map.
- ypinit: configures a host to become a server or client.
- yppush: pushes an updated version of a map.
You must add the NIS domain you want to use to the end of the file above; for example, for the domain NIS-SCHOOL-NETWORK:
   #/etc/sysconfig/network
   NISDOMAIN="NIS-SCHOOL-NETWORK"
c. Changing /etc/yp.conf
The NIS server must also be an NIS client, so you have to adjust the NIS client configuration file /etc/yp.conf and add localhost:
   # /etc/yp.conf - ypbind configuration file
   ypserver 127.0.0.1
d. Starting the NIS server services
Start the required NIS services in /etc/init.d and use chkconfig to make sure they start automatically with the machine.
   [root@bigboy tmp]# service portmap start
   Starting portmapper: [ OK ]
   [root@bigboy tmp]# service yppasswdd start
   Starting YP passwd service: [ OK ]
   [root@bigboy tmp]# service ypserv start
   Setting NIS domain name NIS-SCHOOL-NETWORK: [ OK ]
   Starting YP server services: [ OK ]
   [root@bigboy tmp]#
   [root@bigboy tmp]# chkconfig portmap on
   [root@bigboy tmp]# chkconfig yppasswdd on
   [root@bigboy tmp]# chkconfig ypserv on
To check the status of the NIS server's services listed above before moving to the next step, use rpcinfo:
   [root@bigboy tmp]# rpcinfo -p localhost
      program vers proto   port
       100000    2   tcp    111  portmapper
       100000    2   udp    111  portmapper
       100009    1   udp    681  yppasswdd
       100004    2   udp    698  ypserv
       100004    1   udp    698  ypserv
       100004    2   tcp    701  ypserv
       100004    1   tcp    701  ypserv
   [root@bigboy tmp]#
The ypbind and ypxfrd services will not start correctly until you have initialised the NIS domain. Start them after initialisation is complete.
e. Initialising the NIS domain
Now that you have decided the NIS domain name, use ypinit to create the authentication files for the domain. You will be prompted for the NIS server's name, which in this case is bigboy. With this step, the non-privileged accounts automatically become accessible through NIS.
   [root@bigboy tmp]# /usr/lib/yp/ypinit -m
   At this point, we have to construct a list of the hosts which will run NIS servers. bigboy is in the list of NIS server hosts. Please continue to add the names for the other hosts, one per line. When you are done with the list, type a <control D>.
   next host to add: bigboy
   next host to add:
   The current list of NIS servers looks like this:
   bigboy
   Is this correct? [y/n: y] y
   We need a few minutes to build the databases...
   Building /var/yp/NIS-SCHOOL-NETWORK/ypservers...
   Running /var/yp/Makefile...
   gmake[1]: Entering directory `/var/yp/NIS-SCHOOL-NETWORK'
   Updating passwd.byname...
   Updating passwd.byuid...
   Updating group.byname...
   Updating group.bygid...
   Updating hosts.byname...
   Updating hosts.byaddr...
   Updating rpc.byname...
   Updating rpc.bynumber...
   Updating services.byname...
   Updating services.byservicename...
   Updating netid.byname...
   Updating protocols.bynumber...
   Updating protocols.byname...
   Updating mail.aliases...
   gmake[1]: Leaving directory `/var/yp/NIS-SCHOOL-NETWORK'
   bigboy has been set up as a NIS master server.
   Now you can run ypinit -s bigboy on all slave server.
   [root@bigboy tmp]#
Note: make sure portmap is running before this step, otherwise you will get an error like:
   failed to send 'clear' to local ypserv: RPC: Port mapper failure
   Updating group.bygid...
You will then have to delete the /var/yp/NIS-SCHOOL-NETWORK directory and restart portmap, yppasswd and ypserv before trying this step again.
f. Starting the ypbind and ypxfrd services
g. Checking that the services run properly
Running rpcinfo -p again should now also list the NIS services (the program-number column is not recoverable here):
      vers proto   port
         2   udp   2049  nfs
         3   udp   2049  nfs
         1   udp   1024  nlockmgr
         3   udp   1024  nlockmgr
         4   udp   1024  nlockmgr
         2   udp    784  ypserv
         1   udp    784  ypserv
         2   tcp    787  ypserv
         1   tcp    787  ypserv
         1   udp    798  yppasswdd
         1   udp    850  fypxfrd
         1   tcp    852  fypxfrd
         2   udp    924  ypbind
         1   udp    924  ypbind
         2   tcp    927  ypbind
         1   tcp    927  ypbind
   [root@bigboy tmp]#
You can check whether the authentication information has been updated with ypmatch; the result is the user's hashed password entry:
   [root@bigboy yp]# ypmatch nisuser passwd
   nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/::504:100::/home/nisuser:/bin/bash
   [root@bigboy yp]
getent has the same syntax, but unlike ypmatch it does not return the hashed password when run on the server; it only shows where the passwd entry comes from. On the client the result is the same as with ypmatch.
   [root@bigboy yp]# getent passwd nisuser
   nisuser:x:504:100::/home/nisuser:/bin/bash
   [root@bigboy yp]#
authconfig and authconfig-tui are programs that set up the NIS files automatically:
   [root@smallfry tmp]# authconfig-tui
When it finishes, it creates an /etc/yp.conf file which, among other things, defines the IP address of the NIS server for a given domain. It also changes /etc/sysconfig/network to define the NIS domain the NIS client belongs to.
   # /etc/yp.conf - ypbind configuration file
   domain NIS-SCHOOL-NETWORK server 192.168.1.100
   #/etc/sysconfig/network
   NISDOMAIN=NIS-SCHOOL-NETWORK
b. Starting the NIS client daemons
Start the ypbind client service and portmap in /etc/init.d and use chkconfig to have them start automatically after every reboot.
   [root@smallfry tmp]# service portmap start
   Starting portmapper: [ OK ]
   [root@smallfry tmp]# service ypbind start
   Binding to the NIS domain: Listening for an NIS domain server.
   [root@smallfry tmp]#
   [root@smallfry tmp]# chkconfig ypbind on
   [root@smallfry tmp]# chkconfig portmap on
c. Checking name resolution
You must check that the server's name resolves to the correct IP address:
   # File: /etc/hosts (smallfry)
   192.168.1.100 bigboy
You can use ypcat, ypmatch and getent to make sure that communication with the server is working correctly.
   [root@smallfry tmp]# ypcat passwd
   nisuser:$1$Cs2GMe6r$1hohkyG7ALrDLjH1:505:100::/home/nisuser:/bin/bash
   quotauser:!!:503:100::/home/quotauser:/bin/bash
   ftpinstall:$1$8WjAVtes$SnRh9S1w07sYkFNJwpRKa.:502:100::/:/bin/bash
   www:$1$DDCi/OPI$hwiTQ.L0XqYJUk09Bw.pJ/:504:100::/home/www:/bin/bash
   smallfry:$1$qHni9dnR$iKDs7gfyt..BS9Lry3DAq.:501:100::/:/bin/bash
   [root@smallfry tmp]#
If these commands fail, the possible causes include:
- authconfig set up incorrectly in /etc/yp.conf, /etc/sysconfig/network or /etc/nsswitch.conf
- ypinit was not run on the NIS server
- NIS is not started on the NIS server or on the client
- routing between server and client is broken, or a firewall is blocking the traffic
After setting up the NIS server, adding users and configuring the NIS client, we try logging in to the NIS server from the client. If the login fails, there are two main causes: a firewall blocking SSH and TELNET access, or those two services not having been started on the client.
i. Logging in via Telnet
   Connected to 192.168.1.201.
   Escape character is '^]'.
   Red Hat Linux release 9 (Shrike)
   Kernel 2.4.20-6 on an i686
   login: nisuser
   Password:
   Last login: Sun Nov 16 22:03:51 from 192-168-1-100.simiya.com
   [nisuser@smallfry nisuser]$
ii. Logging in via SSH
On some Linux versions the SSH service on the client does not pick up the changes you made to /etc/nsswitch.conf until SSH is restarted, so queries to the NIS server will not work until you restart SSH on the client:
   [root@smallfry root]# service sshd restart
   Stopping sshd: [ OK ]
   Starting sshd: [ OK ]
   [root@smallfry root]#
III. Illustration
[Screenshots of the setup; only their captions survive.]
Add the following line to the end of the file: declare the NIS domain as this machine itself via the loopback IP.
Here you can add a user, or add users later. Here we will add users later, by pressing "Ctrl+D".
Create a user for the client to log into the NIS server with, and import the user into the NIS domain.
Note: if you create a new user with useradd, the user exists only locally; for it to belong to the NIS domain you must import it as shown above.
IV. Security
The usual way to change an NIS password is to run yppasswd on an NIS client. This command uses the yppasswd protocol and needs rpc.yppasswdd running on the NIS server. The protocol has a drawback: the old password is sent over the network in clear text (unencrypted). That is harmless if the change succeeds, since the old password is then overwritten by the new one; but if the change fails part-way, an attacker who captured the unencrypted password can use it to log into the network. Worse, if the system administrator changes an NIS password for someone, the root password of the NIS server is transmitted in clear text over the network. To avoid this, use the rpasswd command from the pwdutils package, which is safer: rpasswd changes a user account's password on the server over a secure SSL connection. An ordinary user can only change their own password; someone who knows the administrator's password (here, the root password on the NIS server) can change any account's password by calling rpasswd with the -a option:
   -a, --admin
       With this option, rpasswd connects as administrator user to the remote server. The user has to supply the administrator password and can then change every password.
Appendix:
Some terms:
- loadable module: a module that can be loaded on demand
- Network Loadable Module (NetWare) (NLM): a network-loadable module
- Source tree: the directory in which the source code is compiled
- Traffic: the flow of data over the network
- Portmapper: the port registry, holding the list of mappings between ports and the corresponding services (similar in structure to the file C:\Windows\System32\drivers\etc\services on Windows)
- Daemon: a service running in the background on the system
- Export: sharing a file system (the export process)
-------------------------- END --------------------------