aaaaaa - dga.or.th€¦ · title: aaaaaa created date: 7/19/2015 12:30:20 am
TRANSCRIPT
![Page 1: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/1.jpg)
การติดตัง้ CentOS Linux
เพื่อใช้งาน
1
คมกรชิ ค ำสวสัดิ ์วศิวกรควำมมัน่คงปลอดภยัสำรสนเทศอำวุโสส ำนกังำนรฐับำลอเิลก็ทรอนิกส์ (องคก์ำรมหำชน)
![Page 2: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/2.jpg)
PDCA on your System.
2
- Plan
- Requirements gathering
- System design (Work flow, Diagram, Business Process)
- Shopping (Hardware/Virtualization, Software, Network)
- Do
- Secured installation
- Secured dev.
- Check
- System & Application audit (VA, PenTest)
- Act
- Hardening
![Page 3: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/3.jpg)
Linux secured installation steps
3
- Installation
- Setup OS
- Patching
- Time sync.
- Default services hardening (Disabled unneeded/unsecured services)
- Secured services installation (SSH, MySQL, Apache+PHP, FTP)
- Application installations (iTop)
- Hardening steps
- Server management (Secure Shell: SSH)
- Local firewall (iptables, ip6tables)
- Logging
- System monitoring tools
- Hands-on labs
![Page 4: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/4.jpg)
Setup a Linux server
4
![Page 5: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/5.jpg)
Virtual server ท่ีใช้ทดสอบ
5
![Page 6: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/6.jpg)
Installation
6
![Page 7: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/7.jpg)
ขัน้ตอนตรวจสอบ Installation media
7
![Page 8: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/8.jpg)
Installation
8
![Page 9: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/9.jpg)
เลือกภาษาในการติดตัง้
9
![Page 10: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/10.jpg)
เลือกประเภท Keyboard
10
![Page 11: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/11.jpg)
การจดัการ Disk
11
![Page 12: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/12.jpg)
การจดัการ Disk
12
![Page 13: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/13.jpg)
Hostname / Networking
13
![Page 14: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/14.jpg)
Networking
14
![Page 15: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/15.jpg)
Networking
15
![Page 16: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/16.jpg)
Time zone
16
![Page 17: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/17.jpg)
ROOT password
17
![Page 18: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/18.jpg)
Weak Password!!!
18
![Page 19: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/19.jpg)
จดัการ Disk partitions
19
![Page 20: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/20.jpg)
จดัการ Disk partitions
20
![Page 21: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/21.jpg)
จดัการ Disk partitions
21
![Page 22: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/22.jpg)
เร่ิมติดตัง้
22
![Page 23: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/23.jpg)
ติดตัง้แล้วเสรจ็
23
![Page 24: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/24.jpg)
ระบบพร้อมใช้งาน
24
![Page 25: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/25.jpg)
How to Disable SELINUX and IPTABLES (Just for testing system)
25
- กำร Disable SELINUX
[root@Server ~]# setenforce 0
แกไ้ขไฟล์ /etc/selinux/config โดยแกใ้ห้SELINUX=disabled
- กำร Disable IPTABLES
[root@Server ~]# chkconfig iptables off
[root@Server ~]# service iptables stop
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
![Page 26: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/26.jpg)
การจดัการ User ของ Linux เบือ้งต้น
26
- กำรเพิม่ User
[root@Server ~]# adduser admin01
- กำรแก้ Password[root@Server ~]# passwd admin01
Changing password for user admin01.
New password: <password>
Retype new password: <password>
passwd: all authentication tokens updated successfully.
![Page 27: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/27.jpg)
การจดัการ User ของ Linux เบือ้งต้น
27
- กำรลบ User (รวมถงึ User’s Home ดว้ย)[root@Server ~]# userdel -r admin01
- กำร Lock user
[root@Server ~]# usermod -L admin01
- กำร Unlock user
- [root@Server ~]# usermod -U admin01
![Page 28: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/28.jpg)
Default System Hardening
28
- Disabled unneeded/unsecured services เชน่โดยปกตแิลว้ CentOS
จะท ำกำรตดิตัง้ Postfix (Mail server) มำใหด้ว้ย ซึง่หำกไมใ่ชง้ำนควรท ำกำร Disable ดงัตวัอยำ่ง
[root@Server ~]# chkconfig postfix off
- System tuning เชน่ กำรเปิดใชง้ำน TCP syncookies เป็นตน้(/etc/sysctl.conf)
![Page 29: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/29.jpg)
Patching your Linux
29
![Page 30: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/30.jpg)
Update patch
30
[root@Server ~]# yum upgradeLoaded plugins: fastestmirror
Setting up Upgrade Process
Base | 3.7 kB 00:00
base/primary_db | 3.6 MB 00:00
Extras | 3.4 kB 00:00
extras/primary_db | 29 kB 00:00
Updates | 3.4 kB 00:00
updates/primary_db | 3.6 MB 00:01
Resolving Dependencies
--> Running transaction check
...
...
Transaction Summary
=======================================================================================================
Install 1 Package(s)
Upgrade 52 Package(s)
Total download size: 83 M
Is this ok [y/N]: y
![Page 31: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/31.jpg)
Update patch
31
-------------------------------------------------------------------------------------------------------
Total 1.3 MB/s | 83 MB 01:05
warning: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Importing GPG key 0xC105B9DE:
Userid : CentOS-6 Key (CentOS 6 Official Signing Key) <[email protected]>
Package: centos-release-6-6.el6.centos.12.2.i686 (@anaconda-CentOS-201410241409.i386/6.6)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Is this ok [y/N]:y...
...
Complete!
[root@Server ~]#
[root@Server ~]# reboot
Broadcast message from root@Server
(/dev/pts/0) at 20:31 ...
The system is going down for reboot NOW!
![Page 32: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/32.jpg)
Clock synchronizations
32
![Page 33: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/33.jpg)
เทียบเวลากบั NTP server
33
- กำรตดิตัง้ ntpdate
[root@Server ~]# yum -y install ntpdate
- เทยีบเวลำกบั NTP server
[root@Server ~]# ntpdate time.ega.or.th13 Jul 15:28:42 ntpdate[1429]: step time server 164.115.2.132 offset -25201.355561 sec
[root@Server ~]# ntpdate time.ega.or.th time.navy.mi.th13 Jul 15:29:33 ntpdate[1430]: adjust time server 203.185.69.60 offset 0.000215 sec
![Page 34: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/34.jpg)
เทียบเวลากบั NTP server
34
- กำรตดิตัง้ ntpd
[root@Server ~]# yum -y install ntp
-แกไ้ข NTP servers ในไฟล์ /etc/ntp.conf ดงันี้
server time.ega.or.th iburst
server time.navy.mi.th iburst
server time1.nimt.or.th iburst
server time2.nimt.or.th iburst
![Page 35: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/35.jpg)
เทียบเวลากบั NTP server
35
- ก ำหนดให้ ntpd ท ำงำนทุกครัง้ที่ reboot[root@Server ~]# chkconfig ntpd on
- กำร Start/Stop/Restart ntpd
[root@Server ~]# service ntpd start
[root@Server ~]# service ntpd stop
[root@Server ~]# service ntpd restart
- ตรวจสอบสถำนกำรณ์ท ำงำนของ ntpd
[root@Server ~]# ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
+164.115.2.132 203.185.67.115 3 u 34 64 1 3.932 3.032 1.926
+113.53.247.3 .PPS. 1 u 31 64 3 5.531 2.460 0.769
203.185.69.60 .STEP. 16 u - 64 0 0.000 0.000 0.000
*203.185.69.59 .GPS. 1 u 125 64 2 5.414 2.098 0.550
![Page 36: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/36.jpg)
MySQL server
36
![Page 37: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/37.jpg)
การติดตัง้ MySQL server
37
- ตดิตัง้ MySQL server
[root@Server ~]# yum -y install mysql-server
- กำรก ำหนดให้ MySQL ท ำงำนทุกครัง้เมือ่มกีำร boot เครือ่ง[root@Server ~]# chkconfig mysqld on
- กำร Start/Stop/Restart MySQL server
[root@Server ~]# service mysqld start
[root@Server ~]# service mysqld stop
[root@Server ~]# service mysqld restart
![Page 38: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/38.jpg)
MySQL server
38
- ต ำแหน่งไฟล์ Configuration ของ MySQL server
/etc/my.cnf
- ต ำแหน่งไฟล์ Logs ของ MySQL server
/var/log/mysqld.log
![Page 39: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/39.jpg)
MySQL server
39
- ตรวจสอบสถำนกำรณ์ท ำงำนของ MySQL server
[root@Server ~]# ps ax | grep mysqld
1541 ? S 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --pid-file=/var/run/mysqld/mysqld.pid --basedir=/usr --user=mysql
1643 ? Sl 0:03 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock
1915 pts/0 S+ 0:00 grep mysqld
[root@Server ~]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1643/mysqld
![Page 40: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/40.jpg)
MySQL server
40
- เข้าใช้งาน MySQL server
[root@Server ~]# mysql -u root -pEnter password:<password>Your MySQL connection id is 9
Server version: 5.1.73 Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
![Page 41: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/41.jpg)
MySQL server
41
- การตัง้ Password ให้ Root ของ MySQL (ผา่น SQL query)
[root@Server ~]# mysql -u root –p mysql
Enter password:
mysql> update user set password = password("MySQLPASSWORD") where user = "root";
Query OK, 3 rows affected (0.00 sec)
Rows matched: 3 Changed: 3 Warnings: 0
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
![Page 42: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/42.jpg)
MySQL server
42
- การตัง้ Password ให้ Root ของ MySQL (แนะน าใช้วิธีน้ี)[root@Server ~]# mysql_secure_installation
...
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Change the root password? [Y/n] Y
New password: <new-secure-password>
Re-enter new password: <new-secure-password>
Password updated successfully!
Reloading privilege tables..
... Success!
Remove anonymous users? [Y/n] Y
... Success!
![Page 43: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/43.jpg)
MySQL server
43
Disallow root login remotely? [Y/n] Y
... Success!
Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reload privilege tables now? [Y/n] Y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MySQL
installation should now be secure.
Thanks for using MySQL!
![Page 44: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/44.jpg)
MySQL server
44
- Command อ่ืนๆท่ีน่าสนใจmysql> use mysql;Database changed
mysql> select user,host,password from user;+--------+-----------+-------------------------------------------+
| user | host | password |
+--------+-----------+-------------------------------------------+
| root | localhost | *4A07491D82231F5AA938F1670CA874A1384677B0 |
| root | server | *4A07491D82231F5AA938F1670CA874A1384677B0 |
| root | 127.0.0.1 | *4A07491D82231F5AA938F1670CA874A1384677B0 |
| | localhost | |
| | server | |
| komkit | localhost | *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 |
| root | % | *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 |
+--------+-----------+-------------------------------------------+
7 rows in set (0.00 sec)
![Page 45: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/45.jpg)
MySQL server
45
- Command อ่ืนๆท่ีน่าสนใจ
mysql> show processlist;+----+------+--------------------+-------+---------+------+-------+------------------+
| Id | User | Host | db | Command | Time | State | Info |
+----+------+--------------------+-------+---------+------+-------+------------------+
| 26 | root | localhost | mysql | Query | 0 | NULL | show processlist |
| 37 | root | 192.168.38.1:54182 | NULL | Sleep | 4 | | NULL |
| 38 | root | 192.168.38.1:54183 | NULL | Sleep | 4 | | NULL |
+----+------+--------------------+-------+---------+------+-------+------------------+
3 rows in set (0.00 sec)
![Page 46: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/46.jpg)
MySQL server
46
- การก าหนดให้ MySQL server ท าการ Listen บนเฉพาะ Localhost เท่านัน้ (ในกรณทีี่ Application และ MySQL อยูบ่นเครือ่งเดยีวกนั) โดยใหท้ ำกำรแกไ้ขทีไ่ฟล์/etc/my.cnf ดงันี้
[mysqld]
bind-address=127.0.0.1
จำกนัน้ท ำกำร restart mysqld แลว้ตรวจสอบกำรท ำงำน[root@Server ~]# service mysqld restart
[root@Server ~]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1953/mysqld
![Page 47: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/47.jpg)
HTTP server
47
![Page 48: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/48.jpg)
Apache server
48
- การติดตัง้ Apache server
[root@Server ~]# yum -y install httpd
- กำรก ำหนดให้ Apache ท ำงำนทุกครัง้เมือ่มกีำร boot เครือ่ง[root@Server ~]# chkconfig httpd on
- กำร Start/Stop/Restart Apache server
[root@Server ~]# service httpd start
[root@Server ~]# service httpd stop
[root@Server ~]# service httpd restart
![Page 49: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/49.jpg)
Apache server
49
- ต ำแหน่งไฟล์ Configuration ของ Apache server
/etc/httpd/
- ต ำแหน่งไฟล์ Logs ของ Apache server
/var/log/httpd/
- ต ำแหน่งทีเ่กบ็ไฟลข์อง WWW server
/var/www/html/
![Page 50: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/50.jpg)
Apache server
50
- ตรวจสอบสถำนกำรณ์ท ำงำนของ Apache server[root@Server ~]# ps ax | grep httpd
1942 ? Ss 0:00 /usr/sbin/httpd
1944 ? S 0:00 /usr/sbin/httpd
1945 ? S 0:00 /usr/sbin/httpd
1946 ? S 0:00 /usr/sbin/httpd
1947 ? S 0:00 /usr/sbin/httpd
1948 ? S 0:00 /usr/sbin/httpd
1949 ? S 0:00 /usr/sbin/httpd
1950 ? S 0:00 /usr/sbin/httpd
1951 ? S 0:00 /usr/sbin/httpd
1955 pts/0 S+ 0:00 grep httpd
[root@Server ~]# netstat -antpActive Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 :::80 :::* LISTEN 1942/httpd
![Page 51: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/51.jpg)
Apache server
51
![Page 52: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/52.jpg)
Apache + PHP
52
- ติดตัง้ PHP
[root@Server ~]# yum -y install php php-mysql
[root@Server ~]# service httpd restart
- ทดสอบใชง้ำน PHP
[root@Server ~]# vi /var/www/html/abcde.php
<?php phpinfo(); ?>
![Page 53: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/53.jpg)
Apache + PHP
53
![Page 54: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/54.jpg)
LAMP: Linux + Apache + MySQL + PHP
54
- ทดสอบ Connect MySQL ด้วย PHP
<?php
$dbConnect = mysql_connect("localhost","root","MySQLPASSWORD");
if($dbConnect)
{
echo "Database Connected.";
}
else
{
echo "Database Connect Failed.";
}
mysql_close($dbConnect);
?>
![Page 55: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/55.jpg)
LAMP: Linux + Apache + MySQL + PHP
55
![Page 56: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/56.jpg)
Apache server (Hardening)
56
### ปิดกำรแสดง Apache version และ OS version
![Page 57: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/57.jpg)
Apache server (Hardening)
57
### แกไ้ขไฟล์ /etc/httpd/conf/httpd.conf
ServerTokens Prod
ServerSignature Off
### ท ำกำร restart httpd
[root@Server ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: httpd: apr_sockaddr_info_get() failed for Server
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
![Page 58: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/58.jpg)
Apache server (Hardening)
58
![Page 59: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/59.jpg)
Apache server (Hardening)
59
### ตวัอยำ่งเพิม่เตมิเกีย่วกบั ServerTokens
![Page 60: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/60.jpg)
Apache server (Hardening)
60
### ปิดกำรใชง้ำน Directory Listing
![Page 61: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/61.jpg)
Apache server (Hardening)
61
### แกไ้ขไฟล์ /etc/httpd/conf/httpd.conf แล้วค้นหา
<Directory "/var/www/html">
--- ตดั Output ---
Options Indexes FollowSymLinks
--- ตดั Output ---
</Directory>
### แกไ้ขเป็น<Directory "/var/www/html">
--- ตดั Output ---
Options FollowSymLinks
--- ตดั Output ---
</Directory>
![Page 62: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/62.jpg)
Apache server (Hardening)
62
![Page 63: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/63.jpg)
Apache server (Hardening)
63
### กำรจ ำกดัใหเ้ฉพำะบำง IP เขำ้ถงึ Directory โดย .htaccess
### กำรเปิดกำรใชง้ำน .htaccess
### แกไ้ขไฟล์ /etc/httpd/conf/httpd.conf แล้วค้นหา
<Directory "/var/www/html">
--- ตดั Output ---
AllowOverride None
--- ตดั Output ---
<Directory>
![Page 64: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/64.jpg)
Apache server (Hardening)
64
### แกไ้ขเป็น
<Directory "/var/www/html">
--- ตดั Output ---
AllowOverride All
--- ตดั Output ---
<Directory>
จำกนัน้ Restart httpd service
![Page 65: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/65.jpg)
Apache server (Hardening)
65
### ตวัอยำ่งกำรใชง้ำน .htaccess เพือ่จ ำกดัใหเ้ฉพำะ IP 192.168.0.0/24
เทำ่นัน้ทีส่ำมำรถเขำ้ใชง้ำน http://IP-Address/administrator ได้สำมำรถท ำไดโ้ดย สรำ้งไฟล์ .htaccess ภำยใน Directory
administrator แลว้ใสค่ำ่ Configuration ดงันี้
order deny,allow
deny from all
allow from 192.168.0.0/24
จำกนัน้ท ำกำรบนัทกึไฟล์
![Page 66: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/66.jpg)
Apache server (Hardening)
66
### ทดสอบกำรใชง้ำนจำก IP ท่ีไมใ่ช่ 192.168.0.0/24
### Log กำร Deny IP ทีเ่ขำ้ถงึ (/var/log/httpd/error_log)
[Tue Mar 17 19:26:15 2015] [error] [client 192.168.38.1] client denied by server configuration: /var/www/html/administrator
![Page 67: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/67.jpg)
Apache: enable HTTPS
67
[root@Server ~]# yum -y install mod_ssl
จำกนัน้ท ำกำร restart httpd
[root@Server ~]# service httpd restart
ตรวจสอบวำ่ HTTPS ถกูเปิดแลว้[root@Server ~]# netstat –antupProto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 :::443 :::* LISTEN 2412/httpd
![Page 68: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/68.jpg)
Apache: Redirect Users to HTTPS
68
! ท ำกำรสรำ้งไฟล์ .htaccess ใน Directory ทีต่อ้งกำรใหม้กีำรredirect เชน่ตวัอยำ่งจะสรำ้งใน path /admin
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/admin/$1 [R,L]
![Page 69: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/69.jpg)
FTP server
69
![Page 70: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/70.jpg)
การติดตัง้ FTP server (vsftpd)
70
- กำรตดิตัง้ FTP server
[root@Server httpd]# yum -y install vsftpd
- กำรก ำหนดให้ FTP ท ำงำนทุกครัง้เมือ่มกีำร boot เครือ่ง[root@Server ~]# chkconfig vsftpd on
- กำร Start/Stop/Restart MySQL server
[root@Server ~]# service vsftpd start
[root@Server ~]# service vsftpd stop
[root@Server ~]# service vsftpd restart
![Page 71: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/71.jpg)
FTP server
71
- ต ำแหน่งไฟล์ Configuration ของ FTP server
/etc/vsftpd/
- ต ำแหน่งไฟล์ Logs ของ FTP server
/var/log/xferlog
/var/log/secure
![Page 72: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/72.jpg)
FTP server
72
- ตรวจสอบสถำนกำรณ์ท ำงำนของ FTP server
[root@Server ~]# ps ax | grep vsftpd
2289 ? Ss 0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
2433 pts/0 S+ 0:00 grep vsftpd
[root@Server ~]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2289/vsftpd
![Page 73: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/73.jpg)
FTP server
73
- ท ำกำร Hardening FTP service โดยแกไ้ขไฟล์ /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
chroot_local_user=YES
![Page 74: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/74.jpg)
vsftpd with SSL
74
! ท ำกำรสรำ้ง Certificate
openssl req -x509 -nodes -days 365 -newkey rsa:1024 –keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Generating a 1024 bit RSA private key
..++++++
.........................++++++
writing new private key to '/etc/vsftpd/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TH
State or Province Name (full name) []:Bangkok
Locality Name (eg, city) [Default City]:Bangkok
Organization Name (eg, company) [Default Company Ltd]:EGA
Organizational Unit Name (eg, section) []:EGA.Security
Common Name (eg, your name or your server's hostname) []:www.ega.or.th
Email Address []:[email protected]
![Page 75: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/75.jpg)
vsftpd with SSL
75
! แกไ้ขไฟล์ /etc/vsftpd/vsftpd.conf เพิม่แถวต่อไปนี้
ssl_enable=YESrsa_cert_file=/etc/vsftpd/vsftpd.pemrsa_private_key_file=/etc/vsftpd/vsftpd.pemallow_anon_ssl=YESforce_local_data_ssl=YESforce_local_logins_ssl=YESssl_tlsv1=YESssl_sslv2=YESssl_sslv3=YESrequire_ssl_reuse=NOssl_ciphers=HIGH
![Page 76: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/76.jpg)
vsftpd with SSL
76
! ทดสอบกำรใชง้ำนผำ่น SSL
![Page 77: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/77.jpg)
vsftpd with SSL
77
! ทดสอบกำรใชง้ำนผำ่น SSL
![Page 78: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/78.jpg)
vsftpd with SSL
78
! ทดสอบใชง้ำนแบบไมผ่ำ่น SSL
X:\>ftp 172.17.12.199
Connected to 172.17.12.199.
220 Authorized person only!
User (172.17.12.199:(none)): komkit
530 Non-anonymous sessions must use encryption.
Login failed.
ftp>
![Page 79: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/79.jpg)
SFTP by OpenSSH
79
![Page 80: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/80.jpg)
กำรใชง้ำน SSH ในกำร SFTP
80
![Page 81: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/81.jpg)
กำรใชง้ำน SSH ในกำร SFTP
81
![Page 82: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/82.jpg)
Hands-on LAB
82
![Page 84: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/84.jpg)
iTop
84
- Upload iTop ไปยงั Web server โดย FTP
![Page 85: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/85.jpg)
iTop
85
- ท ำกำร Copy โฟลเ์ดอร์ web ใน iTop ไปยงั /var/www/html/itop
[root@Server ~]# cp -rv /home/admin01/iTop-2.1.0-2127/web /var/www/html/itop/
- แก้ owner ของไฟลใ์หเ้ป็น apache
[root@Server ~]# chown apache:apache -R /var/www/html/itop
- ตดิตัง้ PHP extendtion พืน้ฐำนทีจ่ ำเป็น[root@Server ~]# yum -y install php-dom php-soap php-ldap
[root@Server ~]# service httpd restart
- เพืม่ Options ให้ MySQL server โดยแกไ้ขเขำ้ไปทีไ่ฟล์ /etc/my.cnf ดงันี้
[mysqld]
max_allowed_packet=2097652
จำกนัน้ใชค้ ำสัง่ service mysqld restart
![Page 86: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/86.jpg)
iTop
86
- สรำ้ง Database ส ำหรบั iTop
[root@Server ~]# mysql -u root -pEnter password:
mysql>
mysql> create database itop;Query OK, 1 row affected (0.00 sec)
mysql> grant all on itop.* to "itopuser"@"localhost" identified by "itoppassword";
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;Query OK, 0 rows affected (0.00 sec)
mysql> quit
![Page 87: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/87.jpg)
iTop
87
![Page 88: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/88.jpg)
iTop
88
![Page 89: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/89.jpg)
iTop
89
![Page 90: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/90.jpg)
iTop
90
![Page 91: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/91.jpg)
iTop
91
![Page 92: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/92.jpg)
iTop
92
![Page 93: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/93.jpg)
iTop
93
![Page 94: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/94.jpg)
iTop
94
![Page 95: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/95.jpg)
iTop
95
![Page 96: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/96.jpg)
iTop
96
![Page 97: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/97.jpg)
iTop
97
![Page 98: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/98.jpg)
iTop
98
![Page 99: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/99.jpg)
iTop
99
![Page 100: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/100.jpg)
iTop
100
![Page 101: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/101.jpg)
iTop
101
![Page 102: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/102.jpg)
iTop
102
![Page 103: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/103.jpg)
SSH: Secure Shell
103
![Page 104: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/104.jpg)
Secure Shell (SSH)
104
Ref. http://linux-audit.com/auditing-hardening-ssh-configurations/
### แกไ้ขไฟล์ /etc/ssh/sshd_config
Protocol 2
X11Forwarding no
IgnoreRhosts yes
PermitEmptyPasswords no
LoginGraceTime 30
PermitRootLogin no
MaxAuthTries 4
![Page 105: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/105.jpg)
Secure Shell (SSH)
105
[root@Server ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
![Page 106: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/106.jpg)
Secure Shell (SSH)
106
### แกไ้ขไฟล์ /etc/ssh/sshd_config### ในสว่นนี้ควรก ำหนดใหเ้หมำะสม
AllowUsers user1 user2 user3
AllowGroup usergroup1 usergroup2
DenyUsers user1 user2 user3
DenyGroup usergroup1 usergroup2
![Page 107: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/107.jpg)
Secure Shell (SSH)
107
### ตวัอยำ่ง SSH log (/var/log/secure)
Mar 14 19:02:43 Server sshd[4698]: User cloudadmin01 from 172.17.12.5 not allowed because not listed in AllowUsers
Mar 14 19:08:11 Server sshd[4758]: User cloudadmin01 from 172.17.12.5 not allowed because none of user's groups are listed in AllowGroups
Mar 14 19:18:27 Server sshd[4972]: User cloudadmin01 from 172.17.12.5 not allowed because listed in DenyUsers
Mar 14 19:26:36 Server unix_chkpwd[9920]: password check failed for user (root)
![Page 108: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/108.jpg)
IPTABLES / IP6TABLES
108
![Page 109: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/109.jpg)
IPTABLES / IP6TABLES
109
- การก าหนดให้ iptables/ip6tables ท างานทุกครัง้ท่ี reboot เครื่อง
[root@Server sysconfig]# chkconfig iptables on
[root@Server sysconfig]# chkconfig ip6tables on
- ไฟล์ Configuration ของ iptables และ ip6tables
/etc/sysconfig/iptables
/etc/sysconfig/ip6tables
![Page 110: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/110.jpg)
IPTABLES / IP6TABLES
110
- กำร Start/Stop/Restart iptables/ip6tables service
[root@Server sysconfig]# service iptables start
[root@Server sysconfig]# service iptables stop
[root@Server sysconfig]# service iptables retart
[root@Server sysconfig]# service ip6tables start
[root@Server sysconfig]# service ip6tables stop
[root@Server sysconfig]# service ip6tables restart
![Page 111: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/111.jpg)
IPTABLES / IP6TABLES
111
- การตรวจสอบการท างานของ iptables
[root@Server sysconfig]# iptables -nvLChain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
27 1976 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 16 packets, 1872 bytes)
pkts bytes target prot opt in out source destination
![Page 112: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/112.jpg)
IPTABLES / IP6TABLES
112
- การตรวจสอบการท างานของ iptables
[root@Server sysconfig]# ip6tables -nvLChain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all * * ::/0 ::/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT all lo * ::/0 ::/0
0 0 ACCEPT udp * * ::/0 fe80::/64 state NEW udp dpt:546
0 0 ACCEPT tcp * * ::/0 ::/0 state NEW tcp dpt:22
0 0 REJECT all * * ::/0 ::/0 reject-with icmp6-adm-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all * * ::/0 ::/0 reject-with icmp6-adm-prohibited
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
![Page 113: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/113.jpg)
IPTABLES / IP6TABLES
113
- ตวัอยำ่งกำรเพิม่ Policy ให้ iptables เพือ่อนุญำตใหใ้ชง้ำน TCP/80
# Firewall configuration written by system-config-firewall# Manual customization of this file is not recommended.*filter:INPUT ACCEPT [0:0]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [0:0]-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT-A INPUT -p icmp -j ACCEPT-A INPUT -i lo -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT-A INPUT -j REJECT --reject-with icmp-host-prohibited-A FORWARD -j REJECT --reject-with icmp-host-prohibitedCOMMIT
![Page 114: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/114.jpg)
IPTABLES / IP6TABLES
114
- ตวัอยำ่งกำรเพิม่ Policy ให้ iptables เพือ่อนุญำตใหใ้ชง้ำน TCP/80 จำกตน้ทำง IP 192.168.1.0/24 เท่ำนัน้
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW –s 192.168.1.0/24 -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
![Page 115: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/115.jpg)
Logging
115
![Page 116: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/116.jpg)
Logging
116
- การส่ง System log ไปเกบ็ท่ี Syslog server ให้ท าการแก้ไขไฟล์ /etc/rsyslog.conf ดงัน้ี
*.* @IP-Log-Server
- จำกนัน้ท ำกำร restart rsyslog
[root@Server sysconfig]# service rsyslog restart
![Page 117: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/117.jpg)
System monitoring tools
117
![Page 118: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/118.jpg)
Linux-dash
118
- Linux-dash (https://github.com/afaqurk/linux-dash/)
[root@Server ~]# yum -y install git
[root@Server ~]# cd /var/www/html/
[root@Server html]# git clone https://github.com/afaqurk/linux-dash.git
Initialized empty Git repository in /var/www/html/linux-dash/.git/
remote: Counting objects: 2888, done.
Receiving objects: 100% (2888/2888), 3.26 MiB | 25 KiB/s, done.
remote: Total 2888 (delta 0), reused 0 (delta 0), pack-reused 2888
Resolving deltas: 100% (1666/1666), done.
- เข้าใช้งานท่ี https://ip-address/linux-dash/
![Page 119: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/119.jpg)
Linux-dash
119
![Page 120: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/120.jpg)
Linux-dash
120
![Page 121: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/121.jpg)
System monitoring tools
121
- Cacti (http://www.cacti.net)
- Nagios (https://www.nagios.org)
- Zabbix (http://www.zabbix.com)
![Page 122: aaaaaa - dga.or.th€¦ · Title: aaaaaa Created Date: 7/19/2015 12:30:20 AM](https://reader035.vdocuments.mx/reader035/viewer/2022071116/5fff002b3d70a51edd005809/html5/thumbnails/122.jpg)
122
Hands-on LAB