IPCop documentation

Uploaded by: trung-kien

Posted on 14-Oct-2015


AZ Software Solutions JSC: IPCop Proxy Server documentation

L An Tn, April 2006, page 1

IPCop is a dedicated Linux distribution used as a proxy server with professional firewall functionality, protecting the network against threats such as viruses and unauthorized intrusion. IPCop Firewall does not need high-end hardware, so old computers can be reused for it. Before installing and deploying IPCop, consult the list of hardware compatible with IPCop at: http://ipcop.sourceforge.net/cgi-bim/twiki/view/IPCopHCLv01.

IPCop Firewall/Router offers many powerful features that even leading commercial firewall products lack. To strengthen application security and optimize bandwidth, IPCop integrates top security programs with useful features such as:

1. Linux Netfilter (Stateful Packet Inspection): a well-known and powerful firewall.

2. Snort (Network IDS): a system for detecting unauthorized intrusions.

3. Squid Web Proxy: a program that controls and accelerates Internet access.

4. FreeS/WAN IPSec support, allowing a VPN server that gives remote users access to internal resources over encrypted, strictly authenticated sessions.

5. Common and important network services such as a DHCP server for dynamic IP address assignment and dynamic domain name registration through Dynamic DNS.

6. A friendly, easy-to-use management and configuration interface accessed through the web.

7. A mechanism for self-patching and automatic updating of security policies.

8. Quick backup and restore of the IPCop configuration when a problem occurs.

Minimum hardware requirements:

A 386 PC with 16 MB of RAM (more is advisable if Snort's IDS and Squid's Internet access acceleration are used).

An ATA hard disk of at least 125 MB + 2x (the amount of RAM). In addition, since IPCop is a firewall system, it needs at least two network interface cards (NICs): one for the external network (Internet) and one for the internal network (LAN).

Note: when IPCop is installed, the hard disk is repartitioned and all existing data on it is erased.

Network zone types:

Red: the network segment facing external systems such as the Internet.

Green: the company's internal network, containing the computers of staff and departments.

Orange: the DMZ zone for web servers and mail servers. Clients from the Internet can connect to this zone without affecting the Green zone.

Blue: a zone reserved for wireless devices, to improve the security of the computers and of the data transmitted in that environment.


DEPLOYING IPCOP FIREWALL/ROUTER

For illustration we use a network with one ADSL line and an ADSL modem at IP 192.168.8.1. The computer running IPCop then needs two network cards: Red with IP 192.168.8.2 and Green with IP 192.168.1.1.

Download the IPCop installation disc image (iso) from www.ipcop.org, then write the image to a CD with a burning program such as Nero Burn. Boot the computer from this CD; the welcome screen shown below appears.


Press Enter to start and wait for the boot process to complete.

Next, choose the display language for IPCop; version 1.4.10 supports Vietnamese from the installer through to the administration interface. Here we choose English and press OK.

The installer asks for confirmation once more; press OK to continue.


Then choose installation from CD-ROM in the Select installation media box.

IPCop reminds you that the hard disk will be repartitioned and all data on it wiped. Press OK to agree and continue, or CANCEL to abort and reboot the computer.


After the file system has been created, a screen asks whether to restore IPCop Firewall from a floppy disk holding saved configuration; choose Skip to skip this step.

Next we need to set the drivers and parameters for the network cards: choose Probe to let the system detect them automatically, or Select to specify them yourself. Note that at this step only the GREEN zone's network card is set up; the RED zone's card is set up in a later step.

Once the driver for the GREEN interface is loaded, we configure its TCP/IP parameters; following the diagram above we enter: IP address: 192.168.1.1, Network mask: 255.255.255.0.


At this point all required IPCop components are installed and the system asks you to remove the installation CD from the CD-ROM drive; press OK to begin setting up the basic configuration.

Choose US as the keyboard type and the Time zone matching your local time.


Set the hostname and domain for IPCop Firewall, e.g. ipcop and localdomain, then choose OK; this information can be changed later in the IPCop administration interface.

The next step is ISDN configuration. Since we use ADSL, choose Disable ISDN.


Next we set the remaining details: the TCP/IP settings of the RED interface, the dynamic address range handed out to clients, the DNS and gateway addresses, the system and administration website passwords, and then reboot the system.

Go to Network configuration type and choose GREEN + RED as the network configuration. Choose Drivers and card assignments to enter the network card detection function; now we set up the RED zone's network card in the same way as for the GREEN zone.

Go to Address settings and choose RED to set the IP of the RED network card. Go to DNS and Gateway settings to configure the Default Gateway and DNS Server used to connect to the Internet.


Set the IP of the RED network card: 192.168.1.2

Set the Default Gateway to the IP of the ADSL router (192.168.1.1); the DNS addresses depend on the ISP (for example FPT: 210.245.31.10 and 210.245.31.130; VDC: 203.162.4.190 and 203.162.4.191).

Configure DHCP: if the network uses static IPs, leave Enable unchecked and press OK.


Next, set the password for the root account.

Then the admin password: you will be asked for it when accessing IPCop's administration web page.

The installation is now complete. Press OK to reboot the computer.


ADMINISTERING IPCOP FIREWALL/ROUTER

IPCop can be administered through its web interface from any computer in your network, except the IPCop machine itself. Since it is a firewall, you can remove peripherals such as the mouse, keyboard and even the monitor from the IPCop Firewall to save cost and improve security. From the administration computer, enter http://ipcop:81 or http://192.168.1.1:81 (depending on the firewall's internal network address) to reach the administration login screen.

In the IPCop Firewall web administration interface, the toolbar carries control menus such as System, Status, Network, Services, Firewall... Before you can access IPCop's control functions, you must log in with the admin account.

Some of the important menus are reviewed below:

1. SYSTEM

This menu contains the following tools:

Home: return to the main administration page.

Updates: install new patches for the firewall.

Password: change the administration account details.

SSH Access: enable/disable Secure Shell so you can connect to IPCop with SSH client utilities such as PuTTY and make changes directly to the firewall's configuration files.

Shutdown: shut down or reboot the system. Periodic shutdowns/reboots can also be scheduled.

Backup: back up the entire IPCop configuration in case a problem occurs.

GUI Settings: switch the IPCop administration web interface to Vietnamese.

1.1. Updates

Under Available Updates we can see the new updates; go to www.ipcop.org, download the update file and save it on the administration computer. Then click Browse under Install new update to select this file and Upload it to the firewall; the installation runs automatically. Depending on the update, the firewall may or may not need to be rebooted.


1.2. SSH Access

To allow deeper administration of the IPCop firewall/router, the SSH server must be turned on through the SSH Access menu by choosing enable (it is disabled by default).

Note: the SSH server on IPCop uses port 222, so the SSH client must connect to port 222 instead of the usual port 22, for example:

$ ssh -p 222 root@192.168.1.192

where 192.168.1.192 is the firewall's internal network address.

1.3. GUI Settings

To switch to the Vietnamese interface, choose GUI Settings, choose Vietnamese under Select the language you wish IPCop to display in, and click Save.

Note: some add-ons only work properly with the English interface.

1.4. Backup

Click Create and choose Backup to floppy, then insert a floppy disk formatted under Linux. The command to format a floppy on a Linux system is:

# fdformat /dev/fd0

(it can be run through the SSH client).


If no floppy disk is available, click Export to create a backup file and save it in a folder on the computer. Choosing Encrypted is recommended. To load a backup file back, click Browse, select the backup file and click Import .dat to restore the configuration.

1.5. Shutdown

Click Reboot to restart, or Shutdown to power off the computer running IPCop.

IPCop can also be scheduled to reboot or shut down by itself under Schedule IPCop reboots.

2. STATUS

While the system is running we need to check the firewall's current state: which services are running, memory and disk usage, and so on.


2.1. Monitoring services

Make sure every service is in the Running state, except NTP Server and VPN; DHCP depends on whether the DHCP Server function was enabled in the configuration.

2.2. Monitoring memory

2.3. Monitoring connections


3. SERVICES

This menu manages services such as Web Proxy, Intrusion Detection, DHCP...

3.1. Proxy

Enable on Green: turns on the proxy function on the Green network. This option must be selected.

Transparent on Green: turns on the proxy's transparent mode. With this on, clients need no proxy settings in the browser; setting the Default Gateway and DNS Server to the IP address of the IPCop machine is enough to reach the Internet.

Proxy Port: any value (800 is recommended).

Log Enable: turns on logging (recommended).

Cache size: about 50 to 100 MB (depending on hard disk capacity).

URL filter: turns on URL filtering (the URL Filter plugin must be installed).

Upstream proxy: if this proxy is chained to a higher-level proxy, enter the upstream proxy's details here.

After changing the options, click Save.


3.2. Intrusion Detection

The Network Intrusion Detection System service is based on Snort and serves to prevent and detect attacks. By default the IDS only runs on the RED interface; it should be enabled on the GREEN and BLUE interfaces as well, since according to statistics up to 80% of attacks, and especially eavesdropping with tools such as dsniff, originate from inside.

To update the Snort rule database, choose Sourcefire VRT rules for registered users, enter the string ba10001f412995b5540057d97a93eaad20629d4f in Oink Code and click Save. Then click Download new ruleset to update Snort.

Note: a free account can be registered at http://www.snort.org to generate an Oink Code.

4. FIREWALL

This menu contains Port Forwarding, External Access and Firewall Options. Here we only look at Firewall Options. Choose Only RED for Disable ping response, so that IPCop does not answer ping packets from outside and hackers have a harder time probing the system.

5. LOGS

5.1. Log Settings

Log viewing options: by default the log is sorted with the oldest entries at the top, so for easier viewing tick Sort in reverse chronological order to reverse the sort order. Also choose 500 for Lines per page.


Log summaries: choose the number of days logs are kept under Keep summaries for, and the log detail level under Detail level (Medium is recommended).

Remote logging: sends logs to another computer. Not needed here, so it can be skipped.

5.2. Proxy logs

Shows the connections made through the proxy.

Source IP: choose the IP address of the computer whose connections to view (choose ALL to show every machine).

Update: refresh the report contents.

Export: export the report page being viewed to a separate web page.


INSTALLING SOME ADD-ONS FOR IPCOP

1. SSH CONNECTION TOOL

IPCop uses the SSH protocol. SSH is a secure protocol for connecting remotely to a computer; the user can run commands or copy data between the two computers.

To install add-ons on the IPCop system we use an SSH client program. This guide uses the SSHSecureShellClient software for illustration. Download SSHSecureShellClient from http://ftp.ssh.com/pub/ssh/SSHSecureShellClient-3.2.9.exe and install it on your computer.

First start Secure File Transfer Client. Click Profiles, choose Add Profile to create a new profile, enter the profile name and click Add to Profiles. Click Profiles again and choose Edit Profiles.

In the Profiles window, select the profile name on the left and set its parameters on the right. Host name is the GREEN zone IP address of the IPCop server. User name is root. By default SSH uses port 22, but IPCop uses port 222, so this must be corrected. Leave the other fields unchanged.


Click Profiles and choose the configured profile to start the connection. Enter the root password set during IPCop installation. On the first connection the program asks whether to save the host key; answer YES.

The directories and files of the IPCop server appear in the right pane. Files can now be copied from the local computer in the left pane to the IPCop server by selecting the files and folders to copy, right-clicking and choosing upload, or copied from the IPCop server to the local computer by selecting them in the right pane, right-clicking and choosing download.

After uploading the needed files to the server, run the Secure Shell Client tool. Choose the connection profile as above. After logging on you are at the IPCop server's console, where you can run commands exactly as if working directly on the server.


2. ADVANCED PROXY

Advanced Proxy is a plugin that replaces IPCop's standard Proxy service and adds many useful features.

Note: before installing and configuring Advanced Proxy, the configuration of IPCop's standard Proxy must be completed (enable Proxy on Green, set the Port, enable URL Filter, Log enable).

2.1. Download and installation

Download Advanced Proxy from http://www.advproxy.net/download.html. The downloaded file is named ipcop-advproxy-version.tar.gz, where version is the software version number.

Upload this file to the root directory of the IPCop server. Open a Secure Shell Client window, connect to the server and type the following commands:

cd /
tar xzf ipcop-advproxy-version.tar.gz    (version: type it as in the file name)
ipcop-advproxy/install

The program installs itself on the system.

2.2. Usage

The Common settings and Upstream proxy sections are no different from the above.

Note: the Proxy port here must be the same as the port set in the Proxy service.


Log enable: on.

Memory cache size: 2 MB by default; must not be set larger than 50% of RAM.

Harddisk cache size: 50 to 100 MB.

Leave the other parameters at their defaults.

Allowed subnets: default.

Unrestricted IP/MAC addresses: IP/MAC addresses listed here are not affected by the access restriction options. Enter one address per line.

Banned IP/MAC addresses: the list of banned IP/MAC addresses.


Time restrictions: limits access by time. Clients in the Unrestricted IP/MAC addresses list are not affected by this function.

Transfer limits: limits download and upload transfers. Clients in the Unrestricted IP/MAC addresses list are not affected by this when downloading; the upload limit applies to every client.

Download throttling: limits the maximum download bandwidth for the whole system (Overall limit) and per client (Limit per host). The combined bandwidth of all clients cannot exceed the Overall limit. Download throttling applies to all data passing through the proxy, or it can be set to affect only certain content types: Binary files, CD images and Multimedia.

MIME type filter: tick Enable to turn on filtering by MIME type. See http://www.iana.org/assignments/media-types/ for more on MIME types.

Web browser: restrict connections by browser. Tick Enable browser check, then select the browsers allowed to connect to the Internet.


Authentication method: choose the user authentication type. See the Advanced Proxy documentation for more.

After setting the options, click Save to keep the changes. The settings take effect when IPCop restarts; to apply them immediately, click Save and restart.
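To make the precedence of the Advanced Proxy access options above concrete, here is an added Python model of them; it is example code, not part of Advanced Proxy or of the original document. It assumes one request is judged at a time, that a banned entry wins over an unrestricted entry for the same client, and that the transfer limits are size thresholds on the request; the subnet, addresses and limits are constructed samples.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class ProxyPolicy:
    """Advanced Proxy access settings as named on the page; values are constructed samples."""
    allowed_subnets: list[str]
    unrestricted: set[str] = field(default_factory=set)  # IP or MAC addresses, one per entry
    banned: set[str] = field(default_factory=set)
    allowed_hours: tuple[int, int] = (0, 24)  # time restriction window, [start, end) hour
    max_download: int = 0  # transfer limits in bytes; 0 means no limit
    max_upload: int = 0


def decide(policy: ProxyPolicy, ip: str, mac: str, hour: int,
           download: int, upload: int) -> tuple[bool, str]:
    """Return (allowed, reason) for one request, applying the rules the page describes."""
    ids = {ip, mac.lower()}
    # Assumption: a banned entry wins even if the same client is also listed as unrestricted.
    if ids & {e.lower() for e in policy.banned}:
        return False, "banned IP/MAC"
    client = ipaddress.ip_address(ip)
    if not any(client in ipaddress.ip_network(net) for net in policy.allowed_subnets):
        return False, "outside allowed subnets"
    unrestricted = bool(ids & {e.lower() for e in policy.unrestricted})
    start, end = policy.allowed_hours
    if not unrestricted and not (start <= hour < end):
        return False, "time restriction"
    if not unrestricted and policy.max_download and download > policy.max_download:
        return False, "download limit"
    # The upload limit applies to every client, unrestricted ones included.
    if policy.max_upload and upload > policy.max_upload:
        return False, "upload limit"
    return True, ("allowed (unrestricted)" if unrestricted else "allowed")


def demo_policy() -> ProxyPolicy:
    """Constructed sample matching the GREEN network (192.168.1.0/24) used on the page."""
    return ProxyPolicy(
        allowed_subnets=["192.168.1.0/24"],
        unrestricted={"192.168.1.10", "00:11:22:33:44:55"},
        banned={"192.168.1.99"},
        allowed_hours=(8, 18),
        max_download=50 * 1024 * 1024,
        max_upload=10 * 1024 * 1024,
    )


if __name__ == "__main__":
    policy = demo_policy()
    for args in [("192.168.1.20", "aa:bb:cc:dd:ee:ff", 12, 1000, 100),
                 ("192.168.1.20", "aa:bb:cc:dd:ee:ff", 20, 1000, 100),
                 ("192.168.1.10", "00:11:22:33:44:55", 20, 100 << 20, 100),
                 ("192.168.1.99", "aa:bb:cc:dd:ee:01", 12, 10, 10)]:
        print(args[0], decide(policy, *args))
```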

3. URL FILTER

URL Filter is an unofficial add-on that is very useful for restricting users' access to forbidden web addresses. Download the installer from http://www.urlfilter.net/download.html

URL Filter is installed the same way as Advanced Proxy. After installation, a URL FILTER entry appears in the SERVICES menu.

We only look at a few of URL Filter's main and important functions.


Tick Enable custom blacklist and Enable custom whitelist to activate these two functions.

3.1. Network based access control

Multiple IP addresses can be entered, separated by spaces.

3.2. Block page settings


Redirect to this URL: redirect to this address when a user visits a blocked page.

Message line 1, 2, 3: the messages shown to the user on the warning page. If left blank, IPCop uses the default messages.

Show URL on block page: show the blocked address on the warning page.

Show IP on block page: show the user's IP address.

Use DNS Error to block URLs: show a DNS Error instead of the warning page.

3.3. Advanced settings

Enable expression lists: allow blocking by expression lists.

Block ads with empty windows: block pop-ups with empty content.

Block sites accessed by its IP address: disallow direct access by IP address.

Block all URLs not explicitly allowed: block every URL not in the whitelist.

Enable log: turn on logging.

Allow custom whitelist for banned clients: allow absolutely banned IPs to access the URLs in the whitelist.

3.4. Click Save to store the options, or Save and restart to save and restart URL Filter.
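The URL Filter options listed above interact, so this added Python example (not the add-on's own code, and not from the original document) evaluates one request against them. It assumes squidGuard-style domain lists (an entry covers its subdomains), the evaluation order shown in the code, and constructed placeholder hosts and client addresses.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def _is_ip_host(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class UrlFilter:
    """URL Filter options as named on the page, checked for one request at a time."""
    def __init__(self, whitelist=(), blacklist=(), expressions=(), banned_clients="",
                 block_ip_hosts=False, block_all_not_allowed=False, whitelist_for_banned=False):
        self.whitelist = {d.lower() for d in whitelist}    # Enable custom whitelist
        self.blacklist = {d.lower() for d in blacklist}    # Enable custom blacklist
        self.expressions = [re.compile(e, re.I) for e in expressions]  # Enable expression lists
        self.banned_clients = set(banned_clients.split())  # client IPs, entered space separated
        self.block_ip_hosts = block_ip_hosts                # Block sites accessed by its IP address
        self.block_all_not_allowed = block_all_not_allowed  # Block all URLs not explicitly allowed
        self.whitelist_for_banned = whitelist_for_banned    # Allow custom whitelist for banned clients

    @staticmethod
    def _listed(host: str, domains: set) -> bool:
        # Assumption: squidGuard-style domain lists, an entry covers the domain and its subdomains.
        return any(host == d or host.endswith("." + d) for d in domains)

    def check(self, client_ip: str, url: str) -> tuple:
        """Return ("allow" or "block", reason); the order below is this example's assumption."""
        host = (urlsplit(url).hostname or "").lower()
        whitelisted = self._listed(host, self.whitelist)
        if client_ip in self.banned_clients:
            if self.whitelist_for_banned and whitelisted:
                return "allow", "whitelist (banned client)"
            return "block", "banned client"
        if whitelisted:
            return "allow", "whitelist"
        if self.block_ip_hosts and _is_ip_host(host):
            return "block", "site accessed by IP address"
        if self._listed(host, self.blacklist):
            return "block", "blacklist"
        if any(e.search(url) for e in self.expressions):
            return "block", "expression list"
        if self.block_all_not_allowed:
            return "block", "not explicitly allowed"
        return "allow", "no rule matched"

def demo_filter() -> UrlFilter:
    """Constructed sample configuration; hosts and client IPs are placeholders."""
    return UrlFilter(whitelist=["intranet.example"], blacklist=["ads.example"],
                     expressions=[r"\.(exe|scr)(\?|$)"],
                     banned_clients="192.168.1.50 192.168.1.51",
                     block_ip_hosts=True, whitelist_for_banned=True)

if __name__ == "__main__":
    f = demo_filter()
    for ip, url in [("192.168.1.10", "http://www.ads.example/banner"),
                    ("192.168.1.50", "http://intranet.example/")]:
        print(ip, url, f.check(ip, url))
```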

3.5. URL filter maintenance

Enable automatic update: turn on automatic blacklist updates.

Automatic update schedule: the update schedule (daily, weekly, monthly).


Select download source: choose the update source.

Custom source URL: to update from a source of your own that is not in the list above, enter its address here.

Save update settings: save the chosen settings.

Update now: update the blacklist immediately.

Blacklist editor: edit your own blacklist.

Backup URL filter settings: click Create backup file to create a backup of the URL Filter configuration. Choose Include complete blacklist to back up the whole blacklist as well.

Restore URL filter settings: click Browse to locate the backup file, then click Import backup file to restore the previously saved configuration.
