. Unix Windows
. Apache Web Server
Web Server
Unix. ! ! Apache
Web Server , . "
Web Server
SSL. # $
Apache.
1. UNIX... 4
1.1 Unix ... 4
1.2 Linux... 10
1.3 !" # # Windows NT/2000 # $ UNIX ... 12
1.3.1 ! % (Identification) ... 12
1.3.2 & !' # ( ) (Access Control)... 13
1.3.3 ! * ) + (Log Files)... 15
1.3.4 " + (Networking)... 15
2. , -... 16
2.1 # !"( Unix... 16
2.1.1 Denial-Of-Service Attacks... 17
2.1.2 Access Attacks ... 17
2.1.3 Repudiation Attacks... 18
2.2 Problems with Operating System... 18
2.2.1 +/"( # ( ) ... 19
2.3 0 ) * " " # ! ... 19
2.3.1 ( + /" + ... 20
2.3.2 Modification Attacks... 22
2.3.3 " "( ' / ... 24
2.3.4 ' + (FTP)... 24
3. UNIX... 25
3.1 Utilities... 25
3.2 ' + ... 25
3.3 Shell ... 26
3.2.4 " ... 26
3.2.5 " "( ' / ... 26
3.3 ' ... 27
3.3.1 ' " " (! ... 27
3.3.2 1 * ... 28
3.3.3 +/"( # ( ) ... 28
4. PERL... 29
5. 0 , ... 31
5.1 0 "* ... 31
5.1.1 ' * + (Administrator)... 32
5.1.2 0 # / , ' *, * # +# "(... 32
5.1.3 0 " ! * / + # / % * # +# " ... 33
5.2 ' ! ! ... 34
5.2.1 0 + "+/"% # ( ) ... 34
5.2.2 0 server #( client ... 36
5.2.3 0 + $ + # % ... 41
5.3.1 ( "(... 43
5.3.2 0% ! (... 44
5.3.3 $ ( + # % # # (" # '$ server /" ... 44
6. APACHE WEB SERVER ... 45
6.1 !" Apache Web Server ... 48
6.2 / ! !" ... 49
7. . , ... 51
7.1 # "( ... 51
7.2 " ( ... 51
7.3 $ " # ... 51
8. 0 - SSL... 52
8.1 # "( . ... 53
8.2 " ( ... 55
8.3 # " + ... 56
8.4 SSL " # # "... 57
8.5 0 2 # + "( SSL... 58
8.6 !" SSL ... 58
8.7 OpenSSL ... 59
8.8 ' + # # "% ... 61
8.9 ! ( 3 ! " /% ... 61
8.10 ! ( # # " # # ! ... 62
8.11 ! ( (- # ! ( # # " ... 64
8.12 ( + SSL ... 64
8.13 "" Server ... 65
8.14 !( $ ... 66
8.15 0 # " # % ... 66
8.16 #(/ ... 67
8.17 ! *... 67
8.18 * SSLOptions ... 67
8.19 & !' # ( ) ... 68
8.20 Reverse Proxy ' * SSL... 68
9. 4 4 , ……….70
1. UNIX
1.1 Unix
% Unix '60 & ' (
% Bell. #
!
. ) Unix , ! !
. * !
! .
') 1991 "
+ , Linus Benedict Torvalds,
MS-DOS 5.0
. ,
$ $ Unix
.
Minix Andrew S.
Tanenbaum !
. % Minix
- 8086. .
Tanenbaum,
, 12000
!! “Operating System”,
.
« Linux $ # . 5 +
#( $ ) (, /( $
' ' ( ! " /
' * desktop, # " #
/ ' % . 6# %
Linux ' ) # ) * ,
/ / ( Linux / (
$ ( " " . #
!+ * *
# ( , (' " / 3….»
Eric Raymond, Open
Source Initation
linuxvalue.com
Linus Torvalds
3 / 1991 Linus Torvalds
newsgroup comp.os.minix project
posix. " -
. , 2
0.1. ( $
. # , “Freax”,
free Unix “ ” freaking.
FTP hacking 0 !
Linux . " “1
. %
Freax”.
% . ! 1991 0 0.2
. ( Unix !
. % !
-, ! $
- $ . 2
Linux - . # 0.96 40000
. ( GNU project Richard Stallman
- -
GNU C compiler
! Linux. 2
100.000 1.0 170.000 . #
- . % 1995
Linux Digital Alpha
Sun Sparc. To Linux
500.000 250.000 . "
- Linux
- . % 5
Linus Torvalds . % Linux
- - - . ,
3 ,
Linux Desktop
2.0 400.000 1,5 . .
$ .
2 . ( !
. .
- Linux !
IT Industry, ! « . ( !
. Linux
1996: FVWM '" # !
#( Robert Nation,
" # $ +
" ' window manager. O FVWM
# '$ " % 5
# /
#( + " # '
" *
!"(
3D # )
! .
1997: Afterstep
4 3 FVWM,
+ ( '
'/ %
3 $
"
# ) !
Nextstep. $
#+ "
" (
customization "
" + #
# "
« ».
1998:
Window Maker
# / Nextstep,
(#+ " # # + Afterstep, o
Window Maker $ + "( "
* #( # ' "
#+ " window
managers Linux.
KDE 1.0
# % % # # $ !
/ ! ( " + ! "
# ) ! Linux $
# % "/ " KDE 1.0
!! (. 7 " " 5/.
1999:
Enlightenment + ( " +
« » ) 3(
'"
FVWM2 %
# '
!
%
/ $
" " (
"%/"
# /*#
Manager.
0
#+ "*
# 5
# / "
2000:
ICEWM
#( #
window manager ! Linux " #(
/ # !
5 + # +
' % Linux.
" "(
# / " ) "(
" $ * ' * . KDE 2.0
* "/
'3 #
'% Linux
desktop " $%
/ " " ( #(
2 * ' "(
" 2 ! $ "*
2002: GNOME 2
" +
GNU Network Object Model Environment.
# ! "(
# )
GNU project "
/
/ "(
" +
! "(
# )
Linux. #
# " $
GUI RED
HAT.
2003: KDE 3.1.4 '* 5 5 "
# (
/ " "
' !
desktop
'3 . /% "
" ( ( KDE ( " GNOME
"
' * "( " !
# ' * , %
«# !"(
" ' » #
" #( # .
! " UNIX
/ “root” " ! . ! ( #( # " (! .
/bin 0 ' # + # ! ! ! ( *
Linux
/boot 0 ' ( ' # # ! "" ( * .
/dev 6 " # # ' (# ! " * " " ) / $
* # ( ' ( " ! (' !
" $ # %, ! #(/ /" + + # ( ) "
! "( ! # " + % ' OS).
/etc ( " " ' $ + * (system wide).
# / # '* # 5 ! .
/home ( " ! / ( home directories + ' % .
# / ! , /home/zazi ' * zazi ' /" + !! * , % (
" ! # $ " ( *$+ " " (! ) '
$ + # " $ 3 $ # ' " ' * ! /
internet, ! # / ! , * ! # # ! .
/lib 0 ' ) " )) $*" * .
/opt '" # 3( ! 5 # /*# # " ! "
# ! ' * !" * . # ( / " + #( (
!" $ KDE, GNOME, MOZILLA, OpenOffice " Apache.
/root Home " ! # ' * (root)
/sbin 0 ' ( ! # $ + ) " ! / '
* .
/usr # " /*# ' * . 0 ' ! , # ! ,
)) $*" * .
!
- ,
Microsoft. " Intel, IBM, Compaq, Hewlett Packard, Sun, Silicon Graphics, Corel, Oracle, Sybase, Informix
, ! desktop
Linux. . - 10
, -
10.000.
% 1,5 . O Linus 1998 $ , Transmeta.
# . 1
! - . . %
- palmtops
- - (fully scalable kernel). %
desktop. Linus
- (raid), ,
. (
! X-windows. 2 Linux
'* 1. Suse Linux ! "( # ) KDE
LinuxExpo, $ . 4 !
$ ,
standard .
2. Slackware Linux
- Linux
, Tanenbaum,
Torvalds Linux, : «
! .» % Torvalds.
1.2 Linux To Linux
. .
. .
Linux $ !
Gigabyte .
5 - CD . .
download .
http://www.redhat.com/
Red Hat, Red Hat Software
. 2 Graphical User Interface
text-based , Red Hat
Linux . #
! packages “RPM”. # !
GNU Network Object Model Environment (GNOME) “K Desktop Environment” (KDE), GUI X Window System.
Intel, Alpha, Sparc .
http://www.debian.org/
Debian, The
Debian Project 6 . #
! packages “dpkg”.
Intel, Alpha, Sparc , Motorola (Macintosh,
Amiga, Atari) .
http://www.suse.com/
S.u.S.E., S.u.S.E.,
, " . # ! “K Desktop
Environment” (KDE),
packages “YaST”. Intel
Alpha .
http://www.caldera.com/
OpenLinux, Caldera,
. 2 OpenLinux 2.2, Caldera
$ Linux.
" “K Desktop Environment” (KDE).
Intel .
http://www.linux-mandrake.com/
Mandrake, MandrakeSoft S.A.,
Red Hat Debian ( )
!
.
http://www.slackware.com/
Slackware, Patrick Volkerding Walnut Creek Software,
Linux. #
, -
! packages.
! $ !! libc
glibc. $ Linux.
Intel .
1.3 !" # # Windows NT/2000 "
# $" " UNIX
2icrosoft $ Windows NT/ 2000
. 4 Windows NT
1992. 7 $
, ,
threads,
- , distributed
computing
. Windows &%
!
client/server[2].
% Unix AT&T Bell.
“ ” kernel mode
user mode. . ,
[1][9]. #
UNIX $ , , -
, user mode.
1.3.1 % (Identification)
Windows
. % Windows
$ SID !
$ (Security
Accounts Manager, SAM). 1 (LM-hash & NT-native)
. . NT-native
MD4 LM-hash
DES.
UNIX
2 UNIX $
! !
.
) !
DES
/etc/passwd.
$
.
% /etc/passwd
. 2
! /etc/passwd
/etc/shadow .
1.3.2 & !" ' # ( ) (Access Control) Windows
( ! (Access Control List, ACL).
« ! » (Access Control
Entries, ACE). ( !
-
. .
. . ACL NTFS
. )
! ! .
" ! ,
. 2
!
!
.
.
UNIX
. !
UNIX
. (
, , bits !
identifier $ .
% bits ! ,
,
. : -rwxr-x--x
$ ! , 5 ,
, !
.
3." Slackware Linux
.
1.3.3 * ) + (Log Files)
Windows
. (Security Reference Monitor), $
! (Event Logger) windows ! . 1
! !
[10].
UNIX
# UNIX
! $ log files !
server . )
syslog.[8]
1.3.4 + (Networking) Windows
windows ! $ Server Message Block (SMB).
Microsoft
. , !
Internet (Common Internet File System protocol
(CIFS)) [4][6][7]. ! Windows SMB !
NET-BIOS over TCP/IP [11][12], ! NET-BIOS.
Unix
% Unix .
! $ TCP/IP. ! ,
. % (Network
File System, NFS) [13] - $
, Network Information System (NIS) [5] !
, ! . %
Network Information System ,
Unix ! /7
! DES [5]
. " ! $
Kerberos [3][14].
2. , -.
2 , ,
$ . .
, ! ,
, , ,
. .
! . ( ,
! - .
2.1 #"! " ( Unix
. !
, ,
server.
2.1.1 Denial-Of-Service Attacks
. Denial-of-service (Dos) , ,
. 2 DOS $
.
.
. # ,
! Internet,
! .
Snooping ! -
! . "
, -
! .
2.1.2 Access Attacks
2 « ! » 5
- .
.
.
Eavesdropping - " 5 -
. " !
- , 5
.
Interception - " . )
$ , !
! . 8 -
5
.
2.1.3 Repudiation Attacks
« -» . 2
, - 5 !
! .
Masquerading- H -
. ,
, - .
Denying an Event-
.
# ,
. ) ,
.
2.2 Problems with Operating System
,
, , , . .
, $
. " , !
.
2.2.1 +/ ( # ( )
,
, . 2 , , , ,
$ .
" , ! « »
. ( ! .
. ( , !
. " ,
, .
!
! . " , $ ! $
! ,
! . 2
! - . 1 -
$ . ,
! -
. , !
! . . !
! - .
. ! ! !
. ,
! $
$ ! . % !
$ ! .
2.3 0 )!* " " # !
, -
- .
- , bytes
client. .
. . .
2.3.1 ( + / +
. /
. . Web Servers
!
. 4 Web Server
- . 2
. CGI (common gateway interface) Web
server
. " http. % script CGI
, server.
CGI !
CGI
. CGI script CGI
server
$ Web, CGI script
server .
( , server
! server.
" Web Server ! ,
! server. 7
.
1 script CGI : ,
CGI script
CGI. 4
httpd.conf CGI. ScriptAlias server
! script CGI. . !
script CGI $ . #
, : “ ScriptAlias /store-
cgi/usr/local/apache/store/cgi httpd.conf, .
$ -
. $
! script CGI
. 1
script CGI
: .
script CGI
$
, *.cgi.
. ( ' ,
script CGI server. 1 ,
HTML
script CGI. % , -
CGI. # , $
file.cgi Emac,
file.cgi~. " browser
! ,
.
'* 4. ! (# # " + 5 client " Web Server
2.3.2 Modification Attacks
2 « » -
. ,
. .
! . # , -
.
. ,
. ) , -
.
.
. ,
.
. . !
-
! . " - ! ,
- !
. ( , - ! ,
. . !
. ,
!
'* 5. $ Mail Server
. ,
.
2.3.3 !" ( ' / "
server ! - . .
. , :
agent 5 agent - $
. 1 ,
, agent -
. .
, agent
5 .
.
2.3.4 " '"+ (FTP)
!
. % FTP . .
FTP 5 ! ,
server,
.
2
( ! 2
!
1 2
" 2
2
2 2
!
Denial of Service Attacks 2
" ! 2
3. UNIX
% Unix
. ) hacking $ !
, Unix ! . 9 ,
Unix !
! .
3.1 Utilities
% Unix utilities, VI, exac - , Telnet
, mail . utilities
Unix. . !
. .
utilities Unix.
7 utilities - ,
, ,
, - ,
, .
3.2 '"+
! Unix
. % Unix ,
, , . %
, . ,
, , Unix
$ . # ,
$ ,
. 1 (
) $ - .
3.3 Shell
% « » ! $
, $ . "
shell $ , . " -
, shell .
, -
.
3.2.4
% Unix . .
Telnet !
,
.
.
3.2.5 !" ( ' / "
% Unix
! ! $ , $
, ,
. % !
- , - -'
! , !! , . %
Unix, mail,
! . "
, mail .
3.3 ' !"
% Unix ,
Unix . ,
Unix - .
3.3.1 '" !" !(
% Unix
! . ( !
. . ,
, ! Unix (
).
Unix.
$ ! !
. 7 !
Unix. , .
! ! ,
. %
, 5 , ,
. 9 , 5
5 .
3.3.2 1 * " " !
LS - . "
! ,
- 5
Trojans ( ).
Who- . 2
-
. !
- - logins,
- .
Finger- " Who
! .
Finger . 3.3.3 +/ ( # ( )
Unix ( )
! . . !
. . ! Unix
, ,
! . . ! $ passwd.
$ - ! .
. ! Unix
crypt () !
- . . !
! !
5 .
$
! .
% Unix - ! ,
! . .
- ! , -
- ! ! . " ,
- ! ,
! -
.
4. PERL
Perl
World Wide Web.
# , shell Perl
Perl, LS, Who,
finger Perl. # , 5
! ,
passwd !
Unix. ( ,
. " , Perl ! $
Unix, .
. Open Perl -
Unix.
Perl , ,
, . Perl
glue language Unix Perl
Unix . Perl ,
! MS-DOS, Macintosh. "
.
Perl Wed
developers. Perl , !
client-server, script CGI. Perl
CGI script.
H Perl compile,
shell script. .
Perl .
Perl ! (strings)
. Perl
$
- ( C ).
H Perl data-reduction, ,
, ,
! . 4
, , ! ,
client-server , , !
WEB ,
. # , Perl !
Unix. .
Unix 5 script -
.
H Perl
5 . .
Perl ,
Perl. 2 ,
-
Perl. . - !!
Perl. # , shell (Unix)
Perl.
utilities Unix shell Perl. %
( ! switches) utilities string.
% Perl ! 5 .
"
$ 5
! . % , Perl
Perl ! ,
. . CGI
.
5. 0 ,
# !! ' / ", ' / " ' # ( 2
# * .
5.1 0 ! * !"
!
. .
- . %
.
, ! ,
-
. % -
.
5.1.1 '" * + (Administrator)
. !
, , , . .
- $ ,
- ! ,
- . 2 -
. . !
! . " , , ,
5
. .
- . ! !
5 !
.
5.1.2 0" # / , ' !*, * # + # (
. , , . ,
, , , - $
.
. , ,
. # - ! .
# ,
! ! -
. "
- $
. " ,
!
! .. #
, li
tsering . .
. ( , li tsering -
5.1.3 0" " * / ! + # / % *
# +#
!
! . " ,
! . "
,
$ ! .
5.2 ' " ! " !"
5.2.1 0 + + / % # ( )
% !
passwd Linux 5
! ! !
. ( ,
! interface .
! ,
! , .
%
:
% !
. ! ! !
%
% !
. !
Type in command: perl passwd
Enter your name
Lihua (my user name)
Enter your password
(If I enter lihua)
Password cannot equal to your name. (Program will be terminated)
(If I enter wer)
Password has to contain 7 characters. (Program will be terminated)
(If I enter wererwerwe)
Password has to contain at least one number and one letter. (Program will be terminated)
(If I enter wwwwww5)
The number of repeated characters in password cannot be greater than 3. (Program will be terminated)
(If I enter 411yuiq and it is in the password file)
411yuiq is used in the system, it is not allowed to use again. (Program will be terminated)
(If I enter werty56)
New Unix password
Type in your password
Retype your password
Lihua and werty56 have been successfully entered into the password file.
. ! ! -
! ! ! -
! . " ! ,
!
! .
/etc/passwd Linux
- . - ,
!
! Linux !
! . "
! (*) ! .
0 0
) , -
! Linux.
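The transcript above fixes the five rules the thesis' Perl passwd script enforces. The following is an added example, not the thesis' script: a Python checker that applies the same rules in the same order and, instead of a plaintext password file, keeps a constructed list of salted SHA-256 entries so that the "already used" check compares hashes rather than stored passwords. The salt, the hashing scheme and the sample entry are assumptions for this example; the thesis does not show its file format.

```python
"""Password-policy checker modelled on the rules the page's Perl passwd
script prints (added example, not the thesis' own code)."""
import hashlib
import os
import re

MIN_LENGTH = 7    # "Password has to contain 7 characters"
MAX_REPEATS = 3   # "repeated characters ... cannot be greater than 3"


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, hex encoded. Assumed scheme for this example only;
    a production system would use a slow KDF such as scrypt or Argon2."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed "password file": (username, salt, hash). '411yuiq' is
# already taken, matching the transcript on the page.
_SALT_A = b"saltA"
PASSWORD_FILE = [
    ("olduser", _SALT_A, hash_password("411yuiq", _SALT_A)),
]


def already_used(password: str, password_file=PASSWORD_FILE) -> bool:
    """True if the candidate hashes to an existing entry under that entry's salt."""
    return any(hash_password(password, salt) == digest
               for _user, salt, digest in password_file)


def check_password(username: str, password: str, password_file=PASSWORD_FILE):
    """Return None if the password passes every rule, else the rejection message
    (same wording as the transcript). Rules are checked in the page's order."""
    if password.lower() == username.lower():
        return "Password cannot equal to your name."
    if len(password) < MIN_LENGTH:
        return f"Password has to contain {MIN_LENGTH} characters."
    if not (re.search(r"[0-9]", password) and re.search(r"[A-Za-z]", password)):
        return "Password has to contain at least one number and one letter."
    most_common = max(password.count(c) for c in set(password))
    if most_common > MAX_REPEATS:
        return ("The number of repeated characters in password cannot be "
                f"greater than {MAX_REPEATS}.")
    if already_used(password, password_file):
        return f"{password} is used in the system, it is not allowed to use again."
    return None


def add_user(username: str, password: str, password_file=PASSWORD_FILE) -> str:
    """Validate, then append a new salted entry. Unlike the transcript, the
    confirmation does not echo the password back to the terminal."""
    problem = check_password(username, password, password_file)
    if problem:
        return problem
    salt = os.urandom(8)
    password_file.append((username, salt, hash_password(password, salt)))
    return f"{username} has been successfully entered into the password file."


if __name__ == "__main__":
    for candidate in ("lihua", "wer", "wererwerwe", "wwwwww5", "411yuiq", "werty56"):
        print(candidate, "->", check_password("Lihua", candidate) or "accepted")
```

The reuse check is the one rule worth thinking about: comparing a new password against every stored hash means the program must hash the candidate once per salt, which is cheap here but is the reason real systems keep this check small or drop it in favour of length and breach-list checks.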
5.2.2 0 server #( client
4 ,
! . .
, . # ,
! ,
. -
5 , , 5 .
" ! . .
script CGI
script
. .
error_log - . %
error_log ! . " ,
script
CGI ! ,
. 2
script CGI cgi-bin
.
# access_log error_log
client . % access_log
. %
-
:
# ,
# ! (
)
# $ $
# $ , ,
% ! ,
! - ! .
" ! site,
! .
World Wide Web server.
%
web page. "
-
!
.
" access_log:
Type in command: perl accinfo.pl
Please enter the name of the information you want to view.
Lmei
Do you want to view the particular site address?
(If I enter yes)
yes
10.2.41.39 [05/Mar/2002:14:39:59 -0500] <br>
10.2.41.39 [05/Mar/2002:14:39:59 -0500] <br>
10.2.41.39 [05/Mar/2002:14:39:59 -0500] <br>
10.2.41.39 [05/Mar/2002:14:39:59 -0500] <br>
10.2.41.39 [05/Mar/2002:14:40:05 -0500] <br>
10.2.41.39 [05/Mar/2002:14:40:05 -0500] <br>
10.2.41.39 [05/Mar/2002:14:40:14 -0500] <br>
10.3.41.129 [27/Mar/2002:19:47:36 -0500] <br>
10.3.41.129 [27/Mar/2002:19:47:37 -0500] <br>
10.3.41.129 [27/Mar/2002:19:47:37 -0500] <br>
10.3.41.129 [27/Mar/2002:19:47:37 -0500] <br>
10.3.41.129 [27/Mar/2002:19:47:39 -0500] <br>
10.3.41.129 [27/Mar/2002:19:47:39 -0500] <br>
10.3.41.129 [27/Mar/2002:19:47:39 -0500] <br>
10.3.41.129 [27/Mar/2002:19:47:39 -0500] <br>
10.3.41.129 [27/Mar/2002:19:47:44 -0500] <br>
Total number of lmei is : 16
(If I enter no)
no
Total number of lmei is : 16
. - .
" error_log:
Type in command: perl erinfo.pl
Do you want to view errors by date.
(If I enter yes)
yes
Please enter your name
srs
Please enter the year
2002
Please enter the month
Jan
Please enter the day
14
[Mon Jan 14 08:46:23 2002] [srs File does not exist<br>
[Mon Jan 14 09:17:19 2002] [srs File does not exist<br>
[Mon Jan 14 09:31:11 2002] [srs File does not exist<br>
[Mon Jan 14 09:31:13 2002] [srs File does not exist<br>
[Mon Jan 14 09:47:36 2002] [srs File does not exist<br>
[Mon Jan 14 09:55:55 2002] [srs File does not exist<br>
[Mon Jan 14 10:24:56 2002] [srs File does not exist<br>
[Mon Jan 14 10:56:55 2002] [srs File does not exist<br>
[Mon Jan 14 11:04:54 2002] [srs File does not exist<br>
[Mon Jan 14 11:13:29 2002] [srs File does not exist<br>
[Mon Jan 14 12:00:55 2002] [srs File does not exist<br>
[Mon Jan 14 12:03:06 2002] [srs File does not exist<br>
[Mon Jan 14 12:18:30 2002] [srs File does not exist<br>
[Mon Jan 14 12:19:52 2002] [srs File does not exist<br>
[Mon Jan 14 12:32:13 2002] [srs File does not exist<br>
[Mon Jan 14 12:32:29 2002] [srs File does not exist<br>
[Mon Jan 14 12:51:36 2002] [srs File does not exist<br>
[Mon Jan 14 13:10:31 2002] [srs File does not exist<br>
[Mon Jan 14 13:10:31 2002] [srs File does not exist<br>
[Mon Jan 14 13:12:59 2002] [srs File does not exist<br>
(if I enter no)
no
please enter your name
srs
File does not exist[Mon Jan 14 12:51:36 2002] [ /home/srs/public_html/Math251-Fall01/Sig_vs_hypoth.htm <br>
File does not exist[Mon Jan 14 13:10:31 2002] [ /home/srs/public_html/Math151hw25.htm <br>
File does not exist[Mon Jan 14 13:10:31 2002] [ /home/srs/public_html/Math151hw28.htm <br>
File does not exist[Mon Jan 14 13:12:59 2002] [ /home/srs/public_html/Math251-Fall01/index.htm <br>
File does not exist[Tue Mar 5 14:44:01 2002] [ /home/srs/public_html/Math151hw33.htm <br>
File does not exist[Wed Mar 27 16:24:42 2002] [ /home/srs/public_html/Math151-Sp02/Day24.htm <br>
File does not exist[Wed Mar 27 16:45:39 2002] [ /home/srs/public_html/Math251hw20.htm <br>
File does not exist[Wed Mar 27 18:03:20 2002] [ /home/srs/public_html/Math151-Sp02/Day24.htm <br>
. - $
script ! .
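The two transcripts above (accinfo.pl over access_log, erinfo.pl over error_log) answer the same questions an administrator asks of an Apache server: how often a user's pages were requested and from which addresses, and which "File does not exist" errors hit that user's public_html on a given day. The following Python is an added example that is not the thesis' code; it parses the standard Common Log Format and the classic error_log format and adds one check the transcripts do not show, a per-host 404 count. The log lines are constructed for the example and only echo the addresses and dates in the transcripts.

```python
"""Apache access_log / error_log analysis (added example; constructed data)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines: Common Log Format and the Apache 1.3/2.0 error_log format.
ACCESS_LOG = """\
10.2.41.39 - - [05/Mar/2002:14:39:59 -0500] "GET /~lmei/index.html HTTP/1.0" 200 1043
10.2.41.39 - - [05/Mar/2002:14:40:05 -0500] "GET /~lmei/pic.gif HTTP/1.0" 200 5120
10.3.41.129 - - [27/Mar/2002:19:47:36 -0500] "GET /~lmei/ HTTP/1.1" 304 -
10.3.41.129 - - [27/Mar/2002:19:47:39 -0500] "GET /~srs/Math151hw25.htm HTTP/1.1" 404 276
10.3.41.129 - - [27/Mar/2002:19:47:44 -0500] "GET /~lmeix/ HTTP/1.1" 404 276
"""

ERROR_LOG = """\
[Mon Jan 14 08:46:23 2002] [error] [client 10.2.41.39] File does not exist: /home/srs/public_html/Math151hw25.htm
[Mon Jan 14 13:12:59 2002] [error] [client 10.2.41.39] File does not exist: /home/srs/public_html/Math251-Fall01/index.htm
[Tue Mar  5 14:44:01 2002] [error] [client 10.3.41.129] File does not exist: /home/lmei/public_html/missing.htm
[Wed Mar 27 16:24:42 2002] [notice] Apache configured -- resuming normal operations
"""

CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$')
ERR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\]'
    r'(?: \[client (?P<client>[^\]]+)\])? (?P<message>.*)$')


def parse_access(text=ACCESS_LOG):
    """Yield one dict per well-formed CLF line; malformed lines are skipped."""
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        parts = m["request"].split()          # METHOD PATH PROTOCOL
        yield {
            "host": m["host"],
            "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": parts[1] if len(parts) >= 2 else "",
            "status": int(m["status"]),
        }


def parse_error(text=ERROR_LOG):
    """Yield one dict per error_log line; the [client ...] field is optional."""
    for line in text.splitlines():
        m = ERR_RE.match(line)
        if not m:
            continue
        yield {
            "time": datetime.strptime(m["time"], "%a %b %d %H:%M:%S %Y"),
            "level": m["level"],
            "client": m["client"],
            "message": m["message"],
        }


def requests_for_user(user, text=ACCESS_LOG):
    """Entries for the user's public_html area: /~user or /~user/... (case-insensitive)."""
    pat = re.compile(rf"^/~{re.escape(user)}(/|$)", re.IGNORECASE)
    return [e for e in parse_access(text) if pat.match(e["path"])]


def hits_by_host(user, text=ACCESS_LOG):
    """Which addresses requested the user's pages, and how often."""
    return Counter(e["host"] for e in requests_for_user(user, text))


def errors_for_user(user, on_date=None, text=ERROR_LOG):
    """'File does not exist' errors under /home/<user>/; on_date is (year, month, day) or None."""
    home = f"/home/{user}/"
    out = []
    for e in parse_error(text):
        if e["level"] != "error" or home not in e["message"]:
            continue
        if on_date and (e["time"].year, e["time"].month, e["time"].day) != tuple(on_date):
            continue
        out.append(e)
    return out


def not_found_by_host(text=ACCESS_LOG):
    """Hosts ranked by 404 count; many 404s from one host usually means path guessing."""
    return Counter(e["host"] for e in parse_access(text) if e["status"] == 404)


if __name__ == "__main__":
    print("lmei requests:", len(requests_for_user("Lmei")), dict(hits_by_host("lmei")))
    print("srs errors on 14 Jan 2002:", len(errors_for_user("srs", (2002, 1, 14))))
    print("404s per host:", dict(not_found_by_host()))
```

The user match is anchored (`/~lmei` followed by `/` or end of path) so that `/~lmeix/` is not counted for `lmei`, a detail that a plain substring search, which is what a quick script tends to do, gets wrong.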
5.2.3 0 + " $ + #! %
% Unix
! . % Unix ! (log files)
5 , , . %
,
. * ,
- 5 bug,
, $ . )
$ , .
! $
- , - , , $
, ! . " ,
. "
! , -
5 - .
, Unix /var/log/secure,
logins
Unix . % /var/log/messages
logins, logout, logins
Unix .
!
! Unix .
,
! .
% logins
var/log/secure Unix
. ,
! . (
- ! 5 .
% logins var/log/messages
logins Unix .
Unix , 8 6 .
5
.
# logins:
Type in command: perl fail
Please enter your user name:
(If I enter root)
root
Please enter the month
(If I enter April)
Apr
Please enter the day
(If I enter 17)
17
Here is the information on failed logins:
Apr 17 1:30 Failed Login Authentication Failure
Apr 17 2:30 Failed Login Authentication Failure
8 is the number of failure.
# logins:
5.3 !" ( + # + # " % /
!" * .
/ ,
server. # server -
. ,
.
5.3.1
server
:
: server
- . (
-
server
server.
. . 2
server ,
- (
).
Type command: perl logins
Apr 17 1:30 root LOGIN
Apr 17 19:38 Li LOGIN
. server
. 1
,
.
2 ,
, .
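The 'fail' transcript in 5.2.3 (failed logins for one user on one day) and the 'logins' transcript in 5.3.1 (who logged in successfully) both read syslog-style records from /var/log/secure and /var/log/messages. The following Python is an added example, not the thesis' scripts, that extracts both kinds of record and adds the step an administrator actually wants from such a report: a flag when failures against one account on one day cross a threshold. The log lines are constructed in the message format written by the util-linux login program; the host name, PIDs and times are made up.

```python
"""Console login success/failure extraction from syslog-style lines
(added example; constructed data)."""
import re
from collections import defaultdict

SECURE_LOG = """\
Apr 17 01:30:12 srv login[2211]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
Apr 17 01:30:19 srv login[2211]: FAILED LOGIN 2 FROM (null) FOR root, Authentication failure
Apr 17 02:30:03 srv login[2398]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure
Apr 17 02:30:10 srv login[2398]: ROOT LOGIN ON tty1
Apr 17 19:38:44 srv login[3102]: LOGIN ON tty2 BY li
Apr 18 09:01:05 srv login[3310]: FAILED LOGIN 1 FROM (null) FOR li, Authentication failure
Apr 18 09:01:30 srv sshd[3320]: Accepted password for li from 10.3.41.129 port 40122 ssh2
"""

# Syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^FAILED LOGIN \d+ FROM \S+ FOR (?P<user>[^,]+), (?P<reason>.*)$")
ROOT_OK_RE = re.compile(r"^ROOT LOGIN ON (?P<tty>\S+)$")
USER_OK_RE = re.compile(r"^LOGIN ON (?P<tty>\S+) BY (?P<user>\S+)$")


def parse(text=SECURE_LOG):
    """Yield the syslog fields of each well-formed line."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.groupdict()


def failed_logins(user, mon=None, day=None, text=SECURE_LOG):
    """(month, day, time, reason) for each failed login of `user`, optionally on one day."""
    out = []
    for rec in parse(text):
        f = FAILED_RE.match(rec["msg"])
        if not f or f["user"] != user:
            continue
        if mon and rec["mon"] != mon:
            continue
        if day and int(rec["day"]) != day:
            continue
        out.append((rec["mon"], int(rec["day"]), rec["time"], f["reason"]))
    return out


def successful_logins(text=SECURE_LOG):
    """(month, day, time, user, tty) for every console login that succeeded."""
    out = []
    for rec in parse(text):
        m = ROOT_OK_RE.match(rec["msg"])
        if m:
            out.append((rec["mon"], int(rec["day"]), rec["time"], "root", m["tty"]))
            continue
        m = USER_OK_RE.match(rec["msg"])
        if m:
            out.append((rec["mon"], int(rec["day"]), rec["time"], m["user"], m["tty"]))
    return out


def failures_over_threshold(threshold=3, text=SECURE_LOG):
    """{(user, month, day): count} for accounts whose failures that day reach the threshold."""
    counts = defaultdict(int)
    for rec in parse(text):
        f = FAILED_RE.match(rec["msg"])
        if f:
            counts[(f["user"], rec["mon"], int(rec["day"]))] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    for entry in failed_logins("root", "Apr", 17):
        print("%s %d %s Failed Login %s" % entry)
    print(len(failed_logins("root", "Apr", 17)), "is the number of failure.")
    for mon, day, time, user, tty in successful_logins():
        print(mon, day, time, user, "LOGIN on", tty)
    print("over threshold:", failures_over_threshold())
```

A successful root login a few seconds after a run of failures for root, as in the constructed data, is the pattern to look for when reading the two reports together; counting failures alone, as the 'fail' script does, misses it.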
5.3.2 0% " (
, " ,
." 1
- . "
.
5.3.3 $ ( + # " % # # ( " # '$ " server
/ .
. server -
server . . -
, - ,
- .
workstation server o
.
( server
( . .,
server. % NFS
.)
( . ., ,
)
server. ,
server
server. ( , -
, , shell, script,
server (
! server -).
1 (DNS vs. NIS). 1 server
. !
DNS spoofing. .
. !
server - .
# (IP, IPX, AppleTalk, DecNet, . .)
" . 2
, .
6. APACHE WEB SERVER
% + ! 1995 software server web “public
domain HTTP daemon” Rob McCool
- Illinois. # -
“ ” HTTP Rob McCool NCSA
1994
. 2
$ . . Brian Behlendorf
Cliff Skolnick $ email,
, logins - server
( bandwidth HotWired.
+ ! , 8 “Apache Group”.[19]
* HTTPD NCSA !
! !
server (0.6.2)
Apache Server 1995. NCSA - -
HTTPD Brandon Long Beth Frank -
NCSA project
- . . Apache server
$
. % 2 1995 -
-
Apache, o Robert Thau server
! modular API . Apache
! server /
0.7 0.8.8 1995.[19]
2 - , ,
modules Apache 1.0 1 ! 1995.
Apache server
1 HTTP server HTTPD NCSA
$ ! .
% 1999 Apache Group Apache Software
- , -
Apache HTTP Server.
$ (The Core)
Apache.
5
. )
!
site
apache -
apache server.
. %
Apache Group
- - . %
email. # 40 email
$
'* 6. Apache web server Windows
, , !
$
. -
site
. . 5
$
. " !
5 . [19]
6.1 Apache Web Server
# Apache
Apache.
7 . .
Apache Foundation
compile . 2
.
, modules
( . PHP)
. .
. )
! (security patches)
.
" Apache
binary Apache
modules ! $ . binary
. " backdoor.
binary $ - Apache $ -
module. ( binary .
6.2 / "
! Apache $ internet
. # -
! Apache. :
$ ./configure --prefix=/usr/local/apache
configure Makefile
- compile,
5 –prefix
apachectl - Apache.
$ make
# make install
# /usr/local/apache/bin/apachectl start
2 Apache -
$ Apache -
- .
# cd /etc/rc3.d
# ln -s /usr/local/apache/bin/apachectl S85httpd
4 - o Apache
- internet browser ! server (
localhost ) - .
% Modules
. modules
server. #
module
mod_ssl. % modules - :
1. mod_userdir – " Web server
~username. module
! server .
2. mod_info – 1 server web
3. mod_status – 1 server
web.
4. mod_include – 1 SSI. "
.
,
module .
$ ./configure \
> --prefix=/usr/local/apache \
> --enable-module=rewrite \
> --enable-module=so \
> --disable-module=imap \
> --disable-module=userdir
Apache 2 - .
$ ./configure \
> --prefix=/usr/local/apache \
> --enable-rewrite \
> --enable-so \
> --disable-imap \
> --disable-userdir
7. . ,
(
$ « »
. / internet
! .
4 internet
-
.
7.1 # " (
( -
,
.
7.2 " (
.
- . 4 100
- 1000 .
" !
.
7.3 $" #
# - .
4
.
!!
, .
$
.
8. 0 - SSL
% SSL (Secure Socket Layer) TLS (Transport Layer Security)
HTTP
IMAP
NNTP. ) HTTP
$ SSL
HTTP (HTTPS).
H Netscape
SSL 1994
1995. % TLS IETF
SSL . "
SSL
! . %
TLS
- Netscape Microsoft
. #
SSL. 4
SSL server
http browser https.
SSL 443.[18]
8.1 # " ( .
% SSL . (
!
, . 2
$
. ,
, $
.
$
.
" ( #
"
, . .
DES,
triple-Des, RC4, RC2. #
bits. 4 , ! 5
, bits ,
’ - -
.
%
, - . %
, . ,
$ , 5
!
. % ! ! :
# ! ;
,
, !
- $ .
" #
% .
! $ , $ :
. % ,
. ,
.
( !!
, ! !
. ,
.
%
. . RSA .
.
,
$
. " , .
% SSL
( $ handshaking) -
. 8.2 " (
.
) ,
. " -,
.
. digest algorithms ! , 5
. 5
$ .
2 « » . ,
5 5 ,
. 2 5
- .
5 . # 5 MD5 SHA.
5 , ,
- 5
. . , MACs, 5
, . %
- ! . "
! ,
5 . . HMAC .
% SSL MAC
5 ! ! .
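Section 8.2 above explains that a MAC is a digest keyed with a secret shared by both ends, that HMAC is the standard construction, and that SSL protects each record with such a MAC so that modification is detected. The following Python is an added illustration, not part of the thesis and not the exact byte layout of the SSL/TLS record MAC: it keys HMAC-SHA256 over a sequence number and payload, so the receiver rejects a tampered record and also a replayed or reordered one. The key here is generated at random in place of the one a real handshake derives.

```python
"""Record integrity with a keyed MAC, as SSL/TLS does per record
(added example; simplified, not the TLS record format)."""
import hashlib
import hmac
import os


def record_mac(key: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over the 64-bit sequence number followed by the payload.
    Binding the sequence number is what makes replay and reordering detectable."""
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def send(self, payload: bytes):
        rec = (self.seq, payload, record_mac(self.key, self.seq, payload))
        self.seq += 1
        return rec


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.expected = key, 0

    def receive(self, rec):
        """Return the payload if the record is authentic and next in order, else None."""
        seq, payload, tag = rec
        if seq != self.expected:                      # replay or out of order
            return None
        if not hmac.compare_digest(tag, record_mac(self.key, seq, payload)):
            return None                               # modified in transit (or wrong key)
        self.expected += 1
        return payload


def demo():
    """Exercise accept / tamper / replay; returns the four outcomes."""
    key = os.urandom(32)                              # stands in for the handshake-derived key
    s, r = Sender(key), Receiver(key)
    r1 = s.send(b"GET / HTTP/1.1")
    r2 = s.send(b"Host: www.example.com")
    ok = r.receive(r1)
    tampered = (r2[0], b"Host: www.attacker.example", r2[2])   # payload changed, old tag kept
    rejected = r.receive(tampered)
    accepted = r.receive(r2)                          # the genuine record still goes through
    replayed = r.receive(r1)                          # seq 0 again: refused
    return ok, rejected, accepted, replayed


def unkeyed_digest_is_forgeable(payload: bytes, forged: bytes) -> bool:
    """Contrast: anyone can recompute a plain hash for a changed payload, so a
    bare digest gives no integrity against an active attacker."""
    return hashlib.sha256(forged).digest() == hashlib.sha256(forged).digest() \
        and hashlib.sha256(payload).digest() != hashlib.sha256(forged).digest()


if __name__ == "__main__":
    print(demo())
```

`hmac.compare_digest` is used for the tag comparison so that the check takes the same time whether the first or the last byte differs; an early-exit comparison leaks how much of a guessed tag is right.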
8.3 # +
% SSL !
. %
5 . ,
, .
: 5 $
. 2
$
.
1 ,
-
, .
5 .
( , , ). 4 ,
( , CA)
. 7 . 2
,
1 . : CAs
.
. %
- . %
. # ,
,
.
" ,
-
.
"- , browser ! $
.
8.4 SSL # #
% $ X.509,
1 . , X.509 :
/( : %
' : %
# ( " / ( !"/: %
0! " "! ' :
# *:
2 -
server browser. "
, -
browser. 2 Internet Explorer,
-
SSL (server).
. ,
. : browser, Netscape, Mozilla,
Konqueror .
https://www.ibm.com browser ,
! . 2
Equifax Secure E-Business Certification Authority-2
Thawte CA.
Thawte Internet Explorer
. 4 internet Explorer
- : Tools, Internet Options, Content, Certificates, Trusted Root Certification Authorities.
8.5 0" ! 2 # + (!! SSL
, SSL ,
,
5 .
SSL :
1. . browser Apache server.
2. 5 $ , browser server
.
3. . browser server,
! - , CA.
4. # , server
.
5. . server client
.
6. 5 $
.
$ - server
browser
! .
8.6 SSL
4 SSL server, - SSL
Apache. . Apache web server !
plug-ins
. % plug-ins Apache $ mods. - SSL
mod_ssl, ! Apache
- . % mod_ssl, , OpenSSL library open source
SSL&TLS . %
OpenSSL ! !! SSLeay Eric A. Young
Tim J. Hudson.
8.7 OpenSSL
Windows
4 Apache
installer Windows . )
Windows .
Unix
Linux FreeBSD OpenSSL
$
.
packages
$
! $ $ :
http://www.openssl.org. [17] !
:
# gunzip < openssl*.tar.gz | tar xvf -
# cd openssl*
% OpenSSL config script ! .
# .
: /usr/local/ssl/install
. 2
build .
# ./config --prefix=/usr/local/ssl/install --openssldir=/usr/local/ssl/install/openssl
# make
# make install
" , OpenSSL Toolkit.
OpenSSL ! /usr/local/ssl/install/bin/.
.
mod_ssl
, SSL extensions Apache
- ; .
,
, mod_ssl
Apache 2.0. # !
build module. To mod_ssl - !! OpenSSL,
OpenSSL .
" o Apache server 2.0 mod_ssl
! . * packages
.
build Apache 2.0
build mod_ssl compile.
--enable-ssl --with-ssl=/usr/local/ssl/install/openssl
OpenSSL
.
" mod_ssl compile statically Apache,
,
compiled-in modules.
# /usr/local/apache2/bin/httpd -l
o Apache usr/local/apache2.
" mod_ssl dynamic loadable module, configuration file:
LoadModule ssl_module modules/libmodssl.so [17]
8.8 '" + # # %
4 server SSL, !
server. " SSL site ,
- site .
8.9 " ( 3" !"/ %
# / $
. 7 site
www.example.com. (<
FQDN Apache.) %
:
# ./usr/local/ssl/install/bin/openssl genrsa -des3 -rand file1:file2:file3 \
-out www.example.com.key 1024
% genrsa OpenSSL ! $ .
% des3
.
% rand to OpenSSL -
! 5 . 4
file1, file2, . . ., ,
( (kernel), , ).
" /dev/random. option
Windows
.
% out .
To 1024 bits .
% $ :
625152 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...++++++
...++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
) , . "
. .
$ server. 2 -
. !
server,
! ! . "
, 5 5
option - des3 :
# ./usr/local/ssl/install/bin/openssl rsa -in www.example.com.key \
-out www.example.com.key.unsecure
" www.example.com.key.
2 :
# ./usr/local/ssl/install/bin/openssl rsa -noout -text -in www.example.com.key
8.10 " ( # # # # "
4 (CA),
! . 4 ,
:
# ./usr/local/ssl/install/bin/openssl req -new -key www.example.com.key -out www.example.com.csr
< $ :
Using configuration from /usr/local/ssl/install/openssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:www.example.com
Email Address []:administrator@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
7. % $ Internet Explorer
.
"
Common Name $
browser .
browser server . " ,
$ .
% www.example.com.csr. 2
:
# ./usr/local/ssl/install/bin/openssl req -noout -text -in www.example.com.csr
2 !
CA. . VeriSign Thawte -
. . ! .
VeriSign: http://digitalid.verisign.com/server/apacheNotice.htm
Thawte: http://www.thawte.com
8.11 " ( (- # ( " # #
2 - . 1
.
,
mod_ssl server
CA.
# ./usr/local/ssl/install/bin/openssl x509 -req -days 30 -in www.example.com.csr \
-signkey www.example.com.key -out www.example.com.cert
# 5 www.example.com.cert
( CA -
) /usr/local/ssl/install/openssl/certs/
/usr/local/ssl/install/openssl/private/.
2 :
# chmod 400 www.example.com.key
8.12 ( + SSL
% , , Apache - SSL. %
mod_ssl ,
, LoadModule .
Apache:
Listen 80
Listen 443
<VirtualHost _default_:443>
ServerName www.example.com
SSLEngine on
SSLCertificateFile /usr/local/ssl/install/openssl/certs/www.example.com.cert
SSLCertificateKeyFile /usr/local/ssl/install/openssl/private/www.example.com.key
</VirtualHost>
2 , $ host
443 ( HTTPS) SSL
host SSLEngine.[18]
# - ! server
, SSLCertificateFile
SSLCertificateKeyfile.
8.13 Server
server.
"
(pass phrase), $
. 2 , Apache
server
URL https://www.example.com/.
" Apache server -
-
! . # ,
- Apache
. # (administrator)
443 , - 8443
! URL https://www.example.com:8443. [18]
8.14 ! ( $
2 - ciphers
SSLCipherSuite SSLProtocol. # ,
: SSLProtocol
SSLCipherSuite HIGH:MEDIUM
8.15 0 # #"! %
. clients - server
, server -
.
. SSLCACertificateFile SSLCACertificatePath Apache
. 2
clients $
! server.
SSLCACertificateFile
.
" ,
SSLCACertificatePath
. %
. % SSLVerifyClient
. SSLVerifyDepth
client. . SSLCARevocationFile SSLCARevocationPath
.
8.16 #(/
% SSL . % mod_ssl
OpenSSL
(cache) . 2
SSLSessionCache
SSLSessionCacheTimeout. 7 - -
-
-
. SSLMutex
SSL. SSLRandomSeed
. .
- server.
8.17 *
To mod_ssl Apache -
$ SSL,
!
client.
CGI script ! ! StdEnvVars
Options.
8.18 " !* SSLOptions
# !
. . SSL URLs.
SSLOptions.
SSLPassPhraseDialog
(pass phrase) $ -
.
8.19 & !" ' # ( )
SSLRequireSSL clients
SSL ! server.
SSLRequire
! client. - SSLRequire
, - . $
mod_ssl $ !
! client .
! - ! :
SSL - ( ) cipher
(NULL) cipher,
, !
(1 # )
(8:00 . . 8:00 . .). # .
. , . [18]
0 /"
SSLRequire!
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
             and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
             and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
             and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
             and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
8.20 Reverse Proxy "' * SSL
- reverse proxy
.
reverse proxy server
server client [18]. . : SSLProxyMachineCertificatePath,
SSLProxyMachineCertificateFile, SSLProxyVerify, SSLProxyVerifyDepth, SSLProxyCACertificatePath,
SSLProxyEngine, and SSLProxyCACertificateFile.
9. 4 4 ,
[1] Maurice J. Bach, The Design of the UNIX Operating System, Prentice Hall Inc, 1986.
[2] Helen Custer, Inside Windows NT, Microsoft Press, 1993.
[3] Simson Garfinkel and Gene Spafford, Practical UNIX and Internet Security, 2nd edition, O’Reilly & Associates Inc 1996.
[4] I Heizer, P.Leach, D.Perry Common Internet File System Protocol (CIFS), Internet Draft 1996
[5] David K. Hess, David R. Safford and Udo W. Pooch, A UNIX Network Protocol Security Study: Network Information Service. Texas A&M University.
[6] Paul J. Leach, CIFS Authentication Protocols Specification. Microsoft, Preliminary Draft, Author’s draft: 4.
[7] Paul J. Leach and Dilip C. Naik, CIFS Logon and Pass Through Authentication.
Internet Draft, 1997.
[8] LeFebvre-W, Simply syslog. Unix-Review, vol. 15, no. 12, November 1997.
[9] Marshall Kirk McKusick, Keith Bostic, Michael J. Karels and John S. Quarterman, The Design and Implementation of the 4.4BSD Operating System. Addison-
Wesley, 1996.
[10] NCSC, FINAL EVALUATION REPORT Microsoft Inc.: Windows NT Workstation and Server Version 3.5 with U.S. Service Pack 3. National Computer Security
Center, 1996.
[11] RFC 1001, Protocol Standard for a NetBIOS Service on a TCP/UDP Transport:
Concepts and Methods. March, 1987.
[12] RFC 1002, Protocol Standard for a NetBIOS Service on a TCP/UDP Transport:
Detailed Specifications. March, 1987.
[13] Russel Sandberg, David Goldberg, Steve Kleiman, Dan Walsh and Bob Lyon, Design and Implementation of the Sun Network Filesystem. Summer USENIX Conference Proceedings, Portland, 1985.
[14] Jennifer G. Steiner, Clifford Neumann and Jeffery I. Schiller, Kerberos: An Authentication Service for Open Network Systems. USENIX Winter Conference, Dallas, Texas, USA, February, 1988.
[15] Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition, by
Bruce Schneier
[16] Eric Rescorla, SSL and TLS: Designing and Building Secure Systems.
[17] OpenSSL project: http://www.openssl.org
[18] ModSSL project: http://www.modssl.org
[19] Apache reference: http://www.apacheref.com