1- Installation Systeme (fournie par votre instructeur) : - Installer VirtualBox sur votre PC. - Installer Centos 7 ( utiliser root/Icann2018 ; c'est un mot de passe de lab uniquement : le changer avec `passwd` des la premiere connexion et ne jamais le reutiliser hors de cette maquette ). 2- Verifier votre configuration reseau : # vi /etc/sysconfig/network-scripts/ifcfg-ens0p3 ( demander a votre instructeur le plan d'adressage de la classe ; le nom de l'interface peut differer d'une VM a l'autre, le verifier avec `ip link` et adapter le nom du fichier ifcfg-* ) ... BOOTPROTO=none ONBOOT=yes IPADDR=192.168.X.Y PREFIX=24 GATEWAY=192.168.X.1 ... 3- Changer le hostname : # hostnamectl set-hostname hidden1 4- Installer les packages suivants : # yum -y install net-tools bind-utils # yum -y install bind-* -x bind-chroot 5- creer le repertoire des logs DNS /var/log/named/ # mkdir /var/log/named/ /var/log/zones/ # chown named.named /var/log/named/ /var/log/zones/ 6- creer les fichiers suivants : vi /etc/named.acl.conf ( les adresses 127.0.0.1 ci-dessous sont des valeurs provisoires : une fois les IP des autres VM attribuees, les reporter ici, sinon les ACL SLAV/MAST n'autorisent que la machine locale ) acl SLAV { 127.0.0.1; }; masters SLAV { 127.0.0.1; }; acl MAST { 127.0.0.1; }; masters MAST { 127.0.0.1; }; vi /etc/named.log.conf ( chaque canal conserve jusqu'a 99 fichiers de 100M, 500M pour les requetes : sur le disque d'une VM, surveiller /var/log/named ou reduire versions/size ; le canal queries journalise chaque requete avec l'adresse du client, ce qui coute en I/O et peut etre desactive hors lab ) logging { channel "ch_default" { file "/var/log/named/default.log" versions 99 size 100M; print-category yes; print-time yes; }; category default { ch_default; }; channel "ch_general" { file "/var/log/named/general.log" versions 99 size 100M; print-category yes; print-time yes; }; category general { ch_general; }; channel "ch_client" { file "/var/log/named/client.log" versions 99 size 100M; print-category yes; print-time yes; }; category client { ch_client; }; channel "ch_config" { file "/var/log/named/config.log" versions 99 size 100M; print-category yes; print-time yes; }; category config { ch_config; }; channel "ch_database" { file "/var/log/named/database.log" versions 99 size 100M; print-category yes; print-time yes; }; category database { ch_database; }; channel "ch_dnssec" { file "/var/log/named/dnssec.log" versions 99 size 100M; print-category yes; print-time yes; }; category dnssec { ch_dnssec; }; channel "ch_lame-servers" { file "/var/log/named/lame-servers.log" versions 99 size 100M; print-category yes; print-time yes; }; category lame-servers { ch_lame-servers; }; channel 
"ch_network" { file "/var/log/named/network.log" versions 99 size 100M; print-category yes; print-time yes; }; category network { ch_network; }; channel "ch_notify" { file "/var/log/named/notify.log" versions 99 size 100M; print-category yes; print-time yes; }; category notify { ch_notify; }; channel "ch_queries" { file "/var/log/named/queries.log" versions 99 size 500M; print-category yes; print-time yes; }; category queries { ch_queries; }; channel "ch_resolver" { file "/var/log/named/resolver.log" versions 99 size 100M; print-category yes; print-time yes; }; category resolver { ch_resolver; }; channel "ch_security" { file "/var/log/named/security.log" versions 99 size 100M; print-category yes; print-time yes; }; category security { ch_security; }; channel "ch_update" { file "/var/log/named/update.log" versions 99 size 100M; print-category yes; print-time yes; }; category update { ch_update; }; channel "ch_update-security" { file "/var/log/named/update-security.log" versions 99 size 100M; print-category yes; print-time yes; }; category update-security { ch_update-security; }; channel "ch_xfer-in" { file "/var/log/named/xfer-in.log" versions 99 size 100M; print-category yes; print-time yes; }; category xfer-in { ch_xfer-in; }; channel "ch_xfer-out" { file "/var/log/named/xfer-out.log" versions 99 size 100M; print-category yes; print-time yes; }; category xfer-out { ch_xfer-out; }; channel "ch_unmatched" { file "/var/log/named/unmatched.log" versions 99 size 100M; print-category yes; print-time yes; }; category unmatched { ch_unmatched; }; channel "ch_dispatch" { file "/var/log/named/dispatch.log" versions 99 size 100M; print-category yes; print-time yes; }; category dispatch { ch_dispatch; }; channel "ch_delegation-only" { file "/var/log/named/delegation-only.log" versions 99 size 100M; print-category yes; print-time yes; }; category delegation-only { ch_delegation-only; }; channel "ch_edns-disabled" { file "/var/log/named/edns-disabled.log" versions 99 size 100M; 
print-category yes; print-time yes; }; category edns-disabled { ch_edns-disabled; }; }; # vi /etc/named.opt.conf ( remarques : `listen-on { any; }` ecoute sur toutes les interfaces mais `allow-query { localhost; }` ne repond qu'a la machine locale, a elargir volontairement par ACL quand le serveur doit servir le reseau ; `recursion no` convient a un serveur autoritaire ; aucun `allow-transfer` n'est defini alors que BIND autorise par defaut les transferts de zone a tout le monde, le restreindre ici ou dans chaque zone de named.zones.conf, par exemple `allow-transfer { SLAV; };` ; les directives dnssec sont commentees et bindkeys-file pointe sur la cle ISC DLV, service arrete en 2017, ne pas compter sur cette cle pour la validation ) options { listen-on port 53 { any; }; #listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { localhost; }; recursion no; #dnssec-enable yes; #dnssec-validation yes; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; zone "." IN { type hint; file "named.ca"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; # touch /etc/named.zones.conf # vi /etc/named.conf include "/etc/named.acl.conf"; include "/etc/named.opt.conf"; include "/etc/named.log.conf"; include "/etc/named.zones.conf"; ( verifier la syntaxe de l'ensemble avec `named-checkconf` avant de demarrer named ) 7- fixer les permissions : # chown root:named /etc/named.* # chmod 640 /etc/named.* ( la commande d'origine « chow named.named » ne s'execute pas ; garder les fichiers de configuration a root et seulement lisibles par le groupe named evite qu'un processus named compromis reecrive sa propre configuration : d'apres cette configuration named n'ecrit que sous /var/named, /var/log/named et /run ) 8- Desinstaller le firewall : # yum -y erase firewalld ( la machine n'a alors plus aucun filtrage jusqu'a l'execution du script securite.sh plus bas ) 9- Cloner votre machine virtuelle avec VirtualBox pour creer deux autres VM ( choisir la reinitialisation des adresses MAC lors du clonage, et regenerer sur chaque clone les cles d'hote SSH /etc/ssh/ssh_host_* et /etc/machine-id, copies a l'identique depuis l'original ). 
10- Connecter vos nouvelles VM et faites les modifications suivantes : - changer le nom de la VM ( hostnamectl set-hostname ) : master1 et resolver1 - Attribuer des IPs aux nouvelles VMs ( consulter votre instructeur ) 11- copier/coller ce script dans un fichier securite.sh ( pour utilisation ulterieure ) ( remarques : le script ouvre DNS 53/tcp+udp, SSH 22/tcp et ICMP depuis n'importe quelle source ; restreindre au moins SSH aux adresses de la classe avec `-s`, par exemple `iptables -A INPUT -p tcp -s 192.168.X.0/24 --dport 22 -j ACCEPT`, et, si hidden1 joue le role de maitre cache, limiter aussi son port 53 aux secondaires ; les politiques DROP sont posees avant la regle RELATED,ESTABLISHED, lancer le script depuis la console VirtualBox plutot qu'en SSH ; les regles chargees ainsi ne survivent pas au redemarrage, installer iptables-services puis `service iptables save` pour les conserver ) /----------------------------------------------------------------------- #!/bin/sh # Reinitialise les regles iptables -t filter -F iptables -t filter -X # Bloque tout le trafic iptables -t filter -P INPUT DROP iptables -t filter -P FORWARD DROP iptables -t filter -P OUTPUT DROP # Autorise les connexions deja etabli et localhost iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -t filter -A INPUT -i lo -j ACCEPT iptables -t filter -A OUTPUT -o lo -j ACCEPT # DNS In/Out iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT # SSH iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT # ICMP iptables -t filter -A OUTPUT -p icmp -j ACCEPT iptables -t filter -A INPUT -p icmp -j ACCEPT /----------------------------------------------------------------------- puis executer le script : # sh securite.sh verifier iptables : # iptables -nL ( les deux regles « ACCEPT all » sans port ni etat sont celles de l'interface lo ; l'interface n'apparait qu'avec `iptables -nvL` ) Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 
0.0.0.0/0 0.0.0.0/0 tcp dpt:53 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 /-----------------------------------------------------------------------