Labs
Lab 1: You want to configure a computer running RHEL as a secure Web server. To keep the system secure, you want to set up a suitable firewall and disable the services you do not need. What do you need to do?
Answer (left in English in the original):
Setting up an RHEL computer as a secure Web server is a straightforward process. You'll want a firewall that blocks everything except the ports the server has to expose: TCP ports 80 and 443, which let outside computers reach your regular and secure Web services (plus TCP port 22 if you administer the host over SSH).
The easiest way to set this up is with the Red Hat Security Level Configuration tool, which you can start with the system-config-securitylevel command (system-config-securitylevel-tui on a text console). Once you're in the tool, take the following steps:
1. Enable the firewall. This installs a basic rule set that accepts loopback traffic and replies to connections the system itself initiated (ESTABLISHED,RELATED) and rejects every other new inbound connection.
2. Scroll down the Trusted Services window. (In the text-based tool, choose Customize to open the Firewall Configuration - Customize window.) Activate the WWW (HTTP) option, which allows access from outside the local computer to your regular Web site, and activate Secure WWW (HTTPS) as well. SSH is checked by default so you can still reach the host remotely; leave every other service unchecked.
3. Click OK to exit from the Security Level Configuration tool. The rules are written to /etc/sysconfig/iptables, which the iptables service loads at boot.
4. Enter the following command to check the resulting firewall (add -n -v to see numeric ports, interfaces and packet counters):
# iptables -L
Only ports 22, 80 and 443 should appear as accepted destination ports; everything else should fall through to the closing REJECT rule.
5. Disable the services you don't need, since the question asks for that as well: see what is listening with netstat -tulpn, then turn off anything that is not part of the Web server with chkconfig <service> off and service <service> stop. A service that is not running cannot be attacked even if the firewall is later misconfigured.
6. Once you've configured a Web service as described in Chapter 9, you'll be able to access both the regular and secure Web servers from remote computers, while retaining a firewall that protects the other services on your system.
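Step 4 only tells you to look at the rules. The script below is an added example, not part of the original lab: it reads a rule dump in iptables-save / iptables -S format and reports which destination ports are accepted and whether anything falls through to an open chain policy, which is the check you actually want after the tool has run. The rule text in it is constructed to resemble the Red Hat tool's output with one leftover Telnet rule; the chain name RH-Firewall-1-INPUT is what system-config-securitylevel creates, the rest is sample data.

```python
import shlex

# Constructed sample in iptables-save / iptables -S style: the chain the Red
# Hat tool builds, with HTTP, HTTPS and SSH trusted, plus a leftover Telnet rule.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N RH-Firewall-1-INPUT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""


def parse_rules(text):
    """Return ({chain: policy}, {chain: [rule tokens]}).  Accepts -P/-N/-A lines
    (iptables -S) and ':CHAIN POLICY [pkts:bytes]' lines (iptables-save)."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "*", "COMMIT")):
            continue
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
            continue
        tok = shlex.split(line)
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            chains.setdefault(tok[1], [])
        elif tok[0] == "-N":
            chains.setdefault(tok[1], [])
        elif tok[0] == "-A":
            chains.setdefault(tok[1], []).append(tok[2:])
    return policies, chains


def rule_fields(tok):
    """Pull out the few options the audit needs from one rule's token list."""
    names = {"-j": "target", "-p": "proto", "--dport": "dport", "-i": "iface"}
    f = {"target": None, "proto": None, "dport": None, "iface": None}
    for i, t in enumerate(tok[:-1]):
        if t in names:
            f[names[t]] = tok[i + 1]
    f["stateful"] = "--state" in tok
    return f


def audit_input_chain(text, allowed_ports=(22, 80, 443)):
    """Walk INPUT, following jumps into user chains, and return
    (accepted (proto, port) pairs in port order, list of findings)."""
    policies, chains = parse_rules(text)
    allowed = {str(p) for p in allowed_ports}
    open_ports, findings = set(), []

    def walk(chain, seen):
        # True once a catch-all DROP/REJECT is hit: later rules never run.
        if chain in seen:
            return False
        seen.add(chain)
        for tok in chains.get(chain, []):
            f = rule_fields(tok)
            if f["target"] == "ACCEPT":
                if f["dport"] is not None:
                    open_ports.add((f["proto"] or "tcp", f["dport"]))
                elif not (f["iface"] == "lo" or f["stateful"] or f["proto"] == "icmp"):
                    findings.append("unconditional ACCEPT in %s: %s" % (chain, " ".join(tok)))
            elif f["target"] in ("DROP", "REJECT") and f["proto"] is None and f["dport"] is None:
                return True
            elif f["target"] in chains and walk(f["target"], seen):
                return True
        return False

    if not walk("INPUT", set()) and policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is %s and there is no catch-all DROP/REJECT: "
                        "every unlisted port is reachable" % policies.get("INPUT"))
    ordered = sorted(open_ports, key=lambda p: (p[0], int(p[1].split(":")[0])))
    for proto, port in ordered:
        if port not in allowed:
            findings.append("unexpected open port %s/%s" % (proto, port))
    return ordered, findings


if __name__ == "__main__":
    ports, problems = audit_input_chain(SAMPLE_RULES)
    print("accepted:", ", ".join("%s/%s" % p for p in ports))
    for problem in problems:
        print("FINDING:", problem)
```

On a live host, pass the contents of /etc/sysconfig/iptables (or the output of iptables-save) to audit_input_chain instead of the sample. The walk stops at the first catch-all deny because rules after it are dead; a rule set whose only protection is a REJECT at the end of a user chain is fine, but if that line is deleted while the INPUT policy is still ACCEPT, the audit reports that every port not matched by a rule is reachable.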
Lab 2: You want to set up a Telnet server on your LAN, allow access to it from only one particular IP address, and refuse all access from outside the LAN. Assume the LAN address is 192.168.1.0 and the permitted IP address is 192.168.1.33. To carry out the lab you will need to configure that subnet address on another computer. What do you do?
Answer:
Several steps are required to set up any xinetd service such as Telnet. You'll need to modify the xinetd Telnet configuration file and then restrict access in one of three ways: in the /etc/xinetd.d/krb5-telnet configuration file itself, through tcp_wrappers, or with the appropriate firewall commands. The three checks happen at different layers. An iptables rule decides before the packet ever reaches a socket; only_from and tcp_wrappers decide inside xinetd after the TCP connection has been accepted. A client refused by the latter two therefore sees the connection open and immediately close, while one blocked by a DROP rule just hangs until it times out.
1. First, you want to enable Telnet. Make sure the package that provides the krb5-telnet xinetd service is installed (there is no RPM named krb5-telnet; on RHEL 5 the /etc/xinetd.d/krb5-telnet file belongs to krb5-workstation, and rpm -qf /etc/xinetd.d/krb5-telnet tells you which package owns it on your release), and that xinetd itself is installed and running.
2. Activate Telnet. Use the chkconfig krb5-telnet on command to revise the /etc/xinetd.d/krb5-telnet configuration script (it changes disable = yes to disable = no).
3. Edit the /etc/xinetd.d/krb5-telnet configuration file. Add the line only_from = 192.168.1.33 inside the braces of the service stanza. (If you have another computer on your network with a different private IP address, substitute accordingly in all steps in this lab.)
4. Save the configuration file and reload the xinetd service script with the service xinetd reload command. Try accessing Telnet from the local computer. What happens? (Keep in mind that a connection to localhost arrives from 127.0.0.1, which is not in the only_from list.)
5. Try accessing Telnet from the computer with the IP address of 192.168.1.33. What happens? Try again from a different computer on your LAN.
6. Restore the previous /etc/xinetd.d/krb5-telnet configuration file. Don't forget to reload the xinetd service script with the service xinetd reload command.
7. Edit /etc/hosts.deny. Add the line telnetd : ALL EXCEPT 192.168.1.33. The daemon name in a tcp_wrappers rule is the process name of the server program xinetd starts (telnetd here), and /etc/hosts.allow is consulted before /etc/hosts.deny, so check that no hosts.allow entry already grants telnetd to a wider range.
8. Try accessing Telnet from the computer with the IP address of 192.168.1.33. What happens? Try again from a different computer on your LAN.
9. Restore the previous /etc/hosts.deny file.
10. Save any existing iptables chains. Back up /etc/sysconfig/iptables, if that file currently exists, to ~/bak.iptables (cp /etc/sysconfig/iptables ~/bak.iptables), or capture the running rules with iptables-save > ~/bak.iptables. Do the following steps from the console: a flush followed by a DROP rule can cut off your own remote session.
11. Flush current firewall rules with the iptables -F command. (-F removes rules but leaves chain policies alone; if your INPUT policy is DROP, set it to ACCEPT first with iptables -P INPUT ACCEPT, or nothing will get through at all.)
12. Block the Telnet port, 23, for all IP addresses except 192.168.1.33 with the iptables -A INPUT ! -s 192.168.1.33 -p tcp --dport 23 -j DROP command. (The iptables in RHEL 5 writes the negation as -s ! 192.168.1.33; newer releases expect ! -s and warn about the old form.) Because the target is DROP rather than REJECT, a blocked client waits for a timeout instead of getting "Connection refused".
13. Try accessing the Telnet server from the computer with the IP address of 192.168.1.33. What happens? Try again from a different computer on your LAN.
14. Flush current firewall rules with the iptables -F command.
15. Restore any previous firewall rules with the iptables-restore < ~/bak.iptables command (both /etc/sysconfig/iptables and the output of iptables-save are in the format iptables-restore reads).
16. Bonus: Repeat these commands for other services and networks.
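Step 7 depends on the tcp_wrappers evaluation order, which is easy to get wrong. The script below is an added example, not taken from the lab: it models the hosts.allow / hosts.deny decision as hosts_access(5) describes it (allow file first, then deny file, default allow, with the EXCEPT operator) and runs the lab's line against several client addresses. The file contents are constructed, and only the common pattern forms are handled (ALL, an exact address, a trailing-dot network prefix and net/mask; no hostnames, IPv6 or option fields). The second hosts.allow variant is the point: one permissive allow line silently overrides the deny rule.

```python
import ipaddress


def match_client(pattern, ip):
    """One client pattern from hosts_access(5) against a dotted IPv4 address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # "192.168.1." is a prefix match
        return ip.startswith(pattern)
    if "/" in pattern:                             # "192.168.1.0/255.255.255.0"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern


def match_daemon(pattern, daemon):
    return pattern.strip() in ("ALL", daemon)


def match_list(spec, value, matcher):
    """'a b EXCEPT c' matches when the left list matches and the right one
    does not; a further EXCEPT binds to the right, as in hosts_access(5)."""
    spec = spec.strip()
    if " EXCEPT " in spec:
        left, right = spec.split(" EXCEPT ", 1)
        return match_list(left, value, matcher) and not match_list(right, value, matcher)
    return any(matcher(p, value) for p in spec.replace(",", " ").split())


def file_matches(text, daemon, ip):
    """True if any 'daemon_list : client_list' line in the file matches."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        if match_list(fields[0], daemon, match_daemon) and match_list(fields[1], ip, match_client):
            return True
    return False


def access_allowed(hosts_allow, hosts_deny, daemon, ip):
    """A match in hosts.allow grants; otherwise a match in hosts.deny refuses;
    otherwise access is granted (the tcp_wrappers default)."""
    if file_matches(hosts_allow, daemon, ip):
        return True
    if file_matches(hosts_deny, daemon, ip):
        return False
    return True


# Constructed files for the lab: refuse telnetd to everyone but 192.168.1.33.
LAB_HOSTS_ALLOW = "# nothing here\n"
LAB_HOSTS_DENY = "telnetd : ALL EXCEPT 192.168.1.33\n"

# Constructed variant: a blanket allow for the LAN that defeats the deny line,
# because hosts.allow is consulted first.
LAN_HOSTS_ALLOW = "telnetd : 192.168.1.\n"


def lab_decisions(hosts_allow=LAB_HOSTS_ALLOW, hosts_deny=LAB_HOSTS_DENY):
    """Decision for the permitted host, another LAN host, an outside host and localhost."""
    clients = ["192.168.1.33", "192.168.1.50", "10.0.0.5", "127.0.0.1"]
    return {ip: access_allowed(hosts_allow, hosts_deny, "telnetd", ip) for ip in clients}


if __name__ == "__main__":
    for ip, ok in lab_decisions().items():
        print("%-14s %s" % (ip, "allowed" if ok else "refused"))
    print("with a LAN-wide hosts.allow line, 192.168.1.50 is",
          "allowed" if lab_decisions(hosts_allow=LAN_HOSTS_ALLOW)["192.168.1.50"] else "refused")
```

The model also shows why the hosts.deny line alone covers the "nothing from outside the LAN" requirement: ALL EXCEPT 192.168.1.33 refuses 10.0.0.5 just as it refuses 192.168.1.50, while a daemon not named in the file (sshd, for instance) is still reachable from anywhere. Remember that this check only runs after the kernel has accepted the TCP connection, so port scans still see port 23 open.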
Lab 3: You want to set up a secure Web server on your LAN and allow access to it from both the LAN and the Internet, but you do not want any traffic from the Internet to get into your LAN. What do you do?
Consider three cases in this lab. First, cost is no object: you have three computers, two of which can act as firewalls and one as the Web server. Second, cost matters: you have a single spare machine to use as the firewall, with the Web server on a separate computer. Finally, consider both of the above cases with SELinux set to enforcing mode.
Answer:
Scenario 1: Cost is not an object. This means you can build a DMZ using two firewalls and a separate Web server, all running Linux. The Web server should be dedicated only to the Web. You configure two more Linux hosts, each with two network cards, and isolate the intranet behind one of them. You then put the Web server in the middle, with the second firewall between the Web server and the Internet. The outer firewall forwards only TCP ports 80 and 443 from the Internet to the Web server and masquerades the intranet's outbound traffic, so intranet hosts keep private addresses and are never directly reachable from outside. The inner firewall accepts no new connections from the DMZ toward the intranet: if the Web server is compromised, the attacker is still stopped at the second firewall.
Scenario 2: You have one old computer available, and the Web server is a separate computer. Use that computer as the firewall between you and the Internet: enable IP forwarding (net.ipv4.ip_forward = 1 in /etc/sysctl.conf), DNAT only HTTP (and HTTPS) arriving from the Internet to the Web server's IP address, use NAT (MASQUERADE) for intranet requests going out to the Internet for HTTP and FTP, and give the FORWARD chain a default policy of DROP so that all other services, including anything else from the Internet toward the intranet, are refused. Note that the Web server now sits on the same segment as the intranet: a compromised Web server can reach intranet hosts directly, which is exactly the protection you give up by not having a real DMZ.
Scenario 3: Repeat scenarios 1 and 2 with SELinux in enforcing mode, and activate only the booleans the Web server actually needs (getsebool -a | grep httpd lists them; httpd_can_network_connect, for example, is needed only if the Web application itself opens connections to other hosts). The firewalls run no network service beyond SSH, so their SELinux policy can stay at its defaults.
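The scenario 2 description is a policy in words; here it is as an actual rule set, added as an example and not part of the original answer. The interface names (eth0 toward the Internet, eth1 toward the LAN), the LAN range 192.168.1.0/24, the Web server address 192.168.1.10 and the outbound port list are assumptions passed in as parameters; 443 is included beside 80 because the lab asks for a secure Web server. The output is in the format /etc/sysconfig/iptables uses, so it loads with iptables-restore.

```python
def scenario2_ruleset(wan_if="eth0", lan_if="eth1", lan_net="192.168.1.0/24",
                      web_ip="192.168.1.10", web_ports=(80, 443),
                      lan_out_ports=(80, 443, 21)):
    """Return iptables-restore text for a single-box firewall/NAT router with the
    Web server on a separate host behind it.  All addresses and interface names
    are assumed values for the example."""
    nat = [
        "*nat",
        ":PREROUTING ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
    ]
    # Web traffic arriving from the Internet is rewritten to the Web server's address.
    for port in web_ports:
        nat.append("-A PREROUTING -i %s -p tcp --dport %d -j DNAT --to-destination %s:%d"
                   % (wan_if, port, web_ip, port))
    # Everything the LAN sends out leaves under the firewall's public address.
    nat.append("-A POSTROUTING -o %s -s %s -j MASQUERADE" % (wan_if, lan_net))
    nat.append("COMMIT")

    filt = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",                      # nothing crosses the box unless listed
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # Administer the firewall from the LAN side only.
        "-A INPUT -i %s -p tcp --dport 22 -m state --state NEW -j ACCEPT" % lan_if,
        "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    # New connections from the Internet: only to the Web server, only Web ports.
    # DNAT has already run, so the destination seen here is the Web server.
    for port in web_ports:
        filt.append("-A FORWARD -i %s -o %s -d %s -p tcp --dport %d -m state --state NEW -j ACCEPT"
                    % (wan_if, lan_if, web_ip, port))
    # New connections from the LAN to the Internet: HTTP, HTTPS and FTP control.
    for port in lan_out_ports:
        filt.append("-A FORWARD -i %s -o %s -s %s -p tcp --dport %d -m state --state NEW -j ACCEPT"
                    % (lan_if, wan_if, lan_net, port))
    filt.append("COMMIT")
    return "\n".join(nat + filt) + "\n"


if __name__ == "__main__":
    # Redirect this into /etc/sysconfig/iptables on the firewall, then
    # run "service iptables restart".
    print(scenario2_ruleset(), end="")
```

Two things the rule set depends on lie outside it: IP forwarding must be on, and for FTP the connection tracking helper (ip_conntrack_ftp on RHEL 5, named in IPTABLES_MODULES in /etc/sysconfig/iptables-config) must be loaded so that data connections match as RELATED. LAN hosts that reach the site by its public name will hit the firewall's outside address from the inside; that needs an additional DNAT rule on the LAN interface, which the scenario does not ask for.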
Lab 4: You want to use SELinux, but you are not sure how it will affect the many services running on your system. How can you monitor SELinux's effect while keeping the current services working? How do you monitor that process? Test every service and use the setroubleshoot browser to review the system's configuration. When every service works, switch SELinux to enforcing mode.
Answer:
The simplest way to experiment with SELinux is to set it to permissive mode: the policy is still evaluated and every violation is logged, but nothing is actually blocked. Denials are recorded as avc: denied messages, in /var/log/audit/audit.log when the audit daemon is running and in /var/log/messages otherwise. You can put the running system into permissive mode with setenforce 0 (confirm with getenforce), and make it persist across reboots with the SELinux Management Tool (system-config-selinux) or by setting SELINUX=permissive in /etc/sysconfig/selinux, a symbolic link to /etc/selinux/config. Open the Setroubleshoot Browser (sealert -b), and try out the various services, locally and remotely. Follow any suggestions the browser makes, which are usually a boolean to set with setsebool -P or a file context to repair with restorecon. When you're confident that your configured network services work with SELinux, set SELINUX=enforcing in /etc/sysconfig/selinux and switch the running system with setenforce 1 (a reboot is needed only if SELinux had been disabled, because the file system then has to be relabeled), then test the configured network services again.
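Reading the raw AVC messages is the part of this lab the browser hides from you. The script below is an added example, not part of the original answer: it groups denial records by program, source type, target type, object class and permission, so you can see which patterns enforcing mode would break and how often. The log lines in it are constructed in the two formats the answer mentions (audit.log records, and the kernel line that reaches /var/log/messages without auditd); the host name, PIDs and paths are invented.

```python
import re
from collections import Counter

# Constructed sample lines, not from a real host: auditd-style records as they
# appear in /var/log/audit/audit.log, one unrelated SYSCALL record, and one
# syslog-style line of the kind that lands in /var/log/messages without auditd.
SAMPLE_LOG = """\
type=AVC msg=audit(1207000000.123:45): avc:  denied  { name_connect } for  pid=2171 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1207000000.123:45): arch=40000003 syscall=102 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1207000000.456:46): avc:  denied  { name_connect } for  pid=2172 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1207000010.789:47): avc:  denied  { getattr } for  pid=2171 comm="httpd" path="/home/alice/public_html/index.html" dev=sda2 ino=131072 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Apr  1 10:00:10 web1 kernel: audit(1207000010.900:48): avc:  denied  { name_bind } for  pid=2300 comm="vsftpd" src=2121 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parts of one AVC denial that matter for triage, or None
    for any line that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "stype": fields.get("scontext", "::?").split(":")[2],   # user:role:TYPE:level
        "ttype": fields.get("tcontext", "::?").split(":")[2],
        "tclass": fields.get("tclass", "?"),
    }


def summarize(log_text):
    """Count denials by (program, source type, target type, class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))
            counts[key] += 1
    return counts


def hotspots(counts, n=3):
    """Most frequent denial patterns first: these are what enforcing mode will break."""
    return sorted(((c, k) for k, c in counts.items()), key=lambda x: (-x[0], x[1]))[:n]


if __name__ == "__main__":
    for count, (comm, stype, ttype, tclass, perms) in hotspots(summarize(SAMPLE_LOG)):
        print("%3d  %-8s %-8s -> %-16s %-10s { %s }" % (count, comm, stype, ttype, tclass, perms))
```

Each resulting key is one decision to make before switching to enforcing: the httpd_t to mysqld_port_t name_connect pattern is the kind that a boolean addresses (httpd_can_network_connect), while httpd_t reading user_home_t files is normally fixed by relabeling the content (chcon or restorecon to httpd_sys_content_t) or, for ~/public_html, the httpd_enable_homedirs boolean. sealert and audit2why make the same grouping per record; running this over the whole log tells you which of them is worth fixing first.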