Wednesday 26 March 2008

The Big Bang Theory



This is about a new American series that is currently being broadcast just about everywhere except in the Czech Republic. What caught my interest? A familiar environment! :)
The main characters are two intellectuals and their two friends (all brilliant young physicists) who, as tends to be the case, have a slight problem communicating with the rest of the world. That they live in a world of their own wasn't so noticeable until a new, likeable tenant appeared in the flat across the hall, who, however, isn't exactly overflowing with intellect...
If you have experience with intellectuals, you'll laugh from beginning to end :)

Thursday 20 March 2008

Big Dog

Thursday 6 March 2008

TCP/IP seminar

I will be adding my notes from this seminar here. The odd numbers at the beginning of lines are the numbers of the slides the notes belong to :)

The slides are to the point; everything can be done from them alone. My notes are meant more
for those who will want to read this on the metro, say, without being able to try it out.
The slides are important! (and don't be afraid of them, they are nicely written)

Thu Feb 21 17:21:28 CET 2008



Introduction



Attendance is optional; credit is earned through a scavenger-hunt style challenge: a set of tasks
handed out at the last session, or at a make-up session (we get a task, after solving it
the next one, and we win by reaching the finish)

http://bug.ms.mff.cuni.cz/tcpip/slides

We play on the server that hosts that web site. Log in over ssh; everyone has
their own login and password (there we each have a small virtual server where we'll be root). Don't
make a mess there, so they don't take the server away from us! :)

ssh vmXX@bug.ms.mff.cuni.cz, then root;
(the number and password come on a slip of paper)

My number is 15, so wherever 15 appears, it isn't there by accident :) Substitute
your own number where needed.

The server is reachable from anywhere, including from outside.

Disconnecting:
kill ssh with "~." followed by Enter, or Ctrl+"]" (careful: with the latter the shell
remembers what we had typed there, even though it isn't visible)

If we break the whole thing, we just say so and they will restore it all for us.

Sometimes the server may not be working, especially right before the seminar.

The network layout is on slide 6

slide 8:

ifconfig
ifconfig -a


Let's set our IP addresses so that they contain our login number, so we
don't fight over them :)

slide 10: setting an address

vm15:~# ifconfig eth0 10.0.0.15/24 # my number is 15
SIOCSIFNETMASK: Cannot assign requested address
vm15:~# ifconfig eth0 up
vm15:~# ifconfig eth1 10.0.1.15/24
SIOCSIFNETMASK: Cannot assign requested address
vm15:~# ifconfig eth1 up


slide 11: let's check that it works for us: ping (it's recursively enumerable :)

vm15:~# ping 10.0.0.22
.
.
.
vm15:~# ping 10.0.0.22 -s 65536
Error: packet size 65536 is too large. Maximum is 65507


slide 12:

vm15:~# tcpdump -v -i eth0 -n
# -n ... don't resolve IP addresses to names


slide 14:
changing the MAC address (the interface must not be active)
overview of the ARP table:

vm15:~# arp
vm15:~# arping 10.0.0.22
ARPING 10.0.0.22
42 bytes from 00:16:3e:00:00:22 (10.0.0.22): index=0 time=3.280 msec
.
.


slide 15:

vm15:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
vm15:~# ping 195.113.31.123
connect: Network is unreachable
vm15:~# route add default gw 10.0.0.100
vm15:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 10.0.0.100 0.0.0.0 UG 0 0 0 eth0
vm15:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 * 255.255.255.0 U 0 0 0 eth0
10.0.1.0 * 255.255.255.0 U 0 0 0 eth1
default 10.0.0.100 0.0.0.0 UG 0 0 0 eth0
vm15:~# ping 195.113.31.123
PING 195.113.31.123 (195.113.31.123) 56(84) bytes of data.
64 bytes from 195.113.31.123: icmp_seq=1 ttl=58 time=3.12 ms
.
.


slide 16:

vm15:~# tcpdump -v -i eth0 > /tmp/log001 2>&1 &
[1] 1354
vm15:~# device eth0 entered promiscuous mode
audit(1203615867.513:8): dev=eth0 prom=256 old_prom=0 auid=4294967295

vm15:~#
vm15:~# traceroute 195.113.31.123
traceroute to 195.113.31.123 (195.113.31.123), 30 hops max, 40 byte packets
1 10.0.0.100 (10.0.0.100) 1.965 ms 0.434 ms 0.244 ms
2 fw-ms.ms.mff.cuni.cz (195.113.19.222) 1.826 ms 1.588 ms 1.793 ms
3 gems-mffmsfw.pasnet.cz (195.113.69.5) 3.343 ms 2.459 ms 3.677 ms
4 geruk-gems.pasnet.cz (195.113.68.201) 1.459 ms 1.467 ms 2.291 ms
5 karlingw-c.karlin.mff.cuni.cz (195.113.31.130) 1.243 ms 1.160 ms 3.587 ms
6 k5gw.karlin.mff.cuni.cz (195.113.31.137) 2.014 ms 2.466 ms 1.009 ms
7 atrey.karlin.mff.cuni.cz (195.113.31.123) 2.233 ms 2.173 ms 1.060 ms
vm15:~# fg
tcpdump -v -i eth0 >/tmp/log001 2>&1
device eth0 left promiscuous mode
audit(1203615888.574:9): dev=eth0 prom=0 old_prom=256 auid=4294967295
vm15:~# less /tmp/log001


slide 19:

vm15:~# ifconfig eth0 down
vm15:~# ifconfig eth0 hw ether 00:11:22:33:44:15
vm15:~# ifconfig eth0 up
vm15:~# vim /etc/network/interfaces
# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
# /usr/share/doc/ifupdown/examples for more information.

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
vm15:~# /etc/init.d/networking restart
Reconfiguring network interfaces...Internet Systems Consortium DHCP Client V3.0.4
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

Listening on LPF/eth0/00:11:22:33:44:15
Sending on LPF/eth0/00:11:22:33:44:15
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 7
DHCPOFFER from 10.0.0.100
DHCPREQUEST on eth0 to 255.255.255.255 port 67
DHCPACK from 10.0.0.100
bound to 10.0.0.115 -- renewal in 227 seconds.
postconf: fatal: open /etc/postfix/main.cf: No such file or directory
done.




Thu Feb 28 17:19:23 CET 2008




20:
We want to use ARP to acquire someone else's identity. How do we do it?
(for example when we want to eavesdrop on a password, etc...)

21: the answer is on this slide :)


C
|
|
A --------+--------B


We are C and we want to eavesdrop on the communication between A and B; + is a switch, so under
normal circumstances it doesn't go through us. To A we will pretend to be B, and to B
we'll pretend to be A.

It's enough to send forged ARP replies with the victim's MAC address and my
IP address filled in. But then I have to behave like a router.

It can be done in different ways: either I periodically send replies even without being asked, or
I send a query... it depends on the OS how it reacts, each one differently...


vm15:~# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=1.01 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=0.693 ms

--- 10.0.0.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.693/0.853/1.014/0.163 ms
vm15:~# arp -n
Address HWtype HWaddress Flags Mask Iface
10.0.0.100 ether FE:FF:FF:FF:FF:FF C eth0
vm15:~# arping 10.0.0.100
ARPING 10.0.0.100
42 bytes from fe:ff:ff:ff:ff:ff (10.0.0.100): index=0 time=1.327 msec
42 bytes from fe:ff:ff:ff:ff:ff (10.0.0.100): index=1 time=1.713 msec
42 bytes from fe:ff:ff:ff:ff:ff (10.0.0.100): index=2 time=4.258 msec

--- 10.0.0.100 statistics ---
3 packets transmitted, 3 packets received, 0% unanswered

-> everything works nicely

At this moment the instructor starts a script on another machine, which will behave
like a router and will periodically send out forged ARP packets (we attack the
machine 10.0.0.100) :)


vm15:~# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=8.43 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=0.715 ms

--- 10.0.0.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.715/4.574/8.434/3.860 ms
vm15:~# arp -n
Address HWtype HWaddress Flags Mask Iface
10.0.0.100 ether 00:16:3E:00:00:99 C eth0
vm15:~# arping 10.0.0.100
ARPING 10.0.0.100
42 bytes from fe:ff:ff:ff:ff:ff (10.0.0.100): index=0 time=1.452 msec
42 bytes from 00:16:3e:00:00:99 (10.0.0.100): index=1 time=121.695 msec
42 bytes from fe:ff:ff:ff:ff:ff (10.0.0.100): index=2 time=2.145 msec
42 bytes from 00:16:3e:00:00:99 (10.0.0.100): index=3 time=1.000 sec

--- 10.0.0.100 statistics ---
2 packets transmitted, 4 packets received, -100% unanswered

-> and look, everything still works, just notice that it suddenly has a different ARP address...

Script: arpspoof-all, supposedly googleable
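A defender's view of what the notes show above, as an added example (Python; not the seminar's script and not the author's code): the ARP table recorded while the network was healthy is kept as a baseline, and the arping / arp -n output is parsed for an IP that is answered by more than one MAC, or by a MAC other than the recorded one. The sample lines are constructed in the output format shown above; the baseline MAC is the one the notes recorded before the spoofing script ran.

```python
"""Detecting the symptoms of ARP spoofing from arping / arp -n output.

Added example for these notes (not the seminar's script): a defender who has
recorded the ARP table of a healthy network can spot the situation shown above,
where one IP suddenly has two responders. The sample lines are constructed in
the output format the notes show, using the addresses that appear there."""
import re
from collections import defaultdict

# arping reply:   "42 bytes from fe:ff:ff:ff:ff:ff (10.0.0.100): index=0 time=1.327 msec"
ARPING_REPLY = re.compile(r"^\d+ bytes from ([0-9a-f:]{17}) \((\d+\.\d+\.\d+\.\d+)\):", re.I)
# arp -n row:     "10.0.0.100 ether 00:16:3E:00:00:99 C eth0"
ARP_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-f:]{17})\s", re.I)
# arping summary: "2 packets transmitted, 4 packets received, -100% unanswered"
SUMMARY = re.compile(r"^(\d+) packets transmitted, (\d+) packets received")

# Baseline recorded while the network was healthy (first arp -n in the notes).
BASELINE = {"10.0.0.100": "fe:ff:ff:ff:ff:ff"}

# Constructed from the notes' output before and during the spoofing script.
HEALTHY_LINES = """\
10.0.0.100 ether FE:FF:FF:FF:FF:FF C eth0
ARPING 10.0.0.100
42 bytes from fe:ff:ff:ff:ff:ff (10.0.0.100): index=0 time=1.327 msec
42 bytes from fe:ff:ff:ff:ff:ff (10.0.0.100): index=1 time=1.713 msec
42 bytes from fe:ff:ff:ff:ff:ff (10.0.0.100): index=2 time=4.258 msec
3 packets transmitted, 3 packets received, 0% unanswered
""".splitlines()

SPOOFED_LINES = """\
10.0.0.100 ether 00:16:3E:00:00:99 C eth0
ARPING 10.0.0.100
42 bytes from fe:ff:ff:ff:ff:ff (10.0.0.100): index=0 time=1.452 msec
42 bytes from 00:16:3e:00:00:99 (10.0.0.100): index=1 time=121.695 msec
42 bytes from fe:ff:ff:ff:ff:ff (10.0.0.100): index=2 time=2.145 msec
42 bytes from 00:16:3e:00:00:99 (10.0.0.100): index=3 time=1.000 sec
2 packets transmitted, 4 packets received, -100% unanswered
""".splitlines()


def macs_per_ip(lines):
    """Map each IP to the set of hardware addresses that claimed it."""
    seen = defaultdict(set)
    for line in lines:
        m = ARPING_REPLY.match(line)
        if m:
            seen[m.group(2)].add(m.group(1).lower())
            continue
        m = ARP_ROW.match(line)
        if m:
            seen[m.group(1)].add(m.group(2).lower())
    return seen


def excess_replies(lines):
    """arping's summary: more replies than requests means several hosts answered."""
    for line in lines:
        m = SUMMARY.match(line)
        if m:
            return int(m.group(2)) - int(m.group(1))
    return 0


def find_conflicts(lines, baseline):
    """Alerts as (ip, reason, macs): an IP with several responders, or one whose
    responder differs from the MAC recorded in the healthy baseline."""
    alerts = []
    for ip, macs in sorted(macs_per_ip(lines).items()):
        if len(macs) > 1:
            alerts.append((ip, "multiple responders", tuple(sorted(macs))))
        expected = baseline.get(ip)
        if expected is not None:
            changed = tuple(sorted(m for m in macs if m != expected.lower()))
            if changed:
                alerts.append((ip, "mac differs from baseline", changed))
    return alerts


if __name__ == "__main__":
    for label, lines in (("healthy", HEALTHY_LINES), ("spoofed", SPOOFED_LINES)):
        print(label, excess_replies(lines), find_conflicts(lines, BASELINE))
```

In practice the baseline would come from a capture taken while the network is known to be healthy, or from a static ARP entry for the gateway; the same check can be run over a periodic arp -n dump from every host on the segment.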

DNS



4:

We should lower the TTL to, say, minutes if we are about to change IP
addresses; otherwise something on the order of hours is appropriate...

Zone: subtrees of the structure, which may have parts bitten out (e.g. *.cuni.cz without mff
is one zone -> mff has its own zone)

5:


vm15:~# nslookup idnes.cz
Server: 195.113.19.71
Address: 195.113.19.71#53

Non-authoritative answer:
Name: idnes.cz
Address: 194.79.52.192


6:


vm15:~# dig cuni.cz ns

; <<>> DiG 9.3.4 <<>> cuni.cz ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10358
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;cuni.cz. IN NS

;; ANSWER SECTION:
cuni.cz. 17709 IN NS golias.ruk.cuni.cz.
cuni.cz. 17709 IN NS ns.ces.net.

;; ADDITIONAL SECTION:
ns.ces.net. 168668 IN A 195.113.144.233
ns.ces.net. 82268 IN AAAA 2001:718:1:101::3
golias.ruk.cuni.cz. 82268 IN A 195.113.0.2

;; Query time: 2 msec
;; SERVER: 195.113.19.71#53(195.113.19.71)
;; WHEN: Thu Feb 28 18:06:20 2008
;; MSG SIZE rcvd: 134


7:

What delegations from higher-level domains look like (an iterative query; it is
commented below):

vm15:~# dig +trace +all +qr www.karlin.mff.cuni.cz

; <<>> DiG 9.3.4 <<>> +trace +all +qr www.karlin.mff.cuni.cz
;; global options: printcmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33276
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;. IN NS

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33276
;; flags: qr ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 12

;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 513994 IN NS F.ROOT-SERVERS.NET.
. 513994 IN NS G.ROOT-SERVERS.NET.
. 513994 IN NS H.ROOT-SERVERS.NET.
. 513994 IN NS I.ROOT-SERVERS.NET.
. 513994 IN NS J.ROOT-SERVERS.NET.
. 513994 IN NS K.ROOT-SERVERS.NET.
. 513994 IN NS L.ROOT-SERVERS.NET.
. 513994 IN NS M.ROOT-SERVERS.NET.
. 513994 IN NS A.ROOT-SERVERS.NET.
. 513994 IN NS B.ROOT-SERVERS.NET.
. 513994 IN NS C.ROOT-SERVERS.NET.
. 513994 IN NS D.ROOT-SERVERS.NET.
. 513994 IN NS E.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 604707 IN A 198.41.0.4
A.ROOT-SERVERS.NET. 604707 IN AAAA 2001:503:ba3e::2:30
C.ROOT-SERVERS.NET. 604740 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 604699 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 604739 IN A 192.203.230.10
G.ROOT-SERVERS.NET. 604572 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 604735 IN A 128.63.2.53
H.ROOT-SERVERS.NET. 604735 IN AAAA 2001:500:1::803f:235
J.ROOT-SERVERS.NET. 604762 IN A 192.58.128.30
J.ROOT-SERVERS.NET. 604762 IN AAAA 2001:503:c27::2:30
K.ROOT-SERVERS.NET. 604728 IN A 193.0.14.129
K.ROOT-SERVERS.NET. 604728 IN AAAA 2001:7fd::1

;; Query time: 4 msec
;; SERVER: 195.113.19.71#53(195.113.19.71)
;; WHEN: Thu Feb 28 18:10:54 2008
;; MSG SIZE rcvd: 468

;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42811
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.karlin.mff.cuni.cz. IN A

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42811
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 11

;; QUESTION SECTION:
;www.karlin.mff.cuni.cz. IN A

;; AUTHORITY SECTION:
cz. 172800 IN NS F.NS.NIC.cz.
cz. 172800 IN NS A.NS.NIC.cz.
cz. 172800 IN NS B.NS.NIC.cz.
cz. 172800 IN NS C.NS.NIC.cz.
cz. 172800 IN NS D.NS.NIC.cz.
cz. 172800 IN NS E.NS.NIC.cz.

;; ADDITIONAL SECTION:
A.NS.NIC.cz. 172800 IN A 217.31.205.180
B.NS.NIC.cz. 172800 IN A 217.31.205.188
C.NS.NIC.cz. 172800 IN A 195.66.241.202
D.NS.NIC.cz. 172800 IN A 193.29.206.1
E.NS.NIC.cz. 172800 IN A 194.146.105.38
F.NS.NIC.cz. 172800 IN A 193.171.255.48
A.NS.NIC.cz. 172800 IN AAAA 2001:1488:dada:176::180
B.NS.NIC.cz. 172800 IN AAAA 2001:1488:dada:184::188
C.NS.NIC.cz. 172800 IN AAAA 2a01:40:1000::2
D.NS.NIC.cz. 172800 IN AAAA 2001:678:1::1
F.NS.NIC.cz. 172800 IN AAAA 2001:628:453:420::48

;; Query time: 8 msec
;; SERVER: 192.5.5.241#53(F.ROOT-SERVERS.NET)
;; WHEN: Thu Feb 28 18:10:54 2008
;; MSG SIZE rcvd: 379

;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32710
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.karlin.mff.cuni.cz. IN A

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32710
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;www.karlin.mff.cuni.cz. IN A

;; AUTHORITY SECTION:
cuni.cz. 18000 IN NS golias.ruk.cuni.cz.
cuni.cz. 18000 IN NS ns.ces.net.

;; ADDITIONAL SECTION:
golias.ruk.cuni.cz. 18000 IN A 195.113.0.2

;; Query time: 8 msec
;; SERVER: 193.171.255.48#53(F.NS.NIC.cz)
;; WHEN: Thu Feb 28 18:10:54 2008
;; MSG SIZE rcvd: 105

;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24025
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.karlin.mff.cuni.cz. IN A

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24025
;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;www.karlin.mff.cuni.cz. IN A

;; ANSWER SECTION:
www.karlin.mff.cuni.cz. 86400 IN CNAME wendy.karlin.mff.cuni.cz.
wendy.karlin.mff.cuni.cz. 86400 IN A 195.113.30.214

;; AUTHORITY SECTION:
karlin.mff.cuni.cz. 86400 IN NS krb.karlin.mff.cuni.cz.
karlin.mff.cuni.cz. 86400 IN NS krbik.karlin.mff.cuni.cz.
karlin.mff.cuni.cz. 86400 IN NS golias.ruk.cuni.cz.

;; ADDITIONAL SECTION:
krb.karlin.mff.cuni.cz. 86400 IN A 195.113.30.215
krbik.karlin.mff.cuni.cz. 86400 IN A 195.113.30.216
golias.ruk.cuni.cz. 86400 IN A 195.113.0.2

;; Query time: 2 msec
;; SERVER: 195.113.0.2#53(golias.ruk.cuni.cz)
;; WHEN: Thu Feb 28 18:10:54 2008
;; MSG SIZE rcvd: 187


Imagine that the nameserver for www.seznam.cz is ns.seznam.cz. Fine, but then
from .cz I get the information that the IP address is held by ns.seznam.cz, but what
IP address does ns.seznam.cz itself have? :-o

This is solved with glue records: from the server for .cz we learn not only
NS-type information but also an A-type record for ns.seznam.cz. These are in the additional
section (you can see it in our query too, e.g. right at the start the root servers are
listed and below them are their IP addresses)

8:


vm15:~# vim /etc/resolv.conf
vm15:~# cat /etc/resolv.conf
search seminar
nameserver 10.0.0.100
vm15:~# ping seznam.cz
PING seznam.cz (77.75.76.3) 56(84) bytes of data.
64 bytes from www.seznam.cz (77.75.76.3): icmp_seq=1 ttl=56 time=3.40 ms
64 bytes from www.seznam.cz (77.75.76.3): icmp_seq=2 ttl=56 time=4.70 ms

--- seznam.cz ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 3.402/4.055/4.708/0.653 ms


For our purposes the top-level domain is called "seminar" (at the same level as
.cz etc.)

Even if we rewrite /etc/resolv.conf, it gets overwritten again after a while, so
we have to kill the DHCP client:


vm15:~# pkill dhclient


Let's test whether it works properly:

vm15:~# dig ns.seminar

; <<>> DiG 9.3.4 <<>> ns.seminar
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53501
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns.seminar. IN A

;; ANSWER SECTION:
ns.seminar. 604800 IN A 10.0.0.100

;; AUTHORITY SECTION:
seminar. 604800 IN NS ns.seminar.

;; Query time: 6 msec
;; SERVER: 10.0.0.100#53(10.0.0.100)
;; WHEN: Thu Feb 28 18:32:47 2008
;; MSG SIZE rcvd: 58


So OK, but not entirely: e.g. "dig ns" should do the same thing but doesn't; for
unknown reasons it searches the internet, but we didn't look into why it does that
wrong.

9:

Let's set up our own server :)
It should already be running; if not, then

vm15:~# /etc/init.d/bind9 start
vm15:~# dig @localhost idnes.cz

; <<>> DiG 9.3.4 <<>> @localhost idnes.cz
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37487
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;idnes.cz. IN A

;; ANSWER SECTION:
idnes.cz. 1800 IN A 194.79.52.192

;; AUTHORITY SECTION:
idnes.cz. 1800 IN NS ns.mafra.cz.
idnes.cz. 1800 IN NS ns2.mafra.cz.

;; Query time: 227 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Feb 28 18:38:53 2008
;; MSG SIZE rcvd: 83
vm15:~# dig @localhost ns.seminar

; <<>> DiG 9.3.4 <<>> @localhost ns.seminar
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16326
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns.seminar. IN A

;; AUTHORITY SECTION:
. 10800 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2008022701 1800 900 604800 86400

;; Query time: 24 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Feb 28 18:39:33 2008
;; MSG SIZE rcvd: 103

Ha, it doesn't know ns.seminar. We'll set it as the default in resolv.conf anyway (we'll
probably configure that later)


vm15:~# cat /etc/resolv.conf
search seminar
nameserver 127.0.0.1


Thu Mar 6 17:15:37 CET 2008



11:

Let's set up our own DNS server


vm15:~# cp /etc/bind/db.local /etc/bind/db.vm15
vm15:~# vim /etc/bind/db.vm15
vm15:~# cat /etc/bind/db.vm15
;
; BIND data file for local loopback interface
;
$TTL 3D
@ IN SOA ns.vm15.seminar. root.seminar. (
2008030601 ; Serial
8H ; Refresh
2D ; Retry
4W ; Expire
1D ) ; Negative Cache TTL
NS ns
MX 20 mail
ns A 10.0.0.115
mail A 10.0.0.115
vm15:~# vim /etc/bind/named.conf.local
vm15:~# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "vm15.seminar" {
type master;
file "/etc/bind/db.vm15";
};
vm15:~# pkill dhclient
vm15:~# vim /etc/resolv.conf
vm15:~# cat /etc/resolv.conf
search seminar
nameserver 10.0.0.115
nameserver 10.0.0.100
vm15:~# /etc/init.d/bind9 restart
Stopping domain name service...: bind.
Starting domain name service...: bind.
vm15:~# tail /var/log/syslog
Mar 6 17:45:53 vm15 named[1475]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 6 17:45:53 vm15 named[1475]: listening on IPv4 interface eth0, 10.0.0.115#53
Mar 6 17:45:53 vm15 named[1475]: command channel listening on 127.0.0.1#953
Mar 6 17:45:53 vm15 named[1475]: command channel listening on ::1#953
Mar 6 17:45:53 vm15 named[1475]: zone 0.in-addr.arpa/IN: loaded serial 1
Mar 6 17:45:53 vm15 named[1475]: zone 127.in-addr.arpa/IN: loaded serial 1
Mar 6 17:45:53 vm15 named[1475]: zone 255.in-addr.arpa/IN: loaded serial 1
Mar 6 17:45:53 vm15 named[1475]: zone localhost/IN: loaded serial 1
Mar 6 17:45:53 vm15 named[1475]: zone vm15.seminar/IN: loaded serial 2008030601
Mar 6 17:45:53 vm15 named[1475]: running



that looks good....


vm15:~# nslookup ns.vm15.seminar
Server: 10.0.0.115
Address: 10.0.0.115#53

Name: ns.vm15.seminar
Address: 10.0.0.115


So it works too :) (that it really works is clear from the fact that the
server listed is 10.0.0.115, which is our machine, so it was the one that correctly
answered)



I'll make myself a secondary for a classmate's machine:


vm15:~# vim /etc/bind/named.conf.local
vm15:~# cat /etc/bind/named.conf.local
zone "vm15.seminar" {
type master;
file "/etc/bind/db.vm15";
};

zone "vm28.seminar" {
type slave;
file "db.vm28";
masters { 10.0.0.128; };
};
vm15:~# chmod g+w /etc/bind
# so that he in turn can pull our zone file
vm15:~# /etc/init.d/bind9 restart
Stopping domain name service...: bind.
Starting domain name service...: bind.
vm15:~# nslookup ns.vm28.seminar
Server: 10.0.0.115
Address: 10.0.0.115#53

Name: ns.vm28.seminar
Address: 10.0.0.128


works :)

Routing



All the machines were restarted so that we could change the network structure according to slides 3
and 4. At this point we should not get anything from the DHCP server.

6:


vm15:~# ifconfig eth0 10.1.0.15 netmask 255.255.255.0
vm15:~# ifconfig eth0 up
vm15:~# ifconfig eth1 10.3.0.15 netmask 255.255.255.0
vm15:~# ifconfig eth1 up
vm15:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3E:00:01:15
inet addr:10.1.0.15 Bcast:10.1.0.255 Mask:255.255.255.0
inet6 addr: fe80::216:3eff:fe00:115/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:189 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:20378 (19.9 KiB) TX bytes:2604 (2.5 KiB)

eth1 Link encap:Ethernet HWaddr 00:16:3E:00:03:15
inet addr:10.3.0.15 Bcast:10.3.0.255 Mask:255.255.255.0
inet6 addr: fe80::216:3eff:fe00:315/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:46 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2908 (2.8 KiB) TX bytes:510 (510.0 b)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)


7:

let's enable forwarding


vm15:~# echo 1 > /proc/sys/net/ipv4/ip_forward


and routing


vm15:~# route add -net 10.2.0.0/24 gw 10.1.0.100 eth0
vm15:~# route add -net 10.4.0.0/24 gw 10.1.0.100 eth0
vm15:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.2.0.0 10.1.0.100 255.255.255.0 UG 0 0 0 eth0
10.4.0.0 10.1.0.100 255.255.255.0 UG 0 0 0 eth0
10.3.0.0 * 255.255.255.0 U 0 0 0 eth1
10.1.0.0 * 255.255.255.0 U 0 0 0 eth0


Thu Mar 13 17:23:06 CET 2008



13, 14:


vm15:~# vim /etc/quagga/daemons
vm15:~# cat /etc/quagga/daemons
...
zebra=yes
bgpd=no
ospfd=no
ospf6d=no
ripd=yes
ripngd=no
isisd=no
vm15:~# vim /etc/quagga/zebra.conf
vm15:~# cat /etc/quagga/zebra.conf
hostname router
password zebra
vm15:~# vim /etc/quagga/ripd.conf
vm15:~# cat /etc/quagga/ripd.conf
hostname ripd
password zebra
router rip
network eth0
network eth1
vm15:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.2.0.0 10.1.0.100 255.255.255.0 UG 0 0 0 eth0
10.4.0.0 10.1.0.100 255.255.255.0 UG 0 0 0 eth0
10.3.0.0 * 255.255.255.0 U 0 0 0 eth1
10.1.0.0 * 255.255.255.0 U 0 0 0 eth0
vm15:~# route del -net 10.2.0.0/24
vm15:~# route del -net 10.4.0.0/24
vm15:~# /etc/init.d/quagga start
Loading capability module if not yet done.
Starting Quagga daemons (prio:10): zebra/usr/lib/quagga/zebra already running.
vm15:~# telnet localhost ripd
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Hello, this is Quagga (version 0.99.5).
Copyright 1996-2005 Kunihiro Ishiguro, et al.


User Access Verification

Password:
ripd> show ip rip
Codes: R - RIP, C - connected, S - Static, O - OSPF, B - BGP
Sub-codes:
(n) - normal, (s) - static, (d) - default, (r) - redistribute,
(i) - interface

Network Next Hop Metric From Tag Time
R(n) 0.0.0.0/0 10.1.0.100 2 10.1.0.100 0 10:20
C(i) 10.1.0.0/24 0.0.0.0 1 self 0
R(n) 10.2.0.0/24 10.1.0.100 2 10.1.0.100 0 10:20
C(i) 10.3.0.0/24 0.0.0.0 1 self 0
R(n) 10.4.0.0/24 10.1.0.100 3 10.1.0.100 0 10:20
ripd> show ip rip status
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in -1205427131 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive any version
Interface Send Recv Key-chain
eth0 2 1 2
eth1 2 1 2
Routing for Networks:
eth0
eth1
Routing Information Sources:
Gateway BadPackets BadRoutes Distance Last Update
10.1.0.100 0 0 120 00:00:19
10.1.0.11 0 0 120 00:00:08
10.1.0.9 0 0 120 00:00:19
10.3.0.9 0 0 120 00:00:19
10.1.0.99 0 0 120 00:00:16
10.1.0.3 0 0 120 00:00:35
10.3.0.3 0 0 120 00:00:35
10.1.0.25 0 0 120 00:00:16
10.3.0.25 0 0 120 00:00:16
10.1.0.7 0 0 120 00:00:23
10.3.0.7 0 0 120 00:00:23
10.1.0.5 0 0 120 00:00:26
10.3.0.5 0 0 120 00:00:26
10.3.0.11 0 0 120 00:00:08
Distance: (default is 120)


15:


vm15:~# ifconfig eth1 down
# for mysterious reasons this is sometimes necessary
vm15:~# ifconfig eth1 up
vm15:~# ifconfig eth0 down
vm15:~# ifconfig eth0 up
vm15:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.4.0.14 10.1.0.100 255.255.255.255 UGH 3 0 0 eth0
10.2.0.14 10.1.0.100 255.255.255.255 UGH 3 0 0 eth0
10.2.0.0 10.1.0.100 255.255.255.0 UG 2 0 0 eth0
10.0.0.0 10.1.0.100 255.255.255.0 UG 5 0 0 eth0
10.0.1.0 10.1.0.100 255.255.255.0 UG 5 0 0 eth0
10.3.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.1.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 10.1.0.100 0.0.0.0 UG 2 0 0 eth0
vm15:~# ping 195.113.18.123
PING 195.113.18.123 (195.113.18.123) 56(84) bytes of data.
64 bytes from 195.113.18.123: icmp_seq=1 ttl=63 time=1.74 ms
64 bytes from 195.113.18.123: icmp_seq=2 ttl=63 time=1.15 ms
...
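How the kernel chooses among the routes in the table above (longest prefix first, then metric), as an added Python example that is not from the seminar: it parses both the route -n table printed above and the plain route table from slide 7 (with its "*" and "default" spellings), and answers which next hop and interface a destination would get, or that it is unreachable, which is what the "Network is unreachable" ping earlier in the notes showed.

```python
"""Longest-prefix-match over the kernel routing table, as `route -n` prints it.

Added example, not seminar code. The two tables are the ones these notes show:
the static one from slide 7 (plain `route`, with `*` for directly connected
networks) and the RIP-populated one above, which mixes /32 host routes, /24
network routes and a default. The lookup picks the most specific route and,
between equal prefixes, the lower metric, which is what the kernel does."""
import ipaddress

STATIC_TABLE = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.2.0.0 10.1.0.100 255.255.255.0 UG 0 0 0 eth0
10.4.0.0 10.1.0.100 255.255.255.0 UG 0 0 0 eth0
10.3.0.0 * 255.255.255.0 U 0 0 0 eth1
10.1.0.0 * 255.255.255.0 U 0 0 0 eth0
"""

RIP_TABLE = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.4.0.14 10.1.0.100 255.255.255.255 UGH 3 0 0 eth0
10.2.0.14 10.1.0.100 255.255.255.255 UGH 3 0 0 eth0
10.2.0.0 10.1.0.100 255.255.255.0 UG 2 0 0 eth0
10.0.0.0 10.1.0.100 255.255.255.0 UG 5 0 0 eth0
10.0.1.0 10.1.0.100 255.255.255.0 UG 5 0 0 eth0
10.3.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.1.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 10.1.0.100 0.0.0.0 UG 2 0 0 eth0
"""


def parse_route_table(text):
    """Turn route / route -n output into a list of route dicts.
    Accepts both spellings: 'default' and '*' (route) or 0.0.0.0 (route -n)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # title line and column header
        dest, gw, mask, flags, metric, _ref, _use, iface = fields
        if dest == "default":
            dest, mask = "0.0.0.0", "0.0.0.0"
        if gw == "*":
            gw = "0.0.0.0"
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gw": gw, "flags": flags, "metric": int(metric), "iface": iface,
        })
    return routes


def lookup(routes, addr):
    """Most specific matching route; ties broken by metric. None if no route."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r["net"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def next_hop(routes, addr):
    """(gateway or None for on-link delivery, interface, matched prefix length),
    or None when the kernel would answer 'Network is unreachable'."""
    r = lookup(routes, addr)
    if r is None:
        return None
    gateway = None if r["gw"] == "0.0.0.0" else r["gw"]
    return gateway, r["iface"], r["net"].prefixlen


if __name__ == "__main__":
    rip = parse_route_table(RIP_TABLE)
    for dst in ("10.4.0.14", "10.4.0.20", "10.2.0.14", "10.3.0.7", "195.113.18.123"):
        print(dst, "->", next_hop(rip, dst))
    print("static table, internet:", next_hop(parse_route_table(STATIC_TABLE), "195.113.18.123"))
```

Note that the RIP-populated table above has a host route for 10.4.0.14 but no 10.4.0.0/24 entry, so another address in that network, say 10.4.0.20, falls through to the default route, whereas the static table from slide 7 has the /24 but no default at all.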


now we take down the little server at 10.1.0.100 and someone (who had a route through it, e.g. me)
will stop being able to ping the internet, but after a while it fixes itself :)


vm15:~# ping 195.113.18.123
PING 195.113.18.123 (195.113.18.123) 56(84) bytes of data.

--- 195.113.18.123 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3005ms
vm15:~# telnet localhost ripd
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Hello, this is Quagga (version 0.99.5).
Copyright 1996-2005 Kunihiro Ishiguro, et al.


User Access Verification

Password:
ripd> show ip rip status
Routing Protocol is "rip"
Sending updates every 30 seconds with +/-50%, next due in -1205427137 seconds
Timeout after 180 seconds, garbage collect after 120 seconds
Outgoing update filter list for all interface is not set
Incoming update filter list for all interface is not set
Default redistribution metric is 1
Redistributing:
Default version control: send version 2, receive any version
Interface Send Recv Key-chain
eth0 2 1 2
eth1 2 1 2
Routing for Networks:
eth0
eth1
Routing Information Sources:
Gateway BadPackets BadRoutes Distance Last Update
10.1.0.100 0 0 120 00:01:20
10.1.0.11 0 0 120 00:00:19
10.1.0.9 0 0 120 00:00:06
10.3.0.9 0 0 120 00:00:06
10.1.0.99 0 0 120 00:00:28
10.1.0.3 0 0 120 00:00:32
10.3.0.3 0 0 120 00:00:32
10.1.0.25 0 0 120 00:00:10
10.3.0.25 1 0 120 00:00:10
10.1.0.7 0 0 120 00:00:25
10.3.0.7 0 0 120 00:00:25
10.1.0.5 0 0 120 00:00:11
10.3.0.5 1 0 120 00:00:11
10.3.0.11 0 0 120 00:00:19
10.1.0.19 0 0 120 00:00:05
10.3.0.19 0 0 120 00:00:05
10.1.0.17 0 0 120 00:00:28
10.3.0.17 0 0 120 00:00:28
Distance: (default is 120)


we can see that the Last Update from 10.1.0.100 was quite a long time ago. After a while
it disappeared from the table entirely. And a different path was found:


ripd> show ip rip
Codes: R - RIP, C - connected, S - Static, O - OSPF, B - BGP
Sub-codes:
(n) - normal, (s) - static, (d) - default, (r) - redistribute,
(i) - interface

Network Next Hop Metric From Tag Time
R(n) 0.0.0.0/0 10.1.0.99 3 10.1.0.99 0 10:32
R(n) 10.0.0.0/24 10.1.0.99 5 10.1.0.99 0 10:32
R(n) 10.0.1.0/24 10.1.0.99 5 10.1.0.99 0 10:32
C(i) 10.1.0.0/24 0.0.0.0 1 self 0
R(n) 10.2.0.0/24 10.1.0.99 2 10.1.0.99 0 10:32
R(n) 10.2.0.14/32 10.1.0.99 3 10.1.0.99 0 10:32
C(i) 10.3.0.0/24 0.0.0.0 1 self 0
R(n) 10.4.0.0/24 10.1.0.99 3 10.1.0.99 0 10:32
R(n) 10.4.0.14/32 10.1.0.99 3 10.1.0.99 0 10:32
ripd> Connection closed by foreign host.
vm15:~# ping 195.113.18.123
PING 195.113.18.123 (195.113.18.123) 56(84) bytes of data.
64 bytes from 195.113.18.123: icmp_seq=1 ttl=62 time=3.81 ms
64 bytes from 195.113.18.123: icmp_seq=2 ttl=62 time=1.49 ms

--- 195.113.18.123 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 1.496/2.656/3.817/1.161 ms


and when we bring that interface back up, after a while the original
route gets back in there, because it's shorter :)
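The failover and recovery described here, replayed with RIP's timers as an added example (Python, not seminar code). The timer values are those ripd printed above; the two neighbours and their metrics (10.1.0.100 at metric 2, 10.1.0.99 at metric 3) are taken from the show ip rip tables, and the advertisement schedule in which .100 falls silent and later returns is constructed.

```python
"""Distance-vector failover with RIP's timers, replaying what happened above:
the route via 10.1.0.100 (metric 2) went stale, was dropped, the route via
10.1.0.99 (metric 3) took over, and the shorter one returned when .100 came back.

Added example, not seminar code. The timer values are those ripd printed in
these notes (updates every 30 s, timeout 180 s, garbage collect 120 s); the
advertisements are constructed to reproduce the outage."""
from dataclasses import dataclass

UPDATE, TIMEOUT, GARBAGE = 30, 180, 120
INFINITY = 16  # RIP's "unreachable" metric


@dataclass
class Entry:
    metric: int
    last_update: int  # seconds; when this neighbour last refreshed the route


class RipTable:
    def __init__(self):
        self.entries = {}  # (prefix, gateway) -> Entry

    def receive(self, now, gateway, prefix, advertised_metric):
        """Neighbour update: cost is what it advertises plus one hop to reach it."""
        self.entries[(prefix, gateway)] = Entry(min(advertised_metric + 1, INFINITY), now)

    def expire(self, now):
        """Timeout: unrefreshed for 180 s -> metric 16 (still listed, advertised as
        unreachable); garbage collect: 120 s after that -> removed from the table."""
        for key, entry in list(self.entries.items()):
            age = now - entry.last_update
            if age >= TIMEOUT + GARBAGE:
                del self.entries[key]
            elif age >= TIMEOUT:
                entry.metric = INFINITY

    def best(self, prefix):
        """(gateway, metric) of the cheapest reachable route, or None."""
        candidates = [(e.metric, gw) for (p, gw), e in self.entries.items()
                      if p == prefix and e.metric < INFINITY]
        if not candidates:
            return None
        metric, gateway = min(candidates)
        return gateway, metric


def replay(prefix="0.0.0.0/0", outage=(300, 720), end=900):
    """Both neighbours advertise every 30 s; 10.1.0.100 is silent during `outage`.
    Returns {t: (best route, gateways still present in the table)}."""
    table, timeline = RipTable(), {}
    for t in range(0, end + 1, UPDATE):
        table.receive(t, "10.1.0.99", prefix, 2)         # longer path, always up
        if not outage[0] <= t < outage[1]:
            table.receive(t, "10.1.0.100", prefix, 1)    # shorter path, fails at 300 s
        table.expire(t)
        timeline[t] = (table.best(prefix), sorted(gw for (_, gw) in table.entries))
    return timeline


if __name__ == "__main__":
    previous = None
    for t, (best, present) in replay().items():
        if (best, present) != previous:   # print only the transitions
            print(f"t={t:3d}s best={best} in table={present}")
            previous = (best, present)
```

The replay shows the window the notes observed: for up to 180 s after the last update the stale route via .100 is still the one in use (packets are lost, as in the 100% packet loss ping above), only then does the table switch to .99, and the dead entry lingers for a further 120 s before it vanishes. The roughly three-second recovery seen with OSPF later in the notes comes from OSPF detecting the failure through its own neighbour timers instead of waiting for a route to time out.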


16:



vm15:~# vim /etc/quagga/daemons
...
zebra=yes
bgpd=no
ospfd=yes
ospf6d=no
ripd=no
ripngd=no
isisd=no
vm15:~# vim /etc/quagga/ospfd.conf
vm15:~# cat /etc/quagga/ospfd.conf
hostname ospfd
password zebra
router ospf
network 10.1.0.0/24 area 0
network 10.3.0.0/24 area 0
vm15:~# /etc/init.d/quagga restart
Stopping Quagga daemons (prio:0): (ospfd) zebra (bgpd) (waiting) .. ripd (ripngd) (ospf6d) (isisd).
Removing all routes made by zebra.
Nothing to flush.
Loading capability module if not yet done.
Starting Quagga daemons (prio:10): zebra ospfd.


let's try another outage :)


vm15:~# ping 195.113.18.123
PING 195.113.18.123 (195.113.18.123) 56(84) bytes of data.
64 bytes from 195.113.18.123: icmp_seq=1 ttl=63 time=1.25 ms
64 bytes from 195.113.18.123: icmp_seq=2 ttl=63 time=0.957 ms

--- 195.113.18.123 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.957/1.103/1.250/0.150 ms


it works much faster than the previous one :) it stopped for a moment and then
immediately carried on (about 3 s)

IPv6



Thu Mar 20 17:21:33 CET 2008



5, 6, 7, 8, 9:

In our case we have to tunnel, because we are surrounded by IPv4. Static configuration:


vm15:~# ip link set dev eth0 up
vm15:~# ip addr add 2001:5c0:94c1:1::04/64 dev eth0
vm15:~# ip route add 2001:5c0:94c1:1::/64 dev eth0
vm15:~# ip route add 2000::/3 via 2001:5c0:94c1:1::100
vm15:~# echo nameserver 2001:5c0:94c1::1 >/etc/resolv.conf
vm15:~# ip route # prints the routing table (route -6)
10.0.0.0/24 via 10.1.0.100 dev eth0 proto zebra metric 20
10.2.0.0/24 proto zebra metric 20
nexthop via 10.1.0.100 dev eth0 weight 1
nexthop via 10.1.0.99 dev eth0 weight 1
10.4.0.0/24 proto zebra metric 30
nexthop via 10.1.0.100 dev eth0 weight 1
nexthop via 10.1.0.99 dev eth0 weight 1
10.3.0.0/24 dev eth1 proto kernel scope link src 10.3.0.15
10.1.0.0/24 dev eth0 proto kernel scope link src 10.1.0.15
default via 10.1.0.100 dev eth0 proto zebra metric 10
vm15:~# route -6
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
::1/128 :: U 0 12 1 lo
2001:5c0:94c1:1::4/128 :: U 0 39 1 lo
2001:5c0:94c1:1::/64 :: U 256 1 0 eth0
2001:5c0:94c1:1::/64 :: U 1024 0 0 eth0
2000::/3 2001:5c0:94c1:1::100 UG 1024 18 0 eth0
fe80::216:3eff:fe00:115/128 :: U 0 2 1 lo
fe80::216:3eff:fe00:315/128 :: U 0 0 1 lo
fe80::/64 :: U 256 0 0 eth0
fe80::/64 :: U 256 0 0 eth1
ff02::2/128 ff02::2 UC 0 3 3 eth0
ff00::/8 :: U 256 0 0 eth0
ff00::/8 :: U 256 0 0 eth1
vm15:~# ping6 www.kame.net
PING www.kame.net(orange.kame.net) 56 data bytes
64 bytes from orange.kame.net: icmp_seq=1 ttl=46 time=313 ms
64 bytes from orange.kame.net: icmp_seq=2 ttl=46 time=317 ms
64 bytes from orange.kame.net: icmp_seq=3 ttl=46 time=305 ms
64 bytes from orange.kame.net: icmp_seq=4 ttl=46 time=324 ms

--- www.kame.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 305.049/315.113/324.288/6.912 ms


Let's remove the static configuration, and yet we can still ping. Why? Because the
routing remembers it.


RTNETLINK answers: No such process
vm15:~# ip route del 2001:5c0:94c1:1::/64
vm15:~# ip addr del 2001:5c0:94c1:1::04/64 dev eth0
vm15:~# ping6 www.kame.net
PING www.kame.net(orange.kame.net) 56 data bytes
64 bytes from orange.kame.net: icmp_seq=1 ttl=45 time=326 ms
64 bytes from orange.kame.net: icmp_seq=2 ttl=45 time=328 ms

--- www.kame.net ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2014ms
rtt min/avg/max/mdev = 326.537/327.750/328.963/1.213 ms
vm15:~# ip addr show
1: lo: mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:16:3e:00:01:15 brd ff:ff:ff:ff:ff:ff
inet 10.1.0.15/24 brd 10.1.0.255 scope global eth0
inet6 2001:5c0:94c1:1:216:3eff:fe00:115/64 scope global dynamic
valid_lft 2591996sec preferred_lft 604796sec
inet6 fe80::216:3eff:fe00:115/64 scope link
valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:16:3e:00:03:15 brd ff:ff:ff:ff:ff:ff
inet 10.3.0.15/24 brd 10.3.0.255 scope global eth1
inet6 fe80::216:3eff:fe00:315/64 scope link
valid_lft forever preferred_lft forever
4: sit0: mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0


Let's sniff a packet:


adns: /etc/resolv.conf:1: invalid nameserver address `2001:5c0:94c1::1'
device eth0 entered promiscuous mode
audit(1206032751.183:4): dev=eth0 prom=256 old_prom=0 auid=4294967295
Capturing on eth0
Frame 1 (110 bytes on wire, 110 bytes captured)
Arrival Time: Mar 20, 2008 18:05:51.693765000
[Time delta from previous packet: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Packet Length: 110 bytes
Capture Length: 110 bytes
[Frame is marked: False]
[Protocols in frame: eth:ipv6:icmpv6]
Ethernet II, Src: Xensourc_00:01:99 (00:16:3e:00:01:99), Dst: IPv6-Neighbor-Discovery_00:00:00:01 (33:33:00:00:00:01)
Destination: IPv6-Neighbor-Discovery_00:00:00:01 (33:33:00:00:00:01)
Address: IPv6-Neighbor-Discovery_00:00:00:01 (33:33:00:00:00:01)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
Source: Xensourc_00:01:99 (00:16:3e:00:01:99)
Address: Xensourc_00:01:99 (00:16:3e:00:01:99)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IPv6 (0x86dd)
Internet Protocol Version 6
Version: 6
Traffic class: 0x00
Flowlabel: 0x00000
Payload length: 56
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source address: fe80::216:3eff:fe00:199 (fe80::216:3eff:fe00:199)
Destination address: ff02::1 (ff02::1)
Internet Control Message Protocol v6
Type: 134 (Router advertisement)
Code: 0
Checksum: 0xf491 [correct]
Cur hop limit: 64
Flags: 0x00
0... .... = Not managed
.0.. .... = Not other
..0. .... = Not Home Agent
...0 0... = Router preference: Medium
Router lifetime: 30
Reachable time: 0
Retrans time: 0
ICMPv6 options
Type: 3 (Prefix information)
Length: 32 bytes (4)
Prefix length: 64
Flags: 0xc0
1... .... = Onlink
.1.. .... = Auto
..0. .... = Not router address
...0 .... = Not site prefix
Valid lifetime: 0x00278d00
Preferred lifetime: 0x00093a80
Prefix: 2001:5c0:94c1:1::
ICMPv6 options
Type: 1 (Source link-layer address)
Length: 8 bytes (1)
Link-layer address: 00:16:3e:00:01:99

device eth0 left promiscuous mode
audit(1206032756.767:5): dev=eth0 prom=0 old_prom=256 auid=4294967295
1 packets captured
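The router advertisement above is what kept the ping working after the static address was deleted: its prefix option carries the A (autonomous) flag, so the kernel derived the `scope global dynamic` address that `ip addr show` lists. As an added example that is not part of the notes, the RA rebuilt from the dissected fields and decoded in Python, with the SLAAC address computed from the host's MAC; `parse_router_advertisement`, `slaac_addresses` and the sample bytes are my own names and constructions.

```python
import ipaddress
import struct

# Constructed sample: the ICMPv6 router advertisement dissected above, rebuilt from its
# decoded fields (56 bytes, the IPv6 payload length shown). The checksum is copied as
# printed by tshark and is not recomputed here.
RA_PAYLOAD = (
    struct.pack("!BBHBBHII", 134, 0, 0xF491, 64, 0x00, 30, 0, 0)          # RA header
    + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 0x00278D00, 0x00093A80, 0)  # prefix information option
    + ipaddress.IPv6Address("2001:5c0:94c1:1::").packed
    + bytes([1, 1]) + bytes.fromhex("00163e000199")                       # source link-layer address option
)

HOST_MAC = "00:16:3e:00:01:15"   # eth0 of vm15, from the ip addr show output above


def parse_router_advertisement(payload: bytes) -> dict:
    """Decode an ICMPv6 type 134 message (RFC 4861 layout) into a dict."""
    if len(payload) < 16 or payload[0] != 134:
        raise ValueError("not an ICMPv6 router advertisement")
    _, _, checksum, hop_limit, flags, router_lifetime, reachable, retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    ra = {
        "checksum": checksum, "cur_hop_limit": hop_limit,
        "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
        "router_lifetime": router_lifetime, "reachable_time": reachable,
        "retrans_timer": retrans, "prefixes": [], "source_lladdr": None,
    }
    pos = 16
    while pos < len(payload):
        opt_type, opt_len = payload[pos], payload[pos + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")   # RFC 4861: such a packet must be discarded
        body = payload[pos + 2: pos + opt_len * 8]
        if opt_type == 3 and opt_len == 4:            # prefix information
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", body[:14])
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network(f"{prefix}/{plen}"),
                "onlink": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred,
            })
        elif opt_type == 1 and opt_len == 1:          # source link-layer address (Ethernet)
            ra["source_lladdr"] = ":".join(f"{b:02x}" for b in body[:6])
        pos += opt_len * 8
    return ra


def eui64_interface_id(mac: str) -> int:
    """RFC 4291 modified EUI-64: flip the universal/local bit, insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def slaac_addresses(ra: dict, mac: str) -> list:
    """Addresses a host autoconfigures from this RA: only /64 prefixes with the A flag count."""
    out = []
    for p in ra["prefixes"]:
        net = p["prefix"]
        if p["autonomous"] and net.prefixlen == 64:
            out.append(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))
    return out


if __name__ == "__main__":
    ra = parse_router_advertisement(RA_PAYLOAD)
    print(ra["prefixes"][0]["prefix"], [str(a) for a in slaac_addresses(ra, HOST_MAC)])
```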


10, 11:


vm15:~# host www.pasnet.cz
www.pasnet.cz has address 195.113.67.149
www.pasnet.cz has IPv6 address 2001:718:1e00::149
vm15:~# host 2001:718:1e03:4::3
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.0.0.3.0.e.1.8.1.7.0.1.0.0.2.ip6.arpa domain name pointer nms.ipv6.pasnet.cz.


{I didn't quite get to the dns part}

UDP, TCP, Firewall



1-5:

To end telnet, ctrl+] is used by default, but that doesn't suit us, because it
throws us out of the console :) We set it with the -e parameter. But netcat is
better, so I'll use netcat.

We connect to daytime, a service that returns the current time:

vm15:~# netcat -u localhost 13
1
20 MAR 2008 18:32:01 CET
2
20 MAR 2008 18:32:04 CET


and over TCP:


vm15:~# netcat localhost 13
20 MAR 2008 18:33:04 CET


6,7,8:

Let's look at how a connection proceeds:


vm15:~# tshark >/tmp/dump &
[1] 14660
vm15:~# adns: /etc/resolv.conf:1: invalid nameserver address `2001:5c0:94c1::1'
device eth0 entered promiscuous mode
audit(1206035041.437:6): dev=eth0 prom=256 old_prom=0 auid=4294967295
Capturing on eth0
vm15:~# wget http://10.0.0.100/tcpip/firewall.png
--18:44:06-- http://10.0.0.100/tcpip/firewall.png
=> `firewall.png.1'
Connecting to 10.0.0.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21,058 (21K) [image/png]

100%[====================================>] 21,058 --.--K/s

18:44:06 (5.80 MB/s) - `firewall.png.1' saved [21058/21058]

vm15:~# pkill tshark
vm15:~# device eth0 left promiscuous mode
audit(1206035055.462:7): dev=eth0 prom=0 old_prom=256 auid=4294967295
53 packets captured
vm15:~# cat /tmp/dump
0.000000 0.0.0.0 -> 255.255.255.255 DHCP DHCP Discover - Transaction ID 0x2581fd52
1.852137 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [SYN] Seq=0 Len=0 MSS=1460 TSV=302385660 TSER=0 WS=3
1.854351 10.0.0.100 -> 10.1.0.15 TCP www > 4150 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=632812404 TSER=302385660 WS=4
1.854448 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=302385662 TSER=632812404
1.855179 10.1.0.15 -> 10.0.0.100 HTTP GET /tcpip/firewall.png HTTP/1.0
1.856249 10.0.0.100 -> 10.1.0.15 TCP www > 4150 [ACK] Seq=1 Ack=117 Win=5792 Len=0 TSV=632812404 TSER=302385663
1.857332 10.0.0.100 -> 10.1.0.15 TCP [TCP segment of a reassembled PDU]
1.857414 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=117 Ack=1449 Win=8736 Len=0 TSV=302385663 TSER=632812405
1.857432 10.0.0.100 -> 10.1.0.15 TCP [TCP segment of a reassembled PDU]
1.857451 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=117 Ack=2897 Win=11632 Len=0 TSV=302385663 TSER=632812405
1.857484 10.0.0.100 -> 10.1.0.15 TCP [TCP segment of a reassembled PDU]
1.857502 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=117 Ack=4345 Win=14528 Len=0 TSV=302385663 TSER=632812405
1.858795 10.0.0.100 -> 10.1.0.15 TCP [TCP segment of a reassembled PDU]
1.858859 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=117 Ack=5793 Win=17424 Len=0 TSV=302385663 TSER=632812405
1.858878 10.0.0.100 -> 10.1.0.15 TCP [TCP segment of a reassembled PDU]
1.858900 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=117 Ack=7241 Win=20320 Len=0 TSV=302385663 TSER=632812405
1.858908 10.0.0.100 -> 10.1.0.15 TCP [TCP segment of a reassembled PDU]
1.858924 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=117 Ack=8689 Win=23216 Len=0 TSV=302385663 TSER=632812405
1.858930 10.0.0.100 -> 10.1.0.15 TCP [TCP segment of a reassembled PDU]
1.858943 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=117 Ack=10137 Win=26112 Len=0 TSV=302385663 TSER=632812405
1.858949 10.0.0.100 -> 10.1.0.15 TCP [TCP segment of a reassembled PDU]
1.858975 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=117 Ack=11585 Win=29008 Len=0 TSV=302385663 TSER=632812405
1.858981 10.0.0.100 -> 10.1.0.15 TCP [TCP segment of a reassembled PDU]
1.858995 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=117 Ack=13033 Win=31904 Len=0 TSV=302385663 TSER=632812405
1.861236 10.0.0.100 -> 10.1.0.15 TCP [TCP segment of a reassembled PDU]
1.861310 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=117 Ack=14481 Win=34800 Len=0 TSV=302385663 TSER=632812406
1.861334 10.0.0.100 -> 10.1.0.15 TCP [TCP segment of a reassembled PDU]
1.861349 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=117 Ack=15929 Win=37696 Len=0 TSV=302385663 TSER=632812406
1.861357 10.0.0.100 -> 10.1.0.15 TCP [TCP segment of a reassembled PDU]
1.861372 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=117 Ack=17377 Win=40592 Len=0 TSV=302385663 TSER=632812406
1.861377 10.0.0.100 -> 10.1.0.15 TCP [TCP segment of a reassembled PDU]
1.861390 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=117 Ack=18825 Win=43488 Len=0 TSV=302385663 TSER=632812406
1.861396 10.0.0.100 -> 10.1.0.15 TCP [TCP segment of a reassembled PDU]
1.861410 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=117 Ack=20273 Win=46384 Len=0 TSV=302385663 TSER=632812406
1.861415 10.0.0.100 -> 10.1.0.15 HTTP HTTP/1.1 200 OK (PNG)
1.861428 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [ACK] Seq=117 Ack=21311 Win=49280 Len=0 TSV=302385663 TSER=632812406
1.861434 10.0.0.100 -> 10.1.0.15 TCP www > 4150 [FIN, ACK] Seq=21311 Ack=117 Win=5792 Len=0 TSV=632812406 TSER=302385663
1.864679 10.1.0.15 -> 10.0.0.100 TCP 4150 > www [FIN, ACK] Seq=117 Ack=21312 Win=49280 Len=0 TSV=302385665 TSER=632812406
1.867147 10.0.0.100 -> 10.1.0.15 TCP www > 4150 [ACK] Seq=21312 Ack=118 Win=5792 Len=0 TSV=632812407 TSER=302385665
4.432056 fe80::216:3eff:fe00:199 -> ff02::1 ICMPv6 Router advertisement
4.987530 0.0.0.0 -> 255.255.255.255 DHCP DHCP Discover - Transaction ID 0x2581fd52
5.559465 10.1.0.11 -> 224.0.0.5 OSPF Hello Packet
5.562169 10.1.0.19 -> 224.0.0.5 OSPF Hello Packet
5.575656 10.1.0.9 -> 224.0.0.5 OSPF Hello Packet
5.578740 10.1.0.1 -> 224.0.0.5 OSPF Hello Packet
5.596916 10.1.0.3 -> 224.0.0.5 OSPF Hello Packet
5.596970 10.1.0.100 -> 224.0.0.5 OSPF Hello Packet
5.604864 10.1.0.25 -> 224.0.0.5 OSPF Hello Packet
5.610941 10.1.0.15 -> 224.0.0.5 OSPF Hello Packet
5.619775 10.1.0.99 -> 224.0.0.5 OSPF Hello Packet
5.625787 10.1.0.17 -> 224.0.0.5 OSPF Hello Packet
5.630497 10.1.0.7 -> 224.0.0.5 OSPF Hello Packet
5.642481 10.1.0.5 -> 224.0.0.5 OSPF Hello Packet


9: we scan the router for its OS version:


vm15:~# nmap -O 10.0.0.100

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-03-20 18:52 CET
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled.
Try using --system-dns or specify valid servers with --dns_servers
Interesting ports on 10.0.0.100:
Not shown: 1676 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.0 - 2.5.20, Linux 2.4.7 - 2.6.11

Nmap finished: 1 IP address (1 host up) scanned in 2.748 seconds



Thu Mar 27 17:20:27 CET 2008




vm15:~# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:echo *:* LISTEN
tcp 0 0 *:discard *:* LISTEN
tcp 0 0 localhost:zebra *:* LISTEN
tcp 0 0 localhost:ospfd *:* LISTEN
tcp 0 0 *:daytime *:* LISTEN
tcp 0 0 vm15.seminar:domain *:* LISTEN
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 localhost:953 *:* LISTEN
tcp6 0 0 *:www *:* LISTEN
tcp6 0 0 *:domain *:* LISTEN
tcp6 0 0 ip6-localhost:953 *:* LISTEN
udp 0 0 *:1024 *:*
udp 0 0 *:echo *:*
udp 0 0 *:discard *:*
udp 0 0 *:daytime *:*
udp 0 0 vm15.seminar:domain *:*
udp 0 0 localhost:domain *:*
udp 0 0 *:bootpc *:*
udp6 0 0 *:1025 *:*
udp6 0 0 *:domain *:*
raw 0 0 *:ospf *:* 7
raw6 15344 0 *:ipv6-icmp *:* 7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 2933 /var/run/quagga/zserv.api
unix 2 [ ACC ] STREAM LISTENING 2940 /var/run/quagga/zebra.vty
unix 2 [ ACC ] STREAM LISTENING 2952 /var/run/quagga/ospfd.vty


14:


vm15:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


16:


vm15:~# iptables -A INPUT -p tcp --dport daytime -j DROP
vm15:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:daytime

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
vm15:~# nc localhost daytime



...nc of course did nothing here

we delete it and replace it with reject:

vm15:~# iptables -D INPUT -p tcp --dport daytime -j DROP
vm15:~# iptables -A INPUT -p tcp --dport daytime -j REJECT
vm15:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:daytime reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
vm15:~# nc localhost daytime

localhost [127.0.0.1] 13 (daytime) : Connection refused


If we wanted to block everything, we would just leave out the port information.
But then not even ssh would work, because although it is "outgoing", it of
course also needs incoming communication... - good to try it out with tcpdump,
for example :)

18:

now we block incoming connections except those already established, so ssh
starts working for us, but anything else coming purely from outside does not:


vm15:~# iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (1088 buckets, 8704 max) - 224 bytes per conntrack
vm15:~# iptables -A INPUT -p tcp -j DROP
vm15:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:daytime
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
vm15:~# ssh urtax.ms.mff.cuni.cz
The authenticity of host 'urtax.ms.mff.cuni.cz (195.113.20.119)' can't be established.
RSA key fingerprint is 88:c0:0b:d3:9f:8e:d6:5a:5a:9b:90:35:60:f0:32:a5.
Are you sure you want to continue connecting (yes/no)?
...
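A model of the chain above, added here and not part of the notes: first-match rule evaluation plus the conntrack lookup behind `-m state`, which is why the reply to our own outgoing ssh is accepted while a fresh inbound SYN to port 22 is dropped. It also shows a caveat visible in the `netstat -l` output earlier: all three rules say `-p tcp`, so the UDP daytime listener is still reachable. This is a simulation for reasoning about rule order, not iptables; `InputChain`, the rule list and the 10.1.0.77 peer are my own constructions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    proto: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[Set[str]] = None   # what `-m state --state ...` would match
    target: str = "ACCEPT"


class InputChain:
    """First-match walk of an INPUT chain plus the conntrack lookup behind `-m state`:
    a packet that reverses the 5-tuple of a connection this host opened is ESTABLISHED."""

    def __init__(self, rules: List[Rule], policy: str = "ACCEPT"):
        self.rules, self.policy = rules, policy
        self.conntrack: Set[Tuple[str, str, int, str, int]] = set()

    def outbound(self, p: Packet) -> None:
        # OUTPUT has policy ACCEPT in the notes, so every outgoing packet leaves a conntrack entry
        self.conntrack.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def _state(self, p: Packet) -> str:
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return "ESTABLISHED"
        return "NEW"

    def inbound(self, p: Packet) -> str:
        state = self._state(p)
        for r in self.rules:
            if r.proto is not None and r.proto != p.proto:
                continue
            if r.dport is not None and r.dport != p.dport:
                continue
            if r.state is not None and state not in r.state:
                continue
            return r.target          # first match wins; later rules are never consulted
        return self.policy


# The INPUT chain from `iptables -L` above, in the order the three rules were appended.
SEMINAR_INPUT = [
    Rule(proto="tcp", dport=13, target="DROP"),                            # tcp dpt:daytime
    Rule(proto="tcp", state={"RELATED", "ESTABLISHED"}, target="ACCEPT"),
    Rule(proto="tcp", target="DROP"),
]


def walk_through() -> dict:
    """Replay the situations discussed in the notes and return the verdict for each."""
    fw = InputChain(SEMINAR_INPUT)
    us, urtax, peer = "10.1.0.15", "195.113.20.119", "10.1.0.77"   # peer 10.1.0.77 is constructed
    fw.outbound(Packet("tcp", us, 40000, urtax, 22))                  # our ssh to urtax (port 40000 constructed)
    return {
        "ssh_reply": fw.inbound(Packet("tcp", urtax, 22, us, 40000)),   # reply: ESTABLISHED -> rule 2 ACCEPT
        "daytime": fw.inbound(Packet("tcp", peer, 5555, us, 13)),       # rule 1 -> DROP (nc just hangs)
        "inbound_ssh": fw.inbound(Packet("tcp", peer, 5556, us, 22)),   # NEW, falls through to rule 3 -> DROP
        "icmp": fw.inbound(Packet("icmp", peer, 0, us, 0)),             # no tcp rule matches -> policy ACCEPT
        "udp_daytime": fw.inbound(Packet("udp", peer, 5557, us, 13)),   # chain is tcp-only: UDP daytime still answers
    }


if __name__ == "__main__":
    for name, verdict in walk_through().items():
        print(f"{name:12s} {verdict}")
```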


HTTP



5:

vm15:~# nc www.google.com 80
GET / HTTP/1.0

HTTP/1.0 302 Found
Location: http://www.google.cz/
Cache-Control: private
Set-Cookie: PREF=ID=896ed3e96761f7c1:TM=1206639248:LM=1206639248:S=-Vvh42c1MoDaHfat; expires=Sat, 27-Mar-2010 17:34:08 GMT; path=/; domain=.google.com
Content-Type: text/html
Server: gws
Content-Length: 218
Date: Thu, 27 Mar 2008 17:34:08 GMT
Connection: Close

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<h1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.cz/">here</A>.
</BODY></HTML>
vm15:~# wget -S http://www.google.com
--18:41:39-- http://www.google.com/
=> `index.html.1'
Resolving www.google.com... 66.249.91.147, 66.249.91.99, 66.249.91.103, ...
Connecting to www.google.com|66.249.91.147|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.0 302 Found
Location: http://www.google.cz/
Cache-Control: private
Set-Cookie: PREF=ID=4b80fcef6e783fd3:TM=1206639699:LM=1206639699:S=m6-DJhcgsJes4CcX; expires=Sat, 27-Mar-2010 17:41:39 GMT; path=/; domain=.google.com
Content-Type: text/html
Server: gws
Content-Length: 218
Date: Thu, 27 Mar 2008 17:41:39 GMT
Connection: Keep-Alive
Location: http://www.google.cz/ [following]
--18:41:39-- http://www.google.cz/
=> `index.html.1'
Resolving www.google.cz... 66.249.91.104, 66.249.91.147, 66.249.91.99, ...
Reusing existing connection to www.google.com:80.
HTTP request sent, awaiting response...
HTTP/1.0 200 OK
Cache-Control: private
Content-Type: text/html; charset=ISO-8859-2
Set-Cookie: PREF=ID=ec80351da085837a:TM=1206639699:LM=1206639699:S=-cL0R5F9l4xGLV3x; expires=Sat, 27-Mar-2010 17:41:39 GMT; path=/; domain=.google.cz
Server: gws
Date: Thu, 27 Mar 2008 17:41:39 GMT
Connection: Close
Length: unspecified [text/html]

[ <=> ] 5,757 --.--K/s

18:41:39 (283.31 KB/s) - `index.html.1' saved [5757]
vm15:~# cat ./index.html
<html><head>...


Thu Apr 3 17:19:18 CEST 2008



9:
we start apache and check that it works:

vm15:~# /etc/init.d/apache2 start
vm15:~# echo ":)" > /var/www/index.html
vm15:~# wget http://localhost
--17:27:29-- http://localhost/
=> `index.html.2'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3 [text/html]

100%[====================================>] 3 --.--K/s

17:27:29 (97.66 KB/s) - `index.html.2' saved [3/3]

vm15:~# cat index.html
:)


we set up dns so that we can also ask by name, not just by number:


vm15:~# cat /etc/bind/db.vm15
;
; BIND data file for local loopback interface
;
$TTL 3D
@ IN SOA vm15.seminar. root.seminar. (
2008030602 ; Serial
8H ; Refresh
2D ; Retry
4W ; Expire
1D ) ; Negative Cache TTL
NS ns
MX 20 mail
ns A 10.0.0.115
www A 10.0.0.115
mail A 10.0.0.115
ns AAAA 2001:5c0:94c1:1::15
vm15:~# /etc/init.d/bind9 restart
Stopping domain name service...: bind.
Starting domain name service...: bind.
vm15:~# wget http://www.vm15.seminar.
--17:36:09-- http://www.vm15.seminar./
=> `index.html.1'
Resolving www.vm15.seminar.... 10.0.0.115
Connecting to www.vm15.seminar.|10.0.0.115|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3 [text/html]

100%[====================================>] 3 --.--K/s

17:36:09 (146.48 KB/s) - `index.html.1' saved [3/3]

vm15:~# cat index.html.1
:)


10, 11:



vm15:/var/www# mkdir auth
vm15:/var/www# # the directory we will protect with a username and password
vm15:/var/www# cd ./auth/
vm15:/var/www/auth# echo "tajne" > secret.html
vm15:/var/www/auth# htpasswd -c ./overovani uzivatel
New password:
Re-type new password:
Adding password for user uzivatel
vm15:/var/www/auth# vim ./.htaccess
vm15:/var/www/auth# cat ./.htaccess
AuthType Basic
AuthName "uzivatel (realm)"
AuthUserFile /var/www/auth/secret.html
Require valid-user
vm15:/var/www/auth# wget http://localhost/auth/secret.html
--17:55:33-- http://localhost/auth/secret.html
=> `secret.html.1'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 401 Authorization Required
Authorization failed.


well, and after we entered


vm15:/var/www/auth# wget -d --http-user uzivatel --http-password heslo http://localhost/auth/secret.html


it should in theory have worked, but for me alone it didn't, who knows why;
anyway there wasn't much time to look into it :)
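Two things stand out in the session above: the `.htaccess` names `secret.html`, the page being protected, as `AuthUserFile`, where Apache expects the `overovani` file that `htpasswd -c` wrote, and that password file sits inside `/var/www`. As an added example (my own code, not from the seminar), what `--http-user`/`--http-password` actually puts on the wire, and a small lint for those two mistakes; the `/etc/apache2/overovani` path and the hash values are constructed placeholders.

```python
import base64
from pathlib import PurePosixPath
from typing import Dict, List, Tuple


def basic_auth_header(user: str, password: str) -> str:
    """What wget --http-user/--http-password (or a browser) sends once it has seen the 401."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic_auth(header: str) -> Tuple[str, str]:
    """The reverse: Basic auth is encoding, not encryption, which is why it belongs under TLS."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def looks_like_htpasswd(content: str) -> bool:
    lines = [l for l in content.splitlines() if l.strip()]
    return bool(lines) and all(":" in l and l.split(":", 1)[1] for l in lines)


def lint_htaccess(htaccess: str, document_root: str, files: Dict[str, str]) -> List[str]:
    """Checks for the mistakes that keep a 401 from ever turning into a 200.
    `files` stands in for the filesystem (path -> content)."""
    directives = {}
    for line in htaccess.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            directives[name] = value.strip()
    findings = []
    if directives.get("AuthType") != "Basic":
        findings.append("AuthType Basic missing")
    if "Require" not in directives:
        findings.append("Require missing: nobody is allowed in")
    user_file = directives.get("AuthUserFile")
    if not user_file:
        findings.append("AuthUserFile missing")
    else:
        if user_file not in files:
            findings.append(f"AuthUserFile {user_file} does not exist")
        elif not looks_like_htpasswd(files[user_file]):
            findings.append(f"AuthUserFile {user_file} is not in htpasswd user:hash format")
        if PurePosixPath(document_root) in PurePosixPath(user_file).parents:
            findings.append(f"AuthUserFile {user_file} lies under DocumentRoot and could be served")
    return findings


# Constructed filesystem: the files created in the session above; hash values are placeholders.
FILES = {
    "/var/www/auth/secret.html": "tajne\n",
    "/var/www/auth/overovani": "uzivatel:$apr1$PLACEHOLDER$placeholderhash000000000\n",
    "/etc/apache2/overovani": "uzivatel:$apr1$PLACEHOLDER$placeholderhash000000000\n",
}

SEMINAR_HTACCESS = """\
AuthType Basic
AuthName "uzivatel (realm)"
AuthUserFile /var/www/auth/secret.html
Require valid-user
"""

FIXED_HTACCESS = """\
AuthType Basic
AuthName "uzivatel (realm)"
AuthUserFile /etc/apache2/overovani
Require valid-user
"""

if __name__ == "__main__":
    print(basic_auth_header("uzivatel", "heslo"))
    print(lint_htaccess(SEMINAR_HTACCESS, "/var/www", FILES))
    print(lint_htaccess(FIXED_HTACCESS, "/var/www", FILES))
```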

12:


vm15:/var/www# vim /etc/bind/db.vm15
vm15:/var/www# cat /etc/bind/db.vm15
;
; BIND data file for local loopback interface
;
$TTL 3D
@ IN SOA vm15.seminar. root.seminar. (
2008030603 ; Serial
8H ; Refresh
2D ; Retry
4W ; Expire
1D ) ; Negative Cache TTL
NS ns
MX 20 mail
ns A 10.0.0.115
www A 10.0.0.115
mail A 10.0.0.115
ns AAAA 2001:5c0:94c1:1::15

www2 IN CNAME www
vm15:/var/www# vim /etc/apache2/sites-enabled/test-config
vm15:/var/www# cat /etc/apache2/sites-enabled/test-config
NameVirtualHost 10.0.0.115:80
<VirtualHost 10.0.0.115:80>
ServerName www.vm15.seminar
DocumentRoot /var/www/www
</VirtualHost>

<VirtualHost 10.0.0.115:80>
ServerName www2.vm15.seminar
DocumentRoot /var/www/www2
</VirtualHost>

vm15:/var/www# mkdir www
vm15:/var/www# mkdir www2
vm15:/var/www# echo "1" > www/index.html
vm15:/var/www# echo "2" > www2/index.html
vm15:/var/www# a2dissite default
Site default disabled; run /etc/init.d/apache2 reload to fully disable.
vm15:/var/www# /etc/init.d/bind9 restart
Stopping domain name service...: bind.
Starting domain name service...: bind.
vm15:/var/www# /etc/init.d/apache2 restart
Forcing reload of web server (apache2)...apache2: apr_sockaddr_info_get() failed for vm15
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
apache2: apr_sockaddr_info_get() failed for vm15
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
.
vm15:/var/www# wget http://www2.vm15.seminar/
--18:22:05-- http://www2.vm15.seminar/
=> `index.html.1'
Resolving www2.vm15.seminar... 10.0.0.115
Connecting to www2.vm15.seminar|10.0.0.115|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2 [text/html]

100%[====================================>] 2 --.--K/s

18:22:05 (75.12 KB/s) - `index.html.1' saved [2/2]

vm15:/var/www# cat index.html.1
2
vm15:/var/www# wget http://www.vm15.seminar/
--18:22:27-- http://www.vm15.seminar/
=> `index.html.2'
Resolving www.vm15.seminar... 10.0.0.115
Connecting to www.vm15.seminar|10.0.0.115|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2 [text/html]

100%[====================================>] 2 --.--K/s

18:22:27 (88.78 KB/s) - `index.html.2' saved [2/2]

vm15:/var/www# cat index.html.2
1


it works :)

SSL, IPSec



9:



vm15:~# openssl req -new -nodes -out cert.csr -keyout cert.key
Generating a 1024 bit RSA private key
................++++++
.....++++++
writing new private key to 'cert.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cz
State or Province Name (full name) [Some-State]:Czech Republic
Locality Name (eg, city) []:Prague
Organization Name (eg, company) [Internet Widgits Pty Ltd]:s0cketky spolecnost
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.vm15.seminar
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
vm15:~# ls
cert.csr cert.key
vm15:~# less cert.key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
vm15:~# less cert.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
vm15:~# openssl rsa -text -in cert.key
Private-Key: (1024 bit)
modulus:
00:a8:2a:14:14:6b:5a:1f:7c:3e:a4:0f:ff:5b:3f:
...
publicExponent: 65537 (0x10001)
privateExponent:
12:55:6c:15:01:d3:34:85:8e:2a:c2:d7:bb:32:04:
...
...
vm15:~# openssl req -text -in cert.csr
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=cz, ST=Czech Republic, L=Prague, O=s0cketky spolecnost, CN=www.vm15.seminar
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:a8:2a:14:14:6b:5a:1f:7c:3e:a4:0f:ff:5b:3f:
...
vm15:~# openssl x509 -req -in cert.csr -signkey cert.key -out cert.crt
Signature ok
subject=/C=cz/ST=Czech Republic/L=Prague/O=s0cketky spolecnost/CN=www.vm15.seminar
Getting Private key
vm15:~# openssl x509 -text -in cert.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
95:26:08:dd:dc:db:d2:94
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cz, ST=Czech Republic, L=Prague, O=s0cketky spolecnost, CN=www.vm15.seminar
...


13 and 14 from the previous chapter:

let's try to get ssl working for the web:


vm15:~# vim /etc/apache2/sites-enabled/test-config
vm15:~# cat /etc/apache2/sites-enabled/test-config
NameVirtualHost 10.0.0.115:443
Listen 10.0.0.115:443

<VirtualHost 10.0.0.115:443>
ServerName www.vm15.seminar
DocumentRoot /var/www/www
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>


Thu Apr 10 17:17:11 CEST 2008



HTTPS, slides 13 and 14 (net6.pdf):


vm15:~# cat /etc/apache2/sites-enabled/test-config
NameVirtualHost 10.0.0.115:443
Listen 10.0.0.115:443

<VirtualHost 10.0.0.115:443>
ServerName www.vm15.seminar
DocumentRoot /var/www/www
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>
vm15:~# mkdir /etc/apache2/ssl
vm15:~# cat cert.crt cert.key > /etc/apache2/ssl/apache.pem
vm15:~# a2enmod ssl
Module ssl installed; run /etc/init.d/apache2 force-reload to enable.
vm15:~# /etc/init.d/apache2 restart
Forcing reload of web server (apache2)...apache2: apr_sockaddr_info_get() failed for vm15
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
waiting apache2: apr_sockaddr_info_get() failed for vm15
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
.
vm15:~# openssl s_client -connect 10.0.0.115:443 | less
CONNECTED(00000003)
---
Certificate chain
0 s:/C=cz/ST=Czech Republic/L=Prague/O=s0cketky spolecnost/CN=www.vm15.seminar
i:/C=cz/ST=Czech Republic/L=Prague/O=s0cketky spolecnost/CN=www.vm15.seminar
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=cz/ST=Czech Republic/L=Prague/O=s0cketky spolecnost/CN=www.vm15.seminar
issuer=/C=cz/ST=Czech Republic/L=Prague/O=s0cketky spolecnost/CN=www.vm15.seminar
---
No client certificate CA names sent
---
SSL handshake has read 1167 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 7F7A32BABB154BD32C22AFA9A1BD03B66E5E9F2CF495041DF6C87E6E99B623DC
Session-ID-ctx:
Master-Key: D2C36EEA73722EF77650E1E39BBD7E0B3199C5324BBFE32754D443016D5584CE
0DAAB545CE93E4A48EE4C3C5829E85DF
Key-Arg : None
Start Time: 1207841259
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
vm15:~# openssl s_client -connect is.mff.cuni.cz:443 | less
CONNECTED(00000003)
---
Certificate chain
0 s:/C=CZ/O=Charles University in Prague/CN=is.mff.cuni.cz
i:/C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
1 s:/C=CZ/ST=Czech Republic/L=Prague/O=Charles University in Prague/OU=PSiK MFF UK/CN=is.mff.cuni.cz/emailAddress=www@mff.cuni.cz
i:/C=CZ/ST=Czech Republic/L=Prague/O=Charles University in Prague/OU=PSiK MFF UK/CN=is.mff.cuni.cz/emailAddress=www@mff.cuni.cz
2 s:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
3 s:/C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CZ/O=Charles University in Prague/CN=is.mff.cuni.cz
issuer=/C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
---
No client certificate CA names sent
---
SSL handshake has read 4253 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 4B4E3C820E1D28032B1B490BE02538B145D13ADD31FD40AA9D34DAEFA20EC93E
Session-ID-ctx:
Master-Key: B0B5F38EED2B7CBBB4F47C3751CB76BF5412DDE565580A88F78ECF3C29F58492
FEABAF3E640E0C5014147D13B9D933C2
Key-Arg : None
Start Time: 1207841631
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
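The two `Verify return code` lines above differ only in where the self-signed certificate sits: at depth 0 (our own cert, code 18) or higher up a chain whose root is not in the trust store (code 19); in both cases s_client still completes the handshake, it only reports the failure. As an added example that is not part of the notes, a name-only model of that path building over the `Certificate chain` lines s_client prints, which also shows code 20 for an issuer that is neither in the chain nor trusted (the situation after signing with a private CA whose certificate the client has not installed). It compares subject and issuer strings and checks no signatures; `parse_chain`, `build_path`, `verify_code` and the CA-signed sample chain are my own constructions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: the "Certificate chain" blocks printed by the two s_client
# runs above, with the terminal line wraps joined.
VM15_CHAIN = """\
Certificate chain
 0 s:/C=cz/ST=Czech Republic/L=Prague/O=s0cketky spolecnost/CN=www.vm15.seminar
   i:/C=cz/ST=Czech Republic/L=Prague/O=s0cketky spolecnost/CN=www.vm15.seminar
---
"""
MFF_CHAIN = """\
Certificate chain
 0 s:/C=CZ/O=Charles University in Prague/CN=is.mff.cuni.cz
   i:/C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
 1 s:/C=CZ/ST=Czech Republic/L=Prague/O=Charles University in Prague/OU=PSiK MFF UK/CN=is.mff.cuni.cz/emailAddress=www@mff.cuni.cz
   i:/C=CZ/ST=Czech Republic/L=Prague/O=Charles University in Prague/OU=PSiK MFF UK/CN=is.mff.cuni.cz/emailAddress=www@mff.cuni.cz
 2 s:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
 3 s:/C=BE/O=Cybertrust/OU=Educational CA/CN=Cybertrust Educational CA
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
"""
GTE_ROOT = "/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root"

# Constructed: what the server chain looks like once cert.csr is signed by the private CA
# "s0cketka" and the server sends only its own certificate.
OWN_CA = "/C=cz/ST=czech republic/O=s0cketky company/CN=s0cketka"
CA_SIGNED_CHAIN = [("/C=cz/ST=Czech Republic/L=Prague/O=s0cketky spolecnost/CN=www.vm15.seminar", OWN_CA)]

# OpenSSL X509_V_ERR_* values as printed after "Verify return code:"
V_OK, V_DEPTH_ZERO_SELF_SIGNED, V_SELF_SIGNED_IN_CHAIN, V_NO_LOCAL_ISSUER = 0, 18, 19, 20

Cert = Tuple[str, str]   # (subject, issuer) as s_client prints them


def parse_chain(text: str) -> List[Cert]:
    """Return the (subject, issuer) pairs in the order the server sent them (depth 0 first)."""
    certs: List[Cert] = []
    subject = None
    for line in text.splitlines():
        m = re.match(r"^\s*\d+ s:(.*)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"^\s*i:(.*)$", line)
        if m and subject is not None:
            certs.append((subject, m.group(1).strip()))
            subject = None
    if not certs:
        raise ValueError("no certificate chain found")
    return certs


def build_path(chain: List[Cert]) -> Tuple[List[Cert], bool]:
    """Follow issuer -> subject links from the leaf through the certificates the server sent.
    Stops at a self-signed certificate (returns True) or when the issuer is not in the chain."""
    by_subject: Dict[str, Cert] = {}
    for cert in chain:
        by_subject.setdefault(cert[0], cert)
    path = [chain[0]]
    seen = {chain[0][0]}
    while True:
        subject, issuer = path[-1]
        if subject == issuer:
            return path, True
        nxt = by_subject.get(issuer)
        if nxt is None or nxt[0] in seen:   # missing issuer, or a loop of names
            return path, False
        seen.add(nxt[0])
        path.append(nxt)


def verify_code(chain: List[Cert], trusted: Set[str]) -> int:
    """The code s_client would print for this chain given the subjects in the trust store.
    Simplified: a trust anchor is recognised only at the top of the path, and nothing is
    checked cryptographically."""
    path, ends_self_signed = build_path(chain)
    top_subject, top_issuer = path[-1]
    if top_subject in trusted or (not ends_self_signed and top_issuer in trusted):
        return V_OK
    if ends_self_signed:
        return V_DEPTH_ZERO_SELF_SIGNED if len(path) == 1 else V_SELF_SIGNED_IN_CHAIN
    return V_NO_LOCAL_ISSUER


if __name__ == "__main__":
    print("vm15:", verify_code(parse_chain(VM15_CHAIN), set()))
    print("is.mff:", verify_code(parse_chain(MFF_CHAIN), set()), "->", verify_code(parse_chain(MFF_CHAIN), {GTE_ROOT}))
    print("CA-signed:", verify_code(CA_SIGNED_CHAIN, set()), "->", verify_code(CA_SIGNED_CHAIN, {OWN_CA}))
```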



14:


vm15:~# tcpdump >/tmp/dump 2>&1 &
[1] 9643
vm15:~# device eth0 entered promiscuous mode
audit(1207841888.039:2): dev=eth0 prom=256 old_prom=0 auid=4294967295

vm15:~# openssl s_client -connect is.mff.cuni.cz:443
...
vm15:~# fg
tcpdump >/tmp/dump 2>&1
device eth0 left promiscuous mode
audit(1207841932.189:3): dev=eth0 prom=0 old_prom=256 auid=4294967295
vm15:~# less /tmp/dump

aha, the contents of the packets aren't visible there, that would have to be done
in more detail, so never mind :)

10 (net7.pdf):


vm15:~# cd /usr/lib/ssl/
vm15:/usr/lib/ssl# misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.................++++++
...++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:czech republic
Locality Name (eg, city) []:prague
Organization Name (eg, company) [Internet Widgits Pty Ltd]:s0cketky company
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:s0cketka
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
9682:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Apr 10 15:53:11 2008 GMT
Not After : Apr 10 15:53:11 2011 GMT
Subject:
countryName = cz
stateOrProvinceName = czech republic
organizationName = s0cketky company
commonName = s0cketka
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9F:95:26:55:AE:43:FB:71:F3:3D:D2:CE:D8:A4:25:38:F7:E3:00:FA
X509v3 Authority Key Identifier:
keyid:9F:95:26:55:AE:43:FB:71:F3:3D:D2:CE:D8:A4:25:38:F7:E3:00:FA

Certificate is to be certified until Apr 10 15:53:11 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

vm15:/usr/lib/ssl# cp /root/cert.csr newreq.pem
vm15:/usr/lib/ssl# misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 10 15:57:56 2008 GMT
Not After : Apr 10 15:57:56 2009 GMT
Subject:
countryName = cz
stateOrProvinceName = Czech Republic
localityName = Prague
organizationName = s0cketky spolecnost
commonName = www.vm15.seminar
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
55:CF:C1:A5:00:5D:7A:06:1F:F5:20:05:BA:73:52:1D:C2:D2:F2:99
X509v3 Authority Key Identifier:
keyid:9F:95:26:55:AE:43:FB:71:F3:3D:D2:CE:D8:A4:25:38:F7:E3:00:FA

Certificate is to be certified until Apr 10 15:57:56 2009 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cz, ST=czech republic, O=s0cketky company, CN=s0cketka
Validity
Not Before: Apr 10 15:57:56 2008 GMT
Not After : Apr 10 15:57:56 2009 GMT
Subject: C=cz, ST=Czech Republic, L=Prague, O=s0cketky spolecnost, CN=www.vm15.seminar
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:a8:2a:14:14:6b:5a:1f:7c:3e:a4:0f:ff:5b:3f:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
55:CF:C1:A5:00:5D:7A:06:1F:F5:20:05:BA:73:52:1D:C2:D2:F2:99
X509v3 Authority Key Identifier:
keyid:9F:95:26:55:AE:43:FB:71:F3:3D:D2:CE:D8:A4:25:38:F7:E3:00:FA

Signature Algorithm: sha1WithRSAEncryption
a8:c5:85:53:37:86:6d:38:93:16:45:53:c7:d6:ab:e8:be:87:
95:34:cc:6f:e6:a7:73:30:af:50:3b:bd:0b:3b:b2:99:ef:80:
3b:f9:c5:bb:4b:1d:c1:12:83:f1:38:4f:67:b3:75:6e:ef:4b:
3a:d2:d6:73:ea:15:22:08:56:14:3d:ee:73:e4:19:d3:d5:ba:
5c:3e:9a:04:bb:0a:7e:c4:af:c3:71:ae:48:1d:a2:96:9f:5b:
51:07:7a:1e:9f:aa:4f:0b:9a:8e:21:f8:87:0e:57:93:30:af:
b3:99:da:6e:21:b0:05:02:f4:dc:d0:24:e4:06:8e:cf:12:64:
8a:df
-----BEGIN CERTIFICATE-----
(PEM body identical to the one shown under newcert.pem below)
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
vm15:/usr/lib/ssl# less newcert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cz, ST=czech republic, O=s0cketky company, CN=s0cketka
Validity
Not Before: Apr 10 15:57:56 2008 GMT
Not After : Apr 10 15:57:56 2009 GMT
Subject: C=cz, ST=Czech Republic, L=Prague, O=s0cketky spolecnost, CN=www.vm15.seminar
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:a8:2a:14:14:6b:5a:1f:7c:3e:a4:0f:ff:5b:3f:
82:3f:7c:01:7d:ae:a5:93:71:1a:8e:73:d9:b6:c7:
76:25:09:04:50:3e:43:1c:9c:fc:00:19:4e:ab:76:
2f:5a:71:8a:23:60:c6:ab:c3:a3:b4:2d:3f:e7:76:
c1:68:ec:3c:d6:33:1d:ca:bf:31:00:e7:54:ad:21:
57:be:3e:ec:d3:bc:cd:c8:36:e3:80:1f:c5:a6:b2:
3c:84:10:15:6b:fd:b2:e9:92:90:b0:1b:25:fc:90:
09:e0:81:7d:31:6f:95:f5:27:51:20:c1:21:9a:4f:
cf:13:1d:d6:88:55:d8:76:a3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
55:CF:C1:A5:00:5D:7A:06:1F:F5:20:05:BA:73:52:1D:C2:D2:F2:99
X509v3 Authority Key Identifier:
keyid:9F:95:26:55:AE:43:FB:71:F3:3D:D2:CE:D8:A4:25:38:F7:E3:00:FA

Signature Algorithm: sha1WithRSAEncryption
a8:c5:85:53:37:86:6d:38:93:16:45:53:c7:d6:ab:e8:be:87:
95:34:cc:6f:e6:a7:73:30:af:50:3b:bd:0b:3b:b2:99:ef:80:
3b:f9:c5:bb:4b:1d:c1:12:83:f1:38:4f:67:b3:75:6e:ef:4b:
3a:d2:d6:73:ea:15:22:08:56:14:3d:ee:73:e4:19:d3:d5:ba:
5c:3e:9a:04:bb:0a:7e:c4:af:c3:71:ae:48:1d:a2:96:9f:5b:
51:07:7a:1e:9f:aa:4f:0b:9a:8e:21:f8:87:0e:57:93:30:af:
b3:99:da:6e:21:b0:05:02:f4:dc:d0:24:e4:06:8e:cf:12:64:
8a:df
-----BEGIN CERTIFICATE-----
MIICtTCCAh6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJjejEX
MBUGA1UECBMOY3plY2ggcmVwdWJsaWMxGTAXBgNVBAoTEHMwY2tldGt5IGNvbXBh
bnkxETAPBgNVBAMTCHMwY2tldGthMB4XDTA4MDQxMDE1NTc1NloXDTA5MDQxMDE1
NTc1NlowcDELMAkGA1UEBhMCY3oxFzAVBgNVBAgTDkN6ZWNoIFJlcHVibGljMQ8w
DQYDVQQHEwZQcmFndWUxHDAaBgNVBAoTE3MwY2tldGt5IHNwb2xlY25vc3QxGTAX
BgNVBAMTEHd3dy52bTE1LnNlbWluYXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAKgqFBRrWh98PqQP/1s/gj98AX2upZNxGo5z2bbHdiUJBFA+Qxyc/AAZTqt2
L1pxiiNgxqvDo7QtP+d2wWjsPNYzHcq/MQDnVK0hV74+7NO8zcg244AfxaayPIQQ
FWv9sumSkLAbJfyQCeCBfTFvlfUnUSDBIZpPzxMd1ohV2HajAgMBAAGjezB5MAkG
A1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRp
ZmljYXRlMB0GA1UdDgQWBBRVz8GlAF16Bh/1IAW6c1IdwtLymTAfBgNVHSMEGDAW
gBSflSZVrkP7cfM90s7YpCU49+MA+jANBgkqhkiG9w0BAQUFAAOBgQCoxYVTN4Zt
OJMWRVPH1qvovoeVNMxv5qdzMK9QO70LO7KZ74A7+cW7Sx3BEoPxOE9ns3Vu70s6
0tZz6hUiCFYUPe5z5BnT1bpcPpoEuwp+xK/Dca5IHaKWn1tRB3oen6pPC5qOIfiH
DleTMK+zmdpuIbAFAvTc0CTkBo7PEmSK3w==
-----END CERTIFICATE-----


now we hand the signed certificate to Apache


vm15:/usr/lib/ssl# cat /root/cert.key newcert.pem > /etc/apache2/ssl/apache.pem
vm15:/usr/lib/ssl# /etc/init.d/apache2 restart
Forcing reload of web server (apache2)...apache2: apr_sockaddr_info_get() failed for vm15
apache2: Could not reliably determine the server's fully qualified domain name,
using 127.0.0.1 for ServerName
httpd (no pid file) not running
apache2: apr_sockaddr_info_get() failed for vm15
apache2: Could not reliably determine the server's fully qualified domain name,
using 127.0.0.1 for ServerName
.
vm15:/usr/lib/ssl# openssl s_client -connect 10.0.0.115:443
CONNECTED(00000003)
---
Certificate chain
0 s:/C=cz/ST=Czech Republic/L=Prague/O=s0cketky spolecnost/CN=www.vm15.seminar
i:/C=cz/ST=czech republic/O=s0cketky company/CN=s0cketka
---
Server certificate
-----BEGIN CERTIFICATE-----
(PEM body identical to the one shown under newcert.pem above)
-----END CERTIFICATE-----
subject=/C=cz/ST=Czech Republic/L=Prague/O=s0cketky spolecnost/CN=www.vm15.seminar
issuer=/C=cz/ST=czech republic/O=s0cketky company/CN=s0cketka
---
No client certificate CA names sent
---
SSL handshake has read 1261 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 1834BFC9ABD548D163449C31FD640E63BA12AD452DF5C400C16E51FC599C0371
Session-ID-ctx:
Master-Key: 2A328C42BD7D5F99A780547D32F5390C979FFD044EA86072A5637D550AA07B8B
35DD14B3F6B7FB715B26CBB11473B17F
Key-Arg : None
Start Time: 1207843694
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---


but we are not a trusted certification authority, so this doesn't help us much
anyway :)
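The "Verify return code: 21 (unable to verify the first certificate)" above is the client side of exactly that: s_client has no reason to trust an issuer called s0cketka. As an added example (not part of the seminar notes), the Python below walks the DER of the newcert.pem printed above with a minimal TLV parser and applies the two cheapest checks a client makes before anything else, whether the issuer is in its trust store and whether the dates are in range. The signature check, which a real client also performs with the CA's public key, is deliberately left out and the code says so. Only the standard library is used. (The 1024-bit RSA key and sha1WithRSAEncryption visible in the dump would both be rejected by today's clients, independent of the trust question.)

```python
import base64
import datetime

# The server certificate exactly as it appears in newcert.pem above.
SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICtTCCAh6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJjejEX
MBUGA1UECBMOY3plY2ggcmVwdWJsaWMxGTAXBgNVBAoTEHMwY2tldGt5IGNvbXBh
bnkxETAPBgNVBAMTCHMwY2tldGthMB4XDTA4MDQxMDE1NTc1NloXDTA5MDQxMDE1
NTc1NlowcDELMAkGA1UEBhMCY3oxFzAVBgNVBAgTDkN6ZWNoIFJlcHVibGljMQ8w
DQYDVQQHEwZQcmFndWUxHDAaBgNVBAoTE3MwY2tldGt5IHNwb2xlY25vc3QxGTAX
BgNVBAMTEHd3dy52bTE1LnNlbWluYXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAKgqFBRrWh98PqQP/1s/gj98AX2upZNxGo5z2bbHdiUJBFA+Qxyc/AAZTqt2
L1pxiiNgxqvDo7QtP+d2wWjsPNYzHcq/MQDnVK0hV74+7NO8zcg244AfxaayPIQQ
FWv9sumSkLAbJfyQCeCBfTFvlfUnUSDBIZpPzxMd1ohV2HajAgMBAAGjezB5MAkG
A1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRp
ZmljYXRlMB0GA1UdDgQWBBRVz8GlAF16Bh/1IAW6c1IdwtLymTAfBgNVHSMEGDAW
gBSflSZVrkP7cfM90s7YpCU49+MA+jANBgkqhkiG9w0BAQUFAAOBgQCoxYVTN4Zt
OJMWRVPH1qvovoeVNMxv5qdzMK9QO70LO7KZ74A7+cW7Sx3BEoPxOE9ns3Vu70s6
0tZz6hUiCFYUPe5z5BnT1bpcPpoEuwp+xK/Dca5IHaKWn1tRB3oen6pPC5qOIfiH
DleTMK+zmdpuIbAFAvTc0CTkBo7PEmSK3w==
-----END CERTIFICATE-----"""

# Attribute type OIDs that occur in the Subject/Issuer names of this certificate.
OID_NAMES = {
    b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
    b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a SEQUENCE/SET into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _parse_name(value):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }."""
    parts = []
    for _, rdn in _children(value):
        for _, atv in _children(rdn):
            (_, oid), (_, text) = _children(atv)
            parts.append((OID_NAMES.get(oid, oid.hex()), text.decode("ascii")))
    return tuple(parts)


def _parse_utctime(value):
    """UTCTime is YYMMDDHHMMSSZ; strptime maps two-digit years below 69 to 20xx."""
    return datetime.datetime.strptime(value.decode("ascii"), "%y%m%d%H%M%SZ")


def parse_certificate(pem):
    """Return serial, issuer, subject and validity of a DER-encoded X.509 certificate."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, cert, _ = _read_tlv(der, 0)                  # Certificate SEQUENCE
    tbs = _children(_children(cert)[0][1])          # fields of tbsCertificate
    i = 1 if tbs[0][0] == 0xA0 else 0               # skip the explicit [0] version if present
    not_before, not_after = (_parse_utctime(t) for _, t in _children(tbs[i + 3][1]))
    return {
        "serial": int.from_bytes(tbs[i][1], "big"),
        "issuer": _parse_name(tbs[i + 2][1]),
        "not_before": not_before,
        "not_after": not_after,
        "subject": _parse_name(tbs[i + 4][1]),
    }


def check_certificate(cert, trusted_ca_names, now):
    """The two cheap checks a client makes before it even looks at the signature.

    Real verification also checks the signature with the CA's public key, the
    hostname against the subject, and the extensions; this example stops at the
    issuer name and the validity dates.
    """
    problems = []
    if cert["issuer"] not in trusted_ca_names:
        # This is the situation s_client reported above as verify return code 21.
        problems.append("issuer is not in the client's trust store")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("certificate is not valid at this time")
    return problems


if __name__ == "__main__":
    cert = parse_certificate(SERVER_CERT_PEM)
    print(dict(cert["subject"])["CN"], "issued by", dict(cert["issuer"])["CN"])
    print("empty trust store:", check_certificate(cert, set(), cert["not_before"]))
    print("CA trusted:      ", check_certificate(cert, {cert["issuer"]}, cert["not_before"]))
```

Running it prints the subject and issuer CNs from the dump above, one problem for an empty trust store and none once the s0cketka name is added, which is what importing demoCA/cacert.pem into the client's trust store achieves in practice.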

14,15 (net7.pdf):


vm15:~# setkey -DP
No SPD entries.
vm15:~# ping 10.0.0.100
... ok
vm15:~# vim /etc/ipsec-tools.conf
vm15:~# cat /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f

## Flush the SAD and SPD
#
flush;
spdflush;

add 10.0.0.100 10.0.0.115 esp 0x115 -E 3des-cbc "100000000000000000000001" -A hmac-md5 "1000000000000001";
add 10.0.0.115 10.0.0.100 esp 0x215 -E 3des-cbc "100000000000000000000001" -A hmac-md5 "1000000000000001";
spdadd 10.0.0.100 10.0.0.115 any -P in ipsec esp/transport//require;
spdadd 10.0.0.115 10.0.0.100 any -P out ipsec esp/transport//require;
vm15:~# /etc/ipsec-tools.conf
vm15:~# setkey -DP
10.0.0.100[any] 10.0.0.115[any] any
in ipsec
esp/transport//require
created: Apr 10 18:29:25 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=8 seq=2 pid=9897
refcnt=1
10.0.0.115[any] 10.0.0.100[any] any
out ipsec
esp/transport//require
created: Apr 10 18:29:25 2008 lastused: Apr 10 18:29:58 2008
lifetime: 0(s) validtime: 0(s)
spid=17 seq=1 pid=9897
refcnt=2
10.0.0.100[any] 10.0.0.115[any] any
fwd ipsec
esp/transport//require
created: Apr 10 18:29:25 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=10 seq=0 pid=9897
refcnt=1
vm15:~# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=64 time=1.36 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=64 time=0.696 ms

--- 10.0.0.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.696/1.030/1.364/0.334 ms
vm15:~# setkey -DP
10.0.0.100[any] 10.0.0.115[any] any
in ipsec
esp/transport//require
created: Apr 10 18:29:25 2008 lastused: Apr 10 18:31:04 2008
lifetime: 0(s) validtime: 0(s)
spid=8 seq=2 pid=9899
refcnt=3
10.0.0.115[any] 10.0.0.100[any] any
out ipsec
esp/transport//require
created: Apr 10 18:29:25 2008 lastused: Apr 10 18:31:03 2008
lifetime: 0(s) validtime: 0(s)
spid=17 seq=1 pid=9899
refcnt=3
10.0.0.100[any] 10.0.0.115[any] any
fwd ipsec
esp/transport//require
created: Apr 10 18:29:25 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=10 seq=0 pid=9899
refcnt=1


after the ping we can see that lastused has changed, and a tcpdump from the server
is running on the projector :) you can see there, for instance, that ESP is being used...

Thu Apr 17 17:23:13 CEST 2008



slides: net8.pdf

8:

vm15:~#lftp ftp://10.0.0.100
lftp 10.0.0.100:~> ls
drwxr-xr-x 2 0 0 4096 Apr 17 15:11 pub
lftp 10.0.0.100:/> cd pub
lftp 10.0.0.100:/pub> ls
-rw-r--r-- 1 0 0 1429 Apr 17 15:03 jama.txt
lftp 10.0.0.100:/pub> get jama.txt
1429 bytes transferred
lftp 10.0.0.100:/pub> quit


on the first console:

u2-6:~$ nc ftp.linux.cz 21
220 ProFTPD 1.3.0a Server (Faculty of Informatics) [::ffff:147.251.48.205]
USER anonymous
331 Anonymous login ok, send your complete email address as your password.
PASS email@server.cz
230-Hello, UNKNOWN at u2-6.ms.mff.cuni.cz!

Vitejte na FTP serveru Welcome to the FTP server of
Fakulty informatiky Faculty of Informatics
Masarykovy univerzity v Brne Masaryk University, Brno

This FTP site is in Brno, Czech Republic, Europe. The local time is
Thu Apr 17 17:51:19 2008. You are user number 130 out of maximium 800
in class default. There are 130 users in all classes (the maximum is 800). All
transfers to and from archive are logged. If you do not like this policy,
disconnect now!

We serve as the ftp.fi.muni.cz, ftp.linux.cz, and ftp.cstug.cz archive,
and we have lot of Linux-, UNIX-, and TeX-related stuff here. Look
at the /pub/ROADMAP (or /pub/ROADMAP.html) for details. The file
/pub/README.uploads states the rules for uploading data to this server.
The server is avaliable via rsync and HTTP protocols. Use the following URLs:
rsync://ftp.fi.muni.cz/pub and http://ftp.fi.muni.cz/pub/.
The server is available via FTP over IPv6 at ftp://ftp6.linux.cz/ as well.
Look at http://www.linux.cz/stats/ for the hardware configuration and
statistics of this server.

-System Administrator
230 Anonymous access granted, restrictions apply.
PASV
227 Entering Passive Mode (147,251,48,205,167,93).


on the second console we type:

u2-6:~$ nc 147.251.48.205 42845


on the first one we add:

LIST


and we see:

150 Opening ASCII mode data connection for file list
226 Transfer complete.


and on the second one there appears

u2-6:~$ nc 147.251.48.205 42845
drwxr-xr-x 3 ftpadm ftpadm 56 Feb 12 2007 etc
drwxr-xr-x 4 ftpadm ftpadm 4096 May 30 2007 http
drwxr-xr-x 2 ftpadm ftpadm 0 Apr 17 15:52 mount
drwxr-xr-x 23 ftpadm ftpadm 8192 Apr 17 05:59 pub
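The port typed into `nc 147.251.48.205 42845` comes straight from the PASV reply: (147,251,48,205,167,93) is the host 147.251.48.205 followed by the port as two bytes, 167*256+93 = 42845. As an added example (not from the notes), the Python below parses 227 (PASV) and 229 (EPSV, which the lab server advertised in its FEAT list) replies and adds the check a careful client performs before opening the data connection: the address the server advertises must be the same host the control connection is talking to, which is what lftp's "Connecting data socket to (147.251.48.205)" line reflects. The two PASV reply strings are the ones captured above; the EPSV reply is constructed.

```python
import ipaddress
import re

# Reply lines captured in the sessions above.
PASV_REPLY_MUNI = "227 Entering Passive Mode (147,251,48,205,167,93)."
PASV_REPLY_LAB = "227 Entering Passive Mode (10,0,0,100,31,108)"
# EPSV (RFC 2428) carries only a port; this reply is constructed, not captured.
EPSV_REPLY = "229 Entering Extended Passive Mode (|||8044|)"

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply):
    """227 reply -> (host, port); the last two numbers are the port, high byte first."""
    m = _PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("byte out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_epsv(reply):
    """229 reply -> port; the host is always the control connection's peer."""
    m = _EPSV_RE.search(reply)
    if not reply.startswith("229") or not m:
        raise ValueError("not a 229 EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in %r" % reply)
    return port


def data_endpoint(reply, control_peer):
    """Decide where the data connection may go.

    A 227 reply names its own address, so a client that blindly connects wherever
    it is told can be sent to a third host. Insist that the advertised address is
    the control peer; many clients ignore the advertised address for this reason
    and simply reuse the control peer's.
    """
    if reply.startswith("229"):
        return control_peer, parse_epsv(reply)
    host, port = parse_pasv(reply)
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        raise ValueError("PASV address %s differs from control peer %s" % (host, control_peer))
    return host, port


if __name__ == "__main__":
    print(parse_pasv(PASV_REPLY_MUNI))                      # ('147.251.48.205', 42845)
    print(data_endpoint(PASV_REPLY_LAB, "10.0.0.100"))       # ('10.0.0.100', 8044)
    print(data_endpoint(EPSV_REPLY, "10.0.0.100"))           # ('10.0.0.100', 8044)
```

The second result is the same port 8044 that lftp computed for the lab server later in these notes, from the reply (10,0,0,100,31,108): 31*256+108.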



vm15:~# lftp --debug ftp.linux.cz
lftp ftp.linux.cz:~> ls
---- Connecting to ftp.linux.cz (147.251.48.205) port 21
<--- 220 ProFTPD 1.3.0a Server (Faculty of Informatics) [::ffff:147.251.48.205]
---> FEAT
<--- 211-Features:
<--- MDTM
<--- REST STREAM
<--- SIZE
<--- 211 End
---> USER anonymous
<--- 331 Anonymous login ok, send your complete email address as your password.
---> PASS lftp@
<--- 230-Hello, UNKNOWN at bug.ms.mff.cuni.cz!
<---
<--- Vitejte na FTP serveru Welcome to the FTP server of
<--- Fakulty informatiky Faculty of Informatics
<--- Masarykovy univerzity v Brne Masaryk University, Brno
<---
<--- This FTP site is in Brno, Czech Republic, Europe. The local time is
<--- Thu Apr 17 18:03:19 2008. You are user number 124 out of maximium 800
<--- in class default. There are 124 users in all classes (the maximum is 800). All
<--- transfers to and from archive are logged. If you do not like this policy,
<--- disconnect now!
<---
<--- We serve as the ftp.fi.muni.cz, ftp.linux.cz, and ftp.cstug.cz archive,
<--- and we have lot of Linux-, UNIX-, and TeX-related stuff here. Look
<--- at the /pub/ROADMAP (or /pub/ROADMAP.html) for details. The file
<--- /pub/README.uploads states the rules for uploading data to this server.
<--- The server is avaliable via rsync and HTTP protocols. Use the following URLs:
<--- rsync://ftp.fi.muni.cz/pub and http://ftp.fi.muni.cz/pub/.
<--- The server is available via FTP over IPv6 at ftp://ftp6.linux.cz/ as well.
<--- Look at http://www.linux.cz/stats/ for the hardware configuration and
<--- statistics of this server.
<---
<--- -System Administrator
<--- 230 Anonymous access granted, restrictions apply.
---> PWD
<--- 257 "/" is current directory.
---> PASV
<--- 227 Entering Passive Mode (147,251,48,205,163,118).
---- Connecting data socket to (147.251.48.205) port 41846
---- Data connection established
---> LIST
<--- 150 Opening ASCII mode data connection for file list
---- Got EOF on data connection
---- Closing data socket
<--- 226 Transfer complete.
drwxr-xr-x 3 ftpadm ftpadm 56 Feb 12 2007 etc
drwxr-xr-x 4 ftpadm ftpadm 4096 May 30 2007 http
drwxr-xr-x 3 ftpadm ftpadm 0 Apr 17 16:03 mount
drwxr-xr-x 23 ftpadm ftpadm 8192 Apr 17 05:59 pub
lftp ftp.linux.cz:/> quit
---> QUIT
---- Closing control socket




vm15:~# lftp --debug 10.0.0.100
lftp 10.0.0.100:~> set ftp:ssl-allow-anonymous yes
lftp 10.0.0.100:~> ls
---- Connecting to 10.0.0.100 (10.0.0.100) port 21
<--- 220 (vsFTPd 2.0.5)
---> FEAT
<--- 211-Features:
<--- AUTH SSL
<--- AUTH TLS
<--- EPRT
<--- EPSV
<--- MDTM
<--- PASV
<--- PBSZ
<--- PROT
<--- REST STREAM
<--- SIZE
<--- TVFS
<--- 211 End
---> AUTH TLS
<--- 234 Proceed with negotiation.
---> USER anonymous
Certificate: C=--,ST=SomeState,L=SomeCity,O=SomeOrganization,OU=SomeOrganizationalUnit,CN=localhost.localdomain,EMAIL=root@localhost.localdomain
Issued by: C=--,ST=SomeState,L=SomeCity,O=SomeOrganization,OU=SomeOrganizationalUnit,CN=localhost.localdomain,EMAIL=root@localhost.localdomain
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: The certificate's owner does not match hostname '10.0.0.100'

<--- 331 Please specify the password.
---> PASS lftp@
<--- 230 Login successful.
---> PWD
<--- 257 "/"
---> PBSZ 0
<--- 200 PBSZ set to 0.
---> PROT P
<--- 200 PROT now Private.
---> PASV
<--- 227 Entering Passive Mode (10,0,0,100,31,108)
---- Connecting data socket to (10.0.0.100) port 8044
---- Data connection established
---> LIST
<--- 150 Here comes the directory listing.
Certificate: C=--,ST=SomeState,L=SomeCity,O=SomeOrganization,OU=SomeOrganizationalUnit,CN=localhost.localdomain,EMAIL=root@localhost.localdomain
Issued by: C=--,ST=SomeState,L=SomeCity,O=SomeOrganization,OU=SomeOrganizationalUnit,CN=localhost.localdomain,EMAIL=root@localhost.localdomain
WARNING: Certificate verification: Not trusted
WARNING: Certificate verification: The certificate's owner does not match hostname '10.0.0.100'

gnutls_record_recv: A TLS packet with unexpected length was received.; assuming EOF
---- Got EOF on data connection
---- Closing data socket
drwxr-xr-x 2 0 0 4096 Apr 17 15:11 pub
<--- 226 Directory send OK.
lftp 10.0.0.100:/> quit
---> QUIT
---- Closing control socket


11:

vm15:~# tftp 10.0.0.100
tftp> trace
Packet tracing on.
tftp> get recept
sent RRQ
received DATA
sent ACK
received DATA
sent ACK
received DATA
Received 1491 bytes in 0.0 seconds
tftp> vm15:~#


14:

we generate a key and copy it into the home directory. Then, when we log in there
and have the matching key in our home on the local machine, it lets us in
without a password :)


vm15:~# useradd s0c --password heslo --home-dir /home/s0c
vm15:~# dpkg -l |grep ssh
ii openssh-client 4.3p2-9 Secure shell client, an rlogin/rsh/rcp repla
vm15:~# apt-get install openssh-server
Reading package lists... Done
Building dependency tree... Done
Suggested packages:
ssh-askpass xbase-clients rssh molly-guard
The following NEW packages will be installed:
openssh-server
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 222kB of archives.
After unpacking 569kB of additional disk space will be used.
Get:1 http://ftp.sh.cvut.cz etch/main openssh-server 1:4.3p2-9 [222kB]
Fetched 222kB in 0s (701kB/s)
Preconfiguring packages ...
Selecting previously deselected package openssh-server.
(Reading database ... 14457 files and directories currently installed.)
Unpacking openssh-server (from .../openssh-server_1%3a4.3p2-9_i386.deb) ...
Setting up openssh-server (4.3p2-9) ...
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Restarting OpenBSD Secure Shell server: sshd.

vm15:~# ssh s0c@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is b3:47:b8:0b:61:7e:3c:f9:99:3c:47:0e:36:48:2e:d7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
s0c@localhost's password:
Linux vm15 2.6.18-4-xen-vserver-686 #1 SMP Thu May 10 04:02:17 UTC 2007 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
s0c@vm15:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/s0c/.ssh/id_rsa):
Created directory '/home/s0c/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/s0c/.ssh/id_rsa.
Your public key has been saved in /home/s0c/.ssh/id_rsa.pub.
The key fingerprint is:
85:1e:4f:3f:6d:cd:9c:90:ae:85:fc:59:b5:4a:91:eb s0c@vm15
s0c@vm15:~$ cd .ssh/
s0c@vm15:~/.ssh$ ls
id_rsa id_rsa.pub
s0c@vm15:~/.ssh$ cat ./id_rsa.pub >> authorized_keys
s0c@vm15:~$ logout
Connection to localhost closed.
vm15:~# su s0c
vm15:/root$ ssh s0c@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is b3:47:b8:0b:61:7e:3c:f9:99:3c:47:0e:36:48:2e:d7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Linux vm15 2.6.18-4-xen-vserver-686 #1 SMP Thu May 10 04:02:17 UTC 2007 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 17 18:36:13 2008 from localhost
s0c@vm15:~$ logout
Connection to localhost closed.


we allow the user only a single command: it is the only thing they can run, and it
runs every time they log in


vm15:~# vim /home/s0c/.ssh/authorized_keys
vm15:~# cat /home/s0c/.ssh/authorized_keys
command="echo 'hello' >> /tmp/hello" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzXT18FyeAaQE9gXVwE6acv2wMgTF2N2gNAKNuT9BJ94O5DVh57wQTdCkH
eUG4GonQsJqUhiKbWBBFU4+znto5yXiBFsF1JYh8iEGErgClkTLycE8TLEPI4tbsjlD/n3CYHjPlbmOBRxit+W
ytUtxzDA3/V6iauxRi8ohIF7zisoJaSHvPNNhj853BtjeiZH/4Af7wGoOUrhDKVd5XI2WPcoCF7SyvbOUX8LCR
Kn5+GoPhJ3pXfs7G3iBoQBYCU4a25fU8rlkjRSirwA50Vuvb73IT4F+bYeSwPJ9s6+9zryQsT+e3a6AElFoPtk
m+vtvq66iXKRBDLD6xWf0YyyU+w== s0c@vm15
vm15:~# su s0c
vm15:/root$ ssh s0c@localhost
Connection to localhost closed.
vm15:/root$ cat /tmp/hello
hello
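When `command=` is used as a restriction rather than a convenience, a few things about it are worth knowing: the forced command replaces whatever the client asked to run, but port forwarding, agent forwarding, X11 forwarding and PTY allocation stay allowed unless each is switched off with its own option (or all at once with `restrict` on OpenSSH 7.2 and later), and nothing limits where the key may be used from unless `from=` is set. As an added example that is not part of the seminar, the Python below parses authorized_keys lines, including the quoted options field, and reports which of these limits each key is missing. The key bodies are shortened and the second and third lines, including their path and addresses, are constructed.

```python
# Key types sshd accepts in authorized_keys (the 2008 server knew only the first two).
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

SAMPLE_AUTHORIZED_KEYS = [
    # The forced-command entry from the session above, key body shortened (constructed).
    'command="echo \'hello\' >> /tmp/hello" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzXT18Fye s0c@vm15',
    # Constructed: a plain key with no options at all.
    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexampleKeyTwo backup@constructed",
    # Constructed: a fully confined entry; path and addresses are placeholders.
    'from="10.0.0.100,10.0.0.115",restrict,command="/usr/local/bin/backup-only" '
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey backup@constructed",
]


def _split_at_unquoted_space(line):
    """Return (options, rest): the options field ends at the first space outside quotes."""
    quoted, i = False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\":
            i += 2                          # skip an escaped character inside quotes
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
        i += 1
    raise ValueError("options field never ends: %r" % line)


def split_options(text):
    """Split the options field on commas outside quotes; quotes are removed."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if quoted and c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])         # keep the escaped character literally
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        opts.append("".join(cur))
    return opts


def parse_authorized_key(line):
    """Return {'options', 'type', 'key', 'comment'} for one line, or None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        options, line = _split_at_unquoted_space(line)
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("malformed key line: %r" % line)
    opts = {}
    for opt in split_options(options) if options else []:
        name, has_value, value = opt.partition("=")
        opts[name] = value if has_value else True
    return {"options": opts, "type": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}


def audit(lines):
    """Per key: what is still open. 'restrict' (OpenSSH 7.2+) closes all the channel features at once."""
    report = []
    for n, line in enumerate(lines, 1):
        entry = parse_authorized_key(line)
        if entry is None:
            continue
        opts, findings = entry["options"], []
        if "command" not in opts:
            findings.append("no forced command: full shell for this key")
        if "restrict" not in opts:
            for opt in ("no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding", "no-pty"):
                if opt not in opts:
                    findings.append(opt[3:] + " still allowed")
        if "from" not in opts:
            findings.append("no from= source restriction")
        report.append((n, entry["comment"], findings))
    return report


if __name__ == "__main__":
    for n, comment, findings in audit(SAMPLE_AUTHORIZED_KEYS):
        print("line %d (%s): %s" % (n, comment, "; ".join(findings) or "confined"))
```

Run against the three sample lines, the seminar's own entry is reported with forwarding and PTY still allowed and no source restriction, the bare key with a full shell on top of that, and the `restrict` entry as confined.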


Thu Apr 24 17:25:08 CEST 2008



net8.pdf, slide 15:

on the virtual machine:

vm15:/root$ ssh -R 2222:localhost:22 tomim4am@u-pl22.ms.mff.cuni.cz
tomim4am@u-pl22.ms.mff.cuni.cz's password:
Last login: Thu Apr 24 17:42:07 2008 from bug.ms.mff.cuni.cz
NEWS: snadne_upozorneni_na_news bash_completion lprcs_xppcs symlinky_home
NEWS: quota_freee.sh diskove_kvoty vypalovani vymenna_media ulimit
NEWS: kvoty_na_odchozi_data
u-pl22:~$


then I log in to u-pl22, e.g. locally:

u2-7:~$ ssh tomim4am@u-pl22.ms.mff.cuni.cz
The authenticity of host 'u-pl22.ms.mff.cuni.cz (195.113.21.152)' can't be established.
RSA1 key fingerprint is 58:07:72:15:c4:84:e0:d5:7a:b4:70:6b:9b:1a:f2:c3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'u-pl22.ms.mff.cuni.cz,195.113.21.152' (RSA1) to the list of known hosts.
tomim4am@u-pl22.ms.mff.cuni.cz's password:
Last login: Thu Apr 24 17:38:53 2008 from bug.ms.mff.cuni.cz
NEWS: snadne_upozorneni_na_news bash_completion lprcs_xppcs symlinky_home
NEWS: quota_freee.sh diskove_kvoty vypalovani vymenna_media ulimit
NEWS: kvoty_na_odchozi_data
u-pl22:~$ ssh -p 2222 s0c@localhost
s0c@localhost's password:
Linux vm15 2.6.18-4-xen-vserver-686 #1 SMP Thu May 10 04:02:17 UTC 2007 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 17 18:52:09 2008 from localhost
s0c@vm15:~$ ls
/home/s0c


slide 16:

let's try copying with scp:

vm15:/root$ scp tomim4am@u-pl22.ms.mff.cuni.cz:/afs/ms/u/t/tomim4am/test_file /tmp/
tomim4am@u-pl22.ms.mff.cuni.cz's password:
test_file 100% 0 0.0KB/s 00:00
vm15:/root$ ls -l /tmp/test_file
-rw-r--r-- 1 s0c s0c 0 Apr 24 17:55 /tmp/test_file


Mail



net9.pdf, slide 7:

let's send ourselves a message by hand :) (don't write to the e-mail address given below, it is
wrong, because of spam .)


vm15:/root$ nc smtp2.ms.mff.cuni.cz 25
220 smtp2.ms.mff.cuni.cz ESMTP Sendmail 8.14.2/8.14.2; Thu, 24 Apr 2008 18:15:50 +0200 (CEST)
HELO s0cketka
250 smtp2.ms.mff.cuni.cz Hello bug.ms.mff.cuni.cz [195.113.18.123], pleased to meet you
MAIL FROM:
250 2.1.0 ... Sender ok
RCPT TO:
250 2.1.5 ... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
helo :)
.
250 2.0.0 m3OGFo8S064098 Message accepted for delivery
QUIT
221 2.0.0 smtp2.ms.mff.cuni.cz closing connection


fake sender details:


vm15:/root$ nc smtp2.ms.mff.cuni.cz 25
220 smtp2.ms.mff.cuni.cz ESMTP Sendmail 8.14.2/8.14.2; Thu, 24 Apr 2008 18:15:15 +0200 (CEST)
HELO s0cketka
250 smtp2.ms.mff.cuni.cz Hello bug.ms.mff.cuni.cz [195.113.18.123], pleased to meet you
MAIL FROM:
550 5.7.1 ... MX 10 'pecka.reflektor.cz.' [81.0.208.98] for rejected address saying ": Recipient address rejected: User unknown in virtual mailbox table"



let's look at seznam's records to see where to connect if we wanted to send them
mail:

vm15:/root$ dig seznam.cz MX

; <<>> DiG 9.3.4 <<>> seznam.cz MX
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16359
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;seznam.cz. IN MX

;; ANSWER SECTION:
seznam.cz. 298 IN MX 60 mx60.seznam.cz.
seznam.cz. 298 IN MX 50 mx50.seznam.cz.

;; AUTHORITY SECTION:
seznam.cz. 17998 IN NS ms.seznam.cz.
seznam.cz. 17998 IN NS ns.seznam.cz.

;; ADDITIONAL SECTION:
mx50.seznam.cz. 298 IN A 77.75.73.47
mx60.seznam.cz. 298 IN A 77.75.73.48

;; Query time: 2 msec
;; SERVER: 10.0.0.100#53(10.0.0.100)
;; WHEN: Thu Apr 24 18:32:37 2008
;; MSG SIZE rcvd: 135


let's configure our own mail server :)

I check whether I have DNS set up:


vm15:/root$ dig vm15.seminar MX

; <<>> DiG 9.3.4 <<>> vm15.seminar MX
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63482
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; QUESTION SECTION:
;vm15.seminar. IN MX

;; ANSWER SECTION:
vm15.seminar. 259200 IN MX 20 mail.vm15.seminar.

;; AUTHORITY SECTION:
vm15.seminar. 259200 IN NS ns.vm15.seminar.

;; ADDITIONAL SECTION:
mail.vm15.seminar. 259200 IN A 10.0.0.115
ns.vm15.seminar. 259200 IN A 10.0.0.115
ns.vm15.seminar. 259200 IN AAAA 2001:5c0:94c1:1::15

;; Query time: 7 msec
;; SERVER: 10.0.0.100#53(10.0.0.100)
;; WHEN: Thu Apr 24 18:36:47 2008
;; MSG SIZE rcvd: 128


configuration:

vm15:~# vim /etc/postfix/main.cf
vm15:~# cat /etc/postfix/main.cf
myhostname = mail.vm15.seminar
mydomain = vm15.seminar
myorigin = vm15.seminar
vm15:~# /etc/init.d/postfix start
Starting Postfix Mail Transport Agent: postfix.
vm15:~# mail -s test root@vm15.seminar
Cc:
helo
.

vm15:~# mail
No mail for root
vm15:~# ls /var/spool/mail/
vm15:~#
vm15:~# mailq
Mail queue is empty
vm15:~# sendmail -q
vm15:~#
vm15:~# nslookup mail.vm15.seminar
Server: 10.0.0.100
Address: 10.0.0.100#53

Non-authoritative answer:
Name: mail.vm15.seminar
Address: 10.0.0.115


Why didn't it arrive?


vm15:~# tail -f /var/log/mail.log
Apr 24 18:47:50 vm15 postfix/pickup[8174]: 5B590168C0: uid=0 from=
Apr 24 18:47:50 vm15 postfix/cleanup[8179]: 5B590168C0: message-id=<20080424164750.5B590168C0@mail.vm15.seminar>
Apr 24 18:47:50 vm15 postfix/qmgr[8175]: 5B590168C0: from=, size=334, nrcpt=1 (queue active)
Apr 24 18:47:50 vm15 postfix/smtp[8181]: 5B590168C0: to=, relay=none, delay=0.14, delays=0.1/0.04/0.01/0, dsn=5.4.6, status=bounced (mail for vm15.seminar loops back to myself)
Apr 24 18:47:50 vm15 postfix/cleanup[8179]: 7F932168C3: message-id=<20080424164750.7F932168C3@mail.vm15.seminar>
Apr 24 18:47:50 vm15 postfix/qmgr[8175]: 7F932168C3: from=<>, size=2062, nrcpt=1 (queue active)
Apr 24 18:47:50 vm15 postfix/bounce[8182]: 5B590168C0: sender non-delivery notification: 7F932168C3
Apr 24 18:47:50 vm15 postfix/qmgr[8175]: 5B590168C0: removed
Apr 24 18:47:50 vm15 postfix/smtp[8181]: 7F932168C3: to=, relay=none, delay=0.03, delays=0.02/0/0/0, dsn=5.4.6, status=bounced (mail for vm15.seminar loops back to myself)
Apr 24 18:47:50 vm15 postfix/qmgr[8175]: 7F932168C3: removed


It worked out that it is actually supposed to deliver the message to itself. But it is
not configured enough for that, so it can't deliver it. So it dropped the message, tried to
send a non-delivery notice, but it can't deliver that either, so it simply dropped it too :)
In theory, though, it should now be possible to send mail out somewhere, e.g. to seznam etc.

Thu May 15 17:27:35 CEST 2008



slide set 9, slide 15:

let's finish setting up mail reception:


vm15:~# vim /etc/postfix/main.cf
vm15:~# cat /etc/postfix/main.cf
myhostname = mail.vm15.seminar
mydomain = vm15.seminar
myorigin = vm15.seminar
mydestination = vm15.seminar
vm15:~# mail root@vm15.seminar
Cc:
Subject: pokus1
test1
.


but nothing arrived :(


vm15:~# tail /var/log/mail.err
May 15 17:30:13 vm15 postfix/local[2655]: fatal: open database /etc/aliases.db: No such file or directory


aaahaa


vm15:~# newaliases
vm15:~# mail root@vm15.seminar
Cc:
Subject: opkus 2
test2
.
vm15:~# mail
"/var/mail/root": 2 messages 2 new
>N 1 root Thu May 15 17:32 13/425 pokus1
N 2 root Thu May 15 17:32 13/426 opkus 2
& q
Held 2 messages in /var/mail/root


let's try sending to an ordinary user:


vm15:~# mail s0c@vm15.seminar
Cc:
Subject: pokus 3
test 3
.
vm15:~# su s0c
vm15:/root$ mail
"/var/mail/s0c": 1 message 1 unread
>U 1 root Thu May 15 17:36 16/469 pokus 3
& q
Held 1 message in /var/mail/s0c
vm15:/root$ exit


it's there :) and now, how does the user get at their mail in some ordinary way?

16:
let's set up a POP3 server:


vm15:~# vim /etc/dovecot/dovecot.conf
vm15:~# cat /etc/dovecot/dovecot.conf |grep -v '#' |less
protocols = pop3 imap
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_extra_groups = mail
protocol imap {
}
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
}
auth default {
mechanisms = plain
passdb pam {
}
userdb passwd {
}
user = root
}
dict {
}
plugin {
}
vm15:~# /etc/init.d/dovecot restart
Restarting mail server: dovecotWarning: Fixing permissions of /var/run/dovecot to be world-readable
Warning: Corrected permissions for login directory /var/run/dovecot/login
.
vm15:~# nc localhost 110
+OK Dovecot ready.
USER s0c
+OK
PASS heslo
+OK Logged in.
LIST
+OK 1 messages:
1 438
.
RETR 1
+OK 438 octets
Return-Path:
X-Original-To: s0c@vm15.seminar
Delivered-To: s0c@vm15.seminar
Received: by mail.vm15.seminar (Postfix, from userid 0)
id B60BA168C7; Thu, 15 May 2008 17:36:36 +0200 (CEST)
To:
Subject: pokus 3
X-Mailer: mail (GNU Mailutils 1.1)
Message-Id: <20080515153636.B60BA168C7@mail.vm15.seminar>
Date: Thu, 15 May 2008 17:36:36 +0200 (CEST)
From: root@vm15.seminar (root)

test 3
.
QUIT
+OK Logging out.
vm15:~#


The brave ones tried IMAP too; I didn't have time for it.

17:


vm15:~# dig seznam.cz ANY |grep TXT
seznam.cz. 284 IN TXT "wwrr\00977.75.76.3\0091\009http\00980\00930\0096\0093"
seznam.cz. 284 IN TXT "v=spf1 mx ip4:77.75.72.1/24 ip4:77.75.73.1/24 ip4:77.75.76.1/24 ip4:77.75.77.1/24 ?all"
seznam.cz. 284 IN TXT "wwrr\00977.75.72.3\0091\009http\00980\00930\0096\0093"


the middle line lists the addresses of the servers that are authorized to send mail for this domain (see SPF on the slide)
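As an added example (not from the notes), the Python below does what a receiving mail server does with that record: it picks the single `v=spf1` TXT record out of the set returned by dig, then walks the mechanisms left to right for a given connecting IP, the first match deciding the result. Since it runs offline, the `mx` mechanism is resolved from the two MX addresses seen in the earlier `dig seznam.cz MX` output rather than via live DNS, and mechanisms that would need further lookups (include, a, exists, ptr, redirect) are reported as not evaluated. Note the record ends with `?all`: an IP that matches nothing gets neutral, not fail, so the record names the legitimate senders without telling receivers to reject everyone else.

```python
import ipaddress

# TXT records of seznam.cz as printed by dig above; the \009 escapes are literal
# in dig's output. Only the v=spf1 record is SPF, the others are unrelated data.
SEZNAM_TXT_RECORDS = [
    r"wwrr\00977.75.76.3\0091\009http\00980\00930\0096\0093",
    "v=spf1 mx ip4:77.75.72.1/24 ip4:77.75.73.1/24 ip4:77.75.76.1/24 ip4:77.75.77.1/24 ?all",
    r"wwrr\00977.75.72.3\0091\009http\00980\00930\0096\0093",
]
# A records of the seznam.cz MX hosts, from the earlier `dig seznam.cz MX` output;
# they stand in for live DNS so the example runs offline.
SEZNAM_MX_ADDRESSES = ["77.75.73.47", "77.75.73.48"]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"include", "a", "exists", "ptr", "redirect"}


def find_spf(txt_records):
    """Return the domain's SPF record, or None when there is none or more than one
    (RFC 7208 treats both cases as 'no usable policy')."""
    spf = [r for r in txt_records if r.lower().split(" ", 1)[0] == "v=spf1"]
    return spf[0] if len(spf) == 1 else None


def evaluate_spf(record, sender_ip, mx_addresses):
    """Walk the mechanisms left to right; the first one that matches decides.

    Returns pass/fail/softfail/neutral, 'needs-dns' for a mechanism this offline
    example cannot resolve, or 'permerror' for an unknown mechanism.
    """
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                           # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if "=" in name:                           # modifiers: redirect=..., exp=...
            name, arg = name.split("=", 1)
        name = name.lower()
        if name == "exp":
            continue                              # explanation text, no effect on the result
        if name == "all":
            matched = True
        elif name == "mx" and not arg:
            matched = any(ip == ipaddress.ip_address(a) for a in mx_addresses)
        elif name in ("ip4", "ip6"):
            # strict=False because records like 77.75.72.1/24 have host bits set
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in NEEDS_DNS:
            return "needs-dns"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                              # nothing matched and no 'all' term


if __name__ == "__main__":
    record = find_spf(SEZNAM_TXT_RECORDS)
    for ip in ("77.75.73.47", "77.75.76.200", "10.0.0.115"):
        print(ip, "->", evaluate_spf(record, ip, SEZNAM_MX_ADDRESSES))
```

The first address is one of the MX hosts and passes on `mx`; the second is inside 77.75.76.0/24 and passes on `ip4`; the lab VM's address matches nothing and ends at `?all` with neutral.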

Finally, a mention from slide set 10:

7:

vm15:~# snmpwalk -v1 -c public 10.0.0.100
SNMPv2-MIB::sysDescr.0 = STRING: Linux bug.ms.mff.cuni.cz 2.6.18-53.1.13.el5xen #1 SMP Tue Feb 12 14:04:18 EST 2008 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (763702) 2:07:17.02
SNMPv2-MIB::sysContact.0 = STRING: root
SNMPv2-MIB::sysName.0 = STRING: bug.ms.mff.cuni.cz
SNMPv2-MIB::sysLocation.0 = STRING: MS
...
(terribly long)


and the second task from the same slide:


vm15:~# snmpwalk -v1 -c public eliska.ms.mff.cuni.cz | grep IF-MIB::ifPhy
IF-MIB::ifPhysAddress.1 = STRING: 0:1:e6:3:6f:7a
IF-MIB::ifPhysAddress.2 = STRING:



Bojovka (the final quest)



The bojovka took place in a relaxed atmosphere; it was, imho, about appropriately hard, but when I got stuck on one task for 10 or even 20 minutes, it was pretty depressing. Luckily, when you have really tried everything and have been staring at it for ages without knowing, you can put your hand up and you may be given a slight hint :) The limit was 75 minutes, which we ended up overrunning, because most people didn't make it within that time. Mirek (the lecturer) was as accommodating as could be. So good luck :)