
NTP server setup / CentOS 6.5 (64-bit)

Time is synchronized against external NTP servers. The server also answers time queries from other servers and hosts.



【Installation】

[root@vm003 ~]# yum -y install ntp
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.riken.jp
 * extras: ftp.riken.jp
 * updates: ftp.riken.jp
base                                                                                             | 3.7 kB     00:00
extras                                                                                           | 3.4 kB     00:00
updates                                                                                          | 3.4 kB     00:00
updates/primary_db                                                                               | 1.4 MB     00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ntp.x86_64 0:4.2.6p5-1.el6.centos will be installed
--> Processing Dependency: ntpdate = 4.2.6p5-1.el6.centos for package: ntp-4.2.6p5-1.el6.centos.x86_64
--> Running transaction check
---> Package ntpdate.x86_64 0:4.2.6p5-1.el6.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================
 Package                   Arch                     Version                                Repository              Size
========================================================================================================================
Installing:
 ntp                       x86_64                   4.2.6p5-1.el6.centos                   base                   592 k
Installing for dependencies:
 ntpdate                   x86_64                   4.2.6p5-1.el6.centos                   base                    75 k

Transaction Summary
========================================================================================================================
Install       2 Package(s)

Total download size: 667 k
Installed size: 1.7 M
Downloading Packages:
(1/2): ntp-4.2.6p5-1.el6.centos.x86_64.rpm                                                       | 592 kB     00:00
(2/2): ntpdate-4.2.6p5-1.el6.centos.x86_64.rpm                                                   |  75 kB     00:00
------------------------------------------------------------------------------------------------------------------------
Total                                                                                   1.0 MB/s | 667 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : ntpdate-4.2.6p5-1.el6.centos.x86_64                                                                  1/2
  Installing : ntp-4.2.6p5-1.el6.centos.x86_64                                                                      2/2
  Verifying  : ntp-4.2.6p5-1.el6.centos.x86_64                                                                      1/2
  Verifying  : ntpdate-4.2.6p5-1.el6.centos.x86_64                                                                  2/2

Installed:
  ntp.x86_64 0:4.2.6p5-1.el6.centos

Dependency Installed:
  ntpdate.x86_64 0:4.2.6p5-1.el6.centos

Complete!
[root@vm003 ~]#




【Related files】

■ /etc/ntp.conf : configuration file (red bold: changed lines / blue bold: explanation)

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift                                           File recording the clock drift correction value

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery                    Ignore all queries (IPv4)
restrict -6 default kod nomodify notrap nopeer noquery                 Ignore all queries (IPv6)

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1                                                     Allow communication with itself (IPv4)
restrict -6 ::1                                                        Allow communication with itself (IPv6)

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 192.168.101.0 mask 255.255.255.0 nomodify notrap              Allow traffic from the LAN (IPv4)
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server ntp.nict.jp                     Upstream NTP server
server ntp.jst.mfeed.ad.jp             Upstream NTP server
server s2csntp.miz.nao.ac.jp           Upstream NTP server
server ats1.e-timing.ne.jp             Upstream NTP server
server ntp.shoshin.co.jp               Upstream NTP server

#broadcast 192.168.1.255 autokey        # broadcast server
#broadcastclient                        # broadcast client
#broadcast 224.0.1.1 autokey            # multicast server
#multicastclient 224.0.1.1              # multicast client
#manycastserver 239.255.254.254         # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats


■ /etc/sysconfig/iptables : open port 123 (NTP) (red bold: added lines)

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT




【Operations】

■ Initialize /var/lib/ntp/drift (run while the ntp service is stopped)

[root@vm003 ~]# echo -n "0" > /var/lib/ntp/drift
[root@vm003 ~]# ls -l /var/lib/ntp
total 4
-rw-r--r--. 1 root root 1 Feb  5 22:20 drift
[root@vm003 ~]#


■ Set the clock from an NTP server (run before starting the ntpd service)

[root@vm003 ~]# ntpdate ntp.nict.jp
 5 Feb 21:56:25 ntpdate[1412]: step time server 133.243.238.164 offset -7.121093 sec
[root@vm003 ~]#


■ Enable automatic start of ntpd at boot

[root@vm003 ~]# chkconfig ntpd on
[root@vm003 ~]#


■ Disable automatic start of ntpd at boot

[root@vm003 ~]# chkconfig ntpd off
[root@vm003 ~]#


■ Check the startup setting per runlevel (automatic start: enabled)

[root@vm003 ~]# chkconfig --list ntpd
ntpd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@vm003 ~]#


■ Check the startup setting per runlevel (automatic start: disabled)

[root@vm003 ~]# chkconfig --list ntpd
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@vm003 ~]#


■ Start the ntpd service

[root@vm003 ~]# service ntpd start
Starting ntpd:                                             [  OK  ]
[root@vm003 ~]#


■ Stop the ntpd service

[root@vm003 ~]# service ntpd stop
Shutting down ntpd:                                        [  OK  ]
[root@vm003 ~]#


■ Restart the ntpd service

[root@vm003 ~]# service ntpd restart
Shutting down ntpd:                                        [  OK  ]
Starting ntpd:                                             [  OK  ]
[root@vm003 ~]#


■ Check the synchronization state with the NTP servers : the "*" in front of an IP address marks the NTP server currently synchronized to

[root@vm003 ~]# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*133.243.238.243 .NICT.           1 u   16   64  177   18.588  -21.065   5.375
-210.173.160.27  172.29.2.50      2 u   13   64  177   18.332  -15.786   6.844
-133.40.41.134   133.40.41.133    2 u   16   64  177   29.874  -24.744   7.189
+61.114.187.55   .PPS.            1 u   10   64  177   18.876  -13.214   9.165
+210.168.211.231 .CDMA.           1 u   12   64  177   24.947  -15.717   5.860
[root@vm003 ~]#
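As an added example (not code from the original page), the POSIX shell script below checks the two security-relevant pieces of this article in one place: that the restrict lines in /etc/ntp.conf keep the kod nomodify notrap nopeer noquery defaults (so the daemon answers time requests but refuses status queries and configuration changes from arbitrary hosts, and a subnet grant still forbids modification), and which peer the "*" in the ntpq -np output refers to. The config text and ntpq output embedded in it are constructed samples modelled on the ones above; the function names audit_ntp_restrict and sync_peer are chosen here.

```shell
#!/bin/sh
# Added example (not from the original page): audit the "restrict" lines of
# an ntp.conf and read the synchronized peer out of "ntpq -np" output.
# Both inputs below are constructed samples modelled on the page's config
# and output; on a live host use
#   audit_ntp_restrict "$(cat /etc/ntp.conf)"   and   sync_peer "$(ntpq -np)"

NTP_CONF_SAMPLE='driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.101.0 mask 255.255.255.0 nomodify notrap
server ntp.nict.jp'

# Constructed weak variant: the IPv4 default line forgot "noquery", so any
# host could send ntpq/ntpdc status queries to the daemon.
NTP_CONF_WEAK='restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1'

# audit_ntp_restrict CONF_TEXT
# Prints "ok" when both "restrict default" lines (IPv4 and IPv6) carry
# kod nomodify notrap nopeer noquery and every subnet grant
# ("restrict NET mask MASK ...") still carries nomodify notrap.
# Otherwise prints the first finding and returns 1.
audit_ntp_restrict() {
    conf="$1"
    for fam in "restrict default" "restrict -6 default"; do
        line=$(printf '%s\n' "$conf" | grep "^$fam " | head -n 1)
        if [ -z "$line" ]; then
            echo "missing line: $fam"
            return 1
        fi
        for flag in kod nomodify notrap nopeer noquery; do
            case " $line " in
                *" $flag "*) ;;
                *) echo "$fam lacks $flag"; return 1 ;;
            esac
        done
    done
    printf '%s\n' "$conf" | grep "^restrict .* mask " | while read -r line; do
        for flag in nomodify notrap; do
            case " $line " in
                *" $flag "*) ;;
                *) echo "subnet grant lacks $flag: $line"; exit 1 ;;
            esac
        done
    done || return 1
    echo ok
}

NTPQ_SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*133.243.238.243 .NICT.           1 u   16   64  177   18.588  -21.065   5.375
-210.173.160.27  172.29.2.50      2 u   13   64  177   18.332  -15.786   6.844
+61.114.187.55   .PPS.            1 u   10   64  177   18.876  -13.214   9.165'

# Constructed output of a daemon that has not selected a peer yet
# (no tally mark in column 1, as right after "service ntpd start").
NTPQ_UNSYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 133.243.238.243 .NICT.           1 u    5   64    1   18.588  -21.065   0.000'

# sync_peer NTPQ_TEXT : print the address of the peer marked "*" (the one
# ntpd is synchronized to); prints nothing when there is no such peer.
sync_peer() {
    printf '%s\n' "$1" | awk '/^\*/ { sub(/^\*/, "", $1); print $1 }'
}

audit_ntp_restrict "$NTP_CONF_SAMPLE"           # ok
audit_ntp_restrict "$NTP_CONF_WEAK" || :        # restrict default lacks noquery
printf 'synchronized to: %s\n' "$(sync_peer "$NTPQ_SAMPLE")"
```

An empty result from sync_peer right after starting ntpd is normal: the daemon needs several polls (the reach column filling up) before it selects a peer, which is why the article runs ntpdate once before the first start.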

Building an internal DNS server / CentOS 6.5 (64-bit)

Build an internal (LAN-only) DNS server.



【Installation】

■ Install over the Internet

[root@sv1 ~]# yum -y install bind
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.fairway.ne.jp
 * extras: mirror.fairway.ne.jp
 * updates: mirror.fairway.ne.jp
base                                                                    | 3.7 kB     00:00
extras                                                                  | 3.4 kB     00:00
updates                                                                 | 3.4 kB     00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.8.2-0.17.rc1.el6_4.6 will be installed
--> Processing Dependency: bind-libs = 32:9.8.2-0.17.rc1.el6_4.6 for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Processing Dependency: portreserve for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Processing Dependency: liblwres.so.80()(64bit) for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Processing Dependency: libisccfg.so.82()(64bit) for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Processing Dependency: libisccc.so.80()(64bit) for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Processing Dependency: libisc.so.83()(64bit) for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Processing Dependency: libdns.so.81()(64bit) for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Processing Dependency: libbind9.so.80()(64bit) for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Running transaction check
---> Package bind-libs.x86_64 32:9.8.2-0.17.rc1.el6_4.6 will be installed
---> Package portreserve.x86_64 0:0.0.4-9.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================
 Package              Arch            Version                              Repository     Size
===============================================================================================
Installing:
 bind                 x86_64          32:9.8.2-0.17.rc1.el6_4.6            base          4.0 M
Installing for dependencies:
 bind-libs            x86_64          32:9.8.2-0.17.rc1.el6_4.6            base          878 k
 portreserve          x86_64          0.0.4-9.el6                          base           23 k

Transaction Summary
===============================================================================================
Install       3 Package(s)

Total download size: 4.9 M
Installed size: 9.5 M
Downloading Packages:
(1/3): bind-9.8.2-0.17.rc1.el6_4.6.x86_64.rpm                           | 4.0 MB     00:14
(2/3): bind-libs-9.8.2-0.17.rc1.el6_4.6.x86_64.rpm                      | 878 kB     00:04
(3/3): portreserve-0.0.4-9.el6.x86_64.rpm                               |  23 kB     00:00
-----------------------------------------------------------------------------------------------
Total                                                          252 kB/s | 4.9 MB     00:19
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : portreserve-0.0.4-9.el6.x86_64                                              1/3
  Installing : 32:bind-libs-9.8.2-0.17.rc1.el6_4.6.x86_64                                  2/3
  Installing : 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64                                       3/3
  Verifying  : 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64                                       1/3
  Verifying  : 32:bind-libs-9.8.2-0.17.rc1.el6_4.6.x86_64                                  2/3
  Verifying  : portreserve-0.0.4-9.el6.x86_64                                              3/3

Installed:
  bind.x86_64 32:9.8.2-0.17.rc1.el6_4.6

Dependency Installed:
  bind-libs.x86_64 32:9.8.2-0.17.rc1.el6_4.6          portreserve.x86_64 0:0.0.4-9.el6

Complete!
[root@sv1 ~]# yum -y install bind-chroot
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.fairway.ne.jp
 * extras: mirror.fairway.ne.jp
 * updates: mirror.fairway.ne.jp
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-chroot.x86_64 32:9.8.2-0.17.rc1.el6_4.6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================
 Package              Arch            Version                              Repository     Size
===============================================================================================
Installing:
 bind-chroot          x86_64          32:9.8.2-0.17.rc1.el6_4.6            base           71 k

Transaction Summary
===============================================================================================
Install       1 Package(s)

Total download size: 71 k
Installed size: 0
Downloading Packages:
bind-chroot-9.8.2-0.17.rc1.el6_4.6.x86_64.rpm                           |  71 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 32:bind-chroot-9.8.2-0.17.rc1.el6_4.6.x86_64                                1/1
  Verifying  : 32:bind-chroot-9.8.2-0.17.rc1.el6_4.6.x86_64                                1/1

Installed:
  bind-chroot.x86_64 32:9.8.2-0.17.rc1.el6_4.6

Complete!
[root@sv1 ~]# yum -y install bind-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.fairway.ne.jp
 * extras: mirror.fairway.ne.jp
 * updates: mirror.fairway.ne.jp
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-utils.x86_64 32:9.8.2-0.17.rc1.el6_4.6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================
 Package             Arch            Version                               Repository     Size
===============================================================================================
Installing:
 bind-utils          x86_64          32:9.8.2-0.17.rc1.el6_4.6             base          182 k

Transaction Summary
===============================================================================================
Install       1 Package(s)

Total download size: 182 k
Installed size: 438 k
Downloading Packages:
bind-utils-9.8.2-0.17.rc1.el6_4.6.x86_64.rpm                            | 182 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 32:bind-utils-9.8.2-0.17.rc1.el6_4.6.x86_64                                 1/1
  Verifying  : 32:bind-utils-9.8.2-0.17.rc1.el6_4.6.x86_64                                 1/1

Installed:
  bind-utils.x86_64 32:9.8.2-0.17.rc1.el6_4.6

Complete!
[root@sv1 ~]#


■ Install from the installation DVD (ISO image file) (※ the preparatory step must be done beforehand)

[root@sv1 ~]# mount /dev/cdrom /mnt
mount: block device /dev/sr0 is write-protected, mounting read-only
[root@sv1 ~]# yum --disablerepo=\* --enablerepo=centos-dvd -y install bind
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
centos-dvd                                                              | 4.0 kB     00:00 ...
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.8.2-0.17.rc1.el6_4.6 will be installed
--> Processing Dependency: bind-libs = 32:9.8.2-0.17.rc1.el6_4.6 for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Processing Dependency: portreserve for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Processing Dependency: liblwres.so.80()(64bit) for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Processing Dependency: libisccfg.so.82()(64bit) for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Processing Dependency: libisccc.so.80()(64bit) for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Processing Dependency: libisc.so.83()(64bit) for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Processing Dependency: libdns.so.81()(64bit) for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Processing Dependency: libbind9.so.80()(64bit) for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64
--> Running transaction check
---> Package bind-libs.x86_64 32:9.8.2-0.17.rc1.el6_4.6 will be installed
---> Package portreserve.x86_64 0:0.0.4-9.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================
 Package             Arch           Version                           Repository          Size
===============================================================================================
Installing:
 bind                x86_64         32:9.8.2-0.17.rc1.el6_4.6         centos-dvd         4.0 M
Installing for dependencies:
 bind-libs           x86_64         32:9.8.2-0.17.rc1.el6_4.6         centos-dvd         878 k
 portreserve         x86_64         0.0.4-9.el6                       centos-dvd          23 k

Transaction Summary
===============================================================================================
Install       3 Package(s)

Total download size: 4.9 M
Installed size: 9.5 M
Downloading Packages:
-----------------------------------------------------------------------------------------------
Total                                                           22 MB/s | 4.9 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : portreserve-0.0.4-9.el6.x86_64                                              1/3
  Installing : 32:bind-libs-9.8.2-0.17.rc1.el6_4.6.x86_64                                  2/3
  Installing : 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64                                       3/3
  Verifying  : 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64                                       1/3
  Verifying  : 32:bind-libs-9.8.2-0.17.rc1.el6_4.6.x86_64                                  2/3
  Verifying  : portreserve-0.0.4-9.el6.x86_64                                              3/3

Installed:
  bind.x86_64 32:9.8.2-0.17.rc1.el6_4.6

Dependency Installed:
  bind-libs.x86_64 32:9.8.2-0.17.rc1.el6_4.6          portreserve.x86_64 0:0.0.4-9.el6

Complete!
[root@sv1 ~]# yum --disablerepo=\* --enablerepo=centos-dvd -y install bind-chroot
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-chroot.x86_64 32:9.8.2-0.17.rc1.el6_4.6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================
 Package             Arch           Version                           Repository          Size
===============================================================================================
Installing:
 bind-chroot         x86_64         32:9.8.2-0.17.rc1.el6_4.6         centos-dvd          71 k

Transaction Summary
===============================================================================================
Install       1 Package(s)

Total download size: 71 k
Installed size: 0
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 32:bind-chroot-9.8.2-0.17.rc1.el6_4.6.x86_64                                1/1
  Verifying  : 32:bind-chroot-9.8.2-0.17.rc1.el6_4.6.x86_64                                1/1

Installed:
  bind-chroot.x86_64 32:9.8.2-0.17.rc1.el6_4.6

Complete!
[root@sv1 ~]# yum --disablerepo=\* --enablerepo=centos-dvd -y install bind-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-utils.x86_64 32:9.8.2-0.17.rc1.el6_4.6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================
 Package            Arch           Version                            Repository          Size
===============================================================================================
Installing:
 bind-utils         x86_64         32:9.8.2-0.17.rc1.el6_4.6          centos-dvd         182 k

Transaction Summary
===============================================================================================
Install       1 Package(s)

Total download size: 182 k
Installed size: 438 k
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 32:bind-utils-9.8.2-0.17.rc1.el6_4.6.x86_64                                 1/1
  Verifying  : 32:bind-utils-9.8.2-0.17.rc1.el6_4.6.x86_64                                 1/1

Installed:
  bind-utils.x86_64 32:9.8.2-0.17.rc1.el6_4.6

Complete!
[root@sv1 ~]# umount /mnt
[root@sv1 ~]# 




【Related files】

■ /var/named/chroot/etc/named.conf (blue bold: explanation)

acl "AclInternal" {                Access list
        127.0.0.1;                    Loopback address
        192.168.154.0/24;             Network allowed access
};

options {
        directory "/var/named";    Base directory for file paths
        allow-query{               Networks/servers whose name-resolution queries are accepted
                    AclInternal;
        };
        allow-recursion{           Networks/servers allowed to use this server as a caching (recursive) resolver
                    AclInternal;
        };
        allow-transfer{            Networks/servers allowed to request zone transfers
                    none;
        };
        forwarders{                Servers consulted when this server cannot resolve a name itself
                    8.8.8.8;
        };
};

controls {                         rndc key settings
        inet 127.0.0.1 allow { localhost; }
        keys { rndckey; };
};

include "/etc/rndc.key";

logging {
        category lame-servers { null; };   Do not log misconfigurations (lame servers) found on other servers during resolution
};

zone "." IN {                      Root (.) zone
        type hint;
        file "named.ca";
};

zone "localhost" IN {              localhost zone (forward)
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {   127.0.0.* zone (reverse)
        type master;
        file "0.0.127.in-addr.arpa.zone";
        allow-update { none; };
};

zone "exam.local" IN {             Forward zone (domain name → IP address)
        type master;
        file "exam.local.zone";
        allow-update { none; };
};

zone "154.168.192.in-addr.arpa" IN {   Reverse zone (IP address → domain name)
        type master;
        file "154.168.192.in-addr.arpa.zone";
        allow-update { none; };
};
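Added example (not part of the original page): a POSIX shell audit of the options block above. The point of the AclInternal ACL is that allow-recursion is limited to the LAN, so the server cannot be used from outside as an open resolver (a common amplification source), and that allow-transfer is none, so the zone contents are not handed to arbitrary hosts. The config text below is a constructed sample shaped like the page's named.conf; option_members and audit_resolver are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original page): read the members of an
# options block out of named.conf and flag an open resolver. The config
# below is a constructed sample shaped like the page's named.conf; on the
# real file use   audit_resolver "$(cat /var/named/chroot/etc/named.conf)"

NAMED_CONF_SAMPLE='acl "AclInternal" {
        127.0.0.1;
        192.168.154.0/24;
};

options {
        directory "/var/named";
        allow-query{
                    AclInternal;
        };
        allow-recursion{
                    AclInternal;
        };
        allow-transfer{
                    none;
        };
        forwarders{
                    8.8.8.8;
        };
};'

# Constructed misconfiguration: recursion and zone transfers open to any host.
NAMED_CONF_OPEN='options {
        directory "/var/named";
        allow-recursion { any; };
        allow-transfer { any; };
};'

# option_members CONF_TEXT NAME
# Print the ";"-separated members of the "NAME { ... }" block, one per
# line. Handles both "NAME{" and "NAME {" and blocks closed on the same
# or a later line; prints nothing when the block is absent.
option_members() {
    printf '%s\n' "$1" | awk -v name="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }        # drop indentation
        !inside && index(line, name) == 1 {
            rest = substr(line, length(name) + 1)
            if (rest ~ /^[ \t]*[{]/) {                 # "name {" opens the block
                sub(/^[ \t]*[{]/, "", rest)
                line = rest
                inside = 1
            }
        }
        inside {
            if (line ~ /[}]/) {                        # "}" closes it
                sub(/[}].*/, "", line)
                inside = 0
            }
            gsub(/[ \t]/, "", line)
            n = split(line, parts, ";")
            for (i = 1; i <= n; i++)
                if (parts[i] != "") print parts[i]
        }'
}

# audit_resolver CONF_TEXT
# "ok" when allow-recursion is set and does not include "any" (so the
# server is not an open resolver) and allow-transfer is "none" (zone data
# is not handed to arbitrary hosts); otherwise the first finding, status 1.
audit_resolver() {
    rec=$(option_members "$1" allow-recursion)
    if [ -z "$rec" ]; then
        echo "allow-recursion not set"
        return 1
    fi
    for m in $rec; do
        if [ "$m" = "any" ]; then
            echo "open resolver: allow-recursion includes any"
            return 1
        fi
    done
    xfer=$(option_members "$1" allow-transfer)
    if [ "$xfer" != "none" ]; then
        echo "zone transfers not disabled: allow-transfer is '${xfer:-unset}'"
        return 1
    fi
    echo ok
}

option_members "$NAMED_CONF_SAMPLE" allow-recursion   # AclInternal
audit_resolver "$NAMED_CONF_SAMPLE"                   # ok
audit_resolver "$NAMED_CONF_OPEN" || :                # open resolver: ...
```

The iptables rules later in the article open port 53 to everyone the firewall lets in, so the ACL in named.conf is the control that actually decides who may recurse; a later edit that widens allow-recursion to any is exactly what this audit is meant to catch.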


■ /var/named/chroot/var/named/localhost.zone

$TTL    86400
@       IN      SOA     sv1.exam.local.   examuser.exam.local.   (
                                      2013123101 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
              IN      NS        sv1.exam.local.
localhost.    IN      A         127.0.0.1


■ /var/named/chroot/var/named/0.0.127.in-addr.arpa.zone

$TTL    86400
@       IN      SOA     sv1.exam.local.  examuser.exam.local.   (
                                      2013123101 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
              IN      NS        sv1.exam.local.
1             IN      PTR       localhost.


■ /var/named/chroot/var/named/exam.local.zone

$TTL    86400
@        IN     SOA     sv1.exam.local.   examuser.exam.local.(
                                      2013123101 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
              IN      NS        sv1.exam.local.
              IN      MX 10     sv1.exam.local.
@             IN      A         192.168.154.11
sv1           IN      A         192.168.154.11
ntp           IN      A         192.168.154.16


■ /var/named/chroot/var/named/154.168.192.in-addr.arpa.zone

$TTL    86400
@       IN      SOA     sv1.exam.local.   examuser.exam.local.(
                                      2013123101 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
              IN      NS    sv1.exam.local.
11            IN      PTR   sv1.exam.local.
16            IN      PTR   ntp.exam.local.
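Added example (not from the original page): the dig queries in the verification section confirm by hand that each A record in the forward zone has a matching PTR in the reverse zone. The POSIX shell function below performs that cross-check offline on the zone text itself, so a forgotten PTR is caught before the zones are loaded. The zones embedded in it are constructed samples modelled on exam.local.zone and 154.168.192.in-addr.arpa.zone above; the function name check_ptr_consistency is chosen here.

```shell
#!/bin/sh
# Added example (not from the original page): cross-check a forward zone
# against its /24 reverse zone so that every A record has a matching PTR.
# The zone texts are constructed samples modelled on exam.local.zone and
# 154.168.192.in-addr.arpa.zone; on real files use
#   check_ptr_consistency exam.local "$(cat FWD_FILE)" "$(cat REV_FILE)"

FWD_ZONE='$TTL    86400
@        IN     SOA     sv1.exam.local.   examuser.exam.local.(
                                      2013123101 ; Serial
                                      86400 )    ; Minimum
              IN      NS        sv1.exam.local.
              IN      MX 10     sv1.exam.local.
@             IN      A         192.168.154.11
sv1           IN      A         192.168.154.11
ntp           IN      A         192.168.154.16'

REV_ZONE='$TTL    86400
@       IN      SOA     sv1.exam.local.   examuser.exam.local.(
                                      2013123101 ; Serial
                                      86400 )    ; Minimum
              IN      NS    sv1.exam.local.
11            IN      PTR   sv1.exam.local.
16            IN      PTR   ntp.exam.local.'

# Constructed broken reverse zone: the PTR for the ntp host was never added.
REV_BROKEN='$TTL    86400
              IN      NS    sv1.exam.local.
11            IN      PTR   sv1.exam.local.'

# check_ptr_consistency ORIGIN FWD_TEXT REV_TEXT
# For every "host IN A a.b.c.d" in FWD_TEXT require "d IN PTR host.ORIGIN."
# in REV_TEXT (a /24 reverse zone, so the PTR owner is the last octet).
# Several names may share one address; the PTR must match one of them.
# Prints "ok", or one line per problem and returns 1.
check_ptr_consistency() {
    if printf '%s\n' "$2" "---SPLIT---" "$3" | awk -v origin="$1" '
        /^---SPLIT---$/ { in_rev = 1; next }
        !in_rev && $2 == "IN" && $3 == "A" {
            split($4, o, ".")
            if ($1 == "@") fqdn = origin "."
            else           fqdn = $1 "." origin "."
            want[o[4]] = want[o[4]] " " fqdn
        }
        in_rev && $2 == "IN" && $3 == "PTR" { have[$1] = $4 }
        END {
            bad = 0
            for (last in want) {
                if (!(last in have)) {
                    print "missing PTR for " last; bad = 1
                } else if (index(want[last] " ", " " have[last] " ") == 0) {
                    print "PTR " last " is " have[last] ", expected one of:" want[last]; bad = 1
                }
            }
            exit bad
        }'
    then
        echo ok
    else
        return 1
    fi
}

check_ptr_consistency exam.local "$FWD_ZONE" "$REV_ZONE"          # ok
check_ptr_consistency exam.local "$FWD_ZONE" "$REV_BROKEN" || :   # missing PTR for 16
```

Run it together with named-checkzone: named-checkzone validates each file's syntax on its own, while this check validates the relationship between the two files, which named-checkzone does not see.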


■ /etc/sysconfig/named : restrict BIND to IPv4

ROOTDIR=/var/named/chroot
OPTIONS="-4"


■ /etc/resolv.conf : point nameserver at this server (127.0.0.1)

search exam.local
nameserver 127.0.0.1


■ /etc/sysconfig/network-scripts/ifcfg-eth0 : point DNS1 at this server (127.0.0.1)

DEVICE=eth0
TYPE=Ethernet
UUID=e4ef067c-92e2-49c8-b8ee-b0dc970ebc8a
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
HWADDR=00:0C:29:FC:2C:9A
IPADDR=192.168.154.11
PREFIX=24
GATEWAY=192.168.154.2
DNS1=127.0.0.1
DOMAIN=exam.local
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"


■ /etc/sysconfig/iptables : open the DNS ports

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT




【Operations】

■ Create /var/named/chroot/var/named/named.ca

[root@sv1 ~]# dig @a.root-servers.net . ns > /var/named/chroot/var/named/named.ca
[root@sv1 ~]#


■ Create /etc/rndc.key

[root@sv1 ~]# rndc-confgen -a -b 512 -k rndckey
wrote key file "/etc/rndc.key"
[root@sv1 ~]# chgrp named /etc/rndc.key
[root@sv1 ~]# chmod 644 /etc/rndc.key
[root@sv1 ~]#


■ Syntax check of each zone file and of named.conf

[root@sv1 ~]# named-checkzone localhost /var/named/chroot/var/named/localhost.zone
zone localhost/IN: loaded serial 2013123101
OK
[root@sv1 ~]# named-checkzone 0.0.127.in-addr.arpa /var/named/chroot/var/named/0.0.127.in-addr.arpa.zone
zone 0.0.127.in-addr.arpa/IN: loaded serial 2013123101
OK
[root@sv1 ~]# named-checkzone exam.local /var/named/chroot/var/named/exam.local.zone
zone exam.local/IN: loaded serial 2013123101
OK
[root@sv1 ~]# named-checkzone 154.168.192.in-addr.arpa /var/named/chroot/var/named/154.168.192.in-addr.arpa.zone
zone 154.168.192.in-addr.arpa/IN: loaded serial 2013123101
OK
[root@sv1 ~]# named-checkconf /var/named/chroot/etc/named.conf
[root@sv1 ~]#


■ Enable automatic start of named at boot

[root@sv1 ~]# chkconfig named on
[root@sv1 ~]#


■ Disable automatic start of named at boot

[root@sv1 ~]# chkconfig named off
[root@sv1 ~]#


■ Check the startup setting per runlevel (automatic start: enabled)

[root@sv1 ~]# chkconfig --list named
named           0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@sv1 ~]#


■ Check the startup setting per runlevel (automatic start: disabled)

[root@sv1 ~]# chkconfig --list named
named           0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@sv1 ~]#


■ Start the named service

[root@sv1 ~]# service named start
Starting named:                                            [  OK  ]
[root@sv1 ~]#


■ Stop the named service

[root@sv1 ~]# service named stop
Stopping named:                                            [  OK  ]
[root@sv1 ~]#


■ Restart the named service

[root@sv1 ~]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
[root@sv1 ~]#


■ Check the running state (running)

[root@sv1 ~]# rndc status
version: 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6
CPUs found: 1
worker threads: 1
number of zones: 20
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
[root@sv1 ~]#


■ Check the running state (not running)

[root@sv1 ~]# rndc status
rndc: connect failed: 127.0.0.1#953: connection refused
[root@sv1 ~]#


■ Restart the iptables service

[root@sv1 ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
[root@sv1 ~]#




【Verification】

■ Verify on this server #1

[root@sv1 ~]# dig @127.0.0.1 sv1.exam.local +norec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @127.0.0.1 sv1.exam.local +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6991
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sv1.exam.local.                        IN      A

;; ANSWER SECTION:
sv1.exam.local.         86400   IN      A       192.168.154.11

;; AUTHORITY SECTION:
exam.local.             86400   IN      NS      sv1.exam.local.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 31 23:10:04 2013
;; MSG SIZE  rcvd: 62

[root@sv1 ~]# dig @127.0.0.1 ntp.exam.local +norec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @127.0.0.1 ntp.exam.local +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5744
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;ntp.exam.local.                        IN      A

;; ANSWER SECTION:
ntp.exam.local.         86400   IN      A       192.168.154.16

;; AUTHORITY SECTION:
exam.local.             86400   IN      NS      sv1.exam.local.

;; ADDITIONAL SECTION:
sv1.exam.local.         86400   IN      A       192.168.154.11

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 31 23:10:25 2013
;; MSG SIZE  rcvd: 82

[root@sv1 ~]# dig @127.0.0.1 -x 192.168.154.11 +norec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @127.0.0.1 -x 192.168.154.11 +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5560
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;11.154.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
11.154.168.192.in-addr.arpa. 86400 IN   PTR     sv1.exam.local.

;; AUTHORITY SECTION:
154.168.192.in-addr.arpa. 86400 IN      NS      sv1.exam.local.

;; ADDITIONAL SECTION:
sv1.exam.local.         86400   IN      A       192.168.154.11

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 31 23:10:46 2013
;; MSG SIZE  rcvd: 103

[root@sv1 ~]# dig @127.0.0.1 -x 192.168.154.16 +norec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @127.0.0.1 -x 192.168.154.16 +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11865
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;16.154.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
16.154.168.192.in-addr.arpa. 86400 IN   PTR     ntp.exam.local.

;; AUTHORITY SECTION:
154.168.192.in-addr.arpa. 86400 IN      NS      sv1.exam.local.

;; ADDITIONAL SECTION:
sv1.exam.local.         86400   IN      A       192.168.154.11

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 31 23:11:12 2013
;; MSG SIZE  rcvd: 107

[root@sv1 ~]#


■ Check on the server itself #2

[root@sv1 ~]# dig @192.168.154.11 sv1.exam.local +norec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @192.168.154.11 sv1.exam.local +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26394
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sv1.exam.local.                        IN      A

;; ANSWER SECTION:
sv1.exam.local.         86400   IN      A       192.168.154.11

;; AUTHORITY SECTION:
exam.local.             86400   IN      NS      sv1.exam.local.

;; Query time: 0 msec
;; SERVER: 192.168.154.11#53(192.168.154.11)
;; WHEN: Tue Dec 31 23:11:42 2013
;; MSG SIZE  rcvd: 62

[root@sv1 ~]# dig @192.168.154.11 ntp.exam.local +norec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @192.168.154.11 ntp.exam.local +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43713
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;ntp.exam.local.                        IN      A

;; ANSWER SECTION:
ntp.exam.local.         86400   IN      A       192.168.154.16

;; AUTHORITY SECTION:
exam.local.             86400   IN      NS      sv1.exam.local.

;; ADDITIONAL SECTION:
sv1.exam.local.         86400   IN      A       192.168.154.11

;; Query time: 0 msec
;; SERVER: 192.168.154.11#53(192.168.154.11)
;; WHEN: Tue Dec 31 23:12:00 2013
;; MSG SIZE  rcvd: 82

[root@sv1 ~]# dig @192.168.154.11 -x 192.168.154.11 +norec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @192.168.154.11 -x 192.168.154.11 +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38158
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;11.154.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
11.154.168.192.in-addr.arpa. 86400 IN   PTR     sv1.exam.local.

;; AUTHORITY SECTION:
154.168.192.in-addr.arpa. 86400 IN      NS      sv1.exam.local.

;; ADDITIONAL SECTION:
sv1.exam.local.         86400   IN      A       192.168.154.11

;; Query time: 0 msec
;; SERVER: 192.168.154.11#53(192.168.154.11)
;; WHEN: Tue Dec 31 23:13:03 2013
;; MSG SIZE  rcvd: 103

[root@sv1 ~]# dig @192.168.154.11 -x 192.168.154.16 +norec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @192.168.154.11 -x 192.168.154.16 +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40962
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;16.154.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
16.154.168.192.in-addr.arpa. 86400 IN   PTR     ntp.exam.local.

;; AUTHORITY SECTION:
154.168.192.in-addr.arpa. 86400 IN      NS      sv1.exam.local.

;; ADDITIONAL SECTION:
sv1.exam.local.         86400   IN      A       192.168.154.11

;; Query time: 0 msec
;; SERVER: 192.168.154.11#53(192.168.154.11)
;; WHEN: Tue Dec 31 23:13:21 2013
;; MSG SIZE  rcvd: 107

[root@sv1 ~]# 


■ Check on the server itself #3

[root@sv1 ~]# dig @127.0.0.1 jprs.jp

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @127.0.0.1 jprs.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9618
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 4

;; QUESTION SECTION:
;jprs.jp.                       IN      A

;; ANSWER SECTION:
jprs.jp.                14933   IN      A       202.11.16.167

;; AUTHORITY SECTION:
.                       5449    IN      NS      a.root-servers.net.
.                       5449    IN      NS      h.root-servers.net.
.                       5449    IN      NS      f.root-servers.net.
.                       5449    IN      NS      j.root-servers.net.
.                       5449    IN      NS      i.root-servers.net.
.                       5449    IN      NS      m.root-servers.net.
.                       5449    IN      NS      k.root-servers.net.
.                       5449    IN      NS      d.root-servers.net.
.                       5449    IN      NS      c.root-servers.net.
.                       5449    IN      NS      l.root-servers.net.
.                       5449    IN      NS      g.root-servers.net.
.                       5449    IN      NS      e.root-servers.net.
.                       5449    IN      NS      b.root-servers.net.

;; ADDITIONAL SECTION:
m.root-servers.net.     9982    IN      A       202.12.27.33
l.root-servers.net.     19383   IN      A       199.7.83.42
b.root-servers.net.     4290    IN      A       192.228.79.201
d.root-servers.net.     9164    IN      A       199.7.91.13

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 31 22:03:36 2013
;; MSG SIZE  rcvd: 316

[root@sv1 ~]# dig @127.0.0.1 -x 202.11.16.167

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @127.0.0.1 -x 202.11.16.167
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23164
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 4

;; QUESTION SECTION:
;167.16.11.202.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
167.16.11.202.in-addr.arpa. 21455 IN    PTR     jprs.jp.

;; AUTHORITY SECTION:
.                       5439    IN      NS      f.root-servers.net.
.                       5439    IN      NS      d.root-servers.net.
.                       5439    IN      NS      l.root-servers.net.
.                       5439    IN      NS      j.root-servers.net.
.                       5439    IN      NS      g.root-servers.net.
.                       5439    IN      NS      e.root-servers.net.
.                       5439    IN      NS      c.root-servers.net.
.                       5439    IN      NS      m.root-servers.net.
.                       5439    IN      NS      k.root-servers.net.
.                       5439    IN      NS      i.root-servers.net.
.                       5439    IN      NS      b.root-servers.net.
.                       5439    IN      NS      a.root-servers.net.
.                       5439    IN      NS      h.root-servers.net.

;; ADDITIONAL SECTION:
m.root-servers.net.     9972    IN      A       202.12.27.33
l.root-servers.net.     19373   IN      A       199.7.83.42
b.root-servers.net.     4280    IN      A       192.228.79.201
d.root-servers.net.     9154    IN      A       199.7.91.13

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 31 22:03:46 2013
;; MSG SIZE  rcvd: 340

[root@sv1 ~]# dig @192.168.154.11 jprs.jp

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @192.168.154.11 jprs.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17048
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 4

;; QUESTION SECTION:
;jprs.jp.                       IN      A

;; ANSWER SECTION:
jprs.jp.                14904   IN      A       202.11.16.167

;; AUTHORITY SECTION:
.                       5420    IN      NS      a.root-servers.net.
.                       5420    IN      NS      h.root-servers.net.
.                       5420    IN      NS      i.root-servers.net.
.                       5420    IN      NS      b.root-servers.net.
.                       5420    IN      NS      l.root-servers.net.
.                       5420    IN      NS      d.root-servers.net.
.                       5420    IN      NS      m.root-servers.net.
.                       5420    IN      NS      k.root-servers.net.
.                       5420    IN      NS      f.root-servers.net.
.                       5420    IN      NS      j.root-servers.net.
.                       5420    IN      NS      c.root-servers.net.
.                       5420    IN      NS      e.root-servers.net.
.                       5420    IN      NS      g.root-servers.net.

;; ADDITIONAL SECTION:
m.root-servers.net.     9953    IN      A       202.12.27.33
l.root-servers.net.     19354   IN      A       199.7.83.42
b.root-servers.net.     4261    IN      A       192.228.79.201
d.root-servers.net.     9135    IN      A       199.7.91.13

;; Query time: 0 msec
;; SERVER: 192.168.154.11#53(192.168.154.11)
;; WHEN: Tue Dec 31 22:04:05 2013
;; MSG SIZE  rcvd: 316

[root@sv1 ~]# dig @192.168.154.11 -x 202.11.16.167

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @192.168.154.11 -x 202.11.16.167
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27546
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 4

;; QUESTION SECTION:
;167.16.11.202.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
167.16.11.202.in-addr.arpa. 21428 IN    PTR     jprs.jp.

;; AUTHORITY SECTION:
.                       5412    IN      NS      c.root-servers.net.
.                       5412    IN      NS      a.root-servers.net.
.                       5412    IN      NS      b.root-servers.net.
.                       5412    IN      NS      g.root-servers.net.
.                       5412    IN      NS      e.root-servers.net.
.                       5412    IN      NS      j.root-servers.net.
.                       5412    IN      NS      k.root-servers.net.
.                       5412    IN      NS      l.root-servers.net.
.                       5412    IN      NS      f.root-servers.net.
.                       5412    IN      NS      d.root-servers.net.
.                       5412    IN      NS      h.root-servers.net.
.                       5412    IN      NS      m.root-servers.net.
.                       5412    IN      NS      i.root-servers.net.

;; ADDITIONAL SECTION:
m.root-servers.net.     9945    IN      A       202.12.27.33
l.root-servers.net.     19346   IN      A       199.7.83.42
b.root-servers.net.     4253    IN      A       192.228.79.201
d.root-servers.net.     9127    IN      A       199.7.91.13

;; Query time: 0 msec
;; SERVER: 192.168.154.11#53(192.168.154.11)
;; WHEN: Tue Dec 31 22:04:13 2013
;; MSG SIZE  rcvd: 340

[root@sv1 ~]#


■ Check from another server #1 : DNS server 192.168.154.11

[workuser@vm001 ~]$ dig @192.168.154.11 sv1.exam.local +norec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @192.168.154.11 sv1.exam.local +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18877
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sv1.exam.local.                        IN      A

;; ANSWER SECTION:
sv1.exam.local.         86400   IN      A       192.168.154.11

;; AUTHORITY SECTION:
exam.local.             86400   IN      NS      sv1.exam.local.

;; Query time: 1 msec
;; SERVER: 192.168.154.11#53(192.168.154.11)
;; WHEN: Tue Dec 31 23:14:08 2013
;; MSG SIZE  rcvd: 62

[workuser@vm001 ~]$ dig @192.168.154.11 ntp.exam.local +norec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @192.168.154.11 ntp.exam.local +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29334
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;ntp.exam.local.                        IN      A

;; ANSWER SECTION:
ntp.exam.local.         86400   IN      A       192.168.154.16

;; AUTHORITY SECTION:
exam.local.             86400   IN      NS      sv1.exam.local.

;; ADDITIONAL SECTION:
sv1.exam.local.         86400   IN      A       192.168.154.11

;; Query time: 0 msec
;; SERVER: 192.168.154.11#53(192.168.154.11)
;; WHEN: Tue Dec 31 23:14:24 2013
;; MSG SIZE  rcvd: 82

[workuser@vm001 ~]$ dig @192.168.154.11 -x 192.168.154.11 +norec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @192.168.154.11 -x 192.168.154.11 +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42359
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;11.154.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
11.154.168.192.in-addr.arpa. 86400 IN   PTR     sv1.exam.local.

;; AUTHORITY SECTION:
154.168.192.in-addr.arpa. 86400 IN      NS      sv1.exam.local.

;; ADDITIONAL SECTION:
sv1.exam.local.         86400   IN      A       192.168.154.11

;; Query time: 0 msec
;; SERVER: 192.168.154.11#53(192.168.154.11)
;; WHEN: Tue Dec 31 23:14:57 2013
;; MSG SIZE  rcvd: 103

[workuser@vm001 ~]$ dig @192.168.154.11 -x 192.168.154.16 +norec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @192.168.154.11 -x 192.168.154.16 +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26555
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;16.154.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
16.154.168.192.in-addr.arpa. 86400 IN   PTR     ntp.exam.local.

;; AUTHORITY SECTION:
154.168.192.in-addr.arpa. 86400 IN      NS      sv1.exam.local.

;; ADDITIONAL SECTION:
sv1.exam.local.         86400   IN      A       192.168.154.11

;; Query time: 0 msec
;; SERVER: 192.168.154.11#53(192.168.154.11)
;; WHEN: Tue Dec 31 23:15:15 2013
;; MSG SIZE  rcvd: 107

[workuser@vm001 ~]$


■ Check from another server #2 : DNS server 192.168.154.11

[root@sv1 ~]# dig @192.168.154.11 jprs.jp

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @192.168.154.11 jprs.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20067
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 4

;; QUESTION SECTION:
;jprs.jp.                       IN      A

;; ANSWER SECTION:
jprs.jp.                14747   IN      A       202.11.16.167

;; AUTHORITY SECTION:
.                       5263    IN      NS      b.root-servers.net.
.                       5263    IN      NS      g.root-servers.net.
.                       5263    IN      NS      m.root-servers.net.
.                       5263    IN      NS      j.root-servers.net.
.                       5263    IN      NS      f.root-servers.net.
.                       5263    IN      NS      l.root-servers.net.
.                       5263    IN      NS      a.root-servers.net.
.                       5263    IN      NS      e.root-servers.net.
.                       5263    IN      NS      k.root-servers.net.
.                       5263    IN      NS      d.root-servers.net.
.                       5263    IN      NS      i.root-servers.net.
.                       5263    IN      NS      c.root-servers.net.
.                       5263    IN      NS      h.root-servers.net.

;; ADDITIONAL SECTION:
m.root-servers.net.     9796    IN      A       202.12.27.33
l.root-servers.net.     19197   IN      A       199.7.83.42
b.root-servers.net.     4104    IN      A       192.228.79.201
d.root-servers.net.     8978    IN      A       199.7.91.13

;; Query time: 0 msec
;; SERVER: 192.168.154.11#53(192.168.154.11)
;; WHEN: Tue Dec 31 22:06:42 2013
;; MSG SIZE  rcvd: 316

[root@sv1 ~]# dig @192.168.154.11 -x 202.11.16.167

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @192.168.154.11 -x 202.11.16.167
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50708
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 4

;; QUESTION SECTION:
;167.16.11.202.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
167.16.11.202.in-addr.arpa. 21270 IN    PTR     jprs.jp.

;; AUTHORITY SECTION:
.                       5254    IN      NS      g.root-servers.net.
.                       5254    IN      NS      d.root-servers.net.
.                       5254    IN      NS      e.root-servers.net.
.                       5254    IN      NS      f.root-servers.net.
.                       5254    IN      NS      m.root-servers.net.
.                       5254    IN      NS      c.root-servers.net.
.                       5254    IN      NS      a.root-servers.net.
.                       5254    IN      NS      b.root-servers.net.
.                       5254    IN      NS      k.root-servers.net.
.                       5254    IN      NS      h.root-servers.net.
.                       5254    IN      NS      l.root-servers.net.
.                       5254    IN      NS      i.root-servers.net.
.                       5254    IN      NS      j.root-servers.net.

;; ADDITIONAL SECTION:
m.root-servers.net.     9787    IN      A       202.12.27.33
l.root-servers.net.     19188   IN      A       199.7.83.42
b.root-servers.net.     4095    IN      A       192.228.79.201
d.root-servers.net.     8969    IN      A       199.7.91.13

;; Query time: 0 msec
;; SERVER: 192.168.154.11#53(192.168.154.11)
;; WHEN: Tue Dec 31 22:06:51 2013
;; MSG SIZE  rcvd: 340

[root@sv1 ~]#


■ Check from a Windows client : DNS server 192.168.154.11


C:\home>nslookup sv1.exam.local
サーバー:  sv1.exam.local
Address:  192.168.154.11

名前:    sv1.exam.local
Address:  192.168.154.11


C:\home>nslookup ntp.exam.local
サーバー:  sv1.exam.local
Address:  192.168.154.11

名前:    ntp.exam.local
Address:  192.168.154.16


C:\home>nslookup jprs.jp
サーバー:  sv1.exam.local
Address:  192.168.154.11

権限のない回答:
名前:    jprs.jp
Addresses:  2001:df0:8:7::80
      202.11.16.167


C:\home>nslookup 192.168.154.11
サーバー:  sv1.exam.local
Address:  192.168.154.11

名前:    sv1.exam.local
Address:  192.168.154.11


C:\home>nslookup 192.168.154.16
サーバー:  sv1.exam.local
Address:  192.168.154.11

名前:    ntp.exam.local
Address:  192.168.154.16


C:\home>nslookup 202.11.16.167
サーバー:  sv1.exam.local
Address:  192.168.154.11

名前:    jprs.jp
Address:  202.11.16.167


C:\home>
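
The forward and reverse checks above can be automated. The following Python is an added example (not from the original page) that parses what `dig ... +norec` prints and verifies that the A record of ntp.exam.local and the PTR record of 192.168.154.16 agree, and that both answers carry the authoritative "aa" flag. The sample outputs are constructed from the records shown above.

```python
"""Forward/reverse DNS consistency check over dig output.

Added example, not part of the original page: it parses the text that
`dig ... +norec` prints, then checks that an A lookup and the PTR lookup of
the returned address agree and that both answers carried the "aa"
(authoritative) flag, which is what the checks above verify by eye.
The sample outputs are constructed from the records shown above
(ntp.exam.local / 192.168.154.16, served by sv1.exam.local).
"""
import ipaddress
import re

FORWARD_NTP = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5744
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;ntp.exam.local.                        IN      A

;; ANSWER SECTION:
ntp.exam.local.         86400   IN      A       192.168.154.16

;; AUTHORITY SECTION:
exam.local.             86400   IN      NS      sv1.exam.local.
"""

REVERSE_NTP = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11865
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; ANSWER SECTION:
16.154.168.192.in-addr.arpa. 86400 IN   PTR     ntp.exam.local.

;; AUTHORITY SECTION:
154.168.192.in-addr.arpa. 86400 IN      NS      sv1.exam.local.
"""

# Constructed failure case: the PTR points at a different host name.
REVERSE_MISMATCH = REVERSE_NTP.replace("PTR     ntp.exam.local.", "PTR     other.exam.local.")


def parse_dig(text):
    """Return {'status', 'flags', 'answers': [(name, type, rdata), ...]} from dig output."""
    status, flags, answers, section = None, set(), [], None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            flags = set(line[len(";; flags:"):].split(";", 1)[0].split())
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]        # QUESTION, ANSWER, AUTHORITY, ADDITIONAL
        elif not line.strip():
            section = None                        # a blank line closes the section
        elif section == "ANSWER" and not line.startswith(";"):
            name, _ttl, _cls, rtype, rdata = line.split(None, 4)
            answers.append((name, rtype, rdata))
    return {"status": status, "flags": flags, "answers": answers}


def check_pair(forward_text, reverse_text):
    """Cross-check an A lookup against the PTR lookup of its address.

    Returns a list of problems; an empty list means the two answers agree.
    """
    fwd, rev = parse_dig(forward_text), parse_dig(reverse_text)
    problems = []
    for label, res in (("forward", fwd), ("reverse", rev)):
        if res["status"] != "NOERROR":
            problems.append(f"{label} lookup status {res['status']}")
        if "aa" not in res["flags"]:
            problems.append(f"{label} answer is not authoritative (no 'aa' flag)")
    a_records = [(n, r) for n, t, r in fwd["answers"] if t == "A"]
    ptr_records = {n: r for n, t, r in rev["answers"] if t == "PTR"}
    if not a_records:
        problems.append("forward lookup returned no A record")
    for host, ip in a_records:
        arpa = ipaddress.ip_address(ip).reverse_pointer + "."   # 16.154.168.192.in-addr.arpa.
        target = ptr_records.get(arpa)
        if target is None:
            problems.append(f"no PTR record for {ip} ({arpa})")
        elif target.lower() != host.lower():
            problems.append(f"PTR for {ip} is {target}, expected {host}")
    return problems


if __name__ == "__main__":
    print("page pair:", check_pair(FORWARD_NTP, REVERSE_NTP) or "consistent")
    print("mismatch: ", check_pair(FORWARD_NTP, REVERSE_MISMATCH))
```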


NTP client configuration / CentOS 6.5 (64-bit)

Time is synchronized against the NTP server on the LAN, 192.168.154.16. Time synchronization requests from other hosts are refused.



【Installation】

■ Installing over the Internet

[root@sv1 ~]# yum -y install ntp
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.fairway.ne.jp
 * extras: mirror.fairway.ne.jp
 * updates: mirror.fairway.ne.jp
base                                                                    | 3.7 kB     00:00
extras                                                                  | 3.4 kB     00:00
updates                                                                 | 3.4 kB     00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ntp.x86_64 0:4.2.6p5-1.el6.centos will be installed
--> Processing Dependency: ntpdate = 4.2.6p5-1.el6.centos for package: ntp-4.2.6p5-1.el6.centos.x86_64
--> Running transaction check
---> Package ntpdate.x86_64 0:4.2.6p5-1.el6.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================
 Package            Arch              Version                            Repository       Size
===============================================================================================
Installing:
 ntp                x86_64            4.2.6p5-1.el6.centos               base            592 k
Installing for dependencies:
 ntpdate            x86_64            4.2.6p5-1.el6.centos               base             75 k

Transaction Summary
===============================================================================================
Install       2 Package(s)

Total download size: 667 k
Installed size: 1.7 M
Downloading Packages:
(1/2): ntp-4.2.6p5-1.el6.centos.x86_64.rpm                              | 592 kB     00:01
(2/2): ntpdate-4.2.6p5-1.el6.centos.x86_64.rpm                          |  75 kB     00:00
-----------------------------------------------------------------------------------------------
Total                                                          312 kB/s | 667 kB     00:02
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : ntpdate-4.2.6p5-1.el6.centos.x86_64                                         1/2
  Installing : ntp-4.2.6p5-1.el6.centos.x86_64                                             2/2
  Verifying  : ntp-4.2.6p5-1.el6.centos.x86_64                                             1/2
  Verifying  : ntpdate-4.2.6p5-1.el6.centos.x86_64                                         2/2

Installed:
  ntp.x86_64 0:4.2.6p5-1.el6.centos

Dependency Installed:
  ntpdate.x86_64 0:4.2.6p5-1.el6.centos

Complete!
[root@sv1 ~]#


■ Installing from the installation DVD (ISO image file) (※ a preparatory step is required beforehand)

[root@sv1 ~]# mount /dev/cdrom /mnt
mount: block device /dev/sr0 is write-protected, mounting read-only
[root@sv1 ~]# yum --disablerepo=\* --enablerepo=centos-dvd -y install ntp
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
centos-dvd                                                              | 4.0 kB     00:00 ...
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ntp.x86_64 0:4.2.6p5-1.el6.centos will be installed
--> Processing Dependency: ntpdate = 4.2.6p5-1.el6.centos for package: ntp-4.2.6p5-1.el6.centos.x86_64
--> Running transaction check
---> Package ntpdate.x86_64 0:4.2.6p5-1.el6.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================
 Package           Arch             Version                         Repository            Size
===============================================================================================
Installing:
 ntp               x86_64           4.2.6p5-1.el6.centos            centos-dvd           592 k
Installing for dependencies:
 ntpdate           x86_64           4.2.6p5-1.el6.centos            centos-dvd            75 k

Transaction Summary
===============================================================================================
Install       2 Package(s)

Total download size: 667 k
Installed size: 1.7 M
Downloading Packages:
-----------------------------------------------------------------------------------------------
Total                                                           82 kB/s | 667 kB     00:08
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : ntpdate-4.2.6p5-1.el6.centos.x86_64                                         1/2
  Installing : ntp-4.2.6p5-1.el6.centos.x86_64                                             2/2
  Verifying  : ntp-4.2.6p5-1.el6.centos.x86_64                                             1/2
  Verifying  : ntpdate-4.2.6p5-1.el6.centos.x86_64                                         2/2

Installed:
  ntp.x86_64 0:4.2.6p5-1.el6.centos

Dependency Installed:
  ntpdate.x86_64 0:4.2.6p5-1.el6.centos

Complete!
[root@sv1 ~]# umount /mnt
[root@sv1 ~]#




【Related files】

■ /etc/ntp.conf : configuration file (red bold: changed lines / blue bold: explanations)

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift                                          File that records the clock correction (drift) information

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.

#restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery
restrict default ignore                                           Ignore every request by default
restrict 192.168.154.16 mask 255.255.255.255 nomodify notrap noquery  Allow communication with the NTP server

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1                                                    Allow communication with itself (IPv4)
restrict -6 ::1                                                       Allow communication with itself (IPv6)

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 192.168.154.16 iburst                                      NTP server to reference (192.168.154.16)

#broadcast 192.168.1.255 autokey        # broadcast server
#broadcastclient                        # broadcast client
#broadcast 224.0.1.1 autokey            # multicast server
#multicastclient 224.0.1.1              # multicast client
#manycastserver 239.255.254.254         # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw                                        Password file (do not change)

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys                                                    Key file (do not change)

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
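
To see what the restrict lines above actually let through, here is an added example (not part of the original page) that models ntpd's restrict matching: the most specific matching entry wins, and "default" stands for 0.0.0.0/0 and ::/0. NTP_CONF is copied from the active lines of the configuration above; the packet classes "time", "query" and "modify" are this example's own simplification of ntpd's packet types.

```python
"""Which packets does the ntp.conf above accept, and from whom?

Added example, not part of the original page: a small model of ntpd's
"restrict" matching (the most specific matching entry wins, "default"
being 0.0.0.0/0 and ::/0) applied to the restrict lines of the client
configuration above. NTP_CONF below is copied from those lines; the
packet categories "time", "query" and "modify" are this example's own
simplification of ntpd's packet classes.
"""
import ipaddress

# The active lines from the /etc/ntp.conf shown above.
NTP_CONF = """\
restrict default ignore
restrict 192.168.154.16 mask 255.255.255.255 nomodify notrap noquery
restrict 127.0.0.1
restrict -6 ::1
server 192.168.154.16 iburst
"""


def parse_restrict(conf_text):
    """Return a list of (network, flags) from the restrict lines of ntp.conf."""
    rules = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        families = {4, 6}
        if tokens[0] in ("-4", "-6"):          # family qualifier, as in "restrict -6 ::1"
            families = {int(tokens[0][1])}
            tokens = tokens[1:]
        addr, tokens = tokens[0], tokens[1:]
        if tokens[:1] == ["mask"]:             # "address mask netmask" form
            mask, tokens = tokens[1], tokens[2:]
            addr = f"{addr}/{mask}"
        flags = frozenset(tokens)
        if addr == "default":
            # Without -4/-6, "restrict default" applies to both families (ntpd 4.2.6).
            for fam in families:
                rules.append((ipaddress.ip_network("0.0.0.0/0" if fam == 4 else "::/0"), flags))
        else:
            rules.append((ipaddress.ip_network(addr, strict=False), flags))
    return rules


def effective_flags(rules, src_ip):
    """Flags of the most specific restrict entry covering src_ip (none = unrestricted)."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for net, flags in rules:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, flags)
    return best[1] if best else frozenset()


def decide(rules, src_ip, packet):
    """Outcome for a packet from src_ip: 'dropped', 'served', 'denied', 'answered' or 'applied'.

    packet is 'time' (client/server time exchange), 'query' (read-only ntpq/ntpdc
    request) or 'modify' (ntpq/ntpdc request that changes runtime state).
    """
    flags = effective_flags(rules, src_ip)
    if "ignore" in flags:                      # every packet is silently discarded
        return "dropped"
    if packet == "time":
        return "dropped" if "noserve" in flags else "served"
    if packet == "query":
        return "denied" if "noquery" in flags else "answered"
    if packet == "modify":
        return "denied" if ("noquery" in flags or "nomodify" in flags) else "applied"
    raise ValueError(f"unknown packet class {packet!r}")


if __name__ == "__main__":
    rules = parse_restrict(NTP_CONF)
    for src, kind in [("192.168.154.16", "time"), ("192.168.154.16", "query"),
                      ("192.168.154.21", "time"), ("127.0.0.1", "query"), ("::1", "modify")]:
        print(f"{src:>16} {kind:<7} -> {decide(rules, src, kind)}")
```

The result matches the intent of the configuration: time packets from 192.168.154.16 are accepted, its control queries are refused, hosts covered only by `restrict default ignore` get nothing, and the local `ntpq -np` used later still works because 127.0.0.1 and ::1 carry no flags.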




【Operations】

■ Initializing /var/lib/ntp/drift (run while the ntp service is stopped)

[root@sv1 ~]# echo -n "0" > /var/lib/ntp/drift
[root@sv1 ~]# ls /var/lib/ntp
drift
[root@sv1 ~]#


■ Setting the clock from the NTP server (run before starting the ntpd service)

[root@sv1 ~]# ntpdate 192.168.154.16
28 Dec 23:36:49 ntpdate[1530]: adjust time server 192.168.154.16 offset 0.025449 sec
[root@sv1 ~]#


■ Enabling automatic start of ntpd at boot

[root@sv1 ~]# chkconfig ntpd on
[root@sv1 ~]#


■ Disabling automatic start of ntpd at boot

[root@sv1 ~]# chkconfig ntpd off
[root@sv1 ~]#


■ Checking the startup setting for each runlevel (automatic start: enabled)

[root@sv1 ~]# chkconfig --list ntpd
ntpd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@sv1 ~]#


■ Checking the startup setting for each runlevel (automatic start: disabled)

[root@sv1 ~]# chkconfig --list ntpd
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@sv1 ~]#


■ Starting the ntpd service

[root@sv1 ~]# service ntpd start
Starting ntpd:                                             [  OK  ]
[root@sv1 ~]#


■ Stopping the ntpd service

[root@sv1 ~]# service ntpd stop
Shutting down ntpd:                                        [  OK  ]
[root@sv1 ~]#


■ Restarting the ntpd service

[root@sv1 ~]# service ntpd restart
Shutting down ntpd:                                        [  OK  ]
Starting ntpd:                                             [  OK  ]
[root@sv1 ~]#


■ Checking the synchronization state with the NTP server : a "*" before the IP address indicates that the clock is synchronized with that NTP server

[root@sv1 ~]# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.154.16  133.243.238.163  2 u   20   64    1    0.105   -8.188   0.165
[root@sv1 ~]#

Access control with TCP Wrapper / CentOS 6.5 (64-bit)

Services that link the "libwrap" library can have their access controlled by TCP Wrapper. Access control is performed by consulting /etc/hosts.allow and /etc/hosts.deny.
When iptables and TCP Wrapper are used together, iptables is evaluated first and TCP Wrapper is evaluated afterwards.



【Installation】

■ Installing over the Internet

[root@sv1 ~]# yum -y install tcp_wrappers
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.fairway.ne.jp
 * extras: mirror.fairway.ne.jp
 * updates: mirror.fairway.ne.jp
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package tcp_wrappers.x86_64 0:7.6-57.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================
 Package                      Arch                   Version                       Repository            Size
==============================================================================================================
Installing:
 tcp_wrappers                 x86_64                 7.6-57.el6                    base                  61 k

Transaction Summary
==============================================================================================================
Install       1 Package(s)

Total download size: 61 k
Installed size: 146 k
Downloading Packages:
tcp_wrappers-7.6-57.el6.x86_64.rpm                                                     |  61 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : tcp_wrappers-7.6-57.el6.x86_64                                                             1/1
  Verifying  : tcp_wrappers-7.6-57.el6.x86_64                                                             1/1

Installed:
  tcp_wrappers.x86_64 0:7.6-57.el6

Complete!
[root@sv1 ~]#


■ Installing from the installation DVD (ISO image file) (※ a preparatory step is required beforehand)

[root@sv1 ~]# mount /dev/cdrom /mnt
mount: block device /dev/sr0 is write-protected, mounting read-only
[root@sv1 ~]# yum --disablerepo=\* --enablerepo=centos-dvd -y install tcp_wrappers
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
centos-dvd                                                                             | 4.0 kB     00:00 ...
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package tcp_wrappers.x86_64 0:7.6-57.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================
 Package                      Arch                   Version                       Repository            Size
==============================================================================================================
Installing:
 tcp_wrappers                 x86_64                 7.6-57.el6                    centos-dvd            61 k

Transaction Summary
==============================================================================================================
Install       1 Package(s)

Total download size: 61 k
Installed size: 146 k
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : tcp_wrappers-7.6-57.el6.x86_64                                                             1/1
  Verifying  : tcp_wrappers-7.6-57.el6.x86_64                                                             1/1

Installed:
  tcp_wrappers.x86_64 0:7.6-57.el6

Complete!
[root@sv1 ~]# umount /mnt
[root@sv1 ~]#




【Related files】

■ /etc/hosts.allow : rules that allow access / initially contains only comments and defines nothing

#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#


■ /etc/hosts.deny : rules that deny access / initially contains only comments and defines nothing

#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#


■ /var/log/secure : where the access log is written

Dec 28 18:45:56 sv1 sshd[1677]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Dec 28 18:45:59 sv1 sshd[1681]: Received disconnect from 192.168.154.21: 11: disconnected by user
Dec 28 18:45:59 sv1 sshd[1677]: pam_unix(sshd:session): session closed for user testuser
Dec 28 18:46:02 sv1 unix_chkpwd[1699]: password check failed for user (testuser)
Dec 28 18:46:02 sv1 sshd[1697]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.154.21  user=testuser
Dec 28 18:46:03 sv1 sshd[1697]: Failed password for testuser from 192.168.154.21 port 52884 ssh2
Dec 28 18:46:09 sv1 sshd[1697]: Accepted password for testuser from 192.168.154.21 port 52884 ssh2
Dec 28 18:46:10 sv1 sshd[1697]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Dec 28 18:46:10 sv1 sshd[1702]: Received disconnect from 192.168.154.21: 11: disconnected by user
Dec 28 18:46:10 sv1 sshd[1697]: pam_unix(sshd:session): session closed for user testuser
[root@sv1 ~]#




【Operation】

■ Checking whether a daemon is linked against the "libwrap" library : case where it is

[root@sv1 ~]# ldd /usr/sbin/sshd | grep libwrap
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f3d02501000)
[root@sv1 ~]#


■ Checking whether a daemon is linked against the "libwrap" library : case where it is not

[root@sv1 ~]# ldd /usr/sbin/postfix | grep libwrap
[root@sv1 ~]#


■ Evaluation order
Rules are evaluated in the following order.
1. /etc/hosts.allow is read from the top; as soon as an entry matches, access is allowed and the remaining entries are ignored.
2. /etc/hosts.deny is read from the top; as soon as an entry matches, access is denied and the remaining entries are ignored.
3. Access is allowed.

■ Rule format
A combination of a "service" and the "address (including domain names) to allow or deny access from"

service : ip address | domain


・ /etc/hosts.allow : allow access from every address and domain

ALL : ALL


・ /etc/hosts.allow : allow access from every host in the exam.local domain (exam.local, sample.exam.local, etc.)

ALL : .exam.local
or
ALL : *.exam.local


・ Allow SSH connections from 192.168.1.1

sshd : 192.168.1.1


・ Allow SSH connections from 192.168.1.*

sshd : 192.168.1.


・ /etc/hosts.deny : deny access from every address and domain (when using TCP Wrappers, this entry is required as the last line)

ALL : ALL
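To see how the three-step evaluation order and the patterns above combine, here is an added Python simulator of hosts_access(5) evaluation (example code, not from the page): it takes the text of hosts.allow and hosts.deny, a service name and the client's IP address (plus its resolved host name, which the real library looks up itself), and returns the verdict. The sample files are constructed after the sshd : 192.168.1.21 / ALL : ALL pair used later on the page; EXCEPT lists, options and net/mask patterns are not modelled.

```python
"""Simulate hosts_access(5) evaluation as the page describes it (added example,
not from the page): hosts.allow first match -> allow, then hosts.deny first
match -> deny, otherwise allow.  EXCEPT lists, options ('allow'/'deny'/'spawn')
and net/mask patterns are not modelled."""
from fnmatch import fnmatchcase


def match_client(pattern, ip, hostname):
    """Test one client pattern against the connecting client's IP and host name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # ".exam.local" matches sample.exam.local
        return hostname.endswith(pattern)
    if pattern.endswith("."):              # "192.168.1." matches 192.168.1.x
        return ip.startswith(pattern)
    if "*" in pattern or "?" in pattern:   # shell-style wildcard, e.g. "*.exam.local"
        return fnmatchcase(ip, pattern) or fnmatchcase(hostname, pattern)
    return pattern in (ip, hostname)       # exact address or exact host name


def rule_matches(line, service, ip, hostname):
    """Parse 'daemon_list : client_list' and test it; comments and blanks never match."""
    line = line.split("#", 1)[0].strip()
    fields = [f.strip() for f in line.split(":")]
    if len(fields) < 2:
        return False
    daemons = fields[0].replace(",", " ").split()
    clients = fields[1].replace(",", " ").split()
    return (service in daemons or "ALL" in daemons) and any(
        match_client(c, ip, hostname) for c in clients)


def hosts_access(allow_text, deny_text, service, ip, hostname=""):
    """Return 'allow' or 'deny' for one connection attempt."""
    for line in allow_text.splitlines():
        if rule_matches(line, service, ip, hostname):
            return "allow"     # step 1: first match in hosts.allow wins
    for line in deny_text.splitlines():
        if rule_matches(line, service, ip, hostname):
            return "deny"      # step 2: first match in hosts.deny wins
    return "allow"             # step 3: nothing matched, so access is allowed


# Constructed files mirroring the sshd : 192.168.1.21 / ALL : ALL pair on the page.
SAMPLE_ALLOW = "# hosts.allow\nsshd : 192.168.1.21\n"
SAMPLE_DENY = "# hosts.deny\nALL : ALL\n"

if __name__ == "__main__":
    for ip in ("192.168.1.21", "192.168.1.22"):
        print(ip, "->", hosts_access(SAMPLE_ALLOW, SAMPLE_DENY, "sshd", ip))
```

On a real CentOS 6 host, tcpdmatch(8) from the tcp_wrappers package answers the same question against the live /etc/hosts.allow and /etc/hosts.deny, and only daemons that link libwrap (the ldd check above) consult them at all.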




【Verification】

■ Contents of /etc/hosts.allow

#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd : 192.168.1.21


■ Contents of /etc/hosts.deny

#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
ALL : ALL


■ Connecting from 192.168.1.21 → allowed

[workuser@vm001 ~]$ ssh 192.168.154.11 -l testuser
testuser@192.168.154.11's password:
Last login: Thu Dec 26 23:22:36 2013 from 192.168.154.134
[testuser@sv1 ~]$


■ Connecting from 192.168.1.22 → denied

[workuser@vm001 ~]$ ssh 192.168.154.11 -l testuser
ssh_exchange_identification: Connection closed by remote host
[workuser@vm001 ~]$

Allowing users in the wheel group to use the "sudo" command / CentOS 6.5 (64-bit)

Immediately after installation, only the root user can use the sudo command on CentOS 6.5. This changes the configuration so that users who belong to the wheel group can also use sudo.



【Related files】

■ /etc/sudoers
・ Remove the leading "#" from the line "# %wheel ALL=(ALL) ALL". Use the visudo command to edit /etc/sudoers.

  :
  :
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel        ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d


■ /var/log/secure
・ A record is written every time the sudo command is used. It includes the name of the user who ran sudo and the command that was run through sudo.

  :
  :
Dec 24 23:10:02 sv1 sshd[1422]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Dec 24 23:10:14 sv1 sudo: testuser : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/mount
Dec 24 23:11:16 sv1 sudo: testuser : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/mount /dev/cdrom /mnt
Dec 24 23:20:18 sv1 sshd[1426]: Received disconnect from 192.168.154.134: 2: disconnected by server request
Dec 24 23:20:18 sv1 sshd[1422]: pam_unix(sshd:session): session closed for user testuser
Dec 24 23:20:29 sv1 sshd[1464]: Accepted password for examuser from 192.168.154.134 port 49175 ssh2
Dec 24 23:20:29 sv1 sshd[1464]: pam_unix(sshd:session): session opened for user examuser by (uid=0)
Dec 24 23:20:40 sv1 sudo: examuser : TTY=pts/0 ; PWD=/home/examuser ; USER=root ; COMMAND=/bin/mount /dev/cdrom /mnt
Dec 24 23:21:48 sv1 sudo: examuser : TTY=pts/0 ; PWD=/home/examuser ; USER=root ; COMMAND=/bin/umount /mnt
Dec 24 23:21:57 sv1 sudo: examuser : TTY=pts/0 ; PWD=/home/examuser ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure
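The /var/log/secure excerpts on this page (the sshd lines in the TCP Wrappers section and the sudo lines above) share one line format. Here is an added Python parser (example code, not from the page) that turns both kinds of line into records and summarises failed SSH logins per source address and sudo commands that were refused; the sample lines are constructed after the page's excerpts, with the wrapped COMMAND= lines re-joined.

```python
"""Parse /var/log/secure lines in the formats shown on the page (added example,
not from the page): sshd password results and sudo records become dicts, so
failed logins per source address and denied sudo commands can be reviewed."""
import re
from collections import Counter

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
SSHD_RE = re.compile(TS + r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
                     r"(?P<user>(?:invalid user )?\S+) from (?P<ip>\S+) port (?P<port>\d+)")
SUDO_RE = re.compile(TS + r"sudo: +(?P<user>\S+) : (?:(?P<denied>user NOT in sudoers) ; )?"
                     r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; "
                     r"COMMAND=(?P<command>.*)$")


def parse_secure(text):
    """Yield one dict per recognised line; other lines (pam_unix etc.) are skipped."""
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            yield dict(kind="sshd", **m.groupdict())
            continue
        m = SUDO_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["denied"] = ev["denied"] is not None   # True for 'user NOT in sudoers'
            yield dict(kind="sudo", **ev)


def summarize(text):
    """Return ({source ip: failed ssh logins}, [(user, command)] refused by sudo)."""
    failed, denied = Counter(), []
    for ev in parse_secure(text):
        if ev["kind"] == "sshd" and ev["result"] == "Failed":
            failed[ev["ip"]] += 1
        elif ev["kind"] == "sudo" and ev["denied"]:
            denied.append((ev["user"], ev["command"]))
    return dict(failed), denied


# Constructed sample, modelled on the page's excerpts (wrapped lines re-joined).
SAMPLE = """\
Dec 28 18:46:03 sv1 sshd[1697]: Failed password for testuser from 192.168.154.21 port 52884 ssh2
Dec 28 18:46:09 sv1 sshd[1697]: Accepted password for testuser from 192.168.154.21 port 52884 ssh2
Dec 28 18:46:10 sv1 sshd[1697]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Dec 24 23:10:14 sv1 sudo: testuser : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/mount
Dec 24 23:20:40 sv1 sudo: examuser : TTY=pts/0 ; PWD=/home/examuser ; USER=root ; COMMAND=/bin/mount /dev/cdrom /mnt
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```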




【Operation】

■ Edit /etc/sudoers. The editor works like vi.

[root@sv1 ~]# visudo




【Verification】

■ A user who belongs to the wheel group

[examuser@sv1 ~]$ sudo mount /dev/cdrom /mnt
[sudo] password for examuser:
mount: block device /dev/sr0 is write-protected, mounting read-only
[examuser@sv1 ~]$


■ A user who does not belong to the wheel group

[testuser@sv1 ~]$ sudo mount /dev/cdrom /mnt
[sudo] password for testuser:
testuser is not in the sudoers file.  This incident will be reported.
[testuser@sv1 ~]$

Restricting which users can become root with the "su -" command / CentOS 6.5 (64-bit)

Immediately after installation, every user on CentOS 6.5 can become the root user with the "su -" command. This changes the configuration so that only users who belong to the wheel group can become root with "su -".



【Related files】

■ /etc/pam.d/su
・ Remove the leading "#" from the line "#auth required pam_wheel.so use_uid".

#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so


■ /etc/login.defs
・ Append the line "SU_WHEEL_ONLY yes".

  :
  :
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512

SU_WHEEL_ONLY yes




【Operation】

■ Add the users who are allowed to run the "su -" command to the wheel group (usermod -G replaces the user's supplementary group list; use -a -G to append to it).

[root@sv1 ~]# usermod -G wheel examuser
[root@sv1 ~]#




【Verification】

■ A user who is allowed to run "su -"

[examuser@sv1 ~]$ su -
Password:
[root@sv1 ~]#


■ A user who is not allowed to run "su -"

[testuser@sv1 ~]$ su -
Password:
su: incorrect password
[testuser@sv1 ~]$

Prohibiting login as root over SSH / CentOS 6.5 (64-bit)

Immediately after installation, CentOS 6.5 is configured to allow SSH connections as the root account. This changes the configuration so that SSH connections as root are refused.



【Related files】

■ /etc/ssh/sshd_config
・ Add "PermitRootLogin no" to the file.

   :
   :
# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
   :
   :




【Operation】

■ Restart the sshd service to apply the change to /etc/ssh/sshd_config.

[root@sv1 ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@sv1 ~]#




【Verification】

■ After the change, an SSH connection attempt as root shows "Permission denied" and login fails.

[examuser@sv1 ~]$ ssh 192.168.154.11 -l root
root@192.168.154.11's password:
Permission denied, please try again.
root@192.168.154.11's password:


■ Logging in as the root account from the console is still possible.

Changing the IP address / CentOS 6.5 (64-bit)


IP address settings are recorded in the following three files. Edit each file, then restart the network service to apply the changes.



【Related files】

■ /etc/sysconfig/network-scripts/ifcfg-eth0
・ IP address, DNS server address, gateway address

DEVICE=eth0
TYPE=Ethernet
UUID=b02063ac-d40c-4cc1-affe-00031bf72f24
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
HWADDR=00:0C:29:6A:BE:EC
IPADDR=192.168.154.11
PREFIX=24
GATEWAY=192.168.154.2
DNS1=192.168.154.2
DOMAIN=exam.local
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"


■ /etc/resolv.conf
・ DNS server address

# Generated by NetworkManager
search exam.local
nameserver 192.168.154.2


■ /etc/sysconfig/network
・ Gateway address

NETWORKING=yes
HOSTNAME=sv1.exam.local
GATEWAY=192.168.154.2




【Operation】

■ Checking the IP address

[root@sv1 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:6A:BE:EC
          inet addr:192.168.154.11  Bcast:192.168.154.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe6a:beec/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:999 errors:0 dropped:0 overruns:0 frame:0
          TX packets:742 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:115690 (112.9 KiB)  TX bytes:126811 (123.8 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@sv1 ~]#


■ Restarting the network service (after changing the IP address to 192.168.154.22)

[root@sv1 ~]# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:  Determining if ip address 192.168.154.22 is already in use for device eth0...
                                                           [  OK  ]
[root@sv1 ~]#

Changing the host name / CentOS 6.5 (64-bit)

The host name is recorded in /etc/sysconfig/network. Edit the value of "HOSTNAME=" in this file and reboot the host to change the host name.

【Contents before the change】

NETWORKING=yes
HOSTNAME=centos.exam.local
GATEWAY=192.168.154.2


【Contents after the change】

NETWORKING=yes
HOSTNAME=sv1.exam.local
GATEWAY=192.168.154.2


【Screen before the change】


【Screen after the change (after reboot)】

iptables : filter table / CentOS 6.5 (64-bit)

【 iptables 】

iptables is used to filter the packets that arrive at or leave the server, and when routing between networks. A set of packet-handling rules is called a "table": packet filtering is done in the "filter table" and routing in the "nat table". Each table is further divided into rule lists called "chains". The filter table consists of three chains: the "INPUT chain", the "OUTPUT chain" and the "FORWARD chain".




【Operation】

Checking the contents of the configuration file

[root@centos ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@centos ~]#


Checking the active rules

[root@centos ~]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   80  9795 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    1    52 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    3   234 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 69 packets, 11987 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@centos ~]#


Starting the service

[root@centos ~]# service iptables start
iptables: Applying firewall rules:                         [  OK  ]
[root@centos ~]#


Stopping the service

[root@centos ~]# service iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[root@centos ~]#


Restarting the service

[root@centos ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
[root@centos ~]#


Enabling automatic start

[root@centos ~]# chkconfig iptables on
[root@centos ~]#


Disabling automatic start

[root@centos ~]# chkconfig iptables off
[root@centos ~]#


Checking the start-up state per run level (automatic start ON)

[root@centos ~]# chkconfig --list iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@centos ~]#


Checking the start-up state per run level (automatic start OFF)

[root@centos ~]# chkconfig --list iptables
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@centos ~]#




【Writing chain rules】

A rule in a filter-table chain is written in this form:
-A chain matching-rule -j target


First, viewed from this server, decide which chain the rule is to be added (Add) to.

 ■ Arriving at this server   → INPUT   → -A INPUT
 ■ Leaving this server       → OUTPUT  → -A OUTPUT
 ■ Passing through this server → FORWARD → -A FORWARD


Next, specify the matching rule. A matching rule names the source and destination of the packets to filter, the protocol, and the port number (destination port / source port).

 ■ Source      → -s IP address / all sources if omitted
 ■ Destination → -d IP address / all destinations if omitted
 ■ Protocol    → tcp | udp | icmp → -p tcp | -p udp | -p icmp
 ■ Port number this server accepts on          → --dport port number
 ■ Port number used when sending to another server → --sport port number


Finally, specify what is done with the packet that was received or sent.

 ■ Allow   → ACCEPT → -j ACCEPT
 ■ Discard → DROP   → -j DROP
 ■ Discard → REJECT → -j REJECT / an ICMP error message is sent back to the source
 ■ Log     → LOG    → -j LOG


An example that adds a rule to the INPUT chain allowing SSH connections (TCP / port 22) to this server from the source 192.168.1.1:

 -A INPUT -s 192.168.1.1 -p tcp --dport 22 -j ACCEPT


Putting it all together gives the following.




【Reading the iptables file】

This is the content of /etc/sysconfig/iptables immediately after installing CentOS 6.5.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


Lines beginning with # are comments.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.


This declares the filter table. Everything from this line up to "COMMIT" is the content of the filter table.

*filter


These lines set the default handling of packets in each chain. In the example below everything is allowed (ACCEPT). Since no OUTPUT chain rules (-A OUTPUT) follow, outgoing packets are not checked at all.

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]


"-m state --state ESTABLISHED,RELATED" means packets that belong to a connection that is already communicating. The line below therefore means "allow packets of connections that are already established".

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


ICMP traffic is allowed regardless of port number.

-A INPUT -p icmp -j ACCEPT


"-i" specifies the interface. "lo" is the loopback interface. This line therefore allows traffic arriving through the loopback interface (that is, from the host itself).

-A INPUT -i lo -j ACCEPT


"-m state --state NEW" means a new connection. "-m tcp" is specified when checking flags such as SYN inside the TCP packet (for example, SYN flag set → -m tcp --tcp-flags SYN). It can be omitted when no TCP flag check is performed.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT


Connection-request packets are discarded and "icmp-host-prohibited" (unreachable) is returned to the source.

-A INPUT -j REJECT --reject-with icmp-host-prohibited


Forwarding-request packets are discarded and "icmp-host-prohibited" (unreachable) is returned to the source.

-A FORWARD -j REJECT --reject-with icmp-host-prohibited


This marks the end of the filter table and applies the settings above it.

COMMIT




【Order of evaluation】

The rules written in the iptables file can be divided into base rules and priority rules. The following part is the base rules.

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]


This part is the priority rules.

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited


Priority rules take precedence over the base rules. So even when the base rule says "discard", if a priority rule says "allow", the priority rule's "allow" wins. Priority rules are evaluated in order from the top; once a matching condition is found, the conditions after it are not checked. The evaluation order of the post-install /etc/sysconfig/iptables file shown above is drawn as a flow in the figure below.


The following content gives almost the same result. The difference is that, when a connection is not allowed, "icmp-host-prohibited" (unreachable) is not returned to the source.
■ Base rules: the INPUT and FORWARD chains "discard", the OUTPUT chain "allows"
■ Priority rules: define what the INPUT chain "allows"

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
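As an added example (not from the page), here is a Python simulator of the first-match evaluation described above, covering both the "-A chain matching-rule -j target" form explained earlier and the base-rule/priority-rule comparison just made: it parses the two tables, applies the priority rules top to bottom and falls back to the chain policy, so one can check that both configurations give the same verdict for sample packets except that a refused connection ends as REJECT in one and DROP in the other. Only the options used on the page (-s, -d, -p, -i, --dport, -m state --state, -j, --reject-with) are understood, and packets are constructed dicts.

```python
"""Simulate first-match evaluation of the page's iptables filter table (added
example, not from the page): ':CHAIN POLICY' is the base rule, '-A' lines are
the priority rules checked top to bottom; the first match decides.  -m and
--reject-with are ignored: they never change which packets a rule matches here."""
import shlex

FIELDS = {"-s": "src", "-d": "dst", "-p": "proto", "-i": "iface", "--dport": "dport"}

def parse_filter(text):
    """Return ({chain: policy}, {chain: [(options, target), ...]})."""
    policies, rules = {}, {}
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0].startswith(":"):           # ":INPUT ACCEPT [0:0]"
            policies[tok[0][1:]] = tok[1]
            rules.setdefault(tok[0][1:], [])
        elif tok[:1] == ["-A"]:                      # every option on the page takes
            opts = dict(zip(tok[2::2], tok[3::2]))   # one value: no '!', no --tcp-flags
            target = opts.pop("-j")
            rules.setdefault(tok[1], []).append((opts, target))
    return policies, rules

def matches(opts, pkt):
    """All criteria of a rule must hold; an omitted criterion matches anything."""
    for opt, want in opts.items():
        if opt == "--state" and pkt["state"] not in want.split(","):
            return False
        if opt in FIELDS and str(pkt[FIELDS[opt]]) != want:
            return False
    return True

def verdict(table, chain, pkt):
    """First matching rule wins; with no match the chain policy is the verdict."""
    policies, rules = parse_filter(table)
    for opts, target in rules[chain]:
        if matches(opts, pkt):
            return target
    return policies[chain]

def pkt(proto, dport, state, iface="eth0", src="192.168.1.1"):
    """Constructed packet arriving at the server (dst 192.168.154.11 from the page)."""
    return dict(src=src, dst="192.168.154.11", proto=proto, dport=dport,
                iface=iface, state=state)

# The two tables from the page; *filter / COMMIT lines omitted (they hold no rules).
DEFAULT_TABLE = """:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited"""
DROP_POLICY_TABLE = """:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT"""
```

Calling verdict(DEFAULT_TABLE, "INPUT", pkt("tcp", 80, "NEW")) gives REJECT while the same packet under DROP_POLICY_TABLE gives DROP; every other sample packet gets the same verdict under both tables.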