Gambar 4.36 Startup FileZilla Server interface

(1)

Gambar 4.36 Startup FileZilla Server interface

(2)

f. Konfigurasi FTP Server dan Windows file Sharing

1. Konfigurasi FTP Server

• Proses Login ke FTP Server

Gambar 4.38 Tampilan Login

• Membuat FTP User

(3)

• Mengaktifkan dan Mengganti Password FTP User

Gambar 4.40 FTP User Setting

• Mengatur FTP User Sharing Directory

(4)

• Mengatur FTP User Sharing Directory Permission

Gambar 4.42 FTP User Sharing Directory Permission

2. Konfigurasi Windows File Sharing

• Membuat User untuk Windows File Sharing

(5)

Gambar 4.44 Menentukan Username dan Password

• Mengatur Directory Permission

(6)

Gambar 4.46 Menambahkan User Permission

(7)

• Mengatur Windows File Sharing Directory

Gambar 4.48 Folder Sharing

• Mengatur Sharing Directory Permission

(8)

Gambar 4.50 User Sharing Directory Permission

4.3.8. Monitoring Sistem Hypervisor

Pada bagian ini akan dibahas proses instalasi dan konfigurasi

sistem monitoring.

a. Instalasi dan Konfigurasi Munin pada Host Server

Instalasi dengan menggunakan file rpm (Red Hat Package Manager)

[root@cybersama munin]# rpm -Uivh *.rpm

Preparing... ########################################### [100%] 1:dejavu-lgc-serif-fonts ########################################### [ 3%] 2:dejavu-lgc-sans-mono-fo########################################### [ 7%] 3:dejavu-lgc-sans-fonts ########################################### [ 10%] 4:sysstat ########################################### [ 13%] 5:dejavu-fonts-lgc-compat########################################### [ 17%] 6:rrdtool ########################################### [ 20%] 7:perl-version ########################################### [ 23%] 8:perl-Module-Pluggable ########################################### [ 27%] 9:perl-libs ########################################### [ 30%] 10:perl ########################################### [ 33%] 11:perl-Compress-Raw-Zlib ########################################### [ 37%] 12:perl-Digest-SHA1 ########################################### [ 40%] 13:perl-Crypt-DES ########################################### [ 43%] 14:rrdtool-perl ########################################### [ 47%]

(9)

15:perl-IO-Compress-Base ########################################### [ 50%] 16:perl-Pod-Escapes ########################################### [ 53%] 17:perl-Pod-Simple ########################################### [ 57%] 18:perl-IO-Compress-Zlib ########################################### [ 60%] 19:perl-Compress-Zlib ########################################### [ 63%] 20:perl-Digest-HMAC ########################################### [ 67%] 21:perl-Net-SNMP ########################################### [ 70%] 22:perl-HTML-Tagset ########################################### [ 73%] 23:perl-HTML-Parser ########################################### [ 77%] 24:perl-HTML-Template ########################################### [ 80%] 25:perl-IO-Multiplex ########################################### [ 83%] 26:perl-Net-Server ########################################### [ 87%] 27:perl-URI ########################################### [ 90%] 28:perl-libwww-perl ########################################### [ 93%] 29:munin ########################################### [ 97%] 30:munin-node ########################################### [100%]

b. Instalasi Httpd pada Host Server

[root@cybersama httpd]# rpm -Uivh httpd-2.2.13-1.fc11.i586.rpm httpd-tools-2.2.13-1.fc11.i586.rpm

Preparing... ########################################### [100%] 1:httpd-tools ########################################### [ 50%] 2:httpd ########################################### [100%]

c. Konfigurasi Httpd

File konfigurasi httpd berada di /etc/httpd/conf/httpd.conf

... Listen 8080 ... DocumentRoot "/var/www/html/munin" ... <Directory "/var/www/html/munin"> Options Indexes FollowSymLinks AllowOverride AuthConfig Order allow,deny Allow from all </Directory> ...

1. Membuat Password dengan Htpasswd

[root@cybersama ~]# htpasswd -c /var/www/html/munin/passwd admin New password:

Re-type new password: Adding password for user admin

(10)

2. Mengatur Login dengan Menggunakan Htaccess

[root@cybersama ~]# cat /var/www/html/munin/.htaccess AuthType Basic

AuthName "Restricted Access"

AuthUserFile /var/www/html/munin/passwd Require user admin

d. Menjalankan Service Httpd dan Munin

1. Menjalankan Service Munin

[root@cybersama ~]# /etc/rc.d/init.d/munin-node start

Starting Munin Node: [ OK ]

Untuk menjalan service munin pada runlevel 3, 4, dan 5

[root@cybersama ~]# chkconfig --level 345 munin-node on [root@cybersama ~]# chkconfig | grep munin-node

munin-node 0:off 1:off 2:off 3:on 4:on 5:on 6:off

2. Menjalankan Service Httpd

[root@virtual_http_server ~]# /etc/rc.d/init.d/httpd start

Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName

[ OK ]

Untuk menjalan service httpd pada runlevel 3, 4, dan 5

[root@cybersama ~]# chkconfig --level 345 httpd on [root@cybersama ~]# chkconfig | grep httpd

httpd 0:off 1:off 2:off 3:on 4:on 5:on 6:off

e. Monitoring Server Virtual dengan Virt-top

1. Untuk Melihat Status Virtual Server secara Umum

[root@cybersama ~]# virt-top

virt-top 15:42:15 - i686 2/2CPU 2200MHz 2013MB

3 domains, 3 active, 3 running, 0 sleeping, 0 paused, 0 inactive D:0 O:0 X:0 CPU: 2.3% Mem: 1536 MB (1536 MB by guests)

ID S RDRQ WRRQ RXBY TXBY %CPU %MEM TIME NAME 2 R 0 3 104 0 1.3 25.0 0:35.80 virtual_nas_server

(11)

3 R 0 4 104 0 0.5 25.0 0:56.63 virtual_http_server 1 R 0 0 104 0 0.5 25.0 2:28.25 virtual_mail_server

2. Untuk Melihat Status Processor

[root@cybersama ~]# virt-top -1

PHYCPU %CPU virtual_mail_server virtual_http_server virtual_nas_server 0 2.3 1.3=# 0.5= 0.5=

1 2.3 1.3= 0.5=# 0.5=#

3. Untuk Melihat Status Virtual Hard Disk

ID S RDBY WRBY RDRQ WRRQ DOMAIN DEVICE 1 R 3M 0 340 0 virtual_mail hdc 3 R 3M 0 292 0 virtual_http hdc 2 R 216K 0 108 0 virtual_nas_ hdc 2 R 13K 403K 13 60 virtual_nas_ hda 3 R 0 3M 0 13 virtual_http hda 1 R 0 12K 0 2 virtual_mail hda

4. Untuk Melihat Status Virtual Network

ID S RXBY TXBY RXPK TXPK DOMAIN INTERFACE 1 R 646 490 8 5 virtual_mail vnet0

3 R 646 490 8 5 virtual_http vnet2 2 R 526 370 8 5 virtual_nas_ vnet1

4.3.9. Instalasi dan Konfigurasi OpenVPN

Pada bagian ini akan dibahas proses instalasi dan konfigurasi

OpenVPN.

(12)

a. Instalasi dengan menggunakan file rpm (Red Hat Package Manager)

[root@cybersama openvpn]# rpm -Uivh NetworkManager-openvpn-0.7.0.99-1.fc11.i586.rpm openvpn-2.1-0.32.rc15.fc11.i586.rpm

Preparing... ########################################### [100%] 1:openvpn ########################################### [ 50%] 2:NetworkManager-openvpn ########################################### [100%]

b. Konfigurasi OpenVPN Server

1. Pindah ke directory /etc/openvpn/

[root@cybersama ~]# cd /etc/openvpn/ [root@cybersama openvpn]# pwd /etc/openvpn

2. Copy File easy-rsa ke dalam directory /etc/openvpn/

[root@cybersama openvpn]# cp /usr/share/openvpn/easy-rsa/2.0/* .

3. Edit File konfigurasi vars

[root@cybersama openvpn]# cat vars ... ... export KEY_SIZE=1024 export CA_EXPIRE=3650 export KEY_EXPIRE=3650 export KEY_COUNTRY="IN" export KEY_PROVINCE="JK" export KEY_CITY="JakartaBarat" export KEY_ORG="Cybersama" export KEY_EMAIL="[email protected]"

4. Membuat CA (Certificate Authority)

[root@cybersama openvpn]# source ./vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys [root@cybersama openvpn]# ./clean-all

[root@cybersama openvpn]# ./build-ca Generating a 1024 bit RSA private key

...++++++ ...++++++

writing new private key to 'ca.key' ---

You are about to be asked to enter information that will be incorporated into your certificate request.

(13)

What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank

For some fields there will be a default value, If you enter '.', the field will be left blank. ---

Country Name (2 letter code) [IN]: State or Province Name (full name) [JK]: Locality Name (eg, city) [JakartaBarat]: Organization Name (eg, company) [Cybersama]: Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) [Cybersama CA]: Name []:

Email Address [[email protected]]:

5. Membuat key untuk server

[root@cybersama openvpn]# ./build-key-server server Generating a 1024 bit RSA private key

...++++++ ...++++++

writing new private key to 'server.key' ---

For some fields there will be a default value, If you enter '.', the field will be left blank. ---

Common Name (eg, your name or your server's hostname) [server]: Name []:

Email Address [[email protected]]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:

An optional company name []:

Using configuration from /etc/openvpn/openssl.cnf Check that the request matches the signature Signature ok

The Subject's Distinguished Name is as follows countryName :PRINTABLE:'IN' stateOrProvinceName :PRINTABLE:'JK' localityName :PRINTABLE:'JakartaBarat' organizationName :PRINTABLE:'Cybersama' commonName :PRINTABLE:'server' emailAddress :IA5STRING:'[email protected]'

(14)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries

Data Base Updated

6. Membuat Diffie Hellman Parameter

[root@cybersama openvpn]# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time

...+...++*++*++*

7. Membuat File Konfigurasi untuk Menjalankan OpenVPN Server

[root@cybersama openvpn]# cat server.conf port 1194

proto udp dev tun ca keys/ca.crt cert keys/server.crt

key keys/server.key # This file should be kept secret dh keys/dh1024.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt keepalive 10 120 comp-lzo persist-key persist-tun status openvpn-status.log verb 3

c. Konfigurasi OpenVPN Client

1. Membuat Key untuk Client

[root@cybersama openvpn]# ./build-key client1 Generating a 1024 bit RSA private key

...++++++ ...++++++

writing new private key to 'client1.key' ---

For some fields there will be a default value, If you enter '.', the field will be left blank.

(15)

---

Common Name (eg, your name or your server's hostname) [client1]: Name []:

Email Address [[email protected]]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:

An optional company name []:

Using configuration from /etc/openvpn/openssl.cnf Check that the request matches the signature Signature ok

The Subject's Distinguished Name is as follows countryName :PRINTABLE:'IN' stateOrProvinceName :PRINTABLE:'JK' localityName :PRINTABLE:'JakartaBarat' organizationName :PRINTABLE:'Cybersama' commonName :PRINTABLE:'client1' emailAddress :IA5STRING:'[email protected]'

Certificate is to be certified until Nov 27 09:19:20 2019 GMT (3650 days) Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries

Data Base Updated

2. Membuat File Konfigurasi untuk Menjalankan OpenVPN Client

[root@cybersama client1]# cat client.conf client dev tun proto udp remote 192.168.0.44 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert client1.crt key client1.key ns-cert-type server comp-lzo verb 3

(16)

d. Menjalankan OpenVPN

[root@cybersama client1]# /etc/rc.d/init.d/openvpn start

Starting openvpn: [ OK ]

Untuk menjalankan service OpenVPN pada runlevel 3, 4, dan 5

[root@cybersama client1]# chkconfig --level 345 openvpn on [root@cybersama client1]# chkconfig | grep openvpn

openvpn 0:off 1:off 2:off 3:on 4:on 5:on 6:off

4.3.10. Management Bandwidth untuk Server

Pada bagian ini akan dibahas proses konfigurasi bandwidth untuk

server dengan menggunakan program tc (traffic control)

[root@cybersama ~]# tc qdisc add dev eth1 root handle 1:0 htb default 30

[root@cybersama ~]# tc class add dev eth1 parent 1:0 classid 1:1 htb rate 1mbps ceil 50mbps

[root@cybersama ~]# tc class add dev eth1 parent 1:0 classid 1:2 htb rate 1mbps ceil 50mbps

[root@cybersama ~]# tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip src 192.168.0.0/24 flowid 1:2

[root@cybersama ~]# tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip dst 192.168.0.0/24 flowid 1:1

Supaya konfigurasi program tc dapat berjalan pada waktu komputer

startup, maka konfigurasi tc dimasukkan dalam file /etc/rc.local

4.3.11. Instalasi dan Konfigurasi Firewall dengan Menggunakan Iptables

Pada bagian ini akan dibahas proses konfigurasi firewall dengan

menggunakan program iptables.

a. Mengatur IP Forwarding

(17)

Supaya IP Forwarding dapat aktif pada waktu komputer startup

[root@cybersama ~]# echo "echo 1 > /proc/sys/net/ipv4/ip_forward" >> /etc/rc.local

b. Mengatur Konfigurasi Iptables

[root@cybersama ~]# cat /etc/sysconfig/iptables-config IPTABLES_MODULES="ip_nat_ftp" IPTABLES_MODULES_UNLOAD="yes" IPTABLES_SAVE_ON_STOP="no" IPTABLES_SAVE_ON_RESTART="no" IPTABLES_SAVE_COUNTER="no" IPTABLES_STATUS_NUMERIC="yes" IPTABLES_STATUS_VERBOSE="no" IPTABLES_STATUS_LINENUMBERS="yes"

c. Firewall Rules

Memberi akses untuk loopback device

[root@cybersama ~]# iptables -I INPUT -i lo -j ACCEPT

Mengatur default policy

[root@cybersama ~]# iptables -P INPUT DROP [root@cybersama ~]# iptables -P FORWARD DROP [root@cybersama ~]# iptables –P OUTPUT ACCEPT

Mengatur akses forward dari network 192.168.122.0/24

[root@cybersama ~]# iptables -A FORWARD -s 192.168.122.0/24 -j ACCEPT

Mengatur akses untuk protokol HTTP untuk sistem hypervisor

[root@cybersama ~]# iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.122.2:80

[root@cybersama ~]# iptables -I FORWARD -d 192.168.122.2 -p tcp --dport 80 -j ACCEPT

Mengatur akses untuk protokol HTTPS untuk sistem hypervisor

[root@cybersama ~]# iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.122.2:443

[root@cybersama ~]# iptables -I FORWARD -d 192.168.122.2 -p tcp --dport 443 -j ACCEPT

(18)

Mengatur akses untuk protokol IMAP untuk sistem hypervisor

[root@cybersama ~]# iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 143 -j DNAT --to-destination 192.168.122.3:143

[root@cybersama ~]# iptables -t nat -I PREROUTING -i tun0 -p tcp --dport 143 -j DNAT --to-destination 192.168.122.3:143

[root@cybersama ~]# iptables -I FORWARD -i eth0 -d 192.168.122.3 -p tcp --dport 143 -j ACCEPT

[root@cybersama ~]# iptables -I FORWARD -i tun0 -d 192.168.122.3 -p tcp --dport 143 -j ACCEPT

Mengatur akses untuk protokol POP3 untuk sistem hypervisor

[root@cybersama ~]# iptables -I FORWARD -i eth0 -d 192.168.122.3 -p tcp --dport 110 -j ACCEPT

[root@cybersama ~]# iptables -I FORWARD -i tun0 -d 192.168.122.3 -p tcp --dport 110 -j ACCEPT

Mengatur akses untuk protokol SMTP untuk sistem hypervisor

[root@cybersama ~]# iptables I FORWARD i eth0 d 192.168.122.3 p tcp dport 25 -j ACCEPT

[root@cybersama ~]# iptables I FORWARD i tun0 d 192.168.122.3 p tcp dport 25 -j ACCEPT

Mengatur akses untuk protokol FTP untuk sistem hypervisor

[root@cybersama ~]# iptables -I FORWARD -i tun0 -d 192.168.122.4 -p tcp --dport 1024: -j ACCEPT

(19)

Mengatur akses untuk protokol SMB untuk sistem hypervisor

[root@cybersama ~]# iptables -A PREROUTING -t nat -p tcp --dport 445 -i tun0 -j DNAT --to-destination 192.168.122.4:445

[root@cybersama ~]# iptables -A PREROUTING -t nat -p tcp --dport 445 -i eth1 -j DNAT --to-destination 192.168.122.4:445

[root@cybersama ~]# iptables -A FORWARD -d 192.168.122.4 -p tcp --dport 445 -j ACCEPT

Memberi akses untuk OpenVPN pada protokol udp port 1194

[root@cybersama ~]# iptables -A INPUT -p udp --dport 1194 -j ACCEPT

Memberi akses untuk tunnel device

[root@cybersama ~]# iptables -A INPUT -i tun0 -j ACCEPT

d. Menyimpan konfigurasi firewall

[root@cybersama ~]# /etc/rc.d/init.d/iptables save

iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

4.4. Tampilan Layar Output Sistem

Pada bagian ini akan ditampilkan hasil output dari sistem yang telah

diimplementasikan di PT. Cybersama Technology.

4.4.1. Tampilan OpenVPN Client

(20)

4.4.2. Tampilan Remote SSH dengan Aplikasi Putty

Gambar 4.52 Login di Putty dengan Menggunakan SSH

(21)

4.4.3. Tampilan Aplikasi Munin pada Web Browser

Gambar 4.54 Login Munin

(22)

4.4.4. Tampilan Web Server pada Web Browser

Gambar 4.56 Tampilan Web Server melalui HTTP

(23)

4.4.5. Tampilan Mail Server di Client

Gambar 4.58 Tampilan Login Mail Server

(24)

4.4.6. Tampilan NAS Server di Client

Gambar 4.60 Login untuk Windows Sharing

(25)

Gambar 4.62 Tampilan File Sharing dengan menggunakan FTP

4.5. Evaluasi Sistem

Pada bagian ini akan dibahas masalah evaluasi sistem yang telah

diimplementasi di PT. Cybersama Technology.

4.5.1. Evaluasi Sistem dari Aspek Network Security

Pada bagian ini akan dibahas masalah evaluasi sistem dari aspek

network security dengan menganalisa setiap paket data yang keluar

masuk dari komputer client ke komputer server dengan menggunakan

program wireshark

dan menganalisa sistem firewall

dengan

menggunakan program nmap.

a. Sistem Firewall

C:\Documents and Settings\Administrator>nmap -sV -v -O 192.168.0.44

Starting Nmap 5.21 ( http://nmap.org ) at 2010-02-14 15:02 Pacific Standard Time NSE: Loaded 4 scripts for scanning.

(26)

Initiating ARP Ping Scan at 15:02 Scanning 192.168.0.44 [1 port]

Completed ARP Ping Scan at 15:02, 4.80s elapsed (1 total hosts)

mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers

Initiating SYN Stealth Scan at 15:02 Scanning 192.168.0.44 [1000 ports]

Discovered open port 80/tcp on 192.168.0.44

Completed SYN Stealth Scan at 15:02, 6.05s elapsed (1000 total ports) Initiating Service scan at 15:02

Scanning 1 service on 192.168.0.44

Completed Service scan at 15:03, 6.24s elapsed (1 service on 1 host) Initiating OS detection (try #1) against 192.168.0.44

Retrying OS detection (try #2) against 192.168.0.44 NSE: Script scanning 192.168.0.44.

NSE: Script Scanning completed. Nmap scan report for 192.168.0.44 Host is up (0.0020s latency). Not shown: 999 filtered ports PORT STATE SERVICE VERSION

80/tcp open http Apache httpd 2.2.14 ((Fedora)) MAC Address: 06:C0:1A:74:22:F2 (Unknown)

Warning: OSScan results may be unreliable because we could not find at least 1 o pen and 1 closed port

Device type: general purpose|WAP|webcam|printer|broadband router

Running (JUST GUESSING) : Linux 2.6.X|2.4.X (94%), Asus embedded (90%), AXIS emb edded (85%), AXIS Linux 2.6.X (85%), HP embedded (85%), Sphairon embedded (85%) Aggressive OS guesses: Linux 2.6.9 - 2.6.24 (94%), Linux 2.6.24 - 2.6.31 (92%), Asus WL-500gP wireless broadband router (90%), Linux 2.6.15 (Ubuntu 6.06) (88%), Linux 2.6.9 - 2.6.28 (86%), Linux 2.6.9-22.0.1.EL (CentOS 4.4) (86%), Linux 2.6 .9-022stab078.19-enterprise (CentOS 4.2 x86) (85%), Linux 2.6.22 (Fedora Core 6) (85%), AXIS 207W Network Camera (85%), AXIS 207 Network Camera (Linux 2.6.16) o r 241Q Video Server (85%)

No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=203 (Good luck!) IP ID Sequence Generation: All zeros

Read data files from: C:\Program Files\Nmap

OS and Service detection performed. Please report any incorrect results at http: //nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 65.17 seconds Raw packets sent: 2077 (96.330KB) | Rcvd: 24 (1307B)