Author: 冷风

Berkeley Internet Name Domain (BIND) is the well-known name-server software. It has a very broad installed base: the great majority of DNS servers on the Internet are built on it. BIND is currently maintained by ISC (Internet Software Consortium), with the actual development done by Nominum (www.nominum.com).

On 4 June 2002 CERT published an advisory about a security vulnerability in ISC BIND 9. Because so much of what runs on the network depends on DNS working correctly, the impact of this vulnerability could be very wide. The affected versions are those before 9.2.1; the 8.x and 4.x branches are not affected. An attacker can send specially crafted packets that cause the BIND 9 DNS service to stop working. The attacker cannot, however, use this vulnerability to run code or write data on the DNS server. ISC has released BIND 9.2.1 to fix the vulnerability, and all systems running BIND 9 are advised to upgrade as soon as possible.

BIND 9.2.1 download: http://www.isc.org/products/BIND/bind9.html

Follow the steps below to install the upgrade; the program will be installed under /usr/local/bind921.

Back up and remove the old bind:

# cp /etc/named.conf /etc/named.conf.bak
# cp -R /var/named /var/named.bak
# rpm -e bind bind-devel bind-utils caching-nameserver

Build and install the new bind921:

# tar zxvf bind-9.2.1.tar.gz
# cd bind-9.2.1
# ./configure --with-libtool --enable-threads --prefix=/usr/local/bind921
# make
# make install

Restore the data:

# mkdir /usr/local/bind921/etc
# cp /etc/named.conf.bak /usr/local/bind921/etc/named.conf
# mkdir -p /usr/local/bind921/var/named/run
# useradd -u 25 -d /usr/local/bind921/var/named -s /bin/false named
# cp -r /var/named.bak/* /usr/local/bind921/var/named
# chown -R named /usr/local/bind921/var

Edit the configuration file:

Edit /usr/local/bind921/etc/named.conf so that it works in the newly installed tree. Change:

options {
        directory "/var/named";

to:

options {
        directory "/usr/local/bind921/var/named";

Comment out the original rndc.key line. (You will still need it if you later want to control bind with rndc; I won't go into that here.) Change:

include "/etc/rndc.key";

to:

//include "/etc/rndc.key";

Create the startup script:

I based mine on the script that ships in Red Hat's rpm package; use it as a reference and adapt it to your own situation.

#!/bin/bash
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: - 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
#              that is used to resolve host names to IP addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

export PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/bind921/bin:/usr/local/bind921/sbin"

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

#[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named

# Nothing to do if the new binary or its configuration is missing.
[ -f /usr/local/bind921/sbin/named ] || exit 0
[ -f /usr/local/bind921/etc/named.conf ] || exit 0

RETVAL=0
prog="/usr/local/bind921/sbin/named"

start() {
        # Start daemons.
        if [ -n "`/sbin/pidof named`" ]; then
                echo -n $"$prog: already running"
                return 1
        fi
        echo -n $"Starting $prog: "
        if [ -n "${ROOTDIR}" -a "x${ROOTDIR}" != "x/" ]; then
                OPTIONS="${OPTIONS} -t ${ROOTDIR}"
        fi
        # Since named doesn't return proper exit codes at the moment
        # (won't be fixed before 9.2), we can't use daemon here - emulate
        # its functionality
        base=$prog
        named -u named ${OPTIONS}
        RETVAL=$?
        usleep 100000
        if [ -z "`/sbin/pidof named`" ]; then
                # The child processes have died after fork()ing, e.g.
                # because of a broken config file
                RETVAL=1
        fi
        [ $RETVAL -ne 0 ] && failure $"$base startup"
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named && success $"$base startup"
        echo
        return $RETVAL
}

stop() {
        # Stop daemons.
        echo -n $"Stopping $prog: "
        killproc named
        RETVAL=$?
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
        echo
        return $RETVAL
}

rhstatus() {
        /usr/local/bind921/sbin/rndc status
        return $?
}

restart() {
        stop
        start
}

reload() {
        # Ask rndc to reload; fall back to SIGHUP if rndc is not usable.
        /usr/local/bind921/sbin/rndc reload >/dev/null 2>&1 || /usr/bin/killall -HUP named
        return $?
}

probe() {
        # named knows how to reload intelligently; we don't want Linuxconf
        # to offer to restart every time
        /usr/local/bind921/sbin/rndc reload >/dev/null 2>&1 || echo start
        return $?
}

# See how we were called.
case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        status)
                rhstatus
                ;;
        restart)
                restart
                ;;
        condrestart)
                [ -f /var/lock/subsys/named ] && restart
                ;;
        reload)
                reload
                ;;
        probe)
                probe
                ;;
        *)
                echo $"Usage: $0 {start|stop|status|restart|condrestart|reload|probe}"
                exit 1
esac

exit $?

Copy the script above into /etc/init.d/, rename it to named, and set its permissions to 600:

# chmod 600 /etc/init.d/named

Add /usr/local/bind921/bin and /usr/local/bind921/sbin to /etc/profile:

if [ `id -u` = 0 ]; then
        pathmunge /sbin
        pathmunge /usr/sbin
        pathmunge /usr/local/sbin
        pathmunge /usr/local/mysql/bin
        pathmunge /usr/local/bind921/bin
        pathmunge /usr/local/bind921/sbin
fi

Test:

# chkconfig --add named
# chkconfig --level 345 named on
# /etc/init.d/named start

Remember to run these. If named fails to start, check the log in /var/log/messages and troubleshoot from there; you can also ask for help on this site's forum.
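The following POSIX sh helpers are an added example, not code from 冷风's article or from ISC. They turn the upgrade procedure above into checks a practitioner can script: bind_affected classifies a version string against the advisory's stated boundaries (9.x before 9.2.1 affected, 8.x and 4.x not), fix_named_conf applies the two named.conf edits described above, and init_script_runnable verifies that an installed init script carries execute permission. The function names are my own; the only assumptions are that `named -v` prints a line of the form "BIND 9.2.0" and that the configuration lines look like the ones shown in the article.

```shell
#!/bin/sh
# Added example (not from the original article). Assumptions: `named -v`
# prints "BIND x.y.z", and named.conf contains the lines shown in the article.

# bind_affected VERSION
#   Accepts "9.2.0" or the full "BIND 9.2.0" line and prints one of
#   affected / not-affected / unknown. Boundaries are the article's:
#   9.x before 9.2.1 is affected, 8.x and 4.x are not. Anything that is
#   not a plain x, x.y or x.y.z (for example a pre-release suffix) or a
#   major version the advisory does not cover is reported as "unknown".
bind_affected() {
    v=${1#"BIND "}
    case $v in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    major=${v%%.*}
    minor=0
    patch=0
    case $v in
        *.*.*) rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*} ;;
        *.*)   minor=${v#*.} ;;
    esac
    minor=${minor:-0}
    patch=${patch:-0}
    case $major in
        9)
            if [ "$minor" -lt 2 ] || { [ "$minor" -eq 2 ] && [ "$patch" -lt 1 ]; }; then
                echo affected
            else
                echo not-affected
            fi ;;
        8|4) echo not-affected ;;
        *)   echo unknown ;;
    esac
}

# fix_named_conf FILE DIR
#   Keeps a copy as FILE.bak, then rewrites FILE so that the options
#   "directory" line points at DIR (whatever it pointed at before) and the
#   include of /etc/rndc.key is commented out, exactly as the article does.
fix_named_conf() {
    conf=$1
    newdir=$2
    cp "$conf" "$conf.bak" || return 1
    sed -e "s|^\([[:space:]]*\)directory[[:space:]]*\"[^\"]*\";|\1directory \"$newdir\";|" \
        -e 's|^\([[:space:]]*\)include[[:space:]]*"/etc/rndc.key";|\1//include "/etc/rndc.key";|' \
        "$conf.bak" > "$conf"
}

# init_script_runnable FILE
#   Succeeds only if FILE exists and is executable. /etc/rc.d/rc invokes
#   init scripts directly ("$i start"), so a script without execute
#   permission is registered by chkconfig but never started at boot.
init_script_runnable() {
    [ -f "$1" ] && [ -x "$1" ]
}

# Usage on the upgraded host (paths as in the article, run as root):
#   bind_affected "$(/usr/local/bind921/sbin/named -v)"
#   fix_named_conf /usr/local/bind921/etc/named.conf /usr/local/bind921/var/named
#   init_script_runnable /etc/init.d/named || echo "init script is not executable"
```

Feed bind_affected the output of the binary you intend to run (the one under /usr/local/bind921/sbin, not whatever an old PATH finds first), so the check confirms the upgrade that is actually in service.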
(Source: http://www.sheup.com)