Securing SWAT

By default, SWAT is configured to be accessed over an unencrypted web link, so for security reasons we can secure it with OpenSSL (HTTPS) by placing stunnel in front of it.

The steps are:

  • Create the stunnel user
    # useradd stunnel

  • Create the certificate
    # cd /usr/share/ssl/certs
    # make stunnel.pem
    # chmod 640 stunnel.pem
    # chgrp stunnel stunnel.pem

  • Create /etc/stunnel/stunnel.conf
    As an example, we can use an /etc/stunnel/stunnel.conf like this:

    # Configure stunnel to run as user “stunnel” placing temporary
    # files in the /home/stunnel/ directory
    chroot = /home/stunnel/
    pid = /stunnel.pid
    setuid = stunnel
    setgid = stunnel

    # Log all stunnel messages to /var/log/messages
    debug = 7
    output = /var/log/messages

    # Define where the SSL certificates can be found.
    client = no
    cert = /usr/share/ssl/certs/stunnel.pem
    key = /usr/share/ssl/certs/stunnel.pem

    # Accept SSL connections on port 901 and funnel it to
    # port 902 for swat.
    [swat]
    accept = 901
    connect = 902

  • Create a new Secure SWAT file in /etc/xinetd.d
    The easiest way is to copy the original SWAT file:

    # cd /etc/xinetd.d
    # cp swat swat-stunnel
    # vi swat-stunnel

    Then edit swat-stunnel so that it looks like this:

    service swat-stunnel
    {
        port           = 902
        socket_type    = stream
        wait           = no
        only_from      = 127.0.0.1
        user           = root
        server         = /usr/sbin/swat
        log_on_failure += USERID
        disable        = no
        bind           = 127.0.0.1
    }

    To avoid a conflict, the original swat service in /etc/xinetd.d/swat must be disabled by changing its “disable = no” setting to “disable = yes”.

  • Then edit /etc/services and add the following line:
    # vi /etc/services

    swat-stunnel 902/tcp # Samba Web Administration Tool (Stunnel)

  • Enable swat-stunnel
    # chkconfig swat on
    # chkconfig swat-stunnel on

  • Start stunnel
    # stunnel

  • Test Secure SWAT
    # netstat -tan | grep 90

    tcp 0 0 0.0.0.0:901 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:902 0.0.0.0:* LISTEN

  • Test the Secure SWAT login

Point your web browser to https://server-ip-address:901/. If the login page appears, enter the username and password according to your settings.
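Before relying on this setup, it is worth confirming the xinetd side of it: the plaintext swat service really is disabled, and swat-stunnel only listens on 127.0.0.1, so cleartext SWAT never leaves the host. The script below is an added check (example code, not part of the original post); it parses xinetd service files in the `key = value` layout shown above, and the sample files it writes to a temp directory are constructed stand-ins for /etc/xinetd.d/swat and /etc/xinetd.d/swat-stunnel.

```sh
#!/bin/sh
# Added example, not from the original post: check the xinetd side of the
# stunnel setup before exposing port 901. It parses xinetd service files and
# verifies that the plaintext "swat" service is disabled and that
# "swat-stunnel" listens only on 127.0.0.1, so cleartext SWAT never leaves
# the host. The service files below are constructed samples in a temp dir.

# Print the value of an xinetd attribute ("key = value" or "key += value").
xinetd_attr() {   # $1 = service file, $2 = attribute name
    sed -n "s/^[[:space:]]*$2[[:space:]]*+\{0,1\}=[[:space:]]*//p" "$1" | head -n 1
}

# Succeeds (exit 0) only if the plaintext service file has "disable = yes".
check_plaintext_disabled() {
    [ "$(xinetd_attr "$1" disable)" = "yes" ]
}

# Succeeds only if the stunnel-backed service is loopback-only on the
# expected port: bind and only_from both 127.0.0.1, port equal to $2.
check_loopback_only() {   # $1 = service file, $2 = expected port (902)
    [ "$(xinetd_attr "$1" bind)" = "127.0.0.1" ] &&
    [ "$(xinetd_attr "$1" only_from)" = "127.0.0.1" ] &&
    [ "$(xinetd_attr "$1" port)" = "$2" ]
}

# Constructed samples mirroring /etc/xinetd.d/swat and /etc/xinetd.d/swat-stunnel.
SAMPLES=$(mktemp -d)
printf 'service swat\n{\n\tport = 901\n\tdisable = yes\n}\n' > "$SAMPLES/swat"
cat > "$SAMPLES/swat-stunnel" <<'EOF'
service swat-stunnel
{
    port = 902
    only_from = 127.0.0.1
    bind = 127.0.0.1
    disable = no
}
EOF
# Weak variant: "bind" is missing, so xinetd would listen on every interface.
sed '/bind/d' "$SAMPLES/swat-stunnel" > "$SAMPLES/swat-stunnel-weak"

check_plaintext_disabled "$SAMPLES/swat"             && echo "swat: disabled, OK"
check_loopback_only "$SAMPLES/swat-stunnel" 902      && echo "swat-stunnel: loopback-only, OK"
check_loopback_only "$SAMPLES/swat-stunnel-weak" 902 || echo "swat-stunnel-weak: NOT loopback-only"
```

To check a live host, point the two check functions at the real /etc/xinetd.d/swat and /etc/xinetd.d/swat-stunnel instead of the sample files.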
