第八周作业

创建私有CA并进行证书申请

创建CA
#创建文件夹
[root@centos8 ~]# mkdir /etc/pki/CA/{certs,crl,newcerts,private} -p

[root@centos8 ~]# tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private

[root@centos8 ~]# cd /etc/pki/CA

#生成证书索引数据库文件
[root@centos8 CA]# touch /etc/pki/CA/index.txt

#指定第一个颁发证书的序列号
[root@centos8 CA]# echo 01 > /etc/pki/CA/serial

#生成CA私钥放到private文件夹内(umask 066 使私钥仅属主可读写;此处未加括号,umask 会在当前 shell 中持续生效。该私钥未设口令,仅靠文件权限保护)
[root@centos8 CA]#umask 066; openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
..............................................+++++
e is 65537 (0x010001)
[root@centos8 CA]# ll private/
total 4
-rw------- 1 root root 1679 Feb 14 13:29 cakey.pem

#生成CA自签名证书
[root@centos8 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanxisheng
Locality Name (eg, city) [Default City]:xianshi
Organization Name (eg, company) [Default Company Ltd]:aaa
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.aaa.com
Email Address []:

[root@centos8 CA]# tree
.
├── cacert.pem       
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial
申请证书
#创建文件夹
[root@centos8 data]# mkdir /data/app1
[root@centos8 data]# cd /data/app1

#生成用户私钥
[root@centos8 data]# (umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
..........................................................+++++
e is 65537 (0x010001)

#生成证书申请文件
[root@centos8 app1]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanxisheeng
Locality Name (eg, city) [Default City]:xianyangshi
Organization Name (eg, company) [Default Company Ltd]:aaa
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.ccc.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@centos8 app1]# ll
total 8
-rw------- 1 root root 1005 Feb 14 15:18 app1.csr
-rw------- 1 root root 1675 Feb 14 15:11 app1.key

#颁发证书(openssl ca 使用 /etc/pki/tls/openssl.cnf 的默认策略 policy_match,要求申请文件中的 C、ST、O 与 CA 证书一致,否则签发失败)
[root@centos8 app1]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 16 12:51:24 2022 GMT
            Not After : Nov 12 12:51:24 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shanxisheng
            organizationName          = aaa
            organizationalUnitName    = it
            commonName                = ca.bbb.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                A3:71:9C:5D:60:33:FC:0B:A5:C5:F8:61:BD:BC:E7:5F:A5:2D:D3:6A
            X509v3 Authority Key Identifier: 
                keyid:4F:1C:FC:D4:52:1B:66:49:B9:B8:46:81:1F:08:35:84:63:7A:70:11

Certificate is to be certified until Nov 12 12:51:24 2024 GMT (1000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@centos8 app1]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

总结ssh常用参数、用法

选项
-p port #远程服务器监听的端口
-b #指定连接的源IP
-v #调试模式
-C #启用压缩
-X #支持x11转发
-t #强制伪tty分配,如:ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option   如:-o StrictHostKeyChecking=no (跳过主机密钥校验,存在中间人风险,仅适合测试环境)
-i <file>  #指定私钥文件路径,实现基于key验证,默认使用文件: ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa等
格式
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]

总结sshd服务常用参数

服务器端:sshd

服务器端的配置文件: /etc/ssh/sshd_config

服务器端的配置文件帮助:man 5 sshd_config

常用参数:

Port        #生产建议修改
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes #默认ubuntu不允许root远程ssh登录;生产建议改为no
StrictModes yes   #检查.ssh/文件的所有者,权限等
MaxAuthTries   6     #Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.
MaxSessions  10         #同一个连接最大会话
PubkeyAuthentication yes     #基于key验证
PermitEmptyPasswords no      #是否允许空密码登录
PasswordAuthentication yes   #基于用户名和密码连接
GatewayPorts no
ClientAliveInterval 10 #单位:秒
ClientAliveCountMax 3 #默认3
UseDNS yes #提高速度可改为no
GSSAPIAuthentication yes #提高速度可改为no
MaxStartups    #未认证连接最大值,默认值10
Banner /path/file
#以下可以限制可登录用户的办法:
AllowUsers user1 user2 user3
DenyUsers user1 user2 user3
AllowGroups g1 g2
DenyGroups g1 g2
ssh服务的最佳实践
1)建议使用非默认端口
2)禁止使用protocol version 1
3)限制可登录用户
4)设定空闲会话超时时长
5)利用防火墙设置ssh访问策略
6)仅监听特定的IP地址
7)基于口令认证时,使用强密码策略,比如:tr -dc A-Za-z0-9_ < /dev/urandom | head -c 12 | xargs
8)使用基于密钥的认证
9)禁止使用空密码
10)禁止root用户直接登录
11)限制ssh的访问频度和并发在线数
12)经常分析日志

搭建dhcp服务,实现ip地址申请分发

DHCP服务的实现软件
  • dhcp(CentOS 7 之前版本) 或 dhcp-server(CentOS 8 中的包名)
  • /etc/dhcp/dhcpd.conf dhcp #服务配置文件
  • /usr/share/doc/dhcp-server/dhcpd.conf.example #dhcp服务配置范例文件
实现DHCP服务前,先将网络中已有的DHCP服务(如:vmware中的DHCP)关闭,防止冲突


#安装dhcp

[root@centos8 data]# yum -y install dhcp-server

#启动服务

[root@centos8 data]# systemctl enable --now dhcpd 
Created symlink /etc/systemd/system/multi-user.target.wants/dhcpd.service → /usr/lib/systemd/system/dhcpd.service.
Job for dhcpd.service failed because the control process exited with error code.
See "systemctl status dhcpd.service" and "journalctl -xe" for details.

#启动服务报错

#复制范例文件到配置文件中
[root@centos8 data]# cp /usr/share/doc/dhcp-server/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cp: overwrite '/etc/dhcp/dhcpd.conf'? y

#打开配置文件
修改subnet 要和本机在同网段
[root@centos8 ~]# vim /etc/dhcp/dhcpd.conf

option domain-name-servers 180.76.76.76 , 223.5.5.5;      #DNS

default-lease-time 86400;                                 #默认租期(秒);若大于 max-lease-time,实际租期以 max-lease-time 为准
max-lease-time 7200;

# Use this to enble / disable dynamic dns updates globally.
#ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the 
# DHCP server to understand the network topology.

subnet 10.0.0.0 netmask 255.255.255.0 {               #网段  子网掩码
    range 10.0.0.100 10.0.0.130;                      #地址范围                   
    option routers 10.0.0.2;                          #网关
}

#启动dhcp

[root@centos8 ~]# systemctl enable --now dhcpd
[root@centos8 ~]# systemctl status dhcpd
● dhcpd.service - DHCPv4 Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-02-16 22:18:34 CST; 4min 17s ago
     Docs: man:dhcpd(8)
           man:dhcpd.conf(5)
 Main PID: 1828 (dhcpd)
   Status: "Dispatching packets..."
    Tasks: 1 (limit: 12257)
   Memory: 5.4M
   CGroup: /system.slice/dhcpd.service
           └─1828 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid

#申请IP

[root@centos7 ~]# dhclient -d
[root@centos7 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:d2:42:db brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.140/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet 10.0.0.100/24 brd 10.0.0.255 scope global secondary dynamic eth0
       valid_lft 7163sec preferred_lft 7163sec
    inet6 fe80::20c:29ff:fed2:42db/64 scope link 
       valid_lft forever preferred_lft forever