Creating a private CA and requesting a certificate
Creating the CA
# create the directory layout
[root@centos8 ~]# mkdir /etc/pki/CA/{certs,crl,newcerts,private} -p
[root@centos8 ~]# tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── newcerts
└── private
[root@centos8 ~]# cd /etc/pki/CA
# create the certificate index database file
[root@centos8 CA]# touch /etc/pki/CA/index.txt
# set the serial number of the first certificate to be issued
[root@centos8 CA]# echo 01 > /etc/pki/CA/serial
# generate the CA private key into the private directory (umask 066 makes it readable by root only; without the subshell used in the next section, the umask stays in effect for the rest of the session)
[root@centos8 CA]# umask 066; openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
..............................................+++++
e is 65537 (0x010001)
[root@centos8 CA]# ll private/
total 4
-rw------- 1 root root 1679 Feb 14 13:29 cakey.pem
# generate the self-signed CA certificate
[root@centos8 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanxisheng
Locality Name (eg, city) [Default City]:xianshi
Organization Name (eg, company) [Default Company Ltd]:aaa
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.aaa.com
Email Address []:
[root@centos8 CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial
Requesting a certificate
# create the directory
[root@centos8 data]# mkdir /data/app1
[root@centos8 data]# cd /data/app1
# generate the applicant's private key
[root@centos8 data]# (umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
..........................................................+++++
e is 65537 (0x010001)
# generate the certificate signing request (CSR)
[root@centos8 app1]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanxisheeng
Locality Name (eg, city) [Default City]:xianyangshi
Organization Name (eg, company) [Default Company Ltd]:aaa
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.ccc.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos8 app1]# ll
total 8
-rw------- 1 root root 1005 Feb 14 15:18 app1.csr
-rw------- 1 root root 1675 Feb 14 15:11 app1.key
# issue the certificate
[root@centos8 app1]# openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 16 12:51:24 2022 GMT
Not After : Nov 12 12:51:24 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = shanxisheng
organizationName = aaa
organizationalUnitName = it
commonName = ca.bbb.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A3:71:9C:5D:60:33:FC:0B:A5:C5:F8:61:BD:BC:E7:5F:A5:2D:D3:6A
X509v3 Authority Key Identifier:
keyid:4F:1C:FC:D4:52:1B:66:49:B9:B8:46:81:1F:08:35:84:63:7A:70:11
Certificate is to be certified until Nov 12 12:51:24 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos8 app1]# tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old
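The whole CA workflow above (directory layout, index and serial files, CA key and self-signed certificate, CSR, signing with openssl ca, chain check) as an added, non-interactive shell example. This is not code from the original post: it works in a temporary directory with a minimal CA config of its own instead of /etc/pki/tls/openssl.cnf, and the subject names and paths are constructed. It adds the checks a practitioner wants afterwards: that the CA certificate really carries CA:TRUE, that the issued certificate verifies against the CA, and that a request whose stateOrProvinceName differs from the CA's is refused by the policy_match rules (the same rules are why localityName is missing from the issued subject in the transcript above).

```shell
#!/bin/sh
# Added example, not part of the original post: the private-CA workflow above made
# non-interactive (-subj, -batch), with its own minimal CA config in a temporary
# directory instead of /etc/pki/tls/openssl.cnf. All names and paths are constructed.
set -eu

# CA side: directory layout, index/serial database, config, CA key (owner-only),
# and a self-signed CA certificate that really is a CA (basicConstraints CA:TRUE).
build_ca() {
  ca=$1
  mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
  touch "$ca/index.txt"
  echo 01 > "$ca/serial"
  cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = $ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert
# same rules as policy_match in the stock openssl.cnf: C/ST/O must equal the
# CA's, CN is mandatory, and attributes not listed here (e.g. L) are dropped
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
  (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$ca/ca.cnf" -extensions v3_ca \
    -key "$ca/private/cakey.pem" -days 3650 \
    -subj "/C=CN/ST=shanxisheng/L=xianshi/O=aaa/OU=it/CN=ca.aaa.com" \
    -out "$ca/cacert.pem"
}

# Applicant side: private key and CSR. The [req] section of the CA config is
# reused only so that openssl req has a distinguished_name section to read.
make_csr() {   # ca dir name subject
  mkdir -p "$2"
  (umask 077; openssl genrsa -out "$2/$3.key" 2048 2>/dev/null)
  openssl req -new -config "$1/ca.cnf" -key "$2/$3.key" -subj "$4" -out "$2/$3.csr"
}

# CA side: sign the CSR. openssl ca can exit 0 after refusing a request on policy
# grounds, so an empty output file is treated as failure instead of trusting $?.
issue_cert() { # ca csr out
  openssl ca -config "$1/ca.cnf" -batch -notext -days 1000 -in "$2" -out "$3" 2>>"$1/ca.log"
  [ -s "$3" ]
}

verify_cert() { openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null; }  # ca cert
is_ca_cert()  { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }   # cert

# Stand-alone run: build the CA, issue app1.crt, verify it, then show a refusal.
work=$(mktemp -d)
build_ca "$work/CA"
make_csr "$work/CA" "$work/app1" app1 "/C=CN/ST=shanxisheng/O=aaa/OU=it/CN=app1.aaa.com"
issue_cert "$work/CA" "$work/app1/app1.csr" "$work/CA/certs/app1.crt"
verify_cert "$work/CA" "$work/CA/certs/app1.crt" && echo "app1.crt verifies against cacert.pem"
echo "next serial: $(cat "$work/CA/serial"), entries in index.txt: $(wc -l < "$work/CA/index.txt")"
make_csr "$work/CA" "$work/bad" bad "/C=CN/ST=elsewhere/O=aaa/CN=bad.aaa.com"
issue_cert "$work/CA" "$work/bad/bad.csr" "$work/CA/certs/bad.crt" || echo "bad.csr refused: ST differs from the CA"
```

The script runs as-is wherever openssl is on the path; on a real CA the private key stays readable by root only, as the umask in the transcript does, and the serial and index.txt files are the CA's record of what it has signed.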
Summary of common ssh options and usage
Options
-p port # port the remote server listens on
-b # source IP address to connect from
-v # verbose (debug) mode
-C # enable compression
-X # enable X11 forwarding
-t # force pseudo-tty allocation, e.g.: ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option # pass a configuration option, e.g.: -o StrictHostKeyChecking=no (this skips host-key verification, so the session is no longer protected against a man-in-the-middle; keep it to throwaway lab hosts)
-i <file> # private key file for key-based authentication; the defaults are ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa, etc.
Syntax
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
Summary of common sshd parameters
Server side: sshd
Server-side configuration file: /etc/ssh/sshd_config
Server-side configuration help: man 5 sshd_config
Common parameters:
Port # changing it is recommended in production
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes # Ubuntu does not allow root to log in over ssh by default
StrictModes yes # check ownership and permissions of the .ssh/ files
MaxAuthTries 6 # specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.
MaxSessions 10 # maximum number of sessions per connection
PubkeyAuthentication yes # key-based authentication
PermitEmptyPasswords no # whether accounts with empty passwords may log in
PasswordAuthentication yes # username and password authentication
GatewayPorts no
ClientAliveInterval 10 # in seconds
ClientAliveCountMax 3 # default 3
UseDNS yes # set to no for faster logins
GSSAPIAuthentication yes # set to no for faster logins
MaxStartups # maximum number of unauthenticated connections, default 10
Banner /path/file
# the following restrict which users may log in:
AllowUsers user1 user2 user3
DenyUsers user1 user2 user3
AllowGroups g1 g2
DenyGroups g1 g2
ssh service best practices
1) Use a non-default port
2) Disable protocol version 1
3) Restrict which users may log in
4) Set an idle session timeout
5) Use the firewall to control access to ssh
6) Listen only on specific IP addresses
7) When using password authentication, enforce a strong password policy, e.g.: tr -dc A-Za-z0-9_ < /dev/urandom | head -c 12 | xargs
8) Use key-based authentication
9) Forbid empty passwords
10) Forbid direct root login
11) Limit the rate of ssh access and the number of concurrent sessions
12) Review the logs regularly
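An added shell example, not part of the original post, that ties the parameter list and the best-practice list above together: it reads an sshd_config the way sshd does (first occurrence of a keyword wins, settings below a Match block are conditional) and reports which of the recommendations a file violates. Both configs it writes are constructed samples, not a real host's /etc/ssh/sshd_config; the weak one deliberately contains a later "PermitRootLogin no" that sshd ignores, a common reason a "hardened" server still accepts root logins.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config against the
# parameter list and best-practice list above. The two configs written below are
# constructed samples, not a real host's /etc/ssh/sshd_config.
set -eu

# sshd uses the FIRST occurrence of a keyword and ignores later duplicates, and
# lines after a "Match" block apply only conditionally, so the lookup stops there.
# Prints the lowercased value, or "unset" when the keyword is absent or commented.
sshd_get() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == "match" { exit }
    $1 !~ /^#/ && tolower($1) == k { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }' "$1"
}

n=0
finding() { echo "FINDING: $1"; n=$((n + 1)); }

# One FINDING line per violated recommendation (numbers refer to the list above),
# then a final "findings: N" line.
audit_sshd_config() {
  f=$1; n=0
  case "$(sshd_get "$f" Port)" in unset|22) finding "Port: default port 22 (1)";; esac
  case "$(sshd_get "$f" Protocol)" in *1*) finding "Protocol: SSH-1 allowed (2)";; esac
  if [ "$(sshd_get "$f" AllowUsers)" = unset ] && [ "$(sshd_get "$f" AllowGroups)" = unset ]; then
    finding "AllowUsers/AllowGroups: any account may log in (3)"
  fi
  case "$(sshd_get "$f" ClientAliveInterval)" in unset|0) finding "ClientAliveInterval: no idle timeout (4)";; esac
  case "$(sshd_get "$f" ListenAddress)" in unset) finding "ListenAddress: listening on every address (6)";; esac
  case "$(sshd_get "$f" PubkeyAuthentication)" in no) finding "PubkeyAuthentication: key logins disabled (8)";; esac
  case "$(sshd_get "$f" PasswordAuthentication)" in no) ;; *) finding "PasswordAuthentication: password logins allowed (8)";; esac
  case "$(sshd_get "$f" PermitEmptyPasswords)" in yes) finding "PermitEmptyPasswords: empty passwords accepted (9)";; esac
  case "$(sshd_get "$f" PermitRootLogin)" in no) ;; *) finding "PermitRootLogin: not set to no (10)";; esac
  echo "findings: $n"
}

# Constructed sample: stock-looking config with a later "fix" that sshd ignores.
write_weak_config() {
  cat > "$1" <<'EOF'
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
UseDNS no
# added later, but sshd keeps the first PermitRootLogin above
PermitRootLogin no
EOF
}

# Constructed sample applying the best-practice list with the parameters above.
write_hardened_config() {
  cat > "$1" <<'EOF'
Port 2222
ListenAddress 10.0.0.8
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
ClientAliveInterval 10
ClientAliveCountMax 3
AllowGroups sshadmins
Banner /etc/issue.net
EOF
}

# Stand-alone run: write both samples to a temp dir and audit them.
demo=$(mktemp -d)
write_weak_config "$demo/weak_sshd_config"
write_hardened_config "$demo/hardened_sshd_config"
for cfg in weak_sshd_config hardened_sshd_config; do
  echo "== $cfg =="; audit_sshd_config "$demo/$cfg"
done
```

Point it at a real file with audit_sshd_config /etc/ssh/sshd_config; the Port, ListenAddress and AllowUsers/AllowGroups checks only report that a value is missing, so the values themselves still need to be judged against the host's role. After any change, sshd -t validates the syntax before the service is restarted.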
Setting up a DHCP server to hand out IP addresses
Software implementing the DHCP service
- dhcp (CentOS 7 and earlier) or dhcp-server (package name on CentOS 8)
- /etc/dhcp/dhcpd.conf # dhcp service configuration file
- /usr/share/doc/dhcp-server/dhcpd.conf.example # sample configuration file for the dhcp service
Before setting up the DHCP service, shut down any DHCP server already on the network (for example VMware's built-in DHCP) to avoid conflicts.
# install dhcp
[root@centos8 data]# yum -y install dhcp-server
# start the service
[root@centos8 data]# systemctl enable --now dhcpd
Created symlink /etc/systemd/system/multi-user.target.wants/dhcpd.service → /usr/lib/systemd/system/dhcpd.service.
Job for dhcpd.service failed because the control process exited with error code.
See "systemctl status dhcpd.service" and "journalctl -xe" for details.
# the service fails to start: the stock /etc/dhcp/dhcpd.conf contains no subnet declaration
# copy the sample file over the configuration file as a starting point
[root@centos8 data]# cp /usr/share/doc/dhcp-server/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cp: overwrite '/etc/dhcp/dhcpd.conf'? y
# edit the configuration file; the subnet must be the network segment this host is on
[root@centos8 ~]# vim /etc/dhcp/dhcpd.conf
option domain-name-servers 180.76.76.76 , 223.5.5.5; # DNS servers handed to clients
default-lease-time 86400; # lease time in seconds, used when the client does not ask for one
max-lease-time 7200; # upper bound on any lease; since it is lower than default-lease-time, clients actually receive 7200 s (the 7163sec valid_lft on the client below)
# Use this to enable / disable dynamic dns updates globally.
#ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
subnet 10.0.0.0 netmask 255.255.255.0 { # network and netmask, must match a network this host is on
range 10.0.0.100 10.0.0.130; # pool of addresses to hand out
option routers 10.0.0.2; # default gateway
}
# start dhcp
[root@centos8 ~]# systemctl enable --now dhcpd
[root@centos8 ~]# systemctl status dhcpd
● dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2022-02-16 22:18:34 CST; 4min 17s ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 1828 (dhcpd)
Status: "Dispatching packets..."
Tasks: 1 (limit: 12257)
Memory: 5.4M
CGroup: /system.slice/dhcpd.service
└─1828 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
# request an IP address (on the client)
[root@centos7 ~]# dhclient -d
[root@centos7 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:d2:42:db brd ff:ff:ff:ff:ff:ff
inet 10.0.0.140/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet 10.0.0.100/24 brd 10.0.0.255 scope global secondary dynamic eth0
valid_lft 7163sec preferred_lft 7163sec
inet6 fe80::20c:29ff:fed2:42db/64 scope link
valid_lft forever preferred_lft forever
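The DHCP walkthrough above hinges on the numbers in the subnet block agreeing with the server's own network and with each other, which is what the first failed start and the "same segment as this host" note are about. The following is an added shell example, not code from the original post, that checks those numbers before dhcpd is restarted: the subnet must contain the server's address, the router and the whole range, the range must be ordered, and the router should not sit inside the pool. It also computes the lease a client actually receives when default-lease-time exceeds max-lease-time, which is why the client above shows a valid_lft near 7200 rather than 86400. The first call uses the values from the configuration above; the second set of values is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the numbers in a
# dhcpd.conf subnet block before restarting dhcpd. The first demo call uses the
# values from the configuration above; the second set is constructed.
set -eu

# Dotted quad -> 32-bit integer (octets without leading zeros).
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when ip lies inside subnet/netmask.
ip_in_subnet() {  # ip subnet netmask
  [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# Check a subnet block against the server's own address. dhcpd will not start
# when no declared subnet matches one of its interfaces, and a router or range
# outside the subnet produces leases clients cannot use. Prints each problem and
# returns 1 if there was any.
check_dhcp_scope() {  # subnet netmask range_start range_end router server_ip
  bad=0
  ip_in_subnet "$6" "$1" "$2" || { echo "server $6 is not in $1/$2"; bad=1; }
  ip_in_subnet "$5" "$1" "$2" || { echo "router $5 is not in $1/$2"; bad=1; }
  ip_in_subnet "$3" "$1" "$2" && ip_in_subnet "$4" "$1" "$2" \
    || { echo "range $3-$4 is not inside $1/$2"; bad=1; }
  [ "$(ip2int "$3")" -le "$(ip2int "$4")" ] || { echo "range start $3 is above end $4"; bad=1; }
  if [ "$(ip2int "$5")" -ge "$(ip2int "$3")" ] && [ "$(ip2int "$5")" -le "$(ip2int "$4")" ]; then
    echo "router $5 lies inside the pool and could be handed to a client"; bad=1
  fi
  return $bad
}

# dhcpd caps every lease at max-lease-time, so with default-lease-time 86400 and
# max-lease-time 7200 a client receives 7200 seconds (the 7163sec valid_lft above).
effective_lease() {  # default_lease max_lease
  if [ "$1" -le "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Stand-alone run
echo "scope from the configuration above:"
check_dhcp_scope 10.0.0.0 255.255.255.0 10.0.0.100 10.0.0.130 10.0.0.2 10.0.0.140 && echo "  OK"
echo "constructed bad scope (server on another network, router inside the pool):"
check_dhcp_scope 192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.130 192.168.1.120 10.0.0.140 || echo "  rejected"
echo "effective lease with default 86400 and max 7200: $(effective_lease 86400 7200) s"
```

The server address passed as the last argument is the one on the interface dhcpd will serve (10.0.0.140 on eth0 in the client listing above only because the lab reuses one network; on the server use its own ip a output). Rerun the check whenever the range or router in the subnet block changes, before systemctl restart dhcpd.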