03-服务安全

1.SElinux

访问控制分类
DAC
Discretionary Access Control,自主访问被控制，依据进程的所有者与文件资源的rwx权限来决定有无访问权
限。
缺点：

1. 如果某个进程以root身份运行，可能被恶意目的
2. 用户可以取得进程来获得文件的访问权限

总结：DAC针对控制的主体是用户

MAC
Mandatory Access Control,强制访问控制，依据策略规则决定进程可以访问哪些文件
优点：
即使是root用户，在使用不同进程时，所能取得的权限并不一定是root，需要看当时进程的设置而定
总结：MAC针对控制的主体是进程

SElinux介绍
SELinux(Security-Enhanced Linux) 是美国国家安全局（NSA）对于强制访问控制的实现，是 Linux历史上最杰出的新安全子系统。NSA是在Linux社区的帮助下开发了一种访问控制体系，在这种访问控制体系的限制下，进程只能访问那些在他的任务中所需要文件。SELinux 默认安装在 Fedora 和 Red Hat Enterprise Linux 上，也可以作为其他发行版上容易安装的包得到。

SELinux 是 2.6 版本的 Linux 内核中提供的强制访问控制(MAC）系统。对于可用的 Linux安全模块来说，SELinux 是功能最全面，而且测试最充分的，它是在 20 年的 MAC 研究基础上建立的。SELinux 在类型强制服务器中合并了多级安全性或一种可选的多类策略，并采用了基于角色的访问控制概念。

SElinux策略模式
无强制访问控制(disabled)

[root@vm1 ~]# cat /etc/selinux/config |grep -i selinux=
# SELINUX= can take one of these three values:
SELINUX=disabled

有强制访问控制(enforcing)

[root@vm1 ~]# cat /etc/selinux/config |grep -i selinux=
# SELINUX= can take one of these three values:
SELINUX=enforcing

许可访问控制(permissive)

[root@vm1 ~]# cat /etc/selinux/config |grep -i selinux=
# SELINUX= can take one of these three values:
SELINUX=permissive

查看SElinux当前策略模式

[root@vm1 ~]# getenforce 
Permissive
[root@vm1 ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

2.数据加密技术

对称加密
加密和解密使用一同把钥匙
优点:效率高,加密速度快,可以加密大量的数据.
缺点:密钥的传递问题

Openssl

[root@vm1 ~]# openssl enc -des3 -in ./tes.txt -out ./tes.txt.enc   
# 加密
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
[root@vm1 ~]# openssl enc -des3 -a -in ./tes.txt -out ./tes1.txt.enc
# ascii码
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
[root@vm1 ~]# ls
anaconda-ks.cfg  tes1.txt.enc  tes.txt  tes.txt.enc  vm2

[root@vm1 ~]# openssl enc -des3 -d -in ./tes.txt.enc -out ./test.txt
# 解密
enter des-ede3-cbc decryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
[root@vm1 ~]# openssl enc -des3 -a -d -in ./tes1.txt.enc -out ./test1.txt
enter des-ede3-cbc decryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
[root@vm1 ~]# ls
anaconda-ks.cfg  tes1.txt.enc  test1.txt  test.txt  tes.txt  tes.txt.enc  vm2
[root@vm1 ~]# cat test.txt 
123

非对称加密
加密和解密使不用的同钥匙,一般是公钥加密,私钥解密
优点:解决了密钥传递的问题
缺点:效率低，加密速度慢,只能加密少量数据

单向加密
加密不可逆
例:md5

3.非对称加密SSL/TLS

CA简介
CA ：CertificateAuthority的缩写，通常翻译成认证权威或者认证中心，主要用途是为用户发放数字证书
功能：证书发放、证书更新、证书撤销和证书验证。
作用：身份认证，数据的不可否认性
证书请求文件:CSR是Cerificate Signing Request的英文缩写，即证书请求文件，也就是证书申请者在申请数字证书时
由CSP(加密服务提供者)在生成私钥的同时也生成证书请求文件，证书申请者只要把CSR文件提交给证书颁发机构
后，证书颁发机构使用其根证书的私钥签名就生成了证书文件，也就是颁发给用户的证书
用作HTTP转HTTPS
HTTPS（全称：Hyper Text Transfer Protocol over Secure Socket Layer），是以安全为目标的HTTP通道，简单讲
是HTTP的安全版。

SSL：(Secure Socket Layer)安全套接字层，通过一种机制在互联网上提供密钥
传输 其主要目标是保证两个应用 间通信数据的保密性和可靠性,可在服务器端和用
户端同时支持的一种加密算法 目前主流版本SSLV2、SSLV3(常 用）。
SSL四次握手安全传输： 
加密协议： SSL 3.0 或 TLS 1.0 
C-------------------------------------------------> S 
1. 请求一个安全的会话，协商算法 
C <------------------------------------------------- S 
2. 将自己Server端的证书给客户端，证 书中包括了64自己的公钥 
C -------------------------------------------------> S 
3. 客户端用浏览器中存放CA的根证书检
测client证书，如果对，使用CA根证书中的公钥解密 得到CA的公钥；
然后生成一把对称的加密密钥,用client的 公钥加密这个密钥
发给CA , 后期使用对称密钥加密数据 
C <----------------------------------------- > S
4.client使用私钥解密，得到对称的加 密密钥然后，使用对称加密密钥来进行安全快速传输数据

CA认证

一.环境准备

[root@vm1 ~]# cat /etc/hosts 
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.20.203.10 vm1 ca.cn
172.20.203.11 vm2 test.nginx.cn

二.修改CA配置文件

[root@vm1 ~]# dnf -y install openssl
[root@vm1 ~]# vim /etc/pki/tls/openssl.cnf
# 修改为如下配置 
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/ca.crt   # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/ca.key # The private key
...
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN # 修改国家
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Guangdong # 修改省份

localityName                    = Locality Name (eg, city)
localityName_default            = Shenzhen # 修改城市

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = it # 修改部门
保存退出
[root@vm1 ~]# cd /etc/pki/
[root@vm1 pki]# mkdir CA
[root@vm1 pki]# mkdir CA/{certs,crl,newcerts,private}

三.生成CA私钥和自签名证书

[root@vm1 CA]# touch index.txt # 生成证书索引库文件
[root@vm1 CA]# echo 00 > serial # 制定颁发第一个证书的序列号
# 生成private
[root@vm1 CA]# (umask 077;openssl genrsa -out private/ca.key -des3 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.............+++++
..+++++
e is 65537 (0x010001)
Enter pass phrase for private/ca.key:
Verifying - Enter pass phrase for private/ca.key:
# 生成CA私钥
[root@vm1 CA]# ls private/
ca.key
[root@vm1 CA]# openssl req -new -x509 -days 356 -key private/ca.key > ca.crt       
Enter pass phrase for private/ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [it]:
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:ca.cn
Email Address []:test@test.com   
[root@vm1 CA]# ls
ca.crt  certs  crl  index.txt  newcerts  private  serial

四.nginx服务器准备

[root@vm2 ~]# dnf -y install nginx openssl # 安装包
[root@vm2 ~]# openssl genrsa -out /etc/nginx/nginx.key # 生成私钥
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
.................................................+++++
e is 65537 (0x010001)        
[root@vm2 ~]# openssl req -new -key /etc/nginx/nginx.key -out /tmp/nginx.csr
# 生成web证书的申请文件
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # 注意内容要一致
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Shenzhen
Organization Name (eg, company) [Default Company Ltd]:it
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:www.test.nginx.cn
Email Address []:web@web.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@vm2 ~]# scp /tmp/nginx.csr vm1:/tmp  
nginx.csr                100% 1045     1.7MB/s   00:00   

五.CA给nginx服务器颁发证书

[root@vm1 CA]# openssl ca -in /tmp/nginx.csr -out /tmp/nginx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Oct  6 06:49:12 2021 GMT
            Not After : Oct  6 06:49:12 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            organizationName          = it
            organizationalUnitName    = web
            commonName                = www.test.nginx.cn
            emailAddress              = web@web.cn
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                F5:F6:2D:A6:CD:17:27:E9:0E:3F:DD:FC:96:5E:A9:58:49:51:12:62
            X509v3 Authority Key Identifier: 
                keyid:9B:CA:7E:AF:57:34:0F:31:1F:0D:C9:40:E4:96:CC:E9:75:D8:AF:25

Certificate is to be certified until Oct  6 06:49:12 2022 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@vm1 CA]# scp /tmp/nginx.crt test.nginx.cn:/etc/nginx
The authenticity of host 'test.nginx.cn (172.20.203.11)' can't be established.
ECDSA key fingerprint is SHA256:hS1l8wyrxAPtN060zptsSAdH3XIYO2Kg9cl+qzSMlwE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'test.nginx.cn' (ECDSA) to the list of known hosts.
nginx.crt                      100% 4574     5.3MB/s   00:00    

六.nginx服务器配置

[root@vm2 ~]# vim /etc/nginx/nginx.conf
    server {
        listen       80;
        server_name  www.test.nginx.cn test.nginx.cn;
        root         /usr/share/nginx/html;
        return 301 https://www.test.nginx.cn/$request_uri; #添加

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

# Settings for a TLS enabled server.
#
    server {
        listen       443 ssl;
#        listen       [::]:443 ssl http2 default_server;
        server_name  www.test.nginx.cn;
        root         /usr/share/nginx/html;

        ssl on; # 开启
        ssl_certificate "/etc/nginx/nginx.crt"; # 修改
        ssl_certificate_key "/etc/nginx/nginx.key"; # 修改
#        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m; # 删除注释
        ssl_protocols SSLv2 SSLv3 TLSv1; # 添加
#        ssl_ciphers PROFILE=SYSTEM;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
    } # 开启

}
保存退出
[root@vm2 ~]# rm -rf /usr/share/nginx/html/nginx-logo.png 
[root@vm2 ~]# rm -rf /usr/share/nginx/html/poweredby.png 
[root@vm2 ~]# echo "nginx test" > /usr/share/nginx/html/index.html 
[root@vm2 ~]# systemctl restart nginx

7.客户端检验

打开文件资源管理器,进入
C:\Windows\System32\drivers\etc
将hosts文件复制到桌面上打开
添加如下两行

172.20.203.10 ca.cn
172.20.203.11 www.test.nginx.cn
保存退出

覆盖etc下的源文件
浏览器访问http://www.test.nginx.cn

解决方案:
将证书导入到浏览器
进入设置,搜索证书

点击管理证书->受信任的根证书颁发机构->导入->下一页->选择文件->
下一页->下一页->完成->是
浏览器重新访问即可