1、创建私有CA并进行证书申请。
[root@centos8 ~]# mkdir /etc/pki/CA/{certs,crl,newcerts,private} -pv
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
[root@centos8 ~]# cd /etc/pki/CA
[root@centos8 CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
# NOTE(review): genrsa writes the CA private key unencrypted and with whatever
# the process umask allows (typically 0644, i.e. readable by every local
# account). Run it as `(umask 077; openssl genrsa -out private/cakey.pem 2048)`
# or chmod 600 the file afterwards, and consider -aes256 so the root key is
# also encrypted at rest.
[root@centos8 CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................................................................................+++++
..................+++++
e is 65537 (0x010001)
[root@centos8 CA]# cd
[root@centos8 ~]# touch /etc/pki/CA/index.txt
[root@centos8 ~]# echo 0F > /etc/pki/CA/serial
[root@centos8 ~]# cd /etc/pki/CA
[root@centos8 CA]# tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 3 files
# NOTE(review): -x509 makes this a self-signed root valid for 10 years. The
# certificate printed below carries only SKI, AKI and BasicConstraints CA:TRUE
# and no keyUsage extension; validators generally accept that, but adding
# keyUsage = critical, keyCertSign, cRLSign (via -addext on OpenSSL 1.1.1+ or a
# v3_ca section in openssl.cnf) is the usual practice for a CA certificate.
[root@centos8 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:5295464651@com
[root@centos8 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3a:22:ad:00:df:4c:4b:4f:86:3a:9f:78:8e:15:c8:92:30:ad:c1:79
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = guangdong, L = guangzhou, O = magedu, OU = it, CN = ca.magedu.org, emailAddress = 5295464651@com
Validity
Not Before: Jun 21 15:29:21 2022 GMT
Not After : Jun 18 15:29:21 2032 GMT
Subject: C = CN, ST = guangdong, L = guangzhou, O = magedu, OU = it, CN = ca.magedu.org, emailAddress = 5295464651@com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bb:1f:1f:ec:87:a8:23:e8:8c:10:dc:24:51:13:
61:00:24:a8:99:96:ab:8f:07:b4:4b:ea:df:16:e7:
b5:f1:a2:6e:9f:80:94:41:96:a0:42:9b:08:99:ed:
0d:a5:07:9c:b7:16:c5:de:7f:6c:cc:c5:38:15:4a:
9e:92:67:97:a2:09:df:bf:a6:8e:c0:78:19:31:d0:
f5:5a:a8:5d:e1:82:c9:ff:96:ef:fb:bb:9a:f3:99:
d6:6c:7e:5a:97:68:21:81:6c:52:1b:1d:43:c7:95:
8a:e2:7b:14:4f:4c:9c:55:73:34:73:0c:00:b3:77:
d0:2d:e4:f4:e2:fc:86:27:db:d1:be:1a:b5:e4:d5:
e2:85:3f:89:6c:11:d7:b8:87:7c:97:ae:7e:9f:8e:
83:e2:e3:5a:73:a8:82:f8:78:65:03:6e:d3:ba:f0:
ca:2e:75:d9:31:52:d1:c9:08:6d:a8:a6:99:72:8f:
e5:86:ea:dc:d4:e0:32:eb:62:de:ac:50:39:14:b3:
ca:81:e5:78:8f:7d:82:d4:7d:8f:8f:c4:cc:0f:78:
82:ee:61:6b:c0:79:ea:dc:ad:56:b5:0b:8d:03:bf:
fa:1d:d5:71:f8:8e:37:7e:d9:41:16:e2:e4:92:e1:
15:b3:1b:c8:62:7f:4b:7b:9a:d5:e8:f9:03:65:44:
c5:b5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
18:09:5A:2E:F6:03:1E:57:F0:E7:10:79:02:CA:34:3E:E4:60:93:15
X509v3 Authority Key Identifier:
keyid:18:09:5A:2E:F6:03:1E:57:F0:E7:10:79:02:CA:34:3E:E4:60:93:15
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
01:38:f2:0d:39:2d:8e:af:41:1b:f4:a1:4f:9f:05:ae:6c:ce:
6c:9a:d2:47:3f:16:7e:41:f6:64:c0:d7:90:bd:7f:79:02:d1:
46:a7:55:af:dc:86:67:13:e4:fc:45:8f:c6:0b:6a:bc:0c:88:
ce:5b:15:1f:21:3f:06:e3:c3:ac:ac:45:77:e0:74:56:54:cb:
0b:37:c4:fd:8f:ed:8b:60:a9:34:ab:1e:3f:96:41:1c:31:56:
ea:c9:93:4c:53:3c:89:0a:2e:ed:9c:39:52:f2:b6:3a:0e:c9:
53:c0:62:c3:1a:64:d3:d2:f0:1f:1d:ec:44:04:b3:b0:97:74:
b9:72:fe:5f:bb:82:6b:f5:4f:72:93:3b:b9:ca:3c:3c:4a:b2:
ce:af:4c:fd:f2:8f:db:11:66:04:e3:8d:87:cd:2c:7a:ad:d4:
81:1f:5b:59:2c:2c:3f:32:2e:2c:1e:7a:49:88:eb:fe:6b:36:
60:0a:a0:9d:d8:e1:d9:ed:93:c3:51:8d:76:ad:f9:33:52:cc:
0c:90:91:b4:3a:f6:e3:10:96:74:cf:44:e2:07:13:a2:a0:9a:
c7:d4:e7:99:dc:aa:31:28:d0:e5:b7:6a:9c:71:7c:3c:33:18:
e7:65:60:94:ab:99:d5:2e:82:64:be:82:c4:c2:00:c8:fc:50:
ca:2d:50:bc
2、总结ssh常用参数、用法
ssh 命令是 ssh 客户端,用于对远程系统进行经过验证的加密安全访问
常见用法有远程连接或远程执行命令
-p 远程服务器监听的端口
-b 指定连接使用的源 IP 地址
-v 调试模式
-C 启用压缩(小写 -c 用于指定加密算法 cipher)
-X 启用 X11 转发(小写 -x 为禁用 X11 转发)
-t 强制分配伪终端(pty)
-o 以配置文件中的格式指定选项
-i 指定私钥文件路径,实现基于 key 的验证
3、总结sshd服务常用参数。
Port #生产环境建议修改默认端口
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes #默认ubuntu不允许root远程ssh登录
StrictModes yes #登录前检查 ~/.ssh 目录及其文件的属主和权限
MaxAuthTries 6 #Specifies the maximum number of authentication
attempts permitted per connection. Once the number of failures reaches half this
value, additional failures are logged. The default is 6.
MaxSessions 10 #单个连接允许的最大会话数
PubkeyAuthentication yes #基于key验证
PermitEmptyPasswords no #是否允许空密码登录
PasswordAuthentication yes #基于用户名和密码连接
GatewayPorts no
ClientAliveInterval 10 #单位:秒
ClientAliveCountMax 3 #默认3
UseDNS yes #提高速度可改为no
GSSAPIAuthentication yes #提高速度可改为no
MaxStartups #未认证连接最大值,默认值10
Banner /path/file
#以下是限制可登录用户的方法:
AllowUsers user1 user2 user3
DenyUsers user1 user2 user3
AllowGroups g1 g2
DenyGroups g1 g2
4、搭建dhcp服务,实现ip地址申请分发
# NOTE(review): the example is copied to and edited at /etc/dhcp/dhcp.conf, but
# the running daemon loads /etc/dhcp/dhcpd.conf (see "-cf /etc/dhcp/dhcpd.conf"
# in the systemctl status output below). Unless "dhcp.conf" is a transcript
# typo, the edited file is never read. On CentOS 8 the server package is
# normally named dhcp-server rather than dhcp — confirm on the host.
[root@centos8 ~]#yum -y install dhcp
[root@centos8 ~]#cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcp.conf
[root@centos8 ~]#vim /etc/dhcp/dhcp.conf
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# NOTE(review): this is the stock dhcpd.conf.example with a 10.0.0.0/24 pool and
# the "testhost" reservation added; the example's other subnets, hosts, class
# and shared-network further down were left in place. They only take effect on
# interfaces attached to those networks, but removing unused declarations keeps
# the served address plan auditable.
# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers 223.5.5.5, 180.76.76.76;
default-lease-time 86400;
# NOTE(review): 106400 s is about 29.5 h, only slightly above the 86400 s
# default lease — confirm this value is intentional.
max-lease-time 106400;
# Use this to enable / disable dynamic dns updates globally.
#ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
# NOTE(review): still commented out here. ISC dhcpd only sends DHCPNAK for
# addresses it does not recognise when it is authoritative, so stale leases
# from another server would linger rather than be replaced — uncomment if this
# is meant to be the only DHCP server on 10.0.0.0/24.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# Dynamic pool for the lab network: 10.0.0.150-180 with 10.0.0.2 as the default
# gateway. (The example's original "no service will be given on this subnet"
# wording no longer applies once a range is declared.) The status output below
# shows the daemon bound to eth0 for 10.0.0.0/24.
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.150 10.0.0.180;
option routers 10.0.0.2;
}
# This is a very basic subnet declaration.
subnet 10.254.239.0 netmask 255.255.255.224 {
range 10.254.239.10 10.254.239.20;
option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
subnet 10.254.239.32 netmask 255.255.255.224 {
range dynamic-bootp 10.254.239.40 10.254.239.60;
option broadcast-address 10.254.239.31;
option routers rtr-239-32-1.example.org;
}
# A slightly different configuration for an internal subnet.
subnet 10.5.5.0 netmask 255.255.255.224 {
range 10.5.5.26 10.5.5.30;
option domain-name-servers ns1.internal.example.org;
option domain-name "internal.example.org";
option routers 10.5.5.1;
option broadcast-address 10.5.5.31;
default-lease-time 600;
max-lease-time 7200;
}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
# Reservation for the lab client: 10.0.0.123 lies outside the dynamic range
# 10.0.0.150-180, as the note on fixed addresses further down requires.
host testhost {
hardware ethernet 00:0c:29:33:b7:af;
fixed-address 10.0.0.123;
}
host passacaglia {
hardware ethernet 0:0:c0:5d:bd:95;
filename "vmunix.passacaglia";
server-name "toccata.fugue.com";
}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
host fantasia {
hardware ethernet 08:00:07:26:c0:a5;
fixed-address fantasia.fugue.com;
}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
class "foo" {
match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
}
shared-network 224-29 {
subnet 10.17.224.0 netmask 255.255.255.0 {
option routers rtr-224.example.org;
}
subnet 10.0.29.0 netmask 255.255.255.0 {
option routers rtr-29.example.org;
}
pool {
allow members of "foo";
range 10.17.224.10 10.17.224.250;
}
pool {
deny members of "foo";
range 10.0.29.10 10.0.29.230;
}
}
[root@centos8 ~]# systemctl start dhcpd
[root@centos8 ~]# systemctl status dhcpd
● dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-05-03 15:40:46 CST; 10s ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 5583 (dhcpd)
Status: "Dispatching packets..."
Tasks: 1 (limit: 12257)
Memory: 5.4M
CGroup: /system.slice/dhcpd.service
└─5583 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
May 03 15:40:46 centos8.leizi.org dhcpd[5583]: Source compiled to use binary-leases
May 03 15:40:46 centos8.leizi.org dhcpd[5583]: Wrote 0 class decls to leases file.
May 03 15:40:46 centos8.leizi.org dhcpd[5583]: Wrote 0 deleted host decls to leases file.
May 03 15:40:46 centos8.leizi.org dhcpd[5583]: Wrote 0 new dynamic host decls to leases file.
May 03 15:40:46 centos8.leizi.org dhcpd[5583]: Wrote 0 leases to leases file.
May 03 15:40:46 centos8.leizi.org dhcpd[5583]: Listening on LPF/eth0/00:0c:29:27:73:35/10.0.0.0/24
May 03 15:40:46 centos8.leizi.org dhcpd[5583]: Sending on LPF/eth0/00:0c:29:27:73:35/10.0.0.0/24
May 03 15:40:46 centos8.leizi.org dhcpd[5583]: Sending on Socket/fallback/fallback-net
May 03 15:40:46 centos8.leizi.org dhcpd[5583]: Server starting service.
May 03 15:40:46 centos8.leizi.org systemd[1]: Started DHCPv4 Server Daemon.