open***配置

最新推荐文章于 2024-08-16 18:41:12 发布

weixin_33884611

最新推荐文章于 2024-08-16 18:41:12 发布

阅读量121

点赞数

文章标签：网络开发工具 ldap

原文链接：http://blog.51cto.com/plking/1330468

版权

https://

web; ftp; ldap; samba; mail;

---------

open***

---------

××× 虚拟专用网络

PPTP
L2TP
IPSEC

open*** based ssl/pptp

172.16.254.250 172.16.35.6
+-----------------------+***
10.8.0.1 10.8.0.6
+-----------------------+***

----server----
# yum install ntp -y
# vim /etc/ntp.conf
-------------------------------
restrict 172.16.7.250 mask 255.255.255.0 nomodify notrap
------------------------------
# service ntpd restart
# watch -n 1 ntpq -p
# rpm -ivh *.rpm (lzo2-* open***)
# echo 1 > /proc/sys/net/ipv4/ip_forward
# cd /usr/share/doc/open***-2.0.9/
# cp -r easy-rsa /etc/open***/
# cp sample-config-files/server.conf /etc/open***/
# cd /etc/open***/
# cd easy-rsa/
# chmod +x *
# vi vars
---------------------
export KEY_COUNTRY=CN
export KEY_PROVINCE=liaoning
export KEY_CITY=shenyang
export KEY_ORG="uplooking"
export KEY_EMAIL="zhouxiaoyu@uplooking.com"
---------------------
# . vars
# ./clean-all
# ./build-ca
# ./build-key-server server
# ./build-key client
# ./build-dh

# cp ca.crt server.key server.crt dh1024.pem /etc/open***/
# vi server.conf
# grep -v '#' server.conf | grep -v ';' | grep -v ^$
----------------------------
local 172.16.254.250
port 53
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status open***-status.log
verb 3
--------------------------------
# service open*** start
# ifconfig tun0

---client---

# ntpdate 10.8.0.1
# yum install openssl-devel -y
# rpm -ivh *.rpm
# cp /usr/share/doc/open***-2.0.9/sample-config-files/client.conf /etc/open***/
# cd /etc/open***/
# scp 172.16.7.251:/etc/open***/easy-rsa/keys/ca.crt client.crt client.key /etc/open***
# vim client.conf

# grep -v '#' /etc/open***/client.conf | grep -v ';' | grep -v ^$
-------------------
client
dev tun
proto udp
remote 172.16.254.250 53  //(server IP)
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt             //与拷贝过来的文件名一致
cert client.crt
key client.key
comp-lzo
verb 3
-------------------
# service open*** start
# ifconfig tun0
# ping 10.8.0.1   如果可以ping通那么就证明***可用

注意时间同步的问题

××× 保证传输通道是被加密的
scp 保证传输过程是被加密的
openssl/gpg 保证文件是被加密的

01 srv1;srv2两台服务器，srv1是NTP server， srv2是*** server
02 使用open×××搭建起×××
03 双方使用scp进行数据交换，使用scp是不需要输入登录密码，需要输入私钥密码
# ssh-keygen
# scp /root/.ssh/id_isa.pub 10.8.0.1:/root/.ssh/authorized_keys2
04 被交换的文件使用openssl对称加密
# openssl enc -e -rc4 -in passwd -out passwd.enc
05 双方交换gpg方式的公钥
# gpg --import server22.pub
# gpg --encrypt --recipient server22 key
# scp key.gpg 172.16.7.251:/root/
# scp passwd.enc 10.8.0.6:/root/
06 使用对方公钥将写有对称加密的算法和密码文件进行加密
07 双方互换这个文件
08 解开密码文件，再解开被加密的数据文件
# gpg --decrypt key.gpg
# openssl enc -d -rc4 -in passwd.enc
09 所有交互过程均使用×××隧道进行通信

IDS ***检测系统

HIDS (host)
NIDS (network)

---HIDS---

01 tripwire

# rpm -ivh tripwire-2.4.1.1-1.el5.i386.rpm
# /usr/sbin/tripwire-setup-keyfiles
----//生成用来加密的key(site;local)

site keyfile
local keyfile

Signing configuration file...
Please enter your site passphrase:

Signing policy file...
Please enter your site passphrase:

# tripwire --init ----//初始化数据库
Please enter your local passphrase:

Wrote database file: /var/lib/tripwire/node1.uplooking.com.twd
The database was successfully generated.

# tripwire --check ----//根据规则文件，进行系统校验

由于原始的规则文件校验内容过多，我们要做适当删减

# tripwire --check | grep Filename > /tmp/nf.txt

# vi twnew.txt

-------------------------
#!/bin/bash

org_file=/etc/tripwire/twpol.txt
not_file=/tmp/nf.txt

tmp_file=tmp.txt
new_file=new.txt

cat $org_file > $tmp_file

for i in $(cat $not_file | cut -d ":" -f 2)
do
grep -v $i $tmp_file > $new_file
cat $new_file > $tmp_file
done
mv $org_file $org_file.bak
cat $new_file > $org_file

rm -f $tmp_file
rm -f $new_file
-----------------------------------

# sh twnew.sh

# twadmin -m P /etc/tripwire/twpol.txt
----//经过修改以后，重新生成校验规则文件

# tripwire --init

# tripwire --check

# cd /var/lib/tripwire/report ----//每次校验生成的报告存放的路径

# tripwire -m u -r node1.uplooking.com-20130924-150809.twr
----//读一个校验报告，只读最新的就可以
----//以前的报告可以用来检验是否遗漏哪些可以操作
# tripwire --check

02 AIDE

# yum install aide -y
# vi /etc/aide.conf
# aide --init
# ls /var/lib/aide
# cd /var/lib/aide
# ln -s aide.db.new.gz aide.db.gz
# aide -c /etc/aide.conf

# aide --update

转载于:https://blog.51cto.com/plking/1330468

weixin_33884611

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
open***配置

https://web;ftp;ldap;samba;mail;---------open***---------×××虚拟专用网络PPTPL2TPIPSECopen***basedssl/pptp172.16.254.250172.16.35.6+-----------------------+***10.8.0.1...
复制链接

扫一扫