-
1、 简述常见加密算法及常见加密算法原理,最好使用图例解说
常见加密算法:
-
对称加密:加密和解密使用同一个密钥;
DES:Data Encryption Standard;
3DES:Triple DES;
AES:Advanced Encryption Standard; (128bits, 192bits, 256bits, 384bits)
Blowfish
Twofish
DEA
RC6
CAST5
特性:
1、加密、解密使用同一个密钥;
2、将原始数据分割成为固定大小的块,逐个进行加密;
缺陷:
1、密钥过多;
2、密钥分发困难;
-
公钥加密:密钥分为公钥与私钥
公钥:从私钥中提取产生;可公开给所有人;pubkey
私钥:通过工具创建,使用者自己留存,必须保证其私密性;secret key;
特点:用公钥加密的数据,只能使用与之配对儿的私钥解密;反之亦然;
用途:
数字签名:主要在于让接收方确认发送方的身份;
密钥交换:发送方用对方公钥加密一个对称密钥,并发送给对方;
数据加密
算法:RSA, DSA, ELGamal
DSS: Digital Signature Standard
DSA:Digital Signature Algorithm
-
单向加密:即提出数据指纹;只能加密,不能解密;
特性:定长输出、雪崩效应;
功能:完整性;
算法:
md5:Message Digest 5, 128bits
sha1:Secure Hash Algorithm 1, 160bits
sha224, sha256, sha384, sha512 -
密钥交换: IKE(Internet Key Exchange)
公钥加密
DH(Deffie-Hellman)
A:p, g
B:p, gA: x --> p^x%g ==> B A: (p^y%g)^x=p^yx%g B: y --> p^y%g ==> A B: (p^x%g)^y=p^xy%g
-
2、 搭建apache或者nginx并使用自签证书实现https访问,自签名证书的域名自拟
此次我采用的是两Centos 7系统,CA主机为192.168.10.10,WEB主机为192.168.10.20
CA主机上创建私有CA
[root@localhost ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...+++
......+++
e is 65537 (0x10001)
[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 36You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guanxi
Locality Name (eg, city) [Default City]:liuzhou
Organization Name (eg, company) [Default Company Ltd]:ops
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server's hostname) []:xiaochen.com
Email Address []:
[root@localhost ~]# ls /etc/pki/CA/
cacert.pem certs crl newcerts private
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# touch {serial,index.txt}
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@localhost CA]# cat serial
01
[root@localhost ~]# rz
[root@localhost ~]# ls
anaconda-ks.cfg httpd.csr
[root@localhost ~]# openssl ca -in ./httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 12 14:18:27 2018 GMT
Not After : Nov 12 14:18:27 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = guanxi
organizationName = ops
organizationalUnitName = dev
commonName = xiaochen.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EB:53:54:71:C5:02:D9:8D:61:A9:0B:0A:9B:38:CE:38:DB:E1:E1:DF
X509v3 Authority Key Identifier:
keyid:29:78:85:34:33:F9:88:E4:43:87:DC:4C:67:26:EB:05:48:29:E8:38
Certificate is to be certified until Nov 12 14:18:27 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ~]# ls
anaconda-ks.cfg httpd.csr
[root@localhost ~]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=guanxi/O=ops/OU=dev/CN=xiaochen.com
[root@localhost ~]# scp /etc/pki/CA/certs/httpd.crt root@192.168.10.20:/etc/httpd/ssl/
root@192.168.10.20's password:
httpd.crt 100% 4431 2.2MB/s 00:00 WEB主机上配置相关服务
[root@localhost ~]# yum -y install httpd
[root@localhost ~]# yum -y install mod_ssl openssl
[root@localhost ~]# cd /etc/httpd/
[root@localhost httpd]# ls
conf conf.d conf.modules.d logs modules run
[root@localhost httpd]# mkdir ssl
[root@localhost httpd]# cd ssl/
[root@localhost ssl]# (umask 077;openssl genrsa -out ./httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
........................................................................................................+++
.......................................................+++
e is 65537 (0x10001)
[root@localhost ssl]# openssl req -new -key ./httpd.key -out ./httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guanxi
Locality Name (eg, city) [Default City]:liuzhou
Organization Name (eg, company) [Default Company Ltd]:ops
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server's hostname) []:xiaochen.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
[root@localhost ~]# vi /var/www/html/index.html
[root@localhost ~]# systemctl restart httpd.serviceWeb页面访问
-
3、简述DNS服务器原理,并搭建主-辅服务器
-
DNS服务器原理:
DNS也就是Domain Name Service的缩写,它的作用就是通过域名查找IP地址。DNS查询的类型对DNS于客户端来说是递归查询,对于DNS服务器端来说,绝大多数是迭代查询,在它的解析中,从名称到IP的查询叫做正向解析,而从IP到名称的查询叫做反向解析。如果DNS服务器至少解析了一个或一个以上的域叫做DNS主服务器或者DNS辅助服务器,如果不负责任何解析叫做DNS缓存服务器。现全球一共分布了13台DNS根服务器,名称为A至M。 -
域名解析过程:
- 客户访问时,查找自己的hosts文件,有则返回,无则查找DNS服务器。
2.DNS服务器查找中先从顶级域到二级域,分别获取他们的IP地址,然后最终获得域名的IP地址,找到服务器。
- 客户访问时,查找自己的hosts文件,有则返回,无则查找DNS服务器。
- DNS区域数据库文件:
资源记录(resource record 简称rr)的类型有以下几种:
SOA:起始授权记录,只能有一个,必须放在第一条
NS:域名服务记录,其中一个为主,可以有多个
A:IPV4地址记录
AAAA:IPV6地址记录
CNAME:别名记录
PTR:反向解析记录
MX:邮件交换器
搭建主-辅服务器
安装软件
[root@localhost ~]# yum -y install bind
[root@localhost ~]# yum -y install bind-utils
[root@localhost ~]# systemctl start named
[root@localhost ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 9952/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 960/sshd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 9952/named
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1099/master
tcp6 0 0 ::1:53 :::* LISTEN 9952/named
tcp6 0 0 :::22 :::* LISTEN 960/sshd
tcp6 0 0 ::1:953 :::* LISTEN 9952/named
tcp6 0 0 ::1:25 :::* LISTEN 1099/master
udp 0 0 127.0.0.1:53 0.0.0.0:* 9952/named
udp6 0 0 ::1:53 :::* 9952/named 配置环境:
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.10.10
[root@localhost ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 192.168.10.10; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";配置解析一个正向区域
[root@localhost ~]# vi /etc/named.rfc1912.zones
zone "test.com" IN {
type master;
file "test.com.zone";
};
[root@localhost ~]# cat /var/named/test.com.zone
$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
2018111301
1H
10M
3D
1D )
IN NS ns1
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 192.168.10.10
MX1 IN A 192.168.10.20
MX2 IN A 192.168.10.20
www IN A 192.168.10.10
web IN CNAME www
[root@localhost ~]# chgrp named /var/named/test.com.zone
[root@localhost ~]# chmod o= /var/named/test.com.zone
[root@localhost ~]# named-checkconf
[root@localhost ~]# named-checkzone test.com /var/named/test.com.zone
zone test.com/IN: loaded serial 2018111301
OKDNS主服务器正向解析测试
[root@localhost ~]# dig -t -A www.test.com
;; Warning, ignoring invalid type -A
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t -A www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27177
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 3600 IN A 192.168.10.10
;; AUTHORITY SECTION:
test.com. 3600 IN NS ns1.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 3600 IN A 192.168.10.10
;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Tue Nov 13 22:20:40 CST 2018
;; MSG SIZE rcvd: 91
[root@localhost ~]# dig -t -A web.test.com
;; Warning, ignoring invalid type -A
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t -A web.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57437
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;web.test.com. IN A
;; ANSWER SECTION:
web.test.com. 3600 IN CNAME www.test.com.
www.test.com. 3600 IN A 192.168.10.10
;; AUTHORITY SECTION:
test.com. 3600 IN NS ns1.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 3600 IN A 192.168.10.10
;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Tue Nov 13 22:21:07 CST 2018
;; MSG SIZE rcvd: 109配置反向区域
[root@localhost ~]# vi /etc/named.rfc1912.zones
zone "10.168.192.in-addr.arpa" IN {
type master;
file "192.168.10.zone";
};
[root@localhost ~]# cat /var/named/192.168.10.zone
$TTL 3600
$ORIGIN 10.168.192.in-addr.arpa.
@ IN SOA ns1.test.com. nsadmin.test.com. (
2018111301
1H
10M
3D
12H )
IN NS ns1.test.com.
10 IN PTR ns1.test.com.
20 IN PTR mx1.test.com.
20 IN PTR mx2.test.com.
10 IN PTR www.test.com.
[root@localhost ~]# chgrp named /var/named/192.168.10.zone
[root@localhost ~]# chmod o= /var/named/192.168.10.zone
[root@localhost ~]# named-checkconf
[root@localhost ~]# named-checkzone 10.168.192.in-addr.arpa /var/named/192.168.10.zone
zone 10.168.192.in-addr.arpa/IN: loaded serial 2018111301
OK主服务器反向测试
[root@localhost ~]# dig -x 192.168.10.10
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -x 192.168.10.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2714
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;10.10.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
10.10.168.192.in-addr.arpa. 3600 IN PTR www.test.com.
10.10.168.192.in-addr.arpa. 3600 IN PTR ns1.test.com.
;; AUTHORITY SECTION:
10.168.192.in-addr.arpa. 3600 IN NS ns1.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 3600 IN A 192.168.10.10
;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Tue Nov 13 22:37:57 CST 2018
;; MSG SIZE rcvd: 129设置辅DNS服务器
[root@localhost ~]# yum -y install bind bind-utils
[root@localhost ~]# systemctl start named.service
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.10.20
[root@localhost ~]# vi /etc/named.rfc1912.zones
zone "test.com" IN {
type slave;
file "slaves/test.com.zone";
masters { 192.168.10.10; };
};在主服务器上添加内容
[root@localhost ~]# cat /var/named/test.com.zone
$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
2018111309
1H
10M
3D
1D )
IN NS ns1
IN NS ns2
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 192.168.10.10
ns2 IN A 192.168.10.20
MX1 IN A 192.168.10.21
MX2 IN A 192.168.10.22
www IN A 192.168.10.10
web IN CNAME www
pop3 IN A 192.168.10.25
[root@localhost ~]# named-checkzone test.com /var/named/test.com.zone
zone test.com/IN: loaded serial 2018111309
OK
[root@localhost ~]# rndc reload
server reload successful测试辅助服务器
[root@localhost slaves]# dig -t A www.test.com @192.168.10.20
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> -t A www.test.com @192.168.10.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45851
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 3600 IN A 192.168.10.10
;; AUTHORITY SECTION:
test.com. 3600 IN NS ns2.test.com.
test.com. 3600 IN NS ns1.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 3600 IN A 192.168.10.10
ns2.test.com. 3600 IN A 192.168.10.20
;; Query time: 0 msec
;; SERVER: 192.168.10.11#53(192.168.10.11)
;; WHEN: Thu May 31 23:20:16 EDT 2018
;; MSG SIZE rcvd: 125辅助服务器反向解析IP
[root@localhost ~]# dig -x 192.168.10.10 @192.168.10.20
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> -x 192.168.10.10 @192.168.10.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50592
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;10.10.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
10.10.168.192.in-addr.arpa. 3600 IN PTR ns1.test.com.
10.10.168.192.in-addr.arpa. 3600 IN PTR www.test.com.
;; AUTHORITY SECTION:
10.168.192.in-addr.arpa. 3600 IN NS ns2.test.com.
10.168.192.in-addr.arpa. 3600 IN NS ns1.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 3600 IN A 192.168.10.10
ns2.test.com. 3600 IN A 192.168.10.20
;; Query time: 1 msec
;; SERVER: 192.168.10.11#53(192.168.10.20
;; WHEN: Fri Jun 01 02:25:17 EDT 2018
;; MSG SIZE rcvd: 163至此,主辅DNS服务器搭建完成
-
4、搭建并实现智能DNS
以192.168.10.10为例搭建智能DNS
修改DNS的named.conf的配置文件
view internal {
match-clients { 192.168.10.10; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
view external {
match-clients { any; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};建立两份数据文件
[root@localhost ~]# cat /var/named/test.com/internal
$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
2018111602
1H
10M
3D
1D )
IN NS ns1
ns1 IN A 192.168.10.10
www IN A 1.1.1.1
web IN CNAME www
bbs IN A 1.1.1.2
bbs IN A 1.1.1.3
[root@localhost ~]# cat /var/named/test.com/external
$TTL 3600
$ORIGIN test.com.
@ IN SOA ns1.test.com. dnsadmin.test.com. (
2018111501
1H
10M
3D
1D )
IN NS ns1
ns1 IN A 192.168.10.10
www IN A 192.168.10.10
web IN CNAME www
bbs IN A 192.168.10.20
bbs IN A 192.168.10.20设置权限
[root@localhost ~]# named-checkconf
[root@localhost ~]# named-checkzone test.com /var/named/test.com/internal
zone test.com/IN: loaded serial 2018111602
OK
[root@localhost ~]# named-checkzone test.com /var/named/test.com/external
zone test.com/IN: loaded serial 2018111501
OK
[root@localhost ~]# chgrp named /var/named/test.com/{internal,external}
[root@localhost ~]# chmod o= /var/named/test.com/{internal,external}
[root@localhost ~]# rndc reload
server reload successful解析内网IP
[root@localhost ~]# dig -t A www.test.com @192.168.10.10
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.test.com @192.168.10.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38238
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 3600 IN A 192.168.10.10
;; AUTHORITY SECTION:
test.com. 3600 IN NS ns2.test.com.
test.com. 3600 IN NS ns1.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 3600 IN A 192.168.10.10
ns2.test.com. 3600 IN A 192.168.10.20
;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Fri Nov 16 14:58:57 CST 2018
;; MSG SIZE rcvd: 125解析外网IP
[root@localhost ~]# dig -t A www.test.com @192.168.10.10
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.test.com @192.168.10.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18774
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 3600 IN A 1.1.1.1
;; AUTHORITY SECTION:
test.com. 3600 IN NS ns1.test.com.
test.com. 3600 IN NS ns2.test.com.
;; ADDITIONAL SECTION:
ns1.test.com. 3600 IN A 192.168.10.10
ns2.test.com. 3600 IN A 192.168.10.20
;; Query time: 0 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Fri Nov 16 15:19:01 CST 2018
;; MSG SIZE rcvd: 125转载于:https://blog.51cto.com/13929964/2317996
3628
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
