1. Create a private CA and issue a certificate for a request.
1. Create the files the CA needs
touch /etc/pki/CA/index.txt      # certificate index database
echo 01 > /etc/pki/CA/serial     # serial number of the first certificate to be issued
2. Generate the CA's signing private key
cd /etc/pki/CA/
(umask 066; openssl genrsa -out private/cakey.pem 2048)    # umask 066 makes the key file mode 0600; the CA key must never be readable by other users
3. Generate the CA's self-signed certificate
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
4. On the host that needs a certificate
① Generate the private key for the certificate request
(umask 066; openssl genrsa -out /data/test.key 2048)
② Generate the certificate signing request (CSR)
openssl req -new -key /data/test.key -out /data/test.csr
5. Transfer the CSR to the CA (only the .csr is sent, the private key stays on the requesting host; in the next step it is assumed to have been copied to /tmp/test.csr on the CA)
6. The CA signs the certificate and returns it to the requester
openssl ca -in /tmp/test.csr -out /etc/pki/CA/certs/test.crt -days 100
(Note: with the default policy_match policy in openssl.cnf, the countryName, stateOrProvinceName and organizationName of the request must be identical to those of the CA certificate, otherwise openssl ca refuses to sign)
View the information in a certificate:
openssl x509 -in /PATH/FROM/CERT_FILE -noout -text    # or -issuer, -subject, -serial, -dates for a single field
openssl ca -status SERIAL    # show the status (V = valid, R = revoked) of the certificate with that serial number
Revoking a certificate
1. On the client, get the serial number of the certificate to be revoked
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
2. On the CA, compare the serial and subject submitted by the client with the entry in index.txt to make sure they refer to the same certificate
3. Revoke the certificate:
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem    # newcerts/ holds the CA's copy of every issued certificate, named by serial number
4. Set the number of the first CRL. Note: this is done only once, before the CRL is generated for the first time
echo 01 > /etc/pki/CA/crlnumber
5. Generate (update) the certificate revocation list; the revocation only takes effect for a client once it has fetched this new CRL
openssl ca -gencrl -out /etc/pki/CA/crl.pem
View the CRL:
openssl crl -in /etc/pki/CA/crl.pem -noout -text
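The whole workflow above, as an added example that is not part of the original notes: a bash script that builds a disposable CA in a temporary directory (so it does not touch /etc/pki/CA and needs no root) with its own minimal openssl.cnf reproducing the default policy_match rule, issues a certificate, shows that a request whose organizationName differs from the CA's is rejected, revokes the certificate, generates the CRL and shows that verification with -crl_check then fails. The organisation "Example Ltd", every subject and every file name are invented for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): a throwaway private CA built in a
# temporary directory instead of /etc/pki/CA, so the whole issue -> verify ->
# revoke -> CRL cycle can be run as an ordinary user. Subjects and names are invented.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; nothing to demo"; exit 0; }

CA_SUBJ="/C=CN/ST=Beijing/O=Example Ltd/CN=Example Root CA"

# Directory layout plus a minimal openssl.cnf for 'openssl ca'. policy_match
# reproduces the default rule: C, ST and O of a request must equal the CA's.
make_ca() {                       # $1 = CA directory
  local dir="$1"
  mkdir -p "$dir/private" "$dir/certs" "$dir/newcerts"
  chmod 700 "$dir/private"
  : > "$dir/index.txt"            # certificate database
  echo 01 > "$dir/serial"         # first serial number to issue
  echo 01 > "$dir/crlnumber"      # first CRL number
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 100
default_crl_days = 30
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # CA key under a restrictive umask, then a 10-year self-signed root certificate
  (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$dir/private/cakey.pem" -days 3650 \
    -config "$dir/openssl.cnf" -subj "$CA_SUBJ" -out "$dir/cacert.pem" 2>/dev/null
}

# Requester side: key + CSR. CA side: 'openssl ca -batch' signs without prompting.
# Returns openssl ca's exit status, so a policy mismatch shows up as failure.
issue_cert() {                    # $1 = CA dir, $2 = name, $3 = subject
  local dir="$1" name="$2" subj="$3"
  (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/$name.key" -config "$dir/openssl.cnf" \
    -subj "$subj" -out "$dir/$name.csr" 2>/dev/null
  openssl ca -batch -notext -config "$dir/openssl.cnf" \
    -in "$dir/$name.csr" -out "$dir/certs/$name.crt" 2>/dev/null
}

# Verify a certificate against the CA; with a third argument (CRL file) the CRL
# is also enforced. -CAfile accepts a PEM file holding both the CA cert and CRLs.
verify_cert() {                   # $1 = CA dir, $2 = cert, [$3 = CRL]; exit 0 = valid
  local dir="$1" cert="$2" crl="${3:-}"
  if [ -n "$crl" ]; then
    cat "$dir/cacert.pem" "$crl" > "$dir/trust_with_crl.pem"
    openssl verify -crl_check -CAfile "$dir/trust_with_crl.pem" "$cert" >/dev/null 2>&1
  else
    openssl verify -CAfile "$dir/cacert.pem" "$cert" >/dev/null 2>&1
  fi
}

cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }   # e.g. 01

# CA side: mark the certificate revoked in index.txt, then regenerate the CRL
revoke_cert() {                   # $1 = CA dir, $2 = certificate file
  openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# index.txt is tab separated: status (V/R), expiry, revocation date, serial, file, subject
db_status() {                     # $1 = CA dir, $2 = serial -> prints V or R
  awk -v s="$2" -F'\t' '$4 == s { print $1 }' "$1/index.txt"
}

demo_ca_workflow() {              # $1 = scratch directory
  local dir="$1"
  make_ca "$dir"
  issue_cert "$dir" test "/C=CN/ST=Beijing/O=Example Ltd/CN=test.example.com"
  if verify_cert "$dir" "$dir/certs/test.crt"; then
    echo "issued: serial $(cert_serial "$dir/certs/test.crt") verifies against the CA"
  fi
  if ! issue_cert "$dir" rogue "/C=CN/ST=Beijing/O=Other Corp/CN=rogue.example.com"; then
    echo "rejected: organizationName differs from the CA (policy_match)"
  fi
  revoke_cert "$dir" "$dir/certs/test.crt"
  if ! verify_cert "$dir" "$dir/certs/test.crt" "$dir/crl.pem"; then
    echo "revoked: serial $(cert_serial "$dir/certs/test.crt") is $(db_status "$dir" 01) and fails -crl_check"
  fi
}

demo_ca_workflow "$(mktemp -d)"
```

Each run uses a fresh mktemp directory; the index.txt, serial and crlnumber files the notes create by hand in /etc/pki/CA are created here in the same way, and db_status reads the same V/R column that openssl ca -status reports.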
2局服、總結ssh常用參數钓瞭、用法
ssh命令是ssh客戶端,允許實現對遠程系統(tǒng)經驗證地加密安全訪問淫奔。
格式:
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
說明:以上兩種方式都可以遠程登錄到遠程主機山涡,server代表遠程主機,name為登錄遠程主機的用戶名唆迁。
常見選項:
-p port? #遠程服務器監(jiān)聽的端口
-b? #指定連接的源IP
-v? #調試模式
-C? #壓縮方式
-X? #支持x11轉發(fā)
-t? #強制偽tty分配鸭丛,如:
ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o? option 如:-o StrictHostKeyChecking=no
-i <file>? #指定私鑰文件路徑,實現基于key驗證唐责,默認使用文件: ~/.ssh/id_dsa,
~/.ssh/id_ecdsa, ~/.ssh/id_ed25519鳞溉,~/.ssh/id_rsa等
1. Connect to a specific port on the remote host:
Command format:
ssh name@remoteserver -p 9999   or
ssh remoteserver -l name -p 9999
Note: -p gives the port number. When a router port-forwards to the host, port 22 is usually not exposed directly but mapped to some other port, so the client must use -p with that port.
2. Reach remote host 2 through remote host 1:
Command format:
ssh -t remoteserver1 ssh remoteserver2
Note: when remoteserver2 cannot be reached directly, -t forces a tty so that the inner ssh running on remoteserver1 can prompt for remoteserver2's password. You enter the password for remoteserver1 first, then the one for remoteserver2, and then work on remoteserver2. The second password is typed into a shell on remoteserver1, so that host could capture it; OpenSSH 7.3 and later offer ssh -J remoteserver1 remoteserver2 (ProxyJump), which tunnels the connection end to end and never exposes the credentials for remoteserver2 to the jump host.
3. Run a shell command on the remote host over SSH:
Command format:
ssh -l name remoteserver 'command'
Note: connects to the remote host and runs command there, for example to check the remote host's memory usage:
$ ssh -l root 10.0.0.150 svmon -G    # svmon is the AIX memory report; on Linux use free -m
4. Change the SSH listening port:
By default sshd listens on port 22, the first thing any scanner looks at. Moving it to a port above 1024 reduces the noise from bots and casual scans, but it is obscurity, not a security control: nmap's default scan covers the 1000 most common ports, and a full sweep (nmap -p-) finds the service on any port. Open /etc/ssh/sshd_config and find the line:
Port 22
Remove the leading #, change the port number, open the new port in the firewall (and, with SELinux enforcing, allow it with semanage port -a -t ssh_port_t -p tcp PORT), then restart the SSH service, keeping the current session open until the new port is confirmed to work:
$ /etc/init.d/ssh restart    # on systemd hosts: systemctl restart sshd (the unit is named ssh on Debian/Ubuntu)
5浙巫、僅允許SSH協議版本2:
有兩個SSH協議版本金蜀,僅使用SSH協議版本2會更安全刷后,SSH協議版本1有安全問題,包括中間人攻擊(man-in-the-middle)和注入(insertion)攻擊渊抄。編輯/etc/ssh/sshd_config文件并查找下面這樣的行:
# Protocol 2尝胆,1
修改為
Protocol 2
6. Disable root login:
Logging in directly as root is normally avoided: root has unrestricted privileges, so exposing that account to remote login is a risk (it is also the account every brute-force bot tries first). Log in as an ordinary user and switch to root with su or sudo when the host needs administering. Open /etc/ssh/sshd_config and find the line:
#PermitRootLogin yes
Remove the # and change yes to no, then restart the ssh service; root can then no longer log in over SSH. (If automation needs root with a key, PermitRootLogin prohibit-password allows key-based root login and still blocks passwords.)
7兰迫、設置登錄時提示信息
首先編輯一個文件信殊,如bannertest.txt,文件內容自行定義汁果。然后打開/etc/ssh/sshd_config文件并查找下面這樣的行:
#Banner /some/path
將#號去掉涡拘,然后將bannertest.txt文件的全路徑替換/some/path,然后保存据德,重啟ssh服務鳄乏。當客戶端登錄時,就會看到bannertest.txt文件中的提示信息棘利。
8橱野、進行端口映射:
假如公司內網有臺web服務器,但是只對內不對外善玫,這樣水援,外網就無法訪問,可以用ssh進行端口映射來實現外網訪問內網的web服務器蝌焚。假如web服務器名為webserver裹唆,webserver可以用ssh訪問到遠端主機remoteserver,登錄到webserver只洒,然后用下面命令進行映射
命令格式:
ssh -R 3000:localhost:80 remoteserver
執(zhí)行完成后许帐,在remoteserver機器上,執(zhí)行netstat -an | grep 3000毕谴,查看有沒有開通3000端口成畦。并執(zhí)行以下命令觀察是否可以打開webserver上的網頁
$ w3m http://127.0.0.1:3000
如果能打開界面距芬,說明映射成功.但是,這只限于本機訪問web服務器循帐,即只能remoteserver機器訪問webserver框仔。因為3000端口綁定的是remoteserver機器的127.0.0.1端口≈粞可以編輯remoteserver機器上的/etc/ssh/sshd_config文件并添加如下內容:
添加 GatewayPorts yes 內容离斩,把監(jiān)聽端口3000綁定到 0.0.0.0 地址上,這樣外部的所有機器都能訪問到這個監(jiān)聽端口瘪匿,然后保存退出跛梗。并重啟ssh服務。完成后其它機器就可以在瀏覽器中輸入 http://remoteserver:3000來訪問webserver了棋弥。
3核偿、總結sshd服務常用參數。
sshd:openssh服務器守護進程顽染。
服務器端:sshd
服務器端的配置文件: /etc/ssh/sshd_config
常用參數:
Port? #生產建議修改
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes? #默認ubuntu不允許root遠程ssh登錄
StrictModes yes? #檢查.ssh/文件的所有者漾岳,權限等
MaxAuthTries 6? #pecifies the maximum number of authentication
attempts permitted per connection. Once the number of failures reaches half this
value, additional failures are logged. The default is 6.
MaxSessions 10? #同一個連接最大會話
PubkeyAuthentication yes? #基于key驗證
PermitEmptyPasswords no? #空密碼連接
PasswordAuthentication yes? #基于用戶名和密碼連接
GatewayPorts no
ClientAliveInterval 10? #單位:秒
ClientAliveCountMax 3? #默認3
UseDNS yes? #提高速度可改為no
GSSAPIAuthentication yes? #提高速度可改為no
MaxStartups? #未認證連接最大值,默認值10
Banner /path/file
#以下可以限制可登錄用戶的辦法:
AllowUsers user1 user2 user3
DenyUsers user1 user2 user3
AllowGroups g1 g2
DenyGroups g1 g2
ssh service best practices:
(1) Use a non-default port
(2) Disable protocol version 1
(3) Restrict which users may log in
(4) Set an idle session timeout
(5) Control ssh access with firewall rules
(6) Listen only on specific IP addresses
(7) When password authentication is used, enforce a strong password policy, for example generating passwords with: tr -dc A-Za-z0-9_ < /dev/urandom | head -c 12|xargs
(8) Use key-based authentication
(9) Forbid empty passwords
(10) Forbid direct root login
(11) Limit the ssh connection rate and the number of concurrent sessions
(12) Review the logs regularly
Appendix: SSH operations summary (https://www.cnblogs.com/kevingrace/p/6110842.html)
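As an added example, not from the original notes, covering both the sshd_config edits in section 2 and the parameter list and best-practice list in section 3: a bash script that reads an sshd_config and reports which of the practices above it violates. It parses only the "Directive value" form, stops at the first Match block (directives there are conditional), and takes the first occurrence of a directive as effective, as sshd does. The two configuration files it writes are constructed for the demo, and the defaults it assumes for absent directives are those of a recent OpenSSH.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: audit an sshd_config against the
# hardening points above. Handles the whitespace "Directive value" form only,
# stops at the first Match block, and treats the first occurrence of a directive
# as effective (sshd's rule). Sample configs are constructed, not real hosts.
set -eu

# Effective value of a directive, or $3 when the file does not set it.
sshd_get() {                      # $1 = config file, $2 = directive, $3 = default
  local v
  v=$(awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ { next }                          # comment
        NF == 0 { next }                                   # blank line
        tolower($1) == "match" { exit }                    # conditional section begins
        tolower($1) == key { print $2; exit }              # first occurrence wins
      ' "$1")
  printf '%s\n' "${v:-$3}"
}

# One FINDING: line per weak setting, numbered after the best-practice list.
# Assumed defaults for absent directives: Port 22, Protocol 2, ClientAliveInterval 0,
# PasswordAuthentication yes, PermitEmptyPasswords no. PermitRootLogin's default
# varies by version, so an absent directive is reported as well.
audit_sshd_config() {             # $1 = config file
  local f="$1" v
  v=$(sshd_get "$f" Port 22)
  [ "$v" != 22 ] || echo "FINDING: Port 22 - still on the default port (practice 1)"
  v=$(sshd_get "$f" Protocol 2)
  case ",$v," in *,1,*) echo "FINDING: Protocol $v - SSH-1 enabled (practice 2)";; esac
  if [ -z "$(sshd_get "$f" AllowUsers '')" ] && [ -z "$(sshd_get "$f" AllowGroups '')" ]; then
    echo "FINDING: no AllowUsers/AllowGroups - every local account may log in (practice 3)"
  fi
  v=$(sshd_get "$f" ClientAliveInterval 0)
  [ "$v" != 0 ] || echo "FINDING: ClientAliveInterval 0 - idle sessions never time out (practice 4)"
  v=$(sshd_get "$f" PasswordAuthentication yes)
  [ "$v" != yes ] || echo "FINDING: PasswordAuthentication yes - prefer key-based auth (practice 8)"
  v=$(sshd_get "$f" PermitEmptyPasswords no)
  [ "$v" != yes ] || echo "FINDING: PermitEmptyPasswords yes (practice 9)"
  v=$(sshd_get "$f" PermitRootLogin unset)
  [ "$v" = no ] || echo "FINDING: PermitRootLogin $v - root may log in directly (practice 10)"
  return 0
}

count_findings() { audit_sshd_config "$1" | grep -c '^FINDING' || true; }

write_weak_config() {             # $1 = path; constructed example of a weak sshd_config
  cat > "$1" <<'EOF'
# constructed sample for the demo, not a real host
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
Protocol 2,1
ClientAliveInterval 0
Match User backup
    PasswordAuthentication no
EOF
}

write_hardened_config() {         # $1 = path; the same host after applying the practices
  cat > "$1" <<'EOF'
Port 2222
ListenAddress 10.0.0.7
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
AllowGroups sshadmins
Banner /etc/issue.net
EOF
}

tmp=$(mktemp -d)
write_weak_config "$tmp/sshd_config.weak"
write_hardened_config "$tmp/sshd_config.hardened"
for c in weak hardened; do
  echo "== $c: $(count_findings "$tmp/sshd_config.$c") finding(s)"
  audit_sshd_config "$tmp/sshd_config.$c"
done
```

Point it at a real file with audit_sshd_config /etc/ssh/sshd_config; note that the PasswordAuthentication no inside the Match block of the weak sample is correctly ignored for the global verdict, because it applies to one user only.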
4. Set up a DHCP service that hands out IP addresses
Configure the DHCP service
[root@centos6 ~]#cp /usr/share/doc/dhcp-4.1.1/dhcpd.conf.sample /etc/dhcp/dhcpd.conf
[root@centos6 ~]#vim /etc/dhcp/dhcpd.conf
[root@centos6 ~]#cat /etc/dhcp/dhcpd.conf
option domain-name "example.com";
option domain-name-servers 10.0.0.1;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.1 10.0.0.200;
  option routers 10.0.0.1;
  filename "pxelinux.0";
  next-server 10.0.0.100;
}
[root@centos6 ~]#service dhcpd start
DHCP implementation:
Notes:
(1) Before bringing up the DHCP service, shut down any DHCP server already on the network (for example VMware's built-in DHCP) to avoid conflicts
(2) The DHCP server itself uses a static IP
(3) There must be a subnet declaration for the network of the static IP on the interface dhcpd serves, otherwise the DHCP service will not start
(4) Keep the router, the DNS server and the DHCP server's own address out of range: the CentOS 6 sample above starts its range at 10.0.0.1, which is also option routers, so a client could be handed the gateway's address; start the range above the infrastructure addresses (the CentOS 7 configuration below uses 10.0.0.150 to 10.0.0.180)
Software implementing the DHCP service:
dhcp (CentOS 7 and earlier) or dhcp-server (the package name in CentOS 8)
dhcp service configuration file: /etc/dhcp/dhcpd.conf
dhcp sample configuration file: /usr/share/doc/dhcp*/dhcpd.conf.example
1. Disable DHCP in VMware
2. Install dhcp
[root@centos7 ~]#yum install -y dhcp
3. Copy and edit the configuration file, giving a specific host a fixed IP
[root@centos7 ~]#rpm -ql dhcp
/etc/NetworkManager
/etc/NetworkManager/dispatcher.d
/etc/NetworkManager/dispatcher.d/12-dhcpd
/etc/dhcp/dhcpd.conf
/etc/dhcp/dhcpd6.conf
/etc/dhcp/scripts
/etc/dhcp/scripts/README.scripts
/etc/openldap/schema/dhcp.schema
/etc/sysconfig/dhcpd
/usr/bin/omshell
/usr/lib/systemd/system/dhcpd.service
/usr/lib/systemd/system/dhcpd6.service
/usr/lib/systemd/system/dhcrelay.service
/usr/sbin/dhcpd
/usr/sbin/dhcrelay
/usr/share/doc/dhcp-4.2.5
/usr/share/doc/dhcp-4.2.5/dhcpd.conf.example
/usr/share/doc/dhcp-4.2.5/dhcpd6.conf.example
/usr/share/doc/dhcp-4.2.5/ldap
/usr/share/doc/dhcp-4.2.5/ldap/README.ldap
/usr/share/doc/dhcp-4.2.5/ldap/dhcp.schema
/usr/share/doc/dhcp-4.2.5/ldap/dhcpd-conf-to-ldap
/usr/share/man/man1/omshell.1.gz
/usr/share/man/man5/dhcpd.conf.5.gz
/usr/share/man/man5/dhcpd.leases.5.gz
/usr/share/man/man8/dhcpd.8.gz
/usr/share/man/man8/dhcrelay.8.gz
/usr/share/systemtap/tapset/dhcpd.stp
/var/lib/dhcpd
/var/lib/dhcpd/dhcpd.leases
/var/lib/dhcpd/dhcpd6.leases
[root@centos7 ~]#cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cp: overwrite ‘/etc/dhcp/dhcpd.conf’? y
[root@centos7 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:33:b7:af brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.7/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::31c3:e200:902b:ae0e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
[root@centos7 ~]#vim /etc/dhcp/dhcpd.conf
[root@centos7 ~]#cat /etc/dhcp/dhcpd.conf
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers 223.5.5.5, 180.76.76.76;
default-lease-time 86400;
max-lease-time 106400;
# Use this to enable / disable dynamic dns updates globally.
#ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# Subnet of the server's own interface (eth0 is 10.0.0.7/24); the range
# leaves out the router (10.0.0.2) and the server itself.
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.150 10.0.0.180;
  option routers 10.0.0.2;
}
# This is a very basic subnet declaration.
subnet 10.254.239.0 netmask 255.255.255.224 {
  range 10.254.239.10 10.254.239.20;
  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
subnet 10.254.239.32 netmask 255.255.255.224 {
  range dynamic-bootp 10.254.239.40 10.254.239.60;
  option broadcast-address 10.254.239.31;
  option routers rtr-239-32-1.example.org;
}
# A slightly different configuration for an internal subnet.
subnet 10.5.5.0 netmask 255.255.255.224 {
  range 10.5.5.26 10.5.5.30;
  option domain-name-servers ns1.internal.example.org;
  option domain-name "internal.example.org";
  option routers 10.5.5.1;
  option broadcast-address 10.5.5.31;
  default-lease-time 600;
  max-lease-time 7200;
}
# Hosts which require special configuration options can be listed in
# host statements.  If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
host testhost {
  hardware ethernet 00:0c:29:33:b7:af;
  fixed-address 10.0.0.123;
}
host passacaglia {
  hardware ethernet 0:0:c0:5d:bd:95;
  filename "vmunix.passacaglia";
  server-name "toccata.fugue.com";
}
# Fixed IP addresses can also be specified for hosts.  These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP.  Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
host fantasia {
  hardware ethernet 08:00:07:26:c0:a5;
  fixed-address fantasia.fugue.com;
}
# You can declare a class of clients and then do address allocation
# based on that.  The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
class "foo" {
  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
}
shared-network 224-29 {
  subnet 10.17.224.0 netmask 255.255.255.0 {
    option routers rtr-224.example.org;
  }
  subnet 10.0.29.0 netmask 255.255.255.0 {
    option routers rtr-29.example.org;
  }
  pool {
    allow members of "foo";
    range 10.17.224.10 10.17.224.250;
  }
  pool {
    deny members of "foo";
    range 10.0.29.10 10.0.29.230;
  }
}
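Before starting dhcpd, the configuration can be checked for the mistakes the notes warn about: a range outside its subnet, a range that contains the router (as the CentOS 6 sample with range 10.0.0.1 10.0.0.200 and option routers 10.0.0.1 does) or the DHCP server's own address, and no subnet declaration covering the server's static address (note 3, which makes dhcpd refuse to start). Added example, not part of the original notes: a bash script with a minimal parser for simple subnet { range ...; option routers ...; } blocks (pool and shared-network blocks and router hostnames are not evaluated); both dhcpd.conf files it writes are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): sanity-check a dhcpd.conf before
# starting dhcpd. Every range must lie inside its subnet and must not contain
# the router or the server's own address, and one subnet declaration must cover
# the server's static address. The config files written here are constructed.
set -eu

ip2int() {                        # dotted quad -> integer (no leading zeros)
  local IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Flatten each "subnet X netmask Y { ... }" block to one line:
#   net mask range_lo range_hi router   ("-" where absent)
# Only the first range and first routers option of a block are kept; a pool
# inside a subnet would end the block early, which is a documented limitation.
subnets() {                       # $1 = dhcpd.conf
  awk '
    { sub(/#.*/, "") }                                   # strip comments
    $1 == "subnet" && $3 == "netmask" { net=$2; mask=$4; lo=hi=rtr="-"; inblk=1; next }
    inblk && $1 == "range" { lo=$2; hi=$3; if (lo == "dynamic-bootp") { lo=$3; hi=$4 } }
    inblk && $1 == "option" && $2 == "routers" { rtr=$3 }
    inblk && /}/ { gsub(/[;,]/, "", lo); gsub(/[;,]/, "", hi); gsub(/[;,]/, "", rtr)
                   print net, mask, lo, hi, rtr; inblk=0 }
  ' "$1"
}

# One PROBLEM: line per issue found; always exits 0 so callers can count them.
check_dhcpd_conf() {              # $1 = dhcpd.conf, $2 = server's static IP
  local f="$1" srv="$2" covers=0 flat net mask lo hi rtr n m l h r s
  s=$(ip2int "$srv")
  flat=$(mktemp); subnets "$f" > "$flat"
  while read -r net mask lo hi rtr; do
    n=$(ip2int "$net"); m=$(ip2int "$mask")
    [ $(( s & m )) -ne $(( n & m )) ] || covers=1
    [ "$lo" != "-" ] || continue                         # subnet without a range
    l=$(ip2int "$lo"); h=$(ip2int "$hi")
    if [ $(( l & m )) -ne $(( n & m )) ] || [ $(( h & m )) -ne $(( n & m )) ] || [ "$l" -gt "$h" ]; then
      echo "PROBLEM: range $lo-$hi is not inside $net/$mask"
    fi
    case "$rtr" in
      -|*[!0-9.]*) ;;                                    # absent or a hostname: skipped
      *) r=$(ip2int "$rtr")
         if [ "$r" -ge "$l" ] && [ "$r" -le "$h" ]; then
           echo "PROBLEM: router $rtr lies inside range $lo-$hi and could be leased to a client"
         fi ;;
    esac
    if [ "$s" -ge "$l" ] && [ "$s" -le "$h" ]; then
      echo "PROBLEM: server address $srv lies inside range $lo-$hi"
    fi
  done < "$flat"
  rm -f "$flat"
  [ "$covers" -eq 1 ] || echo "PROBLEM: no subnet declaration covers the server address $srv (dhcpd will not start)"
  return 0
}

count_problems() { check_dhcpd_conf "$1" "$2" | grep -c '^PROBLEM' || true; }

write_demo_conf() {               # $1 = path, $2 = broken | fixed (constructed for the demo)
  if [ "$2" = broken ]; then
    cat > "$1" <<'EOF'
# range starts at the router's own address and the server (10.0.0.7) sits inside it
option domain-name-servers 10.0.0.1;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.1 10.0.0.200;
  option routers 10.0.0.1;
}
subnet 192.168.5.0 netmask 255.255.255.0 {
  range 192.168.5.10 192.168.6.20;   # end of the range lies outside the subnet
  option routers 192.168.5.1;
}
EOF
  else
    cat > "$1" <<'EOF'
option domain-name-servers 223.5.5.5, 180.76.76.76;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.150 10.0.0.180;       # excludes the router (10.0.0.2) and the server (10.0.0.7)
  option routers 10.0.0.2;
}
EOF
  fi
}

tmp=$(mktemp -d)
for v in broken fixed; do
  write_demo_conf "$tmp/dhcpd.conf.$v" "$v"
  echo "== $v: $(count_problems "$tmp/dhcpd.conf.$v" 10.0.0.7) problem(s)"
  check_dhcpd_conf "$tmp/dhcpd.conf.$v" 10.0.0.7
done
```

On a real server run check_dhcpd_conf /etc/dhcp/dhcpd.conf with the address shown by ip a for the serving interface; dhcpd -t -cf /etc/dhcp/dhcpd.conf then checks the syntax that this script does not.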
4撮抓、啟動dhcp服務妇斤,查看dhcp客戶端申請地址的過程
[root@centos7 ~]#systemctl start dhcpd
[root@centos7 ~]#dhclient -d
Internet Systems Consortium DHCP Client 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/eth0/00:0c:29:33:b7:af
Sending on? LPF/eth0/00:0c:29:33:b7:af
Sending on? Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4 (xid=0x508cbce0)
DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x508cbce0)
DHCPOFFER from 10.0.0.7
DHCPACK from 10.0.0.7 (xid=0x508cbce0)
bound to 10.0.0.123 -- renewal in 37907 seconds.
[root@centos7 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:33:b7:af brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.7/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet 10.0.0.123/24 brd 10.0.0.255 scope global secondary dynamic eth0
       valid_lft 86259sec preferred_lft 86259sec
    inet6 fe80::31c3:e200:902b:ae0e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever