Encryption security and time synchronization automation

1. Create a private CA and request a certificate.

(1): Create the CA directories and files
[11:16:03 root@CentOS8 ~]\ [#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[11:16:38 root@CentOS8 ~]\ [#touch /etc/pki/CA/index.txt
[11:16:56 root@CentOS8 ~]\ [#echo 01 > /etc/pki/CA/serial
(2): Create the CA private key
[11:18:09 root@CentOS8 ~]\ [#cd /etc/pki/CA/
[11:19:04 root@CentOS8 CA]\ [#umask 066;openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................+++++
..............................................................................................+++++
e is 65537 (0x010001)
(3): Issue a self-signed certificate to the CA
[11:19:49 root@CentOS8 CA]\ [#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:
(4): Generate the user's private key and request a certificate
[11:22:41 root@CentOS8 CA]\ [#mkdir /data/app1
[11:27:42 root@CentOS8 CA]\ [#umask 066;openssl genrsa -out /data/app1/app1.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..........+++++
.............................+++++
e is 65537 (0x010001)
[11:29:01 root@CentOS8 CA]\ [#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:C++
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Can't open /data/app1/app1/csr for writing, No such file or directory
140054067681088:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/data/app1/app1/csr','w')
140054067681088:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
(5): Sign the certificate with the CA
[11:35:06 root@CentOS8 CA]\ [#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 500
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 29 04:35:07 2021 GMT
            Not After : Jan 11 04:35:07 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = magedu
            organizationalUnitName    = C++
            commonName                = app1.magedu.org
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                9E:24:DC:97:90:47:2A:F0:B4:D4:9F:AD:85:D1:72:38:DD:01:6A:0E
            X509v3 Authority Key Identifier: 
                keyid:B8:C3:B1:0F:CC:49:A4:9B:1A:D8:E1:67:1D:C3:E8:F0:82:5D:98:F1

Certificate is to be certified until Jan 11 04:35:07 2023 GMT (500 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[11:35:12 root@CentOS8 CA]\ [#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 9 files
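The five steps above, as an added example that is not from the original post: the same CA workflow run non-interactively in a directory of your choice, with a minimal openssl.cnf written inline so it does not depend on the CentOS /etc/pki/CA layout. It assumes only the openssl CLI; the DN values reuse the ones typed in the transcript.

```shell
# Added example (not from the post): the five CA steps above run non-interactively,
# with a minimal openssl.cnf so it works outside the CentOS /etc/pki/CA layout.
set -e
# make_private_ca CA_DIR LEAF_CN: build the CA, sign one leaf cert, verify it,
# and print the leaf certificate path.
make_private_ca() {
    ca_dir=$1; leaf_cn=$2
    mkdir -p "$ca_dir/certs" "$ca_dir/newcerts" "$ca_dir/private"
    : > "$ca_dir/index.txt"; echo 01 > "$ca_dir/serial"
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca_dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_ca
x509_extensions = leaf_ext
[ policy_ca ]
countryName = optional
organizationName = optional
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
EOF
    # umask 066 keeps both private keys mode 0600, as in the transcript above.
    (umask 066; openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$ca_dir/openssl.cnf" -key "$ca_dir/private/cakey.pem" \
        -days 3650 -subj "/C=CN/O=magedu/CN=ca.magedu.org" -out "$ca_dir/cacert.pem"
    (umask 066; openssl genrsa -out "$ca_dir/$leaf_cn.key" 2048 2>/dev/null)
    openssl req -new -config "$ca_dir/openssl.cnf" -key "$ca_dir/$leaf_cn.key" \
        -subj "/C=CN/O=magedu/CN=$leaf_cn" -out "$ca_dir/$leaf_cn.csr"
    # -batch answers the "Sign the certificate?" and "commit?" prompts with yes.
    openssl ca -batch -config "$ca_dir/openssl.cnf" -in "$ca_dir/$leaf_cn.csr" \
        -out "$ca_dir/certs/$leaf_cn.crt" -days 500 2>/dev/null
    # Chain check, and the leaf must not itself be usable as a CA.
    openssl verify -CAfile "$ca_dir/cacert.pem" "$ca_dir/certs/$leaf_cn.crt" >/dev/null
    openssl x509 -in "$ca_dir/certs/$leaf_cn.crt" -noout -text | grep -q 'CA:FALSE'
    echo "$ca_dir/certs/$leaf_cn.crt"
}
```

Run it as `make_private_ca "$(mktemp -d)" app1.magedu.org`; the index.txt, serial and newcerts/01.pem files it leaves behind match the tree listing above.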

2. Summary of common ssh parameters and usage

SSH: Secure Shell protocol, 22/tcp, secure remote login with encrypted communication, replacing the traditional telnet protocol
-p port: the port the remote server listens on
-b: specify the source IP of the connection
-v: verbose (debug) mode
-C: enable compression
-X: enable X11 forwarding
-o option: specify a configuration option
-i <file>: specify the path of the private key file for key-based authentication; by default the files ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa, etc. are used
-t: force pseudo-tty allocation

3. Summary of common sshd service parameters.

(1): SSH local port forwarding -- options:
		-f run in the background    -N do not open a remote shell, just keep waiting    -g enable the gateway function (allow remote hosts to connect to the forwarded port)
(2): SSH remote port forwarding
(3): SSH dynamic port forwarding
	When Firefox accesses the Internet, local port 1080 acts as the proxy server; Firefox's requests are forwarded to
sshserver, which accesses the Internet on its behalf
(4): X protocol forwarding
All graphical applications are X clients and can connect to a remote X server over TCP/IP. The X data itself is not encrypted,
but it travels securely through the ssh tunnel
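An added audit example for the -g caveat in (1) and the port-1080 proxy in (3), not part of the original post: without -g a local or dynamic forward listens on loopback only, with -g it listens on all interfaces. The function reads `ss -ltnp` output and reports ssh client listeners bound to a wildcard address; the sample output below is constructed, and the pids in it are made up.

```shell
# Added example, not from the post: audit for the -g caveat above. Reads
# "ss -ltnp" output on stdin and prints "pid port" for every ssh *client*
# listener (a -L or -D forward) bound to all interfaces instead of loopback.
exposed_forwards() {
    awk '$NF ~ /\("ssh",/ {                   # process column names ssh, not sshd
        port = $4; sub(/.*:/, "", port)       # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
            match($NF, /pid=[0-9]+/)
            print substr($NF, RSTART + 4, RLENGTH - 4), port
        }
    }'
}

# Constructed sample of "ss -ltnp" output: a dynamic forward (-D 1080) started
# without -g on 127.0.0.1, the same forward started with -g, an IPv6 local
# forward started with -g, and the sshd daemon itself, which must not be reported.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128        127.0.0.1:1080      0.0.0.0:*     users:(("ssh",pid=4021,fd=5))
LISTEN 0      128          0.0.0.0:1080      0.0.0.0:*     users:(("ssh",pid=4022,fd=5))
LISTEN 0      128             [::]:8080         [::]:*     users:(("ssh",pid=4023,fd=6))
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=900,fd=3))
EOF
}
```

On a live host run `ss -ltnp | exposed_forwards`; an empty result means every forward is loopback-only.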

4. Set up a DHCP service to hand out IP addresses

(1): Install the dhcp service
[root@CentOS7 ~]# yum install dhcp -y
(2): Edit the configuration file: vim /etc/dhcp/dhcpd.conf
[root@CentOS7 ~]# cat /etc/dhcp/dhcpd.conf 
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#
default-lease-time 600;
max-lease-time 7200;

subnet 10.0.0.0 netmask 255.255.255.0 {
	range 10.0.0.100 10.0.0.200;
	option routers	 10.0.0.2;
}
host printer {
	hardware ethernet 00:0c:29:31:d8:ae;
	fixed-address 10.0.0.8;
}
(3): Restart the service
[root@CentOS7 ~]# systemctl start dhcpd
[root@CentOS7 ~]# systemctl status dhcpd.service
● dhcpd.service - DHCPv4 Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2021-08-29 17:44:12 WIB; 7s ago
     Docs: man:dhcpd(8)
           man:dhcpd.conf(5)
 Main PID: 60565 (dhcpd)
   Status: "Dispatching packets..."
    Tasks: 1
   CGroup: /system.slice/dhcpd.service
           └─60565 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
(4): Edit the NIC configuration file: vim /etc/sysconfig/network-scripts/ifcfg-ens33
[root@CentOS7 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="dhcp"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="fe487840-a56a-4980-9d92-2122afe83b22"
DEVICE="ens33"
ONBOOT="yes"
GATEWAY=10.0.0.109
NETMASK=255.255.255.0
DNS1=8.8.8.8
DNS2=114.114.114.114
(5): Restart the network service
[root@CentOS7 ~]# systemctl restart network
(6): Check on the client
[17:49:47 root@CentOS8 ~]\ [#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:dc:b4:a9 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.8/24 brd 10.0.0.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fedc:b4a9/64 scope link 
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:55:8f:b2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:55:8f:b2 brd ff:ff:ff:ff:ff:ff
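An added example, not part of the original post: a static sanity check for a single-subnet dhcpd.conf like the one in step (2), which catches the usual mistakes (range or router outside the subnet, a fixed-address inside the dynamic range, a fixed-address equal to the router). The sample configuration embedded below is a constructed copy of the subnet and host blocks above.

```shell
# Added example, not part of the original post: static sanity checks for a
# dhcpd.conf with a single subnet, like the one above. Reads the file on stdin,
# prints one "BAD: ..." line per problem and returns nonzero if any were found.
check_dhcpd_conf() {
    awk '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    function bad(msg) { print "BAD: " msg; problems++ }
    { sub(/;.*$/, "") }                                  # strip the trailing ;
    $1 == "subnet"                    { net = ip2n($2); mask = ip2n($4) }
    $1 == "range"                     { lo = ip2n($2); hi = ip2n($3) }
    $1 == "option" && $2 == "routers" { gw = ip2n($3) }
    $1 == "host"                      { cur = $2 }
    $1 == "fixed-address"             { fixed[cur] = ip2n($2) }
    END {
        size = 4294967296 - mask                 # addresses in the block (= ~mask + 1)
        bcast = net + size - 1
        if (net % size != 0)           bad("subnet address is not aligned to its netmask")
        if (lo > hi)                   bad("range start is after range end")
        if (lo <= net || hi >= bcast)  bad("range leaves the subnet or includes network/broadcast")
        if (gw <= net || gw >= bcast)  bad("option routers is outside the subnet")
        for (h in fixed) {
            if (fixed[h] <= net || fixed[h] >= bcast) bad("host " h ": fixed-address outside the subnet")
            if (fixed[h] >= lo && fixed[h] <= hi)     bad("host " h ": fixed-address inside the dynamic range")
            if (fixed[h] == gw)                       bad("host " h ": fixed-address is the router address")
        }
        exit (problems > 0)
    }'
}

# Constructed sample: the subnet and host declarations from the configuration above.
sample_dhcpd_conf() {
    cat <<'EOF'
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.100 10.0.0.200;
    option routers 10.0.0.2;
}
host printer {
    hardware ethernet 00:0c:29:31:d8:ae;
    fixed-address 10.0.0.8;
}
EOF
}
```

Use it as `check_dhcpd_conf < /etc/dhcp/dhcpd.conf` before `systemctl restart dhcpd`; `dhcpd -t` only checks syntax, not whether the addresses fit together.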