1、创建私有CA并进行证书申请。
1、创建所需要的文件
touch /etc/pki/CA/index.txt #生成证书索引数据库文件
echo 01 > /etc/pki/CA/serial #指定第一个颁发证书的序列号
2、 CA生成签名私钥
cd /etc/pki/CA/
(umask 066; openssl genrsa -out private/cakey.pem 2048)
3、CA生成自签名证书
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
4、在需要申请证书的主机
①生成证书申请的签名私钥
(umask 066; openssl genrsa -out /data/test.key 2048)
②生成证书申请文件
openssl req -new -key /data/test.key -out /data/test.csr
5、将证书请求文件传输给CA
6、CA签署证书,并将证书颁发给请求者
openssl ca -in /tmp/test.csr -out /etc/pki/CA/certs/test.crt -days 100
(注意:默认要求 国家,省,公司名称三项必须和CA一致)
查看证书中的信息:
openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|issuer|subject|serial|dates
openssl ca -status SERIAL 查看指定编号的证书状态
吊销证书步骤
1、在客户端获取要吊销的证书的serial
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
2、在CA上,根据客户提交的serial与subject信息,对比检验是否与index.txt文件中的信息一致
3、吊销证书:
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
4、指定第一个吊销证书的编号,注意:第一次更新证书吊销列表前,才需要执行
echo 01 > /etc/pki/CA/crlnumber
5、更新证书吊销列表
openssl ca -gencrl -out /etc/pki/CA/crl.pem
查看crl文件:
openssl crl -in /etc/pki/CA/crl.pem -noout -text
2、总结ssh常用参数、用法
ssh命令是ssh客户端,允许实现对远程系统经验证地加密安全访问。
格式:
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
说明:以上两种方式都可以远程登录到远程主机,server代表远程主机,name为登录远程主机的用户名。
常见选项:
-p port #远程服务器监听的端口
-b #指定连接的源IP
-v #调试模式
-C #压缩方式
-X #支持x11转发
-t #强制伪tty分配,如:
ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option 如:-o StrictHostKeyChecking=no
-i <file> #指定私钥文件路径,实现基于key验证,默认使用文件: ~/.ssh/id_dsa,
~/.ssh/id_ecdsa, ~/.ssh/id_ed25519,~/.ssh/id_rsa等
1、连接到远程主机指定的端口:
命令格式:
ssh name@remoteserver -p 9999 或者
ssh remoteserver -l name -p 9999
说明:p 参数指定端口号,通常在路由里做端口映射时,我们不会把22端口直接映射出去,而是转换成其他端口号,这时就需要使用-p端口号命令格式。
2、通过远程主机1跳到远程主机2:
命令格式:
ssh -t remoteserver1 ssh remoteserver2
说明:当远程主机remoteserver2无法直接到达时,可以使用-t参数,然后由remoteserver1跳转到remoteserver2。在此过程中要先输入remoteserver1的密码,然后再输入remoteserver2的密码,然后就可以操作remoteserver2了。
3、通过SSH运行远程shell命令:
命令格式:
ssh -l name remoteserver ‘command’
说明:连接到远程主机,并执行远程主机的command命令。例如:查看远程主机的内存使用情况。
$ ssh -l root 10.0.0150 svmon -G
4、修改SSH监听端口:
默认情况下,SSH监听连接端口22,攻击者使用端口扫描软件就可以看到主机是否运行有SSH服务,将SSH端口修改为大于1024的端口是一个明智的选择,因为大多数端口扫描软件(包括nmap)默认情况都不扫描高位端口。打开/etc/ssh/sshd_config文件并查找下面这样的行:
Port 22
去掉该行前面的# 号,然后修改端口号并重新启动SSH服务:
$ /etc/init.d/ssh restart
5、仅允许SSH协议版本2:
有两个SSH协议版本,仅使用SSH协议版本2会更安全,SSH协议版本1有安全问题,包括中间人攻击(man-in-the-middle)和注入(insertion)攻击。编辑/etc/ssh/sshd_config文件并查找下面这样的行:
# Protocol 2,1
修改为
Protocol 2
6、禁止root用户登录:
通常情况下,不采用直接用root用户登录到远程主机,由于root用户拥有超级权限,这样会带来安全隐患,所以,一般我们用普通用户登录,当需要管理远程主机时,再切换到root用户下。打开/etc/ssh/sshd_config文件并查找下面这样的行:
#PermitRootLogin yes
将#号去掉,然后将yes修改成no,重启ssh服务,这样就可以禁止root用户登录。
7、设置登录时提示信息
首先编辑一个文件,如bannertest.txt,文件内容自行定义。然后打开/etc/ssh/sshd_config文件并查找下面这样的行:
#Banner /some/path
将#号去掉,然后将bannertest.txt文件的全路径替换/some/path,然后保存,重启ssh服务。当客户端登录时,就会看到bannertest.txt文件中的提示信息。
8、进行端口映射:
假如公司内网有台web服务器,但是只对内不对外,这样,外网就无法访问,可以用ssh进行端口映射来实现外网访问内网的web服务器。假如web服务器名为webserver,webserver可以用ssh访问到远端主机remoteserver,登录到webserver,然后用下面命令进行映射
命令格式:
ssh -R 3000:localhost:80 remoteserver
执行完成后,在remoteserver机器上,执行netstat -an | grep 3000,查看有没有开通3000端口。并执行以下命令观察是否可以打开webserver上的网页
$ w3m http://127.0.0.1:3000
如果能打开界面,说明映射成功.但是,这只限于本机访问web服务器,即只能remoteserver机器访问webserver。因为3000端口绑定的是remoteserver机器的127.0.0.1端口。可以编辑remoteserver机器上的/etc/ssh/sshd_config文件并添加如下内容:
添加 GatewayPorts yes 内容,把监听端口3000绑定到 0.0.0.0 地址上,这样外部的所有机器都能访问到这个监听端口,然后保存退出。并重启ssh服务。完成后其它机器就可以在浏览器中输入 http://remoteserver:3000来访问webserver了。
3、总结sshd服务常用参数。
sshd:openssh服务器守护进程。
服务器端:sshd
服务器端的配置文件: /etc/ssh/sshd_config
常用参数:
Port #生产建议修改
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes #默认ubuntu不允许root远程ssh登录
StrictModes yes #检查.ssh/文件的所有者,权限等
MaxAuthTries 6 #pecifies the maximum number of authentication
attempts permitted per connection. Once the number of failures reaches half this
value, additional failures are logged. The default is 6.
MaxSessions 10 #同一个连接最大会话
PubkeyAuthentication yes #基于key验证
PermitEmptyPasswords no #空密码连接
PasswordAuthentication yes #基于用户名和密码连接
GatewayPorts no
ClientAliveInterval 10 #单位:秒
ClientAliveCountMax 3 #默认3
UseDNS yes #提高速度可改为no
GSSAPIAuthentication yes #提高速度可改为no
MaxStartups #未认证连接最大值,默认值10
Banner /path/file
#以下可以限制可登录用户的办法:
AllowUsers user1 user2 user3
DenyUsers user1 user2 user3
AllowGroups g1 g2
DenyGroups g1 g2
ssh服务的最佳实践:
(1)建议使用非默认端口
(2)禁止使用protocol version 1
(3)限制可登录用户
(4)设定空闲会话超时时长
(5)利用防火墙设置ssh访问策略
(6)仅监听特定的IP地址
(7)基于口令认证时,使用强密码策略,比如:tr -dc A-Za-z0-9_ < /dev/urandom | head -c 12|xargs
(8)使用基于密钥的认证
(9)禁止使用空密码
(10)禁止root用户直接登录
(11)限制ssh的访问频度和并发在线数
(12)经常分析日志
附录SSH运维总结(htt ps:// w ww.cnblogs.com/kevingrace/p/6110842.html)
4、搭建dhcp服务,实现ip地址申请分发
配置DHCP服务
[root@centos6 ~]#cp /usr/share/doc/dhcp-4.1.1/dhcpd.conf.sample /etc/dhcp/dhcpd.conf
[root@centos6 ~]#vim /etc/dhcp/dhcpd.conf
[root@centos6 ~]#cat /etc/dhcp/dhcpd.conf
option domain-name "example.com";
option domain-name-servers 10.0.0.1;
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.1 10.0.0.200;
option routers 10.0.0.1;
filename "pxelinux.0";
next-server 10.0.0.100;
}
[root@centos6 ~]#service dhcpd start
DHCP实现:
注意:
(1)实现DHCP服务前,先将网络已有DHCP服务,如:vmware中的DHCP关闭,防止冲突
(2)DHCP服务器本身采用静态IP
(3)必须配置和DHCP网卡的静态IP所在网段的subnet 段,否则DHCP服务无法启动
DHCP服务的实现软件:
dhcp(CentOS 7 之前版本) 或 dhcp-server(CentOS 8 中的包名)
dhcp服务配置文件:/etc/dhcp/dhcpd.conf
dhcp服务配置范例文件:/usr/share/doc/dhcp*/dhcpd.conf.example
1、关闭vmware中的DHCP
2、安装dhcp
[root@centos7 ~]#yum install -y dhcp
3、复制并修改配置文件,给指定主机分配固定IP
[root@centos7 ~]#rpm -ql dhcp
/etc/NetworkManager
/etc/NetworkManager/dispatcher.d
/etc/NetworkManager/dispatcher.d/12-dhcpd
/etc/dhcp/dhcpd.conf
/etc/dhcp/dhcpd6.conf
/etc/dhcp/scripts
/etc/dhcp/scripts/README.scripts
/etc/openldap/schema/dhcp.schema
/etc/sysconfig/dhcpd
/usr/bin/omshell
/usr/lib/systemd/system/dhcpd.service
/usr/lib/systemd/system/dhcpd6.service
/usr/lib/systemd/system/dhcrelay.service
/usr/sbin/dhcpd
/usr/sbin/dhcrelay
/usr/share/doc/dhcp-4.2.5
/usr/share/doc/dhcp-4.2.5/dhcpd.conf.example
/usr/share/doc/dhcp-4.2.5/dhcpd6.conf.example
/usr/share/doc/dhcp-4.2.5/ldap
/usr/share/doc/dhcp-4.2.5/ldap/README.ldap
/usr/share/doc/dhcp-4.2.5/ldap/dhcp.schema
/usr/share/doc/dhcp-4.2.5/ldap/dhcpd-conf-to-ldap
/usr/share/man/man1/omshell.1.gz
/usr/share/man/man5/dhcpd.conf.5.gz
/usr/share/man/man5/dhcpd.leases.5.gz
/usr/share/man/man8/dhcpd.8.gz
/usr/share/man/man8/dhcrelay.8.gz
/usr/share/systemtap/tapset/dhcpd.stp
/var/lib/dhcpd
/var/lib/dhcpd/dhcpd.leases
/var/lib/dhcpd/dhcpd6.leases
[root@centos7 ~]#cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cp: overwrite ‘/etc/dhcp/dhcpd.conf’? y
[root@centos7 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:33:b7:af brd ff:ff:ff:ff:ff:ff
inet 10.0.0.7/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::31c3:e200:902b:ae0e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@centos7 ~]#vim /etc/dhcp/dhcpd.conf
[root@centos7 ~]#cat /etc/dhcp/dhcpd.conf
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers 223.5.5.5, 180.76.76.76;
default-lease-time 86400;
max-lease-time 106400;
# Use this to enble / disable dynamic dns updates globally.
#ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.150 10.0.0.180;
option routers 10.0.0.2;
}
# This is a very basic subnet declaration.
subnet 10.254.239.0 netmask 255.255.255.224 {
range 10.254.239.10 10.254.239.20;
option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
subnet 10.254.239.32 netmask 255.255.255.224 {
range dynamic-bootp 10.254.239.40 10.254.239.60;
option broadcast-address 10.254.239.31;
option routers rtr-239-32-1.example.org;
}
# A slightly different configuration for an internal subnet.
subnet 10.5.5.0 netmask 255.255.255.224 {
range 10.5.5.26 10.5.5.30;
option domain-name-servers ns1.internal.example.org;
option domain-name "internal.example.org";
option routers 10.5.5.1;
option broadcast-address 10.5.5.31;
default-lease-time 600;
max-lease-time 7200;
}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
host testhost {
hardware ethernet 00:0c:29:33:b7:af;
fixed-address 10.0.0.123;
}
host passacaglia {
hardware ethernet 0:0:c0:5d:bd:95;
filename "vmunix.passacaglia";
server-name "toccata.fugue.com";
}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
host fantasia {
hardware ethernet 08:00:07:26:c0:a5;
fixed-address fantasia.fugue.com;
}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
class "foo" {
match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
}
shared-network 224-29 {
subnet 10.17.224.0 netmask 255.255.255.0 {
option routers rtr-224.example.org;
}
subnet 10.0.29.0 netmask 255.255.255.0 {
option routers rtr-29.example.org;
}
pool {
allow members of "foo";
range 10.17.224.10 10.17.224.250;
}
pool {
deny members of "foo";
range 10.0.29.10 10.0.29.230;
}
}
4、启动dhcp服务,查看dhcp客户端申请地址的过程
[root@centos7 ~]#systemctl start dhcpd
[root@centos7 ~]#dhclient -d
Internet Systems Consortium DHCP Client 4.2.5
Copyright 2004-2013 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/eth0/00:0c:29:33:b7:af
Sending on LPF/eth0/00:0c:29:33:b7:af
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4 (xid=0x508cbce0)
DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x508cbce0)
DHCPOFFER from 10.0.0.7
DHCPACK from 10.0.0.7 (xid=0x508cbce0)
bound to 10.0.0.123 -- renewal in 37907 seconds.
[root@centos7 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:33:b7:af brd ff:ff:ff:ff:ff:ff
inet 10.0.0.7/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet 10.0.0.123/24 brd 10.0.0.255 scope global secondary dynamic eth0
valid_lft 86259sec preferred_lft 86259sec
inet6 fe80::31c3:e200:902b:ae0e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
