N62059 Week 8 Assignment

I. Create a private CA and request a certificate
Creating the private CA
1. Create the files the CA needs:
[root@centOS8 ~]# touch /etc/pki/CA/index.txt
[root@centOS8 ~]# echo 01 > /etc/pki/CA/serial
2. Generate the CA private key:
[root@centOS8 ~]# cd /etc/pki/CA
[root@centOS8 CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................+++++
.................................................................................+++++
e is 65537 (0x010001)
3. Generate the CA's self-signed certificate:
[root@centOS8 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 365 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.


Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SHANGHAI
Locality Name (eg, city) [Default City]:SHANGHAI
Organization Name (eg, company) [Default Company Ltd]:xiaohuo.org
Organizational Unit Name (eg, section) []:xiaohuo--it
Common Name (eg, your name or your server's hostname) []:xiaohuo
Email Address []:unknown
Requesting and issuing a certificate:
1. Generate a private key for the host that needs the certificate:
[root@centOS8 ~]# openssl genrsa -out /data/test.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................+++++
..........+++++
e is 65537 (0x010001)
2. Generate a certificate signing request (CSR) for the host:
[root@centOS8 ~]# openssl req -new -key /data/test.key -out /data/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.


Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SHANGHAI
Locality Name (eg, city) [Default City]:SHANGHAI
Organization Name (eg, company) [Default Company Ltd]:xiaohuo.org
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xiaohuo
3. Sign the request at the CA and issue the certificate to the requester:

[root@centOS8 ~]# openssl req -new -key /data/test.key -out /data/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.


Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SHANGHAI
Locality Name (eg, city) [Default City]:SHANGHAI
Organization Name (eg, company) [Default Company Ltd]:xiaohuo.org
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xiaohuo
Email Address []:unknown

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:+-*/..931215
An optional company name []:xiaohuo
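The signing step that the heading above announces (the CA consuming the CSR with openssl ca, then the issued certificate being verified against cacert.pem) does not appear in the session log. The script below is an added example, not part of the original post: it rebuilds the same /etc/pki/CA layout (index.txt, serial, private/cakey.pem, cacert.pem) in a temporary directory with a minimal openssl.cnf so that it runs non-interactively on any host with openssl, signs a CSR, and checks the result. All paths, the subject names and the config file are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: build a throwaway private CA
# in a temporary directory, sign a CSR with it and verify the result, all
# non-interactively. The directory layout mirrors /etc/pki/CA as used above;
# the minimal openssl.cnf, the subject names and all paths are constructed.
set -eu

# CA directory tree (index.txt, serial, private/, newcerts/) plus a minimal
# config so that `openssl ca` does not depend on the system openssl.cnf.
setup_ca() {
    cadir=$1
    mkdir -p "$cadir/private" "$cadir/newcerts"
    touch "$cadir/index.txt"          # the CA database: one line per issued cert
    echo 01 > "$cadir/serial"         # next serial number to hand out
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = $cadir
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = demo_policy
x509_extensions = usr_cert

[ demo_policy ]
countryName          = match
stateOrProvinceName  = optional
organizationName     = match
commonName           = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign

[ usr_cert ]
basicConstraints = CA:false
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # CA private key (readable only by its owner) and self-signed CA certificate
    openssl genrsa -out "$cadir/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$cadir/private/cakey.pem"
    openssl req -new -x509 -config "$cadir/openssl.cnf" \
        -key "$cadir/private/cakey.pem" -days 365 \
        -subj "/C=CN/ST=SHANGHAI/O=xiaohuo.org/CN=xiaohuo-ca" \
        -out "$cadir/cacert.pem"
}

# Requester side: private key plus CSR (the post's steps 1 and 2). The CA's
# config is reused here only so the example does not need a system openssl.cnf.
make_csr() {
    cadir=$1; keyfile=$2; csrfile=$3; cn=$4
    openssl genrsa -out "$keyfile" 2048 2>/dev/null
    openssl req -new -config "$cadir/openssl.cnf" -key "$keyfile" \
        -subj "/C=CN/ST=SHANGHAI/O=xiaohuo.org/CN=$cn" -out "$csrfile"
}

# CA side: the signing step itself. The policy section rejects CSRs whose
# C or O differ from the CA's own, so a request from outside the organization
# is refused rather than signed.
sign_csr() {
    cadir=$1; csrfile=$2; crtfile=$3
    openssl ca -batch -config "$cadir/openssl.cnf" \
        -in "$csrfile" -out "$crtfile" -days 365
}

# Does the issued certificate chain to the CA? Prints "<file>: OK", returns 0.
verify_cert() {
    cadir=$1; crtfile=$2
    openssl verify -CAfile "$cadir/cacert.pem" "$crtfile"
}

demo() {
    work=$(mktemp -d)
    setup_ca "$work/CA"
    make_csr "$work/CA" "$work/test.key" "$work/test.csr" "www.xiaohuo.org"
    sign_csr "$work/CA" "$work/test.csr" "$work/test.crt"
    verify_cert "$work/CA" "$work/test.crt"
    # what to inspect afterwards: subject, issuer, validity, and the CA database,
    # which now records serial 01 as a valid (V) certificate
    openssl x509 -in "$work/test.crt" -noout -subject -issuer -dates
    cat "$work/CA/index.txt"
    rm -rf "$work"
}

demo
```

On a real CA host the same commands are run against /etc/pki/CA with the system openssl.cnf, and cakey.pem stays on that host only: the requester sends the CSR and receives the signed certificate back, never the CA key.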

II. Summary of common SSH parameters and usage
The ssh command is the SSH client; it gives authenticated, encrypted access to a remote system. The client configuration file is /etc/ssh/ssh_config.
Common options used with ssh:
ssh -p: port the remote server listens on
ssh -b: source IP address to connect from
ssh -v: verbose (debug) mode
ssh -C: enable compression
ssh -X: enable X11 forwarding
ssh -i: path to the private key file, for key-based authentication; by default ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa and so on are tried

III. Summary of common sshd service parameters
Server-side configuration file: /etc/ssh/sshd_config
Common parameters:
Port #port number
ListenAddress ip
LoginGraceTime 2m #time allowed to complete authentication
PermitRootLogin yes #Ubuntu does not allow remote root ssh login by default
StrictModes yes #check the ownership and permissions of .ssh/ files
MaxAuthTries 6
MaxSessions 10 #maximum sessions per connection
PubkeyAuthentication yes #key-based authentication
PermitEmptyPasswords no #connections with an empty password
PasswordAuthentication yes #username and password authentication
GatewayPorts no
ClientAliveInterval 10 #unit: seconds
ClientAliveCountMax 3 #default 3
UseDNS yes #set to no to speed up logins
GSSAPIAuthentication yes #set to no to speed up logins
MaxStartups #maximum number of unauthenticated connections, default 10
Banner /path/file
#The following directives restrict which users may log in:
AllowUsers user1 user2 user3
DenyUsers
AllowGroups
Best practices for the ssh service
Use a non-default port
Do not allow protocol version 1
Restrict which users may log in
Set an idle session timeout
Use the firewall to control ssh access and listen only on specific IP addresses
When using password authentication, enforce a strong password policy, for example: tr -dc A-Za-z0-9_ < /dev/urandom | head -c 12|xargs
Use key-based authentication
Disallow empty passwords
Do not allow root to log in directly
Limit the ssh login rate and the number of concurrent sessions
Analyze the logs regularly
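The checklist above can be turned into a check that runs against the actual sshd_config. The script below is an added example, not part of the original post: it reads the effective global value of each directive (first occurrence wins, and anything under a Match line is conditional rather than global, two details that are easy to get wrong when reviewing by eye), applies the defaults documented in sshd_config(5) for directives that are absent, and prints one FAIL line per deviation from the checklist. The two sample config files are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config against
# the hardening checklist above. The sample files are constructed; the
# directive names and the defaults assumed for missing directives are those
# documented in sshd_config(5).
set -eu

# Effective value of a directive in the global section of sshd_config.
# sshd uses the FIRST occurrence of a keyword (later duplicates are ignored),
# and everything after the first "Match" line is conditional, so it is not
# read as a global value. Prints $3 (the documented default) if the directive
# is absent or commented out.
sshd_get() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$(echo "$key" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { sub(/^[^ \t]+[ \t]*/, ""); print; exit }
    ' "$file")
    [ -n "$val" ] && echo "$val" || echo "$default"
}

# One check: compare the effective value (case-insensitively) with the
# checklist's expectation and print a FAIL line on mismatch.
sshd_check() {
    file=$1; key=$2; default=$3; want=$4; why=$5
    got=$(sshd_get "$file" "$key" "$default")
    if [ "$(echo "$got" | tr 'A-Z' 'a-z')" != "$(echo "$want" | tr 'A-Z' 'a-z')" ]; then
        echo "FAIL $key is '$got', want '$want': $why"
    fi
}

# The checklist. Prints one FAIL line per finding; no output means every
# check passed. Firewall rate limiting and log review are not visible in
# this file and still have to be verified separately.
sshd_audit() {
    f=$1
    [ "$(sshd_get "$f" Port 22)" != 22 ] || echo "FAIL Port is '22': use a non-default port"
    sshd_check "$f" Protocol 2 2 "protocol version 1 must not be offered"
    sshd_check "$f" PermitRootLogin prohibit-password no "log in as an unprivileged user, then sudo"
    sshd_check "$f" PermitEmptyPasswords no no "empty passwords must be refused"
    sshd_check "$f" PubkeyAuthentication yes yes "key-based authentication must stay enabled"
    sshd_check "$f" PasswordAuthentication yes no "deploy keys, then turn passwords off"
    [ -n "$(sshd_get "$f" AllowUsers "")" ] || echo "FAIL AllowUsers is unset: list the accounts that may log in"
    [ "$(sshd_get "$f" ClientAliveInterval 0)" != 0 ] || echo "FAIL ClientAliveInterval is '0': idle sessions never time out"
    tries=$(sshd_get "$f" MaxAuthTries 6)
    [ "$tries" -le 4 ] || echo "FAIL MaxAuthTries is '$tries': allow at most 4 attempts per connection"
}

demo() {
    d=$(mktemp -d)
    # constructed: a stock-looking config with the defaults the post lists
    cat > "$d/weak" <<'EOF'
#Port 22
PermitRootLogin yes
StrictModes yes
MaxAuthTries 6
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
ClientAliveInterval 0
UseDNS no
EOF
    # constructed: the same host after applying the checklist; the Match block
    # re-enables passwords for one account only and is not a global setting
    cat > "$d/hardened" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
ClientAliveInterval 300
ClientAliveCountMax 3
AllowUsers admin deploy
Match User deploy
    PasswordAuthentication yes
EOF
    echo "== weak =="; sshd_audit "$d/weak"
    echo "== hardened =="; sshd_audit "$d/hardened"
    rm -rf "$d"
}

demo
```

Run it as sshd_audit /etc/ssh/sshd_config after every change, and before restarting sshd also run sshd -t, which parses the file the same way the daemon will.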

IV. Set up a DHCP service to hand out IP addresses
1. Disable the DHCP service built into VMware



2. Install the DHCP server software
① Check the DHCP package information
[root@centOS8 ~]# rpm -q dhcp-server
package dhcp-server is not installed
[root@centOS8 ~]# yum info dhcp-server
CentOS Linux 8 - AppStream 938 B/s | 4.3 kB 00:04
CentOS Linux 8 - BaseOS 837 B/s | 3.9 kB 00:04
CentOS Linux 8 - Extras 334 B/s | 1.5 kB 00:04
Available Packages
Name : dhcp-server
Epoch : 12
Version : 4.3.6
Release : 45.el8
Architecture : x86_64
Size : 530 k
Source : dhcp-4.3.6-45.el8.src.rpm
Repository : baseos
Summary : Provides the ISC DHCP server
URL : http://isc.org/products/DHCP/
License : ISC
Description : DHCP (Dynamic Host Configuration Protocol) is a protocol which allows
: individual devices on an IP network to get their own network
: configuration information (IP address, subnetmask, broadcast address,
: etc.) from a DHCP server. The overall purpose of DHCP is to make it
: easier to administer a large network.
:
: This package provides the ISC DHCP server.
② Install the DHCP server
[root@centOS8 ~]# yum -y install dhcp-server
Last metadata expiration check: 0:27:44 ago on Fri 21 Jan 2022 04:37:56 PM CST.
Dependencies resolved.
====================================================================================
Package Architecture Version Repository Size
====================================================================================
Installing:
dhcp-server x86_64 12:4.3.6-45.el8 baseos 530 k

Transaction Summary

Install 1 Package

Total download size: 530 k
Installed size: 1.2 M
Downloading Packages:
dhcp-server-4.3.6-45.el8.x86_64.rpm 201 kB/s | 530 kB 00:02


Total 66 kB/s | 530 kB 00:07
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: dhcp-server-12:4.3.6-45.el8.x86_64 1/1
Installing : dhcp-server-12:4.3.6-45.el8.x86_64 1/1
Running scriptlet: dhcp-server-12:4.3.6-45.el8.x86_64 1/1
Verifying : dhcp-server-12:4.3.6-45.el8.x86_64 1/1
Installed products updated.

Installed:
dhcp-server-12:4.3.6-45.el8.x86_64

Complete!

3. Copy the template file into place and edit the DHCP configuration file
① Back up the original file
[root@centOS8 ~]# mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.bak$(date +%F)
[root@centOS8 dhcp-server]# cp /usr/share/doc/dhcp-server/dhcpd.conf.example /etc/dhcp/dhcpd.conf
② Edit the configuration file
[root@centOS8 ~]# vim /etc/dhcp/dhcpd.conf

# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...
option domain-name "www.megedu.org";
option domain-name-servers 114.114.114.114, 8.8.8.8;

default-lease-time 86400;
max-lease-time 106400;

# Use this to enble / disable dynamic dns updates globally.
ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.180 10.0.0.200;
  option routers 10.0.0.2;
}

# This is a very basic subnet declaration.

subnet 10.254.239.0 netmask 255.255.255.224 {
  range 10.254.239.10 10.254.239.20;
}

Every statement has to end with a semicolon (the option routers line is an easy one to miss) and every subnet block has to be closed with }; dhcpd refuses to start on a parse error, so check the file with dhcpd -t -cf /etc/dhcp/dhcpd.conf before starting the service.

4. Start the service and enable it at boot
Created symlink /etc/systemd/system/multi-user.target.wants/dhcpd.service → /usr/lib/systemd/system/dhcpd.service.
Job for dhcpd.service failed because the control process exited with error code.
See "systemctl status dhcpd.service" and "journalctl -xe" for details.
[root@centOS8 ~]# systemctl status dhcpd.service
● dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: d>
Active: failed (Result: exit-code) since Sat 2022-01-22 15:29:59 CST; 20s ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Process: 51798 ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd >
Main PID: 51798 (code=exited, status=1/FAILURE)

Jan 22 15:29:59 centOS8.magedu.org dhcpd[51798]:
Jan 22 15:29:59 centOS8.magedu.org dhcpd[51798]: This version of ISC DHCP is based >
Jan 22 15:29:59 centOS8.magedu.org dhcpd[51798]: on ftp.isc.org. Features have been>
Jan 22 15:29:59 centOS8.magedu.org dhcpd[51798]: have been made to the base softwar>
Jan 22 15:29:59 centOS8.magedu.org dhcpd[51798]: it work better with this distribut>
Jan 22 15:29:59 centOS8.magedu.org dhcpd[51798]:
Jan 22 15:29:59 centOS8.magedu.org dhcpd[51798]: Please report issues with this sof>
Jan 22 15:29:59 centOS8.magedu.org dhcpd[51798]: https://bugs.centos.org/
Jan 22 15:29:59 centOS8.magedu.org dhcpd[51798]:
Jan 22 15:29:59 centOS8.magedu.org dhcpd[51798]: exiting.

5. Client test
[root@centOS8 ~]# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:f7:8f:6a brd ff:ff:ff:ff:ff:ff
inet 10.0.0.8/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fef7:8f6a/64 scope link
valid_lft forever preferred_lft forever
3: virbr0: mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:cc:d1:2f brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
4: virbr0-nic: mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:cc:d1:2f brd ff:ff:ff:ff:ff:ff
[root@centOS8 ~]# dhclient -d
Internet Systems Consortium DHCP Client 4.3.6
Copyright 2004-2017 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/virbr0-nic/52:54:00:cc:d1:2f
Sending on LPF/virbr0-nic/52:54:00:cc:d1:2f
Listening on LPF/virbr0/52:54:00:cc:d1:2f
Sending on LPF/virbr0/52:54:00:cc:d1:2f
Listening on LPF/eth0/00:0c:29:f7:8f:6a
Sending on LPF/eth0/00:0c:29:f7:8f:6a
Sending on Socket/fallback
DHCPDISCOVER on virbr0-nic to 255.255.255.255 port 67 interval 5 (xid=0x94270247)
DHCPDISCOVER on virbr0 to 255.255.255.255 port 67 interval 4 (xid=0x6d4ed659)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4 (xid=0xbd99a206)
DHCPDISCOVER on virbr0 to 255.255.255.255 port 67 interval 10 (xid=0x6d4ed659)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 7 (xid=0xbd99a206)
DHCPDISCOVER on virbr0-nic to 255.255.255.255 port 67 interval 6 (xid=0x94270247)
DHCPDISCOVER on virbr0-nic to 255.255.255.255 port 67 interval 6 (xid=0x94270247)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 15 (xid=0xbd99a206)
DHCPDISCOVER on virbr0 to 255.255.255.255 port 67 interval 13 (xid=0x6d4ed659)
DHCPDISCOVER on virbr0-nic to 255.255.255.255 port 67 interval 18 (xid=0x94270247)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 20 (xid=0xbd99a206)
DHCPDISCOVER on virbr0 to 255.255.255.255 port 67 interval 9 (xid=0x6d4ed659)
DHCPDISCOVER on virbr0-nic to 255.255.255.255 port 67 interval 7 (xid=0x94270247)
DHCPDISCOVER on virbr0 to 255.255.255.255 port 67 interval 15 (xid=0x6d4ed659)
DHCPDISCOVER on virbr0-nic to 255.255.255.255 port 67 interval 12 (xid=0x94270247)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 15 (xid=0xbd99a206)
DHCPDISCOVER on virbr0 to 255.255.255.255 port 67 interval 10 (xid=0x6d4ed659)
DHCPDISCOVER on virbr0-nic to 255.255.255.255 port 67 interval 7 (xid=0x94270247)
No DHCPOFFERS received.
No working leases in persistent database - sleeping.
No DHCPOFFERS received.
No working leases in persistent database - sleeping.
No DHCPOFFERS received.
No working leases in persistent database - sleeping.

6. DHCP server setup complete
eth0: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:f7:8f:6a brd ff:ff:ff:ff:ff:ff
inet 10.0.0.8/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fef7:8f6a/64 scope link
valid_lft forever preferred_lft forever
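The dhcpd unit in step 4 exited with status 1 and the client in step 5 received no DHCPOFFER, which is the usual outcome when dhcpd.conf fails to parse. The script below is an added example, not part of the original post: a pre-flight check to run before systemctl restart dhcpd. Where the daemon is installed it lets dhcpd parse the file itself (dhcpd -t -cf); elsewhere a small awk lint catches the errors that stop dhcpd from starting (unbalanced braces, statements without a terminating semicolon) and one that does not stop it but silently leaves clients unserved (a range that lies outside its subnet). The sample file is a constructed copy of the configuration as it was pasted in step 3, with the missing semicolon and the unclosed second subnet; the lint assumes one statement per line.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for
# /etc/dhcp/dhcpd.conf before (re)starting dhcpd. The sample file below is a
# constructed copy of the post's configuration; the lint assumes one
# statement per line, which is how that file is written.
set -eu

# Lint a dhcpd.conf with plain awk: unbalanced braces, statements that do not
# end in ';', and 'range' addresses outside their enclosing subnet. dhcpd
# refuses to start on the first two and silently never serves the third.
# Prints one line per problem; the exit status is the number of problems.
dhcpd_lint() {
    awk '
    # network part of ip under mask, as a number (mask octets must be contiguous)
    function netof(ip, mask,   a, m, i, r, b) {
        split(ip, a, "."); split(mask, m, "."); r = 0
        for (i = 1; i <= 4; i++) { b = 256 - m[i]; r = r * 256 + int(a[i] / b) * b }
        return r
    }
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    /^$/ { next }
    /\{$/ {
        depth++
        if ($1 == "subnet") { net = $2; mask = $4 }
        next
    }
    /^\}$/ {
        depth--
        if (depth < 0) { print NR ": unexpected }"; n++; depth = 0 }
        if (depth == 0) net = ""
        next
    }
    !/;$/ { print NR ": missing ; after \"" $0 "\""; n++ }
    $1 == "range" {
        i = ($2 == "dynamic-bootp") ? 3 : 2
        lo = $i; hi = $(i + 1); sub(/;$/, "", lo); sub(/;$/, "", hi)
        if (hi == "") hi = lo
        if (net == "") { print NR ": range outside any subnet block"; n++ }
        else if (netof(lo, mask) != netof(net, mask) || netof(hi, mask) != netof(net, mask)) {
            print NR ": range " lo " - " hi " is not inside " net "/" mask; n++
        }
    }
    END {
        if (depth > 0) { print "EOF: " depth " unclosed {"; n++ }
        exit n
    }
    ' "$1"
}

# Preferred check where the daemon is installed: let dhcpd parse the file
# itself (-t = test only, -cf = config file). Fall back to the lint elsewhere.
dhcpd_check() {
    if command -v dhcpd >/dev/null 2>&1; then
        dhcpd -t -cf "$1"
    else
        dhcpd_lint "$1"
    fi
}

demo() {
    d=$(mktemp -d)
    # constructed: the post's config as pasted (missing ';', unclosed block)
    cat > "$d/dhcpd.conf" <<'EOF'
option domain-name "www.megedu.org";
option domain-name-servers 114.114.114.114, 8.8.8.8;
default-lease-time 86400;
max-lease-time 106400;
ddns-update-style none;
authoritative;
log-facility local7;

subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.180 10.0.0.200;
  option routers 10.0.0.2
}

subnet 10.254.239.0 netmask 255.255.255.224 {
  range 10.254.239.10 10.254.239.20;
EOF
    dhcpd_lint "$d/dhcpd.conf" || echo "$? problem(s) found; fix them before 'systemctl restart dhcpd'"
    rm -rf "$d"
}

demo
```

When dhcpd does start but clients still see no offer, the next things to confirm are that a subnet declaration matches the network of the interface dhcpd listens on (here eth0 in 10.0.0.0/24) and that UDP port 67 is open in the firewall.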
