Week 8 -- Homework
1. Create a private CA and apply for a certificate
(1) Create the CA directories and files
[root@localhost ~]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
[root@localhost ~]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
# Create the certificate index database file
[root@localhost ~]#touch /etc/pki/CA/index.txt
# Set the serial number of the first certificate to be issued
[root@localhost ~]#echo 01 > /etc/pki/CA/serial
(2) Create the private key for the CA host
[root@localhost ~]#cd /etc/pki/CA/
[root@centos8 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)
[root@centos8 CA]#ll private/
total 4
-rw------- 1 root root 1679 May 20 11:55 cakey.pem
(3) The CA generates a self-signed certificate
[root@localhost ~]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:admin@magedu.org
[root@localhost ~]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
# Transfer cacert.pem to Windows, rename it to cacert.pem.crt, and double-click it to see the display below
[root@localhost ~]#sz /etc/pki/CA/cacert.pem
(4) The user generates a private key and a certificate signing request
[root@localhost ~]#mkdir /data/app1
# Generate the private key file
[root@localhost ~]#(umask 066; openssl genrsa -out /data/app1/app1.key 2048)
# Generate the certificate signing request
[root@localhost ~]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:root@magedu.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(5) The CA issues the certificate
[root@localhost ~]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 15 (0xf)
Validity
Not Before: Mar 18 04:32:38 2022 GMT
Not After : Dec 12 04:32:38 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = bj
organizationName = magedu
organizationalUnitName = it
commonName = app1.magedu.org
emailAddress = admin@magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
59:95:C5:2A:14:8B:91:EC:A8:26:52:B7:4A:74:DD:A2:40:BF:F6:2D
X509v3 Authority Key Identifier:
keyid:3F:5E:02:EF:0E:0F:30:F4:62:87:3D:63:44:76:6B:99:87:E1:F1:C4
Certificate is to be certified until Dec 12 04:32:38 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ~]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 0F.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
# Check the validity status of the certificate with the given serial number
[root@localhost ~]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
0F=Valid (V)
(6) Send the certificate files to the client for use
[root@localhost ~]#cp /etc/pki/CA/certs/app1.crt /data/app1/
[root@localhost ~]#tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key
0 directories, 3 files
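The same CA procedure as above, as an added example that is not part of the original post: it builds a throwaway CA in a scratch directory, signs a CSR non-interactively, and verifies the issued certificate against the CA certificate. The config file, paths and DNs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): a private CA built from scratch,
# then a CSR signed and verified. Paths, config and DNs below are constructed.
set -eu

# build_ca_and_issue DIR -> prints the "openssl verify" result for the issued cert
build_ca_and_issue() {
    d=$1
    mkdir -p "$d/ca/certs" "$d/ca/crl" "$d/ca/newcerts" "$d/ca/private"
    touch "$d/ca/index.txt"            # certificate index database
    echo 01 > "$d/ca/serial"           # first serial number to issue
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/ca/index.txt
new_certs_dir = $d/ca/newcerts
serial = $d/ca/serial
certificate = $d/ca/cacert.pem
private_key = $d/ca/private/cakey.pem
default_md = sha256
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    # CA key (umask 066 keeps it private) and a self-signed CA certificate marked CA:TRUE
    (umask 066; openssl genrsa -out "$d/ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$d/ca.cnf" -extensions ca_ext -days 3650 \
        -key "$d/ca/private/cakey.pem" -subj "/CN=demo-ca.example.org" -out "$d/ca/cacert.pem"
    # Applicant key and CSR, then the CA signs it (-batch skips the y/n prompts)
    (umask 066; openssl genrsa -out "$d/app1.key" 2048 2>/dev/null)
    openssl req -new -config "$d/ca.cnf" -key "$d/app1.key" \
        -subj "/CN=app1.example.org" -out "$d/app1.csr"
    openssl ca -batch -config "$d/ca.cnf" -in "$d/app1.csr" -out "$d/app1.crt" -days 1000 -notext
    openssl verify -CAfile "$d/ca/cacert.pem" "$d/app1.crt"
}

command -v openssl >/dev/null 2>&1 && build_ca_and_issue "$(mktemp -d)"
```

After a run, index.txt holds a `V` (valid) entry and serial has advanced to 02, matching what `openssl ca -status` reads above.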
2. Summary of common ssh options and usage
The ssh command is the ssh client; it provides authenticated, encrypted access to a remote system.
When a user first connects to an ssh server, the server's public key from /etc/ssh/ssh_host*key.pub is copied into the client's ~/.ssh/known_hosts. On later connections the key the server presents is matched automatically against the stored entry; if it does not match, the connection is refused.
Format:
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
Common options:
-p port      # port the remote server listens on
-b           # source IP address to connect from
-v           # debug (verbose) mode
-C           # enable compression
-X           # enable X11 forwarding
-t           # force pseudo-tty allocation, e.g.: ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option    # e.g.: -o StrictHostKeyChecking=no
-i <file>    # private key file for key-based authentication; defaults: ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa, etc.
3. Summary of common sshd parameters
sshd is the OpenSSH server daemon.
Server side: sshd
Server-side configuration file: /etc/ssh/sshd_config
Common parameters:
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes          # Ubuntu does not allow remote root login over ssh by default
StrictModes yes              # check the owner, permissions, etc. of the .ssh/ files
MaxSessions 10               # maximum number of sessions on one connection
PubkeyAuthentication yes     # key-based authentication
PermitEmptyPasswords no      # connections with an empty password
PasswordAuthentication yes   # username/password authentication
GatewayPorts no
ClientAliveInterval 10       # unit: seconds
ClientAliveCountMax 3        # default 3
UseDNS yes                   # set to no to speed up logins
GSSAPIAuthentication yes     # set to no to speed up logins
MaxStartups                  # maximum number of unauthenticated connections, default 10
Best practices for the ssh service:
(1) Use a non-default port
(2) Disable protocol version 1
(3) Restrict which users may log in
(4) Set an idle session timeout
(5) Use the firewall to control ssh access
(6) Listen only on specific IP addresses
(7) When using password authentication, enforce a strong password policy, e.g.: tr -dc A-Za-z0-9_ < /dev/urandom | head -c 12| xargs
(8) Use key-based authentication
(9) Disallow empty passwords
(10) Disallow direct root login
(11) Limit the ssh access rate and the number of concurrent sessions
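The parameters and best practices above, turned into a quick audit of an sshd_config file; this is an added example, not from the original post. It reads each directive the way sshd does (first occurrence wins, keywords are case-insensitive, Match blocks are skipped) and reports settings that violate the list. The sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: audits an sshd_config against
# the best-practice list above. The sample configuration below is constructed.
set -eu

# Effective value of a directive: sshd honours the FIRST occurrence and matches
# keywords case-insensitively; comments are skipped and Match blocks ignored.
sshd_opt() {   # sshd_opt FILE KEYWORD DEFAULT
    awk -v key="$(echo "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key    { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Prints one finding per line; prints nothing for a hardened file.
audit_sshd() {   # audit_sshd FILE
    f=$1
    [ "$(sshd_opt "$f" Port 22)" != 22 ]  || echo "Port: default 22 still in use"
    [ "$(sshd_opt "$f" Protocol 2)" = 2 ] || echo "Protocol: version 1 is enabled"
    case "$(sshd_opt "$f" PermitRootLogin yes)" in
        no|prohibit-password) ;; *) echo "PermitRootLogin: root can log in directly" ;;
    esac
    [ "$(sshd_opt "$f" PermitEmptyPasswords no)" = no ]   || echo "PermitEmptyPasswords: empty passwords accepted"
    [ "$(sshd_opt "$f" PubkeyAuthentication yes)" = yes ] || echo "PubkeyAuthentication: key-based login disabled"
    [ "$(sshd_opt "$f" ClientAliveInterval 0)" -gt 0 ]    || echo "ClientAliveInterval: no idle-session timeout"
    [ "$(sshd_opt "$f" AllowUsers "")" != "" ] || [ "$(sshd_opt "$f" AllowGroups "")" != "" ] \
        || echo "AllowUsers/AllowGroups: login not restricted to listed users"
    [ "$(sshd_opt "$f" ListenAddress 0.0.0.0)" != 0.0.0.0 ] || echo "ListenAddress: listening on all addresses"
}

# Constructed sample that keeps the defaults quoted above
sample=$(mktemp)
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nPermitEmptyPasswords no\n' > "$sample"
audit_sshd "$sample"
rm -f "$sample"
```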
4. Set up a DHCP service to hand out IP addresses
Install the DHCP service
[root@localhost ~]#yum -y install dhcp-server
Write the DHCP configuration file
[root@localhost ~]#vim /etc/dhcp/dhcpd.conf
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers 180.76.76.76,223.6.6.6;
default-lease-time 600;
max-lease-time 7200;
# Use this to enable / disable dynamic dns updates globally.
#ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.2 10.0.0.200;   # the router address 10.0.0.1 must stay outside the dynamic pool
option routers 10.0.0.1;
}
Restart the DHCP service
[root@localhost ~]#systemctl restart dhcpd
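A sanity check worth running on the subnet block before the restart, as an added example that is not part of the original post: it flags a dynamic range that contains the router address (a `range 10.0.0.1 10.0.0.200;` next to `option routers 10.0.0.1;` would let dhcpd lease the gateway's own address to a client). The sample configuration file is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-checks the subnet block of
# a dhcpd.conf before dhcpd is restarted, catching a dynamic range that contains
# the router address. The sample file below is constructed.
set -eu

# Dotted-quad IPv4 address to an integer so addresses can be compared
ip2int() { echo "$1" | awk -F. '{ print $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }'; }

# range_check FILE -> prints "ok" or a one-line description of the problem
range_check() {
    lo=$(awk '$1 == "range" { print $2; exit }' "$1")
    hi=$(awk '$1 == "range" { sub(/;$/, "", $3); print $3; exit }' "$1")
    gw=$(awk '$1 == "option" && $2 == "routers" { sub(/;$/, "", $3); print $3; exit }' "$1")
    if [ -z "$lo" ] || [ -z "$hi" ] || [ -z "$gw" ]; then
        echo "missing range or option routers"; return 0
    fi
    l=$(ip2int "$lo"); h=$(ip2int "$hi"); g=$(ip2int "$gw")
    if [ "$l" -gt "$h" ]; then
        echo "range start $lo is above range end $hi"
    elif [ "$g" -ge "$l" ] && [ "$g" -le "$h" ]; then
        echo "router $gw lies inside dynamic range $lo-$hi"
    else
        echo ok
    fi
}

# Constructed sample where the router sits inside the dynamic range
conf=$(mktemp)
cat > "$conf" <<'EOF'
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.1 10.0.0.200;
  option routers 10.0.0.1;
}
EOF
range_check "$conf"   # prints: router 10.0.0.1 lies inside dynamic range 10.0.0.1-10.0.0.200
rm -f "$conf"
```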