N46030 - Duan Peng - Week 17 Assignment
1. Share a specified directory with Samba
Scenario: share a specified directory with Samba.
Server: 10.0.0.8
Clients: 10.0.0.18, 10.0.0.28

Server configuration (10.0.0.8)

1) Install the Samba package
yum install samba -y

2) Create the Samba group and users
groupadd -r admins
useradd -s /sbin/nologin -G admins duan
smbpasswd -a duan
useradd -s /sbin/nologin -G admins peng
smbpasswd -a peng

3) Create the shared directory and set SELinux
[root@localhost ~]# mkdir /testdir/smbshare -pv
mkdir: created directory '/testdir'
mkdir: created directory '/testdir/smbshare'
[root@localhost ~]# chgrp admins /testdir/smbshare/
[root@localhost ~]# chmod 2775 /testdir/smbshare/
The setgid bit in 2775 makes files created in the share inherit the admins group, so both users can write to each other's files. If SELinux is enforcing, the directory also needs the samba_share_t context; the original steps name SELinux in the heading but show no command for it.

4) Configure the Samba server
[root@localhost ~]# vim /etc/samba/smb.conf
Append at the end of the file:
[share]
path = /testdir/smbshare
write list = @admins

5) Start the smb service and enable it at boot
[root@localhost ~]# systemctl enable --now smb

Client configuration (10.0.0.18 and 10.0.0.28)

1) Install the CIFS filesystem helper
yum install -y cifs-utils

2) Mount and access the share as user duan, on 10.0.0.18
mkdir /mnt/duan
mount -o username=duan //10.0.0.8/share /mnt/duan
(The original mounted on /mnt/wang, which is not the directory created just above.)

3) Mount and access the share as user peng, on 10.0.0.28
mkdir /mnt/peng
mount -o username=peng //10.0.0.8/share /mnt/peng

4) Add the mount to /etc/fstab so it is mounted automatically
cat /etc/fstab
//10.0.0.8/share /mnt/peng cifs credentials=/etc/smb.txt 0 0
or
//10.0.0.8/share /mnt/peng cifs cred=/etc/smb.txt 0 0

cat /etc/smb.txt
username=peng
password=123456
(user= and pass= are accepted as short forms of these two keys.)
The credentials file holds the Samba password in clear text; it must be owned by root with mode 600, otherwise every local user on the client can read it.
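Before an fstab entry like the one above goes live, the credentials file it names deserves a check. The script below is an added example, not part of the original assignment: it verifies that a mount.cifs credentials file is readable by its owner only, that it actually carries a username and a password (accepting the user=/pass=/dom= short forms mentioned above), and it prints the fstab line, adding _netdev so the boot sequence waits for the network before mounting. It assumes GNU stat (Linux) and runs its demo in a temporary directory.

```shell
#!/bin/sh
# Added example: check a mount.cifs credentials file before referencing it from
# /etc/fstab, and build the fstab line. The file holds a clear-text Samba password,
# so the check insists on mode 600 (or 400); mount.cifs runs as root and needs
# nothing more. Uses GNU stat (Linux); the demo works on a temporary copy.
set -u

# Return 0 if the file is readable by its owner only.
cred_mode_ok() {   # cred_mode_ok <file>
  case "$(stat -c '%a' "$1")" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Print the value of a key, accepting the short spellings (user=, pass=, dom=).
# Blank lines and # comments are skipped; the value is everything after the
# first "=", so a password may itself contain "=".
cred_get() {   # cred_get <file> username|password|domain
  case "$2" in
    username) k1=username; k2=user ;;
    password) k1=password; k2=pass ;;
    domain)   k1=domain;   k2=dom ;;
    *) return 2 ;;
  esac
  awk -v k1="$k1" -v k2="$k2" -F= '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    { key = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", key) }
    key == k1 || key == k2 { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); print v; exit }
  ' "$1"
}

# 0 = usable, 1 = permissions too open, 2 = username or password missing.
cred_check() {   # cred_check <file>
  cred_mode_ok "$1" || return 1
  [ -n "$(cred_get "$1" username)" ] && [ -n "$(cred_get "$1" password)" ] || return 2
  return 0
}

# Print the /etc/fstab line; _netdev marks the mount as needing the network.
fstab_line() {   # fstab_line <//server/share> <mountpoint> <credentials-file>
  printf '%s %s cifs credentials=%s,_netdev 0 0\n' "$1" "$2" "$3"
}

# Demo with a constructed credentials file, first world-readable, then fixed.
demo() {
  tmp=$(mktemp -d)
  printf 'username=peng\npassword=123456\n' > "$tmp/smb.txt"
  chmod 644 "$tmp/smb.txt"
  cred_check "$tmp/smb.txt" || echo "rc=$? : refusing world-readable credentials"
  chmod 600 "$tmp/smb.txt"
  cred_check "$tmp/smb.txt" && fstab_line //10.0.0.8/share /mnt/peng /etc/smb.txt
  rm -rf "$tmp"
}
demo
```

Run it as root on the client after writing /etc/smb.txt; a non-zero return from cred_check means the fstab line should not be installed yet.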
2. Give different Samba users different configurations for the same share
Server: 10.0.0.8
Client: 10.0.0.18

Server configuration

1) Create three Samba users, each with the password 123456
[root@localhost ~]# useradd -s /sbin/nologin smb1
[root@localhost ~]# useradd -s /sbin/nologin smb2
[root@localhost ~]# useradd -s /sbin/nologin smb3
[root@localhost ~]# smbpasswd -a smb1
[root@localhost ~]# smbpasswd -a smb2
[root@localhost ~]# smbpasswd -a smb3
[root@localhost ~]# vim /etc/samba/smb.conf
[global]
workgroup = SAMBA
config file = /etc/samba/conf.d/%U
[share]
Path = /data/dir
Read only = NO
Guest ok = yes
write list = @wheel

With config file = /etc/samba/conf.d/%U, smbd reloads its configuration from a file named after the session user once that user is known; if no such file exists, the [share] definition above is used unchanged. Note that this fallback share carries guest ok = yes, so it is also offered to guest sessions whenever the server maps unknown users to guest.

2) Create separate configuration files for smb1 and smb2
mkdir /data/dir{,1,2}
mkdir /etc/samba/conf.d
vim /etc/samba/conf.d/smb1
[share]
Path = /data/dir1
Read only = NO
Create mask = 0644

vim /etc/samba/conf.d/smb2
[share]
Path = /data/dir2

3) Restart the service
systemctl restart smb

Client test

4) Test access
[root@localhost ~]# smbclient //10.0.0.8/share -U smb2%123456
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Sep 22 09:25:45 2020
  ..                                  D        0  Tue Sep 22 09:23:49 2020
  smb2.txt                            N        0  Tue Sep 22 09:25:45 2020

                104806400 blocks of size 1024. 104042548 blocks available
smb: \> q
[root@localhost ~]# smbclient //10.0.0.8/share -U smb1%123456
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Sep 22 09:25:22 2020
  ..                                  D        0  Tue Sep 22 09:23:49 2020
  smb1.txt                            N        0  Tue Sep 22 09:25:22 2020

                104806400 blocks of size 1024. 104042548 blocks available
smb: \> q
[root@localhost ~]# smbclient //10.0.0.8/share -U smb3%123456
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Sep 22 09:25:06 2020
  ..                                  D        0  Tue Sep 22 09:30:14 2020
  test                                N        0  Tue Sep 22 09:25:06 2020

                104806400 blocks of size 1024. 104042580 blocks available
smb: \>

Each user lands in a different directory under the same share name: smb1 sees /data/dir1 (smb1.txt), smb2 sees /data/dir2 (smb2.txt), and smb3, which has no per-user file, falls back to /data/dir (test). Passing the password on the command line with -U user%password exposes it in the process list and the shell history; it is fine for this test, but use -U user and type the password, or a credentials file, anywhere that matters.
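Because the per-user fragment is selected by a macro, the one thing worth checking before dropping a new file into /etc/samba/conf.d is that its [share] path still points below the intended data root. The script below is an added example, not part of the original assignment: it writes fragments of the same shape as step 2 and validates each fragment's path (absolute, under the data root, no ".." component). The user and directory names are the ones from this section; the demo runs in a temporary directory instead of /etc/samba.

```shell
#!/bin/sh
# Added example: generate the per-user fragments that "config file = /etc/samba/conf.d/%U"
# loads, and verify that every fragment's [share] path stays under the data root.
# Names default to the ones used above; the demo at the bottom runs in a temporary
# directory so it can be executed anywhere.
set -u

# Print the "path" value of the named section (keys are case-insensitive, as in smb.conf).
share_path() {   # share_path <conf-file> <section>
  awk -v want="$2" '
    /^[[:space:]]*\[/ { sec = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec) }
    sec == want && tolower($0) ~ /^[[:space:]]*path[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, ""); print; exit
    }' "$1"
}

# Write a fragment for one user: its own directory, writable, new files created 0644.
write_fragment() {   # write_fragment <conf-dir> <data-root> <user>
  printf '[share]\n\tpath = %s/%s\n\tread only = no\n\tcreate mask = 0644\n' \
    "$2" "$3" > "$1/$3"
}

# Return 0 only if the fragment's share path is an absolute path below <data-root>
# with no ".." component; anything else would hand the user a directory outside it.
fragment_ok() {   # fragment_ok <fragment> <data-root>
  p=$(share_path "$1" share)
  case "$p" in
    "$2"/*) ;;            # starts with the data root
    *) return 1 ;;
  esac
  case "/$p/" in
    */../*) return 1 ;;   # a ".." component escapes the root
  esac
  return 0
}

# Demo: two users get fragments; a third (smb3) has none and therefore falls back to
# the global [share] section, exactly as the smbclient test above showed.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/conf.d"
  for u in smb1 smb2; do
    write_fragment "$tmp/conf.d" /data "$u"
    fragment_ok "$tmp/conf.d/$u" /data && echo "$u -> $(share_path "$tmp/conf.d/$u" share)"
  done
  [ -f "$tmp/conf.d/smb3" ] || echo "smb3 -> no fragment, global [share] applies"
  rm -rf "$tmp"
}
demo
```

After generating real fragments, run testparm -s on the server to confirm smbd parses the combined configuration.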
3. Reach an httpd host on the internal network through OpenVPN to repair it: if httpd has gone down, we need to connect in and start it again

Three servers purchased on Alibaba Cloud:
openvpn: 172.16.0.100
web1: 172.16.10.110
web2: 172.16.10.120

Part I. Install the OpenVPN packages and related configuration

1) Install OpenVPN and the certificate tool
yum install -y openvpn easy-rsa

2) Prepare the configuration files
Generate the server configuration file from the shipped sample:
cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn
Prepare the certificate-issuing files:
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
Prepare the variables file that controls certificate issuance:
cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-server/3/vars
(In this package 3 is a symlink to the versioned directory 3.0.7, which is why easyrsa reports its vars file as .../3.0.7/vars in the output below.)
Change the validity period of the certificate the CA issues to the OpenVPN server:
[root@openvpn ~]# vim /etc/openvpn/easy-rsa-server/3/vars
#set_var EASYRSA_CERT_EXPIRE 825
set_var EASYRSA_CERT_EXPIRE 3650

Part II. Prepare the certificates

1) Initialise the PKI, which creates the PKI directory and files
[root@openvpn 3]# pwd
/etc/openvpn/easy-rsa-server/3
[root@openvpn 3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.7/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-server/3/pki
[root@openvpn 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki                     # new directory and its files
│   ├── openssl-easyrsa.cnf
│   ├── private
│   ├── reqs
│   └── safessl-easyrsa.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

4 directories, 13 files

2) Create the CA
[root@openvpn 3]# tree pki
pki
├── openssl-easyrsa.cnf
├── private
├── reqs
└── safessl-easyrsa.cnf

2 directories, 2 files
[root@openvpn 3]# ./easyrsa build-ca nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.7/vars
Using SSL: openssl OpenSSL 1.1.1c FIPS  28 May 2019
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................+++++
........................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:    # press Enter to accept the default

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa-server/3/pki/ca.crt      # the self-signed CA certificate

nopass leaves the CA private key unencrypted on disk. Whoever can read pki/private/ca.key can issue client certificates this VPN will accept, so the files must stay readable by root only; the listing below shows easyrsa created them with mode 600, and they should stay that way.

[root@openvpn 3]# tree pki
pki
├── ca.crt                  # the self-signed CA certificate
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│   └── ca.key              # the CA private key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial

12 directories, 7 files     # the CA-related files
[root@openvpn 3]# cat pki/serial
01
[root@openvpn 3]# ll pki/index.txt
-rw------- 1 root root 0 Sep 18 16:22 pki/index.txt
[root@openvpn 3]# ll pki/ca.crt pki/private/ca.key
-rw------- 1 root root 1204 Sep 18 16:22 pki/ca.crt
-rw------- 1 root root 1679 Sep 18 16:22 pki/private/ca.key
View the self-signed certificate:
[root@openvpn 3]# cat pki/ca.crt
[root@openvpn 3]# openssl x509 -in pki/ca.crt -noout -text

3) Create the server certificate request
[root@openvpn 3]# pwd
/etc/openvpn/easy-rsa-server/3
[root@openvpn 3]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.7/vars
Using SSL: openssl OpenSSL 1.1.1c FIPS  28 May 2019
Generating a RSA private key
...............+++++
.............+++++
writing new private key to '/etc/openvpn/easy-rsa-server/3/pki/easy-rsa-1643.893CPO/tmp.PF17RM'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:    # press Enter to accept the default

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-server/3/pki/reqs/server.req        # the certificate request
key: /etc/openvpn/easy-rsa-server/3/pki/private/server.key     # the private key
[root@openvpn 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key          # the new private key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   └── server.req          # the new request
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial

4) Issue the server certificate
Sign the server.req request above as a certificate of type server. That type adds the TLS server extended key usage, which the client's remote-cert-tls server directive (Part IV) checks for; a certificate signed with the client type lacks it, which is what stops one VPN user from impersonating the server to another.
[root@openvpn 3]# pwd
/etc/openvpn/easy-rsa-server/3
[root@openvpn 3]# ./easyrsa sign server server

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.7/vars
Using SSL: openssl OpenSSL 1.1.1c FIPS  28 May 2019

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:    # the validity period set in vars

subject=
    commonName                = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes    # type yes and press Enter
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-1675.mQsIam/tmp.0FrDhk
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Sep 16 08:35:51 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt    # the server certificate

Verify:
[root@openvpn 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│   └── FC6ABCB0FB1B89BB9A0C90F7581ECFDF.pem    # the server certificate, by serial
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   └── server.crt          # the server certificate
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

Certificate bookkeeping files:
[root@openvpn 3]# cat pki/serial
FC6ABCB0FB1B89BB9A0C90F7581ECFE0
[root@openvpn 3]# cat pki/index.txt
V	300916083551Z		FC6ABCB0FB1B89BB9A0C90F7581ECFDF	unknown	/CN=server
[root@openvpn 3]# cat pki/serial.old
fc6abcb0fb1b89bb9a0c90f7581ecfdf

5) Create the Diffie-Hellman parameters
Method 1:
[root@openvpn 3]# ./easyrsa gen-dh
DH parameters of size 2048 created at /etc/openvpn/easy-rsa-server/3/pki/dh.pem    # the generated parameters
Method 2:
#openssl dhparam -out /etc/openvpn/dh2048.pem 2048
This completes the server-side certificates.

6) Prepare the client certificate environment; everything below is the client certificate setup
[root@openvpn ~]#cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
[root@openvpn ~]#cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-client/3/vars
[root@openvpn ~]#cd /etc/openvpn/easy-rsa-client/3/
[root@openvpn 3]# pwd
/etc/openvpn/easy-rsa-client/3
[root@openvpn 3]# ls
easyrsa  openssl-easyrsa.cnf  vars  x509-types
[root@openvpn 3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.7/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-client/3/pki    # the new directory

7) Create the client certificate request
[root@openvpn 3]# ./easyrsa gen-req duanpeng nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.7/vars
Using SSL: openssl OpenSSL 1.1.1c FIPS  28 May 2019
Generating a RSA private key
....................+++++
.....................................................................................................+++++
writing new private key to '/etc/openvpn/easy-rsa-client/3/pki/easy-rsa-1880.peCR6l/tmp.ypHauf'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [duanpeng]:    # press Enter to accept the default

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-client/3/pki/reqs/duanpeng.req        # the certificate request
key: /etc/openvpn/easy-rsa-client/3/pki/private/duanpeng.key     # the private key
(The original labelled these two the other way round; the .req file is the request and the .key file is the private key.)

8) Issue the client certificate
Switch to the server-side (CA) directory:
[root@openvpn 3]# pwd
/etc/openvpn/easy-rsa-client/3
[root@openvpn 3]# cd /etc/openvpn/easy-rsa-server/3
[root@openvpn 3]# pwd
/etc/openvpn/easy-rsa-server/3
Import the client certificate request into the CA's working directory:
[root@openvpn 3]# ./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/duanpeng.req duanpeng

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.7/vars
Using SSL: openssl OpenSSL 1.1.1c FIPS  28 May 2019

The request has been successfully imported with a short name of: duanpeng
You may now use this name to perform signing operations on this request.

[root@openvpn 3]# tree pki/
pki/
├── ca.crt
├── certs_by_serial
│   └── FC6ABCB0FB1B89BB9A0C90F7581ECFDF.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   └── server.crt
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   ├── duanpeng.req        # the imported request
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

The two files are identical:
[root@openvpn 3]# ll pki/reqs/duanpeng.req /etc/openvpn/easy-rsa-client/3/pki/reqs/duanpeng.req
-rw------- 1 root root 891 Sep 18 16:52 /etc/openvpn/easy-rsa-client/3/pki/reqs/duanpeng.req
-rw------- 1 root root 891 Sep 18 16:55 pki/reqs/duanpeng.req

Change the validity period for certificates issued to clients:
[root@openvpn 3]# vim vars
set_var EASYRSA_CERT_EXPIRE 90

Sign the client certificate:
[root@openvpn 3]# ./easyrsa sign client duanpeng

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.7/vars
Using SSL: openssl OpenSSL 1.1.1c FIPS  28 May 2019

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 90 days:

subject=
    commonName                = duanpeng

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-2061.mkgzaV/tmp.oiMLmi
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'duanpeng'
Certificate is to be certified until Dec 17 09:18:23 2020 GMT (90 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/duanpeng.crt

[root@openvpn 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│   ├── C5F29979C3FE83363DD332F2A4F92426.pem
│   └── FC6ABCB0FB1B89BB9A0C90F7581ECFDF.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   ├── duanpeng.crt        # the client certificate
│   └── server.crt
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   ├── duanpeng.req
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

9) Copy the CA and server certificate files into the server's directory
[root@openvpn ~]#mkdir /etc/openvpn/certs
cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs
cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs
cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs
cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs

10) Copy the client private key and certificate files into a directory of their own on the server
[root@openvpn ~]#mkdir /etc/openvpn/client/duanpeng/
cp /etc/openvpn/easy-rsa-client/3.0.7/pki/private/duanpeng.key /etc/openvpn/client/duanpeng/
cp /etc/openvpn/easy-rsa-client/3.0.7/pki/issued/duanpeng.crt /etc/openvpn/client/duanpeng/
cp /etc/openvpn/easy-rsa-client/3.0.7/pki/ca.crt /etc/openvpn/client/duanpeng/
(easy-rsa-client/3.0.7 and easy-rsa-client/3 are the same directory, see Part I.)

Part III. Prepare the OpenVPN server configuration file

1) Edit the server configuration file
[root@openvpn ~]#vim /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt    # the original read /etc/openvpn/cert/, but step 9 put the files in /etc/openvpn/certs
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.0.0 255.255.255.0"
push "route 172.16.10.0 255.255.255.0"    # web1/web2 are in 172.16.10.0/24; the original pushed only 172.16.0.0/24, which does not cover them
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 200

2) Prepare the log directory
[root@openvpn ~]#getent passwd openvpn    # confirm that the openvpn user exists
mkdir /var/log/openvpn
chown openvpn.openvpn /var/log/openvpn

3) Prepare the iptables rule and kernel parameter
# Enable IP forwarding on the server
[root@openvpn ~]#echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
sysctl -p
# Add the SNAT rule so VPN clients can reach the internal network
[root@openvpn ~]#echo 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE' >> /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local
/etc/rc.d/rc.local    # load the rule now

4) CentOS 8: prepare the service unit file
[root@openvpn ~]#vim /usr/lib/systemd/system/openvpn@.service
[Unit]
Description=...
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf

[Install]
WantedBy=multi-user.target
(The original wrote WanteBy, which systemd ignores, so the unit could not be enabled; the [Unit] section header was also missing.)
Alternatively, install openvpn on a CentOS 7 host and copy its unit file over:
scp /lib/systemd/system/openvpn@.service 10.0.0.8:/lib/systemd/system/

5) Start the service and check its state
[root@openvpn ~]#systemctl daemon-reload
systemctl enable --now openvpn@server    # the instance name selects the config file: %i = server loads /etc/openvpn/server.conf
Service status:
systemctl status openvpn@server
Listening port:
ss -ntlp
Log:
cat /var/log/openvpn/openvpn.log
Addresses:
ip a
Routes:
route -n

Part IV. Prepare the OpenVPN client configuration file

1) Write the client configuration file
vim /etc/openvpn/client/duanpeng/client.ovpn
client
dev tun
proto tcp
remote 35.149.33.24    # in production this is the OpenVPN server's public IP
resolv-retry infinite
nobind
ca ca.crt
cert duanpeng.crt
key duanpeng.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
compress lz4-v2

2) Download and install the OpenVPN client package on the Windows machine.

3) Copy the files from /etc/openvpn/client/duanpeng/ on the server into C:\Program Files\OpenVPN\config on the Windows client:
ca.crt
client.ovpn
duanpeng.crt
duanpeng.key
duanpeng.key is an unencrypted private key (it was generated with nopass), so it has to travel over a protected channel such as scp, never by plain e-mail or a shared drive.

Part V. Connect and manage the hosts remotely
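Before the first connection it pays to lint server.conf, because openvpn@server fails silently into the log when a referenced file is missing. The script below is an added example, not part of the original assignment: it checks that every file-referencing directive (ca, cert, key, dh, tls-crypt, tls-auth, crl-verify) points at a file that exists, resolving relative names against the config directory as --cd /etc/openvpn/ does, that user and group drop privileges to something other than root, and it warns when neither tls-crypt nor tls-auth is configured. That last check matters for the configuration above: the sample server.conf it was copied from ships with tls-auth ta.key 0, and dropping it means anyone who can reach port 1194 may start a TLS handshake with the server. The demo reproduces the cert/ versus certs/ path mismatch in a temporary directory rather than touching /etc/openvpn.

```shell
#!/bin/sh
# Added example: pre-flight checks for an OpenVPN server.conf before
# "systemctl enable --now openvpn@server". Everything runs offline against a
# constructed config in a temporary directory; directive names are OpenVPN's own.
set -u

# First argument of a directive; "#" and ";" comment lines never match.
ovpn_arg() {   # ovpn_arg <conf> <directive>
  awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Print every file-referencing directive whose file is missing; the return value
# is the number of misses (0 = all present). Relative paths resolve against the
# config directory, as under "--cd /etc/openvpn/". "dh none" is legitimate (ECDH only).
ovpn_missing_files() {   # ovpn_missing_files <conf>
  conf=$1; dir=$(dirname "$conf"); n=0
  for d in ca cert key dh tls-crypt tls-auth crl-verify; do
    f=$(ovpn_arg "$conf" "$d")
    [ -n "$f" ] || continue
    [ "$d" = dh ] && [ "$f" = none ] && continue
    case "$f" in /*) ;; *) f="$dir/$f" ;; esac
    if [ ! -f "$f" ]; then
      echo "$d -> $f: missing"
      n=$((n + 1))
    fi
  done
  return "$n"
}

# 0 if the daemon drops to an unprivileged user and group after start-up.
ovpn_drops_privs() {   # ovpn_drops_privs <conf>
  u=$(ovpn_arg "$1" user); g=$(ovpn_arg "$1" group)
  [ -n "$u" ] && [ -n "$g" ] && [ "$u" != root ] && [ "$g" != root ]
}

# 0 if the control channel is protected by tls-crypt or tls-auth; the server.conf
# above has neither, so any client that can reach the port may start a handshake.
ovpn_has_tls_key() {   # ovpn_has_tls_key <conf>
  awk '$1 == "tls-crypt" || $1 == "tls-auth" { f = 1 } END { exit !f }' "$1"
}

# Demo reproducing the mismatch above: files copied to certs/, config pointing at cert/.
demo() {
  tmp=$(mktemp -d); mkdir -p "$tmp/certs"
  for f in ca.crt server.crt server.key dh.pem; do : > "$tmp/certs/$f"; done
  printf 'port 1194\nproto tcp\ndev tun\nca %s/certs/ca.crt\ncert %s/cert/server.crt\nkey %s/certs/server.key\ndh %s/certs/dh.pem\nuser openvpn\ngroup openvpn\n' \
    "$tmp" "$tmp" "$tmp" "$tmp" > "$tmp/server.conf"
  ovpn_missing_files "$tmp/server.conf" || echo "$? file(s) missing"
  ovpn_drops_privs "$tmp/server.conf" && echo "privileges dropped to openvpn:openvpn"
  ovpn_has_tls_key "$tmp/server.conf" || echo "warning: no tls-crypt/tls-auth key"
  rm -rf "$tmp"
}
demo
```

Point the functions at /etc/openvpn/server.conf on the real server; anything printed by ovpn_missing_files is a line to fix before daemon-reload and enable --now.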
