linux_8

1. Create a private CA and issue a certificate from a certificate request

  • Create the CA directories and files
[root@centos8 ~]#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
[root@centos8 ~]#tree /etc/pki/CA/
/etc/pki/CA/
├── certs
├── crl
├── newcerts
└── private
[root@centos8 ~]#touch /etc/pki/CA/index.txt
[root@centos8 ~]#echo 01 > /etc/pki/CA/serial	#serial number of the first certificate to be issued; the value is hexadecimal
  • Create the CA private key
[root@centos8 ~]#cd /etc/pki/CA/
[root@centos8 CA]#(umask 066; openssl genrsa -out private/cakey.pem 2048)	#umask 066 in a subshell creates the key 0600 (root only) without changing the shell's umask
[root@centos8 CA]#tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial
  • Issue the CA its self-signed certificate
[root@centos8 ~]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem	#-x509 writes a self-signed certificate instead of a request; the stock openssl.cnf applies the v3_ca section, which marks it CA:TRUE
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:it
Common Name (eg, your name or your server's hostname) []:ca.xxx.org
Email Address []:admin@xxx.org	

[root@centos8 ~]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial
  • The user generates a private key and a certificate signing request
[root@centos8 ~]#mkdir /data/app -pv
#generate the private key (umask 066 again keeps it readable by its owner only)
[root@centos8 ~]#(umask 066; openssl genrsa -out /data/app/app.key 2048)
#generate the certificate signing request (CSR); the CA only needs this file, never the private key
[root@centos8 ~]#openssl req -new -key /data/app/app.key -out /data/app/app.csr
...
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:it
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:app.xxx.org
Email Address []:admin@app.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#Note: the country, state and organization here must match the CA's. This is enforced by the CA's signing policy (policy_match in /etc/pki/tls/openssl.cnf: countryName, stateOrProvinceName and organizationName are "match"); a request that differs is rejected by openssl ca

  • The CA issues the certificate
[root@centos8 ~]#openssl ca -in /data/app/app.csr -out /etc/pki/CA/certs/app.crt -days 1000
...
Certificate is to be certified until Jun 26 17:26:52 2024 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
#a copy of the signed certificate is kept as newcerts/<serial>.pem, index.txt gains a V (valid) entry and serial is advanced to 02

[root@centos8 ~]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
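The steps above as one non-interactive script, added here as an example that is not code from the original post. It builds the same CA layout in a temporary directory with its own small openssl.cnf (so it never touches /etc/pki/CA), issues a certificate for app.xxx.org with the extensions a TLS server needs, and then runs the checks the post leaves out: that the certificate verifies against the CA, that it is not itself a CA, that it carries the hostname as a subjectAltName, and that the CA database recorded it. The DN values follow the post; the directory layout, the lab_ca section name and the requirement for OpenSSL 1.1.1 or newer are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: the CA procedure above, run
# non-interactively in a throwaway directory with its own openssl.cnf, plus the
# checks to run on the issued certificate. Assumes OpenSSL 1.1.1 or newer.
# DN values (C=CN, ST=bj, O=it, ca.xxx.org, app.xxx.org) follow the post; the
# directory layout and the 'lab_ca' section name are assumptions for this example.
set -e

write_ca_config() {   # $1 = CA directory
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir           = $1
database      = \$dir/index.txt
serial        = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_match
# policy_match is the reason the post says C, ST and O of a request must match the CA
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
localityName           = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

build_ca() {          # $1 = CA directory
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    : > "$1/index.txt"          # empty certificate database
    echo 01 > "$1/serial"       # serial of the first certificate, hexadecimal
    write_ca_config "$1"
    # umask 066 makes the key file 0600: only the CA operator may read it
    (umask 066; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
        -days 3650 -subj "/C=CN/ST=bj/L=bj/O=it/CN=ca.xxx.org" -out "$1/cacert.pem"
}

issue_cert() {        # $1 = CA directory, $2 = server hostname, $3 = directory for key and CSR
    mkdir -p "$3"
    (umask 066; openssl genrsa -out "$3/$2.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$3/$2.key" \
        -subj "/C=CN/ST=bj/L=bj/O=it/OU=linux/CN=$2" -out "$3/$2.csr"
    # The CA decides the extensions; nothing is copied from the CSR, so a requester
    # cannot smuggle in CA:TRUE or extra names. The SAN is what TLS clients match.
    cat > "$3/$2.ext" <<EOF
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$2
EOF
    openssl ca -batch -notext -config "$1/openssl.cnf" -extfile "$3/$2.ext" \
        -extensions server_ext -days 1000 -in "$3/$2.csr" -out "$1/certs/$2.crt"
}

check_cert() {        # $1 = CA directory, $2 = hostname; status 0 only if every check passes
    crt="$1/certs/$2.crt"
    # the chain builds to our CA certificate and the signature verifies
    openssl verify -CAfile "$1/cacert.pem" "$crt" 2>/dev/null | grep -q ': OK$' || return 1
    text=$(openssl x509 -in "$crt" -noout -text)
    # the issued certificate must not itself be a CA, and must carry the requested name
    echo "$text" | grep -q 'CA:FALSE' || return 2
    echo "$text" | grep -q "DNS:$2"   || return 3
    # the CA database lists it as V(alid); this is the file 'openssl ca -revoke' updates
    grep -q '^V' "$1/index.txt" || return 4
    return 0
}

# Stand-alone run: build a CA, issue app.xxx.org and check the result.
demo=$(mktemp -d)
build_ca "$demo/CA"
issue_cert "$demo/CA" app.xxx.org "$demo/app"
check_cert "$demo/CA" app.xxx.org && echo "app.xxx.org: chain, extensions and CA database OK"
```

For the CA built by hand in /etc/pki/CA the same checks are `openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/pki/CA/certs/app.crt` and `openssl x509 -in /etc/pki/CA/certs/app.crt -noout -text`. Two design points: the server extensions come from a file the CA controls rather than from the CSR (copy_extensions = copy in openssl.cnf copies whatever the requester put in the request, which is only safe when the CA's own extension section overrides every security-relevant field), and the certificate is bound to a subjectAltName because browsers and most TLS libraries no longer match the hostname against the CN alone.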

2. Summary of common ssh options and usage
The ssh command is the SSH client; it provides authenticated, encrypted access to a remote system.
Common options

-p port          #port the remote server listens on (default 22)
-b bind_address  #source address to connect from, on a host with more than one address
-v               #verbose (debug) output; -vv and -vvv show more
-C               #compress all data
-X               #enable X11 forwarding (this exposes the local X display to the remote host, so use it only with servers you trust)
-i <file>        #private key file for key-based authentication; by default ssh tries ~/.ssh/id_dsa,
                 ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa

Example 1: run a command on the remote host

[root@centos6 ~]#ssh 10.0.0.8 "sed -i.bak '/StrictHostKeyChecking/s/.*/StrictHostKeyChecking no/' /etc/ssh/ssh_config"
root@10.0.0.8's password:
#This sets StrictHostKeyChecking no in the client configuration of 10.0.0.8, so ssh on that host no longer asks about unknown host keys.
#It also stops that client from refusing a host whose key has changed, which is exactly the signal of a man-in-the-middle attack; for automation, the value accept-new (newer OpenSSH releases) accepts unknown keys but still rejects changed ones.

Example 2: run a local shell script on the remote host

[root@centos8 ~]#ssh 10.0.0.18 /bin/bash < test.sh
root@10.0.0.18's password:
#The remote bash reads the script from standard input, so the file does not have to be copied to 10.0.0.18 first.

3. Summary of common sshd service parameters
Difference between ssh and sshd: ssh is the client program, sshd is the server daemon. The options below are in fact ssh client options for port forwarding through sshd; what the server permits is set in /etc/ssh/sshd_config (AllowTcpForwarding, GatewayPorts, PermitOpen).
Common options

-L [bind_address:]port:host:hostport  #local port forwarding ("forward proxy"), comparable to iptables port forwarding: connections to port on the client are carried through the SSH connection and delivered by the server to host:hostport
-R [bind_address:]port:host:hostport  #remote port forwarding ("reverse proxy"), comparable to frp or ngrok: connections to port on the server are carried back to the client and delivered to host:hostport
-f  #go to the background after authentication
-N  #do not run a remote shell or command; the connection only carries the forwarded ports
-g  #let other hosts connect to the locally forwarded port; without it the -L listener is bound to 127.0.0.1 only

Example:

#Connections to port 9527 on this host are encrypted and sent to the ssh service on sshsrv, which decrypts them and forwards them to telnetsrv:23
[root@centos8 ~]#ssh -L 9527:telnetsrv:23 -Nfg sshsrv
#The tunnel now runs in the background; the telnet session is opened through it with a second command
[root@centos8 ~]#telnet 127.0.0.1 9527
#Only the leg from this host to sshsrv is encrypted; sshsrv still speaks plaintext telnet to telnetsrv. And because of -g, any host that can reach port 9527 here gets into telnetsrv:23 without ever authenticating to sshsrv, so leave -g out unless that is intended
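What the client options above are allowed to do is decided on the server, in /etc/ssh/sshd_config. The excerpt below is an added example, not configuration from the original post: it shows the sshd directives that govern the -L, -R and -g options of this section and the password logins used throughout the page. The values are a hardened baseline for the lab in the post (sshsrv forwarding only to telnetsrv:23), not settings taken from the page.

```sshconfig
# /etc/ssh/sshd_config excerpt on sshsrv (added example). Restart sshd after editing.

# The page logs in as root with a password everywhere. Allow keys, then switch
# passwords off; prohibit-password lets root in with a key only ("no" blocks root entirely).
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password

# Server-side switch for the client's -L and -R: "no" refuses every forward
# (the login still works, the tunnel does not), "local" allows only -L,
# "remote" only -R, "yes" both.
AllowTcpForwarding local

# Where a -R listener binds on this server: "no" keeps it on 127.0.0.1, "yes"
# puts it on all interfaces. This is the server-side counterpart of the client's -g.
GatewayPorts no

# Restrict where -L may go through this server. Without it every account that can
# log in can reach any host sshsrv can reach.
PermitOpen telnetsrv:23

# Drop tunnels whose client has gone away instead of keeping idle -Nf sessions forever.
ClientAliveInterval 300
ClientAliveCountMax 2
```

Test a change with `sshd -t` before restarting: it parses the file and reports errors without affecting the running daemon, so a typo cannot lock you out of the only shell you have on the box.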

4. Set up a DHCP server and hand out IP addresses
Environment: VMware virtual machines running CentOS 7

  • Preparation
    Turn off the DHCP service of the VMware virtual network first, otherwise two servers with different address pools answer on the same network and clients take whichever offer arrives first.
    Steps: Edit --> Virtual Network Editor --> Change Settings --> untick the DHCP option and confirm

  • Install dhcp with yum

[root@centos7 ~]#yum -y install dhcp
[root@centos7 ~]#systemctl enable --now dhcpd  #starting straight away fails: the packaged configuration file declares no subnet, so it has to be edited first
Created symlink from /etc/systemd/system/multi-user.target.wants/dhcpd.service to /usr/lib/systemd/system/dhcpd.service.
Job for dhcpd.service failed because the control process exited with error code. See "systemctl status dhcpd.service" and "journalctl -xe" for details.
[root@centos7 ~]#rpm -ql dhcp  #locate the configuration file
...
/etc/dhcp/dhcpd.conf

[root@centos7 ~]#vim  /etc/dhcp/dhcpd.conf  #the file holds only comments, and they point to the example file
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#
[root@centos7 ~]#cp /usr/share/doc/dhcp*/dhcpd.conf.example /etc/dhcp/dhcpd.conf  #start from the example file by copying it over the configuration file

  • Edit the configuration file
[root@centos7 ~]#vim  /etc/dhcp/dhcpd.conf

#line 8: DNS servers handed to the clients
option domain-name-servers 180.76.76.76,223.5.5.5;
#line 10: default lease time, in seconds
default-lease-time 86400;
max-lease-time 106400; #longest lease a client may ask for, in seconds
#lines 27 and 32: the example file declares two sample subnets, an empty one and one with an address pool;
#replace them with a single declaration for the VM network that carries the pool and the default gateway
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.60 10.0.0.100;
  option routers 10.0.0.2;
}
#the remaining sample subnets and hosts in the example file can be deleted
  • Start the service
[root@centos7 ~]#systemctl restart dhcpd
[root@centos7 ~]# ss -ntul  #dhcpd now listens on UDP port 67
  • Simulate an address request
[root@centos8 ~]#ip a  #address before the change
...
    inet 10.0.0.131/24 brd 10.0.0.255 scope global dynamic noprefixroute ens33
...
[root@centos8 ~]#nmcli connection reload   #reload the network connection
[root@centos8 ~]#ip a
...
    inet 10.0.0.60/24 brd 10.0.0.255 scope global dynamic noprefixroute ens33
  ...
#the client now holds an address from the planned pool: 10.0.0.60 is the first address of the range
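The edits above, assembled into one complete dhcpd.conf, as an added example that is not the file from the original post. It adds two things the walk-through does not have: the authoritative directive, which is what makes the server correct clients still holding a lease from the VMware DHCP service, and a fixed-address reservation for a known MAC. The network values follow the post; the domain name, the reserved host and its MAC address are assumptions made for this example.

```conf
# /etc/dhcp/dhcpd.conf, complete (added example, not the file from the original post).
# Network values follow the post: 10.0.0.0/24, pool 10.0.0.60-10.0.0.100, gateway 10.0.0.2,
# DNS 180.76.76.76 and 223.5.5.5. The domain name, the reserved host and its MAC address
# are assumptions made for this example.

option domain-name "xxx.org";
option domain-name-servers 180.76.76.76, 223.5.5.5;

default-lease-time 86400;
max-lease-time 106400;

# Answer clients that request a lease this server does not recognise (for example one
# left over from VMware's DHCP service) with a DHCPNAK instead of staying silent. Without
# this line such clients get no answer and only obtain a correct lease after their own
# retries time out.
authoritative;

subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.60 10.0.0.100;
    option routers 10.0.0.2;
    option broadcast-address 10.0.0.255;

    # Reservation: this MAC always receives the same address, chosen outside the dynamic pool.
    host app {
        hardware ethernet 00:0c:29:12:34:56;
        fixed-address 10.0.0.50;
    }
}
```

Check the file before restarting with `dhcpd -t -cf /etc/dhcp/dhcpd.conf`, which parses it and exits without serving anything; `ss -nul | grep ':67 '` confirms the listener afterwards. On the client, `nmcli connection down ens33` followed by `nmcli connection up ens33` forces a fresh DHCP exchange, and the resulting lease appears on the server in /var/lib/dhcpd/dhcpd.leases. The reason the VMware DHCP service had to be disabled is also the classic DHCP weakness: clients accept the first DHCPOFFER they receive, so any host on the segment that runs a DHCP server, authorised or not, can hand out its own gateway and DNS; on a physical network that is what DHCP snooping on the switch is for.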

posted @ 2021-11-08 00:55  火火7412