Linux Service Basics
Lab environment: CentOS 7.9 (host OurLab, which acts as the CA and as the DHCP client) and Ubuntu 18.04 (host node2, the certificate requester and DHCP server)
1. Create a private CA and request a certificate.
1) Create the files the CA needs
# Generate the certificate index database file
[root@OurLab ~]# touch /etc/pki/CA/index.txt
# Set the serial number of the first certificate to be issued
[root@OurLab ~]# echo 01 > /etc/pki/CA/serial
2) Create the CA's self-signed certificate
# Generate the CA private key
[root@OurLab ~]# (umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
....................................................................+++
.......................+++
e is 65537 (0x10001)
# Generate the self-signed CA certificate
[root@OurLab ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 180 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ningxia
Locality Name (eg, city) [Default City]:yinchuan
Organization Name (eg, company) [Default Company Ltd]:megedu
Organizational Unit Name (eg, section) []:gw
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
3) Request and issue a certificate
root@node2:~# mkdir /etc/apache2/ssl
# Generate the server's private key
root@node2:~# (umask 077;openssl genrsa -out /etc/apache2/ssl/apache.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
........+++++
..........+++++
e is 65537 (0x010001)
# Generate the certificate signing request (CSR)
root@node2:~# openssl req -new -key /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.csr
Can't load /root/.rnd into RNG
139697046380992:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ningxia
Locality Name (eg, city) []:yinchuan
Organization Name (eg, company) [Internet Widgits Pty Ltd]:megedu
Organizational Unit Name (eg, section) []:gw
Common Name (e.g. server FQDN or YOUR name) []:ca.magedu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Transfer the CSR to the CA
root@node2:~# scp /etc/apache2/ssl/apache.csr 192.0.2.21:/tmp
The authenticity of host '192.0.2.21 (192.0.2.21)' can't be established.
ECDSA key fingerprint is SHA256:rqNq6Oq0tQ9qpav30p0e8Y91KKvEmL7yP3lJ6z+oZdE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.0.2.21' (ECDSA) to the list of known hosts.
root@192.0.2.21's password:
apache.csr 100% 1005 94.7KB/s 00:00
4) The CA signs the certificate and issues it to the requester
[root@OurLab ~]# openssl ca -in /tmp/apache.csr -out /etc/pki/CA/certs/apache.crt -days 180
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 29 12:47:39 2021 GMT
Not After : Feb 25 12:47:39 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = ningxia
organizationName = megedu
organizationalUnitName = gw
commonName = ca.magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BC:E0:D8:16:9C:98:B0:7F:BF:E8:62:86:BA:3F:AF:93:69:C1:A7:AE
X509v3 Authority Key Identifier:
keyid:DE:3E:BA:63:9A:95:45:75:E4:13:0F:88:3C:0E:61:16:B8:6C:09:2A
Certificate is to be certified until Feb 25 12:47:39 2022 GMT (180 days)
Sign the certificate? [y/n]:Y
1 out of 1 certificate requests certified, commit? [y/n]Y
Write out database with 1 new entries
Data Base Updated
# Send the issued certificate back to the requester
[root@OurLab ~]# scp /etc/pki/CA/certs/apache.crt gw@192.0.2.20:/etc/apache2/ssl/
5) View certificate information
[root@OurLab ~]# openssl x509 -in /etc/pki/CA/certs/apache.crt -noout -issuer
issuer= /C=CN/ST=ningxia/L=yinchuan/O=megedu/OU=gw/CN=ca.magedu.com
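The procedure above as an added example, not part of the original notes: the same steps (index.txt, serial, CA key and self-signed certificate, server key and CSR, openssl ca) run non-interactively in a scratch directory with a constructed minimal openssl.cnf standing in for the system /etc/pki/tls/openssl.cnf, followed by the checks a relying party makes on the result (chain to the CA, hostname match, leaf not a CA). It differs from the transcript in one deliberate point: the server's request carries the server's own name (www.example.org, a made-up value) in the CN and in a subjectAltName rather than the CA's CN, because clients verify the server name against the certificate. Directory names, DN values and hostnames are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the lab notes): the page's CA procedure run
# non-interactively in a scratch directory, then verified. Every path, DN value
# and hostname below is constructed for the example.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, nothing to run" >&2; exit 0; }

# CA layout (index.txt, serial, key, self-signed cert) plus a minimal openssl.cnf
# standing in for /etc/pki/tls/openssl.cnf.  Usage: build_lab_ca DIR
build_lab_ca() {
    ca_dir=$1
    mkdir -p "$ca_dir/private" "$ca_dir/newcerts"
    chmod 700 "$ca_dir/private"
    : > "$ca_dir/index.txt"      # certificate index database
    echo 01 > "$ca_dir/serial"   # serial number of the first certificate issued
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
new_certs_dir    = $ca_dir/newcerts
database         = $ca_dir/index.txt
serial           = $ca_dir/serial
certificate      = $ca_dir/cacert.pem
private_key      = $ca_dir/private/cakey.pem
default_md       = sha256
default_days     = 180
policy           = policy_loose
copy_extensions  = copy
x509_extensions  = server_cert
unique_subject   = no
[ policy_loose ]
countryName      = optional
organizationName = optional
organizationalUnitName = optional
commonName       = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
prompt           = no
[ req_dn ]
CN = placeholder
EOF
    # CA key readable only by its owner, then the self-signed CA certificate
    (umask 077; openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$ca_dir/openssl.cnf" -key "$ca_dir/private/cakey.pem" \
        -days 180 -subj "/C=CN/O=Lab/CN=lab-root-ca" -out "$ca_dir/cacert.pem"
}

# Requester side: key and CSR naming the server in CN and subjectAltName.
# CA side: openssl ca.  Usage: issue_server_cert CA_DIR FQDN  (writes CA_DIR/FQDN.key/.csr/.crt)
issue_server_cert() {
    ca_dir=$1; fqdn=$2
    (umask 077; openssl genrsa -out "$ca_dir/$fqdn.key" 2048 2>/dev/null)
    # the request extension section is appended to a copy of the config
    { cat "$ca_dir/openssl.cnf"; printf '[ server_req ]\nsubjectAltName = DNS:%s\n' "$fqdn"; } \
        > "$ca_dir/$fqdn.cnf"
    openssl req -new -config "$ca_dir/$fqdn.cnf" -key "$ca_dir/$fqdn.key" \
        -subj "/C=CN/O=Lab/CN=$fqdn" -reqexts server_req -out "$ca_dir/$fqdn.csr"
    # -batch answers the two y/n prompts of the interactive run
    openssl ca -batch -config "$ca_dir/openssl.cnf" -in "$ca_dir/$fqdn.csr" \
        -out "$ca_dir/$fqdn.crt" -days 180 -notext 2>/dev/null
}

# What a client checks: chain to the CA, name matches, leaf is not itself a CA.
# Prints OK or the failing check.  Usage: verify_issued_cert CA_DIR CERT HOSTNAME
verify_issued_cert() {
    ca_dir=$1; crt=$2; host=$3
    # the ': OK' text is checked rather than the exit status, which OpenSSL 1.0.x
    # leaves at 0 even when verification fails
    openssl verify -CAfile "$ca_dir/cacert.pem" -verify_hostname "$host" "$crt" 2>&1 \
        | grep -q ': OK$' || { echo "FAIL: chain or hostname ($host)"; return 1; }
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:FALSE' \
        || { echo "FAIL: leaf is marked as a CA"; return 1; }
    echo OK
}

LAB=$(mktemp -d)
build_lab_ca "$LAB"
issue_server_cert "$LAB" www.example.org
openssl x509 -in "$LAB/www.example.org.crt" -noout -issuer -subject   # same check as on the page
verify_issued_cert "$LAB" "$LAB/www.example.org.crt" www.example.org
verify_issued_cert "$LAB" "$LAB/www.example.org.crt" other.example.org || true   # name mismatch is refused
```

The last call is expected to report a hostname failure for other.example.org: a certificate that chains correctly to the CA is still useless to a client unless the name it connects to appears in the certificate, which is why the lab's CSR should have named the web server rather than reusing the CA's CN.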
2. Summary of common ssh options and usage
1) Connect to a remote host
[root@OurLab ~]# ssh gw@192.0.2.20
gw@192.0.2.20's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-42-generic x86_64)
2) Connect to a specific port
[root@OurLab ~]# ssh gw@192.0.2.20 -p 22
gw@192.0.2.20's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-42-generic x86_64)
3) Jump through remote host 1 to reach host 2
[root@OurLab ~]# ssh -t gw@192.0.2.20 ssh 192.0.2.21
gw@192.0.2.20's password:
The authenticity of host '192.0.2.21 (192.0.2.21)' can't be established.
ECDSA key fingerprint is SHA256:rqNq6Oq0tQ9qpav30p0e8Y91KKvEmL7yP3lJ6z+oZdE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.0.2.21' (ECDSA) to the list of known hosts.
gw@192.0.2.21's password:
Last login: Sun Aug 22 19:39:57 2021 from gateway
4) Run a shell command on the remote host
[root@OurLab ~]# ssh -l gw 192.0.2.20 'df -h'
gw@192.0.2.20's password:
Filesystem Size Used Avail Use% Mounted on
/dev/sda6 47G 53M 45G 1% /data
/dev/sda1 945M 119M 761M 14% /boot
tmpfs 391M 32K 391M 1% /run/user/121
tmpfs 391M 52K 391M 1% /run/user/1000
/dev/loop9 62M 62M 0 100% /snap/core20/1081
/dev/loop10 2.5M 2.5M 0 100% /snap/gnome-system-monitor/163
tmpfs 391M 0 391M 0% /run/user/0
3. Summary of common sshd options
1) port 22
The default port is 22. More than one port can be used by repeating the directive, e.g. to add port 443: port 443
2) protocol 1,2
SSH protocol version; one or both versions may be listed. Note that version 1 is insecure and OpenSSH 7.4 and later no longer implement it, so on current systems only version 2 exists and this directive is ignored with a deprecation warning.
3) ListenAddress 0.0.0.0
Address to listen on; the default is all addresses. A specific address can be given, e.g. ListenAddress 192.0.2.20
4) PermitRootLogin no
Whether the root user may log in
5) PasswordAuthentication yes
Whether password authentication is allowed
6) PermitEmptyPasswords no
Whether logging in with an empty password is allowed
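An added example, not from the original notes, that reads an sshd_config the way sshd does and audits the directives listed above: keywords are case-insensitive, the first value of a keyword wins (a PermitRootLogin no appended below an earlier PermitRootLogin yes changes nothing), and settings inside a Match block apply only to matching sessions, so they do not alter the global value. Both configuration files are constructed for the example; the audit prints one WARN line per risky global setting.

```shell
#!/bin/sh
# Added example (not from the lab notes): read sshd_config the way sshd does and
# flag risky values of the directives listed above. Both configs are constructed.
set -eu

# Effective global value of KEYWORD in FILE, empty when unset. Keywords are
# case-insensitive.  Usage: sshd_effective FILE KEYWORD
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }             # blank lines and comments
        tolower($1) == "match" { exit }             # the rest applies only to matching sessions
        tolower($1) == k       { print $2; exit }   # sshd keeps the FIRST value it sees
    ' "$1"
}

# Every listening port (Port may be repeated); "22" when none is set.  Usage: sshd_ports FILE
sshd_ports() {
    awk '
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port"  { p = (p == "" ? $2 : p " " $2) }
        END                    { print (p == "" ? "22" : p) }
    ' "$1"
}

# One WARN line per risky global setting.  Usage: audit_sshd_config FILE
audit_sshd_config() {
    f=$1
    case "$(sshd_effective "$f" Protocol)" in
        *1*) echo "WARN Protocol lists SSH-1, which is obsolete; OpenSSH 7.4+ ignores this directive" ;;
    esac
    case "$(sshd_effective "$f" PermitRootLogin)" in
        yes) echo "WARN PermitRootLogin yes: root can authenticate directly; prefer a named account and sudo" ;;
        "")  echo "WARN PermitRootLogin unset: the distribution default applies; set it explicitly" ;;
    esac
    case "$(sshd_effective "$f" PasswordAuthentication)" in
        yes|"") echo "WARN PasswordAuthentication yes (the default when unset): prefer key-based logins" ;;
    esac
    case "$(sshd_effective "$f" PermitEmptyPasswords)" in
        yes) echo "WARN PermitEmptyPasswords yes: accounts without a password can log in" ;;
    esac
}

# Number of WARN lines for FILE.  Usage: count_warnings FILE
count_warnings() { audit_sshd_config "$1" | grep -c '^WARN' || true; }

WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
# constructed weak configuration
Port 22
Port 443
Protocol 1,2
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
# appended later by an administrator: sshd ignores it, the first value wins
PermitRootLogin no
EOF
cat > "$HARD" <<'EOF'
# constructed hardened configuration; the Match block does not change the global value
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
EOF
for cfg in "$WEAK" "$HARD"; do
    echo "$cfg: ports $(sshd_ports "$cfg"), effective PermitRootLogin=$(sshd_effective "$cfg" PermitRootLogin)"
    audit_sshd_config "$cfg"
done
```

Running it against /etc/ssh/sshd_config on a host shows what sshd will actually enforce after a restart; the weak file produces three WARN lines and reports PermitRootLogin=yes despite the trailing "no", while the hardened file produces none.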
4. Set up a DHCP service to allocate and hand out IP addresses
1) Install the DHCP service
root@node2:~# apt install isc-dhcp-server
2) Edit the configuration files
root@node2:~# vim /etc/default/isc-dhcp-server
INTERFACESv4="ens36"
root@node2:~# vim /etc/dhcp/dhcpd.conf
# Add the following
subnet 192.0.2.0 netmask 255.255.255.0 {
range 192.0.2.30 192.0.2.200;
option domain-name-servers 192.0.2.1;
option domain-name "internal.example.org";
option routers 192.0.2.1;
option broadcast-address 192.0.2.255;
default-lease-time 600;
max-lease-time 7200;
}
host OurLab {
hardware ethernet 00:0c:29:5d:8f:74;
fixed-address 192.0.2.100;
}
3) Set a static IP on the interface the server listens on
root@node2:~# nmcli connection add type ethernet ifname ens38 con-name ens38
Connection 'ens38' (956c1629-a954-4247-8940-4b249ae78b90) successfully added.
root@node2:~# nmcli connection modify ens38 ipv4.addresses 192.0.2.35/24 ipv4.gateway 192.0.2.1 ipv4.method manual
root@node2:~# nmcli connection reload
root@node2:~# nmcli connection up ens38
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/21)
4) Restart the DHCP service and check its status
root@node2:~# systemctl restart isc-dhcp-server
root@node2:~# systemctl status isc-dhcp-server
● isc-dhcp-server.service - ISC DHCP IPv4 server
Loaded: loaded (/lib/systemd/system/isc-dhcp-server.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-08-29 21:45:01 CST; 29s ago
Docs: man:dhcpd(8)
Main PID: 105594 (dhcpd)
Tasks: 1 (limit: 4634)
CGroup: /system.slice/isc-dhcp-server.service
└─105594 dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-server/dhcpd.pid -cf /etc/dhcp/dhcpd.conf ens38
8月 29 21:45:01 node2 sh[105594]: Multiple interfaces match the same subnet: ens33 ens38
8月 29 21:45:01 node2 sh[105594]: Multiple interfaces match the same shared network: ens33 ens38
8月 29 21:45:01 node2 dhcpd[105594]: Multiple interfaces match the same shared network: ens33 ens38
8月 29 21:45:01 node2 dhcpd[105594]: Listening on LPF/ens38/00:0c:29:9d:83:48/192.0.2.0/24
8月 29 21:45:01 node2 sh[105594]: Listening on LPF/ens38/00:0c:29:9d:83:48/192.0.2.0/24
8月 29 21:45:01 node2 sh[105594]: Sending on LPF/ens38/00:0c:29:9d:83:48/192.0.2.0/24
8月 29 21:45:01 node2 sh[105594]: Sending on Socket/fallback/fallback-net
8月 29 21:45:01 node2 dhcpd[105594]: Sending on LPF/ens38/00:0c:29:9d:83:48/192.0.2.0/24
8月 29 21:45:01 node2 dhcpd[105594]: Sending on Socket/fallback/fallback-net
8月 29 21:45:01 node2 dhcpd[105594]: Server starting service.
5) On the client, set the interface (ifcfg-ens36) to obtain its address by DHCP
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens36
UUID=ec2191a0-4f5c-446f-9b10-b371dcec0b60
DEVICE=ens36
ONBOOT=yes
6) Check the address the client obtained
[root@OurLab network-scripts]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:5d:8f:6a brd ff:ff:ff:ff:ff:ff
inet 192.0.2.21/24 brd 192.0.2.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::ebed:1849:3b90:f95b/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:04:2c:f0 brd ff:ff:ff:ff:ff:ff
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:04:2c:f0 brd ff:ff:ff:ff:ff:ff
5: ens36: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:5d:8f:74 brd ff:ff:ff:ff:ff:ff
inet 192.0.2.100/24 brd 192.0.2.255 scope global noprefixroute dynamic ens36
valid_lft 310sec preferred_lft 310sec
inet6 fe80::df81:a856:cad6:f28f/64 scope link noprefixroute
valid_lft forever preferred_lft forever
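An added example, not from the original notes: an offline sanity check of dhcpd.conf to run before restarting isc-dhcp-server. It parses the subnet, range, routers, fixed-address and lease-time directives and reports addresses outside the declared subnet, an inverted range, a default lease longer than the maximum, and a reservation that falls inside the dynamic range (the lab's 192.0.2.100 does; keeping reservations outside the pool removes any ambiguity about which mechanism owns an address). It assumes the single-subnet layout shown above and reads the first occurrence of each directive. Both configuration files are constructed: the first copies the lab's values, the second is deliberately inconsistent.

```shell
#!/bin/sh
# Added example (not from the lab notes): offline sanity check of dhcpd.conf
# before restarting isc-dhcp-server. Assumes the single-subnet layout shown on
# the page (first occurrence of each directive). Both configs are constructed.
set -eu

# Dotted quad to integer, e.g. 192.0.2.100 -> 3221226084.  Usage: ip2int ADDR
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# True when ADDR lies in NET/MASK.  Usage: in_subnet ADDR NET MASK
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# Value(s) after DIRECTIVE on its first line, without the trailing ';' or '{'.
# Usage: conf_get FILE "directive words"
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;{]*\).*/\1/p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# One WARN or INFO line per finding.  Usage: check_dhcpd_conf FILE
check_dhcpd_conf() {
    f=$1
    set -- $(conf_get "$f" subnet); net=$1; mask=$3      # "NET netmask MASK"
    set -- $(conf_get "$f" range);  start=$1; end=$2     # "START END"
    router=$(conf_get "$f" "option routers")
    fixed=$(conf_get "$f" fixed-address)
    for a in "$start" "$end" "$router" "$fixed"; do
        [ -z "$a" ] || in_subnet "$a" "$net" "$mask" || echo "WARN $a is not inside $net/$mask"
    done
    [ "$(ip2int "$start")" -le "$(ip2int "$end")" ] || echo "WARN range start $start is above its end $end"
    if [ -n "$fixed" ] && [ "$(ip2int "$fixed")" -ge "$(ip2int "$start")" ] \
                       && [ "$(ip2int "$fixed")" -le "$(ip2int "$end")" ]; then
        echo "INFO fixed-address $fixed lies inside the dynamic range $start-$end"
    fi
    dl=$(conf_get "$f" default-lease-time); ml=$(conf_get "$f" max-lease-time)
    [ "$dl" -le "$ml" ] || echo "WARN default-lease-time $dl exceeds max-lease-time $ml"
}

# Number of WARN lines for FILE.  Usage: count_warnings FILE
count_warnings() { check_dhcpd_conf "$1" | grep -c '^WARN' || true; }

LAB_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$LAB_CONF" <<'EOF'
# constructed copy of the lab's dhcpd.conf
subnet 192.0.2.0 netmask 255.255.255.0 {
  range 192.0.2.30 192.0.2.200;
  option routers 192.0.2.1;
  default-lease-time 600;
  max-lease-time 7200;
}
host OurLab {
  hardware ethernet 00:0c:29:5d:8f:74;
  fixed-address 192.0.2.100;
}
EOF
cat > "$BAD_CONF" <<'EOF'
# constructed inconsistent configuration
subnet 192.0.2.0 netmask 255.255.255.0 {
  range 192.0.2.30 192.0.3.200;
  option routers 10.0.0.1;
  default-lease-time 86400;
  max-lease-time 7200;
}
host printer {
  hardware ethernet 00:00:5e:00:53:01;
  fixed-address 192.0.2.250;
}
EOF
for cfg in "$LAB_CONF" "$BAD_CONF"; do echo "== $cfg"; check_dhcpd_conf "$cfg"; done
```

The lab's configuration yields no WARN line, only the INFO about the reservation inside the pool; the inconsistent one yields three (range end and router outside the subnet, default lease above the maximum). dhcpd -t catches syntax errors and a range outside its subnet, but not a router outside the subnet or a reservation overlapping the pool, which is what this pre-flight check adds.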