加密安全和时间同步自动化
作者:互联网
1、创建私有CA并进行证书申请。
(1):创建CA相关目录和文件
11:16:03 root@CentOS8 ~]\ [#mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[11:16:38 root@CentOS8 ~]\ [#touch /etc/pki/CA/index.txt
[11:16:56 root@CentOS8 ~]\ [#echo 01 > /etc/pki/CA/serial
(2):创建CA的私钥
[11:18:09 root@CentOS8 ~]\ [#cd /etc/pki/CA/
[11:19:04 root@CentOS8 CA]\ [#umask 066;openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................+++++
..............................................................................................+++++
e is 65537 (0x010001)
(3):给CA颁发自签名证书
[11:19:49 root@CentOS8 CA]\ [#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:
(4)用户生成私钥并申请证书
[11:22:41 root@CentOS8 CA]\ [#mkdir /data/app1
[11:27:42 root@CentOS8 CA]\ [#umask 066;openssl genrsa -out /data/app1/app1.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..........+++++
.............................+++++
e is 65537 (0x010001)
[11:29:01 root@CentOS8 CA]\ [#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:C++
Common Name (eg, your name or your server's hostname) []:app1.magedu.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Can't open /data/app1/app1/csr for writing, No such file or directory
140054067681088:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/data/app1/app1/csr','w')
140054067681088:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
(5):CA颁发证书
[11:35:06 root@CentOS8 CA]\ [#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 500
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 29 04:35:07 2021 GMT
Not After : Jan 11 04:35:07 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu
organizationalUnitName = C++
commonName = app1.magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9E:24:DC:97:90:47:2A:F0:B4:D4:9F:AD:85:D1:72:38:DD:01:6A:0E
X509v3 Authority Key Identifier:
keyid:B8:C3:B1:0F:CC:49:A4:9B:1A:D8:E1:67:1D:C3:E8:F0:82:5D:98:F1
Certificate is to be certified until Jan 11 04:35:07 2023 GMT (500 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[11:35:12 root@CentOS8 CA]\ [#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│ └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 9 files
2、总结ssh常用参数、用法
SSH:secure shell protocol,22/tcp,安全的远程登录,实现加密通信,代理传统的telnet协议
-p prot :远程服务器监听的断开
-b :指定连接的源IP
-v :调试模式
-C :压缩方式
-X :支持x11转发
-o option
-i <file>:指定私钥文件路径,实现基于key验证,默认使用文件:~/.ssh/id_dsa,~/.ssh/id_ecdsa,~/.ssh/id_ed25519,~/.ssh/id_rsa等
-t :强制伪tty分配
3、总结sshd服务常用参数。
(1):SSH本地端口转发--选项:
-f 后台启用 -N不打开远程shell;处于等待状态 -g 启用网卡功能
(2):SSH远程端口转发
(3):SSH动态端口转发
当用firefox访问internet时,本机的1080端口做为代理服务器,firefox的访问请求被转发到
sshserver上,由sshserver替之访问internet
(4):X协议转发
所有图形化应用程序都是X客户程序,能够通过tcp/ip连接远程X服务器,数据没有加密,但是它通过ssh连
接隧道安全进行
4、搭建dhcp服务,实现ip地址申请分发
(1):下载dhcp服务
[root@CentOS7 ~]# yum install dhcp -y
(2):更改配置文件:vim /etc/dhcp/dhcp.conf
[root@CentOS7 ~]# cat /etc/dhcp/dhcpd.conf
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.example
# see dhcpd.conf(5) man page
#
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0 {
range 10.0.0.100 10.0.0.200;
option routers 10.0.0.2;
}
host printer {
hardware ethernet 00:0c:29:31:d8:ae;
fixed-address 10.0.0.8;
}
(3):重启服务
[root@CentOS7 ~]# systemctl start dhcpd
[root@CentOS7 ~]# systemctl status dhcpd.service
● dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2021-08-29 17:44:12 WIB; 7s ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 60565 (dhcpd)
Status: "Dispatching packets..."
Tasks: 1
CGroup: /system.slice/dhcpd.service
└─60565 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
(4):修改网卡配置文件:vim /etc/sysconfig/network-scripts/ifcfg-ens33
[root@CentOS7 ~]# cat /etc/sysconfig/network-scripts/ifcfg-
ifcfg-ens33 ifcfg-lo
[root@CentOS7 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="dhcp"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="fe487840-a56a-4980-9d92-2122afe83b22"
DEVICE="ens33"
ONBOOT="yes"
GATEWAY=10.0.0.109
NETMASK=255.255.255.0
DNS1=8.8.8.8
DNS2=114.114.114.114
(5):重启网络服务
[root@CentOS7 ~]# systemctl restart network
(6):客户端查看
[17:49:47 root@CentOS8 ~]\ [#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:dc:b4:a9 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.8/24 brd 10.0.0.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fedc:b4a9/64 scope link
valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:55:8f:b2 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:55:8f:b2 brd ff:ff:ff:ff:ff:ff
标签:00,同步,加密,CA,app1,etc,ff,自动化,root 来源: https://www.cnblogs.com/zhaoyaxuan/p/15203477.html