I. Initialize the environment

1. Default accounts and default passwords

Username: root

Password: ChinaSkill22!

Username: skills

Password: ChinaSkill22!

Note: unless otherwise specified, the password for every account is ChinaSkill22!

2. Operating system configuration

Time zone: CST + 8

System locale: English US (UTF-8)

Keyboard: English US

Note: when a task asks you to configure TLS, add the root certificate or the self-signed certificate to the trusted store.

After a console login, whether over the network or locally, the welcome message below must be displayed:

********************************* ChinaSkills 2022–CSK Module C Linux >>hostname<< >>Linux Version<< >> TIME << *********************************
Centos

I. Check the current time zone and set it

[root@localhost ~]# timedatectl list-timezones|grep Asia/Shanghai

Asia/Shanghai

[root@localhost ~]# timedatectl set-timezone Asia/Shanghai

[root@localhost ~]# timedatectl |grep "Time zone"

Time zone: Asia/Shanghai (CST, +0800)
[root@localhost ~]#

II. Write the dynamic welcome script

[root@localhost ~]# vim /login.sh

#!/bin/bash
# Dynamic welcome banner: hostname, OS release and current time are read at each login
printf "**************************************\n"
printf "%-2s ChinaSkills 2022 - CSK\n"
printf "%-8s Module C Linux\n\n\n"
printf "%-11s>>"`hostname -s`"<<\n"
echo ">>"`cat /etc/centos-release`"<<"
echo ">>" `date` "<<"
printf "**************************************\n"

III. Run the script at login

[root@localhost ~]# vim /root/.bash_profile

Append as the last line:

bash /login.sh

IV. Turn off the "last login" message on the local console

Creating an empty ~/.hushlogin suppresses it:

[root@localhost ~]# touch ~/.hushlogin

V. Turn off the "last login" message for SSH logins

[root@localhost ~]# vim /etc/ssh/sshd_config

Change to:

PrintLastLog no

Restart the sshd service:

[root@localhost ~]# systemctl restart sshd

VI. Test

Local console:

SSH connection test:

Uos

Time zone change:

[root@localhost ~]# timedatectl set-timezone Asia/Shanghai
[root@localhost ~]# timedatectl |grep "Time zone"
Time zone: Asia/Shanghai (CST, +0800)

Welcome message configuration:

Method 1:

I. Write the dynamic welcome script
root@skills-PC:~# vim /login.sh

#!/bin/bash
# Dynamic welcome banner; the UOS minor version is read from /etc/os-version
printf "**************************************\n"
printf "%-2s ChinaSkills 2022 - CSK\n"
printf "%-8s Module C Linux\n\n\n"
printf "%-11s>>"`hostname -s`"<<\n"
printf "%-9s>>"Uos` cat /etc/os-version |grep "MinorVersion" `"<<\n"
echo ">>" `date` "<<"
printf "**************************************\n"

II. Run the script at login

root@skills-PC:~# vim /root/.profile

Append as the last line:
bash /login.sh

III. Remove the static motd shown after console and SSH logins

Delete the static motd:
root@skills-PC:~# rm /etc/motd

IV. Turn off the "last login" message on the console

Comment out line 91:
root@routersrv:~# vim /etc/pam.d/login
90 # (Replaces the `LASTLOG_ENAB' option from login.defs)
91 #session optional pam_lastlog.so

V. Turn off the "last login" message for SSH logins

[root@localhost ]# vim /etc/ssh/sshd_config
Change to no:
PrintLastLog no
Restart the ssh service:
root@skills-PC:# systemctl restart ssh

Method 2:

I. Edit the static motd file
root@skills-PC:~# vim /etc/motd

********************************* ChinaSkills 2022–CSK Module C Linux >>hostname<< >>Linux Version<< >> TIME << *********************************

II. Turn off the "last login" message for SSH logins

[root@localhost ]# vim /etc/ssh/sshd_config
Change to no:
PrintLastLog no
Restart the ssh service:
root@skills-PC:# systemctl restart ssh

I. Project task description

A company wants to provide its employees with convenient, secure and stable internal and external network services. As the company's network system administrator you are responsible for network system management; complete the installation and testing of the network services according to the network topology, basic configuration information and service requirements below.

1. Topology diagram

2. Basic configuration

The basic configuration of the servers and the client is given in the table below; each virtual machine has the operating system pre-installed.

Device   | Hostname | System | FQDN                                       | IP Address                                       | Service
Server01 | Server01 | CentOS | Server01.sdskills.com                      | 172.16.100.201                                   | RAID5, NFS, DNS, Webserver, SSH, DBM, SSDN
Server02 | Server02 | CentOS | Server02.sdskills.com                      | 172.16.100.202                                   | FTP, Mail, SSH
Server03 | Server03 | UOS    | Server03.skills.com                        | 192.168.10.3                                     | NTP, SSH
Server04 | Server04 | UOS    | Server04.skills.com                        | 192.168.10.X                                     | DNS, Webserver, SSH, LDAP
Rserver  | Rserver  | CentOS | Rserver.skills.com, Rserver.sdskills.com   | 172.16.100.254, 192.168.10.2, 10.10.100.254      | proxy, firewall, dhcp, SSH, CA
Client   | Client   | CentOS |                                            | 10.10.100.x                                      | none

Networks

Network  | CIDR
office   | 10.10.100.0/24
service  | 172.16.100.128/25
internet | 192.168.10.0/28

3. Task requirements

Task devices: Client, Rserver, server01, server02, server03, server04.

Note: where the task does not specify otherwise, use the default configuration.

CLIENT TASK

1. Client tasks, with the following requirements:

• As the client for DNS resolution tests, install the nslookup and dig command-line tools;

Centos

Set up a local yum repository first:

[root@Server ~]# mount /dev/cdrom /mnt
[root@Server ~]# cd /etc/yum.repos.d/
[root@Server yum.repos.d]# vi CentOS-Base.repo    # edit the repo file with the following content

[a]
name=a
baseurl=file:///mnt
enabled=1
gpgkey=file:///mnt/RPM-GPG-KEY-CentOS-7

[root@Server ~]#yum clean all     # clear the cache
[root@Server ~]#yum makecache     # rebuild the yum cache

nslookup and dig are not package names; both are shipped in bind-utils:

[root@Server ~]#yum install -y bind-utils

Uos

nslookup and dig are built in.

• As the client for website access tests, install the firefox browser and the curl command-line tool;

Centos

[root@Server ~]# yum install -y firefox curl

Uos

Tip: switch the apt sources to the Aliyun mirror first; only then can firefox and curl be installed.

• As the client for SSH remote login tests, install the ssh command-line tool;

Centos

[root@Server ~]# yum install openssh* -y

Uos

Built in by default.

• As the SAMBA test client, test with the graphical file browser and install the smbclient tool;

Centos

[root@Server ~]# yum install samba-client -y    # the package that contains smbclient

Uos

root@skills-PC:~# sudo aptitude install smbclient

• As the FTP test client, install the lftp command-line tool;

Centos

[root@Server ~]# yum install lftp -y

Uos

root@skills-PC:~# sudo aptitude install lftp

• As the client for firewall rule tests, install the ping command-line tool.

Centos

Built in by default.

Uos

Built in by default.

• When taking screenshots, use the tools listed above for the functional tests.

RSERVER TASK

1. NETWORK

• Configure the server's hostname, NIC IP addresses, domain name and so on according to the basic configuration information.

Centos

Method 1: configuration files

cd /etc/sysconfig/network-scripts

cp ifcfg-ens33 ifcfg-ens36    # copy the existing file for the new NIC

uuidgen                       # generate a new UUID and put it in the UUID= line of ifcfg-ens36; two interfaces must not share one

systemctl restart network

Method 2: command line

nmcli connection add con-name 33 type ethernet ifname ens33

nmcli connection modify <NIC> ipv4.addresses 172.16.100.201/24

nmcli connection modify <NIC> ipv4.method manual        # static addressing

nmcli connection modify <NIC> ipv4.gateway <gateway>    # set the gateway

nmcli connection up <NIC>                               # apply the changes

Method 3: text user interface

nmtui

Configure the hostname

[root@server01 ~]# hostnamectl set-hostname mv    # set the name
[root@server01 ~]# bash                           # start a new shell so the prompt shows it

[root@mv ~]#

Configure the domain name

[root@Server01 ~]# vi /etc/hosts    # edit hosts
172.16.100.201 Server01.sdskills.com

[root@localhost ~]# timedatectl list-timezones|grep Asia/Shanghai    # check that the time zone is available

Asia/Shanghai

[root@localhost ~]# timedatectl set-timezone Asia/Shanghai    # set the current time zone

[root@localhost ~]# timedatectl |grep "Time zone"    # show the time zone

Time zone: Asia/Shanghai (CST, +0800)
[root@localhost ~]#

uos

I. Edit the configuration file and restart

Method 1 (may misbehave with several NICs):

Open the network configuration file and add the IP address and gateway information:

root@skills-PC:~# vim /etc/network/interfaces

auto ens33
iface ens33 inet static
address 10.10.100.254/24
gateway 10.10.100.254

auto ens37
iface ens37 inet static
address 172.16.100.254/25
gateway 172.16.100.254

auto ens38
iface ens38 inet static
address 192.168.10.2/28
gateway 192.168.10.2

Save and restart the network:

root@skills-PC:~# systemctl restart network-manager.service

root@skills-PC:~# systemctl restart networking.service

Method 2:

The connection files live in /etc/NetworkManager/system-connections/

root@skills-PC:~# nmcli connection add con-name ens33 type ethernet ifname ens33

root@skills-PC:~# nmcli connection modify ens33 ipv4.addresses 10.10.100.254/24

root@skills-PC:~# nmcli connection modify ens33 ipv4.gateway 10.10.100.254

root@skills-PC:~# nmcli connection up ens33    # bring the connection up after the changes so they take effect

root@skills-PC:~# nmcli connection add con-name ens37 type ethernet ifname ens37

root@skills-PC:~# nmcli connection modify ens37 ipv4.addresses 172.16.100.254/25

root@skills-PC:~# nmcli connection modify ens37 ipv4.gateway 172.16.100.254

root@skills-PC:~# nmcli connection up ens37

root@skills-PC:~# nmcli connection add con-name ens38 type ethernet ifname ens38

root@skills-PC:~# nmcli connection modify ens38 ipv4.addresses 192.168.10.2/28

root@skills-PC:~# nmcli connection modify ens38 ipv4.gateway 192.168.10.254

root@skills-PC:~# nmcli connection up ens38

Check that the configuration took effect:

root@skills-PC:~# ip a

II. Configure the host's domain name

Fully qualified name:

root@skills-PC:~# hostnamectl set-hostname Rserver

root@skills-PC:~# bash

Edit hosts:

root@Rserver:~# vi /etc/hosts

10.10.100.254 Rserver.skills.cn Rserver

Test:

root@Rserver:~# hostname

Rserver

root@Rserver:~# hostname -f

Rserver.skills.cn

2. squid

• Install the squid service and enable IP forwarding so that it provides routing for the lab environment;

Centos

[root@localhost ~]# yum install squid -y

[root@localhost ~]# systemctl start squid

Enable IP forwarding to provide routing:

Temporarily (until reboot):

echo "1" > /proc/sys/net/ipv4/ip_forward

Permanently:

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

sysctl -p

net.ipv4.ip_forward = 1

In the desktop, open Firefox and go to the network settings

Switch to manual proxy configuration and enter the proxy IP and port

uos

I. Stop the firewall

root@Rserver:~# systemctl stop firewalld

II. Install and start the squid service

root@Rserver:~# aptitude install squid

III. Enable IP forwarding to provide routing

Temporarily (until reboot):

root@Rserver:~# echo "1" > /proc/sys/net/ipv4/ip_forward

Permanently:

root@Rserver:~# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

root@Rserver:~# sysctl -p

net.ipv4.ip_forward = 1

3. Iptables

• Block all traffic by default

• Add the necessary NAT rules and allow rules; under normal conditions the Internet network must not reach the office network, and every service required by the tasks must keep working.

Centos and Uos

Block all traffic by default:

iptables -A INPUT -s 0.0.0.0/0 -j REJECT

192.168.10.0/24 must not reach 192.168.1.0/24 (traffic that transits the router is matched in the FORWARD chain; INPUT only sees packets addressed to the router itself):

iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.1.0/24 -j REJECT

The commands below drop all packets from every network and only allow inbound traffic on port 22 from the 192.168.1.0/24 and 10.1.100.0/24 networks (the -I rules are inserted ahead of the DROP rule):

iptables -A INPUT -s 0.0.0.0/0 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -I INPUT -s 10.1.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT

Server1 192.168.10.134
Server2 192.168.10.132
Server2 10.1.100.129
Server3 10.1.100.128

10.1.100.0/24 must not reach 192.168.10.0/24 except for 192.168.10.132 (the exception has to sit before the reject rule):

iptables -I FORWARD -s 10.1.100.0/24 -d 192.168.10.132 -j ACCEPT
iptables -A FORWARD -s 10.1.100.0/24 -d 192.168.10.0/24 -j REJECT

10.1.100.0/24 must not reach 192.168.10.132:

iptables -A FORWARD -s 10.1.100.0/24 -d 192.168.10.132 -j REJECT

10.1.100.0/24 must not reach 192.168.10.0/24:

iptables -A FORWARD -s 10.1.100.0/24 -d 192.168.10.0/24 -j REJECT
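The rules above are fragments. As an added example (not from the original write-up), here is a complete default-deny ruleset for Rserver built from the task's three networks: all three policies start closed, return traffic is allowed by connection tracking, Rserver's own services are opened explicitly (SSH only from Client, DHCP and squid from the office LAN), office and service hosts may initiate connections outward through NAT, and nothing from the internet zone is ever forwarded into the office network. The interface names, the Client address, the squid port and the ICMP allowance are assumptions; DRY_RUN=1 prints the rules instead of applying them, which is how the self-check in has_rule reads them.

```shell
#!/bin/sh
# Added example: default-deny ruleset for the Rserver router. Networks and Rserver
# addresses come from the task table; NIC names and CLIENT_IP are assumptions.
OFFICE_IF=ens33;  OFFICE_NET=10.10.100.0/24        # assumed NIC facing the office LAN
SERVICE_IF=ens37; SERVICE_NET=172.16.100.128/25   # assumed NIC facing the service LAN
INET_IF=ens38;    INET_NET=192.168.10.0/28          # assumed NIC facing the internet zone
CLIENT_IP=10.10.100.1                               # assumed Client address (see the SSH task)
SSH_PORT=2022                                       # port from the SSH task
SQUID_PORT=3128                                     # squid default, assumed unchanged

# With DRY_RUN=1 the rules are printed instead of applied, so the ruleset can be
# reviewed (or diffed against the previous version) before it touches a live router.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

build_rules() {
  ipt -F; ipt -t nat -F
  # Closed by default; OUTPUT is left open because the router's own outbound traffic is trusted.
  ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
  # Loopback and replies to connections that Rserver or its clients opened.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Services Rserver itself provides: SSH from Client only, DHCP and squid from the office LAN.
  ipt -A INPUT -i $OFFICE_IF -s $CLIENT_IP -p tcp --dport $SSH_PORT -j ACCEPT
  ipt -A INPUT -i $OFFICE_IF -p udp --dport 67 -j ACCEPT
  ipt -A INPUT -i $OFFICE_IF -s $OFFICE_NET -p tcp --dport $SQUID_PORT -j ACCEPT
  ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  # New connections may be initiated office -> service, office -> internet, service -> internet.
  ipt -A FORWARD -i $OFFICE_IF -o $SERVICE_IF -s $OFFICE_NET -m conntrack --ctstate NEW -j ACCEPT
  ipt -A FORWARD -i $OFFICE_IF -o $INET_IF -s $OFFICE_NET -m conntrack --ctstate NEW -j ACCEPT
  ipt -A FORWARD -i $SERVICE_IF -o $INET_IF -s $SERVICE_NET -m conntrack --ctstate NEW -j ACCEPT
  # The internet zone may reach the published services but never the office network;
  # the explicit DROP documents the requirement even though the policy already covers it.
  ipt -A FORWARD -i $INET_IF -o $SERVICE_IF -d $SERVICE_NET -m conntrack --ctstate NEW -j ACCEPT
  ipt -A FORWARD -i $INET_IF -o $OFFICE_IF -j DROP
  # Hide office and service addresses behind Rserver's internet-facing address.
  ipt -t nat -A POSTROUTING -o $INET_IF -s $OFFICE_NET -j MASQUERADE
  ipt -t nat -A POSTROUTING -o $INET_IF -s $SERVICE_NET -j MASQUERADE
}

# Self-check helper: does the generated ruleset contain the given rule text?
has_rule() { DRY_RUN=1 build_rules | grep -F -- "$1" >/dev/null; }

case "${1:-}" in
  apply) build_rules ;;            # run as root on Rserver
  show)  DRY_RUN=1 build_rules ;;  # review only
esac
```

Run `sh fw.sh show` to review and `sh fw.sh apply` to load; the rules are not persisted across reboots unless saved with the distribution's iptables-save mechanism.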

4. DHCP

• Assign clients addresses from the range 10.10.100.1-10.10.100.50;

• DNS: set the DNS server option according to the actual requirements;

• GATEWAY: set the gateway option according to the actual requirements.

Centos

yum install dhcp -y

vim /etc/dhcp/dhcpd.conf    # configuration file

option domain-name "skills.com";
option domain-name-servers 172.16.100.201;
default-lease-time 600;
max-lease-time 7200;
subnet 10.10.100.0 netmask 255.255.255.0 {
    option routers 10.10.100.254;
    range 10.10.100.1 10.10.100.50;
}

systemctl restart dhcpd.service    # start the service

uos

I. Install dhcp

root@Rserver:~# apt-get install isc-dhcp-common=4.2.4-7ubuntu12.13

root@Rserver:~# apt-get install isc-dhcp-server

II. Edit and configure dhcp

root@Rserver:~# vim /etc/dhcp/dhcpd.conf

option domain-name "skills.com";
option domain-name-servers 10.10.100.254;
default-lease-time 600;
max-lease-time 7200;
subnet 10.10.100.0 netmask 255.255.255.0 {
    range 10.10.100.1 10.10.100.50;
    option routers 10.10.100.254;
}

Bind the listener to the NIC on the office network:

root@Rserver:~# vim /etc/default/isc-dhcp-server

INTERFACES="ens33"

III. Start the dhcp service

root@Rserver:~# systemctl restart isc-dhcp-server

IV. Client test

root@Rserver:~# vim /etc/sysconfig/network-scripts/ifcfg-ens33

BOOTPROTO=dhcp

ONBOOT=yes

Restart the network:

root@Rserver:~# systemctl restart network

5. SSH

Install SSH

Only the client host may connect over ssh; requests from every other host must be refused;

Configure key-based (passwordless) login for the client, only under the Chinaskill22 user, on port 2022, with root control privileges.

Centos

[root@Rserver ~]# yum install openssh -y

[root@Rserver ~]# vim /etc/ssh/sshd_config    # set the port

port 2022

[root@Rserver ~]# systemctl restart sshd

[root@Rserver ~]# vim /etc/hosts.allow    # access rules

Allow only the Client IP:

sshd:10.10.100.1:allow

Deny everyone else:

[root@Rserver ~]# vim /etc/hosts.deny

sshd:ALL

Create the user:

[root@client ~]# useradd Chinaskill22

[root@client ~]# su Chinaskill22

[Chinaskill22@client root]$ ssh-keygen    # generate the key pair

Copy the public key to the RServer host:

[Chinaskill22@client root]$ ssh-copy-id -p 2022 root@10.10.100.254    # copy the public key to RServer

Uos

I. Install ssh

root@Rserver:~# apt install openssh-server -y

II. Edit the ssh configuration file and set the port

root@Rserver:~# vim /etc/ssh/sshd_config

port 2022

III. Restart the ssh service

root@Rserver:~# systemctl restart sshd

IV. Access rules

root@Rserver:~# vim /etc/hosts.allow

Allow only the Client IP:

sshd:10.10.100.1:allow

Deny everyone else:

root@Rserver:~# vim /etc/hosts.deny

sshd:ALL

6. CA

• CA root certificate path: /CA/cacert.pem;

• Issue the digital certificate with the following issuer information:

Country = CN

Organization = Inc

Organizational unit = www.skills.com

Common name = Skill Global Root CA

• Create the group ldsgp and add zsuser, lsusr and wuusr to it.

Centos

I. Install OpenSSL

[root@Rserver ~]# yum install openssl -y

II. Create the root CA directory layout

[root@Rserver ~]# mkdir /CA

[root@Rserver ~]# cd /CA

[root@Rserver CA]# mkdir certs        # issued certificates

[root@Rserver CA]# mkdir newcerts     # new certificates generated by the ca command

[root@Rserver CA]# mkdir private      # private keys

[root@Rserver CA]# touch index.txt    # text database of issued certificates

[root@Rserver CA]# vim serial         # next serial number to use when signing

01

[root@Rserver CA]# openssl genrsa -out private/cakey.pem 4096    # generate a 4096-bit key
Generating RSA private key, 4096 bit long modulus
............................................++
..........................................++
e is 65537 (0x10001)
[root@Rserver CA]#

[root@Rserver CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem    # self-sign the root certificate with the issuer information
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (eg, your name or your server's hostname) []:Skill Global Root CA
Email Address []:
[root@Rserver CA]#

III. Test

Generate a key:

[root@Rserver CA]# openssl genrsa -out private/apache2.key
Generating RSA private key, 2048 bit long modulus
......+++.............................+++
e is 65537 (0x10001)

Generate a certificate request:

[root@Rserver CA]# openssl req -new -key private/apache2.key -out certs/apache2.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (eg, your name or your server's hostname) []:www.skills.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the request with the CA private key:

[root@Rserver CA]# openssl x509 -req -in /CA/certs/apache2.csr -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -out apache2.crt -days 365
Signature ok
subject=/C=CN/L=Default City/O=Inc/OU=www.skills.com/CN=www.skills.com
Getting CA Private Key
[root@Rserver CA]#

Uos

I. Install OpenSSL

root@skills-PC:~# apt install openssl -y

II. Create the root CA directory layout

Create the directories and files:

root@skills-PC:~# mkdir /CA

root@skills-PC:~# cd /CA

root@skills-PC:~# mkdir certs        # issued certificates

root@skills-PC:~# mkdir newcerts     # new certificates generated by the ca command

root@skills-PC:~# mkdir private      # private keys

root@skills-PC:~# touch index.txt    # text database of issued certificates

root@skills-PC:~# echo 01 > serial   # next serial number to use when signing

Generate the certificate:

root@skills-PC:~# openssl genrsa -out private/cakey.pem 4096    # generate a 4096-bit key

root@skills-PC:~# openssl req -new -x509 -key private/cakey.pem -out cacert.pem    # self-sign the root certificate with the issuer information
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (e.g. server FQDN or YOUR name) []:Skill Global Root CA
Email Address []:
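The server certificate signed above carries only a Common Name. Current browsers ignore the CN for host-name matching and require a subjectAltName extension, so a certificate issued this way still triggers the warning that the later Webserver task forbids. This added example (not from the original write-up) builds the task's root CA and issues a server certificate with a SAN from a small explicit OpenSSL config, then verifies the chain the way a client would. It works in a scratch directory instead of /CA so it can run anywhere; the SAN names, file names and helper names are assumptions, the DN fields are those from the task.

```shell
#!/bin/sh
# Added example: CA with basicConstraints, server certificate with subjectAltName,
# and the chain check a client performs. Scratch directory instead of /CA (assumption).
set -e
WORKDIR=${WORKDIR:-$(mktemp -d)}

# Minimal, self-contained OpenSSL config so the result does not depend on the
# distribution's default openssl.cnf. prompt=no plus -subj supplies the DN.
cat > "$WORKDIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {
  # Root key and self-signed root certificate with the issuer DN from the task.
  openssl genrsa -out "$WORKDIR/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -config "$WORKDIR/openssl.cnf" -extensions v3_ca -days 3650 \
    -key "$WORKDIR/cakey.pem" -out "$WORKDIR/cacert.pem" \
    -subj "/C=CN/O=Inc/OU=www.skills.com/CN=Skill Global Root CA"
}

issue_server_cert() {
  # $1 = primary host name (also the CN), remaining arguments = extra SAN DNS names.
  cn=$1; shift
  san="DNS:$cn"; for n in "$@"; do san="$san,DNS:$n"; done
  # End-entity extensions: CA:FALSE, serverAuth and the SAN browsers actually match on.
  cat > "$WORKDIR/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=$san
EOF
  openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
  openssl req -new -config "$WORKDIR/openssl.cnf" -key "$WORKDIR/server.key" \
    -out "$WORKDIR/server.csr" \
    -subj "/C=CN/ST=China/L=ShangDong/O=skills/OU=Operations Departments/CN=$cn"
  openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/cacert.pem" -CAkey "$WORKDIR/cakey.pem" -CAcreateserial \
    -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.crt" 2>/dev/null
}

# Checks a client (or a grader) performs: chain validity, SAN content, CA flag.
verify_chain() { openssl verify -CAfile "$WORKDIR/cacert.pem" "$WORKDIR/server.crt" >/dev/null; }
cert_has_san() { openssl x509 -in "$WORKDIR/server.crt" -noout -text | grep -q "DNS:$1"; }
cert_is_ca()   { openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"; }
```

Calling `make_ca` and then `issue_server_cert www.sdskills.com sdskills.com` leaves cacert.pem, server.key and server.crt in WORKDIR; after the root is added to the client's trust store, `verify_chain` passing and `cert_has_san` matching the visited name are exactly the two conditions under which a browser shows no warning.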

7. Web Proxy

• Install the Nginx components;

• The configuration file is named proxy.conf and placed in /etc/nginx/conf.d/;

• Configure a proxy front end for www.chinaskills.cn that reaches the back-end web server over HTTPS;

• The back-end server's logs must record the real client IP address.

• Cache the static pages of the back-end web server.

• Create the service monitoring script /shells/chkWeb.sh

• The script monitors the company website;

• The script can keep running in the background;

• It checks the website every 3 s and, on a failure, retries 3 times;

• If the website is confirmed unreachable, users receive the page "网站正在维护中,请您稍后再试" (the site is under maintenance, please try again later).

Centos

I. Disable SELinux and the firewall

[root@localhost ~]# setenforce 0

[root@localhost ~]# systemctl stop firewalld

II. Upload the packages and install Nginx

Upload them to /root with WinSCP:

[root@Rserver ~]# yum install centos-indexhtml-7-9.el7.centos.noarch.rpm gperftools-libs-2.6.1-1.el7.x86_64.rpm nginx-1.20.1-9.el7.x86_64.rpm nginx-filesystem-1.20.1-9.el7.noarch.rpm openssl11-libs-1.1.1k-2.el7.x86_64.rpm -y

III. Create the Nginx configuration for proxying and caching

Proxy configuration:

[root@Rserver /]# vim /etc/nginx/conf.d/proxy.conf

server {
    listen 80;
    server_name proxy.chinaskills.cn;
    location / {
        proxy_pass https://www.chinaskills.cn;
    }
    location ~ .*\.(gif|jpg|png|css|js|ico)$ {
        proxy_pass https://www.chinaskills.cn;
        proxy_cache proxy;
        proxy_set_header Host $host;
        proxy_cache_valid 200 301 302 5m;
    }
}

Cache configuration:

Add under http:

[root@Rserver /]# vim /etc/nginx/nginx.conf

http {
    proxy_cache_path /cache levels=1:2 keys_zone=proxy:20m max_size=20m;

Create the cache directory:

[root@Rserver /]# mkdir /cache

Record the real client IP address:

One extra directive, proxy_set_header X-Real-IP $remote_addr; it has to appear in every location that proxies, otherwise requests for non-static paths are still logged with the proxy's own address:

[root@Rserver /]# vim /etc/nginx/conf.d/proxy.conf

server {
    listen 80;
    server_name proxy.chinaskills.cn;
    location / {
        proxy_pass https://www.chinaskills.cn;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location ~ .*\.(gif|jpg|png|css|js|ico)$ {
        proxy_pass https://www.chinaskills.cn;
        proxy_cache proxy;
        proxy_set_header Host $host;
        proxy_cache_valid 200 301 302 5m;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Then adjust the log format on the back-end Apache:

Go to line 196 and replace %h with %{X-Real-IP}i

[root@Server02 ~]# vim /etc/httpd/conf/httpd.conf

LogFormat "%{X-Real-IP}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined    ## line 196

Create a test page:

[root@Server02 html]# vim /etc/httpd/conf.d/ssl.conf

DocumentRoot "/var/www/html"    # line 59

Restart httpd:

[root@Server02 html]# echo "测试" >> /var/www/html/index.html

[root@Server02 ~]# systemctl restart httpd

Restart the service:

Note: the domain name of the proxied web server must resolve (ping it first), otherwise nginx refuses to start.

[root@Rserver /]# systemctl restart nginx

Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.

[root@Rserver /]# ping www.chinaskills.cn

ping: www.chinaskills.cn Name or service not known

[root@Rserver /]# ping www.chinaskills.cn

PING www.chinaskills.cn (172.16.100.202) 56(84) bytes of data.
64 bytes from www.chinaskills.cn (172.16.100.202): icmp_seq=1 ttl=64 time=0.304 ms
^C
--- www.chinaskills.cn ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.304/0.304/0.304/0.000 ms

[root@Rserver /]# systemctl restart nginx

IV. Test

The cache directory is empty at first:

[root@Rserver /]# ls /cache/
[root@Rserver /]#

Now visit two pages, one with an image and one plain.

The cached content then appears in the directory:

[root@Rserver ~]# ls /cache/
6
[root@Rserver ~]#

V. Create the service monitoring script /shells/chkWeb.sh

[root@Rserver ~]# mkdir /shells

[root@Rserver ~]# vim /shells/chkWeb.sh

#!/bin/bash
url=https://www.chinaskills.cn

# HTTP status of one HEAD request; curl prints 000 when the site is unreachable.
# -k skips certificate validation; drop it once the Rserver CA is in the trust store.
check() { curl -s -k -o /dev/null -w '%{http_code}' --max-time 5 -I "$url"; }

while true; do
    /bin/sleep 3
    if [[ $(check) -eq 200 ]]; then
        echo "$url 正常打开 3s"
    else
        # Probe again up to 3 times before declaring the site down
        ok=0
        for i in 1 2 3; do
            if [[ $(check) -eq 200 ]]; then
                echo "$url 正常打开"
                ok=1
                break
            else
                echo "$url 异常 $i"
            fi
        done
        [[ $ok -eq 1 ]] || echo "网站正在维护中..."
    fi
done

Run it:

[root@Rserver ~]# bash /shells/chkWeb.sh

https://www.chinaskills.cn 正常打开 3s

https://www.chinaskills.cn 正常打开 3s

https://www.chinaskills.cn 正常打开 3s

Stop the back-end website and test again:

[root@Server02 ~]# systemctl stop httpd

[root@Rserver ~]# bash /shells/chkWeb.sh

https://www.chinaskills.cn 异常 1

https://www.chinaskills.cn 异常 2

https://www.chinaskills.cn 异常 3

网站正在维护中...
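The script above only reports on the terminal; the task also asks that users be shown a maintenance page once the back end is confirmed down. This is an added nginx fragment, not from the original write-up, showing how the proxy front end itself can serve that page whenever the upstream fails, so the user-facing behaviour does not depend on the monitoring script at all. The page location, the timeout values and the SNI setting are assumptions; the server names are the task's.

```nginx
# Added example: serve a local maintenance page when the back end is unreachable.
# Replaces the "location /" block in /etc/nginx/conf.d/proxy.conf.
server {
    listen 80;
    server_name proxy.chinaskills.cn;

    # The page lives on the proxy, so it is available precisely when the back end is not.
    location = /maintenance.html {
        root /usr/share/nginx/html;      # assumed path; put the Chinese maintenance text here
        internal;                        # only reachable through error_page, never directly
    }

    location / {
        proxy_pass https://www.chinaskills.cn;
        proxy_set_header Host www.chinaskills.cn;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_ssl_server_name on;        # send SNI so the back end picks the right certificate
        proxy_connect_timeout 3s;        # fail fast instead of hanging the client
        proxy_read_timeout 5s;
        # Swap the bare 502/503/504 for the maintenance page and answer 503 (retry later).
        proxy_intercept_errors on;
        error_page 502 503 504 =503 /maintenance.html;
    }
}
```

Answering 503 rather than 200 matters: it keeps the maintenance page out of the cache configured above and tells monitoring tools and search engines that the outage is temporary.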

SERVER01 TASK

1. NETWORK

• Configure the server's hostname, NIC IP addresses, DNS server, gateway and so on according to the basic configuration information.

Centos

Method 1: configuration files

cd /etc/sysconfig/network-scripts

cp ifcfg-ens33 ifcfg-ens36    # copy the existing file for the new NIC

uuidgen                       # generate a new UUID and put it in the UUID= line of ifcfg-ens36; two interfaces must not share one

systemctl restart network

Method 2: command line

nmcli connection add con-name 33 type ethernet ifname ens33

nmcli connection modify <NIC> ipv4.addresses 172.16.100.201/24

nmcli connection modify <NIC> ipv4.method manual        # static addressing

nmcli connection modify <NIC> ipv4.gateway <gateway>    # set the gateway

nmcli connection up <NIC>                               # apply the changes

Method 3: text user interface

nmtui

Configure the hostname

[root@server01 ~]# hostnamectl set-hostname mv    # set the name
[root@server01 ~]# bash                           # start a new shell so the prompt shows it

[root@mv ~]#

Configure the domain name

[root@Server01 ~]# vi /etc/hosts    # edit hosts

172.16.100.201 Server01.sdskills.com

Uos

I. Edit the configuration file and restart

Method 1 (may misbehave with several NICs):

Open the network configuration file and add the IP address and gateway information:

root@skills-PC:~# vim /etc/network/interfaces

auto ens33
iface ens33 inet static
address 172.16.100.201/25
gateway 172.16.100.254

Save and restart the network:

root@skills-PC:~# systemctl restart network-manager.service

root@skills-PC:~# systemctl restart networking.service

Method 2:

The connection files live in /etc/NetworkManager/system-connections/

root@skills-PC:~# nmcli connection add con-name ens33 type ethernet ifname ens33

root@skills-PC:~# nmcli connection modify ens33 ipv4.addresses 172.16.100.201/25

root@skills-PC:~# nmcli connection modify ens33 ipv4.gateway 172.16.100.254

root@skills-PC:~# nmcli connection up ens33    # bring the connection up after the changes so they take effect

Check that the configuration took effect:

root@skills-PC:~# ip a

II. Configure the host's domain name

Fully qualified name:

root@skills-PC:~# hostnamectl set-hostname Server01

root@skills-PC:~# bash

Edit hosts:

root@Server01:~# vi /etc/hosts

172.16.100.201 Server01.skills.cn Server01

Test:

root@Server01:~# hostname

Server01

root@Server01:~# hostname -f

Server01.skills.cn

2. DISK (RAID5)

• Add four 1 GB disks to the virtual machine;

• Create a RAID 5 array, with one disk as a hot spare; the device name is md0;

• Put md0 under LVM, with the device /dev/vg01/lv01;

• Format it as ext4;

• Mount it on /data automatically at boot.

Centos

yum install mdadm -y

[root@Server01 ~]# mdadm -C -n 3 -l 5 -a yes -x 1 /dev/md0 /dev/sd{b,c,d,e}    # 3 active disks, RAID level 5, 1 spare

mdadm: Defaulting to version 1.2 metadata

mdadm: array /dev/md0 started.

Create the volume group:

[root@Server01 ~]# vgcreate vg01 /dev/md0

Physical volume "/dev/md0" successfully created.

Volume group "vg01" successfully created

[root@Server01 ~]#

Create the logical volume:

[root@Server01 ~]# lvcreate -l 100%FREE -n lv01 vg01

Logical volume "lv01" created.

[root@Server01 ~]#

Format the logical volume:

[root@Server01 ~]# mkfs.ext4 /dev/vg01/lv01

mke2fs 1.42.9 (28-Dec-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=128 blocks, Stripe width=256 blocks
130560 inodes, 522240 blocks
26112 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=534773760
16 block groups
32768 blocks per group, 32768 fragments per group
8160 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912

Allocating group tables: done
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

[root@Server01 ~]#

Mount:

[root@Server01 ~]# mkdir /data

Add it to fstab:

[root@Server01 ~]# echo /dev/vg01/lv01 /data/ ext4 defaults 0 0 >> /etc/fstab

Mount everything listed in /etc/fstab:

[root@Server01 ~]# mount -a

Check that it is mounted:

[root@Server01 ~]# df -Th

/dev/mapper/vg01-lv01   ext4      2.0G  6.0M  1.9G   1% /data

Uos

I. Install mdadm and lvm

root@Server01:~# apt-get install mdadm lvm2 -y

II. Add the disks

The new disks may not show up right after they are added; reboot the virtual machine in that case:

root@Server01:~# reboot

List the disks:

root@Server01:~# ls /dev/sd*

III. Create the RAID 5 array

root@Server01:~# mdadm -C -n 3 -l 5 -a yes -x 1 /dev/md0 /dev/sd{b,c,d,e}

mdadm: Defaulting to version 1.2 metadata

mdadm: array /dev/md0 started.

IV. Create the LVM volumes

Create the volume group:

root@Server01:~# vgcreate vg01 /dev/md0

Physical volume "/dev/md0" successfully created.

Volume group "vg01" successfully created

Create the logical volume:

root@Server01:~# lvcreate -l 100%FREE -n lv01 vg01

Logical volume "lv01" created.

Format the logical volume:

root@Server01:~# mkfs.ext4 /dev/vg01/lv01

Allocating group tables: done

Writing inode tables: done

Creating journal (8192 blocks): done

V. Mount automatically at boot

root@Server01:~# mkdir /data

root@Server01:~# mount /dev/vg01/lv01 /data/

Add it to fstab:

root@Server01:~# echo /dev/vg01/lv01 /data/ ext4 defaults 0 0 >> /etc/fstab

Mount everything listed in /etc/fstab:

root@Server01:~# mount -a

Check that it is mounted:

root@Server01:~# df -Th

/dev/mapper/vg01-lv01 ext4 2.0G 6.0M 1.9G 1% /data

3. NFS

• Share the /data/share directory;

• It stores the web data of the server01 host;

• Only the service01 host may access the share.

Centos

[root@Server01 ~]# yum install nfs-utils -y

Create the directory:

[root@Server01 ~]# mkdir /data/share -p

Set permissions:

[root@Server01 ~]# chmod 755 /data/share/

Edit the exports file:

[root@Server01 ~]# vim /etc/exports

/data/share  192.168.10.4(rw,sync,no_root_squash,no_all_squash)

#192.168.10.4 is the IP address of the Server01 host

The services must be started in this order:

[root@Server01 ~]# systemctl start rpcbind

[root@Server01 ~]# systemctl start nfs

Check the export list:

[root@Server01 ~]# showmount -e localhost

Export list for localhost:

/data/share 192.168.10.4

Mount on the client:

[root@Server01 ~]# mkdir /guazai

[root@Server01 ~]# mount -t nfs 192.168.10.4:/data/share /guazai/

[root@Server01 ~]# df -Th

192.168.10.4:/data/share nfs4      2.0G  6.0M  1.9G   1% /guazai

Uos

I. Install nfs

root@Server01:~# apt install nfs-kernel-server    # install the server

II. Configure the shared directory

root@Server01:~# mkdir /data/share -p

root@Server01:~# chmod 755 /data/share/

root@Server01:~# vim /etc/exports    # define the shared directory

/data/share 172.16.100.201(rw,sync,no_root_squash,no_all_squash)

III. Start the services and test

root@Server01:~# systemctl start rpcbind

root@Server01:~# systemctl start nfs

root@Server01:~# showmount -e localhost    # check the export list

Mount on the client:

root@Server01:~# mkdir /guazai

root@Server01:~# mount -t nfs 192.168.10.4:/data/share /guazai/

root@Server01:~# df -Th

192.168.10.4:/data/share nfs4 2.0G 6.0M 1.9G 1% /guazai

4. DNS

· Install the DNS service packages;

· Create the sdskills.com zone and provide forward and reverse resolution for every host and server outside the Internet zone;

· When a name cannot be resolved, forward the query to the skills.com domain for higher-level resolution.

Centos

[root@Server01 ~]# yum install bind -y

[root@Server01 ~]# vim  /etc/named.conf

Change lines 13 and 21 to any:

listen-on port 53 { any; };

allow-query     { any; };

Set up forwarding:

forwarders {  192.168.10.4;};

Comment out these three lines:

# recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;

Add the forward and reverse zones at the end (both are authoritative here, so both are type master):

zone "sdskills.com" IN {
    type master;
    file "sdskills.com.zone";
};
zone "100.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.100.zone";
};

Save, exit and change to the zone directory:

[root@Server04 ~]# cd /var/named/

Copy the template:

[root@Server04 named]# cp named.loopback sdskills.com.zone

[root@Server04 named]# cp named.loopback 172.16.100.zone

Edit the files:

Forward zone:

[root@Server04 named]# vim sdskills.com.zone

$TTL 1D
@       IN SOA  @ rname.invalid. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
@       IN NS   www.sdskills.com.
@       IN MX   10 mail
www     IN A    172.16.100.201
ftp     IN A    172.16.100.202
mail    IN A    172.16.100.202

Reverse zone:

[root@Server04 named]# vim 172.16.100.zone

$TTL 1D
@       IN SOA  @ rname.invalid. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
@       NS      www.sdskills.com.
201     IN PTR  www.sdskills.com.
202     IN PTR  ftp.sdskills.com.
202     IN PTR  mail.sdskills.com.

Set permissions on the files:

[root@Server04 named]# chmod 777 sdskills.com.zone 172.16.100.zone    # named only needs to read them; 640 with group named is enough

Restart the service:

[root@Server04 named]# systemctl restart named

Client

Set the DNS server address:

[root@Client ~]# vim /etc/resolv.conf

DNS server:

nameserver 172.16.100.201

Install the DNS tools:

[root@Client ~]# yum install bind-utils -y

Resolve a name:

[root@Client ~]# nslookup www.sdskills.com

Uos

I. Install the DNS service

root@Server01:~# apt install -y bind9

II. Edit the configuration and define the forward and reverse zones

root@Server01:~# vim /etc/named.conf

Change lines 13 and 21 to any:

listen-on port 53 { any; };

allow-query { any; };

Set up forwarding:

forwarders { 192.168.10.4;};

Comment out these three lines:

# recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;

Add the forward and reverse zones at the end:

zone "sdskills.com" IN {
    type master;
    file "sdskills.com.zone";
};
zone "100.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.100.zone";
};

Save, exit and change to the zone directory:

root@Server01:~# cd /var/named/

Copy the template:

root@Server01:/var/named# cp named.loopback sdskills.com.zone

root@Server01:/var/named# cp named.loopback 172.16.100.zone

Edit the files:

Forward zone:

root@Server01:/var/named# vim sdskills.com.zone

$TTL 1D
@       IN SOA  @ rname.invalid. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
@       IN NS   www.sdskills.com.
@       IN MX   10 mail
www     IN A    172.16.100.201
ftp     IN A    172.16.100.202
mail    IN A    172.16.100.202
smtp    IN A    172.16.100.202
imap    IN A    172.16.100.202

Reverse zone:

root@Server01:/var/named# vim 172.16.100.zone

$TTL 1D
@       IN SOA  @ rname.invalid. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
@       NS      www.sdskills.com.
201     IN PTR  www.sdskills.com.
202     IN PTR  ftp.sdskills.com.
202     IN PTR  mail.sdskills.com.
202     IN PTR  smtp.sdskills.com.
202     IN PTR  imap.sdskills.com.

Set permissions on the files:

root@Server01:/var/named# chmod 777 sdskills.com.zone 172.16.100.zone    # named only needs to read them; 640 with group named is enough

Restart the service:

root@Server01:/var/named# systemctl restart named
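The task requires forward and reverse records for every host, and the two zone files above are maintained by hand, so they drift apart easily. This added example (not from the original write-up) is a small consistency check: it extracts the A records from the forward zone and the PTR records from the reverse zone and reports every name that lacks its counterpart. The zone text is the task's own data, embedded here as a constructed sample; the helper names, the origin and the /24 prefix arguments are this example's assumptions.

```shell
#!/bin/sh
# Added example: forward/reverse zone consistency check over zone text.
# Sample input constructed from the task's zone files.
FORWARD_ZONE='$TTL 1D
@       IN SOA  @ rname.invalid. ( 0 1D 1H 1W 3H )
@       IN NS   www.sdskills.com.
@       IN MX   10 mail
www     IN A    172.16.100.201
ftp     IN A    172.16.100.202
mail    IN A    172.16.100.202'

REVERSE_ZONE='$TTL 1D
@       IN SOA  @ rname.invalid. ( 0 1D 1H 1W 3H )
@       NS      www.sdskills.com.
201     IN PTR  www.sdskills.com.
202     IN PTR  ftp.sdskills.com.
202     IN PTR  mail.sdskills.com.'

# forward_pairs ZONE ORIGIN -> one "fqdn ip" line per A record (relative names get the origin appended)
forward_pairs() {
  printf '%s\n' "$1" | awk -v origin="$2" '
    $2 == "IN" && $3 == "A" { name = $1; if (name !~ /\.$/) name = name "." origin "."; print name, $4 }'
}

# reverse_pairs ZONE PREFIX -> one "fqdn ip" line per PTR record; PREFIX is the /24, e.g. 172.16.100
reverse_pairs() {
  printf '%s\n' "$1" | awk -v prefix="$2" '
    $2 == "IN" && $3 == "PTR" { print $4, prefix "." $1 }'
}

# check_zones FORWARD REVERSE ORIGIN PREFIX: returns 0 when every A has a PTR and every
# PTR points back at a name with that address; otherwise prints each mismatch and returns 1.
check_zones() {
  fwd=$(forward_pairs "$1" "$3" | sort)
  rev=$(reverse_pairs "$2" "$4" | sort)
  missing_ptr=$(printf '%s\n' "$fwd" | while read -r name ip; do
      printf '%s\n' "$rev" | grep -qxF "$name $ip" || echo "no PTR for $name ($ip)"; done)
  missing_a=$(printf '%s\n' "$rev" | while read -r name ip; do
      printf '%s\n' "$fwd" | grep -qxF "$name $ip" || echo "PTR $ip -> $name has no matching A"; done)
  [ -z "$missing_ptr$missing_a" ] && return 0
  printf '%s\n' "$missing_ptr" "$missing_a" | sed '/^$/d'
  return 1
}
```

Run `check_zones "$FORWARD_ZONE" "$REVERSE_ZONE" sdskills.com 172.16.100` after every zone edit (or feed it the files with `"$(cat sdskills.com.zone)"`); a non-zero exit with the offending names is what you want to see before restarting named, not after a grader's dig -x fails.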

5. Webserver

• Install the web service packages;

• Server01 provides www.sdskills.com

• the portal website of the skills company;

• Use the apache service;

• The web files live in /data/share/htdocs/skills;

• The service runs as the user webuser;

• The home page content is "This is the front page of sdskills's website.";

• /htdocs/skills/staff.html contains "Staff Information";

• That page requires employee account authentication;

• Employee accounts are stored in LDAP; the accounts are zsuser, lsus

• The site uses the https protocol;

• SSL uses a certificate issued by RServer, issued to:

C = CN

ST = China

L = ShangDong

O = skills

OU = Operations Departments

CN = *.skills.com

• Server01's CA certificate path: /CA/cacert.pem

• Issue the digital certificate with the issuer:

C = CN;

O = Inc

OU = www.skills.com

CN = skill Global Root CA

• Clients visiting over https must see no browser (or terminal) security warning;

• Requests over http are redirected automatically to the https connection;

• Requests for sdskills.com or any.sdskills.com (any stands for an arbitrary prefix) are redirected automatically to www.sdskills.com

Uos

I. Install httpd and the ssl module

root@Server01:~# apt install apache2 -y

II. Add the user and switch the service to it

root@Server01:~# useradd -r webuser

root@Server01:~# vim /etc/httpd/conf/httpd.conf

User webuser

Group webuser

III. Create the certificate and request

This is only one of the possible methods; the request can also be sent to the CA root (Rserver) for signing.

Create the root certificate:

root@Server01:~# vim /etc/pki/tls/openssl.cnf

dir = /CA

root@Server01:~# mkdir /CA

root@Server01:~# cp -rf /etc/pki/tls/* /CA

root@Server01:~# cd /CA/

root@Server01:~# touch index.txt

root@Server01:~# echo 01 >serial

root@Server01:~# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
.+++
.................................................................................................................+++
e is 65537 (0x10001)

root@Server04:/CA# openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (e.g. server FQDN or YOUR name) []:skill Global Root CA
Email Address []:

Create the web server key and certificate request:

[root@Server01 CA]# openssl genrsa -out httpd.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................+++
................................................................+++
e is 65537 (0x10001)

[root@Server01 CA]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:ShangDong
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:*.sdskills.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the certificate:

root@Server01:/CA/# openssl x509 -req -in httpd.csr -CA /CA/cacert.pem -CAkey /CA/private/cakey.pem -CAcreateserial -out httpd.crt

Signature ok

IV. Create the apache directory and content

root@Server01:/CA/# mkdir /data/share/htdocs/skills -p

root@Server01:/CA/# echo "This is the front page of sdskills's website." >> /data/share/htdocs/skills/index.html

root@Server01:/CA/# echo "Staff Information" >> /data/share/htdocs/skills/staff.html

V. Edit the configuration file and set up the redirects

root@Server01:/CA/# vim /etc/httpd/conf/httpd.conf

Insert after the last line:

IncludeOptional conf.d/*.conf

# Plain http: everything is redirected to the https site
<VirtualHost *:80>
    Redirect permanent / https://www.sdskills.com/
</VirtualHost>

# Default https host: sdskills.com and any.sdskills.com land here and are redirected
<VirtualHost *:443>
    Redirect permanent / https://www.sdskills.com/
    SSLEngine ON
    SSLCertificateFile /CA/httpd.crt
    SSLCertificateKeyFile /CA/httpd.key
</VirtualHost>

<VirtualHost *:443>
    ServerName www.sdskills.com
    DocumentRoot /data/share/htdocs/skills
    SSLEngine ON
    SSLCertificateFile /CA/httpd.crt
    SSLCertificateKeyFile /CA/httpd.key
    <Directory /data/share/htdocs/skills>
        Require all granted
        # staff.html is a file, so it is matched with <Files>, not <Directory>
        <Files "staff.html">
            AuthType Basic
            AuthName "login"
            AuthUserFile "/var/passwd"
            Require valid-user
        </Files>
    </Directory>
</VirtualHost>

Point the default ssl host at the CA-signed certificate:

root@Server01:~# vim /etc/httpd/conf.d/ssl.conf

<VirtualHost *:443>
    SSLCertificateFile /CA/httpd.crt
    SSLCertificateKeyFile /CA/httpd.key

Create the authentication user:

root@Server01:/CA/# htpasswd -c /var/passwd zsuser

New password:

Re-type new password:

Adding password for user zsuser

6. SSH

• Install SSH

• Only the client host may connect over SSH; requests from every other host must be refused;

• Configure key-based (passwordless) login for the client only from its Chinaskill22 user, on port 3033, with root privileges;

Uos

I. Install the SSH service

root@Server01:~# apt install openssh-server

II. Set the port in the sshd configuration file

root@Server01:~# vim /etc/ssh/sshd_config

Port 3033

The task specifies 3033 (the original notes typed 2233 here). Leave PermitRootLogin at its default of prohibit-password: root can then log in with a key but never with a password, which is exactly the access the task describes.

III. Restart the SSH service

root@Server01:~# systemctl restart ssh

IV. Set the access rules

root@Server01:~# vim /etc/hosts.allow

Allow only the Client IP to log in

sshd:10.10.100.1:allow

Deny everyone else

root@Server01:~# vim /etc/hosts.deny

sshd:ALL

hosts.allow and hosts.deny only take effect if sshd was built with tcp_wrappers (check with ldd "$(command -v sshd)" | grep libwrap; upstream OpenSSH removed that support in 6.7 and only some distribution builds add it back). If the check prints nothing, put the restriction in sshd_config instead (AllowUsers root@10.10.100.1) or filter the port in the firewall.

V. Create the user and set up key-based login

Client:

Create the user

[root@client ~]# useradd Chinaskill22

Switch to the Chinaskill22 user

[root@client ~]# su - Chinaskill22

Generate a key pair

[Chinaskill22@client ~]$ ssh-keygen

Copy the public key to the server (use Server01's address)

[Chinaskill22@client ~]$ ssh-copy-id -p 3033 root@<server ip>

7. DBMS

• Install the MariaDB database on Server01 and set the database root user's password to Chinaskill22!

• Install the MariaDB database server components;

• MariaDB administrator credentials: User: root / Password: Chinaskill20!;

• Install the MariaDB web management panel "phpMyAdmin" and publish it through Apache

• Install phpMyAdmin, the web management panel for MariaDB;

• Install Apache and configure the PHP environment used to publish phpMyAdmin;

Uos

root@Server01:~# apt -y install php mariadb-server php-mysql php-mbstring   // install the stack (the .x86_64 suffixes in the original notes are yum syntax and are not valid for apt)

root@Server01:~# apt -y install lrzsz   // install the upload tool

// upload the phpMyAdmin archive

root@Server01:~# mv /etc/phpMyAdmin-4.4.15.10-all-languages.tar.gz /data/share/htdocs/skills/   // move it into the site directory

root@Server01:~# cd /data/share/htdocs/skills/   // enter the site directory

root@Server01:/data/share/htdocs/skills# tar -zxvf phpMyAdmin-4.4.15.10-all-languages.tar.gz   // unpack

root@Server01:/data/share/htdocs/skills# mv phpMyAdmin-4.4.15.10-all-languages phpmyadmin   // rename the directory

root@Server01:~# systemctl restart mariadb.service   // start the database

root@Server01:~# mysql_secure_installation   // initialise the database

// Enter the current root password; press Enter if there is none. This root is MariaDB's, not the Linux root user.

// Set a root password? Yes

// Remove anonymous users? Yes

// Disallow root login remotely? Yes: phpMyAdmin runs on this host and connects through localhost, so root never needs network access

// Remove the test database? Yes; it is accessible to every account by default and nothing here uses it

// Reload privilege tables? Yes, because the password was just changed (reload the grant tables whenever account data changes)

root@Server01:~# systemctl restart mariadb.service   // restart the database

root@Server01:~# systemctl restart httpd.service   // restart Apache

// Visiting https://www.sdskills.com/phpmyadmin/ shows a warning that the session directory is not writable

root@Server01:~# vim /var/log/httpd/error_log   // check the Apache error log; nothing useful there

root@Server01:~# chown -R apache:apache /var/lib/php/session/   // hand the session directory to the user Apache runs as (apache here, www-data on Debian-based systems). chmod -R 777, as in the original notes, also makes the warning go away, but then every local account can read and hijack PHP sessions

// Log in with the database account and password

phpMyAdmin 4.4.x is end-of-life; outside this lab use a current release and do not publish the panel on the public vhost without additional access control.

8. SDN service

• Install the OpenDaylight, Mininet and OVS software platforms.

• Start OpenDaylight's karaf program and install these features: odl-restconf, odl-l2switch-switch-ui, odl-mdsal-apidocs, odl-dluxapps-applications.

• Build the topology below with Mininet and Open vSwitch, connecting to ODL on port 6653:

• The ODL management page must be reachable in a browser to view the network element topology.

• Push flow entries manually via OVS so that H1 can ping H3 while neither H1 nor H3 can ping H2.

• H1 runs an HTTP server on port 8080; H3 acts as HTTP client and fetches H1's HTML page.

Uos

I. Upload and install the required packages

Upload them with WinSCP

Install the JDK and the tools SDN needs

root@Server01:~# apt install -y unzip telnet java-1.8.0-openjdk net-tools

(java-1.8.0-openjdk is the CentOS package name; on a Debian-based Uos the equivalent is openjdk-8-jdk. ODL Carbon needs Java 8.)

Install the uploaded OpenDaylight, Mininet, OVS and Python packages

root@Server01:~# ls

anaconda-ks.cfg distribution-karaf-0.6.0-Carbon.zip mininet-2.2.2-2.el7.x86_64.rpm openvswitch-2.5.0-2.el7.x86_64.rpm python-networkx-1.8.1-12.el7.noarch.rpm python-networkx-core-1.8.1-12.el7.noarch.rpm

The files listed are CentOS 7 RPMs (and anaconda-ks.cfg is a CentOS installer artefact), so this step was evidently run on a CentOS host; apt cannot install .rpm files. On CentOS:

[root@Server01 ~]# yum localinstall -y mininet-2.2.2-2.el7.x86_64.rpm openvswitch-2.5.0-2.el7.x86_64.rpm python-networkx-1.8.1-12.el7.noarch.rpm python-networkx-core-1.8.1-12.el7.noarch.rpm

On a Debian-based Uos use the distribution packages instead (apt install mininet openvswitch-switch python3-networkx).

Start OVS

root@Server01:~# systemctl start openvswitch

II. Unpack OpenDaylight and start Karaf

root@Server01:~# unzip distribution-karaf-0.6.0-Carbon.zip

root@Server01:~# cd distribution-karaf-0.6.0-Carbon/bin/

root@Server01:~/distribution-karaf-0.6.0-Carbon/bin# ./start

root@Server01:~/distribution-karaf-0.6.0-Carbon/bin# ./client   ## wait a moment before running this; Karaf takes a while to come up

III. Install the features

opendaylight-user@root>feature:install odl-restconf odl-l2switch-switch-ui odl-mdsal-apidocs odl-dluxapps-applications

Once installed, open the web UI to check

http://ip:8181/index.html#login

Username and password are both admin. These are the well-known defaults; change them, and keep port 8181 inside the lab network, on anything that is not a throwaway test machine.

IV. Create the topology

opendaylight-user@root>logout

root@Server01:~/distribution-karaf-0.6.0-Carbon/bin# mn --controller=remote,ip=127.0.0.1,port=6653 --topo=tree,1,3

mininet> pingall

*** Ping: testing ping reachability

h1 -> h2 h3

h2 -> h1 h3

h3 -> h1 h2

*** Results: 0% dropped (6/6 received)

mininet>

Open the web page to view the topology (note: run pingall first, otherwise ODL has not learned the hosts and they do not appear)

V. Push the flow entries

--topo=tree,1,3 gives a single switch s1 with h1, h2 and h3 on ports 1, 2 and 3. Two rules are needed, one per direction, because the ICMP echo reply has to find its way back. Port 2 (h2) gets no forwarding rule, and pingall confirms it is isolated.

mininet> dpctl add-flow in_port=1,actions=output:3

*** s1 ------------------------------------------------------------------------

mininet> dpctl add-flow in_port=3,actions=output:1

*** s1 ------------------------------------------------------------------------

mininet> pingall

*** Ping: testing ping reachability

h1 -> X h3

h2 -> X X

h3 -> h1 X

*** Results: 66% dropped (2/6 received)

mininet>
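The following script is an added example and not part of the original notes or of Mininet/OVS: it models how s1 evaluates the two rules pushed above, so the pingall matrix (and the 66% figure) can be predicted before touching the switch. It only understands in_port matches and output actions; priorities, wildcards and table-miss behaviour are deliberately out of scope. The host-to-port map follows --topo=tree,1,3 and the flow table is the constructed text of the two dpctl commands.

```shell
#!/usr/bin/env bash
# Added example: predict the Mininet pingall result for a simple OpenFlow table.
# Assumption: --topo=tree,1,3, i.e. h1..h3 hang off s1 ports 1..3.

# host_port HOST -> the s1 port the host is attached to
host_port() {
  case "$1" in h1) echo 1 ;; h2) echo 2 ;; h3) echo 3 ;; *) return 1 ;; esac
}

# flow_output FLOWS IN_PORT -> output port for a frame entering IN_PORT,
# empty if no rule matches (the first matching rule wins here)
flow_output() {
  printf '%s\n' "$1" | sed -n "s/^in_port=$2,actions=output:\([0-9]*\)$/\1/p" | head -n 1
}

# can_ping FLOWS SRC DST -> 0 only if the echo request AND the echo reply
# each have a rule; a one-way flow is the classic mistake that still shows X
can_ping() {
  local flows=$1 src dst
  src=$(host_port "$2") || return 1
  dst=$(host_port "$3") || return 1
  [ "$(flow_output "$flows" "$src")" = "$dst" ] && [ "$(flow_output "$flows" "$dst")" = "$src" ]
}

# pingall FLOWS -> Mininet-style reachability matrix plus the Results line
pingall() {
  local flows=$1 ok=0 total=0 s d line
  for s in h1 h2 h3; do
    line="$s ->"
    for d in h1 h2 h3; do
      [ "$s" = "$d" ] && continue
      total=$((total + 1))
      if can_ping "$flows" "$s" "$d"; then line="$line $d"; ok=$((ok + 1)); else line="$line X"; fi
    done
    printf '%s\n' "$line"
  done
  printf '*** Results: %d%% dropped (%d/%d received)\n' $(( (total - ok) * 100 / total )) "$ok" "$total"
}

# Constructed flow table: the two rules added with dpctl above
FLOWS='in_port=1,actions=output:3
in_port=3,actions=output:1'

pingall "$FLOWS"
```

Dropping the second rule and rerunning pingall shows h1 -> X X even though h1's request reaches h3: the reply has no path back, which is why the rules must always be pushed in pairs.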

VI. Start the HTTP server

mininet> h1 python -m SimpleHTTPServer 8080 &

(SimpleHTTPServer is the Python 2 module; on Python 3 use h1 python3 -m http.server 8080 &. Either one serves Mininet's current working directory to anything that can reach port 8080, so start it from a directory that holds nothing sensitive.)

mininet> sh apt install wget -y

mininet> h3 wget 10.0.0.1:8080

--2022-07-20 12:52:56-- http://10.0.0.1/

Connecting to 10.0.0.1:8080... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1052 (1.0K) [text/html]

Saving to: ‘index.html’

index.html 100%[===================>] 1.03K --.-KB/s in 0s

2022-07-20 12:52:56 (123 MB/s) - ‘index.html’ saved [1052/1052]

mininet>

SERVER02 TASK

1.NETWORK

• Configure the server's hostname, NIC IP address, DNS servers, gateway and so on according to the basic configuration information.

Uos

I. Edit the configuration file and restart

Method 1 (may misbehave with several NICs)

Open the network configuration file and add the IP address and gateway

root@skills-PC:~# vim /etc/network/interfaces

auto ens33
iface ens33 inet static
address 172.16.100.202/25
gateway 172.16.100.254

(The original notes had gateway 172.16.100.128, which is the network address of 172.16.100.128/25 and cannot be a gateway; the other servers on this /25 use 172.16.100.254.)

Save and restart networking

root@skills-PC:~# systemctl restart network-manager.service

root@skills-PC:~# systemctl restart networking.service

Method 2:

NetworkManager keeps its profiles in /etc/NetworkManager/system-connections/

root@skills-PC:~# nmcli connection add con-name ens33 type ethernet ifname ens33

root@skills-PC:~# nmcli connection modify ens33 ipv4.addresses 172.16.100.202/25 ipv4.gateway 172.16.100.254 ipv4.method manual

root@skills-PC:~# nmcli connection up ens33

(Modify first, then bring the connection up; ipv4.method manual is what stops DHCP from also running on the interface.)

Check that it worked

root@skills-PC:~# ip a

II. Set the hostname

Fully qualified name

root@skills-PC:~# hostnamectl set-hostname Server02

root@skills-PC:~# bash

Edit hosts

root@Server02:~# vi /etc/hosts

172.16.100.202 Server02.skills.cn Server02

Test

root@Server02:~# hostname

Server02

root@Server02:~# hostname -f

Server02.skills.cn

2. FTP

• Insecure FTP is forbidden; enable FTPS with a certificate issued by the "CSK Global Root CA" certification authority;

• User webadmin logs in to the FTP server with /webdata/ as its root directory;

• After login the user is confined to its own root directory;

• The web administrator may upload and download files, but uploading files with the extensions .doc, .docx or .xlsx is forbidden.

• Limit the user's maximum download speed to 100 kb/s and the number of concurrent sessions from one IP to 2;

• The maximum download speed through a tool or browser must not exceed 100 kb/s

• No more than 2 login processes/users from a single IP address at the same time.

Uos

I. Install vsftpd

root@Server02:~# apt install vsftpd -y

II. Create the user and directory

root@Server02:~# useradd webadmin

root@Server02:~# passwd webadmin

Changing password for user webadmin.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.

root@Server02:~# mkdir /webdata

root@Server02:~# chown webadmin:webadmin /webdata

root@Server02:~# chmod 755 /webdata

(Owning the directory is all webadmin needs in order to upload. chmod 777, as in the original notes, would let every local account write into the web tree.)

III. Create the CA and issue the certificate

This is one way to do it; the request could instead be sent to the CA (Rserver) for signing.

root@Server02:~# vim /etc/ssl/openssl.cnf
dir = /CA

root@Server02:~# mkdir /CA
root@Server02:~# cp -rf /etc/ssl/* /CA
root@Server02:~# cd /CA/
root@Server02:/CA# touch index.txt
root@Server02:/CA# echo 01 > serial

root@Server02:/CA# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
.+++
.................................................................................................................+++
e is 65537 (0x10001)

root@Server02:/CA# openssl req -new -x509 -days 3650 -key ./private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (e.g. server FQDN or YOUR name) []:skill Global Root CA
Email Address []:

Create the site key and certificate request

root@Server02:/CA# openssl genrsa -out ftp.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................+++
................................................................+++
e is 65537 (0x10001)

root@Server02:/CA# openssl req -new -key ftp.key -out ftp.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:ShangDong
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:ftp.sdskills.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the certificate

root@Server02:/CA# openssl x509 -req -days 365 -sha256 -in ftp.csr -CA /CA/cacert.pem -CAkey /CA/private/cakey.pem -CAcreateserial -out ftp.crt
Signature ok
subject=/C=CN/ST=China/L=ShangDong/O=skills/OU=Operations Departments/CN=ftp.sdskills.com
Getting CA Private Key

(-days was missing in the original notes, which gives 30-day certificates. The client must also trust cacert.pem, otherwise every FTPS client will warn about the server certificate.)

IV. Edit the vsftpd configuration file

root@Server02:/CA# vim /etc/vsftpd.conf

(Debian-based systems, Uos included, keep the file at /etc/vsftpd.conf; /etc/vsftpd/vsftpd.conf is the CentOS location.)

# confine local users to their root directory
chroot_local_user=YES
local_root=/webdata
# vsftpd refuses a writable chroot root unless this is set
allow_writeable_chroot=YES
# uploads are disabled by default; the web administrator must be able to upload
write_enable=YES
# FTPS only: TLS is required for logins and for data connections
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/CA/ftp.crt
rsa_private_key_file=/CA/ftp.key
# names matching these patterns cannot be stored (or otherwise accessed)
deny_file={*.doc,*.docx,*.xlsx}
# bytes per second for local users; 100000 is roughly 100 kB/s
local_max_rate=100000
# concurrent sessions per source IP
max_per_ip=2

deny_file refuses every kind of access to matching names, not just uploads, which meets the requirement but also blocks downloading such files. Restart with systemctl restart vsftpd and confirm that a plain (non-TLS) login attempt is rejected before moving on.

3. MAIL

• Postfix

• Outgoing mail server for sdskill.com

• Supports smtps (465) connections using the certificate issued by Rserver, certificate path /CA/cacert.pem

• Create the mailbox accounts "user1~user99" (99 users) with the password Chinaskill20!;

• Dovecot

• Incoming mail server for sdskill.com;

• Supports imaps (993) connections using the certificate issued by Rserver, certificate path /CA/cacert.pem;

• Keep at least two users that have logged in successfully and can send and receive mail, for testing.

Uos

I. Install Postfix

root@Server02:~# apt-get install postfix

II. Create the certificates

Self-signed certificates are used here. The task asks for certificates issued by Rserver; to meet that, generate requests with openssl req -new (without -x509) and have the CA sign them.

Postfix certificate

root@Server02:~# mkdir /CA

root@Server02:~# openssl genrsa -out /CA/postfix.key
Generating RSA private key, 2048 bit long modulus
....................+++
..................+++
e is 65537 (0x10001)

root@Server02:~# openssl req -x509 -new -days 365 -key /CA/postfix.key -out /CA/postfix.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:ShangDong
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:smtp.sdskills.com
Email Address []:

Dovecot certificate

root@Server02:~# openssl genrsa -out /CA/dovecot.key
Generating RSA private key, 2048 bit long modulus
...................................................+++
..............+++
e is 65537 (0x10001)

root@Server02:~# openssl req -x509 -new -days 365 -key /CA/dovecot.key -out /CA/dovecot.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:ShangDong
Organization Name (eg, company) [Default Company Ltd]:Skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:imap.sdskills.com
Email Address []:

(In the original session imap.sdskills.com was typed into the OU field and the CN left empty. The name clients connect to has to be in the CN, or better in a subjectAltName, otherwise mail clients reject the certificate. Without -days both certificates would expire after 30 days.)

III. Configure Postfix

root@Server02:~# vim /etc/postfix/main.cf

:set nu   // show line numbers
line 75:  myhostname = mail.sdskills.com   // this host's name
line 83:  mydomain = sdskills.com   // the mail domain
line 99:  myorigin = $mydomain   // domain appended to locally submitted mail
line 113: inet_interfaces = all   // listen on every interface
line 115: #inet_interfaces = localhost   // comment out
line 164: mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain   // domains delivered locally (or comment out line 164 and uncomment line 165)
line 264: mynetworks = 127.0.0.0/8 [::1]/128   // hosts allowed to relay without authenticating
line 419: home_mailbox = Maildir/   // mailbox directory under each user's home
line 670: smtpd_use_tls = yes
line 671: smtpd_tls_cert_file = /CA/postfix.crt
line 672: smtpd_tls_key_file = /CA/postfix.key

The original notes set mynetworks = 0.0.0.0/0. Postfix's default relay restrictions begin with permit_mynetworks, so that value trusts every address on the Internet and turns the host into an open relay. Keep mynetworks at loopback and let user1~user99 relay after SASL authentication (smtpd_sasl_auth_enable = yes with Dovecot as the SASL backend), or at the very least list only the lab subnet.

Disable the plain port and enable 465

root@Server02:~# vim /etc/postfix/master.cf

line 11: #smtp      inet  n  -  n  -  -  smtpd   ## comment out port 25
line 16: smtps     inet  n  -  n  -  -  smtpd   ## enable port 465
line 28:   -o smtpd_tls_wrappermode=yes   ## uncomment: implicit TLS (wrapper mode) on 465

With port 25 closed no other MTA can deliver mail to this host. That matches the task (an outgoing server only) but is not how a production mail server is run.

IV. Configure Dovecot

root@Server02:~# vim /etc/dovecot/dovecot.conf

line 24: protocols = imap   ## Dovecot 2 has no separate "imaps" protocol: imaps is the imap service on its port 993 listener, which conf.d/10-master.conf enables by default. The old protocols = imaps spelling is only accepted as a deprecated alias.

root@Server02:~# vim /etc/dovecot/conf.d/10-auth.conf

line 10: disable_plaintext_auth = yes   ## the default. It only affects connections without TLS, so logins over 993 are unaffected; set it to no only if clients must authenticate over unencrypted IMAP on 143, which this task does not require

root@Server02:~# vim /etc/dovecot/conf.d/10-mail.conf

line 24: mail_location = maildir:~/Maildir   ## uncomment; matches home_mailbox in Postfix

root@Server02:~# vim /etc/dovecot/conf.d/10-ssl.conf

line 14: ssl_cert = </CA/dovecot.crt

line 15: ssl_key = </CA/dovecot.key

Setting ssl = required in the same file forces TLS for every login, leaving 993 as the only usable port.

V. Create the 99 users

root@Server02:~# for i in $(seq 1 99); do useradd -m user$i; done

root@Server02:~# for i in $(seq 1 99); do echo "user$i:Chinaskill20!" | chpasswd; done

(passwd --stdin, used in the original notes, is a Red Hat extension that does not exist on Debian-based Uos; chpasswd works everywhere. -m creates the home directory that Maildir/ delivery needs, which useradd on Debian does not do by default. The task specifies Chinaskill20! for these accounts.)

VI. Restart the services

root@Server02 ~# systemctl restart postfix

root@Server02 ~# systemctl restart dovecot
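The mynetworks setting above decides who may relay through this Postfix without authenticating. The script below is an added example, not part of the original notes or of Postfix: it applies the same IPv4 CIDR containment test that permit_mynetworks uses and compares the setting as written in the original notes (0.0.0.0/0) with a restricted one. The "corrected" value, loopback plus the 172.16.100.128/25 lab network used elsewhere on this page, and the sample client addresses are my constructed inputs; hostnames, lookup tables and the ! negation syntax of mynetworks are not modelled.

```shell
#!/usr/bin/env bash
# Added example: would a connecting client be allowed to relay under a given
# Postfix mynetworks value?  Only IPv4 addresses and CIDR blocks are handled.

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
  local a b c d
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NETWORK[/BITS] -> 0 if IP lies inside the network; a bare address means /32
in_cidr() {
  local ip net bits mask
  ip=$(ip2int "$1"); net=${2%/*}; bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# relay_allowed CLIENT_IP "MYNETWORKS" -> 0 if permit_mynetworks would let CLIENT_IP relay
relay_allowed() {
  local client=$1 net
  for net in $2; do
    case $net in \[*) continue ;; esac   # skip IPv6 entries such as [::1]/128
    in_cidr "$client" "$net" && return 0
  done
  return 1
}

# The two settings being compared (constructed)
AS_WRITTEN='0.0.0.0/0'
CORRECTED='127.0.0.0/8 [::1]/128 172.16.100.128/25'

# 172.16.100.1 is outside the /25 (hosts .129-.254); 203.0.113.9 is a documentation address standing in for the Internet
for who in 127.0.0.1 172.16.100.202 172.16.100.1 203.0.113.9; do
  printf '%-16s as written: %-7s corrected: %s\n' "$who" \
    "$(relay_allowed "$who" "$AS_WRITTEN" && echo relay || echo reject)" \
    "$(relay_allowed "$who" "$CORRECTED" && echo relay || echo reject)"
done
```

Every address relays under the setting as written, which is the definition of an open relay; with the restricted list only loopback and the lab /25 do, and the remaining users have to authenticate first.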

5. SSH

• Install SSH

• Only the client host may connect over SSH; requests from every other host must be refused;

• Configure key-based (passwordless) login for the client only from its Chinaskill22 user, on port 4044, with root privileges;

Uos

I. Install the SSH service

root@Server02:~# apt install openssh-server

II. Set the port in the sshd configuration file

root@Server02:~# vim /etc/ssh/sshd_config

Port 4044

III. Restart the SSH service

root@Server02:~# systemctl restart ssh

IV. Set the access rules

root@Server02:~# vim /etc/hosts.allow

Allow only the Client IP to log in

sshd:10.10.100.1:allow

Deny everyone else

root@Server02:~# vim /etc/hosts.deny

sshd:ALL

(hosts.allow and hosts.deny are honoured only if sshd was built with tcp_wrappers; otherwise use AllowUsers root@10.10.100.1 in sshd_config. Copy the Chinaskill22 user's public key from the client with ssh-copy-id -p 4044 root@<server ip>, exactly as for Server01.)

SERVER03 TASK

1.NETWORK

• Configure the server's hostname, NIC IP address, DNS servers, gateway and so on according to the basic configuration information.

Uos

I. Edit the configuration file and restart

Method 1 (may misbehave with several NICs)

Open the network configuration file and add the IP address and gateway

root@skills-PC:~# vim /etc/network/interfaces

auto ens33
iface ens33 inet static
address 172.16.100.201/25
gateway 172.16.100.254

Save and restart networking

root@skills-PC:~# systemctl restart network-manager.service

root@skills-PC:~# systemctl restart networking.service

Method 2:

NetworkManager keeps its profiles in /etc/NetworkManager/system-connections/

root@skills-PC:~# nmcli connection add con-name ens33 type ethernet ifname ens33

root@skills-PC:~# nmcli connection modify ens33 ipv4.addresses 172.16.100.201/25 ipv4.gateway 172.16.100.254 ipv4.method manual

root@skills-PC:~# nmcli connection up ens33

(Modify first, then bring the connection up; ipv4.method manual is what stops DHCP from also running on the interface.)

Check that it worked

root@skills-PC:~# ip a

II. Set the hostname

Fully qualified name

root@skills-PC:~# hostnamectl set-hostname Server03

root@skills-PC:~# bash

Edit hosts

root@Server03:~# vi /etc/hosts

172.16.100.201 Server03.skills.cn Server03

Test

root@Server03:~# hostname

Server03

root@Server03:~# hostname -f

Server03.skills.cn

2. chrony

• chrony provides the time synchronisation server for the whole network;

• Server01, Server02, Server04, Client and Rserver must correct their time against it periodically;

• The time is corrected automatically every minute.

Uos

I. Install chrony

Configure the local repository first, then install

root@Server03:~# apt-get install chrony -y

II. Edit the configuration

Remove the default configuration file

root@Server03:~# rm /etc/chrony/chrony.conf

Write a new one

root@Server03:~# vim /etc/chrony/chrony.conf

allow all

local stratum 10

(local stratum 10 lets chronyd serve its own clock even though no upstream source is reachable, which is what an isolated lab needs; allow all lets every client query it. The server 127.0.0.1 iburst line in the original notes is unnecessary, since chronyd cannot usefully synchronise to itself.)

III. Start the service and test

Restart chrony

root@Server03:~# systemctl restart chrony

Test that it works

Install ntpdate

Always test from a client

[root@Client ~]# apt-get install ntpdate -y

[root@Client ~]# ntpdate 192.168.10.4

22 Jul 03:46:55 ntpdate[10459]: step time server 192.168.10.4 offset -1.144208 sec

[root@Client ~]#

Cron job

Edit

[root@Client ~]# vim /etc/crontab

* * * * * root /usr/sbin/ntpdate 192.168.10.4

(*/1 and * mean the same thing. ntpdate from cron steps the clock once a minute; the cleaner way to meet the "every minute" requirement is to run chrony on the clients too, with server 192.168.10.4 iburst minpoll 6 maxpoll 6, which polls every 64 s and slews the clock instead of stepping it.)

3. SSH

• Install SSH

• Only the client host may connect over SSH; requests from every other host must be refused;

• Configure key-based (passwordless) login for the client only from its Chinaskill20 user, on port 2233, with root privileges;

Uos

I. Install the SSH service

root@Server03:~# apt install openssh-server

II. Set the port in the sshd configuration file

root@Server03:~# vim /etc/ssh/sshd_config

Port 2233

III. Restart the SSH service

root@Server03:~# systemctl restart ssh

IV. Set the access rules

root@Server03:~# vim /etc/hosts.allow

Allow only the Client IP to log in

sshd:10.10.100.1:allow

Deny everyone else

root@Server03:~# vim /etc/hosts.deny

sshd:ALL

(hosts.allow and hosts.deny are honoured only if sshd was built with tcp_wrappers; otherwise use AllowUsers root@10.10.100.1 in sshd_config.)

V. Set up key-based login

Client:

Switch to the Chinaskill22 user (the task bullet says Chinaskill20; the notes reuse the Chinaskill22 account created for the other servers)

[root@client ~]# su - Chinaskill22

Generate a key pair (skip if one already exists from an earlier task)

[Chinaskill22@client ~]$ ssh-keygen

Copy the public key to the server (use Server03's address)

[Chinaskill22@client ~]$ ssh-copy-id -p 2233 root@<server ip>

SERVER04 TASK

1.NETWORK

• Configure the server's hostname, NIC IP address, DNS servers, gateway and so on according to the basic configuration information.

Uos

I. Edit the configuration file and restart

Method 1 (may misbehave with several NICs)

Open the network configuration file and add the IP address and gateway

root@skills-PC:~# vim /etc/network/interfaces

auto ens33
iface ens33 inet static
address 172.16.100.201/25
gateway 172.16.100.254

(172.16.100.201 is what the original notes give here; it is the same address used for Server03 above, so take the actual value from the task's configuration table.)

Save and restart networking

root@skills-PC:~# systemctl restart network-manager.service

root@skills-PC:~# systemctl restart networking.service

Method 2:

NetworkManager keeps its profiles in /etc/NetworkManager/system-connections/

root@skills-PC:~# nmcli connection add con-name ens33 type ethernet ifname ens33

root@skills-PC:~# nmcli connection modify ens33 ipv4.addresses 172.16.100.201/25 ipv4.gateway 172.16.100.254 ipv4.method manual

root@skills-PC:~# nmcli connection up ens33

(Modify first, then bring the connection up; ipv4.method manual is what stops DHCP from also running on the interface.)

Check that it worked

root@skills-PC:~# ip a

II. Set the hostname

Fully qualified name

root@skills-PC:~# hostnamectl set-hostname Server04

root@skills-PC:~# bash

Edit hosts

root@Server04:~# vi /etc/hosts

172.16.100.201 Server04.skills.cn Server04

Test

root@Server04:~# hostname

Server04

root@Server04:~# hostname -f

Server04.skills.cn

2. DNS

• Install the DNS service packages;

• Provide the necessary name resolution for the domain skills.com

• Resolve every name outside skills.com to the IP address of Rserver's Internet-facing interface, or to Rserver.skills.com

Uos

I. Install the DNS service

root@Server04:~# apt -y install bind9 dnsutils

root@Server04:~# cd /etc/bind/

db.127   # reverse zone database, maps IP addresses to names

db.local   # forward zone database, maps names to IP addresses

named.conf.default-zones   # default zones

named.conf.local   # where local zones are defined (they could also go straight into named.conf)

named.conf.options   # global options

named.conf   # BIND's main configuration file; it contains no DNS data

II. Define the zones

Use the last zone block in named.conf.default-zones as a template:

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

root@Server04:/etc/bind# vim named.conf.local

zone "." {
        type master;
        file "/etc/bind/root.zone";
};

zone "skills.com" {
        type master;
        file "/etc/bind/skills.com.zone";
};

Declaring this server authoritative for "." with a wildcard record means every name outside skills.com resolves to 192.168.10.2. That is exactly what the task asks for, and it also means clients pointed at this server have no real Internet name resolution.

root@Server04:/etc/bind# cp -a db.local root.zone

root@Server04:/etc/bind# cp -a db.local skills.com.zone

root@Server04:/etc/bind# vim skills.com.zone

$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      www.skills.com.
www     IN      A       192.168.10.4

root@Server04:/etc/bind# vim root.zone

$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
*       IN      A       192.168.10.2

Check the files before restarting: named-checkconf, and named-checkzone skills.com /etc/bind/skills.com.zone.

III. Restart the service and test

root@Server04:/etc/bind# systemctl restart bind9

Point the resolver at the new server

root@Server04:/etc/bind# vim /etc/resolv.conf

nameserver 192.168.10.4

Resolve

root@Server04:/etc/bind# nslookup www.skills.com

Server: 192.168.10.4

Address: 192.168.10.4#53

Name: www.skills.com

Address: 192.168.10.4

root@Server04:/etc/bind# nslookup any.any.any

Server: 192.168.10.4

Address: 192.168.10.4#53

Name: any.any.any

Address: 192.168.10.2

root@Server04:/etc/bind#

3. Webserver

• Provides www.skills.com

• The skills company portal site;

• Uses the Apache service;

• Web files are stored in /htdocs/skills;

• The service runs as user webuser;

• The home page contains "This is the front page of skills's website.";

• /htdocs/sdskills/staff.html contains "Staff Information";

• That page requires staff account authentication;

• Staff accounts are stored in LDAP; the accounts are zsuser and lsus

• The site uses HTTPS;

• SSL uses a certificate issued by RServer, issued to:

C = CN

ST = China

L = ShangDong

O = skills

OU = Operations Departments

CN = *.skills.cn

• Rserver's CA certificate path: /CA/cacert.pem

• Issuer of the signed certificate:

C = CN;

O = Inc

OU = www.skills.com

CN = skill Global Root CA

• Clients must see no browser (or terminal) security warning when accessing HTTPS;

• HTTP requests are redirected automatically to the HTTPS connection;

• Requests for skills.cn or any.skills.cn (any = any prefix) redirect automatically to www.skills.com

Uos

I. Install Apache

root@Server04:~# apt install apache2 apache2-utils -y

(apache2-utils provides the htpasswd command used below.)

II. Add the user and make Apache run as it

root@Server04:~# useradd -r webuser

root@Server04:~# vim /etc/apache2/apache2.conf

User webuser

Group webuser

(On Debian-based systems these two lines read ${APACHE_RUN_USER} and ${APACHE_RUN_GROUP} from /etc/apache2/envvars, so the values can equally be changed there.)

III. Create the CA and issue the certificate

This is one way to do it; the request could instead be sent to the CA (Rserver) for signing.

root@Server04:~# vim /etc/ssl/openssl.cnf

dir = /CA

root@Server04:~# mkdir /CA

root@Server04:~# cp -rf /etc/ssl/* /CA

root@Server04:~# cd /CA

root@Server04:/CA# touch index.txt

root@Server04:/CA# echo 01 > serial

(The original notes created index.txt and serial before changing into /CA, which left them in the home directory. Only openssl ca uses them; the x509 -req signing below does not.)

root@Server04:/CA# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............+++++
.................................+++++
e is 65537 (0x010001)

root@Server04:/CA# openssl req -new -x509 -days 3650 -key ./private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (e.g. server FQDN or YOUR name) []:skill Global Root CA
Email Address []:

root@Server04:/CA# openssl genrsa -out apache.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
........................................................+++++
e is 65537 (0x010001)

root@Server04:/CA# openssl req -new -key apache.key -out apache.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:China
Locality Name (eg, city) []:ShangDong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (e.g. server FQDN or YOUR name) []:*.skills.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

root@Server04:/CA# openssl x509 -req -days 365 -sha256 -in apache.csr -CA /CA/cacert.pem -CAkey /CA/private/cakey.pem -CAcreateserial -out apache.crt
Signature ok
subject=C = CN, ST = China, L = ShangDong, O = skills, OU = Operations Departments, CN = *.skills.cn
Getting CA Private Key

Two things decide whether browsers accept this without warnings. First, cacert.pem has to be imported into the client's trust store. Second, the server certificate has to carry its names in a subjectAltName: x509 -req ignores the CSR's extensions, so pass -extfile with subjectAltName = DNS:*.skills.cn, DNS:skills.cn, DNS:www.skills.com. The wildcard alone does not cover the apex skills.cn, and www.skills.com is the name the redirect finally lands on.
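Every signing step on this page (Server01's httpd.crt, Server02's ftp.crt and mail certificates, and apache.crt above) runs openssl x509 -req with neither -days nor -extfile. The script below is an added example and not part of the original notes or of OpenSSL: it builds the same CA and server certificate with the DNs from the task, adds the validity periods and a subjectAltName, and verifies the chain; cert_has_dns then shows what the page's command leaves out. The SAN list (*.skills.cn, skills.cn, www.skills.com) is my reading of the redirect requirements, not something the task states. It needs the openssl binary and writes only into a temporary directory.

```shell
#!/usr/bin/env bash
# Added example: a minimal private CA that issues a server certificate with
# an explicit validity period and a subjectAltName.  DNs come from the task;
# the SAN list is an assumption derived from the redirect rules.

# make_server_ext OUT DNSNAME... -> x509v3 extension file used at signing time
make_server_ext() {
  local out=$1 sep='' n; shift
  {
    echo 'basicConstraints = CA:FALSE'
    echo 'keyUsage = digitalSignature, keyEncipherment'
    echo 'extendedKeyUsage = serverAuth'
    printf 'subjectAltName = '
    for n in "$@"; do printf '%sDNS:%s' "$sep" "$n"; sep=', '; done
    printf '\n'
  } > "$out"
}

# issue_site_cert DIR -> builds CA + signed server cert under DIR;
# returns 0 only when the server cert verifies against the CA
issue_site_cert() {
  local dir=$1
  local ca_dn='/C=CN/O=Inc/OU=www.skills.com/CN=skill Global Root CA'
  local leaf_dn='/C=CN/ST=China/L=ShangDong/O=skills/OU=Operations Departments/CN=*.skills.cn'
  mkdir -p "$dir/private" || return 1
  # CA certificate: self-signed, 10 years (the page's command defaults to 30 days)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "$ca_dn" \
    -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
  # server key and CSR with the DN the task prescribes
  openssl req -new -newkey rsa:2048 -nodes -subj "$leaf_dn" \
    -keyout "$dir/apache.key" -out "$dir/apache.csr" 2>/dev/null || return 1
  # the wildcard does not cover the apex, and the redirect target needs a name too
  make_server_ext "$dir/apache.ext" '*.skills.cn' 'skills.cn' 'www.skills.com'
  openssl x509 -req -days 365 -sha256 -in "$dir/apache.csr" \
    -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
    -extfile "$dir/apache.ext" -out "$dir/apache.crt" 2>/dev/null || return 1
  openssl verify -CAfile "$dir/cacert.pem" "$dir/apache.crt" >/dev/null 2>&1
}

# cert_has_dns CERT NAME -> 0 if NAME is listed in the certificate's subjectAltName
cert_has_dns() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | grep -Fq -- "DNS:$2"
}

if command -v openssl >/dev/null 2>&1; then
  WORK=$(mktemp -d)
  if issue_site_cert "$WORK"; then
    echo "chain verifies; subjectAltName:"
    openssl x509 -in "$WORK/apache.crt" -noout -text | grep -A1 'Subject Alternative Name'
  fi
  rm -rf "$WORK"
fi
```

Signing the same CSR without -extfile, as the page does, yields a certificate with no subjectAltName at all, and cert_has_dns reports every name as missing: that, not the CA trust, is what keeps the browser warning on screen after cacert.pem has been imported.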

IV. Create the Apache directory and content

root@Server04:/CA# mkdir -p /htdocs/skills

root@Server04:/CA# echo "This is the front page of skills's website." >> /htdocs/skills/index.html

root@Server04:/CA# echo "Staff Information" >> /htdocs/skills/staff.html

V. Edit the site configuration and set up the redirects

root@Server04:/CA# a2enmod ssl

(Without mod_ssl enabled Apache rejects SSLEngine as an unknown directive, and ports.conf only adds Listen 443 when the module is loaded.)

root@Server04:/CA# vim /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
    Redirect permanent / https://www.skills.com/
</VirtualHost>

# The first *:443 vhost is the default: skills.cn and any.skills.cn land here and are redirected
<VirtualHost *:443>
    ServerName skills.cn
    ServerAlias *.skills.cn
    Redirect permanent / https://www.skills.com/
    SSLEngine on
    SSLCertificateFile /CA/apache.crt
    SSLCertificateKeyFile /CA/apache.key
</VirtualHost>

<VirtualHost *:443>
    ServerName www.skills.com
    DocumentRoot /htdocs/skills
    SSLEngine on
    SSLCertificateFile /CA/apache.crt
    SSLCertificateKeyFile /CA/apache.key
    <Directory /htdocs/skills>
        Require all granted
    </Directory>
    # <Directory> only matches directories; protecting a single file needs <Files>
    <Files "staff.html">
        AuthType Basic
        AuthName "login"
        AuthUserFile "/var/passwd"
        Require valid-user
    </Files>
</VirtualHost>

The task names the site www.skills.com; the original notes used www.skills.cn for both the ServerName and the redirect target. Since the :80 vhost only redirects, the Basic credentials for staff.html travel over TLS only.

Create the authentication users

root@Server04:/CA# htpasswd -c /var/passwd zsuser

root@Server04:/CA# htpasswd /var/passwd lsusr

root@Server04:/CA# systemctl restart apache2

(-c truncates the file, so use it only for the first account. The task says the staff accounts live in LDAP; a password file satisfies the login prompt but not that requirement. Once the directory from the LDAP section exists, replace AuthUserFile with mod_authnz_ldap: a2enmod authnz_ldap, then AuthBasicProvider ldap and an AuthLDAPURL pointing at ou=users,dc=chinaskills,dc=cn.)

4. SSH

• Install SSH

• Only the client host may connect over SSH; requests from every other host must be refused;

• Configure key-based (passwordless) login for the client only from its Chinaskill22 user, on port 3344, with root privileges;

Uos

I. Install the SSH service

root@Server04:~# apt install openssh-server

II. Set the port in the sshd configuration file

root@Server04:~# vim /etc/ssh/sshd_config

Port 3344

III. Restart the SSH service

root@Server04:~# systemctl restart ssh

IV. Set the access rules

root@Server04:~# vim /etc/hosts.allow

Allow only the Client IP to log in

sshd:10.10.100.1:allow

Deny everyone else

root@Server04:~# vim /etc/hosts.deny

sshd:ALL

(hosts.allow and hosts.deny are honoured only if sshd was built with tcp_wrappers; otherwise use AllowUsers root@10.10.100.1 in sshd_config.)

V. Create the user and set up key-based login

Client:

Create the user (skip if the account already exists from an earlier task)

[root@client ~]# useradd Chinaskill22

Switch to the Chinaskill22 user

[root@client ~]# su - Chinaskill22

Generate a key pair (skip if one already exists)

[Chinaskill22@client ~]$ ssh-keygen

Copy the public key to the server (use Server04's address)

[Chinaskill22@client ~]$ ssh-copy-id -p 3344 root@<server ip>
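The four SSH tasks on this page (Server01 on 3033, Server02 on 4044, Server03 on 2233, Server04 on 3344) all come down to the same sshd_config requirements: a non-default port, root reachable with a key and nothing else, and only the client at 10.10.100.1 allowed in. The script below is an added example, not part of the original notes or of OpenSSH: render_sshd_fragment produces the directives for a given port and client, and audit_sshd_config checks an existing sshd_config against them, applying sshd's first-occurrence-wins rule. The sample configurations it audits are constructed; only the first pattern of AllowUsers is inspected.

```shell
#!/usr/bin/env bash
# Added example: generate and audit the sshd_config settings the SSH tasks need.
# Assumptions: client 10.10.100.1 and the per-server ports from the task text.

# render_sshd_fragment PORT CLIENT_IP -> directives to put in sshd_config
render_sshd_fragment() {
  cat <<EOF
Port $1
# root may log in, but only with a key (the Chinaskill22 user's public key is
# placed in /root/.ssh/authorized_keys by ssh-copy-id); never with a password
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
# only the client host may authenticate; unlike hosts.allow/hosts.deny this
# does not depend on sshd having been built with tcp_wrappers
AllowUsers root@$2
EOF
}

# effective_value FILE KEYWORD -> the value sshd would use: the FIRST
# non-comment occurrence wins, so a stray line near the top silently
# overrides a hardening line appended at the bottom
effective_value() {
  awk -v k="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == tolower(k) { print $2; exit }
  ' "$1"
}

# audit_sshd_config FILE PORT CLIENT_IP -> one line per failed check; returns 0
# only if everything passes (defaults assumed where a keyword is absent)
audit_sshd_config() {
  local f=$1 port=$2 client=$3 rc=0 v
  v=$(effective_value "$f" Port)
  [ "${v:-22}" = "$port" ] || { echo "Port is '${v:-22}', expected $port"; rc=1; }
  v=$(effective_value "$f" PermitRootLogin)
  case ${v:-prohibit-password} in
    prohibit-password|without-password|forced-commands-only) ;;
    *) echo "PermitRootLogin is '$v': root must be able to log in with a key and nothing else"; rc=1 ;;
  esac
  v=$(effective_value "$f" PasswordAuthentication)
  [ "${v:-yes}" = no ] || { echo "PasswordAuthentication is '${v:-yes}': passwords are still accepted"; rc=1; }
  v=$(effective_value "$f" AllowUsers)
  [ "$v" = "root@$client" ] || { echo "AllowUsers is '${v:-unset}', expected root@$client"; rc=1; }
  return $rc
}

# write_sample KIND FILE -> constructed sshd_config samples:
#   noted    = only the Port line changed, as in the original notes
#   hardened = the rendered fragment
write_sample() {
  case $1 in
    noted)    printf '%s\n' 'Port 3344' '#PermitRootLogin prohibit-password' '#PasswordAuthentication yes' 'UsePAM yes' > "$2" ;;
    hardened) render_sshd_fragment 3344 10.10.100.1 > "$2" ;;
  esac
}

TMP=$(mktemp -d)
write_sample noted "$TMP/noted"; write_sample hardened "$TMP/hardened"
echo "== as in the notes =="; audit_sshd_config "$TMP/noted" 3344 10.10.100.1 || true
echo "== hardened =="; audit_sshd_config "$TMP/hardened" 3344 10.10.100.1 && echo "all checks passed"
rm -rf "$TMP"
```

Run audit_sshd_config against the real /etc/ssh/sshd_config after editing; on newer Debian-based releases also check any drop-in under /etc/ssh/sshd_config.d/, since those are included first and therefore win.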

5. LDAP

• Install openldap to provide account authentication for the Apache service;

• Create the chinaskills.cn directory, create the group ldsgp, and add zsuser, lsusr and wuusr to it.

Uos

I. Install the service

root@Server04:~# apt install slapd ldap-utils -y

Enter the administrator password when prompted

II. Edit the LDAP client configuration

root@Server04:~# vim /etc/ldap/ldap.conf

BASE dc=chinaskills,dc=cn

URI ldap://192.168.10.4

(URI takes an LDAP URL, not a bare address as in the original notes.)

III. Reconfigure slapd with the base DN

root@Server04:~# dpkg-reconfigure slapd

Enter the domain chinaskills.cn and the password chosen during installation

Check that it works

root@Server04:~# ldapsearch -x

# extended LDIF
#
# LDAPv3
# base <dc=chinaskills,dc=cn> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# chinaskills.cn
dn: dc=chinaskills,dc=cn
objectClass: top
objectClass: dcObject
objectClass: organization
o: chinaskills
dc: chinaskills

# admin, chinaskills.cn
dn: cn=admin,dc=chinaskills,dc=cn
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

IV. Create the user and group containers

root@Server04:~# cd /etc/ldap/   # enter the ldap directory

root@Server04:/etc/ldap# vim group.ldif   # the .ldif suffix matters

dn: ou=users,dc=chinaskills,dc=cn
objectClass: organizationalUnit
ou: users

dn: ou=ldsgp,dc=chinaskills,dc=cn
objectClass: organizationalUnit
ou: ldsgp

(The RDN attribute value must be present in the entry: ou=ldsgp needs ou: ldsgp, not ou: group as in the original notes, or slapd rejects it with a naming violation.)

root@Server04:/etc/ldap# vim zsuser.ldif

dn: uid=zsuser,ou=users,dc=chinaskills,dc=cn
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: zsuser
cn: zsuser
userPassword: {SSHA}<hash>
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
loginShell: /bin/bash
uidNumber: 1008
gidNumber: 1008
homeDirectory: /home/zsuser
gecos: zsuser

(Generate the userPassword value with slappasswd -s 'ChinaSkill22!' and paste the {SSHA} hash; the original notes stored the plaintext password, which anyone able to read the entry could then reuse. shadowMax: 0 with shadowLastChange: 0 marks the password as expired for PAM-based logins; Apache authentication ignores the shadow attributes.)

V. Import the containers and the user

root@Server04:/etc/ldap# ldapadd -x -D "cn=admin,dc=chinaskills,dc=cn" -W -f group.ldif
Enter LDAP Password:
adding new entry "ou=users,dc=chinaskills,dc=cn"
adding new entry "ou=ldsgp,dc=chinaskills,dc=cn"

root@Server04:/etc/ldap# ldapadd -x -D "cn=admin,dc=chinaskills,dc=cn" -W -f zsuser.ldif
Enter LDAP Password:
adding new entry "uid=zsuser,ou=users,dc=chinaskills,dc=cn"

Create the remaining users (lsusr, wuusr) the same way. -x -W is a simple bind that sends the admin password in the clear; that is acceptable against localhost, but use ldaps:// or -ZZ (StartTLS) for any remote server.

VI. Add the users to a group

root@Server04:/etc/ldap# vim jr.ldif

dn: cn=jr,ou=ldsgp,dc=chinaskills,dc=cn
objectClass: posixGroup
gidNumber: 10001
cn: jr
memberUid: zsuser

root@Server04:/etc/ldap# ldapadd -x -D "cn=admin,dc=chinaskills,dc=cn" -W -f jr.ldif
Enter LDAP Password:
adding new entry "cn=jr,ou=ldsgp,dc=chinaskills,dc=cn"

(The task asks for a group named ldsgp that contains all three users; add one memberUid line per user.)

VII. Test

root@Server04:/etc/ldap# ldapsearch -x -LLL | grep 'dn: dc'

dn: dc=chinaskills,dc=cn

root@Server04:/etc/ldap# ldapsearch -x -LLL | grep 'dn: uid'

dn: uid=zsuser,ou=users,dc=chinaskills,dc=cn

root@Server04:/etc/ldap#
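The notes create one LDIF per user by hand and then a group that lists only zsuser. The script below is an added example, not part of the original notes or of OpenLDAP: it generates the three posixAccount entries with consecutive uidNumbers and a posixGroup named ldsgp (as the task requires; the notes used cn=jr) that lists every user, ready for a single ldapadd. The password hash is an input produced beforehand with slappasswd -s; the value in the script is a constructed placeholder, not a real hash. The base DN and the ou=users / ou=ldsgp containers are those created above.

```shell
#!/usr/bin/env bash
# Added example: emit the LDIF for the staff accounts and the ldsgp group in one pass.
# Assumption: base dc=chinaskills,dc=cn with ou=users and ou=ldsgp already present.

BASE_DN='dc=chinaskills,dc=cn'

# user_ldif UID UIDNUMBER PASSWORD_HASH -> one posixAccount entry
user_ldif() {
  cat <<EOF
dn: uid=$1,ou=users,$BASE_DN
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: $1
cn: $1
userPassword: $3
loginShell: /bin/bash
uidNumber: $2
gidNumber: $2
homeDirectory: /home/$1
gecos: $1

EOF
}

# group_ldif GROUP GIDNUMBER UID... -> one posixGroup entry listing every uid;
# the cn value is repeated in the entry because the RDN attribute must be present
group_ldif() {
  local name=$1 gid=$2 u; shift 2
  printf 'dn: cn=%s,ou=ldsgp,%s\n' "$name" "$BASE_DN"
  printf 'objectClass: posixGroup\ncn: %s\ngidNumber: %s\n' "$name" "$gid"
  for u in "$@"; do printf 'memberUid: %s\n' "$u"; done
  printf '\n'
}

# staff_ldif FIRST_UIDNUMBER PASSWORD_HASH UID... -> all users, then the group
staff_ldif() {
  local n=$1 hash=$2 u; shift 2
  for u in "$@"; do user_ldif "$u" "$n" "$hash"; n=$((n + 1)); done
  group_ldif ldsgp 10001 "$@"
}

# count_attr LDIF_TEXT ATTR -> number of lines starting with "ATTR:"
count_attr() { printf '%s\n' "$1" | grep -c "^$2:"; }

# Constructed placeholder; in practice: HASH=$(slappasswd -s 'ChinaSkill22!')
HASH='{SSHA}placeholder-not-a-real-hash'
LDIF=$(staff_ldif 1008 "$HASH" zsuser lsusr wuusr)
printf '%s\n' "$LDIF"
# Import with: ldapadd -x -D "cn=admin,$BASE_DN" -W -f staff.ldif
```

Writing the output to staff.ldif and importing it once replaces the three separate ldapadd runs, and the group entry cannot fall out of step with the users because both come from the same argument list.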

Last modified: 26 August 2022