一、 初始化环境

1.默认账号及默认密码

Username: root

Password: ChinaSkill22!

Username: skills

Password: ChinaSkill22!

注:若非特别指定,所有账号的密码均为 ChinaSkill22!

2.操作系统配置

所处区域:CST + 8

系统环境语言:English US (UTF-8)

键盘:English US

注意:当任务是配置TLS,请把根证书或者自签名证书添加到受信任区。

控制台登陆后不管是网络登录还是本地登录,都按下方欢迎信息内容显示

*********************************
     ChinaSkills 2022–CSK
       Module C Linux

        >>hostname<<
      >>Linux Version<<
         >> TIME <<
*********************************

Centos

一、查询当前所属区域,并设置当前所属区域

[root@localhost ~]# timedatectl list-timezones|grep Asia/Shanghai

Asia/Shanghai

[root@localhost ~]# timedatectl set-timezone Asia/Shanghai

[root@localhost ~]# timedatectl |grep "Time zone"

Time zone: Asia/Shanghai (CST, +0800)
[root@localhost ~]#

二、编辑动态sh文件

[root@localhost ~]# vim /login.sh

#!/bin/bash
printf "**************************************\n"
printf "%-2s ChinaSkills 2022 - CSK\n"
printf "%-8s Module C Linux\n\n\n"
printf "%-11s>>"`hostname -s`"<<\n"
echo ">>"`cat /etc/centos-release`"<<"
echo ">>" `date` "<<"
printf "**************************************\n"

三、配置登录输出该sh

[root@localhost ~]# vim /root/.bash_profile

最后一行写入

bash /login.sh

四、关闭本地控制台日志提示

touch一个空的hushlogin这样就不会输出

[root@localhost ~]# touch ~/.hushlogin

五、关闭SSH控制台登录日志

[root@localhost ~]# vim /etc/ssh/sshd_config

修改为

PrintLastLog no

重启SSHD服务

[root@localhost ~]# systemctl restart sshd

六、测试

本地控制台:

SSH链接测试:

Uos

时区变更:

[root@localhost ~]# timedatectl set-timezone Asia/Shanghai
[root@localhost ~]# timedatectl |grep "Time zone" 
       Time zone: Asia/Shanghai (CST, +0800)

欢迎配置:

方法一:

一、编辑动态sh文件
root@skills-PC:~# vim /login.sh

#!/bin/bash
printf "**************************************\n"
printf "%-2s ChinaSkills 2022 - CSK\n"
printf "%-8s Module C Linux\n\n\n"
printf "%-11s>>"`hostname -s`"<<\n"
printf "%-9s>>"Uos` cat /etc/os-version |grep "MinorVersion" `"<<\n"
echo ">>" `date` "<<"
printf "**************************************\n"

二、配置登录输出该sh

root@skills-PC:~# vim /root/.profile

最后一行写入
bash /login.sh

三、删除控制台登录及ssh后静态motd文件

把静态motd删除:
root@skills-PC:~# rm /etc/motd

四、关闭SSH控制台日志提示

注销掉第91行
root@routersrv:~# vim /etc/pam.d/login
90 # (Replaces the `LASTLOG_ENAB' option from login.defs)
91 #session optional pam_lastlog.so

五、关闭ssh控制台登录日志

[root@localhost ]# vim /etc/ssh/sshd_config
修改为no
PrintLastLog no
重启sshd服务
root@skills-PC:# systemctl restart ssh

方法二:

一、编辑静态motd文件
root@skills-PC:~# vim /etc/motd

*********************************
     ChinaSkills 2022–CSK
       Module C Linux

        >>hostname<<
      >>Linux Version<<
         >> TIME <<
*********************************

二、关闭ssh控制台登录日志

[root@localhost ]# vim /etc/ssh/sshd_config
修改为no
PrintLastLog no
重启sshd服务
root@skills-PC:# systemctl restart ssh

一、 项目任务描述

某公司要为员工提供便捷、安全稳定内外网络服务,你作为一个公司网络系统管理员,负责公司网络系统管理,请根据网络拓扑、基本配置信息和服务需求完成网络服务安装与测试,网络拓扑图和基本配置信息如下:

1.拓扑图

2.基本配置

服务器和客户端基本配置如下表,各虚拟机已预装系统。

DeviceHostnameSystemFQDNIP AddressService
Server01Server01CentosServer01.sdskills.com172.16.100.201RAID5
NFS
DNS
Webserver
SSH
DBM
SSDN
Server02Server02CentosServer02.sdskills.com172.16.100.202FtpMailSSH
Server03Server03UOSServer03.skills.com192.168.10.3NtpSSH
Server04Server04UOSServer04.skills.com192.168.10.XDNSWebserverSSHLDAP
RserverRserverCentosRserver.skills.com
Rserver.sdskills.com
172.16.100.254
192.168.10.2
10.10.100.254
proxy
firewall
dhcp
SSH
CA
ClientClientCentos 10.10.100.xnone

网络

NetworkCIDR
office10.10.100.0/24
service172.16.100.128/25
internet192.168.10.0/28

3.任务需求

任务设备:Client,Rserver,servr01,server02,server03,server04。

注意:若题目中未明确规定,请使用默认配置。

CLIENT TASK

1.Client 相关任务 ,具体要求如下:

• 作为DNS服务器域名解析测试的客户端,安装nslookup、dig命令行工具;

Centos

先进行本地源搭建

[root@Server ~]# mount /dev/cdrom /mnt
[root@Server ~]# cd /etc/yum.repos.d/
[root@Server yum.repos.d]# vi CentOS-Base.repo #修改配置文件,内容如下

[a]
name=a
baseurl=file:///mnt
enabled=1
gpgkey=file:///mnt/RPM-GPG-KEY-CentOS-7

[root@Server ~]#yum clean all 清理缓存
[root@Server ~]#yum makecache 重新生成新的yum缓存

[root@Server ~]#yum install -y nslookup dig

Uos

uslookup与dig有内置

• 作为网站访问测试的客户端,安装firefox浏览器, curl命令行测试工具;

Centos

[root@Server ~]# yum install -y firefox curl

Uos

Tip:需要先把apt源更改为阿里源,然后才可以安装firefox与curl

• 作为SSH远程登录测试客户端,安装ssh命令行测试工具;

Centos

[root@Server ~]# yum install openssh* -y

Uos

默认内置

uslookup与dig有内置

• 作为SAMBA测试的客户端,使用图形界面文件浏览器测试, 并安装smbclient工具;

Centos

[root@Server ~]# yum install smbclient*

Uos

root@skills-PC:~# sudo aptitude install sambclient

• 作为FTP测试的客户端,安装lftp命令行工具;

Centos

[root@Server ~]# yum install lftp -y

Uos

root@skills-PC:~# sudo aptitude install lftp

• 作为防火墙规则效果测试客户端,安装ping命令行工具。

Centos

默认内置

Uos

默认内置

• 截图的时候请使用上述提到的工具进行功能测试。

RSERVER TASK

1.NETWORK

• 请根据基本配置信息配置服务器的主机名,网卡IP地址配置、域名等。

Centos

方法一 配置文件

cd /etc/sysconifg/ network-scripts

cp ifcf-ens33 ifcf-en36  #直接复制文件

uuidgen ens36 >>ifcf-ens36    #查看到的uuid写于ifcf-en36的配置文件的uuid

systemclt restart networking
方法二 命令输出

nmcli connection add con-name 33 type ethernet ifname ens33

nmcli conmection modify 网卡 ipv4.address 172.16.100.201/24

nmcli conmection mmodify 网卡 ipv4.method manual 设置静态

nmcli conmection modify 网卡 ipv4.gatway 网关 设置网关

方法三 图像界面

nmtui
配置主机名字

[root@server01 ~]# hostnamectl set-hostname mv  设置名字
[root@server01 ~]# bash    刷新名字

[root@mv ~]#

配置域名

[root@Server01 ~]# vi /etc/hosts  修改hosts
172.16.100.201 Server01.sdskills.com

[root@localhost ~]# timedatectl list-timezones|grep Asia/Shanghai 查看区域 是否可用

Asia/Shanghai

[root@localhost ~]# timedatectl set-timezone Asia/Shanghai  设置当前所属区域

[root@localhost ~]# timedatectl |grep "Time zone"    查看区域

Time zone: Asia/Shanghai (CST, +0800)
[root@localhost ~]#

uos

一、修改配置文件并重启

第一种:(多网卡可能有问题)

进入网络配置文件,添加ip地址及网关信息

root@skills-PC:~# vim /etc/network/interfaces

auto ens33
iface ens33 inet static
address 10.10.100.254/24
gateway 10.10.100.254

auto ens37
iface ens37 inet static
address 172.16.100.254/25
gateway 172.16.100.254

auto ens38
iface ens38 inet static
address 192.168.10.2/28
gateway 192.168.10.2

保存重启网卡

root@skills-PC:~# systemctl restart network-manager.service

root@skills-PC:~# systemctl restart networking.service

第二种:

网络文件在 /etc/NetworkManager/system-conmections/

root@skills-PC:nmcli conmection add con-name ens33 type ethernet ifname ens33

root@skills-PC:# nmcli conncetion up ens33

root@skills-PC:nmcli connection modify ens33 ipv4.addresses 10.10.100.254/24

root@skills-PC:# nmcli connection modify ens33 ipv4.gateway 10.10.100.254

root@skills-PC:nmcli conmection add con-name ens37 type ethernet ifname ens33

root@skills-PC:# nmcli conncetion up ens37

root@skills-PC:nmcli connection modify ens37 ipv4.addresses 172.16.100.254/25

root@skills-PC:# nmcli connection modify ens37 ipv4.gateway 172.16.100.254

root@skills-PC:nmcli conmection add con-name ens38 type ethernet ifname ens38

root@skills-PC:# nmcli conncetion up ens38

root@skills-PC:nmcli connection modify ens38 ipv4.addresses 192.168.10.2/28

root@skills-PC:# nmcli connection modify ens38 ipv4.gateway 192.168.10.254

查看是否配置成功

root@skills-PC:~# ip a

二、配置主机域名

完整域名

root@skills-PC:~# hostnamectl set-hostname Rserver

root@skills-PC:~# bash

修改hosts

root@Rserver:~# vi /etc/hosts

10.10.100.254 Rserver.skills.cn Rserver

测试

root@Rserver:~# hostname

Rserver

root@Rserver:~# hostname -f

Rserver.skills.cn

2.squid

• 安装squid服务,开启路由转发,为当前实验环境提供路由功能;

Centos

[root@localhost ~]# yum install squid –y

[root@localhost ~]# systemctl start squid

配置路由转发,提供路由功能

临时开启

echo "1" >> /proc/sys/net/ipv4/ip_forward

永久开启

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

sysctl -p

net.ipv4.ip_forward = 1

图形界面打开火狐浏览器找到网络设置

请输入图片描述

变成手动 输入ip 端口

uos

一、关闭防火墙

root@Rserver:~# systemctl stop firewalld

二、安装Squid服务,并启动

root@Rserver:~# aptitude install squid

三、配置路由转发,提供路由功能

临时开启

root@Rserver:~# echo "1" >> /proc/sys/net/ipv4/ip_forward

永久开启

root@Rserver:~# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

root@Rserver:~# sysctl -p

net.ipv4.ip_forward = 1

3.Iptables

• 默认阻挡所有流量

• 添加必要的NAT规则和流量放行规则,正常情况下Internet网络不能访问office网络,满足使所有要求中的服务正常提供工作。

Centos和Uos

默认阻挡所有流量

iptables -A INPUT -s 0.0.0.0/0 -j REJECT

192.168.10.0/24 禁止访问 192.168.1.0/24

iptables -A INPUT -s 192.168.10.0/24 -d 192.168.1.0/24 -j REJECT

上面的命令将丢掉所有来自 所有 网络的网络包,而将只允许192.168.1.0/24网络和10.1.100.0/24网络通过端口 22 的流入流量。

iptables -A INPUT -S 0.0.0.0/0 -j DROP
iptables -I INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -I INPUT -s 10.1.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT

Server1 192.168.10.134
Server2 192.168.10.132
Server2 10.1.100.129
Server3 10.1.100.128
10.1.100.0/24网络不能访问除了192.168.10.132以外的192.168.10.0/24网络

iptables -A FORWARD -s 10.1.100.0/24 -d 192.168.10.0/24 -j REJECT

10.1.100.0/24网络不能访问192.168.10.132

iptables -A OUTPUT -s 10.1.100.0/24 -d 192.168.10.0/24 -j REJECT

10.1.100.0/24网络不能访问192.168.10.0/24网络

iptables -A FORWARD -s 10.1.100.0/24 -d 192.168.10.0/24 -j REJECT
iptables -A FORWARD -s 10.1.100.0/24 -d 192.168.10.0/24 -j REJECT

4.DHCP

• 为客户端分配IP范围是10.10.100.1-10.10.100.50;

• DNS:按照实际需求配置DNS服务器地址选项;

• GATEWAY:按照实际需求配置网关地址选项。

Centos

yum install dhcp –y

vim /etc/dhcp/dhcpd.conf  配置文件

option domain-name "skills.com";
option domain-name-servers 172.16.100.201;

default-lease-time 600;
max-lease-time 7200;
  subnet 10.10.100.0 netmask 255.255.255.0 {
    option routers 10.10.100.254;
    range 10.10.100.1 10.10.100.50;
}

Systemclt restart dhcp.service 启动

uos

一、安装dhcp

root@Rserver:~# apt-get install isc-dhcp-common=4.2.4-7ubuntu12.13

root@Rserver:~# apt-get install isc-dhcp-server

二、编辑和配置dhcp

root@Rserver:~# vim /etc/dhcp/dhcpd.conf

option domain-name "skills.com";
option domain-name-servers 10.10.100.254;

default-lease-time 600;
max-lease-time 7200;
  subnet 10.10.100.0 netmask 255.255.255.0 {
  range 10.10.100.1 10.10.100.50;
  option routers 10.10.100.254;
}

将监听端口修改为对应网卡,代码如下:

root@Rserver:~# vim /etc/default/isc-dhcp-server

INTERFACES="ens33"

三、启动置dhcp服务

root@Rserver:~# systemctl restart isc-dhcp-server

四、客户端测试

root@Rserver:~# vim /etc/sysconfig/network-scripts/ifcfg-ens33

BOOTPROTO=dhcp

ONBOOT=yes

重启网卡

root@Rserver:~# systemctl restart network

5.SSH

安装SSH

仅允许client客户端进行ssh访问,其余所有主机的请求都应该拒绝;

配置client只能在Chinaskill22用户环境下可以免秘钥登录,端口号为2022,并且拥有root控制权限。

Centos

[root@Rserver ~]# yum install openssh –y

[root@Rserver ~]# vim /etc/ssh/sshd_config 设置端口

port 2022

[root@Rserver ~]# systemctl restart sshd

[root@Rserver ~]# vim /etc/hosts.allow 设置规则

只允许 Client这个ip

sshd:10.10.100.1:allow

拒接所有

[root@Rserver ~]# vim /etc/hosts.deny

sshd:ALL

创建用户

[root@client ~]# useradd Chinaskill22

[root@client ~]# su Chinaskill22

[Chinaskill22@client root]$ ssh-keygen  生成密钥

复制密钥到RServer服务器

[Chinaskill22@client root]$ ssh-copy-id root@10.10.100.254 -p 2022 复制密钥到RServer服务器

Uos

一、安装ssh

root@Rserver:~# apt install openssh –y

二、编辑ssh配置文件、端口

root@Rserver:~# vim /etc/ssh/sshd_config

port 2022

三、重启ssh服务

root@Rserver:~# systemctl restart sshd

四、设置规则

root@Rserver:~# vim /etc/hosts.allow

只允许Client这个ip

sshd:10.10.100.1:allow

拒接所有

root@Rserver:~# vim /etc/hosts.deny

sshd:ALL

6.CA

• CA根证书路径/CA/cacert.pem;

• 签发数字证书,颁发者信息:

国家 = CN

单位 = Inc

组织机构 = www.skills.com

公用名 = Skill Global Root CA

• 创建用户组ldsgp ,将zsuser、lsusr、wuusr添加到组内。

Centos

一、安装Openssl

[root@Rserver ~]# yum install openssl –y

二、建立根证书存放目录

[root@Rserver ~]# mkdir /CA

[root@Rserver ~]# cd /CA

[root@Rserver CA]# mkdir certs #存放已颁发的证书

[root@Rserver CA]# mkdir newcerts #存放CA指令生成的新证书

[root@Rserver CA]# mkdir private #存放私钥

[root@Rserver CA]# touch index.txt #已签发证书的文本数据文件

[root@Rserver CA]# vim serial #证书签发时使用的序列号参考文件

01

[root@Rserver CA]# openssl genrsa -out private/cakey.pem 4096 #生成一个密钥,长度4096

Generating RSA private key, 4096 bit long modulus

............................................++

..........................................++e is 65537 (0x10001)

[root@Rserver CA]#

[root@Rserver CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem 签发数字证书,颁发者信息

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.


Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:

Locality Name (eg, city) [Default City]:

Organization Name (eg, company) [Default Company Ltd]:Inc

Organizational Unit Name (eg, section) []:www.skills.com

Common Name (eg, your name or your server's hostname) []:Skill Gloabl Root CA

Email Address []:

[root@Rserver CA]#

三、测试

生成一个秘钥

[root@Rserver CA]# openssl genrsa -out private/apache2.key

Generating RSA private key, 2048 bit long modulus

......+++.............................+++

e is 65537 (0x10001)

生成一个证书

[root@Rserver CA]# openssl req -new -key private/apache2.key -out certs/apache2.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.


Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:

Locality Name (eg, city) [Default City]:

Organization Name (eg, company) [Default Company Ltd]:Inc

Organizational Unit Name (eg, section) []:www.skills.com

Common Name (eg, your name or your server's hostname) []:www.skills.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

使用私钥进行签名

[root@Rserver CA]# openssl x509 -req -in /CA/certs/apache2.csr -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -out apache2.crt -days 365

Signature ok

subject=/C=CN/L=Default City/O=Inc/OU=www.skills.com/CN=www.skills.com

Getting CA Private Key

[root@Rserver CA]#

Uos

一、安装Openssl

root@skills-PC:~# apt install openssl -y

二、建立根证书存放目录

创建目录及文件

root@skills-PC:~# mkdir /CA

root@skills-PC:~# cd /CA

root@skills-PC:~# mkdir certs #存放已颁发的证书

root@skills-PC:~# mkdir newcerts #存放CA指令生成的新证书

root@skills-PC:~# mkdir private #存放私钥

root@skills-PC:~# touch index.txt #已签发证书的文本数据文件

root@skills-PC:~# echo 01 > serial #证书签发时使用的序列号参考文件

生成证书

root@skills-PC:~# openssl

genrsa -out private/cakey.pem 4096 #生成一个密钥,长度4096
req -new -x509 -key private/cakey.pem -out cacert.pem 签发数字证书,颁发者信息
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (e.g. server FQDN or YOUR name) []:Skill Global Root CA
Email Address []:

7.Web Proxy

• 安装Nginx组件;

• 配置文件名为proxy.conf,放置在/etc/nginx/conf.d/目录下;

• 为www.chinaskills.cn配置代理前端,通过HTTPS的访问后端Web服务器;

• 后端服务器日志内容需要记录真实客户端的IP地址。

• 缓存后端Web服务器上的静态页面。

• 创建服务监控脚本:/shells/chkWeb.sh

• 编写脚本监控公司的网站运行情况;

• 脚本可以在后台持续运行;

• 每隔3S检查一次网站的运行状态,如果发现异常尝试3次;

• 如果确定网站无法访问,则返回用户“网站正在维护中,请您稍后再试”的页面。

Centos

一、关闭Selinux和防火墙

[root@localhost ~]# setenforce 0

[root@localhost ~]# systemctl stop firewalld

二、上传安装包并安装Nginx

使用WinSCP上传到/root

[root@Rserver ~]# yum install centos-indexhtml-7-9.el7.centos.noarch.rpm gperftools-libs-2.6.1-1.el7.x86_64.rpm nginx-1.20.1-9.el7.x86_64.rpm nginx-filesystem-1.20.1-9.el7.noarch.rpm openssl11-libs-1.1.1k-2.el7.x86_64.rpm –y

三、创建Nginx配置并代理和缓存

代理配置

[root@Rserver /]# vim /etc/nginx/conf.d/proxy.conf

[root@Rserver /]# vim /etc/nginx/conf.d/proxy.conf 
server {
        listen 80;
        server_name proxy.chinaskills.cn;
        location / {proxy_pass https://www.chinaskills.cn;}
        location ~ .*\.(gif|jpg|png|css|js|ico)$ {
        proxy_pass https://www.chinaskills.cn;
        proxy_cache proxy;
        proxy_set_header Host $host;
        proxy_cache_valid 200 301 302 5m;
}
}

缓存配置

在http下面添加

[root@Rserver /]# vim /etc/nginx/nginx.conf

http {

proxy_cache_path /cache levels=1:2 keys_zone=proxy:20m max_size=20m;

创建缓存目录

[root@Rserver /]# mkdir /cache

记录真实ip地址

多了一条proxy_set_header X-Real-IP $remote_addr;

[root@Rserver /]# vim /etc/nginx/conf.d/proxy.conf

server {
        listen 80;
        server_name proxy.chinaskills.cn;
        location / {proxy_pass https://www.chinaskills.cn;}
        location ~ .*\.(gif|jpg|png|css|js|ico)$ {
        proxy_pass https://www.chinaskills.cn;
        proxy_cache proxy;
        proxy_set_header Host $host;
        proxy_cache_valid 200 301 302 5m;
        proxy_set_header X-Real-IP $remote_addr;
}
}

再去后端的apache日志设置一下就可以

找到196行,把h改成%{X-Real-IP}i

[root@Server02 ~]# vim /etc/httpd/conf/httpd.conf

LogFormat "%{X-Real-IP}i %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Age

nt}i"" combined          ## 196行

创建一个测试网页

[root@Server02 html]# vim /etc/httpd/conf.d/ssl.conf

DocumentRoot "/var/www/html"             # 注销掉59行

重启httpd

[root@Server02 html]# echo "测试" >> /var/www/html/index.html

[root@Server02 ~]# systemctl restart httpd

重启服务

注意:必须要ping通代理的那台web服务域名否则启动不了

[root@Rserver /]# systemctl restart nginx

Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.

[root@Rserver /]# ping www.chinaskills.cn

ping: www.chinaskills.cn: Name or service not known

[root@Rserver /]# ping www.chinaskills.cn

PING www.chinaskills.cn (172.16.100.202) 56(84) bytes of data.

64 bytes from www.chinaskills.cn (172.16.100.202): icmp_seq=1 ttl=64 time=0.304 ms

^C

--- www.chinaskills.cn ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 0.304/0.304/0.304/0.000 ms

[root@Rserver /]# systemctl restart nginx

四、测试

刚开始缓存目录里是空的

[root@Rserver /]# ls /cache/

[root@Rserver /]#

接下来访问一下,访问2个站点一个带图片一个普通的

里面就加了内容缓存的网页

[root@Rserver ~]# ls /cache/

6

[root@Rserver ~]#

五、创建服务监控脚本:/shells/chkWeb.sh

[root@Rserver ~]# mkdir /shells

[root@Rserver ~]# vim /shells/chkWeb.sh

#!/bin/bash
url=https://www.chinaskills.cn
o=`curl -s -k $url -I |grep 'OK' |awk '{print $2}'`
while [ true ]; do
/bin/sleep 3
  if [[ $o -eq 200 ]];then
     echo "$url 正常打开 3s"
     else
        for i in 1 2 3;do
          if [[ $o -eq 200 ]];then
              echo "$url 正常打开"
          else echo "$url 异常 $i"
          fi
        done
        echo "网站正在维护中..."
  fi
done

运行测试

[root@Rserver ~]# bash /shells/chkWeb.sh

https://www.chinaskills.cn 正常打开 3s

https://www.chinaskills.cn 正常打开 3s

https://www.chinaskills.cn 正常打开 3s

关闭后端网站再测试

[root@Server02 ~]# systemctl stop httpd

[root@Rserver ~]# bash /shells/chkWeb.sh

https://www.chinaskills.cn 异常 1

https://www.chinaskills.cn 异常 2

https://www.chinaskills.cn 异常 3

网站正在维护中...

SERVER01 TASK

1.NETWORK

• 请根据基本配置信息配置服务器的主机名,网卡IP地址配置、域名服务器、网关等。

Centos

方法一 配置文件

cd /etc/sysconifg/ network-scripts

cp ifcf-ens33 ifcf-en36  #直接复制文件

uuidgen ens36 >>ifcf-ens36    #查看到的uuid写于ifcf-en36的配置文件的uuid

systemclt restart networking
方法二 命令输出

nmcli connection add con-name 33 type ethernet ifname ens33

nmcli conmection modify 网卡 ipv4.address 172.16.100.201/24

nmcli conmection mmodify 网卡 ipv4.method manual 设置静态

nmcli conmection modify 网卡 ipv4.gatway 网关 设置网关

方法三 图像界面

nmtui
配置主机名字

[root@server01 ~]# hostnamectl set-hostname mv  设置名字
[root@server01 ~]# bash    刷新名字

[root@mv ~]#

配置域名

[root@Server01 ~]# vi /etc/hosts  修改hosts

172.16.100.201 Server01.sdskills.com

Uos

一、修改配置文件并重启

第一种:(多网卡可能有问题)

进入网络配置文件,添加ip地址及网关信息

root@skills-PC:~# vim /etc/network/interfaces

auto ens33
iface ens33 inet static
address 172.16.100.201/25
gateway 172.16.100.254

保存重启网卡

root@skills-PC:~# systemctl restart network-manager.service

root@skills-PC:~# systemctl restart networking.service

第二种:

网络文件在 /etc/NetworkManager/system-conmections/

root@skills-PC:nmcli conmection add con-name ens33 type ethernet ifname ens33

root@skills-PC:# nmcli conncetion up ens33

root@skills-PC:nmcli connection modify ens33 ipv4.addresses 172.16.100.201/25

root@skills-PC:# nmcli connection modify ens33 ipv4.gateway 172.16.100.254

查看是否配置成功

root@skills-PC:~# ip a

二、配置主机域名

完整域名

root@skills-PC:~# hostnamectl set-hostname Server01

root@skills-PC:~# bash

修改hosts

root@Server01:~# vi /etc/hosts

172.16.100.201 Rserver.skills.cn Server01

测试

root@Server01:~# hostname

Server01

root@Server01:~# hostname -f

Server01.skills.cn

2.DISK(RAID5)

• 在虚拟机上添加4 个1G 的硬盘;

• 创建raid5,其中一个作为热备盘, 设备名为md0;

• 将md0 设置为LVM,设备为/dev/vg01/lv01;

• 格式化为ext4 文件系统;

• 开机自动挂载到/data 目录。

Centos

Yum install mdadm -y

[root@Server01 ~]# mdadm -C -n 3 -l 5 -a yes -x 1 /dev/md0 /dev/sd{b,c,d,e}

mdadm: Defaulting to version 1.2 metadata

mdadm: array /dev/md0 started.

创建卷组vg

[root@Server01 ~]# vgcreate vg01 /dev/md0

Physical volume "/dev/md0" successfully created.

Volume group "vg01" successfully created

[root@Server01 ~]#

创建逻辑卷组lv

[root@Server01 ~]# lvcreate -l 100%FREE -n lv01 vg01

Logical volume "lv01" created.

[root@Server01 ~]#

逻辑卷格式化

[root@Server01 ~]# mkfs.ext4 /dev/vg01/lv01

mke2fs 1.42.9 (28-Dec-2013)

Filesystem label=

OS type: Linux

Block size=4096 (log=2)

Fragment size=4096 (log=2)

Stride=128 blocks, Stripe width=256 blocks

130560 inodes, 522240 blocks

26112 blocks (5.00%) reserved for the super user

First data block=0

Maximum filesystem blocks=534773760

16 block groups

32768 blocks per group, 32768 fragments per group

8160 inodes per group

Superblock backups stored on blocks:

32768, 98304, 163840, 229376, 294912
Allocating group tables: done                            

Writing inode tables: done                            

Creating journal (8192 blocks): done

Writing superblocks and filesystem accounting information: done

[root@Server01 ~]#

挂载

[root@Server01 ~]# mkdir /data

添加到fstab

[root@Server01 ~]# echo /dev/vg01/lv01 /data/ ext4 defaults 0 0 >> /etc/fstab

将/etc/fstab的所有内容重新加载

[root@Server01 ~]# mount –a

查看是否挂载成功

[root@Server01 ~]# df -Th

/dev/mapper/vg01-lv01   ext4      2.0G  6.0M  1.9G   1% /dat

Uos

、安装mdadm、lvm

root@Server01:~# apt-get install mdadm lvm2 -y

二、添加磁盘

添加好之后可能查看不到磁盘,这时候需要重启下虚拟机

root@Server01:~# reboot

查看磁盘

root@Server01:~# ls /dev/sd*

三、创建RAID5

root@Server01:~# mdadm -C -n 3 -l 5 -a yes -x 1 /dev/md0 /dev/sd{b,c,d,e}

mdadm: Defaulting to version 1.2 metadata

mdadm: array /dev/md0 started.

四、创建LVM

创建卷组vg

root@Server01:~# vgcreate vg01 /dev/md0

Physical volume "/dev/md0" successfully created.

Volume group "vg01" successfully created

创建逻辑卷组lv

root@Server01:~# lvcreate -l 100%FREE -n lv01 vg01

Logical volume "lv01" created.

逻辑卷格式化

root@Server01:~# mkfs.ext4 /dev/vg01/lv01

Allocating group tables: done

Writing inode tables: done

Creating journal (8192 blocks): done

六、开机自动挂载

root@Server01:~# mkdir /data

root@Server01:~# mount /dev/vg01/lv01 /data/

添加到fstab

root@Server01:~# echo /dev/vg01/lv01 /data/ ext4 defaults 0 0 >> /etc/fstab

将/etc/fstab的所有内容重新加载

root@Server01:~# mount –a

查看是否挂载成功

root@Server01:~# df -Th

/dev/mapper/vg01-lv01 ext4 2.0G 6.0M 1.9G 1% /data

3.NFS

• 共享/data/share目录;

• 用于存储server01主机的web数据;

• 仅允许service01主机访问该共享。

Centos

[root@Server01 ~]# yum install nfs-utils –y

创建

[root@Server01 ~]# mkdir /data/share –p

赋权

[root@Server01 ~]# chmod 755 /data/share/

修改配置文件

[root@Server01 ~]# vim /etc/exports

/data/share  192.168.10.4(rw,sync,no_root_squash,no_all_squash)  

192.168.10.4为Server01主机ip地址

一定要按顺序启动

[root@Server01 ~]# systemctl start rpcbind

[root@Server01 ~]# systemctl start nfs

测试是否配置成功

[root@Server01 ~]# showmount -e localhost

Export list for localhost:

/data/share 192.168.10.4

客户端挂载

[root@Server01 ~]# mkdir /guazai

[root@Server01 ~]# mount -t nfs 192.168.10.4:/data/share /guazai/     

[root@Server01 ~]# df -Th

192.168.10.4:/data/share nfs4      2.0G  6.0M  1.9G   1% /guazai

Uos

一、安装nfs

root@Server01:~# apt install nfs-kernel-server # 安装服务

二、配置共享目录

root@Server01:~# mkdir /data/share –p

root@Server01:~# chmod 755 /data/share/

root@Server01:~# vim /etc/exports #修改共享文件目录

/data/share 172.16.100.201(rw,sync,no_root_squash,no_all_squash)

三、启动服务、测试

root@Server01:~# systemctl start rpcbind

root@Server01:~# systemctl start nfs

root@Server01:~# showmount -e localhost #测试是否配置成功

客户端挂载

root@Server01:~# mkdir /guazai

root@Server01:~# mount -t nfs 192.168.10.4:/data/share /guazai/

root@Server01:~# df -Th

192.168.10.4:/data/share nfs4 2.0G 6.0M 1.9G 1% /guazai

4.DNS

· 安装DNS服务相关软件包;

· 建立sdskills.com域,为所有除Internet区域的主机或服务器建立正反的域名解析;

· 当出现无法解析的域名时,向域skills.com申请更高层次的解析。

Centos

[root@Server01 ~]# yum install bind –y

[root@Server01 ~]# vim  /etc/named.conf

把13行和21行修改为any

listen-on port 53 { any; };

allow-query     { any; };

设置转发

forwarders {  192.168.10.4;};

注释掉这三行代码

#       recursion yes;
#       dnssec-enable yes;
#       dnssec-validation yes;
在末尾添加正反向解析区域
zone "sdskills.com" IN {
        type master;
        file "sdskills.com.zone";
};
zone "100.16.172.in-addr.arpa" IN {
        type slave;
        file "172.16.100.zone";
};

保存退出,切换目录

[root@Server04 ~]# cd /var/named/

复制模板

[root@Server04 named]# cp named.loopback sdskills.com.zone

[root@Server04 named]# cp named.loopback 172.16.100.zone

修改文件

正向区域
[root@Server04 named]# vim sdskills.com.zone  
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       IN      NS      www.sdskills.com.
@       IN      MX      10      mail
www     IN      A       172.16.100.201
ftp       IN      A       172.16.100.202
mail      IN      A       172.16.100.202

反向区域
[root@Server04 named]# vim 172.16.100.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       NS      www.sdskills.com.
201     IN      PTR     www.sdskills.com.
202     IN      PTR     ftp.sdskills.com.
202     IN      PTR     mail.sdskills.com.

给文件赋权

[root@Server04 named]# chmod 777 sdskills.com.zone 172.16.100.zone

重启服务

[root@Server04 named]# systemctl restart named   

客户端

修改DNS地址

[root@Client ~]# vim /etc/resolv.conf

设置DNS地址

nameserver 172.16.100.201

安装DNS工具

[root@Client ~]# yum install bind-utils –y

解析

[root@Client ~]# nslookup www.sdskills.com      

Uos

一、安装DNS服务

root@Server01:~# apt install -y bind9

三、修改配置文件,设置正反向解析区域

root@Server01:~# vim /etc/named.conf

把13行和21行修改为any

listen-on port 53 { any; };

allow-query { any; };

设置转发

forwarders { 192.168.10.4;};

注释掉这三行代码

# recursion yes;
# dnssec-enable yes;
# dnssec-validation yes;

在末尾添加正反向解析区域

zone "sdskills.com" IN {
        type master;
        file "sdskills.com.zone";
};
zone "100.16.172.in-addr.arpa" IN {
        type master;
        file "172.16.100.zone";
};

保存退出,切换目录

root@Server01:~# cd /var/named/

复制模板

root@Server01:/var/named# cp named.loopback sdskills.com.zone

root@Server01:/var/named# cp named.loopback 172.16.100.zone

修改文件

正向区域

root@Server01:/var/named# vim sdskills.com.zone

$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       IN      NS      www.sdskills.com.
@       IN      MX      10      mail
www     IN      A       172.16.100.201
ftp       IN      A       172.16.100.202
mail      IN      A       172.16.100.202
smtp      IN      A       172.16.100.202
imap     IN      A       172.16.100.202

反向区域

root@Server01:/var/named# vim 172.16.100.zone

$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       NS      www.sdskills.com.
201     IN      PTR     www.sdskills.com.
202     IN      PTR     ftp.sdskills.com.
202     IN      PTR     mail.sdskills.com.
202     IN      PTR     smtp.sdskills.com.
202     IN      PTR     imap.sdskills.com.

给文件赋权

root@Server01:/var/named# chmod 777 sdskills.com.zone 172.16.100.zone

重启服务

root@Server01:/var/named# systemctl restart named

5.Webserver

• 安装web服务相关软件包;

• 由Server01提供www.sdskills.com

• skills公司的门户网站;

• 使用apache服务;

• 网页文件放在/data/share/htdocs/skills;

• 服务以用户webuser运行;

• 首页内容为“This is the front page of sdskills's website.”;

• /htdocs/skills/staff.html内容为“Staff Information”;

• 该页面需要员工的账号认证才能访问;

• 员工账号存储在ldap中,账号为zsuser、lsus

• 网站使用https协议;

• SSL使用RServer颁发的证书, 颁发给:

C = CN

ST = China

L = ShangDong

O = skills

OU = Operations Departments

CN = *.skills.com

• Sever01的CA证书路径:/CA/cacert.pem

• 签发数字证书,颁发者:

C = CN;

O = Inc

OU = www.skills.com

CN = skill Global Root CA

• 客户端访问https时应无浏览器(含终端)安全警告信息;

• 当用户使用http访问时自动跳转到https安全连接;

• 当用户使用sdskills.com或any.sdskills.com(any代表任意网址前缀)访问时,自动跳转到www.sdskills.com。

Uos

一、安装httpd、ssl模块

root@Server01:~# apt install apache6 -y

二、增加用户并修改

root@Server01:~# useradd -r webuser

root@Server01:~# vim /etc/httpd/conf/httpd.conf

User webuser

Group webuser

三、创建证书并申请

这只是其中方法之一,还可以将证书给CA根证书机构(Rserver)去签发

创建根证书

root@Server01:~# vim /etc/pki/tls/openssl.cnf

dir = /CA

root@Server01:~# mkdir /CA

root@Server01:~# cp -rf /etc/pki/tls/* /CA

root@Server01:~# cd /CA/

root@Server01:~# touch index.txt

root@Server01:~# echo 01 >serial

root@Server01:~# openssl genrsa -out private/cakey.pem 2048

Generating RSA private key, 2048 bit long modulus
.+++
.................................................................................................................+++
e is 65537 (0x10001)
root@Server04:/CA# openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (e.g. server FQDN or YOUR name) []:skill Global Root CA
Email Address []:

申请网络证书秘钥和请求证书

[root@Server01 CA]# openssl genrsa -out httpd.key 2048

Generating RSA private key, 2048 bit long modulus
..............................................................+++
................................................................+++
e is 65537 (0x10001)
[root@Server01 CA]# openssl req -new -key httpd.key -out httpd.csr  
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:ShangDong
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:*.sdskills.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

给证书签名

root@Server01:/CA/# openssl x509 -req -in httpd.csr -CA /CA/cacert.pem -CAkey /CA/private/cakey.pem -CAcreateserial -out httpd.crt

Signature ok

五、创建apache目录和内容

root@Server01:/CA/# mkdir /data/share/htdocs/skills -p

root@Server01:/CA/# echo "This is the front page of sdskills's website." >> /data/share/htdocs/skills/index.html

root@Server01:/CA/# echo "Staff Information" >> /data/share/htdocs/skills/staff.html

六、修改配置文件及重定向应用

root@Server01:/CA/# vim /etc/httpd/conf/httpd.conf

最后一行插入

IncludeOptional conf.d/*.conf
<VirtualHost *:80>
Redirect permanent / https://www.sdskills.com/
</VirtualHost>
<VirtualHost *:443>
Redirect permanent / https://www.sdskills.com/
SSLEngine ON
SSLCertificateFile /CA/httpd.crt
SSLCertificateKeyFile /CA/httpd.key
</VirtualHost>
<VirtualHost *:443>
ServerName www.sdskills.com
DocumentRoot /data/share/htdocs/skills
SSLEngine ON
SSLCertificateFile /CA/httpd.crt
SSLCertificateKeyFile /CA/httpd.key
<Directory /data/share/htdocs/skills>
Require all granted
</Directory>
<Directory /data/share/htdocs/skills/staff.html>
AuthType Basic
AuthName "login"
AuthUserFile "/var/passwd"
Require valid-user
</Directory>
</VirtualHost>

修改CA证书路径

root@Server01:~# vim /etc/httpd/conf.modules.d/ssl.conf

<VirtualHost *:443>
SSLCertificateFile /CA/httpd.crt
SSLCertificateKeyFile /CA/httpd.key

创建认证用户

root@Server01:/CA/# htpasswd -c /var/passwd zsuser

New password:

Re-type new password:

Adding password for user zsuser

6.SSH

• 安装SSH

• 仅允许client客户端进行ssh访问,其余所有主机的请求都应该拒绝;

• 配置client只能在Chinaskill22用户环境下可以免秘钥登录,端口号为3033,并且拥有root控制权限;

Uos

一、安装ssh服务

root@Server01:~# apt install openssh-server

二、编辑ssh配置文件设置端口

root@Server01:~# vim /etc/ssh/sshd_config

port 2233

三、重启ssh服务

root@Server01:~# systemctl restart ssh

、设置规则

root@Server01:~# vim /etc/hosts.allow

只允许Client这个IP登录

sshd:10.10.100.1:allow

拒接所有

root@Server01:~# vim /etc/hosts.deny

sshd:ALL

、创建用户并设置免密登录

Client:

创建用户

[root@client ~]# useradd Chinaskill22

切换到Chinaskill22用户下

[root@client ~]# su Chinaskill22

生成密钥

[Chinaskill22@client root]$ ssh-keygen

复制密钥到服务器

[Chinaskill22@client root]$ ssh-copy-id root@ip地址 -p 2233

7.DBMS

• 在Server01上完成MariaDB数据库的安装,添加数据库root用户密码为Chinaskill22!

• 安装MariaDB 数据库服务器组件;

• MariaDB数据库管理员信息:User: root/ Password: Chinaskill20!;

• 安装MariaDB WEB 管理面板 “phpMyAdmin”,通过apache 进行发布

• 安装phpMyAdmin ,MariaDB 的web管理面板组件;

• 安装apache,配置php环境,用于发布phpMyAdmin;

Uos

root@Server01:~# apt -y install php mariadb-server.x86_64 php-mysql php-mbstring.x86_64 //安装环境

root@Server01:~# apt -y install lrzsz.x86_64 //安装上传程序

//将phpmyadmin安装包上传

root@Server01:~# mv /etc/phpMyAdmin-4.4.15.10-all-languages.tar.gz
/data/share/htdocs/skills/ //移动到站点目录

root@Server01:~# cd /data/share/htdocs/skills/ //进入站点目录

root@Server01:~# tar -zxvf phpMyAdmin-4.4.15.10-all-languages.tar.gz //解压

root@Server01:~# mv phpMyAdmin-4.4.15.10-all-languages phpmyadmin //修改目录名称

root@Server01:~# systemctl restart mariadb.service
//开启数据库

root@Server01:~# mysql_secure_installation //数据库初始化

//请输入当前root用户的密码,如果没有直接按回车,此root并非linux的root用户是mysql 的

//是否设置root密码?

//是否移除匿名用户?选择移除

//禁止远程root登录?选择否

//是否移除测试数据库?(建议先不移除)

//是否重新加载权限表?选择y 因为刚刚更改了密码(当我们更改了mysql用户相关的信息之后建议去重载权限

root@Server01:~# systemctl restart mariadb.service
//重启数据库

root@Server01:~# systemctl restart httpd.service //重启apache服务

//访问 www.sdskills.org/phpadmin/ 警告会话权限不足

root@Server01:~# vim /var/log/httpd/error_log //查看http错误日志,没有发现问题

root@Server01:~# chmod -R 777 /var/lib/php/session/
//给php会话权限

//访问的时候输入数据库账号密码就可以登陆

8.SDN服务

• 安装opendaylight、mininet、Ovs软件平台。。

• 启动OpenDayLight的karaf程序,安装如下组件:odl-restconf、odl-l2switch-switch-ui、odl-mdsal-apidocs、odl-dluxapps-applications。

• 使用Mininet和OpenVswitch构建拓扑,连接ODL的6653端口如下拓扑结构:

• 在浏览器上可以访问ODL管理页面查看网元拓扑结构。

• 通过OVS手工下发流表,H1可以ping通H3,H1、H3无法ping通H2。

H1启动HTTP-Server功能,WEB端口为8080,H3作为HTTP-Client,获取H1的html网页配置文件。

Uos

一、上传并安装好需要的安装包

使用WinSCP上传

安装好JDK及SDN需要的插件

root@Server01:~# apt install unzip telnet java-1.8.0-openjdk net-tools –y

安装上传好的Opendaylight、Mininet、Ovs以及Python插件包

root@Server01:~# ls

anaconda-ks.cfg
distribution-karaf-0.6.0-Carbon.zip
mininet-2.2.2-2.el7.x86_64.rpm
openvswitch-2.5.0-2.el7.x86_64.rpm
python-networkx-1.8.1-12.el7.noarch.rpm
python-networkx-core-1.8.1-12.el7.noarch.rpm

root@Server01:~# apt install mininet-2.2.2-2.el7.x86_64.rpm openvswitch-2.5.0-2.el7.x86_64.rpm python-networkx-1.8.1-12.el7.noarch.rpm python-networkx-core-1.8.1-12.el7.noarch.rpm –y

启动OVS

root@Server01:~# systemctl start openvswitch

二、解压Opendaylight并启动Karaf程序

root@Server01:~# unzip distribution-karaf-0.6.0-Carbon.zip

root@Server01:~# cd distribution-karaf-0.6.0-Carbon/bin/

root@Server01:/distribution-karaf-0.6.0-Carbon/bin/# ./start

root@Server01:/distribution-karaf-0.6.0-Carbon/bin/# ./client   ##这里需要等待一下在输入

三、安装组件

opendaylight-user@root>feature:install odl-restconf odl-l2switch-switch-ui odl-mdsal-apidocs odl-dluxapps-applications

安装完后打开页面测试一下

http://ip:8181/index.html#login

用户名和密码都是admin

四、创建拓扑

opendaylight-user@root>logout

root@Server01:/distribution-karaf-0.6.0-Carbon/bin/# mn --controller=remote,ip=127.0.0.1,port=6653 --topo=tree,1,3

mininet> pingall

* Ping: testing ping reachability

h1 -> h2 h3

h2 -> h1 h3

h3 -> h1 h2

* Results: 0% dropped (6/6 received)

mininet>

打开网页查看拓扑(注:一定要ping通再去查看)

五、下发流表

mininet> dpctl add-flow in_port=1,actions=output:3

* s1 ------------------------------------------------------------------------

mininet> dpctl add-flow in_port=3,actions=output:1

* s1 ------------------------------------------------------------------------

mininet> pingall

* Ping: testing ping reachability

h1 -> X h3

h2 -> X X

h3 -> h1 X

* Results: 66% dropped (2/6 received)

mininet>

六、启动HTTP-Server功能

mininet> h1 python -m SimpleHTTPServer 8080 &

mininet> sh apt install wget -y

mininet> h3 wget 10.0.0.1:8080

--2022-07-20 12:52:56-- http://10.0.0.1:8080/

Connecting to 10.0.0.1:8080... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1052 (1.0K) [text/html]

Saving to: ‘index.html’

index.html 100%[===================>] 1.03K --.-KB/s in 0s

2022-07-20 12:52:56 (123 MB/s) - ‘index.html’ saved [1052/1052]

mininet>

SERVER02 TASK

1.NETWORK

• 请根据基本配置信息配置服务器的主机名,网卡IP地址配置、域名服务器、网关等。

Uos

一、修改配置文件并重启

第一种:(多网卡可能有问题)

进入网络配置文件,添加ip地址及网关信息

root@skills-PC:~# vim /etc/network/interfaces

auto ens33
iface ens33 inet static
address 172.16.100.202/25
gateway 172.16.100.128

保存重启网卡

root@skills-PC:~# systemctl restart network-manager.service

root@skills-PC:~# systemctl restart networking.service

第二种:

网络文件在 /etc/NetworkManager/system-conmections/

root@skills-PC:nmcli conmection add con-name ens33 type ethernet ifname ens33

root@skills-PC:# nmcli conncetion up ens33

root@skills-PC:nmcli connection modify ens33 ipv4.addresses 172.16.100.202/25

root@skills-PC:# nmcli connection modify ens33 ipv4.gateway 172.16.100.128

查看是否配置成功

root@skills-PC:~# ip a

二、配置主机域名

完整域名

root@skills-PC:~# hostnamectl set-hostname Server01

root@skills-PC:~# bash

修改hosts

root@Server01:~# vi /etc/hosts

172.16.100.202 Rserver.skills.cn Server01

测试

root@Server02:~# hostname

Server02

root@Server02:~# hostname -f

Server02.skills.cn

2.Ftp

• 禁止使用不安全的FTP,请使用“CSK Global Root CA”证书颁发机构,颁发的证书,启用FTPS服务;

• 用户webadmin,登录ftp服务器,根目录为/webdata/;

• 登录后限制在自己的根目录;

• 允许WEB管理员上传和下载文件,但是禁止上传后缀名为.doc .docx .xlsx的文件。

• 限制用户的下载最大速度为100kb/s;最大同一IP在线人数为2人;

• 用于通过工具或者浏览器下载的最大速度不超过 100kb/s

• 一个IP地址同时登陆的用户进程/人数不超过2人。

Uos

一、安装vsftpd

root@Server02:~#apt install vsftpd –y

三、创建用户与目录并申请证书

root@Server02:~# mkdir /webdata

root@Server02:~# chmod 777 /webdata/

root@Server02:~# useradd webadmin

root@Server02:~# passwd webadmin

Changing password for user webadmin.

New password:

BAD PASSWORD: The password is shorter than 8 characters

Retype new password:

passwd: all authentication tokens updated successfully.

创建根证书

这是其中方法之一,还可将证书给CA根证书机构(Rserver)去签发

root@Server02:~# vim /etc/pki/tls/openssl.cnf 
dir             =  /CA
root@Server02:~# mkdir /CA
root@Server02:~# cp -rf /etc/pki/tls/* /CA
root@Server02:~# cd /CA/
root@Server02:~# touch index.txt
root@Server02:~# echo 01 >serial
root@Server02:~#  openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
.+++
.................................................................................................................+++
e is 65537 (0x10001)
root@Server04:/CA# openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (e.g. server FQDN or YOUR name) []:skill Global Root CA
Email Address []:

申请站点证书秘钥和请求证书
root@Server02:CA# openssl genrsa -out ftp.key 2048  
Generating RSA private key, 2048 bit long modulus
..............................................................+++
................................................................+++
e is 65537 (0x10001)
root@Server02:CA# openssl req -new -key ftp.key -out ftp.csr   
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:ShangDong
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:ftp.sdskills.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

给证书签名
root@Server02:CA# openssl x509 -req -in ftp.csr -CA /CA/cacert.pem -CAkey /CA/private/cakey.pem -CAcreateserial -out ftp.crt  
Signature ok
subject=/C=CN/ST=China/L=ShangDong/O=skills/OU=Operations Departments/CN=ftp.sdskills.com
Getting CA Private Key

三、编辑ftp配置文件
root@Server02:CA# vim /etc/vsftpd/vsftpd.conf

chroot_local_user=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_enable=YES
rsa_cert_file=/CA/ftp.crt
rsa_private_key_file=/CA/ftp.key
local_root=/webdata
allow_writeable_chroot=YES
deny_file={*.doc,*.docx,*.xlsx}
local_max_rate=100000
max_per_ip=2

3.MAIL

• Postfix

• sdskill.com 的邮件发送服务器

• 支持smtps(465)协议连接,使用Rserver颁发的证书,证书路径/CA/cacert.pem

• 创建邮箱账户“user1~user99”(共99个用户),密码为Chinaskill20!;

· Dovecot

• sdskill.com 的邮件接收服务器;

• 支持imaps(993)协议连接,使用Rserver颁发的证书,证书路径/CA/cacert.pem;

• 请保留至少两个用户已成功登录并能正常收发邮件,以方便测试.

Uos

一、安装postfix

root@Server02:~#apt-get install postfix

二、申请证书

这里使用自签名证书

Postfix证书

root@Server02:~# mkdir /CA

root@Server02:~# openssl genrsa -out /CA/postfix.key

Generating RSA private key, 2048 bit long modulus
....................+++
..................+++
e is 65537 (0x10001)

root@Server02 ~# openssl req -x509 -new -key /CA/postfix.key -out /CA/postfix.crt

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:ShangDong
Organization Name (eg, company) [Default Company Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (eg, your name or your server's hostname) []:smtp.sdskills.com
Email Address []:

Dovecot证书

root@Server02 ~# openssl genrsa -out /CA/dovecot.key

Generating RSA private key, 2048 bit long modulus
...................................................+++
..............+++
e is 65537 (0x10001)

root@Server02 ~# openssl req -x509 -new -key /CA/dovecot.key -out /CA/dovecot.crt

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:China
Locality Name (eg, city) [Default City]:ShangDong
Organization Name (eg, company) [Default Company Ltd]:Skills
Organizational Unit Name (eg, section) []:imap.sdskills.com
Common Name (eg, your name or your server's hostname) []:
Email Address []:

三、配置Postfix

root@Server02 ~# vim /etc/postfix/main.cf

:set nu  //以数字显示行数
75行:myhostname = mail.sdskills.com                 //本机主机名,可以为 wjy.com
83行:mydomain = sdskills.com                        //服务器域名
99行:myorigin = $mydomain                      //初始域名
113行:inet_interfaces = all              //网卡选择
115行: #inet_interfaces = localhost       //注释115行
164行:mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain            //目标域 or 注释164行,取消注释165行
264行:mynetworks = 0.0.0.0/0    //以下网段可以通过
419行:home_mailbox = Maildir/                     //邮件目录,在用户家目录下
670行:smtpd_use_tls = yes
671行:smtpd_tls_cert_file = /CA/postfix.crt
672行:smtpd_tls_key_file = /CA/postfix.key

关闭普通端口开启465端口

root@Server02:~# vim /etc/postfix/master.cf

11行:#smtp      inet  n      -      n      -      -      smtpd   ##注释掉25端口
16行:smtps     inet  n      -      n      -      -      smtpd   ##开启465端口
28行:  -o smtpd_tls_wrappermode=yes   ##取消注释,启动证书认证

四、配置Dovecot

root@Server02 ~# vim /etc/dovecot/dovecot.conf

24行:protocols = imaps   ##启用 imaps

root@Server02 ~# vim /etc/dovecot/conf.d/10-auth.conf

10行:disable_plaintext_auth = no

root@Server02 ~# vim /etc/dovecot/conf.d/10-mail.conf

24行:  mail_location = maildir:~/Maildir ##取消注释

root@Server02 ~# vim /etc/dovecot/conf.d/10-ssl.conf

14行:ssl_cert = </CA/dovecot.crt

15行:ssl_key = </CA/dovecot.key

五、创建99个用户

[root@Server02 ~]# for i in $(seq 1 99);do useradd user$i;done 
[root@Server02 ~]# for i in $(seq 1 99);do echo "Chinaskill22"|passwd --stdin user$i;done

六、重启服务

root@Server02 ~# systemctl restart postfix

root@Server02 ~# systemctl restart dovecot

5.SSH

• 安装SSH

• 仅允许client客户端进行ssh访问,其余所有主机的请求都应该拒绝;

• 配置client只能在Chinaskill22用户环境下可以免秘钥登录,端口号为4044,并且拥有root控制权限;

Uos

一、安装ssh服务

root@Server02:~# apt install openssh-server

二、编辑ssh配置文件设置端口

root@Server02:~# vim /etc/ssh/sshd_config

port 4044

三、重启ssh服务

root@Server02:~# systemctl restart ssh

、设置规则

root@Server02:~# vim /etc/hosts.allow

只允许Client这个IP登录

sshd:10.10.100.1:allow

拒接所有

root@Server02:~# vim /etc/hosts.deny

sshd:ALL

SERVER03 TASK

1.NETWORK

· 请根据基本配置信息配置服务器的主机名,网卡IP地址配置、域名服务器、网关等。

Uos

一、修改配置文件并重启

第一种:(多网卡可能有问题)

进入网络配置文件,添加ip地址及网关信息

root@skills-PC:~# vim /etc/network/interfaces

auto ens33
iface ens33 inet static
address 172.16.100.201/25
gateway 172.16.100.254

保存重启网卡

root@skills-PC:~# systemctl restart network-manager.service

root@skills-PC:~# systemctl restart networking.service

第二种:

网络文件在 /etc/NetworkManager/system-conmections/

root@skills-PC:nmcli conmection add con-name ens33 type ethernet ifname ens33

root@skills-PC:# nmcli conncetion up ens33

root@skills-PC:nmcli connection modify ens33 ipv4.addresses 172.16.100.201/25

root@skills-PC:# nmcli connection modify ens33 ipv4.gateway 172.16.100.254

查看是否配置成功

root@skills-PC:~# ip a

二、配置主机域名

完整域名

root@skills-PC:~# hostnamectl set-hostname Server01

root@skills-PC:~# bash

修改hosts

root@Server01:~# vi /etc/hosts

172.16.100.201 Rserver.skills.cn Server01

测试

root@Server01:~# hostname

Server01

root@Server01:~# hostname -f

Server01.skills.cn

2.chrony

· chrony为全网提供时间同步服务器;

· Server01、Server02、Server04、Client和Rserver应定期与其校正时间;

· 每隔1分钟自动校正一次时间。

Uos

一、安装chrony

配置好本地源再安装

root@Server04:~# apt-get install chrony –y

二、修改配置

删除默认配置文件

root@Server04:~# rm /etc/chrony/chrony.conf

编辑配置文件

root@Server04:~# vim /etc/chrony/chrony.conf

server 127.0.0.1 iburst

allow all

local stratum 10

三、启动服务、测试

重启chrony

root@Server04:~# systemctl restart chrony

测试下是否配置成功

安装npdate

一定要在客户端测试

[root@Client ~]# apt-get install ntpdate -y

[root@Client ~]# ntpdate 192.168.10.4

22 Jul 03:46:55 ntpdate[10459]: step time server 192.168.10.4 offset -1.144208 sec

[root@Client ~]#

Cron任务计划

编辑

[root@Client ~]# vim /etc/crontab

/1 * root /usr/sbin/ntpdate 192.168.10.4

3.SSH

· 安装SSH

· 仅允许client客户端进行ssh访问,其余所有主机的请求都应该拒绝;

· 配置client只能在Chinaskill20用户环境下可以免秘钥登录,端口号为2233,并且拥有root控制权限;

Uos

一、安装ssh服务

root@Server03:~# apt install openssh-server

二、编辑ssh配置文件设置端口

root@Server03:~# vim /etc/ssh/sshd_config

port 2233

三、重启ssh服务

root@Server03:~# systemctl restart ssh

、设置规则

root@Server03:~# vim /etc/hosts.allow

只允许Client这个IP登录

sshd:10.10.100.1:allow

拒接所有

root@Server03:~# vim /etc/hosts.deny

sshd:ALL

、创建用户并设置免密登录

Client:

切换到Chinaskill22用户下

[root@client ~]# su Chinaskill22

生成密钥

[Chinaskill22@client root]$ ssh-keygen

复制密钥到服务器

[Chinaskill22@client root]$ ssh-copy-id root@ip地址 -p 2233

SERVER04 TASK

1.NETWORK

· 请根据基本配置信息配置服务器的主机名,网卡IP地址配置、域名服务器、网关等。

Uos

一、修改配置文件并重启

第一种:(多网卡可能有问题)

进入网络配置文件,添加ip地址及网关信息

root@skills-PC:~# vim /etc/network/interfaces

auto ens33
iface ens33 inet static
address 172.16.100.201/25
gateway 172.16.100.254

保存重启网卡

root@skills-PC:~# systemctl restart network-manager.service

root@skills-PC:~# systemctl restart networking.service

第二种:

网络文件在 /etc/NetworkManager/system-conmections/

root@skills-PC:nmcli conmection add con-name ens33 type ethernet ifname ens33

root@skills-PC:# nmcli conncetion up ens33

root@skills-PC:nmcli connection modify ens33 ipv4.addresses 172.16.100.201/25

root@skills-PC:# nmcli connection modify ens33 ipv4.gateway 172.16.100.254

查看是否配置成功

root@skills-PC:~# ip a

二、配置主机域名

完整域名

root@skills-PC:~# hostnamectl set-hostname Server01

root@skills-PC:~# bash

修改hosts

root@Server01:~# vi /etc/hosts

172.16.100.201 Rserver.skills.cn Server01

测试

root@Server01:~# hostname

Server01

root@Server01:~# hostname -f

Server01.skills.cn

2.DNS

· 安装DNS相关服务软件包;

· 为域skills.com提供必要的域名解析

· 当非skills.com域的解析时,统一解析到Rserver连接Internet网段的IP地址或Rserver.skills.com

Uos

一、安装DNS服务

root@Server01:~# apt -y install bind9 dnsutils

root@Server01:~# cd /etc/bind/

db.127 #反向区域数据库,用于将ip解析为对应的域名

db.local #正向区域数据库,用于将域名解析为对应的IP地址

named.conf.default-zones #默认区域

named.conf.local #用于定义解析域,也可以直接在named.conf中直接划定解析域

named.conf.options #配置文件,全局选项配置

named.conf #Bind的主配置文件,不包含DNS数据

二、定义解析域

先去vim named.conf.default-zones

复制最后一个zone

将复制的粘贴到最后

粘贴如下:

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
vim named.conf.loacl

修改为:
zone "." {
type master;
file "/etc/bind/root.zone";
};
zone "skills.com" {
type master;
file "/etc/bind/skills.com.zone";
};

root@Server01:/etc/bind# /etc/bind# cp -a db.local root.zone

root@Server01:/etc/bind# /etc/bind# cp -a db.local skills.com.zone

root@Server01:/etc/bind# /etc/bind# vim skills.com.zone

$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      www.skills.com.
www     IN      A       192.168.10.4

root@Server01:~# /etc/bind

root@Server01:/etc/bind~# vim root.zone

$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
*       IN      A       192.168.10.2

三、重启服务测试

root@Server01:/etc/bind# systemctl restart bind9

设置好DNS地址

root@Server01:/etc/bind# vim /etc/resolv.conf

nameserver 192.168.10.4

解析

root@Server04:/etc/bind# nslookup www.skills.com

Server: 192.168.10.4

Address: 192.168.10.4#53

Name: www.skills.com

Address: 192.168.10.4

root@Server04:/etc/bind# nslookup any.any.any

Server: 192.168.10.4

Address: 192.168.10.4#53

Name: any.any.any

Address: 192.168.10.2

root@Server04:/etc/bind#

3.Webserver

· 提供www.skills.com

· skills公司的门户网站;

· 使用apache服务;

· 网页文件放在/htdocs/skills;

· 服务以用户webuser运行;

· 首页内容为“This is the front page of skills's website.”;

· /htdocs/sdskills/staff.html内容为“Staff Information”;

· 该页面需要员工的账号认证才能访问;

· 员工账号存储在ldap中,账号为zsuser、lsus

· 网站使用https协议;

· SSL使用RServer颁发的证书, 颁发给:

C = CN

ST = China

L = ShangDong

O = skills

OU = Operations Departments

CN = *.skills.cn

· Rserver的CA证书路径:/CA/cacert.pem

· 签发数字证书,颁发者:

C = CN;

O = Inc

OU = www.skills.com

CN = skill Global Root CA

· 客户端访问https时应无浏览器(含终端)安全警告信息;

· 当用户使用http访问时自动跳转到https安全连接;

· 当用户使用skills.cn或any.skills.cn(any代表任意网址前缀)访问时,自动跳转到www.skills.com

Uos

、安装apache服务

root@Server04:~# apt install apache2 -y

二、增加用户并修改

root@Server04:~# useradd -r webuser

root@Server04:~# vim /etc/apache2/apache2.conf

User webuser

Group webuser

三、创建证书并申请

这是其中方法之一,还可将证书给CA根证书机构(Rserver)去做签发

root@Server04:~# vim /etc/ssl/openssl.cnf

dir = /CA

root@Server04:~# mkdir /CA

root@Server04:~# cp -rf /etc/ssl/* /CA

root@Server04:~# touch index.txt

root@Server04:~# echo 01 >serial

root@Server04:~# cd /CA

root@Server04:/CA# openssl genrsa -out private/cakey.pem 2048

Generating RSA private key, 2048 bit long modulus (2 primes)
...............+++++
.................................+++++
e is 65537 (0x010001)
root@Server04:/CA# openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (e.g. server FQDN or YOUR name) []:skill Global Root CA
Email Address []:
root@Server04:/CA# openssl genrsa -out apache.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
........................................................+++++
e is 65537 (0x010001)
root@Server04:/CA# openssl req -new -key apache.key -out apache.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:China
Locality Name (eg, city) []:ShangDong
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skills
Organizational Unit Name (eg, section) []:Operations Departments
Common Name (e.g. server FQDN or YOUR name) []:*.skills.cn 
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@Server04:/CA# openssl x509 -req -in apache.csr -CA /CA/cacert.pem -CAkey /CA/private/cakey.pem -CAcreateserial -out apache.crt
Signature ok
subject=C = CN, ST = China, L = ShangDong, O = skills, OU = Operations Departments, CN = *.skills.cn
Getting CA Private Key

四、创建apache目录及内容

root@Server04:/CA# mkdir /htdocs/skills -p

root@Server04:/CA# echo "This is the front page of skills's website." >> /htdocs/skills/index.html

root@Server04:/CA# echo "Staff Information" >> /htdocs/skills/staff.html

五、修改配置文件及重定向应用

root@Server04:/CA# vim /etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
Redirect permanent / https://www.skills.cn/
</VirtualHost>
<VirtualHost *:443>
Redirect permanent / https://www.skills.cn/
SSLEngine ON
SSLCertificateFile /CA/apache.crt
SSLCertificateKeyFile /CA/apache.key
</VirtualHost>
<VirtualHost *:443>
ServerName www.skills.cn
DocumentRoot /htdocs/skills
SSLEngine ON
SSLCertificateFile /CA/apache.crt
SSLCertificateKeyFile /CA/apache.key
<Directory /htdocs/skills>
Require all granted
</Directory>
<Directory /htdocs/skills/staff.html>
AuthType Basic
AuthName "login"
AuthUserFile "/var/passwd"
Require valid-user
</Directory>
</VirtualHost>

创建认证用户

root@Server04:/CA# htpasswd -c /var/passwd zsuser

4.SSH

· 安装SSH

· 仅允许client客户端进行ssh访问,其余所有主机的请求都应该拒绝;

· 配置client只能在Chinaskill22用户环境下可以免秘钥登录,端口号为3344,并且拥有root控制权限;

Uos

一、安装ssh服务

root@Server04:~# apt install openssh-server

二、编辑ssh配置文件设置端口

root@Server04:~# vim /etc/ssh/sshd_config

port 3344

三、重启ssh服务

root@Server04:~# systemctl restart ssh

、设置规则

root@Server04:~# vim /etc/hosts.allow

只允许Client这个IP登录

sshd:10.10.100.1:allow

拒接所有

root@Server04:~# vim /etc/hosts.deny

sshd:ALL

、创建用户并设置免密登录

Client:

创建用户

[root@client ~]# useradd Chinaskill22

切换到Chinaskill22用户下

[root@client ~]# su Chinaskill22

生成密钥

[Chinaskill22@client root]$ ssh-keygen

复制密钥到服务器

[Chinaskill22@client root]$ ssh-copy-id root@ip地址 -p 3344

5.LDAP

· 安装openldap,为apache服务提供账户认证;

· 创建chinaskills.cn目录服务,并创建用户组ldsgp ,将zsuser、lsusr、wuusr。

Uos

、安装服务

root@Server04:~# apt install slapd ldap-utils –y

输入密码

二、修改ldap配置文件

root@Server04:~# vim /etc/ldap/ldap.conf

BASE dc=chinaskills,dc=cn

URI 192.168.10.4 192.168.10.4:389

三、更新ldap配置

root@Server04:~# dpkg-reconfigure slapd

输入安装时设置的密码

测试是否安装好

root@Server04:~# ldapsearch -x

# extended LDIF
#
# LDAPv3
# base <dc=chinaskills,dc=cn> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# chinaskills.cn
dn: dc=chinaskills,dc=cn
objectClass: top
objectClass: dcObject
objectClass: organization
o: chinaskills
dc: chinaskills

# admin, chinaskills.cn
dn: cn=admin,dc=chinaskills,dc=cn
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
root@Server04:/etc/ldap#

四、创建用户和用户组节点

root@Server04:~# cd /etc/ldap/   #进入ldap目录

root@Server04:/etc/ldap# vim group.ldif #新建文件group.ldif 后缀格式一定要对

objectclass: organizationalUnit
ou: users

dn: ou=ldsgp,dc=chinaskills,dc=cn
objectclass :organizationalUnit
ou: group

vim zsuser.ldif

dn: uid=zsuser,ou=users,dc=chinaskills,dc=cn
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: zsuser
cn: zsuser
userPassword: ChinaSkill22
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
loginShell: /bin/bash
uidNumber: 1008
gidNumber: 1008
homeDirectory: /home/zsuser
gecos: zsuser

五、将创建的组和用户导入到数据库

root@Server04:/etc/ldap# ldapadd -x -D "cn=admin,dc=chinaskills,dc=cn" -W -f group.ldif

Enter LDAP Password:
adding new entry "ou=users,dc=chinaskills,dc=cn"
adding new entry "ou=ldsgp,dc=chinaskills,dc=cn"
root@Server04:/etc/ldap#
root@Server04:/etc/ldap# ldapadd -x -D "cn=admin,dc=chinaskills,dc=cn" -W  -f zsuser.ldif
Enter LDAP Password:
adding new entry "uid=zsuser,ou=users,dc=chinaskills,dc=cn"
root@Server04:/etc/ldap#

接下来创建用户以此类推

六、用户加入到组中

root@Server04:/etc/ldap# vim jr.ldif

dn: cn=jr,ou=ldsgp,dc=chinaskills,dc=cn
objectclass: posixGroup
gidNumber: 10001
cn: jr
memberUid: zsuser
root@Server04:/etc/ldap# ldapadd -x -D "cn=admin,dc=chinaskills,dc=cn" -W  -f jr.ldif
Enter LDAP Password:
adding new entry "cn=jr,ou=ldsgp,dc=chinaskills,dc=cn"

七、测试

root@Server04:/etc/ldap# ldapsearch -x -LLL | grep 'dn: dc'

dn: dc=chinaskills,dc=cn

root@Server04:/etc/ldap# ldapsearch -x -LLL | grep 'dn: uid'

dn: uid=zsuser,ou=users,dc=chinaskills,dc=cn

root@Server04:/etc/ldap#

最后修改:2022 年 08 月 26 日
如果觉得我的文章对你有用,请随意赞赏