Category: LINUX

2011-09-01 12:55:35

Environment configuration and checks
# vim /etc/yum.repos.d/myserver.repo
[base]
name=Server
baseurl=ftp://172.16.0.1/yum/Server
gpgcheck=0
Note: gpgcheck=0 means packages from this repository are not signature-checked; that is acceptable for the lab repository only. On a real system leave it at 1 and import the vendor key.
# getenforce
Enforcing
# ifconfig eth0 172.16.22.1
# vim /etc/sysconfig/network-scripts/ifcfg-eth0
Change the following entries:
BOOTPROTO=static
IPADDR=172.16.22.1
NETMASK=255.255.0.0
GATEWAY=172.16.0.1
PEERDNS=no
# vim /etc/hosts
172.16.22.1      stu22.example.com  stu22
# vim /etc/resolv.conf
nameserver 172.16.0.1 (note: this should really point at this host itself; it is only written this way because the exercise asks for it. As mentioned earlier, the exercise contains some conflicts and unreasonable points, which need not concern us.)
# hostname stu22.example.com
# hostname
(hostname only changes the running kernel name; set HOSTNAME= in /etc/sysconfig/network as well so it survives a reboot)
# logout
Log back in, then start on the tasks proper.
1. DNS server: the relevant points
Files needed: /etc/named.conf
Data files under /var/named: named.ca localhost.zone named.local ilinux.org.zone 172.16.zone
Zone transfers: add to the zone definition: allow-transfer { ; }; with the permitted addresses inside the braces (none; refuses every transfer request)
Subdomain delegation: add to the forward zone data file:
tech.ilinux.org. IN NS ns.tech.ilinux.org.
ns.tech.ilinux.org. IN A 172.16.22.1
Forwarding only needs a forward zone in the main configuration file.
Access control for DNS can be done with iptables.
The process in detail (one could also install the caching-nameserver package to generate a pure caching name server and then modify part of its configuration files, but to reinforce my memory I wrote everything from scratch here. The Tab key could not be used here, so some of the indentation looks unpleasant....)
# yum install bind
# vim /etc/named.conf
options {
        directory "/var/named";
};
zone "." {
        type hint;
        file "named.ca";
};
zone "localhost" {
        type master;
        file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};
zone "ilinux.org" {
        type master;
        file "ilinux.org.zone";
        allow-transfer { none; };
};
zone "16.172.in-addr.arpa" {
        type master;
        file "172.16.zone";
        allow-transfer { 172.16.0.0/16; };
};
zone "example.com" {
        type forward;
        forwarders { 172.16.0.1; };
};
Note: every file statement needs its terminating semicolon, and the zone file name must match the file created below (ilinux.org.zone). allow-transfer { 172.16.0.0/16; } lets any host on the lab network pull the whole reverse zone with AXFR; on a real server list only the secondary's address.
Note: how to generate named.ca was covered earlier. If you install caching-nameserver it generates the three data files named.ca, named.local and localhost.zone by default; here I also build these files myself from scratch.
# dig -t NS . > /var/named/named.ca
Note: this only works if the host can reach the Internet (the file belongs under the directory given in options, /var/named, not directly under /var).
# vim /var/named/localhost.zone
$TTL 86400
@        IN       SOA       localhost.    admin.localhost. (
                                                         2011090112
                                                          1H
                                                          10M
                                                          7D
                                                          1D
)
                   IN        NS        localhost.
localhost.         IN        A         127.0.0.1
 
# vim /var/named/named.local
$TTL 86400
@        IN       SOA       localhost.    admin.localhost. (
                                                         2011090112
                                                          1H
                                                          10M
                                                          7D
                                                          1D )
                   IN        NS        localhost.
1                  IN        PTR       localhost.
(Note: a reverse zone maps the last octet, 1, to the name with a PTR record, not an A record. You can simply cp the forward file over and edit it; I wrote it out to practise =.=!)
# vim /var/named/ilinux.org.zone
$TTL 86400
$ORIGIN ilinux.org.
@       IN        SOA       ns.ilinux.org.      admin.ilinux.org. (
                                                  2011083001
                                                  1H
                                                  10M
                                                  7D
                                                  1D )
        IN         NS       ns.ilinux.org.
        IN         MX 10    mail.ilinux.org.
ns      IN         A        172.16.22.1
mail    IN         A        172.16.22.1
www1    IN         A        172.16.22.1
www2    IN         A        172.16.22.1
proxy   IN         A        172.16.22.1
pop3    IN         CNAME    mail.ilinux.org.
imaps   IN         CNAME    mail.ilinux.org.
tech.ilinux.org.     IN    NS     ns.tech.ilinux.org.
ns.tech.ilinux.org.  IN    A      172.16.22.2
(Note: those who are interested and have the environment can set up and test the subdomain delegation this way; an earlier post explained how. Here only the method is given; I have no way to test it.)
# vim /var/named/172.16.zone
$TTL 86400
@       IN        SOA       ns.ilinux.org.      admin.ilinux.org. (
                                                  2011083001
                                                  1H
                                                  10M
                                                  7D
                                                  1D )
        IN         NS       ns.ilinux.org.
22.1    IN         PTR      ns.ilinux.org.
22.1    IN         PTR      mail.ilinux.org.
22.1    IN         PTR      www1.ilinux.org.
22.1    IN         PTR      www2.ilinux.org.
22.1    IN         PTR      proxy.ilinux.org.
Note: several PTR records on one address are legal, but most software only looks at the first answer it gets, so one PTR per address (the canonical name, ns.ilinux.org.) is the usual choice.
Forward zones need no data file. That completes the DNS service configuration!
# named-checkconf ; check the syntax of the configuration file
# named-checkzone ilinux.org /var/named/ilinux.org.zone ; check the syntax of a data file (the first argument is the zone name; repeat for the other zones, not listed one by one here)
# chmod 640 /etc/named.conf
# chown root:named /etc/named.conf
(640 root:named is what the bind package ships: readable by named, not by every local user)
# cd /var/named
# chmod --reference=/etc/named.conf 172.16.zone ilinux.org.zone named.local localhost.zone
# chgrp --reference=/etc/named.conf 172.16.zone ilinux.org.zone named.local localhost.zone
# service named start
# vim /etc/resolv.conf
nameserver 172.16.22.1
# dig -t A www1.ilinux.org
A quick test; to be sure everything is correct, test as completely as you can (A, MX, the CNAMEs, a PTR with dig -x, and an AXFR from a host that should be refused).
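The step that is easiest to forget when editing the zone files above is bumping the SOA serial: a secondary only transfers the zone when the serial has grown, and a serial that goes backwards is silently ignored. The script below is an added example, not code from the original post. It handles the YYYYMMDDNN serial style used in these zone files, refuses to produce a serial that is not larger than the old one, and then runs named-checkzone and rndc reload when those tools are present (the zone file layout, with the serial on its own line after the SOA line, is the one shown above; the zone name and path in the usage line are assumptions).

```shell
#!/bin/bash
# Added example (not from the original post): bump the SOA serial of a zone
# file in YYYYMMDDNN style, validate it and reload it.
# Assumes the serial is on its own line after the SOA line, as in the zone
# files of this post. named-checkzone and rndc are used only if installed.
set -u

# Print the current serial of a zone file (first 10-digit line after SOA).
serial_of() {
    awk '
        seen && $1 ~ /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$/ { print $1; exit }
        /[[:space:]]SOA[[:space:]]/ { seen = 1 }
    ' "$1"
}

# Print the zone file with its serial bumped for the given day (YYYYMMDD).
# Same day: increment the two-digit counter; a later day: restart at 00.
# Refuses when the counter would wrap past 99 or when the old serial is
# from a later day, since either would give secondaries a smaller serial.
bump_serial() {
    local zone=$1 today=$2
    awk -v today="$today" '
        !done && seen && $1 ~ /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$/ {
            old = $1
            if (substr(old, 1, 8) == today) n = substr(old, 9, 2) + 1
            else n = 0
            if (n > 99 || substr(old, 1, 8) > today) {
                print "refusing to bump serial " old " for " today > "/dev/stderr"
                exit 1
            }
            sub(old, sprintf("%s%02d", today, n))
            done = 1
        }
        /[[:space:]]SOA[[:space:]]/ { seen = 1 }
        { print }
    ' "$zone"
}

# bump_and_reload ZONE FILE [YYYYMMDD]: rewrite FILE in place (keeping a
# .bak copy and the file's owner/mode), check it, then ask named to reload.
bump_and_reload() {
    local zone_name=$1 zone_file=$2 today=${3:-$(date +%Y%m%d)} tmp
    tmp=$(mktemp) || return 1
    bump_serial "$zone_file" "$today" > "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$zone_name" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    cp -p "$zone_file" "$zone_file.bak" && cat "$tmp" > "$zone_file"
    rm -f "$tmp"
    command -v rndc >/dev/null 2>&1 && rndc reload "$zone_name"
    return 0
}

# Usage (as root, paths from this post):
#   bump_and_reload ilinux.org /var/named/ilinux.org.zone
```

The script writes through `cat` rather than `mv` so the zone file keeps the root:named ownership and mode set above; a fresh file created by mv would be owned by whoever ran the script.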
iptables access control
# iptables -A INPUT -s 192.168.0.0/24 -d 172.16.22.1 -p udp --dport 53 -j REJECT
# iptables -A INPUT -s 192.168.0.0/24 -d 172.16.22.1 -p tcp --dport 53 -j REJECT
Note: in the RHCE exam do it this way: the default policy is ACCEPT, not DROP, and the action after -j must be given explicitly as REJECT.
Do not use DROP!!
Note: rules added at the command line are lost at reboot; run service iptables save to write them to /etc/sysconfig/iptables.
2. sshd access control. The configuration file is /etc/ssh/sshd_config; familiarise yourself with its options. By default only protocol version 2 is offered.
Two ways of doing access control are given here, iptables and TCP wrappers; choose whichever you prefer!
iptables:
# iptables -A INPUT -s 172.16.0.0/16 -d 172.16.22.1 -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -d 172.16.22.1 -p tcp --dport 22 -j REJECT
(order matters: iptables stops at the first matching rule, so the ACCEPT for 172.16.0.0/16 must come before the REJECT)
TCP wrappers:
# vim /etc/hosts.allow
sshd: 172.16.0.0/255.255.0.0
# vim /etc/hosts.deny
sshd: ALL
# service sshd restart
(hosts.allow and hosts.deny are read on every new connection, so the restart is harmless but not required)
3. The samba service was briefly introduced in earlier posts, so I will not repeat it; let us see how the task is done!
# yum install samba
# cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
# mkdir /data
# vim /etc/samba/smb.conf
workgroup = ilinux
[shared]
comment = My Share
path = /data
write list = +develop
browseable = yes
public = yes
hosts allow = 172.16. 127.
# testparm
# groupadd develop
# useradd -G develop gentoo
# echo "gentoo" | passwd --stdin gentoo
# smbpasswd -a gentoo
Note: further users can be added the same way; not all written out.
# chcon -t samba_share_t /data
# setfacl -m g:develop:rwx /data
# service smb start
# chkconfig smb on
# smbclient -L 172.16.22.1 -U gentoo
# smbclient //172.16.22.1/shared -U gentoo
Note: public = yes lets guests read the share; only members of develop can write (write list), and the filesystem ACL must allow it too, hence the setfacl. chcon only relabels the directory until the next relabel; semanage fcontext followed by restorecon makes the label permanent.
4. NFS file sharing
# vim /etc/exports
/data 172.16.0.0/16(ro)
Fixed port setup:
# vim /etc/sysconfig/nfs ; set the port options in it to fixed ports, usually anything above 8000 will do; /etc/services shows which ports other common services occupy
# service nfs start
# rpcinfo -p localhost ; check that the services are up and which ports they took
# chkconfig nfs on
Note: only nfsd itself (2049) and portmap (111) sit on fixed ports by default; mountd, statd, lockd and rquotad take random ports each start, which is why they must be pinned before NFS can be firewalled.
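An added example (not code from the original post) that turns the "fixed ports" step into something checkable: it prints the /etc/sysconfig/nfs settings for the pinned ports, emits iptables rules in the ACCEPT-then-REJECT style used elsewhere on this page, and parses rpcinfo -p output to confirm that the running daemons actually registered on the pinned ports. The variable names are the ones /etc/sysconfig/nfs uses on RHEL 5 and 6; the port numbers are arbitrary choices above 8000 and the sample rpcinfo output in the usage comment is constructed.

```shell
#!/bin/bash
# Added example (not from the original post): pin the NFS helper daemons to
# fixed ports, generate matching iptables rules, and verify with rpcinfo -p.
# Assumes RHEL 5/6 /etc/sysconfig/nfs variable names; ports are arbitrary.
set -u

MOUNTD_PORT=8001
STATD_PORT=8002
LOCKD_TCPPORT=8003
LOCKD_UDPPORT=8003
RQUOTAD_PORT=8004

# Print the /etc/sysconfig/nfs settings (append to the file as root).
nfs_sysconfig() {
    printf '%s\n' \
        "MOUNTD_PORT=$MOUNTD_PORT" \
        "STATD_PORT=$STATD_PORT" \
        "LOCKD_TCPPORT=$LOCKD_TCPPORT" \
        "LOCKD_UDPPORT=$LOCKD_UDPPORT" \
        "RQUOTAD_PORT=$RQUOTAD_PORT"
}

# Emit iptables rules allowing NFS (portmap, nfsd and the pinned helpers)
# only from $1 and REJECTing everyone else. Pipe into sh to apply.
nfs_iptables_rules() {
    local net=$1 p
    for p in 111 2049 "$MOUNTD_PORT" "$STATD_PORT" "$RQUOTAD_PORT"; do
        echo "iptables -A INPUT -s $net -p tcp --dport $p -j ACCEPT"
        echo "iptables -A INPUT -s $net -p udp --dport $p -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $p -j REJECT"
        echo "iptables -A INPUT -p udp --dport $p -j REJECT"
    done
    echo "iptables -A INPUT -s $net -p tcp --dport $LOCKD_TCPPORT -j ACCEPT"
    echo "iptables -A INPUT -s $net -p udp --dport $LOCKD_UDPPORT -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $LOCKD_TCPPORT -j REJECT"
    echo "iptables -A INPUT -p udp --dport $LOCKD_UDPPORT -j REJECT"
}

# Read "rpcinfo -p" output on stdin and print one "service/proto port" line
# per registered service (program versions collapse into one line).
rpc_ports() {
    awk 'NR > 1 && NF >= 5 {
            key = $5 "/" $3
            if (!(key in seen)) { seen[key] = 1; print key " " $4 }
         }'
}

# Read "rpcinfo -p" output on stdin; succeed only if every helper daemon
# registered on its pinned port. Mismatches are reported on stderr.
check_pinned() {
    rpc_ports | (
        bad=0
        while read -r line; do
            case $line in
                "mountd/tcp $MOUNTD_PORT"|"mountd/udp $MOUNTD_PORT") ;;
                "status/tcp $STATD_PORT"|"status/udp $STATD_PORT") ;;
                "nlockmgr/tcp $LOCKD_TCPPORT"|"nlockmgr/udp $LOCKD_UDPPORT") ;;
                "rquotad/tcp $RQUOTAD_PORT"|"rquotad/udp $RQUOTAD_PORT") ;;
                mountd/*|status/*|nlockmgr/*|rquotad/*)
                    echo "not on its pinned port: $line" >&2; bad=1 ;;
            esac
        done
        exit "$bad"
    )
}

# Usage, as root, after "service nfs restart":
#   nfs_sysconfig >> /etc/sysconfig/nfs
#   nfs_iptables_rules 172.16.0.0/16 | sh
#   rpcinfo -p localhost | check_pinned && echo "NFS ports pinned"
```

Running check_pinned after every restart is the point: if /etc/sysconfig/nfs has a typo, the daemons silently fall back to random ports and the REJECT rules above no longer cover them.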
5.
# yum install httpd
# vim /etc/httpd/conf/httpd.conf
Comment out DocumentRoot.
Enable NameVirtualHost 172.16.22.1:80 (the commented-out NameVirtualHost line), then add the two virtual hosts:
<VirtualHost 172.16.22.1:80>
        ServerName www1.ilinux.org
        DocumentRoot "/var/www/html/www1"
        ErrorLog "/var/log/httpd/www1.err"
        CustomLog "/var/log/httpd/www1.access" combined
        <Directory "/var/www/html/www1">
                Options None
                AllowOverride None
                Order Allow,Deny
                Allow from 172.16.0.0/16
        </Directory>
</VirtualHost>

<VirtualHost 172.16.22.1:80>
        ServerName www2.ilinux.org
        DocumentRoot "/var/www/html/www2"
        ErrorLog "/var/log/httpd/www2.err"
        CustomLog "/var/log/httpd/www2.access" combined
        <Directory "/var/www/html/www2">
                Options None
                AllowOverride None
                Order Allow,Deny
                Allow from all
        </Directory>
</VirtualHost>
Note: the second host must carry ServerName www2.ilinux.org, otherwise both names resolve to the first block. With name-based virtual hosts the first block is also the default for requests whose Host header matches neither name (including requests to the bare IP), so www1's Allow from 172.16.0.0/16 applies to those as well.
# mkdir -pv /var/www/html/www{1,2}
# echo www1.ilinux.org > /var/www/html/www1/index.html
# echo www2.ilinux.org > /var/www/html/www2/index.html
# service httpd start
# chkconfig httpd on
6. We use postfix here.
# yum install postfix
# service sendmail stop
# chkconfig sendmail off
# rpm -e sendmail --nodeps
# vim /etc/postfix/main.cf
myhostname = mail.ilinux.org
mydomain = ilinux.org
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost, localhost.$mydomain, $mydomain, mail.$mydomain
mynetworks = 172.16.0.0/16, 127.0.0.0/8
smtpd_client_restrictions = hash:/etc/postfix/client
smtpd_sender_restrictions = hash:/etc/postfix/sender
######### add the following to enable cyrus-sasl based authentication #############
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_application_name = smtpd
smtpd_banner = Welcome to our $myhostname ESMTP, Warning: Version not Available!
Note: permit_mynetworks comes first, so every host in 172.16.0.0/16 relays without authenticating; SASL only governs clients outside mynetworks. noanonymous still permits PLAIN and LOGIN over the unencrypted port 25, so outside the lab add TLS or noplaintext. The sender map below checks the envelope sender, which the client chooses freely, so it is a policy setting rather than a security boundary.
# vim /usr/lib/sasl2/smtpd.conf   (/usr/lib64/sasl2/smtpd.conf on x86_64)
pwcheck_method: saslauthd
# service saslauthd start
# chkconfig saslauthd on
# vim /etc/sysconfig/saslauthd
MECH=shadow
# vim /etc/postfix/client
172.16.22.10   REJECT
# postmap /etc/postfix/client
# vim /etc/postfix/sender
ubuntu@ REJECT
# postmap /etc/postfix/sender
# vim /etc/aliases
ubuntu:      gentoo
customers:   gentoo,  centos
# newaliases
# service postfix start
# hostname mail.ilinux.org
# iptables -A INPUT -s 192.168.0.0/24 -d 172.16.22.1 -p tcp --dport 25 -j REJECT
; note: this works, and the same restriction can also be written into /etc/postfix/client
# telnet mail.ilinux.org 25 ; a quick test; do the full tests yourselves, I will not write them out in detail!
 mail from:ubuntu@ilinux.org
 RCPT TO:gentoo@ilinux.org
A line like the following shows that the restriction on the ubuntu user sending mail works:
554 5.7.1 <ubuntu@ilinux.org>: Sender address rejected: Access denied
Do the other tests yourselves; typing each one out is slow.....
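The telnet session above has to be repeated for every sender, client and recipient rule. The script below is an added example (not from the original post) that runs the same exchange from bash: smtp_reply reads one possibly multi-line reply (continuation lines carry "250-", the final line "250 ") and returns its code, smtp_class turns the code into accepted/deferred/rejected, and smtp_probe drives EHLO, MAIL FROM and RCPT TO over bash's /dev/tcp. It assumes bash and the hostnames and addresses from this post; the reply strings in the comments are the ones this post shows.

```shell
#!/bin/bash
# Added example (not from the original post): script the SMTP probe that
# the post performs by hand with telnet. Requires bash for /dev/tcp.
set -u

# Read one SMTP reply from stdin and print its 3-digit code.
# A 4th character of "-" marks a continuation line; a space marks the last.
smtp_reply() {
    local line code
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        code=$(printf '%.3s' "$line")
        case $line in
            ???-*) ;;                       # continuation, keep reading
            *)     echo "$code"; return 0 ;;
        esac
    done
    return 1                                # server closed without a final line
}

# Classify a reply code: 2xx accepted, 4xx deferred (temporary), 5xx rejected.
smtp_class() {
    case $1 in
        2??) echo accepted ;;
        4??) echo deferred ;;
        5??) echo rejected ;;
        *)   echo unknown ;;
    esac
}

# smtp_probe HOST PORT FROM TO -> "banner=220 ehlo=250 sender=250 rcpt=554"
# Postfix keeps smtpd_delay_reject=yes by default, so sender and client
# restrictions are reported at RCPT TO, just as in the telnet session above.
smtp_probe() {
    local host=$1 port=$2 from=$3 to=$4 banner ehlo sender rcpt
    exec 3<>"/dev/tcp/$host/$port" || return 1
    banner=$(smtp_reply <&3)
    printf 'EHLO probe.ilinux.org\r\n' >&3;  ehlo=$(smtp_reply <&3)
    printf 'MAIL FROM:<%s>\r\n' "$from" >&3; sender=$(smtp_reply <&3)
    printf 'RCPT TO:<%s>\r\n' "$to" >&3;     rcpt=$(smtp_reply <&3)
    printf 'QUIT\r\n' >&3
    exec 3>&-
    echo "banner=$banner ehlo=$ehlo sender=$sender rcpt=$rcpt"
}

# Usage: the blocked sender should give rcpt=554, an ordinary one rcpt=250.
#   smtp_probe mail.ilinux.org 25 ubuntu@ilinux.org gentoo@ilinux.org
#   smtp_probe mail.ilinux.org 25 centos@ilinux.org gentoo@ilinux.org
```

Run the probe once from a host inside mynetworks and once from outside (or from the 172.16.22.10 address listed in /etc/postfix/client) to see the client restriction and the relay restriction separately.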
7.
# yum install dovecot
# vim /etc/dovecot.conf
protocols = pop3
# service dovecot start
# chkconfig dovecot on
# iptables -A INPUT -s 192.168.0.0/24 -d 172.16.22.1 -p tcp --dport 110 -j REJECT
# telnet pop3.ilinux.org 110
 
8.
# vim /etc/vsftpd/vsftpd.conf
tcp_wrappers=YES (so that vsftpd honours TCP wrapper control)
# vim /etc/hosts.allow
vsftpd: 172.16.0.0/255.255.0.0
# vim /etc/hosts.deny
vsftpd: ALL
# getsebool -a | grep ftp
# setsebool -P ftp_home_dir=1
# service vsftpd start
# chkconfig vsftpd on
 
9. The way the certificate is generated here must not be used in production; it is purely for fun! It can be used in the RHCE exam to save time and avoid mistakes!
# cd /etc/pki/tls/certs
# make dovecot.pem
# vim /etc/dovecot.conf
ssl_cert_file = /etc/pki/tls/certs/dovecot.pem
ssl_key_file = /etc/pki/tls/certs/dovecot.pem
protocols = pop3 imaps
# service dovecot restart
# mutt -f imaps://imaps.ilinux.org ; test
# iptables -A INPUT -s 172.16.0.0/16 -d 172.16.22.1 -p tcp --dport 993 -j ACCEPT
# iptables -A INPUT -d 172.16.22.1 -p tcp --dport 993 -j REJECT
Note: the Makefile writes the private key and the self-signed certificate into the same .pem, so that file must stay mode 600 and owned by root; clients such as mutt will warn about the unknown issuer, which is expected for a self-signed certificate.
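For anything beyond the exam, the Makefile's interactive prompts and its single combined .pem are the two things to change. The function below is an added example (not code from the original post): it calls openssl req with a temporary config file (so it works on old and new openssl releases alike), writes the key to a separate file with mode 0600, puts the hostname into both the CN and a subjectAltName, and offers two checks to run before pointing dovecot or httpd at the result. The hostnames come from this post; the organisation name, output paths and validity period are assumptions. The certificate is still self-signed, so clients must be told to trust it explicitly.

```shell
#!/bin/bash
# Added example (not from the original post): self-signed server certificate
# generated non-interactively, with key and certificate in separate files.
# Assumes openssl is installed; names and paths below are examples.
set -u

# mkcert_selfsigned OUTDIR NAME CN DAYS [ALTNAME...]
# Writes OUTDIR/NAME.key (mode 0600) and OUTDIR/NAME.crt (mode 0644).
mkcert_selfsigned() {
    local dir=$1 name=$2 cn=$3 days=$4 san alt cfg status
    shift 4
    san="DNS:$cn"
    for alt in "$@"; do san="$san,DNS:$alt"; done
    cfg=$(mktemp) || return 1
    # A config file avoids the interactive prompts of "make dovecot.pem" and
    # carries the subjectAltName, which "openssl req" cannot take on the
    # command line in old releases.
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
C = CN
O = ilinux
CN = $cn
[ext]
subjectAltName = $san
extendedKeyUsage = serverAuth
EOF
    # umask 077 in a subshell: the key is never world-readable, not even briefly.
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
          -days "$days" -config "$cfg" \
          -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null )
    status=$?
    rm -f "$cfg"
    [ "$status" -eq 0 ] || return 1
    chmod 0600 "$dir/$name.key"
    chmod 0644 "$dir/$name.crt"
}

# cert_cn FILE -> print the CN of the certificate (works with both the old
# "subject= /C=..." and the new "subject=C = ..." output formats).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_has_san FILE NAME -> succeed if the certificate lists DNS:NAME.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|$)"
}

# Usage (as root), then point dovecot at the two files instead of one .pem:
#   mkcert_selfsigned /etc/pki/tls/private dovecot imaps.ilinux.org 365 pop3.ilinux.org
#   cert_cn /etc/pki/tls/private/dovecot.crt
#   cert_has_san /etc/pki/tls/private/dovecot.crt pop3.ilinux.org && echo ok
#   ssl_cert_file = /etc/pki/tls/private/dovecot.crt
#   ssl_key_file  = /etc/pki/tls/private/dovecot.key
```

Dovecot opens the key as root before dropping privileges, so 0600 root-owned is the right mode for it; the same pair of files can be given to mod_ssl in task 10 via SSLCertificateFile and SSLCertificateKeyFile.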
 
10.
# yum install mod_ssl
# cd /etc/pki/tls/certs
# make httpd.pem
# vim /etc/httpd/conf.d/ssl.conf
DocumentRoot "/var/www/html/www2"
ServerName www2.ilinux.org
SSLCertificateFile /etc/pki/tls/certs/httpd.pem
SSLCertificateKeyFile /etc/pki/tls/certs/httpd.pem
# service httpd restart
# chkconfig httpd on
# iptables -A INPUT -s 192.168.0.0/24 -d 172.16.22.1 -p tcp --dport 443 -j REJECT
 
11.
# yum install php php-mbstring php-mysql mysql-server
# vim /var/www/html/www1/index.html
<?php
    phpinfo();
?>
# mv !$ /var/www/html/www1/index.php
# service mysqld start
# chkconfig mysqld on
# mysqladmin -uroot password '123456' ; one of two ways of setting the root password; the second is shown below
# mysql
mysql> set password for 'root'@'localhost'=PASSWORD('123456');
mysql> set password for 'root'@'127.0.0.1'=PASSWORD('123456');
mysql> \q
Note: the default install also creates anonymous accounts and a root entry for the machine's hostname; list mysql.user afterwards and set or remove those too, otherwise the password only protects two of the root rows.
# tar zxvf phpMyAdmin-2.11.10-all-languages.tar.gz -C /var/www/html
# cd !$
# mv phpMyAdmin-2.11.10-all-languages phpmyadmin
# cp config.sample.inc.php config.inc.php
# vim !$
$cfg['blowfish_secret'] = 'put a long random string here';
# rpm -ivh libmcrypt-2.5.7-5.el5.i386.rpm
# vim /etc/httpd/conf/httpd.conf
Define inside the virtual host:
Alias /phpmyadmin "/var/www/html/phpmyadmin" ; an extra step; in fact the simplest is to put it directly under /var/www/html/www1/phpmyadmin
# service httpd restart
 
 
12.
# vim /etc/httpd/conf/httpd.conf
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
DirectoryIndex (add) index.php
User authentication: add the following to the file
# vim /etc/httpd/conf/.webgrps
mygrp: user1 user2 user3 user4
# groupadd mygrp
Inside the <Directory> block for the directory to be protected:
        AllowOverride AuthConfig
        AuthName "Auth web"                     # prompt text
        AuthType Basic                          # authentication method
        AuthUserFile /etc/httpd/conf/.webuser   # user file
        AuthGroupFile /etc/httpd/conf/.webgrps  # group file
        Require group mygrp                     # group whose members may log in
Note: the user file is created with htpasswd -c and then htpasswd for each further user; the groupadd step creates a system group that mod_auth does not consult, since AuthGroupFile is its own file. Basic authentication sends the password base64-encoded in every request, so protect such a directory only under the HTTPS host from task 10.
Write out the detailed process yourselves! I am using somebody else's wireless network and he is busy debugging his router right now... saving this and going to sleep! I have not yet done the two design questions below; I will add them once I have worked them out! All the answers above were typed by hand and largely not tested in a virtual machine! If there are mistakes please point them out!