[Original][Security Ops] Simulating a small enterprise intranet
2022-8-5 22:18 3407


A small ops experiment

Purpose of the experiment

Based on the realities of a small company, simulate a small LAN and configure it against common intranet attack techniques (such as DDoS and SSH brute forcing). The goal is to improve the security operations skills of ops beginners.

Network topology

Scenario

The LAN contains the physical host and the proxy server host. The physical host plays an ordinary customer machine and the proxy server is the proxy provided by the company; this network simulates the public Internet.
The NAT network contains the HTTP server, backup server, NIS server and client hosts; it simulates the company intranet.

Hosts

Physical host: its browser proxy is set to 192.168.1.10 on the same segment, through which it can reach the portal site at 192.168.56.102.
Proxy server: closes every unnecessary port, moves SSH to port 1022 (a disguised SSH port), needs careful firewall configuration, monitors the logs and emails root when SSH login failures within a short time exceed a limit, and provides the squid proxy service.
HTTP server: hosts the portal site protected by HTTPS and provides the rsync service; the iptables firewall must let only the proxy server reach ports 80 and 443.
Backup server: stores the HTTP server's log information via rsync.
NIS server: provides account management for the client and the backup server.
Client: configures a simple firewall.

Detailed configuration

Special configuration

In the 192.168.56.0/24 segment, apart from the proxy server, which the physical host may reach, every other host must be unreachable from IPs outside the LAN. This is done with iptables:

```
# ban the physical host
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
# only allow connections from IPs in the same segment
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
```

Proxy server

1. Firewall configuration

```
# flush the existing configuration
iptables -F
iptables -X
iptables -Z
 
# default policy of the INPUT chain: drop
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
 
# -A append a rule, -i interface, -j target action, -m match module, -p protocol
# --dport destination port, --sport source port
# -m state --state RELATED,ESTABLISHED matches on the packet's connection state. Four states
# exist: INVALID, ESTABLISHED, NEW and RELATED. INVALID means the packet belongs to no known
# flow or connection, or its payload or header is malformed. ESTABLISHED means the packet is
# valid and belongs to an established connection on which both ends have already sent data.
# NEW means the packet starts, or is about to start, a new connection, or belongs to a
# connection that has not yet seen data in both directions. RELATED means the packet starts
# a new connection that is related to an already established one.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 1022 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 3128 --sport 1024:65534 -j ACCEPT
iptables-save > /home/dc/iptables.mysettings
```

Then set up the /etc/crontab file:

```
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
 
# For details see man 4 crontabs
 
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
# apply my iptables from file per minute.
  *  *  *  *  * root            /sbin/iptables-restore /home/dc/iptables.mysettings
```

Enable the kernel-level protections:

```
[root@localhost dc]# vim /etc/sysctl.conf
[root@localhost dc]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
 
# Turn on syncookies for SYN flood attack protection
#
net.ipv4.tcp_syncookies = 1
 
# Avoid a smurf attack
#
net.ipv4.icmp_echo_ignore_broadcasts = 1
 
# Turn on reverse path filtering
#
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.enp0s8.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.enp0s8.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
 
# Make sure no one can alter the routing tables
#
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.enp0s8.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
 
# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.enp0s8.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
[root@localhost dc]# sysctl -p
```

Once this is done, reboot and check that the firewall settings have taken effect.

2. Shut down all unnecessary ports
Listing the listening ports shows this entry:

```
[root@localhost dc]# netstat -tulnp
tcp6       0      0 ::1:631                 :::*                    LISTEN      1267/cupsd
```

Following the hint in Vbird's book (鸟哥的书), I disabled the cups service with systemctl:
systemctl disable cups.service
The ntsysv command can also be used to review and turn off unnecessary services.

 

3. Move SSH to port 1022
/etc/ssh/sshd_config:

```
Port 1022
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
 
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
 
# Ciphers and keying
#RekeyLimit default none
 
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
 
# Authentication:
 
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
```

Add port 1022 as a permitted SSH service port in SELinux:

```
[root@localhost dc]# semanage port -a -t ssh_port_t -p tcp 1022
[root@localhost dc]#
[root@localhost dc]# semanage port -l | grep ssh
ssh_port_t                     tcp      1022, 22
```

4. Monitor the logs and email root when failures within a short period exceed a threshold
Brute-forcing the SSH port from Kali as a test:

```
date ; hydra -l dc -P /usr/share/wordlists/fasttrack.txt -v ssh://192.168.1.10:1022 ; date
 
 
    20220729日 星期五 22:23:15 CST
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [ERROR] could not connect to target port 1022: Socket error: Connection reset by peer
    [ERROR] ssh protocol error
    [ERROR] could not connect to target port 1022: Socket error: Connection reset by peer
    [ERROR] ssh protocol error
    20220729日 星期五 22:25:26 CST
 
    cat /usr/share/wordlists/fasttrack.txt | wc -l
    222
 
    >>> (222/(2*60+10))
    1.7076923076923076
```

That is about 1.7 failed logins per second on average.

More than 60 SSH login attempts within one minute therefore strongly suggests that an attacker is brute-forcing account passwords.
So I wrote an automated tool that detects SSH password brute forcing, immediately bans the suspicious IP and emails the system administrator.

 

What it does: it periodically checks the output of lastb; if an IP has more than 60 login failures within one minute, it notifies root with the mail command and immediately bans that IP with iptables (the ban rule is also saved into /home/dc/iptables.mysettings so the per-minute restore keeps it).

 

Script contents:

```
import os
import subprocess
import datetime


def compose_time_str(date_time_t):
    # Build "Mon-D-HH:MM" in the same form the awk pipeline below prints lastb's columns
    # (lastb prints the day without a leading zero, e.g. "Aug-4-10:30").
    month_str = date_time_t.strftime("%b")
    day_str = str(date_time_t.day)
    time_str = date_time_t.strftime("%H:%M")
    return month_str + '-' + day_str + '-' + time_str


now_time = datetime.datetime.now()
month_str = now_time.strftime("%b")

# Only the three previous whole minutes are inspected (the cron job runs every 3 minutes).
time_str_list = [compose_time_str(now_time - datetime.timedelta(minutes=m)) for m in (1, 2, 3)]
#print(time_str_list)

# lastb columns: user tty host weekday month day time ...  ->  "Mon-D-HH:MM host"
cmdline = "lastb | awk '{printf \"%s-%s-%s %s\\n\",$5,$6,$7,$3}'"

login_failed_information = os.popen(cmdline).read().split('\n')
suspect_ip_and_attack_time_dict = {}

# { time:{ip:number,ip2:number},time2:{ip:number} }
for line in login_failed_information:
    if not line.startswith(month_str):
        continue

    fields = line.split(' ')
    if len(fields) != 2:
        continue
    detail_time, ip = fields

    if detail_time in time_str_list:
        # count this failure under its minute and source address
        time_dict = suspect_ip_and_attack_time_dict.setdefault(detail_time, {})
        time_dict[ip] = time_dict.get(ip, 0) + 1

black_list = []
message = ""

for keys, values in suspect_ip_and_attack_time_dict.items():
    for ip, failed_times in values.items():
        if failed_times > 60:
            black_list.append(ip)
            format_str = "{} attacked {} times at {}\n"
            message += format_str.format(ip, failed_times, keys)
            #print(message)

black_list = list(set(black_list))

# IPs banned by an earlier run; strip the trailing newline so the comparison below works.
ban_ip_list = []
if os.path.exists("black_list.txt"):
    with open("black_list.txt", "r") as f:
        ban_ip_list = [line.strip() for line in f]

black_list = [ip for ip in black_list if ip not in ban_ip_list]

# Position 3 puts the DROP right behind the lo and RELATED,ESTABLISHED ACCEPT rules and
# ahead of the per-port ACCEPT rules; appended at the end it would never be reached.
#iptables -I INPUT 3 -i enp0s3 -s 192.168.1.1 -j DROP
with open("black_list.txt", "a") as f:
    for ip in black_list:
        f.write(ip + '\n')
        subprocess.call(["iptables", "-I", "INPUT", "3", "-i", "enp0s3", "-s", ip, "-j", "DROP"])

# Persist the rules so the per-minute iptables-restore cron job keeps the bans.
os.system("iptables-save > /home/dc/iptables.mysettings")

if message != "":
    # hand the report to mail on stdin instead of interpolating it into a shell command
    mail = subprocess.Popen(["mail", "-s", "security report", "root@localhost"], stdin=subprocess.PIPE)
    mail.communicate(message.encode())
```
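As an added example (not the post's own script), the same detection carried out on constructed lastb output, generalised from the script's fixed "previous three minutes" buckets to a configurable window over all records, with the year-less lastb timestamp, the "btmp begins" trailer and non-IPv4 host columns handled, plus the ban-command generation that skips hosts already in the blacklist. `parse_lastb`, `max_burst`, `detect_brute_force`, `ban_commands` and the sample data are hypothetical helpers written here; the threshold of 60 failures per minute, the `enp0s3` interface and the `-I INPUT 3` position follow the page.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One lastb record per failed login; lastb prints no year, so the caller's `now` supplies it.
#   dc       ssh:notty    192.168.1.3      Thu Aug  4 10:30 - 10:30  (00:00)
LASTB_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+[A-Z][a-z]{2}\s+"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hm>\d{2}:\d{2})"
)

def parse_lastb(text, now):
    """Return [(host, datetime)] for every parsable record; the 'btmp begins' trailer is skipped."""
    events = []
    for line in text.splitlines():
        m = LASTB_RE.match(line)
        if not m:
            continue
        stamp = "%s %s %s %d" % (m.group("mon"), m.group("day"), m.group("hm"), now.year)
        try:
            ts = datetime.strptime(stamp, "%b %d %H:%M %Y")
        except ValueError:
            continue
        if ts > now:                      # a December record being read in January
            ts = ts.replace(year=now.year - 1)
        events.append((m.group("host"), ts))
    return events

def max_burst(times, window):
    """Largest number of timestamps inside any half-open interval of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def detect_brute_force(lastb_text, now, window_minutes=1, threshold=60):
    """{host: burst} for every host with more than `threshold` failures inside one window."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for host, ts in parse_lastb(lastb_text, now):
        by_host[host].append(ts)
    offenders = {}
    for host, times in by_host.items():
        burst = max_burst(times, window)
        if burst > threshold:
            offenders[host] = burst
    return offenders

def ban_commands(offenders, already_banned, iface="enp0s3", position=3):
    """iptables lines for offenders not banned yet. Position 3 puts the DROP after the lo and
    RELATED,ESTABLISHED accepts but before the per-port ACCEPTs, as in the page's listing; a
    rule appended behind the port 1022 ACCEPT would never be reached."""
    cmds = []
    for host in sorted(offenders):
        try:
            if ipaddress.ip_address(host).version != 4:
                continue              # iptables is IPv4 only; ip6tables would be needed
        except ValueError:
            continue                  # a hostname in the host column never goes into -s
        if host not in already_banned:
            cmds.append("iptables -I INPUT %d -i %s -s %s -j DROP" % (position, iface, host))
    return cmds

# Constructed sample data below (not real btmp contents).
SAMPLE_NOW = datetime(2022, 8, 4, 10, 33)

def lastb_line(host, when, user="dc"):
    """One constructed lastb record in the column layout shown above."""
    day = when.strftime("%a %b") + " %2d " % when.day + when.strftime("%H:%M")
    return "%-8s ssh:notty    %-16s %s - %s  (00:00)" % (user, host, day, when.strftime("%H:%M"))

def build_sample():
    """Two hosts hammering port 1022 around 10:30, plus one host with a few mistyped passwords."""
    t0 = SAMPLE_NOW - timedelta(minutes=3)
    lines = [lastb_line("192.168.1.3", t0)] * 142
    lines += [lastb_line("192.168.1.3", t0 + timedelta(minutes=1))] * 20
    lines += [lastb_line("192.168.1.16", t0)] * 30
    lines += [lastb_line("10.0.0.5", t0 - timedelta(minutes=k)) for k in range(5)]
    return "\n".join(lines + ["", "btmp begins Mon Aug  1 00:00:01 2022"])
```

On the proxy server you would feed `detect_brute_force` the output of `lastb` together with `datetime.now()`, and the strings returned by `ban_commands` are what the cron job would execute and persist with `iptables-save`.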

Contents of /etc/crontab:

```
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
 
# For details see man 4 crontabs
 
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
# apply my iptables from file per minute.
  *  *  *  *  * root            /sbin/iptables-restore /home/dc/iptables.mysettings
# detect attack behaviour every 3 minutes.
  */3  *  *  *  * root           /usr/bin/python /root/detect_ssh_port_hacking.py
```

Brute-force port 1022 with hydra from two hosts at the same time:
date ; hydra -l dc -P /usr/share/nmap/nselib/data/passwords.lst -v ssh://192.168.1.10:1022 ; date
Afterwards, check root's mailbox on the proxy server itself:

```
[root@localhost ~]# cat /var/spool/mail/root
 
From root@localhost.localdomain  Thu Aug  4 10:33:02 2022
Return-Path: <root@localhost.localdomain>
X-Original-To: root@localhost
Delivered-To: root@localhost.localdomain
Received: by localhost.localdomain (Postfix, from userid 0)
    id 130BE12010FD; Thu,  4 Aug 2022 10:33:02 -0400 (EDT)
Date: Thu, 04 Aug 2022 10:33:02 -0400
To: root@localhost.localdomain
Subject: security report
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20220804143302.130BE12010FD@localhost.localdomain>
From: root@localhost.localdomain (root)
 
192.168.1.3 attacked 142 times at Aug-4-10:30
192.168.1.16 attacked 142 times at Aug-4-10:30
192.168.1.3 attacked 146 times at Aug-4-10:31
192.168.1.16 attacked 96 times at Aug-4-10:31
192.168.1.3 attacked 64 times at Aug-4-10:32
```

As soon as the script detected the attack it blacklisted both attacking hosts.
Now look at the attacking machine's output:

```
┌──(root㉿kali)-[/usr/share/nmap/nselib/data]
└─# date ; hydra -l dc -P /usr/share/nmap/nselib/data/passwords.lst -v ssh://192.168.1.10:1022 ; date
20220804日 星期四 22:32:55 CST
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-08-04 22:32:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 5010 login tries (l:1/p:5010), ~314 tries per task
[DATA] attacking ssh://192.168.1.10:1022/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://dc@192.168.1.10:1022
[ERROR] could not connect to ssh://192.168.1.10:1022 - Timeout connecting to 192.168.1.10
20220804日 星期四 22:33:37 CST
```

It was supposed to run through five thousand passwords, but because of the script it was banned after trying fewer than three or four hundred:

```
dc@LAPTOP-J3UJRUOC:/usr/share/nmap/nselib/data$ wc -l /usr/share/nmap/nselib/data/passwords.lst
5084 /usr/share/nmap/nselib/data/passwords.lst
```

Then check the local iptables configuration:

```
[root@localhost ~]# iptables -L  --line-number
Chain INPUT (policy DROP)
num  target     prot opt source               destination        
1    ACCEPT     all  --  anywhere             anywhere           
2    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
3    DROP       all  --  192.168.1.16         anywhere           
4    DROP       all  --  192.168.1.3          anywhere           
5    ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65534 dpt:sunrpc
6    ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65534 dpt:exp2
7    ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65534 dpt:squid
 
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination        
 
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination        
[root@localhost ~]#
```

5. Set up the squid proxy
Install squid:

```
yum install squid
```

Uncomment one line in the configuration file:

```
vim /etc/squid/squid.conf:
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 100 16 256
```

Start the service and enable it at boot:

```
[root@localhost ~]# systemctl start squid.service
[root@localhost ~]# systemctl enable squid.service
```

Finally, don't forget to set the firewall again, because the physical host still needs to reach the proxy server:

```
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 1022 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 3128 --sport 1024:65534 -j ACCEPT
iptables-save > /home/dc/iptables.mysettings
iptables -L --line-number
```

client

Firewall configuration:

```
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
iptables-save > /home/dc/iptables.mysettings
```

Accept packets arriving on the lo interface, packets from the 56 segment, and packets related to connections this host itself initiated. Ban the IP 56.1 (the physical host) and drop every other packet.

Add the scheduled task:

```
[root@localhost dc]# vim /etc/crontab
[root@localhost dc]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
 
# For details see man 4 crontabs
 
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
  *  *  *  *  * root            /sbin/iptables-restore /home/dc/iptables.mysettings
```

http server

1. Firewall configuration

```
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.106 --dport 80 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.106 --dport 443 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 80 -j DROP
iptables -A INPUT -p TCP -i enp0s8 --dport 443 -j DROP
iptables -A INPUT -p TCP -i enp0s8 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 22 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 631 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 25 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
```
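As an added example (not code from the original post), the HTTP server rule set above and the proxy server rule set from section 1 are fed through a small first-match model of the INPUT chain, to check what each actually admits and why the detection script inserts its DROP at position 3 rather than appending it. The `InputChain` model, `load`, `ban_verdict` and the probe packets are hypothetical helpers written here; the model covers only the option shapes the page uses.

```python
import ipaddress
import shlex

# Constructed first-match model of the iptables INPUT chain (a hypothetical helper written
# for this example, not iptables itself); it knows only the option shapes used on this page.
SUPPORTED = {"-p", "-i", "-s", "--dport", "--sport", "-m", "--state", "-j"}

def port_range(text):
    """'80' -> (80, 80); '1024:65534' -> (1024, 65534)."""
    lo, _, hi = text.partition(":")
    return int(lo), int(hi or lo)

class InputChain:
    def __init__(self):
        self.policy = "ACCEPT"
        self.rules = []

    def run(self, cmd):
        """Apply one iptables command line; -X and -Z are no-ops here (no user chains, no counters)."""
        argv = shlex.split(cmd)
        if argv[1] == "-F":
            self.rules = []
        elif argv[1] == "-P" and argv[2] == "INPUT":
            self.policy = argv[3]
        elif argv[1] in ("-A", "-I") and argv[2] == "INPUT":
            self._add(argv)

    def _add(self, argv):
        pos, i = len(self.rules), 3                     # -A appends
        if argv[1] == "-I":                             # -I [N]: 1-based position, default 1
            pos, i = (int(argv[3]) - 1, 4) if argv[3].isdigit() else (0, 3)
        opts = dict(zip(argv[i::2], argv[i + 1::2]))
        unknown = set(opts) - SUPPORTED
        if unknown:
            raise ValueError("unsupported option(s): %s" % sorted(unknown))
        rule = {"target": opts.get("-j", "ACCEPT")}
        if "-p" in opts:
            rule["proto"] = opts["-p"].lower()
        if "-i" in opts:
            rule["iface"] = opts["-i"]
        if "-s" in opts:
            rule["src"] = ipaddress.ip_network(opts["-s"], strict=False)
        if "--dport" in opts:
            rule["dport"] = port_range(opts["--dport"])
        if "--sport" in opts:
            rule["sport"] = port_range(opts["--sport"])
        if "--state" in opts:
            rule["state"] = set(opts["--state"].split(","))
        self.rules.insert(pos, rule)

    def verdict(self, src, dport, sport=40000, iface="enp0s8", proto="tcp", state="NEW"):
        """Target of the first rule matching the packet, otherwise the chain policy."""
        addr = ipaddress.ip_address(src)
        for r in self.rules:
            if (r.get("proto", proto) == proto and r.get("iface", iface) == iface
                    and ("src" not in r or addr in r["src"])
                    and ("dport" not in r or r["dport"][0] <= dport <= r["dport"][1])
                    and ("sport" not in r or r["sport"][0] <= sport <= r["sport"][1])
                    and ("state" not in r or state in r["state"])):
                return r["target"]
        return self.policy

def load(script):
    chain = InputChain()
    for line in script.strip().splitlines():
        chain.run(line)
    return chain

# The HTTP server's rules from the page (443, 111, 631 and 25 omitted: they behave like 80 and 22).
HTTP_SERVER_RULES = """
iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.106 --dport 80 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 80 -j DROP
iptables -A INPUT -p TCP -i enp0s8 --dport 22 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
"""

# The proxy server's rules from the page; enp0s3 faces the simulated public network.
PROXY_RULES = """
iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 1022 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 3128 --sport 1024:65534 -j ACCEPT
"""

def ban_verdict(ban_cmd, src="192.168.1.3"):
    """Add the detector's ban rule to the proxy chain, then probe SSH (port 1022) from `src`."""
    chain = load(PROXY_RULES)
    chain.run(ban_cmd)
    return chain.verdict(src, 1022, iface="enp0s3")
```

Two things the probes surface: a connection from 192.168.56.106 with a source port below 1024 misses the `--sport 1024:65534` allow rule and falls into the port 80 DROP, and the per-port ACCEPT rules (22, 111, 631, 25) carry no `-s`, so only ports outside that list are kept from non-LAN sources by the DROP policy.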

Save the configuration and schedule the restore task:

```
iptables-save > /root/my_iptables_seetings.rule
/usr/sbin/iptables-restore < /root/my_iptables_seetings.rule
[root@localhost html]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
 
# For details see man 4 crontabs
 
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
  *  *  *  *  * root /usr/sbin/iptables-restore < /root/my_iptables_seetings.rule
```

2. Install the httpd service, start it and enable it at boot:

```
yum install httpd
systemctl start httpd
systemctl enable httpd
systemctl status httpd
```

Set up a simple home page:

```
cd /var/www/html/
cat index.html
This is my first page.
```

Add HTTPS:

```
yum install mod_ssl
systemctl restart httpd
```

Backup server

This server is set up to back up the HTTP server's website content on a schedule.
1. First, set up passwordless login to the HTTP server:

```
[dc@localhost ~]$ su
Password:
[root@localhost dc]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:iQiHtrt1CpVCi/9tUepSWVziMnhw/Zk9CASepiHvr2s root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|      .+.        |
|   .....+ .      |
* o++o = =     |
| + B.*+.=.= o    |
|. + *..BS    .   |
| . =  =          |
+ oo..         |
|   =E=o          |
|  ..==o          |
+----[SHA256]-----+
[root@localhost dc]# scp ~/.ssh/id_rsa.pub root@192.168.56.102:~
The authenticity of host '192.168.56.102 (192.168.56.102)' can't be established.
ECDSA key fingerprint is SHA256:fXKVGvaS/isxJ+u6655e5dyTap2YDAgEgdrbs96gcoU.
ECDSA key fingerprint is MD5:6d:28:85:28:3a:2d:2e:be:cb:e9:cd:87:ad:9a:ea:22.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.102' (ECDSA) to the list of known hosts.
root@192.168.56.102's password:
id_rsa.pub                                       100%  408   489.5KB/s   00:00
```

On the HTTP server, add the public key:

```
[root@localhost ~]# ls -ld id_rsa.pub .ssh/
-rw-r--r--. 1 root root 406 Aug  3 01:38 id_rsa.pub
drwx------. 2 root root  25 Aug  1 03:17 .ssh/
[root@localhost ~]# cat id_rsa.pub >> ~/.ssh/known_hosts
123.txt          .bash_profile    .cshrc           original-ks.cfg  .viminfo        
anaconda-ks.cfg  .bashrc          id_rsa.pub       .rnd             .wireshark/     
.bash_history    .cache/          .lesshst         .ssh/            .xauthTIyBog    
.bash_logout     .config/         .local/          .tcshrc         
[root@localhost ~]# cat id_rsa.pub >> ~/.ssh/authorized_keys
[root@localhost ~]# chmod 644 ~/.ssh/authorized_keys
```

Back on the backup server, test it:

```
[dc@localhost ~]$ ssh root@192.168.32.146
Last login: Sat Jul 30 06:48:47 2022
[root@localhost ~]# exit
logout
Connection to 192.168.32.146 closed.
```

2. With passwordless login working, add a system cron job as root that syncs the HTTP server's website content to the local /tmp every hour.

```
[root@localhost .ssh]# /usr/bin/rsync -av -e ssh root@192.168.56.102:/var/www/html /tmp
receiving incremental file list
html/
html/index.html
 
sent 47 bytes  received 151 bytes  132.00 bytes/sec
total size is 23  speedup is 0.12
```

Add the cron job:

```
[root@localhost ~]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
 
# For details see man 4 crontabs
 
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*  *  *  *  *     root    /usr/bin/rsync -av -e ssh root@192.168.56.102:/var/www/html /tmp &> /root/rsync_res.txt
```

The script's output and the crontab log can be watched to see how it runs; the two main log files are:

```
/root/rsync_res.txt
/var/log/cron
```

nis server

1. Install NIS

```
yum install yp-tools
yum install ypbind
yum install ypserv
yum install rpcbind
```

2. Set the NIS domain name.
Following Vbird's book, the configuration is:

NIS domain name: vbirdnis
Trusted internal network: 192.168.56.0/24
NIS master server: IP 192.168.56.103, hostname www.centos.vbird
NIS client: IP 192.168.56.105, hostname client.centos.vbird
NIS client 2: IP 192.168.56.104, hostname backup.centos.vbird

Edit /etc/sysconfig/network to set the domain name and make NIS start on a fixed port:

```
[root@localhost ~]# cat /etc/sysconfig/network
# Created by anaconda
NISDOMAIN=vbirdnis
YPSERV_ARGS="-p 1011"
```

Make the same setting on the two client machines.

3. Set up the main configuration file:

```
[root@localhost dc]# cat /etc/ypserv.conf
#
# ypserv.conf    In this file you can set certain options for the NIS server,
#        and you can deny or restrict access to certain maps based
#        on the originating host.
#
#        See ypserv.conf(5) for a description of the syntax.
#
 
# Some options for ypserv. This things are all not needed, if
# you have a Linux net.
 
# How many map file handles should be cached ?
files: 30
 
# Should we register ypserv with SLP ?
# slp: no
# After how many seconds we should re-register ypserv with SLP ?
# slp_timeout: 3600
 
# xfr requests are only allowed from ports < 1024
xfr_check_port: yes
 
# The following, when uncommented,  will give you shadow like passwords.
# Note that it will not work if you have slave NIS servers in your
# network that do not run the same server as you.
 
# Host                     : Domain  : Map              : Security
#
# *                        : *       : passwd.byname    : port
# *                        : *       : passwd.byuid     : port
 
# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everbody is root and can access ports < 1024 !!!
*               : *       : shadow.byname    : port
*               : *       : passwd.adjunct.byname : port
 
# If you comment out the next rule, ypserv and rpc.ypxfrd will
# look for YP_SECURE and YP_AUTHDES in the maps. This will make
# the security check a little bit slower, but you only have to
# change the keys on the master server, not the configuration files
# on each NIS server.
# If you have maps with YP_SECURE or YP_AUTHDES, you should create
# a rule for them above, that's much faster.
 *                        : *       : *                : none
```

4. Map hostnames to IPs
Configure the hosts file:

```
[root@localhost dc]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.103 www.centos.vbird
192.168.56.105 client.centos.vbird
192.168.56.104 backup.centos.vbird
```

hostname shows that the name was not actually set, so set it again with hostnamectl:

```
[root@localhost dc]# hostname
localhost.localdomain
[root@localhost dc]# hostnamectl set-hostname www.centos.vbird
[root@localhost dc]# hostname
www.centos.vbird
```

5. Start all related services

```
[root@localhost dc]# cat /etc/sysconfig/yppasswdd
# The passwd and shadow files are located under the specified
# directory path. rpc.yppasswdd will use these files, not /etc/passwd
# and /etc/shadow.
#ETCDIR=/etc
 
# This option tells rpc.yppasswdd to use a different source file
# instead of /etc/passwd
# You can't mix usage of this with ETCDIR
#PASSWDFILE=/etc/passwd
 
# This option tells rpc.yppasswdd to use a different source file
# instead of /etc/passwd.
# You can't mix usage of this with ETCDIR
#SHADOWFILE=/etc/shadow
 
# Additional arguments passed to yppasswd
YPPASSWDD_ARGS="--port 1012"
[root@localhost dc]# systemctl status ypserv.service
● ypserv.service - NIS/YP (Network Information Service) Server
   Loaded: loaded (/usr/lib/systemd/system/ypserv.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@localhost dc]# systemctl start ypserv.service
[root@localhost dc]# systemctl enable ypserv.service
Created symlink from /etc/systemd/system/multi-user.target.wants/ypserv.service to /usr/lib/systemd/system/ypserv.service.
[root@localhost dc]# systemctl status ypserv.service
● ypserv.service - NIS/YP (Network Information Service) Server
   Loaded: loaded (/usr/lib/systemd/system/ypserv.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2022-08-05 08:07:36 EDT; 13s ago
 Main PID: 32494 (ypserv)
   Status: "Processing requests..."
   CGroup: /system.slice/ypserv.service
           └─32494 /usr/sbin/ypserv -f -p 1011
 
Aug 05 08:07:36 www.centos.vbird systemd[1]: Starting NIS/YP (Network Information Service) Server...
Aug 05 08:07:36 www.centos.vbird ypserv[32494]: WARNING: no securenets file found!
Aug 05 08:07:36 www.centos.vbird systemd[1]: Started NIS/YP (Network Information Service) Server.
[root@localhost dc]# systemctl status yppasswdd.service
● yppasswdd.service - NIS/YP (Network Information Service) Users Passwords Change Server
   Loaded: loaded (/usr/lib/systemd/system/yppasswdd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@localhost dc]# systemctl start yppasswdd.service
[root@localhost dc]# systemctl enable yppasswdd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/yppasswdd.service to /usr/lib/systemd/system/yppasswdd.service.
[root@localhost dc]# systemctl status yppasswdd.service
● yppasswdd.service - NIS/YP (Network Information Service) Users Passwords Change Server
   Loaded: loaded (/usr/lib/systemd/system/yppasswdd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2022-08-05 08:08:06 EDT; 9s ago
 Main PID: 32611 (rpc.yppasswdd)
   Status: "Processing requests..."
   CGroup: /system.slice/yppasswdd.service
           └─32611 /usr/sbin/rpc.yppasswdd -f --port 1012
 
Aug 05 08:08:06 www.centos.vbird systemd[1]: Starting NIS/YP (Network Information Service) Users Passwords Change Server...
Aug 05 08:08:06 www.centos.vbird yppasswdd-pre-setdomain[32606]: Setting NIS domain: 'vbirdnis' (environment variable)
Aug 05 08:08:06 www.centos.vbird systemd[1]: Started NIS/YP (Network Information Service) Users Passwords Change Server.
```

Check whether anything is abnormal:

```
[root@localhost dc]# rpcinfo -p localhost
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp   1011  ypserv
    100004    1   udp   1011  ypserv
    100004    2   tcp   1011  ypserv
    100004    1   tcp   1011  ypserv
    100009    1   udp   1012  yppasswdd
[root@localhost dc]# rpcinfo -u localhost ypserv
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting
```

6. Create the accounts and build the database

```
[root@localhost dc]# useradd -u 1001 nisuser1
[root@localhost dc]# useradd -u 1002 nisuser2
[root@localhost dc]# useradd -u 1003 nisuser3
[root@localhost dc]# vim /etc/passwd
[root@localhost dc]# echo password | passwd --stdin nisuser1
Changing password for user nisuser1.
passwd: all authentication tokens updated successfully.
[root@localhost dc]# echo password | passwd --stdin nisuser2
Changing password for user nisuser2.
passwd: all authentication tokens updated successfully.
[root@localhost dc]# echo password | passwd --stdin nisuser3
Changing password for user nisuser3.
passwd: all authentication tokens updated successfully.
[root@localhost dc]# /usr/lib64/yp/ypinit -m
 
At this point, we have to construct a list of the hosts which will run NIS
servers.  www.centos.vbird is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
    next host to add:  www.centos.vbird
    next host to add: 
The current list of NIS servers looks like this:
 
www.centos.vbird
 
Is this correct?  [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/vbirdnis/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/vbirdnis'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/vbirdnis'
 
www.centos.vbird has been set up as a NIS master server.
 
Now you can run ypinit -s www.centos.vbird on all slave server.
```

7. Firewall configuration

```
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
iptables -A INPUT -p UDP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
```

Save the configuration and schedule the restore task:

```
iptables-save > /root/my_iptables_seetings.rule
/usr/sbin/iptables-restore < /root/my_iptables_seetings.rule
[root@localhost html]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
 
# For details see man 4 crontabs
 
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
  *  *  *  *  * root /usr/sbin/iptables-restore < /root/my_iptables_seetings.rule
```

8. Client configuration
Install the required packages:

```
[root@localhost dc]# yum install ypbind
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.nju.edu.cn
 * extras: mirrors.ustc.edu.cn
 * updates: mirrors.ustc.edu.cn
base                                                            | 3.6 kB  00:00:00    
extras                                                          | 2.9 kB  00:00:00    
updates                                                         | 2.9 kB  00:00:00    
updates/7/x86_64/primary_db                                     |  16 MB  00:00:03    
Resolving Dependencies
--> Running transaction check
---> Package ypbind.x86_64 3:1.37.1-9.el7 will be installed
--> Processing Dependency: yp-tools for package: 3:ypbind-1.37.1-9.el7.x86_64
--> Running transaction check
---> Package yp-tools.x86_64 0:2.14-5.el7 will be installed
--> Finished Dependency Resolution
 
Dependencies Resolved
 
=======================================================================================
 Package             Arch              Version                   Repository       Size
=======================================================================================
Installing:
 ypbind              x86_64            3:1.37.1-9.el7            base             62 k
Installing for dependencies:
 yp-tools            x86_64            2.14-5.el7                base             79 k
 
Transaction Summary
=======================================================================================
Install  1 Package (+1 Dependent package)
 
Total download size: 142 k
Installed size: 299 k
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/base/packages/ypbind-1.37.1-9.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for ypbind-1.37.1-9.el7.x86_64.rpm is not installed
(1/2): ypbind-1.37.1-9.el7.x86_64.rpm                           |  62 kB  00:00:00    
(2/2): yp-tools-2.14-5.el7.x86_64.rpm                           |  79 kB  00:00:00    
---------------------------------------------------------------------------------------
Total                                                     209 kB/s | 142 kB  00:00    
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
 Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
 Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
 Package    : centos-release-7-9.2009.0.el7.centos.x86_64 (@anaconda)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : yp-tools-2.14-5.el7.x86_64                                          1/2
  Installing : 3:ypbind-1.37.1-9.el7.x86_64                                        2/2
  Verifying  : 3:ypbind-1.37.1-9.el7.x86_64                                        1/2
  Verifying  : yp-tools-2.14-5.el7.x86_64                                          2/2
 
Installed:
  ypbind.x86_64 3:1.37.1-9.el7                                                        
 
Dependency Installed:
  yp-tools.x86_64 0:2.14-5.el7                                                        
 
Complete!
[root@localhost dc]# yum install yp-tools
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.nju.edu.cn
 * extras: mirrors.ustc.edu.cn
 * updates: mirrors.ustc.edu.cn
Package yp-tools-2.14-5.el7.x86_64 already installed and latest version
Nothing to do
```

The setup command can be used to write the configuration files quickly.
Use yptest to verify the database.
Use ypwhich to check the number of maps in the database.
Use su - nisuser1 to switch to an NIS account.

References

  1. https://blog.csdn.net/m0_55754984/article/details/119177156 Kali virtual machine installation tutorial (very detailed)
  2. https://www.junmajinlong.com/virtual/network/virtualbox_net/ Understanding VirtualBox networking
  3. 《鸟哥的Linux私房菜》 (Vbird's Linux)
  4. http://bbs.chinaunix.net/thread-1990048-1-1.html What iptables -m state --state RELATED,ESTABLISHED means
  5. https://blog.csdn.net/MssGuo/article/details/120604176 hostname / hostnamectl: showing and setting the hostname
  6. https://blog.csdn.net/qq_39914597/article/details/114369086 Changing the default SSH remote port on Tianyi Cloud


Last edited on 2022-8-5 22:41 by 顾言庭, reason: