image.png

image.png
image.png
image.png
image.png
image.png
image.png

①对称加密(同一密钥)

②非对称加密(公钥和私钥)

③哈希算法(单向生成摘要)

创建私有CA

  1. [root@cent8 ~]$ echo welcom to learn ssl > /var/www/html/index.html
  3. ★创建CA相关目录和文件
  5. [root@cent8 /etc/pki/CA]$ touch /etc/pki/CA/index.txt
  6. [root@cent8 /etc/pki/CA]$ echo 01 > /etc/pki/CA/serial
  8. ★创建CA的私钥
  10. [root@cent8 /etc/pki/CA]$ openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
  11. Generating RSA private key, 2048 bit long modulus (2 primes)
  12. ..............................................................................................................................+++++
  13. ..................................................+++++
  14. e is 65537 (0x010001)
  16. ★创给CA颁发自签名证书
  18. [root@cent8 /etc/pki/CA]$ openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
  19. You are about to be asked to enter information that will be incorporated
  20. into your certificate request.
  21. What you are about to enter is what is called a Distinguished Name or a DN.
  22. There are quite a few fields but you can leave some blank
  23. For some fields there will be a default value,
  24. If you enter '.', the field will be left blank.
  25. -----
  26. Country Name (2 letter code) [XX]:CN
  27. State or Province Name (full name) []:beijing 
  28. Locality Name (eg, city) [Default City]:beijing
  29. Organization Name (eg, company) [Default Company Ltd]:mage
  30. Organizational Unit Name (eg, section) []:test
  31. Common Name (eg, your name or your server's hostname) []:zyy 
  32. Email Address []:2298@qq.com
  34. [root@cent8 /etc/pki/CA]$ tree
  35. .
  36. ├── cacert.pem
  37. ├── certs
  38. ├── crl
  39. ├── index.txt
  40. ├── newcerts
  41. ├── private
  42. │   └── caky.pem
  43. └── serial
  45. [root@cent8 /etc/pki/CA]$ sz /etc/pki/CA/cacert.pem(改为.crt后缀)
  1. ★用户生成私钥
  2. openssl genrsa -out app1/app1.key
  4. ★用户生成证书申请文件
  5. [root@cent8 ~]$ openssl req -new -key app1/app1.key -out app1/app1.csr
  6. You are about to be asked to enter information that will be incorporated
  7. into your certificate request.
  8. What you are about to enter is what is called a Distinguished Name or a DN.
  9. There are quite a few fields but you can leave some blank
  10. For some fields there will be a default value,
  11. If you enter '.', the field will be left blank.
  12. -----
  13. Country Name (2 letter code) [XX]:CN
  14. State or Province Name (full name) []:beijing
  15. Locality Name (eg, city) [Default City]:beijing
  16. Organization Name (eg, company) [Default Company Ltd]:mage
  17. Organizational Unit Name (eg, section) []:learn
  18. Common Name (eg, your name or your server's hostname) []:zyy
  19. Email Address []:zhuyuanyuan
  20. Please enter the following 'extra' attributes
  21. to be sent with your certificate request
  22. A challenge password []:zhuyuany
  23. An optional company name []:magee
  25. ★CA证书颁发
  26. openssl ca -in app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 365
  27. sz /etc/pki/CA/certs/app1.crt

ssh服务器配置

1.在ubuntu上启用root远程ssh登录
2.解决ssh登录缓慢的问题

服务器端的配置文件: /etc/ssh/sshd_config
Port
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes #######默认ubuntu不允许root远程ssh登录
prohibit-password
StrictModes yes #检查.ssh/文件的所有者,权限等
MaxAuthTries 6 #
MaxSessions 10 #同一个连接最大会话
PubkeyAuthentication yes #基于key验证
PermitEmptyPasswords no #空密码连接
PasswordAuthentication yes #基于用户名和密码连接
GatewayPorts no
ClientAliveInterval 10 #单位:秒
ClientAliveCountMax 3 #默认3
UseDNS yes ##############提高速度可改为no
GSSAPIAuthentication yes ##############提高速度可改为no
MaxStartups #未认证连接最大值,默认值10
Banner /path/file
#以下可以限制可登录用户的办法:
AllowUsers user1 user2 user3
DenyUsers
AllowGroups
DenyGroups

PAM

模块文件目录 /lib64/security/
特定模块配置 /etc/security/module_name.conf

通用配置文件一般无 /etc/pam.conf
应用模块的专用配置 /etc/pam.d/app_name

时间同步服务

#私有服务端
[root@cent-8 ~]$ yum install chrony -y;systemctl enable --now chronyd
[root@cent-8 ~]$ vim /etc/chrony.conf
server time1.cloud.tencent.com iburst
server time2.cloud.tencent.com iburst
allow 10.0.0.0/24
[root@cent-8 ~]$ systemctl restart chronyd
[root@cent8 ~]$ chronyc accheck 10.0.0.18
208 Access allowed

#私有客户端
[root@cent-8 ~]$ yum install chrony -y;systemctl enable --now chronyd
[root@cent-8 ~]$ ss -untl
udp     UNCONN   0        0               127.0.0.1:323             0.0.0.0:*      
udp     UNCONN   0        0                   [::1]:323                [::]:* 

[root@cent-8 ~]$ date -s "2016-09-10 14:24:34"

[root@cent-8 ~]$ vim /etc/chrony.conf
server 10.0.0.8
[root@cent-8 ~]$ chronyc sources -v
210 Number of sources = 1

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* 10.0.0.8                      3   6    37    28  +1461ns[  +95us] +/-   30ms
[root@cent-8 ~]$ date
Wed Nov 17 01:11:31 CST 2021