CA
一.Openssl对称加解密
二.1.加密
# openssl enc –e –des3 –in filea –outfilea.enc //filea是文件名,filea.enc是加密出来的文件
2.解密
# openssl enc –d –des3 –in filea.enc –outnew //filea.enc是加密文件,new是解密出来的文件名
二.配置CA服务器 服务器端配置(192.168.1.3)
1..修改配置文件
[root@localhost ~]# cd /etc/pki/tls/
[root@localhost ~]#vim openssl.cnf
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to ‘no‘ to allowcreation of
#several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/my-ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must becommented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/my-ca.key# The private key
RANDFILE = $dir/private/.rand # private random number file
[ req_distinguished_name ]
countryName = Country Name (2 lettercode)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (fullname)
#stateOrProvinceName_default = Bejing
localityName = Locality Name (eg, city)
localityName_default = Bejing
0.organizationName = Organization Name (eg, company)
0.organizationName_default = wsyht
2.创建相应的文件和目录
# cd /etc/pki/CA
[root@localhost CA]# touch index.txt
[root@localhost CA]# echo 01 > serial
3.生成CA私钥文件
[root@localhost CA]# openssl genrsa –des 2048 >private/my-ca.key //2048加不加亦可
[root@localhost CA]# chmod 600 private/my-ca.key
4.根据私钥生成公钥:
[root@localhost CA]# openssl req -new -x509-key private/my-ca.key -days 365 > my-ca.crt
需要保护私钥的密码。提示的问题,国家、城市、省份、公司名这四项必段和openssl.cnt中设置的完全一致,最后一个部门名随便写,服务器名随便写,Email随便写,否则会失败。
部门名可以写:securityhostname:caserver.wsyht.com Email:admin@wsyht.com
5.web服务器配置(192.168.1.2)
# cd/etc/pki/tls/privte
# openssl genrsa 2048 > www.key //不设置私钥口令
# chmod 600 www.key
# openssl req –new –key www.key > ~/www.csr //公钥
CN –> Bejing –> Bejing -> wsyht ->填部门 -> 填服务器名 -> 填邮箱 –> 回车à回车CN
# ll.www.csr
# openssl req –in www.csr–noout –text
# scp www.csr192.168..1.3:/root
6.CA签发证书 服务器端配置(192.168.1.3)
# openssl req -in www.csr -noout -text
# openssl ca –in www.csr–out www.crt
# 回车 -> y -> y
验证
# ls –l www.c*
# openssl x509 –in www.crt–noout –text
# scp www.crt192.168.1.2:/root
# cat/etc/pki/CA/intext
#cat /etc/pki/CAserial
# md5sum /etc/pik/CA/newcerts/01.pen
# md5sum ~/www.crt
7.WE 服务器下载证书并且布署 服务端配置(192.168.1.2)
将证书拷贝到/etc/pki/tls/certs
[root@localhost tls]# cp ~/www.crt /etc/pki/tls/certs
安装mod.ssl
# yum –y groupinstall ‘web -server’ 或单装 yum –y install mod_ssl
# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile/etc/pki/tls/certs/www.crt
SSLCertificatekeyFile/etc/pki/tls/private/www.key
:wq
8重启WEB服务器
# service httpd restart
9.客户端访问(192.168.1.4)
# vim /etc/hosts
192.168.1.2 www.wsyht.com
:wq
提示证书不受信任,因为客户端没有信任CA
客户端将CA的根装书装上,再次访问就不会再有提示
10. 服务器端配置(192.168.1.3)
# cp /etc/pki/CA/my-ca.crt /var/www/html
# service httpd restart
# 192.168.1.3/my-ca.crt
11 .客户端再次访问显示正常(192.168.1.4)
12. web服务器上调整httpd配置 (192.168.1.2)
当访问http协义时,自动跳转到https,在ssl.conf 中加入如下三行
# vim /etc/httpd/conf.d/ssl.conf
# /SSLRandomSeed connect builtin //查找这行,在这行下面添加下面三行
# RewriteEngine on
# RewriteCond %{SERVER_PORT} !^443$
#RewriteRule (.*) https//%{SERVER_NAME}/$1 [R]
# :wq
#httpd –t //检查语法看看有没有错误
# service httpd restart
13.客户端直接访问(192.168.1.4)
自动跳转到https:www.wsyht.com
在工具栏->首选项->高级->查看证书(firefox)
安全的邮件服务器
一. 邮件服务器申请证书
证书的申请与签发与WEB服务器完全一样
Open relay 开放中继
SOA 起始授权
$TTL 86400 //缓存时间 86400代表一天
NS 名称服务器
A 名称–> IP
PTR 反向 IP -> 名称
MX 邮件交换
CNAME:别名
FQDN=主机名.域名后缀
FQDN:完全限定域名/完全合格域名/全称域名
192.168.1.3服务器
yum install -y bind bind-chroot
service named start
cd /var/named/chroot/etc
vim named.conf
listen–on port 53 { any; }
listen–on –v6 port 53 { any; }
allow-query { any; }
:wq
# vim named.rfc1912.zones
zone “wsyht.com” IN {
typemaster;;
file“wsyht.com.zone”;
aloow-update{ none; };
}
# cd ../var/named/
# vim wsyht.com.zone
$TTL 86400
@ IN SOA ns.wsyht.com. root.wsyht.com. (
2014100401
3H
15M
1W
1D)
IN NS ns.wsyht.com.
IN MX 10 mail.wsyht.com
ns IN A 192.168.1.3
www IN A 192.168.1.2.
mail IN A 192.168.1.3
:wq
named-checkzone wsyht.com wsyht.com.zone
# service namd restart
# setup
DNS 192.168.1.3
# cat /etc/resllv.conf
# nslookup www.wsyht.com
# chgrp named wsyht.com.zone
# chmod 640 wsyht.com.zone
服务器192.168.1.4 修改如下内容
三.配置potfix,下面只列出了改动的部分
# netstat -tulnp | grep :25
# cd /etc/postfix
# postfconf–d //所有的配置项
# postfconf –d | wc –l
# vim main.cf
myhostname = mail.wsyht.com
mydomain = wsyht.com
myorigin = $mydomin
inet_interfaces = all
# inet_interfaces = all
# net_interfaces = #myhostname,localhost
# inet_interfaces = localhost
mydestination = $mydomain,,$myhostname, localhost。$mydomain, localhost
home_mailbox=Maildir/
:wq
service postfix restart
# service postfix restart
192.168.10.4
vim/etc/sysconfig/network-scripts/ifcfg-eth0
IPADDR=192.168.1.4
PREFIX=24
DNS1=192.168.1.3
:wq
# service network restart
# cat /etc/resolv.conf
# cd /etc/postfix
# nslookup
> set type=mx
> wsyht.com
> set q=a
> mail.wsyht.com
> set type=soa
> wsyht.com
> set type=ns
> wsyht.com
setup - > 防火墙关闭
Setenforce 0
Windows 客户端(192.168.1.5)
Ctrl+r
telnet 192.168.1.4 25
hellow sdf
mailfrom:zhangsan.@126.com
rcpt to:root@wsyht.com
data
然后这行随便写,sfjslfjslfjslfjsflsaj
quit
192.168.1.4服务器
postqueue –p
cd Maildir
ls new
vim new/45546464
cd /etc/pki/tls/private
(umask 077;openssl genrsa 2048 > mail.key) 括号里面写Umask指临时修改Umask
# openssl req –new –key mail.key >~/mail.csr
CN
Bejing
Bejing
wsyht
tecn
mail.wsyht.com
回车
回车
# cd
# opnessl req –in mail.csr –noout –subject(subject主机)
#scp mail.csr 192.168.1.3:/root
192.168.1.3服务器
# openssl ca –in mail.csr –out mail.crt
密码 -> y-> y
# ll mail.crt
# opensll x509 –in mail.crt –noout –subject
#scp mail.crt 192.16810.4:/root
# cp mail.crt /etc/pki/tls/certs/
#scp 192.168.10.3:/var/www/html/my-ca.crt/etc/pki/tls/certs/
192.168.1.4 服务器配置
# cd /etc/postfix
# vim main.cf
smtpd_use_tls = yes
smtpd_tls_CAfile = /etc/pki/tls/certs/my-ca.crt
smtpd_tls_cert_file =/etc/pki/tls/certs/mail.crt
smtpd_tls_key_file =/etc/pki/tls/private/mail.key
:wq
# service postfix restart
或
# postconf –d | grep smtpd | grep tls
# postconf –e ‘smtpd_use_tls= yes’
服务器192.168.1.4
配置dovecot
# yuminstall –y dovecot
# vim /etc/dovecot/conf.d/10-ssl.conf
#ssl = yes
ssl_cert = </etc/pki/tls/certs/mail-crt
ssl_key = </etc/pki/tls/private/mail.key
# vim /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
# service dovecot restart
五.配置客户端outlook (windows )
其他设置中把全安接收勾选,STMP用的安全方式为TLS
c:\windwos\System32\drivers\etc
192.168.1.4 www.wsyht.com
扫描
# yum –y install nmap
# man nnmap
# nmap –sP 192.168.1.0/24 TCP SYN扫描半开
# nmap –A 192.168.1.10 目标系统全面分析
# nmap -sT192.168.1.2 TCP SYN扫描 半开
-sU UDP扫描
Ss TCPSYN扫描 (半开)
yum –y install wireshark wires-gnome
tcpdump [选项] [过滤条件]
tcpdump –i eth0 A ‘dst host192.168.1.2’
tcpdump –i 指定监控的网络接口
-A 转换为ACSII码 以方便阅读
-W 将数据包信息保存到指定文件
-r 从指定文件读取数据包信息
tcpdump –i eth0 A ‘dst host192.168.1.2’ –w mypak
Tcpdump的过滤条件
类型: host netport portange
方向: src dst
协议 tcp udp ipwlan arp ……
多个条件组合
and or not
tcpdump –i eth0 –w mypak ‘dsthost 192.168.1.2 ’
本文出自 “wsyht的博客” 博客,请务必保留此出处http://wsyht2015.blog.51cto.com/9014030/1790280
原文地址:http://wsyht2015.blog.51cto.com/9014030/1790280