
4、安全的WEB和邮件服务器


标签:ca认证   邮件和web安全   

                                                                      CA        

一.Openssl对称加解密

1.加密

# openssl enc -e -des3 -in filea -out filea.enc    //filea是原文件名,filea.enc是加密出来的文件

2.解密

# openssl enc -d -des3 -in filea.enc -out new    //filea.enc是加密文件,new是解密出来的文件名

 

二.配置CA服务器      服务器端配置(192.168.1.3)

1..修改配置文件

[root@localhost ~]# cd /etc/pki/tls/

[root@localhost ~]#vim openssl.cnf

[ CA_default ]

 

dir             = /etc/pki/CA           # Where everything is kept

certs           = $dir/certs            # Where the issued certs are kept

crl_dir         = $dir/crl              # Where the issued crl are kept

database        = $dir/index.txt        # database index file.

#unique_subject = no                    # Set to 'no' to allow creation of

                                        # several certificates with same subject.

new_certs_dir   = $dir/newcerts         # default place for new certs.

 

certificate     = $dir/my-ca.crt      # The CA certificate

serial          = $dir/serial           # The current serial number

crlnumber       = $dir/crlnumber        # the current crl number

                                        # must be commented out to leave a V1 CRL

crl             = $dir/crl.pem          # The current CRL

private_key     = $dir/private/my-ca.key # The private key

RANDFILE        = $dir/private/.rand    # private random number file

 

[ req_distinguished_name ]

countryName                     = Country Name (2 letter code)

countryName_default             = CN 

countryName_min                 = 2

countryName_max                 = 2

 

stateOrProvinceName             = State or Province Name (full name)

#stateOrProvinceName_default    = Bejing

 

localityName                    = Locality Name (eg, city)

localityName_default                  = Bejing

 

0.organizationName              = Organization Name (eg, company)

0.organizationName_default      = wsyht

 

2.创建相应的文件和目录 

# cd /etc/pki/CA

[root@localhost CA]# touch  index.txt

[root@localhost CA]# echo 01 > serial

 

3.生成CA私钥文件  

[root@localhost CA]# openssl genrsa -des 2048 > private/my-ca.key    //2048可省略,但建议显式指定位数,以免落到默认值

[root@localhost CA]#  chmod 600 private/my-ca.key

 

4.根据私钥生成公钥:

[root@localhost CA]# openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt

需要输入保护私钥的密码。提示的问题中,国家、省份、城市、公司名这四项必须和openssl.cnf中设置的完全一致,否则签发会失败;最后的部门名、服务器名、Email可以随便写。

部门名可以写:security   hostname:caserver.wsyht.com   Email:admin@wsyht.com

 

5.web服务器配置(192.168.1.2)

# cd /etc/pki/tls/private

# openssl genrsa 2048 > www.key    //不设置私钥口令

# chmod 600 www.key

# openssl req -new -key www.key > ~/www.csr  //生成证书请求(含公钥)

CN -> Bejing -> Bejing -> wsyht -> 填部门 -> 填服务器名 -> 填邮箱 -> 回车 -> 回车

# ll www.csr

# openssl req -in www.csr -noout -text

# scp www.csr 192.168.1.3:/root

 

6.CA签发证书   服务器端配置(192.168.1.3)

# openssl req -in www.csr -noout -text

# openssl ca -in www.csr -out www.crt

# 回车 -> y -> y

验证

# ls -l www.c*

# openssl x509 -in www.crt -noout -text

# scp www.crt 192.168.1.2:/root

# cat /etc/pki/CA/index.txt

# cat /etc/pki/CA/serial

# md5sum /etc/pki/CA/newcerts/01.pem    //与下面 ~/www.crt 的md5值应一致

# md5sum ~/www.crt

 

7.WEB服务器下载证书并且部署     服务端配置(192.168.1.2)

将证书拷贝到/etc/pki/tls/certs

[root@localhost tls]# cp ~/www.crt /etc/pki/tls/certs

安装mod_ssl

# yum -y groupinstall 'web-server'   或单装   yum -y install mod_ssl

# vim /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/www.crt

SSLCertificateKeyFile /etc/pki/tls/private/www.key

:wq

8.重启WEB服务器

# service httpd restart

 

9.客户端访问(192.168.1.4)

# vim /etc/hosts      

192.168.1.2 www.wsyht.com

:wq

https://www.wsyht.com

提示证书不受信任,因为客户端没有信任CA

客户端将CA的根证书导入浏览器的受信任根证书后,再次访问就不会再有提示

 

10. 服务器端配置(192.168.1.3)

# cp /etc/pki/CA/my-ca.crt /var/www/html

# service httpd restart

# 客户端浏览器访问 http://192.168.1.3/my-ca.crt 下载并导入根证书

 

11 .客户端再次访问显示正常(192.168.1.4)

https://www.wsyht.com

 

12. web服务器上调整httpd配置       (192.168.1.2)

当访问http协议时,自动跳转到https,在ssl.conf中加入如下三行

# vim /etc/httpd/conf.d/ssl.conf

# /SSLRandomSeed connect builtin  //查找这行,在这行下面添加下面三行

# RewriteEngine on

# RewriteCond  %{SERVER_PORT}  !^443$

# RewriteRule   (.*)  https://%{SERVER_NAME}/$1  [R]

# :wq

# httpd -t      //检查配置语法有没有错误

# service httpd restart

 

13.客户端直接访问(192.168.1.4)

www.wsyht.com

自动跳转到 https://www.wsyht.com

在工具栏->首选项->高级->查看证书(firefox)

 

安全的邮件服务器

一.  邮件服务器申请证书

证书的申请与签发与WEB服务器完全一样

Open relay 开放中继

SOA 起始授权

$TTL      86400    //缓存时间 86400代表一天

NS 名称服务器

A 名称–> IP

PTR 反向 IP -> 名称

MX 邮件交换

CNAME别名

FQDN=主机名.域名后缀

FQDN:完全限定域名/完全合格域名/全称域名

 

192.168.1.3服务器

yum install -y bind bind-chroot

service named start

cd /var/named/chroot/etc

vim named.conf

listen-on port 53 { any; };

listen-on-v6 port 53 { any; };

allow-query { any; }

:wq

# vim named.rfc1912.zones

zone "wsyht.com" IN {

       type master;

       file "wsyht.com.zone";

       allow-update { none; };

};

# cd ../var/named/

# vim wsyht.com.zone

$TTL      86400

@    IN   SOA       ns.wsyht.com. root.wsyht.com. (

                                          2014100401

                                          3H

                                          15M

                                          1W

                                          1D)

              IN   NS          ns.wsyht.com.

              IN  MX 10 mail.wsyht.com.    //末尾的点不能少,否则会被补全为 mail.wsyht.com.wsyht.com

 ns        IN  A        192.168.1.3

www       IN  A           192.168.1.2

mail       IN   A            192.168.1.3

:wq

named-checkzone wsyht.com wsyht.com.zone

# service named restart

# setup

DNS 192.168.1.3

# cat /etc/resolv.conf

# nslookup www.wsyht.com

# chgrp named wsyht.com.zone

# chmod 640 wsyht.com.zone

服务器192.168.1.4 修改如下内容

三.配置postfix,下面只列出了改动的部分

# netstat -tulnp | grep :25

# cd /etc/postfix

# postconf -d    //列出所有配置项的默认值

# postconf -d | wc -l

# vim main.cf

myhostname = mail.wsyht.com

mydomain = wsyht.com

myorigin = $mydomain

inet_interfaces = all

# inet_interfaces = all

# inet_interfaces = $myhostname, localhost

# inet_interfaces = localhost

mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost

home_mailbox=Maildir/

:wq

service postfix restart

# service postfix restart

 

192.168.1.4 服务器

vim /etc/sysconfig/network-scripts/ifcfg-eth0

IPADDR=192.168.1.4

PREFIX=24

DNS1=192.168.1.3

:wq

# service network restart

# cat /etc/resolv.conf

# cd /etc/postfix

# nslookup

> set type=mx

> wsyht.com

> set q=a

> mail.wsyht.com

> set type=soa

> wsyht.com

> set type=ns

> wsyht.com

setup - > 防火墙关闭

setenforce 0    //临时将SELinux切到permissive,仅用于实验排错

 

Windows 客户端(192.168.1.5)

Ctrl+r

  telnet 192.168.1.4 25

  helo sdf

mail from:zhangsan@126.com

rcpt to:root@wsyht.com

data

然后这行随便写,sfjslfjslfjslfjsflsaj

quit

 

192.168.1.4服务器

postqueue –p

cd Maildir

ls new

vim new/45546464

cd /etc/pki/tls/private

(umask 077; openssl genrsa 2048 > mail.key)    //括号内的umask只在该子shell中临时生效,生成的私钥权限为600

# openssl req -new -key mail.key > ~/mail.csr

CN

Bejing

Bejing

wsyht

tecn

mail.wsyht.com

admin@wsyht.com

回车

回车

# cd

# openssl req -in mail.csr -noout -subject    //查看请求的subject(主机名等信息)

# scp mail.csr 192.168.1.3:/root

 

192.168.1.3服务器

# openssl ca -in mail.csr -out mail.crt

密码 -> y-> y

# ll mail.crt

# openssl x509 -in mail.crt -noout -subject

# scp mail.crt 192.168.1.4:/root

# cp mail.crt /etc/pki/tls/certs/

# scp 192.168.1.3:/var/www/html/my-ca.crt /etc/pki/tls/certs/

 

192.168.1.4 服务器配置

# cd /etc/postfix

# vim main.cf

smtpd_use_tls = yes

smtpd_tls_CAfile = /etc/pki/tls/certs/my-ca.crt

smtpd_tls_cert_file =/etc/pki/tls/certs/mail.crt

smtpd_tls_key_file =/etc/pki/tls/private/mail.key

:wq

# service postfix restart

# postconf –d | grep smtpd | grep tls

# postconf -e 'smtpd_use_tls = yes'

 

服务器192.168.1.4

配置dovecot

# yum install -y dovecot

# vim /etc/dovecot/conf.d/10-ssl.conf

#ssl = yes

ssl_cert = </etc/pki/tls/certs/mail.crt

ssl_key = </etc/pki/tls/private/mail.key

# vim /etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:~/Maildir

# service dovecot restart

 

.配置客户端outlook  (windows )

其他设置中把安全接收勾选,SMTP用的安全方式为TLS

 c:\windows\System32\drivers\etc\hosts

192.168.1.4 mail.wsyht.com    //Outlook 连接的主机名要与邮件证书的 CN(mail.wsyht.com)一致,否则会提示证书名称不匹配

 

 

扫描

# yum -y install nmap

# man nmap

# nmap -sP 192.168.1.0/24   ping扫描(只做主机发现,不扫端口)

# nmap –A 192.168.1.10    目标系统全面分析

# nmap -sT 192.168.1.2     TCP连接扫描(完整三次握手,全开)

     -sU   UDP扫描

          -sS     TCP SYN扫描(半开)

 

yum -y install wireshark wireshark-gnome

 

tcpdump [选项] [过滤条件]

tcpdump -i eth0 -A 'dst host 192.168.1.2'

tcpdump –i    指定监控的网络接口

              -A   转换为ASCII  以方便阅读

              -w   将数据包信息保存到指定文件

              -r    从指定文件读取数据包信息

tcpdump -i eth0 -A 'dst host 192.168.1.2' -w mypak

Tcpdump的过滤条件

类型: host net port portrange

方向: src dst

协议: tcp udp ip wlan arp ……

多个条件组合

and or not

 

tcpdump -i eth0 -w mypak 'dst host 192.168.1.2'

 

本文出自 “wsyht的博客” 博客,请务必保留此出处http://wsyht2015.blog.51cto.com/9014030/1790280


原文地址:http://wsyht2015.blog.51cto.com/9014030/1790280
