Preparation:
systemctl set-default graphical.target
reboot
Or switch to the graphical target without a reboot: systemctl isolate graphical.target
ifconfig    (check the IP address; ip addr works too)
cat /etc/resolv.conf    (check DNS)
hostname    (check the hostname)
The firewall tasks below use firewalld, so make sure the legacy iptables/ebtables services cannot start and load their own rule sets alongside it:
systemctl stop iptables
systemctl disable iptables
systemctl mask iptables
systemctl stop ebtables
systemctl disable ebtables
systemctl mask ebtables
-----------------------------------------------------------------------
Configure yum
vim /etc/yum.repos.d/server.repo
[base]
name=redhat
baseurl=file:///mnt    (in the exam, write the http://…… URL you are given)
enabled=1
gpgcheck=0    (disables package signature checking; acceptable only for the exam's own mirror, never for a production repo)
-----------------------------------------------------------------------
1. SELinux
SELinux has three modes; run server30 and desktop30 in enforcing mode
vim /etc/sysconfig/selinux
SELINUX=enforcing
yum -y install setr*    (setroubleshoot, handy for reading AVC denials in the later tasks; optional)
reboot    (a reboot is only required if SELinux was disabled; from permissive, setenforce 1 switches immediately and the file keeps it after reboot)
Check: getenforce must print Enforcing
--------------------------------------------------------------------------------------------------------------------------------
2. Configure SSH
Users must be able to reach both of your virtual machines over SSH from clients in the example.com domain
Clients in the my133t.org domain must not be able to reach either virtual machine
(In this lab example.com is 172.16.30.0/24 and my133t.org is 172.17.30.0/24. Do this on both machines.)
firewall-cmd --remove-service=ssh --permanent
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=ssh accept' --permanent
firewall-cmd --reload
firewall-cmd --list-all    (the rich rule must be listed: after the reload it is the only thing that still allows SSH, and both changes are permanent so they take effect together)
-----------------------------------
Second layer, TCP wrappers (sshd on RHEL 7 is linked against libwrap; this covers only libwrap-aware services, firewalld remains the primary control):
vim /etc/hosts.deny
sshd : 172.17.30.0/255.255.255.0    (the "attacking" domain)
--------------------------------------------------------------------------------------------------------------------------------
3. Command alias and IP forwarding
On server30 and desktop30 create a custom command psa that runs /bin/ps aux; the command must be available to every user on the system
vim /etc/bashrc
alias psa='/bin/ps aux'
. /etc/bashrc    (re-read it in the current shell; new logins pick it up on their own)
----------------------------------------------------------
IP forwarding:
vim /usr/lib/sysctl.d/00-system.conf
net.ipv4.ip_forward = 1
sysctl -p /usr/lib/sysctl.d/00-system.conf
Check: sysctl net.ipv4.ip_forward must print 1. Note that /usr/lib/sysctl.d is the package-owned directory and an update can overwrite it; local settings belong in /etc/sysctl.d/ (for example /etc/sysctl.d/99-forward.conf), which takes precedence.
---------------------------------------------------------------------------------------------------------------------------------
4. Port forwarding
On server30 configure port forwarding so that systems in 172.16.30.0/24 connecting to local port 5423 on server30 are forwarded to port 80; the setting must be permanent
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 forward-port port=5423 protocol=tcp to-port=80' --permanent
firewall-cmd --reload
Check from a client in 172.16.30.0/24 once the web server of task 12 is up: curl -I http://server30.example.com:5423/ should answer like port 80
---------------------------------------------------------------------------------------------------------------------------------
5. Configure link aggregation between server30 and desktop30
The link uses the interfaces slave1 and slave2
The link must keep working after one interface fails
The link uses the address 192.168.0.11/24 on server30
The link uses the address 192.168.0.10/24 on desktop30
The link must still be up after a reboot
(eno33600 and eno55778 are the two spare NICs on this lab VM; substitute your own. The team-slave profiles below are all those NICs need: do not create separate ethernet profiles for them as well, or NetworkManager may activate the ethernet profile instead of the team slave.)
nmcli connection show
nmcli connection add con-name team0 type team ifname team0 config '{"runner":{"name":"activebackup"}}'
nmcli connection modify team0 ipv4.addresses "192.168.0.11/24"    (192.168.0.10/24 on desktop30)
nmcli connection modify team0 ipv4.method manual connection.autoconnect yes
nmcli connection add con-name slave1 ifname eno33600 type team-slave master team0
nmcli connection add con-name slave2 ifname eno55778 type team-slave master team0
nmcli connection show
nmcli connection up team0
nmcli connection up slave1
nmcli connection up slave2
ifconfig team0    (or teamdctl team0 state, which also shows which port is active)
nmcli connection down slave1
Test: keep a ping to the other host running while taking slave1 down; after at most a couple of timeouts it continues over slave2
--------------------------------------------------------------------------------------------------------------------------
6. Configure the interfaces on your exam systems: use the following IPv6 addresses on your default NIC
server30's address must be fd00:ba5e:ba11:10::10/64
desktop30's address must be fd00:ba5e:ba11:10::11/64
Both systems must be able to communicate with systems on the network of fd00:ba5e:ba11:10::fe
The addresses must survive a reboot
Both systems keep their current IPv4 addresses and must still communicate over them
(eth0 below is the name of the default NIC's connection profile; check it with nmcli connection show)
server30:
nmcli connection modify eth0 ipv6.addresses "fd00:ba5e:ba11:10::10/64"
nmcli connection modify eth0 ipv6.method manual connection.autoconnect yes
systemctl restart network    (or nmcli connection up eth0)
systemctl enable network
desktop30:
nmcli connection modify eth0 ipv6.addresses "fd00:ba5e:ba11:10::11/64"
nmcli connection modify eth0 ipv6.method manual connection.autoconnect yes
systemctl restart network
systemctl enable network
Test:
ping6 fd00:ba5e:ba11:10::fe
ping the other host's IPv4 address as well, to confirm nothing IPv4 was lost
--------------------------------------------------------------------------------------------------------------------------------
7. Configure the mail service (postfix) on server30
The system must not accept mail from outside (it listens on 127.0.0.1 only)
Any mail sent locally on the system is routed to ldap.example.com
Mail sent from the system appears to come from example.com
You can verify your configuration at http://ldap.example.com/email/dave
Mail sent to harry must also be received by natasha
rpm -q postfix
systemctl restart postfix
systemctl enable postfix
firewall-cmd --add-service=smtp --permanent    (not actually required: with inet_interfaces = localhost nothing listens on the network, which is what the first requirement asks for)
firewall-cmd --reload
vim /etc/postfix/main.cf
inet_interfaces = localhost
mydestination =
myorigin = example.com
relayhost = [ldap.example.com]
mynetworks = 127.0.0.0/8
:wq!
postfix check    (syntax check before the restart)
systemctl restart postfix
vim /etc/aliases
harry: harry,natasha    (append as the last line)
:wq!
newaliases
Caveat: /etc/aliases is consulted only by the local delivery agent. With mydestination left empty, example.com is not a local domain, so mail for harry is handed to ldap.example.com unchanged and the alias on server30 never fires. The alias requirement only works if the domain is still listed in mydestination (the default is $myhostname, localhost.$mydomain, localhost).
echo test | mail -s "test" dave    (mail(1) comes from the mailx package)
firefox http://ldap.example.com/email/dave    (check dave's mail in the browser)
Alternatively:
wget http://ldap.example.com/email/dave
cat dave    (wget saved the page to a file named dave in the current directory; /var/spool/mail/dave on server30 stays empty because the mail was relayed)
---------------------------------------------------------------------------------------------------------------------------------
8. Configure the SAMBA service on server30
Your samba server must be a member of the STAFF workgroup
Share the directory /common with the share name common
Only clients in the example.com domain may access the common share
common must be browseable
User natasha must be able to read the contents of the share; the password, if needed, is redhat
server30:
yum -y install samba*
systemctl restart smb nmb
systemctl enable smb nmb
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=samba accept' --permanent
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=samba-client accept' --permanent    (samba-client is for the client side; the server only needs samba)
firewall-cmd --reload
(The subnet in the rich rule is what enforces "example.com only". Adding hosts allow = 172.16.30. to [global] in smb.conf enforces the same thing inside Samba itself.)
getsebool -a | grep samba | grep dir
setsebool -P samba_enable_home_dirs 1    (only affects [homes]; not needed for /common, but harmless)
mkdir /common
chcon -Rt samba_share_t /common    (chcon does not survive a relabel; the persistent form is semanage fcontext -a -t samba_share_t '/common(/.*)?' followed by restorecon -Rv /common)
vim /etc/samba/smb.conf
workgroup = STAFF    (in [global], around line 89)
[common]
path = /common
browseable = yes
valid users = natasha
:wq!
testparm    (checks the syntax and prints the effective share definitions)
id natasha    (if the user does not exist, create it)
useradd natasha
smbpasswd -a natasha
systemctl restart smb nmb
pdbedit -L    (lists the users in the Samba password database)
Test:
desktop30:
yum -y install samba-client cifs*
smbclient -L 172.16.30.130 -U natasha    (lists the shares; common must appear)
mkdir /test
mount -t cifs -o username=natasha //172.16.30.130/common /test
After natasha mounts the share on /test she can read its contents but cannot create files, because the share is not writable
-------------------------------------------------------------------------------------------------------------------------------
9. Configure a multiuser samba mount
On server30 share the directory /devops via samba
The share name is share
The share may only be used by clients in the example.com domain
The share share must be browseable
User kenji has read access to the share; the password is redhat
User chihiro has read and write access to the share; the password is redhat
The share is mounted permanently on desktop30 at /aaa, authenticating as kenji, and any user can temporarily gain write access by authenticating as chihiro
(The firewall already allows samba from the previous task, so nothing needs to be changed there.)
server30:
mkdir /devops
chcon -Rt samba_share_t /devops
vim /etc/samba/smb.conf
[share]
path = /devops
browseable = yes
valid users = kenji,chihiro
writable = no
write list = chihiro
:wq!
useradd kenji
useradd chihiro
setfacl -m u:kenji:r-x /devops
setfacl -m u:chihiro:rwx /devops    (Samba enforces write list, but the Unix permissions must also allow chihiro to write)
smbpasswd -a kenji
smbpasswd -a chihiro
systemctl restart smb
desktop30:
yum -y install samba-client cifs*
mkdir /aaa
smbclient -L //172.16.30.130/ -U kenji
vim /etc/fstab
//172.16.30.130/share /aaa cifs defaults,multiuser,username=kenji,password=redhat,sec=ntlmssp 0 0
:wq!
(/etc/fstab is world-readable, so the password in it is too. The mount.cifs option credentials=/root/smb-cred, pointing at a mode 600 file containing the lines username=kenji and password=redhat, keeps it out of fstab.)
mount -a    (check that it mounts)
useradd user1
su - user1
cifscreds add -u chihiro 172.16.30.130
cd /aaa
touch file.txt    (if the file can be created, the multiuser mount works)
----------------------------------------------------------------------------------------------------------------------
10. Configure the NFS service on server30
Share /public read-only, accessible only to users in example.com
Share /protected read-write, accessible to users in example.com
Access to /protected must be secured with Kerberos; you can use the key from http://ldap.example.com/pub/server30.keytab
The directory /protected must contain a subdirectory named project owned by guest2001
User guest2001 must have read-write access to /protected/project
server30 configuration:
yum -y install sssd* authconfig* krb5*
authconfig-gtk    (join the LDAP/Kerberos domain with these values:)
LDAP search base: dc=example,dc=com
LDAP server: ldap://ldap.example.com
CA certificate: http://ldap.example.com/pub/EXAMPLE-CA.crt
Realm: EXAMPLE.COM
KDC: ldap.example.com
Admin server: ldap.example.com
id guest2001    (must resolve through sssd before the chown below can work)
mkdir /public
mkdir -p /protected/project
chown guest2001 /protected/project    (this is all guest2001 needs; do not chmod 777 /protected, the task does not ask for a world-writable export root)
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=nfs accept' --permanent
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=rpc-bind accept' --permanent    (for NFSv4-only clients the nfs service on 2049 is enough; rpc-bind and mountd are only needed by NFSv3 clients)
firewall-cmd --reload
wget -O /etc/krb5.keytab http://ldap.example.com/pub/server30.keytab
chmod 600 /etc/krb5.keytab    (wget creates it 644; the keytab is the host's Kerberos credential)
vim /etc/exports
/public 172.16.30.0/24(ro,sync)
/protected 172.16.30.0/24(rw,sec=krb5p)
:wq!
(No space between the client and the option list: "172.16.30.0/24 (rw)" would apply the options to every host.)
vim /etc/sysconfig/nfs
line 13: RPCNFSDARGS="-V 4.2"    (enables NFS 4.2, which the client mount option v4.2 in task 11 asks for)
vim /etc/chrony.conf
server ldap.example.com iburst    (Kerberos rejects tickets when clocks drift more than a few minutes apart, so sync time with the KDC)
:wq!
systemctl restart chronyd.service
systemctl enable chronyd.service
systemctl enable nfs-secure-server.service nfs-secure.service nfs-server.service
systemctl restart nfs-secure-server.service nfs-secure.service nfs-server.service
showmount -e 127.0.0.1    (lists the exports; exportfs -v also shows the effective options, including sec=)
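Added example, not code from the original notes: a small audit of /etc/exports that flags the mistakes which silently undo what this task asks for (options detached from their client by a space, exports to every host, no_root_squash, and rw exports that are not protected by sec=krb5*). It runs over a constructed sample file: the two exports above plus two deliberately broken entries, /srv/bad1 and /srv/bad2, which are made up for the example. On the real host call audit_exports /etc/exports.

```shell
#!/bin/bash
# Added example, not from the original notes: audit an /etc/exports file for the
# mistakes that silently undo what task 10 asks for. Prints one finding per line
# and returns 1 if anything was found. The sample file below is constructed.

audit_exports() {   # usage: audit_exports /etc/exports
    local file="$1" rc=0 line path token client opts
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # drop comments
        case "$line" in *[![:space:]]*) ;; *) continue ;; esac
        set -- $line                                      # path, then client(options) entries
        path=$1; shift
        for token in "$@"; do
            case "$token" in
                \(*)  # "/x 10.0.0.0/8 (rw)": the space detaches the options, which then apply to every host
                    echo "$path: '$token' is separated from its client by a space, so it applies to every host"
                    rc=1; continue ;;
            esac
            client=${token%%\(*}
            case "$token" in
                *\(*\)) opts=${token#*\(}; opts=${opts%\)} ;;
                *)      opts="" ;;                        # no option list: defaults are ro,sync,root_squash
            esac
            case "$client" in
                \*) echo "$path -> $client: exported to every host"; rc=1 ;;
            esac
            case ",$opts," in
                *,no_root_squash,*)
                    echo "$path -> $client: no_root_squash gives client root the same rights on the server"; rc=1 ;;
            esac
            case ",$opts," in
                *,rw,*)
                    case ",$opts," in
                        *,sec=krb5*) ;;                   # krb5, krb5i or krb5p: clients are authenticated
                        *) echo "$path -> $client: rw without sec=krb5p (or krb5/krb5i): access is trusted on source IP alone"; rc=1 ;;
                    esac ;;
            esac
        done
    done < "$file"
    return $rc
}

# Constructed sample: the two exports from the task, plus two broken entries.
EXPORTS_SAMPLE=$(mktemp)
trap 'rm -f "$EXPORTS_SAMPLE"' EXIT
cat > "$EXPORTS_SAMPLE" <<'EOF'
/public     172.16.30.0/24(ro,sync)
/protected  172.16.30.0/24(rw,sec=krb5p)
/srv/bad1   172.16.30.0/24 (rw,sync)
/srv/bad2   *(rw,no_root_squash)
EOF

audit_exports "$EXPORTS_SAMPLE" || echo "exports need attention"
```

The two task exports produce no finding; /srv/bad1 produces one (the detached option list) and /srv/bad2 three. A read-only export without Kerberos, like /public, is deliberately not flagged: that is what the task specifies.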
------------------------------------------------------------------------------------------------------------------------------
11. On desktop30 mount the NFS shares from server30
Mount /public on /mnt/nfsmount
Mount /protected on /mnt/nfssecure using the secure method, with the key http://ldap.example.com/pub/desktop30.keytab
User guest2001 must be able to create files in /mnt/nfssecure/project
These file systems must mount automatically at boot
desktop30 configuration:
yum -y install sssd* authconfig* krb5*
authconfig-gtk    (same values as on server30:)
LDAP search base: dc=example,dc=com
LDAP server: ldap://ldap.example.com
CA certificate: http://ldap.example.com/pub/EXAMPLE-CA.crt
Realm: EXAMPLE.COM
KDC: ldap.example.com
Admin server: ldap.example.com
(RPCNFSDARGS in /etc/sysconfig/nfs is a server-side setting with no effect on a client, so it can be skipped here.)
vim /etc/chrony.conf
server ldap.example.com iburst
:wq!
systemctl restart chronyd.service
systemctl enable chronyd.service
wget -O /etc/krb5.keytab http://ldap.example.com/pub/desktop30.keytab
chmod 600 /etc/krb5.keytab
mkdir /mnt/nfsmount
mkdir /mnt/nfssecure
vim /etc/fstab
172.16.30.130:/public /mnt/nfsmount nfs ro 0 0
172.16.30.130:/protected /mnt/nfssecure nfs defaults,v4.2,sec=krb5p 0 0
:wq!
systemctl enable nfs-secure.service    (rpc.gssd; the only one of the three services a client needs. nfs-server and nfs-secure-server are server daemons.)
systemctl restart nfs-secure.service
mount -a
df -h
su - guest2001
kinit    (enter guest2001's Kerberos password. With sec=krb5p every user needs a ticket; su from root does not obtain one, a password login through sssd does. klist shows it.)
cd /mnt/nfssecure/project
touch haha
reboot
df    (both mounts must be back after the reboot)
-------------------------------------------------------------------------------------------------------------------------------
12. Configure a web site http://server30.example.com on server30
Download the file http://ldap.example.com/pub/example.html and rename it to index.html; do not modify its contents
Copy the file index.html into your DocumentRoot
Clients from example.com can access the web server
Access from clients in my133t.org is denied
server30 configuration:
yum -y install httpd
systemctl restart httpd
systemctl enable httpd
cd /var/www/html
wget -O index.html http://ldap.example.com/pub/example.html
ls -Z index.html    (must be httpd_sys_content_t; run restorecon -Rv /var/www/html if it is not)
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=http accept' --permanent
firewall-cmd --reload
Verify on desktop30:
firefox http://server30.example.com    (or curl http://server30.example.com)
---------------------------------------------------------------------------------------------------------------------------------
13. Configure TLS encryption for the site http://server30.example.com
The signed certificate is at http://ldap.example.com/pub/server30.crt
The certificate's private key is at http://ldap.example.com/pub/server30.key
The certificate authority's certificate is at http://ldap.example.com/pub/group30.crt
server30 configuration:
yum -y install mod_ssl
cd /etc/pki/tls/certs
wget http://ldap.example.com/pub/server30.crt
wget http://ldap.example.com/pub/group30.crt
cd /etc/pki/tls/private
wget http://ldap.example.com/pub/server30.key
chmod 600 /etc/pki/tls/private/server30.key    (wget creates it 644; a private key must not be world-readable)
cd /etc/httpd/conf.d
vim ssl.conf
line 59: uncomment DocumentRoot "/var/www/html"
line 60: uncomment and set ServerName server30.example.com:443
line 100: SSLCertificateFile, replace localhost.crt with server30.crt
line 107: SSLCertificateKeyFile, replace localhost.key with server30.key
line 122: uncomment SSLCACertificateFile and replace ca-bundle.crt with group30.crt
(SSLCACertificateFile is what mod_ssl uses to verify client certificates. The directive that sends the CA/intermediate to browsers is SSLCertificateChainFile, commented out just above it; set that one to group30.crt as well if a client reports an incomplete chain.)
apachectl configtest
systemctl restart httpd
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 service name=https accept' --permanent
firewall-cmd --reload
Verify from the desktop client:
firefox https://server30.example.com
Click I Understand the Risks -> Add Exception -> Get Certificate -> Confirm Security Exception
The certificate shown must be for server30.example.com
A check that does not rely on clicking through a browser warning: openssl s_client -connect server30.example.com:443 -CAfile /etc/pki/tls/certs/group30.crt </dev/null 2>/dev/null | grep -E 'subject=|Verify return code'
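Added example, my own code rather than anything from the notes: before restarting httpd, confirm that server30.crt, server30.key and group30.crt actually belong together, which the browser exception dialog above never tells you. So that it runs offline, the block builds a throwaway CA and leaf certificate standing in for group30.crt and server30.crt, plus an unrelated key (wrong.key) for the negative check; all of these, and the CA's subject name, are constructed for the example. On the real host point the functions at the files under /etc/pki/tls.

```shell
#!/bin/bash
# Added example, not from the original notes. Checks that a certificate, its
# private key and the CA certificate belong together before httpd is restarted.
# Everything under $WORK is a constructed stand-in for the exam files
# (server30.crt, server30.key, group30.crt); on the real host call the functions
# on /etc/pki/tls/certs/server30.crt etc.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: a self-signed CA playing group30.crt, a leaf for
# server30.example.com signed by it, and an unrelated key for the negative check.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=group30 demo CA" \
        -keyout "$WORK/group30.key" -out "$WORK/group30.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server30.example.com" \
        -keyout "$WORK/server30.key" -out "$WORK/server30.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server30.csr" \
        -CA "$WORK/group30.crt" -CAkey "$WORK/group30.key" -CAcreateserial \
        -out "$WORK/server30.crt" 2>/dev/null
    openssl genrsa -out "$WORK/wrong.key" 2048 2>/dev/null
    chmod 600 "$WORK/server30.key" "$WORK/group30.key" "$WORK/wrong.key"
}

# Does the private key belong to the certificate? Compare the public keys
# extracted from each; this works for RSA and EC keys alike.
cert_matches_key() {   # cert key
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Does the certificate verify against the CA file (group30.crt in the task)?
cert_chains_to_ca() {  # cert cafile
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Is the certificate issued for the name the site uses?
cert_has_cn() {        # cert name
    openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -q "CN *= *$2"
}

# Is the key readable only by its owner (what the chmod 600 in the task ensures)?
key_mode_is_600() {    # key
    [ "$(stat -c %a "$1")" = 600 ]
}

make_demo_pki
for check in \
    "cert_matches_key $WORK/server30.crt $WORK/server30.key" \
    "cert_chains_to_ca $WORK/server30.crt $WORK/group30.crt" \
    "cert_has_cn $WORK/server30.crt server30.example.com" \
    "key_mode_is_600 $WORK/server30.key"; do
    if $check; then echo "ok:   $check"; else echo "FAIL: $check"; fi
done
```

Comparing the extracted public keys rather than the RSA modulus is deliberate: the modulus trick fails silently for EC keys, while the SPKI comparison is key-type agnostic.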
---------------------------------------------------------------------------------------------------------------------------------
14. On server30 extend your web server with a virtual host for the site http://www.example.com
Set the DocumentRoot to /var/www/virtual
Download the file http://ldap.example.com/pub/www.html and rename it to index.html; do not modify its contents
Copy the file index.html into the DocumentRoot
Make sure user floyd can create files in /var/www/virtual
Note: the original site server30.example.com must remain accessible
server30 configuration:
cd /var/www/
mkdir virtual
cd virtual
wget -O index.html http://ldap.example.com/pub/www.html
cd /etc/httpd/conf.d
cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf .
vim httpd-vhosts.conf
From line 23, replace the sample hosts. The first VirtualHost is the default for requests whose Host header matches none of them, so keep server30.example.com first:
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName server30.example.com
</VirtualHost>
<VirtualHost *:80>
DocumentRoot "/var/www/virtual"
ServerName www.example.com
</VirtualHost>
useradd floyd
setfacl -m u:floyd:rwx /var/www/virtual
apachectl configtest
systemctl restart httpd
Verify from the client:
firefox http://server30.example.com
firefox http://www.example.com
------------------------------------------------------------------------------------------------------------------------------
15. Web access control
In the DocumentRoot of the web server on server30 create a directory named private
Download http://ldap.example.com/pub/private.html into this directory and rename it to index.html; do not modify its contents
From server30 itself anyone may browse the contents of private, but from any other system the directory must not be accessible
server30 configuration:
cd /var/www/html
mkdir private
wget -O private/index.html http://ldap.example.com/pub/private.html    (mind the path: writing to index.html here would overwrite the site's own index page from task 12)
vim /etc/httpd/conf.d/httpd-vhosts.conf
Inside the <VirtualHost *:80> block that has DocumentRoot "/var/www/html" and ServerName server30.example.com, after the ServerName line, add:
<Directory "/var/www/html/private">
Require ip 127.0.0.1 ::1 172.16.30.130
</Directory>
(Require ip 172.16.30.130 on its own only matches requests that arrive on that address; listing 127.0.0.1 and ::1 as well also allows http://localhost/private from server30.)
apachectl configtest
systemctl restart httpd
Verify from the client: http://server30.example.com/private is refused (403)
From server30 itself it is reachable
-----------------------------------------------------------------------------------------------------------------------------
16. Serve dynamic web content on server30
The dynamic content is served by a virtual host named alt.example.com
The virtual host listens on port 8909
Download the script http://ldap.example.com/pub/webapp.wsgi, put it in a suitable location and do not modify its contents
A client visiting http://alt.example.com:8909 must receive a dynamically generated web page
http://alt.example.com:8909 must be reachable from all systems in example.com
server30 configuration:
cd /var/www/
mkdir wsgi
cd wsgi
wget http://ldap.example.com/pub/webapp.wsgi
yum -y install mod_wsgi
vim /etc/httpd/conf.d/httpd-vhosts.conf
Listen 8909
<VirtualHost *:8909>
ServerName alt.example.com:8909
WSGIScriptAlias / "/var/www/wsgi/webapp.wsgi"
</VirtualHost>
(the script path must be absolute, with the leading slash)
semanage port -a -t http_port_t -p tcp 8909    (lets httpd bind a non-standard port under SELinux; semanage port -l | grep http_port_t to confirm)
apachectl configtest
systemctl restart httpd
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 port port=8909 protocol=tcp accept' --permanent
firewall-cmd --reload
Verify from the client: firefox http://alt.example.com:8909 (or curl); a page saying hello, world! means it works
--------------------------------------------------------------------------------------------------------------------------------
17. Configure server30 to provide an iSCSI target
The target name is iqn.2014-09.com.example:server30
The service port is 3260
Use iscsi_store as the backing store; the volume size is 3G
The service may only be accessed by desktop30.example.com
server30 configuration:
fdisk /dev/sda
create a 3G primary partition /dev/sda3
partprobe /dev/sda
yum -y install targetcli
systemctl enable target
systemctl restart target
targetcli
cd /backstores/block
create iscsi_store /dev/sda3
cd /iscsi
create iqn.2014-09.com.example:server30
cd /iscsi/iqn.2014-09.com.example:server30/tpg1/acls
create iqn.2014-09.com.example:desktop30    (the ACL on the initiator name is what limits the target to desktop30; an IQN is not a secret, so the firewall rule below is the second control)
cd ../luns
create /backstores/block/iscsi_store
cd ../portals
create 172.16.30.130
exit    (targetcli saves the configuration to /etc/target/saveconfig.json on exit)
systemctl restart target
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.16.30.0/24 port port=3260 protocol=tcp accept' --permanent
firewall-cmd --reload
---------------------------------------------------------------------------------------------------------------------------------
18. Configure iSCSI on desktop30
Configure desktop30 so that it connects to the target iqn.2014-09.com.example:server30 provided by server30
The iSCSI device must be attached automatically at boot
The iSCSI block device contains a 2100 MiB partition formatted as ext4
This partition is mounted on /mnt/data and mounted automatically at boot
yum -y install iscsi-init*    (iscsi-initiator-utils)
vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2014-09.com.example:desktop30    (must match the ACL created on the target)
systemctl enable iscsid
systemctl restart iscsid
systemctl restart iscsi
iscsiadm -m discovery -t sendtargets -p 172.16.30.130
iscsiadm -m node -T iqn.2014-09.com.example:server30 -p 172.16.30.130 -l
lsblk    (check that /dev/sdb appeared; iscsiadm -m session lists the login)
fdisk /dev/sdb
create a 2100M partition (+2100M)
partprobe /dev/sdb
mkfs.ext4 /dev/sdb1
mkdir /mnt/data
blkid /dev/sdb1    (note the UUID)
vim /etc/fstab
UUID="……" /mnt/data ext4 defaults,_netdev 0 0
mount -a
(_netdev defers the mount until the network and the iscsi service are up; without it boot stalls waiting for a device that does not exist yet. Use the UUID rather than /dev/sdb1, which can change between boots.)
--------------------------------------------------------------------------------------------------------------------------------
19. Configure a database
On server30 create a MariaDB database named Contacts that meets the following conditions:
A The database contains content copied from a database dump; the dump's URL is
http://ldap.example.com/pub/user.mdb
B The database can only be accessed from localhost
C Apart from root, only the user Raikon may query the database; this user's password is redhat
D root's password is redhat, and login with an empty password is not allowed
-- on server30 --
yum -y install mariadb-server mariadb
systemctl enable mariadb
systemctl restart mariadb
Requirement B: do not open the mysql service in the firewall (that would do the opposite). Instead stop MariaDB from listening on the network at all:
vim /etc/my.cnf
skip-networking=1    (under [mysqld]; bind-address=127.0.0.1 is the alternative if local TCP clients are needed)
systemctl restart mariadb
netstat -tulnp | grep 3306    (with skip-networking nothing is listed; with bind-address only 127.0.0.1:3306 may appear)
cd /root/
wget http://ldap.example.com/pub/user.mdb
mysql
show databases;
create database Contacts;
use Contacts;    (database names are case-sensitive on Linux; use the same spelling everywhere)
source /root/user.mdb;
show tables;
grant select on Contacts.* to 'Raikon'@'localhost' identified by 'redhat';    (user names are case-sensitive as well; the task says Raikon)
flush privileges;
exit
mysql_secure_installation    (wizard to set the root password: set redhat, then answer y to remove anonymous users, disallow remote root login, remove the test database and reload the privilege tables)
Check: mysql -u Raikon -predhat -e 'select 1' Contacts works, and mysql -u root without a password is refused
--------------------------------------------------------------------------------------------------------------------------------
20. Database queries
On server30, using the database contacts, answer the following questions with the appropriate SQL queries:
A What is the name of the person whose password is 123456?
B How many people named barbara live in sunnyvale?
server30:
mysql -u root -p
use Contacts;
show tables; describe user;    (confirm the real table and column names first; the queries below use the names from these notes, usernamer, password and live in table user)
select usernamer from user where password='123456';
select count(*) from user where usernamer='barbara' and live='sunnyvale';
--------------------------------------------------------------------------------------------------------------------------------
21. Create a script
On server30 create a script named /root/foo.sh with the following behaviour:
A Running /root/foo.sh redhat prints fedora
B Running /root/foo.sh fedora prints redhat
C With no argument, or with an argument other than redhat or fedora, it prints the following message on standard error: /root/foo.sh redhat|fedora
vim /root/foo.sh
#!/bin/bash
# /root/foo.sh: print fedora for redhat and redhat for fedora;
# anything else is a usage error reported on stderr (requirement C)
if [[ "$1" = redhat ]]; then
    echo fedora
elif [[ "$1" = fedora ]]; then
    echo redhat
else
    echo "/root/foo.sh redhat|fedora" >&2
    exit 1
fi
chmod 755 /root/foo.sh    (not 777: a world-writable script that root runs can be edited by any user)
/root/foo.sh redhat
/root/foo.sh fedora
/root/foo.sh; echo $?    (prints the usage line and 1)
--------------------------------------------------------------------------------------------------------------------------------
22. Create a script that adds users
On desktop30 create a script named /root/batchusers that creates local users on the system, taking the user names from a file containing a list of names, and meets the following requirements:
A The script requires one argument, the file containing the list of user names
B If no argument is given, the script prints the message Usage: /root/batchusers and exits with the appropriate return value
C If the file does not exist, the script prints the message input file not found and exits with the appropriate return value
D The created users have /bin/false as their login shell
E The script does not need to set passwords for the users
You can fetch a user list for testing from http://ldap.example.com/pub/userlist
vim /root/batchusers
#!/bin/bash
# /root/batchusers: create local users listed one per line in the given file
if [ $# -eq 0 ]; then
    echo "Usage: /root/batchusers"
    exit 1
fi
if [ ! -f "$1" ]; then
    echo "input file not found"
    exit 2
fi
while read -r username; do
    [ -n "$username" ] || continue          # skip blank lines
    useradd -s /bin/false -- "$username"    # -- keeps a list entry starting with '-' from being read as an option
done < "$1"
:wq!
chmod 755 /root/batchusers
wget http://ldap.example.com/pub/userlist
/root/batchusers userlist
/root/batchusers; echo $?    (prints the usage line and 1)
/root/batchusers nosuchfile; echo $?    (prints input file not found and 2)
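Added example, not from the notes: the user list is fetched over plain HTTP, so it should be treated as untrusted input. This goes a step beyond the task by validating every line against the name rules useradd(8) enforces before anything is passed to useradd, and it runs as a dry run (USERADD=echo) so it works without root. The sample list, including the "-u 0 evil" line, is constructed for the example; the function names are my own.

```shell
#!/bin/bash
# Added example, not from the original notes: validate an untrusted user list
# before it reaches useradd. The list file is constructed for the example and
# USERADD=echo turns the run into a dry run so it works without root.

# Names useradd(8) accepts: start with a letter or '_', then letters, digits,
# '_' or '-', 32 characters at most. Rejecting a leading '-' is what keeps a
# line such as "-u 0 evil" from being parsed as options to useradd.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Prints the accepted names on stdout, one per line, and reports every rejected
# line on stderr. Returns 1 if anything was rejected.
filter_userlist() {   # file
    local name rc=0
    while IFS= read -r name || [ -n "$name" ]; do
        name=$(printf '%s' "$name" | tr -d '\r')   # tolerate CRLF lists
        [ -n "$name" ] || continue
        if valid_username "$name"; then
            printf '%s\n' "$name"
        else
            printf "batchusers: rejecting '%s'\n" "$name" >&2
            rc=1
        fi
    done < "$1"
    return $rc
}

# Creates only the names that passed validation, with the login shell the task
# requires. The '--' ends option parsing so a name is never read as an option.
batch_add() {         # file
    filter_userlist "$1" | while IFS= read -r name; do
        ${USERADD:-useradd} -s /bin/false -- "$name"
    done
}

# Constructed list: two good names, an option-injection attempt, an invalid
# uppercase name and a valid hyphenated one.
LIST=$(mktemp)
trap 'rm -f "$LIST"' EXIT
printf 'alice\nbob\n-u 0 evil\nCarol\nweb-svc\n' > "$LIST"

USERADD=echo     # dry run; leave USERADD unset to call the real useradd as root
batch_add "$LIST"
```

Without the validation and the "--", a line such as "-u 0 evil" read by while read into an unquoted $username becomes useradd -s /bin/false -u 0 evil: a second UID 0 account created from a file downloaded over HTTP.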
This article is from the blog "银河蜜蜂linux运维之路"; please keep this attribution when reposting: http://flynn.blog.51cto.com/10727343/1793776