Linux Administrator technology -01-selinux, configuring advanced connections, Firewall management policies,

security-enhanced Linux (SElinux)

– United States NSA National Security Agency-led development, a set of mandatory access control systems to enhance Linux system security

Purpose: Mandatory access control system

– integrated into the Linux kernel (2.6 and above) running

–RHEL7 provides preset protection policies for users, processes, directories, and files based on the SELinux system, as well as management tools

SELinux Mode of operation

–enforcing (mandatory), permissive (loose)

–disabled (completely disabled)

Toggle Run mode

-Temporary switchover (current switchover): Setenforce 1/0 #0表示降级, 1 means upgrade

-Fixed configuration (the next reboot will take effect): Vim/etc/selinux/config

[Email protected] ~]# Getenforce #查看当前SELinux状态

Enforcing

[Email protected] ~]# Setenforce 0 #设置当前SELinux状态

[Email protected] ~]# Getenforce

Permissive

The switchover between enforcing, permissive and disabled must be restarted to the vim fixed configuration to take effect

Fixed configuration:

[Email protected] ~]# Vim/etc/selinux/config

.. ..

Selinux=permissive

[[Email protected] ~] #reboot #重启系统切换模式

Added: Vim Command mode

C (UPPERCASE): Deletes the cursor to the end of the line and enters insert mode

-------------------------------------------------------------------------------------------

Configure advanced Connections

Configuring aggregation connections (NIC bindings)

Same as HSRP

HSRP: Backing up Gateway devices

Router 1 Router 2

192.168.1.254 192.168.1.253

Active backup

Virtual routers

192.168.1.200

Converged connections: Backing up network card devices

Eth1 eth2

192.168.1.1/24 192.168.1.2/24

Team

192.168.1.10

Team, aggregation connections (also known as Link aggregation)

– A virtual network card, formed by multiple network cards (Team-slave), that is "teaming up"

– Role 1: Traffic load Balancing for polling (Roundrobin)

– Role 2: Hot backup (activebackup) connection redundancy

Hot Backup configuration: {"Runner": {"name": "Activebackup"}}

Hot backup configuration characters are complex to use: Man helps assist memory

Enter man teamd.conf into the help screen

Input/example #全文查找example

Then press N #按n jump to the next match

Locate and copy {"Runner": {"name": "Activebackup"}}

[email protected] ~]# man teamd.conf

/example #全文查找example

#按n Jump Next Match

One, add team equipment

# NMCLI Connection Add type Team

Con-name TEAM0 ifname team0

Config ' {"runner": {"name": "Activebackup"}} '

# CAT/ETC/SYSCONFIG/NETWORK-SCRIPTS/IFCFG-TEAM0

# ifconfig Team0

Second, add members

# NMCLI Connection Add type Team-slave

ifname eth1 Master Team0

# NMCLI Connection Add type Team-slave

ifname eth2 Master Team0

Third, configure the IP address of the TEAM0

# NMCLI Connection Modify Team0

Ipv4.method Manual

Ipv4.addresses 192.168.1.1/24

Connection.autoconnect Yes

Iv. Activation of TEAM0

# NMCLI connection up team-slave-eth1 #激活从设备eth1

# NMCLI connection up Team-slave-eth2 #激活从设备eth2

# NMCLI connection up Team0 #激活主设备team0

V. Verification

# Teamdctl Team0 State #专用于查看team信息

Setup

Runner:activebackup

Ports

Eth1

Link watches:

Link Summary:up

INSTANCE[LINK_WATCH_0]:

Name:ethtool

Link:up #状态已激活

Eth2

Link watches:

Link Summary:up

INSTANCE[LINK_WATCH_0]:

Name:ethtool

Link:up #状态已激活

Runner

Active Port:eth1 #指定活跃网卡为eth1

Note: There is an input error in the front of the place do not lose again correct, will not overwrite, it is best to remove network card Group members

Delete command:

# NMCLI Connection Delete team-slave-eth1

# NMCLI Connection Delete team-slave-eth2

# NMCLI Connection Delete Team0

Configure the IP address to 192.168.1.2/24 on the client desktop virtual machine by Server0 again

You can ping the authentication after you have finished configuring

If one of the network card eth1 or eth2 port is turned off, the command: Ifconfig eth1/eth2 down will also ping, because there is a backup, two are closed ping failed

-------------------------------------------------------------------------------------------

Configuring IPV6 Addresses

IPV6 Address representation

– 128 bits, colon-delimited hexadecimal number

– Successive pre-0 in each paragraph can be omitted, successive multiple: can be simplified to::

# NMCLI Connection Modify ' System eth0 '

Ipv6.method Manual

Ipv6.addresses 2003:AC18::305/64

Connection.autoconnect Yes

# NMCLI connection up ' System eth0 '

# ifconfig Eth0

# ping6 2003:ac18::305

-------------------------------------------------------------------------------------------

Alias aliases Settings

Viewing aliases that have been set

–alias [alias name]

Define a new Alias

–alias Alias name = ' actual execution of command line '

To cancel an alias that has been set

–unalias [alias name]

User Personalization Profile

Bash interpretation environment that affects the specified user

–~/.BASHRC, effective every time the bash terminal is turned on

Global Environment Configuration

Bash interpretation environment that affects all users

–/ETC/BASHRC, effective every time the bash terminal is turned on

[Email protected] ~]# VIM/ROOT/.BASHRC #影响root文件

.. ..

Alias hello= ' echo Hello '

[Email protected] ~]# VIM/HOME/STUDENT/.BASHRC #影响student文件

.. ..

Alias hi= ' echo Hi '

[Email protected] ~]# VIM/ETC/BASHRC #全局配置文件

.. ..

Alias Haha= ' Echo Xixi '

Exit remote login, re-remote SERVER0 authentication

[email protected] ~]# Hello #成功

[email protected] ~]# Hi #失败

[email protected] ~]# haha #成功

[Email protected] ~]# su-student

[email protected] ~]$ Hello #失败

[email protected] ~]$ Hi #成功

[email protected] ~]$ haha #成功

[[Email protected] ~]$ exit

-------------------------------------------------------------------------------------------

Firewall Policy Management (firewall)

first, build basic Web Services

Web services for clients with server-side software (httpd)

Server: httpd (software) developed by Apache organization

Installing httpd software on 1.server0

2.server0 start httpd service, set boot from

By default: Apache does not provide any pages

Virtual Machine Login Firefox page must close all Firefox page programs of the real machine

Default Apache Web page file storage path:/var/www/html

Default Apache web page file name: index.html

[Email protected] ~]# yum-y install httpd #安装软件

[Email protected] ~]# systemctl restart httpd #设置开机自启

[Email protected] ~]# Systemctl enable httpd

[Email protected] ~]# vim/var/www/html/index.html #进入编辑页面

<marquee><font Color=green>

#字体滚动, font color, font size after entering page display content

[email protected] ~]# Firefox 172.25.0.11

The default HTTP service is not written in front of the service

ii. FTP Service Setup ftp: File Transfer Protocol

Service side: vsftpd (software)

Installing VSFTPD software on 1.server0

2.server0 start vsftpd Service, set boot from

Default shared location:/var/ftp

You can create a document file:

e.g:

[Email protected] ~]# Touch/var/ftp/1.txt

[Email protected] ~]# Touch/var/ftp/2.txt

Test

[email protected] ~]# Firefox ftp://172.25.0.11

-------------------------------------------------------------------------------------------

Firewall Policy Management (firewall)

Role: Isolated Extranet and Intranet

Block Extranet (WAN) Inbound, allow intranet (LAN) outbound

System Services: FIREWALLD

Administrative Tools: Firewall-cmd (command), Firewall-config (graphics)

View Firewall Service Status

[Email protected] ~]# systemctl status Firewalld.service

Preset protection rule set based on the location of your network

–public (Default zone): Only a few services that allow access to native sshd

–trusted: Allow any access

–block: Deny any visit request (client request responds and rejects)

–drop: Discard any incoming packets (direct reject without any response)

Rules for firewall judgments: matching and stopping

1. First look at the source IP address in the request (client), whether there is a policy for that IP address in all zones, and if so, the request enters the zone

2. Go to the default zone

Virtual Machine desktop0:

# Firefox http://172.25.0.11 #访问失败 because no HTTP service was added

# Firefox ftp://172.25.0.11 #访问失败 because no FTP service was added

Virtual Machine Server0:

# Firewall-cmd--get-default-zone #查看默认区域为public

# firewall-cmd--zone=public--list-all #查看区域规则信息

Public (default, active)

Interfaces:eth0 eth1 eth2 Team0

Sources

Services:dhcpv6-client SSH #支持的服务

Ports

Masquerade:no

Forward-ports:

Icmp-blocks:

Rich rules:

# firewall-cmd--zone=public--add-service=http #添加服务

# firewall-cmd--zone=public--list-all #查看区域规则信息

Public (default, active)

Interfaces:eth0 eth1 eth2 Team0

Sources

Services:dhcpv6-client http SSH #已添加http服务

Ports

Masquerade:no

Forward-ports:

Icmp-blocks:

Rich rules:

Virtual Machine desktop0:

# Firefox http://172.25.0.11 #访问成功

# Firefox ftp://172.25.0.11 #访问失败

Virtual Machine Server0:

# Firewall-cmd--zone=public--add-service=ftp

# Firewall-cmd--zone=public--list-all

Public (default, active)

Interfaces:eth0 eth1 eth2 Team0

Sources

Services:dhcpv6-client ftp http SSH

Ports

Masquerade:no

Forward-ports:

Icmp-blocks:

Rich rules:

Virtual Machine desktop0:

# Firefox ftp://172.25.0.11 #访问成功

-------------------------------------------------------------------------------------------

--permanent Options: Implementing Permanent settings

Virtual Machine Server0:

# firewall-cmd--reload #重新加载防火墙, close the previously added service

# firewall-cmd--zone=public--list-all #重新后之前设置的服务会消失

# firewall-cmd--permanent--zone=public--add-service=ftp

# firewall-cmd--permanent--zone=public--add-service=http

# Firewall-cmd--reload #重新加载防火墙

# Firewall-cmd--zone=public--list-all

-------------------------------------------------------------------------------------------

Modify the default zone and do not need to add--permanent

Virtual Machine desktop0:

# ping 172.25.0.11 #可以通信

Virtual Machine Server0:

# Firewall-cmd--set-default-zone=block #修改默认区域为block

# Firewall-cmd--get-default-zone #查看默认区域

Virtual Machine desktop0:

# ping 172.25.0.11 #不可以通信

Virtual Machine Server0:

# Firewall-cmd--set-default-zone=drop #修改默认区域为drop

# Firewall-cmd--get-default-zone

Virtual Machine desktop0:

# ping 172.25.0.11 #通信无反馈

-------------------------------------------------------------------------------------------

Virtual Machine Server0:

# firewall-cmd--permanent--zone=public--add-source=172.25.0.10 #添加客户端desktop源IP

# Firewall-cmd--zone=public--list-all

# Firewall-cmd--reload

# Firewall-cmd--zone=public--list-all

Virtual Machine desktop0:

# Firefox http://172.25.0.11

-------------------------------------------------------------------------------------------

Implementing a native port mapping

Port redirection for on-premises applications (port 1 and Port 2)

– Automatically map to native port 2 from client Access port 1 requests

– For example, visit the following two addresses to see the same page:

Virtual Machine desktop0:

# Firefox http://172.25.0.11:5423-------"172.25.0.11:80

Virtual Machine Server0:

# Firewall-cmd--permanent--zone=public

--add-forward-port=port=5423:proto=tcp:toport=80

# Firewall-cmd--reload

# Firewall-cmd--zone=public--list-all

Virtual Machine desktop0:

# Firefox http://172.25.0.11:5423

Linux Administrator technology -01-selinux, configuring advanced connections, Firewall management policies,