Security-Enhanced Linux (SELinux)
– A set of mandatory access control (MAC) mechanisms, developed under the lead of the United States NSA (National Security Agency), that strengthen Linux system security
Purpose: mandatory access control
– integrated into the Linux kernel (2.6 and later)
– RHEL7 ships preset protection policies for users, processes, directories and files built on SELinux, together with management tools
SELinux modes of operation
– enforcing (policy enforced: violations are blocked and logged), permissive (policy not enforced: violations are only logged)
– disabled (SELinux completely off)
Switching the mode
– Temporary switch (takes effect immediately, lost at reboot): setenforce 1/0   # 0 = permissive (downgrade), 1 = enforcing (upgrade)
– Persistent configuration (takes effect at the next reboot): vim /etc/selinux/config
[root@server0 ~]# getenforce            # show the current SELinux mode
Enforcing
[root@server0 ~]# setenforce 0          # change the current SELinux mode
[root@server0 ~]# getenforce
Permissive
setenforce only toggles between enforcing and permissive; switching to or from disabled requires editing the persistent configuration (SELINUX=... in /etc/selinux/config) and rebooting
Note that a host in permissive mode still writes denials to the audit log but stops nothing, so when auditing a machine check both the running mode (getenforce) and the value in /etc/selinux/config: they can differ until the next reboot.
Persistent configuration:
[root@server0 ~]# vim /etc/selinux/config
.. ..
SELINUX=permissive
[root@server0 ~]# reboot                # reboot to switch modes
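The following shell script is an added example and is not part of the original notes: it parses an /etc/selinux/config-style file (path passed as a parameter, so it can run against a constructed copy) and compares the configured mode with the running mode that getenforce would report, flagging the drift that a temporary setenforce leaves behind. The sample file content is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the SELinux mode a host will
# have after its next reboot by parsing an /etc/selinux/config-style file, and
# compare it with the running mode reported by getenforce. The file path is a
# parameter so the check can be run against a constructed copy.

# Print the SELINUX= value of a config file, skipping comments and blank lines
# (SELINUXTYPE= does not match because the pattern requires "=" right after SELINUX).
# Returns 1 if the key is absent or holds a value other than the three valid modes.
selinux_configured_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) printf '%s\n' "$mode" ;;
        *) return 1 ;;
    esac
}

# Compare the persistent setting ($1 = config file) with the running mode
# ($2 = getenforce output, lowercased). Returns 0 when they agree, 1 when a reboot
# would silently change the mode (drift), 2 when the config file is unusable.
selinux_check_drift() {
    cfg=$(selinux_configured_mode "$1") || { echo "invalid or missing SELINUX= in $1"; return 2; }
    if [ "$cfg" = "$2" ]; then
        echo "consistent: $cfg"
        return 0
    fi
    echo "drift: running $2, configured $cfg"
    return 1
}

# Constructed sample mirroring /etc/selinux/config on a host where "setenforce 0"
# was run but the file still says enforcing (assumed scenario for the example).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# On a live host: selinux_check_drift /etc/selinux/config "$(getenforce | tr 'A-Z' 'a-z')"
if selinux_check_drift "$SAMPLE_CFG" permissive; then
    echo "no action needed"
else
    echo "the next reboot would change the mode"
fi
rm -f "$SAMPLE_CFG"
```

The parser deliberately takes the last SELINUX= line in the file, which is what the init code effectively honours when the key is repeated, and refuses unknown values rather than guessing, so a typo such as SELINUX=enforcng is reported as unusable instead of being read as a mode.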
Addendum, vim command mode:
C (uppercase): delete from the cursor to the end of the line and enter insert mode
-------------------------------------------------------------------------------------------
Configuring advanced connections
Configuring aggregated connections (NIC teaming)
The idea is the same as HSRP:
HSRP: backs up gateway devices
        Router 1              Router 2
        192.168.1.254         192.168.1.253
        active                backup
                  virtual router
                  192.168.1.200
Aggregated connection: backs up network card devices
        eth1                  eth2
        192.168.1.1/24        192.168.1.2/24
                  team
                  192.168.1.10
(the sketch is an analogy only: in a real team the slave cards carry no address of their own, the IP address is set on the team device, as in the configuration below)
Team, aggregated connection (also called link aggregation)
– a virtual network card formed from several physical cards (team-slaves), i.e. the cards "team up"
– Role 1: load balancing of traffic by round-robin (runner "roundrobin")
– Role 2: hot standby (runner "activebackup"), connection redundancy
Hot standby configuration: '{"runner": {"name": "activebackup"}}'
The hot standby configuration string is fiddly to type; use man to help remember it:
Open the help page with man teamd.conf
Type /example                          # search the whole page for "example"
Then press n                           # jump to the next match
Find and copy {"runner": {"name": "activebackup"}}
[root@server0 ~]# man teamd.conf
/example                               # search the whole page for "example"
n                                      # jump to the next match
1. Add the team device
# nmcli connection add type team con-name team0 ifname team0 config '{"runner": {"name": "activebackup"}}'
# cat /etc/sysconfig/network-scripts/ifcfg-team0
# ifconfig team0
2. Add the members (slaves)
# nmcli connection add type team-slave ifname eth1 master team0
# nmcli connection add type team-slave ifname eth2 master team0
(with no con-name given, nmcli names these connections team-slave-eth1 and team-slave-eth2)
3. Configure the IP address of team0
# nmcli connection modify team0 ipv4.method manual ipv4.addresses 192.168.1.1/24 connection.autoconnect yes
4. Activate team0
# nmcli connection up team-slave-eth1    # activate slave eth1
# nmcli connection up team-slave-eth2    # activate slave eth2
# nmcli connection up team0              # activate the master device team0
5. Verify
# teamdctl team0 state                   # dedicated command for inspecting a team
setup:
  runner: activebackup
ports:
  eth1
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up                         # link is up
  eth2
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up                         # link is up
runner:
  active port: eth1                      # eth1 is currently the active card
Note: if one of the commands above was mistyped, do not simply re-run it: nmcli connection add does not overwrite an existing connection of the same name but creates a second one; it is best to delete the team members and the team and start again.
Delete commands:
# nmcli connection delete team-slave-eth1
# nmcli connection delete team-slave-eth2
# nmcli connection delete team0
On the client virtual machine desktop0, set the address 192.168.1.2/24 and ping server0 (192.168.1.1) again
Once the configuration is done, verify with ping
If one of the cards eth1 or eth2 is taken down (ifconfig eth1 down, or ifconfig eth2 down), ping still succeeds because the other card is the backup; if both are taken down, ping fails
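The following shell functions are an added example and are not part of the original notes: they parse the text that teamdctl team0 state prints (the verification step above) and answer the question the failover test asks, namely whether a backup path still exists. The state text is read on stdin so the functions can be tested offline against a constructed sample; on a live host pipe in the real command output.

```shell
#!/bin/sh
# Added example, not from the original notes: check a team device's redundancy from
# the output of `teamdctl <team> state`. Input is read on stdin, so on a live host
# run:  teamdctl team0 state | team_redundancy_ok

# Print the port named under "runner:" as "active port".
team_active_port() {
    awk '/^runner:/ { in_runner = 1; next }
         in_runner && /active port:/ { print $NF; exit }'
}

# Print one "<port> <up|down>" line per slave, from each port's "link summary".
# A port name is the line indented by exactly two spaces inside the "ports:" block;
# any line starting in column 0 ends that block.
team_port_links() {
    awk '/^ports:/ { in_ports = 1; next }
         /^[^ ]/ { in_ports = 0 }
         in_ports && /^  [^ ]/ { port = $1; next }
         in_ports && /link summary:/ { print port, $NF }'
}

# Return 0 when at least two ports are up (a failover is still possible),
# 1 when exactly one port is up (traffic flows but there is no backup left),
# 2 when no port is up.
team_redundancy_ok() {
    up=$(team_port_links | awk '$2 == "up" { n++ } END { print n + 0 }')
    if [ "$up" -ge 2 ]; then return 0; fi
    if [ "$up" -eq 1 ]; then return 1; fi
    return 2
}

# Constructed sample of `teamdctl team0 state` output after "ifconfig eth2 down":
# eth1 still carries the traffic, but the backup path is gone.
SAMPLE_STATE='setup:
  runner: activebackup
ports:
  eth1
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
  eth2
    link watches:
      link summary: down
      instance[link_watch_0]:
        name: ethtool
        link: down
        down count: 1
runner:
  active port: eth1'

if printf '%s\n' "$SAMPLE_STATE" | team_redundancy_ok; then
    echo "redundant: active port $(printf '%s\n' "$SAMPLE_STATE" | team_active_port), backup available"
else
    echo "WARNING: backup lost; port state:"
    printf '%s\n' "$SAMPLE_STATE" | team_port_links
fi
```

The distinction between return codes 1 and 2 matters for monitoring: with the sample above ping still works, exactly as the notes say, so a check that only pings the team address never notices that the next link failure will be an outage.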
-------------------------------------------------------------------------------------------
Configuring IPv6 addresses
IPv6 address notation
– 128 bits, written as eight colon-separated groups of hexadecimal digits
– leading zeros within a group can be omitted, and one run of consecutive all-zero groups can be collapsed to "::" (at most once per address, otherwise the address is ambiguous)
# nmcli connection modify 'System eth0' ipv6.method manual ipv6.addresses 2003:ac18::305/64 connection.autoconnect yes
# nmcli connection up 'System eth0'
# ifconfig eth0
# ping6 2003:ac18::305
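The following shell function is an added example and is not part of the original notes: it applies the two abbreviation rules above in reverse, restoring leading zeros and expanding the single "::", so that addresses written differently (as they often are in logs, firewall rules and nmcli output) can be compared reliably. The addresses used are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: expand an abbreviated IPv6 address to
# its full eight-group, lowercase form, rejecting malformed input (more than one "::",
# a "::" that stands for no group, non-hex groups, wrong group count).

ipv6_expand() {
    printf '%s\n' "$1" | awk -F '::' '
        function pad(g) { g = tolower(g); while (length(g) < 4) g = "0" g; return g }
        function valid(g) { return (g ~ /^[0-9A-Fa-f]+$/ && length(g) <= 4) }
        {
            if (NF > 2) exit 1                       # "::" may appear only once
            nl = split($1, left, ":")                # groups before "::" (0 when none)
            nr = (NF == 2) ? split($2, right, ":") : 0
            missing = (NF == 2) ? 8 - nl - nr : 0    # groups the "::" stands for
            if (nl + nr + missing != 8) exit 1       # wrong number of groups
            if (NF == 2 && missing < 1) exit 1       # "::" must replace at least one group
            out = ""
            for (i = 1; i <= nl; i++) { if (!valid(left[i])) exit 1; out = out pad(left[i]) ":" }
            for (i = 1; i <= missing; i++) out = out "0000:"
            for (i = 1; i <= nr; i++) { if (!valid(right[i])) exit 1; out = out pad(right[i]) ":" }
            sub(/:$/, "", out)
            print out
        }'
}

# True when two written forms denote the same address (both must be valid).
ipv6_same() {
    a=$(ipv6_expand "$1") && b=$(ipv6_expand "$2") && [ "$a" = "$b" ]
}

# Walk-through with the lab address and a few constructed variants.
for addr in 2003:AC18::305 2003:ac18:0:0:0:0:0:305 ::1 1::2::3; do
    if full=$(ipv6_expand "$addr"); then
        echo "$addr -> $full"
    else
        echo "$addr -> invalid"
    fi
done
if ipv6_same 2003:AC18::305 2003:ac18:0:0:0:0:0:305; then
    echo "same address"
fi
```

The comparison helper is the practical payoff: a rule that matches on the literal string 2003:AC18::305 will not match 2003:ac18:0:0:0:0:0:305, while matching on the expanded form catches both.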
-------------------------------------------------------------------------------------------
Alias settings
View the aliases that have been set
– alias [alias name]
Define a new alias
– alias name='actual command line to execute'
Remove an alias that has been set
– unalias [alias name]
Per-user profile
Affects the bash environment of one specified user
– ~/.bashrc, applied every time that user opens a bash shell
Global environment configuration
Affects the bash environment of all users
– /etc/bashrc, applied every time any user opens a bash shell
[root@server0 ~]# vim /root/.bashrc           # affects root only
.. ..
alias hello='echo hello'
[root@server0 ~]# vim /home/student/.bashrc   # affects student only
.. ..
alias hi='echo hi'
[root@server0 ~]# vim /etc/bashrc             # global configuration file
.. ..
alias haha='echo xixi'
Log out of the remote session and log in to server0 again to verify
[root@server0 ~]# hello     # works
[root@server0 ~]# hi        # fails
[root@server0 ~]# haha      # works
[root@server0 ~]# su - student
[student@server0 ~]$ hello  # fails
[student@server0 ~]$ hi     # works
[student@server0 ~]$ haha   # works
[student@server0 ~]$ exit
Because an alias silently takes precedence over the command of the same name, use type name to see whether a name is an alias, a function or a real binary before trusting it; for the same reason ~/.bashrc and /etc/bashrc are among the first files to inspect when looking for persistence on a compromised host.
-------------------------------------------------------------------------------------------
Firewall policy management (firewalld)
1. Building a basic web service
A web service is server-side software (httpd) answering clients
Server: httpd, developed by the Apache organization
  1. install the httpd software on server0
  2. start the httpd service on server0 and enable it at boot
By default the httpd package provides no page of its own (no index.html)
Before opening Firefox inside the virtual machine, close all Firefox windows on the physical host
Default Apache document root: /var/www/html
Default Apache page file name: index.html
[root@server0 ~]# yum -y install httpd                 # install the software
[root@server0 ~]# systemctl restart httpd              # start the service
[root@server0 ~]# systemctl enable httpd               # enable it at boot
[root@server0 ~]# vim /var/www/html/index.html         # edit the page
<marquee><font color=green>
# marquee makes the text scroll, font sets its colour and size; whatever follows the tags is shown on the page
[root@server0 ~]# firefox 172.25.0.11
If no scheme (http://) is written in front of the address, Firefox assumes http
2. FTP service setup (FTP: File Transfer Protocol)
Server side: vsftpd (software)
  1. install the vsftpd software on server0
  2. start the vsftpd service on server0 and enable it at boot
Default shared directory: /var/ftp
You can create some files there to test, e.g.:
[root@server0 ~]# touch /var/ftp/1.txt
[root@server0 ~]# touch /var/ftp/2.txt
Test
[root@server0 ~]# firefox ftp://172.25.0.11
-------------------------------------------------------------------------------------------
Firewall policy management (firewalld)
Role: isolate the external network (extranet) from the internal network (intranet)
Block inbound traffic from the external network (WAN), allow outbound traffic from the internal network (LAN)
System service: firewalld
Administrative tools: firewall-cmd (command line), firewall-config (graphical)
View the firewall service status
[root@server0 ~]# systemctl status firewalld.service
Preset protection rule sets (zones), chosen according to where the host sits in the network
– public (default zone): only a few services reaching this host are allowed (ssh, dhcpv6-client); everything else is rejected
– trusted: allow any access
– block: refuse any incoming request (the client gets a rejection response)
– drop: discard any incoming packet (dropped silently, no response at all)
How firewalld chooses the zone: first match wins, and only one zone applies to a given request
1. Look at the source IP address of the request (the client): if some zone lists that address in its sources, the request is handled by that zone, whatever the default zone is
2. Otherwise the request goes to the default zone (strictly, to the zone the arriving interface is bound to, which in this lab is the default zone, public, for eth0, eth1, eth2 and team0)
Within the chosen zone the request is accepted only if its service or port is listed; otherwise the zone's fallback behaviour applies (reject for public and block, silent drop for drop)
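The following shell script is an added example and is not part of the original notes or of firewalld itself: it is a small model of the zone selection just described, so that the lab steps below (adding services, changing the default zone, binding the client's source address) can be reasoned about offline. The zone table is constructed for illustration and mirrors the lab's public zone after http was added and desktop0's address was bound to it; the fallback column is a simplification of the zone targets.

```shell
#!/bin/sh
# Added example, not from the original notes and not firewalld's own code: model of
# firewalld's zone choice. A zone listing the client's source address wins; otherwise
# the default zone applies. Inside the zone a request is accepted only if its service
# is listed, else the zone's fallback is used (reject for public/block, drop for drop,
# accept for trusted, written as the pseudo-service "any").

# Zone table (constructed): name|space-separated sources|space-separated services|fallback
FW_ZONES='public|172.25.0.10|ssh dhcpv6-client http|reject
trusted||any|accept
block||-|reject
drop||-|drop'
FW_DEFAULT_ZONE=public

# Model of: firewall-cmd --set-default-zone=<zone>
fw_set_default_zone() { FW_DEFAULT_ZONE=$1; }

# Zone handling a client address: the zone whose sources contain it, else the default.
fw_zone_for_source() {
    zone=$(printf '%s\n' "$FW_ZONES" | awk -F '|' -v ip="$1" '
        { n = split($2, s, " "); for (i = 1; i <= n; i++) if (s[i] == ip) { print $1; exit } }')
    printf '%s\n' "${zone:-$FW_DEFAULT_ZONE}"
}

# Verdict (accept / reject / drop) for a request from address $1 to service $2.
fw_decide() {
    z=$(fw_zone_for_source "$1")
    printf '%s\n' "$FW_ZONES" | awk -F '|' -v z="$z" -v svc="$2" '
        $1 == z {
            if ($3 == "any") { print "accept"; exit }
            n = split($3, s, " ")
            for (i = 1; i <= n; i++) if (s[i] == svc) { print "accept"; exit }
            print $4; exit
        }'
}

# Walk through the lab: desktop0 (172.25.0.10, bound to public) and an unbound client.
for client in 172.25.0.10 172.25.0.99; do
    for svc in http ftp; do
        echo "default=$FW_DEFAULT_ZONE client=$client service=$svc -> $(fw_decide "$client" "$svc")"
    done
done
fw_set_default_zone drop
echo "default=$FW_DEFAULT_ZONE client=172.25.0.99 service=http -> $(fw_decide 172.25.0.99 http)"
echo "default=$FW_DEFAULT_ZONE client=172.25.0.10 service=http -> $(fw_decide 172.25.0.10 http)"
fw_set_default_zone public   # restore the lab's default for later calls
```

The last two lines of the walk-through are the point of the source binding used later in the lab: once 172.25.0.10 is listed under public's sources, switching the default zone to drop no longer affects desktop0 at all, which is convenient for the administrator and exactly why source bindings deserve the same review as open services.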
Virtual machine desktop0:
# firefox http://172.25.0.11              # fails: the http service has not been added to the zone
# firefox ftp://172.25.0.11               # fails: the ftp service has not been added to the zone
Virtual machine server0:
# firewall-cmd --get-default-zone         # the default zone is public
# firewall-cmd --zone=public --list-all   # show the zone's rules
public (default, active)
  interfaces: eth0 eth1 eth2 team0
  sources:
  services: dhcpv6-client ssh             # services allowed in
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
# firewall-cmd --zone=public --add-service=http   # add a service (runtime only)
# firewall-cmd --zone=public --list-all           # show the zone's rules again
public (default, active)
  interfaces: eth0 eth1 eth2 team0
  sources:
  services: dhcpv6-client http ssh        # http has been added
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Virtual machine desktop0:
# firefox http://172.25.0.11              # works
# firefox ftp://172.25.0.11               # still fails
Virtual machine server0:
# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eth0 eth1 eth2 team0
  sources:
  services: dhcpv6-client ftp http ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Virtual machine desktop0:
# firefox ftp://172.25.0.11               # works
-------------------------------------------------------------------------------------------
The --permanent option: making settings permanent
Virtual machine server0:
# firewall-cmd --reload                       # reload the firewall; runtime-only changes (the services added above) are discarded
# firewall-cmd --zone=public --list-all       # after the reload the services added earlier are gone
# firewall-cmd --permanent --zone=public --add-service=ftp
# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --reload                       # reload so the permanent rules become active
# firewall-cmd --zone=public --list-all
Note the asymmetry: a command without --permanent changes the running firewall but not the saved configuration, a command with --permanent changes the saved configuration but not the running firewall until --reload. To change both at once, run the command twice (with and without --permanent), or, on firewalld versions that support it, apply the runtime changes and then save them with firewall-cmd --runtime-to-permanent.
-------------------------------------------------------------------------------------------
Changing the default zone (no --permanent needed: this setting is persistent by itself)
Virtual machine desktop0:
# ping 172.25.0.11                           # communication works
Virtual machine server0:
# firewall-cmd --set-default-zone=block       # change the default zone to block
# firewall-cmd --get-default-zone             # check the default zone
Virtual machine desktop0:
# ping 172.25.0.11                           # communication refused (an explicit rejection comes back)
Virtual machine server0:
# firewall-cmd --set-default-zone=drop
# firewall-cmd --get-default-zone
Virtual machine desktop0:
# ping 172.25.0.11                           # no response at all (packets silently dropped)
-------------------------------------------------------------------------------------------
Binding a client address to a zone (sources)
Virtual machine server0:
# firewall-cmd --permanent --zone=public --add-source=172.25.0.10   # add the client desktop0's source IP to the public zone
# firewall-cmd --zone=public --list-all       # not shown yet: the rule was written with --permanent only
# firewall-cmd --reload
# firewall-cmd --zone=public --list-all       # now listed under sources:
Virtual machine desktop0:
# firefox http://172.25.0.11                  # works even though the default zone is still drop: the source match puts desktop0 into public, where http is allowed
-------------------------------------------------------------------------------------------
Implementing local port mapping (port forwarding)
Port redirection for a local application (port 1 to port 2)
– requests from clients to port 1 are automatically mapped to local port 2
– for example, the following two addresses show the same page:
Virtual machine desktop0:
# firefox http://172.25.0.11:5423   -------> 172.25.0.11:80
Virtual machine server0:
# firewall-cmd --permanent --zone=public --add-forward-port=port=5423:proto=tcp:toport=80
# firewall-cmd --reload
# firewall-cmd --zone=public --list-all       # the mapping appears under forward-ports:
Virtual machine desktop0:
# firefox http://172.25.0.11:5423
Note: the forward-port rule itself opens port 5423 in the zone, so no separate --add-port=5423/tcp is needed; conversely, removing the forward does close it again.
Linux administrator technology 01: SELinux, configuring advanced connections, firewall policy management