SELinux (Security-Enhanced Linux)
- A security enhancement for Linux whose development was led by the NSA (National Security Agency)
- A Mandatory Access Control (MAC) system: the loaded policy, not the file owner, decides what a process may touch
- Integrated into the Linux kernel (2.6 and later)
- RHEL7 ships SELinux with a preset protection policy for users, processes, directories and files, plus management tools

SELinux modes of operation
- enforcing: the policy is applied; denied actions are blocked and logged
- permissive: denied actions are only logged, nothing is blocked (useful for troubleshooting, not for production)
- disabled: SELinux is completely off; no labels are maintained, so turning it back on later requires a full relabel at boot
[root@server0 ~]# getenforce                  # show the current SELinux mode
Enforcing
[root@server0 ~]# setenforce 0                # switch the running kernel to permissive (1 = back to enforcing)
[root@server0 ~]# getenforce
Permissive
setenforce changes the running system only: it does not survive a reboot and cannot turn SELinux on from disabled.
Persistent configuration (takes effect at the next boot):
[root@server0 ~]# vim /etc/selinux/config
SELINUX=permissive
Tip: vim command mode
    C (uppercase): delete from the cursor to the end of the line and enter insert mode
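Because the runtime mode (setenforce) and the persisted mode (/etc/selinux/config) are set separately, they drift apart easily: a `setenforce 0` left behind after troubleshooting quietly disappears at the next reboot, and an edit to the file does nothing until then. The following is an added example, not part of the course notes, that reads the persisted mode and compares it with whatever getenforce reports. SAMPLE_CONFIG is a constructed stand-in for /etc/selinux/config; on a real host feed the real file and the real getenforce output as shown in the last comment.

```shell
#!/bin/sh
# Added example, not part of the course notes: report whether the running
# SELinux mode matches the mode persisted in /etc/selinux/config.
# SAMPLE_CONFIG is a constructed stand-in for the real file.

SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted
'

# Print the persisted mode from config text on stdin (comment lines are
# ignored, the last SELINUX= assignment wins). Prints "unset" when the
# file has no SELINUX= line at all.
persisted_mode() {
    m=$(sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' | tail -n 1 | tr 'A-Z' 'a-z')
    printf '%s\n' "${m:-unset}"
}

# Compare the runtime mode ($1, as printed by getenforce) with the persisted
# mode ($2). Prints one of:
#   consistent  - same mode now and after the next reboot
#   drift       - a reboot will change the mode (setenforce was used, or the
#                 file was edited without rebooting)
#   invalid     - the config value is not one of the three allowed words
mode_status() {
    runtime=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    persisted=$2
    case "$persisted" in
        enforcing|permissive|disabled) ;;
        *) printf 'invalid\n'; return ;;
    esac
    if [ "$runtime" = "$persisted" ]; then
        printf 'consistent\n'
    else
        printf 'drift\n'
    fi
}

# Demo on the constructed config, pretending getenforce printed "Enforcing":
# the file says permissive, so this host changes mode at the next boot.
p=$(printf '%s' "$SAMPLE_CONFIG" | persisted_mode)
printf 'persisted=%s runtime=Enforcing -> %s\n' "$p" "$(mode_status Enforcing "$p")"
# Real host:  mode_status "$(getenforce)" "$(persisted_mode < /etc/selinux/config)"
```

Run it from a cron job or a configuration check and treat "drift" as a finding: either the box is weaker than its configuration says, or it will stop behaving as expected at the next reboot.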
#####################################################
Configure an aggregated connection (NIC teaming)

    HSRP: two routers back up the gateway address
        Router 1  192.168.1.254  Active
        Router 2  192.168.1.253  Backup
        virtual gateway address  192.168.1.200

    Host side, link aggregation:
        eth1 + eth2  ->  team0  (192.168.1.10)
Team, aggregated connection (also called link aggregation)
- Several physical NICs (team-slaves) are combined into one virtual NIC, the "team"
- Use 1: load balancing, traffic is sent over the members in turn (runner "roundrobin")
- Use 2: hot backup, one member carries traffic and the other stands by, giving link redundancy (runner "activebackup")
    Hot backup configuration:  '{"runner": {"name": "activebackup"}}'
    The JSON key and the runner names are lowercase.
Finding the syntax in the manual:
[root@server0 ~]# man teamd.conf
    /example      # search the whole page for "example"
    n             # jump to the next match
1. Add the team device
# nmcli connection add type team con-name team0 ifname team0 \
    config '{"runner": {"name": "activebackup"}}'
# cat /etc/sysconfig/network-scripts/ifcfg-team0
# ifconfig team0
2. Add the members
# nmcli connection add type team-slave ifname eth1 master team0
# nmcli connection add type team-slave ifname eth2 master team0
   (with no con-name given, nmcli names these connections team-slave-eth1 and team-slave-eth2)
3. Configure the IP address of team0
# nmcli connection modify team0 ipv4.method manual \
    ipv4.addresses 192.168.1.1/24 connection.autoconnect yes
4. Activate team0
# nmcli connection up team-slave-eth1    # activate member eth1
# nmcli connection up team-slave-eth2    # activate member eth2
# nmcli connection up team0              # activate the team device
5. Verify
# teamdctl team0 state                   # team-specific status: runner, member link state, active port
Delete
# nmcli connection delete team-slave-eth1
# nmcli connection delete team-slave-eth2
# nmcli connection delete team0
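Step 5 says to verify with `teamdctl team0 state` but not what to look for: the runner in use, which member is currently active, and whether every member link is up (a team with one dead member still passes traffic, so nobody notices until the second link fails). The following is an added example, not part of the course notes, that parses that output. SAMPLE_STATE is a constructed sample in the layout teamdctl prints; on a real host pipe the command into the functions as shown in the comments.

```shell
#!/bin/sh
# Added example, not part of the course notes: parse "teamdctl team0 state"
# output to verify an activebackup team. SAMPLE_STATE is a constructed
# sample; on a real host use:  teamdctl team0 state | team_all_up

SAMPLE_STATE='setup:
  runner: activebackup
ports:
  eth1
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
  eth2
    link watches:
      link summary: down
      instance[link_watch_0]:
        name: ethtool
        link: down
        down count: 3
runner:
  active port: eth1
'

# Print the runner name (roundrobin, activebackup, ...) from state text on stdin.
team_runner() {
    awk '/^  runner:/ { print $2 }'
}

# Print the member currently carrying traffic (activebackup runner only).
team_active_port() {
    awk '/^  active port:/ { print $3 }'
}

# Print "port state" for every member, e.g. "eth1 up", one per line.
# Member names are the lines indented by exactly two spaces under "ports:".
team_port_links() {
    awk '
        /^ports:/                  { inports = 1; next }
        /^[^ ]/                    { inports = 0 }
        inports && /^  [^ ]/       { port = $1; next }
        inports && /link summary:/ { print port, $3 }
    '
}

# Succeed when every member link is up; otherwise list the down members
# and fail, so the function can gate a deployment or a monitoring check.
team_all_up() {
    down=$(team_port_links | awk '$2 != "up" { print $1 }')
    if [ -n "$down" ]; then
        printf 'down: %s\n' "$down"
        return 1
    fi
    printf 'all ports up\n'
    return 0
}

# Demo on the constructed sample: runner, active member, and a failed member.
printf '%s' "$SAMPLE_STATE" | team_runner
printf '%s' "$SAMPLE_STATE" | team_active_port
printf '%s' "$SAMPLE_STATE" | team_all_up || true
```

On the sample, eth1 is active and eth2 is reported down, which is exactly the state where the "hot backup" exists only on paper; run `teamdctl team0 state` again after pulling each cable in turn to confirm the active port actually moves.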
#####################################################
Configure IPv6 addresses
IPv6 address representation
- 128 bits, written as eight groups of hexadecimal digits separated by colons
- Leading zeros within a group may be omitted; one run of consecutive all-zero groups may be collapsed to "::" (only once per address, otherwise the number of hidden groups is ambiguous)
# nmcli connection modify 'System eth0' \
    ipv6.method manual ipv6.addresses 2003:ac18::305/64 connection.autoconnect yes
# nmcli connection up 'System eth0'
# ifconfig eth0
# ping6 2003:ac18::305
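The two shortening rules above mean one host has many valid spellings: 2003:ac18::305 and 2003:AC18:0:0:0:0:0:0305 are the same address, so anything that compares addresses as strings (log greps, allow-lists, firewall source lists) must expand them first. The following is an added example, not part of the course notes, implementing that expansion and a comparison built on it; the address strings in it are taken from the exercise or constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the course notes: expand a compressed IPv6
# address into its full eight-group form and compare two addresses after
# that normalisation.

# Print the full form (eight groups of four lowercase hex digits), or
# "invalid" for malformed input such as two "::" or a group of five digits.
ipv6_expand() {
    [ -n "$1" ] || { printf 'invalid\n'; return; }
    printf '%s' "$1" | awk -F'::' '
        function pad(g) { while (length(g) < 4) g = "0" g; return g }
        function ok(g)  { return length(g) >= 1 && length(g) <= 4 && g ~ /^[0-9a-fA-F]+$/ }
        {
            if (NF > 2) { print "invalid"; exit }                 # more than one "::"
            nl = ($1 == "") ? 0 : split($1, l, ":")               # groups left of "::"
            nr = (NF < 2 || $2 == "") ? 0 : split($2, r, ":")     # groups right of "::"
            miss = (NF == 2) ? 8 - nl - nr : 0                    # zero groups hidden by "::"
            if (nl + nr + miss != 8 || (NF == 2 && miss < 1)) { print "invalid"; exit }
            for (i = 1; i <= nl; i++) if (!ok(l[i])) { print "invalid"; exit }
            for (i = 1; i <= nr; i++) if (!ok(r[i])) { print "invalid"; exit }
            out = ""
            for (i = 1; i <= nl; i++)   out = out pad(l[i]) ":"
            for (i = 1; i <= miss; i++) out = out "0000:"
            for (i = 1; i <= nr; i++)   out = out pad(r[i]) ":"
            print tolower(substr(out, 1, length(out) - 1))        # drop the trailing ":"
        }'
}

# Succeed when $1 and $2 are both valid and denote the same address.
ipv6_same() {
    a=$(ipv6_expand "$1")
    b=$(ipv6_expand "$2")
    if [ "$a" != invalid ] && [ "$a" = "$b" ]; then
        return 0
    fi
    return 1
}

# Demo: the address from the exercise, the loopback address, and a bad input.
ipv6_expand 2003:ac18::305
ipv6_expand ::1
ipv6_expand 1::2::3
if ipv6_same 2003:ac18::305 2003:AC18:0:0:0:0:0:0305; then echo "same host"; fi
```

The expanded form is what to store or compare; when you need the short form for display, RFC 5952 fixes a single canonical spelling (lowercase, the longest zero run collapsed), which is why tooling that prints addresses will not necessarily echo back what you typed.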
###################################################
Alias settings
- View the aliases that are set:   alias [name]
- Define a new alias:              alias name='command line to run'
- Remove an alias:                 unalias [name]
Per-user personalization file
- Bash environment of one user only
- ~/.bashrc, read every time that user opens a bash shell
Global environment configuration
- Bash environment of all users
- /etc/bashrc, read every time any user opens a bash shell
Because every new shell executes these files, whoever can write to them decides what a command
name does for that user; keep them writable by their owner only and check with alias for
definitions you did not add.
[root@server0 ~]# vim /root/.bashrc               # affects root only
    alias hello='echo Hello'
[root@server0 ~]# vim /home/student/.bashrc       # affects student only
    alias hi='echo Hi'
[root@server0 ~]# vim /etc/bashrc                 # affects all users
    alias haha='echo xixi'
Log out of the remote session and log in to server0 again so the files are re-read, then verify:
[root@server0 ~]# hello        # works
[root@server0 ~]# hi           # fails: defined only in student's file
[root@server0 ~]# haha         # works
[root@server0 ~]# su - student
[student@server0 ~]$ hello     # fails: defined only in root's file
[student@server0 ~]$ hi        # works
[student@server0 ~]$ haha      # works
[student@server0 ~]$ exit
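The same mechanism that makes `hello` and `haha` appear on login lets an intruder who can write to /etc/bashrc or a user's ~/.bashrc replace sudo, ssh or su with something else for every later session. The following is an added example, not part of the course notes, that extracts the alias definitions from such a file and flags the ones that redefine commands on a watch list. SAMPLE_RC is a constructed startup file containing the course's `hello` alias plus two planted ones; the watch list WATCH is my choice and can be extended.

```shell
#!/bin/sh
# Added example, not part of the course notes: list the alias definitions in
# a bash startup file and flag the ones that redefine commands an intruder
# would want to hijack. SAMPLE_RC is constructed; on a real host run e.g.
#   suspicious_aliases < /etc/bashrc
#   suspicious_aliases < /home/student/.bashrc

SAMPLE_RC=$(cat <<'EOF'
# .bashrc
alias hello='echo Hello'
alias ll='ls -l --color=auto'
  alias sudo='/tmp/.x/sudo'     # planted: a fake sudo that captures the password
alias ssh="ssh -o StrictHostKeyChecking=no"
export PATH=$PATH:/usr/local/bin
EOF
)

# Print "name<TAB>command" for every alias definition in rc text on stdin.
# Handles leading whitespace, single- or double-quoted values and a trailing
# comment; a bare unquoted value is taken up to the first blank.
rc_aliases() {
    awk -v sq="'" '
        BEGIN { quoted = "^[" sq "\"][^" sq "\"]*[" sq "\"]" }
        /^[ \t]*alias[ \t]+[A-Za-z0-9_.-]+=/ {
            sub(/^[ \t]*alias[ \t]+/, "")
            eq = index($0, "=")
            name = substr($0, 1, eq - 1)
            cmd = substr($0, eq + 1)
            if (match(cmd, quoted)) cmd = substr(cmd, 2, RLENGTH - 2)
            else sub(/[ \t].*$/, "", cmd)
            print name "\t" cmd
        }'
}

# Commands whose meaning must not be silently changed by an alias.
WATCH="sudo su ssh scp passwd"

# Print only the aliases from stdin whose name is in WATCH.
suspicious_aliases() {
    rc_aliases | awk -F "$(printf '\t')" -v watch="$WATCH" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        $1 in bad { print }'
}

# Demo: only the planted sudo and ssh definitions are reported.
printf '%s\n' "$SAMPLE_RC" | suspicious_aliases
```

A hit is not automatically malicious (`alias ssh='ssh -A'` is common), but a sudo alias pointing into /tmp, or an ssh alias that disables host-key checking, is worth a look; pair this with a check that /etc/bashrc is owned by root and not group- or world-writable.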
####################################################
Firewall policy management (firewalld): set up the test services first
I. Build a basic web service
    Server-side software: httpd
    1. Install httpd on server0
    2. Start the httpd service on server0 and enable it at boot
    No index.html is shipped in the document root; create one to have something to test
    Default Apache document root: /var/www/html
    Default Apache page file name: index.html
[root@server0 ~]# systemctl restart httpd
[root@server0 ~]# systemctl enable httpd
[root@server0 ~]# vim /var/www/html/index.html
    <marquee><font color=green>
# firefox 172.25.0.11
II. Build an FTP service
    Server-side software: vsftpd
    1. Install vsftpd on server0
    2. Start the vsftpd service on server0 and enable it at boot
    Default share location: /var/ftp
Test
# firefox ftp://172.25.0.11
###################################################
Firewall policy management (firewalld)
    Role: isolation, allow outbound connections, block unsolicited inbound ones
    System service: firewalld
    Management tools: firewall-cmd (command line), firewall-config (graphical)
View the firewall service status
[root@server0 ~]# systemctl status firewalld.service
Preset rule sets (zones), chosen by where the host's network sits
- public: incoming access only for a few services (ssh and dhcpv6-client by default); everything else is rejected
- trusted: allow any incoming access
- block: reject any incoming request (the sender gets an ICMP "prohibited" reply)
- drop: silently discard any incoming packet (the sender gets nothing back)
How firewalld chooses the zone for a packet: first match wins, then stop
    1. Look at the source IP address of the request (the client); if a zone has that address bound as a source, the packet enters that zone
    2. Otherwise use the zone bound to the interface the packet arrived on; if the interface has none, the default zone
Virtual machine desktop0:
# firefox http://172.25.0.11         # fails: http is not allowed in public
# firefox ftp://172.25.0.11          # fails
Virtual machine server0:
# firewall-cmd --get-default-zone              # show the default zone
# firewall-cmd --zone=public --list-all
# firewall-cmd --zone=public --add-service=http   # allow the http service (runtime only)
# firewall-cmd --zone=public --list-all        # show the zone's rules
Virtual machine desktop0:
# firefox http://172.25.0.11         # works
# firefox ftp://172.25.0.11          # still fails
Virtual machine server0:
# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --list-all
Virtual machine desktop0:
# firefox ftp://172.25.0.11          # works
#####################################################
The --permanent option: make settings permanent
Rules added without --permanent live only in the running firewall; a reload or restart of firewalld
throws them away. Rules added with --permanent are written to the configuration under /etc/firewalld
but do not act until the next --reload. For a rule to work both now and after a reboot, add it
permanently and then reload.
Virtual machine server0:
# firewall-cmd --reload                        # reload the firewall: the runtime-only http/ftp rules are gone
# firewall-cmd --zone=public --list-all
# firewall-cmd --permanent --zone=public --add-service=ftp
# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --reload                        # reload so the permanent rules become active
# firewall-cmd --zone=public --list-all
####################################################
Changing the default zone (no --permanent needed: --set-default-zone is saved immediately)
Virtual machine desktop0:
# ping 172.25.0.11                   # replies
Virtual machine server0:
# firewall-cmd --set-default-zone=block        # change the default zone
# firewall-cmd --get-default-zone              # show the default zone
Virtual machine desktop0:
# ping 172.25.0.11                   # no longer reaches the host: each packet is answered with an ICMP "prohibited" rejection
Virtual machine server0:
# firewall-cmd --set-default-zone=drop
# firewall-cmd --get-default-zone
Virtual machine desktop0:
# ping 172.25.0.11                   # no reply at all, the packets are discarded silently
Do this from the server's console rather than over ssh: once block or drop is the default zone and
nothing else is bound to a source or interface, the ssh session itself is cut off.
######################################################
Bind a client address to a zone (source rule)
Virtual machine server0:
# firewall-cmd --permanent --zone=public --add-source=172.25.0.10   # packets from 172.25.0.10 are handled by public, whatever the default zone is
# firewall-cmd --zone=public --list-all          # not visible yet: the rule is permanent-only until reloaded
# firewall-cmd --reload
# firewall-cmd --zone=public --list-all          # now lists sources: 172.25.0.10
Virtual machine desktop0:
# firefox http://172.25.0.11                     # works again if desktop0 is 172.25.0.10, even though the default zone is drop
##################################################
Implement a local port mapping
Port redirection for a service on this host (port 1 -> port 2)
- Client requests that arrive at port 1 are automatically mapped to local port 2
- For example, the following two addresses show the same page:
Virtual machine desktop0:
# firefox http://172.25.0.11:5423    -->  172.25.0.11:80
Virtual machine server0:
# firewall-cmd --permanent --zone=public \
    --add-forward-port=port=5423:proto=tcp:toport=80
# firewall-cmd --reload
# firewall-cmd --zone=public --list-all          # shows forward-ports: port=5423:proto=tcp:toport=80:toaddr=
Virtual machine desktop0:
# firefox http://172.25.0.11:5423
The redirect belongs to the public zone, so it applies only to traffic that lands in that zone (here,
from the bound source 172.25.0.10). Redirecting to a port on the same host needs no masquerade;
forwarding to another host (toaddr=...) requires masquerade to be enabled on the zone.
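The exercises above end each step with `firewall-cmd --zone=public --list-all` and leave it to the reader to eyeball the result. The following is an added example, not part of the course notes, that checks such a zone dump against what the lab expects: the ssh/http/ftp services allowed, desktop0 bound as a source, and 5423/tcp redirected to 80. SAMPLE_ZONE is a constructed stand-in for the `--list-all` output; on a real host capture the runtime dump and the `--permanent` dump separately, as in the comments, because a rule present in one but not the other is exactly the "forgot --permanent" or "forgot --reload" mistake this section warns about.

```shell
#!/bin/sh
# Added example, not part of the course notes: check a firewalld zone dump
# against what the exercise expects. SAMPLE_ZONE is a constructed stand-in
# for "firewall-cmd --zone=public --list-all"; on a real host:
#   runtime=$(firewall-cmd --zone=public --list-all)
#   saved=$(firewall-cmd --permanent --zone=public --list-all)
# and run the same checks on both.

SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 172.25.0.10
  services: dhcpv6-client ssh http ftp
  ports:
  protocols:
  masquerade: no
  forward-ports: port=5423:proto=tcp:toport=80:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
'

# Print the value of one "  name: value" line of a zone dump.
# $1 = zone dump text, $2 = field name (services, sources, forward-ports, ...)
zone_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { $1 = ""; sub(/^ +/, ""); print }'
}

# Print each expected service ($2, space separated) that the zone does not allow.
zone_missing_services() {
    have=" $(zone_field "$1" services) "
    for s in $2; do
        case "$have" in
            *" $s "*) ;;
            *) printf '%s\n' "$s" ;;
        esac
    done
}

# Succeed when address $2 is bound to the zone as a source.
zone_has_source() {
    case " $(zone_field "$1" sources) " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# Succeed when the zone redirects TCP port $2 to local port $3.
# A forward-port with toaddr set forwards to another host and is a
# different rule, so it is deliberately not matched here.
zone_redirects_port() {
    zone_field "$1" forward-ports | tr ' ' '\n' \
        | grep -q "^port=$2:proto=tcp:toport=$3:toaddr=$"
}

# Demo on the constructed dump: https is expected here but not allowed.
zone_missing_services "$SAMPLE_ZONE" "ssh http ftp https"
if zone_has_source "$SAMPLE_ZONE" 172.25.0.10; then echo "desktop0 bound to public"; fi
if zone_redirects_port "$SAMPLE_ZONE" 5423 80; then echo "5423/tcp -> 80 in place"; fi
```

Note that the functions parse only single-line fields; `rich rules:` can span several lines and would need its own handling if you start using rich rules.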
Linux System Engineer Technology (Engineer) - Day 1