Linux System Learning, Day Seven (Engineer Technology course)

Source: Internet
Author: User
Tags: aliases

• SELinux (Security-Enhanced Linux)
– A mandatory access control (MAC) system for Linux, developed under the lead of the NSA (US National Security Agency)
– Integrated into the Linux kernel (2.6 and later) and enforced at run time
– RHEL7 ships a preset protection policy for users, processes, directories and files, plus management tools, on top of SELinux

• SELinux operating modes
– enforcing (mandatory: the policy is enforced), permissive (loose: violations are only logged)
– disabled (completely off)

[root@server0 ~]# getenforce          # show the current SELinux mode
Enforcing
[root@server0 ~]# setenforce 0        # switch the running mode (0 = permissive, 1 = enforcing)
[root@server0 ~]# getenforce
Permissive

Persistent configuration (setenforce only changes the running mode; this file decides the mode after a reboot):
[root@server0 ~]# vim /etc/selinux/config

SELINUX=permissive
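As an added example (my own shell, not from the course notes): a small check that reads the persistent mode out of the config file and compares it with the running mode that getenforce reports, which is exactly the drift a bare setenforce 0 leaves behind. The config text below is constructed and the function names are mine.

```shell
# Constructed sample of /etc/selinux/config (not read from a real host).
SAMPLE_SELINUX_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=permissive
SELINUXTYPE=targeted
'

# Print the persistent mode from config text given on stdin. Only uncommented
# SELINUX= lines count, the last one wins, and the value is lower-cased so it
# can be compared with what getenforce prints.
selinux_config_mode() {
    grep -E '^[[:space:]]*SELINUX=' | tail -n 1 | cut -d= -f2 \
        | tr -d '[:space:]' | tr 'A-Z' 'a-z'
}

# $1 = running mode as printed by getenforce, $2 = persistent mode.
# Prints "consistent" or "drift:<running>!=<persistent>".
selinux_drift() {
    running=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if [ "$running" = "$2" ]; then
        echo consistent
    else
        echo "drift:$running!=$2"
    fi
}

# Hardening check: passes (exit 0) only when the box is enforcing now
# and will still be enforcing after the next reboot.
selinux_audit() {
    if [ "$1" = enforcing ] && [ "$2" = enforcing ]; then
        echo "PASS: enforcing now and after reboot"
        return 0
    fi
    echo "FAIL: running=$1 persistent=$2"
    return 1
}

# Demo on the constructed sample. On a real host use
#   selinux_drift "$(getenforce)" "$(selinux_config_mode < /etc/selinux/config)"
persistent=$(printf '%s' "$SAMPLE_SELINUX_CONFIG" | selinux_config_mode)
selinux_drift Enforcing "$persistent"          # drift:enforcing!=permissive
selinux_audit enforcing "$persistent" || true  # FAIL: running=enforcing persistent=permissive
```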

Extra: vim command mode
C (uppercase): delete from the cursor to the end of the line and enter insert mode

#####################################################
Configuring aggregated connections (NIC teaming)

Analogy: HSRP backup gateway devices
  Router 1: 192.168.1.254 (active)    Router 2: 192.168.1.253 (backup)
  Virtual router: 192.168.1.200

Aggregated connection: backup NIC devices
  eth1 + eth2  ->  team0 (192.168.1.10)

• Team, aggregated connection (also called link aggregation)
– A virtual network card formed from several physical cards (the team-slaves), i.e. the "team"
– Role 1: load balancing of traffic by polling (roundrobin)
– Role 2: hot backup (activebackup), i.e. connection redundancy


Hot-backup configuration (runner names are lowercase): {"runner": {"name": "activebackup"}}

Memory aid: the man page contains a ready-made example
[root@server0 ~]# man teamd.conf
/example       # search the whole page for "example"
               # press n to jump to the next match

1. Add the team device
# nmcli connection add type team con-name team0 ifname team0 \
    config '{"runner": {"name": "activebackup"}}'

# cat /etc/sysconfig/network-scripts/ifcfg-team0
# ifconfig team0

2. Add the members
# nmcli connection add type team-slave ifname eth1 master team0

# nmcli connection add type team-slave ifname eth2 master team0

3. Configure the IP address of team0
# nmcli connection modify team0 ipv4.method manual \
    ipv4.addresses 192.168.1.1/24 connection.autoconnect yes

4. Activate team0
# nmcli connection up team-slave-eth1   # activate slave device eth1
# nmcli connection up team-slave-eth2   # activate slave device eth2
# nmcli connection up team0             # activate the master device team0

5. Verify
# teamdctl team0 state     # dedicated command for viewing team information
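Added example, not part of the original notes: shell functions that parse the text layout teamdctl prints for the state command, pulling out the runner, the active port and any member whose link is down, which is what a monitoring check on a team should alert on. The sample output is constructed to resemble teamdctl's format, with eth2 down.

```shell
# Constructed sample of what "teamdctl team0 state" prints (not captured
# from a host); eth2 is shown with its link down.
SAMPLE_TEAM_STATE='setup:
  runner: activebackup
ports:
  eth1
    link watches:
      link summary: up
      instance[link_watch_0]:
        name: ethtool
        link: up
        down count: 0
  eth2
    link watches:
      link summary: down
      instance[link_watch_0]:
        name: ethtool
        link: down
        down count: 1
runner:
  active port: eth1
'

# Runner name from the "setup:" block (stdin = teamdctl output).
team_runner() { awk '/^setup:/ {s = 1; next} s && $1 == "runner:" {print $2; exit}'; }

# Port currently carrying traffic (activebackup runner only).
team_active_port() { awk '$1 == "active" && $2 == "port:" {print $3}'; }

# Ports whose link summary is down, one per line. Port names are the lines
# indented by exactly two spaces under "ports:"; deeper lines belong to that port.
team_down_ports() {
    awk '/^ports:/ {inports = 1; next}
         /^[^ ]/ {inports = 0}
         inports && /^  [^ ]/ {port = $1}
         inports && $1 == "link" && $2 == "summary:" && $3 == "down" {print port}'
}

# "ok" when every member is up, otherwise "degraded:<ports>". A team keeps
# working with one dead member, so this is the state to flag before the
# remaining link fails as well.
team_health() {
    down=$(printf '%s' "$1" | team_down_ports | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$down" ]; then echo ok; else echo "degraded:$down"; fi
}

# Demo on the constructed sample; on a real host use "$(teamdctl team0 state)".
printf '%s' "$SAMPLE_TEAM_STATE" | team_runner        # activebackup
printf '%s' "$SAMPLE_TEAM_STATE" | team_active_port   # eth1
team_health "$SAMPLE_TEAM_STATE"                      # degraded:eth2
```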


Delete
# nmcli connection delete team-slave-eth1
# nmcli connection delete team-slave-eth2
# nmcli connection delete team0


#####################################################
Configuring IPv6 addresses

• IPv6 address representation
– 128 bits, written as eight colon-separated groups of hexadecimal digits
– Leading zeros in each group can be omitted; one run of consecutive all-zero groups can be shortened to ::

# nmcli connection modify 'System eth0' ipv6.method manual \
    ipv6.addresses 2003:AC18::305/64 connection.autoconnect yes

# nmcli connection up 'System eth0'

# ifconfig eth0

# ping6 2003:ac18::305
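Added example (my own code, not from the course): a POSIX shell/awk function that undoes both abbreviation rules, expanding an address such as 2003:AC18::305 to all eight groups, plus a helper that tells whether two spellings (the one given to nmcli and the one used with ping6) name the same address. It goes a little beyond the notes by rejecting malformed input such as a second "::".

```shell
# Print the expanded eight-group form of IPv6 address $1 (lower-case hex,
# four digits per group), or "invalid" with exit status 1. Embedded IPv4
# suffixes (::ffff:1.2.3.4) are not handled.
ipv6_expand() {
    printf '%s\n' "$1" | awk '
    function pad(g) { while (length(g) < 4) g = "0" g; return g }
    function hexgroup(g) { return g ~ /^[0-9a-f][0-9a-f]?[0-9a-f]?[0-9a-f]?$/ }
    {
        addr = tolower($0)
        n = split(addr, half, "::")        # "::" may appear at most once
        nl = (half[1] == "") ? 0 : split(half[1], left, ":")
        nr = (n == 2 && half[2] != "") ? split(half[2], right, ":") : 0
        if ((n != 1 && n != 2) || (n == 1 && nl != 8) || (n == 2 && nl + nr > 7)) {
            print "invalid"; exit 1
        }
        out = ""
        for (i = 1; i <= nl; i++) {        # groups before the "::"
            if (!hexgroup(left[i])) { print "invalid"; exit 1 }
            out = out pad(left[i]) ":"
        }
        for (i = nl + nr; i < 8; i++)      # zero groups the "::" stood for
            out = out "0000:"
        for (i = 1; i <= nr; i++) {        # groups after the "::"
            if (!hexgroup(right[i])) { print "invalid"; exit 1 }
            out = out pad(right[i]) ":"
        }
        print substr(out, 1, length(out) - 1)
    }'
}

# Exit 0 when two spellings name the same address.
ipv6_same() {
    a=$(ipv6_expand "$1") && b=$(ipv6_expand "$2") && [ "$a" = "$b" ]
}

ipv6_expand 2003:AC18::305                          # 2003:ac18:0000:0000:0000:0000:0000:0305
ipv6_same 2003:AC18::305 2003:ac18:0:0:0:0:0:305 && echo same
```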

###################################################

Alias settings
• View the aliases that have been set
– alias [alias name]
• Define a new alias
– alias name='actual command line to execute'
• Cancel an alias that has been set
– unalias [alias name]

User personalization profile
• Bash environment that affects only the specified user
– ~/.bashrc, read every time a bash terminal is opened

Global environment configuration
• Bash environment that affects all users
– /etc/bashrc, read every time a bash terminal is opened

[root@server0 ~]# vim /root/.bashrc            # affects root only
    alias hello='echo hello'
[root@server0 ~]# vim /home/student/.bashrc    # affects student only
    alias hi='echo Hi'
[root@server0 ~]# vim /etc/bashrc              # global configuration file
    alias haha='echo Xixi'

Log out of the remote session and log in to server0 again to verify
[root@server0 ~]# hello        # works
[root@server0 ~]# hi           # fails
[root@server0 ~]# haha         # works
[root@server0 ~]# su - student
[student@server0 ~]$ hello     # fails
[student@server0 ~]$ hi        # works
[student@server0 ~]$ haha      # works
[student@server0 ~]$ exit
####################################################

Firewall policy management (firewalld): preparing the test services

1. Build a basic web service

Server side: httpd (software)
1. Install the httpd package on server0
2. Start the httpd service on server0 and enable it at boot
By default Apache serves no page of its own

Default Apache web page directory: /var/www/html
Default Apache web page file name: index.html

[root@server0 ~]# systemctl restart httpd
[root@server0 ~]# systemctl enable httpd

[root@server0 ~]# vim /var/www/html/index.html

<marquee><font color=green>

# firefox 172.25.0.11


2. Build an FTP service
Server side: vsftpd (software)
1. Install the vsftpd package on server0
2. Start the vsftpd service on server0 and enable it at boot
Default shared location: /var/ftp

Test
# firefox ftp://172.25.0.11


###################################################
Firewall policy management (firewalld)

Role: isolation
Default stance: block inbound, allow outbound

• System service: firewalld
• Management tools: firewall-cmd (command line), firewall-config (graphical)

View the firewall service status
[root@server0 ~]# systemctl status firewalld.service


• Preset protection rule sets (zones), chosen by where your network sits
– public: only a few services, such as sshd, are allowed to reach this host
– trusted: allow any access
– block: reject any incoming request (the client receives an error reply)
– drop: silently discard any incoming packet (no reply at all)

How firewalld decides which zone applies: first match wins, then it stops

1. Look at the source IP address of the request (the client); if any zone has a source rule that matches this IP, the request enters that zone
2. Otherwise the request enters the default zone


Virtual machine desktop0:
# firefox http://172.25.0.11     # access fails
# firefox ftp://172.25.0.11      # access fails
Virtual machine server0:
# firewall-cmd --get-default-zone                   # show the default zone
# firewall-cmd --zone=public --list-all
# firewall-cmd --zone=public --add-service=http     # add a service
# firewall-cmd --zone=public --list-all             # show the zone's rules
Virtual machine desktop0:
# firefox http://172.25.0.11     # access succeeds
# firefox ftp://172.25.0.11      # access fails
Virtual machine server0:
# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --list-all
Virtual machine desktop0:
# firefox ftp://172.25.0.11      # access succeeds
#####################################################
--permanent option: make the setting permanent (rules added without it live only in the runtime configuration and vanish on reload)

Virtual machine server0:

# firewall-cmd --reload                    # reload the firewall: the runtime http/ftp rules are gone
# firewall-cmd --zone=public --list-all

# firewall-cmd --permanent --zone=public --add-service=ftp
# firewall-cmd --permanent --zone=public --add-service=http

# firewall-cmd --reload                    # reload the firewall: the permanent rules are now active
# firewall-cmd --zone=public --list-all

####################################################
Changing the default zone does not need --permanent (it is saved automatically)

Virtual machine desktop0:
# ping 172.25.0.11     # communication works
Virtual machine server0:
# firewall-cmd --set-default-zone=block     # change the default zone
# firewall-cmd --get-default-zone           # show the default zone

Virtual machine desktop0:
# ping 172.25.0.11     # communication fails (rejected)

Virtual machine server0:
# firewall-cmd --set-default-zone=drop
# firewall-cmd --get-default-zone
Virtual machine desktop0:
# ping 172.25.0.11     # no response at all

######################################################

Virtual machine server0:
# firewall-cmd --permanent --zone=public --add-source=172.25.0.10

# firewall-cmd --zone=public --list-all
# firewall-cmd --reload
# firewall-cmd --zone=public --list-all

Virtual machine desktop0:
# firefox http://172.25.0.11     # access succeeds: 172.25.0.10 matches the source rule of public before the default zone is consulted

##################################################
Implementing local port mapping
• Port redirection for a local application (port 1 -> port 2)
– Client requests to port 1 are automatically mapped to local port 2
– For example, the following two addresses show the same page:

Virtual machine desktop0:
# firefox http://172.25.0.11:5423     --->  172.25.0.11:80

Virtual machine server0:
# firewall-cmd --permanent --zone=public \
    --add-forward-port=port=5423:proto=tcp:toport=80

# firewall-cmd --reload

# firewall-cmd --zone=public --list-all


Virtual machine desktop0:
# firefox http://172.25.0.11:5423
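As an added example covering the zone-matching rule above, --add-source and --add-forward-port (my own shell, not firewalld's code, and no firewalld on the box is needed to run it): a small model of how firewalld picks a zone for a client and what that zone then does with the request. The tables and function names are constructed to mirror the lab state, with 172.25.0.10 (desktop0) bound to public and the default zone set to drop.

```shell
# Constructed tables that mirror the lab state above (not live firewalld data):
# 172.25.0.10 (desktop0) is a source of zone public, the default zone is drop.
# zone|sources (space separated; exact IPs only, real firewalld also takes CIDR)|services
FW_ZONES='public|172.25.0.10|ssh dhcpv6-client http ftp
trusted||
block||
drop||'
FW_DEFAULT_ZONE=drop
# zone|port|proto|toport  (what --add-forward-port records)
FW_FORWARDS='public|5423|tcp|80'

# Zone for client IP $1: the first zone whose source list contains it,
# otherwise the default zone (firewalld stops at the first match).
fw_zone_for() {
    z=$(printf '%s\n' "$FW_ZONES" | awk -F'|' -v ip="$1" \
        '{ n = split($2, s, " "); for (i = 1; i <= n; i++) if (s[i] == ip) { print $1; exit } }')
    echo "${z:-$FW_DEFAULT_ZONE}"
}

# Verdict for client $1 requesting service $2: allow, reject (client gets an
# ICMP error right away) or drop (nothing is sent back, the client times out).
fw_verdict() {
    zone=$(fw_zone_for "$1")
    case $zone in
        trusted) echo allow; return 0 ;;
        block)   echo reject; return 0 ;;
        drop)    echo drop; return 0 ;;
    esac
    allowed=$(printf '%s\n' "$FW_ZONES" | awk -F'|' -v z="$zone" '$1 == z {print $3}')
    for s in $allowed; do
        if [ "$s" = "$2" ]; then echo allow; return 0; fi
    done
    echo reject
}

# Local tcp port that client $1 connecting to port $2 really reaches after the
# zone's forward-port rules; unchanged when no rule matches.
fw_target_port() {
    zone=$(fw_zone_for "$1")
    t=$(printf '%s\n' "$FW_FORWARDS" | awk -F'|' -v z="$zone" -v p="$2" \
        '$1 == z && $2 == p && $3 == "tcp" {print $4; exit}')
    echo "${t:-$2}"
}

fw_verdict 172.25.0.10 http       # allow: desktop0 matches the source rule of public
fw_verdict 172.25.0.99 http       # drop: an unlisted client lands in the default zone
fw_target_port 172.25.0.10 5423   # 80
```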

#####################################################


