• Security-Enhanced Linux
– A set of Linux security enhancements whose development was led by the NSA (National Security Agency)
– A mandatory access control system
– Integrated into the Linux kernel (2.6 and above)
– RHEL7 uses SELinux to protect users, processes, directories and files
– Provides a preset protection policy as well as management tools
• SELinux operating modes
– enforcing (mandatory), permissive (lenient)
– disabled (completely turned off)
[root@server0 ~]# getenforce        # view the current SELinux status
Enforcing
[root@server0 ~]# setenforce 0      # set the current SELinux status (0 = permissive, 1 = enforcing)
[root@server0 ~]# getenforce
Permissive
Permanent configuration:
[root@server0 ~]# vim /etc/selinux/config
SELINUX=permissive
Addendum: vim command mode
C (uppercase): deletes from the cursor to the end of the line and enters insert mode
#####################################################
Configuring aggregated connections (NIC teaming)
Diagram (HSRP backup gateway): Router 1 at 192.168.1.254 (active) and Router 2 at 192.168.1.253 (backup) share the virtual router address 192.168.1.200.
Diagram (aggregated connection, backup NIC): eth1 and eth2 are members of team0, which carries the address 192.168.1.10.
• Team, aggregated connection (also known as link aggregation)
– A virtual network card formed from several physical network cards (team-slaves),
i.e. the "team"
– Role 1: traffic load balancing by polling (roundrobin)
– Role 2: hot standby (activebackup), connection redundancy
Hot standby configuration: {"runner": {"name": "activebackup"}}
Use the man page as a memory aid:
[root@server0 ~]# man teamd.conf
/example        # search the whole page for "example"
                # press n to jump to the next match
1. Add the team device
# nmcli connection add type team \
    con-name team0 ifname team0 \
    config '{"runner": {"name": "activebackup"}}'
# cat /etc/sysconfig/network-scripts/ifcfg-team0
# ifconfig team0
2. Add the member devices
# nmcli connection add type team-slave \
    ifname eth1 master team0
# nmcli connection add type team-slave \
    ifname eth2 master team0
3. Configure the IP address of team0
# nmcli connection modify team0 \
    ipv4.method manual \
    ipv4.addresses 192.168.1.1/24 \
    connection.autoconnect yes
4. Activate team0
# nmcli connection up team-slave-eth1    # activate the slave device eth1
# nmcli connection up team-slave-eth2    # activate the slave device eth2
# nmcli connection up team0              # activate the master device team0
5. Verify
# teamdctl team0 state    # dedicated command for viewing team information
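Reading `teamdctl team0 state` by eye is fine once, but a hot standby is only useful if the standby port is actually up. The shell functions below (added here, not part of the original notes) pull the runner, the active port and any member whose link is down out of that output; the state text is a constructed sample, not captured from server0.

```shell
#!/bin/sh
# Constructed sample of `teamdctl team0 state` output, trimmed to the lines
# the checks below read. Not captured from a real system.
SAMPLE_STATE='setup:
  runner: activebackup
ports:
  eth1
    link watches:
      link summary: up
  eth2
    link watches:
      link summary: down
runner:
  active port: eth1'

# team_runner <state>: the runner mode the team was built with.
team_runner() { printf '%s\n' "$1" | sed -n 's/^  runner: *//p'; }

# team_active_port <state>: the member port currently carrying traffic.
team_active_port() { printf '%s\n' "$1" | sed -n 's/^  active port: *//p'; }

# team_down_ports <state>: space-separated member ports whose link summary is
# not "up". A non-empty result means the team has lost its redundancy.
team_down_ports() {
    printf '%s\n' "$1" | awk '
        /^  [a-z]/ && !/:/ { port = $1; next }                 # "  eth1" header
        /link summary:/ && $NF != "up" { down = down " " port }
        END { sub(/^ /, "", down); print down }'
}

# team_has_standby <state>: exit 0 only when the runner is activebackup and
# every member port is up, i.e. a failover would actually succeed.
team_has_standby() {
    [ "$(team_runner "$1")" = "activebackup" ] && [ -z "$(team_down_ports "$1")" ]
}
```

On a live host, replace SAMPLE_STATE with `"$(teamdctl team0 state)"` and alert when team_has_standby fails.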
Delete
# nmcli connection delete team-slave-eth1
# nmcli connection delete team-slave-eth2
# nmcli connection delete team0
#####################################################
Configuring IPv6 addresses
• IPv6 address representation
– 128 bits, written as colon-delimited hexadecimal groups
– Leading zeros in each group can be omitted; one run of consecutive all-zero groups can be shortened to ::
# nmcli connection modify 'System eth0' \
    ipv6.method manual \
    ipv6.addresses 2003:ac18::305/64 \
    connection.autoconnect yes
# nmcli connection up 'System eth0'
# ifconfig eth0
# ping6 2003:ac18::305
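The two abbreviation rules above mean the same address can be written several ways, which matters when you compare a configured address against firewall rules or log entries. The shell function below (added here, not part of the original notes) expands any abbreviated IPv6 address back to its full eight four-digit groups, the reverse of the shortening the notes describe.

```shell
#!/bin/sh
# ipv6_expand <address>: print the address with leading zeros restored in every
# group and the single "::" run replaced by the all-zero groups it stands for.
# Pure POSIX sh + awk, so it runs on a minimal RHEL7 install.
ipv6_expand() {
    printf '%s\n' "$1" | awk -F'::' '
        # pad one group to four hex digits
        function pad(g) { while (length(g) < 4) g = "0" g; return g }
        {
            # groups left and right of "::" (NF == 1 means the address has no "::")
            nl = split(tolower($1), l, ":"); if (nl == 1 && l[1] == "") nl = 0
            nr = (NF == 2) ? split(tolower($2), r, ":") : 0
            if (nr == 1 && r[1] == "") nr = 0
            # "::" stands for however many zero groups bring the total to eight
            zeros = (NF == 2) ? 8 - nl - nr : 0
            out = ""
            for (i = 1; i <= nl; i++) out = out pad(l[i]) ":"
            for (i = 1; i <= zeros; i++) out = out "0000:"
            for (i = 1; i <= nr; i++) out = out pad(r[i]) ":"
            print substr(out, 1, length(out) - 1)
        }'
}
```

Comparing two addresses after expansion (`[ "$(ipv6_expand "$a")" = "$(ipv6_expand "$b")" ]`) avoids false mismatches caused only by different abbreviations.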
###################################################
Alias settings
• View aliases that have been set
– alias [alias name]
• Define a new alias
– alias name='actual command line to execute'
• Cancel an alias that has been set
– unalias [alias name]
User personalization profile
• Bash environment settings that affect only the specified user
– ~/.bashrc, takes effect every time a bash terminal is opened
Global environment configuration
• Bash environment settings that affect all users
– /etc/bashrc, takes effect every time a bash terminal is opened
[root@server0 ~]# vim /root/.bashrc           # affects root only
alias hello='echo hello'
[root@server0 ~]# vim /home/student/.bashrc   # affects student only
alias hi='echo Hi'
[root@server0 ~]# vim /etc/bashrc             # global configuration file
alias haha='echo Xixi'
Log out of the remote session and log in to server0 again to verify:
[root@server0 ~]# hello        # succeeds
[root@server0 ~]# hi           # fails
[root@server0 ~]# haha         # succeeds
[root@server0 ~]# su - student
[student@server0 ~]$ hello     # fails
[student@server0 ~]$ hi        # succeeds
[student@server0 ~]$ haha      # succeeds
[student@server0 ~]$ exit
####################################################
Firewall policy management (firewalld)
1. Build a basic web service
Server side: httpd (software)
1. Install the httpd software on server0
2. Start the httpd service on server0 and enable it at boot
By default Apache does not provide any page
Default Apache web page storage path: /var/www/html
Default Apache web page file name: index.html
[root@server0 ~]# systemctl restart httpd
[root@server0 ~]# systemctl enable httpd
[root@server0 ~]# vim /var/www/html/index.html
<marquee><font color=green>
[root@desktop0 ~]# firefox 172.25.0.11
2. Build an FTP service
Server side: vsftpd (software)
1. Install the vsftpd software on server0
2. Start the vsftpd service on server0 and enable it at boot
Default shared location: /var/ftp
Test:
[root@desktop0 ~]# firefox ftp://172.25.0.11
###################################################
Firewall policy management (firewalld)
Role: isolation
Block inbound, allow outbound
• System service: firewalld
• Administrative tools: firewall-cmd (command line), firewall-config (graphical)
View the firewall service status:
[root@server0 ~]# systemctl status firewalld.service
• Preset protection rule sets (zones), chosen according to where your network is located
– public: allows only a few services, such as access to the local sshd
– trusted: allows any access
– block: rejects any access request (the client gets a refusal)
– drop: discards any incoming packet (the client gets no reply)
Firewall matching rule: match and stop (the first matching zone wins)
1. First look at the source IP address of the request (the client): if any zone has a source rule for that IP address, the request enters that zone
2. Otherwise the request goes to the default zone
Virtual machine desktop0:
# firefox http://172.25.0.11      # access fails
# firefox ftp://172.25.0.11       # access fails
Virtual machine server0:
# firewall-cmd --get-default-zone                  # view the default zone
# firewall-cmd --zone=public --list-all
# firewall-cmd --zone=public --add-service=http    # add a service
# firewall-cmd --zone=public --list-all            # view the zone's rules
Virtual machine desktop0:
# firefox http://172.25.0.11      # access succeeds
# firefox ftp://172.25.0.11       # access fails
Virtual machine server0:
# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --list-all
Virtual machine desktop0:
# firefox ftp://172.25.0.11       # access succeeds
#####################################################
--permanent option: makes the setting permanent (it survives a reload, but takes effect only after one)
Virtual machine server0:
# firewall-cmd --reload                            # reload the firewall; the runtime-only http and ftp rules above disappear
# firewall-cmd --zone=public --list-all
# firewall-cmd --permanent --zone=public --add-service=ftp
# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --reload                            # reload the firewall
# firewall-cmd --zone=public --list-all
####################################################
Modifying the default zone does not need --permanent
Virtual machine desktop0:
# ping 172.25.0.11        # can communicate
Virtual machine server0:
# firewall-cmd --set-default-zone=block    # modify the default zone
# firewall-cmd --get-default-zone          # view the default zone
Virtual machine desktop0:
# ping 172.25.0.11        # cannot communicate (rejected)
Virtual machine server0:
# firewall-cmd --set-default-zone=drop
# firewall-cmd --get-default-zone
Virtual machine desktop0:
# ping 172.25.0.11        # no response at all
######################################################
Virtual machine server0 (assign the client to the public zone by its source address):
# firewall-cmd --permanent --zone=public --add-source=172.25.0.10
# firewall-cmd --zone=public --list-all
# firewall-cmd --reload
# firewall-cmd --zone=public --list-all
Virtual machine desktop0:
# firefox http://172.25.0.11
##################################################
Implementing local port mapping
• Port redirection for local applications (port 1 and port 2)
– Client requests to port 1 are automatically mapped to local port 2
– For example, visiting the following two addresses shows the same page:
Virtual machine desktop0:
# firefox http://172.25.0.11:5423    -------> 172.25.0.11:80
Virtual machine server0:
# firewall-cmd --permanent --zone=public \
    --add-forward-port=port=5423:proto=tcp:toport=80
# firewall-cmd --reload
# firewall-cmd --zone=public --list-all
Virtual machine desktop0:
# firefox http://172.25.0.11:5423
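Every step above ends with `firewall-cmd --zone=public --list-all` and a visual check. The shell functions below (added here, not part of the original notes) turn that check into an audit: they read the zone listing, flag any allowed service that is not on an expected allowlist, and extract the forward-port rule so it can be compared against what was intended. The zone text is a constructed sample in the layout `--list-all` prints, not captured from server0.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=public --list-all` output.
# ssh and dhcpv6-client are present because a public zone usually ships with
# them; http, ftp, the source and the forward-port mirror the steps in the notes.
SAMPLE_ZONE='public (active)
  target: default
  interfaces: eth0
  sources: 172.25.0.10
  services: ssh dhcpv6-client http ftp
  ports:
  forward-ports: port=5423:proto=tcp:toport=80:toaddr=
  rich rules:'

# zone_field <field> <listing>: value of one "  key: value" line of the listing
# (e.g. zone_field services "$listing" -> "ssh dhcpv6-client http ftp").
zone_field() {
    printf '%s\n' "$2" | sed -n "s/^  $1: *//p"
}

# unexpected_services <allowlist> <listing>: every service the zone allows that
# is not in the space-separated allowlist. Non-empty output means the zone has
# drifted from what the change request asked for.
unexpected_services() {
    allow=" $1 "
    extra=""
    for svc in $(zone_field services "$2"); do
        case "$allow" in
            *" $svc "*) ;;
            *) extra="$extra $svc" ;;
        esac
    done
    printf '%s\n' "${extra# }"
}

# zone_matches_intent <allowlist> <expected forward-port> <listing>: exit 0
# only when no unexpected service is allowed and the forward-port rule is
# exactly the one intended.
zone_matches_intent() {
    [ -z "$(unexpected_services "$1" "$3")" ] &&
    [ "$(zone_field forward-ports "$3")" = "$2" ]
}
```

On a live host, pass `"$(firewall-cmd --zone=public --list-all)"` as the listing and run the check after every `--reload`, since runtime-only rules vanish at that point.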
#####################################################
Linux system learning, day seven: <<Engineer Technical>>