Network configuration and Remote Management

Network configuration and Remote Management
Network Configuration host name Windows: netbios network Basic Input/Output System resolve computer name to IP address Wins service windows Network Name Service Windows Remote Management Tool: tightvnc --> windows/linux rdesktop-> linux management windows format: rdesktop-f-u username-p passwd-f full screen display-u specify username-p specify password linux Remote Desktop Connection Tool VNC default port is 5900, the Remote Desktop Connection port is 5900 + n (n is specified by the vncserver command ). If you use the "vncserver: 1" command to start the VNC Server, the following port should be 5901. # Yum-y install tigervnc-server # vim/etc/sysconfig/vncserver VNCSERVERS = "2: wdd "VNCSERVERARGS [2] ="-geometry 800x600-localhost "# vim/root /. vnc/xstartup gnome-session & # Use The gnome Desktop Environment During connection. You can delete the original twm or put it behind # vncpasswd to create a VNC password # vncserver [: n] enable access to the service Linux client: Disable the firewall and SELINUX during the experiment. Set firewall rules in the production environment # vncviewer-via [email protected] localhost: 2. Enter the user name and password to access # VNC is in plain text and insecure. the connection process may be eavesdropped and interfered. you can use SS The H-channel is encrypted and then communicates with the remote host's back-to-loop address. This increases security. If you want to use a windows vnc client, you 'd better remove-localhost from Windows Client Access: Nic parameters: /ect/sysconfig/network-scripts/ifcfg-eth0 gateway, refers to the network egress route record to be used by any network, when there is a specific target, the network interface DNS used: the DNS option configured for the NIC is automatically added to/etc/resolves. conf icmp: the Internet control protocol temporarily takes effect. You can use commands to adjust network parameters, which is simple and fast. You can directly modify network parameters in operation. It is generally only suitable for network debugging, after the system is restarted, all modifications will become invalid. Modify host name to view Host Name: hostname set Host Name: hostname host name [root @ myweb ~] # Hostname www.baidu.com Note: Try to use the FQDN (Fully Qualified Domain Name) Name of the host name to modify the NIC configuration. View IP Address: ifconfig modify the journal parameters: format: ifconfig Interface Name IP Address [netmask subnet mask] [root @ myweb ~] # Ifconfig eth0 192.168.137.128 netmask 255.255.255.0 ifconfig network interface IP Address [/Mask Length] [root @ myweb ~] # Ifconfig eth0 192.168.137.128/24 gateway settings Delete the default gateway record in the route table: Format: route del default gw IP Address [root @ mylinux ~] # Route del default gw 192.168.137.4 add the default gateway record to the routing table: Format: route add default gw IP Address [root @ mylinux ~] # Route add default gw 192.168.137.4 route record added to the specified CIDR Block: Format: route add-net CIDR block address gw IP Address [root @ mylinux ~] # Route add-net 192.168.216.0/24 gw 192.168.137.4 Delete the route record to the specified CIDR Block in the format of route del-net CIDR Block [root @ mylinux ~] # Route del-net 192.168.216.0/24 gw 192.168.137.4 permanent and effective modification of network parameters through the configuration file, modify the configuration files of network parameters, this method is applicable when you set fixed parameters for the server. You need to reload the network service or restart the server before it takes effect. 2.1 Modify host name Modify/etc/sysconfig/network file set Host Name: Method: HOSTNAME = Host Name 2.2, modify/etc/sysconfig/network-scripts/ifcfg-eth0 file modify Nic parameters: method: DEVICE = eth0 ONBOOT = yes BOOTPROTO = static/dhcp IPADDR = IP address NETMASK = subnet mask DNS1 = xxx. xxx. xxx. xxx specifies the DNS address DNS2 = xxx. xxx. xxx. xxx restart network service: service network restart or restart NIC: ifdown eth0; ifup eth0 2.3, GATEWAY settings Modify/etc/sysconfig/network-scripts/ifcfg-eth0 file method: GATEWAY = xxx. xxx. xxx. xxx: view or set the format of route table information in the Host: r Oute [-n] domain name Configuration Modification/etc/resolv. conf file: Purpose: Save the IP address of the DNS server required by the local machine: search lampbrother.net nameserver 202.106.0.20 nameserver 8.8.8.8 nsloookup command to test DNS installation nslookup [root @ myweb ~] # Yum-y install bind-utils format: nslookup target host address [DNS server address] has two modes: Interactive Mode and non-interactive mode, use the server IP address to specify the DNS host ing file/etc/hosts. Purpose: To save the ing record between the host name and the IP Address: the IP address domain name alias 127.0.0.1 localhost. comparison between the localdomain localhost Hosts file and the DNS server: by default, the system first searches for resolution records from the hosts file. The hosts file is only valid for the current host. The hosts file can reduce the DNS query process, to speed up access, test command 7.1 and netstat command to view the network connection status and route table of the system. Interface statistics and other information formats: netstat [Option] common options:-a: show all active connections-n: Display in numbers-p: Display process information-t: view TCP information-u: View UDP information 7.2. Test the network node format between the current host and the target host by using the traceroute command: traceroute target host address 7.3, ping command to test network connection status ping-c 4-w 3-I 0.1 target address option:-w waittime: set the waiting response time for each probe-I 0.1 (seconds): interval of each ping-c times: ping times 7.4, arp command Address Resolution Protocol, resolve the IP address to a mac address # arp-a query arp cache table # arp-s src dest binding IP address and mac address # arp-d deleting # arpspoof-I eth0-t src dest listening rarp Reverse Address Solution Analysis protocol, convert mac to IP address 7.5, nmap command network probe scan command nmap-[sLpV] host address (can be a single or continuous)-exclude excluded IP address option:-s: scan-L: scan host list-T: TCP-V: scan software version number-p port number: scan port number-exclude IP Address: exclude IP address Remote Management 1. The SSH protocol provides a secure shell environment for clients for remote management. Default port: TCP 22 OpenSSH service name: sshd server main program: /usr/sbin/sshd client main program:/usr/bin/ssh server configuration file:/etc/ssh/sshd_config client configuration file: /etc/ssh/ssh_config 2. Remote Identity Authentication login authentication method: password verification: Check whether the user name and password match the key pair for verification: check whether the customer's private key and server public key match [root @ myweb ~] # Vim/etc/ssh/sshd_config PasswordAuthentication yes # default password verification is enabled # PubkeyAuthentication yes # enable key verification # AuthorizedKeysFile. ssh/authorized_keys # key pair verification, public key storage location 3. function module ssh command-remote Secure Login Format: ssh-p port number user @ host ssh-p port number-l user host scp command-remote secure copy format 1: scp-P port number user @ host: file1 file2 Format 2: scp-P port number file1 user @ host: file2 sftp command-Secure FTP download format: sftp-oPort = port user @ host [root @ mylinux ~] # Sftp-oPort = 2200 [email protected] 4. key pair verification Step 1: Create a key pair (the client user creates a key pair locally) [root @ myweb ~] # Ssh-keygen-t rsa [-f id_rsa-n'']-t dsa/ras specify the encryption algorithm-f file name specify the key file name-n'' automatically created without manually pressing enter step 2: upload the public key file id_rsa.pub [client @ myweb. ssh] $ scp id_rsa.pub [email protected]:/tmp or [client @ myweb. ssh] $ ssh-copy-id-I id_rsa.pub [email protected] # If you use the above command, you can skip the following step 3: Import Public Key Information, Public Key library file: ~ /. Ssh/authorized_keys [root @ mylinux tmp] # mkdir/home/server /. ssh [root @ mylinux tmp] # cat id_rsa.pub>/home/server /. step 4 of ssh/authorized_keys: Use the key pair for authentication [client @ myweb. ssh] $ ssh-l server 192.168.137.129 or [client @ myweb. ssh] $ ssh [email protected] TCP Wrappers Overview 1. Implementation of the protection mechanism, package other service programs through the program of tcpd 2. The configuration file of the access control policy/etc/hosts. allow/etc/hosts. deny 3. Set the access control policy format: Service list: client address list service list: multiple services are separated by commas (,). ALL indicates ALL service clients. Address List: multiple addresses are separated by commas (,). "ALL" indicates that Wildcards are allowed for ALL addresses? And * network segment address, such as 192.168.4. Or 192.168.4.0/255.255.255.0 region address, .baidu.com Note: wildcard (? *) Cannot be mixed with the format at the beginning or end of., for example, sshd: 192.16 ?. 1. Yes; sshd:. xd ?. Com is also incorrect [root @ localhost ~] # Vim/etc/hosts. deny sshd: 192.168.137.130 [sshd: 192.168.137.0/255.255.255.0] 4. Check the application sequence of the policy first. allow. Access is allowed if a match is found. Otherwise, check hosts. deny: access is denied if it is found. If no matching policy exists in both files, access cases are allowed by default: Lan arp spoofing 1. Because lan network flow is not performed based on IP addresses, transmission is performed based on the MAC address. Host A originally accesses host C, but host B uses hacking software to listen to host A and host C. If host A sends A request to host C, host B intercepts the request, disguised as the MAC address of host C, requests sent from host A to host C are forwarded to host C through host B. So host B won't let you forward it? Then you will not be able to access the Internet, which is a simple lan ARP spoofing. Test Machine host A, host B, and host C are all installed in A minimal manner, firewall and SELINUX are all disabled, and their IP addresses are: 192.168.20.2, 192.168.20.3, 192.168.20.4 host A can originally access the web on host C # traceroute 192.168.20.4 with only one hop # curl http: // 192.168.20.4 access the web of host C successfully. The operations of host B are as follows: # yum-y install libpcap # The installation package cannot be installed without the library. # rpm-ivh *. rpm # vim/etc/sysctl. conf Net. ipv4.ip _ forward = 1 # enable the forwarding function # arpspoof-I eth0-t 192.168.20.2 192.168.20.4 option Description:-I: Specify the forwarding Nic device-t src dest: when listening to src to dest, host A can access host B, but it is forwarded by host B. If you use traceroute on host A, host C will find that it has been forwarded by host B, at the same time, run the arp-a command to check whether host B and host C have the same MAC address, if host B rejects access from host A by setting firewall rules (iptables-A FORWARD-s 192.168.20.2-j drop), then host A cannot access host C, this is the so-called ARP spoofing. Host C # yum-y install httpd 2. If ARP spoofing is detected, host A must bind the IP address of host C, provided that you know the IP address of host C. If you do not receive an ARP attack, ping host C to obtain its IP address, that is, run arp-a to view the IP address. To prevent ARP spoofing, you must bind the mac address of host C as follows: view the MAC address of host C # ifconfig on host A and bind the MAC address of host C: in this case, you can access host C normally. What is an SSH tunnel in an SSH tunnel? First, let's take a look at the figure below. Most of the situations we face are similar to it. In the upper-right corner of our computer, we can access the Internet through the company's firewall-enabled router (of course, there may be switches or something connecting you and the router in the middle, but in our case, the switch does not play any key role ). In the lower-left corner, a website server is part of our firewall policy, that is, the company does not want us to access this server. There is another machine in the upper left corner. It also belongs to us. But this machine is not in our company. In other words, it is not restricted by the company's firewall. Finally, the most important thing is that we can directly access this machine through the Internet in the company. Or the machine located outside the company's firewall needs an independent Internet IP address, and the company's firewall rules will not block this machine, and this machine runs an OpenSSH server. Test Conditions: host A, host B, host C, and host D. Their IP addresses are 192.168.1.1, 192.168.1.2, and 200.200.200.2 (dual Nic), 200.200.200.200, and 200.200.200.1, respectively, both firewall and SELINUX are disabled. Test preparation: the eth0 of host A and host B are in the same network segment, and the eth1 of host B and host D are in the same network segment, host C and host D are in the same network segment, that is, host A can communicate with host B, but cannot access host C. Host B can communicate with host C; host C can communicate with host D. Host C is used as the website server: # yum-y install httpd host A cannot access host C. The steps are as follows: 1. host: # route add default gw 192.168.1.2 # Set gateway 2, host C: # route add default gw 200.200.200.2 # Set Gateway 3, host B: # vim/etc/sysctl. conf net. ipv4.ip _ forward = 1 # enable the network forwarding function # ssh-N-f-L 8080: 200.200.200.200: 80 200.200.200.1-N indicates that the ssh link is not intended to be logged on, but port forwarding.-f indicates that the command is run in the background.-L specifies the forwarding policy 8080: 200.200.200.200: 80 200.200.200.1 indicates that port 8080 is enabled locally, then access 200.200.200.1 through 200.200.200.200: 80. Enter the following command in host A: # curl http: // localhost: 8080 to access host C.