SELinux security mechanism, system security
• Security-Enhanced Linux
– Developed under the lead of the NSA (National Security Agency); a set of security enhancements for Linux
– A mandatory access control (MAC) system
– Integrated into and running inside the Linux kernel (2.6 and later)
– RHEL7 ships a preset SELinux protection policy for users, processes, directories and files, together with management tools
• SELinux modes of operation
– enforcing (mandatory enforcement), permissive (lenient)
– disabled (switched off completely)
Switching to disabled (switched off completely) from any other state requires a reboot
• Switching the run mode
– Temporary switch: setenforce 1|0
– Permanent configuration: the /etc/selinux/config file
Virtual Machine Server:
[root@server0 ~]# getenforce
Enforcing
[root@server0 ~]# setenforce 0
[root@server0 ~]# getenforce
Permissive
[root@server0 ~]# vim /etc/selinux/config
SELINUX=permissive
Virtual Machine Desktop:
[root@desktop0 ~]# getenforce
Enforcing
[root@desktop0 ~]# setenforce 0
[root@desktop0 ~]# getenforce
Permissive
[root@desktop0 ~]# vim /etc/selinux/config
SELINUX=permissive
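The two settings above can drift apart: setenforce 0 changes only the running mode, while the file decides what happens at the next boot. The script below is an added example (not from the original notes) that reads the SELINUX= line from a config file and compares it with the running mode; the function names are mine, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): compare the mode SELinux is
# running in with the mode persisted in /etc/selinux/config. "Permissive" at
# runtime while the file says "enforcing" means "setenforce 0" was run and the
# policy is not being enforced until reboot or "setenforce 1".

# Print the SELINUX= value of a config file, ignoring comments and blank lines.
selinux_config_mode() {
    # $1: path to a file in /etc/selinux/config format
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Classify the pair (runtime mode, configured mode) with a one-word verdict.
selinux_drift() {
    # $1: runtime mode as printed by getenforce (Enforcing/Permissive/Disabled)
    # $2: configured mode (enforcing/permissive/disabled)
    runtime=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$runtime:$2" in
        enforcing:enforcing|permissive:permissive|disabled:disabled)
            echo "consistent" ;;
        permissive:enforcing) echo "downgraded-at-runtime" ;;  # setenforce 0 was run
        enforcing:permissive) echo "stricter-than-config" ;;   # relaxes at next boot
        *:disabled|disabled:*) echo "reboot-pending" ;;        # disabled needs a reboot
        *) echo "unknown" ;;
    esac
}

# Constructed sample config in the layout the page edits with vim.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX=permissive   (commented-out lines must be ignored)
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

# On a real host compare getenforce with the file; elsewhere only the sample runs.
if command -v getenforce >/dev/null 2>&1 && [ -r /etc/selinux/config ]; then
    echo "live: $(selinux_drift "$(getenforce)" "$(selinux_config_mode /etc/selinux/config)")"
fi
echo "sample: $(selinux_drift Permissive "$(selinux_config_mode "$SAMPLE_CFG")")"  # -> sample: downgraded-at-runtime
rm -f "$SAMPLE_CFG"
```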
#######################################################
Configure Advanced Connections
Configuring an aggregated connection (also called link aggregation or NIC bonding): team (teaming)
HSRP, Hot Standby Routing Protocol: active router, backup router, virtual router
Team (teaming): active eth1, backup eth2, virtual NIC team0
– Purpose 2: hot standby (activebackup), connection redundancy
Create a new virtual NIC team0; for the config syntax see man teamd.conf (press G to jump to the end and read upward)
nmcli connection add type team autoconnect yes con-name team0 ifname team0 config '{"runner": {"name": "activebackup"}}'
type team: add a NIC of type team
autoconnect yes: bring the connection up automatically at every boot
con-name team0: the NIC configuration file is named team0
ifname team0: the NIC is named team0
config '{"runner": {"name": "activebackup"}}': working mode of team0 (hot standby)
ifconfig | less   # view the team0 NIC information
ls /etc/sysconfig/network-scripts/ifcfg-*
Activating team0
[root@server0 ~]# nmcli connection up team0
[root@server0 ~]# nmcli connection up team0-1
[root@server0 ~]# nmcli connection up team0-2
[root@server0 ~]# ifconfig team0
– To delete and redo:
[root@server0 ~]# nmcli connection delete team0
[root@server0 ~]# nmcli connection delete team0-1
[root@server0 ~]# nmcli connection delete team0-2
6. Command to test team0
[root@server0 ~]# teamdctl team0 state
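teamdctl team0 state tells you which port is active, but with activebackup the thing worth checking is whether the backup link is still up at all. The script below is an added example (not from the original notes): it summarises teamdctl state output and flags a team whose standby has already been lost; the function names are mine and the sample output is constructed (abridged) in the teamdctl state layout.

```shell
#!/bin/sh
# Added example (not from the original notes): read "teamdctl team0 state"
# and report the active port and how many port links are up. With the
# activebackup runner, a backup port whose link is down means the hot
# standby is already gone even though traffic still flows.
# Summarise teamdctl state output from stdin as "<active port> <links up> <ports>".
team_summary() {
    awk '
        /^ports:/   { in_ports = 1; next }
        /^runner:/  { in_ports = 0 }
        # under "ports:", a port name is the only line indented by exactly two spaces
        in_ports && /^  [^ ]/           { total++ }
        in_ports && /link summary: up/  { up++ }
        /active port:/                  { active = $3 }
        END { printf "%s %d %d\n", (active == "" ? "-" : active), up, total }
    '
}

# Verdict for a team: "ok" only when every port link is up.
team_verdict() {
    # $1: a line produced by team_summary, e.g. "eth1 2 2"
    up=$(printf '%s' "$1" | awk '{ print $(NF-1) }')
    total=$(printf '%s' "$1" | awk '{ print $NF }')
    if [ "$total" -eq 0 ]; then echo "no-ports"
    elif [ "$up" -eq "$total" ]; then echo "ok"
    else echo "degraded"
    fi
}

# Constructed, abridged sample in the teamdctl state layout: eth1 active, eth2 link down.
SAMPLE_STATE='setup:
  runner: activebackup
ports:
  eth1
    link watches:
      link summary: up
  eth2
    link watches:
      link summary: down
runner:
  active port: eth1'

# On a real host: teamdctl team0 state | team_summary
summary=$(printf '%s\n' "$SAMPLE_STATE" | team_summary)
echo "$summary -> $(team_verdict "$summary")"   # -> eth1 1 2 -> degraded
```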
#########################################################
To configure a permanent alias:
~/.bashrc: per-user configuration file, applies only to that user; takes effect in a newly opened terminal
/etc/bashrc: global configuration file, applies to all users; takes effect in a newly opened terminal
[root@server0 ~]# vim /root/.bashrc
alias hello='echo hi'
[root@server0 ~]# vim /home/student/.bashrc
alias hi='echo hello'
[root@server0 ~]# vim /etc/bashrc
alias haha='echo xixi'
Open a new terminal and verify as the root user and as the student user respectively
#########################################################
Configuring IPv6 addresses
Role of an IP address: uniquely identifies a network node
IPv4: a 32-bit binary number, conveniently written as 4 decimal numbers separated by dots
IPv6: a 128-bit binary number, conveniently written as 8 groups, each group of 4 hexadecimal digits, separated by colons
Virtual Machine Server:
nmcli connection modify 'System eth0' ipv6.method manual ipv6.addresses 2003:ac18::305/64 connection.autoconnect yes
nmcli connection up 'System eth0'
ifconfig | less
ping6 2003:ac18::305
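The address written above, 2003:ac18::305, is the compressed form of the 8-group notation just described: "::" stands for the run of all-zero groups and leading zeros in each group are dropped. The function below is an added example (not from the original notes) that expands an address back to 8 groups of 4 hex digits, which is the form you need when matching it against what a firewall rule or a log records; it handles "::" in any position but not zone ids or embedded IPv4 forms.

```shell
#!/bin/sh
# Added example (not from the original notes): expand a compressed IPv6
# address into the full 8 groups of 4 hexadecimal digits.

ipv6_expand() {
    # $1: compressed IPv6 address (no zone id, no embedded IPv4 form)
    printf '%s\n' "$1" | awk -F: '{
        n = 0
        for (i = 1; i <= NF; i++) if ($i != "") n++       # explicit groups
        out = ""; filled = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "") {
                # "::" shows up as empty fields; it stands for 8-n zero groups, once
                if (!filled) { for (k = 0; k < 8 - n; k++) out = out "0000:"; filled = 1 }
            } else {
                g = tolower($i)
                while (length(g) < 4) g = "0" g            # left-pad each group
                out = out g ":"
            }
        }
        sub(/:$/, "", out)
        print out
    }'
}

# Network prefix of a /64: the first four expanded groups.
ipv6_prefix64() {
    ipv6_expand "$1" | cut -d: -f1-4
}

ipv6_expand 2003:ac18::305      # -> 2003:ac18:0000:0000:0000:0000:0000:0305
ipv6_prefix64 2003:ac18::305    # -> 2003:ac18:0000:0000
```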
##########################################################
Firewall policy management
Role: let outbound requests through, filter inbound requests
Software firewall / hardware firewall
########################################################
Confirm that the firewall service is running
[root@server0 ~]# systemctl status firewalld
#######################################################
Building a web service
Server side: Server
1. Install software that can provide a web service
[root@server0 ~]# yum -y install httpd
2. Start the httpd service
[root@server0 ~]# systemctl restart httpd
[root@server0 ~]# systemctl enable httpd
3. Test by accessing the service locally
[root@server0 ~]# firefox 127.0.0.1    # a test page is shown
4. Write the web page file; the default location is /var/www/html/index.html
[root@server0 ~]# vim /var/www/html/index.html
<marquee><font color=red>
[root@server0 ~]# firefox 127.0.0.1
Building an FTP service
Server side: Server
1. Install software that provides FTP functionality
[root@server0 ~]# yum -y install vsftpd
2. Start the vsftpd service
[root@server0 ~]# systemctl restart vsftpd
[root@server0 ~]# systemctl enable vsftpd
3. Test by accessing the service locally
[root@server0 ~]# firefox ftp://127.0.0.1    # a directory listing is shown
– Default shared directory: /var/ftp
#########################################################
RHEL7's firewall system
• System service: firewalld
• Management tools: firewall-cmd, firewall-config
• Preset protection rule sets (zones) chosen by where your network is located
– public: only a few services, such as sshd, may reach the local machine
– trusted: allow any access
– block: reject any incoming request    # explicit refusal, a response is sent
– drop: discard any incoming packet     # dropped silently, no response
How the firewall decides:
1. Look at the source IP address of the incoming request; if any zone has a policy naming that source address, the request enters that zone
2. Otherwise the request goes to the default zone (the administrator can change which zone that is)
#########################################################
Virtual Machine Server
firewall-cmd --get-default-zone         # view the default zone
firewall-cmd --zone=public --list-all   # view the zone's rules
Virtual Machine Desktop
ping 172.25.0.11    # can communicate
Virtual Machine Server
firewall-cmd --set-default-zone=block   # change the default zone
firewall-cmd --zone=block --list-all    # view the zone's rules
Virtual Machine Desktop
ping 172.25.0.11    # cannot communicate, but a response comes back
Virtual Machine Server
firewall-cmd --set-default-zone=drop    # change the default zone
firewall-cmd --zone=drop --list-all     # view the zone's rules
Virtual Machine Desktop
ping 172.25.0.11    # cannot communicate, no response
#######################################################
Adding services to a zone
Virtual Machine Server
firewall-cmd --set-default-zone=public  # change the default zone
firewall-cmd --get-default-zone
Virtual Machine Desktop
firefox 172.25.0.11          # cannot access
firefox ftp://172.25.0.11    # cannot access
Virtual Machine Server
firewall-cmd --zone=public --add-service=ftp    # add a service
firewall-cmd --zone=public --add-service=http   # add a service
firewall-cmd --zone=public --list-all
Virtual Machine Desktop
firefox 172.25.0.11          # access succeeds
firefox ftp://172.25.0.11    # access succeeds
#####################################################
Where a configured rule lives
– Runtime (runtime)
– Permanent (permanent)
Virtual Machine server0
firewall-cmd --reload                     # reload all firewall configuration; runtime-only rules are lost
firewall-cmd --zone=public --list-all
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --zone=public --list-all     # a permanent change is not yet active
firewall-cmd --reload
firewall-cmd --zone=public --list-all     # active after the reload
Changing the default zone is permanent by default; do not add --permanent
########################################################
Virtual Machine Server: port forwarding for the local machine
• Port redirection for a local application (5423 -> 80)
– Client requests to port 5423 on the server are automatically mapped to port 80 on the local machine
– For example, visiting the following two addresses shows the same page:
http://172.25.0.11:5423/ ------> http://172.25.0.11:80
Virtual Machine server0
firewall-cmd --set-default-zone=public
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-forward-port=port=5423:proto=tcp:toport=80
firewall-cmd --reload
firewall-cmd --zone=public --list-all
Virtual Machine desktop0
firefox http://172.25.0.11:5423
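Both the runtime/permanent distinction and the port-forward rule are easy to get wrong in the same way: a service or forward-port added without --permanent works until the next reload and then silently disappears, while a --permanent rule does nothing until reloaded. The script below is an added example (not from the original notes, and not part of firewalld) that diffs one field of a zone's runtime list-all output against its permanent counterpart; zone_field and zone_drift are my names, and the two sample outputs are constructed in the single-line list-all layout firewalld uses on RHEL7.

```shell
#!/bin/sh
# Added example (not from the original notes): compare a zone's runtime rules
# with its permanent rules. Anything only in the runtime set disappears at the
# next "firewall-cmd --reload"; anything only in the permanent set is not
# enforced until then.
# Print the items of one list-all field ("services", "forward-ports", ...) read
# from stdin, space-separated on one line.
zone_field() {
    awk -v key="$1:" '$1 == key { for (i = 2; i <= NF; i++) printf "%s ", $i }'
}

# $1: field name, $2: runtime list-all text, $3: permanent list-all text
zone_drift() {
    rt=$(printf '%s\n' "$2" | zone_field "$1")
    pm=$(printf '%s\n' "$3" | zone_field "$1")
    for item in $rt; do
        case " $pm " in *" $item "*) ;; *) echo "runtime-only $item (lost on reload)" ;; esac
    done
    for item in $pm; do
        case " $rt " in *" $item "*) ;; *) echo "permanent-only $item (inactive until reload)" ;; esac
    done
}

# Constructed samples: ftp and the port forward were added without --permanent.
RUNTIME='public (active)
  target: default
  interfaces: eth0
  services: ssh dhcpv6-client http ftp
  ports: 
  forward-ports: port=5423:proto=tcp:toport=80:toaddr=
'
PERMANENT='public
  target: default
  interfaces: eth0
  services: ssh dhcpv6-client http
  ports: 
  forward-ports: 
'
# On a host running firewalld this checks the real default zone (needs root).
if command -v firewall-cmd >/dev/null 2>&1; then
    z=$(firewall-cmd --get-default-zone 2>/dev/null)
    zone_drift services "$(firewall-cmd --zone="$z" --list-all 2>/dev/null)" \
                        "$(firewall-cmd --permanent --zone="$z" --list-all 2>/dev/null)"
fi
zone_drift services "$RUNTIME" "$PERMANENT"       # -> runtime-only ftp (lost on reload)
zone_drift forward-ports "$RUNTIME" "$PERMANENT"  # -> runtime-only port=5423:proto=tcp:toport=80:toaddr= (lost on reload)
```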
SELinux, aggregated links, IPv6, firewall basics