This is the fourth post on the 2018 national competition (国赛); it shares the techniques involved and how they were implemented. If anything is inaccurate or could be improved, please contact the author.
Contact: WeChat (VX) Yvresse_ai
Environment:
Cloud platform: RG-JCOS; operating system: CentOS 7
Sample Paper D service network topology:
Sample Paper D system topology:
NIC information for A:
NIC information and hostname for B:
[root@b ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:4f:bd:ff brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.33/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 86299sec preferred_lft 86299sec
    inet6 fe80::f816:3eff:fe4f:bdff/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:20:e3:ef brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.33/24 brd 192.168.2.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fe20:e3ef/64 scope link
       valid_lft forever preferred_lft forever
From the topology above, A involves a CA, which in turn calls for an AD domain, so the AD domain should be installed before the rest of the topology is implemented.
Installing the AD domain:
The environment is now ready.
Requirements for the mirrored volume on A:
1: Create a new mirrored volume using all available space
2: Drive letter D
Requirements for the LVM physical volume on B:
1: Volume group name datastore, PE size 16M
2: Logical volume ftp_data in volume group datastore, 10G in size
3: Format as XFS and mount automatically via UUID
Configure a local YUM repository:
Create the local mount point and the backup directory:
[root@b ~]# mkdir /mnt/cdrom
[root@b ~]# mkdir /opt/copy
Mount the ISO image at the local mount point:
[root@b ~]# mount /root/CentOS-7-x86_64-DVD-1511.iso /mnt/cdrom/
mount: /dev/loop0 写保护,将以只读方式挂载
Back up the existing YUM repo files and create the local repo configuration:
[root@b ~]# mv /etc/yum.repos.d/* /opt/copy/
[root@b ~]# vim /etc/yum.repos.d/dvd.repo
[dvd]
name=dvd
baseurl=file:///mnt/cdrom
Test:
[root@b ~]# yum repolist
已加载插件:fastestmirror
dvd | 3.6 kB 00:00:00
(1/2): dvd/group_gz | 155 kB 00:00:00
(2/2): dvd/primary_db | 2.8 MB 00:00:00
Determining fastest mirrors
源标识 源名称 状态
dvd dvd 3,723
repolist: 3,723
Check the cloud disk:
[root@b ~]# fdisk -l |grep vdb
磁盘 /dev/vdb:16.1 GB, 16106127360 字节,31457280 个扇区
Create a partition:
[root@b ~]# fdisk /dev/vdb
欢迎使用 fdisk (util-linux 2.23.2)。

更改将停留在内存中,直到您决定将更改写入磁盘。
使用写入命令前请三思。

Device does not contain a recognized partition table
使用磁盘标识符 0x1d7f54d1 创建新的 DOS 磁盘标签。

命令(输入 m 获取帮助):n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
分区号 (1-4,默认 1):
起始 扇区 (2048-31457279,默认为 2048):
将使用默认值 2048
Last 扇区, +扇区 or +size{K,M,G} (2048-31457279,默认为 31457279):
将使用默认值 31457279
分区 1 已设置为 Linux 类型,大小设为 15 GiB

命令(输入 m 获取帮助):w
The partition table has been altered!

Calling ioctl() to re-read partition table.
正在同步磁盘。
Initialize it as a physical volume:
[root@b ~]# pvcreate /dev/vdb1
Physical volume "/dev/vdb1" successfully created
Create the volume group (PE size 16M):
[root@b ~]# vgcreate -s 16M datastore /dev/vdb1
Volume group "datastore" successfully created
Create the logical volume:
[root@b ~]# lvcreate -L 10G datastore -n web_data
Logical volume "web_data" created.
Format it as XFS:
[root@b ~]# mkfs.xfs /dev/datastore/web_data
meta-data=/dev/datastore/web_data isize=256    agcount=4, agsize=655360 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0
data     =                       bsize=4096   blocks=2621440, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal log           bsize=4096   blocks=2560, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
Look up the UUID:
[root@b ~]# blkid |grep web
/dev/mapper/datastore-web_data: UUID="7a6e09bf-8fe7-4f66-86f6-5cdd82ffb380" TYPE="xfs"
Set up automatic mounting by adding the UUID entry to /etc/fstab:
[root@b ~]# vim /etc/fstab
#
# /etc/fstab
# Created by anaconda on Thu Sep 22 17:50:17 2016
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root / xfs defaults 0 0
UUID=41f7a291-c7de-4694-a5ee-1e6313ff9f44 /boot xfs defaults 0 0
/dev/mapper/centos-swap swap swap defaults 0 0
UUID=7a6e09bf-8fe7-4f66-86f6-5cdd82ffb380 /data/web_data xfs defaults 0 0
Create the mount point and mount the volume:
[root@b ~]# mkdir -p /data/web_data
[root@b ~]# mount /dev/mapper/datastore-web_data /data/web_data/
[root@b ~]# mount |grep web
/dev/mapper/datastore-web_data on /data/web_data type xfs (rw,relatime,attr2,inode64,noquota)
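A check worth running before the reboot that exercises the new fstab entry, added here as an example and not part of the original post: it extracts every UUID= entry from an fstab and confirms that blkid actually reports that UUID, since a mistyped or stale UUID in /etc/fstab drops CentOS into emergency mode at boot. The fstab and blkid text in the script are constructed samples modelled on the output above; on a live host pass "$(cat /etc/fstab)" and "$(blkid)" instead.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that every UUID= entry in
# an fstab is a UUID that blkid actually reports, before the reboot that would
# otherwise land in emergency mode. Inputs are passed as text so the functions
# can run against the constructed samples below or against a live host with:
#   check_fstab_uuids "$(cat /etc/fstab)" "$(blkid)"

# Constructed sample fstab, modelled on the one edited above.
SAMPLE_FSTAB='#
# /etc/fstab (constructed sample)
/dev/mapper/centos-root / xfs defaults 0 0
UUID=41f7a291-c7de-4694-a5ee-1e6313ff9f44 /boot xfs defaults 0 0
/dev/mapper/centos-swap swap swap defaults 0 0
UUID=7a6e09bf-8fe7-4f66-86f6-5cdd82ffb380 /data/web_data xfs defaults 0 0'

# Same fstab with the last character of the web_data UUID mistyped (constructed).
SAMPLE_FSTAB_BAD=$(printf '%s\n' "$SAMPLE_FSTAB" | sed 's/5cdd82ffb380/5cdd82ffb381/')

# Constructed blkid output for the same host (the root UUID is made up).
SAMPLE_BLKID='/dev/vda1: UUID="41f7a291-c7de-4694-a5ee-1e6313ff9f44" TYPE="xfs"
/dev/mapper/centos-root: UUID="0d2f9c5e-1111-4b2b-9c1d-000000000001" TYPE="xfs"
/dev/mapper/datastore-web_data: UUID="7a6e09bf-8fe7-4f66-86f6-5cdd82ffb380" TYPE="xfs"'

# Print the UUIDs referenced by an fstab, one per line (comment lines and
# device-path entries are skipped because their first field is not UUID=...).
fstab_uuids() {
    printf '%s\n' "$1" | awk '$1 ~ /^UUID=/ { sub(/^UUID=/, "", $1); print $1 }'
}

# Print the UUIDs present in blkid output, one per line. The space before UUID
# in the pattern keeps PARTUUID="..." from being picked up.
blkid_uuids() {
    printf '%s\n' "$1" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# Return 0 when every fstab UUID exists according to blkid; otherwise print
# each missing UUID as "MISSING: <uuid>" and return 1.
check_fstab_uuids() {
    fstab_text=$1
    blkid_text=$2
    rc=0
    for u in $(fstab_uuids "$fstab_text"); do
        if ! blkid_uuids "$blkid_text" | grep -qx "$u"; then
            echo "MISSING: $u"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed samples.
check_fstab_uuids "$SAMPLE_FSTAB" "$SAMPLE_BLKID" && echo "all fstab UUIDs present"
```

The same idea can be exercised non-destructively on the real host with `mount -a` after editing fstab: it mounts every entry that is not yet mounted and reports any entry that cannot be found, which is exactly what the boot would otherwise fail on.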
Requirements for the DNS server on B:
1: Resolve ftp.rj.com to A
2: Resolve www.rj.com to B
3: Set up reverse resolution for www.rj.com and ftp.rj.com
4: Allow host B to perform zone transfers at 192.168.2.22
5: B acts as the secondary DNS server for A
Install bind on B and test that it starts:
[root@b ~]# yum install bind* -y > /dev/null
[root@b ~]# systemctl restart named
Back up the configuration file:
[root@b ~]# cp /etc/named.conf /opt/copy/
Modify the configuration file according to the requirements (listen on all addresses, answer queries from anywhere, and restrict zone transfers to 192.168.2.22):
[root@b ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "rj.com" {
        type master;
        file "rj.com.zone";
        allow-transfer { 192.168.2.22; };
};
zone "0.16.172.in-addr.arpa" {
        type master;
        file "0.16.172.in-addr.arpa.zone";
        allow-transfer { 192.168.2.22; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Copy the zone file template and configure the forward and reverse zones:
[root@b ~]# cp /var/named/named.localhost /var/named/rj.com.zone
[root@b ~]# cp /var/named/named.localhost /var/named/0.16.172.in-addr.arpa.zone
rj.com.zone:
$TTL 1D
@       IN SOA  rj.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   a
        IN NS   b
; a is the Windows host A (172.16.0.137) and b this server (172.16.0.138);
; the addresses must match the PTR records in the reverse zone below
a       IN A    172.16.0.137
b       IN A    172.16.0.138
www     IN A    172.16.0.138
ftp     IN A    172.16.0.137
0.16.172.in-addr.arpa.zone:
$TTL 1D
@       IN SOA  0.16.172.in-addr.arpa. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   a.rj.com.
        IN NS   b.rj.com.
138     IN PTR  b.rj.com.
137     IN PTR  a.rj.com.
138     IN PTR  www.rj.com.
137     IN PTR  ftp.rj.com.
Change the owner of the zone files so named can read them:
[root@b ~]# chown named /var/named/rj.com.zone
[root@b ~]# chown named /var/named/0.16.172.in-addr.arpa.zone
Restart the service and test:
[root@b ~]# systemctl restart named
[root@b ~]# nslookup www.rj.com
Server:         172.16.0.138
Address:        172.16.0.138#53

Name:   www.rj.com
Address: 172.16.0.138
[root@b ~]# nslookup 172.16.0.138
Server:         172.16.0.138
Address:        172.16.0.138#53

138.0.16.172.in-addr.arpa       name = b.rj.com.
138.0.16.172.in-addr.arpa       name = www.rj.com.
Configure the secondary DNS server on A:
Test the secondary DNS server:
[root@b ~]# nslookup www.rj.com
Server:         172.16.0.137
Address:        172.16.0.137#53

Name:   www.rj.com
Address: 172.16.0.138
[root@b ~]# nslookup ftp.rj.com
Server:         172.16.0.137
Address:        172.16.0.137#53

Name:   ftp.rj.com
Address: 172.16.0.137
[root@b ~]# nslookup 172.16.0.137
Server:         172.16.0.137
Address:        172.16.0.137#53

137.0.16.172.in-addr.arpa       name = ftp.rj.com.
137.0.16.172.in-addr.arpa       name = a.rj.com.
[root@b ~]# nslookup 172.16.0.138
Server:         172.16.0.137
Address:        172.16.0.137#53

138.0.16.172.in-addr.arpa       name = b.rj.com.
138.0.16.172.in-addr.arpa       name = www.rj.com.
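Because the forward zone and the in-addr.arpa zone are edited by hand, it is easy for an A record and its PTR to drift apart (the addresses of a and b swapped in one file but not the other, for instance), which later shows up as failed reverse-lookup checks in sshd, mail servers or log correlation. The script below is an added example, not part of the original post: it parses the two zone files (constructed samples in the layout used above, with the zone origins passed in as the parameters FWD_ORIGIN and REV_ORIGIN, names chosen for this example) and reports every A record without a matching PTR and every PTR without a matching A record.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a BIND forward zone
# against its reverse (in-addr.arpa) zone. Every A record must have a PTR that
# maps the same address back to the same name, and every PTR must have a
# matching A record; mismatches are printed and the check returns 1.

FWD_ORIGIN="rj.com"                   # origin of the forward zone
REV_ORIGIN="0.16.172.in-addr.arpa"    # origin of the reverse zone (172.16.0.0/24)

# Constructed forward zone in the layout used on this page (a = host A, b = host B).
FWD_ZONE='$TTL 1D
@   IN SOA rj.com. rname.invalid. ( 0 1D 1H 1W 3H )
    IN NS a
    IN NS b
a   IN A 172.16.0.137
b   IN A 172.16.0.138
www IN A 172.16.0.138
ftp IN A 172.16.0.137'

# Same zone with the addresses of a and b accidentally swapped (constructed).
FWD_ZONE_SWAPPED=$(printf '%s\n' "$FWD_ZONE" \
    | sed -e 's/^a   IN A 172.16.0.137/a   IN A 172.16.0.138/' \
          -e 's/^b   IN A 172.16.0.138/b   IN A 172.16.0.137/')

# Constructed reverse zone that agrees with FWD_ZONE.
REV_ZONE='$TTL 1D
@   IN SOA 0.16.172.in-addr.arpa. rname.invalid. ( 0 1D 1H 1W 3H )
    IN NS a.rj.com.
    IN NS b.rj.com.
138 IN PTR b.rj.com.
137 IN PTR a.rj.com.
138 IN PTR www.rj.com.
137 IN PTR ftp.rj.com.'

# Print "fqdn address" for each A record in zone text $1 with origin $2.
# The owner name is tracked so records that inherit the previous owner (lines
# starting with whitespace) work; relative names get the origin appended.
a_records() {
    printf '%s\n' "$1" | awk -v origin="$2" '
        { if ($0 ~ /^[ \t]/) owner = last; else { owner = $1; last = $1 } }
        $0 ~ / IN[ \t]+A[ \t]/ && owner !~ /^[;$]/ {
            name = owner
            if (name == "@") name = origin
            else if (name ~ /\.$/) sub(/\.$/, "", name)
            else name = name "." origin
            for (i = 1; i <= NF; i++) if ($i == "A") { print name, $(i + 1); break }
        }'
}

# Print "fqdn address" for each PTR record in zone text $1 with origin $2,
# rebuilding the IPv4 address from the reversed octets of the origin.
ptr_records() {
    printf '%s\n' "$1" | awk -v origin="$2" '
        { if ($0 ~ /^[ \t]/) owner = last; else { owner = $1; last = $1 } }
        $0 ~ / IN[ \t]+PTR[ \t]/ && owner !~ /^[;$]/ {
            n = split(origin, o, ".")          # o[1..n-2] are the reversed octets
            ip = ""
            for (i = n - 2; i >= 1; i--) ip = ip o[i] "."
            for (i = 1; i <= NF; i++) if ($i == "PTR") { target = $(i + 1); break }
            sub(/\.$/, "", target)
            print target, ip owner
        }'
}

# Compare the two record sets; print each one-sided entry and return 1 if any.
check_zones() {
    fwd=$(a_records "$1" "$2")
    rev=$(ptr_records "$3" "$4")
    problems=$(awk -v fwd="$fwd" -v rev="$rev" 'BEGIN {
        nf = split(fwd, f, "\n"); nr = split(rev, r, "\n")
        for (i = 1; i <= nf; i++) inA[f[i]] = 1
        for (i = 1; i <= nr; i++) inPTR[r[i]] = 1
        for (k in inA) if (!(k in inPTR)) print "A record without PTR: " k
        for (k in inPTR) if (!(k in inA)) print "PTR without A record: " k
    }')
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

check_zones "$FWD_ZONE" "$FWD_ORIGIN" "$REV_ZONE" "$REV_ORIGIN" && echo "forward and reverse zones agree"
```

Run it against the real files with `check_zones "$(cat /var/named/rj.com.zone)" rj.com "$(cat /var/named/0.16.172.in-addr.arpa.zone)" 0.16.172.in-addr.arpa` after each edit and before bumping the serial; the swapped sample produces four mismatch lines, two for each direction.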
Requirements for the FTP site on A:
1: Site name rjftp, physical path D:\ftpdata
2: Allow anonymous users and the regular user tom to log in; anonymous users have read-only access to the home directory, tom has read and write access to it; uploading files with the exe extension is forbidden
3: Set the maximum number of FTP client connections to 100, the idle timeout to 5 minutes, and the data connection timeout to 1 minute.
Install IIS Manager and the FTP components on A:
Verify from B:
[root@b ~]# ftp ftp.rj.com
Connected to ftp.rj.com (172.16.0.137).
220 Microsoft FTP Service
Name (ftp.rj.com:root): tom
331 Password required for tom.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
227 Entering Passive Mode (172,16,0,137,237,3).
125 Data connection already open; Transfer starting.
04-25-19 09:55PM <DIR> 11.txt
04-25-19 09:54PM <DIR> ceshi
226 Transfer complete.
ftp>
Requirements for the CA certificate server on A:
1: Provide web enrollment, accept CSRs (certificate signing request files) and issue certificates
2: Cryptographic service provider "RSA#Microsoft Software Key Storage Provider", key length "2048"
3: Hash algorithm for the issued signing certificate: "SHA256"
4: CA certificate name: ca.rj.com
5: Provide a certificate for the web service on cloud host B; name the issued certificate httpd.crt
Install the CA certificate server:
Generate the certificate signing request on B:
[root@b ~]# openssl genrsa -des3 -out www.rj.com.pem 1024
[root@b ~]# openssl rsa -in www.rj.com.pem -out www.rj.com.key
[root@b ~]# openssl req -new -key www.rj.com.pem -out www.rj.com.csr
Upload the CSR to A over FTP:
[root@b ~]# ftp ftp.rj.com
Connected to ftp.rj.com (172.16.0.137).
220 Microsoft FTP Service
Name (ftp.rj.com:root): tom
331 Password required for tom.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
227 Entering Passive Mode (172,16,0,137,194,46).
125 Data connection already open; Transfer starting.
04-25-19 09:55PM <DIR> 11.txt
04-25-19 11:07PM <DIR> ceshi
04-25-19 11:06PM 638 www.rj.com.csr
04-25-19 10:55PM 981 www.rj.com.key
226 Transfer complete.
ftp>
A issues the certificate from the CSR through web enrollment at http://localhost/certsrv
B fetches the issued certificate over FTP:
ftp> cd ceshi
250 CWD command successful.
ftp> ls
227 Entering Passive Mode (172,16,0,137,194,153).
125 Data connection already open; Transfer starting.
04-25-19 11:07PM 1682 certnew.cer
226 Transfer complete.
ftp> get certnew.cer
Install httpd and test that it starts:
[root@b ~]# yum install http* -y > /dev/null
[root@b ~]# systemctl restart httpd
[root@b ~]# systemctl enable httpd
Back up the configuration file and point the include at the virtual host file:
[root@b ~]# cp /etc/httpd/conf/httpd.conf /opt/copy/
[root@b ~]# vim /etc/httpd/conf/httpd.conf
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults if commented: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
EnableSendfile on

# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/virtualhost.conf
Configure the virtual host file (one plain HTTP host on port 80 and one TLS host on port 443 for www.rj.com):
[root@b ~]# vim /etc/httpd/conf.d/virtualhost.conf
<VirtualHost *:80>
    ServerName www.rj.com
    DocumentRoot "/data/web_data"
    <Directory "/data/web_data">
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName www.rj.com
    DocumentRoot "/data/web_data"
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/http.crt
    SSLCertificateKeyFile /etc/httpd/ssl/http.key
    <Directory "/data/web_data">
        Require all granted
    </Directory>
</VirtualHost>
Convert the certificate obtained from the Windows CA into a .crt file:
[root@b ~]# openssl x509 -inform PEM -in certnew.cer -out certnew.crt
Create /etc/httpd/ssl and copy the key and certificate there under the names the virtual host expects:
[root@b ~]# mkdir -p /etc/httpd/ssl
[root@b ~]# cp www.rj.com.key /etc/httpd/ssl/http.key
[root@b ~]# cp certnew.crt /etc/httpd/ssl/http.crt
Test-start httpd (the SSL* directives in the virtual host need the mod_ssl package, which the http* glob above does not install; add it with yum install mod_ssl -y):
[root@b ~]# systemctl restart httpd
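Before the restart it is worth checking the virtual host file and the private key's permissions, since cp leaves the copied key with the default 0644 mode, readable by every local user. The script below is an added example rather than code from the original post; it works on constructed sample text in the layout of the virtual host file above, and the helper names check_tls_vhost, key_perms_ok and demo_key_perms are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the httpd virtual
# host file and the private key's permissions before restarting httpd.
# The helper names below are this example's own, not httpd's.

# Constructed sample in the layout of /etc/httpd/conf.d/virtualhost.conf above.
SAMPLE_CONF='<VirtualHost *:80>
    ServerName www.rj.com
    DocumentRoot "/data/web_data"
</VirtualHost>
<VirtualHost *:443>
    ServerName www.rj.com
    DocumentRoot "/data/web_data"
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/http.crt
    SSLCertificateKeyFile /etc/httpd/ssl/http.key
</VirtualHost>'

# Same file with the key directive left out (constructed failure case).
SAMPLE_CONF_NOKEY=$(printf '%s\n' "$SAMPLE_CONF" | grep -v SSLCertificateKeyFile)

# Print the directives inside the <VirtualHost *:443> block(s) of config text $1,
# with the directive name lower-cased (httpd treats directive names case-insensitively).
tls_vhost_directives() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /^[ \t]*<virtualhost[^>]*:443>/ { inblock = 1; next }
        tolower($0) ~ /^[ \t]*<\/virtualhost>/       { inblock = 0 }
        inblock { $1 = tolower($1); print }'
}

# Return 0 when the :443 block enables SSL and names both a certificate and a
# key file; print what is missing and return 1 otherwise.
check_tls_vhost() {
    directives=$(tls_vhost_directives "$1")
    rc=0
    printf '%s\n' "$directives" | grep -qi '^sslengine on$' \
        || { echo "SSLEngine on missing"; rc=1; }
    printf '%s\n' "$directives" | grep -q '^sslcertificatefile ' \
        || { echo "SSLCertificateFile missing"; rc=1; }
    printf '%s\n' "$directives" | grep -q '^sslcertificatekeyfile ' \
        || { echo "SSLCertificateKeyFile missing"; rc=1; }
    return $rc
}

# Return 0 when file $1 exists and has neither the group nor the other read bit
# set (-perm -040 and -perm -004 are the POSIX octal forms of g+r and o+r).
key_perms_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Demo: a placeholder key file with the 0644 mode that plain cp leaves behind
# is flagged; after chmod 600 it passes. Prints "exposed ok".
demo_key_perms() {
    tmp=$(mktemp -d)
    printf 'placeholder, not a real key\n' > "$tmp/http.key"
    chmod 644 "$tmp/http.key"
    before=$(key_perms_ok "$tmp/http.key" && echo ok || echo exposed)
    chmod 600 "$tmp/http.key"
    after=$(key_perms_ok "$tmp/http.key" && echo ok || echo exposed)
    rm -rf "$tmp"
    echo "$before $after"
}

check_tls_vhost "$SAMPLE_CONF" && echo "virtual host OK"
demo_key_perms
```

On the real host the two calls are `check_tls_vhost "$(cat /etc/httpd/conf.d/virtualhost.conf)"` and `key_perms_ok /etc/httpd/ssl/http.key`; a `chmod 600 /etc/httpd/ssl/http.key` after the cp above fixes the second one, and httpd (which reads the key as root at startup) does not need wider access.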
Test:
This concludes Paper D of the national competition; please contact the author with any questions.