How to check the local memory size in Linux
2022-11-08
Test 9
1、Production case for handling a DoS attack: based on the web logs or the network connection count, monitor whether a single IP's concurrent connections or short-term page views reach 100; when they do, call the firewall command to block that IP. Monitoring interval: every 5 minutes. Firewall command: `iptables -A INPUT -s IP -j REJECT`
1) Script that rejects IPs with more than 100 connections

```bash
[root@c7-57]#cat /scripts/check.sh
#!/bin/bash
#
#*******************************************************************************
#Author: hwang
# count established TCP connections per peer IP and save those above 100
ss -tn | awk -F " +|:" '/ESTAB/{ip[$(NF-2)]++}END{for(i in ip)if(ip[i]>100) print i}' >/root/DOS.ip
# insert a REJECT rule for every IP in the list
while read IP;do
  iptables -I INPUT -s "$IP" -j REJECT
done < /root/DOS.ip
```

2) Periodic cron job

```bash
[root@c7-57]#crontab -e
*/5 * * * * /scripts/check.sh
```
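The per-peer counting behind the script above, as an added example that is not code from the original post. It does the same `ss -tn` aggregation in a function so it can be run on captured output, strips the port from the last colon only (so IPv6 peers such as `[2001:db8::1]:3345` are counted rather than mangled by the `-F ":"` split), chooses `ip6tables` for IPv6 addresses, and uses `iptables -C` so that a job running every 5 minutes does not insert a duplicate rule for an IP that is still busy. The `ss` sample is constructed; on a real host `ss -tn | busy_peers 100` replaces the `printf`.

```shell
#!/bin/bash
# Added example, not code from the original post: count ESTAB connections per
# peer IP from `ss -tn`-style output, print peers above a limit, and emit the
# firewall commands for them as a dry run.

# Constructed sample in the layout of `ss -tn` (State Recv-Q Send-Q Local Peer).
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.0.0.8:80         192.0.2.10:51000
ESTAB     0      0      10.0.0.8:80         192.0.2.10:51001
ESTAB     0      0      10.0.0.8:80         192.0.2.10:51002
ESTAB     0      0      10.0.0.8:80         198.51.100.7:40000
ESTAB     0      0      [2001:db8::8]:80    [2001:db8::1]:3344
ESTAB     0      0      [2001:db8::8]:80    [2001:db8::1]:3345
TIME-WAIT 0      0      10.0.0.8:80         203.0.113.9:7000'

# busy_peers LIMIT: read ss output on stdin; print, sorted, every peer IP that
# holds more than LIMIT established connections, one per line.
busy_peers() {
  awk -v limit="$1" '
    $1 == "ESTAB" {
      peer = $NF                    # last column is Peer Address:Port
      sub(/:[0-9]+$/, "", peer)     # drop only the trailing :port, so IPv6 survives
      gsub(/[][]/, "", peer)        # drop the brackets ss puts around IPv6 addresses
      n[peer]++
    }
    END { for (p in n) if (n[p] > limit) print p }
  ' | sort
}

# block_cmds: for each IP on stdin print the firewall command to run. The -C
# probe makes the insert idempotent across cron runs; ip6tables is used for
# IPv6 peers. The commands are printed, not executed, so this is a dry run.
block_cmds() {
  while read -r ip; do
    [ -n "$ip" ] || continue
    case $ip in
      *:*) tool=ip6tables ;;
      *)   tool=iptables ;;
    esac
    printf '%s -C INPUT -s %s -j REJECT 2>/dev/null || %s -I INPUT -s %s -j REJECT\n' \
      "$tool" "$ip" "$tool" "$ip"
  done
}

# Demo on the constructed sample with a limit of 2: only 192.0.2.10 exceeds it.
printf '%s\n' "$SAMPLE_SS" | busy_peers 2 | block_cmds
```

Review the printed commands before piping them into `sh`; the original script's unconditional `-I` adds one more identical rule every five minutes for as long as the IP stays above the limit.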
2、Describe the key exchange process

1. The client initiates a connection request.
2. The server returns its public key together with a session ID (at this step the client obtains the server's public key).
3. The client generates its own key pair.
4. The client XORs its own public key with the session ID to compute a value Res, and encrypts Res with the server's public key.
5. The client sends the encrypted value to the server; the server decrypts it with its private key and obtains Res.
6. The server XORs the decrypted value Res with the session ID to recover the client's public key (at this step the server obtains the client's public key).
7. In the end each side holds three keys: its own public/private key pair and the peer's public key. All subsequent communication is encrypted.
3、The HTTPS communication process

1. The client initiates an HTTPS request: the user enters an https URL in the browser, which connects to port 443 on the server.
2. Server-side configuration: a server that uses HTTPS must have a digital certificate. It can be self-made or requested from an organization; the difference is that a self-issued certificate must be accepted by the client before access can continue, whereas a certificate obtained from a trusted company does not trigger a warning page. This certificate is essentially a public/private key pair.
3. The server sends its certificate to the client: the certificate is essentially the public key, plus a lot of other information such as the issuing authority and the expiry date.
4. The client parses and verifies the server certificate: this work is done by the client's TLS implementation. It first checks whether the public key is valid, e.g. the issuing authority and the expiry date; if anything is wrong, a warning box is shown saying the certificate has a problem. If the certificate checks out, the client generates a random value and encrypts it asymmetrically with the public key from the certificate.
5. The client sends the encrypted information to the server: what is sent is the random value encrypted with the certificate's public key, so that the server obtains the random value; from then on client and server can encrypt and decrypt their traffic with it.
6. The server decrypts the information: the server decrypts the client's message with the server's private key and obtains the random value the client sent.
7. The server encrypts and sends its data: the server encrypts the data symmetrically with the random value and sends it to the client.
8. The client receives and decrypts the data: the client decrypts the server's data with the random value it generated earlier and obtains the plaintext.
4、Create a private CA and request a certificate

Create the private CA

1. Create the files the CA needs

```bash
# generate the certificate index database file
touch /etc/pki/CA/index.txt
# set the serial number of the first certificate to be issued
echo 01 > /etc/pki/CA/serial
```

2. Generate the CA private key

```bash
cd /etc/pki/CA/
(umask 066; openssl genrsa -out private/cakey.pem 2048)
```

3. Generate the CA self-signed certificate

```bash
[root06:33 AMcentos8 /etc/pki/CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:admin@magedu.org
[root06:35 AMcentos8 /etc/pki/CA]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 4 files
```

View the certificate contents:

```bash
[root06:36 AMcentos8 /etc/pki/CA]#openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:cc:95:df:f1:ae:5d:2d:68:09:f8:54:44:6f:44:7b:99:07:da:fd
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = beijing, L = beijing, O = magedu, OU = devops, CN = ca.magedu.org, emailAddress = admin@magedu.org
        Validity
            Not Before: May 22 22:35:09 2021 GMT
            Not After : May 20 22:35:09 2031 GMT
        Subject: C = CN, ST = beijing, L = beijing, O = magedu, OU = devops, CN = ca.magedu.org, emailAddress = admin@magedu.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bb:87:a7:22:a3:d4:6f:b2:29:75:24:89:68:81:
                    a8:18:25:46:29:41:2a:c8:79:0b:56:ef:59:34:25:
                    1e:5f:66:33:64:f4:da:11:c4:89:09:66:85:3b:b0:
                    2a:e9:ff:8c:fe:3f:6b:71:76:72:ad:cd:26:c9:2a:
                    1c:71:a2:66:e9:58:d5:fc:4e:08:d0:8f:be:09:ab:
                    40:dd:3f:ad:97:0a:9e:60:e9:4a:39:66:00:b2:e9:
                    4c:59:6a:c2:a2:c9:5c:db:4c:44:b9:9b:9d:39:60:
                    3a:09:be:04:f7:c2:fd:d4:5e:0d:2f:ab:c8:f7:c5:
                    f4:f0:e6:a0:28:fa:a0:2b:4e:df:60:0c:08:dc:03:
                    cf:68:48:ae:67:cf:4a:fe:6e:b8:fb:e1:cf:5a:f9:
                    f2:46:98:9a:50:ab:3f:20:82:2b:7f:a4:c1:52:72:
                    ad:57:94:7b:2a:bc:bc:01:fc:9f:d4:ce:37:54:e4:
                    7c:cd:65:33:c3:bb:3d:66:ec:cc:43:4d:4f:a8:a1:
                    4a:7d:60:4b:aa:aa:08:27:6c:dd:60:3e:74:3d:c4:
                    38:ca:2f:de:79:14:42:ea:a0:53:7b:65:6a:d7:a5:
                    86:5d:7c:98:b6:d8:be:2d:6a:44:c3:7f:f3:c5:d8:
                    63:a7:f8:bd:32:17:42:10:1f:27:87:e8:7e:db:4c:
                    d5:a3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                43:72:CF:37:BF:F1:14:9F:F5:04:1E:9D:76:AF:79:DF:D9:AF:21:9F
            X509v3 Authority Key Identifier:
                keyid:43:72:CF:37:BF:F1:14:9F:F5:04:1E:9D:76:AF:79:DF:D9:AF:21:9F
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         90:24:30:14:70:80:63:6c:c8:33:5f:31:f6:0d:c1:03:d0:12:
         ce:dc:48:f7:d7:00:97:0d:6d:19:69:b1:2b:55:cc:17:84:08:
         b9:86:42:9c:6c:c5:3f:be:bb:b1:77:ea:f6:36:66:37:18:d0:
         77:a4:76:ad:7d:21:21:b8:18:41:40:56:37:54:bf:ef:e4:27:
         cf:1f:3f:0b:b2:5b:3c:56:c9:4c:47:31:ce:32:bf:51:a9:e1:
         06:47:cc:36:de:4c:5c:53:fd:69:66:35:4b:fb:de:41:8f:f3:
         3d:c1:33:aa:58:22:6c:2f:57:af:41:a7:2b:4f:5d:89:d3:5c:
         65:2f:8c:67:db:02:b4:0a:a8:82:16:81:e3:bc:84:d4:33:1f:
         52:26:a5:c5:40:0d:f7:63:20:8e:34:78:14:17:f9:dc:70:d2:
         3f:c9:48:04:ad:df:84:44:cc:d2:79:d6:57:c4:82:51:82:c8:
         bf:23:89:c0:4d:c5:4a:f0:57:76:d2:8c:1c:54:7e:bf:b0:ee:
         16:df:5f:c7:74:d9:1c:90:19:18:82:b8:9c:37:83:cb:83:eb:
         9a:24:38:11:4d:49:41:40:cf:0d:13:17:b3:a6:87:b1:4b:10:
         71:36:a4:a5:14:8e:12:63:3e:ad:a4:b1:f9:15:79:cb:67:fd:
         ba:bc:a2:80
```

Request and issue a certificate

```bash
# generate a private key for the host that needs the certificate
[root07:39 AMcentos8 /data/app1]#(umask 066;openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................................................................................................................+++++
......................+++++
e is 65537 (0x010001)
# create the user's certificate signing request
[root07:44 AMcentos8 ~]#openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.magedu.com
Email Address []:root@magedu.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root07:52 AMcentos8 ~]#ll /data/app1/
total 8
-rw-r--r-- 1 root root 1045 May 23 07:52 app1.csr   # certificate signing request
-rw------- 1 root root 1679 May 23 07:41 app1.key   # private key
[root07:53 AMcentos8 ~]#
# issue the certificate
[root07:53 AMcentos8 ~]#openssl ca -in /data/app1/app1.csr -out /etc/pki/CA/certs/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 22 23:59:19 2021 GMT
            Not After : Feb 16 23:59:19 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = magedu
            organizationalUnitName    = it
            commonName                = app1.magedu.com
            emailAddress              = root@magedu.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                5E:C2:56:D8:9D:26:85:0D:30:9D:97:5A:CE:00:06:03:A8:AD:BE:84
            X509v3 Authority Key Identifier:
                keyid:1E:5E:E9:D3:92:EC:CC:EF:21:D6:9E:39:B2:3E:B9:CA:74:39:CC:8C
Certificate is to be certified until Feb 16 23:59:19 2024 GMT (1000 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@app1]#tree /etc/pki/CA
/etc/pki/CA
├── cacert.pem
├── certs
│   └── app1.crt
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old
[root@app1]#cp /etc/pki/CA/certs/app1.crt /data/app1/
# app1 now has all three files; this directory can be handed to the user
[root@app1]#ls
app1.crt  app1.csr  app1.key
```
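The private-CA workflow from section 4, and the certificate check a TLS client performs in step 4 of the HTTPS flow in section 3, as an added example that is not code from the original post. It runs the same `openssl genrsa` / `req` / signing steps non-interactively in a scratch directory (`-subj` replaces the prompts), signs the CSR with `openssl x509 -req` instead of `openssl ca` so that no `index.txt`/`serial` database is needed, and then uses `openssl verify` to show that the issued certificate chains to its own CA but is rejected against an unrelated CA. The names `ca.example.test` and `app1.example.test` and the DN fields are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: scratch private CA, one
# issued server certificate, and the chain check a client performs.
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 0; }

# make_ca DIR: CA private key (0600 via umask) and a 10-year self-signed CA
# certificate; the post's steps 2 and 3 with -subj instead of the prompts.
make_ca() {
  dir=$1
  (umask 077; openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$dir/cakey.pem" -days 3650 \
    -subj "/C=CN/ST=beijing/O=example/CN=ca.example.test" \
    -out "$dir/cacert.pem" 2>/dev/null
}

# make_csr DIR NAME: server private key plus certificate signing request,
# the equivalent of the post's app1.key / app1.csr step.
make_csr() {
  dir=$1; name=$2
  (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/$name.key" \
    -subj "/C=CN/ST=beijing/O=example/CN=$name" \
    -out "$dir/$name.csr" 2>/dev/null
}

# sign_csr CADIR CSR OUT: issue a 1000-day certificate from the CSR with the
# CA's key. `openssl x509 -req` signs without the index.txt/serial database
# that `openssl ca` maintains; -CAcreateserial keeps a serial file next to the CA.
sign_csr() {
  openssl x509 -req -in "$2" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
    -CAcreateserial -days 1000 -out "$3" 2>/dev/null
}

# verify_cert CERT CAFILE: exit 0 if CERT chains to CAFILE, non-zero otherwise.
# This is the trust decision behind the browser warning in step 4 of the HTTPS
# flow: a certificate signed by a CA the client does not hold is rejected.
verify_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Demo: build two independent CAs, issue app1's certificate from the first,
# and show that only the issuing CA vouches for it.
ca=$(mktemp -d); other=$(mktemp -d)
make_ca "$ca"; make_ca "$other"
make_csr "$ca" app1.example.test
sign_csr "$ca" "$ca/app1.example.test.csr" "$ca/app1.example.test.crt"
verify_cert "$ca/app1.example.test.crt" "$ca/cacert.pem" && echo "issuing CA: OK"
verify_cert "$ca/app1.example.test.crt" "$other/cacert.pem" || echo "unrelated CA: rejected"
openssl x509 -in "$ca/app1.example.test.crt" -noout -subject -issuer -dates
```

The second `verify_cert` call is the practical point of the post's "self-issued certificate must be accepted by the client" remark: clients only trust `app1.crt` once `cacert.pem` has been distributed to them, so the CA certificate, not the server certificate, is what needs to reach the users' trust stores. Note that `openssl verify` without `-verify_hostname` checks the chain and validity dates only; a client additionally matches the name it connected to against the certificate.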