ispsrv
# Install the packages: DHCP server, BIND 9, and the dig/nslookup tools (dnsutils).
apt install isc-dhcp-server bind9 dnsutils
# --- DHCP ---
# Edit the dhcpd configuration. The subnet block that follows is the CONTENT of
# /etc/dhcp/dhcpd.conf, not a shell command.
vim /etc/dhcp/dhcpd.conf
subnet 81.6.63.0 netmask 255.255.255.0{
range 81.6.63.110 81.6.63.190;
# NOTE(review): the DNS server handed to 81.6.63.0/24 clients is AppSrv's internal
# address; confirm it is routable from this segment, otherwise use ispsrv (81.6.63.100).
option domain-name-servers 192.168.100.100;
option routers 81.6.63.254;
}
# Tell the init script which NIC dhcpd must answer on (leases are only served there).
vim /etc/default/isc-dhcp-server
INTERFACESv4="ens36" # name of the NIC attached to the segment being served
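# --- DNS (BIND 9) confined to a chroot ---
# Run named as the unprivileged "bind" user with its root changed to /var/named, so a
# compromised named only sees the chroot tree.
vim /etc/default/bind9
OPTIONS="-u bind -t /var/named"
# The original note had "system daemon-reload", which is not a command. The reload is
# harmless here (EnvironmentFile is re-read on service start anyway).
systemctl daemon-reload
# Build the chroot tree.
mkdir -p /var/named/{etc,dev,run/named,var/cache/bind}
# Device nodes named needs inside the chroot.
mknod /var/named/dev/null c 1 3
mknod /var/named/dev/random c 1 8
mknod /var/named/dev/urandom c 1 9
chmod 660 /var/named/dev/{null,random,urandom}
# NOTE(review): the nodes above are root:root; named runs as "bind". If it logs
# permission errors on /dev/null or /dev/*random, add: chgrp bind /var/named/dev/{null,random,urandom}
# Move the real configuration into the chroot and leave a symlink at the old path so the
# usual /etc/bind/... paths (including the later "vim /etc/bind/..." steps) keep working.
mv /etc/bind /var/named/etc
ln -s /var/named/etc/bind /etc/bind
chown bind:bind /var/named/etc/bind/rndc.key
chown bind:bind /var/named/run/named
# Writable by group bind: zone cache / slave files and the pid + rndc socket.
chmod 775 /var/named/{var/cache/bind,run/named}
chgrp bind /var/named/{var/cache/bind,run/named}
# AppArmor is enabled by default since Debian 10 "buster". The shipped profile is
# /etc/apparmor.d/usr.sbin.named and it includes local/usr.sbin.named — the original
# note wrote "usr.bin.named", a file nothing includes, so its rules would never apply.
vim /etc/apparmor.d/local/usr.sbin.named
/var/named/etc/bind/** r,
/var/named/dev/** rw,
/var/named/var/** rw,
/var/named/run/** rw,
# Only root.hints / root.key are read from here; read-only is sufficient (the original
# note granted rw, which named does not need).
/var/named/usr/** r,
# Reload the profiles.
systemctl reload apparmor
# Debian 10's stock config references /usr/share/dns (root hints and trust anchor), so
# that directory has to exist inside the chroot as well.
mkdir -p /var/named/usr/share/dns
cp /usr/share/dns/* /var/named/usr/share/dns/
# named inside the chroot cannot reach /dev/log; make rsyslog listen on a socket inside
# the chroot instead. "\$" keeps the literal $ of rsyslog's legacy directive.
echo "\$AddUnixListenSocket /var/named/dev/log" > /etc/rsyslog.d/bind-chroot.conf
# Optional sanity check of the config as named will see it inside the chroot.
named-checkconf -t /var/named /etc/bind/named.conf
# Restart rsyslog first so the log socket exists before named starts.
systemctl restart rsyslog
systemctl restart bind9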
DNS配置
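# Make ispsrv an authoritative (fake) root: any name it does not otherwise know
# resolves to this host. In the stock file the root zone is
#   zone "." { type hint; file "/usr/share/dns/root.hints"; };
# change that stanza to a master zone served from db.root:
vim /etc/bind/named.conf.default-zones
zone "." {
type master;
file "/etc/bind/db.root";
};
# Now write the root zone file. Zone-file comments start with ';' — the original note
# used C-style '//' here, which named rejects as a syntax error.
vim /etc/bind/db.root
;
; BIND data file for the fake root zone "." (every name answers with the ispsrv address)
;
$TTL 604800
@ IN SOA @ none. (   ; '@' is the zone apex ("."); "none." is a placeholder admin mailbox
1 ; Serial - bump it every time this file changes
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS @            ; the apex is its own name server ...
@ IN A 81.6.63.100   ; ... and this A record gives that NS an address
* IN A 81.6.63.100   ; wildcard: every other name resolves to ispsrv itself
# Validate before reloading; a broken zone file would make named refuse the zone.
named-checkzone . /etc/bind/db.root
# Secondary copy of the customer zone, transferred from AppSrv.
vim /etc/bind/named.conf.local
zone "chinaskills.cn" {
type slave;
masters {192.168.100.100;};
# Without "file" the zone lives only in memory and is re-transferred on every start.
file "/var/cache/bind/db.chinaskills.cn";
};
# NOTE(review): the transfer only succeeds if AppSrv's external view permits it
# (allow-transfer { 81.6.63.100; }) and 192.168.100.100 is reachable from this host.
named-checkconf
systemctl restart bind9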
NTP
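# Install the reference NTP server.
apt install ntp
vim /etc/ntp.conf
# Comment out the four public pools: this host is the lab's time source and has no upstream.
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst
# Append the following at the end of the file. ntp.conf comments start with '#'; the
# trailing '//' notes in the original would have been parsed as part of the directive.
server 127.127.1.0 prefer    # the local (undisciplined) clock as time source; prefer it
fudge 127.127.1.0 stratum 5  # advertise stratum 5 so clients accept it
# Let the lab networks synchronise; nomodify stops them from changing the runtime config.
# NOTE(review): consider "nomodify notrap nopeer" here - the shipped Debian
# "restrict default" line already applies kod/notrap/nomodify/nopeer/noquery to everyone else.
restrict 81.6.63.0 mask 255.255.255.0 nomodify
restrict 192.168.0.0 mask 255.255.255.0 nomodify
restrict 192.168.100.0 mask 255.255.255.0 nomodify
service ntp restart
# ntpq -p lists the peers and this host's relation to each; '*' marks the selected source.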
root@debian:~# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*LOCAL(0) .LOCL. 5 l 7 64 7 0.000 0.000 0.000
root@debian:~#
# On the clients (AppSrv and StorageSrv) install ntpdate; ntpd itself is not needed there.
apt install ntpdate
# Add a cron entry. The line below carries a user field ("root"), so it belongs in
# /etc/crontab (above its final '#' line), not in a per-user "crontab -e" table.
# NOTE(review): ntpdate steps the clock and refuses to run while a local ntpd owns
# UDP/123, so do not also install ntp on these hosts.
*/5 * * * * root /usr/sbin/ntpdate 81.6.63.100
# Sync once by hand to confirm the server answers:
root@debian:~# ntpdate 81.6.63.100
17 Jan 09:14:08 ntpdate[3299]: adjust time server 81.6.63.100 offset 0.000251 sec
http://blog.51yip.com/server/1474.html
web部分
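# --- Web: lighttpd with PHP via FastCGI ---
apt install lighttpd php php-cgi
vim /etc/lighttpd/lighttpd.conf
# Add mod_fastcgi to the server.modules list. Use plain ASCII double quotes - the
# original note had full-width quotes (“ ”), which lighttpd rejects - plus the comma.
"mod_fastcgi",
# Below the server.modules block (around line 40) add the FastCGI backend. The socket is
# kept out of world-writable /tmp, where any local user could pre-create the path;
# /run/lighttpd is created for the lighttpd user by the Debian package.
fastcgi.server=(".php" => ((
"bin-path" => "/usr/bin/php-cgi",
"socket" => "/var/run/lighttpd/php.socket"
)))
# Equivalent and less error-prone: enable the packaged snippets instead of hand-editing:
#   lighty-enable-mod fastcgi fastcgi-php
# Optional hardening: server.tag = "lighttpd" hides the version shown in the Server: header.
# Restart (the original note had the typo "lihtppd").
systemctl restart lighttpd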
#更改lighttpd首页
root@debian:~# cat > /var/www/html/index.php << EOF
> <?php
> echo (new \DateTime())->format('Y-m-d H:i:s');
> echo PHP_EOL;
> ?>
> EOF
root@debian:~# cat /var/www/html/index.php
<?php
echo (new \DateTime())->format('Y-m-d H:i:s');
echo PHP_EOL;
?>
root@debian:~#
#测试
root@debian:~# curl -i http://81.6.63.100
HTTP/1.1 200 OK
Content-type: text/html; charset=UTF-8
Content-Length: 20
Date: Mon, 17 Jan 2022 16:40:32 GMT
Server: lighttpd/1.4.53
2022-01-17 09:40:32
root@debian:~# curl -i http://81.6.63.100
HTTP/1.1 200 OK
Content-type: text/html; charset=UTF-8
Content-Length: 20
Date: Mon, 17 Jan 2022 16:40:34 GMT
Server: lighttpd/1.4.53
2022-01-17 09:40:34
root@debian:~#
RouteSrv部分
DHCP RELAY
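# --- RouteSrv: DHCP relay (sshd and fail2ban are configured further down) ---
apt install isc-dhcp-relay openssh-server fail2ban
# /etc/default/isc-dhcp-relay is sourced by the init script, so only '#' comments are
# legal there; the original "//..." note would have run as a stray command and left
# INTERFACES unset.
vim /etc/default/isc-dhcp-relay
SERVERS="192.168.100.100"
INTERFACES="ens36" # NIC facing the clients (the 192.168.0.0/24 segment)
# NOTE(review): dhcrelay only handles the interfaces it is told about; if the DHCP server
# is reached through a different NIC than the clients, list both: INTERFACES="ens36 ens37"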
#dhcp中继状态
root@debian:~# service isc-dhcp-relay status
● isc-dhcp-relay.service - LSB: DHCP relay
Loaded: loaded (/etc/init.d/isc-dhcp-relay; generated)
Active: active (running) since Mon 2022-01-17 09:59:00 MST; 2s ago
Docs: man:systemd-sysv-generator(8)
Process: 3940 ExecStart=/etc/init.d/isc-dhcp-relay start (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 2318)
Memory: 1.8M
CGroup: /system.slice/isc-dhcp-relay.service
└─3945 /usr/sbin/dhcrelay -q -i ens36 192.168.100.100
Jan 17 09:59:00 debian systemd[1]: Starting LSB: DHCP relay...
Jan 17 09:59:00 debian isc-dhcp-relay[3940]: Requesting: ens36 as upstream: Y downstream: Y
Jan 17 09:59:00 debian systemd[1]: Started LSB: DHCP relay.
root@debian:~#
ROUTING路由转发
vim /etc/sysctl.conf
# Uncomment the line below so the kernel forwards packets between interfaces.
# NOTE(review): this turns the host into a router for every interface; pair it with
# firewall rules (nftables/iptables FORWARD policy) so only intended traffic crosses it.
net.ipv4.ip_forward=1
# Apply without a reboot.
sysctl -p
ssh
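vim /etc/ssh/sshd_config
# Add below line 16. AllowUsers is a whitelist - every user not listed is already
# refused - so the original "DenyUsers all" was dropped: "all" is not a keyword, it only
# denies a user literally named "all". sshd_config has no '//' comments either;
# "//只允许user01" would have been read as a second, bogus user pattern.
AllowUsers user01
# Log sshd to its own facility so rsyslog can route it to a dedicated file; VERBOSE also
# records the key fingerprint used for each login.
SyslogFacility LOCAL1
LogLevel VERBOSE
vim /etc/rsyslog.conf
# Add below line 68: everything on facility local1 goes to /var/log/ssh.log.
LOCAL1.* /var/log/ssh.log
# Create the file with the permissions rsyslog uses for its own logs (root:adm 0640);
# a bare "touch" would leave usernames and source addresses world-readable.
touch /var/log/ssh.log
chown root:adm /var/log/ssh.log
chmod 640 /var/log/ssh.log
systemctl restart ssh
# (the original note had the typo "systemcrrl")
systemctl restart rsyslog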
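# fail2ban: ban a source after repeated SSH failures. Overrides go in jail.local -
# jail.conf is replaced on package upgrades.
vim /etc/fail2ban/jail.local
[DEFAULT]
maxretry = 3
findtime = 3m
bantime = 1m
[sshd]
enabled = true
filter = sshd
# NOTE(review): this must equal the Port sshd actually listens on. The ban action only
# blocks this port, so if sshd is still on 22 a "ban" blocks nothing useful.
port = 2021
# Read the dedicated log rsyslog writes for facility LOCAL1 (see the sshd step above).
logpath = /var/log/ssh.log
# Debian's stock [sshd] jail may resolve its backend to systemd (journal), in which
# case logpath is ignored; "auto" makes fail2ban follow the file named above.
backend = auto
systemctl restart fail2ban
# Check with: fail2ban-client status   and   fail2ban-client status sshd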
AppSrv
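# Install everything AppSrv serves. Debian has no binary package literally named
# "dovecot" (apt fails with "Unable to locate package"); install dovecot-core plus the
# protocol daemons the task needs - imapd/pop3d are the usual ones, adjust as required.
apt install bind9 openssh-server isc-dhcp-server apache2 cacti postfix dovecot-core dovecot-imapd dovecot-pop3d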
ssh
创建用户
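# Create the admin account. "-m" creates the home directory (seeded from /etc/skel) with
# the right ownership, replacing the separate mkdir/chown of the original note.
# NOTE(review): UID 400 lies in Debian's system-account range (100-999) and the same
# UID is given to "webuser" further down; two accounts cannot share a UID.
useradd -m -u 400 cskadmin
passwd cskadmin
# task password: ChinaSKill21 - NOTE(review): a shared credential sitting in notes;
# rotate it once the exercise is over.
vim /etc/ssh/sshd_config
Port 19210
# Only the inside client (fixed DHCP address 192.168.0.190, host "cc") may log in.
# Enforce that in sshd itself. Match blocks must be placed at the END of sshd_config,
# after Port and the other global settings.
Match Address *,!192.168.0.190
    DenyUsers *
# The original note relied on TCP wrappers for this. Keep it as belt-and-braces only:
# NOTE(review): Debian's sshd has been built without libwrap for several releases, so
# hosts.deny most likely has no effect here - verify with: ldd /usr/sbin/sshd | grep wrap
vim /etc/hosts.deny
sshd:ALL except 192.168.0.190:deny
systemctl restart ssh
# On the inside client: generate a key pair (accept the defaults) and install the
# public key, then log in with it.
ssh-keygen
ssh-copy-id -p 19210 cskadmin@192.168.100.100
ssh -p 19210 cskadmin@192.168.100.100
# NOTE(review): once key login works, consider "PasswordAuthentication no" in sshd_config.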
dhcp
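# Edit dhcpd's configuration.
vim /etc/dhcp/dhcpd.conf
# Around line 78: a reservation for the inside client (the host sshd later allows).
host cc {
hardware ethernet 00:0C:29:06:DA:CA;
fixed-address 192.168.0.190;
}
# Around line 92. Fixes relative to the original note: "share-network" -> "shared-network",
# range end "192.168.190" -> "192.168.0.190", "doamin-name-servers" -> "domain-name-servers",
# and the second subnet was missing its netmask (dhcpd refuses the file for any of these).
shared-network cc {
subnet 192.168.0.0 netmask 255.255.255.0 {
# NOTE(review): .190 is also the fixed address above; dhcpd is not guaranteed to keep a
# reservation out of a dynamic range, so end the range at .189 unless the task needs .190.
range 192.168.0.110 192.168.0.190;
option routers 192.168.0.254;
option domain-name-servers 192.168.100.100;
}
# The server's own segment: declared (so dhcpd serves on that NIC) but with no pool.
subnet 192.168.100.0 netmask 255.255.255.0 {
}
}
vim /etc/default/isc-dhcp-server
INTERFACESv4="ens36"
systemctl restart isc-dhcp-server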
dns
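# Upstream resolver for everything this server is not authoritative for: ispsrv.
vim /etc/bind/named.conf.options
forwarders {
81.6.63.100;
};
# Once any "view" exists every zone must live inside a view, so the stock default-zones
# include (root hints, localhost, reverse zones) has to be commented out.
vim /etc/bind/named.conf
//include "/etc/bind/named.conf.default-zones";
# Split-horizon DNS: internal clients get RFC1918 answers, everyone else public ones.
vim /etc/bind/named.conf.local
// Clients that count as "internal": both lab segments plus this host.
acl "internal" {
192.168.0.0/16;
localhost;
};
// Evaluated first: queries whose source matches the acl are answered from this view.
view "internal" {
match-clients { internal; };
zone "chinaskills.cn" {
type master;
file "/etc/bind/db.chinaskills.cn";
// Nobody needs to pull the internal zone; refuse transfers outright.
allow-transfer { none; };
};
};
// Everything else (external sources such as ispsrv) falls through to this view.
view "external" {
match-clients { any; };
zone "chinaskills.cn" {
type master;
file "/etc/bind/db.wan.chinaskills.cn";
// Keep the on-disk master file as text (the default; "raw" is unreadable in an editor).
masterfile-format text;
// The original note used allow-update here. That authorises 81.6.63.100 to REWRITE
// the zone via dynamic DNS (nsupdate) - not what a secondary needs. Zone transfers
// (AXFR/IXFR) are governed by allow-transfer.
allow-transfer { 81.6.63.100; };
// Push NOTIFYs to the secondary; with a 604800 s refresh in the SOA it would otherwise
// only notice changes after a week.
also-notify { 81.6.63.100; };
};
};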
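# Internal view of the zone. Zone-file comments start with ';' - the "//#" notes in the
# original are not valid zone-file syntax and would make named reject the file.
vim /etc/bind/db.chinaskills.cn
;
; BIND data file for chinaskills.cn as seen from the internal network
;
$TTL 604800
@ IN SOA chinaskills.cn. root.chinaskills.cn. (
2 ; Serial - increment on every edit
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS appsrv.chinaskills.cn.   ; the zone's name server; every NS target needs an A record
appsrv IN A 192.168.100.100      ; ... which is this one
@ IN MX 5 mail                   ; mail exchanger for the domain, priority 5
www IN A 192.168.100.100
download IN CNAME appsrv         ; alias: download -> appsrv
mail IN A 192.168.100.100        ; an MX target must be an A/AAAA record, never a CNAME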
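# External view of the zone: the public-facing addresses. 81.6.63.254 is presumably the
# RouteSrv external address that is NATed to AppSrv - confirm against the topology.
vim /etc/bind/db.wan.chinaskills.cn
;
; BIND data file for chinaskills.cn as seen from outside (served to ispsrv and other external clients)
;
$TTL 604800
@ IN SOA chinaskills.cn. root.chinaskills.cn. (
2 ; Serial - ispsrv only re-transfers when this number grows, so bump it on every edit
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS appsrv.chinaskills.cn.
appsrv IN A 81.6.63.254
@ IN MX 5 mail
www IN A 81.6.63.254
download IN CNAME appsrv
mail IN A 81.6.63.254
# Validate the configuration and both zone files before restarting; a syntax error would
# otherwise take the resolver down.
named-checkconf
named-checkzone chinaskills.cn /etc/bind/db.chinaskills.cn
named-checkzone chinaskills.cn /etc/bind/db.wan.chinaskills.cn
systemctl restart bind9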
apache2
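# Run Apache's worker processes as a dedicated account instead of www-data.
# -r: system account (no home, no mail spool); nologin: nobody can log in as it.
# NOTE(review): the original note gave webuser -u 400, the UID already used for
# cskadmin above; useradd refuses duplicate UIDs, so one of the two must change and
# the page does not say which one the task fixes.
useradd -r -u 400 -s /usr/sbin/nologin webuser
vim /etc/apache2/envvars
# Lines 16-17:
export APACHE_RUN_USER=webuser
export APACHE_RUN_GROUP=webuser
# Requirement: "at most 50 connections per client address".
vim /etc/apache2/apache2.conf
# NOTE(review): MaxKeepAliveRequests caps how many REQUESTS one persistent connection may
# carry; it does not limit concurrent connections per IP. A real per-address cap needs
# mod_qos (QS_SrvMaxConnPerIP 50), mod_evasive, or a netfilter rule such as
#   iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j REJECT
MaxKeepAliveRequests 50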