I. Briefly describe the common encryption algorithms and how they work, preferably with diagrams
Key algorithms and protocols
openssl
- consists of three parts
- the encryption/decryption library, libcrypto
- the secure communication library, libssl
- the command-line tool, openssl
Cryptosystems and protocols
Symmetric encryption
- DES, Data Encryption Standard: 64-bit, already broken
- 3DES
- AES, Advanced Encryption Standard: 128, 192, 256, 384-bit
- others: blowfish, twofish, idea, rc6, cast5
- Features:
- Weaknesses:
Public-key encryption
- public key: derived from the private key
- private key: kept by its owner
- characteristic: data encrypted with the public key is decrypted with the paired private key
- uses: digital signatures, identity verification, key exchange, data encryption
- process:
- 1. The sender computes the data's fingerprint with a one-way (hash) function
- 2. The sender encrypts the fingerprint with its own private key and appends it to the data
- 3. The sender generates a temporary symmetric key and encrypts the whole message with it
- 4. The sender obtains the receiver's public key, encrypts the symmetric key with it and appends the result
- 5. The message is sent to the receiver
- 6. The receiver decrypts the symmetric key with its own private key
- 7. The receiver decrypts the data with the symmetric key
- 8. The receiver obtains the sender's public key and decrypts the fingerprint, which confirms the sender's identity
- 9. The receiver recomputes the fingerprint with the same one-way function and compares it, which confirms integrity
- weakness: man-in-the-middle attack
- solution: both parties obtain each other's public key through a CA (certificate authority), which can also revoke certificates
- algorithms: RSA can both sign and encrypt/decrypt; DSA can only sign
One-way encryption (hashing)
- can only encrypt, never decrypt; used to extract a data fingerprint for integrity verification
- fixed-length output, avalanche effect
- algorithms: md5, sha1 (160-bit), sha224, sha256, sha384, sha512
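The nine-step process above (hash, sign, hybrid-encrypt, then decrypt and verify) run end to end with the openssl command-line tool. This is an added example, not code from the original post; the two key pairs, the message and the file names are constructed for the demo, and steps 8 and 9 collapse into one signature check, which is how openssl performs them.

```shell
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
for who in sender receiver; do                    # one 2048-bit RSA pair per party (demo keys)
    openssl genrsa -out $who.key 2048 2>/dev/null
    openssl rsa -in $who.key -pubout -out $who.pub 2>/dev/null
done
printf 'transfer 100 to account 42\n' > msg.txt   # constructed plaintext for the demo

# --- sender ---
# Steps 1-2: SHA-256 fingerprint of the data, signed with the sender's private key;
# the 256-byte RSA-2048 signature is placed in front of the message
openssl dgst -sha256 -sign sender.key -out msg.sig msg.txt
cat msg.sig msg.txt > payload
# Step 3: one-time symmetric key; the whole payload is encrypted with AES-256-CBC
openssl rand -hex 32 > sym.key
openssl enc -aes-256-cbc -pbkdf2 -pass file:sym.key -in payload -out payload.enc
# Step 4: the symmetric key is encrypted to the receiver's public key
openssl pkeyutl -encrypt -pubin -inkey receiver.pub -in sym.key -out sym.key.enc
# Step 5: only payload.enc and sym.key.enc travel; the sender's working files go away
rm -f msg.txt msg.sig payload sym.key

# --- receiver ---
# Step 6: recover the symmetric key with the receiver's private key
openssl pkeyutl -decrypt -inkey receiver.key -in sym.key.enc -out sym.key
# Step 7: decrypt the payload with it and split signature from message
openssl enc -d -aes-256-cbc -pbkdf2 -pass file:sym.key -in payload.enc -out payload
head -c 256 payload > msg.sig
tail -c +257 payload > msg.txt
# Steps 8-9: verifying with the sender's public key both authenticates the sender and
# checks that the fingerprint inside the signature matches the received message
verify_message() {
    openssl dgst -sha256 -verify sender.pub -signature msg.sig msg.txt >/dev/null 2>&1
}
verify_message && echo "sender verified, message intact: $(cat msg.txt)"
```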
Key exchange
II. Set up Apache or Nginx and use a self-signed certificate to provide HTTPS access; the domain name of the self-signed certificate is your own choice
+ 1. The CA server generates its private key
[root@center ~]# cd /etc/pki/CA/
[root@center CA]# (umask 077; openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem)
Generating RSA private key, 1024 bit long modulus
.....................................................................................................++++++
......++++++
e is 65537 (0x10001)
[root@center CA]# ll private/
total 4
-rw------- 1 root root 891 Jul 29 22:54 cakey.pem
+ 2. The CA server generates a self-signed certificate
[root@center CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:GUANGZHOU
Organization Name (eg, company) [Default Company Ltd]:xlc
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.xlc.com
Email Address []:
[root@center CA]# ll
total 4
-rw-r--r-- 1 root root 973 Jul 29 22:57 cacert.pem
drwxr-xr-x. 2 root root 6 Apr 11 12:58 certs
drwxr-xr-x. 2 root root 6 Apr 11 12:58 crl
drwxr-xr-x. 2 root root 6 Apr 11 12:58 newcerts
drwx------. 2 root root 23 Jul 29 22:54 private
+ 3. The CA server creates its bookkeeping directories and files
[root@center CA]# touch index.txt
[root@center CA]# ll
total 8
-rw-r--r-- 1 root root 973 Jul 29 22:57 cacert.pem
drwxr-xr-x. 2 root root 6 Apr 11 12:58 certs
drwxr-xr-x. 2 root root 6 Apr 11 12:58 crl
-rw-r--r-- 1 root root 0 Jul 29 23:00 index.txt
drwxr-xr-x. 2 root root 6 Apr 11 12:58 newcerts
drwx------. 2 root root 23 Jul 29 22:54 private
-rw-r--r-- 1 root root 3 Jul 29 23:00 serial
+ 4. The httpd server creates its private key
[root@web1 httpd]# cd /etc/httpd/
[root@web1 httpd]# mkdir ssl
[root@web1 httpd]# ll
total 0
drwxr-xr-x 2 root root 37 Jul 29 22:16 conf
drwxr-xr-x 2 root root 255 Jul 29 22:46 conf.d
drwxr-xr-x 2 root root 165 Jul 29 22:43 conf.modules.d
lrwxrwxrwx 1 root root 19 Jul 28 11:49 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root 29 Jul 28 11:49 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx 1 root root 10 Jul 28 11:49 run -> /run/httpd
drwxr-xr-x 2 root root 6 Jul 29 23:02 ssl
[root@web1 httpd]# (umask 077; openssl genrsa 1024 > /etc/httpd/ssl/httpd_key.pem)
Generating RSA private key, 1024 bit long modulus
...............++++++
.++++++
e is 65537 (0x10001)
[root@web1 httpd]# ll ssl
total 4
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
+ 5. The httpd server generates a certificate signing request
[root@web1 httpd]# openssl req -new -key /etc/httpd/ssl/httpd_key.pem -out /etc/httpd/ssl/httpd_csr.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GUANGDONG
Locality Name (eg, city) [Default City]:GUANGZHOU
Organization Name (eg, company) [Default Company Ltd]:xlc
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:www.xlc.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@web1 httpd]# ll ssl
total 8
-rw-r--r-- 1 root root 655 Jul 29 23:07 httpd_csr.pem
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
+ 6. The httpd server sends the CSR to the CA host
[root@web1 httpd]# scp -P 37777 ssl/httpd_csr.pem xlc@192.168.1.9:~/
xlc@192.168.1.9's password:
httpd_csr.pem 100% 655 275.9KB/s 00:00
[root@center CA]# mv /home/xlc/httpd_csr.pem /etc/pki/CA/certs/
[root@center CA]# ll /etc/pki/CA/certs/
total 4
-rw-r--r-- 1 xlc xlc 655 Jul 29 23:11 httpd_csr.pem
[root@center CA]# chown root:root /etc/pki/CA/certs/httpd_csr.pem
[root@center CA]# ll /etc/pki/CA/certs/
total 4
-rw-r--r-- 1 root root 655 Jul 29 23:11 httpd_csr.pem
+ 7. The CA host signs the CSR into a certificate (crt)
[root@center CA]# openssl ca -in /etc/pki/CA/certs/httpd_csr.pem -out /etc/pki/CA/certs/httpd_crt.pem -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 29 15:16:20 2018 GMT
Not After : Jul 29 15:16:20 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = GUANGDONG
organizationName = xlc
organizationalUnitName = devops
commonName = www.xlc.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AC:23:F3:AA:82:30:85:DF:33:CB:FB:8B:99:40:FE:97:77:27:35:19
X509v3 Authority Key Identifier:
keyid:1D:46:AF:3A:D4:63:84:11:CC:40:B1:E2:D1:B1:93:C4:3C:6A:6B:B4
Certificate is to be certified until Jul 29 15:16:20 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@center CA]# ll certs/
total 8
-rw-r--r-- 1 root root 3078 Jul 29 23:16 httpd_crt.pem
-rw-r--r-- 1 root root 655 Jul 29 23:11 httpd_csr.pem
+ 8. The CA host issues the signed certificate to the httpd server
[root@center CA]# scp -P 37777 certs/httpd_crt.pem xlc@192.168.1.11:~/
The authenticity of host '[192.168.1.11]:37777 ([192.168.1.11]:37777)' can't be established.
ECDSA key fingerprint is SHA256:wzY0qfeE6RuadsJGxl4+808KAv7mKRR8sbdXEFIYZOc.
ECDSA key fingerprint is MD5:78:f2:b3:f9:e7:4c:1e:5e:06:46:c6:64:35:37:97:a0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.11]:37777' (ECDSA) to the list of known hosts.
xlc@192.168.1.11's password:
httpd_crt.pem 100% 3078 919.8KB/s 00:00
[root@web1 httpd]# mv /home/xlc/httpd_crt.pem ssl/
[root@web1 httpd]# ll ssl/
total 12
-rw-r--r-- 1 xlc xlc 3078 Jul 29 23:19 httpd_crt.pem
-rw-r--r-- 1 root root 655 Jul 29 23:07 httpd_csr.pem
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
[root@web1 httpd]# chown root:root ssl/httpd_crt.pem
[root@web1 httpd]# ll ssl
total 12
-rw-r--r-- 1 root root 3078 Jul 29 23:19 httpd_crt.pem
-rw-r--r-- 1 root root 655 Jul 29 23:07 httpd_csr.pem
-rw------- 1 root root 887 Jul 29 23:03 httpd_key.pem
+ 9. Edit ssl.conf
DocumentRoot "/home/www"
ServerName www.xlc.com:443
DirectoryIndex index.html
<Directory "/home/www">
Options None
AllowOverride None
Require all granted
</Directory>
<location /server-status>
SetHandler server-status
<RequireAll>
Require ip 192.168.1.3
</RequireAll>
</location>
SSLCertificateFile /etc/httpd/ssl/httpd_crt.pem
SSLCertificateKeyFile /etc/httpd/ssl/httpd_key.pem
+ 10. Restart the service
[root@web1 conf.d]# httpd -t
Syntax OK
[root@web1 conf.d]# !sys
systemctl restart httpd.service
[root@web1 conf.d]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 192.168.1.11:37777 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::443 :::*
LISTEN 0 128 :::80 :::*
LISTEN 0 100 ::1:25 :::*
+ 11. Import the CA certificate into the browser
+ Import cacert.pem under Trusted Root Certification Authorities
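Steps 1 to 8 above, run non-interactively in a scratch directory and followed by the checks worth doing before the files are copied into /etc/httpd/ssl. This is an added example, not the original post's session: the names (ca.xlc.com, www.xlc.com, the DN fields) follow the post, the keys are 2048-bit instead of the 1024-bit shown, the minimal ca.cnf replaces /etc/pki/tls/openssl.cnf, and nothing under /etc is touched.

```shell
# Scratch CA directory with the same bookkeeping files as step 3; nothing under /etc is touched
set -e
CA=$(mktemp -d); trap 'rm -rf "$CA"' EXIT
mkdir -p "$CA/private" "$CA/certs" "$CA/newcerts"
touch "$CA/index.txt"; echo 01 > "$CA/serial"
DN="/C=CN/ST=GUANGDONG/L=GUANGZHOU/O=xlc/OU=devops"      # the fields typed at the prompts
# Steps 1-2: CA private key (2048-bit instead of the 1024 shown) and self-signed CA certificate
(umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
openssl req -new -x509 -key "$CA/private/cakey.pem" -out "$CA/cacert.pem" -days 365 \
    -subj "$DN/CN=ca.xlc.com"
# Minimal config for "openssl ca" in place of /etc/pki/tls/openssl.cnf: the policy mirrors
# the distro default (C, ST and O must match the CA; L is dropped, as in the output above),
# the extension section adds the subjectAltName that browsers require
cat > "$CA/ca.cnf" <<EOF
[ ca ]
default_ca = xlc_ca
[ xlc_ca ]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_xlc
x509_extensions = server_ext
[ policy_xlc ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.xlc.com
EOF
# Steps 4-5: web-server key and CSR (-subj replaces the prompts); step 7: the CA signs it
(umask 077; openssl genrsa -out "$CA/httpd_key.pem" 2048 2>/dev/null)
openssl req -new -key "$CA/httpd_key.pem" -out "$CA/certs/httpd_csr.pem" -subj "$DN/CN=www.xlc.com"
openssl ca -batch -config "$CA/ca.cnf" -in "$CA/certs/httpd_csr.pem" \
    -out "$CA/certs/httpd_crt.pem" -days 365 2>/dev/null
# Checks to run before copying the files into /etc/httpd/ssl: the certificate chains to
# cacert.pem, and its public key is the one belonging to httpd_key.pem
verify_chain() { openssl verify -CAfile "$CA/cacert.pem" "$CA/certs/httpd_crt.pem" >/dev/null; }
key_matches_cert() {
    [ "$(openssl x509 -in "$CA/certs/httpd_crt.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$CA/httpd_key.pem" -pubout)" ]
}
verify_chain && key_matches_cert && echo "httpd_crt.pem chains to cacert.pem and matches httpd_key.pem"
```

The same two checks apply unchanged to the real files under /etc/pki/CA and /etc/httpd/ssl once the paths are substituted.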
III. Describe how DNS servers work, and set up a primary-secondary pair
How name resolution works
- the client first looks in the local hosts file
- the client then looks in its local DNS cache
- the client sends the query to the configured ISP DNS server
- the ISP DNS server forwards the request upward recursively
- the ISP DNS server sends the request to a root server
- the root refers the request to the top-level domain server, and the lookup proceeds downward iteratively
- the top-level domain server refers it to the second-level domain server
- the final authoritative server finds the answer and returns it to the ISP DNS
- the ISP DNS caches the answer in its own database and returns the result to the client
Forward and reverse resolution
- name to IP is forward resolution, an A record
- IP to name is reverse resolution, a PTR record
Domain name registrars
Primary and secondary DNS servers
- the primary DNS can be changed at any time
- the secondary DNS synchronises from the primary at any time
- primary and secondary can share the load
- serial number: the database version number, serial
- refresh interval: refresh
- retry interval: retry
- expiry time: expire
- the primary can also notify the secondary to synchronise immediately
- transfer modes: full, incremental
Other concepts
- zone
- domain; has a forward zone and a reverse zone
Zone database file
- resource records: RR
- A: address
- AAAA: IPv6 address
- PTR: reverse resolution
- SOA: start of authority
- NS: name server (name resolution)
- CNAME: canonical name, alias
- MX: mail exchange, preference 0-99; the smaller the number, the lower the priority
Syntax
- name [ttl] IN RR_TYPE value
- the SOA record is mandatory and must be the first record
- the SOA value includes:
- the zone name
- the administrator's e-mail address; @ is not allowed, a dot is used instead
- (serial; refresh; retry; expire; negative-answer ttl), units H, M, W, D
- ttl can be inherited
- names must end with a trailing dot
- @ stands for the zone
- for consecutive records with the same name, the name can be omitted
Configuring the secondary DNS
[root@python ~]# tail -6 /etc/named.rfc1912.zones
zone "xlc.com" IN {
type slave;
file "slaves/xlc.com.zone";
masters { 192.168.1.9; };
};
- Primary server:
- make sure the secondary server has an NS record and an A record
- after a change, increment serial by 1 and reload the configuration
- manual transfer: dig -t axfr <domain>
- keep the clocks in sync with ntpdate
[root@center ~]# cat /var/named/xlc.com.zone
$TTL 3600
$ORIGIN xlc.com.
@ IN SOA ns1.xlc.com. admin.xlc.com. (
20180727
1H
10M
3D
1D
)
IN NS ns1
IN NS ns2
IN MX 10 mx1
IN MX 10 mx2
ns1 IN A 192.168.1.9
ns2 IN A 192.168.1.10
www IN A 192.168.1.9
www IN A 192.168.1.10
web IN CNAME www
mx1 IN A 192.168.1.9
mx2 IN A 192.168.1.10
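A pre-reload check for a zone file written in the syntax described above (SOA first, @ for the zone, trailing dots, omitted names), covering the primary-server checklist: every NS or MX host named in the zone must have an A record, and the serial must be higher than the one currently served. This is an added example in sh and awk, not part of the original post; the zone text is a constructed, shortened copy of the post's xlc.com.zone, check_zone and flatten are names chosen here, and the optional ttl column is assumed unused.

```shell
set -e
ZONE=$(mktemp); trap 'rm -f "$ZONE"' EXIT
cat > "$ZONE" <<'EOF'                  # constructed, shortened copy of the post's xlc.com.zone
$TTL 3600
$ORIGIN xlc.com.
@ IN SOA ns1.xlc.com. admin.xlc.com. (
        20180727 ; serial
        1H       ; refresh
        10M      ; retry
        3D       ; expire
        1D )     ; negative answer ttl
   IN NS ns1
   IN NS ns2
   IN MX 10 mx1
ns1 IN A 192.168.1.9
ns2 IN A 192.168.1.10
mx1 IN A 192.168.1.9
web IN CNAME www
www IN A 192.168.1.9
EOF
# One "owner type value" line per record: comments stripped, the SOA's "( ... )" joined, an
# omitted owner (line starting with IN) inherits the previous one, unqualified names get $ORIGIN
flatten() {
    awk 'function fq(n) { return n == "@" ? origin : (n ~ /\.$/ ? n : n "." origin) }
    /^\$ORIGIN/ { origin = $2; next }
    /^\$TTL/ { next }
    { sub(/;.*/, ""); buf = buf " " $0 }
    buf ~ /\(/ && buf !~ /\)/ { next }
    { gsub(/[()]/, " ", buf); $0 = buf; buf = ""
      if (NF == 0) next
      if ($1 != "IN") owner = $1
      for (i = 1; i <= NF && $i != "IN"; i++) {}
      t = $(i+1); v = $(i+2)
      if (t == "SOA") v = $(i+4); if (t == "MX") v = $(i+3)   # serial / exchange host
      if (t ~ /^(NS|CNAME|MX)$/) v = fq(v)
      print fq(owner), t, v }' "$1"
}
# check_zone FILE OLD_SERIAL: SOA first, serial above OLD_SERIAL, every NS/MX host has an A record
check_zone() {
    flat=$(flatten "$1"); old=$2
    set -- $(printf '%s\n' "$flat" | head -n 1)          # owner, type, serial of record 1
    [ "$2" = SOA ] || { echo "SOA must be the first record"; return 1; }
    [ "$3" -gt "$old" ] || { echo "serial $3 is not above $old"; return 1; }
    for host in $(printf '%s\n' "$flat" | awk '$2 == "NS" || $2 == "MX" { print $3 }'); do
        printf '%s\n' "$flat" | grep -q "^$host A " || { echo "$host has no A record"; return 1; }
    done
}
check_zone "$ZONE" 20180726 && echo "zone file passes, serial $(flatten "$ZONE" | awk 'NR == 1 { print $3 }')"
```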
IV. Set up and implement intelligent (view-based) DNS
view "internal" {
match-clients { 10.0.0.0/25; };
zone "" {
type
file
};
};