1
vmnet8
dns1 168.126.63.1
# Package setup for the lab: DNS server (bind), web server (httpd), the
# openssl CLI for the certificate steps, and mod_ssl so httpd can do TLS.
yum install net-tools -y
# 'bind*' / 'httpd*' are unquoted globs: if no file in the current directory
# matches, they reach yum as package patterns and install every matching
# package (docs, -devel, utils...), not just bind and httpd.
yum install bind* -y
# The three installs below have no -y, so yum stops for confirmation.
yum install httpd*
yum install openssl
yum install mod_ssl
dns1 192.168.10.10
vi /etc/named.conf //dns 옵션
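// Listen for DNS on every address of the box, not only loopback.
listen-on port 53 { any; };
// Answer queries from any client. With recursion left at its default (on),
// anyone who can reach port 53 can use this as an open resolver; acceptable
// on the isolated lab network, otherwise restrict to the local subnets.
// (The original notes read "allow-quety", which named rejects as an
// unknown option.)
allow-query { any; };
// DNSSEC signing and validation are both turned off for the lab, so answers
// from upstream are accepted unverified; outside a lab leave validation on.
// Newer BIND releases have dropped the dnssec-enable option altogether.
dnssec-enable no;
dnssec-validation no;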
vi /etc/named.rfc1912.zones #존파일 타입이라던가 파일 정의 주영역
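zone "sevas10.com" IN {
    // This server holds the authoritative (primary) copy of the zone.
    type master;
    // Zone data file, relative to named's working directory (/var/named).
    // The notes were missing the ';' here and on allow-update below;
    // named-checkconf refuses the file without them.
    file "sevas10.zone";
    // No dynamic updates are accepted.
    allow-update { none; };
    // Full zone transfers (AXFR) only to the secondary at 192.168.10.20.
    // BIND's traditional default allows transfers to any host, which hands
    // the whole zone to whoever asks.
    allow-transfer { 192.168.10.20; };
};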
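# Zone files go in the directory named reads them from (/var/named here).
cd /var/named
# Start from the stock empty zone so the SOA timer fields and the NS/A
# records are already present; only names and addresses need editing.
# korea10.zone, used further down, needs the same copy step and its own
# zone stanza in named.rfc1912.zones; neither appears in these notes.
cp named.empty sevas10.zone
# Edit the copy just made. named.conf points zone "sevas10.com" at
# "sevas10.zone" in this directory, so that is the file to edit (the notes
# had "vi /sevas10.com", which would create an unrelated file under /).
# Inside the file, "@" stands for the zone origin, sevas10.com.
vi sevas10.zone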
$TTL 3H
; Only the edited lines are shown. The serial / refresh / retry / expire /
; minimum values inside the '( ... )' and the closing ')' come from the
; copied named.empty and are not reproduced here.
; NOTE(review): "root.sevas.10.com." (the contact mailbox) looks like a typo
; for root.sevas10.com. — confirm before loading the zone.
@ IN SOA @ root.sevas.10.com. (
; In named.empty the NS and A lines start with whitespace, meaning "same
; owner as the previous record" (the zone apex). That indent appears lost in
; this transcript; at column 0 the word "IN" would likely be taken as an
; owner name instead.
IN NS @
IN A 192.168.10.10
; "IP" is a placeholder for the web host's address (the note says "enter the
; rest the same way"). Zone files comment with ';', so the trailing '//...'
; text is not a comment and must not be typed into the real file.
www IN A IP //등등 입력
$TTL 3H
; Second zone (korea10.zone), same layout as sevas10.zone above; the SOA
; timer fields and closing ')' are again left out of the notes.
; NOTE(review): "root.korea10.com(" has no trailing dot and no space before
; '(' — without the dot the mailbox is relative to the origin
; (root.korea10.com.korea10.com). Possibly a transcription slip; confirm.
@ IN SOA @ root.korea10.com(
; NS and A records for the apex; in the real file they are indented so they
; inherit the "@" owner from the SOA line.
IN NS @
IN A 192.168.10.10
; www for this zone points at the second host, 192.168.10.20.
www IN A 192.168.10.20
~
# Give group 'named' access to the zone files so the named process can load
# them. The '/{...}' text after each command is the author's annotation, not
# shell syntax; typed as-is, the shell passes it to chmod/chown as extra
# (non-existent) file arguments, so copy only the command part.
# NOTE(review): 660 grants group write, which a master zone with
# allow-update { none; } does not need; 640 is the tighter choice — confirm
# nothing else writes these files.
chmod 660 sevas10.zone /{sevas10.zone 권한 660으로 변경}
chmod 660 korea10.zone /{korea10.zone 권한 660으로 변경}
# 'chown .named' (leading dot) changes only the group; the owner stays root.
# ':named' is the modern spelling of the same thing.
chown .named sevas10.zone /{sevas10.zone 그룹 소유권 .named으로 변경}
chown .named korea10.zone
# Open the firewall for the services configured above. --permanent writes
# the rule to the saved configuration; it takes effect only after --reload.
# The trailing '//...' text on each line is an annotation, not a shell
# comment — on a real shell it would be passed to firewall-cmd as an extra
# argument, so leave it out when typing the commands.
firewall-cmd --permanent --add-port 53/udp //dns
firewall-cmd --permanent --add-port 53/tcp //dns
firewall-cmd --permanent --add-port 80/tcp //tcp
# FTP is opened for a later exercise; nothing on this page sets up an FTP
# server, so this rule is unused (and could be left until needed).
firewall-cmd --permanent --add-service ftp //ftp 해야하니까
firewall-cmd --reload //적용
# Show the active zone's ports/services to confirm the rules were applied.
firewall-cmd --list-all //확인
# Restart both daemons so the new config and zone files are loaded.
service httpd restart
service named restart
# Resolve a name from each zone; with the resolver pointed at 192.168.10.10
# (see the dns1 line at the top) both should answer from this server.
nslookup www.sevas10.com
nslookup www.korea10.com
2.
# Apache's default document root on this box.
cd /var/www/html
# Create the index page straight from the terminal: type the HTML, then end
# the input. Ctrl-D (EOF) is the usual way to finish; the notes use Ctrl-C
# (shown as ^C), which kills cat but normally leaves what was typed so far.
cat > index.html
^C
3
cmd창을 킨후
# From a Windows command prompt: a raw TCP connection to the web server on
# port 80. Typing a request by hand shows the raw response headers, including
# the Server header whose contents the ServerTokens/ServerSignature settings
# in section 4-2 reduce.
telnet 192.168.10.10 80
4-1.
cd /var/www/html
# Remove the index page (-rf is unnecessary for a single file; 'rm -f --
# index.html' is enough) and create a sub-directory with no index file.
rm -rf index.html
mkdir mini
cd mini
touch 1 2 3
# With the stock "Options Indexes" still in httpd.conf, requesting /mini/
# now returns an auto-generated listing of 1, 2, 3 — the exposure the next
# step (dropping Indexes) removes.
service httpd restart
-> 취약점임
vi /etc/httpd/conf/httpd.conf
140번째 줄
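<Directory "/var/www/html">
    # Stock line, kept commented out for reference: Indexes lets Apache
    # generate a directory listing for any directory without an index file.
    # Options Indexes FollowSymLinks
    # Bare Options enables no features, so Indexes is off and a directory
    # without an index file gets a 403 instead of a listing. FollowSymLinks is
    # dropped too; add it back if the site relies on symlinks. (The notes had
    # "Options //추가" — '//' is not comment syntax in httpd.conf and httpd
    # would reject it as an illegal option; the annotation belongs in a '#'
    # comment like this one.)
    Options
    AllowOverride None
    Require all granted
</Directory>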
service httpd restart
-> 보안 화면임
vi /etc/httpd/conf/httpd.conf
140번째 줄 원복
<Directory "/var/www/html">
# Restoring the stock line re-enables directory listings for every directory
# that has no index file (the /mini/ exposure shown above). Keep the
# Indexes-less version from the previous step on anything but a lab box.
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
service httpd restart
4-2 banner grabbing
vi /etc/httpd/conf/httpd.conf
# Drop the version/hostname footer Apache appends to error pages and
# generated listings.
ServerSignature off
# Reduce the Server response header to just "Apache" — no version, OS or
# module list. Neither setting fixes a vulnerability; they only stop
# advertising exact versions to a client that looks at the headers.
ServerTokens Prod
첫 번째 줄에 추가
service httpd restart
5-1.
# Working directory for the key, CSR and certificate. The key written here is
# unencrypted, so lock the directory and key file down to root (e.g.
# chmod 700 /cert/key and chmod 600 sevas.key); neither step is in these
# notes, and the default umask leaves the key world-readable.
mkdir -p /cert/key
cd /cert/key
***** 알아둘점 ****
cert => 인증서
csr => 인증서 신청서
key => 암호화
1. 키생성
# 2048-bit RSA private key, written without a passphrase (no -aes256 etc.)
# so httpd can start unattended; file permissions are its only protection.
openssl genrsa -out sevas.key 2048
2. 신청서작성
# Certificate signing request for the key; the subject fields are entered
# interactively (answers listed below). The Common Name must be the hostname
# clients will use, sevas10.com. The redirect works because openssl req
# writes the PEM CSR to stdout; '-out sevas.csr' is the usual spelling.
openssl req -new -key sevas.key > sevas.csr
Country Name [xx] : 어디나라? KR
state or province name : 지역 Seoul
locality Name : 도시 Gangnam
organization Name : WebSecure
organizational Unit Name : sevas
common Name(hostname) : sevas10.com
email address : root@sevas10.com
3. 최종인증서생성
# Self-sign the CSR with the same key, valid for 365 days. No CA is involved,
# so browsers will warn about it; recent browsers also expect a
# subjectAltName, which this CN-only certificate lacks. Fine for the lab —
# anything public needs a CA-issued certificate.
openssl x509 -req -days 365 -in sevas.csr -signkey sevas.key -out sevas.crt
[확인]
# Dump the certificate (subject, validity, public key) to verify it.
openssl x509 -text -in sevas.crt -noout
# 'll' is normally an alias for 'ls -l' on this distribution; the three
# files (key, csr, crt) should all be present. This is also the moment to
# check that sevas.key is not readable by other users.
ll
sevas.key sevas.csr sevas.crt 잘확인할것
5-2
vi /etc/httpd/conf.d/ssl.conf
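# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Added: the self-signed certificate produced in step 5-1. (The notes wrote
# "//추가" after the path; '//' is not comment syntax here and httpd would
# treat it as a stray second argument, so the note lives in a '#' line.)
SSLCertificateFile /cert/key/sevas.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Added: the unencrypted private key from step 5-1. It is read while httpd
# still runs as root at start-up, so the file can and should be mode 600,
# owned by root.
SSLCertificateKeyFile /cert/key/sevas.key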
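# Restart httpd so mod_ssl loads the new certificate and key.
service httpd restart
# Open HTTPS. Both options need the double dash, matching the port-80 rule
# earlier; the notes had '-permanent' and a bare 'reload', which firewall-cmd
# does not accept as written.
firewall-cmd --permanent --add-port 443/tcp
firewall-cmd --reload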