linux

#pa aux|grep yum
#kill -9 3829
#yum 

Enable userdir, users can create websites with this setting. [1] Configure httpd. [root@www ~]#  vi /etc/httpd/conf.d/userdir.conf # line 17: comment out # UserDir disabled # line 24: uncomment UserDir public_html # line 31 - 35 <Directory "/home/*/public_html">     AllowOverride  All # change     Options  None # change     Require method GET POST OPTIONS </Directory> [root@www ~]#  systemctl restart httpd  [cent@www ~]$  mkdir public_html  [cent@www ~]$  chmod 711 /home/cent  [cent@www ~]$  chmod 755 /home/cent/public_html  [cent@www ~]$ vi ./public_html/index.html <html> <body> <div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;"> UserDir Test Page </div> </body> </html> 要關selinux   0727   1.nano /etc/httpd/conf/httpd.conf   Find the section that begins with <Directory "/var/www/html">. Change the line from AllowOverride none to AllowOverride AuthConfig AllowOverride AuthConfig Save and close the file.  2. Create a password file with htpasswd   htpasswd -c /var/www/html/.htpasswd user1 htpasswd /var/www/html/.htpasswd user2// next user don't -c [root@localhost ~]# htpasswd -c /var/www/html/.htpasswd hope New password: Re-type new password: Adding password for user hope   3. nano /var/www/html/.htaccess AuthType Basic AuthName "Restricted Content" AuthUserFile /var/www/html/.htpasswd Require valid-user 4.chown apache:apache /var/www/html/.htaccess chown apache:apache /var/www/html/.htpasswd chmod 0660 /var/www/html/.htpasswd 5.systemctl restart httpd 6.test ==================== 8/9 DNS 1.yum install bind bind-chroot bind-utils 2.nano /etc/named.rfc1912.zones add zone  zone "ccna16.edu" IN { type master; file "named.ccna16"; allow-update { none; }; }; zone "40.168.192.in-addr.arpa" IN { type master; file "named.reverse"; allow-update { none; }; }; 3. nano /var/named/named.reverse $TTL 1D @ IN SOA @ ccna16.edu. (100 1H 2D 3W 1H) @ IN NS ccna16.edu. 253 IN PTR ccna16.edu. 253 IN PTR www.ccna16.edu. nano /var/named/named.ccna16 $TTL 1D @ IN SOA @ rname.invalid. ( 0 1D 1H 1W 3H ) NS @ A 192.168.40.253 www A 192.168.40.253  4.systemctl restart named 5.[root@localhost ~]# dig -x 192.168.40.253 @localhost ; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> -x 192.168.40.253 @localhost ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26026 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;253.40.168.192.in-addr.arpa. IN PTR ;; ANSWER SECTION: 253.40.168.192.in-addr.arpa. 86400 IN PTR ccna16.edu. 253.40.168.192.in-addr.arpa. 86400 IN PTR www.ccna16.edu. ;; AUTHORITY SECTION: 40.168.192.in-addr.arpa. 86400 IN NS ccna16.edu. ;; ADDITIONAL SECTION: ccna16.edu. 86400 IN A 192.168.40.253 ;; Query time: 1 msec ;; SERVER: ::1#53(::1) ;; WHEN: 三 8月 09 15:34:44 CST 2017 ;; MSG SIZE rcvd: 128 ================= 8/10 postfix 1.預備動作 nano /var/named/named.ccna16 加入 mail A 192.168.40.253 ccna16.edu MX 10 mail.ccna16.edu. 重啟 named systemctl restart named 測試 Microsoft Windows [版本 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Users\Administrator>nslookup 預設伺服器: dns.hinet.net Address: 168.95.1.1 > server 192.168.40.253 預設伺服器: [192.168.40.253] Address: 192.168.40.253 > set type=mx > ccna16.edu 伺服器: [192.168.40.253] Address: 192.168.40.253 ccna16.edu MX preference = 10, mail exchanger = mail.ccna16.edu ccna16.edu nameserver = ccna16.edu mail.ccna16.edu internet address = 192.168.40.253 ccna16.edu internet address = 192.168.40.253 2.firewall-cmd --permanent --add-service=smtp firewall-cmd --permanent --add-port=110/tcp firewall-cmd --permanent --add-port=143/tcp firewall-cmd --reload systemctl start postfix systemctl enable postfix 3.#vim /etc/postfix/main.cf myhostname = mail.ccna16.edu mydomain = ccna16.edu myorigin = $mydomain mynetworks_style = class mynetworks = 127.0.0.0/8, 192.168.40.0/24 inet_interfaces = all mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost mail_spool_directory = /var/mail home_mailbox = Maildir/ mailbox_size_limit = 0 #原設定參數沒有 message_size_limit = 0 #請自己加上即可 4.編修設定檔 /etc/dovecot/dovecot.conf protocols = imap pop 5.編修設定檔 /etc/dovecot/conf.d/10-mail.conf： 打開mail_location = mbox:~/mail:INBOX=/var/mail/%u 6. [hope@localhost ~]$ nano ~/.muttrc #su - student $vim ~/.muttrc set mbox_type=Maildir set folder="~/Maildir" set mask="!^\\.[^.]" set mbox="~/Maildir" set record="+.Sent" set postponed="+.Drafts" set spoolfile="~/Maildir"   8/30 practice network command and manage 1.ip address show ip -s link show enp0s3 ip address add 10.0.0.2/24 brd + dev enp0s3  ip address del 10.0.0.2/24 dev enp0s3 2.systemctl start NetworkManager stop stop restart enable disable  cancle MN instead network chkconfig network on cat /etc/sysconfig/network-scripts/ifcfg-enp0s3 //the configuration place ifdown enp0s3 ifconfig ifup enp0s3 3.test tool netstat -ntulp n with port t tcp u udp l listen p pid

cisco security

0721
AAA
Authentication
   Prove :they are who they say they are.
Authorization
   Resources can access and whice operation is allowed to perform
Accounting
    Audting Billing

Example: Configure Local Authentication

Router> enable
Router# configure terminal
Router(config)# aaa new-model
Router(config-if)# aaa authentication login default local
Router(config)# line vty 0 4
Router(config-line)# login authentication default
Router(config-line)# end

Item

TACACS+

RADIUS

Comparison



Connection

TCP

UDP

UDP has less overhead; however, with TCP, TACACS+ more quickly can detect a failed server and switch over to a backup. TCP can do this by having the router look for an RST (closed connection) message or by using TCP keepalives.


Encryption

Payload

Passwords

TACACS+ is more secure because it encrypts the entire payload, which includes all user and AAA message information; RADIUS encrypts only passwords, so everything else, including usernames and other account information, is sent in clear text.


Authentication and authorization

Separate

Combined

RADIUS combines authentication and authorization functions, which means that you must use the same server or group for these functions. TACACS+ separates them, giving you more control over the server that handles these functions.


WAN protocols

PPP, ARAP, NetBIOS, NASI, and X.25 PAD

PPP and SLIP

TACACS+ is better suited for remote-access situations that involve multiple dialup protocols, whereas RADIUS supports only PPP and SLIP.


Router command authorization

Yes

No

TACACS+ enables you to control what commands an authenticated user can execute on a router; RADIUS does not.


Accounting

Basic

Advanced

The one big advantage that RADIUS has over TACACS+ is its robust accounting, which is why many ISPs use it to monitor PPP connections.


Authentication Troubleshooting：
Router# debug aaa authentication

R1(config)#username Admin1 secret admin1pa55
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#line console 0
R1(config-line)#login authentication default
R1(config)#aaa authentication login TELNET-LOGIN local
R1(config)#line vty 0 4
R1(config-line)#login authentication TELNET-LOGIN


R2
R2(config)#username Admin2 secret admin2pa55
R2(config)#tacacs-server host 192.168.2.2
R2(config)#tacacs-server key tacacspa55
R2(config)#aaa new-model
R2(config)#aaa authentication login default group tacacs+ local
R2(config)#line con 0
R2(config-line)#login authentication default



R3
R3(config)#username Admin3 secret admin3pa55
R3(config)#radius-server host 192.168.3.2
R3(config)#radius-server key radiuspa55
R3(config)#aaa new-model
R3(config)#aaa authentication login default group radius local
R3(config)#line con 0
R3(config-line)#login authentication default

07/24



4.4.1.3 Packet Tracer - Configuring a Zone-Based Policy Firewall (ZPF)

Create the Firewall Zones 

R3(config)#zone security IN-ZONE

R3(config-sec-zone)#zone security OUT-ZONE

R3(config-sec-zone)#exit

Define a Traffic Class and Access List

R3(config)#access-list 101 permit ip 192.168.3.0 0.0.0.255 any



R3(config)#class-map type inspect match-all IN-NET-CLASS-MAP

R3(config-cmap)#match access-group 101

R3(config-cmap)#

R3(config-cmap)#exit

R3(config)#policy-map type inspect IN-2-OUT-PMAP

R3(config-pmap)#class type inspect IN-NET-CLASS-MAP

R3(config-pmap-c)#inspect

%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected

R3(config-pmap-c)#exit

R3(config-pmap)#exit

R3(config)# zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE

R3(config-sec-zone-pair)#service-policy type inspect IN-2-OUT-PMAP

R3(config-sec-zone-pair)#exit

R3(config)#interface fa0/1

R3(config-if)#zone-member security IN-ZONE

R3(config-if)#exit

R3(config)#interface s0/0/1

R3(config-if)#zone-member security OUT-ZONE



R3(config-if)#exit



IDS IPS

IPS

線上作業(In-Line)即時阻斷高精確的偵測能力高效能與低延遲可靠性與可用性自我學習與調整能力

階段一 偵測/不防禦

IPS以被動式IDS模式運作，連線到路由器的SPAN埠或分接裝置，以偵測與分析網路封包，無阻檔功能。此一階段，管理者可依據偵測的結果作適當的調整，以減少誤報（False positive）的情形發生

階段二 線上偵測/不防禦

經過IPS，並做即時且深層的檢測

In-line Mode

須對IPS 的攻擊特徵偵測與異常協定偵測進行更細微的調整

階段三 全面偵測/部分防禦

階段四 線上偵測/全面防禦

結論

IPS進行全面阻檔前，如何準確分析出各類異常偵測的臨界值，去除誤報的攻擊特徵，增加漏報的過濾特徵，必須由網路管理者投入長時間的檢測與調整。



09/05 許老師

SIEM  Security Information and Event Management

F/M     UTM (Unified Threat Management，UTM)f/w&idp 安(IDS, Intrusion Detection
System)

coreswitch

log   有正規化分析 FortiGate虛擬設備允許您通過虛擬基礎架構中實現關鍵的安全控制




R語言

網卡RDMA