Linux Network Configuration, Day 11

2012-11-20 14:25:10  category: linux

Addressing computers on the Internet
FQDN: the fully qualified host name (domain name, application layer)
A full domain name such as PHP.XLXZ.ORG consists of the host name, the second-level domain, the top-level domain and the root domain (the part after the third dot).
ARP resolution process

When is RARP used?

When a computer has just joined the network and requests an IP address: it knows its own MAC address but not its IP address. Used for DHCP.

Network configuration files

/etc/sysconfig/network-scripts/ifcfg-eth0

This file stores the IP address and the gateway.

Field descriptions:

DEVICE=eth0                 # interface name
BOOTPROTO=dhcp              # dhcp: obtain automatically; static: set by hand
HWADDR=00:0C:29:F3:17:EA    # MAC address; it can be edited and takes effect after the network service is restarted (once used for software anti-piracy binding)
ONBOOT=yes                  # bring the interface up at boot, or not
IPADDR                      # IP address
NETMASK                     # subnet mask; not needed with a dynamic IP, used with a static IP
GATEWAY                     # gateway



[root@php_notes samlee]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0
BOOTPROTO=dhcp
HWADDR=00:0C:29:F3:17:EA
ONBOOT=yes
DHCP_HOSTNAME=php_notes


It can be changed to:

BOOTPROTO=static
IPADDR=192.168.0.100
[root@php_notes ~]# service network restart
[root@php_notes ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:F3:17:EA
          inet addr:192.168.9.100  Bcast:192.168.9.255  Mask:255.255.255.0

The subnet mask may be left unset.
/etc/resolv.conf does not exist by default; it specifies the DNS server addresses.

[samlee@php_notes ~]$ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
nameserver 192.168.2.2        (at most three entries; two are recommended)


/etc/sysconfig/network stores the local host name.

[samlee@php_notes ~]$ cat /etc/sysconfig/network
NETWORKING=yes            whether networking is enabled
NETWORKING_IPV6=no
HOSTNAME=php_notes        host name
[root@php_notes ~]# hostname
php_notes
[root@php_notes ~]# hostname php.xlxz        (sets the host name; does not survive a reboot)
[root@php_notes ~]# hostname
php.xlxz


/etc/services: network service information
File description:

Port numbers range from 0 to 65535; 0-1024 are the well-known ports.

[samlee@helen ~]$ cat /etc/services
ftp             21/tcp
ftp             21/udp          fsp fspd
ssh             22/tcp                          # SSH Remote Login Protocol    (TCP is used for user authentication)
ssh             22/udp                          # SSH Remote Login Protocol    (UDP is used for file transfer)
telnet          23/tcp
telnet          23/udp
[root@php_notes ~]# netstat -an | grep LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:692                 0.0.0.0:*                   LISTEN
[root@php_notes ~]# netstat -an | grep :22
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0     52 ::ffff:192.168.9.90:22      ::ffff:192.168.9.254:1411   ESTABLISHED
tcp        0   1936 ::ffff:192.168.9.100:22     ::ffff:192.168.9.254:1408   ESTABLISHED


Client ports above 1024 are assigned randomly.
nmap scans the well-known ports; changing a service's default port can help ward off attacks.

[root@php_notes ~]# rpm -ivh /mnt/cdrom/CentOS/nmap-4.11-1.1.i386.rpm
[root@php_notes ~]# nmap 192.168.0.105
Starting Nmap 4.11 ( http://php.xlxz.org/nmap/ ) at 2011-02-27 02:41 CST
Interesting ports on localhost (192.168.0.105):
Not shown: 1677 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
839/tcp  open  unknown
Nmap finished: 1 IP address (1 host up) scanned in 0.246 seconds
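The netstat and nmap sessions above show the same fact from two sides: what the host listens on is what a scanner will find. As an added example (not part of the original notes), the script below turns `netstat -an` output into a listener inventory and compares it with an allow-list, so an unexpected listener like the port 692 or 839 above is noticed from the inside first. The netstat text is constructed from the session above, with two UDP sockets added; it is not a live capture.

```shell
#!/bin/sh
# Added example: inventory listening sockets from `netstat -an` output and
# compare them with an allow-list. The sample output below is constructed from
# the notes' session (plus two UDP sockets); it is not a live capture.

NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:692                 0.0.0.0:*                   LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0     52 ::ffff:192.168.9.90:22      ::ffff:192.168.9.254:1411   ESTABLISHED
udp        0      0 0.0.0.0:68                  0.0.0.0:*
udp        0      0 0.0.0.0:111                 0.0.0.0:*'

# listening_ports < netstat-output -> "proto port" per listening socket, sorted and unique.
# TCP sockets count when their state is LISTEN; UDP has no state, so every bound socket counts.
listening_ports() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" { p = $4; sub(/.*:/, "", p); print "tcp", p }
        $1 ~ /^udp/                    { p = $4; sub(/.*:/, "", p); print "udp", p }
    ' | sort -u
}

# unexpected_listeners "ALLOWLIST" < netstat-output
# ALLOWLIST is space separated, e.g. "tcp/22 udp/68". Prints each listener not on the
# list; returns 1 if there was any, 0 when the host listens only where you expect.
unexpected_listeners() {
    allow=" $1 "; found=0
    for entry in $(listening_ports | tr ' ' '/'); do
        case "$allow" in
            *" $entry "*) ;;
            *) echo "unexpected listener: $entry"; found=1 ;;
        esac
    done
    return "$found"
}

echo "--- listeners"
printf '%s\n' "$NETSTAT_SAMPLE" | listening_ports
echo "--- against the allow-list: sshd, portmapper, dhclient"
printf '%s\n' "$NETSTAT_SAMPLE" | unexpected_listeners "tcp/22 tcp/111 udp/111 udp/68"
```

On a live host run `netstat -an | unexpected_listeners "tcp/22 ..."` with the services you actually intend to expose; anything it prints deserves the same attention the unknown port 839 in the nmap output would get from an outsider.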


/etc/rc.d/init.d/network: the network startup script.
Host name database: /etc/hosts
File format: IP address   host name or domain name   aliases
Adding a record to this file bypasses DNS.

[root@php_notes samlee]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       php_notes localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
[root@php_notes samlee]# vi /etc/hosts
192.168.9.44    php.xlxz.org        (newly added record)
[root@php_notes samlee]# ping php.xlxz.org
PING php.xlxz.org (192.168.9.44) 56(84) bytes of data.
64 bytes from php.xlxz.org (192.168.9.44): icmp_seq=1 ttl=64 time=1.04 ms
64 bytes from php.xlxz.org (192.168.9.44): icmp_seq=2 ttl=64 time=0.603 ms
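Because a record in /etc/hosts wins over DNS, the file is also a place where a stray or planted entry silently redirects a host name. As an added example (not part of the original notes), the functions below read a hosts file the way the resolver does (first matching line wins, names compared case-insensitively, comments ignored) and list every name the machine will never look up in DNS. The sample file is constructed from the session above plus two extra records.

```shell
#!/bin/sh
# Added example: answer "what does this machine resolve without asking DNS?"
# by parsing /etc/hosts resolver-style. The sample below is constructed from
# the notes' session with two extra records; it is not a file from a real host.

HOSTS_SAMPLE='# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       php_notes localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
192.168.9.44    php.xlxz.org                  # added by hand (constructed)
192.168.9.45    Mirror.Example.org mirror     # constructed: the alias "mirror" also resolves
192.168.9.46    php.xlxz.org                  # constructed duplicate: never consulted'

# hosts_lookup NAME < hosts-file -> prints the address of the first matching record; 1 if none
hosts_lookup() {
    awk -v name="$1" '
        { sub(/#.*/, "") }                               # strip comments
        NF >= 2 { for (i = 2; i <= NF; i++)
                      if (tolower($i) == tolower(name)) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# hosts_overrides < hosts-file -> "address name" for every record that is not loopback,
# i.e. every name a program on this host will resolve without consulting DNS
hosts_overrides() {
    awk '
        { sub(/#.*/, "") }
        NF >= 2 && $1 !~ /^127\./ && $1 != "::1" { for (i = 2; i <= NF; i++) print $1, $i }'
}

# hosts_shadowed < hosts-file -> names that appear on more than one line (only the first is used)
hosts_shadowed() {
    awk '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) { n = tolower($i); if (++seen[n] == 2) print n } }'
}

echo "--- lookup, case-insensitive like the resolver"
printf '%s\n' "$HOSTS_SAMPLE" | hosts_lookup PHP.XLXZ.ORG
echo "--- names that bypass DNS on this host"
printf '%s\n' "$HOSTS_SAMPLE" | hosts_overrides
echo "--- names with a shadowed second record"
printf '%s\n' "$HOSTS_SAMPLE" | hosts_shadowed
```

`hosts_overrides < /etc/hosts` is the quick audit: on a workstation the list should be short and every line should be one you added yourself.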


/etc/services: network service information
/etc/resolv.conf: specifies the DNS server addresses

Network management commands
View network interface settings: ifconfig
View the ARP table: arp
-a  show the ARP cache
-d  delete a cached entry
-s  add a (static) cache entry

[root@php_notes ~]# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
localhost                ether   00:1C:25:94:72:D2   C                     eth0
localhost                ether   00:0C:29:24:7E:CA   C                     eth0
[root@php_notes samlee]# arp -a
localhost (192.168.9.254) at C8:0A:A9:EB:E3:8D [ether] on eth0
localhost (192.168.9.1) at 3C:E5:A6:0C:60:BB [ether] on eth0
[root@php_notes samlee]# ping 192.168.9.44
PING 192.168.9.44 (192.168.9.44) 56(84) bytes of data.
64 bytes from 192.168.9.44: icmp_seq=1 ttl=64 time=1.93 ms
[root@php_notes samlee]# arp -a
localhost (192.168.9.254) at C8:0A:A9:EB:E3:8D [ether] on eth0
localhost (192.168.9.44) at 20:6A:8A:25:E3:5C [ether] on eth0
[root@php_notes samlee]# arp -d 192.168.9.44
[root@php_notes samlee]# arp -a
localhost (192.168.9.254) at C8:0A:A9:EB:E3:8D [ether] on eth0
localhost (192.168.9.44) at <incomplete> on eth0
localhost (192.168.9.1) at 3C:E5:A6:0C:60:BB [ether] on eth0
[root@php_notes samlee]# arp -s 192.168.9.44 00:65:ff:43:ea:32
[root@php_notes samlee]# ping 192.168.9.44
PING 192.168.9.44 (192.168.9.44) 56(84) bytes of data.
64 bytes from 192.168.9.44: icmp_seq=1 ttl=64 time=1.95 ms
64 bytes from 192.168.9.44: icmp_seq=1 ttl=64 time=1.95 ms (DUP!)
From 192.168.9.30: icmp_seq=1 Redirect Network(New nexthop: 192.168.9.44)
[root@php_notes samlee]# arp -a
localhost (192.168.9.44) at 00:65:FF:43:EA:32 [ether] PERM on eth0        (PERM marks a static entry)
[root@php_notes samlee]# arp -d 192.168.9.44
[root@php_notes samlee]# arp -a
[root@php_notes samlee]# ping 192.168.9.44        (should ping successfully in theory)
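The session above shows why a static (PERM) entry matters: whatever the cache learns dynamically can change from one `arp -a` to the next. As an added example (not part of the original notes), the script below compares two `arp -a` snapshots and reports every IP whose MAC changed, and checks that a pinned mapping, typically the default gateway, still holds. Both snapshots are constructed from the session above, with one extra host added; they are not live captures.

```shell
#!/bin/sh
# Added example: detect ARP cache changes between two `arp -a` snapshots and
# verify that a pinned address still carries the expected MAC. Both snapshots
# are constructed from the notes' session (one extra host added), not live captures.

ARP_BEFORE='localhost (192.168.9.254) at C8:0A:A9:EB:E3:8D [ether] on eth0
localhost (192.168.9.44) at 20:6A:8A:25:E3:5C [ether] on eth0
localhost (192.168.9.1) at 3C:E5:A6:0C:60:BB [ether] on eth0'

ARP_AFTER='localhost (192.168.9.254) at C8:0A:A9:EB:E3:8D [ether] on eth0
localhost (192.168.9.44) at 00:65:FF:43:EA:32 [ether] PERM on eth0
localhost (192.168.9.1) at <incomplete> on eth0
localhost (192.168.9.77) at 00:11:22:33:44:55 [ether] on eth0'

# arp_changes BEFORE_FILE AFTER_FILE -> one line per IP whose MAC differs between the snapshots.
# Entries that are <incomplete> carry no MAC and are neither stored nor reported.
arp_changes() {
    awk '
        $4 == "<incomplete>" { next }
        { ip = $2; gsub(/[()]/, "", ip); mac = toupper($4) }
        NR == FNR { before[ip] = mac; next }              # first file: remember what we had
        (ip in before) && before[ip] != mac { print ip ": " before[ip] " -> " mac }
    ' "$1" "$2"
}

# arp_mac_of IP < snapshot -> the cached MAC for IP in upper case; empty if absent or incomplete
arp_mac_of() {
    awk -v want="($1)" '$2 == want && $4 != "<incomplete>" { print toupper($4); exit }'
}

# arp_check_pinned IP EXPECTED_MAC < snapshot -> 0 if the cache still agrees with the pinned mapping
arp_check_pinned() {
    got=$(arp_mac_of "$1")
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    if [ "$got" = "$want" ]; then
        echo "$1 is still $want"
    else
        echo "$1 expected $want but the cache says '${got:-<none>}'"
        return 1
    fi
}

SNAP=$(mktemp -d)
printf '%s\n' "$ARP_BEFORE" > "$SNAP/before"
printf '%s\n' "$ARP_AFTER"  > "$SNAP/after"

echo "--- changed mappings"
arp_changes "$SNAP/before" "$SNAP/after"
echo "--- pinned gateway"
printf '%s\n' "$ARP_AFTER" | arp_check_pinned 192.168.9.254 c8:0a:a9:eb:e3:8d
```

In practice you would save `arp -a > before`, wait, save again, and run `arp_changes before after`; a gateway whose MAC moves without a hardware change is exactly the case a static entry added with `arp -s` is meant to rule out.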


Probe a remote host: ping
Manipulate the routing table: route

[root@php_notes ~]# route add default gw 192.168.0.1        (add the default gateway)

View the path to a host: traceroute

[root@php_notes ~]# traceroute php.xlxz.org
traceroute to php.xlxz.org (61.135.169.105), 30 hops max, 40 byte packets
 1  localhost (192.168.0.1)  4.418 ms  2.950 ms  3.216 ms
 2  114.249.224.1 (114.249.224.1)  48.522 ms  48.032 ms  53.824 ms
 3  125.35.65.101 (125.35.65.101)  49.762 ms  18.635 ms  18.800 ms
 4  bt-227-117.bta.net.cn (202.106.227.117)  21.654 ms  27.840 ms  27.431 ms
 5  61.148.153.37 (61.148.153.37)  80.018 ms  80.739 ms  81.634 ms
 6  61.148.155.226 (61.148.155.226)  28.758 ms  29.263 ms  31.087 ms
 7  202.106.43.174 (202.106.43.174)  11.947 ms !X * *


Monitor network status: netstat
Query Internet domain name information: nslookup

[root@php_notes ~]# nslookup php.xlxz.org
Server:         192.168.0.1
Address:        192.168.0.1#53
Non-authoritative answer:
php.xlxz.org    canonical name = www.xlxz.org.
Name:   www.a.shifen.com
Address: 61.135.169.105
Name:   php.xlxz.org
Address: 61.135.169.125



Remote management with SSH
ssh remote login: ssh username@remote-host-IP
Common options: -2  force SSH protocol version 2
                -p  port number
Example:
ssh -2 php@php.xlxz.org

[root@php_notes ~]# ssh -2 php_note@www.xlxz.org
The authenticity of host '192.168.0.105 (192.168.0.105)' can't be established.
RSA key fingerprint is 60:87:c8:2a:a9:cf:b6:0d:bb:21:d0:26:4e:5f:67:49.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.105' (RSA) to the list of known hosts.
Address 192.168.0.105 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
php_notes@www.xlxz.org's password: php_pass
Last login: Sun Feb 27 02:39:09 2011 from 192.168.0.102
Welcome login in my host !



Configuration file: /etc/ssh/sshd_config

[root@php_notes ~]# vi /etc/ssh/sshd_config

Change Port to 1002 and restart the sshd service; ssh -2 php_notes@php.xlxz.org will then fail to log in.

[root@php_notes ~]# nmap 192.168.0.105

will no longer find the ssh port, which improves security.

Using

[root@php_notes ~]# ssh -p 10022 php_notes@php.xlxz.org

logs in again.

[root@php_notes ~]# vi /etc/ssh/sshd_config

PermitRootLogin no        refuse root logins
root can then no longer log in, but ordinary users still can.
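The two edits above (a non-default Port and PermitRootLogin no) are the kind of thing worth re-checking after every upgrade, because a commented-out line falls back to the built-in default. As an added example (not part of the original notes), the audit below parses an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, settings inside a Match block are conditional) and reports the weak settings. The sample files are constructed; the assumed built-in default of PermitRootLogin yes matches the OpenSSH 4.x of these notes, and newer OpenSSH releases default to prohibit-password instead.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed in the notes.
# The sample files are constructed; defaults assumed when a keyword is absent
# are marked below and are those of the OpenSSH 4.x era the notes describe.

# sshd_effective FILE KEYWORD [DEFAULT]
# sshd honours the first occurrence of a keyword, compares keywords case-insensitively,
# and applies anything after a Match line only conditionally, so parsing stops there.
sshd_effective() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# sshd_audit FILE -> one line per weak setting; return value = number of findings
sshd_audit() {
    f="$1"; n=0
    if [ "$(sshd_effective "$f" Port 22)" = "22" ]; then
        echo "$f: Port 22 (default) - sshd shows up in a default nmap scan"; n=$((n + 1))
    fi
    # assumed default when absent: PermitRootLogin yes (OpenSSH 4.x; newer: prohibit-password)
    case "$(sshd_effective "$f" PermitRootLogin yes | tr 'A-Z' 'a-z')" in
        yes) echo "$f: PermitRootLogin yes - root can log in directly"; n=$((n + 1)) ;;
    esac
    # assumed default when absent: Protocol 2; an explicit "1" anywhere re-enables SSH-1
    case "$(sshd_effective "$f" Protocol 2)" in
        *1*) echo "$f: Protocol permits SSH-1 - the client's -2 flag cannot fix the server side"; n=$((n + 1)) ;;
    esac
    [ "$n" -eq 0 ] && echo "$f: no findings"
    return "$n"
}

CFG=$(mktemp -d)
cat > "$CFG/sshd_config.weak" <<'EOF'
# constructed sample: everything left at the shipped values
#Port 22
Protocol 2,1
#PermitRootLogin yes
EOF
cat > "$CFG/sshd_config.hardened" <<'EOF'
# constructed sample: the two changes made in the notes, plus an explicit Protocol 2
Port 10022
Protocol 2
PermitRootLogin no
Match Address 192.168.0.0/24
    PermitRootLogin yes    # conditional; the global setting above is what the audit reports
EOF

for c in weak hardened; do sshd_audit "$CFG/sshd_config.$c"; echo; done
```

Run `sshd_audit /etc/ssh/sshd_config` after editing and again after restarting sshd; the return value is the number of findings, so it slots into a cron job or a configuration test without parsing the text.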


SSH tools for Windows: SSH Workstation
ssh   remote login
sftp  file sharing (like ftp)
scp   file sharing (like cp)

[samlee@php_notes ~]$ sftp mickey@192.168.0.116
Connecting to 192.168.0.116...
The authenticity of host '192.168.0.116 (192.168.0.116)' can't be established.
RSA key fingerprint is 18:3c:50:81:30:43:fb:3e:10:cf:82:0a:ee:dd:bd:8d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.116' (RSA) to the list of known hosts.
Address 192.168.0.116 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
mickey@192.168.0.116's password:        (enter the password)
sftp> ls
firefox-4.0b12.tar.bz2
sftp> get firefox-4.0b12.tar.bz2
Fetching /home/mickey/firefox-4.0b12.tar.bz2 to firefox-4.0b12.tar.bz2
/home/mickey/firefox-4.0b12.tar.bz2           100%   13MB   6.7MB/s   00:02
sftp> put apache_1.3.31.tar.gz
Uploading apache_1.3.31.tar.gz to /home/mickey/apache_1.3.31.tar.gz
apache_1.3.31.tar.gz                          100% 2410KB   2.4MB/s   00:00
sftp> exit
[samlee@php_notes ~]$

Copy a local file to a remote host:
scp local-file user@remote-host:target-directory
scp -r local-directory user@remote-host:target-directory
-P  specify the port number

[root@php_notes ~]# scp -r /etc mickey@192.168.0.116:/home/php_user
The authenticity of host '192.168.0.116 (192.168.0.116)' can't be established.
RSA key fingerprint is 18:3c:50:81:30:43:fb:3e:10:cf:82:0a:ee:dd:bd:8d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.116' (RSA) to the list of known hosts.
Address 192.168.0.116 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
mickey@192.168.0.116's password:
slrn.rc                                       100%   21KB  21.3KB/s   00:00
request-key.conf                              100% 1484     1.5KB/s   00:00
macros.prelink                                100%  297     0.3KB/s   00:00
platform                                      100%   20     0.0KB/s   00:00
macros.specspo                                100%   26     0.0KB/s   00:00


Copy files from a remote host to the local machine:
scp user@remote-host:remote-file local-directory
scp -r user@remote-host:remote-directory local-directory
Common options:
-p  preserve the original file attributes
-r  copy directories

[root@helen ~]# scp -rp mickey@192.168.0.116:/home/mickey/directory /root
Address 192.168.0.116 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
mickey@192.168.0.116's password:
prelink.conf                                  100%  973     1.0KB/s   00:00
rc.sysinit                                    100%   27KB  26.8KB/s   00:00
lvm.conf                                      100%   19KB  18.6KB/s   00:00

Symmetric-key encryption
Encryption and decryption use the same key.
Advantage: fast.
Drawback: the key itself has to be exchanged.
Asymmetric-key encryption
Also called public-key encryption. Two keys are generated: one is published, the public key; the other is held privately, the private key.
Data encrypted with one of the two keys can only be decrypted with the other.
Advantage: good security.
Drawback: slow.
So when encrypting information, symmetric-key encryption and asymmetric-key encryption are normally used together.
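The "used together" pattern is worth seeing end to end. As an added example (not part of the original notes), the script below does it with the openssl command line: a random AES-256 session key encrypts the data (fast, symmetric), and the recipient's RSA public key encrypts only that small session key (slow, asymmetric, but nothing secret has to be exchanged beforehand). The recipient can then recover the session key with the private key and decrypt the data. The key pair, file names and message are all generated here for the demonstration; the script assumes an openssl binary is installed.

```shell
#!/bin/sh
# Added example: hybrid encryption with the openssl CLI, the "combine symmetric
# and asymmetric" pattern from the notes. Keys, file names and the message are
# generated here for the demonstration and belong to no real system.

WORK=$(mktemp -d)

# Recipient's key pair: the public half would be published, the private half never leaves them.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/recipient.key" 2>/dev/null
openssl pkey -in "$WORK/recipient.key" -pubout -out "$WORK/recipient.pub"

# hybrid_encrypt PUBKEY PLAINTEXT OUTDIR
# Writes OUTDIR/data.enc (AES-256-CBC ciphertext), OUTDIR/data.iv (IV, not secret)
# and OUTDIR/key.enc (the session key wrapped with RSA-OAEP under PUBKEY).
hybrid_encrypt() {
    pub="$1"; plain="$2"; out="$3"
    openssl rand -hex 32 > "$out/session.key"          # fresh 256-bit symmetric key, hex encoded
    openssl rand -hex 16 > "$out/data.iv"              # IV travels in the clear
    openssl enc -aes-256-cbc -K "$(cat "$out/session.key")" -iv "$(cat "$out/data.iv")" \
        -in "$plain" -out "$out/data.enc"
    openssl pkeyutl -encrypt -pubin -inkey "$pub" -pkeyopt rsa_padding_mode:oaep \
        -in "$out/session.key" -out "$out/key.enc"
    rm -f "$out/session.key"                           # the sender keeps only the ciphertexts
}

# hybrid_decrypt PRIVKEY INDIR OUTFILE
# Unwraps the session key with the private half, then decrypts the bulk data with it.
hybrid_decrypt() {
    priv="$1"; dir="$2"; outfile="$3"
    openssl pkeyutl -decrypt -inkey "$priv" -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/key.enc" -out "$dir/session.key"
    openssl enc -d -aes-256-cbc -K "$(cat "$dir/session.key")" -iv "$(cat "$dir/data.iv")" \
        -in "$dir/data.enc" -out "$outfile"
    rm -f "$dir/session.key"
}

# hybrid_roundtrip -> 0 when decrypt(encrypt(m)) == m, the ciphertext does not contain the
# plaintext, and no unwrapped session key is left on disk
hybrid_roundtrip() {
    printf 'constructed message: the session key never travels in the clear\n' > "$WORK/plain.txt"
    hybrid_encrypt "$WORK/recipient.pub" "$WORK/plain.txt" "$WORK"
    hybrid_decrypt "$WORK/recipient.key" "$WORK" "$WORK/plain.out"
    cmp -s "$WORK/plain.txt" "$WORK/plain.out" || return 1
    ! grep -q "session key" "$WORK/data.enc" || return 1
    [ ! -e "$WORK/session.key" ] || return 1
}

if hybrid_roundtrip; then
    echo "roundtrip OK: $(wc -c < "$WORK/key.enc" | tr -d ' ')-byte wrapped key, $(wc -c < "$WORK/data.enc" | tr -d ' ')-byte data ciphertext"
    cat "$WORK/plain.out"
else
    echo "roundtrip FAILED"
fi
```

Only key.enc, data.iv and data.enc need to reach the recipient; the 256-byte key.enc is the entire cost of the slow RSA step no matter how large data.enc grows, which is the point of the combination described above.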


Remote management with SSH
Setting up a trusted host:
Host 1
Generate a key pair:

# ssh-keygen -t rsa

This produces the public key id_rsa.pub.
Host 2
Obtain host 1's public key and build the authorized-keys file:

# cat id_rsa.pub >> .ssh/authorized_keys

From now on, host 1 can access host 2 without entering a password.
Host 1

[root@helen ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
8a:6f:7d:8a:9c:f7:ba:16:75:c0:96:94:6e:19:3f:a5 root@helen
[root@helen ~]# cat /root/.ssh/id_rsa.pub
[root@helen ~]# scp /root/.ssh/id_rsa.pub mickey@192.168.0.116:/home/mickey
Address 192.168.0.116 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
mickey@192.168.0.116's password:
id_rsa.pub                                    100% 1675     1.6KB/s   00:00
Host 2
[mickey@Mickey ~]$ mkdir .ssh
[mickey@Mickey .ssh]$ touch authorized_keys
[mickey@Mickey ~]$ cat id_rsa.pub >> .ssh/authorized_keys
[mickey@Mickey .ssh]$ cd ../
[mickey@Mickey ~]$ chmod 755 ./
root -> mickey: no password needed
root -> root: password required
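The `chmod 755 ./` on host 2 is not cosmetic: with StrictModes (the sshd default) the server ignores authorized_keys when the home directory, .ssh or the file itself is writable by group or others, and the client silently falls back to a password prompt. As an added example (not part of the original notes), the script below checks those three modes on the trusting side and applies the usual fix. The home directory is a constructed temporary one and the key line is a constructed placeholder, not a real public key.

```shell
#!/bin/sh
# Added example: check the permission rules sshd enforces (StrictModes yes, the
# default) on the host that holds authorized_keys, and apply the usual fix.
# The home directory is a constructed temporary one; the key line is a placeholder.

# writable_by_others PATH -> true if the group or world write bit is set
writable_by_others() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")    # GNU stat, then BSD stat
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# check_ssh_perms HOME -> one line per problem; return value = number of problems
check_ssh_perms() {
    home="$1"; n=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; n=$((n + 1))
        elif writable_by_others "$p"; then
            echo "writable by group/others, sshd will ignore the key: $p"; n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ] && echo "$home: permissions acceptable to sshd"
    return "$n"
}

# fix_ssh_perms HOME -> the modes the notes' chmod 755 was reaching for, plus .ssh and the key file
fix_ssh_perms() {
    chmod 755 "$1" && chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# authorized_key_count FILE -> number of key lines (blank lines and comments skipped)
authorized_key_count() {
    awk '!/^[[:space:]]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

HOME_DEMO=$(mktemp -d)
mkdir "$HOME_DEMO/.ssh"
cat > "$HOME_DEMO/.ssh/authorized_keys" <<'EOF'
# constructed sample; the key material below is a placeholder, not a real key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_PLACEHOLDER_NOT_A_REAL_KEY root@helen
EOF
# Reproduce a loose setup: world-writable home and a group-writable .ssh
chmod 777 "$HOME_DEMO"; chmod 775 "$HOME_DEMO/.ssh"; chmod 644 "$HOME_DEMO/.ssh/authorized_keys"

echo "--- before"
check_ssh_perms "$HOME_DEMO"
fix_ssh_perms "$HOME_DEMO"
echo "--- after fix"
check_ssh_perms "$HOME_DEMO"
echo "$(authorized_key_count "$HOME_DEMO/.ssh/authorized_keys") key(s) authorized"
```

When a key login unexpectedly asks for a password, `check_ssh_perms ~mickey` on the server side is the first thing to run; `ssh -v` from the client only shows that the offered key was not accepted, not why.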