2025-04-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
The ancients said, "The road to Shu is hard, harder than climbing to the blue sky." For a beginner, keeping a website secure is genuinely not easy either: we must follow the latest security developments, watch for vulnerabilities in the system, and deal with them actively. For a network administrator, website maintenance is an important project. Leaving the more advanced security measures aside, we should at least have a good grasp of the basic security measures of the httpd service; otherwise the site we finally set up can be breached within minutes by any computer enthusiast.
So when we set up a website, how do we configure its security?
On Linux, httpd gives us three methods:
1. Authentication: verify the identity of the users who want to operate on the web page, that is, check that they are legitimate and are who they claim to be.
2. Source control: some content, such as company secrets, must not be viewable by outsiders who log in. Suppose the team has finally developed a technological achievement, and an external user simply does "save as" or "copy and paste" on it.
3. SSL (secure socket layer): we often see the http in a URL turn into https; this is widely used on shopping sites that handle money transactions.
Now let's see how to walk through this trilogy.
Part I: authentication
The general process for implementing authentication:
A. Write the description file .htaccess in the site's home directory; it is used for authentication and has four parts.
AuthUserFile /var/www/.htpasswd    specifies the account library used to authenticate users. It is created separately and is not the same as the system account database.
AuthName "please input your username and password"    the text of the authentication dialog that pops up asking the user for a password
AuthType    the type of authentication
Require    which users are allowed access
B. Generate the account file
htpasswd -c .htpasswd <account name>    use this command to create a new user account [Note: the -c parameter is only needed once, when the file is first created]
1. Modify the configuration file httpd.conf
When AllowOverride is set to None, the .htaccess file is ignored completely. When this directive is set to All, every directive that has .htaccess scope is allowed to appear in the .htaccess file.
2. Create the home page of the site
[root@localhost html]# echo "welcome to lining's web" >> index.html
Start the httpd service and log in; our test page is displayed.
3. Configure authentication
Create the .htaccess file under the site root /var/www/html.
4. In the /var/www directory, create the account library file and the user lining
[root@localhost www]# htpasswd -c .htpasswd lining
New password:
Re-type new password:
Test: open the site in a browser; httpd now asks for the username and password.
Part II: source control
Configure the httpd.conf file directly.
Restart the httpd service and test.
Here we were taken to another page rather than our home page, because access was denied.
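The two parts above, as an added example that is not part of the original post: a POSIX shell script that writes the .htaccess from Part I, the AllowOverride block and the account file, plus the httpd 2.2 access-control block that Part II configures in httpd.conf. Everything is written into a throwaway directory, so the file paths, the user name and the network ranges are assumptions of the demo; on the CentOS 5 box from the post the site root is /var/www/html and the account file is /var/www/.htpasswd.

```shell
#!/bin/sh
# Added example (not from the original post): scaffold a password-protected,
# IP-restricted directory for httpd 2.2. All paths are taken from the
# arguments; nothing here touches /var/www.
set -eu

# Part I, step A: the four .htaccess directives. The account file lives
# outside the document root so it can never be served to a browser.
write_htaccess() {        # $1 = directory to protect, $2 = path of account file
    cat > "$1/.htaccess" <<EOF
AuthUserFile $2
AuthName "please input your username and password"
AuthType Basic
Require valid-user
EOF
}

# Part I, step 1: .htaccess is ignored unless httpd.conf allows the override.
# AuthConfig is narrower than All: only authentication directives are honoured,
# so a writable .htaccess cannot change anything else about the directory.
write_override_conf() {   # $1 = site root, $2 = conf file to write
    cat > "$2" <<EOF
<Directory "$1">
    AllowOverride AuthConfig
</Directory>
EOF
}

# Part I, step B/4: create or extend the account library. The post uses
# htpasswd -c (the -c only on the first run); openssl passwd -apr1 writes the
# same Apache-MD5 format when htpasswd is not installed.
add_htpasswd_user() {     # $1 = account file, $2 = user, $3 = password
    if command -v htpasswd >/dev/null 2>&1; then
        if [ -f "$1" ]; then htpasswd -b "$1" "$2" "$3" >/dev/null 2>&1
        else htpasswd -cb "$1" "$2" "$3" >/dev/null 2>&1; fi
    else
        printf '%s:%s\n' "$2" "$(openssl passwd -apr1 "$3")" >> "$1"
    fi
    chmod 640 "$1"        # httpd reads it; nobody else needs to
}

# Part II: source (access) control in httpd 2.2 syntax. Deny everything,
# then allow only the networks listed in $2 (space separated). httpd 2.4
# expresses the same rule as "Require ip <network>".
write_ip_restriction() {  # $1 = directory, $2 = allowed networks, $3 = conf file
    {
        printf '<Directory "%s">\n    Order deny,allow\n    Deny from all\n' "$1"
        for net in $2; do printf '    Allow from %s\n' "$net"; done
        printf '</Directory>\n'
    } > "$3"
}

# Demo in a throwaway directory (constructed values; user "lining" as in the post).
site=$(mktemp -d); trap 'rm -rf "$site"' EXIT
mkdir "$site/html"
write_override_conf "$site/html" "$site/site.conf"
write_htaccess "$site/html" "$site/.htpasswd"
if command -v htpasswd >/dev/null 2>&1 || command -v openssl >/dev/null 2>&1; then
    add_htpasswd_user "$site/.htpasswd" lining 'Example-pass-1'
fi
write_ip_restriction "$site/html/secret" "192.168.1.0/24 127.0.0.1" "$site/acl.conf"
cat "$site/html/.htaccess" "$site/site.conf" "$site/acl.conf"
```

The account file is stored outside the document root and made unreadable to other users; httpd only needs to read it, never to serve it. With Deny from all first and the allowed networks listed after, a request from anywhere else gets the 403 page the post describes instead of the home page.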
Part III: encrypted access to the website [https]
When we visit a website, we usually use an address beginning with http. http transmits in cleartext, which is very unsafe, so we need to make it transmit ciphertext to provide security.
When we browse a bank's website, however, it becomes an https address. So how is https realized?
A: it is implemented through the secure socket layer protocol, SSL.
So how do we realize the secure socket layer on Linux?
A: to implement encrypted access over the secure socket layer on Linux, we need to know two things:
1. Use of the openssl command
2. PKI, the public key infrastructure
First, let's look at the use of the openssl command.
1. View the files installed by the openssl package with the command rpm -ql openssl.
Look through the functions of openssl: symmetric encryption, asymmetric encryption, checksums (digests) and so on.
2. Digest practice [using md5]. A digest is used to verify the integrity of content. When we run the MD5 algorithm over the content it produces a fixed-length digest; we send the digest together with the content to the receiver, who computes the digest again and compares the two to determine whether the content has been changed.
[small example]
Copy inittab into a folder named after me and compute its digest.
[root@localhost lining]# openssl md5 inittab
MD5(inittab)= 9d49303d50eb59151fc24eb0e3802232
Change the contents of the inittab file and compute the digest again.
[root@localhost lining]# openssl md5 inittab
MD5(inittab)= a30c76ea4096ab1eddf06657d4e9a590
3. Encrypting passwords [introduces the concept of the salt. When we look at the /etc/shadow file, we find that the password the user set is not what is displayed there; the garbled string is the password encrypted by the system. The system encrypts it by adding a set of characters, the salt, and mixing it with the password that was entered.]
4. Symmetric encryption/decryption of files with des/des3
[root@localhost lining]# openssl des3 -a -in inittab -out F1    // encrypt the inittab file with the triple DES algorithm and write the encrypted content to the file F1
enter des-ede3-cbc encryption password: lining    // the password used for encryption; it is needed again for decryption
Verifying - enter des-ede3-cbc encryption password: lining
[root@localhost lining]# openssl des3 -a -d -in F1 -out inittab2    // I deleted the inittab file beforehand, then decrypt F1 into the file inittab2
enter des-ede3-cbc decryption password:
[root@localhost lining]# ll
total 20
-rw-r--r-- 1 root root 2288 Jul 11 03:44 F1
-rw-r--r-- 1 root root 1665 Jul 11 04:11 inittab2
5. Asymmetric encryption with rsa [asymmetric algorithms use a public key and a private key; the private key is created with the command and the public key is extracted from the private key]
First generate the key pair: use genrsa 1024 to generate a 1024-bit private key, then extract the public key from the private key.
[root@localhost lining]# openssl genrsa 1024 > key.pem    // generate the private key
[root@localhost lining]# openssl rsa -in key.pem -pubout -out public.k    // derive the public key from the private key
writing RSA key
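Items 2 to 5 above (digest, salted password, 3DES and RSA), as an added example that is not from the original post: each openssl operation is wrapped in a shell function so the before/after results can be compared in one run. File names, passwords and salts are constructed for the demo. Two options differ from the post's commands: -pbkdf2 replaces the weak default key derivation of openssl enc (available since OpenSSL 1.1.1), and the RSA key is 2048 bits rather than 1024.

```shell
#!/bin/sh
# Added example (not from the original post): the openssl operations from
# items 2-5, each as a function whose result can be compared.
set -eu

# 2. Digest: print only the hex MD5 of a file. Comparing digests before and
# after a change detects modification; MD5 still catches accidental corruption
# but is not collision resistant, so use sha256 where an attacker is in scope.
md5_of() { openssl md5 "$1" | awk '{print $NF}'; }

# 3. Salted password hash, the scheme behind /etc/shadow. The same password
# hashed with two different salts gives two unrelated strings, which is what
# defeats precomputed lookups. -6 is SHA-512-crypt (modern default); the
# CentOS 5 shadow file from the post used MD5-crypt, which is -1.
salted_hash() { openssl passwd -6 -salt "$2" "$1"; }   # $1 = password, $2 = salt

# 4. Symmetric 3DES in CBC mode, base64 armoured (-a) as in the post. The
# password is passed on the command line only for the demo; in real use
# prefer -pass file: or an interactive prompt so it does not show up in ps.
des3_encrypt() { openssl enc -des-ede3-cbc -a -pbkdf2 -pass "pass:$3" -in "$1" -out "$2"; }
des3_decrypt() { openssl enc -des-ede3-cbc -a -d -pbkdf2 -pass "pass:$3" -in "$1" -out "$2"; }

# 5. RSA: the private key is generated, the public key is extracted from it,
# and data encrypted with the public key can only be opened with the private.
rsa_keypair() {            # $1 = private key file, $2 = public key file
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}
rsa_encrypt() { openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3"; }
rsa_decrypt() { openssl pkeyutl -decrypt -inkey "$1" -in "$2" -out "$3"; }

# Demo (skipped when openssl is not installed).
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
printf 'hello\n' > "$work/inittab"                 # constructed stand-in for inittab
echo "digest before: $(md5_of "$work/inittab")"
echo "tampered" >> "$work/inittab"
echo "digest after:  $(md5_of "$work/inittab")"
echo "salt s1: $(salted_hash secret s1)"
echo "salt s2: $(salted_hash secret s2)"
des3_encrypt "$work/inittab" "$work/F1" lining
des3_decrypt "$work/F1" "$work/inittab2" lining
cmp -s "$work/inittab" "$work/inittab2" && echo "3DES round trip ok"
rsa_keypair "$work/key.pem" "$work/public.k"
printf 'top secret\n' > "$work/msg"
rsa_encrypt "$work/public.k" "$work/msg" "$work/msg.enc"
rsa_decrypt "$work/key.pem" "$work/msg.enc" "$work/msg.dec"
cmp -s "$work/msg" "$work/msg.dec" && echo "RSA round trip ok"
```

The two digests differ after a single appended line, the two salted hashes of the same password differ, and both round trips reproduce the original file byte for byte. Note that pkeyutl with RSA can only encrypt a message shorter than the key; in practice RSA encrypts a symmetric key, and the data itself is encrypted with a cipher such as the 3DES (today AES) shown here.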
Second, we need to understand how HTTPS uses PKI:
Since there is a lot of content in PKI, I will not explain it here for the time being.
So now let's start implementing an https site:
1. Implement the CA (certification authority). First modify the openssl configuration file [the CA center verifies the client and issues certificates to it].
2. External clients need to request certificates; all the root CA needs from them is a request file generated from their private key.
https uses port 443 by default, so another module is needed.
[root@localhost ~]# rpm -qa mod_ssl
mod_ssl-2.2.3-31.el5    // mine already has this module installed. As we said before, modules are loaded dynamically, so it is loaded automatically when used and nothing else needs to be done.
Then create the private key, request file and certificate for httpd
[root@localhost httpd]# mkdir certs
[root@localhost certs]# openssl genrsa 1024 > httpd.key    // private key file
Generating RSA private key, 1024 bit long modulus
...+
..+
e is 65537 (0x10001)
[root@localhost certs]# openssl req -new -key httpd.key -out httpd.req    // request file; -key binds the request to the existing httpd.key (with -in instead of -key, openssl req ignores httpd.key and generates a fresh private key, so the request would not match the key httpd uses)
Issue the certificate
[root@localhost CA]# cat index.txt    // the certificate database now holds the httpd certificate's information
V 140711013035Z 01 unknown /C=CN/ST=HENAN/O=MyCompany Ltd
Binding httpd and the certificate:
[root@localhost CA]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/certs/httpd.cert    // the site's certificate file; users also use it to determine whether they have reached the correct site rather than a phishing site
SSLCertificateKeyFile /etc/httpd/certs/httpd.key    // the site's key file, the private key httpd.key generated above; it must stay readable only by root
Login test:
Continuing to modify the configuration file ssl.conf, we can also point it at the site's certificate chain:
SSLCertificateFile /etc/httpd/certs/httpd.cert
SSLCertificateKeyFile /etc/httpd/certs/httpd.key
SSLCertificateChainFile /etc/pki/CA/cacert.pem
Then export the CA certificate and install it on our own computer, so that encrypted access between the client and the server is realized.
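The CA and certificate procedure above, as an added example that is not from the original post: a throwaway private CA issues a certificate for httpd, the result is verified the way a client with the CA certificate installed would verify it, and the three ssl.conf lines are printed. It signs with openssl x509 -req -CA rather than the post's openssl ca, so no /etc/pki/CA database (index.txt, serial) is needed; the subject names, host name and directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): a private CA that issues the
# httpd certificate, plus the check a client performs on it.
set -eu

# Step 1: the CA's own key and self-signed root certificate. A 2048-bit key
# replaces the post's 1024-bit one, which is too short today.
make_ca() {                # $1 = CA directory
    mkdir -p "$1"
    openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=HENAN/O=MyCompany Ltd/CN=MyCompany Root CA" \
        -out "$1/cacert.pem"
    chmod 600 "$1/cakey.pem"
}

# Step 2: the httpd private key and a request for it. -key (not -in) binds the
# request to the existing key; without it openssl req generates a fresh key
# and the request no longer matches httpd.key.
make_request() {           # $1 = certs directory, $2 = server name (CN)
    mkdir -p "$1"
    openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null
    openssl req -new -key "$1/httpd.key" \
        -subj "/C=CN/ST=HENAN/O=MyCompany Ltd/CN=$2" -out "$1/httpd.req"
    chmod 600 "$1/httpd.key"
}

# Step 3: the CA issues the certificate. The CN from the request is kept; the
# browser later compares it with the host name it connected to.
issue_cert() {             # $1 = CA directory, $2 = certs directory
    openssl x509 -req -in "$2/httpd.req" -CA "$1/cacert.pem" \
        -CAkey "$1/cakey.pem" -CAcreateserial -days 365 \
        -out "$2/httpd.cert" 2>/dev/null
}

# What a client does after installing cacert.pem: check that the site
# certificate chains to the trusted root. Prints OK on success.
verify_cert() {            # $1 = CA directory, $2 = certs directory
    openssl verify -CAfile "$1/cacert.pem" "$2/httpd.cert" | awk '{print $NF}'
}

# Subject CN of a certificate, the value used for the host-name check.
cert_cn() {                # $1 = certificate file
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# The three ssl.conf lines from the post, pointed at the files just created.
ssl_conf_lines() {         # $1 = CA directory, $2 = certs directory
    printf 'SSLCertificateFile %s/httpd.cert\n' "$2"
    printf 'SSLCertificateKeyFile %s/httpd.key\n' "$2"
    printf 'SSLCertificateChainFile %s/cacert.pem\n' "$1"
}

# Demo in a throwaway directory (skipped when openssl is not installed).
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
lab=$(mktemp -d); trap 'rm -rf "$lab"' EXIT
make_ca "$lab/CA"
make_request "$lab/certs" "www.example.com"      # constructed host name
issue_cert "$lab/CA" "$lab/certs"
echo "verify: $(verify_cert "$lab/CA" "$lab/certs")"
echo "CN:     $(cert_cn "$lab/certs/httpd.cert")"
ssl_conf_lines "$lab/CA" "$lab/certs"
```

A certificate from a different CA fails the same verify call, which is exactly the phishing-site check the SSLCertificateFile comment above refers to: the browser trusts the site only if its certificate chains to a root the client has installed, and only if the CN (or subject alternative name) matches the host name in the URL.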