Задание 1
BR-SRV
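# BR-SRV: mount the exam media (Users.csv is on it) and generate the Samba AD
# user-import script.
mount /dev/sr0 /mnt

# The generator is a quoted heredoc, so nothing is expanded while writing the
# file; every $var below belongs to import_user.sh and is expanded at run time.
cat > import_user.sh <<'EOF'
#!/bin/bash
# Usage: import_user.sh <users.csv>
# CSV columns (';'-separated, header row skipped):
#   firstName;lastName;role;phone;ou;street;zip;city;country;password
csv_file="${1:?usage: import_user.sh <users.csv>}"

# Create OU: one OU per distinct value of column 5.
# read -r keeps backslashes literal; sort -u replaces sort | uniq.
awk -F ';' 'NR>1 {print $5}' "$csv_file" | sort -u | while IFS= read -r ou; do
  samba-tool ou add "OU=$ou,DC=au-team,DC=irpo"
done

# Create Users
# NOTE(review): if Users.csv has CRLF line endings the last column (password)
# keeps a trailing \r — confirm, or strip with tr -d '\r' before reading.
while IFS=';' read -r firstName lastName role phone ou street zip city country password; do
  # skip the header row
  if [[ "$firstName" == "First Name" ]]; then
    continue
  fi

  username="${firstName,,}.${lastName,,}"

  # The CSV password column is read but not used: every account gets the fixed
  # initial password below, as in the original. It is passed on argv, so it is
  # visible in `ps` while samba-tool runs.
  samba-tool user add "$username" P@ssw0rd1 \
    --given-name="$firstName" \
    --surname="$lastName" \
    --telephone-number="$phone" \
    --job-title="$role" \
    --userou="OU=$ou"
  samba-tool user setexpiry "$username" --noexpiry
done < "$csv_file"
EOF
chmod +x import_user.sh
./import_user.sh /mnt/Users.csv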
Задание 2 делаем по методичке, по данным, указанным в скрипте
HQ-SRV
----- Скрипт интерактивный, смотрите методичку 3.2. ---------
# HQ-SRV: GOST-2012 CA plus key/CSR/certificate for the two web names.
# `openssl req` prompts for the subject interactively; the values come from
# the method book (3.2).
apt-get update && apt-get install -y openssl-gost-engine
control openssl-gost enabled

# CA: 31-day self-signed root. The key is written unencrypted into the
# current directory — keep it off shared media and out of other hosts' homes.
openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:TCB -out ca.key
openssl req -new -x509 -md_gost12_256 -days 31 -key ca.key -out ca.cer

# Leaf keys, then CSRs, then CA-signed certificates — same order as the
# original step list, one loop per stage.
# NOTE(review): no -subj/-addext is given, so the leaf certs carry no SAN;
# check whether the client used in 3.2 requires one.
for host in web.au-team.irpo docker.au-team.irpo; do
  openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out "${host}.key"
done
for host in web.au-team.irpo docker.au-team.irpo; do
  openssl req -new -md_gost12_256 -key "${host}.key" -out "${host}.csr"
done
for host in web.au-team.irpo docker.au-team.irpo; do
  # -CAcreateserial creates ca.srl on first use and reuses it afterwards.
  openssl x509 -req -in "${host}.csr" -CA ca.cer -CAkey ca.key -CAcreateserial \
    -out "${host}.cer" -days 31
done
---Всё---
ISP
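# ISP: allow root password login over SSH so HQ-SRV can scp the certificates
# in (next step). The sed only matches the commented 'without-password' form;
# if the shipped default is a different string the file is left unchanged and
# the scp below will fail — so verify the result, and only restart a config
# that sshd itself accepts instead of restarting blindly.
sed -i 's/#PermitRootLogin without-password/PermitRootLogin yes/g' /etc/openssh/sshd_config
grep -q '^PermitRootLogin yes' /etc/openssh/sshd_config \
  || printf 'warning: PermitRootLogin yes not set in /etc/openssh/sshd_config\n' >&2
sshd -t && systemctl restart sshd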
HQ-SRV
# HQ-SRV -> ISP: ship both key/cert pairs for nginx. The private keys travel
# too, so they sit in root's home on ISP until moved under /etc/nginx/ssl.
for f in web.au-team.irpo.key web.au-team.irpo.cer \
         docker.au-team.irpo.key docker.au-team.irpo.cer; do
  scp "$f" root@172.16.1.1:~/
done
ISP
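# ISP: terminate TLS for both names in nginx and proxy to the backends.
# -p so re-running this sheet does not stop on an existing directory.
mkdir -p /etc/nginx/ssl
# The .key files keep their source mode; they are not tightened here
# (e.g. chmod 600) — check them before going further.
cp web.au-team.irpo.* /etc/nginx/ssl
cp docker.au-team.irpo.* /etc/nginx/ssl

# Quoted delimiter: $host, $remote_addr, $scheme, ... are nginx variables and
# must reach the file untouched (printf '%s' in the original did the same).
# ssl_protocols keeps TLSv1/TLSv1.1 as in the task; both are deprecated and
# can be dropped unless the GOST client needs them.
# /etc/nginx/.htpasswd (web site) is not created on this page — see the
# method book.
cat > /etc/nginx/sites-available.d/default.conf <<'EOF'
server {
    listen 443 ssl;
    server_name web.au-team.irpo;
    ssl_certificate /etc/nginx/ssl/web.au-team.irpo.cer;
    ssl_certificate_key /etc/nginx/ssl/web.au-team.irpo.key;
    ssl_ciphers GOST2012-GOST8912-GOST8912:HIGH:MEDIUM;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://172.16.1.2:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        auth_basic "Restricted area";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}

server {
    listen 443 ssl;
    server_name docker.au-team.irpo;
    ssl_certificate /etc/nginx/ssl/docker.au-team.irpo.cer;
    ssl_certificate_key /etc/nginx/ssl/docker.au-team.irpo.key;
    ssl_ciphers GOST2012-GOST8912-GOST8912:HIGH:MEDIUM;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://172.16.2.2:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF

# nginx needs the GOST engine to load the GOST keys/ciphers above.
apt-get install -y openssl-gost-engine
control openssl-gost enabled
# Restart only on a config that passes the syntax check; the original
# restarted unconditionally, which takes the site down on any typo.
nginx -t && systemctl restart nginx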
HQ-SRV
# HQ-SRV -> HQ-CLI: only the CA certificate (public) goes to the client.
scp ./ca.cer "user@192.168.200.2:~/"
HQ-CLI
# HQ-CLI: trust the exam CA system-wide; rebuild the trust store only if the
# copy into the anchors directory succeeded.
if cp /home/user/ca.cer /etc/pki/ca-trust/source/anchors/; then
  update-ca-trust
fi
Дальше по методичке Задания 3.2
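# HQ-CLI: CryptoPro installer from the unpacked linux-amd64 archive.
# Chained on cd: in the original a failed cd still ran apt-get and then
# ./install_gui.sh from whatever the current directory happened to be.
cd /home/user/Загрузки/linux-amd64 \
  && apt-get install -y cryptopro-preinstall \
  && ./install_gui.sh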
Дальше по методичке Задания 3.2
BR-SRV
# BR-SRV: interactive shell inside the testapp container (ash, busybox image).
docker exec --interactive --tty testapp ash
Дальше по методичке Задания 3.2
Задание 3-4 совмещенное
HQ-RTR
en
conf t
crypto-ipsec ike enable
crypto-ipsec profile IPSEC ike-v2
mode tunnel
ike-phase1
proposal aes256-sha256-modp2048
auth pre-shared-key P@ssw0rd
ike-phase2
protocol esp
proposal aes256-sha256
local-ts 172.16.1.2
remote-ts 172.16.2.2
crypto-map CMAP 10
match peer 172.16.2.2
set crypto-ipsec profile IPSEC
filter-map ipv4 FMAP 10
match gre host 172.16.1.2 host 172.16.2.2
set crypto-map CMAP peer 172.16.2.2
filter-map ipv4 FMAP 20
match udp host 172.16.2.2 eq 4500 host 172.16.1.2 eq 4500
set crypto-map CMAP peer 172.16.2.2
exit
interface tunnel.0
ip mtu 1360
set filter-map in FMAP 10
interface isp
set filter-map in FMAP 20
end
write memory
conf t
filter-map ipv4 FMAP 21
match tcp any any eq 88
match udp any any eq 88
match udp any any eq dns
match tcp any any range 3268 3269
match tcp any any eq dns
match tcp any any eq 389
match udp any any eq 464
match tcp any any eq 636
match tcp any any eq 631
match tcp any any eq 445
match udp any any range 137 138
set accept
filter-map ipv4 FMAP 22
match icmp any any
match ospf any any
match tcp any any eq 8081
match tcp any any eq http
match tcp any any eq https
match udp any any eq 123
match tcp any any eq 2011
match tcp any any eq 22
match tcp any any eq 514
match udp any any eq 514
match tcp any any range 32768 60999
match udp any any range 32768 60999
match udp any any eq 500
set accept
end
write memory
BR-RTR
en
conf t
crypto-ipsec ike enable
crypto-ipsec profile IPSEC ike-v2
mode tunnel
ike-phase1
proposal aes256-sha256-modp2048
auth pre-shared-key P@ssw0rd
ike-phase2
protocol esp
proposal aes256-sha256
local-ts 172.16.2.2
remote-ts 172.16.1.2
crypto-map CMAP 10
match peer 172.16.1.2
set crypto-ipsec profile IPSEC
filter-map ipv4 FMAP 10
match gre host 172.16.2.2 host 172.16.1.2
set crypto-map CMAP peer 172.16.1.2
filter-map ipv4 FMAP 20
match udp host 172.16.1.2 eq 4500 host 172.16.2.2 eq 4500
set crypto-map CMAP peer 172.16.1.2
exit
interface tunnel.0
ip mtu 1360
set filter-map in FMAP 10
interface isp
set filter-map in FMAP 20
end
write memory
conf t
filter-map ipv4 FMAP 21
match tcp any any eq 88
match udp any any eq 88
match udp any any eq dns
match tcp any any range 3268 3269
match tcp any any eq dns
match tcp any any eq 389
match udp any any eq 464
match tcp any any eq 636
match tcp any any eq 631
match tcp any any eq 445
match udp any any range 137 138
set accept
filter-map ipv4 FMAP 22
match icmp any any
match ospf any any
match tcp any any eq 8081
match tcp any any eq http
match tcp any any eq https
match udp any any eq 123
match tcp any any eq 2011
match tcp any any eq 514
match udp any any eq 514
match tcp any any range 32768 60999
match udp any any range 32768 60999
match udp any any eq 500
set accept
end
write memory
Задание 5
пишем скрипты, затем делаем по методичке
HQ-SRV
# HQ-SRV: CUPS print server with a PDF backend.
apt-get update && apt-get install --yes cups cups-pdf
systemctl enable --now cups
# --remote-any opens the CUPS listener to every network, not only the LAN;
# the router filter-maps decide what actually reaches it.
cupsctl --share-printers --remote-any
HQ-CLI
echo "192.168.100.2 hq-srv.au-team.irpo hq-srv" >> /etc/hosts
Дальше по методичке Задания 3.5
ЗАДАНИЕ 6
делаем, сверяя с методичкой
HQ-RTR
en
conf t
rsyslog host 192.168.100.2
write memory
exit
BR-RTR
en
conf t
rsyslog host 192.168.100.2
write memory
exit
BR-SRV
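# BR-SRV: -y is needed — without it apt-get stops at the confirmation prompt,
# which is where a pasted script "breaks".
apt-get install -y rsyslog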
---Скрипт тут ломается, пишите вручную--- МЕТОДИЧКУ СМОТРИМ ПО АНАЛОГИИ
делаем ручками пишем
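# BR-SRV: forward warning and above to HQ-SRV over UDP/514.
# The delimiter is quoted so $ModLoad is written literally; unquoted, the
# shell expands $ModLoad to an empty string and the file comes out broken
# (the "breaks when copied" symptom noted on this page).
# This replaces /etc/rsyslog.conf wholesale, so whatever the stock file
# contained (including any include of /etc/rsyslog.d) is gone — compare with
# the method book.
cat > /etc/rsyslog.conf <<'EOF'
$ModLoad imuxsock
$ModLoad imjournal
*.warn @192.168.100.2:514
EOF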
HQ-SRV
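# HQ-SRV: -y, otherwise apt-get waits at the confirmation prompt.
apt-get install -y rsyslog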
-------- Всё -------- дальше по скрипту
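# HQ-SRV variant of the forwarder config. Quoted delimiter: $ModLoad must
# land in the file literally, not be expanded by the shell to nothing.
# 192.168.100.2 is HQ-SRV's own address (see the hq-srv hosts entry above),
# so this forwards to the local receiver that is configured further down;
# this replaces /etc/rsyslog.conf wholesale.
cat > /etc/rsyslog.conf <<'EOF'
$ModLoad imuxsock
$ModLoad imjournal
*.warn @192.168.100.2:514
EOF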
HQ-SRV ПРИ КОПИРОВАНИИ rsyslog.conf ЛОМАЕТСЯ
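# HQ-SRV: central syslog receiver (UDP/TCP 514) writing one file per source,
# plus rotation of those files.
apt-get update && apt-get install -y rsyslog

# Quoted delimiter: $ModLoad and $fromhost-ip are rsyslog syntax, not shell
# variables; unquoted they expand to empty strings and the config is broken.
# The `touch` of the original is redundant — `cat >` creates the file.
# rsyslog creates the /opt/... directories itself (CreateDirs defaults to on).
cat > /etc/rsyslog.d/rsyslog.conf <<'EOF'
module(load="imudp")
$ModLoad imuxsock
authpriv.* /var/log/auth.log
input(type="imudp" port="514")
if $fromhost-ip contains '192.168.100.1' then {
  *.warn /opt/hq-rtr/router.log
}
if $fromhost-ip contains '10.10.10.2' then {
  *.warn /opt/br-rtr/router.log
}
if $fromhost-ip contains '192.168.0.2' then {
  *.warn /opt/br-srv/server.log
}
EOF

# Uncomment the stock UDP/TCP listeners in 00_common.conf. If that file really
# carries module(load="imudp") / input(... port="514"), they duplicate the two
# lines written above — the validation run below reports it; keep one copy.
sed -i 's/#module(load="imudp")/module(load="imudp")/g' /etc/rsyslog.d/00_common.conf
sed -i 's/#input(type="imudp" port="514")/input(type="imudp" port="514")/g' /etc/rsyslog.d/00_common.conf
sed -i 's/#module(load="imtcp")/module(load="imtcp")/g' /etc/rsyslog.d/00_common.conf
sed -i 's/#input(type="imtcp" port="514")/input(type="imtcp" port="514")/g' /etc/rsyslog.d/00_common.conf

# Validate the config here rather than discovering errors in journalctl; the
# service is enabled either way, as in the original.
rsyslogd -N1 || printf 'warning: rsyslog config has errors, see above\n' >&2
systemctl enable --now rsyslog

apt-get install -y logrotate
# NOTE: this replaces the system-wide /etc/logrotate.conf (and with it the
# stock include of /etc/logrotate.d), so only the files listed here are
# rotated afterwards — confirm against the method book.
cat > /etc/logrotate.conf <<'EOF'
/opt/br-rtr/*.log
/opt/hq-rtr/*.log
/opt/br-srv/*.log
{
weekly
compress
minsize 11M
}
EOF
# --now: the original had a single dash (-now), which systemctl rejects.
systemctl enable --now logrotate
# Dry run: shows what would be rotated without touching anything.
logrotate -d /etc/logrotate.conf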
После надо проверить конфигурационные файлы по методичке
ЗАДАНИЕ 7
по методичке делаем 7 номер
ЗАДАНИЕ 8
BR-SRV
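# BR-SRV: playbook that records hostname and default IPv4 of each managed
# host into a per-host file on the controller (delegate_to: localhost).
# The output directory is created first (-p: idempotent on re-run).
mkdir -p /etc/ansible/PC-INFO

# Indentation restored: as pasted (everything at column 0) the playbook is not
# valid YAML. Quoted delimiter so {{ }} and anything else stay literal.
cat > /etc/ansible/get_hostname_address.yml <<'EOF'
---
- name: Get_hostname
  hosts: HQ-SRV,HQ-CLI
  tasks:
    - name: Save hostname ip
      copy:
        dest: /etc/ansible/PC-INFO/{{ ansible_hostname }}.yml
        content: |
          Hostname: {{ ansible_hostname }}
          IP_Address: {{ ansible_default_ipv4.address }}
      delegate_to: localhost
EOF
ansible-playbook /etc/ansible/get_hostname_address.yml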
ЗАДАНИЕ 9
HQ-SRV
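# HQ-SRV: fail2ban for sshd on its relocated port (2011), fed by the
# authpriv log that rsyslog writes.
apt-get install -y fail2ban iptables

# Make sshd log to authpriv at INFO (the lines fail2ban's sshd filter parses),
# then apply it — the original edited sshd_config but never restarted sshd.
sed -i 's/#SyslogFacility AUTHPRIV/SyslogFacility AUTHPRIV/g' /etc/openssh/sshd_config
sed -i 's/#LogLevel INFO/LogLevel INFO/g' /etc/openssh/sshd_config
sshd -t && systemctl restart sshd

# Jail settings go into jail.local instead of line-number edits (285c/288c)
# of jail.conf, which silently hit the wrong lines on any other fail2ban
# version and are lost on package upgrade. Values are the original's:
# port 2011, /var/log/auth.log, 3 tries, 2-minute ban.
# NOTE(review): if this fail2ban's sshd backend is systemd, logpath is
# ignored — check `fail2ban-client status sshd` after starting.
cat > /etc/fail2ban/jail.local <<'EOF'
[sshd]
enabled = yes
port = 2011
logpath = /var/log/auth.log
maxretry = 3
bantime = 2m
EOF

# Route authpriv to the file fail2ban reads; guarded against re-pasting, and
# rsyslog is restarted so the rule takes effect (the original did neither).
grep -qF 'authpriv.* /var/log/auth.log' /etc/rsyslog.d/00_common.conf \
  || printf '%s\n' 'authpriv.* /var/log/auth.log' >> /etc/rsyslog.d/00_common.conf
systemctl restart rsyslog

# "fail2banB1" in the original appears to be a paste artifact; the unit is
# fail2ban.
systemctl enable --now fail2ban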
Модуль 3. Эксплуатация объектов сетевой инфраструктуры