Table of Contents
1. Confirm the network card information and IP address of the system
2. Turn off the networkmanager service
3. Configure the network address
Log file management and emergency analysis
Remote backup of logs (establishment of log server)
Experiment: Construction of the log server
Configure the logged-in server:
Test whether the log server is working properly
Simulate a malicious attacker deleting the log
Network address configuration
The four items to configure: IP address, subnet mask, gateway, DNS
1. Confirm the network card information and IP address of the system
ip addr
eth0 00:0c:29:fc:30:79
eth1 00:0c:29:fc:30:83
2. Turn off the networkmanager service
service NetworkManager stop
chkconfig --level 345 NetworkManager off
Before starting to configure the IP address, you must first stop a service that the operating system has running: NetworkManager. In version 6 this service manages the network card's address for you, which is of little help when you configure the IP by hand and can actually be counterproductive, so it is recommended to turn it off:
service NetworkManager stop
So that it does not affect later experiments, also disable it permanently so it never starts again: chkconfig --level 345 NetworkManager off
Let one of my NICs in the virtual machine (for example eth0) bridge to the NIC of my physical machine. The purpose of the bridge is to put the physical machine and the virtual machine in the same network environment (the same local area network).
Bridge settings for one network card:
choose one, click Advanced
Set the network mode to bridge mode (the original default is NAT mode); bridge mode means connecting directly to the physical network
Check the current status after confirmation: ip addr
3. Configure the network address
ip link set eth0 up
ip addr add 192.168.0.100/24 dev eth0 (assign the IP)
ip route add default via 192.168.0.1 dev eth0 (assign the route)
Manually configure DNS:
[root@Waffle Desktop]# vim /etc/resolv.conf (this is the DNS resolution file; to record a DNS server, write it in here)
After opening this file, just pick a line and write:
nameserver <the DNS server address you know>
For example: nameserver 202.106.0.20
ip addr add (you only need to write the IP address and the name of the network device; the address you write must be in the same network as the physical machine's address (same network segment), that is, the network of the bridge you just selected)
ip addr add 192.168.0.100/24 dev eth0 (write the device name after dev)
If you no longer want this IP address, just replace add with del: ip addr del 192.168.0.100/24 dev eth0
Try whether this address can ping my Windows machine (intranet)
ip link set eth0 up
The real machine can now be pinged.
Whether the real machine can be pinged also depends on whether its firewall is turned on.
Ping the external network to see
Add the routing table:
[root@Waffle Desktop]# ip route add default via 192.168.0.1 dev eth0 (set the default gateway)
[root@Waffle Desktop]# ip route (view the routing table)
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.100
default via 192.168.0.1 dev eth0
Ping the external network to see:
Visit a website to see:
nslookup www.baidu.com (manual resolution) verifies whether I can resolve Baidu through DNS: No (because the operating system currently has no DNS configured)
nslookup sends the domain name I entered to the DNS server address recorded locally; that server returns the IP address of www.baidu.com, and I can then access the domain name through that IP.
If I use the domain name directly, there is no corresponding domain-name-to-IP mapping, so in fact access is impossible.
Configure DNS manually
[root@Waffle Desktop]# vim /etc/resolv.conf (this is the DNS resolution file; to record a DNS server, write it in here)
After opening this file, just pick any line and write:
nameserver <the DNS server address you know>
For example: nameserver 202.106.0.20
Open the Firefox browser and enter Baidu to see whether the homepage is displayed. If it is, the experiment of configuring the IP address has succeeded.
The above is the whole process of configuring the IP address (this IP configuration is only temporary; the following explains how to make the configured IP address take effect permanently)
Configure the network address through the configuration file (let the configured IP address take effect permanently)
The IP address configured above will become invalid after the server or virtual machine is restarted. The following explains how to make the IP address take effect permanently
eth0 IP is set to 192.168.1.254/24 without gateway
eth1 IP is set to 172.16.1.254/24 without gateway
The directory holding the network card configuration files in Linux: /etc/sysconfig/network-scripts/ (configuration files are all under /etc)
[root@Waffle network-scripts]# vim ifcfg-eth0 (open the configuration file of the first network card)
DEVICE=eth0 (network card device)
TYPE=Ethernet (type)
ONBOOT=yes (whether the network service is allowed to manage this file)
BOOTPROTO=static (obtain the IP address statically, that is, manual configuration)
IPADDR=192.168.1.254
NETMASK=255.255.255.0
Likewise: [root@Waffle network-scripts]# vim ifcfg-eth1, same operation as above
How to make the setting take effect? Restart the network service:
/etc/init.d/network restart
To sum up:
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0 (network card device)
TYPE=Ethernet (type)
ONBOOT=yes (whether the network service is allowed to manage this file)
BOOTPROTO=static (obtain the IP address statically)
IPADDR=192.168.1.2
NETMASK=255.255.255.0
GATEWAY=192.168.1.254
DNS1=
DNS2=
The command to make the current configuration take effect:
service network restart
Experiment:
1. Connect the router in the middle to the virtual switches (centos6-1)
2. Open an XP machine, bridge it to vmnet2, and configure its IP and gateway (winxp-1)
See whether the two can ping each other
3. Configure the server (centos6-2), connected to vmnet3; its other network card is not used
Configure the network address through the configuration file:
vim /etc/sysconfig/network-scripts/ifcfg-eth0
Remember to restart the network service: service network restart
Try whether 172.16.1.1 can be pinged
4. Configure routing and enable the routing function (centos6-1).
The routing function is actually a function of the kernel; to enable it, use the configuration file
vim /etc/sysctl.conf (kernel configuration file)
It takes effect after executing sysctl -p.
Go back to centos6-2 and ping 192.168.1.1
Go to winxp and ping 172.16.1.1: the target host is unreachable
The reason is that centos6-1 has its firewall turned on (this firewall actually restricts routing and forwarding)
iptables -nL (check the firewall)
Turn off the firewall:
enter setup
After turning off the firewall, try again from winxp to ping the other host 172.16.1.1.
Use centos6-2 to ping 192.168.1.1.
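Step 4 boils down to two checks on centos6-1: is the kernel forwarding, and does the firewall's FORWARD chain stop the forwarded packets? The functions below are an added example, not part of the original notes; the iptables output is constructed to resemble the CentOS 6 default rule set, whose FORWARD chain ends in a REJECT rule, and /proc/sys/net/ipv4/ip_forward is the kernel flag that sysctl -p sets from /etc/sysctl.conf.

```shell
# Added example (not part of the original notes): the two checks behind step 4,
# as functions runnable against live files or against saved command output.

# forwarding_enabled [FILE] -> exit 0 when the kernel has IP forwarding on.
# FILE defaults to the kernel flag that sysctl -p sets from /etc/sysctl.conf.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# forward_chain_blocks < "iptables -nL output" -> exit 0 when the FORWARD chain
# has a DROP/REJECT policy or rule, so packets routed between the two network
# cards are stopped even though forwarding is on
forward_chain_blocks() {
    awk '
        /^Chain / {
            inforward = ($2 == "FORWARD")
            if (inforward && $0 ~ /policy (DROP|REJECT)/) blocked = 1
            next
        }
        inforward && ($1 == "DROP" || $1 == "REJECT") { blocked = 1 }
        END { if (blocked) exit 0; exit 1 }'
}

# sample_iptables -> constructed output resembling "iptables -nL" on a CentOS 6
# host whose default firewall is still on
sample_iptables() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# router_report IP_FORWARD_FILE < iptables_output -> one-line diagnosis
router_report() {
    if ! forwarding_enabled "$1"; then echo "forwarding off: set it in /etc/sysctl.conf and run sysctl -p"
    elif forward_chain_blocks; then echo "forwarding on, but the FORWARD chain rejects routed traffic"
    else echo "forwarding on and the FORWARD chain permits routed traffic"; fi
}
```

On the real router run `iptables -nL | router_report`; with the sample output, `sample_iptables | router_report` reproduces the "target host is unreachable" situation from the experiment.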
Log file management and emergency analysis
Log file
/var (this directory stores constantly changing files, that is, files the operating system modifies frequently, such as logs and mail)
Classification of logs
System log (records events generated while the system runs; some may be fault events, some normal events). The system log is stored in messages.
Login log (records logins to the operating system: when I logged in, whether the password entered was correct or incorrect, when it was entered, ...). The login log is stored in secure.
Program log (different programs have their own logs; Apache, for example, has its own log: were there errors while it was running? who accessed it? ...)
Log management service
Configuration file of the log service: /etc/rsyslog.conf
Log levels:
debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg)
(least serious -> most serious)
Remote backup of logs (establishment of log server)
Logs are not only kept locally but are also backed up to a remote location.
If someone else obtains your root privileges,
echo "" > /var/log/secure clears your login log directly, so the remote backup of the log is very important.
Experiment: Construction of the log server
Lab environment:
One winxp: malicious login client
Two CentOS 6.9 machines: the logged-in server and the logging server
Purpose:
Understand the process of building a log backup server and, by building one, realize its significance.
Configure the logged-in server:
Modify the configuration file of the logged-in server
vim /etc/rsyslog.conf
The rule for the login service is written as authpriv.* @<IP of the other host>:514 (in a selector such as *.*, the front * indicates the service name and the back * indicates the log level)
Temporarily turn off the firewall
setup
Configure the logging server:
vim /etc/rsyslog.conf
Because the sender uses port 514 to send data, the receiver needs to open TCP port 514 to receive it
Configure whose logs are collected and where they are stored after collection
service rsyslog restart // restart for the change to take effect
Check whether port 514 is open
ss -antpl | grep 514 (t stands for the TCP protocol, l for listening)
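The two rsyslog.conf fragments from the experiment, built by shell functions added here (not the notes' own configuration). The selector is validated against the log levels listed above; in rsyslog a single @ forwards over UDP and @@ over TCP, so since the receiver opens TCP 514 the TCP form is the default. The logging server's address 192.168.1.1 and the /var/log/remote storage path are assumptions.

```shell
# Added example (not part of the original notes): build and validate the two
# rsyslog.conf fragments for the log server experiment.

LEVELS="debug info notice warning warn err error crit alert emerg panic"

# valid_selector FACILITY.LEVEL -> exit 0 when the level is one rsyslog knows, or *
valid_selector() {
    fac=${1%%.*}; lvl=${1#*.}
    [ -n "$fac" ] && [ "$fac" != "$1" ] || return 1   # a selector needs a dot
    [ "$lvl" = "*" ] && return 0
    for l in $LEVELS; do [ "$l" = "$lvl" ] && return 0; done
    return 1
}

# client_rule SELECTOR SERVER_IP [tcp|udp] -> the forwarding line for the
# logged-in server. A single @ forwards over UDP, @@ over TCP; the notes open
# TCP 514 on the receiver, so tcp is the default.
client_rule() {
    valid_selector "$1" || return 1
    case ${3:-tcp} in
        tcp) echo "$1 @@$2:514" ;;
        udp) echo "$1 @$2:514" ;;
        *)   return 1 ;;
    esac
}

# server_conf -> lines for the logging server: load the TCP input module,
# listen on 514, and store each sender's authpriv messages under its own
# hostname (the /var/log/remote path is an assumption, not from the notes)
server_conf() {
    printf '%s\n' \
        '$ModLoad imtcp' \
        '$InputTCPServerRun 514' \
        '$template RemoteSecure,"/var/log/remote/%HOSTNAME%/secure"' \
        'authpriv.* ?RemoteSecure'
}

# Usage for the lab: the logging server is assumed to be 192.168.1.1
client_rule 'authpriv.*' 192.168.1.1
server_conf
```

Append the first line to the logged-in server's /etc/rsyslog.conf and the server_conf lines to the logging server's, then restart rsyslog on both and confirm the listener with the ss command above.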
Test whether the log server is working properly
winXP logs in to the logged-in server successfully
A login log entry is generated on the logging server
Simulate a malicious attacker deleting the log
The malicious client logs in remotely and deletes the server's log
The login log on the logged-in server is cleared
But our log backup server still has the login log recorded, so the log is not lost.
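Having the remote copy also makes the wipe itself detectable: when the local secure file holds fewer entries than the logging server's copy, something removed them. The shell functions below are an added example, not part of the original notes; the log lines are constructed in the format of a CentOS 6 secure file, and the file paths are arguments so the check works on any local/remote pair.

```shell
# Added example (not part of the original notes): compare the logged-in server's
# local secure log with the copy the logging server kept and flag the wipe.

# make_sample_logs DIR -> constructed local (wiped) and remote (intact) copies
make_sample_logs() {
    cat > "$1/remote-secure" <<'EOF'
Mar  1 10:15:02 centos6-2 sshd[1234]: Accepted password for root from 192.168.1.10 port 49152 ssh2
Mar  1 10:15:02 centos6-2 sshd[1234]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  1 10:16:40 centos6-2 sshd[1260]: Failed password for root from 192.168.1.10 port 49160 ssh2
EOF
    echo "" > "$1/secure"   # what echo "" > /var/log/secure leaves behind
}

# count_entries FILE -> number of non-empty lines (an emptied file gives 0)
count_entries() { grep -c . "$1" || true; }

# missing_entries LOCAL REMOTE -> remote lines the local file no longer has
missing_entries() {
    pat=$(mktemp)
    grep . "$1" > "$pat" || true
    if [ -s "$pat" ]; then grep -vxF -f "$pat" "$2" || true; else grep . "$2" || true; fi
    rm -f "$pat"
}

# detect_wipe LOCAL REMOTE -> exit 0 and print an alert when entries the remote
# copy holds are gone locally; exit 1 when the two agree
detect_wipe() {
    l=$(count_entries "$1"); r=$(count_entries "$2")
    if [ "$l" -lt "$r" ]; then
        echo "ALERT: $1 has $l entries, remote copy has $r; $((r - l)) entries lost locally"
        missing_entries "$1" "$2"
        return 0
    fi
    return 1
}

# Usage: build the sample pair in a temporary directory and run the check
dir=$(mktemp -d)
make_sample_logs "$dir"
detect_wipe "$dir/secure" "$dir/remote-secure"
```

In the lab, copy the logging server's file for the host next to the local /var/log/secure and run detect_wipe on the two paths after the simulated deletion.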