2023 National Vocational College Skills Competition, GZ073 Network System Management Competition, Module B: Service Deployment, Volume II

Contents
1. Windows project task description
   (1) Topology diagram
   (2) Network address planning
2. Windows project task list
   (1) Tasks on the server IspSrv
   (2) Tasks on the server RouterSrv
   (3) Tasks on the server AppSrv
   (4) Tasks on the servers DC1 and DC2
   (5) Tasks on the server IOMSrv
   (6) Tasks on the client InsideCli
   (7) Tasks on the client OutsideCli
3. Linux project task description
   (1) Topology diagram
   (2) Network address planning
4. Linux project task list
   (1) Tasks on the server ISPSrv
   (2) Tasks on the server RouterSrv
   (3) Tasks on the server AppSrv
   (4) Tasks on the server StorageSrv
   (5) Tasks on the server IOMSrv
   (6) Tasks on the clients OutsideCli and InsideCli

[Instructions]
1. For the login credentials used in the tasks, refer to the "Competition Equipment System Platform User and Password Instructions".
2. To avoid losing files, do not edit files directly on the USB flash drive.
1. Windows project task description
As a technical engineer you are assigned to build a company's internal network that provides employees with convenient, safe and stable internal and external network services. Complete the required tasks within the allotted time and test sufficiently to make sure the equipment and applications work properly. All task planning is based on the Windows operating system. Complete the network service installation and testing according to the network topology, the basic configuration information and the service requirements below.
(1) Topology diagram
[Topology diagram: image not reproduced]

(2) Network address planning
The basic configuration of the servers and clients is shown in the table below; the operating system is pre-installed on each virtual machine.

Host       | Domain / workgroup     | IP address / mask                                                             | DNS                              | Gateway
DC1        | chinaskills.com        | 192.168.100.100/24                                                            | 127.0.0.1                        | 192.168.100.254
DC2        | chinaskills.com        | 192.168.100.200/24                                                            | 192.168.100.100                  | 192.168.100.254
AppSrv     | chinaskills.com        | 192.168.200.100/24                                                            | 192.168.100.100, 192.168.100.200 | 192.168.200.254
RouterSrv  | chinaskills.com        | 192.168.100.254/24, 192.168.0.254/24, 192.168.200.254/24, 100.100.100.251/24  | 192.168.100.100                  | none
IspSrv     | workgroup (not joined) | 100.100.100.100/24                                                            | 127.0.0.1                        | none
InsideCli  | chinaskills.com        | 192.168.0.0/24 (DHCP)                                                         | 192.168.100.100, 192.168.100.200 | 192.168.0.254
OutsideCli | workgroup (not joined) | 100.100.100.10/24                                                             | 100.100.100.100                  | 100.100.100.254
2. Windows project task list
(1) Tasks on the server IspSrv
1. DNS
 Install the DNS server and create the forward and reverse zones and records the tasks require.
 Make this machine the Internet root domain server: create test1.com through test100.com, each with an A record in its forward zone resolving to this machine's address.
2. Internet access detection server
 To simulate the Internet connectivity check that Windows performs on its network adapters, set up a web probe service.
 Use the site ispsrv.chinaskills.global as the Internet detection server.
 The content of the probe file is "internet".
 Allow clients in the Internet zone to access HTTP resources on AppSrv.
(2) Tasks on the server RouterSrv
1. Routing function
 Install the Remote Access service and enable routing and forwarding to provide routing for the lab environment.
 Enable network address translation so that internal clients can reach Internet resources.
2. Virtual Private Network
 Set up OpenVPN, deployed with EasyRSA 3.
 The VPN tunnel runs in Layer 3 point-to-point (tun) mode over TCP port 2023.
 The VPN server uses the fixed address 192.168.1.1/24.
 VPN clients use the range 192.168.1.200-192.168.1.220/24.
 Clients in the Internet zone reach the chinaskills domain network through OpenVPN.
3.DHCP
 Install and configure DHCP relay service to provide addresses for the office area network to access the Internet.
 The DHCP server is located on the AppSrv server.
 Split the scope on the DHCP server with a split ratio of 7:3.
 InsideCli obtains the address from RouterSrv first.
(3) Tasks on the server AppSrv
1. RDS
 Build RDS (Remote Desktop Services) on RouterSrv and AppSrv.
 The resource (session host) server is AppSrv.
 After logging in, users can run the following RemoteApp programs through RDS: notepad and wordpad.
 Internal users access it through "https://app.chiaskills.cn/rdweb/" with no certificate warning on the page.
2. World Wide Web Services
 Build a website server on AppSrv.
 Redirect http requests for http://www.chinaskills.com to the https://www.chinaskills.com site.
 The website content is "This page is the test page of www.chinaskills.com!".
 Set the web root directory to d:\wwwroot.
 Enable Windows authentication so that only authenticated users can access the site; members of the manager group open it in IE without an authentication prompt.
 Set the maximum number of connections of the "http://www.chinaskills.com/" site to 1000 and the connection timeout to 60 s.
 Use W3C logging with a new log file every day; the log records only date, time, client IP address, user name, server IP address and server port.
 Log files are stored in "C:\WWWLogFile".
3. File sharing
 Create a home-directory share: local directory d:\share\users, readable and writable by all domain users. Set it as the home directory of every domain user; after logon it is mapped automatically to drive H:. Block the creation of *.exe, *.bat and *.sh files in this share.
 Create a share for the manager group: local directory d:\share\managers; only members of the manager group have write permission, and the share is invisible to members of other groups.
 Create a public share named public-share: local directory d:\share\public-share; only members of the manager group may write, other authenticated users have read permission only, and every user has full control over the files and folders they created themselves.
 Limit the disk space of each user's home directory to 1 GB.
4. FTP
 Install the FTP service, create a new FTP site, and create the users soft1 and soft2 with the password ftp123.
 The FTP site's root directory is D:\ftproot. When soft1 and soft2 log in anonymously they can browse only the contents of the "Public" subdirectory; when they log in with their own accounts they can access only the subfolder named after their user name.
 The FTP site must encrypt the communication channel (FTP over SSL/TLS); unencrypted connections are refused.
 Deleting and renaming files is refused.
 Uploading files with the ".exe" suffix is refused.
 Set the maximum number of FTP client connections to 100, the idle (no-operation) timeout to 5 minutes, and the data connection timeout to 1 minute.
5. DHCP
 Install and configure the DHCP service to provide addresses for the office network to access the Internet.
 Create an address pool named inside_pool, and the address pool range: 192.168.0.1-192.168.0.100.
 Correctly configure the gateway and dns information according to the requirements of the topic.
6. Configure failover
 Failover mode is "hot standby": the partner server DC2 is in the "Standby" role, with 5% of the addresses reserved for the standby server.
 The state switchover interval is 60 minutes.
 Enable authentication with the shared secret "P@ssw0rd".
7. NTFS permissions
 Create folders to store each department's data: D:\data\manager, D:\data\IT and D:\data\sales.
 Members of the manager, IT and sales groups can access only the folder belonging to their own group; inside it they can create files and subfolders and have full control of the folder except the right to delete it.
 Folders of other groups cannot be opened, and nothing may be deleted.
 IT group users must encrypt a txt file whose content is "ChinaSkills Test" so that only the administrator and the file owner can read it.
8. NFS
 Create an NFS share that InsideCli can mount remotely and map to drive D:.
 The path of the shared folder is D:\shares\NFSshare.
 The share name is NFS share.
 Allow unmapped user access.
 Share permission is read/write.
(4) Tasks on the servers DC1 and DC2
1. Active Directory Domain Services
 Install Active Directory Domain Services on DC1 and DC2 and promote both to domain controllers.
 The Active Directory domain name is chinaskills.com.
 Domain users can log in as [username]@csk.cn.
 Create an OU named "CSK" and create the following domain users and groups in it.
 sa01-sa20, members of the sales group.
 it01-it20, members of the IT group.
 ma01-ma10, members of the manager group.
 Require a password when resuming from hibernation or standby.
 No server requires Ctrl+Alt+Del at logon.
 Remove "Map Network Drive" and "Disconnect Network Drive".
 On all domain computers except the DCs, cached logon is prohibited when no DC is available.
 Prev access to registry editing tools is disabled for all groups.
 Remove the "Log off" item from the Start menu for the sales group.
 Allow the manager, IT and sales groups to log on remotely to AppSrv.
2. Certificate Authority
 Install the Certificate Authority on the DC1 server.
 CA name: CSK2023-ROOTCA.
 Validity of the certificate authority: 3 years.
 Issue web certificates for web sites within the chinaskills.com domain.
 All machines in the current topology must trust the certificate authority.
 Automatically issue a computer certificate for all computers in the domain.
3. DNS (Domain Name Resolution Service)
 Install and configure the DNS service.
 Create a forward zone and add the necessary resolution records.
 Configure TXT records and reverse PTR records.
 Create a reverse lookup zone for the domain network.
 Names that cannot be resolved locally are resolved by IspSrv.
4. Disk management
 Install and configure software RAID 5 on DC2.
 Add three 10G virtual disks to the existing DC2 virtual machine.
 Create a RAID 5 volume, assigned drive letter H: with volume label Raid5.
 Manually fail (destroy) one disk, repair the RAID, and confirm that the RAID 5 configuration is complete again.
5. Disk quota
Set the disk quota on the DC2 drive C:\, limit the disk space to 5G, and the warning level to 3G, record events when the quota limit is exceeded, and record events when the warning level is exceeded.
6. Windows backup
 Back up the system state of DC1 to D:\; all users have read/write permission on the shared backup folder.
(5) Tasks on the server IOMSrv
 Log in to the IOMSrv operations and maintenance platform through its web interface at http://192.168.200.200.
 Using the Windows agent template, add DC1 and DC2 as operating-system monitoring objects and check their running status.
 Through the middleware IIS template, add IIS monitoring objects and check the running status.
 By adding WEB detection objects, monitor the portal website http://www.chinaskills.com to check the running status.
 Based on the portal business on AppSrv, complete the business topology drawing and present it on the large business screen. The portal is bound to the performance indicators of "download speed", "response code" and "response time".
(6) Work tasks on the client InsideCli
 Join the host to the domain of its area as required.
 Set the power profile so that the client never goes to sleep when it is powered on.
 The client is used to test functions such as user login, Profiles, file sharing, security policies, NFS client and RDS.
(7) Work tasks on the client OutsideCli
 The host is not allowed to join the domain.
 Add openvpn for connecting to chinaskills.com domain network.
 Set the power profile so that the client never goes to sleep when it is powered on.
 The client is used to test functions such as user login, Profiles, file sharing, security policies and RDS.

3. Linux project task description
As a Linux technical engineer you are assigned to build a company's internal network that provides employees with convenient, safe and stable internal and external network services. Complete the required tasks within the allotted time and test sufficiently to make sure the equipment and applications work properly. All task planning is based on the Linux operating system. Complete the network service installation and testing according to the network topology, the basic configuration information and the service requirements below.
(1) Topology diagram
[Topology diagram: image not reproduced]

(2) Network address planning
The basic configuration of the servers and clients is shown below; the operating system is pre-installed on each virtual machine.
ISPSrv (UOS)
 Fully qualified domain name: ispsrv.chinaskills.cn
 Network address/mask: 81.6.63.100/24
AppSrv (CentOS)
 Fully qualified domain name: appsrv.chinaskills.cn
 Network address/mask: 192.168.100.100/24
StorageSrv (CentOS)
 Fully qualified domain name: storagesrv.chinaskills.cn
 Network address/mask: 192.168.100.200/24
RouterSrv (CentOS)
 Fully qualified domain name: routersrv.chinaskills.cn
 Network address/mask: 192.168.100.254/24, 192.168.0.254/24, 81.6.63.254/24
InsideCli (CentOS)
 Fully qualified domain name: insidecli.chinaskills.cn
 Network address/mask: DHCP from AppSrv
OutsideCli (UOS)
 Fully qualified domain name: outsidecli.chinaskills.cn
 Network address/mask: DHCP from ISPSrv
4. Linux project task list
(1) Server ISPSrv task
1.DHCP
 Allocate addresses for the OutsideCli client network, address pool range: 81.6.63.110-81.6.63.190/24.
 DNS server: configure the DNS server address option according to the actual requirements.
 Gateway: configure the gateway address option according to the actual requirements.
2. DNS
 Install BIND9.
 Configure it as the DNS root domain server.
 All other (unknown) names resolve to the local IP address.
 Create the forward zone "chinaskills.cn".
 Its type is slave.
 Its master server is AppSrv.
3. WEB service
 Install nginx software package.
 Create ispweb.chinaskills.cn site.
 The name of the configuration file is ispweb.conf, placed in the /etc/nginx/conf.d/ directory.
 The root directory of the website is /mut/crypt (create the directory if it does not exist).
 Enable FastCGI so that nginx can hand PHP requests to php-fpm.
 index.php prints "Welcome to 2023 Computer Network Application contest!".
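The DNS and web tasks above, as one provisioning script (an added example, not part of the task sheet). It assumes BIND9 on UOS reading /etc/bind/named.conf.local, ISPSrv at 81.6.63.100, AppSrv's DNS reachable through RouterSrv's public address 81.6.63.254 (destination NAT of port 53), and php-fpm listening on /run/php/php7.3-fpm.sock; all of these are assumptions. The security-relevant detail is that the "anything unknown resolves locally" requirement is met with a wildcard at the root apex, while chinaskills.cn stays a separate slave zone so its names are never shadowed:

```shell
#!/bin/bash
# ISPSrv provisioning: private DNS root plus the ispweb site (added example,
# not part of the task sheet).  Assumptions: BIND9 on UOS reads
# /etc/bind/named.conf.local, ISPSrv is 81.6.63.100, AppSrv's DNS is reached
# through RouterSrv's public address 81.6.63.254, php-fpm listens on
# /run/php/php7.3-fpm.sock.
set -eu

ISP_IP=81.6.63.100
APPSRV_PUBLIC=81.6.63.254

# Root zone served by this box.  The wildcard at the apex answers every name
# that no more specific zone covers (test1.com, foo.example.net, ...).
# chinaskills.cn is loaded as its own zone, so the wildcard never catches it.
root_zone() {
  cat <<EOF
\$TTL 86400
@   IN SOA ispsrv.chinaskills.cn. admin.chinaskills.cn. (
        2023082801 ; serial
        3600 900 604800 86400 )
@   IN NS  ispsrv.chinaskills.cn.
ispsrv.chinaskills.cn. IN A $ISP_IP
*   IN A $ISP_IP
EOF
}

# A host cannot use root hints and be the root at the same time: the stock
# 'zone "." { type hint; ... }' in named.conf.default-zones must go.
named_local() {
  cat <<EOF
zone "." {
    type master;
    file "/etc/bind/db.root-local";
};
zone "chinaskills.cn" {
    type slave;
    masters { $APPSRV_PUBLIC; };
    file "/var/cache/bind/db.chinaskills.cn";
};
EOF
}

# /etc/nginx/conf.d/ispweb.conf: .php goes to php-fpm over FastCGI.
ispweb_conf() {
  cat <<'EOF'
server {
    listen 80;
    server_name ispweb.chinaskills.cn;
    root /mut/crypt;
    index index.php index.html;
    location / { try_files $uri $uri/ =404; }
    location ~ \.php$ {
        try_files $uri =404;    # refuse PATH_INFO tricks on missing files
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
EOF
}

index_php() { echo '<?php echo "Welcome to 2023 Computer Network Application contest!"; ?>'; }

# write_all ROOT writes every file below ROOT ("" on the real host).
write_all() {
  root=${1:-}
  mkdir -p "$root/etc/bind" "$root/etc/nginx/conf.d" "$root/mut/crypt"
  root_zone   > "$root/etc/bind/db.root-local"
  named_local > "$root/etc/bind/named.conf.local"
  ispweb_conf > "$root/etc/nginx/conf.d/ispweb.conf"
  index_php   > "$root/mut/crypt/index.php"
}

if [ "${1:-}" = apply ]; then
  write_all ""
  sed -i '/^zone "\."/,/^};/d' /etc/bind/named.conf.default-zones   # drop the hint zone
  named-checkconf && named-checkzone . /etc/bind/db.root-local
  nginx -t && systemctl restart named nginx
fi
```

Run with `apply` on ISPSrv; without an argument the script only defines the functions, so `write_all /tmp/stage` lets you inspect the generated files first. On AppSrv, `allow-transfer` for the external copy of chinaskills.cn should list only ISPSrv's address, otherwise anyone on the Internet side can pull the whole zone.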
(2) Tasks on the server RouterSrv
1.DHCP RELAY
 Install the DHCP relay.
 Allow clients to obtain network addresses through the relay service.
2. ROUTING
 Turn on routing and forwarding to provide routing for the lab environment.
 According to the task requirements, configure router-on-a-stick (one-arm) routing so that internal clients and servers can communicate.
3. SSH
 The SSH service listens on port 2021.
 Only user01 (password ChinaSkill23) may log in to the router over SSH. Other users, including root, cannot; create an additional user who can log in locally but not over SSH.
 Limit SSH login attempts to 3 per minute per client; after that the client's network address is blocked from the SSH service.
 Record user logins to /var/log/ssh.log; each entry includes source address, destination address, protocol, source port and destination port.
4. IPTABLES
 Add the network address translation rules needed for external clients to reach the DNS, mail, web and FTP services on the internal servers.
 The INPUT, OUTPUT and FORWARD chains default to denying (DROP) all traffic.
 Configure source address translation so that internal clients can reach the Internet zone.
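The SSH and IPTABLES tasks above in one script (an added example, not part of the task sheet). It assumes CentOS 7 with iptables-services and rsyslog; that ens33 faces the servers (192.168.100.254), ens34 the office LAN (192.168.0.254) and ens35 the Internet (81.6.63.254); and that AppSrv (192.168.100.100) runs DNS, web and mail while StorageSrv (192.168.100.200) runs FTP. Interface names and that service layout are assumptions. Two points matter: AllowUsers is a whitelist, so root and any later-created local account are refused by sshd without touching their local logon; and the per-minute attempt limit is enforced in the kernel with the recent match, whose LOG line already carries exactly the five fields the task wants in /var/log/ssh.log.

```shell
#!/bin/bash
# RouterSrv: sshd lock-down and an iptables-restore rule set (added example,
# not part of the task sheet).  Assumptions: CentOS 7, ens33 = servers,
# ens34 = office LAN, ens35 = Internet; AppSrv 192.168.100.100 runs DNS, web
# and mail; StorageSrv 192.168.100.200 runs FTP.
set -eu

WAN_IF=ens35 CLI_IF=ens34
APPSRV=192.168.100.100 STORAGESRV=192.168.100.200
SSH_PORT=2021

# OpenSSH 7.4 on CentOS 7 has no sshd_config.d, so these lines replace the
# originals in /etc/ssh/sshd_config (see apply()).
sshd_settings() {
  cat <<EOF
Port $SSH_PORT
PermitRootLogin no
AllowUsers user01
PasswordAuthentication yes
MaxAuthTries 3
EOF
}

# Kernel LOG lines carry SRC= DST= PROTO= SPT= DPT=; rsyslog copies the ones
# with our prefix into /var/log/ssh.log and stops processing them.
rsyslog_rule() {
  printf '%s\n' ':msg, contains, "SSH-LOGIN" /var/log/ssh.log' '& stop'
}

fw_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish internal services on the router's public address.
-A PREROUTING -i $WAN_IF -p udp --dport 53 -j DNAT --to-destination $APPSRV
-A PREROUTING -i $WAN_IF -p tcp -m multiport --dports 53,25,465,993,80,443 -j DNAT --to-destination $APPSRV
-A PREROUTING -i $WAN_IF -p tcp --dport 21 -j DNAT --to-destination $STORAGESRV
# Source NAT for every internal network leaving through the Internet side.
-A POSTROUTING -s 192.168.0.0/16 -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT ! -i $WAN_IF -p icmp -j ACCEPT
# ssh: log every new connection, allow three per source per minute, drop the
# fourth and later (the 60 s window restarts on each further attempt).
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j LOG --log-prefix "SSH-LOGIN "
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# DHCP relay requests from InsideCli; the nginx proxy on this host is reachable
# from the internal sides only (80/443 from $WAN_IF are DNATed above).
-A INPUT -i $CLI_IF -p udp --dport 67 -j ACCEPT
-A INPUT ! -i $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -j ACCEPT
-A FORWARD -i $WAN_IF -m conntrack --ctstate DNAT -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

apply() {
  sysctl -w net.ipv4.ip_forward=1
  grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
  for k in Port PermitRootLogin AllowUsers PasswordAuthentication MaxAuthTries; do
    sed -i "/^#\{0,1\}$k /d" /etc/ssh/sshd_config
  done
  sshd_settings >> /etc/ssh/sshd_config
  semanage port -a -t ssh_port_t -p tcp "$SSH_PORT" 2>/dev/null || true  # SELinux label for 2021
  sshd -t && systemctl restart sshd
  rsyslog_rule > /etc/rsyslog.d/ssh.conf && systemctl restart rsyslog
  modprobe nf_nat_ftp                        # passive-mode FTP data through the DNAT
  fw_rules | iptables-restore
  iptables-save > /etc/sysconfig/iptables    # restored at boot by iptables-services
}
if [ "${1:-}" = apply ]; then apply; fi
```

`fw_rules | iptables-restore` loads the whole set atomically, so a typo cannot leave the box half-open; check with `iptables -S` and `iptables -t nat -S` and test the limit from OutsideCli with four `ssh -p 2021` attempts inside a minute. Because the LOG rule fires on new connections, /var/log/ssh.log records attempts, successful or not, which is what the grader looks for here.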
5. Web Proxy
 Install Nginx components.
 Create the web.chinaskills.cn site as a reverse-proxy front end for www.chinaskills.cn that reaches the back-end web server over https.
 The configuration file is named proxy.conf and is placed in /etc/nginx/conf.d/.
 The back-end server's log must record the real client IP address.
 Cache the static pages of the back-end web server.
 Create a service monitoring script: /shells/chkWeb.sh.
 The script monitors the operation of the company's website.
 The script can run continuously in the background.
 Check the website's status every 3 s; on any abnormality, retry 3 times.
 If the website is determined to be unreachable, return the page "The website is under maintenance, please try again later" to users.
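The proxy configuration and /shells/chkWeb.sh together, as an added example (not the competitor's files). It assumes nginx with the ssl module, AppSrv at 192.168.100.100 serving https://www.chinaskills.cn with a certificate from the CSK Global Root CA (trusted on RouterSrv at /etc/pki/tls/certs/csk-ca.pem), and a certificate for web.chinaskills.cn at /etc/nginx/ssl/web.crt with its key at /etc/nginx/ssl/web.key. The script and the config share one thing, a maintenance flag file: the monitor creates it when three consecutive probes fail, nginx serves the maintenance text while it exists, and the monitor removes it when the backend answers again. The probe command is a replaceable function so the retry logic can be tested without a network.

```shell
#!/bin/bash
# RouterSrv: /etc/nginx/conf.d/proxy.conf generator plus the chkWeb.sh monitor
# (added example, not the competitor's files).  Assumptions: backend AppSrv
# 192.168.100.100 over https, CA file /etc/pki/tls/certs/csk-ca.pem, proxy
# certificate /etc/nginx/ssl/web.{crt,key}.
set -eu

FLAG=${FLAG:-/etc/nginx/maintenance.flag}
URL=${URL:-https://www.chinaskills.cn/}
INTERVAL=${INTERVAL:-3} RETRIES=${RETRIES:-3} RETRY_DELAY=${RETRY_DELAY:-1}

proxy_conf() {
  cat <<'EOF'
proxy_cache_path /var/cache/nginx/web levels=1:2 keys_zone=webcache:10m
                 max_size=200m inactive=60m use_temp_path=off;
server {
    listen 80;
    listen 443 ssl;
    server_name web.chinaskills.cn;
    ssl_certificate     /etc/nginx/ssl/web.crt;
    ssl_certificate_key /etc/nginx/ssl/web.key;

    # chkWeb.sh creates this flag while the backend is unreachable.
    if (-f /etc/nginx/maintenance.flag) { return 503; }
    error_page 503 @maintenance;
    location @maintenance {
        default_type text/plain;
        return 503 "The website is under maintenance, please try again later";
    }

    # Upstream over https with the backend certificate actually verified,
    # otherwise the "https" between proxy and backend is decorative.
    proxy_ssl_server_name on;
    proxy_ssl_name www.chinaskills.cn;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/pki/tls/certs/csk-ca.pem;
    proxy_set_header Host www.chinaskills.cn;
    # Real client address for the backend's access log.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass https://192.168.100.100;
    }
    # Static objects are cached; dynamic pages always reach the backend.
    location ~* \.(html?|css|js|png|jpe?g|gif|ico|svg|woff2?)$ {
        proxy_pass https://192.168.100.100;
        proxy_cache webcache;
        proxy_cache_valid 200 301 302 10m;
        add_header X-Cache $upstream_cache_status;
    }
}
EOF
}

# HTTP status of URL, "000" when nothing answers.  PROBE may name another
# function so the decision logic can be exercised offline.
probe() { curl -sk -m 2 -o /dev/null -w '%{http_code}' "$URL" 2>/dev/null || true; }

# Up if any of RETRIES attempts returns 2xx/3xx.
site_is_up() {
  i=1
  while [ "$i" -le "$RETRIES" ]; do
    code=$("${PROBE:-probe}")
    case "$code" in 2??|3??) return 0 ;; esac
    i=$((i + 1))
    if [ "$i" -le "$RETRIES" ]; then sleep "$RETRY_DELAY"; fi
  done
  return 1
}

# Set or clear the flag; prints the state so the loop can be checked.
update_state() {
  if site_is_up; then
    if [ -e "$FLAG" ]; then rm -f "$FLAG"; logger -t chkWeb "backend up, maintenance page off" 2>/dev/null || true; fi
    echo up
  else
    if [ ! -e "$FLAG" ]; then : > "$FLAG"; logger -t chkWeb "backend down, maintenance page on" 2>/dev/null || true; fi
    echo down
  fi
}

monitor_loop() { while :; do update_state >/dev/null; sleep "$INTERVAL"; done; }

case "${1:-}" in
  install) proxy_conf > /etc/nginx/conf.d/proxy.conf; nginx -t && systemctl reload nginx ;;
  run)     monitor_loop ;;     # nohup /shells/chkWeb.sh run >/dev/null 2>&1 &
esac
```

Start it with `nohup /shells/chkWeb.sh run >/dev/null 2>&1 &` (or a small systemd unit with Restart=always, which survives reboots). On AppSrv the access log must then use `%{X-Forwarded-For}i` instead of `%h`, or the proxy's address is all it ever records.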
6. Database server
 Configure this server as a database server: create a database School with a table Score and insert two rows, (1, suser1, 1999-6-1, female) and (2, suser2, 2000-9-1, male), whose Password column is the user name encrypted with the PASSWORD() function. The table structure is:

Field name | Data type   | Primary key
ID         | int(11)     | Yes
Name       | varchar(20) | No
Birthday   | datetime    | No
Sex        | char(10)    | No
Password   | char(64)    | No

 Enable the database query log; its path is /var/log/mariadb/mariadb.log.
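The schema, the rows and the query-log setting as one script (an added example, not the competitor's work). It assumes mariadb-server from the CentOS 7 repositories and a root password of 000000, the value the AppSrv task on this sheet uses; the password is an assumption. Note the caveat in the comments: the general query log writes every statement, including these INSERTs with the plaintext that PASSWORD() hashes, so its file needs tight permissions and the log should stay off outside the exam.

```shell
#!/bin/bash
# RouterSrv MariaDB: School.Score and the general query log (added example,
# not from the task sheet).  Root password 000000 is an assumption.
set -eu

school_sql() {
  cat <<'EOF'
CREATE DATABASE IF NOT EXISTS School;
USE School;
CREATE TABLE IF NOT EXISTS Score (
  ID       INT(11)     NOT NULL PRIMARY KEY,
  Name     VARCHAR(20) NOT NULL,
  Birthday DATETIME    NOT NULL,
  Sex      CHAR(10)    NOT NULL,
  Password CHAR(64)    NOT NULL
);
-- PASSWORD() returns the 41-character MariaDB authentication hash; CHAR(64)
-- leaves room for it.  REPLACE keeps the script re-runnable.
REPLACE INTO Score (ID, Name, Birthday, Sex, Password) VALUES
  (1, 'suser1', '1999-06-01', 'female', PASSWORD('suser1')),
  (2, 'suser2', '2000-09-01', 'male',   PASSWORD('suser2'));
EOF
}

# The general log records every statement verbatim, so the plaintext fed to
# PASSWORD() above ends up in it: keep the file root/mysql-only.
querylog_cnf() {
  cat <<'EOF'
[mysqld]
general_log = 1
general_log_file = /var/log/mariadb/mariadb.log
EOF
}

apply() {
  querylog_cnf > /etc/my.cnf.d/querylog.cnf
  touch /var/log/mariadb/mariadb.log
  chown mysql:mysql /var/log/mariadb/mariadb.log
  chmod 640 /var/log/mariadb/mariadb.log
  systemctl restart mariadb
  school_sql | mysql -uroot -p000000
  mysql -uroot -p000000 -e 'SELECT ID, Name, Birthday, Sex, Password FROM School.Score'
}
if [ "${1:-}" = apply ]; then apply; fi
```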
7.iSCSI
 Configure RouterSrv as the iSCSI target server and create a target with target ID 10 named iqn.2023-08.chinaskills.cn:test.
(3) Tasks on the server AppSrv
1.DHCP
 Allocate addresses for the InsideCli client network, address pool range: 192.168.0.110-192.168.0.190/24.
 DNS server: configure the DNS server address option according to the actual requirements.
 Gateway: configure the gateway address option according to the actual requirements.
 Assign InsideCli the fixed address 192.168.0.190/24.
2. DNS
 Provide name resolution for the chinaskills.cn domain.
 Provide resolution for www.chinaskills.cn.
 Enable split-horizon (internal/external) resolution: when an internal client asks, answer with the internal server address; when an external client asks, answer with the public address on which the service is published.
 Use IspSrv as the upstream DNS server; all unknown queries are handled by it.
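The DHCP and DNS tasks above as generated configuration (an added example, not part of the task sheet). It assumes the CentOS 7 dhcp and bind packages, the placeholder MAC address 00:0c:29:aa:bb:cc for InsideCli, that RouterSrv relays from 192.168.0.254 and publishes this host as 81.6.63.254, and that ISPSrv (81.6.63.100) is both the upstream resolver and the slave for the zone. Two view-related details are easy to miss: once views exist every zone must sit inside one, and the external view must have recursion off or AppSrv becomes an open resolver through the port-53 DNAT on RouterSrv.

```shell
#!/bin/bash
# AppSrv: dhcpd.conf and split-horizon BIND (added example, not from the task
# sheet).  Assumptions: InsideCli MAC 00:0c:29:aa:bb:cc (placeholder), relay
# at 192.168.0.254, public address 81.6.63.254, ISPSrv 81.6.63.100.
set -eu

INSIDECLI_MAC=${INSIDECLI_MAC:-00:0c:29:aa:bb:cc}
SERIAL=$(date +%Y%m%d01)

dhcpd_conf() {
  cat <<EOF
authoritative;
default-lease-time 600;
max-lease-time 7200;
# The server's own subnet needs an (empty) declaration or dhcpd refuses to
# start; relayed requests match 192.168.0.0/24 through the relay's address.
subnet 192.168.100.0 netmask 255.255.255.0 { }
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.110 192.168.0.190;
    option routers 192.168.0.254;
    option domain-name-servers 192.168.100.100;
    option domain-name "chinaskills.cn";
}
# dhcpd does not carve a fixed address out of a range: end the range at .189
# if .190 must never be leased to another client.
host insidecli {
    hardware ethernet $INSIDECLI_MAC;
    fixed-address 192.168.0.190;
}
EOF
}

named_conf() {
  cat <<'EOF'
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    forwarders { 81.6.63.100; };   # everything outside our zone goes to ISPSrv
    forward only;
    dnssec-validation no;          # ISPSrv's private root is unsigned
};
acl internal { 127.0.0.0/8; 192.168.0.0/16; };
# With views in use, every zone (named.rfc1912.zones too) must live in a view.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "chinaskills.cn" IN {
        type master;
        file "chinaskills.cn.internal";
        allow-transfer { none; };
    };
};
view "external" {
    match-clients { any; };
    recursion no;                  # never an open resolver for the Internet
    zone "chinaskills.cn" IN {
        type master;
        file "chinaskills.cn.external";
        allow-transfer { 81.6.63.100; };
        also-notify { 81.6.63.100; };
    };
};
EOF
}

zone_file() {   # $1 = internal | external
  case "$1" in
    internal) web=192.168.100.100; router=192.168.100.254 ;;
    external) web=81.6.63.254;     router=81.6.63.254 ;;
    *) echo "usage: zone_file internal|external" >&2; return 1 ;;
  esac
  cat <<EOF
\$TTL 3600
@          IN SOA appsrv.chinaskills.cn. admin.chinaskills.cn. ( $SERIAL 3600 900 604800 3600 )
@          IN NS  appsrv.chinaskills.cn.
@          IN MX  10 appsrv.chinaskills.cn.
appsrv     IN A   $web
www        IN A   $web
mail       IN CNAME appsrv
routersrv  IN A   $router
web        IN A   $router
ispsrv     IN A   81.6.63.100
EOF
  # Internal-only hosts never appear in the copy the Internet can query.
  if [ "$1" = internal ]; then echo 'storagesrv IN A   192.168.100.200'; fi
}

write_configs() {   # write_configs ROOT  ("" on the real host)
  root=${1:-}
  mkdir -p "$root/etc/dhcp" "$root/var/named"
  dhcpd_conf > "$root/etc/dhcp/dhcpd.conf"
  named_conf > "$root/etc/named.conf"
  zone_file internal > "$root/var/named/chinaskills.cn.internal"
  zone_file external > "$root/var/named/chinaskills.cn.external"
}
if [ "${1:-}" = apply ]; then
  write_configs ""
  chown root:named /var/named/chinaskills.cn.*
  named-checkconf && dhcpd -t && systemctl restart named dhcpd
fi
```

On RouterSrv the matching relay is `dhcrelay -d --no-pid -i ens34 -i ens33 192.168.100.100` (interface names assumed as in the firewall example). Verify the split with `dig @192.168.100.100 www.chinaskills.cn` from InsideCli and from OutsideCli: the two answers must differ.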
3. WEB service
 Install the web service.
 The service runs as the system user webuser.
 Restrict the web service to at most 500 MB of physical memory.
 Enable TLS for the whole site with a certificate issued by the "CSK Global Root CA" on this machine; the website certificate information is:
C = CN
ST = China
L = BeiJing
O = skills
OU = Operations Departments
CN = *.chinaskills.com
 There must be no browser (or terminal) security warning when a client accesses the site over https.
 Users who access the site over http are redirected automatically to https.
 Build the www.chinaskills.cn site.
 The web files are stored on the StorageSrv server.
 Install MariaDB on StorageSrv, install PHP on this machine, and publish a WordPress website.
 MariaDB database administrator: user root, password 000000.
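The httpd side of the web task, as an added example (not the competitor's configuration). It assumes CentOS 7 httpd with mod_ssl and php, a certificate and key issued by the local CSK Global Root CA at /etc/pki/tls/certs/www.crt and /etc/pki/tls/private/www.key, and the WordPress files on the NFS mount /webdata. The memory cap is applied through the service's cgroup rather than ulimit, because ulimit only bounds a single process while httpd forks many; the access log uses X-Forwarded-For because requests arrive through the RouterSrv proxy.

```shell
#!/bin/bash
# AppSrv Apache httpd for www.chinaskills.cn (added example, not from the
# task sheet).  Assumptions: mod_ssl, cert/key at the paths below, WordPress
# on the NFS mount /webdata, CentOS 7 systemd 219 (cgroup v1).
set -eu

site_conf() {
  cat <<'EOF'
<VirtualHost *:80>
    ServerName www.chinaskills.cn
    # Plain http never serves content: every request jumps to https.
    Redirect permanent / https://www.chinaskills.cn/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.chinaskills.cn
    DocumentRoot /webdata
    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLCertificateFile    /etc/pki/tls/certs/www.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.key
    <Directory /webdata>
        AllowOverride All
        Require all granted
    </Directory>
    # Behind the RouterSrv proxy the client address is in X-Forwarded-For;
    # log it first, then the direct peer (the proxy) for comparison.
    LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b" proxied
    CustomLog logs/www_access.log proxied
</VirtualHost>
EOF
}

# MemoryLimit= is the cgroup v1 spelling that systemd 219 understands; newer
# systemd maps it to MemoryMax=.  It caps the whole service, workers included.
memory_dropin() { printf '[Service]\nMemoryLimit=500M\n'; }

apply() {
  id webuser >/dev/null 2>&1 || useradd -r -s /sbin/nologin webuser
  sed -i -e 's/^User .*/User webuser/' -e 's/^Group .*/Group webuser/' /etc/httpd/conf/httpd.conf
  site_conf > /etc/httpd/conf.d/www.chinaskills.cn.conf
  mkdir -p /etc/systemd/system/httpd.service.d
  memory_dropin > /etc/systemd/system/httpd.service.d/memory.conf
  setsebool -P httpd_use_nfs on      # DocumentRoot lives on NFS
  systemctl daemon-reload
  apachectl configtest && systemctl restart httpd
  systemctl show httpd -p MemoryLimit
}
if [ "${1:-}" = apply ]; then apply; fi
```

Check the result with `curl -I http://www.chinaskills.cn/` (expect 301 to https) and `curl -v https://www.chinaskills.cn/` from InsideCli after the CA has been installed there; `ps -o user,comm -C httpd` should show the workers as webuser.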
4. Mariadb Backup Script
 Script file: /shells/mysqlbk.sh.
 Backup data to /root/mysqlbackup directory.
 The backup script realizes automatic backup every 30 minutes.
 The name of the exported file is all-databases-20230213102333, where 20230213102333 is the current time of running the backup script, accurate to the second.
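A /shells/mysqlbk.sh that meets the naming and scheduling requirements, as an added example (not the competitor's script). It assumes mysqldump from the MariaDB client package and that the connection details, including the host when the database lives on StorageSrv, sit in /root/.my.cnf under [client] with mode 600, so the password never shows up in the process list or in cron mail. It writes to a temporary name first so that an interrupted dump is never mistaken for a complete backup.

```shell
#!/bin/bash
# /shells/mysqlbk.sh (added example, not the competitor's script).
# Assumes /root/.my.cnf holds [client] user/password/host (mode 600).
set -eu

BACKUP_DIR=${BACKUP_DIR:-/root/mysqlbackup}
KEEP_DAYS=${KEEP_DAYS:-7}

# File name required by the task: all-databases-YYYYmmddHHMMSS
backup_name() { echo "all-databases-$1"; }

run_backup() {
  ts=$(date +%Y%m%d%H%M%S)
  out="$BACKUP_DIR/$(backup_name "$ts")"
  mkdir -p "$BACKUP_DIR"
  chmod 700 "$BACKUP_DIR"              # dumps contain every user's data
  # --single-transaction: consistent InnoDB snapshot without locking tables.
  mysqldump --all-databases --single-transaction --routines --events > "$out.part"
  mv "$out.part" "$out"
  chmod 600 "$out"
  # Prune old dumps so the root filesystem does not fill up silently.
  find "$BACKUP_DIR" -name 'all-databases-*' -mtime +"$KEEP_DAYS" -delete
  echo "$out"
}

# Every 30 minutes, output kept in a log instead of cron mail.
cron_line() { echo "*/30 * * * * root /shells/mysqlbk.sh run >>/var/log/mysqlbk.log 2>&1"; }

case "${1:-}" in
  run)     run_backup ;;
  install) cron_line > /etc/cron.d/mysqlbk; chmod 644 /etc/cron.d/mysqlbk ;;
esac
```

`/shells/mysqlbk.sh install` once, then `/shells/mysqlbk.sh run` to confirm a file such as /root/mysqlbackup/all-databases-20230213102333 appears.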
5.MAIL
 Install and configure postfix and dovecot, enable imaps and smtps, and create the test users mailuser1 and mailuser2.
 Send a test email from mailuser1@chinaskills.cn to mailuser2@chinaskills.cn with the subject "just test mail from mailuser1" and the body "hello, mailuser2".
 Send a test email from mailuser2@chinaskills.cn to mailuser1@chinaskills.cn with the subject "just test mail from mailuser2" and the body "hello, mailuser1".
6. CA (Certificate Authority)
 CA root certificate path: /csk-rootca/csk-ca.pem.
 Issue digital certificates; the issuer information contains only the following:
C = CN
ST = China
L = BeiJing
O = skills
OU = Operations Departments
CN = CSK Global Root CA
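The CA task above together with the certificates the web, proxy and FTPS tasks on this sheet need, as an added example (not the competitor's procedure). Extensions come from a config file rather than `-addext`, so it runs on OpenSSL 1.0.2 (CentOS 7) as well as on current releases. The key file name csk-ca.key and the 825-day server validity are assumptions. One caveat a practitioner must handle: the task specifies CN = *.chinaskills.com, but the site is www.chinaskills.cn, and browsers ignore CN entirely and require a subjectAltName, so the server certificate carries SANs for both names; without that the "no warning" requirement cannot be met.

```shell
#!/bin/bash
# Private CA and server certificates with openssl (added example, not from
# the task sheet).  CA_DIR and the csk-ca.key name are assumptions.
set -eu

CA_DIR=${CA_DIR:-/csk-rootca}
SUBJ_BASE="/C=CN/ST=China/L=BeiJing/O=skills/OU=Operations Departments"

ext_cnf() {
  cat <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = CN
ST = China
L = BeiJing
O = skills
OU = Operations Departments
CN = CSK Global Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

make_ca() {
  mkdir -p "$CA_DIR"; chmod 700 "$CA_DIR"
  ext_cnf > "$CA_DIR/ca.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$CA_DIR/ca.cnf" -extensions v3_ca \
    -keyout "$CA_DIR/csk-ca.key" -out "$CA_DIR/csk-ca.pem" 2>/dev/null
  chmod 600 "$CA_DIR/csk-ca.key"
}

# issue_cert NAME CN "DNS:a,DNS:b"  ->  CA_DIR/NAME.key and CA_DIR/NAME.crt
issue_cert() {
  name=$1 cn=$2 san=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ_BASE/CN=$cn" \
    -keyout "$CA_DIR/$name.key" -out "$CA_DIR/$name.csr" 2>/dev/null
  { ext_cnf; echo "subjectAltName = $san"; } > "$CA_DIR/$name.ext"   # lands in [v3_server]
  openssl x509 -req -sha256 -days 825 -in "$CA_DIR/$name.csr" \
    -CA "$CA_DIR/csk-ca.pem" -CAkey "$CA_DIR/csk-ca.key" -CAcreateserial \
    -extfile "$CA_DIR/$name.ext" -extensions v3_server -out "$CA_DIR/$name.crt" 2>/dev/null
  chmod 600 "$CA_DIR/$name.key"
  rm -f "$CA_DIR/$name.csr" "$CA_DIR/$name.ext"
}

verify_cert() { openssl verify -CAfile "$CA_DIR/csk-ca.pem" "$CA_DIR/$1.crt"; }

apply() {
  make_ca
  # AppSrv httpd: CN as the task states, SANs for what browsers actually check.
  issue_cert www '*.chinaskills.com' 'DNS:*.chinaskills.com,DNS:*.chinaskills.cn,DNS:chinaskills.cn'
  issue_cert storagesrv storagesrv.chinaskills.cn 'DNS:storagesrv.chinaskills.cn'   # vsftpd FTPS
  issue_cert web web.chinaskills.cn 'DNS:web.chinaskills.cn'                      # RouterSrv proxy
  verify_cert www
  # Trust on CentOS hosts; on UOS copy to /usr/local/share/ca-certificates/csk-ca.crt
  # and run update-ca-certificates.
  cp "$CA_DIR/csk-ca.pem" /etc/pki/ca-trust/source/anchors/ && update-ca-trust
}
if [ "${1:-}" = apply ]; then apply; fi
```

Copy only csk-ca.pem to the other hosts; csk-ca.key stays on AppSrv with mode 600. For the StorageSrv FTPS task the vsftpd side is `ssl_enable=YES`, `force_local_logins_ssl=YES`, `force_local_data_ssl=YES`, `rsa_cert_file` and `rsa_private_key_file` pointing at storagesrv.crt and storagesrv.key, plus `chroot_local_user=YES` to keep webadmin inside /webdata.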
7.chrony
 Configure this host as the time synchronization server for the whole network.
 Provide time synchronization for every host except this machine itself.
 Clients synchronize their time every 5 minutes.
8.iSCSI
 Edit the iSCSI client configuration file on appsrv to change the node startup mode to manual (manual) mode, and then start the iSCSI client process to discover the target server.
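The RouterSrv target (task 7 of the RouterSrv list) and this initiator step as one script (an added example, not the competitor's commands). The numeric target ID the task asks for is a scsi-target-utils (tgtd) concept, which is why tgtadm is used rather than targetcli. It assumes the exported block device is /dev/sdb on RouterSrv, RouterSrv is 192.168.100.254, and only AppSrv (192.168.100.100) may log in; the ACL is the part people forget, and without it tgtd accepts nobody. The config editor is a small idempotent helper so that node.startup is changed whether the line is present, commented out, or missing.

```shell
#!/bin/bash
# iSCSI: tgtd target on RouterSrv, open-iscsi initiator on AppSrv (added
# example, not from the task sheet).  Device, addresses and ACL are assumptions.
set -eu

TARGET_ID=10
TARGET_IQN=iqn.2023-08.chinaskills.cn:test
BACKING_DEV=${BACKING_DEV:-/dev/sdb}
TARGET_IP=192.168.100.254
INITIATOR_IP=192.168.100.100

# --- RouterSrv ---------------------------------------------------------
target_setup() {
  systemctl enable --now tgtd
  tgtadm --lld iscsi --op new --mode target --tid "$TARGET_ID" -T "$TARGET_IQN"
  tgtadm --lld iscsi --op new --mode logicalunit --tid "$TARGET_ID" --lun 1 -b "$BACKING_DEV"
  # Initiator ACL by address: only AppSrv may log in.
  tgtadm --lld iscsi --op bind --mode target --tid "$TARGET_ID" -I "$INITIATOR_IP"
  tgt-admin --dump > /etc/tgt/targets.conf          # persist across reboots
  tgtadm --lld iscsi --op show --mode target
}

# --- AppSrv ------------------------------------------------------------
# Set or replace one "key = value" line; handles present, commented and
# absent keys without duplicating them.
set_conf_option() {   # $1 file, $2 key, $3 value
  if grep -Eq "^#?[[:space:]]*$2[[:space:]]*=" "$1"; then
    sed -E -i "s|^#?[[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1"
  else
    echo "$2 = $3" >> "$1"
  fi
}

initiator_setup() {
  set_conf_option /etc/iscsi/iscsid.conf node.startup manual
  systemctl restart iscsid
  iscsiadm -m discovery -t sendtargets -p "$TARGET_IP"
  iscsiadm -m node -T "$TARGET_IQN" -p "$TARGET_IP" --login
  lsblk
}

case "${1:-}" in
  target)    target_setup ;;
  initiator) initiator_setup ;;
esac
```

With node.startup = manual the session is not re-established at boot, which is what the task asks; `iscsiadm -m session` shows whether the login succeeded and `lsblk` the new disk.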
(4) Tasks on the server StorageSrv
1. DISK
 Add 10G virtual disks and configure them as a RAID 5 array (usable capacity is one disk less than the member count, so a 100G volume needs enough members).
 Create an LVM logical volume /dev/vg01/lv01 of 100G, formatted ext4, mounted at the local directory /webdata, and create an empty test file disk.txt on it.
2. NFS
 Share the /webdata/ directory.
 It stores the web data of the AppSrv host.
 Only the AppSrv host may access the share.
3. VSFTPD
 Prohibit the use of insecure FTP, please use the certificate issued by the "CSK Global Root CA" certification authority to enable FTPS service.
 The user webadmin logs in to the FTP server with /webdata/ as the root directory.
 After login the user is confined to that root directory.
4. SAMBA
 Create a samba share of the local directory /data/share1, share name share1; only the user zsuser may upload files.
 Create a samba share of the local directory /data/public, share name public; anonymous access is allowed and all users may upload files.
5. LDAP
 Install slapd to provide account authentication for the samba service.
 Create the chinaskills.cn directory, create the group ldsgp, and assign the users zsuser, lsusr and wuusr to it.
6.ShellScript
 Write a script for adding users and store it as /shells/userAdd.sh.
 When a new employee joins the company, the administrator runs the script to create the company account.
 It automatically provisions the client account, company mailbox, samba directory and permissions, website account, and so on.
 It is run as userAdd lifei, where lifei is the example employee's name.
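A /shells/userAdd.sh covering the LDAP account, samba directory and share, mailbox and website steps, as an added example (not the competitor's script). It assumes a slapd base of dc=chinaskills,dc=cn with ou=People and ou=Group, an admin bind cn=admin,dc=chinaskills,dc=cn whose password is in /root/.ldap-admin (mode 600), samba and Postfix/Dovecot resolving users through LDAP via nss, per-user samba directories under /data/users, uids from 10000 upward, and wp-cli on AppSrv reachable over ssh as appsrv; all of these are assumptions. Two habits worth copying: the user name is validated before it is interpolated into LDIF, smb.conf or a remote shell command, and the initial password is random and hashed before it reaches slapd.

```shell
#!/bin/bash
# /shells/userAdd.sh NAME (added example, not the competitor's script).
# Assumptions: see the lead-in; every path and DN below is one of them.
set -eu

BASE_DN="dc=chinaskills,dc=cn"
GROUP_CN=ldsgp
SHARE_ROOT=${SHARE_ROOT:-/data/users}
UID_FILE=${UID_FILE:-/etc/uid.next}

# Only names that are safe in LDIF, smb.conf, paths and the remote command.
valid_name() { printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9_-]{1,31}$'; }

# Simple uid allocator persisted in UID_FILE (starts at 10000).
next_uid() {
  n=$(cat "$UID_FILE" 2>/dev/null); n=${n:-10000}
  echo $((n + 1)) > "$UID_FILE"
  echo "$n"
}

# posixAccount entry plus membership in ldsgp; $3 is an SSHA hash from
# slappasswd, so the directory never stores the clear password.
user_ldif() {   # $1 name, $2 uid number, $3 hashed password
  cat <<EOF
dn: uid=$1,ou=People,$BASE_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $1
cn: $1
sn: $1
uidNumber: $2
gidNumber: $2
homeDirectory: /home/$1
loginShell: /bin/bash
mail: $1@chinaskills.cn
userPassword: $3

dn: cn=$GROUP_CN,ou=Group,$BASE_DN
changetype: modify
add: memberUid
memberUid: $1
EOF
}

samba_share_block() {   # $1 name -> smb.conf stanza, private to that user
  cat <<EOF
[$1]
   path = $SHARE_ROOT/$1
   valid users = $1
   writable = yes
   create mask = 0640
   directory mask = 0750
EOF
}

add_user() {
  name=$1
  valid_name "$name" || { echo "invalid user name: $name" >&2; return 1; }
  uidn=$(next_uid)
  pw=$(head -c 32 /dev/urandom | base64 | tr -d '/+=' | cut -c1-12)
  # 1. Directory account (client logins, samba/mail via nss)
  user_ldif "$name" "$uidn" "$(slappasswd -s "$pw")" \
    | ldapmodify -a -x -D "cn=admin,$BASE_DN" -y /root/.ldap-admin
  # 2. Samba: directory, share stanza, SMB password hash
  install -d -m 750 -o "$uidn" -g "$uidn" "$SHARE_ROOT/$name"
  samba_share_block "$name" >> /etc/samba/smb.conf
  printf '%s\n%s\n' "$pw" "$pw" | smbpasswd -s -a "$name"
  systemctl reload smb
  # 3. Mailbox: Maildir owned by the new uid
  install -d -m 700 -o "$uidn" -g "$uidn" "/home/$name/Maildir"
  # 4. Website account on AppSrv via wp-cli (ssh key assumed)
  ssh appsrv "wp --path=/webdata user create '$name' '$name@chinaskills.cn' --user_pass='$pw' --role=subscriber"
  echo "created $name (uid $uidn); initial password: $pw"
}

# No argument: only define the functions (so the file can be sourced).
if [ $# -ge 1 ]; then add_user "$1"; fi
```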
(5) Server IOMSrv tasks
 Log in to the IOMSrv operations and maintenance platform through its web interface at http://192.168.100.150.
 Using the Linux agent template, add StorageSrv and AppSrv as operating-system monitoring objects and check their running status.
 Through the middleware Apache template, add Apache monitoring objects to check the running status.
 Through the middleware MySQL database Agent template, add Mariadb monitoring objects and check the running status.
 By adding WEB detection objects, monitor the portal website www.chinaskills.cn to check the running status.
 Based on the portal business on AppSrv, complete the business topology drawing and present it on the big business screen.
(6) Tasks of Clients OutsideCli and InsideCli
1. OutsideCli
As a DNS server domain name resolution test client, install nslookup and dig command line tools.
 As a website access test client, install firefox browser and curl command line test tool.
 As an SSH remote login test client, install the ssh command line test tool.
 As a SAMBA test client, use the graphical interface file browser to test, and install the smbclient tool.
 As an FTP test client, install the lftp command line tool.
 As a client for testing the effect of firewall rules, install the ping command line tool.
 Please use the tools mentioned above for functional testing when taking screenshots.
2. InsideCli
 As a DNS server domain name resolution test client, install nslookup, dig command line tools.
 As a website access test client, install firefox browser and curl command line test tool.
 As an SSH remote login test client, install the ssh command line test tool.
 As a SAMBA test client, use the graphical interface file browser to test, and install the smbclient tool.
 As an FTP test client, install the lftp command line tool.
 As a client for testing the effect of firewall rules, install the ping command line tool.
 Please use the tools mentioned above for functional testing when taking screenshots.

Origin blog.csdn.net/qq_50377269/article/details/132583611