环境:
主机:三台阿里云ECS
配置: 8c16G, 300G
操作系统:CentOS Linux release 7.4.1708 (Core)
内核: 3.10.0-514.6.2.el7.x86_64
ipa版本:
[root@freeipa1-iuap-hb2-ali sean]# ipa --version
VERSION: 4.5.0, API_VERSION: 2.228
安装步骤:
一, 节点一:
1. 更改主机名, 更改为全域名, 如: freeipa1-iuap-hb2-ali.yonyouiuap.com
cat /etc/hosts
# Loopback entries plus the three IPA nodes. Each node's FQDN (set as the
# hostname in step 1) resolves locally through this file before IPA's own DNS
# exists; the replicas later switch /etc/resolv.conf to node one.
127.0.0.1 localhost
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.x.x.1 freeipa1-iuap-hb2-ali.yonyouiuap.com freeipa1-iuap-hb2-ali
10.x.x.251 freeipa2-iuap-hb2-ali.yonyouiuap.com freeipa2-iuap-hb2-ali
10.x.x.252 freeipa3-iuap-hb2-ali.yonyouiuap.com freeipa3-iuap-hb2-ali
# Packages for an IPA master with integrated DNS (bind + bind-dyndb-ldap via
# ipa-server-dns); screen/vim are for the interactive session. memcached and
# python-memcached are installed here as well — whether this IPA version still
# uses them is not established on this page.
yum install screen vim bind bind-dyndb-ldap freeipa-server ipa-server-dns memcached python-memcached
# First IPA master with integrated DNS (--setup-dns) and automatically created
# reverse zones (--auto-reverse). The two forwarders are the resolvers the ECS
# hosts already use (presumably the cloud provider's — verify). --enable-compat
# turns on the schema compatibility plugin for legacy clients; the replica
# install below passes the same DNS/compat flags so all nodes behave alike.
ipa-server-install --setup-dns --auto-reverse --forwarder 100.100.2.136 --forwarder 100.100.2.138 --enable-compat
[root@freeipa1-iuap-hb2-ali sean]# cat /etc/sysconfig/iptables
#################
# filter
#################
# Rule order matters: iptables stops at the first matching rule. The ACCEPT
# rules for NEW connections in this file come BEFORE the "spoofed packets" and
# ICMP DROP rules further down, so those DROPs only see traffic that no earlier
# ACCEPT claimed (see the notes at each).
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The DOCKER chain is declared here but nothing in this file jumps to it;
# presumably the Docker daemon populates it at runtime — verify on the host.
:DOCKER - [0:0]
# Pass packets of already-established connections straight through (kept as
# the first rule for efficiency).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ping replies. Redundant in practice: the rule above already matches
# ESTABLISHED,RELATED for every protocol.
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback
-A INPUT -i lo -j ACCEPT
# sshd
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# 10050, 22122 and 25 are not IPA ports and are not documented on this page;
# record what listens on them, or close them — TODO confirm.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10050 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22122 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
#########################TCP ports for FreeIPA####################
#TCP Ports:
# * 80, 443: HTTP/HTTPS
# * 389, 636: LDAP/LDAPS
# * 88, 464: kerberos
# * 53: bind
#UDP Ports:
# * 88, 464: kerberos
# * 53: bind
# * 123: ntp
# 8009 and 7389 are opened below but are missing from the list above. 8009 is
# commonly an AJP connector that only needs to be reachable from localhost —
# confirm whether it (and 7389) must be exposed to the network at all.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8009 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 7389 -j ACCEPT
#UDP ports for FreeIPA
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#####################################################################
# Rate-limit forwarded IP fragments to 100/s (burst 100); anything above the
# limit falls through to the final FORWARD REJECT.
-A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# Allow ping from outside (echo-request). Note the "--icmp-type 8" DROP
# further down targets the same packets and is therefore never reached.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Rate-limit forwarded ICMP to 1/s, burst 10.
-A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
####################
# DROP RULES
####################
# Drop new TCP connections that do not start with SYN — currently disabled.
#-A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
# Reject spoofed packets.
# These DROPs sit after the port ACCEPTs above, so a NEW packet from one of
# these ranges to an opened port (22, 389, ...) is accepted before it gets
# here; move this group above the port rules if it is meant to apply to them.
# 172.16.0.0/12 is dropped wholesale — fine while every peer is in 10.x as in
# /etc/hosts, but it will silently block any future peer in that range.
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
# Stop smurf attacks
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
# Type 8 is echo-request, already ACCEPTed by the "ping from outside" rule
# above; keep one or the other depending on whether ping should be answered.
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
# Drop all invalid packets
-A INPUT -m state --state INVALID -j DROP
#-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
# Drop excessive RST packets to avoid smurf attacks.
# This rule only ACCEPTs up to 2 RST/s; there is no companion DROP, so RSTs
# above the limit fall through to the rules below (ending at the final REJECT).
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
# The "portscan" list is only fed by the port-139 rules below, so the lockout
# applies to hosts that probed port 139, not to port scans in general.
-A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
# Once the day has passed, remove them from the portscan list
-A INPUT -m recent --name portscan --remove
-A FORWARD -m recent --name portscan --remove
# These rules add scanners to the portscan list, and log the attempt.
-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
# Reject everything not explicitly allowed above.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Load the rule set saved in /etc/sysconfig/iptables (listing above).
systemctl restart iptables
节点一安装完毕。
二, 节点二/三, 安装ipa replica:
- 更改/etc/resolv.conf为节点一的IP 地址。
- 执行节点一的前6步
- 安装复制节点:
# Replica install on nodes two and three, with the same DNS forwarders and
# --enable-compat as the master. NOTE(review): --admin-password on the command
# line ends up in shell history and is visible to other users via ps; omitting
# it should make the installer prompt for the password instead. --setup-ca is
# given twice, and --skip-conncheck bypasses the pre-install connectivity check
# against the master — confirm both are intended.
ipa-replica-install --setup-dns --forwarder 100.100.2.136 --forwarder 100.100.2.138 --setup-ca --auto-reverse --principal admin --admin-password xxxx --skip-schema-check --skip-conncheck --enable-compat --setup-ca --mkhomedir --force-join --ssh-trust-dns
# - Then configure the firewall (the iptables rule set from node one).
三, 后续
由于ipa服务器随着时间会出现内存占用越来越高的BUG, 需要定时重启389服务,由于重启dirsrv时会一定几率导致krb5kdc服务挂掉, 所以需要两个一起重启, 在crontab里添加定时任务, 定时重启389服务和清理log:
[root@freeipa1-iuap-hb2-ali sean]# crontab -l
# Every Sunday 02:00: restart dirsrv and krb5kdc to release memory (section
# three explains why both are restarted together).
# NOTE(review): with '&&' the krb5kdc restart is skipped when the dirsrv
# restart fails; if krb5kdc must be restarted regardless, use ';' instead.
0 2 * * Sun systemctl restart dirsrv@YONYOUIUAP-COM.service && systemctl restart krb5kdc.service
# Every Sunday 03:00: log cleanup (script shown below).
0 3 * * Sun /opt/scripts/clean_disk.sh
clean_disk.sh:
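#!/bin/bash
# /opt/scripts/clean_disk.sh — weekly log cleanup, run from root's crontab.
#
# Steps (each is attempted even if an earlier one fails; the exit status is
# non-zero if any step failed):
#   1. cap the systemd journal at 2 GiB
#   2. remove rotated /var/log/messages-<digits>* files
#   3. truncate the live /var/log/messages
#   4. delete regular *.log* files under /var/log older than 30 days
set -euo pipefail
# An unmatched glob expands to nothing instead of the literal pattern, so the
# array check below is reliable.
shopt -s nullglob

# Everything below touches root-owned files under /var/log; fail early and
# clearly rather than half-way through.
if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

status=0

# 1. Cap the persistent journal.
journalctl --vacuum-size=2048M || status=1

# 2. Rotated copies of messages. Plain files, so no -r needed.
rotated=(/var/log/messages-[0-9]*)
if (( ${#rotated[@]} > 0 )); then
  rm -f -- "${rotated[@]}" || status=1
fi

# 3. Truncate the live log in place (equivalent of the former 'echo >', minus
#    the stray newline).
: > /var/log/messages || status=1

# 4. Old logs. -type f restricts the match to regular files so a directory
#    whose name happens to match *.log* is never recursively removed; '+'
#    batches the rm calls instead of one process per file.
find /var/log/ -type f -mtime +30 -name '*.log*' -exec rm -f -- {} + || status=1

exit "$status"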
四, 客户端安装:
如之前安装过或安装失败, 执行下面命令进行卸载:
# Remove a previous or failed client enrolment first; -U runs unattended (no prompts).
ipa-client-install --uninstall -U
配置DNS为IPA服务器IP:
安装:
# Enrol the client. --mkhomedir configures automatic home-directory creation at
# login; --enable-dns-updates lets the client keep its own records in IPA DNS
# current. The host's resolver must already point at the IPA servers (step above).
ipa-client-install --mkhomedir --enable-dns-updates