bulat

2026-04-26T18:06:11.781Z

МОДУЛЬ 1. ЗАДАНИЕ 1 и 4

1.Назначаем имена и настраиваем конфигурационный файл, перезагружаем сеть

ISP

auto ens33
iface ens33 inet dhcp

auto ens36
iface ens36 inet static
    address 172.16.1.1/28

auto ens37
iface ens37 inet static
    address 172.16.2.1/28

HQ-RTR

auto ens33
iface ens33 inet static
    address 172.16.1.2/28
    gateway 172.16.1.1

auto ens36
iface ens36 inet manual

auto ens36.100
iface ens36.100 inet static
    address 192.168.0.1/27
    vlan-raw-device ens36

auto ens36.200
iface ens36.200 inet static
    address 192.168.0.33/28
    vlan-raw-device ens36

auto ens36.999
iface ens36.999 inet static
    address 192.168.0.49/29
    vlan-raw-device ens36

BR-RTR

auto ens33
iface ens33 inet static
    address 172.16.2.2/28
    gateway 172.16.2.1

auto ens36
iface ens36 inet static
    address 192.168.1.1/28

HQ-SRV

auto ens33.100
iface ens33.100 inet static
    address 192.168.0.2/27
    gateway 192.168.0.1
    vlan-raw-device ens33

BR-SRV

auto ens33
iface ens33 inet static
    address 192.168.1.2/28
    gateway 192.168.1.1

HQ-CLI

auto ens33.200
iface ens33.200 inet dhcp

hostnamectl set-hostname isp.au-team.irpo; exec bash

hostnamectl set-hostname hq-rtr.au-team.irpo; exec bash

hostnamectl set-hostname hq-srv.au-team.irpo; exec bash

hostnamectl set-hostname hq-cli.au-team.irpo; exec bash

hostnamectl set-hostname br-rtr.au-team.irpo; exec bash

hostnamectl set-hostname br-srv.au-team.irpo; exec bash

На isp, hq-rtr, br-rtr в nano /etc/sysctl.conf убираем # в начале строки net. ipv4.ip_forward=1

sudo sysctl -p

на hq: echo "8021q" | sudo tee -a /etc/modules

domain au-team.irpo
search au-team.irpo
nameserver 192.168.0.2
nameserver 8.8.8.8

ЗАДАНИЕ 2 и 8

ISP и роутеры:

apt update && apt install iptables iptables-persistent -y

sudo iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE

sudo iptables-save > /etc/iptables/rules.v4

ЗАДАНИЕ 3

На серверах: sudo useradd sshuser -u 2026 -m -U

sudo passwd sshuser

sudo usermod -aG sudo sshuser

sudo visudo

sshuser ALL=(ALL) NOPASSWD: ALL

На роутерах: sudo useradd net_admin -m -U

sudo passwd net_admin

sudo usermod -aG sudo net_admin

sudo visudo

net_admin ALL=(ALL) NOPASSWD: ALL

ЗАДАНИЕ 5

На серваках: apt install openssh-server -y

nano /etc/ssh/sshd_config: Port 2026

AllowUsers sshuser

MaxAuthTries 2

Banner /etc/ssh/banner

echo "Authorized access only" | sudo tee /etc/ssh/banner

systemctl restart sshd

ЗАДАНИЕ 6

HQ-RTR nano /etc/modules (добавляем ip_gre)

sudo modprobe ip_gre

nano /etc/network/interfaces

auto gre1

iface gre1 inet tunnel

address 10.10.10.1

netmask 255.255.255.252

mode gre

local 172.16.1.2

endpoint 172.16.2.2

ttl 255

post-up ip route add 192.168.1.0/28 via 10.10.10.2

BR-RTR auto gre1

iface gre1 inet tunnel

address 10.10.10.2

netmask 255.255.255.252

mode gre

local 172.16.2.2

endpoint 172.16.1.2

ttl 255

post-up ip route add 192.168.0.0/27 via 10.10.10.1

post-up ip route add 192.168.0.32/28 via 10.10.10.1

systemctl restart networking

ЗАДАНИЕ 7

apt install frr -y

nano /etc/frr/daemons (Меняем ospfd=no на ospfd=yes.)

systemctl restart frr

sudo vtysh

HQ-RTR

configure terminal
router ospf
 passive-interface default
 network 192.168.0.0/27 area 0
 network 192.168.0.32/28 area 0
 network 192.168.0.48/29 area 0
 network 10.10.10.0/30 area 0
 area 0 authentication
 exit
interface gre1
 no ip ospf passive
 ip ospf authentication
 ip ospf authentication-key P@ssw0rd
 exit
exit
write
exit

BR-RTR

configure terminal
router ospf
 passive-interface default
 network 192.168.1.0/28 area 0
 network 10.10.10.0/30 area 0
 area 0 authentication
 exit
interface gre1
 no ip ospf passive
 ip ospf authentication
 ip ospf authentication-key P@ssw0rd
 exit
exit
write
exit

systemctl restart frr

ЗАДАНИЕ 9

HQ-RTR: apt install isc-dhcp-server -y

nano /etc/dhcp/dhcpd.conf

Удаляем всё и пишем: subnet 192.168.0.32 netmask 255.255.255.240 {

range 192.168.0.34 192.168.0.46;

option domain-name-servers 192.168.0.2;

option domain-name "au-team.irpo";

option routers 192.168.0.33;

option broadcast-address 192.168.0.47;

default-lease-time 600;

max-lease-time 7200;

}

sudo nano /etc/default/isc-dhcp-server добавляем INTERFACESv4="ens37.200"

sudo dhcpd -t -cf /etc/dhcp/dhcpd.conf (проверка на ошибки)

sudo systemctl restart isc-dhcp-server

sudo systemctl enable isc-dhcp-server

ЗАДАНИЕ 10

apt install bind9 -y

HQ-SRV

/etc/bind/named.conf.options

text

options {
    directory "/var/cache/bind";

    forwarders {
        77.88.8.7;
        77.88.8.3;  
    };
    
    allow-recursion {
        127.0.0.1;
        192.168.0.0/27;
        192.168.0.32/28;
        192.168.0.48/29;
        192.168.1.0/28;
    };

    allow-query {
        127.0.0.1;
        192.168.0.0/27;
        192.168.0.32/28;
        192.168.0.48/29;
        192.168.1.0/28;
    };

    listen-on {
        127.0.0.1;
        192.168.0.2;
    };

    dnssec-validation auto;
    recursion yes;
    listen-on-v6 { none; };
};

/etc/bind/named.conf.local

text

zone "au-team.irpo" {
    type master;
    file "/var/lib/bind/db.au-team.irpo";
    allow-transfer { 192.168.1.2; };
};

zone "0.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.0.168.192";
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.1.168.192";
};

HQ-SRV

/var/lib/bind/db.au-team.irpo

$TTL    86400
@       IN      SOA     hq-srv.au-team.irpo. root.au-team.irpo. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 )       ; Negative Cache TTL
;
@       IN      NS      hq-srv.au-team.irpo.
hq-srv  IN      A       192.168.0.2
hq-rtr  IN      A       192.168.0.1
hq-cli  IN      A       192.168.0.34
br-rtr  IN      A       172.16.2.2
br-srv  IN      A       192.168.1.2
docker  IN      A       172.16.1.1  
web     IN      A       172.16.2.1

/var/lib/bind/db.0.168.192

$TTL    86400
@       IN      SOA     hq-srv.au-team.irpo. root.au-team.irpo. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 )       ; Negative Cache TTL
;
@       IN      NS      hq-srv.au-team.irpo.
1       IN      PTR     hq-rtr.au-team.irpo.
2       IN      PTR     hq-srv.au-team.irpo.
34      IN      PTR     hq-cli.au-team.irpo.

/var/lib/bind/db.1.168.192

$TTL    86400
@       IN      SOA     hq-srv.au-team.irpo. root.au-team.irpo. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 )       ; Negative Cache TTL
;
@       IN      NS      hq-srv.au-team.irpo.
1       IN      PTR     br-rtr.au-team.irpo.
2       IN      PTR     br-srv.au-team.irpo.

sudo named-checkconf

sudo named-checkzone au-team.irpo /var/lib/bind/db.au-team.irpo

sudo named-checkzone 0.168.192.in-addr.arpa /var/lib/bind/db.0.168.192

sudo named-checkzone 1.168.192.in-addr.arpa /var/lib/bind/db.1.168.192

sudo systemctl restart bind9

ЗАДАНИЕ 11

timedatectl set-timezone Europe/Moscow

timedatectl

МОДУЛЬ 2. ЗАДАНИЕ 1

HQ-SRV nano /etc/bind/named.conf.local в зону au-team.irpo добавляем allow-transfer { 192.168.1.2; };

systemctl restart bind9

BR-SRV apt install samba krb5-user winbind -y

/etc/resolv.conf

domain au-team.irpo search au-team.irpo

nameserver 192.168.0.2 nameserver 192.168.1.2

chattr +i /etc/resolv.conf

nano /etc/krb5.conf

[libdefaults]

default_realm = AU-TEAM.IRPO

dns_lookup_realm = false

dns_lookup_kdc = true

[realms]

AU-TEAM.IRPO = {

kdc = br-srv.au-team.irpo

admin_server = br-srv.au-team.irpo

}

[domain_realm]

.au-team.irpo = AU-TEAM.IRPO

au-team.irpo = AU-TEAM.IRPO

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

samba-tool domain provision --use-rfc2307 --interactive

systemctl stop smbd nmbd winbind

systemctl enable samba

systemctl start samba

systemctl status samba

samba-tool domain info 127.0.0.1

samba-tool domain info 192.168.1.2

samba-tool user add hquser1 P@ssw0rd

samba-tool user add hquser2 P@ssw0rd

samba-tool user add hquser3 P@ssw0rd

samba-tool user add hquser4 P@ssw0rd

samba-tool user add hquser5 P@ssw0rd

samba-tool group add hq

samba-tool group addmembers hq hquser1,hquser2,hquser3,hquser4,hquser5

Проверка samba-tool group listmembers hq

samba-tool user list

HQ-SRV nano /var/lib/bind/db.au-team.irpo (serial увеличиваем на +1)

@ IN NS br-srv.au-team.irpo.

_ldap._tcp IN SRV 0 100 389 br-srv.au-team.irpo.

_kerberos._tcp IN SRV 0 100 88 br-srv.au-team.irpo.

_kerberos._udp IN SRV 0 100 88 br-srv.au-team.irpo.

_kpasswd._tcp IN SRV 0 100 464 br-srv.au-team.irpo.

_kpasswd._udp IN SRV 0 100 464 br-srv.au-team.irpo.

named-checkzone au-team.irpo /var/lib/bind/db.au-team.irpo

systemctl restart bind9

HQ-CLI /etc/resolv.conf nameserver 192.168.0.2 nameserver 192.168.1.2

search au-team.irpo

chattr +i /etc/resolv.conf

apt install -y realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

sudo realm discover au-team.irpo

sudo realm join --user=Administrator au-team.irpo

nano /etc/sssd/sssd.conf

В секцию [domain/au-team.irpo] добавить в конец:

ad_server = br-srv.au-team.irpo

ad_backup_server = br-srv.au-team.irpo

ldap_user_extra_attrs = memberOf

systemctl restart sssd

Проверка id hquser1@au-team.irpo

nano /etc/sudoers.d/hq

%hq@au-team.irpo ALL=(ALL) NOPASSWD: /usr/bin/cat, /usr/bin/grep, /usr/bin/id

chmod 440 /etc/sudoers.d/hq

visudo -c

su hquser1@au-team.irpo

sudo cat /etc/passwd # не запрашивает пароль sudo

sudo apt update # запрещено

Проверка samba-tool group listmembers hq

samba-tool computer list

ЗАДАНИЕ 2
ДОБАВЛЯЕМ 2 ДИСКА
echo "- - -" | sudo tee /sys/class/scsi_host/host*/scan

apt install mdadm -y

sudo mdadm --create --verbose /dev/md0 -l 0 -n 2 /dev/sdb /dev/sdc

sudo mdadm --detail --scan --verbose >> /etc/mdadm.conf

sudo mkfs.ext4 /dev/md0

mkdir /raid

mount /dev/md0 /raid

Пишем команду blkid /dev/md0 узнаем UUID

В /etc/fstab добавляем строку с этим UUID

UUID=a1b2c3d4-e5f6-7890-1234-567890abcdef /raid ext4 defaults 0 0

Проверка ошибок: mount -a

ЗАДАНИЕ 3

HQ-SRV: apt install nfs-kernel-server -y

mkdir -p /raid/nfs

chmod -R 777 /raid/nfs

nano /etc/exports

/raid/nfs 192.168.0.32/28(rw,no_root_squash)

systemctl enable --now nfs-server

exportfs -arv

HQ-CLI: apt install nfs-common -y

mkdir -p /mnt/nfs

chmod 777 /mnt/nfs

nano /etc/fstab

192.168.0.2:/raid/nfs /mnt/nfs nfs defaults,vers=3,soft 0 0

systemctl daemon-reload

mount -a

Проверка: df -h

ЗАДАНИЕ 4

На всех ВМ кромер HQ-RTR: apt install -y chrony

ISP: nano /etc/chrony/chrony.conf

Находим строку и добавляем (то что жирное): pool 2.debian.pool.ntp.org iburst prefer

pool ru.pool.ntp.org iburst

И в конец файла: allow 172.16.2.2

allow 172.16.1.2

allow 192.168.0.0/24

local stratum 5

systemctl restart chrony

На других ВМ в этом же файле комментируем (#) строку pool 2.debian.pool.ntp.org iburst

И добавляем на HQ-SRV, HQ-CLI server 172.16.1.1 iburst

На BR-RTR, BR-SRV server 172.16.2.1 iburst

systemctl restart chrony

Проверка на клиентах: chronyc sources (Должен появиться ^*(но не ^ ?) 172.16.1.1.)

На IPS: chronyc clients должно появиться два IP.

ЗАДАНИЕ 5

BR-SRV: apt install ansible sshpass -y

mkdir -p /etc/ansible

nano /etc/ansible/hosts

[hq]

192.168.0.1 ansible_user=net_admin ansible_password=P@ssw0rd

192.168.0.2 ansible_user=sshuser ansible_password=P@ssw0rd ansible_port=2026

192.168.0.34 ansible_user=user ansible_password=root

[br]

192.168.1.1 ansible_user=net_admin ansible_password=P@ssw0rd

nano /etc/ansible/ansible.cfg

[defaults]

host_key_checking = False

interpreter_python = auto_silent

На других, кроме ISP: apt install -y openssh-server && systemctl enable ssh && systemctl start ssh

Проверка: ansible all -m ping

ЗАДАНИЕ 6

docker exec -it db mysql -u root -pP@ssw0rd -e "SHOW DATABASES;"

# Чтобы получать с GitHub файлы добавил на BR-SRV /etc/resov.conf nameserver 8.8.8.8

BR-SRV: добавляем Additional.iso на ВМ

apt install docker.io docker-compose -y

systemctl enable --now docker

mkdir -p /media/cdrom

mount /dev/sr1 /media/cdrom # или /dev/sr0 — смотри lsblk

/etc/fstab добавляем /dev/sr1 /media/cdrom iso9660 ro,user,auto 0 0

docker load < /media/cdrom/docker/site_latest.tar

docker load < /media/cdrom/docker/mariadb_latest.tar

docker image ls

Должны быть site:latest и mariadb:latest (или mariadb:10.11).

Если образ называется mariadb:10.11, создаём тег latest:

docker tag mariadb:10.11 mariadb:latest

nano web.yaml

wget -O web.yaml https://raw.githubusercontent.com/lipid228/mama/94944851f9cf4145b13194dce7cf625940f7e781/web.yaml

services:
  testapp:
    container_name: testapp
    image: site:latest
    restart: always
    ports:
      - "8080:8000"
    environment:
      DB_HOST: "192.168.1.2"
      DB_PORT: "3306"
      DB_NAME: testdb
      DB_USER: test
      DB_PASS: P@ssw0rd
      # DB_TYPE: maria   # если будет ошибка — удалить
    depends_on:
      - db

  db:
    container_name: db
    image: mariadb:latest
    restart: always
    ports:
      - "3306:3306"
    environment:
      MARIADB_DATABASE: testdb
      MARIADB_USER: test
      MARIADB_PASSWORD: P@ssw0rd
      MARIADB_ROOT_PASSWORD: rootpassword
    volumes:
      - db_data:/var/lib/mysql

volumes:
  db_data:

docker-compose -f web.yaml up -d

Проверка с HQ-CLI: http://192.168.1.2:8080

docker restart testapp

ЗАДАНИЕ 7

HQ-SRV: apt install apache2 php libapache2-mod-php php-mysql mariadb-server -y

systemctl enable --now apache2 mariadb

mysql_secure_installation (пароль root: P@ssw0rd, на все вопросы y)

blkid /dev/sr1

mkdir -p /media/iso

nano /etc/fstab

Добавить: UUID="1899-12-30-00-00-00-00" /media/iso iso9660 ro,user,auto 0 0

systemctl daemon-reload

mysql -u root -p

CREATE DATABASE webdb;

CREATE USER 'web'@'localhost' IDENTIFIED BY 'P@ssw0rd';

GRANT ALL PRIVILEGES ON webdb.* TO 'web'@'localhost';

FLUSH PRIVILEGES;

EXIT;

mysql webdb < /media/iso/web/dump.sql

cp /media/iso/web/index.php /var/www/html/

cp /media/iso/web/logo.png /var/www/html/ 2>/dev/null

cp -r /media/iso/web/images /var/www/html/ 2>/dev/null

chown -R www-data:www-data /var/www/html/

chmod -R 755 /var/www/html/

nano /var/www/html/index.php

Заменяем на: $username = "web";

$password = "P@ssw0rd";

$dbname = "webdb";

Удаляем: rm /var/www/html/index.html

systemctl restart apache2

Проверка на клиенте: http://192.168.0.2

ЗАДАНИЕ 8(сначала лучше сделать снапшот)

HQ-RTR: sudo iptables -t nat -A PREROUTING -p tcp -d 172.16.1.2 --dport 8080 -j DNAT --to-destination 192.168.0.2:80

sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.2 --dport 80 -j SNAT --to-source 172.16.1.2

sudo iptables -t nat -A PREROUTING -p tcp -d 172.16.1.2 --dport 2026 -j DNAT --to-destination 192.168.0.2:2026

sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.2 --dport 2026 -j SNAT --to-source 172.16.1.2

sudo iptables-save > /etc/iptables/rules.v4

BR-RTR: sudo iptables -t nat -A PREROUTING -p tcp -d 172.16.2.2 --dport 8080 -j DNAT --to-destination 192.168.1.2:8080

sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.2 --dport 8080 -j SNAT --to-source 172.16.2.2

sudo iptables -t nat -A PREROUTING -p tcp -d 172.16.2.2 --dport 2026 -j DNAT --to-destination 192.168.1.2:2026

sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.2 --dport 2026 -j SNAT --to-source 172.16.2.2

sudo iptables-save > /etc/iptables/rules.v4

ЗАДАНИЕ 9

ISP: apt install nginx -y

systemctl enable --now nginx

nano /etc/nginx/sites-available/proxy

server {

listen 80;

server_name web.au-team.irpo;

location / {

proxy_pass http://172.16.1.2:8080;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

}

server {

listen 80;

server_name docker.au-team.irpo;

location / {

proxy_pass http://172.16.2.2:8080;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

}

ln -s /etc/nginx/sites-available/proxy /etc/nginx/sites-enabled/

rm /etc/nginx/sites-enabled/default

sudo nginx -t

systemctl restart nginx

HQ-CLI: nano /etc/hosts

172.16.1.1 web.au-team.irpo

172.16.2.1 docker.au-team.irpo

Проверка: http://web.au-team.irpo

http://docker.au-team.irpo

ЗАДАНИЕ 10

/var/lib/bind/db.0.168.192

34      IN      PTR     hq-cli.au-team.irpo.

ISP: apt install apache2-utils -y

sudo htpasswd -c /etc/nginx/.htpasswd WEB

cat /etc/nginx/.htpasswd (Должна быть строка вида WEB:$apr1$...)

В sudo nano /etc/nginx/sites-available/proxy добавляем то что жирное

server {

listen 80;

server_name web.au-team.irpo;

auth_basic "Restricted area";

auth_basic_user_file /etc/nginx/.htpasswd;

location / {

proxy_pass http://172.16.1.2:8080;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

}

sudo nginx -t

sudo systemctl restart nginx

HQ-CLI: проверка Открой http://web.au-team.irpo — должно появиться окно авторизации.

Логин: WEB

Пароль: P@ssw0rd

ЗАДАНИЕ 11

HQ-SRV: sudo nano /etc/bind/named.conf.options

Найди строку:

dnssec-validation auto;

и замени на:

dnssec-validation no;

sudo systemctl restart bind9

HQ-CLI: apt install curl -y

sudo chattr -i /etc/resolv.conf

В файл /etc/resolv.conf добавляем строки: nameserver 77.88.8.8

nameserver 77.88.8.1

ping yandex.ru , если пинг есть, то

curl -s https://repo.yandex.ru/yandex-browser/YANDEX-BROWSER-KEY.GPG | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/yandex-browser.gpg

echo "deb [arch=amd64] https://repo.yandex.ru/yandex-browser/deb stable main" | sudo tee /etc/apt/sources.list.d/yandex-browser.list

sudo apt update

sudo apt install yandex-browser-stable -y

МОДУЛЬ 3. ЗАДАНИЕ 1

BR-SRV: Сначала переделываем задание 6 модуля 2.

blkid /dev/sr0

blkid /dev/sr1

Вывод: /dev/sr0: BLOCK_SIZE="2048" UUID="1899-12-30-00-00-00-00" LABEL="Additional.iso" TYPE="iso9660"

/dev/sr1: BLOCK_SIZE="2048" UUID="2025-01-11-10-58-01-00" LABEL="Debian 12.9.0 amd64 n" TYPE="iso9660" PTUUID="28ebc189" PTTYPE="dos"

В /etc/fstab заменяем строки с /dev/sr0 и /dev/sr1 на (главное сверить UUID):

UUID="1899-12-30-00-00-00-00" /media/additional iso9660 ro,user,auto 0 0

UUID="2025-01-11-10-58-01-00" /media/debian iso9660 ro,user,auto 0 0

Потом mkdir -p /media/additional /media/debian

mount -a

В nano /root/import_users.sh вставляем скрипт:

wget -O import_users.sh https://raw.githubusercontent.com/lipid228/mama/94944851f9cf4145b13194dce7cf625940f7e781/import_users.sh

Пишем chmod +x /root/import_users.sh

/root/import_users.sh

Проверка на HQ-CLI:

Берем любого пользователя и пробуем в него войти, например:

su stuart.york@au-team.irpo

ЗАДАНИЕ 3

HQ-RTR: apt install libreswan -y

nano /etc/ipsec.d/hqrtr.conf

conn IPsec-HQ-RTR-to-BR-RTR

auto=start

type=tunnel

authby=secret

left=172.16.1.2

right=172.16.2.2

leftprotoport=gre

rightprotoport=gre

pfs=no

nano /etc/ipsec.d/hqrtr.secrets добавляем

172.16.1.2 172.16.2.2 : PSK "P@ssw0rd"

systemctl enable --now ipsec

sudo ipsec restart

BR-RTR: apt install libreswan -y

nano /etc/ipsec.d/brrtr.conf

conn IPsec-BR-RTR-to-HQ-RTR

auto=start

type=tunnel

authby=secret

left=172.16.2.2

right=172.16.1.2

leftprotoport=gre

rightprotoport=gre

pfs=no

nano /etc/ipsec.d/brrtr.secrets добавляем 172.16.2.2 172.16.1.2 : PSK "P@ssw0rd"

systemctl enable --now ipsec

sudo ipsec restart

Проверка:

на hq-rtr команда tcpdump -i ens33 -n esp (если не скачан-скачать)

На br-srv пингуем ping 192.168.0.2

На Роутере должны появиться такие строки:

20:44:02.835163 IP 172.16.1.2 > 172.16.2.2: ESP(spi=0x46dd7216,seq=0x10), length 144

ЗАДАНИЕ 5

apt install cups cups-pdf -y

systemctl enable --now cups

sudo cupsctl --share-printers --remote-any

systemctl restart cups

http://192.168.0.2:631

lpstat -d

ЗАДАНИЕ 6

HQ-SRV: apt install rsyslog -y

nano /etc/rsyslog.conf

Расскомментировать module(load="imtcp")

input(type="imtcp" port="514")

Закоментировать #module(load="imuxsock")

#module(load="imklog")

#module(load="immark")

В конец файла $template RemoteLogs, "/opt/%HOSTNAME%/rsyslog.log"

*.* ?RemoteLogs

& stop

systemctl enable --now rsyslog

systemctl restart rsyslog

HQ-RTR, BR-RTR, BR-SRV apt install rsyslog -y

nano /etc/rsyslog.conf

Раскомментировать module(load="imuxsock")

module(load="imklog")

module(load="immark")

*.warning @@192.168.0.2:514

systemctl enable --now rsyslog

systemctl restart rsyslog

На клиенте: logger -p user.info "Test info message"

logger -p user.warning "Test warning message"

logger -p user.error "Test error message"

HQ-SRV: cat /opt/hq-rtr/rsyslog.log

cat /opt/br-rtr/rsyslog.log

cat /opt/br-srv/rsyslog.log

ЗАДАНИЕ 7

HQ-SRV: apt update && apt install prometheus -y

systemctl enable --now prometheus

http://192.168.0.2:9090

HQ-SRV: apt install prometheus-node-exporter -y

systemctl enable --now prometheus-node-exporte

http://192.168.0.2:9100/metrics

BR-SRV: apt update && apt install prometheus-node-exporter -y

systemctl enable --now prometheus-node-exporter

HQ-SRV: nano /etc/prometheus/prometheus.yml

  - job_name: 'HQ-SRV'
    static_configs:
      - targets: ['192.168.0.2:9100']

  - job_name: 'BR-SRV'
    static_configs:
      - targets: ['192.168.1.2:9100']

systemctl restart prometheus

http://192.168.0.2:9090 (таргеты)

wget https://dl.grafana.com/oss/release/grafana_10.2.2_amd64.deb

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

dpkg -i grafana_10.2.2_amd64.deb

apt -f install -y

systemctl enable --now grafana-server

systemctl status grafana-server

http://192.168.0.2:3000

https://grafana.com/grafana/dashboards/1860-node-exporter-full/?tab=revisions

Настройка Grafana

1. Войти: admin / admin → сменить на admin / P@ssw0rd

2. Add data source → Prometheus → URL: http://192.168.0.2:9090 → Save & Test

3. Import dashboard → ID: 1860 → Select Prometheus → Import

echo "192.168.0.2 mon.au-team.irpo" >> /etc/hosts

http://mon.au-team.irpo:3000 (дальше интуитивно по сайту я у мамы сисадмин )

Выбор программного обеспечения

Prometheus — система сбора и хранения метрик. Выбрана за популярность, гибкость и интеграцию с Grafana.
Node Exporter — экспортёр системных метрик (CPU, память, диск). Установлен на каждом сервере.
Grafana — система визуализации. Выбрана за удобные дашборды и поддержку Prometheus.

Основные параметры

Prometheus — порт 9090
Node Exporter — порт 9100 на каждом сервере
Grafana — порт 3000

Доступ

Веб-интерфейс Grafana: http://mon.au-team.irpo:3000
Логин: admin
Пароль: P@ssw0rd

ЗАДАНИЕ 8

BR-SRV: cp /mnt/playbook/get_hostname_address.yml /etc/ansible/

chmod u+rwx /etc/ansible/get_hostname_address.yml

nano /etc/ansible/get_hostname_address.yml

- name: Инвентаризация
  hosts: HQ-SRV, HQ-CLI
  tasks:
    - name: получение данных с хоста
      delegate_to: localhost
      copy:
        dest: /etc/ansible/PC-INFO/{{ ansible_hostname }}.yml
        content: |
          Hostname: {{ ansible_hostname }}
          IP_Address: {{ ansible_default_ipv4.address }}

nano /etc/ansible/hosts

[hq]

HQ-RTR ansible_host=192.168.0.1 ansible_user=net_admin ansible_password=P@ssw0rd

HQ-SRV ansible_host=192.168.0.2 ansible_user=sshuser ansible_password=P@ssw0rd ansible_port=2026

HQ-CLI ansible_host=192.168.0.34 ansible_user=user ansible_password=root

[br]

BR-RTR ansible_host=192.168.1.1 ansible_user=net_admin ansible_password=P@ssw0rd

mkdir /etc/ansible/PC-INFO

cd /etc/ansible

ansible-playbook get_hostname_address.yml

ЗАДАНИЕ 9

HQ-SRV:nano /etc/rsyslog.conf

module(load="imjournal" StateFile="imjournal.state" RateLimit.Interval="0" RateLimit.Burst="0")

/etc/ssh/sshd_config добавляем LogLevel VERBOSE

apt install fail2ban -y

nano /etc/fail2ban/jail.local

[sshd]

enabled = true

filter = sshd

action = iptables[name=SSH, port=2026, protocol=tcp]

logpath = /var/log/auth.log

findtime = 300

maxretry = 3

bantime = 60

systemctl enable --now fail2ban

systemctl restart fail2ban

systemctl status fail2ban

fail2ban-client status sshd

ЗАДАНИЕ 2

ISP: sudo apt install openssh-server -y

sudo systemctl enable --now ssh

на всякий:

sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT

sudo iptables-save > /etc/iptables/rules.v4

HQ-SRV: cd ~

openssl req -newkey rsa:4096 -nodes -keyout ca.key -x509 -days 30 -out ca.crt

Country Name: RU

State: Tatarstan

Locality: Kazan

Organization: AU-Team

Organizational Unit: IRPO

Common Name: AU-Team CA

openssl genrsa -out web.key 4096

openssl req -key web.key -new -out web.csr

Country Name: RU

State: Tatarstan

Locality: Kazan

Organization: AU-Team

Organizational Unit: IRPO

Common Name: *.au-team.irpo

Email: (Enter)

A challenge password: (Enter)

Nano openssl.cnf

[req]

req_extensions = req_ext

[req_ext]

subjectAltName = DNS:web.au-team.irpo, DNS:docker.au-team.irpo

extendedKeyUsage = serverAuth

keyUsage = digitalSignature

openssl x509 -req -in web.csr -CA ca.crt -CAkey ca.key -CAcreateserial \

-out web.crt -days 30 -sha256 -extfile openssl.cnf -extensions req_ext

ls -l web.*

scp web.crt web.key user@172.16.1.1:/home/user/

ssh user@172.16.1.1

sudo mv /home/user/web.crt /etc/nginx/

sudo mv /home/user/web.key /etc/nginx/

sudo nano /etc/nginx/sites-available/proxy

server {
    listen 80;
    server_name web.au-team.irpo;
    return 301 https://$host$request_uri;
}

server {
    listen 80;
    server_name docker.au-team.irpo;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name web.au-team.irpo;

    ssl_certificate /etc/nginx/web.crt;
    ssl_certificate_key /etc/nginx/web.key;

    auth_basic "Restricted area";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass http://172.16.1.2:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

server {
    listen 443 ssl;
    server_name docker.au-team.irpo;

    ssl_certificate /etc/nginx/web.crt;
    ssl_certificate_key /etc/nginx/web.key;

    location / {
        proxy_pass http://172.16.2.2:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

sudo nginx -t

sudo systemctl restart nginx

HQ-SRV: scp ca.crt user@192.168.0.34:/home/user/

ssh user@192.168.0.34 -p 2026

sudo cp /home/user/ca.crt /usr/local/share/ca-certificates/

sudo update-ca-certificates

trust list | grep "AU-Team"

Делаем импорт в Яндексе.Готово.

Задание 4. Межсетевой экран на HQ-RTR и BR-RTR

Требования:

Разрешить из интернета (ISP): HTTP, HTTPS, DNS, NTP, ICMP

Всё остальное — DROP

Где выполняем

Роутер Интерфейс в сторону ISP

HQ-RTR ens33 (IP 172.16.1.2)

BR-RTR ens33 (IP 172.16.2.2)

1. Базовая политика

Сначала запрещаем весь FORWARD по умолчанию, но разрешаем уже установленные соединения.

На HQ-RTR и BR-RTR (команды одинаковые)

bash

# Политика по умолчанию — DROP для FORWARD

sudo iptables -P FORWARD DROP

# Разрешаем уже установленные соединения (чтобы не рвать ответы)

sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

2. Разрешаем нужные протоколы

Разрешаем новые соединения с интерфейса ens33 (со стороны ISP) на указанные порты.

HTTP (80) и HTTPS (443)

bash

sudo iptables -A FORWARD -i ens33 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

DNS (53, TCP и UDP)

bash

sudo iptables -A FORWARD -i ens33 -p udp --dport 53 -m state --state NEW -j ACCEPT

sudo iptables -A FORWARD -i ens33 -p tcp --dport 53 -m state --state NEW -j ACCEPT

NTP (123, UDP)

bash

sudo iptables -A FORWARD -i ens33 -p udp --dport 123 -m state --state NEW -j ACCEPT

ICMP (ping)

bash

sudo iptables -A FORWARD -i ens33 -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

3. (Опционально) SSH для управления

Если нужно подключаться к роутеру извне — можно разрешить SSH. В задании не требуется, но для удобства можно добавить.

bash

sudo iptables -A FORWARD -i ens33 -p tcp --dport 22 -m state --state NEW -j ACCEPT

4. Сохранение правил

bash

sudo iptables-save > /etc/iptables/rules.v4

5. Проверка

Посмотреть все правила FORWARD:

bash

sudo iptables -L FORWARD -n -v

Должно быть примерно так (порядок может отличаться):

text

Chain FORWARD (policy DROP)

target prot opt source destination

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 dpt:53 state NEW

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 dpt:53 state NEW

ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 dpt:123 state NEW

ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW

6. Тестирование

С любой машины извне (например, с ISP или HQ-CLI) проверь:

bash

# Должно работать

ping 172.16.1.2

curl http://172.16.1.2:8080

curl https://172.16.1.2:443 # если HTTPS настроен

nslookup yandex.ru 172.16.1.2 # DNS

# Не должно работать (например, telnet на 23 порт)

telnet 172.16.1.2 23 # зависнет или сразу отказ

На всякий:

#!/bin/bash

FILE="/media/additional/Users.csv"

while IFS=';' read -r firstname lastname role phone ou street zip city country password; do
samba-tool user add "$firstname.$lastname" "$(echo "$password" | tr -d '[:space:]')" \
--given-name="$firstname" --surname="$lastname" --job-title="$role" --telephone-number="$phone" --department="$ou" \
--description="$zip,$country,$city,$(echo $street | tr -dc '[[:print:]]')"
done < <(tail -n +2 "$FILE")

# Вы уже скачали файл в /home/isp/, поэтому:
chmod +x /home/isp/import_users.sh

# Запуск:
/home/isp/import_users.sh

Булат Абзалеев

bulat

ISP

HQ-RTR

BR-RTR

HQ-SRV

BR-SRV

HQ-CLI

HQ-RTR

BR-RTR

HQ-SRV

/etc/bind/named.conf.options

/etc/bind/named.conf.local

HQ-SRV

/var/lib/bind/db.au-team.irpo

/var/lib/bind/db.0.168.192

/var/lib/bind/db.1.168.192

ЗАДАНИЕ 10

/var/lib/bind/db.0.168.192