
Choosing a Domain and Certificate


Before going into this section, a reminder from the author: this part is optional for students, because a domain and a certificate are not required to progress through this course. If you are doing this for work or in the real world, however, they are necessary steps. Either way, let's look together at how to choose a domain and a certificate for a VPS.


Domain

As with VPS providers, the vendors offering domain registration and purchase are dazzlingly numerous, and some even offer a one-stop service: VPS, domain, static IP and certificate. Here, though, I personally recommend buying the domain from Google.

Address: Google Domains - Get a new domain

Although choosing a domain may look like a matter of personal taste, you should in fact pick one that looks meaningful and legitimate. Compared with www.wocao.com, www.center-bank.com is a better choice. Some hackers also use domains that look similar to well-known sites, such as www.goog1e.com. While this can sometimes raise the success rate of a phishing attack, on the other hand, corporate DNS filters block these deliberately misspelled domains.
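The DNS-filter behaviour mentioned above can be illustrated from the defender's side. The script below is an added example and is not from the course page or any filtering product: it is a simplified version of the confusable-skeleton approach that look-alike detection uses (fold characters that look alike into one canonical form, then compare against a protected list), applied to a constructed brand list and a few constructed resolver log lines. Real filters use the full Unicode confusables table, an edit-distance threshold and the public suffix list; the registrable-domain helper here simply keeps the last two labels.

```shell
#!/bin/sh
# Added example, not part of the course page: a minimal look-alike domain check
# of the kind an enterprise DNS filter applies. Brand list and log lines are
# constructed for the demonstration.

PROTECTED="google.com paypal.com microsoft.com"

# Lower-case the name, drop hyphens, then fold common visual confusables
# (1/l, 0/o, rn/m, vv/w) into a "skeleton" string.
skeleton() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' \
    | sed -e 's/-//g' -e 's/1/l/g' -e 's/0/o/g' -e 's/rn/m/g' -e 's/vv/w/g'
}

# Verdict for one registrable domain: "exact" (a protected name itself),
# "lookalike" (skeleton collides with a protected name but spelling differs),
# or "other".
classify() {
  d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  s=$(skeleton "$d")
  for p in $PROTECTED; do
    [ "$d" = "$p" ] && { echo exact; return 0; }
  done
  for p in $PROTECTED; do
    [ "$s" = "$(skeleton "$p")" ] && { echo lookalike; return 0; }
  done
  echo other
}

# Simplified registrable domain: keep the last two labels only
# (www.goog1e.com -> goog1e.com). Real code would consult the public suffix list.
registrable() {
  printf '%s' "$1" | awk -F. '{ print $(NF-1) "." $NF }'
}

# Constructed resolver query log, one "<timestamp> <client> <qname>" per line.
SAMPLE_LOG='2024-01-10T09:12:01Z 10.0.0.5 www.google.com
2024-01-10T09:12:07Z 10.0.0.5 www.goog1e.com
2024-01-10T09:13:40Z 10.0.0.9 raven-med.com
2024-01-10T09:14:02Z 10.0.0.9 login.rnicrosoft.com'

# Print "<client> <qname>" for every look-alike query in the sample log.
flag_lookalikes() {
  printf '%s\n' "$SAMPLE_LOG" | while read -r ts client qname; do
    [ "$(classify "$(registrable "$qname")")" = lookalike ] && echo "$client $qname"
  done
  return 0
}

flag_lookalikes
```

Running it prints the two flagged queries (`10.0.0.5 www.goog1e.com` and `10.0.0.9 login.rnicrosoft.com`), while www.google.com is an exact protected name and raven-med.com collides with nothing.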

For example, looking up whether raven-med.com is available: this domain has not yet been registered, and the registration fee is only 12 US dollars per year. Registering your own domain is that simple!


After buying the domain on Google, you can configure DNS in the domain settings so that the domain maps to the public IP you hold. That way, if you run any public services, everyone can reach your VPS through an easy-to-remember domain name.



Certificate

Whether we are building a personal website or running a C2 listener, we need TLS/SSL to encrypt communications, so a trusted certificate is very necessary. Although a self-signed certificate can be used, self-signed certificates are not trusted on the public internet. We can therefore choose to register a certificate at Let's Encrypt (letsencrypt.org). The certificates Let's Encrypt provides are free and trusted, which makes it a good choice. The site directs us to Certbot Instructions | Certbot (eff.org); following the commands in that tutorial step by step, we obtain our own certificate. The commands involved are as follows:

root@web01:~# snap install core
core 16-2.58 from Canonical✓ installed
root@web01:~# snap refresh core
snap "core" has no updates available
root@web01:~# snap install --classic certbot
certbot 1.32.2 from Certbot Project (certbot-eff✓) installed
root@web01:~# ln -s /snap/bin/certbot /usr/bin/certbot
root@web01:~# certbot certonly -d raven-med.com --apache --register-unsafely-without-email --agree-to




In this course, however, we do not need to buy a domain or a certificate. We can first generate a key pair with openssl (the command below also writes a self-signed certificate, public.crt), and then generate a certificate signing request (CSR).

└─# openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out public.crt -keyout private.key
..+......+.....+....+.....+.+............+..+.+.....+...................+...........+...+.+......+...+......+.....+...+.+......+...+.....+...+...+..........+..+.......+...+..+...+....+........+.+.........+.....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...........+.......+..+.+......+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...+....+......+...........+.+..+.......+...........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+...+..+......+.............+............+...+.....+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+......+........+.+........+.+.....+...............+.+..............+....+..+....+.........+.....+.+.....+.+...+........+............+.............+..............+...............+......+.........+......+.............+......+...+......+..+...+....+......+.................+.......+...+..............+......+............+.+......+........+.........................+...+........+......+.+..+...............+..........+..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:VA
Locality Name (eg, city) []:McLean
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Raven Medicine
Organizational Unit Name (eg, section) []:Web Server
Common Name (e.g. server FQDN or YOUR name) []:185.2.101.114
Email Address []:admin@raven-med.local

└─# openssl req -new -key private.key -out raven.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:VA
Locality Name (eg, city) []:McLean
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Raven Medicine
Organizational Unit Name (eg, section) []:Web Server
Common Name (e.g. server FQDN or YOUR name) []:185.2.101.114
Email Address []:admin@raven-med.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
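As an added example (not part of the course page, nor Certbot or OpenSSL documentation), the script below repeats the openssl steps above non-interactively and adds the check a practitioner would want before pointing a client at the result: a certificate whose only identity is the IP in the Common Name, as generated above, fails IP verification, because clients match the subjectAltName extension rather than the CN. The script generates both variants, verifies each against the IP, and then produces a CSR from the key. The DN values and the IP 185.2.101.114 are taken from the page; the key size is reduced to 2048 bits for speed, and the output directory is assumed to be under $TMPDIR or /tmp.

```shell
#!/bin/sh
# Added example, not from the course page: the openssl steps above run
# non-interactively, once in the page's style (identity only in the CN) and once
# with a subjectAltName, followed by the verification a client performs.

WORK="${TMPDIR:-/tmp}/cert-demo.$$"
mkdir -p "$WORK"

# Distinguished Name built from the page's interactive answers.
DN="/C=US/ST=VA/L=McLean/O=Raven Medicine/OU=Web Server/CN=185.2.101.114"

# Page style: the IP sits in the CN and there is no SAN extension.
gen_cn_only() {
  openssl req -new -newkey rsa:2048 -x509 -sha256 -days 365 -nodes \
    -subj "$DN" -out "$WORK/cn-only.crt" -keyout "$WORK/cn-only.key" 2>/dev/null
}

# Corrected: the IP (and hostname) go into subjectAltName, which is what
# browsers, curl and TLS libraries actually match against.
gen_with_san() {
  openssl req -new -newkey rsa:2048 -x509 -sha256 -days 365 -nodes \
    -subj "$DN" -addext "subjectAltName=IP:185.2.101.114,DNS:raven-med.com" \
    -out "$WORK/san.crt" -keyout "$WORK/san.key" 2>/dev/null
}

# Treat the self-signed certificate as its own trust anchor and ask OpenSSL
# whether it is valid for the given IP. Prints "match" or "mismatch".
check_ip() {
  if openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1; then
    echo match
  else
    echo mismatch
  fi
}

# Second step from the page: a CSR from an existing key, again with -subj and
# a SAN so the issuing CA (e.g. Let's Encrypt via certbot) sees the hostname.
# Prints "ok" when the CSR's own signature verifies.
gen_csr() {
  openssl req -new -key "$WORK/san.key" -subj "$DN" \
    -addext "subjectAltName=DNS:raven-med.com" -out "$WORK/raven.csr" 2>/dev/null \
  && openssl req -in "$WORK/raven.csr" -noout -verify >/dev/null 2>&1 \
  && echo ok
}

gen_cn_only && gen_with_san
echo "CN-only certificate vs 185.2.101.114: $(check_ip "$WORK/cn-only.crt" 185.2.101.114)"
echo "SAN certificate vs 185.2.101.114:     $(check_ip "$WORK/san.crt" 185.2.101.114)"
echo "CSR generation: $(gen_csr)"
```

The CN-only certificate reports `mismatch` and the SAN certificate reports `match`; the same `openssl verify -verify_hostname` / `-verify_ip` check is a quick way to confirm that a certbot-issued certificate covers the name you intend to serve. Requires OpenSSL 1.1.1 or newer for `-addext`.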

