共计 15451 个字符,预计需要花费 39 分钟才能阅读完成。
| 导读 | 作为生产环境的 Linux 服务器,安装按成系统一般都会进行一些初始化操作,本文以 CentOS7 为例,介绍系统安装完成之后应该进行的初始化操作。 |
1、添加用户
新增名为 ”wang” 的用户
| [] | |
| [] | |
| Changing password for user wang. | |
| New password: | |
| Retype new password: | |
| passwd: all authentication tokens updated successfully. | |
| [] |
以用户 ”wang” 为例,设置其为唯一拥有管理员权限的账户
| [root@vdevops ~]# usermod -G wheel wang | |
| [root@vdevops ~]# vim /etc/pam.d/su | |
| #%PAM-1.0 | |
| auth sufficient pam_rootok.so | |
| # Uncomment the following line to implicitly trust users in the "wheel" group. | |
| #auth sufficient pam_wheel.so trust use_uid | |
| # Uncomment the following line to require a user to be in the "wheel" group. | |
| # 取消下面一行的注释 | |
| auth required pam_wheel.so use_uid | |
| auth substack system-auth | |
| auth include postlogin | |
| account sufficient pam_succeed_if.so uid = 0 use_uid quiet | |
| account include system-auth | |
| password include system-auth | |
| session include system-auth | |
| session include postlogin | |
| session optional pam_xauth.so | |
| # 设置 root 账户的邮件转发 | |
| # Person who should get root's mail | |
| # 最后一行,取消注释,改变用户名称 | |
| root: wang |
2、设置防火墙和 SELINUX
【1】防火墙
查看防火墙状态
| [root@vdevops ~]# systemctl status firewalld | |
| ● firewalld.service - firewalld - dynamic firewall daemon | |
| Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) | |
| Active: active (running) since Wed 2016-10-26 01:09:49 CST; 1h 36min ago | |
| Main PID: 744 (firewalld) | |
| CGroup: /system.slice/firewalld.service | |
| └─744 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid | |
| Oct 26 01:09:46 vdevops.com systemd[1]: Starting firewalld - dynamic firewall daemon... | |
| Oct 26 01:09:49 vdevops.com systemd[1]: Started firewalld - dynamic firewall daemon. |
防火墙基本操作
| [root@vdevops ~]# systemctl start firewalld # 启动防火墙 | |
| [root@vdevops ~]# systemctl enable firewalld # 设置防火墙开机自启 | |
| 默认情况下,“public”区域应用于 NIC,dhcpv6-client 和 ssh 是允许的。当使用“firewall-cmd”命令操作时,如果输入命令不带“--zone = ***”规范,则配置设置为默认区域。# 显示默认区域 | |
| [root@vdevops ~]# firewall-cmd --get-default-zone | |
| public | |
| # 显示当前设置 | |
| [root@vdevops ~]# firewall-cmd --list-all | |
| public (default, active) | |
| interfaces: eno16777736 | |
| sources: | |
| services: dhcpv6-client ssh | |
| ports: | |
| masquerade: no | |
| forward-ports: | |
| icmp-blocks: | |
| rich rules: | |
| # 显示全部区域 | |
| [root@vdevops ~]# firewall-cmd --list-all-zones | |
| block | |
| interfaces: | |
| sources: | |
| services: | |
| ports: | |
| masquerade: no | |
| forward-ports: | |
| icmp-blocks: | |
| rich rules: | |
| dmz | |
| interfaces: | |
| sources: | |
| services: ssh | |
| ports: | |
| masquerade: no | |
| forward-ports: | |
| icmp-blocks: | |
| rich rules: | |
| ... | |
| # 显示特定区域允许的服务 | |
| [root@vdevops ~]# firewall-cmd --list-service --zone=external | |
| ssh | |
| # 改变默认区域 | |
| [root@vdevops ~]# firewall-cmd --set-default-zone=external | |
| success | |
| # 改变制定区域的接口 | |
| [root@vdevops ~]# firewall-cmd --change-interface=eth1 --zone=external | |
| success | |
| # 显示制定区域的状态 | |
| [root@vdevops ~]# firewall-cmd --list-all --zone=external | |
| external (default, active) | |
| interfaces: eno16777736 eth1 | |
| sources: | |
| services: ssh | |
| ports: | |
| masquerade: yes | |
| forward-ports: | |
| icmp-blocks: | |
| rich rules: |
# 注:改变制定区域的接口,前提是次接口在当前系统是存在的
显示默认定义的服务
| [root@vdevops ~]# firewall-cmd --get-services | |
| RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https | |
| #定义文件路径如下,如果需要添加新的定义文件,在下面目录添加相应的 XML 文件 | |
| [root@vdevops ~]# ls /usr/lib/firewalld/services | |
| amanda-client.xml freeipa-ldap.xml ipp.xml libvirt.xml pmcd.xml RH-Satellite-6.xml tftp-client.xml | |
| bacula-client.xml freeipa-replication.xml ipsec.xml mdns.xml pmproxy.xml rpc-bind.xml tftp.xml | |
| bacula.xml ftp.xml iscsi-target.xml mountd.xml pmwebapis.xml rsyncd.xml transmission-client.xml | |
| dhcpv6-client.xml high-availability.xml kerberos.xml ms-wbt.xml pmwebapi.xml samba-client.xml vdsm.xml | |
| dhcpv6.xml https.xml kpasswd.xml mysql.xml pop3s.xml samba.xml vnc-server.xml | |
| dhcp.xml http.xml ldaps.xml nfs.xml postgresql.xml smtp.xml wbem-https.xml | |
| dns.xml imaps.xml ldap.xml ntp.xml proxy-dhcp.xml ssh.xml | |
| freeipa-ldaps.xml ipp-client.xml libvirt-tls.xml openvpn.xml radius.xml telnet.xml |
添加或删除允许的服务,重新启动系统后,更改将恢复。如果永久更改设置,请添加“–permanent”选项。
# 以添加 http 服务为例
| [] | |
| success | |
| [] | |
| http ssh | |
| <pre name="code" class="html">[root@vdevops ~] | |
| success | |
| [] | |
| ssh |
# 添加 http 服务,永久生效
| [root@vdevops ~]# firewall-cmd --add-service=http --permanentsuccess | |
| [root@vdevops ~]# firewall-cmd --reloadsuccess[root@vdevops ~]# firewall-cmd --list-servicehttp ssh |
添加和移除端口
| [] | |
| success | |
| [] | |
| 465/tcp | |
| [] | |
| success | |
| [] | |
| [] | |
| success | |
| [] | |
| success | |
| [] | |
| 465/tcp |
加或删除禁止的 ICMP 类型
| [root@dlp ~]# firewall-cmd --add-icmp-block=echo-request # 添加禁止回应请求 | |
| success | |
| [root@dlp ~]# firewall-cmd --list-icmp-blocks | |
| echo-request | |
| [root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request # 移除添加的参数 | |
| success | |
| [root@dlp ~]# firewall-cmd --list-icmp-blocks | |
| [root@dlp ~]# firewall-cmd --get-icmptypes #显示 ICMP 支持的功能 | |
| destination-unreachable echo-reply echo-request parameter-problem redirect | |
| router-advertisement router-solicitation source-quench time-exceeded |
【2】如果不需要防火墙服务,关闭如下
| [root@vdevops ~]# systemctl stop firewalld # 停止防火墙服务 | |
| [root@vdevops ~]# systemctl disable firewalld # 禁止防火墙开机自启 | |
| Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. | |
| Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service. |
【3】SELinux 设置
| [] | |
| Enforcing | |
| [] | |
| [] |
【4】网络设置
1、设置静态 IP 和改变接口名称
| [root@vdevops ~]# nmcli c modify eno16777736 ipv4.addresses 10.1.1.56/24 # 设置静态 IP | |
| [root@vdevops ~]# nmcli c modify eno16777736 ipv4.gateway 10.1.1.1 #设置网关 | |
| [root@vdevops ~]# nmcli c modify eno16777736 ipv4.dns 10.1.1.1 # 设置 DNS | |
| [root@vdevops ~]# nmcli c modify eno16777736 ipv4.method manual #设置 ipv4 的类型为静态 | |
| [root@vdevops ~]# nmcli c down eno16777736;nmcli c up eno16777736 # 重启网络接口 | |
| Connection 'eno16777736' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/0) | |
| Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1) | |
| [root@vdevops ~]# nmcli d show eno16777736 # 查看网络接口状态 | |
| GENERAL.DEVICE: eno16777736 | |
| GENERAL.TYPE: ethernet | |
| GENERAL.HWADDR: 00:0C:29:B6:F5:5E | |
| GENERAL.MTU: 1500 | |
| GENERAL.STATE: 100 (connected) | |
| GENERAL.CONNECTION: eno16777736 | |
| GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/1 | |
| WIRED-PROPERTIES.CARRIER: on | |
| IP4.ADDRESS[1]: 10.1.1.56/24 | |
| IP4.GATEWAY: 10.1.1.1 | |
| IP4.DNS[1]: 10.1.1.1 | |
| IP6.ADDRESS[1]: fe80::20c:29ff:feb6:f55e/64 | |
| IP6.GATEWAY: | |
| [root@vdevops ~]# ip addr show # 查看 IP 状态 | |
| 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN | |
| link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 | |
| inet 127.0.0.1/8 scope host lo | |
| valid_lft forever preferred_lft forever | |
| inet6 ::1/128 scope host | |
| valid_lft forever preferred_lft forever | |
| 2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 | |
| link/ether 00:0c:29:b6:f5:5e brd ff:ff:ff:ff:ff:ff | |
| inet 10.1.1.56/24 brd 10.1.1.255 scope global eno16777736 | |
| valid_lft forever preferred_lft forever | |
| inet6 fe80::20c:29ff:feb6:f55e/64 scope link | |
| valid_lft forever preferred_lft forever |
2、禁用 IPV6
| [root@vdevops ~]# vim /etc/default/grub | |
| # 第六行,添加 | |
| GRUB_CMDLINE_LINUX="crashkernel=auto <span style="color:#FF0000;">ipv6.disable=1</span> rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet" | |
| [root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg | |
| Generating grub configuration file ... | |
| Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64 | |
| Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img | |
| Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64 | |
| Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img | |
| Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94 | |
| Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img | |
| done | |
| [root@vdevops ~]# reboot # 重启系统 |
3、如果要将网络接口名称用作 ethX,请按如下所示进行配置。
| [root@vdevops ~]# vim /etc/default/grub | |
| # 第六行添加 | |
| GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 net.ifnames=0 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet | |
| [root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg | |
| Generating grub configuration file ... | |
| Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64 | |
| Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img | |
| Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64 | |
| Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img | |
| Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94 | |
| Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img | |
| done |
【5】服务设置
1、查看服务状态
# 显示正在运行的服务
| [root@vdevops ~]# systemctl -t service | |
| UNIT LOAD ACTIVE SUB DESCRIPTION | |
| auditd.service loaded active running Security Auditing Service | |
| avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack | |
| crond.service loaded active running Command Scheduler | |
| dbus.service loaded active running D-Bus System Message Bus | |
| getty@tty1.service loaded active running Getty on tty1 | |
| ... | |
| ... | |
| ... | |
| systemd-udevd.service loaded active running udev Kernel Device Manager | |
| systemd-update-utmp.service loaded active exited Update UTMP about System Reboot/Shutdown | |
| systemd-user-sessions.service loaded active exited Permit User Sessions | |
| systemd-vconsole-setup.service loaded active exited Setup Virtual Console | |
| tuned.service loaded active running Dynamic System Tuning Daemon | |
| LOAD = Reflects whether the unit definition was properly loaded. | |
| ACTIVE = The high-level unit activation state, i.e. generalization of SUB. | |
| SUB = The low-level unit activation state, values depend on unit type. | |
| 39 loaded units listed. Pass --all to see loaded but inactive units, too. | |
| To show all installed unit files use 'systemctl list-unit-files'. |
# 显示所有服务
| [] | |
| UNIT FILE STATE | |
| auditd.service enabled | |
| autovt@.service disabled | |
| avahi-daemon.service enabled | |
| blk-availability.service disabled | |
| brandbot.service static | |
| ... | |
| ... | |
| ... | |
| systemd-user-sessions.service static | |
| systemd-vconsole-setup.service static | |
| teamd@.service static | |
| tuned.service enabled | |
| wpa_supplicant.service disabled | |
| 125 unit files listed. |
2、设置停止启动自动的服务
| [root@vdevops ~]# systemctl stop postfix #停止服务 | |
| [root@vdevops ~]# systemctl disable postfix | |
| Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service. | |
| [root@vdevops ~]# systemctl start postfix | |
| [root@vdevops ~]# systemctl enable postfix | |
| Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service. | |
| [root@vdevops ~]# systemctl status postfix | |
| ● postfix.service - Postfix Mail Transport Agent | |
| Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled) | |
| Active: active (running) since Wed 2016-10-26 18:40:35 CST; 15s ago | |
| Main PID: 10071 (master) | |
| CGroup: /system.slice/postfix.service | |
| ├─10071 /usr/libexec/postfix/master -w | |
| ├─10072 pickup -l -t unix -u | |
| └─10073 qmgr -l -t unix -u | |
| Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol | |
| Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol | |
| Oct 26 18:40:35 vdevops.com postfix[9999]: postsuper: warning: inet_protocols: disabling IPv6 name/address support: Address family no...rotocol | |
| Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol | |
| Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol | |
| Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol | |
| Oct 26 18:40:35 vdevops.com postfix/master[10071]: daemon started -- version 2.10.1, configuration /etc/postfix | |
| Oct 26 18:40:35 vdevops.com systemd[1]: Started Postfix Mail Transport Agent. | |
| Oct 26 18:40:35 vdevops.com postfix/qmgr[10073]: warning: inet_protocols: disabling IPv6 name/address support: Address family not sup...rotocol | |
| Oct 26 18:40:35 vdevops.com postfix/pickup[10072]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol | |
| Hint: Some lines were ellipsized, use -l to show in full. |
3、还有一些 SysV 服务。它们由 chkconfig 控制,如下所示
| [root@vdevops ~]# chkconfig --list | |
| Note: This output shows SysV services only and does not include native | |
| systemd services. SysV configuration data might be overridden by native | |
| systemd configuration. | |
| If you want to list systemd services use 'systemctl list-unit-files'. | |
| To see services enabled on particular target use | |
| 'systemctl list-dependencies [target]'. | |
| netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off | |
| network 0:off 1:off 2:on 3:on 4:on 5:on 6:off |
【6】更新系统添加其他源
yum update -y
添加其它源
添加一些有用的外部存储库来安装有用的软件
1、安装插件以向每个安装的存储库添加优先级。
| [] | |
| [] |
2、添加从 Fedora 项目提供的 EPEL 存储库
| [] | |
| [] | |
| [] | |
| [] |
3、添加 CentOS SCLo 软件集合存储库。
| [] | |
| [] | |
| [] | |
| [] | |
| [] | |
| [] | |
| [] |
4、添加 Remi 的 RPM 存储库,它提供了许多有用的包
| [] | |
| [] |
【7】配置特色的 vim
1、安装 vim [root@vdevops ~]# yum -y install vim-enhanced
2、设置别名
设置命令别名。(适用于以下所有用户,如果您申请某个用户,请在“〜/ .bashrc”中写入相同的设置)
| [root@dlp ~]# vi /etc/profile | |
| # 在最后添加下面一行内容 | |
| alias vi='vim' | |
| [root@dlp ~]# source /etc/profile #重载 | |
| 或者 | |
| echo "alias vi='vim'" >> /etc/profile && source /etc/profile |
3、配置 vim,针对所有用户生效修改 /etc/vimrc,针对特定用户生效修改~/.vimrc
主要用语法高亮,插件使用,自动缩进等功能,本文不做详细操作,后续会专门写一篇关于优化 vim 使用的博文,工欲善其事必先利其器
【8】设置 sudo
配置 sudo 以区分用户的职责,如果一些人共享权限,必手动安装 sudo,因为它默认安装,即使“最小安装”
1、设置普通用户拥有 root 的所有权限
| [root@vdevops ~]# visudo | |
| # 添加下面一行,使用户“wang”拥有 root 的所有权限 | |
| wang ALL=(ALL) ALL | |
| # 普通用户使用 root 命令 | |
| # 确保用户为 'wang' | |
| [wang@vdevops ~]$ /usr/bin/cat /etc/shadow | |
| cat: /etc/shadow: Permission denied# denied normally | |
| [wang@vdevops ~]$ sudo /usr/bin/cat /etc/shadow | |
| [sudo] password for cent:# own password | |
| daemon:*:16231:0:99999:7::: | |
| adm:*:16231:0:99999:7::: | |
| lp:*:16231:0:99999:7::: | |
| ... | |
| ... | |
| # 输入 wang 的密码可以看到执行结果 |
2、设置用户不能执行危险命令
| [root@vdevops ~]# visudo | |
| # 49 行: 定义别名 SHUTDOWN | |
| Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init | |
| # 设置用户 wang 不能执行别名 SHUTDOWN 对应的命令 | |
| wang ALL=(ALL) ALL, !SHUTDOWN | |
| # 确保用户为 'wang' | |
| [wang@vdevops ~]$ sudo /sbin/shutdown -r now | |
| Sorry, user cent is not allowed to execute '/sbin/shutdown -r now' as root on vdevops.com. # denied normally |
3、创建一个特殊的组,组用户可以执行部分 root 命令
| [root@vdevops ~]# visudo | |
| # 51 行: 为管理用户的几个命令设置别名为 USERMGR | |
| Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd | |
| # 最后一行添加 | |
| %usermgr ALL=(ALL) USERMGR | |
| [root@vdevops ~]# groupadd usermgr | |
| [root@vdevops ~]# usermod -G usermgr wang | |
| # 确保用户为 wang | |
| [wang@vdevops ~]$ sudo /usr/sbin/useradd testuser | |
| # 输入用户 wang 的密码,查看创建结果,显示成功 | |
| [wang@vdevops ~]$ sudo /usr/bin/passwd testuser | |
| Changing password for user testuser. | |
| New UNIX password: | |
| Retype new UNIX password: | |
| passwd: all authentication tokens updated successfully. |
4、设置 sudo 日志
sudo 的日志保存在 / var / log / secure 中,但它中有很多种类的日志。如果你想保持只有 sudo 的日志在一个文件,设置如下:
| [root@vdevops ~]# visudo | |
| # 最后一行添加 | |
| Defaults syslog=local1 | |
| [root@vdevops ~]# vi /etc/rsyslog.conf | |
| # 在 54 行修改,添加 local1.none | |
| *.info;mail.none;authpriv.none;cron.none;local1.none | |
| /var/log/messages | |
| # 添加下面一行内容 | |
| local1.* /var/log/sudo.log | |
| [root@vdevops ~]# systemctl restart rsyslog #重启 rsyslog 服务 |
正文完
星哥玩云-微信公众号
