共计 15451 个字符,预计需要花费 39 分钟才能阅读完成。
| 导读 | 作为生产环境的 Linux 服务器,安装按成系统一般都会进行一些初始化操作,本文以 CentOS7 为例,介绍系统安装完成之后应该进行的初始化操作。 |
1、添加用户
新增名为 ”wang” 的用户
[root@vdevops ~]# useradd wang # 添加账户
[root@vdevops ~]# passwd wang # 设置密码
Changing password for user wang.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@vdevops ~]# exit # 退出 以用户 ”wang” 为例,设置其为唯一拥有管理员权限的账户
[root@vdevops ~]# usermod -G wheel wang
[root@vdevops ~]# vim /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# 取消下面一行的注释
auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
# 设置 root 账户的邮件转发
# Person who should get root's mail
# 最后一行,取消注释,改变用户名称
root: wang2、设置防火墙和 SELINUX
【1】防火墙
查看防火墙状态
[root@vdevops ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2016-10-26 01:09:49 CST; 1h 36min ago
Main PID: 744 (firewalld)
CGroup: /system.slice/firewalld.service
└─744 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Oct 26 01:09:46 vdevops.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 26 01:09:49 vdevops.com systemd[1]: Started firewalld - dynamic firewall daemon.防火墙基本操作
[root@vdevops ~]# systemctl start firewalld # 启动防火墙
[root@vdevops ~]# systemctl enable firewalld # 设置防火墙开机自启
默认情况下,“public”区域应用于 NIC,dhcpv6-client 和 ssh 是允许的。当使用“firewall-cmd”命令操作时,如果输入命令不带“--zone = ***”规范,则配置设置为默认区域。# 显示默认区域
[root@vdevops ~]# firewall-cmd --get-default-zone
public
# 显示当前设置
[root@vdevops ~]# firewall-cmd --list-all
public (default, active)
interfaces: eno16777736
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
# 显示全部区域
[root@vdevops ~]# firewall-cmd --list-all-zones
block
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
dmz
interfaces:
sources:
services: ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
...
# 显示特定区域允许的服务
[root@vdevops ~]# firewall-cmd --list-service --zone=external
ssh
# 改变默认区域
[root@vdevops ~]# firewall-cmd --set-default-zone=external
success
# 改变制定区域的接口
[root@vdevops ~]# firewall-cmd --change-interface=eth1 --zone=external
success
# 显示制定区域的状态
[root@vdevops ~]# firewall-cmd --list-all --zone=external
external (default, active)
interfaces: eno16777736 eth1
sources:
services: ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:# 注:改变制定区域的接口,前提是次接口在当前系统是存在的
显示默认定义的服务
[root@vdevops ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https
#定义文件路径如下,如果需要添加新的定义文件,在下面目录添加相应的 XML 文件
[root@vdevops ~]# ls /usr/lib/firewalld/services
amanda-client.xml freeipa-ldap.xml ipp.xml libvirt.xml pmcd.xml RH-Satellite-6.xml tftp-client.xml
bacula-client.xml freeipa-replication.xml ipsec.xml mdns.xml pmproxy.xml rpc-bind.xml tftp.xml
bacula.xml ftp.xml iscsi-target.xml mountd.xml pmwebapis.xml rsyncd.xml transmission-client.xml
dhcpv6-client.xml high-availability.xml kerberos.xml ms-wbt.xml pmwebapi.xml samba-client.xml vdsm.xml
dhcpv6.xml https.xml kpasswd.xml mysql.xml pop3s.xml samba.xml vnc-server.xml
dhcp.xml http.xml ldaps.xml nfs.xml postgresql.xml smtp.xml wbem-https.xml
dns.xml imaps.xml ldap.xml ntp.xml proxy-dhcp.xml ssh.xml
freeipa-ldaps.xml ipp-client.xml libvirt-tls.xml openvpn.xml radius.xml telnet.xml添加或删除允许的服务,重新启动系统后,更改将恢复。如果永久更改设置,请添加“–permanent”选项。
# 以添加 http 服务为例
[root@vdevops ~]# firewall-cmd --add-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh
#移除添加的 http
<pre name="code" class="html">[root@vdevops ~]# firewall-cmd --remove-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
ssh# 添加 http 服务,永久生效
[root@vdevops ~]# firewall-cmd --add-service=http --permanentsuccess
[root@vdevops ~]# firewall-cmd --reloadsuccess[root@vdevops ~]# firewall-cmd --list-servicehttp ssh添加和移除端口
[root@vdevops ~]# firewall-cmd --add-port=465/tcp # 添加端口
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp
[root@vdevops ~]# firewall-cmd --remove-port=465/tcp # 移除端口
success
[root@vdevops ~]# firewall-cmd --list-port
[root@vdevops ~]# firewall-cmd --add-port=465/tcp --permanent # 添加端口,永久生效
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp加或删除禁止的 ICMP 类型
[root@dlp ~]# firewall-cmd --add-icmp-block=echo-request # 添加禁止回应请求
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
echo-request
[root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request # 移除添加的参数
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
[root@dlp ~]# firewall-cmd --get-icmptypes #显示 ICMP 支持的功能
destination-unreachable echo-reply echo-request parameter-problem redirect
router-advertisement router-solicitation source-quench time-exceeded【2】如果不需要防火墙服务,关闭如下
[root@vdevops ~]# systemctl stop firewalld # 停止防火墙服务
[root@vdevops ~]# systemctl disable firewalld # 禁止防火墙开机自启
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.【3】SELinux 设置
[root@vdevops ~]# getenforce # 查看 SELINUX 工作模式
Enforcing
[root@vdevops ~]# sed -i 's/SELINUX=Enforcing/SELINUX=disabled/' /etc/selinux/config # 禁用 SELINUX
[root@vdevops ~]# setenforce 0 # 临时禁用 SELINUX,无需重启 【4】网络设置
1、设置静态 IP 和改变接口名称
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.addresses 10.1.1.56/24 # 设置静态 IP
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.gateway 10.1.1.1 #设置网关
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.dns 10.1.1.1 # 设置 DNS
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.method manual #设置 ipv4 的类型为静态
[root@vdevops ~]# nmcli c down eno16777736;nmcli c up eno16777736 # 重启网络接口
Connection 'eno16777736' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/0)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[root@vdevops ~]# nmcli d show eno16777736 # 查看网络接口状态
GENERAL.DEVICE: eno16777736
GENERAL.TYPE: ethernet
GENERAL.HWADDR: 00:0C:29:B6:F5:5E
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONNECTION: eno16777736
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/1
WIRED-PROPERTIES.CARRIER: on
IP4.ADDRESS[1]: 10.1.1.56/24
IP4.GATEWAY: 10.1.1.1
IP4.DNS[1]: 10.1.1.1
IP6.ADDRESS[1]: fe80::20c:29ff:feb6:f55e/64
IP6.GATEWAY:
[root@vdevops ~]# ip addr show # 查看 IP 状态
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:b6:f5:5e brd ff:ff:ff:ff:ff:ff
inet 10.1.1.56/24 brd 10.1.1.255 scope global eno16777736
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:feb6:f55e/64 scope link
valid_lft forever preferred_lft forever2、禁用 IPV6
[root@vdevops ~]# vim /etc/default/grub
# 第六行,添加
GRUB_CMDLINE_LINUX="crashkernel=auto <span style="color:#FF0000;">ipv6.disable=1</span> rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
[root@vdevops ~]# reboot # 重启系统 3、如果要将网络接口名称用作 ethX,请按如下所示进行配置。
[root@vdevops ~]# vim /etc/default/grub
# 第六行添加
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 net.ifnames=0 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done【5】服务设置
1、查看服务状态
# 显示正在运行的服务
[root@vdevops ~]# systemctl -t service
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
getty@tty1.service loaded active running Getty on tty1
...
...
...
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-update-utmp.service loaded active exited Update UTMP about System Reboot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
systemd-vconsole-setup.service loaded active exited Setup Virtual Console
tuned.service loaded active running Dynamic System Tuning Daemon
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
39 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.# 显示所有服务
[root@vdevops ~]# systemctl list-unit-files -t service
UNIT FILE STATE
auditd.service enabled
autovt@.service disabled
avahi-daemon.service enabled
blk-availability.service disabled
brandbot.service static
...
...
...
systemd-user-sessions.service static
systemd-vconsole-setup.service static
teamd@.service static
tuned.service enabled
wpa_supplicant.service disabled
125 unit files listed.2、设置停止启动自动的服务
[root@vdevops ~]# systemctl stop postfix #停止服务
[root@vdevops ~]# systemctl disable postfix
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service.
[root@vdevops ~]# systemctl start postfix
[root@vdevops ~]# systemctl enable postfix
Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service.
[root@vdevops ~]# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2016-10-26 18:40:35 CST; 15s ago
Main PID: 10071 (master)
CGroup: /system.slice/postfix.service
├─10071 /usr/libexec/postfix/master -w
├─10072 pickup -l -t unix -u
└─10073 qmgr -l -t unix -u
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: postsuper: warning: inet_protocols: disabling IPv6 name/address support: Address family no...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: daemon started -- version 2.10.1, configuration /etc/postfix
Oct 26 18:40:35 vdevops.com systemd[1]: Started Postfix Mail Transport Agent.
Oct 26 18:40:35 vdevops.com postfix/qmgr[10073]: warning: inet_protocols: disabling IPv6 name/address support: Address family not sup...rotocol
Oct 26 18:40:35 vdevops.com postfix/pickup[10072]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Hint: Some lines were ellipsized, use -l to show in full.3、还有一些 SysV 服务。它们由 chkconfig 控制,如下所示
[root@vdevops ~]# chkconfig --list
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.
If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off【6】更新系统添加其他源
yum update -y添加其它源
添加一些有用的外部存储库来安装有用的软件
1、安装插件以向每个安装的存储库添加优先级。
[root@vdevops ~]# yum -y install yum-plugin-priorities
# 设置官方源的优先级为 [priority=1]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=1/g" /etc/yum.repos.d/CentOS-Base.repo2、添加从 Fedora 项目提供的 EPEL 存储库
[root@vdevops ~]# yum -y install epel-release
# 设置优先级 [priority=5]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=5/g" /etc/yum.repos.d/epel.repo
# 可以通过设置 enabled=0,来控制安装软件包时使用相应的源
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo
# 如果 [enabled=0], 使用下面命令安装软件包
[root@vdevops ~]# yum --enablerepo=epel install [Package]3、添加 CentOS SCLo 软件集合存储库。
[root@vdevops ~]# yum -y install centos-release-scl-rh centos-release-scl
# 设置优先级 [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# 设置 [enabled=0]
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# 设置 [enabled=0], 通过下面命令使用相应源
[root@vdevops ~]# yum --enablerepo=centos-sclo-rh install [Package]
[root@vdevops ~]# yum --enablerepo=centos-sclo-sclo install [Package]4、添加 Remi 的 RPM 存储库,它提供了许多有用的包
[root@vdevops ~]# yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
# 设置优先级 [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/remi-safe.repo【7】配置特色的 vim
1、安装 vim [root@vdevops ~]# yum -y install vim-enhanced
2、设置别名
设置命令别名。(适用于以下所有用户,如果您申请某个用户,请在“〜/ .bashrc”中写入相同的设置)
[root@dlp ~]# vi /etc/profile
# 在最后添加下面一行内容
alias vi='vim'
[root@dlp ~]# source /etc/profile #重载
或者
echo "alias vi='vim'" >> /etc/profile && source /etc/profile3、配置 vim,针对所有用户生效修改 /etc/vimrc,针对特定用户生效修改~/.vimrc
主要用语法高亮,插件使用,自动缩进等功能,本文不做详细操作,后续会专门写一篇关于优化 vim 使用的博文,工欲善其事必先利其器
【8】设置 sudo
配置 sudo 以区分用户的职责,如果一些人共享权限,必手动安装 sudo,因为它默认安装,即使“最小安装”
1、设置普通用户拥有 root 的所有权限
[root@vdevops ~]# visudo
# 添加下面一行,使用户“wang”拥有 root 的所有权限
wang ALL=(ALL) ALL
# 普通用户使用 root 命令
# 确保用户为 'wang'
[wang@vdevops ~]$ /usr/bin/cat /etc/shadow
cat: /etc/shadow: Permission denied# denied normally
[wang@vdevops ~]$ sudo /usr/bin/cat /etc/shadow
[sudo] password for cent:# own password
daemon:*:16231:0:99999:7:::
adm:*:16231:0:99999:7:::
lp:*:16231:0:99999:7:::
...
...
# 输入 wang 的密码可以看到执行结果 2、设置用户不能执行危险命令
[root@vdevops ~]# visudo
# 49 行: 定义别名 SHUTDOWN
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init
# 设置用户 wang 不能执行别名 SHUTDOWN 对应的命令
wang ALL=(ALL) ALL, !SHUTDOWN
# 确保用户为 'wang'
[wang@vdevops ~]$ sudo /sbin/shutdown -r now
Sorry, user cent is not allowed to execute '/sbin/shutdown -r now' as root on vdevops.com. # denied normally3、创建一个特殊的组,组用户可以执行部分 root 命令
[root@vdevops ~]# visudo
# 51 行: 为管理用户的几个命令设置别名为 USERMGR
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
# 最后一行添加
%usermgr ALL=(ALL) USERMGR
[root@vdevops ~]# groupadd usermgr
[root@vdevops ~]# usermod -G usermgr wang
# 确保用户为 wang
[wang@vdevops ~]$ sudo /usr/sbin/useradd testuser
# 输入用户 wang 的密码,查看创建结果,显示成功
[wang@vdevops ~]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.4、设置 sudo 日志
sudo 的日志保存在 / var / log / secure 中,但它中有很多种类的日志。如果你想保持只有 sudo 的日志在一个文件,设置如下:
[root@vdevops ~]# visudo
# 最后一行添加
Defaults syslog=local1
[root@vdevops ~]# vi /etc/rsyslog.conf
# 在 54 行修改,添加 local1.none
*.info;mail.none;authpriv.none;cron.none;local1.none
/var/log/messages
# 添加下面一行内容
local1.* /var/log/sudo.log
[root@vdevops ~]# systemctl restart rsyslog #重启 rsyslog 服务
正文完
星哥说事-微信公众号
