Copyright notice: this article is the blogger's original work; please credit the source when reposting. https://blog.csdn.net/chaoyu168/article/details/76984944
1. Adding a user
Create a new user named "wang":
[root@vdevops ~]# useradd wang      # add the account
[root@vdevops ~]# passwd wang       # set its password
Changing password for user wang.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@vdevops ~]# exit              # log out
Using user "wang" as the example, make it the only account that can obtain administrator privileges with su:
[root@vdevops ~]# usermod -G wheel wang
[root@vdevops ~]# vim /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# uncomment the line below
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
Forward root's mail to that user (this is the last line of /etc/aliases; run newaliases afterwards so the change takes effect):
# Person who should get root's mail
# last line: uncomment it and change the user name
root:           wang
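As an added check (not part of the original post), the following shell functions verify the two settings above against a file: that /etc/pam.d/su has an active `pam_wheel.so use_uid` line with no active `trust` variant, and that the wheel group in /etc/group contains exactly the intended account. The sample inputs are constructed; point the functions at the real files to audit a host.

```shell
#!/usr/bin/env bash
# Added example; constructed sample inputs, not copied from any real host.
PAM_SU_SAMPLE='#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
account         include         system-auth'

GROUP_SAMPLE='root:x:0:
wheel:x:10:wang
users:x:100:'

# Exit 0 when su is restricted to the wheel group: an uncommented
# "auth required pam_wheel.so ... use_uid" line exists, and no uncommented
# pam_wheel.so line carries "trust" (that variant lets wheel members su
# without a password). Reads the file given as $1, or stdin if no argument.
su_restricted_to_wheel() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip commented-out lines
        $1 == "auth" && $3 ~ /pam_wheel\.so$/ {
            has_trust = 0; has_uid = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "trust") has_trust = 1
                if ($i == "use_uid") has_uid = 1
            }
            if (has_trust) trusted = 1
            else if ($2 == "required" && has_uid) found = 1
        }
        END { if (found && !trusted) exit 0; exit 1 }' "$@"
}

# Print the members of the wheel group from a group(5) file, one per line.
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$@"
}

# Number of wheel members; the goal above is exactly one (the admin account).
wheel_member_count() {
    wheel_members "$@" | wc -l | tr -d ' '
}

# Audit a real host:
#   su_restricted_to_wheel /etc/pam.d/su && [ "$(wheel_member_count /etc/group)" = 1 ]
```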
2. Firewall and SELinux
【1】Firewall
Check the firewall status:
[root@vdevops ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2016-10-26 01:09:49 CST; 1h 36min ago
 Main PID: 744 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─744 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Oct 26 01:09:46 vdevops.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 26 01:09:49 vdevops.com systemd[1]: Started firewalld - dynamic firewall daemon.
Basic firewall operations:
[root@vdevops ~]# systemctl start firewalld      # start the firewall
[root@vdevops ~]# systemctl enable firewalld     # start it automatically at boot
By default the "public" zone is applied to the NIC, and only dhcpv6-client and ssh are allowed in it. When working with the firewall-cmd command, a command given without a --zone=*** option applies to the default zone.
# show the default zone
[root@vdevops ~]# firewall-cmd --get-default-zone
public
# show the current settings
[root@vdevops ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
# show all zones
[root@vdevops ~]# firewall-cmd --list-all-zones
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
...
# show the services allowed in a specific zone
[root@vdevops ~]# firewall-cmd --list-service --zone=external
ssh
# change the default zone
[root@vdevops ~]# firewall-cmd --set-default-zone=external
success
# move an interface into a specific zone
[root@vdevops ~]# firewall-cmd --change-interface=eth1 --zone=external
success
# show the state of a specific zone
[root@vdevops ~]# firewall-cmd --list-all --zone=external
external (default, active)
  interfaces: eno16777736 eth1
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
# Note: an interface can only be assigned to a zone if it actually exists on the system.
Show the predefined services:
[root@vdevops ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https
# the service definitions are XML files in the directory below; a new service is defined by adding a matching XML file
# (custom definitions are better placed in /etc/firewalld/services, which takes precedence and survives package updates)
[root@vdevops ~]# ls /usr/lib/firewalld/services
amanda-client.xml freeipa-ldap.xml ipp.xml libvirt.xml pmcd.xml RH-Satellite-6.xml tftp-client.xml
bacula-client.xml freeipa-replication.xml ipsec.xml mdns.xml pmproxy.xml rpc-bind.xml tftp.xml
bacula.xml ftp.xml iscsi-target.xml mountd.xml pmwebapis.xml rsyncd.xml transmission-client.xml
dhcpv6-client.xml high-availability.xml kerberos.xml ms-wbt.xml pmwebapi.xml samba-client.xml vdsm.xml
dhcpv6.xml https.xml kpasswd.xml mysql.xml pop3s.xml samba.xml vnc-server.xml
dhcp.xml http.xml ldaps.xml nfs.xml postgresql.xml smtp.xml wbem-https.xml
dns.xml imaps.xml ldap.xml ntp.xml proxy-dhcp.xml ssh.xml
freeipa-ldaps.xml ipp-client.xml libvirt-tls.xml openvpn.xml radius.xml telnet.xml
Add or remove allowed services. A change made this way only affects the runtime configuration and is lost after a reboot (or after a firewall-cmd --reload); to make it permanent, add the --permanent option.
# example: add the http service
[root@vdevops ~]# firewall-cmd --add-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh
# remove the http service again
[root@vdevops ~]# firewall-cmd --remove-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
ssh
# add the http service permanently
[root@vdevops ~]# firewall-cmd --add-service=http --permanent
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh
Add and remove ports:
[root@vdevops ~]# firewall-cmd --add-port=465/tcp                # open a port
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp
[root@vdevops ~]# firewall-cmd --remove-port=465/tcp             # close it again
success
[root@vdevops ~]# firewall-cmd --list-port
[root@vdevops ~]# firewall-cmd --add-port=465/tcp --permanent    # open a port permanently
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp
Add or remove blocked ICMP types:
[root@dlp ~]# firewall-cmd --add-icmp-block=echo-request      # block echo requests (ping)
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
echo-request
[root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request   # remove the block again
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
[root@dlp ~]# firewall-cmd --get-icmptypes                    # list the supported ICMP types
destination-unreachable echo-reply echo-request parameter-problem redirect
router-advertisement router-solicitation source-quench time-exceeded
【2】If the firewall service is not needed, disable it as follows:
[root@vdevops ~]# systemctl stop firewalld       # stop the firewall service
[root@vdevops ~]# systemctl disable firewalld    # do not start it at boot
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
3. SELinux
[root@vdevops ~]# getenforce    # show the current SELinux mode
Enforcing
[root@vdevops ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config    # disable SELinux permanently, effective after the next reboot (the key in the file is lowercase "enforcing"; the original pattern "Enforcing" matched nothing)
[root@vdevops ~]# setenforce 0    # switch to permissive mode right away, no reboot needed
4. Network settings
【1】Set a static IP and change the interface name
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.addresses 10.1.1.56/24    # set a static IP address
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.gateway 10.1.1.1           # set the gateway
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.dns 10.1.1.1               # set the DNS server
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.method manual              # switch IPv4 to static (manual) configuration
[root@vdevops ~]# nmcli c down eno16777736; nmcli c up eno16777736           # restart the connection
Connection 'eno16777736' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/0)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[root@vdevops ~]# nmcli d show eno16777736    # show the interface status
GENERAL.DEVICE: eno16777736
GENERAL.TYPE: ethernet
GENERAL.HWADDR: 00:0C:29:B6:F5:5E
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONNECTION: eno16777736
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/1
WIRED-PROPERTIES.CARRIER: on
IP4.ADDRESS[1]: 10.1.1.56/24
IP4.GATEWAY: 10.1.1.1
IP4.DNS[1]: 10.1.1.1
IP6.ADDRESS[1]: fe80::20c:29ff:feb6:f55e/64
IP6.GATEWAY:
[root@vdevops ~]# ip addr show    # show the IP configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b6:f5:5e brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.56/24 brd 10.1.1.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb6:f55e/64 scope link
       valid_lft forever preferred_lft forever
【2】Disable IPv6
[root@vdevops ~]# vim /etc/default/grub
# line 6: add ipv6.disable=1
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
[root@vdevops ~]# reboot    # reboot the system
【3】To use the classic ethX naming for network interfaces, configure it as follows:
[root@vdevops ~]# vim /etc/default/grub
# line 6: add net.ifnames=0 (the line must keep its closing double quote)
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 net.ifnames=0 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
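The two GRUB edits above are done by hand, which is easy to get wrong (a dropped closing quote, or the same parameter appended twice when the step is re-run). As an added example, not from the original post, the following shell functions add a kernel parameter to GRUB_CMDLINE_LINUX only if it is not already present, and repair a missing closing quote; run grub2-mkconfig afterwards exactly as shown above.

```shell
#!/usr/bin/env bash
# Added example: idempotent editing of GRUB_CMDLINE_LINUX in /etc/default/grub.

# grub_has_param FILE PARAM -> exit 0 if PARAM is already a token on the line
grub_has_param() {
    awk -v p="$2" '
        /^GRUB_CMDLINE_LINUX=/ {
            v = $0
            sub(/^GRUB_CMDLINE_LINUX=/, "", v)
            sub(/^"/, "", v)                        # strip the opening quote
            sub(/"[[:space:]]*$/, "", v)            # strip the closing quote, if present
            n = split(v, t, " ")
            for (i = 1; i <= n; i++) if (t[i] == p) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# grub_add_param FILE PARAM -> append PARAM inside the quotes unless it is
# already there. A line that lost its closing quote is closed again.
grub_add_param() {
    local file=$1 param=$2 tmp
    grub_has_param "$file" "$param" && return 0
    tmp=$(mktemp) || return 1
    awk -v p="$param" '
        /^GRUB_CMDLINE_LINUX=/ {
            sub(/"[[:space:]]*$/, "")               # drop the closing quote
            sep = ($0 ~ /="$/) ? "" : " "           # no leading space for an empty value
            $0 = $0 sep p "\""                      # append the token, close the quote
        }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Typical use (then regenerate grub.cfg and reboot, as in the steps above):
#   grub_add_param /etc/default/grub ipv6.disable=1
#   grub_add_param /etc/default/grub net.ifnames=0
#   grub2-mkconfig -o /boot/grub2/grub.cfg
```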
5. Services
【1】Check service status
# show running services
[root@vdevops ~]# systemctl -t service
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
getty@tty1.service loaded active running Getty on tty1
...
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-update-utmp.service loaded active exited Update UTMP about System Reboot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
systemd-vconsole-setup.service loaded active exited Setup Virtual Console
tuned.service loaded active running Dynamic System Tuning Daemon

LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.

39 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

# show all services
[root@vdevops ~]# systemctl list-unit-files -t service

UNIT FILE STATE
auditd.service enabled
autovt@.service disabled
avahi-daemon.service enabled
blk-availability.service disabled
brandbot.service static
...
systemd-user-sessions.service static
systemd-vconsole-setup.service static
teamd@.service static
tuned.service enabled
wpa_supplicant.service disabled

125 unit files listed.
【2】Stop and start a service, and control whether it starts at boot
[root@vdevops ~]# systemctl stop postfix       # stop the service
[root@vdevops ~]# systemctl disable postfix    # do not start it at boot
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service.
[root@vdevops ~]# systemctl start postfix      # start the service
[root@vdevops ~]# systemctl enable postfix     # start it at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service.
[root@vdevops ~]# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2016-10-26 18:40:35 CST; 15s ago
 Main PID: 10071 (master)
   CGroup: /system.slice/postfix.service
           ├─10071 /usr/libexec/postfix/master -w
           ├─10072 pickup -l -t unix -u
           └─10073 qmgr -l -t unix -u

Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: postsuper: warning: inet_protocols: disabling IPv6 name/address support: Address family no...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: daemon started -- version 2.10.1, configuration /etc/postfix
Oct 26 18:40:35 vdevops.com systemd[1]: Started Postfix Mail Transport Agent.
Oct 26 18:40:35 vdevops.com postfix/qmgr[10073]: warning: inet_protocols: disabling IPv6 name/address support: Address family not sup...rotocol
Oct 26 18:40:35 vdevops.com postfix/pickup[10072]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Hint: Some lines were ellipsized, use -l to show in full.
【3】A few SysV services remain; they are controlled with chkconfig, as shown below:
[root@vdevops ~]# chkconfig --list

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

netconsole      0:off 1:off 2:off 3:off 4:off 5:off 6:off
network         0:off 1:off 2:on  3:on  4:on  5:on  6:off
6. Update the system and add extra repositories
yum update -y
Add additional repositories
Add a few useful third-party repositories to install extra software from.
【1】Install the plugin that assigns a priority to each configured repository:
[root@vdevops ~]# yum -y install yum-plugin-priorities
# give the official repositories the highest priority [priority=1]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=1/g" /etc/yum.repos.d/CentOS-Base.repo
【2】Add the EPEL repository provided by the Fedora project:
[root@vdevops ~]# yum -y install epel-release
# set the priority [priority=5]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=5/g" /etc/yum.repos.d/epel.repo

# with enabled=0 the repository is only used when it is explicitly enabled for an install
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo

# with [enabled=0], install packages from it like this
[root@vdevops ~]# yum --enablerepo=epel install [Package]
【3】Add the CentOS SCLo Software Collections repository:
[root@vdevops ~]# yum -y install centos-release-scl-rh centos-release-scl
# set the priority [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo

# set [enabled=0]
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo

# with [enabled=0], enable the repository on demand as follows
[root@vdevops ~]# yum --enablerepo=centos-sclo-rh install [Package]
[root@vdevops ~]# yum --enablerepo=centos-sclo-sclo install [Package]
【4】Add Remi's RPM repository, which provides many useful packages:
[root@vdevops ~]# yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
# set the priority [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/remi-safe.repo
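The sed one-liners in steps 【1】 to 【4】 insert a priority= line after every section header each time they run, so re-running a step leaves duplicate keys behind. As an added example, not from the original post, the following shell functions do the same job idempotently: each [section] ends up with exactly one priority= line, and a second run (or a run with a new value) replaces rather than duplicates it.

```shell
#!/usr/bin/env bash
# Added example: idempotent replacement for the "sed ... priority=N" one-liners.

# set_repo_priority FILE N -> every [section] in FILE gets exactly one
# "priority=N" line right after its header; stale priority= lines are dropped.
set_repo_priority() {
    local file=$1 prio=$2 tmp
    tmp=$(mktemp) || return 1
    awk -v p="$prio" '
        /^\[[^]]+\][[:space:]]*$/ { print; print "priority=" p; next }   # section header
        /^[[:space:]]*priority[[:space:]]*=/ { next }                    # old priority line
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# repo_priority FILE SECTION -> print the priority of [SECTION], empty if none
repo_priority() {
    awk -v s="[$2]" '
        $0 == s { insec = 1; next }
        /^\[/ { insec = 0 }
        insec && /^[[:space:]]*priority[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# Typical use, mirroring the steps above:
#   set_repo_priority /etc/yum.repos.d/CentOS-Base.repo 1
#   set_repo_priority /etc/yum.repos.d/epel.repo 5
#   set_repo_priority /etc/yum.repos.d/remi-safe.repo 10
```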
7. Setting up vim
【1】Install vim
[root@vdevops ~]# yum -y install vim-enhanced
【2】Set an alias
Set a command alias. (The setting below applies to all users; to apply it to a single user, put the same line in that user's ~/.bashrc.)
[root@dlp ~]# vi /etc/profile
# add the following line at the end
alias vi='vim'
[root@dlp ~]# source /etc/profile    # reload
or
echo "alias vi='vim'" >> /etc/profile && source /etc/profile
【3】Configure vim: edit /etc/vimrc for all users, or ~/.vimrc for a single user.
This mainly covers syntax highlighting, plugins, auto-indentation and similar features. They are not covered in detail here; a separate post on tuning vim will follow. As the saying goes, a craftsman who wants to do good work must first sharpen his tools.
8. Setting up sudo
Configure sudo to separate users' responsibilities when several people share administrative privileges. There is no need to install sudo manually: it is installed by default, even on a "Minimal Install".
【1】Give a regular user full root privileges
[root@vdevops ~]# visudo
# add the following line so that user "wang" has full root privileges
wang    ALL=(ALL)       ALL

# run a root-only command as the regular user
# make sure you are logged in as 'wang'

[wang@vdevops ~]$ /usr/bin/cat /etc/shadow
cat: /etc/shadow: Permission denied    # denied normally
[wang@vdevops ~]$ sudo /usr/bin/cat /etc/shadow

[sudo] password for cent:    # own password

daemon:*:16231:0:99999:7:::
adm:*:16231:0:99999:7:::
lp:*:16231:0:99999:7:::
...
...
# after entering wang's own password the command output appears
【2】Exclude specific commands from a user's sudo privileges
[root@vdevops ~]# visudo
# line 49: define the command alias SHUTDOWN

Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init
# user wang may run everything except the commands in the SHUTDOWN alias
wang    ALL=(ALL)       ALL, !SHUTDOWN
# make sure you are logged in as 'wang'
[wang@vdevops ~]$ sudo /sbin/shutdown -r now

Sorry, user cent is not allowed to execute '/sbin/shutdown -r now' as root on vdevops.com.    # denied normally
The sudoers manual warns that a "!" exclusion on top of ALL is not an effective security boundary; where the restriction matters, grant an explicit list of allowed commands instead, as in 【3】 below.
【3】Create a dedicated group whose members may run a subset of root commands
[root@vdevops ~]# visudo
# line 51: define the alias USERMGR for the user-management commands

Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd

# add at the end
%usermgr ALL=(ALL) USERMGR
[root@vdevops ~]# groupadd usermgr

[root@vdevops ~]# usermod -aG usermgr wang    # -a appends; a plain -G would replace wang's supplementary groups and drop the wheel membership set up in section 1

# make sure you are logged in as wang
[wang@vdevops ~]$ sudo /usr/sbin/useradd testuser
# enter wang's password; the user is created successfully
[wang@vdevops ~]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
【4】Logging sudo
sudo's log entries go to /var/log/secure, which also carries many other kinds of messages. To keep only the sudo log in a file of its own, configure the following:
[root@vdevops ~]# visudo
# add at the end
Defaults syslog=local1
[root@vdevops ~]# vi /etc/rsyslog.conf
# line 54: add local1.none so that these messages no longer also land in /var/log/messages
*.info;mail.none;authpriv.none;cron.none;local1.none                /var/log/messages
# add the following line
local1.*                                                /var/log/sudo.log

[root@vdevops ~]# systemctl restart rsyslog    # restart rsyslog
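Once sudo writes to its own file as configured above, the log is easy to review. As an added example, not from the original post, the following shell functions summarise a sudo log: one reports every refused or failed attempt (a "command not allowed" refusal from the exclusion in 【2】, repeated wrong passwords, a user who is not in sudoers), the other counts granted and denied entries per user. The log lines are constructed in sudo's syslog format, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example: summarising the dedicated sudo log set up above.
# Constructed sample entries in sudo's syslog format (not from a real host).
SUDO_LOG_SAMPLE='Oct 26 19:02:11 vdevops sudo:     wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Oct 26 19:03:40 vdevops sudo:     wang : command not allowed ; TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/sbin/shutdown -r now
Oct 26 19:04:15 vdevops sudo:     wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/sbin/useradd testuser
Oct 26 19:05:02 vdevops sudo:     wang : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/bin/passwd testuser
Oct 26 19:06:00 vdevops sudo:  mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash'

# A granted entry has "TTY=" right after "user :"; anything else in that
# position is the reason the request was refused or failed.
# sudo_denied [FILE] -> "user<TAB>reason<TAB>command" per refused/failed entry
sudo_denied() {
    awk '
        /sudo: / {
            line = $0
            sub(/.*sudo:[[:space:]]*/, "", line)    # -> "wang : TTY=... ; PWD=... ; COMMAND=..."
            n = split(line, f, " ; ")
            split(f[1], h, " : ")                    # h[1] = user, h[2] = first field or reason
            if (h[2] ~ /^TTY=/) next
            cmd = ""
            for (i = 2; i <= n; i++) if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
            printf "%s\t%s\t%s\n", h[1], h[2], cmd
        }' "$@"
}

# sudo_summary [FILE] -> one line per user: "user granted denied", sorted by user
sudo_summary() {
    awk '
        /sudo: / {
            line = $0
            sub(/.*sudo:[[:space:]]*/, "", line)
            split(line, f, " ; "); split(f[1], h, " : ")
            seen[h[1]] = 1
            if (h[2] ~ /^TTY=/) ok[h[1]]++; else no[h[1]]++
        }
        END { for (u in seen) print u, ok[u] + 0, no[u] + 0 }' "$@" | sort
}

# On a host configured as above:  sudo_denied /var/log/sudo.log
```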