Add a user named "wang"
[root@vdevops ~]# useradd wang    # create the account
[root@vdevops ~]# passwd wang     # set its password
Changing password for user wang.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@vdevops ~]# exit    # log out
Using user "wang" as the example, make it the only account with administrator privileges (the only one allowed to su to root)
[root@vdevops ~]# usermod -G wheel wang
[root@vdevops ~]# vim /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# uncomment the next line
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
# forward root's mail to this user
[root@vdevops ~]# vim /etc/aliases
# Person who should get root's mail
# last line: uncomment it and change the user name
root:           wang
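As an added example (not part of the original post), here is a small POSIX shell audit that confirms the su restriction above actually took effect. It reads a copy of /etc/pam.d/su and of /etc/group on stdin, so it needs no root and can be run against backups; the two PAM samples and the group fragment below are constructed to mirror the stock CentOS 7 file, with only the "required" line uncommented in the first sample. The three result words (restricted, restricted-nopasswd, open) are this example's own labels, not firewalld or PAM terminology.

```bash
#!/bin/sh
# Added example: audit a copy of /etc/pam.d/su to see whether `su` is limited
# to the wheel group. Input comes from stdin so no root access is needed.

# Print the effective rules: comments stripped, whitespace normalised.
pam_active_rules() {
    sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' -e '/^$/d'
}

# Classify the su policy of the file on stdin:
#   restricted           only wheel members may su, and must enter root's password
#   restricted-nopasswd  only wheel members may su, but the "trust" line skips the password
#   open                 anyone who knows root's password may su
check_su_policy() {
    rules=$(pam_active_rules)
    if printf '%s\n' "$rules" | grep -q '^auth required pam_wheel.so.*use_uid'; then
        if printf '%s\n' "$rules" | grep -q '^auth sufficient pam_wheel.so trust'; then
            echo restricted-nopasswd
        else
            echo restricted
        fi
    else
        echo open
    fi
}

# Return 0 if user $2 is listed in group $1, reading /etc/group content from stdin.
user_in_group() {
    members=$(sed -n "s/^$1:[^:]*:[^:]*://p")
    case ",$members," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample: stock CentOS 7 file with the "required" line uncommented.
SU_RESTRICTED='#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet'

# Constructed sample: stock file with nothing uncommented.
SU_OPEN='#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth'

# Constructed /etc/group fragment.
GROUP_FILE='root:x:0:
wheel:x:10:wang
usermgr:x:1001:wang,alice'

# Stand-alone run: classify both samples and check wang's wheel membership.
printf 'restricted sample: %s\n' "$(printf '%s\n' "$SU_RESTRICTED" | check_su_policy)"
printf 'open sample:       %s\n' "$(printf '%s\n' "$SU_OPEN" | check_su_policy)"
if printf '%s\n' "$GROUP_FILE" | user_in_group wheel wang; then
    echo "wang is in wheel"
fi
```

On a live system the same functions can be pointed at the real files with `check_su_policy < /etc/pam.d/su` and `user_in_group wheel wang < /etc/group`; a result other than "restricted" for the first, or a non-zero exit from the second, means the step above did not stick.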
Check the firewall status
[root@vdevops ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2016-10-26 01:09:49 CST; 1h 36min ago
 Main PID: 744 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─744 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Oct 26 01:09:46 vdevops.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 26 01:09:49 vdevops.com systemd[1]: Started firewalld - dynamic firewall daemon.
Basic firewall operations
[root@vdevops ~]# systemctl start firewalld     # start the firewall
[root@vdevops ~]# systemctl enable firewalld    # start the firewall at boot

By default the "public" zone is applied to the NIC, and dhcpv6-client and ssh are allowed. When a firewall-cmd command is run without a "--zone=***" option, the setting applies to the default zone.

# show the default zone
[root@vdevops ~]# firewall-cmd --get-default-zone
public
# show the current settings
[root@vdevops ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
# show all zones
[root@vdevops ~]# firewall-cmd --list-all-zones
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
...
# show the services allowed in a specific zone
[root@vdevops ~]# firewall-cmd --list-service --zone=external
ssh
# change the default zone
[root@vdevops ~]# firewall-cmd --set-default-zone=external
success
# change the interface of a specific zone
[root@vdevops ~]# firewall-cmd --change-interface=eth1 --zone=external
success
# show the status of a specific zone
[root@vdevops ~]# firewall-cmd --list-all --zone=external
external (default, active)
  interfaces: eno16777736 eth1
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
# Note: changing the interface of a zone requires that the interface exists on the system
Show the predefined services
[root@vdevops ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https
# The definition files live in the directory below; to add a new service, add a matching XML file
# (custom definitions are better placed in /etc/firewalld/services, which overrides this directory and survives package updates)
[root@vdevops ~]# ls /usr/lib/firewalld/services
amanda-client.xml    freeipa-ldap.xml         ipp.xml           libvirt.xml   pmcd.xml        RH-Satellite-6.xml  tftp-client.xml
bacula-client.xml    freeipa-replication.xml  ipsec.xml         mdns.xml      pmproxy.xml     rpc-bind.xml        tftp.xml
bacula.xml           ftp.xml                  iscsi-target.xml  mountd.xml    pmwebapis.xml   rsyncd.xml          transmission-client.xml
dhcpv6-client.xml    high-availability.xml    kerberos.xml      ms-wbt.xml    pmwebapi.xml    samba-client.xml    vdsm.xml
dhcpv6.xml           https.xml                kpasswd.xml       mysql.xml     pop3s.xml       samba.xml           vnc-server.xml
dhcp.xml             http.xml                 ldaps.xml         nfs.xml       postgresql.xml  smtp.xml            wbem-https.xml
dns.xml              imaps.xml                ldap.xml          ntp.xml       proxy-dhcp.xml  ssh.xml
freeipa-ldaps.xml    ipp-client.xml           libvirt-tls.xml   openvpn.xml   radius.xml      telnet.xml
Services added or removed this way are reverted when the system restarts. To make the change permanent, add the "--permanent" option.
# example: add the http service
[root@vdevops ~]# firewall-cmd --add-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh
# remove the http service added above
[root@vdevops ~]# firewall-cmd --remove-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
ssh
# add the http service permanently
[root@vdevops ~]# firewall-cmd --add-service=http --permanent
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh
Add and remove ports
[root@vdevops ~]# firewall-cmd --add-port=465/tcp    # open a port
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp
[root@vdevops ~]# firewall-cmd --remove-port=465/tcp    # close the port again
success
[root@vdevops ~]# firewall-cmd --list-port
[root@vdevops ~]# firewall-cmd --add-port=465/tcp --permanent    # open the port permanently
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp
Add and remove blocked ICMP types
[root@vdevops ~]# firewall-cmd --add-icmp-block=echo-request    # block echo requests (ping)
success
[root@vdevops ~]# firewall-cmd --list-icmp-blocks
echo-request
[root@vdevops ~]# firewall-cmd --remove-icmp-block=echo-request    # remove the block added above
success
[root@vdevops ~]# firewall-cmd --list-icmp-blocks
[root@vdevops ~]# firewall-cmd --get-icmptypes    # show the supported ICMP types
destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded
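Because runtime and permanent firewalld configuration can drift apart, it is worth checking what a zone really exposes against what you meant to open. The following POSIX shell helper is an added example, not part of the original post: it parses the text format of `firewall-cmd --list-all` shown above (the sample listing below is constructed in that format, with a few extra entries added on purpose) and prints every service or port that is not on an allowlist you pass in. On a real host you would feed it `firewall-cmd --list-all | fw_unexpected 'ssh http'`.

```bash
#!/bin/sh
# Added example: compare what a firewalld zone exposes, as printed by
# `firewall-cmd --list-all`, with the services/ports you intended to open.
# The listing is read from stdin so saved output can be audited too.

# Print the value of one "<field>:" line of the listing ($1 = field name).
fw_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Print every exposed service or port that is not in the allowlist.
# $1 = space-separated allowlist, e.g. "ssh http 8443/tcp"; stdin = listing.
fw_unexpected() {
    listing=$(cat)
    extra=""
    for item in $(printf '%s\n' "$listing" | fw_field services) \
                $(printf '%s\n' "$listing" | fw_field ports); do
        case " $1 " in
            *" $item "*) ;;                 # expected
            *) extra="$extra $item" ;;      # not on the allowlist
        esac
    done
    printf '%s\n' "${extra# }"
}

# Return 0 when the listed zone is both the default and active, else 1.
fw_zone_is_active_default() {
    head -n 1 | grep -q '(default, active)'
}

# Constructed sample listing in the format the post shows, with http and
# two ports added beyond the stock dhcpv6-client/ssh defaults.
LISTING='public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client http ssh
  ports: 465/tcp 8080/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# Stand-alone run: only ssh and http are meant to be reachable.
printf 'unexpected: %s\n' "$(printf '%s\n' "$LISTING" | fw_unexpected 'ssh http')"
```

Running the same check against `firewall-cmd --list-all --permanent` and comparing the two results shows whether a runtime change was ever made permanent.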
[root@vdevops ~]# systemctl stop firewalld       # stop the firewall service
[root@vdevops ~]# systemctl disable firewalld    # do not start the firewall at boot
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@vdevops ~]# getenforce    # show the SELinux mode
Enforcing
# disable SELinux at boot; the value in /etc/selinux/config is lowercase, so the pattern must match "enforcing", not "Enforcing"
[root@vdevops ~]# sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@vdevops ~]# setenforce 0    # temporarily disable SELinux (permissive mode) for this session, no reboot needed
1. Set a static IP and change the interface name
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.addresses 10.1.1.56/24    # set the static IP
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.gateway 10.1.1.1          # set the gateway
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.dns 10.1.1.1              # set DNS
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.method manual             # use static IPv4 addressing
[root@vdevops ~]# nmcli c down eno16777736; nmcli c up eno16777736           # restart the network connection
Connection 'eno16777736' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/0)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[root@vdevops ~]# nmcli d show eno16777736    # show the interface status
GENERAL.DEVICE:                         eno16777736
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         00:0C:29:B6:F5:5E
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     eno16777736
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/1
WIRED-PROPERTIES.CARRIER:               on
IP4.ADDRESS[1]:                         10.1.1.56/24
IP4.GATEWAY:                            10.1.1.1
IP4.DNS[1]:                             10.1.1.1
IP6.ADDRESS[1]:                         fe80::20c:29ff:feb6:f55e/64
IP6.GATEWAY:
[root@vdevops ~]# ip addr show    # show the IP addresses
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b6:f5:5e brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.56/24 brd 10.1.1.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb6:f55e/64 scope link
       valid_lft forever preferred_lft forever
2. Disable IPv6
[root@vdevops ~]# vim /etc/default/grub
# line 6: add ipv6.disable=1 to the kernel command line
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
[root@vdevops ~]# reboot    # reboot the system
3. To use ethX-style network interface names, configure as follows.
[root@vdevops ~]# vim /etc/default/grub
# line 6: add net.ifnames=0
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 net.ifnames=0 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
1. Check service status
# show running services
[root@vdevops ~]# systemctl -t service
UNIT                            LOAD   ACTIVE SUB     DESCRIPTION
auditd.service                  loaded active running Security Auditing Service
avahi-daemon.service            loaded active running Avahi mDNS/DNS-SD Stack
crond.service                   loaded active running Command Scheduler
dbus.service                    loaded active running D-Bus System Message Bus
getty@tty1.service              loaded active running Getty on tty1
.........
systemd-udevd.service           loaded active running udev Kernel Device Manager
systemd-update-utmp.service     loaded active exited  Update UTMP about System Reboot/Shutdown
systemd-user-sessions.service   loaded active exited  Permit User Sessions
systemd-vconsole-setup.service  loaded active exited  Setup Virtual Console
tuned.service                   loaded active running Dynamic System Tuning Daemon

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

39 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
# show all services
[root@vdevops ~]# systemctl list-unit-files -t service
UNIT FILE                       STATE
auditd.service                  enabled
autovt@.service                 disabled
avahi-daemon.service            enabled
blk-availability.service        disabled
brandbot.service                static
.........
systemd-user-sessions.service   static
systemd-vconsole-setup.service  static
teamd@.service                  static
tuned.service                   enabled
wpa_supplicant.service          disabled

125 unit files listed.
2. Stop a service and control whether it starts automatically
[root@vdevops ~]# systemctl stop postfix       # stop the service
[root@vdevops ~]# systemctl disable postfix    # do not start it at boot
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service.
[root@vdevops ~]# systemctl start postfix      # start the service
[root@vdevops ~]# systemctl enable postfix     # start it at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service.
[root@vdevops ~]# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2016-10-26 18:40:35 CST; 15s ago
 Main PID: 10071 (master)
   CGroup: /system.slice/postfix.service
           ├─10071 /usr/libexec/postfix/master -w
           ├─10072 pickup -l -t unix -u
           └─10073 qmgr -l -t unix -u

Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: postsuper: warning: inet_protocols: disabling IPv6 name/address support: Address family no...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: daemon started -- version 2.10.1, configuration /etc/postfix
Oct 26 18:40:35 vdevops.com systemd[1]: Started Postfix Mail Transport Agent.
Oct 26 18:40:35 vdevops.com postfix/qmgr[10073]: warning: inet_protocols: disabling IPv6 name/address support: Address family not sup...rotocol
Oct 26 18:40:35 vdevops.com postfix/pickup[10072]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Hint: Some lines were ellipsized, use -l to show in full.
3. Some SysV services remain. They are controlled by chkconfig, as shown below
[root@vdevops ~]# chkconfig --list

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@vdevops ~]# yum update -y    # update all installed packages
Add other repositories
Add some useful external repositories so that useful software can be installed
1. Install the plugin that lets each installed repository be given a priority.
[root@vdevops ~]# yum -y install yum-plugin-priorities
# give the official repositories the highest priority [priority=1]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=1/g" /etc/yum.repos.d/CentOS-Base.repo
2. Add the EPEL repository provided by the Fedora project
[root@vdevops ~]# yum -y install epel-release
# set the priority [priority=5]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=5/g" /etc/yum.repos.d/epel.repo
# setting enabled=0 keeps the repository out of ordinary package installs
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo
# with [enabled=0], install packages from it with the following command
[root@vdevops ~]# yum --enablerepo=epel install [Package]
3. Add the CentOS SCLo Software Collections repository.
[root@vdevops ~]# yum -y install centos-release-scl-rh centos-release-scl
# set the priority [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# set [enabled=0]
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# with [enabled=0], use the repository with the following commands
[root@vdevops ~]# yum --enablerepo=centos-sclo-rh install [Package]
[root@vdevops ~]# yum --enablerepo=centos-sclo-sclo install [Package]
4. Add Remi's RPM repository, which provides many useful packages
# the URL needs its scheme; without "http://" yum looks for a local file of that name
[root@vdevops ~]# yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
# set the priority [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/remi-safe.repo
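The sed one-liners above do the job once, but they append a new priority line after any line that ends in "]" each time they run, so a second pass leaves duplicate keys. The POSIX shell helpers below are an added example, not part of the original post: `set_repo_priority` rewrites a .repo file read on stdin so that every real `[section]` header is followed by exactly one `priority=N` line no matter how often it runs, and `repos_without_gpgcheck` lists sections that do not verify package signatures, which is the other thing worth checking before trusting a third-party repository with a low priority number. The repo file below is constructed, loosely modelled on CentOS-Base.repo.

```bash
#!/bin/sh
# Added example: idempotent priority setting and a gpgcheck audit for yum
# .repo files. Both functions read the file content on stdin.

# Give every [section] the priority $1, replacing any existing priority line
# rather than adding a second one; safe to re-run.
set_repo_priority() {
    awk -v prio="$1" '
        /^\[[^]]+\]$/ { print; print "priority=" prio; next }   # section header
        /^priority=/  { next }                                  # drop old value
        { print }
    '
}

# Count "priority=" lines, to show the result stays stable across runs.
count_priority_lines() {
    grep -c '^priority='
}

# Print the sections that lack gpgcheck=1, space separated.
repos_without_gpgcheck() {
    awk '
        function flush() { if (sec != "" && !ok) print sec }
        /^\[[^]]+\]$/ { flush(); sec = substr($0, 2, length($0) - 2); ok = 0; next }
        /^gpgcheck=1/ { ok = 1 }
        END { flush() }
    ' | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample .repo file: two signed sections and one unsigned.
REPO='# CentOS-Base.repo (constructed sample)
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#released updates
[updates]
name=CentOS-$releasever - Updates
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
gpgcheck=0'

# Stand-alone run: apply priority 1 twice and show that nothing changes,
# then report which sections skip signature verification.
once=$(printf '%s\n' "$REPO" | set_repo_priority 1)
twice=$(printf '%s\n' "$once" | set_repo_priority 1)
if [ "$once" = "$twice" ]; then
    echo "priority rewrite is idempotent"
fi
printf 'sections without gpgcheck=1: %s\n' "$(printf '%s\n' "$REPO" | repos_without_gpgcheck)"
```

On a real host, `set_repo_priority 5 < /etc/yum.repos.d/epel.repo > /tmp/epel.repo` followed by a diff and a copy back is the safe way to use it; `repos_without_gpgcheck < /etc/yum.repos.d/*.repo` (one file at a time) tells you where a compromised mirror could deliver unsigned packages.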
1. Install vim
[root@vdevops ~]# yum -y install vim-enhanced
2. Set an alias
Set a command alias. (This applies to all users; to apply it to one user only, put the same setting in that user's ~/.bashrc.)
[root@vdevops ~]# vi /etc/profile
# add the following line at the end
alias vi='vim'
[root@vdevops ~]# source /etc/profile    # reload
# or, in one step:
echo "alias vi='vim'" >> /etc/profile && source /etc/profile
3. Configure vim: edit /etc/vimrc for all users, or ~/.vimrc for a particular user
This mainly concerns syntax highlighting, plugins, auto-indent and similar features. They are not covered in detail here; a separate post on tuning vim will follow. As the saying goes, a workman who wants to do a good job must first sharpen his tools.
Configure sudo to separate users' duties when several people share privileges. There is no need to install sudo manually, because it is installed by default even with a "Minimal Install".
1. Give an ordinary user all of root's privileges
[root@vdevops ~]# visudo
# add the following line so that user "wang" can run any command as root
wang    ALL=(ALL)       ALL
# run a root-only command as the ordinary user
# make sure you are logged in as 'wang'
[wang@vdevops ~]$ /usr/bin/cat /etc/shadow
cat: /etc/shadow: Permission denied
# denied normally
[wang@vdevops ~]$ sudo /usr/bin/cat /etc/shadow
[sudo] password for cent:
# own password
daemon:*:16231:0:99999:7:::
adm:*:16231:0:99999:7:::
lp:*:16231:0:99999:7:::
......
# after entering wang's password the command output appears
2. Prevent the user from running dangerous commands
[root@vdevops ~]# visudo
# line 49: define the alias SHUTDOWN
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init
# user wang may run everything except the commands in SHUTDOWN
wang    ALL=(ALL)       ALL, !SHUTDOWN
# make sure you are logged in as 'wang'
[wang@vdevops ~]$ sudo /sbin/shutdown -r now
Sorry, user cent is not allowed to execute '/sbin/shutdown -r now' as root on vdevops.com.
# denied normally
3. Create a special group whose members may run some root commands
[root@vdevops ~]# visudo
# line 51: alias USERMGR for the user-management commands
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
# add at the end
%usermgr ALL=(ALL) USERMGR
[root@vdevops ~]# groupadd usermgr
# -a appends to the supplementary groups; a plain -G would replace them and drop wang from wheel
[root@vdevops ~]# usermod -aG usermgr wang
# make sure you are logged in as wang
[wang@vdevops ~]$ sudo /usr/sbin/useradd testuser
# enter wang's password; the user is created successfully
[wang@vdevops ~]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
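Once a sudoers file has several aliases, exclusions and group rules, it is easy to lose track of who effectively has full root. The POSIX shell functions below are an added example (not part of the original post) that read a sudoers file on stdin and report that. They treat a command list containing `ALL` as full root even when it carries a `!` exclusion, because the sudoers manual itself says such exclusions are not a security boundary; the sample file is constructed from the rules in steps 1 to 3 above, and `%` prefixes denote groups as in sudoers.

```bash
#!/bin/sh
# Added example: summarise a sudoers file (stdin). Run it as
#   sudoers_full_root < /etc/sudoers
# from a root shell, or on a copy of the file.

# User specifications only: strip comments, normalise whitespace, and drop
# Defaults lines and alias definitions (they also contain "=").
sudoers_user_specs() {
    sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' -e '/^$/d' \
        | grep -v -e '^Defaults' -e '^Cmnd_Alias' -e '^User_Alias' -e '^Host_Alias' -e '^Runas_Alias' \
        | grep '='
}

# Command list of one specification: text after "=", minus "(runas)" and tags.
spec_commands() {
    sed -e 's/^[^=]*=//' -e 's/^ *([^)]*) *//' -e 's/NOPASSWD: *//g' -e 's/PASSWD: *//g'
}

# Principals (users or %groups) whose command list contains ALL; "ALL, !X"
# still counts, since the exclusion does not limit what the user can do.
sudoers_full_root() {
    sudoers_user_specs | while read -r spec; do
        if printf '%s\n' "$spec" | spec_commands | tr ',' '\n' | grep -qx ' *ALL *'; then
            printf '%s ' "${spec%% *}"
        fi
    done | sed 's/ $//'
}

# Principals whose rule relies on a "!" exclusion; these deserve a review.
sudoers_exclusions() {
    sudoers_user_specs | while read -r spec; do
        case "$spec" in
            *'!'*) printf '%s ' "${spec%% *}" ;;
        esac
    done | sed 's/ $//'
}

# Command list granted to one principal ($1).
sudoers_commands_for() {
    sudoers_user_specs | grep "^$1 " | spec_commands
}

# Constructed sample mirroring this post's rules.
SUDOERS='## constructed sample sudoers
Defaults    requiretty
Defaults    syslog=local1
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
root    ALL=(ALL)       ALL
wang    ALL=(ALL)       ALL, !SHUTDOWN
%wheel  ALL=(ALL)       ALL
%usermgr ALL=(ALL) USERMGR'

# Stand-alone run.
printf 'full root:        %s\n' "$(printf '%s\n' "$SUDOERS" | sudoers_full_root)"
printf 'uses exclusions:  %s\n' "$(printf '%s\n' "$SUDOERS" | sudoers_exclusions)"
printf 'usermgr may run:  %s\n' "$(printf '%s\n' "$SUDOERS" | sudoers_commands_for '%usermgr')"
```

Note what the report says about step 2: wang appears under "full root" as well as under "uses exclusions". If the intent is really to keep a user away from reboots, the durable form is a positive list of what they may run, as the USERMGR rule in step 3 does.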
4. Log sudo activity
sudo's log goes to /var/log/secure, which also holds many other kinds of log entries. To keep only sudo's log in a separate file, configure as follows:
[root@vdevops ~]# visudo
# add at the end
Defaults syslog=local1
[root@vdevops ~]# vi /etc/rsyslog.conf
# line 54: add local1.none to the messages rule
*.info;mail.none;authpriv.none;cron.none;local1.none    /var/log/messages
# add the following line
local1.*    /var/log/sudo.log
[root@vdevops ~]# systemctl restart rsyslog    # restart rsyslog
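With sudo writing to its own file, the next question is what to look for in it. The POSIX shell functions below are an added example, not part of the original post: they parse lines in sudo's standard syslog format (user, TTY, PWD, USER, COMMAND, with "command not allowed" on denials) and pull out denied attempts, the commands one user ran as root, and per-user activity counts. The log lines are constructed for the example; the host name and user names are taken from this post, and "alice" is a made-up second user.

```bash
#!/bin/sh
# Added example: triage /var/log/sudo.log (read on stdin).

# Denied attempts as "user COMMAND", one per line.
sudo_denials() {
    grep 'command not allowed' \
        | sed -e 's/^.*sudo:[[:space:]]*//' -e 's/ : command not allowed.*COMMAND=/ /'
}

# Commands successfully run as root by user $1, one per line.
sudo_commands_by() {
    grep -v 'command not allowed' \
        | grep "sudo:[[:space:]]*$1 :" \
        | sed -n 's/.*USER=root ; COMMAND=//p'
}

# "user count" per line, most active user first (all records, allowed or not).
sudo_activity() {
    sed -n 's/^.*sudo:[[:space:]]*\([^ ]*\) :.*/\1/p' | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# Constructed sample log in sudo's syslog format.
SUDO_LOG='Oct 26 19:01:12 vdevops sudo:     wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Oct 26 19:02:40 vdevops sudo:     wang : command not allowed ; TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/sbin/shutdown -r now
Oct 26 19:05:03 vdevops sudo:     wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/sbin/useradd testuser
Oct 26 19:05:30 vdevops sudo:     wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/bin/passwd testuser
Oct 26 19:07:11 vdevops sudo:    alice : command not allowed ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow'

# Stand-alone run.
echo "denied attempts:"
printf '%s\n' "$SUDO_LOG" | sudo_denials
echo "commands wang ran as root:"
printf '%s\n' "$SUDO_LOG" | sudo_commands_by wang
echo "activity:"
printf '%s\n' "$SUDO_LOG" | sudo_activity
```

A denial from a user who has no sudo rule at all (alice here) is the line worth alerting on: it shows someone probing what they are allowed to do, which is exactly what the separate log file makes easy to notice.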