Linux-02-CentOS Basic Optimization

As the first step, create an ordinary user and give it a password. The goal is to do routine maintenance without working as root, so that a slip of the fingers does not take the whole system down.

[root@CentOS6 ~]# whoami
root
[root@CentOS6 ~]# useradd test
[root@CentOS6 ~]# passwd test
Changing password for user test.
New password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@CentOS6 ~]# 

Note that passwd only warns root about a weak password and then accepts it; the same password typed by the user itself would be rejected. Pick a real password even in a lab.

Another, non-interactive way to set a password, usable in scripts later on. Two caveats: `--stdin` is a Red Hat extension of passwd and is not portable, and the password lands in the shell history of the session that typed the echo, so clear the history afterwards or prefer chpasswd, which reads `user:password` pairs from a file or pipe.

[root@CentOS6 ~]# echo "test"|passwd --stdin test
Changing password for user test.
passwd: all authentication tokens updated successfully.
[root@CentOS6 ~]# 

To create a batch of users and set their passwords in one go (here each password is simply the user name, which is acceptable for a throw-away lab but must never reach a real server):

[root@CentOS6 home]# for user in `seq 10`;do useradd user$user;echo user$user|passwd --stdin user$user;done
Changing password for user user1.
passwd: all authentication tokens updated successfully.
Changing password for user user2.
passwd: all authentication tokens updated successfully.
Changing password for user user3.
passwd: all authentication tokens updated successfully.
Changing password for user user4.
passwd: all authentication tokens updated successfully.
Changing password for user user5.
passwd: all authentication tokens updated successfully.
Changing password for user user6.
passwd: all authentication tokens updated successfully.
Changing password for user user7.
passwd: all authentication tokens updated successfully.
Changing password for user user8.
passwd: all authentication tokens updated successfully.
Changing password for user user9.
passwd: all authentication tokens updated successfully.
Changing password for user user10.
passwd: all authentication tokens updated successfully.

To delete the batch:

[root@CentOS6 home]# for user in `seq 10`;do userdel user$user;done
[root@CentOS6 home]# 

Delete the home directories. The cleaner way is `userdel -r user$user`, which removes the home directory and mail spool together with the account. If you do it by hand, match exactly the names you created: `-name "user*"` would also catch an unrelated directory such as `username`.

[root@CentOS6 home]# find /home/ -maxdepth 1 -type d -name "user[0-9]*" -exec rm -rf {} \;

Delete the mail spools. These are files, not directories, so `-type d` would match nothing:

[root@CentOS6 home]# find /var/spool/mail -maxdepth 1 -type f -name "user[0-9]*" -exec rm -f {} \;
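The batch creation above puts every password on a command line and makes it equal to the user name. The following is an added example, not code from the original post, showing the same job done with random passwords and chpasswd, which reads `user:password` lines on stdin so nothing is typed into a shell. The variable DRY_RUN and the function names are this example's own; when DRY_RUN is set or the caller is not root, the account commands are printed instead of executed.

```shell
#!/bin/bash
# Added example, not part of the original post: create users in bulk with
# random passwords, using chpasswd ("user:password" lines on stdin) instead
# of `echo pw | passwd --stdin`, so no password is ever typed on a command
# line or saved in shell history. DRY_RUN is a variable of this example;
# when set (or when not root) the commands are printed instead of run.

# gen_password [LEN]: LEN random characters from A-Za-z0-9._- (default 16)
gen_password() {
    local len="${1:-16}"
    # tr keeps only the allowed characters from the random stream;
    # head stops once LEN of them have arrived.
    LC_ALL=C tr -dc 'A-Za-z0-9._-' < /dev/urandom | head -c "$len"
    echo
}

# gen_batch_credentials USER...: print one "user:password" line per user,
# in the format chpasswd reads. Capture this into a root-only file once,
# hand the passwords out, then shred the file.
gen_batch_credentials() {
    local u
    for u in "$@"; do
        printf '%s:%s\n' "$u" "$(gen_password 20)"
    done
}

# create_users_from_file CREDFILE: create each account, set all passwords
# in one chpasswd call, and force a password change at first login.
create_users_from_file() {
    local credfile="$1" u pw
    while IFS=: read -r u pw; do
        [ -n "$u" ] || continue
        if [ -n "$DRY_RUN" ] || [ "$(id -u)" -ne 0 ]; then
            echo "would run: useradd $u"
        else
            id "$u" >/dev/null 2>&1 || useradd "$u"
        fi
    done < "$credfile"
    if [ -z "$DRY_RUN" ] && [ "$(id -u)" -eq 0 ]; then
        chpasswd < "$credfile"
        for u in $(cut -d: -f1 "$credfile"); do chage -d 0 "$u"; done
    fi
}

# Typical use as root:
#   gen_batch_credentials user1 user2 user3 > /root/new-users.txt
#   chmod 600 /root/new-users.txt && create_users_from_file /root/new-users.txt
```

chpasswd is part of shadow-utils and is available on every CentOS release, so the same script works unchanged on EL7 and later; `chage -d 0` expires the generated password so that the user sets their own at first login.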

Switch to the new user. The `-` is required: it starts a login shell, so the target user's own environment variables are loaded instead of root's.

[root@CentOS6 ~]# su - test
[test@CentOS6 ~]$ 

In Linux the prompt of the superuser ends in #, that of an ordinary user in $.

Switch back to root. With no user name after `su -`, the target is root.

[test@CentOS6 ~]$ su - 
Password:
[root@CentOS6 ~]# 

Switching to root asks for the root password.

 

yum is the package manager on CentOS: it fetches rpm packages and their dependencies over the network. The stock configuration uses mirrors abroad, so we switch to a domestic mirror. Two things to keep in mind: the repo file below is fetched over plain HTTP, so read it before trusting it, and make sure every section keeps gpgcheck=1 with gpgkey pointing at the local CentOS key, so that yum still verifies package signatures no matter which mirror served the file.

Edit the yum configuration as root (the full path /bin/mv bypasses the `mv -i` alias in root's profile, so there is no prompt):

[root@CentOS6 ~]# cd /etc/yum.repos.d/
[root@CentOS6 yum.repos.d]# /bin/mv CentOS-Base.repo CentOS-Base.repo.ori
[root@CentOS6 yum.repos.d]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
--2018-08-08 23:47:56--  http://mirrors.aliyun.com/repo/Centos-6.repo
Resolving mirrors.aliyun.com... 124.67.215.100, 124.67.215.5, 124.67.215.101, ...
Connecting to mirrors.aliyun.com|124.67.215.100|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2523 (2.5K) [application/octet-stream]
Saving to: "/etc/yum.repos.d/CentOS-Base.repo"

100%[====================================================>] 2,523       --.-K/s   in 0s      

2018-08-08 23:47:56 (151 MB/s) - "/etc/yum.repos.d/CentOS-Base.repo" saved [2523/2523]

[root@CentOS6 yum.repos.d]# 
[root@CentOS6 yum.repos.d]# yum makecache
Loaded plugins: fastestmirror, security
Determining fastest mirrors
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base                                                                   | 3.7 kB     00:00     
base/group_gz                                                          | 242 kB     00:00     
base/filelists_db                                                      | 6.4 MB     00:00     
base/other_db                                                          | 2.8 MB     00:00     
extras                                                                 | 3.4 kB     00:00     
extras/filelists_db                                                    |  24 kB     00:00     
extras/prestodelta                                                     | 1.1 kB     00:00     
extras/other_db                                                        |  28 kB     00:00     
updates                                                                | 3.4 kB     00:00     
updates/filelists_db                                                   | 484 kB     00:00     
updates/prestodelta                                                    |  17 kB     00:00     
updates/other_db                                                       | 8.5 MB     00:00     
Metadata Cache Created
[root@CentOS6 yum.repos.d]# 
Import the CentOS package-signing keys so that yum can verify package signatures against them, then apply any pending updates:

[root@CentOS6 yum.repos.d]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
[root@CentOS6 yum.repos.d]# yum upgrade
Loaded plugins: fastestmirror, security
Setting up Upgrade Process
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
No Packages marked for Update
[root@CentOS6 yum.repos.d]# 

Install the upload/download tool (lrzsz provides rz and sz, ZMODEM transfers through the terminal, which SecureCRT supports):

[root@CentOS6 yum.repos.d]# yum -y install lrzsz  
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
Resolving Dependencies
--> Running transaction check
---> Package lrzsz.x86_64 0:0.12.20-27.1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================
 Package             Arch                Version                       Repository         Size
==============================================================================================
Installing:
 lrzsz              x86_64              0.12.20-27.1.el6              base               71 k

Transaction Summary
==============================================================================================
Install       1 Package(s)

Total download size: 71 k
Installed size: 159 k
Downloading Packages:
lrzsz-0.12.20-27.1.el6.x86_64.rpm                                      |  71 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : lrzsz-0.12.20-27.1.el6.x86_64                                              1/1 
  Verifying  : lrzsz-0.12.20-27.1.el6.x86_64                                              1/1 

Installed:
  lrzsz.x86_64 0:0.12.20-27.1.el6                                                             

Complete!
[root@CentOS6 yum.repos.d]# 

Download the yum configuration files from before and after the change and compare them:

[root@CentOS6 yum.repos.d]# sz -y CentOS-Base.repo*
rz
Starting zmodem transfer.  Press Ctrl+C to cancel.

  100%       2 KB    2 KB/s 00:00:01       0 Errors
  100%       1 KB    1 KB/s 00:00:01       0 Errors

[root@CentOS6 yum.repos.d]# 

In SecureCRT, Options -> Session Options -> X/Y/Zmodem shows the download directory.

Open that directory and diff the two files. Apart from the mirror URLs, confirm that every section still has gpgcheck=1 and a gpgkey entry pointing at /etc/pki/rpm-gpg/.

List the installed packages:

[root@CentOS6 yum.repos.d]# rpm -aq | grep lrzsz
lrzsz-0.12.20-27.1.el6.x86_64
[root@CentOS6 yum.repos.d]# yum grouplist
Loaded plugins: fastestmirror, security
Setting up Group Process
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
Installed Groups:
   NFS file server
   Perl Support
   SNMP Support
   Compatibility libraries
   Graphical Administration Tools
   Base
   Fonts

Switch the display to English for the rest of the session:

[root@CentOS6 yum.repos.d]# echo $LANG
zh_CN.UTF-8
[root@CentOS6 yum.repos.d]# export LANG=en
[root@CentOS6 yum.repos.d]# yum grouplist
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, security
Setting up Group Process
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
Installed Groups:
   Base
   Compatibility libraries
   Debugging Tools
   Development tools
   Directory Client
   E-mail server

Then install whichever group you need that is not yet installed (this depends on the machine's role; the command is only shown here for reference):

[root@CentOS6 yum.repos.d]# yum groupinstall "FTP server" -y
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, security
Setting up Group Process
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.x86_64 0:2.2.2-24.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================
 Package             Arch                Version                      Repository         Size
==============================================================================================
Installing:
 vsftpd              x86_64              2.2.2-24.el6                 base              156 k

Transaction Summary
==============================================================================================
Install       1 Package(s)

Total download size: 156 k
Installed size: 340 k

Downloading Packages:
vsftpd-2.2.2-24.el6.x86_64.rpm                                         | 156 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : vsftpd-2.2.2-24.el6.x86_64                                                 1/1 
  Verifying  : vsftpd-2.2.2-24.el6.x86_64                                                 1/1 

Installed:
  vsftpd.x86_64 0:2.2.2-24.el6                                                                

Complete!

The -y flag answers the confirmation prompt automatically.

 

Now the basic optimization of CentOS itself.

1. Disable SELinux

A word before following along: SELinux is a mandatory access control layer that keeps confining services such as sshd, httpd and postfix even after one of them is compromised. Disabling it is a widespread habit because it gets in the way of unfamiliar services, but the more defensible choice is to leave it enforcing, or to set it to permissive while debugging and read the denials in /var/log/audit/audit.log. If you do disable it, do so as a conscious decision, not as a reflex.

[root@CentOS6 ~]# vi /etc/selinux/config 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

Change SELINUX=enforcing to SELINUX=disabled.

Check the result:

[root@CentOS6 ~]# grep SELINUX /etc/selinux/config 
# SELINUX= can take one of these three values:
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted 

The file takes effect only after a reboot, which we may not want in production. Without a reboot the running kernel can only be switched to permissive mode (policy still loaded, violations logged but not blocked); it cannot be fully disabled until the next boot.

Current state:

[root@CentOS6 ~]# getenforce
Enforcing

Switch to permissive:

[root@CentOS6 ~]# setenforce 0
[root@CentOS6 ~]# getenforce
Permissive

 

2. Check the default runlevel

A server should stay at runlevel 3 (full multi-user, no X11). `runlevel` prints the previous and current level; N means there was no previous one. On CentOS 6 the default lives in the `id:` line of /etc/inittab, so if the installer left it at 5, change that line to `id:3:initdefault:`.

[root@CentOS6 ~]# runlevel
N 3
[root@CentOS6 ~]# cat /etc/inittab 
# inittab is only used by upstart for the default runlevel.
#
# ADDING OTHER CONFIGURATION HERE WILL HAVE NO EFFECT ON YOUR SYSTEM.
#
# System initialization is started by /etc/init/rcS.conf
#
# Individual runlevels are started by /etc/init/rc.conf
#
# Ctrl-Alt-Delete is handled by /etc/init/control-alt-delete.conf
#
# Terminal gettys are handled by /etc/init/tty.conf and /etc/init/serial.conf,
# with configuration in /etc/sysconfig/init.
#
# For information on how to write upstart event handlers, or how
# upstart works, see init(5), init(8), and initctl(8).
#
# Default runlevel. The runlevels used are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
# 
id:3:initdefault:

 

3. Trim the services started at boot

On the console of the VM, `setup` -> System services, or `ntsysv`, gives a menu to choose the boot-time services.

 

Or do it with a script: switch every runlevel-3 service off, then switch the few we need back on.

LANG=en
for var in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 3 $var off;done
for var in crond network rsyslog sshd ;do chkconfig --level 3 $var on;done
chkconfig --list|grep 3:on

The white list here is the author's minimal set for a lab. Note that it also switches off iptables (the host firewall) and auditd (the audit log); on a real server both belong on the list, and the SSH section below shows what happens when the firewall is simply left stopped.

[root@CentOS6 ~]# LANG=en
[root@CentOS6 ~]# for var in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 3 $var off;done
[root@CentOS6 ~]# for var in crond network rsyslog sshd ;do chkconfig --level 3 $var on;done
[root@CentOS6 ~]# chkconfig --list|grep 3:on
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@CentOS6 ~]# 

`chkconfig --list` shows the state of every service in every runlevel:

[root@CentOS6 ~]#  chkconfig --list
abrt-ccpp       0:off   1:off   2:off   3:off   4:off   5:on    6:off
abrtd           0:off   1:off   2:off   3:off   4:off   5:on    6:off
acpid           0:off   1:off   2:on    3:off   4:on    5:on    6:off
atd             0:off   1:off   2:off   3:off   4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:off   4:on    5:on    6:off
blk-availability        0:off   1:on    2:on    3:off   4:on    5:on    6:off
cman            0:off   1:off   2:off   3:off   4:off   5:off   6:off
corosync        0:off   1:off   2:off   3:off   4:off   5:off   6:off
cpglockd        0:off   1:off   2:off   3:off   4:off   5:off   6:off
cpuspeed        0:off   1:on    2:on    3:off   4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
haldaemon       0:off   1:off   2:off   3:off   4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:off   4:on    5:on    6:off
ipmievd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables        0:off   1:off   2:on    3:off   4:on    5:on    6:off
irqbalance      0:off   1:off   2:off   3:off   4:on    5:on    6:off
kdump           0:off   1:off   2:off   3:off   4:on    5:on    6:off
libvirt-guests  0:off   1:off   2:on    3:off   4:on    5:on    6:off
lvm2-monitor    0:off   1:on    2:on    3:off   4:on    5:on    6:off
mdmonitor       0:off   1:off   2:on    3:off   4:on    5:on    6:off
messagebus      0:off   1:off   2:on    3:off   4:on    5:on    6:off
modclusterd     0:off   1:off   2:off   3:off   4:off   5:off   6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:off   4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfs-rdma        0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:off   4:on    5:on    6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
ntpdate         0:off   1:off   2:off   3:off   4:off   5:off   6:off
oddjobd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
postfix         0:off   1:off   2:on    3:off   4:on    5:on    6:off
psacct          0:off   1:off   2:off   3:off   4:off   5:off   6:off
quota_nld       0:off   1:off   2:off   3:off   4:off   5:off   6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
rdma            0:off   1:on    2:on    3:off   4:on    5:on    6:off
restorecond     0:off   1:off   2:off   3:off   4:off   5:off   6:off
rgmanager       0:off   1:off   2:off   3:off   4:off   5:off   6:off
ricci           0:off   1:off   2:off   3:off   4:off   5:off   6:off
rngd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
rpcbind         0:off   1:off   2:on    3:off   4:on    5:on    6:off
rpcgssd         0:off   1:off   2:off   3:off   4:on    5:on    6:off
rpcidmapd       0:off   1:off   2:off   3:off   4:on    5:on    6:off
rpcsvcgssd      0:off   1:off   2:off   3:off   4:off   5:off   6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
smartd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
snmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
snmptrapd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
svnserve        0:off   1:off   2:off   3:off   4:off   5:off   6:off
sysstat         0:off   1:on    2:on    3:off   4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:off   4:on    5:on    6:off
vsftpd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
winbind         0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@CentOS6 ~]# 

 

4. SSH login configuration

Back up the configuration file first:

[root@CentOS6 ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.ori
[root@CentOS6 ~]# ls /etc/ssh/ | grep sshd_config
sshd_config
sshd_config.ori
[root@CentOS6 ~]# 

Edit the configuration file:

[root@CentOS6 ~]# vi /etc/ssh/sshd_config

Set the following directives. The stock file carries them as commented defaults (`#Port 22`, `#PermitRootLogin yes`, and so on), so either uncomment and edit those lines or append the new ones. The explanations on the right are for this page only: sshd_config does not accept trailing comments, and a directive followed by `#...` makes sshd refuse to start, so put only the bare directive in the file. Check the syntax with sshd -t before restarting, because a broken config plus a restart means a locked-out server.

Port 52113                  change the listening port (with SELinux enforcing, the new port must also be labelled ssh_port_t with semanage)
PermitRootLogin no          no direct root login over SSH; administration goes through the sudo user from section 5
PermitEmptyPasswords no     refuse accounts that have an empty password
UseDNS no                   skip the reverse DNS lookup of the client: faster logins and no dependency on DNS

Restart the service:

[root@CentOS6 ~]# /etc/init.d/sshd restart
Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]
[root@CentOS6 ~]# netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:52113               0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:53009               0.0.0.0:*                   LISTEN      
tcp        0      0 :::47744                    :::*                        LISTEN      
tcp        0      0 :::111                      :::*                        LISTEN      
tcp        0      0 :::52113                    :::*                        LISTEN      
[root@CentOS6 ~]# 

Port 22 is gone; sshd now listens on 52113.

To see which process owns a port:

[root@CentOS6 ~]# lsof -i :52113
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    2882 root    3u  IPv4  18241      0t0  TCP *:52113 (LISTEN)
sshd    2882 root    4u  IPv6  18243      0t0  TCP *:52113 (LISTEN)

The new port cannot be used straight away: the iptables rules loaded at boot accept new connections only on port 22 (rule 4 below) and reject everything else (rule 5). We switched iptables off at boot in section 3, but that only matters after a reboot; the rules are still loaded now. The post stops the firewall altogether. The better option is to keep it running and insert an ACCEPT rule for port 52113 ahead of the final REJECT, then persist it with service iptables save.

[root@CentOS6 ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

[root@CentOS6 ~]# 

Stop the firewall (lab only; see above):

[root@CentOS6 ~]# /etc/init.d/iptables stop
iptables: Setting chains to policy ACCEPT: filter [  OK  ]
iptables: Flushing firewall rules: [  OK  ]
iptables: Unloading modules: [  OK  ]

Open a new connection on port 52113.

Login succeeds:

[test@CentOS6 ~]$ 

The original session stays usable after the port change, because its established connection on port 22 is not affected by the new listener. The connection table shows both:

[root@CentOS6 ~]# netstat -an | grep -i est
Active Internet connections (servers and established)
tcp        0      0 2.2.2.5:52113               2.2.2.10:34584              ESTABLISHED 
tcp        0     52 2.2.2.5:22                  2.2.2.10:7584               ESTABLISHED 
Active UNIX domain sockets (servers and established)

Which users are logged in:

[root@CentOS6 ~]# w
 05:09:01 up  9:23,  2 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                00:46    4:22m  0.08s  0.01s setup
root     pts/0    2.2.2.10         23:14    0.00s  0.51s  0.07s w

The same change can be scripted with sed. Note that these patterns only match the stock commented-out lines, so they do nothing if a directive is already set to some other value; the date call needs a space before the + or the backup file name is wrong.

echo "#---------------SSHConfig-------------------#"
\cp /etc/ssh/sshd_config /etc/ssh/sshd_config.`date +"%Y-%m-%d_%H-%M-%S"`
sed -i 's%#Port 22%Port 52113%' /etc/ssh/sshd_config
sed -i 's%#PermitRootLogin yes%PermitRootLogin no%' /etc/ssh/sshd_config
sed -i 's%#PermitEmptyPasswords no%PermitEmptyPasswords no%' /etc/ssh/sshd_config
sed -i 's%#UseDNS yes%UseDNS no%' /etc/ssh/sshd_config
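The sed one-liners above silently do nothing when a directive is already uncommented or set to a different value. The following is an added example, not the post's script, that sets each directive whatever its current state, keeps a timestamped backup, validates the result with sshd -t, and opens the new port in iptables rather than stopping the firewall. The function names, SSHD_CONFIG and DRY_RUN are this example's own; it assumes GNU sed and awk, and root for the real run.

```shell
#!/bin/bash
# Added example, not the post's script: set sshd_config directives
# idempotently (commented-out, already set, or absent), keep a timestamped
# backup, validate with `sshd -t`, and open the new port in iptables
# instead of stopping the firewall. Assumes GNU sed/awk and, for the real
# run, root. SSHD_CONFIG and DRY_RUN are variables of this example.

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# set_sshd_option KEY VALUE [FILE]
# Rewrites the first "KEY ..." or "#KEY ..." line as "KEY VALUE" and appends
# the directive if no such line exists. Nothing is written after the value:
# sshd treats a trailing comment as "garbage at end of line" and refuses to
# start. Keywords are matched case-sensitively here (sshd itself is not).
set_sshd_option() {
    local key="$1" value="$2" file="${3:-$SSHD_CONFIG}"
    local re="^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$"
    if grep -Eq "$re" "$file"; then
        # 0,/re/ limits the substitution to the first matching line
        sed -i -E "0,/${re}/s/${re}/${key} ${value}/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option KEY [FILE]: the value sshd would use (first active line).
get_sshd_option() {
    local key="$1" file="${2:-$SSHD_CONFIG}"
    awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file"
}

# harden_sshd [FILE]: backup, apply the four directives, syntax-check.
harden_sshd() {
    local file="${1:-$SSHD_CONFIG}"
    cp -p "$file" "$file.$(date +"%Y-%m-%d_%H-%M-%S")"
    set_sshd_option Port 52113 "$file"
    set_sshd_option PermitRootLogin no "$file"
    set_sshd_option PermitEmptyPasswords no "$file"
    set_sshd_option UseDNS no "$file"
    # A broken config plus a restart means a locked-out server: test first.
    if [ -z "$DRY_RUN" ] && command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$file" || { echo "sshd config check failed; not restarting" >&2; return 1; }
    fi
}

# open_ssh_port PORT: accept new TCP connections on PORT at the top of the
# INPUT chain (ahead of the final REJECT) and persist the rule set, so the
# firewall stays up while the port changes.
open_ssh_port() {
    local port="$1"
    local rule="INPUT -p tcp -m state --state NEW --dport $port -j ACCEPT"
    if [ -n "$DRY_RUN" ] || [ "$(id -u)" -ne 0 ]; then
        echo "would run: iptables -I $rule && service iptables save"
        return 0
    fi
    iptables -I $rule && service iptables save
}

# Typical run as root, keeping the current session open until the new
# port has been tested from a second terminal:
#   harden_sshd && open_ssh_port 52113 && /etc/init.d/sshd restart
```

Keep the existing session open while testing the new port from a second terminal; only once that login works is it safe to remove the port 22 rule.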

 

5. Privilege management

Use sudo to delegate privileges. Nobody then needs the root password for routine work, and if the root password is changed or lost, the sudo users can still maintain the system.

[root@CentOS6 ~]# visudo

Add an entry for the test user. Be aware that delegating useradd and userdel is already root-equivalent in practice: `useradd -o -u 0` creates a second UID 0 account, so treat this grant as full root rather than as a narrow one.

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
test    ALL=(ALL)       /usr/sbin/useradd,/usr/sbin/userdel

Log in as test and try the newly granted command:

[test@CentOS6 ~]$ sudo /usr/sbin/useradd kkk

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for test: 
Sorry, try again.
[sudo] password for test: 
[test@CentOS6 ~]$ id kkk
uid=501(kkk) gid=501(kkk) groups=501(kkk)

To give an ordinary user full root privileges, add a line like this:

[root@CentOS6 ~]# visudo
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
test    ALL=(ALL)       /usr/sbin/useradd,/usr/sbin/userdel
leader  ALL=(ALL)       ALL

Create the user:

[root@CentOS6 ~]# useradd leader

Set leader's password:

[root@CentOS6 ~]# passwd leader
Changing password for user leader.
New password: 
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password: 
passwd: all authentication tokens updated successfully.

Try the new privileges:

[root@CentOS6 ~]# su - leader
[leader@CentOS6 ~]$ su - root
Password:

Without the root password, leader cannot su to root; through sudo it can:

[leader@CentOS6 ~]$ sudo su - 
[sudo] password for leader: 
[root@CentOS6 ~]# 

Give test full root as well, so that the server can be managed even though root itself can no longer log in remotely:

[root@CentOS6 ~]# visudo
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
test    ALL=(ALL)       ALL
leader  ALL=(ALL)       ALL

Typing the password on every switch gets tedious, so the post changes the entries to NOPASSWD. Be clear about what this means: whoever holds that account's SSH key or password is root without any further check, and the sudo log line is the only trace left behind. Keep the password prompt on any server reachable from outside.

[root@CentOS6 ~]# visudo
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
test    ALL=(ALL)       NOPASSWD: ALL
leader  ALL=(ALL)       NOPASSWD: ALL

As the ordinary user, list your own sudo rights:

[test@CentOS6 ~]$ sudo -l
Matching Defaults entries for test on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
    INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User test may run the following commands on this host:
    (ALL) NOPASSWD: ALL

sudoers entries need full paths. If you do not know a command's path, `which` shows it:

[root@CentOS6 ~]# which useradd
/usr/sbin/useradd

which searches the directories listed in $PATH, which we can inspect:

[root@CentOS6 ~]# echo $PATH
/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

To run a command by its bare name, the directory that holds it must be in $PATH. A user can add directories in ~/.bash_profile:

[test@CentOS6 ~]$ cd ~
[test@CentOS6 ~]$ vi .bash_profile 
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:$HOME/bin

export PATH

Log out and back in, or re-read the file:

[test@CentOS6 ~]$ . .bash_profile 

or, equivalently:

[test@CentOS6 ~]$ source .bash_profile 

6. Character set

Set the system locale so that Chinese is displayed correctly.

Check the current locale (the installed default on this machine):

[root@CentOS6 ~]# cat /etc/sysconfig/i18n 
LANG="en_US.UTF-8"

Back the file up first, then write the new value and check it:

[root@CentOS6 ~]# cp /etc/sysconfig/i18n /etc/sysconfig/i18n.ori
[root@CentOS6 ~]# echo 'LANG="zh_CN.UTF-8"' > /etc/sysconfig/i18n
[root@CentOS6 ~]# cat /etc/sysconfig/i18n
LANG="zh_CN.UTF-8"
[root@CentOS6 ~]# source /etc/sysconfig/i18n
[root@CentOS6 ~]# echo $LANG
zh_CN.UTF-8

Locale names are case-sensitive: EN_US.UTF-8 or ZH_CN.UTF-8 are not valid locales and silently fall back to C. Stick to a UTF-8 locale on servers, pick zh_CN.UTF-8 or en_US.UTF-8 according to who reads the logs, and make the terminal client use the same encoding.

Test it by writing and reading back a file with Chinese text:

[test@CentOS6 ~]$ mkdir tnp
[test@CentOS6 ~]$ cd tnp/
[test@CentOS6 tnp]$ vi test.txt

Port 52113                      #更改端口..........
PermitRootLogin no              #不允许root用户远程登录##
PermitEmptyPasswords no         #不允许空密码用户登录##
UseDNS no                       #禁止DNS解析##
~
~
[test@CentOS6 tnp]$ cat test.txt 
Port 52113                      #更改端口..........
PermitRootLogin no              #不允许root用户远程登录##
PermitEmptyPasswords no         #不允许空密码用户登录##
UseDNS no                       #禁止DNS解析##
[test@CentOS6 tnp]$ 

With the server side done, configure the client. In SecureCRT: Options -> Session Options, and set the terminal's character encoding to the same value (UTF-8); otherwise the characters still come out garbled.

7. Time synchronization

Like the character set, time synchronization must be in place before the server goes into production. Wrong clocks break log correlation across machines, certificate validity checks, and anything based on Kerberos or TOTP.

Sync now:

[root@CentOS6 ~]# date
Fri Aug 10 05:07:27 CST 2018
[root@CentOS6 ~]# which ntpdate
/usr/sbin/ntpdate
[root@CentOS6 ~]# /usr/sbin/ntpdate time.nist.gov
 9 Aug 21:10:08 ntpdate[1222]: step time server 128.138.140.44 offset -28799.924708 sec
[root@CentOS6 ~]# date
Thu Aug  9 21:10:47 CST 2018

The offset was large: -28799.9 s is almost exactly eight hours, the classic symptom of a hardware clock that holds local time (CST, UTC+8) but is read as UTC.

To keep the clock in sync automatically, the post appends a cron entry straight to root's crontab file (crontab -e is safer, since it validates the syntax before installing). ntpdate steps the clock every five minutes; for production a running ntpd that slews the clock is preferable, and the servers should point at an internal time source rather than a public one.

[root@CentOS6 ~]# echo '#time sync by test at 2018-8-9' >>/var/spool/cron/root
[root@CentOS6 ~]# echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov > /dev/null 2>&1' >>/var/spool/cron/root

List the cron jobs:

[root@CentOS6 ~]# crontab -l
#time sync by test at 2018-8-9
*/5 * * * * /usr/sbin/ntpdate time.nist.gov > /dev/null 2>&1

Initially every server syncs on its own against a public server. If the servers have no Internet access, or there are many of them, set up one NTP server on the internal network and point the others at it.

8. Raise the open-file limit

The default soft limit of 1024 open file descriptors per process is far too low for a busy web server or proxy; raising it keeps high-concurrency programs from failing with "too many open files". The `-` in limits.conf sets both the soft and the hard limit.

[root@CentOS6 ~]# ulimit -n
1024
[root@CentOS6 ~]# echo '*            -             nofile         65535' >>/etc/security/limits.conf 
[root@CentOS6 ~]# tail -1 /etc/security/limits.conf 
*            -             nofile         65535

This applies to new login sessions (pam_limits reads limits.conf at login); existing shells keep the old value.

 

Or set it in /etc/rc.local, which only affects processes started from that script, not login sessions or services started by their own init scripts:

cat >>/etc/rc.local<<EOF
#open files
ulimit -HSn 65535
#stack size
ulimit -s 65535
EOF

 

9. Kernel parameters

Add the following to /etc/sysctl.conf and apply it with sysctl -p. A few cautions: tcp_tw_recycle breaks clients behind NAT (with timestamps enabled the kernel drops SYNs whose timestamp is older than the last one seen from the same address) and was removed from the kernel in 4.12, so leave it at 0 on anything that serves users over the Internet; tcp_fin_timeout=2 and tcp_syn_retries=1 are LAN values that will drop legitimate slow connections. The conntrack keys use the EL6 nf_conntrack names (the older ip_conntrack names do not exist on this kernel), and they only exist while the nf_conntrack module is loaded, i.e. while the firewall is running; otherwise sysctl -p reports them as unknown keys, which can be ignored.

# reduce TIME_WAIT pressure
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
# SYN flood protection
net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.ipv4.tcp_max_orphans = 16384
# conntrack tuning for iptables; only present while nf_conntrack is loaded
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
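Rather than telling people to ignore the errors from keys that are not present, a script can check each key against /proc/sys before writing it. The following is an added example, not part of the original post; the function names and the SYSCTL_ROOT variable are its own. It reads the same `key = value` format as sysctl.conf, defaults SYSCTL_ROOT to /proc/sys (writing there needs root), and reports each key as set or skipped.

```shell
#!/bin/bash
# Added example, not part of the original post: apply a sysctl key file
# only for keys this kernel actually exposes, so keys that are missing
# (the conntrack ones until nf_conntrack is loaded) are reported as
# skipped rather than producing errors to "ignore". SYSCTL_ROOT is a
# variable of this example; it defaults to /proc/sys and the test points
# it at a temporary directory tree. Writing to /proc/sys needs root.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# trim STRING: strip leading and trailing whitespace, keep inner spaces
# (values such as "4000 65000" contain one).
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# sysctl_path KEY: net.ipv4.tcp_syncookies -> $SYSCTL_ROOT/net/ipv4/tcp_syncookies
# (dots become slashes; keys naming an interface with a dot in it, such as
# VLAN devices, would need the sysctl(8) "/" form instead).
sysctl_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# sysctl_key_exists KEY: true if the kernel exposes the key.
sysctl_key_exists() {
    [ -e "$(sysctl_path "$1")" ]
}

# apply_sysctl_file FILE
# Parses "key = value" lines (blank lines and # comments ignored), writes
# each existing key, prints one "set"/"skip" line per key and returns the
# number of skipped keys as exit status (0 means everything was applied).
apply_sysctl_file() {
    local file="$1" line key value skipped=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        case "$line" in *=*) ;; *) continue ;; esac
        key="$(trim "${line%%=*}")"
        value="$(trim "${line#*=}")"
        [ -n "$key" ] || continue
        if sysctl_key_exists "$key"; then
            printf '%s\n' "$value" > "$(sysctl_path "$key")"
            echo "set $key=$value"
        else
            echo "skip $key (not present on this kernel)"
            skipped=$((skipped + 1))
        fi
    done < "$file"
    return "$skipped"
}

# Typical use after editing /etc/sysctl.conf as root:
#   apply_sysctl_file /etc/sysctl.conf
```

The exit status makes the skipped keys visible to whatever runs the script (a configuration-management tool, or rc.local), which is more useful than a stream of error lines that everyone has been told to ignore.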

 

10. Clean the clientmqueue directory periodically

cron hands the output of every job to the local sendmail client; when no mail daemon picks it up, the messages accumulate in /var/spool/clientmqueue until the disk is full. Cleaning the directory treats the symptom; sending cron output to a log file instead of mail, or setting MAILTO="" in the crontab, removes the cause. First install sendmail to reproduce the situation:

[test@CentOS6 ~]$ sudo su - 
[root@CentOS6 ~]# yum install sendmail -y
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base                                                                   | 3.7 kB     00:00     
extras                                                                 | 3.4 kB     00:00     
updates                                                                | 3.4 kB     00:00     
Resolving Dependencies
--> Running transaction check
---> Package sendmail.x86_64 0:8.14.4-9.el6_8.1 will be installed
--> Processing Dependency: procmail for package: sendmail-8.14.4-9.el6_8.1.x86_64
--> Processing Dependency: libhesiod.so.0()(64bit) for package: sendmail-8.14.4-9.el6_8.1.x86_64
--> Running transaction check
---> Package hesiod.x86_64 0:3.1.0-19.el6 will be installed
---> Package procmail.x86_64 0:3.22-25.1.el6_5.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================
 Package              Arch               Version                       Repository        Size
==============================================================================================
Installing:
 sendmail             x86_64             8.14.4-9.el6_8.1              base             717 k
Installing for dependencies:
 hesiod               x86_64             3.1.0-19.el6                  base              20 k
 procmail             x86_64             3.22-25.1.el6_5.1             base             162 k

Transaction Summary
==============================================================================================
Install       3 Package(s)

Total download size: 899 k
Installed size: 1.9 M
Downloading Packages:
(1/3): hesiod-3.1.0-19.el6.x86_64.rpm                                  |  20 kB     00:00     
(2/3): procmail-3.22-25.1.el6_5.1.x86_64.rpm                           | 162 kB     00:00     
(3/3): sendmail-8.14.4-9.el6_8.1.x86_64.rpm                            | 717 kB     00:00     
----------------------------------------------------------------------------------------------
Total                                                         1.7 MB/s | 899 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : hesiod-3.1.0-19.el6.x86_64                                                 1/3 
  Installing : procmail-3.22-25.1.el6_5.1.x86_64                                          2/3 
  Installing : sendmail-8.14.4-9.el6_8.1.x86_64                                           3/3 
  Verifying  : procmail-3.22-25.1.el6_5.1.x86_64                                          1/3 
  Verifying  : sendmail-8.14.4-9.el6_8.1.x86_64                                           2/3 
  Verifying  : hesiod-3.1.0-19.el6.x86_64                                                 3/3 

Installed:
  sendmail.x86_64 0:8.14.4-9.el6_8.1                                                          

Dependency Installed:
  hesiod.x86_64 0:3.1.0-19.el6               procmail.x86_64 0:3.22-25.1.el6_5.1              

Complete!
[root@CentOS6 ~]# 

Clean by hand (note that piping find into xargs splits on whitespace, so a queue file whose name contains a space would survive or, worse, cause the wrong path to be removed; -print0 with xargs -0, or find's -delete, is safer):

[root@CentOS6 ~]# find /var/spool/clientmqueue/ -type f | xargs rm -f
[root@CentOS6 ~]# ll /var/spool/clientmqueue/ | wc -l
1
[root@CentOS6 ~]# 

Periodic cleanup

Create the script:

[root@CentOS6 ~]# mkdir /server/scripts -p
[root@CentOS6 ~]# vi  /server/scripts/del.sh

find /var/spool/clientmqueue/ -type f | xargs rm -f
~
~

Add it to cron (every Saturday at midnight; the redirect must be to /dev/null with a leading slash, otherwise cron creates a file named dev/null in its working directory):

[root@CentOS6 ~]# crontab -e 

#time sync by test at 2018-8-9
*/5 * * * * /usr/sbin/ntpdate time.nist.gov > /dev/null 2>&1
#del file by test at 2018-8-10
00 00 * * 6 /bin/sh /server/scripts/del.sh > /dev/null 2>&1
~
~
"/tmp/crontab.isSLZP" 4L, 182C written
crontab: installing new crontab
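del.sh above removes every file in the queue, including messages that are still being delivered, and inherits the whitespace problem of `find | xargs`. The following is an added example, not the post's del.sh; the function name and its DAYS argument are this example's own. It assumes a find that supports -mindepth and -delete (GNU and BSD both do) and removes only files older than a given number of days.

```shell
#!/bin/bash
# Added example, not the post's del.sh: purge queue files older than N days
# from a spool directory. Unlike `find | xargs rm -f`, this is safe for
# file names containing spaces, stays within one filesystem, and leaves
# fresh files (mail still being delivered) alone. Assumes GNU or BSD find
# with -delete and -mindepth.

# purge_old_files DIR [DAYS]  (DAYS defaults to 7)
# Prints the number of files removed; returns 1 if DIR does not exist.
purge_old_files() {
    local dir="$1" days="${2:-7}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # -mindepth 1 never touches DIR itself, -xdev stays on DIR's filesystem,
    # -mtime +N selects files last modified more than N days ago, and
    # -delete removes them in-process, so names never pass through a shell.
    # (-print feeds wc; a name containing a newline would be counted twice.)
    find "$dir" -mindepth 1 -xdev -type f -mtime +"$days" -print -delete | wc -l
}

# For the cron entry from the post, put the function above into
# /server/scripts/del.sh followed by the line:
#   purge_old_files /var/spool/clientmqueue 7
# and keep the crontab line:
#   00 00 * * 6 /bin/sh /server/scripts/del.sh > /dev/null 2>&1
```

The count is printed so the cron job can log how much it removed; redirect it to a log file instead of /dev/null if you want that history.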

 

11. Lock critical files against tampering

The immutable attribute prevents even root from modifying, deleting or renaming a file until the flag is removed:

[root@CentOS6 ~]# chattr +i /etc/passwd
[root@CentOS6 ~]# chattr +i /etc/shadow
[root@CentOS6 ~]# chattr +i /etc/group
[root@CentOS6 ~]# chattr +i /etc/gshadow
[root@CentOS6 ~]# chattr +i /etc/inittab

Check that passwords can no longer be changed and users no longer created:

[root@CentOS6 ~]# passwd
Changing password for user root.
New password:
Retype new password:
passwd: Authentication token manipulation error
[root@CentOS6 ~]# useradd tttt
useradd: cannot open /etc/passwd

The post then renames the chattr binary (remember the new name, or you lock yourself out as well). Understand what this buys: it is obscurity, not protection. An intruder with root can see the flag with lsattr, copy chattr from any other system, or make the ioctl call from Python or C. The immutable flag is useful against careless scripts and unsophisticated automated malware, not against a determined attacker who already has uid 0.

[root@CentOS6 ~]# mv /usr/bin/chattr /usr/bin/chattr_t
[root@CentOS6 ~]# chattr -i /etc/passwd
-bash: /usr/bin/chattr: No such file or directory
[root@CentOS6 ~]# chattr_t -i /etc/passwd

For the rest of this lab, unlock the files again and restore the command:

[root@CentOS6 ~]# mv /usr/bin/chattr_t /usr/bin/chattr
[root@CentOS6 ~]# chattr -i /etc/shadow
[root@CentOS6 ~]# chattr -i /etc/group
[root@CentOS6 ~]# chattr -i /etc/gshadow
[root@CentOS6 ~]# chattr -i /etc/inittab

 

12. Hide the version banner (the version strings shown by the services installed above should be hidden as well; that is covered later)

Before the change, the console login prompt shows the CentOS release and the kernel version, taken from /etc/issue. Note that this only affects the local console and serial logins; the SSH pre-login banner comes from /etc/issue.net via the Banner directive, and the protocol version string that sshd itself sends cannot be hidden.

Clear the file:

[root@CentOS6 ~]# cat /etc/issue
CentOS release 6.10 (Final)
Kernel \r on an \m
[root@CentOS6 ~]# > /etc/issue

 

 

 
