防火墙技术
配置主机名
节点配置主机名:
[root@localhost ~]# hostnamectl set-hostname user1
//退出并重新连接虚拟机
[root@user1 ~]# hostnamectl
Static hostname: user1
Icon name: computer-vm
Chassis: vm
Machine ID: 17d24d21f1c34b699c19d5e84762b3fe
Boot ID: 6ea800f863564e11afc5d91d65fafb3f
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-327.el7.x86_64
Architecture: x86-64redis2节点配置主机名:
[root@localhost ~]# hostnamectl set-hostname user2
//退出并重新连接虚拟机
[root@user2 ~]# hostnamectl
Static hostname: user2
Icon name: computer-vm
Chassis: vm
Machine ID: 17d24d21f1c34b699c19d5e84762b3fe
Boot ID: d6c808d94d6b4501b5ad740429e23aa4
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-327.el7.x86_64
Architecture: x86-64
将centos镜像上传并挂载,所有节点配置yum源
所有节点配置本地yum源。
[root@user1 ~]# mkdir /opt/centos
[root@user1 ~]# mount CentOS-7-x86_64-DVD-1511.iso /opt/centos
mount: /dev/loop0 is write-protected, mounting read-only
[root@user1 ~]# rm -rf /etc/yum.repos.d/*
[root@user1 ~]# cat /etc/yum.repos.d/local.repo
[centos]
name=centos
baseurl=file:///opt/centos
gpgcheck=0
enabled=1
在两个节点安装并启动httpd和mariadb服务,并在user2上新建一个网页。
[root@user1 ~]# yum install mariadb-server httpd -y
[root@user1 ~]# systemctl start httpd
[root@user1 ~]# systemctl start mariadb
[root@user2 ~]# yum install mariadb-server httpd -y
[root@user2 ~]# systemctl start httpd
[root@user2 ~]# systemctl start mariadb
[root@user2 ~]# echo welcome to beijing > /var/www/html/index.html
此时user2主机进行控制其他机器访问。
[root@user2 ~]# iptables -A INPUT -s 192.168.20.1,127.0.0.1 -j ACCEPT //允许本地windows系统访问
[root@user2 ~]# iptables -A INPUT -j REJECT //拒绝其他所有主机访问本机
[root@user2 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 8 560 ACCEPT all – * * 192.168.20.1 0.0.0.0/0
2 0 0 ACCEPT all – * * 127.0.0.1 0.0.0.0/0
3 0 0 REJECT all – * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3 packets, 308 bytes)
num pkts bytes target prot opt in out source destination
[root@user2 html]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 15 1012 ACCEPT all – * * 192.168.20.1 0.0.0.0/0
2 0 0 ACCEPT all – * * 127.0.0.1 0.0.0.0/0
3 0 0 REJECT all – * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8 packets, 1568 bytes)
num pkts bytes target prot opt in out source destination
此时user1主机无法访问user2主机。
[root@user1 ~]# curl 192.168.20.20
curl: (7) Failed connect to 192.168.20.20:80; Connection refused
此时只允许user1用户访问本机的httpd服务。
[root@user2 ~]# iptables -I INPUT 3 -s 192.168.20.10 -p tcp --dport 80 -j ACCEPT
[root@user2 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 126 9352 ACCEPT all – * * 192.168.20.1 0.0.0.0/0
2 0 0 ACCEPT all – * * 127.0.0.1 0.0.0.0/0
3 0 0 ACCEPT tcp – * * 192.168.20.10 0.0.0.0/0 tcp dpt:80
4 1 60 REJECT all – * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 7 packets, 772 bytes)
num pkts bytes target prot opt in out source destination
此时user1主机通过TCP协议就可以访问user2主机的httpd服务内容。
[root@user1 ~]# curl 192.168.20.20
welcome to beijing
在user2主机将mysql数据库允许user1主机访问。
[root@user2 ~]# iptables -I INPUT 3 -s 192.168.20.10 -p tcp --dport 3306 -j ACCEPT
[root@user2 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 220 16328 ACCEPT all – * * 192.168.20.1 0.0.0.0/0
2 0 0 ACCEPT all – * * 127.0.0.1 0.0.0.0/0
3 0 0 ACCEPT tcp – * * 192.168.20.10 0.0.0.0/0 tcp dpt:3306
4 6 397 ACCEPT tcp – * * 192.168.20.10 0.0.0.0/0 tcp dpt:80
5 1 60 REJECT all – * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 13 packets, 1580 bytes)
num pkts bytes target prot opt in out source destination
在user2主机将mysql数据库允许user1主机访问,并验证。
[root@user2 ~]# mysql -e “grant all on . to test@‘192.168.20.%’ identified by ‘centos’”
[root@user1 ~]# mysql -utest -pcentos -h192.168.20.20 //在user1节点验证
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 6
Server version: 5.5.44-MariaDB MariaDB Server
Copyright © 2000, 2015, Oracle, MariaDB Corporation Ab and others.
Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.
MariaDB [(none)]>
Zabbix监控
环境软件包
节点名称 ip地址 组件
controller 192.168.100.10 mysql,php,nginx,zabbix-server,zabbix-agent
compute 192.168.100.20 mysql,php,nginx,zabbix-agent
2台服务器,1台zabbix_server,1台zabbix_agent
2台服务器配置50G硬盘,内存2G以上,cpu2个
软件包zabbix-4.0.3.tar, zabbix-agent-4.0.3-1.el7.x86_64.rpm, lnmp1.6-full.tar
Zabbix server机器装载mysql,php,nginx,zabbix-server,zabbix-agent
Zabbix agent机器装载mysql,php,nginx,zabbix-agent
1.lnmp环境配置
导入lnmp1.6-full.tar,并解压出来,里面存放的是lnmp环境一键部署脚本;
tar –zxvf lnmp1.6-full.tar –C /usr/local
cd /usr/local /lnmp1.6-full
修改脚本环境变量配置文件:
vi lnmp.conf
MySQL_Data_Dir=’/data/mysql/’
执行脚本:./install.sh lnmp
目前提供了较多的MySQL、MariaDB版本和不安装数据库的选项,需要注意的是MySQL 5.6,5.7及MariaDB 10必须在1G以上内存的更高配置上才能选择!
输入对应MySQL或MariaDB版本前面的序号,回车进入下一步
设置MySQL的root密码,输入后回车进入下一步,如下图所示:
询问是否需要启用MySQL InnoDB,InnoDB引擎默认为开启,一般建议开启!直接回车或输入 y ,输入完成,回车进入下一步。
注意:选择PHP 7+版本时需要自行确认PHP版本是否与自己的程序兼容。
输入要选择的PHP版本的序号,回车进入下一步,选择是否安装内存优化:
安装完成 如果显示Nginx: OK,MySQL: OK,PHP: OK
2.zabbix安装部署
Zabbix Server编译安装 安装依赖 yum install -y libevent-devel wget tar gcc gcc-c++ make net-snmp-devel libxml2-devel libcurl-devel 创建zabbix用户 useradd -s /sbin/nologin zabbix 下载zabbix源码包 cd /usr/local/src/ rz zabbix-4.0.3.tar.gz 解压编译 tar -zxvf zabbix-4.0.3.tar.gz cd zabbix-4.0.3 mv /usr/local/src/zabbix-4.0.3/* /usr/local/zabbix ./configure --prefix=/usr/local/zabbix --enable-server --enable-agent --with-mysql=/usr/local/mysql/bin/mysql_config --with-net-snmp --with-libcurl --with-libxml2 make && make install 选项说明 1) --prefix指定安装目录 2) --enable-server安装zabbix server 3) --enable-agent安装zabbix agent 4) --with-mysql用mysql来存储 环境变量设置: vim /etc/profile export PATH=$PATH:/usr/local/zabbix/sbin/:/usr/local/zabbix/bin/ source /etc/profile echo KaTeX parse error: Expected 'EOF', got '#' at position 174: …e utf8_bin; #̲#创建zabbix库和设置格式…) { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /data/nginx/zabbix$fastcgi_script_name; include fastcgi_params; } } mkdir /data/nginx/zabbix ##创建zabbix web 的文件目录 /etc/init.d/nginx reload cp -rf /usr/local/zabbix/frontends/php/* /data/nginx/zabbix ##把源码安装包路径下的文件cp到zabbix web文件目录当中 到浏览器通过http://192.168.100.10/setup.php 配置zabbix的初始化设置;
注:这里zabbix初始化设置会有报错,需要提前修改php.ini的配置文件; vim /usr/local/php/etc/php.ini post_max_size = 32M max_execution_time = 350 max_input_time = 350 date.timezone = Asia/Shanghai always_populate_raw_post_data = -1 重启php-fpm服务 /etc/init.d/php-fpm restart
Zabbix web界面部署:
测试登录:
登陆账户是Admin
密码是zabbix
设置中文
监控报警提示:Zabbix agent on Zabbix server is unreachable for 5 minutes 此提示为zabbix agent未启动导致的!
查看端口10051是否有启动: [root@controller frontends]# netstat -lntp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:10051 0.0.0.0:* LISTEN 25409/zabbix_server tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 23148/php-fpm: mast tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 25395/nginx: master tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN 25395/nginx: master tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 25395/nginx: master tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1145/sshd tcp6 0 0 :::3306 ::😗 LISTEN 12591/mysqld tcp6 0 0 :::22 ::😗 LISTEN 1145/sshd
3.zabbix agent客户端安装部署
下载源码包:
wget http://repo.zabbix.com/zabbix/4.0/rhel/7/x86_64/zabbix-agent-4.0.3-1.el7.x86_64.rpm rpm -ivh zabbix-agent-4.0.3-1.el7.x86_64.rpm 安装完后我们后面经常使用的文件如路径如下 /etc/zabbix/zabbix_agentd.conf ##zabbix_agentd配置文件 /etc/zabbix/zabbix_agentd.d ##zabbix_agentd进程文件 /var/run/zabbix/zabbix_agentd.pid ##zabbix_agentd pid文件路径 /var/log/zabbix/zabbix_agentd.log ##zabbix_agentd日志文件路径 修改配置文件mv /etc/zabbix/zabbix_agentd.conf /etc/zabbix/zabbix_agentd.confbak ##备份配置 cat /etc/zabbix/zabbix_agentd.confbak | egrep -v ‘^$|#’> zabbix_agentd.conf ##过滤一下空白行和注释 PidFile=/var/run/zabbix/zabbix_agentd.pid LogFile=/var/log/zabbix/zabbix_agentd.log LogFileSize=0 ListenPort=10050 StartAgents=3 ListenIP=0.0.0.0 Server=192.168.100.10 Hostname=Api1Bearead Include=/etc/zabbix/zabbix_agentd.d/.conf
###Server和ServerActive上配置的是zabbix server的ip Hostname建议为客户端主机名
systemctl restart zabbix-agent.service ###重启zabbix_agentd systemctl status zabbix-agent.service ###查看zabbix_agentd状态 systemctl enable zabbix-agent.service ###设置开机自启
查看日志:tail -f /var/log/zabbix/zabbix_agentd.log 1097:20190621:011903.883 IPv6 support: YES 1097:20190621:011903.883 TLS support: YES 1097:20190621:011903.883 ************************** 1097:20190621:011903.883 using configuration file: /etc/zabbix/zabbix_agentd.conf 1097:20190621:011903.884 agent #0 started [main process] 1111:20190621:011903.886 agent #1 started [collector] 1120:201906a8521:011903.886 agent #5 started [active checks #1] 1119:20190621:011903.887 agent #4 started [listener #3] 1113:20190621:011903.889 agent #2 started [listener #1] 1115:20190621:011903.891 agent #3 started [listener #2] 查看端口10050是否启动:[root@compute ~]# netstat -lntp | grep zabbix
tcp 0 0 0.0.0.0:10050 0.0.0.0: LISTEN 1064/zabbix_agentd
创建客户端监控主机:
解决中文乱码无法显示问题:
修改配置文件:
4.自定义监控脚本
修改agent配置文件/etc/zabbix/zabbix_agentd.conf UnsafeUserParameters=1 UserParameter=users, /bin/bash /scripts/user.sh 配置脚本: mkdir /scripts vi /scripts/user.sh #!/bin/bash ur=$(who |wc -l) if [ $ur -gt 3 ];then echo ‘1’ else echo ‘2’ fi 添加权限: chown -R zabbix.zabbix /scripts/ chmod 777 user.sh 测试脚本: ./user.sh 如果返回值为1说明在线用户超过3个,如果返回值为2,说明在线用户不超过3个; 生效配置 systemctl restart zabbix-agent systemctl status zabbix-agent netstat -lntp ##查看端口是否都启动了 服务端测试: [root@controller fonts]# zabbix_get -s 192.168.100.20 -k users 2 通过zabbix_get去测试获取脚本数据; 进入ZABBIX WEB配置 流程:配置—>主机->监控项->创建监控项 配置—>主机->触发器>创建触发器 具体配置参数如图所示: 验证: 客户端主机开多于三个用户,看是否会触发报警!
5.报警警邮件通知
安装mail服务
yum -y install sendmail mailx 邮件发送配置/etc/mail.rc set from=****@qq.com set smtp=smtp.qq.com set smtp-auth-user=@qq.com set smtp-auth-password= //smtp授权码 set smtp-auth=login 编写邮件发送脚本 [root@controller ~]# vi /scripts/mail.sh #!/bin/bash #send mail messages=echo $3 | tr '\r\n' '\n' subject=echo $2 | tr '\r\n' '\n' echo “ m e s s a g e s " ∣ m a i l − s " {messages}" | mail -s " messages"∣mail−s"{subject}” $1 >>/tmp/mailx.log 2>&1 对脚本以及日志输出文件授权: touch /tmp/mailx.log chown -R zabbix.zabbix /tmp/mailx.log chown -R zabbix.zabbix /scripts/ chmod +x /scripts/mail.sh 测试发送邮件是否成功: /scripts/mail.sh 972808939@qq.com “hello” “safsaf”
配置告警脚本所在位置/usr/local/zabbix/etc/zabbix_server.conf AlertScriptsPath=/scripts
到zabbix web界面设置告警媒介:管理-报警媒介类型-创建报警媒介
脚本参数: {ALERT.SENDTO} 收件人 {ALERT.SUBJECT} 邮件标题 {ALERT.MESSAGE} 邮件内容 配置告警接收用户,选择告警等级
创建邮件发送动作
告警标题 Problem: {EVENT.NAME}故障{TRIGGER.STATUS},服务器:{HOSTNAME1}发生: {TRIGGER.NAME}故障! 告警内容 告警主机:{HOSTNAME1} 告警时间:{EVENT.DATE} {EVENT.TIME} 告警等级:{TRIGGER.SEVERITY} 告警信息: {TRIGGER.NAME} 告警项目:{TRIGGER.KEY1} 问题详情:{ITEM.NAME}:{ITEM.VALUE} 当前状态:{TRIGGER.STATUS}:{ITEM.VALUE1} 事件ID:{EVENT.ID} 在操作中勾选Pause operations for suppressed problems–>新的 添加一下内容:选择添加! 恢复操作与操作那边一样: 恢复标题 恢复{TRIGGER.STATUS}, 服务器:{HOSTNAME1}: {TRIGGER.NAME}已恢复! 恢复内容 恢复告警设备: {HOSTNAME1} 触发名称: {TRIGGER.NAME} 告警时间:{EVENT.DATE} {EVENT.TIME} 告警等级:{TRIGGER.SEVERITY} 恢复详情: {ITEM.NAME}:{ITEM.VALUE} 恢复当前状态为:{TRIGGER.STATUS} 事件ID:{EVENT.ID} 测试停掉nginx服务:
恢复服务:
KVM技术
虚拟化(KVM)
最低0.47元/天 解锁文章
709
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
