yum clean [packages|header|all]

packages:将已下载的软件文件删除

headers:将下载的软件文件头删除

all:将所有容器数据都删除

 

添加镜像站点:mirrorlist=http://ftp.twaren.net/Linux/CentOS/6/os/x86_64/

http://free.nchc.org.tw/drbl-core/i386/RPMS.drbl-stable/

 

 

 

[root@szm ~]# nmap  localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2013-03-23 14:32 CST

Nmap scan report for localhost (127.0.0.1)

Host is up (0.000017s latency).

rDNS record for 127.0.0.1: localhost.localdomain

Not shown: 995 closed ports

PORT    STATE SERVICE

22/tcp  open  ssh

25/tcp  open  smtp

111/tcp open  rpcbind

139/tcp open  netbios-ssn

445/tcp open  microsoft-ds

 

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds

 

 

扫描本机的TCP/UDP端口:[root@szm ~]# nmap -sTU localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2013-03-23 14:31 CST

Nmap scan report for localhost (127.0.0.1)

Host is up (0.0028s latency).

rDNS record for 127.0.0.1: localhost.localdomain

Not shown: 1990 closed ports

PORT    STATE         SERVICE

22/tcp  open          ssh

25/tcp  open          smtp

111/tcp open          rpcbind

139/tcp open          netbios-ssn

445/tcp open          microsoft-ds

68/udp  open|filtered dhcpc

111/udp open          rpcbind

137/udp open          netbios-ns

138/udp open|filtered netbios-dgm

781/udp open|filtered hp-collector

Nmap done: 1 IP address (1 host up) scanned in 2.14 seconds

 

 

扫描网段主机IP情况:
[root@szm ~]# nmap -sP 172.16.128.0/24

扫描网段主机IP与端口情况:
[root@szm ~]# nmap 172.16.128.0/24
 

 stand alone:/etc/init.d/sshd restart

super daemon:/etc/init.d/xinetd restart(配置文件一般在:etc/xinetd.d)

 

关闭端口占用:
1.[root@szm ~]# netstat -tnlp | grep 111

 

tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1878/rpcbind
tcp        0      0 :::111                      :::*                        LISTEN      1878/rpcbind
 
2.[root@szm ~]# which rpcbind
/sbin/rpcbind
 
3.[root@szm ~]# rpm -qf /sbin/rpcbind
rpcbind-0.2.0-8.el6.i686
 
4.[root@szm ~]# rpm -qc rpcbind | grep init
/etc/rc.d/init.d/rpcbind
 
telnet服务器:
[root@szm ~]# rpm -qc telnet-server
/etc/xinetd.d/telnet
 
 service telnet
{
socket_type=stream
wait=no
user=root
server=/usr/sbin/in.telnetd
log_on_failure+=USERID
disable=yes
}
第一行,说明该配置用来设置telnet服务。
第二行,说明Socket连接类型是stream,也就是TCP
第三行,是指不等待到启动完成
第四行,是指以root用户启动服务进程
第五行,是指服务进程是/usr/sbin/in.telnetd
第六行,是用于做一些出错日志
第七行,是指禁止远方telnet,如果需要开放则将该配置改为:disable=no
修改了xinetd的配置,需要重启xinetd才能够生效,有两种方法可以实现:
1) 执行如下命令:
/etc/rc.d/init.d/xinetd restart
2) 执行如下命令:
killall -HUP xinetd

 

 

 

[root@szm ~]# netstat -tnlp | grep 23

tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2233/master

tcp        0      0 :::23                       :::*                        LISTEN      3759/xinetd

 
[root@szm ~]# chkconfig --list | grep rpcbind
rpcbind         0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@szm ~]# chkconfig --level 35 rpcbind off
 
常见必须要存在的服务:
[root@szm ~]# chkconfig --list | grep acpid 电源管理模块
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@szm ~]# chkconfig --list | grep atd 单一计划任务
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
[root@szm ~]# chkconfig --list | grep crond 计划任务
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@szm ~]# chkconfig --list | grep haldaemon 检测硬件变更
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
[root@szm ~]# chkconfig --list | grep iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@szm ~]# chkconfig --list | grep network
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@szm ~]# chkconfig --list | grep postfi 内部邮件传递服务
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@szm ~]# chkconfig --list | grep rsyslog日志
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@szm ~]# chkconfig --list | grep sshd
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@szm ~]# chkconfig --list | grep xinetd
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
 
[root@szm ~]# rpm -qc $(rpm -qf $(which rpc.statd))
/etc/nfsmount.conf
/etc/rc.d/init.d/nfs
/etc/rc.d/init.d/nfslock
/etc/rc.d/init.d/rpcgssd
/etc/rc.d/init.d/rpcidmapd
/etc/rc.d/init.d/rpcsvcgssd
/etc/sysconfig/nfs
/var/lib/nfs/etab
/var/lib/nfs/rmtab
/var/lib/nfs/state
/var/lib/nfs/xtab
 
[root@szm bin]# sh closedaemon.sh
Shutting down NFS mountd:                                  [FAILED]
Shutting down NFS daemon:                                  [FAILED]
Shutting down NFS quotas:                                  [FAILED]
Stopping NFS statd:                                        [  OK  ]
Stopping RPC gssd:                                         [FAILED]
Stopping RPC idmapd:                                       [  OK  ]
Stopping xinetd:                                           [  OK  ]
Stopping rpcbind:                                          [  OK  ]
[root@szm bin]# cat closedaemon.sh
for daemon in nfs nfslock rpcgssd rpcidmapd rpcsvcgssd xinetd rpcbind
do
        chkconfig $daemon off
        /etc/init.d/$daemon stop
done

 SELinux使用所谓的委任式访问控制(Mandatory Access Control,MAC)

策略1 :targeted,针对网络服务限制较多,针对本机限制较少,是默认的策略

策略2 :完整的SELinux限制,限制方面较为严格

安全性环境存放在Inode内

 

 

 

[root@szm bin]# ls -Z

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 closedaemon.sh

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 lftp

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 lftp.sh

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 ping.sh

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 ping.txt

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 useradd.sh

 Identify:role:type(身份识别,角色,类型)

身份识别:
root:表示Root的帐号身份
system_u:表示系统程序方面的识别,通常就是程序
user_u:代表的是一般用户账号相关的身份

角色:
object_r:文件或目录等文件资源;
system_r:代表的就是程序

类型:(默认targeted策略,前两个字段基本上是不重要的)
Type:在文件资源(object)中称为类型(Type)
Domain:在主体程序(subject)中则称为域(Domain)

Selinux的三种模式:
1.Enforcing:
2.Permissive:警告,可以用于Debug
3.Disabled:

[root@szm ~]# ll -Zd /usr/sbin/httpd /var/www/html/

 

 

-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd

drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/

 
[root@szm ~]# getenforce
Enforcing
 
(Diable)改动后必须重新启动,因为SELinux是整合到内核中的
[root@szm ~]# cat /etc/selinux/config
 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
 

 如果SELinux出错了,可以切换到Permissive下使用命令:restorecon -Rv /还原Selinux类型

复制SELinux会变为目标目录SELinux,移动文件SELinux不会变

 

 

[root@szm ~]# cp /etc/hosts /root/

[root@szm ~]# ls -dZ /etc/hosts /root/hosts /root/

-rw-r--r--. root root system_u:object_r:net_conf_t:s0  /etc/hosts

dr-xr-x---. root root system_u:object_r:admin_home_t:s0 /root/

-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 /root/hosts

 
[root@szm ~]# ll -Zd /tmp/ /tmp/hosts
drwxrwxrwt. root root system_u:object_r: tmp_t:s0       /tmp/
-rw-r--r--. root root unconfined_u:object_r: admin_home_t:s0 /tmp/hosts

 

 

[root@szm ~]# chcon -t net_conf_t /tmp/hosts
[root@szm ~]# ll -Z /tmp/hosts

-rw-r--r--. root root unconfined_u:object_r:net_conf_t:s0 /tmp/hosts

 
[root@szm ~]# chcon --reference=/var/spool/mail/ /tmp/hosts
[root@szm ~]# ll -Z /tmp/hosts
-rw-r--r--. root root system_u:object_r:mail_spool_t:s0 /tmp/hosts
 

 

 

 

[root@szm ~]# mv /tmp/hosts /root/

[root@szm ~]# ll -Z /root/hosts

-rw-r--r--. root root system_u:object_r:mail_spool_t:s0 /root/hosts

[root@szm ~]# restorecon -Rv /root/

restorecon reset /root/.ssh context system_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0

restorecon reset /root/.ssh/known_hosts context unconfined_u:object_r:ssh_home_t:s0->system_u:object_r:home_ssh_t:s0

restorecon reset /root/hosts context system_u:object_r:mail_spool_t:s0->system_u:object_r:admin_home_t:s0

restorecon reset /root/.gstreamer-0.10/registry.i686.bin context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:gstreamer_home_t:s0

目录默认的SELinux类型:
[root@szm ~]# ls /etc/selinux/targeted/contexts/
customizable_types      default_type            initrc_context          securetty_types         virtual_domain_context
dbus_contexts           failsafe_context        netfilter_contexts      userhelper_context      virtual_p_w_picpath_context
default_contexts        files/                  removable_context       users/                  x_contexts
 
 
 

 

semanage {boolean|login|user|port|interface|module|node|fcontext} -{l|D|E} [-n]
semanage fcontext -{ a|d|m} [-efrst] file_spec
[root@szm ~]# semanage fcontext -l | grep '/var/www/html'
/var/www/html/[^/]*/cgi-bin(/.*)?                  all files          system_u:object_r: httpd_sys_script_exec_t:s0
/var/www/html/configuration\.php                   all files          system_u:object_r: httpd_sys_rw_content_t:s0
/var/www/html/munin(/.*)?                          all files          system_u:object_r: httpd_munin_content_t:s0
/var/www/html/munin/cgi(/.*)?                      all files          system_u:object_r: httpd_munin_script_exec_t:s0
[root@szm ~]# mkdir /srv/vbird
[root@szm ~]# ll -Zd /srv/vbird/
drwxr-xr-x. root root unconfined_u:object_r: var_t:s0   /srv/vbird/
[root@szm ~]# semanage fcontext -l | grep '/srv'
/etc/rc\.d/init\.d/srvsvcd                         regular file       system_u:object_r:likewise_initrc_exec_t:s0
/srv                                               directory          system_u:object_r:var_t:s0
/srv/([^/]*/)?ftp(/.*)?                            all files          system_u:object_r: public_content_t:s0
/srv/([^/]*/)?rsync(/.*)?                          all files          system_u:object_r:public_content_t:s0
/srv/([^/]*/)?www(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0
/srv/.*                                            all files          system_u:object_r:var_t:s0
/srv/gallery2(/.*)?                                all files          system_u:object_r:httpd_sys_content_t:s0
/srv/git(/.*)?                                     all files          system_u:object_r:git_system_content_t:s0
/usr/sbin/srvsvcd                                  regular file       system_u:object_r:srvsvcd_exec_t:s0
/var/run/srvsvcd.pid                               regular file       system_u:object_r:srvsvcd_var_run_t:s0
配置vbird下的所有文件:
[root@szm ~]# semanage fcontext -a -t public_content_t "/srv/vbird/.*)"
[root@szm ~]# semanage fcontext -l | grep '/srv/vbird'
/srv/vbird/(/.*)                                   all files          system_u:object_r: public_content_t:s0
 
查看SELinux:
[root@szm ~]# cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.
 
/srv/vbird/.*    system_u:object_r:public_content_t:s0
[root@szm ~]# restorecon -Rv /srv/vbird/
restorecon reset /srv/vbird context unconfined_u:object_r:var_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /srv/vbird/bbb context unconfined_u:object_r:var_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /srv/vbird/ccc context unconfined_u:object_r:var_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /srv/vbird/aaa context unconfined_u:object_r:var_t:s0->system_u:object_r:public_content_t:s0
 
配置Vbird这个文件夹和这个文件夹一的所有文件:
[root@szm ~]# semanage fcontext -a -t public_content_t "/srv/vbird(/.*)?"
[root@szm ~]# restorecon -Rv /srv/vbird/
restorecon reset /srv/vbird context unconfined_u:object_r:var_t:s0->system_u:object_r:public_content_t:s0

[root@szm ~]# yum install setools-console
[root@szm ~]# seinfo

Statistics for policy file: /etc/selinux/targeted/policy/policy.24
Policy Version & Type: v.24 (binary, mls)
 
   Classes:            77    Permissions:       229
   Sensitivities:       1    Categories:       1024
   Types:            3073    Attributes:        250
   Users:               9    Roles:              13
   Booleans:          168    Cond. Expr.:       203
   Allow:          269649    Neverallow:          0
   Auditallow:         44    Dontaudit:      162489
   Type_trans:      10914    Type_change:        38
   Type_member:        44    Role allow:         20
   Role_trans:        241    Range_trans:      2590
   Constraints:        64    Validatetrans:       0
   Initial SIDs:       27    Fs_use:             22
   Genfscon:           82    Portcon:           378
   Netifcon:            0    Nodecon:             0
   Permissives:        21    Polcap:              2
 
[root@szm ~]# seinfo -r (role)
[root@szm ~]# seinfo -u (user)
[root@szm ~]# seinfo -t (type)
[root@szm ~]# seinfo -b | grep httpd

查询SELinux解析:
[root@szm ~]# sesearch --all -t httpd_sys_content_t
[root@szm ~]# sesearch --all -b httpd_enable_homedirs

SEbool设置情况:
[root@szm ~]# getsebool -a

 

 

[root@szm ~]# getsebool httpd_enable_homedirs

httpd_enable_homedirs --> off

[root@szm ~]# setsebool -P httpd_enable_homedirs=1(-P将设置写入配置文件)

[root@szm ~]# getsebool httpd_enable_homedirs

httpd_enable_homedirs --> on

 setroubleshoot服务会将关于SELinux的错误信息与克服方法记录到/var/log/messages与/var/log/setroubleshoot/*中。

 

 [root@szm ~]# yum install setroubleshoot setroubleshoot-server

[root@szm ~]# /etc/init.d/auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]
 CentOS 6.x对setroubleshoot的动作方式是:先由auditd去呼叫audispd服务,然后audispd服务去启动sedispatch程序,sedispatch再将原本的auditd信息转成setrouble

解决SELinux问题示例:
1.[root@szm ~]# cat /var/log/messages | grep setroubleshoot
 
2.[root@szm ~]# sealert -l 88a27066-910c-4f9d-bd33-e44e6200413c

3. Fix Command:

/sbin/restorecon '/var/www/html/index.html'

[root@szm ~]# vi /etc/setroubleshoot/setroubleshoot.cfg
 recipients_filepath = /var/lib/setroubleshoot/email_alert_recipients
 console = True
 
[root@szm ~]# cat /var/lib/setroubleshoot/email_alert_recipients
root@localhost
464421145@qq.com