Initialize after CentOS 7 installation is complete
Copyright statement: This article is an original article by Shaon Puppet. Please indicate the original address for reprinting. Thank you very much. https://blog.csdn.net/wh211212/article/details/52923673
1、 Add user
Add a user named "wang"
[ root@vdevops ~]# useradd wang #Add account [root@vdevops ~]# passwd wang #Setting password Changing password for user wang. New password: Retype new password: passwd: all authentication tokens updated successfully. [root@vdevops ~] # exit #Exit
Take the user "wang" as an example, set it as the only account with administrator rights
[ root@vdevops ~]# usermod -G wheel wang [root@vdevops ~]# vim /etc/pam.d/su
# %PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
# auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# Uncomment the following line
auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid =0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
Set up email forwarding for root account
Person who should get root's mail # The last line, uncomment, change the user name root: wang
2、 Set up firewall and SELINUX
【1】Firewall
View firewall status
[ root@vdevops ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded:loaded(/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active:active(running) since Wed 2016-10-2601:09:49 CST; 1h 36min ago
Main PID:744(firewalld)
CGroup:/system.slice/firewalld.service
└─744/usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Oct 2601:09:46 vdevops.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 2601:09:49 vdevops.com systemd[1]: Started firewalld - dynamic firewall daemon.
Basic firewall operation
[ root@vdevops ~]# systemctl start firewalld #Start firewall
[ root@vdevops ~]# systemctl enable firewalld #Set the firewall to start automatically
By default, the "public" zone is applied to the NIC, and dhcpv6-client and ssh are allowed. When using the "firewall-cmd" command to operate, if the input command does not carry the "--zone = ***" specification, the configuration is set to the default zone.
# Show default area
[ root@vdevops ~]# firewall-cmd --get-default-zone
public
# Show current settings
[ root@vdevops ~]# firewall-cmd --list-all
public(default, active)
interfaces: eno16777736
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
# Show all areas
[ root@vdevops ~]# firewall-cmd --list-all-zones
block
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
dmz
interfaces:
sources:
services: ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:...
# Show services allowed in a specific area
[ root@vdevops ~]# firewall-cmd --list-service --zone=external
ssh
# Change the default area
[ root@vdevops ~]# firewall-cmd --set-default-zone=external
success
# Change the interface of the designated area
[ root@vdevops ~]# firewall-cmd --change-interface=eth1 --zone=external
success
# Display the status of the designated area
[ root@vdevops ~]# firewall-cmd --list-all --zone=external
external(default, active)
interfaces: eno16777736 eth1
sources:
services: ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
# Note: Change the interface of the designated area, provided that the secondary interface exists in the current system
Show default defined services
[ root@vdevops ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openV** pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https
# The definition file path is as follows. If you need to add a new definition file, add the corresponding XML file in the following directory
[ root@vdevops ~]# ls /usr/lib/firewalld/services
amanda-client.xml freeipa-ldap.xml ipp.xml libvirt.xml pmcd.xml RH-Satellite-6.xml tftp-client.xml
bacula-client.xml freeipa-replication.xml ipsec.xml mdns.xml pmproxy.xml rpc-bind.xml tftp.xml
bacula.xml ftp.xml iscsi-target.xml mountd.xml pmwebapis.xml rsyncd.xml transmission-client.xml
dhcpv6-client.xml high-availability.xml kerberos.xml ms-wbt.xml pmwebapi.xml samba-client.xml vdsm.xml
dhcpv6.xml https.xml kpasswd.xml mysql.xml pop3s.xml samba.xml vnc-server.xml
dhcp.xml http.xml ldaps.xml nfs.xml postgresql.xml smtp.xml wbem-https.xml
dns.xml imaps.xml ldap.xml ntp.xml proxy-dhcp.xml ssh.xml
freeipa-ldaps.xml ipp-client.xml libvirt-tls.xml openV**.xml radius.xml telnet.xml
Add or delete allowed services, and after restarting the system, the changes will be restored. If you change the settings permanently, add the "--permanent" option.
# Take adding http service as an example
[ root@vdevops ~]# firewall-cmd --add-service=http
success
[ root@vdevops ~]# firewall-cmd --list-service
http ssh
# Remove the added http
< pre name="code"class="html">[root@vdevops ~]# firewall-cmd --remove-service=http
success
[ root@vdevops ~]# firewall-cmd --list-service
ssh
# Add http service, permanent effect
[ root@vdevops ~]# firewall-cmd --add-service=http --permanentsuccess [root@vdevops ~]# firewall-cmd --reloadsuccess[root@vdevops ~]# firewall-cmd --list-servicehttp ssh
Add and remove ports
[ root@vdevops ~]# firewall-cmd --add-port=465/tcp #Add port
success
[ root@vdevops ~]# firewall-cmd --list-port
465 /tcp
[ root@vdevops ~]# firewall-cmd --remove-port=465/tcp #Remove port
success
[ root@vdevops ~]# firewall-cmd --list-port
[ root@vdevops ~]# firewall-cmd --add-port=465/tcp --permanent #Add port, permanent effect
success
[ root@vdevops ~]# firewall-cmd --reload
success
[ root@vdevops ~]# firewall-cmd --list-port
465 /tcp
Add or delete prohibited ICMP types
[ root@dlp ~]# firewall-cmd --add-icmp-block=echo-request #Add prohibit response request
success
[ root@dlp ~]# firewall-cmd --list-icmp-blocks
echo-request
[ root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request #Remove added parameters
success
[ root@dlp ~]# firewall-cmd --list-icmp-blocks
[ root@dlp ~]# firewall-cmd --get-icmptypes #Show ICMP supported functions
destination-unreachable echo-reply echo-request parameter-problem redirect
router-advertisement router-solicitation source-quench time-exceeded
[2] If the firewall service is not needed, turn it off as follows
[ root@vdevops ~]# systemctl stop firewalld #Stop firewall service
[ root@vdevops ~]# systemctl disable firewalld #Prohibit the firewall from booting up
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
3、 SELinux
[ root@vdevops ~]# getenforce #View SELINUX working mode
Enforcing
[ root@vdevops ~]# sed -i 's/SELINUX=Enforcing/SELINUX=disabled/'/etc/selinux/config #Disable SELINUX
[ root@vdevops ~]# setenforce 0 #Temporarily disable SELINUX without restarting
4、 Network setting [1], set static IP and change interface name
[ root@vdevops ~]# nmcli c modify eno16777736 ipv4.addresses 10.1.1.56/24 #Set static IP
[ root@vdevops ~]# nmcli c modify eno16777736 ipv4.gateway 10.1.1.1 #Set up the gateway
[ root@vdevops ~]# nmcli c modify eno16777736 ipv4.dns 10.1.1.1 #Set up DNS
[ root@vdevops ~]# nmcli c modify eno16777736 ipv4.method manual #Set the type of ipv4 to static
[ root@vdevops ~]# nmcli c down eno16777736;nmcli c up eno16777736 #Restart network interface
Connection 'eno16777736' successfully deactivated(D-Bus active path:/org/freedesktop/NetworkManager/ActiveConnection/0)
Connection successfully activated(D-Bus active path:/org/freedesktop/NetworkManager/ActiveConnection/1)[root@vdevops ~]# nmcli d show eno16777736 #View network interface status
GENERAL.DEVICE: eno16777736
GENERAL.TYPE: ethernet
GENERAL.HWADDR:00:0C:29:B6:F5:5E
GENERAL.MTU:1500
GENERAL.STATE:100(connected)
GENERAL.CONNECTION: eno16777736
GENERAL.CON-PATH:/org/freedesktop/NetworkManager/ActiveConnection/1
WIRED-PROPERTIES.CARRIER: on
IP4.ADDRESS[1]:10.1.1.56/24
IP4.GATEWAY:10.1.1.1
IP4.DNS[1]:10.1.1.1
IP6.ADDRESS[1]: fe80::20c:29ff:feb6:f55e/64
IP6.GATEWAY:[root@vdevops ~]# ip addr show #Check IP status
1: lo:<LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno16777736:<BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:b6:f5:5e brd ff:ff:ff:ff:ff:ff
inet 10.1.1.56/24 brd 10.1.1.255 scope global eno16777736
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:feb6:f55e/64 scope link
valid_lft forever preferred_lft forever
[2] Disable IPV6
[ root@vdevops ~]# vim /etc/default/grub
# Sixth line, add
GRUB_CMDLINE_LINUX="crashkernel=auto <span style="color:#FF0000;">ipv6.disable=1</span> rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image:/boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image:/boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image:/boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image:/boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image:/boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image:/boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
[ root@vdevops ~]# reboot #Restart the system
[3] If you want to use the network interface name as ethX, please configure it as shown below.
[ root@vdevops ~]# vim /etc/default/grub
# Add on the sixth line
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 <span style="color:#FF0000;">net.ifnames=0</span> rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet
[ root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image:/boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image:/boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image:/boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image:/boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image:/boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image:/boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
4、 Service settings [1], view service status
# Show running services
[ root@vdevops ~]# systemctl -t service
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
[email protected] loaded active running Getty on tty1
.........
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-update-utmp.service loaded active exited Update UTMP about System Reboot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
systemd-vconsole-setup.service loaded active exited Setup Virtual Console
tuned.service loaded active running Dynamic System Tuning Daemon
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.39 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
# Show all services
[ root@vdevops ~]# systemctl list-unit-files -t service
UNIT FILE STATE
auditd.service enabled
[email protected] disabled
avahi-daemon.service enabled
blk-availability.service disabled
brandbot.service static.........
systemd-user-sessions.service static
systemd-vconsole-setup.service static
[email protected] static
tuned.service enabled
wpa_supplicant.service disabled
125 unit files listed.
[2]、 Set stop and start automatic service
[ root@vdevops ~]# systemctl stop postfix #Out of service
[ root@vdevops ~]# systemctl disable postfix
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service.[root@vdevops ~]# systemctl start postfix
[ root@vdevops ~]# systemctl enable postfix
Created symlink from/etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service.[root@vdevops ~]# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
Loaded:loaded(/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
Active:active(running) since Wed 2016-10-2618:40:35 CST; 15s ago
Main PID:10071(master)
CGroup:/system.slice/postfix.service
├─10071/usr/libexec/postfix/master -w
├─10072 pickup -l -t unix -u
└─10073 qmgr -l -t unix -u
Oct 2618:40:35 vdevops.com postfix[9999]:/usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 2618:40:35 vdevops.com postfix[9999]:/usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 2618:40:35 vdevops.com postfix[9999]: postsuper: warning: inet_protocols: disabling IPv6 name/address support: Address family no...rotocol
Oct 2618:40:35 vdevops.com postfix[9999]:/usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ...rotocol
Oct 2618:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 2618:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 2618:40:35 vdevops.com postfix/master[10071]: daemon started -- version 2.10.1, configuration /etc/postfix
Oct 2618:40:35 vdevops.com systemd[1]: Started Postfix Mail Transport Agent.
Oct 2618:40:35 vdevops.com postfix/qmgr[10073]: warning: inet_protocols: disabling IPv6 name/address support: Address family not sup...rotocol
Oct 2618:40:35 vdevops.com postfix/pickup[10072]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Hint: Some lines were ellipsized, use -l to show in full.
[3]、 There are also some SysV services. They are controlled by chkconfig as shown below
[ root@vdevops ~]# chkconfig --list
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.
If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
' systemctl list-dependencies [target]'.
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
5、 Update the system to add other sources yum update -y
Add other sources Add some useful external repositories to install useful software [1] Install plugins to add priority to each installed repository.
[ root@vdevops ~]# yum -y install yum-plugin-priorities
# Set the priority of the official source to[priority=1][root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=1/g"/etc/yum.repos.d/CentOS-Base.repo
[2] Add EPEL repository provided from Fedora project
[ root@vdevops ~]# yum -y install epel-release
# Set priority[priority=5][root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=5/g"/etc/yum.repos.d/epel.repo
# You can set enabled=0, to control the use of the corresponding source when installing the package
[ root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g"/etc/yum.repos.d/epel.repo
# in case[enabled=0],Use the following command to install the package
[ root@vdevops ~]# yum --enablerepo=epel install [Package]
[3] Add the CentOS SCLo software collection repository.
[ root@vdevops ~]# yum -y install centos-release-scl-rh centos-release-scl
# Set priority[priority=10][root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g"/etc/yum.repos.d/CentOS-SCLo-scl.repo
[ root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g"/etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# Set up[enabled=0][root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g"/etc/yum.repos.d/CentOS-SCLo-scl.repo
[ root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g"/etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# Set up[enabled=0],Use the corresponding source with the following command
[ root@vdevops ~]# yum --enablerepo=centos-sclo-rh install [Package][root@vdevops ~]# yum --enablerepo=centos-sclo-sclo install [Package]
[4] Add Remi’s RPM repository, which provides many useful packages
[ root@vdevops ~]# yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
# Set priority[priority=10][root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g"/etc/yum.repos.d/remi-safe.repo
6、 Configure featured vim [1] install vim
[ root@vdevops ~]# yum -y install vim-enhanced
[2] Set alias Set the alias of the command. (Applicable to all users below, if you apply for a user, please write the same settings in "~/.bashrc")
[ root@dlp ~]# vi /etc/profile
# Add the following line of content at the end
alias vi='vim'[root@dlp ~]# source /etc/profile #Overload
or
echo "alias vi='vim'">>/etc/profile && source /etc/profile
[3] Configure vim, modify /etc/vimrc for all users, and modify /etc/vimrc for specific users. ~/.vimrc is mainly used for syntax highlighting, plug-in use, automatic indentation, etc. This article does not do detailed operations, and will be written later A blog post about optimizing the use of vim. If you want to do well, you must first sharpen your tools. 7. Set sudo. Configure sudo to distinguish user responsibilities. If some people share permissions, you must install sudo manually because it is installed by default, even if "minimal" Installation" [1] Set ordinary users to have all root permissions
[ root@vdevops ~]# visudo
# Add the following line to make the user "wang" have all the permissions of root
wang ALL=(ALL) ALL
# Ordinary users use the root command
# Make sure the user is'wang'[wang@vdevops ~]$ /usr/bin/cat /etc/shadow
cat:/etc/shadow: Permission denied# denied normally
[ wang@vdevops ~]$ sudo /usr/bin/cat /etc/shadow
[ sudo] password for cent:# own password
daemon:*:16231:0:99999:7:::
adm:*:16231:0:99999:7:::
lp:*:16231:0:99999:7:::......
# Enter the password of wang to see the execution result
[2] Set users not to execute dangerous commands
[ root@vdevops ~]# visudo
# 49 Row:Define alias SHUTDOWN
Cmnd_Alias SHUTDOWN =/sbin/halt,/sbin/shutdown,/sbin/poweroff,/sbin/reboot,/sbin/init
# Set user wang not to execute the command corresponding to the alias SHUTDOWN
wang ALL=(ALL) ALL,!SHUTDOWN
# Make sure the user is'wang'[wang@vdevops ~]$ sudo /sbin/shutdown -r now
Sorry, user cent is not allowed to execute '/sbin/shutdown -r now'as root on vdevops.com. # denied normally
[3] Create a special group, group users can execute some root commands
[ root@vdevops ~]# visudo
# 51 Row:Set the alias to USERMGR for several commands for managing users
Cmnd_Alias USERMGR =/usr/sbin/useradd,/usr/sbin/userdel,/usr/sbin/usermod,/usr/bin/passwd
# Add in the last line
%usermgr ALL=(ALL) USERMGR
[ root@vdevops ~]# groupadd usermgr
[ root@vdevops ~]# usermod -G usermgr wang
# Make sure the user is wang
[ wang@vdevops ~]$ sudo /usr/sbin/useradd testuser
# Enter the password of user wang, view the creation result, and show success
[ wang@vdevops ~]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:
Retype newUNIX password:
passwd: all authentication tokens updated successfully.
[4] Set sudo log The sudo log is stored in /var/log/secure, but there are many types of logs in it. If you want to keep only the sudo log in a file, set it as follows:
[ root@vdevops ~]# visudo
# Add in the last line
Defaults syslog=local1
[ root@vdevops ~]# vi /etc/rsyslog.conf
# Modify in line 54 and add<span style="color:#FF6666;">local1.none</span>*.info;mail.none;authpriv.none;cron.none;<span style="color:#FF6666;">local1.none</span>/var/log/messages
# Add the following line of content
local1.*/var/log/sudo.log
[ root@vdevops ~]# systemctl restart rsyslog #Restart rsyslog service
Recommended Posts