Initial settings after installing CentOS 7

  • 2020-05-12 06:41:12
  • OfStack

1. Add users

Add a user named "wang":


[root@vdevops ~]# useradd wang # add the account
[root@vdevops ~]# passwd wang # set its password
Changing password for user wang.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@vdevops ~]# exit # log out
Next, allow only members of the "wheel" group to switch to root with su, and make "wang" the single account with that right. (usermod -G replaces the user's supplementary groups; -aG appends to them, which is what is wanted here.)
[root@vdevops ~]# usermod -aG wheel wang
[root@vdevops ~]# vim /etc/pam.d/su
#%PAM-1.0 
auth sufficient pam_rootok.so 
# Uncomment the following line to implicitly trust users in the "wheel" group. 
#auth sufficient pam_wheel.so trust use_uid 
# Uncomment the following line to require a user to be in the "wheel" group. 
# uncomment the following line
auth required pam_wheel.so use_uid 
auth substack system-auth 
auth include postlogin 
account sufficient pam_succeed_if.so uid = 0 use_uid quiet 
account include system-auth 
password include system-auth 
session include system-auth 
session include postlogin 
session optional pam_xauth.so 
Forward root's mail to the new user. The comment below is the one in /etc/aliases; after editing that file, run newaliases so the new mapping takes effect.
# Person who should get root's mail
# last line: uncomment it and change the user name
root: wang
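The su restriction above depends on one line in /etc/pam.d/su being uncommented and on the neighbouring "trust" line staying commented (with "trust", wheel members would reach root without a password). The script below is an added example, not part of the original page: it makes that edit idempotently and verifies it, so it can be dry-run on a copy of the file before being applied to the real one as root. The file layout it expects is the stock CentOS 7 one shown above.

```shell
#!/bin/bash
# Added example (not from the original page): restrict su to the wheel group
# by editing /etc/pam.d/su (or a copy of it) and verifying the result.
# Apply to the real file as root:  ./pam_wheel.sh /etc/pam.d/su
set -eu

# Matches an active (uncommented) "auth required pam_wheel.so ..." line.
PAM_WHEEL_REQ='^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so'

# Return 0 when su is already limited to wheel members, 1 otherwise.
pam_wheel_enforced() {
    grep -qE "$PAM_WHEEL_REQ" "$1"
}

# Return 0 when the "trust" line is active. Wheel members could then su to
# root WITHOUT a password, which this setup does not want.
pam_wheel_trust_active() {
    grep -qE '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*trust' "$1"
}

# Uncomment the stock "#auth required pam_wheel.so use_uid" line in place.
# Idempotent: an already-enforcing file is left untouched. Returns 1 if the
# line could not be found, instead of silently doing nothing.
enable_pam_wheel() {
    local file=$1
    pam_wheel_enforced "$file" && return 0
    sed -i -E 's/^#[[:space:]]*(auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid)/\1/' "$file"
    pam_wheel_enforced "$file"
}

# Apply to the file given on the command line, if any.
if [ $# -gt 0 ]; then
    enable_pam_wheel "$1"
    if pam_wheel_trust_active "$1"; then
        echo "warning: pam_wheel 'trust' line is active in $1" >&2
    fi
fi
```

Check the result from a second terminal before logging out: su from a user who is not in wheel must now fail with "Permission denied" even with the correct root password.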

2. Set up the firewall and SELinux

[1] firewall

Check the firewall status


[root@vdevops ~]# systemctl status firewalld 
● firewalld.service - firewalld - dynamic firewall daemon 
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) 
Active: active (running) since Wed 2016-10-26 01:09:49 CST; 1h 36min ago 
Main PID: 744 (firewalld) 
CGroup: /system.slice/firewalld.service 
└─744 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid 
Oct 26 01:09:46 vdevops.com systemd[1]: Starting firewalld - dynamic firewall daemon... 
Oct 26 01:09:49 vdevops.com systemd[1]: Started firewalld - dynamic firewall daemon. 

Basic firewall operation


[root@vdevops ~]# systemctl start firewalld # start the firewall service
[root@vdevops ~]# systemctl enable firewalld # start it automatically at boot

By default the "public" zone is assigned to the NIC, and it allows only dhcpv6-client and ssh.

With firewall-cmd, a command that does not specify --zone=*** applies to the default zone.


# show the default zone
[root@vdevops ~]# firewall-cmd --get-default-zone 
public 
# show the current settings of the default zone
[root@vdevops ~]# firewall-cmd --list-all 
public (default, active) 
interfaces: eno16777736 
sources: 
services: dhcpv6-client ssh 
ports: 
masquerade: no 
forward-ports: 
icmp-blocks: 
rich rules: 
# show all zones
[root@vdevops ~]# firewall-cmd --list-all-zones 
block 
interfaces: 
sources: 
services: 
ports: 
masquerade: no 
forward-ports: 
icmp-blocks: 
rich rules: 

dmz 
interfaces: 
sources: 
services: ssh 
ports: 
masquerade: no 
forward-ports: 
icmp-blocks: 
rich rules: 
... 
# show the services allowed in a given zone
[root@vdevops ~]# firewall-cmd --list-service --zone=external 
ssh 
# change the default zone (note that the external zone has masquerading on, as the listing below shows; it is meant for a host that acts as a NAT gateway, not for an ordinary server)
[root@vdevops ~]# firewall-cmd --set-default-zone=external 
success 
# assign an interface to a zone (eth1 is a second NIC on this host; skip this step on a single-NIC system)
[root@vdevops ~]# firewall-cmd --change-interface=eth1 --zone=external 
success 
# show the configuration of a given zone
[root@vdevops ~]# firewall-cmd --list-all --zone=external 
external (default, active) 
interfaces: eno16777736 eth1 
sources: 
services: ssh 
ports: 
masquerade: yes 
forward-ports: 
icmp-blocks: 
rich rules: 

List the predefined services


[root@vdevops ~]# firewall-cmd --get-services 
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https 
# the service definitions are the XML files in the directory below; to define a new service, add a corresponding XML file (put your own definitions in /etc/firewalld/services, since this directory belongs to the firewalld package and is overwritten on update)
[root@vdevops ~]# ls /usr/lib/firewalld/services 
amanda-client.xml freeipa-ldap.xml ipp.xml libvirt.xml pmcd.xml RH-Satellite-6.xml tftp-client.xml 
bacula-client.xml freeipa-replication.xml ipsec.xml mdns.xml pmproxy.xml rpc-bind.xml tftp.xml 
bacula.xml ftp.xml iscsi-target.xml mountd.xml pmwebapis.xml rsyncd.xml transmission-client.xml 
dhcpv6-client.xml high-availability.xml kerberos.xml ms-wbt.xml pmwebapi.xml samba-client.xml vdsm.xml 
dhcpv6.xml https.xml kpasswd.xml mysql.xml pop3s.xml samba.xml vnc-server.xml 
dhcp.xml http.xml ldaps.xml nfs.xml postgresql.xml smtp.xml wbem-https.xml 
dns.xml imaps.xml ldap.xml ntp.xml proxy-dhcp.xml ssh.xml 
freeipa-ldaps.xml ipp-client.xml libvirt-tls.xml openvpn.xml radius.xml telnet.xml

Services added or removed this way change only the running configuration and are gone after a restart of firewalld or a reboot. Add --permanent to change the saved configuration as well. A permanent change takes effect at the next --reload, and --reload also discards all runtime-only changes, so either make each change both ways or save the tested runtime state with --runtime-to-permanent.


# example: allow the http service (runtime only)
[root@vdevops ~]# firewall-cmd --add-service=http 
success 
[root@vdevops ~]# firewall-cmd --list-service 
http ssh 
# remove it again
[root@vdevops ~]# firewall-cmd --remove-service=http 
success 
[root@vdevops ~]# firewall-cmd --list-service 
ssh 
# allow the http service permanently, then reload so the saved configuration becomes the running one
[root@vdevops ~]# firewall-cmd --add-service=http --permanent
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh

Add and remove ports


[root@vdevops ~]# firewall-cmd --add-port=465/tcp # Add the port  
success 
[root@vdevops ~]# firewall-cmd --list-port 
465/tcp 
[root@vdevops ~]# firewall-cmd --remove-port=465/tcp # Remove the port  
success 
[root@vdevops ~]# firewall-cmd --list-port 
[root@vdevops ~]# firewall-cmd --add-port=465/tcp --permanent # Add port permanently  
success 
[root@vdevops ~]# firewall-cmd --reload 
success 
[root@vdevops ~]# firewall-cmd --list-port 
465/tcp
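The runtime/permanent split above is where most firewalld surprises come from: a service or port opened without --permanent silently disappears at the next --reload or reboot. The script below is an added example, not part of the original page. It compares the output of "firewall-cmd --list-all" with "firewall-cmd --list-all --permanent" and lists what exists only at runtime; the parsing works on saved listings, so the functions can be checked without firewalld, and the live check at the end runs only where firewalld is present. It assumes the --runtime-to-permanent option, available in firewalld 0.4 and later.

```shell
#!/bin/bash
# Added example (not from the original page): find runtime-only firewalld
# changes that would be lost on "firewall-cmd --reload" or a reboot, by
# comparing "firewall-cmd --list-all" with "firewall-cmd --list-all --permanent".
set -eu

# Print the value of one field ("services", "ports", "interfaces", ...) from a
# --list-all listing read on stdin, e.g. "dhcpv6-client ssh".
zone_field() {
    awk -v f="$1:" '$1 == f { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Print the items of FIELD that are in the runtime listing but not in the
# permanent one, one per line.  Usage: drift_items FIELD RUNTIME_FILE PERM_FILE
drift_items() {
    local field=$1 runtime perm item
    runtime=$(zone_field "$field" < "$2")
    perm=" $(zone_field "$field" < "$3") "
    for item in $runtime; do
        case "$perm" in
            *" $item "*) ;;        # present in both: nothing to do
            *) echo "$item" ;;     # runtime only: will vanish on reload
        esac
    done
}

# Report drift for the fields that decide what is reachable. Returns 1 if any.
report_drift() {
    local rc=0 field found
    for field in services ports; do
        found=$(drift_items "$field" "$1" "$2")
        if [ -n "$found" ]; then
            echo "runtime-only $field:" $found
            rc=1
        fi
    done
    return $rc
}

# Live check when firewalld is installed and running (skipped elsewhere).
if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    rt=$(mktemp) pm=$(mktemp)
    firewall-cmd --list-all > "$rt"
    firewall-cmd --list-all --permanent > "$pm"
    report_drift "$rt" "$pm" || echo "hint: firewall-cmd --runtime-to-permanent saves these" >&2
    rm -f "$rt" "$pm"
fi
```

Run it after a round of firewall-cmd changes: anything it lists must either be repeated with --permanent (and a --reload) or saved with --runtime-to-permanent, otherwise the next reload closes it again.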

Add or remove blocked ICMP types


[root@dlp ~]# firewall-cmd --add-icmp-block=echo-request # block ICMP echo requests (ping)
success 
[root@dlp ~]# firewall-cmd --list-icmp-blocks 
echo-request 
[root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request # remove the block again
success 
[root@dlp ~]# firewall-cmd --list-icmp-blocks 
[root@dlp ~]# firewall-cmd --get-icmptypes # list the supported ICMP types
destination-unreachable echo-reply echo-request parameter-problem redirect 
router-advertisement router-solicitation source-quench time-exceeded

[2] If you do not need the firewall service, stop it as follows. Every listening service is then reachable from the network, so only do this on a host that is already behind another firewall.


[root@vdevops ~]# systemctl stop firewalld # Stop firewall service  
[root@vdevops ~]# systemctl disable firewalld # Do not start the firewall  
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. 
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service. 
[3] SELinux
[root@vdevops ~]# getenforce # show the current SELinux mode
Enforcing 
[root@vdevops ~]# sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config # disable SELinux from the next boot (the value in the file is lower-case; a pattern written "Enforcing" matches nothing and changes nothing)
[root@vdevops ~]# setenforce 0 # switch to permissive mode right away, without a reboot (denials are logged but not enforced; this is not the same as disabled)

Disabling SELinux removes a layer of confinement from every service on the host. Keep it enforcing where you can and use permissive mode to troubleshoot denials; going back from disabled to enforcing later requires a full filesystem relabel at boot.
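The sed above changes nothing if its pattern does not match, and sed does not report that. The helper below is an added example, not part of the original page: it sets the SELINUX= line in /etc/selinux/config (or a copy of it) to one of the three valid modes and verifies the edit actually matched, so a silent no-op becomes a failure. It assumes the stock file layout, with SELINUX= and SELINUXTYPE= on separate lines.

```shell
#!/bin/bash
# Added example (not from the original page): change the SELINUX= mode in
# /etc/selinux/config and verify the change, instead of trusting a sed that
# may have matched nothing.  Usage: ./selinux_mode.sh FILE enforcing|permissive|disabled
set -eu

# Print the mode configured for the next boot, lower-cased.
# Only "SELINUX=" matches; "SELINUXTYPE=" and comment lines are skipped.
selinux_config_mode() {
    sed -nE 's/^[[:space:]]*SELINUX=([A-Za-z]+).*/\1/p' "$1" | tr 'A-Z' 'a-z' | head -n 1
}

# Rewrite the SELINUX= line to MODE and fail unless the file now says so.
set_selinux_config_mode() {
    local file=$1 mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    sed -i -E "s/^([[:space:]]*SELINUX=)[A-Za-z]+/\1${mode}/" "$file"
    [ "$(selinux_config_mode "$file")" = "$mode" ]
}

if [ $# -eq 2 ]; then
    set_selinux_config_mode "$1" "$2"
    echo "next-boot SELinux mode: $(selinux_config_mode "$1")"
fi
```

The file only affects the next boot; "getenforce" reports the running state, and "setenforce 0" or "1" changes it immediately between permissive and enforcing (it cannot switch to disabled).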

4. Network settings

[1] Set a static IP address


[root@vdevops ~]# nmcli c modify eno16777736 ipv4.addresses 10.1.1.56/24 # static IP address
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.gateway 10.1.1.1 # default gateway
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.dns 10.1.1.1 # DNS server
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.method manual # static (manual) IPv4 addressing instead of DHCP
[root@vdevops ~]# nmcli c down eno16777736;nmcli c up eno16777736 # re-activate the connection to apply the change (over ssh, the session drops if the address changes)
Connection 'eno16777736' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/0) 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1) 
[root@vdevops ~]# nmcli d show eno16777736 # show the device status
GENERAL.DEVICE: eno16777736 
GENERAL.TYPE: ethernet 
GENERAL.HWADDR: 00:0C:29:B6:F5:5E 
GENERAL.MTU: 1500 
GENERAL.STATE: 100 (connected) 
GENERAL.CONNECTION: eno16777736 
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/1 
WIRED-PROPERTIES.CARRIER: on 
IP4.ADDRESS[1]: 10.1.1.56/24 
IP4.GATEWAY: 10.1.1.1 
IP4.DNS[1]: 10.1.1.1 
IP6.ADDRESS[1]: fe80::20c:29ff:feb6:f55e/64 
IP6.GATEWAY: 
[root@vdevops ~]# ip addr show # show the IP configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
inet 127.0.0.1/8 scope host lo 
valid_lft forever preferred_lft forever 
inet6 ::1/128 scope host 
valid_lft forever preferred_lft forever 
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 
link/ether 00:0c:29:b6:f5:5e brd ff:ff:ff:ff:ff:ff 
inet 10.1.1.56/24 brd 10.1.1.255 scope global eno16777736 
valid_lft forever preferred_lft forever 
inet6 fe80::20c:29ff:feb6:f55e/64 scope link 
valid_lft forever preferred_lft forever 

[2] Disable IPv6



[3] To use ethX-style interface names instead of the predictable names, configure as follows.


[root@vdevops ~]# vim /etc/default/grub 
# line 6: add net.ifnames=0 inside the quotes (ipv6.disable=1, already on this line, is the kernel parameter that disables IPv6)
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 net.ifnames=0 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
# after the reboot the NIC comes up as eth0, but the connection profile from [1] is still bound to the name eno16777736; update it before rebooting (for example: nmcli c modify eno16777736 connection.interface-name eth0), otherwise the static address is not applied
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg 
Generating grub configuration file ... 
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64 
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img 
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64 
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img 
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94 
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img 
done
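Editing GRUB_CMDLINE_LINUX by hand is where a lost closing quote or a parameter added twice slips in, and grub2-mkconfig will happily regenerate grub.cfg from a broken line. The script below is an added example, not part of the original page: it appends a kernel parameter inside the quotes only if it is not already there, and refuses to touch a line that is not well-formed. It assumes the stock /etc/default/grub layout with the value on one line; run grub2-mkconfig -o /boot/grub2/grub.cfg afterwards, as the page shows.

```shell
#!/bin/bash
# Added example (not from the original page): add a kernel parameter such as
# net.ifnames=0 to GRUB_CMDLINE_LINUX in /etc/default/grub without breaking the
# quoting and without adding it twice.  Usage: ./grub_param.sh FILE PARAM
set -eu

# Print the current GRUB_CMDLINE_LINUX value without the surrounding quotes.
grub_cmdline() {
    sed -nE 's/^GRUB_CMDLINE_LINUX="(.*)"[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Return 0 if PARAM (e.g. net.ifnames=0) is already on the command line.
grub_has_param() {
    local file=$1 param=$2 p
    for p in $(grub_cmdline "$file"); do
        [ "$p" = "$param" ] && return 0
    done
    return 1
}

# Append PARAM inside the quotes of GRUB_CMDLINE_LINUX, idempotently.
# Fails if there is no well-formed GRUB_CMDLINE_LINUX="..." line, so a missing
# closing quote is caught here rather than at boot time.
# (PARAM must not contain "|", which is the sed delimiter used below.)
grub_add_param() {
    local file=$1 param=$2
    grub_has_param "$file" "$param" && return 0
    grep -qE '^GRUB_CMDLINE_LINUX=".*"[[:space:]]*$' "$file" || {
        echo "no well-formed GRUB_CMDLINE_LINUX line in $file" >&2
        return 1
    }
    sed -i -E "s|^(GRUB_CMDLINE_LINUX=\".*)\"[[:space:]]*\$|\1 ${param}\"|" "$file"
    grub_has_param "$file" "$param"
}

if [ $# -eq 2 ]; then
    grub_add_param "$1" "$2"
    echo "GRUB_CMDLINE_LINUX is now: $(grub_cmdline "$1")"
fi
```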

4. Service settings

[1] Check the service status


# list the running services
[root@vdevops ~]# systemctl -t service 
UNIT LOAD ACTIVE SUB DESCRIPTION 
auditd.service loaded active running Security Auditing Service 
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack 
crond.service loaded active running Command Scheduler 
dbus.service loaded active running D-Bus System Message Bus 
getty@tty1.service loaded active running Getty on tty1 
... 
... 
... 
systemd-udevd.service loaded active running udev Kernel Device Manager 
systemd-update-utmp.service loaded active exited Update UTMP about System Reboot/Shutdown 
systemd-user-sessions.service loaded active exited Permit User Sessions 
systemd-vconsole-setup.service loaded active exited Setup Virtual Console 
tuned.service loaded active running Dynamic System Tuning Daemon 
LOAD = Reflects whether the unit definition was properly loaded. 
ACTIVE = The high-level unit activation state, i.e. generalization of SUB. 
SUB = The low-level unit activation state, values depend on unit type. 
39 loaded units listed. Pass --all to see loaded but inactive units, too. 
To show all installed unit files use 'systemctl list-unit-files'. 
# list all service unit files and whether they start at boot
[root@vdevops ~]# systemctl list-unit-files -t service 
UNIT FILE STATE 
auditd.service enabled 
autovt@.service disabled 
avahi-daemon.service enabled 
blk-availability.service disabled 
brandbot.service static 
... 
... 
... 
systemd-user-sessions.service static 
systemd-vconsole-setup.service static 
teamd@.service static 
tuned.service enabled 
wpa_supplicant.service disabled 
125 unit files listed.

[2] Stop services from starting automatically



[3] Some SysV services remain, and they are controlled by chkconfig, as shown below



5. Update the system and add other repositories



Add other repositories

Add some useful external repositories for installing software.

[1] Install the plugin that lets each installed repository be given a priority.



[2] Add the EPEL repository provided by the Fedora project


[root@vdevops ~]# yum -y install epel-release 
# set priority=5 in every section of the repo file (honoured only when the priorities plugin from [1] is installed)
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=5/g" /etc/yum.repos.d/epel.repo 
# setting enabled=0 keeps the repository off by default, so packages come from it only when you ask
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo 
# with enabled=0, enable the repository explicitly for a single install
[root@vdevops ~]# yum --enablerepo=epel install [Package]

[3] Add the CentOS SCLo software collections repository.


[root@vdevops ~]# yum -y install centos-release-scl-rh centos-release-scl 
# set priority=10
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo 
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo 
# set enabled=0
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo 
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo 
# with enabled=0, enable the repository explicitly for a single install
[root@vdevops ~]# yum --enablerepo=centos-sclo-rh install [Package] 
[root@vdevops ~]# yum --enablerepo=centos-sclo-sclo install [Package]
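The sed one-liners used for EPEL in [2] and for SCLo in [3] append a fresh priority= line after every line that ends in "]", so running them a second time leaves duplicate keys in each section. The script below is an added example, not part of the original page: it sets a key to a value in every [section] of a .repo file, replacing the key where it exists and inserting it after the section header where it does not, so it can be re-run safely. It assumes the usual .repo layout (keys written as key=value at the start of a line) and, like the page, that priorities are only honoured with the priorities plugin installed.

```shell
#!/bin/bash
# Added example (not from the original page): set "priority=N" and "enabled=0"
# in every [section] of a yum .repo file, idempotently.
# Usage: ./repo_priority.sh /etc/yum.repos.d/epel.repo 5
set -eu

# Print the value of KEY in SECTION, or nothing if it is unset.
repo_get() {  # repo_get FILE SECTION KEY
    awk -v s="[$2]" -v k="$3" '
        /^\[/ { in_s = ($0 == s) }
        in_s && index($0, k "=") == 1 { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# Set KEY=VALUE in every section of FILE. The file is read twice: the first
# pass records which sections already have the key, the second pass replaces
# it in place or inserts it right after the section header.
repo_set_all() {  # repo_set_all FILE KEY VALUE
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        NR == FNR { if (/^\[/) s = $0; else if (index($0, k "=") == 1) has[s] = 1; next }
        /^\[/ { s = $0; print; if (!has[s]) print k "=" v; next }
        index($0, k "=") == 1 { print k "=" v; next }
        { print }
    ' "$file" "$file" > "$tmp"
    cat "$tmp" > "$file"   # write through, keeping the file's owner and mode
    rm -f "$tmp"
}

# The page's recipe for a third-party repository: a priority, and off by
# default so it is only used with --enablerepo.
configure_repo() {  # configure_repo FILE PRIORITY
    repo_set_all "$1" priority "$2"
    repo_set_all "$1" enabled 0
}

if [ $# -eq 2 ]; then
    configure_repo "$1" "$2"
fi
```

Verify with "yum repolist all" afterwards: the repository should show as disabled, and "yum --enablerepo=epel info <package>" should still find its packages.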

[4] Add the Remi RPM repository, which provides many useful packages



6. Set up vim

[1] Install vim


[root@vdevops ~]# yum -y install vim-enhanced

[2] Set an alias

Set a command alias. The setting below applies to all users; to set it for one user only, write the same line in that user's ~/.bashrc.


[root@dlp ~]# vi /etc/profile 
# add the following line at the end
alias vi='vim' 
[root@dlp ~]# source /etc/profile # reload the file

or

echo "alias vi='vim'" >> /etc/profile && source /etc/profile

[3] To configure vim for all users, edit /etc/vimrc; for a single user, edit ~/.vimrc.

The main settings are syntax highlighting, plugins, automatic indentation and so on. They are not covered in detail here; a separate post on tuning vim will follow.

7. Set up sudo

Configure sudo to separate duties when several people share administrative rights. There is no need to install it by hand: it is present by default, even on a "minimal" install.

[1] Grant an ordinary user all of root's privileges


[root@vdevops ~]# visudo 
# add the following line: user "wang" may run any command as any user
wang ALL=(ALL) ALL 
# running a root-only command as an ordinary user
# make sure you are logged in as 'wang'
[wang@vdevops ~]$ /usr/bin/cat /etc/shadow 
cat: /etc/shadow: Permission denied # denied, as expected
[wang@vdevops ~]$ sudo /usr/bin/cat /etc/shadow 
[sudo] password for wang: # wang's own password, not root's
daemon:*:16231:0:99999:7::: 
adm:*:16231:0:99999:7::: 
lp:*:16231:0:99999:7::: 
... 
... 
# after entering wang's password the command runs as root and the file is shown

[2] Prevent the user from running dangerous commands


[root@vdevops ~]# visudo 
# line 49: define a command alias SHUTDOWN
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init 
# user wang may run everything except the commands in SHUTDOWN
wang ALL=(ALL) ALL, !SHUTDOWN 
# make sure you are logged in as 'wang'
[wang@vdevops ~]$ sudo /sbin/shutdown -r now 
Sorry, user wang is not allowed to execute '/sbin/shutdown -r now' as root on vdevops.com. # denied, as expected

This exclusion only guards against accidents. The rule still grants ALL, so wang can start a root shell with sudo /bin/bash and reboot from there, or copy the binary to another path and run that; sudoers(5) itself warns that subtracting commands from ALL is not a security boundary. To actually limit a user, grant an explicit list of commands instead, as in [3].

[3] Create a dedicated group whose members may run some of root's commands


[root@vdevops ~]# visudo 
# line 51: define the alias USERMGR for the user-management commands
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd 
# add at the end: members of group usermgr may run the USERMGR commands
%usermgr ALL=(ALL) USERMGR 
[root@vdevops ~]# groupadd usermgr 
[root@vdevops ~]# usermod -aG usermgr wang # -a appends, so wang keeps the wheel membership from section 1
# make sure you are logged in as wang
[wang@vdevops ~]$ sudo /usr/sbin/useradd testuser 
# after entering wang's password the user is created; setting its password succeeds as well
[wang@vdevops ~]$ sudo /usr/bin/passwd testuser 
Changing password for user testuser. 
New UNIX password: 
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.

Be aware that this set of commands is close to full root: sudo /usr/bin/passwd root changes the root password, and useradd -o -u 0 creates a second uid-0 account. At minimum restrict passwd the way the sudoers(5) example does, with /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root, and keep the sudo log from [4].

[4] Log sudo to its own file

sudo's log lines go to /var/log/secure, mixed in with many other authentication messages. To keep sudo's log in a file of its own, set it up as follows:


[root@vdevops ~]# visudo 
# add at the end: send sudo's messages to the local1 syslog facility
Defaults syslog=local1 
[root@vdevops ~]# vi /etc/rsyslog.conf 
# line 54: add local1.none so these messages do not also land in /var/log/messages
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages 
# add the following line
local1.* /var/log/sudo.log 
[root@vdevops ~]# systemctl restart rsyslog # restart the rsyslog service

After this change sudo entries no longer appear in /var/log/secure, so point log collection and any alerting on sudo use at /var/log/sudo.log, and add the new file to logrotate.
