1. Add users
Add a user named "wang"
[root@vdevops ~]# useradd wang #Add the account
[root@vdevops ~]# passwd wang #Set the password
Changing password for user wang.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@vdevops ~]# exit #quit
Take user "wang" as an example and make it the only account allowed to become root with su: put it in the "wheel" group and have pam_wheel require wheel membership in /etc/pam.d/su
[root@vdevops ~]# usermod -aG wheel wang #-a appends wheel to the user's existing supplementary groups instead of replacing them
[root@vdevops ~]# vim /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# (the next line is shown already uncommented)
auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
Set up mail forwarding for the root account in /etc/aliases (run "newaliases" afterwards so the change takes effect)
# Person who should get root's mail
# Last line: uncomment it and change the user name
root: wang
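The su restriction above can be applied and verified with a script rather than by hand. The following is an added example, not code from the original article: the functions take file paths so they can be exercised on copies (on a real host use /etc/pam.d/su and /etc/group), and the sample pam file is a constructed copy of the stock CentOS 7 layout.

```shell
#!/bin/sh
# Added example: enable the pam_wheel restriction on "su" idempotently and verify it.

# Exit 0 if an active (uncommented) "auth required|requisite pam_wheel.so" line exists.
su_restricted_to_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# Uncomment the stock "#auth required pam_wheel.so use_uid" line; if the file
# has no such line at all, insert one directly after the pam_rootok.so line.
enable_pam_wheel() {
    f=$1
    su_restricted_to_wheel "$f" && return 0          # already enforced, nothing to do
    if grep -Eq '^#[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid' "$f"; then
        sed -i -E 's/^#[[:space:]]*(auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid)/\1/' "$f"
    else
        sed -i '/pam_rootok\.so/a auth            required        pam_wheel.so use_uid' "$f"
    fi
    su_restricted_to_wheel "$f"
}

# user_in_group USER GROUP GROUPFILE: exit 0 if USER is a member of GROUP.
user_in_group() {
    grep -Eq "^$2:[^:]*:[^:]*:([^,]*,)*$1(,|$)" "$3"
}

# Constructed copy of the default CentOS 7 /etc/pam.d/su (pam_wheel still commented out).
write_sample_su_pam() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
EOF
}
```

On a real host, run `usermod -aG wheel wang` first and then `enable_pam_wheel /etc/pam.d/su` as root; running it a second time changes nothing.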
2. Set up the firewall and SELinux
[1] Firewall
View firewall status
[root@vdevops ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2016-10-26 01:09:49 CST; 1h 36min ago
Main PID: 744 (firewalld)
CGroup: /system.slice/firewalld.service
└─744 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Oct 26 01:09:46 vdevops.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 26 01:09:49 vdevops.com systemd[1]: Started firewalld - dynamic firewall daemon.
Basic firewall operation
[root@vdevops ~]# systemctl start firewalld #Start the firewall
[root@vdevops ~]# systemctl enable firewalld #Start the firewall automatically at boot
By default the "public" zone is assigned to the NIC, and only the dhcpv6-client and ssh services are allowed in.
When running "firewall-cmd", a command without an explicit "--zone=***" option applies to the default zone.
#Display the default zone
[root@vdevops ~]# firewall-cmd --get-default-zone
public
#Show the current settings
[root@vdevops ~]# firewall-cmd --list-all
public (default, active)
interfaces: eno16777736
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
#Show all zones
[root@vdevops ~]# firewall-cmd --list-all-zones
block
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
dmz
interfaces:
sources:
services: ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
...
#Display the services allowed in a specific zone
[root@vdevops ~]# firewall-cmd --list-service --zone=external
ssh
#Change the default zone
[root@vdevops ~]# firewall-cmd --set-default-zone=external
success
#Assign an interface to the specified zone
[root@vdevops ~]# firewall-cmd --change-interface=eth1 --zone=external
success
#Display the status of the specified zone
[root@vdevops ~]# firewall-cmd --list-all --zone=external
external (default, active)
interfaces: eno16777736 eth1
sources:
services: ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
#Note: an interface can only be assigned to a zone if that interface exists on the system (here eth1 is a second NIC)
Show the predefined services
[root@vdevops ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvir mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https
#The service definitions live in the directory below; to add a new service, put the corresponding XML file there
[root@vdevops ~]# ls /usr/lib/firewalld/services
amanda-client.xml freeipa-ldap.xml ipp.xml libvirt.xml pmcd.xml RH-Satellite-6.xml tftp-client.xml
bacula-client.xml freeipa-replication.xml ipsec.xml mdns.xml pmproxy.xml rpc-bind.xml tftp.xml
bacula.xml ftp.xml iscsi-target.xml mountd.xml pmwebapis.xml rsyncd.xml transmission-client.xml
dhcpv6-client.xml high-availability.xml kerberos.xml ms-wbt.xml pmwebapi.xml samba-client.xml vdsm.xml
dhcpv6.xml https.xml kpasswd.xml mysql.xml pop3s.xml samba.xml vnc-server.xml
dhcp.xml http.xml ldaps.xml nfs.xml postgresql.xml smtp.xml wbem-https.xml
dns.xml imaps.xml ldap.xml ntp.xml proxy-dhcp.xml ssh.xml
freeipa-ldaps.xml ipp-client.xml libvirt-tls.xml openvpn.xml radius.xml telnet.xml
Services added or removed this way take effect at runtime only; after a reboot (or a reload) the change is gone. To make a change permanent, add the "--permanent" option and then reload.
#Take adding the http service as an example
[root@vdevops ~]# firewall-cmd --add-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh
#Remove the http service that was just added
[root@vdevops ~]# firewall-cmd --remove-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
ssh
#Add the http service permanently
[root@vdevops ~]# firewall-cmd --add-service=http --permanent
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh
Add and remove ports
[root@vdevops ~]# firewall-cmd --add-port=465/tcp #Add a port
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp
[root@vdevops ~]# firewall-cmd --remove-port=465/tcp #Remove the port
success
[root@vdevops ~]# firewall-cmd --list-port
[root@vdevops ~]# firewall-cmd --add-port=465/tcp --permanent #Add the port permanently
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp
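A quick drift check for the runtime-versus-permanent distinction in the service and port sections above, added here as an example and not part of the original article. fw_check_zone wraps the real firewall-cmd; the other functions are pure string functions, so they can be exercised on constructed lists without firewalld.

```shell
#!/bin/sh
# Added example: report firewalld runtime settings that are missing from the
# permanent configuration, i.e. services and ports that will disappear after
# a reboot or "firewall-cmd --reload".

# words_missing "a b c" "b c" -> prints "a" (words of $1 that are absent from $2)
words_missing() {
    for w in $1; do
        case " $2 " in
            *" $w "*) ;;                 # present in the permanent list
            *) printf '%s\n' "$w" ;;
        esac
    done
}

# fw_runtime_only RUNTIME_SERVICES PERMANENT_SERVICES RUNTIME_PORTS PERMANENT_PORTS
# Prints one line per runtime-only item, prefixed with its kind; empty when in sync.
fw_runtime_only() {
    words_missing "$1" "$2" | sed 's/^/service: /'
    words_missing "$3" "$4" | sed 's/^/port: /'
}

# fw_check_zone [ZONE]: gather the four lists from the live system (default zone
# when ZONE is omitted) and print what would be lost on reload or reboot.
fw_check_zone() {
    zone=${1:+--zone=$1}
    fw_runtime_only \
        "$(firewall-cmd $zone --list-services)" \
        "$(firewall-cmd --permanent $zone --list-services)" \
        "$(firewall-cmd $zone --list-ports)" \
        "$(firewall-cmd --permanent $zone --list-ports)"
}
```

An empty result from `fw_check_zone` means every runtime service and port has a matching permanent entry; anything listed needs the same command repeated with `--permanent`.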
Add or remove blocked ICMP types
[root@dlp ~]# firewall-cmd --add-icmp-block=echo-request #Block ICMP echo requests (ping)
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
echo-request
[root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request #Remove the block just added
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
[root@dlp ~]# firewall-cmd --get-icmptypes #Show the ICMP types firewalld knows
destination-unreachable echo-reply echo-request parameter-problem redirect
router-advertisement router-solicitation source-quench time-exceeded
[2] If the firewall service is not needed, turn it off as follows
[root@vdevops ~]# systemctl stop firewalld #Stop the firewall service
[root@vdevops ~]# systemctl disable firewalld #Keep the firewall from starting at boot
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
3. SELinux
[root@vdevops ~]# getenforce #View the SELinux mode
Enforcing
[root@vdevops ~]# sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config #Disable SELinux from the next boot (the stock file spells the value in lower case; "permissive" instead of "disabled" keeps logging denials without enforcing them)
[root@vdevops ~]# setenforce 0 #Switch to permissive mode immediately, without a restart
4. Network settings
[1] Set a static IP (changing the interface name is covered in [3])
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.addresses 10.1.1.56/24 #Set the static IP
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.gateway 10.1.1.1 #Set the gateway
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.dns 10.1.1.1 #Set DNS
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.method manual #Set the IPv4 method to static
[root@vdevops ~]# nmcli c down eno16777736; nmcli c up eno16777736 #Restart the network interface
Connection 'eno16777736' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/0)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[root@vdevops ~]# nmcli d show eno16777736 #View the network interface status
GENERAL.DEVICE: eno16777736
GENERAL.TYPE: ethernet
GENERAL.HWADDR: 00:0C:29:B6:F5:5E
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONNECTION: eno16777736
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/1
WIRED-PROPERTIES.CARRIER: on
IP4.ADDRESS[1]: 10.1.1.56/24
IP4.GATEWAY: 10.1.1.1
IP4.DNS[1]: 10.1.1.1
IP6.ADDRESS[1]: fe80::20c:29ff:feb6:f55e/64
IP6.GATEWAY:
[root@vdevops ~]# ip addr show #View the IP status
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:b6:f5:5e brd ff:ff:ff:ff:ff:ff
inet 10.1.1.56/24 brd 10.1.1.255 scope global eno16777736
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:feb6:f55e/64 scope link
valid_lft forever preferred_lft forever
[2] Disable IPv6
[root@vdevops ~]# vim /etc/default/grub
#Sixth line: add ipv6.disable=1 to the kernel command line
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
[root@vdevops ~]# reboot #Restart the system
[3] If you want the network interfaces to use the traditional ethX names, configure as shown below.
[root@vdevops ~]# vim /etc/default/grub
#Sixth line: add net.ifnames=0 to the kernel command line
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 net.ifnames=0 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
4. Service settings
[1] Check the service status
# Display running services
[root@vdevops ~]# systemctl -t service
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
getty@tty1.service loaded active running Getty on tty1
...
...
...
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-update-utmp.service loaded active exited Update UTMP about System Reboot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
systemd-vconsole-setup.service loaded active exited Setup Virtual Console
tuned.service loaded active running Dynamic System Tuning Daemon
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
39 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
# Show all services
[root@vdevops ~]# systemctl list-unit-files -t service
UNIT FILE STATE
auditd.service enabled
autovt@.service disabled
avahi-daemon.service enabled
blk-availability.service disabled
brandbot.service static
...
...
...
systemd-user-sessions.service static
systemd-vconsole-setup.service static
teamd@.service static
tuned.service enabled
wpa_supplicant.service disabled
125 unit files listed.
[2] Stop or start a service, and disable or enable it at boot
[root@vdevops ~]# systemctl stop postfix #Stop the service
[root@vdevops ~]# systemctl disable postfix #Do not start it at boot
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service.
[root@vdevops ~]# systemctl start postfix
[root@vdevops ~]# systemctl enable postfix #Start it at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service.
[root@vdevops ~]# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2016-10-26 18:40:35 CST; 15s ago
Main PID: 10071 (master)
CGroup: /system.slice/postfix.service
├─10071 /usr/libexec/postfix/master -w
├─10072 pickup -l -t unix -u
└─10073 qmgr -l -t unix -u
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ... rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ... rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: postsuper: warning: inet_protocols: disabling IPv6 name/address support: Address family no ... rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address ... rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s ... rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s ... rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: daemon started -- version 2.10.1, configuration /etc/postfix
Oct 26 18:40:35 vdevops.com systemd[1]: Started Postfix Mail Transport Agent.
Oct 26 18:40:35 vdevops.com postfix/qmgr[10073]: warning: inet_protocols: disabling IPv6 name/address support: Address family not sup ... rotocol
Oct 26 18:40:35 vdevops.com postfix/pickup[10072]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s ... rotocol
Hint: Some lines were ellipsized, use -l to show in full.
[3] Some SysV services remain; they are controlled with chkconfig as shown below
[root@vdevops ~]# chkconfig --list
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.
If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
5. Update the system and add other repositories
yum update -y
Add other repositories
Add some useful external repositories so that useful software can be installed
[1] Install the priorities plugin so that each installed repository can be given a priority.
[root@vdevops ~]# yum -y install yum-plugin-priorities
# Set the priority of the official repositories to [priority=1]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=1/g" /etc/yum.repos.d/CentOS-Base.repo
[2] Add the EPEL repository provided by the Fedora project
[root@vdevops ~]# yum -y install epel-release
# Set priority [priority=5]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=5/g" /etc/yum.repos.d/epel.repo
# Set enabled=0 so the repository is only used when you enable it explicitly while installing a package
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo
# With [enabled=0], install packages from it with the following command
[root@vdevops ~]# yum --enablerepo=epel install [Package]
[3] Add the CentOS SCLo software collection repositories.
[root@vdevops ~]# yum -y install centos-release-scl-rh centos-release-scl
# Set priority [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# Set [enabled=0]
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# With [enabled=0], use the repositories explicitly with the following commands
[root@vdevops ~]# yum --enablerepo=centos-sclo-rh install [Package]
[root@vdevops ~]# yum --enablerepo=centos-sclo-sclo install [Package]
[4] Add Remi's RPM repository, which provides many useful packages
[root@vdevops ~]# yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
# Set priority [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/remi-safe.repo
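The sed one-liners in [1] to [4] append a fresh "priority=" line under every section each time they run, so a repeated run leaves duplicate keys. The following is an added example, not code from the original article: it sets a key per section idempotently, replacing an existing value and inserting only where the key is missing. The sample .repo file is constructed in the layout of epel.repo, not copied from the real file.

```shell
#!/bin/sh
# Added example: idempotently set "priority=N" or "enabled=0|1" in every
# [section] of a yum .repo file.

# repo_set_key FILE KEY VALUE: replace an existing KEY= line in each section,
# or insert KEY=VALUE right after the section header when the section has none.
repo_set_key() {
    f=$1
    awk -v key="$2" -v val="$3" '
        # Print the buffered section; add KEY=VALUE after its header if it had none.
        function flush(   i) {
            for (i = 1; i <= n; i++) {
                print buf[i]
                if (i == 1 && insec && !seen) print key "=" val
            }
            n = 0; seen = 0
        }
        /^\[.*\][ \t]*$/ { flush(); insec = 1 }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { $0 = key "=" val; seen = 1 }
        { buf[++n] = $0 }
        END { flush() }
    ' "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"   # cat keeps the file's inode and permissions
}

# Convenience wrappers matching the article's two settings.
repo_set_priority() { repo_set_key "$1" priority "$2"; }
repo_set_enabled()  { repo_set_key "$1" enabled  "$2"; }

# repo_get FILE SECTION KEY: print the value of KEY inside [SECTION] (empty if unset).
repo_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/ { insec = 0 }
        insec && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# Constructed sample in the layout of /etc/yum.repos.d/epel.repo (not the real file).
write_sample_repo() {
    cat > "$1" <<'EOF'
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
enabled=1
gpgcheck=1

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
enabled=0
gpgcheck=1
EOF
}
```

On a real host, `repo_set_priority /etc/yum.repos.d/epel.repo 5` followed by `repo_set_enabled /etc/yum.repos.d/epel.repo 0` reproduces steps [2] of the article and can be re-run safely.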
6. Configure special vim
[1] Install vim
[root @ vdevops ~] # yum -y install vim-enhanced
[2] Set alias
Set the command alias. (The setting below applies to all users; to apply it to a single user, put the same line in "~/.bashrc")
[root@dlp ~]# vi /etc/profile
# Add the following line at the end
alias vi='vim'
[root@dlp ~]# source /etc/profile #Reload
or
echo "alias vi='vim'" >> /etc/profile && source /etc/profile
[3] Configure vim: edit /etc/vimrc for all users, or ~/.vimrc for a specific user
Mainly use syntax highlighting, plug-in use, automatic indentation and other functions. This article will not do detailed operations. A blog post about optimizing the use of vim will be written later.
7. Set up sudo
Configure sudo to separate users' responsibilities. When several people share administrative duties, sudo does not have to be installed by hand, because it is installed by default even with a "minimal installation".
[1] Give an ordinary user all of root's permissions
[root@vdevops ~]# visudo
# Add the following line so that user "wang" has all the permissions of root
wang ALL=(ALL) ALL
# An ordinary user running a root-only command
# Make sure the user is 'wang'
[wang@vdevops ~]$ /usr/bin/cat /etc/shadow
cat: /etc/shadow: Permission denied # denied, as expected
[wang@vdevops ~]$ sudo /usr/bin/cat /etc/shadow
[sudo] password for cent: # the user's own password
daemon:*:16231:0:99999:7:::
adm:*:16231:0:99999:7:::
lp:*:16231:0:99999:7:::
...
...
# Enter wang's password to see the result
[2] Prevent the user from executing dangerous commands
[root@vdevops ~]# visudo
# Line 49: define the alias SHUTDOWN
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init
# Let user wang run everything except the commands in alias SHUTDOWN
wang ALL=(ALL) ALL, !SHUTDOWN
# Note: sudoers(5) warns that subtracting commands from ALL with "!" is not an effective restriction, because it only matches the listed path names; an explicit allow list, as in [3], is the robust form
# Make sure the user is 'wang'
[wang@vdevops ~]$ sudo /sbin/shutdown -r now
Sorry, user cent is not allowed to execute '/sbin/shutdown -r now' as root on vdevops.com. # Denied, as expected
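A small lint for the two rule shapes a reviewer would question in a sudoers file like the one in [1] and [2]: subtracting commands from ALL with "!" and "NOPASSWD: ALL". This is an added example, not code from the original article; it takes a file path so it can run on a copy, and the sample sudoers excerpt is constructed in the shape of this article's rules. On a host, pair it with "visudo -c -f FILE", which checks syntax but not policy.

```shell
#!/bin/sh
# Added example: flag weak sudoers rule shapes. Exit 0 when clean, 1 otherwise.

# sudoers_lint FILE: print "<finding>: <line>" for every hit.
sudoers_lint() {
    awk '
        { l = $0; sub(/#.*/, "", l) }                    # ignore comments
        # user HOST=(runas) [NOPASSWD:] ALL, !Something  -> subtraction from ALL
        l ~ /=[ \t]*(\([^)]*\))?[ \t]*(NOPASSWD:|PASSWD:)?[ \t]*ALL[ \t]*,[ \t]*!/ {
            print "subtracts-from-ALL: " $0; bad = 1
        }
        # any rule granting every command without a password
        l ~ /NOPASSWD:[ \t]*ALL([ \t,]|$)/ {
            print "passwordless-ALL: " $0; bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sudoers excerpt in the shape of this article's rules (not a real file).
write_sample_sudoers() {
    cat > "$1" <<'EOF'
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
wang    ALL=(ALL)       ALL, !SHUTDOWN
%usermgr ALL=(ALL)      USERMGR
deploy  ALL=(ALL)       NOPASSWD: ALL
Defaults syslog=local1
EOF
}
```

The root rule and the %usermgr allow list pass; the wang rule from [2] and the constructed deploy rule are reported.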
[3] Create a special group whose members can execute some root commands
[root@vdevops ~]# visudo
# Line 51: define the alias USERMGR for several user-management commands
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
# Add at the last line
%usermgr ALL=(ALL) USERMGR
# Note: as written, USERMGR allows passwd with any argument, including the root account; the sudoers(5) example narrows this with "!/usr/bin/passwd root"
[root@vdevops ~]# groupadd usermgr
[root@vdevops ~]# usermod -aG usermgr wang #-a keeps wang's existing groups (wheel from section 1); -G alone would replace them
# Make sure the user is wang
[wang@vdevops ~]$ sudo /usr/sbin/useradd testuser
#Enter wang's password; the user is created successfully
[wang@vdevops ~]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[4] Set up sudo log
Sudo's logs go to /var/log/secure together with many other kinds of messages. To keep only sudo's logs in a file of their own, configure the following:
[root@vdevops ~]# visudo
# Add at the last line
Defaults syslog=local1
[root@vdevops ~]# vi /etc/rsyslog.conf
# Modify line 54: add local1.none so the sudo messages are not also written to /var/log/messages
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages
# Add the following line
local1.* /var/log/sudo.log
[root@vdevops ~]# systemctl restart rsyslog #Restart the rsyslog service
The above is the post-installation setup for CentOS 7 that the editor has introduced to you; I hope it is helpful. If you have any questions, please leave a message. Thank you very much for your support of the Yunqi community website!