CentOS is a system that is highly recommended for building servers in linux. it is generated by RedHatEnterpriseLinux according to Open-source regulations to remove non-open-source software, it can be said that it is a good choice for stability and cost considerations. Although security is critical to servers
CentOS is a highly respected system for building servers in linux. it is generated by Red Hat Enterprise Linux in accordance with open-source regulations to remove non-open-source software, it can be said that it is a good choice for stability and cost considerations.
Although security is crucial to servers, in the following learning stage, we only use ease of use as the main indicator, interspersed items will explain where we should consider security issues during real operation.
After installing the system, first disable SELinux, which is a function to enhance security, will bring unnecessary trouble for beginners in the learning process, and it is not too late to study later.
Set the file to/etc/syscofig/selinux and change SELINUX = enforcing to SELINUX = disabled.
I. network configuration
Nic configuration file location:/etc/sysconfig/network-scripts
Common Nic: ifcfg-eth0
Wireless Network Adapter: ifcfg-wlan0
Configuration method: Static IP and dynamic IP
Automatic Acquisition (DHCP ):
DEVICE = eth0TYPE = EthernetHWaddr 08: 00: 27: 70: 2A: 32 // MAC address UUID = 273e13cd-70cf-4a90-b3b0-f515c79ec09bONBOOT = yesNM_CONTROLLED = noBOOTPROTO = dhcp
Static IP:
DEVICE = eth0HWADDR = 08: 00: 27: 70: 2A: 32 ONBOOT = yesIPADDR = 192.168.1.106 // The static IP address BOOTPROTO = static // is opposite to dhcp. obtain the protocol, set it to none. NETMASK = 255.255.255.0TYPE = EthernetGATEWAY = 192.168.1.1DNS1 = x. x // modify IPV6INIT = no // static IPV6 according to the actual situation.
The DNS configuration file is/etc/resolv. conf.
Network service management command: service network {start | stop | status | restart | reload | force-reload}
Of course, if you think file configuration is not easy to operate, you can also install GUI software:
Sudo yum-y install setuptool ntsysv system-config-firewall-tui system-config-network-tui
Run setup to start graphical configuration.
PS:
1. disable the ping command, that is, the ICMP protocol: echo "1">/proc/sys/net/ipv4/icmp_echo_ignore_all is enabled to 0.
2. add another IP address for a single NIC: ifconfig eth0: 0 192.168.1.106 up // The third IP address is eth0: 1.
Delete: ip addr delete 192.168.1.106 dev eth0 // This method is dynamically added. restart the NIC and the configuration becomes invalid.
View ip: ip addr show or ifconfig
The static method is to create/etc/sysconfig/network-scripts/ifcfg-eth0: 0
The configuration file content is only the ifcfg-eth0, and only the IP address bound to IPADDR is different
3, dual Nic, here should know, the second Nic is eth1, the configuration file is ifcfg-eth1, the content is the same as eth0
If you want to configure a server load balancer with a dual Nic, you can set it through the ifcfg-bond0
// Ifcfg-eth0DEVICE = eth0 // The eth1 configuration file is set to eth1ONBOOT = yesBOOTPROTO = none // static also line USERCTL = noMASTER = bond0 // The configuration is handed over to bond0 unified setting SLAVE = yes
//bond0DEVICE=bond0ONBOOT=yesIPADDR=192.168.1.105BOOTPROTO=noneNETMASK=255.255.255.0GATEWAY=192.168.1.1DNS1=x.x.x.x
/// Etc/modprobe. confalias bond0 bondingoptions bond0 miimon = 100 mode = 1 // miimon indicates that the network is checked once every MS of Time // mode has 0: balance-rr load balancing 1: active-backup only works for NICs, automatic disconnection switch 2: balance-xor fault tolerance 3: all network adapters of broadcast receive data packets
4. disable IP6 (for large-scale use, disabling can improve network efficiency ):
Modify/etc/modprobe. d/dist. conf
Adding: alias net-pf-10 off
Alias ipv6 off
Reboot
II. FTP
The next step is the file sharing and Transmission Content. The first step is the installation and configuration of vftpd.
Vsftpd (Very Secure FTP Daemon)
Rpm-qa | grep vsftpd Check installation or not
Installation method: yum install vsftpd-y
PS: The Cetos firewall is configured using iptables to manage which ports are enabled,
The check command is netstat-ntlp | grep xxx (it can be a port number or a program name)
Disable service iptables stop
Adding a configuration item is also simple:/etc/sysconfig/iptables
Add two:
-A input-m state -- state NEW-m tcp-p tcp -- dport 21-j ACCEPT
Service iptables restart
The listener is started. next we will start to set vsftpd.
My configuration file is provided:
Anonymous_enable = YES // Anonymous Login is allowed, that is, no password is required. the shared file is/var/ftp/publocal_enable = YES // User account login is allowed, that is, the shared directory is/home/user folder chroot_local_user = YES // prohibit users from switching directories. Otherwise, an account can access other user directories listen = YESpam_service_name = vsftpduserlist_enable = YES/blacklist settings, in the/etc/vsftpd/user_list file, tcp_wrappers = YES/YES indicates that the IP address is restricted. The setting is in the/etc/hosts file. deny and/etc/host. in allow, local_max_rate = 300000 sets the upload/download speed to 300kuser_config_dir =/etc/vsftpd/limit //. This allows you to configure the upload/download speed of a special user. It creates a file with the user name, and adds local_max_rate = 500000. Special treatment for this user. Idle_session_timeout = 30 // 30 seconds without any operation, automatic disconnection.
Note: the comment here should be #, which is to make the content more compact, so do not copy and paste it. it is best to understand it.
There are several other configurations to add,
Pasv_enable = no // set the main mode or passive mode. if the mode is passive, check the form of the ftp client. However, it seems that ftp access in the browser still requires active mode, but most clients still adopt passive mode.
Listen_port = xx // modify the listening port.
Max_per_ip = 3 // A maximum of three ip connections are allowed.
Chroot_list_enables = YES // The Directory cannot be switched for specific users. the configuration file is in/etc/vsftpd/chroot_list, and the Directory cannot be switched with chroot_local_user.
SSL/TLS encrypted transmission, which is generally unnecessary.
Openssl needs to be installed. the method is not to mention. run rpm-qa to check whether yum install is not installed.
Here we will briefly introduce ssl, what is the secure transport layer of ssl (security socket layer), which is a layer of protocol between HTTP and TCP. why should we add this layer of protocol, because HTTP is transmitted in plain text, it means that if the data packet is intercepted, the information is directly leaked, so such an encryption layer is added.
Certificate Authority: CA is the issuing Authority of the certificate. A digital certificate is issued to each user who uses a public key. The role of a digital certificate is to prove that the user listed in the certificate legally owns the public key listed in the certificate. The digital signature of the CA prevents the attacker from forging or tampering with the certificate. It is responsible for generating, allocating, and managing digital certificates required by all individuals involved in online transactions. Therefore, it is the core part of secure electronic transactions. (From wiki)
Public/private key: either the encryption key or the decryption key, that is, the public key, is used for encryption. to parse this information, you can only use the private key, which is also called asymmetric encryption.
Generally, the public key is attached to a digital certificate (ca), and the certificate is verified to be owned by the current server based on the digital signature.
The main principle is to use certificates and keys. The process is as follows:
First, the Client sends a connection request (https) to the Server. the Server accepts the information and returns its own certificate with the public key.
The Client verifies whether the certificate is issued by the ca and then uses the public key to encrypt its session key information and returns it to the Server.
After receiving the message, the Server uses its own private key to decrypt and obtain and generate a session key. Then both parties use the negotiated key to encrypt the communication.
Create a CA certificate (not verified ):
Cd/etc/pki/tls/certs
Sudo openssl req-x509-nodes-newkey rsa: 1024-keyout vsftpd. pem-out vsftpd. pem
Enter the country, company, host name, email, and other information as Prompted. vsftpd. pem is generated in the current folder.
Sudo chmod 600 vsftpd. pem
Add the following lines to vsftpd. conf:
Rsa_cert_file =/etc/ki/tls/certs/vsftpd. pem
Ssl_enable = YES
Force_local_data_ssl = YES
Force_local_logins_ssl = YES
Service vsftpd restart
Service vsftpd {start | stop | restart | reload}
To access: ftp: user: password @ ip in the browser
III. samba file server
Samba is used to share files between windows and linux, such as creating network neighbors, uploading documents, movies, and sharing printers.
Install samba (rpm-qa | grep samba yum-y install samba-client)
Create a shared directory:
Mkdir share
Chown nobody: nobody share permission
Samba configuration file:/etc/samba/smb. conf
Security = share // share indicates anonymous logon, that is, account and password are not required. the default value is "user", indicating that account and password are required for logon. Passdb backend = tdbsam // if it is a user above, it is required. if it is a share, comment and add # workgroup = WORKGROUP // to indicate the user group, such as the user group in windows, change to this server string = Samba Server Version % v // The information displayed when you connect. netbios name = MyServer indicates the name displayed on windows; otherwise, the ip address is displayed. [Share] comment = share folder // description path =/home/share // shared folder path read only = no // readable writable guest OK = yes // support for guest browseable = yes // You can browse public = yes // if share is used, add this line. if it is in user mode, comment this line. # Valid user = @ aa // if it is a user and only some users are allowed to access it, add this line.
For [printers] shared printing, the default setting is OK.
Service smb start // start the daemon and core services
Service nmb start // image domain name resolution
Open Firewall (Port 139,445)
Test: testparm
Enter // IP address on windows, or a connection will appear in the resource manager-network.
For access on linux, you can use smbclient
Smbclient-L // The IP address indicates that an online host exists.
Smbclient // if the IP address is share, enter the password and press enter.
Smbclient // IP-U username % passwd // if it is in user mode, enter the user password to log on
View other smbclient -- help
For the user mode, samba V3.
In user mode, samba v3 uses the tdbsam database instead of the file management user and password.
Command: pdbedit-L (Lw/Lv) to list users
Pdbedit-a xx add xx user // first add a user in the system through ueradd and have the user's home directory in the home.
Pdbedit-x xx delete xx users
Pdbedit-c "[D]"-u xx temporarily disables xx users
Pdbedit-c "[]"-u xx restore xx users
If you want to mount a shared network folder to a directory in Linux, the command is
Sudo mount-t cifs // IP/share/mnt/
If you want to perform graphical management, try the SWAT-Samba WEB management tool.
PS: part of the content is taken from the "CentOS 6.x system management practices"