Linux knowledge point details, linux knowledge points

Source: Internet
Author: User
Tags: ssh access

1. My Linux requirements

This section is about my requirements for production (online) Linux machines, so I only discuss stable releases and a fairly conservative version. For example, the xfs default of CentOS 7 is not discussed. It is not that xfs is bad, but that handling xfs properly would need a lot of new knowledge at my current level of Linux, and that takes time. CentOS 7 also no longer installs ifconfig, netstat and other familiar commands by default (they are deprecated in favour of ip and ss from iproute2). So the basic requirements below are based on CentOS 6.

1.1 minimal installation

CentOS offers a minimal install that leaves out many services found in the standard install, such as NetworkManager. After a minimal install the network has to be configured by hand, by editing the configuration files. I personally think that is better, because it shows which configuration files the system really reads and which changes take effect directly. Any monitoring tools that are still needed can be added with yum install. The standard install is more suitable for practice. For a production machine, install the minimum, disable every service that is not needed and close every port that can be closed. That not only leaves the valuable hardware resources to the applications but also makes the machine safer, because attacks come in over the network.

1.2 Secure enough

Besides closing ports and disabling unneeded services, security also means that a given service may access only the resources it needs. This should hold even for root: a compromised service running as root must still be unable to read or operate on files it was never meant to touch, because it is quite possible that an attacker ends up with root privileges, and there is basically no legitimate reason for a service to reach outside its own resources. With SELinux enabled, the targeted policy shipped with CentOS already confines each service to the resources it is supposed to use, so this usually works without writing any policy yourself.

1.3 Resource Scheduling On Demand

A common problem: the disk sda is mounted on /var, and the disk fills up because of logs or uploaded files. After adding a disk sdb, you cannot simply mount it on /var as well. Linux LVM solves exactly this, and CentOS manages disks with LVM by default. We need to learn how to set up a disk as an LVM physical volume and mount a logical volume on the corresponding directory; then a disk can be added before the space runs out and the volume and its filesystem extended, without taking the directory offline.

1.4 Network Monitoring

Bluntly: make good use of iptables on the Linux host itself to decide which traffic a service may receive and which traffic is dropped, and use a router as the gateway when building the network. When there are network problems, use netstat to look for abnormal connections. Networking is a large and messy subject (parameters, the TCP/IP stack, and so on), but problems very often lie in the network, so it deserves serious attention.

2 Concepts and basics of Linux

I admire Linux, for example Jiang Shui ^_^. I want to talk about some points about Linux.

2.1 Linux File System

Linux treats everything as a file; that is well known. What I want to point out is that apart from the traditional ext filesystems, Linux has a different filesystem for each kind of resource it abstracts, each driven by its use. For example, the proc filesystem is an abstraction of the kernel and of processes: writing to the corresponding file changes the behaviour of the process or the kernel directly. Another example: Linux has the devpts filesystem, which provides the pseudo-terminal (pts) devices used by remote ssh sessions.

2.2 Linux permission management

The Linux rwxrwxrwx permission model is also well known. Linux itself is aware of the limits of this model: rwx permissions are based on users and groups and distinguish only three classes, owner, group and other, which cannot be subdivided any further. For this reason Linux also supports POSIX Access Control Lists (ACLs), on ext3/ext4 via the acl mount option (a default mount option on filesystems created by the CentOS 6 installer). An ACL allows finer-grained management, for example granting a specific named user a specific set of permissions. Example:

getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:r-x
group::r--
mask::r-x
other::r--

The mask entry caps the effective permissions of every named user, of every group entry and of the owning group; only the owner (user::) and other entries are unaffected by it.
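The mask is what makes ACL listings confusing in practice, so here is an added example (not from the original article): a POSIX shell/awk tool that parses getfacl output, computes the effective permission of every entry, and answers a yes/no question for a given user. The getfacl text it works on is constructed for this example (the listing above with the mask lowered to r-- so that the effect is visible); no real file is touched.

```shell
#!/bin/sh
# Added example, not from the original article: compute the EFFECTIVE
# permission of every entry in getfacl(1) output.  POSIX ACLs apply the
# mask entry to named users (user:name:), to the owning group (group::)
# and to named groups (group:name:); the owner (user::) and other:: entries
# are never masked.  SAMPLE_ACL is constructed for this example.

SAMPLE_ACL='# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:r-x
group::r--
mask::r--
other::r--'

# acl_effective: reads getfacl text on stdin, prints "<entry> effective=<perm>"
acl_effective() {
    awk '
    # bitwise AND of two rwx strings, e.g. perm_and("r-x", "r--") -> "r--"
    function perm_and(a, b,    i, c, out) {
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr(a, i, 1)
            out = out ((c != "-" && c == substr(b, i, 1)) ? c : "-")
        }
        return out
    }
    /^#/ || /^$/ { next }                     # skip the "# file:" header lines
    {
        sub(/[ \t]+#effective:.*$/, "")       # drop the hint getfacl itself appends
        lines[++n] = $0                       # keep order; the mask may come later
        split($0, f, ":")                     # tag:qualifier:perms
        if (f[1] == "mask") mask = f[3]
    }
    END {
        for (i = 1; i <= n; i++) {
            split(lines[i], f, ":")
            tag = f[1]; qual = f[2]; perm = f[3]
            if (mask != "" && (tag == "group" || (tag == "user" && qual != "")))
                eff = perm_and(perm, mask)
            else
                eff = perm
            printf "%s effective=%s\n", lines[i], eff
        }
    }'
}

# acl_can WHO BIT: does WHO (owner | user:NAME | group | group:NAME | other)
# effectively hold permission BIT (r, w or x)?  Reads getfacl text on stdin,
# returns 0 for yes, 1 for no (also 1 when there is no such entry).
acl_can() {
    who=$1 bit=$2
    case $who in
        owner) entry="user::" ;;
        other) entry="other::" ;;
        group) entry="group::" ;;
        *)     entry="$who:" ;;
    esac
    acl_effective | awk -v e="$entry" -v b="$bit" '
        index($0, e) == 1 { found = 1; sub(/.*effective=/, ""); ok = index($0, b) > 0 }
        END { exit (found && ok) ? 0 : 1 }'
}

# Show the effective permissions of the constructed sample.
printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

On a real system run `getfacl /path | acl_effective`; the point to take away is that `setfacl -m u:johny:rwx` is silently reduced by the mask, which setfacl recalculates unless `-n` is given.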

SELinux does not provide user- and group-based permission management. SELinux works with applications (processes) and the resources each application may use: what this program may do with which resources, that is SELinux's management model.

2.3 Service on Linux

Services on Linux are clearly organised, partly by tradition. /etc/init.d/ contains the start scripts of all services. The corresponding binaries live in /usr/bin, /usr/sbin, /usr/local/bin and similar directories, the configuration files are usually under /etc/app_name, and the chkconfig tool manages which services start in each runlevel. This convention makes configuration easy for administrators. A standard Linux service logs through syslog to /var/log/messages, so the administrator does not need to read many different logs: the vast majority of messages can be found in /var/log/messages to tell whether the system is healthy. Better still, since syslogd was replaced by rsyslogd, the contents of /var/log/messages can be forwarded over UDP to a remote host for analysis with a proper log analysis tool (plain UDP syslog is lossy and unauthenticated, so for anything that matters rsyslog's TCP or TLS forwarding is the better choice). We should learn from these good habits and techniques of Linux services.

3 Disk

Following the requirements of section 1, this section covers creating Linux LVM volumes and some basic disk operations.

df -lah: view disk usage.

fdisk -l: list the disks attached to the system. Devices are named sd(a, b, c) followed by a partition number (1, 2, 3, ...): a is the first disk, b the second, and 1, 2, 3 are the primary partitions on that disk, at most four. Use fdisk to create partitions on a disk and then format them.

LVM (Logical Volume Manager) mainly makes it possible to add a disk and keep writing data before the existing disk fills up and writes start to fail. LVM has a few concepts: PV (physical volume), VG (volume group) and LV (logical volume). Set the disk (or partition) up as an LVM physical volume, create a VG, add the PV to the VG, then create an LV in the VG; afterwards the LV can be grown dynamically. Note that the disk itself is only marked for LVM; the LV must still be formatted with an ext filesystem before it can be mounted. Refer to the CentOS 6 volume group hard disk mounting tutorial for the details.

mount -t type (ext4 | nfs) /dev/sdXn /path/dir mounts a filesystem. For the mount to survive a reboot, write the entry to /etc/fstab.

Disk I/O throughput and IOPS can be observed with tools such as vmstat, iostat (from sysstat) and top.
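The whole procedure (disk to PV, PV to VG, LV in the VG, filesystem, mount, fstab entry, and later growing the LV when a second disk is added) as an added example that is not from the article: a plan/apply shell script that prints the commands in the order they must run and executes them only when APPLY=1 is set, so the plan can be reviewed first. The device /dev/sdb, the names vg_main and lv_var and the mount point /var are assumptions. It also goes a little beyond the CentOS 6 ext default by handling xfs growth.

```shell
#!/bin/sh
# Added example, not from the original article: the LVM procedure as a
# plan/apply script.  Each function prints the commands in the order they
# must run; run_plan executes them only when APPLY=1, so the plan can be
# reviewed first.  Device, VG, LV and mount point names are assumptions.

# lvm_create DISK VG LV SIZE MOUNTPOINT: first-time setup of a volume.
# The disk becomes a PV, the PV goes into a new VG, an LV is carved out of
# the VG, and only the LV is formatted and mounted.
lvm_create() {
    disk=$1 vg=$2 lv=$3 size=$4 mnt=$5
    dev="/dev/$vg/$lv"
    printf '%s\n' \
        "pvcreate $disk" \
        "vgcreate $vg $disk" \
        "lvcreate -L $size -n $lv $vg" \
        "mkfs.ext4 $dev" \
        "mkdir -p $mnt" \
        "mount -t ext4 $dev $mnt" \
        "echo '$dev $mnt ext4 defaults 1 2' >> /etc/fstab"   # survive a reboot
}

# lvm_grow DISK VG LV FSTYPE MOUNTPOINT: add a new disk to an existing VG,
# hand all of its space to the LV, then grow the filesystem on top.  Order
# matters: PV -> VG -> LV -> filesystem.  ext3/ext4 and xfs grow while mounted.
lvm_grow() {
    disk=$1 vg=$2 lv=$3 fstype=$4 mnt=$5
    dev="/dev/$vg/$lv"
    case $fstype in
        ext2|ext3|ext4) grow="resize2fs $dev" ;;     # grows to the LV size
        xfs)            grow="xfs_growfs $mnt" ;;    # xfs is grown via its mount point
        *) echo "lvm_grow: don't know how to grow a $fstype filesystem" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "pvcreate $disk" \
        "vgextend $vg $disk" \
        "lvextend -l +100%FREE $dev" \
        "$grow"
}

# run_plan: reads a plan on stdin; echoes each command, or runs it through
# sh -c when APPLY=1 (must be root).  Stops at the first failing command.
run_plan() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            echo "+ $cmd"; sh -c "$cmd" || return 1
        else
            echo "$cmd"
        fi
    done
}

# Review the plan for growing /var (no changes are made without APPLY=1):
lvm_grow /dev/sdb vg_main lv_var ext4 /var | run_plan
```

Check with `lvs` and `df -h /var` afterwards; if `pvcreate` complains that the disk already carries a partition table or filesystem signature, that is the safety check you want, not something to force past.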

4 Network

There are many pitfalls in networking, and even after 3 or 4 years it is hard to have it fully under control. We start from the basic network configuration files to get a rough understanding. The hardest part of networking is designing a reasonable and efficient LAN or MAN, which requires professional network knowledge.

4.1 configuration file

/etc/hosts: maps private IP addresses to host names.

/etc/resolv.conf: nameserver <dns ip address>.

/etc/sysconfig/network: NETWORKING= whether networking is enabled, HOSTNAME= host name, NETWORKING_IPV6= whether IPv6 is enabled.

/etc/sysconfig/network-scripts/ifcfg-xxx: DEVICE= interface name, BOOTPROTO= dhcp or static, plus HWADDR, IPADDR, NETMASK, ONBOOT and GATEWAY.

4.2 Some network-related commands

route -n shows the routing table. In the Flags column, G marks a route through a gateway and U marks a route that is up.

netstat -anp shows all TCP, UDP and Unix sockets together with their state and owning process. For details, refer to the article on a simple analysis of TCP/IP and sockets.

5. Security

5.1 PAM

PAM stands for Pluggable Authentication Modules. As I understand it, it is a set of reusable components written by Linux developers. For example, if an application wants to verify whether the current login user is allowed to operate on a directory, there is a ready-made PAM module: the application only needs to use that module and ship a configuration file. There is a very good video tutorial on PAM; please refer to it here.

Applications use PAM for authentication. Early on, authentication was coupled to the application itself; later it was separated out and managed through PAM.

/etc/pam.d/xxx is the PAM configuration of an application managed by PAM; it is installed together with the application. The configuration files under /etc/security/ and the modules /lib/security/pam_mmm.so (/lib64/security/ on 64-bit systems) belong together.

In general, PAM relies on the mechanisms provided by the Linux system (such as /etc/passwd and /etc/shadow) for the actual verification.

5.2 SELinux

There is also a very good video tutorial on SELinux; please refer to it here.

getenforce shows whether SELinux is enabled (Enforcing, Permissive or Disabled).

/etc/sysconfig/selinux: SELINUX=enforcing enables SELinux permanently (setenforce 1 switches to enforcing mode at runtime, as long as SELinux was not disabled at boot).

SELinux is configured and checked on the "running program" (the subject) and its permission to operate on an "object" such as a file, while ordinary rwx permissions and ACLs are decided by the file's owner and group. SELinux checks whether the type (label) of the process is allowed to access the type of the file or directory, and that decides whether the program may operate on the resource.

5.3 Firewall

iptables is a big subject as well, so what follows are notes from my learning process. One point to get right: the kernel parameter net.ipv4.ip_forward = 1 (set in /etc/sysctl.conf and applied with sysctl -p) is only needed when the machine forwards IP packets from one interface to another, for example from eth0 (192.168.1.10) to eth1 (10.0.0.123), i.e. when it acts as a router or NAT gateway. On an ordinary server it should stay at 0. Professional firewall configuration requires professional skills.

tcp_wrappers requires libwrap.so support: a daemon that does not show libwrap in its ldd output cannot be controlled through /etc/hosts.allow and /etc/hosts.deny.

iptables rules are evaluated in order and short-circuit: the first rule whose conditions match decides, its action is taken, and for a terminating target (ACCEPT, DROP, REJECT) evaluation of that chain ends.

iptables-save gives a clearer view of the current rules.

It is simplest to delete all rules first and then add them back. When adding, set the chain policies first, then the detailed rules. In general the INPUT and OUTPUT chains of the filter table are what need attention.

iptables -A (or -I) INPUT (OUTPUT, FORWARD) -i (or -o) iface -p tcp (udp, icmp, all) -s (!) source -d dest -j ACCEPT (REJECT, DROP); --dport and --sport are also supported together with -p tcp or -p udp.
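Because evaluation short-circuits, the order of rules decides everything, and a rule placed after a catch-all REJECT is simply dead. As an added example (not from the article) here is a shell/awk linter over iptables-save output that reports rules shadowed by an earlier terminating catch-all in the same chain, and service rules placed before the RELATED,ESTABLISHED rule. The two rulesets it is run on are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: a small linter for
# iptables-save output.  It flags (1) rules that can never match because an
# earlier rule in the same chain has no match criteria and a terminating
# target, and (2) per-service ACCEPT rules that precede the RELATED,ESTABLISHED
# rule, which costs a full rule walk for every packet of every connection.
# Both rulesets below are constructed for this example.

# The 443 rule sits after a catch-all REJECT and is unreachable.
BAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT'

GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# iptables_lint: reads iptables-save text on stdin, prints one finding per
# line, exits 1 if there was any finding and 0 if the ruleset is clean.
iptables_lint() {
    awk '
    /^\*/ || /^:/ || /^#/ || /^COMMIT/ { next }      # table, policy, comment lines
    $1 == "-A" {
        chain = $2
        if (dead[chain])
            { print "unreachable (after catch-all in " chain "): " $0; n++ }
        # a rule whose first option is -j has no match criteria at all; with a
        # terminating target it ends the chain for every packet that reaches it
        if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
            dead[chain] = 1
        if ($0 ~ /--dport/ && $NF == "ACCEPT" && !seen_est[chain])
            { print "service rule before RELATED,ESTABLISHED in " chain ": " $0; n++ }
        if ($0 ~ /ESTABLISHED/) seen_est[chain] = 1
    }
    END { exit n ? 1 : 0 }'
}

# Run it on the constructed rulesets; on a live host use: iptables-save | iptables_lint
printf '%s\n' "$BAD_RULES" | iptables_lint
printf '%s\n' "$GOOD_RULES" | iptables_lint && echo "GOOD_RULES: clean"
```

The linter only knows about rules with no match at all; a rule shadowed by an earlier rule with a broader match (two `-p icmp` rules with different limits, for example) still needs a human eye.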

6 tools

For a good reference on Linux commands, refer to the website.

6.1 CPU

top: pay special attention to the load average.

ps aux and ps -ef: pay special attention to the process state.

vmstat 1: sample once per second.

sar -u 1: CPU utilisation (user, system, iowait, idle) sampled every second.

6.2 Memory

free

vmstat 1: watch the relationship between swap, memory (free, buff, cache) and blocks in/out.

sar -r 1: memory usage.

sar -W 1: swapping activity; check whether heavy swapping is caused by insufficient memory.

6.3 IO

lsof -i :port: which process is using this port.

lsof -u username: files opened by the user.

lsof -p pid: files opened by the process.

Miscellaneous

Here is a reference script to run once, right after the system is installed.

#!/bin/bash
# Post-install initialisation script for CentOS 6 (the listing was flattened
# onto a few lines; heredoc markers and spacing restored, see comments).
flagFile="/root/centos6-init.executed"

banner(){
    printf "\033[32m================%40s================\033[0m\n" "$1"
}

precheck(){
    if [[ "$(whoami)" != "root" ]]; then
        echo "please run this script as root." >&2
        exit 1
    fi
    if [ -f "$flagFile" ]; then
        echo "this script has already been executed, please do not execute it again!!" >&2
        exit 1
    fi
    echo -e "\033[31m WARNING! THIS SCRIPT WILL \033[0m\n"
    echo -e "\033[31m *1 update the system; \033[0m\n"
    echo -e "\033[31m *2 setup security permissions; \033[0m\n"
    echo -e "\033[31m *3 stop irrelevant services; \033[0m\n"
    echo -e "\033[31m *4 reconfig kernel parameters; \033[0m\n"
    echo -e "\033[31m *5 setup timezone and sync time periodically; \033[0m\n"
    echo -e "\033[31m *6 setup tcp_wrapper and netfilter firewall; \033[0m\n"
    echo -e "\033[31m *7 setup vsftpd; \033[0m\n"
    sleep 5
}

yum_update(){
    yum -y update
    # update the system at 03:40 every day
    echo "40 3 * * * root yum -y update && yum clean packages" >> /etc/crontab
}

permission_config(){
    # Left as a placeholder in the original.  An immutable /etc/shadow or
    # /etc/passwd also breaks passwd(1) and useradd(1), hence commented out.
    #chattr +i /etc/shadow
    #chattr +i /etc/passwd
    :   # a function body may not be empty
}

selinux(){
    # /etc/sysconfig/selinux is a symlink to /etc/selinux/config; sed -i on
    # the symlink replaces the link with a copy and leaves the real file
    # untouched, so edit the target directly.
    sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
    # setenforce fails when SELinux was disabled at boot; the reboot at the
    # end applies the setting.  Files written while SELinux was disabled
    # carry no labels, so request a full relabel on the next boot, otherwise
    # the targeted policy denies services access to their own files.
    setenforce 1 2>/dev/null || true
    touch /.autorelabel
}

stop_services(){
    # Turns off everything enabled in runlevel 3 (this includes auditd,
    # lvm2-monitor and udev-post) and re-enables only the daemons listed
    # below; review the list for your own needs.
    for server in $(chkconfig --list | grep 3:on | awk '{print $1}')
    do
        chkconfig --level 3 "$server" off
    done
    for server in crond network rsyslog sshd iptables
    do
        chkconfig --level 3 "$server" on
    done
}

limits_config(){
    cat >> /etc/security/limits.conf <<EOF
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
EOF
    echo "ulimit -SH 65535" >> /etc/rc.local
}

sysctl_config(){
    sed -i 's/net.ipv4.tcp_syncookies.*$/net.ipv4.tcp_syncookies = 1/g' /etc/sysctl.conf
    # ip_forward=1 is only needed when this host routes packets between
    # interfaces; on an ordinary server leave it at 0 (see section 5.3).
    sed -i 's/net.ipv4.ip_forward.*$/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
    # tcp_tw_recycle breaks clients behind NAT and depends on tcp_timestamps,
    # which is switched off below; it was removed from the kernel in 4.12.
    cat >> /etc/sysctl.conf <<EOF
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.ip_local_port_range = 1024 65535
EOF
    sysctl -p
}

sshd_config(){
    if [ ! -f "/root/.ssh/id_rsa.pub" ]; then
        mkdir -p -m 700 /root/.ssh      # ssh-keygen does not create the directory
        ssh-keygen -t rsa -P '' -f /root/.ssh/id_rsa
        cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
        chmod 600 /root/.ssh/authorized_keys
    fi
    # Password logins are disabled below: copy /root/.ssh/id_rsa to the
    # administrator's workstation (and remove it from the server) before the
    # restart, or root is locked out.
    #sed -i '/^#Port/s/#Port 22/Port 65535/g' /etc/ssh/sshd_config
    # UseDNS yes makes every login wait for a reverse lookup; it only affects
    # host name patterns in authorized_keys and the names in the log.
    sed -i '/^#UseDNS/s/#UseDNS no/UseDNS yes/g' /etc/ssh/sshd_config
    #sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
    # The stock CentOS 6 file reads "#PermitEmptyPasswords no", so this line is
    # a no-op that leaves the (safe) default in place.
    sed -i 's/#PermitEmptyPasswords yes/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
    sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
    /etc/init.d/sshd restart
}

time_config(){
    # timezone
    echo "TZ='Asia/Shanghai'; export TZ" >> /etc/profile
    # sync the clock now and every night at 03:30
    if [ ! -f "/usr/sbin/ntpdate" ]; then
        yum -y install ntpdate
    fi
    /usr/sbin/ntpdate pool.ntp.org
    echo "30 3 * * * root (/usr/sbin/ntpdate pool.ntp.org && /sbin/hwclock -w) > /dev/null 2>&1" >> /etc/crontab
    /sbin/service crond restart
}

firewall_config(){
    # Rules are evaluated top down: loopback and established traffic first,
    # then the services this host offers, then a final reject.  The second
    # icmp rule is shadowed by the first, and the syn-flood chain only ever
    # sees SYNs for ports that are rejected anyway, because 22 and 80 were
    # already accepted above it.
    cat > /etc/sysconfig/iptables <<EOF
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
    /sbin/service iptables restart
    source /etc/profile
}

other(){
    # boot into runlevel 3 (no X)
    sed -i 's/^id:.*$/id:3:initdefault:/' /etc/inittab
    /sbin/init q
    # PS1
    #echo 'PS1="\[\e[32m\][\[\e[35m\]\u\[\e[m\]@\[\e[36m\]\h \[\e[31m\]\w\[\e[32m\]]\[\e[36m\]$\[\e[m\]"' >> /etc/profile
    # Lock an account for 180 s after five wrong passwords.  system-auth is a
    # symlink to system-auth-ac; sed -i turns it into a regular file, which is
    # what PAM reads, but authconfig will no longer manage it.
    sed -i '4a auth required pam_tally2.so deny=5 unlock_time=180' /etc/pam.d/system-auth
}

vsftpd_setup(){
    # Not called from main() in the original.  Note: anonymous_enable=YES
    # allows anonymous read access; with chroot_local_user=YES the users in
    # chroot_list are the ones NOT chrooted; and firewall_config opens neither
    # port 21 nor the passive range 65400-65410.
    yum -y install vsftpd
    mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak
    touch /etc/vsftpd/chroot_list
    setsebool -P ftp_home_dir=1
    cat >> /etc/vsftpd/vsftpd.conf <<EOF
# normal user settings
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
local_max_rate=10000000
# anonymous settings
anonymous_enable=YES
no_anon_password=YES
anon_max_rate=1000000
data_connection_timeout=60
idle_session_timeout=600
# ssl settings
#ssl_enable=YES
#allow_anon_ssl=NO
#force_local_data_ssl=YES
#force_local_logins_ssl=YES
#ssl_tlsv1=YES
#ssl_sslv2=NO
#ssl_sslv3=NO
#rsa_cert_file=/etc/vsftpd/vsftpd.pem
# server settings
max_clients=50
max_per_ip=5
use_localtime=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
tcp_wrappers=YES
#banner_file=/etc/vsftpd/welcome.txt
dual_log_enable=YES
pasv_min_port=65400
pasv_max_port=65410
EOF
    chkconfig --level 3 vsftpd on
    service vsftpd restart
}

main(){
    precheck
    banner "updating the system "
    yum_update
    banner "re-config permission "
    permission_config
    banner "enabling selinux "
    selinux
    banner "stopping irrelevant services "
    stop_services
    banner "/etc/security/limits.conf "
    limits_config
    banner "/etc/sysctl.conf "
    sysctl_config
    banner "sshd re-configuring "
    sshd_config
    banner "configuring time "
    time_config
    banner "configuring firewall "
    # firewall_config
    banner "some other stuff "
    other
    banner "done! rebooting "
    touch "$flagFile"
    sleep 5
    reboot
}
main

 
