Version
Which Linux version is suitable for enterprises and individuals? I think everyone has this problem, me included. Because Linux is open source and customizable, the Linux world is flourishing and all kinds of versions compete for our attention, so it is hard to decide on a suitable one. This also meant that at school I "played" with dozens of Linux versions. Of course, having played with so many versions does not mean much. At least, I later felt that I had wasted a lot of valuable time that could have gone into exploring deeper things.
Let's talk about the versions I have used first. If you like online games and do not like to get hands-on and explore on your own, you can skip this; at least the current Linux world is not suitable for you. I think most people start with Ubuntu when they first come into contact with Linux, attracted by Ubuntu's desktop effects. After installing the system, they keep looking for ways to beautify it and show their desktop to others; don't say that you have never done it. Loving beautiful things is human nature, and no one wants to type at a character-only interface every day. Maybe someone will try it; I have only two words for you: SB. Haha. When you see how beautiful other people's desktops are on the Internet, you make up your mind to tweak your own, so you look up various methods on the Internet, even though some of the commands are too much to remember. After a while, maybe Ubuntu changes its desktop and you want to switch versions for fun, so OpenSUSE, Debian, LinuxMint, ArchLinux, and CentOS become your candidates.
I personally have used Debian the longest. In fact, there is no need to use so many versions. My conclusion is that you should take a closer look at the main branches and learn the package management mechanism and package management tools of each branch of Linux systems. The other parts are similar, and there is no need to spend time on them. I personally recommend Debian and LinuxMint as entry-level systems for the DEB package family. The interface is not too hard to get started with, and you still learn from it, so why not? If you want to learn the RPM package management family, CentOS is preferred. OpenSUSE also uses RPM as its default package format, its interface is very polished, and its package management tool is good, so you can learn it as well, although my personal feeling is that the SUSE family is not widely used in China.
At this "getting started" stage, some people give up because it is too much trouble and run back to Windows. Others persist and go on to manage Linux systems as a career, so let's talk about choosing a version for enterprise use. In China, I still feel that CentOS is very common. Once you have selected a version, it is time to work hard at the technology. When I learned this, I didn't have to install a CentOS on my machine, and I regret it when I accidentally caused the system to collapse or format it, I have no more than four orders because of my base... You can install virtual machines with virtualization software such as VB and VM. Download a minimal version: the fewer things installed, the better. Installing later as requirements arise not only reduces security risks but also avoids inexplicable trouble in the future. Do not blindly pursue new things; after all, stability is the top priority. The stage you are at and the needs you have determine the technology and the architecture.
Connect to the system, which has no graphical interface, through a remote tool. Of course, you must first familiarize yourself with the most basic commands. Start compiling from source and customizing things. Get a LAMP environment running first; otherwise you will be embarrassed to call yourself a system administrator. Then build the various network services found in enterprise environments, such as DNS, Nginx, and LVM. This process takes a certain amount of time. During it you will hit all kinds of errors, copy the error message into Google, and go round in a loop. Of course, do not let it become an endless loop: when all the methods are exhausted, go to the corresponding community and ask. Experts there will be happy to answer, provided that you have done your best first. You must also learn how to ask questions; you can search the Internet for an article on the art of asking questions. Do not post with titles like "begging for a master", "waiting online", and so on. No one owes anyone anything, and most people will glance at such a question and ignore you. In fact, most errors in Linux are indicated by on-screen messages and logs. Many of them have been encountered and shared before, so you have to learn to use search engines well; otherwise, you may not be able to solve your problems.
Finally, be good at summarizing and sharing solutions to help others. The next step is to gain an in-depth understanding of common commands, compilation and installation parameters, security configuration, and optimization. Using commands well gets twice the result with half the effort. I learned more about shell scripts and actual operations. At this point you have more or less got started... That is still just my personal feeling. When we are really engaged in Linux system management, there is suddenly much more that we want to learn. In other words, we need to use our hands and brains more and be good at summarizing.
Security
Security is an eternal topic and a top priority. At this stage you have to learn the principles of attack and defense. When building the overall architecture, first test in a test environment and record the issues you find, because no one can guarantee that a service is completely correct when it is launched, and do not expose error information to customers. Before going online, run security tests on the entire program, for example for common SQL injection and cross-site attacks; many "hackers" can scan a program with a tool. If it is not a program you wrote, you cannot control it, but at least record the findings and report them to the developers. If the tests do not go well, try not to launch it. Unless forced; at least I was forced...
Install protection software such as fail2ban or DenyHosts, check logs regularly, and block abnormal IP addresses. Do not allow the root account to log in to the system directly; create a user with the lowest permissions as the entry point. After using the root account, save the command history records and then clear them; download the backup file and save it by date, or put it in a hidden directory on the server. That way, even after an intrusion, no one else can quickly obtain the relevant information, and the scene can be reconstructed after a command error. Store application logs separately and set permissions on them. Give program files the minimum permissions with which they can run without affecting services, especially upload directories. If conditions allow, put uploads on an independent server and control upload permissions. Regularly compress and back up website access logs, analyze program log files, and identify anomalies.
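The "check logs regularly and block abnormal IP addresses" step can be done by hand with a few lines of shell. This is an added example, not part of the original article; the log lines are constructed samples in the usual OpenSSH syslog wording, and the function name and threshold are assumptions.

```shell
#!/bin/sh
# Added example: list source IPs with repeated failed SSH password logins.
# SAMPLE_LOG is constructed data (documentation-range addresses), not a real log.
SAMPLE_LOG='Mar  3 02:11:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 02:11:03 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40124 ssh2
Mar  3 02:11:06 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  3 02:12:40 web1 sshd[2110]: Failed password for deploy from 198.51.100.23 port 51514 ssh2
Mar  3 02:12:55 web1 sshd[2110]: Accepted password for deploy from 198.51.100.23 port 51520 ssh2
Mar  3 02:15:09 web1 sshd[2120]: Invalid user test from 203.0.113.7 port 40200'

# abnormal_ips THRESHOLD: reads sshd log lines on stdin and prints "COUNT IP"
# for every source with at least THRESHOLD failed password attempts.
abnormal_ips() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # Use the field after the LAST "from": the user name is
            # attacker-controlled and may itself contain "from 10.0.0.1".
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' | sort -rn
}

# Stand-alone run over the constructed sample; on a server, feed the real
# auth log on stdin instead.
printf '%s\n' "$SAMPLE_LOG" | abnormal_ips 3
```

A single failure followed by a successful login, like the `deploy` line in the sample, stays below the threshold and is not reported.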
Reduce the number of front-end entry points. If other machines do not need Internet access, remove it from all of them; do not leave it on. If Nginx or other proxy software is used, leave only one entry machine, do not place any services on it, change passwords regularly, and apply IP-based access policies. Generally, it is easier to use Windows on the entry machine. If you really need to, you can buy a KVM remote control terminal, plug it into the entry machine, and disable all remote connections. This is especially troublesome, but it can save a lot of trouble. No one can make a mistake on the Internet.
Before uploading a program, first delete useless and sensitive information, such as the SVN files in the project. You can use a script for this. If there is anything else of that kind, find it as well. After the other tests are completed, gradually tighten permissions and enable the firewall. During this period you will run into various strange problems caused by permissions and the firewall; solve them one by one. Pay special attention to access control on FTP files and the corresponding directories. If you cannot change the program, you must run security tests and keep records to guard against unexpected attacks. fail2ban can prevent FTP brute-force cracking.
Summary: minimize permissions, install only the software you need, change passwords regularly, analyze logs, and keep snapshots of program files and key system files. You can look these up on Baidu or Google.
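One way to strip the SVN files before upload, as an added example that is not the script the original article linked to. It goes beyond the text by also removing `.git` and `.hg` directories, the function names are assumptions, and it is meant to be run on a copy of the project staged for upload, not on the working copy.

```shell
#!/bin/sh
# Added example: remove version-control metadata from a release copy.

# strip_vcs DIR: delete .svn/.git/.hg directories under DIR and print how
# many were removed.
strip_vcs() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    # -prune stops find from descending into a directory it is about to delete
    count=$(find "$1" -type d \( -name .svn -o -name .git -o -name .hg \) \
                -prune -print | wc -l)
    find "$1" -type d \( -name .svn -o -name .git -o -name .hg \) \
        -prune -exec rm -rf -- {} +
    echo "$count" | tr -d ' '
}

# leftover_vcs DIR: print any metadata paths that still exist (empty = clean).
# Run it as the last check before the upload.
leftover_vcs() {
    find "$1" \( -name .svn -o -name .git -o -name .hg \) -print
}

# Stand-alone demo on a constructed tree in a temporary directory.
demo=$(mktemp -d)
mkdir -p "$demo/site/.svn" "$demo/site/img/.svn" "$demo/site/.git"
echo '<?php echo "ok";' > "$demo/site/index.php"
echo "removed: $(strip_vcs "$demo/site")"
echo "left over: $(leftover_vcs "$demo/site" | wc -l | tr -d ' ')"
rm -rf "$demo"
```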
Backup
Besides security, this is the most important thing. Pay special attention to "high-risk" commands such as rm -rf (I have suffered a big loss), cp -R, sed, \cp -R and so on. Before operating on files or directories, back them up first; otherwise you may not even get the chance to regret it. When you change a file, make two copies, one of which is the backup file, and perform the corresponding operation only after confirmation.
How can we make reasonable backups? It is best to perform a full backup every day or every two or three days; the cycle should not be too long. The naming of backup files and the descriptions of directories are also very "particular". If you back up a single file, I generally follow this format: **original file name-current time-overlay description or time limit.ext**, together with a description file (readme.txt). Even if you do not write it in English, do not enter Chinese characters; you can use Pinyin so that you do not forget what it was. A compressed file follows the same naming rule as a single-file backup. A backup of multiple files is named after the parent directory. It can be stored in a public directory, uploaded to a dedicated backup server, or downloaded to a local directory.
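The naming rule above, together with the "back up before you touch the file" advice, fits in a small helper. This is an added example, not the author's own script; the function names, the timestamp layout and the sample file are assumptions.

```shell
#!/bin/sh
# Added example: "name-time-description.ext" backups made before an edit.

# backup_name FILE DESC [STAMP]: print the backup file name for FILE.
backup_name() {
    base=$(basename -- "$1")
    stamp=${3:-$(date +%Y%m%d%H%M%S)}
    # ASCII only, as the article asks: anything else becomes "_"
    desc=$(printf '%s' "$2" | tr -c 'A-Za-z0-9_.' '_')
    case $base in
        ?*.*) printf '%s-%s-%s.%s\n' "${base%.*}" "$stamp" "$desc" "${base##*.}" ;;
        *)    printf '%s-%s-%s\n' "$base" "$stamp" "$desc" ;;   # no extension
    esac
}

# backup_file FILE DESC [STAMP]: copy FILE next to itself under that name,
# refuse to overwrite an existing backup, verify the copy, print its path.
backup_file() {
    src=$1
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    dst=$(dirname -- "$src")/$(backup_name "$src" "$2" "$3")
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2
        return 1
    fi
    cp -p -- "$src" "$dst" || return 1
    cmp -s "$src" "$dst" || { echo "copy differs: $dst" >&2; return 1; }
    printf '%s\n' "$dst"
}

# Stand-alone demo on a constructed file in a temporary directory.
tmp=$(mktemp -d)
echo 'worker_processes 2;' > "$tmp/nginx.conf"
backup_file "$tmp/nginx.conf" "before gzip change"
rm -rf "$tmp"
```

Edit the original only after `backup_file` has printed the path of the verified copy.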
In-depth
Once you have been working for a while, you need a deeper understanding. What you know now is at most a glimpse of system architecture, security testing, and optimization, all of which need study and practice outside of work. Learn one or more of python, shell, and perl for automation; it is annoying to type commands every time. Of course, the premise is to do enough tests. Learn virtualization platforms such as KVM and XenServer, and it is best to learn more about PHP as well. At least there will be more ways to make a living in the future. Do not always argue about the advantages and disadvantages of languages; it is right to use whatever language you need. What you learn is what others do.