How to initialize CentOS 7 after installation
1. Add a user
Add a new user named "wang"
[root@vdevops ~]# useradd wang    # add the account
[root@vdevops ~]# passwd wang     # set the password
Changing password for user wang.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@vdevops ~]# exit    # log out

Taking user "wang" as the example, make it the only account that can obtain administrator privileges (via su):
[root@vdevops ~]# usermod -G wheel wang
[root@vdevops ~]# vim /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# uncomment the line below
auth            required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so

Set mail forwarding for the root account:
# Person who should get root's mail
# last line: uncomment it and change the user name
root:           wang
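The su restriction above is a two-line edit that is easy to get half right. The following script is an added example, not part of the original post: it uncomments the pam_wheel "required" line idempotently and checks that the "trust" shortcut (which would let wheel members su without root's password) is still commented out. The function names are my own, and the script works on a file path so it can be tried on a scratch copy first.

```bash
#!/bin/sh
# Added example, not from the original post. Works on a file path so it can
# be tried on a scratch copy before touching /etc/pam.d/su on a real host.

# Uncomment "#auth required pam_wheel.so use_uid"; a no-op if already active,
# so it is safe to run repeatedly from a provisioning script.
enable_pam_wheel() {
    file="$1"
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid' "$file" && return 0
    sed -E 's/^#[[:space:]]*(auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid)/\1/' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Succeeds only when su is restricted to the wheel group AND the "trust"
# line (wheel members could su without root's password) is still commented.
check_su_policy() {
    file="$1"
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid' "$file" || return 1
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so[[:space:]]+trust' "$file" && return 1
    return 0
}

# Constructed copy of the relevant lines of a stock CentOS 7 /etc/pam.d/su.
make_sample_su() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient  pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required    pam_wheel.so use_uid
auth        substack    system-auth
EOF
}

# Demo on a temporary copy; nothing on the host is modified.
tmp=$(mktemp -d)
make_sample_su "$tmp/su"
check_su_policy "$tmp/su" && echo "before: su limited to wheel" || echo "before: any user may try su"
enable_pam_wheel "$tmp/su"
check_su_policy "$tmp/su" && echo "after: su limited to wheel" || echo "after: any user may try su"
rm -rf "$tmp"
```

To apply it to a real host, copy /etc/pam.d/su aside, run enable_pam_wheel on the copy, inspect the diff, and only then replace the original.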
2. Set up the firewall and SELinux
[1] Firewall
Check the firewall status
[root@vdevops ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2016-10-26 01:09:49 CST; 1h 36min ago
 Main PID: 744 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─744 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Oct 26 01:09:46 vdevops.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 26 01:09:49 vdevops.com systemd[1]: Started firewalld - dynamic firewall daemon.
Basic firewall operations
[root@vdevops ~]# systemctl start firewalld     # start the firewall
[root@vdevops ~]# systemctl enable firewalld    # start the firewall at boot
By default the "public" zone is applied to the NIC, and the dhcpv6-client and ssh services are allowed.
When working with the firewall-cmd command, a command entered without a --zone=*** specification applies to the default zone.
# show the default zone
[root@vdevops ~]# firewall-cmd --get-default-zone
public
# show the current settings
[root@vdevops ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
# show all zones
[root@vdevops ~]# firewall-cmd --list-all-zones
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
...
# show the services allowed in a specific zone
[root@vdevops ~]# firewall-cmd --list-service --zone=external
ssh
# change the default zone
[root@vdevops ~]# firewall-cmd --set-default-zone=external
success
# change the interface of a specified zone
[root@vdevops ~]# firewall-cmd --change-interface=eth1 --zone=external
success
# show the status of a specified zone
[root@vdevops ~]# firewall-cmd --list-all --zone=external
external (default, active)
  interfaces: eno16777736 eth1
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
# note: changing the interface of a zone requires that the interface actually exists on the system
Show the predefined services
[root@vdevops ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https
# the definition files live in the directory below; to add a new definition, put the corresponding XML file there
[root@vdevops ~]# ls /usr/lib/firewalld/services
amanda-client.xml   freeipa-ldap.xml         ipp.xml           libvirt.xml  pmcd.xml        RH-Satellite-6.xml  tftp-client.xml
bacula-client.xml   freeipa-replication.xml  ipsec.xml         mdns.xml     pmproxy.xml     rpc-bind.xml        tftp.xml
bacula.xml          ftp.xml                  iscsi-target.xml  mountd.xml   pmwebapis.xml   rsyncd.xml          transmission-client.xml
dhcpv6-client.xml   high-availability.xml    kerberos.xml      ms-wbt.xml   pmwebapi.xml    samba-client.xml    vdsm.xml
dhcpv6.xml          https.xml                kpasswd.xml       mysql.xml    pop3s.xml       samba.xml           vnc-server.xml
dhcp.xml            http.xml                 ldaps.xml         nfs.xml      postgresql.xml  smtp.xml            wbem-https.xml
dns.xml             imaps.xml                ldap.xml          ntp.xml      proxy-dhcp.xml  ssh.xml
freeipa-ldaps.xml   ipp-client.xml           libvirt-tls.xml   openvpn.xml  radius.xml      telnet.xml
When you add or remove an allowed service, the change is lost after a reboot. To make the change permanent, add the --permanent option.
# example: add the http service
[root@vdevops ~]# firewall-cmd --add-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh
# remove the http service again
[root@vdevops ~]# firewall-cmd --remove-service=http
success
[root@vdevops ~]# firewall-cmd --list-service
ssh
# add the http service permanently
[root@vdevops ~]# firewall-cmd --add-service=http --permanent
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-service
http ssh
Add and remove ports
[root@vdevops ~]# firewall-cmd --add-port=465/tcp    # add a port
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp
[root@vdevops ~]# firewall-cmd --remove-port=465/tcp    # remove the port
success
[root@vdevops ~]# firewall-cmd --list-port
[root@vdevops ~]# firewall-cmd --add-port=465/tcp --permanent    # add the port permanently
success
[root@vdevops ~]# firewall-cmd --reload
success
[root@vdevops ~]# firewall-cmd --list-port
465/tcp
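A runtime-only rule and a permanent-but-not-reloaded rule both look fine in the moment and differ only after the next reload or reboot. The script below is an added example, not from the original post: list_drift compares the runtime and permanent allow-lists for both services and ports, and firewalld_drift feeds it real firewall-cmd output (function names are my own; the wrapper assumes root and a running firewalld, the demo runs offline on constructed lists).

```bash
#!/bin/sh
# Added example, not from the original post. Compares firewalld's runtime
# allow-list with the permanent one so that rules added without --permanent
# (which vanish at the next reload or reboot) are caught before they bite.

# list_drift KIND RUNTIME PERMANENT: both lists are whitespace-separated words,
# as printed by "firewall-cmd --list-services" / "--list-ports".
list_drift() {
    kind="$1"; runtime="$2"; permanent="$3"
    for x in $runtime; do
        case " $permanent " in *" $x "*) ;; *) echo "$kind runtime-only: $x" ;; esac
    done
    for x in $permanent; do
        case " $runtime " in *" $x "*) ;; *) echo "$kind permanent-only: $x" ;; esac
    done
}

# Live wrapper (needs root and a running firewalld); ZONE defaults to the
# default zone, matching how firewall-cmd itself behaves without --zone.
firewalld_drift() {
    zone="${1:-$(firewall-cmd --get-default-zone)}"
    list_drift service "$(firewall-cmd --zone="$zone" --list-services)" \
                       "$(firewall-cmd --zone="$zone" --list-services --permanent)"
    list_drift port    "$(firewall-cmd --zone="$zone" --list-ports)" \
                       "$(firewall-cmd --zone="$zone" --list-ports --permanent)"
}

# Demo with constructed lists mirroring the session above: http was added at
# runtime only, 465/tcp was added with --permanent but not yet reloaded.
list_drift service "dhcpv6-client ssh http" "dhcpv6-client ssh"
list_drift port    ""                       "465/tcp"
```

An empty report from firewalld_drift means that what is enforced now is exactly what will be enforced after the next reboot.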
Add or remove blocked ICMP types
[root@dlp ~]# firewall-cmd --add-icmp-block=echo-request    # block echo requests
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
echo-request
[root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request    # remove the block again
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
[root@dlp ~]# firewall-cmd --get-icmptypes    # show the supported ICMP types
destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded
[2] If the firewall service is not needed, stop it as follows
[root@vdevops ~]# systemctl stop firewalld       # stop the firewall service
[root@vdevops ~]# systemctl disable firewalld    # do not start the firewall at boot
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
3. SELinux
[root@vdevops ~]# getenforce    # show the SELinux mode
Enforcing
[root@vdevops ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config    # disable SELinux at the next boot (the value in the file is lower-case "enforcing")
[root@vdevops ~]# setenforce 0    # switch off enforcement for the current boot (permissive mode), no reboot needed
4. Network settings
[1] Set a static IP and change the interface name
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.addresses 10.1.1.56/24    # set a static IP
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.gateway 10.1.1.1          # set the gateway
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.dns 10.1.1.1              # set DNS
[root@vdevops ~]# nmcli c modify eno16777736 ipv4.method manual             # set the IPv4 method to static
[root@vdevops ~]# nmcli c down eno16777736; nmcli c up eno16777736          # restart the network interface
Connection 'eno16777736' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/0)
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[root@vdevops ~]# nmcli d show eno16777736    # show the interface status
GENERAL.DEVICE:                         eno16777736
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         00:0C:29:B6:F5:5E
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     eno16777736
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/1
WIRED-PROPERTIES.CARRIER:               on
IP4.ADDRESS[1]:                         10.1.1.56/24
IP4.GATEWAY:                            10.1.1.1
IP4.DNS[1]:                             10.1.1.1
IP6.ADDRESS[1]:                         fe80::20c:29ff:feb6:f55e/64
IP6.GATEWAY:
[root@vdevops ~]# ip addr show    # show the IP addresses
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b6:f5:5e brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.56/24 brd 10.1.1.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb6:f55e/64 scope link
       valid_lft forever preferred_lft forever
[2] Disable IPv6
[root@vdevops ~]# vim /etc/default/grub
# line 6: add ipv6.disable=1
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
[root@vdevops ~]# reboot    # reboot the system
[3] To use ethX-style network interface names, configure as follows.
[root@vdevops ~]# vim /etc/default/grub
# line 6: add net.ifnames=0
GRUB_CMDLINE_LINUX="crashkernel=auto ipv6.disable=1 net.ifnames=0 rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet"
[root@vdevops ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-327.36.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-d1b9467b8b744a3db391f2c15fe58a94
Found initrd image: /boot/initramfs-0-rescue-d1b9467b8b744a3db391f2c15fe58a94.img
done
4. Service settings
[1] View service status
# show running services
[root@vdevops ~]# systemctl -t service
UNIT                           LOAD   ACTIVE SUB     DESCRIPTION
auditd.service                 loaded active running Security Auditing Service
avahi-daemon.service           loaded active running Avahi mDNS/DNS-SD Stack
crond.service                  loaded active running Command Scheduler
dbus.service                   loaded active running D-Bus System Message Bus
getty@tty1.service             loaded active running Getty on tty1
...
...
...
systemd-udevd.service          loaded active running udev Kernel Device Manager
systemd-update-utmp.service    loaded active exited  Update UTMP about System Reboot/Shutdown
systemd-user-sessions.service  loaded active exited  Permit User Sessions
systemd-vconsole-setup.service loaded active exited  Setup Virtual Console
tuned.service                  loaded active running Dynamic System Tuning Daemon

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

39 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
# show all services
[root@vdevops ~]# systemctl list-unit-files -t service
UNIT FILE                      STATE
auditd.service                 enabled
autovt@.service                disabled
avahi-daemon.service           enabled
blk-availability.service       disabled
brandbot.service               static
...
...
...
systemd-user-sessions.service  static
systemd-vconsole-setup.service static
teamd@.service                 static
tuned.service                  enabled
wpa_supplicant.service         disabled

125 unit files listed.
[2] Stop a service and disable its automatic start (or start and enable it)
[root@vdevops ~]# systemctl stop postfix       # stop the service
[root@vdevops ~]# systemctl disable postfix    # do not start it at boot
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service.
[root@vdevops ~]# systemctl start postfix
[root@vdevops ~]# systemctl enable postfix
Created symlink from /etc/systemd/system/multi-user.target.wants/postfix.service to /usr/lib/systemd/system/postfix.service.
[root@vdevops ~]# systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2016-10-26 18:40:35 CST; 15s ago
 Main PID: 10071 (master)
   CGroup: /system.slice/postfix.service
           ├─10071 /usr/libexec/postfix/master -w
           ├─10072 pickup -l -t unix -u
           └─10073 qmgr -l -t unix -u

Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: postsuper: warning: inet_protocols: disabling IPv6 name/address support: Address family no...rotocol
Oct 26 18:40:35 vdevops.com postfix[9999]: /usr/sbin/postconf: warning: inet_protocols: disabling IPv6 name/address support: Address...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Oct 26 18:40:35 vdevops.com postfix/master[10071]: daemon started -- version 2.10.1, configuration /etc/postfix
Oct 26 18:40:35 vdevops.com systemd[1]: Started Postfix Mail Transport Agent.
Oct 26 18:40:35 vdevops.com postfix/qmgr[10073]: warning: inet_protocols: disabling IPv6 name/address support: Address family not sup...rotocol
Oct 26 18:40:35 vdevops.com postfix/pickup[10072]: warning: inet_protocols: disabling IPv6 name/address support: Address family not s...rotocol
Hint: Some lines were ellipsized, use -l to show in full.
[3] There are also some SysV services. They are controlled by chkconfig, as shown below
[root@vdevops ~]# chkconfig --list

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
5. Update the system and add other repositories
yum update -y
Add other repositories
Add some useful external repositories so that useful software can be installed
[1] Install the plugin that assigns a priority to each installed repository.
[root@vdevops ~]# yum -y install yum-plugin-priorities
# set the priority of the official repositories to [priority=1]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=1/g" /etc/yum.repos.d/CentOS-Base.repo
[2] Add the EPEL repository provided by the Fedora project
[root@vdevops ~]# yum -y install epel-release
# set the priority to [priority=5]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=5/g" /etc/yum.repos.d/epel.repo
# setting enabled=0 lets you control whether the repository is used when installing packages
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo
# with [enabled=0], install packages with the following command
[root@vdevops ~]# yum --enablerepo=epel install [Package]
[3] Add the CentOS SCLo Software Collections repository.
[root@vdevops ~]# yum -y install centos-release-scl-rh centos-release-scl
# set the priority to [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# set [enabled=0]
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@vdevops ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
# with [enabled=0], use the repositories with the following commands
[root@vdevops ~]# yum --enablerepo=centos-sclo-rh install [Package]
[root@vdevops ~]# yum --enablerepo=centos-sclo-sclo install [Package]
[4] Add Remi's RPM repository, which provides many useful packages
[root@vdevops ~]# yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
# set the priority to [priority=10]
[root@vdevops ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/remi-safe.repo
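The sed one-liner used above inserts a fresh priority= line under every [section] header each time it runs, so re-running a provisioning script leaves duplicate keys. The script below is an added example, not from the original post: set_repo_priority rewrites the file idempotently, and repo_audit lists, per section, whether the repository is enabled and whether gpgcheck is on, which is the thing to review before the third-party repositories start feeding packages into yum. Function names are my own; the sample .repo file is constructed.

```bash
#!/bin/sh
# Added example, not from the original post. Idempotent replacement for the
# post's sed "s/\]$/\]\npriority=N/" one-liner, plus a small audit of which
# repositories are enabled and whether they verify package signatures.

# set_repo_priority FILE PRIORITY: exactly one priority= line directly under
# every [section] header; pre-existing priority= lines are dropped first.
set_repo_priority() {
    file="$1"; prio="$2"
    awk -v p="$prio" '
        /^\[.*\]$/   { print; print "priority=" p; next }
        /^priority=/ { next }
                     { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# repo_audit FILE: one line per section, "[name] enabled=X gpgcheck=Y"
# ("?" when the key is absent). enabled=1 together with gpgcheck!=1 is a
# repository that can install unsigned packages.
repo_audit() {
    awk '
        function out() { if (sec != "") print sec, "enabled=" en, "gpgcheck=" gc }
        /^\[.*\]$/   { out(); sec = $0; en = "?"; gc = "?"; next }
        /^enabled=/  { en = substr($0, 9) }
        /^gpgcheck=/ { gc = substr($0, 10) }
        END          { out() }
    ' "$1"
}

# Constructed .repo file in the shape of /etc/yum.repos.d/epel.repo.
make_sample_repo() {
    cat > "$1" <<'EOF'
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
enabled=1
gpgcheck=1

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
enabled=0
gpgcheck=1
EOF
}

tmp=$(mktemp -d)
make_sample_repo "$tmp/epel.repo"
set_repo_priority "$tmp/epel.repo" 5
set_repo_priority "$tmp/epel.repo" 5    # second run: still one line per section
repo_audit "$tmp/epel.repo"
rm -rf "$tmp"
```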
6. Set up vim
[1] Install vim
[root@vdevops ~]# yum -y install vim-enhanced
[2] Set an alias
Set a command alias. (This applies to all users; to apply it to a single user, write the same setting in that user's ~/.bashrc.)
[root@dlp ~]# vi /etc/profile
# add the following line at the end
alias vi='vim'
[root@dlp ~]# source /etc/profile    # reload
Or
echo "alias vi='vim'" >> /etc/profile && source /etc/profile
[3] Configure vim: edit /etc/vimrc for all users, or ~/.vimrc for a particular user
This mainly covers syntax highlighting, plugins, auto-indent and the like. This post does not go into the details; a separate post on tuning vim will follow. To do good work, one must first sharpen one's tools.
7. Set up sudo
Configure sudo to separate users' responsibilities when several people share privileges. There is no need to install sudo manually, because it is installed by default even with a "minimal install".
[1] Give an ordinary user all of root's privileges
[root@vdevops ~]# visudo
# add the following line so that user "wang" has all of root's privileges
wang    ALL=(ALL)       ALL
# run a root command as the ordinary user
# make sure you are logged in as 'wang'
[wang@vdevops ~]$ /usr/bin/cat /etc/shadow
cat: /etc/shadow: Permission denied    # denied normally
[wang@vdevops ~]$ sudo /usr/bin/cat /etc/shadow
[sudo] password for cent:    # own password
daemon:*:16231:0:99999:7:::
adm:*:16231:0:99999:7:::
lp:*:16231:0:99999:7:::
...
...
# after entering wang's password the output is shown
[2] Prevent the user from executing dangerous commands
[root@vdevops ~]# visudo
# line 49: define the alias SHUTDOWN
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init
# forbid user wang from executing the commands in the SHUTDOWN alias
wang    ALL=(ALL)       ALL, !SHUTDOWN
# make sure you are logged in as 'wang'
[wang@vdevops ~]$ sudo /sbin/shutdown -r now
Sorry, user cent is not allowed to execute '/sbin/shutdown -r now' as root on vdevops.com.    # denied normally
[3] Create a special group whose members can execute some root commands
[root@vdevops ~]# visudo
# line 51: define the alias USERMGR for a few user-management commands
Cmnd_Alias USERMGR = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
# add at the end
%usermgr    ALL=(ALL)       USERMGR
[root@vdevops ~]# groupadd usermgr
[root@vdevops ~]# usermod -aG usermgr wang    # -a appends, so wang keeps the wheel membership from step 1
# make sure you are logged in as wang
[wang@vdevops ~]$ sudo /usr/sbin/useradd testuser
# enter wang's password; the user is created successfully
[wang@vdevops ~]$ sudo /usr/bin/passwd testuser
Changing password for user testuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[4] Set up sudo logging
sudo's log goes to /var/log/secure, but that file mixes in many other kinds of messages. To keep only sudo's log in a file of its own, configure as follows:
[root@vdevops ~]# visudo
# add at the end
Defaults    syslog=local1
[root@vdevops ~]# vi /etc/rsyslog.conf
# line 54: add local1.none
*.info;mail.none;authpriv.none;cron.none;local1.none                /var/log/messages
# add the following line
local1.*                                                /var/log/sudo.log
[root@vdevops ~]# systemctl restart rsyslog    # restart the rsyslog service
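Once sudo has its own file, the lines worth alerting on are the policy refusals (e.g. the !SHUTDOWN rule from step [2]) and repeated wrong passwords. The script below is an added example, not from the original post: sudo_log_report walks a sudo.log in sudo's standard syslog line layout and prints each refused or failed-auth attempt followed by a totals line. The function name is my own and the sample log is constructed.

```bash
#!/bin/sh
# Added example, not from the original post. Summarises the dedicated sudo
# log produced via the local1 facility: which commands the policy refused
# and where password guessing happened. Sample lines are constructed in the
# layout sudo uses for syslog ("user : [reason ;] TTY=... ; ... ; COMMAND=...").

# sudo_log_report FILE: one line per refused / failed-auth attempt, then a
# totals line "ok=N denied=N badpw=N".
sudo_log_report() {
    awk '
        /sudo:[ \t]+[^ \t]+ :/ {
            split($0, a, " : "); n = split(a[1], b, /[ \t]+/); user = b[n]
            cmd = ""; m = split($0, f, " ; ")
            for (i = 1; i <= m; i++) if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
            if ($0 ~ /command not allowed/)             { denied++; print "DENIED " user " " cmd }
            else if ($0 ~ /incorrect password attempt/) { badpw++;  print "BADPW " user " " cmd }
            else                                        { ok++ }
        }
        END { printf "ok=%d denied=%d badpw=%d\n", ok + 0, denied + 0, badpw + 0 }
    ' "$1"
}

# Constructed sample: an allowed cat, a refused shutdown (the !SHUTDOWN rule),
# a password-guessing failure, and an allowed useradd via the USERMGR alias.
make_sample_sudo_log() {
    cat > "$1" <<'EOF'
Oct 26 18:40:35 vdevops sudo:    wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Oct 26 18:41:02 vdevops sudo:    wang : command not allowed ; TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/sbin/shutdown -r now
Oct 26 18:42:10 vdevops sudo:    wang : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/sbin/useradd testuser
Oct 26 18:43:00 vdevops sudo:    wang : TTY=pts/0 ; PWD=/home/wang ; USER=root ; COMMAND=/usr/sbin/useradd testuser
EOF
}

tmp=$(mktemp -d)
make_sample_sudo_log "$tmp/sudo.log"
sudo_log_report "$tmp/sudo.log"
rm -rf "$tmp"
```

On a real host run it as sudo_log_report /var/log/sudo.log; a non-zero denied or badpw count is the signal to look at the named user.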