在 CentOS 安装好之后,安全性以及对硬件的适应性方面,可能并不完全符合我们的实际情况。在这里,对新的 CentOS 系统进行初始环境设置将以如下方面为原则:
1,为了安全,尽最大可能将访问限制限制到可能的最大程度;
2,为了节省内存及 CPU 使用率(以及安全方面的考虑),尽最大可能将不需要的服务关闭;
3,为了减少误操作可能带来的损失,平时通过 wheel 组用户登录进行系统管理;
4,为了让系统变的更加轻便、快速,将内核中不需要的模块卸载;
1,为了安全,尽最大可能将访问限制限制到可能的最大程度;
2,为了节省内存及 CPU 使用率(以及安全方面的考虑),尽最大可能将不需要的服务关闭;
3,为了减少误操作可能带来的损失,平时通过 wheel 组用户登录进行系统管理;
4,为了让系统变的更加轻便、快速,将内核中不需要的模块卸载;
【1】,建立管理员组内一般用户
在 一般情况下,一般用户通过执行“su -”命令、输入正确的root密码,可以登录为root用户来对系统进行管理员级别的配置。但是,为了更进一步加强系统的安全性,有必要建立一个管理员的 组,只允许这个组的用户来执行“su -”命令登录为root用户,而让其他组的用户即使执行“su -”、输入了正确的root密码,也无法登录为root用户。在UNIX下,这个组的名称通常为“wheel”。
[root@localhost ~]# useradd -G wheel centospub
[root@localhost ~]# passwd centospub
Changing password for user centospub.
New UNIX password:
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]# vi /etc/pam.d/su
[root@localhost ~]# passwd centospub
Changing password for user centospub.
New UNIX password:
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]# vi /etc/pam.d/su
将#auth required pam_wheel.so use_uid 改成
auth required pam_wheel.so use_uid
auth required pam_wheel.so use_uid
[root@localhost ~]# echo "SU_WHEEL_ONLY yes" >>/etc/login.defs 添加语句到末行
以上操作完成后,可以再建立一个新用户,然后用这个新建的用户测试会发现,没有加入到wheel组的用户,执行“su -”命令,即使输入了正确的root密码,也无法登录为root用户。
【2】,建立PPPoE连接(非xDSL连接方式的用户可跳过此步骤)
【2】,建立PPPoE连接(非xDSL连接方式的用户可跳过此步骤)
[root@localhost ~]# adsl-setup < 建立ADSL连接
Welcome to the ADSL client setup. First, I will run some checks on
your system to make sure the PPPoE client is installed properly...
your system to make sure the PPPoE client is installed properly...
LOGIN NAME
Enter your Login Name (default root): < 填入ADSL连接的用户名
INTERFACE
Enter the Ethernet interface connected to the ADSL modem
For Solaris, this is likely to be something like /dev/hme0.
For Linux, it will be ethX, where 'X' is a number.
(default eth0): < 指定网络设备
For Solaris, this is likely to be something like /dev/hme0.
For Linux, it will be ethX, where 'X' is a number.
(default eth0): < 指定网络设备
Do you want the link to come up on demand, or stay up continuously?
If you want it to come up on demand, enter the idle time in seconds
after which the link should be dropped. If you want the link to
stay up permanently, enter 'no' (two letters, lower-case.)
NOTE: Demand-activated links do not interact well with dynamic IP
addresses. You may have some problems with demand-activated links.
Enter the demand value (default no): < 接受默认设置
If you want it to come up on demand, enter the idle time in seconds
after which the link should be dropped. If you want the link to
stay up permanently, enter 'no' (two letters, lower-case.)
NOTE: Demand-activated links do not interact well with dynamic IP
addresses. You may have some problems with demand-activated links.
Enter the demand value (default no): < 接受默认设置
DNS
Please enter the IP address of your ISP's primary DNS server.
If your ISP claims that 'the server will provide dynamic DNS addresses',
enter 'server' (all lower-case) here.
If you just press enter, I will assume you know what you are
doing and not modify your DNS setup.
Enter the DNS information here: < 如果知道DNS服务器的在此填,不知道的跳过
If your ISP claims that 'the server will provide dynamic DNS addresses',
enter 'server' (all lower-case) here.
If you just press enter, I will assume you know what you are
doing and not modify your DNS setup.
Enter the DNS information here: < 如果知道DNS服务器的在此填,不知道的跳过
PASSWORD
Please enter your Password: < 输入ADSL的连接密码
Please re-enter your Password: < 再次输入ADSL的连接密码
Please re-enter your Password: < 再次输入ADSL的连接密码
USERCTRL
Please enter 'yes' (three letters, lower-case.) if you want to allow
normal user to start or stop DSL connection (default yes): 填入NO,不允许一般的用户连接PPPoE
normal user to start or stop DSL connection (default yes): 填入NO,不允许一般的用户连接PPPoE
FIREWALLING
Please choose the firewall rules to use. Note that these rules are
very basic. You are strongly encouraged to use a more sophisticated
firewall setup; however, these will provide basic security. If you
are running any servers on your machine, you must choose 'NONE' and
set up firewalling yourself. Otherwise, the firewall rules will deny
access to all standard servers like Web, e-mail, ftp, etc. If you
are using SSH, the rules will block outgoing SSH connections which
allocate a privileged source port.
very basic. You are strongly encouraged to use a more sophisticated
firewall setup; however, these will provide basic security. If you
are running any servers on your machine, you must choose 'NONE' and
set up firewalling yourself. Otherwise, the firewall rules will deny
access to all standard servers like Web, e-mail, ftp, etc. If you
are using SSH, the rules will block outgoing SSH connections which
allocate a privileged source port.
The firewall choices are:
0 - NONE: This script will not set any firewall rules. You are responsible
for ensuring the security of your machine. You are STRONGLY
recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
for a LAN
Choose a type of firewall (0-2): < 输入0,不在这里设置防火墙
0 - NONE: This script will not set any firewall rules. You are responsible
for ensuring the security of your machine. You are STRONGLY
recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
for a LAN
Choose a type of firewall (0-2): < 输入0,不在这里设置防火墙
Start this connection at boot time
Do you want to start this connection at boot time?
Please enter no or yes (default no): < 填yes,系统启动自动连接ADSL
Please enter no or yes (default no): < 填yes,系统启动自动连接ADSL
** Summary of what you entered **
Ethernet Interface: eth0
User name: root
Activate-on-demand: No
DNS: Do not adjust
Firewalling: NONE
User Control: no
Accept these settings and adjust configuration files (y/n)? < 配置信息无误后,键入y确认配置
User name: root
Activate-on-demand: No
DNS: Do not adjust
Firewalling: NONE
User Control: no
Accept these settings and adjust configuration files (y/n)? < 配置信息无误后,键入y确认配置
Adjusting /etc/sysconfig/network-scripts/ifcfg-ppp0
Adjusting /etc/ppp/chap-secrets and /etc/ppp/pap-secrets
(But first backing it up to /etc/ppp/chap-secrets.bak)
(But first backing it up to /etc/ppp/pap-secrets.bak)
Adjusting /etc/ppp/chap-secrets and /etc/ppp/pap-secrets
(But first backing it up to /etc/ppp/chap-secrets.bak)
(But first backing it up to /etc/ppp/pap-secrets.bak)
Congratulations, it should be all set up!
Type '/sbin/ifup ppp0' to bring up your xDSL link and '/sbin/ifdown ppp0'
to bring it down.
Type '/sbin/adsl-status /etc/sysconfig/network-scripts/ifcfg-ppp0'
to see the link status.
to bring it down.
Type '/sbin/adsl-status /etc/sysconfig/network-scripts/ifcfg-ppp0'
to see the link status.
[root@localhost ~]#
然后,启动ADSL
[root@localhost ~]# adsl-start < 启动ADSL连接
[root@localhost ~]# ← 稍等片刻后若启动成功后出现提示符(无任何提示即意味着连接成功)← 稍等片刻后若启动成功后出现提示符(无任何提示即意味着连接成功)
这时,通过“ifconfig”命令可以看到各网络接口的信息(IP地址等等)。
【3】,rooty用户的转送
在系统出现错误或有重要通知发送邮件给root的时候,让系统自动转送到我们通常使用的邮箱中,这样方便查阅相关报告和日志。
[root@sample ~]# vi /etc/aliases ← 编辑aliases,添加如下行到文尾
root: yourname@yourserver.com ← 加入自己的邮箱地址
[root@sample ~]# newaliases ← 重建aliasesdb
/etc/aliases: 79 aliases, longest 19 bytes, 825 bytes total
[root@sample ~]# echo test | mail root ← 发送测试邮件给root
如果成功的话,会在刚刚填入的 yourname@yourserver.com 的邮箱中收到测试的邮件。
root: yourname@yourserver.com ← 加入自己的邮箱地址
[root@sample ~]# newaliases ← 重建aliasesdb
/etc/aliases: 79 aliases, longest 19 bytes, 825 bytes total
[root@sample ~]# echo test | mail root ← 发送测试邮件给root
如果成功的话,会在刚刚填入的 yourname@yourserver.com 的邮箱中收到测试的邮件。
【4】,locate命令用数据库更新及自动更新设定
l ocate命令是Linux下告诉搜索文件用的工具,它的原理和Windows下的“Google桌面搜索”有点类似,是通过事先建立数据库的方式,来达到高速查找目标文件的目的。
[root@sample ~]# vi /etc/updatedb.conf ← 编辑locate数据库更新配置文件
DAILY_UPDATE=no ← 找到这一行,将“no”改为“yes”
↓
DAILY_UPDATE=yes ← 变为此状态后,保存、退出
[root@sample ~]# updatedb ← 运行locate数据库更新命令,稍等片刻…更新成功后出现提示符
[root@sample ~]# vi /etc/updatedb.conf ← 编辑locate数据库更新配置文件
DAILY_UPDATE=no ← 找到这一行,将“no”改为“yes”
↓
DAILY_UPDATE=yes ← 变为此状态后,保存、退出
[root@sample ~]# updatedb ← 运行locate数据库更新命令,稍等片刻…更新成功后出现提示符
【5】,定义yum的非官方库
在服务器构建的过程中,我们将要用到的一些工具不存在于CentOS中yum的官方库中,所以需要定义yum的非官方库文件,让一些必需的工具通过yum也能够安装
[root@sample ~]# vi /etc/yum.repos.d/dag.repo ← 建立dag.repo,定义非官方库
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1
[root@sample ~]# rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt ← 导入非官方库的GPG
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1
[root@sample ~]# rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt ← 导入非官方库的GPG
【6】,停止打印服务
如果不准备提供打印服务,停止默认被设置为自动启动的打印服务
[root@sample ~]# /etc/rc.d/init.d/cups stop ← 停止打印服务
Stopping cups: [ OK ] ← 停止服务成功,出现“OK”
[root@sample ~]# chkconfig cups off ← 禁止打印服务自动启动
[root@sample ~]# chkconfig --list cups ← 确认打印服务自启动设置状态
cups 0:off 1:off 2:off 3:off 4:off 5:off 6:off ← 0-6都为off的状态就OK(当前打印服务自启动被禁止中)
Stopping cups: [ OK ] ← 停止服务成功,出现“OK”
[root@sample ~]# chkconfig cups off ← 禁止打印服务自动启动
[root@sample ~]# chkconfig --list cups ← 确认打印服务自启动设置状态
cups 0:off 1:off 2:off 3:off 4:off 5:off 6:off ← 0-6都为off的状态就OK(当前打印服务自启动被禁止中)
