1. Initial basic configuration
Disable SELinux
setenforce 0
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
Configure the network interface (the addresses are examples; change them to your own)
echo "DEVICE=ens192
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.10.94
NETMASK=255.255.255.0
GATEWAY=192.168.10.250
DNS1=192.168.10.59" > /etc/sysconfig/network-scripts/ifcfg-ens192
service network restart
Change the locale
Otherwise you may get an input/output error, because the logs contain Chinese characters.
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
Set the default target to text mode (multi-user)
ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
Set the clock
timedatectl set-timezone Asia/Shanghai
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
Configure NTP
yum install ntp
systemctl start ntpd
systemctl enable ntpd
Install EPEL
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
EPEL mirror in China (instructions):
https://mirrors.tuna.tsinghua.edu.cn/help/epel/
sed -e 's!^metalink=!#metalink=!g' \
-e 's!^#baseurl=!baseurl=!g' \
-e 's!//download\.fedoraproject\.org/pub!//mirrors.tuna.tsinghua.edu.cn!g' \
-e 's!http://mirrors\.tuna!https://mirrors.tuna!g' \
-i /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel-testing.repo
Install software
yum install -y epel-release
yum update -y
yum install -y htop iotop iftop atop linux_logo lrzsz vim net-tools
yum -y install nmon iptraf wget unzip
Shell history, open-file limit and aliases
echo "# Set History Timestamp,Size
export HISTTIMEFORMAT=\"%Y-%m-%d %H:%M:%S \"
export HISTSIZE=1000
export HISTFILESIZE=10000
# Set open files (-n) 65535.default is 1024
ulimit -HSn 65535
# Set Alias Vi to Vim
alias vi='vim' " >> /root/.bash_profile
echo "
* soft nofile 50000
* hard nofile 65536
* soft nproc 50000
* hard nproc 50000
" >> /etc/security/limits.conf
echo "
* soft nproc 50000
root soft nproc unlimited " >> /etc/security/limits.d/90-nproc.conf
Tune kernel parameters
cat >> /etc/sysctl.conf << EOF
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# Avoid being used in ICMP broadcast amplification attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Disable IP forwarding and sending of ICMP redirects
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Enable reverse-path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Drop source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Disable the magic SysRq key
kernel.sysrq = 0
# Append the PID to core file names
kernel.core_uses_pid = 1
# Enable SYN cookies (SYN flood protection)
net.ipv4.tcp_syncookies = 1
# Message queue sizes
kernel.msgmnb = 65536
kernel.msgmax = 65536
# Maximum shared memory segment size (bytes)
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
# Maximum number of TIME-WAIT sockets, default 180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# Maximum number of packets queued per interface when packets arrive faster than the kernel can process them
net.core.netdev_max_backlog = 262144
# Orphaned-socket limit; only meant to prevent simple DoS attacks
net.ipv4.tcp_max_orphans = 3276800
# Maximum number of connection requests not yet acknowledged by the client
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
# Number of SYN-ACK retransmissions before the kernel gives up on a connection
net.ipv4.tcp_synack_retries = 1
# Number of SYN retransmissions before the kernel gives up on a connection
net.ipv4.tcp_syn_retries = 1
# Enable fast recycling of TIME-WAIT sockets
net.ipv4.tcp_tw_recycle = 1
# Allow TIME-WAIT sockets to be reused for new TCP connections
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
# Interval between TCP keepalive probes when keepalive is enabled; default 2 hours
net.ipv4.tcp_keepalive_time = 30
# Local port range the system may use
net.ipv4.ip_local_port_range = 1024 65000
# Netfilter connection-tracking table size, default 65536
#net.netfilter.nf_conntrack_max=655350
#net.netfilter.nf_conntrack_tcp_timeout_established=1200
# Do not accept ICMP redirects, so nobody can alter the routing table
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF
/sbin/sysctl -p
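As an added check (not part of the original guide), the script below reads the live values under /proc/sys and reports every security-relevant key from the sysctl block above that does not hold the intended value; SYSCTL_ROOT and audit_sysctl are names assumed by this example, the override existing only so the audit can be pointed at a constructed directory tree.

```shell
#!/bin/sh
# Audit the hardening keys from /etc/sysctl.conf against the running kernel.
# Reads /proc/sys by default; SYSCTL_ROOT (assumed for this example) lets a
# test point the audit at a constructed directory tree instead.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# key=value pairs that must hold; "a.b.c" maps to "$SYSCTL_ROOT/a/b/c".
HARDENING_KEYS="
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.tcp_syncookies=1
kernel.sysrq=0
"

# Print one line per mismatch as "key expected=X actual=Y" (actual=MISSING
# when the key does not exist) and return 1; return 0 when all keys match.
audit_sysctl() {
    failed=0
    for pair in $HARDENING_KEYS; do
        key="${pair%%=*}"
        want="${pair#*=}"
        path="$SYSCTL_ROOT/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            got="$(tr -d '[:space:]' < "$path")"
        else
            got="MISSING"
        fi
        if [ "$got" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$got"
            failed=1
        fi
    done
    return "$failed"
}

# Run as root after "sysctl -p" and inspect the exit status:
# audit_sysctl && echo "sysctl hardening OK"
```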
Disable unneeded services
systemctl stop postfix
systemctl disable postfix
1. List the status of running services:
systemctl list-units --type=service
2. List all installed services and their state:
systemctl list-unit-files
3. List enabled services:
systemctl list-unit-files | grep enabled
Configure the firewall with firewall-cmd
firewall-cmd --permanent --zone=public --add-service=dns
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --zone=public --add-port=2222/tcp --permanent
# Reload the rules
firewall-cmd --reload
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="1.2.3.4/32" port protocol="tcp" port="4567" accept'
cat /etc/firewalld/zones/public.xml
firewall-cmd --reload
firewall-cmd --list-all
systemctl status firewalld
systemctl stop firewalld
2. Prepare Python 3 and a Python virtual environment
2.1 Install dependencies
yum -y install wget gcc epel-release git
2.2 Install Python 3.6
yum -y install python36 python36-devel
yum -y install python-pip
pip install --upgrade pip
2.3 Create a Python virtual environment
CentOS 6/7 ships with Python 2, and yum and other tools depend on that Python, so to avoid disturbing the original environment we use a Python virtual environment.
cd /opt
python3.6 -m venv py3
source /opt/py3/bin/activate
Seeing the prompt below means it worked. From now on, run the source command above before running Jumpserver; all commands below are executed inside this virtual environment: (py3) [root@localhost py3]
2.4 Load the Python virtual environment automatically
This step is only for the terminally lazy: it keeps you from forgetting to load the Python virtual environment when running Jumpserver, which would stop the program from running. It uses autoenv.
cd /opt
git clone https://github.com/kennethreitz/autoenv.git
echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
source ~/.bashrc
echo "source /opt/py3/bin/activate" >> /opt/.env
3. Install MySQL
3.1 Install and configure MySQL (MariaDB)
yum -y install mariadb mariadb-devel mariadb-server
systemctl enable mariadb
systemctl start mariadb
After installation, run the following command to initialise MariaDB and set the root password when prompted (the default password is empty):
mysql_secure_installation
3.2 Create the nextcloud database and grant privileges
mysql -uroot -p
CREATE DATABASE nextcloud CHARACTER SET utf8 COLLATE utf8_general_ci;
CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 'nextcloud@123$';
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@'localhost';
FLUSH PRIVILEGES;
quit
mysql -uroot -e "create database zabbix character set utf8;"
mysql -uroot -e "grant all privileges on zabbix.* to zabbix@localhost identified by 'zabbix';"
mysql -uroot -e "flush privileges;"
mysql -hlocalhost -unextcloud -p'nextcloud@123$'
show databases;
4. Install PHP 7
1. If another PHP version was installed before, remove it first
yum remove php* -y
2. Install the PHP 7 yum repositories via rpm
CentOS/RHEL 7.x:
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
3. Install PHP 7 with yum
yum -y install `yum list|grep php71w|awk '{printf ("%s ",$1)}'` --skip-broken --nogpgcheck
yum -y install php-pecl-zip
4. Adjust PHP parameters
sed -i 's|^;date.timezone =.*|date.timezone = Asia/Shanghai|' /etc/php.ini
sed -i 's/^max_execution_time = .*/max_execution_time = 300/' /etc/php.ini
sed -i 's/^post_max_size = .*/post_max_size = 512M/' /etc/php.ini
sed -i 's/^max_input_time = .*/max_input_time = 300/' /etc/php.ini
sed -i 's/^memory_limit = .*/memory_limit = 128M/' /etc/php.ini
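Editing php.ini with one-off sed lines is fragile when a directive appears more than once or exists only as a ";"-commented default. The helper below is an added example, not from the original guide: set_ini and get_ini are assumed names, and set_ini rewrites an active directive in place, uncomments a commented one, or appends the directive when it is absent, so it is safe to re-run.

```shell
#!/bin/sh
# set_ini FILE KEY VALUE: set "KEY = VALUE" in a php.ini-style file.
# An active directive is rewritten in place, a ";"-commented one is
# uncommented and set, and a missing one is appended. VALUE must not
# contain "|" or "&" (sed delimiter and back-reference).
set_ini() {
    file="$1" key="$2" value="$3"
    # escape "." so that date.timezone does not also match datextimezone
    k="$(printf '%s' "$key" | sed 's/\./\\./g')"
    if grep -Eq "^[[:space:]]*${k}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*${k}[[:space:]]*=.*|${key} = ${value}|" "$file"
    elif grep -Eq "^[[:space:]]*;[[:space:]]*${k}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*;[[:space:]]*${k}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_ini FILE KEY: print the active value of KEY (empty when not set).
get_ini() {
    k="$(printf '%s' "$2" | sed 's/\./\\./g')"
    sed -nE "s|^[[:space:]]*${k}[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# Usage against the real file (run as root):
# set_ini /etc/php.ini date.timezone Asia/Shanghai
# set_ini /etc/php.ini max_execution_time 300
# set_ini /etc/php.ini post_max_size 512M
# set_ini /etc/php.ini max_input_time 300
# set_ini /etc/php.ini memory_limit 128M
```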
5. After installation, check that it succeeded
php -v
6. To serve PHP pages, start the php-fpm interpreter
systemctl start php-fpm
systemctl enable php-fpm
netstat -anpt|grep php
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 300/php-fpm: pool w
netstat -lntup|grep php-fpm
5. Passwordless SSH login
ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub root@IP_ADDR
ssh 'root@IP_ADDR'
6. Install Nginx
Run the following command to install nginx
yum install -y nginx
# After installation, run the following commands to start Nginx
systemctl start nginx
systemctl enable nginx
7. Configure SNMP
yum -y install net-snmp net-snmp-libs net-snmp-devel net-snmp-utils
net-snmp-config --create-snmpv3-user -ro -A test@@2018 -a MD5 zxyy
systemctl start snmpd
systemctl enable snmpd
systemctl status snmpd
# Local test:
snmpwalk -v 2c -c public localhost sysName.0
snmpwalk -v3 -u zxyy -l auth -a MD5 -A test@@2018 127.0.0.1 sysName.0
# Remote test (run from another host; replace IP_ADDR with this server's address):
snmpwalk -v3 -u zxyy -l auth -a MD5 -A test@@2018 IP_ADDR sysName.0