CentOS 7.6 基本配置

一、初始化基本配置

关闭SELINUX

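# Put SELinux into permissive mode now and keep it disabled across reboots.
# Security note: this removes a whole layer of mandatory access control on a
# host that goes on to expose nginx/php-fpm/MariaDB/SNMP — prefer fixing the
# individual denials (audit2allow, setsebool) over switching it off.
setenforce 0
# Anchor on the actual setting. The original `s/enforcing/disabled/g` also
# rewrote the explanatory comment lines in the file, and its backticked
# `grep -rl` produced no filename when the box was already disabled, leaving
# `sed -i` waiting on stdin.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config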

修改字符集

否则当日志中打印中文时,可能出现 input/output error 的报错

# Build the zh_CN UTF-8 locale, use it for this shell, and make it the
# system default (this overwrites /etc/locale.conf).
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
printf 'LANG="zh_CN.UTF-8"\n' > /etc/locale.conf

设置运行级别为文本

# Boot to the text console (multi-user) instead of a graphical target;
# set-default creates the same /etc/systemd/system/default.target symlink.
systemctl set-default multi-user.target

设置时钟

# System timezone. timedatectl already repoints /etc/localtime; the explicit
# symlink is redundant on a systemd host but harmless.
timedatectl set-timezone Asia/Shanghai
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

配置NTP

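# Time sync matters for log correlation, TLS and Kerberos. -y added: every
# other yum call in this guide is non-interactive, this one prompted.
yum install -y ntp
# CentOS 7 typically ships chronyd; both daemons bind udp/123, so ntpd will
# not start cleanly while chronyd runs. Best-effort, ignored if not present.
systemctl stop chronyd 2>/dev/null || true
systemctl disable chronyd 2>/dev/null || true
systemctl start ntpd
systemctl enable ntpd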

安装EPEL

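# EPEL: install the release package from CentOS's own "extras" repository,
# which is signed with the CentOS key, instead of `rpm -Uvh <URL>` — that
# installs a package fetched from the internet before its signing key is
# trusted, so no signature check protects the install.
yum install -y epel-release
# Webtatic is a third-party repository (used later for the php71w packages);
# its release RPM carries the repo GPG key. Keep it only if you accept that
# vendor as a source of packages installed as root.
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm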

安装软件

# Base tooling. `yum update -y` applies every pending update (kernel
# included — reboot afterwards for it to take effect).
yum install -y epel-release
yum update -y
yum install -y htop iotop iftop atop linux_logo lrzsz vim net-tools \
  nmon iptraf wget unzip

history

# Root shell defaults. Timestamped history is useful for incident
# reconstruction — but remember it also records, with timestamps, any
# password typed on a command line later in this guide (mysql -p..., snmp -A ...).
# Quoted delimiter: nothing below is expanded when written.
cat >> /root/.bash_profile <<'EOF'
# Set History Timestamp,Size
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "
export HISTSIZE=1000
export HISTFILESIZE=10000

# Set open files (-n) 65535.default is 1024

ulimit -HSn 65535

# Set Alias Vi to Vim
alias vi='vim'
EOF

# Per-user file-descriptor and process limits, applied by pam_limits at
# login. The hard values cap what a session may raise itself to.
cat >> /etc/security/limits.conf <<'EOF'

*               soft    nofile      50000
*               hard    nofile      65536
*               soft    nproc       50000
*               hard    nproc       50000

EOF

# nproc override. Files in limits.d are read in lexical order, so this
# 90- file takes precedence over the distribution's lower-numbered nproc file.
cat >> /etc/security/limits.d/90-nproc.conf <<'EOF'

*          soft    nproc     50000
root       soft    nproc     unlimited
EOF

修改内核参数

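# Kernel/network hardening and tuning. Written to its own file under
# /etc/sysctl.d so re-running this guide replaces it instead of appending a
# second copy to /etc/sysctl.conf; `sysctl --system` loads all such files.
cat > /etc/sysctl.d/99-hardening.conf <<'EOF'
# Disable IPv6 (the firewalld rich rule later in this guide is ipv4-only;
# keep that consistent if IPv6 is ever re-enabled)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Do not answer ICMP echo sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Not a router: no forwarding, never send ICMP redirects
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Strict reverse-path filtering (drops packets with spoofed sources)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Drop source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Disable the magic SysRq key
kernel.sysrq = 0

# Append the PID to core file names
kernel.core_uses_pid = 1

# SYN cookies keep the listen queue usable during a SYN flood
net.ipv4.tcp_syncookies = 1

# System V message queue limits
kernel.msgmnb = 65536
kernel.msgmax = 65536

# Max shared memory segment (bytes) / total shared memory (pages)
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

# Ceiling on TIME-WAIT sockets; beyond it they are destroyed with a warning
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096        87380   4194304
net.ipv4.tcp_wmem = 4096        16384   4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

# Per-interface backlog when packets arrive faster than the kernel drains them
net.core.netdev_max_backlog = 262144

# Orphaned (unattached) socket ceiling; only a guard against simple DoS
net.ipv4.tcp_max_orphans = 3276800

# Half-open connections the kernel will queue
net.ipv4.tcp_max_syn_backlog = 262144

# net.ipv4.tcp_timestamps = 0  -- REMOVED. Disabling timestamps also disables
# PAWS and turns tcp_tw_reuse (below) into a no-op, because reusing a
# TIME-WAIT socket relies on the peer's timestamp. The kernel default (1) stays.

# SYN-ACK retries before a half-open connection is dropped (aggressive)
net.ipv4.tcp_synack_retries = 1
# SYN retries for outgoing connects (aggressive: gives up after ~3s on a lossy link)
net.ipv4.tcp_syn_retries = 1

# net.ipv4.tcp_tw_recycle = 1  -- REMOVED. It silently drops connections from
# clients behind NAT or a load balancer (shared source address, differing
# timestamps) and was deleted from the kernel in 4.12; tcp_tw_reuse below is
# the safe way to relieve TIME-WAIT pressure.

# Reuse TIME-WAIT sockets for new outgoing connections (requires timestamps)
net.ipv4.tcp_tw_reuse = 1

# net.ipv4.tcp_mem = 94500000 915000000 927000000  -- REMOVED. The unit is
# pages (~390 GB / ~3.8 TB), far above any RAM this host has, which in effect
# disables the kernel's TCP memory-pressure handling. The boot-time
# auto-scaled default is appropriate.

# FIN-WAIT-2 timeout (default 60s); 1s is very aggressive
net.ipv4.tcp_fin_timeout = 1

# Keepalive probe interval when keepalive is enabled (default 2h)
net.ipv4.tcp_keepalive_time = 30

# Ephemeral port range. NOTE: starting at 1024 overlaps ports this guide
# listens on later (2222, 3306, 9000); a client connection can grab one of
# them before the service starts. The kernel default 32768-60999 avoids that.
net.ipv4.ip_local_port_range = 1024    65000

# conntrack sizing, left disabled: the key only exists once the conntrack
# module is loaded (typically when firewalld starts), and sysctl errors on
# keys that are not present yet.
#net.netfilter.nf_conntrack_max=655350
#net.netfilter.nf_conntrack_tcp_timeout_established=1200

# Ignore ICMP redirects so nobody on the LAN can rewrite the routing table
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF

sysctl --system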

关闭不必要的服务

# Postfix is not needed here. By default it only listens on localhost:25,
# so this mainly means locally generated mail (cron output) goes nowhere.
systemctl disable postfix
systemctl stop postfix

1、查看服务列表状态:
# Active service units and their current state
systemctl list-units -t service

2、列出所有已经安装的 服务 及 状态 :
# Every installed unit file with its enablement state
systemctl list-unit-files

3、查看已启动的服务列表:
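# Units that start at boot. --state matches exactly; the original
# `grep enabled` also listed every *disabled* unit, because "disabled"
# contains the substring "enabled".
systemctl list-unit-files --state=enabled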

配置firewall-cmd防火墙

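# Make sure firewalld is running and survives a reboot before adding rules.
systemctl enable firewalld
systemctl start firewalld

firewall-cmd --permanent --zone=public --add-service=dns
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https

# 2222/tcp — presumably an alternate sshd port. Confirm `Port 2222` is set in
# sshd_config before relying on it, and keep the default ssh service open
# until you have verified the new port works.
firewall-cmd --permanent --zone=public --add-port=2222/tcp

# Source-restricted example: only 1.2.3.4 may reach tcp/4567.
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="1.2.3.4/32" port protocol="tcp" port="4567" accept'

# --permanent rules only go to disk; a single reload applies them all.
firewall-cmd --reload

cat /etc/firewalld/zones/public.xml
firewall-cmd --list-all
systemctl status firewalld
# The original ended with `systemctl stop firewalld`, which discards the
# ruleset just loaded and leaves every port open. Removed — if you really
# want no firewall, do it deliberately, not at the end of the setup step.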

二、准备 Python3 和 Python 虚拟环境

2.1 安装依赖包

# Build and fetch prerequisites for the Python toolchain
yum install -y wget gcc epel-release git

2.2 安装 Python3.6

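yum -y install python36 python36-devel
yum -y install python-pip
# The original then ran `pip install --upgrade pip`, which overwrites the
# RPM-managed Python 2 pip in place (the files no longer match what rpm
# recorded) and does nothing for the Python 3.6 virtualenv created next.
# Upgrade pip inside the venv instead, after `source /opt/py3/bin/activate`.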

2.3 建立 Python 虚拟环境

因为 CentOS 6/7 自带的是 Python2,而 Yum 等工具依赖原来的 Python,为了不扰乱原来的环境我们来使用 Python 虚拟环境

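cd /opt
python3.6 -m venv py3
# Everything from here on (and every later application run) must happen
# inside the venv, i.e. after this `source`.
source /opt/py3/bin/activate
# Upgrade the venv's own pip here, where it is safe: the system Python 2
# pip belongs to rpm and should not be pip-upgraded.
pip install --upgrade pip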

看到下面的提示符代表成功,以后运行 Jumpserver 都要先运行以上 source 命令,以下所有命令均在该虚拟环境中运行(py3) [root@localhost py3]

2.4 自动载入 Python 虚拟环境配置

此项仅为懒癌晚期的人员使用,防止运行 Jumpserver 时忘记载入 Python 虚拟环境导致程序无法运行。使用autoenv

# Optional convenience: autoenv sources a `.env` from any directory the
# shell enters. As root that means a writable `.env` in any directory you
# cd into can run code in your shell — autoenv is supposed to ask before the
# first sourcing of a given file; confirm that against the version cloned.
# The clone is fetched unsigned over HTTPS and sourced from root's .bashrc.
cd /opt
git clone https://github.com/kennethreitz/autoenv.git
printf '%s\n' 'source /opt/autoenv/activate.sh' >> ~/.bashrc
source ~/.bashrc
printf '%s\n' 'source /opt/py3/bin/activate' >> /opt/.env


三、安装 MySQL

3.1、Mysql 安装和配置

# MariaDB server plus client and headers; enabled at boot and started now
yum install -y mariadb mariadb-devel mariadb-server
systemctl enable mariadb
systemctl start mariadb

安装完成后,执行如下命令来进行 mariadb 的初始化,并根据提示设置 root 的密码(默认密码为空)

# Interactive: set the root password (empty after install), drop the
# anonymous users and test database, and disallow remote root login.
mysql_secure_installation

3.2、创建数据库 nextcloud 并授权

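# Log in as root — you will be prompted for the password just set by
# mysql_secure_installation — and create the application databases. The
# original ran the zabbix statements with `mysql -uroot` and no -p, which
# fails once root has a password.
# The password values are the article's placeholders: replace them, and
# keep real passwords off the command line (they land in shell history and
# are visible in `ps`), which is why -p is given without a value below.
mysql -u root -p <<'SQL'
CREATE DATABASE nextcloud CHARACTER SET utf8 COLLATE utf8_general_ci;
CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 'nextcloud@123$';
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@'localhost';
CREATE DATABASE zabbix CHARACTER SET utf8;
GRANT ALL PRIVILEGES ON zabbix.* TO 'zabbix'@'localhost' IDENTIFIED BY 'zabbix';
FLUSH PRIVILEGES;
SQL

# Verify the nextcloud account can log in and sees its database
mysql -h localhost -u nextcloud -p -e 'SHOW DATABASES;'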

四、安装PHP7

1.若之前安装过其他版本PHP,先删除

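# Remove any previously installed PHP. The glob is quoted so the shell
# cannot expand `php*` against files in the current directory and hand yum
# a list of filenames instead of the pattern.
yum remove -y 'php*'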

2.rpm安装PHP7相应的yum源

CentOS/RHEL 7.x:

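# Repeats the repository setup from section 1 (harmless if already done).
# EPEL comes from CentOS's signed "extras" repo rather than an unverified
# `rpm -Uvh <URL>`, which installs the package before its key is trusted.
yum install -y epel-release
# Webtatic is a third-party repo supplying the php71w packages; its release
# RPM carries the repo GPG key. Keep it only if you accept that vendor.
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm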

3.yum安装PHP7

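# Install every package whose name contains php71w (includes mod_php71w);
# --skip-broken drops the mutually exclusive ones instead of aborting.
# --nogpgcheck was REMOVED: webtatic-release installs the repo's GPG key, so
# signatures can be verified — disabling the check lets a tampered mirror
# install arbitrary packages as root. Word-splitting of $(...) is intended.
# shellcheck disable=SC2046
yum -y --skip-broken install $(yum -q list 2>/dev/null | awk '/php71w/ { print $1 }')
yum -y install php-pecl-zip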

4.修改 PHP 参数

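# Apply the php.ini overrides used by this guide.
# Arguments: $1 - path to the ini file (defaults to /etc/php.ini); taking
#   the path lets the edit be tried on a copy first.
# Every pattern is anchored to the start of its line. The original built
# the pattern from "s#`grep key file`#…#", which edits the wrong line when
# the key also appears in a comment and fails outright ("unterminated s
# command") as soon as grep matches more than one line.
tune_php_ini() {
  local ini=${1:-/etc/php.ini}
  sed -i \
    -e 's/^;date.timezone =.*/date.timezone = Asia\/Shanghai/' \
    -e 's/^max_execution_time = .*/max_execution_time = 300/' \
    -e 's/^post_max_size = .*/post_max_size = 512M/' \
    -e 's/^max_input_time = .*/max_input_time = 300/' \
    -e 's/^memory_limit = .*/memory_limit = 128M/' \
    -- "$ini"
}
tune_php_ini /etc/php.ini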

5. 安装完毕,测试是否安装成功

# Confirm the interpreter installed and which build it is
php --version

6.要运行PHP网页,要启动php-fpm解释器

# php-fpm serves PHP for nginx. It should only be bound to 127.0.0.1:9000
# (compare the sample output below) — never expose it on a public address.
systemctl enable php-fpm
systemctl start php-fpm
netstat -antp | grep php
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      300/php-fpm: pool w

# Listening sockets owned by php-fpm (tcp and udp, numeric, with PIDs)
netstat -tulnp | grep php-fpm

五、SSH免密登录

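# Key pair for password-less logins. An explicit 4096-bit size replaces the
# bare `ssh-keygen -t rsa`, which took whatever default the tool chose.
# Set a passphrase when prompted: this key grants root on every host it is
# copied to, and it lives unencrypted in /root/.ssh otherwise.
ssh-keygen -t rsa -b 4096
# Installs the public key into root's authorized_keys on the target (one
# password prompt). This is direct root login over SSH — consider an
# unprivileged user plus sudo and `PermitRootLogin prohibit-password`.
ssh-copy-id -i ~/.ssh/id_rsa.pub root@IP_ADDR
ssh root@IP_ADDR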

六、安装Nginx

执行如下命令来安装 nginx

# nginx from EPEL, enabled at boot and started. The stock config serves a
# default page on :80 until a site is configured.
yum install -y nginx

systemctl enable nginx
systemctl start nginx

七、配置SNMP

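yum -y install net-snmp net-snmp-libs net-snmp-devel net-snmp-utils

# Read-only SNMPv3 user. HMAC-SHA replaces the article's MD5 (MD5-based
# authentication is legacy; SHA is the recommended choice). "test@@2018" and
# "zxyy" are placeholders — replace them. A passphrase on the command line is
# visible in `ps` and kept in shell history. This is authNoPriv: requests are
# authenticated but not encrypted; add `-x AES -X <privpass>` for authPriv.
# The user is created before snmpd starts, which is what this helper expects.
net-snmp-config --create-snmpv3-user -ro -a test@@2018 -A SHA zxyy
systemctl start snmpd
systemctl enable snmpd
systemctl status snmpd

# Local tests. The first uses the "public" community that the stock
# snmpd.conf ships with (if still present) — remove or restrict it once v3
# works, or anyone able to reach udp/161 can read the system subtree.
snmpwalk -v 2c -c public localhost sysName.0
snmpwalk -v3 -u zxyy -l auth -a SHA -A test@@2018 127.0.0.1 sysName.0

# Remote test — run from another host against this server's address (the
# article reused 127.0.0.1 here, which only exercises loopback again). If
# firewalld is active, udp/161 must be opened for the monitoring host first.
snmpwalk -v3 -u zxyy -l auth -a SHA -A test@@2018 IP_ADDR sysName.0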