mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-02-25 00:50:15 +08:00
[Translated] tech/30 Things to Do After Minimal RHEL or CentOS 7 Installation--4
This commit is contained in:
ictlyh
parent
09b7c75c51
commit
263617b18d
@ -1,177 +0,0 @@
|
||||
Translating by ictlyh
|
||||
30 Things to Do After Minimal RHEL/CentOS 7 Installation--4
|
||||
================================================================================
|
||||
### 17. Installing Webmin ###
|
||||
|
||||
Webmin is a Web based configuration tool for Linux. It acts as a central system to configure various system configuration like users, disk quota, services and configurations of HTTP server, Apache, MySQL, etc.
|
||||
|
||||
# wget http://prdownloads.sourceforge.net/webadmin/webmin-1.740-1.noarch.rpm
|
||||
# rpm -ivh webmin-*.rpm
|
||||
|
||||
|
||||
Install Webmin
|
||||
|
||||
After webmin installation, you will get a message on terminal to login to your host (http://ip-address:10000) using your root password on port number 10000. If running a headless server you can forward the port and access it on a machine/server that is headed.
|
||||
|
||||
### 18. Enable Third Party Repositories ###
|
||||
|
||||
It is not a good idea to add untrusted repositories specially in production and it may be fatal. However just for example here we will be adding a few community approved trusted repositories to install third party tools and packages.
|
||||
|
||||
Add Extra Package for Enterprise Linux (EPEL) Repository.
|
||||
|
||||
# yum install epel-release
|
||||
|
||||
Add Community Enterprise Linux Repository.
|
||||
|
||||
# rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
|
||||
|
||||
|
||||
Install Epel Repo
|
||||
|
||||
**Attention**! Extra care is needs to be taken while adding Third Party Repository.
|
||||
|
||||
### 19. Install 7-zip Utility ###
|
||||
|
||||
In the CentOS Minimal Install you don’t get utility like unzip or unrar. We have the option to install each utility as required or an utility that servers for all. 7-zip is such an utility which compress and extract files of all known types.
|
||||
|
||||
# yum install p7zip
|
||||
|
||||
|
||||
Install 7zip Tool
|
||||
|
||||
**Notice**: The package is downloaded and installed from Fedora EPEL 7 Repository.
|
||||
|
||||
### 20. Install NTFS-3G Driver ###
|
||||
|
||||
A small yet very useful NTFS driver called NTFS-3G is available for most of the UNIX-like distribution. It is useful to mount and access Windows NTFS file system. Though other alternatives like Tuxera NTFS is available, NTFS-3G is most widely used.
|
||||
|
||||
# yum install ntfs-3g
|
||||
|
||||
|
||||
Install NTFS-3G to Mount Windows Partition
|
||||
|
||||
After installing ntfs-3g has been installed, you can mount Windows NTFS partitions (where /dev/sda5 is my windows drive) using following command.
|
||||
|
||||
# mount -ro ntfs-3g /dev/sda5 /mnt
|
||||
# cd /mnt
|
||||
# ls -l
|
||||
|
||||
### 21. Install Vsftpd FTP Server ###
|
||||
|
||||
VSFTPD which stands for Very Secure File Transfer Protocol Daemon is a FTP server for UNIX-like System. It is one of the most efficient and secure FTP Server available today.
|
||||
|
||||
# yum install vsftpd
|
||||
|
||||
|
||||
Install Vsftpd FTP
|
||||
|
||||
Edit the configuration file located at ‘/etc/vsftpd/vsftpd.conf‘ to secure vsftpd.
|
||||
|
||||
# vi /etc/vsftpd/vsftpd.conf
|
||||
|
||||
Edit a few fields and leave other as it is, unless you know what you are doing.
|
||||
|
||||
anonymous_enable=NO
|
||||
local_enable=YES
|
||||
write_enable=YES
|
||||
chroot_local_user=YES
|
||||
|
||||
You may also change the port number and open vsftpd port through the firewall.
|
||||
|
||||
# firewall-cmd --add-port=21/tcp
|
||||
# firewall-cmd --reload
|
||||
|
||||
Next restart vsftpd and enable to start at boot time.
|
||||
|
||||
# systemctl restart vsftpd
|
||||
# systemctl enable vsftpd
|
||||
|
||||
### 22. Install and Configure sudo ###
|
||||
|
||||
sudo which is commonly called as super do as well as suitable user do is a program for UNIX-like operating system to execute a program with the security privileged of another user. Let’s see how to configure sudo…
|
||||
|
||||
# visudo
|
||||
|
||||
It will open the file /etc/sudoers for editing..
|
||||
|
||||
|
||||
sudoers File
|
||||
|
||||
Give all the permission (equal to root) to a user (say tecmint), that has already been created.
|
||||
|
||||
tecmint ALL=(ALL) ALL
|
||||
|
||||
Give all the permission (equal to root) to a user (say tecmint), except the permission to reboot and shutdown the server.
|
||||
|
||||
Again open the same file and edit it with the below contents.
|
||||
|
||||
cmnd_Alias nopermit = /sbin/shutdown, /sbin/reboot
|
||||
|
||||
Then add alias with Logical (!) operator.
|
||||
|
||||
tecmint ALL=(ALL) ALL,!nopermit
|
||||
|
||||
Give permission to a group (say debian) to run a few root privilege command say (add user and delete user) .
|
||||
|
||||
cmnd_Alias permit = /usr/sbin/useradd, /usr/sbin/userdel
|
||||
|
||||
And then add the permission to group debian.
|
||||
|
||||
debian ALL=(ALL) permit
|
||||
|
||||
### 23. Install and Enable SELinux ###
|
||||
|
||||
SELinux which stands for Security-Enhanced Linux is a security module at kernel level.
|
||||
|
||||
# yum install selinux-policy
|
||||
|
||||
|
||||
Install SElinux Policy
|
||||
|
||||
Check SELinux Mode.
|
||||
|
||||
# getenforce
|
||||
|
||||
|
||||
Check SELinux Mode
|
||||
|
||||
The output is enforcing mode which means SELinux policy is in effect.
|
||||
|
||||
For debugging, set selinux mode to permissive temporarily. No need to reboot.
|
||||
|
||||
# setenforce 0
|
||||
|
||||
After debugging set selinux to enforcing again without rebooting.
|
||||
|
||||
# setenforce 1
|
||||
|
||||
### 24. Install Rootkit Hunter ###
|
||||
|
||||
Rootkit Hunter abbreviated as Rkhunter is an application that scan rootkits and other potentially harmful exploits in Linux systems.
|
||||
|
||||
# yum install rkhunter
|
||||
|
||||
|
||||
Install Rootkit Hunter
|
||||
|
||||
Run rkhunter as a scheduled job, from a script file or manually to scan harmful exploits in Linux.
|
||||
|
||||
# rkhunter --check
|
||||
|
||||
|
||||
Scan for rootkits
|
||||
|
||||
|
||||
RootKit Scan Results
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://www.tecmint.com/things-to-do-after-minimal-rhel-centos-7-installation/4/
|
||||
|
||||
作者:[Avishek Kumar][a]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:http://www.tecmint.com/author/avishek/
|
||||
@ -0,0 +1,176 @@
|
||||
安装完最小化 RHEL/CentOS 7 后需要做的 30 件事情--4
|
||||
================================================================================
|
||||
### 17. 安装 Webmin ###
|
||||
|
||||
Webmin 是基于 Web 的 Linux 配置工具。它像一个中央系统用于配置各种系统设置,比如用户、磁盘分配、服务以及 HTTP 服务器、Apache、MySQL 等的配置。
|
||||
|
||||
# wget http://prdownloads.sourceforge.net/webadmin/webmin-1.740-1.noarch.rpm
|
||||
# rpm -ivh webmin-*.rpm
|
||||
|
||||
|
||||
安装 Webmin
|
||||
|
||||
安装完 webmin 后,你会在终端上得到一个用你的 root 密码在 端口 10000 登录你的主机(http://ip-address:10000)的信息。 如果运行的是无头服务器(译注:无头服务器是指没有专门用于向其它计算机和它们的用户提供服务的本地接口的计算设备)你可以转发端口然后从有头机器/服务器上访问它。
|
||||
|
||||
### 18. 启用第三方库 ###
|
||||
|
||||
添加不受信任的库并不是一个好主意,尤其是在生产环境中,这可能导致致命的问题。但仅作为例子在这里我们会添加一些社区证实可信任的库用于安装第三方工具和软件包。
|
||||
|
||||
为企业版 Linux(EPEL)库添加额外的软件包。
|
||||
|
||||
# yum install epel-release
|
||||
|
||||
添加社区企业版 Linux 库
|
||||
|
||||
# rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
|
||||
|
||||
|
||||
安装 Epel 库
|
||||
|
||||
**注意**! 添加第三方库的时候尤其需要注意。
|
||||
|
||||
### 19. 安装 7-zip 工具 ###
|
||||
|
||||
在最小化安装 CentOS 时你并没有获得类似 unzip 或者 untar 的工具。我们可以选择基于需要安装每个工具或者一个能处理所有格式的工具。7-zip 就是一个能压缩和解压所有已知类型文件的工具。
|
||||
|
||||
# yum install p7zip
|
||||
|
||||
|
||||
安装 7zip 工具
|
||||
|
||||
**注意**: 该软件包从 Fedora EPEL 7 的库中下载和安装。
|
||||
|
||||
### 20. 安装 NTFS-3G 驱动 ###
|
||||
|
||||
NTFS-3G,一个很小但非常有用的 NTFS 驱动在大部分类 UNIX 发行版上都可用。它对于挂载和访问 Windows NTFS 文件系统很有用。尽管也有其它可用的替代品,比如 Tuxera,但 NTFS-3G 是使用最广泛的。
|
||||
|
||||
# yum install ntfs-3g
|
||||
|
||||
|
||||
安装 NTFS-3G 用于挂载 Windows 分区
|
||||
|
||||
ntfs-3g 安装完成之后,你可以使用以下命令挂载 Windows NTFS 分区(我的 Windows 分区是 /dev/sda5)。
|
||||
|
||||
# mount -ro ntfs-3g /dev/sda5 /mnt
|
||||
# cd /mnt
|
||||
# ls -l
|
||||
|
||||
### 21. 安装 Vsftpd FTP 服务器 ###
|
||||
|
||||
VSFTPD 表示 Very Secure File Transfer Protocol Daemon,是用于类 UNIX 系统的 FTP 服务器。它是现今最高效和安全的 FTP 服务器之一。
|
||||
|
||||
# yum install vsftpd
|
||||
|
||||
|
||||
安装 Vsftpd FTP
|
||||
|
||||
编辑配置文件 ‘/etc/vsftpd/vsftpd.conf’ 用于保护 vsftpd。
|
||||
|
||||
# vi /etc/vsftpd/vsftpd.conf
|
||||
|
||||
编辑一些值并使其它保留原样,除非你知道自己在做什么。
|
||||
|
||||
anonymous_enable=NO
|
||||
local_enable=YES
|
||||
write_enable=YES
|
||||
chroot_local_user=YES
|
||||
|
||||
你也可以更改端口号并使 vsftpd 端口通过防火墙。
|
||||
|
||||
# firewall-cmd --add-port=21/tcp
|
||||
# firewall-cmd --reload
|
||||
|
||||
下一步重启 vsftpd 并启用随机启动。
|
||||
|
||||
# systemctl restart vsftpd
|
||||
# systemctl enable vsftpd
|
||||
|
||||
### 22. 安装和配置 sudo ###
|
||||
|
||||
sudo 通常被称为 super do 或者 suitable user do,是一个类 UNIX 操作系统中用其它用户的安全权限执行程序的软件。让我们来看看怎样配置 sudo。
|
||||
|
||||
# visudo
|
||||
|
||||
打开要编辑的文件 /etc/sudoers
|
||||
|
||||
|
||||
sudoers 文件
|
||||
|
||||
给一个已经创建的用户(比如 tecmint)赋予所有权限(等同于 root)。
|
||||
|
||||
tecmint ALL=(ALL) ALL
|
||||
|
||||
给一个已经创建的用户(比如 tecmint)赋予除重启和关闭服务器以外的所有权限(等同于 root)。
|
||||
|
||||
再一次打开文件并用下面的内容编辑文件。
|
||||
|
||||
cmnd_Alias nopermit = /sbin/shutdown, /sbin/reboot
|
||||
|
||||
用 逻辑操作符(!) 添加别名。
|
||||
|
||||
tecmint ALL=(ALL) ALL,!nopermit
|
||||
|
||||
准许一个组(比如 debian) 运行一些 root 权限命令,比如(增加或删除用户)。
|
||||
|
||||
cmnd_Alias permit = /usr/sbin/useradd, /usr/sbin/userdel
|
||||
|
||||
给组 debian 增加权限。
|
||||
|
||||
debian ALL=(ALL) permit
|
||||
|
||||
### 23. 安装并启用 SELinux ###
|
||||
|
||||
SELinux 表示 Security-Enhanced Linux,是内核级别的安全模块。
|
||||
|
||||
# yum install selinux-policy
|
||||
|
||||
|
||||
安装 SElinux 策略
|
||||
|
||||
查看 SELinux 模式。
|
||||
|
||||
# getenforce
|
||||
|
||||
|
||||
查看 SELinux 模式
|
||||
|
||||
输出是 Enforcing,意味着 SELinux 策略已经生效。
|
||||
|
||||
为了调试,可以临时设置 selinux 模式为允许。不需要重启。
|
||||
|
||||
# setenforce 0
|
||||
|
||||
调试完了之后再次设置 selinux 为强制模式,无需重启。
|
||||
|
||||
# setenforce 1
|
||||
|
||||
### 24. 安装 Rootkit Hunter ###
|
||||
|
||||
Rootkit Hunter,简写为 RKhunter,是在 Linux 系统中扫描 rootkits 和其它可能有害攻击的程序。
|
||||
|
||||
# yum install rkhunter
|
||||
|
||||
|
||||
安装 Rootkit Hunter
|
||||
|
||||
在 Linux 中,从脚本文件以计划作业的形式运行 rkhunter 或者手动扫描有害攻击。
|
||||
|
||||
# rkhunter --check
|
||||
|
||||
|
||||
扫描 rootkits
|
||||
|
||||
|
||||
RootKit 扫描结果
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://www.tecmint.com/things-to-do-after-minimal-rhel-centos-7-installation/4/
|
||||
|
||||
作者:[Avishek Kumar][a]
|
||||
译者:[ictlyh](https://github.com/ictlyh)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:http://www.tecmint.com/author/avishek/
|
||||
Loading…
Reference in New Issue
Block a user