Foreword
The default settings of a freshly installed CentOS system, and how well it is tuned to the hardware, may not match our actual situation. The environment setup of a new CentOS system described here follows these principles:
1. Restrict access as far as it can possibly be restricted;
2. To save memory and CPU (and for security) switch off every service that is not needed;
3. To limit the damage a slip can do, perform day-to-day administration by logging in as a user in the wheel group;
4. To make the system lighter and faster, unload the kernel modules that are not needed;
…………
CentOS 4.4 post-install environment settings
After the installation finishes and the system reboots, the console shows the following:
CentOS release 4.4 (Final)
Kernel 2.6.9-42.EL on an i686   ← the kernel line ends with the machine architecture; i686 is assumed here, yours may differ
sample login:   ← "sample" is the hostname chosen in the network settings during installation; the hostname you set appears here instead
[1] Logging in and out
sample login: root   ← log in as root: type the user name root
Password:            ← type the root password set during installation; it is not echoed
[root@sample ~]#     ← root is logged in and the prompt is "#" (an ordinary user gets a "$" prompt)
[root@sample ~]# exit   ← log out
sample login:        ← logged out
[2] Creating and deleting an ordinary user
[root@sample ~]# useradd centospub   ← create an ordinary user named centospub
[root@sample ~]# passwd centospub    ← set a password for centospub
Changing password for user centospub.
New UNIX password:                   ← type the password (not echoed)
Retype UNIX password:                ← type it again; both entries must match
passwd: all authentication tokens updated successfully.   ← the password is set
[root@sample ~]# userdel -r centospub   ← delete the ordinary user centospub (-r also removes the home directory and mail spool)
[3] Becoming root from an ordinary user
root has unrestricted rights over the whole system. To avoid accidental damage, log in as an ordinary user as a rule and switch to root with "su -" only when root privileges are actually needed.
[centospub@sample ~]$        ← the "$" prompt shows that the ordinary user centospub is logged in
[centospub@sample ~]$ su -   ← switch to root (the "-" gives a full root login environment rather than keeping centospub's)
Password:                    ← type the root password (not echoed) and press Enter
[root@sample ~]#             ← now root; the prompt has changed to "#"
[root@sample ~]# exit        ← back to the ordinary user
[centospub@sample ~]$        ← the prompt is "$" again: back in centospub's session
[4] Putting an ordinary user into the administrators' group
Normally any ordinary user who runs "su -" and types the correct root password becomes root and can change administrator-level configuration. To tighten this, create an administrators' group and allow only its members to become root with "su -"; a user outside that group is refused even after typing the correct root password. On UNIX this group is conventionally called "wheel".
[root@sample ~]# usermod -G wheel centospub   ← add centospub to the wheel group (-G replaces the user's whole supplementary-group list; to add one group without touching the others use gpasswd -a centospub wheel)
[root@sample ~]# vi /etc/pam.d/su             ← open the configuration file
#auth required /lib/security/$ISA/pam_wheel.so use_uid   ← find this line and remove the leading "#"
 ↓
auth required /lib/security/$ISA/pam_wheel.so use_uid    ← it should now read like this (around line 6)
[root@sample ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs   ← append this line to the end of the file
After this, create another new user and test with it: a user who is not in wheel cannot become root with "su -" even with the correct root password. Two things to keep in mind. The pam_wheel line is what enforces the restriction: the su on CentOS 4 is the coreutils su built against PAM, and SU_WHEEL_ONLY in login.defs is a shadow-utils directive that it does not read, so that line does no harm but also nothing on its own. And leave the neighbouring commented "pam_wheel.so trust use_uid" line alone: enabling it lets wheel members become root without a password, the opposite of what we want.
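The test above needs a second account and a login. The script below, an added example that is not part of the original page, checks the same three things from files instead: that the pam_wheel "required" line is active, that SU_WHEEL_ONLY is set, and that the user is actually a member of wheel. It runs here on constructed copies of the files; the paths, the audit_su name and the sample contents are assumptions, not something the page supplies.

```shell
#!/bin/sh
# Added example, not from the original page: check the three things section [4]
# relies on without logging in as anyone. Each function takes a file path, so it
# runs here on constructed copies; on a real host call
#   audit_su /etc/pam.d/su /etc/login.defs /etc/group centospub

# 0 if the pam_wheel "required" line in a pam.d/su file is active (not commented
# out). The neighbouring "sufficient ... trust" line is deliberately not matched:
# enabling it would let wheel members become root without a password.
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so' "$1"
}

# 0 if login.defs sets SU_WHEEL_ONLY to yes (the last occurrence wins).
su_wheel_only() {
    awk '$1 == "SU_WHEEL_ONLY" { v = $2 } END { exit (v == "yes") ? 0 : 1 }' "$1"
}

# 0 if user $2 is listed among the members of wheel in group file $1.
in_wheel() {
    awk -F: -v u="$2" '
        $1 == "wheel" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Report all three checks; returns 0 only when the wheel restriction is really
# in force and the given user passes it.
audit_su() {
    pam="$1"; defs="$2"; grp="$3"; user="$4"; rc=0
    if pam_wheel_enforced "$pam"; then echo "pam_wheel required: yes"; else echo "pam_wheel required: NO"; rc=1; fi
    if su_wheel_only "$defs"; then echo "SU_WHEEL_ONLY yes: yes"; else echo "SU_WHEEL_ONLY yes: NO"; rc=1; fi
    if in_wheel "$grp" "$user"; then echo "$user in wheel: yes"; else echo "$user in wheel: NO"; rc=1; fi
    return $rc
}

# Constructed sample files modelled on CentOS 4.4 after the edits in section [4].
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        '#%PAM-1.0' \
        'auth       sufficient   /lib/security/$ISA/pam_rootok.so' \
        '#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid' \
        'auth       required     /lib/security/$ISA/pam_wheel.so use_uid' \
        'auth       required     /lib/security/$ISA/pam_stack.so service=system-auth' > "$d/su"
    printf 'SU_WHEEL_ONLY yes\n' > "$d/login.defs"
    printf 'root:x:0:root\nwheel:x:10:root,centospub\nusers:x:100:\n' > "$d/group"
    audit_su "$d/su" "$d/login.defs" "$d/group" centospub    # all three answer yes
    audit_su "$d/su" "$d/login.defs" "$d/group" alice || echo "alice would be refused by su -"
    rm -rf "$d"
}

demo
```

The pattern in pam_wheel_enforced insists on the word "required" so that a half-done edit (the "trust" line uncommented by mistake, or the required line still commented) is reported as not enforced.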
[5] Setting up a PPPoE connection (users who do not connect over xDSL can skip this step)
[root@sample ~]# adsl-setup   ← configure the ADSL connection
Welcome to the ADSL client setup.  First, I will run some checks on
your system to make sure the PPPoE client is installed properly...

LOGIN NAME

Enter your Login Name (default root):   ← enter the user name of the ADSL account

INTERFACE

Enter the Ethernet interface connected to the ADSL modem
For Solaris, this is likely to be something like /dev/hme0.
For Linux, it will be ethX, where 'X' is a number.
(default eth0):   ← the network interface the modem is attached to; with a single NIC accept the default eth0

Do you want the link to come up on demand, or stay up continuously?
[...]
(default no):   ← press Enter to accept the default (the link stays up)

DNS

Please enter the IP address of your ISP's primary DNS server.
If your ISP claims that 'the server will provide dynamic DNS addresses',
enter 'server' (all lower-case) here.
If you just press enter, I will assume you know what you are
doing and not modify your DNS setup.
Enter the DNS information here:   ← enter the DNS information if you know it; otherwise press Enter to skip

PASSWORD

Please enter your Password:      ← type the ADSL account password
Please re-enter your Password:   ← type it again to confirm

USERCTRL

Please enter 'yes' (two letters, lower-case.) if you want to allow
normal user to start or stop DSL connection (default yes): no   ← enter no so that ordinary users cannot control the PPPoE link

FIREWALLING

Please choose the firewall rules to use.  Note that these rules are
very basic.  You are strongly encouraged to use a more sophisticated
firewall setup; however, these will provide basic security.  If you
are running any servers on your machine, you must choose 'NONE'
or you will not be able to access them.

The firewall choices are:
0 - NONE: This script will not set any firewall rules.  You are responsible
          for ensuring the security of your machine.  You are STRONGLY
          recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
                for a LAN
Choose a type of firewall (0-2): 0   ← enter 0: the script's rules are not used here. Until a firewall is configured separately the host is reachable directly over the PPPoE link, so keep every service you do not need stopped (see [9]) in the meantime

Start this connection at boot time

Do you want to start this connection at boot time?
Please enter no or yes (default no): yes   ← enter yes so the ADSL link comes up automatically at boot

** Summary of what you entered **

Ethernet Interface: eth0
User name: (the login name you entered)
Activate-on-demand: No
DNS: Do not adjust
Firewalling: NONE
User Control: no

Accept these settings and adjust configuration files (y/n)? y   ← check the summary and type y to apply the settings
Adjusting /etc/sysconfig/network-scripts/ifcfg-ppp0
Adjusting /etc/ppp/chap-secrets and /etc/ppp/pap-secrets
  (But first backing it up to /etc/ppp/chap-secrets.bak)
  (But first backing it up to /etc/ppp/pap-secrets.bak)

Congratulations, it should be all set up!

Type '/sbin/ifup ppp0' to bring up your xDSL link and '/sbin/ifdown ppp0'
to bring it down.
Type '/sbin/adsl-status /etc/sysconfig/network-scripts/ifcfg-ppp0'
to see the link status.
The account password is written in clear text to /etc/ppp/pap-secrets and /etc/ppp/chap-secrets (and to the .bak copies), so those files must stay readable by root only.
Now bring up the ADSL link:
[root@sample ~]# adsl-start   ← start the ADSL connection
[root@sample ~]#              ← after a moment the prompt returns; no message means the link came up
ifconfig now shows every network interface with its details (IP address and so on), including ppp0 for the new link.
[6] Forwarding root's mail
When the system has a problem or an important notice to report it mails root. Have that mail forwarded to the mailbox we normally read, so that reports and logs are easy to check.
[root@sample ~]# vi /etc/aliases   ← edit aliases and add the following line at the end of the file
root: <your e-mail address>        ← put your own mailbox here (an ordinary local user, e.g. root: centospub, also works if you only want the mail delivered locally)
[root@sample ~]# newaliases        ← rebuild the aliases database
/etc/aliases: 79 aliases, longest 19 bytes, 825 bytes total
[root@sample ~]# echo test | mail root   ← send a test mail to root
If it works, the test mail arrives in the mailbox you entered.
[7] Updating the database used by locate, and making the update automatic
locate is a fast file-search tool on Linux. Like a desktop search engine it answers quickly because it looks up a database built in advance instead of scanning the disk each time. On CentOS 4 locate is slocate: the database is readable only by the slocate group and the setgid locate binary filters results by the caller's permissions, so enabling the daily update does not expose other users' file names.
[root@sample ~]# vi /etc/updatedb.conf   ← edit the locate database update configuration
DAILY_UPDATE=no    ← find this line and change "no" to "yes"
 ↓
DAILY_UPDATE=yes   ← with it in this state, save and quit
[root@sample ~]# updatedb   ← build the locate database now; wait a moment, the prompt returns when it is done
[8] Defining an unofficial yum repository
Some of the tools we need while building the system are not in the official CentOS yum repositories, so define an unofficial repository so that those tools can also be installed with yum.
[root@sample ~]# vi /etc/yum.repos.d/dag.repo   ← create dag.repo, defining the unofficial repository
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1
[root@sample ~]# rpm --import http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt   ← import the repository's GPG key
Keep gpgcheck=1: with it yum refuses any package not signed by an imported key, which is the only check between a third-party mirror and root on this host. The key itself arrives over plain http, so confirm after the import that the key you hold is the one you expect (rpm -q gpg-pubkey --qf '%{summary}\n' lists the imported keys). With enabled=1 every yum update also takes packages from this repository whenever its version is newer than CentOS's; if you only want it on request, set enabled=0 and install with yum --enablerepo=dag install <package>.
[9] Stopping the print service
If the machine will not offer printing, stop the print service, which is set to start automatically by default.
[root@sample ~]# /etc/rc.d/init.d/cups stop   ← stop the print service
Stopping cups:                                [  OK  ]   ← "OK" means it stopped
[root@sample ~]# chkconfig cups off           ← keep it from starting at boot
[root@sample ~]# chkconfig --list cups        ← confirm its autostart setting
cups   0:off 1:off 2:off 3:off 4:off 5:off 6:off   ← off in runlevels 0-6 is what we want (autostart disabled)
Both commands are needed: chkconfig off only changes what happens at the next boot, and the stop only affects the running system. chkconfig --list without a service name shows everything else that starts by default, and the same two commands apply to any other service this machine will not provide.
[10] Disabling IPv6
CentOS enables IPv6 by default. We do not use IPv6, so disable it for security and speed.
First confirm that IPv6 is indeed active:
[root@sample ~]# ifconfig -a   ← list all network interfaces
eth0      Link encap:Ethernet  HWaddr 00:0C:29:B6:16:A3
          inet addr:192.168.0.13  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feb6:16a3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:84 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10288 (10.0 KiB)  TX bytes:9337 (9.1 KiB)
          Interrupt:185 Base address:0x1400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:952 (952.0 b)  TX bytes:952 (952.0 b)

sit0      Link encap:IPv6-in-IPv4   ← the sit0 tunnel interface and the "inet6 addr:" lines show that IPv6 is active
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Then edit the module configuration to disable IPv6:
[root@sample ~]# vi /etc/modprobe.conf   ← add the following two lines at the end of the file:
alias net-pf-10 off
alias ipv6 off
[root@sample ~]# shutdown -r now   ← reboot so the change takes effect
Finally, confirm that IPv6 is off:
[root@sample ~]# ifconfig -a   ← list all network interfaces
eth0      Link encap:Ethernet  HWaddr 00:0C:29:B6:16:A3
          inet addr:192.168.0.13  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:84 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10288 (10.0 KiB)  TX bytes:9337 (9.1 KiB)
          Interrupt:185 Base address:0x1400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:952 (952.0 b)  TX bytes:952 (952.0 b)
(No sit0 interface and no "inet6 addr:" line appears, not even ::1 on lo, which shows the ipv6 module is no longer loaded; lsmod | grep ipv6 should print nothing either.)
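Sections [9] and [10] both boil down to "confirm that what we switched off is really off". The script below is an added example, not part of the original page: it performs those confirmations from captured command output so they can be repeated after every change, and it generalises [9] to every SysV service that still starts in runlevel 3 or 5. The file names, the allowlist and the sample contents are constructed for this example; on a real CentOS 4 host feed it the output of chkconfig --list and ifconfig -a together with /etc/modprobe.conf.

```shell
#!/bin/sh
# Added example, not from the original page: an offline audit of the
# "switch off what you do not use" steps in sections [9] and [10].
# Every function takes a file, so here it runs on constructed samples;
# on a real CentOS 4 host feed it `chkconfig --list > /tmp/chk`,
# /etc/modprobe.conf and `ifconfig -a > /tmp/ifc`.

# Print the SysV services that still start in runlevel 3 or 5 and are not
# in the space-separated allowlist $2.  $1 holds `chkconfig --list` output;
# the "xinetd based services:" block at its end has a different shape
# (two fields) and is skipped by the NF == 8 test.
services_still_on() {
    awk -v allow=" $2 " '
        NF == 8 && $2 ~ /^0:/ {
            on = 0
            for (i = 2; i <= 8; i++) {
                split($i, kv, ":")
                if ((kv[1] == "3" || kv[1] == "5") && kv[2] == "on") on = 1
            }
            if (on && index(allow, " " $1 " ") == 0) print $1
        }' "$1"
}

# Return 0 when modprobe.conf $1 carries both lines section [10] adds, so the
# ipv6 module is never loaded after the next reboot.
ipv6_module_disabled() {
    grep -Eq '^[[:space:]]*alias[[:space:]]+net-pf-10[[:space:]]+off([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*alias[[:space:]]+ipv6[[:space:]]+off([[:space:]]|$)' "$1"
}

# Print, one per line, the interfaces in `ifconfig -a` output $1 that still
# carry an inet6 address. Interface headers start in column 0; their detail
# lines are indented, so the last header seen names the current interface.
ipv6_interfaces() {
    awk '/^[^[:space:]]/ { iface = $1 } /inet6 addr:/ { print iface }' "$1" | sort -u
}

# Constructed samples modelled on the listings in sections [9] and [10]
# (before the reboot, so IPv6 addresses are still present).
demo() {
    d=$(mktemp -d)
    cat > "$d/chk" <<'EOF'
cups            0:off   1:off   2:off   3:off   4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        chargen:        off
EOF
    printf 'alias eth0 pcnet32\nalias net-pf-10 off\nalias ipv6 off\n' > "$d/modprobe.conf"
    cat > "$d/ifc" <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:0C:29:B6:16:A3
          inet addr:192.168.0.13  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feb6:16a3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
EOF
    echo "services on in runlevel 3/5 outside the allowlist:"
    services_still_on "$d/chk" "sshd syslog"           # sendmail
    if ipv6_module_disabled "$d/modprobe.conf"; then
        echo "modprobe.conf: ipv6 module disabled (takes effect after reboot)"
    else
        echo "modprobe.conf: ipv6 module still loadable"
    fi
    echo "interfaces still carrying inet6 addresses:"
    ipv6_interfaces "$d/ifc"                             # eth0 and lo before the reboot
    rm -rf "$d"
}

demo
```

Running it once before and once after the reboot in [10] makes the expected difference visible: the modprobe.conf check passes as soon as the file is edited, while the interface list only empties after the reboot, which is the point the page makes about the change taking effect.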