选择稳定版操作系统:CentOS6.9,CentOS7.6
最小化安装:方便后期部署与升级应用
不要安装gcc、make等编译工具,避免入侵者在本机直接编译恶意程序
安装完系统后更新系统,使系统处于稳定状态
[root@server1 ~]# yum -y update
基本权限
root的umask值
[root@server1 ~]# umask
0022
普通用户的umask值
[zhangsan@server1 ~]$ umask
0002
root家目录权限(550)
[root@server1 ~]# ll -d
dr-xr-x---. 4 root root 175 8月 21 12:06 .
tmp目录权限(1777)
[root@server1 ~]# ll -d /tmp
drwxrwxrwt. 7 root root 93 8月 21 12:15 /tmp
特殊权限
[root@server1 ~]# chmod 4755 filename
[root@server1 ~]# chmod u-s filename
[root@server1 ~]# chmod 2755 dirname/
[root@server1 ~]# chmod g-s dirname/
[root@server1 ~]# chmod 1755 dirname/
[root@server1 ~]# chmod o-t dirname/
文件ACL:访问控制列表
[root@server1 ~]# ll
总用量 4
-rw-------. 1 root root 1243 7月 24 17:35 anaconda-ks.cfg
-rw-r--r-- 1 root root 0 8月 21 12:45 file1
-rw-rw-r--+ 1 root root 0 8月 21 12:45 file2
说明:
-rw-r--r--. 如果权限后面带有‘.’号,表示文件是在SELinux开启的情况下默认创建的(带有安全上下文)
-rw-r--r-- 如果权限后面什么都没有,表示文件是在关闭SELinux的情况下创建的
-rw-r--r--+ 如果权限后面带有‘+’号,表示文件设置了ACL权限
[root@server1 ~]# getfacl file2
# file: file2
# owner: root
# group: root
user::rw-
user:zhangsan:rw-
group::r--
mask::rw-
other::r--
[root@server1 ~]# setfacl -m u:zhangsan:rw file2
#setfacl -m u:用户名:权限 filename ##设置某个用户的acl权限(组用 g:组名:权限)
#setfacl -x u:用户名 filename ##去除某个用户或者组的acl
#setfacl -b filename ##删除文件上的全部acl权限列表
文件属性
chattr +a 文件名
只允许对文件进行追加操作,不能修改,不能删除
[root@server1 ~]# chattr +a file1
[root@server1 ~]# echo "hello" > file1
-bash: file1: 不允许的操作
[root@server1 ~]# echo "hello" >> file1
[root@server1 ~]# rm -rf file1
rm: 无法删除"file1": 不允许的操作
去除该属性
[root@server1 ~]# chattr -a file1
chattr +i 文件名
文件被锁定,只读
[root@server1 ~]# chattr +i file1
[root@server1 ~]# cat file1
hello
[root@server1 ~]# echo "world" >> file1
-bash: file1: 权限不够
[root@server1 ~]# rm -rf file1
rm: 无法删除"file1": 不允许的操作
[root@server1 ~]# lsattr file1
-----a---------- file1
[root@server1 ~]# lsattr file1
----i----------- file1
锁定重要文件(注意:加 i 属性后这些文件无法被修改或替换,系统更新、用户管理等操作前需先用 chattr -i 解除)
[root@server1 ~]# find /bin /sbin /usr/sbin /usr/bin /etc/shadow /etc/passwd /etc/pam.d -type f -exec chattr +i {} \;
[root@server1 ~]# useradd lisi
useradd:无法打开 /etc/passwd
日志文件防删除
[root@server1 ~]# chattr +a /var/log/messages /var/log/secure
#日志切割(logrotate)前需先去掉a属性,切割完成后再加回a属性
[root@server1 ~]# vim /etc/logrotate.d/syslog
prerotate
chattr -a /var/log/messages
endscript
...
postrotate
chattr +a /var/log/messages
endscript
}
mount命令的权限
给普通用户提升(赋予)权限的方法
设置特殊权限:suid,sgid
修改文件权限:usermod
切换用户:switching users with su
sudo提权:running commands as root with sudo
su username
仅切换用户,环境变量不切换,导致很多命令不可用
su - username
切换用户并进入该用户家目录,环境变量会随之改变
#user MACHINE=(RUN_AS_USER) COMMANDS
用户名 运行的主机=(以什么身份) 允许执行的命令
root ALL=(ALL) ALL
cephu ALL=(root) NOPASSWD:ALL
[root@server1 ~]# ll /etc/sudoers
-r--r-----. 1 root root 4365 8月 16 13:00 /etc/sudoers
[root@server1 ~]# chmod 640 /etc/sudoers
[root@server1 ~]# ll /etc/sudoers
-rw-r-----. 1 root root 4365 8月 16 13:00 /etc/sudoers
注意:sudo要求/etc/sudoers权限为0440,上面改为640后sudo会拒绝运行,编辑完应改回0440,或直接用visudo编辑(visudo会检查语法并处理权限)。
赋予zhangsan用户使用ip,fdisk,less命令的权限
[root@server1 ~]# cat /etc/sudoers|grep -Ev '^$|^#' |grep zhangsan
zhangsan ALL=/sbin/ip,/sbin/fdisk,/bin/less
赋予lisi用户使用less命令的权限且切换时不需要输入密码
[root@server1 ~]# cat /etc/sudoers|grep -Ev '^$|^#' |grep lisi
lisi ALL=NOPASSWD:/bin/less
[root@server1 ~]# groupadd students
[root@server1 ~]# useradd it01 -G students
[root@server1 ~]# useradd it02 -G students
[root@server1 ~]# cat /etc/sudoers|grep -Ev '^$|^#' |grep students
%students ALL=NOPASSWD:/sbin/ip
%students ALL=NOPASSWD:/sbin/useradd, /sbin/userdel, /bin/passwd
%students ALL=NOPASSWD:!/bin/passwd root, !/bin/passwd root --stdin, !/bin/passwd --stdin root
## Host Aliases
# Host_Alias FILESERVERS = fs1, fs2
Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
zhangsan ALL=NOPASSWD: NETWORKING
lisi ALL=NOPASSWD: STORAGE
%students ALL=NOPASSWD: NETWORKING, STORAGE
[root@server1 ~]# grep '^authpriv' /etc/rsyslog.conf
authpriv.* /var/log/secure
[root@server1 ~]# tail -f /var/log/secure
Aug 21 15:20:41 admin su: pam_unix(su-l:auth): authentication failure; logname=zhangsan uid=1001 euid=0 tty=pts/1 ruser=zhangsan rhost= user=it01
Aug 21 15:20:56 admin passwd: pam_unix(passwd:chauthtok): password changed for it01
Aug 21 15:21:02 admin passwd: pam_unix(passwd:chauthtok): password changed for it02
Aug 21 15:21:09 admin su: pam_unix(su-l:session): session opened for user it01 by zhangsan(uid=1001)
Aug 21 15:21:27 admin sudo: it01 : TTY=pts/1 ; PWD=/home/it01 ; USER=root ; COMMAND=/sbin/useradd it03
Aug 21 15:21:27 admin sudo: pam_unix(sudo:session): session opened for user root by zhangsan(uid=0)
Aug 21 15:21:27 admin useradd[29302]: new group: name=it03, GID=1006
Aug 21 15:21:27 admin useradd[29302]: new user: name=it03, UID=1005, GID=1006, home=/home/it03, shell=/bin/bash
Aug 21 15:21:27 admin sudo: pam_unix(sudo:session): session closed for user root
Aug 21 15:36:42 admin su: pam_unix(su-l:session): session closed for user it01
PAM
自带数据库验证方式:建议使用
web验证方式:htpasswd生成用户名和密码
PAM(Pluggable Authentication Modules) 即可插拔式认证模块,它是一种高效而且灵活的用户级别的认证方式,它也是当前Linux服务器普遍使用的认证方式。
PAM可以根据用户的网段、时间、用户名、密码等实现认证
使用帮助
查看man手册
[root@server1 ~]# man pam
借用浏览器查看文档
[root@server1 ~]# firefox /usr/share/doc/pam-1.1.8/html/Linux-PAM_SAG.html
Service(进程文件) → PAM配置文件 → 相关模块文件 → 模块的配置文件
举例说明
- 进程文件/usr/sbin/sshd
- 配置文件/etc/pam.d/sshd
- 相关模块及其对应配置文件
- /lib64/security/pam_access.so → /etc/security/access.conf
- /lib64/security/pam_limits.so → /etc/security/limits.conf
- /lib64/security/pam_time.so → /etc/security/time.conf
[root@server1 ~]# vim /etc/pam.d/sshd
1 #%PAM-1.0
2 auth required pam_sepermit.so
3 auth substack password-auth
4 auth include postlogin
5 # Used with polkit to reauthorize users in remote sessions
6 -auth optional pam_reauthorize.so prepare
7 account required pam_nologin.so
8 account include password-auth
9 password include password-auth
10 # pam_selinux.so close should be the first session rule
11 session required pam_selinux.so close
12 session required pam_loginuid.so
13 # pam_selinux.so open should only be followed by sessions to be executed in the user context
14 session required pam_selinux.so open env_params
15 session required pam_namespace.so
16 session optional pam_keyinit.so force revoke
17 session include password-auth
18 session include postlogin
19 # Used with polkit to reauthorize users in remote sessions
20 -session optional pam_reauthorize.so prepare
[root@server1 ~]# ls /lib64/security/
pam_access.so pam_filter pam_mkhomedir.so pam_selinux.so pam_unix_auth.so
pam_cap.so pam_filter.so pam_motd.so pam_sepermit.so pam_unix_passwd.so
pam_chroot.so pam_ftp.so pam_namespace.so pam_shells.so pam_unix_session.so
pam_console.so pam_group.so pam_nologin.so pam_stress.so pam_unix.so
pam_cracklib.so pam_issue.so pam_permit.so pam_succeed_if.so pam_userdb.so
pam_debug.so pam_keyinit.so pam_postgresok.so pam_systemd.so pam_warn.so
pam_deny.so pam_lastlog.so pam_pwhistory.so pam_tally2.so pam_wheel.so
pam_echo.so pam_limits.so pam_pwquality.so pam_time.so pam_xauth.so
pam_env.so pam_listfile.so pam_rhosts.so pam_timestamp.so
pam_exec.so pam_localuser.so pam_rootok.so pam_tty_audit.so
pam_faildelay.so pam_loginuid.so pam_securetty.so pam_umask.so
pam_faillock.so pam_mail.so pam_selinux_permit.so pam_unix_acct.so
[root@server1 ~]# vim /etc/pam.d/sshd
1 #%PAM-1.0
2 auth required pam_sepermit.so
3 auth substack password-auth
4 auth include postlogin
5 # Used with polkit to reauthorize users in remote sessions
6 -auth optional pam_reauthorize.so prepare
7 account required pam_nologin.so
8 account include password-auth
9 password include password-auth
10 # pam_selinux.so close should be the first session rule
11 session required pam_selinux.so close
12 session required pam_loginuid.so
13 # pam_selinux.so open should only be followed by sessions to be executed in the user context
14 session required pam_selinux.so open env_params
15 session required pam_namespace.so
16 session optional pam_keyinit.so force revoke
17 session include password-auth
18 session include postlogin
19 # Used with polkit to reauthorize users in remote sessions
20 -session optional pam_reauthorize.so prepare
说明
认证类型 认证条件 认证需要的模块
PAM常见认证类型
认证条件
pam_rootok.so
[root@server1 ~]# vim /etc/pam.d/su
[root@server1 ~]# cat /etc/pam.d/su |grep pam_rootok.so
#auth sufficient pam_rootok.so
[root@server1 ~]# su - zhangsan
密码:
上一次登录:六 8月 21 12:18:35 CST 2021 从 192.168.139.1 pts/1 上
pam_access.so
添加pam_access.so模块
[root@server1 ~]# vim /etc/pam.d/sshd
[root@server1 ~]# cat /etc/pam.d/sshd |grep auth
auth required pam_access.so 添加该行
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
修改配置文件
[root@server1 ~]# vim /etc/security/access.conf
[root@server1 ~]# cat /etc/security/access.conf |grep -Ev "^#|^$"
-:root:192.168.139.20
验证
[root@server2 ~]# ip a
inet 192.168.139.20/24 brd 192.168.139.255 scope global noprefixroute
[root@server2 ~]# ssh root@192.168.139.10
The authenticity of host '192.168.139.10 (192.168.139.10)' can't be established.
ECDSA key fingerprint is SHA256:+RvxL8ZDWnyO030Z5rOfjBuJaOG1yFvD9ieOY9uzWBA.
ECDSA key fingerprint is MD5:d2:a2:8c:c6:60:15:46:9b:09:75:ce:3f:e1:ea:6e:aa.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.139.10' (ECDSA) to the list of known hosts.
root@192.168.139.10's password:
Permission denied, please try again.
root@192.168.139.10's password:
Permission denied, please try again.
root@192.168.139.10's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
pam_listfile.so
vsftpd黑名单或白名单
[root@server1 ~]# yum install -y vsftpd
[root@server1 ~]# vim /etc/pam.d/vsftpd
1 #%PAM-1.0
2 session optional pam_keyinit.so force revoke
3 auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed 这里定义了vsftpd的黑名单
4 auth required pam_shells.so
5 auth include password-auth
6 account include password-auth
7 session required pam_loginuid.so
8 session include password-auth
sshd黑名单或白名单
[root@server1 ~]# vim /etc/pam.d/sshd
[root@server1 ~]# cat /etc/pam.d/sshd |grep auth
auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail 仿照vsftpd黑名单,编写sshd的白名单
auth required pam_access.so
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
[root@server1 ~]# echo root >> /etc/ssh_users
pam_time.so
添加模块
[root@server1 ~]# vim /etc/pam.d/sshd
1 #%PAM-1.0
2 auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
3 auth required pam_access.so
4 auth required pam_sepermit.so
5 auth substack password-auth
6 auth include postlogin
7 # Used with polkit to reauthorize users in remote sessions
8 -auth optional pam_reauthorize.so prepare
9 account required pam_time.so 添加该模块
10 account required pam_nologin.so
11 account include password-auth
12 password include password-auth
13 # pam_selinux.so close should be the first session rule
14 session required pam_selinux.so close
15 session required pam_loginuid.so
16 # pam_selinux.so open should only be followed by sessions to be executed in the user context
17 session required pam_selinux.so open env_params
18 session required pam_namespace.so
19 session optional pam_keyinit.so force revoke
20 session include password-auth
21 session include postlogin
22 # Used with polkit to reauthorize users in remote sessions
23 -session optional pam_reauthorize.so prepare
修改配置文件
[root@server1 ~]# vim /etc/security/time.conf
[root@server1 ~]# cat /etc/security/time.conf |grep -Ev "^#|^$"
sshd;*;*;MoTuWeThFr0800-1700
说明
服务名;终端;用户;时间段
#该例:仅允许在周一到周五的8点到17点,所有终端的所有用户通过ssh连接本机;其余时间一律拒绝
验证
[root@server2 ~]# date
2021年 11月 17日 星期三 23:01:50 CST
[root@server2 ~]# ssh root@192.168.139.10
root@192.168.139.10's password:
Authentication failed.
pam_tally2.so
[root@server1 ~]# vim /etc/pam.d/sshd
[root@server1 ~]# cat /etc/pam.d/sshd |grep pam_tally2.so
auth required pam_tally2.so deny=3 even_deny_root root_unlock_time=60 unlock_time=60
说明:
#deny=3 连续错误登录最大次数,超过最大次数,将被锁定
#even_deny_root root用户也被要求锁定
#root_unlock_time root用户被锁定后等待的时间,单位为秒
#unlock_time 普通用户被锁定后等待的时间,单位为秒
查看用户错误登录次数
[root@server1 ~]# pam_tally2 -u root
Login Failures Latest failure From
root 8 11/18/21 14:13:30 192.168.139.20
清空用户错误登录次数(解除锁定;--reset 会先打印清零前的计数,再将其清零)
[root@server1 ~]# pam_tally2 --reset -u root
Login Failures Latest failure From
root 8 11/18/21 14:13:30 192.168.139.20
PAM资源限制主要是对用户进行系统资源使用的限制
PAM资源限制默认已使用,我们只需要调整相应限制值即可
相关模块:pam_limits.so
<type> -
域 类型 限制项 值
* (*表所有用户) soft core 0
* hard rss 10000
@student (@表示组) hard nproc 20
@faculty soft nproc 20
@faculty hard nproc 50
ftp hard nproc 0
@student - maxlogins 4
限制项
[root@server1 ~]# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 7184
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 7184
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
设置用户最大打开文件数
#查看
[root@server1 ~]# ulimit -n
1024
#临时设置
[root@server1 ~]# ulimit -n 2048
[root@server1 ~]# ulimit -n
2048
#永久设置
[root@server1 ~]# vim /etc/security/limits.conf
[root@server1 ~]# cat /etc/security/limits.conf |grep zhangsan
zhangsan soft nofile 10240
zhangsan hard nofile 20480
#验证
[root@server1 ~]# su - zhangsan
[zhangsan@server1 ~]$ ulimit -n -S
10240
[zhangsan@server1 ~]$ ulimit -n -H
20480
设置用户创建的最大进程数
[root@server1 ~]# ulimit -u
7184
[root@server1 ~]# vim /etc/security/limits.d/20-nproc.conf
[root@server1 ~]# cat /etc/security/limits.d/20-nproc.conf
* soft nproc 4096
#root soft nproc unlimited
* hard nproc 8192
[root@server1 ~]# su - zhangsan
[zhangsan@server1 ~]$ ulimit -u
4096
[zhangsan@server1 ~]$ ulimit -u -H
8192
控制组(CGroups)是Linux内核的一个特性,主要用来对共享资源进行隔离、限制、审计等。只有能控制分配到容器的资源,才能避免多个容器同时运行时对宿主机系统的资源竞争。控制组可以提供对容器的内存、CPU、磁盘IO等资源进行限制和计费管理。控制组的设计目标是为不同的应用情况提供统一的接口,从控制单一进程(比如nice工具)到系统级虚拟化(包括OpenVZ、Linux-VServer、LXC等)。
具体来看,控制组提供:
cgroups (Control Groups) 是基于进程而非用户的限制,因此对以root运行的进程同样生效
cgroup将各种子系统(subsystem)定义为资源,称为controller:可配额/可度量
cgroups通过九大子系统实现了对各类资源的配额和度量
例如:对某个进程使用内存进行限制步骤
Cgroup实现资源限制的方法:
cgroup安装
[root@server1 ~]# yum install -y libcgroup*
[root@server1 ~]# systemctl start cgconfig.service
[root@server1 ~]# systemctl enable cgconfig.service
案例1:使用CPU子系统创建两个cgroup
创建组
[root@server1 ~]# vim /etc/cgconfig.conf
[root@server1 ~]# tail /etc/cgconfig.conf
group lesscpu {
cpu {
cpu.shares=200;
}
}
group morecpu {
cpu {
cpu.shares=800;
}
}
重启服务
[root@server1 ~]# systemctl restart cgconfig.service
将程序分配到相应的group
实验中,为了让两个进程抢CPU时间片,故意只留一个CPU在线
[root@server1 ~]# lscpu
#查到有两个CPU
[root@server1 ~]# echo 0 > /sys/devices/system/cpu/cpu0/online
[root@server1 ~]# echo 1 > /sys/devices/system/cpu/cpu1/online
手动分配
[root@server1 ~]# cgexec -g cpu:lesscpu sha1sum /dev/zero
[root@server1 ~]# cgexec -g cpu:morecpu md5sum /dev/zero
[root@server1 ~]# top
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
32233 root 20 0 108068 620 524 R 79.1 0.0 0:05.84 md5sum
32232 root 20 0 116760 1088 808 R 20.2 0.1 0:02.76 sha1sum
案例2:限制进程使用Memory
创建组
[root@server1 ~]# vim /etc/cgconfig.conf
[root@server1 ~]# tail -6 /etc/cgconfig.conf
group lessmem {
memory {
memory.limit_in_bytes=268435465; 物理内存限制256M(256M精确值为268435456字节,原文数值有笔误)
memory.memsw.limit_in_bytes=268435465; 总内存限制,物理+SWAP
}
}
重启
[root@server1 ~]# systemctl restart cgconfig.service
创建内存盘并测试
[root@server1 ~]# mkdir /mnt/mem_test
[root@server1 ~]# mount -t tmpfs /dev/shm /mnt/mem_test
[root@server1 ~]# cgexec -g memory:lessmem dd if=/dev/zero of=/mnt/mem_test/file bs=1M count=200
记录了200+0 的读入
记录了200+0 的写出
209715200字节(210 MB)已复制,1.01048 秒,208 MB/秒
[root@server1 ~]# cgexec -g memory:lessmem dd if=/dev/zero of=/mnt/mem_test/file1 bs=1M count=500
已杀死
案例2:限制进程使用Memory
创建组
[root@server1 ~]# vim /etc/cgconfig.conf
[root@server1 ~]# tail -6 /etc/cgconfig.conf
group lessmem {
memory {
memory.limit_in_bytes=268435465; 物理内存限制256M(256M精确值为268435456字节,原文数值有笔误)
memory.memsw.limit_in_bytes=268435465; 总内存限制,物理+SWAP
}
}
重启
[root@server1 ~]# systemctl restart cgconfig.service
创建内存盘并测试
[root@server1 ~]# mkdir /mnt/mem_test
[root@server1 ~]# mount -t tmpfs /dev/shm /mnt/mem_test
[root@server1 ~]# cgexec -g memory:lessmem dd if=/dev/zero of=/mnt/mem_test/file bs=1M count=200
记录了200+0 的读入
记录了200+0 的写出
209715200字节(210 MB)已复制,1.01048 秒,208 MB/秒
[root@server1 ~]# cgexec -g memory:lessmem dd if=/dev/zero of=/mnt/mem_test/file1 bs=1M count=500
已杀死