CentOS fresh install - terminal scrolling problem

1. Use the Up/Down arrow keys to browse the command history

2. Use clear to clear the screen

I recognize that Up/Down will give you the command history. But, how do you look at past output by scrolling up and down?

I have used Shift+Page Up/Page Down, Alt+Shift+Up/Down and Page Up/Page Down, but none of these seem to work.

How do you scroll up/down on the Linux console?

Shift+Fn+Up or Down on a MacBook will allow you to scroll.

Or:

SHIFT+Page Up and SHIFT+Page Down. If it doesn’t work try this and then it should:

Go to the terminal program, and make sure
Edit/Profile Preferences/Scrolling/Scrollback/Unlimited
is checked.

The exact location of this option might be somewhere different though, I see that you are using Redhat.

Of course, if you connect to the server with an SSH client, you can scroll and copy/paste directly.

CentOS fresh install - configuring a yum mirror to speed up downloads

yum downloads were slow, so I cancelled the yum install with Ctrl+C. After cancelling and starting the download again, it became fast = _ =

Configuring a domestic (China) yum mirror

The system's default yum source is often unsatisfactorily slow. To get fast installs, change the yum source to a domestic mirror.

Shanghai Jiao Tong University yum mirror

Reference: https://www.cnblogs.com/mchina/archive/2013/01/04/2842275.html

My feeling: this is not needed, because CentOS-Base.repo uses a mirrorlist. In theory the choice is automatic: whichever download site is fastest gets used. See below:

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/altarch/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7


CentOS fresh install - no internet access

Running ping shows that nothing is reachable:

[root@www ~]# ping www.baidu.com
ping: www.baidu.com: Name or service not known

If pinging a domain name gives ping: unknown host xxx.xxx,
but pinging an IP address works,
then the DNS server is not configured.
Check the configuration file /etc/resolv.conf for a line of the form nameserver xxx.xxx.xxx.xxx, for example nameserver 8.8.8.8. If there is one, change it to a usable DNS server such as 8.8.8.8 or 4.4.4.4, then save and exit.

Of course, if even pinging the IP address 8.8.8.8 fails, the network configuration itself is the problem. It can be fixed like this:

1. Edit the network configuration

vi /etc/sysconfig/network-scripts/ifcfg-enp0s3   # note: the config file name may differ; after typing ifcfg, press Tab twice to get completion hints. On my machine it is ifcfg-enp0s3

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp0s3
UUID=098aaea2-65b0-49b7-821d-1fe636293b46
DEVICE=enp0s3
ONBOOT=yes    #### this line was "no" when I opened the file; I changed it to yes. Press i to edit, Esc to leave insert mode, then :wq to save the file [note: the colon must be the ASCII one]
ZONE=public

2. Restart the network service

On CentOS 6:
service network restart

On CentOS 7 [a bit slow, around 2 seconds]:
systemctl restart network

3. Test the result

[root@localhost ~]# ping baidu.com
PING baidu.com (39.156.69.79) 56(84) bytes of data.
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=1 ttl=53 time=39.6 ms
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=2 ttl=53 time=78.5 ms
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=3 ttl=53 time=71.8 ms
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=4 ttl=53 time=136 ms


### Press Ctrl+C to cancel

You can also set the DNS servers yourself:

vi /etc/resolv.conf 
nameserver 8.8.8.8
nameserver 8.8.4.4

4. Check the local IP address

Installing ifconfig

##### If ifconfig is missing on this machine:
[root@localhost ~]# ifconfig
-bash: ifconfig: command not found
[root@localhost ~]# 


##### First confirm whether ifconfig is really absent rather than just missing from PATH.
[root@localhost ~]# ls /sbin/ifconfig
ls: cannot access /sbin/ifconfig: No such file or directory
[root@localhost ~]# 


##### This confirms ifconfig is not installed; install it next.
##### The locale messages are a local language setting problem and can be ignored.
[root@localhost ~]# yum install ifconfig
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.huaweicloud.com
 * extras: centosx4.centos.org
 * updates: mirrors.huaweicloud.com
No package ifconfig available.
Error: Nothing to do
[root@localhost ~]# 


### No ifconfig package exists. Use yum search ifconfig to find the package that provides it.
[root@localhost ~]# yum search ifconfig
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.huaweicloud.com
 * extras: mirror-hk.koddos.net
 * updates: mirrors.huaweicloud.com
=================================== Matched: ifconfig ====================================
net-tools.i686 : Basic networking tools
[root@localhost ~]# 



##### The match for ifconfig is the net-tools.i686 package
 yum install net-tools.i686 -y

Using ifconfig

### ifconfig shows the local IP address; this output is from when the network was not up
[root@localhost ~]# ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 08:00:38:56:29:2c  txqueuelen 1000  (Ethernet)
        RX packets 95  bytes 9319 (9.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 104  bytes 9383 (9.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 152  bytes 13024 (12.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 152  bytes 13024 (12.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


### This is after networking came up: the local IP address is 192.168.1.128

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.128  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fd38::3d2:a2b7:39cb:278a  prefixlen 64  scopeid 0x20<link>
        ether 08:00:38:56:29:2c  txqueuelen 1000  (Ethernet)
        RX packets 111  bytes 11112 (10.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 124  bytes 11293 (11.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 156  bytes 13368 (13.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 156  bytes 13368 (13.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The ip addr command (also shows the local IP address)

[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:38:56:29:2c brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.128/24 brd 192.168.1.255 scope global noprefixroute dynamic enp0s3
       valid_lft 5226sec preferred_lft 5226sec
    inet6 fd38::3d2:a2b7:39cb:278a/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[root@localhost ~]# 

The netstat and ss commands (also show the local IP address)

  • On CentOS 6 you can use netstat
  • On CentOS 7 you can use ss -ant

5. CentOS 6: still no network after editing ifcfg-xxx

Run ifconfig to check whether the interface has a LAN IP address; if not, configure one. eth0 is the device name; use whatever device name ifconfig shows.

ifconfig eth0 192.168.1.100  netmask 255.0.0.0 up

Also use the route command to check the current default gateway; if there is none, configure one:

route add default gw 192.168.1.1

With both configured, ping should work. If ping www.baidu.com still fails, check the DNS server.
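As an added example (not from the original post), the following shell script performs the two checks the steps above make by hand: whether ONBOOT=yes is set in an ifcfg file and whether /etc/resolv.conf names at least one nameserver. File paths are parameters, and the sample files it creates are constructed to reproduce the broken state described above.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the two settings the
# section above fixes by hand. Paths are parameters so the checks can be run
# against copies or test files as well as the live system.

# ifcfg_onboot FILE -> prints the effective ONBOOT value (last assignment wins,
# comments, quotes and surrounding whitespace ignored); "unset" if absent.
ifcfg_onboot() {
    awk -F= '
        /^[[:space:]]*#/ { next }
        $1 ~ /^[[:space:]]*ONBOOT[[:space:]]*$/ {
            v = $2
            sub(/[[:space:]]*#.*$/, "", v)   # strip a trailing comment
            gsub(/[[:space:]"]/, "", v)      # strip quotes and whitespace
            val = v
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# resolv_nameservers FILE -> prints one nameserver address per line
# (prints nothing when the file has no nameserver directive).
resolv_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# audit_network IFCFG RESOLV -> prints one finding per line; returns 0 when
# both checks pass and 1 otherwise.
audit_network() {
    rc=0
    onboot=$(ifcfg_onboot "$1")
    if [ "$onboot" != "yes" ]; then
        echo "ONBOOT is '$onboot' in $1: the interface will not come up at boot"
        rc=1
    fi
    if [ -z "$(resolv_nameservers "$2")" ]; then
        echo "no nameserver in $2: host names will not resolve"
        rc=1
    fi
    return $rc
}

# Constructed sample files reproducing the broken state described above.
TMPDIR_DEMO=${TMPDIR:-/tmp}/netaudit.$$
mkdir -p "$TMPDIR_DEMO"
cat > "$TMPDIR_DEMO/ifcfg-enp0s3" <<'EOF'
TYPE=Ethernet
BOOTPROTO=dhcp
NAME=enp0s3
DEVICE=enp0s3
ONBOOT=no    #### should be yes
EOF
printf '# no nameserver configured yet\n' > "$TMPDIR_DEMO/resolv.conf"

if audit_network "$TMPDIR_DEMO/ifcfg-enp0s3" "$TMPDIR_DEMO/resolv.conf"; then
    echo "network configuration looks fine"
else
    echo "fix the findings above, then restart the network service"
fi
```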


References:

https://blog.csdn.net/qq_30180559/article/details/79535596
https://jingyan.baidu.com/article/eb9f7b6d42636d869364e8c9.html

https://blog.csdn.net/menlinshuangxi/article/details/7968955

CentOS fresh install - removing old kernels after a system update

The CentOS 7 boot menu shows several kernel entries

Normally there are two boot entries: the normal boot and the rescue boot. If there are more than two, the system still has old kernels that were not removed: CentOS does not delete old kernels automatically after an update.
The newest kernel boots by default; you can pick another one temporarily in the boot menu, or change the configuration to set it permanently.

Changing the default boot kernel

[root@CentOS-7 ~]# uname -r   # show the running kernel version
3.10.0-693.5.2.el7.x86_64
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# cat /boot/grub2/grub.cfg |grep "menuentry "  # list all available kernels
menuentry 'CentOS Linux (3.10.0-693.5.2.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-327.el7.x86_64-advanced-88ae7d3d-ffaf-4402-9d44-56b6845789e4' {
menuentry 'CentOS Linux (3.10.0-327.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-327.el7.x86_64-advanced-88ae7d3d-ffaf-4402-9d44-56b6845789e4' {
menuentry 'CentOS Linux (0-rescue-8405cda22c0b421db40478edcf9c1fb2) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-0-rescue-8405cda22c0b421db40478edcf9c1fb2-advanced-88ae7d3d-ffaf-4402-9d44-56b6845789e4' {
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# grub2-set-default 'CentOS Linux (3.10.0-327.el7.x86_64) 7 (Core)'
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# grub2-editenv list  # check the result of the change
saved_entry=CentOS Linux (3.10.0-327.el7.x86_64) 7 (Core)
[root@CentOS-7 ~]#

Removing unneeded kernels

[root@CentOS-7 ~]# uname -r   # show the running kernel version
3.10.0-693.5.2.el7.x86_64
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# rpm -qa |grep kernel-[0-9]  # list all kernel packages
kernel-3.10.0-693.5.2.el7.x86_64
kernel-3.10.0-327.el7.x86_64
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# yum remove kernel-3.10.0-327.el7.x86_64  # remove the specified unneeded kernel
Loaded plugins: fastestmirror, langpacks
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-327.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
 Package                           Arch                              Version                                      Repository                            Size
=============================================================================================================================================================
Removing:
 kernel                            x86_64                            3.10.0-327.el7                               @anaconda                            136 M

Transaction Summary
=============================================================================================================================================================
Remove  1 Package

Installed size: 136 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : kernel-3.10.0-327.el7.x86_64                                                                                                              1/1 
  Verifying  : kernel-3.10.0-327.el7.x86_64                                                                                                              1/1 

Removed:
  kernel.x86_64 0:3.10.0-327.el7                                                                                                                             

Complete!
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# rpm -qa |grep kernel-[0-9]  # list all kernel packages
kernel-3.10.0-693.5.2.el7.x86_64
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# cat /boot/grub2/grub.cfg |grep "menuentry "
menuentry 'CentOS Linux (3.10.0-693.5.2.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-327.el7.x86_64-advanced-88ae7d3d-ffaf-4402-9d44-56b6845789e4' {
menuentry 'CentOS Linux (0-rescue-8405cda22c0b421db40478edcf9c1fb2) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-0-rescue-8405cda22c0b421db40478edcf9c1fb2-advanced-88ae7d3d-ffaf-4402-9d44-56b6845789e4' {
[root@CentOS-7 ~]#
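The selection step above (compare uname -r with the rpm -qa list, then remove everything except the running kernel) as an added example, not from the original post. The function takes the running version and the package list as arguments, so it is shown here on a constructed list; on a live system you would feed it "$(uname -r)" and "$(rpm -qa | grep '^kernel-[0-9]')". It refuses to select anything when the running kernel is not in the list, which is the case when the list is stale or came from another host.

```shell
#!/bin/sh
# Added example, not from the original post: pick the kernel packages that are
# candidates for "yum remove", i.e. every installed kernel-<version> package
# except the one currently running.

# removable_kernels RUNNING INSTALLED -> prints removable package names, one
# per line. Returns 1 and prints nothing if the running kernel is not in the
# installed list, because removing anything based on such a list is unsafe.
removable_kernels() {
    running="$1"
    installed="$2"
    if ! printf '%s\n' "$installed" | grep -qxF "kernel-$running"; then
        echo "running kernel $running not in the package list; refusing to select anything" >&2
        return 1
    fi
    # Only kernel-<digit> packages (not kernel-tools, kernel-headers, ...),
    # minus the exact running package.
    printf '%s\n' "$installed" | grep '^kernel-[0-9]' | grep -vxF "kernel-$running"
    return 0
}

# Constructed sample modelled on the rpm -qa output shown above, with one extra
# old kernel and a non-kernel package that must be ignored.
SAMPLE_RUNNING="3.10.0-693.5.2.el7.x86_64"
SAMPLE_INSTALLED="kernel-3.10.0-693.5.2.el7.x86_64
kernel-3.10.0-327.el7.x86_64
kernel-3.10.0-514.26.2.el7.x86_64
kernel-tools-3.10.0-693.5.2.el7.x86_64"

# Prints kernel-3.10.0-327.el7.x86_64 and kernel-3.10.0-514.26.2.el7.x86_64,
# which is what you would pass to "yum remove".
removable_kernels "$SAMPLE_RUNNING" "$SAMPLE_INSTALLED"
```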

Source: https://www.cnblogs.com/anliven/p/7944842.html

CentOS 7 fresh install - run levels

Linux has 7 run levels. To change the default run level to 3 (multi-user): the default is X-Window, which is like the Windows desktop, but Linux is generally operated and configured by typing commands, so the default run level needs to be changed.
Step 1: Log in to Linux as administrator and edit the file /etc/inittab.
Step 2: Find "id:5:initdefault:". The 5 is X-Window, the default run level; change the 5 to 3.
The 7 run levels are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
Explanation of each run level:
0: halt, the machine shuts down.
1: single-user mode, similar to Safe Mode in Win9x.
2: multi-user mode, but without NFS support.
3: full multi-user mode, the standard run level.
4: generally unused; it can be used for special purposes, for example switching to it to make some settings when a laptop's battery runs out.
5: X11, enters the X Window System.
6: reboot; running init 6 reboots the machine.
0 and 6 are generally not used;
running startx starts level 5.

In the latest CentOS 7, the configuration file itself says that the default target must be set from the command line:
systemctl set-default graphical.target

CentOS 7 fresh install - cannot find a valid baseurl for repo:base/7/x86_64

After installing the text-mode version of CentOS 7 there is no network access, and yum install reports cannot find a valid baseurl for repo:base/7/x86_64. Fix:

* Obvious signs of having no network access:

1. yum install shows Error: cannot find a valid baseurl or repo:base

2. ping host reports unknown host


Method 1

1. Open vi /etc/sysconfig/network-scripts/ifcfg-eth0 (the name may differ per machine, but the format is "ifcfg-eth<number>") and change ONBOOT=no to ONBOOT=yes

2. Restart the network: service network restart

Method 2

1. Open vi /etc/resolv.conf and add nameserver 8.8.8.8

2. Restart the network: service network restart

Source: https://www.cnblogs.com/hopkings/p/6140654.html

On my machine the file is /etc/sysconfig/network-scripts/ifcfg-enp0s3

CentOS fresh install - security hardening

Reprinted from: https://www.linode.com/docs/security/securing-your-server/

In the Getting Started guide, you learned how to deploy a Linux distribution, boot your Linode and perform basic administrative tasks. Now it’s time to harden your Linode against unauthorized access.

Update Your System – Frequently

Keeping your software up to date is the single biggest security precaution you can take for any operating system. Software updates range from critical vulnerability patches to minor bug fixes, and many software vulnerabilities are actually patched by the time they become public.

Automatic Security Updates

There are arguments for and against automatic updates on servers. Fedora’s Wiki has a good breakdown of the pros and cons, but the risk of automatic updates will be minimal if you limit them to security updates. Not all package managers make that easy or possible, though.

The practicality of automatic updates is something you must judge for yourself because it comes down to what you do with your Linode. Bear in mind that automatic updates apply only to packages sourced from repositories, not self-compiled applications. You may find it worthwhile to have a test environment that replicates your production server. Updates can be applied there and reviewed for issues before being applied to the live environment.

Add a Limited User Account

Up to this point, you have accessed your Linode as the root user, which has unlimited privileges and can execute any command–even one that could accidentally disrupt your server. We recommend creating a limited user account and using that at all times. Administrative tasks will be done using sudo to temporarily elevate your limited user’s privileges so you can administer your server.

Note

Not all Linux distributions include sudo on the system by default, but all the images provided by Linode have sudo in their package repositories. If you get the output sudo: command not found, install sudo before continuing.

To add a new user, first log in to your Linode via SSH.

CentOS / Fedora

  1. Create the user, replacing example_user with your desired username, and assign a password:
    useradd example_user && passwd example_user
    
  2. Add the user to the wheel group for sudo privileges:
    usermod -aG wheel example_user
    

    Caution

    In CentOS 6 the wheel group is disabled by default for sudo access. You must configure it manually. Type from root: /usr/sbin/visudo. Then find the line # %wheel and uncomment this line. To begin typing in vi, press a. To save and exit press Escape, then type :w (press Enter), :q (press Enter).

Ubuntu

  1. Create the user, replacing example_user with your desired username. You’ll then be asked to assign the user a password:
    adduser example_user
    
  2. Add the user to the sudo group so you’ll have administrative privileges:
    adduser example_user sudo
    

Debian

  1. Debian does not include sudo by default so it must be installed:
    apt install sudo
    
  2. Create the user, replacing example_user with your desired username. You’ll then be asked to assign the user a password:
    adduser example_user
    
  3. Add the user to the sudo group so you’ll have administrative privileges:
    adduser example_user sudo
    
  4. After creating your limited user, disconnect from your Linode:
    exit
    
  5. Log back in as your new user. Replace example_user with your username, and the example IP address with your Linode’s IP address:
    ssh example_user@203.0.113.10
    

Now you can administer your Linode from your new user account instead of root. Nearly all superuser commands can be executed with sudo (example: sudo iptables -L -nv) and those commands will be logged to /var/log/auth.log.

Harden SSH Access

By default, password authentication is used to connect to your Linode via SSH. A cryptographic key-pair is more secure because a private key takes the place of a password, which is generally much more difficult to brute-force. In this section we’ll create a key-pair and configure the Linode to not accept passwords for SSH logins.

Create an Authentication Key-pair

  1. This is done on your local computer, not your Linode, and will create a 4096-bit RSA key-pair. During creation, you will be given the option to encrypt the private key with a passphrase. This means that it cannot be used without entering the passphrase, unless you save it to your local desktop’s keychain manager. We suggest you use the key-pair with a passphrase, but you can leave this field blank if you don’t want to use one.

    Linux / OS X

    Caution

    If you’ve already created an RSA key-pair, this command will overwrite it, potentially locking you out of other systems. If you’ve already created a key-pair, skip this step. To check for existing keys, run ls ~/.ssh/id_rsa*.
    ssh-keygen -b 4096
    

    Press Enter to use the default names id_rsa and id_rsa.pub in /home/your_username/.ssh before entering your passphrase.

    Windows

    This can be done using PuTTY as outlined in our guide: Use Public Key Authentication with SSH.

  2. Upload the public key to your Linode. Replace example_user with the name of the user you plan to administer the server as, and 203.0.113.10 with your Linode’s IP address.

    Linux

    From your local computer:

    ssh-copy-id example_user@203.0.113.10
    

    OS X

    On your Linode (while signed in as your limited user):

    mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/
    

    From your local computer:

    scp ~/.ssh/id_rsa.pub example_user@203.0.113.10:~/.ssh/authorized_keys
    

    Note

    ssh-copy-id is available in Homebrew if you prefer it over SCP. Install with brew install ssh-copy-id.

    Windows

    • Option 1: This can be done using WinSCP. In the login window, enter your Linode’s public IP address as the hostname, and your non-root username and password. Click Login to connect. Once WinSCP has connected, you’ll see two main sections. The section on the left shows files on your local computer and the section on the right shows files on your Linode. Using the file explorer on the left, navigate to the file where you’ve saved your public key, select the public key file, and click Upload in the toolbar above. You’ll be prompted to enter a path where you’d like to place the file on your Linode. Upload the file to /home/example_user/.ssh/authorized_keys, replacing example_user with your username.
    • Option 2: Copy the public key directly from the PuTTY key generator into the terminal emulator connected to your Linode (as a non-root user):
      mkdir ~/.ssh; nano ~/.ssh/authorized_keys
      

      The above command will open a blank file called authorized_keys in a text editor. Copy the public key into the text file, making sure it is copied as a single line exactly as it was generated by PuTTY. Press CTRL+X, then Y, then Enter to save the file.

    Finally, you’ll want to set permissions for the public key directory and the key file itself:

    sudo chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keys
    

    These commands provide an extra layer of security by preventing other users from accessing the public key directory as well as the file itself. For more information on how this works, see our guide on how to modify file permissions.

  3. Now exit and log back into your Linode. If you specified a passphrase for your private key, you’ll need to enter it.

SSH Daemon Options

  1. Disallow root logins over SSH. This requires all SSH connections be by non-root users. Once a limited user account is connected, administrative privileges are accessible either by using sudo or changing to a root shell using su -.
    /etc/ssh/sshd_config
    # Authentication:
    ...
    PermitRootLogin no
  2. Disable SSH password authentication. This requires all users connecting via SSH to use key authentication. Depending on the Linux distribution, the line PasswordAuthentication may need to be added, or uncommented by removing the leading #.
    /etc/ssh/sshd_config
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no

    Note

    You may want to leave password authentication enabled if you connect to your Linode from many different computers. This will allow you to authenticate with a password instead of generating and uploading a key-pair for every device.
  3. Listen on only one internet protocol. The SSH daemon listens for incoming connections over both IPv4 and IPv6 by default. Unless you need to SSH into your Linode using both protocols, disable whichever you do not need. This does not disable the protocol system-wide, it is only for the SSH daemon. Use the option:
    • AddressFamily inet to listen only on IPv4.
    • AddressFamily inet6 to listen only on IPv6.

    The AddressFamily option is usually not in the sshd_config file by default. Add it to the end of the file:

    echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config
    
  4. Restart the SSH service to load the new configuration. If you’re using a Linux distribution which uses systemd (CentOS 7, Debian 8, Fedora, Ubuntu 15.10+):
    sudo systemctl restart sshd
    

    If your init system is SystemV or Upstart (CentOS 6, Debian 7, Ubuntu 14.04):

    sudo service ssh restart
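
The following checker is an added example, not part of the Linode guide: it reports what sshd will actually enforce for the three options above. sshd uses the first uncommented value of each keyword and ignores later duplicates, so appending a line with tee -a only takes effect when no earlier line already sets that keyword; the checker follows the same rule, treats keywords case-insensitively, and stops at the first Match block. The sample config it writes is constructed; the defaults it assumes (PasswordAuthentication yes, AddressFamily any) are the documented sshd defaults.

```shell
#!/bin/sh
# Added example, not part of the Linode guide: check the effective values of
# PermitRootLogin, PasswordAuthentication and AddressFamily in an sshd_config.

# sshd_effective FILE KEYWORD DEFAULT -> prints the value sshd will use: the
# first non-comment line whose first word matches KEYWORD (case-insensitive),
# or DEFAULT if none is found before the end of the global section.
sshd_effective() {
    val=$(awk -v k="$2" '
        /^[[:space:]]*#/ { next }                 # comment line
        tolower($1) == "match" { exit }            # Match block ends globals
        tolower($1) == tolower(k) && NF >= 2 { print $2; exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# sshd_audit FILE -> prints one finding per line; prints nothing when the
# file matches the three hardening steps above. Always returns 0 so the
# findings, not the exit status, carry the result.
sshd_audit() {
    f="$1"
    v=$(sshd_effective "$f" PermitRootLogin unset)
    [ "$v" = "no" ] || echo "PermitRootLogin is '$v' (want: no)"
    v=$(sshd_effective "$f" PasswordAuthentication yes)
    [ "$v" = "no" ] || echo "PasswordAuthentication is '$v' (want: no)"
    v=$(sshd_effective "$f" AddressFamily any)
    [ "$v" = "any" ] && echo "AddressFamily is 'any' (want: inet or inet6)"
    return 0
}

# Constructed sample: the guide's edits were made, but an earlier
# PasswordAuthentication line was left in place, so that earlier line wins.
SSHD_SAMPLE=${TMPDIR:-/tmp}/sshd_config.sample.$$
cat > "$SSHD_SAMPLE" <<'EOF'
# Authentication:
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
AddressFamily inet
EOF

# Prints: PasswordAuthentication is 'yes' (want: no)
sshd_audit "$SSHD_SAMPLE"
```

Run it against /etc/ssh/sshd_config before restarting the daemon; an empty report means the three settings are in effect.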
    

Use Fail2Ban for SSH Login Protection

Fail2Ban is an application that bans IP addresses from logging into your server after too many failed login attempts. Since legitimate logins usually take no more than three tries to succeed (and with SSH keys, no more than one), a server being spammed with unsuccessful logins indicates attempted malicious access.

Fail2Ban can monitor a variety of protocols including SSH, HTTP, and SMTP. By default, Fail2Ban monitors SSH only, and is a helpful security deterrent for any server since the SSH daemon is usually configured to run constantly and listen for connections from any remote IP address.

For complete instructions on installing and configuring Fail2Ban, see our guide: Securing Your Server with Fail2ban.

Remove Unused Network-Facing Services

Most Linux distributions install with running network services which listen for incoming connections from the internet, the loopback interface, or a combination of both. Network-facing services which are not needed should be removed from the system to reduce the attack surface of both running processes and installed packages.

Determine Running Services

To see your Linode’s running network services:

sudo ss -atpu

The following is an example of the output given by ss, and shows that the SSH daemon (sshd) is listening and connected. Note that because distributions run different services by default, your output will differ.

Netid  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
tcp    LISTEN  0       128     *:ssh                *:*                  users:(("sshd",pid=3675,fd=3))
tcp    ESTAB   0       208     203.0.113.1:ssh      198.51.100.2:54820   users:(("sshd",pid=3698,fd=3))
tcp    LISTEN  0       128     :::ssh               :::*                 users:(("sshd",pid=3675,fd=4))

TCP

See the Peer Address:Port column of the ss readout. The process sshd is listening on *:*, which translates into any incoming IPv4 address to any port, and over any network interface. The next line shows an established SSH connection from IP address 198.51.100.2 via ephemeral port 54820. The last line, :::*, denotes the sshd process listening for any incoming SSH connections over IPv6 to any port, and again over any network interface.

UDP

UDP sockets are stateless, meaning they are either open or closed and every process’s connection is independent of those which occurred before and after. This is in contrast to TCP connection states such as LISTEN, ESTABLISHED and CLOSE_WAIT. The ss output above shows no UDP connections.

Determine Which Services to Remove

A basic TCP and UDP nmap scan of your Linode without a firewall enabled would show SSH and possibly other services listening for incoming connections. By configuring a firewall you can filter those ports to your requirements. Ideally, the unused services should be disabled.

You will likely be administering your server primarily through an SSH connection, so that service needs to stay. As mentioned above, RSA keys and Fail2Ban can help protect SSH. System services like chronyd, systemd-resolved, and dnsmasq are usually listening on localhost and only occasionally contacting the outside world. Services like this are part of your operating system and will cause problems if removed and not properly substituted.

However, some services are unnecessary and should be removed unless you have a specific need for them. Some examples could be Exim, Apache and RPC.

Uninstall the Listening Services

How to remove the offending packages will differ depending on your distribution’s package manager.

Arch

sudo pacman -Rs package_name

CentOS

sudo yum remove package_name

Debian / Ubuntu

sudo apt purge package_name

Fedora

sudo dnf remove package_name

Run ss -atup again to verify that the unwanted services are no longer running.

Configure a Firewall

Using a firewall to block unwanted inbound traffic to your Linode provides a highly effective security layer. By being very specific about the traffic you allow in, you can prevent intrusions and network mapping. A best practice is to allow only the traffic you need, and deny everything else. See our documentation on some of the most common firewall applications:

  • Iptables is the controller for netfilter, the Linux kernel’s packet filtering framework. Iptables is included in most Linux distributions by default.
  • FirewallD is the iptables controller available for the CentOS / Fedora family of distributions.
  • UFW provides an iptables frontend for Debian and Ubuntu.

Next Steps

These are the most basic steps to harden any Linux server, but further security layers will depend on its intended use. Additional techniques can include application configurations, using intrusion detection or installing a form of access control.

Now you can begin setting up your Linode for any purpose you choose. We have a library of documentation to assist you with a variety of topics ranging from migration from shared hosting to enabling two-factor authentication to hosting a website.


CentOS fresh install - changing the timezone

It may be better to use the same timezone which a majority of your users are located in, or that you live in to make log file timestamps more sensible.

Debian / Ubuntu

[bash]dpkg-reconfigure tzdata[/bash]

Arch Linux and CentOS 7

View the list of available time zones.

[bash]timedatectl list-timezones[/bash]

Use the Up, Down, Page Up and Page Down keys to navigate. Find the time zone which you want. Remember it, write it down or copy it as a mouse selection. Then press q to exit the list.

To set the time zone:

[bash]timedatectl set-timezone 'America/New_York'[/bash]

Gentoo

View the list of available time zones.

[bash]ls /usr/share/zoneinfo[/bash]

Write the selected time zone to the /etc/timezone file.

Example (for Eastern Standard Time):

[bash]echo "EST" > /etc/timezone[/bash]

Configure the sys-libs/timezone-data package, which will set /etc/localtime appropriately.

[bash]emerge --config sys-libs/timezone-data[/bash]

Check the Time

View the current date and time according to your server.

[bash]date[/bash]

The output should look similar to: Thu Feb 16 12:17:52 EST 2012.

Reprinted from: https://www.linode.com/docs/getting-started/

CentOS fresh install - changing the hostname

Your system's hostname should be unique. Some people name their servers after planets, philosophers or animals. Note that, apart from giving the system itself a name, the hostname has nothing to do with the websites or email services hosted on it. Your hostname should not be "www" or anything too generic. If you want to assign a fully qualified domain name to your system, see our guide on using your system's hosts file.

Arch / CentOS 7 / Debian 8 / Fedora / Ubuntu 16.04 and above

Replace example_hostname with one of your choice.

[bash]hostnamectl set-hostname example_hostname[/bash]

Debian 7 / Slackware / Ubuntu 14.04

Replace example_hostname with one of your choice.

[bash]
echo "example_hostname" &gt; /etc/hostname
hostname -F /etc/hostname
[/bash]

Note

Debian and Ubuntu include a line in their hosts file for a loopback domain by default (127.0.1.1), but even though they’re closely related, the commands above to set a hostname don’t change the loopback domain.

The result is the message when using sudo commands: sudo: unable to resolve host . To fix this, add your hostname to the hosts file as shown in the last example here.

CentOS 6

Replace example_hostname with one of your choice.

[bash]
echo "HOSTNAME=example_hostname" >> /etc/sysconfig/network
hostname "example_hostname"
[/bash]

Gentoo

Enter the following commands to set the hostname, replacing example_hostname with the hostname of your choice:

[bash]
echo "HOSTNAME=\"example_hostname\"" > /etc/conf.d/hostname
/etc/init.d/hostname restart
[/bash]

Reprinted from: https://www.linode.com/docs/getting-started/

CentOS 7 fresh install - locale encoding problem on SSH login

Erratum: my earlier article at http://www.01happy.com/p3204/ was wrong.
The problem is not the system's own encoding; it is how the locale settings of different systems are handed over when logging in.

Cause of the locale problem

When logging in to a CentOS 7 system, a warning appears in command-line mode:

[bash]
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
[/bash]

This is not caused by the system's default encoding. It happens because, when the two computers connect, their local encodings cannot be reconciled. Analysis:

Logging in locally on CentOS (no error)

[root@localhost ~]# locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=
[root@localhost ~]#

Logging in locally on the Mac (no error)

mbpdeMacBook-Pro:~ cool$ locale
LANG=
LC_COLLATE="C"
LC_CTYPE="UTF-8"
LC_MESSAGES="C"
LC_MONETARY="C"
LC_NUMERIC="C"
LC_TIME="C"
LC_ALL=
mbpdeMacBook-Pro:~ cool$

Connecting from the Mac to CentOS (error)

[root@localhost ~]# locale
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
LANG=en_US.UTF-8
LC_CTYPE=UTF-8
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=
[root@localhost ~]# 

locale background

Basic meaning of locale

A locale describes the language habits, cultural traditions and everyday conventions of the people in a particular region. A region's locale is defined according to these categories of conventions. The locale definition files live under /usr/share/i18n/locales; for example en_US, zh_CN and de_DE@euro are locale definition files. They are plain text, so you can open them in a text editor and look inside, although apart from a few comments most of it will be hard to read, because characters are referenced by their Unicode code points.

cat /usr/share/i18n/locales/zh_CN
comment_char %
escape_char  /
%
% Chinese language locale for the Peoples Republic of China
%
% This work is based on ISO PDTR 14652, Unicode 3.0, locale definition
% file for zh_CN revision 1.0 ([email protected], 1999-04-28) and
% charmap file for GBK version 1.0 ([email protected]).
%
% The file is designed to work with multiple charsets.  To ease the
% maintance and adding support for new charsets, all characters are
% in UCS notation and presented in Unicode order.
%
% Changelog:
% Tue Jul 25 2000 Yong Li <[email protected]>
% - first version for glibc 2.2

...

What the locale output means

[oracle@game ~]$ locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=en_US.UTF-8
[oracle@game ~]$ 

A locale splits the conventions it covers into 12 categories:

1. Character classification and handling (LC_CTYPE)
2. Number formatting (LC_NUMERIC)
3. Comparison and sort order (LC_COLLATE)
4. Date and time format (LC_TIME)
5. Currency (LC_MONETARY)
6. Messages: prompts, error and status text, titles, labels, buttons and menus (LC_MESSAGES)
7. How personal names are written (LC_NAME)
8. How addresses are written (LC_ADDRESS)
9. How telephone numbers are written (LC_TELEPHONE)
10. Units of measurement (LC_MEASUREMENT)
11. Default paper size (LC_PAPER)
12. Metadata describing the locale itself (LC_IDENTIFICATION)

Locale name format

What does zh_CN.GB2312 actually mean?

A locale is the language environment a program runs in; it combines a language, a territory and a codeset (character set).

A locale name is written language[_territory[.codeset]], so a locale is always tied to a particular character set.

A few examples:

1. I speak Chinese, I am in the People's Republic of China, and I encode characters with GB2312: zh_CN.GB2312 = Chinese_PRC + GB2312 charset.

2. I speak Chinese, I am in the PRC, and I encode characters with GB18030: zh_CN.GB18030 = Chinese_PRC + GB18030 charset.

3. I speak Chinese, I am in Taiwan, and I encode characters with Big5 (Big5 is not a GB standard): zh_TW.BIG5 = Chinese_Taiwan.Big5 charset.

4. I speak English, I am in Great Britain, and I encode characters with ISO-8859-1: en_GB.ISO-8859-1 = English_Great Britain.ISO-8859-1 charset.

5. I speak German, I am in Germany, I use UTF-8, and I want the euro-era conventions: de_DE.UTF-8@euro = German_Germany.UTF-8 charset@euro modifier. Note that the modifier comes after the codeset (de_DE.UTF-8@euro, not de_DE@euro.UTF-8), so the full form of a locale name is [language[_territory][.codeset][@modifier]].

About de_DE@euro: the part after @ is a modifier, which is why there are two German locale definitions, /usr/share/i18n/locales/de_DE@euro and /usr/share/i18n/locales/de_DE.

Open the two definitions and you will see that they differ only in the currency settings under LC_MONETARY (the @euro variant uses the euro); every other category in de_DE@euro is copied from de_DE.

Locale precedence

Setting a locale means setting the 12 LC_* category variables. For convenience there are two more variables, LC_ALL and LANG, and the three levels have a fixed precedence: LC_ALL > LC_* > LANG. LC_ALL is a forced override of everything; LANG is the fallback default.

1. If LC_ALL=zh_CN.UTF-8 is set, every category becomes zh_CN.UTF-8 regardless of what LC_* and LANG say.

2. If LANG=zh_CN.UTF-8, all the LC_* variables are en_US.UTF-8 and LC_ALL is unset, the effective locale is en_US.UTF-8 for every category.

3. If LANG=zh_CN.UTF-8 and neither LC_* nor LC_ALL is set, every category takes its default from LANG, i.e. zh_CN.UTF-8.

4. If LANG=zh_CN.UTF-8, LC_CTYPE=en_US.UTF-8, and the remaining LC_* and LC_ALL are unset, then LC_CTYPE=en_US.UTF-8 and every other category (LC_COLLATE, LC_MESSAGES, ..., LC_PAPER) falls back to LANG, i.e. zh_CN.UTF-8.

So, in practice:

1. For a fully Chinese system, set either LC_ALL=zh_CN.XXXX or LANG=zh_CN.XXXX. You can set both, but as explained above LC_ALL overrides every other setting, so the second one is wasted effort.

2. If you only want to be able to type Chinese while keeping menus, titles and system messages in English, set LC_CTYPE=zh_CN.XXXX and LANG=en_US.XXXX. Then LC_CTYPE=zh_CN.XXXX while LC_COLLATE=LC_MESSAGES=...=LC_PAPER=LANG=en_US.XXXX.

3. If you feel like it, you can set each of the 12 LC_* variables individually and build a chimera: LC_CTYPE=zh_CN.GBK (Chinese text in the GBK encoding), LC_NUMERIC=en_GB.ISO-8859-1 (British number formatting), LC_MEASUREMENT=de_DE.ISO-8859-15 (German units in the ISO-8859-15 charset), Rome's address format, US paper size... Nobody does this in practice.

4. If you set nothing at all, i.e. LC_ALL, LANG and LC_* are all unset, the system uses the POSIX locale, also known as the C locale.

That is the built-in default only when no variable is set at all. A freshly installed system does set one: the installer writes LANG (en_US.UTF-8 on an English install, zh_CN.UTF-8 on a Chinese one) into the system locale file, and every login shell picks it up from there. The POSIX definitions of locale and of the POSIX locale are here if you want to dig in:
http://pubs.opengroup.org/onlinepubs/007908799/xbd/locale.html
http://pubs.opengroup.org/onlinepubs/007908799/xbd/locale.html#tag_005_002

My understanding is that a locale is, among other things, a character encoding. The POSIX locale is single-byte ASCII with no notion of Chinese, so a program running under it handles each byte of a UTF-8 or GBK Chinese file separately, and the text comes out as mojibake.

And what is the difference between LANG and LANGUAGE?

LANG - Specifies the default locale for all unset locale variables
LANGUAGE - Most programs use this for the language of its interface
LANGUAGE is a GNU gettext extension: a colon-separated priority list of languages for translated messages, for example LANGUAGE=zh_CN:en, consulted before LC_MESSAGES and ignored when the locale is C/POSIX. LANG, by contrast, is a low-priority global variable that supplies the default for every locale category that is not set explicitly.

Basic locale commands

### Show the current locale settings
[root@toy ~]# locale


### List all installed locales
[root@room9pc01 ~]# locale -a
### or list only the Chinese locales the system supports
[root@toy ~]# localectl list-locales | grep zh


### Show the current system locale configuration
[root@toy ~]# localectl status
   System Locale: LANG=zh_CN.utf8
       VC Keymap: cn
      X11 Layout: cn


### Set the system locale; this writes /etc/locale.conf, which by default holds a single line, LANG=en_US.UTF-8
[root@toy ~]# localectl set-locale LANG=zh_CN.utf8
### Check what the previous command wrote.
### Note: on CentOS 6 the file is /etc/sysconfig/i18n; on CentOS 7 it is /etc/locale.conf
[root@toy ~]# cat /etc/locale.conf
LANG=zh_CN.utf8


### The new value applies to new login sessions: start a new shell, or export LANG in the current one. A reboot is not needed. ###

Locale problem analysis

1. Where the value comes from: macOS Terminal.app exports LC_CTYPE=UTF-8 into every new terminal (the profile's text encoding, with no language or territory in front of it; this is the "Set locale environment variables on startup" option in the profile's Advanced tab). The ssh client forwards it because macOS's /etc/ssh/ssh_config contains SendEnv LANG LC_*, and CentOS's default /etc/ssh/sshd_config accepts it with matching AcceptEnv LANG LC_CTYPE ... lines. LANG is not sent, because it is empty on the Mac.
2. Applying the precedence rules: LC_ALL is unset, so glibc looks at LC_CTYPE itself. Its value, UTF-8, is not a locale name; the installed names all have the form language_TERRITORY.codeset, so nothing matches and setlocale() fails for LC_CTYPE. The locale output even tells you where each value came from: LC_CTYPE=UTF-8 is printed without quotes because it was set explicitly in the environment, while the quoted values were derived from LANG.

### locale -a lists the installed locales; note the spelling: codesets are lower-case with no hyphen (utf8, iso88591).
[root@localhost ~]# locale -a
aa_DJ
aa_DJ.iso88591
aa_DJ.utf8
aa_ER
aa_ER@saaho
aa_ER.utf8
aa_ER.utf8@saaho
aa_ET
...

locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
The first line says the LC_CTYPE locale could not be found. The second follows from the first: setlocale(LC_ALL, "") succeeds only if every category can be set, so one bad category fails the whole call.
3. The consequence is worse than the warning suggests. With glibc, a program that calls setlocale(LC_ALL, "") and gets NULL back stays entirely in the C locale; it does not quietly fall back to LANG. That is why Chinese text prints as garbage in such a session even though LANG=en_US.UTF-8 is perfectly valid, and why bash, Perl and other tools print their own setlocale warnings at startup.

4. Neither /etc/sysconfig/i18n (CentOS 6) nor /etc/locale.conf (CentOS 7) sets LC_CTYPE by default; both contain only LANG. So nothing on the server overrides the value the client sent, and the session inherits the Mac's LC_CTYPE unchanged.
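As an added example (not part of the original post), the following POSIX shell script makes the precedence rules and the analysis above checkable: effective_locale applies LC_ALL > LC_* > LANG > C to a set of NAME=VALUE pairs, valid_locale_name rejects values such as UTF-8 that lack the language part, normalize_locale converts a name to the spelling locale -a prints, and bad_locale_vars reports which variables in a session carry an unusable value. The NAME=VALUE pairs in demo reproduce the macOS to CentOS session shown above and are constructed, not captured from a real host; check_current_env is the variant to run inside a misbehaving SSH session.

```shell
#!/bin/sh
# Added example: locale precedence and sanity checks for an SSH session.
# Pure POSIX sh (plus grep -E and tr), so it runs on CentOS 6/7 and macOS.
set -eu

LOCALE_VARS="LANG LC_ALL LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY \
LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT LC_IDENTIFICATION"

# _lookup NAME PAIR... : print the value of NAME from NAME=VALUE pairs.
# Returns 1 when NAME is absent; an empty value counts as unset, like glibc.
_lookup() {
    want=$1; shift
    for pair in "$@"; do
        case "$pair" in
            "$want="*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# effective_locale CATEGORY PAIR... : the locale glibc would use for CATEGORY,
# following LC_ALL > LC_<CATEGORY> > LANG > "C".
effective_locale() {
    category=$1; shift
    for name in LC_ALL "$category" LANG; do
        val=$(_lookup "$name" "$@") || val=""
        if [ -n "$val" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    done
    printf 'C\n'
}

# valid_locale_name NAME : 0 if NAME has the shape
# language[_TERRITORY][.codeset][@modifier], or is C/POSIX.
# "UTF-8" on its own has no language part and is rejected.
valid_locale_name() {
    case "$1" in
        C|C.*|POSIX) return 0 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[a-z]{2,3}(_[A-Z]{2})?(\.[A-Za-z0-9-]+)?(@[A-Za-z0-9]+)?$'
}

# normalize_locale NAME : spell NAME the way "locale -a" prints it, codeset
# lower-cased with hyphens removed (en_US.UTF-8 -> en_US.utf8).
normalize_locale() {
    case "$1" in
        *.*)
            lang=${1%%.*}
            rest=${1#*.}
            modifier=""
            case "$rest" in
                *@*) modifier="@${rest#*@}"; rest=${rest%%@*} ;;
            esac
            codeset=$(printf '%s' "$rest" | tr '[:upper:]' '[:lower:]' | tr -d '-')
            printf '%s.%s%s\n' "$lang" "$codeset" "$modifier" ;;
        *)
            printf '%s\n' "$1" ;;
    esac
}

# locale_installed NAME : 0 if "locale -a" on this host lists NAME,
# 1 if not, 2 if the locale command is unavailable.
locale_installed() {
    command -v locale >/dev/null 2>&1 || return 2
    locale -a 2>/dev/null | grep -qx "$(normalize_locale "$1")"
}

# bad_locale_vars PAIR... : print the names of locale variables whose value
# is not a well-formed locale name (the LC_CTYPE=UTF-8 case).
bad_locale_vars() {
    for pair in "$@"; do
        name=${pair%%=*}
        val=${pair#*=}
        case " $LOCALE_VARS " in
            *" $name "*) ;;
            *) continue ;;
        esac
        [ -n "$val" ] || continue
        valid_locale_name "$val" || printf '%s\n' "$name"
    done
    return 0
}

# check_current_env : run bad_locale_vars on the live environment.
check_current_env() {
    bad_locale_vars $(env | grep -E '^(LANG|LC_[A-Z]+)=' || true)
}

# Constructed reproduction of the page's macOS -> CentOS session: the server's
# /etc/locale.conf supplied LANG, Terminal.app sent LC_CTYPE=UTF-8 over SSH.
demo() {
    set -- LANG=en_US.UTF-8 LC_CTYPE=UTF-8
    printf 'effective LC_CTYPE   : %s\n' "$(effective_locale LC_CTYPE "$@")"
    printf 'effective LC_MESSAGES: %s\n' "$(effective_locale LC_MESSAGES "$@")"
    printf 'malformed variables  : %s\n' "$(bad_locale_vars "$@" | tr '\n' ' ')"
}

demo
```

The validity check is deliberately syntactic: it catches the "no language part" mistake offline, and locale_installed is the separate, host-specific step that asks locale -a whether the name is actually compiled in.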

Locale problem solutions

1. Pin LC_CTYPE on the remote host. Add LC_CTYPE to the server's locale file so the login shell exports a valid value instead of the one that arrived over SSH.

On CentOS 6 the system-wide locale settings live in /etc/sysconfig/i18n:
$ vim /etc/sysconfig/i18n
add the line LC_CTYPE="en_US.UTF-8"
Log out and back in; the file is read at login, so a reboot is not needed.


CentOS 7 has no /etc/sysconfig/i18n; /etc/locale.conf plays the same role.
Add LC_CTYPE="en_US.UTF-8" there and log in again.
Caveat: on CentOS 7 the file is read by /etc/profile.d/lang.sh, which skips /etc/locale.conf when LANG already arrived in the environment. The fix works in the case above because the Mac sends only LC_CTYPE; a client that also sends LANG would keep its own LC_CTYPE, and you would need one of the options below.

2. Stop the client from forwarding LC_CTYPE.
On the client, edit /etc/ssh/ssh_config, find SendEnv LANG LC_* and comment it out. Alternatively, untick "Set locale environment variables on startup" in the Terminal.app profile so LC_CTYPE is never exported in the first place. The server-side counterpart, which protects every user of the host rather than one client, is to remove LC_* from the AcceptEnv lines in /etc/ssh/sshd_config and restart sshd; the session environment then comes from the server's own configuration only.

3. Fix the client's LC_CTYPE so that a complete locale name, LC_CTYPE=en_US.UTF-8, is what gets forwarded; the remote host can then resolve it.

4. Generate the missing locale on the remote host so that the name can be found.

Example (Debian/Ubuntu):
edit /etc/locale.gen and uncomment the line en_US.UTF-8 UTF-8
run locale-gen
locale-gen is a Debian/Ubuntu tool and does not exist on CentOS; the CentOS equivalent is localedef, for example localedef -i en_US -f UTF-8 en_US.UTF-8, although CentOS 7 already ships en_US.UTF-8 in its locale archive. This option only helps when a real locale such as en_US.UTF-8 is missing; it cannot satisfy LC_CTYPE=UTF-8, because UTF-8 on its own is not a locale name that any generated file would match.
http://manpages.ubuntu.com/manpages/bionic/man8/locale-gen.8.html
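The following shell script, added here and not part of the original post, applies options 1 and 2 on the server side the way I would on a real host: set_kv adds or replaces LC_CTYPE in a locale.conf-style file, strip_acceptenv_lc removes LC_* from the AcceptEnv lines of an sshd_config so the client's LC_CTYPE is never imported, and locale_is_clean checks whether a given environment still makes glibc complain. Both editors write through a temporary file and rename, and take the file path as an argument so they can be tried on a copy first. The sshd_config lines used in demo are a constructed excerpt modelled on the CentOS 7 default, not copied from a specific host.

```shell
#!/bin/sh
# Added example: server-side locale fixes for CentOS 7, applied idempotently.
set -eu

# _install_file TMP DEST MODE : set the permission bits and rename atomically,
# so a crash mid-write cannot leave a half-written config behind.
_install_file() {
    chmod "$3" "$1"
    mv "$1" "$2"
}

# set_kv FILE KEY VALUE : in a KEY=VALUE file such as /etc/locale.conf,
# replace the existing KEY line or append one. The file is left 0644 because
# /etc/profile.d/lang.sh sources it for every user at login.
set_kv() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp "${file}.XXXXXX")
    if [ -f "$file" ]; then
        awk -v k="$key" -v v="$value" '
            BEGIN { FS = "="; done = 0 }
            $1 == k { print k "=" v; done = 1; next }
                    { print }
            END     { if (!done) print k "=" v }
        ' "$file" > "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" > "$tmp"
    fi
    _install_file "$tmp" "$file" 0644
}

# strip_acceptenv_lc FILE : drop every LC_* token from AcceptEnv lines in an
# sshd_config, removing lines that end up empty; other directives are untouched.
# Run "sshd -t" and then "systemctl restart sshd" afterwards.
strip_acceptenv_lc() {
    file=$1
    tmp=$(mktemp "${file}.XXXXXX")
    awk '
        /^[[:space:]]*AcceptEnv[[:space:]]/ {
            out = "AcceptEnv"
            for (i = 2; i <= NF; i++)
                if ($i !~ /^LC_/) out = out " " $i
            if (out != "AcceptEnv") print out
            next
        }
        { print }
    ' "$file" > "$tmp"
    _install_file "$tmp" "$file" 0600
}

# locale_is_clean PAIR... : start an empty environment holding only the given
# NAME=VALUE pairs and report whether "locale" still prints a setlocale error.
# Returns 0 when clean, 1 when glibc complains. Assumes the locale command exists.
locale_is_clean() {
    ! env -i "$@" locale 2>&1 | grep -q 'Cannot set'
}

# Usage on a real CentOS 7 host (as root):
#   set_kv /etc/locale.conf LC_CTYPE en_US.UTF-8
#   strip_acceptenv_lc /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
#   locale_is_clean LANG=en_US.UTF-8 LC_CTYPE=UTF-8 || echo "still broken"
# The demo below exercises the two editors on copies in a temp directory with a
# constructed sshd_config excerpt modelled on the CentOS 7 default.
demo() {
    work=$(mktemp -d)
    printf 'LANG=en_US.UTF-8\n' > "$work/locale.conf"
    set_kv "$work/locale.conf" LC_CTYPE en_US.UTF-8
    printf '%s\n' \
        'AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES' \
        'AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT' \
        'AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE' \
        'AcceptEnv XMODIFIERS' \
        'PermitRootLogin no' > "$work/sshd_config"
    strip_acceptenv_lc "$work/sshd_config"
    echo "--- locale.conf ---"; cat "$work/locale.conf"
    echo "--- sshd_config ---"; cat "$work/sshd_config"
    rm -rf "$work"
}

demo
```

Keeping LANG in AcceptEnv while dropping LC_* matches what the page's option 1 relies on: the server's /etc/locale.conf fills in LC_CTYPE, and a client can still ask for its preferred message language without being able to hand the host an unresolvable charset.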

References:

https://www.cloudbility.com/club/7195.html
https://www.jianshu.com/p/fb6c5d747700
https://www.jianshu.com/p/2b24861be987
https://blog.csdn.net/lemontree1945/article/details/80088986
https://www.cnblogs.com/xlmeng1988/archive/2013/01/16/locale.html