CentOS7配置

Setup

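# Replace every yum repo definition with mirror copies, then refresh and install the base tool set.
# NOTE(review): the .repo files are fetched over plain HTTP, so the baseurl/gpgkey/gpgcheck values
# inside them are not authenticated in transit; package signature checks (gpgcheck=1) are the
# remaining integrity control — look at the grep output below before running the update.
rm -f /etc/yum.repos.d/*.repo
# curl -fL "http://mirrors.aliyun.com/repo/Centos-7.repo" -o /etc/yum.repos.d/Centos-7-Ali.repo
# -f: a 4xx/5xx answer fails the download instead of being saved as a .repo file
# (without it a failed fetch leaves a bogus repo file behind, right after all repos were deleted).
curl -fL "http://mirrors.163.com/.help/CentOS7-Base-163.repo" -o /etc/yum.repos.d/CentOS7-Base-163.repo
curl -fL "http://mirrors.aliyun.com/repo/epel-7.repo" -o /etc/yum.repos.d/epel-7-Ali.repo
curl -fL "http://mirrors.bfsu.edu.cn/docker-ce/linux/centos/docker-ce.repo" -o /etc/yum.repos.d/docker-ce.repo
# Re-point the downloaded definitions at the bfsu mirror (docker-ce: first match per line only, as before).
sed -i 's/mirrors.163.com/mirrors.bfsu.edu.cn/g' /etc/yum.repos.d/CentOS7-Base-163.repo
sed -i 's/mirrors.aliyun.com/mirrors.bfsu.edu.cn/g' /etc/yum.repos.d/epel-7-Ali.repo
sed -i 's|https://download.docker.com|http://mirrors.bfsu.edu.cn/docker-ce|' /etc/yum.repos.d/docker-ce.repo
# Show which repos still verify package signatures before trusting them for an update.
grep -H '^gpgcheck' /etc/yum.repos.d/*.repo

yum clean all
yum update -y
# yum-utils was listed twice in the original package list.
yum install -y dnf yum-utils device-mapper-persistent-data lvm2 axel zstd git make gcc net-tools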

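# Second pass after `yum update` (presumably because the update re-creates the stock repo files).
# NOTE(review): unlike the first pass this does not redirect the 163/aliyun baseurls to bfsu —
# confirm that is intended. Same transport caveat as above: the .repo files arrive over plain HTTP.
rm -f /etc/yum.repos.d/*.repo
# -f: fail on HTTP errors rather than saving an error page as a repo definition
curl -fL "http://mirrors.163.com/.help/CentOS7-Base-163.repo" -o /etc/yum.repos.d/CentOS7-Base-163.repo
curl -fL "http://mirrors.aliyun.com/repo/epel-7.repo" -o /etc/yum.repos.d/epel-7-Ali.repo
curl -fL "http://mirrors.bfsu.edu.cn/docker-ce/linux/centos/docker-ce.repo" -o /etc/yum.repos.d/docker-ce.repo
sed -i 's|https://download.docker.com|http://mirrors.bfsu.edu.cn/docker-ce|' /etc/yum.repos.d/docker-ce.repo
# Show which repos verify package signatures.
grep -H '^gpgcheck' /etc/yum.repos.d/*.repo

yum clean all
yum update -y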

恢复repos
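# Reinstall centos-release to restore the stock CentOS-*.repo files.
# Import the distro signing key first: with the key present rpm enforces the package
# signature; without it rpm only warns (NOKEY) and installs anyway.
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
# NOTE(review): CentOS 7 is end-of-life — confirm this mirror URL still serves the package.
rpm -iv --replacepkgs http://mirror.centos.org/centos/7/updates/x86_64/Packages/centos-release-7-9.2009.1.el7.centos.x86_64.rpm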

Docker

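# Install Docker CE. The original ran both convenience-script forms and both yum lines;
# they are alternatives — the ones kept active cover what the commented ones installed.
# -fsSL replaces -skL: never disable TLS verification (-k) for a script that is executed as root.
sh <(curl -fsSL https://get.docker.com/)
# curl -fsSL https://get.docker.com/ | bash   # equivalent pipe form of the line above
# Package install from the docker-ce repo configured in Setup (superset of the shorter list).
yum install -y -q docker-ce docker-ce-cli containerd.io docker-scan-plugin docker-compose-plugin docker-ce-rootless-extras docker-buildx-plugin
# yum install docker-ce docker-ce-cli containerd.io docker-compose-plugin -y
#DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
#mkdir -p $DOCKER_CONFIG/cli-plugins
#curl -SL https://get.daocloud.io/docker/compose/releases/download/v2.4.1/docker-compose-linux-x86_64 -o $DOCKER_CONFIG/cli-plugins/docker-compose
#chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose
#curl -SL https://get.daocloud.io/docker/compose/releases/download/v2.9.0/docker-compose-linux-x86_64 -o /usr/libexec/docker/cli-plugins/docker-compose

# Daemon config: write it BEFORE the first start so a single start picks it up
# (the original started, enabled, reloaded and then restarted).
# "graph" is the deprecated spelling of "data-root"; the data root must exist.
# NOTE(review): the registry mirror is plain http — tag-to-image resolution through it is not
# authenticated in transit (only pulls by digest are self-verifying).
mkdir -p /etc/docker/ /home/lab/docker/store
tee /etc/docker/daemon.json <<'EOF'
{"data-root":"/home/lab/docker/store","registry-mirrors":["http://hub-mirror.c.163.com"]}
EOF
# Fail early on a malformed daemon.json instead of at dockerd start.
python -m json.tool /etc/docker/daemon.json >/dev/null

systemctl daemon-reload
# (no `enable --now`: CentOS 7's systemd predates that flag)
systemctl enable docker
systemctl start docker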

Docker 调试命令

# Run the daemon in the foreground with debug logging (-D is the short form of --debug).
dockerd -D

常用Docker框架 Docker Compose Setup

# Standalone Portainer CE (the compose variant further down is the alternative).
docker volume create portainer_data
# The bind-mounted Docker socket gives the container full control of the engine
# (root-equivalent on the host); port 9000 is published on all interfaces.
docker run -d \
  --name=portainer \
  --restart=unless-stopped \
  -p 9000:9000 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v portainer_data:/data \
  portainer/portainer-ce:2.18.1-alpine


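# Nginx Proxy Manager on its own bridge network with a fixed address (172.16.0.2).
docker network create --driver=bridge --subnet=172.16.0.1/24 --gateway=172.16.0.1 npm
npm_dir=/compose/172_016_000_002_npm
mkdir -p "${npm_dir}/data/nginx/custom"
# The bind-mount target must exist as a file, otherwise Docker creates a directory in its place.
# NOTE(review): an empty production.json may not be a valid config for the image — confirm.
touch "${npm_dir}/config.json"
# Quoted delimiter: the YAML is written literally, no shell expansion (the original's
# unquoted EOF happened to work only because the content has no `$`).
tee "${npm_dir}/docker-compose.yml" <<'EOF'
services:
  app:
    image: jc21/nginx-proxy-manager:latest
    container_name: npm
    hostname: npm
    restart: unless-stopped
    dns:
      - 114.114.114.114
    ports:
      - "80:80"
      - "81:81"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./data:/data
      - ./config.json:/app/config/production.json
#    environment:
#      - discovery.type=single-node
#    environment:
#      SERVICE_PRECONDITION: "namenode:50070"
#    env_file:
#      - .env
    networks:
      npm:
        ipv4_address: 172.16.0.2
    logging:
      driver: json-file
      options:
        max-size: 100m
        # NOTE(review): compose may require logging option values as strings ("5") — confirm
        max-file: 5
#    ulimits:
#      memlock:
#        soft: -1
#        hard: -1
#      nofile:
#        soft: 65536
#        hard: 65536
#    mem_limit: 1g
#    extra_host:
#      - "npm:172.16.0.2"
#    healthcheck:
#      test: ["CMD-SHELL","wget -q --spider --proxy off 127.0.0.1:81||exit 1"]
#      interval: 30s
#      timeout: 5s
#      retries: 5
networks:
  npm:
    external: true
EOF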


# /data/nginx/custom/root.conf:包含在nginx.conf的最末尾
# /data/nginx/custom/http_top.conf:包含在主http块的顶部
# /data/nginx/custom/http.conf:包含在主http块的末尾
# /data/nginx/custom/stream.conf:包含在主流块的末尾
# /data/nginx/custom/server_proxy.conf:包含在每个代理服务器块的末尾
# /data/nginx/custom/server_redirect.conf:包含在每个重定向服务器块的末尾
# /data/nginx/custom/server_stream.conf:包含在每个流服务器块的末尾
# /data/nginx/custom/server_stream_tcp.conf:包含在每个TCP流服务器块的末尾
# /data/nginx/custom/server_stream_udp.conf:包含在每个UDP流服务器块的末尾

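# Portainer CE behind NPM on the same bridge network (172.16.0.3); no host ports published.
portainer_dir=/compose/172_016_000_003_portainer
# ./data is bind-mounted below; create it up front so it is not auto-created root-owned later.
mkdir -p "${portainer_dir}/data"
# Quoted delimiter: the YAML is written literally, no shell expansion.
tee "${portainer_dir}/docker-compose.yml" <<'EOF'
services:
  app:
    image: portainer/portainer-ce:2.11.1-alpine
    container_name: portainer
    hostname: portainer
    restart: unless-stopped
    dns:
      - 114.114.114.114
#    ports:
#      - "9000:9000"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # the Docker socket grants the container full (root-equivalent) control of the host engine
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/data
#    environments:
#    env_file:
#      - .env
    networks:
      npm:
        ipv4_address: 172.16.0.3
    logging:
      driver: json-file
      options:
        max-size: 100m
        # NOTE(review): compose may require logging option values as strings ("5") — confirm
        max-file: 5
#    extra_host:
#      - "npm:172.16.0.3"
    healthcheck:
      # NOTE(review): relies on wget being present inside this image tag — confirm
      test: ["CMD-SHELL","wget -q --spider --proxy off 127.0.0.1:9000||exit 1"]
      interval: 30s
      timeout: 5s
networks:
  npm:
    external: true
EOF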

BBR

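# BBR needs a newer kernel than CentOS 7's 3.10: install kernel-ml from ELRepo.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
# The key imported above makes rpm enforce this package's signature; use TLS for the transport as well.
rpm -Uvh https://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml -y
# List the boot entries; the new kernel is expected at index 0 — check the listing before set-default.
awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
grub2-set-default 0
reboot

# Only after booting into kernel-ml: remove the other kernel packages. Running this before the
# reboot would remove the just-installed kernel-ml instead. The grep also matches kernel-tools,
# kernel-headers etc., so review the candidate list first.
rpm -qa | grep kernel | grep -v "$(uname -r)"
# shellcheck disable=SC2046  # word-splitting the package list is intended
yum remove $(rpm -qa | grep kernel | grep -v "$(uname -r)")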

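# Enable BBR congestion control (requires the kernel-ml install above).
# The original edited /etc/sysctl.conf by hand in vi; append the two settings once instead,
# skipping the append if a congestion_control line is already present.
grep -q '^net.ipv4.tcp_congestion_control' /etc/sysctl.conf || tee -a /etc/sysctl.conf <<'EOF'
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
EOF
sysctl -p
# "bbr" must appear in this list, otherwise the running kernel has no BBR module and the
# setting above did not take effect.
sysctl net.ipv4.tcp_available_congestion_control
sysctl net.ipv4.tcp_congestion_control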

proxychains

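# Build proxychains-ng from source and install it system-wide.
# NOTE(review): this builds whatever the git default branch currently is — pin a release tag
# or commit for a reproducible (and reviewable) build.
git clone https://github.com/rofl0r/proxychains-ng.git --depth=1 /opt/proxychains
# Subshell: a failed cd aborts the build steps instead of running configure/make in the
# wrong directory, and the caller's cwd is left untouched.
(
  cd /opt/proxychains || exit 1
  ./configure --prefix=/usr --sysconfdir=/etc
  make && make install
  make install-config
)
rm -rf /opt/proxychains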

Node.js 可能有Bug 不支持高版本Node

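# Node.js from a release tarball, symlinked into /usr/bin.
node_ver=v18.0.0
node_pkg="node-${node_ver}-linux-x64"
# NOTE(review): the mirror's "latest/" directory holds only the current release, so a fixed
# filename under it is likely to 404 now — confirm the path (or use the versioned directory).
# -f: fail on HTTP errors instead of extracting an error page as a tarball.
curl -fL "https://npm.taobao.org/mirrors/node/latest/${node_pkg}.tar.gz" -o "/opt/${node_pkg}.tar.gz"
# NOTE(review): no integrity check — compare the tarball against the release's SHASUMS256.txt
# before extracting.
tar -xzf "/opt/${node_pkg}.tar.gz" -C /usr/local/src/
rm -f "/opt/${node_pkg}.tar.gz"
# -f: re-running the steps replaces stale links instead of failing on "File exists".
for tool in node npm npx; do
  ln -sf "/usr/local/src/${node_pkg}/bin/${tool}" "/usr/bin/${tool}"
done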

# 方法2
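# Method 2 (Debian/Ubuntu only — apt, not yum). Save the NodeSource setup script to a file
# and read it before it runs as root, rather than piping the download straight into sudo bash.
setup_script=$(mktemp)
curl -fsSL https://deb.nodesource.com/setup_18.x -o "${setup_script}"
less "${setup_script}"
sudo -E bash "${setup_script}"
rm -f "${setup_script}"
sudo apt update
sudo apt install nodejs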


ssh 防爆破

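# sshguard (EPEL) bans sources that repeatedly fail sshd authentication, using a firewalld ipset.
yum install sshguard
# Write the config non-interactively (the original described creating the file by hand).
# Quoted delimiter: the quoted values are stored literally.
tee /etc/sshguard.conf <<'EOF'
BACKEND="/usr/libexec/sshguard/sshg-fw-firewalld"
#FILES="/var/log/auth.log /var/log/authlog /var/log/maillog"
LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat"
THRESHOLD=10
BLOCK_TIME=120
DETECTION_TIME=1800
IPV4_SUBNET=32
EOF
# Firewall: the ipset the firewalld backend populates (presumably sshguard4 is the name the
# backend expects for IPv4 — confirm against the backend script).
firewall-cmd --permanent --new-ipset="sshguard4" --type="hash:net" --option="family=inet"
firewall-cmd --reload
# Enable as well as restart, otherwise the protection is gone after the next reboot.
systemctl enable sshguard
systemctl restart sshguard
firewall-cmd --info-ipset=sshguard4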

golang

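# Go toolchain: unpack the release tarball (download step not shown) and put it on PATH.
tar -C /usr/local -xzf go1.15.6.linux-amd64.tar.gz
# Append to the login profile once instead of editing it by hand (use ~/.zshrc for zsh).
# Quoted delimiter keeps $PATH and ${user} unexpanded so they resolve at login time.
profile=~/.bash_profile
grep -q '/usr/local/go/bin' "${profile}" || tee -a "${profile}" <<'EOF'

export PATH=$PATH:/usr/local/go/bin

# ${user} is a placeholder: replace it with the Windows account name (WSL /mnt/c path)
export GOPATH="/mnt/c/Users/${user}/directory/to/your/golang/workspace"
EOF

source ~/.bash_profile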

内核更新

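# Kernel upgrade via ELRepo kernel-ml (same mechanism as the BBR section).
# Import the ELRepo key first: yum does not verify signatures of packages given as a URL/local
# file unless localpkg_gpgcheck is enabled, whereas rpm checks against imported keys.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml -y
# List the boot entries; the new kernel is expected at index 0 — verify before set-default.
awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
grub2-set-default 0
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot

# Only after the new kernel has booted successfully: drop the old kernel packages.
# The original ran this before the reboot, leaving no tested kernel to fall back to
# (yum normally skips the running kernel, so it mostly removed kernel-tools at that point).
yum -y remove kernel kernel-tools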
# 转载自https://blog.csdn.net/shenyuanhaojie/article/details/121133181
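# Write a reusable upgrade script; quoted delimiter so $(...) is stored literally, not expanded now.
tee ./updateKernel.sh <<-'EOF'
#!/bin/bash
#------------------
# Install the ELRepo kernel-ml and make it the default boot entry.
# Key import first so the release package's signature is enforced by rpm; -y keeps the script non-interactive.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
yum install -y https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
# Test the command directly instead of inspecting $? afterwards.
if yum --enablerepo=elrepo-kernel install kernel-ml -y; then
  grub2-set-default 0 && grub2-mkconfig -o /etc/grub2.cfg
  # CentOS 7 ships with user namespaces disabled; this boot argument turns them on for the new default kernel.
  grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"
fi
echo "please reboot your system quick!!!"
EOF
chmod +x ./updateKernel.sh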

Linux 统计主机网络连接数

https://blog.csdn.net/shenyuanhaojie/article/details/125750390

# Count TCP connections per remote address and per state from `netstat -n`.
# /^tcp/ also matches tcp6 lines. Field NF-1 is the foreign address: "ip:port" splits into
# 2 parts for IPv4; for the longer IPv6-style form the 4th ":"-separated part is counted
# (presumably the embedded IPv4 address of "::ffff:a.b.c.d:port" — verify on your output).
netstat -n | awk '
  /^tcp/ {
    parts = split($(NF-1), addr, ":")
    if (parts <= 2) ++by_ip[addr[1]]; else ++by_ip[addr[4]]
    ++by_state[$NF]
    ++total
  }
  END {
    for (ip in by_ip) { printf("%-20s %s\n", ip, by_ip[ip]); ++ip_count }
    printf("%-20s %s\n", "TOTAL_IP", ip_count)
    for (st in by_state) printf("%-20s %s\n", st, by_state[st])
    printf("%-20s %s\n", "TOTAL_LINK", total)
  }'

Linux安全分析

https://github.com/al0ne

自定义局域网镜像

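# Mirror the CentOS 7 / EPEL / ELRepo trees from TUNA into the local repo root.
# --delete --delete-excluded prune the destination, so the destination root is guarded
# with :? (an empty value would otherwise turn the sync into a wipe of "/").
dest_root=/repo/CentOS7Repo
mirror_base=rsync://mirrors.tuna.tsinghua.edu.cn
# Common options as an array — never build command lines by string concatenation.
rsync_opts=(
  -av
  --exclude "java-*-openjdk-*" --exclude "firefox-*" --exclude "thunderbird-*"
  --exclude "libreoffice-*" --exclude "chromium-*" --exclude "debug"
  --delete --delete-excluded
)
# "remote path|local path" pairs, identical to the original six invocations.
for pair in \
  "centos/7/os/x86_64/|os/" \
  "centos/7/extras/x86_64/|extras" \
  "centos/7/updates/x86_64/|updates" \
  "centos/7/centosplus/x86_64/|centosplus" \
  "epel/7Server/x86_64/|epel/" \
  "elrepo/kernel/el7/x86_64/|elrepo/"; do
  rsync "${rsync_opts[@]}" "${mirror_base}/${pair%%|*}" "${dest_root:?}/${pair#*|}"
done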

# Make sure docker-ce.repo is installed first (Setup section): yumdownloader resolves the
# dependency closure from it. NOTE(review): nothing here checks package signatures — that
# only happens on the client side, and the private.repo below sets gpgcheck=0.
yumdownloader --resolve --destdir  /repo/CentOS7Repo/docker-ce/Packages docker-ce docker-ce-cli containerd.io docker-compose-plugin
# Full dependency closure (--alldeps): #dnf download docker-ce docker-ce-cli containerd.io docker-compose-plugin --destdir /repo/CentOS7Repo/docker-ce/Packages --alldeps --resolve


# Make sure the Microsoft repo package is installed first: rpm -Uvh https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm
# (import Microsoft's signing key before that rpm -Uvh so the signature is enforced rather than only warned about)
yumdownloader --resolve --destdir  /repo/CentOS7Repo/dotnet/Packages dotnet-runtime-2.1 dotnet-runtime-2.2 dotnet-runtime-3.0 dotnet-runtime-3.1 dotnet-runtime-5.0 dotnet-runtime-6.0 dotnet-sdk-2.1 dotnet-sdk-2.2 dotnet-sdk-3.0 dotnet-sdk-3.1 dotnet-sdk-5.0 dotnet-sdk-6.0
# Full dependency closure (--alldeps): #dnf download dotnet-runtime-2.1 dotnet-runtime-2.2 dotnet-runtime-3.0 dotnet-runtime-3.1 dotnet-runtime-5.0 dotnet-runtime-6.0 dotnet-sdk-2.1 dotnet-sdk-2.2 dotnet-sdk-3.0 dotnet-sdk-3.1 dotnet-sdk-5.0 dotnet-sdk-6.0  --destdir /repo/CentOS7Repo/dotnet/Packages --alldeps --resolve

# Make sure the nodejs repo is installed first.
# NOTE(review): this repo definition has no gpgcheck/gpgkey lines, so packages from it are
# fetched without any signature verification — add the NodeSource signing key before relying on it.
tee /etc/yum.repos.d/nodejs.repo <<-'EOF'
[node]
name=NodeJs Packages for Enterprise Linux 7 - $basearch
baseurl=https://rpm.nodesource.com/pub_16.x/el/7/$basearch
failovermethod=priority
enabled=1
EOF
yumdownloader --resolve --destdir  /repo/CentOS7Repo/nodejs/Packages nodejs

# Regenerate the repodata of each downloaded sub-repo.
for repo_name in docker-ce dotnet nodejs; do
  createrepo --update "/repo/CentOS7Repo/${repo_name}"
done

# Download (server -> local). X:\ is a Windows path, so these appear to be run from the Windows
# side (cmd/PowerShell); in bash the unquoted backslashes would be eaten as escapes.
# xxxxxxxx.com is a placeholder for the mirror host.
# NOTE(review): syncing as root over SFTP — a dedicated unprivileged sync user confined to /repo
# is the least-privilege setup. --sftp-ask-password keeps the password out of argv/history (good).
rclone sync -P --delete-excluded --sftp-host xxxxxxxx.com --sftp-user root --sftp-port 22 --sftp-ask-password :sftp:/repo/CentOS7Repo/ X:\repo\CentOS7Repo\ --size-only
# Same sync using a pre-configured rclone remote named "repo".
rclone sync -P --delete-excluded repo:/repo/CentOS7Repo/ X:\repo\CentOS7Repo\ --size-only
# Upload (local -> server); --delete-excluded prunes the remote side.
rclone sync -P --delete-excluded X:\repo\CentOS7Repo\ --sftp-host xxxxxxxx.com --sftp-user root --sftp-port 22 --sftp-ask-password :sftp:/repo/CentOS7Repo/ --size-only
rclone sync -P --delete-excluded X:\repo\CentOS7Repo\ repo:/repo/CentOS7Repo/ --size-only

# Private-network (offline) repo configuration. "replacementurl" is substituted by the sed below.
# NOTE(review): every section sets gpgcheck=0, so packages installed from this mirror are not
# signature-verified at all, and sslverify=0 is moot for file:// URLs. The synced RPMs still carry
# their upstream signatures; gpgcheck=1 with the matching keys (CentOS/EPEL/ELRepo/Docker/
# Microsoft/NodeSource) would restore that check — confirm which keys are present on the clients.
tee /etc/yum.repos.d/private.repo <<-'EOF'
[base]
name=CentOS-$releasever - Base - 163.com
baseurl=replacementurl/os/
gpgcheck=0
enabled=1
sslverify=0
[updates]
name=CentOS-$releasever - Updates - 163.com
baseurl=replacementurl/updates/
gpgcheck=0
enabled=1
sslverify=0
[extras]
name=CentOS-$releasever - Extras - 163.com
baseurl=replacementurl/extras/
gpgcheck=0
enabled=1
sslverify=0
[centosplus]
name=CentOS-$releasever - Plus - 163.com
baseurl=replacementurl/centosplus/
gpgcheck=0
enabled=1
sslverify=0
[epel]
name=Epel Packages for Enterprise Linux 7 - $basearch
baseurl=replacementurl/epel/
enabled=1
gpgcheck=0
sslverify=0
[elrepo-kernel]
name=ELRepo.org Community Enterprise Linux Kernel Repository - el7
baseurl=replacementurl/elrepo/
enabled=0
gpgcheck=0
sslverify=0
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=replacementurl/docker-ce/
enabled=1
gpgcheck=0
sslverify=0
[packages-microsoft-com-prod]
name=packages-microsoft-com-prod
baseurl=replacementurl/dotnet/
enabled=1
gpgcheck=0
sslverify=0
[node]
name=NodeJs Packages for Enterprise Linux 7 - $basearch
baseurl=replacementurl/nodejs/
enabled=1
gpgcheck=0
sslverify=0
EOF

# Point every baseurl at the local copy of the mirror (file:///repo/CentOS7Repo).
sed -i "s/replacementurl/file:\/\/\/repo\/CentOS7Repo/g" /etc/yum.repos.d/private.repo 

修改SELinux端口 SSH 启用RSA

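# Allow sshd on a non-default port under SELinux, then set up key-based login.
yum install policycoreutils-python
sestatus -v | grep SELinux
semanage port -l | grep ssh
# NOTE(review): this only labels 12345 for sshd; the Port line in /etc/ssh/sshd_config and the
# firewall rule for 12345 are not changed here — presumably done by hand before the restart.
semanage port -a -t ssh_port_t -p tcp 12345
semanage port -l | grep ssh
# sshd -t validates the config first; a bad config would otherwise take the only remote door down.
sshd -t && systemctl restart sshd
# Key pair without passphrase, as in the original (4096 bits instead of the CentOS 7 default 2048).
# Authorising the host's own public key means anyone who reads ~/.ssh/id_rsa can log in as this
# account — keep the private key out of backups/images, or generate the pair on the client instead.
mkdir -p -m 700 ~/.ssh
# Do not overwrite (and thus re-prompt on) an existing key.
[ -f ~/.ssh/id_rsa ] || ssh-keygen -t rsa -b 4096 -N "" -f ~/.ssh/id_rsa -q
sed -i 's/#PubkeyAuthentication/PubkeyAuthentication/' /etc/ssh/sshd_config
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
# sshd ignores authorized_keys that are group/world writable.
chmod 600 ~/.ssh/authorized_keys
sshd -t && systemctl restart sshd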

KALI docker

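# Kali / Debian host: locale + input method, then Docker CE from the official apt repo.
sudo dpkg-reconfigure locales
sudo apt install fcitx fcitx-table-wbpy
cat /proc/version
# Debian base releases — pick the codename matching the system for the repo line below:
# Debian 13 (Trixie)
# Debian 12 (bookworm)
# Debian 11 (bullseye)
# Debian 10 (buster)
# Debian 9 (stretch)
# Debian 8 (jessie)
# Kali reports its own codename in os-release, so the suite is set explicitly here (the original hard-coded buster).
debian_codename=buster

# Alternative: Docker's convenience script
# curl -fsSL https://get.docker.com -o get-docker.sh
# sudo sh get-docker.sh

sudo apt-get install software-properties-common dirmngr apt-transport-https ca-certificates

# Keep Docker's signing key scoped to this one repo (signed-by) instead of trusting it for every
# apt source, which is what dropping it into /etc/apt/trusted.gpg.d does.
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
# The original `echo ... > file` redirect runs unprivileged even with sudo elsewhere; tee via sudo instead.
echo "deb [signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian ${debian_codename} stable" | sudo tee /etc/apt/sources.list.d/docker.list
# apt update was missing: without it the new source is not seen by the install below.
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin -y
# docker group membership is root-equivalent on the host.
sudo gpasswd -a "${USER}" docker
newgrp - docker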