CentOS7配置
Setup
rm -f /etc/yum.repos.d/*.repo
# curl -L "http://mirrors.aliyun.com/repo/Centos-7.repo" -o /etc/yum.repos.d/Centos-7-Ali.repo
curl -L "http://mirrors.163.com/.help/CentOS7-Base-163.repo" -o /etc/yum.repos.d/CentOS7-Base-163.repo
curl -L "http://mirrors.aliyun.com/repo/epel-7.repo" -o /etc/yum.repos.d/epel-7-Ali.repo
curl -L "http://mirrors.bfsu.edu.cn/docker-ce/linux/centos/docker-ce.repo" -o /etc/yum.repos.d/docker-ce.repo
sed -i 's/mirrors.163.com/mirrors.bfsu.edu.cn/g' /etc/yum.repos.d/CentOS7-Base-163.repo
sed -i 's/mirrors.aliyun.com/mirrors.bfsu.edu.cn/g' /etc/yum.repos.d/epel-7-Ali.repo
sed -i 's/https:\/\/download.docker.com/http:\/\/mirrors.bfsu.edu.cn\/docker-ce/' /etc/yum.repos.d/docker-ce.repo
yum clean all
yum update -y
yum install dnf yum-utils device-mapper-persistent-data lvm2 axel zstd git make gcc yum-utils net-tools -y
rm -f /etc/yum.repos.d/*.repo
curl -L "http://mirrors.163.com/.help/CentOS7-Base-163.repo" -o /etc/yum.repos.d/CentOS7-Base-163.repo
curl -L "http://mirrors.aliyun.com/repo/epel-7.repo" -o /etc/yum.repos.d/epel-7-Ali.repo
curl -L "http://mirrors.bfsu.edu.cn/docker-ce/linux/centos/docker-ce.repo" -o /etc/yum.repos.d/docker-ce.repo
sed -i 's/https:\/\/download.docker.com/http:\/\/mirrors.bfsu.edu.cn\/docker-ce/' /etc/yum.repos.d/docker-ce.repo
yum clean all
yum update -y
恢复repos
rpm -iv --replacepkgs http://mirror.centos.org/centos/7/updates/x86_64/Packages/centos-release-7-9.2009.1.el7.centos.x86_64.rpm
Docker
sh <(curl -skL https://get.docker.com/)
curl -skL https://get.docker.com/ | bash
yum install -y -q docker-ce docker-ce-cli containerd.io docker-scan-plugin docker-compose-plugin docker-ce-rootless-extras docker-buildx-plugin
yum install docker-ce docker-ce-cli containerd.io docker-compose-plugin -y
#DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
#mkdir -p $DOCKER_CONFIG/cli-plugins
#curl -SL https://get.daocloud.io/docker/compose/releases/download/v2.4.1/docker-compose-linux-x86_64 -o $DOCKER_CONFIG/cli-plugins/docker-compose
#chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose
#curl -SL https://get.daocloud.io/docker/compose/releases/download/v2.9.0/docker-compose-linux-x86_64 -o /usr/libexec/docker/cli-plugins/docker-compose
mkdir -p /etc/docker/
touch /etc/docker/daemon.json
tee >/etc/docker/daemon.json <<EOF
{"graph":"/home/lab/docker/store","registry-mirrors":["http://hub-mirror.c.163.com"]}
EOF
systemctl start docker
systemctl enable docker
systemctl daemon-reload
systemctl restart docker
Docker 调试命令
dockerd --debug
常用Docker框架 Docker Compose Setup
docker volume create portainer_data
docker run -d -p 9000:9000 --name=portainer --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:2.18.1-alpine
docker network create --driver=bridge --subnet=172.16.0.1/24 --gateway=172.16.0.1 npm
#mkdir -p /compose/172_016_000_002_npm
mkdir -p /compose/172_016_000_002_npm/data/nginx/custom
touch /compose/172_016_000_002_npm/docker-compose.yml
touch /compose/172_016_000_002_npm/config.json
tee >/compose/172_016_000_002_npm/docker-compose.yml <<EOF
services:
app:
image: jc21/nginx-proxy-manager:latest
container_name: npm
hostname: npm
restart: unless-stopped
dns:
- 114.114.114.114
ports:
- "80:80"
- "81:81"
- "443:443"
volumes:
- /etc/localtime:/etc/localtime:ro
- ./data:/data
- ./config.json:/app/config/production.json
# environment:
# - discovery.type=single-node
# environment:
# SERVICE_PRECONDITION: "namenode:50070"
# env_file:
# - .env
networks:
npm:
ipv4_address: 172.16.0.2
logging:
driver: json-file
options:
max-size: 100m
max-file: 5
# ulimits:
# memlock:
# soft: -1
# hard: -1
# nofile:
# soft: 65536
# hard: 65536
# mem_limit: 1g
# extra_host:
# - "npm:172.16.0.2"
# healthcheck:
# test: ["CMD-SHELL","wget -q --spider --proxy off 127.0.0.1:81||exit 1"]
# interval: 30s
# timeout: 5s
# retries: 5
networks:
npm:
external: true
EOF
# /data/nginx/custom/root.conf:包含在nginx.conf的最末尾
# /data/nginx/custom/http_top.conf:包含在主http块的顶部
# /data/nginx/custom/http.conf:包含在主http块的末尾
# /data/nginx/custom/stream.conf:包含在主流块的末尾
# /data/nginx/custom/server_proxy.conf:包含在每个代理服务器块的末尾
# /data/nginx/custom/server_redirect.conf:包含在每个重定向服务器块的末尾
# /data/nginx/custom/server_stream.conf:包含在每个流服务器块的末尾
# /data/nginx/custom/server_stream_tcp.conf:包含在每个TCP流服务器块的末尾
# /data/nginx/custom/server_stream_udp.conf:包含在每个UDP流服务器块的末尾
mkdir -p /compose/172_016_000_003_portainer
touch /compose/172_016_000_003_portainer/docker-compose.yml
tee >/compose/172_016_000_003_portainer/docker-compose.yml <<EOF
services:
app:
image: portainer/portainer-ce:2.11.1-alpine
container_name: portainer
hostname: portainer
restart: unless-stopped
dns:
- 114.114.114.114
# ports:
# - "9000:9000"
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock
- ./data:/data
# environments:
# env_file:
# - .env
networks:
npm:
ipv4_address: 172.16.0.3
logging:
driver: json-file
options:
max-size: 100m
max-file: 5
# extra_host:
# - "npm:172.16.0.3"
healthcheck:
test: ["CMD-SHELL","wget -q --spider --proxy off 127.0.0.1:9000||exit 1"]
interval: 30s
timeout: 5s
networks:
npm:
external: true
EOF
BBR
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml -y
awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
grub2-set-default 0
reboot
yum remove $(rpm -qa | grep kernel | grep -v $(uname -r))
vi /etc/sysctl.conf
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
sysctl -p
sysctl net.ipv4.tcp_available_congestion_control
proxychains
git clone https://github.com/rofl0r/proxychains-ng.git --depth=1 /opt/proxychains
cd /opt/proxychains
./configure --prefix=/usr --sysconfdir=/etc
make && make install
make install-config
cd ~ && rm -rf /opt/proxychains
Node.js 可能有Bug 不支持高版本Node
curl -L "https://npm.taobao.org/mirrors/node/latest/node-v18.0.0-linux-x64.tar.gz" -o /opt/node-v18.0.0-linux-x64.tar.gz
tar -xzf /opt/node-v18.0.0-linux-x64.tar.gz -C /usr/local/src/
rm -f /opt/node-v18.0.0-linux-x64.tar.gz
ln -s /usr/local/src/node-v18.0.0-linux-x64/bin/node /usr/bin/node
ln -s /usr/local/src/node-v18.0.0-linux-x64/bin/npm /usr/bin/npm
ln -s /usr/local/src/node-v18.0.0-linux-x64/bin/npx /usr/bin/npx
//方法2
curl -sL https://deb.nodesource.com/setup_18.x | sudo -E bash -
apt update
apt install nodejs
ssh 防爆破
yum install sshguard
# 创建
/etc/sshguard.conf
#内容
BACKEND="/usr/libexec/sshguard/sshg-fw-firewalld"
#FILES="/var/log/auth.log /var/log/authlog /var/log/maillog"
LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat"
THRESHOLD=10
BLOCK_TIME=120
DETECTION_TIME=1800
IPV4_SUBNET=32
#防火墙
firewall-cmd --permanent --new-ipset="sshguard4" --type="hash:net" --option="family=inet"
firewall-cmd --reload
systemctl restart sshguard
firewall-cmd --info-ipset=sshguard4
golang
tar -C /usr/local -xzf go1.15.6.linux-amd64.tar.gz
vim ~/.bash_profile
或者
vim ~/.zshrc
export PATH=$PATH:/usr/local/go/bin
export GOPATH="/mnt/c/Users/${user}/directory/to/your/golang/workspace"
source ~/.bash_profile
内核更新
yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml -y
awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
grub2-set-default 0
grub2-mkconfig -o /boot/grub2/grub.cfg
yum -y remove kernel kernel-tools
reboot
# 转载自https://blog.csdn.net/shenyuanhaojie/article/details/121133181
tee ./updateKernel.sh <<-'EOF'
#!/bin/bash
#------------------
yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml -y
if [ $? -eq 0 ];then
grub2-set-default 0 && grub2-mkconfig -o /etc/grub2.cfg
grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"
fi
echo "please reboot your system quick!!!"
EOF
Linux 统计主机网络连接数
https://blog.csdn.net/shenyuanhaojie/article/details/125750390
netstat -n | awk '/^tcp/ {n=split($(NF-1),array,":");if(n<=2)++S[array[(1)]];else++S[array[(4)]];++s[$NF];++N} END {for(a in S){printf("%-20s %s\n", a, S[a]);++I}printf("%-20s %s\n","TOTAL_IP",I);for(a in s) printf("%-20s %s\n",a, s[a]);printf("%-20s %s\n","TOTAL_LINK",N);}'
Linux安全分析
自定义局域网镜像
rsync -av --exclude "java-*-openjdk-*" --exclude "firefox-*" --exclude "thunderbird-*" --exclude "libreoffice-*" --exclude "chromium-*" --exclude "debug" --delete --delete-excluded rsync://mirrors.tuna.tsinghua.edu.cn/centos/7/os/x86_64/ /repo/CentOS7Repo/os/
rsync -av --exclude "java-*-openjdk-*" --exclude "firefox-*" --exclude "thunderbird-*" --exclude "libreoffice-*" --exclude "chromium-*" --exclude "debug" --delete --delete-excluded rsync://mirrors.tuna.tsinghua.edu.cn/centos/7/extras/x86_64/ /repo/CentOS7Repo/extras
rsync -av --exclude "java-*-openjdk-*" --exclude "firefox-*" --exclude "thunderbird-*" --exclude "libreoffice-*" --exclude "chromium-*" --exclude "debug" --delete --delete-excluded rsync://mirrors.tuna.tsinghua.edu.cn/centos/7/updates/x86_64/ /repo/CentOS7Repo/updates
rsync -av --exclude "java-*-openjdk-*" --exclude "firefox-*" --exclude "thunderbird-*" --exclude "libreoffice-*" --exclude "chromium-*" --exclude "debug" --delete --delete-excluded rsync://mirrors.tuna.tsinghua.edu.cn/centos/7/centosplus/x86_64/ /repo/CentOS7Repo/centosplus
rsync -av --exclude "java-*-openjdk-*" --exclude "firefox-*" --exclude "thunderbird-*" --exclude "libreoffice-*" --exclude "chromium-*" --exclude "debug" --delete --delete-excluded rsync://mirrors.tuna.tsinghua.edu.cn/epel/7Server/x86_64/ /repo/CentOS7Repo/epel/
rsync -av --exclude "java-*-openjdk-*" --exclude "firefox-*" --exclude "thunderbird-*" --exclude "libreoffice-*" --exclude "chromium-*" --exclude "debug" --delete --delete-excluded rsync://mirrors.tuna.tsinghua.edu.cn/elrepo/kernel/el7/x86_64/ /repo/CentOS7Repo/elrepo/
# 确保 docker-ce.repo 安装完毕
yumdownloader --resolve --destdir /repo/CentOS7Repo/docker-ce/Packages docker-ce docker-ce-cli containerd.io docker-compose-plugin
# 全量 #dnf download docker-ce docker-ce-cli containerd.io docker-compose-plugin --destdir /repo/CentOS7Repo/docker-ce/Packages --alldeps --resolve
# 确保 packages-microsoft-prod 安装完毕 rpm -Uvh https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm
yumdownloader --resolve --destdir /repo/CentOS7Repo/dotnet/Packages dotnet-runtime-2.1 dotnet-runtime-2.2 dotnet-runtime-3.0 dotnet-runtime-3.1 dotnet-runtime-5.0 dotnet-runtime-6.0 dotnet-sdk-2.1 dotnet-sdk-2.2 dotnet-sdk-3.0 dotnet-sdk-3.1 dotnet-sdk-5.0 dotnet-sdk-6.0
# 全量 #dnf download dotnet-runtime-2.1 dotnet-runtime-2.2 dotnet-runtime-3.0 dotnet-runtime-3.1 dotnet-runtime-5.0 dotnet-runtime-6.0 dotnet-sdk-2.1 dotnet-sdk-2.2 dotnet-sdk-3.0 dotnet-sdk-3.1 dotnet-sdk-5.0 dotnet-sdk-6.0 --destdir /repo/CentOS7Repo/dotnet/Packages --alldeps --resolve
# 确保 nodejs repo 安装完毕
tee /etc/yum.repos.d/nodejs.repo <<-'EOF'
[node]
name=NodeJs Packages for Enterprise Linux 7 - $basearch
baseurl=https://rpm.nodesource.com/pub_16.x/el/7/$basearch
failovermethod=priority
enabled=1
EOF
yumdownloader --resolve --destdir /repo/CentOS7Repo/nodejs/Packages nodejs
# 更新repo
createrepo --update /repo/CentOS7Repo/docker-ce
createrepo --update /repo/CentOS7Repo/dotnet
createrepo --update /repo/CentOS7Repo/nodejs
# 下载
rclone sync -P --delete-excluded --sftp-host xxxxxxxx.com --sftp-user root --sftp-port 22 --sftp-ask-password :sftp:/repo/CentOS7Repo/ X:\repo\CentOS7Repo\ --size-only
rclone sync -P --delete-excluded repo:/repo/CentOS7Repo/ X:\repo\CentOS7Repo\ --size-only
# 上传
rclone sync -P --delete-excluded X:\repo\CentOS7Repo\ --sftp-host xxxxxxxx.com --sftp-user root --sftp-port 22 --sftp-ask-password :sftp:/repo/CentOS7Repo/ --size-only
rclone sync -P --delete-excluded X:\repo\CentOS7Repo\ repo:/repo/CentOS7Repo/ --size-only
# 私网配置
tee /etc/yum.repos.d/private.repo <<-'EOF'
[base]
name=CentOS-$releasever - Base - 163.com
baseurl=replacementurl/os/
gpgcheck=0
enabled=1
sslverify=0
[updates]
name=CentOS-$releasever - Updates - 163.com
baseurl=replacementurl/updates/
gpgcheck=0
enabled=1
sslverify=0
[extras]
name=CentOS-$releasever - Extras - 163.com
baseurl=replacementurl/extras/
gpgcheck=0
enabled=1
sslverify=0
[centosplus]
name=CentOS-$releasever - Plus - 163.com
baseurl=replacementurl/centosplus/
gpgcheck=0
enabled=1
sslverify=0
[epel]
name=Epel Packages for Enterprise Linux 7 - $basearch
baseurl=replacementurl/epel/
enabled=1
gpgcheck=0
sslverify=0
[elrepo-kernel]
name=ELRepo.org Community Enterprise Linux Kernel Repository - el7
baseurl=replacementurl/elrepo/
enabled=0
gpgcheck=0
sslverify=0
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=replacementurl/docker-ce/
enabled=1
gpgcheck=0
sslverify=0
[packages-microsoft-com-prod]
name=packages-microsoft-com-prod
baseurl=replacementurl/dotnet/
enabled=1
gpgcheck=0
sslverify=0
[node]
name=NodeJs Packages for Enterprise Linux 7 - $basearch
baseurl=replacementurl/nodejs/
enabled=1
gpgcheck=0
sslverify=0
EOF
sed -i "s/replacementurl/file:\/\/\/repo\/CentOS7Repo/g" /etc/yum.repos.d/private.repo
修改SELinux端口 SSH 启用RSA
yum install policycoreutils-python
sestatus -v |grep SELinux
semanage port -l |grep ssh
semanage port -a -t ssh_port_t -p tcp 12345
semanage port -l |grep ssh
systemctl restart sshd
cd ~/.ssh && ssh-keygen -t rsa -N "" -f id_rsa -q
sed -i 's/#PubkeyAuthentication/PubkeyAuthentication/' /etc/ssh/sshd_config
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
systemctl restart sshd
KALI docker
sudo dpkg-reconfigure locales
sudo apt install fcitx fcitx-table-wbpy
cat /proc/version
# Debian 13 (Trixie)
# Debian 12 (bookworm)
# Debian 11 (bullseye)
# Debian 10(buster)
# Debian 9(stretch)
# Debian 8(jessie)
# curl -fsSL https://get.docker.com -o get-docker.sh
# sudo sh get-docker.sh
apt-get install software-properties-common dirmngr apt-transport-https ca-certificates
curl -fsSL https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian/gpg | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/docker.gpg
echo 'deb https://download.docker.com/linux/debian buster stable'> /etc/apt/sources.list.d/docker.list
apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin -y
sudo gpasswd -a ${USER} docker
newgrp - docker
