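Common Linux system settings and package management

I. Compiling and installing common packages

1.1 Upgrading OpenSSH

Upgrade OpenSSH to version 8.8 or later. Release notes: https://www.openssh.com/txt/release-8.8

First, list the OpenSSH components that are already installed: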

[root@localhost ~]$ rpm -qa | grep openssh
openssh-8.0p1-13.ky3.kb1.pg.x86_64
openssh-server-8.0p1-13.ky3.kb1.pg.x86_64
openssh-clients-8.0p1-13.ky3.kb1.pg.x86_64

Note: the command above applies to CentOS and Kylin systems.

1.1.1 Preparation

Download the OpenSSH, OpenSSL and zlib source archives:

[root@localhost opt]$ cd /opt
[root@localhost opt]$ sudo mkdir tools
[root@localhost opt]$ cd tools
[root@localhost tools]$ yum -y install wget
# --no-check-certificate turns off TLS certificate validation for these downloads,
# so compare each archive with the checksum or signature its project publishes before building
[root@localhost tools]$ sudo wget https://www.openssl.org/source/openssl-1.1.1j.tar.gz --no-check-certificate
[root@localhost tools]$ sudo wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz --no-check-certificate
[root@localhost tools]$ sudo wget https://nchc.dl.sourceforge.net/project/libpng/zlib/1.2.11/zlib-1.2.11.tar.gz --no-check-certificate

1.1.2 Compiling and installing zlib

# Extract
[root@localhost tools]$ sudo tar -zxvf zlib-1.2.11.tar.gz
[root@localhost tools]$ cd zlib-1.2.11
# Configure the build
[root@localhost zlib-1.2.11]$ sudo ./configure --prefix=/usr/local/zlib
# Build and install
[root@localhost zlib-1.2.11]$ sudo make -j4
[root@localhost zlib-1.2.11]$ sudo make install
# Check the result
[root@localhost zlib-1.2.11]$ ll /usr/local/zlib
总用量 0
drwxr-xr-x 2 root root 35 12月 22 16:20 include
drwxr-xr-x 3 root root 91 12月 22 16:20 lib
drwxr-xr-x 3 root root 17 12月 22 16:20 share
[root@localhost zlib-1.2.11]$ cd ..

1.1.3 Compiling and installing OpenSSL

# Extract
[root@localhost tools]$ sudo tar -zxvf openssl-1.1.1j.tar.gz
[root@localhost tools]$ cd openssl-1.1.1j
# Configure the build (-d selects a debug build, which is why the compiler line below shows -O0 -g)
[root@localhost openssl-1.1.1j]$ sudo ./config  --prefix=/usr/local/ssl -d shared
# Build and install
[root@localhost openssl-1.1.1j]$ sudo make -j4
[root@localhost openssl-1.1.1j]$ sudo make install
# Register the shared-library directory
[root@localhost openssl-1.1.1j]$ sudo vim /etc/ld.so.conf
/usr/local/ssl/lib   # appended as the last line
# Run sudo /sbin/ldconfig -v to apply the change
[root@localhost openssl-1.1.1j]$ sudo ldconfig -v
[root@localhost openssl-1.1.1j]$ /usr/local/ssl/bin/openssl version -a
OpenSSL 1.1.1j  16 Feb 2021
built on: Fri Dec 22 08:23:15 2023 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O0 -g -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM
OPENSSLDIR: "/usr/local/ssl/ssl"
ENGINESDIR: "/usr/local/ssl/lib/engines-1.1"
Seeding source: os-specific
# Check the result
[root@localhost openssl-1.1.1j]$ ll /usr/local/ssl
总用量 0
drwxr-xr-x 2 root root  37 12月 22 16:24 bin
drwxr-xr-x 3 root root  21 12月 22 16:24 include
drwxr-xr-x 4 root root 159 12月 22 16:27 lib
drwxr-xr-x 4 root root  28 12月 22 16:25 share
drwxr-xr-x 5 root root 140 12月 22 16:24 ssl

[root@localhost openssl-1.1.1j]$ cd ..

1.1.4 Compiling and installing OpenSSH

[root@localhost tools]$ sudo tar -zxvf openssh-8.8p1.tar.gz
[root@localhost tools]$ cd openssh-8.8p1
[root@localhost openssh-8.8p1]$ sudo ./configure --prefix=/usr/local/openssh --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/ssl
[root@localhost openssh-8.8p1]$ sudo make -j4
[root@localhost openssh-8.8p1]$ sudo make install
# Check the result
[root@localhost openssh-8.8p1]$ ll /usr/local/openssh
总用量 0
drwxr-xr-x 2 root root 109 12月 22 16:29 bin
drwxr-xr-x 2 root root 277 12月 22 16:29 etc
drwxr-xr-x 2 root root  90 12月 22 16:29 libexec
drwxr-xr-x 2 root root  18 12月 22 16:29 sbin
drwxr-xr-x 3 root root  17 12月 22 16:29 share

1.1.5 Configuration

Edit sshd_config:

[root@localhost openssh-8.8p1]$ sudo vim /usr/local/openssh/etc/sshd_config
PermitRootLogin no
#PubkeyAuthentication yes
PasswordAuthentication yes

Back up the original files, then copy the new files to their target directories:

back_path=/opt/openssh_bak
sudo mkdir ${back_path}
cd ${back_path}
sudo mkdir bin etc libexec sbin share

# Back up the configuration files (ssh* also matches sshd_config, which ssh_* would miss)
sudo cp /etc/ssh/ssh* ${back_path}/etc
# Back up the executables
sudo cp /usr/sbin/sshd  ${back_path}/sbin
sudo cp /usr/bin/ssh  ${back_path}/bin
sudo cp /usr/bin/sftp  ${back_path}/bin
sudo cp /usr/bin/scp  ${back_path}/bin
sudo cp /usr/bin/ssh-add  ${back_path}/bin
sudo cp /usr/bin/ssh-agent  ${back_path}/bin
sudo cp /usr/bin/ssh-keygen  ${back_path}/bin
sudo cp /usr/bin/ssh-keyscan  ${back_path}/bin
sudo cp /usr/libexec/openssh/* ${back_path}/libexec

# Install
sudo cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
sudo cp /usr/local/openssh/bin/ssh /usr/bin/ssh
sudo cp /usr/local/openssh/bin/scp /usr/bin/scp
sudo cp /usr/local/openssh/bin/sftp /usr/bin/sftp
sudo cp /usr/local/openssh/bin/ssh-add /usr/bin/ssh-add
sudo cp /usr/local/openssh/bin/ssh-agent /usr/bin/ssh-agent
sudo cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
sudo cp /usr/local/openssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
sudo cp /usr/local/openssh/etc/* /etc/ssh
sudo cp /usr/local/openssh/libexec/* /usr/libexec/openssh

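Edit the systemd unit (remove Type or change it to Type=simple). sshd built from the upstream 8.8p1 source does not send the readiness notification that Type=notify waits for, so with Type=notify systemd would treat the start as timed out: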

[root@localhost openssh-8.8p1]$ sudo vim /usr/lib/systemd/system/sshd.service

[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
#Type=notify
Type=simple
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target

1.1.6 Restarting the sshd service

[root@localhost openssh-8.8p1]$ sudo systemctl daemon-reload
[root@localhost openssh-8.8p1]$ sudo systemctl restart sshd
[root@localhost openssh-8.8p1]$ sudo systemctl status sshd

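II. Installing dependency packages

2.1 Offline installation

When deploying a server in an environment without network access, a lot of software (gcc, cmake, tmux and so on) has to be installed offline, so the offline installation packages must be downloaded in advance on a machine that has network access.

Some software needs only a single deb package, such as net-tools, while other software, such as gcc, has many dependency packages; for those you need a simple way to download all of the dependency deb packages in one batch.

This section uses installing cmake on Ubuntu as the example. First check whether the package is already installed.

Either of the following two commands checks whether the package is installed: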

root@rk3399:/opt# dpkg -l | grep cmake
root@rk3399:/opt# apt list --installed | grep cmake

2.1.1 Viewing dependencies

Taking cmake as the example:

root@rk3399:/opt# apt-cache depends cmake
cmake
  Depends: libarchive13
  Depends: libc6
  Depends: libcurl4
  Depends: libexpat1
  Depends: libgcc-s1
  Depends: libjsoncpp25
  Depends: librhash0
  Depends: libstdc++6
  Depends: libuv1
  Depends: zlib1g
  Depends: cmake-data
  Depends: procps
  Recommends: gcc
  Recommends: make
    make-guile
  Suggests: cmake-doc
  Suggests: ninja-build
  Suggests: cmake-format
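
2.1.2 Downloading the deb and its dependencies

There are two ways to download the deb packages. The first is to download them online from the command line on a server: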

root@rk3399:/opt# mkdir cmake
root@rk3399:/opt# cd cmake
root@rk3399:/opt/cmake# apt-get download $(apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends cmake | grep "^\w")
root@rk3399:/opt/cmake# ls
cdebconf_0.261ubuntu1_arm64.deb              libgnutls30_3.7.3-4ubuntu1.2_arm64.deb                librtmp1_2.4+20151223.gitfa8646d.1-2build4_arm64.deb
cmake-data_3.22.1-1ubuntu1.22.04.1_all.deb   libgssapi-krb5-2_1.19.2-2ubuntu0.2_arm64.deb          libsasl2-2_2.1.27+dfsg2-3ubuntu1.2_arm64.deb
cmake_3.22.1-1ubuntu1.22.04.1_arm64.deb      libhogweed6_3.7.3-1build2_arm64.deb                   libsasl2-modules-db_2.1.27+dfsg2-3ubuntu1.2_arm64.deb
debconf_1.5.79ubuntu1_all.deb                libicu70_70.1-2ubuntu1_arm64.deb                      libselinux1_3.3-1build2_arm64.deb
dh-elpa-helper_2.0.9ubuntu1_all.deb          libidn2-0_2.3.2-2build1_arm64.deb                     libslang2_2.3.2-5build4_arm64.deb
dpkg_1.21.1ubuntu2.2_arm64.deb               libjsoncpp25_1.9.5-3_arm64.deb                        libssh-4_0.9.6-2ubuntu0.22.04.1_arm64.deb
emacsen-common_3.0.4_all.deb                 libk5crypto3_1.19.2-2ubuntu0.2_arm64.deb              libssl3_3.0.2-0ubuntu1.10_arm64.deb
gcc-12-base_12.3.0-1ubuntu1~22.04_arm64.deb  libkeyutils1_1.6.1-2ubuntu3_arm64.deb                 libstdc++6_12.3.0-1ubuntu1~22.04_arm64.deb
init-system-helpers_1.62_all.deb             libkrb5-3_1.19.2-2ubuntu0.2_arm64.deb                 libsystemd0_249.11-0ubuntu3.11_arm64.deb
libacl1_2.3.1-1_arm64.deb                    libkrb5support0_1.19.2-2ubuntu0.2_arm64.deb           libtasn1-6_4.18.0-4build1_arm64.deb
libarchive13_3.6.0-1ubuntu1_arm64.deb        libldap-2.5-0_2.5.16+dfsg-0ubuntu0.22.04.1_arm64.deb  libtextwrap1_0.1-15build1_arm64.deb
libbrotli1_1.0.9-2build6_arm64.deb           liblz4-1_1.9.3-2build2_arm64.deb                      libtinfo6_6.3-2ubuntu0.1_arm64.deb
libbz2-1.0_1.0.8-5build1_arm64.deb           liblzma5_5.2.5-2ubuntu1_arm64.deb                     libunistring2_1.0-1_arm64.deb
libc6_2.35-0ubuntu3.4_arm64.deb              libncurses6_6.3-2ubuntu0.1_arm64.deb                  libuv1_1.43.0-1_arm64.deb
libcom-err2_1.46.5-2ubuntu1.1_arm64.deb      libncursesw6_6.3-2ubuntu0.1_arm64.deb                 libxml2_2.9.13+dfsg-1ubuntu0.3_arm64.deb
libcrypt1_1%3a4.4.27-1_arm64.deb             libnettle8_3.7.3-1build2_arm64.deb                    libzstd1_1.4.8+dfsg-3build1_arm64.deb
libcurl4_7.81.0-1ubuntu1.14_arm64.deb        libnewt0.52_0.52.21-5ubuntu2_arm64.deb                lsb-base_11.1.0ubuntu4_all.deb
libdb5.3_5.3.28+dfsg1-0.8ubuntu3_arm64.deb   libnghttp2-14_1.43.0-1build3_arm64.deb                perl-base_5.34.0-3ubuntu1.2_arm64.deb
libdebian-installer4_0.122ubuntu3_arm64.deb  libp11-kit0_0.24.0-6build1_arm64.deb                  procps_2%3a3.3.17-6ubuntu2_arm64.deb
libexpat1_2.4.7-1ubuntu0.2_arm64.deb         libpcre2-8-0_10.39-3ubuntu0.1_arm64.deb               tar_1.34+dfsg-1ubuntu0.1.22.04.1_arm64.deb
libffi8_3.4.2-4_arm64.deb                    libprocps8_2%3a3.3.17-6ubuntu2_arm64.deb              zlib1g_1%3a1.2.11.dfsg-2ubuntu9.2_arm64.deb
libgcc-s1_12.3.0-1ubuntu1~22.04_arm64.deb    libpsl5_0.21.0-1.2build2_arm64.deb
libgmp10_2%3a6.2.1+dfsg-3ubuntu1_arm64.deb   librhash0_1.4.2-1ubuntu1_arm64.deb

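In addition, the packages can be downloaded from an Ubuntu mirror:

For example, cmake_3.22.1-1ubuntu1.22.04.1_arm64.deb

Following the link opens the package page, which shows the following information:

  • Description: a description of the package;
  • Requires: the packages it depends on;
  • Download: the download URL;
  • Install Howto: how to install it with apt;
  • Files: the files the package installs and their installation paths.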

2.1.3 Offline installation with dpkg

root@rk3399:/opt/cmake# sudo dpkg -i *.deb
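
dpkg -i installs whatever .deb files are in the directory and does not check where they came from, so the copy that reaches the offline machine should be compared with what apt-get download fetched. The following is an added example, not part of the original post; the manifest name SHA256SUMS and both function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post. Record SHA-256 digests on the
# online machine right after "apt-get download", then check them on the
# offline machine before "dpkg -i". SHA256SUMS is a name chosen here.

# make_manifest DIR -> writes DIR/SHA256SUMS covering every .deb in DIR.
make_manifest() {
    ( cd "$1" && sha256sum *.deb > SHA256SUMS )
}

# verify_debs DIR -> status 0 only if every listed file matches its digest
# AND the directory holds no .deb that the manifest does not list
# ("dpkg -i *.deb" would install such a file too).
verify_debs() {
    (
        cd "$1" || exit 1
        [ -s SHA256SUMS ] || { echo "missing SHA256SUMS" >&2; exit 1; }
        sha256sum -c SHA256SUMS >/dev/null || { echo "digest mismatch" >&2; exit 1; }
        for f in *.deb; do
            [ -e "$f" ] || continue
            # manifest lines look like "<digest>  <name>"
            if ! awk -v n="$f" '{ sub(/^[0-9a-f]+ [ *]/, "") } $0 == n { ok = 1 } END { exit !ok }' SHA256SUMS
            then echo "not in manifest: $f" >&2; exit 1
            fi
        done
    )
}

# Demonstration on constructed files (not real packages).
demo=$(mktemp -d)
printf 'constructed package A\n' > "$demo/a_1.0_all.deb"
make_manifest "$demo" && verify_debs "$demo" && echo "manifest verified"
rm -rf "$demo"
```

On the offline machine the install step becomes `verify_debs /opt/cmake && sudo dpkg -i /opt/cmake/*.deb`. Carry the manifest, or at least its own digest, by a different path than the packages, since anyone able to alter the packages in transit could alter a manifest that travels with them.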

2.2 Online installation

2.2.1 Installing the default version

First check which version is installed by default:

root@rk3399:/opt/# apt show cmake
Package: cmake
Version: 3.22.1-1ubuntu1.22.04.1
Priority: optional
Section: devel
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Debian CMake Team <pkg-cmake-team@lists.alioth.debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 17.8 MB
Depends: libarchive13 (>= 3.3.3), libc6 (>= 2.34), libcurl4 (>= 7.16.2), libexpat1 (>= 2.0.1), libgcc-s1 (>= 3.3.1), libjsoncpp25 (>= 1.9.5), librhash0 (>= 1.2.6), libstdc++6 (>= 12), libuv1 (>= 1.38.0), zlib1g (>= 1:1.1.4), cmake-data (= 3.22.1-1ubuntu1.22.04.1), procps
Recommends: gcc, make
Suggests: cmake-doc, ninja-build, cmake-format
Homepage: https://cmake.org/
Download-Size: 4650 kB
APT-Sources: http://mirrors.huaweicloud.com/ubuntu-ports jammy-updates/main arm64 Packages
Description: cross-platform, open-source make system
 CMake is used to control the software compilation process using
 simple platform and compiler independent configuration files. CMake
 generates native makefiles and workspaces that can be used in the
 compiler environment of your choice. CMake is quite sophisticated: it
 is possible to support complex environments requiring system
 configuration, pre-processor generation, code generation, and template
 instantiation.
 .
 CMake was developed by Kitware as part of the NLM Insight
 Segmentation and Registration Toolkit project. The ASCI VIEWS project
 also provided support in the context of their parallel computation
 environment. Other sponsors include the Insight, VTK, and VXL open
 source software communities.

N: There is 1 additional record. Please use the '-a' switch to see it

Then run the install commands:

# Update the package index
root@rk3399:/opt# sudo apt-get update
# Install cmake deb package
root@rk3399:/opt# sudo apt-get install cmake
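
2.2.2 Installing a specific version

For example, to install a different version on Ubuntu 22.04, search https://ubuntu.pkgs.org/ for a deb of that version. If one exists, follow its link to the package information page and take the install commands from Install Howto: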

# Update the package index:
root@rk3399:/opt# sudo apt-get update
# Install cmake-qt-gui deb package:
root@rk3399:/opt# sudo apt-get install cmake-qt-gui

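If the version you need cannot be found as a deb package in the Ubuntu mirrors, consider building it from source.

III. System configuration

3.1 Checking the system type

3.1.1 Checking the system type
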
ubuntu@VM-4-9-ubuntu:~$ uname -a
Linux VM-4-9-ubuntu 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

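Where:

  • Kernel name: Linux
  • Hostname: VM-4-9-ubuntu
  • Kernel release: 5.15.0-94-generic
  • Kernel version: #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024
  • Machine hardware name: x86_64
  • Processor type: x86_64
  • Hardware platform: x86_64
  • Operating system: GNU/Linux

3.1.2 Checking the system version
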
ubuntu@VM-4-9-ubuntu:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04 LTS
Release:        22.04
Codename:       jammy

If the lsb_release command is not available, you can read the /etc/os-release file instead:

ubuntu@VM-4-9-ubuntu:~$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

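3.2 Firewall

The following operations apply to Ubuntu and CentOS systems.

3.2.1 Starting and stopping

Check the firewall state:

[root@localhost ~]# firewall-cmd --state

Start the firewall:

[root@localhost ~]# systemctl start firewalld.service

Restart the firewall:

[root@localhost ~]# systemctl restart firewalld.service

Stop the firewall:

[root@localhost ~]# systemctl stop firewalld.service

3.2.2 Configuring ports

Open a specific port:

[root@localhost ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent

Close a specific port:

[root@localhost ~]# firewall-cmd --zone=public --remove-port=6379/tcp --permanent

Where:

  • --zone: the zone the rule applies to;
  • --add-port: adds a port, written as port/protocol;
  • --permanent: makes the change persistent; without it the rule is lost after a restart.

The change takes effect after a reload:

[root@localhost ~]# firewall-cmd --reload

3.2.3 Viewing the configuration

List the open ports:

[root@localhost ~]# firewall-cmd --list-ports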

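3.3 Whitelist

To configure a whitelist in iptables, add the allowed IP addresses with the following commands.

3.3.1 Allowing a specific IP address to reach a port

iptables -A INPUT -p tcp -s <allowed-IP> --dport <port> -j ACCEPT

Below I open only port 22; these are the two rules I use:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

3.3.2 Allowing a specific IP address to reach all ports

iptables -A INPUT -s <allowed-IP> -p all -j ACCEPT

To remove the whitelist entry:

iptables -D INPUT -s <allowed-IP> -p all -j ACCEPT

3.3.3 Viewing the iptables rules

iptables -L -n

You can also read the /etc/sysconfig/iptables file directly, or configure the rules in that file.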
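
ACCEPT rules like the ones in 3.3.1 and 3.3.2 only act as a whitelist when everything else is dropped; while the INPUT policy is ACCEPT, every other source still gets through. The following generator is an added example, not part of the original post: it prints a complete ruleset in iptables-restore format, and the function names and the documentation-range addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Prints an iptables-restore
# ruleset that allows one TCP port only from the listed IPv4 sources and
# drops all other inbound traffic.

# is_ipv4 ADDR[/PREFIX] -> status 0 for a dotted quad with octets 0-255
# and an optional /0-32 prefix.
is_ipv4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && $5 > 32) exit 1 }'
}

# whitelist_rules PORT ADDR... -> ruleset on stdout, non-zero on bad input.
whitelist_rules() {
    port=$1; shift
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    [ $# -gt 0 ] || { echo "no allowed addresses given" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'          # default deny for inbound traffic
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # replies to connections this host opened itself
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do
        echo "-A INPUT -p tcp -s $ip --dport $port -j ACCEPT"
    done
    echo 'COMMIT'
}

# Constructed addresses from the documentation ranges.
whitelist_rules 22 192.0.2.10 198.51.100.0/24
```

Pipe the output to `iptables-restore --test` to parse it without committing. Loading it for real replaces the whole filter table, so include the address you are connected from before applying it over SSH.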

3.4 Copying files

Install rsync on both the destination and the source machine:

[root@localhost ~]# sudo yum install rsync
[root@localhost ~]# sudo rsync -avzS --rsync-path="sudo rsync" root@192.168.0.200:/opt/xxxx .

3.5 Disabling the root user

Create another user:

[root@localhost opt]# useradd  xxxx
[root@localhost opt]# passwd xxxx 
      xxxx
# Let the new user run sudo without a password (check the result with visudo -c)
[root@localhost opt]# echo "xxxx ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
[root@localhost opt]# sed -i -e "s/Defaults requiretty/#Defaults requiretty/" /etc/sudoers

Forbid root logins:

[root@localhost opt]# vim /etc/ssh/sshd_config
PermitRootLogin no

Reload SSH:

[root@localhost opt]# systemctl reload sshd
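
Both this section and 1.1.5 set PermitRootLogin by editing sshd_config. sshd uses the first value it reads for each keyword, so a line added at the end of the file has no effect when an earlier uncommented line sets the same keyword. The following check is an added example, not part of the original post; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. sshd keeps the FIRST value it
# reads for a keyword, so list every global occurrence and mark which one wins.
# Limits: Include files are not followed; values are assumed to be one word.

# sshd_values KEYWORD FILE -> "<line> <value> effective|ignored" per occurrence
# found before the first Match block (keywords are case-insensitive).
sshd_values() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }       # blank lines and comments
        tolower($1) == "match" { exit }       # conditional blocks start here
        tolower($1) == want    { print NR, $2, (seen++ ? "ignored" : "effective") }
    ' "$2"
}

# sshd_effective KEYWORD FILE -> the value sshd will use, or "(default)"
sshd_effective() {
    v=$(sshd_values "$1" "$2" | awk '$3 == "effective" { print $2 }')
    [ -n "$v" ] || v="(default)"
    printf '%s\n' "$v"
}

# Constructed sample: a distribution default left above the line added later.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
}

cfg=$(mktemp) && write_sample "$cfg"
sshd_values PermitRootLogin "$cfg"
rm -f "$cfg"
```

`sshd -t` checks the file for syntax errors before a reload, and `sshd -T` prints the full effective configuration, including Include files that this example does not follow.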

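Add the user to the wheel group with the gpasswd command:

[root@localhost opt]# gpasswd -a xxxx wheel

Note: the commands above apply to Ubuntu and CentOS systems; members of the wheel group can run Linux commands with sudo privileges.

3.6 Checking ports

nc -zv <IP> <Port>: this command scans port <Port> on <IP>.

Where:

  • -z scans the port only, without sending any data;
  • -v prints verbose output.

3.7 nc

nc -lvvp 8888: this command starts a Netcat listener on local port 8888.

Where:

  • -l selects listen mode;
  • -v prints verbose output;
  • -p specifies the port.

IV. System logs

4.1 Viewing SSH login logs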

[root@localhost log]$ cd /var/log
[root@localhost log]$ sudo vim secure
Dec 26 14:46:33 localhost sshd[27737]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=root
Dec 26 14:46:33 localhost sshd[27737]: pam_tally2(sshd:auth): user root (1031) tally 178, deny 3
Dec 26 14:46:35 localhost sshd[27737]: times:0 time_stamp:1703573195428595 Failed password for user_name:root from source_ip:192.168.0.200 port:64208 on dest_ip:192.168.0.200 pid:27737
Dec 26 14:46:35 localhost sshd[27737]: socket connect to gd kylin agent servicd error No such file or directory\n
Dec 26 14:46:35 localhost sshd[27737]: Failed password for root from 192.168.0.200 port 64208 ssh2
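
Reading the file in an editor works for one incident; to see which sources are responsible for the failures, the "Failed password" lines can be counted per address and user. The following is an added example, not part of the original post; the function names are made up here, and every sample line except the first two (taken from the log above) is constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Counts failed SSH password
# attempts per source address and user in a /var/log/secure style file.

# failed_logins FILE [MIN] -> "count ip user" lines, highest count first,
# for pairs with at least MIN failures (default 3, matching "deny 3" in the
# pam_tally2 line of the log shown above).
failed_logins() {
    awk -v min="${2:-3}" '
        / sshd\[[0-9]+\]: Failed password for / {
            # The user name is supplied by the client and may itself contain
            # " from <addr> port <n>", so read the address from the line end.
            if ($NF != "ssh2" || $(NF - 2) != "port" || $(NF - 4) != "from") next
            tag = ": Failed password for "
            user = substr($0, index($0, tag) + length(tag))
            sub(/^invalid user /, "", user)
            sub(/ from [^ ]+ port [0-9]+ ssh2$/, "", user)
            n[$(NF - 3) " " user]++
        }
        END { for (k in n) if (n[k] >= min) print n[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# Sample input: the first two lines are from the post, the rest are constructed.
sample_log() {
    cat <<'EOF'
Dec 26 14:46:35 localhost sshd[27737]: times:0 time_stamp:1703573195428595 Failed password for user_name:root from source_ip:192.168.0.200 port:64208 on dest_ip:192.168.0.200 pid:27737
Dec 26 14:46:35 localhost sshd[27737]: Failed password for root from 192.168.0.200 port 64208 ssh2
Dec 26 14:46:41 localhost sshd[27737]: Failed password for root from 192.168.0.200 port 64208 ssh2
Dec 26 14:46:47 localhost sshd[27737]: Failed password for root from 192.168.0.200 port 64208 ssh2
Dec 26 14:47:02 localhost sshd[27801]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Dec 26 14:47:09 localhost sshd[27801]: Failed password for invalid user x from 192.168.0.200 port 1 from 203.0.113.7 port 51530 ssh2
Dec 26 14:47:30 localhost sshd[27850]: Accepted password for ops from 192.168.0.50 port 40022 ssh2
EOF
}

log=$(mktemp) && sample_log > "$log"
failed_logins "$log" 1
rm -f "$log"
```

The Kylin-specific "times:0 time_stamp:..." line repeats each failure in another format, so it is skipped to avoid counting every attempt twice.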
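
4.1.1 Checking the failure count

If a user has been locked out after entering the wrong password too many times, check that user's failed-login count: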

[root@localhost log]$ sudo pam_tally2 --user root
Login           Failures Latest failure     From
root          297    12/26/23 15:01:19  localhost

4.1.2 Unlocking a user

Unlock the account:

[root@localhost log]$ sudo pam_tally2 --user root --reset
Login           Failures Latest failure     From
root          307    12/26/23 15:02:34  localhost
posted @ 2024-02-01 20:12  大奥特曼打小怪兽