CentOS 7安装完成后初始化的方法

2019-10-13 18:54:17于丽

1、添加用户

新增名为"wang"的用户

[root@vdevops ~]# useradd wang #添加账户
[root@vdevops ~]# passwd wang #设置密码
Changing password for user wang.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@vdevops ~]# exit #退出
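以用户"wang"为例,将其加入 wheel 组,并通过 pam_wheel 限制只有 wheel 组成员才能使用 su,从而设置其为唯一拥有管理员权限的账户。注意:usermod -G 会覆盖该用户原有的附加组;如果用户已经属于其他附加组,应改用 usermod -aG wheel wang 进行追加。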
[root@vdevops ~]# usermod -G wheel wang
[root@vdevops ~]# vim /etc/pam.d/su
#%PAM-1.0 
auth sufficient pam_rootok.so 
# Uncomment the following line to implicitly trust users in the "wheel" group. 
#auth sufficient pam_wheel.so trust use_uid 
# Uncomment the following line to require a user to be in the "wheel" group. 
# 取消下面一行的注释(启用后,只有 wheel 组成员才能使用 su)
auth required pam_wheel.so use_uid 
auth substack system-auth 
auth include postlogin 
account sufficient pam_succeed_if.so uid = 0 use_uid quiet 
account include system-auth 
password include system-auth 
session include system-auth 
session include postlogin 
session optional pam_xauth.so 
设置root账户的邮件转发(编辑 /etc/aliases;修改后需执行 newaliases 使其生效)
# Person who should get root's mail
# 最后一行,取消注释,改变用户名称
root: wang

2、设置防火墙和SELINUX

【1】防火墙

查看防火墙状态

[root@vdevops ~]# systemctl status firewalld 
● firewalld.service - firewalld - dynamic firewall daemon 
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) 
Active: active (running) since Wed 2016-10-26 01:09:49 CST; 1h 36min ago 
Main PID: 744 (firewalld) 
CGroup: /system.slice/firewalld.service 
└─744 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid 
Oct 26 01:09:46 vdevops.com systemd[1]: Starting firewalld - dynamic firewall daemon... 
Oct 26 01:09:49 vdevops.com systemd[1]: Started firewalld - dynamic firewall daemon. 

防火墙基本操作

[root@vdevops ~]# systemctl start firewalld #启动防火墙 
[root@vdevops ~]# systemctl enable firewalld #设置防火墙开机自启 

默认情况下,网卡(NIC)使用“public”区域,该区域只允许 dhcpv6-client 和 ssh 两项服务。

当使用“firewall-cmd”命令操作时,如果输入的命令不带“--zone=***”参数,则配置将应用于默认区域。

#显示默认区域 
[root@vdevops ~]# firewall-cmd --get-default-zone 
public 
#显示当前设置 
[root@vdevops ~]# firewall-cmd --list-all 
public (default, active) 
interfaces: eno16777736 
sources: 
services: dhcpv6-client ssh 
ports: 
masquerade: no 
forward-ports: 
icmp-blocks: 
rich rules: 
#显示全部区域 
[root@vdevops ~]# firewall-cmd --list-all-zones 
block 
interfaces: 
sources: 
services: 
ports: 
masquerade: no 
forward-ports: 
icmp-blocks: 
rich rules: 

dmz 
interfaces: 
sources: 
services: ssh 
ports: 
masquerade: no 
forward-ports: 
icmp-blocks: 
rich rules: 
... 
#显示特定区域允许的服务 
[root@vdevops ~]# firewall-cmd --list-service --zone=external 
ssh 
#改变默认区域 
[root@vdevops ~]# firewall-cmd --set-default-zone=external 
success 
#改变指定区域的接口 
[root@vdevops ~]# firewall-cmd --change-interface=eth1 --zone=external 
success 
#显示指定区域的状态 
[root@vdevops ~]# firewall-cmd --list-all --zone=external 
external (default, active) 
interfaces: eno16777736 eth1 
sources: 
services: ssh 
ports: 
masquerade: yes 
forward-ports: 
icmp-blocks: 
rich rules: 
#注:改变指定区域的接口,前提是此接口在当前系统中存在。另外,从上面的输出可以看到 external 区域开启了地址伪装(masquerade: yes),将其设为默认区域前应确认这符合预期。