Linux 服务器配置教程

Linux 服务器配置教程 Linux是一套支持多用户、多任务、多线程、多CPU、多平台的免费使用和自由传播的类Unix操作系统，存在着许多不同的Linux版本，但它们都使用了Linux内核。诞生于1991年的10月，支持Intel x86系列的32位和64位硬件架构。本教程基于 Rhel6.x，详细介绍各种服务配置。 1，Putty / Winscp 软件 2，本地cdromYum配置 3，selinux 4，dhcp服务 5，dns服务 6，nfs 服务 7，ftp服务 8，samba服务 9，mail 服务 ( semdmail / postfix + dovecot + openwebmial ) 1，Putty / Winscp 软件 PuTTY是一套免费的Telnet/SSH/rlogin程序,但是功能丝毫不逊色于商业的telnet类工具。 WinSCP是一个Windows环境下使用SSH的开源图形化SFTP客户端，支持SCP协议。它的主要功能就是在本地与远程计算机间安全的复制文件。 yum -y groupinstall " Server Platform " yum -y groupinstall " Server Platform Development " 2，本地cdromYum配置 1，mkdir -p /mnt/cdrom mount /dev/cdrom /mnt/cdrom 2，配置本地cdromYum ( vim /etc/yum.repos.d/rhel-local.repo) [rhel-source] name=Red Hat Enterprise Linux $releasever - $basearch - Source baseurl=file:///mnt/cdrom/ enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 3，Yum安装软件 yum grouplist yum -y install vim* 4, Linux 补装图形化界面 ( 区分大小写 ) [root@localhost ~]# yum -y groupinstall " X Window System " [root@localhost ~]# yum -y groupinstall " Desktop " Rhel 6.x [root@localhost ~]#yum -y groupinstall " GNOME " Rhel 5.x [root@localhost ~]#yum -y install nautilus-open-terminal 5，安装相应软件包 yum -y install make screen gcc gcc-c++ flex bison file libtool libtool-libs autoconf kernel-devel libjpeg libjpeg-devel libpng libpng-devel gd freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glib2 glib2-devel bzip2 bzip2-devel libevent ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel vim* vim-minimal nano gettext gettext-devel ncurses-devel gmp-devel unzip libcap autoconf libjpeg libjpeg-devel libpng libpng-devel glibc glibc-devel glib2 glib2-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers SELinux 一， 系统设置 如果将普通用户 GID / UID 改成和 root用户一样，那么此用户就变成了管理员 1，网卡配置 ifcongig eth0 up ifconfig eth0 192.168.0.100 netmask 255.255.255.0 Vim /etc/sysconfig/network-scripts/ifcfg-eth0 < service network restart > DEVICE=eth0 BOOTPROTO=static IPADDR=192.168.0.100 NETMASK=255.255.255.0 NETWORK=192.168.0.0. BROADCAST=192.168.0.255 ONBOOT=YES GATEWAY=192.168.0.1 TYPE=Ethernet NAME=eth0 2，开机显示登录信息 ? ( Vi /etc/issue ) issue内各代码说明： \d 本地端时间的日期 \l 显示第几个终端接口 \m 显示硬件的等级 \n 显示主机的网络名称 \o 显示域名 \r 操作系统的版本 \t 显示本地端的时间 \s 操作系统的名称 \v 操作系统的版本 3，如何查看linux 版本信息? cat /boot/grub/grub.conf cat /etc/issue uname –s –r 4，◆chmod 777 等同于 umask=000 (或 rwx) ◆chmod 666等同于umask=111 (或rw-) ◆chmod 555等同于umask=222 (或r-x) ◆chmod 444等同于umask=333 (或r--) ◆chmod 333等同于umask=444 (或-wx) ◆chmod 222等同于umask=555 (或-w-) ◆chmod 111等同于umask=666 (或--x) ◆chmod 000等同于umask=777 (或---) chgrp named named.conf 将文件 named.conf 文件改为 named 用户 chown root /var/run/httpd.pid 把/var/run/httpd.pid的所有者设置root useradd -d haoma118 删除用户并清除目录 iptables的规则是保存在/etc/sysconfig/iptables中 mkdir –p /usr/soft/file 连续建立多个目录 禁止 ping echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all ， 恢复将1改成 0 Linux系统日志路径： ( /var/log/ )： vi /var/log/messages （ 查看日志文件 ） ( tail -50 /var/log/messages > file)( 提取 /var/log/messages 文件最后50 行 输出到 file） · chkconfig --level 2345 network on · chkconfig --list network IPV4包转发 echo ”1” > /proc/sys/net/ipv4/ip_forward 二，selinux · SELinux 支持三种模式 ( vim /etc/sysconfig/selinux ) · ( 不同版本 selinux 略有区别 ) · enforcing： 强制模式，代表 SELinux 运作中 selinuxtype=targeted · permissive：宽容模式：代表 SELinux 运作中 selinuxtype=targeted · disabled： 关闭 SELinux 并没有实际运作 selinuxtype=strict 查看当前selinux模式 [root@localhost ~]# getenforce Selinux rpm 软件包 查看 SELinux 的政策 (Policy) [root@localhost ~]#sestatus 显示 / 开启某个服务的selinux 策略 getsebool –a | grep < httpd ftp named samba nfs dhcpd > setsebool -P on 提示：一般情况下，建议将selinux 策略关闭 DHCP服务 1，检查系统是否已经安装了DHCP服务 rpm -q dhcp rpm –qa |grep dhcp 2,安装DHCP服务 yum -y install dhcp 3,DHCP服务的自动加载 chkconfig --level 35 dhcpd on chkconfig --level 35 dhcrelay on (dhcp中继服务 ) 4，DHCP服务的启动/暂停 service dhcpd start / stop / restart ( 启动 / 停止 / 重新加载 ) DHCP配置文件dhcpd.conf的格式如下: 选项/参数 # 这些选项/参数全局有效 声明{ 选项/参数 # 这些选项/参数局部有效 } dhcpd.conf文件中常用的声明及功能 声明 功能 shared-network 名称 {…} 定义超级作用域 subnet 网络号 netmask 子网掩码 {…} 定义作用域（或IP子网） range 起始IP地址 终止IP地址 定义作用域（或IP子网）范围 host 主机名 {…} 定义保留地址 group {…} 定义一组参数 dhcpd.conf文件中常用的参数及功能 参数 功能 ddns-update-style 类型 定义所支持的DNS动态更新类型（必选） allow/ignore client-updates 允许/忽略客户机更新DNS记录 default-lease-time 数字 指定默认的租约期限 max-lease-time 数字 指定最大租约期限 hardware 硬件类型 MAC地址 指定网卡接口类型和MAC地址 server-name 主机名 通知DHCP客户机服务器的主机名 fixed-address IP地址 分配给客户端一个固定的IP地址 dhcpd.conf文件中常用的选项及功能 选项 功能 subnet-mask 子网掩码 为客户端指定子网掩码 domain-name “域名” 为客户端指定DNS域名 domain-name-servers IP地址 为客户端指定DNS服务器的IP地址 host-name “主机名” 为客户端指定主机名 routers IP地址 为客户端指定默认网关 broadcast-address 广播地址 为客户端指定广播地址 netbios-name-servers IP地址 为客户端指定WINS服务器的IP地址 netbios-node-type 节点类型 为客户端指定节点类型 ntp-server IP地址 为客户端指定网络时间服务器的IP地址 nis-servers IP地址 为客户端指定NIS域服务器的地址 nis-domain “名称” 为客户端指定所属的NIS域的名称 time-offset 偏移差 为客户端指定与格林尼治时间的偏移差 实例：多作用域 (启用中继代理 ) 格式 1．在DHCP服务器上设置超级作用域 修改DHCP服务器dhcpd.conf文件，加入如下格式的shared-network语句 shared-network 名称 { subnet 子网1的网络ID netmask 子网掩码 { … } subnet 子网2的网络ID netmask 子网掩码 { … } } 2,在 /etc/rc.d/rc.local 文件中加入 echo ”1” > /proc/sys/net/ipv4/ip_forward 执行sysctl –p命令使刚开启的IPV4转发功能生效 3．设置DHCP中继代理 ( 修改 /etc/sysconfig/dhcrelay 文件） # Command line options here INTERFACES= "eth0" DHCPSERVERS="192.168.0.1" 6， dhcp配置实例 ( vim /etc/dhcp/dhcpd.conf ) cp /usr/share/doc/dhcp*/dhcpd.conf.sample /etc/dhcp/dhcpd.conf # DHCP Server Configuration file. # see /usr/share/doc/dhcp*/dhcpd.conf.sample # see 'man 5 dhcpd.conf' # dhcpd.conf # # Sample configuration file for ISC dhcpd # # option definitions common to all supported networks... option domain-name "haoma118.com"; option domain-name-servers 192.168.0.180; default-lease-time 60; max-lease-time 70; # Use this to enble / disable dynamic dns updates globally. #ddns-update-style none; # If this DHCP server is the official DHCP server for the local # network, the authoritative directive should be uncommented. #authoritative; # Use this to send dhcp log messages to a different log file (you also # have to hack syslog.conf to complete the redirection). log-facility local7; # No service will be given on this subnet, but declaring it helps the # DHCP server to understand the network topology. # subnet 10.152.187.0 netmask 255.255.255.0 { # } # This is a very basic subnet declaration. # subnet 10.254.239.0 netmask 255.255.255.224 { # range 10.254.239.10 10.254.239.20; # option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org; # } # This declaration allows BOOTP clients to get dynamic addresses, # which we don't really recommend. # subnet 10.254.239.32 netmask 255.255.255.224 { # range dynamic-bootp 10.254.239.40 10.254.239.60; # option broadcast-address 10.254.239.31; # option routers rtr-239-32-1.example.org; # } # This is 192.168.0.0 internal subnet. subnet 192.168.0.0 netmask 255.255.255.0 { range 192.168.0.150 192.168.0.200; option domain-name-servers 192.168.0.180; option domain-name "haoma118.com"; option routers 192.168.0.180; option broadcast-address 192.168.0.255; default-lease-time 60; max-lease-time 70; } # This is 192.168.1.0 internal subnet. subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.120 192.168.1.200; option domain-name-servers 192.168.0.120; option domain-name "haoma118.com"; option routers 192.168.1.1; option broadcast-address 192.168.1.255; default-lease-time 60; max-lease-time 70; } # This is 192.168.2.0 internal subnet. subnet 192.168.2.0 netmask 255.255.255.0 { range 192.168.2.120 192.168.2.200; option domain-name-servers 192.168.0.120; option domain-name "haoma118.com"; option routers 192.168.2.1; option broadcast-address 192.168.2.255; default-lease-time 60; max-lease-time 70; } # Hosts which require special configuration options can be listed in # host statements. If no address is specified, the address will be # allocated dynamically (if possible), but the host-specific information # will still come from the host declaration. # host passacaglia { # hardware ethernet 0:0:c0:5d:bd:95; # filename "vmunix.passacaglia"; # server-name "toccata.fugue.com"; # } # Fixed IP addresses can also be specified for hosts. These addresses # should not also be listed as being available for dynamic assignment. # Hosts for which fixed IP addresses have been specified can boot using # BOOTP or DHCP. Hosts for which no fixed address is specified can only # be booted with DHCP, unless there is an address range on the subnet # to which a BOOTP client is connected which has the dynamic-bootp flag # set. # host fantasia { # hardware ethernet 08:00:07:26:c0:a5; # fixed-address fantasia.fugue.com; # } # You can declare a class of clients and then do address allocation # based on that. The example below shows a case where all clients # in a certain class get addresses on the 10.17.224/24 subnet, and all # other clients get addresses on the 10.0.29/24 subnet. # class "foo" { # match if substring (option vendor-class-identifier, 0, 4) = "SUNW"; # } # shared-network 224-29 { # subnet 10.17.224.0 netmask 255.255.255.0 { # option routers rtr-224.example.org; # } # subnet 10.0.29.0 netmask 255.255.255.0 { # option routers rtr-29.example.org; # } # pool { # allow members of "foo"; # range 10.17.224.10 10.17.224.250; # } # pool { # deny members of "foo"; # range 10.0.29.10 10.0.29.230; # } # } DNS服务的安装 1，检查系统是否已经安装了DNS服务 rpm -q bind rpm –qa |grep bind 如果系统还没有安装DNS服务,要安装DNS服务， rpm -ivh /mnt/Server/bind-9.3.3-7.el5.i386.rpm rpm -ivh /mnt/Server/bind-utils-*.i386.rpm rpm -ivh /mnt/Server/bind-chroot-*.i386.rpm yum -y install bind* chkconfig --level 35 named on service named restart 2，配置 dns [root@RhNginx etc]# vim /var/named/chroot/etc/named.conf // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // options { listen-on port 53 { any; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion yes; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; [root@RhNginx etc]# vim /var/named/chroot/etc/named.rfc1912.zones // named.rfc1912.zones: // // Provided by Red Hat caching-nameserver package // // ISC BIND named zone configuration for zones recommended by // RFC 1912 section 4.1 : localhost TLDs and address zones // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt // (c)2007 R W Franks // // See /usr/share/doc/bind*/sample/ for example named configuration files. // zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "haoma118.com" IN { type master; # file "named.localhost"; file "haoma118.com.zones"; allow-update { none; }; }; zone "0.168.192.in-addr.arpa" IN { type master; # file "named.loopback"; file "192.168.0.zones"; allow-update { none; }; }; 编辑正向区域文件 cp -p named.localhost haoma118.com.zones $TTL 1H @ IN SOA @ admin.haoma118.com. ( 5 1H 1H 1W 3H ) NS @ haoma118.com. IN A 192.168.0.100 www IN A 192.168.0.100 ftp IN A 192.168.0.100 mail IN A 192.168.0.100 IN MX 5 mail.haoma118.com. 编辑反向区域文件 cp -p named.loopback 192.168.0.zones $TTL 1H @ IN SOA @ rname.invalid. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS @ A 127.0.0.1 AAAA ::1 100 PTR haoma118com. 100 PTR www.haoma118.com. 100 PTR ftp.haoma118.com. 100 PTR mail.haoma118.com. NFS服务的安装 检查系统中是否已经安装了这两个包: rpm -q nfs-utils portmap 安装NFS服务 rpm -ivh /mnt/Server/ portmap-4.0-65.2.2.1.i386.rpm rpm -ivh/mnt/Server /nfs-utils-1.0.9-16.el5.i386.rpm yum -y install nfs-utils portmap chkconfig --level 35 nfs on service nfs restart 配置NFS服务 mkdir -p /usr/wanghe mkdir -p /usr/soft mkdir -p /usr/share vim /etc/exports /var/ftp/pub 192.168.0.0/24(rw,async) *(ro) /usr/wanghe 192.168.0.20(rw,sync) /usr/soft *(rw,sync) /usr/share *(sync,ro) exports文件的格式 exprots文件中每一行提供了一个共享目录的设置，其命令格式为： ＜输出目录＞ ［客户端1（选项1，选项2，…）］［客户端2（选项1，选项2，…）］ 客户端常用的指定方式 exportfs命令就是用来维护NFS服务的输出目录列表 的，命令的基本格式如下。 exportfs ［选项］ 其选项有以下几个。  -a：输出在/etc/exports文件中所设置的所有目录。  -r：重新读取/etc/exports文件中的设置，并使设置立即生效，而不需重新启动NFS服务。  -u：停止输出某一目录。  -v：在输出目录时将目录显示到屏幕上 显示当前主机中NFS服务器的连接信息 # showmount 显示指定主机中NFS服务器的连接信息 # showmount 192.168.152.131  显示当前主机中NFS服务器的输出列表 # showmount -e 显示指定NFS服务器中的共享目录列表 # showmount -e 192.168.152.131  显示当前主机NFS服务器中已经被NFS客户机挂载使用的共享目录 # showmount -d 显示当前主机中NFS服务器的客户机信息 # showmount -a  使nfs服务器重新读取exports文件中的设置 # exportfs -rv  停止当前主机中NFS服务器的所有目录输出 # exportfs -auv  输出当前主机中NFS服务器的所有共享目录 # showmount -e 挂载NFS服务器中的共享目录 # mount -t nfs 192.168.152.131:/home/share/ /mnt/nfs 卸载系统中已挂载的NFS共享目录 # umount -t nfs 192.168.152.131:/home/share/ /mnt/nfs 可移动介质(光驱) /dev/cdrom /mnt/cdrom auto ro,noauto,user,exec 0 0 user 允许用户进行挂载、卸载，否则只有‘root’有此权利,虽然光盘没有自动挂载，但由于‘/etc/fstab’中的这一条，使接下来的挂载变得很简单,输入： mount /mnt/cdrom vim /etc/fstab 在最后一行输入如下 内容 财务内部控制制度的内容财务内部控制制度的内容人员招聘与配置的内容项目成本控制的内容消防安全演练内容 ： 192.168.0.121:/nfs4 /nfs nfs defaults 0 0 NFS服务器IP地址:服务器共享出的分区挂载点 本机挂载点 文件类型 开机自动挂载 NFS？ # /etc/fstab /dev/cdrom /挂载的目录 iso9660 noauto,ro 0 0 /dev/cdrom /mnt/cdrom auto ro,noauto,user,exec 0 0 192.168.0.100:/usr/soft /mnt/nfsoft nfs defaults 0 0 192.168.0.100:/var/ftp/pub /mnt/ntftp nfs defaults 0 0 挂载NFS服务器上的输出目录的命令格式为： mount -t NFS服务器名或IP地址:输出目录 本地挂载目录 【例】将NFS服务器（192.168.16.177）上的/nfs/public共享目录挂载到本机（Fedora4）上的/mnt/nfs目录。具体的步骤如下。 ① 使用下面的命令来建立/mnt/nfs目录。 mkdir /mnt/nfs ② 使用下面的命令来挂载NFS服务器上的输出目录。 mount -t nfs 192.168.16.177:/nfs/public /mnt/nfs FTP服务 检查是否安装vsftpd rpm –qa vsftp 安装vsftpd yum -y install vsftpd chkconfig --level 35 vsftpd on service vsftpd restart useradd haoma118 -s /sbin/nologin passwd haoma118 配置vsftpd 服务 vim /etc/vsftpd/vsftpd.conf # Example config file /etc/vsftpd/vsftpd.conf # # The default compiled in settings are fairly paranoid. This sample file # loosens things up a bit, to make the ftp daemon more usable. # Please see vsftpd.conf.5 for all compiled in defaults. # # READ THIS: This example file is NOT an exhaustive list of vsftpd options. # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's # capabilities. # # Allow anonymous FTP? (Beware - allowed by default if you comment this out). anonymous_enable=YES # # Uncomment this to allow local users to log in. local_enable=YES local_root=/usr/soft # # Uncomment this to enable any form of FTP write command. write_enable=YES # # Default umask for local users is 077. You may wish to change this to 022, # if your users expect that (022 is used by most other ftpd's) local_umask=022 # # Uncomment this to allow the anonymous FTP user to upload files. This only # has an effect if the above global write enable is activated. Also, you will # obviously need to create a directory writable by the FTP user. anon_upload_enable=YES # # Uncomment this if you want the anonymous FTP user to be able to create # new directories. anon_mkdir_write_enable=YES # # Activate directory messages - messages given to remote users when they # go into a certain directory. dirmessage_enable=YES # # The target log file can be vsftpd_log_file or xferlog_file. # This depends on setting xferlog_std_format parameter xferlog_enable=YES # # Make sure PORT transfer connections originate from port 20 (ftp-data). connect_from_port_20=YES # # If you want, you can arrange for uploaded anonymous files to be owned by # a different user. Note! Using "root" for uploaded files is not # recommended! #chown_uploads=YES #chown_username=whoever # # The name of log file when xferlog_enable=YES and xferlog_std_format=YES # WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log #xferlog_file=/var/log/xferlog # # Switches between logging into vsftpd_log_file and xferlog_file files. # NO writes to vsftpd_log_file, YES to xferlog_file xferlog_std_format=YES # # You may change the default value for timing out an idle session. #idle_session_timeout=600 # # You may change the default value for timing out a data connection. #data_connection_timeout=120 # # It is recommended that you define on your system a unique user which the # ftp server can use as a totally isolated and unprivileged user. #nopriv_user=ftpsecure # Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, # however, may confuse older FTP clients. async_abor_enable=YES # # By default the server will pretend to allow ASCII mode but in fact ignore # the request. Turn on the below options to have the server actually do ASCII # mangling on files when in ASCII mode. # Beware that on some FTP servers, ASCII support allows a denial of service # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd # predicted this attack and has always been safe, reporting the size of the # raw file. # ASCII mangling is a horrible feature of the protocol. ascii_upload_enable=YES ascii_download_enable=YES # You may fully customise the login banner string: ftpd_banner=Welcome to blah FTP service. # You may specify a file of disallowed anonymous e-mail addresses. Apparently # useful for combatting certain DoS attacks. #deny_email_enable=YES # (default follows) #banned_email_file=/etc/vsftpd/banned_emails # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). chroot_local_user=YES chroot_list_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd/chroot_list # You may activate the "-R" option to the builtin ls. This is disabled by # default to avoid remote users being able to cause excessive I/O on large # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume # the presence of the "-R" option, so there is a strong case for enabling it. #ls_recurse_enable=YES # When "listen" directive is enabled, vsftpd runs in standalone mode and # listens on IPv4 sockets. This directive cannot be used in conjunction # with the listen_ipv6 directive. listen=YES # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6 # sockets, you must run two copies