====== Configuração inicial - CentOS 8/OracleLinux 8 ======
===== Configurando o sudo para o usuário suporte =====
$ su -
# usermod -aG wheel suporte
# exit
sair
$ sudo visudo
[...]
suporte ALL=(ALL) NOPASSWD: ALL
[...]
**Atenção:** edite o ''sudoers'' sempre com ''visudo'' (ou crie um arquivo próprio em ''/etc/sudoers.d/'') em vez de abrir ''/etc/sudoers'' diretamente no ''vim'': o ''visudo'' valida a sintaxe antes de gravar, e um erro de sintaxe nesse arquivo bloqueia o ''sudo'' para todos os usuários. O usuário já foi incluído no grupo ''wheel'', que concede ''sudo'' mediante senha; a opção ''NOPASSWD'' elimina essa segunda autenticação, de modo que o comprometimento da conta ''suporte'' (senha ou chave SSH) passa a equivaler a acesso root imediato. Mantenha ''NOPASSWD'' apenas se for indispensável (por exemplo, para automação) e, nesse caso, restrinja o acesso SSH à conta conforme as seções seguintes.
Para que a configuração surta efeito, é necessário sair e acessar o servidor novamente.
$ exit
sair
Connection to 177.75.176.35 closed
ssh suporte@177.75.176.35
suporte@177.75.176.35's password:
Last login: Fri May 20 08:54:40 2022 from 172.20.64.23
===== Instalação de utilitários e bibliotecas essenciais para operar o sistema =====
$ sudo dnf groupinstall "Development Tools"
$ sudo dnf install dnf-utils vim-enhanced bash-completion wget bind-utils tcpdump traceroute
FIXME Se a máquina virtual estiver hospedada em um host VMware ESXi, é necessário instalar também o pacote //open-vm-tools//:
$ sudo dnf install open-vm-tools
===== Configuração de IPs =====
$ sudo nmcli con mod ens160 ipv4.method manual ipv4.addresses 177.75.176.35/27 ipv4.gateway 177.75.176.33
$ sudo nmcli con mod ens160 ipv6.method manual ipv6.addresses 2804:694:3000:8000::35/64 ipv6.gateway 2804:694:3000:8000::
$ sudo nmcli con mod ens160 ipv4.dns "177.75.176.25"
$ sudo nmcli con mod ens160 ipv6.dns "2804:694:4c00:4001::1"
$ sudo nmcli connection down ens160 ; sudo nmcli c up ens160
**Nota:** executar ''down'' seguido de ''up'' pela própria sessão SSH derruba a conexão; como os dois comandos estão na mesma linha, a interface volta a subir, mas a sessão será perdida. Sempre que possível, execute este passo pelo console da VM ou use apenas ''sudo nmcli connection up ens160'', que normalmente basta para reaplicar a configuração alterada.
$ ip -br address show
lo UNKNOWN 127.0.0.1/8 ::1/128
ens160 UP 177.75.176.35/27 2804:694:3000:8000::35/64 fe80::20c:29ff:fe51:b1a0/64
===== Configurando o hostname =====
$ sudo hostnamectl set-hostname pa-mba-vm-01.juntotelecom.com.br
$ echo -e "$(hostname -I | cut -f1 -d' ')\t$(hostname -f)\t$(hostname -s)" | sudo tee -a /etc/hosts
177.75.176.35 pa-mba-vm-01.juntotelecom.com.br pa-mba-vm-01
$ echo -e "$(hostname -I | cut -f2 -d' ')\t$(hostname -f)\t$(hostname -s)" | sudo tee -a /etc/hosts
2804:694:3000:8000::35 pa-mba-vm-01.juntotelecom.com.br pa-mba-vm-01
===== Ajustando o relógio - NTP =====
$ sudo timedatectl set-time '2022-05-21 10:05:00'
**Nota:** o ajuste manual só é necessário se o relógio estiver muito defasado (o chrony não corrige grandes diferenças de imediato). Com o ''chronyd'' ativo, este comando normalmente falha com a mensagem de que a sincronização automática está habilitada; nesse caso, deixe o chrony corrigir o horário após a configuração abaixo, ou desative temporariamente a sincronização com ''sudo timedatectl set-ntp false'' e reative-a em seguida.
$ timedatectl list-timezones | grep Sao_Paulo
America/Sao_Paulo
$ sudo timedatectl set-timezone America/Sao_Paulo
$ sudo cp -p /etc/chrony.conf{,.dist}
$ sudo sed -i '/pool 2.pool.ntp.org iburst/s/^#*/#/' /etc/chrony.conf
$ sudo sed -i '/#pool 2.pool.ntp.org iburst/a pool pool.ntp.br iburst' /etc/chrony.conf
$ sudo cat /etc/chrony.conf | egrep "#pool 2.pool.ntp.org iburst" -A1
#pool 2.pool.ntp.org iburst
pool pool.ntp.br iburst
$ sudo systemctl restart chronyd
$ chronyc sources -v
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current best, '+' = combined, '-' = not combined,
| / 'x' = may be in error, '~' = too variable, '?' = unusable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^+ a.st1.ntp.br 1 6 17 17 +6180ns[ +163us] +/- 47ms
^+ b.ntp.br 2 6 17 19 -557us[ -557us] +/- 90ms
^* gps.jd.ntp.br 1 6 17 21 -115us[ +42us] +/- 48ms
^+ b.st1.ntp.br 2 6 17 20 -142us[ -142us] +/- 64ms
===== Desativando o acesso SSH para o usuário root =====
$ sudo cp -p /etc/ssh/sshd_config{,.dist}
$ sudo sed -i '/PermitRootLogin yes/s/^#*/#/' /etc/ssh/sshd_config
$ sudo sed -i '/#PermitRootLogin yes/a PermitRootLogin no' /etc/ssh/sshd_config
**Ou**
$ sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
$ sudo cat /etc/ssh/sshd_config | egrep "#PermitRootLogin yes" -A1
#PermitRootLogin yes
PermitRootLogin no
Antes de reiniciar o ''sshd'' (feito mais adiante, após a troca de porta), valide a sintaxe do arquivo com ''sudo sshd -t'' — um erro de configuração impede o serviço de subir e pode deixar o servidor inacessível. Observe também que este procedimento mantém a autenticação por senha ativa: recomenda-se cadastrar uma chave SSH para o usuário ''suporte'' e, depois de testar o acesso com ela, definir ''PasswordAuthentication no'' no ''sshd_config''.
===== Alterando a porta do SSH =====
$ sudo sed -i '/#Port 22/a Port 22022' /etc/ssh/sshd_config
[suporte@podman ~]$ sudo cat /etc/ssh/sshd_config | egrep "#Port" -A1
#Port 22
Port 22022
==== Contextos SELinux ====
$ sudo semanage port -a -t ssh_port_t -p tcp 22022
sudo: semanage: comando não encontrado
$ sudo dnf whatprovides semanage
Última verificação de data de vencimento de metadados: 2:57:15 atrás em sex 20 mai 2022 15:39:40 -03.
policycoreutils-python-utils-2.8-16.1.0.1.el8.noarch : SELinux policy core python utilities
Repo : ol8_baseos_latest
Resultado a partir de:
Nome de arquivo : /usr/sbin/semanage
policycoreutils-python-utils-2.9-3.0.1.el8.noarch : SELinux policy core python utilities
Repo : ol8_baseos_latest
Resultado a partir de:
Nome de arquivo : /usr/sbin/semanage
policycoreutils-python-utils-2.9-3.0.1.el8_1.1.noarch : SELinux policy core python utilities
Repo : ol8_baseos_latest
Resultado a partir de:
Nome de arquivo : /usr/sbin/semanage
policycoreutils-python-utils-2.9-9.0.1.el8.noarch : SELinux policy core python utilities
Repo : ol8_baseos_latest
Resultado a partir de:
Nome de arquivo : /usr/sbin/semanage
policycoreutils-python-utils-2.9-14.0.1.el8.noarch : SELinux policy core python utilities
Repo : ol8_baseos_latest
Resultado a partir de:
Nome de arquivo : /usr/sbin/semanage
policycoreutils-python-utils-2.9-16.0.1.el8.noarch : SELinux policy core python utilities
Repo : ol8_baseos_latest
Resultado a partir de:
Nome de arquivo : /usr/sbin/semanage
policycoreutils-python-utils-2.9-19.0.1.el8.noarch : SELinux policy core python utilities
Repo : ol8_baseos_latest
Resultado a partir de:
Nome de arquivo : /usr/sbin/semanage
$ sudo dnf provides *bin/semanage
Última verificação de data de vencimento de metadados: 2:58:09 atrás em sex 20 mai 2022 15:39:40 -03.
policycoreutils-python-utils-2.8-16.1.0.1.el8.noarch : SELinux policy core python utilities
Repo : ol8_baseos_latest
Resultado a partir de:
Outro : *bin/semanage
policycoreutils-python-utils-2.9-3.0.1.el8.noarch : SELinux policy core python utilities
Repo : ol8_baseos_latest
Resultado a partir de:
Outro : *bin/semanage
policycoreutils-python-utils-2.9-3.0.1.el8_1.1.noarch : SELinux policy core python utilities
Repo : ol8_baseos_latest
Resultado a partir de:
Outro : *bin/semanage
policycoreutils-python-utils-2.9-9.0.1.el8.noarch : SELinux policy core python utilities
Repo : ol8_baseos_latest
Resultado a partir de:
Outro : *bin/semanage
policycoreutils-python-utils-2.9-14.0.1.el8.noarch : SELinux policy core python utilities
Repo : ol8_baseos_latest
Resultado a partir de:
Outro : *bin/semanage
policycoreutils-python-utils-2.9-16.0.1.el8.noarch : SELinux policy core python utilities
Repo : ol8_baseos_latest
Resultado a partir de:
Outro : *bin/semanage
policycoreutils-python-utils-2.9-19.0.1.el8.noarch : SELinux policy core python utilities
Repo : ol8_baseos_latest
Resultado a partir de:
Outro : *bin/semanage
$ sudo dnf install policycoreutils-python-utils
$ sudo semanage port -a -t ssh_port_t -p tcp 22022
$ sudo sshd -t
$ sudo systemctl restart sshd.service
**Atenção — risco de perda de acesso:** neste ponto o firewall ainda libera apenas o serviço ''ssh'' (porta 22) na zona ''public''; novas conexões na porta 22022 serão bloqueadas até que a seção "Ajustes das regras de firewall" seja aplicada. Mantenha a sessão atual aberta e só a encerre depois de confirmar, a partir de uma das origens permitidas, que um novo login na porta 22022 funciona. A troca de porta reduz o ruído de varreduras automáticas, mas não é um controle de segurança por si só — o que efetivamente limita o acesso é a restrição por endereço de origem feita no firewall.
[suporte@podman ~]$ ss -nltp | grep 22022
LISTEN 0 128 0.0.0.0:22022 0.0.0.0:*
LISTEN 0 128 [::]:22022 [::]:*
===== Ajustes das regras de firewall =====
==== Listando todas as zonas ====
$ sudo firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
forward: no
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
nm-shared
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services: dhcp dns ssh
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
==== Listando as zonas com regras padrão ====
$ sudo firewall-cmd --list-all --zone=home
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
$ sudo firewall-cmd --list-all --zone=internal
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
$ sudo firewall-cmd --list-all --zone=nm-shared
nm-shared
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services: dhcp dns ssh
ports:
protocols: icmp ipv6-icmp
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule priority="32767" reject
$ sudo firewall-cmd --list-all --zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
$ sudo firewall-cmd --list-all --zone=work
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
==== Ajustando as regras do SSH da zona ativa - principal/padrão ====
$ sudo firewall-cmd --get-default-zone
public
$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
$ sudo firewall-cmd --permanent --zone=public --remove-service=ssh
success
$ sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="172.20.64.0/27" destination address=177.75.176.35/32 port port="22022" protocol="tcp" accept'
$ sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="177.75.182.133/32" destination address=177.75.176.35/32 port port="22022" protocol="tcp" accept'
$ sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="177.75.187.195/32" destination address=177.75.176.35/32 port port="22022" protocol="tcp" accept'
$ sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv6" source address="2804:694:4c00:4005::/64" destination address=2804:694:3000:8000::35/128 port port="22022" protocol="tcp" accept'
$ sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv6" source address="2804:694:3000:4000::/64" destination address=2804:694:3000:8000::35/128 port port="22022" protocol="tcp" accept'
[suporte@podman ~]$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: cockpit dhcpv6-client
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv6" source address="2804:694:4c00:4005::/64" destination address="2804:694:3000:8000::35/128" port port="22022" protocol="tcp" accept
rule family="ipv4" source address="177.75.187.195/32" destination address="177.75.176.35/32" port port="22022" protocol="tcp" accept
rule family="ipv4" source address="172.20.64.0/27" destination address="177.75.176.35/32" port port="22022" protocol="tcp" accept
rule family="ipv4" source address="177.75.182.133/32" destination address="177.75.176.35/32" port port="22022" protocol="tcp" accept
rule family="ipv6" source address="2804:694:3000:4000::/64" destination address="2804:694:3000:8000::35/128" port port="22022" protocol="tcp" accept
**Nota:** após a alteração, os serviços ''cockpit'' (TCP 9090) e ''dhcpv6-client'' continuam liberados para qualquer origem na zona ''public''. Se o Cockpit não for utilizado neste servidor, remova-o da zona com ''sudo firewall-cmd --permanent --remove-service=cockpit'' seguido de ''sudo firewall-cmd --reload''. Por fim, confirme a partir de um dos endereços de origem liberados que uma nova conexão SSH na porta 22022 é aceita antes de encerrar a sessão atual.
===== Configuração do vim =====
[[vimrc_v2|vimrc]]
===== Configuração do bash =====
#vim ~/.bashrc
# .bashrc
# Cores
Preto='\[\033[01;30m\]'
Vermelho='\[\033[01;31m\]'
Verde='\[\033[01;32m\]'
Amarelo='\[\033[01;33m\]'
Azul='\[\033[01;34m\]'
Roxo='\[\033[01;35m\]'
Ciano='\[\033[01;36m\]'
Branco='\[\033[01;37m\]'
Cinza='\[\033[01;38m\]'
PS1="$Branco\u$Azul@$Ciano\h$Roxo:\w$Branco$ \[\033[00m\]"
HISTTIMEFORMAT='%d-%m-%Y %H:%M- '
HISTCONTROL=ignoreboth
HISTSIZE=1000
HISTFILESIZE=2000
shopt -s checkwinsize
EDITOR='vim'
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias echo='/bin/echo'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias grep='grep --color=auto'
alias l.='ls -d .* --color=auto'
alias ll='ls -l --color=auto'
alias ls='ls --color=auto'
alias vi='vim'
alias ping='ping -c3'
[...]