Differences

This shows you the differences between two versions of the page.

--- initial_config_centos8 [2025/07/26 17:09] – - Imported by DokuWiki Advanced Plugin wikiadm
+++ initial_config_centos8 [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
@@ Line 1: / Line 1: @@
-====== Configuração inicial - CentOS 8/OracleLinux 8 ======
-===== Configurando o sudo para o usuário suporte =====
-<file bash>
-$ su -
-</file>
-<file bash>
-# usermod -aG wheel suporte
-# exit
-sair
-</file>
-<file bash>
-$ sudo vim /etc/sudoers
-[...]
-suporte         ALL=(ALL)       NOPASSWD: ALL
-[...]
-</file>
-Para que a configuração surta efeito, é necessário sair e acessar o servidor novamente.
-<file bash>
-$ exit
-sair
-Connection to 177.75.176.35 closed
-</file>
-<file bash>
-ssh suporte@177.75.176.35
-suporte@177.75.176.35's password:
-Last login: Fri May 20 08:54:40 2022 from 172.20.64.23
-</file>
-===== Instalação de utilitário e bibliotecas ecenssiais para operar o sistema =====
-<file bash>
-$ sudo dnf groupinstall "Development Tools"
-</file>
-<file bash>
-$ sudo dnf install dnf-utils vim-enhanced bash-completion wget bind-utils tcpdump traceroute
-</file>
-FIXME Se o servidor estiver em um servidor ESXI é necessário instalar a biblioteca //open-vm-tools//
-<file bash>
-$ sudo dnf install open-vm-tools
-</file>
-===== Configuração de IPs =====
-<file bash>
-$ sudo nmcli con mod ens160 ipv4.method manual ipv4.addresses 177.75.176.35/27 ipv4.gateway 177.75.176.33
-$ sudo nmcli con mod ens160 ipv6.method manual ipv6.addresses 2804:694:3000:8000::35/64 ipv6.gateway 2804:694:3000:8000::
-$ sudo nmcli con mod ens160 ipv4.dns "177.75.176.25"
-$ sudo nmcli con mod ens160 ipv6.dns "2804:694:4c00:4001::1"
-$ sudo nmcli connection down ens160 ; sudo nmcli c up ens160
-</file>
-<file bash>
-$ ip -br address show
-lo               UNKNOWN        127.0.0.1/8 ::1/128
-ens160           UP             177.75.176.35/27 2804:694:3000:8000::35/64 fe80::20c:29ff:fe51:b1a0/64
-</file>
-===== Configurando o hostname =====
-<file bash>
-$ sudo hostnamectl set-hostname pa-mba-vm-01.juntotelecom.com.br
-</file>
-<file bash>
-$ echo -e "$(hostname -I | cut -f1 -d' ')\t$(hostname -f)\t$(hostname -s)" | sudo tee -a /etc/hosts
-.75.176.35   pa-mba-vm-01.juntotelecom.com.br        pa-mba-vm-01
-</file>
-<file bash>
-$ echo -e "$(hostname -I | cut -f2 -d' ')\t$(hostname -f)\t$(hostname -s)" | sudo tee -a /etc/hosts
-:694:3000:8000::35  pa-mba-vm-01.juntotelecom.com.br        pa-mba-vm-01
-</file>
-===== Ajustando o relógio - NTP =====
-<file bash>
-$ sudo timedatectl set-time '2022-05-21 10:05:00'
-</file>
-<file bash>
-$ timedatectl list-timezones | grep Sao_Paulo
-America/Sao_Paulo
-</file>
-<file bash>
-$ sudo timedatectl set-timezone America/Sao_Paulo
-</file>
-<file bash>
-$ sudo cp -p /etc/chrony.conf{,.dist}
-</file>
-<file bash>
-$ sudo sed -i '/pool 2.pool.ntp.org iburst/s/^#*/#/' /etc/chrony.conf
-$ sudo sed -i '/#pool 2.pool.ntp.org iburst/a pool pool.ntp.br iburst' /etc/chrony.conf
-</file>
-<file bash>
-$ sudo cat /etc/chrony.conf | egrep "#pool 2.pool.ntp.org iburst" -A1
-#pool 2.pool.ntp.org iburst
-pool pool.ntp.br iburst
-</file>
-<file bash>
-$ sudo systemctl restart chronyd
-</file>
-<file bash>
-$ chronyc sources -v
-  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
- / .- Source state '*' = current best, '+' = combined, '-' = not combined,
-| /             'x' = may be in error, '~' = too variable, '?' = unusable.
-||                                                 .- xxxx [ yyyy ] +/- zzzz
-||      Reachability register (octal) -.           |  xxxx = adjusted offset,
-||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
-||                                \     |          |  zzzz = estimated error.
-||                                 |    |           \
-MS Name/IP address         Stratum Poll Reach LastRx Last sample
-===============================================================================
-^+ a.st1.ntp.br                  1   6    17    17  +6180ns[ +163us] +/-   47ms
-^+ b.ntp.br                      2   6    17    19   -557us[ -557us] +/-   90ms
-^* gps.jd.ntp.br                 1   6    17    21   -115us[  +42us] +/-   48ms
-^+ b.st1.ntp.br                  2   6    17    20   -142us[ -142us] +/-   64ms
-</file>
-===== Desativando o acesso SSH para o usuário root =====
-<file bash>
-$ sudo cp -p /etc/ssh/sshd_config{,.dist}
-</file>
-<file bash>
-sudo sed -i '/PermitRootLogin yes/s/^#*/#/' /etc/ssh/sshd_config
-sudo sed -i '/#PermitRootLogin yes/a PermitRootLogin no' /etc/ssh/sshd_config
-</file>
-**Ou**
-<file bash>
-sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
-</file>
-<file bash>
-$ sudo cat /etc/ssh/sshd_config | egrep "#PermitRootLogin yes" -A1
-#PermitRootLogin yes
-PermitRootLogin no
-</file>
-===== Alterando a porta do SSH =====
-<file bash>
-$ sudo sed -i '/#Port 22/a Port 22022' /etc/ssh/sshd_config
-</file>
-<file bash>
-[suporte@podman ~]$ sudo cat /etc/ssh/sshd_config | egrep "#Port" -A1
-#Port 22
-Port 22022
-</file>
-==== Conextos selinux ====
-<file bash>
-$ sudo semanage port -a -t ssh_port_t -p tcp 22022
-sudo: semanage: comando não encontrado
-</file>
-<file bash>
-$ sudo dnf whatprovides semanage
-Última verificação de data de vencimento de metadados: 2:57:15 atrás em sex 20 mai 2022 15:39:40 -03.
-policycoreutils-python-utils-2.8-16.1.0.1.el8.noarch : SELinux policy core python utilities
-Repo        : ol8_baseos_latest
-Resultado a partir de:
-Nome de arquivo    : /usr/sbin/semanage
-policycoreutils-python-utils-2.9-3.0.1.el8.noarch : SELinux policy core python utilities
-Repo        : ol8_baseos_latest
-Resultado a partir de:
-Nome de arquivo    : /usr/sbin/semanage
-policycoreutils-python-utils-2.9-3.0.1.el8_1.1.noarch : SELinux policy core python utilities
-Repo        : ol8_baseos_latest
-Resultado a partir de:
-Nome de arquivo    : /usr/sbin/semanage
-policycoreutils-python-utils-2.9-9.0.1.el8.noarch : SELinux policy core python utilities
-Repo        : ol8_baseos_latest
-Resultado a partir de:
-Nome de arquivo    : /usr/sbin/semanage
-policycoreutils-python-utils-2.9-14.0.1.el8.noarch : SELinux policy core python utilities
-Repo        : ol8_baseos_latest
-Resultado a partir de:
-Nome de arquivo    : /usr/sbin/semanage
-policycoreutils-python-utils-2.9-16.0.1.el8.noarch : SELinux policy core python utilities
-Repo        : ol8_baseos_latest
-Resultado a partir de:
-Nome de arquivo    : /usr/sbin/semanage
-policycoreutils-python-utils-2.9-19.0.1.el8.noarch : SELinux policy core python utilities
-Repo        : ol8_baseos_latest
-Resultado a partir de:
-Nome de arquivo    : /usr/sbin/semanage
-</file>
-<file bash>
-$ sudo dnf provides *bin/semanage
-Última verificação de data de vencimento de metadados: 2:58:09 atrás em sex 20 mai 2022 15:39:40 -03.
-policycoreutils-python-utils-2.8-16.1.0.1.el8.noarch : SELinux policy core python utilities
-Repo        : ol8_baseos_latest
-Resultado a partir de:
-Outro       : *bin/semanage
-policycoreutils-python-utils-2.9-3.0.1.el8.noarch : SELinux policy core python utilities
-Repo        : ol8_baseos_latest
-Resultado a partir de:
-Outro       : *bin/semanage
-policycoreutils-python-utils-2.9-3.0.1.el8_1.1.noarch : SELinux policy core python utilities
-Repo        : ol8_baseos_latest
-Resultado a partir de:
-Outro       : *bin/semanage
-policycoreutils-python-utils-2.9-9.0.1.el8.noarch : SELinux policy core python utilities
-Repo        : ol8_baseos_latest
-Resultado a partir de:
-Outro       : *bin/semanage
-policycoreutils-python-utils-2.9-14.0.1.el8.noarch : SELinux policy core python utilities
-Repo        : ol8_baseos_latest
-Resultado a partir de:
-Outro       : *bin/semanage
-policycoreutils-python-utils-2.9-16.0.1.el8.noarch : SELinux policy core python utilities
-Repo        : ol8_baseos_latest
-Resultado a partir de:
-Outro       : *bin/semanage
-policycoreutils-python-utils-2.9-19.0.1.el8.noarch : SELinux policy core python utilities
-Repo        : ol8_baseos_latest
-Resultado a partir de:
-Outro       : *bin/semanage
-</file>
-<file bash>
-$ sudo dnf install policycoreutils-python-utils
-</file>
-<file bash>
-$ sudo semanage port -a -t ssh_port_t -p tcp 22022
-</file>
-<file bash>
-$ sudo systemctl restart sshd.service
-</file>
-<file bash>
-[suporte@podman ~]$ ss -nltp | grep 22022
-LISTEN 0      128          0.0.0.0:22022      0.0.0.0:*
-LISTEN 0      128             [::]:22022         [::]:*
-</file>
-===== Ajustes das regras de firewall =====
-==== Listando todas as zonas ====
-<file bash>
-$ sudo firewall-cmd --list-all-zones
-block
-  target: %%REJECT%%
-  icmp-block-inversion: no
-  interfaces:
-  sources:
-  services:
-  ports:
-  protocols:
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-dmz
-  target: default
-  icmp-block-inversion: no
-  interfaces:
-  sources:
-  services: ssh
-  ports:
-  protocols:
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-drop
-  target: DROP
-  icmp-block-inversion: no
-  interfaces:
-  sources:
-  services:
-  ports:
-  protocols:
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-external
-  target: default
-  icmp-block-inversion: no
-  interfaces:
-  sources:
-  services: ssh
-  ports:
-  protocols:
-  forward: no
-  masquerade: yes
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-home
-  target: default
-  icmp-block-inversion: no
-  interfaces:
-  sources:
-  services: cockpit dhcpv6-client mdns samba-client ssh
-  ports:
-  protocols:
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-internal
-  target: default
-  icmp-block-inversion: no
-  interfaces:
-  sources:
-  services: cockpit dhcpv6-client mdns samba-client ssh
-  ports:
-  protocols:
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-nm-shared
-  target: ACCEPT
-  icmp-block-inversion: no
-  interfaces:
-  sources:
-  services: dhcp dns ssh
-  ports:
-  protocols: icmp ipv6-icmp
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-        rule priority="32767" reject
-public (active)
-  target: default
-  icmp-block-inversion: no
-  interfaces: ens160
-  sources:
-  services: cockpit dhcpv6-client ssh
-  ports:
-  protocols:
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-trusted
-  target: ACCEPT
-  icmp-block-inversion: no
-  interfaces:
-  sources:
-  services:
-  ports:
-  protocols:
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-work
-  target: default
-  icmp-block-inversion: no
-  interfaces:
-  sources:
-  services: cockpit dhcpv6-client ssh
-  ports:
-  protocols:
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-</file>
-==== Listando as zonas com regras padrão ====
-<file bash>
-$ sudo firewall-cmd --list-all --zone=home
-home
-  target: default
-  icmp-block-inversion: no
-  interfaces:
-  sources:
-  services: cockpit dhcpv6-client mdns samba-client ssh
-  ports:
-  protocols:
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-</file>
-<file bash>
-$ sudo firewall-cmd --list-all --zone=internal
-internal
-  target: default
-  icmp-block-inversion: no
-  interfaces:
-  sources:
-  services: cockpit dhcpv6-client mdns samba-client ssh
-  ports:
-  protocols:
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-</file>
-<file bash>
-$ sudo firewall-cmd --list-all --zone=nm-shared
-nm-shared
-  target: ACCEPT
-  icmp-block-inversion: no
-  interfaces:
-  sources:
-  services: dhcp dns ssh
-  ports:
-  protocols: icmp ipv6-icmp
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-        rule priority="32767" reject
-</file>
-<file bash>
-$ sudo firewall-cmd --list-all --zone=public
-public (active)
-  target: default
-  icmp-block-inversion: no
-  interfaces: ens160
-  sources:
-  services: cockpit dhcpv6-client ssh
-  ports:
-  protocols:
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-</file>
-<file bash>
-$ sudo firewall-cmd --list-all --zone=work
-work
-  target: default
-  icmp-block-inversion: no
-  interfaces:
-  sources:
-  services: cockpit dhcpv6-client ssh
-  ports:
-  protocols:
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-</file>
-==== Ajustando as regras do SSH da zona ativa - principal/padrão ====
-<file bash>
-$ sudo firewall-cmd --get-default-zone
-public
-</file>
-<file bash>
-$ sudo firewall-cmd --list-all
-public (active)
-  target: default
-  icmp-block-inversion: no
-  interfaces: ens160
-  sources:
-  services: cockpit dhcpv6-client ssh
-  ports:
-  protocols:
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-</file>
-<file bash>
-$ sudo firewall-cmd --permanent --zone=public --remove-service=ssh
-success
-</file>
-<file bash>
-$ sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="172.20.64.0/27" destination address=177.75.176.35/32 port port="22022" protocol="tcp" accept'
-$ sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="177.75.182.133/32" destination address=177.75.176.35/32 port port="22022" protocol="tcp" accept'
-$ sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="177.75.187.195/32" destination address=177.75.176.35/32 port port="22022" protocol="tcp" accept'
-$ sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv6" source address="2804:694:4c00:4005::/64" destination address=2804:694:3000:8000::35/128 port port="22022" protocol="tcp" accept'
-$ sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv6" source address="2804:694:3000:4000::/64" destination address=2804:694:3000:8000::35/128 port port="22022" protocol="tcp" accept'
-[suporte@podman ~]$ sudo firewall-cmd --reload
-</file>
-<file bash>
-$ sudo firewall-cmd --list-all
-public (active)
-  target: default
-  icmp-block-inversion: no
-  interfaces: ens160
-  sources:
-  services: cockpit dhcpv6-client
-  ports:
-  protocols:
-  forward: no
-  masquerade: no
-  forward-ports:
-  source-ports:
-  icmp-blocks:
-  rich rules:
-        rule family="ipv6" source address="2804:694:4c00:4005::/64" destination address="2804:694:3000:8000::35/128" port port="22022" protocol="tcp" accept
-        rule family="ipv4" source address="177.75.187.195/32" destination address="177.75.176.35/32" port port="22022" protocol="tcp" accept
-        rule family="ipv4" source address="172.20.64.0/27" destination address="177.75.176.35/32" port port="22022" protocol="tcp" accept
-        rule family="ipv4" source address="177.75.182.133/32" destination address="177.75.176.35/32" port port="22022" protocol="tcp" accept
-        rule family="ipv6" source address="2804:694:3000:4000::/64" destination address="2804:694:3000:8000::35/128" port port="22022" protocol="tcp" accept
-</file>
-===== Configuração do vim =====
-[[vimrc_v2|vimrc]]
-===== Configuração do bash =====
-<file bash bashrc>
-#vim ~/.bashrc
-# .bashrc
-# Cores
-Preto='\[\033[01;30m\]'
-Vermelho='\[\033[01;31m\]'
-Verde='\[\033[01;32m\]'
-Amarelo='\[\033[01;33m\]'
-Azul='\[\033[01;34m\]'
-Roxo='\[\033[01;35m\]'
-Ciano='\[\033[01;36m\]'
-Branco='\[\033[01;37m\]'
-Cinza='\[\033[01;38m\]'
-PS1="$Branco\u$Azul@$Ciano\h$Roxo:\w$Branco$ \[\033[00m\]"
-HISTTIMEFORMAT='%d-%m-%Y %H:%M- '
-HISTCONTROL=ignoreboth
-HISTSIZE=1000
-HISTFILESIZE=2000
-shopt -s checkwinsize
-EDITOR='vim'
-alias rm='rm -i'
-alias cp='cp -i'
-alias mv='mv -i'
-alias echo='/bin/echo'
-alias egrep='egrep --color=auto'
-alias fgrep='fgrep --color=auto'
-alias grep='grep --color=auto'
-alias l.='ls -d .* --color=auto'
-alias ll='ls -l --color=auto'
-alias ls='ls --color=auto'
-alias vi='vim'
-alias ping='ping -c3'
-[...]
-</file>