
Initial configuration - CentOS 8 / Oracle Linux 8

Configuring sudo for the suporte user

$ su -
# usermod -aG wheel suporte
# exit
sair
$ sudo vim /etc/sudoers
[...]
suporte         ALL=(ALL)       NOPASSWD: ALL
[...]

For the configuration to take effect, log out and log in to the server again.

$ exit
sair
Connection to 177.75.176.35 closed
ssh suporte@177.75.176.35
suporte@177.75.176.35's password:
Last login: Fri May 20 08:54:40 2022 from 172.20.64.23
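As an added example (not part of the original page), the same grant installed as a drop-in under /etc/sudoers.d rather than by editing /etc/sudoers in vim: a syntax error in /etc/sudoers stops sudo for every user, while "visudo -c -f" checks a single file before it goes live. The directory argument, the helper names and the temp-file handling are this example's own assumptions; the grant line is the one used above.

```shell
#!/bin/sh
# Added example, not from the original page: install the sudo grant for the
# "suporte" user as a drop-in under /etc/sudoers.d instead of editing
# /etc/sudoers by hand. Assumptions: the directory defaults to /etc/sudoers.d
# (pass another one as $2 for testing) and the grant is the page's own line.

# install_sudoers_dropin USER [DIR]
# Writes DIR/USER with "USER ALL=(ALL) NOPASSWD: ALL", mode 0440, and refuses
# to install it when visudo finds a syntax error.
install_sudoers_dropin() {
    user=$1
    dir=${2:-/etc/sudoers.d}
    # sudo ignores files whose name contains a dot, so the half-written temp
    # file is never parsed; only the final rename makes the grant live.
    tmp=$(mktemp "$dir/.$user.XXXXXX") || return 1
    printf '%s\tALL=(ALL)\tNOPASSWD: ALL\n' "$user" > "$tmp"
    chmod 0440 "$tmp"
    # "visudo -c -f FILE" checks only that file's syntax, without touching
    # the live /etc/sudoers; the check is skipped where visudo is absent.
    if command -v visudo >/dev/null 2>&1 && ! visudo -c -f "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dir/$user"
}

# sudoers_grant USER DIR: prints the grant currently installed for USER.
sudoers_grant() {
    grep "^$1[[:space:]]" "$2/$1" 2>/dev/null
}
```

Run it as root (the default directory is only writable by root); afterwards "sudo -l -U suporte" lists the privileges the user ended up with, which is the check to make before the old root session is closed.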

Installing the essential utilities and libraries to operate the system

$ sudo dnf groupinstall "Development Tools"
$ sudo dnf install dnf-utils vim-enhanced bash-completion wget bind-utils tcpdump traceroute

FIXME If the server is a VM on an ESXi host, the open-vm-tools package must also be installed

$ sudo dnf install open-vm-tools

IP configuration

$ sudo nmcli con mod ens160 ipv4.method manual ipv4.addresses 177.75.176.35/27 ipv4.gateway 177.75.176.33
$ sudo nmcli con mod ens160 ipv6.method manual ipv6.addresses 2804:694:3000:8000::35/64 ipv6.gateway 2804:694:3000:8000::
$ sudo nmcli con mod ens160 ipv4.dns "177.75.176.25"
$ sudo nmcli con mod ens160 ipv6.dns "2804:694:4c00:4001::1"
$ sudo nmcli connection down ens160 ; sudo nmcli c up ens160
$ ip -br address show
lo               UNKNOWN        127.0.0.1/8 ::1/128
ens160           UP             177.75.176.35/27 2804:694:3000:8000::35/64 fe80::20c:29ff:fe51:b1a0/64

Configuring the hostname

$ sudo hostnamectl set-hostname pa-mba-vm-01.juntotelecom.com.br
$ echo -e "$(hostname -I | cut -f1 -d' ')\t$(hostname -f)\t$(hostname -s)" | sudo tee -a /etc/hosts
177.75.176.35   pa-mba-vm-01.juntotelecom.com.br        pa-mba-vm-01
$ echo -e "$(hostname -I | cut -f2 -d' ')\t$(hostname -f)\t$(hostname -s)" | sudo tee -a /etc/hosts
2804:694:3000:8000::35  pa-mba-vm-01.juntotelecom.com.br        pa-mba-vm-01

Adjusting the clock - NTP

$ sudo timedatectl set-time '2022-05-21 10:05:00'
$ timedatectl list-timezones | grep Sao_Paulo
America/Sao_Paulo
$ sudo timedatectl set-timezone America/Sao_Paulo
$ sudo cp -p /etc/chrony.conf{,.dist}
$ sudo sed -i '/pool 2.pool.ntp.org iburst/s/^#*/#/' /etc/chrony.conf
$ sudo sed -i '/#pool 2.pool.ntp.org iburst/a pool pool.ntp.br iburst' /etc/chrony.conf
$ sudo cat /etc/chrony.conf | egrep "#pool 2.pool.ntp.org iburst" -A1
#pool 2.pool.ntp.org iburst
pool pool.ntp.br iburst
$ sudo systemctl restart chronyd
$ chronyc sources -v
 
  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current best, '+' = combined, '-' = not combined,
| /             'x' = may be in error, '~' = too variable, '?' = unusable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ a.st1.ntp.br                  1   6    17    17  +6180ns[ +163us] +/-   47ms
^+ b.ntp.br                      2   6    17    19   -557us[ -557us] +/-   90ms
^* gps.jd.ntp.br                 1   6    17    21   -115us[  +42us] +/-   48ms
^+ b.st1.ntp.br                  2   6    17    20   -142us[ -142us] +/-   64ms

Disabling SSH access for the root user

$ sudo cp -p /etc/ssh/sshd_config{,.dist}
$ sudo sed -i '/PermitRootLogin yes/s/^#*/#/' /etc/ssh/sshd_config
$ sudo sed -i '/#PermitRootLogin yes/a PermitRootLogin no' /etc/ssh/sshd_config

Or

$ sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
$ sudo cat /etc/ssh/sshd_config | egrep "#PermitRootLogin yes" -A1
#PermitRootLogin yes
PermitRootLogin no

Changing the SSH port

$ sudo sed -i '/#Port 22/a Port 22022' /etc/ssh/sshd_config
[suporte@podman ~]$ sudo cat /etc/ssh/sshd_config | egrep "#Port" -A1
#Port 22
Port 22022
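The chrony.conf, PermitRootLogin and Port edits above all follow one pattern: comment out the old line and add the new one right after it. Run a second time, the bare "sed '/.../a ...'" form appends another copy of the new line. The helper below is an added example, not code from the original page: it applies the same pattern idempotently (one active line, the original kept as a comment for audit) and reports the value sshd will actually use, since sshd takes the first active occurrence of a keyword. The function names are this example's own; the config contents in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Idempotent "comment out the old
# line, add the new one after it" edit for key/value configs such as
# chrony.conf and sshd_config, plus a reader for the effective value.
# Assumption: the first active occurrence of a keyword wins (sshd semantics).

# set_config_option FILE KEY VALUE
set_config_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        # an active line for KEY is kept for audit, but commented out
        $1 == key { sub(/^[ \t]*/, "#") }
        # a line this function wrote on an earlier run (just commented above)
        # is dropped, so reruns do not pile up copies
        $0 == ("#" key " " value) { next }
        { print }
        # right after the first mention of KEY, emit the new active line once
        !done && $0 ~ ("^#+[ \t]*" key "([ \t]|$)") { print key " " value; done = 1 }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps mode, owner and SELinux label
    rc=$?
    rm -f "$tmp"
    return $rc
}

# config_effective FILE KEY: the value of the first active KEY line, if any.
config_effective() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}
```

Usage for the steps above: "set_config_option /etc/chrony.conf pool 'pool.ntp.br iburst'", "set_config_option /etc/ssh/sshd_config PermitRootLogin no" and "set_config_option /etc/ssh/sshd_config Port 22022". Before "systemctl restart sshd", "sudo sshd -t" validates the edited file, and "config_effective /etc/ssh/sshd_config Port" shows which Port line wins if the file already had more than one.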

SELinux contexts

$ sudo semanage port -a -t ssh_port_t -p tcp 22022
sudo: semanage: comando não encontrado
$ sudo dnf whatprovides semanage
Última verificação de data de vencimento de metadados: 2:57:15 atrás em sex 20 mai 2022 15:39:40 -03.
policycoreutils-python-utils-2.8-16.1.0.1.el8.noarch : SELinux policy core python utilities
Repo        : ol8_baseos_latest
Resultado a partir de:
Nome de arquivo    : /usr/sbin/semanage
 
policycoreutils-python-utils-2.9-3.0.1.el8.noarch : SELinux policy core python utilities
Repo        : ol8_baseos_latest
Resultado a partir de:
Nome de arquivo    : /usr/sbin/semanage
 
policycoreutils-python-utils-2.9-3.0.1.el8_1.1.noarch : SELinux policy core python utilities
Repo        : ol8_baseos_latest
Resultado a partir de:
Nome de arquivo    : /usr/sbin/semanage
 
policycoreutils-python-utils-2.9-9.0.1.el8.noarch : SELinux policy core python utilities
Repo        : ol8_baseos_latest
Resultado a partir de:
Nome de arquivo    : /usr/sbin/semanage
 
policycoreutils-python-utils-2.9-14.0.1.el8.noarch : SELinux policy core python utilities
Repo        : ol8_baseos_latest
Resultado a partir de:
Nome de arquivo    : /usr/sbin/semanage
 
policycoreutils-python-utils-2.9-16.0.1.el8.noarch : SELinux policy core python utilities
Repo        : ol8_baseos_latest
Resultado a partir de:
Nome de arquivo    : /usr/sbin/semanage
 
policycoreutils-python-utils-2.9-19.0.1.el8.noarch : SELinux policy core python utilities
Repo        : ol8_baseos_latest
Resultado a partir de:
Nome de arquivo    : /usr/sbin/semanage
$ sudo dnf provides *bin/semanage
Última verificação de data de vencimento de metadados: 2:58:09 atrás em sex 20 mai 2022 15:39:40 -03.
policycoreutils-python-utils-2.8-16.1.0.1.el8.noarch : SELinux policy core python utilities
Repo        : ol8_baseos_latest
Resultado a partir de:
Outro       : *bin/semanage
 
policycoreutils-python-utils-2.9-3.0.1.el8.noarch : SELinux policy core python utilities
Repo        : ol8_baseos_latest
Resultado a partir de:
Outro       : *bin/semanage
 
policycoreutils-python-utils-2.9-3.0.1.el8_1.1.noarch : SELinux policy core python utilities
Repo        : ol8_baseos_latest
Resultado a partir de:
Outro       : *bin/semanage
 
policycoreutils-python-utils-2.9-9.0.1.el8.noarch : SELinux policy core python utilities
Repo        : ol8_baseos_latest
Resultado a partir de:
Outro       : *bin/semanage
 
policycoreutils-python-utils-2.9-14.0.1.el8.noarch : SELinux policy core python utilities
Repo        : ol8_baseos_latest
Resultado a partir de:
Outro       : *bin/semanage
 
policycoreutils-python-utils-2.9-16.0.1.el8.noarch : SELinux policy core python utilities
Repo        : ol8_baseos_latest
Resultado a partir de:
Outro       : *bin/semanage
 
policycoreutils-python-utils-2.9-19.0.1.el8.noarch : SELinux policy core python utilities
Repo        : ol8_baseos_latest
Resultado a partir de:
Outro       : *bin/semanage
$ sudo dnf install policycoreutils-python-utils
$ sudo semanage port -a -t ssh_port_t -p tcp 22022
$ sudo systemctl restart sshd.service
[suporte@podman ~]$ ss -nltp | grep 22022
LISTEN 0      128          0.0.0.0:22022      0.0.0.0:*
LISTEN 0      128             [::]:22022         [::]:*

Adjusting the firewall rules

Listing all zones

$ sudo firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
 
dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
 
drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
 
external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
 
home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
 
internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
 
nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcp dns ssh
  ports:
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule priority="32767" reject
 
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
 
trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
 
work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Listing the zones with default rules

$ sudo firewall-cmd --list-all --zone=home
home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
$ sudo firewall-cmd --list-all --zone=internal
internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
$ sudo firewall-cmd --list-all --zone=nm-shared
nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcp dns ssh
  ports:
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule priority="32767" reject
$ sudo firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
$ sudo firewall-cmd --list-all --zone=work
work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Adjusting the SSH rules of the active zone - main/default zone

$ sudo firewall-cmd --get-default-zone
public
$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
$ sudo firewall-cmd --permanent --zone=public --remove-service=ssh
success
$ sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="172.20.64.0/27" destination address=177.75.176.35/32 port port="22022" protocol="tcp" accept'
$ sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="177.75.182.133/32" destination address=177.75.176.35/32 port port="22022" protocol="tcp" accept'
$ sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="177.75.187.195/32" destination address=177.75.176.35/32 port port="22022" protocol="tcp" accept'
$ sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv6" source address="2804:694:4c00:4005::/64" destination address=2804:694:3000:8000::35/128 port port="22022" protocol="tcp" accept'
$ sudo firewall-cmd --permanent --add-rich-rule 'rule family="ipv6" source address="2804:694:3000:4000::/64" destination address=2804:694:3000:8000::35/128 port port="22022" protocol="tcp" accept'
[suporte@podman ~]$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv6" source address="2804:694:4c00:4005::/64" destination address="2804:694:3000:8000::35/128" port port="22022" protocol="tcp" accept
        rule family="ipv4" source address="177.75.187.195/32" destination address="177.75.176.35/32" port port="22022" protocol="tcp" accept
        rule family="ipv4" source address="172.20.64.0/27" destination address="177.75.176.35/32" port port="22022" protocol="tcp" accept
        rule family="ipv4" source address="177.75.182.133/32" destination address="177.75.176.35/32" port port="22022" protocol="tcp" accept
        rule family="ipv6" source address="2804:694:3000:4000::/64" destination address="2804:694:3000:8000::35/128" port port="22022" protocol="tcp" accept
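The five rich rules above differ only in the source and in the address family. As an added example, not code from the original page, the helper below derives the family and the matching destination from the source address itself, names the zone explicitly instead of relying on the default zone, and has a dry-run mode that prints the firewall-cmd calls it would make. The destination addresses, port and sources are the page's own; the function names and the dry-run flag are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: build the firewalld rich rules
# that restrict the SSH port to the allowed management sources.
SSH_PORT=22022
DST4=177.75.176.35/32
DST6=2804:694:3000:8000::35/128

# rich_rule SOURCE_CIDR: prints the rich rule, picking the address family
# (and the destination of the same family) from the source itself.
rich_rule() {
    case $1 in
        *:*) family=ipv6 dst=$DST6 ;;
        *)   family=ipv4 dst=$DST4 ;;
    esac
    printf 'rule family="%s" source address="%s" destination address="%s" port port="%s" protocol="tcp" accept\n' \
        "$family" "$1" "$dst" "$SSH_PORT"
}

# apply_rules [dry-run] SOURCE...
# Adds one permanent rule per source to the public zone, removes the generic
# ssh service from that zone, then reloads so all changes land at once.
# With "dry-run" as the first argument it only echoes the commands.
apply_rules() {
    run=
    [ "$1" = dry-run ] && { run=echo; shift; }
    for src in "$@"; do
        # $run is left unquoted on purpose: empty means "execute for real"
        $run firewall-cmd --permanent --zone=public --add-rich-rule "$(rich_rule "$src")"
    done
    $run firewall-cmd --permanent --zone=public --remove-service=ssh
    $run firewall-cmd --reload
}
```

Usage: "apply_rules 172.20.64.0/27 177.75.182.133/32 177.75.187.195/32 2804:694:4c00:4005::/64 2804:694:3000:4000::/64". Nothing changes until "--reload", so keep the current session open and confirm a fresh connection to port 22022 from one of the listed sources before closing it; "firewall-cmd --list-rich-rules" then shows exactly the rules that were installed.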

vim configuration

bash configuration

bashrc
#vim ~/.bashrc
# .bashrc
# Colors
Preto='\[\033[01;30m\]'
Vermelho='\[\033[01;31m\]'
Verde='\[\033[01;32m\]'
Amarelo='\[\033[01;33m\]'
Azul='\[\033[01;34m\]'
Roxo='\[\033[01;35m\]'
Ciano='\[\033[01;36m\]'
Branco='\[\033[01;37m\]'
Cinza='\[\033[01;38m\]'
 
PS1="$Branco\u$Azul@$Ciano\h$Roxo:\w$Branco$ \[\033[00m\]"
 
HISTTIMEFORMAT='%d-%m-%Y %H:%M- '
HISTCONTROL=ignoreboth
HISTSIZE=1000
HISTFILESIZE=2000
shopt -s checkwinsize
 
EDITOR='vim'
 
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias echo='/bin/echo'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias grep='grep --color=auto'
alias l.='ls -d .* --color=auto'
alias ll='ls -l --color=auto'
alias ls='ls --color=auto'
alias vi='vim'
alias ping='ping -c3'
[...]