###selinux的初級管理###
1.什麼時selinux
selinux,內核級加強型防火牆
2.如何管理selinux級別
selinux開啓或者關閉)
vim /etc/sysconfig/selinux
selinux=disabled ##關閉狀態
selinux=Enforcing ##強制狀態
selinux=Permissive ##警告狀態
getenforce ##查看狀態
當selinux開啓時
setenforce 0|1 ##更改selinux運行級別
3.如何更改文件安全上下文
臨時更改)
chcon -t 安全上下文 文件
chcon -t public_content_t /publicftp -R
永久更改)
semanage fcontext -l ##列出內核安全上下文列表內容
semanage fcontext -a -t public_content_t '/publicftp(/.*)?'
restorecon -FvvR /publicftp/
4.如何控制selinux對服務功能的開關
getsebool -a | grep 服務名稱
getsebool -a | grep ftp
setsebool -P 功能bool值 on|off
setsebool -P ftpd_anon_write on
5.監控selinux的錯誤信息
setroubleshoot-server
###系統恢復###
1.系統啓動流程
通電
||
bios(主板上的只讀存儲中,basic input or output system)
作用,硬件檢測,激活硬件
||
grub系統引導(grub引導分爲兩個階段)
1)階段1 mbr(主引導記錄)主引導記錄在硬盤上的0磁道,一扇區,446個字節
*)dd if=/dev/zero of=/dev/vda bs=446 count=1 可以清空mbr
*)進入到挽救模式,執行chroot /mnt/sysp_w_picpath切換到真實/環境,
並執行grub2-install /dev/vda
2)階段2 grub文件引導階段
找到/boot分區
讀取/boot/grub2/grub.cfg
文件丟失,grub2-mkconfig >/boot/grub2/grub.cfg
||
啓動內核,只讀掛載/設備
檢測設備
對設備驅動進行初始化
進入系統初始化階段
內核丟失,從新安裝內核安裝包就可以解決
rpm -ivh kernel-xxxxx.rpm --force
||
系統初始化階段
系統初始化階段加載initrd鏡像
開啓初始化進程systemd
開始selinux
加載內核參數
初始化系統時鐘,鍵盤,主機名稱
重新讀寫掛載/設備
激活raid,lvm
激活配額
啓動multi-user.target.wants中的所有服務
開啓虛擬控制檯
啓動圖形
initramfs-`uname -r`.img丟失用:
mkinitrd initramfs-`uname -r`.img `uname -r`
恢復
改密碼
###dns高速緩存###
第一步(服務配置):
修改server主機ip爲172.25.254.118 (作爲dns服務器端)
修改server主機ip爲172.25.254.218 (作爲dns客戶端)
兩臺主機同時做:
修改yum源爲http://172.25.254.250/rhel7
yum install bind -y
systemctl status named
systemctl start named
systemctl enable named
server主機:
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
vim /etc/named.conf
修改內容爲:
行數 內容
11 listen-on port 53 { any; }; ##設定端口開放,any表示所有interface都開
17 allow-query { any; }; ##回答所有人的問題
18 forwarders { 172.25.254.250; }; ##緩存誰的答案
32 dnssec-validation no; ##表示不發佈dns表
desktop主機:
vim /etc/resolv.conf
添加內容爲:
nameserver 172.25.254.118 ##在第三行添加
然後進行測試,如:
dig www.xxx.com
示例:
[root@client-dns ~]# dig www.qq.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26942
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.qq.com. IN A
;; ANSWER SECTION:
www.qq.com. 300 IN A 113.142.21.81
;; AUTHORITY SECTION:
www.qq.com. 83653 IN NS ns-cnc1.qq.com.
www.qq.com. 83653 IN NS ns-tel1.qq.com.
www.qq.com. 83653 IN NS ns-os1.qq.com.
www.qq.com. 83653 IN NS ns-cmn1.qq.com.
;; ADDITIONAL SECTION:
ns-cmn1.qq.com. 2939 IN A 183.232.120.59
ns-cmn1.qq.com. 2939 IN A 182.254.16.102
ns-cmn1.qq.com. 2939 IN A 182.254.111.100
;; Query time: 53 msec
;; SERVER: 172.25.254.118#53(172.25.254.118)
;; WHEN: Sun Nov 20 01:53:10 EST 2016
;; MSG SIZE rcvd: 190
第二步(正向解析,規範名稱-CNAME):
配置(server主機):
修改/etc/named.conf文件的內容:
刪除第18行,即,刪除 forwarders { 172.25.254.250; };
退出保存
vim /etc/named.rfc1912.zones
修改內容爲:
在第25行添加內容爲:
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { none; };
29 };
30
退出保存,然後執行:
cd /var/named
cp -p named.localhost westos.com.zone ##一定要加-p,-p的作用是權限
vim /var/named/westos.com.zone
修改文件/var/named/westos.com.zone內容爲:
(!!!@@@注意:修改此文件時一定要注意“.”的存在,若不帶"."則系統自動往後面添加.westos.com)
1 $TTL 1D
2 @ IN SOA dns.westos.com. root.westos.com. (注意“.”) (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.westos.com.(注意“.”)
9 dns A 172.25.254.118
10 www A 172.25.254.18
11 AAAA ::1
12 bbs CNAME www.westos.com.
13 westos.com. MX 1 172.25.254.118. ##發送郵件的地址
退出保存後,執行:
systemctl restart named
測試(desktop主機):
[root@client-dns ~]# dig www.westos.com
;www.westos.com. IN A
;; ANSWER SECTION:
www.westos.com. 86400 IN A 172.25.254.18
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.118
;; Query time: 2 msec
;; SERVER: 172.25.254.107#53(172.25.254.107)
;; WHEN: Sun Nov 20 02:26:03 EST 2016
;; MSG SIZE rcvd: 93
[root@client-dns ~]# dig bbs.westos.com
;bbs.westos.com. IN A
;; ANSWER SECTION:
bbs.westos.com. 86400 IN CNAME www.westos.com.
www.westos.com. 86400 IN A 172.25.254.18
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.118
;; Query time: 2 msec
;; SERVER: 172.25.254.118#53(172.25.254.118)
;; WHEN: Sun Nov 20 02:54:42 EST 2016
;; MSG SIZE rcvd: 111
第三步(反向解析):
vim /etc/named.rfc1912.zones
編寫/etc/named.rfc1912.zones文件內容:
在第43行添加:
43 zone "254.25.172.in-addr.arpa" IN {
44 type master;
45 file "westos.com.ptr";
46 allow-update { none; };
47 };
退出保存後
cd /var/named
cp -p named.loopback westos.com.ptr
vim westos.com.ptr
內容爲:
1 $TTL 1D
2 @ IN SOA dns.westos.com. root.westos.com. (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.westos.com.
9 A 172.25.254.118
10 AAAA ::1
11 111 PTR www.westos.com.
12 110 PTR www.lover.com.
退出保存後,執行:
systemctl restart named
測試(desktop主機):
使用命令: dig -x 172.25.254.110 (ip值)
[root@client-dns ~]# dig -x 172.25.254.110
;110.254.25.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
110.254.25.172.in-addr.arpa. 86400 IN PTR www.lover.com.
;; AUTHORITY SECTION:
254.25.172.in-addr.arpa. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.118
;; Query time: 2 msec
;; SERVER: 172.25.254.118#53(172.25.254.118)
;; WHEN: Sun Nov 20 03:09:51 EST 2016
;; MSG SIZE rcvd: 124
[root@client-dns ~]# dig -x 172.25.254.111
;111.254.25.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
111.254.25.172.in-addr.arpa. 86400 IN PTR www.westos.com.
;; AUTHORITY SECTION:
254.25.172.in-addr.arpa. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.118
;; Query time: 2 msec
;; SERVER: 172.25.254.118#53(172.25.254.118)
;; WHEN: Sun Nov 20 03:09:57 EST 2016
;; MSG SIZE rcvd: 118
第四步(雙向解析):
配置/etc/named.conf文件,如下:
50 /*zone "." IN {
51 type hint;
52 file "named.ca";
53 };
54
55 include "/etc/named.rfc1912.zones";
56 include "/etc/named.root.key";
57 */
58 view localnet {
59 match-clients { 172.25.254.118; };
60 zone "." IN {
61 type hint;
62 file "named.ca";
63 };
64 include "/etc/named.rfc1912.zones";
65 };
66
67
68 view internet {
69 match-clients { any; };
70 zone "." IN {
71 type hint;
72 file "named.ca";
73 };
74 include "/etc/named.rfc1912.zones.inter";
75 };
退出保存
cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.inter
vim /etc/named.rfc1912.zones.inter
內容爲:
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.inter";
28 allow-update { none; };
29 };
30
43 zone "254.25.172.in-addr.arpa" IN {
44 type master;
45 file "westos.com.ptr.inter";
46 allow-update { none; };
退出保存
cp -p /var/named/westos.com.zone /var/named/westos.com.inter
vim /etc/named/westos.com.inter
修改內容爲:
8 NS dns.westos.com.
9 dns A 172.25.0.118
10 www A 172.25.0.18
11 AAAA ::1
12 bbs CNAME www.westos.com.
13 westos.com. MX 1 172.25.0.218.
退出保存
cp -p /var/named/westos.com.ptr /var/named/westos.com.ptr.inter
vim /var/named/westos.com.ptr.inter
修改內容爲:
8 NS dns.westos.com.
9 A 172.25.254.118
10 AAAA ::1
11 111 PTR www.force.com.
12 110 PTR www.250.com.
退出保存
然後執行:
systemctl restart named
按照上述順序,在此處重啓服務正常,若想在配置完/etc/named.conf文件後,立即restart服務,則需要把上述順序顛倒
測試一(server主機):
@@@注意:若出現不匹配現象,則需要修改/etc/resolv.conf 文件,文件內容修改爲:
nameserver 172.25.254.118 ##在第三行添加
[root@dns-server named]# dig -x 172.25.254.110
;110.254.25.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
110.254.25.172.in-addr.arpa. 86400 IN PTR www.lover.com.
;; AUTHORITY SECTION:
254.25.172.in-addr.arpa. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.118
;; Query time: 2 msec
;; SERVER: 172.25.254.118#53(172.25.254.118)
;; WHEN: Sun Nov 20 04:04:21 EST 2016
;; MSG SIZE rcvd: 124
[root@dns-server ~]# dig www.westos.com
;www.westos.com. IN A
;; ANSWER SECTION:
www.westos.com. 86400 IN A 172.25.254.18
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.118
;; Query time: 1 msec
;; SERVER: 172.25.254.118#53(172.25.254.118)
;; WHEN: Sun Nov 20 04:00:23 EST 2016
;; MSG SIZE rcvd: 93
測試二(desktop主機):
[root@client-dns ~]# dig www.westos.com
;www.westos.com. IN A
;; ANSWER SECTION:
www.westos.com. 86400 IN A 172.25.0.18
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.0.118
;; Query time: 2 msec
;; SERVER: 172.25.254.118#53(172.25.254.118)
;; WHEN: Sun Nov 20 04:00:02 EST 2016
;; MSG SIZE rcvd: 93
[root@client-dns ~]# dig -x 172.25.254.110
;110.254.25.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
110.254.25.172.in-addr.arpa. 86400 IN PTR www.250.com.
;; AUTHORITY SECTION:
254.25.172.in-addr.arpa. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.0.118
;; Query time: 1 msec
;; SERVER: 172.25.254.118#53(172.25.254.118)
;; WHEN: Sun Nov 20 04:04:38 EST 2016
;; MSG SIZE rcvd: 122
1
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.