Contents
  1. Linux Distribution OS
  2. Essential security settings
    2.1. Keep the server system up to date
      2.1.1. Install security updates automatically
    2.2. Add a user account with restricted access
    2.3. SSH daemon configuration
      2.3.1. Deny root login over SSH
      2.3.2. Set up fail2ban
  3. Essential software
    3.1. System and development tools

Linux Distribution OS

CentOS 7

Essential security settings

Keep the server system up to date

Install security updates automatically

  • CentOS: use yum-cron for automatic updates
  • Fedora: use dnf-automatic
  • Debian and Ubuntu: use unattended-upgrades

Add a user account with restricted access

  • Create the user (devop is used as the example user name; replace it with the name you want)
```bash
useradd devop && passwd devop
```
  • Add the user to the wheel group
```bash
usermod -aG wheel devop
```

SSH daemon configuration

Deny root login over SSH

Edit the configuration file /etc/ssh/sshd_config:

```bash
# Authentication:
...
PermitRootLogin no
```
```bash
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
```

Then restart the sshd service:

```bash
sudo systemctl restart sshd
```
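Applying these two settings by hand is easy to get subtly wrong: sshd uses the first value it finds for a directive, and anything written after a `Match` line applies only to that block, so appending to the end of the file can silently do nothing. The helper below, an added example and not part of the original post, rewrites a config text so that the first global occurrence of each directive is the hardened one, drops later active duplicates, and inserts missing directives before any `Match` block; the sample config is constructed.

```python
import re
# The two directives this section sets in /etc/ssh/sshd_config.
HARDENED = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}
# "Key value" or a commented-out default "#Key value"; the "Key=value" form is not handled.
_DIRECTIVE = re.compile(r"^\s*(#\s*)?([A-Za-z]+)\s+(\S.*?)\s*$")

def _parse(line):
    """(commented, key_lowercase, value) for a directive line, else None."""
    m = _DIRECTIVE.match(line)
    return (bool(m.group(1)), m.group(2).lower(), m.group(3)) if m else None

def _opens_match(p):  # an active Match line: every directive after it is conditional
    return p is not None and not p[0] and p[1] == "match"

def effective_setting(text, key):
    """Value sshd would use: the first active occurrence before any Match block, else None."""
    for p in map(_parse, text.splitlines()):
        if _opens_match(p):
            break
        if p and not p[0] and p[1] == key.lower():
            return p[2]
    return None

def harden_sshd_config(text, settings=HARDENED):
    """Rewrite text so the first global occurrence of each directive carries the hardened value."""
    out, done, in_match = [], set(), False
    for line in text.splitlines():
        p = _parse(line)
        in_match = in_match or _opens_match(p)
        key = None if (p is None or in_match) else next((k for k in settings if k.lower() == p[1]), None)
        if key is None:
            out.append(line)
        elif key not in done:  # first occurrence, active or commented default, becomes the hardened line
            done.add(key)
            out.append(f"{key} {settings[key]}")
        elif p[0]:
            out.append(line)   # a later commented copy is harmless; a later active duplicate is dropped
    missing = [f"{k} {v}" for k, v in settings.items() if k not in done]
    if missing:  # insert before the first Match block so the directives stay global
        idx = next((i for i, l in enumerate(out) if _opens_match(_parse(l))), len(out))
        out[idx:idx] = missing
    return "\n".join(out) + "\n"

# Constructed sample config, not a real server's file.
SAMPLE_CONFIG = """# Authentication:
#PermitRootLogin yes
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
"""
```

On a real host, confirm the result with `sudo sshd -T | grep -i -e permitrootlogin -e passwordauthentication` before restarting sshd, and make sure your own key-based login for the devop user already works so you are not locked out.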

Set up fail2ban

```bash
yum install fail2ban
```

Start the service:

```bash
systemctl start fail2ban
systemctl enable fail2ban
```

Configure the service (edit the .local copies, so that package updates do not overwrite your changes):

```bash
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

On CentOS or Fedora, set the following in jail.local:

```ini
backend = systemd
```

and make sure the sshd jail is enabled (uncomment or add these lines):

```ini
[sshd]
enabled = true
```
More fail2ban configuration: A Tutorial for Using Fail2ban to Secure Your Server

More server security configuration: Linode server security guide

Essential software

System and development tools

  • EPEL
```bash
sudo yum install epel-release
```
  • Python 3 and virtualenv
```bash
sudo yum install python34 python-pip
```

Then upgrade pip and install virtualenv:

```bash
sudo pip install -U pip
sudo pip install -U virtualenv
```

Building and installing Python 3.6 from source on CentOS 7:

```bash
sudo yum install gcc
sudo yum install zlib-devel
sudo yum --enablerepo=base --enablerepo=updates install openssl-devel
```
```bash
cd /usr/src
wget https://www.python.org/ftp/python/3.6.2/Python-3.6.2.tgz
tar xzf Python-3.6.2.tgz
cd Python-3.6.2
./configure --enable-optimizations
make altinstall
```
```bash
cd ..
rm Python-3.6.2.tgz
```
  • MySQL

First update yum:

```bash
sudo yum update
```

Then download and install the MySQL Community repository package:

```bash
wget http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm
sudo rpm -ivh mysql-community-release-el7-5.noarch.rpm
yum update
```

Then install MySQL and start the service:

```bash
sudo yum install mysql-server
sudo systemctl start mysqld
```

Then run the MySQL security script:

```bash
sudo mysql_secure_installation
```

More MySQL configuration

  • Redis

Add the EPEL repository and update yum:

```bash
sudo yum install epel-release
sudo yum update
```

Install Redis:

```bash
sudo yum install redis
```

Start it and enable it at boot:

```bash
sudo systemctl start redis
sudo systemctl enable redis
```

More Redis configuration

  • Nginx
    First set up EPEL and update yum:
```bash
sudo yum install epel-release
yum update
```

Next install Nginx:

```bash
yum install nginx
```

Enable and start Nginx:

```bash
systemctl enable nginx.service
systemctl start nginx.service
```
  • Open the http/https service ports in the CentOS firewall
```bash
$ sudo firewall-cmd --add-service=http --permanent
$ sudo firewall-cmd --add-service=https --permanent

$ sudo firewall-cmd --reload
```

Check the firewall's current configuration (zone, services and ports):

```bash
$ sudo firewall-cmd --list-all
```
  • docker

    • Set up the yum repository
```bash
    $ sudo yum install -y yum-utils

    $ sudo yum-config-manager \
        --add-repo \
        https://download.docker.com/linux/centos/docker-ce.repo
```
    • Install docker
```bash
    $ sudo yum install docker
```
    • Run docker as a Linux service
```bash
    $ sudo systemctl start docker
    $ sudo systemctl enable docker
```

    If no error is reported, the installation has succeeded; to be sure, check the service status with the following command.

```bash
    $ sudo systemctl status docker
```
    • Run a hello-world container
```bash
    $ sudo docker run hello-world
```

    When the container runs successfully it prints the following:

```text
    Hello from Docker!
    This message shows that your installation appears to be working correctly.

    To generate this message, Docker took the following steps:
    1. The Docker client contacted the Docker daemon.
    2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
    (amd64)
    3. The Docker daemon created a new container from that image which runs the
    executable that produces the output you are currently reading.
    4. The Docker daemon streamed that output to the Docker client, which sent it
    to your terminal.

    To try something more ambitious, you can run an Ubuntu container with:
    $ docker run -it ubuntu bash

    Share images, automate workflows, and more with a free Docker ID:
    https://hub.docker.com/

    For more examples and ideas, visit:
    https://docs.docker.com/get-started/
```
  • Git server
    Configuration links:
    Configuring automatic Git deployment with Git hooks
    How To Set Up Automatic Deployment with Git with a VPS

  • jenkins

    • Install with Docker
      Use the jenkins/jenkins image; note that this is not the Docker official image (the official image is old and has not been updated for a long time)
    • Pull the image
```bash
    sudo docker pull jenkins/jenkins
```
    • Create the host volume directory that Jenkins will mount, and grant the container's user (uid = 1000) access to it
```bash
    mkdir /path/to/jenkins/home
```
    • Create and start the jenkins container
```bash
    sudo docker run -p 8080:8080 -p 50000:50000 -v /path/to/jenkins/home:/var/jenkins_home --name=jenkins jenkins/jenkins:lts
```
    • Finish the Jenkins setup in a browser at http://<host_ip>:8080 or http://<jenkins_domain> (the latter needs a reverse proxy whose upstream is the Jenkins service on port 8080)
  • Redis docker container

```bash
    sudo docker pull redis
```
    • Create the persistent files on the host

```bash
    mkdir /path/to/redis/home
    touch /path/to/redis/home/redis.conf
```

    • Create and start the redis container
```bash
    docker run -p 6379:6379 -v /path/to/redis/home/:/usr/local/etc/redis/ --name redis-latest redis redis-server /usr/local/etc/redis/redis.conf
```
  • Ansible
    An Introduction to Ansible: Installing Jenkins on your server
    Deployment with Ansible, Docker, Jenkins and Git
    Automated Servers and Deployments with Ansible & Jenkins

  • ApacheBench (ab)

```bash
sudo yum install httpd-tools
```

Usage:

```bash
ab -c <concurrency> -n <requests> URL
# the concurrency level (-c) may not exceed the total number of requests (-n)
ab -c 100 -n 10000 http://localhost/
```