CentOS 7.x firewall management

0. Enable firewalld at boot

systemctl enable firewalld.service

1. Check the firewalld service status

systemctl status firewalld

2. Check the firewall state

firewall-cmd --state

3. Start, restart and stop the firewalld.service service
# start

service firewalld start

# restart

service firewalld restart

# stop

service firewalld stop

4. List the firewall rules

firewall-cmd --list-all

5. Query, open and close ports
# check whether a port is open

firewall-cmd --query-port=8080/tcp

# open port 80

firewall-cmd --permanent --add-port=80/tcp

# remove a port

firewall-cmd --permanent --remove-port=8080/tcp

# reload the firewall (required after changing the configuration: rules added with --permanent are written to disk and only take effect after a reload)

firewall-cmd --reload
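As an added example (not part of the original notes), the following Python parses the output of firewall-cmd --list-all shown above and checks the active zone against an allow-list of expected ports and services; the sample output is constructed to match the CentOS 7 format, and the allow-list is an assumption for this host. Note that --list-all shows the runtime configuration, so --permanent rules appear there only after --reload.

```python
# Added example, not code from the original notes: audit the active zone
# reported by "firewall-cmd --list-all" against an expected allow-list.
# SAMPLE_LIST_ALL is constructed to mirror the CentOS 7 output format.
SAMPLE_LIST_ALL = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 80/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""


def parse_list_all(text):
    """Return (zone_name, {field: [tokens]}) from --list-all output."""
    lines = [line for line in text.splitlines() if line.strip()]
    zone = lines[0].split()[0]               # "public (active)" -> "public"
    fields = {}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        fields[key] = value.split()          # empty field -> []
    return zone, fields


def port_is_open(fields, port, proto="tcp"):
    """Same question as firewall-cmd --query-port=<port>/<proto>, on parsed output."""
    return f"{port}/{proto}" in fields.get("ports", [])


def unexpected_exposure(fields, allowed):
    """Ports and services open in the zone that are not on the allow-list."""
    exposed = set(fields.get("ports", [])) | set(fields.get("services", []))
    return sorted(exposed - set(allowed))


if __name__ == "__main__":
    zone, fields = parse_list_all(SAMPLE_LIST_ALL)
    # allow-list assumed for this host: SSH plus the web port opened above
    print(zone, unexpected_exposure(fields, ["ssh", "80/tcp"]))
```

On a live host, replace the sample with sys.stdin.read() and pipe firewall-cmd --list-all into the script.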

 

CentOS: create a user and give it root privileges

Create a user

useradd webadmin

Set the user's password

passwd webadmin
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

View the user's details

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
webadmin:x:1000:1000::/home/webadmin:/bin/bash

Meaning of each field in a user entry
root:x:0:0:root:/root:/bin/bash
username:password:Uid:Gid:description:homepath:loginmethod (login shell)

Edit the user entry

vi /etc/passwd

Change webadmin:x:1000:1000::/home/webadmin:/bin/bash to webadmin:x:0:0::/home/webadmin:/bin/bash

The user has now been changed from an ordinary user to one with root privileges (it shares UID 0 with root)

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
...
webadmin:x:0:0::/home/webadmin:/bin/bash
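An added detection example (not from the original notes): parse /etc/passwd using the field layout described above and list every account that shares UID 0 with root, which is exactly what the webadmin edit produces, plus any other UID used by more than one account. The sample file content is constructed.

```python
# Added example, not code from the original notes: parse /etc/passwd using
# the field layout described above and flag accounts that share UID 0.
# SAMPLE_PASSWD is constructed; the webadmin line matches the edit above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
webadmin:x:0:0::/home/webadmin:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
"""

FIELDS = ("username", "password", "uid", "gid", "description", "homepath", "loginmethod")


def parse_passwd(text):
    """Return one dict per entry; uid and gid are converted to int."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def uid0_accounts(entries):
    """Usernames other than root that have UID 0 (expected result: none)."""
    return [e["username"] for e in entries if e["uid"] == 0 and e["username"] != "root"]


def shared_uids(entries):
    """Map each UID used by more than one account to those account names."""
    by_uid = {}
    for e in entries:
        by_uid.setdefault(e["uid"], []).append(e["username"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("extra UID-0 accounts:", uid0_accounts(entries))
    print("shared UIDs:", shared_uids(entries))
```

On a real host, read the text from /etc/passwd instead of the sample; an empty result from both functions is the expected state.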

CentOS release 6.8 (Final): installing Zabbix 3.2.6

1. Check for and remove related software already on the system, to avoid conflicts

[root@localhost ~]# yum remove -y mysql* httpd* php* nginx* zabbix*

2. Install the extra yum repository

[root@localhost ~]# rpm -ivh http://repo.webtatic.com/yum/el6/latest.rpm

3. Install the packages PHP needs

[root@localhost ~]# yum -y install httpd php56w php56w-gd php56w-mysql php56w-bcmath php56w-mbstring php56w-xml php56w-ldap wget ntpdate net-snmp*
[root@localhost ~]# yum install -y gcc mysql-community-devel libxml2-devel unixODBC-devel net-snmp-devel libcurl-devel libssh2-devel OpenIPMI-devel openssl-devel openldap-devel

4. Install MySQL and start it

[root@localhost ~]# yum -y install mysql-server mysql mysql-devel
[root@localhost ~]# /etc/init.d/mysqld start

5. Create the zabbix database and account

[root@localhost ~]# mysql -u root
mysql> CREATE DATABASE zabbix CHARACTER SET utf8 COLLATE utf8_bin;
mysql> GRANT ALL PRIVILEGES ON zabbix.* TO zabbix@localhost IDENTIFIED BY 'zabbix';
mysql> quit
Bye

6. Create the zabbix group and user

[root@localhost ~]# groupadd zabbix
[root@localhost ~]# useradd -g zabbix zabbix

7. Download the zabbix 3.2.x source package
Download page: https://www.zabbix.com/download

[root@localhost ~]# wget https://nchc.dl.sourceforge.net/project/zabbix/ZABBIX%20Latest%20Stable/3.2.6/zabbix-3.2.6.tar.gz

8. Import the zabbix schema and data into the database

[root@localhost ~]# tar zxvf zabbix-3.2.6.tar.gz
[root@localhost ~]# cd zabbix-3.2.6/database/mysql/
[root@localhost mysql]# mysql -u zabbix -p zabbix < schema.sql
Enter password: (zabbix)
[root@localhost mysql]# mysql -u zabbix -p zabbix < images.sql
Enter password: (zabbix)
[root@localhost mysql]# mysql -u zabbix -p zabbix < data.sql
Enter password: (zabbix)

9. Compile and install zabbix

[root@localhost ~]# cd /root/zabbix-3.2.6/
[root@localhost zabbix-3.2.6]# ./configure --enable-server --with-mysql --enable-ipv6 --with-net-snmp --with-libcurl --with-libxml2 --with-unixodbc --with-ssh2 --with-openipmi --with-openssl
[root@localhost zabbix-3.2.6]# make install

9.1 If you see "WARNING: 'automake-1.14' is missing on your system."
automake is either missing or not at the required version; run the following

[root@localhost ~]# wget http://ftp.gnu.org/gnu/automake/automake-1.14.1.tar.gz
[root@localhost ~]# tar -xvf automake-1.14.1.tar.gz
[root@localhost ~]# cd automake-1.14.1
[root@localhost automake-1.14.1]# ./configure
[root@localhost automake-1.14.1]# make
[root@localhost automake-1.14.1]# make install

10. Edit the server configuration file

[root@localhost ~]# vim /usr/local/etc/zabbix_server.conf
DBName=zabbix
DBUser=zabbix
DBPassword=zabbix

11. Create the zabbix web frontend directory

[root@localhost ~]# mkdir /var/www/html/zabbix
[root@localhost ~]# cd /root/zabbix-3.2.6/frontends/php/
[root@localhost php]# cp -a . /var/www/html/zabbix/

12. Security settings

12.1 Create an SELinux rule allowing the web server to access the frontend files

[root@localhost ~]# chcon -Rv --type=httpd_sys_content_t /var/www/html

12.2 Allow Apache and Zabbix to make outbound network connections

[root@localhost ~]# setsebool -P httpd_can_network_connect=1
[root@localhost ~]# setsebool -P zabbix_can_network=1

12.3 Make the apache user the owner of the web interface files

[root@localhost ~]# chown -R apache:apache /var/www/html/zabbix

12.4 Add permissions for the zabbix web interface and install the init script

[root@localhost ~]# chmod +x /var/www/html/zabbix/conf/
[root@localhost ~]# cp /root/zabbix-3.2.6/misc/init.d/fedora/core/zabbix_server /etc/init.d/zabbix_server
[root@localhost ~]# chkconfig --add /etc/init.d/zabbix_server

12.5 Enable the zabbix server, apache and mysql services at boot

[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# chkconfig mysqld on
[root@localhost ~]# chkconfig zabbix_server on

13. Start httpd and zabbix_server

[root@localhost ~]# /etc/init.d/httpd start
[root@localhost ~]# service zabbix_server start

14. Tune PHP

[root@localhost ~]# vim /etc/php.ini
post_max_size=16M
max_execution_time=300
max_input_time=300
date.timezone=Asia/Shanghai
always_populate_raw_post_data=-1

14.1 Restart httpd after the changes

[root@localhost ~]# /etc/init.d/httpd restart

15. Configure the firewall

/etc/sysconfig/iptables is in iptables-save format (rule arguments without the iptables command), so add the two rules there before the final REJECT line and restart the service:

[root@localhost ~]# vim /etc/sysconfig/iptables
-A INPUT -p tcp --dport 10050 -j ACCEPT
-A INPUT -p tcp --dport 10051 -j ACCEPT
[root@localhost ~]# service iptables restart

16. Open the zabbix web interface
http://zabbix_server_IP/zabbix/

17. Configure zabbix

17.1 Check prerequisites
After entering the Zabbix web interface, the following configuration steps follow

Check of pre-requisites
Item	Current value	Required	Status
PHP version	5.6.40	5.4.0	OK
PHP option "memory_limit"	128M	128M	OK
PHP option "post_max_size"	16M	16M	OK
PHP option "upload_max_filesize"	2M	2M	OK
PHP option "max_execution_time"	300	300	OK
PHP option "max_input_time"	300	300	OK
PHP option "date.timezone"	Asia/Shanghai		OK
PHP databases support	MySQL		OK
PHP bcmath	on		OK
PHP mbstring	on		OK
PHP option "mbstring.func_overload"	off	off	OK
PHP option "always_populate_raw_post_data"	off	off	OK
PHP sockets	on		OK
PHP gd	2.1.0	2.0	OK
PHP gd PNG support	on		OK
PHP gd JPEG support	on		OK
PHP gd FreeType support	on		OK
PHP libxml	2.7.6	2.6.15	OK
PHP xmlwriter	on		OK
PHP xmlreader	on		OK
PHP ctype	on		OK
PHP session	on		OK
PHP option "session.auto_start"	off	off	OK
PHP gettext	on		OK
PHP option "arg_separator.output"	&	&	OK

17.2 Database connection

Configure DB connection
Please create database manually, and set the configuration parameters for connection to this database. Press "Next step" button when done.

Database type MySQL

Database host localhost
Database port 0 (0 - use default port)
Database name zabbix
User zabbix
Password ••••••

17.3 Server details

Zabbix server details
Please enter the host name or host IP address and port number of the Zabbix server, as well as the name of the installation (optional).

Host localhost
Port 10051
Name Zabbix3.2

17.4 Configuration summary

Pre-installation summary
Please check configuration parameters. If all is correct, press "Next step" button, or "Back" button to change configuration parameters.

Database type	MySQL
Database server	localhost
Database port	default
Database name	zabbix
Database user	zabbix
Database password	******

Zabbix server	localhost
Zabbix server port	10051
Zabbix server name	zabbix3.2

17.5 Finish

Congratulations! You have successfully installed Zabbix frontend.
Configuration file "/var/www/html/zabbix/conf/zabbix.conf.php" created.

18. Log in to the zabbix web interface

Username: Admin
Password: zabbix

18.1 If you forget the password, reset it as follows
18.1.1 Query the user record in the zabbix database

[root@localhost ~]# mysql -uroot -p -e "select * from zabbix.users\G"
Enter password: 
*************************** 1. row ***************************
        userid: 1
         alias: Admin
          name: Zabbix
       surname: Administrator
        passwd: 5fce1b3e34b520afeffb37ce08c7cd66
           url: 
     autologin: 1
    autologout: 0
          lang: en_GB
       refresh: 30
          type: 3
         theme: default
attempt_failed: 0
    attempt_ip: 139.226.86.62
 attempt_clock: 1553099872
 rows_per_page: 50

18.1.2 Update the user record in the zabbix database

[root@localhost ~]# mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 82
Server version: 5.6.43 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use zabbix;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> update users set passwd='5fce1b3e34b520afeffb37ce08c7cd66' where userid='1';
Query OK, 0 rows affected (0.00 sec)
Rows matched: 1  Changed: 0  Warnings: 0

mysql> quit
Bye

Done; you can now log in to the zabbix web interface with username Admin and password zabbix.

18.2 Change the default password immediately after logging in: top right → user avatar → User → Password → Change password.
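An added example (not from the original notes) for the check behind 18.1 and 18.2: it parses the vertical (\G) output of "select * from zabbix.users\G" shown above and reports accounts whose passwd column still equals the MD5 of their shipped default password, the same hash that the reset above writes back. The sample output is constructed, and the assumed defaults are "zabbix" for Admin and an empty password for guest.

```python
# Added example, not code from the original notes: parse mysql's \G output
# of the zabbix.users table and detect accounts still on their default
# password. Zabbix 3.x stores an unsalted MD5 hex digest in users.passwd.
# SAMPLE_OUTPUT is constructed; the default passwords are assumptions.
import hashlib

SAMPLE_OUTPUT = """\
*************************** 1. row ***************************
        userid: 1
         alias: Admin
          name: Zabbix
        passwd: 5fce1b3e34b520afeffb37ce08c7cd66
     autologin: 1
*************************** 2. row ***************************
        userid: 2
         alias: guest
        passwd: d41d8cd98f00b204e9800998ecf8427e
     autologin: 0
"""

DEFAULT_PASSWORDS = {"Admin": "zabbix", "guest": ""}   # assumed defaults


def parse_vertical_rows(text):
    """Split mysql \\G output into a list of {column: value} dicts."""
    rows, current = [], None
    for line in text.splitlines():
        if line.startswith("***"):          # "*** N. row ***" starts a record
            current = {}
            rows.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return rows


def zabbix_password_hash(password):
    """Hash format used by the users.passwd column in Zabbix 3.x."""
    return hashlib.md5(password.encode()).hexdigest()


def accounts_with_default_password(rows, defaults=DEFAULT_PASSWORDS):
    """Aliases whose stored hash matches their shipped default password."""
    hits = []
    for row in rows:
        default = defaults.get(row.get("alias"))
        if default is not None and row.get("passwd") == zabbix_password_hash(default):
            hits.append(row["alias"])
    return hits
```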

19. Security settings
Rename the setup.php file under /var/www/html/zabbix (keep it for later use); otherwise anyone can open that file at any time and reconfigure Zabbix.

20. Install the zabbix_agent client

[root@localhost ~]# yum -y install http://repo.zabbix.com/zabbix/3.2/rhel/6/x86_64/zabbix-release-3.2-1.el6.noarch.rpm
[root@localhost ~]# yum install zabbix-agent -y

21. Configure the zabbix_agent client

[root@localhost ~]# vim /etc/zabbix/zabbix_agentd.conf
PidFile=/var/run/zabbix/zabbix_agentd.pid
LogFile=/var/log/zabbix/zabbix_agentd.log
LogFileSize=0
Server=127.0.0.1
ServerActive=127.0.0.1
Hostname=Zabbix server

Server and ServerActive are set to the Zabbix server's IP (127.0.0.1 here, because this agent runs on the server host itself).

22. Add monitored hosts
The host on which zabbix was installed is already added for monitoring by default: under zabbix → Configuration → Hosts you will find "Zabbix server"; its default status is "Disabled" and it has to be enabled manually.

The HTTPS era: using Certbot (Let's Encrypt)

Installing certbot (letsencrypt) for nginx on CentOS

[root@hexingxing ~]#  yum install epel-release //add the EPEL repository
[root@hexingxing ~]#  yum install -y git //install git
[root@hexingxing ~]#  git clone https://github.com/certbot/certbot //download certbot with git
Initialized empty Git repository in /certbot/.git/
remote: Counting objects: 51598, done.
remote: Compressing objects: 100% (133/133), done.
remote: Total 51598 (delta 101), reused 99 (delta 48), pack-reused 51415
Receiving objects: 100% (51598/51598), 16.12 MiB | 2.64 MiB/s, done.
Resolving deltas: 100% (36980/36980), done.
[root@hexingxing ~]#  cd certbot //switch to the certbot directory
[root@hexingxing certbot]# ./certbot-auto //run it in automatic TUI mode to generate the certificate

Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
Loaded plugins: fastestmirror, refresh-packagekit, security
…

If the message "Could not install OS dependencies. Aborting bootstrap!" appears, follow the detailed instructions it prints.
If a "Transaction check error:" message appears, a library is at the wrong (old or new) version; remove that version, e.g. "krb5-libs-1.10.3-57.el6.x86_64", with the following command:

[root@hexingxing certbot]# rpm -e krb5-libs-1.10.3-57.el6.x86_64

Then run ./certbot-auto again; the steps that follow prompt for an email address:

[root@hexingxing certbot]# ./certbot-auto
Creating virtual environment...
Installing Python packages...
Installation succeeded.
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: 
Python 2.6 is no longer supported by the Python core team, please upgrade your Python. 
A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): //enter the email address you normally use

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a //accept the terms of service; a is required

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n //whether you are willing to share your email address; your choice

How would you like to authenticate and install certificates?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Nginx Web Server plugin - Alpha (nginx)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 //choose the apache or nginx plugin
Plugins selected: Authenticator nginx, Installer nginx
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): //case 1: no domain configuration was detected; enter the domain manually

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: test.hexingxing.cn //case 2: if an SSL .conf is already configured, the domains configured on the server are listed here (from /etc/nginx/conf.d/)
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 //select the domain(s) to create a certificate for
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for test.hexingxing.cn
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/conf.d/test.hexingxing.conf for set(['test.hexingxing.cn'])

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 //whether to redirect to HTTPS right away
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/test.hexingxing.conf

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://test.hexingxing.cn

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=test.hexingxing.cn //open this link to test the quality of your HTTPS setup
-------------------------------------------------------------------------------

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
// (many lines omitted here about where the certificate and key files are stored and when they expire)

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Automatic renewal after 90 days:
Set up a scheduled renewal task.
First test a simulated renewal manually with the following command

[root@hexingxing ~]# {absolute or relative path to certbot}/certbot-auto renew --dry-run

Output like the following means the command is configured correctly

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

Use crontab -e to add a scheduled task that renews the certificate automatically

[root@hexingxing ~]# crontab -e
0 3 1 * * {absolute or relative path to certbot}/certbot-auto renew >> /var/log/le-renew.log

Schedule: the renew task runs at 03:00 on the 1st of every month.
Run the following command and check that the log output looks normal; outside the renewal window it normally prints "No renewals were attempted."

[root@hexingxing ~]# {absolute or relative path to certbot}/certbot-auto renew >> /var/log/le-renew.log

To force a renewal, use the following command; its output reports that the certificate has been renewed.

[root@hexingxing ~]# {absolute or relative path to certbot}/certbot-auto renew --force-renew

nginx HTTPS certificate configuration

HTTP 301 redirect to HTTPS