r1.1 2020/07/23
CentOS7 minimal install 後に実施している共通設定、パッケージインストールのメモです。
CentOS7 の インストール
minimal にてインストール
CentOS7 のインストール後の基本設定
sudo の設定
su -
visudo
/*
User_Alias ADMINS = amanatsu
ADMINS ALL=(ALL) ALL
Defaults syslog=authpriv,logfile=/var/log/sudo.log
*/
selinux の無効化
vi /etc/selinux/config
/*
# SELINUX=enforcing
SELINUX=disabled
*/
IPv6 の無効化
vi /etc/sysctl.d/disable_ipv6.conf
/*
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
*/
ホスト名の設定
vi /etc/hostname
/*
server.example.com
*/
vi /etc/hosts
/*
# ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.71 server server.example.co.jp.
*/
参照する DNS の指定
vi /etc/resolv.conf
/*
domain example.co.jp.
search example.co.jp.
nameserver 192.168.0.1
*/
パッケージのインストール
epel パッケージのインストール
yum install -y epel-release
基本パッケージのインストール
サーバ運用に必要なソフトウェアを追加します。
※私のお勧めパッケージです。
vi /root/install_package.sh
/*
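#!/bin/sh
# Baseline package set for a fresh CentOS 7 minimal install.
# Run as root after "yum install -y epel-release":
#   sh -x /root/install_package.sh
# Every package is installed in its own yum transaction, as in the
# one-line-per-package version, so one unavailable package does not block
# the rest. Failed steps are collected and reported at the end, and the
# script exits non-zero if anything failed instead of returning only the
# status of the final "yum update".

# Packages from the base/updates repositories, one per line.
base_packages='
tcsh
telnet
openssh-clients
bind-utils
openldap-clients
traceroute
tcpdump
perl
expect
ntp
ntpdate
zip
unzip
bzip2
curl
wget
git
rsync
sysstat
logwatch
lsof
audit
aide
net-snmp
net-snmp-utils
net-tools
iptables
logrotate
man
man-pages
mailx
psacct
kernel-devel
gcc
make
patch
'

# Packages that only exist in EPEL (epel-release must already be installed).
epel_packages='
swatch
fail2ban
'

# Space-separated names of the steps that returned non-zero.
failed=''

# install_one PKG [YUM_OPTS...]
# Installs PKG in a single yum transaction; records PKG in $failed on error.
install_one() {
  name=$1
  shift
  if ! yum install -y "$@" "$name"; then
    failed="$failed $name"
  fi
}

# Package names contain no whitespace, so plain word splitting is safe here.
for pkg in $base_packages; do
  install_one "$pkg"
done

for pkg in $epel_packages; do
  install_one "$pkg" --enablerepo=epel
done

# Swap anacron for plain cron: install the replacement first, then remove
# the default, so cron is never absent in between.
install_one cronie-noanacron
yum remove -y cronie-anacron || failed="$failed remove:cronie-anacron"

yum update -y || failed="$failed update"

if [ -n "$failed" ]; then
  printf 'install_package.sh: failed steps:%s\n' "$failed" >&2
  exit 1
fi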
*/
sh -x /root/install_package.sh
ホストの再起動
shutdown -r now
再起動後の確認
IPv6 の無効化の確認
ip address
→ IPv6 のアドレスが表示されていないこと
/*
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:20:c7:cf brd ff:ff:ff:ff:ff:ff
inet 192.168.11.101/24 brd 192.168.11.255 scope global noprefixroute enp0s3
valid_lft forever preferred_lft forever
*/
selinux 無効化の確認
getenforce
→ Disabled と表示されること
サービスプロセスの自動起動
systemctl list-units --type=service --no-pager
/*
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
firewalld.service loaded active running firewalld - dynamic firewall
getty@tty1.service loaded active running Getty on tty1
kmod-static-nodes.service loaded active exited Create list of required stati
lvm2-lvmetad.service loaded active running LVM2 metadata daemon
lvm2-monitor.service loaded active exited Monitoring of LVM2 mirrors, s
lvm2-pvscan@8:2.service loaded active exited LVM2 PV scan on device 8:2
network.service loaded active exited LSB: Bring up/down networking
NetworkManager-wait-online.service loaded active exited Network Manager Wait Online
NetworkManager.service loaded active running Network Manager
polkit.service loaded active running Authorization Manager
postfix.service loaded active running Postfix Mail Transport Agent
rhel-dmesg.service loaded active exited Dump dmesg to /var/log/dmesg
rhel-domainname.service loaded active exited Read and set NIS domainname f
rhel-import-state.service loaded active exited Import network configuration
rhel-readonly.service loaded active exited Configure read-only root supp
rsyslog.service loaded active running System Logging Service
sshd.service loaded active running OpenSSH server daemon
sysstat.service loaded active exited Resets System Activity Logs
systemd-journal-flush.service loaded active exited Flush Journal to Persistent S
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-random-seed.service loaded active exited Load/Save Random Seed
systemd-remount-fs.service loaded active exited Remount Root and Kernel File
systemd-sysctl.service loaded active exited Apply Kernel Variables
systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in
systemd-tmpfiles-setup.service loaded active exited Create Volatile Files and Dir
systemd-udev-trigger.service loaded active exited udev Coldplug all Devices
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-update-utmp.service loaded active exited Update UTMP about System Boot
systemd-user-sessions.service loaded active exited Permit User Sessions
systemd-vconsole-setup.service loaded active exited Setup Virtual Console
tuned.service loaded active running Dynamic System Tuning Daemon
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
35 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
*/
systemctl list-unit-files --no-pager
/*
UNIT FILE STATE
proc-sys-fs-binfmt_misc.automount static
dev-hugepages.mount static
dev-mqueue.mount static
proc-sys-fs-binfmt_misc.mount static
sys-fs-fuse-connections.mount static
sys-kernel-config.mount static
sys-kernel-debug.mount static
tmp.mount disabled
brandbot.path disabled
systemd-ask-password-console.path static
systemd-ask-password-plymouth.path static
systemd-ask-password-wall.path static
session-1.scope static
arp-ethers.service disabled
auditd.service enabled
autovt@.service enabled
blk-availability.service disabled
brandbot.service static
console-getty.service disabled
console-shell.service disabled
container-getty@.service static
cpupower.service disabled
crond.service enabled
dbus-org.fedoraproject.FirewallD1.service enabled
dbus-org.freedesktop.hostname1.service static
dbus-org.freedesktop.import1.service static
dbus-org.freedesktop.locale1.service static
dbus-org.freedesktop.login1.service static
dbus-org.freedesktop.machine1.service static
dbus-org.freedesktop.NetworkManager.service enabled
dbus-org.freedesktop.nm-dispatcher.service enabled
dbus-org.freedesktop.timedate1.service static
dbus.service static
debug-shell.service disabled
dm-event.service static
dracut-cmdline.service static
dracut-initqueue.service static
dracut-mount.service static
dracut-pre-mount.service static
dracut-pre-pivot.service static
dracut-pre-trigger.service static
dracut-pre-udev.service static
dracut-shutdown.service static
ebtables.service disabled
emergency.service static
fail2ban.service disabled
firewalld.service enabled
fstrim.service static
getty@.service enabled
halt-local.service static
initrd-cleanup.service static
initrd-parse-etc.service static
initrd-switch-root.service static
initrd-udevadm-cleanup-db.service static
iprdump.service disabled
iprinit.service disabled
iprupdate.service disabled
irqbalance.service enabled
kdump.service disabled
kmod-static-nodes.service static
lvm2-lvmetad.service static
lvm2-lvmpolld.service static
lvm2-monitor.service enabled
lvm2-pvscan@.service static
messagebus.service static
microcode.service enabled
NetworkManager-dispatcher.service enabled
NetworkManager-wait-online.service enabled
NetworkManager.service enabled
ntpd.service disabled
ntpdate.service disabled
plymouth-halt.service disabled
plymouth-kexec.service disabled
plymouth-poweroff.service disabled
plymouth-quit-wait.service disabled
plymouth-quit.service disabled
plymouth-read-write.service disabled
plymouth-reboot.service disabled
plymouth-start.service disabled
plymouth-switch-root.service static
polkit.service static
postfix.service enabled
psacct.service disabled
qemu-guest-agent.service enabled
quotaon.service static
rc-local.service static
rdisc.service disabled
rescue.service static
rhel-autorelabel-mark.service disabled
rhel-autorelabel.service enabled
rhel-configure.service enabled
rhel-dmesg.service enabled
rhel-domainname.service enabled
rhel-import-state.service enabled
rhel-loadmodules.service enabled
rhel-readonly.service enabled
rsyncd.service disabled
rsyncd@.service static
rsyslog.service enabled
selinux-policy-migrate-local-changes@.service static
serial-getty@.service disabled
snmpd.service disabled
snmptrapd.service disabled
sshd-keygen.service static
sshd.service enabled
sshd@.service static
sysstat.service enabled
systemd-ask-password-console.service static
systemd-ask-password-plymouth.service static
systemd-ask-password-wall.service static
systemd-backlight@.service static
systemd-binfmt.service static
systemd-bootchart.service disabled
systemd-firstboot.service static
systemd-fsck-root.service static
systemd-fsck@.service static
systemd-halt.service static
systemd-hibernate-resume@.service static
systemd-hibernate.service static
systemd-hostnamed.service static
systemd-hwdb-update.service static
systemd-hybrid-sleep.service static
systemd-importd.service static
systemd-initctl.service static
systemd-journal-catalog-update.service static
systemd-journal-flush.service static
systemd-journald.service static
systemd-kexec.service static
systemd-localed.service static
systemd-logind.service static
systemd-machine-id-commit.service static
systemd-machined.service static
systemd-modules-load.service static
systemd-nspawn@.service disabled
systemd-poweroff.service static
systemd-quotacheck.service static
systemd-random-seed.service static
systemd-readahead-collect.service enabled
systemd-readahead-done.service indirect
systemd-readahead-drop.service enabled
systemd-readahead-replay.service enabled
systemd-reboot.service static
systemd-remount-fs.service static
systemd-rfkill@.service static
systemd-shutdownd.service static
systemd-suspend.service static
systemd-sysctl.service static
systemd-timedated.service static
systemd-tmpfiles-clean.service static
systemd-tmpfiles-setup-dev.service static
systemd-tmpfiles-setup.service static
systemd-udev-settle.service static
systemd-udev-trigger.service static
systemd-udevd.service static
systemd-update-done.service static
systemd-update-utmp-runlevel.service static
systemd-update-utmp.service static
systemd-user-sessions.service static
systemd-vconsole-setup.service static
teamd@.service static
tuned.service enabled
wpa_supplicant.service disabled
-.slice static
machine.slice static
system.slice static
user-0.slice static
user.slice static
dbus.socket static
dm-event.socket enabled
lvm2-lvmetad.socket enabled
lvm2-lvmpolld.socket enabled
rsyncd.socket disabled
sshd.socket disabled
syslog.socket static
systemd-initctl.socket static
systemd-journald.socket static
systemd-shutdownd.socket static
systemd-udevd-control.socket static
systemd-udevd-kernel.socket static
basic.target static
bluetooth.target static
cryptsetup-pre.target static
cryptsetup.target static
ctrl-alt-del.target disabled
default.target enabled
emergency.target static
final.target static
getty-pre.target static
getty.target static
graphical.target static
halt.target disabled
hibernate.target static
hybrid-sleep.target static
initrd-fs.target static
initrd-root-fs.target static
initrd-switch-root.target static
initrd.target static
iprutils.target disabled
kexec.target disabled
local-fs-pre.target static
local-fs.target static
machines.target disabled
multi-user.target enabled
network-online.target static
network-pre.target static
network.target static
nss-lookup.target static
nss-user-lookup.target static
paths.target static
poweroff.target disabled
printer.target static
reboot.target disabled
remote-cryptsetup.target disabled
remote-fs-pre.target static
remote-fs.target enabled
rescue.target disabled
rpcbind.target static
runlevel0.target disabled
runlevel1.target disabled
runlevel2.target enabled
runlevel3.target enabled
runlevel4.target enabled
runlevel5.target static
runlevel6.target disabled
shutdown.target static
sigpwr.target static
sleep.target static
slices.target static
smartcard.target static
sockets.target static
sound.target static
suspend.target static
swap.target static
sysinit.target static
system-update.target static
time-sync.target static
timers.target static
umount.target static
fstrim.timer disabled
systemd-readahead-done.timer indirect
systemd-tmpfiles-clean.timer static
241 unit files listed.
*/
fail2ban の有効化
systemctl list-unit-files | fgrep -i 'fail2ban'
/*
fail2ban.service disabled
*/
cp -p /etc/fail2ban/jail.conf /etc/fail2ban/jail.d/jail.local
vi /etc/fail2ban/jail.d/jail.local
/*
[sshd]
enabled = true
*/
systemctl enable fail2ban
/*
fail2ban.service enabled
*/
systemctl start fail2ban
systemctl status fail2ban
/*
* fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2019-08-14 12:37:59 JST; 57s ago
Docs: man:fail2ban(1)
Process: 10830 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
Main PID: 10833 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
`-10833 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fa..
*/
fail2ban-client status
/*
Status
|- Number of jail: 1
`- Jail list: sshd
*/
fail2ban-client status sshd
/*
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 3
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 2
|- Total banned: 2
`- Banned IP list: 114.113.126.163 197.55.144.72
*/
kdump の無効化
systemctl list-unit-files | fgrep 'kdump'
/*
kdump.service disabled
*/
※ enabled となっている場合は下記のコマンドを実行
systemctl disable kdump
systemctl list-unit-files | fgrep 'kdump'
/*
kdump.service disabled
*/
ntpd の有効化
systemctl list-unit-files | fgrep 'ntp'
/*
ntpd.service disabled
ntpdate.service disabled
*/
systemctl enable ntpdate
/*
Created symlink from /etc/systemd/system/multi-user.target.wants/ntpdate.service to /usr/lib/systemd/system/ntpdate.service.
*/
systemctl enable ntpd
/*
Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.
*/
cp -pi /etc/ntp.conf /etc/ntp.conf.default
vi /etc/ntp.conf
diff /etc/ntp.conf /etc/ntp.conf.default
/*
14c14
< #restrict ::1
---
> restrict ::1
21,25c21,24
< #server 0.centos.pool.ntp.org iburst
< #server 1.centos.pool.ntp.org iburst
< #server 2.centos.pool.ntp.org iburst
< #server 3.centos.pool.ntp.org iburst
< server ntp.nict.jp iburst
---
> server 0.centos.pool.ntp.org iburst
> server 1.centos.pool.ntp.org iburst
> server 2.centos.pool.ntp.org iburst
> server 3.centos.pool.ntp.org iburst
*/
systemctl start ntpdate
systemctl status ntpdate
/*
ntpdate.service - Set time via NTP
Loaded: loaded (/usr/lib/systemd/system/ntpdate.service; enabled; vendor preset: disabled)
Active: active (exited) since Sat 2019-07-06 17:26:48 JST; 4s ago
Process: 1835 ExecStart=/usr/libexec/ntpdate-wrapper (code=exited, status=0/SUCCESS)
Main PID: 1835 (code=exited, status=0/SUCCESS)
Jul 06 17:26:44 centos7.s-idc.net systemd[1]: Starting Set time via NTP...
Jul 06 17:26:48 centos7.s-idc.net systemd[1]: Started Set time via NTP.
*/
systemctl start ntpd
systemctl status ntpd
/*
* ntpd.service - Network Time Service
Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2019-07-06 17:27:07 JST; 16ms ago
Process: 1868 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 1869 (ntpd)
CGroup: /system.slice/ntpd.service
`-1869 /usr/sbin/ntpd -u ntp:ntp -g
Jul 06 17:27:07 centos7.s-idc.net systemd[1]: Starting Network Time Service...
Jul 06 17:27:07 centos7.s-idc.net systemd[1]: Started Network Time Service.
Jul 06 17:27:08 centos7.s-idc.net ntpd[1869]: proto: precision = 0.044 usec
Jul 06 17:27:08 centos7.s-idc.net ntpd[1869]: 0.0.0.0 c01d 0d kern kernel ti...d
Hint: Some lines were ellipsized, use -l to show in full.
*/
grub.cfg の修正
vi /boot/grub2/grub.cfg
/*
rhgb quiet
*/
マシンの再起動
shutdown -r now
(以上)