CentOS basic system setup (exam task, 20 minutes)

1. Change the SSH remote port to 12345; verifying that you can log in on port 12345 is sufficient.
2. Enable the CentOS firewall and allow TCP ports 12345 and 3306 through it, using only one rule.
3. Disable SELinux in its configuration file, and have the change take effect without rebooting the system.

Check which port sshd is listening on; by default it is 22:

    [root@mysql200 ~]# netstat -antulp | grep sshd
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1101/sshd
    tcp6       0      0 :::22                   :::*                    LISTEN      1101/sshd
Change the SSH port: open the sshd configuration, find line 18 (the commented-out `#Port 22` default), add a line `Port 12345` below it, then save and exit:

    [root@mysql200 ~]# vim /etc/ssh/sshd_config

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#

    #Port 22
    Port 12345
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

Take the comment the file itself carries seriously: while SELinux is enforcing, sshd may only bind ports labelled ssh_port_t (22 by default), so label the new port before restarting, otherwise sshd cannot bind 12345 and the restart fails. On CentOS 7 `semanage` comes from the policycoreutils-python package:

    [root@mysql200 ~]# semanage port -a -t ssh_port_t -p tcp 12345

(If you carry out step 3 first and SELinux is already permissive, sshd binds without this, but labelling the port is the proper fix rather than a workaround.)

The new port only takes effect after the sshd service is restarted. Check the listening port again afterwards; the change has been applied:

    [root@mysql200 ~]# systemctl restart sshd
    [root@mysql200 ~]# netstat -antulp | grep sshd
    tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN      3463/sshd
    tcp6       0      0 :::12345                :::*                    LISTEN      3463/sshd

Before closing the session you are working in, open a second terminal and confirm `ssh -p 12345 root@<host>` works; the existing connection stays up through the restart, so it is not proof by itself.

Check the firewall state:

    [root@mysql200 ~]# firewall-cmd --state
    running

If it is not running, start it (and `systemctl enable firewalld` as well, so it is still on after a reboot):

    [root@mysql200 ~]# systemctl start firewalld
    [root@mysql200 ~]# firewall-cmd --state
    running

firewalld's predefined zones that matter here are public, trusted and drop:

- public: the default zone; only the ssh service (and dhcpv6-client) may reach this host, everything else is rejected
- trusted: all traffic to this host is allowed
- drop: every packet to this host is dropped, without any reply

    [root@mysql200 ~]# firewall-cmd --list-all
    You're performing an operation over default zone ('trusted'),
    but your connections/interfaces are in zone 'public' (see --get-active-zones)
    You most likely need to use --zone=public option.

    trusted
      target: ACCEPT
      icmp-block-inversion: no
      interfaces:
      sources:
      services:
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:

On this machine the default zone is trusted (everything accepted), while the actual interface ens33 sits in public, which is why firewall-cmd warns. Change the default zone to public so that the rules you add apply to the interface:

    [root@mysql200 ~]# firewall-cmd --set-default-zone=public
    success
    [root@mysql200 ~]# firewall-cmd --reload
    success
    [root@mysql200 ~]# firewall-cmd --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: ens33
      sources:
      services: ssh dhcpv6-client
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:

Allow TCP ports 12345 and 3306 through. A single `--add-port` invocation may list several ports, so this is one rule; `--permanent` writes it to the zone's configuration file, and `--reload` is what loads the permanent configuration into the running firewall (without it the port stays closed until the next restart):

    [root@mysql200 ~]# firewall-cmd --permanent --zone=public --add-port=12345/tcp --add-port=3306/tcp
    success
    [root@mysql200 ~]# firewall-cmd --reload
    success
    [root@mysql200 ~]# firewall-cmd --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: ens33
      sources:
      services: ssh dhcpv6-client
      ports: 12345/tcp 3306/tcp
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:

Note that the ssh service entry still keeps port 22 open in the public zone. The exam does not ask for it to be closed, but on a real host you would remove it with `firewall-cmd --permanent --zone=public --remove-service=ssh` (then `--reload`) once login on 12345 has been confirmed.

3. Disable SELinux in its configuration file, and have the change take effect without rebooting the system.

Edit the SELinux configuration file and set SELINUX=disabled:

    vim /etc/selinux/

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=disabled
    # SELINUXTYPE= can take one of these three values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted

This setting is only read at boot, so the running system is still in enforcing mode. Check the current SELinux status:

    [root@mysql200 selinux]# getenforce
    Enforcing

Disable it for the running system (takes effect immediately, no reboot):

    [root@mysql200 selinux]# setenforce 0
    [root@mysql200 selinux]# getenforce
    Permissive

`setenforce 0` switches to permissive mode: the policy stays loaded and denials are still logged to the audit log, but nothing is blocked, which is what "disabled without a reboot" means in practice. `getenforce` will only report Disabled after the next reboot, when SELINUX=disabled in the configuration file is read; a running kernel cannot unload its policy. Keep in mind that files created while SELinux is disabled get no labels, so if the host is ever switched back to enforcing it must be relabelled (`touch /.autorelabel` before rebooting) or services will fail to start.
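The three steps above as one idempotent script with verification, an added example that is not part of the original post. The file-editing functions take the configuration file as a parameter so they can be exercised on a copy; `apply_on_host` runs the real commands and assumes root on CentOS 7 with policycoreutils-python installed (for `semanage`), the standard paths /etc/ssh/sshd_config and /etc/selinux/config, and the ports 12345 and 3306 from the task. The ordering differs from the post on purpose: the port is labelled and the firewall opened before sshd is restarted, so the session you are typing in cannot be cut off.

```bash
#!/usr/bin/env bash
# Added example: the exam's three steps as an idempotent script.
# Run as root on CentOS 7:   ./centos-basic.sh --apply
set -euo pipefail

SSH_PORT=12345
DB_PORT=3306

# set_sshd_port FILE PORT: ensure an uncommented "Port PORT" directive.
# Rewrites an existing directive instead of appending a second one, so
# running it twice leaves exactly one "Port" line.
set_sshd_port() {
  local cfg=$1 port=$2
  if grep -Eq '^[[:space:]]*Port[[:space:]]+' "$cfg"; then
    sed -i -E "s/^[[:space:]]*Port[[:space:]]+.*/Port ${port}/" "$cfg"
  elif grep -q '^#Port 22' "$cfg"; then
    # keep the commented default for reference, add ours right below it (GNU sed)
    sed -i "/^#Port 22/a Port ${port}" "$cfg"
  else
    printf 'Port %s\n' "$port" >> "$cfg"
  fi
}

# get_sshd_port FILE: the effective port (last uncommented Port, 22 if none).
get_sshd_port() {
  awk '$1 == "Port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# set_selinux_mode FILE MODE: rewrite the SELINUX= line of /etc/selinux/config.
set_selinux_mode() {
  local cfg=$1 mode=$2
  case $mode in
    enforcing|permissive|disabled) ;;
    *) echo "invalid SELINUX mode: $mode" >&2; return 1 ;;
  esac
  sed -i -E "s/^SELINUX=.*/SELINUX=${mode}/" "$cfg"
}

# get_selinux_mode FILE: the configured (boot-time) mode.
get_selinux_mode() {
  awk -F= '$1 == "SELINUX" { v = $2 } END { print v }' "$1"
}

apply_on_host() {
  set_sshd_port /etc/ssh/sshd_config "$SSH_PORT"

  # Step 1, SELinux side: while enforcing, sshd may only bind ports labelled
  # ssh_port_t. "semanage port -a" fails if the port is already labelled,
  # in which case "-m" changes the existing label instead.
  if [ "$(getenforce)" != "Disabled" ]; then
    semanage port -a -t ssh_port_t -p tcp "$SSH_PORT" 2>/dev/null \
      || semanage port -m -t ssh_port_t -p tcp "$SSH_PORT"
  fi

  # Step 2: firewall running and enabled at boot, public as default zone,
  # both ports in one permanent rule, reload so the rule becomes active.
  systemctl enable firewalld
  systemctl start firewalld
  firewall-cmd --set-default-zone=public
  firewall-cmd --permanent --zone=public \
    --add-port="${SSH_PORT}/tcp" --add-port="${DB_PORT}/tcp"
  firewall-cmd --reload

  # Only now restart sshd; then verify both the listener and the firewall.
  systemctl restart sshd
  ss -tnlp | grep ":${SSH_PORT} " >/dev/null \
    || { echo "sshd is not listening on ${SSH_PORT}" >&2; return 1; }
  firewall-cmd --zone=public --query-port="${SSH_PORT}/tcp" >/dev/null \
    || { echo "firewall does not pass ${SSH_PORT}/tcp" >&2; return 1; }

  # Step 3: disabled at next boot via the config file, permissive right now.
  set_selinux_mode /etc/selinux/config disabled
  setenforce 0
  echo "SELinux now: $(getenforce) (reports Disabled only after a reboot)"
}

if [ "${1:-}" = "--apply" ]; then
  apply_on_host
fi
```

Without `--apply` the script only defines the functions, so it can be sourced and the editing functions tried against a copy of the real files first; `ss` is used for the check because net-tools (`netstat`) is not installed on a minimal CentOS 7.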