(Introduction)
When you first create a new CentOS 8 server, there are a few configuration steps that you should take early on as part of the basic setup. This will increase the security and usability of your server and will give you a solid foundation for subsequent actions.
(Step 1 — Logging in as Root)
To log into your server, you will need to know your server’s public IP address. You will also need the password or, if you installed an SSH key for authentication, the private key for the root user’s account. If you have not already logged into your server, you may want to follow our documentation on how to connect to your Droplet with SSH, which covers this process in detail.
If you are not already connected to your server, log in as the root user now using the following command (substitute the highlighted portion of the command with your server’s public IP address):
- ssh root@your_server_ip
Accept the warning about host authenticity if it appears. If you are using password authentication, provide your root password to log in. If you are using an SSH key that is passphrase protected, you may be prompted to enter the passphrase the first time you use the key each session. If this is your first time logging into the server with a password, you may also be prompted to change the root password.
(About Root)
The root user is the administrative user in a Linux environment, and it has very broad privileges. Because of the heightened privileges of the root account, you are discouraged from using it on a regular basis. This is because part of the power inherent with the root account is the ability to make very destructive changes, even by accident.
As such, the next step is to set up an alternative user account with a reduced scope of influence for day-to-day work. This account will still be able to gain increased privileges when necessary.
(Step 2 — Creating a New User)
Once you are logged in as root, you can create the new user account that we will use to log in from now on.
This example creates a new user called sammy, but you should replace it with any username that you prefer:
- adduser sammy
Next, set a strong password for the sammy user:
- passwd sammy
You will be prompted to enter the password twice. After doing so, your user will be ready to use, but first we’ll give this user additional privileges to use the sudo command. This will allow us to run commands as root when necessary.
(Step 3 — Granting Administrative Privileges)
Now, we have a new user account with regular account privileges. However, we may sometimes need to do administrative tasks.
To avoid having to log out of our normal user and log back in as the root account, we can set up what is known as “superuser” or root privileges for our normal account. This will allow our normal user to run commands with administrative privileges by putting the word sudo before each command.
To add these privileges to our new user, we need to add the new user to the wheel group. By default, on CentOS 8, users who belong to the wheel group are allowed to use the sudo command.
As root, run this command to add your new user to the wheel group (substitute the highlighted word with your new username):
- usermod -aG wheel sammy
Now, when logged in as your regular user, you can type sudo before commands to perform actions with superuser privileges.
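A check for the outcome of Steps 2 and 3, added here as an example and not part of the original tutorial: it confirms the user is a member of wheel and that the wheel rule in sudoers is active and still requires a password (the NOPASSWD variant stays commented out). The group and sudoers file paths are parameters; the sample files it reads are constructed, and the sudoers lines mirror the stock CentOS 8 wheel rules.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit that a user received
# sudo the way Step 3 describes (membership in "wheel" plus an active
# "%wheel ALL=(ALL) ALL" rule) and that the NOPASSWD wheel rule stayed off.
# The group and sudoers files are parameters so the check can run against the
# constructed samples below; on a real host pass /etc/group and /etc/sudoers.

# user_in_group USER GROUP GROUPFILE -> 0 if USER is a listed member of GROUP
user_in_group() {
    # /etc/group format: name:password:gid:member1,member2,...
    members=$(awk -F: -v g="$2" '$1 == g { print $4 }' "$3")
    case ",$members," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# wheel_sudo_policy SUDOERSFILE -> prints "nopasswd", "password" or "none"
wheel_sudo_policy() {
    # commented-out rules ("# %wheel ...") do not match because the pattern is
    # anchored on %wheel; tabs between the fields are allowed
    if grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD:' "$1"; then
        echo nopasswd
    elif grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL' "$1"; then
        echo password
    else
        echo none
    fi
}

# audit_sudo_user USER GROUPFILE SUDOERSFILE -> 0 only if USER is in wheel and
# wheel members must type their password to use sudo
audit_sudo_user() {
    user_in_group "$1" wheel "$2" || { echo "$1 is not in wheel"; return 1; }
    [ "$(wheel_sudo_policy "$3")" = password ] \
        || { echo "wheel rule missing or NOPASSWD"; return 1; }
    echo "$1 can use sudo via wheel (password required)"
}

# Constructed sample files mirroring a CentOS 8 host after "usermod -aG wheel sammy"
tmp=$(mktemp -d)
printf '%s\n' 'root:x:0:' 'wheel:x:10:sammy' 'users:x:100:alice' > "$tmp/group"
printf '%s\n' '## Allows people in group wheel to run all commands' \
    '%wheel ALL=(ALL) ALL' \
    '## Same thing without a password' \
    '# %wheel ALL=(ALL) NOPASSWD: ALL' > "$tmp/sudoers"
audit_sudo_user sammy "$tmp/group" "$tmp/sudoers"
```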
(Step 4 — Setting Up a Basic Firewall)
Firewalls provide a basic level of security for your server. These applications are responsible for denying traffic to every port on your server, except for those ports/services you have explicitly approved. CentOS has a service called firewalld to perform this function. A tool called firewall-cmd is used to configure firewalld firewall policies.
Note: If your servers are running on DigitalOcean, you can optionally use DigitalOcean Cloud Firewalls instead of firewalld. We recommend using only one firewall at a time to avoid conflicting rules that may be difficult to debug.
First install firewalld:
- dnf install firewalld -y
The default firewalld configuration allows ssh connections, so we can turn the firewall on immediately:
- systemctl start firewalld
Check the status of the service to make sure it started:
- systemctl status firewalld
Output
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-02-06 16:39:40 UTC; 3s ago
Docs: man:firewalld(1)
Main PID: 13180 (firewalld)
Tasks: 2 (limit: 5059)
Memory: 22.4M
CGroup: /system.slice/firewalld.service
└─13180 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid
Note that it is both active and enabled, meaning it will start by default if the server is rebooted.
Now that the service is up and running, we can use the firewall-cmd utility to get and set policy information for the firewall.
First let’s list which services are already allowed:
- firewall-cmd --permanent --list-all
Output
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
To see the additional services that you can enable by name, type:
- firewall-cmd --get-services
To add a service that should be allowed, use the --add-service flag:
- firewall-cmd --permanent --add-service=http
This would add the http service and allow incoming TCP traffic to port 80. The configuration will update after you reload the firewall:
- firewall-cmd --reload
Remember that you will have to explicitly open the firewall (with services or ports) for any additional services that you may configure later.
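An allowlist audit of the zone listed above, added as an example and not the tutorial's own code: it parses firewall-cmd --list-all output and reports any service or port that is open beyond what you intended (for instance cockpit, which the default zone allows, if you do not use the Cockpit web console) as well as any intended service that is missing. The zone dump it reads here is constructed, and the allowlist "ssh http dhcpv6-client" is an assumption for the demo.

```shell
#!/bin/sh
# Added example, not the tutorial's own code: compare what a firewalld zone
# allows with an allowlist and report open services/ports that were not
# intended (e.g. cockpit, allowed by the default zone above, if you do not use
# the Cockpit web console) as well as intended services that are missing.
# On a server: firewall-cmd --permanent --list-all | audit_zone "ssh http"
# Below it reads a constructed copy of "firewall-cmd --list-all" output.

# print the values on the "services:" / "ports:" lines of a dump on stdin
listed_services() { awk -F': ' '$1 ~ /^ *services$/ { print $2 }'; }
listed_ports() { awk -F': ' '$1 ~ /^ *ports$/ { print $2 }'; }

# audit_zone "ALLOWED_SERVICES" ["ALLOWED_PORTS"] < dump -> 0 only when every
# allowed service is present and nothing else is open; deviations are printed
audit_zone() {
    allowed_services=$1; allowed_ports=${2:-}; rc=0
    dump=$(cat)
    services=$(printf '%s\n' "$dump" | listed_services)
    ports=$(printf '%s\n' "$dump" | listed_ports)
    for s in $services; do
        case " $allowed_services " in
            *" $s "*) ;;
            *) echo "unexpected service allowed: $s"; rc=1 ;;
        esac
    done
    for s in $allowed_services; do
        case " $services " in
            *" $s "*) ;;
            *) echo "expected service missing: $s"; rc=1 ;;
        esac
    done
    for p in $ports; do
        case " $allowed_ports " in
            *" $p "*) ;;
            *) echo "unexpected port open: $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the zone above after --add-service=http, plus a port
# someone opened by hand
sample='public (active)
  interfaces: eth0 eth1
  services: cockpit dhcpv6-client http ssh
  ports: 8080/tcp
  masquerade: no'
printf '%s\n' "$sample" | audit_zone "ssh http dhcpv6-client" \
    || echo "zone deviates from the allowlist"
```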
(Step 5 — Enabling External Access for Your Regular User)
Now that we have a regular non-root user for daily use, we need to make sure we can use it to SSH into our server.
Note: Until verifying that you can log in and use sudo with your new user, we recommend staying logged in as root. This way, if you have problems, you can troubleshoot and make any necessary changes as root. If you are using a DigitalOcean Droplet and experience problems with your root SSH connection, you can log into the Droplet using the DigitalOcean Console.
The process for configuring SSH access for your new user depends on whether your server’s root account uses a password or SSH keys for authentication.
(If the Root Account Uses Password Authentication)
If you logged in to your root account using a password, then password authentication is enabled for SSH. You can SSH to your new user account by opening up a new terminal session and using SSH with your new username:
- ssh sammy@your_server_ip
After entering your regular user’s password, you will be logged in. Remember, if you need to run a command with administrative privileges, type sudo before it like this:
- sudo command_to_run
You will be prompted for your regular user password when using sudo for the first time each session (and periodically afterwards).
To enhance your server’s security, we strongly recommend setting up SSH keys instead of using password authentication. Follow our guide on setting up SSH keys on CentOS 8 to learn how to configure key-based authentication.
(If the Root Account Uses SSH Key Authentication)
If you logged in to your root account using SSH keys, then password authentication is disabled for SSH. You will need to add a copy of your public key to the new user’s ~/.ssh/authorized_keys file to log in successfully.
Since your public key is already in the root account’s ~/.ssh/authorized_keys file on the server, we can copy that file and directory structure to our new user account.
The simplest way to copy the files with the correct ownership and permissions is with the rsync command. This will copy the root user’s .ssh directory, preserve the permissions, and modify the file owners, all in a single command. Make sure to change the highlighted portions of the command below to match your regular user’s name:
Note: The rsync command treats sources and destinations that end with a trailing slash differently than those without a trailing slash. When using rsync below, be sure that the source directory (~/.ssh) does not include a trailing slash (check to make sure you are not using ~/.ssh/).
If you accidentally add a trailing slash to the command, rsync will copy the contents of the root account’s ~/.ssh directory to the sudo user’s home directory instead of copying the entire ~/.ssh directory structure. The files will be in the wrong location and SSH will not be able to find and use them.
- rsync --archive --chown=sammy:sammy ~/.ssh /home/sammy
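A post-copy check for the rsync step above, added as an example that is not from the original tutorial: it confirms the new user's .ssh directory landed in the right place (rather than the trailing-slash outcome just described) and that ownership and write bits are what sshd's StrictModes requires before it will accept the key. It assumes GNU stat on a Linux host; verify_ssh_dir takes a user name or numeric UID, and the demo home directory is constructed in a temporary path owned by the current user.

```shell
#!/bin/sh
# Added example, not from the tutorial: a check to run after the rsync command
# above. sshd (StrictModes, its default) accepts a key from ~/.ssh/authorized_keys
# only when the home directory, .ssh and the file are owned by the user and none
# of them is group- or world-writable, and a trailing slash on the rsync source
# leaves authorized_keys directly in the home directory. Uses GNU stat.
# verify_ssh_dir takes a user name or numeric UID; the demo below uses the
# current user on a constructed temporary home directory.

# strip_trailing_slash PATH -> PATH without a trailing slash, the form the
# rsync source argument must have
strip_trailing_slash() { printf '%s\n' "${1%/}"; }

# not_group_world_writable PATH -> 0 if neither the group nor the other write
# bit is set (symbolic mode such as drwx------: group w is char 6, other w char 9)
not_group_world_writable() {
    case $(stat -c '%A' "$1") in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# verify_ssh_dir HOME USER -> 0 if HOME/.ssh/authorized_keys is usable by sshd
verify_ssh_dir() {
    home=$1; dir=$1/.ssh; keys=$1/.ssh/authorized_keys
    case $2 in *[!0-9]*) uid=$(id -u "$2") ;; *) uid=$2 ;; esac
    if [ ! -d "$dir" ]; then
        echo "$dir is missing (trailing slash on the rsync source?)"; return 1
    fi
    [ -f "$keys" ] || { echo "$keys is missing"; return 1; }
    for p in "$home" "$dir" "$keys"; do
        [ "$(stat -c '%u' "$p")" = "$uid" ] || { echo "$p not owned by uid $uid"; return 1; }
        not_group_world_writable "$p" || { echo "$p is group/world writable"; return 1; }
    done
    echo "$keys is usable by sshd"
}

# Constructed demo: a temporary home directory owned by the current user
demo_user=$(id -u)
demo_home=$(mktemp -d)
mkdir -m 700 "$demo_home/.ssh"
echo "ssh-ed25519 AAAA_PLACEHOLDER_KEY demo" > "$demo_home/.ssh/authorized_keys"
chmod 600 "$demo_home/.ssh/authorized_keys"
verify_ssh_dir "$demo_home" "$demo_user"
```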
Now, back in a new terminal on your local machine, open up a new SSH session with your non-root user:
- ssh sammy@your_server_ip
You should be logged in to the new user account without using a password. Remember, if you need to run a command with administrative privileges, type sudo before it like this:
- sudo command_to_run
You will be prompted for your regular user password when using sudo for the first time each session (and periodically afterwards).
(Conclusion)
At this point, you have a solid foundation for your server. You can install any of the software you need on your server now.
Translated from: https://www.digitalocean.com/community/tutorials/initial-server-setup-with-centos-8