一、SUDO,PAM配置规范说明
SUDO
在sudoers配置文件中修改,或者在sudoers.d目录下新增文件修改
-r--r----- 1 root root 4463 Aug 5 10:37 sudoers
drwxr-x---. 2 root root 6 Apr 20 2022 sudoers.d
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax: #sudoers文件下的配置修改
##
## user MACHINE = (runas) COMMANDS
## #执行权限的用户名 登入的主机 =(代表的用户) 要执行的命令
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
ma ALL=(root) /usr/bin/mount /dev/cdrom /mnt/,/usr/bin/umount /mnt
ma ALL= /bin/cat /var/log/vmware-network*
## 注意:sudoers 中命令参数里的 * 会匹配包括空格在内的任意字符串(参数整体按一个字符串匹配),上面这条规则也会匹配后面再跟上其它文件名的形式,从而读到本不应允许的文件;应避免在参数中使用通配符,或只列出具体文件
PAM
type control module-path arguments
type:指模块类型,即功能
control:指PAM库该如何处理与该服务相关的PAM模块的成功或失败情况,由一个关键词实现
module-path: 用来指明本模块对应的程序文件的路径名
Arguments: 用来传递给该模块的参数
[11:04:07 root@rocky8 ~]#ls /lib64/security/*.so #模块文件
/lib64/security/pam_access.so /lib64/security/pam_group.so /lib64/security/pam_pwhistory.so /lib64/security/pam_timestamp.so
/lib64/security/pam_cap.so /lib64/security/pam_issue.so /lib64/security/pam_pwquality.so /lib64/security/pam_tty_audit.so
/lib64/security/pam_chroot.so /lib64/security/pam_keyinit.so /lib64/security/pam_rhosts.so /lib64/security/pam_umask.so
/lib64/security/pam_console.so /lib64/security/pam_lastlog.so /lib64/security/pam_rootok.so /lib64/security/pam_unix_acct.so
/lib64/security/pam_cracklib.so /lib64/security/pam_limits.so /lib64/security/pam_securetty.so /lib64/security/pam_unix_auth.so
/lib64/security/pam_debug.so /lib64/security/pam_listfile.so /lib64/security/pam_selinux_permit.so /lib64/security/pam_unix_passwd.so
/lib64/security/pam_deny.so /lib64/security/pam_localuser.so /lib64/security/pam_selinux.so /lib64/security/pam_unix_session.so
/lib64/security/pam_echo.so /lib64/security/pam_loginuid.so /lib64/security/pam_sepermit.so /lib64/security/pam_unix.so
/lib64/security/pam_env.so /lib64/security/pam_mail.so /lib64/security/pam_shells.so /lib64/security/pam_userdb.so
/lib64/security/pam_exec.so /lib64/security/pam_mkhomedir.so /lib64/security/pam_sss_gss.so /lib64/security/pam_usertype.so
/lib64/security/pam_faildelay.so /lib64/security/pam_motd.so /lib64/security/pam_sss.so /lib64/security/pam_warn.so
/lib64/security/pam_faillock.so /lib64/security/pam_namespace.so /lib64/security/pam_stress.so /lib64/security/pam_wheel.so
/lib64/security/pam_filter.so /lib64/security/pam_nologin.so /lib64/security/pam_succeed_if.so /lib64/security/pam_xauth.so
/lib64/security/pam_ftp.so /lib64/security/pam_permit.so /lib64/security/pam_systemd.so
/lib64/security/pam_google_authenticator.so /lib64/security/pam_postgresok.so /lib64/security/pam_time.so
[11:04:23 root@rocky8 ~]#ls /etc/pam.d/ #系统程序调用的专有模块配置文件
atd chsh crond login passwd polkit-1 remote runuser-l smtp sshd su sudo-i system-auth vlock
chfn config-util fingerprint-auth other password-auth postlogin runuser smartcard-auth smtp.postfix sssd-shadowutils sudo su-l systemd-user vmtoolsd
[11:09:53 root@rocky8 ~]#ls /etc/security/ #模块的专有配置文件
access.conf console.apps console.perms faillock.conf limits.conf namespace.conf namespace.init pam_env.conf pwquality.conf.d time.conf
chroot.conf console.handlers console.perms.d group.conf limits.d namespace.d opasswd pwquality.conf sepermit.conf
[11:11:51 root@rocky8 ~]#vim /etc/pam.d/sshd #配置模块详细内容
#%PAM-1.0
#type control module-path arguments 模块类型 模块控制 模块路径 参数
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
二、chrony搭建私有ntp服务
[11:41:42 root@rocky8 ~]#yum -y install chrony #先安装chrony服务
Last metadata expiration check: 2:25:24 ago on Sat 05 Aug 2023 09:16:32 AM CST.
Package chrony-4.1-1.el8.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
#服务器端
[11:41:57 root@rocky8 ~]#vim /etc/chrony.conf #设置服务器的同步功能
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#pool 2.pool.ntp.org iburst
server ntp.aliyun.com iburst
server time1-5.cloud.tencent.com iburst
server ntp1-7.aliyun.com iburst
# Allow NTP client access from local network.
#allow 192.168.0.0/16
allow 10.0.0.0/24 #允许与服务器同步的网段
# Serve time even if not synchronized to a time source.
local stratum 10 #在互联网无法连接时,仍然能为客户端提供时间同步服务
[11:50:11 root@rocky8 ~]#systemctl restart chronyd #重启服务
#客户端
[11:51:17 root@rocky8 ~]#vim /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#pool 2.pool.ntp.org iburst
server 10.0.0.8 iburst #客户机以服务器地址为时间同步的目标地址
[11:56:10 root@rocky8 ~]#systemctl restart chronyd #重启服务
[11:56:27 root@rocky8 ~]#chronyc sources -v
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current best, '+' = combined, '-' = not combined,
| / 'x' = may be in error, '~' = too variable, '?' = unusable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.0.0.8 3 6 17 6 -955ns[ -43us] +/- 30ms #^*表示同步成功
三、说明CDN原理
本质上就是提供就近服务器的域名和转发
1.给浏览器输入一个域名,浏览器第一次发现本地没有DNS缓存,则向网站的DNS服务器请求。
2.网站的DNS域名解析设置了CNAME,请求指向了CDN网络中的智能DNS负载均衡系统。
3.智能DNS负载均衡系统解析域名,把对用户响应速度最快的IP节点返回给用户。
4.用户向该IP节点(CDN服务器)发出请求
5.由于是第一次访问,CDN服务器会通过Cache内部专用DNS解析得到此域名的原web站点IP,向原站点服务器发起请求,并在CDN服务器上缓存内容。
6.请求结果发给用户。
四、搭建智能DNS,实现不同地域客户端解析到不同主机
#每个机器配置好IP
[13:20:11 root@rocky8 ~]#ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:92:cf:ce brd ff:ff:ff:ff:ff:ff
inet 10.0.0.8/24 brd 10.0.0.255 scope global noprefixroute eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:92:cf:d8 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.8/24 brd 192.168.10.255 scope global noprefixroute eth1
[13:06:07 root@centos7 ~]#ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:e9:e6:bc brd ff:ff:ff:ff:ff:ff
inet 10.0.0.7/24 brd 10.0.0.255 scope global noprefixroute eth0
[13:19:44 root@rocky8 ~]#ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:7f:6a:1b brd ff:ff:ff:ff:ff:ff
inet 192.168.10.7/24 brd 192.168.10.255 scope global noprefixroute eth0
#在DNS服务器端配置
[13:23:43 root@rocky8 ~]#vim /etc/named.conf
acl beijingnet {
10.0.0.0/24;
};
acl shanghainet {
192.168.10.0/24;
};
acl othernet {
any;
};
// listen-on port 53 { 127.0.0.1; }; #注释
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
// allow-query { localhost; }; #注释
view beijingview {
match-clients { beijingnet;};
include "/etc/named.rfc1912.zones.bj";
};
view shanghaiview {
match-clients { shanghainet;};
include "/etc/named.rfc1912.zones.sh";
};
view otherview {
match-clients { othernet;};
include "/etc/named.rfc1912.zones.other";
};
#有view视图的情况下不能在view之外直接定义zone,所以把下方的zone挪到对应的/etc/named.rfc1912.zones.*数据文件中。
#配置对应的区域文件
[13:46:01 root@rocky8 ~]#vim /etc/named.rfc1912.zones.bj
zone "." IN {
type hint;
file "named.ca";
};
zone "mazhuobo.com" IN {
type master;
file "mazhuobo.com.zone.bj";
};
[13:49:18 root@rocky8 ~]#vim /etc/named.rfc1912.zones.sh
zone "." IN {
type hint;
file "named.ca";
};
zone "mazhuobo.com" IN {
type master;
file "mazhuobo.com.zone.sh";
};
[13:52:24 root@rocky8 ~]#vim /etc/named.rfc1912.zones.other
zone "." IN {
type hint;
file "named.ca";
};
zone "mazhuobo.com" IN {
type master;
file "mazhuobo.com.zone.other";
};
[13:53:52 root@rocky8 ~]#ll /etc/named.rfc1912.zones.*
-rw-r----- 1 root root 1177 Aug 5 13:49 /etc/named.rfc1912.zones.bj
-rw-r----- 1 root root 1186 Aug 5 13:53 /etc/named.rfc1912.zones.other
-rw-r----- 1 root root 1176 Aug 5 13:52 /etc/named.rfc1912.zones.sh
#更改他们的所有组 chgrp named /etc/named.rfc1912.zones.*
[13:54:46 root@rocky8 ~]#ll /etc/named.rfc1912.zones.*
-rw-r----- 1 root named 1177 Aug 5 13:49 /etc/named.rfc1912.zones.bj
-rw-r----- 1 root named 1186 Aug 5 13:53 /etc/named.rfc1912.zones.other
-rw-r----- 1 root named 1176 Aug 5 13:52 /etc/named.rfc1912.zones.sh
#配置区域数据库文件
[13:54:48 root@rocky8 ~]#vim /var/named/mazhuobo.com.zone.bj
$TTL 1D
@ IN SOA master admin.mazhuobo.com. (
2023080510 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
websrv A 10.0.0.7
www CNAME websrv
[14:00:57 root@rocky8 ~]#vim /var/named/mazhuobo.com.zone.sh
$TTL 1D
@ IN SOA master admin.mazhuobo.com. (
2023080510 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
websrv A 192.168.10.7
www CNAME websrv
[14:08:18 root@rocky8 ~]#vim /var/named/mazhuobo.com.zone.other
$TTL 1D
@ IN SOA master admin.mazhuobo.com. (
2023080510 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
websrv A 127.0.0.1
www CNAME websrv
[14:07:17 root@rocky8 ~]#ll /var/named/mazhuobo.com.zone.*
-rw-r--r-- 1 root root 340 Aug 5 13:59 /var/named/mazhuobo.com.zone.bj
-rw-r--r-- 1 root root 338 Aug 5 14:06 /var/named/mazhuobo.com.zone.other
-rw-r--r-- 1 root root 212 Aug 5 14:05 /var/named/mazhuobo.com.zone.sh
#更改他们的所有组chgrp named /var/named/mazhuobo.com.zone.*
[14:09:35 root@rocky8 ~]#ll /var/named/mazhuobo.com.zone.*
-rw-r--r-- 1 root named 340 Aug 5 13:59 /var/named/mazhuobo.com.zone.bj
-rw-r--r-- 1 root named 340 Aug 5 14:08 /var/named/mazhuobo.com.zone.other
-rw-r--r-- 1 root named 212 Aug 5 14:05 /var/named/mazhuobo.com.zone.sh
#重启服务器
systemctl restart named
#web服务器上安装http
[14:51:25 root@rocky8 ~]#yum install httpd -y
#分别在三台web服务器上写入各自的数据(把 * 替换为 Beijing、Shanghai、Other,并给字符串加引号,避免 * 被当作通配符展开)
echo www.mazhuobo.com in * > /var/www/html/index.html
#重启服务
systemctl restart httpd
#测试确保网关正确
# 10.0.0.8
[15:03:35 root@rocky8 ~]#cat /etc/resolv.conf
# Generated by NetworkManager
search mazhuobo
nameserver 192.168.10.2
[15:03:37 root@rocky8 ~]#curl www.mazhuobo.com
www.mazhuobo.com in Other
#10.0.0.28
[15:00:47 root@rocky8 ~]#cat /etc/resolv.conf;
# Generated by NetworkManager
search mazhuobo
nameserver 10.0.0.8
[15:00:51 root@rocky8 ~]#curl www.mazhuobo.com
www.mazhuobo.com in Beijing
#192.168.10.6
[15:01:27 root@rocky8 ~]#cat /etc/resolv.conf
# Generated by NetworkManager
search mazhuobo
nameserver 192.168.10.8
[15:01:46 root@rocky8 ~]#curl www.mazhuobo.com
www.mazhuobo.com in Shanghai
五、解释DNS解析流程
迭代查询:客户端先访问本地DNS代理解析服务器;代理服务器没有该地址则去访问根服务器,根服务器没有则指向.com域名服务器,.com域名服务器没有则指向二级域名服务器,依次迭代,最后返回域名对应的地址
递归查询:访问DNS代理解析服务器,在缓存中查找到地址后直接返回
六、iptables 5表5链解释
5链
INPUT,OUTPUT,FORWARD,PREROUTING,POSTROUTING
三种报文流向
流入本机:PREROUTING --> INPUT-->用户空间进程
流出本机:用户空间进程 -->OUTPUT--> POSTROUTING
转发:PREROUTING --> FORWARD --> POSTROUTING
5表
五个表table:filter、nat、mangle、raw、security
filter:过滤规则表,根据预定义的规则过滤符合条件的数据包,默认表
nat:network address translation 地址转换规则表
mangle:修改数据标记位规则表
raw:关闭启用的连接跟踪机制,加快封包穿越防火墙速度
security:用于强制访问控制(MAC)网络规则,由Linux安全模块(如SELinux)实现
优先级从高到低排序
security -->raw-->mangle-->nat-->filter
七、iptables/firewalld/nftable 实现主机防火墙。5000-6000端口仅192.168.0.0/24网段内的主机访问
iptables
[09:44:45 root@rocky8 ~]#iptables -A INPUT ! -s 192.168.0.0/24 -p tcp --dport 5000:6000 -j REJECT
firewalld(注意:--add-port=5000-6000/tcp 会对 public 区域内所有来源开放该端口段,并不能限制到 192.168.0.0/24;要满足题目要求应用 --remove-port=5000-6000/tcp 去掉该端口,只保留下方的 rich rule;以上命令都是运行时规则,需要加 --permanent 并执行 --reload 才能持久化)
[10:15:36 root@rocky8 ~]#firewall-cmd --add-port=5000-6000/tcp
success
[10:15:49 root@rocky8 ~]#firewall-cmd --list-port
5000-6000/tcp
[10:16:37 root@rocky8 ~]#firewall-cmd --add-source=192.168.0.0/24
success
[10:16:42 root@rocky8 ~]#firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources: 192.168.0.0/24
services: cockpit dhcpv6-client ssh
ports: 5000-6000/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[10:22:43 root@rocky8 ~]#firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.0.0/24 port port=5000-6000 protocol=tcp accept'
success
nftable
#先创建一个表
[10:33:47 root@rocky8 ~]#nft add table inet test_table
#在表中创建一个链
[10:36:40 root@rocky8 ~]#nft add chain inet test_table test_filter_input_chain {type filter hook input priority 0 \; }
#添加规则(注意:0.0.0.0/24 只匹配 0.0.0.0-0.0.0.255,要拒绝其余所有来源应写 0.0.0.0/0 或直接省略 ip saddr;按下面的写法,链的默认策略是 accept,其它网段仍然可以访问 5000-6000 端口)
[10:46:50 root@rocky8 ~]#nft add rule inet test_table test_filter_input_chain ip saddr 10.0.0.1 accept
[10:53:16 root@rocky8 ~]#nft add rule inet test_table test_filter_input_chain ip saddr 192.168.0.0/24 tcp dport 5000-6000 accept
[10:53:24 root@rocky8 ~]#nft add rule inet test_table test_filter_input_chain ip saddr 0.0.0.0/24 tcp dport 5000-6000 reject
#查看规则
[10:55:39 root@rocky8 ~]#nft list ruleset
table inet test_table {
chain test_filter_input_chain {
type filter hook input priority filter; policy accept;
ip saddr 10.0.0.1 accept
ip saddr 192.168.0.0/24 tcp dport 5000-6000 accept
ip saddr 0.0.0.0/24 tcp dport 5000-6000 reject
}
}
八、mysql的各发行版有哪些 ?
关系型数据库和非关系型数据库
关系型数据库常见的有
MySQL: MySQL, MariaDB, Percona Server
PostgreSQL: 简称为pgsql,EnterpriseDB
Oracle
MSSQL Server
DB2
非关系型数据库常见的有
redis
mysql有MySQL Enterprise Edition(企业版)、MySQL Cluster CGE(集群)、MySQL Community(社区版)
MySQL 的三大主要分支
MySQL
Mariadb
Percona Server
版本的演变
MySQL:5.1 --> 5.5 --> 5.6 --> 5.7 -->8.0
MariaDB:5.1 -->5.5 -->10.0--> 10.1 --> 10.2 --> 10.3 --> 10.4 --> 10.5
九、mysql索引的作用
索引是帮助 MySQL 高效获取数据的数据结构(有序)。在数据之外,数据库系统还维护着满足特定查找算法的数据结构,这些数据结构以某种方式引用(指向)数据,这样就可以在这些数据结构上实现高级查询算法,这种数据结构就是索引。
优缺点:
优点:
- 提高数据检索效率,降低数据库的IO成本
- 通过索引列对数据进行排序,降低数据排序的成本,降低CPU的消耗
缺点:
- 索引列也是要占用空间的
- 索引大大提高了查询效率,但降低了更新的速度,比如 INSERT、UPDATE、DELETE
十、mysql btree索引的原理
B-tree
就是每一个节点上都有指针和数据,通过比较插入key的大小,来确定一个数据插入的位置,比如一个5阶B-tree,每个节点最多有4个key、5个指针
B-tree的动画演示 B-Tree Visualization (usfca.edu)
B+tree
就是只有叶子节点才有数据,而且所有叶子节点形成一个单向链表
B+tree的动画演示 B+ Tree Visualization (usfca.edu)
十一、mysql安全加固?
mysql的安全加固脚本主要针对于MySQL5.6之前的版本
运行mysql_secure_installation脚本
MySQL5.6之前
设置数据库管理员root口令
禁止root远程登录
删除anonymous用户帐号
删除test数据库
在5.6版本之后可以不用执行安全加固脚本