# systemctl stop postfix # systemctl stop avahi-daemon # systemctl disable postfix # systemctl disable avahi-daemon
$ chmod +x /etc/rc.d/rc.local $ systemctl enable rc-local $ systemctl start rc-local $ systemctl status rc-local
[root@www.netkiller.cn ~]# systemctl is-enabled mongod enabled [root@www.netkiller.cn ~]# systemctl is-enabled spring disabled
# systemctl list-unit-files UNIT FILE STATE proc-sys-fs-binfmt_misc.automount static dev-hugepages.mount static dev-mqueue.mount static proc-sys-fs-binfmt_misc.mount static sys-fs-fuse-connections.mount static sys-kernel-config.mount static sys-kernel-debug.mount static tmp.mount disabled brandbot.path disabled systemd-ask-password-console.path static systemd-ask-password-plymouth.path static systemd-ask-password-wall.path static session-1.scope static session-2.scope static session-3.scope static session-4.scope static auditd.service enabled autovt@.service disabled avahi-daemon.service enabled blk-availability.service disabled brandbot.service static console-getty.service disabled console-shell.service disabled cpupower.service disabled crond.service enabled dbus-org.fedoraproject.FirewallD1.service enabled dbus-org.freedesktop.Avahi.service enabled dbus-org.freedesktop.hostname1.service static dbus-org.freedesktop.locale1.service static dbus-org.freedesktop.login1.service static dbus-org.freedesktop.machine1.service static dbus-org.freedesktop.NetworkManager.service enabled dbus-org.freedesktop.nm-dispatcher.service enabled dbus-org.freedesktop.timedate1.service static dbus.service static debug-shell.service disabled dm-event.service disabled dnsmasq.service disabled dracut-cmdline.service static dracut-initqueue.service static dracut-mount.service static dracut-pre-mount.service static dracut-pre-pivot.service static dracut-pre-trigger.service static dracut-pre-udev.service static dracut-shutdown.service static ebtables.service disabled emergency.service static firewalld.service enabled getty@.service enabled halt-local.service static initrd-cleanup.service static initrd-parse-etc.service static initrd-switch-root.service static initrd-udevadm-cleanup-db.service static irqbalance.service enabled kdump.service enabled kmod-static-nodes.service static lvm2-lvmetad.service disabled lvm2-monitor.service enabled lvm2-pvscan@.service static messagebus.service static 
microcode.service enabled NetworkManager-dispatcher.service enabled NetworkManager-wait-online.service disabled NetworkManager.service enabled plymouth-halt.service disabled plymouth-kexec.service disabled plymouth-poweroff.service disabled plymouth-quit-wait.service disabled plymouth-quit.service disabled plymouth-read-write.service disabled plymouth-reboot.service disabled plymouth-start.service disabled plymouth-switch-root.service static polkit.service static postfix.service enabled quotaon.service static rc-local.service static rdisc.service disabled rescue.service static rhel-autorelabel-mark.service static rhel-autorelabel.service static rhel-configure.service static rhel-dmesg.service disabled rhel-domainname.service disabled rhel-import-state.service static rhel-loadmodules.service static rhel-readonly.service static rsyslog.service enabled serial-getty@.service disabled sshd-keygen.service static sshd.service enabled sshd@.service static systemd-ask-password-console.service static systemd-ask-password-plymouth.service static systemd-ask-password-wall.service static systemd-backlight@.service static systemd-binfmt.service static systemd-fsck-root.service static systemd-fsck@.service static systemd-halt.service static systemd-hibernate.service static systemd-hostnamed.service static systemd-hybrid-sleep.service static systemd-initctl.service static systemd-journal-flush.service static systemd-journald.service static systemd-kexec.service static systemd-localed.service static systemd-logind.service static systemd-machined.service static systemd-modules-load.service static systemd-nspawn@.service disabled systemd-poweroff.service static systemd-quotacheck.service static systemd-random-seed.service static systemd-readahead-collect.service enabled systemd-readahead-done.service static systemd-readahead-drop.service enabled systemd-readahead-replay.service enabled systemd-reboot.service static systemd-remount-fs.service static systemd-shutdownd.service static 
systemd-suspend.service static systemd-sysctl.service static systemd-timedated.service static systemd-tmpfiles-clean.service static systemd-tmpfiles-setup-dev.service static systemd-tmpfiles-setup.service static systemd-udev-settle.service static systemd-udev-trigger.service static systemd-udevd.service static systemd-update-utmp-runlevel.service static systemd-update-utmp.service static systemd-user-sessions.service static systemd-vconsole-setup.service static teamd@.service static tuned.service enabled wpa_supplicant.service disabled -.slice static machine.slice static system.slice static user.slice static avahi-daemon.socket enabled dbus.socket static dm-event.socket enabled lvm2-lvmetad.socket enabled sshd.socket disabled syslog.socket static systemd-initctl.socket static systemd-journald.socket static systemd-shutdownd.socket static systemd-udevd-control.socket static systemd-udevd-kernel.socket static basic.target static bluetooth.target static cryptsetup.target static ctrl-alt-del.target disabled default.target enabled emergency.target static final.target static getty.target static graphical.target disabled halt.target disabled hibernate.target static hybrid-sleep.target static initrd-fs.target static initrd-root-fs.target static initrd-switch-root.target static initrd.target static kexec.target disabled local-fs-pre.target static local-fs.target static multi-user.target enabled network-online.target static network.target static nss-lookup.target static nss-user-lookup.target static paths.target static poweroff.target disabled printer.target static reboot.target disabled remote-fs-pre.target static remote-fs.target enabled rescue.target disabled rpcbind.target static runlevel0.target disabled runlevel1.target disabled runlevel2.target disabled runlevel3.target disabled runlevel4.target disabled runlevel5.target disabled runlevel6.target disabled shutdown.target static sigpwr.target static sleep.target static slices.target static smartcard.target static 
sockets.target static sound.target static suspend.target static swap.target static sysinit.target static system-update.target static time-sync.target static timers.target static umount.target static systemd-readahead-done.timer static systemd-tmpfiles-clean.timer static 210 unit files listed.
# systemctl --failed UNIT LOAD ACTIVE SUB DESCRIPTION ● spring.service loaded failed failed Spring Boot Application LOAD = Reflects whether the unit definition was properly loaded. ACTIVE = The high-level unit activation state, i.e. generalization of SUB. SUB = The low-level unit activation state, values depend on unit type. 1 loaded units listed. Pass --all to see loaded but inactive units, too. To show all installed unit files use 'systemctl list-unit-files'.
$ systemctl list-units --type=target UNIT LOAD ACTIVE SUB DESCRIPTION basic.target loaded active active Basic System cryptsetup.target loaded active active Encrypted Volumes getty.target loaded active active Login Prompts local-fs-pre.target loaded active active Local File Systems (Pre) local-fs.target loaded active active Local File Systems multi-user.target loaded active active Multi-User System network-online.target loaded active active Network is Online network.target loaded active active Network paths.target loaded active active Paths slices.target loaded active active Slices sockets.target loaded active active Sockets swap.target loaded active active Swap sysinit.target loaded active active System Initialization timers.target loaded active active Timers LOAD = Reflects whether the unit definition was properly loaded. ACTIVE = The high-level unit activation state, i.e. generalization of SUB. SUB = The low-level unit activation state, values depend on unit type. 14 loaded units listed. Pass --all to see loaded but inactive units, too. To show all installed unit files use 'systemctl list-unit-files'.
$ systemctl list-units | more UNIT LOAD ACTIVE SUB DESCRIPTION proc-sys-fs-binfmt_misc.automount loaded active running Arbitrary Executable File Formats File System Automount Point sys-devices-platform-serial8250-tty-ttyS0.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS0 sys-devices-platform-serial8250-tty-ttyS1.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS1 sys-devices-platform-serial8250-tty-ttyS2.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS2 sys-devices-platform-serial8250-tty-ttyS3.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS3 sys-devices-vbd\x2d51728-block-xvdb-xvdb1.device loaded active plugged /sys/devices/vbd-51728/block/xvdb/xvdb1 sys-devices-vbd\x2d51728-block-xvdb.device loaded active plugged /sys/devices/vbd-51728/block/xvdb sys-devices-vbd\x2d768-block-xvda-xvda1.device loaded active plugged /sys/devices/vbd-768/block/xvda/xvda1 sys-devices-vbd\x2d768-block-xvda.device loaded active plugged /sys/devices/vbd-768/block/xvda sys-devices-vif\x2d0-net-eth0.device loaded active plugged /sys/devices/vif-0/net/eth0 sys-devices-vif\x2d1-net-eth1.device loaded active plugged /sys/devices/vif-1/net/eth1 sys-devices-virtual-net-tun0.device loaded active plugged /sys/devices/virtual/net/tun0 sys-module-configfs.device loaded active plugged /sys/module/configfs sys-subsystem-net-devices-eth0.device loaded active plugged /sys/subsystem/net/devices/eth0 sys-subsystem-net-devices-eth1.device loaded active plugged /sys/subsystem/net/devices/eth1 sys-subsystem-net-devices-tun0.device loaded active plugged /sys/subsystem/net/devices/tun0 -.mount loaded active mounted / dev-hugepages.mount loaded active mounted Huge Pages File System dev-mqueue.mount loaded active mounted POSIX Message Queue File System opt.mount loaded active mounted /opt proc-sys-fs-binfmt_misc.mount loaded active mounted Arbitrary Executable File Formats File System proc-xen.mount loaded active mounted 
/proc/xen run-user-0.mount loaded active mounted /run/user/0 sys-kernel-config.mount loaded active mounted Configuration File System sys-kernel-debug.mount loaded active mounted Debug File System brandbot.path loaded active waiting Flexible branding systemd-ask-password-plymouth.path loaded active waiting Forward Password Requests to Plymouth Directory Watch systemd-ask-password-wall.path loaded active waiting Forward Password Requests to Wall Directory Watch session-231.scope loaded active running Session 231 of user root session-571.scope loaded active running Session 571 of user root aegis.service loaded active running LSB: aegis update. agentwatch.service loaded active running SYSV: Starts and stops guest agent cloudmonitor.service loaded active running LSB: @app.long.name@ crond.service loaded active running Command Scheduler dbus.service loaded active running D-Bus System Message Bus exim.service loaded active running Exim Mail Transport Agent getty@tty1.service loaded active running Getty on tty1 gitlab-runsvdir.service loaded active running GitLab Runit supervision process iptables.service loaded active exited IPv4 firewall with iptables jexec.service loaded active exited LSB: Supports the direct execution of binary formats. kmod-static-nodes.service loaded active exited Create list of required static device nodes for the current kernel lvm2-lvmetad.service loaded active running LVM2 metadata daemon lvm2-monitor.service loaded active exited Monitoring of LVM2 mirrors, snapshots etc. 
using dmeventd or progress polling mysqld.service loaded active running MySQL Server network.service loaded active exited LSB: Bring up/down networking nscd.service loaded active running Name Service Cache Daemon ntpd.service loaded active running Network Time Service openvpn@server.service loaded active running OpenVPN Robust And Highly Flexible Tunneling Application On server rhel-dmesg.service loaded active exited Dump dmesg to /var/log/dmesg rhel-import-state.service loaded active exited Import network configuration from initramfs rhel-readonly.service loaded active exited Configure read-only root support rsyslog.service loaded active running System Logging Service --More--
# service nginx Usage: nginx {start|stop|restart|condrestart|try-restart|force-reload|upgrade|reload|status|help|configtest} # service nginx stop # service nginx start # service nginx restart
[ ] NetworkManager 自动在多种网络连接中进行转换,如果你的电脑有Wireless WiFi 和 Ethernet多种网络连接类型的话,可以选择开启。 [ ] acpid (Advanced Configuration and Power Interface)是为替代传统的APM电源管理标准而推出的新型电源管理标准。通常笔记本电脑需要启动电源进行管理。 [*] anacron 自动化运行任务守护进程 [*] atd 自动化运行任务守护进程 [ ] auditd 审核信息,将消息写入控制台以及 audit_warn 电子邮件别名。用于存放内核生成的系统审查记录,这些记录会被一些程序使用。特别是对于SELinux用户来说。 [ ] autofs 自动挂载/卸载文件系统服务,可以自动挂载想访问但还未挂载的文件系统,自动卸载长期不访问的文件系统,自动安装管理进程automount,与NFS 相关,依赖于NIS [ ] avahi-daemon Zeroconf service discovery守护进程,Avahi是zeroconf协议的实现。它可以在没有DNS服务的局域网里发现基于zeroconf协议的设备和服务。它跟mDNS一样。除非你有兼容的设备或使用 zeroconf 协议的服务,否则就可以关闭。 [ ] avahi-dnsconfd /etc/avahi/dnsconf.action脚本守护进程 [ ] bluetooth 蓝牙 [ ] conman 控制台管理 [ ] cpuspeed 监测系统空闲百分比,降低或加快CPU时钟速度和电压 [*] crond 一个传统的UNIX程序crontab,可以周期地运行用户调度的任务。 [ ] cups 通用UNIX打印守护进程,(Common UNIX Printing System)公共UNIX打印支持,为Linux提供打印功能。 安装打印机时需要的服务。 [ ] dnsmasq Dns cache server守护进程 [ ] dund 蓝牙拨号网络 [ ] firstboot 安装完之后的用户配置向导,用于第一次设置系统 [ ] gpm 为文本模式下的Linux程序提供鼠标支持、拷贝、粘贴操作、弹出式菜单 [ ] haldaemon 硬件监控系统 [ ] hidd 蓝牙H.I.D.服务器 [ ] httpd Apache服务器 [ ] ip6tables 防火墙守护进程 [*] iptables 防火墙守护进程 [ ] irda 红外端口守护进程 [*] irqbalance 多系统处理器环境下的系统中断请求进行负载平衡,单CPU无用 [ ] kudzu 硬件自动检测程序,如不增加新硬件,可以关闭 [ ] lvm2-monitor LVM2 mirror devices守护进程 [ ] mcstrans SELinux Context Translation System Daemon [ ] mdmonitor RAID相关设备的守护程序 [ ] mdmpd RAID相关设备的守护程序 [*] messagebus 事件监控服务,在必要时向所有用户发送广播信息 [ ] microcode_ctl 可编码以及发送新微代码到内核以更新Intel IA32系列处理器守护进程 [ ] multipathd Manage device-mapper multipath devices [ ] netconsole Initializes network console logging [ ] netfs 安装和卸载NFS、SAMBA和NCP网络文件系统 [ ] netplugd 服务监控网络界面,根据信号关闭或启动它,用于手提电脑 [*] network 激活已配置网络接口的脚本程序 [ ] nfs 网络文件系统守护进程 [ ] nfslock NFS文件锁定功能 [ ] nscd 密码与群查找服务 [ ] ntpd 网络时间同步 [ ] oddjobd [ ] pand 蓝牙个人区域网络 [ ] pcscd 智能卡支持 [ ] portmap 用来支持RPC连接,RPC被用于NFS以及NIS 等服务 [ ] psacct 进程审计守护进程 [ ] rawdevices rawdevices to block devices。Oracle数据库使用 [ ] rdisc discovers routers守护进程 [ ] readahead_early 开机内存载入优化 [ ] readahead_later 开机内存载入优化 [ ] restorecond SELinux相关联 [ ] rpcgssd manages RPCSEC GSS contexts for 
the NFSv4 server [ ] rpcidmapd rpcidmapd for NFSv4 that maps user names to UID and GID numbers [ ] rpcsvcgssd rpcsvcgssd manages RPCSEC GSS contexts for the NFSv4 server [ ] saslauthd 使用SASL的认证守护进程 [*] sendmail 邮件服务器sendmail守护进程 [*] smartd 监控硬盘故障 [*] sshd OpenSSH服务器守护进程 [*] syslog 系统日志 [ ] winbind 用于Samba服务器 [ ] wpa_supplicant 无线设备支持 [ ] xfs X Window字型服务器守护进程,为本地和远程X服务器提供字型集 [ ] ypbind 为NIS客户机激活ypbind服务进程 [ ] yum-updatesd RPM操作系统自动升级和软件包管理守护进程
chkconfig acpid off
[root@development ~]# chkconfig --add mysqld [在服务清单中添加mysql服务] [root@development ~]# chkconfig mysqld on [设置mysql服务开机启动] [root@development ~]# chkconfig --list mysqld [查看mysql在各运行级别的启动设置] mysqld 0:off 1:off 2:on 3:on 4:on 5:on 6:off
chkconfig --level 3 mysqld on chkconfig --level 3 mysqld off
# yum -y install xinetd
# yum install -y tftp-server tftp
/etc/xinetd.d/tftp
# vim /etc/xinetd.d/tftp # default: off # description: The tftp server serves files using the trivial file transfer \ # protocol. The tftp protocol is often used to boot diskless \ # workstations, download configuration files to network-aware printers, \ # and to start the installation process for some operating systems. service tftp { socket_type = dgram protocol = udp wait = yes user = root server = /usr/sbin/in.tftpd server_args = -s /tftpboot disable = yes per_source = 11 cps = 100 2 flags = IPv4 }
将 disable = yes 改为 disable = no
mkdir /tftpboot /etc/init.d/xinetd restart
# yum install -y atftp-server atftp
/etc/xinetd.d/tftp
# cat /etc/xinetd.d/tftp # default: off # description: The tftp server serves files using the trivial file transfer protocol. The tftp protocol is often used to boot diskless workstations, download configuration files to network-aware printers, and to start the installation process for some operating systems. service tftp { disable = no socket_type = dgram protocol = udp wait = yes user = root server = /usr/sbin/in.tftpd server_args = /tftpboot per_source = 11 cps = 100 2 flags = IPv4 }
atftp-server 是一个可以不依赖 xinetd 独立运行的 tftp 服务器
# vim /etc/xinetd.d/rsync # default: off # description: The rsync server is a good addition to an ftp server, as it \ # allows crc checksumming etc. service rsync { disable = no socket_type = stream wait = no user = root server = /usr/bin/rsync server_args = --daemon log_on_failure += USERID }
/etc/xinetd.d/rsh
# cat /etc/xinetd.d/rsh # default: on # description: The rshd server is the server for the rcmd(3) routine and, \ # consequently, for the rsh(1) program. The server provides \ # remote execution facilities with authentication based on \ # privileged port numbers from trusted hosts. service shell { socket_type = stream wait = no user = root log_on_success += USERID log_on_failure += USERID server = /usr/sbin/in.rshd disable = no }
访问权限配置(/etc/hosts.allow 与 /etc/hosts.deny)
# cat /etc/hosts.allow # # hosts.allow This file describes the names of the hosts which are # allowed to use the local INET services, as decided # by the '/usr/sbin/tcpd' server. # in.rshd : your.example.com 192.168.0.1
# cat /etc/hosts.deny # # hosts.deny This file describes the names of the hosts which are # *not* allowed to use the local INET services, as decided # by the '/usr/sbin/tcpd' server. # # The portmap line is redundant, but it is left to remind you that # the new secure portmap uses hosts.deny and hosts.allow. In particular # you should know that NFS uses portmap! all : all
访问主机设置(~/.rhosts)
# cat ~/.rhosts your.example.com user 192.168.0.1 user
# rpcinfo -p 192.168.187.75 program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100024 1 udp 697 status 100024 1 tcp 700 status 100011 1 udp 864 rquotad 100011 2 udp 864 rquotad 100011 1 tcp 867 rquotad 100011 2 tcp 867 rquotad 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 100003 4 udp 2049 nfs 100003 2 tcp 2049 nfs 100003 3 tcp 2049 nfs 100003 4 tcp 2049 nfs 100021 1 udp 32778 nlockmgr 100021 3 udp 32778 nlockmgr 100021 4 udp 32778 nlockmgr 100021 1 tcp 35837 nlockmgr 100021 3 tcp 35837 nlockmgr 100021 4 tcp 35837 nlockmgr 100005 1 udp 880 mountd 100005 1 tcp 883 mountd 100005 2 udp 880 mountd 100005 2 tcp 883 mountd 100005 3 udp 880 mountd 100005 3 tcp 883 mountd
禁用 SELinux:编辑 /etc/selinux/config,修改如下内容:
SELINUX=disabled
或使用以下命令查看并临时切换 SELinux 模式(重启后以 /etc/selinux/config 中的设置为准):
getenforce setenforce 0
lokkit --selinux=disabled
原文出处:Netkiller 系列 手札
本文作者:陈景峯
转载请与作者联系,同时请务必标明文章原始出处和作者信息及本声明。