[Linux] What should I do when I get a Linux virtual machine?

Introduction

Many of us install a Linux virtual machine on our own computer to play with, and then, right after the installation, have no idea what to do next. This article addresses exactly that: it walks through the first few changes worth making after installing Linux so that you quickly end up with a locally usable environment.

The distribution demonstrated in this article is CentOS 7.9, installed from the official CentOS-7-x86_64-Minimal-2009 image (the minimal install), running under VMware 16.2.3 build-19376536. The whole process is very simple and suitable for beginners.

1. Steps

1.1 Virtual Machine Connection

Log in to the Linux VM through the virtual machine console, switch to root, and edit the SSH server configuration with sudo vi /etc/ssh/sshd_config. Be careful to edit the right file: sshd_config (the server), not ssh_config (the client).

 sudo vi /etc/ssh/sshd_config
# Change the port
Port 10022
# Since this is a fresh Linux VM, keep port 22 for now and remove it only once you can
# log in normally on 10022; otherwise, if 10022 does not work, you are locked out
# (not fatal on a VM, since you still have the console)
Port 22
# Do not allow root login (an unwritten rule). Note the syntax: "keyword value" with a
# space, not "PermitRootLogin: no"; a colon makes sshd reject the file on restart.
PermitRootLogin no

1.2 Prohibit root login

Run vi /etc/ssh/sshd_config, find the line #PermitRootLogin yes, and change the yes to no.

Remember to remove the leading # comment marker as well; after that, root can no longer log in remotely. Normally you log in with an ordinary account and switch with su root (or use sudo) only when root is actually needed.

You can also create a user with sudo privileges for managing your own virtual machine (described below). In short, do not log in directly as root.

vi has no syntax highlighting; for a more readable view of configuration files, install vim: yum install vim -y.

To emphasise it once more: the very first thing to do after getting a machine is to disable remote root login, whether it is a local Linux VM or a real server.

 # Do not allow root login
PermitRootLogin no

[Screenshot: sshd_config after changing the port and disabling root login]

If you cannot find the option, check that you are editing sshd_config (the server configuration) and not ssh_config (the client configuration)!

1.3 Change the login port (ssh)

Opening the new port only at runtime (the firewall-cmd shortcut discussed below) is not recommended; what follows is the way to change the configuration file so that the change is permanent.

Because this is your own local VM, you can save yourself trouble by turning off the firewall, so that you do not have to open ports every time. On anything reachable by other people, open only the new port instead (see 1.4).

 vi /etc/ssh/sshd_config

Add the port you need: remove the # from #Port 22 and add Port 10022 on a new line below it. If you would rather replace the port than add one, still keep port 22 until you have confirmed that you can log in on the new port, and only then remove it.

Also bear in mind that 443 is used by HTTPS, 3128 by Squid, and ports below 10000 are heavily used in general.

For your own use, pick a high port in the range 10000-65535 (65535 is the maximum); there will basically be no conflicts with middleware or other services.

For ports used by your own programs, it also helps to prefix a 1 to the usual four-digit port (8080 becomes 18080, for example), which practically guarantees there is no conflict.

After editing, you must restart the ssh service with systemctl restart sshd.service, or reboot the VM. Run sshd -t first to syntax-check the file, and keep your existing session open until a fresh login on the new port has succeeded.

To see which ports you have opened in the firewall: firewall-cmd --zone=public --list-ports. In my demonstration the firewall is simply turned off, so everything is reachable from outside.

Runtime-only method (not recommended): firewall-cmd --zone=public --add-port=12280/tcp opens the port immediately, but only in the running configuration, and it is gone after a reboot. Adding --permanent writes the rule to the zone file (/etc/firewalld/zones/public.xml) instead, where it survives a reboot but does not take effect until you run firewall-cmd --reload.

The reasons not to recommend it: first, it is easy to forget later what a port was opened for; second, without --permanent the change is lost on restart.

A further reason: when firewall-cmd rewrites the zone XML, any comments you had added to that file by hand are discarded!

Note that after changing the port, connecting from outside will still fail, because SELinux and the firewall also have to be dealt with: by default SELinux only lets sshd bind to port 22 (the ssh_port_t label, so sshd will not even start on 10022 with SELinux enforcing), and firewalld's public zone only allows the ssh service on port 22.
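The three edits from sections 1.1 to 1.3 (keep port 22, add 10022, set PermitRootLogin no), as an added shell example that is not part of the original article. It works on a constructed sample sshd_config in a temporary directory, so it can be run safely anywhere; the function names, the sample file contents and the apply_on_vm helper are my own. apply_on_vm collects the steps the article defers to the SELinux and firewall sections (labelling the port with semanage, opening it in firewalld, checking with sshd -t) and is only meant to be run as root on the actual VM.

```shell
#!/usr/bin/env bash
# Added example: harden a copy of sshd_config the way sections 1.1-1.3 describe.
# Function names, the sample file and apply_on_vm are illustrative, not from the article.
set -eu

# Constructed stand-in for a fresh CentOS 7 sshd_config (NOT a real system file):
# both directives are commented out, exactly the state the article starts from.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#PermitRootLogin yes
#StrictModes yes
PasswordAuthentication yes
EOF
}

# Keep port 22, add the new port, forbid root login. Idempotent: existing Port /
# PermitRootLogin lines (commented or not) are removed first, then the three
# directives are placed at the top, because sshd honours the FIRST occurrence of
# a keyword and ignores later duplicates, and Match blocks must stay at the end.
harden_sshd_config() {
    local file=$1 newport=$2
    sed -e '/^#\{0,1\}Port [0-9][0-9]*$/d' \
        -e '/^#\{0,1\}PermitRootLogin /d' "$file" > "$file.tmp"
    printf 'Port 22\nPort %s\nPermitRootLogin no\n' "$newport" | cat - "$file.tmp" > "$file"
    rm -f "$file.tmp"
}

# Space-separated list of active (uncommented) Port directives, in file order.
active_ports() {
    awk '/^Port /{ printf "%s%s", sep, $2; sep = " " }' "$1"
}

# Returns 0 only if both ports are active and root login is off. The directive
# is "PermitRootLogin no" with a space; "PermitRootLogin: no" would not match
# and would make sshd refuse the file.
check_sshd_config() {
    local file=$1 newport=$2
    grep -qx "Port 22" "$file" &&
    grep -qx "Port $newport" "$file" &&
    grep -qx "PermitRootLogin no" "$file"
}

# What you actually run on the VM, as root, after the file edit. NOT called by
# the demo below. semanage comes from policycoreutils-python on CentOS 7.
apply_on_vm() {
    local newport=$1
    [ "$(id -u)" -eq 0 ] || { echo "apply_on_vm: run as root" >&2; return 1; }
    harden_sshd_config /etc/ssh/sshd_config "$newport"
    sshd -t                                   # syntax check BEFORE restarting
    # Tell SELinux that sshd may bind the new port instead of disabling SELinux
    # (-a fails if the port already carries a label, in which case -m modifies it).
    semanage port -a -t ssh_port_t -p tcp "$newport" 2>/dev/null ||
        semanage port -m -t ssh_port_t -p tcp "$newport"
    firewall-cmd --permanent --add-port="$newport"/tcp && firewall-cmd --reload
    systemctl restart sshd.service
    echo "now log in on port $newport in a NEW session before closing this one"
}

# Demo on a temporary copy.
demo() {
    local dir; dir=$(mktemp -d)
    write_sample_sshd_config "$dir/sshd_config"
    harden_sshd_config "$dir/sshd_config" 10022
    if check_sshd_config "$dir/sshd_config" 10022; then
        echo "ok: ports [$(active_ports "$dir/sshd_config")], root login disabled"
    fi
    rm -rf "$dir"
}
demo
```

Running the script as an ordinary user only touches the temporary copy; on the VM itself you would source it and call apply_on_vm 10022 as root, then test the new port from a second terminal before dropping Port 22.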

1.4 Turn off the Linux host firewall

The basic usage of firewalld is as follows:

 Start:           `systemctl start firewalld`
 Stop:            `systemctl stop firewalld`
 Check status:    `systemctl status firewalld`
 Disable at boot: `systemctl disable firewalld`
 Enable at boot:  `systemctl enable firewalld`

We turn the firewall off here, but this is only acceptable on our own VM; the purpose is to avoid unnecessary trouble while experimenting and learning. In a real production environment it is usually left on.

Cloud providers, on the other hand, usually ship images with this host firewall turned off and put a safety net (security groups) in front of the instance instead.

Steps

Check the status with systemctl status firewalld.

Stop it with systemctl stop firewalld.service.

One pitfall here: systemctl stop firewalld only stops the service for the current boot; after a reboot the firewall starts again automatically. To keep it off permanently you must also run systemctl disable firewalld.service, and systemctl status firewalld confirms the result (it should show inactive and disabled).

1.5 Turn off SELinux

Brief explanation

After the firewall, the next thing to turn off is SELinux. On a throwaway learning VM that is acceptable; on anything else, prefer SELINUX=permissive (denials are logged but not blocked) or simply allow the new SSH port with semanage port -a -t ssh_port_t -p tcp 10022 and leave enforcing on.

 # Note: root privileges required
 vi /etc/selinux/config
# Set SELINUX=disabled to turn it off
SELINUX=disabled

After editing, save with :x, then reboot for the change to take effect. To turn enforcement off for the current session only, use setenforce 0 (check the current mode with getenforce).

Difference between :x and :wq?
 :x   writes the file only if it was modified, so the modification time changes only when something actually changed
 :wq  always writes the file, so the modification time changes even if nothing was changed

Step-by-step explanation

For the permanent method, run vi /etc/selinux/config (root privileges required); the following text appears.

 # This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

By default SELINUX is enforcing; we only need to change that one line:

 SELINUX=disabled

Finally, reboot and check the result with getenforce (it should print Disabled).

1.6 Creating a user with sudo privileges

As root, add a new user and set its password:

 # Add a new user
useradd <username>

# Set the password
passwd <username>
# you are then prompted for the password

To give the new user sudo rights, edit /etc/sudoers as root with visudo, which syntax-checks the file before saving. Do not chmod u+w /etc/sudoers: sudo refuses to run at all if the file is not mode 0440. On CentOS 7 the simplest route is usermod -aG wheel <username>, because the rule %wheel ALL=(ALL) ALL is already enabled in the default sudoers; the hand-written alternative is a line like the last one below.

 ## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 
root    ALL=(ALL)       ALL
zxd     ALL=(ALL)       ALL

Afterwards this user can run commands as root by prefixing them with sudo; sudo prompts for the user's own password.

Such a user can log in from outside and operate relatively safely. Although it has sudo rights, it is still a little less than root: every privileged action is explicit and logged, and root remains the highest-privileged administrator of Linux.

Another approach: a counter-example

The method below dresses an ordinary user in root's clothes, but such a login is then recognised as a root login (sshd decides by UID 0, not by the account name), which conflicts with disabling root login. Bluntly put, you can no longer log in to the system over SSH at all (embarrassing).

From a user-management perspective this is not recommended either, because it is essentially a second copy of root.

Create a new user but give it exactly the same privileges as root; call it a pseudo-root ordinary user, or in other words a system administrator.

We need to perform the following steps:

 # Add a new user
useradd <username>

# Set the password
passwd <username>
# you are then prompted for the password

Next, give the user root's identity; this must be done as root:

 vim /etc/passwd

The first line is root's entry, so we copy its fields onto the new user.

 # First line
root:x:0:0:root:/root:/bin/bash
# Newly added user (normally at the very bottom)
zxd:x:1000:1000:zxd:/home/zxd:/bin/bash

# The edit
# Before (normally at the very bottom)
zxd:x:1000:1000:zxd:/home/zxd:/bin/bash

# After
# Delete this line
# zxd:x:1000:1000:zxd:/home/zxd:/bin/bash
# and add the following line instead
<newusername>:x:0:0:root:/root:/bin/bash

Finally, verify: after su <newusername>, if the prompt shows root, the disguise has succeeded:

 [root@localhost zxd]# su zxd
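Two checks that go with section 1.6, as an added shell example that is not from the article: the correct way to create the sudo user on CentOS 7 through the wheel group, kept in a root-only function, and an audit that finds exactly the kind of disguised UID-0 account the counter-example produces and shows why sshd treats it as root. The sample passwd file is constructed and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example for section 1.6: proper sudo user creation and a UID-0 audit.
# Function names and the sample passwd file are illustrative, not from the article.
set -eu

# Correct approach (needs root; NOT run by the demo below). CentOS 7's default
# /etc/sudoers already contains "%wheel ALL=(ALL) ALL", so wheel membership is
# enough: no hand editing, and never chmod u+w /etc/sudoers (sudo refuses to
# run unless the file is mode 0440).
create_sudo_user() {
    local name=$1
    [ "$(id -u)" -eq 0 ] || { echo "create_sudo_user: run as root" >&2; return 1; }
    useradd -m -G wheel "$name"   # -m creates /home/NAME, -G wheel grants sudo via the wheel rule
    passwd "$name"                # interactive password prompt
    visudo -c                     # syntax-check sudoers; visudo is the safe way to touch that file
}

# Numeric UID of a user in a passwd-format file; empty if the user is absent.
uid_of() {
    awk -F: -v u="$1" '$1 == u { print $3; exit }' "$2"
}

# sshd's PermitRootLogin check keys on UID 0, not on the name "root". This is
# why the counter-example's account is locked out once root login is disabled.
is_uid0() {
    [ "$(uid_of "$1" "$2")" = "0" ]
}

# Audit: every account with UID 0 that is not named root, space-separated.
# A fresh box should print nothing; the counter-example (and many persistence
# tricks) produce a hit.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

demo() {
    local dir; dir=$(mktemp -d)
    # Constructed sample passwd (NOT a real /etc/passwd): a normal user created
    # with useradd, and the "disguised root" line from the counter-example.
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
zxd:x:1000:1000:zxd:/home/zxd:/bin/bash
fakeroot:x:0:0:root:/root:/bin/bash
EOF
    echo "UID-0 accounts besides root: $(uid0_accounts "$dir/passwd")"
    for u in zxd fakeroot; do
        if is_uid0 "$u" "$dir/passwd"; then
            echo "$u: treated as root by sshd, blocked by PermitRootLogin no"
        else
            echo "$u: ordinary user, can still log in and use sudo"
        fi
    done
    rm -rf "$dir"
}
demo
```

Point uid0_accounts at the real /etc/passwd (it is world-readable) on any machine you inherit; anything it prints deserves an explanation.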

1.7 Verification

Here Xshell is used for the test: logging in on port 10022 works, port 22 no longer accepts logins, and root cannot log in.

2. Extended thinking

After completing the basic configuration of the Linux system, you can continue along the following lines; the second half of this list is essentially suggestions for further study:

  • Turn off SELinux.
  • Change the SSH port. Ports below 1024 can only be bound by root. Valid port numbers are 0-65535; commonly used ports that you should avoid occupying include:

    • 443 (SSL/HTTPS);
    • 22 (SSH);
    • 8080;
    • 80 (HTTP);
    • 1433 (SQL Server);
    • 3306 (MySQL);
    • 10022 (our login port after the change);
    • 5022;
  • Disable root login.
  • Create new users and groups and give permissions to the directory.
  • Turn the Linux host firewall back on (iptables on CentOS 6, which is no longer maintained; firewalld on CentOS 7).
  • Mount the hard drive.
  • NFS file sharing.
  • LAN copy.
  • Files are automatically synced.
  • Check server disk space.
  • The shell automatically cleans up the disk.
  • Create soft links and hard links (Windows, Linux).
  • yum local source.
  • Mount the CD-ROM (learn to use a local source for when there is no Internet access).
  • Time setting, time synchronization, time zone modification.
  • Get familiar with common commands.
  • Common software installation.
  • Work through a server security remediation report from a customer's security assessment (or a similar body), or set yourself some hard challenges if possible.

3. Summary

A short and simple article; I hope it is helpful to readers.


Xander