
5月技術考核1


CentOS系統基本設置(考試20分鐘)
1.修改ssh遠程端口為12345,驗證能用12345端口登錄即可。
2.設置開啟CentOS防火墻,並通過tcp的12345和3306端口,只能設置一條規則。
3.在配置文件裏面關閉SELINUX,在不重啟系統的情況下生效。

查看ssh端口,一般是默認的22
[root@mysql200 ~]# netstat -antulp | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1101/sshd
tcp6 0 0 :::22 :::* LISTEN 1101/sshd
修改ssh端口,找到第18行,加一行Port 12345,保存退出。注意:配置文件自身的註釋已提示,在SELinux處於enforcing的系統上,需先執行 semanage port -a -t ssh_port_t -p tcp 12345 讓SELinux允許sshd綁定新端口,否則重啟sshd可能因無法綁定而失敗;同時應先在防火墻放行12345/tcp,再重啟sshd,以免遠程連線中斷。
[root@mysql200 ~]# vim /etc/ssh/sshd_config

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#

#Port 22
Port 12345
#AddressFamily any

#ListenAddress 0.0.0.0
#ListenAddress ::
重啟ssh服務才能生效,再查看端口,修改成功。建議保留當前的ssh會話不要關閉,另開一個新會話用12345端口登錄驗證成功後,再關閉舊連線,避免配置有誤時把自己鎖在系統外。
[root@mysql200 ~]# systemctl restart sshd
[root@mysql200 ~]# netstat -antulp | grep sshd
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 3463/sshd
tcp6 0 0 :::12345 :::* LISTEN 3463/sshd

查看防火墻狀態
[root@mysql200 ~]# firewall-cmd --state
Running
如果沒開啟就運行
[root@mysql200 ~]# systemctl start firewalld
[root@mysql200 ~]# firewall-cmd --state
Running

防火墻服務預設的安全區域 public、trusted、drop
public 區域:為默認區域,只允許針對本機的 SSH 服務,其他都拒絕
trusted 區域:對本機的任何訪問都被允許
drop 區域:訪問本機的任何數據包都會被拒絕

[root@mysql200 ~]# firewall-cmd --list-all
You're performing an operation over default zone ('trusted'),
but your connections/interfaces are in zone 'public' (see --get-active-zones)
You most likely need to use --zone=public option.

trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
修改默認
[root@mysql200 ~]# firewall-cmd --set-default-zone=public
Success
[root@mysql200 ~]# firewall-cmd --reload
Success
[root@mysql200 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
添加通過tcp的12345和3306端口(一條命令同時帶兩個--add-port即滿足「只能設置一條規則」;--permanent 只寫入永久配置,需要 --reload 後才生效)。注意:在public區域放行3306/tcp意味著任何能到達本機的主機都可以連接MySQL,生產環境應以rich rule限制來源IP。
[root@mysql200 ~]# firewall-cmd --permanent --zone=public --add-port=12345/tcp --add-port=3306/tcp
success
[root@mysql200 ~]# firewall-cmd --reload
success
[root@mysql200 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh dhcpv6-client
ports: 12345/tcp 3306/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

在配置文件裏面關閉SELINUX,在不重啟系統的情況下生效。

修改selinux配置文件,SELINUX=disabled
vim /etc/selinux/config
# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.

SELINUXTYPE=targeted
查看selinux狀態
[root@mysql200 selinux]# getenforce
Enforcing 強制

臨時關閉。注意:setenforce 0 只是把SELinux切換為permissive(寬容)模式,策略仍然載入,違規行為只記錄不攔截;配置文件中的 SELINUX=disabled 要等到重啟後才真正生效,因此下面 getenforce 顯示的是 Permissive 而不是 Disabled。
[root@mysql200 selinux]# setenforce 0
[root@mysql200 selinux]# getenforce
Permissive
