====== Systemeinstellungen bei CentOS 7 ======
Jeder CentOS 7-Server mit Minimal-Installation aufgesetzt
* Min RAM: 1536MB
* Tastatur: Deutsch
* kdump disabled
==== zusätzliche Pakete ====
* acpid
* bash-completion
* epel-release
* rsync
* vim
* wget
* xinetd
==== SELinux ====
Bei internen Servern wird SELinux von enforcing auf disabled umgestellt. Reboot erforderlich.
[root@server]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
==== Useranlage ====
[root@virtserv]# useradd -u 1010 -m backuppc
[root@virtserv]# su - backuppc
[backuppc@virtserv ~]$ scheffe@backuppc4
The authenticity of host 'backuppc4 (192.168.13.41)' can't be established.
ECDSA key fingerprint is SHA256:kbl36qOtGqCKzFTf9shprve4bw3LemJCfGTfY9Iy/R4.
ECDSA key fingerprint is MD5:a5:32:de:b1:72:4c:c2:c6:f3:68:15:95:ce:0f:57:1d.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
[backuppc@virtserv ~]$ cd .ssh/
[backuppc@virtserv .ssh]$ vi authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArYzOt9RYxEvLeZ2s1pr94f1AaS6ebhol3fi+oZasUBIJezVK29dX6t+i+U0cejxr+mR8wCHfQHB02iOyxQ6fk0jn119UuViqFwSVpTIpQRl61MoZFnpThbwHihPsmggHATnuGn7V0F5ZN/9szh2OZDuqnP3rS7e7kr/wqgwNqcoBTSZSCv88WPR8k4sdNdqWS9WruEUVIwtMbwz/NH0OVpOYvDWi4LzLVhc9rTLTU1ShfpEQDbrv5Lhfcl273eHpXdF1eH3SlqhJbciRuFR9sL6pUsSXFUncuGQOK8xBx9nt4D5qEuPX2Lhf/3MXcgld1CeafaXJK5N47cTLc7BFgw== backuppc@backup.lan.klotzbuecher.biz
[backuppc@virtserv .ssh]$ chmod 600 authorized_keys
==== SSH ====
in /etc/ssh/sshd_config
# no default banner path
#Banner none
auf folgendes ändern:
# no default banner path
Banner /etc/issue.net
In /etc/issue.net geben wir einen Hinweistext aus, der beim Login per SSH erscheint.
[root@server ~]# cat /etc/issue.net
##############################################################################
# #
# This is a private home server. #
# #
# Unauthorized access to this system is prohibited ! #
# #
# This system is actively monitored and all connections may be logged. #
# By accessing this system, you consent to this monitoring. #
# #
##############################################################################
==== Postfix ====
folgendes in /etc/postfix/main.cf am Ende hinzufügen. Dadurch kann der Server Mails am Mailserver einwerfen, jedoch keine empfangen.
mydomain = lan.klotzbuecher.biz
myhostname = server.lan.klotzbuecher.biz
myorigin = $mydomain
mynetworks = 127.0.0.0/8
smtp_generic_maps = hash:/etc/postfix/generic
smtp_tls_security_level = may
relayhost = mailserv.lan.klotzbuecher.biz
==== Sudoers ====
[root@server ~]# visudo -f /etc/sudoers.d/backuppc
# Allows backuppc to do backups and restores
# BackupPC 3
#backuppc ALL=NOPASSWD: /usr/bin/rsync --server *
# BackupPC 4
backuppc ALL=NOPASSWD: /usr/bin/rsync *
==== vim ====
Globale Einstellungen für vim können in der /etc/vim/vimrc durcgeführt werden.
Passt die Farben für dunklen Hintergrund an.
set background=dark
==== Repo ====
Für die CentOS7-Repos Base, Updates, Extras sowie für das Epel-Repo gibt es einen lokalen Spiegel. Um den lokalen Spiegel nutzen zu können, müssen die repo-Dateien angepaßt werden.
[root@server ~]# more /etc/yum.repos.d/CentOS-Base.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-$releasever - Base (local)
baseurl=http://repo.lan.klotzbuecher.biz/repos/CentOS/7/os/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#released updates
[updates]
name=CentOS-$releasever - Updates (local)
baseurl=http://repo.lan.klotzbuecher.biz/repos/CentOS/7/updates/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras (local)
baseurl=http://repo.lan.klotzbuecher.biz/repos/CentOS/7/extras/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
[root@server ~]# more /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://repo.lan.klotzbuecher.biz/repos/epel/7/
enabled=1
gpgcheck=1
gpgkey=http://repo.lan.klotzbuecher.biz/repos/epel/RPM-GPG-KEY-EPEL-$releasever
==== Firewall ====
Port 6556 für Überwachung
[root@virtserv]# firewall-cmd --add-port=6556/tcp
[root@virtserv]# firewall-cmd --permanent --add-port=6556/tcp
==== xinetd ====
Zugriff von check_mk beschränken
==== bashrc ====