Edit the sudoers configuration file directly, or add a file under the sudoers.d directory.
-r--r----- 1 root root 4463 Aug 5 10:37 sudoers
drwxr-x---. 2 root root 6 Apr 20 2022 sudoers.d
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:   # configuration edits in the sudoers file
##
## user MACHINE = (runas) COMMANDS
## # user granted the privilege   host logged in on = (user to run as)   commands allowed
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
ma ALL=(root) /usr/bin/mount /dev/cdrom /mnt/,/usr/bin/umount /mnt
ma ALL= /bin/cat /var/log/vmware-network*
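A small audit of rules in the `user HOST=(runas) COMMANDS` form shown above, added here as an example and not part of the original notes: it parses the three rules from the file (plus one constructed broad rule) and flags what a reviewer looks for first, unrestricted `ALL`, `NOPASSWD`, and shell-style wildcards in command arguments (sudo matches those globs itself, so every argument string the pattern covers is allowed). The helper names are my own.

```python
import re
# Constructed input: the three rules from the notes above plus one deliberately
# broad rule, so the audit has something in every category to report.
SUDOERS_RULES = """
root ALL=(ALL) ALL
ma ALL=(root) /usr/bin/mount /dev/cdrom /mnt/,/usr/bin/umount /mnt
ma ALL= /bin/cat /var/log/vmware-network*
ops ALL=(ALL) NOPASSWD: ALL
"""

# user  HOST=(runas) COMMANDS ; the (runas) part is optional
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")

def parse_rule(line):
    """Split one rule into (user, host, runas, [command specs])."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    user, host, runas, cmds = m.groups()
    # An omitted Runas_Spec falls back to runas_default, which is root.
    runas = runas or "root"
    specs = [c.strip() for c in cmds.split(",") if c.strip()]
    return user, host, runas, specs

def audit_rule(line):
    """Return the findings (strings) a reviewer should look at for one rule."""
    parsed = parse_rule(line)
    if parsed is None:
        return ["unparsable rule: " + line.strip()]
    user, _host, runas, specs = parsed
    findings = []
    for spec in specs:
        # Tags such as NOPASSWD: or SETENV: precede the command, colon-separated.
        tags, _, cmd = spec.rpartition(":")
        cmd = cmd.strip()
        if "NOPASSWD" in tags.replace(":", " ").split():
            findings.append(f"{user}: NOPASSWD on '{cmd}'")
        if cmd == "ALL":
            findings.append(f"{user}: may run any command as {runas}")
        elif re.search(r"[*?\[]", cmd):
            # sudo fnmatch()es the arguments, so every string fitting the
            # glob is permitted, not only the one file the author had in mind.
            findings.append(f"{user}: wildcard in '{cmd}' matches more than one path")
    return findings

def audit(text):
    return {l.strip(): audit_rule(l) for l in text.strip().splitlines()}
```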
type control module-path arguments
type: the module type, i.e. the function the module performs
control: how the PAM library handles success or failure of this module for the service; expressed as a single keyword
module-path: the path to the program file that implements the module
arguments: parameters passed to the module
[11:04:07 root@rocky8 ~]#ls /lib64/security/*.so    # module files
/lib64/security/pam_access.so    /lib64/security/pam_group.so      /lib64/security/pam_pwhistory.so       /lib64/security/pam_timestamp.so
/lib64/security/pam_cap.so       /lib64/security/pam_issue.so      /lib64/security/pam_pwquality.so       /lib64/security/pam_tty_audit.so
/lib64/security/pam_chroot.so    /lib64/security/pam_keyinit.so    /lib64/security/pam_rhosts.so          /lib64/security/pam_umask.so
/lib64/security/pam_console.so   /lib64/security/pam_lastlog.so    /lib64/security/pam_rootok.so          /lib64/security/pam_unix_acct.so
/lib64/security/pam_cracklib.so  /lib64/security/pam_limits.so     /lib64/security/pam_securetty.so       /lib64/security/pam_unix_auth.so
/lib64/security/pam_debug.so     /lib64/security/pam_listfile.so   /lib64/security/pam_selinux_permit.so  /lib64/security/pam_unix_passwd.so
/lib64/security/pam_deny.so      /lib64/security/pam_localuser.so  /lib64/security/pam_selinux.so         /lib64/security/pam_unix_session.so
/lib64/security/pam_echo.so      /lib64/security/pam_loginuid.so   /lib64/security/pam_sepermit.so        /lib64/security/pam_unix.so
/lib64/security/pam_env.so       /lib64/security/pam_mail.so       /lib64/security/pam_shells.so          /lib64/security/pam_userdb.so
/lib64/security/pam_exec.so      /lib64/security/pam_mkhomedir.so  /lib64/security/pam_sss_gss.so         /lib64/security/pam_usertype.so
/lib64/security/pam_faildelay.so /lib64/security/pam_motd.so       /lib64/security/pam_sss.so             /lib64/security/pam_warn.so
/lib64/security/pam_faillock.so  /lib64/security/pam_namespace.so  /lib64/security/pam_stress.so          /lib64/security/pam_wheel.so
/lib64/security/pam_filter.so    /lib64/security/pam_nologin.so    /lib64/security/pam_succeed_if.so      /lib64/security/pam_xauth.so
/lib64/security/pam_ftp.so       /lib64/security/pam_permit.so     /lib64/security/pam_systemd.so
/lib64/security/pam_google_authenticator.so  /lib64/security/pam_postgresok.so  /lib64/security/pam_time.so

[11:04:23 root@rocky8 ~]#ls /etc/pam.d/    # per-program PAM configuration files used by system programs
atd   chsh         crond             login  passwd         polkit-1   remote   runuser-l        smtp          sshd              su    sudo-i  system-auth   vlock
chfn  config-util  fingerprint-auth  other  password-auth  postlogin  runuser  smartcard-auth   smtp.postfix  sssd-shadowutils  sudo  su-l    systemd-user  vmtoolsd

[11:09:53 root@rocky8 ~]#ls /etc/security/    # module-specific configuration files
access.conf  console.apps      console.perms    faillock.conf  limits.conf  namespace.conf  namespace.init  pam_env.conf   pwquality.conf.d  time.conf
chroot.conf  console.handlers  console.perms.d  group.conf     limits.d     namespace.d     opasswd         pwquality.conf sepermit.conf

[11:11:51 root@rocky8 ~]#vim /etc/pam.d/sshd    # module configuration in detail
#%PAM-1.0
#type      control     module-path        arguments    (module type, control flag, module path, arguments)
auth       substack    password-auth
auth       include     postlogin
account    required    pam_sepermit.so
account    required    pam_nologin.so
account    include     password-auth
password   include     password-auth
# pam_selinux.so close should be the first session rule
session    required    pam_selinux.so close
session    required    pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required    pam_selinux.so open env_params
session    required    pam_namespace.so
session    optional    pam_keyinit.so force revoke
session    optional    pam_motd.so
session    include     password-auth
session    include     postlogin
[11:41:42 root@rocky8 ~]#yum -y install chrony    # install the chrony service first
Last metadata expiration check: 2:25:24 ago on Sat 05 Aug 2023 09:16:32 AM CST.
Package chrony-4.1-1.el8.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

# Server side
[11:41:57 root@rocky8 ~]#vim /etc/chrony.conf    # enable time serving on the server
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#pool 2.pool.ntp.org iburst
server ntp.aliyun.com iburst
server time1-5.cloud.tencent.com iburst
server ntp1-7.aliyun.com iburst

# Allow NTP client access from local network.
#allow 192.168.0.0/16
allow 10.0.0.0/24    # subnet allowed to synchronize with this server

# Serve time even if not synchronized to a time source.
local stratum 10    # keep serving time to clients even when the Internet is unreachable

[11:50:11 root@rocky8 ~]#systemctl restart chronyd    # restart the service

# Client side
[11:51:17 root@rocky8 ~]#vim /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#pool 2.pool.ntp.org iburst
server 10.0.0.8 iburst    # the client uses the server's address as its synchronization target

[11:56:10 root@rocky8 ~]#systemctl restart chronyd    # restart the service
[11:56:27 root@rocky8 ~]#chronyc sources -v
  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current best, '+' = combined, '-' = not combined,
| /             'x' = may be in error, '~' = too variable, '?' = unusable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.0.0.8                      3   6    17     6   -955ns[  -43us] +/-   30ms    # ^* means synchronization succeeded
In essence, a CDN provides a domain name that resolves to the nearest server and forwards requests.
1. The user enters a domain name in the browser. Finding no local DNS cache entry on this first visit, the browser asks the web site's DNS server.
2. The site's DNS resolution is configured with a CNAME, so the request is directed to the intelligent DNS load-balancing system inside the CDN network.
3. The intelligent DNS load-balancing system resolves the domain name and returns the IP of the node with the fastest response for this user.
4. The user sends the request to that IP node (the CDN server).
5. Since this is the first visit, the CDN server uses the cache's internal dedicated DNS to resolve the origin web site's IP, sends the request to the origin server, and caches the content on the CDN server.
6. The result of the request is returned to the user.
# Configure the IP address on each machine
[13:20:11 root@rocky8 ~]#ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:92:cf:ce brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.8/24 brd 10.0.0.255 scope global noprefixroute eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:92:cf:d8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.8/24 brd 192.168.10.255 scope global noprefixroute eth1
[13:06:07 root@centos7 ~]#ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:e9:e6:bc brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.7/24 brd 10.0.0.255 scope global noprefixroute eth0
[13:19:44 root@rocky8 ~]#ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:7f:6a:1b brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.7/24 brd 192.168.10.255 scope global noprefixroute eth0

# On the DNS server
[13:23:43 root@rocky8 ~]#vim /etc/named.conf
acl beijingnet { 10.0.0.0/24; };
acl shanghainet { 192.168.10.0/24; };
acl othernet { any; };
//      listen-on port 53 { 127.0.0.1; };    # commented out
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
//      allow-query     { localhost; };    # commented out
view beijingview {
    match-clients { beijingnet; };
    include "/etc/named.rfc1912.zones.bj";
};
view shanghaiview {
    match-clients { shanghainet; };
    include "/etc/named.rfc1912.zones.sh";
};
view otherview {
    match-clients { othernet; };
    include "/etc/named.rfc1912.zones.other";
};
# When views are used, no zone statement may appear outside a view, so the zone definitions below are moved into the matching /etc/named.rfc1912.zones.* data files.

# Configure the corresponding zone files
[13:46:01 root@rocky8 ~]#vim /etc/named.rfc1912.zones.bj
zone "." IN {
        type hint;
        file "named.ca";
};
zone "mazhuobo.com" IN {
        type master;
        file "mazhuobo.com.zone.bj";
};
[13:49:18 root@rocky8 ~]#vim /etc/named.rfc1912.zones.sh
zone "." IN {
        type hint;
        file "named.ca";
};
zone "mazhuobo.com" IN {
        type master;
        file "mazhuobo.com.zone.sh";
};
[13:52:24 root@rocky8 ~]#vim /etc/named.rfc1912.zones.other
zone "." IN {
        type hint;
        file "named.ca";
};
zone "mazhuobo.com" IN {
        type master;
        file "mazhuobo.com.zone.other";
};
[13:53:52 root@rocky8 ~]#ll /etc/named.rfc1912.zones.*
-rw-r----- 1 root root 1177 Aug 5 13:49 /etc/named.rfc1912.zones.bj
-rw-r----- 1 root root 1186 Aug 5 13:53 /etc/named.rfc1912.zones.other
-rw-r----- 1 root root 1176 Aug 5 13:52 /etc/named.rfc1912.zones.sh
# Change their group owner
chgrp named /etc/named.rfc1912.zones.*
[13:54:46 root@rocky8 ~]#ll /etc/named.rfc1912.zones.*
-rw-r----- 1 root named 1177 Aug 5 13:49 /etc/named.rfc1912.zones.bj
-rw-r----- 1 root named 1186 Aug 5 13:53 /etc/named.rfc1912.zones.other
-rw-r----- 1 root named 1176 Aug 5 13:52 /etc/named.rfc1912.zones.sh

# Configure the zone database files
[13:54:48 root@rocky8 ~]#vim /var/named/mazhuobo.com.zone.bj
$TTL 1D
@       IN SOA  master admin.mazhuobo.com. (
                                        2023080510 ; serial
                                        1D         ; refresh
                                        1H         ; retry
                                        1W         ; expire
                                        3H )       ; minimum
        NS      master
master  A       10.0.0.8
websrv  A       10.0.0.7
www     CNAME   websrv
[14:00:57 root@rocky8 ~]#vim /var/named/mazhuobo.com.zone.sh
$TTL 1D
@       IN SOA  master admin.mazhuobo.com. (
                                        2023080510 ; serial
                                        1D         ; refresh
                                        1H         ; retry
                                        1W         ; expire
                                        3H )       ; minimum
        NS      master
master  A       10.0.0.8
websrv  A       192.168.10.7
www     CNAME   websrv
[14:08:18 root@rocky8 ~]#vim /var/named/mazhuobo.com.zone.other
$TTL 1D
@       IN SOA  master admin.mazhuobo.com. (
                                        2023080510 ; serial
                                        1D         ; refresh
                                        1H         ; retry
                                        1W         ; expire
                                        3H )       ; minimum
        NS      master
master  A       10.0.0.8
websrv  A       127.0.0.1
www     CNAME   websrv
[14:07:17 root@rocky8 ~]#ll /var/named/mazhuobo.com.zone.*
-rw-r--r-- 1 root root 340 Aug 5 13:59 /var/named/mazhuobo.com.zone.bj
-rw-r--r-- 1 root root 338 Aug 5 14:06 /var/named/mazhuobo.com.zone.other
-rw-r--r-- 1 root root 212 Aug 5 14:05 /var/named/mazhuobo.com.zone.sh
# Change their group owner
chgrp named /var/named/mazhuobo.com.zone.*
[14:09:35 root@rocky8 ~]#ll /var/named/mazhuobo.com.zone.*
-rw-r--r-- 1 root named 340 Aug 5 13:59 /var/named/mazhuobo.com.zone.bj
-rw-r--r-- 1 root named 340 Aug 5 14:08 /var/named/mazhuobo.com.zone.other
-rw-r--r-- 1 root named 212 Aug 5 14:05 /var/named/mazhuobo.com.zone.sh

# Restart the server
systemctl restart named

# Install httpd on the web servers
[14:51:25 root@rocky8 ~]#yum install httpd -y
# Write the content on each server (* stands for Beijing, Shanghai or Other)
echo www.mazhuobo.com in * > /var/www/html/index.html
# Restart the service
systemctl restart httpd

# Test; make sure the gateway is correct first
# 10.0.0.8
[15:03:35 root@rocky8 ~]#cat /etc/resolv.conf
# Generated by NetworkManager
search mazhuobo
nameserver 192.168.10.2
[15:03:37 root@rocky8 ~]#curl www.mazhuobo.com
www.mazhuobo.com in Other
# 10.0.0.28
[15:00:47 root@rocky8 ~]#cat /etc/resolv.conf;
# Generated by NetworkManager
search mazhuobo
nameserver 10.0.0.8
[15:00:51 root@rocky8 ~]#curl www.mazhuobo.com
www.mazhuobo.com in Beijing
# 192.168.10.6
[15:01:27 root@rocky8 ~]#cat /etc/resolv.conf
# Generated by NetworkManager
search mazhuobo
nameserver 192.168.10.8
[15:01:46 root@rocky8 ~]#curl www.mazhuobo.com
www.mazhuobo.com in Shanghai
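A model of how the three views above choose an answer for www.mazhuobo.com, added here as an example and not part of the original notes. It reproduces the BIND rule that views are tried in named.conf order and the first match-clients ACL containing the client address wins, which is why the `any` view must be listed last; the view list and zone records are transcribed from the configuration above and the function names are my own.

```python
import ipaddress

# Constructed from /etc/named.conf above: (view, match-clients networks), in
# file order. acl othernet { any; } is the 0.0.0.0/0 catch-all.
VIEWS = [
    ("beijingview", ["10.0.0.0/24"]),
    ("shanghaiview", ["192.168.10.0/24"]),
    ("otherview", ["0.0.0.0/0"]),
]

# Constructed from the three mazhuobo.com.zone.* files (relative owner names).
ZONES = {
    "beijingview":  {"master": ("A", "10.0.0.8"), "websrv": ("A", "10.0.0.7"),
                     "www": ("CNAME", "websrv")},
    "shanghaiview": {"master": ("A", "10.0.0.8"), "websrv": ("A", "192.168.10.7"),
                     "www": ("CNAME", "websrv")},
    "otherview":    {"master": ("A", "10.0.0.8"), "websrv": ("A", "127.0.0.1"),
                     "www": ("CNAME", "websrv")},
}

def select_view(client_ip, views=VIEWS):
    """First view whose match-clients ACL contains client_ip wins, as in BIND."""
    addr = ipaddress.ip_address(client_ip)
    for name, nets in views:
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return name
    return None  # no view matched: named would refuse the query

def resolve_a(client_ip, owner, views=VIEWS, zones=ZONES):
    """Answer an A query for owner from the client's view, following CNAMEs."""
    view = select_view(client_ip, views)
    if view is None:
        return None
    records, seen = zones[view], set()
    while owner in records and owner not in seen:
        seen.add(owner)  # guards against a CNAME loop
        rtype, data = records[owner]
        if rtype == "A":
            return data
        owner = data  # CNAME: restart the lookup at its target
    return None
```

Passing `views=list(reversed(VIEWS))` makes every client land in otherview, the failure you get when the catch-all view is placed first.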
Iterative query: the lookup for the target address first goes to the DNS proxy (caching) resolver; if the proxy has no record either it asks >> the root servers; if the root has none, >> the .com name servers; if those have none, >> the second-level domain name servers >> iterating in turn >> until the name is resolved and returned.
Recursive query: the DNS proxy resolver is consulted, finds the address in its cache and returns it directly.
INPUT,OUTPUT,FORWARD,PREROUTING,POSTROUTING
Inbound to this host: PREROUTING --> INPUT --> user-space process
Outbound from this host: user-space process --> OUTPUT --> POSTROUTING
Forwarded: PREROUTING --> FORWARD --> POSTROUTING
filter: the packet-filtering rule table; filters packets that match predefined rules; the default table
nat: network address translation rule table
mangle: rule table for modifying packet mark bits
raw: disables connection tracking so that packets traverse the firewall faster
security: rules for mandatory access control (MAC) of network traffic, implemented by a Linux security module such as SELinux
### Priority, from highest to lowest
security --> raw --> mangle --> nat --> filter
[09:44:45 root@rocky8 ~]#iptables -A INPUT ! -s 192.168.0.0/24 -p tcp --dport 5000:6000 -j REJECT
[10:15:36 root@rocky8 ~]#firewall-cmd --add-port=5000-6000/tcp
success
[10:15:49 root@rocky8 ~]#firewall-cmd --list-port
5000-6000/tcp
[10:16:37 root@rocky8 ~]#firewall-cmd --add-source=192.168.0.0/24
success
[10:16:42 root@rocky8 ~]#firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 192.168.0.0/24
  services: cockpit dhcpv6-client ssh
  ports: 5000-6000/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[10:22:43 root@rocky8 ~]#firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.0.0/24 port port=5000-6000 protocol=tcp accept'
success
# First create a table
[10:33:47 root@rocky8 ~]#nft add table inet test_table
# Create a chain in the table
[10:36:40 root@rocky8 ~]#nft add chain inet test_table test_filter_input_chain {type filter hook input priority 0 \; }
# Add rules
[10:46:50 root@rocky8 ~]#nft add rule inet test_table test_filter_input_chain ip saddr 10.0.0.1 accept
[10:53:16 root@rocky8 ~]#nft add rule inet test_table test_filter_input_chain ip saddr 192.168.0.0/24 tcp dport 5000-6000 accept
[10:53:24 root@rocky8 ~]#nft add rule inet test_table test_filter_input_chain ip saddr 0.0.0.0/24 tcp dport 5000-6000 reject
# Note: 0.0.0.0/24 matches only sources 0.0.0.0-0.0.0.255; a rule meant to reject every other source needs 0.0.0.0/0
# List the rules
[10:55:39 root@rocky8 ~]#nft list ruleset
table inet test_table {
        chain test_filter_input_chain {
                type filter hook input priority filter; policy accept;
                ip saddr 10.0.0.1 accept
                ip saddr 192.168.0.0/24 tcp dport 5000-6000 accept
                ip saddr 0.0.0.0/24 tcp dport 5000-6000 reject
        }
}
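Evaluating the chain above against sample packets the way nftables does (first matching terminal verdict wins, otherwise the chain policy applies), added here as an example and not part of the original notes. It shows the practical effect of the `0.0.0.0/24` source: TCP 5000-6000 from any other outside address never hits the reject rule and is accepted by policy, whereas a `0.0.0.0/0` catch-all rejects it. The rule and packet representation is my own.

```python
import ipaddress

def rule(saddr, verdict, dport=None):
    """One rule: source network, optional TCP dport range, and its verdict."""
    return {"saddr": ipaddress.ip_network(saddr), "dport": dport, "verdict": verdict}

# test_filter_input_chain exactly as `nft list ruleset` printed it above.
CHAIN_AS_WRITTEN = [
    rule("10.0.0.1", "accept"),
    rule("192.168.0.0/24", "accept", dport=(5000, 6000)),
    rule("0.0.0.0/24", "reject", dport=(5000, 6000)),  # only 0.0.0.0-0.0.0.255
]
# The same chain with a real catch-all (0.0.0.0/0) as the final reject rule.
CHAIN_CATCH_ALL = CHAIN_AS_WRITTEN[:2] + [rule("0.0.0.0/0", "reject", dport=(5000, 6000))]

def matches(r, saddr, dport):
    """True if a TCP packet from saddr to dport matches rule r."""
    if ipaddress.ip_address(saddr) not in r["saddr"]:
        return False
    return r["dport"] is None or r["dport"][0] <= dport <= r["dport"][1]

def verdict(chain, saddr, dport, policy="accept"):
    """nftables semantics: the first matching rule's verdict, else the chain policy."""
    for r in chain:
        if matches(r, saddr, dport):
            return r["verdict"]
    return policy

def compare(saddr, dport):
    """Verdicts of the chain as written and with the catch-all, side by side."""
    return verdict(CHAIN_AS_WRITTEN, saddr, dport), verdict(CHAIN_CATCH_ALL, saddr, dport)
```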
Relational and non-relational databases
Common relational databases:
MySQL: MySQL, MariaDB, Percona Server
PostgreSQL: abbreviated pgsql; EnterpriseDB
Oracle
MSSQL Server
DB2
Common non-relational databases:
redis
MySQL is offered as MySQL Enterprise Edition, MySQL Cluster CGE (cluster edition), and MySQL Community (community edition)
The three main branches of MySQL:
MySQL
MariaDB
Percona Server
Version evolution:
MySQL: 5.1 --> 5.5 --> 5.6 --> 5.7 --> 8.0
MariaDB: 5.1 --> 5.5 --> 10.0 --> 10.1 --> 10.2 --> 10.3 --> 10.4 --> 10.5
An index is a (sorted) data structure that helps MySQL retrieve data efficiently. Besides the data itself, the database system maintains data structures that satisfy specific lookup algorithms and reference (point to) the data in some way, so that advanced query algorithms can be implemented on top of them; such a data structure is an index.
Advantages and disadvantages:
Advantages:
- Faster data retrieval, lowering the database's I/O cost
- Sorting data through the index column lowers the cost of sorting and reduces CPU consumption
Disadvantages:
- An index column also takes up space
- Indexes greatly speed up queries but slow down updates such as INSERT, UPDATE and DELETE
B-tree
Every node holds both pointers and data; the position at which a key is inserted is found by comparing its value with the keys in the nodes. For example, in a B-tree of order 5 each node holds at most 4 keys and 5 pointers.
B-tree animation: B-Tree Visualization (usfca.edu)
B+tree
Only the leaf nodes hold data, and all leaf nodes are linked into a singly linked list.
B+tree animation: B+ Tree Visualization (usfca.edu)
The MySQL hardening script is aimed mainly at versions before MySQL 5.6.
Run the mysql_secure_installation script.
Before MySQL 5.6, it:
sets the password of the database administrator root
disallows remote root login
removes the anonymous user accounts
removes the test database
From version 5.6 onward the hardening script no longer needs to be run.