Chapter 9. Configure and secure openssh service
1. Openssh Client & server config
1) Client - ssh, scp, sftp
- /etc/ssh/ssh_config
- ~/.ssh/config
- ~/.ssh/id_*
- ~/.ssh/known_hosts : file (not a folder) holding the host public keys received from servers already connected to. The first connection is trust-on-first-use, so verify the fingerprint out of band; on later connections ssh compares the server's key against this file and warns loudly if it changed.
2) Server - sshd
- /etc/ssh/sshd_config : port number and the other server-side settings. Relevant lines:
# The default requires explicit activation of protocol 1
#Protocol 2 <---- protocol 2 is already the default; uncommenting only makes it explicit. Never enable protocol 1.
.....
#PermitRootLogin yes <--- remote root login is allowed by default. Set "PermitRootLogin no" and use sudo from an unprivileged account.
.....
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys <---- this file must exist under ~/.ssh of the account being logged into on the server.
(This looks like a client-side setting but is not: sshd reads this file in the target user's home directory to decide which public keys it accepts; the client only holds the private half in ~/.ssh/id_*.)
.......
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes <------- password authentication allowed. Once keys are deployed, set it to "no" so password guessing against sshd no longer works.
.......
# no default banner path
#Banner none
Banner /etc/issue <----- show a banner. /etc/issue is the message displayed at local console login:
(\S
Kernel \r on an \m)
sshd sends the file verbatim; the \S, \r, \m escapes are expanded by agetty, not by sshd, so remote users see them literally. Use a separate banner file for ssh, and keep version and hostname details out of it.
- /etc/ssh/ssh_host_*key* : the server's host key pairs; the public halves are what clients store in known_hosts
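The settings above are the usual audit targets. The following is an added example, not code from the course notes: it reads an sshd_config, reports which of those keywords are still at a weak value, and writes a hardened copy. It relies on two sshd rules: the first occurrence of a keyword wins (so a hardened value must precede any existing line), and a commented-out keyword means the compiled-in default, which on RHEL 7 openssh is "yes" for both PermitRootLogin and PasswordAuthentication. Keywords inside a Match block are conditional and are left untouched. The SAMPLE config is constructed from the lines quoted above; the DEFAULTS table is an assumption about the RHEL 7 build.

```python
"""Audit an sshd_config for weak settings and produce a hardened copy.

sshd uses the FIRST occurrence of a keyword, so hardened lines are placed at the
top and later global occurrences are commented out. Commented-out keywords mean
"compiled-in default"; DEFAULTS below lists those defaults for RHEL 7 openssh.
Settings after a Match line are conditional and are not modelled.
"""
import re

# Compiled-in defaults for the audited keywords (assumed: RHEL 7 openssh).
DEFAULTS = {
    "protocol": "2",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}

# Values a hardened server should end up with (sshd's canonical keyword case).
HARDENED = {
    "Protocol": "2",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "PubkeyAuthentication": "yes",
}
_HARDENED_LC = {k.lower(): v for k, v in HARDENED.items()}

# "Keyword value" or "Keyword=value". A leading '#' fails the match, so comments
# and commented-out keywords are ignored, exactly as sshd ignores them.
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)(?:\s+|\s*=\s*)(\S.*?)\s*$")


def effective_settings(text):
    """lowercase keyword -> the value sshd will use, from the global section only."""
    found = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break                      # everything after this is conditional
        found.setdefault(key, value)   # first occurrence wins
    return found


def audit(text):
    """(keyword, effective value) for every audited setting that is not hardened."""
    eff = effective_settings(text)
    return [(key, eff.get(key, default).lower())
            for key, default in DEFAULTS.items()
            if eff.get(key, default).lower() != _HARDENED_LC[key]]


def harden(text):
    """Hardened copy: hardened keywords first, later global occurrences commented
    out so they cannot shadow them. Every other line is kept as-is."""
    out = ["# hardened settings (sshd uses the first occurrence of a keyword)"]
    out += [f"{key} {value}" for key, value in HARDENED.items()]
    in_match = False
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1).lower() == "match":
            in_match = True
        if m and not in_match and m.group(1).lower() in _HARDENED_LC:
            out.append(f"#{line}   # shadowed by the hardened setting above")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed from the sshd_config lines quoted in the notes above.
SAMPLE = """\
# The default requires explicit activation of protocol 1
#Protocol 2
#PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
Banner /etc/issue
"""

if __name__ == "__main__":
    print("findings:", audit(SAMPLE))
    print(harden(SAMPLE))
```

Before installing the hardened file, check it with `sshd -t -f <file>` and keep an existing session open while you restart sshd: with PasswordAuthentication off, an account whose public key is not yet in authorized_keys is locked out.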
2. Transferring Files
1) sftp : interactive file transfer
2) scp : non-interactive file transfer
scp <source path> <user>@<ip address>:<destination path>
3. Windows clients
1) winscp : scp/sftp
2) Hangul PuTTY (hputty) : http://hputty.org
Chapter 10. Analyzing and storing logs
1. Install the packages needed to create VMs (used later for the remote-logging lab)
yum -y install qemu-kvm virt-manager virt-viewer libvirt
2. Create a partition for the VM images
[root@station7 base]# fdisk /dev/sda
The device presents a logical sector size that is smaller than
the physical sector size. Aligning to a physical sector (or optimal
I/O) size boundary is recommended, or performance may be impacted.
Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): n
Partition type:
p primary (2 primary, 0 extended, 2 free)
e extended
Select (default p): p
Partition number (3,4, default 3): 3
First sector (72706048-976773167, default 72706048): (just press Enter to take the default)
Using default value 72706048
Last sector, +sectors or +size{K,M,G} (72706048-976773167, default 976773167): +100G
Partition 3 of type Linux and of size 100 GiB is set
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
[root@station7 base]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 465.8G 0 disk
├─sda1 8:1 0 500M 0 part /boot
└─sda2 8:2 0 34.2G 0 part
├─vg0-root 253:0 0 8G 0 lvm /
├─vg0-swap 253:1 0 512M 0 lvm [SWAP]
├─vg0-tmp 253:2 0 1G 0 lvm /tmp
└─vg0-var 253:3 0 2G 0 lvm /var
sr0 11:0 1 1024M 0 rom
[root@station7 base]# partprobe /dev/sda ---> make the kernel re-read the changed partition table (the fdisk warning above says it is still using the old one)
[root@station7 base]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 465.8G 0 disk
├─sda1 8:1 0 500M 0 part /boot
├─sda2 8:2 0 34.2G 0 part
│ ├─vg0-root 253:0 0 8G 0 lvm /
│ ├─vg0-swap 253:1 0 512M 0 lvm [SWAP]
│ ├─vg0-tmp 253:2 0 1G 0 lvm /tmp
│ └─vg0-var 253:3 0 2G 0 lvm /var
└─sda3 8:3 0 100G 0 part
sr0 11:0 1 1024M 0 rom
[root@station7 base]# mkfs.xfs -f /dev/sda3
meta-data=/dev/sda3 isize=512 agcount=4, agsize=6553600 blks
= sectsz=4096 attr=2, projid32bit=1
= crc=1 finobt=0, sparse=0
data = bsize=4096 blocks=26214400, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=1
log =internal log bsize=4096 blocks=12800, version=2
= sectsz=4096 sunit=1 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
[root@station7 base]# vim /etc/fstab   (add the /dev/sda3 line; the resulting file is shown further below)
[root@station7 base]# mount -a
[root@station7 base]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg0-root 8.0G 5.2G 2.9G 65% /
devtmpfs 3.9G 0 3.9G 0% /dev
tmpfs 3.9G 24M 3.9G 1% /dev/shm
tmpfs 3.9G 8.7M 3.9G 1% /run
tmpfs 3.9G 0 3.9G 0% /sys/fs/cgroup
/dev/sda1 494M 151M 344M 31% /boot
/dev/mapper/vg0-tmp 1014M 52M 963M 6% /tmp
/dev/mapper/vg0-var 2.0G 1.6G 419M 80% /var
tmpfs 792M 20K 792M 1% /run/user/0
server1:/export/netinstall 232G 28G 205G 12% /net/server1/export/netinstall
server1:/export/courserepos 232G 28G 205G 12% /net/server1/export/courserepos
/dev/sda3 100G 33M 100G 1% /var/lib/libvirt/images
A reboot is needed before the kernel has loaded what virt-manager needs to create VMs.
/etc/fstab after the edit:
#
# /etc/fstab
# Created by anaconda on Wed Jul 11 17:47:48 2018
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/vg0-root / xfs defaults 0 0
UUID=0e736d9c-f5e7-4647-ab5b-ca8895ac7cbf /boot xfs defaults 0 0
/dev/mapper/vg0-tmp /tmp xfs defaults 0 0
/dev/mapper/vg0-var /var xfs defaults 0 0
/dev/mapper/vg0-swap swap swap defaults 0 0
/dev/sda3 /var/lib/libvirt/images xfs defaults 0 2
After rebooting.... (Note: the /boot entry is written by UUID; do the same for the new partition, using the UUID from blkid /dev/sda3, because /dev/sdX names can change when disks are re-enumerated.)
[root@station7 ~]# virt-manager
3. journal
[root@station13 ~]# mkdir -p /var/log/journal -> to keep the journal on disk instead of in the memory-backed /run/log/journal, first create this directory (the /run area is lost on reboot). The RHEL 7 docs also run systemd-tmpfiles --create --prefix /var/log/journal afterwards so the directory gets the owner, group and ACL shown for the runtime directory below.
[root@station13 ~]#
[root@station13 ~]# ll /run/log/journal/
total 0
drwxr-s---+ 2 root systemd-journal 60 Jul 16 13:46 da6c0e4346124ee6bcbceecd1a3deb7e
[root@station13 ~]#
[root@station13 ~]#
[root@station13 ~]# systemctl restart systemd-journald
[root@station13 ~]# ll /run/log/journal/
ls: cannot access /run/log/journal/: No such file or directory   --> journald now writes to /var/log/journal, so the runtime directory is gone
[root@station13 ~]# journalctl --setup-keys --interval=10m --> generate the Forward Secure Sealing (FSS) keys; the sealing key is advanced every 10 minutes
Generating seed...
Generating key pair...
Generating sealing key...
Failed to set file attributes: Operation not supported   (harmless warning: XFS does not support the file attribute journald tries to set on the key file; the key is still written)
The new key pair has been generated. The secret sealing key has been written to
the following local file. This key file is automatically updated when the
sealing key is advanced. It should not be used on multiple hosts.
/var/log/journal/da6c0e4346124ee6bcbceecd1a3deb7e/fss
Please write down the following secret verification key. It should be stored
at a safe location and should not be saved locally on disk.
97f532-8b4c5d-68d3ce-4f5dcc/26f41d-23c34600
The sealing key is automatically changed every 10min.
The keys have been generated for host station13.example.com/da6c0e4346124ee6bcbceecd1a3deb7e.
To transfer the verification key to your phone please scan the QR code below:
█████████████████████████████████████████████████
█████████████████████████████████████████████████
████ ▄▄▄▄▄ █▀▀▀ █ ▀█▀▀ ▀██▄▄ ▀█▀▄▀ ▄ █ ▄▄▄▄▄ ████
████ █ █ █▀█ █▄▄▀▀ ▀▀██▄ ███▄ ▀▀█▄█ █ █ ████
████ █▄▄▄█ █▀ ███▄▀ ▀█ ▄ ▄▄█▀▀▀ █▄▄▀█ █▄▄▄█ ████
████▄▄▄▄▄▄▄█▄▀▄▀ ▀▄▀▄▀▄▀▄▀ ▀ █▄█▄█ ▀▄█▄▄▄▄▄▄▄████
████ ▄▄▄▀▄ █ ███▄█ ▀██▀▄ ▀ ▀▄▄ ▄▄▀▄▀▄█▄█████
████▀▀▀▀█▀▄▄▄▄▀▄▄█▀▀▀█▄▀█▄▀▀▄▄▀ ▄▄▀▄▄ ▄▄▄▄████
████▄█████▄▄█▄ █▄▀▀▀▀▄█▄█ ██▄▄▄██▀▄█▄ ▀▄ ▄▄▄▀████
█████▀ ▀ ▄▄▄█▄ ▄█▄█▀ █ ▄ ▄▀▀█ █▄██▄▄▄▀▄▀▄▄█▀████
████ ▄ ▄█▄▄█▀▀▄ ▀ █▀▀▄▀▄ ██▀▄ ▄██▄▄ ▀▄▀▄▀█ ▀████
████▄▀▀██ ▄█▄▄█ ▀ ▄▀ ▄▄█ ▄▀▀▄▄▀ ▀▄█▀▄ ▀▀█▄ ▀████
████▄ █▀ ▀▄ ████▀█▄▀▄▀▄▀▀▄▀▀ ▄█ ▄▄▄██ ▀▄ █ ▄▀████
█████▀▀▄ ▄▄▄█▄██▀ ▄ ▄▀█▀▄ ▀█▄█▄▄▀▀▄ ▀▄█▄▄▀▀████
████▀▀ ▄█ ▄▄▀█ █ █▄▄█ ▄▄█▀ ▀ ▄█▀ ▄ ▄ ▀▀▀▀ ▀▀████
████▀▄▀▀▀▄▄▀▄ ▀ █▀ ▄▄██ ▀▀ ▀▀▄▄▄▄▀█▄ ▀▄▄▄▀████
████▀▀▄ █▄▄▄▄▀▄█▄▀▀▀▀ ███▀ █ ▄▄▄ ██▄█▄ █ ▀████
████ █ █ ▀▄▄▄▀▀ ▄█▄█▀█▀▀▄▀█▀▀▄▀▄▄█ ▄▄█▄▄▀▄▀▀█████
████▄█▄██▄▄█ ▀▀ ▄▀█ █▄▀▀▀▀ ▄▄▀ ▀█ ▄▄▄ █▄████
████ ▄▄▄▄▄ █▄▄ ▄▄ ▄ ▄▄▀▄▀▀▀█ ▀▄▄▀▄ █▄█ ▄▄▀▀████
████ █ █ █ ▄ ▄▀█▄▀█ ▀█▀▀█ █▀ ▀███▄ ▄ ▄▄▄▀▀████
████ █▄▄▄█ █ ▄▀█▀▄▄ ██▀ ▄▀▀ ▀▄▀▄▄█▀█ ▀ ▀ ▄▄ █████
████▄▄▄▄▄▄▄█▄█▄█▄████▄█▄██▄▄▄▄██▄▄▄███▄██▄███████
█████████████████████████████████████████████████
█████████████████████████████████████████████████
[root@station13 ~]#
[root@station13 ~]# journalctl --verify --verify-key=97f532-8b4c5d-68d3ce-4f5dcc/26f41d-23c34600
PASS: /var/log/journal/da6c0e4346124ee6bcbceecd1a3deb7e/system.journal
[root@station13 ~]#
## PASS means every sealed interval of the journal still matches its seal. FSS is after-the-fact tamper detection: root on the box can still delete the files, and the interval not yet sealed is unprotected, but sealed entries cannot be altered without --verify failing. That only holds if the verification key is kept off the host, which is why the tool says not to save it locally.
4. rsyslog
1) selector
- the "when this happens" part of a rule
mail.* , cron.* ....... (facility.priority : which service, and which severity level)
- Facility table
Facility | Description
auth/authpriv | security/authorization messages
cron | crond and atd daemons messages
daemon | other system daemons
kern | kernel messages
local0-local7 | reserved for local use (user-defined facilities)
lpr | line printer subsystem
mail | mail subsystem
news | Usenet news subsystem (no longer used)
syslog | rsyslog's own log messages
user | generic user-level messages
uucp | UUCP subsystem (Unix-to-Unix Copy; no longer used)
- Priority table
Priority | Description
emerg 0 | system is unusable
alert 1 | action must be taken immediately
crit 2 | critical conditions
err 3 | error conditions
warning 4 | warning conditions
notice 5 | normal, but significant condition
info 6 | informational messages
debug 7 | debugging messages
A priority in a selector means "that level and anything more severe", so *.info matches levels 0-6 and leaves out only debug. "none" removes the facility, "=" matches exactly one level.
2) Actions
- the "then do this" part of a rule
- a file, a device name, a terminal, a remote system, a user, and so on.....
- by far the most common is a file.
- -/var/log/maillog, /var/log/cron ....
- a "-" in front of a file action means async (the file is not synced to disk after every write)
- ":omusrmsg:*" : om = output module, usrmsg = the user-message module, :* = every logged-in user; the message is written to their terminals.
[root@station13 ~]# cat -n /etc/rsyslog.conf
1 # rsyslog configuration file
2
3 # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
4 # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
5
6 #### MODULES ####
7
8 # The imjournal module bellow is now used as a message source instead of imuxsock.
9 $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
10 $ModLoad imjournal # provides access to the systemd journal
11 #$ModLoad imklog # reads kernel messages (the same are read from journald)
12 #$ModLoad immark # provides --MARK-- message capability
13
14 # Provides UDP syslog reception
## lets this host receive logs from remote hosts over UDP (this host becomes the destination)
15 #$ModLoad imudp
16 #$UDPServerRun 514
17
18 # Provides TCP syslog reception
## lets this host receive logs from remote hosts over TCP (this host becomes the destination)
19 #$ModLoad imtcp
20 #$InputTCPServerRun 514
21
22
23 #### GLOBAL DIRECTIVES ####
24
25 # Where to place auxiliary files
26 $WorkDirectory /var/lib/rsyslog
27
28 # Use default timestamp format
29 $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
30
31 # File syncing capability is disabled by default. This feature is usually not required,
32 # not useful and an extreme performance hit
33 #$ActionFileEnableSync on
34
35 # Include all config files in /etc/rsyslog.d/
## include the sub-configuration files below
36 $IncludeConfig /etc/rsyslog.d/*.conf
37
38 # Turn off message reception via local log socket;
39 # local messages are retrieved through imjournal now.
40 $OmitLocalLogging on
41
42 # File to store the position in the journal
43 $IMJournalStateFile imjournal.state
44
45
46 #### RULES ####
47
48 # Log all kernel messages to the console.
49 # Logging much else clutters up the screen.
50 #kern.* /dev/console (the screen)
51
52 # Log anything (except mail) of level info or higher.
53 # Don't log private authentication messages!
54 *.info;mail.none;authpriv.none;cron.none /var/log/messages
55
56 # The authpriv file has restricted access.
57 authpriv.* /var/log/secure
58
59 # Log all the mail messages in one place.
60 mail.* -/var/log/maillog
61
62
63 # Log cron stuff
64 cron.* /var/log/cron
65
66 # Everybody gets emergency messages
67 *.emerg :omusrmsg:*
68
69 # Save news errors of level crit and higher in a special file.
70 uucp,news.crit /var/log/spooler
71
72 # Save boot messages also to boot.log
73 local7.* /var/log/boot.log
74
75
76 # ### begin forwarding rule ###
77 # The statement between the begin ... end define a SINGLE forwarding
78 # rule. They belong together, do NOT split them. If you create multiple
79 # forwarding rules, duplicate the whole block!
80 # Remote Logging (we use TCP for reliable delivery)
81 #
82 # An on-disk queue is created for this action. If the remote host is
83 # down, messages are spooled to disk and sent when it is up again.
84 #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
85 #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
86 #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
87 #$ActionQueueType LinkedList # run asynchronously
88 #$ActionResumeRetryCount -1 # infinite retries if host is down
89 # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
90 #*.* @@remote-host:514
## one @ = UDP, @@ = TCP. Uncomment this on the sending host and point it at the receiver that enabled imtcp/imudp above. Plain syslog over TCP is neither authenticated nor encrypted; for logs that leave a trusted network use rsyslog's TLS support (the gtls netstream driver) or a tunnel.
91 # ### end of the forwarding rule ###
### lab shortcut applied on both the physical host and the VM so they can log to each other:
# setenforce 0
# systemctl stop firewalld
## Lab only. In production keep SELinux enforcing and open just the syslog port in firewalld (firewall-cmd --permanent --add-port=514/tcp; firewall-cmd --reload); if SELinux denies the bind, read /var/log/audit/audit.log and label the port with semanage port rather than switching enforcement off.
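The selector rules in the RULES section above are compact but their precedence is easy to misread. The following is an added example, not part of the course notes or of rsyslog itself: it implements the selector matching rules described in section 4.1 and runs the rsyslog.conf RULES table over a few constructed syslog lines. Every message carries PRI = facility * 8 + severity in its "<PRI>" prefix; selector parts are applied left to right and each part overwrites the accepted-severity mask for the facilities it names, which is why "*.info;mail.none;authpriv.none;cron.none" keeps mail, authpriv and cron out of /var/log/messages. The sample lines, their host and process names are constructed; the RULES list is copied from the config above.

```python
"""Evaluate rsyslog-style selectors ("facility.priority;...") against syslog lines."""
import re

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}
ALL = frozenset(range(8))

RULES = [  # (selector, action) as in the RULES section of the rsyslog.conf above
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", ":omusrmsg:*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
]

_PRI = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Split the <PRI> prefix of a syslog line into (facility name, severity name)."""
    m = _PRI.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI> prefix")
    fac, sev = divmod(int(m.group(1)), 8)
    return FACILITY_NAMES.get(fac, f"facility{fac}"), SEVERITY_NAMES[sev]


def severity_set(spec):
    """Severity numbers selected by the priority part of one selector part."""
    if spec == "*":
        return ALL
    if spec == "none":
        return frozenset()
    if spec.startswith("!="):                 # everything except exactly this level
        return ALL - {SEVERITIES[spec[2:]]}
    if spec.startswith("!"):                  # only levels LESS severe than this one
        return frozenset(s for s in ALL if s > SEVERITIES[spec[1:]])
    if spec.startswith("="):                  # exactly this level
        return frozenset({SEVERITIES[spec[1:]]})
    return frozenset(s for s in ALL if s <= SEVERITIES[spec])   # this level and worse


def compile_selector(selector):
    """Facility name -> accepted severities; a later part overrides an earlier one."""
    mask = {name: frozenset() for name in FACILITIES}
    for part in selector.split(";"):
        facs, spec = part.strip().rsplit(".", 1)
        names = list(FACILITIES) if facs == "*" else [f.strip() for f in facs.split(",")]
        for name in names:
            mask[name] = severity_set(spec.strip())
    return mask


def route(rules, line):
    """Actions, in config order, whose selector matches the line's facility/severity."""
    fac, sev = parse_pri(line)
    return [action for selector, action in rules
            if SEVERITIES[sev] in compile_selector(selector).get(fac, frozenset())]


# Constructed sample messages; <PRI> = facility*8 + severity.
SAMPLES = [
    "<86>Jul 16 13:46:01 station13 sshd[1234]: pam_unix(sshd:session): session opened for user root",  # authpriv.info
    "<22>Jul 16 13:46:02 station13 postfix/smtp[1300]: connect to mx.example.com",                     # mail.info
    "<0>Jul 16 13:46:03 station13 kernel: Kernel panic - not syncing",                                # kern.emerg
    "<7>Jul 16 13:46:04 station13 kernel: debug chatter",                                             # kern.debug
    "<190>Jul 16 13:46:05 station13 systemd: Started Network Manager",                                # local7.info
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_pri(line), "->", route(RULES, line) or ["(dropped)"])
```

The authpriv line lands only in /var/log/secure, the kernel emergency goes both to /var/log/messages and to every user's terminal, and kern.debug is dropped by every rule; that is the behaviour to expect from the stock RHEL 7 rules when you look for an authentication event in the wrong file.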
5. Log management (logrotate)
[root@station13 log]# cat -n /etc/logrotate.conf
1 # see "man logrotate" for details
2 # rotate log files weekly
3 weekly
4
5 # keep 4 weeks worth of backlogs
6 rotate 4
7
8 # create new (empty) log files after rotating old ones
9 create
10
11 # use date as a suffix of the rotated file
12 dateext
13
14 # uncomment this if you want your log files compressed
15 #compress
16
17 # RPM packages drop log rotation information into this directory
18 include /etc/logrotate.d
19
20 # no packages own wtmp and btmp -- we'll rotate them here
## everything above is the default policy; below, individual files get their own block.
## wtmp holds what the `last` command shows (successful logins, "well"). It is not a text file; read it with last.
21 /var/log/wtmp {
22 monthly
23 create 0664 root utmp // create the new file owned by user root, group utmp
24 minsize 1M // rotate only once the file is at least 1M in size (and the monthly interval has passed)
25 rotate 1
26 }
27
## btmp holds what `lastb` shows: the users who failed to log in ("bad"). Also binary; read it with lastb.
## It is created 0600 below because a password typed into the username prompt by mistake ends up in btmp.
28 /var/log/btmp {
29 missingok // do not report an error if the file does not exist.
30 monthly
31 create 0600 root utmp
32 rotate 1
33 }
34
35 # system-specific logs may be also be configured here.
[root@station13 log]# vim /etc/logrotate.d/test
[root@station13 log]#
[root@station13 log]# cat /etc/logrotate.d/test
/var/log/testlog.txt{
weekly
rotate 2
create 0600 root hpuser
size +100
compress
}
[root@station13 log]# cat -n /etc/cron.daily/logrotate
1 #!/bin/sh
2
3 /usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
4 EXITVALUE=$?
5 if [ $EXITVALUE != 0 ]; then
6 /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
7 fi
8 exit 0
[root@station13 log]# logrotate /etc/logrotate.conf   // run by hand to test; add -d for a dry run, -f to force a rotation, and pass the same -s state file the cron job uses so the two share one rotation history
Chapter 11. Manage RHEL networking
1. Physical NIC naming
1) Up to RHEL 6... ethXX
2) From RHEL 7... ethXX is no longer used; names are built from the hardware location:
- en : ethernet
- wl : wireless LAN (WLAN)
- ww : wireless wide area network (WWAN)
- oX : onboard (ex. eno1 : onboard ethernet card 1)
- sX : PCI Express hot-plug slot index number (ex. ens1)
- pXsX : PCI geographical location (PCI bus X, slot X)
(a card plugged into a slot on the board, the usual case, ex. enp2s0)
- If the ethXX form really must be used......
- add net.ifnames=0 (and biosdevname=0 if that package is active) to the GRUB_CMDLINE_LINUX variable in /etc/default/grub, regenerate the boot configuration with grub2-mkconfig -o /boot/grub2/grub.cfg, and reboot.
- i.e. the boot loader configuration must be edited.
2. 랜카드 속성/정보 확인
[root@station13 default]# ethtool enp2s0
Settings for enp2s0:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: Symmetric Receive-only
Advertised auto-negotiation: Yes
Link partner advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Link partner advertised pause frame use: Symmetric Receive-only
Link partner advertised auto-negotiation: Yes
Speed: 1000Mb/s
Duplex: Full
Port: MII // Media Independent Interface, the link between the MAC and the PHY (not a cable tester; this NIC reports supports-test: no below).
PHYAD: 0
Transceiver: internal
Auto-negotiation: on // speed and duplex are negotiated with the switch instead of being fixed.
Supports Wake-on: pumbg
Wake-on: g
Current message level: 0x00000033 (51)
drv probe ifdown ifup
Link detected: yes // whether carrier is present on the cable; the first thing to check for a cabling problem.
[root@station13 default]#
[root@station13 network-scripts]# ethtool -i enp2s0 // check the NIC driver and firmware version
driver: r8169
version: 2.3LK-NAPI
firmware-version: rtl8168g-2_0.0.1 02/06/13
expansion-rom-version:
bus-info: 0000:02:00.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: yes
supports-priv-flags: no
// In RHEL 7 editing this file by hand is not recommended; let NetworkManager (nmcli/nmtui) write it.
[root@station13 network-scripts]# vim /etc/sysconfig/network-scripts/ifcfg-enp2s0 // NIC settings
## contents of ifcfg-enp2s0
# Generated by dracut initrd
NAME="enp2s0"
DEVICE="enp2s0"
ONBOOT="yes"
NETBOOT="yes"
UUID="09592b50-25a4-44c2-9972-c3ff687b007b"
IPV6INIT="yes"
BOOTPROTO=dhcp
TYPE="Ethernet"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
PEERDNS=yes
PEERROUTES=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
3. Changing NIC settings - NetworkManager
1) CLI : # nmcli
2) TUI : # nmtui
[root@localhost ~]# nmcli dev // show device names and states (the output came out in Korean because of the locale)
Device Type State Connection
virbr0 bridge connected virbr0
eth0 ethernet connected eth0
lo loopback unmanaged --
virbr0-nic tun unmanaged --
[root@localhost ~]# LANG=   // clear the locale so command output is in English
[root@localhost ~]# nmcli dev
DEVICE (device name) TYPE STATE CONNECTION (profile name, i.e. the ifcfg file)
virbr0 bridge connected virbr0
eth0 ethernet connected eth0
lo loopback unmanaged --
virbr0-nic tun unmanaged --
[root@localhost ~]# nmcli con del eth0 (delete the eth0 connection profile)
Connection 'eth0' (5b53b851-7547-42b0-868f-a7919bf9d12b) successfully deleted.
[root@localhost ~]#
[root@localhost ~]# ls /etc/sysconfig/network-scripts/
ifcfg-lo ifdown-isdn ifup-aliases ifup-post
ifdown ifdown-post ifup-bnep ifup-ppp
ifdown-Team ifdown-ppp ifup-eth ifup-routes
ifdown-TeamPort ifdown-routes ifup-ib ifup-sit
ifdown-bnep ifdown-sit ifup-ippp ifup-tunnel
ifdown-eth ifdown-tunnel ifup-ipv6 ifup-wireless
ifdown-ib ifup ifup-isdn init.ipv6-global
ifdown-ippp ifup-Team ifup-plip network-functions
ifdown-ipv6 ifup-TeamPort ifup-plusb network-functions-ipv6
[root@localhost ~]#
[root@localhost ~]# nmcli con add type (press Tab twice here and everything that can follow is listed, as below)
adsl bridge-slave infiniband pppoe vpn
bluetooth cdma ip-tunnel team vxlan
bond ethernet macvlan team-slave wifi
bond-slave generic no-slave tun wimax
bridge gsm olpc-mesh vlan
[root@localhost ~]# nmcli con add type ethernet con-name eth0 ifname   (Tab again lists the interfaces:)
eth0 lo virbr0 virbr0-nic
[root@localhost ~]# nmcli con add type ethernet con-name eth0 ifname eth0 autoconnect yes
Connection 'eth0' (d8f640a3-e162-44ab-9acd-74336e74c3d9) successfully added.
[root@localhost ~]#
[root@localhost network-scripts]# nmcli con mod eth0 ipv4.addresses '192.168.122.11/24' ipv4.gateway 192.168.122.1 ipv4.dns 192.168.122.1 ipv4.method manual
[root@localhost network-scripts]# systemctl restart network   // or nmcli con up eth0, which re-activates only this profile
[root@localhost network-scripts]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.122.11 netmask 255.255.255.0 broadcast 192.168.122.255
inet6 fe80::876b:e65b:3c6a:5a4f prefixlen 64 scopeid 0x20<link>
ether 52:54:00:d1:b8:da txqueuelen 1000 (Ethernet)
RX packets 410895 bytes 960436141 (915.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 323918 bytes 22980953 (21.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost network-scripts]# nmcli dev
DEVICE TYPE STATE CONNECTION
virbr0 bridge connected virbr0
eth0 ethernet connected eth0
lo loopback unmanaged --
virbr0-nic tun unmanaged --
[root@localhost network-scripts]# cat ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eth0
UUID=d8f640a3-e162-44ab-9acd-74336e74c3d9
DEVICE=eth0
ONBOOT=yes
IPADDR=192.168.122.11
PREFIX=24
GATEWAY=192.168.122.1
DNS1=192.168.122.1
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
4. Modifying routes
A route added with plain "ip route add" disappears on reboot.
It has to be saved in a file.
1. Default gateway
/etc/sysconfig/network
---> GATEWAY=xx.xx.xx.xx
2. Additional static routes (RHEL 6 format; still works in 7)
/etc/sysconfig/network-scripts/route-eth0
---> ADDRESS0=192.168.2.0
NETMASK0=255.255.255.0
GATEWAY0=10.2.3.200
3. Additional static routes, ip route syntax (the form used in RHEL 7)
/etc/sysconfig/network-scripts/route-eth0
---> 192.168.2.0/24 via 10.2.3.200
(With NetworkManager the same route can be stored in the profile instead: nmcli con mod eth0 +ipv4.routes "192.168.2.0/24 10.2.3.200", then nmcli con up eth0.)
5. ARP
- cached in memory (entries expire after a while)
- works by broadcast
--> ARP trusts whatever reply it receives (no verification)
--> hence ARP spoofing: an attacker answers for another host's IP, usually the gateway, with its own MAC and sits in the middle of the traffic
- from RHEL 7 entries are added with ip neigh instead
// a MAC address / IP pairing can be pinned as below; a PERM entry is not overwritten by replies, which is the usual defence for the gateway on a small network.
[root@station13 ~]# arp -s 59.29.224.222 00:11:22:33:44:55
[root@station13 ~]# arp -a | grep 222
? (59.29.224.222) at 00:11:22:33:44:55 [ether] PERM on enp2s0
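Pinning the gateway stops the local host from being fooled, but it does not tell you that someone on the segment is trying. The following is an added example, not part of the course notes: it takes two snapshots of the neighbour table in the format `ip neigh show` prints (the RHEL 7 replacement for arp -a mentioned above) and reports the two symptoms tools such as arpwatch alarm on, an IP whose MAC changed between snapshots ("flip-flop") and one MAC answering for several IPs, plus a mismatch against entries you pinned. The interface, both snapshots and every address in them are constructed for the example.

```python
"""Spot ARP-spoofing symptoms in successive `ip neigh show` snapshots."""
import re
import subprocess
from collections import defaultdict

# "192.168.122.1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE". FAILED/INCOMPLETE
# entries carry no lladdr and are skipped: there is no MAC to trust or distrust.
_NEIGH = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9A-Fa-f:]{17})\b")


def parse_ip_neigh(text):
    """Return {ip: mac} from `ip neigh show` output."""
    table = {}
    for line in text.splitlines():
        m = _NEIGH.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def detect(previous, current, pinned=None, max_ips_per_mac=1):
    """Compare two {ip: mac} tables and return a list of human-readable alerts."""
    pinned = pinned or {}
    alerts = []
    for ip, mac in sorted(current.items()):
        if ip in pinned and pinned[ip].lower() != mac:
            alerts.append(f"pinned: {ip} should be {pinned[ip]} but the table says {mac}")
        old = previous.get(ip)
        if old and old != mac:
            alerts.append(f"flip-flop: {ip} moved from {old} to {mac}")
    by_mac = defaultdict(set)
    for ip, mac in current.items():
        by_mac[mac].add(ip)
    for mac, ips in sorted(by_mac.items()):
        # a router that proxies several addresses is legitimate: raise the limit for it
        if len(ips) > max_ips_per_mac:
            alerts.append(f"one MAC {mac} answers for {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


def current_table():
    """Live snapshot of the neighbour table (Linux with iproute2 installed)."""
    out = subprocess.run(["ip", "neigh", "show"], capture_output=True, text=True, check=True).stdout
    return parse_ip_neigh(out)


# Constructed snapshots. At T0 the gateway .1 has its own MAC; at T1 it suddenly
# resolves to the MAC of host .20, which now claims both addresses.
SNAPSHOT_T0 = """\
192.168.122.1 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
192.168.122.20 dev eth0 lladdr 52:54:00:aa:bb:20 STALE
192.168.122.50 dev eth0  FAILED
"""
SNAPSHOT_T1 = """\
192.168.122.1 dev eth0 lladdr 52:54:00:aa:bb:20 REACHABLE
192.168.122.20 dev eth0 lladdr 52:54:00:aa:bb:20 REACHABLE
192.168.122.50 dev eth0  FAILED
"""
# what `arp -s` (or `ip neigh add ... nud permanent`) pinned for the gateway
PINNED = {"192.168.122.1": "52:54:00:aa:bb:01"}

if __name__ == "__main__":
    for alert in detect(parse_ip_neigh(SNAPSHOT_T0), parse_ip_neigh(SNAPSHOT_T1), PINNED):
        print(alert)
```

Run it from cron with the previous snapshot saved to a file and feed the alerts to logger so they end up in the syslog pipeline described in chapter 10; on a host that pinned the gateway, the "pinned" alert is the one that says someone on the segment is actively poisoning.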
6. DNS Clients
1) /etc/resolv.conf
- Identifies name servers and name resolution options.
[root@localhost network-scripts]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.122.1
<--- where did this DNS server come from? From the second nmcli command above (ipv4.dns 192.168.122.1). Because NetworkManager generates this file, edit the connection profile rather than the file itself, or the change is overwritten.
2) /etc/hosts
- static name and alias mappings, consulted before DNS (order set in /etc/nsswitch.conf)
7. NTP
1) timedatectl
[root@station13 ~]# timedatectl
Local time: Tue 2018-07-17 09:49:04 KST
Universal time: Tue 2018-07-17 00:49:04 UTC
RTC time: Tue 2018-07-17 00:49:04
Time zone: Asia/Seoul (KST, +0900)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: no
DST active: n/a
[root@station13 ~]# timedatectl list-timezones | grep -i seoul // grep -i : case-insensitive match
Asia/Seoul
[root@station13 ~]# timedatectl set-timezone Asia/Seoul
2) NTPD : up to RHEL 6, ntpd was the norm....
3) chrony : new in RHEL 7; the default time service changed.
[root@station13 ~]# rpm -qa | grep chrony
chrony-2.1.1-4.el7.centos.x86_64
[root@station13 ~]#
[root@station13 ~]# vim /etc/chrony.conf
[root@station13 ~]# chronyc sources -v (prints the legend with the output)
210 Number of sources = 2
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 183.111.227.229 2 6 17 11 +28us[ +381us] +/- 37ms
^- 210.98.16.101 3 6 17 9 -664us[ -664us] +/- 17ms
/etc/chrony.conf
1 # Use public servers from the pool.ntp.org project.
2 # Please consider joining the pool (http://www.pool.ntp.org/join.html).
3 #server 0.centos.pool.ntp.org iburst
4 #server 1.centos.pool.ntp.org iburst
5 #server 2.centos.pool.ntp.org iburst
6 #server 3.centos.pool.ntp.org iburst
7
8 server 183.111.227.229 iburst // iburst : send the first requests in a quick burst so the clock is synchronised soon after start
9 server 210.98.16.101 iburst
10
11 # Ignore stratum in source selection.
12 stratumweight 0