I had been using the Sakura VPS 1G plan, but since a plan-migration campaign was running, I decided to move to the 2GB plan.
# cat /etc/redhat-release
Scientific Linux release 6.2 (Carbon)
User creation and security settings
Create the user account that will be used for everyday work.
# useradd hoge
# passwd hoge
ユーザー hoge のパスワードを変更。
新しいパスワード:
新しいパスワードを再入力してください:
passwd: 全ての認証トークンが正しく更新できました。
# usermod -G wheel hoge
#
Prohibit root login over ssh.
Edit /etc/ssh/sshd_config.
Port 2022
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Restart the ssh daemon and confirm that root can no longer log in.
# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
# logout
logout
Connection to 49.212.129.72 closed.
client:~ hoge$ ssh -p 2022 root@49.212.129.72
root@49.212.129.72's password:
Permission denied, please try again.
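To confirm that the sshd_config settings above really took effect, here is an added check that is not part of the original post. It reads the file the way sshd does: comment lines are ignored, keywords are case-insensitive, and the first occurrence of a keyword wins, so a hardening line appended below an earlier stock value is silently ineffective. The sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check that sshd_config really
# carries the settings applied above. sshd ignores comment lines and uses the
# FIRST occurrence of each keyword, so a hardening line appended below an
# earlier stock value (e.g. "PermitRootLogin yes") silently has no effect.

# Effective value of one keyword: first non-comment match, keyword case-insensitive.
sshd_effective() {  # $1=config file  $2=keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Compare the file with the "Keyword value" pairs from the article. Prints one
# line per mismatch and returns 1 if any expected setting is not in effect.
audit_sshd_config() {  # $1=config file
    rc=0
    while read -r key want; do
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s: expected %s, effective %s\n' "$key" "$want" "${got:-<default>}"
            rc=1
        fi
    done <<'EOF'
Port 2022
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
EOF
    return $rc
}

# Constructed sample: "PermitRootLogin no" was appended after the stock "yes",
# and PermitEmptyPasswords was left commented out, so neither is in effect.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
#Port 22
Port 2022
Protocol 2
PermitRootLogin yes
# PermitEmptyPasswords no
PermitRootLogin no
ChallengeResponseAuthentication no
EOF

audit_sshd_config "$SAMPLE_CFG" || echo "audit: sshd_config differs from the intended settings"
```

Run it against /etc/ssh/sshd_config after editing and again after `service sshd restart`; `sshd -T` on newer OpenSSH gives the same effective view, but is not available on the version shipped here.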
Edit /etc/pam.d/su so that only members of the wheel group can use su.
auth required pam_wheel.so use_uid
Allow the wheel group to use sudo.
# visudo
%wheel ALL=(ALL) NOPASSWD: ALL
Locale settings
Edit /etc/sysconfig/i18n to set the locale to UTF-8.
LANG="ja_JP.UTF-8"
Network settings
If IPv6 is enabled, disable it.
# ifconfig -a
eth0 Link encap:Ethernet HWaddr 52:54:06:00:42:98
inet addr:49.212.129.72 Bcast:49.212.129.255 Mask:255.255.254.0
inet6 addr: fe80::5054:6ff:fe00:4298/64 Scope:Link
# echo 'options ipv6 disable=1' >/etc/modprobe.d/disable-ipv6.conf
# chkconfig ip6tables off
# reboot
If APIPA (the 169.254.0.0/16 zeroconf route) is enabled, disable it.
# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
49.212.128.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
# sudo echo "NOZEROCONF=yes" >>/etc/sysconfig/network
# service network restart
インターフェース eth0 を終了中: [ OK ]
ループバックインターフェースを終了中 [ OK ]
ループバックインターフェイスを呼び込み中 [ OK ]
インターフェース eth0 を活性化中: [ OK ]
# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
49.212.128.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
yum-related setup
Add a yum plugin.
- yum-plugin-priorities: when mixing in external repositories, prefer the package versions from the standard repositories
# yum -y install yum-plugin-priorities
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
* sl: ftp.riken.jp
* sl-security: ftp.riken.jp
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-priorities.noarch 0:1.1.30-10.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
yum-plugin-priorities noarch 1.1.30-10.el6 sl 21 k
Transaction Summary
================================================================================
Install 1 Package(s)
Total download size: 21 k
Installed size: 28 k
Downloading Packages:
yum-plugin-priorities-1.1.30-10.el6.noarch.rpm | 21 kB 00:00
警告: rpmts_HdrFromFdno: ヘッダ V4 DSA/SHA1 Signature, key ID 192a7d7d: NOKEY
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sl
Importing GPG key 0x192A7D7D:
Userid : Scientific Linux (RPM signing key for Scientific Linux)
Package: sl-release-6.2-1.1.x86_64 (@Scientific Linux/6.1)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-sl
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sl6
Importing GPG key 0x9B1FD350:
Userid : Scientific Linux (RPM signing key for Scientific Linux 6)
Package: sl-release-6.2-1.1.x86_64 (@Scientific Linux/6.1)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-sl6
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-cern
Importing GPG key 0x1D1E034B:
Userid : CERN Linux Support (RPM signing key for CERN Linux Support)
Package: sl-release-6.2-1.1.x86_64 (@Scientific Linux/6.1)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-cern
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : yum-plugin-priorities-1.1.30-10.el6.noarch 1/1
Installed:
yum-plugin-priorities.noarch 0:1.1.30-10.el6
Complete!
Go to /etc/yum.repos.d/ and give sl.repo and sl-other.repo priority 1 (the highest) by adding priority=1 at the end of each section.
Add EPEL as a repository.
# yum -y install epel-release
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
* sl: ftp.riken.jp
* sl-security: ftp.riken.jp
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:6-5 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
epel-release noarch 6-5 sl 13 k
Transaction Summary
================================================================================
Install 1 Package(s)
Total download size: 13 k
Installed size: 22 k
Downloading Packages:
epel-release-6-5.noarch.rpm | 13 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : epel-release-6-5.noarch 1/1
Installed:
epel-release.noarch 0:6-5
Complete!
Add the IUS yum repository.
# wget http://dl.iuscommunity.org/pub/ius/stable/Redhat/6/x86_64/ius-release-1.0-10.ius.el6.noarch.rpm
--2012-04-14 16:35:46-- http://dl.iuscommunity.org/pub/ius/stable/Redhat/6/x86_64/ius-release-1.0-10.ius.el6.noarch.rpm
dl.iuscommunity.org をDNSに問いあわせています... 50.57.54.209
dl.iuscommunity.org|50.57.54.209|:80 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 7608 (7.4K) [application/x-rpm]
`ius-release-1.0-10.ius.el6.noarch.rpm' に保存中
100%[=========================================================>] 7,608 --.-K/s 時間 0s
2012-04-14 16:35:48 (442 MB/s) - `ius-release-1.0-10.ius.el6.noarch.rpm' へ保存完了 [7608/7608]
# rpm -Uvh ius-release-1.0-10.ius.el6.noarch.rpm
警告: ius-release-1.0-10.ius.el6.noarch.rpm: ヘッダ V4 DSA/SHA1 Signature, key ID 9cd4953f: NOKEY
準備中... ########################################### [100%]
1:ius-release ########################################### [100%]
iptables configuration
Create a script that allows ssh (2022), http (80) and smtp (25).
#!/bin/sh
# Flush all rules and delete any user-defined chains
/sbin/iptables -F
/sbin/iptables -X
# Default policies: drop inbound and forwarded traffic, allow outbound
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
# Loopback traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Drop packets that claim a private (RFC 1918) source address on the public interface
/sbin/iptables -A INPUT -s 10.0.0.0/8 -j DROP
/sbin/iptables -A INPUT -s 172.16.0.0/12 -j DROP
/sbin/iptables -A INPUT -s 192.168.0.0/16 -j DROP
# ICMP echo (ping)
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allowed services: ssh (2022), smtp (25), http (80)
/sbin/iptables -A INPUT -p tcp --dport 2022 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Replies to connections initiated by this host
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log everything else; the INPUT policy then drops it
/sbin/iptables -A INPUT -j LOG --log-prefix "IPTABLES_INPUT_LOG:" --log-level=info
# Persist the rules to /etc/sysconfig/iptables so they survive a reboot
/etc/rc.d/init.d/iptables save
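As an added example that is not part of the original post, this summarises what the LOG rule above writes to /var/log/messages, by destination port and by source address; the sample log lines are constructed, with source addresses from documentation ranges. Note that the prefix "IPTABLES_INPUT_LOG:" has no trailing space, so in the kernel log it runs straight into the IN= field.

```shell
#!/bin/sh
# Added example, not from the original post: summarise what the LOG rule above
# writes to /var/log/messages. Packets reaching it fall through to the DROP
# policy, so these counts are the traffic the firewall rejected. The prefix
# "IPTABLES_INPUT_LOG:" has no trailing space, so in the log it runs straight
# into the IN= field; matching on the line rather than on a token allows for that.

# Count logged packets per protocol/destination port, most frequent first.
logged_by_port() {  # $1=log file
    awk '/kernel: IPTABLES_INPUT_LOG:/ {
             proto = "?"; dpt = ""
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^PROTO=/) proto = substr($i, 7)
                 if ($i ~ /^DPT=/)   dpt = substr($i, 5)
             }
             if (dpt != "") n[proto "/" dpt]++
         }
         END { for (k in n) print k, n[k] }' "$1" | sort -k2,2nr -k1,1
}

# Count logged packets per source address, most frequent first.
logged_by_src() {  # $1=log file
    awk '/kernel: IPTABLES_INPUT_LOG:/ {
             for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
         }
         END { for (k in n) print k, n[k] }' "$1" | sort -k2,2nr -k1,1
}

# Constructed sample log (source addresses from documentation ranges); the last
# line is an unrelated sshd entry that must be ignored.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Apr 14 16:40:01 vps kernel: IPTABLES_INPUT_LOG:IN=eth0 OUT= SRC=203.0.113.5 DST=49.212.129.72 LEN=60 TTL=52 PROTO=TCP SPT=44321 DPT=22 SYN URGP=0
Apr 14 16:40:02 vps kernel: IPTABLES_INPUT_LOG:IN=eth0 OUT= SRC=203.0.113.5 DST=49.212.129.72 LEN=60 TTL=52 PROTO=TCP SPT=44322 DPT=22 SYN URGP=0
Apr 14 16:40:03 vps kernel: IPTABLES_INPUT_LOG:IN=eth0 OUT= SRC=203.0.113.5 DST=49.212.129.72 LEN=60 TTL=52 PROTO=TCP SPT=44323 DPT=22 SYN URGP=0
Apr 14 16:40:05 vps kernel: IPTABLES_INPUT_LOG:IN=eth0 OUT= SRC=203.0.113.5 DST=49.212.129.72 LEN=60 TTL=52 PROTO=TCP SPT=44324 DPT=23 SYN URGP=0
Apr 14 16:40:09 vps kernel: IPTABLES_INPUT_LOG:IN=eth0 OUT= SRC=198.51.100.7 DST=49.212.129.72 LEN=48 TTL=48 PROTO=UDP SPT=5060 DPT=5060 LEN=28
Apr 14 16:41:10 vps sshd[1234]: Accepted password for hoge from 198.51.100.7 port 50022 ssh2
EOF

echo "== by port =="; logged_by_port "$SAMPLE_LOG"
echo "== by source =="; logged_by_src "$SAMPLE_LOG"
```

The LOG rule as written has no rate limit, so a port scan can grow /var/log/messages quickly; putting an `-m limit` match in front of it is the usual remedy.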
vsftpd
Create a user for vsftpd.
# groupadd ftpsecure
# useradd -g ftpsecure -d /var/ftpsecure -s /sbin/nologin -m -k /dev/null ftpsecure
Install and configure vsftpd.
# yum -y install vsftpd
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
* epel: ftp.iij.ad.jp
* sl: ftp.riken.jp
* sl-security: ftp.riken.jp
102 packages excluded due to repository priority protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.x86_64 0:2.2.2-6.el6_0.1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
vsftpd x86_64 2.2.2-6.el6_0.1 sl 149 k
Transaction Summary
================================================================================
Install 1 Package(s)
Total download size: 149 k
Installed size: 331 k
Downloading Packages:
vsftpd-2.2.2-6.el6_0.1.x86_64.rpm | 149 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : vsftpd-2.2.2-6.el6_0.1.x86_64 1/1
Installed:
vsftpd.x86_64 0:2.2.2-6.el6_0.1
Complete!
Edit /etc/vsftpd/vsftpd.conf.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
nopriv_user=ftpsecure
listen=YES
pam_service_name=vsftpd
userlist_enable=NO
tcp_wrappers=YES
Enable it at boot and start it.
# chkconfig vsftpd on
# service vsftpd start
logwatch
# yum -y install logwatch
Loaded plugins: fastestmirror, priorities, security
Loading mirror speeds from cached hostfile
* epel: ftp.iij.ad.jp
* sl: ftp.riken.jp
* sl-security: ftp.riken.jp
102 packages excluded due to repository priority protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package logwatch.noarch 0:7.3.6-49.el6 will be installed
--> Processing Dependency: perl(Date::Manip) for package: logwatch-7.3.6-49.el6.noarch
--> Running transaction check
---> Package perl-Date-Manip.noarch 0:6.24-1.el6 will be installed
--> Processing Dependency: perl(YAML::Syck) for package: perl-Date-Manip-6.24-1.el6.noarch
--> Running transaction check
---> Package perl-YAML-Syck.x86_64 0:1.07-4.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=======================================================================================================
Package Arch Version Repository Size
=======================================================================================================
Installing:
logwatch noarch 7.3.6-49.el6 sl 297 k
Installing for dependencies:
perl-Date-Manip noarch 6.24-1.el6 sl 1.3 M
perl-YAML-Syck x86_64 1.07-4.el6 sl 74 k
Transaction Summary
=======================================================================================================
Install 3 Package(s)
Total download size: 1.7 M
Installed size: 11 M
Downloading Packages:
(1/3): logwatch-7.3.6-49.el6.noarch.rpm | 297 kB 00:00
(2/3): perl-Date-Manip-6.24-1.el6.noarch.rpm | 1.3 MB 00:00
(3/3): perl-YAML-Syck-1.07-4.el6.x86_64.rpm | 74 kB 00:00
-------------------------------------------------------------------------------------------------------
Total 2.1 MB/s | 1.7 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : perl-YAML-Syck-1.07-4.el6.x86_64 1/3
Installing : perl-Date-Manip-6.24-1.el6.noarch 2/3
Installing : logwatch-7.3.6-49.el6.noarch 3/3
Installed:
logwatch.noarch 0:7.3.6-49.el6
Dependency Installed:
perl-Date-Manip.noarch 0:6.24-1.el6 perl-YAML-Syck.x86_64 0:1.07-4.el6
Complete!
Stop unneeded services
Service list before stopping anything
# chkconfig
acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
auditd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
cpuspeed 0:off 1:on 2:off 3:off 4:off 5:off 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:off 3:off 4:off 5:off 6:off
haldaemon 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ip6tables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:off 3:on 4:on 5:on 6:off
kdump 0:off 1:off 2:off 3:off 4:off 5:off 6:off
lvm2-monitor 0:off 1:on 2:off 3:off 4:off 5:off 6:off
mdmonitor 0:off 1:off 2:off 3:off 4:off 5:off 6:off
messagebus 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpdate 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portreserve 0:off 1:off 2:off 3:off 4:off 5:off 6:off
postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off
psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off
quota_nld 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
smartd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:off 3:off 4:off 5:off 6:off
vsftpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Stop the following services
# chkconfig acpid off
# chkconfig --level=1 cpuspeed off
# chkconfig --level=1 lvm2-monitor off
# chkconfig ntpdate off
# chkconfig --level=1 udev-post off
ntp configuration
Check that it works with the default settings.
# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*ntp1.sakura.ad. 133.243.238.244 2 u 17 64 377 9.964 -0.070 0.143