Shulou(Shulou.com)06/02 Report--

Time server, log server, sudo time server

Centos7 later began to use chrony as a time server, chrony is compatible with NTP services. Listens on 123s (traditional NTP service ports) and 323s (chrony service ports) so that the client can be either ntp or chrony.

Next, time synchronization is explained by the fact that both the server and the client are chrony

Machine A: 172.20.10.5 (time server), machine B: 172.20.10.6 (client)

Machine A: install the chrony#yum install chrony-y modification configuration file vim / etc/chrony.confserver 0.centos.pool.ntp.org iburstallow 172.20.10.0/24server to specify the upper-level time synchronization server. Allow indicates that that IP segment is allowed to synchronize time with the local time server. Specify the 192.168.184.0ax 24 network segment to restart the chrony service # systemctl restart chronyd.service#ss-tunlp view port 323 after configuration

Machine B:

Install chronyyum install chrony-y to modify the configuration file # vim/etc/chrony.conf#server 0.centos.pool.ntp.org iburst#server 1.centos.pool.ntp.org iburst#server 2.centos.pool.ntp.org iburst#server 3.centos.pool.ntp.org iburstserver 172.20.10.5 iburst to comment out other server Configure chrony service with A machine as time server and restart client # systemctl restart chronyd.service#systemctl enable chronyd.service boot self-starting service to view synchronization source (time server) chronyc sources view synchronization status # chronyc sourcestats

two。 Log server

(1) in order to better manage the logs of applications and operating systems, using log servers for management, we need to use rsyslog, which is an upgraded version of the early syslog. It collects events during system boot startup, application startup, and the running of applications (especially service applications).

The format of the record is: event generation date and time host process PID event content.

Rsyslog features: multithreading, support for TCP, UDP, SSL, TLS, RELP protocols. It can store information in log, mysql and other database management systems. Log information can be filtered and the output format can be customized.

(2) install rsyslog

Yum install rsyslog its main program is rsyslogd, its configuration file is / etc/rsyslog.conf, / etc/rsyslog.d/*.conf main configuration file rsyslog.conf is mainly composed of three parts: MODULES represents loaded module list GLOBAL DIRECTIVES represents global configuration RULES represents logging rules (emphasis) where: the format of MODULES segment is $ModLoad module name if the module name is im, it means input module. If you start with om, the GLOBAL DIRECTIVES segment of the output module mainly defines some common settings, for example: $WorkDirectory indicates that the format of the RULES segment of the working directory is: facility.priority target where facility: facility, which classifies log collection functionally or programmatically, such as: auth,authpriv,cron,daemon,kern,lpr,mail,mark,news,security,user,uucp,local0~local7,syslogpriority: priority, log level, as follows (from left to right From low to high): debug,info,notice,warn (warning), err (error), crit (critical), alert,emerg (panic) specify levels: *: all levels None: no level; priority: this level and all levels above this level) = priority: this level only; generally requires that the log level is warn, that is, logs at warn and above warn should be logged. Debug-level logs are generally not opened in production, because too many logging will cause io to be busy. Target: log writes to the target file: writes log events to the specified file. The log file is usually located in the / var/log directory, and the file path is preceded by "-" to indicate that the file is written asynchronously. User: notify the specified user of the log event by sending the information to the terminal of the user logged on to the system. Log server: @ host, send the log to the specified server host, make sure that the host log server is listening and providing logging services on port 514 of tcp or udp protocol. Pipeline: | COMMAND sends it to a command for processing

(3) experiment:

Machine A: 172.20.10.5 (log server), machine B: 172.20.10.6 (client)

An on machine:

# yum install rsyslog modifies the configuration file vim / etc/rsyslog.conf#Provides UDP syslog reception$ModLoad imudp$UDPServerRun 514$ Provides TCP syslog reception$ModLoad imtcp$InputTCPServerRun 514 after removing the comments on the configuration lines, it will enable listening on port 514 agreed on by tcp and UDP. Restart the rsyslog service # systemctl restart rsyslog.service#ss-tunl to see port 514 listening.

On the B machine:

# yum install rsyslog modify configuration file # vim / etc/rsyslog.conf#*.info;mail.none;authpriv.none;cron.none / var/log/messages*.info;mail.none;authpriv.none Cron.none @ 172.20.10.5 change its target to @ log server IP and restart the client's rsyslog service # systemctl restart rsyslog.service so that no logs are recorded in / var/log/message on machine B. Instead, it is recorded on log server A, and the configuration file on the log server determines where the log is recorded. We did not change to the RULES log rule on machine A, so it is written to the log server / var/log/message (in order to see the effect, you need to set a different hostname in advance)

Save the log in the mysql device (A):

Install rsyslog-mysql module # yum install rsyslog-mysql View installation file location # rpm-ql rsyslog-mysql install mariadb database # yum install mariadb-server mariadb# vi / etc/my.cnf.d/ server.cnf [mysqld] skip_name_resolve=ONinnodb_file_per_table=ON start the database and import data systemctl start mariadb.service# mysql mysql > GRANT ALL ON Syslog.* TO 'rsyslog'@'192.168.184.%' IDENTIFIED BY' rsyspass';mysql > flush privileges;mysql > quit Modify the rsyslog configuration file # vi / etc/rsyslog.conf#### MODULES # $ModLoad ommysql#### RULES # * .info on the log server; mail.none;authpriv.none;cron.none: ommysql:192.168.184.136,Syslog,rsyslog,rsyspass loads the ommysql module and configures the target to ommysql, followed by: ommysql: database host, database name, database user, database password. Then restart rsyslog.service# systemctl restart rsyslog.service login user and logout user operation on machine B, and then check the database of machine An and find that a new record is generated.

Web display API: loganalyzer

Configure lamp combination httpd, php, php-mysql, php-gd install loganalyzer#tar xf loganalyzer-3.6.5.tar.gz#cp-r loganalyzer-3.6.5/src / var/www/html/loganalyzer#cp-r loganalyzer-3.6.5/contrib/*.sh / var/www/html/loganalyzer/#cd / var/www/html/loganalyzer/#chmod + x * .sh#. / configure.sh

3.sudo secure handoff

Sudo enables an authorized user to run a specified command as another user (usually the root user)

The authorization profile / etc/sudoers, but is generally edited using the visudo command. The system is abnormal due to misoperation.

Format of authorization profile:

Users hosts= (runas) commands

This means that users (groups) in the users list can run commands in the commands command list as runas users at the location of the hosts list.

The possible values for each field are:

Users: user name or uid% user group name or% gid of the originator of the sudo command (note here that the user needs to switch the basic group to this user group To use sudo) User_Alias user aliases hosts: allowed address ip address host name NetAddrHost_Alias host aliases runas: execute user name or uidRunas_Alias user aliases as a user commands: specified command list command (complete absolute path is recommended for commands)! Command means to prohibit a command directorysudoedit: special permission, which can be used to grant sudo permissions to other users. Cmnd_Alias command alias

All of these fields hosts,runas and commands can be represented by ALL.

How to define an alias:

ALIAS_TYPE NAME=item1,item2,item3,...NAME: alias name. You must use the all-uppercase character ALIAS_TYPE: User_Alias,Host_Alias,Runas_Alias. Users will be required to enter their own password when the Cmnd_Aliassodu command is executed. In order to avoid frequent secret verification and security, the successful authentication result can be recorded for a period of time. The default is 5 minutes, that is, there is no need to verify the user's password within 5 minutes.

To run the specified command as sudo

Sudo [options] COMMAND

-l lists the commands that the user can execute in the sudo configuration file-k clears the previous cache of the user's successful authentication results, and then verifies the user's password when running sudo again. If you want users to enter some commands without password verification, in the commands list section of the sudo configuration file, you can add "NOPASSWD" before the command list, and subsequent commands do not need a password. If some commands require a password, add "PASSWD" before them. So the commands list can be in this format: NOPASSWD does not need a password command list PASSWD requires a password command list security hint: in the sudo configuration file root ALL= (ALL) ALL%wheel ALL= (ALL) ALL there is no problem with the root user line configured above, but the% wheel line should be noted that if a user is added to the% wheel group When users switch from basic group to wheel group, they can run commands like root users. Examples of risky commands are as follows: sudo su-root can switch to root user sudo passwd root to change root user password without entering the original password. It is recommended that% wheel be changed to% wheel ALL= (ALL) all magnetism binmax root

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.