Tag archive: centos

How to install the WireGuard service on CentOS 7

Kernel module patch

Before installing WireGuard on CentOS 7 you need the WireGuard kernel module. The project offers three installation methods; pick any one of them:

System: CentOS 7.x
Kernel requirement: > 3.10 (uname -r)

### Method 1: a signed module is available as built-in to CentOS's kernel-plus:
$ sudo yum install yum-utils epel-release
$ sudo yum-config-manager --setopt=centosplus.includepkgs=kernel-plus --enablerepo=centosplus --save
$ sudo sed -e 's/^DEFAULTKERNEL=kernel$/DEFAULTKERNEL=kernel-plus/' -i /etc/sysconfig/kernel
$ sudo yum install kernel-plus wireguard-tools
$ sudo reboot
### Method 2: users wishing to stick with the standard kernel may use ELRepo's pre-built module:
$ sudo yum install epel-release elrepo-release
$ sudo yum install yum-plugin-elrepo
$ sudo yum install kmod-wireguard wireguard-tools
### Method 3: users running non-standard kernels may wish to use the DKMS package instead:
$ sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo curl -o /etc/yum.repos.d/jdoss-wireguard-epel-7.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
$ sudo yum install wireguard-dkms wireguard-tools

Reboot the server once the installation finishes.

Installing WireGuard with Docker

version: '3.5'
services:
  wireguard:
    image: weejewel/wg-easy
    restart: unless-stopped
    ports:
      - 51820:51820/udp
      - 51821:51821/tcp
    environment:
      - WG_HOST=wg.host.com
      - PASSWORD=password
      # - WG_PORT=51820
      # - WG_DEFAULT_ADDRESS=10.8.0.x
      - WG_DEFAULT_DNS=114.114.114.114
      # - WG_MTU=1420
      # - WG_ALLOWED_IPS=192.168.0.0/24, 10.8.0.0/24
      # - WG_PRE_UP=echo "Pre Up" > /etc/wireguard/pre-up.txt
      # - WG_POST_UP=echo "Post Up" > /etc/wireguard/post-up.txt
      # - WG_PRE_DOWN=echo "Pre Down" > /etc/wireguard/pre-down.txt
      # - WG_POST_DOWN=echo "Post Down" > /etc/wireguard/post-down.txt
    volumes:
      - ./data:/etc/wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1

# Reference: https://raw.githubusercontent.com/WeeJeWel/wg-easy/master/docker-compose.yml

Save the content above as docker-compose.yml and run docker-compose up -d to start the service. Open the server address in a browser (port 51821) to log in to the admin interface.

Notes:

  • The service usually sits behind a router or firewall: WG_PORT is the externally mapped port and WG_HOST is the external address clients connect to.
  • If WG_ALLOWED_IPS is set to 0.0.0.0, all client traffic is routed through the VPN, so set only the IP ranges that actually need to go through it.

Installing fail2ban on CentOS 7

yum install -y fail2ban
cp /etc/fail2ban/jail.{conf,local}
cat << EOF > /tmp/sshd.local
[sshd]
enabled = true
findtime = 1h
maxretry = 5
bantime = 1y
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/24
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
EOF
cp /tmp/sshd.local /etc/fail2ban/jail.d/sshd.local
systemctl enable --now fail2ban
systemctl restart fail2ban

Accepted abbreviations for time values:

years?, yea?, yy?
months?, mon?
weeks?, wee?, ww?
days?, da, dd?
hours?, hou?, hh?
minutes?, min?, mm?
seconds?, sec?, ss?
  • ? marks an optional character, so to set a time in days you can write days / day / da / dd / d
  • Several tokens can be combined, separated by spaces or written without any separator, e.g. 1y6mo or 1d12h30m
  • The tokens m and mm mean minutes; for months use the abbreviation mo or mon

Reference: https://denisrasulev.medium.com/server-protection-with-fail2ban-bfbe38a775b0
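To check that findtime and bantime in the jail above mean what you intend, here is a parser for fail2ban's duration syntax, added to this post as an example (it is not fail2ban's own code). It assumes fail2ban's approximations of a year as 365 days and a month as 30 days; jail_seconds and SAMPLE_JAIL are constructed for the example.

```python
import re
from configparser import ConfigParser

# Unit patterns as fail2ban documents them ("?" = optional letter); the
# multipliers are this example's assumption (year = 365 days, month = 30 days).
_UNITS = [
    (re.compile(r"years?|yea?|yy?"), 365 * 86400),
    (re.compile(r"months?|mon?"), 30 * 86400),
    (re.compile(r"weeks?|wee?|ww?"), 7 * 86400),
    (re.compile(r"days?|da|dd?"), 86400),
    (re.compile(r"hours?|hou?|hh?"), 3600),
    (re.compile(r"minutes?|min?|mm?"), 60),
    (re.compile(r"seconds?|sec?|ss?"), 1),
]
_TOKEN = re.compile(r"\s*(\d+)\s*([a-z]*)")  # "<number><unit>", unit optional


def str2seconds(value):
    """Convert '1y6mo', '1d 12h 30m', '5 min' or a bare '600' to seconds;
    raise ValueError on an unknown unit or leftover text."""
    text = value.strip().lower()
    pos, total = 0, 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse duration near {text[pos:]!r}")
        number, unit, mult = int(m.group(1)), m.group(2), 1  # bare = seconds
        if unit:
            for pattern, mult in _UNITS:  # first full match wins
                if pattern.fullmatch(unit):
                    break
            else:
                raise ValueError(f"unknown unit {unit!r} in {value!r}")
        total += number * mult
        pos = m.end()
    return total


def jail_seconds(jail_text):
    """Return findtime and bantime of the [sshd] jail in seconds."""
    cp = ConfigParser(interpolation=None)  # keep %(sshd_log)s literal
    cp.read_string(jail_text)
    return {k: str2seconds(cp["sshd"][k]) for k in ("findtime", "bantime")}


# Constructed sample with the same [sshd] values as the jail.local above.
SAMPLE_JAIL = "[sshd]\nenabled = true\nfindtime = 1h\nmaxretry = 5\nbantime = 1y\n"
```

Run jail_seconds(open("/etc/fail2ban/jail.d/sshd.local").read()) against the real file to see the effective window and ban length before restarting fail2ban.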

Upgrading the CentOS 7 kernel

Import the ELRepo repository's public key

rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org

Install the ELRepo yum repository

rpm -Uvh https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm

Load the elrepo-kernel metadata

yum --disablerepo="*" --enablerepo="elrepo-kernel" repolist

List the available kernel packages: lt is the long-term maintenance release, ml is the latest mainline stable release

yum --disablerepo="*" --enablerepo="elrepo-kernel" list available

Install the latest kernel: kernel-lt for the long-term release, or kernel-ml for the latest stable release

yum --enablerepo=elrepo-kernel install -y kernel-lt

List the available kernel versions and their boot order

awk -F\' '$1=="menuentry " {print i++ " : " $2}' /boot/grub2/grub.cfg

Install the helper tool

yum install -y grub2-pc

Set the default kernel boot entry

grub2-set-default 0

Edit the /etc/default/grub file

Change GRUB_DEFAULT=saved to GRUB_DEFAULT=0

Generate the grub configuration file

grub2-mkconfig -o /boot/grub2/grub.cfg

Remove the old kernel tools packages (optional)

yum remove kernel-tools-libs.x86_64 kernel-tools.x86_64

Upgrade the kernel tools packages

yum --disablerepo=\* --enablerepo=elrepo-kernel install -y kernel-lt-tools.x86_64

Installing a graphical interface on CentOS 7

yum groupinstall "Server with GUI"

gnome

yum update -y
yum groupinstall "GNOME Desktop" -y

kde

yum groupinstall "KDE Plasma Workspaces" -y
# Chinese language support
yum install kde-l10n-Chinese

After installing the Chinese language pack, set the preferred language to Chinese in the locale settings, then log out and log back in.

Boot into the graphical interface automatically

ln -sf /lib/systemd/system/runlevel5.target /etc/systemd/system/default.target

If you only need client-side GUI applications over an SSH connection and get X11 forwarding request failed on channel 0, install the following package:

yum install xorg-x11-xauth

Setting the maximum number of connections for applications on CentOS 7

Edit /etc/systemd/system.conf and add the following options:

[Manager]
DefaultLimitCORE=infinity
DefaultLimitNOFILE=10240000
DefaultLimitNPROC=10240000

Apply the configuration:

sudo systemctl daemon-reload

Services must be restarted to pick up the new limits, for example:

sudo systemctl restart nginx

Verify:

cat /proc/[PID]/limits
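As an added example that is not part of the original post, a small Python checker that parses /proc/<pid>/limits output and compares it with the values the system.conf settings above should produce. SAMPLE_LIMITS is a constructed sample, and EXPECTED, parse_limits and check_limits are this example's own names.

```python
import re

# Constructed sample in the layout of /proc/<pid>/limits (not captured from a
# real host); the numbers are what the system.conf settings above should give.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max core file size        unlimited            unlimited            bytes
Max open files            10240000             10240000             files
Max processes             10240000             10240000             processes
"""
_LINE = re.compile(r"^(Max [a-z ]+?)\s{2,}(unlimited|\d+)\s+(unlimited|\d+)")

# Values the DefaultLimit* lines are expected to yield; None means unlimited.
EXPECTED = {"Max core file size": None,
            "Max open files": 10240000,
            "Max processes": 10240000}


def parse_limits(text):
    """Return {name: (soft, hard)} from limits text; 'unlimited' becomes None."""
    limits = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            soft, hard = [None if v == "unlimited" else int(v) for v in m.group(2, 3)]
            limits[m.group(1)] = (soft, hard)
    return limits


def check_limits(text, expected=EXPECTED):
    """List every limit that is missing or lower than expected
    (an expected None is satisfied only by 'unlimited')."""
    actual = parse_limits(text)
    problems = []
    for name, want in expected.items():
        if name not in actual:
            problems.append(f"{name}: not present")
            continue
        for kind, have in zip(("soft", "hard"), actual[name]):
            if have is not None and (want is None or have < want):
                problems.append(f"{name} ({kind}): {have} below {want or 'unlimited'}")
    return problems
```

On a real host, run check_limits(open(f"/proc/{pid}/limits").read()) with the main PID of the service you restarted; an empty list means the limits took effect.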

Adding a new network interface on CentOS

Show the current interfaces

nmcli con show

  • Go to /etc/sysconfig/network-scripts/
  • Copy an existing interface configuration (e.g. ifcfg-eth0)
  • In the new file, change the core NAME, UUID and DEVICE settings, then adjust the IP and other settings as needed (see the reference for the method)

Switching CentOS 7 to the Aliyun mirror

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.bak
curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all
yum makecache

Installing MySQL on CentOS 7

wget http://dev.mysql.com/get/mysql57-community-release-el7-8.noarch.rpm
yum localinstall mysql57-community-release-el7-8.noarch.rpm
yum install mysql-community-server

You can edit the /etc/yum.repos.d/mysql-community.repo file to change which MySQL version is installed by default. For example, to install 5.6, change enabled=1 to enabled=0 in the 5.7 section, then change enabled=0 to enabled=1 in the 5.6 section.

Installing MariaDB with yum on CentOS 7

On CentOS 7, MySQL has been replaced by MariaDB.

Put the following content into the file /etc/yum.repos.d/MariaDB.repo

# MariaDB 10.4 CentOS repository list - created 2019-11-27 06:40 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.4/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

Other distributions: https://downloads.mariadb.org/mariadb/repositories/

Install

yum install mariadb mariadb-server
systemctl start mariadb   # start mariadb
systemctl enable mariadb  # enable start at boot
mysql_secure_installation # set the root password and related options
mysql -uroot -p           # test login

Clearing the yum cache on CentOS 7

Fix for the 正在尝试其它镜像 ("Trying other mirror") message during a CentOS 7 update:

sudo yum clean all && sudo yum clean metadata && sudo yum clean dbcache && sudo yum makecache && sudo yum update