####################3. Disk encryption####################
1. Disk encryption
fdisk /dev/vdb
cryptsetup luksFormat /dev/vdb1
cryptsetup open /dev/vdb1 westos
mkfs.xfs /dev/mapper/westos
mount /dev/mapper/westos /mnt/
umount /mnt/
cryptsetup close westos
Disk encryption improves security but adds CPU load,
so usually only the important areas are encrypted.
Procedure:
encrypt first (fit a lid), unlock (open the lid), format (install a filesystem), mount, unmount, lock (close the lid)
2. Persistent mounting of an encrypted disk
vim /etc/crypttab
mapped-device name    device    passphrase file
redhat /dev/vdb1 /root/lukspsfile
vim /root/lukspsfile
passphrase
chmod 600 /root/lukspsfile
cryptsetup luksAddKey /dev/vdb1 /root/lukspsfile ##enrol the key file in a free LUKS key slot
vim /etc/fstab
/dev/mapper/redhat /mnt xfs defaults 0 0
reboot
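The crypttab/fstab procedure above, written as shell functions. This is an added example, not part of the original notes: device, mapping name and paths are the ones the notes use (/dev/vdb1, redhat, /root/lukspsfile), while the ROOT variable is this example's own assumption, redirecting the /etc and /root writes into a scratch directory so the functions can be exercised without touching the real system (ROOT empty means the real system, and then the cryptsetup step runs). The key file is created 0600 from the start and crypttab refuses a looser key file, since a world-readable key makes the encryption pointless.

```shell
#!/bin/bash
# Added example (not from the original notes): persist a LUKS mapping with
# a root-only key file. ROOT is an assumed prefix for /etc and /root; leave
# it empty on a real system.
ROOT="${ROOT:-}"

# The key file unlocks the volume without a passphrase, so it must be
# readable by root only.
keyfile_perms_ok() {
  [ "$(stat -c '%a' "$1")" = "600" ]
}

# Create a 64-byte random key; umask 077 makes it 0600 from the moment it exists.
make_keyfile() {
  ( umask 077 && head -c 64 /dev/urandom > "$1" ) && keyfile_perms_ok "$1"
}

# crypttab format, as in the notes: <mapped name> <device> <key file>
add_crypttab() {
  keyfile_perms_ok "$ROOT$3" || { echo "refusing: $3 is not mode 0600" >&2; return 1; }
  printf '%s %s %s\n' "$1" "$2" "$3" >> "$ROOT/etc/crypttab"
}

# fstab entry for the mapped device, as in the notes
add_fstab() {
  printf '/dev/mapper/%s %s xfs defaults 0 0\n' "$1" "$2" >> "$ROOT/etc/fstab"
}

# Whole procedure: key file -> enrol key in a LUKS slot -> crypttab -> fstab
luks_persist() {
  dev="$1"; name="$2"; key="$3"; mnt="$4"
  make_keyfile "$ROOT$key" || return 1
  if [ -z "$ROOT" ]; then
    cryptsetup luksAddKey "$dev" "$key" || return 1   # asks for an existing passphrase
  fi
  add_crypttab "$name" "$dev" "$key" && add_fstab "$name" "$mnt"
}

# On a real system (after luksFormat, as root):
#   luks_persist /dev/vdb1 redhat /root/lukspsfile /mnt
# Dry run into a scratch directory:
#   ROOT=/tmp/scratch; mkdir -p "$ROOT/etc" "$ROOT/root"
#   luks_persist /dev/vdb1 redhat /root/lukspsfile /mnt
```

After the real run, `cryptsetup luksDump /dev/vdb1` should show a second key slot in use; the reboot in the notes then unlocks the volume from the key file and mounts it from fstab.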
3. Removing the encryption
vim /etc/fstab
delete "/dev/mapper/redhat /mnt xfs defaults 0 0"
> /etc/crypttab
rm -fr /root/lukspsfile
umount /mnt/
cryptsetup close redhat
mkfs.xfs -f /dev/vdb1 ##overwrite the LUKS header with a plain filesystem
####################4. RAID (disk arrays)####################
watch -n 1 cat /proc/mdstat ##monitoring command
Baidu on "/proc/mdstat":
This file contains information about the RAID devices controlled by the md device driver.
fdisk /dev/vdb
t ##change the partition type id
fd ##Linux raid auto
mdadm -C /dev/md0 -a yes -l 1 -n 2 -x 1 /dev/vdb{1..3} ##create
-a ##create /dev/md0 automatically if it does not exist
-l ##RAID level (e.g. 0, 1, 5)
-n ##number of active disks in the raid (two here)
-x ##number of spare disks (one here)
mkfs.xfs /dev/md0
mount /dev/md0 /mnt/
mdadm -f /dev/md0 /dev/vdb1 ##set faulty
mdadm -D /dev/md0 ##detail
mdadm -r /dev/md0 /dev/vdb1 ##delete
mdadm -a /dev/md0 /dev/vdb1 ##add
umount /mnt/
mdadm -S /dev/md0 ##stop
--raid--
software raid: raid implemented in software
hardware raid: common in enterprises, needs a raid card
raid0: half the data on each of two disks, fast writes
raid1: complete data on both disks, fast reads
raid5: two disks in raid0, then raid1 with another one; wastes disks
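The watch command above only puts /proc/mdstat on screen; the check below reads the same file and flags arrays that have lost a member, which is what the "mdadm -f" step produces. This is an added example, not from the original notes; the mdstat text is constructed to look like the output after /dev/vdb1 has been marked faulty, not captured from a real machine, and the function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the original notes): find degraded md arrays in
# /proc/mdstat. SAMPLE_MDSTAT is constructed, not real output.
SAMPLE_MDSTAT='Personalities : [raid1]
md0 : active raid1 vdb3[2] vdb2[1] vdb1[0](F)
      1046528 blocks super 1.2 [2/1] [_U]

md1 : active raid1 vdc2[1] vdc1[0]
      1046528 blocks super 1.2 [2/2] [UU]

unused devices: <none>'

# Print the name of every array that has a failed member "(F)" on its
# device line or a missing member ("_" in the [UU]-style status line).
# $1 is the mdstat text.
degraded_arrays() {
  printf '%s\n' "$1" | awk '
    /^md[0-9]+ : / { name = $1; failed = ($0 ~ /\(F\)/) }
    /\[[U_]+\]/    { if (failed || $0 ~ /_/) print name }
  '
}

# Live check for a cron job or monitoring agent: exit 1 when anything is degraded.
check_live_mdstat() {
  [ -r /proc/mdstat ] || { echo "no md arrays on this host" >&2; return 0; }
  bad=$(degraded_arrays "$(cat /proc/mdstat)")
  [ -z "$bad" ] || { echo "degraded arrays: $bad" >&2; return 1; }
}
```

Run check_live_mdstat from cron; while an array is rebuilding after "mdadm -a" it still shows "[_U]" and is reported, which is the intended behaviour (the array is not redundant until the resync finishes).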
####################5. Quotas####################
mount -o usrquota /dev/vdb1 /pub ##set the mount option
quotaon -uv /dev/vdb1 ##enable disk quotas; "-u" user quotas (the default); "-v" verbose
edquota -u student ##edit a user's quota; "-u" user quotas (the default)
Disk quotas for user student (uid 1000):
Filesystem blocks soft hard inodes soft hard
/dev/vdb1 0 0 51200 0 0 0
"soft" is the soft limit and "hard" the hard limit; the soft limit cannot exceed the hard limit
su - student
dd if=/dev/zero of=/pub/file bs=1M count=51
dd: error writing ‘/pub/file’: Disk quota exceeded ##quota exceeded
51+0 records in
50+0 records out
52428800 bytes (52 MB) copied, 0.039447 s, 1.3 GB/s
quota
Disk quotas for user student (uid 1000):
Filesystem blocks quota limit grace files quota limit grace
/dev/vdb1 51200* 0 51200 1 0 0
quotaoff /dev/vdb1 ##disable disk quotas
Quotas are per partition: they set how much data a given user may write on that partition
vim /etc/fstab
/dev/vdb1 /pub xfs defaults,usrquota 0 0
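A small parser for the report that the quota command prints above, so the "*" that marks an exceeded soft limit can be picked up by a script instead of by eye. Added example, not from the original notes; the sample report is constructed to match the notes' output and the function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the original notes): list filesystems on which a
# user is over quota, from "quota" output. SAMPLE_QUOTA is constructed.
SAMPLE_QUOTA='Disk quotas for user student (uid 1000):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
      /dev/vdb1  51200*       0   51200               1       0       0'

# $1 = quota report text. Prints "<filesystem> <blocks>" for every line where
# the blocks value carries the "*" over-soft-limit marker or has reached the
# hard limit (column 4). Columns 1-4 keep their position whether or not a
# grace period is shown, so only those are used.
quota_violations() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^\/dev\// {
      blocks = $2; sub(/\*$/, "", blocks)
      hard = $4 + 0
      if ($2 ~ /\*$/ || (hard > 0 && blocks + 0 >= hard)) print $1, blocks
    }'
}

# Live check for one user, e.g. check_user_quota student
check_user_quota() {
  quota_violations "$(quota -u "$1" 2>/dev/null)"
}
```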
###################
##### 5.LVM #####
###################
LVM ##Logical Volume Manager
PV ##physical volume: a physical partition set up for lvm
VG ##volume group
PE ##physical extent, the smallest storage unit in lvm
pvs|pvdisplay ##report information about physical volumes
vgs|vgdisplay ##report information about volume groups
lvs|lvdisplay ##report information about logical volumes
Monitoring command:
watch -n 1 \
'echo "=== pvinfo ==="; \
pvs; \
echo "=== vginfo ==="; \
vgs; \
echo "=== lvinfo ==="; \
lvs; \
echo "=============="; \
df -h /mnt;'
####################1. Creating LVM####################
1. Use fdisk to create a physical partition and change its partition id to 8e
pvcreate /dev/vdb1
vgcreate westos /dev/vdb1
lvcreate -L 100M -n lv0 westos
mkfs.xfs /dev/westos/lv0
mount /dev/westos/lv0 /mnt/
####################2. Extending LVM####################
lvextend -L 200M /dev/westos/lv0
xfs_growfs /dev/westos/lv0
pvcreate /dev/vdb2
vgextend westos /dev/vdb2
lvextend -L 600M /dev/westos/lv0
Can be grown up to 18EB, because the maximum xfs filesystem size is 18EB
####################3. Shrinking LVM####################
umount /mnt/
e2fsck -f /dev/westos/lv0
resize2fs /dev/westos/lv0 550M
lvreduce -L 550M /dev/westos/lv0
pvmove /dev/vdb1 /dev/vdb2
vgreduce westos /dev/vdb1
pvremove /dev/vdb1
LVM shrinking depends on the filesystem: an xfs filesystem cannot be shrunk
When extending an ext4 filesystem, running resize2fs without a size fills the whole volume
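The extend and shrink sequences from sections 2 and 3 above, made filesystem-aware: xfs grows with xfs_growfs and refuses to shrink, ext4 grows with resize2fs and shrinks filesystem-first. Added example, not from the original notes; the volume and sizes are the notes' own, while fstype_of, the run wrapper and the DRY_RUN switch (echo the commands instead of running them) are this example's assumptions.

```shell
#!/bin/bash
# Added example (not from the original notes): filesystem-aware grow/shrink
# of a logical volume, using the command sequences from the notes.

# Echo instead of executing when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Filesystem type on the device (assumed helper, via blkid)
fstype_of() { blkid -o value -s TYPE "$1"; }

# Grow: extend the LV first, then the filesystem on it.
lv_grow() {
  lv="$1"; size="$2"
  fstype=$(fstype_of "$lv") || return 1
  run lvextend -L "$size" "$lv" || return 1
  case "$fstype" in
    xfs)            run xfs_growfs "$lv" ;;   # xfs grows while mounted
    ext2|ext3|ext4) run resize2fs "$lv" ;;    # no size given: fill the whole LV
    *) echo "don't know how to grow $fstype" >&2; return 2 ;;
  esac
}

# Shrink: filesystem first, LV second, and never on xfs (it cannot shrink;
# running lvreduce on it anyway would cut the end off the filesystem).
lv_shrink() {
  lv="$1"; size="$2"
  fstype=$(fstype_of "$lv") || return 1
  case "$fstype" in
    ext2|ext3|ext4) ;;
    xfs) echo "refusing: $lv holds xfs, which cannot be shrunk" >&2; return 2 ;;
    *)   echo "refusing: unknown filesystem '$fstype'" >&2; return 3 ;;
  esac
  if findmnt -n "$lv" >/dev/null 2>&1; then
    run umount "$lv" || return 1
  fi
  run e2fsck -f "$lv" || return 1
  run resize2fs "$lv" "$size" || return 1
  run lvreduce -L "$size" "$lv"
}

# Examples, as in the notes:
#   lv_grow /dev/westos/lv0 200M
#   lv_shrink /dev/westos/lv0 550M
#   DRY_RUN=1 lv_shrink /dev/westos/lv0 550M   # just prints the commands
```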
####################4. LVM snapshots####################
lvcreate -L 10M -n lv0-backup -s /dev/westos/lv0
-L ##Gives the size to allocate for the new logical volume.
-n ##Sets the name for the new logical volume.
-s ##snapshot
lvremove /dev/westos/lv0-backup
####################5. Removing LVM####################
umount /mnt
lvremove /dev/westos/lv0-backup
lvremove /dev/westos/lv0
vgremove westos
pvremove /dev/vdb2
fdisk /dev/vdb ##delete the partition
####################Using "<<"####################
---------------------------------
#!/bin/bash
fdisk /dev/vdb <<end
+1G
wq
end
:wq
----------------------------------
[root@localhost Desktop]# sh fdisk.sh
Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): Partition type:
p primary (1 primary, 0 extended, 3 free)
e extended
Select (default p): Using default response p
Partition number (2-4, default 2): First sector (2099200-20971519, default 2099200): Using default value 2099200
Last sector, +sectors or +size{K,M,G} (2099200-20971519, default 20971519): Partition 2 of type Linux and of size 1 GiB is set
Command (m for help): The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
[root@localhost Desktop]# fdisk -l /dev/vdb
Disk /dev/vdb: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xd640d34e
Device Boot Start End Blocks Id System
/dev/vdb1 2048 2099199 1048576 83 Linux
/dev/vdb2 2099200 4196351 1048576 83 Linux
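The same non-interactive fdisk run as the script above, with the here-document answers spelled out: one line per fdisk prompt, in the order the session output shows (n for a new partition, p for primary, an empty line for the default partition number, an empty line for the default first sector, the size, then w to write). The partprobe call afterwards addresses the "Device or resource busy" warning in the output. Added example, not from the original notes; the device and the +1G size are the notes' own, the function names are this example's.

```shell
#!/bin/bash
# Added example (not from the original notes): drive fdisk from a here
# document. Each line answers one prompt of "fdisk /dev/vdb".

# Print the answer script for "create one primary partition of size $1"
fdisk_answers() {
  cat <<END
n
p


$1
w
END
}

# Feed the answers to fdisk, then ask the kernel to re-read the new table
# instead of waiting for a reboot.
make_partition() {
  dev="$1"; size="$2"
  fdisk_answers "$size" | fdisk "$dev" || return 1
  partprobe "$dev"
}

# As in the notes:  make_partition /dev/vdb +1G
```

The two empty lines matter: they are the answers that make fdisk print "Using default value" in the output above, and dropping them shifts every later answer onto the wrong prompt.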
&#61;&#61;&#61;&#61;&#61;"<
root&#64;172.25.50.100&#39;s password:
Last login: Thu Nov 10 21:48:23 2016 from 172.25.50.250
[root@localhost ~]# exit
logout
Connection to 172.25.50.100 closed.
[root@foundation50 Desktop]# ssh root@172.25.50.100 <<end
> end
Pseudo-terminal will not be allocated because stdin is not a terminal.
root@172.25.50.100's password: ^C
[root@foundation50 Desktop]#
####################Expect####################
Expect is a tool for automating interactive sessions
spawn ##start a new process
expect ##wait for the expected string or regular expression
send ##take a string argument and send it to the process
interact ##hand control back to the user
set timeout 30 ##set the timeout to 30s; -1 means never time out
--expect syntax--
1. single-branch syntax
expect "hi" {send "You said hi"}
##when "hi" matches, output "You said hi"
2. multi-branch syntax
expect "hi" { send "You said hi\n" } \
"hello" { send "Hello yourself\n" } \
"bye" { send "That was unexpected\n" }
equivalent to
expect {
"hi" { send "You said hi\n"}
"hello" { send "Hello yourself\n"}
"bye" { send "That was unexpected\n"}
}
##when any one of "hi"/"hello"/"bye" matches, run the corresponding output
####################
[root@localhost ~]# yum install expect -y
...... (omitted)
[root@localhost ~]# ssh root@172.25.50.250
root@172.25.50.250's password:
Last login: Fri Nov 11 11:50:22 2016 from 172.25.50.100
[root@foundation50 ~]# exit
logout
Connection to 172.25.50.250 closed.
[root@localhost ~]# vim ssh.sh
---------------------------------
#!/usr/bin/expect
spawn ssh root@172.25.50.250
expect "*password*"
send "redhat\r"
interact
---------------------------------
##"\r" is a carriage return (Enter)
[root@localhost ~]# chmod u+x ssh.sh
[root@localhost ~]# ./ssh.sh
spawn ssh root@172.25.50.250
root@172.25.50.250's password:
Last login: Fri Nov 11 11:56:39 2016 from 172.25.50.100
[root@foundation50 ~]# exit
logout
Connection to 172.25.50.250 closed.
[root@localhost ~]#
####################
####################Repairing the MBR with a rescue disc####################
[root@localhost Desktop]# fdisk -l /dev/vda
Disk /dev/vda: 10.7 GB, 10737418240 bytes, 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x00000000
Device Boot Start End Blocks Id System
/dev/vda1 * 2048 20970332 10484142+ 83 Linux
[root@localhost Desktop]# dd if=/dev/zero of=/dev/vda bs=446 count=1
1+0 records in
1+0 records out
446 bytes (446 B) copied, 0.000197836 s, 2.3 MB/s
##Note: it must be exactly 446 bytes, not one more.
>The MBR is now destroyed; once the machine reboots it will not come up
>Restore it with the following command:
[root@localhost ~]# grub2-install /dev/vda
Installing for i386-pc platform.
Installation finished. No error reported.
>If you reboot directly without running the command above
[root@localhost Desktop]# reboot
>it hangs at "Booting from Hard Disk..." and goes no further
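Before an experiment like the dd command above, keep a copy of the first sector, and have a way to tell what state it is in: the 446 zeroed bytes leave the partition table and the 55 AA signature intact, which is why fdisk -l still looks normal while the machine no longer boots. Added example, not from the original notes; the device in the comments is the notes' /dev/vda, the function names and the checks are this example's own.

```shell
#!/bin/bash
# Added example (not from the original notes): back up and inspect a
# 512-byte MBR image (446 bytes boot code, 64 bytes partition table,
# 2 bytes signature).

# Save the whole first sector; restore later with
#   dd if=<backup> of=/dev/vda bs=512 count=1
backup_mbr() {
  dd if="$1" of="$2" bs=512 count=1 status=none
}

# True if bytes 510-511 of the image are 55 aa (a valid MBR signature)
mbr_signature_ok() {
  [ "$(od -An -v -tx1 -j 510 -N 2 "$1" | tr -d ' \n')" = "55aa" ]
}

# True if the 446-byte boot-code area is all zeros, i.e. the state that
# "dd if=/dev/zero of=/dev/vda bs=446 count=1" leaves behind. grub2-install
# as in the notes writes fresh boot code into this area.
bootcode_zeroed() {
  [ -z "$(od -An -v -tx1 -N 446 "$1" | tr -d ' \n0')" ]
}

# Typical use before the experiment:
#   backup_mbr /dev/vda /root/vda-mbr.bak
# and afterwards:
#   bootcode_zeroed /dev/vda && echo "boot code wiped, run grub2-install /dev/vda"
```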
=====System recovery with PXE=====
>PXE network installation was covered earlier and its configuration is still in place; only the changes are shown here
[root@foundation50 Desktop]# vim /var/lib/tftpboot/pxelinux.cfg/default
----------------------------------
88 label rescue
89 menu indent count 5
90 menu label ^Rescue a Red Hat Enterprise Linux system
91 text help
92 If the system will not boot, this lets you access files
93 and edit config files to try to get it booting again.
94 endtext
95 kernel vmlinuz
96 append initrd=initrd.img inst.stage2=hd:LABEL=RHEL-7.0\x20Server.x86_64 rescue quiet
Change line 96 to:
96 append initrd=initrd.img repo=http://172.25.50.250/rhel7.0 rescue quiet
:wq
----------------------------------
>In the VM manager, move "boot from network" to the top of the boot order
>Force off the VM, then start it again
Troubleshooting-->Rescue a Red Hat Enterprise Linux system
Select "Continue" to go to the next page
Note the prompt:
If you would like to make your system the root environment, run the command:
chroot /mnt/sysimage
sh-4.2# chroot /mnt/sysimage
bash-4.2# grub2-install /dev/vda
bash-4.2# exit
sh-4.2# exit
Reboot the system
>In the VM manager, move "boot from hard disk" to the top of the boot order
>Force off the VM, then start it again
The system is back to normal!!!
####################Password cracking####################
1. Boot the system from a rescue disc or PXE
2. chroot /mnt/sysimage
3. Edit "/etc/shadow": in the root line, clear the encrypted password field
4. Log in as root
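The state that step 3 leaves behind, an empty password field for root, is also what an administrator should be looking for on any machine: an account with an empty second field in /etc/shadow logs in with no password at all, unlike locked accounts whose field is "!" or "*". Added example, not from the original notes; the shadow lines are constructed (the hash is a placeholder, not a real one) and the function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the original notes): find accounts whose shadow
# password field is empty. SAMPLE_SHADOW is constructed; the hash is fake.
SAMPLE_SHADOW='root::17481:0:99999:7:::
bin:*:17481:0:99999:7:::
student:$6$saltsalt$hashhashhash:17481:0:99999:7:::
guest:!!:17481:0:99999:7:::'

# $1 = shadow-format text; prints each account whose password field is empty.
# "*" and "!"/"!!" are locked accounts and are not reported.
passwordless_accounts() {
  printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Live check (needs root to read /etc/shadow); exits 1 when any account
# can log in without a password.
check_shadow() {
  bad=$(passwordless_accounts "$(cat /etc/shadow)") || return 1
  [ -z "$bad" ] || { echo "passwordless accounts: $bad" >&2; return 1; }
}
```

On a machine recovered this way, run check_shadow right after setting a new root password with passwd; until then the empty field is exactly what the check reports.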