| lvm asm disk 安全

linux常用命令

2022年第二周笔记,lvm asm disk 基线扫描

AIX

1
2
3
4
5
6
7
8
9
upadm
show vlun
bootinfo -s hdiskx
cfgmgr -v
chmod 660 rhdisk16
chown grid:asmadmin rhdisk16
chdev -l hdisk16 -a reserve_policy=no_reserve
chdev -l hdiskX -a queue_depth=4 -P
lsattr -El hdisk19 |grep reser

LINUX

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
ls /sys/class/scsi_host/
echo "- - -" > /sys/class/scsi_host/host0/scan
echo "- - -" > /sys/class/scsi_host/host1/scan
echo "- - -" > /sys/class/scsi_host/host2/scan
fdisk -l
fdisk /dev/sda
n p 1 w
mkfs -t ext3 /dev/sdb1
mkdir /oradata
mount /dev/sdb1 /oradata
vi /etc/fstab
hostnamectl set-hostname ywsjk03
#tmpfs
unmount tmpfs
mount -t tmpfs -o size=156G /dev/shm
vi /etc/fstab
tmpfs  /dev/shm tmpfs defaults,size=156G 0 0 
#swap
dd if=/dev/zero of=/home/oracle/swap.file bs=1024m count=15
mkswap /home/oracle/swap.file
swapon /home/oracle/swap.file
grep Swap /proc/meminfo
vi /etc/fstab
/home/oracle/swap.file  swap                   swap    defaults 0 0
#图形界面
vi /etc/ssh/sshd_config
X11Forwarding yes 
##root用户: 
xhost +
access control diabled,clients can connect from any host
echo $DISPLAY
cp ./.Xauthority /home/oracle
##oracle 用户:
export DISPLAY=localhost:11.0
xhost +

LVM

1
2
3
4
5
6
7
8
9
pvcreate /dev/sdg
vgcreate vg_oradata /dev/sda /dev/sdb
vgextend vg_oradata /dev/sdg
vgdisplay vg_oradata
lvcreate -L 10G -n cslv vg_oradata
#lvremove  /dev/vg_oradata/cslv
lvextend -L +500G /dev/vg_oradata/lv_oradata
resize2fs  /dev/vg_oradata/lv_oradata
#fsck -f   /dev/vg_oradata/lv_oradata

ASM

1
2
3
4
# 外部冗余(external redundancy)  默认冗余(normal redundancy) 2倍  高度冗余(high redundancy) 3倍
create diskgroup data external redundancy disk '/dev/rlv_asm*';
alter diskgroup DATA add disk '/dev/rhdisk16'
alter system set asm_diskstring='/dev/rlv_asm*'

基线扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
touch /etc/ssh_banner 
chown bin:bin /etc/ssh_banner 
chmod 644 /etc/ssh_banner 
echo " Authorized only. All activity will be monitored and reported " > /etc/ssh_banner 
vi /etc/ssh/sshd_config
Banner /etc/ssh_banner 
PermitRootLogin no
Protocol 2
service sshd restart 

vi /etc/pam.d/su
auth sufficient /lib64/security/pam_rootok.so
auth required /lib64/security/pam_wheel.so  use_uid   group=wheel
usermod –G wheel user
groups user

vi /etc/login.defs
PASS_MIN_DAYS = 7
PASS_WARN_AGE = 30

echo "xxxxx" |passwd --stdin root

vi /etc/syslog.conf
*.* @loghost
/etc/init.d/rsyslog restart

chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group

rpm -qa|grep snmp
rpm -e net-snmp-5.5-41.el6.x86_64 --nodeps
rpm -e net-snmp-libs-5.5-41.el6.x86_64 --nodeps

cp -p /etc/sysctl.conf /etc/sysctl.conf.bak
sysctl -w net.ipv4.conf.all.accept_source_route=""0""
sysctl -w net.ipv4.conf.all.accept_redirects=""0""

vi /etc/init/control-alt-delete.conf
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

vi /etc/profile
export HISTFILESIZE=5
export TMOUT=300
export HISTSIZE=5

grub-md5-crypt
vi /boot/grub/menu.lst
password --md5 XXXXXXXX

vi /etc/securetty
#注释掉tty*项和pts/*
CONSOLE=/dev/tty01

#iptables
iptables -L
 #清空所有默认规则
iptables -F  
#开启全通
iptables -P INPUT ACCEPT 
#允许来自于lo接口的数据包(本地访问)
iptables -A INPUT -i lo -j ACCEPT
#ssh卡慢
iptables -A INPUT -m state --state  RELATED,ESTABLISHED -j ACCEPT
#常用操作
iptables -A INPUT -p tcp -s 192.168.0/24  --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -–dport 80 -s 124.115.0.0/24 -j DROP
#删除策略
iptables -D INPUT 顺序
#关闭全通
iptables -P INPUT DROP
#保存策略
service iptables save
systemctl enable iptables.service
systemctl start     iptables.service


#firewall
firewall-cmd --list-all
firewall-cmd --reload
systemctl start firewalld.service
systemctl stop firewalld.service
systemctl status firewalld
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="x.x.x.x" port protocol="tcp" port="1-65535" accept"
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="x.x.x.0/24" port port="1-65535" protocol="tcp" accept"

Linux Shell 并发操作

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
#!/bin/bash
v_dir=/var/lib/hadoop-hdfs/tools/pri_sp
v_exec_time=`date +%Y%m%d%H%M%S`
mkdir -p  $v_dir/log/$v_exec_time
#允许的进程数
THREAD_NUM=10
#定义描述符为9的管道
mkfifo tmp
exec 9<>tmp
#预先写入指定数量的换行符,一个换行符代表一个进程
for ((i=0;i<$THREAD_NUM;i++))
do
echo -ne "\n" 1>&9
done
while read -r line 
do
{
 #进程控制
 read -u 9
 { read v_ds v_tab v_hive<<< `echo $line |awk -F '|' '{print $1,$2,$3}'` 
   #echo $v_hive
   hive --hiveconf hive.cli.errors.ignore=true -e "$v_hive" >$v_dir/log/$v_exec_time/${v_ds}_${v_tab}.log 2>&1
   #sleep 20
   echo -ne "\n" 1>&9
 }&
}
done <$v_dir/pri_sp_list.ini
wait
echo "执行结束"
rm tmp
  • 代码段用&修饰可以变成后台执行,从而实现并发
  • 利用管道的存取来实现并发数控制,每次循环取一个管道的值,执行完之后写入管道,当管道无值时等待,从而实现固定数量的并发
ESC