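# Run on the host. Creates and registers an empty VM named "Kali Dev".
VBoxManage createvm --name "Kali Dev" --register

# Lists the guest OS type identifiers accepted by --ostype.
VBoxManage list ostypes

# Hardware profile: 64-bit Debian guest, 1024 MB RAM, 36 MB video RAM,
# DVD first in the boot order, one NAT adapter. "coreaudio" is the macOS
# host audio backend; pick the backend that matches your host.
# NAT keeps the guest unreachable from the LAN unless ports are forwarded.
VBoxManage modifyvm "Kali Dev" --ostype Debian_64 --memory 1024 --vram 36 \
  --audio coreaudio --audiocontroller ac97 --acpi on --boot1 dvd --nic1 nat

# 8192 MB dynamically allocated disk, a SATA (IntelAHCI) controller, and the
# disk attached to port 0 of that controller.
# The option is "--type" (one word); "-- type" is not accepted.
VBoxManage createhd --filename "Kali Dev.vdi" --size 8192 --variant Standard
VBoxManage storagectl "Kali Dev" --name "SATA" --add sata --controller IntelAHCI
VBoxManage storageattach "Kali Dev" --storagectl "SATA" --port 0 --device 0 \
  --type hdd --medium "Kali Dev.vdi"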
这三条命令分别为客户机 Kali Dev 创建好了一个大小为 8 G的动态硬盘、将类型为 IntelAHCI 的 SATA 控制器关联到 Kali Dev 上、再将 8 G 的动态硬盘关联到了 Kali Dev 客户机。至此,客户机 Kali Dev 创建完成,可通过下述方式查看它的所有参数设定
1 | $ VBoxManage showvminfo "Kali Dev" |
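# Run on the host: download the Fedora 18 live image used as the install medium.
cd ~/Downloads
wget http://mirrors.163.com/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-Desktop.iso

# The image comes from a mirror over plain HTTP, so nothing so far proves it is
# the image Fedora published. Print its digest and compare it with the value in
# the signed CHECKSUM file from the Fedora project before booting it.
sha256sum Fedora-18-x86_64-Live-Desktop.iso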
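# Run on the host: attach the live ISO as a DVD drive on SATA port 1.
# The option is "--type" (one word).
VBoxManage storageattach "Kali Dev" --storagectl "SATA" --port 1 --device 0 \
  --type dvddrive --medium ~/Downloads/Fedora-18-x86_64-Live-Desktop.iso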
1 | $ VBoxManage startvm "Kali Dev" |
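# Connectivity check from the live system. ping takes a host name, not a URL;
# -c 4 stops after four probes instead of running until interrupted.
ping -c 4 www.kali.org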
1 | $ su - |
1 2 | # fdisk -l # fdisk /dev/sda |
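#!/bin/bash
# fdisk_vm.sh - partition the VM disk non-interactively:
#   partition 1: 512 MB, type 82 (Linux swap)
#   partition 2: rest of the disk (root filesystem)
# This rewrites the partition table of VMDISK; everything on that disk is lost.
set -eu

VMDISK="/dev/sda"

# Stop early if the target is not a block device, instead of letting fdisk
# operate on (or create) an ordinary file of that name.
if [[ ! -b "${VMDISK}" ]]; then
  printf '%s is not a block device; refusing to partition it\n' "${VMDISK}" >&2
  exit 1
fi

# Answers fed to fdisk, one per line. An empty line accepts fdisk's default
# (first/last sector). Both partitions are created before the type change so
# that fdisk always asks which partition "t" applies to; the answer is 1,
# the swap partition. fdisk's output is left visible so a failed step is not
# hidden.
fdisk "${VMDISK}" <<EOF
n
p
1

+512M
n
p
2


t
1
82
w
EOF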
1 2 | # chmod +x fdisk_vm.sh # ./fdisk_vm.sh |
1 2 | # mkswap /dev/sda1 # mke2fs -j /dev/sda2 |
1 2 | # mkdir /mnt/kali # mount /dev/sda2 /mnt/kali |
1 | # swapon /dev/sda1 |
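# Run as root in the live system: fetch the debootstrap package.
cd ~/
wget http://http.kali.org/kali/pool/main/d/debootstrap/debootstrap_1.0.48+kali1_all.deb

# The .deb is fetched over plain HTTP and its payload is then unpacked over /
# as root, so verify it first. Replace <EXPECTED_SHA256> with the SHA256 value
# listed for this file in the repository's signed Packages index; the unpack
# only runs when the digest matches.
# ar is part of binutils; install that first if ar is missing.
echo "<EXPECTED_SHA256>  debootstrap_1.0.48+kali1_all.deb" | sha256sum -c - \
  && ar -xf debootstrap_1.0.48+kali1_all.deb \
  && tar zxvpf data.tar.gz -C /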
1 | # yum install binutils |
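# Run as root in the live system: bootstrap the base system into /mnt/kali.
# debootstrap can only check the Release file signature when it has a keyring
# for the archive. On a host without that keyring it may warn and continue
# without verification, and the mirror is plain HTTP. Supplying the archive
# keyring with --keyring=<PATH_TO_ARCHIVE_KEYRING> makes the check possible.
debootstrap --arch amd64 sid /mnt/kali http://http.kali.org/kali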
1 | # cp -L /etc/resolv.conf /mnt/kali/etc/resolv.conf |
1 2 3 | # mount -t proc none /mnt/kali/proc # mount -t sysfs none /mnt/kali/sys # mount -o bind /dev /mnt/kali/dev |
1 | # chroot /mnt/kali /bin/bash |
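# Run as root inside the chroot.
# Each "cat << EOF > /etc/apt/sources.list" below OVERWRITES the file, so only
# the last one you run takes effect. Treat them as alternatives and pick one.
# All entries use plain HTTP; integrity then rests entirely on apt's signature
# check of the Release files, so never bypass GPG errors from these sources.

# Alternative 1: kali, proposed updates and security updates.
cat << EOF > /etc/apt/sources.list
## Kali Official Repositories
deb http://http.kali.org/kali kali main non-free contrib
deb-src http://http.kali.org/kali kali main non-free contrib
## Kali proposed updates
deb http://http.kali.org/kali kali-proposed-updates main non-free contrib
deb-src http://http.kali.org/kali kali-proposed-updates main non-free contrib
## Security updates
deb http://security.kali.org/kali-security kali/updates main contrib non-free
deb-src http://security.kali.org/kali-security kali/updates main contrib non-free
EOF

# Alternative 2: kali-dev.
cat << EOF > /etc/apt/sources.list
## Kali Official Repositories
deb http://http.kali.org/kali kali-dev main non-free contrib
deb-src http://http.kali.org/kali kali-dev main non-free contrib
EOF

# Alternative 3: kali-bleeding-edge.
cat << EOF > /etc/apt/sources.list
## Kali Official Repositories
deb http://http.kali.org/kali kali-bleeding-edge main non-free contrib
deb-src http://http.kali.org/kali kali-bleeding-edge main non-free contrib
EOF

# Alternative 4: kali-rolling plus its security updates.
cat << EOF > /etc/apt/sources.list
## Kali Official Repositories
deb http://http.kali.org/kali kali-rolling main non-free contrib
deb-src http://http.kali.org/kali kali-rolling main non-free contrib
## Security updates
deb http://security.kali.org/kali-security kali-rolling/updates main contrib non-free
deb-src http://security.kali.org/kali-security kali-rolling/updates main contrib non-free
EOF

# Appends (>>) a Debian sid mirror to whichever list was written above.
# Packages can then come from two distributions at once, and apt needs the
# Debian archive keys in its keyring to verify this source.
echo "## Debian Offical Mirrors
deb http://mirrors.163.com/debian sid main non-free contrib
deb-src http://mirrors.163.com/debian sid main non-free contrib" >> /etc/apt/sources.list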
1 2 3 4 5 6 7 | # cat > /etc/apt/apt.conf.d/01apt << EOF APT::Default-Release "sid" ; APT::Get::Show-Upgraded "true" ; APT::Get::Purge "true" ; APT::Get::Show-Versions "true" ; APT::Cache::NamesOnly "true" ; EOF |
1 | # apt-get update |
1 2 | # apt-get install netselect-apt # netselect-apt |
1 | W: GPG error: http://http.kali.org lucid Release: The following signatures were invalid: BADSIG 54422A4B98AB5139 Oracle Corporation (VirtualBox archive signing key) |
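# Run as root inside the chroot.
# BADSIG means a signature was present but did not validate. That is not the
# same as a missing key (NO_PUBKEY): it can come from stale or corrupted index
# files, a caching proxy, or tampering in transit. Re-importing a key is
# therefore not automatically the right answer.
# The warning shown above names key 54422A4B98AB5139, while the commands below
# act on 16126D3A3E5C1192; use the ID from your own error message.
apt-key del 16126D3A3E5C1192
apt-get update
apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 16126D3A3E5C1192

# Anyone can upload a key to a public keyserver. Before relying on the import,
# list the keyring and compare the full fingerprint of the new key with the
# one the repository owner publishes over a trusted channel.
apt-key finger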
1 2 3 4 5 6 | # apt-get clean # Remove cached packages # cd /var/lib/apt # mv lists lists.old # Backup mirror info # mkdir -p lists/partial # Recreate directory structure # apt-get clean # apt-get update # Fetch mirror info |
1 | # apt-get install tzdata |
1 | # dpkg-reconfigure tzdata |
1 2 | # nano -w /etc/timezone Asia /Shanghai |
1 2 | # rm /etc/localtime # cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime |
1 | # nano -w /etc/default/rcS |
1 | UTC=no |
1 | # apt-get install locales |
1 | # dpkg-reconfigure locales |
1 2 3 4 5 6 | # nano -w /etc/locale.gen en_US.UTF-8 UTF-8 zh_CN.UTF-8 UTF-8 zh_CN.GB18030 GB18030 zh_CN.GB2312 GB2312 zh_CN.GBK GBK |
1 | # locale-gen |
1 | # apt-get install keyboard-configuration |
debconf 会自动提示用户设置键盘布局。如果以后想修改的话,可执行下述命令
1 | # dpkg-reconfigure keyboard-configuration |
1 | # apt-cache search linux-image |
1 | # apt-get install linux-image-3.7-trunk-amd64 |
1 2 | # apt-cache search linux-source # apt-get install linux-source-3.7 |
1 2 | # apt-get source linux-3.7 # tar jxf linux-source-3.7.tar.bz2 -C /usr/src/ |
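# /etc/network/interfaces: four alternative versions; keep exactly one.
# Edit as root inside the chroot, e.g.: nano -w /etc/network/interfaces
#
# In the static variants the network and broadcast values must belong to the
# same /24 as the address: 192.168.159.62 with netmask 255.255.255.0 lies in
# 192.168.159.0 and its broadcast address is 192.168.159.255.

# --- Variant 1: wired, static address ---
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.159.62
    network 192.168.159.0
    netmask 255.255.255.0
    broadcast 192.168.159.255
    gateway 192.168.159.1

# --- Variant 2: wired, DHCP ---
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

# --- Variant 3: wireless, static address ---
# wpa-psk stores the Wi-Fi passphrase in this file, which is normally readable
# by every local user. Restrict it (chmod 600 /etc/network/interfaces) if you
# keep a passphrase here.
auto lo
iface lo inet loopback

auto wlan0
iface wlan0 inet static
    address 192.168.159.62
    network 192.168.159.0
    netmask 255.255.255.0
    broadcast 192.168.159.255
    gateway 192.168.159.1
    wpa-essid yourssid
    wpa-psk yourpassword

# --- Variant 4: wireless, DHCP ---
auto lo
iface lo inet loopback

auto wlan0
iface wlan0 inet dhcp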
1 | # apt-get install iw wpasupplicant wireless-tools |
根据需要调整域名解析服务配置,这里只给出一个例子:
1 2 3 4 | # nano -w /etc/resolv.conf ## A simple example /etc/resolv.conf: nameserver 10.1.1.36 nameserver 192.168.9.100 |
1 | # echo "KALI" > /etc/hostname |
1 | # echo "127.0.0.1 KALI" >> /etc/hosts |
1 | # invoke-rc.d networking restart |
1 | # passwd |
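# Run as root inside the chroot.
apt-get install sudo

# Edit sudoers through visudo: it locks the file and syntax-checks it before
# saving, so a typo cannot leave sudo unusable.
visudo
#   Line to have in /etc/sudoers:
#     %sudo ALL=(ALL:ALL) ALL
#   Adding NOPASSWD: (as in "%sudo ALL=(ALL:ALL) NOPASSWD: ALL") lets every
#   process running as a member of the sudo group become root with no prompt.
#   Reserve that for a disposable VM.

# Create the regular user, then add it to the sudo group. The form
# "adduser USER -a GROUP" is not valid adduser syntax.
adduser easior
adduser easior sudo

# adduser already asks for a password; passwd changes it afterwards.
passwd easior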
1 2 3 4 5 | # cat /etc/fstab /dev/sda1 none swap sw 0 0 /dev/sda2 / ext4 noatime 0 1 /dev/cdrom /mnt/cdrom iso9660 noauto,ro 0 0 proc /proc proc defaults 0 0 |
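# Run as root inside the chroot.
apt-get install grub2

# On Debian-based systems the installer command is grub-install. The target is
# the disk partitioned earlier in this guide, /dev/sda, not /dev/hda.
grub-install /dev/sda
update-grub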
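# Leave the chroot, then run the rest as root in the live system.
exit

# Unmount in the reverse order of mounting: the bind and pseudo filesystems
# first, then the root filesystem itself.
umount /mnt/kali/dev
umount /mnt/kali/sys
umount /mnt/kali/proc
umount /mnt/kali

# swapoff needs the device that was enabled with swapon (/dev/sda1).
swapoff /dev/sda1
reboot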
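# Run on the host: detach the live ISO from SATA port 1, then unregister it.
# The option is "--type" (one word).
VBoxManage storageattach "Kali Dev" --storagectl "SATA" --port 1 --device 0 \
  --type dvddrive --medium none
VBoxManage closemedium dvd ~/Downloads/Fedora-18-x86_64-Live-Desktop.iso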
1 2 | login: easior password: |
1 | $ sudo apt-get install xserver-xorg |
1 2 | $ sudo apt-get install pciutils $ lspci |
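# X server core plus Intel video, evdev input and Synaptics touchpad drivers.
# The touchpad package is xserver-xorg-input-synaptics.
sudo apt-get install xserver-xorg-core xserver-xorg-video-intel \
  xserver-xorg-input-evdev xserver-xorg-input-synaptics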
1 | $ sudo apt-get install gnome-core kali-defaults kali-root-login desktop-base |
1 | $ sudo apt-get install gdm3 |
1 | $ sudo apt-get install gnome-icon-theme gnome-themes-standard |
1 | $ gnome-shell --replace |
1 | $ gsettings set org.gnome.desktop.session session-name gnome |
1 | $ gsettings set org.gnome.desktop.session session-name gnome-fallback |
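# File manager and its "open terminal here" extension; the second package
# name is one word, nautilus-open-terminal.
sudo apt-get install nautilus nautilus-open-terminal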
1 | $ sudo apt-get install alsa-utils gnome-media |
1 | $ sudo apt-get install network-manager network-manager-gnome |
需要注意,Linux 系统中有两套网络服务管理工具:由 ifupdown 提供的/etc/init.d/networking 以及由 network-manager 提供的 /etc/init.d/network-manager。前者常用于没有桌面环境的系统,后者应用于桌面环境,两套网络服务不能同时运行,但可以共存。前面已经由 /etc/init.d/networking 包接管了网络,若现在想换用 network-manager,请先停用它:
1 2 | $ sudo invoke-rc.d networking stop $ sudo update-rc.d networking disable |
接着开启 /etc/init.d/network-manager:
1 | $ sudo invoke-rc.d network-manager start |
若想完全由 network-manager 接管网络服务,作如下配置
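# /etc/NetworkManager/NetworkManager.conf
# Edit with: sudo nano -w /etc/NetworkManager/NetworkManager.conf
# The section is [ifupdown] and the key is "managed". With managed=true,
# NetworkManager also manages interfaces listed in /etc/network/interfaces.
[ifupdown]
managed=true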
其中 managed 由原先的 false 改成了 true。然后重启 /etc/init.d/network-manager 服务:
1 | $ sudo invoke-rc.d network-manager restart |
若觉得 ifupdown 包没有必要存在,可删除它
1 | $ sudo apt-get remove ifupdown |
1 | $ sudo apt-get install netspeed |
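# Archive manager; the package name is one word, file-roller.
sudo apt-get install file-roller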
1 | $ sudo apt-get remove --purge gnash |
1 | $ sudo apt-get install iceweasel iceweasel-l10n-zh-cn |
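# Installs the downloader package, then fetches and installs the plugin
# itself. The option is "--install" (one word).
sudo apt-get install flashplugin-nonfree
sudo update-flashplugin-nonfree --install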
1 | $ sudo apt-get install evolution |
1 | $ sudo apt-get install gdebi |
1 | $ sudo apt-get install synaptic |
1 | $ sudo apt-get install software-center |
1 | $ sudo apt-get install packagekit gnome-packagekit |
1 | $ sudo apt-get install acpi acpid hibernate cpufreqd hotkeys |
1 | $ sudo apt-get install hotplug usbutils discover |
1 | $ sudo apt-get install hdparm |
1 | $ sudo apt-get install rcconf |
1 | $ sudo apt-get install prelink |
1 | $ sudo prelink -am |
1 | $ sudo reboot |
1 | $ sudo apt-get install gnome-tweak-tool |
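# Chinese (WenQuanYi), Liberation and Microsoft core fonts. The package names
# start with "ttf-" (not "tff-"), and the Liberation package is
# fonts-liberation.
sudo apt-get install ttf-wqy-microhei ttf-wqy-zenhei fonts-liberation \
  ttf-mscorefonts-installer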
1 | $ mkdir -p ~/.fonts /truetype |
1 | $ sudo mkdir -p /usr/local/share/fonts/truetype |
1 | $ cp sim*.tt* ~/.fonts /truetype/ |
1 2 3 4 | $ sudo apt-get install xfonts-utils $ cd ~/.fonts /truetype/ $ mkfontscale $ mkfontsdir |
1 2 3 | $ sudo nano -w /etc/X11/Xorg .conf.d /10-fonts .conf FontPath "/usr/share/fonts/truetype/" FontPath "~/.fonts/truetype/" |
1 | $ fc-cache - v -f |
1 2 3 4 5 6 | $ su # cat << EOF > /etc/default/locale LC_ALL= "zh_CN.UTF-8" LANG= "zh_CN.UTF-8" EOF $ su easior |
1 2 3 4 | export LANG=zh_CN.GB18030 export G_FILENAME_ENCODING=@GB18030 export LC_ALL=zh_CN.GB18030 export G_BROKEN_FILENAMES=1 |
1 | $ sudo apt-get install manpages-zh |
1 | $ sudo apt-get install convmv iconv easytag |
1 | $ sudo apt-get install ibus ibus-rime |
1 | $ ibus-setup |
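# Kernel headers matching the running kernel (needed to build the guest
# modules via DKMS) plus the VirtualBox guest additions packages.
sudo apt-get install "linux-headers-$(uname -r)" virtualbox-guest-dkms \
  virtualbox-guest-x11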
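# Run on the host.
# Bidirectional clipboard and drag-and-drop give the guest access to whatever
# is on the host clipboard (including copied passwords) and vice versa. For a
# guest used for security testing, consider a one-way mode or "disabled".
VBoxManage modifyvm "Kali Dev" --clipboard bidirectional --draganddrop bidirectional

# The share name must match the one mounted inside the guest ("vbmedia").
# A quoted "~" is not expanded by the shell, so use $HOME for the host path.
# Add --readonly if the guest only needs to read from the folder.
VBoxManage sharedfolder add "Kali Dev" --name "vbmedia" --hostpath "$HOME/Downloads/"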
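# Run inside the guest.
# Check whether the shared-folder module is loaded, and load it if not.
lsmod | grep vboxsf
sudo modprobe vboxsf

# Load the module at every boot.
su -c 'echo vboxsf >> /etc/modules'

# Members of the vboxsf group may access shared folders.
sudo gpasswd -a easior vboxsf

# Mount the share named "vbmedia" and check that its contents are visible.
sudo mkdir /mnt/share/
sudo mount -t vboxsf vbmedia /mnt/share/
ls /mnt/share

# Persistent mount. An fstab entry has six fields: device, mount point,
# filesystem type (vboxsf), options ("defaults"), dump and pass.
su -c "echo 'vbmedia /mnt/share vboxsf defaults 0 0' >> /etc/fstab"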
1 | $ sudo apt-get install build-essential gcc-4.8-multilib gcc-4.8-locales gcc-4.8-doc gdb automake libtool |
安装更多的手册页,例如 C API 手册页、POSIX 函数以及开发文档的手册页、标准类库手册页、C++ API 手册页:
1 | $ sudo apt-get install manpages-dev manpages-posix manpages-posix-dev glibc-doc stl-manual libstdc++6-4.3-doc |
C/C++ 的集成开发环境 Linux 下也有很多集成开发环境可以选择,例如 Code::Blocks、CodeLite、Eclipse+cdt 等,这里选择安装 Code::Blocks,最好连带安装上它的插件需要的工具 valgrind、astyle、doxygen、cppcheck、cccc、cscope 等:
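# Code::Blocks and the external tools its plugins call. The formatter package
# is "astyle".
sudo apt-get install codeblocks valgrind astyle cppcheck cccc cscope doxygen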
Java 运行环境或者开发工具
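# Java runtime only. apt-get needs the "install" subcommand.
sudo apt-get install default-jre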
或者
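# Full Java development kit. apt-get needs the "install" subcommand.
sudo apt-get install default-jdk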
通常,默认安装是由 OpenJRE 或者 OpenJDK 提供的 Java。接着可以安装浏览器的 Java 插件了
1 | $ sudo apt-get install icedtea-7-plugin |
Java 集成开发环境
1 | $ sudo apt-get install eclipse |
1 | $ sudo apt-get install python-dev python-vte python-appindicator |
Python 的集成开发环境也有很多选择,例如 pycharm、Eclipse+pydev。通常选择前者,不过需要首先确认 Java 开发环境已经安装,然后便可以开始下载并安装它了
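# Download the PyCharm Community archive.
wget http://download-cf.jetbrains.com/python/pycharm-community-4.5.1.tar.gz

# The archive arrives over plain HTTP and is unpacked as root into /usr/local.
# Print its digest and compare it with the checksum the vendor publishes for
# this release before extracting.
sha256sum pycharm-community-4.5.1.tar.gz

sudo tar zxvf pycharm-community-4.5.1.tar.gz -C /usr/local/

# A profile.d script is sourced at login, so it must contain a shell statement.
# A bare directory path would only produce an error. The quoted 'EOF' keeps
# $PATH literal in the file so it is expanded at login, not now.
# NOTE(review): the archive may unpack to a versioned directory name; adjust
# the path (or create /usr/local/pycharm) to match what tar created.
sudo tee /etc/profile.d/pycharm-4.5.1.sh > /dev/null << 'EOF'
export PATH="$PATH:/usr/local/pycharm/bin"
EOF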
第一次运行 PyCharm,需先执行
1 | $ pycharm.sh |
以后执行非常简单。
1 | $ sudo apt-get install libgtk2.0-dev libgtk-3.0-dev devhelp libgtk2.0-doc |
若想使用 wxWidgets 作界面开发库,则
1 | $ sudo apt-get install wx3.0-doc libwxgtk3.0-dev python-wxgtk3.0-dev |
版本控制工具:
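# Version control tools. The command is apt-get, not "apte-get".
sudo apt-get install git gitg bzr subversion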
1 | $ sudo apt-get install bzip2 zip unzip gzip p7zip unrar arj |
1 | $ sudo apt-get install gnome-keyring seahorse pinentry-gtk2 keychain |
1 | $ sudo apt-get install keepassX |
1 | $ sudo apt-get install amule transmission transmission-cli ftp gftp wget gwget |
1 | $ sudo apt-get install openssh-client xtightvncviewer rdesktop |
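# Download the TeamViewer package.
wget http://download.teamviewer.com/download/teamviewer_linux_x64.deb

# dpkg -i runs the package's maintainer scripts as root and does no signature
# check of its own, and the file came over plain HTTP. Print the digest and
# compare it with a value obtained from the vendor over a trusted channel
# before installing.
sha256sum teamviewer_linux_x64.deb
sudo dpkg -i teamviewer_linux_x64.deb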
1 | $ sudo apt-get install xchat pan liferea |
1 2 | $ sudo dpkg --add-architecture i386 $ sudo apt-get update |
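# Download the i386 Skype package.
wget http://skype.tom.com/download/linux/skype-debian_4.2.0.11-1_i386.deb

# The file comes over plain HTTP and dpkg -i will run its maintainer scripts
# as root without any signature check. Print the digest and compare it with a
# value from a source you trust before installing.
sha256sum skype-debian_4.2.0.11-1_i386.deb
sudo dpkg -i skype-debian_4.2.0.11-1_i386.deb

# Bring the system up to date, then let apt (-f) pull in any dependencies the
# manual dpkg install left unsatisfied.
sudo apt-get upgrade
sudo apt-get install -f skype-debian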
1 | $ sudo apt-get install pcmanx-gtk2 qterm |
1 | $ sudo apt-get install nano emacs gedit |
1 | $ sudo apt-get install bluefish |
1 | $ sudo apt-get install evince |
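# Append the deb-multimedia repository to apt's sources, then refresh.
# This is a third-party archive: once its key is trusted, packages from it can
# replace packages of the same name from the main distribution.
su -c "echo 'deb http://www.deb-multimedia.org/ sid main non-free
deb-src http://www.deb-multimedia.org/ sid main non-free' >> /etc/apt/sources.list"
sudo apt-get update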
1 | W: GPG error: http://www.deb-multimedia.org sid InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907 |
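# Import the repository key named in the NO_PUBKEY warning.
sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 07DC563D1F41B907

# A public keyserver accepts uploads from anyone. List the keyring and compare
# the full fingerprint of the imported key with the one published by the
# repository owner before running apt-get update again.
sudo apt-key finger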
1 | $ sudo apt-get update |
1 | $ sudo apt-get install acroread-chfonts acroread acroread-plugins |
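# Download the i386 WPS Office package.
wget http://wdl.cache.ijinshan.com/wps/download/Linux/unstable/wps-office_8.1.0.3724~b1p2_i386.deb

# Enable the i386 architecture so the package's 32-bit dependencies resolve.
sudo dpkg --add-architecture i386
sudo apt-get update

# The file came over plain HTTP and dpkg -i runs its maintainer scripts as
# root without a signature check. Print the digest and compare it with a value
# from a source you trust before installing.
sha256sum wps-office_8.1.0.3724~b1p2_i386.deb
sudo dpkg -i wps-office_8.1.0.3724~b1p2_i386.deb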
1 | $ sudo apt-get install stardict-langdao-ec-gb stardict-oxford-gb stardict-xdict-ec-gb stardict-xdict-ce-gb stardict-langdao-ce-gb sdcv |
1 | $ sudo apt-get install gimp imagemagick eog |
1 | $ sudo apt-get install xchm chmsee |
1 | $ sudo apt-get install audacious mplayer smplayer gnome-mplayer |
1 | $ sudo apt-get install avidemux cinelerra lives pitivi winff ffmpeg |
1 | $ sudo apt-get install audacity mhwaveedit mencoder |
1 | $ sudo apt-get install brasero |
1 | $ sudo apt-get install gparted |
安装 plymouth
Debian 默认的启动画面确实很酷,但是一行一行的文字滚动确实很丑陋,为了不给人留下 Dos 命令行的错觉,还是装一个splash,让开机变得漂亮一点。有两种 splash 的选择,一个是 splashy,一个是 plymouth。不过 splashy 似乎有些过时,对 KMS 支持的不好。于是安装 plymouth。
1 | $ sudo apt-get install plymouth plymouth-themes-all |
安装以后,需要进行配置。修改 /etc/initramfs-tools/modules 添加以下三行
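# /etc/initramfs-tools/modules (note the trailing "s" in the file name)
# Edit with: sudo nano -w /etc/initramfs-tools/modules
# Lines to add for Intel graphics with kernel mode setting:
intel_agp
drm
i915 modeset=1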
如果使用的是 nvidia 或者 ATI 的显卡,设置会有所不同,具体参考 /usr/share/doc/plymouth 下的文档。接着修改grub 的配置文件
1 2 3 | $ sudo nano -w /etc/default/grub #GRUB_GFXMODE="" GRUB_CMDLINE_LINUX_DEFAULT= "quiet" |
修改为
1 2 | GRUB_CMDLINE_LINUX_DEFAULT= "quiet splash" GRUB_GFXMODE=1024x768 |
运行
1 | $ sudo update-grub2 |
使上面的修改生效。请喝杯茶继续,革命还未成功。先列出已安装的所有主题
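# List the installed Plymouth themes. The command name is one word,
# plymouth-set-default-theme.
sudo plymouth-set-default-theme --list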
设定主题
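# Select the "solar" theme. The command name is one word,
# plymouth-set-default-theme.
sudo plymouth-set-default-theme solar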
重新生成 initramfs
1 | $ sudo update-initramfs -u -k all |
安装 Dropbox,首先添加 Debian 源
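# Append the Dropbox repository to apt's source list. The file is
# /etc/apt/sources.list; apt does not read "source.list".
su -c "echo 'deb https://linux.dropbox.com/debian sid main
deb-src https://linux.dropbox.com/debian sid main' >> /etc/apt/sources.list"

# Needed so apt can fetch from https:// sources.
sudo apt-get install apt-transport-https

# Fetch the repository signing key over HTTPS.
wget https://linux.dropbox.com/fedora/rpm-public-key.asc

# A key added with apt-key is trusted for every configured repository, not
# only this one. Display its fingerprint and compare it with the one the
# vendor publishes before adding it.
gpg --with-fingerprint rpm-public-key.asc
sudo apt-key add rpm-public-key.asc
rm rpm-public-key.asc

sudo apt-get update
sudo apt-get install dropbox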
1 | $ sudo apt-get install python-gpgme |
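# Append the Google repositories to apt's source list. The file is
# /etc/apt/sources.list; "/etc/apt-source.list" is never read by apt.
su -c "echo 'deb http://dl.google.com/linux/chrome/deb/ stable main
deb http://dl.google.com/linux/earth/deb/ stable main
deb http://dl.google.com/linux/musicmanager/deb/ stable main
deb http://dl.google.com/linux/talkplugin/deb/ stable main
deb http://dl.google.com/linux/mod-pagespeed/deb/ stable main' >> /etc/apt/sources.list"

# Fetch the signing key over HTTPS. A key added with apt-key is trusted for
# every configured repository, so check its fingerprint against the one the
# vendor publishes before adding it.
wget https://dl-ssl.google.com/linux/linux_signing_key.pub
gpg --with-fingerprint linux_signing_key.pub
sudo apt-key add linux_signing_key.pub
rm linux_signing_key.pub

sudo apt-get update

# NOTE(review): package names are reproduced as given; confirm the exact names
# with "apt-cache search google" after the update.
sudo apt-get install google-chrome google-earth google-musicmanage google-talkplugin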
有关 Debian 更多的第三方仓库,请看 https://wiki.debian.org/UnofficialRepositories 的介绍。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | General setup ---> [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support (/usr/share/v86d/initramfs) Initramfs source file(s) Device Drivers -> Input Device Support ---> <*> Event Interface <*> Connector - unified userspace <-> kernelspace linker ---> Graphics support ---> [*] Support for frame buffer devices ---> [*] Enable firmware EDID <*> Userspace VESA VGA graphics support Console display driver support ---> [*] VGA text console [*] Enable Scrollback Buffer in System RAM (64) Scrollback Buffer Size (in KB) <*> Framebuffer Console support -*- Map the console to the primary display device [ ] Framebuffer Console Rotation [*] Support for the Framebuffer Console Decorations [ ] Select compiled-in fonts |
1 2 | $ lsmod | grep fb fbcon vesafb vga16b |
1 | $ sudo modprobe fbcon vesafb vga16b |
1 2 | $ sudo nano -w /etc/modules fbcon vesafb vga16b |
1 2 | $ sudo apt-get install hwinfo $ hwinfo --framebuffer | grep Mode |
1 | vga=0x317 |
1 | $ sudo apt-get install fbset |
1 | $ sudo apt-get install console-setup console-data |
1 | $ sudo apt-get install fbterm ibus-fbterm |
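# apt-get needs the "install" subcommand.
sudo apt-get install console-tools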
1 | $ sudo apt-get install lynx links2 w3m w3m-img |
1 | $ sudo apt-get install finch irssi |
1 | $ sudo apt-get install fbcat |
1 | $ sudo apt-get install fbi |
1 | $ sudo apt-get install fbida-fbgs |
1 | $ sudo apt-get install gpm |
1 | $ sudo /etc/init .d /gpm start |
J、在 Kali Linux 中开启 SELinux 与 iptables 防火墙
配置 SELinux,需要确认 Linux 内核与文件系统是否支持。目前包括 btrfs、ext2、ext3、ext4、jfs 与 xfs 在内的文件系统都是支持 SELinux。其次,凡是基于 Debian 内核的 Linux 系统都是具备了运行 SELinux 的能力。但是,如果内核是自行编译的话,请务必确认内核选项 CONFIG_AUDIT 与 CONFIG_SECURITY_SELINUX 已经开启。如果不然,请重新编译内核。一切就绪之后就可以开始配置 SELinux 了。 先安装 SELinux 的基本工具集以及默认策略:
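# SELinux tools, the default policy and the audit daemon.
sudo apt-get install selinux-basics selinux-policy-default auditd

# Prepare the system for SELinux. NOTE(review): per the Debian SELinux setup
# notes this changes the boot configuration and schedules a filesystem
# relabel, so reboot (and let the relabel finish) before the next step.
sudo selinux-activate

# After the reboot: report common problems with the installation.
sudo check-selinux-installation

# While still in permissive mode, read the logged denials and their causes.
# Anything listed here would be blocked once enforcing is on, so resolve it
# first. Reading the audit log may require root.
audit2why -al

# Switch to enforcing mode for the running system only. The setting does not
# survive a reboot.
sudo setenforce 1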
或者可以在 /etc/default/grub 中增加 enforcing=1 参数到内核命令行然后重启系统永久生效。
防火墙服务有很多,这里以最简单的方式提供,先安装软件
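sudo apt-get install iptables

# Write the ruleset. The file is written with "sudo tee" and a quoted heredoc:
# the rule comments contain apostrophes (doesn't, 'dmesg'), which would end
# the quoting early if the whole heredoc were wrapped in sh -c '...'.
# This file covers IPv4 only; IPv6 traffic needs its own ip6tables ruleset.
sudo tee /etc/iptables.rules > /dev/null << 'EOF'
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
# Only needed if this machine serves web traffic; delete these two rules otherwise.
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
# note that blocking other types of icmp packets is considered a bad idea by some
# remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
EOF

# Load the rules, list what is active, and review the open sockets.
sudo iptables-restore < /etc/iptables.rules
sudo iptables -L
netstat -nat

# Restore the rules before any interface comes up.
sudo tee /etc/network/if-pre-up.d/iptables > /dev/null << 'EOF'
#!/bin/bash
iptables-restore < /etc/iptables.rules
EOF

# Hook scripts in if-pre-up.d are only run when they are executable. Without
# this the firewall would silently not be loaded at boot.
sudo chmod +x /etc/network/if-pre-up.d/iptables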
防火墙服务配置完成。
K、最后,Kali Linux/Debian 的日常维护工作:
1 2 3 | $ sudo apt-get update $ sudo apt-get upgrade $ sudo apt-get dist-upgrade |