安裝linux系統後調優及安全設置
阿新 • • 發佈:2017-11-06
ras sync 完成 sap ssh連接 bin 建議 歷史 2.6
環境說明:
[root@server1 ~]# cat /etc/redhat-release CentOS release 6.9 (Final) [root@server1 ~]# uname -r 2.6.32-696.el6.x86_64
1、更改yum源:
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup <<-備份系統自帶yum源 wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo <<—國內使用阿裏雲yum源速度比較快wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo 註:鏡像官方網址http://mirrors.aliyun.com/ 如有自建yum倉可以更改成自建yum倉地址信息
2、關閉selinux
永久關閉(需要重啟系統) sed -i ‘s/SELINUX=enforcing/SELINUX=disabled/‘ /etc/selinux/config 臨時關閉(無需重啟) setenforce 0 數字0表示Premissive,即給出警告提示,不會阻止操作,相當於disabled 數字1表示Enfocing,即表示SELinux為開啟狀態getenforce <<-查看selinux當前狀態
3、關閉iptables
/etc/init.d/iptables stop <<-關閉iptables服務 /etc/init.d/iptables status <<-查看iptables狀態 chkconfig iptables off <<—開機啟動關閉
4、精簡開機啟動
chkconfig|egrep -v "crond|sshd|network|rsyslog|sysstat"|awk ‘{print "chkconfig",$1,"off"}‘|bash <<-關閉服務 chkconfig --list|grep 3:on <<-檢查開機啟動的服務
5、更改字符集(選做)
cp /etc/sysconfig/i18n /etc/sysconfig/i18n.ori echo ‘LANG="zh_CN.UTF-8"‘ >/etc/sysconfig/i18n source /etc/sysconfig/i18n echo $LANG
6、普通用戶提權(mmod)
useradd mmod echo 123456|passwd --stdin mmod \cp /etc/sudoers /etc/sudoers.ori echo "mmod ALL=(ALL) NOPASSWD: ALL " >>/etc/sudoers tail -1 /etc/sudoers visudo -c
7、時間同步
echo ‘#time sync by mmod at 2015-2-1‘ >>/var/spool/cron/root echo ‘*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1‘ >>/var/spool/cron/root crontab -l 註:集群中有時間服務器,更改成時間服務器地址
8、命令行安全(選配)
設置閑置賬號超時時間
echo ‘export TMOUT=300‘ >>/etc/profile
命令行歷史記錄數 echo ‘export HISTSIZE=5‘ >>/etc/profile echo ‘export HISTFILESIZE=5‘ >>/etc/profile tail -3 /etc/profile ./etc/profile
9、加大文件描述
echo ‘* - nofile 65535‘ >>/etc/security/limits.conf tail -1 /etc/security/limits.conf
10、內核優化
cat >>/etc/sysctl.conf<<EOF net.ipv4.tcp_fin_timeout = 2 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_keepalive_time = 600 net.ipv4.ip_local_port_range = 4000 65000 net.ipv4.tcp_max_syn_backlog = 16384 net.ipv4.tcp_max_tw_buckets = 36000 net.ipv4.route.gc_timeout = 100 net.ipv4.tcp_syn_retries = 1 net.ipv4.tcp_synack_retries = 1 net.core.somaxconn = 16384 net.core.netdev_max_backlog = 16384 net.ipv4.tcp_max_orphans = 16384 #以下參數是對iptables防火墻的優化,防火墻不開會提示,可以忽略不理。 net.nf_conntrack_max = 25000000 net.netfilter.nf_conntrack_max = 25000000 net.netfilter.nf_conntrack_tcp_timeout_established = 180 net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120 net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60 net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120 EOF sysctl –p <<-配置完成後查看
11、下載安裝基礎軟件
yum install lrzsz nmap tree dos2unix nc -y
12、定時清理郵件服務臨時目錄垃圾文件
centos 5版本 find /var/spool/clientmqueue/ -type f | xargs rm -f centos 6.x版本 find /var/spool/postfix/maildrop/ -type f | xargs rm -f 寫成腳本,做定時任務 mkdir -p /server/scripts/ echo "find /var/spool/postfix/maildrop/ -type f | xargs rm -f " > /server/scripts/del_mailfile.sh echo "00 00 * * * /bin/bash /server/scripts/del_mailfile.sh > /dev/null 2>&1"
13、隱藏linux版本信息顯示
[root@server1 ~]# > /etc/issue [root@server1 ~]# > /etc/issue.net [root@server1 ~]# cat /etc/issue.net [root@server1 ~]# cat /etc/issue
14、鎖定關鍵系統文件,防止被提權篡改
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
使用lsattr 進行查看,chattr -i進行解鎖
15、為grub菜單加密
先利用/sbin/grub-md5-crypt 產生一個MD5密鑰串,命令如下: [root@m01 ~]# /sbin/grub-md5-crypt Password: Retype password: $1$SQxvZ/$AXRHUbkNy9EkDHtmoEoQS0 修改grub.conf文件,命令如下: [root@m01 ~]# vim /etc/grub.conf # grub.conf generated by anaconda # # Note that you do not have to rerun grub after making changes to this file # NOTICE: You have a /boot partition. This means that # all kernel and initrd paths are relative to /boot/, eg. # root (hd0,0) # kernel /vmlinuz-version ro root=/dev/sda3 # initrd /initrd-[generic-]version.img #boot=/dev/sda default=0 timeout=5 splashimage=(hd0,0)/grub/splash.xpm.gz hiddenmenu passwd --md5 $1$SQxvZ/$AXRHUbkNy9EkDHtmoEoQS0 #註意:password要加在splashimage和title之間,否則無法生效 title CentOS 6 (2.6.32-696.el6.x86_64) root (hd0,0) kernel /vmlinuz-2.6.32-696.el6.x86_64 ro root=UUID=33ec961c-16e1-4234-bdbf-644bfdabf1eb rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us rd_NO_MD crashkernel=auto LANG=zh_CN.UTF-8 rd_NO_LV
16、禁止linux系統被ping(選配)
echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf sysctl -p
拓展:設置特定ip可以ping
iptables -t filter -I INPUT -p icmp --icmp-type 8 -i eth0 -s 10.0.0.0/24 -j ACCEPT
17、升級具有典型漏洞
查看相關軟件的版本號,命令如下: [root@m01 ~]# rpm -qa openssl openssh bash openssl-1.0.1e-57.el6.x86_64 bash-4.1.2-48.el6.x86_64 openssh-5.3p1-122.el6.x86_64 升級已知漏洞的軟件版本到最新,命令如下: yum install openssl openssh bash -y
18、更改ssh服務端遠程登錄的配置
1 修改默認文件路徑 2 vim /etc/ssh/sshd_config 3 4 修改的參數 5 port #端口 6 PermitEmptyPasswords #是否允許密碼為空的用戶遠程登錄 7 PermitRootLogin #是否允許root登錄 8 UseDNS #指定sshd是否應該對遠程主機名進行反向解析,以檢查主機名是否與其IP地址真實對應。默認yes.建議改成no ,否則可能會導致SSH連接很慢。 9 GSSAPIAuthentication no #解決linux之間使用SSH遠程連接慢的問題 10 ListenAddress #監聽指定的IP地址 11 12 批量操作: 13 sed -ir ‘13 iPort 55666\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\nGSSAPIAuthentication no‘ /etc/ssh/sshd_config
安裝linux系統後調優及安全設置