linux系统优化及安全全集
1、关闭不必要的服务
# Services this guide treats as unnecessary on a server: stop each one now and
# keep it from starting at boot (stop first, then disable, as before).
# NOTE(review): stopping NetworkManager hands interface management to the
# legacy "network" service — confirm that service is enabled before running
# this over SSH, or the session may be lost. rpcbind is needed by NFS.
for unit in NetworkManager postfix rpcbind; do
  systemctl stop "$unit"
  systemctl disable "$unit"
done
2、配置防火墙
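# Turn firewalld off; this guide manages the packet filter with iptables-services.
systemctl status firewalld
systemctl stop firewalld
systemctl disable firewalld
# Install the classic iptables service (rules live in /etc/sysconfig/iptables).
yum install iptables-services -y
# Whitelist: allow SSH (22) only from the management network. Edit the rules
# file and add the line below (target is ACCEPT; the original had the typo
# "ACCPET", which iptables-restore rejects). Adjust the subnet to your site.
#   -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
# NOTE(review): the stock file shipped by iptables-services already ACCEPTs
# --dport 22 from any source; remove that line as well, otherwise the
# whitelist restricts nothing.
vi /etc/sysconfig/iptables
systemctl enable iptables.service
systemctl start iptables.service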
3、关闭selinux
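# Disable SELinux persistently and for the running system.
# NOTE(review): this is a hardening regression — SELinux confines a compromised
# service; prefer keeping it enforcing (or permissive while debugging denials).
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
setenforce 0
# Speed up SSH logins: drop GSSAPI negotiation and the reverse-DNS lookup.
# The s/// expressions contain spaces, so they must be quoted — unquoted, sed
# received "yes/GSSAPIAuthentication" as the file name and edited nothing.
sed -ri 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -ri 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config  # fixes slow logins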
4、修改SSH端口
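# Move SSH to a non-default port (choose your own). The sed expressions
# contain spaces and must be quoted. Order matters on a remote host: open the
# new port in iptables *before* restarting sshd, otherwise the session drops
# and no new one can be opened.
sed -i 's/#Port 22/Port 10022/g' /etc/ssh/sshd_config
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config  # refuse empty-password accounts
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config  # faster logins
# Add this rule to /etc/sysconfig/iptables (the original line carried a stray
# trailing quote), then reload the rules before sshd moves:
#   -A INPUT -m state --state NEW -m tcp -p tcp --dport 10022 -j ACCEPT
# NOTE(review): add "-s <management subnet>" to this rule, otherwise the
# source whitelist from step 2 is bypassed on the new port. With SELinux
# enforcing, sshd also needs: semanage port -a -t ssh_port_t -p tcp 10022
vi /etc/sysconfig/iptables
systemctl restart iptables.service
systemctl restart sshd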
5、配置yum源
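# Replace the stock yum repositories with the Aliyun mirrors, keeping a backup.
# Guard the cd: if it fails, "mv *.repo" would otherwise run in the wrong dir.
cd /etc/yum.repos.d/ || exit 1
mkdir -p backup
mv -- *.repo backup/
# NOTE(review): the repo definitions are fetched over plain http. Prefer https
# for the download and check that the files keep gpgcheck=1 so packages are
# still signature-verified.
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all
yum makecache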
6、安装常用工具
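# Common tools. Two package names were misspelled in the original ("zib" ->
# zlib, "open" -> openssl) and a stray trailing quote left that command
# unterminated.
# NOTE(review): a compiler toolchain on a production host is usually left out
# of hardening baselines; install it on a build host if it is not needed here.
yum install lrzsz wget vim net-tools gcc gcc-c++ curl telnet unzip -y
# Network and performance monitoring
yum -y install telnet net-tools sysstat iftop lsof iotop htop dstat
# bash tab completion
yum -y install bash-completion
# Build toolchain and development headers
yum -y install cmake gcc gcc-c++ zlib zlib-devel openssl openssl-devel pcre pcre-devel curl
# Archive tools
yum -y install zip unzip bzip2 gdisk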
7、时间同步
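# Time sync, option A: one-shot ntpdate plus a cron entry.
yum install ntpdate -y
ntpdate time.windows.com
# The original lines had doubled quotes and "2 >&1": a literal "2" argument
# plus a no-op redirect, so stderr went to cron mail instead of /dev/null.
echo "*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1" >> /var/spool/cron/root
echo "*/20 * * * * /usr/sbin/ntpdate ntp.api.bz >/dev/null 2>&1" >> /var/spool/cron/root
# Time sync, option B: chronyd keeps the clock disciplined continuously.
# NOTE(review): use A or B, not both — ntpdate steps the clock underneath a
# running chronyd. Re-running this snippet also appends duplicate cron lines.
yum install chrony -y && systemctl enable chronyd && systemctl start chronyd
timedatectl set-timezone Asia/Shanghai && timedatectl set-ntp yes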
8、修改文件描述符
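# Raise per-process limits. `ulimit` only affects the current shell; the
# limits.conf entries apply to new PAM sessions (re-login to see them).
# The heredoc is appended, so running this twice duplicates the entries.
ulimit -SHn 65535
cat >> /etc/security/limits.conf <<'EOF'
* soft nproc 65535
* hard nproc 65535
* soft nofile 655350
* hard nofile 655350
EOF
# On CentOS 7 limits.d/20-nproc.conf is read after limits.conf and caps nproc
# at 4096 for non-root users; raise it too or the entry above is overridden.
sed -i 's#4096#65535#g' /etc/security/limits.d/20-nproc.conf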
9、优化Linux内核参数
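# Kernel/network tuning. Values are kept as the author set them; the
# settings only take effect after `sysctl -p` (added at the end) or a reboot,
# and the heredoc is appended, so running this twice duplicates every key.
# Review notes on individual keys:
#  - net.ipv4.ip_forward = 1 turns the host into a router; on a plain server
#    keep it 0 unless the box does NAT, routing or container networking.
#  - net.ipv4.tcp_tw_recycle was removed in Linux 4.12; after the kernel
#    upgrade in step 18 `sysctl -p` reports it as an unknown key (harmless,
#    but the line should be dropped).
#  - net.ipv4.tcp_timestamps = 0 disables the timestamps that
#    net.ipv4.tcp_tw_reuse = 1 relies on, so the reuse setting is ineffective,
#    and it also removes PAWS protection against wrapped sequence numbers.
#  - tcp_syn_retries / tcp_synack_retries = 1 make handshakes give up after a
#    single retransmission; connections over lossy links will fail quickly.
#  - net.ipv4.conf.default.rp_filter only covers interfaces created later;
#    net.ipv4.conf.all.rp_filter is the knob for existing ones.
cat >> /etc/sysctl.conf <<'EOF'
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 50000
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_tw_buckets = 50000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.ip_local_port_range = 1024 65535
vm.swappiness = 0
vm.min_free_kbytes = 524288
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 262144
fs.file-max = 1048576
EOF
# Apply now; without this the file is only read at the next boot.
sysctl -p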
10、修改root帐户密码
echo "$adDF12B" |passwd --stdin root #密码复杂化,最小8位,数字、字母大小写、特殊字符组合
11、远程5分钟无操作自动注销
vim /etc/profile
最后添加:
export TMOUT=300 ---5分钟自动注销下来
找到
HISTSIZE=1000
修改为:
HISTSIZE=100 --减少日记字节为100KB,太大内容过多容易漏重要信息。
12、禁止ping 用户使用ping不做任何反映
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all -- 禁止ping
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all -- 解除禁止ping操作
13、防止DOS攻击
vim /etc/security/limits.conf
加入以下配置:
* hard core 0
* hard rss 10000
* hard nproc 50
以上根据需求而定。注意:`* hard nproc 50` 与第8步写入的 `* hard nproc 65535` 相互冲突,两者只能保留一个。
14、注释不需要的用户和用户组
vi /etc/passwd 注释不需要的用户,“#”注释,如下:
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
vi /etc/group 注释不需要的用户组,如下:
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:
#news:x:9:13:news:/etc/news
15、限制ip登陆
vi /etc/hosts.deny
sshd:ALL
vi /etc/hosts.allow
sshd:192.168.0.1:allow
16、查看有登陆权限的用户
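# The awk programs must be quoted: unquoted "(...)" is a shell subshell, so the
# original lines were syntax errors, and the trailing Chinese notes would have
# been passed to awk as extra file names.
# Accounts whose login shell is /bin/bash.
# NOTE(review): other shells (/bin/sh, /bin/zsh, ...) also permit login;
# listing everything that is not /sbin/nologin or /bin/false is more complete.
awk -F: '($7=="/bin/bash"){print $1}' /etc/passwd
# Accounts with UID 0 — anything besides root needs an explanation.
awk -F: '($3==0)' /etc/passwd
# Accounts with an empty password field (no password required to log in).
awk -F: '($2=="")' /etc/shadow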
17、对Linux用户进行登录及操作进行记录(审计)
1.创建用户审计文件存放目录和审计日志文件 ;
touch /var/log/Command_history.log
2.将日志文件所有者赋予一个最低权限的用户;
chown nobody.nobody /var/log/Command_history.log
3.给该日志文件赋予所有人的写权限;
chmod 002 /var/log/Command_history.log
4.设置文件权限,使所有用户对该文件只有追加权限 ;
chattr +a /var/log/Command_history.log
5.编辑/etc/profile文件,添加如下任意脚本命令;
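export HISTORY_FILE=/var/log/Command_history.log
# Append every interactive command with timestamp, user, client IP, tty and
# cwd to the shared log. The value must be single-quoted: the original
# unquoted assignment is not one word, so bash split it into arguments of
# `export` and failed on the stray "}", and the $(history 1) would have been
# evaluated once at login rather than at each prompt. `read -r` keeps
# backslashes in the command text intact.
# NOTE(review): this is an accountability aid, not an audit control — a user
# can unset PROMPT_COMMAND or start another shell. Use auditd (e.g.
# pam_tty_audit) when tamper-resistant command logging is required.
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### USER:$USER IP:$SSH_CLIENT PS:$SSH_TTY ppid=$PPID pwd=$PWD #### $(history 1 | { read -r x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'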
6.使配置生效
source /etc/profile
18、升级内核
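# Kernel upgrade from ELRepo. Two paths are mixed here — a pinned kernel-ml
# 5.0.4 downloaded by hand, and kernel-lt from the repository; pick one.
wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-5.0.4-1.el7.elrepo.x86_64.rpm
wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-devel-5.0.4-1.el7.elrepo.x86_64.rpm
yum -y install kernel-ml-5.0.4-1.el7.elrepo.x86_64.rpm kernel-ml-devel-5.0.4-1.el7.elrepo.x86_64.rpm
# Import ELRepo's signing key first so the release package and every kernel
# pulled from the repo are signature-checked; the release rpm is fetched over
# plain http, and without the key rpm only warns (NOKEY) and installs anyway.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-4.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install -y kernel-lt
rpm -qa | grep kernel
# The original hard-coded entry name (kernel-lt-5.4.99-1...) only matches if
# that exact build was installed; the repo serves whatever is current. A newly
# installed kernel is typically entry 0 in grub.cfg, so select it by index
# and confirm the choice.
grub2-set-default 0
grub2-editenv list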
19、检查脚本运行用户是否为root
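# Abort unless running as root. The original test had no space in "!=0"
# ("[ 0 !=0 ]" is two operands with no operator, so test is malformed), and
# the doubled quotes left \033 unquoted, so the colour escapes were mangled.
if [ "$(id -u)" != 0 ]; then
  printf '\033[1;31m Error! You must be root to run this script! \033[0m\n' >&2
  exit 10
fi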
本文系作者 @河马 原创发布在河马博客站点。未经许可,禁止转载。