Linux system optimization and security: the complete collection
1. Stop services you do not need
systemctl stop NetworkManager
systemctl disable NetworkManager
systemctl stop postfix
systemctl disable postfix
systemctl stop rpcbind
systemctl disable rpcbind

2. Configure the firewall
# stop firewalld
systemctl status firewalld
systemctl stop firewalld
systemctl disable firewalld
# switch to iptables
yum install iptables-services -y
# add a whitelist rule: allow SSH (port 22) only from the addresses your environment needs
vi /etc/sysconfig/iptables
-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
systemctl enable iptables.service
systemctl start iptables.service
The rule has to sit above the final REJECT rule of the INPUT chain, otherwise it is never reached.

3. Disable SELinux
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
setenforce 0
setenforce 0 only switches the running system to permissive mode; the config change takes effect at the next boot. Be aware that this removes the mandatory access control layer. If you leave SELinux enforcing instead, the new SSH port chosen in step 4 must also be labelled ssh_port_t or sshd will fail to bind it.

4. Change the SSH port and tighten sshd_config
sed -i 's/#Port 22/Port 10022/g' /etc/ssh/sshd_config   # pick your own port
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config   # refuse logins to accounts with an empty password
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config   # fixes slow logins
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config   # no reverse DNS lookup on connect, speeds up SSH login
systemctl restart sshd
vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10022 -j ACCEPT
These sed patterns match only the stock commented-out defaults (for example "#Port 22"); if a line is already uncommented or was changed earlier, nothing happens, so inspect the file afterwards. Open the new port in iptables (and reload iptables) before restarting sshd, and keep your current session open until a login on the new port has succeeded.

5. Configure the yum repositories
cd /etc/yum.repos.d/
mkdir backup
mv *.repo backup/
wget -O /etc/yum.repos.d/CentOS-Base.repo   # mirror URL not preserved in the source
wget -O /etc/yum.repos.d/epel.repo          # mirror URL not preserved in the source
yum clean all
yum makecache

6. Install common tools
yum install lrzsz wget vim net-tools gcc gcc-c++ curl telnet unzip -y
# network and performance monitoring tools
yum -y install telnet net-tools sysstat iftop lsof iotop htop dstat
# bash tab completion
yum -y install bash-completion
# build tools and development headers
yum -y install cmake gcc gcc-c++ zlib zlib-devel openssl openssl-devel pcre pcre-devel curl
# archive tools
yum -y install zip unzip bzip2 gdisk

7. Time synchronization
yum install ntpdate -y
ntpdate time.windows.com
echo "*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1" >> /var/spool/cron/root
echo "*/20 * * * * /usr/sbin/ntpdate ntp.api.bz >/dev/null 2>&1" >> /var/spool/cron/root
# or, with chrony:
yum install chrony -y && systemctl enable chronyd && systemctl start chronyd
timedatectl set-timezone Asia/Shanghai && timedatectl set-ntp yes
Use one method or the other: ntpdate from cron and a running chronyd both step the clock and interfere with each other.

8. Raise the file descriptor limit
ulimit -SHn 65535
cat >> /etc/security/limits.conf   # the limits appended here are missing from the source text
[Sections 9 to 12, including the settings written to /etc/sysctl.conf, are missing from the source text; only the ping switch below survives.]
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all   # stop answering ping
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all   # answer ping again

13. Limit per-user resource use (against local DoS)
vim /etc/security/limits.conf and add:
* hard core 0
* hard rss 10000
* hard nproc 50
Adjust the values to your needs. The rss limit is ignored by Linux kernels since 2.4.30, and a low nproc set with "*" also applies to service accounts, so test it before rolling it out.

14. Comment out unneeded users and groups
vi /etc/passwd and prefix the unneeded users with "#":
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
vi /etc/group and comment out the unneeded groups:
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:
#news:x:9:13:news:/etc/news
glibc skips lines beginning with "#", but pwck and grpck report them as invalid entries, and the matching lines in /etc/shadow and /etc/gshadow are left untouched. Locking the accounts with usermod, or removing them with userdel, is the cleaner way.

15. Restrict SSH logins by IP (tcp_wrappers)
vi /etc/hosts.deny
sshd:ALL
vi /etc/hosts.allow
sshd:192.168.0.1:allow
hosts.allow is consulted before hosts.deny. This only works with an sshd linked against libwrap, which is the case on CentOS 7 but not on CentOS 8/RHEL 8, where tcp_wrappers was dropped; the iptables rule of step 2 does not depend on it.

16. Find the accounts that can log in
awk -F: '($7=="/bin/bash"){print $1}' /etc/passwd   # accounts with a login shell
awk -F: '($3==0)' /etc/passwd                      # accounts with UID 0
awk -F: '($2=="")' /etc/shadow                     # accounts with an empty password

17. Record user logins and commands (audit)
1) Create the audit log file:
touch /var/log/Command_history.log
2) Give the file to a low-privilege owner:
chown nobody:nobody /var/log/Command_history.log
3) Make the file writable by all users:
chmod 002 /var/log/Command_history.log
4) Make it append-only, so users can add to it but not alter it:
chattr +a /var/log/Command_history.log
5) Edit /etc/profile and add:
export HISTORY_FILE=/var/log/Command_history.log
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### USER:$USER IP:$SSH_CLIENT PS:$SSH_TTY ppid=$PPID pwd=$PWD #### $(history 1 | { read x cmd; echo "$cmd"; })";} >>$HISTORY_FILE'
6) Apply it:
source /etc/profile
Each record is written by the user's own shell, so anyone who runs "unset PROMPT_COMMAND" or starts a different shell is no longer logged, and chattr +a only stops non-root users from truncating the file. Treat this as a convenience log rather than tamper-proof audit; auditd is the tool for that.

18. Upgrade the kernel
Either install the ELRepo kernel packages by hand (the download URLs are not preserved in the source):
wget   # kernel-ml package URL not preserved in the source
wget   # kernel-ml-devel package URL not preserved in the source
yum -y install kernel-ml-5.0.4-1.el7.elrepo.x86_64.rpm kernel-ml-devel-5.0.4-1.el7.elrepo.x86_64.rpm
or add the ELRepo repository and install the long-term kernel from it (the rpm -Uvh URL is not preserved in the source):
rpm -Uvh   # elrepo-release package URL not preserved in the source
yum --enablerepo=elrepo-kernel install -y kernel-lt
Then check the installed kernels and select the new one:
rpm -qa | grep kernel
grub2-set-default 'kernel-lt-5.4.99-1.el7.elrepo.x86_64'
grub2-set-default expects a menu entry title (or its index) as listed in /boot/grub2/grub.cfg, not a package name; check the exact title there before rebooting.

19. Check that a script is run as root
if [ "$(id -u)" != 0 ]; then
    echo -e "\033[1;31m Error! You must be root to run this script! \033[0m"
    exit 10
fi
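The sed one-liners in steps 3 and 4 rewrite only the stock commented-out defaults, so a host whose sshd_config already has an uncommented Port line, or was edited before, comes out unchanged. The following is an added example, not code from the original page: a small shell helper (the function names set_sshd_option, get_sshd_option and harden_sshd_config are mine) that sets an sshd_config keyword idempotently, replacing the existing line whether or not it is commented out and appending it when absent, then applies the page's four settings. The file path, the port 10022 and the sample configuration in the demo are assumptions; the sample is constructed for illustration, not a real host's file.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): idempotent sshd_config edits.
# A plain  sed -i 's/#Port 22/Port 10022/g'  matches only the stock commented
# default; on a host where "Port 22" is already uncommented, or where the
# value was changed earlier, it silently changes nothing.

# set_sshd_option FILE KEY VALUE: replace any existing "Key ..." line, commented
# or not, with "Key VALUE"; append the line if the key does not occur at all.
# FILE is whatever path you pass (assumed to be an sshd_config-style file).
set_sshd_option() {
    local file=$1 key=$2 value=$3
    # the key followed by whitespace or end of line, optionally behind a '#';
    # sshd keywords are case-insensitive, this match is case-sensitive
    local pattern="^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$"
    if grep -Eq "$pattern" "$file"; then
        sed -E -i "s~${pattern}~${key} ${value}~" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: print the first effective (uncommented) value, if any
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Apply the page's SSH changes (port, empty passwords, GSSAPI, DNS) idempotently.
harden_sshd_config() {
    local file=$1 port=${2:-10022}
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitEmptyPasswords no
    set_sshd_option "$file" GSSAPIAuthentication no
    set_sshd_option "$file" UseDNS no
}

# Demo on a constructed sample (not a real host file): "Port 22" is already
# uncommented, the case the page's sed would miss, and UseDNS is absent.
demo_sshd_hardening() {
    local tmp
    tmp=$(mktemp)
    printf '%s\n' 'Port 22' '#PermitEmptyPasswords no' \
        'GSSAPIAuthentication yes' 'X11Forwarding yes' > "$tmp"
    harden_sshd_config "$tmp" 10022
    cat "$tmp"
    rm -f "$tmp"
}

demo_sshd_hardening
```

Point harden_sshd_config at /etc/ssh/sshd_config, validate the result with `sshd -t`, open the port in iptables, and only then `systemctl restart sshd`. If SELinux stays enforcing, the new port also needs `semanage port -a -t ssh_port_t -p tcp 10022`.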
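Step 17 writes one line per command, with the USER:, IP:, PS:, ppid= and pwd= fields between a ##### and a #### marker, and since IP: carries the whole SSH_CLIENT value ("addr clientport serverport", empty on the console) the record cannot be split on spaces. Below is an added example, not code from the original page, of parsing that log in shell and running three checks over it: the commands of one user, sessions from addresses outside the range whitelisted in steps 2 and 15, and commands that switch the audit itself off. The function names are mine, the log lines are constructed samples, and the 192.168.0. prefix is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): parse the Command_history.log
# written by the PROMPT_COMMAND of step 17. Record layout:
#   <date> <time> ##### USER:<u> IP:<SSH_CLIENT> PS:<tty> ppid=<n> pwd=<dir> #### <command>

# audit_parse LOG: one tab-separated record per line: timestamp, user, ip, command
audit_parse() {
    awk '
    {
        m = index($0, " ##### "); c = index($0, " #### ")
        if (m == 0 || c == 0) next                # not a record from step 17
        ts   = substr($0, 1, m - 1)
        meta = substr($0, m + 7, c - m - 7)
        cmd  = substr($0, c + 6)
        user = ""; ip = "local"                   # empty SSH_CLIENT means a console login
        if (match(meta, /USER:[^ ]*/)) user = substr(meta, RSTART + 5, RLENGTH - 5)
        if (match(meta, /IP:[0-9.]+/))  ip   = substr(meta, RSTART + 3, RLENGTH - 3)  # IPv4 only
        printf "%s\t%s\t%s\t%s\n", ts, user, ip, cmd
    }' "$1"
}

# audit_user_cmds LOG USER: the commands run by one user
audit_user_cmds() {
    audit_parse "$1" | awk -F'\t' -v u="$2" '$2 == u { print $4 }'
}

# audit_foreign_ips LOG PREFIX: records from SSH clients outside the allowed
# prefix (for example "192.168.0."), the range whitelisted in steps 2 and 15
audit_foreign_ips() {
    audit_parse "$1" | awk -F'\t' -v p="$2" '$3 != "local" && index($3, p) != 1'
}

# audit_evasion LOG: commands that disable or clear this very audit trail.
# The logging lives in the user's shell, so these are the first thing to look for.
audit_evasion() {
    audit_parse "$1" | awk -F'\t' \
        '$4 ~ /PROMPT_COMMAND|HISTFILE|history -c|set [+]o history|chattr -a/'
}

# Constructed sample log (not captured from a real host)
write_sample_log() {
    cat > "$1" <<'EOF'
2021-03-01 09:15:02 ##### USER:ops IP:192.168.0.1 50122 22 PS:/dev/pts/0 ppid=2210 pwd=/home/ops #### systemctl status sshd
2021-03-01 09:15:40 ##### USER:ops IP:192.168.0.1 50122 22 PS:/dev/pts/0 ppid=2210 pwd=/home/ops #### sudo vi /etc/ssh/sshd_config
2021-03-01 22:03:11 ##### USER:dev IP:10.9.8.7 41002 22 PS:/dev/pts/1 ppid=3180 pwd=/home/dev #### cat /etc/shadow
2021-03-01 22:03:30 ##### USER:dev IP:10.9.8.7 41002 22 PS:/dev/pts/1 ppid=3180 pwd=/home/dev #### unset PROMPT_COMMAND
2021-03-02 08:00:05 ##### USER:root IP: PS: ppid=1 pwd=/root #### history -c
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "== sessions from outside 192.168.0.0/24 =="; audit_foreign_ips "$log" 192.168.0.
echo "== attempts to evade the audit =="; audit_evasion "$log"
rm -f "$log"
```

Run the functions against /var/log/Command_history.log on a real host; an evasion hit from a user is a reason to look at that session in /var/log/secure as well, since everything that user typed after it is missing from this log.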


