Centos7 系统基本优化

可以把内容拷贝到sh文件,执行
注:在 Linux 下需要将文件格式设为 unix(vim 中执行 :set ff=unix)

一、系统基础优化

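# Variable settings: edit these before running; every later section reads them.
# Plain ASCII quotes are required. The original used typographic quotes (‘ ’),
# which bash does not treat as quoting, so the values would have been written
# into ifcfg-eth0, resolv.conf and /etc/hosts with the quote marks attached.
HOSTNAME='web-001'
IP='192.168.1.100'
NETMASK='255.255.255.0'
GW='192.168.1.1'
DNS1='114.114.114.114'
DNS2='8.8.8.8'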

1.1 关闭selinux

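# 1.1 Put SELinux into permissive mode now and disable it from the next boot.
# NOTE(review): this removes the mandatory-access-control layer for the whole
# host and nothing later in the script replaces it; prefer fixing the policy
# that is in the way over disabling SELinux outright.
/usr/sbin/setenforce 0
# Anchored so only the SELINUX= key line is rewritten. On CentOS 7
# /etc/sysconfig/selinux is normally a symlink to /etc/selinux/config, so
# editing both is harmless. The original second line ended in a stray
# backtick, which bash reads as an unterminated command substitution.
/bin/sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/sysconfig/selinux
/bin/sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config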

1.2 关闭firewalld

# 1.2 Stop firewalld and keep it from starting at boot; section 2.1 installs
# iptables-services in its place.
for firewalld_action in stop disable; do
  systemctl "${firewalld_action}" firewalld.service
done

1.3 配置IP地址

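# 1.3 Static IPv4 configuration for the primary interface.
# The interface name defaults to eth0 (the value the original hard-coded) and
# can be overridden from the environment, e.g. IFACE=ens33.
IFACE="${IFACE:-eth0}"
/bin/cat > "/etc/sysconfig/network-scripts/ifcfg-${IFACE}" << EOF
DEVICE=${IFACE}
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=${IP}
NETMASK=${NETMASK}
GATEWAY=${GW}
EOF
# Applies the new address immediately; when the script is run over SSH the
# session drops here if IP differs from the address currently in use.
systemctl restart network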

1.4 配置DNS

# 1.4 Overwrite /etc/resolv.conf with the two configured resolvers, one
# 'nameserver' line each.
# NOTE(review): NM_CONTROLLED=no is set for a single interface in 1.3 only;
# if NetworkManager still manages this host it may regenerate this file —
# confirm.
printf 'nameserver %s\n' "${DNS1}" "${DNS2}" > /etc/resolv.conf

1.5 配置主机名

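# 1.5 Set the hostname and add a static /etc/hosts entry so it resolves locally.
hostnamectl set-hostname "${HOSTNAME}"
# Append only when the entry is missing, so re-running the script does not
# stack duplicate lines in /etc/hosts.
grep -q -F -- "${IP} ${HOSTNAME}" /etc/hosts \
  || printf '%s %s\n' "${IP}" "${HOSTNAME}" >> /etc/hosts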

1.6 更新yum源,安装依赖包

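# 1.6 Switch to the Aliyun mirror, refresh metadata and install the toolset.
# The repo file defines which package sources this host trusts from now on,
# so it is fetched over HTTPS rather than plaintext HTTP, where it could be
# altered in transit. Abort if the download fails: wget -O leaves an empty
# file behind and yum would then run against a broken repo definition.
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo || exit 1
yum clean all
yum makecache
/usr/bin/yum -y install epel-release
# 'gcc*' is quoted so the shell does not glob it against the current
# directory; yum expands the wildcard against package names itself.
/usr/bin/yum -y install unzip zlib zlib-devel openssl openssl-devel 'gcc*' ncurses-devel cmake rsync vim wget expect telnet openssh-clients sysstat ntpdate lrzsz iotop dstat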

1.7 添加普通登录用户,并授权目录权限

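# 1.7 Create the application user and its directory tree.
# The original piped a hard-coded password ('123456') into passwd, leaving a
# weak credential in the script, in version control and in shell history.
# The password now comes from the OLDBOY_PASSWORD environment variable; when
# it is unset the account is created without a usable password (password
# login stays locked until an admin runs `passwd oldboy` or installs a key).
id oldboy >/dev/null 2>&1 || useradd oldboy
if [ -n "${OLDBOY_PASSWORD:-}" ]; then
  printf '%s\n' "${OLDBOY_PASSWORD}" | passwd --stdin oldboy
else
  printf 'warn: OLDBOY_PASSWORD not set; oldboy has no password yet\n' >&2
fi
# -p creates both levels and is a no-op when the tree already exists.
/bin/mkdir -p /home/app/shell
# NOTE(review): 755 leaves the tree world-readable; use 750 if the scripts
# dropped here in 2.7 should not be visible to other local users.
/bin/chmod -R 755 -- /home/app
# Fixed typo: the original invoked /bin/chowno, which does not exist, so the
# tree silently stayed owned by root. ':' is the portable owner:group form.
/bin/chown -R oldboy:oldboy -- /home/app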

1.8 修改历史记录存储条数

# 1.8 Set the shell history size in /etc/profile.
# NOTE(review): HISTSIZE=0 turns command history off for every interactive
# shell. History is one of the few on-host records of what an operator ran;
# removing it weakens incident reconstruction rather than hardening the box.
# A bounded non-zero value (paired with HISTTIMEFORMAT) keeps that value.
# The sed matches only the stock 'HISTSIZE=1000' line, so a customised
# profile is left untouched.
/bin/sed -i 's/HISTSIZE=1000/HISTSIZE=0/g' /etc/profile
# Re-reads the profile in this script's shell only; login shells pick the
# change up on their own.
source /etc/profile

1.9 配置中文编码

/bin/echo 'LANG="zh_CN.UTF-8"' >> /etc/profile
/bin/echo 'TMOUT=300' >> /etc/profile
/bin/echo 'umask 027' >> /etc/profile
source /etc/profile

1.10 同步系统时间

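# 1.10 Step the clock once now, then schedule a daily sync via root's crontab.
# NOTE(review): ntpdate is a one-shot stepping tool; chronyd (the CentOS 7
# default) disciplines the clock continuously and is the better fit for a
# long-running host.
/usr/sbin/ntpdate asia.pool.ntp.org
# Appended once; a duplicate entry would run the sync twice a day.
grep -q -F -- '/usr/sbin/ntpdate asia.pool.ntp.org' /var/spool/cron/root 2>/dev/null \
  || /bin/echo '0 0 * * * /usr/sbin/ntpdate asia.pool.ntp.org' >> /var/spool/cron/root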

1.11 优化内核参数

# 1.11 Kernel parameters. This overwrites /etc/sysctl.conf wholesale; nothing
# here runs `sysctl -p`, so the values only take effect at the reboot in 2.10.
# The hardening entries (ipv6 off, rp_filter, no redirects, no source
# routing, syncookies, sysrq=0) are the defensive part of this list.
# NOTE(review): net.ipv4.tcp_tw_recycle = 1 is known to break clients behind
# NAT and the knob was removed upstream in Linux 4.12; tcp_fin_timeout = 1
# and the *_retries = 1 values are aggressive for anything other than a
# high-churn LAN service — confirm on a test host before rolling out.
/bin/cat > /etc/sysctl.conf << EOF
#参考系统优化参数
#关闭ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
#避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1
#开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1
#关闭路由转发
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
#开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
#关闭sysrq功能
kernel.sysrq = 0
#core文件名中添加pid作为扩展名
kernel.core_uses_pid = 1
#开启SYN洪水攻击保护
net.ipv4.tcp_syncookies = 1
#修改消息队列长度
kernel.msgmnb = 65536
kernel.msgmax = 65536
#设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
#timewait的数量,默认180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096        87380   4194304
net.ipv4.tcp_wmem = 4096        16384   4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
#每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 262144
#限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800
#未收到客户端确认信息的连接请求的最大值
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
#内核放弃建立连接之前发送SYNACK 包的数量
net.ipv4.tcp_synack_retries = 1
#内核放弃建立连接之前发送SYN 包的数量
net.ipv4.tcp_syn_retries = 1
#启用timewait 快速回收
net.ipv4.tcp_tw_recycle = 1
#开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
#当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时
net.ipv4.tcp_keepalive_time = 30
#允许系统打开的端口范围
net.ipv4.ip_local_port_range = 1024    65000
#修改防火墙表大小,默认65536
#net.netfilter.nf_conntrack_max=655350
#net.netfilter.nf_conntrack_tcp_timeout_established=1200
#确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF

1.12 调整系统连接数限制

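# 1.12 Raise process and file-descriptor limits for all users.
# limits.d is read after limits.conf, so the stock '*' line in 20-nproc.conf
# would override the values below; comment it out first.
sed -i 's/^\*/\#\*/g' /etc/security/limits.d/20-nproc.conf
# Append the block once; a second run would otherwise duplicate it.
grep -q -F -- '* hard maxlogins 5' /etc/security/limits.conf \
  || /bin/cat >> /etc/security/limits.conf << EOF
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
* hard maxlogins 5
EOF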

二、安全相关配置

2.1 配置iptables服务

# 2.1 Replace firewalld (stopped in 1.2) with a static iptables ruleset.
# INPUT defaults to DROP; only return traffic, ICMP, loopback and the
# 192.168.1.0/24 network are accepted.
# NOTE(review): the explicit DROP for tcp/22612 is unreachable — the policy
# already drops it. The SSH port chosen in 2.3 (2222) is not opened here, so
# after the reboot SSH is reachable only from 192.168.1.0/24, and that subnet
# is hard-coded rather than derived from IP/NETMASK above — confirm both.
# :FORWARD ACCEPT has no effect while net.ipv4.ip_forward = 0 (1.11) holds.
yum  -y install iptables-services
/bin/cat > /etc/sysconfig/iptables  << EOF
#Firewall configuration written by system-config-firewall
#Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22612 -j DROP
COMMIT
EOF
# Loads the file above now and at every boot.
systemctl restart iptables.service
systemctl enable iptables.service

2.2 系统安全策略

#/bin/chmod 640 /var/log/boot.log
#/usr/sbin/usermod -G wheel oldboy
#/bin/sed -i '43i *.err;kern.debug;daemon.notice\t\t\t\t/var/log/messages' /etc/rsyslog.conf
#/etc/init.d/rsyslog restart
#/bin/sed -i '2a auth\t\trequired\tpam_wheel.so use_uid' /etc/pam.d/su

2.3 修改SSH端口,禁止root用户

添加强加密算法(可能导致无法远程登录,请先在测试机上测试是否可行)

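# 2.3 sshd: non-default port, no reverse DNS lookups, no root login, strong
# ciphers only. The sed edits fire only when the stock commented defaults are
# present; anchoring keeps them from touching similar-looking lines.
/bin/sed -i 's/^#Port 22$/Port 2222/' /etc/ssh/sshd_config
/bin/sed -i 's/^#UseDNS yes$/UseDNS no/' /etc/ssh/sshd_config
/bin/sed -i 's/^#PermitRootLogin yes$/PermitRootLogin no/' /etc/ssh/sshd_config
# The original list ended in aes128-cbc and 3des-cbc, which defeats the
# stated goal of allowing only strong algorithms: CBC modes are deprecated in
# OpenSSH and 3DES has a 64-bit block. Keep the CTR suites; add the line once.
grep -q '^Ciphers ' /etc/ssh/sshd_config \
  || echo 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' >> /etc/ssh/sshd_config
# 'ServerKeyBits 2048' is dropped: it only affects SSH protocol 1, which is
# off by default and removed entirely in OpenSSH 7.4 (CentOS 7.4+), where the
# option just produces a deprecation warning.
# sshd is not reloaded here (the reboot in 2.10 does that), so validate the
# file now; a bad sshd_config would otherwise lock everyone out after reboot.
# Remember that 2.1 does not open port 2222 beyond 192.168.1.0/24.
/usr/sbin/sshd -t || { printf 'sshd_config failed validation; fix it before rebooting\n' >&2; exit 1; }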

2.4 密码策略

# 2.4 Password ageing in /etc/login.defs: 90-day maximum, 1-day minimum,
# 8-character minimum length, 28-day expiry warning. Each key's existing line
# is replaced whole so the stock value does not linger.
for age_spec in 'PASS_MAX_DAYS 90' 'PASS_MIN_DAYS 1' 'PASS_MIN_LEN 8' 'PASS_WARN_AGE 28'; do
  age_key=${age_spec%% *}
  sed -i "s/^${age_key}.*\$/${age_spec}/g" /etc/login.defs
done

2.5 密码复杂度

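# 2.5 Password complexity: minimum 8 characters, at least two digits
# (dcredit=-2) and one each of upper-case, lower-case and other characters.
# The original rewrote the pam_pwquality line in /etc/pam.d/system-auth with
# a sed that matched the stock line byte-for-byte, so on any customised or
# authconfig-regenerated host it silently did nothing. The same settings are
# read by pam_pwquality from /etc/security/pwquality.conf, which authconfig
# leaves alone; set them there instead.
#
# set_conf_key FILE KEY VALUE: write "KEY = VALUE", replacing an existing
# (possibly commented-out) line for KEY or appending one when none exists.
set_conf_key() {
  local file=$1 key=$2 value=$3
  if grep -q -E "^#? *${key} *=" "$file" 2>/dev/null; then
    sed -i -E "s/^#? *${key} *=.*$/${key} = ${value}/" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}
set_conf_key /etc/security/pwquality.conf minlen 8
set_conf_key /etc/security/pwquality.conf dcredit -2
set_conf_key /etc/security/pwquality.conf ucredit -1
set_conf_key /etc/security/pwquality.conf lcredit -1
set_conf_key /etc/security/pwquality.conf ocredit -1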

2.6 密码错误锁定

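# 2.6 Lock an account for 300 s after three failed SSH logins.
# Inserted at line 2 (directly under the '#%PAM-1.0' header) so it runs ahead
# of the other auth modules; guarded so a re-run does not add a second copy.
# NOTE(review): even_deny_root locks root too (console included) for 300 s.
# pam_tally2(8) also documents an 'account required pam_tally2.so' entry that
# resets the counter after a successful login — confirm whether this stack
# needs it so legitimate users do not accumulate a permanent tally.
grep -q 'pam_tally2.so' /etc/pam.d/sshd \
  || sed -i '2i auth     required       pam_tally2.so onerr=fail deny=3 unlock_time=300 even_deny_root root_unlock_time=300' /etc/pam.d/sshd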

2.7 安装杀毒软件

#mv ./set_to_weixin.sh /home/app/shell/
#mv ./VirusSan.sh /home/app/shell/
#mv ./AideCheck.sh /home/app/shell/
#chmod +x /home/app/shell/*.sh
#yum install -y clamav clamav-update
#yum -y install aide
#sed -i 's#^/root   NORMAL#!/root   NORMAL#g' /etc/aide.conf 
#aide -c /etc/aide.conf --init
#cp -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
#/bin/echo '0 4 * * * sh /home/app/shell/VirusSan.sh' >> /var/spool/cron/root
#/bin/echo '0 5 * * * sh /home/app/shell/AideCheck.sh' >> /var/spool/cron/root

2.8 完善Linux系统日志记录

需添加 kernel 类型日志以及 debug、warn 级别日志;当前日志保留时间不足 180 天,需延长保留期

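# 2.8 Route kernel warnings and all errors to their own log file, and keep 26
# rotations (26 weekly rotations is about half a year) instead of the stock 4.
# rsyslog is not restarted here; the reboot in 2.10 picks the rule up.
grep -q -F -- '/var/log/kernel' /etc/rsyslog.conf \
  || echo 'kern.warning;*.err;authpriv.none                /var/log/kernel'  >>  /etc/rsyslog.conf
# set_rotate FILE OLD NEW: change only lines that read exactly "rotate OLD",
# preserving their indentation. The original 's/rotate 1/rotate 26/' had no
# boundary and would also turn 'rotate 10' or 'rotate 12' into 'rotate 260'
# or 'rotate 262'.
set_rotate() {
  local file=$1 old=$2 new=$3
  sed -i -E "s/^([[:space:]]*)rotate ${old}[[:space:]]*$/\1rotate ${new}/" "$file"
}
set_rotate /etc/logrotate.conf 4 26
set_rotate /etc/logrotate.conf 1 26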

2.9 Linux系统的umask

umask(建立文件时预设的权限)为 002,应配置为 022

# 2.9 Change the default umask for ordinary users in /etc/profile from 002
# (group-writable new files) to 022. Only the literal 'umask 002' is touched.
# NOTE(review): 1.9 appended 'umask 027' to the end of the same file; a later
# umask wins, so the effective login umask is 027, not the 022 set here.
sed -i 's/umask 002/umask 022/g' /etc/profile

2.10 reboot system

# 2.10 Reboot. This is what actually applies the changes the sections above
# only wrote to disk: SELINUX=disabled (1.1), /etc/sysctl.conf (1.11, never
# loaded with sysctl -p), limits.conf (1.12), sshd_config (2.3, sshd never
# reloaded) and rsyslog.conf (2.8). Nothing before this point validates those
# files, so run the whole script on a disposable test host first.
init 6