关闭 SELinux
[root@localhost-01 ~]# getenforce
Enforcing
[root@localhost-01 ~]# setenforce 0
永久性关闭selinux防火墙
说明：把 SELINUX=enforcing 更改为 SELINUX=disabled
[root@localhost-01 ~]# vim /etc/selinux/config
更改iptables防火墙服务
#关闭服务
[root@localhost-01 ~]# systemctl stop firewalld
#停止开机启动
[root@localhost-01 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
安装netfilter
[root@localhost-01 ~]# yum install -y iptables-services
开机启动netfilter
[root@localhost-01 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
开启iptables服务
[root@localhost-01 ~]# systemctl start iptables
配置iptables默认规则
#备份iptables 规则
[root@localhost-01 ~]# service iptables save >> /tmp/iptables.txt
#清空iptables规则
[root@localhost-01 ~]# iptables -F
[root@localhost-01 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 62 packets, 4108 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 35 packets, 3452 bytes)
pkts bytes target prot opt in out source destination
配置普通用户登录
创建普通用户--aming_user
[root@localhost-01 ~]# useradd aming_user
更改aming_user用户密码为 123123aa
[root@localhost-01 ~]# passwd aming_user
更改用户 aming_user 的密码 。
新的 密码:
无效的密码: 密码未通过字典检查 - 它没有包含足够的不同字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
修改普通用户免密码切换root
[root@localhost-01 ~]# vim /etc/sudoers
在配置文件末行添加
aming_user ALL=(ALL) NOPASSWD: ALL
:wq! 因为是只读文件需要强制保存退出
配置禁用root登录
[root@localhost-01 ~]# vim /etc/ssh/sshd_config
打开注释
#PermitRootLogin yes
更改为
PermitRootLogin no
重启sshd服务
[root@localhost-01 ~]# systemctl restart sshd.service
创建密钥目录文件
[root@localhost-01 ~]# mkdir /home/aming_user/.ssh
[root@localhost-01 ~]# chmod 700 /home/aming_user/.ssh
[root@localhost-01 ~]# chown aming_user:aming_user /home/aming_user/.ssh/
在 /home/aming_user/.ssh 目录下创建 authorized_keys 公钥文件
[root@localhost-01 ~]# vim /home/aming_user/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAot77+G7o7txOCMZIsKriwUY3yioXtPWPJesTlqH7KXv7vc/COyToP0IAMI39SeqIX4Ncg7vU6sQl4T0Wm8KowoZgzR0kel9ca8B8gIY4Mv6++PGzMtk2cci2XnwHkR6NH6oEJDxwrlmDR8h98eeJY4MUUXGHP5qoYLVLC6xlXwz63XIGGhDk3yGVf6V3Uzu2NsIewNzixf4oHCEg1PJTQfXNvHSfv8Y5sHLvMkg8AYqJ+miskCjkr4Pxesmt7U9IKw8754lyuDi1e1X8kzLigqebIFlqxATXJSa+sumDxiYdvX+YTtTG2yFfL+SFG+U7KOtq1KNfyMQ5kH6HcA+56w==
#设置权限
[root@localhost-01 ~]# chmod 600 /home/aming_user/.ssh/authorized_keys
[root@localhost-01 ~]# chown aming_user:aming_user /home/aming_user/.ssh/authorized_keys
配置审计系统
#创建用于记录所有用户命令历史的目录
[root@localhost-01 ~]# mkdir -p /usr/local/domob/records/
#任意用户都有权限去写
chmod 777 /usr/local/domob/records/
#增加 t 权限防删除位,防止用户的操作删除修改
[root@localhost-01 ~]# chmod +t /usr/local/domob/records/
[root@localhost-01 ~]# chown nobody:nobody /usr/local/domob/records/
编辑 /etc/profile（系统级全局环境变量配置文件），在文件末尾添加下面的代码
[root@localhost-01 ~]# vim /etc/profile
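# Per-user command audit log: every interactive bash login appends each
# command it runs (timestamp, login source, command text) under
# /usr/local/domob/records/<user>/bash_history.
# The directory is created by the login user, so it is owned by that user;
# assumes /usr/local/domob/records is world-writable (the 777 + sticky bit
# set up above) so that mkdir succeeds for an unprivileged login.
# NOTE(review): this log is advisory, not tamper-proof — the owner can
# chmod the directory back or unset PROMPT_COMMAND; treat it as a convenience
# record, not as an auditd replacement.
if [ ! -d "/usr/local/domob/records/${LOGNAME}" ]; then
  mkdir -p "/usr/local/domob/records/${LOGNAME}"
  # 300 = write+execute only: the user can append to the log but not list it.
  # (Original line had a stray "vim" appended to the path, so the chmod never
  # applied to the real directory.)
  chmod 300 "/usr/local/domob/records/${LOGNAME}"
fi
export HISTORY_FILE="/usr/local/domob/records/${LOGNAME}/bash_history"
# Runs before each prompt; 'history 1' is the command that just executed.
# Single quotes defer every substitution to prompt time.
# The command text is passed to printf as an *argument*, never embedded in the
# date/printf format string, so a command containing '%' sequences cannot
# corrupt or alter the log line; read -r keeps backslashes verbatim.
export PROMPT_COMMAND='{ printf "%s ##### %s #### %s\n" "$(date "+%Y-%m-%d %T")" "$(who am i | awk "{print \$1\" \"\$2\" \"\$5}")" "$(history 1 | { read -r _ cmd; printf "%s" "$cmd"; })"; } >>"$HISTORY_FILE"'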
#刷新配置
[root@localhost-01 ~]# source /etc/profile