Linux系統初始化配置項(centos7)


主機剛安裝完系統,會做一些配置上的優化。

修改時區

  通過命令將時區設置為亞洲/上海。

timedatectl set-timezone Asia/Shanghai
# CentOS 7: systemd hosts set the zone through timedatectl

cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
# CentOS 6: no timedatectl, replace the localtime file directly

關閉seLinux

  修改配置文件

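# Turn SELinux off persistently (config file, read at boot) and for the
# running kernel (setenforce). The anchored pattern also converts a host that
# is currently "permissive"; the unanchored "enforcing" pattern left it alone.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
setenforce 0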

關閉防火牆

  生產環境中網絡層面會做出一些限制,所以主機基本上不會設置防火牆策略。

systemctl stop firewalld      # stop the running service now
systemctl disable firewalld   # and keep it from starting at boot

禁止IPV6登陸與修改網卡名稱eth0

  修改網卡文件名,

mv /etc/sysconfig/network-scripts/ifcfg-ens33 /etc/sysconfig/network-scripts/ifcfg-eth0

  修改系統grub參數,

vim /etc/default/grub
# set the parameter as follows (net.ifnames=0 biosdevname=0 ipv6.disable=1
# are appended to the existing value)
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet net.ifnames=0 biosdevname=0 ipv6.disable=1"

  crashkernel=auto:為kdump預留的內存,

  net.ifnames=0 biosdevname=0:修改網卡為eth0

  ipv6.disable=1:禁止IPV6

grub2-mkconfig -o /boot/grub2/grub.cfg
# regenerate the GRUB config with the new kernel parameters; takes effect after a reboot

  重啟后ip a查看,網卡名已變為eth0

用戶登陸密碼設置

vim /etc/login.defs
# set the following values (password ageing defaults for new accounts)
  PASS_MAX_DAYS 90
  PASS_MIN_DAYS   0
  PASS_MIN_LEN 15
  PASS_WARN_AGE 15

添加密碼強度策略

vim /etc/pam.d/system-auth
# add (or replace the existing pam_pwquality line with) the following rule
    password requisite pam_pwquality.so try_first_pass local_users_only retry=3  minlen=15 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2

  retry=3設置新密碼時,有三次機會輸入;minlen最小長度,lcredit小寫字母,ucredit大寫字母,dcredit數字,ocredit特殊字符,-2不少於兩位。

限制普通用戶su權限

vim /etc/pam.d/su
# add (uncomment) the following rule
  auth    required    pam_wheel.so use_uid

  只允許wheel組的用戶可以使用su命令,可以把允許使用su的用戶的附加組指定為wheel。

密碼錯誤鎖定

vim /etc/pam.d/sshd
# add the following rule
  auth required pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=300
  # NOTE(review): pam_tally2 resets the failure counter from its account stage;
  # with only this auth line the count keeps growing across successful logins,
  # so users get locked after 5 failures in total rather than 5 in a row —
  # confirm an `account required pam_tally2.so` line is present as well

  普通用戶登陸密碼錯誤5次,則用戶鎖定600秒;root用戶則鎖定300秒。

設置會話超時時間

vim /etc/profile
# add the following (applies to new login shells only; `readonly TMOUT` on
# the next line would stop users from unsetting it)
  export TMOUT=1800

優化ssh服務

vim /etc/ssh/sshd_config
# edit the following parameters. Keep comments on their own line: the sshd
# shipped with CentOS 7 rejects trailing text after a directive as garbage at
# end of line, so copying inline comments breaks the config.
  Port 22
  # backup port; with SELinux enforcing a non-default port also needs an
  # ssh_port_t label (semanage port), and an opening if firewalld is kept
  Port 1022
  # forbid direct root login
  PermitRootLogin no
  # caps password attempts per connection (brute-force limiting)
  MaxAuthTries 6
  GSSAPIAuthentication no
  # do not resolve client hostnames via DNS
  UseDNS no

# validate with `sshd -t` and then restart the service
systemctl restart sshd

禁止熱鍵關機

  刪除配置文件/usr/lib/systemd/system/ctrl-alt-del.target即可

rm -f /usr/lib/systemd/system/ctrl-alt-del.target

禁止yum 升級內核參數

  內核升級有時候會出現不可意料的錯誤,一般情況不建議升級內核;

vim /etc/yum.conf
# add the following under the [main] section
  exclude=kernel*

優化ulimit

  limits.conf文件是pam_limits.so的配置文件,對系統訪問資源做出保護性限制,限制用戶最大文件和進程數;

  編輯配置文件

vim /etc/security/limits.conf
# add the following
  * soft nofile 655350
  * hard nofile 655350
  * soft nproc 655360
  * hard nproc 655360
  zf soft nofile 655350
  zf hard nofile 655350
  zf soft nproc 655360
  zf hard nproc 655360
  # NOTE(review): on CentOS 7 /etc/security/limits.d/20-nproc.conf is read
  # after this file and overrides the nproc values for non-root users — confirm
  # and adjust that file too

優化內核參數

  sysctl -p 重新加載系統參數

vim /etc/sysctl.conf
# add the following (reload with `sysctl -p` afterwards)
  net.ipv4.tcp_max_tw_buckets = 6000
  # Maximum number of TIME-WAIT sockets. Above this number TIME-WAIT sockets are destroyed at once and a warning is logged. Default 180000; too many TIME-WAIT sockets slow a web server down.
  # NOTE(review): the same key is set again to 20000 at the end of this block; the last value wins

  net.core.netdev_max_backlog = 65535
  # Maximum number of packets queued on the input side when an interface receives packets faster than the kernel can process them

  net.core.somaxconn = 65535
  # Upper bound on the number of TCP connections the system accepts concurrently; the small default can cause connection timeouts or retransmits

  net.ipv4.tcp_timestamps = 0
  # Controls TCP timestamps, which protect against sequence-number wraparound: a 1 Gbps link will reuse old sequence numbers, and timestamps let the kernel accept such "anomalous" segments
  # NOTE(review): disabling timestamps also disables what tcp_tw_reuse / tcp_tw_recycle below rely on — confirm this combination is intended

  net.ipv4.tcp_synack_retries = 1
  # Number of SYN+ACK packets sent to a client before the kernel gives up on the connection

  net.ipv4.tcp_syn_retries = 1
  # Same idea for outgoing connections: number of SYN packets sent before giving up

  net.ipv4.tcp_tw_reuse = 1
  # 1 allows sockets in TIME-WAIT state to be reused for new connections

  net.ipv4.tcp_fin_timeout = 15
  # Maximum time a socket stays in FIN-WAIT-2 after the server closes the connection

  net.ipv4.tcp_keepalive_time = 30
  # Interval at which TCP sends keepalive messages when keepalive is enabled; default is 2 hours, a lower value clears dead connections sooner

  net.ipv4.ip_local_port_range = 10240    65000
  # Local port range (not the remote side) used for UDP and TCP connections

  net.ipv4.tcp_tw_recycle = 1
  # Allows TIME-WAIT sockets to be recycled for new TCP connections
  # NOTE(review): breaks clients behind NAT and the key was removed in Linux 4.12 — confirm before use

  net.ipv4.tcp_max_tw_buckets = 20000
  # Number of TIME_WAIT connections held; above this, TIME_WAIT sockets are destroyed immediately

 初始化腳本

  此腳本只能用於centos7,測試機器為centos7.4最小化安裝,腳本沒有問題,但如使用需要對time_zone、ssh_conf等模塊根據實際修改。

#!/bin/bash
#
### system release ###
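### system release ###
#######################################
# Abort unless this is a release-7 host and the caller is root.
# Arguments: $1 - release file to inspect (optional, default
#            /etc/redhat-release; exposed so the check can be exercised
#            against a sample file)
# Outputs:   status line to stdout
# Returns:   0 on success; exits 1 on an unsupported release or a
#            non-root caller
#######################################
system_check(){
    local release_file=${1:-/etc/redhat-release}
    local release
    # "CentOS Linux release 7.4.1708 (Core)" -> "7.4.1708" -> "7"
    release=$(awk '{print $(NF-1)}' "$release_file" 2>/dev/null | awk -F. '{print $1}')
    # An empty or non-numeric value must never reach the numeric comparison
    # (the original `[ $RELEASE -eq 7 ]` errored out instead of failing cleanly)
    if [[ "$release" =~ ^[0-9]+$ ]] && (( release == 7 )); then
        echo -e "\033[34m system check completed \033[0m"
    else
        echo -e "\033[31m this script only support centos7 system \033[0m"
        exit 1
    fi
    # Compare the uid rather than a name, and do not clobber the $USER env var
    if [[ "$(id -u)" -ne 0 ]]; then
        echo -e "\033[31m the current user is not \"root\" \033[0m"
        exit 1
    fi
}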
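### install package ###
#######################################
# Install the baseline tool set.
# Outputs:   status line to stdout; yum's own output is discarded
# Returns:   yum's exit status (the original printed "completed" even when
#            the install failed)
#######################################
yum_install(){
    local -a packages=(
        ntpdate wget bc vim gcc gcc-c++ openssl openssl-devel lrzsz
        pcre-devel sysstat iftop lsof tcpdump telnet nmap traceroute net-tools
    )
    if yum install -y "${packages[@]}" >/dev/null 2>&1; then
        echo -e "\033[34m package install completed \033[0m"
    else
        echo -e "\033[31m package install failed \033[0m"
        return 1
    fi
}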
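### time zone ###
#######################################
# Set the Asia/Shanghai timezone, register the internal NTP server in
# /etc/hosts and root's crontab, and sync the clock once.
# Globals:   NTP_SERVER_IP (read) - address of the internal NTP server. The
#            original wrote the literal placeholder "X.X.X.X" into /etc/hosts;
#            now the hosts entry is skipped with a warning when it is unset.
# Outputs:   status lines to stdout, warnings to stderr
# Returns:   0 when every step succeeded, 1 otherwise
#######################################
time_zone(){
    local ntp_path rc=0
    local hosts_file=/etc/hosts
    local cron_file=/var/spool/cron/root
    if [[ "$(date +%z)" != '+0800' ]]; then
        timedatectl set-timezone Asia/Shanghai
        if [[ "$(date +%z)" == '+0800' ]]; then
            echo -e "\033[34m timezone set completed \033[0m"
        else
            echo -e "\033[31m timezone set failed \033[0m"
            rc=1
        fi
    fi
    if [[ -n "${NTP_SERVER_IP:-}" ]]; then
        grep -q ntpserver "$hosts_file" || echo "${NTP_SERVER_IP} ntpserver" >> "$hosts_file"
    else
        echo -e "\033[31m NTP_SERVER_IP is not set, /etc/hosts entry skipped \033[0m" >&2
        rc=1
    fi
    # `which` may not be installed on a minimal system; command -v is a builtin
    ntp_path=$(command -v ntpdate)
    if [[ -z "$ntp_path" ]]; then
        echo -e "\033[31m ntpdate not found, time sync skipped \033[0m"
        return 1
    fi
    # grep on a missing crontab simply fails and the entry gets created; the
    # spool file must be 0600 or crond refuses it
    grep -q ntpserver "$cron_file" 2>/dev/null || echo "10 * * * * ${ntp_path} ntpserver" >> "$cron_file"
    chmod 600 "$cron_file"
    if "$ntp_path" ntpserver >/dev/null 2>&1; then
        echo -e "\033[34m time sync completed \033[0m"
    else
        echo -e "\033[31m time sync failed \033[0m"
        rc=1
    fi
    return "$rc"
}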

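### disable selinux ###
#######################################
# Switch SELinux off now (setenforce) and persistently in the config file.
# Globals:   DATE (read) - suffix of the one-time backup copy
# Arguments: $1 - config file (optional, default /etc/selinux/config)
# Outputs:   status line to stdout
# Returns:   0 when the file now contains SELINUX=disabled, 1 otherwise
#######################################
disable_selinux(){
    local file=${1:-/etc/selinux/config}
    local backup="$file.${DATE:-$(date +%F)}"
    [[ -f "$backup" ]] || cp -- "$file" "$backup"
    # setenforce fails when SELinux is already disabled; that is not an error here
    command -v setenforce >/dev/null 2>&1 && setenforce 0 2>/dev/null
    # Anchor on the whole value so a "permissive" host is converted as well
    # (the original only rewrote "enforcing" and then reported failure)
    sed -i 's/^SELINUX=.*/SELINUX=disabled/' "$file"
    if grep -q '^SELINUX=disabled' "$file"; then
        echo -e "\033[34m disable selinux completed \033[0m"
    else
        echo -e "\033[31m disable selinux failed \033[0m"
        return 1
    fi
}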
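### disable firewalld ###
#######################################
# Stop firewalld and keep it from starting at boot.
# Outputs:   status line to stdout
# Returns:   0 when the unit reports "disabled", 1 otherwise
#######################################
disable_firewalld(){
    local state
    systemctl stop firewalld
    systemctl disable firewalld >/dev/null 2>&1
    # When the unit does not exist is-enabled prints nothing on stdout; the
    # original unquoted `[ == ]` then died with "unary operator expected"
    state=$(systemctl is-enabled firewalld 2>/dev/null)
    if [[ "$state" == 'disabled' ]]; then
        echo -e "\033[34m disable firewalld completed \033[0m"
    else
        echo -e "\033[31m disable firewalld failed \033[0m"
        return 1
    fi
}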
### ban ipv6 and modify eth0 ###
# disabled: the unquoted $REPLACE_PARAMS word-splits inside the sed expression and the
# "/" in rd.lvm.lv=centos/root collides with the s/// delimiter, so the edit is done by hand
#modify_grub(){
#    FILE="/etc/default/grub"
#    BACKUP="/tmp/grub.$DATE"
#    DEFAULT_PARAMS=`grep "GRUB_CMDLINE_LINUX" $FILE | awk -F\" '{print $2}'`
#    REPLACE_PARAMS="GRUB_CMDLINE_LINUX=\"$DEFAULT_PARAMS crashkernel=auto net.ifnames=0 biosdevname=0 ipv6.disable=1\""
#    cp $FILE $BACKUP
#    sed -i 's/GRUB_CMDLINE_LINUX.*/'$REPLACE_PARAMS'/g' $FILE
#    grep 'net.ifnames=0 biosdevname=0 ipv6.disable=1' $FILE && echo -e "\033[34m modify grub completed \033[0m" || echo -e "\033[31m modify grub failed \033[0m"
#    grub2-mkconfig -o /boot/grub2/grub.cfg &>/dev/null
#    mv /etc/sysconfig/network-scripts/ifcfg-ens* /etc/sysconfig/network-scripts/ifcfg-eth0
#}
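### password expiry ###
#######################################
# Set password ageing defaults in login.defs.
# Globals:   DATE (read) - backup suffix
# Arguments: $1 - login.defs path (optional, default /etc/login.defs)
# Outputs:   status line to stdout
# Returns:   0 when the new values are present, 1 otherwise
#######################################
passwd_expiry(){
    local file=${1:-/etc/login.defs}
    local backup="$file.${DATE:-$(date +%F)}"
    cp -- "$file" "$backup"
    # Anchored at line start: login.defs' comment block mentions the same
    # keywords and the original unanchored patterns rewrote those lines too
    sed -i -e 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' \
           -e 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 0/' \
           -e 's/^PASS_MIN_LEN.*/PASS_MIN_LEN 15/' \
           -e 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 15/' "$file"
    if grep -q '^PASS_MAX_DAYS 90$' "$file" && grep -q '^PASS_MIN_LEN 15$' "$file"; then
        echo -e "\033[34m passwd expiry modify completed \033[0m"
    else
        echo -e "\033[31m passwd expiry modify failed \033[0m"
        return 1
    fi
}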
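### password complex ###
#######################################
# Replace the pam_pwquality rule in system-auth with the stricter policy.
# (Function name kept as-is: main() calls it under this spelling.)
# Globals:   DATE (read) - backup suffix
# Arguments: $1 - PAM file (optional, default /etc/pam.d/system-auth)
# Outputs:   status line to stdout
# Returns:   0 when the new rule is present, 1 when no pam_pwquality line
#            was found to replace (the original reported success anyway)
#######################################
paawd_complex(){
    local file=${1:-/etc/pam.d/system-auth}
    local backup="$file.${DATE:-$(date +%F)}"
    local rule='password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 minlen=15 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2'
    cp -- "$file" "$backup"
    # system-auth is a symlink to system-auth-ac on CentOS 7; without
    # --follow-symlinks `sed -i` replaces the link with a regular file
    sed -i --follow-symlinks "s/.*pam_pwquality.so.*try_first_pass.*/$rule/" "$file"
    if grep -q 'pam_pwquality.so.*minlen=15 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2' "$file"; then
        echo -e "\033[34m passwd complex set completed \033[0m"
    else
        echo -e "\033[31m passwd complex set failed \033[0m"
        return 1
    fi
}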
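### password lock ###
#######################################
# Lock accounts after repeated ssh password failures via pam_tally2.
# Globals:   DATE (read) - backup suffix
# Arguments: $1 - PAM file (optional, default /etc/pam.d/sshd)
# Outputs:   status line to stdout
# Returns:   0 when the rule is present, 1 otherwise
#######################################
passwd_lock(){
    local file=${1:-/etc/pam.d/sshd}
    local backup="$file.${DATE:-$(date +%F)}"
    local rule='auth required pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=300'
    cp -- "$file" "$backup"
    # Insert once, after the "#%PAM-1.0" header; the original appended on
    # every run and stacked duplicate tally rules.
    # NOTE(review): pam_tally2 resets the counter from its account stage;
    # with only this auth line failures accumulate across successful logins —
    # confirm an `account required pam_tally2.so` line exists too.
    if ! grep -q 'pam_tally2.so' "$file"; then
        sed -i "1a\\$rule" "$file"
    fi
    if grep -q '^auth.*pam_tally2.so' "$file"; then
        echo -e "\033[34m passwd lock set completed \033[0m"
    else
        echo -e "\033[31m passwd lock set failed \033[0m"
        return 1
    fi
}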
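### ban user su ###
#######################################
# Restrict `su` to the wheel group (pam_wheel) and adjust sudoers: extend
# secure_path and grant wheel "NOPASSWD: ALL". The sudoers grant is the
# original behaviour and means every wheel member becomes root without a
# password, which cancels the su restriction for those users.
# Globals:   DATE (read) - backup suffix
# Arguments: $1 - PAM su file (optional, default /etc/pam.d/su)
#            $2 - sudoers file (optional, default /etc/sudoers)
# Outputs:   status line to stdout
# Returns:   0 on success; 1 when sudoers fails `visudo -c` (the backup is
#            restored, since a syntax error locks everyone out of sudo) or
#            the pam_wheel rule is missing
#######################################
user_su(){
    local file=${1:-/etc/pam.d/su}
    local sudoers=${2:-/etc/sudoers}
    local suffix=${DATE:-$(date +%F)}
    local backup="$file.$suffix"
    local sudoers_backup="$sudoers.$suffix"
    cp -- "$file" "$backup"
    cp -- "$sudoers" "$sudoers_backup"
    # Both edits are guarded so a re-run does not keep appending to secure_path
    grep -q 'secure_path.*/usr/local/sbin' "$sudoers" || \
        sed -i 's#/sbin:/bin:/usr/sbin:/usr/bin#/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin#' "$sudoers"
    sed -i 's/^%wheel\tALL=(ALL).*/%wheel\tALL=(ALL)\tNOPASSWD: ALL/' "$sudoers"
    if command -v visudo >/dev/null 2>&1 && ! visudo -c -f "$sudoers" >/dev/null 2>&1; then
        cp -- "$sudoers_backup" "$sudoers"
        echo -e "\033[31m sudoers failed syntax check, backup restored \033[0m"
        return 1
    fi
    # Enable the pam_wheel line once; the original appended on every run
    if ! grep -q '^auth.*pam_wheel.so use_uid' "$file"; then
        sed -i '/pam_wheel.so use_uid/a\auth\t\trequired\tpam_wheel.so use_uid' "$file"
    fi
    if grep -q '^auth.*use_uid' "$file"; then
        echo -e "\033[34m ban su set completed \033[0m"
    else
        echo -e "\033[31m ban su set failed \033[0m"
        return 1
    fi
}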
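### timeout time ###
#######################################
# Set an idle-shell timeout of 1800 s for new login shells.
# Note: the name shadows coreutils timeout(1) for the rest of this script.
# Arguments: $1 - profile file (optional, default /etc/profile)
# Outputs:   status line to stdout
# Returns:   0 when the setting is present, 1 otherwise
#######################################
timeout(){
    local file=${1:-/etc/profile}
    # Append once; the original added a new line on every run. Sourcing the
    # file here (as the original did) cannot reach already-open sessions, so
    # that step is dropped.
    grep -q '^export TMOUT=1800' "$file" || echo "export TMOUT=1800" >> "$file"
    if grep -q "TMOUT=1800" "$file"; then
        echo -e "\033[34m timeout set completed \033[0m"
    else
        echo -e "\033[31m timeout set failed \033[0m"
        return 1
    fi
}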
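### set ssh ###
#######################################
# Harden sshd_config: backup port 1022, no root login, MaxAuthTries 6 (as
# documented in the write-up above), no GSSAPI, no DNS lookups.
# Globals:   DATE (read) - backup suffix
# Arguments: $1 - sshd_config path (optional, default /etc/ssh/sshd_config)
# Outputs:   status line to stdout
# Returns:   0 on success; 1 when `sshd -t` rejects the edited file, in which
#            case the backup is restored before anything is reloaded
#######################################
ssh_conf(){
    local file=${1:-/etc/ssh/sshd_config}
    local backup="$file.${DATE:-$(date +%F)}"
    cp -- "$file" "$backup"
    # Each insert is guarded so a re-run does not duplicate directives.
    # NOTE(review): port 1022 needs an ssh_port_t label (semanage port) if
    # SELinux is ever re-enabled; this script disables SELinux beforehand.
    grep -q '^Port 1022' "$file"          || sed -i '/^#Port 22/a\Port 22\nPort 1022' "$file"
    grep -q '^PermitRootLogin no' "$file" || sed -i '/^#PermitRootLogin.*/a\PermitRootLogin no' "$file"
    grep -q '^MaxAuthTries' "$file"       || sed -i '/^#MaxAuthTries/a\MaxAuthTries 6' "$file"
    sed -i 's/^GSSAPIAuthentication.*/GSSAPIAuthentication no/' "$file"
    grep -q '^UseDNS no' "$file"          || sed -i '/^#UseDNS/a\UseDNS no' "$file"
    # Never hand the daemon a broken config
    if command -v sshd >/dev/null 2>&1 && ! sshd -t -f "$file" >/dev/null 2>&1; then
        cp -- "$backup" "$file"
        echo -e "\033[31m ssh set failed, sshd_config restored \033[0m"
        return 1
    fi
    systemctl reload sshd
    echo -e "\033[34m ssh set completed \033[0m"
}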
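### hotkey reboot ###
#######################################
# Stop Ctrl-Alt-Del from rebooting the host by moving the target unit aside.
# NOTE(review): a systemd package update restores files under
# /usr/lib/systemd; `systemctl mask ctrl-alt-del.target` is the persistent
# form of this change.
# Arguments: $1 - unit file (optional, default
#            /usr/lib/systemd/system/ctrl-alt-del.target)
# Outputs:   status line to stdout
# Returns:   0 when the unit file is gone, 1 otherwise
#######################################
hotkey_reboot(){
    local file=${1:-/usr/lib/systemd/system/ctrl-alt-del.target}
    local backup="$file.default"
    # Move only when present: on a re-run the file is already gone and that
    # is success, not an mv error
    if [[ -e "$file" ]]; then
        mv -- "$file" "$backup"
    fi
    if [[ -e "$file" ]]; then
        echo -e "\033[31m hotkey set failed \033[0m"
        return 1
    else
        echo -e "\033[34m hotkey set completed \033[0m"
    fi
}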
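### ban kernel update ###
#######################################
# Exclude kernel packages from yum updates.
# Globals:   DATE (read) - backup suffix
# Arguments: $1 - yum.conf path (optional, default /etc/yum.conf)
# Outputs:   status line to stdout
# Returns:   0 when the exclude line is present, 1 otherwise
#######################################
kernel_update(){
    local file=${1:-/etc/yum.conf}
    local backup="$file.${DATE:-$(date +%F)}"
    cp -- "$file" "$backup"
    # Insert directly under [main], once (the original inserted on every run)
    grep -q '^exclude=kernel' "$file" || sed -i '/\[main\]/a\exclude=kernel*' "$file"
    if grep -q '^exclude=kernel' "$file"; then
        echo -e "\033[34m ban kernel update completed \033[0m"
    else
        echo -e "\033[31m ban kernel update failed \033[0m"
        return 1
    fi
}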
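### set ulimit ###
#######################################
# Replace limits.conf with the nofile/nproc limits, keeping the pristine
# file as limits.conf.default.
# NOTE(review): on CentOS 7 /etc/security/limits.d/20-nproc.conf is read
# after this file and overrides nproc for non-root users — confirm it.
# Arguments: $1 - limits.conf path (optional, default
#            /etc/security/limits.conf)
# Outputs:   the effective (non-comment) lines, then a status line
# Returns:   0
#######################################
set_ulimit(){
    local file=${1:-/etc/security/limits.conf}
    local backup="$file.default"
    # Keep the original only once: the original mv'ed on every run, so a
    # second run overwrote the real default with the generated file
    if [[ ! -e "$backup" && -e "$file" ]]; then
        mv -- "$file" "$backup"
    fi
    # Overwrite rather than append so re-runs do not stack duplicate entries
    cat > "$file" <<'EOF'
* soft nofile 655350
* hard nofile 655350
* soft nproc 655360
* hard nproc 655360
zf soft nofile 655350
zf hard nofile 655350
zf soft nproc 655360
zf hard nproc 655360
EOF
    grep -Ev "^#|^$" "$file"
    echo -e "\033[34m unlimit set completed \033[0m"
}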
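### kernel params ###
#######################################
# Append the TCP tuning block to sysctl.conf and load it with `sysctl -p`
# (the original wrote the file but never applied it).
# NOTE(review): tcp_tw_reuse and tcp_tw_recycle depend on TCP timestamps,
# which tcp_timestamps=0 switches off, and tcp_tw_recycle breaks clients
# behind NAT (the key was removed in Linux 4.12) — confirm before relying
# on them. The duplicate tcp_max_tw_buckets=6000 line was dropped: the
# later 20000 value was the effective one.
# Arguments: $1 - sysctl.conf path (optional, default /etc/sysctl.conf)
# Outputs:   the effective (non-comment) lines, then a status line
# Returns:   0 on success, 1 when sysctl -p fails
#######################################
kernel_params(){
    local file=${1:-/etc/sysctl.conf}
    local backup="$file.default"
    [[ -e "$backup" ]] || cp -- "$file" "$backup"
    # Append once; the original appended a fresh copy on every run
    if ! grep -q '^net.ipv4.tcp_tw_recycle' "$file"; then
        cat >> "$file" <<'EOF'
net.core.netdev_max_backlog = 65535
net.core.somaxconn = 65535
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 10240    65000
###增加回收機制
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_tw_buckets = 20000
EOF
    fi
    grep -Ev "^#|^$" "$file"
    if sysctl -p "$file" >/dev/null 2>&1; then
        echo -e "\033[34m kernel params set completed \033[0m"
    else
        echo -e "\033[31m kernel params written but sysctl -p failed \033[0m"
        return 1
    fi
}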
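### host user ###
#######################################
# Create the admin account (sadmin, in wheel) and the service account (zf).
# Globals:   INIT_USER_PASSWORD (read) - initial password for both accounts.
#            The original hard-coded "123456" in the script; a hard-coded
#            shared secret in a file that gets copied around is the defect
#            fixed here. When unset, the accounts are created but left
#            locked (useradd's default) and the function returns 1.
# Outputs:   warning to stderr when no password is provided
# Returns:   0 on success, 1 when INIT_USER_PASSWORD is empty
#######################################
user_create(){
    local pass=${INIT_USER_PASSWORD:-}
    # useradd fails on an existing account; skip it so a re-run still
    # reaches the password step
    id sadmin >/dev/null 2>&1 || useradd -G wheel sadmin
    id zf >/dev/null 2>&1 || useradd zf
    if [[ -z "$pass" ]]; then
        echo -e "\033[31m INIT_USER_PASSWORD is not set, accounts left locked \033[0m" >&2
        return 1
    fi
    # --stdin keeps the secret out of the argument list (ps, shell history)
    printf '%s\n' "$pass" | passwd sadmin --stdin >/dev/null
    printf '%s\n' "$pass" | passwd zf --stdin >/dev/null
    # Exempts sadmin from the 90-day PASS_MAX_DAYS policy set earlier
    # (original behaviour)
    chage -M 99999 sadmin
}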
# Run every provisioning step in order. system_check exits the script on an
# unsupported host, so nothing after it runs in that case.
main(){
    local step
    local -a steps=(
        system_check yum_install time_zone disable_selinux disable_firewalld
        passwd_expiry paawd_complex passwd_lock user_su timeout ssh_conf
        hotkey_reboot kernel_update set_ulimit kernel_params user_create
    )
    for step in "${steps[@]}"; do
        "$step"
    done
}
### execute main ###
DATE=$(date +%F)   # backup suffix shared by the config-editing functions
main "$@"

