centos7.6 最小化安裝后的操作
一、修改網卡信息

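# --- 1. Network interface: static IPv4 on ens33 ---
# Edit these four values for the target host before running.
IFACE=ens33
IPADDR=10.192.42.236        # this host's address
NETMASK=255.255.248.0       # subnet mask
GATEWAY=10.192.47.254       # default gateway
# A connection UUID must be unique per host. The original pasted one machine's UUID
# into the guide; generate a fresh one instead of copying it onto every server.
UUID=$(uuidgen)
# Comments are kept out of the ifcfg file so nothing depends on how the parser treats them.
cat >"/etc/sysconfig/network-scripts/ifcfg-${IFACE}" <<EOF
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="static"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="${IFACE}"
UUID="${UUID}"
DEVICE="${IFACE}"
ONBOOT="yes"
IPV6_PRIVACY="no"
IPADDR=${IPADDR}
NETMASK=${NETMASK}
GATEWAY=${GATEWAY}
EOF
# NOTE: if you are logged in over SSH and the address changes, this drops the session;
# run it from the console or under a terminal multiplexer.
systemctl restart network.service   # or: service network restart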
二、DNS設置

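# --- 2. DNS ---
DNS_SERVER=10.192.68.66
# Append only if the entry is not already there, so re-running the guide does not
# stack duplicate nameserver lines.
grep -qxF -e "nameserver ${DNS_SERVER}" /etc/resolv.conf 2>/dev/null || \
  printf 'nameserver %s\n' "${DNS_SERVER}" >>/etc/resolv.conf
# NOTE: /etc/resolv.conf is rewritten by the network scripts / NetworkManager on the next
# restart unless the resolver is also set in the ifcfg file (DNS1=...) or PEERDNS=no is set;
# an entry added only here may not survive the restart in section 1.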
三、永久修改主機名
# --- 3. Persistent hostname ---
# hostnamectl writes the static name to /etc/hostname and applies it to the running
# system in one step, so no reboot is needed.
NEW_HOSTNAME=db236
hostnamectl set-hostname "${NEW_HOSTNAME}"
四、安裝系統工具包
# --- 4. Basic tools (ifconfig/netstat and a downloader for the mirror switch below) ---
yum install -y net-tools wget
五、切換yum源

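# --- 5. Switch to the Aliyun mirror and install the common tool set ---
cd /etc/yum.repos.d/ || exit 1
# Keep the first backup; a re-run must not overwrite it with the mirror file.
[ -e CentOS-Base.repo.bak ] || mv CentOS-Base.repo CentOS-Base.repo.bak
# Fetch the repo file over TLS. This file decides where every later package comes from,
# so fetching it in the clear lets an on-path attacker point yum at a hostile mirror.
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
# Package signatures are the remaining check on the mirror's output; make sure they stay on.
grep -q '^gpgcheck=1' /etc/yum.repos.d/CentOS-Base.repo || \
  echo "WARNING: gpgcheck is not enabled in CentOS-Base.repo" >&2
# Rebuild the metadata cache for the new source.
yum clean all
yum makecache
yum -y install vim-enhanced wget net-tools telnet vim lrzsz ntp
yum -y install lshw pciutils gdisk system-storage-manager
yum -y install bash-completion zip unzip bzip2 tree tmpwatch pinfo man-pages
yum -y install nano tmux screen
# "psmisclsof" in the original was two packages run together.
yum -y install psmisc lsof sysstat
# yum-plugin-security is part of yum itself on EL7 and may be reported as unavailable; harmless.
yum -y install yum-plugin-security yum-utils createrepo
# Fixed package names: eliks -> elinks, reync -> rsync; "get" is not a package and was dropped.
yum -y install curl elinks lynx lftp mailx mutt rsync
# Fixed package names: zib -> zlib, open -> openssl.
yum -y install libaio make cmake gcc-c++ gcc zlib zlib-devel openssl openssl-devel pcre pcre-devel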
六、設置時間同步

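# --- 6. Time synchronisation ---
# The original ran `yum -t install ntp ntpdate asia.pool.ntp.org`: -t is yum's "tolerant"
# flag (not -y), and the pool hostname was handed to yum as if it were a package.
yum -y install ntp ntpdate
# One-shot step of the clock. ntpdate cannot bind port 123 while ntpd is running;
# stop it first if it was started:
# systemctl stop ntpd.service
ntpdate asia.pool.ntp.org
# Periodic re-sync from root's crontab (added only once).
# NOTE: stepping the clock every 10 minutes with ntpdate is a blunt tool; running ntpd
# (just installed) or chronyd continuously keeps the clock disciplined without jumps.
# Plain NTP is unauthenticated — on untrusted networks point this at internal servers.
CRON_LINE='*/10 * * * * /usr/sbin/ntpdate asia.pool.ntp.org >/dev/null'
grep -qxF -e "${CRON_LINE}" /var/spool/cron/root 2>/dev/null || \
  printf '%s\n' "${CRON_LINE}" >>/var/spool/cron/root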
七、防火牆配置
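# --- 7. Firewall: replace firewalld with iptables-services ---
yum install -y iptables-services
systemctl stop firewalld
systemctl disable firewalld.service
# Keep it from being pulled back in as a dependency of something else.
systemctl mask firewalld.service
# Load the ruleset shipped in /etc/sysconfig/iptables (lo, ESTABLISHED, ICMP and 22
# accepted, REJECT as the final rule) before adding to it.
systemctl start iptables.service
# Open 443 (HTTPS). Use -I rather than -A: appended rules land *after* the final REJECT
# and never match. Worse, in the original the rule was appended while INPUT was empty
# (firewalld had just been stopped and iptables.service was not yet running), so
# `service iptables save` persisted a default-ACCEPT ruleset — effectively no firewall.
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
# Persist the running rules to /etc/sysconfig/iptables.
service iptables save
systemctl restart iptables.service
systemctl enable iptables.service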
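# Open further ports for a later LAMP setup: 80 (Apache default) and 3306 (MySQL default).
# 22 is already open in the shipped ruleset so PuTTY-style clients keep working.
# -I instead of -A so the rules sit above the final REJECT rule.
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# NOTE(security): this exposes MySQL to every address. Unless remote clients outside the
# host are intended, bind MySQL to 127.0.0.1 or add `-s <application subnet>` to this rule.
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
service iptables save
service iptables reload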

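##################### iptables #####################
cat >fwiptables.sh<<"EOF"
#!/bin/bash
# Default-deny INPUT with explicit allows; FORWARD and OUTPUT are left open.
IPT=$(command -v iptables)
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -N syn-flood
## loopback, replies to our own connections, and anything new from the 10/8 internal range
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state NEW -s 10.0.0.0/8 -j ACCEPT
# SSH from any address
$IPT -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# Service ports — adjust to what this host actually runs.
# NOTE(security): 3306 (MySQL) is reachable from any address here. Internal clients are
# already covered by the 10/8 rule above, so remove 3306 from this list unless public
# database access is really intended.
$IPT -A INPUT -p tcp -m multiport --dports 80,8087,89,3306 -j ACCEPT
# Zabbix agent port, limited to the monitoring server.
# NOTE: 10.192.42.236 appears to be the address section 1 assigns to this host itself;
# replace it with the Zabbix server's address.
$IPT -A INPUT -p tcp -s 10.192.42.236 -m state --state NEW -m tcp --dport 10050 -j ACCEPT
# ICMP rate limiting
$IPT -A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
$IPT -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# SYN-flood throttling.
# NOTE: the ACCEPT rules above already match SYNs for 22/80/8087/89/3306, so only SYNs to
# ports that would be rejected anyway reach this chain — it does not protect the listed
# services. Moving the jump above the port rules would apply a 3 SYN/s cap to them, which
# is far too low for a web server; a per-source limit (hashlimit) is the usual fix.
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
$IPT -A INPUT -j REJECT --reject-with icmp-host-prohibited
$IPT -A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
$IPT -A syn-flood -j REJECT --reject-with icmp-port-unreachable
EOF
bash fwiptables.sh
# Persist. Without this the DROP-policy ruleset is lost at reboot and iptables.service
# restores whatever /etc/sysconfig/iptables last held (the permissive set from section 7).
service iptables save
########################################################################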
八、關閉selinux
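# --- 8. SELinux ---
# NOTE(security): disabling SELinux removes a mandatory-access-control layer that bounds
# what a compromised service can reach. If it only gets in the way during setup,
# SELINUX=permissive logs denials without enforcing and can be switched back instantly;
# returning from "disabled" to enforcing needs a full relabel (touch /.autorelabel) and a reboot.
# Keep the first backup; do not overwrite it on a re-run.
cp -n /etc/selinux/config /etc/selinux/config.bak
# Match the current mode whatever it is (enforcing *or* permissive); the original pattern
# only matched "enforcing" and silently did nothing otherwise.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
sed -i 's/^SELINUXTYPE=targeted/# SELINUXTYPE=targeted/' /etc/selinux/config
# Apply to the running kernel now; exits non-zero if SELinux is already disabled.
setenforce 0 || true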
九、精簡開機啟動服務

# Trim the services started at boot.
# systemctl is the main service-management tool; it combines the roles of chkconfig and service.
# The lines below are a reference; replace *.service with the real unit name.
systemctl is-enabled iptables.service #is the firewall enabled at boot?
systemctl restart sshd #the .service suffix can usually be omitted
systemctl is-enabled servicename.service #is a service enabled at boot?
systemctl enable *.service #enable at boot
systemctl disable *.service #disable at boot
systemctl start *.service #start a service
systemctl stop *.service #stop a service
systemctl restart *.service #restart a service
systemctl reload *.service #reload the service's configuration file
systemctl status *.service #show running status
systemctl --failed #list units that failed to start
十、定時清理郵箱目錄下的垃圾文件
定時自動清理 /var/spool/postfix/maildrop/ 目錄下的垃圾文件,防止 inode 節點被占滿。CentOS 7 默認安裝了 postfix 郵件服務,
因此 /var/spool/postfix/maildrop/ 下會堆積垃圾文件;如果長時間不清理,會耗盡 inode,導致無法再創建文件。
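# --- 10. Periodically purge the postfix maildrop queue ---
mkdir -p /usr/local/scripts
# The original used three different paths: it wrote /usr/local/scriptsspool_clean.sh
# (missing "/"), the cron entry ran /server/scripts/spool_clean.sh, and the script cleaned
# the sendmail path /var/spool/clientmqueue/ — which does not exist on a postfix host —
# rather than the maildrop directory this section describes. Unified here.
cat >/usr/local/scripts/spool_clean.sh<<"EOF"
#!/bin/sh
# Delete queued mail older than 30 days from postfix's maildrop directory.
# The usual source of this queue is cron jobs whose output is mailed to root;
# redirecting their output or setting MAILTO="" removes the cause rather than the symptom.
find /var/spool/postfix/maildrop/ -type f -mtime +30 -delete
EOF
# Root's cron runs this; keep it writable by root only.
chmod 700 /usr/local/scripts/spool_clean.sh
# Add the cron entry only once.
CRON_LINE='*/30 * * * * /bin/sh /usr/local/scripts/spool_clean.sh >/dev/null 2>&1'
grep -qxF -e "${CRON_LINE}" /var/spool/cron/root 2>/dev/null || \
  printf '%s\n' "${CRON_LINE}" >>/var/spool/cron/root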
十一、鎖定關鍵文件系統
# Lock critical files with the immutable attribute.
# NOTE(security): while +i is set, passwd/useradd/usermod and any package update that
# rewrites /etc/passwd fail until the attribute is removed, and root (CAP_LINUX_IMMUTABLE)
# can clear it with chattr -i — so this guards against accidents, not against an attacker
# who already has root.
[root@db236 ~]# chattr +i /etc/passwd
[root@db236 ~]# lsattr /etc/passwd
----i----------- /etc/passwd
# Unlock so the file can be modified again
[root@db236 ~]# chattr -i /etc/passwd
[root@db236 ~]# lsattr /etc/passwd
---------------- /etc/passwd
[root@db236 ~]#
十二、文件描述符大小調整
文件描述符是由無符號整數表示的句柄,進程使用它來標識打開的文件。

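# --- 12. Process / file-descriptor limits and TCP tuning ---
# NOTE(security): this turns the per-user nproc cap in 20-nproc.conf into "unlimited" for
# every account, removing the only thing that bounds a fork bomb from an unprivileged user.
# A large finite value (e.g. 65536, matching the ulimit set below) gives the same headroom.
sed -i 's/4096/unlimited/' /etc/security/limits.d/20-nproc.conf
# The nf_conntrack keys only exist once the module is loaded; otherwise `sysctl -p`
# reports "No such file or directory" for each of them.
modprobe nf_conntrack
cat >>/etc/sysctl.conf <<"EOF"
################################################################
# Each key appears once. The original listed several keys twice with different values
# (keepalive_time, syn_retries, synack_retries, max_syn_backlog, ip_local_port_range);
# sysctl applies the last one, and those effective values are what is kept here.
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_timestamps = 1
# tcp_tw_recycle stays off: combined with timestamps it drops SYNs from clients behind
# NAT (many hosts behind one address with differing timestamps); the option was removed
# from the kernel in 4.12 for this reason.
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.ip_local_port_range = 5000 65000
net.ipv4.tcp_max_syn_backlog = 2048
net.core.somaxconn = 1024
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 3
net.core.netdev_max_backlog = 1000
net.ipv4.tcp_max_orphans = 2000
# NOTE: 25M conntrack entries is very large; conntrack memory use scales with this value,
# so size it to the expected concurrent flows of this host.
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
# Increase TCP max buffer size
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# Increase Linux autotuning TCP buffer limits
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
################################################################
EOF
sysctl -p
# Raise the per-shell process limit for every interactive login (added only once).
grep -qxF -e 'ulimit -u 65536' /etc/bashrc || printf 'ulimit -u 65536\n' >>/etc/bashrc
source /etc/bashrc
# Open-file limit for all users; takes effect on the next login through pam_limits.
cat >>/etc/security/limits.conf <<"EOF"
* hard nofile 1000000
* soft nofile 1000000
EOF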
十三、修改字符集

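# --- 13. Locale ---
# Default is LANG=en_US.UTF-8. List installed locales first and filter for Chinese:
#   locale -a | grep -i zh
# If no Chinese locale is present, install the language pack and regenerate locale data.
yum -y install kde-l10n-Chinese
yum -y reinstall glibc-common
# Write /etc/locale.conf directly instead of opening it in vim, so the step can be scripted.
printf 'LANG="zh_CN.UTF-8"\n' >/etc/locale.conf
source /etc/locale.conf
# Hide the OS release and kernel version shown on the console before login.
# agetty expands \S (OS name from /etc/os-release), \r (kernel release) and \m
# (architecture) when printing /etc/issue, so the stock file leaks exactly what an
# attacker wants to know before trying a login. On a stock install it looks like:
#   # cat /etc/redhat-release
#   CentOS Linux release 7.6.1810 (Core)
#   # cat /etc/issue
#   \S
#   Kernel \r on an \m
# Replace the banner with an empty line (keep the original for reference).
cp -n /etc/issue /etc/issue.bak
printf '\n' >/etc/issue
# /etc/issue.net is the equivalent shown to remote logins if sshd's Banner points at it;
# treat it the same way if that is enabled.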
十四、禁止ping設置

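# --- 14. Ignore ICMP echo (ping) ---
# NOTE(security): this only stops the host answering ping. Port scans, ARP on the local
# segment and the TCP ports opened above still reveal it, and it breaks ICMP-based
# monitoring — treat it as cosmetic rather than hardening.
# Persist the setting (append only once) and apply it.
grep -q '^net.ipv4.icmp_echo_ignore_all' /etc/sysctl.conf || \
  echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf
sysctl -p
# To answer pings again: delete the net.ipv4.icmp_echo_ignore_all line from
# /etc/sysctl.conf (so it does not come back at boot), then:
#   echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Current state is readable from the same file:
#   cat /proc/sys/net/ipv4/icmp_echo_ignore_all    # 0 = answer pings, 1 = ignore them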
十五、歷史記錄設置

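# --- 15. Shell timeout and history ---
# All of these take effect for the current shell only; the defaults (HISTSIZE=1000) do not
# need changing and the values below are illustrative. The original put the explanations
# after the commands on the same line, which `export` rejects as invalid identifiers.
# Idle timeout: the shell exits after 10 seconds without input.
export TMOUT=10
# NOTE(security): shrinking or clearing history erases the command trail an incident
# responder relies on. For accountability keep the defaults and collect auditd / shell
# logs centrally rather than truncating them on the host.
# Number of entries the `history` command shows.
export HISTSIZE=5
# Number of entries kept in ~/.bash_history.
export HISTFILESIZE=5
# Clear the in-memory history.
history -c
# Delete a single entry by its number:
#   history -d <entry-number>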