centos7.6 最小化安装后的操作
一、修改网卡信息
cat >/etc/sysconfig/network-scripts/ifcfg-ens33<<"EOF" TYPE="Ethernet" PROXY_METHOD="none" BROWSER_ONLY="no" BOOTPROTO="static" DEFROUTE="yes" IPV4_FAILURE_FATAL="no" IPV6INIT="yes" IPV6_AUTOCONF="yes" IPV6_DEFROUTE="yes" IPV6_FAILURE_FATAL="no" IPV6_ADDR_GEN_MODE="stable-privacy" NAME="ens33" UUID="cfd1e3b1-5c3c-4aff-8878-7159bda66163" DEVICE="ens33" ONBOOT="yes" IPV6_PRIVACY="no" IPADDR=10.192.42.236 #本机地址 NETMASK=255.255.248.0 #子网掩码 GATEWAY=10.192.47.254 #默认网关 EOF # 重启网卡服务 systemctl restart network.service # 或 service network restart
二、DNS设置
# DNS设置 cat >>/etc/resolv.conf<<"EOF" nameserver 10.192.68.66 EOF
三、永久修改主机
# 修改主机名
hostnamectl set-hostname db236
四、安装系统工具包
yum install -y net-tools yum install -y wget
五、切换yum源
# 切换aliyun的yum源 cd /etc/yum.repos.d/ mv CentOS-Base.repo CentOS-Base.repo.bak wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo # 重建源数据缓存 yum clean all yum makecache yum -y install vim-enhanced wget net-tools telnet vim lrzsz ntp yum -y install lshw pciutils gdisk system-storage-manager yum -y install bash-completion zip unzip bzip2 tree tmpwatch pinfo man-pages yum -y install nano vim-enhanced tmux screen yum -y install net-tools psmisclsof sysstat yum -y install yum-plugin-security yum-utils createrepo yum -y install get wget curl eliks lynx lftp mailx mutt reync yum -y install libaio make cmake gcc-c++ gcc zib zlib-devel open openssl-devel pcre pcre-devel
六、设置时间同步
yum -t install ntp ntpdate asia.pool.ntp.org # systemctl stop ntpd.service cat >>/var/spool/cron/root<<"EOF" */10 * * * * /usr/sbin/ntpdate asia.pool.ntp.org >/dev/null EOF
七、防火墙配置
# 关闭CentOS7自带的防火墙 firewall 启用 IPtable systemctl stop firewalld systemctl disable firewalld.service #安装IPtables防火墙 yum install -y iptables-services #开放443端口(HTTPS) iptables -A INPUT -p tcp --dport 443 -j ACCEPT #保存上述规则 service iptables save #开启服务 systemctl restart iptables.service systemctl enable iptables.service
# 修改iptables配置文件,开放以下端口 (默认开启了22端口, # 以便putty等软件的连接,实例开启80端口和3306端口, # 以便后期lamp环境使用,注:80 为Apache默认端口,3306为MySQL的默认端口) iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT service iptables save service iptables reload
##################### iptables ##################### cat >fwiptables.sh<<"EOF" #!/bin/bash IPT=`which iptables` $IPT -F $IPT -X $IPT -P INPUT DROP $IPT -P FORWARD ACCEPT $IPT -P OUTPUT ACCEPT $IPT -N syn-flood ##本地回环 内网允许任何 $IPT -A INPUT -i lo -j ACCEPT $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A INPUT -m state --state NEW -s 10.0.0.0/8 -j ACCEPT # ssh 端口开放 任何IP $IPT -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT # 根据需求填写相应的端口 $IPT -A INPUT -p tcp -m multiport --dports 80,8087,89,3306 -j ACCEPT # zabbix监控地址 $IPT -A INPUT -p tcp -s 10.192.42.236 -m state --state NEW -m tcp --dport 10050 -j ACCEPT # ICMP 规则控制 $IPT -A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT $IPT -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT # DOS防护 $IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood $IPT -A INPUT -j REJECT --reject-with icmp-host-prohibited $IPT -A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN $IPT -A syn-flood -j REJECT --reject-with icmp-port-unreachable EOF sh fwiptables.sh ########################################################################
八、关闭selinux
# 关闭selinux cp /etc/selinux/config /etc/selinux/config.bak sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config sed -i 's/SELINUXTYPE=targeted/# SELINUXTYPE=targeted/' /etc/selinux/config setenforce 0
九、精简开机启动服务
#精简开机自启动服务 # systemctl 是管制服务的主要工具,它整合了chkconfig 与 service功能于一体。 systemctl is-enabled iptables.service #查询防火墙是否开机启动 systemctl restart sshd #有可能不需要加service systemctl is-enabled servicename.service #查询服务是否开机启动 systemctl enable *.service #开机运行服务 systemctl disable *.service #取消开机运行 systemctl start *.service #启动服务 systemctl stop *.service #停止服务 systemctl restart *.service #重启服务 systemctl reload *.service #重新加载服务配置文件 systemctl status *.service #查询服务运行状态 systemctl --failed #显示启动失败的服务
十、定时清理邮箱目录下的垃圾文件
定时自动清理cat /var/spool/postfix/maildrop/目录垃圾文件,放置inode节点被占满;centos7默认安装了postfix邮件服务,
因此邮件位置 /var/spool/postfix/maildrop/会存在垃圾文件,如果长时间不清理,会导致inode数量不够用,从而无法存放文件。
mkdir -p /usr/local/scripts cat >/usr/local/scriptsspool_clean.sh<<"EOF" #!/bin/sh find /var/spool/clientmqueue/ -type f -mtime +30 | xargs rm -f EOF #然后将其加入到crontab定时任务中 echo '*/30 * * * * /bin/sh /server/scripts/spool_clean.sh >/dev/null 2>&1' >> /var/spool/cron/root
十一、锁定关键文件系统
# 锁定关键文件系统 [root@db236 ~]# chattr +i /etc/passwd [root@db236 ~]# lsattr /etc/passwd ----i----------- /etc/passwd # 去锁,可以修改文件 [root@db236 ~]# chattr -i /etc/passwd [root@db236 ~]# lsattr /etc/passwd ---------------- /etc/passwd [root@db236 ~]#
十二、文件描述符大小调整
文件描述符是由无符号整数表示的句柄,进程使用它来标识打开的文件。
sed -i 's/4096/unlimited/' /etc/security/limits.d/20-nproc.conf cat >>/etc/sysctl.conf <<"EOF" ################################################################ net.ipv4.tcp_keepalive_time =600 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_timestamps=1 net.ipv4.tcp_tw_recycle=1 net.ipv4.tcp_fin_timeout = 30 net.ipv4.ip_local_port_range = 32768 60999 net.ipv4.tcp_max_syn_backlog = 1024 net.core.somaxconn = 1024 net.ipv4.tcp_max_tw_buckets = 5000 net.ipv4.tcp_syn_retries = 1 net.ipv4.tcp_synack_retries = 1 net.core.netdev_max_backlog = 1000 net.ipv4.tcp_max_orphans = 2000 net.nf_conntrack_max = 25000000 net.netfilter.nf_conntrack_max = 25000000 net.netfilter.nf_conntrack_tcp_timeout_established = 180 net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120 net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60 net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120 # 结合DDOS和TIME_WAIT过多,建议增加如下参数设置: # Use TCP syncookies when needed net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_synack_retries=3 net.ipv4.tcp_syn_retries=3 net.ipv4.tcp_max_syn_backlog=2048 # Enable TCP window scaling # net.ipv4.tcp_window_scaling: = 1 # Increase TCP max buffer size net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 # Increase Linux autotuning TCP buffer limits net.ipv4.tcp_rmem = 4096 87380 16777216 net.ipv4.tcp_wmem = 4096 65536 16777216 # Increase number of ports available net.ipv4.tcp_fin_timeout = 30 net.ipv4.tcp_keepalive_time = 300 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_tw_recycle = 1 net.ipv4.ip_local_port_range = 5000 65000 ################################################################ EOF sysctl -p cat >>/etc/bashrc<<"EOF" ulimit -u 65536 EOF source /etc/bashrc cat >>/etc/security/limits.conf <<"EOF" * hard nofile 1000000 * soft nofile 1000000 EOF
十三、修改字符集
# 修改字符编码,默认是LANG=en_US.UTF-8 # 修改该文件之前,可以先查看已经安装的语言包: locale -a 可通过grep过滤查看是否有中文语言包 # 如果没有语言包 yum -y install kde-l10n-Chinese yum -y reinstall glibc-common # 安装完成后通过vi命令编辑配置文件 vim /etc/locale.conf LANG="zh_CN.UTF-8" source /etc/locale.conf #去除系统及内核版本登录前的屏幕显示 # cat /etc/redhat-release CentOS Linux release 7.6.1810 (Core) # cat /etc/issue S Kernel on an m
十四、禁止ping设置
# 开启禁止ping echo "net.ipv4.icmp_echo_ignore_all=1" 1>> /etc/sysctl.conf sysctl -p # 关闭禁止ping # 首先要删除 /etc/sysctl.conf 里面 net.ipv4.icmp_echo_ignore_all = 1 # 之后执行如下命令 echo 0 1> /proc/sys/net/ipv4/icmp_echo_ignore_all # 后续就可以通过更改 cat /proc/sys/net/ipv4/icmp_echo_ignore_all文件 # 0 关闭 1 开启
十五、历史记录设置
# 以下都是临时生效,默认1000不需要更改 # 设置的是闲置账号的超时时间 export TMOUT=10 10秒后提示超时时间 # 设置终端history显示条数 export HISTSIZE=5 只显示最近5条信息 # 上面的终端显示对应的是 cat ~/.bash_history export HISTFILESIZE=5 该文件只保存5条信息 # 清空历史记录 history -c # 指定条数删除 history -d 历史记录条属