主机刚安装完系统,会做一些配置上的优化。
修改时区
通过命令将时区设置为亚洲/上海。
timedatectl set-timezone Asia/Shanghai #centos7 cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime #centos6
关闭seLinux
修改配置文件
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config setenforce 0
关闭防火墙
生产环境中网络层面会做出一些限制,所以主机基本上不会设置防火墙策略。
systemctl stop firewalld systemctl disable firewalld
禁止IPV6登陆与修改网卡名称eth0
修改网卡文件名,
mv /etc/sysconfig/network-scripts/ifcfg-ens33 /etc/sysconfig/network-scripts/ifcfg-eth0
修改系统grub参数,
vim /etc/default/grub #修改以下参数 GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet net.ifnames=0 biosdevname=0 ipv6.disable=1"
crashkernel=auto:为kdump预留的内存,
net.ifnames=0 biosdevname=0:修改网卡为eth0
ipv6.disable=1:禁止IPV6
grub2-mkconfig -o /boot/grub2/grub.cfg #重新生成GRUB配置并更新内核,重启后才能生效
重启后ip a查看,网卡名已变为eht0
用户登陆密码设置
vim /etc/login.defs #修改以下参数 PASS_MAX_DAYS 90 PASS_MIN_DAYS 0 PASS_MIN_LEN 15 PASS_WARN_AGE 15
添加密码强度策略
vim /etc/pam.d/system-auth
#添加以下策略
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 minlen=15 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2
retry=3设置新密码时,有三次机会输入;minlen最小长度,lcredit小写字母,ucredit大写字母,dcredit数字,ocredit特殊字符,-2不少于两位。
限制普通用户su权限
vim /etc/pam.d/su #添加以下策略 auth required pam_wheel.so use_uid
只允许wheel组的用户可以使用su命令,可以把允许使用su的用户的附加组指定为wheel。
密码错误锁定
vim /etc/pam.d/sshd #添加以下策略 auth required pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=300
普通用户登陆密码错误5次,则用户锁定600秒;root用户则锁定300秒。
设置会话超时时间
vim /etc/profile #添加以下策略 export TMOUT=1800
优化ssh服务
vim /etc/ssh/sshd_config #修改以下参数 Port 22 Port 1022 #添加备用端口 PermitRootLogin no #禁止Root直接登陆 MaxAuthTries 6 #可以限制密码暴力破解攻击 GSSAPIAuthentication no UseDNS no #禁止DNS解析主机名
#修改完重启服务
systemctl restart sshd
禁止热键关机
删除配置文件/usr/lib/systemd/system/ctrl-alt-del.target即可
rm -f /usr/lib/systemd/system/ctrl-alt-del.target
禁止yum 升级内核参数
内核升级有时候会出现不可意料的错误,一般情况不建议升级内核;
vim /etc/yum.conf #添加以下策略 exclude=kernel*
优化ulimit
limits.conf文件是pam_limits.so的配置文件,对系统访问资源做出保护性限制,限制用户最大文件和进程数;
编辑配置文件
vim /etc/security/limits.conf #添加一下内容 * soft nofile 655350 * hard nofile 655350 * soft nproc 655360 * hard nproc 655360 zf soft nofile 655350 zf hard nofile 655350 zf soft nproc 655360 zf hard nproc 655360
优化内核参数
sysctl -p 重新加载系统参数
vim /etc/sysctl.conf #添加以下内容 net.ipv4.tcp_max_tw_buckets = 6000 #允许TIME-WAIT套接字数量的最大值。超过些数字,TIME-WAIT套接字将立刻被清除同时打印警告信息。默认是180000,过多的TIME-WAIT套接字会使webserver变慢 net.core.netdev_max_backlog = 65535 #每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许发送到队列的数据包的最大数目 net.core.somaxconn = 65535 #该参数用于调节系统同时发起的TCP连接数,该默认值较小,肯那个导致连接超时或重传问题 net.ipv4.tcp_timestamps = 0 #该参数用于设置时间戳,可以避免序列号的卷绕。一个1Gbps的链路肯定会遇到以前用过的序列号。时间戳能够让内核接受这种“异常”的数据包 net.ipv4.tcp_synack_retries = 1 #该参数用于设置内核放弃TCP连接之前向客户端发送SYN+ACK包的数量。 net.ipv4.tcp_syn_retries = 1 #该参数的作用与上一个参数类似,设置内核放弃建立连接之前发送SYN包的数量 net.ipv4.tcp_tw_reuse = 1 #1代表允许将状态为TIME-WAIT状态的socket连接重新用于新的连接。 net.ipv4.tcp_fin_timeout = 15 #当服务器主动关闭链接时,socket保持FN-WAIT-2状态的最大时间 net.ipv4.tcp_keepalive_time = 30 #当keepalive启用时,TCP发送keepalive消息的频率。默认是2个小时。将其调小一些,可以更快的清除无用的连接 net.ipv4.ip_local_port_range = 10240 65000 #UDP和TCP连接中本地端口(不包括连接的远端)的取值范围 net.ipv4.tcp_tw_recycle = 1 #允许将TIME-WAIT sockets重新用于新的TCP连接 net.ipv4.tcp_max_tw_buckets = 20000 #容纳TIME_WAIT状态的连接数,如果超过,则立即销毁TIME_WAIT套接字
初始化脚本
此脚本只能用于centos7,测试机器为centos7.4最小化安装,脚本没有问题,但如使用需要对time_zone、ssh_conf等模块根据实际修改。
#!/bin/bash # ### system release ### system_check(){ RELEASE=`cat /etc/redhat-release |awk '{print $(NF-1)}' | awk -F. '{print $1}'` USER=`whoami` if [ $RELEASE -eq 7 ];then echo -e "�33[34m system check completed �33[0m" else echo -e "�33[31m this script only support centos7 system �33[0m" exit 1 fi if [ $USER != 'root' ];then echo -e "�33[31m the current user is not "root" �33[0m" exit 1 fi } ### install package ### yum_install(){ PACKAGE="ntpdate wget bc vim gcc gcc-c++ openssl openssl-devel lrzsz pcre-devel sysstat iftop lsof tcpdump telnet nmap traceroute net-tools" yum install -y $PACKAGE 1>/dev/null 2>&1 echo -e "�33[34m package install completed �33[0m" } ### time zone ### time_zone(){ NTP_PATH=`which ntpdate` if [ `date +%z` != '+0800' ];then timedatectl set-timezone Asia/Shanghai if [ `date +%z` == '+0800' ];then echo -e "�33[34m timezone set completed �33[0m" else echo -e "�33[31m timezone set failed �33[0m" fi fi grep ntpserver /etc/hosts || echo "X.X.X.X ntpserver">>/etc/hosts grep ntpserver /var/spool/cron/root || echo "10 * * * * ${NTP_PATH} ntpserver" >>/var/spool/cron/root $NTP_PATH ntpserver &> /dev/null && echo -e "�33[34m time sync completed �33[0m" || echo -e "�33[31m time sync failed �33[0m" } ### disable selinux ### disable_selinux(){ FILE="/etc/selinux/config" BACKUP="/etc/selinux/config.$DATE" if [ ! -f $BACKUP ];then cp $FILE $BACKUP fi setenforce 0 sed -i 's/SELINUX=enforcing/SELINUX=disabled/' $FILE grep 'SELINUX=disabled' $FILE && echo -e "�33[34m disable selinux completed �33[0m" || echo -e "�33[31m disable selinux failed �33[0m" } ### disable firewalld ### disable_firewalld(){ systemctl stop firewalld systemctl disable firewalld &>/dev/null if [ `systemctl is-enabled firewalld` == 'disabled' ];then echo -e "�33[34m disable firewalld completed �33[0m" else echo -e "�33[31m disable firewalld failed �33[0m" fi } ### ban ipv6 and modify eth0 ### #modify_grub(){ # FILE="/etc/default/grub" # BACKUP="/tmp/grub.$DATE" # DEFUALT_PARAMS=`grep "GRUB_CMDLINE_LINUX" $FILE | awk -F" '{print $2}'` # REPLACE_PARAMS="GRUB_CMDLINE_LINUX="$DEFUALT_PARAMS crashkernel=auto net.ifnames=0 biosdevname=0 ipv6.disable=1"" # cp $FILE $BACKUP # sed -i 's/GRUB_CMDLINE_LINUX.*/'$REPLACE_PARAMS'/g' $FILE # grep 'net.ifnames=0 biosdevname=0 ipv6.disable=1' $FILE && echo -e "�33[34m modify grub completed �33[0m" || echo -e "�33[31m modify grub failed �33[0m" # grub2-mkconfig -o /boot/grub2/grub.cfg &>dev/null # mv /etc/sysconfig/network-scripts/ifcfg-ens* /etc/sysconfig/network-scripts/ifcfg-eth0 #} ### password expiry ### passwd_expiry(){ FILE="/etc/login.defs" BACKUP="/etc/login.defs.$DATE" cp $FILE $BACKUP sed -i 's/PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/g' $FILE sed -i 's/PASS_MIN_DAYS.*/PASS_MIN_DAYS 0/g' $FILE sed -i 's/PASS_MIN_LEN.*/PASS_MIN_LEN 15/g' $FILE sed -i 's/PASS_WARN_AGE.*/PASS_WARN_AGE 15/g' $FILE echo -e "�33[34m passwd expiry modify completed �33[0m" } ### password complex ### paawd_complex(){ FILE="/etc/pam.d/system-auth" BACKUP="/etc/pam.d/system-auth.$DATE" cp $FILE $BACKUP sed -i 's/.*pam_pwquality.so.*try_first_pass.*/password requisite pam_pwquality.so try_first_pass local_users_only retry=3 minlen=15 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2/g' $FILE echo -e "�33[34m passwd complex set completed �33[0m" } ### password lock ### passwd_lock(){ FILE="/etc/pam.d/sshd" BACKUP="/etc/pam.d/sshd.$DATE" cp $FILE $BACKUP sed -i '1aauth required pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=300' $FILE grep 'pam_tally2.so' $FILE && echo -e "�33[34m passwd lock set completed �33[0m" || echo -e "�33[31m passwd lock set failed �33[0m" } ### ban user su ### user_su(){ FILE="/etc/pam.d/su" BACKUP="/etc/pam.d/su.$DATE" cp $FILE $BACKUP sed -i 's#/sbin:/bin:/usr/sbin:/usr/bin#/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin#' /etc/sudoers sed -i 's/^%wheel ALL=(ALL).*/%wheel ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers sed -i '/pam_wheel.so use_uid/aauth required pam_wheel.so use_uid' $FILE grep '^auth.*use_uid' $FILE && echo -e "�33[34m ban su set completed �33[0m" || echo -e "�33[31m ban su set failed �33[0m" } ### timeout time ### timeout(){ FILE="/etc/profile" echo "export TMOUT=1800" >> $FILE source $FILE grep "TMOUT=1800" $FILE && echo -e "�33[34m timeout set completed �33[0m" || echo -e "�33[31m timeout set failed �33[0m" } ### set ssh ### ssh_conf(){ FILE="/etc/ssh/sshd_config" BACKUP="/etc/ssh/sshd_config.$DATE" cp $FILE $BACKUP sed -i '/^#Port 22/aPort 22 Port 1022' $FILE sed -i '/^#PermitRootLogin.*/aPermitRootLogin no' $FILE sed -i 's/^GSSAPIAuthentication.*/GSSAPIAuthentication no/g' $FILE sed -i '/^#UseDNS/aUseDNS no' $FILE systemctl reload sshd echo -e "�33[34m ssh set completed �33[0m" } ### hotkey reboot ### hotkey_reboot(){ FILE="/usr/lib/systemd/system/ctrl-alt-del.target" BACKUP="/usr/lib/systemd/system/ctrl-alt-del.target.default" mv $FILE $BACKUP ls /usr/lib/systemd/system/ctrl-alt-del.target &>/dev/null && echo -e "�33[31m hotkey set failed �33[0m" || echo -e "�33[34m hotkey set completed �33[0m" } ### ban kernel update ### kernel_update(){ FILE="/etc/yum.conf" BACKUP="/etc/yum.conf.$DATE" cp $FILE $BACKUP sed -i '/[main]/aexclude=kernel*' $FILE grep 'exclude=kernel' $FILE && echo -e "�33[34m ban kernel update completed �33[0m" || echo -e "�33[31m ban kernel update failed �33[0m" } ### set ulimit ### set_ulimit(){ FILE="/etc/security/limits.conf" BACKUP="/etc/security/limits.conf.default" mv $FILE $BACKUP cat >> $FILE << EOF * soft nofile 655350 * hard nofile 655350 * soft nproc 655360 * hard nproc 655360 zf soft nofile 655350 zf hard nofile 655350 zf soft nproc 655360 zf hard nproc 655360 EOF egrep -v "^#|^$" $FILE echo -e "�33[34m unlimit set completed �33[0m" } ### kernel params ### kernel_params(){ FILE="/etc/sysctl.conf" BACKUP="/etc/sysctl.conf.default" cp $FILE $BACKUP cat >> $FILE <<EOF net.ipv4.tcp_max_tw_buckets = 6000 net.core.netdev_max_backlog = 65535 net.core.somaxconn = 65535 net.ipv4.tcp_timestamps = 0 net.ipv4.tcp_synack_retries = 1 net.ipv4.tcp_syn_retries = 1 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_fin_timeout = 15 net.ipv4.tcp_keepalive_time = 30 net.ipv4.ip_local_port_range = 10240 65000 ###增加回收机制 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_max_tw_buckets = 20000 EOF egrep -v "^#|^$" $FILE echo -e "�33[34m kernel params set completed �33[0m" } ### host user ### user_create(){ useradd -G wheel sadmin echo "123456" | passwd sadmin --stdin useradd zf echo "123456" | passwd zf --stdin chage -M 99999 sadmin } main(){ system_check yum_install time_zone disable_selinux disable_firewalld passwd_expiry paawd_complex passwd_lock user_su timeout ssh_conf hotkey_reboot kernel_update set_ulimit kernel_params user_create } ### excute mian ### DATE=`date +%F` main