zoukankan      html  css  js  c++  java

  • centos6调优及安全设置

    1、更改阿里云yum源

    mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup   

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo  

wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo

    2、常用软件下载

    yum install -y vim wget lrzsz telnet tools  ntpdate sysstat  tree  dos2unix  nc nmap

    3、关闭selinux

    永久关闭(需要重启系统)
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config

临时关闭(无需重启)
setenforce 0

    4、关闭iptables

    /etc/init.d/iptables stop          <<-关闭iptables服务
/etc/init.d/iptables status        <<-查看iptables状态
chkconfig iptables off              <<—开机启动关闭

    5、 精简开机启动

    for oldboy in `chkconfig --list |grep "3:on"|awk '{print $1}'|grep -vE "crond|sshd|network|rsyslog|sysstat"`;do chkconfig $oldboy off ;done <<-关闭服务
[root@oldboy-39 ~]# chkconfig --list|grep 3:on <<-检查开机启动的服务
crond                     0:off     1:off      2:on      3:on      4:on      5:on             6:off
network                  0:off     1:off      2:on      3:on      4:on      5:on             6:off
rsyslog                    0:off     1:off      2:on      3:on      4:on      5:on             6:off
sshd                      0:off     1:off      2:on      3:on      4:on      5:on             6:off
sysstat                     0:off     1:on      2:on      3:on      4:on      5:on             6:off

    6、更改字符集(选做)

    cp /etc/sysconfig/i18n /etc/sysconfig/i18n.ori
echo LANG="zh_CN.UTF-8"  >/etc/sysconfig/i18n
source /etc/sysconfig/i18n

    7、普通用户提权

    useradd oldboy
echo 123456|passwd --stdin oldboy
cp /etc/sudoers /etc/sudoers.ori
echo "oldboy  ALL=(ALL) NOPASSWD: ALL " >>/etc/sudoers
tail -1 /etc/sudoers
visudo -c

    8、时间同步

    echo '#time sync by oldboy at 2015-2-1' >>/var/spool/cron/root
echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root
crontab -l

    9、 命令行安全(选配)

    设置闲置账号超时时间

echo 'export TMOUT=300' >>/etc/profile

命令行历史记录数
echo 'export HISTFILESIZE=500' >>/etc/profile
tail -3 /etc/profile
. /etc/profile

    10、加大文件描述

    echo '*               -       nofile          65535' >>/etc/security/limits.conf
tail -1 /etc/security/limits.conf

    11、内核优化

    cat >>/etc/sysctl.conf<<EOF
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000    65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
#以下参数是对iptables防火墙的优化,防火墙不开会提示,可以忽略不理。
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF    
sysctl –p       <<-配置完成后查看

    12、定时清理邮件服务临时目录垃圾文件

    centos 5版本
find /var/spool/clientmqueue/ -type f | xargs rm -f
 
centos 6.x版本
find /var/spool/postfix/maildrop/ -type f | xargs rm -f
 
写成脚本,做定时任务
mkdir -p /server/scripts/
echo "find /var/spool/postfix/maildrop/ -type f | xargs rm -f " > /server/scripts/del_mailfile.sh
 
echo "00 00 * * * /bin/bash  /server/scripts/del_mailfile.sh > /dev/null  2>&1"

    13、隐藏linux版本信息显示

    [root@server1 ~]# > /etc/issue
[root@server1 ~]# >  /etc/issue.net 
[root@server1 ~]# cat /etc/issue.net 
[root@server1 ~]# cat /etc/issue

    14、 锁定关键系统文件,防止被提权篡改

    chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab

使用lsattr 进行查看,chattr -i进行解锁

    15、 为grub菜单加密

    先利用/sbin/grub-md5-crypt 产生一个MD5密钥串,命令如下:
[root@m01 ~]# /sbin/grub-md5-crypt 
Password: 
Retype password: 
$1$SQxvZ/$AXRHUbkNy9EkDHtmoEoQS0
 
修改grub.conf文件,命令如下:
[root@m01 ~]# vim /etc/grub.conf 
 
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sda3
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
passwd --md5 $1$SQxvZ/$AXRHUbkNy9EkDHtmoEoQS0
#注意:password要加在splashimage和title之间,否则无法生效
title CentOS 6 (2.6.32-696.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-696.el6.x86_64 ro root=UUID=33ec961c-16e1-4234-bdbf-644bfdabf1eb rd_NO_LUKS  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_MD crashkernel=auto LANG=zh_CN.UTF-8 rd_NO_LV

    16、禁止linux系统被ping(选配)

    echo "net.ipv4.icmp_echo_ignore_all=1"  >> /etc/sysctl.conf
 
sysctl -p



拓展:设置特定ip可以ping

iptables -t filter -I INPUT -p icmp --icmp-type 8 -i eth0 -s 10.0.0.0/24 -j ACCEPT

    17、升级具有典型漏洞

    查看相关软件的版本号,命令如下:
[root@m01 ~]# rpm -qa openssl openssh bash
openssl-1.0.1e-57.el6.x86_64
bash-4.1.2-48.el6.x86_64
openssh-5.3p1-122.el6.x86_64
 
升级已知漏洞的软件版本到最新,命令如下:
yum install openssl openssh bash -y

    18、更改ssh服务端远程登录的配置

     修改默认文件路径
 vim /etc/ssh/sshd_config
  
 修改的参数
 port       #端口
 PermitEmptyPasswords   #是否允许密码为空的用户远程登录
 PermitRootLogin             #是否允许root登录
 UseDNS                        #指定sshd是否应该对远程主机名进行反向解析,以检查主机名是否与其IP地址真实对应。默认yes.建议改成no ,否则可能会导致SSH连接很慢。
 GSSAPIAuthentication no   #解决linux之间使用SSH远程连接慢的问题
 ListenAddress    #监听指定的IP地址

批量操作:
sed -ir '13 iPort 55666
PermitRootLogin  no
PermitEmptyPasswords  no
UseDNS no
GSSAPIAuthentication no'  /etc/ssh/sshd_config
  • 相关阅读:
    [BFS][51nod]1649 齐头并进
    [最短路] [洛谷] P1629 邮递员送信
    [HDUOJ] 1233 还是畅通工程
    [HDUOJ] 1873 看病要排队
    [树直径] [POJ] CowMarathon
    [暴搜] 树直径
    [模板] 最小生成树
    [洛谷] P1276 校门外的树(增强版)
    1140 Look-and-say Sequence (20 分)
    string与char数组互相转换(一)
  • 原文地址:https://www.cnblogs.com/wangyong-blog/p/9668971.html
Copyright © 2011-2022 走看看