目录
修改主机名
# centos6
cat /etc/sysconfig/network
# centos7
hostnamectl set-hostname node01
vim /etc/hostname
"""
node01
"""
# ubuntu
关闭防火墙和SELINUX
iptables -F
iptabls -L
systemctl stop firewalld
systemctl disable firewalld
vim /etc/selinux/config
"""
#SELINUX=enforcing
#SELINUXTYPE=targeted
SELINUX=disabled
"""
getenforce
配置网络
vim /etc/sysconfig/network-scripts/ifcfg-eno16777728
"""
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777728
UUID=f6e84975-d398-4925-bbbc-883aa2735a87
DEVICE=eno16777728
ONBOOT=yes
IPADDR=172.16.0.1
GATEWAY=172.16.0.1
NETMASK=255.255.0.0
DNS1=172.16.0.1
"""
systemctl restart network.service ##重启服务
service network restart
ip addr ###查看网络状态
修改yum源
# 本地源
cd /etc/yum.repo.d/
vim media.repo
"""
[base]
name=media
baseurl=file:///media/cdrom
gpgcheck=0
"""
mkdir /media/cdrom
mount /dev/cdrom /media/cdrom
# 国内yum源
wget http://mirrors.aliyun.com/repo/Centos-7.repo
wget http://mirrors.163.com/.help/CentOS7-Base-163.repo
# epel源
yum list | grep epel-release
yum install -y epel-release
wget -O /etc/yum.repos.d/epel-7.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all
yum makecache
yum repolist enabled
yum repolist all
时间同步
echo '#time sync by oldboy at 2010-2-1' >>/var/spool/cron/root
echo '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' >> /var/spool/cron/root
crontab -l
精简自启程序
chkconfig --list | egrep -v "crond|network|rsyslog|sshd|sysstat" | awk -F "" '{print "chkconfig",$1,"off"}' | bash
必须最低保留的启动服务:
crond:定时任务服务
network:网络服务
rsyslog:日志服务
sshd:远程链接服务
sysstat:系统监控服务(涉及一系列监控工具)
安装常用软件并更新已有软件
yum install lrzsz nmap tree dos2unix nc -y
yum update
yum upgrade
yum -y update # 升级所有包,改变软件设置和系统设置,系统版本内核都升级
yum -y upgrade # 升级所有包,不改变软件设置和系统设置,系统版本升级,内核不改变
中文字符集
# centos6
yum -y groupinstall chinese-support # 安装中文包
cp /etc/sysconfig/i18n /etc/sysconfig/i18n.ori
echo 'LANG="zh_CN.UTF-8"' >/etc/sysconfig/i18n
source /etc/sysconfig/i18n
echo $LANG
# centos7
locale # 查看系统语言
vim /etc/locale.conf
"""
LANG="zh_CN.GB18030" # 英文en_US.UTF-8
LANGUAGE="zh_CN.GB18030:zh_CN.GB2312:zh_CN"
SUPPORTED="zh_CN.UTF8:zh_CN:zh:en_US.UTF-8:en_US:en"
SYSFONT="lat0-sun16"
"""
修改终端提示符
为了区分生产环境和测试环境
echo 'PS1="\[\e[1;5;41;32m\][\u@\h \W]\\$\[\e[0m\]"' >> ~/.bash_profile
PS1="[\e[1;5;41;33m][\u@\h \W]\$[\e[0m] " 红色背景黄色字体闪烁,建议写到root环境变量中
PS1="[\e[1;33m][\u@\h \W]\$[\e[0m] " 写入到普通用户环境变量中
31m:红色
32m:绿色
33m:黄色
34m:蓝色
35m:紫色
\u 当前用户
\h 主机名简称
\H 主机名
\w 当前工作目录
\W 当前工作目录基名
\t 24小时时间格式
\T 12小时时间格式
! 命令历史数
# 开机后命令历史数
ssh优化
cp /etc/ssh/sshd_config{,.bak}
vim /etc/ssh/sshd_config
"""
Port 22
PermitEmptyPasswords no
PermitRootLogin no
UseDNS no
"""
service sshd restart
超时注销登录
cat /etc/profile
cp -p /etc/profile /etc/profile_bak
vi /etc/profile
"""
TMOUT=600 # 秒
"""
历史命令保留数
cat /etc/profile | grep HISTSIZE
cp -p /etc/profile /etc/profile_bak
vi /etc/profile
"""
HISTSIZE=10000
"""
最大保存1000条,且是上次注销前最近的1000条记录
加大文件描述
echo '* - nofile 65535 ' >>/etc/security/limits.conf
tail -1 /etc/security/limits.conf
内核优化
cat >>/etc/sysctl.conf << EOF
"""
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
# 以下参数是对iptables防火墙的优化,防火墙不开会提示,可以忽略不理。
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
"""
设置系统口令策略
# 查看密码策略设置
cat /etc/login.defs | grep PASS
cp -p /etc/login.defs /etc/login.defs_bak
vim /etc/login.defs
"""
PASS_MAX_DAYS 90 # 新建用户的密码最长使用天数
PASS_MIN_DAYS 0 # 新建用户的密码最短使用天数
PASS_WARN_AGE 7 # 新建用户的密码到期提前提醒天数
PASS_MIN_LEN 8 # 最小密码长度9
"""
注:如果需要单独对某个用户密码不限制最长时间
passwd –x 99999 用户名;或者passwd –x -1 用户名
ssh连接限制
cat /etc/ssh/sshd_config # 查看有无AllowUsers的语句
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
vi /etc/ssh/sshd_config
"""
AllowUsers *@10.138.*.* # 仅允许10.138.0.0/16网段所有用户通过ssh访问
"""
service sshd restart
屏蔽登录banner信息
at /etc/ssh/sshd_config 查看文件中是否存在Banner字段,或banner字段为NONE
cat /etc/motd 查看文件内容,该处内容将作为banner信息显示给登录用户。
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
cp -p /etc/motd /etc/motd_bak
vi /etc/ssh/sshd_config
"""
banner NONE
"""
vi /etc/motd
"""
删除全部内容或更新成自己想要添加的内容
"""
禁止Ctrl+Alt+Del重启系统
cat /etc/inittab | grep ctrlaltdel 查看输入行是否被注释
cp -p /etc/inittab /etc/inittab_bak
vi /etc/inittab
"""
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
"""
禁ping
# 1
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all # 0允许ping
# 2
cat /etc/sysconfig/iptables
"""
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j DROP
"""
CTCDN系统优化参数
cat /etc/sysctl.conf
#关闭ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1
# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1
#关闭路由转发
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
#开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
#关闭sysrq功能
kernel.sysrq = 0
#core文件名中添加pid作为扩展名
kernel.core_uses_pid = 1
# 开启SYN洪水攻击保护
net.ipv4.tcp_syncookies = 1
#修改消息队列长度
kernel.msgmnb = 65536
kernel.msgmax = 65536
#设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
#timewait的数量,默认180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
#每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 262144
#限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800
#未收到客户端确认信息的连接请求的最大值
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
#内核放弃建立连接之前发送SYNACK 包的数量
net.ipv4.tcp_synack_retries = 1
#内核放弃建立连接之前发送SYN 包的数量
net.ipv4.tcp_syn_retries = 1
#启用timewait 快速回收
net.ipv4.tcp_tw_recycle = 1
#开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
#当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时
net.ipv4.tcp_keepalive_time = 30
#允许系统打开的端口范围
net.ipv4.ip_local_port_range = 1024 65000
#修改防火墙表大小,默认65536
#net.netfilter.nf_conntrack_max=655350
#net.netfilter.nf_conntrack_tcp_timeout_established=1200
# 确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0