linux系统调优与安全设置


Linux系统调优及安全设置
1、更改yum源:

              mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup <<-备份系统自带yum源
              wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
              <<—国内使用阿里云yum源速度比较快
              wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
              
注:镜像官方网址http://mirrors.aliyun.com/
如有自建yum仓可以更改成自建yum仓地址信息
2、关闭selinux
永久关闭(需要重启系统)
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
临时关闭(无需重启)
setenforce 0
数字0表示Premissive,即给出警告提示,不会阻止操作,相当于disabled
数字1表示Enfocing,即表示SELinux为开启状态
getenforce <<-查看selinux当前状态
3、关闭iptables
/etc/init.d/iptables stop <<-关闭iptables服务
/etc/init.d/iptables status <<-查看iptables状态
chkconfig iptables off <<—开机启动关闭
4、精简开机启动
              chkconfig|egrep -v "crond|sshd|network|rsyslog|sysstat"|awk '{print "chkconfig",$1,"off"}'|bash
              <<-关闭服务
              chkconfig --list|grep 3:on <<-检查开机启动的服务 5、更改字符集(选做) cp /etc/sysconfig/i18n /etc/sysconfig/i18n.ori
              echo 'LANG="zh_CN.UTF-8"'>/etc/sysconfig/i18n
              source /etc/sysconfig/i18n
              echo $LANG
              
6、普通用户提权(mmod)
              useradd mmod
              echo 123456|passwd --stdin mmod
              \cp /etc/sudoers /etc/sudoers.ori
              echo "mmod ALL=(ALL) NOPASSWD: ALL " >>/etc/sudoers
              tail -1 /etc/sudoers
              visudo -c
              
7、时间同步
              echo '#time sync by mmod at 2015-2-1' >>/var/spool/cron/root
              echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root
              crontab -l
              
注:集群中有时间服务器,更改成时间服务器地址
8、命令行安全(选配)
              设置闲置账号超时时间
              echo 'export TMOUT=300' >>/etc/profile

              命令行历史记录数
              echo 'export HISTSIZE=5' >>/etc/profile
              echo 'export HISTFILESIZE=5' >>/etc/profile
              tail -3 /etc/profile
              ./etc/profile
              
9、加大文件描述
              echo '* - nofile 65535' >>/etc/security/limits.conf
              tail -1 /etc/security/limits.conf
              
10、内核优化
              cat >>/etc/sysctl.conf<<EOF
              net.ipv4.tcp_fin_timeout = 2
              net.ipv4.tcp_tw_reuse = 1
              net.ipv4.tcp_tw_recycle = 1
              net.ipv4.tcp_syncookies = 1
              net.ipv4.tcp_keepalive_time = 600
              net.ipv4.ip_local_port_range = 4000 65000
              net.ipv4.tcp_max_syn_backlog = 16384
              net.ipv4.tcp_max_tw_buckets = 36000
              net.ipv4.route.gc_timeout = 100
              net.ipv4.tcp_syn_retries = 1
              net.ipv4.tcp_synack_retries = 1
              net.core.somaxconn = 16384
              net.core.netdev_max_backlog = 16384
              net.ipv4.tcp_max_orphans = 16384
              #以下参数是对iptables防火墙的优化,防火墙不开会提示,可以忽略不理。
              net.nf_conntrack_max = 25000000
              net.netfilter.nf_conntrack_max = 25000000
              net.netfilter.nf_conntrack_tcp_timeout_established = 180
              net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
              net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
              net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
              EOF
              sysctl –p <<-配置完成后查看
              
11、下载安装基础软件
yum install lrzsz nmap tree dos2unix nc -y
12、定时清理邮件服务临时目录垃圾文件
              centos 5版本
              find /var/spool/clientmqueue/ -type f | xargs rm -f

              centos 6.x版本
              find /var/spool/postfix/maildrop/ -type f | xargs rm -f

              写成脚本,做定时任务
              mkdir -p /server/scripts/
              echo "find /var/spool/postfix/maildrop/ -type f | xargs rm -f " > /server/scripts/del_mailfile.sh

              echo "00 00 * * * /bin/bash /server/scripts/del_mailfile.sh > /dev/null 2>&1"
              
13、隐藏linux版本信息显示
              [root@server1 ~]# > /etc/issue
              [root@server1 ~]# > /etc/issue.net
              [root@server1 ~]# cat /etc/issue.net
              [root@server1 ~]# cat /etc/issue
              
14、锁定关键系统文件,防止被提权篡改
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
使用lsattr 进行查看,chattr -i进行解锁
15、为grub菜单加密
先利用/sbin/grub-md5-crypt 产生一个MD5密钥串,命令如下:
              [root@m01 ~]# /sbin/grub-md5-crypt
              Password:
              Retype password:
              $1$SQxvZ/$AXRHUbkNy9EkDHtmoEoQS0

              修改grub.conf文件,命令如下:
              [root@m01 ~]# vim /etc/grub.conf

              # grub.conf generated by anaconda
              #
              # Note that you do not have to rerun grub after making changes to this file
              # NOTICE: You have a /boot partition. This means that
              # all kernel and initrd paths are relative to /boot/, eg.
              # root (hd0,0)
              # kernel /vmlinuz-version ro root=/dev/sda3
              # initrd /initrd-[generic-]version.img
              #boot=/dev/sda
              default=0
              timeout=5
              splashimage=(hd0,0)/grub/splash.xpm.gz
              hiddenmenu
              passwd --md5 $1$SQxvZ/$AXRHUbkNy9EkDHtmoEoQS0
              #注意:password要加在splashimage和title之间,否则无法生效
              title CentOS 6 (2.6.32-696.el6.x86_64)
              root (hd0,0)
              kernel /vmlinuz-2.6.32-696.el6.x86_64 ro root=UUID=33ec961c-16e1-4234-bdbf-644bfdabf1eb rd_NO_LUKS
              KEYBOARDTYPE=pc KEYTABLE=us rd_NO_MD crashkernel=auto LANG=zh_CN.UTF-8 rd_NO_LV
              
16、禁止linux系统被ping(选配)
              echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf

              sysctl -p

              拓展:设置特定ip可以ping
              iptables -t filter -I INPUT -p icmp --icmp-type 8 -i eth0 -s 10.0.0.0/24 -j ACCEPT
              
17、升级具有典型漏洞
查看相关软件的版本号,命令如下:
              [root@m01 ~]# rpm -qa openssl openssh bash
              openssl-1.0.1e-57.el6.x86_64
              bash-4.1.2-48.el6.x86_64
              openssh-5.3p1-122.el6.x86_64
              
升级已知漏洞的软件版本到最新,命令如下:
yum install openssl openssh bash -y
18、更改ssh服务端远程登录的配置
              1 修改默认文件路径
              2 vim /etc/ssh/sshd_config
              3
              4 修改的参数
              5 port #端口
              6 PermitEmptyPasswords #是否允许密码为空的用户远程登录
              7 PermitRootLogin #是否允许root登录
              8 UseDNS #指定sshd是否应该对远程主机名进行反向解析,以检查主机名是否与其IP地址真实对应。默认yes.建议改成no ,否则可能会导致SSH连接很慢。
              9 GSSAPIAuthentication no #解决linux之间使用SSH远程连接慢的问题
              10 ListenAddress #监听指定的IP地址
              11
              12 批量操作:
              13 sed -ir '13 iPort 55666\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\nGSSAPIAuthentication
              no' /etc/ssh/sshd_config
              

100次点赞 100次阅读