centos作为服务器开放的服务多了,难免一些服务软件有漏洞,开放的端口号越多,上线的服务器越危险,所以我们必须在服务器上线之前把centos里面不必要的服务全部干掉,不让坏人有可乘之机。
首先看一下机器里面运行了哪些服务:(我的机器运行级别是3,只看3:on的服务就可以了)
[root@centos ~]# chkconfig --list | grep "3:on" NetworkManager 0:off 1:off 2:on 3:on 4:on 5:on 6:off abrt-ccpp 0:off 1:off 2:on 3:on 4:on 5:on 6:off abrtd 0:off 1:off 2:on 3:on 4:on 5:on 6:off acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off atd 0:off 1:off 2:on 3:on 4:on 5:on 6:off auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off autofs 0:off 1:off 2:on 3:on 4:on 5:on 6:off blk-availability 0:off 1:on 2:on 3:on 4:on 5:on 6:off certmonger 0:off 1:off 2:on 3:on 4:on 5:on 6:off cgconfig 0:off 1:off 2:on 3:on 4:on 5:on 6:off cgred 0:off 1:off 2:on 3:on 4:on 5:on 6:off cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off dnsmasq 0:off 1:off 2:on 3:on 4:on 5:on 6:off haldaemon 0:off 1:off 2:on 3:on 4:on 5:on 6:off ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off ipsec 0:off 1:off 2:on 3:on 4:on 5:on 6:off iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off irqbalance 0:off 1:off 2:on 3:on 4:on 5:on 6:off kdump 0:off 1:off 2:on 3:on 4:on 5:on 6:off lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off mcelogd 0:off 1:off 2:on 3:on 4:on 5:on 6:off mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off netconsole 0:off 1:off 2:on 3:on 4:on 5:on 6:off netfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off network 0:off 1:off 2:on 3:on 4:on 5:on 6:off nfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off nfslock 0:off 1:off 2:on 3:on 4:on 5:on 6:off ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off ntpdate 0:off 1:off 2:on 3:on 4:on 5:on 6:off numad 0:off 1:off 2:on 3:on 4:on 5:on 6:off oddjobd 0:off 1:off 2:on 3:on 4:on 5:on 6:off portreserve 0:off 1:off 2:on 3:on 4:on 5:on 6:off postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off pppoe-server 0:off 1:off 2:on 3:on 4:on 5:on 6:off psacct 0:off 1:off 2:on 3:on 4:on 5:on 6:off quota_nld 0:off 1:off 2:on 3:on 4:on 5:on 6:off rdisc 0:off 1:off 2:on 3:on 4:on 5:on 6:off restorecond 0:off 1:off 2:on 3:on 4:on 5:on 6:off rngd 0:off 1:off 2:on 3:on 4:on 5:on 6:off rpcbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off rpcgssd 0:off 1:off 2:on 3:on 4:on 5:on 6:off rpcsvcgssd 0:off 1:off 2:on 3:on 4:on 5:on 6:off rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off smartd 0:off 1:off 2:on 3:on 4:on 5:on 6:off sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off sssd 0:off 1:off 2:on 3:on 4:on 5:on 6:off svnserve 0:off 1:off 2:on 3:on 4:on 5:on 6:off sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off winbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off wpa_supplicant 0:off 1:off 2:on 3:on 4:on 5:on 6:off ypbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
开的服务这么多,这要是直接放到互联网怎么了得,所以我们第一步先把所有的服务统统关掉,第二步再把要必须保留的服务开启。
第一步,关掉系统所有的服务,这么多内容只能用循环脚本了,一条一条chkconfig service off 猴年马月去了,直接看命令:
我把所有开着的服务名称 通过awk取出来,再用for循环 chkconfig service off
[root@centos ~]# for n in `chkconfig --list | grep "3:on" | awk '{print $1}'`;do chkconfig $n off;done [root@centos ~]# chkconfig --list | grep 3:on [root@centos ~]# [root@centos ~]# [root@centos ~]# //这会儿发现服务都被我一下子kill掉了
这会儿问题来了,我们的服务器哪些服务必须保留呢?
- network提供网络的服务,服务器不上网怎么能行呢?
- crond时间计划任务服务,服务器日常的计划执行离不开这个服务
- sshd 我们需要通过ssh 才能远程连接到我们的Linux,总不能天天在idc机房拿kvm来工作吧
- rsyslog 服务器做了哪些事情都需要靠日志才能知道,rsyslog就是用来记录日志的,原来名字叫syslog
- sysstat 监控系统性能的服务,对服务器掌控怎么能离得了它,sar,mpstat,iostat,vmstat都是非常有用的工具,都在这个服务里面
总结一下,系统必须开启的服务有network,sshd,crond,rsyslog,sysstat五个
我们要做的是开启这些服务,然后验证收工,go...
[root@centos ~]# for n in crond sshd network rsyslog sysstat ;do chkconfig $n on ; done [root@centos ~]# chkconfig --list | grep 3:on crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off network 0:off 1:off 2:on 3:on 4:on 5:on 6:off rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off
另外一种思路:我把该留下的留下,其他全部干掉
直接给答案:
[root@centos ~]# chkconfig --list | grep 3:on | egrep -v "sshd|network|rsyslog|sysstat|crond" | awk '{print "chkconfig",$1,"off"}' chkconfig NetworkManager off chkconfig abrt-ccpp off chkconfig abrtd off chkconfig acpid off chkconfig atd off chkconfig auditd off chkconfig autofs off chkconfig blk-availability off chkconfig certmonger off chkconfig cgconfig off chkconfig cgred off chkconfig cpuspeed off chkconfig cups off chkconfig dnsmasq off chkconfig haldaemon off chkconfig ip6tables off chkconfig ipsec off chkconfig iptables off chkconfig irqbalance off chkconfig kdump off chkconfig lvm2-monitor off chkconfig mcelogd off chkconfig mdmonitor off chkconfig messagebus off chkconfig netconsole off chkconfig netfs off chkconfig nfs off chkconfig nfslock off chkconfig ntpd off chkconfig ntpdate off chkconfig numad off chkconfig oddjobd off chkconfig portreserve off chkconfig postfix off chkconfig pppoe-server off chkconfig psacct off chkconfig quota_nld off chkconfig rdisc off chkconfig restorecond off chkconfig rngd off chkconfig rpcbind off chkconfig rpcgssd off chkconfig rpcsvcgssd off chkconfig saslauthd off chkconfig smartd off chkconfig sssd off chkconfig svnserve off chkconfig udev-post off chkconfig winbind off chkconfig wpa_supplicant off chkconfig ypbind off
[root@centos ~]# chkconfig --list | grep 3:on | egrep -v "sshd|network|rsyslog|sysstat|crond" | awk '{print "chkconfig",$1,"off"}' | bash