• Linux系统初始化配置项(centos7)


    主机刚安装完系统,会做一些配置上的优化。

    修改时区

      通过命令将时区设置为亚洲/上海。

    timedatectl set-timezone Asia/Shanghai
    #centos7
    
    cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
    #centos6

    关闭seLinux

      修改配置文件

    sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
    setenforce 0
    

    关闭防火墙

      生产环境中网络层面会做出一些限制,所以主机基本上不会设置防火墙策略。

    systemctl stop firewalld
    systemctl disable firewalld

    禁止IPV6登陆与修改网卡名称eth0

      修改网卡文件名,

    mv /etc/sysconfig/network-scripts/ifcfg-ens33 /etc/sysconfig/network-scripts/ifcfg-eth0
    

      修改系统grub参数,

    vim /etc/default/grub
    #修改以下参数
    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet net.ifnames=0 biosdevname=0 ipv6.disable=1"

      crashkernel=auto:为kdump预留的内存,

      net.ifnames=0 biosdevname=0:修改网卡为eth0

      ipv6.disable=1:禁止IPV6

    grub2-mkconfig -o /boot/grub2/grub.cfg
    #重新生成GRUB配置并更新内核,重启后才能生效

      重启后ip a查看,网卡名已变为eht0

    用户登陆密码设置

    vim /etc/login.defs
    #修改以下参数
      PASS_MAX_DAYS 90
      PASS_MIN_DAYS   0
      PASS_MIN_LEN 15
      PASS_WARN_AGE 15
    

    添加密码强度策略

    vim /etc/pam.d/system-auth
    #添加以下策略
        password requisite pam_pwquality.so try_first_pass local_users_only retry=3  minlen=15 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2
    

      retry=3设置新密码时,有三次机会输入;minlen最小长度,lcredit小写字母,ucredit大写字母,dcredit数字,ocredit特殊字符,-2不少于两位。

    限制普通用户su权限

    vim /etc/pam.d/su
    #添加以下策略
      auth    required    pam_wheel.so use_uid
    

      只允许wheel组的用户可以使用su命令,可以把允许使用su的用户的附加组指定为wheel。

    密码错误锁定

    vim /etc/pam.d/sshd
    #添加以下策略
      auth required pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=300
    

      普通用户登陆密码错误5次,则用户锁定600秒;root用户则锁定300秒。

    设置会话超时时间

    vim /etc/profile
    #添加以下策略
      export TMOUT=1800

    优化ssh服务

    vim /etc/ssh/sshd_config
    #修改以下参数
      Port 22
      Port 1022    #添加备用端口
      PermitRootLogin no    #禁止Root直接登陆
      MaxAuthTries 6    #可以限制密码暴力破解攻击
      GSSAPIAuthentication no
      UseDNS no    #禁止DNS解析主机名

    #修改完重启服务
    systemctl restart sshd

    禁止热键关机

      删除配置文件/usr/lib/systemd/system/ctrl-alt-del.target即可

    rm -f /usr/lib/systemd/system/ctrl-alt-del.target

    禁止yum 升级内核参数

      内核升级有时候会出现不可意料的错误,一般情况不建议升级内核;

    vim /etc/yum.conf
    #添加以下策略
      exclude=kernel*

    优化ulimit

      limits.conf文件是pam_limits.so的配置文件,对系统访问资源做出保护性限制,限制用户最大文件和进程数;

      编辑配置文件

    vim /etc/security/limits.conf  
    #添加一下内容
      * soft nofile 655350
      * hard nofile 655350
      * soft nproc 655360
      * hard nproc 655360
      zf soft nofile 655350
      zf hard nofile 655350
      zf soft nproc 655360
      zf hard nproc 655360

    优化内核参数

      sysctl -p 重新加载系统参数

    vim /etc/sysctl.conf
    #添加以下内容
      net.ipv4.tcp_max_tw_buckets = 6000
      #允许TIME-WAIT套接字数量的最大值。超过些数字,TIME-WAIT套接字将立刻被清除同时打印警告信息。默认是180000,过多的TIME-WAIT套接字会使webserver变慢
    
      net.core.netdev_max_backlog = 65535
      #每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许发送到队列的数据包的最大数目
    
      net.core.somaxconn = 65535
      #该参数用于调节系统同时发起的TCP连接数,该默认值较小,肯那个导致连接超时或重传问题
    
      net.ipv4.tcp_timestamps = 0
      #该参数用于设置时间戳,可以避免序列号的卷绕。一个1Gbps的链路肯定会遇到以前用过的序列号。时间戳能够让内核接受这种“异常”的数据包
    
      net.ipv4.tcp_synack_retries = 1
      #该参数用于设置内核放弃TCP连接之前向客户端发送SYN+ACK包的数量。
    
      net.ipv4.tcp_syn_retries = 1
      #该参数的作用与上一个参数类似,设置内核放弃建立连接之前发送SYN包的数量
    
      net.ipv4.tcp_tw_reuse = 1
      #1代表允许将状态为TIME-WAIT状态的socket连接重新用于新的连接。
    
      net.ipv4.tcp_fin_timeout = 15
      #当服务器主动关闭链接时,socket保持FN-WAIT-2状态的最大时间
    
      net.ipv4.tcp_keepalive_time = 30
      #当keepalive启用时,TCP发送keepalive消息的频率。默认是2个小时。将其调小一些,可以更快的清除无用的连接
    
      net.ipv4.ip_local_port_range = 10240    65000
      #UDP和TCP连接中本地端口(不包括连接的远端)的取值范围
    
      net.ipv4.tcp_tw_recycle = 1
      #允许将TIME-WAIT sockets重新用于新的TCP连接
    
      net.ipv4.tcp_max_tw_buckets = 20000
      #容纳TIME_WAIT状态的连接数,如果超过,则立即销毁TIME_WAIT套接字
    

     初始化脚本

      此脚本只能用于centos7,测试机器为centos7.4最小化安装,脚本没有问题,但如使用需要对time_zone、ssh_conf等模块根据实际修改。

    #!/bin/bash
    #
    ### system release ###
    system_check(){
        RELEASE=`cat /etc/redhat-release |awk '{print $(NF-1)}' | awk -F. '{print $1}'`
        USER=`whoami`
        if [ $RELEASE -eq 7 ];then
            echo -e "33[34m system check completed 33[0m"
        else
            echo -e "33[31m this script only support centos7 system 33[0m"
            exit 1
        fi
        if [ $USER != 'root' ];then
            echo -e "33[31m the current user is not "root" 33[0m"
            exit 1
        fi
    }
    ### install package ###
    yum_install(){
        PACKAGE="ntpdate wget bc vim gcc gcc-c++ openssl openssl-devel lrzsz pcre-devel sysstat iftop lsof tcpdump telnet nmap traceroute net-tools"
        yum install -y $PACKAGE 1>/dev/null 2>&1
        echo -e "33[34m package install completed 33[0m"
    }
    ### time zone ###
    time_zone(){
        NTP_PATH=`which ntpdate`
        if [ `date +%z` != '+0800' ];then
            timedatectl set-timezone Asia/Shanghai
            if [ `date +%z` == '+0800' ];then
                echo -e "33[34m timezone set completed 33[0m"
            else
                echo -e "33[31m timezone set failed 33[0m"
            fi
        fi
        grep ntpserver /etc/hosts || echo "X.X.X.X ntpserver">>/etc/hosts
        grep ntpserver /var/spool/cron/root || echo "10 * * * * ${NTP_PATH} ntpserver" >>/var/spool/cron/root
        $NTP_PATH ntpserver &> /dev/null && echo -e "33[34m time sync completed 33[0m" || echo -e "33[31m time sync failed 33[0m"
    }
    
    ### disable selinux ###
    disable_selinux(){
        FILE="/etc/selinux/config"
        BACKUP="/etc/selinux/config.$DATE"
        if [ ! -f $BACKUP ];then
            cp $FILE $BACKUP
        fi
        setenforce 0
        sed -i 's/SELINUX=enforcing/SELINUX=disabled/' $FILE
        grep 'SELINUX=disabled' $FILE && echo -e "33[34m disable selinux completed 33[0m" || echo -e "33[31m disable selinux failed 33[0m"
    }
    ### disable firewalld ###
    disable_firewalld(){
        systemctl stop firewalld
        systemctl disable firewalld &>/dev/null
        if [ `systemctl is-enabled firewalld` == 'disabled' ];then
            echo -e "33[34m disable firewalld completed 33[0m"
        else
            echo -e "33[31m disable firewalld failed 33[0m"
        fi
    }
    ### ban ipv6 and modify eth0 ###
    #modify_grub(){
    #    FILE="/etc/default/grub"
    #    BACKUP="/tmp/grub.$DATE"
    #    DEFUALT_PARAMS=`grep "GRUB_CMDLINE_LINUX" $FILE | awk -F" '{print $2}'`
    #    REPLACE_PARAMS="GRUB_CMDLINE_LINUX="$DEFUALT_PARAMS crashkernel=auto net.ifnames=0 biosdevname=0 ipv6.disable=1""
    #    cp $FILE $BACKUP
    #    sed -i 's/GRUB_CMDLINE_LINUX.*/'$REPLACE_PARAMS'/g' $FILE
    #    grep 'net.ifnames=0 biosdevname=0 ipv6.disable=1' $FILE && echo -e "33[34m modify grub completed 33[0m" || echo -e "33[31m modify grub failed 33[0m"
    #    grub2-mkconfig -o /boot/grub2/grub.cfg &>dev/null
    #    mv /etc/sysconfig/network-scripts/ifcfg-ens* /etc/sysconfig/network-scripts/ifcfg-eth0
    #}
    ### password expiry ###
    passwd_expiry(){
        FILE="/etc/login.defs"
        BACKUP="/etc/login.defs.$DATE"
        cp $FILE $BACKUP
        sed -i 's/PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/g' $FILE
        sed -i 's/PASS_MIN_DAYS.*/PASS_MIN_DAYS 0/g' $FILE
        sed -i 's/PASS_MIN_LEN.*/PASS_MIN_LEN 15/g' $FILE
        sed -i 's/PASS_WARN_AGE.*/PASS_WARN_AGE 15/g' $FILE
        echo -e "33[34m passwd expiry modify completed 33[0m"
    }
    ### password complex ###
    paawd_complex(){
        FILE="/etc/pam.d/system-auth"
        BACKUP="/etc/pam.d/system-auth.$DATE"
        cp $FILE $BACKUP
        sed -i 's/.*pam_pwquality.so.*try_first_pass.*/password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 minlen=15 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2/g' $FILE
        echo -e "33[34m passwd complex set completed 33[0m"
    }
    ### password lock ###
    passwd_lock(){
        FILE="/etc/pam.d/sshd"
        BACKUP="/etc/pam.d/sshd.$DATE"
        cp $FILE $BACKUP
        sed    -i '1aauth required pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=300' $FILE
        grep 'pam_tally2.so' $FILE && echo -e "33[34m passwd lock set completed 33[0m" || echo -e "33[31m passwd lock set failed 33[0m"
    }
    ### ban user su ###
    user_su(){
        FILE="/etc/pam.d/su"
        BACKUP="/etc/pam.d/su.$DATE"
        cp $FILE $BACKUP
        sed -i 's#/sbin:/bin:/usr/sbin:/usr/bin#/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin#' /etc/sudoers
        sed -i 's/^%wheel	ALL=(ALL).*/%wheel	ALL=(ALL)	NOPASSWD: ALL/g' /etc/sudoers
        sed -i '/pam_wheel.so use_uid/aauth		required	pam_wheel.so use_uid' $FILE
        grep '^auth.*use_uid' $FILE && echo -e "33[34m ban su set completed 33[0m" || echo -e "33[31m ban su set failed 33[0m"
    }
    ### timeout time ###
    timeout(){
        FILE="/etc/profile"
        echo "export TMOUT=1800" >> $FILE
        source $FILE
        grep "TMOUT=1800" $FILE && echo -e "33[34m timeout set completed 33[0m" || echo -e "33[31m timeout set failed 33[0m"
    }
    ### set ssh ###
    ssh_conf(){
        FILE="/etc/ssh/sshd_config"
        BACKUP="/etc/ssh/sshd_config.$DATE"
        cp $FILE $BACKUP
        sed -i '/^#Port 22/aPort 22
    Port 1022' $FILE
        sed -i '/^#PermitRootLogin.*/aPermitRootLogin no' $FILE
        sed -i 's/^GSSAPIAuthentication.*/GSSAPIAuthentication no/g' $FILE
        sed -i '/^#UseDNS/aUseDNS no' $FILE
        systemctl reload sshd
        echo -e "33[34m ssh set completed 33[0m"
    }
    ### hotkey reboot ###
    hotkey_reboot(){
        FILE="/usr/lib/systemd/system/ctrl-alt-del.target"
        BACKUP="/usr/lib/systemd/system/ctrl-alt-del.target.default"
        mv $FILE $BACKUP
        ls /usr/lib/systemd/system/ctrl-alt-del.target &>/dev/null && echo -e "33[31m hotkey set failed 33[0m" || echo -e "33[34m hotkey set completed 33[0m"
    }
    ### ban kernel update ###
    kernel_update(){
        FILE="/etc/yum.conf"
        BACKUP="/etc/yum.conf.$DATE"
        cp $FILE $BACKUP
        sed -i '/[main]/aexclude=kernel*' $FILE
        grep 'exclude=kernel' $FILE && echo -e "33[34m ban kernel update completed 33[0m" || echo -e "33[31m ban kernel update failed 33[0m"
    }
    ### set ulimit ###
    set_ulimit(){
        FILE="/etc/security/limits.conf"
        BACKUP="/etc/security/limits.conf.default"
        mv $FILE $BACKUP  
        cat >> $FILE << EOF
    * soft nofile 655350
    * hard nofile 655350
    * soft nproc 655360
    * hard nproc 655360
    zf soft nofile 655350
    zf hard nofile 655350
    zf soft nproc 655360
    zf hard nproc 655360
    EOF
        egrep -v "^#|^$" $FILE
        echo -e "33[34m unlimit set completed 33[0m"
    }
    ### kernel params ###
    kernel_params(){
        FILE="/etc/sysctl.conf"
        BACKUP="/etc/sysctl.conf.default"
        cp $FILE $BACKUP
        cat >> $FILE <<EOF
    net.ipv4.tcp_max_tw_buckets = 6000
    net.core.netdev_max_backlog = 65535
    net.core.somaxconn = 65535
    net.ipv4.tcp_timestamps = 0
    net.ipv4.tcp_synack_retries = 1
    net.ipv4.tcp_syn_retries = 1
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_fin_timeout = 15
    net.ipv4.tcp_keepalive_time = 30
    net.ipv4.ip_local_port_range = 10240    65000
    ###增加回收机制
    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.tcp_max_tw_buckets = 20000
    EOF
        egrep -v "^#|^$" $FILE 
        echo -e "33[34m kernel params set completed 33[0m"
    }
    ### host user ###
    user_create(){
        useradd -G wheel sadmin
        echo "123456" | passwd sadmin --stdin
        useradd zf
        echo "123456" | passwd zf --stdin
        chage -M 99999 sadmin
    }
    main(){
        system_check
        yum_install
        time_zone
        disable_selinux
        disable_firewalld
        passwd_expiry
        paawd_complex
        passwd_lock
        user_su
        timeout
        ssh_conf
        hotkey_reboot
        kernel_update
        set_ulimit
        kernel_params
        user_create
    }
    ### excute mian ###
    DATE=`date +%F`
    main  
  • 相关阅读:
    LVS/NAT 配置
    LVS 介绍
    Nagios 服务安装
    Mysql 主从复制搭建
    GitHub托管BootStrap资源汇总
    基于bootstrap的datatable控件
    微信在线客服系统-微信公众平台开发
    UI Prototype Design IDE( 界面原型设计工具 )
    vlc多功能播放器
    javaC#php主流语言实现FMS流媒体传输协议RTMP的开源组件
  • 原文地址:https://www.cnblogs.com/houyongchong/p/10097222.html
Copyright © 2020-2023  润新知