系統最佳化及安全

1、關閉不必要的服務

systemctl stop NetworkManager

systemctl disable NetworkManager

systemctl stop postfix

systemctl disable postfix

systemctl stop rpcbind

systemctl disable rpcbind

2、配置防火牆

#關閉firewalld

systemctl status firewalld

systemctl stop firewalld

systemctl disable firewalld

#配置iptables

yum install iptables-services -y

#新增防火牆規則,做白名單,根據環境放行ip訪問ssh埠22（僅新增 ACCEPT 規則不會阻擋其他來源；白名單需搭配 INPUT 鏈預設策略 DROP，或在其後加入拒絕規則才有效）

vi /etc/sysconfig/iptables

-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT

systemctl enable iptables.service

systemctl start iptables.service

3、關閉selinux（關閉 SELinux 會降低防護；若只是為了排錯，可改設 permissive 模式，仍保留稽核日誌）

sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config

setenforce 0

#最佳化ssh登入

sed -ri 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config

sed -ri 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config #解決系統登入慢

4、修改SSH埠（先在 iptables 放行新埠，並保留目前的 SSH 工作階段，確認新埠可連線後再重啟 sshd，避免被鎖在主機外）

sed -i 's/#Port 22/Port 10022/g' /etc/ssh/sshd_config #埠自己定

sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config #禁止空密碼帳戶登入伺服器

sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config

sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config #加速SSH登入

systemctl restart sshd

vi /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m tcp -p tcp --dport 10022 -j ACCEPT

5、配置yum源

cd /etc/yum.repos.d/

mkdir backup

mv *.repo backup/

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

yum clean all

yum makecache

6、安裝常用工具

yum install lrzsz wget vim net-tools gcc gcc-c++ curl telnet unzip -y

#安裝網路及效能監控工具

yum -y install telnet net-tools sysstat iftop lsof iotop htop dstat

#安裝bash命令tab自動補全元件

yum -y install bash-completion

#安裝原始碼編譯工具及開發元件

yum -y install cmake gcc gcc-c++ zlib zlib-devel openssl openssl-devel pcre pcre-devel curl

#安裝壓縮解壓工具

yum -y install zip unzip bzip2 gdisk

7、時間同步

yum install ntpdate -y

ntpdate time.windows.com

echo "*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1" >>/var/spool/cron/root

echo "*/20 * * * * /usr/sbin/ntpdate ntp.api.bz >/dev/null 2>&1" >> /var/spool/cron/root

#時間同步（ntpdate 的 cron 與 chronyd 擇一即可，兩者同時調整系統時間會互相干擾）

yum install chrony -y && systemctl enable chronyd && systemctl start chronyd

timedatectl set-timezone Asia/Shanghai && timedatectl set-ntp yes

8、修改檔案描述符

ulimit -SHn 65535

cat >> /etc/security/limits.conf <<EOF

* soft nproc 65535

* hard nproc 65535

* soft nofile 655350

* hard nofile 655350

EOF

sed -i 's#4096#65535#g' /etc/security/limits.d/20-nproc.conf

9、最佳化Linux核心引數（net.ipv4.ip_forward = 1 會讓主機轉發封包，只在需要路由或容器網路時開啟；net.ipv4.tcp_tw_reuse 依賴 tcp_timestamps，下方把 tcp_timestamps 設為 0 會使其失效）

cat >> /etc/sysctl.conf <<EOF

kernel.sysrq = 0

kernel.core_uses_pid = 1

kernel.msgmnb = 65536

kernel.msgmax = 65536

kernel.shmmax = 68719476736

kernel.shmall = 4294967296

net.core.wmem_default = 8388608

net.core.rmem_default = 8388608

net.core.rmem_max = 16777216

net.core.wmem_max = 16777216

net.core.netdev_max_backlog = 262144

net.core.somaxconn = 50000

net.ipv4.ip_forward = 1

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_max_orphans = 3276800

net.ipv4.tcp_max_syn_backlog = 262144

net.ipv4.tcp_timestamps = 0

net.ipv4.tcp_synack_retries = 1

net.ipv4.tcp_syn_retries = 1

net.ipv4.tcp_tw_recycle = 0

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_mem = 94500000 915000000 927000000

net.ipv4.tcp_max_tw_buckets = 50000

net.ipv4.tcp_sack = 1

net.ipv4.tcp_window_scaling = 1

net.ipv4.tcp_rmem = 4096 87380 4194304

net.ipv4.tcp_wmem = 4096 16384 4194304

net.ipv4.tcp_fin_timeout = 30

net.ipv4.tcp_keepalive_time = 1800

net.ipv4.ip_local_port_range = 1024 65535

vm.swappiness = 0

vm.min_free_kbytes = 524288

fs.inotify.max_user_instances = 8192

fs.inotify.max_user_watches = 262144

fs.file-max = 1048576

EOF

10、修改root帳戶密碼

echo '$adDF12B' |passwd --stdin root #密碼複雜化,最小8位,數字、字母大小寫、特殊字元組合（密碼含 $ 時須用單引號，雙引號會把 $adDF12B 當成變數展開成空字串；此命令也會留在 shell 歷史中）

11、遠端5分鐘無操作自動登出

vim /etc/profile

最後新增:

export TMOUT=300   # 5分鐘無操作自動登出（使用者可自行 unset TMOUT，如需強制可寫成 readonly TMOUT=300）

找到

HISTSIZE=1000

修改為:

HISTSIZE=100   # 減少日誌位元組為100KB,太大內容過多容易漏重要資訊。

12、禁止ping 使用者使用ping不做任何反映

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all   # 禁止ping

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all   # 解除禁止ping操作

13、防止DOS攻擊

vim /etc/security/limits.conf

加入以下配置:

* hard core 0

* hard rss 10000

* hard nproc 50

以上根據需求而定

14、註釋不需要的使用者和使用者組

vi /etc/passwd 註釋不需要的使用者,用"#"註釋,如下:

#games:x:12:100:games:/usr/games:/sbin/nologin

#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin

#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

#adm:x:3:4:adm:/var/adm:/sbin/nologin

#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

#sync:x:5:0:sync:/sbin:/bin/sync

#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

#halt:x:7:0:halt:/sbin:/sbin/halt

#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin

#operator:x:11:0:operator:/root:/sbin/nologin

vi /etc/group 註釋不需要的使用者組,如下:

#adm:x:4:root,adm,daemon

#lp:x:7:daemon,lp

#uucp:x:14:uucp

#games:x:20:

#dip:x:40:

#news:x:9:13:news:/etc/news

15、限制ip登陸

vi /etc/hosts.deny

sshd:ALL

vi /etc/hosts.allow

sshd:192.168.0.1:allow

16、檢視有登陸許可權的使用者

awk -F: '($7=="/bin/bash"){print $1}' /etc/passwd

awk -F: '($3==0)' /etc/passwd   # 檢視UID為0的帳號

awk -F: '($2=="")' /etc/shadow   # 檢視空口令帳號

17、對Linux使用者的登入及操作進行記錄(審計)（此方式依賴使用者 shell 的 PROMPT_COMMAND，使用者可自行解除，不具防竄改性；正式稽核請搭配 auditd）

1. 建立使用者審計檔案存放目錄和審計日誌檔案;

touch /var/log/Command_history.log

2. 將日誌檔案所有者設為一個最低許可權的使用者;

chown nobody.nobody /var/log/Command_history.log

3. 給該日誌檔案賦予所有人的寫許可權;

chmod 002 /var/log/Command_history.log

4. 設定檔案屬性,使所有使用者對該檔案只有追加許可權;

chattr +a /var/log/Command_history.log

5. 編輯/etc/profile檔案,新增如下指令碼命令;

export HISTORY_FILE=/var/log/Command_history.log

export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### USER:$USER IP:$SSH_CLIENT PS:$SSH_TTY ppid=$PPID pwd=$PWD #### $(history 1 | { read x cmd; echo "$cmd"; })";} >>$HISTORY_FILE'

6. 使配置生效

source /etc/profile

18、升級核心（安裝前先匯入 ELRepo 的 GPG 金鑰並保留 gpgcheck，確認套件簽章後再安裝）

wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-5.0.4-1.el7.elrepo.x86_64.rpm

wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-devel-5.0.4-1.el7.elrepo.x86_64.rpm

yum -y install kernel-ml-5.0.4-1.el7.elrepo.x86_64.rpm kernel-ml-devel-5.0.4-1.el7.elrepo.x86_64.rpm

rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-4.el7.elrepo.noarch.rpm

yum --enablerepo=elrepo-kernel install -y kernel-lt

rpm -qa | grep kernel

grub2-set-default 'kernel-lt-5.4.99-1.el7.elrepo.x86_64'

19、檢查指令碼執行使用者是否為root

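# Refuse to continue unless the script runs as root (uid 0): the steps above
# write under /etc and restart services, which would fail part-way otherwise.
# The original `[ $(id -u) !=0 ]` is broken: without a space `!=0` is a single
# word, so `[` sees two operands and reports "unary operator expected".
# Exit status 10 is kept so a wrapping script can tell this apart from other errors.
if [[ "$(id -u)" -ne 0 ]]; then
  # Same red ANSI message as before; printf interprets \033 itself, and the
  # diagnostic goes to stderr where it belongs.
  printf '\033[1;31m Error! You must be root to run this script! \033[0m\n' >&2
  exit 10
fi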