
Linux basic optimization and hardening summary
Category: LINUX   Author: 码皇   Source: Internet



1. Switch the yum repository to a closer mirror

2. Disable SELinux

3. Disable iptables

4. Trim the services started at boot

5. Configure time synchronization

6. Tune kernel parameters

7. Set the character set (locale)

8. Limit shell history and set a terminal idle timeout

9. Add an ordinary user and log in with it instead of root

10. Raise the file-descriptor limit

11. Lock down critical files (chattr +i)

12. Hide the system's login banner information and set a warning message

13. Change the default port of the sshd service, forbid root from logging in remotely, and preferably make sshd listen only on the internal IP

14. Periodically clean junk files out of the mail spool directory so the disk does not run out of inodes

15. Set a password on the GRUB boot menu

16. Stop the host from answering ping

17. Apply patches and upgrade software with known vulnerabilities

The commands below target CentOS 6 (SysV init and chkconfig; the mirror file fetched later is Centos-6.repo). Items 11, 12 and 15 are listed but have no commands in this summary. Items 2 and 3 trade two defence layers for convenience: on any host that is reachable from outside, keep the firewall, and prefer SELinux "permissive" (denials logged, nothing blocked) over "disabled" while troubleshooting.

##stop unneeded services: everything that is on in runlevel 3 except the allowlist
##(review the generated commands before adding "|bash"; grep -Ev matches substrings, not whole service names)

chkconfig --list |grep 3:on|awk '{print $1}'|grep -Ev "sshd|network|rsyslog|crond|sysstat"|awk '{print "service " $1 " stop"}'|bash

##disable SELinux (the config change takes effect at the next boot; setenforce 0 only switches the running kernel to permissive, so getenforce prints Permissive until then)

sed -i 's#=enforcing#=disabled#g' /etc/selinux/config

grep SELINUX=disabled /etc/selinux/config

setenforce 0

getenforce

##stop and disable iptables
##(with no host firewall, every service not bound to 127.0.0.1 or the internal IP is reachable, which is why item 13 matters more if you do this)

/etc/init.d/iptables stop

chkconfig iptables off

##turn the same services off in chkconfig so they stay down after a reboot

chkconfig --list |grep 3:on|awk '{print $1}'|grep -Ev "sshd|network|rsyslog|crond|sysstat"|awk '{print "chkconfig " $1 " off"}'|bash

chkconfig --list|grep 3:on
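The two pipelines above feed generated commands straight into bash and match the allowlist as substrings, so "network" would also keep a service merely containing that word. The following is an added example, not code from the original page, that does the same job with whole-name matching and a reviewable dry run; the allowlist in KEEP and the chkconfig output are constructed for the demo and are assumptions, not captured from a real host.

```bash
#!/bin/bash
# Added example: build the "stop and disable" command list from
# `chkconfig --list` output with an exact-match allowlist and a dry run.

# Assumed allowlist; adjust it for the host's role.
KEEP="sshd network rsyslog crond sysstat"

# services_to_disable ALLOWLIST
#   Reads `chkconfig --list` output on stdin and prints the names of services
#   that are on in runlevel 3 and whose whole name is not in ALLOWLIST.
services_to_disable() {
    local keep=$1
    awk -v keep="$keep" '
        BEGIN { n = split(keep, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
        /3:on/ && !($1 in allow) { print $1 }
    '
}

# disable_commands: turns a service list (stdin) into the commands to run.
disable_commands() {
    awk '{ printf "service %s stop; chkconfig %s off\n", $1, $1 }'
}

# Constructed sample of `chkconfig --list` output (not from a real host).
SAMPLE_CHKCONFIG='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sysstat         0:off   1:on    2:on    3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# Dry run: read this output before letting it execute.
printf '%s\n' "$SAMPLE_CHKCONFIG" | services_to_disable "$KEEP" | disable_commands

# On a real host, once the list has been reviewed:
#   chkconfig --list | services_to_disable "$KEEP" | disable_commands | bash
```

The dry run on the sample prints stop/off commands for netfs, postfix, cups and iptables; bluetooth is skipped because it is already off in runlevel 3.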

##locale (LANG)

echo 'export LANG="en_US.UTF-8"' >> /etc/profile

export LANG="en_US.UTF-8"

source /etc/profile

##file descriptors (limits.conf covers PAM login sessions; the rc.local line only raises the limit for processes that rc.local itself starts afterwards)

echo '* - nofile 65535' >>/etc/security/limits.conf

echo "ulimit -SHn 65535" >> /etc/rc.local

##terminal idle timeout and shell history
##These are shell variables, so they belong in /etc/profile (as LANG does above); /etc/rc.local is an init script and is never sourced by user shells.
##Caveat: cutting history to 50 lines also discards evidence you would want after an incident; keep the timeout, but consider a large HISTSIZE plus HISTTIMEFORMAT instead.

echo 'export TMOUT=600' >> /etc/profile

echo 'export HISTSIZE=50' >> /etc/profile

echo 'export HISTFILESIZE=50' >> /etc/profile

##sshd hardening: fixed port, no root login, no empty passwords, no reverse DNS lookups, no GSSAPI
##(inserts the block at line 13 of the CentOS 6 default file and keeps a .ori backup; sshd uses the first occurrence of each directive, which is why inserting near the top works; change "Port 22" to the non-default port chosen for item 13)

sed -i.ori '13i Port 22\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\nGSSAPIAuthentication no' /etc/ssh/sshd_config

sed -i '/GSSAPIAuthentication yes/d' /etc/ssh/sshd_config

sshd -t && service sshd restart

##revert: allow root to log in over ssh again
##(PermitEmptyPasswords stays "no": that is the sshd default, and enabling it lets accounts with no password log in)

sed -i '13i Port 22\nPermitRootLogin yes\nPermitEmptyPasswords no\nUseDNS yes\nGSSAPIAuthentication yes' /etc/ssh/sshd_config

sshd -t && service sshd restart
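Inserting at a fixed line number breaks silently when the file is not the CentOS 6 default, and running it twice leaves two copies of every directive. Below is an added example, not code from the original page, that sets each directive idempotently (replace the first matching line, commented or not, drop later duplicates, append if absent) and can be re-run safely; the port 52113 and the sample config are assumptions chosen for the demo. One caveat: a directive that lives inside a "Match" block is treated like any other line.

```bash
#!/bin/bash
# Added example: idempotent sshd_config editing with a read-back check.

# set_sshd_option FILE KEY VALUE
#   Replaces the first line for KEY (commented out or not) with "KEY VALUE",
#   removes later duplicates, and appends the directive if it was absent.
set_sshd_option() {
    local file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" k "([ \t]|$)" }
        $0 ~ re {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# get_sshd_option FILE KEY: print the first effective (uncommented) value.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT: the directives the page sets, with the port
# as a parameter so item 13 (non-default port) is not forgotten.
harden_sshd_config() {
    local file=$1 port=$2
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PermitEmptyPasswords no
    set_sshd_option "$file" UseDNS no
    set_sshd_option "$file" GSSAPIAuthentication no
}

# Demo on a constructed config (not a real host's sshd_config).
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
#PermitRootLogin yes
GSSAPIAuthentication yes
GSSAPIAuthentication yes
UseDNS yes
X11Forwarding no
EOF
harden_sshd_config "$demo" 52113
cat "$demo"
rm -f "$demo"

# On a real host (assumed port 52113): back up, edit, syntax-check, restart,
# and keep the current session open until a login on the new port succeeds.
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.ori
#   harden_sshd_config /etc/ssh/sshd_config 52113 && sshd -t && service sshd restart
```

If iptables is still running, open the new port before restarting sshd; if the host is behind a cloud security group, adjust that too.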

##yum mirror (Aliyun, CentOS 6)

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo

##ordinary user with sudo (item 9)
##"123456" is a placeholder: set a real password. NOPASSWD:ALL makes this account equivalent to root with no second check, so drop NOPASSWD unless automation needs it, and prefer editing with visudo (or a file under /etc/sudoers.d) over appending to /etc/sudoers.

useradd syaving && echo 123456|passwd --stdin syaving

cp /etc/sudoers{,.ori}

echo "syaving ALL=(ALL) NOPASSWD:ALL">>/etc/sudoers

visudo -c

##NTP (cron runs ntpdate every five minutes; ntpdate steps the clock, so a running ntpd is the smoother choice on hosts whose logs or timers must stay monotonic)

echo '#time sync by syaving at 2016-8-8 ' >>/var/spool/cron/root

echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root

##kernel (TCP and conntrack tuning)
##Caveats: net.ipv4.tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12; the net.netfilter.* keys exist only while the nf_conntrack module is loaded, so with iptables stopped (above) sysctl -p reports them as missing; tcp_syn_retries=1 and tcp_synack_retries=1 suit a busy server on a clean LAN and make connections over lossy links fail early.

cat >>/etc/sysctl.conf<<EOF
net.ipv4.tcp_fin_timeout=2
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_keepalive_time=600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog= 16384
net.ipv4.tcp_max_tw_buckets=36000
net.ipv4.route.gc_timeout=100
net.ipv4.tcp_syn_retries=1
net.ipv4.tcp_synack_retries=1
net.core.somaxconn=16384
net.core.netdev_max_backlog=16384
net.ipv4.tcp_max_orphans=16384
net.netfilter.nf_conntrack_max=25000000
net.netfilter.nf_conntrack_tcp_timeout_established=180
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120
EOF

sysctl -p
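`sysctl -p` complains about every key the running kernel does not expose, which is exactly what happens with the `net.netfilter.*` keys when conntrack is not loaded, or with `tcp_tw_recycle` on a kernel that has dropped it, and the noise hides real typos. This added example, not part of the original page, filters a sysctl fragment down to the keys that exist under `/proc/sys` and reports the rest, before anything is applied; the fragment and the fake `/proc/sys` tree are constructed for the demo so it runs offline on any system.

```bash
#!/bin/bash
# Added example: apply only the sysctl keys the kernel actually exposes.

# filter_sysctl_present CONF [PROCSYS_ROOT]
#   Prints "key=value" for each line of CONF whose key exists as a file under
#   PROCSYS_ROOT (default /proc/sys); names the skipped keys on stderr.
filter_sysctl_present() {
    local conf=$1 root=${2:-/proc/sys} line key value path
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;                                   # blank or comment
            *=*) ;;                                                # key = value
            *) printf 'skip malformed line: %s\n' "$line" >&2; continue ;;
        esac
        key=${line%%=*}; key=${key//[[:space:]]/}                  # strip spaces around "="
        value=${line#*=}
        value=${value#"${value%%[![:space:]]*}"}                   # trim leading blanks
        value=${value%"${value##*[![:space:]]}"}                   # trim trailing blanks
        path=$root/$(printf '%s' "$key" | tr . /)                  # net.ipv4.x -> net/ipv4/x
        if [ -e "$path" ]; then
            printf '%s=%s\n' "$key" "$value"
        else
            printf 'skip %s: %s not present\n' "$key" "$path" >&2
        fi
    done < "$conf"
}

# apply_sysctl_present CONF: write the surviving keys with sysctl -w (real host only).
apply_sysctl_present() {
    filter_sysctl_present "$1" | while IFS= read -r kv; do
        sysctl -w "$kv"
    done
}

# make_fixture DIR: a constructed fragment (a subset of the page's settings)
# plus a fake /proc/sys tree that contains only three of its keys, standing in
# for a kernel without nf_conntrack loaded and without tcp_tw_recycle.
make_fixture() {
    local d=$1
    mkdir -p "$d/sys/net/ipv4" "$d/sys/net/core"
    : > "$d/sys/net/ipv4/tcp_syncookies"
    : > "$d/sys/net/ipv4/ip_local_port_range"
    : > "$d/sys/net/core/somaxconn"
    cat > "$d/sysctl.conf" <<'EOF'
# constructed fragment for the demo
net.ipv4.tcp_syncookies=1
net.ipv4.ip_local_port_range = 4000 65000
net.netfilter.nf_conntrack_max=25000000
net.core.somaxconn=16384
net.ipv4.tcp_tw_recycle=1
EOF
}

# Demo against the fake tree; on a real host use:
#   apply_sysctl_present /etc/sysctl.conf
d=$(mktemp -d)
make_fixture "$d"
filter_sysctl_present "$d/sysctl.conf" "$d/sys"
rm -rf "$d"
```

On the fixture the filter keeps tcp_syncookies, ip_local_port_range and somaxconn and reports nf_conntrack_max and tcp_tw_recycle as not present, which is the list you would then either drop from the fragment or fix by loading the module.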

##install handy tools and update everything (item 17)

yum install tree telnet dos2unix lrzsz openssh bash -y

yum upgrade -y

#periodically clean junk files out of the mail spool (item 14)
#(these pile up because cron mails job output to root; with postfix stopped above, the messages sit in maildrop forever. Redirecting job output, as the cron lines here do, or setting MAILTO="" in the crontab stops the growth at the source.)

find /var/spool/clientmqueue/ -type f |xargs rm -f    # CentOS 5: sendmail

find /var/spool/postfix/maildrop/ -type f |xargs rm -f    # CentOS 6: postfix

#put it in a script and schedule it

mkdir -p /service/scripts

echo "find /var/spool/postfix/maildrop/ -type f |xargs rm -f" >/service/scripts/del_file.sh

echo "00 00 * * * /bin/sh /service/scripts/del_file.sh >/dev/null 2>&1" >>/var/spool/cron/root

#stop answering ping (item 16; this only hides the host from casual ICMP sweeps, and it also breaks your own monitoring pings)

echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf

sysctl -p
