Loading
0

linux基础优化与安全小结

1、调整yum安装源
2、关闭selinux
3、关闭iptables
4、精简开机自启动服务
5、配置时间同步
6、内核调整
7、调整字符集
8、调整历史记录以及终端超时
9、增加用户,使用普通用户登录
10、调整文件描述符
11、锁定关键文件
12、隐藏系统登录信息,设置提示信息
13、更改默认的远程连接ssd服务端口,禁止root用户远程连接,甚至要更改ssh服务只监听内网ip
14、定时自动清理邮件临时目录垃圾文件,防止磁盘的inodes数被占满
15、为grub引导菜单加密码
16、禁止主机被ping
17、打补丁并升级有已知漏洞的软件

##close service

chkconfig --list |grep 3:on|awk '{print $1}'|grep -Ev "sshd|network|rsyslog|crond|sysstat"|awk '{print "service " $1 " stop"}'|bash
##close enforce
sed -i 's#=enforcing#=disabled#g'  /etc/selinux/config
grep SELINUX=disabled /etc/selinux/config
setenforce 0
getenforce
##close iptables
/etc/init.d/iptables stop
/etc/init.d/iptables stop
chkconfig iptables off
##change chkconfig
chkconfig --list |grep 3:on|awk '{print $1}'|grep -Ev "sshd|network|rsyslog|crond|sysstat"|awk '{print "chkconfig " $1 " off"}'|bash
chkconfig --list|grep 3:on
##LANG
echo 'export LANG="en_US.UTF-8"' >> /etc/profile
export LANG="en_US.UTF-8"
source /etc/profile
##ulimit
echo '*- nofile 65535' >>/etc/security/limits.conf
echo "ulimit -SHn 65535" >> /etc/rc.local
##时间超时  历史纪录
echo 'export  TMOUT=600' >> /etc/rc.local
echo 'export  HISTSIZE=50' >> /etc/rc.local
echo 'export  HISTFILESIZE=50' >> /etc/rc.local
##ssh 禁止ssh远程登陆
sed -i.ori '13i Port 22\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\nGSSAPIAuthentication no' /etc/ssh/sshd_config
sed -i '/GSSAPIAuthentication yes/d' /etc/ssh/sshd_config
service sshd restart
##允许ssh远程 登录
sed -i '13i Port 22\nPermitRootLogin yes\nPermitEmptyPasswords yes\nUseDNS yes\nGSSAPIAuthentication yes' /etc/ssh/sshd_config
service sshd restart
##yum
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
##sudo
useradd syaving && echo 123456|passwd --stdin syaving;
\cp /etc/sudoers{,.ori}
echo "syaving  ALL=(ALL)  NOPASSWD:ALL">>/etc/sudoers
visudo -c

##NTP
echo '#time sync by syaving at 2016-8-8 ' >>/var/spool/cron/root
echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/roo
##kenel
cat >>/etc/sysctl.conf<<EOF
net.ipv4.tcp_fin_timeout=2
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_keepalive_time=600
net.ipv4.ip_local_port_range = 4000  65000
net.ipv4.tcp_max_syn_backlog= 16384
net.ipv4.tcp_max_tw_buckets=36000
net.ipv4.route.gc_timeout=100
net.ipv4.tcp_syn_retries=1
net.ipv4.tcp_synack_retries=1
net.core.somaxconn=16384
net.core.netdev_max_backlog=16384
net.ipv4.tcp_max_orphans=16384
net.nf conntrack max=25000000
net.netfilter.nf_conntrack_max=25000000
net.netfilter.nf_conntrack_tcp_timeout_established=180
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120EOF
sysctl -p
##update
yum install tree telnet dos2unix lrzsz openssh bash -y
yum upgrade -y
#定时清理邮件临时目录垃圾文件
find /var/spool/clientmqueue/ -type f |xargs rm -f       C5的sendmail服务
find /var/spool/postfix/maildrop/ -type f |xargs rm -f   C6的postfix服务
#创建脚本加入定时任务
mkdir -p /service/scriptsecho "find /var/spool/postfix/maildrop/ -type f |xargs rm -f" >/service/scripts/del_file.sh
echo "00 00 * * * /bin/sh /service/scripts/del_file.sh >/dev/null 2>&1" >>/var/spool/cron/root

#禁止被ping
echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf
sysctl -p

【声明】:8090安全小组门户(https://www.8090-sec.com)登载此文出于传递更多信息之目的,并不代表本站赞同其观点和对其真实性负责,仅适于网络安全技术爱好者学习研究使用,学习中请遵循国家相关法律法规。如有问题请联系我们,联系邮箱hack@ddos.kim 或 hack@ddos.social,我们会在最短的时间内进行处理。