一 系统初始化标签:初始化,1net,CentOS,tcp,手册,etc,ipv4,HISTDIR,swap From: https://blog.51cto.com/zzzhao/6132701
操作系统版本为:CentOS_x86-x64 7.4.1708
1 配置域名解析
cat >>/etc/resolv.conf << EOF
nameserver 202.106.0.20
EOF
2 基础库安装
yum -y install wgetsysstat bind-utils httpd-tools lsof lrzsz curl gcc gcc-c++ ntp bzip2 treetraceroute nmap unzip openssh-clients dmidecode hdparm pciutils man autoconfparted
3 配置国内yum源
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all
yum makecache
4 配置时间同步
/usr/sbin/ntpdate cn.pool.ntp.org
echo "* 4 * * */usr/sbin/ntpdate cn.pool.ntp.org > /dev/null 2>&1" >>/var/spool/cron/root
systemctl enab crond.service
systemctl enable crond.service
5 设置最大打开文件描述符数
echo "ulimit -cunlimited" >> /etc/profile
echo "ulimit -sunlimited" >> /etc/profile
echo "ulimit-SHn 102400" >> /etc/profile
source /etc/profile
cat >>/etc/security/limits.conf << EOF
* soft nofile 655350
* hard nofile 655350
EOF
6 禁用SElinux
sed -i's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
7 关闭防火墙
systemctl disable firewalld.service
systemctl stop firewalld.service
8 加固ssh
Port 30158
PermitRootLogin no
LoginGraceTime 60
AllowUsers opdfq
PermitEmptyPasswordsno
UsePAM no
X11Forwarding no
UseDNS no
GSSAPIAuthenticationno
Protocol 2
MaxAuthTries 6
MaxSessions 3
systemctl restart sshd.service
9 内核参数优化
cat >>/etc/sysctl.conf << EOF
vm.overcommit_memory= 1
net.ipv4.tcp_fin_timeout= 30
net.ipv4.tcp_keepalive_time= 1200
net.ipv4.tcp_mem =94500000 915000000 927000000
net.ipv4.tcp_syncookies= 1
net.ipv4.tcp_tw_reuse= 1
net.ipv4.tcp_tw_recycle= 1
net.ipv4.tcp_timestamps= 0
net.ipv4.tcp_synack_retries= 1
net.ipv4.tcp_syn_retries= 1
net.ipv4.tcp_abort_on_overflow= 0
net.core.rmem_max =16777216
net.core.wmem_max =16777216
net.core.netdev_max_backlog= 262144
net.ipv4.tcp_max_orphans= 3276800
net.ipv4.tcp_max_syn_backlog= 262144
net.core.wmem_default= 8388608
net.core.rmem_default= 8388608
net.ipv4.ip_local_port_range= 1024 65535
net.ipv6.conf.all.disable_ipv6= 1
net.ipv6.conf.default.disable_ipv6= 1
net.ipv4.ip_forward =1
fs.file-max=6553560
EOF
/sbin/sysctl -p
10 配置管理用户
useradd herlly
echo “Asdf1234” |passwd –stdin herlly
cat >>/etc/sudoers <<EOF
herlly ALL=(ALL) NOPASSWD:ALL,!/usr/bin/passwd,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root
EOF
vi /etc/pam.d/sshd
auth requiredpam_listfile.so item-user sense=allow file=/etc/sshusers onerr=fail
cat>>/etc/sshusers <<EOF
herlly
EOF
11 配置命令记录
echo '' >>/etc/profile
cat >>/etc/profile <<EOF
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 102400
USER_IP=`who -u am i2>/dev/null |awk '{print $NF}' |sed -e 's/[()]//g'`
HISTDIR=/usr/share/.history
if [ -z $USER_IP];then
USER_IP=`hostname`
fi
if [ ! -d $HISTDIR];then
mkdir -p $HISTDIR
chmod 777 $HISTDIR
fi
if [ ! -d $HISTDIR/${LOGNAME} ];then
mkdir -p $HISTDIR/${LOGNAME}
chmod 300 $HISTDIR/${LOGNAME}
fi
export HISTSIZE=4000
DT=`date+%Y%m%d-%H%m%S`
export HISTFILE="$HISTDIR/${LOGNAME}/${USER_IP}.history.$DT"
export HISTTIMEFORMAT="%F %T `whoami` "
chmod 600 $HISTDIR/${LOGNAME}/*.history* 2>/dev/null
12 更新软件并重启
yum -y update
13 备注命令
检查是否存在空口令账号
awk -F: '($2 =="") { print $1 }' /etc/shadow
检查除了root账号意外是否存在其他账号的UID为0
awk -F: '($3 == 0) {print $1 }' /etc/passwd
增加swap分区
free -m
dd if=/dev/zeroof=/var/swap bs=1024M count=16
mkswap /var/swap
swapon /var/swap
cat >>/etc/fstab <<EOF
/var/swap swap swapdefaults 0 0
EOF
关闭swap分区
swapoff /var/swap
rm /var/swap
清除/etc/fstab 中的swap配置
查看进程数
netstat -n | awk'/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'