1、关闭不必要的服务
# Step 1: stop and disable services this host does not need.
# Same order as the original list: NetworkManager, postfix, rpcbind — each
# one is stopped first and then disabled.
# NOTE(review): stopping NetworkManager assumes the interfaces are managed by
# the legacy network scripts; confirm before running this over SSH.
for svc in NetworkManager postfix rpcbind; do
  systemctl stop "$svc"
  systemctl disable "$svc"
done
2、配置防火墙
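# Step 2: replace firewalld with iptables-services and whitelist SSH.
# Typo fixed: the original rule ended in "-j ACCPET", which iptables rejects,
# so the whitelist would never have loaded.

# Turn firewalld off so it does not fight the iptables service.
systemctl status firewalld
systemctl stop firewalld
systemctl disable firewalld

# Classic iptables service; rules are persisted in /etc/sysconfig/iptables.
yum install iptables-services -y
systemctl enable iptables.service
systemctl start iptables.service

# Whitelist: allow SSH (22/tcp) only from the admin network — adjust the
# source range to your environment.
# Inserted with -I rather than appended: the stock ruleset shipped by
# iptables-services ends in a REJECT rule, so an ACCEPT appended after it
# would never be reached. Manual equivalent: put the line
#   -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
# in /etc/sysconfig/iptables above the REJECT line.
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
# Persist the running rules so they survive a restart / reboot.
service iptables save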
3、关闭selinux
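# Step 3: disable SELinux and trim sshd options that slow down logins.
# NOTE(review): disabling SELinux removes a mandatory-access-control layer;
# if it must be relaxed, "permissive" keeps the audit trail. Kept as the
# author intended, but worth reconsidering.
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
# Switch the running kernel to permissive. setenforce returns non-zero when
# SELinux is already disabled; do not let that abort a script under set -e.
setenforce 0 || true

# sshd login-speed tweaks (the same edits are repeated in step 4).
sed -ri 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config
# UseDNS no avoids the slow reverse-DNS lookup at login.
sed -ri 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config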
4、修改SSH端口
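# Step 4: move sshd to a non-default port and harden a few options.
# The port (10022) is the author's example; pick your own. The stray
# trailing '"' on the original firewall rule is dropped.
# Ordered to avoid locking yourself out: open the firewall port first,
# validate the config, and only then restart sshd.

# Open the new port and persist it (manual alternative: add the rule to
# /etc/sysconfig/iptables above the REJECT line).
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 10022 -j ACCEPT
service iptables save

sed -i 's/#Port 22/Port 10022/g' /etc/ssh/sshd_config
# Refuse logins for accounts with an empty password.
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config
# Faster logins (no reverse DNS).
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
# NOTE(review): with SELinux enforcing, sshd cannot bind 10022 until the port
# is labelled (semanage port -a -t ssh_port_t -p tcp 10022); step 3 disables
# SELinux, which is why the original gets away without it.
# Validate before restarting — a broken sshd_config would otherwise leave the
# host unreachable.
if sshd -t; then
  systemctl restart sshd
else
  printf 'sshd_config failed validation; sshd was not restarted\n' >&2
fi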
5、配置yum源
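# Step 5: switch the yum repositories to the Aliyun mirror.
# NOTE(review): the .repo files are fetched over plain http, i.e. without
# authentication; package signatures are still verified only if gpgcheck=1
# and the CentOS/EPEL keys are present — check the downloaded files.
cd /etc/yum.repos.d/ || exit 1   # never run the mv below from the wrong directory
mkdir -p backup                  # -p: safe on re-runs
mv -- *.repo backup/
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all
yum makecache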
6、安装常用工具
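# Step 6: common tooling.
# NOTE(review): compilers and telnet on a hardened server are a trade-off;
# many baselines keep build toolchains off production hosts.
yum install lrzsz wget vim net-tools gcc gcc-c++ curl telnet unzip -y
# Network and performance monitoring tools.
yum -y install telnet net-tools sysstat iftop lsof iotop htop dstat
# Bash tab completion.
yum -y install bash-completion
# Build toolchain and development headers.
# Package names fixed: the original read "zib" and "openopenssl-devel" and
# carried a stray trailing '"', which yum would have rejected.
yum -y install cmake gcc gcc-c++ zlib zlib-devel openssl openssl-devel pcre pcre-devel curl
# Archive tools.
yum -y install zip unzip bzip2 gdisk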
7、时间同步
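# Step 7: time synchronisation.
# Quoting fixed: the original wrote echo ""…"", so the '*' fields were
# globbed against the current directory and ">/dev/null 2>&1" redirected
# echo itself instead of being written into the cron line.
yum install ntpdate -y
ntpdate time.windows.com
# Cron entries written straight into root's spool, guarded so re-running the
# script does not append duplicates (2>/dev/null: the spool may not exist yet).
# NOTE(review): stepping the clock from cron fights chronyd below; in
# practice keep one of the two mechanisms.
cron_ntp1='*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1'
cron_ntp2='*/20 * * * * /usr/sbin/ntpdate ntp.api.bz >/dev/null 2>&1'
grep -qF -- "$cron_ntp1" /var/spool/cron/root 2>/dev/null || printf '%s\n' "$cron_ntp1" >> /var/spool/cron/root
grep -qF -- "$cron_ntp2" /var/spool/cron/root 2>/dev/null || printf '%s\n' "$cron_ntp2" >> /var/spool/cron/root

# chrony as the persistent time service, plus timezone.
yum install chrony -y && systemctl enable chronyd && systemctl start chronyd
timedatectl set-timezone Asia/Shanghai && timedatectl set-ntp yes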
8、修改文件描述符
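# Step 8: raise the open-file and process limits.
# ulimit only affects the current shell; the persistent values go to
# limits.conf. Guarded so a re-run does not append the same lines again.
ulimit -SHn 65535
if ! grep -q '^\* hard nofile 655350$' /etc/security/limits.conf; then
  cat >> /etc/security/limits.conf <<'EOF'
* soft nproc 65535
* hard nproc 65535
* soft nofile 655350
* hard nofile 655350
EOF
fi
# Files in limits.d are read after limits.conf; 20-nproc.conf ships a
# "nproc 4096" entry that would otherwise override the value above.
# NOTE(review): step 13 later adds "* hard nproc 50", which conflicts with
# the 65535 set here — apply one or the other.
sed -i 's#4096#65535#g' /etc/security/limits.d/20-nproc.conf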
9、优化Linux内核参数
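# Step 9: kernel tuning via /etc/sysctl.conf, then apply it.
# Whitespace restored in the multi-value keys (tcp_mem, tcp_rmem, tcp_wmem,
# ip_local_port_range), which were run together in the original; "sysctl -p"
# added so the values take effect without a reboot. Guarded against
# appending the block twice.
# NOTE(review) on individual keys:
#  - net.ipv4.ip_forward=1 turns the host into a router; keep 0 unless it
#    really forwards traffic (containers, VPN).
#  - net.ipv4.tcp_timestamps=0 removes PAWS/RTT estimation; the usual
#    motivation is hiding uptime — a trade-off, not a pure hardening win.
#  - net.ipv4.tcp_tw_recycle was removed in Linux 4.12; on the 5.x kernel
#    from step 18 sysctl -p reports it as unknown (non-fatal, value is 0).
#  - vm.swappiness=0 on current kernels means no swapping until memory is
#    nearly exhausted; OOM kills become more likely.
#  - only conf.default.rp_filter / accept_source_route are set, so
#    interfaces that already exist keep their current values.
if ! grep -q '^net.ipv4.tcp_max_tw_buckets = 50000$' /etc/sysctl.conf; then
  cat >> /etc/sysctl.conf <<'EOF'
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 50000
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_tw_buckets = 50000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.ip_local_port_range = 1024 65535
vm.swappiness = 0
vm.min_free_kbytes = 524288
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 262144
fs.file-max = 1048576
EOF
fi
sysctl -p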
10、修改root帐户密码
echo"$adDF12B"|passwd--stdinroot#密码复杂化,最小8位,数字、字母大小写、特殊字符组合
11、远程5分钟无操作自动注销
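# Step 11: auto-logout idle sessions after 5 minutes, shrink bash history.
# Original instructions: edit /etc/profile (vim /etc/profile), append
# "export TMOUT=300" at the end, and change HISTSIZE=1000 to HISTSIZE=100.
# "readonly TMOUT" is added so a user cannot simply `unset TMOUT` to escape
# the idle timeout; re-sourcing /etc/profile in the same session then prints
# a harmless "readonly variable" message.
if ! grep -q '^export TMOUT=300$' /etc/profile; then
  cat >> /etc/profile <<'EOF'
export TMOUT=300
readonly TMOUT
EOF
fi
# HISTSIZE counts commands, not bytes (the original note spoke of "100 KB").
# NOTE(review): a 100-entry history limits what incident responders and the
# step-17 audit hook can recover; weigh that against the author's reason.
sed -i 's/^HISTSIZE=1000$/HISTSIZE=100/' /etc/profile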
12、禁止ping用户使用ping不做任何反映
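# Step 12: stop answering ICMP echo requests (ping).
# The original listed the enable command and its undo back to back, which
# run as a script is a no-op; the undo is kept as a comment.
# Writing to /proc does not survive a reboot — put
# net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf to make it persistent.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all    # ignore ping
# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all  # undo: answer ping again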
13、防止DOS攻击
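# Step 13: per-user resource limits against runaway processes / fork bombs.
# Original instruction: vim /etc/security/limits.conf and add the lines
# below; the author notes the values are to be tuned per environment.
# NOTE(review): "* hard nproc 50" conflicts with the 65535 set in step 8
# (pam_limits keeps the last matching entry — confirm for your version), and
# "rss" is documented as ignored by current kernels; "core 0" is the useful
# part (no core dumps of possibly secret-laden memory).
cat >> /etc/security/limits.conf <<'EOF'
* hard core 0
* hard rss 10000
* hard nproc 50
EOF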
14、注释不需要的用户和用户组
vi /etc/passwd 注释不需要的用户,用“#”注释,如下:
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
vi /etc/group 注释不需要的用户组,如下:
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:
#news:x:9:13:news:/etc/news
15、限制ip登陆
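# Step 15: restrict SSH by source address with TCP wrappers.
# Original instructions: vi /etc/hosts.deny → "sshd:ALL", then
# vi /etc/hosts.allow → "sshd:192.168.0.1:allow". hosts.allow is consulted
# first, so the allow entry is written before the deny entry to avoid a
# lockout window on a live host.
# NOTE(review): this only works while sshd is linked against libwrap
# (CentOS 7); it complements, not replaces, the iptables rules of steps 2/4.
grep -q '^sshd:192.168.0.1:allow$' /etc/hosts.allow || printf 'sshd:192.168.0.1:allow\n' >> /etc/hosts.allow
grep -q '^sshd:ALL$' /etc/hosts.deny || printf 'sshd:ALL\n' >> /etc/hosts.deny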
16、查看有登陆权限的用户
# Step 16: review who can log in.
# Accounts whose login shell is /bin/bash. Accounts with another shell
# (e.g. /bin/sh) are not listed by this check.
awk -F: '$7 == "/bin/bash" { print $1 }' /etc/passwd
# Accounts with UID 0 — only root should appear.
awk -F: '$3 == 0 { print }' /etc/passwd
# Accounts with an empty password hash (reading /etc/shadow needs root).
awk -F: '$2 == "" { print }' /etc/shadow
17、对Linux用户进行登录及操作进行记录(审计)
1.创建用户审计文件存放目录和审计日志文件;
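# Step 17: record every interactive command in an append-only audit file.
# Original steps: create the file, hand it to an unprivileged owner, make it
# writable by everyone (002), mark it append-only, hook PROMPT_COMMAND in
# /etc/profile, then reload the profile. Guarded so /etc/profile is not
# appended to twice; chown uses ":" instead of the deprecated ".".
# NOTE(review): this is best-effort only — a user can unset PROMPT_COMMAND
# or start a different shell; use auditd for evidence-grade logging. Logged
# command lines may contain secrets, so the file must stay unreadable to
# non-root (mode 002 gives others write-only access; the owner has none).
touch /var/log/Command_history.log
chown nobody:nobody /var/log/Command_history.log
chmod 002 /var/log/Command_history.log
chattr +a /var/log/Command_history.log   # append-only until chattr -a
if ! grep -q '^export HISTORY_FILE=/var/log/Command_history.log$' /etc/profile; then
  cat >> /etc/profile <<'EOF'
export HISTORY_FILE=/var/log/Command_history.log
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### USER:$USER IP:$SSH_CLIENT PS:$SSH_TTY ppid=$PPID pwd=$PWD #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'
EOF
fi
# Affects the current shell only; new logins pick the profile up on their own.
source /etc/profile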
18、升级内核
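# Step 18: upgrade the kernel from ELRepo.
# Reordered: the original fetched two kernel-ml 5.0.4 RPMs by hand, then
# installed elrepo-release and kernel-lt as well, and finally pinned GRUB to
# the hard-coded string "kernel-lt-5.4.99-1.el7.elrepo.x86_64", which will
# not match whatever version yum installs today. One track is installed here.
# Import ELRepo's signing key first so the release RPM (fetched over plain
# http in the original) and the kernel packages are signature-checked.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-4.el7.elrepo.noarch.rpm
# Long-term-support track. The original additionally installed the mainline
# track by hand:
#   wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-5.0.4-1.el7.elrepo.x86_64.rpm
#   wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-devel-5.0.4-1.el7.elrepo.x86_64.rpm
#   yum -y install kernel-ml-5.0.4-1.el7.elrepo.x86_64.rpm kernel-ml-devel-5.0.4-1.el7.elrepo.x86_64.rpm
# Use either kernel-lt or kernel-ml, not both.
yum --enablerepo=elrepo-kernel install -y kernel-lt
rpm -qa | grep kernel
# The newly installed kernel is normally placed first in the GRUB menu
# (index 0) — list the menu entries and confirm before relying on it
# (path is /etc/grub2-efi.cfg on UEFI systems).
awk -F\' '/^menuentry / {print $2}' /etc/grub2.cfg
grub2-set-default 0
grub2-editenv list   # shows the saved default entry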
19、检查脚本运行用户是否为root
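# Step 19: refuse to run unless invoked as root.
# $(id -u) is now quoted and compared numerically; the doubled quotes around
# the original echo -e message are replaced by a printf to stderr.
if [[ "$(id -u)" -ne 0 ]]; then
  printf '\033[1;31mError! You must be root to run this script!\033[0m\n' >&2
  exit 10
fi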