How to optimize the Apple system: Linux system optimization and security (complete collection); how to optimize the Apple system





2022-07-20 21:48:26  Networking knowledge  Official administrator

1. Stop unnecessary services

systemctl stop NetworkManager

systemctl disable NetworkManager

systemctl stop postfix

systemctl disable postfix

systemctl stop rpcbind

systemctl disable rpcbind

2. Configure the firewall

# Stop firewalld

systemctl status firewalld

systemctl stop firewalld

systemctl disable firewalld

# Configure iptables

yum install iptables-services -y

# Add firewall rules as a whitelist: allow SSH (port 22) only from the IP ranges your environment requires

vi /etc/sysconfig/iptables

-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT

systemctl enable iptables.service

systemctl start iptables.service

3. Disable SELinux

sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config

setenforce 0

# Tune SSH login

sed -ri 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config

sed -ri 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config  # fixes slow logins

4. Change the SSH port

sed -i 's/#Port 22/Port 10022/g' /etc/ssh/sshd_config  # pick your own port

sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config  # refuse logins from accounts with an empty password

sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config

sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config  # speed up SSH login

systemctl restart sshd

vi /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m tcp -p tcp --dport 10022 -j ACCEPT

5. Configure the yum repositories

cd /etc/yum.repos.d/

mkdir backup

mv *.repo backup/

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

yum clean all

yum makecache

6. Install common tools

yum install lrzsz wget vim net-tools gcc gcc-c++ curl telnet unzip -y

# Install network and performance monitoring tools

yum -y install telnet net-tools sysstat iftop lsof iotop htop dstat

# Install bash tab-completion

yum -y install bash-completion

# Install source build tools and development packages

yum -y install cmake gcc gcc-c++ zlib zlib-devel openssl openssl-devel pcre pcre-devel curl

# Install compression and archive tools

yum -y install zip unzip bzip2 gdisk

7. Time synchronization

yum install ntpdate -y

ntpdate time.windows.com

echo "*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1" >> /var/spool/cron/root

echo "*/20 * * * * /usr/sbin/ntpdate ntp.api.bz >/dev/null 2>&1" >> /var/spool/cron/root

# Time synchronization with chrony

yum install chrony -y && systemctl enable chronyd && systemctl start chronyd

timedatectl set-timezone Asia/Shanghai && timedatectl set-ntp yes

8. Raise the file descriptor limits

ulimit -SHn 65535

cat >> /etc/security/limits.conf <<EOF

* soft nproc 65535

* hard nproc 65535

* soft nofile 655350

* hard nofile 655350

EOF

sed -i 's#4096#65535#g' /etc/security/limits.d/20-nproc.conf

9. Tune Linux kernel parameters

cat >> /etc/sysctl.conf <<EOF

kernel.sysrq=0

kernel.core_uses_pid=1

kernel.msgmnb=65536

kernel.msgmax=65536

kernel.shmmax=68719476736

kernel.shmall=4294967296

net.core.wmem_default=8388608

net.core.rmem_default=8388608

net.core.rmem_max=16777216

net.core.wmem_max=16777216

net.core.netdev_max_backlog=262144

net.core.somaxconn=50000

net.ipv4.ip_forward=1

net.ipv4.conf.default.rp_filter=1

net.ipv4.conf.default.accept_source_route=0

net.ipv4.tcp_syncookies=1

net.ipv4.tcp_max_orphans=3276800

net.ipv4.tcp_max_syn_backlog=262144

net.ipv4.tcp_timestamps=0

net.ipv4.tcp_synack_retries=1

net.ipv4.tcp_syn_retries=1

net.ipv4.tcp_tw_recycle=0

net.ipv4.tcp_tw_reuse=1

net.ipv4.tcp_mem=94500000 915000000 927000000

net.ipv4.tcp_max_tw_buckets=50000

net.ipv4.tcp_sack=1

net.ipv4.tcp_window_scaling=1

net.ipv4.tcp_rmem=4096 87380 4194304

net.ipv4.tcp_wmem=4096 16384 4194304

net.ipv4.tcp_fin_timeout=30

net.ipv4.tcp_keepalive_time=1800

net.ipv4.ip_local_port_range=1024 65535

vm.swappiness=0

vm.min_free_kbytes=524288

fs.inotify.max_user_instances=8192

fs.inotify.max_user_watches=262144

fs.file-max=1048576

EOF
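Appending the fragment above to /etc/sysctl.conf does not by itself change anything: the values are only loaded by `sysctl -p` or a reboot, and a key the running kernel does not provide is skipped with an error while the rest are applied. The following drift check is an added example (not code from the original post): it compares the values you intend to enforce with a snapshot of what the kernel currently reports and lists every key that differs. The snapshot embedded here is constructed; on a real host the second argument would be the output of `sysctl -a`.

```shell
#!/bin/bash
# Drift check for a sysctl.conf fragment.  Added example, not part of the
# original post: report every desired key whose value the kernel does not
# currently hold, so a hardening run fails loudly instead of silently
# skipping a value that never took effect.

# Desired settings: a subset of the fragment appended to /etc/sysctl.conf.
DESIRED_CONF='
kernel.sysrq = 0
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_rmem = 4096 87380 4194304
# comments and blank lines are ignored

vm.swappiness = 0
'

# Constructed "sysctl -a" snapshot of a host where two settings did not
# take effect (kernel.sysrq and vm.swappiness).  sysctl prints multi-value
# settings with tabs, so whitespace is normalised before comparing.
CURRENT_SNAPSHOT='
kernel.sysrq = 16
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_rmem = 4096    87380   4194304
vm.swappiness = 30
'

# Turn "key = v1   v2" lines into "key=v1 v2": strip comments, collapse
# whitespace and drop anything that is not a key=value pair.
normalize_conf() {
    printf '%s\n' "$1" \
        | sed -e 's/#.*$//' -e 's/[[:space:]]\{1,\}/ /g' \
              -e 's/^ //' -e 's/ $//' -e 's/ *= */=/' \
        | grep '=' || true
}

# Print "key desired=<d> current=<c>" for every drifted key ("<missing>"
# when the snapshot has no such key).  Returns 0 when nothing drifted and
# 1 otherwise, so it can gate the rest of a hardening script.
sysctl_drift() {
    desired=$(normalize_conf "$1")
    current=$(normalize_conf "$2")
    drift=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        have=$(printf '%s\n' "$current" | awk -F= -v k="$key" \
            '$1 == k { print $2; found = 1; exit }
             END { if (!found) print "<missing>" }')
        if [ "$have" != "$want" ]; then
            printf '%s desired=%s current=%s\n' "$key" "$want" "$have"
            drift=1
        fi
    done <<EOF
$desired
EOF
    return $drift
}

# Stand-alone run against the constructed snapshot.  On a real host:
#   sysctl_drift "$(cat /etc/sysctl.conf)" "$(sysctl -a 2>/dev/null)"
sysctl_drift "$DESIRED_CONF" "$CURRENT_SNAPSHOT" \
    || echo "sysctl drift detected: run 'sysctl -p' and re-check the keys above"
```

The `<missing>` marker is the case worth watching on this particular page: `net.ipv4.tcp_tw_recycle` was removed from the kernel in 4.12, so after the kernel upgrade in step 18 that key no longer exists and the fragment's line for it is simply ignored.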

10. Change the root account password

echo '$adDF12B' | passwd --stdin root  # use a complex password: at least 8 characters, mixing digits, upper- and lowercase letters and special characters
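Two things a provisioning script should get right at this step: the password must be quoted with single quotes (in double quotes a value such as $adDF12B is expanded by the shell as a variable, and root gets an empty or truncated password), and the complexity rule from the comment should be checked before the value reaches passwd, because pam_pwquality only warns root rather than refusing unless enforce_for_root is set in /etc/security/pwquality.conf. The checker below is an added example, not code from the original post; the candidate passwords in it are constructed.

```shell
#!/bin/bash
# Password-policy check for the "passwd --stdin" step.  Added example, not
# part of the original post: verify the rule stated in the comment above
# (at least 8 characters with digits, upper- and lowercase letters and a
# special character) and name every rule the candidate fails.

MIN_LEN=8

# Returns 0 when the password satisfies every rule, 1 otherwise; each
# failed rule is printed on its own line so the caller can log the reason.
# The password is taken as an argument, never echoed through double quotes.
check_password_policy() {
    pw=$1
    ok=0
    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "too short: ${#pw} < $MIN_LEN characters"; ok=1
    fi
    printf '%s\n' "$pw" | grep -q '[[:digit:]]' || { echo "no digit"; ok=1; }
    printf '%s\n' "$pw" | grep -q '[[:lower:]]' || { echo "no lowercase letter"; ok=1; }
    printf '%s\n' "$pw" | grep -q '[[:upper:]]' || { echo "no uppercase letter"; ok=1; }
    printf '%s\n' "$pw" | grep -q '[[:punct:]]' || { echo "no special character"; ok=1; }
    return $ok
}

# Constructed candidates: the post's sample value plus three weak ones.
for candidate in '$adDF12B' 'password' 'Passw0rd' 'Ab1$'; do
    if check_password_policy "$candidate" >/dev/null; then
        echo "OK      $candidate"
    else
        echo "REJECT  $candidate"
    fi
done
```

In a real script the call would be `check_password_policy "$NEW_PW" && printf '%s\n' "$NEW_PW" | passwd --stdin root`, with the password held in a variable that was never written on a command line or into shell history.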

11. Automatically log out remote sessions after 5 minutes of inactivity

vim /etc/profile

Append at the end:

export TMOUT=300  # auto-logout after 5 minutes idle

Find:

HISTSIZE=1000

and change it to:

HISTSIZE=100  # reduce the history log to 100 KB; when it is too large, important entries are easily missed

12. Block ping (ping requests get no response)

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all  # disable ping replies

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all  # re-enable ping replies

13. Guard against DoS attacks

vim /etc/security/limits.conf

Add the following settings:

* hard core 0

* hard rss 10000

* hard nproc 50

Adjust the values above to your requirements.

14. Comment out unneeded users and groups

vi /etc/passwd: comment out the users you do not need by prefixing them with "#", for example:

#games:x:12:100:games:/usr/games:/sbin/nologin

#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin

#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

#adm:x:3:4:adm:/var/adm:/sbin/nologin

#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

#sync:x:5:0:sync:/sbin:/bin/sync

#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

#halt:x:7:0:halt:/sbin:/sbin/halt

#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin

#operator:x:11:0:operator:/root:/sbin/nologin

vi /etc/group: comment out the groups you do not need, for example:

#adm:x:4:root,adm,daemon

#lp:x:7:daemon,lp

#uucp:x:14:uucp

#games:x:20:

#dip:x:40:

#news:x:9:13:news:/etc/news

15. Restrict logins by IP

vi /etc/hosts.deny

sshd:ALL

vi /etc/hosts.allow

sshd:192.168.0.1:allow

16. List the users that can log in

awk -F: '($7=="/bin/bash"){print $1}' /etc/passwd

awk -F: '($3==0)' /etc/passwd  # list accounts with UID 0

awk -F: '($2=="")' /etc/shadow  # list accounts with an empty password
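The three awk one-liners above answer three different questions (who has a shell, who is UID 0, who has no password), and the first one misses any interactive shell other than /bin/bash. The script below is an added example, not code from the original post: it wraps the three checks into one audit that reports findings and returns their count, and it widens the shell check to anything that is not nologin or false. The passwd and shadow files it reads are constructed samples written to a temporary directory; point it at /etc/passwd and /etc/shadow (as root) for a real run.

```shell
#!/bin/bash
# Account audit built around the three awk checks above.  Added example,
# not part of the original post.

AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$AUDIT_DIR"' EXIT

# Constructed sample files.  "toor" is a second UID 0 account and "deploy"
# has an empty shadow password field: both are findings an audit must surface.
cat > "$AUDIT_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
toor:x:0:0::/root:/bin/sh
svc:x:1002:1002::/var/svc:/bin/false
EOF
cat > "$AUDIT_DIR/shadow" <<'EOF'
root:$6$constructed$notarealhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
games:*:19000:0:99999:7:::
deploy::19000:0:99999:7:::
toor:!!:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
EOF

# Accounts whose login shell is interactive: anything that is not nologin
# or false (the post checks only /bin/bash, which would miss /bin/sh).
interactive_users() {
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# Every account with UID 0: only "root" should appear.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose shadow password field is empty (login without a password).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print the findings and return their number (0 means clean).
audit_accounts() {
    passwd_file=$1; shadow_file=$2; findings=0
    for u in $(uid0_accounts "$passwd_file"); do
        if [ "$u" = root ]; then continue; fi
        echo "FINDING extra UID 0 account: $u"; findings=$((findings + 1))
    done
    for u in $(empty_password_accounts "$shadow_file"); do
        echo "FINDING empty password: $u"; findings=$((findings + 1))
    done
    echo "INFO interactive shells: $(interactive_users "$passwd_file" | tr '\n' ' ')"
    return $findings
}

# Stand-alone run against the constructed files (expect 2 findings).
audit_accounts "$AUDIT_DIR/passwd" "$AUDIT_DIR/shadow" || echo "$? finding(s)"
```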

17. Record (audit) Linux user logins and operations

1. Create the directory for the audit files and the audit log file;

touch /var/log/Command_history.log

2. Give ownership of the log file to a least-privileged user;

chown nobody.nobody /var/log/Command_history.log

3. Give everyone write permission on the log file;

chmod 002 /var/log/Command_history.log

4. Set the file attributes so that all users can only append to it;

chattr +a /var/log/Command_history.log

5. Edit /etc/profile and add the following script commands;

export HISTORY_FILE=/var/log/Command_history.log

export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### USER:$USER IP:$SSH_CLIENT PS:$SSH_TTY ppid=$PPID pwd=$PWD #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >> $HISTORY_FILE'

6. Apply the configuration

source /etc/profile
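A log that nobody reads is not an audit trail. The reader below is an added example, not code from the original post: it splits each record written by the PROMPT_COMMAND above into its fields and flags the commands a defender wants to see first, in particular attempts to remove the append-only attribute from the log itself, account changes, and history wiping. The records it reads are constructed samples in exactly the format the PROMPT_COMMAND produces; the list of sensitive commands is an assumption to extend for your environment.

```shell
#!/bin/bash
# Reader and detector for /var/log/Command_history.log records.  Added
# example, not part of the original post.

AUDIT_LOG=$(mktemp)
trap 'rm -f "$AUDIT_LOG"' EXIT

# Constructed records in the PROMPT_COMMAND format:
# "<date> <time> ##### USER:<u> IP:<ssh client> PS:<tty> ppid=<n> pwd=<dir> #### <command>"
# ($SSH_CLIENT is "ip port port", so the IP field contains spaces).
cat > "$AUDIT_LOG" <<'EOF'
2022-07-20 21:48:26 ##### USER:root IP:192.168.1.50 52312 22 PS:/dev/pts/0 ppid=2210 pwd=/root #### ls -la /var/log
2022-07-20 21:49:02 ##### USER:deploy IP:192.168.1.77 40110 22 PS:/dev/pts/1 ppid=2305 pwd=/home/deploy #### git pull
2022-07-20 21:50:15 ##### USER:deploy IP:192.168.1.77 40110 22 PS:/dev/pts/1 ppid=2305 pwd=/home/deploy #### sudo chattr -a /var/log/Command_history.log
2022-07-20 21:51:40 ##### USER:root IP:192.168.1.50 52312 22 PS:/dev/pts/0 ppid=2210 pwd=/root #### useradd -G wheel svc2
2022-07-20 21:52:03 ##### USER:root IP:192.168.1.50 52312 22 PS:/dev/pts/0 ppid=2210 pwd=/root #### history -c
EOF

# Split one record into "timestamp|user|ip|tty|pwd|command".  Lines without
# both separators (for example a truncated last line) print nothing.
parse_audit_line() {
    printf '%s\n' "$1" | awk '
        index($0, " ##### ") == 0 || index($0, " #### ") == 0 { next }
        {
            split($0, a, " ##### "); ts = a[1]
            split(a[2], b, " #### "); meta = b[1]; cmd = b[2]
            match(meta, /USER:[^ ]*/); user = substr(meta, RSTART + 5, RLENGTH - 5)
            match(meta, /IP:[^ ]*/);   ip   = substr(meta, RSTART + 3, RLENGTH - 3)
            match(meta, /PS:[^ ]*/);   tty  = substr(meta, RSTART + 3, RLENGTH - 3)
            match(meta, /pwd=[^ ]*/);  wd   = substr(meta, RSTART + 4, RLENGTH - 4)
            printf "%s|%s|%s|%s|%s|%s\n", ts, user, ip, tty, wd, cmd
        }'
}

# Commands worth an alert (assumed list): tampering with the log's append-only
# attribute, account and sudoers changes, and shell-history wiping.
SENSITIVE_RE='(^|[ /;|&])(chattr|passwd|useradd|usermod|userdel|visudo|history -c|unset HISTFILE)([ ;|&]|$)'

# Print "ALERT <record>" for each matching record; always returns 0 so it
# can sit in a pipeline or a cron job.
flag_sensitive_commands() {
    while IFS= read -r line; do
        rec=$(parse_audit_line "$line")
        [ -n "$rec" ] || continue
        cmd=$(printf '%s\n' "$rec" | cut -d'|' -f6-)
        if printf '%s\n' "$cmd" | grep -Eq "$SENSITIVE_RE"; then
            printf 'ALERT %s\n' "$rec"
        fi
    done < "$1"
    return 0
}

# Stand-alone run against the constructed log (expect 3 alerts).
flag_sensitive_commands "$AUDIT_LOG"
```

Note the limits of the source: the record is written by the user's own shell, so a user who starts a shell that does not read /etc/profile, or who unsets PROMPT_COMMAND, stops writing records; the useful detection is therefore the absence of records for an active SSH session as much as the presence of a flagged command.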

18. Upgrade the kernel

wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-5.0.4-1.el7.elrepo.x86_64.rpm

wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-devel-5.0.4-1.el7.elrepo.x86_64.rpm

yum -y install kernel-ml-5.0.4-1.el7.elrepo.x86_64.rpm kernel-ml-devel-5.0.4-1.el7.elrepo.x86_64.rpm

rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-4.el7.elrepo.noarch.rpm

yum --enablerepo=elrepo-kernel install -y kernel-lt

rpm -qa | grep kernel

grub2-set-default 'kernel-lt-5.4.99-1.el7.elrepo.x86_64'

19. Check that the script is run as root

if [ $(id -u) != 0 ]; then

echo -e "\033[1;31mError! You must be root to run this script!\033[0m"

exit 10

fi
