系统初始化
安装常用软件
# Base tooling for a fresh host. epel-release only adds the EPEL repo definition;
# ntpdate is what the cron/rc.local time-sync lines further down this page call.
base_pkgs=(net-tools vim wget lrzsz tree bash-completion epel-release ntpdate)
yum install -y "${base_pkgs[@]}"
关闭防火墙
# Stops and disables the host firewall in one step. From here on there is no host-level
# packet filter until the iptables whitelist rule later on this page is added, and nothing
# shown on this page persists that rule across reboots — confirm how rules are saved.
systemctl disable --now firewalld
关闭 Selinux
# Switches SELinux off in the boot-time config only; the running kernel keeps its
# current mode until reboot (`setenforce 0` changes it immediately). This removes the
# mandatory-access-control layer entirely; SELINUX=permissive keeps logging denials
# without enforcing them and is the safer first step when SELinux is suspected of
# causing a problem. The sed only rewrites a literal `SELINUX=enforcing` line.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
更换 YUM 仓库
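# Replace the stock CentOS-Base.repo with the Aliyun mirror definition.
# Defect fixed: a plain `curl -o` writes the HTTP error page (or an empty file) into
# the repo file when the download fails, and the seds then run on that garbage.
# With -f curl exits non-zero on HTTP errors and the original file is put back.
repo=/etc/yum.repos.d/CentOS-Base.repo
mv -- "$repo" "${repo}.backup"
# -f: fail on HTTP >= 400; -sS: quiet except for errors; -L: follow redirects
if curl -fsSL --retry 3 -o "$repo" https://mirrors.aliyun.com/repo/Centos-7.repo; then
  # Swap the two Aliyun hostnames (cloud-internal <-> public) through a placeholder so
  # the second substitution cannot clobber the first. One sed pass; the substitutions
  # are line-local, so the result equals the original three separate passes.
  sed -i \
    -e 's/mirrors.cloud.aliyuncs.com/url_tmp/g' \
    -e 's/mirrors.aliyun.com/mirrors.cloud.aliyuncs.com/g' \
    -e 's/url_tmp/mirrors.aliyun.com/g' \
    -- "$repo"
else
  printf 'repo download failed; restoring %s\n' "$repo" >&2
  mv -f -- "${repo}.backup" "$repo"
fi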
yum clean all && yum makecache
修改醒目 PS1
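# Append shell defaults for every login shell. The heredoc is unquoted, so every `$`
# that must survive into /etc/profile is written as `\$`. The grep guard makes a
# second run a no-op instead of appending the same lines again.
# Defect fixed: `export TMOUT=300` can be undone by any user with `unset TMOUT`; the
# timeout is now declared readonly as well, which is what an idle-session limit needs.
grep -q 'HISTTIMEFORMAT=' /etc/profile || cat >> /etc/profile<<EOF
# Coloured prompt: [user@host cwd]\$
export PS1='\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@\[\e[33;40m\]\h \[\e[35;40m\]\W\[\e[0m\]]\\$ '
# Timestamp and user in \`history\` output
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S \$(whoami) "
# Send each command line to syslog. Best effort only: this runs inside the user's own
# shell and is not tamper-resistant, so it is not an audit trail — use auditd for that.
export PROMPT_COMMAND='{ msg=\$(history 1 | { read -r x y; printf "%s" "\$y"; }); logger "[euid=\$(whoami)]":\$(who am i):[\$(pwd)]"\$msg";}'
# Idle-session timeout in seconds; readonly so it cannot be unset or raised later.
# (TMOUT also bounds the builtin \`read\` when no -t is given.)
readonly TMOUT=300
export TMOUT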
EOF
设置 SSH 登录警告语
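# Pre-authentication SSH banner plus post-login motd.
# Defect fixed: the original sed only matches the literal `#Banner none` line, so a
# config whose Banner line was already edited (or is absent) is left untouched with no
# error. This replaces any existing Banner directive, commented or not, and appends
# one when none exists (appending assumes no trailing Match block, as in the stock
# CentOS 7 file). sshd must be restarted afterwards — the SSH hardening section below
# does that.
sshd_cfg=/etc/ssh/sshd_config
if grep -Eq '^[[:space:]]*#?[[:space:]]*Banner[[:space:]]' "$sshd_cfg"; then
  sed -E -i 's|^[[:space:]]*#?[[:space:]]*Banner[[:space:]].*|Banner /etc/ssh/alert|' "$sshd_cfg"
else
  printf 'Banner /etc/ssh/alert\n' >> "$sshd_cfg"
fi
# Banner shown before authentication. Quoted delimiter: the text is written literally.
cat > /etc/ssh/alert <<'EOF'
***************************************************************************
警告: 你正在登录到重要服务器,所有从操作将被记录。请谨慎操作 !!!
***************************************************************************
EOF
# Message shown after a successful login (terminated by the EOF line that follows).
cat > /etc/motd <<'EOF'
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! !!!
!!! You have successfully logged on to the Prometheus server, !!!
!!! All your actions will be recorded, please be carefully! !!!
!!! !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!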
EOF
设置自动同步时间
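# Nightly clock step at 01:05.
# Defect fixed: appending straight to /var/spool/cron/root bypasses crontab(1) — no
# syntax check, a duplicate entry on every run, and when the spool file does not exist
# yet it is created with the shell's umask instead of crontab's own mode.
cron_line='05 01 * * * /usr/sbin/ntpdate time2.aliyun.com >/dev/null'
# `crontab -l` exits non-zero and prints "no crontab for root" when none exists; that
# is expected here, hence the stderr redirect.
if ! crontab -l -u root 2>/dev/null | grep -qF -- "$cron_line"; then
  { crontab -l -u root 2>/dev/null; printf '%s\n' "$cron_line"; } | crontab -u root -
fi
# ntpdate steps the clock instead of slewing it; chronyd (stock on CentOS 7) keeps it
# continuously synced and is the better long-term choice. The rc.local line that follows
# only runs if /etc/rc.d/rc.local is executable, which it is not by default on CentOS 7.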
echo '/usr/sbin/ntpdate time2.aliyun.com' >> /etc/rc.local
关闭 SSH 配置中 UseDNS
# Stops sshd reverse-resolving client addresses (one DNS round-trip less per login).
# Only the stock commented line is matched; an already-edited line is left as-is with
# no error, and sshd must be restarted for it to apply (the SSH section below does).
# Upstream OpenSSH has defaulted UseDNS to no since 6.8; `sshd -T | grep -i usedns`
# shows the effective value.
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
系统安全加固
设置口令策略
# 使用命令 vim /etc/login.defs 修改配置文件
PASS_MAX_DAYS 30 #新建用户的密码最长使用天数
PASS_MIN_DAYS 0 #新建用户的密码最短使用天数
PASS_MIN_LEN 10 #密码最小长度
PASS_WARN_AGE 7 #新建用户的密码到期提前提醒天数
密码复杂度,将
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
注释并在其下面新增1行
vim /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass minlen=8 difok=5 dcredit=-1 lcredit=-1 ocredit=-1 retry=1 type=
try_first_pass: 当 pam_unix 验证模块与 password 验证类型一起使用时,该选项主要用来防止用户新设定的密码与以前的旧密码相同。
minlen=8: 最小长度8位
difok=5: 新、旧密码最少5个字符不同
dcredit=-1: 最少1个数字
lcredit=-1: 最少1个小写字符,(ucredit=-1:最少1个大写字符)
ocredit=-1: 最少1个特殊字符
retry=1: 1次错误后返回错误信息
type=xxx: 此选项用来修改缺省的密码提示文本
新口令不能与4个最近使用的相同
# 编辑配置文件 vim /etc/pam.d/system-auth,在 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok 所在行的后面添加
remember=5
禁止关键文件的修改
# Makes the account database immutable: passwd, useradd, usermod, chage and the PAM
# password modules all fail until `chattr -i` is run. That conflicts with the password
# aging configured in login.defs above (PASS_MAX_DAYS 30 forces a change that cannot be
# written) and with the remember=N history in pam_unix. /etc/group and /etc/gshadow
# are left writable here.
chattr +i /etc/passwd /etc/shadow
开启内核的 SYN cookie 保护
# Runtime-only: a write to /proc does not survive a reboot. The sysctl.conf written in
# the kernel-tuning section below also sets net.ipv4.tcp_syncookies = 1, which is the
# persistent half; `sysctl -w net.ipv4.tcp_syncookies=1` is the usual spelling of this.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
设置 umask 值
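# Default umask 027 for non-login interactive shells (/etc/profile gets the same line
# on the next command). Defect fixed: an unconditional `>>` appends a duplicate on every
# run; -x matches the whole line so only an identical entry suppresses the append.
grep -qx 'umask 027' /etc/bashrc || printf 'umask 027\n' >> /etc/bashrc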
echo 'umask 027' >> /etc/profile
隐藏系统版本信息
# /etc/issue is the pre-login banner agetty prints on local consoles; on a stock install
# it shows the release and kernel (\S, \r), which is what moving it away hides. The
# /etc/issue.net moved next is only shown over SSH when sshd's Banner points at it, and
# this page points Banner at /etc/ssh/alert instead.
mv /etc/issue /etc/issue.bak
mv /etc/issue.net /etc/issue.net.bak
设置登录失败锁定(终端锁定)
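# Lock an account for 30 minutes after 5 failed logins. system-auth covers console/tty
# logins; on CentOS 7 sshd uses password-auth, so SSH is not covered by this file.
# Defect fixed: the original appends the line at the very end of the file, which places
# it last in the auth stack, after `auth sufficient pam_unix.so` and `auth required
# pam_deny.so`. A successful login ends the stack at the sufficient pam_unix.so, so the
# appended module is never reached and never resets the counter — stack order decides
# whether the lock works at all. Insert it at the top of the auth stack (after
# pam_env.so on a stock system-auth) and add the account line; per pam_tally2(8) the
# auth line counts and denies, the account line resets the count after a success.
pam_cfg=/etc/pam.d/system-auth
tally_args='deny=5 unlock_time=1800 even_deny_root root_unlock_time=1800'
if ! grep -q 'pam_tally2.so' "$pam_cfg"; then
  sed -i "/^auth[[:space:]]\+required[[:space:]]\+pam_env.so/a auth        required      pam_tally2.so ${tally_args}" "$pam_cfg"
  sed -i "/^account[[:space:]]\+required[[:space:]]\+pam_unix.so/i account     required      pam_tally2.so" "$pam_cfg"
fi
# even_deny_root locks root at the console too; keep an out-of-band way in (or
# `pam_tally2 --reset -u root`) before relying on it. authconfig regenerates this file
# and drops hand edits.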
通过终端登录,5次登录失败后锁定账号30分钟,锁定期间此账号无法再次登录。
SSH 安全加固参数增强
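# SSH hardening.
# Defect fixed: the original seds match only the exact commented stock lines, so a
# directive that was already edited or is missing is silently left as-is (for example
# `s/#PermitRootLogin yes/…/` does nothing to a line reading `PermitRootLogin yes`).
# set_sshd_opt replaces any existing occurrence, commented or not, and appends the
# directive when absent. Appending assumes no trailing Match block, which holds for a
# stock CentOS 7 sshd_config.
#   $1 - directive name, $2 - value, $3 - config path (default /etc/ssh/sshd_config)
set_sshd_opt() {
  local key=$1 value=$2 cfg=${3:-/etc/ssh/sshd_config}
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$cfg"; then
    sed -E -i "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$cfg"
  else
    printf '%s %s\n' "$key" "$value" >> "$cfg"
  fi
}
# No direct root logins; use an unprivileged account plus sudo
set_sshd_opt PermitRootLogin no
# Never accept an empty password
set_sshd_opt PermitEmptyPasswords no
# No TCP port forwarding through this host
set_sshd_opt AllowTcpForwarding no
# Disable challenge-response (keyboard-interactive) authentication. This also rules
# out PAM-driven keyboard-interactive flows such as OTP/2FA if those are ever wanted.
set_sshd_opt ChallengeResponseAuthentication no
# Validate before the restart that follows: a config error would leave sshd down.
# If this prints an error, fix the file before restarting.
sshd -t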
systemctl restart sshd
限制登录的来源IP,白名单设置(hosts.allow 优先级最高)
- 通过iptables设置ssh端口的白名单, 如下设置只允许192.168.64.0/24网段的客户机可以远程连接本机
# NOTE(review): the text above names 192.168.64.0/24 while this rule uses 192.168.1.0/24
# and port 2222, and nothing on this page moves sshd off port 22 — confirm both values.
# An ACCEPT on its own admits nothing new: the whitelist only takes effect together with
# a later rule (or an INPUT default policy) that drops other sources for the same port.
# With firewalld disabled above, a rule added this way is not persisted across reboots
# unless it is saved (e.g. iptables-services).
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
- 通过/etc/hosts.allow里面进行限制(如下),/etc/hosts.deny文件不要任何内容编辑,保持默认!
vim /etc/hosts.allow
sshd:192.168.64.,192.168.1.,124.65.197.154,61.148.60.42,103.10.86.7:allow
sshd:all:deny
系统调优
配置服务器 limits 限制
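# Raise open-file / process / memlock limits.
# Defect fixed: the original writes `soft nofile 655350` but `hard nofile 131072`; a
# soft limit above the hard limit is rejected by setrlimit, so pam_limits cannot apply
# it at login, and it contradicts the temporary `ulimit -SHn 655350` below, which sets
# soft and hard together. Both are 655350 here. Inserts are guarded so a re-run does
# not duplicate lines; they go before the `# End of file` marker of the stock
# limits.conf and are skipped silently if that marker is absent.
# Temporary, current shell only
ulimit -SHn 655350
# Persistent (the `hard memlock unlimited` entry is added by the line that follows)
limits_conf=/etc/security/limits.conf
while read -r kind item value; do
  grep -Eq "^\*[[:space:]]+${kind}[[:space:]]+${item}[[:space:]]" "$limits_conf" \
    || sed -i "/^# End/i\* ${kind} ${item} ${value}" "$limits_conf"
done <<'LIMITS'
soft nofile 655350
hard nofile 655350
soft nproc 655350
hard nproc 655350
soft memlock unlimited
LIMITS
# Caveats: `*` does not apply to root; systemd services take LimitNOFILE= from their
# unit, not this file; and the stock /etc/security/limits.d/20-nproc.conf is read after
# limits.conf and overrides nproc for non-root users unless it is edited too.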
sed -i '/^# End/i\* hard memlock unlimited' /etc/security/limits.conf
配置 nf_conntrack
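# Register the conntrack modules for boot and size the conntrack hash table.
# Defect fixed: the modules were only registered for the next boot, so the `lsmod`
# check that follows, and the net.netfilter.nf_conntrack_* keys in the sysctl section
# below (they exist only once the module is loaded), fail until a reboot — load them
# now as well. Notes: nf_conntrack_ipv4 is the CentOS 7 (3.10) module name; newer
# kernels fold it into nf_conntrack and modprobe would fail there. The file is named
# ipvs.conf but lists only conntrack modules, and the lsmod check also greps ip_vs,
# which nothing here loads.
cat > /etc/modules-load.d/ipvs.conf <<'EOF'
nf_conntrack
nf_conntrack_ipv4
EOF
# hashsize is read at module load, so write the option before the first modprobe.
# For an already-loaded module change it via /sys/module/nf_conntrack/parameters/hashsize.
printf 'options nf_conntrack hashsize=131072\n' > /etc/modprobe.d/nf_conntrack.conf
modprobe -a nf_conntrack nf_conntrack_ipv4
systemctl enable --now systemd-modules-load.service
# Verify the modules are loaded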
lsmod | grep -e ip_vs -e nf_conntrack
配置内核调优参数
# Back up the current file (the stock CentOS 7 sysctl.conf holds only comments, so
# replacing it wholesale loses nothing functional).
mv /etc/sysctl.conf{,_bak}
# Write the tuning profile. Points to check before applying:
#  - tcp_timestamps = 0 together with tcp_tw_reuse = 1: reuse of TIME_WAIT sockets
#    needs timestamps (the kernel uses them to judge a socket safe to reuse), so as
#    written tw_reuse is a no-op, and disabling timestamps also drops PAWS protection
#    against wrapped sequence numbers.
#  - tcp_mem is in pages, not bytes; 927000000 pages is far beyond any real host.
#  - the nf_conntrack_* keys exist only once the module is loaded (nf_conntrack section
#    above); otherwise `sysctl -p` reports them as unknown keys.
#  - net.nf_conntrack_max is the legacy alias of net.netfilter.nf_conntrack_max; drop it
#    if this kernel no longer exposes the old name.
#  - `sysctl -p` reads only /etc/sysctl.conf; `sysctl --system` also applies /etc/sysctl.d.
cat > /etc/sysctl.conf << EOF
fs.file-max=1000000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_max_syn_backlog = 16384
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_syncookies = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.ip_local_port_range = 1024 65000
net.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
EOF
# Apply now
sysctl -p