安裝Linux系統調優(yōu)及安全設置方法
發(fā)布時(shí)間:2021-09-14 18:13
來(lái)源:億速云
閱讀:0
作者:chen
欄目: 服務(wù)器
歡迎投稿:712375056
本篇內容主要講解“安裝Linux系統調優(yōu)及安全設置方法”�,感興趣的朋友不妨來(lái)看看�����。本文介紹的方法操作簡(jiǎn)單快捷��,實(shí)用性強�。下面就讓小編來(lái)帶大家學(xué)習“安裝Linux系統調優(yōu)及安全設置方法”吧!
1.1 關(guān)閉SElinux功能
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
setenforce 0
1.2 設定運行級別為3(文本模式)
/etc/inittab
systemctl get-default multi-user.target
1.3 精簡(jiǎn)開(kāi)機系統啟動(dòng) sshd�、rsyslog��、network����、crond����、sysstat
centos6:
LANG=en
chkconfig --list
chkconfig --list | grep "3:on" | grep -E "sshd|rsyslog|network|crond|sysstat" | awk '{print "chkconfig " $1 " on"}'| bash
chkconfig --list | grep "3:on" | grep -vE "sshd|rsyslog|network|crond|sysstat" | awk '{print "chkconfig " $1 " off"}'| bash
centos7:
1.4 關(guān)閉iptables防火墻
systemctl stop firewalld.service
systemctl disable firewalld.service
1.5 更改SSH遠程登錄的配置
Port 52113
Use no
PermitRootLogin yes
PermitEmptyPasswords no
GSSAPIAuthentication no
1.6 利用sudo控制用戶(hù)對系統命令的使用權限
visudo(/etc/sudoers)
glk All=(All) NOPASSWD:All
1.7 Linux中文顯示設置
cat /etc/sysconfg/i18n
echo 'LANG="zh_CN.UTF-8" ' > /etc/sysconfg/i18n
1.8 設置Linux服務(wù)器時(shí)間同步
/usr/sbin/ntpdate ntp1.aliyun.com
echo "*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com &> /dev/null" >> /var/spool/cron/root
1.9 歷史記錄數和登錄超時(shí)環(huán)境變量設置
1.設置限制賬號超時(shí)時(shí)間 export TMOUT=10
2.設置Linux的命令行的歷史記錄數 export HISTSIZE=1000
3.歷史文件的命令數量變量 export HISTFILESIZE=1000
1.10 調整Linux系統文件描述符數量
查看 ulimit -n
echo "* - nofile 65535" >> /etc/security/limits.conf
1.11 Linux服務(wù)器內核參數優(yōu)化
net.core.rmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_default = 262144
net.core.wmem_max = 16777216
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_max_tw_buckets = 10000
net.ipv4.ip_local_port_range = 1024 65500
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_mem = 786432 1048576 1572864
1.12 定時(shí)清理郵件服務(wù)器臨時(shí)目錄垃圾文件
centos6:
find /var/spool/postfix/maildrop/ -type f | xargs rm -rf
centos5:
find /var/spool/postfix/clientmqueue/ -type f | xargs rm -rf
1.13 隱藏Linux版本信息
> /etc/issue
> /etc/issue.net
1.14 鎖定關(guān)鍵系統文件��,防止被提權篡改
上鎖命令: chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
解鎖命令: chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
1.15 清楚多余的系統虛擬賬號
不必要的賬號: bin adm lp halt mail uucp operator games gopher ftp dbus vcsa abrt ntp saslauth postfix tcpdump
1.16 為grub菜單加密
1./sbin/grub-md5-crypt生成MD5密碼串
2.把密碼串放入grub.conf文件splashimage和title之間
password --md5 $1$hoY96$dM9G1bjKLbi/GV8J9neOm1
1.17 禁止Linux系統被ping
內核級禁ping:
echo "net.ipv4.icmp_echo_ignore_all = 1" > /etc/sysctl.conf
解除內核級禁ping:
刪除/etc/sysctl.conf中的 "net.ipv4.icmp_echo_ignore_all = 1"�����,保存后執行以下命令:
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
防火墻級別禁ping:
iptables -t filter -I INPUT -p icmp -icmp-type 8 -i eth0 -s 192.168.1.0/24 -j ACCEPT
1.18 升級具有典型漏洞的軟件版本
rpm -qa openssl openssh bash
yum -y install openssl openssh bash
