Linux基础优化

安装常用命令
# Install the everyday admin utilities used throughout this guide
# (lrzsz for file transfer, lsof, tree, dos2unix, bash-completion, and the
# network diagnostic tools nmap, nc, net-tools and bind-utils).
yum -y install lrzsz lsof nmap tree nc dos2unix bash-completion net-tools bind-utils

阿里云ECS安全优化
# Security update for the packages the Aliyun ECS baseline flags; one
# package per group of lines so the list is easy to review and extend.
yum -y update \
  vim bash libuser grep openssh bind-libs ntp libxml2 libreport openldap \
  kernel nss subversion libpng sqlite glibc libgcrypt openssl libtiff

更新时间服务器,低版本的存在漏洞
# Install (or bring up to date) the ntp package; the guide notes that older
# releases carry known vulnerabilities.
yum install -y ntp

删除不用的用户
lp,mail,ftp,postfix,games(如果不使用 X Window,则删除)

禁止root用户远程登录,并只允许指定用户切换root
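# Disable direct root logins over SSH, restrict `su` to the wheel group, and
# create the admin account "cby" that will be used to switch to root.
#
# The initial password is taken from the CBY_PASSWORD environment variable
# instead of a literal in the script, so it does not end up in shell history,
# the process list, or every copy of this file.
: "${CBY_PASSWORD:?set CBY_PASSWORD to the initial password for user cby}"

# Show the current PermitRootLogin setting before changing it.
grep Root /etc/ssh/sshd_config
# Replace the whole directive whether or not it is commented out. The stock
# file ships "#PermitRootLogin yes"; editing only the value would leave the
# line commented, i.e. sshd would keep its built-in default of allowing root.
sed -i 's@^#\?PermitRootLogin .*@PermitRootLogin no@' /etc/ssh/sshd_config
grep '^PermitRootLogin' /etc/ssh/sshd_config
# Uncomment the "auth required pam_wheel.so" line so only wheel members may
# su to root. The stock file typically separates the fields with tabs, which
# a literal "#auth required" pattern would not match.
sed -i 's@^#\(auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so\)@\1@' /etc/pam.d/su
# Create the admin user unless it already exists (safe to re-run).
id cby >/dev/null 2>&1 || useradd cby
printf '%s\n' "$CBY_PASSWORD" | passwd --stdin cby
# -a appends to the supplementary groups; plain -G would replace them all.
usermod -aG wheel cby
# sshd reads its configuration only at start-up; restart so the new
# PermitRootLogin value actually takes effect (existing sessions stay open).
service sshd restart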

给重要配置文件,敏感文件加锁
# Mark the account database files immutable: even root (or a compromised
# service running as root) must run `chattr -i` before they can be modified.
# NOTE: while +i is set, useradd/usermod/passwd fail; clear the attribute
# before any later account changes in this guide, or run those steps first.
for f in passwd shadow group gshadow; do
  chattr +i "/etc/$f"
done
# Confirm the "i" flag is present on all four files.
lsattr -a /etc/passwd /etc/shadow /etc/group /etc/gshadow

属主必须是root,权限设置600
# /etc/services maps port numbers to service names; lock it as well so a
# tampered mapping cannot mislead tools that resolve ports by name.
chattr +i /etc/services

更改yum源
CentOS 6已经随着2020年11月的结束进入了EOL(Reaches End of Life)。所以在2020年12月2日,CentOS官方停止了对CentOS 6的所有更新,并且下架了包括官方所有的CentOS6源,目前阿里、163、清华等CentOS6源已无法使用。
因此,目前在CentOS6系统上执行Yum命令时会提示404错误。

目前的各个版本的最后维护更新时间,如下:
CentOS 6 停止维护更新日期2020年11月30日
CentOS 7 停止维护更新日期2024年6月30日
CentOS 8 停止维护更新日期2029年5月31日
官方地址:https://wiki.centos.org/About/Product

更换阿里源(已经无法使用)
# Aliyun mirror for CentOS 6. The guide marks it as no longer available; the
# commands are kept for reference only. The repo file is fetched only if the
# backup of the current one succeeded.
if mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup; then
  wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
fi

更换腾讯源(CentOS6目前还可用的源)
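# Switch to the Tencent Cloud mirror, which still serves CentOS 6 packages.
# The repo definition decides where every later package comes from, so it is
# fetched over HTTPS rather than plaintext HTTP, and the cache is rebuilt only
# if the backup and the download both succeeded.
if mv -- /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup \
   && wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.cloud.tencent.com/repo/centos6_base.repo; then
  # Force HTTPS for the baseurl/gpgkey entries. Matching "http://" instead of
  # the bare word "http" avoids rewriting an existing "https://" to "httpss://".
  sed -i 's#http://#https://#g' /etc/yum.repos.d/CentOS-Base.repo
  yum clean all
  yum makecache
else
  printf 'repo switch failed; check /etc/yum.repos.d before running yum\n' >&2
fi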

关闭selinux
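# Disable SELinux persistently (config file) and immediately (running kernel).
# The pattern matches the whole "SELINUX=" line, so a host that is currently
# in "permissive" mode is handled as well; matching only "enforcing" would
# leave such a host unchanged while the grep below silently finds nothing.
# NOTE: "disabled" removes mandatory access control entirely; "permissive"
# would keep the AVC audit log without blocking anything.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
grep '^SELINUX=disabled' /etc/selinux/config
setenforce 0
getenforce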

关闭iptables
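# CentOS 6 (SysV init): stop iptables now and keep it from starting at boot.
# A single stop is sufficient; the duplicate invocation was removed.
/etc/init.d/iptables stop
chkconfig iptables off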

关闭centos7防火墙
# CentOS 7 (systemd): stop firewalld for the current boot. `systemctl stop`
# does not change whether the unit is enabled, so it comes back after reboot.
systemctl stop firewalld

精简开机自启动服务
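# Turn off every boot-time service except the ones listed in the filter.
# LANG is set to English first so that the "3:on" check at the end matches
# chkconfig's output whatever the system locale is. Each service is switched
# off directly in a loop instead of generating shell text and piping it into
# bash, so a stray token in the listing cannot become a command.
export LANG=en
chkconfig --list \
  | grep -Ev 'crond|sshd|network|rsyslog|sysstat' \
  | awk '{print $1}' \
  | while IFS= read -r svc; do
      [[ -n "$svc" ]] || continue   # skip blank lines in the listing
      chkconfig "$svc" off
    done
# Show what is still enabled in runlevel 3.
chkconfig --list | grep 3:on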

提权cby可以sudo
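# Grant the admin user cby passwordless sudo.
# The initial password comes from CBY_PASSWORD rather than a literal in the
# script, so it stays out of shell history and the process list.
# NOTE: with NOPASSWD, cby's account password is the only barrier between an
# SSH login as cby and root — keep it strong.
: "${CBY_PASSWORD:?set CBY_PASSWORD to the initial password for user cby}"
# useradd/passwd fail while /etc/passwd and /etc/shadow carry the immutable
# (+i) attribute set elsewhere in this guide; run `chattr -i` on them first.
id cby >/dev/null 2>&1 || useradd cby
printf '%s\n' "$CBY_PASSWORD" | passwd --stdin cby
cp /etc/sudoers /etc/sudoers.ori
if rule=$(mktemp); then
  printf '%s\n' 'cby ALL=(ALL) NOPASSWD: ALL' >"$rule"
  # Validate the rule before it reaches /etc/sudoers: a syntax error appended
  # directly would lock every sudo user out until the file is repaired.
  visudo -c -f "$rule" && cat "$rule" >>/etc/sudoers
  rm -f -- "$rule"
fi
tail -1 /etc/sudoers
visudo -c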

中文字符集
# Switch the system locale to Simplified Chinese (UTF-8): keep a copy of the
# original i18n file, write the new setting, and load it into this shell.
cp /etc/sysconfig/i18n /etc/sysconfig/i18n.ori
printf '%s\n' 'LANG="zh_CN.UTF-8"' >/etc/sysconfig/i18n
. /etc/sysconfig/i18n
printf '%s\n' "$LANG"

时间同步
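# Sync the clock every 5 minutes from root's crontab.
# cron runs jobs with /bin/sh, where "&>/dev/null" is not a redirect: sh
# parses it as "cmd &" (run in background) followed by an empty ">/dev/null",
# so the output was never discarded. The portable form is used instead.
# NOTE: ntpdate refuses to run while ntpd (installed earlier in this guide)
# is bound to UDP/123 — use ntpd *or* this cron job, not both.
printf '%s\n' \
  '#time sync by cby at 2017-9-16' \
  '*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' \
  >>/var/spool/cron/root
crontab -l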

定期清理临时目录(防止inode满了)
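# Purge queued mail files that otherwise slowly exhaust the inodes on /var.
# -print0 / -0 keep names containing whitespace or newlines intact, and "--"
# stops a name beginning with "-" from being parsed as an rm option.
find /var/spool/postfix/maildrop/ -type f -print0 | xargs -0 rm -f --
# CentOS 5 kept the sendmail client queue here.
find /var/spool/clientmqueue/ -type f -print0 | xargs -0 rm -f --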

命令行安全
# Login-shell hardening for all users: log out idle sessions after 300 s and
# keep only the last 5 commands in the history file.
# NOTE: a plain exported TMOUT can be unset by the user (it is not readonly),
# and HISTSIZE=5 leaves almost no shell history to consult after an incident.
{
  printf '%s\n' 'export TMOUT=300'
  printf '%s\n' 'export HISTSIZE=5'
  printf '%s\n' 'export HISTFILESIZE=5'
} >>/etc/profile
tail -3 /etc/profile
. /etc/profile

加大文件描述符限制
# Raise the open-file limit for every user (applied by PAM at the next login).
printf '%s\n' '* - nofile 65535 ' >>/etc/security/limits.conf
tail -1 /etc/security/limits.conf

自定义内核优化

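# Custom TCP tuning appended to /etc/sysctl.conf and loaded with sysctl -p.
# The heredoc delimiter is quoted so the block is written verbatim.
# - net.ipv4.tcp_fastopen was misspelled "tcp_fastopn", which made sysctl -p
#   report an unknown key and skip it.
# - tcp_tw_recycle is left at 0 (off): it breaks clients behind NAT, and the
#   key was removed in kernel 4.12, where sysctl -p reports it as unknown.
# - tcp_syn_retries / tcp_synack_retries = 1 gives up on a handshake after a
#   single retransmit; expect failed connections on lossy links.
cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.ip_local_port_range = 10000 65000
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 10
net.ipv4.tcp_keepalive_intvl = 2
EOF
sysctl -p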

内核优化
# Second kernel tuning block, appended verbatim to /etc/sysctl.conf (quoted
# delimiter). Nothing here is applied until `sysctl -p` or a reboot, and keys
# that also appear in an earlier block take the value that appears last in
# the file.
# NOTE: nf_conntrack_max = 25000000 reserves roughly 300 bytes per entry in
# kernel memory — several GB at that size; check it against the host's RAM.
# The netfilter keys only exist while the conntrack module is loaded, so
# sysctl -p reports them as unknown when the firewall is off (harmless).
cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.ip_local_port_range = 10000 65000
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65535
net.ipv4.tcp_max_orphans = 16384
#以下参数是对iptables防火墙的优化,防火墙不开会提示,可以忽略不理。
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF

你好
原文地址:https://www.cnblogs.com/cuibaiyi/p/8677734.html