CentOS7日常配置
升级系统
# Bring the base install fully up to date before any of the hardening below is applied.
# NOTE(review): `yum upgrade` is `yum update` with obsoletes handling, which the stock
# CentOS 7 yum.conf already turns on, so the second command is expected to be a no-op — confirm.
yum -y update && yum -y upgrade
修改计算机名
# Persistent (static) hostname. `su` then opens a fresh root login shell so the prompt shows
# the new name; it blocks until that shell exits — presumably this step is run interactively.
hostnamectl --static set-hostname v2 && su
配置网络
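# Interactive NetworkManager connection editor.
nmtui-edit
# Interface under test; override with IFACE=<name> on hosts whose NIC is not enp0s3.
iface=${IFACE:-enp0s3}
# Connectivity test: three echo requests, non-zero exit when nothing answers.
ping -c3 google.com
# Link state (mii-tool) and driver/negotiation details (ethtool) for the interface.
mii-tool "$iface"
ethtool "$iface"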
常用组件
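# EPEL first: several of the packages below (fail2ban, iptraf-ng, htop, ...) live there.
# -y keeps the run unattended, matching the second install command.
yum install -y epel-release
# Duplicates from the original list (curl, htop twice) dropped; yum would have ignored them.
# The fonts glob is quoted so yum expands it against the repo, not the shell against the cwd.
pkgs=(
  bash-completion bash-completion-extras bind-utils net-tools ntpdate links htop tree
  tcpdump lsof vim ftp curl wget mtr tmux httpd-tools iotop iftop lrzsz sysstat screen
  telnet psmisc iptraf-ng nmap ntfs-3g xorg-x11-xauth xorg-x11-apps xorg-x11-utils
  'xorg-x11-fonts-*' fail2ban
)
yum install -y "${pkgs[@]}"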
源
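# Back up the stock repo definitions and switch to the Aliyun mirror.
repo_dir=/etc/yum.repos.d
for f in CentOS-Base epel epel-testing; do
  mv -- "$repo_dir/$f.repo" "$repo_dir/$f.repo.bak"
done
# The .repo files decide which servers every later package comes from (and carry the
# gpgcheck settings), so they are fetched over HTTPS rather than plain HTTP.
wget -O "$repo_dir/Centos-7.repo" https://mirrors.aliyun.com/repo/Centos-7.repo
wget -O "$repo_dir/epel-7.repo" https://mirrors.aliyun.com/repo/epel-7.repo
# Rebuild the metadata cache. If it fails with
# "-primary.sqlite.bz2: [Errno 14] HTTP Error 404 - Not Found", clear the cache and
# rebuild the rpm database indexes, then retry once.
yum makecache || { yum clean all; rpm --rebuilddb; yum makecache; }
# Unattended updates: with apply_updates = yes, yum-cron installs what it downloads.
yum -y install yum-cron
sed -i 's/^apply_updates = no/apply_updates = yes/' /etc/yum/yum-cron.conf
# Enable as well as start; the original only started them, so they would not survive a reboot.
systemctl enable crond && systemctl start crond
systemctl enable yum-cron && systemctl start yum-cron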
添加用户
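# Admin account. The password comes from the environment instead of a literal in the
# script, so the credential is not stored in this file or in the shell history of whoever
# pastes it.
adduser vos
: "${VOS_PASSWORD:?set VOS_PASSWORD to the initial password for user vos}"
printf '%s:%s\n' vos "$VOS_PASSWORD" | chpasswd
# Passwordless sudo for vos, as in the original. Written as a drop-in and checked with
# visudo -c rather than hand-edited into /etc/sudoers with vim, where a typo breaks sudo for
# every account. (The stock CentOS 7 /etc/sudoers has #includedir /etc/sudoers.d — verify.)
# NOPASSWD: ALL means this account is root-equivalent with no re-authentication, so its
# password and SSH key are the only things protecting root.
sudoers_file=/etc/sudoers.d/vos
printf 'vos ALL=(ALL) NOPASSWD: ALL\n' > "$sudoers_file"
chmod 0440 "$sudoers_file"
visudo -cf "$sudoers_file" || { rm -f -- "$sudoers_file"; exit 1; }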
基本配置
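sshd_cfg=/etc/ssh/sshd_config
# Keep a pristine copy (same .default convention as the other backups on this page).
cp -an "$sshd_cfg" "$sshd_cfg.default"
# Non-default port, no reverse-DNS lookup per connection, no GSSAPI, no empty passwords,
# no direct root login (the sudo-enabled vos account is used instead). Same substitutions
# as the original, applied in one pass.
sed -i -e 's%#Port 22%Port 22222%' \
       -e 's%#UseDNS yes%UseDNS no%' \
       -e 's%GSSAPIAuthentication yes%GSSAPIAuthentication no%' \
       -e 's%#PermitEmptyPasswords no%PermitEmptyPasswords no%' \
       -e 's%#PermitRootLogin yes%PermitRootLogin no%' "$sshd_cfg"
# SELinux: permissive now, disabled on next boot (the original's choice). Had it stayed
# enforcing, port 22222 would additionally need `semanage port -a -t ssh_port_t -p tcp 22222`.
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config && setenforce 0
# firewalld is stopped here and re-enabled in a later step that opens 21/22222/80/443.
systemctl stop firewalld.service && systemctl disable firewalld.service
systemctl stop postfix.service && systemctl disable postfix.service
# The original never restarted sshd, so none of the edits took effect until a reboot.
# Restart last — after SELinux is permissive and the firewall is down — so the new port can
# be bound and reached; validate first, because a broken sshd_config plus a restart is a
# remote lockout. The current session stays open either way.
sshd -t && systemctl restart sshd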
设置history命令时间戳
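# Timestamp (and user) on every history entry, larger history. Appended once — a re-run
# must not duplicate the export lines — instead of being pasted in with vi.
# The heredoc delimiter is quoted so $(whoami) is written literally and evaluated when
# /etc/profile is sourced, exactly as the original backtick form was.
if ! grep -q '^export HISTTIMEFORMAT=' /etc/profile; then
  cat >>/etc/profile <<'EOF'
export HISTTIMEFORMAT="%Y-%m-%d:%H-%M-%S:$(whoami):"
export HISTSIZE="10000"
EOF
fi
# shellcheck disable=SC1091
source /etc/profile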
禁止Control+Alt+Delete重启系统
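# Keep a copy of the stock unit for reference.
cp -a /usr/lib/systemd/system/ctrl-alt-del.target /usr/lib/systemd/system/ctrl-alt-del.target.default
# Mask the target instead of deleting the unit file: a file removed from /usr/lib is put
# back by the next systemd package update, while the mask (a symlink under /etc) persists.
systemctl mask ctrl-alt-del.target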
隐藏系统版本信息
# Move the console and network pre-login banners aside so the distribution string is not
# shown before authentication; the .bak copies allow restoring them.
mv /etc/issue /etc/issue.bak
mv /etc/issue.net /etc/issue.net.bak
修改最大文件打开数
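limits_cfg=/etc/security/limits.conf
cp -a "$limits_cfg" "$limits_cfg.default"
# Raise open-file and process limits for all users. Appended once (guarded against re-runs)
# rather than pasted in with vim.
# NOTE(review): on CentOS 7, /etc/security/limits.d/20-nproc.conf sets its own nproc value
# for non-root users and files in limits.d are read after this one — confirm which wins.
if ! grep -q '^\* soft nofile 65536' "$limits_cfg"; then
  cat >>"$limits_cfg" <<'EOF'
* soft nofile 65536
* hard nofile 65536
* soft nproc 65535
* hard nproc 65535
EOF
fi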
配置时区时间
# Timezone, then a one-shot clock sync against Aliyun's NTP server, written back to the RTC.
# Nothing on this page configures a continuous time service (chronyd/ntpd), so the clock
# is only corrected when this step is run.
timedatectl set-timezone Asia/Shanghai
ntpdate ntp.aliyun.com
hwclock -w
防ssh爆破
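jail_local=/etc/fail2ban/jail.local
# Jail definitions, appended once instead of pasted in with vim.
# Fix versus the original: the sshd jail used port 2222, but sshd_config is set to Port
# 22222 and the firewall opens 22222, so the iptables ban rule was written for a port the
# attacker never uses and the ban had no effect.
# NOTE(review): [DEFAULT] selects firewallcmd-ipset, but every jail overrides it with a
# plain iptables action; those rules sit outside firewalld's state once firewalld is
# enabled later on this page — consider removing the per-jail action lines. Confirm.
# NOTE(review): the vsftpd jail is enabled although vsftpd is not among the packages
# installed here and its log path may not exist — confirm fail2ban starts with it enabled.
if ! grep -q '^\[sshd\]' "$jail_local" 2>/dev/null; then
  cat >>"$jail_local" <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1/8 222.222.222.222
bantime = 86400
findtime = 600
maxretry = 3
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-allports
backend = systemd

[sshd]
enabled = true
filter = sshd
# must match the Port= in sshd_config and the firewall rule (22222 on this host)
port = 22222
action = iptables[name=SSH, port=22222, protocol=tcp]
logpath = /var/log/secure
maxretry = 2
bantime = 86400

[vsftpd]
enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=21, protocol=tcp]
logpath = /var/log/vsftpd.log
maxretry = 2
bantime = 1800

[nginx]
enabled = true
port = http,https
filter = nginx
action = iptables[name=nginx, port=http, protocol=tcp]
logpath = /var/log/access.log
bantime = 3600
findtime = 60
maxretry = 5
EOF
fi
# Custom filter: any client producing 404 responses; with the jail above that is 5 hits in
# 60 s, which ordinary crawlers and users with stale bookmarks can also trigger.
cat >/etc/fail2ban/filter.d/nginx.conf <<'EOF'
[Definition]
failregex = <HOST> -.*- .*HTTP/1.* 404 .*$
ignoreregex =
EOF
systemctl start fail2ban
systemctl enable fail2ban
fail2ban-client status sshd
systemctl restart fail2ban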
修改内核参数
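sysctl_cfg=/etc/sysctl.conf
# Kernel and network settings, appended once (guarded against re-runs) and then loaded.
# NOTE(review): net.ipv4.tcp_tw_reuse only takes effect when TCP timestamps are on, and
# tcp_timestamps is set to 0 below — one of the two is ineffective as written; confirm
# which is intended. tcp_tw_recycle is left commented out as in the original; it is known
# to break clients behind NAT.
if ! grep -q '^kernel.sysrq = 0' "$sysctl_cfg"; then
  cat >>"$sysctl_cfg" <<'EOF'
# kernel
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
# socket buffers / backlog
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
# ICMP: no replies to broadcast, bogus or (echo_ignore_all) any echo request -
# the host will not answer ping at all
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.ip_forward = 0
net.ipv4.ip_local_port_range = 1024 65000
# TCP: SYN cookies and aggressive timers
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
#net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
# routing hygiene: no redirects in or out, no source routing, strict reverse-path
# filtering, log packets with impossible source addresses
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF
fi
sysctl -p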
开启防火墙
# Persistent firewall: the public zone keeps only the ports this host actually serves.
# (An earlier step on this page disabled firewalld; this one turns it back on.)
systemctl enable firewalld.service
systemctl start firewalld.service
# Drop the two stock services; the ssh service entry means port 22, which sshd no longer uses.
for svc in dhcpv6-client ssh; do
  firewall-cmd --zone=public --remove-service="$svc" --permanent
done
# FTP control port, the relocated sshd, HTTP and HTTPS.
for port in 21 22222 80 443; do
  firewall-cmd --zone=public --add-port="${port}/tcp" --permanent
done
# --permanent rules only apply after a reload.
firewall-cmd --reload