
CentOS7 Daily Configuration

System, 2 years ago (2019-12-24)


Upgrade the system

yum -y update && yum -y upgrade


Change the hostname

hostnamectl --static set-hostname v2 && su


Configure the network

nmtui-edit

Test
ping -c3 google.com
mii-tool enp0s3
ethtool enp0s3


Common packages

yum install epel-release
yum install bash-completion bash-completion-extras bind-utils net-tools ntpdate links htop tree tcpdump lsof vim ftp curl wget curl mtr tmux htop httpd-tools iotop iftop lrzsz sysstat screen telnet psmisc iptraf-ng nmap ntfs-3g xorg-x11-xauth xorg-x11-apps xorg-x11-utils xorg-x11-fonts-* fail2ban -y


mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.bak
mv /etc/yum.repos.d/epel-testing.repo /etc/yum.repos.d/epel-testing.repo.bak

wget -O /etc/yum.repos.d/Centos-7.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel-7.repo http://mirrors.aliyun.com/repo/epel-7.repo

Run yum makecache
# If you get the error "-primary.sqlite.bz2: [Errno 14] HTTP Error 404 - Not Found", run:
yum clean all
rpm --rebuilddb

yum -y install yum-cron
vim /etc/yum/yum-cron.conf
Change to
# Whether updates should be applied when they are available.  Note
# that download_updates must also be yes for the update to be applied.
apply_updates = yes

systemctl start crond
systemctl start yum-cron


Add a user

adduser vos
echo "vos:voscn" | chpasswd    # format is username:password (user vos, password voscn)

vim /etc/sudoers
Add under:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
vos    ALL=(ALL)  NOPASSWD:   ALL


Basic configuration

sed -i 's%#Port 22%Port 22222%' /etc/ssh/sshd_config
sed -i 's%#UseDNS yes%UseDNS no%' /etc/ssh/sshd_config    
sed -i 's%GSSAPIAuthentication yes%GSSAPIAuthentication no%' /etc/ssh/sshd_config  
sed -i 's%#PermitEmptyPasswords no%PermitEmptyPasswords no%' /etc/ssh/sshd_config  
sed -i 's%#PermitRootLogin yes%PermitRootLogin no%' /etc/ssh/sshd_config 
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config  && setenforce 0 
systemctl stop firewalld.service && systemctl disable firewalld.service   
systemctl stop postfix.service && systemctl disable postfix.service
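The sed one-liners above only match the stock commented lines (for example "#Port 22"); if a directive is already uncommented with another value they silently change nothing. The following is an added example, not code from the original post: it applies the same five sshd_config directives whether the line is commented, uncommented or absent, and reads back the effective values the way sshd does (first uncommented occurrence wins). The sample config is constructed for the demonstration.

```python
import re

# Desired values, taken from the sed commands in this section.
HARDENING = {
    "Port": "22222",
    "UseDNS": "no",
    "GSSAPIAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "PermitRootLogin": "no",
}


def set_directive(config, key, value):
    """Set `key value` on the first matching line, commented or not; append if absent."""
    # Matches "Key x", "#Key x" and "# Key x" at the start of a line.
    pattern = re.compile(rf"^[ \t]*#?[ \t]*{re.escape(key)}[ \t]+\S.*$", re.MULTILINE)
    replacement = f"{key} {value}"
    new, count = pattern.subn(replacement, config, count=1)
    if count == 0:
        new = config.rstrip("\n") + f"\n{replacement}\n"
    return new


def harden(config):
    """Apply every directive in HARDENING to the config text."""
    for key, value in HARDENING.items():
        config = set_directive(config, key, value)
    return config


def effective(config):
    """Active directives as sshd reads them: uncommented, first occurrence wins."""
    found = {}
    for line in config.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            found.setdefault(key, value.strip())
    return found


# Constructed sample: Port and PermitRootLogin are already uncommented, so the
# sed patterns "#Port 22" and "#PermitRootLogin yes" would leave them untouched.
SAMPLE = """# sshd_config (constructed sample)
Port 2200
#UseDNS yes
GSSAPIAuthentication yes
#PermitEmptyPasswords no
PermitRootLogin yes
"""
```

Run `sshd -t` after writing the result to /etc/ssh/sshd_config and before restarting sshd, so a typo cannot lock you out.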


Add timestamps to the history command

vi /etc/profile
Add
export HISTTIMEFORMAT="%Y-%m-%d:%H-%M-%S:`whoami`:"
export HISTSIZE="10000"

Run source /etc/profile


Disable rebooting with Control+Alt+Delete

cp -a /usr/lib/systemd/system/ctrl-alt-del.target /usr/lib/systemd/system/ctrl-alt-del.target.default
rm -rf /usr/lib/systemd/system/ctrl-alt-del.target


Hide system version information

mv /etc/issue /etc/issue.bak 
mv /etc/issue.net /etc/issue.net.bak


Raise the maximum number of open files

cp -a /etc/security/limits.conf  /etc/security/limits.conf.default
vim /etc/security/limits.conf
Add
* soft nofile 65536
* hard nofile 65536
* soft nproc 65535
* hard nproc 65535


Set the time zone and time

timedatectl set-timezone Asia/Shanghai
ntpdate ntp.aliyun.com
hwclock -w


Protect against SSH brute force

vim /etc/fail2ban/jail.local
Add
[DEFAULT]
ignoreip = 127.0.0.1/8 222.222.222.222
bantime  = 86400
findtime = 600
maxretry = 3
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-allports
backend = systemd

[sshd]
enabled  = true
filter   = sshd
# must match the Port set in sshd_config and opened in firewalld (22222)
port = 22222
action   = iptables[name=SSH, port=22222, protocol=tcp]
logpath  = /var/log/secure
maxretry = 2
bantime = 86400

[vsftpd]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=21, protocol=tcp]
logpath  = /var/log/vsftpd.log
maxretry = 2
bantime  = 1800

[nginx]
enabled = true
port = http,https
filter = nginx
action = iptables[name=nginx, port=http, protocol=tcp]
logpath = /var/log/access.log
bantime = 3600
findtime = 60
maxretry = 5

vim /etc/fail2ban/filter.d/nginx.conf
Add
[Definition]
failregex = <HOST> -.*- .*HTTP/1.* 404 .*$
ignoreregex =

systemctl start fail2ban
systemctl enable fail2ban
fail2ban-client status sshd
systemctl restart fail2ban
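A dry run of the [nginx] jail above: fail2ban filters are Python regular expressions, so the failregex from filter.d/nginx.conf can be run over sample access-log lines and the maxretry/findtime rule applied to see which hosts it would ban. This is an added example, not code from the original post or from fail2ban. It assumes fail2ban's `<HOST>` tag (which really matches IPv4, IPv6 and hostnames) narrowed to an IPv4 capture group, and a timestamp parser for the nginx combined log format only; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Values taken from the [nginx] jail and filter.d/nginx.conf above.
FAILREGEX = r"<HOST> -.*- .*HTTP/1.* 404 .*$"
FINDTIME = timedelta(seconds=60)
MAXRETRY = 5

# Assumption: <HOST> is narrowed to an IPv4 capture group (fail2ban's own
# expansion also covers IPv6 and hostnames).
HOST_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def parse_line(line):
    """Return (host, timestamp) when the line matches the failregex, else None."""
    m, ts = HOST_RE.search(line), TS_RE.search(line)
    if not m or not ts:
        return None
    return m.group("host"), datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts with at least maxretry matching lines inside one findtime window."""
    failures = {}
    for line in lines:
        hit = parse_line(line)
        if hit:
            failures.setdefault(hit[0], []).append(hit[1])
    banned = set()
    for host, times in failures.items():
        times.sort()
        # Slide a window of maxretry consecutive failures over the timestamps.
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(host)
                break
    return banned


def _line(host, hhmmss, path, status):
    # Constructed nginx combined-format access log line.
    return (f'{host} - - [24/Dec/2019:{hhmmss} +0800] '
            f'"GET {path} HTTP/1.1" {status} 162 "-" "curl/7.29"')


SAMPLE_LOG = (
    # scanner: five missing pages within 8 s, reaches maxretry inside findtime
    [_line("203.0.113.7", f"10:00:{s:02d}", f"/p{s}.php", 404) for s in (0, 2, 4, 6, 8)]
    # slow 404s one minute apart: never five inside a 60 s window
    + [_line("198.51.100.9", f"10:{m:02d}:00", "/old", 404) for m in range(5)]
    # normal visitor: a 200 response does not match the failregex
    + [_line("192.0.2.5", "10:00:01", "/index.html", 200)]
)
```

On a real host, `fail2ban-regex /var/log/access.log /etc/fail2ban/filter.d/nginx.conf` performs the same check with fail2ban's full `<HOST>` expansion.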


Tune kernel parameters

vim /etc/sysctl.conf
Add
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.ip_forward = 0
net.ipv4.ip_local_port_range = 1024    65000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
#net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096        87380   4194304
net.ipv4.tcp_wmem = 4096        16384   4194304
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

Run sysctl -p


Enable the firewall

systemctl enable firewalld.service
systemctl start firewalld.service
firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent
firewall-cmd --zone=public --remove-service=ssh --permanent
firewall-cmd --zone=public --add-port=21/tcp --permanent
firewall-cmd --zone=public --add-port=22222/tcp --permanent
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload


All articles on this site may be freely reproduced; when reproducing, please keep the original link and author.

Article link: https://www.vos.cn/os/375.html
