升级系统

yum -y update && yum -y upgrade

修改计算机名

hostnamectl --static set-hostname v2 && su

配置网络

nmtui-edit

测试
ping -c3 google.com
mii-tool enp0s3
ethtool enp0s3

常用组件

yum install epel-release
yum install bash-completion bash-completion-extras net-tools ntpdate links htop tree tcpdump lsof vim ftp curl wget curl mtr tmux htop httpd-tools iotop iftop lrzsz sysstat screen telnet psmisc iptraf-ng nmap ntfs-3g xorg-x11-xauth xorg-x11-apps xorg-x11-utils xorg-x11-fonts-* fail2ban -y

源

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.bak
mv /etc/yum.repos.d/epel-testing.repo /etc/yum.repos.d/epel-testing.repo.bak

wget -O /etc/yum.repos.d/Centos-7.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel-7.repo http://mirrors.aliyun.com/repo/epel-7.repo

执行yum makecache
#如果遇到-primary.sqlite.bz2: [Errno 14] HTTP Error 404 - Not Found错误
yum clean all
rpm --rebuilddb

yum -y install yum-cron
vim /etc/yum/yum-cron.conf
改为
# Whether updates should be applied when they are available.  Note
# that download_updates must also be yes for the update to be applied.
apply_updates = yes

systemctl start crond
systemctl start yum-cron

添加用户

adduser vos
echo "vos用户名":"voscn密码" | chpasswd

vim /etc/sudoers
添加到
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
vos    ALL=(ALL)  NOPASSWD:   ALL

基本配置

sed -i 's%#Port 22%Port 22222%' /etc/ssh/sshd_config
sed -i 's%#UseDNS yes%UseDNS no%' /etc/ssh/sshd_config    
sed -i 's%GSSAPIAuthentication yes%GSSAPIAuthentication no%' /etc/ssh/sshd_config  
sed -i 's%#PermitEmptyPasswords no%PermitEmptyPasswords no%' /etc/ssh/sshd_config  
sed -i 's%#PermitRootLogin yes%PermitRootLogin no%' /etc/ssh/sshd_config 
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config  && setenforce 0 
systemctl stop firewalld.service && systemctl disable firewalld.service   
systemctl stop postfix.service && systemctl disable postfix.service

设置history命令时间戳

vi /etc/profile
添加
export HISTTIMEFORMAT="%Y-%m-%d:%H-%M-%S:`whoami`:"
export HISTSIZE="10000"

执行source /etc/profile

禁止Control+Alt+Delete重启系统

cp -a /usr/lib/systemd/system/ctrl-alt-del.target /usr/lib/systemd/system/ctrl-alt-del.target.default
rm -rf /usr/lib/systemd/system/ctrl-alt-del.target

隐藏系统版本信息

mv /etc/issue /etc/issue.bak 
mv /etc/issue.net /etc/issue.net.bak

修改最大文件打开数

cp -a /etc/security/limits.conf  /etc/security/limits.conf.default
vim /etc/security/limits.conf
添加
* soft nofile 65536
* hard nofile 65536
* soft nproc 65535
* hard nproc 65535

配置时区时间

timedatectl set-timezone Asia/Shanghai
ntpdate ntp.aliyun.com
hwclock -w

防ssh爆破

vim /etc/fail2ban/jail.local
添加
[DEFAULT]
ignoreip = 127.0.0.1/8 222.222.222.222
bantime  = 86400
findtime = 600
maxretry = 3
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-allports
backend = systemd

[sshd]
enabled  = true
filter   = sshd
port = 2222
action   = iptables[name=SSH, port=2222, protocol=tcp]
logpath  = /var/log/secure
maxretry = 2
bantime = 86400

[vsftpd]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=21, protocol=tcp]
logpath  = /var/log/vsftpd.log
maxretry = 2
bantime  = 1800

[nginx]
enabled = true
port = http,https
filter = nginx
action = iptables[name=nginx, port=http, protocol=tcp]
logpath = /var/log/access.log
bantime = 3600
findtime = 60
maxretry = 5

vim /etc/fail2ban/filter.d/nginx.conf
添加
[Definition]
failregex = <HOST> -.*- .*HTTP/1.* 404 .*$
ignoreregex =

systemctl start fail2ban
systemctl enable fail2ban
fail2ban-client status sshd
systemctl restart fail2ban

修改内核参数

vim /etc/sysctl.conf
添加
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.ip_forward = 0
net.ipv4.ip_local_port_range = 1024    65000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
#net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096        87380   4194304
net.ipv4.tcp_wmem = 4096        16384   4194304
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

执行sysctl -p

开启防火墙

systemctl enable firewalld.service
systemctl start firewalld.service
firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent
firewall-cmd --zone=public --remove-service=ssh --permanent
firewall-cmd --zone=public --add-port=21/tcp --permanent
firewall-cmd --zone=public --add-port=22222/tcp --permanent
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload