基本原则:
[root@localhost etc]# uname -r
2.6.32-504.el6.x86_64
[root@localhost etc]# uname -a
Linux localhost.localdomain 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost etc]# uname -m
x86_64
[root@localhost etc]# cat /etc/rehat-release
cat: /etc/rehat-release: 没有那个文件或目录
[root@localhost etc]# cat /etc/redhat-release
CentOS release 6.5 (Final)
使用setup命令或编辑/etc/sysconfig/network-scripts/ifcfg-eth0内容
网卡配置完成后执行
ifup eth0 启动网卡ifconfig eth0 查看获取的ipping baidu.com 检测网卡是否畅通
尽量不用/etc/init.d/network restart重启网卡,这会影响物理机上的所有网卡
[root@localhost ~]# ifdown eth0 && ifup eth0 快速重启
网卡配置文件
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0 # 网卡名, eth1第二块网卡名,以此类推
TYPE=Ethernet # 上网类型,以太网
UUID=8d6bdf86-1fda-4334-99bb-74b634018e9d # 唯一标志码
ONBOOT=yes # 开机自启动
NM_CONTROLLED=yes # 是否通过NetworkManager管理网卡设备
BOOTPROTO=dhcp # 启动协议,none|bootp|dhcp三种选项
HWADDR=00:0C:29:50:98:80 # 网卡mac地址
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no # 是否支持IP6
LAST_CONNECT=1486401226
IPADDR=10.0.1.16 # 固定IP
PREFIX=23
GATEWAY=10.0.0.1
NETMASK=255.255.255.0 #子网掩码
DNS1=114.114.114.114 # 主DNS,默认会覆盖/etc/resolv.conf的配置
[root@localhost ~]# cp/etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
[root@localhost ~]# <span>wget</span> <span>-</span><span>O</span> <span>/</span><span>etc</span><span>/</span><span>yum</span><span>.repos</span><span>.d</span><span>/</span><span>CentOS</span><span>-</span><span>Base</span><span>.repo</span> <span>http</span><span>:</span><span>/</span><span>/</span><span>mirrors</span><span>.</span><span>163.com</span><span>/</span><span>.help</span><span>/</span><span>CentOS6</span><span>-</span><span>Base</span><span>-</span><span>163.repo</span>
[root@localhost ~]# yum clean all
[root@localhost ~]# yum makecache
[root@localhost ~]# yum update -y # 更新系统,打补丁
[root@localhost ~]# yum install tree telnet dos2unix sysstat lrzsz nc nmap -y
sysstat包含了iostat(cpu使用率和硬盘吞吐率)、mpstat(单个或多个)处理器相关的数据、sor(收集报告并存储系统活跃信息)
yum grouplist 查看所有包名称yum groupinstall "Development Tools" 指定包组名安装,注意需要双引号
1、检查物理链路是否有问题(客户端执行)
ping 10.0.0.7 # 排查线路问题
windows:tracert -d 10.0.0.7 # 检查线路是否畅通 -d 不进行反向解析
linux:traceroute 10.0.0.7 -n
2、服务是否开启端口(客户端执行)
telnet 10.0.0.7 22
nmap 10.0.0.7 -p 22 (linux环境,需要安装)
3、是否防火墙阻挡(服务端执行)
/etc/init.d/iptables status
例如:检查ssh服务是否开启
[root@localhost ~]# ps -ef | grep sshd | grep -v grep
root 1225 1 0 15:47 ? 00:00:00 sshd: xpp [priv]
xpp 1228 1225 0 15:47 ? 00:00:10 sshd: xpp@pts/0
root 2424 1 0 17:31 ? 00:00:00 /usr/sbin/sshd
[root@localhost ~]# netstat -lntup | grep sshd
tcp 0 0 0.0.0.0:52113 0.0.0.0:* LISTEN 2424/sshd
tcp 0 0 :::52113 :::* LISTEN 2424/sshd
[root@localhost ~]#
[root@localhost ~]# useradd xpp
[root@localhost ~]# passwd xpp
Changing password for user xpp.
New password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
注释掉系统不需要的用户和用户组
[root@localhost ~]# cp /etc/passwd /etc/passwdbak #修改之前先备份
[root@localhost ~]# vi /etc/passwd #编辑用户,在前面加上#注释掉此行
#adm:x:3:4:adm:/var/adm:/sbin/nologin
#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
#sync:x:5:0:sync:/sbin:/bin/sync
#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
#halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
#operator:x:11:0:operator:/root:/sbin/nologin
#games:x:12:100:games:/usr/games:/sbin/nologin
#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
[root@localhost ~]# cp /etc/group /etc/groupbak #修改之前先备份
[root@localhost ~]# vi /etc/group #编辑用户组,在前面加上#注释掉此行
#adm:x:4:root,adm,daemon
#lp:x:7:daemon,lp
#uucp:x:14:uucp
#games:x:20:
#dip:x:40:
方法1:
执行ntsysv命令
方法2:
执行setuo命令->system service,然后在弹出的窗口中进行设置
[root@localhost ~]# chkconfig | grep 3:on #检查开机自启动的服务
[root@localhost ~]# for oldboy in `chkconfig --list|grep "3:on"|awk '{print $1}'|grep -vE "crond|network|sshd|rsyslog|sysstat"`;do chkconfig $oldboy off;done
只保留五个服务
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off
关闭seLinux及iptables(在工作场景,如果有外部IP一般要打开)
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config #关闭selinx
[root@localhost ~]# /etc/init.d/iptables stop #关闭防火墙
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# /etc/init.d/iptables stop #重复执行确认已关闭
[root@localhost ~]# chkconfig iptables off #关闭开机自启动命令,前面已经关闭这里无需执行
[root@localhost ~]# chkconfig --list|grep ipt
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
跟改SSH服务端远程登录配置
echo "#-----------------sshConfig修改ssh默认登录端口,禁止root登录----------#"
\cp /etc/ssh/sshd_config /etc/ssh/sshd_config.`date +"%F%H%M%S"`
sed -i 's%#Port 22%Port 52113%' /etc/ssh/sshd_config #修改端口
sed -i 's%#PermitRootLogin yes%PermitRootLogin no%' /etc/ssh/sshd_config #是否允许密码为空的用户远程登录
sed -i 's%#UseDNS yes%UseDNS no%' /etc/ssh/sshd_config #指定sshd是否应该对远程主机名进行反向解析
sed -i 's%GSSAPIAuthentication yes%GSSAPIAuthentication no%' /etc/ssh/sshd_config #解决linux之间使用ssh远程连接慢的问题
egrep "UseDNS|52113|RootLogin|EmptyPass|GSSAPIAuthentication" /etc/ssh/sshd_config
/etc/init.d/sshd reload
添加密钥
[xpp@localhost ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/xpp/.ssh/id_rsa):
Created directory '/home/xpp/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/xpp/.ssh/id_rsa.
Your public key has been saved in /home/xpp/.ssh/id_rsa.pub.
The key fingerprint is:
09:ee:a6:b7:c7:bc:20:20:46:e4:54:d0:c3:50:e6:46 xpp@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| =BE |
|+ ++ |
| o o. . |
|. . . . . |
|... . S |
|.. . . |
| . +o |
| +..+ |
| ...o.. |
+-----------------+
具体参考:http://www.xuepanpan.com/blog/299
根据自己服务器给普通账号设置sudo
具体参考: http://www.xuepanpan.com/blog/299
删除系统登录欢迎信息
删除/etc/issue、/etc/issue.net、/etc/redhat-release和/etc/motd文件内容
[root@localhost ~]# echo /dev/null >/etc/issue
[root@localhost ~]# echo /dev/null >/etc/issue.net
[root@localhost ~]# echo /dev/null >/etc/redhat-release
[root@localhost ~]# echo /dev/null >/etc/motd
禁止 Control-Alt-Delete 键盘关闭命令
[root@localhost ~]# vim /etc/init/control-alt-delete.conf
找到如下内容:exec /sbin/shutdown -r now “Control-Alt-Delete pressed”在之前加上“ #”,注释掉即可
设置Shell历史命令记录功能
[root@localhost ~]# vim /etc/bashrc
加入下面四行内容让history命令自动记录所有shell命令的执行时间
HISTFILESIZE=4000
HISTSIZE=4000
export HISTTIMEFORMAT
设置tcp_wrappers 防火墙只允许固定IP登录
查看系统是否安装了 Tcp_Wrappers
[root@localhost ~]# rpm -q tcp_wrappers
tcp_wrappers-7.6-57.el6.x86_64
[root@localhost xpp]# rpm -qa | grep tcp
tcp_wrappers-libs-7.6-57.el6.x86_64
tcpdump-4.0.0-3.20090921gitdf3cb4.2.el6.x86_64
tcp_wrappers-7.6-57.el6.x86_64
[root@localhost ~]# vim /etc/hosts.allow
添加内容:
sshd:172.16.1.118
[root@localhost ~]# vim /etc/hosts.allow
添加内容:
sshd:ALL
[root@localhost etc]# cat /etc/sysconfig/i18n
[root@localhost etc]# cp /etc/sysconfig/i18n /etc/sysconfig/i18n.ori
[root@localhost etc]# echo 'LANG="zh_CN.UTF-8"' >/etc/sysconfig/i18n
[root@localhost etc]# source /etc/sysconfig/i18n #使上文修改生效
[root@localhost etc]# echo $LANG
zh_CN.UTF-8
[root@localhost ~]# echo "#times sync by lee at $(date +%F)" >>/var/spool/cron/root
[root@localhost ~]# echo "*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1" >> /var/spool/cron/root
[root@localhost ~]# crontab -l
#times sync by lee at 2017-12-28
*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1
调整Linux文件描述符数量
TBD
Linux内核参数优化
TBD
定时清理邮件服务临时目录垃圾文件
TBD
锁定关键文件,防止篡改
TBD
禁止系统被Ping
TBD
升级具有典型漏洞的软件版本
TBD