1.添加一个普通用户
# Create the unprivileged admin login. The password is a weak literal and the
# whole command is recorded in shell history, so treat it as a bootstrap value
# only: set a real one at first login (e.g. `chage -d 0 oldboy` forces the
# change). Step 10 trims HISTSIZE later, after this line is already in history.
useradd oldboy
echo 123456 | passwd --stdin oldboy
2.加到sudo管理
# visudo edits /etc/sudoers under a lock and refuses to save a file that does
# not parse; add the rule below around line 100, next to the %wheel rules.
visudo # around line 100
oldboy  ALL=(ALL)       NOPASSWD: ALL
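# NOPASSWD: ALL makes the oldboy account equivalent to root: whoever holds its
# password or key gets a root shell with no further prompt. Unless unattended
# automation needs it, prefer the default `%wheel ALL=(ALL) ALL` form.
# Parse-check the file first: a malformed /etc/sudoers breaks sudo for every
# user, and grep only proves the text is present, not that it is valid.
visudo -c
grep -w oldboy /etc/sudoers
# Show the grants as sudo itself evaluates them.
sudo -l -U oldboy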

安装最后一步将oldboy设置为管理员了,是加入到wheel组里了

3.禁用root远程登陆,改为oldboy用户登陆

企业场景 修改默认端口22为52113 优化远程ssh配置

# Edit sshd_config and set the directives listed below. Keep a copy first
# (cp /etc/ssh/sshd_config{,.ori}) so a bad edit can be reverted from the
# console if the restart in the last step locks remote sessions out.
vim /etc/ssh/sshd_config
PermitEmptyPasswords no
UseDNS no
GSSAPIAuthentication no
38行改为
PermitRootLogin no
ListenAddress 172.16.1.7:52113
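# Restarting with a typo in sshd_config leaves sshd down and locks remote
# sessions out: parse-check first and restart only if that succeeds.
# At this point in the procedure SELinux is still enforcing and firewalld is
# still running (step 6 turns them off later), so the non-default port is
# blocked twice until it is permitted:
#   semanage port -a -t ssh_port_t -p tcp 52113
#   firewall-cmd --permanent --add-port=52113/tcp && firewall-cmd --reload
# ListenAddress 172.16.1.7:52113 also binds sshd to that single address, so a
# login via any other interface address is refused. Keep this session open and
# confirm a second login on the new port before closing it.
sshd -t && systemctl restart sshd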

测试ssh root连接

[root@oldboy ~]$ ssh root@10.0.0.128
root@10.0.0.128's password: 
Permission denied, please try again.

以后登陆通过oldboy登陆,通过sudo su -切换root

4.更新yum源

配置yum源-阿里云

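# Switch the base repo to the Aliyun mirror, keeping the original as .backup.
# wget and curl are alternatives; one of them is enough. Note that `wget -O`
# truncates the target even when the download fails, and plain `curl -s -o`
# would save an HTTP error page as the repo file: -f makes curl fail on HTTP
# errors and -S still reports them despite -s. The mirror is fetched over
# HTTPS, but package authenticity comes from gpgcheck=1 inside the .repo file,
# so confirm it is still set.
mv /etc/yum.repos.d/CentOS-Base.repo{,.backup}
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
curl -fsS -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
grep -E '^gpgcheck=' /etc/yum.repos.d/CentOS-Base.repo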

第三方源
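# Third-party EPEL repo from the same mirror; wget and curl are alternatives.
# -f stops curl from saving an HTTP error page as the .repo file and -S still
# prints the error under -s. Confirm gpgcheck=1 survived in the result.
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
curl -fsS -o /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
grep -E '^gpgcheck=' /etc/yum.repos.d/epel.repo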
5.安装常用软件
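# Optional: bring every package to its latest version. A kernel update only
# takes effect after a reboot.
yum -y update
# Common tooling. nmap, tcpdump, nc and nethogs are network recon/capture
# tools; on production hosts consider installing them only where they are
# actually needed rather than on every machine.
yum -y install tree nmap dos2unix lrzsz nc lsof wget tcpdump htop iftop iotop sysstat nethogs
# Fixed typo: the package is net-tools; yum reports the misspelled name as
# unavailable and ifconfig/netstat never get installed.
yum -y install psmisc net-tools bash-completion vim-enhanced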
6.安全优化
a.关闭selinux
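# Disabling SELinux removes the kernel's mandatory access control entirely and
# weakens the rest of this hardening; `permissive` keeps logging denials
# without blocking anything and is the safer value if the policy gets in the
# way. `^SELINUX=.*` matches the current mode whatever it is (the original
# only matched enforcing, so a permissive host was left unchanged), and -i.bak
# keeps a backup, consistent with step 13.
sed -i.bak 's#^SELINUX=.*#SELINUX=disabled#' /etc/selinux/config
grep '^SELINUX=disabled' /etc/selinux/config
# setenforce 0 switches to permissive immediately; `disabled` in the config
# only applies after a reboot, and re-enabling later forces a full relabel.
setenforce 0
getenforce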

b.暂时关闭防火墙
# "Temporarily" is the key word: with firewalld stopped and disabled the host
# accepts connections on every listening port, including the new sshd port,
# from any source. Re-enable it (or another host firewall) once the service
# set is known, allowing 52113/tcp before doing so. The nf_conntrack keys in
# step 12 only exist while the conntrack module is loaded, which stopping the
# firewall may prevent (see the comment inside that block).
systemctl stop firewalld
systemctl disable firewalld
systemctl status firewalld|grep inactive

 

7.手工添加管理员帐号(可选)
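# Optional second admin: -G wheel adds the supplementary group that the
# default `%wheel` sudoers rule grants sudo to (step 2 notes the installer does
# the same for oldboy). Same caveat as step 1: a weak literal password that
# ends up in shell history. Run this before step 14 — once /etc/passwd and
# /etc/shadow carry the immutable bit, useradd and passwd fail.
useradd oldgirl -G wheel
id oldgirl
# Fixed: the original `passwd --stdinoldgirl` lacks the space between the
# option and the user name, so passwd rejected it.
echo 111111 | passwd --stdin oldgirl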
8.设置字符集(可选)
方法1
# Locale, method 1: rewrite /etc/locale.conf by hand, keeping a .ori copy.
cp /etc/locale.conf /etc/locale.conf.ori
printf '%s\n' 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
# Load it into the current shell and show the result.
. /etc/locale.conf
printf '%s\n' "$LANG"

方法2
# Locale, method 2: let localectl write /etc/locale.conf, then show the file.
cp -- /etc/locale.conf /etc/locale.conf.ori
localectl set-locale 'LANG=zh_CN.UTF-8'
cat -- /etc/locale.conf
9.时间同步
# One-shot clock step with ntpdate. CentOS 7 usually has chronyd enabled; if
# it is running it already keeps the clock in sync, and ntpdate's jumps will
# fight it — check `systemctl is-active chronyd` first. Accurate time matters
# for log correlation across hosts and for certificate/Kerberos validity.
yum -y install ntpdate
/sbin/ntpdate ntp3.aliyun.com

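# Re-sync every five minutes from root's crontab. Two fixes: the original
# `*/5* * * *` has no space after `*/5`, leaving only four time fields, so cron
# rejects the entry; and `&>/dev/null` is a bashism, replaced by the portable
# `>/dev/null 2>&1` so it does not depend on cron's SHELL being bash.
# Writing the spool file directly bypasses crontab's syntax check, and
# `crontab -l` only lists the file, it does not validate it.
echo "*/5 * * * * /sbin/ntpdate ntp3.aliyun.com >/dev/null 2>&1" >> /var/spool/cron/root
crontab -l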
10.基础优化操作项:提升命令安全(可选)
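# Shell settings in /etc/profile, guarded so re-running the procedure does not
# append duplicate lines. Caveats:
#  - TMOUT=300 logs idle shells out after 5 minutes, but as a plain exported
#    variable any user can `unset TMOUT`; only `readonly TMOUT` makes it a
#    control rather than a default.
#  - HISTSIZE/HISTFILESIZE=5 keeps just five commands, which removes the one
#    local record of interactive commands that incident responders look at,
#    while not hindering a logged-in attacker at all. Central logging
#    (auditd/rsyslog) is the real control; the step 1 and 7 password commands
#    are already in history by the time this runs.
for line in 'export TMOUT=300' 'export HISTSIZE=5' 'export HISTFILESIZE=5'; do
  grep -qxF -- "$line" /etc/profile || printf '%s\n' "$line" >> /etc/profile
done
tail -3 /etc/profile
. /etc/profile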
11.加大文件描述符
# Raise the open-file limit for PAM login sessions. limits.conf is read by
# pam_limits, so systemd services are unaffected and need LimitNOFILE in their
# unit instead. `*` is single-quoted so the shell does not glob it.
printf '%s\n' '*               -       nofile          65535' >> /etc/security/limits.conf
tail -1 /etc/security/limits.conf
# Apply soft and hard limits to this shell only; new logins read limits.conf.
ulimit -SHn 65535
ulimit -n
12.基础优化操作,优化系统内核
# Kernel network tuning appended to /etc/sysctl.conf (re-running appends the
# same keys again; sysctl applies them in file order). Review before use:
#  - tcp_tw_recycle=1 drops SYNs from clients behind NAT (per-host timestamp
#    check) and was removed from Linux 4.12; tcp_tw_reuse alone is the safer
#    choice.
#  - tcp_syn_retries=1 / tcp_synack_retries=1 give up after one retransmit,
#    which fails connections on lossy links.
#  - the nf_conntrack keys exist only while the conntrack module is loaded;
#    with firewalld stopped (step 6) `sysctl -p` may report them as unknown,
#    as the comment inside the block already warns.
# The delimiter is quoted so nothing in the block is shell-expanded.
cat <<'EOF' >>/etc/sysctl.conf
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies= 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1 
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
#以下是ip防火墙,防火墙不开,可以忽略
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
#NFS共享优化
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.wmem_max = 16777216
net.core.rmem_max = 16777216
EOF

# Apply the file; unknown keys are reported individually.
sysctl -p
13.修改yum配置文件
/etc/yum.conf 里的keepcache=0改为keepcache=1
# Keep downloaded RPMs in the yum cache (keepcache=1): useful for reinstalls
# and for checking later exactly which packages were fetched. -i.bak leaves
# /etc/yum.conf.bak behind as the pre-change copy.
sed -i.bak -e 's#keepcache=0#keepcache=1#g' -- /etc/yum.conf
grep -- 'keepcache=1' /etc/yum.conf
14.锁定关键文件
# Set the immutable bit on the account databases so they cannot be edited or
# removed until it is cleared with `chattr -i`. This also blocks useradd,
# usermod and passwd, so run step 7 before this one. It is a speed bump, not
# a control: root can clear the bit. On CentOS 7 /etc/inittab is only a stub.
readonly -a locked_files=(/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab)
chattr +i "${locked_files[@]}"
lsattr "${locked_files[@]}"
15.清空/etc/issue、/etc/issue.net
[root@oldboy ~]$ > /etc/issue
[root@oldboy ~]$ > /etc/issue.net
16.清理虚拟帐号
17.grub菜单加密(可选) grub2-setpassword
18.禁止ping(内核参数)
net.ipv4.icmp_echo_ignore_all = 1 #禁止ping
19.精简开机自启动保留

sshd|crond|sysstat|rsyslog|NetworkManager|irqbalance

20.规范目录
# Standard directory layout: tools/scripts, application trees (nginx with its
# html and logs, mysql), backups and data. -p creates missing parents, so the
# nested nginx paths need no separate mkdir for /application or
# /application/nginx.
mkdir -p /server/{tools,scripts}
mkdir -p /application/nginx/{html,logs} /application/mysql
mkdir -p /backup /data