VMware新建一台1核1G的虚拟机,当做镜像模板,装好CentOS 7系统,然后再做基础优化

1.添加一个普通用户

# Create the day-to-day admin account. "123456" is the tutorial's sample value,
# not a password to keep. Piping it in keeps it off passwd's argv (so it is not
# visible in ps), but it is still recorded in this shell's history.
useradd oldboy
echo 123456 | passwd --stdin oldboy

2.加到sudo管理

# visudo syntax-checks the file before saving; add the rule below (around line 100).
visudo # around line 100
# NOPASSWD: ALL means sudo never asks for this user's password, so whoever holds
# the oldboy SSH credential is root with no second check.
oldboy  ALL=(ALL)       NOPASSWD: ALL
# Confirm the rule landed (-w matches the whole word only).
grep -w oldboy /etc/sudoers

提示:如果在系统安装时候添加普通用户,其实是将oldboy添加到wheel组里了,在/etc/sudoers里的wheel是管理员组。

3.禁用root远程登陆,改为oldboy用户登陆
企业场景,修改默认端口22为52113,优化远程ssh配置

# Harden sshd: edit /etc/ssh/sshd_config with the settings below, then restart.
vim /etc/ssh/sshd_config
PermitEmptyPasswords no
# No reverse-DNS lookup of the client on connect (avoids login delays when DNS is slow).
UseDNS no
GSSAPIAuthentication no
# line 38: change to
PermitRootLogin no
# Bind to one address and a non-default port. 172.16.1.7 is this tutorial's
# example host; use the template's own address (or 0.0.0.0). Note the login
# test further down connects to 192.168.238.128 — presumably the VM's real
# address differs, so adjust this line to match. If SELinux is still enforcing
# when sshd restarts (it is only disabled in step 6), sshd may refuse to bind
# 52113 until the port is labelled, e.g. `semanage port -a -t ssh_port_t -p tcp 52113`;
# likewise firewalld must allow the port while it is still running.
ListenAddress 172.16.1.7:52113
# Keep the current session open until a fresh login on the new port succeeds.
systemctl restart sshd

测试ssh root连接

[root@oldboy ~]$ ssh root@192.168.238.128
root@192.168.238.128's password: 
Permission denied, please try again.

以后登陆通过oldboy登陆,通过sudo su -切换root

4.更新yum源
配置yum源-阿里云

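# Back up the stock repo file, then fetch the Aliyun mirror definition.
mv /etc/yum.repos.d/CentOS-Base.repo{,.backup}
# wget and curl are alternatives — run only one of them. curl's -f makes an
# HTTP error fail the command instead of saving the error page as the repo
# file; -S still prints the error even though -s is set.
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
curl -fsS -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo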

第三方源

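# Third-party (EPEL) repo from the same mirror. Again wget OR curl, not both;
# -f stops curl from writing an HTTP error page into epel.repo on failure.
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
curl -fsS -o /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo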

5.安装常用软件

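# Optional: bring every installed package to the mirror's latest version.
yum -y update # updates everything to latest; can be skipped
# Everyday admin/diagnostic tools.
yum -y install tree nmap dos2unix lrzsz nc lsof wget tcpdump htop iftop iotop sysstat nethogs rsync
# Fixed typo from the original ("net-toos"): the package is net-tools.
yum -y install psmisc net-tools bash-completion vim-enhanced

# Build toolchain and common libraries. Several names here (lrzsz, wget,
# sysstat, dos2unix, net-tools) repeat earlier lines; yum treats an
# already-installed package as a no-op, so the repeats are harmless.
yum -y install lrzsz openssh-clients telnet gcc gcc-c++ wget sysstat net-tools nss nss-devel unix2dos dos2unix unzip bc
yum -y update  bash glibc glibc-devel glibc-common glibc-headers
yum -y install ncurses-devel make cmake bison automake autoconf openssl openssl-devel libtirpc libtirpc-devel
yum -y install gd gd-devel libjpeg libjpeg-devel libpng libpng-devel zlib zlib-devel freetype freetype-devel libxml2 libxml2-devel curl curl-devel libxslt libxslt-devel pcre pcre-devel libtool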

6.安全优化
a.关闭selinux

# Persistently disable SELinux (takes effect at next boot). The pattern only
# matches "enforcing": on a box already set to permissive nothing changes and
# the grep below prints nothing.
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
grep 'SELINUX=disabled' /etc/selinux/config
# Switch the running kernel to permissive now; getenforce should print Permissive.
setenforce 0
getenforce
# NOTE(review): "disabled" removes mandatory access control for every service
# built from this template; "permissive" keeps the AVC audit trail without blocking.

b.暂时关闭防火墙

# Stop the host firewall now and keep it off across reboots.
systemctl stop firewalld
systemctl disable firewalld
# Once stopped, status reports "inactive"; the grep just confirms that word.
systemctl status firewalld|grep inactive
# NOTE(review): with firewalld off, the hypervisor/network ACLs are the only
# filter in front of sshd on 52113 and anything installed later on this image.

8.手工添加管理员帐号(可选)

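# Optional second admin. Membership in wheel gives sudo through the wheel rule
# already present in /etc/sudoers. "111111" is illustrative only.
useradd oldgirl -G wheel
id oldgirl
# Original read "--stdinoldgirl" (missing space), which is not a valid passwd
# option; the user name must be a separate argument.
echo 111111|passwd --stdin oldgirl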

9.设置字符集(可选)
方法1

# Method 1: overwrite locale.conf directly (keeping a .ori copy).
cp /etc/locale.conf{,.ori}
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
# source only affects the current shell; new logins read the file themselves.
source /etc/locale.conf
echo $LANG

方法2

# Method 2: let systemd's localectl rewrite locale.conf (backup kept as .ori).
cp /etc/locale.conf{,.ori}
localectl set-locale LANG="zh_CN.UTF-8"
# Verify the file content localectl produced.
cat /etc/locale.conf

9.时间同步

# One-shot clock step against Aliyun's public NTP server.
yum -y install ntpdate
/sbin/ntpdate ntp3.aliyun.com

# Re-sync every 5 minutes by appending to root's crontab spool file directly.
# Appending is not idempotent — running this twice yields two entries; crontab -l
# is the check. NOTE(review): CentOS 7 ships chronyd, which disciplines the
# clock continuously; periodic ntpdate stepping is the older approach.
echo "*/5 * * * * /sbin/ntpdate ntp3.aliyun.com &>/dev/null" >> /var/spool/cron/root
crontab -l

10.基础优化操作项:提升命令安全(可选)

# TMOUT=300 logs an idle interactive shell out after 5 minutes.
echo 'export TMOUT=300' >> /etc/profile
# HISTSIZE/HISTFILESIZE=5 keep only the last five commands in memory and in
# ~/.bash_history. That limits what a later reader of the history file sees,
# but it also removes most of the command trail an incident review relies on;
# auditd or central logging gives accountability without depending on history.
echo 'export HISTSIZE=5' >> /etc/profile
echo 'export HISTFILESIZE=5' >> /etc/profile
# Show the three lines just appended, then load them into the current shell.
tail -3 /etc/profile
. /etc/profile

11.加大文件描述符

# Raise the open-file limit for all users; pam_limits applies this to new login sessions.
echo '*               -       nofile          65535' >> /etc/security/limits.conf
tail -1 /etc/security/limits.conf
# Apply soft and hard (-S -H) limits to the current shell only; ulimit -n shows the result.
ulimit -SHn 65535
ulimit -n
# NOTE(review): systemd-managed services do not read limits.conf; they take
# LimitNOFILE from their unit or DefaultLimitNOFILE in /etc/systemd/system.conf.

12.基础优化操作,优化系统内核

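# Append kernel tuning to /etc/sysctl.conf and load it. The delimiter is
# quoted so nothing inside the heredoc is expanded by the shell. sysctl.conf
# has no trailing-comment syntax: the original "tcp_tw_recycle = 1    #..."
# would have been written with the note as part of the value, so that note now
# sits on its own line above the key.
cat >>/etc/sysctl.conf<<'EOF'
#BASE
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
#建议设置为0,因为涉及到NAT的网络访问问题
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies= 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
#以下是ip防火墙,防火墙不开,可以忽略
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
#NFS共享优化
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.wmem_max = 16777216
net.core.rmem_max = 16777216
EOF

# Load every key in the file. The nf_conntrack keys only exist once a
# netfilter module is loaded; with firewalld disabled in step 6 they are
# typically reported as missing by sysctl -p while the remaining keys still apply.
sysctl -p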

13.修改yum配置文件

/etc/yum.conf 里的keepcache=0改为keepcache=1
# keepcache=1 keeps downloaded rpms in the yum cache instead of deleting them
# after install; -i.bak leaves a copy of the original yum.conf.
sed -i.bak 's#keepcache=0#keepcache=1#g' /etc/yum.conf
grep 'keepcache=1' /etc/yum.conf

14.锁定关键文件

# +i makes these files immutable, even for root: useradd, passwd, chage and
# similar will fail until `chattr -i` is run first, so remember this before any
# later account or password change. /etc/inittab is unused by systemd on
# CentOS 7 — presumably listed out of habit; harmless.
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
# lsattr shows the "i" flag on each file.
lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab

15.清空/etc/issue /etc/issue.net

[root@oldboy ~]$ > /etc/issue && > /etc/issue.net

16.清理虚拟帐号(可选)
17.grub菜单加密(可选)

# Prompts for a GRUB superuser password; editing boot entries at the GRUB menu
# then requires it, which blocks the single-user/init=/bin/bash root-recovery path
# for anyone without it.
grub2-setpassword

18.禁止ping(内核参数)

# Add this line to /etc/sysctl.conf to ignore all ICMP echo requests, then run
# sysctl -p. NOTE(review): this hides the host from ping sweeps but also from
# legitimate reachability monitoring.
net.ipv4.icmp_echo_ignore_all = 1

19.精简开机自启动保留

sshd|crond|sysstat|rsyslog|NetworkManager|irqbalance