文章目录[隐藏]
前言
centos 越来越普及了,通过一些面板很多小白都可以使用centos、但是安全方面却不行、今天学派吧整理下 centos安全相关的资料
发布出来、供小白学习、
设置
1 修改网卡为eth0
2 更新系统
3 给/etc/rc.local添加执行权限
4 添加用户hequan
5 禁用selinux
6 关闭防火墙安装iptables
7 修改主机名
8 查看并管理服务
9 设置字符集
10 yum
11 配置sshd
12 加大打开文件数的限制(open files)
13 优化内核
14 时间设置
15 man 中文版
16 vim基本设置
1 修改网卡为eth0
cd /etc/sysconfig/network-scripts/ vim ifcfg-eno16777729 TYPE=Ethernet BOOTPROTO=static IPADDR=192.168.1.201 NETMASK=255.255.255.0 GATEWAY=192.168.1.1 DEFROUTE=yes PEERDNS=yes PEERROUTES=yes IPV4_FAILURE_FATAL=no NAME=eth0 UUID=efd17b9a-a5ab-4c94-be62-d2c32eb48a7e DEVICE=eth0 ONBOOT=yes DNS1=202.106.0.20
mv ifcfg-eno16777729 ifcfg-eth0 vi /etc/sysconfig/grub GRUB_TIMEOUT=5 GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)" GRUB_DEFAULT=saved GRUB_DISABLE_SUBMENU=true GRUB_TERMINAL_OUTPUT="console" GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 rhgb quiet" #添加 net.ifnames=0 biosdevname=0 GRUB_DISABLE_RECOVERY="true"
grub2-mkconfig -o /boot/grub2/grub.cfg #生成启动菜单 Generating grub configuration file ... Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64 Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img Found linux image: /boot/vmlinuz-0-rescue-e8675ae79abd41309dac42388f8d9116 Found initrd image: /boot/initramfs-0-rescue-e8675ae79abd41309dac42388f8d9116.img
reboot
ip addr 或者 yum install net-tools #默认centos7不支持ifconfig 需要看装net-tools包 ifconfig eth0 #再次查看网卡信息
2 更新系统
yum update -y
3 给/etc/rc.local添加执行权限
[root@bogon ~]# ll /etc/rc.local
lrwxrwxrwx. 1 root root 13 Feb 6 07:28 /etc/rc.local -> rc.d/rc.local
[root@bogon ~]# ll /etc/rc.d/rc.local
-rw-r--r--. 1 root root 473 May 12 2016 /etc/rc.d/rc.local
[root@bogon ~]# chmod +x /etc/rc.d/rc.local
4 添加用户hequan
[root@bogon ~]# useradd hequan
[root@bogon ~]# echo 123456 | passwd --stdin hequan
Changing password for user hequan.
passwd: all authentication tokens updated successfully.
[root@bogon ~]# usermod -G wheel hequan
[root@bogon ~]# sed -i '6s/^#//g' /etc/pam.d/su
[root@bogon ~]# grep wheel /etc/pam.d/su #只有WHEEL组的可以su
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
扩展:为用户hequan添加sudo,除关机外的其他所有操作:
[root@www ~]# visudo
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init
hequan ALL=(ALL) ALL,!SHUTDOWN
%wheel ALL=(ALL) ALL,!SHUTDOWN #修改wheel组的权限,禁止关机
Defaults logfile=/var/log/sudo.log
5 禁用selinux
[root@bogon ~]# grep -i ^selinux /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
[root@bogon ~]# sed -i '/^SELINUX/s/enforcing/disabled/g' /etc/selinux/config
[root@bogon ~]# grep -i ^selinux /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
[root@bogon ~]# getenforce
Enforcing
[root@bogon ~]# reboot
6 关闭防火墙安装iptables
systemctl stop firewalld.service
systemctl disable firewalld.service
yum install iptables-services -y #安装
7修改主机名
[root@bogon ~]# hostnamectl set-hostname hequan.com
[root@bogon ~]# hostname
xp8.net
8 查看并管理服务
[root@hequan ~]# systemctl -t service
[root@hequan ~]# systemctl list-unit-files -t service
yum install -y bash-completion #补全服务名称,退出bash再进就可以
9 设置字符集
[root@hequan ~]# echo $LANG
zh_CN.UTF-8
[root@hequan ~]# vi /etc/locale.conf
LANG="en_US.UTF-8"
[root@hequan ~]# source /etc/locale.conf
10 yum
yum install gcc cmake bzip2-devel curl-devel db4-devel libjpeg-devel libpng-devel freetype-devel libXpm-devel gmp-devel libc-client-devel openldap-devel unixODBC-devel postgresql-devel sqlite-devel aspell-devel net-snmp-devel libxslt-devel libxml2-devel pcre-devel mysql-devel pspell-devel libmemcached libmemcached-devel zlib-devel vim wget lrzsz tree
安装163源
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
cd /etc/yum.repos.d/
wget http://mirrors.163.com/.help/CentOS7-Base-163.repo
yum clean all
yum makecache
其他
yum -y install yum-plugin-priorities ##安装优先级插件 sed -i -e "s/\]$/\]\npriority=1/g" /etc/yum.repos.d/CentOS-Base.repo ##设置基本yum源的优先级为1 yum -y install epel-release ##安装epel源 sed -i -e "s/\]$/\]\npriority=5/g" /etc/yum.repos.d/epel.repo ##设置优先级为5 sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo ##禁用epel源 yum -y install http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm ##安装rpmforge的源 sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/rpmforge.repo ##设置优先级为10 sed -i -e "s/enabled = 1/enabled = 0/g" /etc/yum.repos.d/rpmforge.repo ##禁用yum源 使用方法:yum --enablerepo=rpmforge install [Package]
11 配置sshd
sed -i -e '49s/^#//g' /etc/ssh/sshd_config ##启用49行配置 sed -i -e '49s/yes/no/g' /etc/ssh/sshd_config ##禁止root使用ssh登录 sed -i -e '129s/#/ /g' /etc/ssh/sshd_config ##禁止UseDNS sed -i -e '129s/yes$/no/g' /etc/ssh/sshd_config sed -i '/^GSS/s/yes/no/g' /etc/ssh/sshd_config ##禁用GSSAPI认证加快登录速度 systemctl restart sshd ##重新启动服务 systemctl enable sshd ##设置为开机启动 systemctl status sshd ##查看状态 ● sshd.service - OpenSSH server daemon Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled) Active: active (running) since 一 2016-06-06 00:16:26 CST; 1min 3s ago
12 加大打开文件数的限制(open files)
ulimit -n ulimit -a vi /etc/security/limits.conf 最后添加 * soft nofile 1024000 * hard nofile 1024000 hive - nofile 1024000 hive - nproc 1024000 用户进程限制 [root@hequan ~]# sed -i 's#4096#65535#g' /etc/security/limits.d/20-nproc.conf #加大普通用户限制 也可以改为unlimited [root@hequan ~]# egrep -v "^$|^#" /etc/security/limits.d/20-nproc.conf * soft nproc 65535 root soft nproc unlimited reboot
13 优化内核
cat /etc/sysctl.conf #CTCDN系统优化参数 #关闭ipv6 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 #决定检查过期多久邻居条目 net.ipv4.neigh.default.gc_stale_time=120 #使用arp_announce / arp_ignore解决ARP映射问题 net.ipv4.conf.default.arp_announce = 2 net.ipv4.conf.all.arp_announce=2 net.ipv4.conf.lo.arp_announce=2 # 避免放大攻击 net.ipv4.icmp_echo_ignore_broadcasts = 1 # 开启恶意icmp错误消息保护 net.ipv4.icmp_ignore_bogus_error_responses = 1 #关闭路由转发 net.ipv4.ip_forward = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 #开启反向路径过滤 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 #处理无源路由的包 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 #关闭sysrq功能 kernel.sysrq = 0 #core文件名中添加pid作为扩展名 kernel.core_uses_pid = 1 # 开启SYN洪水攻击保护 net.ipv4.tcp_syncookies = 1 #修改消息队列长度 kernel.msgmnb = 65536 kernel.msgmax = 65536 #设置最大内存共享段大小bytes kernel.shmmax = 68719476736 kernel.shmall = 4294967296 #timewait的数量,默认180000 net.ipv4.tcp_max_tw_buckets = 6000 net.ipv4.tcp_sack = 1 net.ipv4.tcp_window_scaling = 1 net.ipv4.tcp_rmem = 4096 87380 4194304 net.ipv4.tcp_wmem = 4096 16384 4194304 net.core.wmem_default = 8388608 net.core.rmem_default = 8388608 net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 #每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目 net.core.netdev_max_backlog = 262144 #限制仅仅是为了防止简单的DoS 攻击 net.ipv4.tcp_max_orphans = 3276800 #未收到客户端确认信息的连接请求的最大值 net.ipv4.tcp_max_syn_backlog = 262144 net.ipv4.tcp_timestamps = 0 #内核放弃建立连接之前发送SYNACK 包的数量 net.ipv4.tcp_synack_retries = 1 #内核放弃建立连接之前发送SYN 包的数量 net.ipv4.tcp_syn_retries = 1 #启用timewait 快速回收 net.ipv4.tcp_tw_recycle = 1 #开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_mem = 94500000 915000000 927000000 net.ipv4.tcp_fin_timeout = 1 #当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时 net.ipv4.tcp_keepalive_time = 1800 net.ipv4.tcp_keepalive_probes = 3 net.ipv4.tcp_keepalive_intvl = 15 #允许系统打开的端口范围 net.ipv4.ip_local_port_range = 1024 65000 #修改防火墙表大小,默认65536 net.netfilter.nf_conntrack_max=655350 net.netfilter.nf_conntrack_tcp_timeout_established=1200 # 确保无人能修改路由表 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 sysctl -p #生效
本身也是搜集网络技术资料,给很多小白也是一个参考、如果有更好的文章、欢迎投稿到我们学派吧、 关注学派 一起学习 加我们QQ群 右上角
