centos作爲服務器開放的服務多了,難免一些服務軟件有漏洞,開放的端口號越多,上線的服務器越危險,所以我們必須在服務器上線之前把centos裏面不必要的服務全部幹掉,不讓壞人有可乘之機。
首先看一下機器裏面運行了哪些服務:(我的機器運行級別是3,只看3:on的服務就可以了)
[root@centos ~]# chkconfig --list | grep "3:on"
NetworkManager 0:off 1:off 2:on 3:on 4:on 5:on 6:off
abrt-ccpp 0:off 1:off 2:on 3:on 4:on 5:on 6:off
abrtd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
blk-availability 0:off 1:on 2:on 3:on 4:on 5:on 6:off
certmonger 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cgconfig 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cgred 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
dnsmasq 0:off 1:off 2:on 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ipsec 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kdump 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off
mcelogd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfslock 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpdate 0:off 1:off 2:on 3:on 4:on 5:on 6:off
numad 0:off 1:off 2:on 3:on 4:on 5:on 6:off
oddjobd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portreserve 0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off
pppoe-server 0:off 1:off 2:on 3:on 4:on 5:on 6:off
psacct 0:off 1:off 2:on 3:on 4:on 5:on 6:off
quota_nld 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rdisc 0:off 1:off 2:on 3:on 4:on 5:on 6:off
restorecond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rngd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcsvcgssd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
smartd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sssd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
svnserve 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off
winbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
wpa_supplicant 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ypbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off開的服務這麼多,這要是直接放到互聯網怎麼了得,所以我們第一步先把所有的服務統統關掉,第二步再把要必須保留的服務開啓。
第一步,關掉系統所有的服務,這麼多內容只能用循環腳本了,一條一條chkconfig service off 猴年馬月去了,直接看命令:
我把所有開着的服務名稱 通過awk取出來,再用for循環 chkconfig service off
[root@centos ~]# for n in `chkconfig --list | grep "3:on" | awk '{print $1}'`;do chkconfig $n off;done
[root@centos ~]# chkconfig --list | grep 3:on
[root@centos ~]#
[root@centos ~]#
[root@centos ~]# //這會兒發現服務都被我一下子kill掉了
這會兒問題來了,我們的服務器哪些服務必須保留呢?
- network提供網絡的服務,服務器不上網怎麼能行呢?
- crond時間計劃任務服務,服務器日常的計劃執行離不開這個服務
- sshd 我們需要通過ssh 才能遠程連接到我們的Linux,總不能天天在idc機房拿kvm來工作吧
- rsyslog 服務器做了哪些事情都需要靠日誌才能知道,rsyslog就是用來記錄日誌的,原來名字叫syslog
- sysstat 監控系統性能的服務,對服務器掌控怎麼能離得了它,sar,mpstat,iostat,vmstat都是非常有用的工具,都在這個服務裏面
總結一下,系統必須開啓的服務有network,sshd,crond,rsyslog,sysstat五個
我們要做的是開啓這些服務,然後驗證收工,go...
[root@centos ~]# for n in crond sshd network rsyslog sysstat ;do chkconfig $n on ; done
[root@centos ~]# chkconfig --list | grep 3:on
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off另外一種思路:我把該留下的留下,其他全部幹掉
直接給答案:
[root@centos ~]# chkconfig --list | grep 3:on | egrep -v "sshd|network|rsyslog|sysstat|crond" | awk '{print "chkconfig",$1,"off"}'
chkconfig NetworkManager off
chkconfig abrt-ccpp off
chkconfig abrtd off
chkconfig acpid off
chkconfig atd off
chkconfig auditd off
chkconfig autofs off
chkconfig blk-availability off
chkconfig certmonger off
chkconfig cgconfig off
chkconfig cgred off
chkconfig cpuspeed off
chkconfig cups off
chkconfig dnsmasq off
chkconfig haldaemon off
chkconfig ip6tables off
chkconfig ipsec off
chkconfig iptables off
chkconfig irqbalance off
chkconfig kdump off
chkconfig lvm2-monitor off
chkconfig mcelogd off
chkconfig mdmonitor off
chkconfig messagebus off
chkconfig netconsole off
chkconfig netfs off
chkconfig nfs off
chkconfig nfslock off
chkconfig ntpd off
chkconfig ntpdate off
chkconfig numad off
chkconfig oddjobd off
chkconfig portreserve off
chkconfig postfix off
chkconfig pppoe-server off
chkconfig psacct off
chkconfig quota_nld off
chkconfig rdisc off
chkconfig restorecond off
chkconfig rngd off
chkconfig rpcbind off
chkconfig rpcgssd off
chkconfig rpcsvcgssd off
chkconfig saslauthd off
chkconfig smartd off
chkconfig sssd off
chkconfig svnserve off
chkconfig udev-post off
chkconfig winbind off
chkconfig wpa_supplicant off
chkconfig ypbind off
[root@centos ~]# chkconfig --list | grep 3:on | egrep -v "sshd|network|rsyslog|sysstat|crond" | awk '{print "chkconfig",$1,"off"}' | bash