Centos 7系統優化

1 修改網卡名稱爲eth0

#mv ifcfg-eno16777729 ifcfg-eth0
#vi /etc/sysconfig/grub
    GRUB_TIMEOUT=5
    GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
    GRUB_DEFAULT=saved
    GRUB_DISABLE_SUBMENU=true
    GRUB_TERMINAL_OUTPUT="console"
    GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 rhgb quiet net.ifnames=0 biosdevname=0"
    GRUB_DISABLE_RECOVERY="true"

修改 /etc/udev/rules.d/90-eno-fix.rules名稱

#grub2-mkconfig -o /boot/grub2/grub.cfg #生成啓動菜單
    Generating grub configuration file ...
    Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
    Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
    Found linux image: /boot/vmlinuz-0-rescue-e8675ae79abd41309dac42388f8d9116
    Found initrd image: /boot/initramfs-0-rescue-e8675ae79abd41309dac42388f8d9116.img

#reboot
#ip addr 或者
#yum install net-tools #默認centos7不支持ifconfig 需要看裝net-tools包

2.更新系統

3.修改文件屬性,最低權限原則

chmod 700 /bin/rpm 只有root權限用戶纔可以使用rpm命定,安裝軟件包
chmod 664 /etc/hosts
chmod 644 /etc/passwd
chmod 644 /etc/exports
chmod 644 /etc/issue
chmod 664 /var/log/wtmp
chmod 664 /var/log/btmp
chmod 644 /etc/services
chmod 600 /etc/shadow
chmod 600 /etc/login.defs
chmod 600 /etc/hosts.allow
chmod 600 /etc/hosts.deny
chmod 600 /etc/securetty
chmod 600 /etc/security
chmod 600 /etc/ssh/ssh_host_key
chmod 600 /etc/ssh/sshd_config
chmod 600 /var/log/lastlog
chmod 600 /var/log/messages

4. 添加用戶fang

[root@bogon ~]# useradd fang
[root@bogon ~]# echo 123456 | passwd --stdin fang
    Changing password for user fang.
    passwd: all authentication tokens updated successfully.

[root@bogon ~]# usermod -G wheel fang
[root@bogon ~]# sed -i '6s/^#//g' /etc/pam.d/su
[root@bogon ~]# grep wheel /etc/pam.d/su #只有WHEEL組的可以su
    Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
#Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid

擴展:爲用戶fang添加sudo，除關機外的其他所有操作：

 visudo
Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init
fang ALL=(ALL) ALL,!SHUTDOWN
%wheel ALL=(ALL) ALL,!SHUTDOWN #修改wheel組的權限，禁止關機
Defaults logfile=/var/log/sudo.log

5 禁用selinux

[root@bogon ~]# grep -i ^selinux /etc/selinux/config
        SELINUX=enforcing
        SELINUXTYPE=targeted
[root@bogon ~]# sed -i '/^SELINUX/s/enforcing/disabled/g' /etc/selinux/config
[root@bogon ~]# getenforce
Enforcing

6.關閉防火牆安裝iptables

systemctl stop firewalld.service 
systemctl disable firewalld.service
yum install iptables-services -y #安裝

7.修改主機名

[root@bogon ~]# hostnamectl set-hostname hequan.com
[root@bogon ~]# hostname

8.查看並管理服務

[root@hequan ~]# systemctl -t service
[root@hequan ~]# systemctl list-unit-files -t service
yum install -y bash-completion #補全服務名稱，退出bash再進就可以

9.設置字符集

[root@hequan ~]# echo $LANG
    zh_CN.UTF-8
[root@hequan ~]# vi /etc/locale.conf
    LANG="en_US.UTF-8"
[root@hequan ~]# source /etc/locale.conf

10.yum

yum install -y cmake vim wget lrzsz htop

安裝163源

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
cd /etc/yum.repos.d/
wget http://mirrors.163.com/.help/CentOS7-Base-163.repo
yum clean all
yum makecache

其他

yum -y install yum-plugin-priorities ##安裝優先級插件
sed -i -e "s/\]$/\]\npriority=1/g" /etc/yum.repos.d/CentOS-Base.repo ##設置基本yum源的優先級爲1
yum -y install epel-release ##安裝epel源
sed -i -e "s/\]$/\]\npriority=5/g" /etc/yum.repos.d/epel.repo ##設置優先級爲5
sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo ##禁用epel源
yum -y install http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm ##安裝rpmforge的源
sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/rpmforge.repo ##設置優先級爲10
sed -i -e "s/enabled = 1/enabled = 0/g" /etc/yum.repos.d/rpmforge.repo ##禁用yum源
使用方法：yum --enablerepo=rpmforge install [Package]
安裝epel源 yum -y install epel-release

11 配置sshd

ListenAddress 0.0.0.0 ##只啓用ipv4
/etc/ssh/sshd_config

PermitRootLogin no ##禁止root使用ssh登錄
MaxAuthTries 2 ##兩次不行就切斷重新SSH啓動登入

PubkeyAuthentication no ##禁止證書登陸AuthorizedKeysFile /dev/null
ChallengeResponseAuthentication yes禁止SSH客戶端記住密碼

加快ssh登錄速度
GSSAPIAuthentication no ##關閉 GSSAPIUseDNS no ##禁止DNS 反向解析
一般 SSH 依次進行的認證方法的是 publickey, gssapi-keyex, gssapi-with-mic, password， 這個你可以ssh -v開啓 debug 模式在連接日誌看到。   一般用戶只使用 password 認證方式，但前面 3 個認證過程系統還是會嘗試，這就浪費時間了，也就造成 SSH 登錄慢

AllowTcpForwarding no禁止使用SSH映射Socks5等等

12 加大打開文件數的限制（open files）

ulimit -n
ulimit -a

vi /etc/security/limits.conf
最後添加
    * soft nofile 1024000
    * hard nofile 1024000
    hive - nofile 1024000
    hive - nproc 1024000

用戶進程限制

#sed -i 's#4096#65535#g' /etc/security/limits.d/20-nproc.conf #加大普通用戶限制 也可以改爲unlimited
#egrep -v "^$|^#" /etc/security/limits.d/20-nproc.conf 
    * soft nproc 65535
    root soft nproc unlimited

reboot

13 優化內核

cat /etc/sysctl.conf
    #CTCDN系統優化參數
    #關閉ipv6節省系統資源
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    #決定檢查過期多久鄰居條目
    net.ipv4.neigh.default.gc_stale_time=120
    #使用arp_announce / arp_ignore解決ARP映射問題
    net.ipv4.conf.default.arp_announce = 2
    net.ipv4.conf.all.arp_announce=2
    net.ipv4.conf.lo.arp_announce=2
    #避免放大gj
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    #開啓惡意icmp錯誤消息保護
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    #關閉路由轉發
    net.ipv4.ip_forward = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
    #開啓反向路徑過濾
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    #處理無源路由的包
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0
    #關閉sysrq功能
    kernel.sysrq = 0
    #core文件名中添加pid作爲擴展名
    kernel.core_uses_pid = 1
    #開啓SYN洪水gj保護
    net.ipv4.tcp_syncookies = 1
    #修改消息隊列長度
    kernel.msgmnb = 65536
    kernel.msgmax = 65536
    #設置最大內存共享段大小bytes
    kernel.shmmax = 68719476736
    kernel.shmall = 4294967296
    #timewait的數量，默認180000
    net.ipv4.tcp_max_tw_buckets = 6000
    net.ipv4.tcp_sack = 1
    net.ipv4.tcp_window_scaling = 1
    net.ipv4.tcp_rmem = 4096 87380 4194304
    net.ipv4.tcp_wmem = 4096 16384 4194304
    net.core.wmem_default = 8388608
    net.core.rmem_default = 8388608
    net.core.rmem_max = 16777216
    net.core.wmem_max = 16777216
    #每個網絡接口接收數據包的速率比內核處理這些包的速率快時，允許送到隊列的數據包的最大數目
    net.core.netdev_max_backlog = 262144
    #限制僅僅是爲了防止簡單的DoS gj
    net.ipv4.tcp_max_orphans = 3276800
    #未收到客戶端確認信息的連接請求的最大值
    net.ipv4.tcp_max_syn_backlog = 262144
    net.ipv4.tcp_timestamps = 0
    #內核放棄建立連接之前發送SYNACK 包的數量
    net.ipv4.tcp_synack_retries = 1
    #內核放棄建立連接之前發送SYN 包的數量
    net.ipv4.tcp_syn_retries = 1
    #啓用timewait 快速回收
    net.ipv4.tcp_tw_recycle = 1
    #開啓重用。允許將TIME-WAIT sockets 重新用於新的TCP 連接
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_mem = 94500000 915000000 927000000
    net.ipv4.tcp_fin_timeout = 1
    #當keepalive 起用的時候，TCP 發送keepalive 消息的頻度。缺省是2 小時
    net.ipv4.tcp_keepalive_time = 1800
    net.ipv4.tcp_keepalive_probes = 3
    net.ipv4.tcp_keepalive_intvl = 15
    #允許系統打開的端口範圍
    net.ipv4.ip_local_port_range = 1024 65000
    #修改防火牆表大小，默認65536
    net.netfilter.nf_conntrack_max=655350
    net.netfilter.nf_conntrack_tcp_timeout_established=1200
    #確保無人能修改路由表
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.all.secure_redirects = 0
    net.ipv4.conf.default.secure_redirects = 0
sysctl -p #生效

14 時間設置

yum install chrony

vi /etc/chrony.conf
    server 0.centos.pool.ntp.org
    server 3.europe.pool.ntp.org

systemctl enable chronyd.service
systemctl start chronyd.service

timedatectl set-timezone Asia/Shanghai
timedatectl set-time "2015-01-21 11:50:00"（可以只修改其中一個）修改日期時間
timedatectl 查看時間狀態
chronyc sources -v 查看時間同步源
chronyc sourcestats -v
hwclock -w #先同步一遍時間到硬件時間

15、遠程5分鐘無操作自動註銷:

vim /etc/profile
    最後添加:
    export TMOUT=300   ---5分鐘自動註銷下來
    找到
    HISTSIZE=1000
    修改爲:
    HISTSIZE=100 --減少日記字節爲100KB,太大內容過多容易漏重要信息.
    HISTTIMEFORMAT=”%Y-%m-%d %H:%M:%S”

16.禁止IP僞裝

vim /etc/host.conf
    在裏面加上：
    nospoof on

17臨時文件安全

臨時文件不應該有執行權限
/tmp
/dev/sda3 /tmp ext4 nosuid，noexec，nodev，rw 0 0
同時使用符號連接將/var/tmp 指向 /tmp
/dev/shm
none /dev/shm tmpfs defaults，nosuid，noexec，rw 0 0

18 PAM 插件認證加固配置

配置文件
ls /etc/pam.d/chfn crond login passwd remote runuser-l smtp ssh-keycat sudo-i system-auth-acchsh fingerprint-auth newrole password-auth run_init smartcard-auth smtp.postfix su su-lconfig-util fingerprint-auth-ac other password-auth-ac runuser smartcard-auth-ac sshd sudo system-auth
認證插件
ls /lib64/security/

18.1. pam_tally2.so

此模塊的功能是，登陸錯誤輸入密碼3次，5分鐘後自動解禁，在未解禁期間輸入正確密碼也無法登陸。
在配置文件 /etc/pam.d/sshd 頂端加入
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
查看失敗次數
#pam_tally2Login Failures Latest failure Fromroot 14 07/12/13 15:44:37 192.168.6.2neo 8 07/12/13 15:45:36 192.168.6.2
重置計數器
#pam_tally2 -r -u rootLogin Failures Latest failure Fromroot 14 07/12/13 15:44:37 192.168.6.2# pam_tally2 -r -u neoLogin Failures Latest failure Fromneo 8 07/12/13 15:45:36 192.168.6.2
pam_tally2 計數器日誌保存在 /var/log/tallylog 注意，這是二進制格式的文件

例 1. /etc/pam.d/sshd - pam_tally2.so
#cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300auth required pam_sepermit.soauth include password-authaccount required pam_nologin.soaccount include password-authpassword include password-auth# pam_selinux.so close should be the first session rulesession required pam_selinux.so closesession required pam_loginuid.so# pam_selinux.so open should only be followed by sessions to be executed in the user contextsession required pam_selinux.so open env_paramssession optional pam_keyinit.so force revokesession include password-auth

以上配置root用戶不受限制, 如果需要限制root用戶，參考下面
auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=1800

18.2. pam_listfile.so

用戶登陸限制
將下面一行添加到 /etc/pam.d/sshd 中，這裏採用白名單方式，你也可以採用黑名單方式
auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail

將允許登陸的用戶添加到 /etc/ssh/whitelist，除此之外的用戶將不能通過ssh登陸到你的系統
#cat /etc/ssh/whitelistneowww

例 2. /etc/pam.d/sshd - pam_listfile.so
#cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=failauth required pam_tally2.so deny=3 onerr=fail unlock_time=300auth required pam_sepermit.soauth include password-authaccount required pam_nologin.soaccount include password-authpassword include password-auth# pam_selinux.so close should be the first session rulesession required pam_selinux.so closesession required pam_loginuid.so# pam_selinux.so open should only be followed by sessions to be executed in the user contextsession required pam_selinux.so open env_paramssession optional pam_keyinit.so force revokesession include password-auth

sense=allow 白名單方式, sense=deny 黑名單方式
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail
更多細節請查看手冊 $ man pam_listfile

18.3. pam_access.so

編輯 /etc/pam.d/sshd 文件，加入下面一行
account required pam_access.so
保存後重啓sshd進程

編輯 /etc/security/access.conf 文件cat >> /etc/security/access.conf << EOF- : root : ALL EXCEPT 192.168.6.1EOF
只能通過 192.168.6.1 登陸, 添加多個IP地址
- : root : ALL EXCEPT 192.168.6.1 192.168.6.2
測試是否生效

18.4. pam_wheel.so

限制普通用戶通過su命令提升權限至root. 只有屬於wheel組的用戶允許通過su切換到root用戶
編輯 /etc/pam.d/su 文件，去掉下面的註釋

auth required pam_wheel.so use_uid
修改用戶組別，添加到wheel組
#usermod -G wheel www# id wwwuid=501(www) gid=501(www) groups=501(www),10(wheel)
沒有加入到wheel組的用戶使用su時會提示密碼不正確。
$ su - rootPassword:su: incorrect password

18.5設定用戶登錄，普通用戶登錄識別超過6次鎖定300s.

echo "account required pam_tally.so deny=100 no_magic_root reset" >>/etc/pam.d/system-auth
echo "auth required pam_tally.so onerr=fail deny=6 unlock_time=300" >>/etc/pam.d/system-auth