CentOS 7.2 system optimization

1. Rename the network interface to eth0

mv ifcfg-eno16777729 ifcfg-eth0 # in /etc/sysconfig/network-scripts/

vi /etc/sysconfig/grub

GRUB_TIMEOUT=5

GRUB_DISTRIBUTOR="$(sed 's, release .*,,g' /etc/system-release)"

GRUB_DEFAULT=saved

GRUB_DISABLE_SUBMENU=true

GRUB_TERMINAL_OUTPUT="console"

GRUB_CMDLINE_LINUX="rhgb quiet net.ifnames=0 biosdevname=0"

GRUB_DISABLE_RECOVERY="true"

Rename /etc/udev/rules.d/90-eno-fix.rules as well, so that udev rule no longer reassigns the eno name.

grub2-mkconfig -o /boot/grub2/grub.cfg #Generate boot menu

Generating grub configuration file ...

Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64

Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img

Found linux image: /boot/vmlinuz-0-rescue-e8675ae79abd41309dac42388f8d9116

Found initrd image: /boot/initramfs-0-rescue-e8675ae79abd41309dac42388f8d9116.img

reboot

ip addr # or install net-tools to get ifconfig:

yum install net-tools # CentOS 7 does not ship ifconfig by default; it is in the net-tools package

2. Update the system

3. Tighten file permissions (principle of least privilege)

chmod 700 /bin/rpm # only root can run rpm to query or install packages

chmod 664 /etc/hosts

chmod 644 /etc/passwd

chmod 644 /etc/exports

chmod 644 /etc/issue

chmod 664 /var/log/wtmp

chmod 664 /var/log/btmp

chmod 644 /etc/services

chmod 600 /etc/shadow

chmod 600 /etc/login.defs

chmod 600 /etc/hosts.allow

chmod 600 /etc/hosts.deny

chmod 600 /etc/securetty

chmod 600 /etc/security

chmod 600 /etc/ssh/ssh_host_key

chmod 600 /etc/ssh/sshd_config

chmod 600 /var/log/lastlog

chmod 600 /var/log/messages
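Permissions like these drift back over time (package updates, admins "fixing" a file). The following is an added example, not from the original post: a small POSIX sh audit that re-checks the modes set above and reports drift without changing anything. The path table is a constructed subset of the list above (extend it with the rest); the function names are this editor's, and stat -c is the GNU/busybox form.

```shell
#!/bin/sh
# Added example: read-only audit of the file modes set above. Nothing is chmod'ed.
# expected_modes is a constructed table mirroring part of the chmod list.
expected_modes='
/etc/passwd 644
/etc/shadow 600
/etc/login.defs 600
/etc/hosts.allow 600
/etc/hosts.deny 600
/etc/ssh/sshd_config 600
/var/log/messages 600
'

# actual_mode PATH -> octal mode such as 644, or "missing" if PATH does not exist
actual_mode() {
    if [ -e "$1" ]; then
        stat -c '%a' "$1"          # GNU coreutils / busybox stat
    else
        echo missing
    fi
}

# check_mode PATH EXPECTED -> "ok" when the mode matches, otherwise "drift:<actual>"
check_mode() {
    _have=$(actual_mode "$1")
    if [ "$_have" = "$2" ]; then
        echo ok
    else
        echo "drift:$_have"
    fi
}

# audit_modes TABLE -> one report line per entry; exit status = number of mismatches
# The heredoc keeps the loop in the current shell, so the counter survives.
audit_modes() {
    _bad=0
    while read -r _path _mode; do
        [ -z "$_path" ] && continue          # skip blank lines in the table
        _res=$(check_mode "$_path" "$_mode")
        printf '%-28s expected=%s %s\n' "$_path" "$_mode" "$_res"
        [ "$_res" = ok ] || _bad=$((_bad + 1))
    done <<EOF
$1
EOF
    return "$_bad"
}

if audit_modes "$expected_modes"; then
    echo "all listed modes match"
else
    echo "one or more modes have drifted (see the drift: lines above)"
fi
```

Run it from cron or a configuration-management check and alert on a non-zero exit status; "missing" is reported as drift too, since an absent /etc/hosts.deny is a finding in its own right.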

4. Add user fang

[ root@bogon ~]# useradd fang

[ root@bogon ~]# echo 123456 | passwd --stdin fang

Changing password for user fang.

passwd: all authentication tokens updated successfully.

[ root@bogon ~]# usermod -G wheel fang

[ root@bogon ~]# sed -i '6s/^#//g' /etc/pam.d/su

[ root@bogon ~]# grep wheel /etc/pam.d/su #Only WHEEL group can su

# Uncomment the following line to implicitly trust users in the "wheel" group.

#auth           sufficient      pam_wheel.so trust use_uid

# Uncomment the following line to require a user to be in the "wheel" group.

auth            required        pam_wheel.so use_uid

Extension: grant user fang sudo rights for everything except shutting down or rebooting (the sudoers manual itself warns that excluding commands from ALL with ! is not a hard barrier, since a user can run a renamed copy of the binary; treat it as protection against accidents):

visudo

Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init

fang ALL=(ALL) ALL,!SHUTDOWN

%wheel ALL=(ALL) ALL,!SHUTDOWN # the wheel group likewise gets everything except shutdown

Defaults logfile=/var/log/sudo.log

5. Disable SELinux

[ root@bogon ~]# grep -i ^selinux /etc/selinux/config

SELINUX=enforcing

SELINUXTYPE=targeted

[ root@bogon ~]# sed -i '/^SELINUX/s/enforcing/disabled/g' /etc/selinux/config

[ root@bogon ~]# getenforce

Enforcing

The change takes effect after a reboot; until then getenforce still reports Enforcing.

6. Stop firewalld and install iptables-services

systemctl stop firewalld.service

systemctl disable firewalld.service

yum install iptables-services -y #install

7. Set the hostname

[ root@bogon ~]# hostnamectl set-hostname hequan.com

[ root@bogon ~]# hostname

hequan.com

8. View and manage services

[ root@hequan ~]# systemctl -t service

[ root@hequan ~]# systemctl list-unit-files -t service

yum install -y bash-completion #tab-completion for service names; log out of the shell and back in to activate it

9. Set the locale

[ root@hequan ~]# echo $LANG

zh_CN.UTF-8

[ root@hequan ~]# vi /etc/locale.conf

LANG="en_US.UTF-8"

[ root@hequan ~]# source /etc/locale.conf

10. yum repositories and packages

yum install -y cmake vim wget lrzsz htop

Switch to the 163 mirror

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup

cd /etc/yum.repos.d/

wget http://mirrors.163.com/.help/CentOS7-Base-163.repo

yum clean all

yum makecache

Other repositories

yum -y install yum-plugin-priorities ##Install priority plugin

sed -i -e "s/]$/]\npriority=1/g" /etc/yum.repos.d/CentOS-Base.repo ##Set the priority of the basic yum source to 1

yum -y install epel-release ##Install epel source

sed -i -e "s/]$/]\npriority=5/g" /etc/yum.repos.d/epel.repo ##Set priority to 5

sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo ##Disable EPEL by default; enable it per command with --enablerepo=epel

yum -y install http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm ##Install the source of rpmforge

sed -i -e "s/]$/]\npriority=10/g" /etc/yum.repos.d/rpmforge.repo ##Set the priority to 10

sed -i -e "s/enabled = 1/enabled = 0/g" /etc/yum.repos.d/rpmforge.repo ##Disable yum source

Usage: yum --enablerepo=rpmforge install <package>


11. Configure sshd

/etc/ssh/sshd_config

ListenAddress 0.0.0.0 ##Listen on IPv4 only

PermitRootLogin no ##Forbid root from logging in over ssh

MaxAuthTries 2 ##Disconnect after two failed authentication attempts

PubkeyAuthentication no ##Disable public-key login
AuthorizedKeysFile /dev/null

With public-key login disabled, the password is the only remaining credential, so the MaxAuthTries limit and the pam_tally2 lockout in section 18 carry the whole load.

ChallengeResponseAuthentication yes ##Prevents SSH clients from remembering passwords

Speed up ssh login:

GSSAPIAuthentication no ##Disable GSSAPI authentication
UseDNS no ##Disable the reverse DNS lookup of the connecting client

sshd offers the authentication methods in the order publickey, gssapi-keyex, gssapi-with-mic, password; you can watch this in the connection log by running the client with ssh -v. A user who only has a password still sits through the first three attempts, which is what makes login slow; disabling GSSAPI (and the reverse DNS lookup) removes that wait.

AllowTcpForwarding no ##Prevents SSH port forwarding from being used as a SOCKS5 proxy to reach foreign websites and the like
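One detail that bites when applying the settings above: sshd honours the first occurrence of a keyword in sshd_config, so a "PermitRootLogin no" appended below an existing "PermitRootLogin yes" changes nothing. The following is an added example, not from the original post: a POSIX sh checker that reads the effective (first) value of each keyword from a config text and compares it with the settings listed above. sample_config and the wanted list are constructed for the demonstration, and the function names are this editor's; on a real host pass "$(cat /etc/ssh/sshd_config)" or compare with the parsed view from sshd -T.

```shell
#!/bin/sh
# Added example: check an sshd_config text against the hardening settings above.
# sshd takes the FIRST value set for a keyword; this checker reproduces that rule.
# sample_config is constructed: note the duplicated PermitRootLogin.
sample_config='
Port 22
PermitRootLogin yes
ListenAddress 0.0.0.0
PermitRootLogin no
MaxAuthTries 2
UseDNS no
GSSAPIAuthentication no
AllowTcpForwarding no
'

# Settings this page asks for: "Keyword value", one per line (constructed from the list above).
wanted='
PermitRootLogin no
MaxAuthTries 2
PubkeyAuthentication no
UseDNS no
GSSAPIAuthentication no
AllowTcpForwarding no
'

# sshd_value CONFIG KEYWORD -> first value set for KEYWORD (keywords are
# case-insensitive, comment lines are skipped), or "unset" if absent
sshd_value() {
    _v=$(printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -i "^[[:space:]]*$2[[:space:]]" \
        | head -n 1 | awk '{print $2}')
    if [ -n "$_v" ]; then echo "$_v"; else echo unset; fi
}

# check_sshd CONFIG WANTED -> one line per wanted keyword; exit status = deviations
check_sshd() {
    _bad=0
    while read -r _kw _want; do
        [ -z "$_kw" ] && continue
        _have=$(sshd_value "$1" "$_kw")
        if [ "$_have" = "$_want" ]; then
            printf '%-28s ok (%s)\n' "$_kw" "$_have"
        else
            printf '%-28s MISMATCH: have %s, want %s\n' "$_kw" "$_have" "$_want"
            _bad=$((_bad + 1))
        fi
    done <<EOF
$2
EOF
    return "$_bad"
}

check_sshd "$sample_config" "$wanted" || echo "deviations found: $?"
```

On the constructed sample the checker reports PermitRootLogin as "yes" (the first occurrence wins, exactly as sshd sees it) and PubkeyAuthentication as unset, two deviations. It deliberately ignores Match blocks; for those, sshd -T with -C is the authoritative view.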

12. Raise the open-file limit (nofile)

ulimit -n

ulimit -a

vi /etc/security/limits.conf

Append at the end:

hive - nofile 1024000

hive - nproc 1024000

Per-user process limit (nproc):

sed -i 's#4096#65535#g' /etc/security/limits.d/20-nproc.conf #raise the nproc limit for ordinary users; unlimited is also possible

egrep -v "^$|^#" /etc/security/limits.d/20-nproc.conf

*          soft    nproc     65535

root       soft    nproc     unlimited

reboot

13. Kernel parameters (sysctl)

cat /etc/sysctl.conf

CTCDN system optimization parameters

Turn off ipv6 to save system resources

net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.default.disable_ipv6 = 1

How long (seconds) before a neighbour (ARP) cache entry is considered stale

net.ipv4.neigh.default.gc_stale_time=120

Use arp_announce/arp_ignore to solve ARP mapping problem

net.ipv4.conf.default.arp_announce = 2

net.ipv4.conf.all.arp_announce=2

net.ipv4.conf.lo.arp_announce=2

Ignore broadcast ICMP echo requests (smurf amplification)

net.ipv4.icmp_echo_ignore_broadcasts = 1

Enable malicious icmp error message protection

net.ipv4.icmp_ignore_bogus_error_responses = 1

Turn off routing and forwarding

net.ipv4.ip_forward = 0

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.send_redirects = 0

Turn on reverse path filtering

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

Drop source-routed packets

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

Turn off sysrq function

kernel.sysrq = 0

Add pid to the core file name as the extension

kernel.core_uses_pid = 1

Enable SYN flood attack protection

net.ipv4.tcp_syncookies = 1

System V message queue limits

kernel.msgmnb = 65536

kernel.msgmax = 65536

Set the maximum memory shared segment size in bytes

kernel.shmmax = 68719476736

kernel.shmall = 4294967296

Maximum number of TIME_WAIT sockets (default 180000)

net.ipv4.tcp_max_tw_buckets = 6000

net.ipv4.tcp_sack = 1

net.ipv4.tcp_window_scaling = 1

net.ipv4.tcp_rmem = 4096 87380 4194304

net.ipv4.tcp_wmem = 4096 16384 4194304

net.core.wmem_default = 8388608

net.core.rmem_default = 8388608

net.core.rmem_max = 16777216

net.core.wmem_max = 16777216

Maximum number of packets queued on the input side when an interface receives packets faster than the kernel can process them

net.core.netdev_max_backlog = 262144

Maximum number of orphaned sockets; this limit only guards against simple DoS

net.ipv4.tcp_max_orphans = 3276800

The maximum number of connection requests that have not received client confirmation

net.ipv4.tcp_max_syn_backlog = 262144

net.ipv4.tcp_timestamps = 0

The number of SYNACK packets sent before the kernel gives up establishing a connection

net.ipv4.tcp_synack_retries = 1

The number of SYN packets sent before the kernel gives up establishing a connection

net.ipv4.tcp_syn_retries = 1

Enable fast recycling of TIME_WAIT sockets. Caveat: tcp_tw_recycle drops connections from clients behind NAT, only acts when TCP timestamps are enabled (this file sets tcp_timestamps to 0, so the line is inert here), and was removed in Linux 4.12

net.ipv4.tcp_tw_recycle = 1

Allow TIME_WAIT sockets to be reused for new outgoing TCP connections (this also relies on TCP timestamps)

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_mem = 94500000 915000000 927000000

net.ipv4.tcp_fin_timeout = 1

When keepalive is enabled, how often TCP sends keepalive messages. The default is 2 hours

net.ipv4.tcp_keepalive_time = 1800

net.ipv4.tcp_keepalive_probes = 3

net.ipv4.tcp_keepalive_intvl = 15

Ephemeral (local) port range

net.ipv4.ip_local_port_range = 1024 65000

Connection-tracking table size (default 65536). These net.netfilter.* keys exist only once the nf_conntrack module is loaded; otherwise sysctl -p reports them as missing

net.netfilter.nf_conntrack_max=655350

net.netfilter.nf_conntrack_tcp_timeout_established=1200

Ignore ICMP redirects so that nobody can alter the routing table remotely

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

sysctl -p #apply the settings
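A file this long deserves a lint pass before sysctl -p. The following is an added example, not from the original post: a POSIX sh helper that normalises sysctl.conf-style text into key=value pairs (handling values with inner spaces such as tcp_rmem, and letting a later duplicate win just as sysctl -p does) and then flags the interactions noted above, namely tcp_tw_recycle and tcp_tw_reuse being inert without TCP timestamps, the removal of tcp_tw_recycle in Linux 4.12, and the net.netfilter keys that need nf_conntrack loaded. sample_conf is a constructed excerpt of the file above, and the checks and function names are this editor's.

```shell
#!/bin/sh
# Added example: parse a sysctl.conf-style text and lint the risky combinations.
# sample_conf is a constructed excerpt of the file above.
sample_conf='
# constructed excerpt
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.netfilter.nf_conntrack_max=655350
kernel.sysrq = 0
'

# sysctl_pairs CONF -> "key=value" per line; comments and blank lines dropped,
# whitespace around "=" removed (inner spaces of values like tcp_rmem are kept)
sysctl_pairs() {
    printf '%s\n' "$1" \
        | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/[[:space:]]*=[[:space:]]*/=/'
}

# sysctl_get CONF KEY -> value of KEY (the last occurrence wins, as sysctl -p applies
# the file top to bottom), or "unset" when the key is absent
sysctl_get() {
    _v=$(sysctl_pairs "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-)
    if [ -n "$_v" ]; then echo "$_v"; else echo unset; fi
}

# sysctl_lint CONF -> prints WARN/NOTE lines; exit status = number of WARNs
sysctl_lint() {
    _warn=0
    _ts=$(sysctl_get "$1" net.ipv4.tcp_timestamps)
    if [ "$(sysctl_get "$1" net.ipv4.tcp_tw_recycle)" = 1 ]; then
        echo "WARN tcp_tw_recycle=1: breaks clients behind NAT; removed in Linux 4.12"
        _warn=$((_warn + 1))
        if [ "$_ts" = 0 ]; then
            echo "WARN tcp_tw_recycle needs tcp_timestamps=1 to do anything; it is 0 here"
            _warn=$((_warn + 1))
        fi
    fi
    if [ "$(sysctl_get "$1" net.ipv4.tcp_tw_reuse)" = 1 ] && [ "$_ts" = 0 ]; then
        echo "WARN tcp_tw_reuse also depends on TCP timestamps; with tcp_timestamps=0 it is inert"
        _warn=$((_warn + 1))
    fi
    if sysctl_pairs "$1" | grep -q '^net\.netfilter\.nf_conntrack_'; then
        echo "NOTE net.netfilter.* keys exist only after nf_conntrack is loaded; otherwise sysctl -p reports them missing"
    fi
    return "$_warn"
}

sysctl_lint "$sample_conf" || echo "warnings: $?"
```

On the constructed excerpt this yields three warnings and one note, which is the point: the file above asks for TIME_WAIT recycling and reuse while switching off the timestamps both features depend on.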

14. Time synchronization

yum install chrony

vi /etc/chrony.conf

server 0.centos.pool.ntp.org

server 3.europe.pool.ntp.org

systemctl enable chronyd.service

systemctl start chronyd.service

timedatectl set-timezone Asia/Shanghai

timedatectl set-time "2015-01-21 11:50:00" #set the date and time manually; either part may be given alone

timedatectl #show the time status

chronyc sources -v #show the time sources

chronyc sourcestats -v

hwclock -w #write the system time to the hardware clock

15. Log out idle remote sessions after 5 minutes:

vim /etc/profile

Append at the end:

export TMOUT=300 #log out after 300 s of inactivity

Find

HISTSIZE=1000

and change it to:

HISTSIZE=100 #a shorter history; too much content makes it easy to miss important entries

HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S " #timestamp each history entry (the trailing space separates it from the command)

16. Prohibit IP spoofing

vim /etc/host.conf

Add:

nospoof on

17. Temporary file security

Files in temporary directories should not be executable, so mount them with noexec (together with nosuid and nodev).

/tmp entry in /etc/fstab:

/dev/sda3 /tmp ext4 nosuid,noexec,nodev,rw 0 0

Also point /var/tmp at /tmp with a symbolic link so it gets the same mount options.

/dev/shm entry in /etc/fstab:

none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
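The following is an added example, not from the original post: a POSIX sh check that the /tmp and /dev/shm entries of an fstab-format text carry nosuid, noexec and nodev, reporting exactly which option is missing (an entry such as the /dev/shm line above, which lacks nodev, shows up as a finding). sample_fstab is constructed, and the function names are this editor's; on a real host pass "$(cat /etc/fstab)" and compare with what is actually mounted via findmnt -no OPTIONS /tmp.

```shell
#!/bin/sh
# Added example: verify fstab mount options for the temporary file systems.
# sample_fstab is constructed; /dev/shm deliberately lacks noexec and nodev.
sample_fstab='
# constructed /etc/fstab excerpt
/dev/sda1 / ext4 defaults 1 1
/dev/sda3 /tmp ext4 nosuid,noexec,nodev,rw 0 0
none /dev/shm tmpfs defaults,nosuid,rw 0 0
'

# fstab_opts FSTAB MOUNTPOINT -> the options field (4th column) of the last
# non-comment entry for MOUNTPOINT, or "absent" if there is none
fstab_opts() {
    _o=$(printf '%s\n' "$1" \
        | awk -v mp="$2" '!/^[ \t]*#/ && $2 == mp {print $4}' | tail -n 1)
    if [ -n "$_o" ]; then echo "$_o"; else echo absent; fi
}

# has_opt OPTS NAME -> exit 0 if NAME is one of the comma-separated OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_opts FSTAB MOUNTPOINT REQUIRED... -> space-separated list of the
# REQUIRED options not present on MOUNTPOINT's entry ("" when none is missing)
missing_opts() {
    _fs=$1; _mp=$2; shift 2
    _opts=$(fstab_opts "$_fs" "$_mp")
    _missing=""
    for _r in "$@"; do
        has_opt "$_opts" "$_r" || _missing="$_missing $_r"
    done
    echo "${_missing# }"
}

# check_tmp_mounts FSTAB -> one line per temporary mount; exit status = entries with gaps
check_tmp_mounts() {
    _bad=0
    for _mp in /tmp /dev/shm; do
        _m=$(missing_opts "$1" "$_mp" nosuid noexec nodev)
        if [ -z "$_m" ]; then
            echo "$_mp: ok ($(fstab_opts "$1" "$_mp"))"
        else
            echo "$_mp: missing $_m"
            _bad=$((_bad + 1))
        fi
    done
    return "$_bad"
}

check_tmp_mounts "$sample_fstab" || echo "entries needing attention: $?"
```

An absent entry is treated as missing every option, so a /tmp that is simply part of the root file system is reported rather than silently passed.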

18. PAM authentication hardening

Configuration files:

ls /etc/pam.d/
chfn  chsh  config-util  crond  fingerprint-auth  fingerprint-auth-ac  login  newrole  other  passwd  password-auth  password-auth-ac  remote  run_init  runuser  runuser-l  smartcard-auth  smartcard-auth-ac  smtp  smtp.postfix  ssh-keycat  sshd  su  su-l  sudo  sudo-i  system-auth  system-auth-ac

Module directory:

ls /lib64/security/

18.1 pam_tally2.so

This module locks an account after three wrong passwords at login and releases the lock automatically after 5 minutes; while the lock is in place, even the correct password is rejected.

Add at the top of /etc/pam.d/sshd (directly after the #%PAM-1.0 header):

auth required pam_tally2.so deny=3 onerr=fail unlock_time=300

View the number of failures:

# pam_tally2
Login           Failures Latest failure     From
root               14    07/12/13 15:44:37  192.168.6.2
neo                 8    07/12/13 15:45:36  192.168.6.2

Reset the counter:

# pam_tally2 -r -u root
Login           Failures Latest failure     From
root               14    07/12/13 15:44:37  192.168.6.2
# pam_tally2 -r -u neo
Login           Failures Latest failure     From
neo                 8    07/12/13 15:45:36  192.168.6.2

The pam_tally2 counters are kept in /var/log/tallylog. Note that this is a binary file; read it with pam_tally2, not with cat.

Example 1. /etc/pam.d/sshd with pam_tally2.so

cat /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

The configuration above does not restrict the root user; to include root as well, use the following line instead:

auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=1800

18.2 pam_listfile.so

User login restrictions

Add the following line to /etc/pam.d/sshd. A whitelist is used here; a blacklist (see below) works the same way.

auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail

Add users who are allowed to log in to /etc/ssh/whitelist, other users will not be able to log in to your system via ssh

cat /etc/ssh/whitelist
neo
www

Example 2. /etc/pam.d/sshd with pam_listfile.so

cat /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

sense=allow is the whitelist form, sense=deny the blacklist form:

auth required pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail

For more details see the manual: man pam_listfile

18.3 pam_access.so

Edit the /etc/pam.d/sshd file and add the following line

account required pam_access.so

Restart sshd after saving.

Edit /etc/security/access.conf:

cat >> /etc/security/access.conf << EOF
-: root: ALL EXCEPT 192.168.6.1
EOF

root may then log in only from 192.168.6.1; to allow more addresses, list them after EXCEPT separated by spaces.

Test whether it works.

18.4 pam_wheel.so

Restrict ordinary users from raising their privileges to root through the su command. Only users belonging to the wheel group are allowed to switch to the root user through su

Edit /etc/pam.d/su and uncomment the line below:

auth required pam_wheel.so use_uid

Add the user to the wheel group:

# usermod -G wheel www
# id www
uid=501(www) gid=501(www) groups=501(www),10(wheel)

A user who is not in the wheel group gets an "incorrect password" message when using su:

$ su - root
Password:
su: incorrect password

18.5 Lock an ordinary user's account for 300 s after 6 failed login attempts

echo "account required pam_tally.so deny=100 no_magic_root reset" >>/etc/pam.d/system-auth

echo "auth required pam_tally.so onerr=fail deny=6 unlock_time=300" >>/etc/pam.d/system-auth

