These notes are organized following the lecture outline.
1. How to minimize the system installation
Minimal installation policy: install only what is needed, install on demand, and leave out what is not needed.
Select only the development tools, basic network, and basic application package groups.
Settings under CentOS 6.x: (installer screenshot not reproduced)
Settings under CentOS 7.x: (installer screenshot not reproduced)
2. Network setup: problems and experience
1) Server IP address configuration
/etc/sysconfig/network-scripts/ifcfg-eth0, ifcfg-eth1, ifcfg-eth2, ...
Command to restart the network interfaces:
service network restart   or   /etc/init.d/network restart
2) Gateway / host name configuration
/etc/sysconfig/network
3) DNS configuration
/etc/resolv.conf
4) Hosts file configuration
/etc/hosts
3. SELinux and iptables policy settings
1) SELinux configuration (how to turn SELinux off)
cat /etc/selinux/config
SELinux states:
enforcing    on: the policy is enforced
permissive   warn only: denials are logged but not blocked
disabled     off
Turn off from the command line: setenforce 0 (switches to permissive immediately and lasts until the next reboot; the state at boot is controlled by the config file above)
2) iptables configuration
/etc/sysconfig/iptables
Recommended configuration (the INPUT policy is set to ACCEPT before flushing so that the SSH session used to apply the rules is not cut off while they are rebuilt; the --tcp-flags lines drop packets with impossible flag combinations, such as NULL or SYN+FIN, that only scanners send; if sshd is moved to port 22221 as in section 4, the two port-22 rules must be changed to the new port before sshd is restarted):
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 1.1.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 2.2.2.2/32 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
4. SSH login policy
1) Login policy
Back up first: cp /etc/ssh/sshd_config sshd_config_bak (a required habit in operations work)
vi /etc/ssh/sshd_config
# SSH listening port: change the default port 22 to 10000 or above so the service is not picked up by routine scans
Port 22221
# Do not do reverse DNS lookups, to speed up SSH connections
UseDNS no
# Turn off GSSAPI authentication, to speed up SSH connections
GSSAPIAuthentication no
# Forbid root login
PermitRootLogin no
Restart sshd from a session you keep open, and confirm a new connection on the new port works before closing it.
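The port change above only works together with the iptables rules from section 3, which open port 22. The following check, an added example that is not part of the original post, reads the Port directives from an sshd_config and verifies that a saved iptables rules file (the /etc/sysconfig/iptables format) accepts each of them, so the mismatch is found before sshd is restarted. The file paths and sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): before restarting sshd on a new
# port (section 4), confirm that the saved iptables ruleset (section 3) actually
# accepts that port, so the change does not lock you out of the server.

# Return 0 if every "Port" directive in sshd_config has a matching tcp ACCEPT
# rule in the iptables rules file, 1 otherwise. Commented-out Port lines are
# ignored; sshd listens on 22 when no Port directive is present.
# $1: path to sshd_config   $2: path to rules in /etc/sysconfig/iptables format
check_ssh_port_allowed() {
    sshd_conf=$1
    rules=$2
    ports=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$sshd_conf" | awk '{print $2}')
    [ -n "$ports" ] || ports=22
    status=0
    for p in $ports; do
        # the port must be followed by a non-digit so 22 does not match 22221
        if grep -E -e '-p tcp .*--dport '"$p"'([^0-9]|$).*-j ACCEPT' "$rules" >/dev/null; then
            echo "port $p: accepted by a rule in $rules"
        else
            echo "port $p: NOT accepted by any rule in $rules" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample files: sshd moved to 22221 while the ruleset still opens only 22
demo=$(mktemp -d)
printf '%s\n' 'Port 22221' 'UseDNS no' 'PermitRootLogin no' > "$demo/sshd_config"
printf '%s\n' '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT' \
              '-A INPUT -s 1.1.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT' > "$demo/iptables"
check_ssh_port_allowed "$demo/sshd_config" "$demo/iptables" || echo "fix the ruleset before restarting sshd"
rm -rf "$demo"
```

On a real host, run it as `check_ssh_port_allowed /etc/ssh/sshd_config /etc/sysconfig/iptables` after `service iptables save`.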
2) User rights policy
Root is not allowed to log in; only normal users may log in, and anything needing administrator privileges is run through sudo, so that nobody works directly as root.
How to authorize a user with sudo?
/etc/sudoers file (edit it with visudo, which checks the syntax before saving)
<user entries>
Common configuration:
martin ALL=(root) NOPASSWD: /bin/mv, /bin/chmod
Note that /bin/chmod and /bin/mv run as root are effectively full root: a user who can change the permissions of, or move, any file can alter any system file, so a command list like this limits convenience rather than privilege. Grant only the specific commands and arguments a user actually needs.
5. Update the yum sources and install necessary software
A few common yum sources:
EPEL: https://fedoraproject.org/wiki/EPEL
RepoForge: http://repoforge.org/use/
6. Update the server time automatically on a schedule
1) Set time synchronization via crontab
Recommended time server: ntp.sjtu.edu.cn
/usr/sbin/ntpdate ntp.sjtu.edu.cn >> /var/log/ntp.log 2>&1; /sbin/hwclock -w
2) Setting up an NTP server
Pay attention to two files:
/etc/ntp/ntpserver.conf
/etc/ntp.conf
7. Streamlined boot-up services
Services recommended for production servers:
crond, network, syslog, sshd, iptables, udev-post, sysstat
Quick method (SysV chkconfig, i.e. CentOS 6 and earlier; note that on CentOS 6 the syslog service is named rsyslog):
First turn everything off at runlevel 3:
for serv in $(chkconfig --list | grep 3:on | awk '{print $1}'); do chkconfig --level 3 $serv off; done
Then turn on the services you need:
for serv in crond network syslog sshd iptables udev-post sysstat; do chkconfig --level 3 $serv on; done
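The off-then-on loops above work, but they give no chance to review what is being disabled. The following added example, which is not part of the original post, computes the list of runlevel-3 services that are on but not in the allowlist from `chkconfig --list` text, so the list can be inspected (or tested) before any chkconfig command runs. The sample chkconfig output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): list the runlevel-3 services that
# should be turned off, given the allowlist from section 7, instead of
# switching everything off and back on blindly.

ALLOWED="crond network syslog sshd iptables udev-post sysstat"

# Print, one per line, services that are "3:on" but not in $ALLOWED.
# $1: text in `chkconfig --list` format (read from stdin when omitted).
services_to_disable() {
    { if [ $# -gt 0 ]; then printf '%s\n' "$1"; else cat; fi; } |
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        # SysV lines look like "sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off";
        # xinetd sub-service lines ("rsync: off") have no 3:on field and are skipped
        /(^|[ \t])3:on([ \t]|$)/ && !($1 in keep) { print $1 }
    '
}

# Constructed sample of chkconfig --list output (not captured from a real host)
SAMPLE='crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
smartd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        rsync:          off'

services_to_disable "$SAMPLE"    # prints cups and bluetooth, one per line

# To apply on a real host (not run here):
#   for serv in $(chkconfig --list | services_to_disable); do chkconfig --level 3 $serv off; done
```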
8. Delete unnecessary system users and groups
System users and groups that can be deleted (delete the users first, as listed here: groupdel refuses to remove a group that is still the primary group of an existing user):
# delete unnecessary users
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel video
userdel games
userdel gopher
userdel ftp
# delete unnecessary groups
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
9. Clean up junk files automatically at regular intervals
To find large files: du -sh /*
Clean the /var/spool/clientmqueue/ directory regularly to prevent the filesystem's inodes from being used up (undeliverable cron mail accumulates there when sendmail is not running).
10. Important file security policy
chattr +i /etc/sudoers
chattr +i /etc/shadow
chattr +i /etc/passwd
chattr +i /etc/grub.conf
An immutable file cannot be changed even by root until the flag is removed with chattr -i, so remember this before running useradd, passwd, visudo or a kernel update; check the current flags with lsattr.
11. Simple kernel parameter optimization
1) Pay attention to the ulimit command
Configuration files to focus on:
# ls /etc/security/limits.*
limits.conf  limits.d/
Limits to focus on: ulimit -c (core file size), -f (file size), -n (open files), -u (max user processes)
12. System troubleshooting: what to look at
1) tail -f /var/log/messages   # application log
2) tail -f /var/log/secure     # login log
3) dmesg                       # kernel/system log
4) /var/tmp, /tmp              # world-writable directories that attackers commonly use, check them
5) crontab -l, /etc/crontab    # scheduled tasks (a frequent target of attackers); crontab -l shows only the current user's crontab, so also review /var/spool/cron/ for every user
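Watching /var/log/secure with tail -f shows individual lines; what usually matters is how many failed logins a single source is producing. The following added example, not part of the original post, counts sshd "Failed password" lines per source address from secure-format log text. The log lines are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): summarise failed SSH logins per
# source address from /var/log/secure-style lines (section 12, item 2).

# Print "count ip" pairs, most frequent first, for sshd "Failed password" lines.
# $1: log text (read from stdin when omitted).
failed_ssh_by_source() {
    { if [ $# -gt 0 ]; then printf '%s\n' "$1"; else cat; fi; } |
    awk '
        /sshd\[[0-9]+\]: Failed password/ {
            # the source address is the field after the literal word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Constructed sample lines in /var/log/secure format (not from a real host)
SAMPLE='Jul 10 10:01:02 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 10 10:01:05 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 10 10:01:09 web1 sshd[2315]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jul 10 10:02:40 web1 sshd[2320]: Accepted publickey for martin from 198.51.100.4 port 40112 ssh2
Jul 10 10:03:11 web1 sshd[2330]: Failed password for martin from 198.51.100.4 port 40120 ssh2'

failed_ssh_by_source "$SAMPLE"    # prints "3 203.0.113.7" then "1 198.51.100.4"

# On a real host (not run here): failed_ssh_by_source < /var/log/secure
```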
This article is from Martin's blog; reprinting is not permitted.
Linux operations experience: sharing and reflections