Linux operation and maintenance experience sharing and thinking

Source: Internet
Author: User
Tags ack set time syslog

This article is compiled from lecture notes.

1. How to do a minimal installation of the system

Minimal installation policy:

Install the minimum, install on demand, and do not install what is not needed.

Development packages, basic network packages, basic application packages


Settings under centos6.x:

(screenshot 6.png: CentOS 6.x installation settings; image not reproduced)


Settings under centos7.x:

(screenshot 7.png: CentOS 7.x installation settings; image not reproduced)


2. Network setup problems and experience

1) Server IP address configuration

/etc/sysconfig/network-scripts/ifcfg-eth0 (ifcfg-eth1, ifcfg-eth2, ...)

Command to restart the network interfaces:

service network restart   or   /etc/init.d/network restart

2) Gateway / host name configuration

/etc/sysconfig/network

3) DNS configuration

/etc/resolv.conf

4) Hosts file configuration

/etc/hosts


3. SELinux and iptables policy settings

1) SELinux configuration (how to turn off SELinux)

cat /etc/selinux/config

SELinux states:

enforcing: enabled, the policy is enforced

permissive: the policy is not enforced, violations are only logged (warning mode)

disabled: off

Switch to permissive from the command line (takes effect immediately, not persistent across a reboot; make it permanent in /etc/selinux/config): setenforce 0

2) iptables configuration

/etc/sysconfig/iptables

Recommended configuration:

iptables -P INPUT ACCEPT
iptables -F

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 1.1.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 2.2.2.2/32 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
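The same rule set, written as an added example (not from the original notes) in the iptables-restore format that /etc/sysconfig/iptables holds, so it is loaded atomically instead of through the ACCEPT-then-flush sequence above. The admin networks 1.1.1.0/24 and 2.2.2.2/32 and the internal interface eth1 are the placeholder values from the notes and must be replaced. One deliberate difference from the command list: the malformed-TCP-flag DROP rules are placed before the service ACCEPT rules, so they apply to port 80 and 22 traffic as well; in the order above a bad-flag packet to port 80 is accepted before it is ever inspected.

```shell
#!/bin/bash
# Added example: render the notes' recommended INPUT policy as an
# iptables-restore file (the format of /etc/sysconfig/iptables).
# Placeholders from the notes: 1.1.1.0/24, 2.2.2.2/32 (admin networks), eth1.

render_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and the internal interface are fully trusted
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
# Replies to connections this host opened
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Malformed TCP flag combinations, dropped before any service is reachable
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
# Public web service
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# SSH only from the admin networks (adjust --dport if sshd is moved off 22)
-A INPUT -s 1.1.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 2.2.2.2/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Number of INPUT rules in the rendered file.
rule_count() { render_ruleset | grep -c '^-A INPUT'; }

# Default policy of a chain, e.g. policy_of INPUT -> DROP
policy_of() { render_ruleset | awk -v c=":$1" '$1 == c { print $2 }'; }

# Ordering check: every --tcp-flags DROP must precede the first service ACCEPT,
# otherwise a malformed packet to an open port is accepted before inspection.
drops_precede_services() {
    first_drop=$(render_ruleset | grep -n -- '--tcp-flags' | head -n1 | cut -d: -f1)
    first_svc=$(render_ruleset | grep -n -- '--dport' | head -n1 | cut -d: -f1)
    [ "$first_drop" -lt "$first_svc" ]
}

# Write the file only when RULES_OUT is set, e.g.
#   RULES_OUT=/etc/sysconfig/iptables ./render.sh && iptables-restore < /etc/sysconfig/iptables
if [ -n "${RULES_OUT:-}" ]; then
    render_ruleset > "$RULES_OUT"
fi
```

Review the rendered file before loading it on a remote host: with the INPUT policy at DROP, a missing or mistyped admin network in the port 22 rules locks you out of SSH.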


4. SSH login system policy

1) Login policy

Back up first: cp /etc/ssh/sshd_config sshd_config_bak (a basic rule of operations work)

vi /etc/ssh/sshd_config

# SSH listening port: change the default port 22 to a number above 10000 to avoid being found by scans and attacked
Port 22221

# Do not do reverse DNS lookups, to speed up SSH connections
UseDNS no

# Turn off GSSAPI authentication, to speed up SSH connections
GSSAPIAuthentication no

# Do not allow the root account to log in
PermitRootLogin no
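An added example (not from the original notes) that audits an sshd_config against the four settings above and reports drift. It reads only the global directives, the way sshd does (first occurrence wins, keywords are case-insensitive), and treats a missing directive as a finding because the compiled-in default differs between OpenSSH versions. The two sample configurations are constructed for the demonstration; set SSHD_CONFIG to audit a real file.

```shell
#!/bin/bash
# Added example: check sshd_config for the hardening directives from the notes.

# Effective value of a directive: first non-comment occurrence, lower-cased.
# Prints nothing when the directive is absent.
sshd_get() {   # sshd_get <file> <keyword>
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == k { print tolower($2); exit }' "$1"
}

# One line per deviation; the return value is the number of deviations.
audit_sshd() {   # audit_sshd <file>
    file=$1; n=0
    port=$(sshd_get "$file" Port)
    if [ -z "$port" ] || [ "$port" -le 10000 ]; then
        echo "Port=${port:-22 (default)}: the notes recommend a port above 10000"
        n=$((n + 1))
    fi
    for kw in UseDNS GSSAPIAuthentication PermitRootLogin; do
        val=$(sshd_get "$file" "$kw")
        if [ "$val" != "no" ]; then
            echo "$kw=${val:-<unset>}: expected 'no'"
            n=$((n + 1))
        fi
    done
    return $n
}

# Constructed sample configs for the demonstration (not real host files).
write_sample_config() {   # write_sample_config hardened|stock -> prints the temp file path
    f=$(mktemp)
    if [ "$1" = hardened ]; then
        cat >"$f" <<'EOF'
# constructed sample: the settings from the notes applied
Port 22221
UseDNS no
GSSAPIAuthentication no
PermitRootLogin no
EOF
    else
        cat >"$f" <<'EOF'
# constructed sample: distribution-style defaults, nothing hardened
#Port 22
GSSAPIAuthentication yes
PermitRootLogin yes
EOF
    fi
    printf '%s\n' "$f"
}

# Audit a real file when SSHD_CONFIG is set, e.g. SSHD_CONFIG=/etc/ssh/sshd_config
if [ -n "${SSHD_CONFIG:-}" ]; then
    if audit_sshd "$SSHD_CONFIG"; then echo "$SSHD_CONFIG: all four settings present"; fi
fi
```

Two caveats when applying the port change: the firewall rules in section 3 still open only port 22, so the port 22 rules need updating to the new port before sshd is restarted, and settings inside sshd Match blocks are not seen by this script (sshd -T prints the effective configuration).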

2) User rights policy

The root user is not allowed to log in to the system; only ordinary users are authorized to log in, and commands that need administrator privileges are run through sudo, so that root never logs in directly.

How is a user authorized through sudo?

/etc/sudoers file

<user list>

Common configuration:

martin ALL=(root) NOPASSWD: /bin/mv, /bin/chmod


5. Update the yum repositories and install the necessary software

A few common yum repositories:

EPEL: https://fedoraproject.org/wiki/EPEL

RepoForge: http://repoforge.org/use/

6. Update the server time automatically on a schedule

1) Set up time synchronization via crontab

Recommended time server: ntp.sjtu.edu.cn

/usr/sbin/ntpdate ntp.sjtu.edu.cn >> /var/log/ntp.log 2>&1; /sbin/hwclock -w

2) Setting up an NTP server

Pay attention to two files:

/etc/ntp/ntpserver.conf

/etc/ntp.conf


7. Streamline the services started at boot

Services recommended for production servers:

crond, network, syslog, sshd, iptables, udev-post, sysstat

Quick setup method:

First turn everything off:

for serv in `chkconfig --list | grep 3:on | awk '{print $1}'`; do chkconfig --level 3 $serv off; done

Then turn on the services you need:

for serv in crond network syslog sshd iptables udev-post sysstat; do chkconfig --level 3 $serv on; done


(screenshot 8.jpg: chkconfig service list; image not reproduced)
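Before running the off/on loops above on a live host, it is worth seeing which extra services are actually enabled. The following added example (not from the original notes) parses a saved chkconfig --list capture, compares runlevel 3 against the allow-list from the notes, and prints the chkconfig commands that would disable the extras instead of executing them. The capture below is constructed for the demonstration.

```shell
#!/bin/bash
# Added example: find services enabled at runlevel 3 that are not on the allow-list.
# Works on a saved "chkconfig --list > file" capture, so it can be reviewed offline.

ALLOWED="crond network syslog sshd iptables udev-post sysstat"   # list from the notes

# Constructed sample capture (not from a real host).
write_sample_chkconfig() {   # prints the temp file path
    f=$(mktemp)
    cat >"$f" <<'EOF'
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sysstat         0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
EOF
    printf '%s\n' "$f"
}

# Services enabled at runlevel 3 (field 5 of each chkconfig line is the "3:" column).
level3_on() { awk '$5 == "3:on" { print $1 }' "$1"; }

# Enabled services that are not on the allow-list, one per line.
unexpected_level3() {
    level3_on "$1" | while read -r svc; do
        case " $ALLOWED " in
            *" $svc "*) ;;                 # expected, keep
            *) printf '%s\n' "$svc" ;;
        esac
    done
}

# The commands that would disable the extras: printed for review, not executed.
disable_commands() {
    unexpected_level3 "$1" | while read -r svc; do
        printf 'chkconfig --level 3 %s off\n' "$svc"
    done
}

# Usage on a CentOS 6 host: chkconfig --list > /tmp/chk.txt; disable_commands /tmp/chk.txt
```

Services managed by xinetd are listed in a separate block of chkconfig --list with a different layout and are not covered by the field-5 check; review that block by hand.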


8. Delete unnecessary system users and groups

System users and groups that can be deleted:

# delete unnecessary users
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel video
userdel games
userdel gopher
userdel ftp

# delete unnecessary groups
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games

9. Clean up junk files automatically at regular intervals

Method for finding large files: du -sh /*

Clean the /var/spool/clientmqueue/ directory to prevent the inodes from being used up

10. Important file security policy

chattr +i /etc/sudoers
chattr +i /etc/shadow
chattr +i /etc/passwd
chattr +i /etc/grub.conf

11. Simple optimization of kernel parameters

1) Pay attention to the ulimit command

Focus on the configuration files:

[user@host alertscripts]# ls /etc/security/limits.   (press Tab to complete)

limits.conf  limits.d/

Need to focus on: ulimit -c, -f, -n, -u

12. System troubleshooting: what to look at

1) tail -f /var/log/messages   # application log
2) tail -f /var/log/secure     # login log
3) dmesg                       # kernel / system log
4) /var/tmp, /tmp              # commonly attacked locations, check them
5) crontab -l, /etc/crontab    # scheduled tasks (a frequent target of attackers)
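Watching /var/log/secure with tail -f shows individual lines; on a busy host it helps to summarize them. The following added example (not from the original notes) runs a few awk summaries over sample secure-log lines: failed password attempts per source address, sources above a threshold, attempts against the root account (which the notes' PermitRootLogin no makes suspicious by definition), and commands run through sudo. The log lines are constructed with documentation-range IP addresses.

```shell
#!/bin/bash
# Added example: summarize a /var/log/secure-style file for login troubleshooting.

# Constructed sample log (not from a real host).
write_sample_secure() {   # prints the temp file path
    f=$(mktemp)
    cat >"$f" <<'EOF'
Jul  9 10:15:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jul  9 10:15:03 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Jul  9 10:15:09 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 40120 ssh2
Jul  9 10:16:40 web1 sshd[2230]: Accepted publickey for martin from 192.0.2.10 port 51522 ssh2
Jul  9 10:17:02 web1 sshd[2240]: Failed password for martin from 198.51.100.4 port 60211 ssh2
Jul  9 10:18:00 web1 sudo:   martin : TTY=pts/0 ; PWD=/home/martin ; USER=root ; COMMAND=/bin/chmod 644 /etc/hosts
EOF
    printf '%s\n' "$f"
}

# "count ip" per source of failed password attempts, highest count first.
failed_by_source() {   # failed_by_source <log>
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn
}

# Sources with more failures than <max>, one address per line.
sources_over_threshold() {   # sources_over_threshold <log> <max>
    failed_by_source "$1" | awk -v max="$2" '$1 > max { print $2 }'
}

# Password attempts against root; with PermitRootLogin no these can never succeed,
# so any non-zero count is worth a look.
root_password_attempts() { grep -c 'Failed password for root ' "$1"; }

# Commands executed through sudo, with the invoking user (field 6 of the sudo line).
sudo_commands() {
    awk '/ sudo: / { user = $6; sub(/^.*COMMAND=/, ""); print user " -> " $0 }' "$1"
}

# Usage on a host: failed_by_source /var/log/secure | head; sudo_commands /var/log/secure
```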


This article is from the "Martin" blog; reprinting is declined.
