The latest and most comprehensive Linux system tuning Guide (CENTOS7. X

Linux System Tuning Guide (CENTOS7. X

Welcome to follow my latest blog address: https://owelinux.github.io/

Turn off unnecessary services (such as print services, etc.)

for owelinux in `chkconfig --list | grep "3:on" | awk ‘{print $1}‘`; do chkconfig $owelinux off; donefor owelinux in crond network sshd rsyslog sysstat iptables; do chkconfig $owelinux on; done

Turn off unwanted TTY

\cp /etc/securetty  /etc/securetty.bak>/etc/securettyecho "tty1" >>/etc/securettyecho "tty2" >>/etc/securettyecho "tty3" >>/etc/securetty

Resizing a Linux file descriptor

\cp /etc/security/limits.conf /etc/security/limits.conf.$(date +%F)ulimit -HSn 65535echo -ne "* soft nofile 65535* hard nofile 65535" >>/etc/security/limits.confecho "ulimit -c unlimited" >> /etc/profilesource /etc/profile

Modify the number of history records and connection time-outs for Shell commands

echo "export HISTCONTROL=ignorespace" >>/etc/profileecho "export HISTCONTROL=erasedups" >>/etc/profileecho "HISTSIZE=500" >> /etc/profile#修改帐户TMOUT值，设置自动注销时间echo "export TMOUT=300" >>/etc/profile echo "set autologout=300" >>/etc/csh.cshrcsource /etc/profile

Emptying the system version information join the login warning

>/etc/motd >/etc/issue>/etc/redhat-releaseecho "Authorized uses only. All activity may be monitored   and reported." >>/etc/motdecho "Authorized uses only. All activity may be monitored   and reported." >> /etc/issueecho "Authorized uses only. All activity may be monitored   and reported." >> /etc/issue.netchown root:root /etc/motd /etc/issue  /etc/issue.netchmod 644 /etc/motd /etc/issue  /etc/issue.net

Optimizing Kernel TCP Parameters

cat >>/etc/sysctl.conf<<EOF  net.ipv4.tcp_fin_timeout = 1  net.ipv4.tcp_keepalive_time = 1200  net.ipv4.tcp_mem = 94500000 915000000 927000000  net.ipv4.tcp_tw_reuse = 1  net.ipv4.tcp_timestamps = 0  net.ipv4.tcp_synack_retries = 1  net.ipv4.tcp_syn_retries = 1  net.ipv4.tcp_tw_recycle = 1  net.core.rmem_max = 16777216  net.core.wmem_max = 16777216  net.core.netdev_max_backlog = 262144  net.ipv4.tcp_max_orphans = 3276800  net.ipv4.tcp_max_syn_backlog = 262144  net.core.wmem_default = 8388608  net.core.rmem_default = 8388608  EOF/sbin/sysctl -p

Log in to the machine to send an email alert

yum -y install mailxcat >>/root/.bashrc << EOFecho ‘ALERT - Root Shell Access (Server Name) on:‘ \`date\`\`who\`\`hostname\` | mail -s "Alert:Root Access from \`who | cut -d "(" -f2 | cut -d ")" #-f1\`" [email protected]EOF

Timing Server Time Correction

echo ‘0 * * * * /usr/sbin/ntpdate -u  0.cn.pool.ntp.org;/sbin/hwclock -w > /dev/null 2>&1‘ >> /var/spool/cron/root/usr/sbin/ntpdate -u  0.cn.pool.ntp.org;/sbin/hwclock -w systemctl  

Stop IPv6

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

Modify Yum Source

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backupwget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repoyum -y reinstall epel-releaseyum clean allyum makecache

Turn off SELinux

Install the necessary services and update the system software

yum -y groupinstall "Development tools"yum -y install ntpdate sysstat lrzsz wget nmap tree curl  epel-release lsof nano bash-completion net-tools lsof vim-enhanced

SSH optimized for faster connection speeds

#1, configure the time-out interval for idle logout: #2, disable. rhosts File # #, disable host-based authentication # #, prohibit root account login via ssh, banner#6 with warning, iptables firewall handles SSH port 22123#7, modify S SH port and restricted IP binding: #8, disable blank password: #9, log: mv/etc/ssh//etc/sshbakmkdir-p/application/toolscd/application/toolsyum-y Install W Get C gcc ccwget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gztar-zxf openssh-7.6p1.tar.gzcd Openssh-7.6p1yum install-y zlib-devel openssl-devel Pam pam-devel./configure--prefix=/usr--sysconfdir=/etc/ssh-- Without-zlib-version-check--with-pamchmod 600/etc/ssh/*_keymake-j4rpm-e--nodeps ' Rpm-qa | grep openssh ' make install SSH-VCP contrib/redhat/sshd.init/etc/init.d/sshdchkconfig--add sshdmv/etc/ssh/sshd_config /etc/ssh/sshd_config_ ' Date +%f ' cat >/etc/ssh/sshd_config<<eofport 22123pidfile/var/run/ Sshd.pidsyslogfacility authloglevel infologingracetime 30PermitRootLogin nostrictmodes yesmaxauthtries 3MaxSessions 15#allowusers root lovelinuxpubkeyauthentication yesauthorizedkeysfile. ssh/authorized_keyspAsswordauthentication yespermitemptypasswords nochallengeresponseauthentication yesGSSAPIAuthentication Nogssapicleanupcredentials yesusepam no clientaliveinterval 0ClientAliveCountMax 3UseDNS nosubsystem sftp/usr/lib/s Sh/sftp-serverciphers aes128-ctr,aes192-ctr,aes256-ctrmacs Hmac-sha2-256,hmac-sha2-512eofecho "#save sshd messages Also to Sshd.log ">>/etc/rsyslog.conf echo" local5.*/var/log/sshd.log ">>/etc/rsyslog.conf systemctl Restart Rsyslogsystemctl Stop sshd && systemctl start Sshdsystemctl Reload sshd

Remove users and user groups that are not required by the system

   for i in adm lp sync shutdown halt news uucp operator games gopher   do      userdel $i  2>/dev/null   done && action "delete user: " /bin/true || action "delete user: " /bin/false   for i in adm  news uucp games dip pppusers popusers slipusers   do      groupdel $i  2>/dev/null   done

Modify the complexity of password authentication, and the Expiration time

Mv/etc/pam.d/system-auth/etc/pam.d/system-auth_ ' Date +%f ' cat >/etc/pam.d/system-auth<<eof#%pam-1.0# this File is auto-generated.# User changes would be destroyed the next time Authconfig is Run.auth required pam_env. Soauth Required pam_tally.so onerr=fail deny=6 Unlock_time=1800auth sufficient pam_unix.so Nullok Try_first_pass    Auth requisite pam_succeed_if.so uid >= Quietauth required Pam_deny.soauth sufficient /lib/security/pam_unix.so Likeauth Nullokaccount required Pam_unix.soaccount sufficient PAM_LOCALUSER.SOAC     Count sufficient pam_succeed_if.so UID < quietaccount required Pam_permit.sopassword requisite pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 Ocredit=-1password sufficient p Am_unix.so sha512 Shadow Nullok try_first_pass Use_authtokpassword required pam_deny.sosession optional p   Am_keyinit.so revokesession  Required Pam_limits.sosession [Success=1 Default=ignore] pam_succeed_if.so service in Crond quiet Use_uidsessio N Required Pam_unix.soetc/pam.d/system-auth eofcat >/etc/pam.d/sshd<<eof #%pam-1.0#auth required P am_google_authenticator.so Nullokauth required Pam_sepermit.soauth substack Password-authauth in Clude postlogin# used with Polkit to reauthorize users in remote Sessions-auth optional pam_reauthorize.so p Repareaccount required pam_nologin.soaccount include Password-authpassword include password-auth# PA M_selinux.so close should be the first session rulesession required pam_selinux.so closesession required Pam _loginuid.so# pam_selinux.so Open should only being followed by sessions to being executed in the user contextsession require D pam_selinux.so Open env_paramssession required pam_namespace.sosession optional pam_keyinit.so Force R Evokesession include     Password-authsession include postlogin# used with Polkit to reauthorize users in remote sessions-session op tional pam_reauthorize.so prepareeof

Use the Noatime file system Mount option to remove the SendMail from CentOS, using postfix to increase the swap partition size (typically twice times the memory)

dd if=/dev/zero of=/mnt/swapfile bs=4M count=1024mkswap /mnt/swapfile swapon /mnt/swapfile echo "/mnt/swapfile swap swap defaults 0 0" >>/etc/fstabmount -afree -m | grep -i swap

Use Iptables to close ports that do not need to be opened

systemctl disable firewalldsystemctl stop firewalldyum -y install iptables-servicessystemctl start iptablessystemctl start ip6tablessystemctl enable iptablessystemctl enable ip6tablesiptables -Fiptables -A INPUT -i lo -j ACCEPTiptables -A INPUT -p tcp --dport 22123 -j ACCEPTiptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPTiptables -A INPUT -p icmp -j ACCEPTiptables -A INPUT -j DROPservice iptables save

Start the System Audit service

Yum install audit*.*-ycat >>/etc/audit/audit.rules<<eof-w/var/log/audit/-K log_audit-w/etc/audit/-p wa- K cfg_audit-w/etc/sysconfig/auditd-p wa-k cfg_auditd.conf-w/etc/libaudit.conf-p wa-k CFG_libaudit.conf-w/etc/audisp /-P wa-k cfg_audisp-w/etc/cups/-P wa-k cfg_cups-w/etc/init.d/cups-p wa-k cfg_initd_cups-w/etc/netlabel.rules-p W A-k cfg_netlabel.rules-w/etc/selinux/mls/-P wa-k cfg_mac_policy-w/usr/share/selinux/mls/-P wa-k CFG_MAC_policy-w/E Tc/selinux/semanage.conf-p wa-k cfg_mac_policy-w/usr/sbin/stunnel-p x-w/etc/security/rbac-self-test.conf-p wa-k CFG _rbac_self_test-w/etc/aide.conf-p wa-k cfg_aide.conf-w/etc/cron.allow-p wa-k cfg_cron.allow-w/etc/cron.deny-p wa-  K cfg_cron.deny-w/etc/cron.d/-P wa-k cfg_cron.d-w/etc/cron.daily/-P wa-k cfg_cron.daily-w/etc/cron.hourly/-P wa-k Cfg_cron.hourly-w/etc/cron.monthly/-P wa-k cfg_cron.monthly-w/etc/cron.weekly/-P wa-k CFG_cron.weekly-w/etc/cronta B-p wa-k cfg_crontab-w/var/spool/cron/root-k cfg_crontab_root-w/etc/group-p wa-k cfg_group-w/etc/passwd-p wa-k CFG_passwd-w/etc/gshadow -K cfg_gshadow-w/etc/shadow-k cfg_shadow-w/etc/security/opasswd-k cfg_opasswd-w/etc/login.defs-p wa-k CFG_login.def S-w/etc/securetty-p wa-k cfg_securetty-w/var/log/faillog-p wa-k log_faillog-w/var/log/lastlog-p wa-k LOG_lastlog- W/var/log/tallylog-p wa-k log_tallylog-w/etc/hosts-p wa-k cfg_hosts-w/etc/sysconfig/network-scripts/-P wa-k CFG_n Etwork-w/etc/inittab-p wa-k cfg_inittab-w/etc/rc.d/init.d/-P wa-k cfg_initscripts-w/etc/ld.so.conf-p wa-k CFG_ld. So.conf-w/etc/localtime-p wa-k cfg_localtime-w/etc/sysctl.conf-p wa-k cfg_sysctl.conf-w/etc/modprobe.conf-p wa-k Cfg_modprobe.conf-w/etc/pam.d/-P wa-k cfg_pam-w/etc/security/limits.conf-p wa-k cfg_pam-w/etc/security/pam_env.con F-P wa-k cfg_pam-w/etc/security/namespace.conf-p wa-k cfg_pam-w/etc/security/namespace.init-p wa-k CFG_pam-w/etc/ Aliases-p wa-k Cfg_aliaSes-w/etc/postfix/-P wa-k cfg_postfix-w/etc/ssh/sshd_config-k cfg_sshd_config-w/etc/vsftpd.ftpusers-k CFG_VSFTPD.F Tpusers-a exit,always-f arch=b32-s sethostname-w/etc/issue-p wa-k cfg_issue-w/etc/issue.net-p wa-k CFG_issue.netEO Fsystemctl Enable Auditdservice auditd restart

Deployment Integrity Check Tool software

yum -y install aide#1）执行初始化，建立第一份样本库aide -imv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz#2）更新到样本库aide -ucd /var/lib/aide/mv aide.db.new.gz aide.db.gz#3）定期执行***检测，并发送报告# crontab -e#45 17 * * * /usr/sbin/aide -C -V4 | /bin/mail -s ”AIDE REPORT $（date +%Y%m%d）” abcdefg#163.comecho ‘45 23 * * * aide -C >> /var/log/aide/`date +%Y%m%d`_aide.log‘ >> /var/spool/cron/root#记录aide可执行文件的md5 checksum：md5sum /usr/sbin/aide

Turn off Ctrl+alt+del Restart the machine

rm -f /usr/lib/systemd/system/ctrl-alt-del.targe && init q#恢复  ln -s /usr/lib/systemd/system/reboot.target /usr/lib/systemd/system/ctrl-alt-del.target

File locking and modify default permissions

#1、限制   at/cron给授权的用户:rm -f /etc/cron.deny /etc/at.denyecho root >/etc/cron.allowecho root >/etc/at.allowchown root:root /etc/cron.allow /etc/at.allowchmod 400 /etc/cron.allow /etc/at.allow#2、Crontab文件限制访问权限:chown root:root /etc/crontabchmod 400 /etc/crontabchown -R root:root /var/spool/cronchmod -R go-rwx /var/spool/cronchown -R root:root /etc/cron.*chmod -R go-rwx /etc/cron.*#3、加锁重要口令文件和组文件chattr +i /etc/passwdchattr +i /etc/shadowchattr +i /etc/groupchattr +i /etc/gshadowchattr +i /etc/xinetd.confchattr +i /etc/services

The latest and most comprehensive Linux system tuning Guide (CENTOS7. X