Linux System Tuning Guide (CentOS 7.x)
Follow my latest blog at: https://owelinux.github.io/
Turn off unnecessary services (print services and the like)
for svc in `chkconfig --list | grep "3:on" | awk '{print $1}'`; do chkconfig $svc off; done
for svc in crond network sshd rsyslog sysstat iptables; do chkconfig $svc on; done
On CentOS 7, chkconfig --list only covers SysV-style services; native systemd units are listed and disabled with systemctl (systemctl list-unit-files --type=service --state=enabled), so check both before assuming nothing unwanted starts at boot.
Disable unneeded TTYs (restrict where root may log in on the console)
\cp /etc/securetty /etc/securetty.bak
>/etc/securetty
echo "tty1" >>/etc/securetty
echo "tty2" >>/etc/securetty
echo "tty3" >>/etc/securetty
/etc/securetty lists the terminals on which pam_securetty allows root to log in; leaving only tty1 to tty3 keeps root off serial lines and the remaining virtual consoles.
Raise the file descriptor limit
\cp /etc/security/limits.conf /etc/security/limits.conf.$(date +%F)
ulimit -HSn 65535
echo -e "* soft nofile 65535\n* hard nofile 65535" >>/etc/security/limits.conf
echo "ulimit -c unlimited" >> /etc/profile
source /etc/profile
The two limits.conf entries must land on separate lines, so echo -e with \n is used rather than -n. Note that ulimit -c unlimited enables core dumps for every login shell; a core file contains whatever the process held in memory (keys, passwords, session tokens), so restrict where dumps land (kernel.core_pattern, fs.suid_dumpable) or leave this line out on hosts that handle secrets.
Limit shell history and set an idle session timeout
echo "export HISTCONTROL=ignorespace:erasedups" >>/etc/profile
echo "HISTSIZE=500" >> /etc/profile
# Set TMOUT so idle shells are logged out automatically (seconds for bash; tcsh's autologout is in minutes)
echo "export TMOUT=300" >>/etc/profile
echo "set autologout=5" >>/etc/csh.cshrc
source /etc/profile
Two separate HISTCONTROL exports would leave only the second one in effect; the colon-separated form applies both. Keep in mind that ignorespace lets any user keep a command out of history by prefixing it with a space, and that a user can unset TMOUT unless the variable is also marked readonly, so neither setting is a substitute for the auditd rules below when accountability matters.
Strip version information from the login banners and add a warning
>/etc/motd
>/etc/issue
>/etc/redhat-release
echo "Authorized use only. All activity may be monitored and reported." >>/etc/motd
echo "Authorized use only. All activity may be monitored and reported." >> /etc/issue
echo "Authorized use only. All activity may be monitored and reported." >> /etc/issue.net
chown root:root /etc/motd /etc/issue /etc/issue.net
chmod 644 /etc/motd /etc/issue /etc/issue.net
Blanking /etc/redhat-release hides the release string from the console, but tooling that parses that file (configuration management facts, some installers) will misbehave, and the version remains visible through rpm -q centos-release and the package list; treat it as cosmetic. Remote users only see /etc/issue.net if sshd_config carries a Banner directive pointing at it.
Tune kernel TCP parameters
cat >>/etc/sysctl.conf<<EOF
# 1 s is very aggressive for FIN_WAIT_2; the kernel default is 60
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
# tcp_mem is measured in pages, not bytes; these values exceed any real system's memory
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_reuse only works with timestamps on, and timestamps are what PAWS relies on
net.ipv4.tcp_timestamps = 1
# one retry means a single lost SYN or SYN-ACK fails the connection
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_syncookies = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
EOF
/sbin/sysctl -p
Two settings often seen in copies of this fragment are deliberately absent. net.ipv4.tcp_timestamps = 0 makes tcp_tw_reuse a no-op and switches off PAWS. net.ipv4.tcp_tw_recycle = 1 rejects connections from clients that share a NAT address (their timestamps look out of order to the server) and was removed from the kernel in 4.12, so a sysctl.conf carrying it makes sysctl -p print an error on newer kernels. tcp_syncookies keeps the listener reachable during a SYN flood once the backlog fills.
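Before running sysctl -p it is worth checking the fragment for the combinations above that cancel each other out or no longer exist in the kernel. The script below is an added example, not part of the original guide; the sysctl fragment it reads is constructed from the guide's own values, and the threshold it applies to tcp_fin_timeout (below 10 s) is the example's own choice.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: sanity-check a sysctl fragment
# for the TCP settings this section touches before applying it with sysctl -p.

# sysctl_value FILE KEY
# Prints the value from the last uncommented "KEY = VALUE" line (sysctl -p
# applies the file top to bottom, so the last one wins), or nothing if unset.
sysctl_value() {
    awk -F'=' -v key="$2" '
        /^[ \t]*#/ { next }
        NF >= 2 {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) {
                v = $2
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                val = v
            }
        }
        END { print val }
    ' "$1"
}

# check_tcp_sysctl FILE
# Prints one FINDING line per problem and returns the number of findings.
check_tcp_sysctl() {
    local f=$1 n=0 recycle ts reuse cookies fin msg
    recycle=$(sysctl_value "$f" net.ipv4.tcp_tw_recycle)
    ts=$(sysctl_value "$f" net.ipv4.tcp_timestamps)
    reuse=$(sysctl_value "$f" net.ipv4.tcp_tw_reuse)
    cookies=$(sysctl_value "$f" net.ipv4.tcp_syncookies)
    fin=$(sysctl_value "$f" net.ipv4.tcp_fin_timeout)

    if [ "$recycle" = "1" ]; then
        echo "FINDING: tcp_tw_recycle=1 drops clients behind NAT and was removed in Linux 4.12"
        n=$((n + 1))
    fi
    if [ "$ts" = "0" ]; then
        msg="tcp_timestamps=0 disables PAWS"
        [ "$reuse" = "1" ] && msg="$msg and makes tcp_tw_reuse=1 a no-op (reuse needs timestamps)"
        echo "FINDING: $msg"
        n=$((n + 1))
    fi
    if [ "$cookies" != "1" ]; then
        echo "FINDING: tcp_syncookies is '${cookies:-unset}' in this file; set it to 1 so a SYN flood cannot exhaust the backlog"
        n=$((n + 1))
    fi
    # threshold of 10 s is this example's choice; the kernel default is 60
    case $fin in
        ''|*[!0-9]*) ;;
        *) if [ "$fin" -lt 10 ]; then
               echo "FINDING: tcp_fin_timeout=$fin is far below the 60 s default; confirm the workload needs it"
               n=$((n + 1))
           fi ;;
    esac
    return "$n"
}

# Constructed sample built from the guide's original values.
SAMPLE_SYSCTL=$(mktemp)
cat >"$SAMPLE_SYSCTL" <<'EOF'
# constructed from the guide's fragment
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_syn_backlog = 262144
EOF

check_tcp_sysctl "$SAMPLE_SYSCTL" || echo "$? finding(s); fix the fragment before sysctl -p"
```

Run it against /etc/sysctl.conf (or each file under /etc/sysctl.d/) on the target host; a non-zero exit is the count of findings, which makes it usable as a gate in a provisioning pipeline.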
Send an email alert when someone opens a root shell
yum -y install mailx
cat >>/root/.bashrc << EOF
echo 'ALERT - Root Shell Access (Server Name) on:' \`date\` \`who\` \`hostname\` | mail -s "Alert: Root Access from \`who am i | cut -d "(" -f2 | cut -d ")" -f1\`" [email protected]
EOF
The backticks are escaped so they are written literally into .bashrc and evaluated at login time rather than when the heredoc is appended. who am i reports only the current session, which is what the subject line wants; plain who lists every logged-in user, so the body shows who else was on the box. Mail leaving the host is only as trustworthy as the path it takes and as the root user who can edit .bashrc, so treat this as a tripwire for the on-call mailbox rather than an audit record, and pair it with the auditd rules below.
Periodic time correction
echo '0 * * * * /usr/sbin/ntpdate -u 0.cn.pool.ntp.org; /sbin/hwclock -w > /dev/null 2>&1' >> /var/spool/cron/root
/usr/sbin/ntpdate -u 0.cn.pool.ntp.org; /sbin/hwclock -w
An hourly ntpdate steps the clock, which can move timestamps backwards between two log lines; CentOS 7 ships chronyd, which slews continuously and is the better default for hosts whose logs and TLS validation depend on accurate time. Consistent time is what makes the auditd and AIDE records below correlatable with other systems.
Disable IPv6
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
Writing to /proc does not survive a reboot; add net.ipv6.conf.all.disable_ipv6 = 1 and net.ipv6.conf.default.disable_ipv6 = 1 to /etc/sysctl.conf (or a file under /etc/sysctl.d/) for a persistent setting. Disable IPv6 only if nothing on the host needs it; if it stays enabled, the ip6tables ruleset below must be filled in, because an empty one accepts everything.
Change the yum mirror
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum -y reinstall epel-release
yum clean all
yum makecache
The repo file is fetched over plain HTTP, so read it before use and confirm gpgcheck=1 is still set in every section: package signatures, not the transport, are what protect against a tampered mirror.
Turn off SELinux
Prefer to keep SELinux enforcing: it is the mandatory access control layer that confines a compromised service, and most "SELinux broke the application" problems can be resolved from the audit log (ausearch -m avc, audit2allow) or diagnosed in permissive mode (setenforce 0) rather than by disabling it outright.
Install the necessary tools and update the system software
yum -y groupinstall "Development tools"
yum -y install ntpdate sysstat lrzsz wget nmap tree curl epel-release lsof nano bash-completion net-tools vim-enhanced
yum -y update
A full compiler toolchain on a production host also hands an intruder a build environment; install "Development tools" on a build box and ship the resulting packages where possible.
SSH: harden the daemon and speed up connections
The steps below aim to: 1) set an idle-logout interval; 2) disable .rhosts files; 3) disable host-based authentication; 4) refuse root login over ssh; 5) show a warning banner; 6) let the iptables rules (later section) admit the new port 22123; 7) change the SSH port and restrict the listening address; 8) refuse blank passwords; 9) log to a dedicated file. Items 2 and 3 are OpenSSH defaults (IgnoreRhosts yes, HostbasedAuthentication no) and are not spelled out in the config below; a Banner line pointing at /etc/issue.net (item 5) and a ListenAddress (item 7) are not in it either and must be added if wanted.
mv /etc/ssh /etc/ssh.bak
mkdir -p /application/tools
cd /application/tools
yum -y install wget gcc
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz
tar -zxf openssh-7.6p1.tar.gz
cd openssh-7.6p1
yum install -y zlib-devel openssl-devel pam pam-devel
./configure --prefix=/usr --sysconfdir=/etc/ssh --without-zlib-version-check --with-pam
make -j4
rpm -e --nodeps `rpm -qa | grep openssh`
make install
chmod 600 /etc/ssh/*_key
ssh -V
cp contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig --add sshd
mv /etc/ssh/sshd_config /etc/ssh/sshd_config_`date +%F`
cat >/etc/ssh/sshd_config<<EOF
Port 22123
PidFile /var/run/sshd.pid
# LOCAL5 matches the rsyslog rule added below; AUTH would leave sshd.log empty
SyslogFacility LOCAL5
LogLevel INFO
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 15
#AllowUsers root lovelinux
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# switch to no once every user has a key deployed
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
# must be yes for the pam.d lockout and password rules below to apply to ssh logins
UsePAM yes
# seconds between keepalive probes; 0 would disable the check altogether
ClientAliveInterval 300
ClientAliveCountMax 3
UseDNS no
# path as installed by make install with --prefix=/usr
Subsystem sftp /usr/libexec/sftp-server
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
EOF
echo "# save sshd messages also to sshd.log" >>/etc/rsyslog.conf
echo "local5.* /var/log/sshd.log" >>/etc/rsyslog.conf
systemctl restart rsyslog
systemctl restart sshd
Points a practitioner should check before following this recipe. Verify the tarball against the upstream .asc signature before building: the mirror is a third party. Run the rpm -e ... make install sequence from the console or a session that does not depend on sshd, because the running daemon's files are removed in between, and run sshd -t before the restart so a typo does not lock you out. A source-built OpenSSH is no longer in yum's update stream, so you own tracking new releases from then on. The host keys are regenerated by make install, so chmod 600 must come after it, not before (there is no /etc/ssh until then). ClientAliveInterval detects dead connections, not idle users; the TMOUT setting earlier is what handles idle shells. The configure flag --with-pam and the PAM files in the later section are only effective with UsePAM yes.
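After make install it is worth verifying what sshd will actually enforce, because sshd honours only the first occurrence of each keyword, ignores later duplicates, and applies anything under a Match block conditionally. The script below is an added example, not code from the guide or from OpenSSH; the sample sshd_config it reads is constructed for the demonstration and the set of directives it checks is the example's own choice.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: audit an sshd_config for the
# hardening directives this section sets. The sample config is constructed.

# sshd_effective FILE KEY
# Prints the effective value of KEY. sshd takes the FIRST uncommented
# occurrence of a keyword (keywords are case-insensitive) and ignores later
# duplicates; directives inside a Match block are conditional, so stop there.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one FAIL line per directive that differs from the hardened value and
# returns the number of failures (0 = clean). Unset directives are flagged as
# well: relying on compiled-in defaults is a choice that should be explicit.
audit_sshd_config() {
    local file=$1 fails=0 pair name want got
    for pair in \
        PermitRootLogin=no \
        PermitEmptyPasswords=no \
        PasswordAuthentication=no \
        PubkeyAuthentication=yes \
        UsePAM=yes \
        X11Forwarding=no \
        UseDNS=no \
        MaxAuthTries=3
    do
        name=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$file" "$name")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $name is '${got:-unset}', want '$want'"
            fails=$((fails + 1))
        fi
    done
    # any port other than the default is acceptable
    got=$(sshd_effective "$file" Port)
    if [ -z "$got" ] || [ "$got" = "22" ]; then
        echo "FAIL: Port is '${got:-unset}', want a non-default port"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample: the guide's config with two common mistakes, a second
# PermitRootLogin that sshd will ignore and PasswordAuthentication left on.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat >"$SAMPLE_SSHD_CONFIG" <<'EOF'
Port 22123
PermitRootLogin yes
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM yes
UseDNS no
MaxAuthTries 3
Match User backup
    X11Forwarding no
EOF

audit_sshd_config "$SAMPLE_SSHD_CONFIG" || echo "$? directive(s) differ from the hardened values"
```

The sample deliberately places "PermitRootLogin yes" before "PermitRootLogin no": sshd uses the first one, so the host would still accept root logins even though the file appears to forbid them. Run the function against /etc/ssh/sshd_config after every change; sshd -T prints the effective configuration and is the authoritative cross-check.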
Remove users and groups the system does not need
. /etc/init.d/functions
for i in adm lp sync shutdown halt news uucp operator games gopher; do userdel $i 2>/dev/null; done && action "delete user: " /bin/true || action "delete user: " /bin/false
for i in adm news uucp games dip pppusers popusers slipusers; do groupdel $i 2>/dev/null; done
action comes from /etc/init.d/functions, hence the source line. Deleting accounts that packages own (lp for cups, adm for log directories) leaves orphaned files and can break later package scriptlets; locking them instead (usermod -L -s /sbin/nologin) gives the same "nobody can log in as this" result without the breakage.
Password complexity, lockout, and expiration
mv /etc/pam.d/system-auth /etc/pam.d/system-auth_`date +%F`
cat >/etc/pam.d/system-auth<<EOF
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
# lock the account for 30 minutes after 6 failures; onerr=fail denies if the tally file cannot be read
auth        required      pam_tally2.so onerr=fail deny=6 unlock_time=1800
auth        sufficient    pam_unix.so try_first_pass
# 1000 is UID_MIN on CentOS 7 (see /etc/login.defs)
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        required      pam_deny.so

# resets the failure counter after a successful login
account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF
cat >/etc/pam.d/sshd<<EOF
#%PAM-1.0
#auth       required     pam_google_authenticator.so nullok
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
EOF
Notes on this stanza. The lockout module is pam_tally2, which writes /var/log/tallylog (the file the audit rules below watch); CentOS 7 does not ship the older pam_tally.so, and a "required" module that fails to load denies every login. The nullok option is left off the pam_unix lines because it would admit accounts with an empty password, contradicting PermitEmptyPasswords no in sshd_config. An auth line placed after pam_deny.so is never reached, so nothing follows it. The pam.d/sshd file shown is the stock CentOS 7 one: it includes password-auth, not system-auth, so apply the same pam_tally2 and pam_cracklib changes to /etc/pam.d/password-auth or ssh logins will not be rate-limited, and sshd_config needs UsePAM yes for any of it to run. Password expiration is not a PAM setting: PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE in /etc/login.defs govern new accounts, and chage adjusts existing ones.
Mount file systems with noatime
Remove sendmail from CentOS and use postfix
Increase the swap size (typically twice the memory)
dd if=/dev/zero of=/mnt/swapfile bs=4M count=1024
chmod 600 /mnt/swapfile
mkswap /mnt/swapfile
swapon /mnt/swapfile
echo "/mnt/swapfile swap swap defaults 0 0" >>/etc/fstab
swapon -a
free -m | grep -i swap
The chmod matters: a swap file readable by other users exposes whatever pages the kernel swapped out, which is why mkswap warns about insecure permissions. mount -a does not activate swap entries; swapon -a is what exercises the new fstab line.
Use iptables to close ports that do not need to be open
systemctl disable firewalld
systemctl stop firewalld
yum -y install iptables-services
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22123 -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j DROP
service iptables save
Order matters for lockout risk: confirm sshd is already listening on 22123 (ss -ltnp) and log in on that port from a second session before the DROP rule goes in, keeping the first session open until the fresh login succeeds. The INPUT policy stays ACCEPT and the ruleset relies on the final DROP, so any rule appended later with -A lands after it and never matches; insert with -I or rewrite the chain. ip6tables is started and enabled here but receives no rules, which means an IPv6 listener is reachable from anywhere unless IPv6 has been disabled as above.
Start the system audit service
yum -y install audit
cat >/etc/audit/rules.d/hardening.rules<<EOF
-w /var/log/audit/ -k log_audit
-w /etc/audit/ -p wa -k cfg_audit
-w /etc/sysconfig/auditd -p wa -k cfg_auditd.conf
-w /etc/libaudit.conf -p wa -k cfg_libaudit.conf
-w /etc/audisp/ -p wa -k cfg_audisp
-w /etc/cups/ -p wa -k cfg_cups
-w /etc/init.d/cups -p wa -k cfg_initd_cups
-w /etc/netlabel.rules -p wa -k cfg_netlabel.rules
-w /etc/selinux/mls/ -p wa -k cfg_mac_policy
-w /usr/share/selinux/mls/ -p wa -k cfg_mac_policy
-w /etc/selinux/semanage.conf -p wa -k cfg_mac_policy
-w /usr/sbin/stunnel -p x
-w /etc/security/rbac-self-test.conf -p wa -k cfg_rbac_self_test
-w /etc/aide.conf -p wa -k cfg_aide.conf
-w /etc/cron.allow -p wa -k cfg_cron.allow
-w /etc/cron.deny -p wa -k cfg_cron.deny
-w /etc/cron.d/ -p wa -k cfg_cron.d
-w /etc/cron.daily/ -p wa -k cfg_cron.daily
-w /etc/cron.hourly/ -p wa -k cfg_cron.hourly
-w /etc/cron.monthly/ -p wa -k cfg_cron.monthly
-w /etc/cron.weekly/ -p wa -k cfg_cron.weekly
-w /etc/crontab -p wa -k cfg_crontab
-w /var/spool/cron/root -k cfg_crontab_root
-w /etc/group -p wa -k cfg_group
-w /etc/passwd -p wa -k cfg_passwd
-w /etc/gshadow -k cfg_gshadow
-w /etc/shadow -k cfg_shadow
-w /etc/security/opasswd -k cfg_opasswd
-w /etc/login.defs -p wa -k cfg_login.defs
-w /etc/securetty -p wa -k cfg_securetty
-w /var/log/faillog -p wa -k log_faillog
-w /var/log/lastlog -p wa -k log_lastlog
-w /var/log/tallylog -p wa -k log_tallylog
-w /etc/hosts -p wa -k cfg_hosts
-w /etc/sysconfig/network-scripts/ -p wa -k cfg_network
-w /etc/inittab -p wa -k cfg_inittab
-w /etc/rc.d/init.d/ -p wa -k cfg_initscripts
-w /etc/ld.so.conf -p wa -k cfg_ld.so.conf
-w /etc/localtime -p wa -k cfg_localtime
-w /etc/sysctl.conf -p wa -k cfg_sysctl.conf
-w /etc/modprobe.conf -p wa -k cfg_modprobe.conf
-w /etc/pam.d/ -p wa -k cfg_pam
-w /etc/security/limits.conf -p wa -k cfg_pam
-w /etc/security/pam_env.conf -p wa -k cfg_pam
-w /etc/security/namespace.conf -p wa -k cfg_pam
-w /etc/security/namespace.init -p wa -k cfg_pam
-w /etc/aliases -p wa -k cfg_aliases
-w /etc/postfix/ -p wa -k cfg_postfix
-w /etc/ssh/sshd_config -k cfg_sshd_config
-w /etc/vsftpd.ftpusers -k cfg_vsftpd.ftpusers
-a always,exit -F arch=b32 -S sethostname
-a always,exit -F arch=b64 -S sethostname
-w /etc/issue -p wa -k cfg_issue
-w /etc/issue.net -p wa -k cfg_issue.net
EOF
systemctl enable auditd
service auditd restart
On CentOS 7 auditd rebuilds /etc/audit/audit.rules from /etc/audit/rules.d/*.rules (augenrules) at every start, so rules appended directly to audit.rules are overwritten; hence the rules.d file. service auditd restart is deliberate: the unit carries RefuseManualStop=yes, so systemctl restart auditd is refused. The sethostname rule needs both arch lines; a b32-only rule never fires for the native 64-bit binaries that actually run on CentOS 7. Confirm the rules loaded with auditctl -l, and remember that a root-level intruder can change them unless the configuration is made immutable with -e 2 as the final rule (which then requires a reboot to change).
Deploy an integrity checking tool
yum -y install aide
# 1) Initialize and build the first baseline database
aide -i
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# 2) Refresh the baseline after an intended change (package update, config edit)
aide -u
cd /var/lib/aide/
mv aide.db.new.gz aide.db.gz
# 3) Run the check periodically and send the report
# crontab -e
# 45 17 * * * /usr/sbin/aide -C -V4 | /bin/mail -s "AIDE REPORT $(date +%Y%m%d)" abcdefg#163.com
echo '45 23 * * * aide -C >> /var/log/aide/`date +%Y%m%d`_aide.log' >> /var/spool/cron/root
# Record the md5 checksum of the aide binary
md5sum /usr/sbin/aide
The baseline, aide.conf and the aide binary all live on the host they protect, so an attacker with root can regenerate the database and the nightly check stays green; keep a copy of aide.db.gz and the recorded checksum off-host or on read-only media and compare against those. Run aide -u only after reviewing the differences, otherwise an intrusion gets baked into the baseline.
Disable rebooting with Ctrl+Alt+Del
rm -f /usr/lib/systemd/system/ctrl-alt-del.target && systemctl daemon-reload
# To restore:
ln -s /usr/lib/systemd/system/reboot.target /usr/lib/systemd/system/ctrl-alt-del.target
Removing a file under /usr/lib/systemd/system is undone by the next systemd package update; the supported way is systemctl mask ctrl-alt-del.target (systemctl unmask to restore), which links the unit to /dev/null under /etc and survives upgrades.
File locking and default permissions
# 1) Restrict at/cron to authorized users
rm -f /etc/cron.deny /etc/at.deny
echo root >/etc/cron.allow
echo root >/etc/at.allow
chown root:root /etc/cron.allow /etc/at.allow
chmod 400 /etc/cron.allow /etc/at.allow
# 2) Restrict access to the crontab files
chown root:root /etc/crontab
chmod 400 /etc/crontab
chown -R root:root /var/spool/cron
chmod -R go-rwx /var/spool/cron
chown -R root:root /etc/cron.*
chmod -R go-rwx /etc/cron.*
# 3) Make the critical password and group files immutable
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/xinetd.conf
chattr +i /etc/services
The immutable bit stops accidental edits and blocks any process lacking CAP_LINUX_IMMUTABLE, but root clears it with chattr -i, so it is not a defense against a root-level intruder; it also makes useradd, passwd, groupmod and any package scriptlet that creates a user fail until the bit is removed, so wrap planned changes in chattr -i / chattr +i. chmod -R go-rwx on /etc/cron.* strips permissions for group and other only; cron runs those scripts as root, which is unaffected.