The latest and most comprehensive Linux system tuning guide (CentOS 7.x)

Source: Internet
Author: User

Linux System Tuning Guide (CentOS 7.x)

You are welcome to follow my latest blog at: https://owelinux.github.io/

Turn off unnecessary services (such as the print service)
# chkconfig only covers legacy SysV services on CentOS 7; native systemd units are managed with systemctl
for owelinux in `chkconfig --list | grep "3:on" | awk '{print $1}'`; do chkconfig $owelinux off; done
for owelinux in crond network sshd rsyslog sysstat iptables; do chkconfig $owelinux on; done
Turn off unwanted TTYs
\cp /etc/securetty /etc/securetty.bak
>/etc/securetty
echo "tty1" >>/etc/securetty
echo "tty2" >>/etc/securetty
echo "tty3" >>/etc/securetty
Raise the Linux file descriptor limit
\cp /etc/security/limits.conf /etc/security/limits.conf.$(date +%F)
ulimit -HSn 65535
# -e makes echo honour the \n escapes, so the soft and hard limits land on separate lines
echo -ne "* soft nofile 65535\n* hard nofile 65535\n" >>/etc/security/limits.conf
echo "ulimit -c unlimited" >> /etc/profile
source /etc/profile
Modify the number of history records and the connection timeout for shell commands
# a second "export HISTCONTROL=..." would overwrite the first, so both options go into one value
echo "export HISTCONTROL=ignorespace:erasedups" >>/etc/profile
echo "HISTSIZE=500" >> /etc/profile
# Set the account TMOUT value (automatic logout time)
echo "export TMOUT=300" >>/etc/profile
echo "set autologout=300" >>/etc/csh.cshrc
source /etc/profile
Clear the system version information and add a login warning
>/etc/motd
>/etc/issue
# note: some tools and installers read /etc/redhat-release to detect the OS version
>/etc/redhat-release
echo "Authorized uses only. All activity may be monitored and reported." >>/etc/motd
echo "Authorized uses only. All activity may be monitored and reported." >> /etc/issue
echo "Authorized uses only. All activity may be monitored and reported." >> /etc/issue.net
chown root:root /etc/motd /etc/issue /etc/issue.net
chmod 644 /etc/motd /etc/issue /etc/issue.net
Optimize the kernel TCP parameters
cat >>/etc/sysctl.conf<<EOF
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_reuse only takes effect while tcp_timestamps is 1, so the next line switches it off again
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
# tcp_tw_recycle drops connections from clients behind NAT and was removed in Linux 4.12
net.ipv4.tcp_tw_recycle = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
EOF
/sbin/sysctl -p
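As an added example (not from the original guide), the following script confirms that the kernel actually holds the values written to /etc/sysctl.conf, and reports knobs the running kernel no longer has; the /proc/sys stand-in tree and the sysctl file it runs against are constructed, and SYSCTL_ROOT is an assumed variable for pointing it at such a tree.

```shell
#!/bin/sh
# Added example, not from the original guide: confirm the kernel really holds the values
# written to /etc/sysctl.conf. SYSCTL_ROOT (an assumed knob) defaults to /proc/sys and is
# pointed at a constructed tree below so the script can run anywhere.
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# live_sysctl KEY: the kernel's value for a dotted key with whitespace normalised, or
# "<missing>" when the knob does not exist (net.ipv4.tcp_tw_recycle is gone since Linux 4.12).
live_sysctl() {
    p="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ -r "$p" ]; then tr -s '[:space:]' ' ' <"$p" | sed 's/ $//'; else echo "<missing>"; fi
}

# verify_sysctl FILE: compare every "key = value" line of a sysctl-style file with the live
# value; returns the number of keys that differ (0 = everything applied).
verify_sysctl() {
    tmp=$(mktemp); bad=0
    # drop comments and blank lines, turn "key = value" into "key value"
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/[[:space:]]*=[[:space:]]*/ /' "$1" >"$tmp"
    while read -r key want; do           # multi-value knobs (tcp_mem) land whole in $want
        got=$(live_sysctl "$key")
        if [ "$got" = "$want" ]; then
            echo "ok       $key = $got"
        else
            echo "MISMATCH $key: file says '$want', kernel has '$got'"; bad=$((bad + 1))
        fi
    done <"$tmp"
    rm -f "$tmp"
    return "$bad"
}

# build_demo_tree DIR: constructed stand-in for /proc/sys with two knobs applied and
# tcp_tw_recycle absent, as on a kernel that removed it.
build_demo_tree() {
    mkdir -p "$1/net/ipv4"
    echo 1 >"$1/net/ipv4/tcp_fin_timeout"
    printf '94500000\t915000000\t927000000\n' >"$1/net/ipv4/tcp_mem"
}

DEMO=$(mktemp -d)
build_demo_tree "$DEMO"
cat >"$DEMO/sysctl.conf" <<'EOF'
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_tw_recycle = 1
EOF
SYSCTL_ROOT="$DEMO"
verify_sysctl "$DEMO/sysctl.conf" || echo "keys not applied: $?"
rm -rf "$DEMO"
```

Run it with SYSCTL_ROOT unset against the real /etc/sysctl.conf on the host to check the live kernel.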
Send an email alert when someone logs in as root
yum -y install mailx
# the recipient address is obfuscated in the original; replace it with the real alert mailbox
cat >>/root/.bashrc << EOF
echo 'ALERT - Root Shell Access (Server Name) on:' \`date\` \`who\` \`hostname\` | mail -s "Alert: Root Access from \`who | cut -d "(" -f2 | cut -d ")" -f1\`" [email protected]
EOF
Correct the server time on a schedule
echo '0 * * * * /usr/sbin/ntpdate -u 0.cn.pool.ntp.org;/sbin/hwclock -w > /dev/null 2>&1' >> /var/spool/cron/root
/usr/sbin/ntpdate -u 0.cn.pool.ntp.org;/sbin/hwclock -w
Disable IPv6
# writing to /proc is not persistent; the setting is lost at reboot unless it is also placed in sysctl.conf
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
Change the yum source
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum -y reinstall epel-release
yum clean all
yum makecache
Turn off SELinux
Install the necessary packages and update the system software
yum -y groupinstall "Development tools"
yum -y install ntpdate sysstat lrzsz wget nmap tree curl epel-release lsof nano bash-completion net-tools vim-enhanced
Optimize SSH for faster connections
# 1. configure the idle logout timeout
# 2. disable the .rhosts file
# 3. disable host-based authentication
# 4. prohibit root login via ssh
# 5. banner with a warning
# 6. the iptables firewall handles SSH port 22123
# 7. change the SSH port and restrict the IP binding
# 8. disable blank passwords
# 9. logging
mv /etc/ssh /etc/sshbak
mkdir -p /application/tools
cd /application/tools
yum -y install wget gcc
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz
tar -zxf openssh-7.6p1.tar.gz
cd openssh-7.6p1
yum install -y zlib-devel openssl-devel pam pam-devel
./configure --prefix=/usr --sysconfdir=/etc/ssh --without-zlib-version-check --with-pam
make -j4
# remove the distribution packages before installing the self-built version
rpm -e --nodeps `rpm -qa | grep openssh`
make install
# host keys are generated by make install, so tighten their permissions afterwards
chmod 600 /etc/ssh/*_key
ssh -V
cp contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig --add sshd
mv /etc/ssh/sshd_config /etc/ssh/sshd_config_`date +%F`
cat >/etc/ssh/sshd_config<<EOF
Port 22123
PidFile /var/run/sshd.pid
# LOCAL5 so that the local5.* rsyslog rule below actually receives sshd messages
SyslogFacility LOCAL5
LogLevel INFO
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 15
#AllowUsers root lovelinux
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
# with UsePAM no the /etc/pam.d/sshd stack (and the pam_tally lockout configured later) is bypassed for SSH logins
UsePAM no
ClientAliveInterval 0
ClientAliveCountMax 3
UseDNS no
Subsystem sftp /usr/lib/ssh/sftp-server
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
EOF
echo "#save sshd messages also to sshd.log" >>/etc/rsyslog.conf
echo "local5.* /var/log/sshd.log" >>/etc/rsyslog.conf
systemctl restart rsyslog
systemctl stop sshd && systemctl start sshd
systemctl reload sshd
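To confirm that a server still matches the sshd_config written above, here is an added checker script that is not part of the original guide (the sample config it audits is constructed). It applies sshd's own rule that the first occurrence of a keyword wins and keywords are case-insensitive, so a stray earlier "permitrootlogin yes" is caught rather than masked by the later "PermitRootLogin no".

```shell
#!/bin/sh
# Added example, not from the original guide: audit an sshd_config against the values the
# guide's sshd_config heredoc sets. sshd honours the FIRST occurrence of a keyword and
# matches keywords case-insensitively, so the checker does the same.

# sshd_effective FILE KEYWORD: print the value sshd would use for KEYWORD (empty if unset).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # skip comments and blank lines
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# check_sshd_config FILE: print one line per deviation from the guide's settings and
# return the number of deviations (0 = compliant), so it can gate a cron job or CI step.
check_sshd_config() {
    bad=0
    for pair in Port=22123 PermitRootLogin=no PermitEmptyPasswords=no MaxAuthTries=3 \
                LoginGraceTime=30 GSSAPIAuthentication=no UseDNS=no \
                Ciphers=aes128-ctr,aes192-ctr,aes256-ctr MACs=hmac-sha2-256,hmac-sha2-512; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: guide wants '$want', file gives '${got:-<unset>}'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: the guide's config with two regressions, a lowercase
# "permitrootlogin yes" that wins over the later "PermitRootLogin no", and MaxAuthTries 6.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
Port 22123
permitrootlogin yes
LoginGraceTime 30
# PermitRootLogin below is dead: sshd already took the first occurrence
PermitRootLogin no
MaxAuthTries 6
PermitEmptyPasswords no
GSSAPIAuthentication no
UseDNS no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
EOF
check_sshd_config "$SAMPLE" || echo "deviations found: $?"
rm -f "$SAMPLE"
```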
Remove users and groups that the system does not need
# action() comes from the init-script helper library
. /etc/init.d/functions
for i in adm lp sync shutdown halt news uucp operator games gopher
do
    userdel $i 2>/dev/null
done && action "delete user: " /bin/true || action "delete user: " /bin/false
for i in adm news uucp games dip pppusers popusers slipusers
do
    groupdel $i 2>/dev/null
done
Modify the password complexity requirements and the expiration time
mv /etc/pam.d/system-auth /etc/pam.d/system-auth_$(date +%F)
cat >/etc/pam.d/system-auth<<EOF
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
# lock the account for 1800 s after 6 failed attempts
auth        required      pam_tally.so onerr=fail deny=6 unlock_time=1800
auth        sufficient    pam_unix.so nullok try_first_pass
# the UID threshold was lost from the original page; <UID_MIN> is a placeholder to fill in (CentOS 7's login.defs default is 1000)
auth        requisite     pam_succeed_if.so uid >= <UID_MIN> quiet
auth        required      pam_deny.so
# has no effect here: a failure of the required pam_deny.so above cannot be overridden by a later sufficient module
auth        sufficient    /lib/security/pam_unix.so likeauth nullok

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < <UID_MIN> quiet
account     required      pam_permit.so

# at least 8 characters with one upper-case, one lower-case, one digit and one other character
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF
cat >/etc/pam.d/sshd<<EOF
#%PAM-1.0
#auth       required     pam_google_authenticator.so nullok
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
EOF
Use the noatime file system mount option
Remove sendmail from CentOS and use postfix instead
Increase the swap partition size (typically twice the memory size)
dd if=/dev/zero of=/mnt/swapfile bs=4M count=1024
# a swap file holds copies of process memory, so it must not be readable by other users (swapon warns when it is)
mkswap /mnt/swapfile
swapon /mnt/swapfile
echo "/mnt/swapfile swap swap defaults 0 0" >>/etc/fstab
mount -a
free -m | grep -i swap
Use iptables to close ports that do not need to be open
systemctl disable firewalld
systemctl stop firewalld
yum -y install iptables-services
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22123 -j ACCEPT
# -I puts the state rule first so replies to established connections are accepted before anything else
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j DROP
service iptables save
Start the system audit service
yum -y install audit
# On CentOS 7 augenrules regenerates /etc/audit/audit.rules from /etc/audit/rules.d/*.rules at service start,
# so rules that must persist belong in rules.d rather than appended here
cat >>/etc/audit/audit.rules<<EOF
-w /var/log/audit/ -k LOG_audit
-w /etc/audit/ -p wa -k CFG_audit
-w /etc/sysconfig/auditd -p wa -k CFG_auditd.conf
-w /etc/libaudit.conf -p wa -k CFG_libaudit.conf
-w /etc/audisp/ -p wa -k CFG_audisp
-w /etc/cups/ -p wa -k CFG_cups
-w /etc/init.d/cups -p wa -k CFG_initd_cups
-w /etc/netlabel.rules -p wa -k CFG_netlabel.rules
-w /etc/selinux/mls/ -p wa -k CFG_MAC_policy
-w /usr/share/selinux/mls/ -p wa -k CFG_MAC_policy
-w /etc/selinux/semanage.conf -p wa -k CFG_MAC_policy
-w /usr/sbin/stunnel -p x
-w /etc/security/rbac-self-test.conf -p wa -k CFG_rbac_self_test
-w /etc/aide.conf -p wa -k CFG_aide.conf
-w /etc/cron.allow -p wa -k CFG_cron.allow
-w /etc/cron.deny -p wa -k CFG_cron.deny
-w /etc/cron.d/ -p wa -k CFG_cron.d
-w /etc/cron.daily/ -p wa -k CFG_cron.daily
-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
-w /etc/crontab -p wa -k CFG_crontab
-w /var/spool/cron/root -k CFG_crontab_root
-w /etc/group -p wa -k CFG_group
-w /etc/passwd -p wa -k CFG_passwd
-w /etc/gshadow -k CFG_gshadow
-w /etc/shadow -k CFG_shadow
-w /etc/security/opasswd -k CFG_opasswd
-w /etc/login.defs -p wa -k CFG_login.defs
-w /etc/securetty -p wa -k CFG_securetty
-w /var/log/faillog -p wa -k LOG_faillog
-w /var/log/lastlog -p wa -k LOG_lastlog
-w /var/log/tallylog -p wa -k LOG_tallylog
-w /etc/hosts -p wa -k CFG_hosts
-w /etc/sysconfig/network-scripts/ -p wa -k CFG_network
-w /etc/inittab -p wa -k CFG_inittab
-w /etc/rc.d/init.d/ -p wa -k CFG_initscripts
-w /etc/ld.so.conf -p wa -k CFG_ld.so.conf
-w /etc/localtime -p wa -k CFG_localtime
-w /etc/sysctl.conf -p wa -k CFG_sysctl.conf
-w /etc/modprobe.conf -p wa -k CFG_modprobe.conf
-w /etc/pam.d/ -p wa -k CFG_pam
-w /etc/security/limits.conf -p wa -k CFG_pam
-w /etc/security/pam_env.conf -p wa -k CFG_pam
-w /etc/security/namespace.conf -p wa -k CFG_pam
-w /etc/security/namespace.init -p wa -k CFG_pam
-w /etc/aliases -p wa -k CFG_aliases
-w /etc/postfix/ -p wa -k CFG_postfix
-w /etc/ssh/sshd_config -k CFG_sshd_config
-w /etc/vsftpd.ftpusers -k CFG_vsftpd.ftpusers
# arch=b32 only catches 32-bit calls; on x86_64 a twin rule with arch=b64 is needed for native binaries
-a exit,always -F arch=b32 -S sethostname
-w /etc/issue -p wa -k CFG_issue
-w /etc/issue.net -p wa -k CFG_issue.net
EOF
systemctl enable auditd
# auditd must be restarted through service, not systemctl, on CentOS 7
service auditd restart
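The -k keys on the rules above are what make the audit log searchable afterwards. As an added example (not part of the original guide), this script summarises raw audit.log SYSCALL records by key and by auid, the login uid that survives su and sudo, over constructed sample lines.

```shell
#!/bin/sh
# Added example, not from the original guide: summarise raw /var/log/audit/audit.log
# SYSCALL records by the -k key the rules above attach and by auid, the login uid that
# survives su/sudo, so the person behind a change to /etc/passwd is visible even when
# the process ran as uid 0.

# audit_key_summary FILE: print "count key auid" lines, most frequent first.
audit_key_summary() {
    awk '
        /^type=SYSCALL / {
            key = ""; auid = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^key=/)       { key = $i; sub(/^key="?/, "", key); sub(/"$/, "", key) }
                else if ($i ~ /^auid=/) { auid = substr($i, 6) }
            }
            if (key != "" && key != "(null)") n[key " " auid]++   # (null) = rule without -k
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# audit_key_count FILE KEY: number of SYSCALL records carrying KEY, for quick assertions/alerts.
audit_key_count() {
    audit_key_summary "$1" | awk -v k="$2" '$2 == k { s += $1 } END { print s + 0 }'
}

# Constructed sample: two edits of /etc/passwd and one of sshd_config by login uid 1000
# (working as root), one write to /etc/shadow from a process with no login session
# (auid unset = 4294967295), plus CWD/PATH records that belong to an event and carry no key.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=2 success=yes exit=3 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="CFG_passwd"
type=CWD msg=audit(1700000000.101:501):  cwd="/root"
type=PATH msg=audit(1700000000.101:501): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=2 success=yes exit=3 ppid=900 pid=902 auid=1000 uid=0 gid=0 euid=0 comm="sed" exe="/usr/bin/sed" key="CFG_passwd"
type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=2 success=yes exit=3 ppid=900 pid=903 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="CFG_sshd_config"
type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=904 auid=4294967295 uid=0 gid=0 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="CFG_shadow"
EOF
audit_key_summary "$SAMPLE"
echo "writes keyed CFG_passwd: $(audit_key_count "$SAMPLE" CFG_passwd)"
rm -f "$SAMPLE"
```

On a live host point it at /var/log/audit/audit.log, or at the output of `ausearch -i -k CFG_passwd --raw` for one key.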
Deploy the integrity-check tool
yum -y install aide
# 1) Initialize and create the first baseline database
aide -i
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# 2) Update the baseline database
aide -u
cd /var/lib/aide/
mv aide.db.new.gz aide.db.gz
# 3) Run the check on a schedule and send the report
# crontab -e
#45 17 * * * /usr/sbin/aide -C -V4 | /bin/mail -s "AIDE REPORT $(date +%Y%m%d)" abcdefg#163.com
echo '45 23 * * * aide -C >> /var/log/aide/`date +%Y%m%d`_aide.log' >> /var/spool/cron/root
# Record the md5 checksum of the aide executable
md5sum /usr/sbin/aide
Stop Ctrl+Alt+Del from restarting the machine
rm -f /usr/lib/systemd/system/ctrl-alt-del.target && init q
# To restore:
ln -s /usr/lib/systemd/system/reboot.target /usr/lib/systemd/system/ctrl-alt-del.target
Lock files and modify default permissions
# 1. Restrict at/cron to authorized users:
rm -f /etc/cron.deny /etc/at.deny
echo root >/etc/cron.allow
echo root >/etc/at.allow
chown root:root /etc/cron.allow /etc/at.allow
chmod 400 /etc/cron.allow /etc/at.allow
# 2. Restrict access permissions on the crontab files:
chown root:root /etc/crontab
chmod 400 /etc/crontab
chown -R root:root /var/spool/cron
chmod -R go-rwx /var/spool/cron
chown -R root:root /etc/cron.*
chmod -R go-rwx /etc/cron.*
# 3. Lock the important password and group files
# with the immutable bit set, useradd/usermod/passwd fail until it is cleared again with chattr -i
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/xinetd.conf
chattr +i /etc/services
