cat /etc/redhat-release; # 查看centos版本
# 国内服务器,需换repo源
# 备份 mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup # centos7 wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo # centos8 wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-8.repo # 生成缓存 yum makecache # almalinux sed -e 's|^mirrorlist=|#mirrorlist=|g' -e 's|^# baseurl=https://repo.almalinux.org|baseurl=https://mirrors.aliyun.com|g' -i.bak /etc/yum.repos.d/almalinux*.repo sed -i 's|^#baseurl=https://download.example/pub|baseurl=https://mirrors.aliyun.com|' /etc/yum.repos.d/epel* sed -i 's|^metalink|#metalink|' /etc/yum.repos.d/epel* sed -i 's|^metalink=.*|#&|' /etc/yum.repos.d/epel-cisco-openh264.repo sed -i 's/enabled=.*/enabled=0/g' /etc/yum.repos.d/epel-cisco-openh264.repo
# 阿里云等保加固脚本
https://abc.htmltoo.com/thread-46063.htm
# init.sh
wget https://abc.htmltoo.com/tools/shell/init.tar
mv init.tar init.sh && chmod -R 777 init.sh && sh ./init.sh && rm -rf init.sh
#!/bin/sh
#---------------------------------------#
# description: centos7系统优化脚本 #
# author: 13850000249 #
# email: 522588122@qq.com #
#---------------------------------------#
# 更新软件
yum check-update
yum update -y
yum clean all
# 禁用并关闭selinux,防火墙
# getenforce: 查看状态
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
systemctl stop iptables.service
chkconfig iptables off
systemctl stop firewalld.service
systemctl disable firewalld.service
# 停止firewalld服务
systemctl stop firewalld
# 禁用firewalld服务
systemctl mask firewalld
systemctl daemon-reload
# 停止rpcbind进程
systemctl stop rpcbind.socket
systemctl stop rpcbind
# 禁止rpcbind随开机启动
systemctl disable rpcbind.socket
systemctl disable rpcbind
# 禁用并停止systemd-resolved的服务:
systemctl disable systemd-resolved.service
systemctl stop systemd-resolved
# 禁用共享打印
systemctl stop cups
systemctl disable cups
systemctl status cups
yum remove cups -y
# 所有服务清单
#systemctl list-unit-files -t service
# 禁用systemd-resolved:5355
service systemd-resolved stop
systemctl disable systemd-resolved.service
# 禁用cockpit:9090
systemctl disable cockpit.socket
systemctl stop cockpit.socket
systemctl mask cockpit.socket
# Centos系统的文本登录界面中的提示信息是存放在文件/etc/motd或者目录/etc/motd.d/中的
rm -rf /etc/motd.d/cockpit
#禁止Control-Alt-Delete 键盘重启系统命令
rm -rf /usr/lib/systemd/system/ctrl-alt-del.target
#systemctl mask ctrl-alt-del.target
# 禁用postfix, 是否enable:
systemctl list-unit-files | grep postfix
# 查看postfix进程的侦听端口:
netstat -tulp
# 关闭postfix服务:
systemctl stop postfix
在CentOS中彻底删除postfix相关文件:
yum -y remove postfix
chkconfig postfix off
# 查询postfix
rpm -qa | grep -i postfix
rpm -e --nodeps postfix
# 创建admin用户组及admin用户
groupadd admin
useradd admin -g admin
#passwd admin # @a Wdqdmm@54321
#passwd 命令提供了 --stdin 选项,用于批量给用户设置初始密码。别人可以在/root/.bash_history中找到设置密码的这个命令.
echo "Wdqdmm@54321" | passwd --stdin admin
# 更改文件夹及内部文件的所属用户及组
chown -R admin:admin /home/admin
# 为用户添加sudo权限
#echo 'admin ALL=(ALL) ALL' >> /etc/sudoers
echo 'admin ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
#主机名
# 版本,内存, 如: 8 ; 8G
CHECK_CENTOS=$( cat /etc/redhat-release|sed -r 's/.* ([0-9]+)\..*/\1/' )
CHECK_RAM=$( cat /proc/meminfo | grep "MemTotal" | awk -F" " '{ram=$2/1000000}{printf("%.0f",ram)}' )
intranet_ip=`/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v 172.17.0.1|grep -v inet6|awk '{print $2}'|tr -d "addr:"`
host_name=`echo $intranet_ip | awk -F"." '{print $3"-"$4}'` # 格式:1-100
#host_name=`grep $intranet_ip /root/host_name.txt|awk '{print $2}'` # 匹配指定文件,显示主机名,第2个字段 master
echo "$host_name" > /etc/hostname
echo "HOSTNAME=$host_name" >> /etc/sysconfig/network
hostnamectl set-hostname $host_name
# 安装基础应用
yum -y install --skip-broken epel-release vim vim-enhanced net-tools rsync iproute iputils procps bzip2 lrzsz unzip zip wget ftp lsof screen curl iftop sysstat dstat htop iotop lrzsz lftp bash-completion psmisc xz python-simplejson libselinux-python smartmontools automake autoconf libtool ntp ntpdate bison openssl-devel;
yum -y install gcc gcc-c++ make intltool kernel-headers;
yum -y install --skip-broken rsyslog telnet-server telnet.*;
yum -y groupinstall "Development Tools";
yum -y groupinstall "Development Libraries";
yum -y install gettext-devel openssl-devel perl-CPAN perl-devel zlib-devel libcurl-devel expat-devel;
yum -y install pigz pbzip2
# centos7
yum install -y curl-devel expat-devel gettext-devel openssl-devel zlib-devel intltool
yum install -y gcc perl-ExtUtils-MakeMaker
yum install -y ntpdate
# 1.centos7-git2, https://abc.htmltoo.com/thread-46576.htm
yum install https://repo.ius.io/ius-release-el7.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum remove -y git && yum -y install git236;
git --version
# centos8
yum -y install git python39 chrony;
# Git处理大文件的版本控制
yum -y install git-lfs
git lfs install
# mwget
git clone https://github.com/rayylee/mwget.git
cd mwget
./configure
make && make install
# Kernel性能调优
cat >> /etc/sysctl.conf<<EOF
net.ipv4.tcp_mem = 768432 2097152 15242880
net.ipv4.tcp_wmem = 40960 163840 4194304
net.ipv4.tcp_rmem = 40960 873800 4194304
#net.core.somaxconn=6553600
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 524288000
net.core.wmem_max = 524288000
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=81920
net.ipv4.tcp_timestamps=0
# 参数的值决定了内核放弃链接之前发送SYN+ACK包的数量,该参数对应系统路径为:/proc/sys/net/ipv4/tcp_synack_retries,默认是2
net.ipv4.tcp_synack_retries=3
# 表示内核放弃建立链接之前发送SYN包的数量,该参数对应系统路径为:/proc/sys/net/ipv4/tcp_syn_retries,默认是6
net.ipv4.tcp_syn_retries=3
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 20000 65000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.route.max_size = 5242880
kernel.sem=250 65536 100 2048
kernel.msgmnb = 4203520
kernel.msgmni = 64
kernel.msgmax = 65535
# 设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_no_metrics_save=1
# 开启SYN洪水攻击保护
kernel.core_uses_pid = 1
net.ipv4.conf.lo.arp_announce=2
net.ipv4.tcp_sack = 1
kernel.randomize_va_space=1
# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts=1
# 关闭ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1
# 开启路由转发
net.ipv4.ip_forward = 1 #0-关闭
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# 开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# 处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# 关闭sysrq功能
kernel.sysrq = 0
# 每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 262144
# 限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800
# 确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
vm.swappiness = 0
# 决定检查过期多久邻居条目
net.ipv4.neigh.default.gc_stale_time=120
fs.file-max = 40000500
fs.nr_open = 40000500
kernel.perf_cpu_time_max_percent=60
net.core.optmem_max= 25165824
vm.max_map_count=655360
net.core.somaxconn = 65535
# 使用arp_announce / arp_ignore解决ARP映射问题
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.ip_nonlocal_bind=1
vm.overcommit_memory=1
EOF
sysctl -p
#当出现SYN等待队列溢出时,启用cookies来处理,可防范少量SYN攻击,默认为0,表示关闭;
echo "1" >/proc/sys/net/ipv4/tcp_syncookies
#减少SWAP使用
echo "0" > /proc/sys/vm/swappiness
# 禁止定时任务向发送邮件
#sed -i 's/^MAILTO=root/MAILTO=""/' /etc/crontab
# 提高系统打开文件数、打开进程数限制,减小默认栈空间大小限制
grep -q "* soft nofile 60000" /etc/security/limits.conf || cat >> /etc/security/limits.conf << EOF
########################################
* soft nofile 60000
* hard nofile 65536
* soft nproc 2048
* hard nproc 16384
* soft stack 10240
* hard stack 32768
EOF
# 系统core dump状态
echo -e "\n* soft core 0" >> /etc/security/limits.conf
echo -e "\n* hard core 0" >> /etc/security/limits.conf
# 口令锁定策略
#PASS_MAX_DAYS 口令最大有效期:建议设置为 90
#PASS_MIN_DAYS 两次修改口令的最小间隔时间:建议设置为 10
#PASS_WARN_AGE 口令过期前开始提示天数:建议设置为 7
sed -i '/^PASS_MAX_DAYS/cPASS_MAX_DAYS 90' /etc/login.defs
sed -i '/^PASS_MIN_DAYS/cPASS_MIN_DAYS 10' /etc/login.defs
# 口令复杂度
#minlen = 8 口令长度至少包含 8 个字符
#dcredit = -1 口令包含N个数字
#ucredit = -1 口令包含N大写字母
#ocredit = -1 口令包含N个特殊字符
#lcredit = -1 口令包含N个小写字母
#N<0可以自行man pwquality.conf查看解释
cat >>/etc/security/pwquality.conf << EOF
minlen = 8
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
EOF
# 提高Shell打开文件数、打开进程数限制,减小默认栈空间大小限制
grep -q "ulimit -Sn 60000" /etc/profile || cat >> /etc/profile << EOF
########################################
ulimit -Sn 60000
ulimit -Hn 65536
ulimit -Su 2048
ulimit -Hu 16384
ulimit -Ss 10240
ulimit -Hs 32768
alias grep='grep --color=auto'
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S"
EOF
# 安装中文
yum -y groupinstall "fonts"
#centos7
yum -y install kde-l10n-Chinese glibc-common
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 && export LC_ALL=zh_CN.UTF-8
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
# 安装中文
#centos8
yum install -y langpacks-zh_CN
echo 'LANG="zh_CN.UTF-8"' >> /etc/profile && source /etc/profile
echo 'LANG="zh_CN.UTF-8"' >> /etc/locale.conf && source /etc/locale.conf
# 修改系统语言环境,修改时区
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
echo Asia/Shanghai > /etc/timezone;
#centos7
ntpdate time.windows.com && hwclock -w && hwclock --systohc
#centos8
systemctl enable chronyd
systemctl restart chronyd
# 查看时间同步状态
timedatectl status
# 开启网络时间同步
timedatectl set-ntp true
# 优化SSH
sed -i 's/.*#Port 22/Port 52341/' /etc/ssh/sshd_config
sed -i 's/.*#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sed -i 's/.*#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
sed -i 's/.*#GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/.*#MaxAuthTries.*$/MaxAuthTries 4/' /etc/ssh/sshd_config
sed -i 's/.*#LoginGraceTime.*$/LoginGraceTime 60/' /etc/ssh/sshd_config
#sed -i 's/.*#PubkeyAuthentication.*$/PubkeyAuthentication yes/' /etc/ssh/sshd_config
sed -i "s/.*#X11Forwarding yes/X11Forwarding no/g" /etc/ssh/sshd_config
sed -i "s/.*X11Forwarding yes/X11Forwarding no/g" /etc/ssh/sshd_config
#sed -i "s/.*#Banner none/Banner \/etc\/issue.net/g" /etc/ssh/sshd_config
# 禁用root远程登陆
#sed -i 's/.*PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
# SSH空闲超时间隔
#ClientAliveInterval设置了ssh服务器端向其客户端发送请求消息(alive消息)的间隔时间,以检测客户端是否还存在;
#ClientAliveCountMax设置了ssh服务允许客户端在接收到服务端的alive消息未响应的最大超时次数,如果客户端在最大超时次数内均未响应,ssh服务会自动终止与客户端的会话。
# 如果ClientAliveInterval设置为15,ClientAliveCountMax设置为3,那么无应答的客户端会在45秒后被强制断开。
cat /etc/ssh/sshd_config | grep ClientAliveInterval
cat /etc/ssh/sshd_config | grep ClientAliveCountMax
sed -i "s/#ClientAliveInterval 0/ClientAliveInterval 300/g" /etc/ssh/sshd_config
sed -i "s/#ClientAliveCountMax 3/ClientAliveCountMax 3/g" /etc/ssh/sshd_config
#echo "Authorized users only. All activity may be monitored and reported.">/etc/issue.net
# 国外服务器,优化DNS
cat > /etc/resolv.conf << EOF
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF
# 更新软件
yum check-update
yum update -y
yum clean all
# 升级最新内核
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
#centos7
rpm -Uvh https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
#centos8
rpm -Uvh https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
#centos9
rpm -Uvh https://www.elrepo.org/elrepo-release-9.el9.elrepo.noarch.rpm
yum -y --enablerepo=elrepo-kernel install kernel-ml# 内核升级
https://abc.htmltoo.com/thread-570.htm
# 修改内核启动顺序, 重启
grub2-set-default 0 -centos8 grub2-mkconfig -o /boot/grub2/grub.cfg reboot
# 修改history命令,清除系统日志痕迹,不记录历史命令
https://abc.htmltoo.com/thread-46051.htm
# docker.sh
groupadd docker
usermod -aG docker admin
# 安装网络yum源
yum -y install epel-release
yum clean all
# 安装依赖环境
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --enable extras
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# 安装 Docker
yum -y install docker-ce
mkdir -p /etc/docker/
cat >> /etc/docker/daemon.json<<EOF
{
"max-concurrent-downloads": 2,
"max-concurrent-uploads": 1,
"exec-opts": ["native.cgroupdriver=systemd"],
"insecure-registries":["hub.htmltoo.com:5000"],
"storage-driver": "overlay2",
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "3"
}
}
EOF
systemctl daemon-reload
systemctl start docker
systemctl enable docker
systemctl restart docker# kernel.sh
# 开启BBR加速 echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf && echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf sysctl -p # 查看所有内核 rpm -qa | grep kernel # 卸载旧内核 yum -y remove ....
追梦赤子心:domsn.com
签名:这个人很懒,什么也没有留下!
收藏的用户(0)
X
正在加载信息~
最新回复 (0)