2021-11-14 14:32:08 +08:00
parent f75ad8bedd
commit b0f6120151
152 changed files with 22219 additions and 8 deletions

189
content/post/centos7.md Normal file

@@ -0,0 +1,189 @@
---
title: "CentOS7 笔记"
date: 2019-10-30T10:58:18+08:00
lastmod: 2019-10-30T10:58:18+08:00
keywords: []
tags: ["centos"]
categories: ["os"]
---
# 常用初始配置
- 系统更新
```bash
yum update
```
- 禁用 firewalld
```bash
systemctl stop firewalld
systemctl disable firewalld
```
- 禁用 NetworkManager
```bash
systemctl stop NetworkManager
systemctl disable NetworkManager
```
- 禁用 postfix
```bash
systemctl stop postfix
systemctl disable postfix
```
- 如果不用 NFS可以禁用 rpcbind
```bash
systemctl stop rpcbind
systemctl disable rpcbind
```
- 禁用 selinux可能需要重启操作系统
```bash
sed -i '/^SELINUX=/cSELINUX=disabled' /etc/selinux/config
setenforce 0
# 可能需要重启
```
- 配置网卡静态地址
```bash
cd /etc/sysconfig/network-scripts
sed -i -e '/^BOOTPROTO/d' -e '/^ONBOOT/d' \
-e '/^IPADDR/d' -e '/^NETMASK/d' -e '/^PREFIX/d' \
-e '/^GATEWAY/d' -e '/^DNS/d' ${ifcfg}
cat >> ${ifcfg} <<-END
ONBOOT=yes
BOOTPROTO=static
IPADDR=${ip}
PREFIX=${mask}
GATEWAY=${gw}
DNS1=${dns}
END
systemctl restart network
```
- 修改 sysctl.conf
```bash
cat >> /etc/sysctl.conf <<-END
# 防止一个套接字在有过多试图连接到达时引起过载
net.ipv4.tcp_syncookies = 1
# 连接队列的长度默认值为128
net.core.somaxconn = 1024
# timewait的超时时间设置短一些
net.ipv4.tcp_fin_timeout = 10
# os直接使用timewait的连接
net.ipv4.tcp_tw_reuse = 1
# 回收timewait连接
net.ipv4.tcp_tw_recycle = 1
END
sysctl -p
```
- 修改主机名
```bash
hostnamectl set-hostname ${hostname}
sed -i "/[ \t]\+${hostname}[ \t]*$/d" /etc/hosts
echo "${ip} ${hostname}" >> /etc/hosts
```
- 禁用 sshd 域名解析
```bash
sed -i '/UseDNS/d' /etc/ssh/sshd_config
echo 'UseDNS no' >> /etc/ssh/sshd_config
```
- 删除可能存在的 TMOUT 环境变量
```bash
sed -i '/^export[ \t]\+TMOUT=/d' /etc/profile
```
- 配置 history 命令数量和执行时间
```bash
echo 'export HISTSIZE=10000' > /etc/profile.d/history.sh
echo 'export HISTTIMEFORMAT="[%F %T] "' >> /etc/profile.d/history.sh
```
- 修改时间同步服务器地址
```bash
sed -i '/^server /d' /etc/chrony.conf
echo "server ${ip|domain} iburst" >> /etc/chrony.conf
```
- 修改 rsyslog 服务的时间格式
```bash
cat > /etc/rsyslog.d/custom.conf <<EOF
template(name="CustomTime" type="list"){
property(name="timereported" dateformat="year")
constant(value="-")
property(name="timereported" dateformat="month")
constant(value="-")
property(name="timereported" dateformat="day")
constant(value=" ")
property(name="timereported" dateformat="hour")
constant(value=":")
property(name="timereported" dateformat="minute")
constant(value=":")
property(name="timereported" dateformat="second")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogtag")
constant(value=" ")
property(name="msg" droplastlf="on")
constant(value="\n")
}
$ActionFileDefaultTemplate CustomTime
EOF
```
- 其他检查
- 卸载 ntpdate换 chrony
- 检查 /etc/rc.d/rc.local
# 安全设置
- /etc/pam.d/sshd
- 用户 ssh 登陆密码错误 3 次后锁住用户 10 分钟
```
auth required pam_tally2.so deny=3 unlock_time=600 even_deny_root
```
- /etc/login.defs
- 密码过期天数
```
PASS_MAX_DAYS 60
```
- 过期前警告天数
```
PASS_WARN_AGE 7
```
- 最短使用天数
```
PASS_MIN_DAYS 1
```
- 最短长度
```
PASS_MIN_LEN 8
```
- /etc/pam.d/system-auth
- 密码与前 5 次不同
```
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
```
- /etc/security/pwquality.conf
- 密码最小长度 8 位
```bash
authconfig --passminlen=8 --update
```
- 密码最少 2 种字符
```bash
authconfig --passminclass=2 --update
```
- 最多 2 个连续相同字符
```bash
authconfig --passmaxrepeat=2 --update
```
- 最多 4 个连续同类字符
```bash
authconfig --passmaxclassrepeat=4 --update
```
- 至少 1 个小写字符
```bash
authconfig --enablereqlower --update
```
- 至少 1 个大写字符
```bash
authconfig --enablerequpper --update
```
- 至少 1 个数字
```bash
authconfig --enablereqdigit --update
```
- 至少 1 个特殊字符
```bash
authconfig --enablereqother --update
```