2021-11-14 14:32:08 +08:00
---
title: "CentOS7 笔记"
date: 2019-10-30T10:58:18+08:00
lastmod: 2019-10-30T10:58:18+08:00
keywords: []
tags: ["centos"]
categories: ["os"]
---
# Common initial configuration
- Update the system
```bash
yum update
```
- Disable firewalld
```bash
systemctl stop firewalld
systemctl disable firewalld
```
- Disable NetworkManager
```bash
systemctl stop NetworkManager
systemctl disable NetworkManager
```
- Disable postfix
```bash
systemctl stop postfix
systemctl disable postfix
```
- If NFS is not used, rpcbind can be disabled
```bash
systemctl stop rpcbind
systemctl disable rpcbind
```
- Disable SELinux (a reboot of the OS may be required)
```bash
sed -i '/^SELINUX=/cSELINUX=disabled' /etc/selinux/config
setenforce 0
# a reboot may be required
```
- Configure a static address on the network interface
```bash
cd /etc/sysconfig/network-scripts
sed -i -e '/^BOOTPROTO/d' -e '/^ONBOOT/d' \
-e '/^IPADDR/d' -e '/^NETMASK/d' -e '/^PREFIX/d' \
-e '/^GATEWAY/d' -e '/^DNS/d' ${ifcfg}
cat >> ${ifcfg} <<-END
ONBOOT=yes
BOOTPROTO=static
IPADDR=${ip}
PREFIX=${mask}
GATEWAY=${gw}
DNS1=${dns}
END
systemctl restart network
```
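The snippet above leaves `${ifcfg}`, `${ip}`, `${mask}`, `${gw}` and `${dns}` to the reader and appends blindly. As an added example (not code from the original post), the function below takes those five values as arguments, refuses malformed addresses or prefix lengths before writing anything, removes the same keys the post's `sed` deletes, and can be run repeatedly without leaving duplicate keys. The function and helper names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: write static address settings
# into an ifcfg file idempotently after validating the values.
# write_static_ifcfg, valid_ipv4 and valid_prefix are names chosen here.

# Succeed only if $1 is a dotted-quad IPv4 address with octets in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Succeed only if $1 is a CIDR prefix length in 0..32.
valid_prefix() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 32 ]
}

# write_static_ifcfg FILE IP PREFIX GATEWAY DNS
# Removes every existing address-related key (the same set the post's sed
# deletes) and appends the static configuration, so repeated runs leave
# exactly one copy of each key. Other keys (DEVICE, TYPE, ...) are kept.
write_static_ifcfg() {
    file=$1; ip=$2; prefix=$3; gw=$4; dns=$5
    valid_ipv4 "$ip"       || { echo "invalid IPADDR: $ip" >&2; return 1; }
    valid_prefix "$prefix" || { echo "invalid PREFIX: $prefix" >&2; return 1; }
    valid_ipv4 "$gw"       || { echo "invalid GATEWAY: $gw" >&2; return 1; }
    valid_ipv4 "$dns"      || { echo "invalid DNS1: $dns" >&2; return 1; }
    tmp="$file.tmp"
    {
        # grep -v exits 1 when no line survives (e.g. an empty file); that is fine here
        grep -v -E '^(BOOTPROTO|ONBOOT|IPADDR|NETMASK|PREFIX|GATEWAY|DNS[0-9]*)=' "$file" || true
        printf 'ONBOOT=yes\nBOOTPROTO=static\nIPADDR=%s\nPREFIX=%s\nGATEWAY=%s\nDNS1=%s\n' \
            "$ip" "$prefix" "$gw" "$dns"
    } > "$tmp"
    mv "$tmp" "$file"
}

# Usage on a real host (not run here):
#   write_static_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0 192.168.1.20 24 192.168.1.1 192.168.1.1 \
#       && systemctl restart network
```

Point it at a copy of the ifcfg file first to see what it produces; the restart is left to the caller on purpose, so a rejected value never leaves the interface half-configured.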
- Modify sysctl.conf
```bash
cat >> /etc/sysctl.conf <<-END
# Protect a socket from being overloaded when too many connection attempts arrive
net.ipv4.tcp_syncookies = 1
# Length of the connection queue; the default is 128
net.core.somaxconn = 1024
# Set a shorter timewait timeout
net.ipv4.tcp_fin_timeout = 10
# Let the OS reuse timewait connections directly
net.ipv4.tcp_tw_reuse = 1
# Recycle timewait connections
net.ipv4.tcp_tw_recycle = 1
END
sysctl -p
```
- Change the hostname
```bash
hostnamectl set-hostname ${hostname}
sed -i "/[ \t]\+${hostname}[ \t]*$/d" /etc/hosts
echo "${ip} ${hostname}" >> /etc/hosts
```
- Disable DNS lookups in sshd
```bash
sed -i '/UseDNS/d' /etc/ssh/sshd_config
echo 'UseDNS no' >> /etc/ssh/sshd_config
```
- Remove the TMOUT environment variable if it exists
```bash
sed -i '/^export[ \t]\+TMOUT=/d' /etc/profile
```
- Configure the number of history entries and the execution timestamp
```bash
echo 'export HISTSIZE=10000' > /etc/profile.d/history.sh
echo 'export HISTTIMEFORMAT="[%F %T] "' >> /etc/profile.d/history.sh
```
- Change the time synchronization server address
```bash
sed -i '/^server /d' /etc/chrony.conf
echo "server ${ip|domain} iburst" >> /etc/chrony.conf
```
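The sysctl.conf, sshd_config and chrony.conf steps above all follow one pattern: delete the matching line with `sed -i`, then `echo ... >>` the new one (the sysctl step only appends, so running it twice leaves duplicate keys and `sysctl -p` applies the last one). As an added example (not code from the original post), the functions below wrap that pattern in a way that also removes commented-out copies such as `#UseDNS yes`, leaves exactly one active line however often it runs, and can read the current value back. File paths are parameters so it can be tried on copies; the function names and the `ntp.example.com` value are chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: set one directive in a
# line-oriented config file so that exactly one active copy remains.
# Works for sysctl.conf ("key = value"), sshd_config and chrony.conf
# ("Key value"). Function names are chosen here.

# Escape characters that are special in an ERE (sysctl keys contain dots).
escape_re() {
    printf '%s' "$1" | sed 's/[][\.*^$]/\\&/g'
}

# set_directive FILE KEY SEP VALUE
#   SEP is the separator the file uses: ' = ' for sysctl.conf, ' ' for
#   sshd_config and chrony.conf.
set_directive() {
    file=$1; key=$2; sep=$3; value=$4
    key_re=$(escape_re "$key")
    tmp="$file.tmp"
    {
        # drop "KEY ...", "KEY=..." and commented variants at the start of a line;
        # grep -v returns 1 if nothing is left, which is not an error here
        grep -v -E "^[[:space:]]*#?[[:space:]]*${key_re}([[:space:]=]|\$)" "$file" || true
        printf '%s%s%s\n' "$key" "$sep" "$value"
    } > "$tmp"
    mv "$tmp" "$file"
}

# get_directive FILE KEY -> prints the value of the last active "KEY value"
# or "KEY = value" line; prints nothing if the key is absent or only commented out.
get_directive() {
    key_re=$(escape_re "$2")
    sed -n -E "s/^[[:space:]]*${key_re}[[:space:]=]+(.*)\$/\1/p" "$1" | tail -n 1
}

# Usage on a real host (not run here); the values are the ones from the post:
#   set_directive /etc/sysctl.conf net.ipv4.tcp_syncookies ' = ' 1 && sysctl -p
#   set_directive /etc/ssh/sshd_config UseDNS ' ' no && systemctl restart sshd
#   set_directive /etc/chrony.conf server ' ' 'ntp.example.com iburst' && systemctl restart chronyd
```

Because `set_directive` removes every line that starts with the key, using it with `server` on chrony.conf replaces all pool servers with the single one given, which is what the post's `sed -i '/^server /d'` does as well.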
- Change the timestamp format of the rsyslog service
```bash
cat > /etc/rsyslog.d/custom.conf <<EOF
template(name="CustomTime" type="list"){
property(name="timereported" dateformat="year")
constant(value="-")
property(name="timereported" dateformat="month")
constant(value="-")
property(name="timereported" dateformat="day")
constant(value=" ")
property(name="timereported" dateformat="hour")
constant(value=":")
property(name="timereported" dateformat="minute")
constant(value=":")
property(name="timereported" dateformat="second")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogtag")
constant(value=" ")
property(name="msg" droplastlf="on")
constant(value="\n")
}
$ActionFileDefaultTemplate CustomTime
EOF
```
- Other checks
- Remove ntpdate and switch to chrony
- Check /etc/rc.d/rc.local
# Security settings
- /etc/pam.d/sshd
- Lock the user for 10 minutes after 3 failed ssh login attempts
```
auth required pam_tally2.so deny=3 unlock_time=600 even_deny_root
```
- /etc/login.defs
- Password expiry in days
```
PASS_MAX_DAYS 60
```
- Days of warning before expiry
```
PASS_WARN_AGE 7
```
- Minimum days between password changes
```
PASS_MIN_DAYS 1
```
- Minimum length
```
PASS_MIN_LEN 8
```
- /etc/pam.d/system-auth
- Password must differ from the previous 5
```
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
```
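As an added example (not code from the original post), the functions below read these settings back so a host can be checked against the values used above: `audit_login_defs` compares a login.defs file with the four thresholds, `pam_option` extracts an option such as `deny=`, `unlock_time=` or `remember=` from the PAM line that loads a given module, and `audit_lockout` checks the pam_tally2 line. All file paths are parameters (on a host you would pass /etc/login.defs, /etc/pam.d/sshd and /etc/pam.d/system-auth); function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: audit the lockout and
# password-ageing settings from the "Security settings" section.
# File paths are arguments so the functions can be run on copies.
# Function names are chosen here.

# login_defs_value FILE KEY -> the value of the (last) active "KEY value" line
login_defs_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# audit_login_defs FILE
# Prints one line per setting that is missing or weaker than the post's
# values and returns 1 in that case; silent and 0 when everything matches.
audit_login_defs() {
    file=$1; rc=0
    for spec in PASS_MAX_DAYS:max:60 PASS_WARN_AGE:min:7 PASS_MIN_DAYS:min:1 PASS_MIN_LEN:min:8; do
        key=${spec%%:*}; rest=${spec#*:}; mode=${rest%%:*}; limit=${rest#*:}
        v=$(login_defs_value "$file" "$key")
        case "$mode:$v" in
            *:)    echo "$key is not set (want $mode $limit)"; rc=1 ;;
            max:*) [ "$v" -le "$limit" ] || { echo "$key=$v (want <= $limit)"; rc=1; } ;;
            min:*) [ "$v" -ge "$limit" ] || { echo "$key=$v (want >= $limit)"; rc=1; } ;;
        esac
    done
    return $rc
}

# pam_option FILE TYPE MODULE OPTION -> value of OPTION=... on the TYPE line
# that loads MODULE, e.g. pam_option /etc/pam.d/sshd auth pam_tally2.so deny
# Commented lines do not match because their first field starts with '#'.
pam_option() {
    awk -v t="$2" -v m="$3" -v o="$4" '
        $1 == t && index($0, m) {
            for (i = 1; i <= NF; i++)
                if (index($i, o "=") == 1) print substr($i, length(o) + 2)
        }' "$1"
}

# audit_lockout FILE: pam_tally2 must lock after at most 3 failures for at
# least 600 seconds (the post's deny=3 unlock_time=600).
audit_lockout() {
    deny=$(pam_option "$1" auth pam_tally2.so deny)
    unlock=$(pam_option "$1" auth pam_tally2.so unlock_time)
    rc=0
    if [ -z "$deny" ] || [ "$deny" -gt 3 ]; then echo "deny=$deny (want <= 3)"; rc=1; fi
    if [ -z "$unlock" ] || [ "$unlock" -lt 600 ]; then echo "unlock_time=$unlock (want >= 600)"; rc=1; fi
    return $rc
}

# Usage on a real host (not run here):
#   audit_login_defs /etc/login.defs && audit_lockout /etc/pam.d/sshd && echo "policy matches"
#   pam_option /etc/pam.d/system-auth password pam_unix.so remember
```

`login_defs_value` only looks at the first two whitespace-separated fields, which is how login.defs is laid out; a stock CentOS 7 file carries `PASS_MAX_DAYS 99999` and `PASS_MIN_LEN 5`, so the audit reports those until the values above are applied.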
- /etc/security/pwquality.conf
- Minimum password length of 8 characters
```bash
authconfig --passminlen=8 --update
```
- At least 2 character classes in the password
```bash
authconfig --passminclass=2 --update
```
- At most 2 identical consecutive characters
```bash
authconfig --passmaxrepeat=2 --update
```
- At most 4 consecutive characters of the same class
```bash
authconfig --passmaxclassrepeat=4 --update
```
- At least 1 lowercase character
```bash
authconfig --enablereqlower --update
```
- At least 1 uppercase character
```bash
authconfig --enablerequpper --update
```
- At least 1 digit
```bash
authconfig --enablereqdigit --update
```
- At least 1 special character
```bash
authconfig --enablereqother --update
```
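The `authconfig` flags above end up as keys in /etc/security/pwquality.conf. As an added example (not code from the original post), `write_pwquality` writes what I understand to be the equivalent keys (`minlen`, `minclass`, `maxrepeat`, `maxclassrepeat` and the four `*credit` keys set to -1) into a file given as argument, and `check_password` evaluates a candidate password against such a file, so the combined policy can be tried on sample passwords without touching any account. The key mapping is an assumption to compare with the real file after running `authconfig`; function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original post. The authconfig -> pwquality.conf
# mapping below is my understanding of that file's keys (assumption: verify
# against /etc/security/pwquality.conf on a host after running authconfig).
# Function names are chosen here.

# write_pwquality FILE: the pwquality.conf equivalent of the flags above
write_pwquality() {
    printf '%s\n' \
        'minlen = 8' \
        'minclass = 2' \
        'maxrepeat = 2' \
        'maxclassrepeat = 4' \
        'lcredit = -1' \
        'ucredit = -1' \
        'dcredit = -1' \
        'ocredit = -1' > "$1"
}

# check_password PASSWORD CONF
# Prints "ok" (exit 0) or "rejected: <rules>" (exit 1). A negative *credit
# value is treated as a required minimum count of that class, which is what
# the --enablereq* flags express.
check_password() {
    printf '%s\n' "$1" | awk -v conf="$2" '
    function cls(c) {                       # character class: l, u, d or o
        if (c ~ /[a-z]/) return "l"
        if (c ~ /[A-Z]/) return "u"
        if (c ~ /[0-9]/) return "d"
        return "o"
    }
    function fail(rule) { bad = (bad == "") ? rule : bad " " rule }
    BEGIN {                                 # read "key = value" lines of CONF
        while ((getline line < conf) > 0) {
            if (line ~ /^ *(#|$)/) continue
            n = split(line, kv, / *= */)
            if (n == 2) p[kv[1]] = kv[2]
        }
        close(conf)
    }
    {
        pw = $0; len = length(pw)
        if (len < p["minlen"] + 0) fail("minlen")
        prev = ""; pcls = ""; run = 0; crun = 0; rep = 0; crep = 0
        for (i = 1; i <= len; i++) {
            c = substr(pw, i, 1); k = cls(c); cnt[k]++
            run = (c == prev) ? run + 1 : 1      # identical consecutive chars
            crun = (k == pcls) ? crun + 1 : 1    # consecutive chars of one class
            if (p["maxrepeat"] + 0 > 0 && run > p["maxrepeat"] + 0) rep = 1
            if (p["maxclassrepeat"] + 0 > 0 && crun > p["maxclassrepeat"] + 0) crep = 1
            prev = c; pcls = k
        }
        if (rep) fail("maxrepeat")
        if (crep) fail("maxclassrepeat")
        classes = ("l" in cnt) + ("u" in cnt) + ("d" in cnt) + ("o" in cnt)
        if (classes < p["minclass"] + 0) fail("minclass")
        if (p["lcredit"] + 0 < 0 && cnt["l"] + 0 < -p["lcredit"]) fail("lcredit")
        if (p["ucredit"] + 0 < 0 && cnt["u"] + 0 < -p["ucredit"]) fail("ucredit")
        if (p["dcredit"] + 0 < 0 && cnt["d"] + 0 < -p["dcredit"]) fail("dcredit")
        if (p["ocredit"] + 0 < 0 && cnt["o"] + 0 < -p["ocredit"]) fail("ocredit")
        if (bad == "") { print "ok"; exit 0 }
        print "rejected: " bad; exit 1
    }'
}

# Usage (constructed sample, not run here):
#   write_pwquality /tmp/pwquality.conf
#   check_password 'Passw0rd!' /tmp/pwquality.conf     # ok
#   check_password 'password'  /tmp/pwquality.conf     # rejected: maxclassrepeat minclass ucredit dcredit ocredit
```

The checker reproduces only the rules the flags above set; the real pam_pwquality also runs dictionary and similarity checks, so passing `check_password` is necessary but not sufficient for the system to accept a password.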