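#!/usr/bin/env bash
# Rocky Linux 9 baseline provisioning and hardening. Run as root on a fresh host.
#
# Sections, in order: mirror yum repos, network (NetworkManager keyfile), base
# tools, SELinux, sysctl, history/ls time stamps, login banner, sshd, chrony,
# timezone, open-vm-tools, zabbix agent, password ageing, password quality and
# lockout, unused system accounts, cached credential files, unneeded services.
#
# Deliberately no `set -e`: several steps are best-effort on a re-run
# (setenforce on an already-disabled system, semanage -a on an existing
# mapping, firewalld removing a service that is already gone). The steps that
# can lock an operator out (sshd restart, firewall) are checked explicitly.

# ---- site parameters: edit before running -----------------------------------
readonly IFACE=ens32
readonly IP_CIDR=192.168.4.4/24
readonly GATEWAY=192.168.4.1
readonly DNS_SERVERS='10.10.12.7;10.10.12.6;'   # keyfile syntax: ';'-separated, trailing ';'
readonly SSH_PORT=22                             # e.g. 2222 to move sshd off the default port
readonly SSH_ADMIN_USER=admin                    # the only account allowed to log in over SSH
readonly SSH_ALLOWED_NET=192.168.4.0/24          # the only source network allowed to reach sshd
readonly NTP_SERVER=ntp.vizionfocus.cn
readonly ZABBIX_SERVER=zabbix.vizionfocus.cn

# Print a message to stderr and exit non-zero.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

[[ $EUID -eq 0 ]] || die "this script must run as root"

# ---- 1. Mirror yum repositories ---------------------------------------------
rm -rf /etc/yum.repos.d/*
cat << 'EOF' > /etc/yum.repos.d/rocky.repo
[baseos]
name=Rocky Linux $releasever - BaseOS
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/BaseOS/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-$releasever

[appstream]
name=Rocky Linux $releasever - AppStream
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/AppStream/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-$releasever
EOF

# $releasever here as in rocky.repo; the hard-coded "-9" key name was the one
# line that would not follow a release upgrade.
cat << 'EOF' > /etc/yum.repos.d/rocky-extras.repo
[extras]
name=Rocky Linux $releasever - Extras
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/extras/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-$releasever
EOF

# NOTE(review): the EPEL signing key is fetched from the same mirror that
# serves the packages, so gpgcheck=1 only proves the mirror is self-consistent.
# Installing epel-release (or importing the key from upstream) and pointing
# gpgkey at the local copy under /etc/pki/rpm-gpg/ is the stronger setup.
cat << 'EOF' > /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
baseurl=https://mirrors.aliyun.com/epel/$releasever/Everything/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/epel/RPM-GPG-KEY-EPEL-$releasever
EOF

yum update -y

# ---- 2. Network: NetworkManager keyfile -------------------------------------
# GKeyFile syntax has no trailing comments: "interface-name=ens32 #note" makes
# the whole remainder the value, so comments stay on their own lines. id and
# interface-name must match the file name. NetworkManager ignores keyfiles
# that other users can read, hence the 0600 mode set before the file is
# written.
nm_file="/etc/NetworkManager/system-connections/${IFACE}.nmconnection"
install -m 0600 -o root -g root /dev/null "$nm_file"
cat << EOF > "$nm_file"
[connection]
id=${IFACE}
type=ethernet
autoconnect-priority=-999
interface-name=${IFACE}
timestamp=1712627482

[ethernet]

[ipv4]
# address/prefix,gateway
address1=${IP_CIDR},${GATEWAY}
dns=${DNS_SERVERS}
method=manual

[ipv6]
addr-gen-mode=eui64
method=disabled

[proxy]
EOF

# Re-read the keyfile and bounce the connection (an SSH session over this
# interface will drop if the address changes).
nmcli connection reload
nmcli connection down "$IFACE"
nmcli connection up "$IFACE"

# ---- 3. Base tools ----------------------------------------------------------
yum install -y net-tools wget tar zip sysstat

# ---- 4. SELinux -------------------------------------------------------------
# /etc/sysconfig/selinux is a symlink to /etc/selinux/config; `sed -i` on the
# symlink replaces it with a regular file, so only the target is edited.
# Disabling SELinux removes the mandatory-access-control layer entirely; the
# semanage step in the sshd section only matters if this line is changed to
# keep SELinux enabled.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0

# ---- 5. sysctl --------------------------------------------------------------
# A drop-in (name chosen here) instead of appending to /etc/sysctl.conf, so
# re-runs do not accumulate duplicate lines. sysctl.conf documents whole-line
# comments only, so each comment is on its own line.
cat << 'EOF' > /etc/sysctl.d/90-baseline.conf
# disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_echo_ignore_broadcasts = 1
# ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# do not accept source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# SYN flood protection
net.ipv4.tcp_syncookies = 1
# ephemeral port range
net.ipv4.ip_local_port_range = 10000 65000
EOF
sysctl --system

# ---- 6. Time stamps in history and ls ---------------------------------------
# Installed for sh-compatible login shells only: the original also copied this
# file to time.csh, but csh cannot parse Bourne syntax, so csh users would see
# errors at login.
cat << 'EOF' > /etc/profile.d/time.sh
# Prefix each history entry with time, login source and user; full time stamps for ls.
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ -z "$USER_IP" ]; then
  USER_IP=$(hostname)
fi
HISTTIMEFORMAT="%F_%T $USER_IP:$(whoami) "
TIME_STYLE='+%Y-%m-%d_%H:%M:%S'
export HISTTIMEFORMAT TIME_STYLE
EOF
sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile

# ---- 7. Login banner --------------------------------------------------------
printf '\n' > /etc/issue
printf '\n' > /etc/issue.net

# ---- 8. sshd ----------------------------------------------------------------
# Whole-file rewrite. sshd uses the first value it reads for each keyword, so
# the vendor drop-ins pulled in by the Include line take precedence over the
# lines that follow it.
cat << EOF > /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
Port ${SSH_PORT}
AddressFamily inet
#ListenAddress 0.0.0.0
AllowUsers ${SSH_ADMIN_USER}
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
UseDNS no
Banner none
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

# A non-default port has to be known to SELinux (if it is left enabled) before
# sshd binds it, or the restart fails with "Bind to port ... failed:
# Permission denied". semanage comes from policycoreutils-python-utils.
if [[ "$SSH_PORT" != 22 ]]; then
  semanage port -a -t ssh_port_t -p tcp "$SSH_PORT" 2>/dev/null \
    || semanage port -m -t ssh_port_t -p tcp "$SSH_PORT"
fi

# Restrict sshd to the admin network in firewalld. This replaces the
# hosts.allow/hosts.deny entries of the original procedure: OpenSSH on
# RHEL 8+/Rocky 9 is built without TCP wrappers support, so those files are
# not consulted and the restriction would silently not exist.
printf -v ssh_rule \
  'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' \
  "$SSH_ALLOWED_NET" "$SSH_PORT"
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public --add-rich-rule="$ssh_rule"
firewall-cmd --reload

# Refuse to restart into a configuration that would lock everyone out.
id -u "$SSH_ADMIN_USER" >/dev/null 2>&1 \
  || die "AllowUsers ${SSH_ADMIN_USER}: account does not exist"
sshd -t || die "sshd_config failed validation"
systemctl restart sshd

# ---- 9. NTP client ----------------------------------------------------------
# port 0 / cmdport 0: this host serves no time and accepts no remote chronyc.
cat << EOF > /etc/chrony.conf
server ${NTP_SERVER} iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
keyfile /etc/chrony.keys
ntsdumpdir /var/lib/chrony
leapsectz right/UTC
logdir /var/log/chrony
port 0
cmdport 0
EOF
systemctl enable chronyd && systemctl restart chronyd

# ---- 10. Timezone -----------------------------------------------------------
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

# ---- 11. VMware guest tools -------------------------------------------------
yum install -y open-vm-tools
systemctl enable vmtoolsd && systemctl start vmtoolsd

# ---- 12. Zabbix agent -------------------------------------------------------
# UnsafeUserParameters=1 lets the server pass shell metacharacters through to
# UserParameter commands; it is only as trustworthy as the Zabbix server, and
# Server=/ServerActive= are what limit which hosts the agent talks to.
# The packaged unit reads /etc/zabbix/zabbix_agentd.conf; the second copy the
# original wrote to /etc/zabbix_agentd.conf is not consulted by it — confirm
# with `systemctl cat zabbix-agent` if a source-built agent is in use.
yum install -y zabbix-agent
cat << EOF > /etc/zabbix/zabbix_agentd.conf
PidFile=/run/zabbix/zabbix_agentd.pid
LogFile=/var/log/zabbix/zabbix_agentd.log
LogFileSize=100
Server=${ZABBIX_SERVER}
ListenPort=10050
ServerActive=${ZABBIX_SERVER}
Timeout=30
UnsafeUserParameters=1
EOF
systemctl enable zabbix-agent && systemctl restart zabbix-agent
firewall-cmd --permanent --zone=public --add-port=10050/tcp
firewall-cmd --reload

# ---- 13. Password ageing (/etc/login.defs) ----------------------------------
# In-place edits keep the distribution's other defaults. The original procedure
# offered a complete replacement login.defs as an alternative; it is not
# reproduced here because the three values below are the only intended change.
sed -i 's/^PASS_MAX_DAYS.*$/PASS_MAX_DAYS 90/' /etc/login.defs   # passwords expire after 90 days
sed -i 's/^PASS_MIN_DAYS.*$/PASS_MIN_DAYS 0/' /etc/login.defs    # may be changed immediately
sed -i 's/^PASS_WARN_AGE.*$/PASS_WARN_AGE 7/' /etc/login.defs    # warn 7 days before expiry

# ---- 14. Password quality and failed-login lockout --------------------------
# /etc/pam.d/system-auth on Rocky 9 is generated by authselect (its own header
# says so) and is overwritten on the next `authselect apply-changes`, so the
# original's sed/echo/heredoc edits of it do not survive. Worse, pam_tally.so,
# which those edits loaded, was removed from Linux-PAM in 1.4.0 and is not
# shipped on Rocky 9, so the lockout line could never take effect. The
# supported route is pam_faillock through the authselect feature, configured
# in /etc/security/faillock.conf, and pam_pwquality through
# /etc/security/pwquality.conf.
#
# Password rule: at least 12 characters with at least one digit, one upper
# case, one lower case and one other character (a credit of -1 is a minimum
# count of that class).
cat << 'EOF' > /etc/security/pwquality.conf
minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
retry = 3
local_users_only
EOF

# Lockout: three failures lock the account for 60 seconds.
cat << 'EOF' > /etc/security/faillock.conf
deny = 3
unlock_time = 60
EOF

if ! authselect enable-feature with-faillock; then
  printf 'warn: authselect could not enable with-faillock; inspect "authselect current"\n' >&2
fi

# ---- 15. Lock unused system accounts ----------------------------------------
# Exact-name match. The original `[[ $i =~ $user ]]` was a regex test of the
# /etc/passwd name inside the list entry, so a user named "a" matched "adm".
lock_accounts=(adm lp sync shutdown halt news uucp operator games gopher dip
  pppusers popusers slipusers)
for acct in "${lock_accounts[@]}"; do
  if getent passwd "$acct" >/dev/null; then
    usermod -L "$acct"
  fi
done

# ---- 16. Remove cached credential files -------------------------------------
# .netrc holds FTP/HTTP logins, .rhosts holds rsh trust. `-exec ... +` instead
# of `| xargs rm`: no failing rm on an empty result, and names with whitespace
# are handled. /proc is pruned to avoid traversing it.
find / -path /proc -prune -o \( -name .netrc -o -name .rhosts \) -exec rm -f -- {} +

# ---- 17. Unneeded services --------------------------------------------------
# ctrl-alt-del.target is an alias of reboot.target; masking is what keeps the
# key combination from rebooting the host (disable/stop on the alias do not).
systemctl mask ctrl-alt-del.target
systemctl daemon-reload
systemctl disable --now NetworkManager-dispatcher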