Rocky Linux基础设置
1、本地yum源
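# Package repositories.
# Back the shipped repo files up instead of deleting them: "rm -rf" is not
# recoverable and the vendor files hold the mirrorlist/GPG configuration you
# will want back if the mirror below ever misbehaves. Every repo keeps
# gpgcheck=1 — with a third-party mirror that is the only thing between you
# and a tampered package.
mkdir -p /etc/yum.repos.d/backup
mv -f /etc/yum.repos.d/*.repo /etc/yum.repos.d/backup/ 2>/dev/null
cat << 'EOF' > /etc/yum.repos.d/rocky.repo
[baseos]
name=Rocky Linux $releasever - BaseOS
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/BaseOS/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-$releasever

[appstream]
name=Rocky Linux $releasever - AppStream
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/AppStream/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-$releasever
EOF
cat << 'EOF' > /etc/yum.repos.d/rocky-extras.repo
[extras]
name=Rocky Linux $releasever - Extras
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/extras/$basearch/os/
gpgcheck=1
enabled=1
# $releasever rather than a hard-coded "9", consistent with the other two repos,
# so the file stays correct on the next major version.
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-$releasever
EOF
# EPEL signing key: install it from the epel-release package (shipped in Rocky's
# extras repo and verified by the Rocky key already on disk) instead of fetching
# it over HTTPS from the same mirror that serves the packages. A mirror that can
# swap a package can just as easily swap the key it hands out, which would make
# gpgcheck=1 meaningless. epel-release writes a metalink-based epel.repo; it is
# replaced below to use the local mirror.
yum install -y epel-release
cat << 'EOF' > /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
# The stock file uses a metalink, which lets dnf check mirror content against
# upstream checksums; a single baseurl trusts this one mirror alone.
baseurl=https://mirrors.aliyun.com/epel/$releasever/Everything/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever
EOF
yum update -y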
设置网络
# 设置配置文件
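# NetworkManager keyfile profile for ens32.
# Two things the original got wrong:
#  * The keyfile format has no trailing comments — only lines that START with
#    "#" are comments — so "id=ens32 #..." makes the id, the interface-name and
#    the address1 value include the Chinese annotation, and the profile fails to
#    parse. Comments go on their own line.
#  * NetworkManager ignores a profile in system-connections that is not owned by
#    root with mode 0600; a file created through a redirect gets the umask
#    default (0644), so chmod it before reloading.
# Adjust interface name, address, gateway and DNS to the host being built.
cat << 'EOF' > /etc/NetworkManager/system-connections/ens32.nmconnection
[connection]
# id and interface-name name the device; by convention they match the file name.
id=ens32
type=ethernet
autoconnect-priority=-999
interface-name=ens32
timestamp=1712627482

[ethernet]

[ipv4]
# address/prefix,gateway
address1=192.168.4.4/24,192.168.4.1
# DNS servers, semicolon-separated.
dns=10.10.12.7;10.10.12.6;
method=manual

[ipv6]
addr-gen-mode=eui64
method=disabled

[proxy]
EOF
chown root:root /etc/NetworkManager/system-connections/ens32.nmconnection
chmod 600 /etc/NetworkManager/system-connections/ens32.nmconnection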
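# Apply the profile. "reload" makes NetworkManager re-read the keyfile and
# "up" (re)activates the connection with the new settings. An explicit "down"
# first is not needed and guarantees a dropped session if you are logged in
# through ens32. On a remote host run this from a console or a second
# interface: if the new address, gateway or DNS is wrong, the machine is
# unreachable afterwards.
nmcli connection reload
nmcli connection up ens32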
安装基本工具
# Baseline administration tooling: ifconfig/netstat, downloads, archives, sar.
yum -y install net-tools wget tar zip sysstat
关闭selinux
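# Do NOT disable SELinux. It is the only mandatory-access-control layer on the
# host, and the "SSH修改端口" step further down (semanage port ...) only does
# anything while SELinux is active — the two steps contradict each other.
# If a workload genuinely misbehaves, switch to permissive instead: violations
# are logged to /var/log/audit/audit.log (ausearch -m AVC) but not blocked,
# which gives you the evidence for a targeted policy fix rather than turning
# the mechanism off for good.
# /etc/sysconfig/selinux is a symlink to /etc/selinux/config on EL, so editing
# both files is redundant; one sed covers both.
sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
# Same mode for the running kernel (0 = permissive, 1 = enforcing).
setenforce 0
# If disabling is a hard requirement anyway: on EL9 "SELINUX=disabled" in the
# config file is deprecated; the supported way is the kernel argument
#   grubby --update-kernel ALL --args selinux=0
# followed by a reboot, and a full relabel (touch /.autorelabel) if SELinux is
# ever switched back on.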
优化sysctl
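# Kernel network hardening.
# Written to /etc/sysctl.d so it is not appended twice on re-runs, survives
# package updates of /etc/sysctl.conf, and is applied by systemd-sysctl at boot
# as well as by `sysctl --system` now.
# Comments must be on their own line: sysctl only treats lines that START with
# "#" or ";" as comments, so trailing "# ..." text becomes part of the value and
# the kernel rejects (or mis-parses) the write.
cat << 'EOF' > /etc/sysctl.d/99-hardening.conf
# IPv6 is unused on this host (the NetworkManager profile sets ipv6 method=disabled).
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# Do not answer ICMP echo sent to broadcast addresses (smurf amplification).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Do not log bogus ICMP error responses (log-flooding noise).
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Drop source-routed packets; a sender must not dictate our routing path.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Ignore ICMP redirects and never emit them: a host is not a router, and
# accepting redirects lets an on-link attacker rewrite our routing table.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Log packets with impossible source addresses (spoofing evidence).
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# SYN cookies: keep accepting connections when the SYN backlog is flooded.
net.ipv4.tcp_syncookies = 1
# Ephemeral (source) port range for outgoing connections. This does not limit
# which ports services may listen on.
net.ipv4.ip_local_port_range = 10000 65000
EOF
sysctl --system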
优化ls命令和history命令显示格式,显示时间完整格式
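# Stamp each shell-history line with time, source IP and user, and make `ls -l`
# print full timestamps. This is a convenience trail, not an audit control: a
# user can unset HISTTIMEFORMAT or edit ~/.bash_history. Use auditd for
# tamper-resistant command logging.
# Written with ">" (not ">>") so re-running the script does not append a second
# copy. Profile.d *.sh files are sourced by POSIX shells, so keep the syntax
# POSIX and quote the variables.
cat << 'EOF' > /etc/profile.d/time.sh
# Source address of the current login; fall back to the hostname for console
# or cron sessions where `who` reports nothing.
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ -z "$USER_IP" ]; then
    USER_IP=$(hostname)
fi
HISTTIMEFORMAT="%F_%T $USER_IP:$(whoami) "
TIME_STYLE='+%Y-%m-%d_%H:%M:%S'
export HISTTIMEFORMAT TIME_STYLE
EOF
# The original copied the bash file to time.csh, but csh/tcsh cannot parse
# bash syntax and every csh login would print errors. HISTTIMEFORMAT is
# bash-only; only TIME_STYLE is meaningful for csh users.
cat << 'EOF' > /etc/profile.d/time.csh
setenv TIME_STYLE '+%Y-%m-%d_%H:%M:%S'
EOF
# Pick the settings up in the shell running this script (new logins get them
# automatically).
source /etc/profile
# Keep more history; the stock /etc/profile ships HISTSIZE=1000.
sed -i 's/^HISTSIZE=1000$/HISTSIZE=10000/' /etc/profile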
关闭登陆提示
# Blank the pre-login banners. The stock /etc/issue prints the distro and
# kernel release (\S, \r) to anyone at the console before authentication;
# /etc/issue.net is what sshd shows when its Banner directive points at it.
# Sites that require a legal-notice banner should put that text here instead.
printf '\n' > /etc/issue && printf '\n' > /etc/issue.net
优化SSH
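# sshd policy goes into a drop-in rather than overwriting /etc/ssh/sshd_config.
# The stock file already starts with "Include /etc/ssh/sshd_config.d/*.conf",
# and sshd keeps the FIRST value it sees for each keyword. Drop-ins are read in
# lexical order, so a "01-" file takes precedence over the vendor
# 50-redhat.conf; a setting written later in sshd_config itself silently loses
# to anything a drop-in already set (X11Forwarding, for example).
# Do not repeat "Subsystem sftp" here: the main file defines it and a second
# definition is a configuration error.
cat << 'EOF' > /etc/ssh/sshd_config.d/01-local.conf
Port 22
AddressFamily inet
# Only this account may log in over SSH. It must exist and have a working key
# or password BEFORE sshd is restarted, or you are locked out.
AllowUsers admin
PermitRootLogin no
PermitEmptyPasswords no
AuthorizedKeysFile .ssh/authorized_keys
MaxAuthTries 4
LoginGraceTime 60
X11Forwarding no
UseDNS no
Banner none
# Enable once every operator has a key deployed; password authentication is
# the main brute-force surface.
#PasswordAuthentication no
EOF
chmod 600 /etc/ssh/sshd_config.d/01-local.conf
# Validate the merged configuration before restarting: a syntax error would
# otherwise leave sshd down on a remote host.
if sshd -t; then
    systemctl restart sshd
else
    echo "sshd configuration invalid; not restarting" >&2
fi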
SSH修改端口
当 SELinux 处于 enforcing 且未给新端口打标签时,直接重启 sshd 会出现 Bind to port xxxx on 0.0.0.0 failed: Permission denied 错误;如果前文已经把 SELinux 设为 disabled,则不会报错,但下面的 semanage 步骤也就不起任何作用——两处设置需要保持一致。
新增selinux中sshd的端口
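# Label the new SSH port for SELinux. Only meaningful while SELinux is active
# (see the SELinux step above); with SELinux disabled this is a no-op.
# semanage lives in policycoreutils-python-utils, which is not installed by default.
yum install -y policycoreutils-python-utils
# "-a" fails if the port already carries a label; fall back to "-m" (modify).
semanage port -a -t ssh_port_t -p tcp 2222 2>/dev/null || semanage port -m -t ssh_port_t -p tcp 2222
# firewalld's "ssh" service only covers 22/tcp, so the new port has to be opened
# as well, and the Port directive in the sshd configuration changed to 2222
# before sshd is restarted. Keep the old port open until the new one is verified.
firewall-cmd --permanent --zone=public --add-port=2222/tcp
firewall-cmd --reload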
配置NTP客户端
# Client-only chrony configuration.
cat << 'EOF' > /etc/chrony.conf
# Single upstream source; iburst speeds up the initial synchronisation.
# This is plain, unauthenticated NTP: if the server supports NTS, append
# "nts" to this line so the time source is authenticated.
server ntp.vizionfocus.cn iburst
# Step the clock if the offset exceeds 1s during the first 3 updates, slew afterwards.
makestep 1.0 3
# Keep the hardware clock in sync and remember the measured drift across restarts.
rtcsync
driftfile /var/lib/chrony/drift
# Key/NTS material and logging locations.
keyfile /etc/chrony.keys
ntsdumpdir /var/lib/chrony
leapsectz right/UTC
logdir /var/log/chrony
# Never act as an NTP server and refuse remote chronyc commands: no listening sockets.
port 0
cmdport 0
EOF
systemctl enable chronyd && systemctl restart chronyd
设置时区
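# timedatectl validates the zone name (ln -sf would silently create a dangling
# symlink on a typo) and updates /etc/localtime through systemd-timedated.
timedatectl set-timezone Asia/Shanghai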
安装配置vmtool
# VMware guest integration (time sync, clean shutdown, guest info);
# only useful on a VMware hypervisor.
yum -y install open-vm-tools
systemctl enable --now vmtoolsd
安装配置zabbix
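yum install -y zabbix-agent
# Zabbix agent configuration.
#  * UnsafeUserParameters=1 lets the server pass shell metacharacters
#    (; | & $ ` and friends) into UserParameter commands, so a compromised or
#    spoofed Zabbix server gets command execution on every monitored host.
#    Leave it at 0 unless a specific UserParameter needs it.
#  * Server= / ServerActive= restrict passive checks to the server's resolved
#    address, but the protocol is plaintext. Once the server side is set up,
#    uncomment the TLS lines (upstream directive names) to use PSK encryption.
#  * Hostname defaults to the system hostname and must match the host as
#    registered on the server for active checks to work.
cat << 'EOF' > /etc/zabbix/zabbix_agentd.conf
PidFile=/run/zabbix/zabbix_agentd.pid
LogFile=/var/log/zabbix/zabbix_agentd.log
LogFileSize=100
Server=zabbix.vizionfocus.cn
ListenPort=10050
ServerActive=zabbix.vizionfocus.cn
Timeout=30
UnsafeUserParameters=0
# TLSConnect=psk
# TLSAccept=psk
# TLSPSKIdentity=<identity configured on the server>
# TLSPSKFile=/etc/zabbix/zabbix_agentd.psk
EOF
# The package's systemd unit reads exactly one config path (see the -c argument
# in `systemctl cat zabbix-agent`). Keep the second location as a copy so
# whichever path the unit uses gets the same settings, and delete the unused
# one once confirmed so the two cannot drift apart.
cp -f /etc/zabbix/zabbix_agentd.conf /etc/zabbix_agentd.conf
systemctl enable zabbix-agent && systemctl restart zabbix-agent
# Open the agent port to the Zabbix server only, not to the whole public zone.
# firewalld rich rules take addresses, so resolve the server name now; if the
# server's address changes this rule must be updated.
zbx_ip=$(getent ahostsv4 zabbix.vizionfocus.cn | awk 'NR==1 {print $1}')
if [ -n "$zbx_ip" ]; then
    firewall-cmd --permanent --zone=public \
        --add-rich-rule="rule family=\"ipv4\" source address=\"${zbx_ip}\" port port=\"10050\" protocol=\"tcp\" accept"
    firewall-cmd --reload
else
    echo "cannot resolve zabbix.vizionfocus.cn; port 10050 left closed" >&2
fi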
设置账户策略
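# Password ageing defaults.
# login.defs only affects accounts created AFTER this point; existing accounts
# keep whatever is in /etc/shadow, so the same ageing is applied below to every
# account that already has a real password hash (shadow field 2 starting with
# "$"; "!", "*" and "!!" mark locked or passwordless system accounts).
sed -i 's/^PASS_MAX_DAYS.*$/PASS_MAX_DAYS   90/' /etc/login.defs   # password expires after 90 days
sed -i 's/^PASS_MIN_DAYS.*$/PASS_MIN_DAYS   0/' /etc/login.defs    # 0 = may be changed immediately (1 stops users cycling straight back to an old password)
sed -i 's/^PASS_WARN_AGE.*$/PASS_WARN_AGE   7/' /etc/login.defs    # warn 7 days before expiry
while IFS=: read -r user hash _; do
    case $hash in
        '$'*) chage -M 90 -m 0 -W 7 "$user" ;;
    esac
done < /etc/shadow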
or
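# Alternative: replace /etc/login.defs wholesale. Keep the shipped file first —
# the version below carries only the directives listed, so anything else the
# distro set (and its documentation comments) is gone until restored.
cp -an /etc/login.defs /etc/login.defs.orig
cat << 'EOF' > /etc/login.defs
MAIL_DIR /var/spool/mail
# Default umask for new sessions (022 leaves new files world-readable; most
# hardening baselines ask for 027) and the mode of newly created home directories.
UMASK 022
HOME_MODE 0700
# Password ageing for accounts created from now on; existing accounts need chage(1).
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
SYS_UID_MIN 201
SYS_UID_MAX 999
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
SUB_UID_COUNT 65536
GID_MIN 1000
GID_MAX 60000
SYS_GID_MIN 201
SYS_GID_MAX 999
SUB_GID_MIN 100000
SUB_GID_MAX 600100000
SUB_GID_COUNT 65536
# Hash algorithm for passwords set through the shadow tools. An explicit
# algorithm option on the pam_unix password line takes precedence for passwd(1);
# keep the two in agreement.
ENCRYPT_METHOD SHA512
USERGROUPS_ENAB yes
CREATE_HOME yes
HMAC_CRYPTO_ALGO SHA512
EOF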
设置密码策略
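# Password quality and lockout policy.
# On EL9 /etc/pam.d/system-auth and password-auth are generated by authselect
# (the file itself says "User changes will be destroyed the next time authselect
# is run"), so patching them with sed or overwriting them is fragile. The
# original also had two real defects: pam_tally.so no longer exists on EL8/EL9
# (pam_faillock replaced it), and it was placed after pam_deny.so, where the
# stack never reaches it. The supported route is: policy values in
# /etc/security/*.conf, and faillock switched on as an authselect feature, which
# wires it into both system-auth (local logins) and password-auth (sshd) at once.

# Complexity: at least 12 characters including one digit, one upper-case, one
# lower-case and one special character (a negative credit is a minimum count).
cat << 'EOF' > /etc/security/pwquality.conf
minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
retry = 3
local_users_only
EOF

# Lockout: 3 consecutive failures lock the account for 60 seconds.
cat << 'EOF' > /etc/security/faillock.conf
deny = 3
unlock_time = 60
audit
EOF

# Turn on faillock and refuse empty passwords (the original stack carried
# "nullok") in the active authselect profile. `authselect current` fails when
# no profile is selected — e.g. after a hand-edited PAM stack — so fall back to
# the default "sssd" profile in that case.
authselect current >/dev/null 2>&1 || authselect select sssd --force
authselect enable-feature with-faillock
authselect enable-feature without-nullok
authselect apply-changes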
关闭多余账户
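# Lock distro accounts a server does not need. Compared with the original
# nested loop this (a) matches whole account names — `[[ adm =~ $user ]]` was
# a regex test, so any user whose name is a substring of a list entry (e.g. "a")
# matched it — and (b) only touches names that actually exist in passwd.
# usermod -L prefixes the shadow hash with "!", which blocks password login but
# not key-based or cron use; the accounts keep their shells.
readonly UNUSED_ACCOUNTS=(adm lp sync shutdown halt news uucp operator games gopher dip pppusers popusers slipusers)

#######################################
# Print, one per line, each UNUSED_ACCOUNTS entry that has an exact
# whole-name match in the passwd-format data supplied on stdin.
# Arguments: none (passwd lines on stdin)
# Outputs:   matching account names to stdout
# Returns:   0
#######################################
existing_unused_accounts() {
    local passwd_data name
    passwd_data=$(cat)
    for name in "${UNUSED_ACCOUNTS[@]}"; do
        if grep -q -- "^${name}:" <<<"$passwd_data"; then
            printf '%s\n' "$name"
        fi
    done
}

while IFS= read -r acct; do
    usermod -L "$acct"
done < <(getent passwd | existing_unused_accounts)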
删除遗留的明文凭据/信任文件(.netrc 保存 ftp 等工具的明文账号密码;.rhosts 是 rsh/rlogin 的主机信任文件,并非密码缓存)
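# Remove legacy credential and trust files:
#   .netrc  — plaintext machine/login/password triples read by ftp, curl, wget
#   .rhosts — per-user host trust lists for rsh/rlogin (not a password cache)
# Fixes versus the original: skip /proc, /sys and /dev (find would otherwise
# walk pseudo-filesystems), match regular files only, cope with names that
# contain spaces or newlines, and never run "rm" with no arguments when nothing
# is found. Each removed path is printed so the change is auditable.
find / \( -fstype proc -o -fstype sysfs -o -fstype devtmpfs \) -prune -o \
    -type f \( -name .netrc -o -name .rhosts \) -print -exec rm -f -- {} +
# /etc/hosts.equiv is the system-wide counterpart of .rhosts.
rm -f /etc/hosts.equiv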
SSH限制IP登陆
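# /etc/hosts.allow and /etc/hosts.deny are dead configuration on EL8/EL9: the
# tcp_wrappers library was dropped and OpenSSH is no longer built against
# libwrap, so the two original lines restricted nothing while looking like a
# control. Enforce the source restriction in firewalld instead: remove the
# blanket "ssh" service from the public zone and accept SSH only from the
# management subnet. If sshd was moved to 2222 (see "SSH修改端口"), restrict
# that port the same way.
# Run this from a console or from inside 192.168.4.0/24 — any other SSH session dies.
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public \
    --add-rich-rule='rule family="ipv4" source address="192.168.4.0/24" service name="ssh" accept'
firewall-cmd --reload
# Defence in depth: sshd can enforce the same policy per user, e.g.
#   AllowUsers admin@192.168.4.*
# in the sshd configuration, so it still holds if firewalld is stopped.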
禁用不必要服务
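# Ctrl-Alt-Del at the console must not reboot the host. ctrl-alt-del.target is
# an alias of reboot.target, so "disable"/"stop" achieve nothing useful; mask it
# so the target resolves to /dev/null.
systemctl mask ctrl-alt-del.target
systemctl daemon-reload
# NetworkManager-dispatcher only runs hook scripts from
# /etc/NetworkManager/dispatcher.d; leave it off unless such hooks are in use.
systemctl disable --now NetworkManager-dispatcher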