
Rocky Linux基础设置

1、本地yum源

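# Replace the stock repo definitions with the Aliyun mirrors for BaseOS,
# AppStream, Extras and EPEL, then bring the system up to date.
# Keep a copy of the old definitions: `rm -rf` below is otherwise irreversible.
REPO_BACKUP="/root/yum.repos.d.$(date +%Y%m%d%H%M%S)"
mkdir -p -- "$REPO_BACKUP"
cp -a /etc/yum.repos.d/. "$REPO_BACKUP"/ 2>/dev/null || true
rm -rf /etc/yum.repos.d/*

# Heredocs are quoted so $releasever/$basearch reach dnf literally.
# gpgcheck=1 with the locally installed Rocky key (rocky-gpg-keys package)
# means packages are verified against a key that did not come from the mirror.
cat << 'EOF' > /etc/yum.repos.d/rocky.repo
[baseos]
name=Rocky Linux $releasever - BaseOS
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/BaseOS/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-$releasever

[appstream]
name=Rocky Linux $releasever - AppStream
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/AppStream/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-$releasever
EOF

# Extras used a hard-coded "-9" key name while every other repo used
# $releasever; use the variable so the file does not break on a later release.
cat << 'EOF' > /etc/yum.repos.d/rocky-extras.repo
[extras]
name=Rocky Linux $releasever - Extras
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/extras/$basearch/os/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-$releasever
EOF

# NOTE(review): the EPEL signing key is downloaded from the same mirror that
# serves the packages, so gpgcheck only proves the mirror is self-consistent.
# Verify the key's fingerprint against the one published by the Fedora project
# (or install epel-release and point gpgkey at
# file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever) before trusting it.
cat << 'EOF' > /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
baseurl=https://mirrors.aliyun.com/epel/$releasever/Everything/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/epel/RPM-GPG-KEY-EPEL-$releasever
EOF


yum update -y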





设置网络
# 设置配置文件
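# Static IPv4 configuration for the primary interface as a NetworkManager
# keyfile. Override the variables before running; the interface name must
# match `nmcli device` and the file name must match the connection id.
IFACE=${IFACE:-ens32}
IPV4_CIDR=${IPV4_CIDR:-192.168.4.4/24}      # address/prefix
IPV4_GW=${IPV4_GW:-192.168.4.1}             # default gateway
DNS_SERVERS=${DNS_SERVERS:-"10.10.12.7;10.10.12.6;"}   # semicolon-separated, trailing ";" required
NM_CONN="/etc/NetworkManager/system-connections/${IFACE}.nmconnection"

# The original put "# ..." comments after the values inside the keyfile.
# Keyfiles use GKeyFile syntax, where a comment must occupy a whole line:
# a trailing "# ..." is read as part of the value, so id=, interface-name=,
# address1= and dns= all came out wrong. All comments now live in the script.
cat <<EOF > "$NM_CONN"
[connection]
id=${IFACE}
type=ethernet
autoconnect-priority=-999
interface-name=${IFACE}
timestamp=1712627482
[ethernet]
[ipv4]
address1=${IPV4_CIDR},${IPV4_GW}
dns=${DNS_SERVERS}
method=manual
[ipv6]
addr-gen-mode=eui64
method=disabled
[proxy]
EOF
# NetworkManager refuses to load a keyfile that is readable by other users;
# a file created through plain shell redirection is 0644 under the usual umask.
chown root:root "$NM_CONN"
chmod 0600 "$NM_CONN"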


# Re-read keyfiles from disk, then bounce the connection so the new
# addresses take effect (this briefly drops any session running over it).
conn_name=ens32
nmcli connection reload
for action in down up; do
  nmcli connection "$action" "$conn_name"
done


安装基本工具
# Baseline admin tooling: ifconfig/netstat, downloads, archives, sar/iostat.
base_pkgs=(net-tools wget tar zip sysstat)
yum install "${base_pkgs[@]}" -y


关闭selinux
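# Persistently set the SELinux mode (effective after reboot) and drop the
# running kernel to permissive so nothing is blocked in the meantime.
# NOTE(review): SELINUX=disabled removes an entire isolation layer and also
# turns the `semanage port` step for the SSH port further down into a no-op.
# Prefer "permissive" while troubleshooting and "enforcing" on production
# hosts. On EL9 check `getenforce` after reboot: the documented way to fully
# disable SELinux there is the selinux=0 kernel argument — TODO confirm.
SELINUX_STATE=${SELINUX_STATE:-disabled}
# Match whatever mode is currently set, not only "enforcing", so a host that
# is already permissive is changed as well. On EL systems
# /etc/sysconfig/selinux is normally a symlink to /etc/selinux/config, so
# editing both is redundant but harmless.
sed -i "s/^SELINUX=.*/SELINUX=${SELINUX_STATE}/" /etc/sysconfig/selinux
sed -i "s/^SELINUX=.*/SELINUX=${SELINUX_STATE}/" /etc/selinux/config
# setenforce 0 only makes sense when the target mode is not enforcing.
[ "$SELINUX_STATE" = enforcing ] || setenforce 0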


优化sysctl
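# Kernel network hardening. Written to a sysctl.d drop-in with ">" instead of
# appended to /etc/sysctl.conf, so re-running the script does not pile up
# duplicate lines. Comments are on lines of their own: sysctl.conf(5) only
# defines whole-line comments, and a trailing "# ..." may be passed to the
# kernel as part of the value.
cat <<'EOF' > /etc/sysctl.d/99-hardening.conf
# Disable IPv6 (the NetworkManager profile also sets method=disabled)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# Ignore ICMP echo requests to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Do not log bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Drop source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# SYN cookies mitigate SYN-flood backlog exhaustion
net.ipv4.tcp_syncookies = 1
# Ephemeral port range for outbound connections
net.ipv4.ip_local_port_range = 10000 65000
EOF
# --system loads every sysctl.d drop-in and /etc/sysctl.conf, unlike -p,
# which only reads /etc/sysctl.conf.
sysctl --system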


优化ls命令和history命令显示格式,显示时间完整格式
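# Timestamp bash history and `ls` output, and tag history entries with the
# source host of the session. Written with ">" so re-running the script does
# not append a second copy to the profile snippet.
# NOTE(review): this is a convenience, not an audit trail — a user can unset
# HISTTIMEFORMAT or edit ~/.bash_history at will. Use auditd / pam_tty_audit
# when tamper-resistant command logging is required.
cat <<'EOF' > /etc/profile.d/time.sh
# Remote host of this login as reported by who(1), i.e. the parenthesised
# last field. With -u the last field of a console login is the PID, so only
# a "(...)" value is accepted; anything else falls back to the hostname.
USER_IP=$(who -u am i 2>/dev/null | awk '$NF ~ /^\(.*\)$/ { gsub(/[()]/, "", $NF); print $NF }')
if [ -z "$USER_IP" ]; then
  USER_IP=$(hostname)
fi
HISTTIMEFORMAT="%F_%T $USER_IP:$(whoami) "
TIME_STYLE='+%Y-%m-%d_%H:%M:%S'
export HISTTIMEFORMAT TIME_STYLE
EOF
# /etc/profile.d/*.csh is sourced by csh/tcsh, which cannot parse the Bourne
# syntax above (the original copied time.sh verbatim, which errors at csh
# login). HISTTIMEFORMAT is bash-only, so the csh variant sets TIME_STYLE only.
cat <<'EOF' > /etc/profile.d/time.csh
setenv TIME_STYLE '+%Y-%m-%d_%H:%M:%S'
EOF
source /etc/profile

# Keep more in-memory history per shell (the stock /etc/profile sets 1000).
sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g'  /etc/profile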


关闭登陆提示
# Blank the pre-login banners so the default OS/kernel line is not shown on
# the console (/etc/issue) or to network logins (/etc/issue.net).
printf '\n' > /etc/issue && printf '\n' > /etc/issue.net


优化SSH
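# Replace sshd_config with a minimal hardened configuration.
# NOTE(review): AllowUsers limits logins to "admin", but nothing in this guide
# creates that account or installs a key for it. Confirm the user exists and
# can authenticate BEFORE restarting sshd, and keep the current session open
# while testing a new one — otherwise the host is unreachable over SSH.
# A non-default SSH_PORT also needs the semanage and firewalld steps below.
SSH_PORT=${SSH_PORT:-22}
SSH_ALLOW_USERS=${SSH_ALLOW_USERS:-admin}
cp -a /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%Y%m%d%H%M%S)"
cat <<EOF > /etc/ssh/sshd_config
# sshd uses the first value it sees for a keyword, so the drop-ins included
# here (on EL9 that is where 50-redhat.conf and the crypto policy live)
# override anything that follows.
Include /etc/ssh/sshd_config.d/*.conf
Port ${SSH_PORT}
AddressFamily inet
#ListenAddress 0.0.0.0
AllowUsers ${SSH_ALLOW_USERS}
PermitRootLogin no
AuthorizedKeysFile      .ssh/authorized_keys
UseDNS no
Banner none
Subsystem       sftp    /usr/libexec/openssh/sftp-server
EOF
# Validate before restarting: a syntax error would otherwise leave sshd down.
# Once key-based access for the allowed users is verified, consider adding
# "PasswordAuthentication no" (not done here, as the guide never installs keys).
sshd -t && systemctl restart sshd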


SSH修改端口

如果不修改SELinux直接重启sshd,会出现 Bind to port xxxx on 0.0.0.0 failed: Permission denied 错误。注意：此步骤仅在 SELinux 处于 enforcing/permissive 时有意义（若已按前文将 SELinux 设为 disabled，则无需执行）；另外修改端口后还必须在 firewalld 中放行新端口，否则无法登录。

新增selinux中sshd的端口
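# Label the new port as an SSH port for SELinux. Only meaningful while SELinux
# is enforcing/permissive (a no-op if it was disabled above). semanage ships
# in policycoreutils-python-utils, which is not installed by default.
SSH_PORT=${SSH_PORT:-2222}
command -v semanage >/dev/null 2>&1 || yum install -y policycoreutils-python-utils
# -a fails when the port is already defined (e.g. on a re-run); -m modifies it.
semanage port -a -t ssh_port_t -p tcp "$SSH_PORT" \
  || semanage port -m -t ssh_port_t -p tcp "$SSH_PORT"
# The guide never opens the new port in firewalld: sshd would bind, but no
# client could reach it. Open it here so the port change does not lock you out.
firewall-cmd --permanent --add-port="${SSH_PORT}/tcp" && firewall-cmd --reload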


配置NTP客户端
# NTP client only: "port 0" stops chronyd serving time to other hosts and
# "cmdport 0" closes the network command port, leaving just the local socket
# for chronyc. Time is taken from the site server over plain, unauthenticated
# NTP; chrony can use NTS if that server supports it.
tee /etc/chrony.conf >/dev/null <<'EOF'
server ntp.vizionfocus.cn  iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
keyfile /etc/chrony.keys
ntsdumpdir /var/lib/chrony
leapsectz right/UTC
logdir /var/log/chrony
port 0
cmdport 0
EOF

systemctl enable chronyd && systemctl restart chronyd


设置时区
# Point /etc/localtime at the Asia/Shanghai zoneinfo file (UTC+8);
# -f replaces any existing link or file.
zone_file=/usr/share/zoneinfo/Asia/Shanghai
ln -sf -- "$zone_file" /etc/localtime


安装配置vmtool
# VMware guest tools (guest info, graceful shutdown, time/clock hooks).
# "enable --now" is enable followed by start.
yum install -y open-vm-tools
systemctl enable --now vmtoolsd


安装配置zabbix
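# Zabbix agent for passive and active checks against the site server.
# NOTE(review): zabbix-agent is not in the repos configured at the top of this
# guide; a Zabbix repository has to be present for the install to succeed.
ZBX_SERVER=${ZBX_SERVER:-zabbix.vizionfocus.cn}
ZBX_PORT=${ZBX_PORT:-10050}
yum install -y zabbix-agent

# Write the agent configuration to $1. Both copies written below are identical;
# a helper keeps them from drifting apart.
write_zabbix_agent_conf() {
  cat <<EOF > "$1"
PidFile=/run/zabbix/zabbix_agentd.pid
LogFile=/var/log/zabbix/zabbix_agentd.log
LogFileSize=100
# Server= is the allow-list for passive checks. With a DNS name the agent
# trusts whatever that name resolves to at connection time.
Server=${ZBX_SERVER}
ListenPort=${ZBX_PORT}
ServerActive=${ZBX_SERVER}
Timeout=30
# No UserParameter is defined in this file, so nothing needs shell
# metacharacters in item arguments. The original set this to 1, which would let
# the server pass arbitrary characters into any future UserParameter command.
UnsafeUserParameters=0
EOF
}
# The packaged unit normally reads /etc/zabbix/zabbix_agentd.conf; the second
# copy mirrors the original guide — TODO confirm anything still reads it.
write_zabbix_agent_conf /etc/zabbix/zabbix_agentd.conf
write_zabbix_agent_conf /etc/zabbix_agentd.conf
systemctl enable zabbix-agent && systemctl restart zabbix-agent
# Agent<->server traffic is cleartext unless TLSAccept/TLSConnect (PSK or
# certificate) are configured on both ends. The port is opened to the whole
# public zone; a rich rule limited to the server's address would be tighter.
firewall-cmd --zone=public --add-port="${ZBX_PORT}/tcp" --permanent
firewall-cmd --zone=public --add-port="${ZBX_PORT}/tcp"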


设置账户策略
# Password ageing defaults for accounts created from now on (existing
# accounts need chage(1)): expire after 90 days, may be changed immediately,
# warn 7 days before expiry.
sed -i \
  -e 's/^PASS_MAX_DAYS.*$/PASS_MAX_DAYS   90/g' \
  -e 's/^PASS_MIN_DAYS.*$/PASS_MIN_DAYS   0/g' \
  -e 's/^PASS_WARN_AGE.*$/PASS_WARN_AGE   7/g' \
  /etc/login.defs


or

# Alternative to the sed edits above: write a complete login.defs.
# NOTE(review): this discards every other setting shipped by shadow-utils, so
# the sed approach is the safer choice on a stock install. Values apply only to
# accounts created afterwards. ENCRYPT_METHOD SHA512 is the guide's choice;
# EL9 defaults to yescrypt — confirm before pinning SHA512. PASS_MIN_DAYS 0
# lets a user cycle passwords back-to-back (CIS recommends at least 1).
tee /etc/login.defs >/dev/null <<'EOF'
MAIL_DIR        /var/spool/mail
UMASK           022
HOME_MODE       0700
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               201
SYS_UID_MAX               999
SUB_UID_MIN                100000
SUB_UID_MAX             600100000
SUB_UID_COUNT               65536
GID_MIN                  1000
GID_MAX                 60000
SYS_GID_MIN               201
SYS_GID_MAX               999
SUB_GID_MIN                100000
SUB_GID_MAX             600100000
SUB_GID_COUNT               65536
ENCRYPT_METHOD SHA512
USERGROUPS_ENAB yes
CREATE_HOME     yes
HMAC_CRYPTO_ALGO SHA512
EOF


设置密码策略
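# Password quality and lockout policy.
#   Quality: at least 12 characters with one lower-case, one upper-case, one
#            digit and one symbol (a negative *credit value is a minimum count).
#   Lockout: 3 failed attempts lock the account for 60 seconds.
#
# The original edited /etc/pam.d/system-auth in place (with a stray "$2"
# argument in the sed command). On EL9 that file is generated by authselect
# and rewritten on the next `authselect select`/`apply-changes`, and sshd
# password logins go through /etc/pam.d/password-auth, which it never touched.
# It also appended `auth required pam_tally.so`; pam_tally is not shipped on
# EL9 (check /usr/lib64/security/pam_tally*), and a required module that
# cannot be loaded fails every password login. The supported route is
# pwquality.conf + faillock.conf + the authselect with-faillock feature, which
# wires pam_faillock into both PAM files.

# Set "key = value" in a key/value config file: replace an existing assignment
# (commented out or not) in place, otherwise append it. Keys are plain
# identifiers, so they are safe to use inside the regex.
set_kv() {
  local file=$1 key=$2 value=$3
  if grep -Eq "^#? *${key} *=" -- "$file" 2>/dev/null; then
    sed -i -E "s/^#? *${key} *=.*/${key} = ${value}/" -- "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

for kv in "minlen 12" "dcredit -1" "ucredit -1" "lcredit -1" "ocredit -1" "retry 3"; do
  set_kv /etc/security/pwquality.conf ${kv}
done
set_kv /etc/security/faillock.conf deny 3
set_kv /etc/security/faillock.conf unlock_time 60

# If `authselect current` reports no configuration, select a profile first
# (e.g. `authselect select sssd with-faillock`). `without-nullok` would
# additionally refuse empty passwords; left as in the original guide.
authselect enable-feature with-faillock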


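# Manual alternative: write /etc/pam.d/system-auth outright.
# NOTE(review): authselect regenerates this file, so run `authselect opt-out`
# first or expect the edit to be lost. sshd password logins use
# /etc/pam.d/password-auth, which this does not cover. The original placed
# pam_tally.so AFTER pam_deny.so (never reached) and pam_tally is not shipped
# on EL9; pam_faillock is its replacement and needs the preauth / authfail /
# account triplet below, in this order around pam_unix. "nullok" permits
# empty passwords and is kept as in the original guide.
cat << 'EOF' > /etc/pam.d/system-auth
#%PAM-1.0
# Hand-written; `authselect opt-out` keeps authselect from overwriting it.
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=60
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_faillock.so authfail deny=3 unlock_time=60
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF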




关闭多余账户
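# Lock the legacy system accounts nothing on this host should log in as.
# The original compared names with `[[ $i =~ $user ]]` against every
# /etc/passwd line not containing "root" — a substring match in the wrong
# direction that could lock a listed name because of an unrelated user.
# Check each candidate for an exact passwd entry instead.
unused_accounts=(adm lp sync shutdown halt news uucp operator games gopher dip pppusers popusers slipusers)
for user in "${unused_accounts[@]}"; do
  # getent returns non-zero for an absent name, so usermod never sees a
  # user that does not exist.
  if getent passwd "$user" >/dev/null; then
    # -L locks the password only; the account's shell is unchanged and any
    # key- or sudo-based access it might have is unaffected.
    usermod -L "$user"
  fi
done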


删除凭据与信任文件（.netrc 保存明文登录口令，.rhosts 是 rlogin/rsh 的免密信任文件）
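# Remove credential and trust files from every home directory:
#   .netrc  - cleartext logins/passwords used by ftp, curl and friends
#   .rhosts - rlogin/rsh host-based trust, a password-less login path
# The original `find / -name X | xargs rm` had no -type f, no NUL delimiting,
# no -r (xargs runs rm with no arguments when nothing matches) and walked
# /proc and /sys. Pruning pseudo-filesystems and using -exec avoids all that.
# NOTE(review): deleting ~/.netrc can break user automation that depends on
# it; `chmod 600` is the gentler option if that is a concern.
find / \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o \
  -type f \( -name .netrc -o -name .rhosts \) -print -exec rm -f -- {} +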


SSH限制IP登陆
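# Restrict SSH to the management subnet.
# NOTE(review): the original wrote sshd rules to /etc/hosts.allow and
# /etc/hosts.deny. Those are TCP-wrappers files, and Rocky 8/9 ship OpenSSH
# without libwrap (tcp_wrappers was dropped in RHEL 8), so sshd never consults
# them and the restriction silently did nothing. Confirm on the host with
# `ldd "$(command -v sshd)" | grep -c wrap` (0 means no libwrap). firewalld,
# which this guide already uses, is where the restriction takes effect.
# LOCKOUT RISK: run this only from an address inside SSH_ALLOW_NET. If sshd
# listens on a non-default port that was opened with --add-port, remove that
# port from the zone as well.
SSH_ALLOW_NET=${SSH_ALLOW_NET:-192.168.4.0/24}
SSH_PORT=${SSH_PORT:-22}
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public \
  --add-rich-rule="rule family=\"ipv4\" source address=\"${SSH_ALLOW_NET}\" port port=\"${SSH_PORT}\" protocol=\"tcp\" accept"
firewall-cmd --reload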


禁用不必要服务
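# Ctrl+Alt+Del: ctrl-alt-del.target is an alias of reboot.target, so
# "disable"/"stop" do not neutralise it; masking is what prevents the key
# combination from rebooting the host.
systemctl mask ctrl-alt-del.target
systemctl daemon-reload
# NetworkManager-dispatcher runs the hooks in /etc/NetworkManager/dispatcher.d
# on link changes. NOTE(review): some packages ship hooks that depend on it
# (chrony's 20-chrony-* scripts, for example) — confirm nothing on this host
# needs them before disabling; it is D-Bus activated, so it may also come back
# on demand.
systemctl disable NetworkManager-dispatcher
systemctl stop NetworkManager-dispatcher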
