7 CentOS 6.3 x86_64 Linux system optimization settings (2)
Changing the remote-login configuration of the ssh service
Windows default remote port and administrator accounts:
3389 administrator/guest
Linux default remote-login port and superuser:
22 root
[root@crmn ~]# vim /etc/ssh/sshd_config //lines starting with # show the built-in defaults
Port 52113 //added; everyone knows ssh listens on 22 by default, so change it (this cuts down on automated scanning, not on a targeted attacker who port-scans)
PermitRootLogin no //do not let root log in over ssh; every attacker knows the root account exists, so deny it remote login and make people log in as themselves first
UseDNS no //do not reverse-resolve client addresses (faster logins, no dependence on DNS)
PermitEmptyPasswords no //refuse accounts that have an empty password
[root@crmn ssh]# vimdiff sshd_config sshd_config_bak //check the edits against the backup copy
[root@crmn ~]# /etc/init.d/sshd reload //equivalent to service sshd reload; reload re-reads the config and keeps existing sessions, unlike restart
Reloading sshd: [ OK ]
[root@crmn ~]# /etc/init.d/iptables stop //stop the firewall: a lab shortcut only. On a real server keep the firewall and allow the new port instead (iptables -I INPUT -p tcp --dport 52113 -j ACCEPT, then service iptables save)
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
Exit the terminal and reconnect; the connection fails:
The remote system refused the connection.
Change the client's port to 52113 and the reconnection succeeds. Always test a new connection on the new port before closing the session you edited the file from, so a typo cannot lock you out.
[oldboy@crmn ~]$ whoami
oldboy
//Check network state: -l listening sockets; -n numeric addresses and ports; -t TCP; -u UDP; -p owning process; -a all sockets
[root@crmn ~]# netstat -an|grep 192.168.0.104 //established TCP connections survive the reload, so the original SecureCRT session on port 22 is still connected
tcp 0 52 192.168.0.104:22 192.168.0.103:1236 ESTABLISHED
tcp 0 0 192.168.0.104:52113 192.168.0.103:2183 ESTABLISHED
[root@crmn ~]# netstat -an|grep 192.168.0.103
tcp 0 52 192.168.0.104:22 192.168.0.103:1236 ESTABLISHED
tcp 0 0 192.168.0.104:52113 192.168.0.103:2183 ESTABLISHED
[oldboy@crmn ~]$ whoami
oldboy
[oldboy@crmn ~]$ netstat -an|grep 192.168.0.103
tcp 0 0 192.168.0.104:22 192.168.0.103:1236 ESTABLISHED
tcp 0 0 192.168.0.104:52113 192.168.0.103:2183 ESTABLISHED
[oldboy@crmn ~]$ netstat -an|grep 192.168.0.103 //after the root session on port 22 is disconnected, only the new-port session remains
tcp 0 52 192.168.0.104:52113 192.168.0.103:2183 ESTABLISHED
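The sshd_config edit and the firewall step above, done as a re-runnable script. This is an added example and not code from the original notes: it sets or appends each option in whatever file it is given (so it can be run twice without producing duplicate lines), verifies the result, and for the live host opens the new port in iptables instead of stopping the firewall. The port and paths are the ones used in the notes; the backup file name, the sample config in the test, and the assumption that the file has no uncommented Match blocks (true for a stock CentOS 6 file) are this example's own.

```bash
#!/bin/bash
# Added example (not from the original notes): harden sshd_config safely.
# Assumes bash, GNU sed and awk, and a sshd_config without Match blocks.

# set_sshd_option FILE KEY VALUE: replace an existing "KEY ..." line, even if
# it is commented out, or append one if the key is absent. Re-runnable.
set_sshd_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE [PORT]: the four settings from the notes.
harden_sshd_config() {
    local file="$1" port="${2:-52113}"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PermitEmptyPasswords no
    set_sshd_option "$file" UseDNS no
}

# get_sshd_option FILE KEY: the effective value (first uncommented line wins,
# which is how sshd itself reads the file).
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_sshd_config FILE PORT: succeed only if every setting is as intended.
check_sshd_config() {
    local file="$1" port="$2"
    [ "$(get_sshd_option "$file" Port)" = "$port" ] &&
    [ "$(get_sshd_option "$file" PermitRootLogin)" = no ] &&
    [ "$(get_sshd_option "$file" PermitEmptyPasswords)" = no ] &&
    [ "$(get_sshd_option "$file" UseDNS)" = no ]
}

# apply_live PORT: the part that needs root on the real host. Not run here.
apply_live() {
    local port="$1"
    cp -a /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%F)"
    harden_sshd_config /etc/ssh/sshd_config "$port"
    # Syntax-check before reloading; a broken file would leave no way back in.
    sshd -t || { echo "sshd_config failed the syntax check; restore the backup" >&2; return 1; }
    # Allow the new port rather than stopping the whole firewall.
    iptables -I INPUT -p tcp --dport "$port" -j ACCEPT
    service iptables save
    service sshd reload
    echo "keep this session open and test a NEW login on port $port first"
}
# On the host, as root: apply_live 52113
```

Run `check_sshd_config /etc/ssh/sshd_config 52113` from the second session before you close the first one; it fails if any of the four settings is still at its default.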
//Linux privilege control is strict and fine-grained, which is what makes it possible to hand out work without handing out root.
[oldboy@crmn ~]$ su - root //insecure: every admin who needs this has to know the root password, and nothing records what each of them did as root
Password:
[root@crmn ~]# whoami
root
[root@crmn ~]# visudo //edits /etc/sudoers with locking and a syntax check; never edit the file with cat or vim directly, a syntax error can lock every sudo user out
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
//Change it to:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
oldboy ALL=(ALL) /usr/sbin/useradd //grant oldboy exactly one privileged command
[root@crmn ~]# passwd oldboy //as root, set oldboy's password
Changing password for user oldboy.
New password: //111111
BAD PASSWORD: it does not contain enough DIFFERENT characters
BAD PASSWORD: is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully. //root can override the warnings, a normal user cannot. 111111 is a lab password only: sudo authenticates with the user's own password, so a weak one gives away whatever sudo rights that user has
[oldboy@crmn ~]$ whoami
oldboy
[oldboy@crmn ~]$ passwd oldboy
passwd: Only root can specify a user name.
[oldboy@crmn ~]$ useradd kkk //the sudoers rule exists, but the command was not run through sudo, so it fails (the Permission denied comes from the file mode of /usr/sbin/useradd, which ordinary users cannot execute, not from sudo)
-bash: /usr/sbin/useradd: Permission denied
[oldboy@crmn ~]$ sudo useradd kkk //the authorization only applies when the task is run through sudo
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for oldboy: //111111 (oldboy's own password, not root's)
[oldboy@crmn ~]$ tail -1 /etc/passwd
kkk:x:501:501::/home/kkk:/bin/bash
[oldboy@crmn ~]$ whoami
oldboy
[oldboy@crmn ~]$ su -
Password:
[root@crmn ~]# whoami
root
[root@crmn ~]# su - oldboy
[oldboy@crmn ~]$ whoami
oldboy
//Now change it to this:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
oldboy ALL=(ALL) NOPASSWD:ALL
[oldboy@crmn ~]$ whoami
oldboy
[oldboy@crmn ~]$ su -
Password: //this route no longer works: oldboy does not have the root password
[oldboy@crmn ~]$ sudo su - //would normally ask for oldboy's password; with NOPASSWD it asks for nothing
[root@crmn ~]# whoami
root
//The aim of sudo privilege management: let junior staff get their work done without threatening system security. Note that ALL=(ALL) NOPASSWD:ALL is the same as giving out root: only the "exactly these commands" form of the earlier rule limits anyone. What sudo still gives you even then is a record: every invocation is logged to /var/log/secure with the user and the command.
[oldboy@crmn ~]$ sudo -l //show what the current user may run
Matching Defaults entries for oldboy on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User oldboy may run the following commands on this host:
(ALL) NOPASSWD: ALL //unrestricted, as configured above
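A small audit of the two sudoers rules above, as an added example that is not part of the original notes: it reads a sudoers-format file and flags the rules that amount to giving away root, so the difference between the useradd-only rule and NOPASSWD:ALL can be checked mechanically rather than by eye. The sample file in the test is constructed; the severity labels and the list of commands that can spawn a shell are this example's own choices.

```bash
#!/bin/bash
# Added example (not from the original notes): flag sudoers rules that hand
# out root. Takes a sudoers-format file as its argument. The severity labels
# and the shell-spawning command list are this example's own choices.

# trim STRING: strip leading and trailing whitespace.
trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# audit_sudoers FILE: print one finding per risky rule; return 1 if any found.
audit_sudoers() {
    local file="$1" rc=0 line user spec cmds cmd rest
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                       # drop comments
        case "$line" in
            *[![:space:]]*) ;;                   # has content, keep going
            *) continue ;;                       # blank or comment-only
        esac
        case "$line" in                          # not user rules
            Defaults*|User_Alias*|Cmnd_Alias*|Host_Alias*|Runas_Alias*) continue ;;
        esac
        user="${line%%[[:space:]]*}"             # "oldboy" or "%wheel"
        [ "$user" = root ] && continue           # root's own entry is expected
        spec="${line#*=}"                        # "(ALL) NOPASSWD: /usr/sbin/useradd"
        cmds="${spec##*\)}"                      # drop the (runas) part, if any
        cmds=$(printf '%s' "$cmds" | sed 's/NOPASSWD://g; s/PASSWD://g')   # tags are not commands
        if [ "$(trim "$cmds")" = ALL ]; then
            case "$spec" in
                *NOPASSWD*) echo "CRITICAL $user: root without a password: $line" ;;
                *)          echo "HIGH $user: unrestricted commands: $line" ;;
            esac
            rc=1
            continue
        fi
        # Restricted rule: still check each command for a built-in shell escape.
        rest="$cmds,"
        while [ -n "$rest" ]; do
            cmd=$(trim "${rest%%,*}"); rest="${rest#*,}"
            cmd="${cmd%% *}"                     # path only, ignore arguments
            case "${cmd##*/}" in
                su|sh|bash|dash|ksh|zsh|vi|vim|less|more|find|python|perl|env)
                    echo "MEDIUM $user: ${cmd##*/} can spawn a shell: $line"; rc=1 ;;
            esac
        done
    done < "$file"
    return "$rc"
}
# On the host: audit_sudoers /etc/sudoers
```

The useradd-only rule produces no finding; the NOPASSWD:ALL rule is reported as CRITICAL. The MEDIUM class matters in practice: a rule limited to vim or su is as good as ALL, because both drop to a root shell with one keystroke.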
[root@crmn ~]# cat /oldboy/oldboy
echo 123
[root@crmn ~]# chmod +x /oldboy/oldboy
[root@crmn ~]# /oldboy/oldboy
123
[root@crmn ~]# oldboy
-bash: oldboy: command not found
[root@crmn ~]# PATH=$PATH:/oldboy/ //environment-variable example: the shell only searches the directories listed in PATH
[root@crmn ~]# oldboy
123
[root@crmn ~]# echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/oldboy/
//Lost when the shell exits; to make it permanent:
[root@crmn ~]# echo 'PATH=$PATH:/oldboy/' >> /etc/profile
[root@crmn ~]# source /etc/profile
[root@crmn ~]# tail -1 /etc/profile
PATH=$PATH:/oldboy/
//Only add directories that are owned by root and not writable by other users: anyone who can drop a file into a PATH directory can plant a command that root will run by name. Appending rather than prepending means the system binaries still win on a name clash. Under sudo the env_reset and secure_path Defaults shown by sudo -l above replace PATH entirely, so /oldboy/ is not searched there.
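A check for the PATH hygiene points just made, as an added example that is not part of the original notes: it walks a PATH value and reports the entries that let another user plant a command (empty or relative entries and world-writable directories), and it extracts secure_path from the text of sudo -l so the PATH sudo really uses can be compared with the shell's. The test directories and the sudo -l fragment used in the test are constructed; the wording of the findings is this example's own.

```bash
#!/bin/bash
# Added example (not from the original notes): audit a PATH value and show the
# PATH sudo substitutes for it. Assumes GNU find; findings wording is my own.

# check_path [PATH]: one line per problem; return 1 if any entry is unsafe.
check_path() {
    local rest="${1:-$PATH}:" dir rc=0      # trailing ":" makes splitting uniform
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"; rest="${rest#*:}"
        case "$dir" in
            '')  echo "BAD: empty entry (searches the current directory)"; rc=1; continue ;;
            /*)  ;;
            *)   echo "BAD: relative entry '$dir'"; rc=1; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "WARN: '$dir' does not exist"; continue
        fi
        # World-writable directory: anyone can drop a file named like a command.
        if [ -n "$(find "$dir" -maxdepth 0 -perm -o+w)" ]; then
            echo "BAD: '$dir' is world-writable"; rc=1
        fi
    done
    return "$rc"
}

# sudo_secure_path TEXT: pull secure_path out of "sudo -l" output, where the
# colons are printed escaped as "\:", and print it as a normal PATH.
sudo_secure_path() {
    printf '%s\n' "$1" | sed -n 's/.*secure_path=\([^ ,]*\).*/\1/p' | sed 's/\\:/:/g' | head -n 1
}
# On the host: check_path; sudo_secure_path "$(sudo -l)"
```

Run `check_path` after appending a directory as the notes do; `sudo_secure_path "$(sudo -l)"` shows that the appended directory is absent from what sudo searches, which is why a sudo command name cannot be hijacked through a user's PATH.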
[oldboy@crmn ~]$ netstat -lntup|grep ssh
(No info could be read for "-p": geteuid()=500 but you should be root.)
[oldboy@crmn ~]$ sudo netstat -lntup|grep ssh //-p needs root to map sockets to processes
tcp 0 0 0.0.0.0:52113 0.0.0.0:* LISTEN 32112/sshd
tcp 0 0 :::52113 :::* LISTEN 32112/sshd
[root@crmn ~]# lsof -i //list every open network socket (interrupted with Ctrl-C here)
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
master 1410 root 12u IPv4 13150 0t0 TCP localhost:smtp (LISTEN)
master 1410 root 13u IPv6 13152 0t0 TCP localhost:smtp (LISTEN)
sshd 32112 root 3u IPv4 50862 0t0 TCP *:52113 (LISTEN)
sshd 32112 root 4u IPv6 50864 0t0 TCP *:52113 (LISTEN)
^C
[root@crmn ~]# lsof -i :52113 //who is using port 52113 (add -nP to skip the DNS and service-name lookups that print cgn-config and the like instead of port numbers)
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 32112 root 3u IPv4 50862 0t0 TCP *:52113 (LISTEN)
sshd 32112 root 4u IPv6 50864 0t0 TCP *:52113 (LISTEN)
sshd 32178 root 3r IPv4 50916 0t0 TCP 192.168.0.104:52113->192.168.0.103:cgn-config (ESTABLISHED)
sshd 32182 oldboy 3u IPv4 50916 0t0 TCP 192.168.0.104:52113->192.168.0.103:cgn-config (ESTABLISHED)
sshd 32295 root 3r IPv4 51600 0t0 TCP 192.168.0.104:52113->192.168.0.103:hdl-srv (ESTABLISHED)
sshd 32299 oldboy 3u IPv4 51600 0t0 TCP 192.168.0.104:52113->192.168.0.103:hdl-srv (ESTABLISHED)
sshd 32412 root 3r IPv4 52214 0t0 TCP 192.168.0.104:52113->192.168.0.103:pwrsevent (ESTABLISHED)
sshd 32417 oldboy 3u IPv4 52214 0t0 TCP 192.168.0.104:52113->192.168.0.103:pwrsevent (ESTABLISHED)
//Each login shows up as a pair of sshd processes on the same socket: one owned by root and one running as the logged-in user. That is sshd's privilege separation: the process that handles the user's session runs unprivileged, and only the small root-owned monitor keeps root. The "master" process on localhost:smtp is Postfix, listening on the loopback address only, so it is not reachable from the network.
//Changing the display to Chinese
Character set: a set of written symbols together with their encoding.
Common character sets:
GBK: one byte for ASCII and two bytes for Chinese characters; not an international standard, but supported by many systems.
UTF-8: variable length, 1 to 4 bytes per character; universally supported, and the usual choice for MySQL as well.
[root@crmn ~]# cat /etc/sysconfig/i18n
LANG="en_US.UTF-8" //English locale
SYSFONT="latarcyrheb-sun16"
[root@crmn ~]# cat /etc/sysconfig/i18n //after editing
#LANG="en_US.UTF-8"
LANG="zh_CN.GB18030" //Chinese locale
SYSFONT="latarcyrheb-sun16"
[root@crmn ~]# echo $LANG
en_US.UTF-8
[root@crmn ~]# source /etc/sysconfig/i18n
[root@crmn ~]# echo $LANG //now in effect
zh_CN.GB18030
//The terminal emulator must be set to the same encoding as LANG, otherwise Chinese messages come out as garbage (the cat error in the clientmqueue step below is an example). If the client terminal is already UTF-8, zh_CN.UTF-8 gives Chinese messages without that problem.
//Server time synchronization
Windows time sync:
Linux time sync: via the ntp service
[root@crmn ~]# which ntpdate
/usr/sbin/ntpdate
[root@crmn ~]# date
2017 [...] 15:45:49 CST //the Chinese month, day and weekday fields are missing from the transcript
[root@crmn ~]# /usr/sbin/ntpdate time.nist.gov //one-off sync against an internet time server
25 Nov 11:46:02 ntpdate[32711]: no server suitable for synchronization found //it failed: the server did not answer (unreachable, or UDP port 123 blocked on the way out). Get a manual sync working before scheduling the same command.
[root@crmn ~]# crontab -l
no crontab for root
[root@crmn ~]# echo '#time sync by oldboy at 2017-11-29' >> /var/spool/cron/root //root's crontab file; crontab -e is the safer way to edit it, because it checks the syntax before saving
[root@crmn ~]# echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov > /dev/null 2>&1' >> /var/spool/cron/root
//Sync the clock from the internet every 5 minutes. Redirecting the output matters: otherwise cron mails every run to root. ntpdate steps the clock; on a server whose time must never jump (databases, Kerberos, log correlation) run ntpd instead, which slews it gradually.
[root@crmn ~]# crontab -l
#time sync by oldboy at 2017-11-29
*/5 * * * * /usr/sbin/ntpdate time.nist.gov > /dev/null 2>&1
//Homework: how do you configure an NTP server?
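The cron setup above, with the two problems the transcript shows fixed: the job is only scheduled against a server that actually answered a query, and the lines are added through crontab(1) without being duplicated on a second run. This is an added example and not code from the original notes; the job line and comment are the notes', the server list and helper names are this example's own. ntpdate's -q option queries without setting the clock, so the probe is harmless.

```bash
#!/bin/bash
# Added example (not from the original notes): schedule the ntpdate cron job
# only against a server that answers, and keep the crontab free of duplicates.

# ntp_reachable SERVER: query only (-q sets nothing), one sample, 2 s timeout.
ntp_reachable() {
    /usr/sbin/ntpdate -q -p 1 -t 2 "$1" >/dev/null 2>&1
}

# pick_ntp_server SERVER...: print the first server that answers, else fail.
pick_ntp_server() {
    local s
    for s in "$@"; do
        if ntp_reachable "$s"; then printf '%s\n' "$s"; return 0; fi
    done
    return 1
}

# cron_add_once FILE LINE: append LINE unless an identical line is already there.
cron_add_once() {
    local file="$1" line="$2"
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# cron_sync_line SERVER: the job line from the notes, parameterised on the server.
cron_sync_line() {
    printf '*/5 * * * * /usr/sbin/ntpdate %s > /dev/null 2>&1\n' "$1"
}

# schedule_time_sync SERVER...: install the job through crontab(1), which
# validates the file, instead of appending to /var/spool/cron/root by hand.
schedule_time_sync() {
    local server tmp
    server=$(pick_ntp_server "$@") || { echo "no NTP server reachable; not scheduling" >&2; return 1; }
    tmp=$(mktemp)
    crontab -l > "$tmp" 2>/dev/null || true      # keep any existing entries
    cron_add_once "$tmp" "#time sync by oldboy"
    cron_add_once "$tmp" "$(cron_sync_line "$server")"
    crontab "$tmp" && rm -f "$tmp"
}
# On the host, as root: schedule_time_sync time.nist.gov pool.ntp.org
```

Running schedule_time_sync twice leaves exactly one job line, and a host that cannot reach any of the servers gets no job at all rather than a silent one that fails every five minutes.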
//Raising the server's file-descriptor limit
[root@crmn ~]# ulimit -n
1024
[root@crmn ~]# ulimit -HSn 65535 //raise the hard and soft limits for this shell only; gone once you log out
[root@crmn ~]# ulimit -n
65535
[root@crmn ~]# logout
[oldboy@crmn ~]$ su - root
Password:
[root@crmn ~]# ulimit -n
1024
[root@crmn ~]# echo '* - nofile 65535' >> /etc/security/limits.conf //permanent: "*" every user, "-" both hard and soft limit, nofile = open files
[root@crmn ~]# tail -1 /etc/security/limits.conf
* - nofile 65535
[root@crmn ~]# source /etc/security/limits.conf //source does not work here: the file is not shell syntax, so bash expanded the "*" to the files in the current directory and tried to run anaconda-ks.cfg as a command
-bash: anaconda-ks.cfg: command not found
[root@crmn ~]# logout
[oldboy@crmn ~]$ logout
Last login: Sat Nov 25 11:26:32 2017 from 192.168.0.103
[oldboy@crmn ~]$ su - root
[root@crmn ~]# ulimit -n
65535 //limits.conf is applied by pam_limits at login, so a fresh login session is needed. Check limits.conf(5) on your version: the "*" wildcard may be documented as not applying to root itself, in which case the value seen here is inherited from oldboy's new ssh session; add an explicit "root - nofile 65535" line if root needs it directly. Daemons that are already running keep their old limit until they are restarted.
//Tuning kernel parameters
[root@crmn ~]# cat /etc/sysctl.conf
[root@crmn ~]# sysctl -p //load the file after editing it. Note that each kind of config file takes effect differently: sysctl -p here, a new login for limits.conf, reload for sshd.
//Periodically clean junk files out of the clientmqueue directory so they cannot fill the disk
[root@crmn ~]# cat /var/spool/clientmqueue/sendmail //absent by default
cat: /var/spool/clientmqueue/sendmail: ûĿ¼ //the Chinese "No such file or directory" message, garbled because the terminal is not set to the GB18030 locale chosen above
[root@crmn ~]# ls /var/spool/clientmqueue/sendmail
ls: cannot access /var/spool/clientmqueue/sendmail: No such file or directory
[root@crmn ~]# ls /var/spool/clientmqueue/
ls: cannot access /var/spool/clientmqueue/: No such file or directory
//The directory does not exist because this system runs Postfix rather than sendmail (the "master" process on localhost:smtp in the lsof output above); /var/spool/clientmqueue is where sendmail piles up mail it cannot deliver. The usual source of that mail on either MTA is cron job output addressed to root, so redirecting job output (as the ntpdate job above does) prevents the problem rather than cleaning up after it.
[root@crmn ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 9.2G 1.5G 7.3G 18% /
tmpfs 491M 0 491M 0% /dev/shm
/dev/sda1 194M 28M 157M 15% /boot
[root@crmn ~]# df -ih //a filesystem that is out of inodes while df -h still shows free space is the classic sign of a queue directory full of tiny files
Filesystem Inodes IUsed IFree IUse% Mounted on
/dev/sda3 597K 54K 543K 9% /
tmpfs 123K 1 123K 1% /dev/shm
/dev/sda1 50K 38 50K 1% /boot
//Hide the system version; most vulnerabilities are tied to a particular version
[root@crmn ~]# cat /etc/issue
CentOS release 6.3 (Final)
Kernel \r on an \m
[root@crmn ~]# >/etc/issue //empty the file
[root@crmn ~]# cat /etc/issue
[root@crmn ~]# cat /dev/null >/etc/issue //another way to empty it
[root@crmn ~]# cat /etc/issue
[root@crmn ~]#
//This only removes the banner shown on the local console before login. /etc/issue.net is the ssh equivalent, and sshd only shows it when Banner is set in sshd_config; the ssh version string is still sent in the protocol handshake, and any logged-in user can read /etc/redhat-release. Treat it as removing noise, not as a real barrier.
//Lock critical system files
[root@crmn ~]# chattr +i /etc/passwd /etc/shadow /etc/group /etc/inittab //set the immutable attribute
[root@crmn ~]# cp /etc/passwd /opt/
[root@crmn ~]# rm -rf /etc/passwd
rm: cannot remove `/etc/passwd': Operation not permitted //the point of locking: even root cannot casually delete or change the file. Remember to unlock before useradd or passwd, which need to rewrite these files.
[root@crmn ~]# chattr -i /etc/passwd /etc/shadow /etc/group /etc/inittab //unlock
[root@crmn ~]# which chattr
/usr/bin/chattr
[root@crmn ~]# mv /usr/bin/chattr /usr/bin/myattr //disguise the lock so an intruder does not find the tool straight away
[root@crmn ~]# chattr -i /etc/passwd /etc/shadow /etc/group /etc/inittab
-bash: /usr/bin/chattr: No such file or directory
[root@crmn ~]#
[root@crmn ~]# myattr -i /etc/passwd /etc/shadow /etc/group /etc/inittab //unlock with the renamed binary
[root@crmn ~]# mv /usr/bin/myattr /usr/bin/chattr //put it back
//All security is relative; there is no absolute security, but every extra hurdle helps. Renaming chattr is obscurity only: an attacker who already has root can upload their own copy or call the ioctl directly, lsattr still shows the i flag, and the next e2fsprogs update puts /usr/bin/chattr back. Root cannot be kept out of a file it owns; what the attribute does stop is scripted tampering and accidental overwrites.
[root@crmn ~]# chattr +i /etc/passwd
[root@crmn ~]# lsattr /etc/passwd //check whether the file is locked: look for the i flag
----i--------e- /etc/passwd
[root@crmn ~]# chattr -i /etc/passwd
[root@crmn ~]# lsattr /etc/passwd
-------------e- /etc/passwd
Further reading:
http://blog.51cto.com/oldboy/988726
//CentOS (5.8/6.4) Linux production-environment optimization in practice
http://blog.51cto.com/oldboy/1336488
//Linux kernel parameters annotated and tuned
http://blog.51cto.com/yangrong/1321594