1.系统最小化安装

系统采用 ISO 最小化(minimal)安装;安装前先校验 ISO 的 SHA256 / GPG 签名,避免使用被篡改的安装介质。

2.关闭不必要的服务

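# Stop and disable services a minimal server does not need.
#
# NOTE(review): on a CentOS 7 minimal install NetworkManager is what brings
# the interfaces up.  Disable it only after confirming the legacy
# network.service is enabled and /etc/sysconfig/network-scripts/ifcfg-* is
# correct; otherwise the host can come back from the next reboot with no
# network at all.  The check below only warns, it does not fix this for you.
systemctl is-enabled network >/dev/null 2>&1 \
  || echo 'WARNING: network.service is not enabled; enable it (or keep NetworkManager) before continuing' >&2

for svc in NetworkManager postfix rpcbind; do
  systemctl stop "$svc"
  systemctl disable "$svc"
done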

3.配置防火墙

# Turn off firewalld: the next step installs iptables-services, and the two
# must not manage the ruleset at the same time.
systemctl status firewalld
# `disable --now` is stop + disable in one call.
systemctl disable --now firewalld

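# Configure iptables (iptables-services) with an SSH source whitelist.
yum install iptables-services -y

# Two problems with the rule the original guide added by hand:
#  1. It was written with an en-dash (`–dport`) and a typo (`ACCPET`).
#     iptables-restore rejects the whole file on the first bad token, so the
#     service fails to start and the host is left with NO rules at all.
#  2. The stock /etc/sysconfig/iptables shipped by iptables-services already
#     contains an unrestricted SSH rule:
#       -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#     Appending a whitelist rule below it changes nothing; that rule has to
#     be replaced.
ssh_allowed_net='192.168.1.0/24'   # adjust to the networks allowed to reach SSH

sed -i "s#^-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\$#-A INPUT -s ${ssh_allowed_net} -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT#" /etc/sysconfig/iptables

# Confirm only the whitelisted rule remains for port 22 before loading.
grep -n -- '--dport 22' /etc/sysconfig/iptables

systemctl enable iptables.service
systemctl start iptables.service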

4. 关闭selinux

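# Disable SELinux (as the original guide does).
#
# WARNING(review): this removes a mandatory-access-control layer from a host
# that is supposed to be hardened.  Prefer SELINUX=permissive while
# troubleshooting and keep enforcing in production.  If you keep SELinux
# enforcing, the non-default SSH port chosen in step 5 must be labelled first:
#   semanage port -a -t ssh_port_t -p tcp 10022
#
# The original lines used curly quotes (‘ ’), which the shell does not treat
# as quoting, so the sed expression was word-split and did not apply.
sed -i 's#^SELINUX=enforcing#SELINUX=disabled#' /etc/selinux/config
setenforce 0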

5.修改SSH端口

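# Move SSH to a non-default port and tighten sshd_config.
#
# Order matters: open the new port in the firewall and RELOAD the firewall
# before restarting sshd.  The original restarted sshd first and then only
# edited /etc/sysconfig/iptables without reloading it, so the new port stayed
# closed (until the next reboot) and the current session was the last one.
# The original rule also carried no `-s`, which opened the new port to every
# source and silently undid the step-3 whitelist.  The curly quotes (‘ ’) in
# the original sed commands were not shell quotes, so those edits never applied.
ssh_port=10022                       # pick your own
ssh_allowed_net='192.168.1.0/24'     # same whitelist as step 3

sed -i "s/^#\?Port 22\$/Port ${ssh_port}/" /etc/ssh/sshd_config
sed -i 's/^#\?PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config   # refuse empty-password logins
sed -i 's/^GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/^#\?UseDNS yes/UseDNS no/' /etc/ssh/sshd_config                               # no reverse-DNS wait on login
# NOTE(review): once a non-root admin user with SSH keys exists, also set
# `PermitRootLogin no` and `PasswordAuthentication no`.

# Whitelisted rule for the new port, inserted before COMMIT, then applied now.
sed -i "/^COMMIT/i -A INPUT -s ${ssh_allowed_net} -m state --state NEW -m tcp -p tcp --dport ${ssh_port} -j ACCEPT" /etc/sysconfig/iptables
systemctl restart iptables.service

# Validate the config before restarting, and test a NEW connection on the new
# port before closing the session you are in.
sshd -t && systemctl restart sshd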

6.配置YUM源

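# Switch to the Aliyun mirrors.
#
# Fetch the repo files over HTTPS.  Over plain http an on-path attacker can
# rewrite baseurl/gpgkey and every later `yum install` then pulls from a
# server of their choosing.  Absolute paths are used so nothing depends on
# the `cd` having succeeded.
mkdir -p /etc/yum.repos.d/backup
mv -- /etc/yum.repos.d/*.repo /etc/yum.repos.d/backup/
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
# Make sure package signature checking stayed on in the downloaded files.
grep -H '^gpgcheck' /etc/yum.repos.d/*.repo
yum clean all
yum makecache

# Common tools.
# NOTE(review): gcc/gcc-c++ and telnet are not needed on a hardened
# production host and give an intruder a compiler and a clear-text client;
# build on a separate box and drop them from this list where possible.
yum install lrzsz wget vim net-tools gcc gcc-c++ curl telnet unzip -y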

7.时间同步

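# Time synchronisation.
#
# CentOS 7 ships chronyd; it is the better choice over an ntpdate cron job
# (`yum install chrony -y && systemctl enable --now chronyd`), and the two
# must not run together.  If you keep the ntpdate approach, the original had
# three defects: `2 >&1` was split by a space, so "2" was passed to ntpdate as
# an extra host and stderr was never silenced; two overlapping jobs polled two
# different public servers; and appending straight to /var/spool/cron/root
# bypasses crontab's syntax validation.  NTP over UDP is unauthenticated --
# use an internal time source where one exists.
yum install ntpdate -y
ntp_server='time.windows.com'
ntpdate "$ntp_server"

# Install one cron entry via crontab (validated, correct file permissions);
# the grep drops any previous ntpdate line so this can be re-run safely.
( crontab -l 2>/dev/null | grep -v '/usr/sbin/ntpdate'
  echo "*/5 * * * * /usr/sbin/ntpdate ${ntp_server} >/dev/null 2>&1" ) | crontab -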

8.修改文件描述符

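# Raise open-file and process limits.
#
# One value is used for the live session (ulimit) and for future logins
# (limits.conf); the original set 65535 for one and 655350 for the other.
# The append is guarded so re-running this step does not stack duplicates.
nofile_limit=655350
nproc_limit=65535

ulimit -SHn "$nofile_limit"

grep -q '^\* hard nofile ' /etc/security/limits.conf || cat >> /etc/security/limits.conf <<EOF
* soft nproc ${nproc_limit}
* hard nproc ${nproc_limit}
* soft nofile ${nofile_limit}
* hard nofile ${nofile_limit}
EOF

# NOTE(review): /etc/security/limits.d/*.conf (on CentOS 7 typically
# 20-nproc.conf) is read after this file and can override these entries;
# so would the `* hard nproc 50` suggested in step 13.  Check both.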

9.优化Linux内核参数

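# Kernel parameters.  Appended to /etc/sysctl.conf only once (guarded by the
# grep) so re-running this step does not accumulate duplicate entries.
grep -q '^net.core.somaxconn' /etc/sysctl.conf || cat >> /etc/sysctl.conf <<EOF
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 50000
# ip_forward = 1 makes this host a router.  Keep it only if the box runs
# containers or forwards traffic; on an ordinary server set it to 0.
net.ipv4.ip_forward = 1
# Anti-spoofing / source-route / ICMP-redirect hardening.  The original only
# set `default.*`, which applies to interfaces created later; `all.*` covers
# the interfaces that are already up.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
# tcp_tw_reuse only works when TCP timestamps are on; the original set
# tcp_timestamps = 0, which silently disabled tw_reuse (and PAWS).
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
# tcp_tw_recycle breaks clients behind NAT; keep it off.
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_tw_buckets = 50000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.ip_local_port_range = 1024 65535
# NOTE(review): on the 3.10 kernel swappiness = 0 means "do not swap until
# OOM"; consider a small non-zero value if the host has swap.
vm.swappiness = 0
vm.min_free_kbytes = 524288
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 262144
fs.file-max = 1048576
EOF

# `modprobe` alone does not survive a reboot; the original comment claimed
# auto-load at boot but nothing registered the module.  Only needed for
# bridged container networking -- skip both lines otherwise.
modprobe br_netfilter
echo br_netfilter > /etc/modules-load.d/br_netfilter.conf

sysctl -p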

10.修改root账户密码

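# Set the root password.
#
# The original `echo "$adDF12B" | passwd --stdin root` is broken: inside
# double quotes the shell expands `$adDF12B` as a variable, which is unset,
# so an EMPTY string is piped into passwd.  A password on the command line
# also ends up in shell history and is visible in `ps` while it runs.
# Prompt for it instead and keep it out of argv.
# Policy: at least 8 characters mixing upper/lower case, digits and symbols.
read -r -s -p 'New root password: ' root_pw; echo
printf '%s\n' "$root_pw" | passwd --stdin root
unset root_pw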

11.远程5分钟误操作自动注销

vim /etc/profile

最后添加:

export TMOUT=300   # 5 分钟无操作自动注销(注释必须用 #,原文的“—”会让 export 报错)
readonly TMOUT     # 防止用户自行 unset/改小

找到

HISTSIZE=1000

修改为:

HISTSIZE=100 —— 不建议这样改:HISTSIZE 是保留的命令条数,不是 KB;缩到 100 条会在入侵排查时丢失操作记录。建议保持 1000 或更大,并在同一位置加上 `export HISTTIMEFORMAT='%F %T '` 为每条历史记录加时间戳。

12.禁止 ping:对外部 ping 请求不做任何响应(非必要,看需求;会影响基于 ICMP 的监控探活)

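# Optional: stop answering ICMP echo (ping).
#
# Writing to /proc is lost at reboot.  Use sysctl -w for the live change and
# add `net.ipv4.icmp_echo_ignore_all = 1` to /etc/sysctl.conf (step 9) if it
# must persist.  Note this also blinds ICMP-based monitoring; if only some
# sources should be blocked, an iptables rule with `-s` is the better tool.
sysctl -w net.ipv4.icmp_echo_ignore_all=1   # ignore ping
sysctl -w net.ipv4.icmp_echo_ignore_all=0   # answer ping again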

13.防止DOS攻击(非必要,看需求)

vim /etc/security/limits.conf

加入以下配置:

* hard core 0 —— 禁止生成 core 文件,避免内存转储泄露口令/密钥,建议保留

* hard rss 10000 —— RLIMIT_RSS 在 Linux 2.6 之后的内核上不再生效,此行没有实际作用

* hard nproc 50 —— 注意与第 8 步的 `* hard nproc 65535` 冲突(pam_limits 中后出现的同级规则一般会覆盖前者);50 个进程对绝大多数服务都太少,会导致 fork 失败,请按实际负载调整

以上根据需求而定

14.注释不需要的用户和用户组

vi /etc/passwd 注释不需要的用户,“#”注释,如下(建议:用 `vipw` 而不是 vi 编辑以加锁;更稳妥的做法是 `userdel` 或 `usermod -L -s /sbin/nologin` 锁定账户,而不是手工注释;删除前先用 `find / -user <name>` 确认没有文件属于该账户):

#games:x:12:100:games:/usr/games:/sbin/nologin

#gopher:x:13:30:gopher:/var/gopher:/sbin/nologin

#ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

#adm:x:3:4:adm:/var/adm:/sbin/nologin

#lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

#sync:x:5:0:sync:/sbin:/bin/sync

#shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

#halt:x:7:0:halt:/sbin:/sbin/halt

#uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin

#operator:x:11:0:operator:/root:/sbin/nologin

vi /etc/group 注释不需要的用户组,如下(建议用 `vigr` 或 `groupdel`;注释前先用 `find / -group <name>` 确认没有文件属于该组,否则会出现权限/属组异常):

#adm:x:4:root,adm,daemon

#lp:x:7:daemon,lp

#uucp:x:14:uucp

#games:x:20:

#dip:x:40:

#news:x:9:13:news:/etc/news  (注意:这一行是 /etc/passwd 的 7 字段格式,不是 /etc/group 的 4 字段格式;先用 `getent group news` / `getent passwd news` 确认该账户或组是否存在,再在对应文件中处理)