Linux 系统优化
1、网卡绑定
# Hand the NICs to the legacy network service before bonding them;
# NetworkManager would otherwise keep rewriting the ifcfg-* files edited below.
# NOTE(review): neither call checks its exit status, and the bonding part that
# would replace NetworkManager is still commented out, so as it stands this
# section only removes interface management from the host.
systemctl stop NetworkManager
systemctl disable NetworkManager
# ---- bonding template, left commented out by the author ----
# NOTE(review): defects to fix before enabling it:
#   * bond.conf: the parameter is 'miimon=100' (MII link-check interval, ms);
#     'million=100' is not a bonding option and modprobe rejects it.
#   * mode=0 (round-robin) needs matching switch-side configuration; mode=1
#     (active-backup) works with any switch — confirm with the network owner.
#   * [[ `ifconfig|wc -l` > 1 ]] is a string comparison inside [[ ]], and
#     ifconfig always prints more than one line, so that branch always runs.
#   * inside the for-loop DEVICE is set to $ENS2 in every file; it should be
#     DEVICE=$i so each slave keeps its own name.
#   * '\MASTER=bond0' carries a stray backslash, and a slave ifcfg file also
#     needs SLAVE=yes.
#   * IPADDR/NETMASK/GATEWAY are empty placeholders for the bond address.
#   * backticks and unquoted $ENS2 / $i — quote them and use $( ) if revived.
# modprobe --first-time bonding
# lsmod |grep bonding
# cat <<EOF> /etc/sysconfig/network-scripts/ifcfg-bond0
# DEVICE=bond0
# TYPE=Bond
# IPADDR=
# NETMASK=
# GATEWAY=
# USERCTL=no
# BOOTPROTO=none
# ONBOOT=yes
# BONDING_MASTER=yes
# EOF
# cat <<EOF> /etc/modprobe.d/bond.conf
# alias bond0 bonding
# options bond0 million=100 mode=0
# EOF
# if [[ `ifconfig|wc -l` > 1 ]];then
# ENS2=`ifconfig |grep ens|grep -v 'ens33'|awk -F: '{print $1}'`
# if [ -f /etc/sysconfig/network-scripts/ifcfg-$ENS2 ];then
# echo "is $ENS2"
# ## two NICs present: turn every ifcfg-ens* file into a slave
# ENS=`ifconfig |grep ens|awk -F: '{print $1}'`
# for i in $ENS
# do
# sed -i "s/DEVICE.*/DEVICE=$ENS2/g" /etc/sysconfig/network-scripts/ifcfg-$i
# sed -i 's/BOOT.*/BOOTPROTO=none/g' /etc/sysconfig/network-scripts/ifcfg-$i
# sed -i '/UUID.*/d' /etc/sysconfig/network-scripts/ifcfg-$i
# sed -i '$a\USERCTL=no\n\MASTER=bond0' /etc/sysconfig/network-scripts/ifcfg-$i
# done
# else
# ## only ifcfg-ens33 exists: derive the second slave file from it
# echo "not $ENS2"
# sed -i 's/BOOT.*/BOOTPROTO=none/g' /etc/sysconfig/network-scripts/ifcfg-ens33
# sed -i '/UUID.*/d' /etc/sysconfig/network-scripts/ifcfg-ens33
# sed -i '$a\USERCTL=no\n\MASTER=bond0' /etc/sysconfig/network-scripts/ifcfg-ens33
# ENS2=`ifconfig |grep ens|grep -v 'ens33'|awk -F: '{print $1}'`
# cp /etc/sysconfig/network-scripts/ifcfg-ens33 /etc/sysconfig/network-scripts/ifcfg-$ENS2
# sed -i "s/DEVICE.*/DEVICE=$ENS2/g" /etc/sysconfig/network-scripts/ifcfg-$ENS2
# fi
# fi
2、FTP服务优化
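# vsftpd: refuse anonymous logins, let local users log in and upload.
# The config path differs by distribution: /etc/vsftpd.conf (Debian/Ubuntu)
# or /etc/vsftpd/vsftpd.conf (RHEL/CentOS); the first one that exists is used.
vsftpd_conf=/etc/vsftpd.conf
[[ -f "$vsftpd_conf" ]] || vsftpd_conf=/etc/vsftpd/vsftpd.conf

#######################################
# Set KEY=VALUE in a vsftpd-style config file.
# An existing line for KEY (active or commented out) is rewritten in place,
# otherwise the setting is appended; idempotent. The original literal
# 's/old=X/new=Y/' edits silently did nothing when the stock file carried a
# different value or had the key commented out.
# Arguments: $1 - file, $2 - key, $3 - value
#######################################
vsftpd_set_opt() {
  local file=$1 key=$2 value=$3
  local pat="^#?[[:space:]]*${key}[[:space:]]*="
  if grep -q -E -- "$pat" "$file" 2>/dev/null; then
    sed -i -E "s|${pat}.*|${key}=${value}|" -- "$file"
  else
    printf '%s=%s\n' "$key" "$value" >>"$file"
  fi
}

if [[ -f "$vsftpd_conf" ]]; then
  vsftpd_set_opt "$vsftpd_conf" anonymous_enable NO
  vsftpd_set_opt "$vsftpd_conf" local_enable YES
  # Uploads by local users. Plain FTP sends the password and the payload in
  # clear text; ssl_enable=YES (or sftp via sshd) keeps the password policy
  # of sections 8-12 from being undone on the wire.
  vsftpd_set_opt "$vsftpd_conf" write_enable YES
else
  printf 'vsftpd.conf not found, skipping FTP configuration\n' >&2
fi

# Author's intent: remove root from the FTP deny list so root may log in.
# Anchored to the exact entry: the original 's/root/#root/' rewrote the first
# "root" on any line and produced '##root' on a second run.
# NOTE(review): with root allowed, the root password crosses the network in
# clear text on every login; a dedicated upload account keeps root off FTP.
[[ -f /etc/ftpusers ]] && sed -i 's/^root$/#root/' /etc/ftpusers

[[ -f "$vsftpd_conf" ]] && systemctl restart vsftpd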
3、文件句柄优化
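# Raise the per-process limits that pam_limits applies at login; the values
# are the author's (nproc 65535, nofile 163840).
# NOTE(review): on RHEL/CentOS a drop-in such as
# /etc/security/limits.d/20-nproc.conf, if present, overrides nproc for
# non-root users — adjust it as well if the new limit is not observed.
limits_conf=/etc/security/limits.conf

#######################################
# Append "DOMAIN TYPE ITEM VALUE" to a limits.conf-style file unless an
# identical entry already exists. The original unconditional echo added the
# four lines again on every run.
# Arguments: $1 - file, $2 - domain, $3 - type, $4 - item, $5 - value
#######################################
add_limit() {
  local file=$1 domain=$2 type=$3 item=$4 value=$5
  # awk compares whole fields, so spacing differences and the literal '*'
  # domain need no regex escaping.
  if ! awk -v d="$domain" -v t="$type" -v i="$item" -v v="$value" \
      '$1 == d && $2 == t && $3 == i && $4 == v { found = 1 } END { exit !found }' \
      "$file" 2>/dev/null; then
    printf '%s %s %s %s\n' "$domain" "$type" "$item" "$value" >>"$file"
  fi
}

add_limit "$limits_conf" '*' soft nproc 65535
add_limit "$limits_conf" '*' hard nproc 65535
add_limit "$limits_conf" '*' soft nofile 163840
add_limit "$limits_conf" '*' hard nofile 163840
# Only affects this shell and its children; new logins pick the value up from
# limits.conf through pam_limits.
ulimit -n 163840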
4、ssh优化
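sshd_cfg=/etc/ssh/sshd_config

#######################################
# Make "KEY VALUE" the effective sshd_config setting.
# sshd honours the FIRST occurrence of a keyword, so the original 'a\' edits
# — which appended after every line mentioning the keyword — left an active
# 'GSSAPIAuthentication yes' (the RHEL default) in force and grew the file on
# each run. Existing lines, commented or not, are rewritten in place; an
# absent keyword is inserted at the top so a trailing Match block cannot
# capture it.
# Arguments: $1 - file, $2 - keyword, $3 - value
#######################################
sshd_set_opt() {
  local file=$1 key=$2 value=$3
  local pat="^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|=)"
  if grep -q -E -- "$pat" "$file" 2>/dev/null; then
    sed -i -E "s@${pat}.*@${key} ${value}@" -- "$file"
  elif [[ -s "$file" ]]; then
    sed -i "1i ${key} ${value}" -- "$file"
  else
    # '1i' has no line 1 to act on in an empty file.
    printf '%s %s\n' "$key" "$value" >>"$file"
  fi
}

# UseDNS no: skip the reverse lookup of the client address at login.
sshd_set_opt "$sshd_cfg" UseDNS no
# GSSAPIAuthentication no: skip the Kerberos/GSSAPI negotiation attempt.
sshd_set_opt "$sshd_cfg" GSSAPIAuthentication no
# Validate before restarting: a bad sshd_config leaves sshd down and the host
# unreachable over SSH.
if sshd -t 2>/dev/null; then
  systemctl restart sshd
else
  printf 'sshd_config failed validation (or sshd not found); sshd not restarted\n' >&2
fi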
5、关闭防火墙和SeLinux
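# Nothing else on this page replaces these two controls: firewalld is the
# host packet filter and SELinux the mandatory access control. If the goal is
# only to stop denials, SELINUX=permissive keeps the audit trail.
systemctl stop firewalld
systemctl disable firewalld

#######################################
# Rewrite only the 'SELINUX=' key in a selinux config file.
# The original 's/SELINUX.*/SELINUX=disabled/g' also matched
# 'SELINUXTYPE=targeted' and the explanatory comment lines, turning them into
# duplicate 'SELINUX=disabled' lines and dropping the policy type.
# Arguments: $1 - file, $2 - mode (enforcing|permissive|disabled)
#######################################
set_selinux_mode() {
  local file=$1 mode=$2
  sed -i "s/^SELINUX=.*/SELINUX=${mode}/" -- "$file"
}

set_selinux_mode /etc/selinux/config disabled
# Immediate effect only when SELinux is currently enforcing; setenforce fails
# noisily on a host where it is already disabled.
if [[ "$(getenforce 2>/dev/null)" == "Enforcing" ]]; then
  setenforce 0
fi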
6、优化内核参数
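#######################################
# Write the author's TCP tuning to FILE as a sysctl fragment.
# tcp_syncookies=1 keeps the listen queue usable under a SYN flood;
# tcp_tw_reuse=1 lets outgoing connections reuse TIME_WAIT sockets;
# tcp_fin_timeout=30 shortens the orphaned FIN_WAIT_2 hold time;
# tcp_syn_retries=1 gives up an outgoing connect after one retransmitted SYN
# (a few seconds), which is aggressive on lossy links. tcp_tw_recycle stays
# commented out: it was removed in Linux 4.12 and misbehaved with clients
# behind NAT before that.
# Arguments: $1 - destination file (overwritten)
#######################################
write_sysctl_tuning() {
  local file=$1
  cat <<EOF >"$file"
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
# linux 4.x内核之后已弃用
# net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_syn_retries = 1
EOF
}

# NOTE(review): the original 'cat <<EOF>/etc/sysctl.conf' truncated the file,
# discarding every setting already in it (distro defaults, other tools'
# tuning). A drop-in under /etc/sysctl.d/ is additive; 'sysctl --system'
# loads the drop-ins as well as /etc/sysctl.conf, whereas 'sysctl -p' reads
# only the latter. The file name below is this reviewer's choice.
write_sysctl_tuning /etc/sysctl.d/99-tuning.conf
sysctl --system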
7、 SSH 连接超时
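# /etc/ssh/sshd_config
# ClientAliveInterval 900
# ClientAliveCountMax 3
# An idle session is dropped after 3 unanswered keepalives 900 s apart.
sshd_cfg=/etc/ssh/sshd_config

#######################################
# Make "KEY VALUE" the effective sshd_config setting (same helper as in the
# ssh section above; defined here so this section stands on its own).
# sshd honours the FIRST occurrence of a keyword; the original 'a\' edits
# appended a new line after the comment on every run. Existing lines,
# commented or not, are rewritten in place; an absent keyword is inserted at
# the top so a trailing Match block cannot capture it.
# Arguments: $1 - file, $2 - keyword, $3 - value
#######################################
sshd_set_opt() {
  local file=$1 key=$2 value=$3
  local pat="^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|=)"
  if grep -q -E -- "$pat" "$file" 2>/dev/null; then
    sed -i -E "s@${pat}.*@${key} ${value}@" -- "$file"
  elif [[ -s "$file" ]]; then
    sed -i "1i ${key} ${value}" -- "$file"
  else
    # '1i' has no line 1 to act on in an empty file.
    printf '%s %s\n' "$key" "$value" >>"$file"
  fi
}

sshd_set_opt "$sshd_cfg" ClientAliveInterval 900
sshd_set_opt "$sshd_cfg" ClientAliveCountMax 3
# The original never reloaded sshd here (the restart in the ssh section ran
# before these edits), so the timeout only took effect at the next restart.
if sshd -t 2>/dev/null; then
  systemctl reload sshd
else
  printf 'sshd_config failed validation (or sshd not found); sshd not reloaded\n' >&2
fi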
8、 密码重用限制
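### The last five passwords may not be reused (pam_unix remember=5)
# /etc/pam.d/password-auth
# /etc/pam.d/system-auth, password stack:
# sufficient pam_unix.so
### add the remember parameter:
# sufficient pam_unix.so remember=5

#######################################
# Append "remember=N" to the 'password sufficient pam_unix.so' line of a PAM
# file unless that line already carries a remember= option.
# The original '^password sufficient' pattern required exactly one space; the
# stock RHEL files separate the fields with runs of spaces, so it never
# matched, and where it did match it appended remember=5 again on every run.
# --follow-symlinks: on RHEL these files are usually symlinks to the *-ac
# files, and a plain 'sed -i' replaces the link with a regular file.
# Arguments: $1 - PAM file, $2 - number of old passwords to remember
#######################################
pam_set_remember() {
  local file=$1 count=$2
  sed -i --follow-symlinks -E \
    '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/{/remember=/!s/$/ remember='"${count}"'/}' \
    -- "$file"
}

# NOTE(review): pam_unix keeps the history in /etc/security/opasswd; on RHEL 7
# authconfig regenerates these files and can revert manual edits — confirm how
# this host manages PAM before relying on the change.
pam_set_remember /etc/pam.d/system-auth 5
pam_set_remember /etc/pam.d/password-auth 5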
9、 系统密码复杂性
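### Passwords: at least 10 characters, drawn from at least three of the four
### classes (upper case, lower case, digits, special characters)
# /etc/security/pwquality.conf
# minlen=10
# minclass=3

#######################################
# Set "KEY = VALUE" in pwquality.conf.
# The stock file ships the keys commented out ('# minlen = 8'); the original
# 'a\' edits appended a new line after that comment on every run. Here an
# existing line (commented or active) is rewritten in place, otherwise the
# setting is appended; idempotent.
# Arguments: $1 - file, $2 - key, $3 - value
#######################################
pwquality_set() {
  local file=$1 key=$2 value=$3
  local pat="^#?[[:space:]]*${key}[[:space:]]*="
  if grep -q -E -- "$pat" "$file" 2>/dev/null; then
    sed -i -E "s|${pat}.*|${key} = ${value}|" -- "$file"
  else
    printf '%s = %s\n' "$key" "$value" >>"$file"
  fi
}

# NOTE(review): these rules apply only where pam_pwquality is in the password
# stack, and root is exempt unless enforce_for_root is also set.
pwquality_set /etc/security/pwquality.conf minlen 10
pwquality_set /etc/security/pwquality.conf minclass 3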
10、 密码失效时间
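### Passwords expire after 180 days
# /etc/login.defs
# PASS_MAX_DAYS 180

#######################################
# Set "KEY VALUE" in login.defs, rewriting the active line in place or
# appending one if the key is absent; idempotent.
# The original pair of edits commented out the active line and appended a
# new one after every '#PASS_MAX_DAYS' line, so each run commented out the
# value added by the previous run and appended again.
# Arguments: $1 - file, $2 - key, $3 - value
#######################################
logindefs_set() {
  local file=$1 key=$2 value=$3
  if grep -q -E -- "^[[:space:]]*${key}[[:space:]]" "$file" 2>/dev/null; then
    sed -i -E "s/^[[:space:]]*${key}[[:space:]].*/${key}\t${value}/" -- "$file"
  else
    printf '%s\t%s\n' "$key" "$value" >>"$file"
  fi
}

# login.defs only governs accounts created from now on; existing accounts keep
# their current ageing until changed with 'chage -M 180 <user>'.
logindefs_set /etc/login.defs PASS_MAX_DAYS 180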
11、 系统密码弱口令
# Reset a weak root password; left commented out by the author, XXXX is the
# placeholder for the new password.
# NOTE(review): piping into chpasswd is the right mechanism (the password is
# never on a command line, so it does not show up in 'ps' or an audited
# argv), but a literal password in this file lands in the script, its copies
# and any shell history it was pasted into. Read it from a root-only file
# (mode 0600) with 'chpasswd < FILE' or prompt for it instead.
# echo 'root:XXXX'|chpasswd
12、 设置密码修改最小间隔时间
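### A password may be changed again only seven days after the last change
# /etc/login.defs
# PASS_MIN_DAYS 7

#######################################
# Set "KEY VALUE" in login.defs, rewriting the active line in place or
# appending one if the key is absent; idempotent. (Same helper as in the
# password-expiry section; defined here so this section stands on its own.)
# The original pair of edits commented out the active line and appended a
# new one after every '#PASS_MIN_DAYS' line, so each run commented out the
# value added by the previous run and appended again.
# Arguments: $1 - file, $2 - key, $3 - value
#######################################
logindefs_set() {
  local file=$1 key=$2 value=$3
  if grep -q -E -- "^[[:space:]]*${key}[[:space:]]" "$file" 2>/dev/null; then
    sed -i -E "s/^[[:space:]]*${key}[[:space:]].*/${key}\t${value}/" -- "$file"
  else
    printf '%s\t%s\n' "$key" "$value" >>"$file"
  fi
}

# Only affects accounts created from now on; existing accounts need
# 'chage -m 7 <user>'. The minimum age is what stops a user from cycling
# through the remember=5 history in one sitting to get an old password back.
logindefs_set /etc/login.defs PASS_MIN_DAYS 7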