Basic tuning and security settings for CentOS after a minimal install
- 2020-05-06 12:08:44
- OfStack
Clean up services that start automatically at boot

Show the startup status of every service at every run level:
# chkconfig --list

Switch off every service that is currently started at run level 3. Note that this also turns off iptables, auditd and anything else that happened to be on, so review the list first on a host that depends on them:
# for oldboy in $(chkconfig --list | grep 3:on | awk '{print $1}'); do chkconfig --level 3 $oldboy off; done

Then switch back on the services that are normally needed: crond, network, rsyslog and sshd.
# for oldboy in crond network rsyslog sshd; do chkconfig --level 3 $oldboy on; done

Check which services now start at run level 3:
# chkconfig --list | grep 3:on
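The two loops above first disable everything at run level 3 and then re-enable a fixed list. The script below, added here as an example (it is not from the original page), does the same job in one pass and shows what it would change before anything is touched. It parses `chkconfig --list` output, keeps a whitelist, and prints the `chkconfig --level 3 ... off` commands for the rest. The SAMPLE text is a constructed imitation of `chkconfig --list` output, and the whitelist goes beyond the page's four services by also keeping the host firewall (iptables) and the audit daemon (auditd), which the page's blind loop would switch off.

```shell
#!/bin/sh
# Added example (not from the original page): compute which services to switch off at a
# run level while keeping a whitelist, instead of blindly looping over everything that is on.
# SAMPLE is a constructed imitation of `chkconfig --list` output, not captured from a real host.
SAMPLE='auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:on    4:on    5:on    6:off'

# Services that must stay on: the page's list plus the host firewall and the audit daemon.
KEEP="crond network rsyslog sshd iptables auditd"

# services_on LEVEL: print the name of every service that is "on" at LEVEL.
# Reads chkconfig --list style text on stdin.
services_on() {
    awk -v want="$1:on" '{ for (i = 2; i <= NF; i++) if ($i == want) print $1 }'
}

# in_list WORD LIST: succeed when WORD is one of the space-separated words in LIST.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# to_disable LEVEL: services on at LEVEL that are not in KEEP. Reads chkconfig text on stdin.
to_disable() {
    services_on "$1" | while read -r svc; do
        in_list "$svc" "$KEEP" || printf '%s\n' "$svc"
    done
}

# plan LEVEL: print the chkconfig commands that would be run against SAMPLE (a dry run).
# On a real host feed it `chkconfig --list` instead of SAMPLE and pipe the output into sh.
plan() {
    printf '%s\n' "$SAMPLE" | to_disable "$1" | while read -r svc; do
        printf 'chkconfig --level %s %s off\n' "$1" "$svc"
    done
}

plan 3
```

Against the constructed SAMPLE the plan is to switch off ip6tables, postfix and udev-post only; the six whitelisted services are left alone. Printing the commands rather than running them is deliberate: on a host you did not build yourself, read the plan before piping it into sh.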
SSH security configuration

Install the SSH server (the package is openssh-server; there is no package called "ssh"):
# yum install openssh-server

Back up the configuration file (always back up before changing a configuration file):
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Edit the sshd configuration file to harden the service:
# vi /etc/ssh/sshd_config
Port 52101               move sshd from the default port 22 to 52101
PermitRootLogin no       do not allow root to log in over SSH; log in as an ordinary user and switch with su or sudo
PermitEmptyPasswords no  do not allow accounts with an empty password to log in
UseDNS no                skip the reverse DNS lookup of connecting clients, which only slows logins down (the keyword is UseDNS, not UseDns)

Before restarting sshd on the new port, allow TCP port 52101 through the firewall, and if SELinux is in enforcing mode label the new port for sshd, otherwise it will refuse to bind to it. Keep the current session open until a fresh login on the new port succeeds.
The full list of options is in:
# man sshd_config
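Editing sshd_config by hand is easy to get subtly wrong (a directive left commented out, a duplicate lower down that sshd ignores because it takes the first occurrence). The script below is an added example, not part of the original page: it reads an sshd_config on stdin and reports the effective value of the four settings this section changes. BEFORE and AFTER are constructed fragments, not files from a real host; BEFORE mimics the shipped file, where the defaults appear only as comments.

```shell
#!/bin/sh
# Added example (not from the original page): check an sshd_config for the four settings the
# section changes. BEFORE and AFTER are constructed fragments, not files from a real host:
# BEFORE mimics the shipped file, where the defaults are present only as comments.
BEFORE='#Port 22
#PermitRootLogin yes
#PermitEmptyPasswords no
#UseDNS yes
Subsystem sftp /usr/libexec/openssh/sftp-server'
AFTER='Port 52101
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no
Subsystem sftp /usr/libexec/openssh/sftp-server'

# effective KEY: the value sshd would use for KEY from the config on stdin.
# sshd takes the first uncommented occurrence; keywords are case-insensitive.
# Prints "(default)" when the keyword is not set explicitly.
effective() {
    awk -v key="$1" 'tolower($1) == tolower(key) && !seen { v = $2; seen = 1 }
                     END { print (seen ? v : "(default)") }'
}

# audit_sshd: read an sshd_config on stdin, print one line per check,
# return the number of checks that failed.
audit_sshd() {
    cfg=$(cat)
    warn=0
    # check KEY EXPECTED: compare the effective value with EXPECTED. "(default)" never passes:
    # the shipped default can change between versions, so the hardened value is stated explicitly.
    check() {
        got=$(printf '%s\n' "$cfg" | effective "$1")
        if [ "$got" = "$2" ]; then
            printf 'ok    %-22s %s\n' "$1" "$got"
        else
            printf 'WARN  %-22s is %s, want %s\n' "$1" "$got" "$2"
            warn=$((warn + 1))
        fi
    }
    check PermitRootLogin no
    check PermitEmptyPasswords no
    check UseDNS no
    port=$(printf '%s\n' "$cfg" | effective Port)
    if [ "$port" = "(default)" ] || [ "$port" = 22 ]; then
        printf 'WARN  %-22s still on 22 (scanners try 22 first)\n' Port
        warn=$((warn + 1))
    else
        printf 'ok    %-22s %s\n' Port "$port"
    fi
    return "$warn"
}

echo "--- shipped defaults"
printf '%s\n' "$BEFORE" | audit_sshd || echo "$? warning(s)"
echo "--- after hardening"
printf '%s\n' "$AFTER" | audit_sshd || echo "$? warning(s)"
```

On a real host run `audit_sshd < /etc/ssh/sshd_config`. After the edits, `sshd -t` checks the file for syntax errors and `service sshd restart` applies them; with SELinux enforcing, `semanage port -a -t ssh_port_t -p tcp 52101` labels the new port first.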
Switching users

Prompt characters
$ is the prompt of an ordinary user
# is the prompt of the administrator (root)

Switching between users
An ordinary user switching to the administrator has to enter root's password.
The administrator can switch to an ordinary user without entering a password.
Granting root privileges to an ordinary user

Edit /etc/sudoers with the visudo command (it locks the file and checks the syntax before saving):
# user MACHINE=COMMANDS
root    ALL=(ALL)       ALL
xu      ALL=(ALL)       ALL

Log in as user xu and run a privileged command:
$ sudo cat /etc/shadow
The password asked for here is not the administrator's password but xu's own password. Note that ALL=(ALL) ALL gives xu unrestricted root; on a production host list only the commands the user actually needs.
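The rule the page adds for xu is equivalent to handing out root. As an added example (not from the original page), here is that rule next to a least-privilege version; the user xu is the page's, while the command list, aliases and log path are illustrative assumptions for a host that only needs xu to restart two services and read the auth log.

```sudoers
# Weak: what the page shows. xu may run any command as any user, which is the same
# as giving xu root's password.
xu      ALL=(ALL)       ALL

# Least privilege (added example): name the exact commands, by absolute path and
# with their arguments, that xu needs. Everything else, including cat /etc/shadow,
# is refused and logged.
Cmnd_Alias SERVICES = /sbin/service sshd restart, /sbin/service crond restart
Cmnd_Alias AUTHLOG  = /bin/cat /var/log/secure, /usr/bin/tail -f /var/log/secure
xu      ALL=(root)      SERVICES, AUTHLOG
```

Check the file with `visudo -c` and list what xu may run with `sudo -l -U xu`. Avoid wildcards in the argument position: `/bin/cat *` would let xu run `sudo cat /etc/shadow` again.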
User environment variables

# echo $PATH
/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
$ echo $PATH
/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/xu/bin

The ordinary user and the administrator have different PATHs; the sbin directories that hold administrative commands are only in root's. When a command is typed without a path, the shell searches the directories listed in PATH in order, so for an ordinary user:
$ useradd aaa
-bash: useradd: command not found
useradd lives in /usr/sbin, which is not in the ordinary user's PATH, hence "command not found".
Linux character set

After installing the system in English, Chinese text shows up as garbled characters; change the character set:
# vim /etc/sysconfig/i18n
LANG="en_US.UTF-8"
SYSFONT="latarcyrheb-sun16"
en_US.UTF-8    English, UTF-8 character set
zh_CN.GB18030  Chinese character set
Make the change take effect in the current shell:
# source /etc/sysconfig/i18n
Update the server time with NTP

NTP is the network time protocol. Install the client:
# yum install ntp
Update the time once:
# ntpdate time.windows.com
Update every 5 minutes from root's crontab. cron runs with a minimal PATH, so ntpdate is given its full path:
# echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >> /var/spool/cron/root
View the scheduled tasks:
# crontab -l
ntpdate steps the clock abruptly; on a server whose logs or applications need a smoothly advancing clock, run the ntpd daemon instead.
Increase the server's file descriptor limit

Once services are running and traffic grows, more file descriptors are used.
Show the current limit on open files:
# ulimit -n
1024
Raise the limit by adding a line at the end of /etc/security/limits.conf:
# vim /etc/security/limits.conf
*    -    nofile    65536
Log in again and check the limit:
# ulimit -n
65536
Adjust kernel parameters (TCP stack and connection tracking) in /etc/sysctl.conf:
# vim /etc/sysctl.conf
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max=25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait=120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait=60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait=120
Make the changes take effect immediately:
# sysctl -p
Two caveats before copying this list onto a production host. tcp_tw_recycle = 1 makes the kernel drop SYNs from clients whose TCP timestamps go backwards, which is exactly what happens when several clients sit behind one NAT, so it silently breaks those clients (the option was removed in Linux 4.12). The net.ipv4.*ip_conntrack* names are the legacy ones from CentOS 5 kernels; on CentOS 6 and later the keys are net.netfilter.nf_conntrack_*, sysctl -p reports the old names as unknown keys, and the keys exist only once the connection-tracking module is loaded. tcp_syn_retries = 1 and tcp_synack_retries = 1 mean a single lost packet aborts a handshake, and a conntrack table of 25,000,000 entries costs a few hundred bytes each, several gigabytes of kernel memory in total; size it to measured load.
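The list above mixes sensible hardening (SYN cookies) with values that cause outages when copied blindly. The script below is an added example, not part of the original page: it lints a sysctl.conf fragment for the settings this section tunes, then lints a second fragment that passes. RISKY repeats the page's values for the keys it checks; SAFER is this example's own suggestion, which you would still tune to your workload. Both fragments are constructed here.

```shell
#!/bin/sh
# Added example (not from the original page): lint a sysctl.conf fragment for the settings
# this section tunes, then show a fragment that lints clean. RISKY and SAFER are constructed:
# RISKY repeats the page's values for the checked keys, SAFER is this example's suggestion.
RISKY='net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=180'
SAFER='net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_max_syn_backlog = 16384
net.netfilter.nf_conntrack_max = 1000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180'

# value KEY: the value assigned to KEY in the sysctl.conf text on stdin ("" when absent).
# Accepts both "key = v" and "key=v".
value() {
    awk -F'[ \t=]+' -v key="$1" '$1 == key { print $2; exit }'
}

# lint_sysctl: read a sysctl.conf fragment on stdin, print one RISK line per finding,
# return the number of findings.
lint_sysctl() {
    cfg=$(cat)
    n=0
    flag() { printf 'RISK  %s\n' "$1"; n=$((n + 1)); }
    get() { printf '%s\n' "$cfg" | value "$1"; }

    [ "$(get net.ipv4.tcp_tw_recycle)" = 1 ] &&
        flag "tcp_tw_recycle=1 drops SYNs from clients behind a shared NAT (removed in Linux 4.12); use 0"
    [ "$(get net.ipv4.tcp_syncookies)" = 1 ] ||
        flag "tcp_syncookies is not 1; SYN cookies are the cheap defence against SYN floods"
    for k in tcp_syn_retries tcp_synack_retries; do
        r=$(get net.ipv4.$k)
        if [ -n "$r" ] && [ "$r" -lt 2 ]; then
            flag "$k=$r: a single lost packet aborts the handshake; use 2 or more"
        fi
    done
    m=$(get net.ipv4.ip_conntrack_max)
    [ -n "$m" ] || m=$(get net.netfilter.nf_conntrack_max)
    if [ -n "$m" ] && [ "$m" -gt 2000000 ]; then
        flag "conntrack_max=$m: each entry costs a few hundred bytes of kernel memory; size it to measured load"
    fi
    # Legacy ip_conntrack names: sysctl -p reports them as unknown keys on nf_conntrack kernels (CentOS 6+).
    printf '%s\n' "$cfg" | awk -F'[ \t=]+' '/^net\.ipv4\.(netfilter\.)?ip_conntrack/ { print $1 }' |
        while read -r k; do
            printf 'RISK  %s is a legacy name; use net.netfilter.nf_conntrack_%s\n' "$k" "${k##*ip_conntrack_}"
        done
    legacy=$(printf '%s\n' "$cfg" | awk '/^net\.ipv4\.(netfilter\.)?ip_conntrack/ { c++ } END { print c + 0 }')
    n=$((n + legacy))
    return "$n"
}

echo "--- page values"
printf '%s\n' "$RISKY" | lint_sysctl || echo "$? finding(s)"
echo "--- safer fragment"
printf '%s\n' "$SAFER" | lint_sysctl || echo "$? finding(s)"
```

Run it against the real file with `lint_sysctl < /etc/sysctl.conf`. The thresholds (retries below 2, a table above 2,000,000 entries) are this example's judgement calls, chosen to catch the specific values on the page; the legacy-name check is mechanical and will also tell you the nf_conntrack key to use instead.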