Difference between pages "C基础" and "Centos7服务器初始化"
=Related resources on this wiki=
[[容器初始化]]
=If you have many machines: [[Salt-ssh批量初始化机器]]=
[[Salt-ssh批量初始化机器]]
=If you have few machines=
==The shell script I currently use==
<pre>
#!/bin/bash
#Author: linuxsa.org 201911
# usage: bash osinit.sh 2>&1 | tee osinit.log
#http://wiki.linuxchina.net/index.php/Centos7%E5%88%9D%E5%A7%8B%E5%8C%96
#common development packages: gcc etc.
yum groupinstall "Development Tools" -y
#common commands: ifconfig etc.
yum install -y net-tools yum-utils rsync
yum install epel-release -y
yum install iftop tcpdump -y

# install docker
# Step 1: install the required system tools
yum install -y yum-utils device-mapper-persistent-data lvm2
# Step 2: add the repository
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Step 3: refresh the metadata and install Docker CE
yum makecache fast
yum -y install docker-ce
# Step 4: enable and start the Docker service
systemctl enable docker
systemctl start docker

rpm -ivh https://repo.zabbix.com/zabbix/4.0/rhel/7/x86_64/zabbix-release-4.0-1.el7.noarch.rpm
yum install zabbix-agent -y && systemctl enable zabbix-agent
#install docker-compose etc.
yum -y install vim wget curl yum-utils bash-completion bash-completion-extras epel-release lrzsz telnet python-pip
#optional, depending on the machine
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
#mv docker-compose /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
#pip install docker-compose
#mkdir -p /home/data/docker
mkdir -p /data/docker
# "graph" is the old key; newer Docker releases call it "data-root"
echo '{"graph": "/data/docker"}' >/etc/docker/daemon.json
# cat /etc/docker/daemon.json
#{"graph": "/home/data/docker"}
systemctl restart docker
#verify where docker stores its data
docker system info | grep "Root Dir"

#needed so rc.local runs at boot
chmod +x /etc/rc.d/rc.local
setenforce 0
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
#firewall
systemctl enable firewalld

#switch the yum mirror
#CentOS 7
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
#or
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
#CentOS 8
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-8.repo
#or
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-8.repo
#3. run yum makecache to rebuild the cache
yum makecache
</pre>
==CentOS 7 initialisation==
==ssh config==
<pre>
echo "ssh-rsa AAAAB3NzaC you_prk_key root@ops" >> /root/.ssh/authorized_keys
sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
systemctl restart sshd
#service sshd restart
</pre>
==Network configuration==
<pre>
cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE="Ethernet"
BOOTPROTO=static
IPADDR0=192.168.0.16
NETMASK=255.255.255.0
GATEWAY0=192.168.0.1
DNS1=223.5.5.5
DNS2=114.114.114.114
DEVICE="eth0"
ONBOOT="yes"
</pre>
==Install common software==
<pre>
yum install python-devel
yum install vim wget net-tools psmisc links lsof telnet zlib-devel curl tmux mariadb -y # screen
yum groupinstall "Development Tools" -y
</pre>
===Installing ifconfig on CentOS 7===
<pre>
If you do not know which package provides a command (dig, for example), use yum provides with the command's absolute path
yum provides /sbin/ifconfig
******
net-tools-1.60-114.el6.x86_64 : Basic networking tools
Repo : base
匹配来自于:
Filename : /sbin/ifconfig
*****
So the package to install is net-tools
ifconfig, netstat, route, and others
[root@centos7 hcmdb]# yum info net-tools
已安装的软件包
名称 :net-tools
架构 :x86_64
版本 :2.0
发布 :0.17.20131004git.el7
大小 :917 k
源 :installed
简介 : Basic networking tools
网址 :http://sourceforge.net/projects/net-tools/
协议 : GPLv2+
描述 : The net-tools package contains basic networking tools,
: including ifconfig, netstat, route, and others.
: Most of them are obsolete. For replacement check iproute package.
yum -y install net-tools vim wget
#yum/dnf install net-tools vim wget
After a minimal CentOS 7 install the killall command is missing.
Install it with:
yum install psmisc

A short introduction to psmisc:
The psmisc package contains three programs that help manage the /proc directory.
It installs: fuser, killall, pstree and pstree.x11 (a link to pstree)
fuser shows the PIDs of the processes using the given file or filesystem.
killall kills processes by name: it sends a signal to every process running the given command.
pstree shows the running processes as a tree.
pstree.x11 is the same as pstree but asks for confirmation before exiting
</pre>
==Common software==
<pre>
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum install nmap-ncat lsof -y #nc (nmap-ncat)
lsof -i:1080
yum groupinstall "Development Libraries"
yum groupinstall "Development Tools"
</pre>
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | == | + | ==nginx== |
<pre> | <pre> | ||
− | + | yum install wget -y | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | wget https://mirrors.tuna.tsinghua.edu.cn/epel/7/x86_64/Packages/e/epel-release-7-12.noarch.rpm | |
− | + | wget https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-12.noarch.rpm | |
− | - | + | yum install nginx -y |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
</pre> | </pre> | ||
==jdk==
<pre>
java.security.InvalidKeyException: Illegal key size or default parameters
A new VM needs the unlimited-strength JCE policy added
file: UnlimitedJCEPolicyJDK7.zip
Fix:
evan@evankalilatop:~/xk/jdk$ cat jdkpath
replace local_policy.jar and US_export_policy.jar under ${jdk_home}/jre/lib/security
</pre>
==Raise the open-file limit==
<pre>
#temporary change, takes effect immediately
ulimit -n 655350
#permanent change
echo "* soft nofile 655360" >> /etc/security/limits.conf
echo "* hard nofile 655360" >> /etc/security/limits.conf
</pre>
[https://www.jianshu.com/p/23ee9db2a620 Tuning system parameters with ulimit, /etc/security/limits.conf and proc]
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | ==kernel 优化== | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
<pre> | <pre> | ||
− | / | + | #set sysctl 有空把这些意思拿出来 |
− | + | sysctl_config(){ | |
− | + | cp /etc/sysctl.conf /et/sysctl.conf.bak | |
− | + | cat > /etc/sysctl.conf << EOF | |
− | + | net.ipv4.ip_forward = 0 | |
− | + | net.ipv4.conf.default.rp_filter = 1 | |
− | + | net.ipv4.conf.default.accept_source_route = 0 | |
− | + | kernel.sysrq = 0 | |
− | + | kernel.core_uses_pid = 1 | |
− | + | net.ipv4.tcp_syncookies = 1 | |
− | + | kernel.msgmnb = 65536 | |
− | + | kernel.msgmax = 65536 | |
− | + | kernel.shmmax = 68719476736 | |
− | + | kernel.shmall = 4294967296 | |
− | + | net.ipv4.tcp_max_tw_buckets = 6000 | |
− | + | net.ipv4.tcp_sack = 1 | |
− | + | net.ipv4.tcp_window_scaling = 1 | |
− | + | net.ipv4.tcp_rmem = 4096 87380 4194304 | |
− | + | net.ipv4.tcp_wmem = 4096 16384 4194304 | |
− | + | net.core.wmem_default = 8388608 | |
+ | net.core.rmem_default = 8388608 | ||
+ | net.core.rmem_max = 16777216 | ||
+ | net.core.wmem_max = 16777216 | ||
+ | net.core.netdev_max_backlog = 262144 | ||
+ | net.core.somaxconn = 262144 | ||
+ | net.ipv4.tcp_max_orphans = 3276800 | ||
+ | net.ipv4.tcp_max_syn_backlog = 262144 | ||
+ | net.ipv4.tcp_timestamps = 0 | ||
+ | net.ipv4.tcp_synack_retries = 1 | ||
+ | net.ipv4.tcp_syn_retries = 1 | ||
+ | net.ipv4.tcp_tw_recycle = 1 | ||
+ | net.ipv4.tcp_tw_reuse = 1 | ||
+ | net.ipv4.tcp_mem = 94500000 915000000 927000000 | ||
+ | net.ipv4.tcp_fin_timeout = 1 | ||
+ | net.ipv4.tcp_keepalive_time = 1200 | ||
+ | net.ipv4.ip_local_port_range = 1024 65535 | ||
+ | EOF | ||
+ | /sbin/sysctl -p | ||
+ | echo "sysctl set OK!!" | ||
} | } | ||
− | + | 使用PAM模块限制资源: | |
− | + | # vi /etc/pam.d/login | |
− | + | session required pam_limits.so | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
</pre> | </pre> | ||
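An added lint for the sysctl block above (not part of the original page): it reads a sysctl.conf-style file and flags the settings in that block that are known to misbehave on a box built by the init script on this page. The function names and the constructed sample file are assumptions made here.

```bash
#!/bin/bash
# Lint a sysctl.conf-style file for the settings in this page's tuning block
# that are known to cause trouble. Added example; not the page's own code.

# Print the effective value of KEY in FILE. The last uncommented assignment
# wins, matching how `sysctl -p` applies the file top to bottom.
sysctl_get() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $2 }
        END { gsub(/^[ \t]+|[ \t]+$/, "", val); print val }' "$1"
}

# One line per finding; no output means nothing was flagged.
sysctl_lint() {
    local f="$1"
    if [ "$(sysctl_get "$f" net.ipv4.tcp_tw_recycle)" = 1 ]; then
        echo "net.ipv4.tcp_tw_recycle=1: rejects SYNs from clients behind NAT (per-address timestamp check); removed in Linux 4.12"
    fi
    if [ "$(sysctl_get "$f" net.ipv4.tcp_tw_reuse)" = 1 ] && \
       [ "$(sysctl_get "$f" net.ipv4.tcp_timestamps)" = 0 ]; then
        echo "net.ipv4.tcp_tw_reuse=1 has no effect while net.ipv4.tcp_timestamps=0"
    fi
    if [ "$(sysctl_get "$f" net.ipv4.tcp_synack_retries)" = 1 ]; then
        echo "net.ipv4.tcp_synack_retries=1: a single lost SYN-ACK fails the handshake for clients on lossy links"
    fi
    if [ "$(sysctl_get "$f" net.ipv4.ip_forward)" = 0 ]; then
        echo "net.ipv4.ip_forward=0: dockerd turns forwarding on at start; re-running sysctl -p with this file breaks container networking"
    fi
}

# Number of findings, for scripts and checks.
sysctl_lint_count() { sysctl_lint "$1" | wc -l | tr -d ' '; }

# Constructed sample: the relevant lines from the page's sysctl_config().
write_sample_sysctl() {
    cat > "$1" <<'EOF'
# constructed excerpt of the page's sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
EOF
}
```

Run `write_sample_sysctl /tmp/s.conf && sysctl_lint /tmp/s.conf` to see all four findings; pointing it at /etc/sysctl.conf after sysctl_config has run gives the same result.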
==Optionally disable IPv6==
<pre>
# note: this alias method is the RHEL 5/6 way; on CentOS 7 the ipv6 module is built into the kernel,
# so use the sysctl net.ipv6.conf.all.disable_ipv6 = 1 (or the ipv6.disable=1 kernel parameter) instead
cat >> /etc/modprobe.d/ipv6.conf <<EOF
alias net-pf-10 off
alias ipv6 off
EOF
</pre>
==Turn off DNS lookups for ssh logins==
<pre>
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config

sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config

systemctl restart sshd
</pre>
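The ssh blocks above (the key/password settings under ssh config and the UseDNS/GSSAPI settings here) edit sshd_config with sed patterns that match only one exact form of each line, so they silently do nothing on a file that was already edited, and a bad result is only noticed when the next login fails. This added example, not from the original page, makes the same four changes idempotently and validates the file with sshd -t before restarting; the function names and the constructed sample file are assumptions made here.

```bash
#!/bin/bash
# Idempotent sshd_config hardening with a parse check before restart.
# Added example; not the page's own code.

# Set KEY to VALUE in FILE: rewrite any existing (possibly commented-out)
# occurrence in place, or append the directive if there is none.
sshd_set_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Effective value of KEY: sshd honours the first uncommented occurrence.
sshd_get_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Apply this page's four settings to FILE, keeping a backup beside it.
harden_sshd_config() {
    local file="$1"
    cp -p "$file" "${file}.bak"
    sshd_set_option "$file" UseDNS no
    sshd_set_option "$file" GSSAPIAuthentication no
    sshd_set_option "$file" PubkeyAuthentication yes
    sshd_set_option "$file" PasswordAuthentication no
}

# Restart sshd only if the hardened file parses; otherwise roll back, so a
# bad edit cannot lock the operator out. Needs root and a running sshd.
sshd_apply() {
    local file="${1:-/etc/ssh/sshd_config}"
    harden_sshd_config "$file"
    if sshd -t -f "$file"; then
        systemctl restart sshd
    else
        echo "sshd_config failed validation, restoring backup" >&2
        cp -p "${file}.bak" "$file"
        return 1
    fi
}

# Constructed sample resembling a stock CentOS 7 file; GSSAPIAuthentication
# is deliberately absent so the append path is exercised.
write_sample_sshd_config() {
    printf '%s\n' '#UseDNS yes' '#PubkeyAuthentication yes' \
        'PasswordAuthentication yes' 'X11Forwarding yes' > "$1"
}
```

On a real host run `sshd_apply` (defaults to /etc/ssh/sshd_config) from a session you keep open, and confirm key login from a second session before closing it.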
==Disable unneeded users and services==
==Security==
<pre>
Turn off SELinux; on an internal-network machine turning it off does no harm
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
Check the SELinux status
getenforce

#stop the firewall now
systemctl stop firewalld
#permanently: do not start the firewall at boot
systemctl disable firewalld
#start the firewall now
systemctl start firewalld
#start the firewall at boot
systemctl enable firewalld
#check the firewall status
systemctl status firewalld

On a new machine, testing the web service may fail with the error below if the firewall is not turned off
ERR_ADDRESS_UNREACHABLE

fail2ban
</pre>
==Set the time zone==
If the time is wrong, see
[[Linux时间同步的那些事儿]]
<pre>
yum install ntp
timedatectl set-ntp true
</pre>
<pre>
rm -f /etc/localtime
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
</pre>
==References==
[https://www.jianshu.com/p/d0ef5bd18610 CentOS 7 initialisation script (bash)]
[https://blog.csdn.net/kxwinxp/article/details/78895373 CentOS 7 operations tuning]
[https://blog.csdn.net/wh211212/article/details/52923673 Post-install initialisation of CentOS 7]
[https://blog.51cto.com/wzlinux/2043592 Deployment workflow for a freshly installed CentOS 7 server]
[https://www.cnblogs.com/sdhzdtwhm/p/8027928.html CentOS 7 operating system initialisation]
[https://linux.cn/article-5067-1.html How to use fail2ban to defend an SSH server against brute-force attacks]
[http://www.cnblogs.com/txk1452/p/6361559.html Installing ifconfig on CentOS 7]
[http://blog.51cto.com/feihan21/1060365 Linux server initialisation script]
[https://blog.imdst.com/linux-fu-wu-qi-chu-shi-hua-an-quan-jia-gu/ Linux server initialisation, tuning and security hardening]
[https://www.cnblogs.com/stulzq/p/7610100.html CentOS 7 disk partitioning and mounting on initialisation]
==kernel==
[https://blog.csdn.net/lufeisan/article/details/53339991 The role of the swappiness parameter in balancing memory and swap on Linux]
[[category:linux]][[category:ops]]
Revision as of 07:51, 24 April 2021 (Saturday)