Create a 1-core, 1 GB virtual machine in VMware to serve as the image template, install CentOS 7 on it, and then apply the base optimizations below.
1. Add a regular user
useradd oldboy
echo 123456 | passwd --stdin oldboy
2. Add the user to sudo
visudo   # around line 100, add the following line:
oldboy ALL=(ALL) NOPASSWD: ALL
grep -w oldboy /etc/sudoers
Note: if the regular user is created during OS installation, oldboy is actually added to the wheel group; in /etc/sudoers, wheel is the administrators group.
3. Disable remote root login and log in as the oldboy user instead. Enterprise practice: change the default port 22 to 52113 and tune the remote ssh configuration.
vim /etc/ssh/sshd_config
PermitEmptyPasswords no
UseDNS no
GSSAPIAuthentication no
# line 38: change it to PermitRootLogin no
PermitRootLogin no
ListenAddress 172.16.1.7:52113
systemctl restart sshd
Test an ssh connection as root:
[root@oldboy ~]$ ssh root@192.168.238.128
root@192.168.238.128's password:
Permission denied, please try again.
From now on, log in as oldboy and switch to root with sudo su -.
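The sshd_config edits in step 3 are done by hand in vim above; the following script, an added example that is not part of the original post, applies the same directives idempotently to a given config file path and then verifies them, so a stale commented-out "#PermitRootLogin yes" line cannot be left behind. The listen address 172.16.1.7:52113 is the post's example value; the sample config at the bottom is constructed for the stand-alone run.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: apply the step-3 sshd settings
# idempotently to a given sshd_config path and verify the result before restart.

set_sshd_option() {
  # set_sshd_option FILE KEY VALUE: drop every existing (or commented-out)
  # KEY line, then append one canonical "KEY VALUE" line. Running it twice
  # yields the same file, and no stale "#PermitRootLogin yes" line survives.
  local file="$1" key="$2" value="$3"
  sed -i -E "/^[#[:space:]]*${key}[[:space:]]/d" "$file"
  printf '%s %s\n' "$key" "$value" >> "$file"
}

harden_sshd() {
  # harden_sshd FILE [LISTEN]: the directives the post sets in vim.
  # Caveat: appended lines land after any "Match" block; keep such blocks last.
  local file="$1" listen="${2:-172.16.1.7:52113}"
  set_sshd_option "$file" PermitRootLogin no
  set_sshd_option "$file" PermitEmptyPasswords no
  set_sshd_option "$file" UseDNS no
  set_sshd_option "$file" GSSAPIAuthentication no
  set_sshd_option "$file" ListenAddress "$listen"
}

verify_sshd() {
  # verify_sshd FILE: return 0 only if every hardening directive is active
  # (uncommented, expected value) and sshd listens on the non-default port.
  local file="$1" fail=0 pair
  for pair in "PermitRootLogin no" "PermitEmptyPasswords no" \
              "UseDNS no" "GSSAPIAuthentication no"; do
    grep -Eq "^${pair}[[:space:]]*$" "$file" || { echo "missing: $pair" >&2; fail=1; }
  done
  grep -Eq '^ListenAddress[[:space:]]+[0-9.]+:52113[[:space:]]*$' "$file" \
    || { echo "missing: ListenAddress on port 52113" >&2; fail=1; }
  return "$fail"
}

demo() {
  # Constructed sample config (not a real system file): insecure defaults throughout.
  local tmp; tmp=$(mktemp)
  printf '#Port 22\n#PermitRootLogin yes\nPermitEmptyPasswords yes\nGSSAPIAuthentication yes\n' > "$tmp"
  harden_sshd "$tmp"
  verify_sshd "$tmp" && echo "hardened: $tmp (check with 'sshd -t -f $tmp' before restarting)"
  rm -f "$tmp"
}
demo
```

On a real host run `sshd -t -f /etc/ssh/sshd_config` after `harden_sshd` and before `systemctl restart sshd`, and keep the current session open until a second session on port 52113 has succeeded.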
4. Update the yum sources: configure the Aliyun yum mirror
mv /etc/yum.repos.d/CentOS-Base.repo{,.backup}
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
# or, equivalently, with curl:
curl -s -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
Third-party (EPEL) source
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
# or, equivalently, with curl:
curl -s -o /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
5. Install commonly used software
yum -y update   # update every package to the latest version; optional
yum -y install tree nmap dos2unix lrzsz nc lsof wget tcpdump htop iftop iotop sysstat nethogs rsync
yum -y install psmisc net-tools bash-completion vim-enhanced
yum -y install lrzsz openssh-clients telnet gcc gcc-c++ wget sysstat net-tools nss nss-devel unix2dos dos2unix unzip bc
yum -y update bash glibc glibc-devel glibc-common glibc-headers
yum -y install ncurses-devel make cmake bison automake autoconf openssl openssl-devel libtirpc libtirpc-devel
yum -y install gd gd-devel libjpeg libjpeg-devel libpng libpng-devel zlib zlib-devel freetype freetype-devel libxml2 libxml2-devel curl curl-devel libxslt libxslt-devel pcre pcre-devel libtool
6. Security optimization
a. Disable SELinux
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
grep 'SELINUX=disabled' /etc/selinux/config
setenforce 0
getenforce
b. Temporarily stop the firewall
systemctl stop firewalld
systemctl disable firewalld
systemctl status firewalld | grep inactive
8. Manually add an administrator account (optional)
useradd oldgirl -G wheel
id oldgirl
echo 111111 | passwd --stdin oldgirl
9. Set the character set (optional)
Method 1
cp /etc/locale.conf{,.ori}
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
source /etc/locale.conf
echo $LANG
Method 2
cp /etc/locale.conf{,.ori}
localectl set-locale LANG="zh_CN.UTF-8"
cat /etc/locale.conf
9. Time synchronization
yum -y install ntpdate
/sbin/ntpdate ntp3.aliyun.com
echo "*/5 * * * * /sbin/ntpdate ntp3.aliyun.com &>/dev/null" >> /var/spool/cron/root
crontab -l
10. Base optimization: improve command-line security (optional)
echo 'export TMOUT=300' >> /etc/profile
echo 'export HISTSIZE=5' >> /etc/profile
echo 'export HISTFILESIZE=5' >> /etc/profile
tail -3 /etc/profile
. /etc/profile
11. Raise the file descriptor limit
echo '* - nofile 65535' >> /etc/security/limits.conf
tail -1 /etc/security/limits.conf
ulimit -SHn 65535
ulimit -n
12. Base optimization: tune kernel parameters
cat >>/etc/sysctl.conf<
13. Modify the yum configuration file
In /etc/yum.conf, change keepcache=0 to keepcache=1
sed -i.bak 's#keepcache=0#keepcache=1#g' /etc/yum.conf
grep 'keepcache=1' /etc/yum.conf
14. Lock down key files
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
15. Clear /etc/issue and /etc/issue.net
[root@oldboy ~]$ > /etc/issue && > /etc/issue.net
16. Clean up unused system (pseudo) accounts (optional)
17. Password-protect the grub menu (optional)
grub2-setpassword
18. Disable ping (kernel parameter)
# add the ping-blocking parameter to /etc/sysctl.conf
net.ipv4.icmp_echo_ignore_all = 1
19. Trim the services enabled at boot; keep only the following:
sshd|crond|sysstat|rsyslog|NetworkManager|irqbalance