1、linux系统优化安全升级
电信RHEL6.6
-4.Hostname
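# --- Hostname, resolver, root password, firewall ---------------------------
# Set the key by name; the original replaced line 2 of the file by number,
# which clobbers whatever is on that line if the file was ever edited.
sed -i 's/^HOSTNAME=.*/HOSTNAME=abm25/' /etc/sysconfig/network
# Truncates the resolver config (as the original did): name resolution is
# broken until nameserver lines are added back.
: > /etc/resolv.conf
# The root password must not be written into this runbook: it ends up in the
# page, in backups and in shell history (HISTSIZE is raised to 50000 later).
# Export ROOT_PASSWORD in the calling shell (e.g. `read -rs ROOT_PASSWORD`)
# and rotate it after the build; the value the original hard-coded here has
# to be treated as compromised.
: "${ROOT_PASSWORD:?export ROOT_PASSWORD before running this step}"
printf '%s\n' "$ROOT_PASSWORD" | passwd --stdin root
# Flushing the ruleset and then saving it persists an empty (accept-all)
# iptables policy across reboots. Keep that to the build window and load a
# real ruleset when the host goes live; step 15 below stops iptables again.
iptables -F
service iptables save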
-3.vmtools
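# --- VMware Tools ------------------------------------------------------------
# The original put the weihu SFTP password on the command line; lftp prompts
# for it when only the user name is given. The rest of the original lftp
# command (the get of the tarball) was lost in extraction — fetch
# VMwareTools-8.6.11-1310128.tar.gz into the current directory.
lftp -u weihu sftp://136.5.176.162
# NOTE(review): nothing verifies the tarball before its installer runs as
# root; compare its checksum with the copy on the ESXi host first.
tar zxvf VMwareTools-8.6.11-1310128.tar.gz
# Only run the installer if the extracted directory is actually there.
cd vmware-tools*/ || exit 1
./vmware-install.pl --default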
-2.Yum
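# --- Yum repository ----------------------------------------------------------
mv /etc/yum.repos.d/rhel-source.repo /tmp
# Written with a heredoc instead of "vi" so the step is reproducible. The
# mirror is plain HTTP: gpgcheck=1 protects package contents but not the
# repodata, so keep gpgcheck on and only point this at the internal mirror.
cat > /etc/yum.repos.d/rhel-source.repo <<'EOF'
[rhel-source]
name=Red Hat Enterprise Linux $releasever - $basearch - Source
baseurl=http://136.5.176.162/iso/redhat6.6/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
# NOTE(review): the original immediately rewrote baseurl to the redhat6.4
# tree, i.e. older packages than the 6.6 release this runbook is for. Kept,
# but matched by key instead of line number; drop it if 6.6 is mirrored.
sed -i 's|^baseurl=.*|baseurl=http://136.5.176.162/iso/redhat6.4/|' /etc/yum.repos.d/rhel-source.repo
yum clean all
yum makecache
# telnet*, vsftpd* and gdm add clear-text / remote-login services that the
# service step later only partly disables; remove them from this list if the
# host does not need them.
yum install -y ftp lftp zlib* openssl* pam* gdm ruby telnet* vsftpd* \
  gcc dstat mcelog iotop lsscsi libstdc++* libcap*
# The original ended the group list with a trailing backslash, which spliced
# the next heading onto the command line.
yum groupinstall -y basic-desktop x11 development eclipse \
  compat-libraries storage-client-multipath nfs-file-server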
-1.双网卡
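# --- Bonded NIC (mode=1, active-backup) --------------------------------------
# NOTE(review): the original named the slaves inconsistently — rc.local
# enslaved eth1 and eth5, but the second slave file was opened as ifcfg-eth1
# (again) with DEVICE=enp1s0f0. The file name must match its DEVICE= line, so
# confirm both names with `ip link` before running this.
BOND_SLAVE1=eth1
BOND_SLAVE2=eth5   # original also wrote enp1s0f0 here — verify
cd /etc/sysconfig/network-scripts/ || exit 1
mv ifcfg-enp1s0f0 bakifcfg-enp1s0f0
mv ifcfg-enp130s0f1 bakifcfg-enp130s0f1
# With MASTER=/SLAVE= in the ifcfg files ifup enslaves the ports itself; the
# rc.local line (garbled to "ifensla ve" in the original) is kept as the
# belt-and-braces fallback it was.
echo "ifenslave bond0 ${BOND_SLAVE1} ${BOND_SLAVE2}" >> /etc/rc.d/rc.local
# BOOTPROTO=yes is not a documented value (ifup happened to treat it as
# static); a static address is BOOTPROTO=none.
cat > ifcfg-bond0 <<'EOF'
DEVICE=bond0
BOOTPROTO=none
IPADDR=136.5.225.100
GATEWAY=136.5.225.97
NETMASK=255.255.255.224
ONBOOT=yes
BONDING_OPTS="mode=1 miimon=200"
EOF
# Both slave files are identical apart from DEVICE.
for slave in "$BOND_SLAVE1" "$BOND_SLAVE2"; do
  cat > "ifcfg-${slave}" <<EOF
DEVICE=${slave}
ONBOOT=yes
BOOTPROTO=none
MASTER=bond0
SLAVE=yes
TYPE=Ethernet
EOF
done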
0.useradd
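# --- Accounts ----------------------------------------------------------------
# Passwords come from the environment; the original hard-coded three of them
# in this file (and, via passwd --stdin on the command line, into shell
# history). Treat the original values as compromised and rotate them.
: "${IBNMS_PASSWORD:?export IBNMS_PASSWORD first}"
: "${WEIHU_PASSWORD:?export WEIHU_PASSWORD first}"
: "${USER_PASSWORD:?export USER_PASSWORD first}"
# One call creates the account with /ibnms as its home, replacing the
# original useradd + mkdir + chown + usermod -d sequence (which also left an
# unused /home/ibnms behind).
useradd -d /ibnms -m ibnms
printf '%s\n' "$IBNMS_PASSWORD" | passwd --stdin ibnms
useradd weihu
printf '%s\n' "$WEIHU_PASSWORD" | passwd --stdin weihu
# "user" is a generic shared login and cannot be attributed in audit logs;
# prefer one account per person, or lock this one when not in use.
useradd user
printf '%s\n' "$USER_PASSWORD" | passwd --stdin user
# The original also ran `userdel nobody`. nobody is a system account that
# vsftpd, among others, uses as its default unprivileged user; deleting it
# breaks that privilege separation rather than hardening anything, so it is
# kept. The anonymous-FTP account can go (anonymous FTP is disabled later).
userdel ftp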
1. profile
echo "TMOUT=300">>/etc/profile
sed -i 's/HISTSIZE=1000/HISTSIZE=50000/g' /etc/profile
echo 'stty erase ^H'>> / 8、etc/profile
echo "" >> /etc/profile
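#2. su — restrict to the wheel group
cp /etc/pam.d/su /etc/pam.d/su.bak
# Uncomment the pam_wheel line RHEL ships rather than overwriting line 6 by
# number (which silently replaces a different line on an edited file).
sed -i 's/^#[[:space:]]*\(auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid\)/\1/' /etc/pam.d/su
grep -q '^auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so' /etc/pam.d/su \
  || echo 'WARNING: pam_wheel line not found in /etc/pam.d/su; add it by hand' >&2
usermod -a -G wheel weihu
# Kept from the original, but on a PAM-based su it is the pam_wheel line
# above that enforces the restriction; SU_WHEEL_ONLY is not consulted.
echo 'SU_WHEEL_ONLY yes' >> /etc/login.defs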
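#3. Password ageing, umask and PAM password/lockout policy
cp /etc/login.defs /etc/login.defs.bak
# Match the keys; the original replaced lines 25-27 by number.
sed -i 's/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS 60/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS[[:space:]].*/PASS_MIN_DAYS 10/' /etc/login.defs
sed -i 's/^PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN 8/'    /etc/login.defs
# Only comment out a UMASK *setting* (the original pattern also hit the word
# inside comments), then append the hardened value.
sed -i 's/^UMASK/#UMASK/' /etc/login.defs
echo "UMASK 027" >> /etc/login.defs
sed -i 's/umask 022/umask 027/g' /etc/profile
# PAM evaluates each stack in file order. The original appended its two
# lines to the END of system-auth, after pam_unix/pam_deny, so neither the
# complexity rule nor the lockout was ever consulted. Put them in place:
# update the stock pam_cracklib line (or insert one before pam_unix), insert
# pam_tally before pam_unix in the auth stack, and add its account-phase
# line so the counter is reset by a successful login.
# NOTE(review): authconfig regenerates system-auth and discards hand edits;
# if authconfig is used on these hosts, make the change through it instead.
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
cracklib_args='try_first_pass retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1'
if grep -q '^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so' /etc/pam.d/system-auth; then
  sed -i "s/^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so.*/password    requisite     pam_cracklib.so ${cracklib_args}/" /etc/pam.d/system-auth
else
  sed -i "/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/i password    requisite     pam_cracklib.so ${cracklib_args}" /etc/pam.d/system-auth
fi
sed -i '/^auth[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/i auth        required      pam_tally.so onerr=fail deny=5 unlock_time=300' /etc/pam.d/system-auth
sed -i '/^account[[:space:]]\+required[[:space:]]\+pam_unix\.so/i account     required      pam_tally.so' /etc/pam.d/system-auth
# Keep the pre-change copy with root's files rather than in shared,
# periodically cleaned /tmp.
cp -a /etc/passwd /root/passwd.bak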
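#4. Disable direct root login over SSH
# sshd honours the FIRST occurrence of a directive, so appending to the end
# of sshd_config does nothing if an uncommented PermitRootLogin already
# exists above it. Rewrite an existing (commented or not) line; otherwise
# append.
if grep -q '^#\?PermitRootLogin' /etc/ssh/sshd_config; then
  sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
else
  echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
fi
# Check the file before reloading, keep this session open, and confirm a new
# login as a wheel member (weihu) works before closing it.
sshd -t && service sshd reload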
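#5. Logging: rotation, rsyslog, file modes
sed -i 's/rotate 4/rotate 20/g' /etc/logrotate.conf
# RHEL 6 ships rsyslog; nothing reads /etc/syslog.conf on this release, so
# the original's three appends were silently ignored. Append to rsyslog.conf.
# The original `cron.*` line had no action (invalid); it is given the stock
# target. authpriv.* -> /var/log/secure duplicates the stock rule harmlessly.
# NOTE(review): the original forwarded '*.* @127.0.0.1', i.e. every message
# over UDP to the host itself — dropped with no UDP listener, looped with
# one. Forward to the central log host instead (set LOGHOST first).
: "${LOGHOST:?export LOGHOST=<central syslog host> first}"
cat >> /etc/rsyslog.conf <<EOF
authpriv.*                                              /var/log/secure
cron.*                                                  /var/log/cron
*.* @${LOGHOST}
EOF
service rsyslog restart
# Auth and system logs must not be world-readable (the original set 744).
chmod 600 /var/log/messages /var/log/secure /var/log/maillog \
          /var/log/cron /var/log/spooler /var/log/boot.log
chmod 644 /etc/passwd
chmod 400 /etc/shadow      # root reads it regardless of mode
chmod 644 /etc/group
chmod 644 /etc/services
chmod 600 /etc/xinetd.conf
# /etc/security is a directory: 600 (the original) removes the execute bit,
# so PAM modules running in a non-root process cannot open the files inside
# it. Leave the directory traversable; restrict individual files if needed.
chmod 755 /etc/security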
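#6. Login banners
# The stock /etc/issue and /etc/issue.net print OS/kernel details at the
# prompt; replace both with the warning text. The original's second mv was
# garbled to "mv /etc/ /etc/.bak" (which would have failed) — it was almost
# certainly issue.net.
mv /etc/issue /etc/issue.bak
mv /etc/issue.net /etc/issue.net.bak
BANNER_TEXT=" Authorized only. All activity will be monitored and reported "
printf '%s\n' "$BANNER_TEXT" > /etc/ssh_banner
printf '%s\n' "$BANNER_TEXT" > /etc/issue
printf '%s\n' "$BANNER_TEXT" > /etc/issue.net
# The original wrote /etc/ssh_banner but never told sshd to display it.
grep -q '^Banner' /etc/ssh/sshd_config \
  || echo 'Banner /etc/ssh_banner' >> /etc/ssh/sshd_config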
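#9. Kernel / resource limits (old)
# Raised for the application (the original's last line was garbled:
# "limits 14、conf"). NOTE(review): nproc 65535 for "*" plus an effectively
# unlimited maxlogins removes the fork-bomb ceiling that the stock
# 90-nproc.conf gives non-root users; scope these to the service account
# (ibnms) if anyone else logs in here.
cat >> /etc/security/limits.conf <<'EOF'
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
* - maxlogins 65535
EOF
sed -i 's/1024/65535/g' /etc/security/limits.d/90-nproc.conf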
#10. Permissions (no commands in the original)
#11. Time sync (old)
# Appends the site NTP server. The distribution's default pool entries stay
# in ntp.conf unless removed, so the host may still also use external peers.
printf 'server %s\n' 136.0.24.13 >> /etc/ntp.conf
chkconfig ntpd on
service ntpd restart
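#12. Boot-time services
# Several names in the original list are RHEL 5 services that do not exist
# on RHEL 6 (e.g. portmap, kudzu, rawdevices; "syslog" is rsyslog here) —
# chkconfig just prints an error for those. Unknown services are now
# reported explicitly instead. The original also enabled portreserve and
# later disabled it; the last word (off) is kept. Its "udp 631" remark
# describes cups/ipp, not portreserve.
# NOTE(review): ip6tables is switched off while iptables is also stopped in
# step 15, leaving the host with no local packet filter at all.
disable_services=(
  apmd netfs yppasswdd ypserv dhcpd portmap lpd nfs sendmail snmpd snmptrapd
  rstatd atd cups bluetooth hidd ip6tables ipsec autofs
  avahi-daemon avahi-dnsconfd        # 5353/udp mDNS
  cpuspeed isdn nfslock nscd pcscd acpid firstboot mcstrans microcode_ctl
  rpcgssd rpcidmapd rpcbind
  postfix                            # 25/tcp smtp
  setroubleshoot xfs xinetd restorecond anacron ypbind tftp pox printer
  telnet NetworkManager
  tog-pegasus                        # 5989/tcp https (CIM)
  portreserve
)
enable_services=(
  rawdevices mcelogd crond kudzu network readahead_early sshd rsyslog auditd
)
# set_service <on|off> <name>: apply only if chkconfig knows the service.
set_service() {
  if chkconfig --list "$2" >/dev/null 2>&1; then
    chkconfig "$2" "$1"
  else
    printf 'skip: service %s is not installed\n' "$2" >&2
  fi
}
for svc in "${disable_services[@]}"; do set_service off "$svc"; done
for svc in "${enable_services[@]}";  do set_service on  "$svc"; done
# The original joined these with &&, so when NetworkManager was not running
# the network restart was skipped.
service NetworkManager stop
service network restart
service snmptrapd stop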
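#14. sshd DNS lookups, SELinux
# Works on the stock file, where the directive is commented ("#UseDNS yes");
# an already-uncommented line is left untouched.
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
# NOTE(review): this turns SELinux off completely (effective after reboot).
# SELINUX=permissive keeps the audit trail without enforcement and is the
# safer middle ground for an application host; going back from "disabled"
# to enforcing later needs a full relabel (touch /.autorelabel).
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
#15. iptables (old)
# With iptables stopped here and ip6tables disabled in the service step the
# host relies entirely on the network perimeter; load a ruleset before the
# host goes live.
service iptables stop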
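#7. Login notice / motd (old)
# The original test was `if [$netbond ge 1]` — no spaces and no `-ge`, a
# syntax error — and it scraped ifconfig output; the `export`s were
# unnecessary. Detect the bond with `ip` and read the address from it.
# NOTE(review): $HOSTNAME is the shell's value at login; after the
# /etc/sysconfig/network change it shows the new name only once `hostname`
# has been run or the host rebooted.
if ip link show bond0 >/dev/null 2>&1; then
  motd_if=bond0
else
  motd_if=eth1
fi
motd_ip=$(ip -4 -o addr show dev "$motd_if" | awk '{print $4}' | cut -d/ -f1 | head -n1)
# Same layout as the original echo -e: blank line, host@ip, blank line.
printf '\n%s@%s\n\n' "$HOSTNAME" "$motd_ip" > /etc/motd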
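## cp — install the prepared repo file and the nmon binary from the
## working directory
mv /etc/yum.repos.d/rhel-source.repo /etc/yum.repos.d/rhel-source.repo.bak
cp rhel-source.repo /etc/yum.repos.d/rhel-source.repo
# nmon is an unsigned binary fetched by hand (step 17); check its checksum
# against the vendor's before putting it in the system path.
cp nmon /usr/bin
# The original's 775 made a file in /usr/bin group-writable; executables in
# the system path are 755.
chmod 755 /usr/bin/nmon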
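#13. FTP / vsftpd (old)
# NOTE(review): FTP carries credentials and data in clear text; sshd is
# already on the host, so prefer SFTP unless a client truly needs FTP.
sed -i 's/anonymous_enable=YES/anonymous_enable=NO/g' /etc/vsftpd/vsftpd.conf
# Left commented, as in the original. Without chroot_local_user=YES every
# FTP user can walk the whole filesystem (subject to file modes); enable it
# unless the users genuinely need that.
#sed -i 's/#chroot_local_user=YES/chroot_local_user=YES/g' /etc/vsftpd/vsftpd.conf
sed -i 's/#ftpd_banner/ftpd_banner/g' /etc/vsftpd/vsftpd.conf
echo 'dual_log_enable=YES' >> /etc/vsftpd/vsftpd.conf
echo 'vsftpd_log_file=/var/log/vsftpd.log' >> /etc/vsftpd/vsftpd.conf
# nopriv_user is the account vsftpd drops to for its unprivileged helper.
# The original set it to weihu — an interactive, wheel-member login — which
# defeats that privilege separation. Use a dedicated login-less system
# account so the setting does not depend on the nobody account either.
getent passwd ftpnopriv >/dev/null \
  || useradd -r -M -s /sbin/nologin ftpnopriv
sed -i '/^#\?nopriv_user=/c nopriv_user=ftpnopriv' /etc/vsftpd/vsftpd.conf
grep -q '^nopriv_user=' /etc/vsftpd/vsftpd.conf \
  || echo 'nopriv_user=ftpnopriv' >> /etc/vsftpd/vsftpd.conf
chkconfig vsftpd on
service vsftpd start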
/etc/vsftpd/user_list：仅当 userlist_deny=NO 时才是允许列表；默认 userlist_deny=YES 时它是禁止列表 (allow-list only with userlist_deny=NO; a deny-list by default)
/etc/vsftpd/ftpusers：始终为禁止列表 (always a deny-list)
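#15. OpenSSH built from source (the original heading said "glibc", but the
# commands below install an sshd init script and check `ssh -V`)
mkdir glibc
cd glibc || exit 1
# The fetch, extract and ./configure lines were garbled in the source and
# could not be recovered; the original lftp line also carried the weihu
# password (lftp prompts when only the user is given). Verify the tarball's
# signature against the OpenSSH release key before building it as root.
lftp -u weihu sftp://136.5.176.162
# ... tar xzf / cd <src> / ./configure — recover from the original runbook
make && make install
mv /etc/init.d/sshd /tmp/sshd
cp contrib/redhat/sshd.init /etc/init.d/sshd
# Validate the config with the newly installed sshd (use its full path if
# it is not first in $PATH) and keep this session open until a fresh login
# succeeds — a broken sshd here locks everyone out of the host.
sshd -t && service sshd restart
ssh -V
cd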
17.nmon
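# Fetch the nmon binary. The original lftp line carried the weihu password
# and was truncated in extraction; lftp prompts when only the user is given.
lftp -u weihu sftp://136.5.176.162
# Cron entries for the account that owns /home/weihu/nmon (crontab -e).
# The original cleanup schedule was `* * * * 1`, i.e. every minute for the
# whole of Monday — once a week is almost certainly what was meant, so it is
# shown as 00:00 Monday. `-delete` replaces `-exec rm -rf {} \;` (only
# regular files match -type f, so -rf bought nothing).
#   0 0 * * 1  find /home/weihu/nmon/ -type f -mtime +7 -delete
#   1 1 * * *  nmon -s60 -c1430 -f -m /home/weihu/nmon/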
18.kdump
# Only reports whether the crash-dump service is running; nothing here
# enables or configures it.
service kdump status
19.Xmanager不做了
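# 19. Xmanager — skipped (per the heading). Kept for reference only and
# commented out: AllowRemoteRoot=true together with XDMCP on 177/udp offers
# an unencrypted remote root graphical login to anyone who can reach the
# port. If remote X is ever needed, forward X11 over SSH instead.
#yum install -y gdm
#cat >> /etc/gdm/custom.conf <<'EOF'
#[security]
#AllowRoot=true
#AllowRemoteRoot=true
#[xdmcp]
#Port=177
#Enable=true
#EOF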
20.itsm 不做了
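# 20. ITSM agent — skipped (per the heading). The original switched to the
# ibnms account and fetched the agent; its lftp line embedded the weihu
# password and was truncated in the source. Commented out so it is not run
# by accident.
#su - ibnms
#lftp -u weihu sftp://136.5.176.162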






