1、禁用密码登录系统
## 备份原文件cp /etc/ssh/sshd_config /etc/ssh/sshd_config-`date +%Y%m%d%H`## 禁用密码登录sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config && service sshd restartsed -i '63a\ \ \StrictHostKeyChecking no' /etc/ssh/ssh_configsed -i '63a\ \ \UserKnownHostsFile /dev/null' /etc/ssh/ssh_configecho root >/etc/cron.allow
2、配置用户登录权限
## 根据需要修改连接端口和密钥认证文件
##### LITB OPS #####
#Port 22
#Port 25552
PermitRootLogin yes
MaxAuthTries 5
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/auth_keys
UseDNS no
MaxAuthTries 5
ClientAliveINterval 90
ClientAliveCountMax 3
MaxStartups 10:30:100
IgnoreRhosts yes
PermitUserEnvironment no
MACs hmac-sha2-512,hmac-sha2-256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
AllowGroups root admin dev sync ezops ezdev wheel
AllowUsers root ezops ezdev
AllowUsers redis@10.50.0.226
Denyusers dev sync consul work oracle mysql mongo
3、清理temp目录
cd /tmp/
rm log_to_s3.log ssh-* .X* .T* .I* .f* h* -rf
4、用户进程数修改
cat <<EOF>>/etc/security/limits.d/20-nproc.conf
soft nproc 65535
hard nproc 65535
EOF
5、修改系统内核参数
cat <<EOF>>/etc/sysctl.conf
## elight-ops
net.ipv6.conf.eth0.accept_dad = 0
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.accept_ra_defrtr = 1
net.ipv6.conf.eth0.accept_ra_rtr_pref = 1
net.ipv6.conf.eth0.accept_ra_rt_info_max_plen = 1
#vm.swappiness=10
#net.ipv4.neigh.default.gc_stale_time=120
# see details in https://help.aliyun.com/knowledge_detail/39428.html
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2
# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets=5000
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=1024
net.ipv4.tcp_synack_retries=2
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
#kernel.sysrq=1
#net.nf_conntrack_max=1048576
#net.netfilter.nf_conntrack_max=1048576
#net.bridge.bridge-nf-call-iptables=1
net.ipv4.ip_forward=1
fs.file-max=655360
vm.max_map_count=500000net.ipv4.tcp_sack=0
net.ipv4.tcp_max_orphans=655360
net.core.netdev_max_backlog=64000
net.ipv4.tcp_max_syn_backlog=65536
net.core.netdev_max_backlog = 65535
net.core.somaxconn = 65535
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.ip_local_port_range = 15000 65000
net.ipv4.tcp_max_syn_backlog = 3240000
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
net.ipv4.tcp_mem = 12582912 12582912 12582912
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_max_tw_buckets = 10240
net.ipv4.tcp_congestion_control = cubic
net.ipv4.tcp_keepalive_time = 200
EOF
#### CPU 压力测试
sysbench cpu run --threads=16 --time=60
6、limit配置修改
cat <<EOF>>/etc/security/limits.conf
root soft nofile 655350
root hard nofile 65535
* soft nofile 655350
* hard nofile 655350
* soft nproc 655350
* hard nproc 655350
* soft core 0
* hard core 0
* soft stack unlimited
* hard stack unlimited
* soft memlock unlimited
* hard memlock unlimited
EOF
7、路由配置
cat <<EOF>>/etc/sysconfig/network-scripts/route-em2
10.50.0.0/16 via 172.16.0.204
#10.20.0.0/16 via 172.16.0.204
172.27.0.0/16 via 172.16.0.66
172.23.0.0/16 via 172.16.0.66
172.18.0.0/16 via 172.16.0.192
172.19.0.0/16 via 172.16.0.192
EOF
8、修改系统时区
rm /etc/localtime -rf
## cst
ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
## PDT
ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
## utc
ln -s /usr/share/zoneinfo/UTC /etc/localtime
8、配置邮件服务
cat <<EOF>> /etc/mail.rc
set from=ops_monitor@lightthebox.com
#set smtp=smtphz.qiye.163.com
set smtp=hwsmtp.exmail.qq.com
#set smtp=smtp.exmail.qq.com
set smtp-auth-user=ops_monitor@lightthebox.com
set smtp-auth-password=2Ps=n~9|8XUfxvin
set smtp-auth=login
set ssl-verify=ignore
set nss-config-dir=/etc/maildbs/
EOF
9、clean_cache
#!/bin/bash
#by author:albert.dong
#Mailto:dongliang101@gmail.com
# The Nginx logs path
#0 0 * * * /data/scripts/clean_cache.sh
#######################################################
#set -x
mem_total=`free -m | awk 'NR==2' | awk '{print $2}'`
mem_free=`free -m | awk 'NR==3' | awk '{print $4}'`
## 当前已使用内存大小
mem_used=`free -m | grep Mem | awk '{print $3}'`
echo "$mem_used " >>/tmp/memstat_$(date +%Y%m%d_%H%M).log
#if (($mem_used != 0)); then
#mem_per=0`echo "scale=2;``mem_free/``mem_total" | bc`
#DATA="$(date -d "today" +"%Y-%m-%d-%H-%M") free percent is : $mem_per"
#echo $DATA >> /var/log/mem_detect.log
#
#
#mem_warn=0.20
#mem_now=`expr ``mem_per \> ``mem_warn`
#
#
#if (($mem_now == 0)); then
sync
#表示清除pagecache和slab分配器中的缓存对象。
echo 3 > /proc/sys/vm/drop_caches
echo 1 > /proc/sys/vm/drop_caches
free -m >>/tmp/memstat_$(date +%Y%m%d_%H%M).log
ps aux|head -1;ps aux|grep -v PID|sort -rn -k +4|head >>/tmp/memstat_$(date +%Y%m%d_%H%M).log
ps aux|head -1;ps aux|grep -v PID|sort -rn -k +3|head >>/tmp/memstat_$(date +%Y%m%d_%H%M).log
echo "--->`date +%Y%m%d%H%M` ! " >>/tmp/memstat_$(date +%Y%m%d_%H%M).log
#echo "--->`date +%Y%m%d%H%M` ! " >>/tmp/memstat_$(date +%Y%m%d_%H%M%S).log
echo "--->release memory OK ! " >>/tmp/memstat_$(date +%Y%m%d_%H%M).log
find /tmp/ -name "memstat*" -mtime +30 -print |xargs rm -rf >> /tmp/memstat_$(date +%Y%m%d_%H%M).log
#fi
#fi
echo "01 00 * * * root bash /data/scripts/clean_cache.sh" >>/etc/crontab
10、手动封IP
/etc/hosts.allow
sshd: x.x.x.x,192.168.1.0/24,10.21.0.0/8,172.29.0.0/16
/etc/hosts.deny
sshd: all
ALL: x.x.x.x,192.168.1.0/24,10.21.0.0/8,172.29.0.0/16
11、fail2ban 配置ssh自动拦截
## centos
yum install -y fail2ban-* pwgen expect nmap masscan arp-scan arping bash-completion qpress bash-completion-extras bind-utils libevent libevent-devel nfs-utils wget vim tree nmap telnet
## debian
apt-get install -y fail2ban* lrzsz vim wget curl rsync lsof man-pages-zh-CN
systemctl enable fail2ban.service
sed -i '287aenabled = true' /etc/fail2ban/jail.conf
sed -i '288amaxretry = 5' /etc/fail2ban/jail.conf
sed -i '289afindtime = 60' /etc/fail2ban/jail.conf
sed -i '290abantime = 3600' /etc/fail2ban/jail.conf
sed -i '295aenabled = true' /etc/fail2ban/jail.conf
sed -i '301aenabled = true' /etc/fail2ban/jail.conf
## 启动服务
systemctl enable fail2ban.service &&systemctl restart fail2ban.service
## 查看ssh 异常IP拦截状态
fail2ban-client status sshd
12、bash环境变量配置
cat <<EOF>>/etc/bashrc
### by author:albert-dong
alias grep='grep --color=auto'
alias ls='ls -hF --color=auto'
alias la='ls -ahF --color=auto'
alias dir='ls --color=auto --format=long'
alias ll='ls -l --color=auto'
alias drop='f(){ sync;sleep 3; echo 3 > /proc/sys/vm/drop_caches; free -h;}; f'
alias p100='ping -c 100 -i 0.01'
alias tarl='f(){ tar -tvf \$1;};f'
alias size='f(){ du -sh \$1* | sort -hr; }; f'
alias cd='f(){ cd \$1;ls -lrtkh;};f'
alias nets='netstat -ntlp'
### 历史记录
HISTSIZE=
HISTFILESIZE=
USER_IP=\`who -u am i 2>/dev/null| awk '{print \$NF}'|sed -e 's/[()]//g'\`
export HISTTIMEFORMAT="%F %T [\${USER_IP}] \`whoami\`: "
alias cman='man -M /usr/share/man/zh_CN'
alias sd='sudo su - '
alias ll='ls -l --color=auto'
export PS1='\[\033[1;33;1m\][\[\033[0;32;1m\]\u@\h \[\033[1;33;1m\]\W\[\033[1;33;1m\]]\[\033[1;33;1m\]\\$\[\033[0m\]'
#export PS1="[\\u@\\h \\W \\A]\\$ "
export HISTCONTROL=ignorespace:erasedups:ignoredups
HISTIGNORE="&:[ ]*:exit:chattr:ls:bg:fg:history:clear:vim:chattr:vi:mysql:useradd:chpasswd"
#eval "\$(thefuck --alias)"
EOF
systemctl start rc-local.service
systemctl enable rc-local.service
chmod +x /etc/rc.d/rc.local
echo "ulimit -HSn 65536" >>/etc/rc.local
echo "swapoff -a" >>/etc/rc.local
13、iptables&firewalld 防火墙配
iptables
iptables -A INPUT -s 139.198.15.88/32 -p tcp -m tcp --dport 8088 -j ACCEPT
iptables -I INPUT 5 -s 139.198.15.88/32 -p tcp -m tcp --dport 8088 -j ACCEPT
iptables -I INPUT 5 -s 139.198.15.88/32 -j ACCEPT
iptables -I INPUT 5 -s 114.113.156.210/32 -j ACCEPT
iptables -A INPUT -s 192.168.1.5 -j DROP
## 防火墙配置备份
iptables-save >>/root/`hostname`-iptables_`date +%Y%m%d%H%M
### 启用firewall 防火墙
systemctl start firewalld.service
systemctl enable firewalld.service
### 查看防火墙配置
iptables -nL --line-number
firewalld
### 启用firewall 防火墙
systemctl start firewalld.service
systemctl enable firewalld.service
### 查看规则
firewall-cmd --list-all
### 配置放行规则
## tcp
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --permanent --zone=public --add-port=10050/tcp
firewall-cmd --permanent --zone=public --add-port=10051/tcp
firewall-cmd --permanent --zone=public --add-port=22/tcp
firewall-cmd --permanent --zone=public --add-port=25066/tcp
firewall-cmd --permanent --zone=public --add-port=2287/tcp
firewall-cmd --permanent --zone=public --add-port=80/tcp
## udp
firewall-cmd --permanent --zone=public --add-port=323/udp
firewall-cmd --permanent --zone=public --add-port=123/udp
## 允许网段访问
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="10.50.0.0/24" accept"
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="10.50.10.0/24" accept"
## manager server
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="10.50.10.186" accept"
## docker server
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="10.50.0.5" port protocol="tcp" port="2375-2377" accept"
## 拒绝IP访问
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.1.100" reject"
## 重新加载配置
firewall-cmd --reload
firewall-cmd --list-all
14、vim配置
cat <<EOF>> /etc/vimrc
"### by author:albert-dong
set nu
syntax on
set showfulltag
"set ignorecase "忽略大小写
"#term
highlight Keyword term=reverse,bold
filetype plugin on " 开启插件
set nowrapscan " 禁止在搜索到文件两端时重新搜索
set incsearch " 输入搜索内容时就显示搜索结果
set hlsearch " 搜索时高亮显示被找到的文本
set noerrorbells " 关闭错误信息响铃
set novisualbell " 关闭使用可视响铃代替呼叫
set t_vb= " 置空错误铃声的终端代码
set tabstop=4
set shiftwidth=4
set softtabstop=4
set expandtab
EOF
15、ssh端口转发
ssh -C -f -N -g -R 1526:172.23.8.113:1521 opssa@172.23.8.113
16、用户known_host配置
cat <<EOF>> ~/.ssh/config
Host *
#AddKeysToAgent yes
Compression yes
ConnectTimeout 10s
# UseKeychain yes
ForwardAgent yes
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
ServerAliveInterval 60
ServerAliveCountMax 5
ControlMaster auto
#ControlPersist 3h
#ControlPath /tmp/sockets/%r@%h-%p
EOF
17、syslog 日志收集
## chrony 时间同步
sed -i 's@^[^#]*centos.pool@#&@g' /etc/chrony.conf
sed -i '6aserver ntpserver-co.ezbuy.me iburst' /etc/chrony.conf
sed -i '6a#server 10.50.0.5 iburst' /etc/chrony.conf
grep 'syslog-co.ezbuy.me' /etc/rsyslog.conf
echo "*.* @@syslog-co.ezbuy.me:514" >>/etc/rsyslog.conf
systemctl restart rsyslog && systemctl restart chronyd
##删除最后一行
#sed -i '$d' /etc/rsyslog.conf
18、禁止普通用户使用cron
echo root >/etc/cron.allow
19、主要文件权限修改
/bin/cp /etc/group /etc/bak_group
/bin/cp /etc/passwd /etc/bak_passwd
/bin/cp /etc/shadow /etc/bak_shadow
#chmod o-r /etc/group
#chmod o-r /etc/passwd
chmod o-r /etc/shadow
chmod go-rx /usr/bin/gcc
chmod go-rx /usr/bin/g++
chmod u-x /usr/bin/chmod
chmod o-x /usr/bin/chmod
chmod o-x /usr/bin/rm
chmod o-x /usr/bin/dd
chmod o-x /usr/bin/telnet
chmod o-x /usr/bin/passwd
chmod o-x /usr/bin/curl
chmod o-x /usr/bin/wget
chmod o-x /usr/bin/mv
chmod o-x /usr/sbin/mkfs
chmod o-x /usr/sbin/mkfs.ext2
chmod o-x /usr/sbin/mkfs.ext3
chmod o-x /usr/sbin/mkfs.ext4
chmod +400 /etc/shadow
chmod +600 /etc/grup.conf
chmod +600 /etc/grup2.conf
chmod +600 /etc/security
chmod 750 /tmp/ -R
chmod 750 /etc/rc.d/init.d
chmod 755 /var/log/cron*
chmod +400 /etc/shadow
chmod +600 /etc/grub.conf
chmod +600 /etc/security
chmod 750 /tmp/ -R
chmod 750 /etc/rc.d/init.d
chmod 755 /var/log/cron*
chattr +i /etc/passwd
chattr +i /etc/group
chattr +i /etc/shadow
chattr +i /etc/ssh/sshd_config
chattr +i /etc/cron.allow
chattr +i /etc/crontab
若有收获,就点个赞吧
0 人点赞
