查看系统32位还是64位
[root@i-92x8m5i3 logs]# uname -r
2.6.32-504.16.2.el6.x86_64
[root@i-92x8m5i3 logs]# uname -a
Linux i-92x8m5i3 2.6.32-504.16.2.el6.x86_64 #1 SMP Wed Apr 22 06:48:29 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@i-92x8m5i3 logs]# ls -d /lib64
/lib64
[root@local-dev ~]# uname -m
x86_64
[root@local-dev ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
配置网卡
使用setup命令,或直接编辑/etc/sysconfig/network-scripts/ifcfg-eth0文件的内容
网卡配置完成后执行ifup eth0启动网卡,再执行ifconfig eth0查看获取到的ip
`ping baidu.com` 检测网络是否畅通
尽量不用/etc/init.d/network restart重启网卡,这会影响物理机上的所有网卡
[root@localhost ~]# ifdown eth0 && ifup eth0
快速重启
网络畅通步骤一,查看网卡
[root@local-dev ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:50:56:94:6B:B4
inet addr:10.0.1.16 Bcast:10.0.1.255 Mask:255.255.254.0
inet6 addr: fe80::250:56ff:fe94:6bb4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9005200 errors:0 dropped:0 overruns:0 frame:0
TX packets:11334373 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1388103677 (1.2 GiB) TX bytes:6820763127 (6.3 GiB)
网络畅通步骤二,查看默认网关
[root@local-dev ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 eth0
网络畅通步骤三,查看dns设置
[root@local-dev ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 114.114.114.114
在centos6.6中,只在对应的ifcfg-eth0网卡配置文件上配置dns;如果在/etc/resolv.conf上配置dns,使用命令
/etc/init.d/network restart
会清除/etc/resolv.conf的dns配置
经过网络畅通三步骤
应该就可以上网了
网卡的配置文件
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0 # 网卡名, eth1第二块网卡名,以此类推
TYPE=Ethernet # 上网类型,以太网
UUID=8d6bdf86-1fda-4334-99bb-74b634018e9d # 唯一标识码
ONBOOT=yes # 开机自启动
NM_CONTROLLED=yes # 是否通过NetworkManager管理网卡设备
BOOTPROTO=dhcp # 启动协议,none|bootp|dhcp三种选项
HWADDR=00:0C:29:50:98:80 # 网卡mac地址
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no # 是否启用IPv6
NAME="System eth0"
LAST_CONNECT=1486401226
IPADDR=10.0.1.16 # 固定IP
PREFIX=23
GATEWAY=10.0.0.1
NETMASK=255.255.255.0 #子网掩码
DNS1=114.114.114.114 # 主DNS,默认会覆盖/etc/resolv.conf的配置
更新系统,打补丁
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
yum clean all
yum makecache
yum update -y # 更新系统,打补丁
安装额外的工具软件包
[root@localhost ~]# yum install tree telnet dos2unix sysstat lrzsz nc nmap -y
sysstat包含了iostat(cpu使用率和硬盘吞吐率)、mpstat(单个或多个处理器相关的数据)、sar(收集、报告并存储系统活跃信息)
yum grouplist # 查看所有包组名称
yum groupinstall "Development Tools" # 指定包组名安装,注意需要双引号
连接不上服务排查
一、检查物理链路是否有问题(客户端执行)
ping 10.0.0.7 # 排查线路问题
windows:tracert -d 10.0.0.7 # 检查线路是否畅通 -d 不进行反向解析
linux:traceroute 10.0.0.7 -n
二、服务是否开启端口(客户端执行)
telnet 10.0.0.7 22
nmap 10.0.0.7 -p 22 (linux环境,需要安装)
三、是否防火墙阻挡(服务端执行)
/etc/init.d/iptables status
例如:检查ssh服务是否开启
[root@i-92x8m5i3 backend]# ps -ef | grep sshd | grep -v grep
root 1075 1 0 May04 ? 00:00:00 /usr/sbin/sshd
root 2100 1075 0 10:25 ? 00:00:00 sshd: root@pts/2
root 5565 1075 0 12:21 ? 00:00:00 sshd: root@pts/3
root 19821 1075 0 Jun26 ? 00:00:03 sshd: root@pts/0,pts/1
[root@i-92x8m5i3 backend]# netstat -lntup | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1075/sshd
tcp 0 0 :::22 :::* LISTEN 1075/sshd
用户
[root@local-dev ~]# useradd ljq
[root@local-dev ~]# passwd ljq
Changing password for user ljq.
New password:
BAD PASSWORD: it is too simplistic/systematic
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@local-dev ~]# su - ljq
[ljq@chuangxin ~]$ whoami
ljq
[ljq@chuangxin ~]$ su - root
Password:
一句话完成密码设置,但是需要该用户已存在
[root@local-dev ~]# echo "1234" | passwd --stdin ljq && history -c
Changing password for user ljq.
passwd: all authentication tokens updated successfully.
[ljq@chuangxin ~]$ 普通用户为$美元符号
[root@local-dev ~]# root用户为#符号
[root@i-92x8m5i3 backend]# whoami # 查看当前用户
root
[root@i-92x8m5i3 backend]# hostname # 查看当前主机名
i-92x8m5i3
[root@local-dev ~]# echo $PS1 # 查看PS1变量(命令提示符格式)
\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@local-dev \[\e[35;40m\]\W\[\e[0m\]]\$
安全设置
关闭SELinux
1、修改SELinux配置文件,使之永久失效(重启后生效)
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@localhost ~]# grep SELINUX=disabled /etc/selinux/config
SELINUX=disabled
2、结合手动关闭,可避免重启
[root@localhost ~]# setenforce 0
setenforce: SELinux is disabled
[root@localhost ~]# getenforce
Disabled
设定运行级别为3(文本模式)
[root@localhost ~]# runlevel
N 3
[root@localhost ~]# grep 3:initdefault /etc/inittab
id:3:initdefault:
实现精简开机
默认启动只需要开启如下5种服务即可
sshd
rsyslog 系统日志守护进程,将各种信息写到各个系统日志文件中
network 激活或关闭各个网络接口
crond
sysstat 检测系统性能及运行效率的工具
设置开机自启动项
方式一,执行命令完成设置
执行ntsysv
命令或执行setup命令,选择system service选项
设置完成后按Tab键选择Exit退出
方式二,使用shell完成设置
注意:只查找3级别的服务项即可
1、先全部关闭,再开启保留项
# 1、先查看level 3的服务开关状况
[root@localhost ~]# LANG=en
[root@localhost ~]# echo $LANG
en
[root@localhost ~]# chkconfig --list
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
blk-availability 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off
#2、关闭后,查看关闭状况
[root@localhost ~]# for oldboy in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 3 $oldboy off;done
[root@localhost ~]# chkconfig --list
auditd 0:off 1:off 2:on 3:off 4:on 5:on 6:off
blk-availability 0:off 1:on 2:on 3:off 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:off 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:off 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:off 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:off 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:off 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:off 4:on 5:on 6:off
network 0:off 1:off 2:on 3:off 4:on 5:on 6:off
postfix 0:off 1:off 2:on 3:off 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:on 3:off 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:off 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:off 4:on 5:on 6:off
# 3、开启后,查看开启状况
[root@localhost ~]# for oldboy in crond network rsyslog sshd sysstat;do chkconfig --level 3 $oldboy on;done
[root@localhost ~]# chkconfig --list
auditd 0:off 1:off 2:on 3:off 4:on 5:on 6:off
blk-availability 0:off 1:on 2:on 3:off 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:off 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:off 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:off 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:off 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:off 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix 0:off 1:off 2:on 3:off 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:off 4:on 5:on 6:off
2、一条命令shell搞定
默认情况下,需要保留的服务,已经开启了,只需要把不用的状态关闭掉即可
[root@localhost ~]# for oldboy in `chkconfig --list | grep "3:on" | awk '{print $1}' | grep -vE "crond|network|sshd|rsyslog|sysstat"`;do chkconfig $oldboy off;done
[root@localhost ~]# chkconfig --list
auditd 0:off 1:off 2:on 3:off 4:on 5:on 6:off
blk-availability 0:off 1:on 2:on 3:off 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:off 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:off 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:off 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:off 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:off 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix 0:off 1:off 2:on 3:off 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:off 3:on 4:off 5:off 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:off 4:on 5:on 6:off
3、循环语句搞定
原理如2,使用命令拼出处理的字符串,然后通过bash将其当做命令执行
[root@localhost ~]# chkconfig --list | grep -vE "crond|sshd|network|rsyslog|sysstat" | awk '{print "chkconfig " $1 " off"}' | bash
# 另外一种写法
[root@localhost ~]# chkconfig --list | grep 3:on | grep -vE "crond|sshd|network|rsyslog|sysstat" | awk '{print $1}' | sed -r 's#(.*)#chkconfig \1 off#g' | bash
上面的操作只是取消了iptables防火墙的开机自启动,当前正在运行的iptables并没有停止,需要执行
[root@localhost ~]# /etc/init.d/iptables stop
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
[root@localhost ~]# /etc/init.d/iptables stop # 重复执行,确认关闭
修改ssh登录端口
1、改配置文件方式
2、使用sed命令改
sudo命令控制用户对系统命令的使用权限
TBD
Linux中文显示设置
[root@localhost ~]# cat /etc/sysconfig/i18n
LANG="zh_CN.UTF-8"
[root@localhost ~]# cp /etc/sysconfig/i18n /etc/sysconfig/i18n.ori
[root@localhost ~]# echo 'LANG="en_us.UTF-8"' > /etc/sysconfig/i18n
[root@localhost ~]# echo $LANG
en_us.UTF-8
[root@localhost ~]# source /etc/sysconfig/i18n # 马上生效
设置Linux时间同步
TBD
历史数据history文件和登录超时设置
TBD
调整Linux文件描述符数量
TBD
Linux内核参数优化
TBD
定时清理邮件服务临时目录垃圾文件
TBD
隐藏Linux版本信息显示
TBD
锁定关键文件,防止篡改
TBD
清除多余虚拟账号
TBD
禁止系统被Ping
TBD
升级具有典型漏洞的软件版本
TBD
基础优化与安全
不用root登录,使用普通用户,通过sudo授权
更改默认ssh端口,禁止root远程登录,甚至修改ssh只监听内网IP
定时自动更新系统时间
更新yum源
关闭SELinux和iptables
调整文件描述符数量。进程及文件的打开都会消耗文件描述符数量
定时自动清零邮件临时目录,防止磁盘inode数量被小文件占满
精简开机任务(如只保留crond、sshd、network、rsyslog、sysstat)
linux内核优化/etc/sysctl.conf,执行sysctl -p生效
更改系统字符集LANG=en_us.UTF-8或LANG=zh_CN.UTF-8
锁定系统关键文件,如/etc/passwd、/etc/shadow、/etc/group、/etc/gshadow、/etc/inittab;处理完以上内容后把chattr、lsattr改名为oldboy并转移,这样就安全多了。
清除系统版本信息,清空或修改/etc/issue、/etc/issue.net,去除登录后的系统信息显示
清除系统多余的虚拟用户账号