linux 新建服务器基线

发布时间 2023-04-20 18:33:11作者: liwenchao1995

linux 新建服务器基线

# Baseline package set for a freshly built CentOS host (yum).
# Kept in an array so the list is reviewable and easy to extend; the
# package order is the same as the one-line form it replaces.
base_pkgs=(
  ntp vim net-tools lsof nc telnet bind-utils
  python3 python3-devel python3-setuptools python3-pip
  python3-rpm-generators python3-libs python3-rpm-macros
  wget
)
yum -y install "${base_pkgs[@]}"
NTP时钟服务器
centos
/etc/ntp.conf
#注释driftfile /var/lib/ntp/drift
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
--ADD
driftfile /var/lib/ntp/drift/ntp.drift
#公网地址
server ntp.aliyun.com minpoll 4 maxpoll 4 prefer
server ntp1.aliyun.com minpoll 4 maxpoll 4 prefer
server ntp2.aliyun.com minpoll 4 maxpoll 4 prefer
server ntp3.aliyun.com minpoll 4 maxpoll 4 prefer
server ntp4.aliyun.com minpoll 4 maxpoll 4 prefer
server ntp5.aliyun.com minpoll 4 maxpoll 4 prefer
server ntp6.aliyun.com minpoll 4 maxpoll 4 prefer
server ntp7.aliyun.com minpoll 4 maxpoll 4 prefer
#专用网络VPC内网
server ntp7.cloud.aliyuncs.com minpoll 4 maxpoll 4 prefer
server ntp8.cloud.aliyuncs.com minpoll 4 maxpoll 4 prefer
server ntp9.cloud.aliyuncs.com minpoll 4 maxpoll 4 prefer
server ntp10.cloud.aliyuncs.com minpoll 4 maxpoll 4 prefer
server ntp11.cloud.aliyuncs.com minpoll 4 maxpoll 4 prefer
server ntp12.cloud.aliyuncs.com minpoll 4 maxpoll 4 prefer
#经典网络内网
server ntp1.cloud.aliyuncs.com minpoll 4 maxpoll 4 prefer
server ntp2.cloud.aliyuncs.com minpoll 4 maxpoll 4 prefer
server ntp3.cloud.aliyuncs.com minpoll 4 maxpoll 4 prefer
server ntp4.cloud.aliyuncs.com minpoll 4 maxpoll 4 prefer
server ntp5.cloud.aliyuncs.com minpoll 4 maxpoll 4 prefer
server ntp6.cloud.aliyuncs.com minpoll 4 maxpoll 4 prefer

ubuntu [system-timesyncd]
列出所有可用的时区
timedatectl list-timezones
修改时区
timedatectl set-timezone Asia/Shanghai
date -R 查看时间
hwclock 写入硬件时间
要修改时间同步服务器,需要修改配置文件/etc/systemd/timesyncd.conf
把 [Time]下的注释取消掉。NTP为主时间同步服务器,FallbackNTP 为备用服务器。
[Time]
NTP=ntp.aliyun.com
FallbackNTP=ntp1.aliyun.com ntp2.aliyun.com ntp3.aliyun.com
RootDistanceMaxSec=5
PollIntervalMinSec=32
PollIntervalMaxSec=2048
systemctl restart systemd-timesyncd 
修改24小时时间制
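# Switch the system locale file to a 24-hour clock (LC_TIME=en_DK.UTF-8).
# Re-runnable: an existing LC_TIME= line is rewritten instead of appending a
# duplicate, and printf replaces echo so the line is written verbatim.
# Arguments: $1 - locale file to edit (normally /etc/default/locale)
# Outputs:   prints the resulting file to stdout
# NOTE(review): en_DK.UTF-8 has to be generated on the target image
# (locale-gen) for LC_TIME to take effect — confirm before rollout.
set_lc_time_24h() {
  local locale_file=$1
  local entry='LC_TIME=en_DK.UTF-8'
  if grep -q '^LC_TIME=' -- "$locale_file" 2>/dev/null; then
    sed -i "s|^LC_TIME=.*|${entry}|" "$locale_file"
  else
    printf '%s\n' "$entry" >> "$locale_file"
  fi
  cat -- "$locale_file"
}
set_lc_time_24h /etc/default/locale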

ubuntu [ntp]
/etc/ntp.conf
注释
#pool 0.ubuntu.pool.ntp.org iburst
#pool 1.ubuntu.pool.ntp.org iburst
#pool 2.ubuntu.pool.ntp.org iburst
#pool 3.ubuntu.pool.ntp.org iburst
#公网地址
server ntp.aliyun.com minpoll 4 maxpoll 4 prefer
server ntp1.aliyun.com minpoll 4 maxpoll 4 prefer
server ntp2.aliyun.com minpoll 4 maxpoll 4 prefer
server ntp3.aliyun.com minpoll 4 maxpoll 4 prefer
server ntp4.aliyun.com minpoll 4 maxpoll 4 prefer
server ntp5.aliyun.com minpoll 4 maxpoll 4 prefer
server ntp6.aliyun.com minpoll 4 maxpoll 4 prefer
server ntp7.aliyun.com minpoll 4 maxpoll 4 prefer


/etc/systemd/system.conf
修改DefaultTasksMax=infinity
/etc/systemd/logind.conf
修改RemoveIPC=no
修改UserTasksMax=infinity

/etc/ssh/sshd_config
修改UseDNS no
/etc/ssh/ssh_config
修改StrictHostKeyChecking no
(注意:该设置会让本机所有外发 SSH 连接跳过主机密钥校验,失去对中间人攻击的防护;如只在自动化场景需要,建议放在 Host 段中限定作用范围,而不是全局生效。)

用户登陆失败锁定策略 | 用户密码复杂度策略
centos
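# Login-failure lockout (pam_tally2) and password complexity (pam_pwquality)
# for CentOS.  The pam_tally2 auth line must sit ABOVE pam_unix.so: when it
# is only appended to the end of the stack, a "sufficient" pam_unix.so that
# succeeds returns before the lockout check runs, so a locked account with
# the correct password is still let in.  The account line can stay at the
# end of the file; it resets the counter after a successful login.
# Arguments: $1 - PAM stack file to edit
# NOTE(review): the *-auth-ac files are regenerated by authconfig, which
# presumably drops these lines again — confirm the edit survives on the
# target image, or apply it after every authconfig run.
add_pam_lockout() {
  local pam_file=$1
  local auth_rule='auth required pam_tally2.so onerr=fail deny=10 unlock_time=3600'
  local account_rule='account     required      pam_tally2.so'
  # idempotent: skip files that already carry the module
  if ! grep -q 'pam_tally2.so' -- "$pam_file"; then
    if grep -q '^auth[[:space:]].*pam_unix\.so' -- "$pam_file"; then
      # insert ahead of the first "auth ... pam_unix.so" line only
      sed -i "0,/^auth[[:space:]].*pam_unix\.so/s//${auth_rule}\n&/" "$pam_file"
    else
      # no pam_unix auth line found: fall back to appending, as before
      printf '%s\n' "$auth_rule" >> "$pam_file"
    fi
    printf '%s\n' "$account_rule" >> "$pam_file"
  fi
}
add_pam_lockout /etc/pam.d/password-auth-ac
add_pam_lockout /etc/pam.d/system-auth-ac
# Password complexity: extend the existing pam_pwquality line in place
# (minimum 8 characters, at least one digit/upper/lower/other, 10 retries).
sed -i "s/^\(password[[:space:]]*requisite[[:space:]]*pam_pwquality.so\).*/\1 try_first_pass local_users_only retry=10 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 authtok_type=/g" /etc/pam.d/system-auth-ac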

ubuntu
/etc/pam.d/login
auth required pam_tally2.so onerr=fail deny=10 unlock_time=3600 even_deny_root root_unlock_time=3600
(/etc/pam.d/login 只对本地控制台登录生效;SSH 登录经由 /etc/pam.d/sshd 引用 common-auth,如需对 SSH 同样锁定,需要在 common-auth 中加入同一行,并放在 pam_unix.so 之前。)
apt-get install -y libpam-cracklib
/etc/pam.d/common-password
password requisite pam_cracklib.so retry=10 minlen=8 difok=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1


用户密码过期策略
centos
/etc/login.defs
PASS_MAX_DAYS	90 [密码最长90天过期]
PASS_MIN_DAYS	0 [两次修改密码的最小间隔天数]
PASS_MIN_LEN	8 [密码最小长度]
PASS_WARN_AGE	14 [密码过期提前14天提醒]

ubuntu
/etc/login.defs
PASS_MAX_DAYS	90 [密码最长90天过期]
PASS_MIN_DAYS	0 [两次修改密码的最小间隔天数]
#PASS_MIN_LEN	8 [密码最小长度]
PASS_WARN_AGE	14 [密码过期提前14天提醒]

/etc/sysctl.conf
kernel.core_uses_pid = 1
kernel.core_pattern = core-%e-%p-%t
net.ipv4.ip_forward = 0
net.ipv4.ip_local_port_range = 32768 65500
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_intvl = 25
net.ipv4.tcp_keepalive_probes = 4
net.ipv4.tcp_retries2 = 3
net.ipv4.tcp_tw_recycle = 0
# 注意:tcp_tw_recycle 在 4.12 及以后的内核中已被移除(下文 ubuntu 使用 4.15 内核),sysctl -p 会对该行报错,可按需删除。
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_max_tw_buckets = 262144
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_timestamps = 0
net.core.somaxconn = 65535
net.ipv6.conf.all.forwarding = 0
net.netfilter.nf_conntrack_max = 655350
net.netfilter.nf_conntrack_tcp_timeout_established = 1200
kernel.sem = 2048 262144 100 256
kernel.pid_max = 4194304
vm.swappiness = 0
vm.min_free_kbytes = 131072
vm.overcommit_memory = 1
kernel.shmall = 131804808
kernel.shmmax = 431897994854
kernel.shmmni = 4096
fs.aio-max-nr = 3145728
fs.file-max = 6815744
net.core.rmem_default = 262144 
net.core.rmem_max = 4194304
net.core.wmem_default = 262144 
net.core.wmem_max = 1048576
kernel.panic_on_oops = 1
vm.hugetlb_shm_group = 302
net.ipv4.ipfrag_high_thresh = 16777215
net.ipv4.ipfrag_low_thresh = 15272864
vm.max_map_count = 262144



/etc/profile
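#Setting for BASE_LINE
# Sourced by every login shell, so this stays POSIX sh (no bash-only syntax).
# Prompt: '$LOGNAME' and '$PWD' are kept literal and expanded at prompt time;
# the hostname is substituted once, here.
user_id=$(id -u)
if [ "$user_id" = 0 ]; then
  export PS1='$LOGNAME'@$(hostname):'$PWD'"#"
else
  export PS1='$LOGNAME'@$(hostname):'$PWD'"$"
fi
# Idle-session timeout in seconds.  readonly so an interactive user cannot
# simply unset it, exported so it also applies in child shells.
TMOUT=600
readonly TMOUT
export TMOUT
# Source address of the login session, stamped into every history line.
# "who -u am i" ends in "(host)" for remote sessions; on a local console the
# last field is not an address — presumably acceptable for this baseline, confirm.
IP=$(who -u am i | awk '{print $NF}' | sed -e 's/[()]//g')
HISTSIZE=100000
HISTTIMEFORMAT="${IP} $(whoami) %Y-%m-%d %H:%M:%S "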


centos
/etc/security/limits.d/20-nproc.conf
* soft nofile 819200
* hard nofile 819200
* soft nproc 819200
* hard nproc 819200
* soft stack 10240
* hard stack 32768
* soft memlock unlimited
* hard memlock unlimited

ubuntu
/etc/security/limits.conf
root soft nofile 65535
root hard nofile 65535
root soft nproc 65535
root hard nproc 65535
root soft stack 65535
root hard stack 65535
* soft nofile 819200
* hard nofile 819200
* soft nproc 819200
* hard nproc 819200
* soft stack 10240
* hard stack 32768
* soft memlock unlimited
* hard memlock unlimited


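# Baseline audit rules: record every execve and watch the files that control
# authentication, scheduling, boot, logging and networking.  Written through a
# quoted heredoc (no expansion, no echo escape handling) into the rules.d
# drop-in that augenrules compiles; a marker comment keeps a re-run from
# appending the whole set a second time.  The rules take effect after auditd
# reloads them (augenrules --load or a service restart).
# Arguments: $1 - rules file to append to (normally /etc/audit/rules.d/audit.rules)
# NOTE(review): the set watches /etc/chrony.conf while this baseline installs
# ntp and edits /etc/ntp.conf — presumably one of the two should be aligned; confirm.
add_baseline_audit_rules() {
  local rules_file=$1
  local marker='# BASE_LINE audit rules'
  if grep -qF -- "$marker" "$rules_file" 2>/dev/null; then
    return 0
  fi
  cat >> "$rules_file" <<'EOF'
# BASE_LINE audit rules
-a exit,always -F arch=b64 -S execve -k exec
-a exit,always -F arch=b32 -S execve -k exec
-w /etc/crontab -p wa -k crontab
-w /etc/hosts -p wa -k hosts
-w /etc/hosts.allow -p wa -k hosts-allow
-w /etc/hosts.deny -p wa -k hosts-deny
-w /etc/fstab -p wa -k fstab
-w /etc/passwd -p wa -k passwd
-w /etc/shadow -p wa -k shadow
-w /etc/group -p wa -k group
-w /etc/gshadow -p wa -k gshadow
-w /etc/chrony.conf -p wa -k ntp
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/security/limits.conf -p wa -k limits
-w /boot/grub2/grub.cfg -p wa -k grub
-w /etc/ssh/sshd_config -p wa -k ssh
-w /etc/udev/rules.d/ -p wa -k udev
-w /etc/profile -p wa -k profile
-w /etc/kdump.conf -p wa -k kdump
-w /etc/lvm/lvm.conf -p wa -k lvm
-w /etc/login.defs -p wa -k login-defs
-w /etc/rsyslog.conf -p wa -k rsyslog
-w /etc/locale.conf -p wa -k i18n
-w /etc/sysconfig/network -p wa -k network
-w /etc/multipath.conf -p wa -k multipath
EOF
}
add_baseline_audit_rules /etc/audit/rules.d/audit.rules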

/etc/audit/auditd.conf
max_log_file = 50
num_logs = 4
flush = NONE

查看透明大页
cat /sys/kernel/mm/transparent_hugepage/enabled
/boot/efi/EFI/centos/grub.cfg
修改linuxefi /vmlinuz-3.10.0-1160.el7.x86_64 root=/dev/mapper/system-root ro crashkernel=1024M transparent_hugepage=never rd.lvm.lv=system/root rd.lvm.lv=system/swap rd.lvm.lv=system/lv_usr rhgb quiet LANG=en_US.UTF-8
修改 linuxefi /vmlinuz-0-rescue-99012d63c55f4dfa9a35e5b91ce7ff62 root=/dev/mapper/system-root ro crashkernel=1024M transparent_hugepage=never rd.lvm.lv=system/root rd.lvm.lv=system/swap rd.lvm.lv=system/lv_usr rhgb quiet
/etc/default/grub
修改GRUB_CMDLINE_LINUX配置项,增加transparent_hugepage=never
关闭透明大页
 -centos
  -/boot/efi/EFI/centos/grub.cfg
  -/boot/grub2/grub.cfg
   -linux16 /vmlinuz-3.10.0-1160.el7.x86_64 root=/dev/mapper/system-root ro crashkernel=1024M rd.lvm.lv=system/root rd.lvm.lv=system/lv_usr rhgb quiet LANG=en_US.UTF-8 transparent_hugepage=never
   -linux16 /vmlinuz-0-rescue-a8c65c2df2e8491dbb1b8a0fcfb6a5ae root=/dev/mapper/system-root ro crashkernel=1024M rd.lvm.lv=system/root rd.lvm.lv=system/lv_usr rhgb quiet transparent_hugepage=never
 -ubuntu
  /boot/grub/grub.cfg
  (注意:下面示例内核参数中的 nospectre_v2 nopti noibrs noibpb 会关闭 Spectre/Meltdown 等 CPU 漏洞缓解;本基线只需追加 transparent_hugepage=never,是否保留这些关闭缓解的参数应单独评估。)
   -linux   /boot/vmlinuz-4.15.0-136-generic root=UUID=558c12b2-c059-4be7-936b-49bcbf3b52a7 ro net.ifnames=0 consoleblank=600 console=tty0 console=ttyS0,115200n8 nospectre_v2 nopti noibrs noibpb transparent_hugepage=never
   -linux   /boot/vmlinuz-4.15.0-136-generic root=UUID=558c12b2-c059-4be7-936b-49bcbf3b52a7 ro net.ifnames=0 consoleblank=600 console=tty0 console=ttyS0,115200n8 nospectre_v2 nopti noibrs noibpb transparent_hugepage=never