1. Set SELinux to permissive (log denials, but do not enforce)
vi /etc/sysconfig/selinux    (on CentOS 7 this is a symlink to /etc/selinux/config; the change applies at the next boot, setenforce 0 switches the running system)
SELINUX=permissive
Permissive mode effectively switches the mandatory access control off: denials are only written to /var/log/audit/audit.log. Treat it as a way to collect the policy fixes you need (for example for the non-default SSH port further down) rather than as the permanent state.
2. Configure the network interfaces
dmesg | grep eth    check that the kernel detected the NICs; CentOS 7 normally names them enp*/ens* rather than eth*, so also look at the output of: ip link
If a GUI is available, the simplest way is NetworkManager: start it, open the GUI and configure each interface there
systemctl start NetworkManager.service
This generates the interface files (ifcfg-*) under /etc/sysconfig/network-scripts/
Once the interfaces are set up, NetworkManager can be switched off for good
systemctl stop NetworkManager.service
systemctl disable NetworkManager.service
Later changes are made directly in the files under /etc/sysconfig/network-scripts/
systemctl start network    (the legacy network service must also be enabled, as in step 6, or the interfaces will not come up at boot)
3. Enable IP forwarding (NAT) and make it persistent across boots
echo "1" > /proc/sys/net/ipv4/ip_forward    takes effect immediately but is lost at reboot
vi /etc/sysctl.conf    check that the line below is present; it is applied at boot (sysctl -p applies it without rebooting). Always pair forwarding with the firewall batch script: a box that forwards without FORWARD rules relays packets between all of its interfaces
net.ipv4.ip_forward=1
chmod +x /etc/rc.d/rc.local    on CentOS 7 rc.local is only executed at boot when the file is executable, so a firewall script called from it would otherwise never run
4. Set the hostname and the upstream DNS servers
vi /etc/hosts    (on CentOS 7 the hostname itself lives in /etc/hostname; /etc/hosts only maps it to an address)
vi /etc/resolv.conf    (the network scripts regenerate this file from the DNS1/DNS2 entries in ifcfg-* every time an interface comes up, so put the servers there or set PEERDNS=no, otherwise the edit is overwritten)
5. Add the EPEL repository to yum and update the system
yum install epel-release
If yum afterwards reports that it cannot find the EPEL mirrorlist, edit /etc/yum.repos.d/epel.repo:
comment out (#) the mirrorlist= line and use the baseurl= line instead; leave gpgcheck=1 in place so packages are still signature-checked
yum update -y
This can be scheduled in vi /etc/crontab
Example: 30 04 * * * root yum update -y
An unattended full update can replace the kernel and services with nobody watching; if you schedule it, keep the cron mail (see step 8) or at least read /var/log/yum.log so that failures are noticed.
6. Install the essential packages
yum install httpd php -y
yum install openssh* -y
Remember to enable each service at boot: systemctl enable XXXXX.service
7. Deliver system notifications to the administrator
Every system program mails root by default, but nobody reads root's mailbox
Use an alias so that root's mail reaches you
vi /etc/aliases    edit the last line
root: (yourname)
i.e. put your own user ID there
postalias hash:/etc/aliases    rebuild the alias database (newaliases does the same); postfix reads the database, not the text file
8. Turn off cron mail
vi /etc/crontab
change MAILTO=root to MAILTO=""
vi /etc/anacrontab    (anacron is started from cron.hourly and runs the cron.daily/weekly/monthly jobs)
change MAILTO=root to MAILTO=""
MAILTO="" discards all job output, errors included; the alternative is to keep MAILTO pointing at the step 7 alias and silence only the noisy jobs by redirecting their output.
SSH connection security
1. Change the port
vim /etc/ssh/sshd_config
Port 22    change to a five-digit number xxxxx (65535 is the highest valid port). A non-default port only thins out automated scans; it is not an authentication control. If SELinux is later set back to enforcing, the new port must also be labelled (semanage port -a -t ssh_port_t -p tcp xxxxx) or sshd will not be allowed to bind it. Check the file with sshd -t before restarting sshd, and keep the current session open until a second login on the new port works.
2. Restrict the source IP addresses (tcp_wrappers; the sshd on CentOS 7 is built with libwrap)
vim /etc/hosts.allow
sshd: 192.168.x.x : allow
vim /etc/hosts.deny
sshd: ALL
hosts.allow is consulted first, so the deny-all line only affects addresses that are not listed in hosts.allow; a typo in the allow line locks you out.
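A pre-flight check for SSH steps 1 and 2, run before restarting sshd so that a typo in the port or in the tcp_wrappers files does not lock you out. This is an added example, not a script from the original post; the admin address 192.168.1.10 and port 22222 are assumptions, and the three files it is demonstrated on are constructed copies, not the live system files.

```bash
#!/bin/bash
# Pre-flight check for the SSH hardening steps (non-default port plus
# tcp_wrappers). Added example, not the post's own script. Assumed values:
# admin host 192.168.1.10 and port 22222; the file contents below are
# constructed so the checks can be tried without touching the live files.

# All Port values sshd will listen on (several Port lines are allowed;
# comment lines such as "#Port 22" are ignored).
ssh_ports() {
  awk 'tolower($1) == "port" { print $2 }' "$1"
}

# A usable port: numeric, not 22, and within 1024-65535 ("five digits", as the
# post says, is only valid up to 65535).
valid_port() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
  esac
  [ "$1" -ne 22 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# hosts.deny must close sshd (or ALL services) to everyone ...
deny_all_sshd() {
  grep -Eq '^[[:space:]]*(sshd|ALL)[[:space:]]*:[[:space:]]*ALL' "$1"
}

# ... and hosts.allow must name the admin address on an sshd line, otherwise
# the deny rule locks the admin out as well (-w stops 192.168.1.1 from
# matching inside 192.168.1.10).
allow_admin_sshd() {
  grep -E '^[[:space:]]*sshd[[:space:]]*:' "$1" | grep -Fqw "$2"
}

# Run every check; prints the first problem and returns 1, or prints "ok".
ssh_preflight() {
  local cfg=$1 allow=$2 deny=$3 admin=$4 ports p
  ports=$(ssh_ports "$cfg")
  [ -n "$ports" ] || { echo "no Port line in $cfg"; return 1; }
  for p in $ports; do
    valid_port "$p" || { echo "unusable Port $p in $cfg"; return 1; }
  done
  deny_all_sshd "$deny" || { echo "$deny does not deny sshd to ALL"; return 1; }
  allow_admin_sshd "$allow" "$admin" || { echo "$allow has no sshd entry for $admin"; return 1; }
  echo "ok: sshd on port(s) $(echo $ports), $admin allowed"
}

# Constructed copies of the three files, for demonstration only.
DEMO_DIR=$(mktemp -d)
printf '#Port 22\nPort 22222\n' > "$DEMO_DIR/sshd_config"
printf 'sshd: 192.168.1.10 : allow\n' > "$DEMO_DIR/hosts.allow"
printf 'sshd: ALL\n' > "$DEMO_DIR/hosts.deny"
ssh_preflight "$DEMO_DIR/sshd_config" "$DEMO_DIR/hosts.allow" "$DEMO_DIR/hosts.deny" 192.168.1.10
```

On the live system the call is ssh_preflight /etc/ssh/sshd_config /etc/hosts.allow /etc/hosts.deny 192.168.1.10 && sshd -t && systemctl restart sshd; sshd -t is what catches syntax errors the simple parser above does not look for.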
3. Tighten the firewall as well
Do not open port xxxxx to the outside
On the inside, lock it to the admin address
iptables -A INPUT -p TCP -i eth0 -s 192.168.x.x --dport xxxxx -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --dport xxxxx -j DROP
iptables -A INPUT -i eth0 -j ACCEPT
The order matters: rules are matched top to bottom, so the per-host ACCEPT has to come before the DROP, and the last rule accepts all other traffic arriving on eth0. CentOS 7 ships firewalld, which manages the same tables; to use plain iptables like this, stop and disable firewalld and either install iptables-services or load the rules from rc.local as in step 3.
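The firewall batch script that step 3 (NAT forwarding) refers to, with the three SSH rules above in their required order. This is an added example, not the post's own script. It assumes eth0 is the internal LAN side (the post accepts everything arriving on eth0), eth1 is the external side, the LAN is 192.168.1.0/24, the admin host is 192.168.1.10 and sshd listens on 22222; change the variables to match the box.

```bash
#!/bin/bash
# Firewall batch script for the NAT gateway (step 3) and the SSH rules
# (SSH step 3). Added example, not the post's own script.
# Assumptions: eth0 = internal LAN side, eth1 = external side,
# LAN 192.168.1.0/24, admin host 192.168.1.10, sshd on port 22222.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
ADMIN_IP=${ADMIN_IP:-192.168.1.10}
SSH_PORT=${SSH_PORT:-22222}

# Emit the rule set as iptables commands, one per line, so it can be read
# (or diffed against iptables-save output) before anything is touched.
firewall_rules() {
  cat <<EOF
# start from a clean table
iptables -F
iptables -t nat -F
iptables -X
# default: nothing in, nothing through, everything out
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH: admin host first, then drop the port for everyone else on the LAN;
# the WAN side never reaches it because INPUT defaults to DROP
iptables -A INPUT -p tcp -i $LAN_IF -s $ADMIN_IP --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -p tcp -i $LAN_IF --dport $SSH_PORT -j DROP
iptables -A INPUT -i $LAN_IF -j ACCEPT
# NAT: LAN clients may initiate outward, only replies come back in
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# 1-based line of the first rule containing a fixed string, or 0. Rules are
# evaluated top to bottom, so their order is part of the policy.
rule_position() {
  local n
  n=$(firewall_rules | grep -nF -- "$1" | head -n1 | cut -d: -f1)
  echo "${n:-0}"
}

# Load the rules. Forwarding is switched on first and persisted in
# sysctl.conf as in step 3, because FORWARD/MASQUERADE do nothing without it.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  grep -q '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf ||
    echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
  firewall_rules | sh -e
}

case "${1:-show}" in
  show)  firewall_rules ;;
  apply) apply_rules ;;
  *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with show to review the rules, with apply (as root) to load them; to keep them across reboots either call it from /etc/rc.d/rc.local as the post intends or, with iptables-services installed, save the loaded table with iptables-save into /etc/sysconfig/iptables.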
10. Stop logging "Started Session xxx of user root" to /var/log/messages
echo 'if $programname == "systemd" and ($msg contains "Starting Session" or $msg contains "Started Session" or $msg contains "Created slice" or $msg contains "Starting user-") then stop' >/etc/rsyslog.d/ignore-systemd-session-slice.conf
systemctl restart rsyslog
Be aware of what is lost: these lines are the only record in messages of when a root session started. Authentication events still go to /var/log/secure, and the systemd journal (journalctl) keeps everything, but on a default CentOS 7 the journal does not survive a reboot.
11. Sync the clock daily
Manually:
ntpdate -s time.stdtime.gov.tw
As a cron job:
vi /etc/crontab
01 6 * * * root /usr/sbin/ntpdate time.stdtime.gov.tw ; /sbin/hwclock -w
ntpdate steps the clock once a day, so log timestamps can jump at 06:01 and drift in between; CentOS 7 ships chronyd, which slews continuously and is the better choice when you intend to correlate logs across hosts.
12. To restrict access to a web directory, do this
The pattern below denies all connections and then admits only the listed sources
Apache 2.2:
<Directory "/var/www/html/XXX">
Options FollowSymLinks
AllowOverride None
Order deny,allow
deny from all
allow from 192.168.1.0/24
</Directory>
Apache 2.4 (the version CentOS 7 ships):
Order deny,allow    is dropped (2.2 access directives only work with mod_access_compat loaded)
deny from all    becomes Require all denied (optional: in 2.4 a client that matches no Require is already denied)
allow from 192.168.1.0/24    becomes Require ip 192.168.1.0/24 (the "ip" provider keyword is mandatory; "Require 192.168.1.0/24" is a configuration error)
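The two forms side by side as complete drop-in files, rendered by a script that checks the whole configuration before reloading httpd. This is an added example, not the post's own config; the directory and network are the post's placeholders, and the output file name under /etc/httpd/conf.d/ is an assumption.

```bash
#!/bin/bash
# Render the step 12 access restriction in the 2.2 and 2.4 syntax and test
# the result before reloading httpd. Added example, not the post's own
# config; the conf.d file name is an assumption.

# Apache 2.2 (mod_authz_host): deny everything, then allow the listed network.
render_22() {
  cat <<EOF
<Directory "$1">
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    deny from all
    allow from $2
</Directory>
EOF
}

# Apache 2.4 (mod_authz_core, the version CentOS 7 ships): "Require ip" needs
# the provider keyword, and a client that matches no Require is already
# denied, so no separate deny-all line is required.
render_24() {
  cat <<EOF
<Directory "$1">
    Options FollowSymLinks
    AllowOverride None
    Require ip $2
</Directory>
EOF
}

# Pick the syntax from the installed httpd; defaults to 2.4 when httpd is not
# on the PATH (for example when rendering on another machine).
render_for_installed() {
  if command -v httpd >/dev/null 2>&1 && httpd -v 2>/dev/null | grep -q 'Apache/2\.2'; then
    render_22 "$1" "$2"
  else
    render_24 "$1" "$2"
  fi
}

# Write the file, let httpd check the full configuration, and reload only if
# the check passes (a bad file would otherwise take the server down).
install_restriction() {
  local dir=$1 net=$2 out=${3:-/etc/httpd/conf.d/restrict-$(basename "$1").conf}
  [ "$(id -u)" -eq 0 ] || { echo "install needs root" >&2; return 1; }
  render_for_installed "$dir" "$net" > "$out"
  httpd -t && systemctl reload httpd
}

case "${1:-show}" in
  show)    render_24 /var/www/html/XXX 192.168.1.0/24 ;;
  install) install_restriction "${2:-/var/www/html/XXX}" "${3:-192.168.1.0/24}" ;;
  *)       echo "usage: $0 [show|install DIR CIDR]" >&2; exit 2 ;;
esac
```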
13. Suppress the repeated systemd lines in messages
For example:
Jun 10 04:10:01 dajing systemd: Starting User Slice of root.
Jun 10 04:10:05 dajing systemd: Removed slice User Slice of root.
Jun 10 04:10:05 dajing systemd: Stopping User Slice of root.
echo 'if $programname == "systemd" and ($msg contains "Starting Session" or $msg contains "Started Session" or $msg contains "Created slice" or $msg contains "Starting user-" or $msg contains "Starting User Slice of" or $msg contains "Removed session" or $msg contains "Removed slice User Slice of" or $msg contains "Stopping User Slice of") then stop' >/etc/rsyslog.d/ignore-systemd-session-slice.conf
This overwrites the file from step 10 with the extended filter (same file name), so restart rsyslog again afterwards; the caveat from step 10 about losing the root session record applies here too.
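The filter from steps 10 and 13 built from a readable pattern list instead of one long echo, with a dry run that shows which lines it would drop and an install path that lets rsyslogd check the syntax first. This is an added example, not the post's own commands; the file path is the one the post uses, and the sample log lines (the three above plus a root session start, an sshd login and an unrelated systemd message) are constructed.

```bash
#!/bin/bash
# Build the rsyslog "stop" filter of steps 10 and 13, show what it would
# drop, and install it only if rsyslog accepts the configuration. Added
# example, not the post's own commands; the sample log lines are constructed.
CONF=${CONF:-/etc/rsyslog.d/ignore-systemd-session-slice.conf}

# Message substrings to silence, one per line (the post's step 13 list).
PATTERNS='Starting Session
Started Session
Created slice
Starting user-
Starting User Slice of
Removed session
Removed slice User Slice of
Stopping User Slice of'

# Render the single-line rsyslog rule the post writes with echo.
render_filter() {
  local cond="" p
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    cond="${cond:+$cond or }\$msg contains \"$p\""
  done <<EOF
$PATTERNS
EOF
  printf 'if $programname == "systemd" and (%s) then stop\n' "$cond"
}

# Apply the same test to one classic syslog line
# ("Mon DD HH:MM:SS host prog[pid]: msg"), printing drop or keep.
filter_decision() {
  local line=$1 prog msg p
  prog=${line%%: *}       # everything before the first ": " ...
  prog=${prog##* }        # ... its last word is the program name (with [pid])
  prog=${prog%%\[*}       # rsyslog's $programname carries no [pid]
  msg=${line#*: }
  if [ "$prog" = systemd ]; then
    while IFS= read -r p; do
      [ -n "$p" ] || continue
      case "$msg" in *"$p"*) echo drop; return 0 ;; esac
    done <<EOF
$PATTERNS
EOF
  fi
  echo keep
}

# Constructed lines: the three from step 13, a root session start, an sshd
# login and an unrelated systemd message.
SAMPLE_LINES='Jun 10 04:10:01 dajing systemd: Starting User Slice of root.
Jun 10 04:10:05 dajing systemd: Removed slice User Slice of root.
Jun 10 04:10:05 dajing systemd: Stopping User Slice of root.
Jun 10 04:10:01 dajing systemd: Started Session 812 of user root.
Jun 10 04:10:00 dajing sshd[4121]: Accepted publickey for root from 192.168.1.10 port 51234 ssh2
Jun 10 04:11:00 dajing systemd: Started OpenSSH server daemon.'

show_decisions() {
  while IFS= read -r line; do
    printf '%s  %s\n' "$(filter_decision "$line")" "$line"
  done <<EOF
$SAMPLE_LINES
EOF
}

# Write the file, let rsyslogd check the full configuration, then restart.
install_filter() {
  [ "$(id -u)" -eq 0 ] || { echo "install needs root" >&2; return 1; }
  render_filter > "$CONF"
  rsyslogd -N1 && systemctl restart rsyslog
}

case "${1:-show}" in
  show)    render_filter; echo; show_decisions ;;
  install) install_filter ;;
  *)       echo "usage: $0 [show|install]" >&2; exit 2 ;;
esac
```

The dry run makes the trade-off visible: the sshd "Accepted publickey" line is kept, so the login itself is still recorded, but the "Started Session ... of user root" line that ties it to a session is dropped together with the slice noise.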
