{"id":277,"date":"2022-06-28T09:40:00","date_gmt":"2022-06-28T01:40:00","guid":{"rendered":"http:\/\/154.215.192.82:8081\/?p=277"},"modified":"2024-10-17T11:40:38","modified_gmt":"2024-10-17T03:40:38","slug":"centos%e5%9f%ba%e6%9c%ac%e5%ae%89%e5%85%a8%e5%84%aa%e5%8c%96","status":"publish","type":"post","link":"https:\/\/support.hkguard.com\/index.php\/2022\/06\/28\/centos%e5%9f%ba%e6%9c%ac%e5%ae%89%e5%85%a8%e5%84%aa%e5%8c%96\/","title":{"rendered":"centos\u57fa\u672c\u5b89\u5168\u512a\u5316"},"content":{"rendered":"\n

\u4e00.\u95dc\u9589selinux<\/strong><\/h3>\n\n\n\n
    \n
  1. #\u4fee\u6539\u914d\u7f6e\u6587\u4ef6\u53ef\u4f7f\u914d\u7f6e\u6587\u4ef6\u751f\u6548,\u4f46\u5fc5\u9808\u8981\u91cd\u555f\u7cfb\u7d71,\u6b64\u6b65\u9a5f\u662fsed\u5feb\u901f\u4fee\u6539\u65b9\u6cd5,\u4e5f\u53ef\u4ee5\u901a\u904evim\u7de8\u8f2f\/etc\/selinux\/confi<\/mark>g\u4f86\u4fee\u6539\u6b64\u6587\u4ef6.<\/li>\n\n\n\n
  2. sed -i ‘\/^SELINUX\/s\/enforcing\/disabled\/g’ <\/mark> \/etc\/selinux\/config<\/li>\n\n\n\n
  3. \u6aa2\u67e5\u66ff\u63db\u7d50\u679c\u70badisabled\u5c31\u8868\u793a\u6210\u529f\u4e86.<\/li>\n\n\n\n
  4. grep SELINUX=disabled \/etc\/selinux\/config<\/li>\n\n\n\n
  5. SELINUX=disabled<\/li>\n\n\n\n
  6. #\u81e8\u6642\u95dc\u9589<\/li>\n\n\n\n
  7. setenforce<\/li>\n\n\n\n
  8. usage: setenforce [ Enforcing | Permissive | 1 | 0 ]<\/li>\n\n\n\n
  9. 0 \u8868\u793aPermissive,\u5373\u7d66\u51fa\u8b66\u544a\uff0c\u4f46\u4e0d\u6703\u963b\u6b62\u64cd\u4f5c,\u76f8\u7576\u65bcdisabled.<\/li>\n\n\n\n
  10. 1 \u8868\u793aEnforcing\uff0c \u5373\u8868\u793aSELinux\u70ba\u958b\u555f\u72c0\u614b.<\/li>\n\n\n\n
  11. setenforce 0 #\u81e8\u6642\u5c07SELinux\u8abf\u70baPermissive\u72c0\u614b.<\/li>\n\n\n\n
  12. getenforce #\u67e5\u770bSELinux\u7576\u524d\u72c0\u614b.<\/li>\n<\/ol>\n\n\n\n

    \u4e8c.\u66f4\u6539\u70ba\u963f\u88cfyum\u6e90<\/h3>\n\n\n\n
      \n
    1. mv \/etc\/yum.repos.d\/CentOS-Base.repo \/etc\/yum.repos.d\/CentOS-Base.repo.backup<\/li>\n\n\n\n
    2. wget -O \/etc\/yum.repos.d\/CentOS-Base.repo http:\/\/mirrors.aliyun.com\/repo\/Centos-7.repo<\/li>\n\n\n\n
    3. yum makecache<\/li>\n<\/ol>\n\n\n\n

      \u4e09.\u63d0\u6b0adm\u7528\u6236\u53ef\u4ee5\u4f7f\u7528sudo<\/h3>\n\n\n\n
        \n
      1. \u5099\u4efd\/etc\/sudoers<\/mark>\u6587\u4ef6<\/li>\n\n\n\n
      2. cp<\/mark>  \/etc\/sudoers \/etc\/sudoers.2018-08-20.bak<\/li>\n\n\n\n
      3. sudo\u63d0\u6b0a\u914d\u7f6e\u8aaa\u660e    <\/li>\n\n\n\n
      4. \u7528\u6236\u6216\u7d44        \u6a5f\u5668=\u6388\u6b0a\u89d2\u8272        \u53ef\u4ee5\u57f7\u884c\u7684\u547d\u4ee4<\/li>\n\n\n\n
      5. user MACHINA= COMMANDS<\/li>\n\n\n\n
      6. dm ALL=(ALL) \/usr\/sbin\/useradd,\/usr\/sbin\/userdel<\/li>\n\n\n\n
      7. useradd dm<\/li>\n\n\n\n
      8. echo<\/mark> 123456 | passwd –stdin dm<\/li>\n\n\n\n
      9. echo<\/mark> “dm ALL=(ALL) NOPASSWD: ALL” >>\/etc\/sudoers #\u7d50\u5c3e\u7684ALL\u8868\u793adm\u53ef\u64c1\u6709\u5b8c\u5168\u7684\u7cfb\u7d71\u7ba1\u7406\u6b0a\u9650,NOPASSSWD\u8868\u793a\u63d0\u6b0a\u57f7\u884c\u547d\u4ee4\u6642\u4e0d\u63d0\u793a\u5bc6\u78bc;<\/li>\n\n\n\n
      10. grep<\/mark> dm \/etc\/sudoers<\/li>\n\n\n\n
      11. visudo -c &>\/dev\/null<\/li>\n<\/ol>\n\n\n\n

        \u56db.\u512a\u5316ssh\u9060\u7a0b\u767b\u9304\u914d\u7f6e<\/h3>\n\n\n\n
          \n
        1. \u5099\u4efd\/etc\/ssh\/sshd_conf<\/mark><\/li>\n\n\n\n
        2. cp<\/mark> \/etc\/ssh\/sshd_config \/etc\/ssh\/sshd_config.2018-08-20.bak<\/li>\n\n\n\n
        3. \u4e0d\u5141\u8a31\u57fa\u65bcGSSAPI\u7684\u7528\u6236\u8a8d\u8b49<\/li>\n\n\n\n
        4. sed<\/mark> -i ‘s\/^GSSAPIAuthentication yes$\/GSSAPIAuthentication no\/’ \/etc\/ssh\/sshd_config<\/mark><\/li>\n\n\n\n
        5. \u4e0d\u5141\u8a31sshd\u5c0d\u9060\u7a0b\u4e3b\u6a5f\u540d\u9032\u884c\u53cd\u5411\u89e3\u6790<\/li>\n\n\n\n
        6. sed <\/mark>-i ‘s\/#UseDNS yes\/UseDNS no\/’ \/etc\/ssh\/sshd_config<\/mark><\/li>\n\n\n\n
        7. \u7981\u6b62root\u7528\u6236\u767b\u9304<\/li>\n\n\n\n
        8. sed<\/mark> -i ‘s%#PermitRootLogin yes%PermitRootLogin no%’ \/etc\/ssh\/sshd_config<\/mark><\/li>\n\n\n\n
        9. \u4e0d\u5141\u8a31\u7a7a\u5bc6\u78bc\u767b\u9304<\/li>\n\n\n\n
        10. sed<\/mark> -i ‘s%#PermitEmptyPasswords no%PermitEmptyPasswords no%’ \/etc\/ssh\/sshd_config<\/mark><\/li>\n\n\n\n
        11. systemctl restart sshd<\/li>\n<\/ol>\n\n\n\n

          \u4e94.\u8a2d\u7f6e\u4e2d\u6587\u5b57\u7b26\u96c6<\/h3>\n\n\n\n
            \n
          1. localectl set-locale LANG=zh_CN.UTF-8<\/li>\n\n\n\n
          2. localectl status<\/li>\n<\/ol>\n\n\n\n

            \u516d.\u8a2d\u7f6e\u6642\u9593\u540c\u6b65<\/h3>\n\n\n\n
              \n
            1. \u6aa2\u67e5\u662f\u5426\u5b89\u88ddntpdate<\/li>\n\n\n\n
            2. rpm -qa|grep ntpdate<\/li>\n\n\n\n
            3. ntpdate-4.2.6p5-28.el7.centos.x86_64<\/li>\n\n\n\n
            4. \u5982\u679c\u6c92\u6709\u5b89\u88dd\uff0c\u5247\u4f7f\u7528yum\u5b89\u88dd<\/li>\n\n\n\n
            5. yum install<\/mark> -y ntpdate<\/li>\n\n\n\n
            6. \u6dfb\u52a0\u8a08\u5283\u4efb\u52d9,\u6bcf5\u5206\u9418\u540c\u6b65\u4e00\u6b21\u6642\u9593;<\/li>\n\n\n\n
            7. echo<\/mark> ‘#time sync by dm at 2018-8-20’<\/mark> >>\/var\/spool\/cron\/root<\/li>\n\n\n\n
            8. echo<\/mark> ‘*\/5 * * * * \/usr\/sbin\/ntpdate -u ntp.api.bz >\/dev\/null 2>$1’ <\/mark>>>\/var\/spool\/cron\/root<\/li>\n\n\n\n
            9. crontab -l<\/li>\n<\/ol>\n\n\n\n

              \u4e03.\u6b77\u53f2\u8a18\u9304\u6578\u53ca\u767b\u9304\u8d85\u6642\u74b0\u5883\u8b8a\u91cf\u8a2d\u7f6e<\/h3>\n\n\n\n
              \u8a2d\u7f6e\u9591\u7f6e\u8d85\u6642\u6642\u9593\u70ba300s<\/mark>\n\necho<\/mark>  'export TMOUT=300' <\/mark>           >>\/etc\/profile<\/mark>\n\n\u8a2d\u7f6e\u6b77\u53f2\u8a18\u9304\u6587\u4ef6\u7684\u547d\u4ee4\u6578\u91cf\u70ba100<\/mark>\n\necho<\/mark>  'export HISTFILESIZE=100' <\/mark>       >>\/etc\/profile<\/mark>\n\n\u8a2d\u7f6e\u547d\u4ee4\u884c\u7684\u6b77\u53f2\u8a18\u9304\u6578\u91cf<\/mark>\n\necho<\/mark> 'export HISTSIZE=100'<\/mark>      >>\/etc\/profile <\/mark>\n\n\u683c\u5f0f\u5316\u8f38\u51fa\u6b77\u53f2\u8a18\u9304(\u4ee5\u5e74\u6708\u65e5\u5206\u6642\u79d2\u7684\u683c\u5f0f\u8f38\u51fa)<\/mark>\n\necho<\/mark>   'export HISTTIMEFORMAT=\"%Y-%m-%d %H:%M:%S\"' <\/mark>       >>\/etc\/profile<\/mark>\n\nsource \/etc\/profile\n\ntail  -4 \/etc\/profile<\/mark><\/code><\/pre>\n\n\n\n
              \u516b.\u8abf\u6574Linux\u63cf\u8ff0\u7b26<\/h3>\n\n\n\n
              \u6587\u4ef6\u63cf\u8ff0\u7b26\u662f\u7531\u7121\u7b26\u865f\u6574\u6578\u8868\u793a\u7684\u53e5\u67c4\uff0c\u9032\u7a0b\u4f7f\u7528\u5b83\u4f86\u6a19\u8b58\u6253\u958b\u7684\u6587\u4ef6\u3002\u6587\u4ef6\u63cf\u8ff0\u7b26\u8207\u5305\u62ec\u76f8\u95dc\u4fe1\u606f(\u5982\u6587\u4ef6\u7684\u6253\u958b\u6a21\u5f0f\uff0c\u6587\u4ef6\u7684\u4f4d\u7f6e\u985e\u578b\uff0c\u6587\u4ef6\u7684\u521d\u59cb\u985e\u578b\u7b49) \u7684\u6587\u4ef6\u5c0d\u8c61\u76f8\u95dc\u806f\uff0c\u9019\u4e9b\u4fe1\u606f\u88ab\u7a31\u4f5c\u6587\u4ef6\u7684\u4e0a\u4e0b\u6587\u3002\u6587\u4ef6\u63cf\u8ff0\u7b26\u7684\u6709\u6548\u7bc4\u570d\u662f0 \u5230 OPEN_MAX.<\/p>\n\n\n\n

              \u5c0d\u65bc\u5167\u6838\u800c\u8a00,\u6240\u6709\u6253\u958b\u7684\u6587\u4ef6\u90fd\u662f\u901a\u904e\u6587\u4ef6\u7684\u63cf\u8ff0\u7b26\u5f15\u7528\u7684.\u7576\u6253\u958b\u4e00\u500b\u73fe\u6709\u6587\u4ef6\u6216\u5275\u5efa\u4e00\u500b\u65b0\u6587\u4ef6\u6642\uff0c\u5167\u6838\u5411\u9032\u7a0b\u8fd4\u56de\u4e00\u500b\u6587\u4ef6\u63cf\u8ff0\u7b26\uff0c\u7576\u8b80\u6216\u5beb\u4e00\u500b\u6587\u4ef6\u6642\uff0c\u4f7f\u7528 open \u6216 create \u8fd4\u56de\u7684\u6587\u4ef6\u63cf\u8ff0\u7b26\u6a19\u8b58\u8a72\u6587\u4ef6\uff0c\u4e26\u5c07\u5176\u4f5c\u70ba\u53c3\u6578\u50b3\u905e\u7d66 read \u6216 write.<\/p>\n\n\n\n

              \u67e5\u770b\u7cfb\u7d71\u6587\u4ef6\u63cf\u8ff0\u7b26\u8a2d\u7f6e\u7684\u60c5\u6cc1\u53ef\u4ee5\u4f7f\u7528\u4e0b\u9762\u7684\u547d\u4ee4\uff0c\u6587\u4ef6\u63cf\u8ff0\u7b26\u5927\u5c0f\u9ed8\u8a8d\u662f1024<\/strong>.
              ulimit -n
              \u5c0d\u65bc\u9ad8\u4e26\u767c\u7684\u696d\u52d9 Linux \u670d\u52d9\u5668\u4f86\u8aaa\uff0c\u9019\u500b\u9ed8\u8a8d\u7684\u8a2d\u7f6e\u503c\u662f\u4e0d\u5920\u7684\uff0c\u9700\u8981\u8abf\u6574<\/p>\n\n\n\n

              \u8abf\u6574\u65b9\u6cd5\u4e00:<\/strong>
              \u8abf\u6574\u7cfb\u7d71\u6587\u4ef6\u63cf\u8ff0\u7b26\u70ba65535
              echo<\/mark>   ‘* – nofile 65535’ <\/mark>     >>\/etc\/security\/limits.conf
              tail<\/mark>    -l \/etc\/security\/limits.conf
               
              \u8abf\u6574\u65b9\u6cd5\u4e8c:<\/strong>
              \u76f4\u63a5\u628a ulimit -SHn 65535\u547d\u4ee4\u52a0\u5165\/etc\/rc.d\/rc.local\uff0c\u7528\u4ee5\u8a2d\u7f6e\u6bcf\u6b21\u958b\u6a5f\u555f\u52d5\u6642\u914d\u7f6e\u751f\u6548,\u547d\u4ee4\u5982\u4e0b:
              echo<\/mark>   ” ulimit -HSn 65535″ <\/mark>  >>\/etc\/rc.d\/rc.local
              echo<\/mark>   ” ulimit -s 65535″   <\/mark>>>\/etc\/rc.d\/rc.local<\/p>\n\n\n\n
              \u4e5d.\u5b9a\u6642\u6e05\u7406\u90f5\u4ef6\u670d\u52d9\u81e8\u6642\u76ee\u9304\u5783\u573e\u6587\u4ef6<\/h3>\n\n\n\n
              centos7 \u9ed8\u8a8d\u662f\u5b89\u88dd\u4e86Postfix\u90f5\u4ef6\u670d\u52d9\u7684\uff0c\u56e0\u6b64\u90f5\u4ef6\u81e8\u6642\u5b58\u653e\u5730\u9ede\u7684\u8def\u5f91\u70ba\/var\/spool\/postfix\/maildrop<\/mark>\uff0c\u70ba\u4e86\u9632\u6b62\u76ee\u9304\u88ab\u5783\u573e\u6587\u4ef6\u586b\u6eff\uff0c\u5c0e\u81f4\u7cfb\u7d71\u984dinode\u6578\u91cf\u4e0d\u5920\u7528,\u9700\u8981\u5b9a\u671f\u6e05\u7406.<\/p>\n\n\n\n
              \u5b9a\u6642\u6e05\u7406\u7684\u65b9\u6cd5\u70ba\uff1a\u5c07\u6e05\u7406\u547d\u4ee4\u5beb\u6210\u8173\u672c,\u7136\u5f8c\u505a\u6210\u5b9a\u6642\u4efb\u52d9\uff0c\u6bcf\u65e5\u6de9\u66680\u9ede\u57f7\u884c\u4e00\u6b21.<\/p>\n\n\n\n
              #\u5275\u5efa\u5b58\u653e\u8173\u672c\u7684\u76ee\u9304
               [ -d \/server\/scripts\/shell ] && echo “directory already exists.” || mkdir \/server\/scripts\/shell -p<\/p>\n\n\n\n
              #\u7de8\u5beb\u8173\u672c\u6587\u4ef6
              echo<\/mark>   ‘find \/var\/spool\/postfix\/maildrop\/ -type f|xargs rm -f’ >\/server\/scripts\/shell\/del_mail_file.sh<\/p>\n\n\n\n
              #\u67e5\u770b
              cat \/server\/scripts\/shell\/del_mail_file.sh<\/p>\n\n\n\n
              #\u52a0\u5165\u8a08\u5283\u4efb\u52d9
              echo<\/mark> “00 00 * * * \/bin\/bash \/server\/scripts\/shell\/del_mail_file.sh >\/dev\/null &1” >>\/var\/spool\/cron\/root<\/p>\n\n\n\n
              crontab -l<\/p>\n\n\n\n
              \u5341.\u9396\u5b9a\u95dc\u9375\u7cfb\u7d71\u6587\u4ef6\uff0c\u9632\u6b62\u88ab\u63d0\u6b0a\u7be1\u6539<\/h3>\n\n\n\n
                \n
              1. \u8981\u9396\u5b9a\u95dc\u9375\u7cfb\u7d71\u6587\u4ef6,\u5fc5\u9808\u5c0d\u8cec\u865f\u5bc6\u78bc\u6211\u90a3\u4ef6\u53ca\u555f\u52d5\u6587\u4ef6\u52a0\u9396,\u9632\u6b62\u88ab\u7be1\u6539,\u52a0\u9396\u547d\u4ee4\u5982\u4e0b:<\/li>\n\n\n\n
              2. chattr +i \/etc\/passwd \/etc\/shadow \/etc\/group \/etc\/gshadow \/etc\/inittab<\/li>\n\n\n\n
              3. lsattr \/etc\/passwd \/etc\/shadow \/etc\/group \/etc\/gshadow \/etc\/inittab<\/li>\n\n\n\n
              4. \u4e0a\u9396\u5f8c,\u6240\u6709\u7528\u6236\u90fd\u4e0d\u80fd\u5c0d\u6587\u4ef6\u9032\u884c\u4fee\u6539\u522a\u9664.\u5982\u679c\u9700\u8981\u4fee\u6539,\u53ef\u4ee5\u57f7\u884c\u4e0b\u9762\u7684\u547d\u4ee4\u89e3\u9396\u5f8c,\u518d\u9032\u884c\u4fee\u6539.<\/li>\n\n\n\n
              5. chattr -i \/etc\/passwd \/etc\/shadow \/etc\/group \/etc\/gshadow \/etc\/inittab<\/li>\n\n\n\n
              6. lsattr \/etc\/passwd \/etc\/shadow \/etc\/group \/etc\/gshadow \/etc\/inittab<\/li>\n\n\n\n
              7. \u5982\u679c\u60f3\u8981\u66f4\u52a0\u5b89\u5168,\u53ef\u4ee5\u628achattr\u6539\u540d\u8f49\u79fb,\u9632\u6b62\u88ab\u9ed1\u5ba2\u5229\u7528.<\/li>\n\n\n\n
              8. mv \/usr\/bin\/chattr \/usr\/bin\/dm1<\/li>\n<\/ol>\n\n\n\n
                \u5ba2\u6236\u5728\u522a\u9664\u5bf6\u5854\u7db2\u7ad9\u6839\u76ee\u9304\u6642,\u4f7f\u7528rm -rf \u547d\u4ee4\u6642\u6703\u63d0\u793a\u7121\u6cd5\u522a\u9664\u76ee\u9304\u4e0b\u7684\u67d0\u4e00\u500b\u6587\u4ef6\uff0c\u5c31\u662f\u56e0\u70ba\u9019\u500b\u6587\u4ef6\u88ab\u9396\u5c0e\u81f4\u7684\uff0c\u53ef\u4ee5\u4f7f\u7528chattr -i\u547d\u4ee4\u89e3\u9664\u6587\u4ef6\u9396\u4e4b\u5f8c\u518d\u522a\u9664\u5c31\u53ef\u4ee5\u4e86\u3002<\/p>\n\n\n\n
                \u5341\u4e00.SSH\u9650\u88fdIP\u767b\u9304<\/h3>\n\n\n\n
                \u65b9\u6cd5\u4e00\uff1a<\/strong>
                \u53ea\u5141\u8a31\u6307\u5b9a\u7528\u6236\u9032\u884c\u767b\u9304\uff08\u767d\u540d\u55ae\uff09\uff1a
                \u5728 \/etc\/ssh\/sshd_config <\/mark>\u914d\u7f6e\u6587\u4ef6\u4e2d\u8a2d\u7f6e AllowUsers \u9078\u9805\uff0c\uff08\u914d\u7f6e\u5b8c\u6210\u9700\u8981\u91cd\u555f SSHD \u670d\u52d9\uff09\u683c\u5f0f\u5982\u4e0b\uff1a
                AllowUsers            <\/mark>root@192.168.1.11<\/mark>
                \u5141\u8a31 IP    192.168.1.1 <\/mark>     \u767b\u9304root \u901a\u904e\u5e33\u6236\u767b\u9304\u7cfb\u7d71\u3002
                \u53ea\u62d2\u7d55\u6307\u5b9a\u7528\u6236\u9032\u884c\u767b\u9304\uff08\u9ed1\u540d\u55ae\uff09\uff1a
                \u5728\/etc\/ssh\/sshd_config<\/mark> \u914d\u7f6e\u6587\u4ef6\u4e2d\u8a2d\u7f6e DenyUsers \u9078\u9805\uff0c\uff08\u914d\u7f6e\u5b8c\u6210\u9700\u8981\u91cd\u555fSSHD\u670d\u52d9\uff09\u683c\u5f0f\u5982\u4e0b\uff1a
                DenyUsers root@192.168.1.10<\/mark> #Linux\u7cfb\u7d71\u8cec\u6236
                \u62d2\u7d55 IP 192.168.1.10 <\/mark>\u767b\u9304root \u901a\u904e\u5e33\u6236\u767b\u9304\u7cfb\u7d71\u3002<\/p>\n\n\n\n
                \u65b9\u6cd5\u4e8c\uff1a<\/strong>
                \u5141\u8a31192.168.200.0\u6bb5\u7684IP\u767b\u9304
                echo “sshd:192.168.200.0\/24:allow”<\/mark> >>\/etc\/hosts.allow<\/p>\n\n\n\n
                #\u7981\u6b62\u6240\u6709\u7684\u5176\u4ed6IP\u6bb5\u7684IP\u767b\u9304
                echo “sshd:all:deny” <\/mark>         >>\/etc\/hosts.deny
                hosts.allow \u548chosts.deny \u5169\u500b\u6587\u4ef6\u540c\u6642\u8a2d\u7f6e\u898f\u5247\u7684\u6642\u5019\uff0chosts.allow \u6587\u4ef6\u4e2d\u7684\u898f\u5247\u512a\u5148\u7d1a\u9ad8\uff0c\u6309\u7167\u6b64\u65b9\u6cd5\u8a2d\u7f6e\u5f8c\u670d\u52d9\u5668\u53ea\u5141\u8a31  192.168.200.0<\/mark>\/24\u9019\u500b\u6bb5\u7684 IP \u5730\u5740\u7684 ssh \u767b\u9304\uff0c\u5176\u5b83\u7684 IP \u90fd\u6703\u62d2\u7d55\u3002<\/p>\n\n\n\n
                \u65b9\u6cd5\u4e09\uff1a<\/strong>
                \u5141\u8a31 192.168.100.10<\/mark> \u767b\u9304ssh
                firewall-cmd –permanent –add-rich-rule ‘<\/mark>rule family=ipv4 source address=192.168.100.10 service name=ssh accept’<\/mark><\/p>\n\n\n\n
                \u62d2\u7d55192.168.200.0\/24<\/mark>\u767b\u9304ssh
                firewall-cmd –permanent –add-rich-rule ‘rule family=ipv4 source address=192.168.200.0\/24 service name=ssh reject’<\/mark><\/p>\n\n\n\n
                firewall-cmd –reload<\/p>\n\n\n\n
                \u5341\u4e8c.\u70bagrub\u83dc\u55ae\u52a0\u5bc6<\/h3>\n\n\n\n
                \u70bagrub\u83dc\u55ae\u52a0\u5bc6\u7684\u76ee\u7684\u662f\u9632\u6b62\u4ed6\u4eba\u4fee\u6539grub\u9032\u884c\u5167\u6838\u7b49\u555f\u52d5\u8a2d\u7f6e,\u4ee5\u53ca\u7528\u55ae\u7528\u6236\u6a21\u5f0f\u555f\u52d5\u9032\u884c\u7834\u89e3root\u5bc6\u78bc\u7b49\u64cd\u4f5c,\u5be6\u969b\u4e0a\u6b64\u6b65\u9a5f\u53ef\u4ee5\u5728\u5b89\u88dd\u7cfb\u7d71\u7684\u904e\u7a0b\u4e2d\u8a2d\u5b9a.<\/p>\n\n\n\n

                \u5b89\u88dd\u7cfb\u7d71\u5f8c\u7684\u5177\u9ad4\u8a2d\u5b9a\u6b65\u9a5f\u5982\u4e0b:<\/p>\n\n\n\n
                \u8a2d\u7f6e\u5bc6\u78bc\uff1a
                grub2-setpassword<\/mark>
                \u67e5\u770b\u8a2d\u7f6e\u7684\u5bc6\u78bc\uff1a
                cat \/boot\/grub2\/user.cfg<\/mark><\/p>\n\n\n\n
                #\u5728\/etc\/grub.d\/01_users<\/mark>\u6587\u4ef6\u4e2d\u53ef\u4ee5\u770b\u5230grub\u7528\u6236\u540d\u70baroot\uff0c\u7136\u5f8c\u901a\u904e grub2-setpassword<\/mark> \u4f86\u8a2d\u7f6egrub\u7684\u5bc6\u78bc\uff0c\u5bc6\u78bc\u8a2d\u7f6e\u6210\u529f\u5f8c\u6703\u751f\u6210 \/boot\/grub2\/user.cfg<\/mark> \u6587\u4ef6\uff0c\u53ef\u4ee5\u901a\u904e \/boot\/grub2\/user.cfg<\/mark> \u6587\u4ef6\u67e5\u770b\u8a2d\u7f6e\u7684\u5bc6\u78bc\uff0c\u67e5\u770b\u5230\u7684\u5bc6\u78bc\u70ba\u52a0\u5bc6\u7684\u5bc6\u78bc\u3002<\/p>\n\n\n\n
                \u5341\u4e09.\u512a\u5316\u958b\u6a5f\u81ea\u555f\u670d\u52d9<\/h3>\n\n\n\n
                \u5341\u56db.\u5167\u6838\u512a\u5316<\/h3>\n\n\n\n
                Linux\u670d\u52d9\u5668\u5167\u6838\u53c3\u6578\u512a\u5316,\u4e3b\u8981\u662f\u6307\u5728Linux\u7cfb\u7d71\u4e2d\u91dd\u5c0d\u696d\u52d9\u670d\u52d9\u61c9\u7528\u800c\u9032\u884c\u7684\u7cfb\u7d71\u5167\u6838\u53c3\u6578\u8abf\u6574\uff0c\u512a\u5316\u4e26\u7121\u4e00\u5b9a\u7684\u6a19\u6e96\u3002\u4e0b\u9762\u662f\u751f\u7522\u74b0\u5883\u4e0bLinux\u5e38\u898b\u7684\u5167\u6838\u512a\u5316\uff1a<\/p>\n\n\n\n
                cat >>\/etc\/sysctl.conf<<EOF
                #kernel_flag
                #\u95dc\u9589ipv6
                net.ipv6.conf.all.disable_ipv6 = 1
                net.ipv6.conf.default.disable_ipv6 = 1
                # \u907f\u514d\u653e\u5927\u653b\u64ca
                net.ipv4.icmp_echo_ignore_broadcasts = 1
                # \u958b\u555f\u60e1\u610ficmp\u932f\u8aa4\u6d88\u606f\u4fdd\u8b77
                net.ipv4.icmp_ignore_bogus_error_responses = 1
                #\u95dc\u9589\u8def\u7531\u8f49\u767c
                #net.ipv4.ip_forward = 0
                #net.ipv4.conf.all.send_redirects = 0
                #net.ipv4.conf.default.send_redirects = 0
                #\u958b\u555f\u53cd\u5411\u8def\u5f91\u904e\u6ffe
                net.ipv4.conf.all.rp_filter = 1
                net.ipv4.conf.default.rp_filter = 1
                #\u8655\u7406\u7121\u6e90\u8def\u7531\u7684\u5305
                net.ipv4.conf.all.accept_source_route = 0
                net.ipv4.conf.default.accept_source_route = 0
                #\u95dc\u9589sysrq\u529f\u80fd
                kernel.sysrq = 0
                #core\u6587\u4ef6\u540d\u4e2d\u6dfb\u52a0pid\u4f5c\u70ba\u64f4\u5c55\u540d
                kernel.core_uses_pid = 1
                # \u958b\u555fSYN\u6d2a\u6c34\u653b\u64ca\u4fdd\u8b77
                net.ipv4.tcp_syncookies = 1
                #\u4fee\u6539\u6d88\u606f\u968a\u5217\u9577\u5ea6
                kernel.msgmnb = 65536
                kernel.msgmax = 65536
                #\u8a2d\u7f6e\u6700\u5927\u5167\u5b58\u5171\u4eab\u6bb5\u5927\u5c0fbytes
                kernel.shmmax = 68719476736
                kernel.shmall = 4294967296
                #timewait\u7684\u6578\u91cf\uff0c\u9ed8\u8a8d180000
                net.ipv4.tcp_max_tw_buckets = 6000
                net.ipv4.tcp_sack = 1
                net.ipv4.tcp_window_scaling = 1
                net.ipv4.tcp_rmem = 4096        87380   4194304
                net.ipv4.tcp_wmem = 4096        16384   4194304
                net.core.wmem_default = 8388608
                net.core.rmem_default = 8388608
                net.core.rmem_max = 16777216
                net.core.wmem_max = 16777216
                #\u6bcf\u500b\u7db2\u7d61\u63a5\u53e3\u63a5\u6536\u6578\u64da\u5305\u7684\u901f\u7387\u6bd4\u5167\u6838\u8655\u7406\u9019\u4e9b\u5305\u7684\u901f\u7387\u5feb\u6642\uff0c\u5141\u8a31\u9001\u5230\u968a\u5217\u7684\u6578\u64da\u5305\u7684\u6700\u5927\u6578\u76ee
                net.core.netdev_max_backlog = 262144
                #\u9650\u88fd\u50c5\u50c5\u662f\u70ba\u4e86\u9632\u6b62\u7c21\u55ae\u7684DoS \u653b\u64ca
                net.ipv4.tcp_max_orphans = 3276800
                #\u672a\u6536\u5230\u5ba2\u6236\u7aef\u78ba\u8a8d\u4fe1\u606f\u7684\u9023\u63a5\u8acb\u6c42\u7684\u6700\u5927\u503c
                net.ipv4.tcp_max_syn_backlog = 262144
                net.ipv4.tcp_timestamps = 0
                #\u5167\u6838\u653e\u68c4\u5efa\u7acb\u9023\u63a5\u4e4b\u524d\u767c\u9001SYNACK \u5305\u7684\u6578\u91cf
                net.ipv4.tcp_synack_retries = 1
                #\u5167\u6838\u653e\u68c4\u5efa\u7acb\u9023\u63a5\u4e4b\u524d\u767c\u9001SYN \u5305\u7684\u6578\u91cf
                net.ipv4.tcp_syn_retries = 1
                #\u555f\u7528timewait \u5feb\u901f\u56de\u6536
                net.ipv4.tcp_tw_recycle = 1
                #\u958b\u555f\u91cd\u7528\u3002\u5141\u8a31\u5c07TIME-WAIT sockets \u91cd\u65b0\u7528\u65bc\u65b0\u7684TCP \u9023\u63a5
                net.ipv4.tcp_tw_reuse = 1
                net.ipv4.tcp_mem = 94500000 915000000 927000000
                net.ipv4.tcp_fin_timeout = 1
                #\u7576keepalive \u8d77\u7528\u7684\u6642\u5019\uff0cTCP \u767c\u9001keepalive \u6d88\u606f\u7684\u983b\u5ea6\u3002\u7f3a\u7701\u662f2 \u5c0f\u6642
                net.ipv4.tcp_keepalive_time = 30
                #\u5141\u8a31\u7cfb\u7d71\u6253\u958b\u7684\u7aef\u53e3\u7bc4\u570d
                net.ipv4.ip_local_port_range = 1024    65000
                #\u4fee\u6539\u9632\u706b\u58bb\u8868\u5927\u5c0f\uff0c\u9ed8\u8a8d65536
                #net.netfilter.nf_conntrack_max=655350
                #net.netfilter.nf_conntrack_tcp_timeout_established=1200
                # \u78ba\u4fdd\u7121\u4eba\u80fd\u4fee\u6539\u8def\u7531\u8868
                #net.ipv4.conf.all.accept_redirects = 0
                #net.ipv4.conf.default.accept_redirects = 0
                #net.ipv4.conf.all.secure_redirects = 0
                #net.ipv4.conf.default.secure_redirects = 0
                EOF
                \/sbin\/sysctl -p<\/pre>\n\n\n\n
                \u5341\u4e94.\u66f4\u65b0\u7cfb\u7d71\u5230\u6700\u65b0<\/h3>\n\n\n\n
                  \n
                1. \u66f4\u65b0\u88dc\u4e01\u4e26\u5347\u7d1a\u7cfb\u7d71\u7248\u672c<\/li>\n\n\n\n
                2. yum<\/mark>     update     -y<\/li>\n\n\n\n
                3. #\u53ea\u66f4\u65b0\u5b89\u5168\u88dc\u4e01\uff0c\u4e0d\u5347\u7d1a\u7cfb\u7d71\u7248\u672c<\/li>\n\n\n\n
                4. yum<\/mark>      –security check-update                     #\u6aa2\u67e5\u662f\u5426\u6709\u5b89\u5168\u88dc\u4e01<\/li>\n\n\n\n
                5. yum<\/mark>      update –security                   #\u66f4\u65b0\u5b89\u5168\u88dc\u4e01<\/li>\n<\/ol>\n\n\n\n
                  <\/p>\n","protected":false},"excerpt":{"rendered":"
                  \u4e00.\u95dc\u9589selinux \u4e8c.\u66f4\u6539\u70ba\u963f\u88cfyum\u6e90 \u4e09.\u63d0\u6b0adm\u7528\u6236\u53ef\u4ee5\u4f7f\u7528sudo \u56db.\u512a\u5316ssh\u9060\u7a0b…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"[]"},"categories":[7],"tags":[],"class_list":["post-277","post","type-post","status-publish","format-standard","hentry","category-centos"],"_links":{"self":[{"href":"https:\/\/support.hkguard.com\/index.php\/wp-json\/wp\/v2\/posts\/277","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/support.hkguard.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/support.hkguard.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/support.hkguard.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/support.hkguard.com\/index.php\/wp-json\/wp\/v2\/comments?post=277"}],"version-history":[{"count":5,"href":"https:\/\/support.hkguard.com\/index.php\/wp-json\/wp\/v2\/posts\/277\/revisions"}],"predecessor-version":[{"id":284,"href":"https:\/\/support.hkguard.com\/index.php\/wp-json\/wp\/v2\/posts\/277\/revisions\/284"}],"wp:attachment":[{"href":"https:\/\/support.hkguard.com\/index.php\/wp-json\/wp\/v2\/media?parent=277"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/support.hkguard.com\/index.php\/wp-json\/wp\/v2\/categories?post=277"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/support.hkguard.com\/index.php\/wp-json\/wp\/v2\/tags?post=277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}