
linux 内核优化

作者: 黑色彼岸 | 来源:发表于2019-11-13 15:21 被阅读0次

    1. 用户组创建

    groupadd -g 500 sysadm

    groupadd -g 501 appadm

    2. 用户创建

    useradd -u 500 -g 500 sysctl -m

    passwd sysctl

          Gf9Jk6Hvuh

          (注意:本文列出的三个口令已随文章公开,不应在任何真实主机上使用;应为每个账号单独生成随机口令,并保存在口令管理工具中,而不是写入文档。)

    useradd -u 501 -g 500 sysadm -m

    passwd sysadm

          TAZk9TmpR6

    useradd -u 502 -g 501 nflow -m

    passwd nflow

          DPe2cU4Ggb

    3. 导入公钥

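    /home/sysctl/.ssh(mode 755)

    (说明:.ssh 目录更常见的建议权限是 700。sshd 的 StrictModes 只拒绝组或其他用户可写的目录,755 可以正常登录,但其他本地用户能看到目录内容。以下各 .ssh 目录和 authorized_keys 的属主都应为对应用户本人。)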

    /home/sysctl/.ssh/authorized_keys(mode 600)

    /home/sysadm/.ssh(mode 755)

    /home/sysadm/.ssh/authorized_keys(mode 600)

    /home/nflow/.ssh(mode 755)

    /home/nflow/.ssh/authorized_keys(mode 600)

    4. 关闭ssh密码登录

    /etc/ssh/sshd_config

          PasswordAuthentication no

    5. 开启公钥登录

    /etc/ssh/sshd_config

    # RSAAuthentication 是 SSH 协议 1 的选项,OpenSSH 7.4 起已废弃,新版本可省略此行;公钥登录由 PubkeyAuthentication 控制
    RSAAuthentication yes

          PubkeyAuthentication yes

    AuthorizedKeysFile .ssh/authorized_keys

    6. 关闭root ssh登录

    /etc/ssh/sshd_config

          PermitRootLogin no

    (修改 sshd_config 后先用 sshd -t 检查语法,再重启 sshd 使第 4~6 步生效;断开当前会话之前,先另开一个会话确认公钥登录和 sudo 都可用,避免把自己锁在外面。)

    7. 增加sudoer组

    /etc/sudoers

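          # 请用 visudo 编辑本文件,以便保存前做语法检查
          # 注意:sysadm 组(gid 500)包含 sysctl 和 sysadm 两个用户;NOPASSWD: ALL 意味着这两个账号的 SSH 私钥一旦泄露即等同于 root 权限
          %sysadm         ALL=(ALL)       NOPASSWD: ALL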

    8. 优化系统内核参数

    /etc/sysctl.conf

    net.ipv4.tcp_syn_retries = 2

    net.ipv4.tcp_abort_on_overflow = 1

    net.ipv4.tcp_fin_timeout = 15

    net.ipv4.tcp_keepalive_time = 1200

    net.ipv4.tcp_keepalive_intvl = 30

    net.ipv4.tcp_keepalive_probes = 3

    net.ipv4.tcp_tw_reuse = 1

    net.ipv4.ip_local_port_range = 10000 65000

    net.ipv4.ip_forward = 0

    net.ipv4.conf.default.accept_source_route = 0

    net.ipv4.conf.all.accept_redirects = 0

    net.ipv4.conf.default.accept_redirects = 0

    net.ipv4.conf.all.secure_redirects = 0

    net.ipv4.conf.default.secure_redirects = 0

    net.core.netdev_max_backlog = 8192

    net.core.somaxconn = 256

    net.core.rmem_default = 262144

    net.core.rmem_max = 4194304

    net.core.wmem_default = 262144

    # 注:1048586 疑为 1048576(1 MiB)之误,请核对后再使用
    net.core.wmem_max = 1048586

    fs.file-max = 6553500

    kernel.core_uses_pid = 1

    kernel.shmmax = 2147483648

    kernel.shmall = 1048576

    kernel.shmmni = 4096

    kernel.msgmnb = 65536

    kernel.msgmax = 8192

    kernel.perf_event_paranoid = 2

    sysctl -p

    9. 优化程序运行参数

    /etc/security/limits.conf

    root soft nofile 65535

    root hard nofile 65535

    * soft nofile 65535

    * hard nofile 65535

    /etc/security/limits.d/20-nproc.conf

    * soft nproc 65536

    root soft nproc unlimited

    10. 优化shell环境参数

    /etc/profile

    ulimit -SHn 65535

    11. 修改Shell提示符

    /etc/bashrc

     [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="\[\033[0;32m\]<\u@\h \w>\\$ \[\033[0m\]"

    12. 传递环境变量

    /etc/sudoers

    Defaults    env_keep += "SSH_CLIENT"

    13. 保存命令历史至指定日志文件

    /etc/bashrc

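    # Log each interactive command to syslog (local6.debug): user, shell PID,
    # SSH client, command text and exit status.
    # `readonly export VAR=...` does not export VAR: it marks VAR and a variable
    # literally named "export" read-only. Export first, then lock the variable.
    # NOTE(review): this is an audit aid, not a tamper-proof control. Commands run
    # outside a shell that reads /etc/bashrc are not recorded, and any secret typed
    # on a command line ends up in the log.
    export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: ${SSH_CLIENT}: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'
    readonly PROMPT_COMMAND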

    /etc/rsyslog.d/bash.conf

    # 该日志可能包含命令行中输入的口令等敏感信息:请确认文件仅 root 可读,并为其配置 logrotate
    local6.*    /var/log/commands_history.log

    systemctl restart rsyslog
