|
---1.使用Shell历史命令记录功能#/etc/bashrcHISTFILESIZE=4000 HISTSIZE=4000 HISTTIMEFORMAT='%F %T' export HISTTIMEFORMAT source /etc/bashrc---2.删减系统登录欢迎信息---2.1删除记录了操作系统的名称和版本号# vi /etc/ssh/sshd_config #添加如下记录Banner /etc/issue.net ---2.2 删除全部内容或更新成自己想要添加的内容 # vi /etc/motd---3.system timeout 5 minite auto logoutecho "TMOUT=300" >>/etc/profilesource /etc/profile----4.加固# chmod危险文件chmod 700 /bin/pingchmod 700 /usr/bin/fingerchmod 700 /usr/bin/whochmod 700 /usr/bin/wchmod 700 /usr/bin/locatechmod 700 /usr/bin/whereischmod 700 /sbin/ifconfigchmod 700 /usr/bin/picochmod 700 /bin/vichmod 700 /usr/bin/whichchmod 700 /usr/bin/gccchmod 700 /usr/bin/makechmod 700 /bin/rpm# history安全chattr +a /root/.bash_historychattr +i /root/.bash_history# chattr /etc/passwd /etc/shadowchattr +i /etc/passwdchattr +i /etc/shadowchattr +i /etc/groupchattr +i /etc/gshadow# add syncookie enable /etc/sysctl.confecho "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.confsysctl -p#修改配置文件vi /etc/login.defsPASS_MAX_DAYS 90 #新建用户的密码最长使用天数 PASS_MIN_DAYS 0 #新建用户的密码最短使用天数 PASS_WARN_AGE 7 #新建用户的密码到期提前提醒天数 PASS_MIN_LEN 9 #最小密码长度9---5.限制哪些账户能切换到root1) #vi /etc/pam.d/suauth required /lib/security/pam_wheel.so group=dba#usermod -Gdba test 将test用户加入到dba组---6.系统内核安全vi /etc/sysctl.conf# Kernel sysctl configuration file for Red Hat Linux## For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and# sysctl.conf(5) for more details.# Controls IP packet forwardingnet.ipv4.ip_forward = 0# Controls source route verificationnet.ipv4.conf.default.rp_filter = 1# Controls the System Request debugging functionality of the kernelkernel.sysrq = 0# Controls whether core dumps will append the PID to the core filename.# Useful for debugging multi-threaded applications.kernel.core_uses_pid = 1#Prevent SYN attacknet.ipv4.tcp_syncookies = 1net.ipv4.tcp_max_syn_backlog = 2048net.ipv4.tcp_synack_retries = 2# Disables packet forwardingnet.ipv4.ip_forward=0# Disables IP source routingnet.ipv4.conf.all.accept_source_route = 0net.ipv4.conf.lo.accept_source_route = 0net.ipv4.conf.eth0.accept_source_route = 0net.ipv4.conf.default.accept_source_route = 0# Enable IP spoofing protection, turn on source route verificationnet.ipv4.conf.all.rp_filter = 1net.ipv4.conf.lo.rp_filter = 1net.ipv4.conf.eth0.rp_filter = 1net.ipv4.conf.default.rp_filter = 1# Disable ICMP Redirect Acceptancenet.ipv4.conf.all.accept_redirects = 0net.ipv4.conf.lo.accept_redirects = 0net.ipv4.conf.eth0.accept_redirects = 0net.ipv4.conf.default.accept_redirects = 0# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packetsnet.ipv4.conf.all.log_martians = 1net.ipv4.conf.lo.log_martians = 1net.ipv4.conf.eth0.log_martians = 1# Disables IP source routingnet.ipv4.conf.all.accept_source_route = 0net.ipv4.conf.lo.accept_source_route = 0net.ipv4.conf.eth0.accept_source_route = 0net.ipv4.conf.default.accept_source_route = 0# Enable IP spoofing protection, turn on source route verificationnet.ipv4.conf.all.rp_filter = 1net.ipv4.conf.lo.rp_filter = 1net.ipv4.conf.eth0.rp_filter = 114net.ipv4.conf.default.rp_filter = 1# Disable ICMP Redirect Acceptancenet.ipv4.conf.all.accept_redirects = 0net.ipv4.conf.lo.accept_redirects = 0net.ipv4.conf.eth0.accept_redirects = 0net.ipv4.conf.default.accept_redirects = 0# Disables the magic-sysrq keykernel.sysrq = 0# Modify system limits for Ensim WEBppliancefs.file-max = 65000# Decrease the time default value for tcp_fin_timeout connectionnet.ipv4.tcp_fin_timeout = 15# Decrease the time default value for tcp_keepalive_time connectionnet.ipv4.tcp_keepalive_time = 1800# Turn off the tcp_window_scalingnet.ipv4.tcp_window_scaling = 0# Turn off the tcp_sacknet.ipv4.tcp_sack = 0# Turn off the tcp_timestampsnet.ipv4.tcp_timestamps = 0# Enable TCP SYN Cookie Protectionnet.ipv4.tcp_syncookies = 1# Enable ignoring broadcasts requestnet.ipv4.icmp_echo_ignore_broadcasts = 1# Enable bad error message Protectionnet.ipv4.icmp_ignore_bogus_error_responses = 1# Log Spoofed Packets, Source Routed Packets, Redirect Packetsnet.ipv4.conf.all.log_martians = 1# Set maximum amount of memory allocated to shm to 256MBkernel.shmmax = 268435456# Improve file system performancevm.bdflush = 100 1200 128 512 15 5000 500 1884 2# Improve virtual memory performancevm.buffermem = 90 10 60# Increases the size of the socket queue (effectively, q0).net.ipv4.tcp_max_syn_backlog = 1024# Increase the maximum total TCP buffer-space allocatablenet.ipv4.tcp_mem = 57344 57344 65536# Increase the maximum TCP write-buffer-space allocatablenet.ipv4.tcp_wmem = 32768 65536 52428815# Increase the maximum TCP read-buffer space allocatablenet.ipv4.tcp_rmem = 98304 196608 1572864# Increase the maximum and default receive socket buffer sizenet.core.rmem_max = 524280net.core.rmem_default = 524280# Increase the maximum and default send socket buffer sizenet.core.wmem_max = 524280net.core.wmem_default = 524280# Increase the tcp-time-wait buckets pool sizenet.ipv4.tcp_max_tw_buckets = 1440000# Allowed local port rangenet.ipv4.ip_local_port_range = 16384 65536# Increase the maximum memory used to reassemble IP fragmentsnet.ipv4.ipfrag_high_thresh = 512000net.ipv4.ipfrag_low_thresh = 446464# Increase the maximum amount of option memory buffersnet.core.optmem_max = 57344# Increase the maximum number of skb-heads to be cachednet.core.hot_list_length = 1024## DO NOT REMOVE THE FOLLOWING LINE!## nsobuild:20051206 sysctl -p
(以上内容不代表本站观点。) --------------------------------- |
本網站是"非商業"(non-commercial)。
