查看系统32位还是64位
[root@i-92x8m5i3 logs]# uname -r
2.6.32-504.16.2.el6.x86_64
[root@i-92x8m5i3 logs]# uname -a
Linux i-92x8m5i3 2.6.32-504.16.2.el6.x86_64 #1 SMP Wed Apr 22 06:48:29 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@i-92x8m5i3 logs]# ls -d /lib64
/lib64
[root@local-dev ~]# uname -m
x86_64
[root@local-dev ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)配置网卡
使用setup命令或编辑/etc/sysconfig/network-scripts/ifcfg-eth0内容
网卡配置完成后执行ifup eth0 启动网卡ifconfig eth0 查看获取的ip
·ping baidu.com· 检测网卡是否畅通
尽量不用
/etc/init.d/network restart重启网卡,这会影响物理机上的所有网卡
[root@localhost ~]# ifdown eth0 && ifup eth0快速重启
网络畅通步骤一,查看网卡
[root@local-dev ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:50:56:94:6B:B4
inet addr:10.0.1.16 Bcast:10.0.1.255 Mask:255.255.254.0
inet6 addr: fe80::250:56ff:fe94:6bb4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9005200 errors:0 dropped:0 overruns:0 frame:0
TX packets:11334373 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1388103677 (1.2 GiB) TX bytes:6820763127 (6.3 GiB)网络畅通步骤二,查看默认网关
[root@local-dev ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 eth0网络畅通步骤三,查看dns设置
[root@local-dev ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 114.114.114.114在centos6.6中,只在确定的ifcfg-eth0网卡配置文件上配置dns,如果在/etc/resolv.conf上配置dns,使用命令
/etc/init.d/network restart会清除/etc/resolv.conf的dns配置
经过网络畅通三步骤应该就可以上网了
网卡的配置文件
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0 # 网卡名, eth1第二块网卡名,以此类推
TYPE=Ethernet # 上网类型,以太网
UUID=8d6bdf86-1fda-4334-99bb-74b634018e9d # 唯一标志码
ONBOOT=yes # 开机自启动
NM_CONTROLLED=yes # 是否通过NetworkManager管理网卡设备
BOOTPROTO=dhcp # 启动协议,none|bootp|dhcp三种选项
HWADDR=00:0C:29:50:98:80 # 网卡mac地址
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no # 是否支持IP6
NAME="System eth0"
LAST_CONNECT=1486401226
IPADDR=10.0.1.16 # 固定IP
PREFIX=23
GATEWAY=10.0.0.1
NETMASK=255.255.255.0 #子网掩码
DNS1=114.114.114.114 # 主DNS,默认会覆盖/etc/resolv.conf的配置更新系统,打补丁
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
yum clean all
yum makecache
yum update -y # 更新系统,打补丁安装额外的工具软件包
[root@localhost ~]# yum install tree telnet dos2unix sysstat lrzsz nc nmap -ysysstat包含了iostat(cpu使用率和硬盘吞吐率)、mpstat(单个或多个)处理器相关的数据、sor(收集报告并存储系统活跃信息)
yum grouplist查看所有包名称yum groupinstall "Development Tools"指定包组名安装,注意需要双引号
连接不上服务排查
一、检查物理链路是否有问题(客户端执行)
ping 10.0.0.7 # 排查线路问题
windows:tracert -d 10.0.0.7 # 检查线路是否畅通 -d 不进行反向解析
linux:traceroute 10.0.0.7 -n
二、服务是否开启端口(客户端执行)
telnet 10.0.0.7 22
nmap 10.0.0.7 -p 22 (linux环境,需要安装)
三、是否防火墙阻挡(服务端执行)
/etc/init.d/iptables status
例如:检查ssh服务是否开启
[root@i-92x8m5i3 backend]# ps -ef | grep sshd | grep -v grep
root 1075 1 0 May04 ? 00:00:00 /usr/sbin/sshd
root 2100 1075 0 10:25 ? 00:00:00 sshd: root@pts/2
root 5565 1075 0 12:21 ? 00:00:00 sshd: root@pts/3
root 19821 1075 0 Jun26 ? 00:00:03 sshd: root@pts/0,pts/1
[root@i-92x8m5i3 backend]# netstat -lntup | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1075/sshd
tcp 0 0 :::22 :::* LISTEN 1075/sshd 用户
[root@local-dev ~]# useradd ljq
[root@local-dev ~]# passwd ljq
Changing password for user ljq.
New password:
BAD PASSWORD: it is too simplistic/systematic
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@local-dev ~]# su - ljq
[ljq@chuangxin ~]$ whoami
ljq
[ljq@chuangxin ~]$ su - root
Password: 一句话完成密码设置,但是需要该用户已存在
[root@local-dev ~]# echo "1234" | passwd --stdin ljq && history -c
Changing password for user ljq.
passwd: all authentication tokens updated successfully.
[ljq@chuangxin ~]$ 普通用户为$美元符号
[root@local-dev ~]# root用户为#符号
[root@i-92x8m5i3 backend]# whoami # 查看当前用户
root
[root@i-92x8m5i3 backend]# hostname # 查看当前主机名
i-92x8m5i3
[root@local-dev ~]# echo $PS1 #设置PS1变量
\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@local-dev \[\e[35;40m\]\W\[\e[0m\]]\$安全设置
关闭SELinux
1、修改SELinux配置文件,使之永远失效
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELinux=disabled/' /etc/selinux/config
[root@localhost ~]# grep SELINUX=disabled /etc/selinux/config
SELINUX=disabled2、结合手动关闭,可避免重启
[root@localhost ~]# setenforce 0
setenforce: SELinux is disabled
[root@localhost ~]# getenforce
Disabled设定运行基本为3(文本模式)
[root@localhost ~]# runlevel
N 3
[root@localhost ~]# grep 3:initdefault /etc/inittab
id:3:initdefault:实现精简开机
默认启动只需要开启如下5种服务即可
sshd
rsylog 系统的守护进程使用rsylog程序将各种信息写到各个系统日志文件中
network 激活或关闭各个网络接口
crond
sysstat 检测系统性能及运行效率的工具
设置开机自自动项
方式一,执行命令完成设置
执行ntsysv命令或执行setup命令,选择system service选项
退出按Tab键进行选择Exit退出
方式二,使用shell完成设置
注意:只查找3级别的服务项即可
1、先全部关闭,在开启保留项
# 1、先查看level 3的服务开关状况
[root@localhost ~]# LANG=en
[root@localhost ~]# echo $LANG
en
[root@localhost ~]# chkconfig --list
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
blk-availability 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off
#2、关闭后,查看关闭状况
[root@localhost ~]# for oldboy in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 3 $oldboy off;done
[root@localhost ~]# chkconfig --list
auditd 0:off 1:off 2:on 3:off 4:on 5:on 6:off
blk-availability 0:off 1:on 2:on 3:off 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:off 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:off 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:off 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:off 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:off 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:off 4:on 5:on 6:off
network 0:off 1:off 2:on 3:off 4:on 5:on 6:off
postfix 0:off 1:off 2:on 3:off 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:on 3:off 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:off 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:off 4:on 5:on 6:off
# 3、开启后,查看开启状况
[root@localhost ~]# for oldboy in crond network rsyslog sshd sysstat;do chkconfig --level 3 $oldboy on;done
[root@localhost ~]# chkconfig --list
auditd 0:off 1:off 2:on 3:off 4:on 5:on 6:off
blk-availability 0:off 1:on 2:on 3:off 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:off 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:off 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:off 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:off 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:off 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix 0:off 1:off 2:on 3:off 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:off 4:on 5:on 6:off2、一条命令shell搞定
默认情况下,需要保留的服务,已经开启了,只需要把不用的状态关闭掉即可
[root@localhost ~]# for oldboy in `chkconfig --list | grep "3:on" | awk '{print $1}' | grep -vE "crond|network|sshd|rsyslog|sysstat"`;do chkconfig $oldboy off;done
[root@localhost ~]# chkconfig --list
auditd 0:off 1:off 2:on 3:off 4:on 5:on 6:off
blk-availability 0:off 1:on 2:on 3:off 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:off 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:off 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:off 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:off 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:off 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix 0:off 1:off 2:on 3:off 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:off 3:on 4:off 5:off 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:off 4:on 5:on 6:off3、循环语句搞定
原理如2,使用命令拼出处理的字符串,然后通过bash将其当做命令执行
[root@localhost ~]# chkconfig --list | grep -vE "crond|sshd|network|rsyslog|sysstat" | awk '{print "chkconfig " $1 " off"}' | bash
# 另外一种写法
[root@localhost ~]# chkconfig --list | grep 3:on | grep -vE "crond|sshd|network|rsyslog|sysstat" | awk '{print $1}' | sed -r 's#(.*)#chkconfig \1 off#g' | bash上面的操作会把iptables防火墙也关闭掉,当前系统没有关闭,需要执行
[root@localhost ~]# /etc/init.d/iptables stop iptables: Setting chains to policy ACCEPT: filter [ OK ] iptables: Flushing firewall rules: [ OK ] iptables: Unloading modules: [ OK ] [root@localhost ~]# /etc/init.d/iptables stop # 重复执行,确认关闭
修改ssh登录端口
1、改配置文件方式
2、使用sed命令改
sudo命令控制用户对系统命令的使用权限
TBD
Linux中文显示设置
[root@localhost ~]# cat /etc/sysconfig/i18n
LANG="zh_CN.UTF-8"
[root@localhost ~]# cp /etc/sysconfig/i18n /etc/sysconfig/i18n.ori
[root@localhost ~]# echo 'LANG="en_us.UTF-8"' > /etc/sysconfig/i18n
[root@localhost ~]# echo $LANG
en_us.UTF-8
[root@localhost ~]# source /etc/sysconfig/i18n # 马上生效设置Linux时间同步
TBD
历史数据history文件和登录超时设置
TBD
调整Linux文件描述符数量
TBD
Linux内核参数优化
TBD
定时清理邮件服务临时目录垃圾文件
TBD
隐藏Linux版本信息显示
TBD
锁定关键文件,防止篡改
TBD
清除多余虚拟账号
TBD
禁止系统被Ping
TBD
升级具有典型漏洞的软件版本
TBD
基础优化与安全
不用root登录,使用普通用户,通过sudo授权
更改默认ssh端口,禁止root远程登录,甚至修改ssh只监听内网IP
定时自动更新系统时间
更新yum源
关闭SELinux和iptables
调整文件描述符数量。进程及文件的打开都会消耗文件描述符数量
定时自动清零邮件临时目录,防止磁盘inode数量被小文件占满
精简开机任务(如只保留crond、sshd、network、rsyslog、systat)
linux内核优化/etc/sysctl.conf,执行sysctl -p生效
更改系统字符集LANG=en_us.UTF-8或LANG=zh_CN.UTF-8
锁定系统关键文件,如/etc/passwd、/etc/shadow、/etc/group、/etc/gshadow、/etc/inittab,处理以上内容吧chattr、lsatr改名为oldboy并转移,这样就安全多了。
清除系统版本信息,清空或修改/etc/issue、/etc/issue.net,去除登录后的系统信息显示
清除系统多余的虚拟用户账号
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用。你还可以使用@来通知其他用户。