首页 > 代码库 > linux安装后的基本调优和安全设置

linux安装后的基本调优和安全设置

关闭Selinux

  1. 方法一:用vi /etc/selinux/config修改

[root@liangenyu ~]# vi /etc/selinux/config 

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#     enforcing - SELinux security policy is enforced.

#     permissive - SELinux prints warnings instead of enforcing.

#     disabled - No SELinux policy is loaded.

SELINUX=disable

# SELINUXTYPE= can take one of these two values:

#     targeted - Targeted processes are protected,

#     mls - Multi Level Security protection.

SELINUXTYPE=targeted 


2.方法二:

sed -i s:替换并且修改文件

[root@liangenyu ~]# sed -i ‘s/SELINUX=enforcing/SELINUX=disable/‘ /etc/selinux/config

查看一下配置是否成功?

[root@liangenyu ~]# grep SELINUX=disable /etc/selinux/config 

SELINUX=disable


因为修改了配置需要重启才生效,工作中不可能经常重启系统,我们也将临时生效修改下!

[root@liangenyu ~]# setenforce 0

[root@liangenyu ~]# getenforce 

Permissive


修改系统启动模式

runlevel: 查看运行级别

init: 切换运行级别

[root@liangenyu ~]# runlevel 

N 3


不同模式切换:

init 0 重启

init 3 命令行模式

init 5 图形模式


用vi永久修改默认运行级别:

[root@liangenyu ~]# vi /etc/inittab 

# Default runlevel. The runlevels used are:

#   0 - halt (Do NOT set initdefault to this) 关机

#   1 - Single user mode 单用户模式

#   2 - Multiuser, without NFS (The same as 3, if you do not have networking) 多用户模式

#   3 - Full multiuser mode 命令行模式

#   4 - unused 不常用

#   5 - X11 图形模式

#   6 - reboot (Do NOT set initdefault to this) 重启

id:3:initdefault: 这里默认是第3命令行模式


精简启动程序:

前期需要启动的四个基本服务:crond network rsyslog ssh

查看级别3启动的服务名称:


[root@liangenyu ~]# LANG=en

[root@liangenyu ~]# chkconfig --list|grep "3:on"

NetworkManager 0:off1:off2:on3:on4:on5:on6:off

abrt-ccpp      0:off1:off2:off3:on4:off5:on6:off

abrtd          0:off1:off2:off3:on4:off5:on6:off

acpid          0:off1:off2:on3:on4:on5:on6:off

atd            0:off1:off2:off3:on4:on5:on6:off

auditd         0:off1:off2:on3:on4:on5:on6:off

autofs         0:off1:off2:off3:on4:on5:on6:off

blk-availability0:off1:on2:on3:on4:on5:on6:off

bluetooth      0:off1:off2:off3:on4:on5:on6:off

certmonger     0:off1:off2:off3:on4:on5:on6:off

cpuspeed       0:off1:on2:on3:on4:on5:on6:off

crond          0:off1:off2:on3:on4:on5:on6:off

cups           0:off1:off2:on3:on4:on5:on6:off

haldaemon      0:off1:off2:off3:on4:on5:on6:off


写个脚本一键完成处理:

[root@liangenyu ~]# vim serviceoff.sh

#/bin/bash

LANG=en

for liangenyu in `chkconfig --list|grep 3:on|awk ‘{print $1}‘`;

do chkconfig --level 3 $liangenyu off;

done

for liangenyu in crond network rsyslog sshd;

do chkconfig --level 3 $liangenyu on;


查看已成功:

[root@liangenyu ~]# chkconfig --list|grep "3:on"

crond          0:off1:off2:on3:on4:on5:on6:off

network        0:off1:off2:on3:on4:on5:on6:off

rsyslog        0:off1:off2:on3:on4:on5:on6:off

sshd           0:off1:off2:on3:on4:on5:on6:off




脚本二:


[root@liangenyu ~]# vim serviceon.sh 

#!/bin/bash

for liangenyu in `chkconfig --list|grep "3:on"|awk ‘{print $1}‘|grep -vE "crond|network|sshd|rsyslog"`;

do chkconfig $liangenyu off;

done

执行脚本,并且查看已成功!


[root@liangenyu ~]# ./serviceon.sh 

[root@liangenyu ~]# chkconfig --list|grep "3:on"

crond          0:off1:off2:on3:on4:on5:on6:off

network        0:off1:off2:on3:on4:on5:on6:off

rsyslog        0:off1:off2:on3:on4:on5:on6:off

sshd           0:off1:off2:on3:on4:on5:on6:off


更改SSH服务远程登录配置:

linux远程默认端口:22


默认超级用户:root

[root@liangenyu ~]# vim /etc/ssh//ssh_config 



#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $


# This is the sshd server system-wide configuration file.  See

# sshd_config(5) for more information.


# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin


# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented.  Uncommented options change a

# default value.

Port 52113 修改端口为52113

#Port 22   提示默认端口是22

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress ::


# To disable tunneled clear text passwords, change to no here!

#PasswordAuthentication yes

PermitEmptyPasswords no 改为不允许空密码登录

PasswordAuthentication yes


#LoginGraceTime 2m

PermitRootLogin no  ssh远程不能用root登录

#StrictModes yes

#MaxAuthTries 6

#MaxSessions 10




#AllowAgentForwarding yes

#AllowTcpForwarding yes

#GatewayPorts no

#X11Forwarding no

X11Forwarding yes

#X11DisplayOffset 10

#X11UseLocalhost yes

#PrintMotd yes

#PrintLastLog yes

#TCPKeepAlive yes

#UseLogin no

#UsePrivilegeSeparation yes

#PermitUserEnvironment no

#Compression delayed

#ClientAliveInterval 0

#ClientAliveCountMax 3

#ShowPatchLevel no

UseDNS no  DNS改为no

#PidFile /var/run/sshd.pid

#MaxStartups 10

#PermitTunnel no

#ChrootDirectory none


重启sshd服务

/etc/init.d/sshd restart==service sshd restart

[root@liangenyu ssh]# service sshd restart

停止 sshd:                                                [确定]

正在启动 sshd:                                            [确定]










本文出自 “linux运维分享” 博客,请务必保留此出处http://liangey.blog.51cto.com/9097868/1571432

linux安装后的基本调优和安全设置