Linux操作系统基础优化系列
2022-11-18 本文已影响0人
小屁孩云熙
1. yum 源优化
1.1 Base源 和 epel源
# 01. 备份原来的 repo 文件
mkdir -p /etc/yum.repos.d/backup
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/backup/
# 02. 配置阿里源
## 原始配置
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
## 经过优化
cat >/etc/yum.repos.d/CentOS-Base.repo <<'EOF'
[base]
name=CentOS-$releasever - Base - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
[updates]
name=CentOS-$releasever - Updates - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
[extras]
name=CentOS-$releasever - Extras - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
EOF
cat >/etc/yum.repos.d/epel.repo <<'EOF'
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://mirrors.aliyun.com/epel/7/$basearch
failovermethod=priority
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
EOF
1.2 docker 源 和 k8s源
# 01. docker 源
curl -o /etc/yum.repos.d/docker-ce.repo https://download.docker.com/linux/centos/docker-ce.repo
sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo
# 可查看所有版本 并指定 版本安装
yum list docker-ce --showduplicates
yum -y install docker-ce-19.03.8 docker-ce-cli-19.03.8
# 02. k8s 源
cat > /etc/yum.repos.d/kubernetes.repo <<'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
repo_gpgcheck=0
EOF
# 查看所有版本 并 指定版本安装
yum -y list kubeadm --showduplicates | sort -r
yum -y install kubeadm-1.18.0-0 kubelet-1.18.0-0 kubectl-1.18.0-0
2. 安全优化
2.1 关闭安全设备
# 关闭防火墙
systemctl stop firewalld
systemctl disable firewalld
# 关闭 selinux
setenforce 0
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
# 检查
systemctl status firewalld
getenforce
grep SELINUX /etc/selinux/config
2.2 开启防火墙
# firewalld 系列
firewall-cmd --zone=public --add-port=$port/tcp --permanent && firewall-cmd --reload
# 配置文件
cat /etc/firewalld/zones/public.xml
# iptables 系列
iptables -I INPUT -s 0.0.0.0/0 -p tcp --dport $port -j ACCEPT && /etc/init.d/iptables save >/dev/null 2>&1
# 7版本需要安装
yum install iptables-services -y
systemctl start iptables
# 加载防火墙内核
## 防火墙相关模块 加载到内核中
## 写入到 开机自启动
cat >> /etc/rc.local <<EOF
modprobe ip_tables
modprobe iptables_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
EOF
# 检查加载的内容
lsmod | grep -E 'filter|nat|ipt'
[root@lb01 ~]# lsmod | grep -E 'filter|nat|ipt'
nf_nat_ftp 12809 0
nf_conntrack_ftp 18478 1 nf_nat_ftp
iptable_nat 12875 0
nf_nat_ipv4 14115 1 iptable_nat
nf_nat 26583 2 nf_nat_ftp,nf_nat_ipv4
ipt_REJECT 12541 2
nf_reject_ipv4 13373 1 ipt_REJECT
iptable_filter 12810 1
nf_conntrack 139264 8 nf_nat_ftp,ip_vs,nf_nat,xt_state,nf_nat_ipv4,xt_conntrack,nf_conntrack_ftp,nf_conntrack_ipv4
ip_tables 27126 2 iptable_filter,iptable_nat
libcrc32c 12644 4 xfs,ip_vs,nf_nat,nf_conntrack
# 保存输出到屏幕
iptables-save
# 保存至文件(可自定义文件)
iptables-save > /etc/sysconfig/iptables
# 恢复
iptables-restore < /etc/sysconfig/iptables
3. 常用软件优化
yum install -y vim tree wget bash-completion bash-completion-extras lrzsz net-tools sysstat iotop iftop htop unzip nc nmap telnet bc psmisc httpd-tools bind-utils nethogs expect ntpdate
4. 优化 ssh
sed -i -e 's/#UseDNS yes/UseDNS no/g' -e 's#GSSAPIAuthentication yes#GSSAPIAuthentication no#g' /etc/ssh/sshd_config
systemctl restart sshd
5. 配置时间同步
ntp1.aliyun.com
ntp2.aliyun.com
ntp1.tencent.com
ntp2.tencent.com
5.1 通过定时任务实现
# 编辑定时任务
crontab -e
# cron-id-001: sync the system time by yunxi
*/5 * * * * /sbin/ntpdate ntp1.aliyun.com &>/dev/null
5.2 通过 chrony 服务实现
# 01. 安装软件
yum install chrony -y
# 02. 修改配置 (/etc/chrony.conf)
server ntp1.aliyun.com iburst
server ntp1.tencent.com iburst
# 03. 启动服务
systemctl enable --now chronyd
## 注意:时间异常之后,需要重启服务,才能同步
6. 网络服务优化
# 关闭 NetworkManager 服务
systemctl stop NetworkManager
systemctl disable NetworkManager
# 优化网卡配置文件 eth0
cat >/etc/sysconfig/network-scripts/ifcfg-eth0 <<'EOF'
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.0.0.210
PREFIX=24
GATEWAY=10.0.0.2
DNS1=223.5.5.5
EOF
# 优化网卡配置文件 eth1
cat >/etc/sysconfig/network-scripts/ifcfg-eth1 <<'EOF'
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
NAME=eth1
DEVICE=eth1
ONBOOT=yes
IPADDR=172.16.1.210
PREFIX=24
EOF
# 重启网络服务
systemctl restart network
7. 修改文件描述符
# 永久修改
echo "* - nofile 65535" >>/etc/security/limits.conf
# 临时修改
ulimit -SHn 65535
8. 普通用户提权
## 建议使用 密钥认证(没有有效期)
# 创建普通用户(CloudScope@110119)
useradd tadmin
echo '123456'|passwd --stdin tadmin
# 禁止root用户远程登录
sed -i.bak 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
systemctl restart sshd
# 配置sudo提权
cp -a /etc/sudoers{,.bak}
echo "tadmin ALL=(ALL) ALL" >> /etc/sudoers
visudo -c
# 密钥对
.ssh/authorized_keys
9. 用户登录超时时间 配置
#设置登录超时时间为15分钟
echo "export TMOUT=900" >>/etc/profile
source /etc/profile
10. 修改账号密码 有效期
# 备份 /etc/login.defs 文件
cp /etc/login.defs{,.bak}
# 配置密码有效期
sed -i -r 's/PASS_MAX_DAYS.*[0-9]+$/PASS_MAX_DAYS 90/g' /etc/login.defs
# 配置密码最小长度
sed -i -r 's/PASS_MIN_LEN.*[0-9]+$/PASS_MIN_LEN 12/g' /etc/login.defs
