1. 用戶組創建
groupadd -g 500 sysadm
groupadd -g 501 appadm
2. 用戶創建
useradd -u 500 -g 500 sysctl -m
passwd sysctl
    Gf9Jk6Hvuh
useradd -u 501 -g 500 sysadm -m
passwd sysadm
    TAZk9TmpR6
useradd -u 502 -g 501 nflow -m
passwd nflow
    DPe2cU4Ggb
（注：初始密碼以明文留在本文件中即視同已外洩；佈署後應要求首次登入即改密（chage -d 0 用戶名），或在步驟3公鑰可用後以 passwd -l 鎖定密碼。）
3. 導入公鑰
/home/sysctl/.ssh(mode 755)
/home/sysctl/.ssh/authorized_keys(mode 600)
/home/sysadm/.ssh(mode 755)
/home/sysadm/.ssh/authorized_keys(mode 600)
/home/nflow/.ssh(mode 755)
/home/nflow/.ssh/authorized_keys(mode 600)
（注：sshd 預設 StrictModes 會拒絕家目錄、.ssh 或 authorized_keys 為 group/world 可寫的情況，並要求檔案屬於該用戶；.ssh 目錄慣例上用 700，755 雖可通過檢查但沒有必要對外開放。）
4. 關閉ssh密碼登錄
/etc/ssh/sshd_config
    PasswordAuthentication no
（注：只關閉 PasswordAuthentication 時，鍵盤互動/PAM 路徑仍可能接受密碼，需一併確認 ChallengeResponseAuthentication no；修改後先 sshd -t 檢查語法再重載 sshd，且務必先用步驟3的公鑰另開一條連線確認能登入，避免把自己鎖在外面。）
5. 開啟公鑰登錄
/etc/ssh/sshd_config
RSAAuthentication yes
（注：RSAAuthentication 是 SSH-1 協定時代的選項，OpenSSH 7.4 起已移除，新版本會報 Deprecated option 警告；公鑰登入只需 PubkeyAuthentication yes。）
    PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
6. 關閉root ssh登錄
/etc/ssh/sshd_config
    PermitRootLogin no
7. 增加sudoer組
/etc/sudoers
    %sysadm         ALL=(ALL)       NOPASSWD: ALL
（注：步驟2中 sysctl 與 sysadm 兩個用戶的主組都是 GID 500 的 sysadm 組，因此兩者都會取得免密碼的完整 sudo，等同 root；若 sysctl 用戶不應有此權限，應改其主組。另請用 visudo 編輯，語法錯誤會導致 sudo 整個失效。）
8. 優化系統內核參數
/etc/sysctl.conf
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_abort_on_overflow = 1
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.ip_forward = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.core.netdev_max_backlog = 8192
net.core.somaxconn = 256
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 1048586
（注：1048586 不是 2 的冪，疑為 1048576（1 MiB）的筆誤，請核對原意。）
fs.file-max = 6553500
kernel.core_uses_pid = 1
kernel.shmmax = 2147483648
kernel.shmall = 1048576
kernel.shmmni = 4096
kernel.msgmnb = 65536
kernel.msgmax = 8192
kernel.perf_event_paranoid = 2
sysctl -p
9. 優化程序運行參數
/etc/security/limits.conf
root soft nofile 65535
root hard nofile 65535
* soft nofile 65535
* hard nofile 65535
/etc/security/limits.d/20-nproc.conf
* soft nproc 65536
root soft nproc unlimited
10. 優化shell環境參數
/etc/profile
ulimit -SHn 65535
11. 修改Shell提示符
/etc/bashrc
[ "$PS1" = "\\s-\\v\\\$ " ] && PS1="\[\033[0;32m\]<\u@\h \w>\\$ \[\033[0m\]"
12. 傳遞環境變量
/etc/sudoers
Defaults    env_keep += "SSH_CLIENT"
13. 保存命令歷史至指定日志文件
/etc/bashrc
readonly export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: ${SSH_CLIENT}: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'
（注：readonly 不會匯出變數，此處的 export 只是被當成一個變數名而被標為唯讀；PROMPT_COMMAND 由本 shell 自己讀取，不需匯出，寫成 readonly PROMPT_COMMAND='...' 即可。這種記錄只涵蓋互動式 bash，用戶以 bash --norc、其他 shell 或非互動方式執行的命令都不會被記到，屬於便利性審計而非防篡改審計；有稽核需求應搭配 auditd。）
/etc/rsyslog.d/bash.conf
local6.*    /var/log/commands_history.log
（注：此日誌含所有用戶輸入的完整命令列，可能夾帶以參數傳入的密碼或金鑰；rsyslog 預設 $FileCreateMode 為 0644，應在本設定中設為 0600 並限制該檔的讀取權限，同時納入 logrotate。）
systemctl restart rsyslog