惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

A
About on SuperTechFans
Cloudbric
Cloudbric
C
CERT Recently Published Vulnerability Notes
G
GRAHAM CLULEY
V
Vulnerabilities – Threatpost
C
Cisco Blogs
T
Tenable Blog
P
Privacy International News Feed
T
The Exploit Database - CXSecurity.com
I
Intezer
AWS News Blog
AWS News Blog
IT之家
IT之家
博客园 - 司徒正美
C
Cybersecurity and Infrastructure Security Agency CISA
博客园 - 【当耐特】
The Hacker News
The Hacker News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Spread Privacy
Spread Privacy
S
SegmentFault 最新的问题
博客园 - Franky
人人都是产品经理
人人都是产品经理
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
V
Visual Studio Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
H
Hacker News: Front Page
Latest news
Latest news
Scott Helme
Scott Helme
腾讯CDC
宝玉的分享
宝玉的分享
大猫的无限游戏
大猫的无限游戏
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
A
Arctic Wolf
S
Securelist
雷峰网
雷峰网
The GitHub Blog
The GitHub Blog
Project Zero
Project Zero
Google DeepMind News
Google DeepMind News
P
Palo Alto Networks Blog
F
Fortinet All Blogs
Schneier on Security
Schneier on Security
云风的 BLOG
云风的 BLOG
Security Archives - TechRepublic
Security Archives - TechRepublic
The Last Watchdog
The Last Watchdog
WordPress大学
WordPress大学
MongoDB | Blog
MongoDB | Blog
L
LINUX DO - 最新话题
S
Schneier on Security
NISL@THU
NISL@THU
Jina AI
Jina AI
M
MIT News - Artificial intelligence

lvbibir's Blog

shell | 磁盘空间分析脚本 Linux cat 和 tee 命令写入文件 python | 使用 uv 管理你的 python 环境 Claude Code 完整配置指南 windows | mihomo 内核独立部署指南 linux | 磁盘扩容 wsl | 释放长久运行占用的磁盘空间 mysql | 线程上限问题处理 麒麟 7.6 安装谷歌 OTP 认证模块 suse 12sp5 升级 openssh 及 openssl suse 12sp5 部署 mysql 5.7 《谁的青春不迷茫》 docker | centos7 部署 docker vim | 基础配置和使用 windows | rime 输入法 & 雾凇方案 shell | sshpass 批量传输文件及执行命令 wsl | 原生 linux 方式安装 docker nodejs | fnm + pnpm 开发环境配置 wsl | 安装配置 miniconda 虚拟环境 wsl | 自动更新系统代理 wsl | bashrc 环境变量不正确加载的处理方法 wsl | win10 安装 wsl2 troubleshooting | ssh 成功但是 scp 失败 linux | 常用命令总结 docker 部署 piclist shell | 检测网站存活并自动钉钉告警 Zabbix | 监控端口连通性并自动追踪 TCP 路由 windows | 自定义开机快速启动项 windows | miniconda 配置 python 虚拟环境 Zabbix | 监控主机到指定 ip 的流量大小 loki (二) 部署 loki (一) 简介 prometheus (六) Alertmanager prometheus (五) 记录规则与告警规则 prometheus (四) 黑盒监控 prometheus (三) 服务发现 prometheus (二) 静态配置 prometheus (一) 简介及部署 traefik (四) TraefikService 服务 traefik (三) Middleware 中间件 traefik (二) ingressRoute 路由 traefik (一) 简介、部署和配置 kubernetes | Gateway API 简介及部署 linux | dns 配置文件中 search 和 options ndots 详解 kubernetes | command args 和 dockerfile 中的 ENTRYPOINT CMD kubernetes | statefulset 控制器详解 docker | dockerfile 最佳实践 docker | dockerfile 指令详解 linux | kill 命令详解以及 linux 中的信号 troubleshooting | elasticsearch 安装插件报错 shell | if 条件判断 docker | 下载外网镜像的几种方式 python | 鬼谷子数学问题 steam挂刀教程 linux | history 命令的格式化输出 shell | 将本地镜像批量推送到 harbor windows | hosts 文件修复 kubernetes | configmap & secret kubernetes | RBAC 鉴权和 NetworkPolicy kubernetes | service & ingress kubernetes | 存储 kubernetes | 滚动升级和自动伸缩 kubernetes | 控制器 kubernetes | 日志 kubernetes | 调度 kubernetes | pod kubernetes | 杂记 linux | set 命令详解 ceph | openeuler 部署 ceph-v16 ceph | ceph-v16 离线安装解决方案 pxe 如何应对复杂的服务器硬件环境 python | 批量修改目录下文件名 《微习惯》 ceph | openeuler (aarch64) 部署 ceph-v16 troubleshooting | glibc 误升级后修复 pxe 安装配置大全 《人间失格》 跑步日常 [置顶] Hello, hugo! shell | 检索某 url 中所有文件的内容 shell | 不同执行方式的区别 shell | 开启 debug 模式 vscode | 常见问题 windows & linux 多网卡时设置默认路由以及添加静态路由 mysql (二) 主从复制原理 GTID 并行复制 mysql (一) 部署 mysql | 杂记 cicd | jenkins 部署 mall-swarm 项目 httpd 源码打包编译成 rpm 包 openssl 源码打包编译成 rpm 包 centos7 | 修改网卡名称 ceph | pool pg_num 配置 docker | 脚本方式批量导出/导入镜像 centos 密码尝试次数过多问题处理 centos7 | 升级内核至 5.10 CVE-1999-0526 ceph | centos7 部署 ceph-v12 python | 修改 pip 源 troubleshooting | 安装 cloud-init 后导致 ssh 连接失败 windows | autohotkey 常用脚本
shell | centos 初始化
lvbibir · 2023-08-01 · via lvbibir's Blog

0 前言

以 centos7 为例, 通常我们新装完操作系统后需要进行配置 yum 源, iptables, selinux, ntp 以及优化 kernel 等操作, 现分享一些较为通用的配置. 同时博主将这些配置整理成了脚本, 可以一键执行.

1 常用配置

1.1 iptables & selinux

sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
setenforce 0

iptables -F
systemctl disable --now firewalld

1.2 PS1 终端美化

cat > /etc/profile.d/PS1_conf.sh << 'EOF'
export PS1="\n[\[\e[31m\]\u\[\e[m\]@\[\e[32m\]\h\[\e[m\]] -\$?- \[\e[33m\]\$(pwd)\[\e[m\] \[\e[34m\]\$(date +'%F %T')\[\e[m\] \n(\#)$ "
EOF

source /etc/profile.d/PS1_conf.sh

1.3 history 格式化

cat > /etc/profile.d/history_conf.sh << 'EOF'
export HISTFILE="$HOME/.bash_history"  # 写入文件
export HISTSIZE=1000  # history输出记录数
export HISTFILESIZE=10000  # HISTFILE文件记录数
export HISTIGNORE="cmd1:cmd2:..."  # 忽略指定cmd1,cmd2...的命令不被记录到文件;(加参数时会记录)
export HISTCONTOL=ignoredups   # ignoredups 不记录“重复”的命令;连续且相同 方为“重复” 
export PROMPT_COMMAND="history -a"  # 设置每条命令执行完立即写入HISTFILE(默认等待退出会话写入)
export HISTTIMEFORMAT="$(whoami) %F %T "  # 设置命令执行时间格式,记录文件增加时间戳
shopt -s histappend  # 防止会话退出时覆盖其他会话写到HISTFILE的内容
EOF

source /etc/profile.d/history_conf.sh

1.4 ssh 公钥

mkdir /root/.ssh || true
chmod 700 /root/.ssh
cat > /root/.ssh/authorized_keys << 'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCeQZmPg93SNx6zzR/l4RiPnHtFPbDTSOL7AtJOIvrlMm300x1OM8a48VqYuKEx7B7WM7UhszVndg8efJv9UdOtOaa0o8L0Wd2uujn2rFKKok69c5i7c/jmU1my9MkEsKpkx1MHQWVZTFqayv/DB9L5GaE/ShChsTSlXoQ6rc6JC4k1zgSsoNSTLwPrbZcDOZWprt/AOhqCklf9mL1E50WTx9XsjxBLqJIwwVEzmHAhzIiVowjBKjJpQ6hEvygCz67gNVn0vAvHPvCz3amrkCQa333Z9r8tbY7mJpq2Anj4qWtlnL9kHreVK6YoKGvM8+DrbVoT5/zM7wMZ+tdLmreUsu4OhgDkE4IgUMHWQ3T1GyD1EjCkqCdSfJbrLaAR8v7g92uDXO5irIyYMc/iQJ8v4okus9Iid61zFF0SPgZEykOVfT7jJqH0a/630D41uD0TK90v5PicVdh1FfEfok8P4F4UHGLUly2jRVBESQ/TXVGPaMITHPEtYEpmT3kmnOk= 15810243114@163.com
EOF

chmod 600 /root/.ssh/authorized_keys

1.5 加速 ssh 连接

echo "UseDNS no" >> /etc/ssh/sshd_config

1.6 配置 yum 源

以实测最快的中科大源为例

mkdir /etc/yum.repos.d/bak || true
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak/ || true

cat > /etc/yum.repos.d/centos-ustc.repo << 'EOF'
[base]
name=CentOS-$releasever - Base
baseurl=https://mirrors.ustc.edu.cn/centos-vault/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[updates]
name=CentOS-$releasever - Updates
baseurl=https://mirrors.ustc.edu.cn/centos-vault/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras]
name=CentOS-$releasever - Extras
baseurl=https://mirrors.ustc.edu.cn/centos-vault/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[centosplus]
name=CentOS-$releasever - Plus
baseurl=https://mirrors.ustc.edu.cn/centos-vault/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF

cat > /etc/yum.repos.d/epel-ustc.repo << 'EOF'
[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
baseurl=https://mirrors.ustc.edu.cn/epel-archive/7/x86_64/
enabled=1
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever

[epel-debuginfo]
name=Extra Packages for Enterprise Linux $releasever - $basearch - Debug
baseurl=https://mirrors.ustc.edu.cn/epel-archive/7/x86_64/debug/
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux $releasever - $basearch - Source
baseurl=https://mirrors.ustc.edu.cn/epel-archive/7/source/tree/
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever
gpgcheck=1
EOF

yum clean all
yum makecache fast
yum install -y wget net-tools vim bash-completion ntpdate

1.7 时间配置

timedatectl set-timezone Asia/Shanghai
ntpdate time.windows.com

1.8 limit

cat >> /etc/security/limits.conf << 'EOF'
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF

1.9 kernel

cat >> /etc/sysctl.d/99-sysctl.conf << 'EOF'
# 关闭ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1

# 开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# 关闭sysrq功能
kernel.sysrq = 0

# core文件名中添加pid作为扩展名
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1

# 修改消息队列长度
kernel.msgmnb = 65536
kernel.msgmax = 65536

# 设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

# timewait的数量,默认180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096        87380   4194304
net.ipv4.tcp_wmem = 4096        16384   4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144

# 限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800

# 收到客户端确认信息的连接请求的最大值
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0

# 内核放弃建立连接之前发送SYNACK 包的数量
net.ipv4.tcp_synack_retries = 1

# 内核放弃建立连接之前发送SYN 包的数量
net.ipv4.tcp_syn_retries = 1

# 启用timewait 快速回收
net.ipv4.tcp_tw_recycle = 1

# 开启重用。允许将TIME-WAIT sockets 重新用于新的TCP连接
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1

# 当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时
net.ipv4.tcp_keepalive_time = 30

# 修改防火墙表大小,默认65536
#net.netfilter.nf_conntrack_max=655350
#net.netfilter.nf_conntrack_tcp_timeout_established=1200

EOF

sysctl -p

2 一键脚本

#!/bin/bash

set -e

if [ "$(id -u)" -ne 0 ]; then
    echo "当前用户不是管理员。请使用管理员权限运行此脚本。"
    exit 1
fi

echo "========start============="

function setup_selinux_firewalld() {

    echo "========selinux==========="
    sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
    setenforce 0

    echo "========firewalld========="
    iptables -F
    systemctl disable --now firewalld

}

function setup_format_history() {

    echo "========history format========"
    cat > /etc/profile.d/history_conf.sh << 'EOF'
export HISTFILE="$HOME/.bash_history"  # 写入文件
export HISTSIZE=1000  # history输出记录数
export HISTFILESIZE=10000  # HISTFILE文件记录数
export HISTIGNORE="cmd1:cmd2:..."  # 忽略指定cmd1,cmd2...的命令不被记录到文件;(加参数时会记录)
export HISTCONTOL=ignoredups   # ignoredups 不记录“重复”的命令;连续且相同 方为“重复” 
export PROMPT_COMMAND="history -a"  # 设置每条命令执行完立即写入HISTFILE(默认等待退出会话写入)
export HISTTIMEFORMAT="$(whoami) %F %T "  # 设置命令执行时间格式,记录文件增加时间戳
shopt -s histappend  # 防止会话退出时覆盖其他会话写到HISTFILE的内容
EOF

    source /etc/profile.d/history_conf.sh

}

function setup_ssh() {

    echo "========add ssh key========"
    mkdir /root/.ssh || true
    chmod 700 /root/.ssh
    cat > /root/.ssh/authorized_keys << 'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCeQZmPg93SNx6zzR/l4RiPnHtFPbDTSOL7AtJOIvrlMm300x1OM8a48VqYuKEx7B7WM7UhszVndg8efJv9UdOtOaa0o8L0Wd2uujn2rFKKok69c5i7c/jmU1my9MkEsKpkx1MHQWVZTFqayv/DB9L5GaE/ShChsTSlXoQ6rc6JC4k1zgSsoNSTLwPrbZcDOZWprt/AOhqCklf9mL1E50WTx9XsjxBLqJIwwVEzmHAhzIiVowjBKjJpQ6hEvygCz67gNVn0vAvHPvCz3amrkCQa333Z9r8tbY7mJpq2Anj4qWtlnL9kHreVK6YoKGvM8+DrbVoT5/zM7wMZ+tdLmreUsu4OhgDkE4IgUMHWQ3T1GyD1EjCkqCdSfJbrLaAR8v7g92uDXO5irIyYMc/iQJ8v4okus9Iid61zFF0SPgZEykOVfT7jJqH0a/630D41uD0TK90v5PicVdh1FfEfok8P4F4UHGLUly2jRVBESQ/TXVGPaMITHPEtYEpmT3kmnOk= 15810243114@163.com
EOF
    chmod 600 /root/.ssh/authorized_keys

    echo "=========setup ssh========"
    echo "UseDNS no" >> /etc/ssh/sshd_config

}

function setup_yum() {

    echo "====backup repo==========="
    mkdir /etc/yum.repos.d/bak || true
    mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak/ || true

    echo "====configure tuna repo===="
    cat > /etc/yum.repos.d/centos-tuna.repo << 'EOF'
[base]
name=CentOS-$releasever - Base
baseurl=https://mirrors.ustc.edu.cn/centos-vault/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[updates]
name=CentOS-$releasever - Updates
baseurl=https://mirrors.ustc.edu.cn/centos-vault/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras]
name=CentOS-$releasever - Extras
baseurl=https://mirrors.ustc.edu.cn/centos-vault/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[centosplus]
name=CentOS-$releasever - Plus
baseurl=https://mirrors.ustc.edu.cn/centos-vault/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

EOF


    cat > /etc/yum.repos.d/epel-ustc.repo << 'EOF'
[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
baseurl=https://mirrors.ustc.edu.cn/epel-archive/7/x86_64/
enabled=1
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever

[epel-debuginfo]
name=Extra Packages for Enterprise Linux $releasever - $basearch - Debug
baseurl=https://mirrors.ustc.edu.cn/epel-archive/7/x86_64/debug/
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux $releasever - $basearch - Source
baseurl=https://mirrors.ustc.edu.cn/epel-archive/7/source/tree/
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever
gpgcheck=1
EOF



    echo "====upgrade yum============"
    yum clean all
    yum makecache fast

    echo "====dowload tools========="
    yum install -y wget net-tools vim bash-completion ntpdate

}

function setup_time_limit() {

    echo "=======setup timezone and ntp======"
    timedatectl set-timezone Asia/Shanghai
    ntpdate time.windows.com

    echo "=======modify limit========="
    cat >> /etc/security/limits.conf << 'EOF'
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF

}

function setup_kernel() {

    echo "========Optimize kernel========"
    cat >> /etc/sysctl.d/99-sysctl.conf << 'EOF'
# 关闭ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1

# 开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# 关闭sysrq功能
kernel.sysrq = 0

# core文件名中添加pid作为扩展名
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1

# 修改消息队列长度
kernel.msgmnb = 65536
kernel.msgmax = 65536

# 设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

# timewait的数量,默认180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096        87380   4194304
net.ipv4.tcp_wmem = 4096        16384   4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144

# 限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800

# 收到客户端确认信息的连接请求的最大值
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0

# 内核放弃建立连接之前发送SYNACK 包的数量
net.ipv4.tcp_synack_retries = 1

# 内核放弃建立连接之前发送SYN 包的数量
net.ipv4.tcp_syn_retries = 1

# 启用timewait 快速回收
net.ipv4.tcp_tw_recycle = 1

# 开启重用。允许将TIME-WAIT sockets 重新用于新的TCP连接
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1

# 当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时
net.ipv4.tcp_keepalive_time = 30

# 修改防火墙表大小,默认65536
#net.netfilter.nf_conntrack_max=655350
#net.netfilter.nf_conntrack_tcp_timeout_established=1200

EOF

    sysctl -p

}

setup_selinux_firewalld
setup_format_history
setup_ssh
setup_yum
setup_time_limit
setup_kernel

echo "=========finish============"

exit 0

以上

wechat_pay

微信

alipay

支付宝