linux安装后的基本调优和安全设置

43teer

关闭Selinux

• 方法一：用vi /etc/selinux/config修改
  
  

[iyunv@liangenyu ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disable
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

2.方法二：
sed -i s:替换并且修改文件
[iyunv@liangenyu ~]# sed -i 's/SELINUX=enforcing/SELINUX=disable/' /etc/selinux/config
查看一下配置是否成功？
[iyunv@liangenyu ~]# grep SELINUX=disable /etc/selinux/config
SELINUX=disable

因为修改了配置需要重启才生效，工作中不可能经常重启系统，我们也将临时生效修改下！

[iyunv@liangenyu ~]# setenforce 0
[iyunv@liangenyu ~]# getenforce
Permissive

修改系统启动模式：
runlevel: 查看运行级别
init: 切换运行级别
[iyunv@liangenyu ~]# runlevel
N 3

不同模式切换：

init 0 重启

init 3 命令行模式

init 5 图形模式

用vi永久修改默认运行级别：

[iyunv@liangenyu ~]# vi /etc/inittab
# Default runlevel. The runlevels used are:
#   0 - halt (Do NOT set initdefault to this) 关机
#   1 - Single user mode 单用户模式
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking) 多用户模式
#   3 - Full multiuser mode 命令行模式
#   4 - unused 不常用
#   5 - X11 图形模式
#   6 - reboot (Do NOT set initdefault to this) 重启
id:3:initdefault: 这里默认是第3命令行模式

精简启动程序：
前期需要启动的四个基本服务：crond network rsyslog ssh
查看级别3启动的服务名称：


[iyunv@liangenyu ~]# LANG=en
[iyunv@liangenyu ~]# chkconfig --list|grep "3:on"
NetworkManager 0:off1:off2:on3:on4:on5:on6:off
abrt-ccpp      0:off1:off2:off3:on4:off5:on6:off
abrtd          0:off1:off2:off3:on4:off5:on6:off
acpid          0:off1:off2:on3:on4:on5:on6:off
atd            0:off1:off2:off3:on4:on5:on6:off
auditd         0:off1:off2:on3:on4:on5:on6:off
autofs         0:off1:off2:off3:on4:on5:on6:off
blk-availability0:off1:on2:on3:on4:on5:on6:off
bluetooth      0:off1:off2:off3:on4:on5:on6:off
certmonger     0:off1:off2:off3:on4:on5:on6:off
cpuspeed       0:off1:on2:on3:on4:on5:on6:off
crond          0:off1:off2:on3:on4:on5:on6:off
cups           0:off1:off2:on3:on4:on5:on6:off
haldaemon      0:off1:off2:off3:on4:on5:on6:off

写个脚本一键完成处理：

[iyunv@liangenyu ~]# vim serviceoff.sh
#/bin/bash

LANG=en
for liangenyu in `chkconfig --list|grep 3:on|awk '{print $1}'`;
do chkconfig --level 3 $liangenyu off;
done
for liangenyu in crond network rsyslog sshd;
do chkconfig --level 3 $liangenyu on;
查看已成功：

[iyunv@liangenyu ~]# chkconfig --list|grep "3:on"
crond          0:off1:off2:on3:on4:on5:on6:off
network        0:off1:off2:on3:on4:on5:on6:off
rsyslog        0:off1:off2:on3:on4:on5:on6:off
sshd           0:off1:off2:on3:on4:on5:on6:off



脚本二：

[iyunv@liangenyu ~]# vim serviceon.sh
#!/bin/bash
for liangenyu in `chkconfig --list|grep "3:on"|awk '{print $1}'|grep -vE "crond|network|sshd|rsyslog"`;
do chkconfig $liangenyu off;
done
执行脚本，并且查看已成功！

[iyunv@liangenyu ~]# ./serviceon.sh
[iyunv@liangenyu ~]# chkconfig --list|grep "3:on"
crond          0:off1:off2:on3:on4:on5:on6:off
network        0:off1:off2:on3:on4:on5:on6:off
rsyslog        0:off1:off2:on3:on4:on5:on6:off
sshd           0:off1:off2:on3:on4:on5:on6:off
更改SSH服务远程登录配置：
linux远程默认端口：22

默认超级用户:root

[iyunv@liangenyu ~]# vim /etc/ssh//ssh_config


#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.
Port 52113 修改端口为52113
#Port 22   提示默认端口是22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no 改为不允许空密码登录
PasswordAuthentication yes

#LoginGraceTime 2m
PermitRootLogin no  ssh远程不能用root登录
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10



#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
UseDNS no  DNS改为no
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
重启sshd服务
/etc/init.d/sshd restart==service sshd restart
[iyunv@liangenyu ssh]# service sshd restart
停止 sshd：                                                [确定]
正在启动 sshd：                                            [确定]