1、 vim /etc/profile 插入以下即可
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535
建议设置成无限制(unlimited)的一些重要设置是:
数据段长度:ulimit –d unlimited
最大内存大小:ulimit –m unlimited
堆栈大小:ulimit –s unlimited
CPU 时间:ulimit –t unlimited
虚拟内存:ulimit –v unlimited
source /etc/profile 执行生效
2、
vim /etc/sysctl.conf
插入以下:
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 1024 65535
执行以下命令使内核配置立马生效:
/sbin/sysctl -p
3、
vim /usr/include/bits/typesizes.h
修改 #define __FD_SETSIZE 65536
4、ntsysv保留
anacron
cpuspeed
crond
gpm
irqbalance
kudzu
lm_sensors
lvm2-monitor
mdmonitor
messagebus
microcde_ctl
network
pcscd
psacct
readahead_early
readahead_later
smartd
sshd
syslog
xfs
service NetworkManager stop
service NetworkManagerDispatcher stop
service acpid stop
service anacron start
service atd stop
service auditd stop
service autofs stop
service avahi-daemon stop
service avahi-dnsconfd stop
service bluetooth stop
service capi stop
service conman stop
service cpuspeed start
service crond start
service cups stop
service dhcdbd stop
service dkms_autoinstaller stop
service dund stop
service firstboot stop
service gpm start
service haldaemon stop
service hidd stop
service hplip stop
service ip6tables stop
service iptables stop
service irda stop
service irqbalance start
service isdn stop
service kudzu start
service lm_sensors start
service lvm2-monitor start
service mcstrans stop
service mdmonitor start
service mdmpd stop
service messagebus start
service microcode_ctl start
service multipathd stop
service netconsole stop
service netfs stop
service netplugd stop
service network start
service nfs stop
service nfslock stop
service nscd stop
service ntpd stop
service oddjobd stop
service pand stop
service pcscd start
service portmap stop
service psacct start
service rdisc stop
service readahead_early start
service readahead_later start
service restorecond stop
service rpcgssd stop
service rpcidmapd stop
service rpcsvcgssd stop
service saslauthd stop
service sendmail stop
service smartd start
service snmptrapd stop
service sshd start
service syslog start
service vncserver stop
service wdaemon stop
service winbind stop
service wpa_supplicant stop
service xfs start
service ypbind stop
service yum-updatesd stop
5、修改SSH 端口
vim /etc/ssh/sshd_config
Port 22 修改
PermitEmptyPasswords no 把#注销掉-禁止空密码帐户登入服务器!
MaxAuthTries 2 两次不行就切断重新SSH启动登入
6、远程5分钟无操作自动注销:
vim /etc/profile
最后添加:
export TMOUT=300 ---5分钟自动注销下来
找到
HISTSIZE=1000
修改为:
HISTSIZE=100 --减少日记字节为100KB,太大内容过多容易漏重要信息.
7、修改文件属性
chmod 700 /bin/rpm 只有root权限用户才可以使用rpm命定,安装软件包
chmod 664 /etc/hosts
chmod 644 /etc/passwd
chmod 644 /etc/exports
chmod 644 /etc/issue
chmod 664 /var/log/wtmp
chmod 664 /var/log/btmp
chmod 644 /etc/services
chmod 600 /etc/shadow
chmod 600 /etc/login.defs
chmod 600 /etc/hosts.allow
chmod 600 /etc/hosts.deny
chmod 600 /etc/securetty
chmod 600 /etc/security
chmod 600 /etc/ssh/ssh_host_key
chmod 600 /etc/ssh/sshd_config
chmod 600 /var/log/lastlog
chmod 600 /var/log/messages
8、禁止ping 用户使用ping不做任何反映
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all -- 禁止ping
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all -- 解除禁止ping操作
9、禁止IP伪装
vim /etc/host.conf
在里面加上:
nospoof on
10、防止DOS攻击:
vim /etc/security/limits.conf
加入以下配置:
* hard core 0
* hard rss 10000
* hard nproc 20
以上根据需求而论!
11、修改root帐户密码越复杂越好:
1、含有大小写字母;
2、含有数字;
3、含有字符;
4、不用自己生日等常关联的字母数字及字符。
12、删除部分不需要的用户和组:
# cut -d: -f1 /etc/passwd # 查看系统所有用户
# cut -d: -f1 /etc/group # 查看系统所有组
userdel adm
userdel lp
userdel news
userdel uucp
userdel games
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
13、垃圾IP封杀
# more /var/log/secure
首先通过以上命定观察多次扫描欲远程登入服务器的垃圾IP;
然后在
vim /etc/hosts.deny
增加:
sshd:192.168.1.1 ---这以192.168.1.1这个垃圾IP为例!
保存即可!