
01-生产环境准备-centos7.x

禁止系统多余服务

# Stop the listed services now and keep them from starting at boot.
# NOTE(review): stopping firewalld leaves the host without any local packet
# filtering; this only holds up if a network-level firewall sits in front of
# these servers — confirm that is the case.
# chronyd is presumably stopped because ntpd is configured further down this page.
systemctl stop NetworkManager firewalld postfix chronyd
systemctl disable NetworkManager firewalld postfix chronyd

设置系统时区

设置系统时区为: Asia/Shanghai

配置服务器免密

跳板机端操作:

1.需要生成一个密钥对 (10.129.175.211)
ll /root/.ssh/
ssh-keygen    # 生成一对密钥
ls -l /root/.ssh/id_rsa*
/root/.ssh/id_rsa.pub 公钥
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgVlkGuHqounr92staRvYEoUbmqwKyRqTTDqf614ySINhj4J5I4+qW7Y5imUBwWvVpF3cC4PVdmdIdVONOp/WtrUyhjs1nqlQ1smlO1sB72vMqDjgHAgDqZ1d/bnoT8pIPl0AIzH2zE97lBuS+Jbx/i+Pis5NHcVFegqLkPX2H/e3U4DrWH3/dqFhYTej8mSz5+AiEklWlPnePuVXsJQ/1LSRQRZI3CqgbH0TRklApxLiPZZZJqwZygHI155UQLnrsCgxZt2Wuw+7jteLXVmie4WvmBhQlIkTRuPRlN/DOXNpdkcBGzaaYqzLcWCrRbfwfv0U60rfQU2EH02XlWkzf root@bj02-ceph-10e129e175e211

免密服务器端操作:

# Run on each target server: create root's .ssh directory and append the jump
# host's public key, so the jump host can log in as root with its key.
mkdir -p /root/.ssh/
# NOTE(review): 600 on a directory drops the execute (search) bit; the
# conventional mode for ~/.ssh is 700. root is not stopped by these bits, so
# the setup still works here, but 700 is the expected value.
chmod 600 /root/.ssh/
touch /root/.ssh/authorized_keys
chmod 644 /root/.ssh/authorized_keys
# Appending (>>) keeps any existing keys; running this twice duplicates the entry.
# Every server prepared this way trusts this one key for root access.
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgVlkGuHqounr92staRvYEoUbmqwKyRqTTDqf614ySINhj4J5I4+qW7Y5imUBwWvVpF3cC4PVdmdIdVONOp/WtrUyhjs1nqlQ1smlO1sB72vMqDjgHAgDqZ1d/bnoT8pIPl0AIzH2zE97lBuS+Jbx/i+Pis5NHcVFegqLkPX2H/e3U4DrWH3/dqFhYTej8mSz5+AiEklWlPnePuVXsJQ/1LSRQRZI3CqgbH0TRklApxLiPZZZJqwZygHI155UQLnrsCgxZt2Wuw+7jteLXVmie4WvmBhQlIkTRuPRlN/DOXNpdkcBGzaaYqzLcWCrRbfwfv0U60rfQU2EH02XlWkzf root@bj02-ceph-10e129e175e211' >>/root/.ssh/authorized_keys

配置系统DNS服务

[root@localhost ~]# cat /etc/resolv.conf
# Single public resolver; no second nameserver is listed as a fallback.
nameserver 114.114.114.114

配置本地YUM源

cat /etc/yum.repos.d/centos.repo 
# Internal CTyun mirror at 10.129.178.104 serving the CentOS, EPEL and Zabbix
# repositories over plain http.
# NOTE(review): every stanza below sets gpgcheck=0, so RPM signatures are never
# verified; package integrity rests entirely on the mirror host and the network
# path to it. gpgcheck=1 with the CentOS/EPEL/Zabbix signing keys would close
# that gap.
[MJQ-CTyun-Yum-Base]
name=CentOS-$releasever - Base
baseurl=http://10.129.178.104/ctyun/centos/$releasever/os/$basearch/
gpgcheck=0
enabled=1

[MJQ-CTyun-Yum-Updates]
name=CentOS-$releasever - Updates
baseurl=http://10.129.178.104/ctyun/centos/$releasever/updates/$basearch/
gpgcheck=0
enabled=1

[MJQ-CTyun-Yum-Extras]
name=CentOS-$releasever - Extras
baseurl=http://10.129.178.104/ctyun/centos/$releasever/extras/$basearch/
gpgcheck=0
enabled=1

[MJQ-CTyun-Yum-Qemu-Ev]
name=CentOS-$releasever - QEMU EV
baseurl=http://10.129.178.104/ctyun/centos/$releasever/virt/$basearch/kvm-common/
gpgcheck=0
enabled=1

[MJQ-CTyun-Yum-epel]
name=CentOS-$releasever - epel
baseurl=http://10.129.178.104/ctyun/epel/$releasever/$basearch/
failovermethod=priority
gpgcheck=0
enabled=1

[MJQ-CTyun-Yum-Zabbix]
name=Zabbix Official Repository - $basearch
baseurl=http://10.129.178.104/ctyun/zabbix/3.0/rhel/$releasever/$basearch/
enabled=1
gpgcheck=0

[MJQ-CTyun-Yum-Zabbix-Non-Supported]
name=Zabbix Official Repository non-supported - $basearch
baseurl=http://10.129.178.104/ctyun/zabbix/3.0/rhel/$releasever/non-supported/
enabled=1
gpgcheck=0

# Ceph luminous repository, kept here disabled (commented out).
#[CTyun-Yum-Ceph-Rpm-Luminous]
#name=CentOS-$releasever - Ceph luminous
#baseurl=http://10.129.178.104/ctyun/rpm-luminous/el7/$basearch/
#gpgcheck=0
#enabled=1

配置本地NTP服务

# cat /etc/ntp.conf 
# Where ntpd stores the measured clock frequency offset between restarts.
driftfile /var/lib/ntp/drift
# Default policy for all remote hosts: no configuration changes, no traps,
# no peering and no status queries.
restrict default nomodify notrap nopeer noquery
# The local host is unrestricted (needed for ntpq/ntpdc on the box itself).
restrict 127.0.0.1
restrict ::1
# Single internal upstream source; no fallback server is listed.
server 10.129.169.102 iburst
#server  127.127.1.0  iburst     local  clock
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
# Turns off the monitor/monlist facility that NTP amplification abuse relies on.
disable monitor

调整文件描述符

# cat /etc/security/limits.conf
# 文件最后插入如下内容
# End of file
# Open-file (nofile) and process-count (nproc) limits for PAM login sessions of
# all users ("*"); soft and hard are set equal, so sessions cannot raise them.
# NOTE(review): on CentOS 7, /etc/security/limits.d/20-nproc.conf is read after
# this file and may override the nproc lines — confirm it is adjusted as well.
# systemd-managed services do not read this file; they use LimitNOFILE/LimitNPROC.
*   soft    nofile  655350
*   hard    nofile  655350
*   soft    nproc   102400
*   hard    nproc   102400

检查命令:
# ulimit -n
655350

优化系统内核参数

# cat /etc/sysctl.conf 
# 文件最后插入如下内容
# Kernel network tuning appended to /etc/sysctl.conf; applied with sysctl -p.
# SYN cookies keep the listen queue usable under a SYN flood.
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_fin_timeout=30
# NOTE(review): tcp_tw_recycle rejects connections from clients behind NAT
# (per-destination timestamp check) and was removed in Linux 4.12; the CentOS 7
# 3.10 kernel still has it, but 0 is the safe value. tcp_tw_reuse on its own is
# the usual choice.
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_max_syn_backlog=10240
net.core.netdev_max_backlog=10240
# Do not answer ICMP echo sent to broadcast addresses (smurf-style reflection).
net.ipv4.icmp_echo_ignore_broadcasts=1
net.core.somaxconn=4096
net.core.wmem_default=8388608
net.core.rmem_default=8388608
net.core.rmem_max=16777216
net.core.wmem_max=16777216
# Strict reverse-path filtering (anti-spoofing); hosts with asymmetric routing
# across several interfaces need the loose mode (2) instead.
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_keepalive_time=300
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_max_orphans=3276800
# Ephemeral port range; the two values are whitespace-separated.
net.ipv4.ip_local_port_range=20000    65000
net.ipv4.neigh.default.gc_thresh1=10240
net.ipv4.neigh.default.gc_thresh2=20480
net.ipv4.neigh.default.gc_thresh3=40960
fs.inotify.max_user_instances=8192
# NOTE(review): this key only exists while the nf_conntrack module is loaded;
# with firewalld stopped above it may be absent, and sysctl -p then reports an
# error for this line — confirm on a target host.
net.netfilter.nf_conntrack_max=1048576
# NOTE(review): disabling selective ACK slows recovery from packet loss;
# presumably deliberate — confirm.
net.ipv4.tcp_sack=0

关闭selinux

# cat /etc/sysconfig/selinux 
# NOTE(review): "disabled" removes mandatory access control entirely and needs
# a reboot to take effect (getenforce below shows the result). "permissive"
# keeps the policy loaded and logs denials without enforcing, which preserves
# the audit trail and makes a later return to enforcing far easier.
SELINUX=disabled

检查命令:
# getenforce 
Disabled

更改root密码

将 root 密码更改为符合默认密码规范的密码

升级dns软件包

dnsmasq-2.78-1.el7.x86_64.rpm
dnsmasq-utils-2.78-1.el7.x86_64.rpm

退出系统tty登录界面

# Kick every tty login session (tty1..tty1000) by sending SIGKILL to the
# processes attached to each terminal.
# NOTE(review): the loop is written to a fixed path in /tmp and executed from
# there; a predictable /tmp name is a symlink/race risk and the indirection is
# unnecessary — the same for-loop can run directly in the current shell.
# NOTE(review): -kill (SIGKILL) gives the sessions no chance to exit cleanly;
# pkill -t tty$n with its default SIGTERM first would be gentler.
echo 'for n in `seq 1 1000`;do pkill -kill -t tty$n ;done' > /tmp/exit_root_tty ; sh /tmp/exit_root_tty ; rm -f /tmp/exit_root_tty

添加安全账户

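# Ansible tasks that create the operations account "secure": wheel membership,
# passwordless sudo, and the shared authorized_keys. All tasks carry the
# add_user tag so they can be run on their own.
- name: Add users
  user: name={{ item.name }} groups=wheel
  with_items:
    - { name: 'secure' }
  tags: add_user

# Edited through lineinfile so visudo validates the file before it is written;
# an unvalidated in-place edit of /etc/sudoers can lock every admin out of sudo.
# If the Defaults line is already commented out, the regexp matches nothing and
# the (harmless) comment line is appended.
- name: Sudoer config Defaults requiretty
  lineinfile: dest=/etc/sudoers regexp='^Defaults\s+requiretty' line='#Defaults    requiretty' validate='visudo -cf %s'
  tags: add_user

# NOPASSWD:ALL gives this account unrestricted root without re-authentication,
# so its SSH keys and password are as sensitive as root's own.
- name: Sudoer config
  lineinfile: dest=/etc/sudoers state=present line={{ item }} validate='visudo -cf %s'
  with_items:
    - 'User_Alias SYSADMINS = secure'
    - 'SYSADMINS       ALL=(ALL)       NOPASSWD:ALL'
  tags: add_user

# The password comes from the root_passwd variable (supply it from an encrypted
# vars file), never from the playbook text. no_log keeps the command and its
# output out of Ansible's logs; the value is still visible in the process list
# for the moment the shell runs, so the user module with a hashed password
# would be the cleaner route. chage -M 99999 effectively disables password
# expiry for the account.
- name: Set secure passwd
  shell: "echo '{{ root_passwd }}'|passwd --stdin secure ; sudo chage -M 99999 secure"
  no_log: true
  tags: add_user

- name: Create .ssh dir
  file: path=/home/secure/.ssh/ state=directory mode=0700 owner=secure group=secure
  tags: add_user

# Merges root's keys, /etc/authorized_keys and any existing keys for secure into
# one deduplicated authorized_keys, so every key that can log in as root can
# also log in as secure. ignore_errors hides a failed chmod/chown as well as
# the expected first-run failure of the backup copy — check the result.
- name: Send public other key
  shell: sudo chage -M 99999 secure ; sudo \cp /home/secure/.ssh/authorized_keys /home/secure/.ssh/authorized_keys_bak ; sudo cat /root/.ssh/authorized_keys /etc/authorized_keys /home/secure/.ssh/authorized_keys_bak|sort|uniq >/home/secure/.ssh/authorized_keys ; sudo chmod 644 /home/secure/.ssh/authorized_keys ; sudo chown secure:secure /home/secure/.ssh/authorized_keys ; sudo rm -f /home/secure/.ssh/authorized_keys_bak
  ignore_errors: True
  tags: add_user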

设置SSH超时时间

vim /etc/profile
# 文件最后插入如下内容
# Idle shell sessions are closed after 300 seconds.
# NOTE(review): a TMOUT exported from /etc/profile can be changed or unset by
# the user; `readonly TMOUT` after the export makes it enforceable.
export TMOUT=300
生效命令
source /etc/profile

设置历史命令记录数

vim /etc/profile
# 文件最后插入如下内容
# Keep only the last 10 commands in memory and in the history file.
# NOTE(review): this removes almost all of the command audit trail on the host;
# if the intent is accountability rather than secrecy, a larger HISTFILESIZE
# with HISTTIMEFORMAT, or auditd, preserves it — confirm this is intended.
export HISTSIZE=10
export HISTFILESIZE=10
生效命令
source /etc/profile

优化SSH服务

# vim /etc/ssh/sshd_config 
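# sshd_config does not accept a comment after a directive on the same line:
# sshd refuses to start with "garbage at end of line". The annotations have
# therefore been moved onto their own lines.
# Non-default listening port. If SELinux is re-enabled later, the port also
# needs the ssh_port_t label (semanage port -a -t ssh_port_t -p tcp 10000).
Port 10000
# Skip reverse DNS lookups on connecting clients (faster logins).
UseDNS no
# Key-based authentication only; the authorized_keys prepared above are the
# only way in.
PasswordAuthentication no

# Hardening: CTR-mode ciphers only.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
# Hardening: SHA-2 MACs. The previous hmac-sha1,hmac-ripemd160 pair is weak,
# and hmac-ripemd160 was removed from OpenSSH in 7.6, so it fails on newer
# clients and servers.
MACs hmac-sha2-256,hmac-sha2-512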
生效命令:
systemctl restart sshd