新增VM主機,規格為vcpu x2,ram 2G, 硬碟30GB(thin模式)
CentOS 6.x (64位元)安裝過程,
請選擇
1.Install system with basic video driver
2.英文介面,
3.時區為Asia/Taipei,「System clock uses UTC」不勾選
4.硬碟分割為:
/boot 200MB
/ 27.8GB
SWAP 2GB
/boot,/檔案格式皆為ext4
5.最小安裝(minimal)
系統設定
@網路卡設定
vi /etc/sysconfig/network-scripts/ifcfg-ethX
=
ONBOOT=yes
NM_CONTROLLED=no
=
@關掉 selinux
vi /etc/sysconfig/selinux
=
SELINUX=disabled
=
@安裝套件
yum install vim bind-utils nfs-utils ntsysv setuptool telnet dig wget net-snmp sysstat openssh-clients dmidecode ntpdate rsync mlocate glibc libgcc unzip man mailx tcpdump tracert traceroute mutt
(註: dig 由 bind-utils 提供,不是獨立套件; tracert 在 CentOS 套件庫中應該不存在(清單已含 traceroute),yum 會回報 No package available,執行後請確認其餘套件皆已安裝)
@安裝開發套件
yum groupinstall "Development Tools"
@安裝EPEL套件
rpm -ivh epel-release-6-8.noarch.rpm
(註: 安裝前先確認此 rpm 來自官方 EPEL 來源,並以 rpm -K epel-release-6-8.noarch.rpm 驗證簽章,避免安裝被竄改的套件)
@建立相關管理路徑
mkdir -p /manage/script
mkdir -p /manage/cronjob
@關閉IPv6
vi /etc/modprobe.d/blacklist-ipv6.conf
=
install ipv6 /bin/true
blacklist ipv6
=
yum remove iptables-ipv6
@5.4.2 Disable IPv6
vi /etc/sysconfig/network
=
NETWORKING_IPV6=no
=
vi /etc/sysconfig/network
=
IPV6INIT=no
=
vi /etc/modprobe.d/ipv6.conf
=
options ipv6 disable=1
=
@5.4.1.1 Disable IPv6 Router Advertisements
/sbin/sysctl -w net.ipv6.conf.all.accept_ra=0
/sbin/sysctl -w net.ipv6.conf.default.accept_ra=0
@5.4.1.2 Disable IPv6 Redirect Acceptance
/sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
/sbin/sysctl -w net.ipv6.conf.default.accept_redirects=0
@自動斷線
Profile
echo "export TMOUT=600" >> /etc/profile
@密碼設定
PAM
#6.3.2 Set Password Creation Requirement Parameters Using pam_cracklib
sed -i 's/pam_cracklib.so try_first_pass retry=3 type= /pam_cracklib.so try_first_pass retry=3 type= minlen=7 difok=3 dcredit=-1/g' /etc/pam.d/system-auth
vi /etc/pam.d/system-auth
=
password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=7 difok=3 dcredit=-1
=
vi /etc/login.defs
=
PASS_MAX_DAYS 90 --> 密碼有效天數,多久要變更密碼
PASS_MIN_DAYS 0 --> 變更密碼後要多久才能再修改密碼
PASS_MIN_LEN 5 --> 密碼的最小長度
PASS_WARN_AGE 7 --> 密碼失效之前幾天發出警告訊息
(註: 上方 pam_cracklib 已設 minlen=7,在使用 PAM 的系統上 passwd 以 pam_cracklib 的 minlen 為準,PASS_MIN_LEN 5 實際上不會生效;兩處數值建議調成一致,以免日後查核時混淆)
=
@系統日誌設定
log每日產生,保存30天。
vi /etc/logrotate.conf
=
daily
rotate 30
#compress 如需壓縮取消#
notifempty 空白檔案,不留存
=
@校時設定
NTP setting
vi /etc/crontab
=
## Date
0 * * * * root ntpdate 192.168.11.210 && /sbin/hwclock
=
(註: hwclock 不帶參數只會顯示硬體時鐘,不會寫入;若要把校正後的系統時間寫回硬體時鐘,需改用 /sbin/hwclock --systohc,否則重開機後時間仍會偏移,影響日誌時間戳的比對)
@安全性設定 /etc/sysctl.conf
(註: 以下 /sbin/sysctl -w 只會即時生效,重開機後即失效;請同時把相同的 key = value 寫入 /etc/sysctl.conf,再以 /sbin/sysctl -p 套用並確認。上方 5.4.1.1 / 5.4.1.2 的 ipv6 設定亦同)
TCP TIMESTAMPS Security
/sbin/sysctl -w net.ipv4.tcp_timestamps=0
5.2.2 Disable ICMP Redirect Acceptance
/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0
5.2.4 Log Suspicious Packets (Scored)
/sbin/sysctl -w net.ipv4.conf.all.log_martians=1
/sbin/sysctl -w net.ipv4.conf.default.log_martians=1
5.2.5 Enable Ignore Broadcast Requests (Scored)
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
5.2.6 Enable Bad Error Message Protection (Scored)
/sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
5.2.7 Enable RFC-recommended Source Route Validation
/sbin/sysctl -w net.ipv4.conf.all.rp_filter=1
/sbin/sysctl -w net.ipv4.conf.default.rp_filter=1
5.2.8 Enable TCP SYN Cookies
/sbin/sysctl -w net.ipv4.tcp_syncookies=1
@SSH Server設定 /etc/ssh/sshd_config
#6.2.8 Disable SSH Root Login
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
#6.2.12 Set Idle Timeout Interval for User Login
sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 600/g' /etc/ssh/sshd_config
sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 1/g' /etc/ssh/sshd_config
檢查以下設定: /etc/ssh/sshd_config
#6.2.1 Set SSH Protocol to 2
Protocol 2
#6.2.2 Set LogLevel to INFO
LogLevel INFO
#6.2.4 Disable SSH X11 Forwarding
X11Forwarding no
#6.2.5 Set SSH MaxAuthTries to 4 or Less
MaxAuthTries 4
#6.2.6 Set SSH IgnoreRhosts to Yes
IgnoreRhosts yes
#6.2.9 Set SSH PermitEmptyPasswords to No
PermitEmptyPasswords no
#6.2.10 Do Not Allow Users to Set Environment Options
PermitUserEnvironment no
#Disable the Weak Encryption Algorithms
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
(註: 上列 ciphers 仍包含 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc 等 CBC 模式演算法,這些正是一般視為弱演算法而要停用的項目;若目的是停用弱演算法,應只保留 aes128-ctr,aes192-ctr,aes256-ctr,並先確認現有客戶端支援 ctr 再套用,以免被鎖在外面)
#Disable the Weak MAC Algorithms
macs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160
(註: 上列 macs 仍包含 hmac-sha1 與 hmac-ripemd160,與標題「停用弱 MAC」不符;若要停用,應只保留 hmac-sha2-256,hmac-sha2-512)
#Disable DNS reverse
echo 'UseDNS no' >> /etc/ssh/sshd_config
#Disable GSSAPIAuthentication
echo 'GSSAPIAuthentication no' >> /etc/ssh/sshd_config
(註: 上方 sed 只在 sshd_config 內原本存在 #PermitRootLogin yes / #ClientAliveInterval 0 / #ClientAliveCountMax 3 這些預設註解行時才會替換,執行後請以 grep -i '^PermitRootLogin\|^ClientAlive' /etc/ssh/sshd_config 確認;修改完成後先用 /usr/sbin/sshd -t 檢查語法,再 service sshd restart,且保留原本的 ssh 連線直到新連線測試成功)
@修改hostname
vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=a.b.c
vim /etc/hosts
127.0.0.1 a.b.c a localhost localhost4 localhost4.localdomain4
192.168.111.xx a.b.c a
=======開發機先不安裝====
@防止暴力攻擊
FAIL2BAN
yum install -y fail2ban
vim /etc/fail2ban/jail.conf
(註: jail.conf 在套件更新時可能被覆蓋,自訂值建議寫在 /etc/fail2ban/jail.local,同名區段會覆蓋 jail.conf 的設定)
=
[ssh-iptables]
maxretry = 3
=
主機名稱it-dev01~it-dev03
192.168.1.231~233