2018年9月13日 星期四

公司wiki centos7 建置步驟

新增VM主機,規格為vcpu x2,ram 2G, 硬碟30GB(thin模式)
 
CentOS 6.x (64位元)安裝過程,
請選擇
1.Install system with basic video driver
2.英文介面,
3.時區為Asia/Taipei,「System clock uses UTC」不勾選
4.硬碟分割為:
  /boot  200MB
  /      27.8GB
  SWAP 2GB
  /boot,/檔案格式皆為ext4
5.最小安裝(minimal)
 
系統設定
@網路卡設定
vi /etc/sysconfig/network-scripts/ifcfg-ethX
=
ONBOOT=yes
NM_CONTROLLED=no
=
 
@關掉 selinux
vi /etc/sysconfig/selinux     
=
SELINUX=disabled
=
 
@安裝套件
yum install vim bind-utils nfs-utils ntsysv setuptool telnet dig wget net-snmp sysstat openssh-clients dmidecode ntpdate rsync mlocate glibc libgcc unzip man mailx tcpdump tracert traceroute mutt
 
@安裝開發套件
yum groupinstall "Development Tools"
 
@安裝EPEL套件
rpm -ivh epel-release-6-8.noarch.rpm
 
@建立相關管理路徑
mkdir -p /manage/script
mkdir -p /manage/cronjob
 
@關閉IPv6
vi /etc/modprobe.d/blacklist-ipv6.conf
=
install ipv6 /bin/true
blacklist ipv6
=
yum remove iptables-ipv6
 
@5.4.2 Disable IPv6
vi /etc/sysconfig/network
=
NETWORKING_IPV6=no
=
 
vi /etc/sysconfig/network
=
IPV6INIT=no
=
 
vi /etc/modprobe.d/ipv6.conf
=
options ipv6 disable=1
=
 
@5.4.1.1 Disable IPv6 Router Advertisements
/sbin/sysctl -w net.ipv6.conf.all.accept_ra=0
/sbin/sysctl -w net.ipv6.conf.default.accept_ra=0
 
@5.4.1.2 Disable IPv6 Redirect Acceptance 
/sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
/sbin/sysctl -w net.ipv6.conf.default.accept_redirects=0
 
 
@自動斷線
Profile
echo "export TMOUT=600" >> /etc/profile
 
@密碼設定
PAM
#6.3.2 Set Password Creation Requirement Parameters Using pam_cracklib
sed -i 's/pam_cracklib.so try_first_pass retry=3 type= /pam_cracklib.so try_first_pass retry=3 type= minlen=7 difok=3 dcredit=-1/g' /etc/pam.d/system-auth
 
vi /etc/pam.d/system-auth   (確認上一步的 sed 已生效；若原行在 type= 之後沒有空白而未被匹配,請手動改為下列內容)
=
password    requisite     pam_cracklib.so try_first_pass retry=3 type= minlen=7 difok=3 dcredit=-1
=
 
vi /etc/login.defs
=
PASS_MAX_DAYS   90   --> 密碼有效天數,多久要變更密碼
PASS_MIN_DAYS     0       --> 變更密碼後要多久才能再修改密碼
PASS_MIN_LEN        5       --> 密碼的最小長度
PASS_WARN_AGE   7       --> 密碼失效之前幾天發出警告訊息
=
 
@系統日誌設定
log每日產生,保存30天。
vi /etc/logrotate.conf
=
daily 
rotate 30
#compress        --> 如需壓縮,請移除行首的 #
notifempty       --> 空白檔案不留存
=
 
@校時設定
NTP setting
vi /etc/crontab
=
## Date
# 注意: /sbin/hwclock 不帶參數只會顯示硬體時鐘,不會寫入;若要把校正後的系統時間寫回硬體時鐘,需使用 hwclock -w
0 * * * * root ntpdate 192.168.11.210 && /sbin/hwclock
=
 
@安全性設定  /etc/sysctl.conf  (本文所有 sysctl -w 指令只在重新開機前有效;相同的 key=value 需一併寫入 /etc/sysctl.conf 才會持久生效)
TCP TIMESTAMPS Security
/sbin/sysctl -w net.ipv4.tcp_timestamps=0
 
5.2.2 Disable ICMP Redirect Acceptance 
/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0
 
5.2.4 Log Suspicious Packets (Scored)
/sbin/sysctl -w net.ipv4.conf.all.log_martians=1
/sbin/sysctl -w net.ipv4.conf.default.log_martians=1
 
5.2.5 Enable Ignore Broadcast Requests (Scored)
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
 
5.2.6 Enable Bad Error Message Protection (Scored)
/sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
 
5.2.7 Enable RFC-recommended Source Route Validation
/sbin/sysctl -w net.ipv4.conf.all.rp_filter=1
/sbin/sysctl -w net.ipv4.conf.default.rp_filter=1
 
5.2.8 Enable TCP SYN Cookies 
/sbin/sysctl -w net.ipv4.tcp_syncookies=1
 
@SSH Server設定  /etc/ssh/sshd_config
#6.2.8 Disable SSH Root Login
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
 
#6.2.12 Set Idle Timeout Interval for User Login
sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 600/g' /etc/ssh/sshd_config
sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 1/g' /etc/ssh/sshd_config
 
檢查以下設定: /etc/ssh/sshd_config
#6.2.1 Set SSH Protocol to 2
Protocol 2
 
#6.2.2 Set LogLevel to INFO
LogLevel INFO
 
#6.2.4 Disable SSH X11 Forwarding
X11Forwarding no
 
#6.2.5 Set SSH MaxAuthTries to 4 or Less
MaxAuthTries 4
 
#6.2.6 Set SSH IgnoreRhosts to Yes
IgnoreRhosts yes
 
#6.2.9 Set SSH PermitEmptyPasswords to No
PermitEmptyPasswords no
 
#6.2.10 Do Not Allow Users to Set Environment Options
PermitUserEnvironment no
 
#Disable the Weak Encryption Algorithms (注意: 下列清單仍包含 aes128-cbc、3des-cbc、blowfish-cbc、cast128-cbc 等 CBC 演算法,並未真正排除弱加密演算法)
ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
 
#Disable the Weak MAC Algorithms (注意: 下列清單仍包含 hmac-sha1 與 hmac-ripemd160,並未真正排除弱 MAC 演算法)
macs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160
 
#Disable DNS reverse
echo 'UseDNS no' >> /etc/ssh/sshd_config
 
#Disable GSSAPIAuthentication
echo 'GSSAPIAuthentication no' >> /etc/ssh/sshd_config
 
 
@修改hostname
vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=a.b.c
 
vim /etc/hosts
127.0.0.1 a.b.c a localhost localhost4 localhost4.localdomain4
192.168.111.xx a.b.c a
 
=======開發機先不安裝====
@防止暴力攻擊
FAIL2BAN
yum install -y fail2ban
 
vim /etc/fail2ban/jail.conf   (請一併確認 [ssh-iptables] 區段的 enabled 已設為 true,否則 maxretry 不會生效)
=
[ssh-iptables]
maxretry = 3
=
 
主機名稱it-dev01~it-dev03
192.168.1.231~233