新的 CentOS 7.9 服务器在部署业务之前，必须完成一系列初始化配置和安全加固。
▶一、初始登录与基础配置
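# Logged in as root: change the root password first
passwd
# Create an unprivileged admin account. On CentOS 7 the stock sudoers grants %wheel
# full sudo, so wheel membership is what makes this the day-to-day admin user.
useradd admin
passwd admin
usermod -aG wheel admin
# Before section 3 disables root login and password authentication, log in once as
# admin with a key and confirm sudo works, otherwise the sshd change locks everyone out.
# Set the hostname
hostnamectl set-hostname server01.example.com
# Time zone and time synchronisation
timedatectl set-timezone Asia/Shanghai
yum install -y chrony
# The chrony package on CentOS 7 ships chronyd.service, not chrony.service; the original
# 'enable --now chrony' fails with "Unit file chrony.service does not exist".
# Same unit name as section 7 uses.
systemctl enable --now chronyd
▶二、系统更新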
# Bring every installed package up to date before adding anything else
yum -y update
# Baseline toolkit: download, editor, network and process inspection
yum -y install \
  wget curl vim \
  net-tools bind-utils \
  lsof tcpdump
▶三、SSH安全配置
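# Recommended settings for /etc/ssh/sshd_config (these lines go into that file; they are not shell commands)
# The non-default port only cuts log noise from scanners; the key-only, no-root and
# retry-limit settings below are the actual hardening.
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
# Before restarting sshd:
#  - the admin user's public key must already be installed and a key login must already
#    work; with PasswordAuthentication no there is no fallback.
#  - with SELinux enforcing (section 6) sshd may only bind ports labelled ssh_port_t, so
#    label the new port first: semanage port -a -t ssh_port_t -p tcp 2222
#    (semanage is in the policycoreutils-python package on CentOS 7).
#  - open 2222/tcp in firewalld (section 4) and keep this session open until a second
#    login on 2222 succeeds.
# Validate the file before applying it; a typo would otherwise leave sshd stopped.
sshd -t && systemctl restart sshd
▶四、防火墙配置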
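systemctl enable --now firewalld
# The 'drop' zone silently discards everything not explicitly allowed. --set-default-zone
# changes runtime and permanent config at once, so new inbound connections are refused
# until the reload below; established ones (this SSH session) survive.
firewall-cmd --set-default-zone=drop
# --add-port takes a single port or a range (e.g. 80-443), never a comma-separated list,
# so the original '80,443/tcp' is rejected and 80 and 443 need separate flags.
# --zone=drop names the target explicitly instead of relying on the default zone.
firewall-cmd --permanent --zone=drop --add-port=2222/tcp   # must match Port in sshd_config (section 3)
firewall-cmd --permanent --zone=drop --add-port=80/tcp
firewall-cmd --permanent --zone=drop --add-port=443/tcp
# Permanent changes only take effect on reload
firewall-cmd --reload
▶五、内核参数优化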
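# Kernel hardening via a sysctl drop-in. Writing (not appending) a dedicated file keeps
# this step idempotent: re-running it does not pile duplicate lines into /etc/sysctl.conf.
# (The file name is arbitrary; any *.conf under /etc/sysctl.d/ is loaded.)
cat > /etc/sysctl.d/99-hardening.conf << 'EOF'
# accept-queue ceiling for listening sockets
net.core.somaxconn = 65535
# SYN cookies keep a SYN flood from exhausting the listen queue
net.ipv4.tcp_syncookies = 1
# ignore ICMP redirects. Set 'default' as well so interfaces created later inherit 0;
# interfaces that already exist keep their own per-interface value, so also check
# net.ipv4.conf.<iface>.accept_redirects on the live system.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# strict reverse-path filtering against spoofed source addresses; 'default' covers new interfaces
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# full ASLR (stack, mmap and brk)
kernel.randomize_va_space = 2
EOF
# 'sysctl -p' reads only /etc/sysctl.conf; --system also loads /etc/sysctl.d/*.conf
sysctl --system
▶六、配置SELinux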
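# Switch the running kernel to enforcing. setenforce only works when SELinux was loaded
# at boot: if the current mode is Disabled this needs /etc/selinux/config fixed, a reboot,
# and usually a relabel ('touch /.autorelabel'), so a failure here is not harmless.
if [[ "$(getenforce)" != "Disabled" ]]; then
  setenforce 1
fi
# Persist the mode. Match whatever the current value is (disabled OR permissive); the
# original pattern only matched 'disabled' and silently left a permissive system permissive.
# '^SELINUX=' does not touch the SELINUXTYPE= line.
sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
# Remember that the non-standard sshd port from section 3 needs its ssh_port_t label
# before enforcing mode is active, or sshd will fail to bind it.
▶七、NTP时间同步配置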
# chrony is normally already present after section 1; yum is a no-op in that case
yum -y install chrony
# Time sources for /etc/chrony.conf (config lines, not shell commands), used
# alongside or instead of the distribution's default 'server' entries
server ntp.aliyun.com iburst
server ntp.tencent.com iburst
server cn.pool.ntp.org iburst
# Enable at boot and start now (the unit is chronyd.service)
systemctl enable --now chronyd
# Verify: system clock view, tracking offset, and per-source status
timedatectl status
chronyc tracking
chronyc sources -v
▶八、日志审计配置
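# Install and enable the audit daemon
yum install -y audit
systemctl enable --now auditd
# Audit rules for /etc/audit/rules.d/security.rules (auditctl syntax, not shell)
# Watch the identity, privilege and remote-access files for writes and attribute changes
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/group -p wa -k group_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /var/log/wtmp -p wa -k logins
-w /etc/ssh/sshd_config -p wa -k sshd_config
# Syscall rules need an explicit arch filter: without it auditctl guesses and warns, and a
# 32-bit caller would slip past a b64-only rule, so both ABIs are listed. file_deletion is
# very noisy on a busy host; it can be narrowed to real users with
# -F auid>=1000 -F auid!=4294967295 if the volume is unmanageable.
-a always,exit -F arch=b64 -S unlink -S rmdir -S rename -k file_deletion
-a always,exit -F arch=b32 -S unlink -S rmdir -S rename -k file_deletion
-a always,exit -F arch=b64 -S chmod -S chown -S setxattr -k file_permissions
-a always,exit -F arch=b32 -S chmod -S chown -S setxattr -k file_permissions
# Reload the rules. auditd.service refuses 'systemctl restart' (RefuseManualStop), so the
# legacy service script is the supported way; 'augenrules --load' is the alternative.
service auditd restart
# Query by key. aureport can only parse raw records from a pipe, so ausearch must use --raw;
# the original pipeline fed it formatted output.
ausearch -k passwd_changes --raw | aureport -f
▶九、系统巡检脚本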
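#!/bin/bash
# /usr/local/bin/security-audit.sh
# Daily security check: prints a fixed set of sections (logins, failed logins, listeners,
# load, disk, memory, sessions) to stdout for a cron mail or log collector.
# Run as root: lastb reads /var/log/btmp, which is normally readable only by root.
set -u

# Print a section title, run the given command, then a blank line.
# Arguments: $1 - title; remaining args - command and its arguments
section() {
  local title=$1
  shift
  echo "$title"
  "$@"
  echo ""
}

echo "=== 系统巡检报告 ==="
date
echo ""
section "1. 最近登录记录" last -n 10
section "2. 失败登录尝试" lastb -n 10
# TCP and UDP listeners; -p (owning process) is only complete when run as root
section "3. 开放端口" ss -tulnp
section "4. 系统负载" uptime
# -x excludes tmpfs/devtmpfs by filesystem type rather than by grepping the text
section "5. 磁盘使用" df -h -x tmpfs -x devtmpfs
section "6. 内存使用" free -h
# last section has no trailing blank line, so it is printed directly
echo "7. 正在运行的登录会话"
who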
