linux系统优化
修改系统日志记录周期
vim /etc/logrotate.conf
重启后生效
systemctl restart rsyslog
内存历史登录命令限制
vim /etc/profile
让配置生效:
source /etc/profile
密码保护措施优化
vim /etc/login.defs
用户在新建文件或目录的权限
vim /etc/login.defs
限制登录ip
限制登录可分别从服务端,系统端、防火墙端来完成只允许固定ip进行登录。
服务端限制
vim /etc/ssh/sshd_config
修改ssh端口
# Port 22
Port 2201
允许跳板机ip
AllowUsers VVise@122.193.30.*
AllowUsers root@122.193.30.*
AllowUsers root@192.168.0.*
AllowUsers VVise@192.168.0.*
配置完成后
systemctl restart sshd
系统端限制
编辑hosts.deny
vim /etc/host.deny
添加一下内容
sshd : ALL
编辑hosts.allow
vim /etc/hosts.allow
添加下面的内容
sshd : 192.168.0.*
这两个文件优先级为先检查hosts.deny,再检查hosts.allow,(值得一说的是centos 8 已经取消了这两个文件)
重启
systemctl restart sshd
从防火墙限制
先删除自带的相关规则
rm -rf /usr/lib/firewalld/services/ssh.xml
或者直接输入命令
firewall-cmd --zone=public --remove-port=2201/tcp --permanent
上述目的是先干掉2201端口,然后重启
firewall-cmd --reload
添加防火墙规则
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.0.0/24 port protocol=tcp port=2201 accept'
#(限制某一个IP访问使用此条规则:firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.3.101/32 port protocol=tcp port=2201 accept')
上述命令的目的是允许服务器通过一个网段或者一个ip来访问。
重启
firewall-cmd –reload
验证
firewall-cmd --list-all
firewall-cmd --list-ports
数据库远程登录权限修改
原本权限
回收权限
revoke ALL PRIVILEGES ON *.* from 'wlhy_bz'@'%';
revoke GRANT OPTION ON *.* from 'wlhy_bz'@'%';
放开权限
grant all privileges on *.* to 'wlhy_bz'@'localhost' identified by 'xxx' with grant option;
修改权限后:
mysql 加密传输
首先需要查看mysql是否支持ssl服务,如果不支持,则开启即可。
查看mysql是否支持ssl服务
show variables like '%ssl%';
很明显小猿的这台电脑是支持的。
生成证书
在 MySQL 5.7 中, 提供了一个名为 mysql_ssl_rsa_setup 的工具, 通过它, 我们可以很方便地创建 SSL 连接所需要的各种证书与文件。
此命令可以参考mysql的mysql_ssl_rsa_setup 命令说明。
mysql_ssl_rsa_setup简介
This program creates the SSL certificate and key files and RSA key-pair files required to support secure connections using SSL and secure password exchange using RSA over unencrypted connections, if those files are missing. mysql_ssl_rsa_setup can also be used to create new SSL files if the existing ones have expired.
具体细节小猿再不做过多解释:
值得注意的是执行mysql_ssl_rsa_setup命令之前,必须确保 OpenSSL的安装。
基本命令参数如下所示:
–help, ?
Display a help message and exit.
–datadir=dir_name
The path to the directory that mysql_ssl_rsa_setup should check for default SSL and RSA files and in which it should create files if they are missing. The default is the compiled-in data directory.
–suffix=str
The suffix for the Common Name attribute in X.509 certificates. The suffix value is limited to 17 characters. The default is based on the MySQL version number.
–uid=name, -v
The name of the user who should be the owner of any created files. The value is a user name, not a numeric user ID. In the absence of this option, files created by mysql_ssl_rsa_setup are owned by the user who executes it. This option is valid only if you execute the program as root on a system that supports the chown() system call.
–verbose, -v
Verbose mode. Produce more output about what the program does. For example, the program shows the openssl commands it runs, and produces output to indicate whether it skips SSL or RSA file creation because some default file already exists.
–version, -V
Display version information and exit.
如果已经有残留证书,小猿建议先删除,再次执行下面的命令,如果没有则可直接执行
./mysql_ssl_rsa_setup --datadir=/data/mysql_data1/ --uid=mysql --verbose
一般情况下客户端和服务端都需要配置证书
配置客户端证书
ssl-ca=/mnt/sdc/data/mysql/data/s1/ca.pem
ssl-cert=/mnt/sdc/data/mysql/data/s1/client-cert.pem
ssl-key=/mnt/sdc/data/mysql/data/s1/client-key.pem
配置服务端证书
#set secure ssl transmition protocal
#set secure ssl transmition protocal
ssl-ca=/mnt/sdc/data/mysql/data/s1/ca.pem
ssl-cert=/mnt/sdc/data/mysql/data/s1/server-cert.pem
ssl-key=/mnt/sdc/data/mysql/data/s1/server-key.pem
重启mysql
service mysql restart
建立测试账户并授权
grant all privileges on *.* to 'xueshanfeitian'@'%' identified by 'xueshanfeitian' REQUIRE SSL;
只允许用ssl登录的方式
当不选择ssl时,远程连接会报错
当勾选ssl协议后就不会报错
用上述开启ssl加密的方式,保障应用程序和sql程序的通讯安全。
至此所有关于系统安全优化的注意要点就到此为止了,以后遇到更深层次的问题,小猿会再次做探讨。