Basic optimization of a CentOS 7 system after installation

 

1. Change the remote connection user and port

[root@linux-node1 ~]# cp /etc/ssh/sshd_config{,.bak_$(date +%F)}
[root@linux-node1 ~]# vim /etc/ssh/sshd_config
#Change the ssh remote connection port
Port 28888
#Prohibit root user ssh remote login
PermitRootLogin no
#Prohibit empty password login
PermitEmptyPasswords no
#Prevent GSSAPI from slowing down SSH connections
GSSAPIAuthentication no
#Disable reverse DNS lookups of connecting clients
UseDNS no
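
A check for the step 1 settings, added here as an example and not part of the original article: it reads an sshd_config-style file, reports every value that differs from the listing above, and flags directives with a trailing comment, because sshd_config(5) only defines comments as lines that start with '#'. The function names are made up for this example, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the article): audit the step 1 sshd settings.
# Function names are hypothetical. Match blocks are not evaluated.

# Print every active value of keyword $2 in file $1, one per line.
sshd_values() {
    awk -v key="$2" 'NF && $1 !~ /^#/ && tolower($1) == tolower(key) { print $2 }' "$1"
}

# Print the numbers of directive lines that carry a trailing "#comment".
# sshd_config(5) only defines comments as lines that start with '#'.
trailing_comments() {
    awk 'NF && $1 !~ /^#/ && index($0, "#") { print NR }' "$1"
}

# Return 0 when file $1 has the step 1 values and no trailing comments.
audit_sshd() {
    rc=0
    for pair in Port=28888 PermitRootLogin=no PermitEmptyPasswords=no \
                GSSAPIAuthentication=no UseDNS=no; do
        key=${pair%%=*}
        want=${pair#*=}
        if [ "$key" = Port ]; then
            # Port lines accumulate: sshd listens on every port listed.
            got=$(echo $(sshd_values "$1" "$key"))
        else
            # For the other keywords sshd keeps the first value it reads.
            got=$(sshd_values "$1" "$key" | head -n 1)
        fi
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want $want, got ${got:-<unset>}"
            rc=1
        fi
    done
    bad=$(trailing_comments "$1")
    if [ -n "$bad" ]; then
        echo "FAIL trailing comment on line(s):" $bad
        rc=1
    fi
    return "$rc"
}

# Audit the file named on the command line, if one was given.
if [ -n "${1:-}" ]; then
    audit_sshd "$1"
fi
```

Run it as `sh audit_sshd.sh /etc/ssh/sshd_config` (the script name is an assumption). On the server itself, `sshd -t` additionally checks the file's syntax before the service is restarted.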

2. Close SELINUX

[root@linux-node1 ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config #Takes effect at the next reboot
[root@linux-node1 ~]# getenforce
Disabled

3. Modify the character set

[root@linux-node1 ~]# vim /etc/locale.conf
LANG="en_US.UTF-8"
[root@linux-node1 ~]# source /etc/locale.conf
[root@linux-node1 ~]# echo $LANG
en_US.UTF-8

4. Turn off the firewall and clear iptables rules

[root@linux-node1 ~]# systemctl status firewalld.service
[root@linux-node1 ~]# systemctl stop firewalld.service
[root@linux-node1 ~]# systemctl disable firewalld.service
[root@linux-node1 ~]# iptables -F
[root@linux-node1 ~]# iptables-save

5. Set up Linux server time synchronization

[root@linux-node1 ~]# yum install -y ntpdate
[root@linux-node1 ~]# ntpdate time1.aliyun.com
28 Mar 09:51:17 ntpdate[3090]: step time server 203.107.6.88 offset 165452.420118 sec
[root@linux-node1 ~]# date
Wed Mar 28 09:51:22 CST 2018
[root@linux-node1 ~]# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
[root@linux-node1 ~]# crontab -l
*/5 * * * * /usr/sbin/ntpdate time1.aliyun.com > /dev/null 

6. Configure the command history size and account login timeout environment variables

[root@linux-node1 ~]# echo "export TMOUT=300" >> /etc/profile #Idle login timeout, in seconds
[root@linux-node1 ~]# echo "export HISTSIZE=5" >> /etc/profile #Number of commands kept in the shell's command history
[root@linux-node1 ~]# echo "export HISTFILESIZE=5" >> /etc/profile #Number of commands kept in the history file
[root@linux-node1 ~]# source /etc/profile

7. Adjust the number of file descriptors in the Linux system

A file descriptor is a handle, represented by an unsigned integer, that a process uses to identify an open file. Each descriptor is associated with a file object holding related information (such as the file's open mode, the file's location type, the file's initial type, etc.), which is called the file's context. The valid range of file descriptors is 0 to OPEN_MAX.

[root@linux-node1 ~]# ulimit -n
1024
[root@linux-node1 ~]# echo '*    -    nofile    65535' >> /etc/security/limits.conf
[root@linux-node1 ~]# ulimit -n #Check in a new login session; limits.conf is applied at login
65535 

8. Lock system critical files

[root@linux-node1 ~]# chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
[root@linux-node1 ~]# mv /usr/bin/chattr /usr/bin/666 #Rename chattr so an intruder cannot easily clear the immutable flag
