CentOS7 Linux alap konfiguráció
Ahol sok virtuális gépet használunk, célszerű egy jól felkonfigurált template gépet telepíteni, amit másolva csak a specifikus beállításokat kell elvégezni.
CentOS7 esetén az alábbi alap Linux konfigurációt szoktam elvégezni:
Alapcsomagok
# Base tooling. epel-release goes first so that the EPEL-only packages used
# further down (fail2ban, syslog-ng) resolve.
yum install epel-release
yum install \
  mc less openssh-server nano telnet \
  net-tools wget curl nload subversion screen
Kernel konfiguráció
/etc/sysctl.d/kerneltuning.conf
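# Prefer reclaiming page cache over swapping process memory.
vm.swappiness = 10
# Listen/SYN backlog ceilings for busy services.
net.core.somaxconn = 2048
net.ipv4.tcp_max_syn_backlog = 512
# NOTE(review): ip_forward=1 turns every clone of this template into a router.
# Keep it only on images that are meant to route/NAT between the dmz/internal
# legs; on everything else set it to 0.
net.ipv4.ip_forward = 1
# Reusing TIME_WAIT sockets for outgoing connections is the safe knob.
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle removed: it rejects connections from clients behind NAT
# (timestamp-based) and the knob no longer exists in kernels >= 4.12, so it
# only ever caused outages. Left here commented out to document the decision.
# net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30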
Tmp mount
/etc/fstab
# /tmp on tmpfs with nodev,noexec,nosuid: files dropped into /tmp cannot be
# executed directly or act as device nodes. NOTE(review): some rpm scriptlets
# and third-party installers expect an executable /tmp — confirm package
# installs still succeed, or set TMPDIR elsewhere for those runs. No size= is
# given, so the tmpfs defaults to half of physical RAM; consider a size= cap.
tmpfs /tmp tmpfs defaults,nodev,noexec,nosuid,noatime 0 0
Helyi hálózat
# The ifcfg files below are meant for the legacy network service, so NM must not
# manage the same interfaces. NOTE(review): disable only affects the next boot;
# the running daemon keeps control until it is stopped, and stopping it from an
# NM-managed SSH session may drop that session — do it from the console.
systemctl disable NetworkManager.service
/etc/sysconfig/network-scripts/ifcfg-eth1
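# eth1 — DMZ leg. With NetworkManager disabled this file is sourced by the
# network service as shell, so keys are case-sensitive: the mixed-case
# Ipaddr/Prefix/Gateway of the original are not the IPADDR/PREFIX/GATEWAY the
# ifup scripts read, and the interface would likely come up without an address.
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet
IPADDR=192.168.10.251
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME="System eth1"
# firewalld zone for this interface (must agree with the firewall section).
ZONE=dmz
GATEWAY=192.168.10.254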
/etc/sysconfig/network-scripts/ifcfg-eth2
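# eth2 — internal leg. Same rule as eth1: the file is sourced as shell, so the
# address keys must be upper-case (IPADDR/PREFIX) to be read at all.
DEVICE=eth2
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet
IPADDR=192.168.11.251
PREFIX=24
# NOTE(review): DEFROUTE=yes with no GATEWAY does nothing here, but if a
# gateway is ever added both legs will compete for the default route; the
# non-gateway leg should carry DEFROUTE=no.
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME="System eth2"
# firewalld zone for this interface (must agree with the firewall section).
ZONE=internal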
Hostname
/etc/sysconfig/network
Hostname
/etc/hosts
fqdn
/etc/postfix/main.cf
myhostname
relayhost = mailrelay.local
/etc/aliases
root: admin@organization
# Rebuild the alias database so the root -> admin@organization redirect above
# takes effect.
newaliases
NTP
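# ntpd replaces chronyd (the CentOS 7 default). chronyd has to be stopped as
# well as disabled: disable alone leaves it running and holding UDP/123, and
# the ntpd restart below then fails to bind.
yum install ntp ntpdate
systemctl disable chronyd
systemctl stop chronyd
systemctl enable ntpd
systemctl restart ntpd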
Selinux
/etc/sysconfig/selinux
# NOTE(review): permissive only logs AVC denials, it blocks nothing — and a
# template with SELinux effectively off ships that weakness to every clone.
# Prefer enforcing and fix the individual denials (audit2why / setroubleshoot)
# on the roles that need it.
SELINUX=permissive
Yum-cron
# Unattended updates; scope and policy come from yum-cron.conf below.
yum install yum-cron
/etc/yum/yum-cron.conf
# Only updates flagged as security errata are considered...
update_cmd = security
# ...and they are installed, not merely downloaded. NOTE(review): presumes
# download_updates stays at its default of yes. Kernel/glibc updates still
# need a reboot to take effect, so pair this with a reboot policy.
apply_updates = yes
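# enable alone only arms the unit for the next boot; start it now so the
# template is already patched before it is cloned.
systemctl enable yum-cron
systemctl start yum-cron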
Fail2ban
# fail2ban comes from EPEL (enabled with the base packages). Enabling is enough
# here: the restart after the jail file is written brings it up with the sshd
# jail active.
yum install fail2ban.noarch
systemctl enable fail2ban.service
/etc/fail2ban/jail.d/01-ssh.conf
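# fail2ban parses this with Python's configparser: the defaults section must be
# spelled [DEFAULT] (case-sensitive). A lower-case [default] is just an
# unrelated, disabled jail, so neither bantime nor banaction would reach [sshd].
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
# NOTE(review): firewalld is enabled in this setup, and rules that fail2ban
# inserts straight into iptables may be dropped by `firewall-cmd --reload`.
# If firewalld owns the ruleset, the firewalld-aware banaction that
# 00-firewalld.conf sets is the one to keep.
banaction = iptables-multiport
[sshd]
enabled = true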
# Restart so the jail.d/01-ssh.conf written above is loaded.
systemctl restart fail2ban
Firewall
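# firewalld owns the packet filter. firewall-cmd needs the daemon running, so
# start it explicitly (on a stock CentOS 7 install it usually already is).
systemctl enable firewalld
systemctl start firewalld
# --change-interface without --permanent is a runtime-only change, and the
# --reload at the end discards runtime changes and reinstalls the permanent
# configuration — so the original three assignments were thrown away. Make
# them permanent, then reload to apply them. eth1/eth2 also carry ZONE= in
# their ifcfg files; the zones here must match those.
firewall-cmd --permanent --zone=public --change-interface=eth0
firewall-cmd --permanent --zone=dmz --change-interface=eth1
firewall-cmd --permanent --zone=internal --change-interface=eth2
firewall-cmd --reload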
Monitoring
Zabbix agent
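# Zabbix agent from the vendor repository. NOTE(review): 2.4 is long out of
# support; a new template should track a maintained branch.
# The original fetched the release rpm over plain HTTP and handed it straight
# to rpm -U, which only *warns* (NOKEY) when a package is unsigned or signed
# by an unknown key. Fetch over TLS, import the vendor key, and install only
# if the signature verifies.
zabbix_release_url='https://repo.zabbix.com/zabbix/2.4/rhel/7/x86_64/zabbix-release-2.4-1.el7.noarch.rpm'
zabbix_release_rpm=$(mktemp)
# ZABBIX_GPG_KEY_FILE is a placeholder: the vendor's published RPM signing
# key, obtained out of band and checked against its fingerprint.
curl -fsSL -o "$zabbix_release_rpm" "$zabbix_release_url" \
  && rpm --import "${ZABBIX_GPG_KEY_FILE:?set to the vendor RPM signing key file}" \
  && rpm -K "$zabbix_release_rpm" \
  && rpm -Uvh "$zabbix_release_rpm"
rm -f -- "$zabbix_release_rpm"
yum install zabbix-agent zabbix-sender
systemctl enable zabbix-agent
# The agent listens on TCP/10050; open that port in firewalld only toward the
# Zabbix server's zone, and set Server=/ServerActive= in zabbix_agentd.conf
# before starting it.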
Syslog-ng
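# syslog-ng (EPEL) takes over from rsyslog, which is part of the CentOS 7 core
# group and therefore present. Only one daemon can own the syslog.service alias
# and the journal forward socket, so retire rsyslog first, then start syslog-ng
# now rather than waiting for the next boot.
yum install syslog-ng
systemctl disable rsyslog
systemctl stop rsyslog
systemctl enable syslog-ng
systemctl start syslog-ng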
/etc/syslog-ng/syslog-ng.conf
...
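# Ship everything to the central log host.
# NOTE(review): tcp() on 514 is plaintext and unauthenticated — anyone on the
# path can read or inject log lines. Prefer the network() driver with
# transport("tls") and a tls() block once logcenter.local has a certificate.
destination logserver { tcp("logcenter.local" port(514) ); };
log { source(s_sys); destination(logserver); };
# Kernel messages from netfilter LOG rules (they carry IN= and OUT=) go to
# their own file; suppress(30) collapses identical lines arriving within 30 s.
# These lines are still forwarded to logserver by the unfiltered path above.
filter f_iptables { facility(kern) and message("IN=") and message("OUT="); };
destination firewall { file("/var/log/firewall" suppress(30)); };
log { source(s_sys); filter(f_iptables); destination(firewall); };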