
CentOS/RedHat Tips

停用不必要的服務

CentOS 7/8: secure-linux.sh

#!/usr/bin/env bash
# Author: A.Lang(alang.hsu[AT]gmail.com)
# File: secure-linux.sh
# Created by 2019/3/1
#
#
# Newline-separated list of service names to disable. The main loop below
# pipes this through sed to drop blank lines and lines starting with '#', so
# the '##' headings inside the string act as comments, not as entries.
# NOTE(review): auditd is the Linux audit daemon (grouped under "SELinux"
# here, but a separate facility) and firewalld is the host firewall.
# Disabling them leaves the host without audit logging and without
# firewalld-managed packet filtering after the reboot; confirm that this is
# intended before running the script on a networked system.
SVC_LIST="
############# Start #############
#
## bluetooth services
bluetooth

## SELinux
auditd

## Disk Monitoring
smartd

## Linux Virtualization with KVM
libvirtd

## ABRT - Automatic Bug Reporting Tool
abrtd
abrt-ccpp

## More Services
firewalld
avahi-daemon
#chronyd
cups
autofs
#
#
############# End #############
"

# function report_result <service name> <status>
report_result() {
    # $1 - service name, right-aligned in a 20-column field
    # $2 - status text, printed inside square brackets after the dot leader
    local svc_name=$1
    local status_tag="[$2]"
    printf '%20s ..................%s\n' "$svc_name" "$status_tag"
}

## Main program
#echo "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d'
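echo
echo "The following services will be disabled:"
# Feed the loop every non-comment, non-empty line of SVC_LIST. The loop runs
# in the pipeline's subshell, which is fine because nothing assigned inside it
# is needed afterwards.
printf '%s\n' "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d' | while read -r name
do
   # read trims surrounding whitespace, so a whitespace-only line that sed let
   # through arrives here as an empty name; skip it.
   [ -n "$name" ] || continue
   # The loop variable is "name". The earlier revision passed an unset $line
   # here, so chkconfig never received a service name. Its exit status is
   # deliberately not checked.
   chkconfig "$name" off 2>/dev/null
   # The reported status reflects the systemctl call only. "disable" stops the
   # unit from starting at boot; it does not stop a running instance, which is
   # why the script asks for a reboot at the end.
   if systemctl disable "$name" 2>/dev/null; then
      report_result "$name" "OK"
   else
      report_result "$name" "**"
   fi
done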

## Disable SELinux
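SVC="SELinux"
# NOTE(review): this turns off SELinux mandatory access control at the next
# boot. SELINUX=permissive keeps the policy loaded and logs denials without
# enforcing them, which is usually enough for troubleshooting; confirm that
# "disabled" is really required on this host.
# The pattern is anchored to the start of the line so that only the SELINUX=
# setting is rewritten and comment lines that mention "SELINUX=" are left
# alone. sed exits 0 even when no line matched, so the result is confirmed
# with grep before reporting OK.
if sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config 2>/dev/null &&
   grep -q '^SELINUX=disabled$' /etc/selinux/config 2>/dev/null; then
    report_result "$SVC" "OK"
else
    report_result "$SVC" "**"
fi

echo "All done, please reboot NOW."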

CentOS 6: secure-linux.sh

#!/usr/bin/env bash
# Author: A.Lang(alang.hsu[AT]gmail.com)
# File: secure-linux.sh
# Created by 2011-11-27
# Updated by 2016-11-2
#
# Newline-separated list of service names to disable. The main loop below
# pipes this through sed to drop blank lines and lines starting with '#', so
# the '##' headings inside the string act as comments, not as entries.
# avahi-daemon appears twice, so chkconfig is run on it twice.
# NOTE(review): iptables and ip6tables are the host packet filters and auditd
# is the Linux audit daemon (grouped under "SELinux" here, but a separate
# facility). Disabling them leaves the host without firewall rules and audit
# logging after the reboot; confirm that this is intended before running the
# script on a networked system.
SVC_LIST="
############# Start #############
#
## Disable if the system is ACPI capable
apmd

## bluetooth services
bluetooth
hidd

## IR device
irda

## only needed the first time a system is configured
firstboot
readahead_early

## SELinux
auditd
setroubleshoot

## Disk Monitoring
smartd

## More Services
anacron
avahi-daemon
avahi-daemon
cups
isdn
ip6tables
iptables
iscsi
iscsid
mcstrans
pcscd
autofs
yum-updatesd
NetworkManager
#
#
############# End #############
"

# function report_result <service name> <status>
report_result() {
    # $1 - service name, right-aligned in a 20-column field
    # $2 - status text, printed inside square brackets after the dot leader
    local svc_name=$1
    local status_tag="[$2]"
    printf '%20s ..................%s\n' "$svc_name" "$status_tag"
}

## Main program
#echo "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d'
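echo
echo "The following services will be disabled:"
# Feed the loop every non-comment, non-empty line of SVC_LIST. The loop runs
# in the pipeline's subshell, which is fine because nothing assigned inside it
# is needed afterwards.
printf '%s\n' "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d' | while read -r line
do
   # read trims surrounding whitespace, so a whitespace-only line that sed let
   # through arrives here as an empty name; skip it.
   [ -n "$line" ] || continue
   # chkconfig only changes the boot-time runlevel links; a service that is
   # already running keeps running, which is why the script asks for a reboot
   # at the end.
   if chkconfig "$line" off 2>/dev/null; then
      report_result "$line" "OK"
   else
      report_result "$line" "**"
   fi
done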

## Disable SELinux
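SVC="SELinux"
# NOTE(review): this turns off SELinux mandatory access control at the next
# boot. SELINUX=permissive keeps the policy loaded and logs denials without
# enforcing them, which is usually enough for troubleshooting; confirm that
# "disabled" is really required on this host.
# The pattern is anchored to the start of the line so that only the SELINUX=
# setting is rewritten and comment lines that mention "SELINUX=" are left
# alone. sed exits 0 even when no line matched, so the result is confirmed
# with grep before reporting OK.
if sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config 2>/dev/null &&
   grep -q '^SELINUX=disabled$' /etc/selinux/config 2>/dev/null; then
    report_result "$SVC" "OK"
else
    report_result "$SVC" "**"
fi

echo "All done, please reboot NOW."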
Post-Tasks to Install some common tools
  • chrony
  • screen or tmux
  • vim-enhanced
  • Rsync
  • mailx
  • bind-utils (with dig/nslookup)
  • net-snmp
  • net-snmp-utils
  • yum-utils
  • sysstat
  • open-vm-tools (if running on vmware)
# RedHat 7/8
# Installs the tools from the list above, with tmux chosen over screen.
# open-vm-tools is not part of this command; add it on VMware guests.
yum install chrony tmux vim-enhanced rsync mailx bind-utils net-snmp net-snmp-utils yum-utils sysstat
Remove virbr0 network interface

Case 1: Not using libvirtd service and virbr0 interface

# Stop and Disable the service
# stop ends the running daemon; disable keeps it from starting at boot.
systemctl stop libvirtd.service
systemctl disable libvirtd.service

# Reboot the host to remove the virbr0 interface
systemctl reboot

Case 2: Using libvirtd but you don't want "virbr0"

# List the default network set-up for the virtual machines
virsh net-list

Name       State    Autostart    Persistent
----------------------------------------------------------
default    active   yes          yes

# Destroy the network default.
virsh net-destroy default

Network default destroyed

# Permanently remove the default virtual network from the configuration.
virsh net-undefine default

Network default has been undefined

# The interface virbr0 is now gone. You can verify it in the ifconfig or ip command output.
ifconfig virbr0

virbr0: error fetching interface information: Device not found

Case 3: Removing the virbr0 interface on a running machine (does not persist across reboots)

# First, list out the virtual bridge interfaces available on the system using the below command.
brctl show

bridge name     bridge id               STP enabled     interfaces
virbr0          8000.5254003008b6       yes             virbr0-nic

# Bring the bridge interface down before removal.
ip link set virbr0 down

# Now, remove the bridge
brctl delbr virbr0

# check if the bridge is removed
brctl show

bridge name     bridge id               STP enabled     interfaces

Removing lxcbr0 interface

# Change the line below in /etc/sysconfig/lxc; the change takes effect after a reboot. Change the line from

USE_LXC_BRIDGE="true"
# to
USE_LXC_BRIDGE="false"

# remove the lxcbr0 bridge interface for the running system
# List the bridges first to confirm that lxcbr0 exists.
brctl show
# Bring the bridge down before deleting it.
ip link set lxcbr0 down
brctl delbr lxcbr0
# List the bridges again; lxcbr0 should no longer appear.
brctl show