CentOS/RedHat Tips
Disable unnecessary services
CentOS 7/8: secure-linux.sh
```bash
#!/usr/bin/env bash
# Author: A.Lang(alang.hsu[AT]gmail.com)
# File: secure-linux.sh
# Created: 2019/3/1
#
# Disables every unit listed in SVC_LIST and sets SELINUX=disabled in
# /etc/selinux/config. Run as root; the changes take effect after a reboot.
SVC_LIST="
############# Start #############
#
## bluetooth services
bluetooth
## SELinux
auditd
## Disk Monitoring
smartd
## Linux Virtualization with KVM
libvirtd
## ABRT - Automatic Bug Reporting Tool
abrtd
abrt-ccpp
## More Services
firewalld
avahi-daemon
#chronyd
cups
autofs
#
#
############# End #############
"
# function report_result <service name> <status>
report_result() {
    printf "%20s ..................%s\n" "$1" "[$2]"
}
## Main program
#echo "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d'
echo
echo "The following services will be disabled:"
# Drop comment and blank lines, then disable each remaining unit.
# systemctl is authoritative on CentOS 7/8; chkconfig is only a compatibility wrapper.
echo "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d' | while read -r name
do
    if systemctl disable "$name" 2>/dev/null; then
        report_result "$name" "OK"
    else
        report_result "$name" "**"
    fi
done
## Disable SELinux
SVC="SELinux"
# Anchor on the start of the line so the commented SELINUX= examples in the file are left alone.
if sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config 2>/dev/null; then
    report_result "$SVC" "OK"
else
    report_result "$SVC" "**"
fi
echo "All done, please reboot NOW."
```
CentOS 6: secure-linux.sh
```bash
#!/usr/bin/env bash
# Author: A.Lang(alang.hsu[AT]gmail.com)
# File: secure-linux.sh
# Created: 2011-11-27
# Updated: 2016-11-2
#
# Disables every SysV service listed in SVC_LIST with chkconfig and sets
# SELINUX=disabled in /etc/selinux/config. Run as root; reboot afterwards.
SVC_LIST="
############# Start #############
#
## Disable if the system is ACPI capable
apmd
## bluetooth services
bluetooth
hidd
## IR device
irda
## only needed the first time a system is configured
firstboot
readahead_early
## SELinux
auditd
setroubleshoot
## Disk Monitoring
smartd
## More Services
anacron
avahi-daemon
cups
isdn
ip6tables
iptables
iscsi
iscsid
mcstrans
pcscd
autofs
yum-updatesd
NetworkManager
#
#
############# End #############
"
# function report_result <service name> <status>
report_result() {
    printf "%20s ..................%s\n" "$1" "[$2]"
}
## Main program
#echo "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d'
echo
echo "The following services will be disabled:"
# Drop comment and blank lines, then turn off each remaining service in all runlevels.
echo "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d' | while read -r line
do
    if chkconfig "$line" off 2>/dev/null; then
        report_result "$line" "OK"
    else
        report_result "$line" "**"
    fi
done
## Disable SELinux
SVC="SELinux"
# Anchor on the start of the line so the commented SELINUX= examples in the file are left alone.
if sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config 2>/dev/null; then
    report_result "$SVC" "OK"
else
    report_result "$SVC" "**"
fi
echo "All done, please reboot NOW."
```
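An audit counterpart to both secure-linux.sh versions above, added here as example code (not the author's script): it reads the same SVC_LIST format, reports whether each listed unit is still enabled or active, and shows the SELinux mode both as configured in /etc/selinux/config and as the kernel actually enforces it, without changing anything. The service list is a constructed sample; `systemctl` and `getenforce` are assumed where present, with `n/a` reported otherwise so it also runs offline.

```bash
#!/usr/bin/env bash
# Added audit example for secure-linux.sh; reports state, changes nothing.

# Constructed sample list in the page's SVC_LIST format (comments and blanks are ignored).
SVC_LIST="
## bluetooth services
bluetooth
#chronyd
cups
"

# svc_names <list>: print the unit names, dropping comment and blank lines.
svc_names() {
  printf '%s\n' "$1" | sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d'
}

# selinux_config_mode <config text>: the configured SELINUX= value, "unknown" if absent.
# Anchored on ^SELINUX= so the commented examples in /etc/selinux/config do not match.
selinux_config_mode() {
  local mode
  mode=$(printf '%s\n' "$1" | sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | head -n 1)
  printf '%s\n' "${mode:-unknown}"
}

# selinux_runtime_mode: what the kernel is actually doing (getenforce). The config file
# alone is not authoritative; RHEL 9 ignores SELINUX=disabled in it (see the RHEL 9 notes).
selinux_runtime_mode() {
  if command -v getenforce >/dev/null 2>&1; then getenforce; else echo n/a; fi
}

# audit_services <list>: one line per unit with its enabled and active state.
# Falls back to n/a where systemctl is unavailable so the script still runs offline.
audit_services() {
  local name en ac
  svc_names "$1" | while read -r name; do
    if command -v systemctl >/dev/null 2>&1; then
      en=$(systemctl is-enabled "$name" 2>/dev/null || true)
      ac=$(systemctl is-active "$name" 2>/dev/null || true)
    else
      en=n/a; ac=n/a
    fi
    printf '%20s  enabled=%-12s active=%s\n' "$name" "${en:-unknown}" "${ac:-unknown}"
  done
}

echo "Service state:"
audit_services "$SVC_LIST"
cfg=$(cat /etc/selinux/config 2>/dev/null || true)
echo "SELinux: config=$(selinux_config_mode "$cfg") runtime=$(selinux_runtime_mode)"
```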
Post-tasks: install some common tools
- chrony
- screen or tmux
- vim-enhanced
- rsync
- mailx
- bind-utils (provides dig/nslookup)
- net-snmp
- net-snmp-utils
- yum-utils
- sysstat
- nfs-utils
- redhat-lsb-core
- lsof
- open-vm-tools (if running on VMware)

```bash
# RedHat 7/8
yum install chrony tmux vim-enhanced rsync mailx bind-utils net-snmp net-snmp-utils yum-utils sysstat nfs-utils redhat-lsb-core lsof
```
Remove the virbr0 network interface
Case 1: not using the libvirtd service or the virbr0 interface
```bash
# Stop and disable the service
systemctl stop libvirtd.service
systemctl disable libvirtd.service
# Reboot the host to remove the virbr0 interface
systemctl reboot
```
Case 2: using libvirtd but not wanting "virbr0"
```
# List the default network set-up for the virtual machines
virsh net-list
 Name                 State      Autostart     Persistent
----------------------------------------------------------
 default              active     yes           yes
# Destroy the network "default".
virsh net-destroy default
Network default destroyed
# Permanently remove the default virtual network from the configuration.
virsh net-undefine default
Network default has been undefined
# The interface virbr0 is now gone. You can verify it in the ifconfig or ip command output.
ifconfig virbr0
virbr0: error fetching interface information: Device not found
```
Case 3: removing the virbr0 interface on a running machine (not persistent across reboots)
```
# First, list the virtual bridge interfaces available on the system.
brctl show
bridge name     bridge id               STP enabled     interfaces
virbr0          8000.5254003008b6       yes             virbr0-nic
# Bring the bridge interface down before removing it.
ip link set virbr0 down
# Now remove the bridge
brctl delbr virbr0
# Check that the bridge is gone
brctl show
bridge name     bridge id               STP enabled     interfaces
```
Removing the lxcbr0 interface
```bash
# Change the line below in /etc/sysconfig/lxc (takes effect after a reboot) from
USE_LXC_BRIDGE="true"
# to
USE_LXC_BRIDGE="false"
# Remove the lxcbr0 bridge interface on the running system
brctl show
ip link set lxcbr0 down
brctl delbr lxcbr0
brctl show
```
New Changes to RedHat 9
- SSH from RHEL 9 to RHEL 6 systems does not work
- The following algorithms are disabled in the LEGACY, DEFAULT and FUTURE crypto policies provided with RHEL 9:
  - TLS older than version 1.2 (since RHEL 9, was < 1.0 in RHEL 8)
  - DTLS older than version 1.2 (since RHEL 9, was < 1.0 in RHEL 8)
  - DH with parameters < 2048 bits (since RHEL 9, was < 1024 bits in RHEL 8)
  - RSA with key size < 2048 bits (since RHEL 9, was < 1024 bits in RHEL 8)
  - DSA (since RHEL 9, was < 1024 bits in RHEL 8)
  - 3DES (since RHEL 9)
  - RC4 (since RHEL 9)
  - FFDHE-1024 (since RHEL 9)
  - DHE-DSS (since RHEL 9)
  - Camellia (since RHEL 9)
  - ARIA
  - SEED
  - IDEA
  - Integrity-only cipher suites
  - TLS CBC mode cipher suites using SHA-384 HMAC
  - AES-CCM8
  - All ECC curves incompatible with TLS 1.3, including secp256k1
  - IKEv1 (since RHEL 8)
- SCP not supported in RHEL 9
- OpenSSH root password login disabled by default
- GnuTLS no longer supports TPM 1.2
- Support for disabling SELinux through /etc/selinux/config has been removed. If your scenario requires disabling SELinux, add the selinux=0 parameter to your kernel command line.
- Network teams are deprecated
- RHEL 9 does not contain the network-scripts package that provided the deprecated legacy network scripts in RHEL 8. To configure network connections in RHEL 9, use NetworkManager.
sosreport: system diagnostics tool
Red Hat/CentOS 4.6 and later ship this command. When a system needs troubleshooting, it collects all kinds of system information so the result can be handed to an expert for analysis.
Basic usage:
```bash
# Install sosreport if it is not already installed
yum install sos
# Collect system information
sosreport
# NOTE: this takes a few minutes and uses the /tmp directory; when it finishes it produces a sosreport-*.tar.bz2 file.
# Updated: 2023/2/1
# Since RHEL 8, the following command replaces sosreport, and the output location has changed to /var/tmp.
sos report
# Specify the temporary directory; use this when the default /tmp does not have enough space
sos report --tmp-dir /path/to/directory
```
For more sosreport usage see https://access.redhat.com/solutions/3592 .
For experts: how to analyse the collected information
- After extracting the archive, the sos_reports directory contains a sosreport.html page; open it and use the browser's search to find each item of system information quickly.
- xsos, a project on GitHub