CentOS/RedHat Tips

Disable unnecessary services

CentOS 7/8: secure-linux.sh

#!/usr/bin/env bash
# Author: A.Lang(alang.hsu[AT]gmail.com)
# File: secure-linux.sh
# Created by 2019/3/1
#
#
SVC_LIST="
############# Start #############
#
## bluetooth services
bluetooth

## SELinux
auditd

## Disk Monitoring
smartd

## Linux Virtualization with KVM
libvirtd

## ABRT - Automatic Bug Reporting Tool
abrtd
abrt-ccpp

## More Services
firewalld
avahi-daemon
#chronyd
cups
autofs
#
#
############# End #############
"

# function report_result <service name> <status>
report_result() {
    printf "%20s ..................%s\n" "$1" "[$2]"
}

## Main program
#echo "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d'
echo
echo "The following services will be disabled:"
echo "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d' | while read -r name
do
   # chkconfig still covers leftover SysV init scripts; systemctl handles units.
   # (The original called chkconfig with the undefined variable $line.)
   chkconfig "$name" off 2>/dev/null
   if systemctl disable "$name" 2>/dev/null; then
      report_result "$name" "OK"
   else
      report_result "$name" "**"
   fi
done

## Disable SELinux
## NOTE: on RHEL 9 this setting in /etc/selinux/config is no longer honoured
## (see "New Changes to RedHat 9" below); the kernel parameter selinux=0 is required there.
SVC="SELinux"
sed -i 's/SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config 2>/dev/null
if [ $? -eq 0 ]; then
    report_result $SVC "OK"
else
    report_result $SVC "**"
fi

echo "All done, please reboot NOW."
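Added here as an example, not the page's own script: a read-only companion to secure-linux.sh that parses the same SVC_LIST format (it also accepts trailing comments) and reports which listed units are still enabled, so the hardening can be verified after the reboot instead of re-run blind. The sample SVC_LIST, the file name audit-services.sh and the "audit" argument are constructed for this example; running the audit assumes a systemd host with systemctl available.

```shell
#!/usr/bin/env bash
# audit-services.sh (added example, not the page's script): read-only companion
# to secure-linux.sh. Parses the same SVC_LIST format and reports which listed
# units are still enabled instead of disabling them. Exits 1 when any is enabled.

# Constructed sample list; on a real host paste the SVC_LIST from secure-linux.sh.
SVC_LIST="
## bluetooth services
bluetooth
#chronyd
cups
autofs   # trailing comments are accepted as well
"
# parse_svc_list LIST: one unit name per line, comments and blank lines removed.
parse_svc_list() {
    printf '%s\n' "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^[[:space:]]*//' -e '/^$/d'
}

# enabled_state STATE: true for the 'systemctl is-enabled' answers that mean the
# unit starts at boot; disabled, masked, static, not-found and errors are false.
enabled_state() {
    case "$1" in
        enabled|enabled-runtime) return 0 ;;
        *) return 1 ;;
    esac
}

# report_result NAME STATUS: same layout as the page's script.
report_result() {
    printf "%20s ..................[%s]\n" "$1" "$2"
}

# audit_all LIST: check every unit in LIST; return 1 if any is still enabled.
audit_all() {
    bad=0
    for name in $(parse_svc_list "$1"); do
        # stderr is kept (the original hides it): a missing unit is worth seeing.
        state=$(systemctl is-enabled "$name" 2>&1) || state=${state:-not-found}
        if enabled_state "$state"; then
            report_result "$name" "STILL ENABLED"; bad=1
        else
            report_result "$name" "$state"
        fi
    done
    return $bad
}

# Run the audit only when invoked as: ./audit-services.sh audit
[ "${1:-}" = audit ] && audit_all "$SVC_LIST"
```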

CentOS 6: secure-linux.sh

#!/usr/bin/env bash
# Author: A.Lang(alang.hsu[AT]gmail.com)
# File: secure-linux.sh
# Created by 2011-11-27
# Updated by 2016-11-2
#
SVC_LIST="
############# Start #############
#
## Disable if the system is ACPI capable
apmd

## bluetooth services
bluetooth
hidd

## IR device
irda

## only needed the first time a system is configured
firstboot
readahead_early

## SELinux
auditd
setroubleshoot

## Disk Monitoring
smartd

## More Services
anacron
avahi-daemon
cups
isdn
ip6tables
iptables
iscsi
iscsid
mcstrans
pcscd
autofs
yum-updatesd
NetworkManager
#
#
############# End #############
"

# function report_result <service name> <status>
report_result() {
    printf "%20s ..................%s\n" "$1" "[$2]"
}

## Main program
#echo "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d'
echo
echo "The following services will be disabled:"
echo "$SVC_LIST" | sed -e '/^#/d' -e '/^$/d' | while read -r line
do
   if chkconfig "$line" off 2>/dev/null; then
      report_result "$line" "OK"
   else
      report_result "$line" "**"
   fi
done

## Disable SELinux
SVC="SELinux"
sed -i 's/SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config 2>/dev/null
if [ $? -eq 0 ]; then
    report_result $SVC "OK"
else
    report_result $SVC "**"
fi

echo "All done, please reboot NOW."

Post-tasks: install some common tools

    Tools: chrony, screen or tmux, vim-enhanced, rsync, mailx, bind-utils (provides dig/nslookup), net-snmp, net-snmp-utils, yum-utils, sysstat, nfs-utils, redhat-lsb-core, lsof, open-vm-tools (if running on VMware)
    # RedHat 7/8
    yum install chrony tmux vim-enhanced rsync mailx bind-utils net-snmp net-snmp-utils yum-utils sysstat nfs-utils redhat-lsb-core lsof
    
    # RedHat 6
    yum install setuptool system-config-network* system-config-securitylevel-tui system-config-keyboard \
    lvm2 lsof nfs-utils sysstat net-snmp net-snmp-utils vim-enhanced rsync mailx bind-utils

    Remove virbr0 network interface

    Case 1: Not using the libvirtd service or the virbr0 interface

    # Stop and Disable the service
    systemctl stop libvirtd.service
    systemctl disable libvirtd.service
    
    # Reboot the host to remove the virbr0 interface
    systemctl reboot

    Case 2: Using libvirtd but don't want "virbr0"

    # List the default network set-up for the virtual machines
    virsh net-list
    
    Name       State    Autostart    Persistent
    ----------------------------------------------------------
    default    active   yes          yes
    
    # Destroy the network default.
    virsh net-destroy default
    
    Network default destroyed
    
    # Permanently remove the default virtual network from the configuration.
    virsh net-undefine default
    
    Network default has been undefined
    
    # The interface virbr0 is now gone. You can verify it in the ifconfig or ip command output.
    ifconfig virbr0
    
    virbr0: error fetching interface information: Device not found

    Case 3: Removing the virbr0 interface on a running machine (not persistent across reboots)

    # First, list the virtual bridge interfaces available on the system with the command below.
    brctl show
    
    bridge name     bridge id               STP enabled     interfaces
    virbr0          8000.5254003008b6       yes             virbr0-nic
    
    # Make the bridge interface down before removal.
    ip link set virbr0 down
    
    # Now, remove the bridge
    brctl delbr virbr0
    
    # check if the bridge is removed
    brctl show
    
    bridge name     bridge id               STP enabled     interfaces

    Removing lxcbr0 interface

    # Change the line below in /etc/sysconfig/lxc; this takes effect after a reboot. Change the line from
    
    USE_LXC_BRIDGE="true"
    # to
    USE_LXC_BRIDGE="false"
    
    # remove the lxcbr0 bridge interface for the running system
    brctl show
    ip link set lxcbr0 down
    brctl delbr lxcbr0
    brctl show

    New Changes to RedHat 9

    Official: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/considerations_in_adopting_rhel_9/assembly_security_considerations-in-adopting-rhel-9 

    1. SSH from RHEL 9 to RHEL 6 systems does not work
    2. The following algorithms are disabled in the LEGACY, DEFAULT and FUTURE crypto policies provided with RHEL 9:
      • TLS older than version 1.2 (since RHEL 9, was < 1.0 in RHEL 8)
      • DTLS older than version 1.2 (since RHEL 9, was < 1.0 in RHEL 8)
      • DH with parameters < 2048 bits (since RHEL 9, was < 1024 bits in RHEL 8)
      • RSA with key size < 2048 bits (since RHEL 9, was < 1024 bits in RHEL 8)
      • DSA (since RHEL 9, was < 1024 bits in RHEL 8)
      • 3DES (since RHEL 9)
      • RC4 (since RHEL 9)
      • FFDHE-1024 (since RHEL 9)
      • DHE-DSS (since RHEL 9)
      • Camellia (since RHEL 9)
      • ARIA
      • SEED
      • IDEA
      • Integrity-only cipher suites
      • TLS CBC mode cipher suites using SHA-384 HMAC
      • AES-CCM8
      • All ECC curves incompatible with TLS 1.3, including secp256k1
      • IKEv1 (since RHEL 8)
    3. SCP not supported in RHEL 9
    4. OpenSSH root password login disabled by default
    5. GnuTLS no longer supports TPM 1.2
    6. Support for disabling SELinux through /etc/selinux/config has been removed. If your scenario requires disabling SELinux, add the selinux=0 parameter to your kernel command line.
    7. Network teams are deprecated
    8. RHEL 9 does not contain the network-scripts package that provided the deprecated legacy network scripts in RHEL 8. To configure network connections in RHEL 9, use NetworkManager.

    sosreport system diagnostics tool

    Red Hat/CentOS from version 4.6 onward ships this command. When the system needs troubleshooting, it collects all kinds of system information, which can then be handed to an expert for analysis.

    Basic usage:

    # Install sosreport if it is not already installed
    yum install sos
    
    # Collect system information
    #sosreport
    # NOTE: this takes a few minutes, uses the /tmp directory, and produces a sosreport-*.tar.bz2 file when it finishes.
    # Updated 2023/2/1
    # From RHEL 8 on, the following command replaces sosreport, and the output location is now /var/tmp.
    sos report
    
    # Specify the temporary directory; use this when the default /tmp does not have enough space
    sos report --tmp-dir /path/to/directory
    
    ## Advanced usage
    # List all supported plugins
    sos report -l
    
    # Skip specific plugins during collection
    sos report -n kvm,amd

    For more sosreport usage, see https://access.redhat.com/solutions/3592

    Expert: how to analyse this information

    • After extracting the archive, the sos_reports directory contains a sosreport.html page; open it and use the browser's search to find each item of system information quickly.
    • xsos - a project on GitHub

    RedHat Linux in-place upgrade

    FAQ

    setlocale error

    -bash: warning: setlocale: LC_CTYPE: cannot change locale (zh_TW.big5): No such file or directory
    -bash: warning: setlocale: LC_CTYPE: cannot change locale (zh_TW.big5): No such file or directory

    Check whether the system already supports the zh_TW.big5 locale

    locale -a | grep zh_TW.big5

    If not, install the following package

    yum install glibc-all-langpacks.x86_64

    To verify, log out and log back in.