AlmaLinux 9设计的服务器初始化命令集,整合了安全加固、网络配置、系统优化等关键步骤,所有命令均经过生产环境验证:
# Initial package refresh; this line runs as root, while the sections below use sudo.
# NOTE(review): rpmfusion-free-release is normally installed from the RPM Fusion release
# RPM URL rather than from the stock AlmaLinux/EPEL repositories — confirm the package
# name resolves on the target before relying on this line.
yum -y update && yum -y install epel-release && yum -y install rpmfusion-free-release
一、系统安全加固
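# 禁用SELinux(生产环境建议改为permissive模式)
# NOTE(review): if SELinux is kept enforcing/permissive instead, the non-default SSH
# port below also needs a port label (semanage port -a -t ssh_port_t -p tcp PORT).
sudo sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# setenforce returns non-zero when SELinux is already disabled; that is not an error here.
sudo setenforce 0 || true

# 创建管理用户并禁用root远程登录
NEW_USER="${NEW_USER:-sysadmin}"
# The initial password comes from the environment instead of a literal in the script
# (a literal ends up in shell history, backups and pastes). chpasswd reads
# "user:password" from stdin; any other prefix makes it target a different account.
: "${NEW_PASS:?set NEW_PASS to the initial password for ${NEW_USER}}"
if ! id -- "$NEW_USER" >/dev/null 2>&1; then
  sudo useradd -m -s /bin/bash -- "$NEW_USER"
fi
printf '%s:%s\n' "$NEW_USER" "$NEW_PASS" | sudo chpasswd || exit 1
sudo usermod -aG wheel -- "$NEW_USER"
# NOTE(review): passwordless sudo for all of wheel is what the page enables and is kept
# as-is, but it removes the password check on every privilege escalation. Whatever is
# chosen, validate sudoers after editing it: a syntax error here disables sudo entirely.
sudo sed -i 's/^# %wheel ALL=(ALL) NOPASSWD: ALL/%wheel ALL=(ALL) NOPASSWD: ALL/' /etc/sudoers
sudo visudo -c -f /etc/sudoers >/dev/null || exit 1

# SSH安全配置(修改默认端口为22222)
SSH_PORT="${SSH_PORT:-22222}"
# AlmaLinux 9 sshd includes /etc/ssh/sshd_config.d/*.conf ahead of the main file and
# keeps the FIRST value seen for each keyword, so a low-numbered drop-in wins over the
# main file and over installer-generated drop-ins. A sed on sshd_config alone can
# silently miss: the line may be commented out, or the keyword may live in a drop-in.
# If the main file still has an uncommented "Port 22", sshd will listen on both ports.
sudo install -d -m 0755 /etc/ssh/sshd_config.d
sudo tee /etc/ssh/sshd_config.d/00-hardening.conf >/dev/null <<EOF
Port ${SSH_PORT}
PermitRootLogin no
EOF
# Turning password authentication off before a key exists for the admin user — with
# root login already off — locks everyone out. Install the key from ADMIN_PUBKEY when
# it is provided and only then disable passwords; otherwise leave them on and say so.
if [[ -n "${ADMIN_PUBKEY:-}" ]]; then
  admin_home=$(getent passwd "$NEW_USER" | cut -d: -f6)
  sudo -u "$NEW_USER" install -d -m 0700 "${admin_home}/.ssh"
  printf '%s\n' "$ADMIN_PUBKEY" | sudo -u "$NEW_USER" tee -a "${admin_home}/.ssh/authorized_keys" >/dev/null
  sudo -u "$NEW_USER" chmod 0600 "${admin_home}/.ssh/authorized_keys"
  echo 'PasswordAuthentication no' | sudo tee -a /etc/ssh/sshd_config.d/00-hardening.conf >/dev/null
else
  echo "ADMIN_PUBKEY not set: PasswordAuthentication stays enabled; disable it once a key is deployed" >&2
fi

# 防火墙规则配置
# Open the new port and validate the sshd config BEFORE restarting sshd — restarting on
# a broken config, or before the firewall allows the port, is the classic self-lockout.
# The default "ssh" service (22/tcp) is intentionally left open so the current session
# survives; remove it only after the new port is confirmed reachable.
sudo firewall-cmd --permanent --add-port="${SSH_PORT}/tcp"
sudo firewall-cmd --permanent --remove-service=dhcpv6-client
sudo firewall-cmd --reload
sudo sshd -t || exit 1
sudo systemctl restart sshd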
二、网络配置优化
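# 配置静态IP(示例:192.168.1.100/24)
# Address, gateway and DNS are parameters with the page's example values as defaults,
# so the same snippet can be reused on more than one host.
CONN_NAME="${CONN_NAME:-ens160}" # 需根据实际网卡名称修改
STATIC_IP="${STATIC_IP:-192.168.1.100/24}"
GATEWAY="${GATEWAY:-192.168.1.1}"
DNS_SERVERS="${DNS_SERVERS:-8.8.8.8 114.114.114.114}"
# A typo in CONN_NAME must fail here, not half-way through the modifications.
if ! nmcli -t -f NAME con show | grep -qx -- "$CONN_NAME"; then
  echo "connection profile not found: ${CONN_NAME}" >&2
  exit 1
fi
sudo nmcli con mod "$CONN_NAME" \
  ipv4.addresses "$STATIC_IP" \
  ipv4.gateway "$GATEWAY" \
  ipv4.dns "$DNS_SERVERS" \
  ipv4.method manual
# Re-activating the profile applies the new settings. Never "con down && con up" here:
# when this runs over SSH, "down" drops the session and the shell is killed before
# "up" ever executes, leaving the host unreachable until someone gets to the console.
sudo nmcli con up "$CONN_NAME"

# 禁用IPv6
sudo grubby --update-kernel ALL --args ipv6.disable=1

# 内核网络参数调优
# One file under sysctl.d, overwritten rather than appended, keeps repeated runs from
# piling duplicate keys into /etc/sysctl.conf. "sysctl --system" loads sysctl.d;
# "sysctl -p" alone reads only /etc/sysctl.conf and would ignore this file.
# After a reboot with ipv6.disable=1 the net.ipv6 key no longer exists and sysctl
# reports it as unknown; that message is expected and harmless.
sudo tee /etc/sysctl.d/99-server-init.conf >/dev/null <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.tcp_tw_reuse = 1
net.core.somaxconn = 65535
vm.swappiness = 10
EOF
sudo sysctl --system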
三、软件环境配置
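# 更换阿里云镜像源
# The stock AlmaLinux repo files typically comment out the base URL as
# "# baseurl=https://..." (space after '#', https). A pattern that only matches
# "#baseurl=http://" then changes nothing, and because the mirrorlist line IS
# commented out, every repo is left with no URL at all. Match both spellings.
sudo sed -e 's|^mirrorlist=|#mirrorlist=|g' \
  -e 's|^#[[:space:]]*baseurl=https\{0,1\}://repo.almalinux.org|baseurl=https://mirrors.aliyun.com/almalinux|g' \
  -i.bak /etc/yum.repos.d/almalinux*.repo
# Fail loudly if the rewrite produced unusable repos instead of carrying on.
sudo dnf makecache || exit 1

# 安装基础工具包
sudo dnf install -y epel-release
sudo dnf install -y vim-enhanced net-tools lsof htop tmux chrony git jq ncdu tree unzip

# 时间同步配置
sudo timedatectl set-timezone Asia/Shanghai
sudo sed -i 's/^pool 2.*/pool ntp.aliyun.com iburst/' /etc/chrony.conf
# "enable" so the service survives a reboot; "restart" so the edited config is read
# even when chronyd was already running.
sudo systemctl enable chronyd
sudo systemctl restart chronyd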
四、系统性能优化
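# 文件描述符限制
# A drop-in under limits.d is read the same way as limits.conf but can be rewritten
# on every run; appending to limits.conf leaves a duplicate pair each time.
sudo tee /etc/security/limits.d/99-nofile.conf >/dev/null <<'EOF'
* soft nofile 65535
* hard nofile 65535
EOF

# 禁用不必要服务
# Handle the units one at a time and skip those that are not installed, so one
# missing package (e.g. bluetooth on a VM) does not fail the whole command.
for unit in postfix bluetooth cups; do
  if sudo systemctl cat -- "$unit" >/dev/null 2>&1; then
    sudo systemctl disable --now -- "$unit"
  else
    echo "unit not installed, skipping: ${unit}" >&2
  fi
done

# 日志轮转配置
# Anchor the match to the whole line so only the default "rotate 4" is rewritten.
sudo sed -i 's/^rotate 4$/rotate 12/' /etc/logrotate.conf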
五、安全审计配置
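# 安装审计工具
sudo dnf install -y aide audit
# Build the AIDE baseline and promote it. The baseline is only meaningful if it is
# taken before anything untrusted runs on the host; keep a copy off-host so a
# compromised machine cannot rewrite its own reference database.
sudo aide --init && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

# 配置审计规则
# Rules go into their own rules.d file (overwritten, not appended) and cover the
# whole identity set rather than /etc/passwd alone. On EL9 auditd refuses a manual
# restart through systemctl; "augenrules --load" merges rules.d and loads the result
# into the running daemon, which is the supported way to apply rule changes.
sudo tee /etc/audit/rules.d/50-identity.rules >/dev/null <<'EOF'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
EOF
sudo systemctl enable --now auditd
sudo augenrules --load || exit 1
# Confirm the rules are actually active instead of assuming the load succeeded.
sudo auditctl -l | grep -q -- '-k identity' || exit 1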
六、执行收尾工作
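# 清理缓存并更新系统
# Quote the glob: an unquoted kernel* is expanded by the shell when a matching file
# exists in the current directory, and the exclusion silently disappears.
sudo dnf update -y --exclude='kernel*'
sudo dnf clean all

# Same default as the SSH section; export SSH_PORT if a different port was chosen,
# otherwise the hint below would print an empty port.
SSH_PORT="${SSH_PORT:-22222}"
printf '%s\n' \
  "=============== 初始化完成 ===============" \
  "后续操作建议:" \
  "1. 立即修改sysadmin密码:sudo passwd sysadmin" \
  "2. 检查SSH端口连通性:nc -zv 服务器IP ${SSH_PORT}" \
  "3. 部署SSH密钥认证(参考:ssh-keygen -t ed25519)"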
关键特性说明