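When a CentOS server exposes many services, some of that software is bound to have vulnerabilities, and the more ports are open, the more at risk the server is once it goes live. So before the server goes into production we must get rid of every unnecessary service in CentOS and leave the bad guys no opening.
First, look at which services are running on the machine (my machine's runlevel is 3, so only the services marked 3:on matter):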
[root@centos ~]# chkconfig --list | grep "3:on"
NetworkManager 0:off 1:off 2:on 3:on 4:on 5:on 6:off
abrt-ccpp 0:off 1:off 2:on 3:on 4:on 5:on 6:off
abrtd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
blk-availability 0:off 1:on 2:on 3:on 4:on 5:on 6:off
certmonger 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cgconfig 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cgred 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
dnsmasq 0:off 1:off 2:on 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ipsec 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kdump 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off
mcelogd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfslock 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpdate 0:off 1:off 2:on 3:on 4:on 5:on 6:off
numad 0:off 1:off 2:on 3:on 4:on 5:on 6:off
oddjobd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portreserve 0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off
pppoe-server 0:off 1:off 2:on 3:on 4:on 5:on 6:off
psacct 0:off 1:off 2:on 3:on 4:on 5:on 6:off
quota_nld 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rdisc 0:off 1:off 2:on 3:on 4:on 5:on 6:off
restorecond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rngd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcsvcgssd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
smartd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sssd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
svnserve 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off
winbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
wpa_supplicant 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ypbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
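With this many services enabled, putting the machine straight onto the Internet would be asking for trouble. So step one is to turn every service off, and step two is to turn back on the ones that must be kept.
Step one: turn off all the services on the system. With this many entries a loop is the only sensible way; running chkconfig service off one at a time would take forever. Here is the command:
I pull the names of all enabled services out with awk, then run chkconfig service off on each of them in a for loop.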
[root@centos ~]# for n in `chkconfig --list | grep "3:on" | awk '{print $1}'`;do chkconfig $n off;done
[root@centos ~]# chkconfig --list | grep 3:on
[root@centos ~]#
[root@centos ~]#
[root@centos ~]# # at this point I find that all the services have been killed off by me in one go
Now the question is: which services must our server keep?
What we need to do is turn these services on, then verify and call it a day, go...
[root@centos ~]# for n in crond sshd network rsyslog sysstat ;do chkconfig $n on ; done
[root@centos ~]# chkconfig --list | grep 3:on
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off
Another approach: keep what should be kept and get rid of everything else.
Here is the answer directly:
[root@centos ~]# chkconfig --list | grep 3:on | egrep -v "sshd|network|rsyslog|sysstat|crond" | awk '{print "chkconfig",$1,"off"}'
chkconfig NetworkManager off
chkconfig abrt-ccpp off
chkconfig abrtd off
chkconfig acpid off
chkconfig atd off
chkconfig auditd off
chkconfig autofs off
chkconfig blk-availability off
chkconfig certmonger off
chkconfig cgconfig off
chkconfig cgred off
chkconfig cpuspeed off
chkconfig cups off
chkconfig dnsmasq off
chkconfig haldaemon off
chkconfig ip6tables off
chkconfig ipsec off
chkconfig iptables off
chkconfig irqbalance off
chkconfig kdump off
chkconfig lvm2-monitor off
chkconfig mcelogd off
chkconfig mdmonitor off
chkconfig messagebus off
chkconfig netconsole off
chkconfig netfs off
chkconfig nfs off
chkconfig nfslock off
chkconfig ntpd off
chkconfig ntpdate off
chkconfig numad off
chkconfig oddjobd off
chkconfig portreserve off
chkconfig postfix off
chkconfig pppoe-server off
chkconfig psacct off
chkconfig quota_nld off
chkconfig rdisc off
chkconfig restorecond off
chkconfig rngd off
chkconfig rpcbind off
chkconfig rpcgssd off
chkconfig rpcsvcgssd off
chkconfig saslauthd off
chkconfig smartd off
chkconfig sssd off
chkconfig svnserve off
chkconfig udev-post off
chkconfig winbind off
chkconfig wpa_supplicant off
chkconfig ypbind off
[root@centos ~]# chkconfig --list | grep 3:on | egrep -v "sshd|network|rsyslog|sysstat|crond" | awk '{print "chkconfig",$1,"off"}' | bash
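An added example, not part of the original post: the same keep-list approach written as a reviewable dry run that compares service names exactly rather than by substring, so keeping sshd cannot also spare a similarly named service the way an egrep -v pattern would. The function names plan_disable and sample_list, the sample input and its sshd-keygen entry are constructed for illustration.

```shell
# Added example (not from the original post). Reads `chkconfig --list` output
# on stdin and prints a `chkconfig NAME off` command for every service that is
# on at the given runlevel and is not in the keep list.
# Usage: chkconfig --list | plan_disable RUNLEVEL KEEP_NAME...
plan_disable() {
    runlevel=$1; shift
    awk -v rl="$runlevel" -v keep="$*" '
        BEGIN {
            # Build an exact-match set from the keep list.
            n = split(keep, k, " ")
            for (i = 1; i <= n; i++) allow[k[i]] = 1
        }
        {
            # A service counts as enabled only if a field is exactly "<rl>:on".
            on = 0
            for (f = 2; f <= NF; f++) if ($f == (rl ":on")) on = 1
            if (on && !($1 in allow)) print "chkconfig", $1, "off"
        }'
}

# Constructed sample input in the format shown above; sshd-keygen is a
# made-up name that a substring filter on "sshd" would wrongly keep.
sample_list() {
    cat <<'EOF'
NetworkManager 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd-keygen 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
EOF
}

# Dry run: print the plan for review; pipe it to sh only after reading it.
sample_list | plan_disable 3 crond sshd network rsyslog sysstat
```

The keep list in the post turns off iptables, ip6tables and auditd along with everything else, so pass those names as extra keep arguments if the host relies on its local firewall or audit log. chkconfig only changes what starts at boot, so daemons that are already running keep running until they are stopped with service NAME stop or the machine is rebooted.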
Original article: https://www.cnblogs.com/heqiuyu/p/10372024.html