Tip: 前端等特殊情况下最好也安装一下 dynfw , 它提供的 ipdrop、tcplimit、host-tcplimit 能够有效抵抗恶意访问或攻击
SELINUX
一般选择关闭SELINUX,虽然SELINUX会提升系统安全级别,但是会给很多应用的运行造成困扰,也有很大的性能开销,如果不是极其注重安全的领域,建议关闭SELINUX
代码语言:javascript复制[root@check-list ~]# getenforce
Enforcing
[root@check-list ~]# vim /etc/sysconfig/selinux
[root@check-list ~]# grep SELINUX /etc/sysconfig/selinux
# SELINUX= can take one of these three values:
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted
[root@check-list ~]#重启后就可以生效,如果要立刻生效,可以使用 setenforce 0
代码语言:javascript复制[root@check-list ~]# getenforce
Enforcing
[root@check-list ~]# setenforce 0
[root@check-list ~]# getenforce
Permissive
[root@check-list ~]# sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: disabled
Policy version: 24
Policy from config file: targeted
Process contexts:
Current context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context: system_u:system_r:init_t:s0
/sbin/mingetty system_u:system_r:getty_t:s0
/usr/sbin/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023
File contexts:
Controlling term: unconfined_u:object_r:user_devpts_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/sbin/init system_u:object_r:init_exec_t:s0
/sbin/mingetty system_u:object_r:getty_exec_t:s0
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
/lib/libc.so.6 system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0
[root@check-list ~]#
