Basic configuration after installing CentOS 8

Let's look at how to do the basic configuration after installing CentOS 8.

Broadly, I'll configure the items listed below (I'll skip the detailed explanations).

  • Network settings
  • Registering the EPEL repository
  • Installing required packages
  • Disabling SELinux
  • Shell prompt
  • Timestamps in the command history
  • vim editor settings
  • Sending the command history to syslog
  • Time synchronization
  • Raising the open-file limit
  • SSH security settings
  • SFTP logging
  • cron security settings
  • Adjusting permissions on key commands/files
  • Package update

Network settings

There are several ways to do this, but I'll proceed by editing the configuration file.

The configuration file is /etc/sysconfig/network-scripts/ifcfg-[devicename].
On my server that is /etc/sysconfig/network-scripts/ifcfg-ens3.

Edit that file as follows.

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens3
UUID=747a6adc-304d-41a5-b766-55a161ba5b77
DEVICE=ens3
ONBOOT=yes
IPADDR=192.168.0.10
PREFIX=24
GATEWAY=192.168.0.1
DNS1=8.8.8.8
DNS2=164.124.101.2
USERCTL=no

After saving the file, apply it with the command below. (The documented value for a fixed address in the ifcfg format is BOOTPROTO=none; NetworkManager's ifcfg-rh plugin also accepts static, so the file above works as written.)

systemctl restart NetworkManager

Registering the EPEL repository

dnf -y install epel-release

EPEL is a third-party repository, so leave gpgcheck=1 in the epel.repo file this installs (it is the default there) so that every package pulled from it is verified against the EPEL signing key.

Installing required packages

dnf -y install sysstat telnet lrzsz rsync wget gcc vim iptraf bc kernel-devel smartmontools

gcc and kernel-devel give the box a working compiler toolchain, which is as useful to an intruder as it is to you; on a production server either build elsewhere and leave them out, or restrict them as the permissions section below does.

Disabling SELinux

sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config

This takes effect at the next boot. Be aware of what it costs: SELinux is the mandatory access control layer that confines services such as httpd, nginx and sshd to the files and ports their policy allows, and disabling it removes that containment entirely. If SELinux is getting in the way, SELINUX=permissive is the better troubleshooting setting: the policy stays loaded and every denial is logged to /var/log/audit/audit.log without anything being blocked, so you can see what a rule would have stopped. Note also that the sed only matches SELINUX=enforcing, so it does nothing on a system already set to permissive, and that re-enabling SELinux later requires a full filesystem relabel on the following boot.

Shell prompt

echo 'export PS1="[\u@\H \W]# "' >> /root/.bashrc
echo 'export PS1="[\u@\H \W]$ "' >> /etc/skel/.bashrc

Files in /etc/skel are copied into the home directory of each account created afterwards, so the second line only affects users added from now on.

Timestamps in the command history

echo 'HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "' >> /root/.bashrc
echo 'HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "' >> /etc/skel/.bashrc

This records a timestamp with every entry in the user's own .bash_history. That is convenient for reconstructing what was done when, but it is not evidence: the user owns the file and can edit or delete it. The syslog step below writes a copy outside the home directory as each command runs.

vim editor settings

echo "alias vi='vim'" >> /root/.bashrc
echo "alias vi='vim'" >> /etc/skel/.bashrc
echo "set ts=4" > /root/.vimrc
source /root/.bashrc

Sending the command history to syslog

cat > /etc/profile.d/cmd_logging.sh <<'EOF'
function logging
{
        stat="$?"
        cmd=$(history|tail -1)
        if [ "$cmd" != "$cmd_old" ]; then
                logger -p local1.notice "[2] STAT=$stat"
                logger -p local1.notice "[1] PID=$$, PWD=$PWD, CMD=$cmd"
        fi
        cmd_old=$cmd
}
trap logging DEBUG
EOF
echo 'local1.*                                                /var/log/cmd.log' >> /etc/rsyslog.conf
sed -i "s/cron.none/cron.none;local1.none/g" /etc/rsyslog.conf
systemctl restart rsyslog

The DEBUG trap runs the function before every simple command, so the "$?" it captures is the exit status of the previous command, not of the one it is about to log; the "[2] STAT" line therefore belongs to the preceding "[1] CMD" line from the same shell. The cmd_old comparison stops a pipeline or a loop from being logged once per stage. The sed excludes local1 from /var/log/messages so that each command is written only to /var/log/cmd.log; add that file to logrotate, as the SFTP section does for sftp.log, or it will grow without bound. Keep in mind what this is and is not: it runs inside the user's own shell, so anyone with a login can remove the trap, turn history off or start bash with --norc, and it never sees commands run by scripts, cron or non-bash shells. It is a convenient activity record, not a tamper-resistant audit trail; for that, use the audit subsystem's execve rules and forward the logs to a remote syslog server.
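The log the trap produces is easier to read once you know that each STAT line refers to the command logged just before it. The script below is an example added here, not code from the original post: it pairs the two line types per shell PID and prints one line per completed command. The log lines embedded in it are constructed to match the layout rsyslog gives logger messages (timestamp, host, user name as tag, message) and do not come from a real system.

```shell
#!/bin/bash
# Added example (not from the original post): read /var/log/cmd.log as written by
# the DEBUG-trap logger above. The trap fires *before* each command, so the "$?"
# it captures is the exit status of the command logged by the *previous* trap
# call. Each trap call emits a "[2] STAT=" line followed by a "[1] PID=..." line;
# the STAT therefore belongs to the last command previously seen for that PID.

# Constructed sample in the layout rsyslog produces for logger(1) messages
# (timestamp, host, the user name as tag, then the message). Two shells, PIDs
# 2201 (root) and 2310 (alice), interleaved.
SAMPLE_CMD_LOG='Jan  5 10:00:01 web01 root: [2] STAT=0
Jan  5 10:00:01 web01 root: [1] PID=2201, PWD=/root, CMD=  500  2020-01-05 10:00:01 ls /nonexistent
Jan  5 10:00:03 web01 alice: [2] STAT=0
Jan  5 10:00:03 web01 alice: [1] PID=2310, PWD=/home/alice, CMD=   12  2020-01-05 10:00:03 cat /etc/shadow
Jan  5 10:00:05 web01 root: [2] STAT=2
Jan  5 10:00:05 web01 root: [1] PID=2201, PWD=/root, CMD=  501  2020-01-05 10:00:05 id
Jan  5 10:00:06 web01 alice: [2] STAT=1
Jan  5 10:00:06 web01 alice: [1] PID=2310, PWD=/home/alice, CMD=   13  2020-01-05 10:00:06 sudo -l'

# pair_cmd_status: read cmd.log lines on stdin, print one line per command:
#   PID=<shell pid> exit=<status> cmd=<command>
# The final command of each shell has no status yet and is printed with exit=?.
pair_cmd_status() {
    awk '
        /\[2\] STAT=[0-9]+/ {
            stat = $0
            sub(/.*\[2\] STAT=/, "", stat); sub(/[^0-9].*/, "", stat)
            have_stat = 1
            next
        }
        /\[1\] PID=[0-9]+, PWD=.*, CMD=/ {
            pid = $0
            sub(/.*\[1\] PID=/, "", pid); sub(/,.*/, "", pid)
            cmd = $0
            sub(/.*, CMD=/, "", cmd)   # greedy; only a PWD or command containing the CMD marker confuses it
            # drop the history number and the HISTTIMEFORMAT timestamp, if present
            if (!sub(/^ *[0-9]+ +[0-9-]+ [0-9:]+ /, "", cmd)) sub(/^ *[0-9]+ +/, "", cmd)
            if (have_stat && (pid in last_cmd))
                printf "PID=%s exit=%s cmd=%s\n", pid, stat, last_cmd[pid]
            if (!(pid in last_cmd)) order[n++] = pid   # remember first-seen order for END
            last_cmd[pid] = cmd
            have_stat = 0
            next
        }
        END {
            for (i = 0; i < n; i++)
                printf "PID=%s exit=? cmd=%s\n", order[i], last_cmd[order[i]]
        }
    '
}

# Use the real log when it exists, otherwise the constructed sample.
if [ -r /var/log/cmd.log ]; then
    pair_cmd_status < /var/log/cmd.log
else
    printf '%s\n' "$SAMPLE_CMD_LOG" | pair_cmd_status
fi
```

The first STAT line of each shell is the status the shell itself started with and is discarded, which is why the sample yields two completed commands (ls /nonexistent exited 2, cat /etc/shadow exited 1) and two still pending. Because the STAT line carries no PID, the pairing relies on the two logger calls of one trap invocation landing next to each other, which holds in practice but can be disturbed when two shells log at the same instant.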

Time synchronization

dnf -y install chrony
sed -i "s/pool 2.centos.pool.ntp.org iburst/server 0.centos.pool.ntp.org iburst\nserver 1.centos.pool.ntp.org iburst\nserver 2.centos.pool.ntp.org iburst\nserver 3.centos.pool.ntp.org iburst/g" /etc/chrony.conf
systemctl enable chronyd
systemctl restart chronyd

chrony is already part of a default CentOS 8 install, so the dnf line is a no-op there. The sed replaces the single pool line with four explicit server lines; if your servers cannot reach the public pool, point these at an internal NTP source instead. Check with chronyc sources -v that one source is selected (marked ^*), because the command log, the SFTP log and every other timestamp on this page are only useful for correlation if the clock is right.

Raising the open-file limit

echo -e "*               soft    nofile          65536\n*               hard    nofile          65536" >> /etc/security/limits.conf
echo -e "fs.file-max = 65536" >> /etc/sysctl.conf
sysctl -p

Two caveats. The kernel derives the default fs.file-max from the amount of RAM at boot (roughly one file handle per 10 KB), so on any machine with more than about 1 GB it already starts well above 65536; writing 65536 there lowers the system-wide ceiling to exactly one process's hard limit, meaning a single busy process could exhaust file handles for the whole system. Leave fs.file-max alone unless you have measured a need to raise it. Second, limits.conf is applied by pam_limits at login, so it covers interactive sessions only; daemons started by systemd never pass through PAM and get DefaultLimitNOFILE from /etc/systemd/system.conf or the unit's own LimitNOFILE= setting.
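For a service such as nginx the limit therefore has to be set on the unit. The functions below are an example added here, not code from the original post: they write a per-service drop-in (so the packaged unit file is left untouched and survives updates) and read back what a running process actually got from /proc. The SYSTEMD_DROPIN_ROOT variable and the function names are this example's own conventions; the variable exists only so the functions can be exercised against a scratch directory.

```shell
#!/bin/bash
# Added example (not from the original post). /etc/security/limits.conf is read by
# pam_limits during login, so it raises the limit for interactive sessions only.
# Services started by systemd never pass through PAM: they inherit
# DefaultLimitNOFILE from /etc/systemd/system.conf unless the unit sets
# LimitNOFILE=. This writes a per-service drop-in instead of editing the packaged
# unit file, and reads back what a running service actually got.
# SYSTEMD_DROPIN_ROOT is an assumption of this example so the functions can be
# tested against a scratch directory; on a real host leave it at the default.
SYSTEMD_DROPIN_ROOT=${SYSTEMD_DROPIN_ROOT:-/etc/systemd/system}

set_service_nofile() {
    # $1: service name without the .service suffix (e.g. nginx)
    # $2: limit, either one value or soft:hard (e.g. 65536 or 65536:131072)
    local svc=$1 limit=$2 dir
    dir="$SYSTEMD_DROPIN_ROOT/$svc.service.d"
    mkdir -p "$dir"
    printf '[Service]\nLimitNOFILE=%s\n' "$limit" > "$dir/nofile.conf"
    # Only reload the real manager; a scratch directory is not a unit path.
    if [ "$SYSTEMD_DROPIN_ROOT" = /etc/systemd/system ]; then
        systemctl daemon-reload
    fi
}

dropin_nofile_value() {
    # Print the limit written by set_service_nofile for service $1.
    sed -n 's/^LimitNOFILE=//p' "$SYSTEMD_DROPIN_ROOT/$1.service.d/nofile.conf"
}

service_nofile_limit() {
    # Print "soft hard" open-file limits of the main process of service $1, taken
    # from /proc, i.e. what the daemon really runs with. Fails when the service is
    # not running, for example before it was restarted after the drop-in.
    local pid
    pid=$(systemctl show -p MainPID --value "$1.service") || return 1
    [ "${pid:-0}" -gt 0 ] || return 1
    awk '/^Max open files/ { print $4, $5 }' "/proc/$pid/limits"
}

# Typical use on the host (as root):
#   set_service_nofile nginx 65536 && systemctl restart nginx && service_nofile_limit nginx
```

Comparing dropin_nofile_value with service_nofile_limit after the restart is the check worth keeping: a limit that only appears in the drop-in but not in /proc means the service was not restarted, or another drop-in overrides it.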

SSH security settings

sed -i "s/#UseDNS yes/UseDNS no/g" /etc/ssh/sshd_config
sed -i "s/#Port 22/Port 2022/g" /etc/ssh/sshd_config
systemctl restart sshd

Before the restart, make sure you can still get in afterwards: firewalld on CentOS 8 allows the ssh service (22/tcp) by default, not 2022, and with SELinux enforcing sshd is only permitted to bind ports labelled ssh_port_t, so the new port has to be opened in the firewall and added to that port type first or the restart locks you out. Moving the port only reduces log noise from scanners; it is not a substitute for key-based authentication and for disabling password logins for root. Keep the session you are working in open and test a new connection on port 2022 before you close it.
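The two sed lines also only match the literal commented-out defaults, so they silently do nothing on a file that has already been edited. The script below is an example added here, not code from the original post: set_sshd_option rewrites a directive idempotently (first "Key" or "#Key" line before any Match block; later active duplicates dropped; new directives inserted in front of the first Match block, because a global setting placed after a Match line would apply to that block only), and harden_sshd applies the post's two settings together with the firewalld, SELinux and sshd -t pre-flight steps. Function names are this example's own; port 2022 follows the post; semanage comes from the policycoreutils-python-utils package.

```shell
#!/bin/bash
# Added example (not from the original post): change the SSH settings from this
# section idempotently and do the pre-flight checks that keep you from locking
# yourself out.

set_sshd_option() {
    # $1: sshd_config path, $2: keyword, $3: value
    local file=$1 key=$2 value=$3
    awk -v key="$key" -v line="$key $value" '
        !in_match && $0 ~ ("^[ \t]*#?[ \t]*" key "([ \t]|$)") {
            if (!done) { print line; done = 1; next }   # first occurrence: rewrite
            if ($0 ~ /^[ \t]*#/) { print; next }         # later comment: keep
            next                                          # later active duplicate: drop
        }
        /^[ \t]*Match([ \t]|$)/ {
            if (!done) { print line; done = 1 }          # global directive must precede Match
            in_match = 1
        }
        { print }
        END { if (!done) print line }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

harden_sshd() {
    # Applies the two settings from this section (UseDNS no, Port 2022) to the
    # live system; run as root.
    local cfg=/etc/ssh/sshd_config port=2022
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    set_sshd_option "$cfg" UseDNS no
    set_sshd_option "$cfg" Port "$port"
    # Open the new port first; firewalld allows only the ssh service (22/tcp) by default.
    if systemctl is-active --quiet firewalld; then
        firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload
    fi
    # With SELinux enforcing, sshd may only bind ports labelled ssh_port_t.
    if [ "$(getenforce 2>/dev/null)" != "Disabled" ] && command -v semanage >/dev/null; then
        semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
            || semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    # Never restart on a config that does not parse.
    sshd -t || { echo "sshd_config failed validation; not restarting" >&2; return 1; }
    systemctl restart sshd
}

# Run "./this-script apply" as root to change the live host. Keep the current
# session open and confirm that "ssh -p 2022 host" works before closing it.
if [ "${1:-}" = apply ]; then
    harden_sshd
fi
```

Once a login on 2022 has been confirmed, remove the old port from the firewall (the ssh service in firewalld) so that scanners no longer see 22 at all; leaving both open defeats the purpose of moving.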

SFTP logging

sed -i "s/\(.*sftp\)/#\1/g" /etc/ssh/sshd_config
sed -i '/sftp/a Subsystem    sftp    /usr/libexec/openssh/sftp-server -f local2 -l INFO' /etc/ssh/sshd_config
echo -e "\n#sftp logging" >> /etc/rsyslog.conf
echo 'local2.*            /var/log/sftp.log' >> /etc/rsyslog.conf
sed -i '/spooler/a \/var\/log\/sftp.log' /etc/logrotate.d/syslog

systemctl restart sshd.service
systemctl restart rsyslog.service

The first sed comments out the existing Subsystem line and the second appends a new one after every line that mentions sftp, with sftp-server logging its file operations (open, close, rename, remove and so on) at INFO level to the local2 facility. Run it once only: a second run comments out the line you added and appends two active Subsystem lines, and sshd then refuses to start with "Subsystem 'sftp' already defined", so validate with sshd -t before restarting. Unlike the local1 rule above, local2 is not excluded from /var/log/messages, so each SFTP event lands in both files unless you add local2.none to the messages rule in the same way.

cron security settings

echo 'daemon' >>  /etc/cron.deny
echo 'apache' >>  /etc/cron.deny
echo 'nginx' >>  /etc/cron.deny

cron.deny only controls who may use the crontab command to manage a personal crontab; jobs in /etc/crontab, /etc/cron.d and the cron.* directories are unaffected, and if /etc/cron.allow exists the deny file is ignored entirely. Listing the web-server and daemon accounts means that an attacker who gains code execution as apache or nginx cannot persist through a user crontab, which is a cheap win. An allow-list (cron.allow containing only the accounts that genuinely need cron) is the stricter form of the same control.

Adjusting permissions on key commands/files

for cmd in perl find finger nslookup gcc suidperl whereis cc c++ make pstree rlog rlogin which who w mail sendmail top free last lynx wget curl ps df ping netstat ftp ncftp rz sz tar; do
    chgrp wheel $(which $cmd)
    chmod 750 $(which $cmd)
done
chgrp wheel /etc/hosts /etc/hosts.deny /etc/hosts.allow /etc/named.conf
chmod 750 /etc/hosts /etc/hosts.deny /etc/hosts.allow /etc/named.conf

The goal is to leave compilers, network clients and reconnaissance tools (gcc, wget, curl, nslookup, ps, netstat and so on) usable by root and the wheel group only, so that a compromised service account cannot use them to download payloads, build exploits or map the system. Four things to know before running it. First, several names in the list are not installed on a minimal CentOS 8 system (suidperl was dropped from Perl years ago; rlogin, rlog, finger, lynx, ncftp, ftp and netstat come from packages that are not installed by default), so which prints an error and chmod/chgrp fail with "missing operand" for those entries. Second, the config files at the end must not be made 750: /etc/hosts is read by every process that resolves a name, so a web server or database running outside wheel loses localhost resolution; /etc/named.conf is read by the named user (root:named, mode 640 by default) and BIND stops starting; and /etc/hosts.allow and hosts.deny do nothing on CentOS 8, where TCP wrappers support was removed. Third, ps, df, free, top, which and tar are called by ordinary scripts and monitoring agents, which break when they run as non-wheel users, and ping stops working for every unprivileged user. Fourth, rpm owns these files: rpm -V reports them as modified, and any package update that replaces a binary (including the dnf update at the end of this page) restores the packaged group and mode, so the change has to be re-applied and checked after updates.
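The functions below are an example added here, not code from the original post, that apply the same restriction without those failure modes: missing tools are skipped rather than passed to chmod as an empty string, non-executable files such as /etc/hosts are refused, the original group and mode of every file are recorded so the change can be reverted, and a check reports files that a package update has put back to their packaged mode. RESTRICT_LOG, the function names and the group argument (wheel on this page) are this example's own conventions.

```shell
#!/bin/bash
# Added example (not from the original post): apply the chgrp/chmod step from
# this section safely. Skips names that are not installed, refuses non-executable
# files (a 750 config file becomes unreadable for services), records original
# group/mode for rollback and reports drift after package updates.
# RESTRICT_LOG is this example's own convention.
RESTRICT_LOG=${RESTRICT_LOG:-/root/restricted-tools.log}

restrict_tool() {
    # $1: group allowed to run the tools (wheel on this page); $2..: command names or paths
    local group=$1 name path
    shift
    for name in "$@"; do
        case $name in
            /*) path=$name ;;
            *)  path=$(command -v "$name" 2>/dev/null || true) ;;
        esac
        if [ -z "$path" ] || [ ! -f "$path" ]; then
            printf 'skip: %s is not installed\n' "$name" >&2
            continue
        fi
        if [ ! -x "$path" ]; then
            printf 'skip: %s is not executable; a 750 config file is unreadable for services\n' "$path" >&2
            continue
        fi
        # Record the first-seen group/mode only, so a second run cannot overwrite the original.
        if ! grep -qs -- "^$path " "$RESTRICT_LOG"; then
            printf '%s %s %s\n' "$path" "$(stat -c %G "$path")" "$(stat -c %a "$path")" >> "$RESTRICT_LOG"
        fi
        chgrp "$group" "$path" && chmod 750 "$path"
    done
}

verify_tools() {
    # Return 1 and list every logged file whose mode is no longer 750, e.g. after
    # dnf update replaced the binary (rpm -V shows such files as .M....G.. as well).
    local path group mode cur drift=0
    while read -r path group mode; do
        [ -f "$path" ] || continue
        cur=$(stat -c %a "$path")
        if [ "$cur" != 750 ]; then
            printf 'drift: %s is mode %s, expected 750\n' "$path" "$cur"
            drift=1
        fi
    done < "$RESTRICT_LOG"
    return $drift
}

restore_tools() {
    # Put every logged file back to the group and mode recorded before the change.
    local path group mode
    while read -r path group mode; do
        [ -f "$path" ] || continue
        chgrp "$group" "$path" && chmod "$mode" "$path"
    done < "$RESTRICT_LOG"
}

# On the host (as root), the list from this section becomes:
#   restrict_tool wheel perl find finger nslookup gcc suidperl whereis cc c++ make pstree \
#       rlog rlogin which who w mail sendmail top free last lynx wget curl ps df ping \
#       netstat ftp ncftp rz sz tar
#   verify_tools      # after every dnf update
```

Run verify_tools from a daily cron job or after each update, and keep the log file readable by root only, since it doubles as a list of what was hardened.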

Package update

dnf -y update

Run this before the permission step rather than after it: an update reinstalls every replaced file with the group and mode from its package, undoing the chgrp/chmod above. If a new kernel was installed, reboot so that it is actually the one running.

Most of the settings above are not mandatory, so apply only the ones that make sense for your system.

That's all.
