Basic Linux system tuning

1. Disable SELinux and flush iptables
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
grep SELINUX=disabled /etc/selinux/config
setenforce 0
iptables -F
iptables -X
iptables -Z
iptables -L
/etc/init.d/iptables save
/etc/init.d/iptables stop
chkconfig iptables off

2. Add a regular user and grant it sudo rights
useradd liwen
echo '123456'|passwd --stdin liwen&&history -c
echo 'liwen ALL=(ALL) NOPASSWD: ALL' >>/etc/sudoers
tail /etc/sudoers

3. Update the yum repository configuration and install required packages
yum install -y wget
cd /etc/yum.repos.d/
/bin/mv CentOS-Base.repo CentOS-Base.repo.bak
sed -i 's#$releasever#6#g' CentOS-Base.repo
yum clean all
yum makecache
yum install lrzsz ntpdate sysstat openssh openssl expect telnet tree dos2unix nmap -y

4. Synchronise the server clock automatically on a schedule
echo '*/5 * * * * /usr/sbin/ntpdate -u ntp.api.bz && /sbin/hwclock -w ' >>/var/spool/cron/root

5. Trim the services started at boot
for sun in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 3 $sun off;done
for sun in crond rsyslog sshd network;do chkconfig --level 3 $sun on;done
chkconfig --list|grep 3:on

6. Change the character set to support Chinese
cp /etc/sysconfig/i18n /etc/sysconfig/i18n.$(date +%Y%m%d%k%I%M)
cat >/etc/sysconfig/i18n<<EOF
LANG="zh_CN.UTF-8"
SYSFONT="latarcyrheb-sun16"
EOF
source /etc/sysconfig/i18n
Temporary change: export LANG="en_US.UTF-8" and export LANGUAGE="en_US:en"

7. Change the default ssh port and forbid remote root login
sed -i 's/#Port 22/Port 52113/g' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
cat /etc/ssh/sshd_config|egrep 'PermitEmptyPasswords|UseDNS|Port|GSSAPIAuthentication|PermitRootLogin'
/etc/init.d/sshd restart
For cloud servers, add the following to keep ssh sessions from being dropped:
ClientAliveInterval 60
ClientAliveCountMax 86400

8.
Add command-history logging
[root@node1 ~]# vim /etc/profile    # append the following
LOG_DIR=/var/log/.history
USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]; then
    USER_IP=`hostname`
fi
if [ ! -d $LOG_DIR ]; then
    mkdir $LOG_DIR
    chmod 777 $LOG_DIR
fi
if [ ! -d ${LOG_DIR}/${LOGNAME} ];then
    mkdir ${LOG_DIR}/${LOGNAME}
    chmod 300 ${LOG_DIR}/${LOGNAME}
fi
export HISTSIZE=4096
DT=`date +"%F_%H%M%S"`
export HISTFILE="${LOG_DIR}/${LOGNAME}/${DT}_${USER_IP}.history"
chmod 600 ${LOG_DIR}/${LOGNAME}/*history* 2>/tmp/history.error.log
readonly PROMPT_COMMAND='{ date "+%F %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(pwd) #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >> $HISTFILE' 2>/tmp/history.error.log

9. Lock down key system files
chattr +i /etc/passwd
chattr +i /etc/inittab
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
After using chattr, for safety we rename the binary:
/bin/mv /usr/bin/chattr /usr/bin/<any-name>

10. Raise the file descriptor limit
ulimit -n
echo '* - nofile 65535' >> /etc/security/limits.conf

11. Adjust the character set to support Chinese
sed -i 's#LANG=.*$#LANG="zh_CN.UTF-8"#g' /etc/sysconfig/i18n
source /etc/sysconfig/i18n

12. Remove the system and kernel version banners shown before login
>/etc/redhat-release
>/etc/issue
>/etc/issue.net
>/etc/motd

13.
Kernel parameter tuning
This tuning suits web workloads such as apache, nginx and squid; special workloads may need slight adjustment.
cat >>/etc/sysctl.conf<<EOF
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
EOF
tail /etc/sysctl.conf
/sbin/sysctl -p
Append the kernel parameters above to /etc/sysctl.conf, then run /sbin/sysctl -p to make them take effect.
Firewall tuning parameters:
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
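A check for the sshd edits in step 7, added here as example code that is not part of the original post: the `sed` substitutions only match lines that are still commented out, and sshd honours the first uncommented occurrence of a keyword, so an untouched `Port 22` silently wins over the intended `Port 52113`. The script reads a config the way sshd does and reports each of the five step-7 settings that is not in effect; the port value comes from step 7 and the sample config is constructed.

```shell
#!/bin/sh
# Added example for this page, not from the original post: verify the step-7
# sshd settings are actually in effect. sshd honours the FIRST uncommented
# occurrence of a keyword, so an untouched "Port 22" above a later
# "Port 52113" wins, and "sed 's/#Port 22/.../'" changes nothing when the
# line was already uncommented.

# effective_value FILE KEYWORD: print the first active value, empty if unset
effective_value() {
    awk -v key="$2" '
        $1 == "" || substr($1, 1, 1) == "#" { next }     # skip blanks and comments
        tolower($1) == tolower(key) { print $2; exit }   # first match wins, as in sshd
    ' "$1"
}

# check_sshd_hardening FILE: return 0 when every expected value is effective;
# otherwise print "Keyword: got X, want Y" for each mismatch and return 1.
check_sshd_hardening() {
    _file="$1"; _rc=0
    for _pair in Port=52113 PermitRootLogin=no PermitEmptyPasswords=no \
                 GSSAPIAuthentication=no UseDNS=no; do
        _key="${_pair%%=*}"; _want="${_pair#*=}"
        _got="$(effective_value "$_file" "$_key")"
        if [ "$_got" != "$_want" ]; then
            printf '%s: got %s, want %s\n' "$_key" "${_got:-<unset>}" "$_want"
            _rc=1
        fi
    done
    return "$_rc"
}

# Constructed sample config: the step-7 sed left the live "Port 22" untouched
# because that line was already uncommented, so the new port never applies.
SAMPLE_CFG="$(mktemp)"
cat >"$SAMPLE_CFG" <<'EOF'
Port 22
#Port 52113
PermitRootLogin no
PermitEmptyPasswords no
GSSAPIAuthentication no
UseDNS no
EOF
if check_sshd_hardening "$SAMPLE_CFG"; then   # prints: Port: got 22, want 52113
    echo "sshd hardening: all settings in effect"
fi
rm -f "$SAMPLE_CFG"
```

On a live host, `sshd -T` prints the configuration sshd actually resolved and its output can be saved to a file and passed to the same check.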