2019独角兽企业重金招聘Python工程师标准>>>
系统信息:
[root@nfs01 ~]# uname -r
2.6.32-696.el6.x86_64
[root@nfs01 ~]# uname -m
x86_64
[root@nfs01 ~]# cat /etc/redhat-release
CentOS release 6.9 (Final)
更改yum源
mv /etc/yum.repos.d/CentOS-Base.repo{,.$(date +%F_%T).backup}
关闭SELinux
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
yum makecache
\cp /etc/selinux/config{,.$(date +%F_%T).backup}
关闭iptables
sed -i "s#SELINUX=enforcing#SELINUX=disabled#g" /etc/selinux/config
grep 'SELINUX=disable' /etc/selinux/config
setenforce 0
getenforce
/etc/init.d/iptables stop
精简开机自启动服务
/etc/init.d/iptables stop
chkconfig iptables off
export LANG=en
提权abc可以sudo
chkconfig --list | egrep "3:on"|egrep -v "crond|network|sshd|rsyslog|sysstat" | awk '{print "chkconfig",$1,"off"}' | bash
chkconfig --list | grep 3:on
useradd abc
时间同步
\cp /etc/sudoers{,.$(date +%F_%T).backup}
echo "abc ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
tail -1 /etc/sudoers
visudo -c
echo '# time sync by odlboy at 2018-2-1' >> /var/spool/cron/root
加大文件描述
echo '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' >> /var/spool/cron/root
crontab -l
\cp /etc/security/limits.conf{,.$(date +%F_%T).backup}
内核优化
echo '* - nofile 65535' >> /etc/security/limits.conf
tail -1 /etc/security/limits.conf
# 重启生效
ulimit -n
\cp /etc/sysctl.conf{,.$(date +%F_%T).backup}
下载安装系统基础软件
cat >>/etc/sysctl.conf<net.ipv4.tcp_fin_timeout &#61; 2
net.ipv4.tcp_tw_reuse &#61; 1
net.ipv4.tcp_tw_recycle &#61; 1
net.ipv4.tcp_synCOOKIEs &#61; 1
net.ipv4.tcp_keepalive_time &#61; 600
net.ipv4.ip_local_port_range &#61; 4000 65000
net.ipv4.tcp_max_syn_backlog &#61; 16384
net.ipv4.tcp_max_tw_buckets &#61; 36000
net.ipv4.route.gc_timeout &#61; 100
net.ipv4.tcp_syn_retries &#61; 1
net.ipv4.tcp_synack_retries &#61; 1
net.core.somaxconn &#61; 16384
net.core.netdev_max_backlog &#61; 16384
net.ipv4.tcp_max_orphans &#61;16384
# 以下参数是对iptables防火墙的优化&#xff0c;防火墙不开会提示&#xff0c;可以忽略不理
net.nf_conntrack_max &#61; 25000000
net.netfilter.nf_conntrack_max &#61; 25000000
net.netfilter.nf_conntrack_tcp_timeout_established &#61; 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait &#61; 120
net.netfilter.nf_conntrack_tcp_timeout_close-wait &#61; 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait &#61; 120
EOF
# 让内核配置文件中的参数生效
sysctl -p
yum -y install tree lrzsz telnet nc nmap dos2unix sysstat htop nload iptraf iftop
更改SSH服务器远程登录的配置(选择性修改&#xff0c;自己别登不上了)
\cp /etc/ssh/sshd_config{,.$(date &#43;%F_%T).backup}sed -i &#39;s/#Port 22/Port 52113/g&#39; /etc/ssh/sshd_config
禁止Linux系统被ping
sed -i &#39;s/#PermitRootLogin yes/PermitRootLogin no/g&#39; /etc/ssh/sshd_config
sed -i &#39;s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g&#39; /etc/ssh/sshd_config sed -i &#39;s/GSSAPIAuthentication yes/GSSAPIAuthentication no/g&#39; /etc/ssh/sshd_config
sed -i &#39;s/#UseDNS yes/UseDNS no/g&#39; /etc/ssh/sshd_config
/etc/init.d/sshd reload
# 禁止ping
修复部分软件漏洞
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# 允许ping
# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
rpm -qa openssh openssl bash
yum install -y openssh openssl bash
Linux基础优化与完全重点小结1&#xff09;不用root登录管理系统&#xff0c;而以普通用户登录通过sudo授权管理
2&#xff09;更改默认远程连接ssh服务端口&#xff0c;禁止root用户远程连接&#xff0c;甚至要更改ssh服务只监听内网ip
3&#xff09;定时自动更新服务器的时间&#xff0c;使其和互联网时间同步
4&#xff09;配置yum更新源&#xff0c;从国内更新源下载安装软件包
5&#xff09;关闭SELinux及iptables&#xff08;在工作场景中&#xff0c;如果有外部ip一般要打开iptables&#xff0c;高并发高流量的服务器可能无法开启&#xff09;
6&#xff09;调整文件描述符的数量&#xff0c;进程及文件的打开都会消耗文件描述数量
7&#xff09;定时自动清理邮件目录垃圾文件&#xff0c;防止磁盘的inodes数被小文件占满&#xff08;注意CentOS6和Cnetos5要清理的目录不同&#xff09;
8&#xff09;精简并保留必要的自启动服务开机&#xff08;如&#xff1a;crond、shhd、network、rsyslog、sysstat&#xff09;
9&#xff09;Linux内核参数优化/etc/sysctl.conf&#xff0c;执行sysctl -p生效
10&#xff09;更改系统字符集为“zh_CN.UTF-8”,使其支持中文&#xff0c;防止出现乱码问题
11&#xff09;锁定关键系统文件&#xff0c;如:/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab&#xff0c;处理以上内容后把chattr、lsattr改名为oldboy&#xff0c;转移走&#xff0c;这样就安全多了
12&#xff09;清空/etc/issue /etc/issue.net&#xff0c;去除系统及内核版本登录前的屏幕显示
13&#xff09;清除多余的系统虚拟用户账号
14&#xff09;为grub引导菜单加密码
15&#xff09;禁止主机被ping
16&#xff09;打补丁并升级有已知漏洞的软件
注&#xff1a;此博客仅供参考&#xff0c;读者可根据自己的实际情况进行合理的配置&#xff0c;博客内容参考老男孩书籍《web集群实战》一书