Centos6.9系统部分基础优化（更新时间2018/04/19）

2019独角兽企业重金招聘Python工程师标准>>>

系统信息&＃xff1a;
[root&＃64;nfs01 ~]# uname -r 2.6.32-696.el6.x86_64 [root&＃64;nfs01 ~]# uname -m x86_64 [root&＃64;nfs01 ~]# cat /etc/redhat-release CentOS release 6.9 (Final)

更改yum源
mv /etc/yum.repos.d/CentOS-Base.repo{,.$(date &＃43;%F_%T).backup} wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo yum makecache 关闭SELinux
\cp /etc/selinux/config{,.$(date &＃43;%F_%T).backup} sed -i "s#SELINUX&＃61;enforcing#SELINUX&＃61;disabled#g" /etc/selinux/config grep &＃39;SELINUX&＃61;disable&＃39; /etc/selinux/config setenforce 0 getenforce 关闭iptables
/etc/init.d/iptables stop /etc/init.d/iptables stop chkconfig iptables off 精简开机自启动服务
export LANG&＃61;en chkconfig --list | egrep "3:on"|egrep -v "crond|network|sshd|rsyslog|sysstat" | awk &＃39;{print "chkconfig",$1,"off"}&＃39; | bash chkconfig --list | grep 3:on 提权abc可以sudo
useradd abc \cp /etc/sudoers{,.$(date &＃43;%F_%T).backup} echo "abc ALL&＃61;(ALL) NOPASSWD:ALL" >> /etc/sudoers tail -1 /etc/sudoers visudo -c 时间同步
echo &＃39;# time sync by odlboy at 2018-2-1&＃39; >> /var/spool/cron/root echo &＃39;*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1&＃39; >> /var/spool/cron/root crontab -l 加大文件描述
\cp /etc/security/limits.conf{,.$(date &＃43;%F_%T).backup} echo &＃39;* - nofile 65535&＃39; >> /etc/security/limits.conf tail -1 /etc/security/limits.conf # 重启生效 ulimit -n 内核优化
\cp /etc/sysctl.conf{,.$(date &＃43;%F_%T).backup} cat >>/etc/sysctl.conf<net.ipv4.tcp_fin_timeout &＃61; 2 net.ipv4.tcp_tw_reuse &＃61; 1 net.ipv4.tcp_tw_recycle &＃61; 1 net.ipv4.tcp_synCOOKIEs &＃61; 1 net.ipv4.tcp_keepalive_time &＃61; 600 net.ipv4.ip_local_port_range &＃61; 4000 65000 net.ipv4.tcp_max_syn_backlog &＃61; 16384 net.ipv4.tcp_max_tw_buckets &＃61; 36000 net.ipv4.route.gc_timeout &＃61; 100 net.ipv4.tcp_syn_retries &＃61; 1 net.ipv4.tcp_synack_retries &＃61; 1 net.core.somaxconn &＃61; 16384 net.core.netdev_max_backlog &＃61; 16384 net.ipv4.tcp_max_orphans &＃61;16384 # 以下参数是对iptables防火墙的优化&＃xff0c;防火墙不开会提示&＃xff0c;可以忽略不理 net.nf_conntrack_max &＃61; 25000000 net.netfilter.nf_conntrack_max &＃61; 25000000 net.netfilter.nf_conntrack_tcp_timeout_established &＃61; 180 net.netfilter.nf_conntrack_tcp_timeout_time_wait &＃61; 120 net.netfilter.nf_conntrack_tcp_timeout_close-wait &＃61; 60 net.netfilter.nf_conntrack_tcp_timeout_fin_wait &＃61; 120 EOF # 让内核配置文件中的参数生效 sysctl -p 下载安装系统基础软件
yum -y install tree lrzsz telnet nc nmap dos2unix sysstat htop nload iptraf iftop 更改SSH服务器远程登录的配置(选择性修改&＃xff0c;自己别登不上了)
\cp /etc/ssh/sshd_config{,.$(date &＃43;%F_%T).backup}sed -i &＃39;s/#Port 22/Port 52113/g&＃39; /etc/ssh/sshd_config sed -i &＃39;s/#PermitRootLogin yes/PermitRootLogin no/g&＃39; /etc/ssh/sshd_config sed -i &＃39;s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g&＃39; /etc/ssh/sshd_config sed -i &＃39;s/GSSAPIAuthentication yes/GSSAPIAuthentication no/g&＃39; /etc/ssh/sshd_config sed -i &＃39;s/#UseDNS yes/UseDNS no/g&＃39; /etc/ssh/sshd_config /etc/init.d/sshd reload 禁止Linux系统被ping
# 禁止ping echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all # 允许ping # echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all 修复部分软件漏洞
rpm -qa openssh openssl bash yum install -y openssh openssl bash

Linux基础优化与完全重点小结
1&＃xff09;不用root登录管理系统&＃xff0c;而以普通用户登录通过sudo授权管理
2&＃xff09;更改默认远程连接ssh服务端口&＃xff0c;禁止root用户远程连接&＃xff0c;甚至要更改ssh服务只监听内网ip
3&＃xff09;定时自动更新服务器的时间&＃xff0c;使其和互联网时间同步
4&＃xff09;配置yum更新源&＃xff0c;从国内更新源下载安装软件包
5&＃xff09;关闭SELinux及iptables&＃xff08;在工作场景中&＃xff0c;如果有外部ip一般要打开iptables&＃xff0c;高并发高流量的服务器可能无法开启&＃xff09;
6&＃xff09;调整文件描述符的数量&＃xff0c;进程及文件的打开都会消耗文件描述数量
7&＃xff09;定时自动清理邮件目录垃圾文件&＃xff0c;防止磁盘的inodes数被小文件占满&＃xff08;注意CentOS6和Cnetos5要清理的目录不同&＃xff09;
8&＃xff09;精简并保留必要的自启动服务开机&＃xff08;如&＃xff1a;crond、shhd、network、rsyslog、sysstat&＃xff09;
9&＃xff09;Linux内核参数优化/etc/sysctl.conf&＃xff0c;执行sysctl -p生效
10&＃xff09;更改系统字符集为“zh_CN.UTF-8”,使其支持中文&＃xff0c;防止出现乱码问题
11&＃xff09;锁定关键系统文件&＃xff0c;如:/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab&＃xff0c;处理以上内容后把chattr、lsattr改名为oldboy&＃xff0c;转移走&＃xff0c;这样就安全多了
12&＃xff09;清空/etc/issue /etc/issue.net&＃xff0c;去除系统及内核版本登录前的屏幕显示
13&＃xff09;清除多余的系统虚拟用户账号
14&＃xff09;为grub引导菜单加密码
15&＃xff09;禁止主机被ping
16&＃xff09;打补丁并升级有已知漏洞的软件