linux优化

Posted 2020-08-26

linux系统基础调优

 1.    关闭selinux，清空iptables

sed -i ‘s/SELINUX=enforcing/SELINUX=disabled/g‘/etc/selinux/config

grep SELINUX=disabled /etc/selinux/config

setenforce 0

iptables -F

iptables -X

iptables -Z

iptables -L

/etc/init.d/iptables save

 2.    添加普通用户并进行sudo授权管理

useradd liwen

echo ‘123456‘|passwd --stdin liwen&&history-c

echo ‘liwen      ALL=(ALL)      NOPASSWD: ALL‘>>/etc/sudoers

tail /etc/sudoers

 3.    更新yum源及必要软件安装

yum install-y wget

cd /etc/yum.repos.d/

/bin/mv CentOS-Base.repo CentOS-Base.repo.bak

wget -O /etc/yum.repos.d/CentOS-Base.repohttp://mirrors.aliyun.com/repo/Centos-6.repo

sed -i ‘s#$releasever#6#g‘ CentOS-Base.repo

yum clean all

yum makecache 

yum install lrzszntpdate sysstat openssh openssl expect telnet tree dos2unix nmap -y

 4.   定时自动更新服务器时间

echo‘*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1‘>>/var/spool/cron/root

 5.    精简开机自启动服务

for sun in `chkconfig --list|grep 3:on|awk ‘{print$1}‘`;do chkconfig --level 3 $sun off;done

for sun in crond rsyslog sshd network;do chkconfig--level 3 $sun on;done

chkconfig --list|grep 3:on

 6.    变更默认的ssh服务端口，禁止root用户远程连接

sed -i ‘s/#Port 22/Port 52113/g‘/etc/ssh/sshd_config

sed -i ‘s/#PermitRootLogin yes/PermitRootLoginno/g‘ /etc/ssh/sshd_config

sed -i ‘s/#PermitEmptyPasswordsno/PermitEmptyPasswords no/g‘ /etc/ssh/sshd_config

sed -i ‘s/GSSAPIAuthenticationyes/GSSAPIAuthentication no/g‘ /etc/ssh/sshd_config

sed -i ‘s/#UseDNS yes/UseDNS no/g‘/etc/ssh/sshd_config

cat /etc/ssh/sshd_config|egrep‘PermitEmptyPasswords|UseDNS|Port|GSSAPIAuthentication|PermitRootLogin‘

/etc/init.d/sshd restart

 7.    锁定关键文件系统

chattr +i /etc/passwd

chattr +i /etc/inittab

chattr +i /etc/shadow

chattr +i /etc/group

chattr +i /etc/gshadow

使用chattr命令后，为了安全我们需要将其改名

/bin/mv /usr/bin/chattr /usr/bin/任意名称

 8.    调整文件描述符大小

ulimit –n

echo ‘*  - nofile  65535‘ >>/etc/security/limits.conf

 9.    调整字符集，使其支持中文

sed -i ‘s#LANG=.*$#LANG="zh_CN.UTF-8"#g‘/etc/sysconfig/i18n

source /etc/sysconfig/i18n

 10.   去除系统及内核版本登录前的屏幕显示

>/etc/redhat-release

>/etc/issue

>/etc/issue.net

>/etc/motd

 11.   内核参数优化

本优化适合apache，nginx，squid多种等web应用，特殊的业务也可能需要略作调整

cat >>/etc/sysctl.conf<<EOF

net.ipv4.tcp_syn_retries = 1

net.ipv4.tcp_synack_retries = 1

net.ipv4.tcp_keepalive_time = 600

net.ipv4.tcp_keepalive_probes = 3

net.ipv4.tcp_keepalive_intvl =15

net.ipv4.tcp_retries2 = 5

net.ipv4.tcp_fin_timeout = 2

net.ipv4.tcp_max_tw_buckets = 36000

net.ipv4.tcp_tw_recycle = 1

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_max_orphans = 32768

net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_max_syn_backlog = 16384

net.ipv4.tcp_wmem = 8192 131072 16777216

net.ipv4.tcp_rmem = 32768 131072 16777216

net.ipv4.tcp_mem = 786432 1048576 1572864

net.ipv4.ip_local_port_range = 1024 65000

net.core.somaxconn = 16384

net.core.netdev_max_backlog = 16384

EOF

tail /etc/sysctl.conf

/sbin/sysctl -p

将上面的内核参数值加入/etc/sysctl.conf文件中然后/sbin/sysctl -p使其生效

防火墙的优化参数

net.nf_conntrack_max = 25000000

net.netfilter.nf_conntrack_max = 25000000

net.netfilter.nf_conntrack_tcp_timeout_established= 180