Linux之系统优化配置

时间:2021-11-16 16:09:22

Linux系统优化配置

  1. 更新国内镜像源

    国内速度快的常用更新源如下:

    http://mirrors.sohu.com

    http://mirrors.163.com

    [root@greymouster ~]# cd /etc/yum.repos.d/
    [root@greymouster yum.repos.d]# ll
    total 16
    -rw-r--r--. 1 root root 1926 Nov 27  2013 CentOS-Base.repo
    -rw-r--r--. 1 root root  638 Nov 27  2013 CentOS-Debuginfo.repo
    -rw-r--r--. 1 root root  630 Nov 27  2013 CentOS-Media.repo
    -rw-r--r--. 1 root root 3664 Nov 27  2013 CentOS-Vault.repo
    [root@greymouster yum.repos.d]# cp CentOS-Base.repo  CentOS-Base.repo.ori
    [root@greymouster yum.repos.d]# wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
    [root@greymouster yum.repos.d]# cp CentOS6-Base-163.repo CentOS-Base.repo
  2. 安装必要的软件包

    yum install tree telnet dos2unix sysstat lrzsz -y

    yum grouplist 查看系统安装了哪些安装包

  3. 关闭selinux

    # 该命令永久将selinux关闭,但是必须要重启系统
    sed -i 's/SELINUX=enforcing/SELINUX=disabled/g'  /etc/selinux/config
    
    # 临时修改命令(不用重启系统)
     setenforce 0  
    
     # 查看selinux当前状态
     getenforce
  4. 设定开机运行级别为3

    [root@greymouster ~]# grep 3:initdefault /etc/inittab
    id:3:initdefault:
    [root@greymouster ~]# init 3
  5. 精简开机系统启动的服务

    # 先关闭所有开机自启动服务
    for i in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 3 $i off;done
    
    
    # 然后再开启指定开机自启动服务
    for i in crond network rsyslog sshd;do chkconfig --level 3 $i on;done
  6. 更改ssh服务远程登陆的配置

    [root@greymouster ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.ori
    [root@greymouster ~]# vi /etc/ssh/sshd_config
     #Port 22  #ssh连接默认端口22
     #PermitRootLogin no # root用户是否禁止远程登录
     #PermitEmptyPasswords no #禁止空密码登录
     #UseDNS no    #不使用DNS
     #GSSAPIAuthentication no #让ssh连接更快
     [root@greymouster ~]# /etc/init.d/sshd restart
     [root@greymouster ~]# /etc/init.d/iptables stop //临时关闭防火墙
  7. 将普通账号加入sudo管理

    [root@greymouster ~]# visudo
    98gg   //定位到98行
    
    root    ALL=(ALL)       ALL
    greymouster ALL=(ALL)   /usr/sbin/useradd
    或者这样修改:拥有全部的权限但不需要密码
    greymouster ALL=(ALL)   NOPASSWD:ALL
    
    %用户组  机器=(授权那个角色的权利) /usr/sbin/useradd
    
    [root@greymouster ~]# su - greymouster
    [greymouster@greymouster ~]$ useradd kkk
    -bash: /usr/sbin/useradd: Permission denied
    [greymouster@greymouster ~]$ sudo useradd kkk
    [sudo] password for greymouster: 
    [greymouster@greymouster ~]$ tail -1 /etc/passwd
    kkk:x:502:502::/home/kkk:/bin/bash
    [greymouster@greymouster ~]$ netstat -lntup|grep ssh
    (No info could be read for "-p": geteuid()=501 but you should be root.)
    [greymouster@greymouster ~]$ sudo netstat -lntup|grep ssh
    tcp 0 0 0.0.0.0:60222 0.0.0.0:* LISTEN 28683/sshd 
    tcp 0 0 :::60222 :::* LISTEN 28683/sshd 
    [greymouster@greymouster ~]$
  8. 服务器时间同步

    # 系统方法
    [root@PLF ~]# /usr/sbin/ntpdate time.nist.gov
    27 May 20:08:05 ntpdate[25792]: step time server 132.163.97.2 offset 95.328349 sec
    [root@PLF ~]# echo "# time sync" >>/var/spool/cron/root
    [root@PLF ~]# echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root 
    [root@PLF ~]# crontab -l
    # time sync
    */5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1
    [root@PLF ~]# 
    
  9. 加大服务器的文件描述符

    echo '*  soft  nofile 65535' >>/etc/security/limits.conf
    echo '*  hard  nofile 65535' >>/etc/security/limits.conf
  10. 调整内核参数文件/et/sysctl.conf

    net.ipv4.tcp_fin_timeout = 2
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_keepalive_time = 600
    net.ipv4.ip_local_port_range = 4000  65000
    net.ipv4.tcp_max_syn_backlog = 16384
    net.ipv4.tcp_max_tw_buckets = 36000
    net.ipv4.route.gc_timeout = 100
    net.ipv4.tcp_syn_retries = 1
    net.ipv4.tcp_synack_retries = 1
    net.core.somaxconn = 16384
    net.core.netdev_max_backlog = 16384
    net.ipv4.tcp_max_orphans = 16384
    
    # 防火墙的优化则添加以下,在6.4上是,如下:
    net.nf_conntrack_max = 25000000
    net.netfilter.nf_conntrack_max = 25000000
    net.netfilter.nf_conntrack_tcp_timeout_established = 180
    net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
    net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
    net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
    
    
    [root@greymouster ~]# sysctl -p   //生效
  11. 锁定关键文件系统

    [root@greymouster ~]# chattr +i /etc/passwd
    [root@greymouster ~]# chattr +i  /etc/inittab
    [root@greymouster ~]# chattr +i /etc/group
    [root@greymouster ~]# chattr +i /etc/shadow
    [root@greymouster ~]# chattr +i /etc/gshadow 
    
    # 使用chattr命令后,为了安全我们需要将其改名
    [root@greymouster ~]# /bin/mv /usr/bin/chattr   /usr/bin/任意名称
    
    # 查看枷锁:
    lsattr  /etc/passwd
  12. 去除系统及内核版本登陆前的屏幕显示

    [root@greymouster ~]# /etc/redhat-release
    [root@greymouster ~]#  cat /dev/null >/etc/issue