1 安装基础软件
yum -y install wget net-tools screen lsof tcpdump nc mtr openssl-devel vim bash-completion lrzsz nmap telnet tree gcc-c++ make
2 同步时间
yum install -y ntp ntpdate
# date --确认时间与现在时间一致
# ntpdate 0.rhel.pool.ntp.org --如果还没有同步成功,你可以用此命令手动同步一下
# hwclock -w
# ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime -- 修改时区
3 加大打开文件数的限制(open files)
ulimit -n
ulimit -a
vi /etc/security/limits.conf
最后添加
* soft nofile 65535
* hard nofile 65535
或者
echo " ulimit -HSn 65535" >>/etc/rc.d/rc.local
echo " ulimit -s 65535" >>/etc/rc.d/rc.local
4 设置字符集
[root@hequan ~]# echo $LANG
zh_CN.UTF-8
[root@hequan ~]# vi /etc/locale.conf
LANG="en_US.UTF-8"
[root@hequan ~]# source /etc/locale.conf
5 禁用selinux
[root@bogon ~]# grep -i ^selinux /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
[root@bogon ~]# sed -i '/^SELINUX/s/enforcing/disabled/g' /etc/selinux/config
[root@bogon ~]# getenforce
Enforcing
6.关闭防火墙安装iptables
systemctl stop firewalld.service
systemctl disable firewalld.service
yum install iptables-services -y #安装
7.修改主机名
cat >>/etc/sysconfig/network<<EOF
NETWORKING=yes
HOSTNAME=你想要的主机名
EOF
hostnamectl set-hostname bj305app01
8 基本操作四:网络配置
# systemctl stop NetworkManager --停止服务
# systemctl status NetworkManager --查看状态,确认为关闭了
# systemctl disable NetworkManager --设置为开机不自动启动
# vim /etc/sysconfig/network-scripts/ifcfg-enp2s0 --网卡名如果不一样,找到对应的文件就行
BOOTPROTO="static"
NAME="enp2s0"
DEVICE="enp2s0"
ONBOOT="yes"
IPADDR=172.16.13.X
NETMASK=255.255.255.0
GATEWAY=172.16.13.254
DNS1=114.114.114.114
# /etc/init.d/network restart --network服务这里默认还是可以使用原来的管理方法
9 优化内核
cat /etc/sysctl.conf
#CTCDN系统优化参数
#关闭ipv6节省系统资源
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
#决定检查过期多久邻居条目
net.ipv4.neigh.default.gc_stale_time=120
#使用arp_announce / arp_ignore解决ARP映射问题
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1
# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1
#关闭路由转发
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
#开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
#关闭sysrq功能
kernel.sysrq = 0
#core文件名中添加pid作为扩展名
kernel.core_uses_pid = 1
# 开启SYN洪水攻击保护
net.ipv4.tcp_syncookies = 1
#修改消息队列长度
kernel.msgmnb = 65536
kernel.msgmax = 65536
#设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
#timewait的数量,默认180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
#每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 262144
#限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800
#未收到客户端确认信息的连接请求的最大值
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
#内核放弃建立连接之前发送SYNACK 包的数量
net.ipv4.tcp_synack_retries = 1
#内核放弃建立连接之前发送SYN 包的数量
net.ipv4.tcp_syn_retries = 1
#启用timewait 快速回收
net.ipv4.tcp_tw_recycle = 1
#开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
#当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
#允许系统打开的端口范围
net.ipv4.ip_local_port_range = 1024 65000
#修改防火墙表大小,默认65536
net.netfilter.nf_conntrack_max=655350
net.netfilter.nf_conntrack_tcp_timeout_established=1200
# 确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
sysctl -p #生效