• Linux之系统优化配置


    Linux系统优化配置

    1. 更新国内镜像源

      国内速度快的常用更新源如下(优先选择提供 HTTPS 的镜像, 并保留 repo 文件中的 gpgcheck=1, 否则无法校验软件包来源):

      http://mirrors.sohu.com

      http://mirrors.163.com

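      # Point yum at a domestic CentOS 6 mirror (163). Run as root.
      # Security notes:
      #  - The repo file is fetched over plain HTTP, so it can be altered in
      #    transit. Use https:// if the mirror offers it, and keep gpgcheck=1 so
      #    every package is still verified against the CentOS signing key.
      #  - Keep a backup of the stock repo file so the change can be reverted.
      repo_dir=/etc/yum.repos.d
      repo_url=http://mirrors.163.com/.help/CentOS6-Base-163.repo
      cd "$repo_dir" || exit 1
      ls -l
      cp -n CentOS-Base.repo CentOS-Base.repo.ori     # -n: never clobber an existing backup
      wget -O CentOS6-Base-163.repo "$repo_url" || exit 1
      # Refuse to install a repo file that has package signature checking turned off.
      if ! grep -q '^gpgcheck=1' CentOS6-Base-163.repo; then
        printf 'downloaded repo file does not enable gpgcheck; not installing it\n' >&2
        exit 1
      fi
      cp CentOS6-Base-163.repo CentOS-Base.repo
      yum clean all && yum makecache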
      
    2. 安装必要的软件包

      # Handy CLI tools: tree (directory listing), telnet (client only - use it to
      # probe TCP ports, never for logins, it is cleartext), dos2unix, sysstat
      # (sar/iostat), lrzsz (rz/sz file transfer over a terminal).
      yum -y install tree telnet dos2unix sysstat lrzsz

      yum grouplist   # 查看已安装和可安装的"软件包组"(不是单个软件包); 查看已安装的单个软件包用 rpm -qa 或 yum list installed

    3. 关闭selinux

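      # SELinux is a mandatory-access-control layer that confines compromised
      # services (a web server exploit, for example, cannot read /etc/shadow).
      # Disabling it is a hardening regression, not an optimisation. If a service
      # misbehaves, prefer keeping it enforcing and fixing the policy (booleans,
      # audit2allow), or fall back to "permissive" (logs denials, blocks nothing).
      selinux_conf=/etc/selinux/config
      mode=${SELINUX_MODE:-disabled}     # "permissive" is the safer troubleshooting choice
      cp -n "$selinux_conf" "$selinux_conf.ori"
      # Anchor the pattern so only the active SELINUX= line is rewritten, whatever
      # its current value (the original sed only matched "enforcing").
      sed -i "s/^SELINUX=.*/SELINUX=$mode/" "$selinux_conf"
      grep '^SELINUX=' "$selinux_conf"
      # Takes effect only after a reboot. Going back from "disabled" to
      # "enforcing" later needs a full filesystem relabel (touch /.autorelabel).

      # Temporary change for the running kernel (no reboot): 0 = permissive.
      # setenforce cannot reach "disabled" and does nothing if SELinux was
      # already disabled at boot.
      setenforce 0

      # Current runtime state: Enforcing / Permissive / Disabled.
      getenforce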
      
    4. 设定开机运行级别为3

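      # Default to runlevel 3 (multi-user, no X). Not starting a display manager
      # removes a whole class of locally exposed services on a server.
      # CentOS 6 (SysV init) reads /etc/inittab; on systemd systems use
      #   systemctl set-default multi-user.target
      inittab=/etc/inittab
      cp -n "$inittab" "$inittab.ori"
      # The original only grepped for the line; actually set it, whatever it was.
      sed -i 's/^id:[0-6]:initdefault:/id:3:initdefault:/' "$inittab"
      grep '^id:[0-6]:initdefault:' "$inittab"   # expect id:3:initdefault:
      # Switch the running system now. This stops services not in runlevel 3,
      # so do it from a console or from a session you can afford to lose.
      init 3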
      
    5. 精简开机系统启动的服务

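      # Reduce the boot-time service set to an explicit allow-list. Fewer running
      # daemons means fewer listening sockets and less attack surface.
      # $5 is the "3:on|off" column of `chkconfig --list`; match it exactly
      # instead of grepping the whole line.
      for svc in $(chkconfig --list 2>/dev/null | awk '$5 == "3:on" {print $1}'); do
        chkconfig --level 3 "$svc" off
      done

      # Re-enable only what the box needs. Review this list per server role; in
      # particular the original list drops:
      #   iptables - the host firewall; without it every service is exposed
      #   auditd   - the kernel audit trail you will want during incident response
      wanted_services="crond network rsyslog sshd"
      for svc in $wanted_services; do
        chkconfig --level 3 "$svc" on
      done
      chkconfig --list | awk '$5 == "3:on"'   # verify what will start in runlevel 3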
      
    6. 更改ssh服务远程登陆的配置

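      # Harden sshd. Each option is set explicitly: the lines in the original
      # listing are commented out ("#Port 22"), so pasting them changes nothing.
      sshd_conf=/etc/ssh/sshd_config
      cp -n "$sshd_conf" "$sshd_conf.ori"

      # set_sshd_opt KEY VALUE : replace an existing (possibly commented) KEY line
      # in sshd_config, or append "KEY VALUE" if there is none.
      set_sshd_opt() {
        local key=$1 value=$2
        if grep -Eq "^#?[[:space:]]*$key[[:space:]]" "$sshd_conf"; then
          sed -i -E "s|^#?[[:space:]]*$key[[:space:]].*|$key $value|" "$sshd_conf"
        else
          printf '%s %s\n' "$key" "$value" >>"$sshd_conf"
        fi
      }

      ssh_port=60222                            # the netstat output later in this guide shows sshd on 60222
      set_sshd_opt Port "$ssh_port"             # non-default port cuts log noise; it is not real hardening
      set_sshd_opt PermitRootLogin no           # log in as an unprivileged user, then sudo
      set_sshd_opt PermitEmptyPasswords no
      set_sshd_opt UseDNS no                    # faster logins; reverse DNS adds nothing to auth
      set_sshd_opt GSSAPIAuthentication no      # avoids a Kerberos lookup delay when there is no KDC
      # Also consider: PasswordAuthentication no (key-only auth), AllowUsers <name>.

      # Validate before restarting - a typo here locks you out. Keep the current
      # session open and test a second login before closing it.
      sshd -t || { printf 'sshd_config is invalid, not restarting\n' >&2; exit 1; }
      /etc/init.d/sshd restart

      # Do NOT stop the firewall to make the new port reachable (the original ran
      # "/etc/init.d/iptables stop", which exposes every listening service).
      # Open just the SSH port and persist the rule.
      iptables -I INPUT -p tcp --dport "$ssh_port" -j ACCEPT
      /etc/init.d/iptables save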
      
    7. 将普通账号加入sudo管理

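      # Grant a normal account limited sudo rights. Put the rule in a drop-in file
      # instead of editing /etc/sudoers by hand, and validate it with visudo -c:
      # a syntax error in sudoers locks everyone out of sudo.
      # The drop-in is honoured only when /etc/sudoers contains
      # "#includedir /etc/sudoers.d" (checked below).
      sudo_user=greymouster
      rule_file=/etc/sudoers.d/$sudo_user
      grep -q '^#includedir /etc/sudoers.d' /etc/sudoers \
        || printf 'warning: /etc/sudoers has no #includedir /etc/sudoers.d; add it via visudo\n' >&2

      # Least privilege: only the one command the user actually needs.
      # Note that useradd as root is itself a path to full root ("useradd -o -u 0"),
      # so treat any account holding this rule as root-equivalent.
      # Format:  user  host=(run-as user)  command
      printf '%s ALL=(ALL) /usr/sbin/useradd\n' "$sudo_user" >"$rule_file"

      # The original also suggests this alternative; avoid it. NOPASSWD:ALL is an
      # unauthenticated root shell for anyone who obtains this account's session
      # or key, and it leaves no password prompt to slow down an attacker:
      #   greymouster ALL=(ALL)   NOPASSWD:ALL
      # If broad rights are unavoidable, keep the password prompt: ALL=(ALL) ALL

      # Group form:  %group  host=(run-as user)  command
      #   %wheel ALL=(ALL) /usr/sbin/useradd

      chmod 0440 "$rule_file"
      visudo -cf "$rule_file" || { rm -f "$rule_file"; printf 'bad sudo rule, removed\n' >&2; exit 1; }
      sudo -l -U "$sudo_user"   # show the effective rules for the account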
      
      # Demonstration as the unprivileged account: useradd is refused directly and
      # succeeds through sudo (password prompted, as configured above).
      # Note: section 11 below makes /etc/passwd, /etc/shadow, /etc/group and
      # /etc/gshadow immutable; after that, this same "sudo useradd" fails until
      # the +i attribute is removed again.
      [root@greymouster ~]# su - greymouster
      [greymouster@greymouster ~]$ useradd kkk
      -bash: /usr/sbin/useradd: Permission denied
      [greymouster@greymouster ~]$ sudo useradd kkk
      [sudo] password for greymouster: 
      [greymouster@greymouster ~]$ tail -1 /etc/passwd
      kkk:x:502:502::/home/kkk:/bin/bash
      # netstat -p needs root to map sockets to PIDs. The output shows sshd
      # listening on 60222, i.e. the Port line of section 6 was actually changed,
      # even though the listing there still shows "#Port 22".
      [greymouster@greymouster ~]$ netstat -lntup|grep ssh
      (No info could be read for "-p": geteuid()=501 but you should be root.)
      [greymouster@greymouster ~]$ sudo netstat -lntup|grep ssh
      tcp 0 0 0.0.0.0:60222 0.0.0.0:* LISTEN 28683/sshd 
      tcp 0 0 :::60222 :::* LISTEN 28683/sshd 
      [greymouster@greymouster ~]$
      
    8. 服务器时间同步

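      # One-off step sync against an NTP server, then keep the clock in sync.
      # Caveats from a security standpoint:
      #  - ntpdate speaks plain, unauthenticated NTP; an on-path attacker can move
      #    the clock, which breaks certificate validity checks, Kerberos and log
      #    correlation. Prefer an internal NTP server where one exists.
      #  - Periodic "step" syncs (ntpdate from cron) make timestamps jump, which
      #    confuses forensics; ntpd/chronyd slew the clock continuously and are
      #    the better choice for a long-running server.
      ntp_server=time.nist.gov
      /usr/sbin/ntpdate "$ntp_server"   # e.g. "step time server 132.163.97.2 offset 95.328349 sec"

      # Install the cron job through crontab(1) rather than appending to
      # /var/spool/cron/root directly (correct ownership/permissions, and the
      # grep keeps the entry from being duplicated every time this is re-run).
      # Errors are logged instead of discarded so a dead time source is noticed.
      cron_line="*/5 * * * * /usr/sbin/ntpdate $ntp_server >>/var/log/ntpdate.log 2>&1"
      if ! crontab -l 2>/dev/null | grep -qF "/usr/sbin/ntpdate $ntp_server"; then
        { crontab -l 2>/dev/null; printf '# time sync\n%s\n' "$cron_line"; } | crontab -
      fi
      crontab -l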
      
      
    9. 加大服务器的文件描述符

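      # Raise the open-files limit for login sessions (applied by pam_limits at
      # login; already-running shells keep their old limit).
      # The "*" wildcard does NOT cover root - limits.conf(5) states that wildcard
      # and group limits are not applied to root - so root gets explicit lines.
      # Keep the hard limit <= fs.nr_open (default 1048576) or logins can fail.
      limits_conf=/etc/security/limits.conf
      nofile=65535
      cp -n "$limits_conf" "$limits_conf.ori"
      # Append only once; re-running the original echo lines stacks duplicates.
      if ! grep -qE "^\*[[:space:]]+soft[[:space:]]+nofile" "$limits_conf"; then
        printf '%s\n' \
          "*     soft  nofile $nofile" \
          "*     hard  nofile $nofile" \
          "root  soft  nofile $nofile" \
          "root  hard  nofile $nofile" >>"$limits_conf"
      fi
      tail -n 4 "$limits_conf"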
      
    10. 调整内核参数文件 /etc/sysctl.conf

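      # Kernel network tuning for /etc/sysctl.conf (apply with "sysctl -p").
      # These values come from a high-connection-rate profile; check each against
      # your workload. Lines marked (!) trade robustness for throughput and can
      # cause dropped connections if misapplied.

      # (!) FIN_WAIT2 timeout in seconds (kernel default 60). Very short values
      # free sockets faster but can cut off slow peers mid-close.
      net.ipv4.tcp_fin_timeout = 2
      # Reuse TIME_WAIT sockets for new outgoing connections when timestamps allow.
      net.ipv4.tcp_tw_reuse = 1
      # (!) tcp_tw_recycle is left off on purpose. It drops SYNs from hosts whose
      # TCP timestamps appear to go backwards - exactly what clients behind a NAT
      # or load balancer look like - and it was removed in Linux 4.12. Do not
      # enable it on anything that serves Internet or NAT'd traffic.
      # net.ipv4.tcp_tw_recycle = 1
      # SYN cookies: the kernel's built-in SYN-flood defence. Keep this on.
      net.ipv4.tcp_syncookies = 1
      # Idle seconds before the first keepalive probe (default 7200).
      net.ipv4.tcp_keepalive_time = 600
      # Ephemeral port range. It starts at 4000, so a daemon that listens above
      # 4000 (for example sshd on 60222 as in section 6) should be listed in
      # net.ipv4.ip_local_reserved_ports to avoid bind() failures after a restart.
      net.ipv4.ip_local_port_range = 4000  65000
      # Listen/accept queue sizes for connection bursts.
      net.ipv4.tcp_max_syn_backlog = 16384
      net.core.somaxconn = 16384
      net.core.netdev_max_backlog = 16384
      # Cap on TIME_WAIT sockets; above it they are destroyed with a kernel warning.
      net.ipv4.tcp_max_tw_buckets = 36000
      net.ipv4.route.gc_timeout = 100
      # (!) One SYN / SYN-ACK retransmit only (defaults 5-6 / 5). Handshakes on
      # lossy links fail fast; acceptable inside a data centre, risky on a
      # WAN-facing box.
      net.ipv4.tcp_syn_retries = 1
      net.ipv4.tcp_synack_retries = 1
      # Orphaned sockets (not attached to any process) allowed before reset.
      net.ipv4.tcp_max_orphans = 16384

      # Basic network hardening a server should carry regardless of tuning (not in
      # the original list): reverse-path filtering (anti-spoof), no source routing,
      # no ICMP redirects, log martian packets, ignore broadcast pings (smurf).
      net.ipv4.conf.all.rp_filter = 1
      net.ipv4.conf.default.rp_filter = 1
      net.ipv4.conf.all.accept_source_route = 0
      net.ipv4.conf.default.accept_source_route = 0
      net.ipv4.conf.all.accept_redirects = 0
      net.ipv4.conf.default.accept_redirects = 0
      net.ipv4.conf.all.send_redirects = 0
      net.ipv4.conf.all.log_martians = 1
      net.ipv4.icmp_echo_ignore_broadcasts = 1

      # Connection-tracking (stateful iptables) tuning, key names as on CentOS 6.4+.
      # These keys exist only after the nf_conntrack module is loaded; otherwise
      # "sysctl -p" reports them as unknown.
      # (!) Every tracked connection costs a few hundred bytes of kernel memory, so
      # 25,000,000 entries is on the order of 7 GB. Size nf_conntrack_max to the
      # RAM you can spare and raise the hash table (nf_conntrack "hashsize" module
      # option) to roughly max/4, or lookups degrade.
      # net.nf_conntrack_max is the legacy alias of net.netfilter.nf_conntrack_max;
      # keeping both is harmless but redundant.
      net.nf_conntrack_max = 25000000
      net.netfilter.nf_conntrack_max = 25000000
      # Shorter timeouts so dead flows leave the table (defaults 432000/120/60/120).
      net.netfilter.nf_conntrack_tcp_timeout_established = 180
      net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
      net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
      net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120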
      
      
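      # Apply /etc/sysctl.conf. The net.netfilter.* keys exist only once the
      # conntrack module is loaded (it is, once stateful iptables rules are
      # active); load it first so "sysctl -p" does not report them as unknown.
      modprobe nf_conntrack 2>/dev/null || true
      sysctl -p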
      
    11. 锁定关键文件系统

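      # Make the account databases immutable (chattr +i): even root cannot modify,
      # delete or rename them until the attribute is cleared. This is a tripwire
      # against careless or scripted changes, NOT a security boundary - root can
      # simply run "chattr -i" again.
      # Side effects to know before doing this:
      #  - useradd/userdel/usermod/passwd/chpasswd, including the "sudo useradd"
      #    shown in section 7, all fail until you run "chattr -i" on these files.
      #  - Package updates that touch /etc/passwd or /etc/group, and any
      #    configuration-management tool, will error out as well.
      #  - /etc/inittab is included because the original locked it too.
      immutable_files=(/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab)
      for f in "${immutable_files[@]}"; do
        chattr +i "$f"
      done

      # The original then renamed /usr/bin/chattr "for safety". Do not: anyone
      # with root can reinstall e2fsprogs, copy the binary from another machine,
      # or call the same ioctl from a few lines of python/perl. Renaming only
      # breaks "rpm -V" and future e2fsprogs updates. Real protection for these
      # files is an audit watch plus file-integrity monitoring, e.g.
      #   auditctl -w /etc/passwd -p wa -k passwd
      # /bin/mv /usr/bin/chattr /usr/bin/<some-other-name>   # not recommended

      # Verify the attribute: an "i" in the flags column.
      lsattr "${immutable_files[@]}"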
      
    12. 去除系统及内核版本登陆前的屏幕显示

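      # Hide the distribution and kernel version shown before local login.
      # (The original ran "/etc/redhat-release" as a command, which only fails
      # with "Permission denied"; it was presumably meant as "cat" to inspect it.)
      cat /etc/redhat-release

      # /etc/issue is the pre-login text on local ttys; /etc/issue.net is the
      # remote equivalent (used by sshd when "Banner /etc/issue.net" is set). The
      # stock files print the release and kernel via \r and \m escapes. Replacing
      # them with a neutral warning removes the version hint and adds the legally
      # useful "authorised use only" notice. Treat this as polish, not hardening:
      # sshd still announces its own version string to every client.
      # An empty file (": >/etc/issue") also works if no banner is wanted.
      cp -n /etc/issue /etc/issue.ori
      cp -n /etc/issue.net /etc/issue.net.ori
      printf 'Authorized access only. All activity may be monitored and reported.\n' \
        | tee /etc/issue /etc/issue.net >/dev/null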
      
  • 原文地址:https://www.cnblogs.com/plf-Jack/p/10932907.html