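Overview of basic system optimization
System user optimization
System download optimization: installing packages with yum
System security optimization: turning off security-related services
PS: system security is inversely proportional to system performance
Performance here means efficiency and convenience. For example, when you share a flat with other people, closing the door makes you safer, but going in and out becomes less convenient.
System time optimization: synchronize the system time and match the local time zone
Log files: JD.com servers -- log files of users' shopping orders
Character-encoding optimization: fix garbled Chinese text and switch system messages to Chinese
Remote-connection optimization: speed up remote connections
1. System user optimization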
[root@centos7 ~]# useradd wang
useradd: user 'wang' already exists
[root@centos7 ~]# id wang
uid=1000(wang) gid=1000(wang) groups=1000(wang)
Set a user password
Set the password interactively: passwd
[root@centos7 ~]# passwd
Changing password for user root.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
Set the password non-interactively
echo 123456 | passwd --stdin <username>
[root@centos7 ~]# echo 123456 | passwd --stdin wang
Changing password for user wang.
passwd: all authentication tokens updated successfully.
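Use the user
Method 1: open a new remote connection in Xshell
Method 2: switch user directly
su - <user>
PS: root (the emperor) -- no password needed -> oldboy (a commoner)
oldboy (a commoner) -- password required -> root (the emperor)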
[root@centos7 ~]# userdel wang
[root@centos7 ~]# id wang
id: wang: no such user
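2. System download optimization: yum
Criteria for choosing a software repository:
1. The repository carries a comprehensive set of packages and is updated regularly
2. The repository server's network must be stable
Downloading packages from the Aliyun or Tsinghua mirrors is recommended
Aliyun mirror: https://developer.aliyun.com/mirror/centos?spm=a2c6h.13651102.0.0.53322f70iBkVGV
Tsinghua mirror: https://mirrors.tuna.tsinghua.edu.cn/help/centos/
Downloading the file with curl or wget creates the yum repository configuration file
[root@centos7 ~]# curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2523  100  2523    0     0   8498      0 --:--:-- --:--:-- --:--:--  8523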
[root@centos7 ~]# ll /etc/yum.repos.d/CentOS-Base.repo
-rw-r--r--. 1 root root 2523 Dec 5 10:34 /etc/yum.repos.d/CentOS-Base.repo
[root@centos7 ~]# cat /etc/yum.repos.d/CentOS-Base.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-$releasever - Base - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/os/$basearch/
http://mirrors.aliyuncs.com/centos/$releasever/os/$basearch/
http://mirrors.cloud.aliyuncs.com/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
#released updates
[updates]
name=CentOS-$releasever - Updates - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/updates/$basearch/
http://mirrors.aliyuncs.com/centos/$releasever/updates/$basearch/
http://mirrors.cloud.aliyuncs.com/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/extras/$basearch/
http://mirrors.aliyuncs.com/centos/$releasever/extras/$basearch/
http://mirrors.cloud.aliyuncs.com/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/centosplus/$basearch/
http://mirrors.aliyuncs.com/centos/$releasever/centosplus/$basearch/
http://mirrors.cloud.aliyuncs.com/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/contrib/$basearch/
http://mirrors.aliyuncs.com/centos/$releasever/contrib/$basearch/
http://mirrors.cloud.aliyuncs.com/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
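EPEL repository
Extra Packages for Enterprise Linux
When developers finish a piece of software and publish it to a repository platform, it has to be reviewed
Base repository: strict review standards
EPEL repository: looser review standards
Create the yum repository configuration file with: wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo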
[root@centos7 ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
--2019-12-05 15:30:36--  http://mirrors.aliyun.com/repo/epel-7.repo
Resolving mirrors.aliyun.com (mirrors.aliyun.com)... 111.7.173.101, 111.32.172.242, 111.32.130.243, ...
Connecting to mirrors.aliyun.com (mirrors.aliyun.com)|111.7.173.101|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 664 [application/octet-stream]
Saving to: ‘/etc/yum.repos.d/epel.repo’
100%[==============================================================>] 664         --.-K/s   in 0s
2019-12-05 15:30:36 (120 MB/s) - ‘/etc/yum.repos.d/epel.repo’ saved [664/664]
[root@centos7 ~]# ll /etc/yum.repos.d/epel.repo
-rw-r--r--. 1 root root 664 May 11 2018 /etc/yum.repos.d/epel.repo
[root@centos7 ~]# cat /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://mirrors.aliyun.com/epel/7/$basearch
failovermethod=priority
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
baseurl=http://mirrors.aliyun.com/epel/7/$basearch/debug
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=0
[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
baseurl=http://mirrors.aliyun.com/epel/7/SRPMS
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=0
[root@centos7 ~]# yum repolist
Loaded plugins: fastestmirror
Repository base is listed more than once in the configuration
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
repo id               repo name                                           status
base/7/x86_64         CentOS-7 - Base - mirrors.aliyun.com                10,097
epel/x86_64           Extra Packages for Enterprise Linux 7 - x86_64      13,483
extras/7/x86_64       CentOS-7 - Extras - mirrors.aliyun.com                 305
updates/7/x86_64      CentOS-7 - Updates - mirrors.aliyun.com                953
repolist: 24,838
Install some fun packages
[root@centos7 ~]# yum install -y sl cowsay
Loaded plugins: fastestmirror
Repository base is listed more than once in the configuration
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
Resolving Dependencies
--> Running transaction check
---> Package cowsay.noarch 0:3.04-4.el7 will be installed
---> Package sl.x86_64 0:5.02-1.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================================================
 Package              Arch               Version                  Repository           Size
========================================================================================================
Installing:
 cowsay               noarch             3.04-4.el7               epel                 42 k
 sl                   x86_64             5.02-1.el7               epel                 14 k
Transaction Summary
========================================================================================================
Install  2 Packages
Total download size: 56 k
Installed size: 94 k
Downloading packages:
(1/2): sl-5.02-1.el7.x86_64.rpm                                          |  14 kB  00:00:00
(2/2): cowsay-3.04-4.el7.noarch.rpm                                      |  42 kB  00:00:00
--------------------------------------------------------------------------------------------------------
Total                                                           73 kB/s |  56 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : sl-5.02-1.el7.x86_64                                                  1/2
  Installing : cowsay-3.04-4.el7.noarch                                              2/2
  Verifying  : cowsay-3.04-4.el7.noarch                                              1/2
  Verifying  : sl-5.02-1.el7.x86_64                                                  2/2
Installed:
  cowsay.noarch 0:3.04-4.el7                    sl.x86_64 0:5.02-1.el7
Complete!
[root@centos7 ~]# cow
cowsay    cowthink
[root@centos7 ~]# cowthink 1
 ___
( 1 )
 ---
        o   ^__^
         o  (oo)\_______
            (__)       )/
                ||----w |
                ||     ||
[root@centos7 ~]# cowthink 哈哈
 ____
( 哈哈 )
 ----
        o   ^__^
         o  (oo)\_______
            (__)       )/
                ||----w |
                ||     ||
[root@centos7 ~]# cowsay 你真棒
 _____
< 你真棒 >
 -----
            ^__^
            (oo)\_______
            (__)       )/
                ||----w |
                ||     ||
[root@centos7 ~]# animalsay happy
 _______
< happy >
 -------
[ASCII art captioned COW-OPERATION; layout lost in extraction]
[root@centos7 ~]# animalsay happy
 _______
< happy >
 -------
[ASCII art; layout lost in extraction]
[root@centos7 ~]#
[root@centos7 ~]# animalsay happy
 _______
< happy >
 -------
[ASCII art captioned Moofasa; layout lost in extraction]
[root@centos7 ~]# yum whatprovides animalsay
Loaded plugins: fastestmirror
Repository base is listed more than once in the configuration
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
cowsay-3.04-4.el7.noarch : Configurable speaking/thinking cow
Repo        : epel
Matched from:
Filename    : /usr/bin/animalsay
cowsay-3.04-4.el7.noarch : Configurable speaking/thinking cow
Repo        : @epel
Matched from:
Filename    : /usr/bin/animalsay
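The epel.repo shown above sets gpgcheck=0, and every baseurl in both repo files is plain http, so packages from EPEL are installed without a signature check. The following is an added example, not part of the original notes: a shell function that scans .repo text for those settings. The names audit_repo and sample_repo and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag weak authenticity settings in yum .repo files.

# Constructed sample, modelled on the CentOS-Base.repo and epel.repo above.
sample_repo() {
    cat <<'EOF'
[base]
name=CentOS-$releasever - Base - mirrors.aliyun.com
baseurl=http://mirrors.aliyun.com/centos/$releasever/os/$basearch/
        http://mirrors.aliyuncs.com/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://mirrors.aliyun.com/epel/7/$basearch
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
[epel-debuginfo]
baseurl=http://mirrors.aliyun.com/epel/7/$basearch/debug
enabled=0
gpgcheck=0
EOF
}

# audit_repo [FILE...]: reads .repo text (stdin if no file) and prints one
# "<repo id>: <finding>" line per issue. Disabled repos are skipped.
audit_repo() {
    awk '
    function report() {
        if (sec == "" || enabled == "0") return
        if (gpg == "0") print sec ": gpgcheck=0, package signatures are not verified"
        if (http)       print sec ": baseurl uses plain http"
        if (httpkey)    print sec ": gpgkey is fetched over plain http"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^\[/ {                                    # new [section]: report the previous one
        report()
        sec = substr($0, 2, index($0, "]") - 2)
        enabled = "1"; gpg = ""; http = 0; httpkey = 0; key = ""
        next
    }
    {
        val = $0; sub(/^[ \t]+/, "", val)
        if (val ~ /^[A-Za-z_]+[ \t]*=/) {      # key=value; otherwise a continuation line
            key = val; sub(/[ \t]*=.*/, "", key)
            sub(/^[^=]*=[ \t]*/, "", val)
        }
        if (key == "enabled")  enabled = val
        if (key == "gpgcheck") gpg = val
        if (key == "baseurl" && val ~ /^http:/) http = 1
        if (key == "gpgkey"  && val ~ /^http:/) httpkey = 1
    }
    END { report() }
    ' "$@"
}

sample_repo | audit_repo
```

On a real host, run it as audit_repo /etc/yum.repos.d/*.repo.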
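3. Network security optimization
(1) The firewalld firewall service
Some companies have a dedicated network security department; keep that in mind
firewalld firewall service: turn it off
Attacker (intrusion) -> outer firewall (default security policy) -> internal website architecture
User access -> firewall (default security policy) -> internal website architecture
Stop it temporarily
systemctl stop firewalld
Check whether it is stopped
systemctl status firewalld
systemctl is-active firewalld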
[root@centos7 ~]# systemctl stop firewalld
[root@centos7 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Thu 2019-12-05 11:33:55 CST; 8s ago
Docs: man:firewalld(1)
Process: 6798 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 6798 (code=exited, status=0/SUCCESS)
Dec 05 08:34:04 centos7.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 05 08:34:09 centos7.com systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 05 11:33:55 centos7.com systemd[1]: Stopping firewalld - dynamic firewall daemon...
Dec 05 11:33:55 centos7.com systemd[1]: Stopped firewalld - dynamic firewall daemon.
[root@centos7 ~]# systemctl is-active firewalld
inactive
Disable it permanently
systemctl disable firewalld
Check whether it is disabled at boot
systemctl is-enabled firewalld.service
[root@centos7 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@centos7 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
Dec 05 08:34:04 centos7.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 05 08:34:09 centos7.com systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 05 11:33:55 centos7.com systemd[1]: Stopping firewalld - dynamic firewall daemon...
Dec 05 11:33:55 centos7.com systemd[1]: Stopped firewalld - dynamic firewall daemon.
[root@centos7 ~]# systemctl sta firewalld
start status
[root@centos7 ~]# systemctl status firewalld | grep dis
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
[root@centos7 ~]# systemctl is-enabled firewalld.service
disabled
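With firewalld stopped and disabled as above, the host itself no longer filters inbound traffic, so what is reachable is decided by which sockets listen on non-loopback addresses. The following is an added example, not part of the original notes: it reads ss -tnlu output (the format shown later in these notes) and lists those sockets. The function names and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list listening sockets that other hosts can reach
# when no host firewall filters inbound traffic.

# Constructed sample in the `ss -tnlu` format of CentOS 7.
sample_ss() {
    cat <<'EOF'
Netid  State      Recv-Q Send-Q   Local Address:Port    Peer Address:Port
udp    UNCONN     0      0            127.0.0.1:323                *:*
udp    UNCONN     0      0                  ::1:323               :::*
tcp    LISTEN     0      128                  *:22                 *:*
tcp    LISTEN     0      100          127.0.0.1:25                 *:*
tcp    LISTEN     0      128                 :::22                :::*
tcp    LISTEN     0      100                ::1:25                :::*
EOF
}

# exposed_listeners: reads `ss -tnlu` output on stdin and prints
# "<proto> <address> <port>" for every socket not bound to loopback.
exposed_listeners() {
    awk '
    NR == 1 && $1 == "Netid" { next }            # header line
    $1 == "tcp" || $1 == "udp" {
        n = split($5, part, ":")                 # port is the text after the last colon
        port = part[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        gsub(/^\[|\]$/, "", addr)                # newer ss versions print [::1]:25
        if (addr ~ /^127\./ || addr == "::1") next
        print $1, addr, port
    }'
}

# exposure_summary STATE: STATE is the output of `systemctl is-active firewalld`;
# the `ss -tnlu` output is read from stdin.
exposure_summary() {
    count=$(exposed_listeners | grep -c . || true)
    if [ "$1" = "active" ]; then
        echo "firewalld active: $count non-loopback listeners, subject to zone rules"
    else
        echo "firewalld $1: $count non-loopback listeners with no firewalld filtering"
    fi
}

sample_ss | exposed_listeners
sample_ss | exposure_summary inactive
```

On a real host: ss -tnlu | exposure_summary "$(systemctl is-active firewalld)".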
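(2) The SELinux security service
root: the administrator is like an emperor with supreme power; SELinux is configured to restrict what the emperor can do
Ordinary users are like commoners; their power is already limited
So this service targets the root user and is generally turned off
It uses the computer's binary: 0 and 1 act as the off/on switch for the feature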
[root@centos7 ~]# getenforce
Enforcing
[root@centos7 ~]# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
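Explanation of the comments in the configuration file
#enforcing-SELinux security policy is enforced.
The SELinux security policy is enforced -- the policy is active
#permissive-SELinux prints warnings instead of enforcing.
SELinux prints warnings instead of enforcing -- temporarily off
#disabled-No SELinux policy is loaded.
No SELinux policy is loaded -- the policy is permanently off
Permanently disable SELinux
SELINUX=disabled
The permanent setting takes effect after a reboot
Permanently enabling it: edit the configuration file, then reboot; the reboot takes a long time while SELinux is reloaded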
[root@centos7 ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
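setenforce changes only the running mode, while SELINUX= in /etc/selinux/config decides the mode after the next reboot, so the two can disagree. The following is an added example, not part of the original notes: it compares the getenforce output with the configured value. The function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare the running SELinux mode with the boot-time setting.

# selinux_configured [FILE]: value of SELINUX= in lower case. Comment lines and
# SELINUXTYPE= do not match. FILE defaults to /etc/selinux/config.
selinux_configured() {
    awk -F= '
    /^[ \t]*SELINUX[ \t]*=/ { v = $2 }
    END { gsub(/[ \t\r]/, "", v); print tolower(v) }
    ' "${1:-/etc/selinux/config}"
}

# selinux_drift RUNTIME [FILE]: RUNTIME is the output of getenforce
# (Enforcing, Permissive or Disabled).
selinux_drift() {
    runtime=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    configured=$(selinux_configured "$2")
    if [ "$runtime" = "$configured" ]; then
        echo "consistent: $runtime now and after reboot"
    elif [ "$runtime" = "disabled" ] || [ "$configured" = "disabled" ]; then
        # setenforce only toggles enforcing/permissive, so this needs a reboot.
        echo "needs-reboot: $runtime now, $configured after reboot"
    else
        echo "differs-until-reboot: $runtime now, $configured after reboot"
    fi
}

# Constructed sample with the same layout as the file shown above.
sample_config() {
    printf '%s\n' '# SELINUX= can take one of these three values:' \
        "SELINUX=$1" 'SELINUXTYPE=targeted'
}

cfg=$(mktemp)
sample_config enforcing > "$cfg"
selinux_drift Permissive "$cfg"     # state right after `setenforce 0`
sample_config disabled > "$cfg"
selinux_drift Enforcing "$cfg"      # config edited, system not yet rebooted
rm -f "$cfg"
```

On a real host: selinux_drift "$(getenforce)".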
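4. System time optimization
System time optimization means keeping the time synchronized. This is especially important: for example, log entries carry timestamps, and in a cluster two services need synchronized clocks to communicate with each other.
(1) Automatic time synchronization with timedatectl
timedatectl command usage / options
status                   Show current time settings
set-time TIME            Set system time (adjust the time manually)
set-timezone ZONE        Set system time zone
list-timezones           Show known time zones (all time zones the system knows)
set-local-rtc BOOL       Control whether RTC is in local time (0 = off, 1 = on)
    Value types, for reference:
    10       integer
    10.01    floating point
    abc      char / string
    0 1      boolean
    RTC: whether the system time is synchronized to the motherboard clock
set-ntp BOOL             Control whether NTP is enabled
    Whether to enable the Network Time Protocol (time synchronization over the network)
Steps for automatic time synchronization with timedatectl
Show the current time settings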
[root@centos7 ~]# timedatectl status
      Local time: Thu 2019-12-05 15:50:26 CST
  Universal time: Thu 2019-12-05 07:50:26 UTC
        RTC time: Thu 2019-12-05 07:50:26
       Time zone: Asia/Shanghai (CST, +0800)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a
Change the time zone; list the system's time zones first to see how the names are written
Note that city names are case-sensitive; add -i to grep to ignore case
[root@centos7 ~]# timedatectl list-timezones | grep -i shanghai
Asia/Shanghai
[root@centos7 ~]# timedatectl list-timezones | grep -i new
America/New_York
America/North_Dakota/New_Salem
Now simulate an inaccurate system time
[root@centos7 ~]# timedatectl set-timezone America/New_York
[root@centos7 ~]# timedatectl status
      Local time: Thu 2019-12-05 02:53:29 EST
  Universal time: Thu 2019-12-05 07:53:29 UTC
        RTC time: Thu 2019-12-05 07:53:29
       Time zone: America/New_York (EST, -0500)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  Sun 2019-11-03 01:59:59 EDT
                  Sun 2019-11-03 01:00:00 EST
 Next DST change: DST begins (the clock jumps one hour forward) at
                  Sun 2020-03-08 01:59:59 EST
                  Sun 2020-03-08 03:00:00 EDT
Change back to the correct time zone
[root@centos7 ~]# timedatectl set-timezone Asia/Shanghai
[root@centos7 ~]# timedatectl status
      Local time: Thu 2019-12-05 15:54:27 CST
  Universal time: Thu 2019-12-05 07:54:27 UTC
        RTC time: Thu 2019-12-05 07:54:27
       Time zone: Asia/Shanghai (CST, +0800)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a
Enable time synchronization
timedatectl set-ntp 1
Note: the boolean can be written as 0/1 or as false/true
[root@centos7 ~]# timedatectl set-ntp
false  true
[root@centos7 ~]# timedatectl set-ntp true
[root@centos7 ~]# timedatectl status
      Local time: Thu 2019-12-05 15:55:14 CST
  Universal time: Thu 2019-12-05 07:55:14 UTC
        RTC time: Thu 2019-12-05 07:55:14
       Time zone: Asia/Shanghai (CST, +0800)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a
Install the time synchronization software
[root@centos7 ~]# yum install -y chrony
Loaded plugins: fastestmirror
Repository base is listed more than once in the configuration
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
Resolving Dependencies
--> Running transaction check
---> Package chrony.x86_64 0:3.2-2.el7 will be updated
---> Package chrony.x86_64 0:3.4-1.el7 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================================================
 Package              Arch               Version                  Repository           Size
========================================================================================================
Updating:
 chrony               x86_64             3.4-1.el7                base                251 k
Transaction Summary
========================================================================================================
Upgrade  1 Package
Total download size: 251 k
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
chrony-3.4-1.el7.x86_64.rpm                                              | 251 kB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : chrony-3.4-1.el7.x86_64                                               1/2
  Cleanup    : chrony-3.2-2.el7.x86_64                                               2/2
  Verifying  : chrony-3.4-1.el7.x86_64                                               1/2
  Verifying  : chrony-3.2-2.el7.x86_64                                               2/2
Updated:
  chrony.x86_64 0:3.4-1.el7
Complete!
Start the service and enable it at boot
[root@centos7 ~]# systemctl start chrony
Failed to start chrony.service: Unit not found.
[root@centos7 ~]# systemctl start chrony
Failed to start chrony.service: Unit not found.
[root@centos7 ~]# systemctl start chronyd
[root@centos7 ~]# ss -tnl
State      Recv-Q Send-Q   Local Address:Port    Peer Address:Port
LISTEN     0      128                  *:22                 *:*
LISTEN     0      100          127.0.0.1:25                 *:*
LISTEN     0      128                 :::22                :::*
LISTEN     0      100                ::1:25                :::*
[root@centos7 ~]# ss -tnlu
Netid  State      Recv-Q Send-Q   Local Address:Port    Peer Address:Port
udp    UNCONN     0      0            127.0.0.1:323                *:*
udp    UNCONN     0      0                  ::1:323               :::*
tcp    LISTEN     0      128                  *:22                 *:*
tcp    LISTEN     0      100          127.0.0.1:25                 *:*
tcp    LISTEN     0      128                 :::22                :::*
tcp    LISTEN     0      100                ::1:25                :::*
That produced an error; look up the correct name of the service
List the unit files and filter by service name
[root@centos7 ~]# systemctl list-unit-files --type=service | grep chrony
chrony-dnssrv@.service                        static
chrony-wait.service                           disabled
chronyd.service                               enabled
[root@centos7 ~]# systemctl daemon-reload
[root@centos7 ~]# systemctl list-unit-files --type=service | grep chrony
chrony-dnssrv@.service                        static
chrony-wait.service                           disabled
chronyd.service                               enabled
[root@centos7 ~]# systemctl enable chrony
Failed to execute operation: No such file or directory
[root@centos7 ~]# systemctl enable chronyd
(2) Setting the time manually with timedatectl
[root@centos7 ~]# date
Thu Dec  5 16:08:23 CST 2019
[root@centos7 ~]# timedatectl set-time "2019-12-5 11:27"
Failed to set time: Automatic time synchronization is enabled
[root@centos7 ~]# date
Thu Dec  5 16:08:50 CST 2019
Disable time synchronization
[root@centos7 ~]# timedatectl set-ntp 0
[root@centos7 ~]# timedatectl
list-timezones  set-local-rtc   set-ntp         set-time        set-timezone    status
[root@centos7 ~]# timedatectl status
      Local time: Thu 2019-12-05 16:10:35 CST
  Universal time: Thu 2019-12-05 08:10:35 UTC
        RTC time: Thu 2019-12-05 08:10:35
       Time zone: Asia/Shanghai (CST, +0800)
     NTP enabled: no
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a
[root@centos7 ~]# timedatectl set-time "2019-12-5 11:27"
[root@centos7 ~]# date
Thu Dec  5 11:27:03 CST 2019
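In the status output above, "NTP synchronized: yes" is still shown right after set-ntp 0, so the two NTP fields have to be read together before log timestamps are trusted. The following is an added example, not part of the original notes: it turns timedatectl status output into a list of findings. It assumes the CentOS 7 field names shown on this page; the function names and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: turn `timedatectl status` output into a list of findings.

# Constructed sample: the CentOS 7 output format shown above, in the state
# reached after `timedatectl set-ntp 0`.
sample_status() {
    cat <<'EOF'
      Local time: Thu 2019-12-05 16:10:35 CST
  Universal time: Thu 2019-12-05 08:10:35 UTC
        RTC time: Thu 2019-12-05 08:10:35
       Time zone: Asia/Shanghai (CST, +0800)
     NTP enabled: no
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a
EOF
}

# field NAME: value of the "NAME: value" line in timedatectl output on stdin.
field() {
    awk -v name="$1" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    index(line, name ": ") == 1 { print substr(line, length(name) + 3); exit }'
}

# time_findings: reads timedatectl status output on stdin and prints one finding
# per line; prints nothing when NTP is on, the clock is synced and the RTC is UTC.
time_findings() {
    status=$(cat)
    enabled=$(printf '%s\n' "$status" | field "NTP enabled")
    synced=$(printf '%s\n' "$status" | field "NTP synchronized")
    rtc_local=$(printf '%s\n' "$status" | field "RTC in local TZ")
    [ "$enabled" = "yes" ] || echo "ntp-disabled: manual set-time is possible, clock can drift"
    [ "$synced" = "yes" ] || echo "not-synchronized: no successful synchronization reported"
    if [ "$enabled" != "yes" ] && [ "$synced" = "yes" ]; then
        echo "stale-sync-flag: synchronized=yes while NTP is disabled"
    fi
    [ "$rtc_local" = "no" ] || echo "rtc-local-time: hardware clock is not kept in UTC"
    return 0
}

sample_status | time_findings
```

On a real host: timedatectl status | time_findings.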
Method 2: automatic time synchronization with ntpdate
ntpdate queries a time server
ntpdate ntp1.aliyun.com
1500=12:10——1900
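The time on Windows is correct because it is synchronized over the network
The motherboard has a clock chip, which is what lets Windows keep the correct time
Note: the video explains time synchronization method 1 very well; watch it several times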