Ubuntu虚拟机镜像最佳实践
分区
/boot >1G
/root >10G
/var >5G
配swap空间,内存的2倍
vi /etc/security/limits.conf
* soft nofile 40960
* hard nofile 40960
root soft nofile 40960
root hard nofile 40960
vi /etc/sysctl.conf
#增加本地端口数量
net.ipv4.ip_local_port_range=1024 65000
#增加网络连接跟踪表size
net.netfilter.nf_conntrack_max = 655350
#增加socket最大连接数
net.core.somaxconn = 655350
配置:
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_syn_backlog = 262144
系统参数优化
kernel.shmall = 2097152
kernel.shmmax = 2147483648
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
fs.file-max = 655360
安全加固
a) /etc/ssh/sshd_config
Protocol 2
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
b) sudo
日志
c) syslog操作日志
/etc/profile 增加
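# Appended to /etc/profile: records every interactive bash command, tagged with
# the originating login/IP, into a per-day, per-user file under $HISTDIR so the
# rsyslog imfile input can forward it.  Kept POSIX-sh compatible because Ubuntu's
# /etc/profile is also read by dash; the bash-only pieces live inside the
# PROMPT_COMMAND string, which only bash ever evaluates.
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
# Login name of the original session owner; survives su/sudo, unlike $LOGNAME.
ORIGIN_USER=$(who -u am i 2>/dev/null | awk '{print $1}' | sed -e 's/[()]//g')
HISTDIR=/var/log/.bash_history
# Local (console) logins have no remote host in the who output; fall back to
# the hostname so the field is never empty.
if [ -z "$USER_IP" ]; then
  USER_IP=$(hostname)
fi
# Sticky bit (1777): any user may create files here, but only a file's owner
# (or root) may delete or rename it, so users cannot remove each other's
# history files.
if [ ! -d "$HISTDIR" ]; then
  mkdir -p "$HISTDIR" && chmod 1777 "$HISTDIR"
fi
export HISTSIZE=9999
DT=$(date +%Y%m%d)
# One file per day per login name.  With a single shared file, the 0644 mode
# applied below would block every user except the file's creator from
# appending, silently losing their history.  The rsyslog glob *history* still
# matches this name.
export HISTFILE="$HISTDIR/history.$DT.${LOGNAME:-$(id -un)}"
export HISTTIMEFORMAT="|normal|%F %T|$USER_IP|$ORIGIN_USER:$LOGNAME|$$|"
# Make this user's own history files world-readable (e.g. for rsyslog running
# unprivileged).  chmod on files owned by other users fails and is silenced on
# purpose.  Note: the original line spelled the variable as %HISTDIR and the
# glob as histroy*, so it never matched anything.
chmod 644 "$HISTDIR"/history* 2>/dev/null
export PROMPT_COMMAND='builtin history 1 >> "$HISTFILE"'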
编辑 /etc/rsyslog.d/bash_log.conf
module(load="imfile" PollingInterval="1")
input(type="imfile" File="/var/log/.bash_history/*history*"
Tag="bash-log"
Facility="local7"
Severity="debug"
deleteStateOnFileDelete="on"
)
编辑/etc/rsyslog.d/logserver.conf
*.* @192.168.0.15
d) iptables
默认拒绝
打开22,3306,8080,8443,9042,7000
被管理
zabbix:
salt:
工具:iostat,vmstat,perf,top,iftop
时钟同步
应用镜像
非root帐号安装和部署
tomcat 配置优化
mysql 配置优化