Linux system optimization approach

\cp /etc/bashrc{,.bak} 
cat >>/etc/bashrc<<DUDU
alias grep='grep --color=auto'
alias egrep='egrep --color=auto'
DUDU
. /etc/bashrc
yum install lrzsz tree telnet -y
\cp /etc/selinux/config{,.bak}
sed 's/=enforcing/=disabled/' /etc/selinux/config -i
setenforce 0
getenforce
/etc/init.d/iptables stop
/etc/init.d/iptables status
chkconfig iptables off
chkconfig |grep "3:on"|egrep -v "sshd|sysstat|network|rsyslog|crond|netfs"|awk '{print "chkconfig",$1,"off"}'|bash
chkconfig --list|grep "3:on"
# a crontab has no shebang line: cron runs every entry with /bin/sh, so use the portable redirection
echo "##Time synchronization timing tasks" >>/var/spool/cron/root
echo "*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1" >>/var/spool/cron/root
\cp /etc/profile{,.bak}
echo 'export TMOUT=300' >>/etc/profile
echo 'export HISTSIZE=5' >>/etc/profile
echo 'export HISTFILESIZE=5' >>/etc/profile
. /etc/profile
\cp /etc/security/limits.conf{,.bak}
echo '*               -       nofile          65535' >>/etc/security/limits.conf
\cp /etc/sysctl.conf{,.bak}
cat >>/etc/sysctl.conf<<DUDU

##########################################################
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle drops SYNs from clients behind NAT (shared source IP, different
# timestamp clocks); it was removed in Linux 4.12, where the key no longer exists
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000    65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
## The following tune the iptables connection-tracking (nf_conntrack) table.
## These keys exist only while the nf_conntrack module is loaded, so with
## iptables stopped "sysctl -p" reports them as "No such file or directory".
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
DUDU
sysctl -p   # apply now; without this the settings only take effect after a reboot
\cp /etc/ssh/sshd_config{,.bak}
# -i was missing, so the original sed calls only printed the result and left the file untouched
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
sshd -t && /etc/init.d/sshd restart   # validate the config before restarting, or a typo locks you out
System optimization script
Linux system optimization (CentOS 6)

△ grep tuning (colour the matches):
\cp /etc/bashrc{,.bak}
cat >>/etc/bashrc<<DUDU
alias grep='grep --color=auto'
alias egrep='egrep --color=auto'
DUDU
. /etc/bashrc
△ Basic software:
rpm -qa |grep "lrzsz|telnet|tree" -E
yum install lrzsz tree telnet -y
rpm -qa |grep "lrzsz|telnet|tree" -E

1. Disable SELinux: /etc/selinux/config (setenforce takes effect immediately, the config change applies from the next boot; getenforce shows the current mode)
\cp /etc/selinux/config{,.bak}
sed 's/=enforcing/=disabled/' /etc/selinux/config -i
setenforce 0
getenforce

2. Stop iptables: /etc/sysconfig/iptables (/etc/init.d/iptables stop, chkconfig); on a host with a public IP this removes the packet filter, see item 5 of the summary at the end
/etc/init.d/iptables stop
/etc/init.d/iptables status
chkconfig iptables off
chkconfig --list iptables

3. Trim the services started at boot (run level 3), keeping only sshd, sysstat, network, rsyslog, crond and netfs; run the pipeline once without the trailing |bash to review what will be turned off
chkconfig |grep "3:on"|egrep -v "sshd|sysstat|network|rsyslog|crond|netfs"|awk '{print "chkconfig",$1,"off"}'|bash
chkconfig --list|grep "3:on"

4. Create the Caiyun user and grant it sudo (NOPASSWD:ALL gives the account unrestricted root with no password prompt; replace 123456 with a real password)
useradd Caiyun
echo '123456'|passwd --stdin Caiyun
\cp /etc/sudoers{,.bak}
echo "Caiyun  ALL=(ALL)       NOPASSWD:ALL" >>/etc/sudoers
tail -1 /etc/sudoers
visudo -c

5. Chinese character set
\cp /etc/sysconfig/i18n{,.bak}
echo 'LANG="zh_CN.UTF-8"' >/etc/sysconfig/i18n
source /etc/sysconfig/i18n
echo $LANG

6. Time synchronization (a crontab has no shebang line: cron runs each entry with /bin/sh, hence the portable redirection)
echo "##Time synchronization timing tasks" >>/var/spool/cron/root
echo "*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1" >>/var/spool/cron/root
crontab -l

7. Command-line security (log idle shells out after 300 s; note that HISTSIZE=5 also discards the shell-history audit trail on this host, which makes incident reconstruction harder)
\cp /etc/profile{,.bak}
echo 'export TMOUT=300' >>/etc/profile
echo 'export HISTSIZE=5' >>/etc/profile
echo 'export HISTFILESIZE=5' >>/etc/profile
. /etc/profile
tail -3 /etc/profile

8. Raise the open-file limit (nofile) for all users; applies to new login sessions
\cp /etc/security/limits.conf{,.bak}
echo '*               -       nofile          65535' >>/etc/security/limits.conf
tail -1 /etc/security/limits.conf

9. Kernel tuning (/etc/sysctl.conf)
\cp /etc/sysctl.conf{,.bak}
cat >>/etc/sysctl.conf<<DUDU

##########################################################
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle drops SYNs from clients behind NAT (shared source IP, different
# timestamp clocks); it was removed in Linux 4.12, where the key no longer exists
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000    65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
## The following tune the iptables connection-tracking (nf_conntrack) table.
## These keys exist only while the nf_conntrack module is loaded, so with
## iptables stopped "sysctl -p" reports them as "No such file or directory".
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
DUDU
tail -27 /etc/sysctl.conf
sysctl -p   # apply now; without this the settings only take effect after a reboot
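The two traps in that fragment (tcp_tw_recycle, and the nf_conntrack keys that vanish when the module is not loaded) are easy to hit, so here is an added example, written for this page rather than taken from the original post, that vets a sysctl fragment against the running kernel before it is loaded: it lists the keys the kernel does not expose and writes a filtered copy containing only the supported ones. The variable name SYSCTL_FRAGMENT and the file name sysctl-check.sh are assumptions of the example.

```shell
#!/bin/sh
# Added example (mine, not from the original post): vet a sysctl fragment such
# as the one above against the running kernel before it is loaded. Two of the
# keys in that fragment are known traps:
#   * net.ipv4.tcp_tw_recycle drops SYNs from clients behind NAT and was
#     removed in Linux 4.12, so newer kernels do not expose it at all;
#   * net.netfilter.nf_conntrack_* exist only while nf_conntrack is loaded,
#     so on a box that has just run "iptables stop" they are absent.
# The helpers below report such keys and write a filtered copy that contains
# only what this kernel supports. SYSCTL_FRAGMENT is an assumed variable name.

# net.ipv4.tcp_fin_timeout -> /proc/sys/net/ipv4/tcp_fin_timeout
sysctl_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# stdin: sysctl.conf lines; stdout: just the keys (comments and blanks dropped)
keys_of() {
    sed -e 's/#.*//' -e 's/[[:space:]]*=.*//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# sysctl_keys FILE: every key set in FILE, one per line
sysctl_keys() {
    keys_of < "$1"
}

# missing_sysctl_keys FILE: the keys in FILE that this kernel does not expose
missing_sysctl_keys() {
    for key in $(sysctl_keys "$1"); do
        [ -e "$(sysctl_path "$key")" ] || printf '%s\n' "$key"
    done
}

# filter_sysctl IN OUT: copy IN to OUT keeping comments, blank lines and
# supported keys; unsupported keys are reported on stderr rather than lost.
filter_sysctl() {
    : > "$2"
    while IFS= read -r line || [ -n "$line" ]; do
        key=$(printf '%s\n' "$line" | keys_of)
        if [ -z "$key" ] || [ -e "$(sysctl_path "$key")" ]; then
            printf '%s\n' "$line" >> "$2"
        else
            printf 'skipping %s: not available on this kernel\n' "$key" >&2
        fi
    done < "$1"
}

# Usage (as root): SYSCTL_FRAGMENT=/etc/sysctl.conf sh sysctl-check.sh
if [ -n "${SYSCTL_FRAGMENT:-}" ]; then
    filtered=$(mktemp) || exit 1
    filter_sysctl "$SYSCTL_FRAGMENT" "$filtered"
    sysctl -p "$filtered"        # load only the keys that exist here
    rm -f "$filtered"
fi
```

`sysctl -e -p` would also ignore unknown keys, but silently; the point of the filter is that every dropped key is named on stderr, so an operator sees that the conntrack limits did not take effect instead of assuming they did.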

10. Simple SSH tuning: turn off GSSAPI authentication and reverse DNS lookups, both of which delay logins when Kerberos or DNS is unreachable
1) Insert the two directives near the top of the file. sshd uses the first occurrence of a directive, which is why this works even though the stock "GSSAPIAuthentication yes" line stays further down; rerunning it inserts a second copy, and line 13 is an arbitrary spot:
\cp /etc/ssh/sshd_config{,.bak}
sed '13i GSSAPIAuthentication no\nUseDNS no' /etc/ssh/sshd_config -i
grep -nE "GSSAPIAuthentication|UseDNS" /etc/ssh/sshd_config
sshd -t && /etc/init.d/sshd restart
/etc/init.d/sshd status

2) Or rewrite the existing lines in place (note the -i: without it sed only prints the result and leaves the file untouched):
\cp /etc/ssh/sshd_config{,.bak}
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
egrep -n "GSSAPIAuthentication|UseDNS" /etc/ssh/sshd_config
sshd -t && /etc/init.d/sshd restart
/etc/init.d/sshd status
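Both variants above are fragile: the line-13 insert duplicates itself on every run, and the substitution does nothing when the stock line reads differently. Here is an added example, written for this page and not taken from the original post, that sets an sshd_config directive idempotently by rewriting the first active or commented-out occurrence and appending only when neither exists (sshd honours the first occurrence). It also covers the "forbid root login" item from the summary list below. Assumptions of the example: the keyword spelling matches the file exactly (sshd itself is case-insensitive), the file has no Match block (a directive appended below one would be scoped to it), and SSHD_CONFIG / sshd-set.sh are names chosen here.

```shell
#!/bin/sh
# Added example (mine, not from the original post): set sshd_config
# directives idempotently. sshd honours the FIRST occurrence of a directive,
# so the helper rewrites the first active or commented-out line and appends
# only when neither exists. Assumptions: keyword spelling must match the
# file exactly (sshd itself is case-insensitive), and the file has no
# "Match" block (appending below one would scope the directive to it).
# SSHD_CONFIG is an assumed variable name for the live file.

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        # active directive: rewrite the first one, drop later duplicates
        $1 == key {
            if (!done) { print key " " value; done = 1 }
            next
        }
        # commented-out default ("#UseDNS yes" or "# UseDNS yes"): activate it
        $1 == ("#" key) || ($1 == "#" && $2 == key) {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file mode and owner
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# get_sshd_option FILE KEY: the value sshd would use (first occurrence)
get_sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Usage (as root): SSHD_CONFIG=/etc/ssh/sshd_config sh sshd-set.sh
if [ -n "${SSHD_CONFIG:-}" ]; then
    cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
    set_sshd_option "$SSHD_CONFIG" GSSAPIAuthentication no
    set_sshd_option "$SSHD_CONFIG" UseDNS no
    set_sshd_option "$SSHD_CONFIG" PermitRootLogin no
    # validate the result before restarting, or a typo locks you out
    sshd -t -f "$SSHD_CONFIG" && /etc/init.d/sshd restart
fi
```

Running the script twice leaves exactly one copy of each directive, and `sshd -t` guarantees that a malformed file never reaches a restart while your only session is the one you are about to cut.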
    
Basic Linux system optimization and security hardening
    1) Do not log in as root to administer the system; log in as an ordinary user and manage it through sudo authorization
    2) Change the default SSH port, forbid remote root login, and if possible make sshd listen only on the internal IP
    3) Periodically synchronize the server clock with Internet time (an NTP server)
    4) Configure the yum repositories to download packages from a domestic (China-based) mirror
    5) Disable SELinux and iptables (in production, if the host has a public IP, iptables should generally stay on; very high-concurrency, high-traffic servers may be unable to enable it)
    6) Raise the file-descriptor limit; every open process and file consumes a descriptor
    7) Periodically clean junk files out of the mail temporary directory so that small files cannot exhaust the disk's inodes (the directory differs between CentOS 5 and CentOS 6)
    8) Trim the services started at boot down to the necessary ones (e.g. crond, sshd, network, rsyslog, sysstat)
    9) Tune the kernel parameters in /etc/sysctl.conf and run sysctl -p to apply them
    10) Change the system character set to "zh_CN.UTF-8" so that Chinese is supported and does not appear garbled
    11) Lock key system files such as /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow and /etc/inittab (chattr +i), then rename the chattr and lsattr commands and move them elsewhere (this only slows down an attacker, who can bring their own copy of the tool)
    12) Empty /etc/issue and /etc/issue.net so that the system and kernel version are not shown before login
    13) Remove unnecessary system pseudo-user accounts
    14) Set a password on the GRUB boot menu
    15) Stop the host from responding to ping
    16) Apply patches and upgrade software with known vulnerabilities
    

posted @ 2019-03-11 16:18  糕事情