Linux之系统优化配置
Linux系统优化配置
-
更新国内镜像源
国内速度快的常用更新源如下:
[root@greymouster ~]# cd /etc/yum.repos.d/ [root@greymouster yum.repos.d]# ll total 16 -rw-r--r--. 1 root root 1926 Nov 27 2013 CentOS-Base.repo -rw-r--r--. 1 root root 638 Nov 27 2013 CentOS-Debuginfo.repo -rw-r--r--. 1 root root 630 Nov 27 2013 CentOS-Media.repo -rw-r--r--. 1 root root 3664 Nov 27 2013 CentOS-Vault.repo [root@greymouster yum.repos.d]# cp CentOS-Base.repo CentOS-Base.repo.ori [root@greymouster yum.repos.d]# wget http://mirrors.163.com/.help/CentOS6-Base-163.repo [root@greymouster yum.repos.d]# cp CentOS6-Base-163.repo CentOS-Base.repo
-
安装必要的软件包
yum install tree telnet dos2unix sysstat lrzsz -y
yum grouplist 查看系统安装了哪些安装包
-
关闭selinux
# 该命令永久将selinux关闭,但是必须要重启系统 sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config # 临时修改命令(不用重启系统) setenforce 0 # 查看selinux当前状态 getenforce
-
设定开机运行级别为3
[root@greymouster ~]# grep 3:initdefault /etc/inittab id:3:initdefault: [root@greymouster ~]# init 3
-
精简开机系统启动的服务
# 先关闭所有开机自启动服务 for i in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 3 $i off;done # 然后再开启指定开机自启动服务 for i in crond network rsyslog sshd;do chkconfig --level 3 $i on;done
-
更改ssh服务远程登陆的配置
[root@greymouster ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.ori [root@greymouster ~]# vi /etc/ssh/sshd_config #Port 22 #ssh连接默认端口22 #PermitRootLogin no # root用户是否禁止远程登录 #PermitEmptyPasswords no #禁止空密码登录 #UseDNS no #不使用DNS #GSSAPIAuthentication no #让ssh连接更快 [root@greymouster ~]# /etc/init.d/sshd restart [root@greymouster ~]# /etc/init.d/iptables stop //临时关闭防火墙
-
将普通账号加入sudo管理
[root@greymouster ~]# visudo 98gg //定位到98行 root ALL=(ALL) ALL greymouster ALL=(ALL) /usr/sbin/useradd 或者这样修改:拥有全部的权限但不需要密码 greymouster ALL=(ALL) NOPASSWD:ALL %用户组 机器=(授权那个角色的权利) /usr/sbin/useradd [root@greymouster ~]# su - greymouster [greymouster@greymouster ~]$ useradd kkk -bash: /usr/sbin/useradd: Permission denied [greymouster@greymouster ~]$ sudo useradd kkk [sudo] password for greymouster: [greymouster@greymouster ~]$ tail -1 /etc/passwd kkk:x:502:502::/home/kkk:/bin/bash [greymouster@greymouster ~]$ netstat -lntup|grep ssh (No info could be read for "-p": geteuid()=501 but you should be root.) [greymouster@greymouster ~]$ sudo netstat -lntup|grep ssh tcp 0 0 0.0.0.0:60222 0.0.0.0:* LISTEN 28683/sshd tcp 0 0 :::60222 :::* LISTEN 28683/sshd [greymouster@greymouster ~]$
-
服务器时间同步
# 系统方法 [root@PLF ~]# /usr/sbin/ntpdate time.nist.gov 27 May 20:08:05 ntpdate[25792]: step time server 132.163.97.2 offset 95.328349 sec [root@PLF ~]# echo "# time sync" >>/var/spool/cron/root [root@PLF ~]# echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root [root@PLF ~]# crontab -l # time sync */5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1 [root@PLF ~]#
-
加大服务器的文件描述符
echo '* soft nofile 65535' >>/etc/security/limits.conf echo '* hard nofile 65535' >>/etc/security/limits.conf
-
调整内核参数文件/et/sysctl.conf
net.ipv4.tcp_fin_timeout = 2 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_keepalive_time = 600 net.ipv4.ip_local_port_range = 4000 65000 net.ipv4.tcp_max_syn_backlog = 16384 net.ipv4.tcp_max_tw_buckets = 36000 net.ipv4.route.gc_timeout = 100 net.ipv4.tcp_syn_retries = 1 net.ipv4.tcp_synack_retries = 1 net.core.somaxconn = 16384 net.core.netdev_max_backlog = 16384 net.ipv4.tcp_max_orphans = 16384 # 防火墙的优化则添加以下,在6.4上是,如下: net.nf_conntrack_max = 25000000 net.netfilter.nf_conntrack_max = 25000000 net.netfilter.nf_conntrack_tcp_timeout_established = 180 net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120 net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60 net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120 [root@greymouster ~]# sysctl -p //生效
-
锁定关键文件系统
[root@greymouster ~]# chattr +i /etc/passwd [root@greymouster ~]# chattr +i /etc/inittab [root@greymouster ~]# chattr +i /etc/group [root@greymouster ~]# chattr +i /etc/shadow [root@greymouster ~]# chattr +i /etc/gshadow # 使用chattr命令后,为了安全我们需要将其改名 [root@greymouster ~]# /bin/mv /usr/bin/chattr /usr/bin/任意名称 # 查看枷锁: lsattr /etc/passwd
-
去除系统及内核版本登陆前的屏幕显示
[root@greymouster ~]# /etc/redhat-release [root@greymouster ~]# cat /dev/null >/etc/issue