系统优化脚本----基本优化
#!/bin/bash
#this script is only for CentOS 7.x
#check the OS
#######检查网络
ifconfig
ping -c 3 -i 0.5 baidu.com
#添加公网DNS地址
cat >> /etc/resolv.conf << EOF
nameserver 8.8.8.8
nameserver 114.114.114.114
EOF
#Yum源更换为国内阿里源
yum install telnet
#add the epel
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
# rpm -ivh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-8.noarch.rpm
#yum重新建立缓存
yum clean all
yum makecache
#同步时间
yum -y install ntp
/usr/sbin/ntpdate cn.pool.ntp.org
echo "* 4 * * * /usr/sbin/ntpdate cn.pool.ntp.org > /dev/null 2>&1" >> /var/spool/cron/root
systemctl restart crond.service
#安装vim
yum -y install vim
#设置最大打开文件描述符数
echo "ulimit -SHn 102400" >> /etc/rc.local
cat >> /etc/security/limits.conf << EOF
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
EOF
##########ulimit参数修改#########
ulimit -n 65535
ulimit -f 50000
ulimit -l 65525
#禁用selinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
#关闭防火墙
systemctl disable firewalld.service
systemctl stop firewalld.service
#set ssh
sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
systemctl restart sshd.service
#内核参数优化
cat >> /etc/sysctl.conf << EOF
EOF
/sbin/sysctl -p
#update soft
#########文件系统挂载优化
sed -i 's#defauts#defauts,noatime,nodirtime,async#' /etc/fstab
##########历史记录保存条数 ###############
sed -i 's/^HISTSIZE=1000/HISTSIZE=5/' /etc/profile
yum -y updat
##################grub优化###################################
2、编辑grub文件:
[root@localhost network-scripts]# cp -a /etc/sysconfig/grub /etc/sysconfig/grub.bak #备份文件
[root@localhost network-scripts]# vim /etc/sysconfig/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto net.ifnames=0 biosdevname=0 rhgb quiet" #这行添加net.ifnames=0 biosdevname=0
GRUB_DISABLE_RECOVERY="true"
3、生成启动菜单:
[root@localhost network-scripts]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-514.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-514.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-7d9a96ac2162427d937e06ede5350e9e
Found initrd image: /boot/initramfs-0-rescue-7d9a96ac2162427d937e06ede5350e9e.img
done
4、然后重启服务器:reboot,重启服务器后查看网卡信息 修改ssh默认端口并禁止root用户远程登陆
linux系统下都有一个默认的超级管理员root,ssh服务的默认端口是22,圈内都知道,那么接下来我们可以修改一下我们的默认端口和禁止root用户远程登录,初步提高一下服务器的安全
1、首先修改ssh的默认端口 # sed -i "s#\#Port 22#Port 23451#g" /etc/ssh/sshd_config #端口可以改成任意端口,建议改成较大的端口,因为一万以内的端口常用的服务有占用,防止冲突(需要注意的是:这个端口要记住,否则连接不上服务器) 2、禁止root用户远程登陆 a):添加一个普通用户并设置密码(注:这一步必须执行,否则将造成远程连接不上服务器) # useradd xxx #添加xxx用户 # echo "pass" | passwd --stdin xxx #给xxx用户设置密码为pass b):修改ssh服务配置文件并撑起服务 # sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config # systemctl restart sshd
内核参数优化(实际生产)
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.core.netdev_max_backlog = 30000
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
fs.inotify.max_user_instances=655350
fs.inotify.max_user_watches=655350
