linux系统调优指南(centos7.X)
欢迎关注我最新博客地址:https://owelinux.github.io/
关闭不必要的服务(如打印服务等)
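# Turn every SysV service that starts in runlevel 3 off, then re-enable the
# short list this guide keeps. On CentOS 7 `chkconfig --list` only covers
# legacy init scripts; systemd-native units must be handled with `systemctl`.
# The original parsed the list with backticks and unquoted expansions.
keep_services=(crond network sshd rsyslog sysstat iptables)
while read -r svc _; do
  chkconfig "$svc" off
done < <(chkconfig --list 2>/dev/null | grep '3:on')
for svc in "${keep_services[@]}"; do
  chkconfig "$svc" on
done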
关闭不需要的tty
# Limit root console logins to tty1-tty3 (pam_securetty consults this file).
# `\cp` bypasses the usual `cp -i` alias so the backup is written silently.
\cp /etc/securetty /etc/securetty.bak
printf '%s\n' tty1 tty2 tty3 >/etc/securetty
调整linux 文件描述符大小
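# Raise the open-file limit for this shell now and persist it through
# limits.conf (applied by pam_limits at the next login). The original used
# `echo -ne`, which is non-portable, and appended a fresh copy on every run.
\cp /etc/security/limits.conf "/etc/security/limits.conf.$(date +%F)"
ulimit -HSn 65535
if ! grep -q '^\* hard nofile 65535' /etc/security/limits.conf; then
  printf '%s\n' '* soft nofile 65535' '* hard nofile 65535' >>/etc/security/limits.conf
fi
# Unlimited core dumps for every login shell. Core files can hold secrets
# (keys, passwords in process memory), so keep this only on hosts that need
# crash debugging and make sure kernel.core_pattern points at a root-only path.
grep -q '^ulimit -c unlimited' /etc/profile || echo "ulimit -c unlimited" >>/etc/profile
source /etc/profile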
修改shell命令的history 记录个数和连接超时时间
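# History and idle-timeout settings for every login shell.
# The original exported HISTCONTROL twice; the second export overrode the
# first, so only erasedups ever took effect. Both values are combined here.
# Note: ignorespace lets a user keep a command out of history by prefixing a
# space, which weakens history as an audit trail — drop it if that matters.
if ! grep -q '^export TMOUT=300' /etc/profile; then
  cat >>/etc/profile <<'EOF'
export HISTCONTROL=ignorespace:erasedups
HISTSIZE=500
# auto-logout idle shells after 300 s (users can still unset TMOUT unless it
# is also made readonly)
export TMOUT=300
EOF
fi
grep -q 'set autologout=300' /etc/csh.cshrc || echo "set autologout=300" >>/etc/csh.cshrc
source /etc/profile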
清空系统版本信息加入登录警告
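# Replace the version-leaking default banners with a login warning.
# The original only appended to /etc/issue.net without truncating it, so the
# default "\S Kernel \r on an \m" line (kernel/arch disclosure to pre-auth SSH
# clients) stayed in place; all three files are rewritten here.
# Caution: /etc/redhat-release is read by scripts and installers that detect
# the OS release; truncating it hides the version from local logins only and
# can break such tools.
banner='Authorized uses only. All activity may be monitored and reported.'
>/etc/redhat-release
for f in /etc/motd /etc/issue /etc/issue.net; do
  printf '%s\n' "$banner" >"$f"
done
chown root:root /etc/motd /etc/issue /etc/issue.net
chmod 644 /etc/motd /etc/issue /etc/issue.net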
优化内核TCP参数
# NOTE(review): the here-document body (the sysctl keys to append) was lost
# when this page was extracted; take it from the original post. Load the
# result with `sysctl -p` afterwards, or it only applies after a reboot.
cat >>/etc/sysctl.conf<
登录机器发邮件告警
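# Mail an alert whenever root gets an interactive bash (the hook lives in
# root's .bashrc, so it fires for `su -` as well as SSH logins).
# The original line had a stray `#` in front of `-f1`, which commented out
# the rest of the line and left an unbalanced backtick. The quoted heredoc
# removes the need for backtick escaping. The recipient is a placeholder.
# The source host in the subject is taken from who(1)'s utmp host field of
# the current session (`who -m`), so several open sessions no longer produce a
# multi-line subject.
yum -y install mailx
cat >>/root/.bashrc <<'EOF'
printf 'ALERT - Root Shell Access (Server Name) on: %s %s %s\n' "$(date)" "$(who)" "$(hostname)" \
  | mail -s "Alert:Root Access from $(who -m | cut -d '(' -f2 | cut -d ')' -f1)" alerts@example.com
EOF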
定时校正服务器时间
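# Hourly clock sync plus one immediate sync. Differences from the original:
# the job is installed through crontab(1) instead of appending to
# /var/spool/cron/root (keeps the spool file's ownership/permissions and
# validates the entry), it is added only once, and hwclock only writes the
# RTC when ntpdate actually succeeded (`&&`, not `;`), so a failed sync no
# longer persists a wrong time.
# ntpdate is an unauthenticated one-shot; chronyd with several sources is the
# CentOS 7 default and the better long-term choice.
ntp_job='0 * * * * /usr/sbin/ntpdate -u 0.cn.pool.ntp.org && /sbin/hwclock -w > /dev/null 2>&1'
if ! crontab -l 2>/dev/null | grep -qF -- 'ntpdate -u 0.cn.pool.ntp.org'; then
  { crontab -l 2>/dev/null; printf '%s\n' "$ntp_job"; } | crontab -
fi
/usr/sbin/ntpdate -u 0.cn.pool.ntp.org && /sbin/hwclock -w
systemctl restart crond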
停止ipv6
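# Disable IPv6 now and across reboots. The original wrote /proc only, which
# does not survive a reboot; once IPv6 came back, the ip6tables service this
# guide enables later had no rules, leaving the host open on v6.
# (file name below is a constructed example; any name under sysctl.d works)
cat >/etc/sysctl.d/90-disable-ipv6.conf <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
EOF
sysctl -p /etc/sysctl.d/90-disable-ipv6.conf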
修改yum源
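#######################################
# Switch the base repo to the Aliyun mirror.
# The repo file is fetched over HTTPS (the original used plain HTTP, so the
# repo definition — including its gpgcheck/gpgkey settings — could be altered
# in transit) into a temp file, and the live file is replaced only after the
# download succeeded; a failed `wget -O` no longer leaves an empty repo file.
# Returns: 0 on success, 1 if the download or the file swap failed.
#######################################
switch_yum_mirror() {
  local repo=/etc/yum.repos.d/CentOS-Base.repo
  local tmp_repo
  tmp_repo=$(mktemp) || return 1
  if ! wget -q -O "$tmp_repo" https://mirrors.aliyun.com/repo/Centos-7.repo; then
    rm -f -- "$tmp_repo"
    printf 'download of %s failed; repo left unchanged\n' "$repo" >&2
    return 1
  fi
  # keep a dated backup instead of overwriting an earlier ".backup"
  [[ -e "$repo" ]] && mv -- "$repo" "${repo}.backup.$(date +%F)"
  mv -- "$tmp_repo" "$repo" || return 1
  chmod 644 "$repo"
  # confirm gpgcheck=1 survived in the downloaded file before trusting it
  grep -q '^gpgcheck=1' "$repo" || printf 'warning: gpgcheck not enabled in %s\n' "$repo" >&2
  yum -y reinstall epel-release
  yum clean all
  yum makecache
}
switch_yum_mirror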
关闭Selinux
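# Stop enforcing now (setenforce 0 yields permissive until reboot) and persist
# "disabled". The sed now matches whatever mode is currently set; the original
# only rewrote "enforcing" and silently did nothing on a permissive host.
# Disabling SELinux removes mandatory access control entirely; "permissive"
# keeps the AVC audit trail without enforcing and is the safer option when the
# only goal is to avoid policy breakage.
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config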
安装必要的服务,更新系统软件
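# Build tools are needed for the OpenSSH build below; a compiler on a
# production host is extra attack surface, so remove the group afterwards if
# it is not otherwise required.
yum -y groupinstall "Development tools"
# lsof was listed twice in the original. nmap is an active scanner — keep it
# only where its presence on the host is acceptable.
pkgs=(ntpdate sysstat lrzsz wget nmap tree curl epel-release lsof nano
      bash-completion net-tools vim-enhanced)
yum -y install "${pkgs[@]}"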
ssh优化,加快连接速度
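# Goals for the sshd_config written after this build (the config body itself
# is not on this page):
#  1. idle-logout interval
#  2. ignore .rhosts files
#  3. no host-based authentication
#  4. no root login over SSH
#  5. warning banner
#  6. iptables opens the SSH port 22123
#  7. non-default port and bound listen address
#  8. no empty passwords
#  9. logging
#######################################
# Replace the distro OpenSSH with a build of the tarball this guide pins
# (7.6p1 — check whether a current release is available before building).
# Fixes vs. the original: the bogus package names "C"/"cc" are dropped,
# every critical step aborts on failure, the tarball's detached signature is
# verified before anything is built, and the host-key chmod runs *after*
# make install (the original ran it while /etc/ssh had just been moved away,
# so it touched nothing).
# Prerequisite: the OpenSSH release signing key must already be in root's
# gpg keyring, otherwise `gpg --verify` fails and the function stops.
# Run from a console or with a spare session open: the packaged openssh is
# removed before the new build is installed, and a failed install leaves no
# sshd. make install generates new host keys; copy ssh_host_*_key* back from
# the backup directory if clients must not see a host-key-changed warning.
# Returns: 0 on success, 1 at the first failing step.
#######################################
install_openssh_from_source() {
  local ver=openssh-7.6p1
  local tarball="${ver}.tar.gz"
  local base_url=https://openbsd.hk/pub/OpenBSD/OpenSSH/portable
  local stamp
  local -a old_pkgs
  stamp=$(date +%F)
  mv /etc/ssh/ "/etc/sshbak.${stamp}" || return 1
  mkdir -p /application/tools && cd /application/tools || return 1
  yum -y install wget gcc zlib-devel openssl-devel pam pam-devel || return 1
  wget -O "$tarball" "${base_url}/${tarball}" || return 1
  wget -O "${tarball}.asc" "${base_url}/${tarball}.asc" || return 1
  gpg --verify "${tarball}.asc" "$tarball" || return 1
  tar -zxf "$tarball" && cd "$ver" || return 1
  ./configure --prefix=/usr --sysconfdir=/etc/ssh \
    --without-zlib-version-check --with-pam || return 1
  make -j"$(nproc)" || return 1
  # The rpm's files overlap those of `make install`, so the package must be
  # removed before installing, never after (rpm -e would delete the new files).
  mapfile -t old_pkgs < <(rpm -qa 'openssh*')
  (( ${#old_pkgs[@]} > 0 )) && rpm -e --nodeps "${old_pkgs[@]}"
  make install || return 1
  chmod 600 /etc/ssh/*_key
  ssh -V
  cp contrib/redhat/sshd.init /etc/init.d/sshd
  chkconfig --add sshd
  mv /etc/ssh/sshd_config "/etc/ssh/sshd_config_${stamp}"
}
install_openssh_from_source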
# NOTE(review): this line is garbled — the start of a
# `cat >/etc/ssh/sshd_config<<EOF … EOF` here-document is fused with the
# `>>/etc/rsyslog.conf` tail of a later line, and the sshd_config body is not
# on this page. Recover it from the original post, then run `sshd -t` before
# restarting the service so a typo cannot lock you out.
cat >/etc/ssh/sshd_config<>/etc/rsyslog.conf
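# Send the local5 facility (presumably SyslogFacility LOCAL5 in the new
# sshd_config — confirm, its body is not on this page) to its own log file.
# The rsyslog line is added only once; the original appended it on every run
# and then restarted sshd twice (stop && start, then reload).
grep -qF 'local5.* /var/log/sshd.log' /etc/rsyslog.conf \
  || echo "local5.* /var/log/sshd.log" >>/etc/rsyslog.conf
systemctl restart rsyslog
# Validate the config first: restarting with a broken sshd_config leaves no
# listener and no way back in over the network.
if sshd -t; then
  systemctl restart sshd
else
  printf 'sshd_config failed validation; sshd was not restarted\n' >&2
fi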
删除系统不需要的用户和用户组
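# Remove legacy accounts and groups this guide considers unnecessary.
# `action` comes from /etc/rc.d/init.d/functions, which the original never
# sourced, and the loop's status was that of the last userdel (usually a
# failure for an absent user), so the "delete user" message was misleading.
# Each account is now checked and reported individually.
# Caution: adm owns files under /var/log, and sync/shutdown/halt are referenced
# by some tooling — review the list for the host's role before running.
for u in adm lp sync shutdown halt news uucp operator games gopher; do
  getent passwd "$u" >/dev/null || continue
  if userdel "$u"; then
    printf 'deleted user: %s\n' "$u"
  else
    printf 'failed to delete user: %s\n' "$u" >&2
  fi
done
for g in adm news uucp games dip pppusers popusers slipusers; do
  getent group "$g" >/dev/null && groupdel "$g"
done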
修改密码认证的复杂度,和过期时间
# NOTE(review): this PAM stack is garbled on the page — "<= 500 quiet" is the
# tail of a `cat >/etc/pam.d/system-auth<<EOF` here-document whose first lines
# were lost, and "pam_unix.soetc/pam.d/system-auth" is two fused lines.
# Recover the exact text from the original post before using it, and keep a
# root session open while testing: a broken system-auth locks every login out.
# Points worth fixing in the part that is visible:
#  - `nullok` on the pam_unix auth and password lines permits empty
#    passwords, contradicting the "no empty passwords" goal of the SSH
#    section; drop it.
#  - `/lib/security/pam_unix.so` is an absolute path; on x86_64 CentOS 7 the
#    modules live under /lib64/security, so use the bare name `pam_unix.so`
#    as the other lines already do.
#  - the uid 500 boundary is the CentOS 6 convention; CentOS 7 starts regular
#    users at UID_MIN=1000 (see /etc/login.defs).
#  - /etc/pam.d/system-auth is normally a symlink maintained by authconfig;
#    a later `authconfig --update` will overwrite a hand-written file.
#  - the pam_cracklib line enforces minlen=8 with one each of upper/lower/
#    digit/other; CentOS 7 ships pam_pwquality for the same purpose.
mv /etc/pam.d/system-auth /etc/pam.d/system-auth_`date +%F`
cat >/etc/pam.d/system-auth<= 500 quiet
auth required pam_deny.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.soetc/pam.d/system-auth
EOF
# NOTE(review): the /etc/pam.d/sshd here-document below is truncated on the
# page; its body must also come from the original post.
cat >/etc/pam.d/sshd<
使用noatime文件系统挂载选项
删除CentOS自带的sendmail,改用postfix
增加SWAP分区大小(一般是内存的2倍)
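# Create and enable a swap file (4M * 1024 blocks = 4 GiB). Fixes vs. the
# original: the file is made root-only before mkswap (a world-readable swap
# file exposes whatever gets paged out, and mkswap/swapon warn about it), the
# fstab entry is added only once, and `swapon -a` is used — `mount -a` does
# not activate swap entries.
swapfile=/mnt/swapfile
swap_blocks=1024   # number of 4M blocks; 1024 -> 4 GiB
if [[ ! -e "$swapfile" ]]; then
  dd if=/dev/zero of="$swapfile" bs=4M count="$swap_blocks" \
    && chmod 600 "$swapfile" \
    && mkswap "$swapfile"
fi
grep -qF "$swapfile" /etc/fstab || echo "$swapfile swap swap defaults 0 0" >>/etc/fstab
swapon -a
free -m | grep -i swap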
使用iptables关闭不需要对外开放的端口
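# Replace firewalld with iptables-services and allow only loopback, replies,
# ICMP and the SSH port this guide uses (22123). Rule order matters over a
# remote session: the ESTABLISHED rule is in place before the final DROP is
# appended, so the current connection survives.
# The original started and enabled ip6tables but gave it no rules (policy
# ACCEPT); since the IPv6 disable earlier in the guide was not persistent,
# the same policy is applied to v6 here. ICMPv6 must stay open for neighbour
# discovery to work.
systemctl disable firewalld
systemctl stop firewalld
yum -y install iptables-services
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22123 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j DROP
ip6tables -F
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -j DROP
service iptables save
service ip6tables save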
启动系统审计服务
# Install auditd. The glob reaches yum as a wildcard (unless a file in the
# current directory happens to match it) and pulls every package whose name
# starts with "audit"; plain `yum -y install audit` is the clearer form.
yum install audit*.* -y
# NOTE(review): the rules appended to /etc/audit/audit.rules were lost when
# this page was extracted; take them from the original post. On CentOS 7 the
# file is regenerated from /etc/audit/rules.d/*.rules by augenrules at service
# start, so rules belong there; restart auditd afterwards and check
# `auditctl -l` to confirm they loaded.
cat >>/etc/audit/audit.rules<
部署完整性检查工具软件
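# Deploy AIDE and take the baseline.
# 1) `aide -i` writes aide.db.new.gz; moving it into place makes it the
#    reference database.
# 2) The original ran `aide -u` immediately afterwards, which only rebuilt
#    the same database — that step is dropped; run it after legitimate changes.
# 3) The nightly check is installed through crontab(1) rather than by
#    appending to /var/spool/cron/root, and `%` is escaped as `\%`: cron
#    treats an unescaped `%` as a newline, so the original job's
#    `date +%Y%m%d` would have split the command line and broken the job.
# Keep a copy of aide.db.gz, the aide config and the checksum below on
# read-only or off-host storage; a database that lives only on the monitored
# host can be regenerated by whoever compromises it.
yum -y install aide
aide -i && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
mkdir -p /var/log/aide
aide_job='45 23 * * * /usr/sbin/aide -C >> /var/log/aide/$(date +\%Y\%m\%d)_aide.log 2>&1'
if ! crontab -l 2>/dev/null | grep -qF -- '/usr/sbin/aide -C'; then
  { crontab -l 2>/dev/null; printf '%s\n' "$aide_job"; } | crontab -
fi
# mail variant of the job (recipient is a placeholder):
# 45 17 * * * /usr/sbin/aide -C -V4 | /bin/mail -s "AIDE REPORT $(date +\%Y\%m\%d)" aide-reports@example.com
# record a checksum of the aide binary itself; sha256 instead of the original
# md5, which is collision-prone
sha256sum /usr/sbin/aide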
关闭ctrl+alt+del重启机器
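# Ignore Ctrl+Alt+Del on the console. The original `rm -f` targeted
# "ctrl-alt-del.targe" (typo — nothing was removed) and `init q` is an inittab
# reload that systemd does not need. Masking the target is the supported way;
# undo with `systemctl unmask ctrl-alt-del.target`.
systemctl mask ctrl-alt-del.target
systemctl daemon-reload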
文件加锁及修改默认权限
# 1) Only root may schedule at/cron jobs: the allow files take precedence,
#    so the deny files are removed and the allow files list root alone.
rm -f /etc/cron.deny /etc/at.deny
for allow_file in /etc/cron.allow /etc/at.allow; do
  echo root >"$allow_file"
done
chown root:root /etc/cron.allow /etc/at.allow
chmod 400 /etc/cron.allow /etc/at.allow
# 2) crontab and the cron spool/config directories readable by root only
#    (/etc/cron.* also matches cron.allow, which is already 400).
chown root:root /etc/crontab
chmod 400 /etc/crontab
for cron_dir in /var/spool/cron /etc/cron.*; do
  chown -R root:root "$cron_dir"
  chmod -R go-rwx "$cron_dir"
done
# 3) Make the account databases and a couple of config files immutable.
#    While the flag is set, useradd/usermod/passwd/chage fail (including the
#    password expiry configured earlier); clear it with `chattr -i` first.
#    chattr reports an error for files that do not exist (e.g. xinetd.conf).
for locked_file in /etc/passwd /etc/shadow /etc/group /etc/gshadow \
                   /etc/xinetd.conf /etc/services; do
  chattr +i "$locked_file"
done