1.关闭防火墙和SElinux
有外网的机器要开启并配置防火墙,仅开放需要提供服务的端口
#iptables — stop the running firewall and keep it off across reboots
service iptables stop
/sbin/chkconfig iptables off
#selinux — permissive right now (setenforce 0) and disabled from the next boot on
setenforce 0
# NOTE(review): the host is left with neither a packet filter nor SELinux; the text of this
# section says hosts reachable from the internet should keep iptables and open only the service ports.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
2.更改yum源
# Keep the stock repo file as a backup, then replace it with the 163.com mirror definition.
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
# NOTE(review): the file that decides where packages are downloaded from is fetched over plain
# http with no checksum or signature check; `wget -O` truncates the target before transferring,
# so a failed download may leave an empty repo file with the original already moved away.
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo -O /etc/yum.repos.d/CentOS-Base.repo
3.精简开机自启动服务
LANG=en # run this first if the system locale is Chinese (presumably so chkconfig prints the English "3:on" the grep below looks for)
# Turn off every runlevel-3 service except crond, network, rsyslog, sshd and sysstat.
# The -Ev pattern is a substring match, so any service whose name contains one of these words is also kept.
for i in `chkconfig --list|grep 3:on|awk '{print $1}'|grep -Ev "crond|network|rsyslog|sshd|sysstat"`;do chkconfig --level 3 $i off;done
4.优化ssh登录策略
# /etc/ssh/sshd_config
Port 22 连接端口
PermitRootLogin no 禁止root远程登录
PermitEmptyPasswords no 禁止空密码登录
UseDNS no 不使用DNS反向解析
GSSAPIAuthentication no 关闭GSSAPI认证,解决linux下SSH远程连接慢的问题
###
# Each sed rewrites only the stock commented-out default line; a line that was already
# edited by hand is left untouched, so check sshd_config afterwards.
sed -i 's/#Port 22/Port 52113/' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
# The restart applies the new port and the root-login ban at the same time; on a remote
# host a non-root account (section 5) must exist before this point. `sshd -t` would
# validate the edited file before restarting.
/etc/init.d/sshd restart
5.优化用户与登录策略
# Admin account with passwordless sudo. User name and password are fixed literals in this
# file, so the password is effectively public wherever the notes are shared; change it at
# first login.
username='sysadmin'
password='sysadmin'
useradd $username && echo $password | passwd --stdin $username &>/dev/null
# Inserts the rule at line 99 of /etc/sudoers; GNU sed silently skips the insert when the
# file is shorter than that. A /etc/sudoers.d drop-in checked with `visudo -c` is the safer form.
sed -i "99i sysadmin ALL=(ALL) NOPASSWD:ALL" /etc/sudoers
echo "Defaults logfile=/var/log/sudo.log" >>/etc/sudoers
# NOTE(review): this rsyslog rule only receives sudo events if sudoers also sets
# `Defaults syslog=local2`; with logfile= alone sudo writes the file itself. rsyslog
# has to be restarted for the rule to load.
echo "local2.debug /var/log/sudo.log" >>/etc/rsyslog.conf
6.添加定时任务服务器进行时间同步
# One-off clock sync now; output discarded.
/usr/sbin/ntpdate pool.ntp.org &>/dev/null
# Appends to root's crontab every time these lines run — a second run duplicates the job.
echo '#Update time' >>/var/spool/cron/root
echo '*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1' >>/var/spool/cron/root
7.调整文件描述符大小
# Raises the soft and hard open-files limit for the current shell only.
ulimit -HSn 65535
# The limits.conf entry covers new login sessions (through pam_limits — confirm it is in
# the PAM stack). Appends unconditionally, so a second run duplicates the two lines.
cat >> /etc/security/limits.conf << EOF
* soft nofile 65535
* hard nofile 65535
EOF
8.内核参数优化
# Appends the tuning block to /etc/sysctl.conf (unconditionally — a re-run duplicates it).
# net.nf_conntrack_max and net.netfilter.nf_conntrack_max name the same setting.
cat >> /etc/sysctl.conf << EOF
vm.swappiness = 0
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max=25000000
net.netfilter.nf_conntrack_tcp_timeout_established=180
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120
EOF
# Loads the file. As the note at the end of this section says, the nf_conntrack keys are
# reported as errors while the firewall (and its conntrack module) is not active.
/sbin/sysctl -p
#net.ipv4.tcp_fin_timeout = 2 表示如果套接字由本端要求关闭,这个参数决定了它保持在FIN-WAIT-2的状态时间,单位是秒,这个就是四次断开的最后一下,减少等待时间。
#net.ipv4.tcp_tw_reuse = 1 表示开启重用。允许TIME-WAIT套接字重新用于新的TCP链接。默认是0表示关闭。
#net.ipv4.tcp_tw_recycle = 1 表示开启TCP连接中的TIME-WAIT套接字的快速回收,默认是0表示关闭
#net.ipv4.tcp_syncookies = 1 表示开启SYN Cookies。当出现SYN等待队列溢出时,启用cookie来处理,可防范少量的SYN攻击。默认为0,表示关闭。
#net.ipv4.tcp_keepalive_time =600 表示当keepalive启用时,TCP发送keepalive消息的频率,默认是2小时,这里改为10分钟
#net.ipv4.ip_local_port_range = 4096 65000 #表示向外连接的端口范围,默认很少,32768~65535
#net.ipv4.tcp_max_syn_backlog = 16384 表示SYN队列的长度,默认为1024,加大队列长度为16384,可以容纳更多等待连接的网络连接数。
#net.ipv4.tcp_max_tw_buckets = 36000 表示系统同时保持TIME_WAIT套接字的最大数量,如果超过这个数字,TIME_WAIT套接字将立刻被清除并打印警告信息。默认为180000,改为36000。对于Apache、Nginx等服务器,前面介绍的几个参数已经可以很好地减少TIME_WAIT套接字数量,但是对于Squid来说,效果却不大。有了此参数就可以控制TIME_WAIT套接字的最大数量,避免Squid服务器被大量的TIME_WAIT套接字拖死。
#net.ipv4.route.gc_timeout = 100 路由缓存刷新频率,当一个路由失败后多长时间跳到另一个默认是300秒
#net.ipv4.tcp_syn_retries = 1 对于一个新建连接,内核要发送多少个 SYN 连接请求才决定放弃。不应该大于255,默认值是5,对应于180秒左右。
#net.ipv4.tcp_synack_retries = 1 对于远端的连接请求SYN,内核会发送SYN + ACK数据报,以确认收到上一个 SYN连接请求包。这是所谓的三次握手( threeway handshake)机制的第二个步骤。这里决定内核在放弃连接之前所送出的 SYN+ACK 数目。不应该大于255,默认值是5,对应于180秒左右时间。
#net.core.somaxconn = 16384 用来限制监听(LISTEN)队列最大数据包的数量,超过这个数量就会导致链接超时或者触发重传机制。web应用中listen函数的backlog默认会给我们内核参数的net.core.somaxconn限制到128,而nginx定义的NGX_LISTEN_BACKLOG默认为511,所以有必要调整这个值。对繁忙的服务器,增加该值有助于网络性能。默认是128.
#net.core.netdev_max_backlog = 16384 每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目,对重负载服务器而言,该值需要调高一点。默认是1024
#net.ipv4.tcp_max_orphans = 16384 系统所能处理不属于任何进程的TCP sockets最大数量。假如超过这个数量,那么不属于任何进程的连接会被立即reset,并同时显示警告信息。之所以要设定这个限制,纯粹为了抵御那些简单的 DoS 攻击,千万不要依赖这个或是人为的降低这个限制。如果内存大更应该增加这个值。默认值是8192.
#以下参数是对iptables防火墙的优化,防火墙未开启时会有报错提示,可以忽略不理。
#net.ipv4.ip_conntrack_max = 25000000 系统支持的最大ipv4连接数,默认65536,同时这个值和你的内存大小有关,如果内存128M,这个值最大8192,1G以上内存这个值都是默认65536
#net.nf_conntrack_max = 25000000
#net.netfilter.nf_conntrack_max = 25000000
#net.netfilter.nf_conntrack_tcp_timeout_established = 180 已建立的tcp连接的超时时间,默认432000,也就是5天,这个值过大将导致一些可能已经不用的连接常驻于内存中,占用大量链接资源,从而可能导致NAT ip_conntrack: table full的问题,这里调小了
#net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
#net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
#net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
9.锁定关键系统文件
锁定关键系统文件:chattr +i files 加锁,chattr -i files 解锁
/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab /etc/services /etc/rc.local
lsattr file :查看文件是否加锁
10.history显示时间
# cat /etc/profile #加上下面一句话
HISTTIMEFORMAT="%F %T `whoami` "
# source /etc/profile #生效一下
11.删除登录信息
# Truncate the pre-login banner and the message of the day, so unauthenticated connections
# are not shown system details (CentOS typically puts its release string in /etc/issue).
>/etc/issue
>/etc/motd
12.安装必要的软件
# -y answers the install prompt. ntpdate is needed by section 6 and sysstat is one of the
# services section 3 keeps enabled.
yum install lrzsz ntpdate sysstat tree wget nmap telnet -y
13.修改系统默认字符集
# vi /etc/sysconfig/i18n
LANG="zh_CN.UTF-8" #这里改成你想要的字符集,如果想搞成gbk就这样LANG="zh_CN.GB18030"
# source /etc/sysconfig/i18n #使生效
14.历史命令记录数量调小
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile #将历史记录值由1000变为10
source /etc/profile #使生效
15.禁ping(非必须)
echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf
16.grub加密码(非必须)
1)先用/sbin/grub-md5-crypt产生一个MD5密码串
# /sbin/grub-md5-crypt
Password:
Retype password:
$1$7XIYM/$L4is2wwmH0CZqGH1Oq4RY.
2)修改grub.conf文件
# vim /etc/grub.conf
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$jJJYM/$lfH83xAKeks/dkptv7wx9. #注意:password必须加在splashimage和title之间这段,否则不能生效
title CentOS (2.6.32-431.el6.x86_64)
17.lvs/haproxy负载均衡代理内核参数配置
# Same block as section 8, with vm.swappiness and tcp_max_orphans commented out and without
# the somaxconn / netdev_max_backlog entries.
#vm.swappiness = 0
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
#net.ipv4.tcp_max_orphans = 16384
# The conntrack keys below only load while the conntrack module is active (see section 8).
# iptables -V
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max=25000000
net.netfilter.nf_conntrack_tcp_timeout_established=180
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120
18.nginx/apache生产内核参数优化
net.ipv4.tcp_max_syn_backlog = 65536
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# NOTE(review): tcp_tw_recycle depends on TCP timestamps; with tcp_timestamps = 0 the
# recycle setting below has no effect, and when timestamps are on it is known to drop
# connections from clients behind NAT — confirm before enabling either.
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 2048 65535
19.squid/varnish/nginx proxy 生产内核优化
CDN公司cache服务器内核优化
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
# tcp_max_syn_backlog appears twice in this block (also further down); the later line wins.
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 1800000
# NOTE(review): tcp_tw_recycle is known to drop connections from clients behind NAT — confirm.
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_syncookies = 1
# NOTE(review): `tcp_retriesl` is not a sysctl key as written (looks like a typo for
# tcp_retries1 or tcp_retries2); sysctl will reject this line — confirm the intended key.
net.ipv4.tcp_retriesl = 22
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3
以下脚本包含优化的前8项:
# cat system_optimization.sh
#!/bin/bash
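# Pull in the RHEL/CentOS init-script helpers; `action` (used by every step below)
# comes from this file, so refuse to continue when it is not available instead of
# failing later with "command not found".
if [ ! -r /etc/init.d/functions ]; then
  echo "/etc/init.d/functions not found; this script targets RHEL/CentOS 6." >&2
  exit 1
fi
. /etc/init.d/functions
# Require root: every step edits files under /etc or restarts services.
# Compare the numeric uid instead of the `whoami` string so a root-equivalent
# account with another name also passes.
if [ "$(id -u)" -ne 0 ]; then
  echo "Please run this script as root."
  exit 1
fi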
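close_iptables_selinux(){
  # Stop iptables now and at boot, and put SELinux into permissive mode now and
  # disabled mode from the next boot.
  # NOTE(review): the host is left without a packet filter and without SELinux;
  # section 1 of the notes says internet-facing hosts should keep iptables and
  # open only the service ports.
  #
  # The original reported `$?` of the trailing `if`, which is 0 whenever SELinux
  # was not Enforcing; rc now records a failure of any of the four commands.
  local rc=0
  local sel
  /etc/init.d/iptables stop &> /dev/null || rc=$?
  /sbin/chkconfig iptables off || rc=$?
  sel=$(getenforce)
  if [[ "$sel" == "Enforcing" ]]; then
    setenforce 0 || rc=$?
    sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config || rc=$?
  fi
  if [ "$rc" -eq 0 ]; then
    action "close iptables and selinux" /bin/true
  else
    action "close iptables and selinux" /bin/false
  fi
}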
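update_yum_repo(){
  # Make the 163.com mirror the default yum repo, keeping the stock file as
  # CentOS-Base.repo.backup.
  # NOTE(review): the repo definition, which decides where packages are pulled
  # from, is fetched over plain http with no checksum or signature check.
  local repo=/etc/yum.repos.d/CentOS-Base.repo
  local tmp
  # Download into a temp file first: `wget -O $repo` truncates the target before
  # the transfer, so a failed fetch used to leave an empty repo file with the
  # original already moved away. The temp name does not end in .repo, so yum
  # never reads it.
  tmp=$(mktemp /etc/yum.repos.d/.CentOS-Base.XXXXXX) || {
    action "Update yum repo" /bin/false
    return 1
  }
  if wget http://mirrors.163.com/.help/CentOS6-Base-163.repo -O "$tmp" &>/dev/null \
      && [ -s "$tmp" ]; then
    chmod 0644 -- "$tmp"   # mktemp creates 0600; yum users need to read the file
    # Back up the stock file only once; a re-run must not overwrite the backup
    # with the mirror file.
    [ -e "$repo.backup" ] || mv -- "$repo" "$repo.backup"
    mv -- "$tmp" "$repo"
    action "Update yum repo" /bin/true
  else
    rm -f -- "$tmp"
    action "Update yum repo" /bin/false
  fi
}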
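service(){
  # Turn off every runlevel-3 service except the ones this setup relies on.
  # NOTE: the function is named `service`, so it shadows the system `service`
  # command for the rest of this script (callers reach it by this name).
  local keep='crond|network|rsyslog|sshd|sysstat'   # substring match, as before
  local rc=0
  local svc
  # Read one service name per line instead of word-splitting a backtick
  # expansion, and remember a failing chkconfig for any service — the original
  # reported only the status of the last iteration.
  while IFS= read -r svc; do
    chkconfig --level 3 "$svc" off || rc=$?
  done < <(chkconfig --list | grep '3:on' | awk '{print $1}' | grep -Ev "$keep")
  if [ "$rc" -eq 0 ]; then
    action "Service optimization" /bin/true
  else
    action "Service optimization" /bin/false
  fi
}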
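ssh(){
  # Harden sshd_config: move to port 52113, refuse root and empty-password
  # logins, and drop the GSSAPI and DNS lookups that slow down connection setup.
  # NOTE: the function is named `ssh`, so it shadows the ssh client inside this
  # script. PermitRootLogin no takes effect at the restart below; the sysadmin
  # account that replaces remote root is only created by the later sudo step.
  local cfg=/etc/ssh/sshd_config
  local port=52113
  # Each sed rewrites only the stock commented-out default; an already-edited
  # line is left as it is and shows up as a failure in the final grep.
  sed -i "s/#Port 22/Port $port/" "$cfg"
  sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' "$cfg"
  sed -i 's/^#PermitEmptyPasswords no/PermitEmptyPasswords no/' "$cfg"
  sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' "$cfg"
  sed -i 's/#UseDNS yes/UseDNS no/' "$cfg"
  # Validate the edited file before restarting: restarting on a broken config
  # would leave the host without a working sshd. The grep is anchored so a
  # commented "#Port 52113" no longer counts as success.
  if /usr/sbin/sshd -t &>/dev/null \
      && /etc/init.d/sshd restart &>/dev/null \
      && grep -q "^Port $port" "$cfg"; then
    action "Optimization of SSH" /bin/true
  else
    action "Optimization of SSH" /bin/false
  fi
}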
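sudo(){
  # Create the admin account, grant it passwordless sudo and log sudo use to
  # /var/log/sudo.log.
  # NOTE: the function is named `sudo`, so it shadows the sudo command inside
  # this script.
  local username='sysadmin'
  local password='sysadmin'
  local rc=0
  local dropin="/etc/sudoers.d/$username"
  # The password is a fixed literal in this file; expire it right away so the
  # account cannot keep the documented default past its first login.
  if useradd "$username"; then
    printf '%s\n' "$password" | passwd --stdin "$username" &>/dev/null || rc=$?
    chage -d 0 "$username" || rc=$?
  else
    rc=1
  fi
  # A sudoers.d drop-in replaces `sed -i 99i` on /etc/sudoers: GNU sed silently
  # inserts nothing when the file is shorter than line 99, and a drop-in can be
  # syntax-checked before sudo reads it. Assumes /etc/sudoers contains
  # `#includedir /etc/sudoers.d` (the CentOS 6 default) — TODO confirm on the image.
  printf '%s ALL=(ALL) NOPASSWD:ALL\nDefaults logfile=/var/log/sudo.log\n' "$username" \
    > "$dropin" || rc=$?
  chmod 0440 -- "$dropin" || rc=$?
  visudo -cf "$dropin" &>/dev/null || rc=$?
  # NOTE(review): this rsyslog rule only receives sudo events if sudoers also
  # sets `Defaults syslog=local2`; with logfile= alone sudo writes the file
  # itself. rsyslog has to be restarted for the rule to load. Appended once.
  grep -q '^local2.debug /var/log/sudo.log' /etc/rsyslog.conf \
    || echo "local2.debug /var/log/sudo.log" >>/etc/rsyslog.conf
  if [ "$rc" -eq 0 ]; then
    action "Sudo authorization" /bin/true
  else
    action "Sudo authorization" /bin/false
  fi
}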
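update_time(){
  # Sync the clock once now and install a 5-minute ntpdate job in root's crontab.
  local cron=/var/spool/cron/root
  local job='*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1'
  if /usr/sbin/ntpdate pool.ntp.org &>/dev/null; then
    action "Update time" /bin/true
  else
    action "Update time" /bin/false
  fi
  # Append only when the job is not already there, so re-running the script
  # does not stack duplicate entries. Written to the spool file directly, as
  # before; piping through `crontab -` would additionally syntax-check it.
  if ! grep -qF -- "$job" "$cron" 2>/dev/null; then
    echo '#Update time' >>"$cron"
    echo "$job" >>"$cron"
  fi
}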
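set_file_limit(){
  # Raise the open-files limit. ulimit applies to this shell only; the
  # limits.conf entry covers new login sessions (through pam_limits — confirm
  # it is part of the PAM stack).
  local conf=/etc/security/limits.conf
  local rc=0
  ulimit -HSn 65535 || rc=$?
  # Append once; a second run must not duplicate the entry.
  if ! grep -q '^\* - nofile 65535' "$conf"; then
    cat >> "$conf" << 'EOF' || rc=$?
* - nofile 65535
EOF
  fi
  if [ "$rc" -eq 0 ]; then
    action "Set file limit" /bin/true
  else
    action "Set file limit" /bin/false
  fi
}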
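kernel(){
  # Append the tuning block to /etc/sysctl.conf and load it.
  local conf=/etc/sysctl.conf
  local rc=0
  # Skip the append when the block's last key is already present, so re-running
  # the script does not stack duplicate entries (sysctl takes the last value,
  # but the file becomes hard to audit). Heredoc content is unchanged;
  # net.nf_conntrack_max and net.netfilter.nf_conntrack_max name the same setting.
  if ! grep -q '^net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120' "$conf"; then
    cat >> "$conf" << 'EOF' || rc=$?
vm.swappiness = 0
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max=25000000
net.netfilter.nf_conntrack_tcp_timeout_established=180
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120
EOF
  fi
  # The nf_conntrack keys are only known to the kernel while the conntrack
  # module is loaded, which it typically is not once iptables has been stopped
  # (section 8's own note says these errors can be ignored). sysctl -p is
  # therefore expected to complain and its status is not the success signal;
  # only the file content is checked, with an anchored grep.
  /sbin/sysctl -p &>/dev/null
  if [ "$rc" -eq 0 ] && grep -q '^net.nf_conntrack_max = 25000000' "$conf"; then
    action "Tune kernel parametres" /bin/true
  else
    action "Tune kernel parametres" /bin/false
  fi
}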
main(){
  # Run sections 1-8 of the notes in order, then print the completion banner.
  # Ordering matters for remote use: ssh turns off remote root login before
  # sudo creates the sysadmin account, so a failed sudo step can leave no
  # remote login path.
  close_iptables_selinux
  update_yum_repo
  service
  ssh
  sudo
  update_time
  set_file_limit
  kernel
  cat << 'EOF'
+-------------------------------------------------+
| optimizer is done |
| it's recommond to restart this server ! |
+-------------------------------------------------+
EOF
}
main "$@"