Centos 6.X基础优化

  • 关闭防火墙和SElinux
  • 更改yum源
  • 精简开机自启动服务
  • 优化ssh登录策略
  • 优化用户与登录策略
  • 添加定时任务服务器进行时间同步
  • 调整文件描述符大小
  • 内核参数优化
  • 锁定关键系统文件
  • history显示时间
  • 删除登录信息
  • 安装必要的软件
  • 修改系统默认字符集
  • 历史命令记录数量调小
  • 禁ping
  • grub加密码
  • lvs/haproxy负载均衡代理内核参数配置
  • nginx/apache生产内核参数优化
  • squid/varnish/nginx proxy 生产内核优化

1.关闭防火墙和SElinux

有公网地址的机器应保留并配置防火墙,仅放行需要对外提供服务的端口;以下关闭操作仅适用于内网/实验环境

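#iptables
service iptables stop
/sbin/chkconfig iptables off

#selinux
# Only call setenforce when SELinux is currently enforcing: on a host where it is
# already disabled, `setenforce 0` exits non-zero ("SELinux is disabled").
if [ "$(getenforce)" = "Enforcing" ]; then
  setenforce 0
fi
# setenforce only changes the running kernel; persist the choice for the next boot.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config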

2.更改yum源

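repo=/etc/yum.repos.d/CentOS-Base.repo
mv "$repo" "$repo.backup"
# `wget -O` truncates the target before downloading, so a failed fetch (no network,
# mirror down) would leave an empty repo file behind: restore the backup instead.
# The download is plain HTTP with no integrity check on the repo file itself.
if ! wget http://mirrors.163.com/.help/CentOS6-Base-163.repo -O "$repo"; then
  mv -f "$repo.backup" "$repo"
fi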

3.精简开机自启动服务

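# chkconfig localizes the state words (e.g. "3:启用" under zh_CN), so the "3:on"
# match below only works in an English/C locale; export it for the child process.
export LANG=C
# Turn off every runlevel-3 service except the essential ones kept by the filter.
chkconfig --list | grep 3:on | awk '{print $1}' \
  | grep -Ev "crond|network|rsyslog|sshd|sysstat" \
  | while read -r svc; do
      chkconfig --level 3 "$svc" off
    done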

4.优化ssh登录策略

# /etc/ssh/sshd_config
Port 22    连接端口
PermitRootLogin no    禁止root远程登录
PermitEmptyPasswords no    禁止空密码登录
UseDNS no    不使用DNS反向解析
GSSAPIAuthentication no    解决linux下SSH远程连接服务慢的问题

###
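sed -i 's/#Port 22/Port 52113/' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
# Root login is now refused: make sure a non-root account with sudo rights exists
# (step 5) and that port 52113 is allowed through any firewall before restarting.
# `sshd -t` validates the edited file first; restarting on a broken config locks
# every remote administrator out.
/usr/sbin/sshd -t && /etc/init.d/sshd restart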

5.优化用户与登录策略

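username='sysadmin'
# Default kept for compatibility; set SYSADMIN_PASSWORD in the environment instead
# of shipping the same well-known password to every host.
password=${SYSADMIN_PASSWORD:-sysadmin}
useradd "$username" && printf '%s\n' "$password" | passwd --stdin "$username" &>/dev/null
# `sed "99i ..."` silently inserts nothing when /etc/sudoers has fewer than 99
# lines; append the rule once instead, then let visudo check the syntax — a
# malformed /etc/sudoers disables sudo for everyone.
grep -q "^${username}[[:space:]]" /etc/sudoers \
  || echo "${username}    ALL=(ALL)       NOPASSWD:ALL" >>/etc/sudoers
grep -q '^Defaults[[:space:]]*logfile=' /etc/sudoers \
  || echo "Defaults      logfile=/var/log/sudo.log" >>/etc/sudoers
visudo -c -q || echo "WARNING: /etc/sudoers failed validation, fix it with visudo" >&2
grep -qF '/var/log/sudo.log' /etc/rsyslog.conf \
  || echo "local2.debug      /var/log/sudo.log" >>/etc/rsyslog.conf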

6.添加定时任务服务器进行时间同步

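# One-shot sync now; the cron entry keeps drift under 5 minutes. NTP from a public
# pool is unauthenticated — prefer an internal time source where one exists, since
# log timestamps and certificate validity checks depend on this clock.
/usr/sbin/ntpdate pool.ntp.org &>/dev/null

# Add the cron entry only once so re-running the steps does not stack duplicates.
cron_job='*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1'
if ! grep -qF -- "$cron_job" /var/spool/cron/root 2>/dev/null; then
  echo '#Update time' >>/var/spool/cron/root
  echo "$cron_job" >>/var/spool/cron/root
fi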

7.调整文件描述符大小

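# Raise the open-file limit for the current shell (hard and soft together).
ulimit -HSn 65535
# Persist it for new logins; skip the append when entries are already present so
# re-running does not pile up duplicate lines.
if ! grep -qE '^\*[[:space:]]+(soft|hard)[[:space:]]+nofile' /etc/security/limits.conf; then
  cat >> /etc/security/limits.conf << EOF
*           soft   nofile       65535
*           hard   nofile       65535
EOF
fi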

8.内核参数优化

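# Append the tuning block once (marker: the nf_conntrack_max line), then load it.
# The net.netfilter.* keys only exist while the conntrack module is loaded; with
# the firewall stopped, `sysctl -p` reports them as unknown — expected, see below.
if ! grep -q '^net.nf_conntrack_max = 25000000' /etc/sysctl.conf; then
cat >> /etc/sysctl.conf << EOF
vm.swappiness = 0
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000     65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max=25000000
net.netfilter.nf_conntrack_tcp_timeout_established=180
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120
EOF
fi
/sbin/sysctl -p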

#net.ipv4.tcp_fin_timeout = 2 表示如果套接字由本端要求关闭,这个参数决定了它保持在FIN-WAIT-2的状态时间,单位是秒,这个就是四次断开的最后一下,减少等待时间。
#net.ipv4.tcp_tw_reuse = 1  表示开启重用。允许TIME-WAIT套接字重新用于新的TCP链接。默认是0表示关闭。
#net.ipv4.tcp_tw_recycle = 1 表示开启TCP连接中的TIME-WAIT套接字的快速回收,默认是0表示关闭。注意:该参数与NAT环境不兼容(同一NAT出口后的多个客户端连接会被丢弃),新版内核已将其移除,生产环境不建议开启。
#net.ipv4.tcp_syncookies = 1 表示开启SYN Cookies。当出现SYN等待队列溢出时,启用cookie来处理,可防范少量的SYN攻击。默认为0,表示关闭。
#net.ipv4.tcp_keepalive_time =600 表示当keepalive启用时,TCP发送keepalive消息的频率,默认是2小时,这里改为10分钟
#net.ipv4.ip_local_port_range = 4096    65000 #表示向外连接的端口范围,默认很少,32768~65535
#net.ipv4.tcp_max_syn_backlog = 16384 表示SYN队列的长度,默认为1024,加大队列长度为16384,可以容纳更多等待连接的网络连接数。
#net.ipv4.tcp_max_tw_buckets = 36000 表示系统同时保持TIME_WAIT套接字的最大数量,如果超过这个数字,TIME_WAIT套接字将立刻被清除并打印警告信息。默认为180000,改为36000。对于Apache、Nginx等服务器,前面介绍的几个参数已经可以很好地减少TIME_WAIT套接字数量,但是对于Squid来说,效果却不大。有了此参数就可以控制TIME_WAIT套接字的最大数量,避免Squid服务器被大量的TIME_WAIT套接字拖死。
#net.ipv4.route.gc_timeout = 100 路由缓存刷新频率,当一个路由失败后多长时间跳到另一个默认是300秒
#net.ipv4.tcp_syn_retries = 1  对于一个新建连接,内核要发送多少个 SYN 连接请求才决定放弃。不应该大于255,默认值是5,对应于180秒左右。
#net.ipv4.tcp_synack_retries = 1  对于远端的连接请求SYN,内核会发送SYN + ACK数据报,以确认收到上一个 SYN连接请求包。这是所谓的三次握手( threeway handshake)机制的第二个步骤。这里决定内核在放弃连接之前所送出的 SYN+ACK 数目。不应该大于255,默认值是5,对应于180秒左右时间。
#net.core.somaxconn = 16384 用来限制监听(LISTEN)队列最大数据包的数量,超过这个数量就会导致链接超时或者触发重传机制。web应用中listen函数的backlog默认会给我们内核参数的net.core.somaxconn限制到128,而nginx定义的NGX_LISTEN_BACKLOG默认为511,所以有必要调整这个值。对繁忙的服务器,增加该值有助于网络性能。默认是128.
#net.core.netdev_max_backlog = 16384 每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目,对重负载服务器而言,该值需要调高一点。默认是1024
#net.ipv4.tcp_max_orphans = 16384 系统所能处理不属于任何进程的TCP sockets最大数量。假如超过这个数量﹐那么不属于任何进程的连接会被立即reset,并同时显示警告信息。之所以要设定这个限制﹐纯粹为了抵御那些简单的 DoS 攻击﹐千万不要依赖这个或是人为的降低这个限制。如果内存大更应该增加这个值。默认值是8192.

#以下参数是对iptables防火墙(conntrack)的优化,防火墙未开启时sysctl -p会提示找不到这些键,可以忽略。
#net.ipv4.ip_conntrack_max = 25000000 系统支持的最大ipv4连接数,默认65536,同时这个值和你的内存大小有关,如果内存128M,这个值最大8192,1G以上内存这个值都是默认65536
#net.nf_conntrack_max = 25000000
#net.netfilter.nf_conntrack_max = 25000000
#net.netfilter.nf_conntrack_tcp_timeout_established = 180 已建立的tcp连接的超时时间,默认432000,也就是5天,这个值过大将导致一些可能已经不用的连接常驻于内存中,占用大量链接资源,从而可能导致NAT ip_conntrack: table full的问题,这里调小了
#net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
#net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
#net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120

9.锁定关键系统文件

锁定关键系统文件:chattr +i 文件 加锁,chattr -i 文件 解锁(加锁后即使root也无法修改或删除,升级/改密码前需先解锁)
/etc/passwd  /etc/shadow  /etc/group  /etc/gshadow  /etc/inittab /etc/services /etc/rc.local
lsattr 文件 :查看文件是否已加锁

10.history显示时间

# cat /etc/profile  #加上下面一句话
HISTTIMEFORMAT="%F %T `whoami` "
# source /etc/profile  #生效一下

11.删除登录信息

>/etc/issue
>/etc/motd

12.安装必要的软件

yum install lrzsz ntpdate sysstat tree wget nmap telnet -y

13.修改系统默认字符集

# vi  /etc/sysconfig/i18n
LANG="zh_CN.UTF-8"   #这里改成你想要的字符集,如果想用gbk就写成LANG="zh_CN.GB18030"
# source  /etc/sysconfig/i18n #使生效

14.历史命令记录数量调小

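# Shrink retained shell history from 1000 to 10 entries (ASCII quotes — the
# typographic quotes in the original made sed receive a literal script name).
# A short history also removes evidence an incident responder may need; weigh that.
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
source  /etc/profile  # apply to the current shell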

15.禁ping(非必须)

echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf

16.grub加密码(非必须)

1)先用/sbin/grub-md5-crypt产生一个MD5密码串
# /sbin/grub-md5-crypt 
Password: 
Retype password: 
$1$7XIYM/$L4is2wwmH0CZqGH1Oq4RY.   
2)修改grub.conf文件
# vim /etc/grub.conf
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$jJJYM/$lfH83xAKeks/dkptv7wx9.  #注意:password必须加在splashimage和title之间这段,否则不能生效
title CentOS (2.6.32-431.el6.x86_64)

17.lvs/haproxy负载均衡代理内核参数配置

#vm.swappiness = 0
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000     65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
#net.ipv4.tcp_max_orphans = 16384
# iptables -V   
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max=25000000
net.netfilter.nf_conntrack_tcp_timeout_established=180
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120

18.nginx/apache生产内核参数优化

net.ipv4.tcp_max_syn_backlog = 65536
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 32768

net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800

net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 2048 65535

19.squid/varnish/nginx proxy 生产内核优化

CDN公司cache服务器内核优化
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 1800000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_retriesl = 22
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3

以下脚本包含优化的前8项:

# cat system_optimization.sh 
#!/bin/bash
# Provides the `action` helper every step uses to print its [ OK ]/[FAILED] line.
. /etc/init.d/functions

# All steps rewrite files under /etc, so refuse to run as anyone but root.
if [[ "$(whoami)" != "root" ]]; then
        echo "Please run this script as root."
        exit 1
fi

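close_iptables_selinux(){
#stop iptables and SELinux
# NOTE: on a host with a public address keep iptables running and only open the
# ports it serves (step 1 of the guide); this step is meant for lab/intranet hosts.
# Each sub-step feeds one status flag so the [ OK ]/[FAILED] line reflects all of
# them — the original `$?` after the `if` block was 0 whenever SELinux was not
# enforcing, regardless of what chkconfig did.
local rc=0
local sel
/etc/init.d/iptables stop &> /dev/null
/sbin/chkconfig iptables off || rc=1
sel=$(getenforce)
if [ "$sel" == "Enforcing" ];then
        setenforce 0 || rc=1
        # setenforce only affects the running kernel; persist for the next boot.
        sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config || rc=1
fi

if [ "$rc" -eq 0 ];then
        action "close iptables and selinux" /bin/true
else
        action "close iptables and selinux" /bin/false
fi
}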

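update_yum_repo(){
#make the 163.com as the default yum repo
local repo=/etc/yum.repos.d/CentOS-Base.repo
local rc=0
mv "$repo" "$repo.backup" || rc=1
# `wget -O` truncates the target before downloading, so a failed fetch (no
# network, mirror down) would leave an empty repo file; restore the backup then.
# The download is plain HTTP with no integrity check on the repo file itself.
if ! wget http://mirrors.163.com/.help/CentOS6-Base-163.repo -O "$repo" &>/dev/null; then
        rc=1
        mv -f "$repo.backup" "$repo"
fi
if [ "$rc" -eq 0 ];then
        action "Update yum repo" /bin/true
else
        action "Update yum repo" /bin/false
fi
}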

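service(){
#Service optimization
# NOTE: this function shadows the `service` command for the rest of the script;
# nothing here relies on /sbin/service, but keep that in mind when extending it.
# chkconfig localizes the on/off words, so the locale is pinned for the match,
# and every chkconfig failure is tracked instead of only the last iteration's.
local rc=0 svc
while read -r svc; do
        chkconfig --level 3 "$svc" off || rc=1
done < <(LANG=C chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev "crond|network|rsyslog|sshd|sysstat")

if [ "$rc" -eq 0 ];then
        action "Service optimization" /bin/true
else
        action "Service optimization" /bin/false
fi
}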

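ssh(){
#set ssh
# NOTE: shadows the `ssh` command inside this script (not used elsewhere here).
# PermitRootLogin is turned off below; unless the non-root sudo account from
# sudo() exists and works, root is the only account and remote access is lost.
# Port 52113 must also be allowed by any firewall in front of the host.
local rc=0
sed -i 's/#Port 22/Port 52113/' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
# Validate the edited configuration before restarting: restarting sshd on a
# broken sshd_config locks every remote administrator out.
if /usr/sbin/sshd -t &>/dev/null; then
        /etc/init.d/sshd restart &>/dev/null || rc=1
else
        rc=1
fi
grep -q "^Port 52113" /etc/ssh/sshd_config || rc=1
if [ "$rc" -eq 0 ];then
        action "Optimization of SSH" /bin/true
else
        action "Optimization of SSH" /bin/false
fi
}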


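sudo(){
#sudo
# NOTE: shadows the `sudo` command inside this script (not used elsewhere here).
local username='sysadmin'
# Default kept for compatibility; set SYSADMIN_PASSWORD in the environment
# instead of provisioning every host with the same well-known password.
local password=${SYSADMIN_PASSWORD:-sysadmin}
local rc=0
useradd "$username" && printf '%s\n' "$password" | passwd --stdin "$username" &>/dev/null || rc=1
# Keep a copy so a malformed edit can be rolled back, append the rule once
# (`sed "99i ..."` inserted nothing when the file had fewer than 99 lines), and
# let visudo check the syntax — a broken /etc/sudoers disables sudo for everyone.
cp -p /etc/sudoers /etc/sudoers.bak
grep -q "^${username}[[:space:]]" /etc/sudoers \
        || echo "${username}    ALL=(ALL)       NOPASSWD:ALL" >>/etc/sudoers
grep -q '^Defaults[[:space:]]*logfile=' /etc/sudoers \
        || echo "Defaults      logfile=/var/log/sudo.log" >>/etc/sudoers
if visudo -c -q; then
        rm -f /etc/sudoers.bak
else
        mv -f /etc/sudoers.bak /etc/sudoers
        rc=1
fi
grep -qF '/var/log/sudo.log' /etc/rsyslog.conf \
        || echo "local2.debug      /var/log/sudo.log" >>/etc/rsyslog.conf
#Sudo authorization
if [ "$rc" -eq 0 ];then
        action "Sudo authorization" /bin/true
else
        action "Sudo authorization" /bin/false
fi
}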

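update_time(){
#Update time
# One-shot sync now; the cron entry keeps drift under 5 minutes. NTP from a
# public pool is unauthenticated — prefer an internal time source where one
# exists, since log timestamps and certificate checks depend on this clock.
local cron_job='*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1'
if /usr/sbin/ntpdate pool.ntp.org &>/dev/null; then
        action "Update time" /bin/true
else
        action "Update time" /bin/false
fi
# Append the cron entry only once so re-running the script does not stack duplicates.
if ! grep -qF -- "$cron_job" /var/spool/cron/root 2>/dev/null; then
        echo '#Update time' >>/var/spool/cron/root
        echo "$cron_job" >>/var/spool/cron/root
fi
}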

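set_file_limit(){
#set the file limit
local rc=0
# Raise the open-file limit for this shell (hard and soft together).
ulimit -HSn 65535 || rc=1
# Persist it for new logins, appending only when no such entry exists yet so a
# re-run does not pile up duplicate lines.
if ! grep -qE '^\*[[:space:]]+(-|soft|hard)[[:space:]]+nofile' /etc/security/limits.conf; then
cat >> /etc/security/limits.conf << EOF
*                -       nofile          65535
EOF
        [ $? -eq 0 ] || rc=1
fi
if [ "$rc" -eq 0 ];then
        action "Set file limit" /bin/true
else
        action "Set file limit" /bin/false
fi
#tail -2 /etc/security/limits.conf
}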


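kernel(){
#tune kernel parametres
# Append the tuning block once (marker: the nf_conntrack_max line the check
# below already looks for), then load it. The net.netfilter.* keys only exist
# while the conntrack module is loaded; with iptables stopped in step 1,
# `sysctl -p` reports them as unknown, which is why its output is discarded.
if ! grep -q '^net.nf_conntrack_max = 25000000' /etc/sysctl.conf; then
cat >> /etc/sysctl.conf << EOF
vm.swappiness = 0
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000     65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max=25000000
net.netfilter.nf_conntrack_tcp_timeout_established=180
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120
EOF
fi
/sbin/sysctl -p &>/dev/null
if grep -q "net.nf_conntrack_max = 25000000" /etc/sysctl.conf; then
        action "Tune kernel parametres" /bin/true
else
        action "Tune kernel parametres" /bin/false
fi
}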

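# Run the steps. The sudo account is created before ssh() disables root login,
# so a failure in sudo() is visible while root can still log in remotely.
close_iptables_selinux
update_yum_repo
service
sudo
ssh
update_time
set_file_limit
kernel

cat << EOF
+-------------------------------------------------+
|               optimizer is done                 |
|   it's recommended to restart this server !     |
+-------------------------------------------------+
EOF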
