#!/bin/bash
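# Base tooling for the rest of the script. The wildcard package names are
# quoted so that yum, not the shell, expands them: unquoted, a file in the
# current directory matching gcc* or yum-plugin* would silently replace the
# pattern on the command line. nmap and telnet are diagnostic clients; review
# whether a hardened host needs them installed permanently.
yum -y install ntp 'yum-plugin*' nmap telnet lrzsz 'gcc*'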
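#######################################
# Kernel parameter tuning for high-concurrency services (nginx, varnish, lvs).
# Rewrites the sysctl configuration file from the template below and applies
# it. The function name shadows the sysctl(8) binary, so the apply step must
# keep using the full path /sbin/sysctl.
# Arguments: $1 - sysctl config file to write (default /etc/sysctl.conf)
# Outputs:   a timestamped backup of the previous file next to it, if one existed
# Returns:   exit status of `sysctl -p`
#######################################
sysctl() {
  local conf=${1:-/etc/sysctl.conf}
  # Keep the distribution file around; the template replaces it completely.
  if [[ -f "$conf" ]]; then
    cp -a -- "$conf" "${conf}.bak.$(date +%Y%m%d%H%M%S)"
  fi
  # The template is written verbatim: the delimiter is quoted so nothing in it
  # is expanded, and it must match the terminator exactly (the original used
  # `<<eof` with an `EOF` terminator, which never closes the here-document).
  # NOTE(review): net.ipv4.tcp_tw_recycle drops connections from clients
  # behind NAT and was removed in Linux 4.12, where `sysctl -p` reports it as
  # an unknown key; it is kept here as the author set it.
  cat > "$conf" <<'EOF'
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# 不开启路由转发功能
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0
# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536
# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
#开启重复使用,允许TIME-WAIT socket重新用于tcp连接
net.ipv4.tcp_tw_reuse = 1
#开启TIME-WAIT连接的快速回收
net.ipv4.tcp_tw_recycle = 1
#表示如果套接字由本端要求关闭,这个参数决定了它保持在FIN-WAIT-2状态的时间
net.ipv4.tcp_fin_timeout = 30
#内核放弃建立连接之前发送SYN包的数量
net.ipv4.tcp_syn_retries = 2
#当keepalive启用时,tcp发送keepalive的频度
net.ipv4.tcp_keepalive_time = 1200
#本端试图关闭TCP连接之前重试多少次
net.ipv4.tcp_orphan_retries = 3
#该参数决定了,网络设备接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 3000
# 为了打开对端的连接,内核需要发送一个SYN并附带一个回应前面一个SYN的ACK,也就是所谓三次握手中的第二次握手。这个设置决定了内核放弃连接之前发送SYN+ACK包的数量
net.ipv4.tcp_synack_retries = 2
#文件句柄的最大数量。文件句柄设置表示在linux系统中可以打开的文件数量
fs.file-max=65535
#网络连接可以使用的端口范围
net.ipv4.ip_local_port_range = 1024 65535
#网络连接可以等待的队列数
net.ipv4.tcp_max_syn_backlog = 8192
#表示系统同时保持TIME_WAIT套接字的最大数量,如果超过这个数字,TIME_WAIT套接字将立刻被清除并打印警告信息
net.ipv4.tcp_max_tw_buckets = 6000
#接收套接字缓冲区大小的最大值单位字节
net.core.rmem_max = 8388608
#接收套接字缓冲区大小的缺省值单位字节
net.core.rmem_default = 65536
#发送套接字缓存区大小的最大值单位字节
net.core.wmem_max = 8388608
#发送套接字缓冲区大小的缺省值单位字节
net.core.wmem_default = 65536
#低于net.ipv4.tcp_mem[0]值,TCP没有内存压力.
#低于net.ipv4.tcp_mem[1]值,进入内存压力阶段.
#高于net.ipv4.tcp_mem[2]值,TCP拒绝分配socket.
net.ipv4.tcp_mem = 16777216 16777216 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
#此值调整使用物理内存和交换空间的概率,越小使用交换空间的概率越小,若是内存对内存有强烈依赖的服务可设为0 如mysql\redis
vm.swappiness=20
EOF
  /sbin/sysctl -p "$conf"
}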
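#######################################
# Boot to runlevel 3 and disable the Ctrl-Alt-Del reboot hook (upstart job).
# Must run before purview(), which makes /etc/inittab immutable.
# Arguments: $1 - inittab path (default /etc/inittab; the original wrote
#                 /etc/initab, which does not exist, so the edit never applied)
#            $2 - upstart control-alt-delete job
#                 (default /etc/init/control-alt-delete.conf)
# Returns:   status of the last sed
#######################################
initab() {
  local inittab=${1:-/etc/inittab}
  local cad_job=${2:-/etc/init/control-alt-delete.conf}
  sed -i 's/^id:5:initdefault:/id:3:initdefault:/' -- "$inittab"
  # Anchored so a second run does not produce "##start on ...".
  sed -i 's/^start on control-alt-delete/#start on control-alt-delete/' -- "$cad_job"
}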
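#######################################
# Mark the account database files and inittab immutable (chattr +i), then
# rename the chattr binary. Immutable /etc/passwd and /etc/shadow make
# passwd(1), useradd(8) and similar tools fail until the flag is cleared with
# `/usr/bin/bdmlcha -i <file>`. Renaming the binary only hides it; it is not a
# control against anyone who already holds root.
# Returns:   status of the last command
#######################################
purview() {
  local f
  for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab; do
    chattr +i "$f"
  done
  # Guarded so a second run does not fail on the already-renamed binary.
  if [[ -x /usr/bin/chattr ]]; then
    mv -- /usr/bin/chattr /usr/bin/bdmlcha
  fi
}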
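#######################################
# Set SELINUX=disabled in the SELinux config (takes effect on the next boot).
# The pattern is anchored to the directive so a file currently set to
# permissive is changed too; the original matched only "enforcing".
# Disabled removes mandatory access control entirely; permissive keeps the
# policy loaded and logs AVC denials if only enforcement is unwanted.
# Arguments: $1 - config path (default /etc/selinux/config)
# Returns:   status of sed
#######################################
selinux() {
  local conf=${1:-/etc/selinux/config}
  sed -i 's/^SELINUX=.*/SELINUX=disabled/' -- "$conf"
}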
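#######################################
# Schedule a daily ntpdate run against one server and write the system time
# to the hardware clock. The cron line is written straight into root's spool
# file, deduplicated so re-runs do not add a second job, and the file is kept
# at mode 0600 as crontab(1) would. ntpdate as used here is unauthenticated
# and pins a single server; the ntp package installed earlier (ntpd with
# several servers) would be the more robust choice. The function name shadows
# the ntpdate binary, so the cron line must keep the full /usr/sbin path.
# Arguments: $1 - NTP server (default 210.72.145.44)
#            $2 - crontab spool file (default /var/spool/cron/root)
# Returns:   status of `clock -w`
#######################################
ntpdate() {
  local server=${1:-210.72.145.44}
  local cronfile=${2:-/var/spool/cron/root}
  local job="0 4 * * * /usr/sbin/ntpdate $server > /dev/null 2>&1"
  if ! grep -qxF -- "$job" "$cronfile" 2>/dev/null; then
    printf '%s\n' "$job" >> "$cronfile"
    chmod 600 -- "$cronfile"
  fi
  clock -w
}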
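#######################################
# Raise the per-process open-file limit for all users via limits.conf.
# The entry is appended once (re-runs do not duplicate it); note that the `*`
# wildcard in limits.conf does not cover root.
# NOTE(review): the final echo only prints "ulimit -SHn 102400" to stdout;
# presumably it was meant to be appended to /etc/profile or /etc/rc.local —
# confirm before changing. The function name shadows the ulimit builtin, so
# never call `ulimit` inside it (that would recurse).
# Arguments: $1 - limits file (default /etc/security/limits.conf)
# Outputs:   the ulimit command line on stdout
# Returns:   0
#######################################
ulimit() {
  local limits=${1:-/etc/security/limits.conf}
  local entry='* - nofile 102400'
  if ! grep -qxF -- "$entry" "$limits" 2>/dev/null; then
    printf '%s\n' "$entry" >> "$limits"
  fi
  echo "ulimit -SHn 102400"
}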
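#######################################
# Switch the system locale to zh_CN.GB18030 and load it into this shell.
# Fixes three defects in the original: `sed-i` (missing space, so the command
# was not found), an unterminated quote in the replacement (it wrote
# LANG="zh_CN.GB18030 without the closing quote, which breaks the sourced
# file) and `source/etc/...` (missing space).
# Arguments: $1 - i18n file (default /etc/sysconfig/i18n)
# Returns:   status of source
#######################################
lang() {
  local conf=${1:-/etc/sysconfig/i18n}
  sed -i 's/^LANG="en_US.UTF-8"/LANG="zh_CN.GB18030"/' -- "$conf"
  # shellcheck disable=SC1090
  source "$conf"
}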
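#######################################
# Harden sshd_config: no empty passwords, no root login, no reverse DNS
# lookups, listener moved to a non-default port; then restart sshd.
# The sed patterns match each directive whether or not it is commented out;
# the original matched only the stock commented defaults, so an already
# customised file was left untouched. The file is validated with `sshd -t`
# before the restart so a bad config does not take sshd down.
# When run over a remote session: a non-root account able to sudo must exist
# (PermitRootLogin no) and the new port must be allowed by the host firewall,
# otherwise the session cannot be re-established after the restart.
# The function name shadows the ssh client binary.
# Arguments: $1 - listening port (default 32168)
#            $2 - sshd_config path (default /etc/ssh/sshd_config)
# Returns:   1 on a non-numeric port or failed validation, else the restart status
#######################################
ssh() {
  local port=${1:-32168}
  local conf=${2:-/etc/ssh/sshd_config}
  # The port is interpolated into a sed script, so accept digits only.
  if [[ ! "$port" =~ ^[0-9]+$ ]]; then
    printf 'ssh: invalid port %s\n' "$port" >&2
    return 1
  fi
  sed -i \
    -e 's/^#*PermitEmptyPasswords .*/PermitEmptyPasswords no/' \
    -e 's/^#*PermitRootLogin .*/PermitRootLogin no/' \
    -e 's/^#*UseDNS .*/UseDNS no/' \
    -e "s/^#*Port .*/Port $port/" \
    -- "$conf"
  if ! /usr/sbin/sshd -t -f "$conf"; then
    printf 'ssh: %s failed validation, sshd not restarted\n' "$conf" >&2
    return 1
  fi
  service sshd restart
}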
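#######################################
# Reduce the spawned virtual consoles from tty1-6 to tty1-2 in the upstart job.
# The pattern is narrowed to the tty[1-6] range; the original replaced the
# first "6]" found anywhere in the file.
# NOTE(review): /etc/sysconfig/init presumably also sets ACTIVE_CONSOLES and
# would override this edit — confirm on the target release.
# Arguments: $1 - job file (default /etc/init/start-ttys.conf)
# Returns:   status of sed
#######################################
tty() {
  local conf=${1:-/etc/init/start-ttys.conf}
  sed -i 's/tty\[1-6\]/tty[1-2]/' -- "$conf"
}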
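#######################################
# Disable every SysV service, then re-enable a whitelist at runlevels 3 and 5.
# `chkconfig --list` also prints an xinetd section and header lines whose
# first field is not a service name; the awk filter keeps only lines whose
# second field is a "0:on"/"0:off" runlevel cell. The original fed `$1` of
# every line to chkconfig, unquoted, from a backtick substitution.
# Arguments: $@ - services to keep enabled (default: sshd messagebus rngd
#                 network crond rsyslog irqbalance lvm2-monitor)
# Returns:   status of the last chkconfig
#######################################
services() {
  local keep=("$@")
  if (( ${#keep[@]} == 0 )); then
    keep=(sshd messagebus rngd network crond rsyslog irqbalance lvm2-monitor)
  fi
  local svc
  while IFS= read -r svc; do
    chkconfig "$svc" off
  done < <(chkconfig --list | awk '$2 ~ /^0:/ { print $1 }')
  for svc in "${keep[@]}"; do
    chkconfig --level 35 "$svc" on
  done
}

#######################################
# Entry point. Every step edits files under /etc or restarts services, so
# refuse to run unprivileged instead of failing part-way through. The order
# matters: initab() must precede purview(), which makes /etc/inittab
# immutable and renames chattr.
#######################################
main() {
  if (( EUID != 0 )); then
    printf '%s: must be run as root\n' "${0##*/}" >&2
    exit 1
  fi
  sysctl
  initab
  purview
  ntpdate
  ulimit
  ssh
  lang
  tty
  services
}
main "$@"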