linux基础优化
----------------------------------------------------
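# Static IPv4 config for eth0. The heredoc in the original notes had no closing
# EOF, so the "network restart" line below was written into ifcfg-eth0 instead of
# being run. Addresses are the lab values from these notes — adjust per host.
cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << 'EOF'
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.113
NETMASK=255.255.255.0
ONBOOT=yes
GATEWAY=192.168.1.1
EOF
# apply the new address (may drop the current session if you are connected via eth0)
/etc/init.d/network restart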
2.修改DNS配置,注意不要在网卡配置里设置DNS参数,不要配置/etc/hosts
----------------------------------------------------------------------------------
# DNS resolvers go into resolv.conf directly (not into ifcfg-eth0, see note above);
# one append instead of three echos, same bytes written.
cat >> /etc/resolv.conf <<'EOF'
search local.com
nameserver 192.168.1.200
nameserver 192.168.1.201
EOF
/etc/init.d/network restart
---------------------------------------------
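# Base tooling and the 163 mirror repo for CentOS 6. The .repo file arrives over plain
# HTTP, so compare it with a known-good copy before relying on it: a tampered repo file
# can point yum at any mirror. Package signatures are still verified by gpgcheck if the
# repo file enables it.
yum -y install wget vim
mkdir -p /soft
# chained so that a failed download cannot leave CentOS-Base.repo renamed away
cd /etc/yum.repos.d/ \
  && wget http://mirrors.163.com/.help/CentOS6-Base-163.repo \
  && /bin/mv CentOS-Base.repo CentOS-Base.repo.bak \
  && /bin/mv CentOS6-Base-163.repo CentOS-Base.repo
# import the vendor keys shipped with the OS so signed packages verify
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
yum clean all
# builds the package index up front; optional, yum does it on demand
yum makecache
# required tools (sysstat was listed twice in the notes)
yum install ntpdate lsof dos2unix nmap nc sysstat gcc-c++ lrzsz openssl-devel openssl tree setuptool expect man rsync -y
#yum groupinstall "Compatibility libraries" "Base" "Development tools" -y
#yum groupinstall "Performance Tools" "debugging Tools" "Dial-up Networking Support" -y
#yum upgrade -y
# "yum upgrade -y" moves the whole system to the next point release (e.g. 6.4 -> 6.5),
# which is why it is deliberately left out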
----------------------------------------
刚装完操作系统可以只保留crond,network,syslog,sshd这四个服务。(Centos6.4为rsyslog)
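# Minimal service set after install: switch everything off at runlevel 3, then
# re-enable only crond/network/rsyslog/sshd (syslog on releases before 6.4).
# LANG=en keeps chkconfig's output in English so the "3:on" match works.
# NOTE(review): this also disables iptables and auditd if they are installed —
# decide explicitly whether this host should keep them.
LANG=en
for service in $(chkconfig --list | awk '/3:on/ {print $1}'); do
  chkconfig --level 3 "$service" off
done
chkconfig --list | grep 3:on
for service in crond network rsyslog sshd; do
  chkconfig --level 3 "$service" on
done
chkconfig --list | grep 3:on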
---------------------------------------------------------------------------------------------------
本优化点在 CentOS 6.4 上可以忽略,无需操作。
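# Purge stale sendmail clientmqueue files every 10 minutes from root's crontab
# (not needed on CentOS 6.4 per the note above).
mkdir -p /server/scripts
cat > /server/scripts/spool_clean.sh << 'EOF'
#!/bin/sh
# -exec ... + copes with an empty result and odd filenames; "| xargs rm -f" errors on an empty list
find /var/spool/clientmqueue/ -type f -mtime +30 -exec rm -f -- {} +
EOF
# guarded so re-running the notes does not stack duplicate cron entries
# (stderr silenced only because the spool file may not exist yet)
grep -qF spool_clean.sh /var/spool/cron/root 2>/dev/null \
  || echo '*/10 * * * * /bin/sh /server/scripts/spool_clean.sh >/dev/null 2>&1' >> /var/spool/cron/root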
--------------------------------------------------------------------------------
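# sshd hardening: no root login, no empty passwords, no reverse DNS lookup on connect.
# NOTE(review): PermitRootLogin no only helps if another account can still log in and
# escalate; keep this session open and verify a fresh login before closing it.
/bin/cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sed -i 's%#PermitRootLogin yes%PermitRootLogin no%g' /etc/ssh/sshd_config
sed -i 's%#PermitEmptyPasswords no%PermitEmptyPasswords no%g' /etc/ssh/sshd_config
sed -i 's%#UseDNS yes%UseDNS no%g' /etc/ssh/sshd_config
grep -E 'Port 22|PermitRootLogin no|PermitEmptyPasswords no|UseDNS no' /etc/ssh/sshd_config
# syntax-check first so a bad edit is never loaded into the running daemon
sshd -t && /etc/init.d/sshd reload
netstat -lntup
lsof -i tcp:22
## optional: move sshd off port 22 (open the firewall port before reloading)
## sed -i 's%#Port 22%Port 52113%g' /etc/ssh/sshd_config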
9、锁定关键文件系统
-----------------------------------------
# Make the account databases and inittab immutable (chattr +i): nothing, root
# included, can modify them until the flag is lifted with "chattr -i". Any later
# useradd/passwd/groupadd call on this host will fail while the flag is set.
chattr +i /etc/passwd /etc/inittab /etc/group /etc/shadow /etc/gshadow
----------------------------------------------------------------
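# Raise the open-file limit for all users (via limits.conf) and for the current shell.
# Guarded so re-running the notes does not stack duplicate lines in limits.conf.
grep -qF -- '* - nofile 65535' /etc/security/limits.conf \
  || echo '* - nofile 65535' >> /etc/security/limits.conf
ulimit -HSn 65535
ulimit -n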
文件描述符在形式上是一个非负整数。实际上,它是一个索引值,指向内核为每一个进程所维护的该进程打开文件的记录表。当程序打开一个现有文件或者创建一个新文件时,内核向进程返回一个文件描述符。在程序设计中,一些涉及底层的程序编写往往会围绕着文件描述符展开。但是文件描述符这一概念往往只适用于Unix、Linux这样的操作系统。
习惯上,标准输入(standard input)的文件描述符是 0,标准输出(standard output)是 1,标准错误(standard error)是 2。尽管这种习惯并非Unix内核的特性,但是因为一些 shell 和很多应用程序都使用这种习惯,因此,如果内核不遵循这种习惯的话,很多应用程序将不能使用。
--------------------------------------------------------------
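# Switch the system locale to zh_CN.GB18030.
cat /etc/sysconfig/i18n
# LANG="en_US.UTF-8"   <- expected output of the cat above (it was a bare line in the notes, not a command)
sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.GB18030"#' /etc/sysconfig/i18n
source /etc/sysconfig/i18n
# the terminal (CRT) character set must also be zh_CN.GB18030; choosing "default" in the session settings is enough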
简单的说就是一套文字符号及其编码。常用的字符集有:
GBK 定长双字节不是国际标准,支持系统不少
UTF-8 非定长 1-4字节广泛支持,MYSQL也使用UTF-8
-----------------------------------------------------------------
# (optional, commented out) blank the release banners so the OS version is not shown
# to whoever reaches the login prompt
# >/etc/redhat-release
# >/etc/issue
/bin/cp /etc/sysctl.conf /etc/sysctl.conf.bak
# bridge module loaded first — presumably because the stock sysctl.conf carries
# net.bridge.* keys that make "sysctl -p" complain when the module is absent; verify
modprobe bridge
lsmod|grep bridge
# TCP/connection-table tuning, appended (re-running the notes duplicates these lines).
# NOTE(review): tcp_tw_recycle is widely reported to drop connections from clients
# behind NAT, and tcp_syn_retries / tcp_synack_retries = 1 give up after a single
# retransmit — confirm these suit the workload before applying on a public-facing host.
cat >>/etc/sysctl.conf <<EOF
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
EOF
sysctl -p
# Kernel tuning for the CentOS 6.4 firewall (conntrack table size and TCP state
# timeouts). nf_conntrack_max = 25,000,000 entries pins a large amount of kernel
# memory — presumably sized for a busy gateway; check free memory before applying.
cat >>/etc/sysctl.conf <<EOF
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
sysctl -p
=============================
# A larger, more aggressive parameter set — NOT applied by the author ("not familiar
# with it yet"); kept for reference. It overlaps with the block above (tcp_tw_recycle,
# tcp_tw_reuse, port range, ...) so applying both would append conflicting values.
/bin/cp /etc/sysctl.conf /etc/sysctl.conf.bak
modprobe bridge
lsmod|grep bridge
cat >>/etc/sysctl.conf <<EOF
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_wmem = 4096 87380 16777216
net.ipv4.tcp_rmem = 4096 65536 16777216
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
EOF
sysctl -p
=================================
14.安装snmp,并设置相关参数
---------------------------------------------
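# net-snmp agent. The glob is quoted so a file named net-snmp* in the cwd cannot be
# expanded by the shell (yum matches the wildcard itself); "ll" is an interactive
# alias and is not defined in scripts.
yum -y install 'net-snmp*'
ls -l /etc/snmp/snmpd.conf
# NOTE(review): "cisco" is the v1/v2c community string and is sent in cleartext.
# MyRWGroup grants write access (noauth) to anything reaching the agent from
# localhost, and any host in 192.168.0.0/16 that knows the string gets read access.
# Pick a site-specific string and prefer SNMPv3 (usm) with authentication.
# The "exec" lines run scripts under /root on every poll — they must exist and must
# not be writable by other users.
cat >/etc/snmp/snmpd.conf <<'EOF'
com2sec local localhost cisco
com2sec mynetwork 192.168.0.0/16 cisco
group MyRWGroup v1 local
group MyRWGroup v2c local
group MyRWGroup usm local
group MyROGroup v1 mynetwork
group MyROGroup v2c mynetwork
group MyROGroup usm mynetwork
view all included .1 80
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none
syslocation etiantian.org
syscontact Me <[email protected]>
proc mountd
proc ntalkd 4
proc sendmail 10 1
proc httpd 10 1
exec echotest /bin/echo hello world
exec disk_used_shell /bin/sh /root/current_disk_used.sh
exec httpd_proc /bin/sh /root/current_httpd_proc.sh
disk / 10000
disk /boot 10000
load 12 14 14
EOF
/etc/init.d/snmpd restart
# confirm the agent is listening (udp/161)
lsof -i :161
lsof -i udp:161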
15.安装NAGIOS客户端并设置相关参数
---------------------------------------------
1.解决perl插件编译安装问题
# Force the C locale for every login shell so the Perl plugin builds below are not
# tripped up by locale settings. This is profile-wide and therefore affects all users.
printf '%s\n' 'export LC_ALL=C' >> /etc/profile
. /etc/profile
printf '%s\n' "$LC_ALL"
2.客户端添加nagios用户
# Service account for the Nagios plugins: no home directory (-M), no interactive shell.
# NOTE(review): this fails if /etc/passwd, /etc/shadow and friends were made immutable
# by the chattr +i step earlier; lift the flag (chattr -i) first and re-apply it after.
/usr/sbin/useradd -M -s /sbin/nologin nagios
3.安装客户端nagios-plugins-1.4.16.tar.gz
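# Build nagios-plugins 1.4.16 from the internal mirror. Steps are chained so that a
# failed download or cd can no longer run "make install" (as root) from the wrong
# directory. The tarball arrives over plain HTTP — verify it against a known checksum
# (placeholder: <EXPECTED_SHA256>) before building.
yum -y install perl-CPAN
cd /soft \
  && wget http://soft.local.com/nagios-plugins-1.4.16.tar.gz \
  && tar zxf nagios-plugins-1.4.16.tar.gz \
  && cd nagios-plugins-1.4.16 \
  && ./configure --with-nagios-user=nagios --with-nagios-group=nagios --enable-perl-modules \
  && make \
  && make install
# if configure fails, pointing it at the MySQL install (--with-mysql=/var/lib/mysql) may help
# a client running MySQL probably needs --with-mysql anyway, so that the check_mysql plugin is built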
---------------------------------------------
tips:
make clean仅仅是清除之前编译的可执行文件及配置文件。
而make distclean要清除所有生成的文件。
-----------------------------------------
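# "ll" is an interactive alias; use the real command so this works when scripted
ls -l /usr/local/nagios/libexec/check_mysql
# without a MySQL client on this host the check_mysql plugin is probably not built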
4.客户端安装nrpe,因为nagios是主动查询报警
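# Build and install nrpe 2.12 (daemon, plugin and sample config). Chained so that a
# failed step stops the sequence; the single "echo $?" reports the chain's status.
# Same caveat as above: plain-HTTP download, verify the archive before building.
cd /soft \
  && wget http://soft.local.com/nrpe-2.12.tar.gz \
  && tar zxf nrpe-2.12.tar.gz \
  && cd nrpe-2.12 \
  && ./configure \
  && make all \
  && make install-plugin \
  && make install-daemon \
  && make install-daemon-config
echo $?
ls -l /usr/local/nagios/libexec/check_nrpe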
5.安装其它插件,check_iostat需要的依赖包
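# Perl modules check_iostat depends on, built in the order the notes give (keep it —
# later modules may depend on earlier ones). They are fetched over plain HTTP and
# "make install" runs as root, so verify each archive against a known checksum
# (placeholder: <EXPECTED_SHA256>) before building.
perl_modules=(
  Params-Validate-0.91
  Class-Accessor-0.31
  Config-Tiny-2.12
  Math-Calc-Units-1.07
  Regexp-Common-2010010201
  Nagios-Plugin-0.34
)
cd /soft
for module in "${perl_modules[@]}"; do
  wget "http://soft.local.com/${module}.tar.gz"
done
# each module builds in a subshell: a failing step aborts that module only and the
# shell is never left inside a half-extracted directory
for module in "${perl_modules[@]}"; do
  (
    cd /soft \
      && tar zxf "${module}.tar.gz" \
      && cd "$module" \
      && perl Makefile.PL \
      && make \
      && make install
  )
  echo "$module: $?"
done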
6.配置几个基础插件,额外的比较好用的插件
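# Extra plugins shipped as a tarball. "install -m 755" copies and sets the mode in one
# step; dos2unix strips CRLF from the two scripts the notes convert (check_mysql is
# left untouched, as in the original).
cd /soft \
  && wget http://soft.local.com/nagios-scripts.tar.gz \
  && tar zxf nagios-scripts.tar.gz
for plugin in check_iostat check_memory.pl check_mysql; do
  install -m 755 "/soft/${plugin}" /usr/local/nagios/libexec/
done
dos2unix /usr/local/nagios/libexec/check_memory.pl /usr/local/nagios/libexec/check_iostat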
7.修改nrpe的配置文件,配置监控插件
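# nrpe: only the Nagios server (192.168.1.18) may talk to the agent, then register the
# local checks. Assumes the default nrpe.cfg ships allowed_hosts=127.0.0.1.
cp /usr/local/nagios/etc/nrpe.cfg /usr/local/nagios/etc/nrpe.cfg.bak
sed -i 's#allowed_hosts=127.0.0.1#allowed_hosts=192.168.1.18#g' /usr/local/nagios/etc/nrpe.cfg
grep allowed_hosts= /usr/local/nagios/etc/nrpe.cfg
# The notes deleted "line 201, the disk check" by number (sed -i '201d'), which
# silently removes the wrong line as soon as the file shifts. Presumably that line is
# the stock command[check_disk]; remove it by pattern before appending ours.
# Verify with "grep check_disk nrpe.cfg" first if unsure.
sed -i '/^command\[check_disk\]=/d' /usr/local/nagios/etc/nrpe.cfg
cat >> /usr/local/nagios/etc/nrpe.cfg <<'EOF'
command[check_mem]=/usr/local/nagios/libexec/check_memory.pl -w 10% -c 3%
command[check_disk]=/usr/local/nagios/libexec/check_disk -w 15% -c 7% -p /
command[check_swap]=/usr/local/nagios/libexec/check_swap -w 20% -c 10%
command[check_iostat]=/usr/local/nagios/libexec/check_iostat -w 6 -c 10
EOF
grep '^command\[' /usr/local/nagios/etc/nrpe.cfg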
8.启动nrpe
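# Start nrpe: -c names the config file, -d runs it as a standalone daemon
# (default port tcp/5666).
/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -d
pgrep -fl nrpe
# persist across reboots, without stacking duplicate lines when the notes are re-run
grep -qF '/usr/local/nagios/bin/nrpe -c' /etc/rc.local \
  || echo '/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -d' >> /etc/rc.local
lsof -i tcp:5666
# to stop nrpe: -x matches the process name exactly, so a plain "pkill nrpe" no longer
# takes check_nrpe processes down with it
pkill -x nrpe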
16.统一windows域联合认证
-----------------------------------------------
Linux加入windows域
1.安装必要软件
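# Kerberos client plus Samba/winbind for the AD join. The globs are quoted so the
# shell cannot expand them against files in the cwd; yum does the wildcard matching.
# NOTE(review): samba-swat (the web admin UI) is not used by any later step here —
# drop it unless it is actually needed.
yum -y install 'pam_krb5*' 'krb5-libs*' 'krb5-workstation*' 'krb5-devel*' 'krb5-auth*' samba 'samba-winbind*' 'samba-client*' 'samba-swat*'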
2.修改/etc/samba/smb.conf
# Samba/winbind settings for an AD-style (security = ads) join into the LOCAL domain.
# The delimiter is quoted so the %U template macro is written literally. With
# "use default domain = true" and separator "/", domain users and groups appear
# under their bare names; "enum users/groups = Yes" presumably is what lets the
# wbinfo -u / -g listings further down work.
cat <<'EOF' > /etc/samba/smb.conf
[global]
workgroup = LOCAL
password server = DC.LOCAL.COM
realm = LOCAL.COM
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = true
template homedir = /home/%U
winbind separator = /
winbind enum users = Yes
winbind enum groups = Yes
EOF
3.修改/etc/krb5.conf
# Kerberos client config: realm LOCAL.COM, KDC and admin server on DC.LOCAL.COM,
# DNS-based realm/KDC lookup enabled, 24h tickets renewable for 7 days.
cat <<'EOF' > /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LOCAL.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
LOCAL.COM = {
kdc = DC.LOCAL.COM
admin_server = DC.LOCAL.COM
default_domain = LOCAL.COM
}
[domain_realm]
.local.com = LOCAL.COM
local.com = LOCAL.COM
EOF
4.修改/etc/nsswitch.conf
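# Let NSS resolve users/groups through winbind after the local files. The stock
# nsswitch.conf may pad "passwd:" with several spaces, in which case the literal
# "passwd: files" pattern from the notes never matches; match any whitespace instead
# and skip databases that already list winbind so re-runs do not duplicate it.
for db in passwd shadow group; do
  grep -q "^${db}:.*winbind" /etc/nsswitch.conf \
    || sed -i "s#^\(${db}:[[:space:]]*files\)#\1 winbind#" /etc/nsswitch.conf
done
# expected result (these were bare lines in the notes, not commands):
# passwd: files winbind
# shadow: files winbind
# group: files winbind
grep -E '^(passwd|shadow|group):' /etc/nsswitch.conf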
5.设置开机自动启动
# Enable smb and winbind at boot, show what is on at runlevel 3, then restart both.
for svc in smb winbind; do
  chkconfig "$svc" on
done
chkconfig --list | grep 3:on
for svc in smb winbind; do
  /etc/init.d/"$svc" restart
done
6.通过SETUP配置认证方式,通过修改文本需要配置的地方太多,不建议
1.使用setup配置工具,并选择“验证配置”,选择下面三项:按F12直接下一步
“use winbind” ##对应中文“使用winbind”
“use kerberos” ##对应中文“使用kerberos”
“use winbind authentication” ##对应中文“使用winbind验证”
2.然后点击【下一步】,按如下填写:
域:LOCAL.COM
KDC:DC.LOCAL.COM
管理服务器:DC.LOCAL.COM
勾选下面两个选项。
3.再次点击【下一步】,按如下选择或填写:
安全模型:ads
域:LOCAL ##注意大写
域控制器: DC.LOCAL.COM
ADS域: LOCAL.COM
模板Shell: /bin/bash
6.加入域,需要重启才能生效
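# Join the domain, and reboot only if the join succeeded so a failed join is not
# hidden behind the restart. The account shown is the redacted one from the notes —
# substitute an account allowed to join machines.
net ads join -U [email protected] && reboot
# the DNS server needs an A record for this host, otherwise the join reports an error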
7.检查加域信息
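# Verify the join.
wbinfo -t
# expected output: "checking the trust secret via RPC calls succeeded" — the machine trust is established
# (that line was a bare, non-command line in the notes)
wbinfo -u
# wbinfo -u lists the accounts registered in AD
wbinfo -g
# wbinfo -g returns the AD groups
wbinfo -m
# the notes describe this as "built-in / default groups"; wbinfo -m normally lists trusted domains — verify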
8.修改visudo将域用户加入sudo
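# Grant the AD group "yyy" sudo rights. The rule is validated in a scratch copy with
# "visudo -cf" before it is written back, because a syntax error in /etc/sudoers
# disables sudo for everyone. "yyy" is a Windows security group, not an OU; with
# "winbind use default domain = true" and separator "/" (smb.conf above) the bare
# group name is what NSS returns.
# NOTE(review): NOPASSWD: ALL gives every member unprompted root; narrow the command
# list or drop NOPASSWD unless membership of the group is tightly controlled.
sudoers_tmp=$(mktemp) \
  && cat /etc/sudoers > "$sudoers_tmp" \
  && echo " %yyy ALL=(ALL) NOPASSWD: ALL" >> "$sudoers_tmp" \
  && visudo -cf "$sudoers_tmp" \
  && cat "$sudoers_tmp" > /etc/sudoers
[[ -n "$sudoers_tmp" ]] && rm -f -- "$sudoers_tmp"
visudo -c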
9.解决域用户登录后没有家目录的问题
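# Create the home directory at first login for domain users (umask 0077 keeps it
# private to the owner). Guarded so the line is not duplicated on re-runs.
# NOTE(review): system-auth is regenerated by the setup/authconfig tool used in step 6;
# if that tool is run again, re-check that this line survived.
for pam_file in /etc/pam.d/system-auth /etc/pam.d/sshd; do
  grep -q pam_mkhomedir.so "$pam_file" \
    || echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" >> "$pam_file"
done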
10.关于Linux虚拟机的复制
1.rm -rf /etc/udev/rules.d/70-persistent-net.rules
2.修改主机名和IP地址
3.修改web服务器的主机头别名alias
4.重新运行net ads join -U [email protected]
5.建议在做虚拟机模板前不要先加域,非常重要
17.
------------------------------------------------------