linux基础优化

linux基础优化

1、修改ip地址、网关、主机名、DNS

----------------------------------------------------

# Static IPv4 settings for eth0 (CentOS 6 ifcfg format). Address, mask and
# gateway are site-specific: change them before running. The quoted delimiter
# keeps the heredoc literal, so nothing in it is expanded by the shell.
cat <<'EOF' > /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.113
NETMASK=255.255.255.0
ONBOOT=yes

GATEWAY=192.168.1.1

EOF

# Re-read the interface files. This drops the current connection, so run it
# from the console or be ready to reconnect on the new address.
/etc/init.d/network restart

2.修改DNS配置,注意不要在网卡配置里设置DNS参数,不要配置/etc/hosts

----------------------------------------------------------------------------------

# Resolver setup: one search domain and two nameservers, appended to
# /etc/resolv.conf (re-running this section appends the same lines again).
printf '%s\n' \
  'search local.com' \
  'nameserver 192.168.1.200' \
  'nameserver 192.168.1.201' >> /etc/resolv.conf

# resolv.conf is read directly and does not need a restart; the restart is
# kept from the original. Presumably the reason the text above says to keep
# DNS out of the NIC config is that the network scripts would otherwise
# rewrite resolv.conf on restart — confirm on the target release.
/etc/init.d/network restart

3.关闭防火墙(注意:停止iptables后主机对外完全开放,生产环境建议改为只放行必要端口;另外后文的nf_conntrack内核参数依赖conntrack模块,停止iptables后该模块可能被卸载)

------------------------------------------

/etc/init.d/iptables stop

4.关闭SELINUX(注意:这会失去强制访问控制这一层保护;若只是个别服务不兼容,优先考虑permissive或修正策略,而不是直接disabled)

------------------------------------

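# Put SELinux in permissive mode now and disable it at next boot.
# WARNING: this removes the mandatory-access-control layer for every service
# on the host. If only one workload cannot run confined, prefer fixing its
# policy (or SELINUX=permissive, which keeps logging denials) over disabled.
setenforce 0

# Rewrite the SELINUX= line whatever its current value is. The original
# pattern only matched "enforcing", so a file already set to "permissive"
# was silently left unchanged and SELinux came back at the next boot.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

# Verify: the persisted setting, then the live mode (expected: Permissive
# until reboot).
grep '^SELINUX=disabled' /etc/selinux/config
getenforce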

5.修改主机名,建议以“主机名+域名”的方式

-----------------------------------------

# Persistent hostname in FQDN form (as the heading recommends), plus the
# running kernel hostname so the change shows up without a reboot.
fqdn='C07.local.com'

cat <<EOF > /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=${fqdn}

EOF

hostname "$fqdn"

6.更新yum源及必要软件安装

---------------------------------------------

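# Base tools first (wget is needed for the mirror file below).
yum -y install wget vim

# Working directory for the sources downloaded in later sections.
mkdir -p /soft

# Replace the stock CentOS-Base.repo with the 163 mirror definition.
# Download to a temporary name and only swap files once the download has
# succeeded: the original renamed the stock repo away *before* fetching the
# replacement, so a failed download left the host with no base repo at all.
cd /etc/yum.repos.d/ || exit 1
wget -O CentOS6-Base-163.repo.tmp http://mirrors.163.com/.help/CentOS6-Base-163.repo || exit 1

# The repo file arrives over plain HTTP with no signature, so anyone on the
# path can hand us arbitrary repository URLs. Read it, and make sure it
# keeps gpgcheck=1 so package signatures are still verified on install.
grep -q '^gpgcheck=1' CentOS6-Base-163.repo.tmp || \
  echo 'WARNING: gpgcheck=1 not found in the mirror repo file - review it before use' >&2

/bin/mv CentOS-Base.repo CentOS-Base.repo.bak
/bin/mv CentOS6-Base-163.repo.tmp CentOS-Base.repo

# Import the locally shipped CentOS signing keys so gpgcheck can work.
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

yum clean all
yum makecache
# yum makecache only rebuilds the package index; it is optional.

# Commonly needed tools (the original listed sysstat twice).
yum install ntpdate lsof dos2unix nmap nc sysstat gcc-c++ lrzsz openssl-devel openssl tree setuptool expect man rsync -y

#yum groupinstall "Compatibility libraries" "Base" "Development tools" -y
#yum groupinstall "Performance Tools" "debugging Tools" "Dial-up Networking Support" -y

#yum upgrade -y

# Install the necessary software.

# "yum upgrade -y" moves the whole release forward (e.g. 6.4 -> 6.5), which
# is why it is deliberately left commented out.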

7.同步时间,DC可以做时间服务器,并写入BIOS

-----------------------------------------------

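# Every 5 minutes: step the clock from the domain controller, then write it
# to the hardware clock.
# Fixed "2 >&1" (a space after the 2): as written, the original passed a
# literal "2" as an extra argument to both ntpdate and hwclock and left
# stderr going to cron mail instead of /dev/null.
# Caveat: ntpdate is an unauthenticated query — anyone who can answer as
# dc.local.com on the network can move this host's clock, and with it the
# validity window of the Kerberos tickets used for the AD join later on.
# A configured ntpd/chrony client is the better long-term choice.
# Writing /var/spool/cron/root directly bypasses crontab's syntax check.
cat >> /var/spool/cron/root <<'EOF'

*/5 * * * *  /usr/sbin/ntpdate dc.local.com >/dev/null 2>&1;/usr/sbin/hwclock -w >/dev/null 2>&1

EOF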

6、精简开机自启动服务

----------------------------------------

刚装完操作系统可以只保留crond,network,syslog,sshd这四个服务。(Centos6.4为rsyslog)

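# Trim boot-time services at runlevel 3 down to crond, network, rsyslog and
# sshd (rsyslog on CentOS 6.4; older releases call it syslog).
# LC_ALL=C pins chkconfig's output to English so the "3:on" match is
# reliable. The original set "LANG=en", which is not a full locale name and
# only works because glibc falls back to C. Only services currently "on"
# are turned off, which ends in the same state as turning everything off.
# chkconfig edits boot links only: nothing that is running (sshd included)
# is stopped by this.
for svc in $(LC_ALL=C chkconfig --list | awk '/3:on/ {print $1}'); do
  chkconfig --level 3 "$svc" off
done
LC_ALL=C chkconfig --list | grep '3:on'

for svc in crond network rsyslog sshd; do
  chkconfig --level 3 "$svc" on
done

# Expected: exactly the four services above.
LC_ALL=C chkconfig --list | grep '3:on'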

7、定时自动清理/var/spool/clientmqueue/目录垃圾文件,防止inode节点被占满

---------------------------------------------------------------------------------------------------

本优化点,在6.4上可以忽略不需要操作即可!

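# Sendmail's clientmqueue can fill a filesystem's inodes with stale files
# (the text above says this is not needed on 6.4, presumably because it
# no longer runs sendmail).
mkdir -p /server/scripts

# Quoted delimiter: the script text is written literally.
# "-exec rm -f -- {} +" replaces "| xargs rm -f": no breakage on unusual
# filenames, and no "rm -f" invoked with an empty argument list when the
# directory does not exist.
cat <<'EOF' > /server/scripts/spool_clean.sh
#!/bin/sh
find /var/spool/clientmqueue/ -type f -mtime +30 -exec rm -f -- {} +

EOF

# Run every 10 minutes. Skip the crontab line if it is already there so
# re-running this section does not stack duplicate entries.
grep -qF 'spool_clean.sh' /var/spool/cron/root 2>/dev/null || \
  echo '*/10 * * * * /bin/sh /server/scripts/spool_clean.sh >/dev/null 2>&1'>>/var/spool/cron/root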

8、变更默认的ssh服务端口,禁止root用户远程连接

--------------------------------------------------------------------------------

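# Harden sshd: no root login, no empty passwords, no reverse DNS on connect.
/bin/cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

# Match each directive whether it is commented out or already set to some
# other value. The original only rewrote the commented default, so an
# explicit "PermitRootLogin yes" left by someone else survived untouched.
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sed -i 's/^#\?UseDNS .*/UseDNS no/' /etc/ssh/sshd_config

# Show the effective (uncommented) lines. The original egrep also matched
# "#Port 22", so it could not tell a set value from a commented default.
grep -E '^(Port|PermitRootLogin|PermitEmptyPasswords|UseDNS) ' /etc/ssh/sshd_config

# Syntax-check before reloading: a broken file makes the reload fail and
# can leave no sshd accepting new connections. Do this from a session you
# keep open, and only once a non-root account with sudo exists — with
# PermitRootLogin no and no other user, the next login is impossible.
/usr/sbin/sshd -t && /etc/init.d/sshd reload

netstat -lntup
lsof -i tcp:22

## Optional: move sshd off port 22. This hides it from casual scans but is
## not a substitute for a firewall rule; keep the grep above in sync.
## sed -i 's%#Port 22%Port 52113%g' /etc/ssh/sshd_config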

9、锁定关键文件系统

-----------------------------------------
# Make the account database files immutable (chattr +i): even root cannot
# modify or delete them until the flag is lifted with "chattr -i".
# Plan for the side effects: useradd/usermod/passwd/groupadd all fail while
# the flag is set, so the nagios user created further down needs
# "chattr -i" on these files first (and "+i" again afterwards). /etc/inittab
# is in the list too, so runlevel edits are blocked as well.
for f in /etc/passwd /etc/inittab /etc/group /etc/shadow /etc/gshadow; do
  chattr +i "$f"
done

10、调整文件描述符大小

----------------------------------------------------------------

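# Raise the open-files limit (soft and hard) for every account via PAM.
# Guarded so re-running this section does not append a duplicate line.
# Note: limits.conf applies to PAM login sessions; daemons started from
# init or rc.local (NRPE below, for instance) do not inherit it.
grep -qE '^\*[[:space:]]+-[[:space:]]+nofile[[:space:]]+65535' /etc/security/limits.conf || \
  echo '*          -        nofile      65535'  >> /etc/security/limits.conf

# Apply to the current shell now; limits.conf takes effect on new logins.
ulimit -HSn 65535

# Verify (expected: 65535).
ulimit -n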

扩展:文件描述符

文件描述符在形式上是一个非负整数。实际上,它是一个索引值,指向内核为每一个进程所维护的该进程打开文件的记录表。当程序打开一个现有文件或者创建一个新文件时,内核向进程返回一个文件描述符。在程序设计中,一些涉及底层的程序编写往往会围绕着文件描述符展开。但是文件描述符这一概念往往只适用于Unix、Linux这样的操作系统。

习惯上,标准输入(standard input)的文件描述符是 0,标准输出(standard output)是 1,标准错误(standard error)是 2。尽管这种习惯并非Unix内核的特性,但是因为一些 shell 和很多应用程序都使用这种习惯,因此,如果内核不遵循这种习惯的话,很多应用程序将不能使用。

11、调整字符集,使其支持中文

--------------------------------------------------------------

# Switch the system locale to Simplified Chinese (GB18030).
# Current value, expected to be LANG="en_US.UTF-8" on a fresh install:
cat /etc/sysconfig/i18n

i18n=/etc/sysconfig/i18n
sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.GB18030"#' "$i18n"
# Pick the new value up in this shell; login shells get it via /etc/profile.d.
. "$i18n"

# Note: the terminal (SecureCRT here) must use the same character set,
# zh_CN.GB18030 — "default" in the session settings is enough.
# Caveat: any later "export LC_ALL=..." in /etc/profile overrides this LANG
# for every login shell.

扩展:什么是字符集?

简单的说就是一套文字符号及其编码。常用的字符集有:

GBK 定长双字节不是国际标准,支持系统不少

UTF-8 非定长 1-4字节广泛支持,MYSQL也使用UTF-8

12、去除系统及内核版本登录前的屏幕显示

-----------------------------------------------------------------

# Optional, left commented out: empty the release and pre-login banner files
# so the distribution and version are not printed at the console.
# This is cosmetic only — the version is still discoverable elsewhere (the
# sshd version string, package versions, and so on). Some tooling reads
# /etc/redhat-release to detect the OS version; confirm nothing on the host
# depends on it before blanking the file.
# >/etc/redhat-release
# >/etc/issue

13、内核参数优化

----------------------------------------------------------------

说明:本优化适合apache,nginx,squid多种等web应用,特殊的业务也可能需要略作调整。

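# TCP/IP tuning aimed at web front ends (apache, nginx, squid); adjust per
# workload. Like the original this appends unconditionally, so run it once
# (or clean /etc/sysctl.conf first).
/bin/cp /etc/sysctl.conf /etc/sysctl.conf.bak

# The bridge module is loaded but no net.bridge.* key is set below —
# presumably a leftover from a larger template; harmless.
modprobe bridge
lsmod | grep bridge

# Dropped from the original set: net.ipv4.tcp_tw_recycle = 1. With it on,
# SYNs from several clients behind one NAT (whose TCP timestamps differ)
# are silently dropped, so those clients intermittently cannot connect; the
# knob was removed from the kernel in 4.12 for that reason. tcp_tw_reuse
# alone covers the outbound TIME_WAIT case safely.
# Also note: tcp_syn_retries/tcp_synack_retries = 1 allow a single
# retransmit and tcp_fin_timeout = 2 is very short — fine on a clean LAN,
# aggressive on lossy or high-latency paths.
cat <<'EOF' >> /etc/sysctl.conf
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000  65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
EOF
sysctl -p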

#针对CentOS6.4的防火墙内核优化

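# Conntrack tuning for the CentOS 6.4 firewall.
# These keys only exist while the nf_conntrack module is loaded: with
# iptables stopped (section 3, which can unload the module) "sysctl -p"
# fails on them with "No such file or directory". Load the module first.
# Caveat: every tracked connection costs kernel memory, so a 25M-entry
# table is only sensible on a host with RAM to match — size it from the
# real connection count before applying.
modprobe nf_conntrack

cat <<'EOF' >> /etc/sysctl.conf

net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120

EOF

sysctl -p

# Confirm the table size actually took effect.
sysctl net.netfilter.nf_conntrack_max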

=============================

#更多的优化参数,暂时不适用这个,因为不熟悉

# Alternative, larger tuning set — kept for reference and, per the note
# above, NOT applied. Review before ever using it:
#  - tcp_tw_recycle = 1 drops SYNs from clients behind NAT whose timestamps
#    differ (and with tcp_timestamps = 0 it does nothing anyway).
#  - tcp_mem is measured in pages (4 KiB): these three values describe
#    hundreds of GB of socket memory.
#  - tcp_fin_timeout = 1 and the two-retry settings are aggressive on
#    lossy links.
/bin/cp /etc/sysctl.conf /etc/sysctl.conf.bak
modprobe bridge
lsmod | grep bridge
tee -a /etc/sysctl.conf <<'EOF' >/dev/null
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_wmem = 4096 87380 16777216
net.ipv4.tcp_rmem =  4096 65536 16777216
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.ip_local_port_range = 4000  65000
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
EOF
sysctl -p

=================================

14.安装snmp,并设置相关参数

---------------------------------------------

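# net-snmp agent. The pattern is quoted so yum expands it, not the shell
# against files in the current directory.
yum -y install 'net-snmp*'
ls -l /etc/snmp/snmpd.conf

# Community string. The original hard-coded "cisco"; that default is kept
# only so existing pollers keep working. It is a guessable value that is
# sent in clear text with every v1/v2c request, so set SNMP_COMMUNITY to
# something long and random — and prefer SNMPv3 (usm, authPriv) where the
# poller supports it; the usm group lines below already exist for that.
snmp_community="${SNMP_COMMUNITY:-cisco}"

# Access model, unchanged from the original: localhost gets read-write,
# 192.168.0.0/16 read-only, both "noauth" (the community string is the only
# check), and "view all" exposes the whole MIB tree (.1). Narrow the RO
# network to the actual pollers, and drop the RW group unless it is needed.
# The exec lines run /root/*.sh on every poll: keep those scripts
# root-owned and not writable by anyone else, or whoever can edit them runs
# code as the agent's user each time it is polled.
cat <<EOF > /etc/snmp/snmpd.conf
com2sec local     localhost      ${snmp_community}
com2sec mynetwork  192.168.0.0/16   ${snmp_community}

group MyRWGroup v1         local
group MyRWGroup v2c        local
group MyRWGroup usm        local
group MyROGroup v1         mynetwork
group MyROGroup v2c        mynetwork
group MyROGroup usm        mynetwork
view all    included  .1                               80
access MyROGroup ""      any       noauth    exact  all    none   none
access MyRWGroup ""      any       noauth    exact  all    all    none
syslocation etiantian.org
syscontact Me <[email protected]>
proc mountd
proc ntalkd 4
proc sendmail 10 1
proc httpd 10 1
exec echotest /bin/echo hello world
exec disk_used_shell  /bin/sh  /root/current_disk_used.sh
exec httpd_proc  /bin/sh  /root/current_httpd_proc.sh
disk /       10000
disk /boot   10000
load 12 14 14
EOF
/etc/init.d/snmpd restart

# The agent should be listening on udp/161.
lsof -i :161

lsof -i udp:161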

15.安装NAGIOS客户端并设置相关参数

---------------------------------------------

1.解决perl插件编译安装问题

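# The perl-based plugins below build cleanly under the C locale.
# Set it for this build session only. The original appended
# "export LC_ALL=C" to /etc/profile, which would override the
# zh_CN.GB18030 LANG configured in the locale section for every login
# shell on the host from then on — LC_ALL takes precedence over LANG.
export LC_ALL=C

echo "$LC_ALL"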

2.客户端添加nagios用户

/usr/sbin/useradd nagios -M -s /sbin/nologin

3.安装客户端nagios-plugins-1.4.16.tar.gz

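# Build the Nagios plugins from source.
yum -y install perl-CPAN

cd /soft || exit 1

# Plain-HTTP download from the internal mirror, with no checksum or
# signature: verify the tarball (e.g. sha256sum against a value recorded
# when it was mirrored) before building and installing it as root.
wget http://soft.local.com/nagios-plugins-1.4.16.tar.gz || exit 1

tar zxf nagios-plugins-1.4.16.tar.gz || exit 1
cd nagios-plugins-1.4.16 || exit 1

# Stop at the first failing step instead of running "make install" on a
# half-configured tree.
./configure --with-nagios-user=nagios --with-nagios-group=nagios --enable-perl-modules || exit 1

make || exit 1

make install || exit 1

# If configure errors, pointing it at the MySQL install
# (--with-mysql=/var/lib/mysql) may resolve it.

# A MySQL client host may need --with-mysql as well, because the
# check_mysql plugin is wanted there and may not be built otherwise.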

---------------------------------------------

tips:

make clean仅仅是清除之前编译的可执行文件及配置文件。
而make distclean要清除所有生成的文件。

-----------------------------------------

# Confirm whether check_mysql was built ("ls -l" rather than the interactive
# "ll" alias, which does not exist in non-interactive shells).
ls -l /usr/local/nagios/libexec/check_mysql

# Without a MySQL install on the client, the check_mysql plugin may simply
# be missing here.

4.客户端安装nrpe,因为nagios是主动查询报警

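# NRPE agent: Nagios polls the client actively, so the daemon side of NRPE
# has to be installed on the client.
cd /soft || exit 1

# Same caveat as the plugins: an unverified plain-HTTP tarball, built and
# installed as root — verify it first.
wget http://soft.local.com/nrpe-2.12.tar.gz || exit 1

tar zxf nrpe-2.12.tar.gz || exit 1
cd nrpe-2.12 || exit 1

# Fail fast instead of echoing $? and carrying on regardless.
./configure || exit 1
make all || exit 1
make install-plugin || exit 1
make install-daemon || exit 1
make install-daemon-config || exit 1
ls -l /usr/local/nagios/libexec/check_nrpe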

5.安装其它插件,check_iostat需要的依赖包

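# Perl modules required by check_iostat, built from source in this order
# (later ones depend on earlier ones).
perl_mods=(
  Params-Validate-0.91
  Class-Accessor-0.31
  Config-Tiny-2.12
  Math-Calc-Units-1.07
  Regexp-Common-2010010201
  Nagios-Plugin-0.34
)

cd /soft || exit 1

# All six come over plain HTTP from the internal mirror with no checksum or
# signature and are installed as root below — verify them (e.g. sha256sum
# against values recorded when they were mirrored) before building.
for mod in "${perl_mods[@]}"; do
  wget "http://soft.local.com/${mod}.tar.gz" || exit 1
done

# Build and install each module, stopping at the first failure. The original
# printed $? after each module and carried on, so a failed Makefile.PL or
# "make install" only surfaced later as a broken check_iostat.
for mod in "${perl_mods[@]}"; do
  cd /soft || exit 1
  tar zxf "${mod}.tar.gz" || exit 1
  cd "$mod" || exit 1
  perl Makefile.PL || exit 1
  make || exit 1
  make install || exit 1
done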

6.配置几个基础插件,额外的比较好用的插件

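# A few extra, useful checks shipped as a tarball on the internal mirror.
cd /soft || exit 1

# Unverified plain-HTTP download, and these scripts will be executed by
# NRPE on request from the network: read them before installing.
wget http://soft.local.com/nagios-scripts.tar.gz || exit 1

tar zxf nagios-scripts.tar.gz || exit 1

# Install into the plugin directory. As in the original, the tarball's
# check_mysql overwrites whatever nagios-plugins built under that name.
plugdir=/usr/local/nagios/libexec
for plugin in check_iostat check_memory.pl check_mysql; do
  /bin/cp "/soft/${plugin}" "${plugdir}/" || exit 1
  chmod 755 "${plugdir}/${plugin}"
done

# Strip CRLF line endings from the two scripts (check_mysql is left alone,
# as in the original).
dos2unix "${plugdir}/check_memory.pl"

dos2unix "${plugdir}/check_iostat"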

7.修改nrpe的配置文件,配置监控插件

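nrpe_cfg=/usr/local/nagios/etc/nrpe.cfg
cp "$nrpe_cfg" "${nrpe_cfg}.bak"

# Only the Nagios server may talk to NRPE. 127.0.0.1 is dropped from the
# list as in the original (add it back, comma-separated, if local
# check_nrpe tests are wanted). NRPE has no authentication of its own, so
# this allow-list plus a firewall rule on tcp/5666 is the whole access
# control — and the firewall was stopped in section 3.
sed -i 's#allowed_hosts=127.0.0.1#allowed_hosts=192.168.1.18#g' "$nrpe_cfg"

grep 'allowed_hosts=' "$nrpe_cfg"

cat <<'EOF' >> "$nrpe_cfg"

command[check_mem]=/usr/local/nagios/libexec/check_memory.pl -w 10% -c 3%
command[check_disk]=/usr/local/nagios/libexec/check_disk -w 15% -c 7% -p /
command[check_swap]=/usr/local/nagios/libexec/check_swap -w 20% -c 10%
command[check_iostat]=/usr/local/nagios/libexec/check_iostat -w 6 -c 10

EOF

# The original deleted line 201 of the sample config ("the disk check
# entry") by number. Deleting by line number is fragile — the sample file
# differs between NRPE versions and the append above has already grown the
# file — so print the line first and only remove it when it really is a
# check_disk entry.
sed -n '201p' "$nrpe_cfg"
sed -n '201p' "$nrpe_cfg" | grep -q 'check_disk' && sed -i '201d' "$nrpe_cfg"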

8.启动nrpe

# Start NRPE as a standalone daemon (-c config file, -d run in background),
# check it is up, and register it in rc.local so it starts at boot. It
# listens on tcp/5666 by default. rc.local starts it as root; NRPE is
# expected to drop to the nrpe_user/nrpe_group from nrpe.cfg — confirm
# those are set to nagios. Re-running this appends a second rc.local line.
nrpe_bin=/usr/local/nagios/bin/nrpe
nrpe_cfg=/usr/local/nagios/etc/nrpe.cfg

"$nrpe_bin" -c "$nrpe_cfg" -d

ps -ef | grep nrpe | grep -v grep

echo "$nrpe_bin -c $nrpe_cfg -d" >> /etc/rc.local

lsof -i tcp:5666

# As in the original, the daemon is stopped again at the end of this step
# (it comes back at boot, or by hand once the config is final).
pkill nrpe

16.统一windows域联合认证

-----------------------------------------------

Linux加入windows域

1.安装必要软件

yum -y install pam_krb5* krb5-libs* krb5-workstation* krb5-devel* krb5-auth* samba samba-winbind* samba-client* samba-swat*

2.修改/etc/samba/smb.conf

# Samba/winbind configuration for an ADS-security domain member (written
# literally; quoted delimiter). Worth knowing:
#  - "winbind use default domain = true" lets users and groups be named
#    without the DOMAIN/ prefix, which the %yyy sudoers entry further down
#    presumably relies on.
#  - "winbind enum users/groups = Yes" makes getent walk the whole
#    directory; on a large domain that can be slow.
#  - "winbind offline logon = true" keeps cached credentials so domain
#    users can still log in when the DC is unreachable.
tee /etc/samba/smb.conf <<'EOF' >/dev/null

[global]

    workgroup = LOCAL

    password server = DC.LOCAL.COM

    realm = LOCAL.COM

    security = ads

    idmap uid = 10000-20000

    idmap gid = 10000-20000

    template shell = /bin/bash

    winbind use default domain = true

    winbind offline logon = true

    template homedir = /home/%U

    winbind separator = /

    winbind enum users = Yes

    winbind enum groups = Yes

EOF

3.修改/etc/krb5.conf

# Kerberos client configuration for the LOCAL.COM realm, written literally.
# KDC and admin server are the DC; dns_lookup_* lets the libraries find
# KDCs via DNS SRV records as well. "forwardable = true" means tickets
# obtained here can be forwarded to other hosts — intended for SSO, but
# worth knowing when reviewing credential exposure.
tee /etc/krb5.conf <<'EOF' >/dev/null

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

[libdefaults]

default_realm = LOCAL.COM

dns_lookup_realm = true

dns_lookup_kdc = true

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

[realms]

LOCAL.COM = {

  kdc = DC.LOCAL.COM

  admin_server = DC.LOCAL.COM

  default_domain = LOCAL.COM

}

[domain_realm]

.local.com = LOCAL.COM

local.com = LOCAL.COM

EOF

4.修改/etc/nsswitch.conf

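# Add winbind as a name-service source after the local files.
# Idempotent, and independent of the stock file's exact whitespace: the
# original patterns only matched "passwd:     files" with that precise
# spacing, so a file with different padding or an extra source was left
# unchanged without any error. Lines already listing winbind are skipped.
for db in passwd shadow group; do
  sed -i "/^${db}:/{/winbind/! s/\$/ winbind/;}" /etc/nsswitch.conf
done

grep -E '^(passwd|shadow|group):' /etc/nsswitch.conf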

passwd:     files winbind

shadow:     files winbind

group:      files winbind

......

5.设置开机自动启动

# Enable smb and winbind at boot, confirm, and (re)start them now.
for svc in smb winbind; do
  chkconfig "$svc" on
done

chkconfig --list | grep 3:on

for svc in smb winbind; do
  /etc/init.d/"$svc" restart
done

6.通过SETUP配置认证方式,通过修改文本需要配置的地方太多,不建议

   1.使用setup配置工具,并选择“验证配置”,选择下面三项:按F12直接下一步

          “use winbind” ##对应中文“使用winbind”

          “use kerberos” ##对应中文“使用kerberos”

          “use winbind authentication” ##对应中文“使用winbind验证”

   2.然后点击【下一步】,按如下填写:

         域:LOCAL.COM

         KDC:DC.LOCAL.COM

        管理服务器:DC.LOCAL.COM

        勾选下面两个选项。

   3.再次点击【下一步】,按如下选择或填写:

         安全模型:ads

         域:LOCAL   ##注意大写

         域控制器:   DC.LOCAL.COM

         ADS域:         LOCAL.COM

         模板Shell:     /bin/bash

6.加入域,需要重启才能生效

# Join the machine to the domain with an account that has join rights.
# net prompts for the password — do not pass it on the command line, where
# it would end up in shell history and be visible in ps. The join takes
# effect after a reboot.
# The DNS server needs an A record for this host first, or the join
# reports an error.
net ads join -U [email protected]

reboot

7.检查加域信息

# Verify the join: check the machine trust account against the DC.
wbinfo -t

checking the trust secret via RPC calls succeeded

# (expected output of wbinfo -t above) — the host's trust with the domain is established.

wbinfo -u

# wbinfo -u lists the user accounts registered in AD.

wbinfo -g

# wbinfo -g returns the groups defined in AD.

wbinfo -m

# Original note: shows built-in / default groups. (wbinfo -m is documented as
# listing trusted domains — verify which output is actually wanted here.)

8.修改visudo将域用户加入sudo

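# Grant the AD security group "yyy" (a group, not an OU) sudo rights.
# As written this is full root for every member with no password prompt:
# an unlocked session or a stolen AD credential from that group is root on
# every joined host. Scope the command list, or drop NOPASSWD, unless the
# group really is the admin group.
# Validate a copy before touching the live file: the original appended to
# /etc/sudoers and ran "visudo -c" only afterwards, so a typo was already in
# place and would have broken sudo for everyone at once.
tmp_sudoers=$(mktemp) || exit 1
cp /etc/sudoers "$tmp_sudoers"
echo " %yyy          ALL=(ALL)       NOPASSWD: ALL"  >> "$tmp_sudoers"

if visudo -cf "$tmp_sudoers"; then
  # cp onto the existing file keeps /etc/sudoers' mode (0440).
  cp "$tmp_sudoers" /etc/sudoers
else
  echo "sudoers syntax check failed; /etc/sudoers left unchanged" >&2
fi
rm -f "$tmp_sudoers"

# Note: yyy is a Windows security group, not an OU.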

9.解决域用户登录后没有家目录的问题

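# Create home directories on first login for domain users (pam_mkhomedir);
# umask=0077 keeps new homes private. Guarded so re-running does not stack
# duplicate session lines.
# Note: system-auth is generated by authconfig (the setup tool used above);
# running authconfig again rewrites the file and drops this line, so
# re-check after any authconfig run. CentOS 6's sshd stack typically pulls
# in password-auth rather than system-auth, which is presumably why the
# original adds the line to /etc/pam.d/sshd as well.
mkhomedir_line="session required pam_mkhomedir.so skel=/etc/skel umask=0077"
for pamfile in /etc/pam.d/system-auth /etc/pam.d/sshd; do
  grep -qF 'pam_mkhomedir.so' "$pamfile" || echo "$mkhomedir_line" >> "$pamfile"
done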

10.关于Linux虚拟机的复制

          1.rm -rf /etc/udev/rules.d/70-persistent-net.rules

          2.修改主机名和IP地址

          3.修改web服务器的主机头别名alias

          4.重新运行net ads join -U [email protected]

  5.建议在做虚拟机模板前不要先加域,非常重要

17.

------------------------------------------------------
