centos 系统优化

#!/bin/bash


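#0. Put SELinux into permissive mode (now and across reboots)
#
# Permissive mode only logs policy violations instead of blocking them, so this
# step takes mandatory access control away from the host. Where possible keep
# "enforcing" and fix the denials reported in the audit log instead.

# Runtime switch; it does not survive a reboot.
setenforce 0

# Persist the mode. Edit /etc/selinux/config directly: /etc/sysconfig/selinux
# is normally a symlink to it, and "sed -i" on the symlink replaces the link
# with a regular file while the real config stays at "enforcing".
# The pattern is anchored so only the setting line itself can match.
sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config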



#1.set ip address 

#

#read -p "input interface num[eth0,eth1]:" int

#read -p "input ip address:" ip

#read -p "input netmask:" ms

#read -p "input gateway:" gw

#

#cat > /etc/sysconfig/network-scripts/ifcfg-$int << EOF

#DEVICE=$int

#TYPE=Ethernet

#ONBOOT=yes

#NM_CONTROLLED=no

#BOOTPROTO=static

#IPADDR=$ip

#NETMASK=$ms

#GATEWAY=$gw

#EOF

#


#2.set dns

#read -p "input dns server[df:114.114.114.114]:" dns

#if [ $dns = 0 ];then

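# Resolver used for every name lookup on this host. 114.114.114.114 is a
# public third-party resolver and sees all queries this machine makes;
# substitute a resolver you operate or trust where that matters.
dns="114.114.114.114"

# Append only when the entry is missing, so re-running the script does not
# stack duplicate nameserver lines. A missing resolv.conf counts as "absent".
grep -qxF "nameserver $dns" /etc/resolv.conf 2>/dev/null ||
  echo "nameserver $dns" >> /etc/resolv.conf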

#else

#echo "nameserver $dns" >> /etc/resolv.conf

#fi


#3.set iptables
#
# Replaces both the running and the saved IPv4 ruleset with a default-deny
# INPUT policy plus the allow rules written by the heredoc below.
#
# NOTE(review): -F/-X/-Z flush rules, user chains and counters but leave the
# chain policies as they are. If INPUT is already DROP when this runs over
# SSH, flushing the ACCEPT rules cuts the session before the new rules are
# loaded -- run from a console, or load the new file in a single step.

iptables -F

iptables -X

iptables -Z

# NOTE(review): this saves the just-flushed ruleset; the heredoc below
# overwrites the same file immediately, so the save has no lasting effect.
/etc/init.d/iptables save


# NOTE(review) on the rules written below:
#  - 10.0.8.0/24 and 10.0.10.0/24 are accepted on every protocol and port.
#  - 121.9.13.0/24 and 121.9.243.0/24 are accepted on every TCP port (there is
#    no --dport); narrow these to the ports that are really needed.
#  - There is no separate SSH rule: management access works only from the
#    source ranges listed here.
#  - FORWARD policy is ACCEPT; on a host that does not route, DROP is the
#    safer default -- confirm against how this box is used.
#  - Only IPv4 is covered; nothing here configures ip6tables.
cat > /etc/sysconfig/iptables << EOF

*filter

:INPUT DROP [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -s 10.0.8.0/24 -j ACCEPT 

-A INPUT -s 10.0.10.0/24 -j ACCEPT 

-A INPUT -s 121.9.13.0/24 -p tcp -m state --state NEW -m tcp -j ACCEPT 

-A INPUT -s 121.9.243.0/24 -p tcp -m state --state NEW -m tcp -j ACCEPT 

COMMIT

EOF

# Reload the service so the file written above becomes the active ruleset.
/etc/init.d/iptables restart


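#4.add login user (disabled)
# NOTE(review): the password built below is a fixed string plus the last octet
# of the host IP, so it is guessable by anyone who knows the scheme. If this
# section is re-enabled, set a random password or use key-based login instead.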

#pw="x+y-z=`echo ${ip} | awk -F'.' '{print $NF}'`"

#useradd youboy 

#echo "$pw" |passwd --stdin youboy



#5.modify ssh port

#sed -i  's/#Port 22/Port 22612/' /etc/ssh/sshd_config  

#sed -i  's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config 

#/etc/init.d/sshd reload



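#6. Sync the clock once a day at midnight
#
# NOTE(review): ntpdate steps the clock from an unauthenticated NTP answer; a
# continuously running ntpd or chronyd is the usual replacement. The job also
# depends on crond, so the service-trimming loop later in this script must
# leave crond enabled.
cron_line='0 0 * * * /usr/sbin/ntpdate cn.pool.ntp.org'

# Add the job only if it is not already present, so repeated runs of this
# script do not pile up identical crontab entries.
grep -qxF -- "$cron_line" /var/spool/cron/root 2>/dev/null ||
  echo "$cron_line" >> /var/spool/cron/root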



#7.The kernel optimization
#
# Overwrites /etc/sysctl.conf ("cat >" truncates it), so every setting already
# in that file is lost. Nothing in this section runs "sysctl -p", so the
# values take effect only when the file is next loaded (e.g. at boot).
#
# NOTE(review) -- values worth confirming before reuse:
#  - rp_filter and accept_source_route are set for "default" only; the "all"
#    variants are not written here.
#  - tcp_tw_recycle = 1 is known to drop connections from clients behind NAT,
#    and the knob was removed in Linux 4.12.
#  - tcp_timestamps = 0 conflicts with tcp_tw_recycle / tcp_tw_reuse, which
#    both rely on TCP timestamps.
#  - tcp_fin_timeout = 1, tcp_synack_retries = 1 and tcp_syn_retries = 1 are
#    very aggressive and can fail connections on lossy links.
#  - the net.ipv4.netfilter.ip_conntrack_* names are legacy conntrack keys;
#    presumably they are reported as unknown where the kernel does not
#    expose them -- verify on the target release.

cat > /etc/sysctl.conf << EOF

net.ipv4.ip_forward = 0

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.default.accept_source_route = 0

kernel.sysrq = 0

kernel.core_uses_pid = 1

net.ipv4.tcp_syncookies = 1

kernel.msgmnb = 65536

kernel.msgmax = 65536

kernel.shmmax = 68719476736

kernel.shmall = 4294967296

net.ipv4.tcp_max_tw_buckets = 20000

net.ipv4.tcp_sack = 1

net.ipv4.tcp_window_scaling = 1

net.ipv4.tcp_rmem = 4096 87380 4194304

net.ipv4.tcp_wmem = 4096 16384 4194304

net.core.wmem_default = 8388608

net.core.rmem_default = 8388608

net.core.rmem_max = 16777216

net.core.wmem_max = 16777216

net.core.netdev_max_backlog = 262144

net.core.somaxconn = 262144

net.ipv4.tcp_max_orphans = 3276800

net.ipv4.tcp_max_syn_backlog = 262144

net.ipv4.tcp_timestamps = 0

net.ipv4.tcp_synack_retries = 1

net.ipv4.tcp_syn_retries = 1

net.ipv4.tcp_tw_recycle = 1

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_mem = 94500000 915000000 927000000

net.ipv4.tcp_fin_timeout = 1

net.ipv4.tcp_keepalive_time = 1200

net.ipv4.ip_local_port_range = 1024 65535

net.ipv4.netfilter.ip_conntrack_max = 102400

net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 86400

EOF



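#8. Set per-user resource limits
#
# Appends limits for every user ("*") to /etc/security/limits.conf:
#   nproc  4000   max number of processes
#   nofile 65535  max open file descriptors
#   stack  4000   max stack size, in KB
#
# NOTE(review): wildcard entries are not applied to root, and files under
# /etc/security/limits.d/ are read after this one and can override these
# values. A 4000 KB stack is below the usual default -- confirm that is
# intended.
#
# The grep guard makes the step idempotent: the block is appended only when
# its nofile line is not in the file yet, so re-running the script does not
# add another copy. The heredoc delimiter is quoted so the text is written
# literally.
if ! grep -qxF '* soft nofile 65535' /etc/security/limits.conf 2>/dev/null; then
cat >> /etc/security/limits.conf << 'EOF'

* soft nproc 4000

* hard nproc 4000

* soft nofile 65535

* hard nofile 65535

* soft stack 4000

* hard stack 4000

EOF
fi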



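#9. Turn off services that start at boot, except a keep-list
#
# Walks the runlevel-3 start links (/etc/rc3.d/SNNname). Every service that is
# not on the keep-list is disabled for runlevels 2, 3 and 5 and stopped now.
#
# Keep-list additions:
#   crond   - the ntpdate job installed in step 6 only runs while crond does
#   rsyslog - the logger's service name on releases that ship rsyslog rather
#             than syslog; without it system logging is switched off
# NOTE(review): auditd is not on the keep-list, so audit logging stops after
# this step; add it if the host needs an audit trail.
for i in /etc/rc3.d/S*
do
  # An unmatched glob stays literal; skip it rather than act on "S*".
  # -L keeps dangling start links in the loop.
  [ -e "$i" ] || [ -L "$i" ] || continue

  # /etc/rc3.d/S55sshd -> S55sshd -> sshd
  CURSRV=${i##*/}
  CURSRV=${CURSRV#S[0-9][0-9]}

  echo "$CURSRV"

  case "$CURSRV" in
    network | sshd | syslog | rsyslog | crond | iptables | vncserver | libvirtd | libvirt-guests | master | java | snmpd)
      echo "Base services, Skip!"
      ;;
    *)
      echo "change $CURSRV to off"
      # Quoted so an unusual link name cannot split into extra arguments.
      chkconfig --level 235 "$CURSRV" off
      service "$CURSRV" stop
      ;;
  esac
done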



#10. Finish
#
# Announce completion. The reboot itself ("init 6") is commented out below, so
# no restart is triggered from here.
printf '%s\n' 'system init is done,now reboot!'

#init 6

