Basic Linux System Optimization
1. Basic Linux system optimization

1. Disable SELinux

SELinux is a security tool whose controls are too strict for the production environment, so it is not used there; other security measures are used instead.

Introduction: SELinux gives Linux a flexible and configurable MAC (mandatory access control) mechanism. Security-Enhanced Linux (SELinux) consists of two parts:
1) the kernel SELinux module (/kernel/security/selinux)
2) user-mode tools

SELinux is a security architecture integrated into the Linux 2.6.x kernel through the LSM (Linux Security Modules) framework. It is a joint project of the NSA (United States National Security Agency) and the SELinux community. SELinux defines the access and transition permissions of every user, process, application and file in the system, and then uses a security policy to control the interactions between these entities (users, processes, applications and files); the policy specifies how strict or loose the checks are. SELinux is transparent to the users of the system: only the administrator has to decide how strict a policy to enforce on his server, and the policy can be as strict or as loose as needed.

Methods for disabling SELinux:
1) Open the configuration file with vi /etc/selinux/config and edit it.
2) Use sed:

    sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config

Output:

    [root@oldboy ~]# cp /etc/selinux/config /etc/selinux/config.ori       # back up before the operation
    [root@oldboy ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config   # modify the file in place
    [root@oldboy ~]# grep SELINUX=disabled /etc/selinux/config              # view the modified result
    SELINUX=disabled

Compare the file before and after the change (with diff, or vimdiff):

    [root@oldboy ~]# diff /etc/selinux/config.ori /etc/selinux/config
    7c7
    < SELINUX=enforcing
    ---
    > SELINUX=disabled

SELINUX=disabled takes effect permanently after the system is restarted. On the command line:

    [root@bigboy ~]# getenforce                 # check whether SELinux is disabled
    Enforcing
    [root@bigboy ~]# setenforce                 # set the SELinux mode
    usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]
    [root@bigboy ~]# setenforce 0               # disable SELinux from the command line
    [root@bigboy ~]# getenforce
    Permissive                                  # takes effect temporarily, until the next reboot

2. What is the runlevel?

runlevel: a status label for the state a running Linux system is in, represented by a number. The runlevels are:

    0  halt (shutdown)
    1  single user (used to recover the root password)
    2  multiuser without NFS (Network File System)
    3  text mode (full multiuser mode)    ****** the normal working mode
    4  unused
    5  X11 (desktop)
    6  reboot

View the current runlevel with the runlevel command:

    [root@oldboy ~]# runlevel
    N 3                                         # N = previous runlevel, 3 = current runlevel

Change the runlevel: init 3

3. Why streamline the services that start automatically at boot?

1. It saves boot time and speeds up startup.
2. It saves resources.
3. It reduces security risks.

Services that must keep starting at boot:

    sshd     remote connections to the Linux server
    rsyslog  the logging mechanism provided by the operating system; system daemons usually log through rsyslog
    network  brings the network interfaces up and down
    crond    periodically executes the scheduled tasks configured by the system and by users (a scheduled-task service for repetitive jobs)
    sysstat  a package of tools that monitor system performance and efficiency; its main tools are iostat, which reports CPU usage and disk throughput, mpstat, which reports data for one or more processors, and sar, which collects, reports and stores information about system activity

How can this be achieved?
Method 1: use setup.
Method 2: use ntsysv.
Method 3: use chkconfig, in any of the following ways.

a. Generate the "chkconfig <name> off" commands with awk and pipe them into bash:

    [root@bigboy ~]# chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev "sshd|network|rsyslog|crond|sysstat" | awk '{print "chkconfig " $1 " off"}' | bash
    [root@bigboy ~]# chkconfig --list | grep 3:on
    crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
    network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
    rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
    sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
    sysstat         0:off   1:on    2:on    3:on    4:on    5:on    6:off

b. Generate the commands with sed instead of awk:

    [root@bigboy ~]# chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev "sshd|network|rsyslog|crond|sysstat" | sed -r 's#(.*)#chkconfig \1 off#g' | bash

c. Loop over the service names with for:

    [root@bigboy ~]# for name in `chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev "sshd|network|rsyslog|crond|sysstat"`; do chkconfig $name off; done

After b and c, chkconfig --list | grep 3:on shows the same five services as after a.

4. Disable the iptables firewall

View the firewall rules: iptables -L -n

Disable the firewall:

    [root@oldboy ~]# /etc/init.d/iptables stop
    iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
    iptables: Flushing firewall rules:                         [  OK  ]
    iptables: Unloading modules:                               [  OK  ]

View the firewall status:

    [root@bigboy ~]# /etc/init.d/iptables status
    Table: filter
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination
    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination

5. The principle of minimization in the Linux O&M philosophy: the fewer things there are, the better!

1. Minimize the installation of the Linux system: select the minimal set of packages, install the minimum of yum packages, and do not install packages that are not needed.
2. Minimize the services started automatically at boot.
3. Minimize the commands you run: for example, use rm -f test.txt instead of rm -fr test.txt.
4. Minimize logins to Linux. Usually there is no need to log in as root; log in as an ordinary user instead.
5. Minimize the permissions granted to ordinary users: give them only the management commands they need.
6. Minimize the permissions on Linux system files and directories: creation, modification and deletion are prohibited wherever possible (in theory, everything is restricted).

6. Change the remote-login configuration of the SSH server (configuration file: /etc/ssh/sshd_config)

Method 1: open the configuration file with vi /etc/ssh/sshd_config and add:

    #### by oldboy #2011-11-24 #
    Port 52113
    PermitRootLogin no
    PermitEmptyPasswords no
    UseDNS no
    GSSAPIAuthentication no
    ### by oldboy #2011-11-24 #

Method 2: insert the same lines at line 13 with sed (give the options as -ri: "sed -ir" is parsed as -i with the backup suffix r):

    sed -ri '13i Port 52113\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\nGSSAPIAuthentication no' /etc/ssh/sshd_config

Restart the service for the change to take effect: /etc/init.d/sshd reload (a smooth restart that does not affect connected users) or /etc/init.d/sshd restart.

For solutions to a slow SSH remote connection on Linux, see old boy's blog: http://oldboy.blog.51cto.com/2561410/1300964

8. Use sudo to manage privileges: add the paths of the commands an ordinary user may run to the sudoers file with visudo, so that those commands can be run through sudo from the ordinary user's environment.

    ## Allow root to run any commands anywhere
    root    ALL=(ALL)       ALL
    oldboy  ALL=(ALL)       NOPASSWD: ALL

The fields of an entry are: the user, the machines the user manages (ALL), the user role the user temporarily takes on (ALL), and the commands allowed (ALL, or a specific path such as /bin/ls).

Note: sudo cannot be used with shell built-in commands.

9. Linux character display settings

A character set is a set of text symbols and their encoding, for example GBK or UTF-8 (UTF-8 is the one widely used by enterprises). To adjust the server-side character set, edit /etc/sysconfig/i18n (remember this path):

    [root@bigboy /]# cat /etc/sysconfig/i18n
    LANG="en_US.UTF-8"                          # English character set
    SYSFONT="latarcyrheb-sun16"
    [root@bigboy /]# cp /etc/sysconfig/i18n /etc/sysconfig/i18n.oldboy.20151003       # back up before modifying the file
    [root@bigboy /]# sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.UTF-8"#g' /etc/sysconfig/i18n   # use sed to switch the character set to Chinese
    [root@bigboy /]# cat /etc/sysconfig/i18n
    LANG="zh_CN.UTF-8"
    SYSFONT="latarcyrheb-sun16"
    [root@bigboy /]# echo $LANG                 # view the effect: the running shell still has the old value
    en_US.UTF-8
    [root@bigboy /]# source /etc/sysconfig/i18n # make the modified file take effect
    [root@bigboy /]# echo $LANG
    zh_CN.UTF-8

10. Set Linux server time synchronization

Synchronize the time from the Internet:

    [root@bigboy /]# /usr/sbin/ntpdate time.nist.gov           # Internet time synchronization
    [root@bigboy /]# date -s "October 03, 2015"                # set the date and time by hand
    Sat Oct  3 09:34:00 CST 2015
    [root@bigboy /]# ntpdate time.nist.gov                     # set the date and time via NTP
     3 Oct 09:35:21 ntpdate[28135]: adjust time server 13.03.4.103 offset 0.286494 sec
    [root@bigboy /]# date                                      # view the time (date -s modifies it)
    Sat Oct  3 09:48:46 CST 2015
    [root@bigboy /]# hwclock                                   # query and set the hardware clock
    Sat 03 Oct 2015 08:59:12 CST  -0.737654 seconds

crond: synchronize with a scheduled task every 5 minutes.
    [root@bigboy /]# echo "*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1" >> /var/spool/cron/root
    [root@bigboy /]# crontab -l                                # the task now runs at the set interval
    */5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1

11. Set the session timeout

Temporary (current shell only):

    [root@bigboy /]# export TMOUT=300                          # set the timeout to 300 s

Permanent:

    [root@bigboy /]# echo "export TMOUT=300" >> /etc/profile
    [root@bigboy /]# source /etc/profile                       # make the setting take effect
    [root@bigboy /]# echo $TMOUT
    300

12. Set the number of history records

Temporary:

    [root@bigboy /]# export HISTSIZE=5                         # keep 5 records in the shell history
    [root@bigboy /]# history
      728  cat ~/.bash_history
      729  HISTFILESIZE=5
      730  cat ~/.bash_history
      731  HISTSIZE=5
      732  history
    [root@bigboy /]# export HISTFILESIZE=5                     # keep 5 records in the history file
    [root@bigboy /]# cat ~/.bash_history
    visudo
    su - oldboy
    su oldboy
    netstat -an | grep EST
    su oldboy

Permanent:

    [root@oldboy ~]# echo 'export TMOUT=300' >> /etc/profile
    [root@oldboy ~]# echo 'export HISTSIZE=5' >> /etc/profile
    [root@oldboy ~]# echo 'export HISTFILESIZE=5' >> /etc/profile
    [root@oldboy ~]# tail -3 /etc/profile
    export TMOUT=300
    export HISTSIZE=5
    export HISTFILESIZE=5
    [root@oldboy ~]# source /etc/profile                       # make the file take effect
    [root@oldboy ~]# echo $TMOUT
    300
    [root@oldboy ~]# echo $HISTSIZE
    5

13. Adjust the number of file descriptors in the Linux system

A file descriptor is a handle, represented by an unsigned integer, that a process uses to refer to a file it has opened. Two points about file descriptors:
1. It is an integer (0-65535).
2. Each open file occupies one descriptor (an occupied descriptor means an open file).

View the default number of file descriptors: ulimit -n

Adjust the number of file descriptors:

    [root@bigboy ~]# ulimit -SHn 65535                         # set the number of file descriptors (soft and hard limit)
    [root@bigboy ~]# ulimit -n
    65535                                                      # (32768)
    [root@bigboy ~]# echo '* - nofile 65535' >> /etc/security/limits.conf    # write the modified descriptor limit to the file
    [root@bigboy ~]# tail -1 /etc/security/limits.conf
    * - nofile 65535

14. Adjust the kernel parameter file (/etc/sysctl.conf)

Open it with vim /etc/sysctl.conf and add the Linux kernel optimization parameters:

    net.ipv4.tcp_fin_timeout = 2
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_keepalive_time = 600
    net.ipv4.ip_local_port_range = 4000 65000
    net.ipv4.tcp_max_syn_backlog = 16384
    net.ipv4.tcp_max_tw_buckets = 36000
    net.ipv4.route.gc_timeout = 100
    net.ipv4.tcp_syn_retries = 1
    net.ipv4.tcp_synack_retries = 1
    net.core.somaxconn = 16384
    net.core.netdev_max_backlog = 16384
    net.ipv4.tcp_max_orphans = 16384
    # The following parameters optimize the iptables firewall. If the firewall is not running,
    # loading them prints an error message; it can be ignored.
    net.nf_conntrack_max = 25200000
    net.netfilter.nf_conntrack_max = 25200000
    net.netfilter.nf_conntrack_tcp_timeout_established = 180
    net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
    net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
    net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120

For a description of the network states, the optimization commands and the details of each parameter, see: http://yangrong.blog.51

Run sysctl -p to load the parameters and make them take effect.

15. Hide the Linux version

    [root@oldboy ~]# cat /etc/issue
    CentOS release 6.7 (Final)
    Kernel \r on an \m
    [root@oldboy ~]# cat /etc/issue.net
    CentOS release 6.7 (Final)
    Kernel \r on an \m
    [root@oldboy ~]# > /etc/issue
    [root@oldboy ~]# > /etc/issue.net
    [root@oldboy ~]# cat /etc/issue
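A drift check for the parameter list in section 14, added here as an example that is not part of the original article: it reads the desired settings from a sysctl.conf-style file and compares them with a saved `sysctl -a` dump, so a host where sysctl -p was never run, or where a later change overrode a value, is reported. The two sample files are constructed for the demo; the path /tmp/running.txt in the closing comment is an assumption.

```shell
#!/bin/sh
# Added example, not the article's own code: report kernel parameters whose
# running value differs from /etc/sysctl.conf (or that the kernel does not have).
#
# sysctl_drift DESIRED_FILE CURRENT_FILE
#   DESIRED_FILE  sysctl.conf syntax: "key = value", "#" comments, blank lines
#   CURRENT_FILE  saved output of `sysctl -a` ("key = value" per line)
# Prints one line per drifted or missing key; prints nothing when all match.
sysctl_drift() {
    awk -F'=' '
        # normalise: trim both ends and squeeze inner runs of blanks, so that
        # "4000    65000" and "4000 65000" (ip_local_port_range) compare equal
        function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); gsub(/[ \t]+/, " ", s); return s }
        NR == FNR { if (NF >= 2) have[norm($1)] = norm($2); next }   # first file: running values
        {
            sub(/#.*/, "")                          # second file: desired values; drop comments
            if ($0 ~ /^[ \t]*$/ || NF < 2) next
            key = norm($1); want = norm($2)
            if (!(key in have))
                print key ": want " want ", key not present in running kernel"
            else if (have[key] != want)
                print key ": want " want ", running " have[key]
        }' "$2" "$1"
}

# Constructed demo input (not data from a real host): a few of the settings from
# section 14, and a pretend `sysctl -a` dump where tcp_fin_timeout still has the
# stock value and the nf_conntrack module is not loaded.
demo=$(mktemp -d)
cat > "$demo/desired.conf" <<'EOF'
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 4000    65000
net.core.somaxconn = 16384
# firewall tuning; not present when nf_conntrack is not loaded
net.netfilter.nf_conntrack_tcp_timeout_established = 180
EOF
cat > "$demo/running.txt" <<'EOF'
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 4000 65000
net.core.somaxconn = 16384
EOF
sysctl_drift "$demo/desired.conf" "$demo/running.txt"
# On a real host: sysctl -a 2>/dev/null > /tmp/running.txt
#                 sysctl_drift /etc/sysctl.conf /tmp/running.txt
```

Note that net.ipv4.tcp_tw_recycle from the list is known to break connections from clients behind NAT and was removed in Linux 4.12, so on a current kernel the check reports it as not present.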
16. Lock system files

The relevant system files are /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow and /etc/inittab.

    [root@oldboy ~]# chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab    # +i locks the system files
    [root@oldboy ~]# useradd dddd
    useradd: cannot open /etc/passwd
    [root@oldboy ~]# rm -f /etc/passwd
    Do not use rm command.                                     # rm is aliased on this host
    [root@oldboy ~]# \rm -f /etc/passwd
    rm: cannot remove `/etc/passwd': Operation not permitted
    [root@oldboy ~]# chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab    # -i unlocks the system files
    [root@oldboy ~]# useradd dddd
    [root@oldboy ~]# chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
    [root@oldboy ~]# lsattr /etc/passwd                        # view the file attributes
    ----i--------e- /etc/passwd
    [root@oldboy ~]# chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
    [root@oldboy ~]# lsattr /etc/passwd
    -------------e- /etc/passwd

17. Prevent Linux from being pinged (kernel setting)

Disable ping temporarily:

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Disable ping permanently:

    [root@www ~]# echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
    [root@www ~]# tail -1 /etc/sysctl.conf
    net.ipv4.icmp_echo_ignore_all = 1
    [root@www ~]# sysctl -p

Allow ping again:

    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

18. Regularly clear the temporary directory of the mail service

The CentOS 5 series installs the sendmail service by default, so the temporary location of mail is /var/spool/clientmqueue/. CentOS 6 no longer ships the sendmail service by default and uses the postfix service instead, so the mail storage path is /var/spool/postfix/maildrop/. Both directories easily fill up with junk files, which exhausts the system's inodes so that no file can be stored anywhere. Manual cleanup:

    find /var/spool/clientmqueue/ -type f | xargs rm -f        # CentOS 5, sendmail service
    find /var/spool/postfix/maildrop/ -type f | xargs rm -f    # CentOS 6, postfix service

To clear the postfix directory regularly, write the command above as a script and run it from a scheduled task once every night.

Summary: how to optimize Linux

1. Disable SELinux and the firewall.
2. Set the runlevel to 3.
3. Streamline the services that start at boot.
4. SSH security controls (set up an ordinary user in advance).
5. sudo user authorization.
6. Adjust the number of file descriptors.
7. Change to the appropriate character set.
8. Lock key system files.
9. Hide the kernel version and system version information.
10. Set the session timeout and the number of history records.
11. Prohibit ping.
12. Optimize the Linux kernel parameters.
13. Upgrade with yum/rpm for specific vulnerabilities.
14. Clear redundant system virtual accounts.
15. Server time synchronization.
16. Point the patch-download software at a domestic mirror (adjust the yum source).
17. Regularly clear junk files from the temporary directory of the mail service.
18. Add a password to the grub menu.
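The nightly cleanup script that section 18 asks for, written here as an added example rather than code from the article. It keeps the article's find-and-remove logic for the two spool directories but adds the guards a scheduled delete job needs: no root or symlinked path, one filesystem, regular files only, and a count for the log. The script path, log path and cron line in the closing comment are assumptions.

```shell
#!/bin/sh
# Added example (not the article's own script): nightly cleanup of the mail
# service's temporary directory, i.e. the section 18 "find ... | xargs rm -f"
# command wrapped in the checks a cron-driven delete job should have.
#
# clean_spool DIR [MAX_AGE_DAYS]
#   Removes regular files under DIR and prints how many were removed. With
#   MAX_AGE_DAYS > 0 only files older than that many days are touched, so a
#   message still being queued is left alone; 0 (the default) removes all of
#   them, matching the article's command.
clean_spool() {
    dir=$1
    age=${2:-0}
    # A typo here must never turn into rm -f on the root filesystem or follow a
    # symlink planted in the spool: require an existing, non-symlink directory.
    if [ -z "$dir" ] || [ "$dir" = "/" ] || [ -L "${dir%/}" ] || [ ! -d "$dir" ]; then
        echo "clean_spool: refusing to clean '$dir'" >&2
        return 1
    fi
    # -xdev: stay on one filesystem; -type f: regular files only (subdirectories,
    # sockets and symlinks stay). Each removed path goes to stderr for the log,
    # the total to stdout.
    if [ "$age" -gt 0 ]; then
        find "$dir" -xdev -type f -mtime +"$age" -print -delete
    else
        find "$dir" -xdev -type f -print -delete
    fi | awk '{ print "removed: " $0 > "/dev/stderr"; n++ } END { print n + 0 }'
}

# Constructed demo on a scratch directory, not a real spool.
demo=$(mktemp -d)
touch "$demo/1-junk" "$demo/2-junk"
mkdir "$demo/sub" && touch "$demo/sub/3-junk"
clean_spool "$demo"          # prints 3; the directory "sub" itself is kept
rm -rf "$demo"

# Assumed deployment: save this file as /usr/local/sbin/clean_spool.sh, replace
# the demo above with the call for the release in use,
#   clean_spool /var/spool/clientmqueue/ 1        # CentOS 5, sendmail
#   clean_spool /var/spool/postfix/maildrop/ 1    # CentOS 6, postfix
# and run it from root's crontab every night, keeping the counts in a log:
#   0 2 * * * /usr/local/sbin/clean_spool.sh >> /var/log/clean_spool.log 2>&1
```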