Viewing the system environment
[root@xuliangwei ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@xuliangwei ~]# uname -a
Linux xuliangwei.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
1. Streamlining the boot-time services
Five services must be kept: sshd, rsyslog, network, crond, sysstat
sshd
The server program needed to reach the Linux server remotely; if it is not running you cannot log in over the network.
rsyslog
The logging facility provided by the operating system. System daemons usually hand their messages to rsyslog, which writes them to the system log files. Before CentOS 6 the service was called syslog.
network
Required if the network interfaces are to be brought up and down with the system, so it must be enabled.
crond
Runs the periodic system and user-configured scheduled tasks. Almost every production system has jobs that must run on a schedule, so this service is practically mandatory.
sysstat
sysstat is a package containing a set of tools for measuring system performance and efficiency. It collects data such as CPU utilization and disk and network throughput, which can be used to judge whether the system is behaving normally, so it is a good assistant for running a server efficiently and safely.
The main tools in the sysstat package are:
iostat, which reports CPU utilization and disk throughput;
mpstat, which reports data for one or more processors;
sar, which collects, reports and stores system activity information.
Ways to stop the other services from starting at boot:
1) setup --> System services --> remove the * to turn a service off
2) ntsysv --> remove the * to turn a service off
3) use chkconfig to turn it off
chkconfig name off
Using a for loop with awk to turn off every service that does not need to start at boot:
for i in $(chkconfig --list | awk '{print $1}' | grep -Ev "sshd|network|rsyslog|sysstat|crond"); do chkconfig $i off; done
chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev 'crond|network|rsyslog|sshd|sysstat' | sed -r 's/(.*)/chkconfig \1 off/g' | bash
Note that chkconfig --list also prints the "xinetd based services:" header and the xinetd entries, whose lines have a different format, so the second form (filtering on 3:on first) is the safer one. Run chkconfig --list | grep 3:on afterwards to confirm that only the five retained services are still on.
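As an added example (this is not code from the original post), the script below reads the text that chkconfig --list prints, picks out the SysV services that are on in runlevel 3 and not in the keep-list, and prints the chkconfig commands for review before anything is changed. The listing embedded in it is constructed for the example; nothing is assumed beyond the CentOS 6 chkconfig output format.

```shell
#!/bin/sh
# Added example (not from the original post): decide which boot services to
# turn off from the text that `chkconfig --list` prints on CentOS 6.
# SAMPLE_LISTING below is constructed for this example.

KEEP="sshd network rsyslog crond sysstat"

# Read a `chkconfig --list` listing on stdin and print one service name per
# line for every SysV service that is on in runlevel 3 and not in $KEEP.
# The lines under "xinetd based services:" contain no "3:on" field, so they
# are skipped automatically.
services_to_disable() {
    awk -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) keepset[k[i]] = 1 }
        /3:on/ && !($1 in keepset) { print $1 }
    '
}

# Turn the names into chkconfig commands. With DRY_RUN=1 (the default) the
# commands are printed for review instead of being executed.
disable_services() {
    services_to_disable | while read -r svc; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "chkconfig $svc off"
        else
            chkconfig "$svc" off
        fi
    done
}

# Constructed excerpt of `chkconfig --list` output (CentOS 6 format).
SAMPLE_LISTING='abrtd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sysstat         0:off   1:on    2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:on    4:on    5:on    6:off
xinetd based services:
        chargen-dgram:  off
        rsync:          off'

# Review mode: prints the chkconfig commands for the sample without running them.
# On a real host: chkconfig --list | DRY_RUN=0 disable_services
printf "%s\n" "$SAMPLE_LISTING" | disable_services
```

Reviewing the generated commands first matters because the keep-list is all that stands between this loop and turning off something like iptables or auditd that the host actually depends on.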
2. Minimized Linux installation
The principle of minimization in operations and maintenance:
2.1 Install the Linux system minimally: choose the minimal package set, install only what is needed with yum, and do not install packages that will not be used.
2.2 Minimize the commands you run. For example, use rm -f text.txt rather than rm -rf.
2.3 Minimize the users who log in. Do not log in as root unless it is really necessary; log in as an ordinary user.
2.4 Minimize the privileges granted to ordinary users, i.e. authorize only the system management commands that are actually needed.
2.5 Minimize the permissions set on system files and directories, and prohibit creating, changing or deleting them arbitrarily (in theory, forbidden outright).
3. SSH optimization
Configuration files
/etc/ssh/sshd_config  server side
/etc/ssh/ssh_config   client side
Port 52113               change the listening port to 52113
UseDNS no                the default yes makes sshd reverse-resolve the client's hostname on every connection (meant to detect client spoofing); setting it to no removes that DNS delay at login
PermitRootLogin no       disable direct root login
GSSAPIAuthentication no  the default yes is the usual cause of slow SSH connections between Linux hosts; set it to no
PermitEmptyPasswords no  prohibit empty passwords (no is already the default)
ListenAddress 192.168.1.x  listen only on the server's intranet address, so remote connections are accepted from the LAN only and the public address refuses them outright; administrators enter the LAN through a VPN or jump host, which is more secure
Modified configuration
######xuliangwei######
Port 52113
UseDNS no
PermitRootLogin no
GSSAPIAuthentication no
######20150627######
The lines can be added with sed (anchored on the #Port 22 line that the stock CentOS 6 sshd_config contains)
[root@xuliangwei ~]# sed -ri '/^#Port 22/i Port 52113\nUseDNS no\nPermitRootLogin no\nGSSAPIAuthentication no' /etc/ssh/sshd_config
The option order is -ri, not -ir: GNU sed reads -ir as -i with the backup suffix r, so -ir leaves a stray sshd_configr file behind and never enables -r. The new lines go near the top of the file because sshd honours the first occurrence of a directive, and the stock CentOS 6 sshd_config already contains an uncommented GSSAPIAuthentication yes further down. Check the result with sshd -t before restarting the service with /etc/init.d/sshd restart, and keep the old session open until a new login on port 52113 has been confirmed.
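As an added example (not code from the original post), the script below applies the sshd_config settings from this section to a file idempotently, so it can be re-run without piling up duplicate directives, and shows how to read back the value sshd will actually use. The sample sshd_config it creates is a constructed excerpt of the stock CentOS 6 file; the helper names are this example's own, and it assumes the file contains no Match block.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent sshd_config hardening.
# Assumes the usual sshd rule that the first occurrence of a directive wins and
# that the file has no Match block (true for the stock CentOS 6 sshd_config).

# set_sshd_option FILE KEY VALUE
# Replace the first line for KEY (commented out or active) with "KEY VALUE",
# drop any later duplicates, and if KEY is absent put it at the very top so it
# cannot be shadowed by an earlier occurrence.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0; sub(/^[ \t]*[#]?[ \t]*/, "", line); split(line, w, /[ \t]+/)
            if (w[1] == key) { if (!done) { out[++n] = key " " value; done = 1 }; next }
            out[++n] = $0
        }
        END {
            if (!done) print key " " value
            for (i = 1; i <= n; i++) print out[i]
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"   # keep the file mode (600)
}

# effective_sshd_option FILE KEY: the value of the first active line for KEY.
effective_sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# The settings from this section of the post.
harden_sshd() {
    set_sshd_option "$1" Port 52113
    set_sshd_option "$1" UseDNS no
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" GSSAPIAuthentication no
    set_sshd_option "$1" PermitEmptyPasswords no
}

# Constructed excerpt of the stock CentOS 6 sshd_config, for the demonstration.
make_sample_config() {
    cat > "$1" <<'EOF'
#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#PermitRootLogin yes
#PermitEmptyPasswords no
PasswordAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
#UseDNS yes
Subsystem	sftp	/usr/libexec/openssh/sftp-server
EOF
}

cfg=$(mktemp)
make_sample_config "$cfg"
harden_sshd "$cfg"
harden_sshd "$cfg"        # second run changes nothing
cat "$cfg"
echo "effective Port: $(effective_sshd_option "$cfg" Port)"
rm -f "$cfg"
# On a real host: harden_sshd /etc/ssh/sshd_config && sshd -t && /etc/init.d/sshd restart
```

Rewriting the first occurrence rather than appending is the whole point: appending GSSAPIAuthentication no to the end of the stock file would be silently ignored because the earlier GSSAPIAuthentication yes wins.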
4. Other optimizations
4.0 Character set
The client connection tool must also be set to UTF-8.
Takes effect temporarily
export LANG=en_US.UTF-8
Takes effect permanently
vim /etc/sysconfig/i18n and change it to LANG="en_US.UTF-8"
4.1 Time synchronization
Time servers
time.nist.gov
time.windows.com
Set the time manually
date -s "2015/05/28 12:00"
Synchronize with an Internet time server periodically with ntpdate (add the line below to root's crontab, e.g. with crontab -e; the output is discarded so that cron does not mail it to root)
*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1
With 50 to 100 servers or more, build an internal NTP server (ntpd) and let the other machines synchronize from it instead of each one reaching out to the Internet.
4.2 Optimizing the history
history shows the last 1000 entries by default (HISTSIZE=1000 from /etc/profile)
Parameters:
-c: clear the history list
-d: delete the entry at the given offset
export HISTSIZE=5        (entries kept in the terminal session)
export HISTFILESIZE=5    (entries kept in ~/.bash_history in the user's home directory)
[root@xuliangwei ~]# HISTFILESIZE=5
[root@xuliangwei ~]# cat ~/.bash_history
test
welcome to xuliangwei linux
EOF
exit
Clear the history of the terminal
[root@xuliangwei ~]# history -c
[root@xuliangwei ~]# history
  734  history
Bear in mind that a short history also removes the record an investigator would want after an incident; on a shared production server it is more useful to keep it and forward the logs centrally than to trim it.
4.3 Terminal timeout
Takes effect temporarily
[root@xuliangwei ~]# export TMOUT=300
Takes effect permanently
echo "export TMOUT=300" >>/etc/profile
TMOUT is in seconds (300 = 5 minutes), not milliseconds; bash does not accept a value such as 300ms. An idle interactive shell exits once the timeout expires.
4.4 Increasing the number of file descriptors
Every process consumes file descriptors when it starts; if the limit is too low, processes fail to start or to open files.
View the default limit
ulimit -n
Parameters:
-S: soft limit
-H: hard limit
Adjust the limit
Takes effect temporarily
ulimit -SHn 65535
Takes effect permanently
echo "* - nofile 65535" >>/etc/security/limits.conf
The limits.conf entry applies to new logins through PAM; processes that are already running keep their old limit until they are restarted.
4.5 Locking critical system files
Lock the files
[root@xuliangwei ~]# chattr +i /etc/passwd /etc/shadow /etc/gshadow /etc/inittab
View the locked files
[root@xuliangwei ~]# lsattr /etc/passwd /etc/shadow /etc/gshadow /etc/inittab
----i--------e- /etc/passwd
----i--------e- /etc/shadow
----i--------e- /etc/gshadow
----i--------e- /etc/inittab
Remove the lock
[root@xuliangwei ~]# chattr -i /etc/passwd /etc/shadow /etc/gshadow /etc/inittab
Check again
[root@xuliangwei ~]# lsattr /etc/passwd /etc/shadow /etc/gshadow /etc/inittab
-------------e- /etc/passwd
-------------e- /etc/shadow
-------------e- /etc/gshadow
-------------e- /etc/inittab
While the immutable bit is set, useradd, passwd and similar commands fail because they cannot rewrite these files, so remove the lock before making account changes and set it again afterwards. The bit is only a speed bump for an attacker who already has root, since root can clear it with chattr -i.
4.6 Preventing the Linux host from answering ping
Ignoring ICMP echo requests makes the host a little harder to discover
echo "net.ipv4.icmp_echo_ignore_all=1" >>/etc/sysctl.conf
Apply it
sysctl -p
This is generally not done in real work; ICMP is filtered in the firewall instead.
4.7 Changing the yum source
The default yum source downloads from the official CentOS mirrors, which is slow from inside China; switching to a domestic mirror is much faster.
Back up the existing source
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.xuliangwei.20150629
CentOS 5 source
[root@xuliangwei ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-5.repo
CentOS 6 source
[root@xuliangwei ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
CentOS 7 source
[root@xuliangwei ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
The repo file is fetched over plain HTTP, so check that the downloaded file still has gpgcheck=1 and a gpgkey entry before running yum, and do not point a production fleet at a mirror you have not reviewed.
4.8 Hiding the Linux version number
[root@xuliangwei ~]# >/etc/issue
[root@xuliangwei ~]# >/etc/issue.net
(>/etc/issue is equivalent to cat /dev/null >/etc/issue)
Edit /etc/motd (the message shown after login)
[root@xuliangwei ~]# cat >>/etc/motd << EOF
> welcome to xuliangwei linux
> EOF
4.9 Adding a password to grub
[root@xuliangwei ~]# /sbin/grub-md5-crypt
Password:
Retype password:
$1$gavdj$90lqgr4wta/.9kfeafw7f/
Edit /etc/grub.conf
Add the line password --md5 $1$gavdj$90lqgr4wta/.9kfeafw7f/ in the global section, after the splashimage line and before the first title entry. With the password set, the boot entries can no longer be edited at the grub menu (for example to append single or init=/bin/bash) without entering it; anyone with physical access can still boot from other media, so this complements a BIOS password rather than replacing it.
5. Scheduled clean-up of junk files in the mail service temp directory
The CentOS 5 series installs the sendmail service by default, so the mail temporary storage location is
/var/spool/clientmqueue/
CentOS 6 does not install sendmail by default but ships postfix instead, so the path of the mail storage location is
/var/spool/postfix/maildrop/
Both directories fill up easily with junk files (cron jobs whose output is not redirected, as in the ntpdate entry above, are the usual source), which exhausts the inodes so that no more files can be created.
Manual clean-up:
[root@xuliangwei ~]# find /var/spool/clientmqueue/ -type f | xargs rm -f
sendmail service on CentOS 5
[root@xuliangwei ~]# find /var/spool/postfix/maildrop/ -type f | xargs rm -f
postfix service on CentOS 6
For scheduled clean-up, put the command above in a script and run it from a cron job every night at 0 o'clock.
6. Turning off the firewall
6.1 Turning off the iptables firewall
Learn how to turn the firewall off properly; in production this is only done while debugging
View the firewall rules
[root@xuliangwei ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Turn off the firewall
[root@xuliangwei ~]# /etc/init.d/iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
6.2 Turning off SELinux
Modify /etc/selinux/config
change SELINUX=enforcing to SELINUX=disabled
Replace it with sed
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
Turn it off temporarily
getenforce     view the current mode
setenforce 1   enforcing; setenforce 0   permissive
The /etc/selinux/config change takes effect at the next boot; setenforce changes only the running mode. A host that has run with SELinux disabled needs a relabel (touch /.autorelabel) if it is ever switched back on.
7. Linux kernel optimization
The parameters listed here are the ones used in production by the Old Boy (老男孩) Linux training course:
Add the parameters to /etc/sysctl.conf and run sysctl -p to make them effective and permanent
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
Two caveats before copying this list. The three conntrack keys exist only while the connection-tracking modules are loaded; after /etc/init.d/iptables stop has unloaded them (section 6.1), sysctl -p reports "No such file or directory" for those lines while still applying the rest, and on CentOS 6 the native names are net.netfilter.nf_conntrack_max and net.netfilter.nf_conntrack_tcp_timeout_established. And net.ipv4.tcp_tw_recycle = 1 silently drops connections from clients behind NAT (their TCP timestamps fail the PAWS check), which is why the kernel removed the option in 4.12; leave it at 0 on any server reached through NAT or a load balancer.
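As an added example (not code from the original post), the script below takes the parameter list from this section, parses it into key/value pairs, reports which keys the running kernel does not expose under /proc/sys, flags the keys known to cause trouble outside a lab, and prints the per-key sysctl -w commands so that each failure is reported by name instead of being lost in sysctl -p's output. The parameter text is copied from this section; the risky-key list and the helper names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a sysctl parameter
# list like the one in this section before applying it on a CentOS 6 host.

# The parameter list from this section of the post, verbatim.
SYSCTL_PARAMS='net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl =15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_max= 65536
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=180
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384'

# This example's own list of keys whose value above is unsafe outside a lab:
# tcp_tw_recycle breaks clients behind NAT (PAWS) and was removed in Linux 4.12.
RISKY_KEYS="net.ipv4.tcp_tw_recycle"

# Normalize sysctl.conf text on stdin to "key value" lines: strip comments and
# blank lines and replace the first "=" (with surrounding spaces) by one space.
parse_params() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*=[[:space:]]*/ /'
}

# Map a sysctl key to the /proc/sys path the kernel exposes it at.
key_to_path() {
    echo "/proc/sys/$(echo "$1" | tr . /)"
}

# Keys from the list that the running kernel does not expose (e.g. the
# conntrack keys while the conntrack modules are unloaded).
missing_keys() {
    printf "%s\n" "$SYSCTL_PARAMS" | parse_params | while read -r key value; do
        [ -e "$(key_to_path "$key")" ] || echo "$key"
    done
}

# Keys from the list that appear in RISKY_KEYS.
risky_keys() {
    printf "%s\n" "$SYSCTL_PARAMS" | parse_params | awk -v risky="$RISKY_KEYS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) set[r[i]] = 1 }
        ($1 in set) { print $1 }'
}

# Apply key by key. With APPLY=1 the values are set; otherwise (the default)
# the commands are printed for review. Multi-value keys such as tcp_wmem keep
# their full value because `read` leaves the rest of the line in $value.
apply_params() {
    printf "%s\n" "$SYSCTL_PARAMS" | parse_params | while read -r key value; do
        if [ "${APPLY:-0}" = "1" ]; then
            sysctl -w "$key=$value"
        else
            echo "sysctl -w \"$key=$value\""
        fi
    done
}

echo "== keys not exposed by this kernel =="; missing_keys
echo "== keys flagged as risky =="; risky_keys
echo "== commands (dry run; APPLY=1 to execute as root) =="; apply_params
```

Applying values one key at a time also means a typo in one line of /etc/sysctl.conf cannot be mistaken for the whole file having been applied; sysctl -p prints the error but keeps going, and the lines after it are easy to overlook.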
Enterprise interview question: how do you optimize a Linux system?
How is the Linux system optimized?
1. Do not administer the system as root; work as an ordinary user with sudo authorization.
2. Change the default SSH port, forbid remote login by root, and even make sshd listen only on the intranet IP.
3.
4. Configure the yum update source to download packages from a domestic mirror.
5. Turn off SELinux and iptables (in real work, iptables stays on if the host has a public IP).
6. Raise the number of file descriptors; every process and every open file consumes one.
7. Clean up the mail directory junk files automatically on a schedule so the inodes are not exhausted (note that the directories differ between CentOS 5 and CentOS 6).
8. Streamline the boot-time services and keep only the necessary ones (crond, sshd, network, rsyslog, sysstat).
9. Tune the kernel parameters in /etc/sysctl.conf and run sysctl -p to apply them.
10. Change the character set; Chinese is supported, but the English character set is recommended to avoid garbled output.
11. Lock critical system files such as /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow and /etc/inittab.
After locking them, rename chattr and lsattr (for example to xuliangwei) so they are harder for an intruder to find and undo. This is obscurity rather than a real control: root can still locate the renamed binaries or bring in a copy.
12. Clear /etc/issue and /etc/issue.net to remove the system and kernel version from the pre-login banner.
13. Remove the redundant system (virtual) accounts.
14. Add a password to the grub menu.
15. Disable ping.
16. Upgrade software with known vulnerabilities.
This article is from the "Xu Liangwei" blog; please keep this source when reproducing it: http://liangweilinux.blog.51cto.com/8340258/1681472
Basic optimization idea after Linux installation