Basic optimization idea after Linux installation

Source: Internet
Author: User
Tags: system log, cpu usage, rsyslog, aliyun

Viewing the system environment

# cat /etc/redhat-release
CentOS release 6.6 (Final)
# uname -a
Linux xuliangwei.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 04:27:16 UTC x86_64 x86_64 x86_64 GNU/Linux


1. Streamlining boot-time services

Five services that must be kept: sshd | rsyslog | network | crond | sysstat

sshd

The server program needed to connect to a Linux host remotely. It must be kept on, otherwise nobody can log in to the server.

rsyslog

The logging mechanism provided by the operating system. System daemons normally use rsyslog to write their messages to the system log files. Before CentOS 6 the service was named syslog.

network

If network interfaces should be brought up and down when the system starts and stops, this service must be enabled.

crond

Runs periodic system tasks and user-configured schedules. Since there are always jobs that must run periodically, keep it on; it is used in almost every production environment.

sysstat

sysstat is a package containing a set of tools for measuring system performance and efficiency. It collects performance data such as CPU usage and disk and network throughput, which can be used to judge whether the system is behaving normally, so it is a good assistant for running the server efficiently and safely.

The main tools integrated in the sysstat package are:

iostat provides data on CPU utilization and hard-drive throughput;

mpstat provides data on a single processor or on multiple processors;

sar collects, reports and stores information about system activity.

Other ways to stop services from starting at boot:

1) setup --> System services --> clear the * to turn a service off

2) ntsysv --> clear the * to turn a service off

3) use chkconfig to turn it off:

chkconfig <name> off

Using a for loop with awk to turn off every service that does not need to start at boot (two equivalent forms):

for i in `chkconfig --list | awk '{print $1}' | grep -Ev "sshd|network|rsyslog|sysstat|crond"`; do chkconfig $i off; done

chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev 'crond|network|rsyslog|sshd|sysstat' | sed -r 's/(.*)/chkconfig \1 off/g' | bash
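As an added audit step (not from the original post), the following script lists what the loop above would turn off before anything is changed. It parses chkconfig --list output on stdin, skips the xinetd section that the one-liners above would trip over, and is exercised here on a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: list what would be turned off
# before running `chkconfig <name> off` in a loop.

# Services that must stay enabled (the five from the text).
KEEP="sshd network rsyslog crond sysstat"

# Constructed sample of `chkconfig --list` output in CentOS 6 format, so the
# function can be exercised offline; on a real host pipe `chkconfig --list` in.
SAMPLE_CHKCONFIG='auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sysstat         0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:on    2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:          off
        telnet:         off'

# Read chkconfig-style output on stdin; print services that are "3:on"
# (runlevel 3, the usual server runlevel) and not in $KEEP, one per line.
# The xinetd header and its indented entries are skipped: they are not
# SysV init scripts and `chkconfig rsync: off` would only produce an error.
extra_services() {
    awk -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) keepset[k[i]] = 1 }
        /^[ \t]/ || /xinetd based services/ { next }
        {
            for (f = 2; f <= NF; f++)
                if ($f == "3:on" && !($1 in keepset)) { print $1; break }
        }
    '
}

# Dry run on the sample: prints auditd, ip6tables, postfix, udev-post.
printf '%s\n' "$SAMPLE_CHKCONFIG" | extra_services

# On a real host, review the list, then apply it:
# chkconfig --list | extra_services | while read -r svc; do chkconfig "$svc" off; done
```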

2. Linux minimal installation

The principle of minimization in operations thinking:

2.1 Install the Linux system minimally: install the minimal package set, keep yum installs to a minimum, and do not install packages that are not needed.

2.2 Minimize the commands you run. For example: use rm -f text.txt, not rm -rf.

2.3 Minimize the users that log in to Linux. Do not log in as root when it is not needed; log in as an ordinary user.

2.4 Minimize the permissions granted to ordinary users, that is, grant only the management commands that are necessary.

2.5 Minimize the permissions on Linux system files and directories; forbid arbitrary creation, modification and deletion. (In theory, forbidden altogether.)

3. SSH optimization

Configuration files

/etc/ssh/sshd_config   server side

/etc/ssh/ssh_config    client side

Port 52113                        change the listening port to 52113

UseDNS yes -> no                  with yes, sshd reverse-resolves the client hostname during authentication to guard against client spoofing; set it to no

PermitRootLogin no                disable root login

GSSAPIAuthentication yes -> no    turn it off to fix slow SSH connections between Linux hosts

PermitEmptyPasswords no           forbid blank passwords (no is the default)

ListenAddress 192.168.1.x         listen only on the server's intranet address for remote connections; the external address refuses SSH outright. Enter the LAN through a VPN jump host instead, which is more secure

Configuration file modification

######xuliangwei######
Port 52113
UseDNS no
PermitRootLogin no
GSSAPIAuthentication no
######20150627######

The same lines can be added with sed (inserted at line 1; without an address the i command would insert the block before every line of the file):

# sed -i '1iPort 52113\nUseDNS no\nPermitRootLogin no\nGSSAPIAuthentication no' /etc/ssh/sshd_config
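As an added example (not from the original post), the following shell functions apply the same directives idempotently: existing lines for each key are commented out so the appended value is the one sshd reads, repeated runs do not pile up conflicting entries, and the demo works on a constructed temporary copy rather than the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original post: set sshd_config directives
# idempotently instead of inserting raw lines with `sed i`.

# set_sshd_option FILE KEY VALUE
# sshd uses the first occurrence of a keyword, so every existing line for KEY
# (commented or not) is commented out before the new value is appended.
set_sshd_option() {
    file=$1 key=$2 value=$3
    sed -i "s/^[[:space:]]*#\{0,1\}[[:space:]]*${key}[[:space:]].*/#&/" "$file"
    printf '%s %s\n' "$key" "$value" >> "$file"
}

# get_sshd_option FILE KEY -> the value sshd would use (first active line).
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Apply the directives from the text to FILE.
harden_sshd() {
    f=$1
    set_sshd_option "$f" Port 52113
    set_sshd_option "$f" UseDNS no
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" GSSAPIAuthentication no
    set_sshd_option "$f" PermitEmptyPasswords no
}

# Demo on a constructed copy resembling a stock CentOS 6 sshd_config, so the
# real /etc/ssh/sshd_config is never touched here.
DEMO=$(mktemp)
cat > "$DEMO" <<'EOF'
#Port 22
Protocol 2
PermitRootLogin yes
#UseDNS yes
GSSAPIAuthentication yes
EOF
harden_sshd "$DEMO"
harden_sshd "$DEMO"            # second run must not leave two active Port lines
get_sshd_option "$DEMO" Port   # prints 52113
rm -f "$DEMO"

# On the real host, check the syntax before restarting the daemon:
# sshd -t && /etc/init.d/sshd restart
```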

4. Other optimizations

4.0 Chinese characters (character set)

The client connection tool must also be set to UTF-8.

Temporary (current session)

export LANG=en_US.UTF-8

Permanent

vim /etc/sysconfig/i18n and change the line to LANG="en_US.UTF-8"

4.1 Time synchronization

Time servers

time.nist.gov
time.windows.com

Setting the time manually

date -s "2015/05/28 12:00"

Periodic synchronization with Internet time via ntpdate (crontab entry, every 5 minutes)

*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1

With 50-100 servers, build an internal NTP server (ntpd) and let the other machines synchronize from it.

4.2 History optimization

history shows the last 100 entries by default

Parameters:

-c: clear the history

-d: delete the specified entry

export HISTSIZE=5     (controls the entries kept by the terminal)

HISTFILESIZE=5        (controls the entries written to the history file in the user's home directory)

# HISTFILESIZE=5
# cat ~/.bash_history
test
welcome to Xuliangwei linux
EOF
exit

Clearing the terminal history

# history -c
# history
  734  history

4.3 Terminal timeout

Temporary (current session; TMOUT is in seconds)

# export TMOUT=300

Permanent

echo "export TMOUT=300" >> /etc/profile

4.4 Increasing the number of file descriptors

Every process consumes file descriptors when it starts; if the limit is too low, processes fail to start.

View the current limit

ulimit -n

Parameters:

-S: soft limit

-H: hard limit

Adjust the limit

Temporary (current session)

ulimit -SHn 65535

Permanent

echo "* - nofile 65535" >> /etc/security/limits.conf

4.5 Locking critical system files

Lock the files

# chattr +i /etc/passwd /etc/shadow /etc/gshadow /etc/inittab

View the locked files

# lsattr /etc/passwd /etc/shadow /etc/gshadow /etc/inittab
----i--------e- /etc/passwd
----i--------e- /etc/shadow
----i--------e- /etc/gshadow
----i--------e- /etc/inittab

Release the lock

# chattr -i /etc/passwd /etc/shadow /etc/gshadow /etc/inittab

Check again

# lsattr /etc/passwd /etc/shadow /etc/gshadow /etc/inittab
-------------e- /etc/passwd
-------------e- /etc/shadow
-------------e- /etc/gshadow
-------------e- /etc/inittab

Note that while the +i flag is set, useradd, usermod and passwd fail because they cannot rewrite these files; remove the flag, make the change, then set it again.
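As an added check (not from the original post), the following function parses lsattr output and reports which of the locked files have lost the immutable flag, so the lock can be verified from cron or a monitoring job; it is exercised here on constructed lsattr output.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the files locked with
# chattr +i are still immutable by parsing `lsattr` output.

CRITICAL_FILES="/etc/passwd /etc/shadow /etc/gshadow /etc/inittab"

# Constructed lsattr output: two files locked, two with the flag removed.
SAMPLE_LSATTR='----i--------e- /etc/passwd
----i--------e- /etc/shadow
-------------e- /etc/gshadow
-------------e- /etc/inittab'

# Read lsattr output on stdin; print the path of every line whose attribute
# field (column 1) does not contain 'i'.
unlocked_files() {
    awk 'index($1, "i") == 0 { print $2 }'
}

# Exit 0 when every critical file is immutable, 1 otherwise; the offending
# paths go to stdout so a cron job's output can be mailed or logged.
check_locks() {
    unlocked=$(lsattr $CRITICAL_FILES 2>/dev/null | unlocked_files)
    [ -z "$unlocked" ] && return 0
    printf '%s\n' "$unlocked"
    return 1
}

# Offline demo on the sample: prints /etc/gshadow and /etc/inittab.
printf '%s\n' "$SAMPLE_LSATTR" | unlocked_files

# On a real host (e.g. hourly from cron):
# check_locks || logger -t lockcheck "immutable flag missing on critical files"
```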

4.6 Making Linux ignore ping

Ignoring ICMP echo requests to increase system security

echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf

Make it take effect

sysctl -p

In practice this is not usually done; ICMP is normally filtered with the firewall instead.

4.7 Switching the yum source

The default yum source downloads from the official CentOS mirrors, which is very slow from China; switching to a domestic mirror is much faster.

Back up the existing yum source

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.xuliangwei.20150629

CentOS 5 source

# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-5.repo

CentOS 6 source

# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo

CentOS 7 source

# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

After downloading, confirm that the new file still contains gpgcheck=1 so that package signatures keep being verified.

4.8 Hiding the Linux version number

# > /etc/issue
(> /etc/issue is equivalent to cat /dev/null > /etc/issue)

Edit /etc/motd (the message shown after login)

# cat >> /etc/motd << EOF
> Welcome to Xuliangwei linux
> EOF

4.9 Adding a password to GRUB

# /sbin/grub-md5-crypt
Password:
Retype password:
$1$gavdj$90lqgr4wta/.9kfeafw7f/

Edit /etc/grub.conf

Add the password line (password --md5 <hash from above>) between the splashimage and title lines.


5. Scheduled cleanup of junk files in the mail service temp directory

CentOS 5 installs the sendmail service by default, so the mail temporary storage location is

/var/spool/clientmqueue/

CentOS 6 does not install sendmail by default but ships postfix instead, so the mail storage path is

/var/spool/postfix/maildrop/

Both directories fill up easily with junk files, exhausting the inodes so that no new files can be stored.

The manual cleanup method is as follows:

# find /var/spool/clientmqueue/ -type f | xargs rm -f

(sendmail service, CentOS 5)

# find /var/spool/postfix/maildrop/ -type f | xargs rm -f

(postfix service, CentOS 6)

Scheduled cleanup: put the command above into a script and run it as a scheduled task every night at 0:00.
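The nightly cleanup as a script, added here as an example (not the original post's code): it picks the spool directory for whichever MTA is installed, removes only regular files so postfix's own queue subdirectories survive, copes with odd file names, and is demonstrated on a constructed temporary spool. The install path /server/scripts/clean_mail.sh in the cron line is a hypothetical choice.

```shell
#!/bin/sh
# Added example, not from the original post: nightly mail spool cleanup.
# Assumed install path (hypothetical): /server/scripts/clean_mail.sh

# Print the spool directory to clean, or return 1 if neither MTA is present.
mail_spool_dir() {
    if [ -d /var/spool/postfix/maildrop ]; then      # CentOS 6, postfix
        echo /var/spool/postfix/maildrop
    elif [ -d /var/spool/clientmqueue ]; then        # CentOS 5, sendmail
        echo /var/spool/clientmqueue
    else
        return 1
    fi
}

# Remove every regular file below DIR and print how many were removed.
# -print0/-0 keeps names with spaces or newlines intact; -r skips rm when
# there is nothing to delete; directories are never touched.
clean_spool() {
    dir=$1
    count=$(find "$dir" -type f -print0 | tr -cd '\000' | wc -c)
    find "$dir" -type f -print0 | xargs -0 -r rm -f
    echo $count
}

# Demo on a constructed temporary spool so the script can be tried anywhere
# without touching the real queue.
TMP_SPOOL=$(mktemp -d)
for i in 1 2 3; do : > "$TMP_SPOOL/msg $i"; done
mkdir "$TMP_SPOOL/active"         # subdirectory: must survive, only files go
clean_spool "$TMP_SPOOL"          # prints 3
ls -A "$TMP_SPOOL"                # prints: active
rm -r "$TMP_SPOOL"

# For the real job, the script's last line would be:
#   clean_spool "$(mail_spool_dir)"
# cron entry for root (crontab -e), every night at 00:00:
# 0 0 * * * /bin/sh /server/scripts/clean_mail.sh >/dev/null 2>&1
```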


6. Turning off the firewall

6.1 Shutting down the iptables firewall

Learn to shut the firewall down properly; in a production environment do this only while debugging.

View the firewall rules

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Shut down the firewall

# /etc/init.d/iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]

6.2 Turning off SELinux

Modify /etc/selinux/config

Change SELINUX=enforcing to SELINUX=disabled

Use sed to switch SELinux off

sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

Turning it off temporarily

getenforce      view the current mode

setenforce 1    enforcing;  setenforce 0    permissive

7. Linux kernel optimization

The parameters listed here are the ones the Old Boy (oldboy) Linux training teachers commonly use in production:

Append the parameters to /etc/sysctl.conf and run sysctl -p to make them take effect immediately and permanently

net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384

Caveat: net.ipv4.tcp_tw_recycle = 1 drops connections from clients behind NAT (several clients share one source address with inconsistent TCP timestamps), and the option was removed from the kernel in 4.12; leave it at 0 on any server that serves NAT'd clients. The conntrack keys exist only while the connection-tracking module is loaded, so sysctl -p prints an error for them on a host where iptables is stopped, while the remaining parameters are still applied.


Enterprise interview question: how is a Linux system optimized?

How is the Linux system optimized?

1. Do not administer as root; administer as ordinary users through sudo authorization.

2. Change the default SSH port, forbid remote login by root, and even make sshd listen only on the intranet IP.

3.

4. Configure the yum update source to download packages from a domestic mirror.

5. Turn off SELinux and iptables (in a work scenario, iptables is normally left on if the host has an external IP).

6. Increase the number of file descriptors; every process and every open file consumes one.

7. Regularly and automatically clean up junk files in the mail directory to keep inodes from running out (note that the CentOS 5 and CentOS 6 directories differ).

8. Streamline boot services, keeping only the necessary ones (such as crond, sshd, network, rsyslog, sysstat).

9. Optimize kernel parameters in /etc/sysctl.conf and run sysctl -p to apply them.

10. Change the character set; Chinese is supported, but the English character set is recommended to prevent garbled characters.

11. Lock critical system files such as /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab

After locking, rename chattr and lsattr (for example to xuliangwei) so that the lock is harder to undo.

12. Clear /etc/issue and /etc/issue.net to remove the system and kernel version shown before the login prompt.

13. Remove redundant system virtual accounts.

14. Add a password to the GRUB menu.

15. Disable ping.

16. Upgrade software with known vulnerabilities.


This article is from the "Xu Liangwei" blog, make sure to keep this source http://liangweilinux.blog.51cto.com/8340258/1681472
