Special note: NIC modification after cloning
1. Edit the configuration file for eth0: vi /etc/sysconfig/network-scripts/ifcfg-eth0
Delete the HWADDR line and the UUID line, which look like this:
HWADDR=00:0c:29:08:28:9f
UUID=cee39dbb-6a10-4425-9daf-768b6e79a9c9
2. Clear the persistent network device rules:
> /etc/udev/rules.d/70-persistent-net.rules
Then reboot.
Optimization entries:
- Modify the IP address, gateway, hostname, DNS, etc.
- Turn off SELinux, empty iptables
- Add a regular user and grant sudo authorization
- Update the yum source and install the necessary software
- Scheduled automatic update of the server time
- Streamline the boot-up services
- Scheduled automatic cleanup of junk files in /var/spool/clientmqueue/, to prevent the inodes from filling up
- Change the default SSH service port, prohibit root remote login
- Lock key system files
- Adjust the file descriptor size
- Character set: enable Chinese support
- Remove the system and kernel version from the login screen
- Kernel parameter optimization
1. Modify the IP address, gateway, hostname, DNS, etc. (with a dynamic IP address this step can be skipped)
[root@c64 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0              # NIC name
BOOTPROTO=static         # how the IP address is obtained; static here, dhcp means automatic acquisition
IPADDR=192.168.1.113     # IP address
NETMASK=255.255.255.0    # subnet mask
ONBOOT=yes               # activate the NIC at boot
GATEWAY=192.168.1.1      # gateway
[root@c64 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.113
NETMASK=255.255.255.0
ONBOOT=yes
GATEWAY=192.168.1.1
[root@c64 ~]# vi /etc/sysconfig/network
HOSTNAME=c64             # change the hostname; takes effect after a restart
GATEWAY=192.168.1.1      # change the default gateway; if eth0 above has no gateway configured, this one is used by default
[root@c64 ~]# cat /etc/sysconfig/network
HOSTNAME=c64
GATEWAY=192.168.1.1
You can also run "hostname c64" to change the hostname temporarily; it takes effect on the next login.
Modify DNS:
[root@c64 ~]# vi /etc/resolv.conf     # modify the DNS information
nameserver 114.114.114.114
nameserver 8.8.8.8
[root@c64 ~]# cat /etc/resolv.conf    # view the modified DNS information
nameserver 114.114.114.114
nameserver 8.8.8.8
[root@c64 ~]# service network restart   # restart the network; alternatively use the following command
[root@c64 ~]# /etc/init.d/network restart
2. Turn off SELinux, empty iptables
Turn off SELinux:
[root@c64 ~]# vi /etc/selinux/config
Change the line to SELINUX=disabled (or SELINUX=permissive, which only logs denials instead of enforcing them).
Empty iptables:
[root@c64 ~]# /sbin/iptables -P INPUT ACCEPT   # clear the firewall rules: this sets the default INPUT policy to ACCEPT (iptables -F flushes the rules themselves)
[root@c64 ~]# /etc/init.d/iptables save        # save the firewall configuration
3. Add a regular user and grant sudo authorization
[root@c64 ~]# useradd sunsky
[root@c64 ~]# echo "123456" | passwd --stdin sunsky && history -c
[root@c64 ~]# visudo
Below the line "root ALL=(ALL) ALL", add the following:
sunsky ALL=(ALL) ALL
4. Update the yum source and install the necessary software
By default yum fetches RPM packages from the official mirrors abroad; change this to domestic (Chinese) mirrors.
Two faster domestic sites: the Sohu mirror site and the NetEase mirror site.
Method 1: Write the installation source configuration file yourself and upload it to the Linux machine.
Method 2: Fetch the yum source configuration file from the mirror site:
[root@c64 ~]# cd /etc/yum.repos.d/
[root@c64 yum.repos.d]# /bin/mv CentOS-Base.repo CentOS-Base.repo.bak
[root@c64 yum.repos.d]# wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
Next, run the following commands to check that yum works normally:
[root@c64 yum.repos.d]# yum clean all    # clear the yum cache
[root@c64 yum.repos.d]# yum makecache    # build the yum cache
Then use the following commands to update the system to the latest versions (better not to do this blindly; customize according to your own needs):
[root@c64 yum.repos.d]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*   # import the signing keys into RPM
[root@c64 yum.repos.d]# yum upgrade -y   # update the system, including the kernel, to the latest versions
Then install a few necessary packages:
[root@c64 yum.repos.d]# yum -y install gcc* gcc-c++* autoconf* automake* zlib* libxml* ncurses-devel* libgcrypt* libtool*
[root@c64 yum.repos.d]# yum install lrzsz ntpdate sysstat -y
lrzsz: uploads and downloads files through the terminal
ntpdate: updates the time from a remote time server
sysstat: tools for monitoring system performance and efficiency
5. Scheduled automatic update of the server time
[root@c64 ~]# ntpdate asia.pool.ntp.org
[root@c64 ~]# echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >> /var/spool/cron/root
[root@c64 ~]# echo '*/10 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >> /var/spool/cron/root
Tip: the path of the time synchronization command differs between CentOS versions:
on 6 it is /usr/sbin/ntpdate;
on 5 it is /sbin/ntpdate.
Extension: with a small number of machines, the scheduled task above is enough to keep the time synchronized. With a large number of machines, an additional time synchronization server (an NTP server) can be deployed inside the network. It is only mentioned here and not deployed.
Time synchronization server architecture diagram:
6. Streamline the boot-up services
A freshly installed operating system only needs to keep these four services: crond, network, syslog (rsyslog on CentOS 6.4) and sshd.
[root@c64 ~]# for sun in `chkconfig --list | grep 3:on | awk '{print $1}'`; do chkconfig --level 3 $sun off; done
[root@c64 ~]# for sun in crond rsyslog sshd network; do chkconfig --level 3 $sun on; done
[root@c64 ~]# chkconfig --list | grep 3:on
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
7. Scheduled automatic cleanup of junk files in /var/spool/clientmqueue/, to prevent the inodes from filling up
This optimization point can be skipped on 6.4 and later (CentOS 6.4 and above clean this directory automatically).
[root@c64 ~]# mkdir /server/scripts -p
[root@c64 ~]# vi /server/scripts/spool_clean.sh
#!/bin/sh
find /var/spool/clientmqueue/ -type f -mtime +30 | xargs rm -f
Then add it to the crontab scheduled tasks:
[root@c64 ~]# echo '*/30 * * * * /bin/sh /server/scripts/spool_clean.sh >/dev/null 2>&1' >> /var/spool/cron/root
8. Change the default SSH service port and prohibit root remote login (not necessary for personal use)
[root@c64 ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
[root@c64 ~]# vim /etc/ssh/sshd_config
Port 52113                 # SSH listening port (the default is 22)
PermitRootLogin no         # everyone knows the root account exists; disable its remote login
PermitEmptyPasswords no    # prohibit logins with an empty password
UseDNS no                  # do not do reverse DNS lookups on connecting clients
[root@c64 ~]# /etc/init.d/sshd reload   # reload the configuration
[root@c64 ~]# netstat -lnt              # view the listening ports
[root@c64 ~]# lsof -i tcp:52113
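A way to verify that the sshd_config edits above actually took effect, as an added example that is not part of the original post: sshd uses the first value it reads for a keyword, so a stray duplicate or a commented-out line can silently leave a default in place. The sample config, the helper names and the assumed OpenSSH 5.3 defaults (PermitRootLogin yes, UseDNS yes on CentOS 6) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config for the
# settings step 8 changes. sshd keeps the FIRST value it reads for a keyword
# (later duplicates are ignored), keywords are case-insensitive, a commented
# "#PermitRootLogin yes" is not a setting, and Match blocks are conditional.
# Defaults assumed are those of OpenSSH 5.3 as shipped with CentOS 6.

# sshd_effective FILE KEYWORD -> prints the effective global value ("" if unset)
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                 # conditional section starts
        tolower($1) == key { print $2; exit }           # first occurrence wins
    ' "$1"
}
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_audit FILE -> prints one finding per line; return code = finding count
sshd_audit() {
    n=0
    v=$(sshd_effective "$1" Port)
    [ "${v:-22}" = 22 ] && { echo "Port: still the default 22"; n=$((n+1)); }
    v=$(lc "$(sshd_effective "$1" PermitRootLogin)")
    case "${v:-yes}" in
        no|without-password) ;;
        *) echo "PermitRootLogin: root may log in remotely (${v:-unset})"; n=$((n+1)) ;;
    esac
    v=$(lc "$(sshd_effective "$1" PermitEmptyPasswords)")
    [ "${v:-no}" = yes ] && { echo "PermitEmptyPasswords: yes"; n=$((n+1)); }
    v=$(lc "$(sshd_effective "$1" UseDNS)")
    [ "${v:-yes}" = yes ] && { echo "UseDNS: reverse lookups slow down logins"; n=$((n+1)); }
    return $n
}

# Constructed sample: commented default, duplicate Port (ignored), and a
# Match block whose PermitRootLogin must not count as the global value.
SAMPLE_CFG=$(mktemp); trap 'rm -f "$SAMPLE_CFG"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
#PermitRootLogin yes
Port 52113
port 22
PermitRootLogin no
PermitEmptyPasswords no
Match Address 192.168.1.0/24
    PermitRootLogin yes
EOF
sshd_audit "$SAMPLE_CFG" || echo "findings: $?"   # only UseDNS is reported
```

Run it against /etc/ssh/sshd_config after the reload; a non-zero exit code means one of the four settings is still at its default.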
9. Lock key system files (for personal use)
[root@c64 ~]# chattr +i /etc/passwd
[root@c64 ~]# chattr +i /etc/inittab
[root@c64 ~]# chattr +i /etc/group
[root@c64 ~]# chattr +i /etc/shadow
[root@c64 ~]# chattr +i /etc/gshadow
While the immutable bit is set, commands that write these files (passwd, useradd, usermod and the like) fail; remove it with chattr -i before changing accounts.
After using the chattr command, rename it for security:
[root@c64 ~]# /bin/mv /usr/bin/chattr /usr/bin/<any name>
10. Adjust the file descriptor size
Adjust the maximum number of open files on Linux:
# vim /etc/rc.d/rc.local
Add the line:
ulimit -SHn 65565
Save and exit.
[root@c64 ~]# ulimit -n   # view the current file descriptor limit
1024
[root@c64 ~]# echo '* - nofile 65535' >> /etc/security/limits.conf
Once the configuration is complete, log in again to check it.
Tip: you can also add the ulimit -SHn 65535 command to /etc/rc.local so that it takes effect on every reboot:
[root@c64 ~]# cat >> /etc/rc.local <<EOF
# open files
ulimit -HSn 65535
# stack size
ulimit -s 65535
EOF
Extension: file descriptors
Formally, a file descriptor is a non-negative integer. In fact, it is an index into the table of open files that the kernel maintains for each process. When a program opens an existing file or creates a new one, the kernel returns a file descriptor to the process. Much low-level programming revolves around file descriptors; the concept, however, is generally found only in UNIX-like operating systems such as Linux.
By convention, standard input has file descriptor 0, standard output 1 and standard error 2. Although this convention is not a property of the Unix kernel, it is relied on by shells and many applications, so if the kernel did not follow it, many applications would not work.
11. Adjust the character set so that it supports Chinese
vim /etc/sysconfig/i18n
Change it to LANG="zh_CN.GB18030". The following steps are not necessary:
sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.GB18030"#' /etc/sysconfig/i18n
source /etc/sysconfig/i18n
Extension: what is a character set?
Simply put, it is a set of text symbols together with their encodings. The commonly used character sets are:
GBK: fixed length, two bytes per character; not an international standard; supported by many systems
UTF-8: variable length, 1 to 4 bytes per character; widely supported; MySQL also uses UTF-8
12. Remove the system and kernel version from the screen shown before login
[root@c64 ~]# > /etc/redhat-release
[root@c64 ~]# > /etc/issue
Note that some scripts and tools read /etc/redhat-release to detect the distribution version, so check them after emptying it.
13. Stop the printer service (a minimal installation does not have this service)
# /etc/init.d/cups stop
# chkconfig cups off
13. Optimize kernel parameters to improve system performance
Add the following content.
Description: this optimization suits Apache, Nginx, Squid and other web applications; special workloads may need slight adjustments (configure it according to your own business environment).
[root@c64 ~]# vi /etc/sysctl.conf
# by sun in 20131001
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
# The following parameters optimize the iptables firewall; if the firewall is not enabled there will be a prompt, which can be ignored.
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
[root@c64 ~]# sysctl -p   # make the configuration file take effect
Hint: on CentOS 6.x the module is no longer named ip_conntrack but nf_conntrack, so when optimizing in /etc/sysctl.conf the old parameter net.ipv4.netfilter.ip_conntrack_max must be changed to net.netfilter.nf_conntrack_max.
That is, the firewall optimization on 5.8 is:
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
and on 6.4 it is:
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
In addition, errors may occur during this optimization:
1. On version 5.8:
error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key
This error means either that your firewall is not enabled or that the ip_conntrack module was not loaded automatically. There are two solutions: enable the firewall, or load the ip_conntrack module yourself:
modprobe ip_conntrack
echo "modprobe ip_conntrack" >> /etc/rc.local
2. On version 6.4:
error: "net.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_established" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_fin_wait" is an unknown key
This error means either that your firewall is not enabled or that the nf_conntrack module was not loaded automatically. There are two solutions: enable the firewall, or load the nf_conntrack module yourself:
modprobe nf_conntrack
echo "modprobe nf_conntrack" >> /etc/rc.local
3. On version 6.4:
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
This error occurs because the bridge module was not loaded automatically; the solution is to load it yourself:
modprobe bridge
echo "modprobe bridge" >> /etc/rc.local
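The "unknown key" failures above can be caught before running sysctl -p, because every sysctl key is simply a file under /proc/sys. The following dry-run checker is an added example, not part of the original post: the function names, the SYSCTL_ROOT knob and the constructed sysctl.conf and /proc/sys tree are this example's own assumptions, and the name translation is exactly the 5.8-to-6.4 mapping given above.

```shell
#!/bin/sh
# Added example, not part of the original post: dry-run a sysctl.conf before
# "sysctl -p" so the "unknown key" errors from step 13 are caught and explained.
# Every key maps to a file under /proc/sys; a conntrack key is unknown either
# because the CentOS 5.8 name is used on a 6.x kernel, or because nf_conntrack
# is not loaded yet. SYSCTL_ROOT (default /proc/sys) is this script's own knob.

# Translate the 5.8 ip_conntrack names to the 6.x nf_conntrack names.
modern_key() {
    printf '%s\n' "$1" | sed \
        -e 's/^net\.ipv4\.netfilter\.ip_conntrack_/net.netfilter.nf_conntrack_/' \
        -e 's/^net\.ipv4\.ip_conntrack_max$/net.nf_conntrack_max/'
}

# key_exists KEY -> true if the kernel exposes it (dots become path separators)
key_exists() {
    [ -e "${SYSCTL_ROOT:-/proc/sys}/$(printf '%s' "$1" | tr . /)" ]
}

# check_sysctl_conf FILE -> one line per key (ok / renamed / unknown);
# return code = number of keys that sysctl -p would reject.
check_sysctl_conf() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        new=$(modern_key "$key")
        [ "$new" != "$key" ] && { echo "renamed: $key -> $new"; key=$new; }
        if key_exists "$key"; then
            echo "ok:      $key"
        else
            echo "unknown: $key (module not loaded? e.g. modprobe nf_conntrack)"
            bad=$((bad + 1))
        fi
    done <"$1"
    return $bad
}

# Constructed tree: 6.x kernel with nf_conntrack loaded but no bridge module,
# and a constructed sysctl.conf mixing a 5.8-style key with a bridge key.
SYSCTL_ROOT=$(mktemp -d); SAMPLE_CONF=$(mktemp)
trap 'rm -rf "$SYSCTL_ROOT" "$SAMPLE_CONF"' EXIT
mkdir -p "$SYSCTL_ROOT/net/netfilter" "$SYSCTL_ROOT/net/ipv4"
: >"$SYSCTL_ROOT/net/netfilter/nf_conntrack_max"
: >"$SYSCTL_ROOT/net/ipv4/tcp_syncookies"
printf '%s\n' '# constructed sample' 'net.ipv4.tcp_syncookies = 1' \
    'net.ipv4.netfilter.ip_conntrack_max = 25000000' \
    'net.bridge.bridge-nf-call-iptables = 0' >"$SAMPLE_CONF"
check_sysctl_conf "$SAMPLE_CONF" || echo "keys sysctl -p would reject: $?"
```

On a real host leave SYSCTL_ROOT unset and pass /etc/sysctl.conf; any key still reported as unknown after the matching modprobe is a genuine typo or a parameter the running kernel does not have.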
With that, the basic post-installation optimization of our Linux system is more or less done; in total there are 13 optimization points to know about. I will follow up with a one-click optimization shell script to share with everyone.
This article is from the "Sunsky" blog; please keep this source: http://sunsky.blog.51cto.com/4824967/1318607
Basic optimization of a CentOS 6.x system after installation