Basic optimization of centos6.x system after installation

Source: Internet
Author: User
Tags: gpg, i18n, rsyslog

Special note: NIC modification after cloning

A cloned virtual machine gets a new MAC address, but the HWADDR line in ifcfg-eth0 and the udev rule file still record the original machine's MAC, so eth0 does not come up until both are removed.

1. Edit the configuration file for eth0: vi /etc/sysconfig/network-scripts/ifcfg-eth0

Delete the HWADDR line and the UUID line, which look like this:

HWADDR=00:0c:29:08:28:9f
UUID=cee39dbb-6a10-4425-9daf-768b6e79a9c9

2. Clear the persistent network naming rules:

> /etc/udev/rules.d/70-persistent-net.rules

Then reboot.
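The two-step fix above, as an added example that is not part of the original post: a pair of shell functions that strip the per-machine identity lines from an ifcfg file and truncate the udev rules file. The file paths are parameters (an assumption of this example) so that the logic can be exercised on copies before it is pointed at /etc/sysconfig/network-scripts; the ifcfg and udev contents in the demo are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: clean the per-machine identity
# out of a cloned VM's ifcfg file and reset the udev NIC naming rules.
# File paths are parameters so the functions can be tried on copies first.

# strip_nic_identity FILE
# Removes HWADDR= and UUID= lines (key matched case-insensitively) in place
# and prints how many lines were removed.
strip_nic_identity() {
    file="$1"
    tmp="${file}.tmp.$$"
    # keep every line whose key is not HWADDR or UUID
    awk '{ u = toupper($0) } u !~ /^[ \t]*(HWADDR|UUID)=/' "$file" > "$tmp" || return 1
    removed=$(( $(wc -l < "$file") - $(wc -l < "$tmp") ))
    mv "$tmp" "$file" || return 1
    echo "$removed"
}

# reset_udev_net_rules FILE
# Truncates the persistent-net rules file (the page's
# "> /etc/udev/rules.d/70-persistent-net.rules") if it exists, so udev
# assigns eth0 to the new MAC address on the next boot.
reset_udev_net_rules() {
    [ -f "$1" ] || return 0
    : > "$1"
}

# Demo on constructed copies of the two files (never on the real ones).
demo_nic_clone_fix() {
    d=$(mktemp -d)
    cat > "$d/ifcfg-eth0" <<'EOF'
DEVICE=eth0
HWADDR=00:0c:29:08:28:9f
BOOTPROTO=static
UUID=cee39dbb-6a10-4425-9daf-768b6e79a9c9
ONBOOT=yes
EOF
    # simplified, constructed udev rule line
    printf 'SUBSYSTEM=="net", ATTR{address}=="00:0c:29:08:28:9f", NAME="eth0"\n' \
        > "$d/70-persistent-net.rules"
    echo "lines removed: $(strip_nic_identity "$d/ifcfg-eth0")"
    reset_udev_net_rules "$d/70-persistent-net.rules"
    cat "$d/ifcfg-eth0"
    echo "rules file size now: $(wc -c < "$d/70-persistent-net.rules")"
    rm -rf "$d"
}

demo_nic_clone_fix
```

On a real clone the calls are `strip_nic_identity /etc/sysconfig/network-scripts/ifcfg-eth0` and `reset_udev_net_rules /etc/udev/rules.d/70-persistent-net.rules`, followed by the reboot the page describes; the count printed by the first call should be 2, and anything else means the file did not contain the lines you expected.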

Optimization entries:

1. Modify the IP address, gateway, hostname, DNS, etc.
2. Turn off SELinux and empty iptables
3. Add a regular user and set up sudo authorization
4. Update the yum source and install necessary software
5. Schedule automatic updates of the server time
6. Streamline the boot-time services
7. Schedule automatic cleanup of junk files in /var/spool/clientmqueue/, to prevent inodes from being used up
8. Change the default SSH service port and prohibit root remote login
9. Lock key system files
10. Adjust the file descriptor limit
11. Adjust the character set so that it supports Chinese
12. Remove the system and kernel version from the pre-login screen
13. Optimize kernel parameters


1. Modify the IP address, gateway, hostname, DNS, etc. (this step can be skipped with a dynamic IP address)

[root@c64 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0               # NIC name
BOOTPROTO=static          # how the IP address is obtained; dhcp means obtain it automatically
IPADDR=192.168.1.113      # IP address
NETMASK=255.255.255.0     # subnet mask
ONBOOT=yes                # whether the interface is activated at boot
GATEWAY=192.168.1.1       # gateway
[root@c64 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.113
NETMASK=255.255.255.0
ONBOOT=yes
GATEWAY=192.168.1.1
[root@c64 ~]# vi /etc/sysconfig/network
HOSTNAME=c64              # change the hostname; takes effect after a reboot
GATEWAY=192.168.1.1       # change the default gateway; if eth0 above has no gateway configured, the gateway here is used
[root@c64 ~]# cat /etc/sysconfig/network
HOSTNAME=c64
GATEWAY=192.168.1.1

We can also use "hostname c64" to change the hostname temporarily; it takes effect after logging in again.

Modify DNS:

[root@c64 ~]# vi /etc/resolv.conf          # modify the DNS information
nameserver 114.114.114.114
nameserver 8.8.8.8
[root@c64 ~]# cat /etc/resolv.conf         # view the modified DNS information
nameserver 114.114.114.114
nameserver 8.8.8.8
[root@c64 ~]# service network restart      # restart the network; alternatively use the following command
[root@c64 ~]# /etc/init.d/network restart

2. Turn off SELinux and empty iptables

Turn off SELinux

[root@c64 ~]# vi /etc/selinux/config
Change it to SELINUX=disabled

(The other possible value is SELINUX=permissive, which only logs denials to /var/log/audit/audit.log instead of blocking them; a change in this file takes effect after a reboot.)

Empty iptables

[root@c64 ~]# /sbin/iptables -P INPUT ACCEPT       # clean up the firewall rules
[root@c64 ~]# /etc/init.d/iptables save            # save the firewall configuration

3. Add a regular user and set up sudo authorization

[root@c64 ~]# useradd sunsky
[root@c64 ~]# echo "123456" | passwd --stdin sunsky && history -c
[root@c64 ~]# visudo
Below the line
root    ALL=(ALL)       ALL
add the following content:
sunsky  ALL=(ALL)       ALL

The history -c is there because passwd --stdin puts the plaintext password on the command line, which would otherwise be written to root's .bash_history.

4. Update the yum source and install necessary software

By default yum fetches RPM packages from the official overseas mirrors; switch to a domestic (China) source.

Two faster domestic sites: the Sohu mirror site and the NetEase mirror site.

Method 1: write the installation source configuration file yourself and upload it to the Linux host.

Method 2: use the yum source configuration file provided by the mirror site

[root@c64 ~]# cd /etc/yum.repos.d/
[root@c64 yum.repos.d]# /bin/mv CentOS-Base.repo CentOS-Base.repo.bak
[root@c64 yum.repos.d]# wget http://mirrors.163.com/.help/CentOS6-Base-163.repo

Next, run the following commands to check that yum works normally:

[root@c64 yum.repos.d]# yum clean all       # clear the yum cache
[root@c64 yum.repos.d]# yum makecache       # build the yum cache

Then use the following commands to update the system to the latest version (preferably not; customise according to your own needs):

[root@c64 yum.repos.d]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*      # import the signing keys into RPM
[root@c64 yum.repos.d]# yum upgrade -y                                   # update the system, kernel included, to the latest

Since the repo file is fetched over plain HTTP, keep gpgcheck=1 in it so that every package is still verified against the imported keys.

Then we need to install a few necessary packages:

[root@c64 yum.repos.d]# yum -y install gcc* gcc-c++* autoconf* automake* zlib* libxml* ncurses-devel* libgcrypt* libtool*
[root@c64 yum.repos.d]# yum install lrzsz ntpdate sysstat -y

lrzsz provides file upload and download (rz/sz) over the terminal session.

ntpdate synchronises the clock with a remote time server.

sysstat is a tool set for monitoring system performance.

5. Schedule automatic updates of the server time

[root@c64 ~]# ntpdate asia.pool.ntp.org

[root@c64 ~]# echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >> /var/spool/cron/root
[root@c64 ~]# echo '*/10 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >> /var/spool/cron/root

Tip: the path of the time synchronisation command differs between CentOS versions: on CentOS 6 it is /usr/sbin/ntpdate, on CentOS 5 it is /sbin/ntpdate.

Extension: with a small number of machines, the scheduled task above is enough. With a large number of machines, a separate time synchronisation server (an NTP server) can be deployed inside the network. It is only mentioned here, not deployed.

Time synchronisation server architecture diagram: (image not reproduced in this copy)

6. Streamline the boot-time services

A freshly installed system needs to keep only these four services: crond, network, syslog and sshd (on CentOS 6.4 syslog is rsyslog).

[root@c64 ~]# for sun in `chkconfig --list | grep 3:on | awk '{print $1}'`; do chkconfig --level 3 $sun off; done
[root@c64 ~]# for sun in crond rsyslog sshd network; do chkconfig --level 3 $sun on; done
[root@c64 ~]# chkconfig --list | grep 3:on
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
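The loop above switches off everything at runlevel 3 and then re-enables four names. As an added example that is not part of the original post, the functions below do the same job as an audit: they read `chkconfig --list` text from stdin, report the services enabled at a runlevel that are outside an allowlist (by default the page's four), and print the chkconfig commands that would disable them so they can be reviewed before being run. The sample chkconfig output is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit which SysV services are
# enabled at a runlevel and report the ones outside an allowlist. Input is the
# text of `chkconfig --list` on stdin, so the same function runs on the
# constructed sample below and on a live box:
#     chkconfig --list | extra_services_at_level 3

# extra_services_at_level LEVEL [ALLOWLIST]
# Prints one service name per line for every service that is "LEVEL:on" and is
# not in the space-separated ALLOWLIST (default: the four the page keeps).
extra_services_at_level() {
    level="$1"
    allow="${2:-crond network rsyslog sshd}"
    awk -v lvl="$level" -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        # SysV lines look like: name  0:off 1:off 2:on 3:on 4:on 5:on 6:off
        # xinetd lines ("rsync: off") carry no "N:on" field and are skipped.
        $0 ~ ("[ \t]" lvl ":on") && !($1 in keep) { print $1 }
    ' | sort
}

# disable_commands LEVEL [ALLOWLIST]
# Same input on stdin; prints the chkconfig command that would switch each
# extra service off, for review (pipe the output to sh to apply it).
disable_commands() {
    extra_services_at_level "$@" | while IFS= read -r svc; do
        printf 'chkconfig --level %s %s off\n' "$1" "$svc"
    done
}

# Constructed sample of chkconfig --list output (not captured from a real host).
SAMPLE_CHKCONFIG='crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
postfix         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        rsync:          off'

# On the sample this prints the commands for cups and postfix only.
printf '%s\n' "$SAMPLE_CHKCONFIG" | disable_commands 3
```

Passing a second argument widens the allowlist (for instance `extra_services_at_level 3 "crond network rsyslog sshd postfix"` when the box must keep a mail queue), which is easier to keep under version control than an ad-hoc loop; running the audit again after the page's two loops should print nothing.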

7. Schedule automatic cleanup of junk files in /var/spool/clientmqueue/, to prevent inodes from being used up

This optimization can be skipped on 6.4 and above; no action is needed there (CentOS 6.4 and later clean this directory automatically).

[root@c64 ~]# mkdir /server/scripts -p
[root@c64 ~]# vi /server/scripts/spool_clean.sh
#!/bin/sh
# remove files older than 30 days from the sendmail client queue;
# -print0 / -0 keep file names containing spaces intact
find /var/spool/clientmqueue/ -type f -mtime +30 -print0 | xargs -0 rm -f

Then add it to the crontab scheduled tasks:

[root@c64 ~]# echo '*/30 * * * * /bin/sh /server/scripts/spool_clean.sh >/dev/null 2>&1' >> /var/spool/cron/root
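The cron lines in section 5 and the one just above are appended with `>>`, so running the step twice leaves two copies of the job. As an added example that is not part of the original post, the helper below adds a line only when an identical one is not already present; the crontab path is a parameter (an assumption of this example) so it can be tried on a temporary file before /var/spool/cron/root.

```shell
#!/bin/sh
# Added example, not from the original post: append a cron line to a crontab
# file only if an identical line is not already there. The page's
# `echo ... >> /var/spool/cron/root` adds a duplicate every time the step is
# re-run; this helper is idempotent and leaves the file's other lines intact.

# add_cron_line CRONTAB 'schedule command'
# Prints "added" or "exists"; returns non-zero if the file cannot be written.
add_cron_line() {
    crontab_file="$1"
    line="$2"
    touch "$crontab_file" || return 1
    # -x: whole-line match, -F: fixed string (cron lines are full of * and /)
    if grep -qxF -- "$line" "$crontab_file"; then
        echo exists
    else
        printf '%s\n' "$line" >> "$crontab_file" || return 1
        echo added
    fi
}

# cron_job_count CRONTAB
# Number of non-empty, non-comment lines, i.e. scheduled jobs.
cron_job_count() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Demo on a temporary file with the page's three jobs; the first one is
# submitted twice on purpose.
demo_cron() {
    t=$(mktemp)
    add_cron_line "$t" '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1'
    add_cron_line "$t" '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1'
    add_cron_line "$t" '*/10 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1'
    add_cron_line "$t" '*/30 * * * * /bin/sh /server/scripts/spool_clean.sh >/dev/null 2>&1'
    echo "jobs scheduled: $(cron_job_count "$t")"
    rm -f "$t"
}

demo_cron
```

On the real host the call is `add_cron_line /var/spool/cron/root '...'`; crond on CentOS 6 notices the modified spool file by itself, and `crontab -l` shows the resulting table.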

8. Change the default SSH service port and prohibit root remote login (not necessary for personal use)

[root@c64 ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
[root@c64 ~]# vim /etc/ssh/sshd_config
Port 52113                  # SSH listening port (the default is 22)
PermitRootLogin no          # every attacker knows the root user name, so disable its remote login
PermitEmptyPasswords no     # forbid logins with an empty password
UseDNS no                   # do not do reverse DNS lookups on connecting clients
[root@c64 ~]# /etc/init.d/sshd reload      # reload the configuration
[root@c64 ~]# netstat -lnt                 # view the listening ports
[root@c64 ~]# lsof -i tcp:52113

Keep the current session open and confirm that a new login on port 52113 works before closing it, so that a typo in the file cannot lock you out; if iptables is in use, open the new port before the reload.
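A grep for "Port 22" is not a reliable check of the change above, because sshd honours only the first uncommented occurrence of a keyword, ignores "#" lines, and applies settings after a Match line conditionally. As an added example that is not part of the original post, the checker below reads an sshd_config with those rules and reports the four settings; the file path is a parameter, the sample config is constructed, and the defaults it fills in for absent keywords are those of the OpenSSH 5.3 shipped with CentOS 6.

```shell
#!/bin/sh
# Added example, not from the original post: check an sshd_config for the four
# settings changed above. sshd uses the FIRST uncommented occurrence of a
# keyword, ignores "#" lines (which only show defaults), and applies anything
# after a "Match" line conditionally, so the reader mirrors those rules.

# sshd_effective KEYWORD FILE
# Prints the first uncommented value of KEYWORD (lower-cased) before any Match
# block, or nothing if it is not set (sshd then uses its compiled-in default).
sshd_effective() {
    awk -v key="$1" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# audit_sshd_config FILE
# Prints one line per check and returns the number of failed checks.
# Defaults for absent keywords are those of OpenSSH 5.3 on CentOS 6:
# Port 22, PermitRootLogin yes, PermitEmptyPasswords no, UseDNS yes.
audit_sshd_config() {
    f="$1"
    fails=0
    port=$(sshd_effective Port "$f");                   port=${port:-22}
    rootlogin=$(sshd_effective PermitRootLogin "$f");   rootlogin=${rootlogin:-yes}
    empty=$(sshd_effective PermitEmptyPasswords "$f");  empty=${empty:-no}
    dns=$(sshd_effective UseDNS "$f");                  dns=${dns:-yes}

    if [ "$port" = 22 ]; then echo "Port=$port  FAIL (still the default)"; fails=$((fails + 1))
    else echo "Port=$port  OK"; fi
    if [ "$rootlogin" = no ]; then echo "PermitRootLogin=$rootlogin  OK"
    else echo "PermitRootLogin=$rootlogin  FAIL (want no)"; fails=$((fails + 1)); fi
    if [ "$empty" = no ]; then echo "PermitEmptyPasswords=$empty  OK"
    else echo "PermitEmptyPasswords=$empty  FAIL (want no)"; fails=$((fails + 1)); fi
    if [ "$dns" = no ]; then echo "UseDNS=$dns  OK"
    else echo "UseDNS=$dns  FAIL (want no)"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample in the state the page leaves the file; the commented
# "#Port 22" must be ignored, which is where a plain grep goes wrong.
demo_sshd_audit() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
#Port 22
Port 52113
#PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no
EOF
    audit_sshd_config "$t"
    rc=$?
    rm -f "$t"
    echo "failed checks: $rc"
}

demo_sshd_audit
```

On the host, run `audit_sshd_config /etc/ssh/sshd_config` after editing and `sshd -t` to have sshd itself validate the syntax, then reload; a non-zero return from the audit is convenient for a post-install script that should stop on a missed setting.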

9. Lock key system files (for personal use)

[root@c64 ~]# chattr +i /etc/passwd
[root@c64 ~]# chattr +i /etc/inittab
[root@c64 ~]# chattr +i /etc/group
[root@c64 ~]# chattr +i /etc/shadow
[root@c64 ~]# chattr +i /etc/gshadow

After using the chattr command, rename it for security:

[root@c64 ~]# /bin/mv /usr/bin/chattr /usr/bin/<any name>

With the immutable flag set, useradd, usermod and passwd fail on these files until the flag is removed again with chattr -i; lsattr shows the current flags.

10. Adjust the file descriptor limit

Raise the maximum number of open files in Linux.

# vim /etc/rc.d/rc.local

Add the line:

ulimit -SHn 65565

Save and exit.

[root@c64 ~]# ulimit -n           # view the file descriptor limit
1024
[root@c64 ~]# echo '*  -  nofile  65535' >> /etc/security/limits.conf

Once the configuration is complete, log in again to check it.

Tip: you can also add the ulimit -SHn 65535 command to /etc/rc.local so that it takes effect after every reboot:

[root@c64 ~]# cat >> /etc/rc.local <<EOF
# open files
ulimit -HSn 65535
# stack size
ulimit -s 65535
EOF

Extension: file descriptors

Formally, a file descriptor is a non-negative integer. In practice it is an index into the table of open files that the kernel maintains for each process. When a program opens an existing file or creates a new one, the kernel returns a file descriptor to the process. Much low-level programming revolves around file descriptors. The concept, however, is generally specific to UNIX-like operating systems such as Linux.

By convention, standard input has file descriptor 0, standard output 1 and standard error 2. Although this convention is not a property of the Unix kernel itself, it is relied upon by shells and many applications, so a kernel that did not follow it would break them.

11. Adjust the character set so that it supports Chinese

vim /etc/sysconfig/i18n

Change it to LANG="zh_CN.GB18030" (the commands below do the same thing in one step and are optional):

sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.GB18030"#' /etc/sysconfig/i18n
source /etc/sysconfig/i18n

Extension: what is a character set?

Simply put, a character set is a collection of text symbols together with their encoding. The commonly used character sets are:

GBK: fixed-length double-byte; not an international standard; supported by many systems
UTF-8: variable length, 1 to 4 bytes; widely supported; MySQL also uses UTF-8

12. Remove the system and kernel version from the pre-login screen

[root@c64 ~]# > /etc/redhat-release
[root@c64 ~]# > /etc/issue

Some scripts and tools read /etc/redhat-release to detect the OS version, so check anything that depends on it after emptying the file.

Supplement: stop the printer service (a minimal install does not have this service)

# /etc/init.d/cups stop
# chkconfig cups off

13. Optimize kernel parameters to improve system performance

Add the following content.

Description: this optimization is suitable for web applications such as Apache, Nginx and Squid; special workloads may need slight adjustments. (Configure it according to your own business environment.)

[root@c64 ~]# vi /etc/sysctl.conf
# by sun in 20131001
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000    65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
# The following parameters optimize the iptables firewall; without a firewall they produce an error prompt, which can be ignored.
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
[root@c64 ~]# sysctl -p      # make the configuration take effect

Caveat: tcp_tw_reuse and tcp_tw_recycle both rely on TCP timestamps, and tcp_tw_recycle in particular drops connections from clients behind NAT (many clients share one address but carry different timestamp clocks), so test it before enabling it on a server that serves such clients.

Hint: in CentOS 6.x the module is not named ip_conntrack but nf_conntrack, so when optimizing in /etc/sysctl.conf the old parameter net.ipv4.netfilter.ip_conntrack_max must be changed to net.netfilter.nf_conntrack_max.

That is, the firewall optimization on 5.8 is:

net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120

and on 6.4 it is:

net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
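The two renames above, plus the reason for the "unknown key" errors that follow, as an added example that is not part of the original post: `sysctl -p` rejects a key exactly when the corresponding file under /proc/sys does not exist, which is what happens while the conntrack or bridge module is not loaded. The first function rewrites a 5.8-style configuration into the 6.x names, the second predicts which keys would be rejected. Both take file paths as parameters (an assumption of this example) so that they run on copies and on the fake /proc/sys tree built in the demo; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: (1) rewrite the CentOS 5.x
# conntrack keys in a sysctl.conf into the 6.x nf_conntrack names listed above,
# and (2) predict which keys `sysctl -p` would reject as "unknown key" by
# checking whether each key has a file under /proc/sys, which is exactly what
# is missing when the conntrack or bridge module is not loaded.

# migrate_conntrack_keys IN OUT
# Applies the two renames the page gives (5.8 -> 6.4); other lines are copied unchanged.
migrate_conntrack_keys() {
    sed -e 's/^net\.ipv4\.ip_conntrack_max[[:space:]]*=/net.nf_conntrack_max =/' \
        -e 's/^net\.ipv4\.netfilter\.ip_conntrack_/net.netfilter.nf_conntrack_/' \
        "$1" > "$2"
}

# unknown_sysctl_keys CONF [PROCSYS]
# Prints each key from CONF (comments and blank lines skipped) that has no
# entry under PROCSYS (default /proc/sys): the keys sysctl -p would report.
unknown_sysctl_keys() {
    conf="$1"
    root="${2:-/proc/sys}"
    # keep only the "key" part of "key = value" lines; # and ; start comments
    sed -n -e '/^[[:space:]]*[#;]/d' \
           -e 's/^[[:space:]]*\([^[:space:]=][^[:space:]=]*\)[[:space:]]*=.*/\1/p' "$conf" |
    while IFS= read -r key; do
        # net.netfilter.nf_conntrack_max lives at /proc/sys/net/netfilter/nf_conntrack_max
        [ -e "$root/$(printf '%s' "$key" | tr . /)" ] || echo "$key"
    done
}

# Demo: a constructed 5.8-style conf is migrated, then checked against a fake
# /proc/sys in which only nf_conntrack_max and somaxconn exist, as if the
# module providing the timeout entries were not loaded.
demo_sysctl_check() {
    d=$(mktemp -d)
    cat > "$d/old.conf" <<'EOF'
# by sun in 20131001
net.core.somaxconn = 16384
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
EOF
    migrate_conntrack_keys "$d/old.conf" "$d/new.conf"
    cat "$d/new.conf"
    mkdir -p "$d/proc/net/core" "$d/proc/net/netfilter"
    : > "$d/proc/net/core/somaxconn"
    : > "$d/proc/net/nf_conntrack_max"
    echo "keys sysctl -p would reject:"
    unknown_sysctl_keys "$d/new.conf" "$d/proc"
    rm -rf "$d"
}

demo_sysctl_check
```

On a live host, `unknown_sysctl_keys /etc/sysctl.conf` run before `sysctl -p` lists the keys that will fail; if a conntrack key appears, load the module first (modprobe nf_conntrack, as in the fixes below) and run the check again before applying the file.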

In addition, errors may occur during this optimization process:

1. On 5.8

error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key

This error may mean that the firewall is not running, or that the ip_conntrack module was not loaded automatically. There are two solutions: start the firewall, or load the ip_conntrack module automatically:

modprobe ip_conntrack
echo "modprobe ip_conntrack" >> /etc/rc.local

2. On 6.4

error: "net.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_established" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_fin_wait" is an unknown key

This error may mean that the firewall is not running, or that the nf_conntrack module was not loaded automatically. There are two solutions: start the firewall, or load the nf_conntrack module automatically:

modprobe nf_conntrack
echo "modprobe nf_conntrack" >> /etc/rc.local

3. On 6.4

error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key

This error is because the bridge module was not loaded automatically; the solution is to load the bridge module automatically:

modprobe bridge
echo "modprobe bridge" >> /etc/rc.local

At this point, the basic post-installation optimization of our Linux system is more or less complete; in summary there are 13 optimization points we need to know. Later I will put together a one-click optimization shell script to share with everyone.

This article is from the "Sunsky" blog, make sure to keep this source http://sunsky.blog.51cto.com/4824967/1318607
