Linux System Basic Tuning
1. Turn off SELinux and flush iptables
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
grep SELINUX=disabled /etc/selinux/config
setenforce 0
iptables -F
iptables -X
iptables -Z
iptables -L
/etc/init.d/iptables save
2. Add a regular user and grant it sudo rights
useradd liwen
echo '123456' | passwd --stdin liwen && history -c
echo 'liwen ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
tail /etc/sudoers
3. Update the yum source and install the necessary software
cd /etc/yum.repos.d/
/bin/mv CentOS-Base.repo CentOS-Base.repo.bak
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
sed -i 's#$releasever#6#g' CentOS-Base.repo
yum clean all
yum install lrzsz ntpdate sysstat openssh openssl telnet tree dos2unix nmap -y
4. Update the server time automatically on a schedule
The following line is the cron entry (every five minutes):
echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null'
5. Trim the services started at boot
for sun in `chkconfig --list | grep 3:on | awk '{print $1}'`;do chkconfig --level 3 $sun off;done
for sun in crond rsyslog sshd network;do chkconfig --level 3 $sun on;done
chkconfig --list | grep 3:on
6. Change the default SSH port and forbid remote root login
sed -i 's/#Port 22/Port 52113/g' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
cat /etc/ssh/sshd_config | egrep 'PermitEmptyPasswords|UseDNS|Port|GSSAPIAuthentication|PermitRootLogin'
/etc/init.d/sshd restart
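A check for step 6, added here as an example and not part of the original post: each sed above only matches the exact commented default, so the script below reads the directive sshd will actually use (sshd takes the first uncommented occurrence of a keyword) and reports any setting that is still at its default. It assumes `Keyword value` lines, stops at the first `Match` block, and uses assumed stock OpenSSH defaults when a keyword is absent.

```shell
#!/bin/bash
# Added example (not from the original post): verify the sshd_config
# changes from step 6 by reading the value sshd will really use.

# sshd_effective FILE KEYWORD DEFAULT -> prints the effective value.
# sshd keywords are case-insensitive and the FIRST uncommented match wins;
# anything after a "Match" line is conditional, so stop there.
sshd_effective() {
    local file=$1 key=$2 default=$3 val
    val=$(awk -v k="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# check_sshd_hardening FILE -> returns 0 when every step-6 setting is in
# effect, otherwise prints each failing directive and returns 1.
# Defaults used when a keyword is absent are assumed stock OpenSSH values.
check_sshd_hardening() {
    local file=$1 rc=0 v pair key def
    v=$(sshd_effective "$file" Port 22)
    [ "$v" != 22 ] || { echo "Port is still 22"; rc=1; }
    for pair in PermitRootLogin:yes PermitEmptyPasswords:no UseDNS:yes GSSAPIAuthentication:no; do
        key=${pair%%:*}; def=${pair#*:}
        v=$(sshd_effective "$file" "$key" "$def")
        [ "$v" = no ] || { echo "$key is $v, expected no"; rc=1; }
    done
    return $rc
}

# Usage: ./check_sshd.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    check_sshd_hardening "$1"
fi
```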
7. Lock critical system files
chattr +i /etc/passwd
chattr +i /etc/inittab
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
After using the chattr command, rename the binary for security:
/bin/mv /usr/bin/chattr /usr/bin/<any name>
8. Raise the file descriptor limit
ulimit -n
echo '* - nofile 65535' >> /etc/security/limits.conf
9. Adjust the character set so that it supports Chinese
sed -i 's#LANG=.*$#LANG="zh_CN.UTF-8"#g' /etc/sysconfig/i18n
source /etc/sysconfig/i18n
10. Remove the system and kernel version from the pre-login banner
>/etc/redhat-release
>/etc/issue
>/etc/issue.net
>/etc/motd
11. Kernel parameter optimization
These settings suit Apache, Nginx, Squid and most other web applications; special workloads may still need slight adjustment.
cat >>/etc/sysctl.conf<<EOF
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
EOF
tail /etc/sysctl.conf
/sbin/sysctl -p
If the firewall is enabled, the following tuning parameters can be added as well:
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120