Linux System Foundation Tuning

Source: Internet
Author: User

1. Turn off SELinux and flush iptables

sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
grep SELINUX=disabled /etc/selinux/config
setenforce 0
iptables -F
iptables -X
iptables -Z
iptables -L
/etc/init.d/iptables save

2. Add a regular user and perform sudo authorization management

useradd liwen
echo '123456' | passwd --stdin liwen && history -c
echo 'liwen ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
tail /etc/sudoers

3. Update the Yum source and install necessary software

cd /etc/yum.repos.d/
/bin/mv CentOS-Base.repo CentOS-Base.repo.bak
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
sed -i 's#$releasever#6#g' CentOS-Base.repo
yum clean all
yum install lrzsz ntpdate sysstat openssh openssl telnet tree dos2unix nmap -y

4. Automatically update the server time on a schedule

echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null'

5. Streamline boot-time services

for sun in `chkconfig --list | grep 3:on | awk '{print $1}'`; do chkconfig --level 3 $sun off; done
for sun in crond rsyslog sshd network; do chkconfig --level 3 $sun on; done
chkconfig --list | grep 3:on

6. Change the default SSH service port and prevent the root user from connecting remotely

sed -i 's/#Port 22/Port 52113/g' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
cat /etc/ssh/sshd_config | egrep 'PermitEmptyPasswords|UseDNS|Port|GSSAPIAuthentication|PermitRootLogin'
/etc/init.d/sshd restart
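The sed patterns in step 6 match only the stock commented defaults such as "#Port 22"; if a directive is already uncommented or missing, sed changes nothing and reports no error. The following added example (not part of the original page; the helper names set_sshd_opt, effective_opt and demo are hypothetical) sets a directive whatever its current form and reads the result back, using a constructed sample config:

```shell
#!/bin/sh
# Added example, not from the original page. Helper names are hypothetical.

# set_sshd_opt FILE KEY VALUE
# Write "KEY VALUE" whether KEY is commented out ("#Port 22"), already active
# with another value ("Port 22"), or absent. Assumes the file has no Match blocks.
set_sshd_opt() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { lkey = tolower(key) }
        {
            line = $0
            sub(/^[ \t]*#?/, "", line)     # strip indent and one "#"; "# prose" keeps its space
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == lkey) {   # sshd keywords are case-insensitive
                if (!done) { print key " " value; done = 1 }
                next                       # drop later copies so a single value remains
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the owner and mode of FILE
    rc=$?
    rm -f "$tmp"
    return $rc
}

# effective_opt FILE KEY: print the first active (uncommented) value of KEY.
effective_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Constructed sample: the defaults were already uncommented, so the patterns
# "#Port 22" and "#PermitRootLogin yes" used in step 6 match nothing.
demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' '# Port settings' 'Port 22' 'PermitRootLogin yes' '#UseDNS yes' > "$cfg"
    sed -i 's/#Port 22/Port 52113/' "$cfg"
    echo "after sed: Port=$(effective_opt "$cfg" Port)"          # still 22
    set_sshd_opt "$cfg" Port 52113
    set_sshd_opt "$cfg" PermitRootLogin no
    set_sshd_opt "$cfg" UseDNS no
    echo "after set_sshd_opt: Port=$(effective_opt "$cfg" Port)"
    rm -f "$cfg"
}
```

On a live host, `sshd -t` checks the edited file for syntax errors before the restart.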

7. Lock critical system files

chattr +i /etc/passwd
chattr +i /etc/inittab
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

After using the chattr command, we need to rename it for security.

/bin/mv /usr/bin/chattr /usr/bin/<any name>

8. Adjust the file descriptor limit

ulimit -n
echo '* - nofile 65535' >> /etc/security/limits.conf

9. Adjust the character set so that it supports Chinese

sed -i 's#LANG=.*$#LANG="zh_CN.UTF-8"#g' /etc/sysconfig/i18n
source /etc/sysconfig/i18n

10. Remove the system and kernel version displayed before the login screen

>/etc/redhat-release
>/etc/issue
>/etc/issue.net
>/etc/motd

11. Kernel parameter optimization

This optimization suits Apache, Nginx, Squid and a variety of other web applications; special workloads may need slight adjustments.

cat >> /etc/sysctl.conf << EOF
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
EOF
tail /etc/sysctl.conf
/sbin/sysctl -p

If the firewall is turned on, you can add the following tuning parameters:

net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120

