General Production Environment Linux Server Configuration
1. Selection of the Linux server system version in the production environment
Select the 64-bit CentOS 6.5 Linux operating system.
CentOS (Community Enterprise Operating System) is a Linux distribution rebuilt from the source code that Red Hat publishes for Red Hat Enterprise Linux (RHEL) under open-source licenses. Because it is built from the same source, it offers the same high stability as the commercial RHEL system. The difference is that CentOS comes without Red Hat's commercial support and without some features that exist only in the commercial RHEL edition. CentOS is completely open source and free of charge, so enterprises can deploy it freely in the production environment.
2. The initial disk partition of the general server
1) /boot partition, holding the boot files and the kernel. Set the partition size to 200 MB.
In a production environment the Linux boot files and kernel are generally within MB in size.
2) swap partition, used as virtual memory: when physical memory runs short, part of the disk is used in its place. Having swap keeps the server from going down when memory is insufficient.
Servers in the production environment generally have a large amount of memory; make the swap partition the same size as the memory.
3) / partition, the root partition. Allocate all the space left over after /boot and swap to the / partition.
3. Initial disk partition of the Database Server
1) /boot partition. Set the partition size to 200 MB.
2) swap partition, the same size as the memory.
3) Create an LVM volume group and logical volumes, and mount each logical volume at its file path. A logical volume can later be expanded or reduced easily, which is the reason for using LVM on the database server.
4) / partition, the root partition, on a logical volume. The root partition of the database server mainly stores system files, logs and user information; no data files are stored there, and since the logical volume can be expanded at any time, the system's running requirements are covered. LV size: 200 GB.
5) Data partition, a separate logical volume for the database software and the database files, to keep the data independent and safe. If the Linux operating system crashes, the /boot and root partitions can be formatted to reinstall the system while the database software and data files on the data partition are retained. Allocate all remaining volume group space to the data partition's logical volume. For MySQL the data partition is generally mounted at /usr/local; for Oracle it is generally mounted at /u02.
4. Bond configuration for multiple NICs
When a production server has several physical NICs, bind them into a virtual bonded NIC (bond) that provides the external service and carries the IP address, so that the NICs give load balancing and high availability. In the production environment the two NICs eth0 and eth1 are bound to bond0.
1) Configuration file of the virtual NIC bond0
vim /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.10.93
NETMASK=255.255.255.0
GATEWAY=192.168.10.1
2) Configuration file of the physical NIC eth0
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
MASTER=bond0
SLAVE=yes
3) Configuration file of the physical NIC eth1
vim /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
MASTER=bond0
SLAVE=yes
4) Edit the modprobe configuration file so the bonding module is loaded with the right options.
vim /etc/modprobe.d/bonding.conf
alias bond0 bonding
options bond0 mode=0 miimon=100
mode=0 (round-robin): provides load balancing and high availability; packets are sent over the NICs bound to the bond in turn, in order.
mode=1 (active-backup): master-slave policy with simple logic, which provides high availability only. Only one NIC is active at a time; when it fails, the other is activated automatically.
miimon: the interval in milliseconds at which the link state of each NIC is monitored.
5) Load the module (or reboot)
modprobe bonding
6) Check that the module is loaded
lsmod | grep bonding
7) Restart the network
service network restart
8) Confirm the binding status
cat /proc/net/bonding/bond0
ifconfig
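As an added example, not part of the original article: a small shell script that writes the three ifcfg files and the modprobe fragment from steps 1) to 4) into a directory of your choice, plus a check that reads a /proc/net/bonding/bond0 status dump and reports slaves whose link is down, which is what step 8) is looking for. The target directory, the IP values and the sample status text are assumptions; the sample is constructed with eth1 down so the check has something to report.

```shell
#!/bin/sh
# Added example (not from the article): generate the bond0/eth0/eth1 ifcfg
# files and the modprobe fragment into a directory, and audit a
# /proc/net/bonding/bond0 style status file for slaves whose link is down.

# write_bond_config DIR IPADDR NETMASK GATEWAY
# Writes ifcfg-bond0, ifcfg-eth0 and ifcfg-eth1 into DIR. Use
# /etc/sysconfig/network-scripts on a real host, a scratch dir for a dry run.
write_bond_config() {
    dir=$1; ip=$2; mask=$3; gw=$4
    cat > "$dir/ifcfg-bond0" <<EOF
DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
IPADDR=$ip
NETMASK=$mask
GATEWAY=$gw
EOF
    for nic in eth0 eth1; do          # the two physical NICs named in the text
        cat > "$dir/ifcfg-$nic" <<EOF
DEVICE=$nic
ONBOOT=yes
BOOTPROTO=none
MASTER=bond0
SLAVE=yes
EOF
    done
}

# write_bonding_modprobe FILE MODE MIIMON
# modprobe.d fragment: MODE 0 = round-robin, 1 = active-backup; MIIMON in ms.
write_bonding_modprobe() {
    printf 'alias bond0 bonding\noptions bond0 mode=%s miimon=%s\n' "$2" "$3" > "$1"
}

# bond_slaves_down STATUSFILE
# Parses /proc/net/bonding/bond0 (or a saved copy) and prints each slave
# interface whose own "MII Status" is not "up". No output = all links healthy.
# The bond-level MII Status line comes before any "Slave Interface" line, so
# it is skipped; after a slave header, the next MII Status line is that slave's.
bond_slaves_down() {
    awk '
        /^Slave Interface:/ { slave = $3 }
        /^MII Status:/ && slave != "" { if ($3 != "up") print slave; slave = "" }
    ' "$1"
}

# Constructed sample of /proc/net/bonding/bond0 (mode 0, eth1 link down).
SAMPLE_BOND_STATUS='Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:55
Slave queue ID: 0

Slave Interface: eth1
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW addr: 00:11:22:33:44:66
Slave queue ID: 0'

# Dry run in a scratch directory; prints the slaves that are down ("eth1").
bond_demo() {
    tmp=$(mktemp -d)
    write_bond_config "$tmp" 192.168.10.93 255.255.255.0 192.168.10.1
    write_bonding_modprobe "$tmp/bonding.conf" 0 100
    printf '%s\n' "$SAMPLE_BOND_STATUS" > "$tmp/bond0"
    bond_slaves_down "$tmp/bond0"
    rm -rf "$tmp"
}

bond_demo
```

On a live host the check is simply bond_slaves_down /proc/net/bonding/bond0; run it from cron or a monitoring agent so a silently failed NIC in a mode 0 bond is noticed before the second one goes.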
5. Disable the local firewall
iptables -F
iptables -L
service iptables save
iptables -F flushes every rule from the running rule set, iptables -L shows that the chains are now empty, and service iptables save writes this empty rule set to /etc/sysconfig/iptables so it is what gets loaded at the next start.
6. Disable the NetworkManager service
service NetworkManager stop
chkconfig NetworkManager off
7. Account security and permission configuration
1) Disable superusers other than root
awk -F: '$3 == 0 {print $1}' /etc/passwd
Lists every account whose UID is 0; only root should appear. Compare the UID field numerically rather than grepping for a trailing 0, which would also match UIDs such as 10, 500 or 1000.
passwd -l username
Locks the account.
2) Delete unnecessary accounts
awk -F: '{print $1}' /etc/passwd | grep -xE 'adm|lp|sync|shutdown|halt|news|uucp|operator|games|gopher'
userdel username
3) Delete unnecessary groups
awk -F: '{print $1}' /etc/group | grep -xE 'adm|lp|news|uucp|games|dip|pppusers|popusers|slipusers'
groupdel groupname
grep -x matches whole names only, so that lp, for example, does not also match other names that merely contain lp.
4) Set the root password
passwd
5) Check for accounts with an empty password and set a password for any found
awk -F: '$2 == "" {print $1}' /etc/shadow
passwd username
6) Lock the password files
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
With the immutable attribute set, passwd, useradd, usermod and similar tools fail until the attribute is removed. To change a password, first unlock the shadow file:
chattr -i /etc/shadow
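Added example, not from the original article: the detection steps of items 1), 2), 3) and 5) as functions that take the file to inspect as an argument, run here against constructed sample copies of passwd, shadow and group (the account names and placeholder hashes are made up). Pass /etc/passwd, /etc/shadow and /etc/group on a real host; the functions only report and leave passwd -l, userdel and groupdel as separate, deliberate steps.

```shell
#!/bin/sh
# Added example (not from the article): the account checks of items 1), 2),
# 3) and 5) as functions that take the file to inspect as an argument, so
# they run against /etc/passwd, /etc/shadow and /etc/group on a live host or
# against copies. They only report; locking (passwd -l) and deletion
# (userdel/groupdel) stay manual steps.

# Accounts with UID 0 other than root. Comparing $3 numerically avoids the
# trap of grep '0$', which would also flag UIDs such as 10, 500 or 1000.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow password field is empty (login without a password).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Service accounts and groups the article treats as unnecessary. grep -x
# forces whole-name matches, so "lp" does not also hit a name like "lpadmin".
UNNEEDED_USERS='adm|lp|sync|shutdown|halt|news|uucp|operator|games|gopher'
UNNEEDED_GROUPS='adm|lp|news|uucp|games|dip|pppusers|popusers|slipusers'

present_unneeded_users() {
    awk -F: '{ print $1 }' "$1" | grep -xE "$UNNEEDED_USERS"
}

present_unneeded_groups() {
    awk -F: '{ print $1 }' "$1" | grep -xE "$UNNEEDED_GROUPS"
}

# Constructed sample files (hashes are placeholders, not real) with one
# extra UID-0 account, one empty password and a few default service accounts.
write_sample_account_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
toor:x:0:0:second superuser:/root:/bin/bash
webapp:x:500:500::/home/webapp:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$PLACEHOLDER$PLACEHOLDERHASH:16000:0:99999:7:::
toor:$6$PLACEHOLDER$PLACEHOLDERHASH:16000:0:99999:7:::
webapp::16000:0:99999:7:::
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:
lp:x:7:
games:x:20:
webapp:x:500:
EOF
}

# Dry run on the sample files; use /etc/passwd, /etc/shadow, /etc/group on a host.
account_audit_demo() {
    dir=$(mktemp -d)
    write_sample_account_files "$dir"
    echo "extra UID 0 accounts : $(extra_uid0_accounts "$dir/passwd" | xargs)"
    echo "empty passwords      : $(empty_password_accounts "$dir/shadow" | xargs)"
    echo "unneeded users       : $(present_unneeded_users "$dir/passwd" | xargs)"
    echo "unneeded groups      : $(present_unneeded_groups "$dir/group" | xargs)"
    rm -rf "$dir"
}

account_audit_demo
```

Each function prints one name per line, so the output can be fed straight into a review list; nothing here modifies the system, which keeps the check safe to re-run on a schedule after the cleanup has been done.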
7) Set an idle timeout after which root (and every other shell session) is logged out automatically
vim /etc/profile
Add the following after the "HISTFILESIZE=" line:
TMOUT=300
A shell session that receives no input for 300 seconds is then terminated.
8) Restrict ordinary users from switching to root with su
vim /etc/pam.d/su
auth required pam_wheel.so use_uid
With this line active, only members of the wheel group (GID 10) can su to root. Add the users who need it to that group:
usermod -aG wheel username
-a appends wheel to the user's supplementary groups; without it, -G replaces them.
9) Prevent ordinary users from performing sensitive operations such as shutdown, reboot and network configuration
rm -rf /etc/security/console.apps/*
The files in this directory allow console users to run the corresponding system programs through consolehelper; removing them leaves those programs to root.
10) Disable the Ctrl+Alt+Delete reboot key combination
vim /etc/inittab
# ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Comment out the line so the key combination no longer triggers a shutdown. On CentOS 6 the handler is an Upstart job rather than an inittab entry: comment out the line beginning with exec /sbin/shutdown in /etc/init/control-alt-delete.conf instead.
11) Set permissions on the startup scripts
chmod -R 700 /etc/rc.d/init.d/
12) Avoid displaying system and version information at login
rm -f /etc/issue
rm -f /etc/issue.net
These two files are the banners shown before the local and the network login prompt.
13) Remove redundant login terminals for root
vim /etc/securetty
tty1
#tty2
#tty3
#tty4
/etc/securetty lists the terminals on which root may log in directly; commenting out all but tty1 limits direct root console login to the first terminal.
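Added example, not from the original article: functions that verify items 7) to 13) are in place. Each takes a path, so the same functions audit a live host (empty prefix) or a constructed sample tree; the sample trees, their file contents and the sshd init script are assumptions. The Ctrl-Alt-Del check looks at the Upstart job file used by CentOS 6, and the permission check uses GNU find's -perm /MODE syntax.

```shell
#!/bin/sh
# Added example (not from the article): verify that the login hardening of
# items 7) to 13) is in place. Each check takes a path, so the same functions
# audit a live host or a scratch tree built for a dry run. Status 0 = in place.

# 7) idle-session timeout: an active TMOUT=<positive integer> line.
check_tmout() {
    grep -qE '^[[:space:]]*(export[[:space:]]+)?TMOUT=[1-9][0-9]*' "$1"
}

# 8) su restricted to the wheel group via pam_wheel.
check_pam_wheel() {
    grep -qE '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# 10) no active Ctrl-Alt-Del handler. Matches the "ca::ctrlaltdel:" line of an
# /etc/inittab and the "exec /sbin/shutdown" line of CentOS 6's Upstart job
# /etc/init/control-alt-delete.conf; a leading "#" disables either. A missing
# file also counts as disabled.
check_ctrlaltdel_disabled() {
    [ -e "$1" ] || return 0
    ! grep -vE '^[[:space:]]*#' "$1" \
      | grep -qE 'ctrlaltdel|^[[:space:]]*exec[[:space:]]+/sbin/shutdown'
}

# 11) init scripts for root only: print files in DIR that grant any
# permission to group or others (GNU find -perm /MODE syntax).
init_scripts_too_open() {
    find "$1" -type f -perm /077 | sed 's|.*/||'
}

# 12) no banner file present.
check_no_issue_banner() {
    [ ! -e "$1" ]
}

# 13) terminals root may still log in on: the uncommented, non-empty lines.
securetty_root_ttys() {
    grep -vE '^[[:space:]]*(#|$)' "$1"
}

# Run every check under a root prefix ("" = the live system), print one
# PASS/FAIL line per item and return 1 if anything failed.
audit_login_hardening() {
    root=$1; failed=0
    report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; failed=1; fi; }
    report check_tmout "$root/etc/profile"
    report check_pam_wheel "$root/etc/pam.d/su"
    report check_ctrlaltdel_disabled "$root/etc/init/control-alt-delete.conf"
    report check_no_issue_banner "$root/etc/issue"
    report check_no_issue_banner "$root/etc/issue.net"
    [ -z "$(init_scripts_too_open "$root/etc/rc.d/init.d")" ] \
        && echo "PASS init.d permissions" || { echo "FAIL init.d permissions"; failed=1; }
    [ "$(securetty_root_ttys "$root/etc/securetty" | xargs)" = "tty1" ] \
        && echo "PASS securetty" || { echo "FAIL securetty"; failed=1; }
    return $failed
}

# Constructed sample tree: "hardened" has items 7)-13) applied, "lax" keeps
# CentOS 6 style defaults so the audit has something to report. The sshd
# init script and the banner text are made up.
build_sample_tree() {
    dir=$1
    mkdir -p "$dir/etc/pam.d" "$dir/etc/init" "$dir/etc/rc.d/init.d"
    printf '#!/bin/sh\n' > "$dir/etc/rc.d/init.d/sshd"
    if [ "$2" = hardened ]; then
        printf 'HISTFILESIZE=1000\nTMOUT=300\n' > "$dir/etc/profile"
        printf 'auth sufficient pam_rootok.so\nauth required pam_wheel.so use_uid\n' > "$dir/etc/pam.d/su"
        printf 'start on control-alt-delete\n#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"\n' \
            > "$dir/etc/init/control-alt-delete.conf"
        printf 'tty1\n#tty2\n#tty3\n' > "$dir/etc/securetty"
        chmod 700 "$dir/etc/rc.d/init.d/sshd"
    else
        printf 'HISTFILESIZE=1000\n' > "$dir/etc/profile"
        printf 'auth sufficient pam_rootok.so\n' > "$dir/etc/pam.d/su"
        printf 'start on control-alt-delete\nexec /sbin/shutdown -r now "Control-Alt-Delete pressed"\n' \
            > "$dir/etc/init/control-alt-delete.conf"
        printf 'tty1\ntty2\ntty3\n' > "$dir/etc/securetty"
        printf 'CentOS release 6.5\n' > "$dir/etc/issue"
        printf 'CentOS release 6.5\n' > "$dir/etc/issue.net"
        chmod 755 "$dir/etc/rc.d/init.d/sshd"
    fi
}

# Dry run against the lax tree: every item should come back FAIL.
demo=$(mktemp -d)
build_sample_tree "$demo" lax
if audit_login_hardening "$demo"; then echo "all items in place"; else echo "hardening incomplete"; fi
rm -rf "$demo"
```

On a real host call audit_login_hardening "" as root; the non-zero exit status makes it easy to wire into a configuration check that fails a build or raises an alert when any of the items has drifted back.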