Authoritative Guide to tuning Linux systems

1. Turn off SELinux function
1.1 Modify the configuration file to disable SELinux for permanent effect
Sed ' s#selinux=enforcing#selinux=disables#g '/etc/selinux/config ===> reboot system in effect
1.2 Temporarily close SELinux
[Email protected] xningge]# Setenforce
Usage:setenforce [Enforcing | Permissive | 1 | 0]
The ===> number 0 indicates that the permissive is a warning prompt and does not block the operation, equivalent to Disabled
===> Number 1 indicates that enforcing is the SELinux open state
[[email protected] xningge]# Setenforce 0 ====> temporarily modify SELinux to permissive status
[[email protected] xningge]# getenforce ===> view SELinux current status
Permissive

2. Set the operating level
7 operating levels under Linux:

0: System shutdown status, the system default operation level cannot be set to 0, otherwise it will not start normally, the machine shuts down.
1: Single user working status, root privileges, for system maintenance, prohibit remote login, just like Windows security mode login.
2: Multi-user status, no NFS support.
3: Full multi-user mode, NFS, login to console command line mode.
4: The system is not used, reserved for general use, in some special cases you can use it to do some things. For example, you can switch to this mode to do some setup when your laptop's battery is running out.
5:x11 console, after landing into the graphical GUI mode, Xwindow system.
6: The system shuts down gracefully and restarts, the default runlevel cannot be set to 6, otherwise it will not start normally. Running the INIT6 machine will restart.

2.1
[[email protected] xningge]# grep 5:initdefault/etc/inittab ===> system default Run level
Id:5:initdefault:

[[email protected] xningge]# runlevel ===> View RunLevel
N 5

[[Email protected] xningge]# init 3 ===> set RunLevel

3. Turn off Iptables firewall
1.
[[email protected] xningge]#/etc/init.d/iptables stop ===> temporarily shut down the firewall
Iptables:setting chains to Policy Accept:filter [OK]
iptables:flushing firewall rules: [OK]
iptables:unloading modules: [OK]

[[email protected] xningge]# chkconfig iptables off = = "Turn off boot command

4.sudo controlling user access to system commands
4.1 The first step Visudo = = = "equivalent to Vi/etc/sudoers
4.2 The second step Xningge all= (All) Nopasswd:all ===> about 98 rows
4.3 Third step to see if the modification was successful
[[email protected] ~]$ sudo grep xningge/etc/sudoers
Xningge all= (All) Nopasswd:all
4.4 Viewing the sudo permissions command collection that the current user is granted
[Email protected] ~]$ sudo-l

5.Linux Chinese display settings
5.1 Viewing the current language used by Linux
[Email protected] ~]# cat/etc/sysconfig/i18n
Lang= "ZH_CN. UTF-8 "
5.2 Set into Chinese language
[email protected] ~]# sudo echo ' lang= ' ZH_CN. UTF-8 "' >/etc/sysconfig/i18n
[[email protected] ~]# source/etc/sysconfig/i18n = = = "To make the modified file effective
[[email protected] ~]# echo $LANG = = = "View the currently used language equivalent
Zh_cn. UTF-8

6. Set Linux Server time synchronization
6.1
[[email protected] ~]#/usr/sbin/ntpdate ntp1.aliyun.com
21:45:17 NTPDATE[31374]: Step time Server 182.92.12.11 offset-28774.000359 sec
6.2
[[email protected] ~]# which Ntpdate
/usr/sbin/ntpdate ===> Note This directory, centos5 for/sbin
6.3 automatically executes every 5 minutes using timed Tasks
[[email protected] ~]# Echo ' */5 * * * * */usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1 ' >>/var/spool/cron/root
[[email& Nbsp;protected] ~]# crontab-l ===> This command is actually writing a timed task, equivalent to executing crontab-e then adding content
#time sync by Xningge at 2017-12-24
*/ 5 * * * */usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1

7. History count and login timeout environment variable settings
7.1 Set Idle account timeout time
[[email protected] ~]$ export TMOUT=10 = = = Set timeout for connection session temporarily valid
[[email protected] ~]$ timed out waiting for input:auto-logout
7.2 Set the command line history of Linux
[[email protected] ~]# export histsize=5 = = = "
[Email protected] ~]# history
Crontab-e
Su-xingge
Su-xningge
Histsize=5 Export
History

7.3 Set the number of commands for a history file variable (~/.bash_history)
[Email protected] ~]# export histfilesize=5
[email protected] ~]# cat ~/.bash_history
which LS
Which iptables
Getenforce
Cat/etc/selinux/config
Export tmout=10

7.4 Make the above command permanent
[Email protected] ~]# echo ' Export tmout=300 ' >>/etc/profile
[Email protected] ~]# echo ' Export histsize=5 ' >>/etc/profile
[Email protected] ~]# echo ' Export histfilesize=5 ' >>/etc/profile
[Email protected] ~]# tail-3/etc/profile
Export tmout=300
Export histsize=5
Export histfilesize=5
[Email protected] ~]# Source/etc/profile

7.5
tmout=300 = = = time-out control variable of the connection
histsize=5 = = = Number of history variables for the command line
histfilesize=5 = = = Number of command variables for history files
8. Adjust the number of Linux system file descriptors
8.1 View Linux Server file descriptor settings The default size is 1024
[Email protected] ~]$ ulimit-n
1024
8.2 For high-concurrency business Linux servers, you need to adjust
[[email protected] ~]$ vim/etc/security/limits.conf at the end of the file add a sentence (*-nofile 65535)

9. Scheduled cleanup of the Mail Service temp directory junk files
9.1 Manual Cleanup
[[email protected] ~]# find/var/spool/postfix/maildrop/-type f|xargs rm-f ===> for CentOS 6 postfix service
[[email protected] ~]# find/var/spool/clientmqueue/-type f|xargs rm-f ===> for CentOS 5 Sendmall Service
9.2 timed Cleanup
[Email protected] ~]# mkdir-p/server/scripts
[Email protected] ~]# echo "find/var/spool/postfix/maildrop/-type f|xargs rm-f" >/server/scripts/del_file.sh
[Email protected] ~]# cat/server/scripts/del_file.sh
find/var/spool/postfix/maildrop/-type F|xargs rm-f
[Email protected] ~]# echo "xx * * */bin/sh/server/scripts/del_file.sh >/dev/null 2>&1" >>//var/spo Ol/cron/root
[Email protected] ~]# crontab-l
#time sync by Xningge at 2017-12-24
*/5 * * * */usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1
XX * * * */bin/sh/server/scripts/del_file.sh >/dev/null 2>&1
9.3 View Disk Inode Total, amount remaining, usage
[Email protected] ~]# df-i
Filesystem inodes iused IFree iuse% mounted on
/dev/sda3 1234576 122241 1112335 10%/
TMPFS 125514 6 125508 1%/dev/shm
/DEV/SDA1 51200 51162 1%/boot
10. Hide Linux Version information display
10.1 Viewing the actual storage file of the terminal display content
[Email protected] ~]# cat/etc/issue
CentOS Release 6.9 (Final)
Kernel \ r on an \m
[Email protected] ~]# cat/etc/issue.net
CentOS Release 6.9 (Final)
Kernel \ r on an \m
10.2 Clear Linux System version and kernel information
[Email protected] ~]# >/etc/issue
[Email protected] ~]# cat/etc/issue
[Email protected] ~]# >/etc/issue.net
[Email protected] ~]# cat/etc/issue.net
[Email protected] ~]#

11. Lock down critical system files to prevent the right to be tampered with
11.1 Lock
[Email protected] ~]# chattr +i/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab
11.2 Unlocking
[Email protected] ~]# chattr-i/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab

12.3. Prevent hackers from using, chattr transfer
[Email protected] ~]# Mv/usr/bin/chattr/usr/bin/xningge1
[Email protected] ~]# Xningge1 +i/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab
[Email protected] ~]# chattr-i/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab
-bash:/usr/bin/chattr: No file or directory
[Email protected] ~]# xningge1-i/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab
[Email protected] ~]# Xningge1 +i/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab
[Email protected] ~]#

12. Clear the redundant system virtual account
13. Add a password to the Grub menu
Purpose: To prevent others from modifying grub for boot settings such as kernel, and to start with a single user mode to crack root password and other operations
Setup steps:
(1) First use/sbin/grub-md5-crypt to generate a MD5 cipher string
[Email protected] ~]$/sbin/grub-md5-crypt
Password:
Retype Password:
$1$x85we/$cdytOERYCKB. Apbqbl9ef.
(2) Modify the grub.conf file
Add a row between Splashimage and title (password--md5 $1$x85we/$cdytOERYCKB. Apbqbl9ef.)

14. Disable the Linux system from being ping
14.1 Forbidden Command for
[Email protected] ~]# echo "net.ipv4.icmp_echo_ignore_all=1" >>/etc/sysctl.conf
[Email protected] ~]# tail-1/etc/sysctl.conf
Net.ipv4.icmp_echo_ignore_all=1
14.2 Restore No ping operation
Delete the net.ipv4.icmp_echo_ignore_all=1 saved in/etc/sysctl.conf.
and execute the following command
[Email protected] ~]# echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all

14.3 because it is forbidden to ping us to test the network situation is not possible, do a good thing is to use the iptables set to let the specific IP can ping
Iptables-t filter-i inpot-p ICMP--icmp-type 8-i eth0-s 10.0.0.0/24-j ACCEPT

15. Upgrading a software version with a typical vulnerability
15.1 Viewing the version number of the relevant software
[Email protected] ~]# Rpm-qa OpenSSL openssh bash
Bash-4.1.2-48.el6.x86_64
Openssh-5.3p1-122.el6.x86_64
Openssl-1.0.1e-57.el6.x86_64
15.2 upgrading software versions of known vulnerabilities to the latest
[email protected] ~]# yum install OpenSSL openssh bash-y

16.Linux Server kernel parameter optimization

Description of the 17.Linux system safety minimization principle

18. Change the configuration of SSH server-side Telnet

19. Streamlined boot system self-booting
19.1 Important boot-up service
1 "sshd: This service is required to connect to a Linux server remotely, so it must be turned on, otherwise the Linux server will not be able to provide remote connection services.
2 "Rsyslog: Log related software, which is a mechanism provided by the operating system, the system daemon usually uses the Rsyslog program to write various information to the various system log files. Prior to CentOS 6 The name of this service was syslog.
3 "Network: When the system starts, you should consider turning on this service if you want to activate/deactivate each of these interfaces.
4 "Crond: This service is used for periodic execution of the system and User configuration of the task plan, have to periodically perform tasks, it is necessary to open.
5 Sysstat: is a package that contains a set of tools for detecting system performance and efficiency. These tools are useful for collecting system performance data, such as CPU utilization, hard disk and network throughput data, etc.
The main tools for Sysstat package integration are:
Iostat: Tool provides data on CPU usage and drive throughput efficiency
Mpstat: Tools provide data related to single or multiple processors
SAR: Tools are responsible for collecting, reporting, and storing system-active information

19.2 common ways to set up start-up service
Method 1: Execute the NTSYSV command, and then set it in the popup window.
Method 2: Execute the Setup command->system service and set it in the popup window

Authoritative Guide to tuning Linux systems