Basic Optimization and Security Essentials for Linux Systems: Summary

Source: Internet
Author: User
Tags: i18n rsyslog security essentials

This article summarizes some basic system-optimization points. So that they can be applied in batch, every step is written as a non-interactive command that can be pasted into a SecureCRT command window for simple batch processing.

  1. Do not log in as root to administer the system; work as an ordinary user and use sudo for privileged commands. As an example, create a new user here and grant it sudo rights:
    # user name as it appears in the page's snippet; the useradd step is implied by the text
    useradd timmygo
    echo "123456" | passwd --stdin timmygo
    # NOPASSWD:ALL is equivalent to root access for this account
    echo "timmygo    ALL=(ALL)       NOPASSWD:ALL" >> /etc/sudoers
    tail -1 /etc/sudoers
    # visudo -c checks the syntax: a broken /etc/sudoers locks everyone out of sudo
    visudo -c
  2. Change the default SSH service port, forbid remote root login, or even bind the SSH service to the intranet IP only.
  3. Set an idle-session timeout and reduce the number of commands kept in the shell history:
    echo "export TMOUT=300" >> /etc/profile
    # a short history keeps less for later auditing; use auditd if a command record is needed
    echo "export HISTSIZE=10" >> /etc/profile
    echo "export HISTFILESIZE=10" >> /etc/profile
  4. Synchronize the server clock with Internet time on a schedule:
    echo "# time sync by Xuyan at 2017-12-16" >> /var/spool/cron/root
    # the page had "2&>1", which is a typo for "2>&1"
    echo "*/5 * * * * /usr/bin/ntpdate ntp1.aliyun.com >/dev/null 2>&1" >> /var/spool/cron/root
    crontab -l
  5. Configure a yum update source close to the server (the original refers to a domestic Chinese mirror) so that installation packages are downloaded from it.
  6. Turn off SELinux and iptables (in production, a server with high concurrent traffic may leave iptables off, while a server with a public IP normally keeps it on):
    sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
    setenforce 0
    getenforce
    # stop iptables
    /etc/init.d/iptables status
    /etc/init.d/iptables stop
    chkconfig iptables off
  7. Raise the file-descriptor limit; descriptors are consumed by processes and by open files. Log in again after the change for it to take effect, and check it with ulimit -n:
    echo '*             -      nofile             65535' >> /etc/security/limits.conf
  8. Automatically clean up junk files in the mail temporary directory on a schedule, so that large numbers of small files do not exhaust the disk's inodes (note that the directory to clear differs between CentOS 5 and CentOS 6).
  9. Keep only the necessary boot-time services (such as crond, network, sshd, rsyslog and sysstat) and disable the rest:
    # only services enabled in runlevel 3 are considered, so the header lines of chkconfig --list are skipped
    chkconfig --list | grep "3:on" | egrep -v "crond|ssh|network|rsyslog|sysstat" | awk '{print "chkconfig", $1, "off"}' | bash
    chkconfig --list | grep "3:on"
  10. Tune Linux kernel parameters in /etc/sysctl.conf, then run sysctl -p to apply them. Several values were lost in the page's extraction; those lines are kept as comments rather than guessed.
    cat >>/etc/sysctl.conf<<EOF
    net.ipv4.tcp_fin_timeout = 2
    net.ipv4.tcp_tw_reuse = 1
    # tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12
    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.tcp_syncookies = 1
    # value lost in extraction: net.ipv4.tcp_keepalive_time = <missing>
    net.ipv4.ip_local_port_range = 4000 6000
    net.ipv4.tcp_max_syn_backlog = 16384
    net.ipv4.tcp_max_tw_buckets = 36000
    # value lost in extraction: net.ipv4.route.gc_timeout = <missing>
    net.ipv4.tcp_syn_retries = 1
    net.ipv4.tcp_synack_retries = 1
    net.core.somaxconn = 16384
    net.core.netdev_max_backlog = 16384
    net.ipv4.tcp_max_orphans = 16384
    net.ipv4.tcp_keepalive_probes = 3
    # value lost in extraction: net.ipv4.tcp_keepalive_intvl = <missing>
    net.ipv4.tcp_retries2 = 5
    # duplicate of the setting above; the last occurrence in the file wins
    net.ipv4.tcp_max_tw_buckets = 36000
    net.ipv4.tcp_wmem = 8192 131072 16777216
    net.ipv4.tcp_rmem = 32768 131072 16777216
    net.ipv4.tcp_mem = 786432 1048576 1572864
    # overrides the 4000-6000 range set above (lower bound reconstructed from the garbled "1024x768")
    net.ipv4.ip_local_port_range = 1024 65000
    net.ipv4.ip_conntrack_max = 65536
    net.ipv4.netfilter.ip_conntrack_max = 65536
    # value lost in extraction: net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = <missing>
    vm.swappiness = 10
    # The following tunes iptables; if the firewall is not enabled an error is reported, which can be ignored.
    net.nf_conntrack_max = 25000000
    # the page spelled these keys "nf_conntract"; the real key is nf_conntrack
    net.netfilter.nf_conntrack_max = 25000000
    # values lost in extraction: net.netfilter.nf_conntrack_tcp_timeout_established,
    # ..._tcp_timeout_time_wait, ..._tcp_timeout_close_wait, ..._tcp_timeout_fin_wait = <missing>
    EOF
    sysctl -p
  11. Change the system character set to "zh_CN.UTF-8" so that Chinese is supported and garbled text is avoided. The corresponding Chinese character set must be installed on the system.
    cp /etc/sysconfig/i18n{,.ori}
    echo 'LANG="zh_CN.UTF-8"' > /etc/sysconfig/i18n
    source /etc/sysconfig/i18n
    export LANG=zh_CN.UTF-8
  12. Lock critical system files such as /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow and /etc/inittab with chattr; after that, rename chattr and lsattr (for example to oldboy) and move them away, which makes the system considerably safer.
  13. Empty /etc/issue and /etc/issue.net so that the system and kernel version are no longer displayed on screen before login:
    > /etc/issue
    > /etc/issue.net
    cat /etc/issue
    cat /etc/issue.net
  14. Remove redundant system (virtual) user accounts.
  15. Add a password to the GRUB boot menu.
  16. Prevent the host from responding to ping.
  17. Patch and upgrade software with known vulnerabilities.
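As an added example (my own code, not part of the original article), the helpers below make the batch steps above re-runnable and checkable: ensure_line appends a profile or limits.conf line only once instead of duplicating it on every run, sysctl_set and sysctl_get replace rather than duplicate a sysctl.conf key (the heredoc in step 10 sets tcp_max_tw_buckets twice), and sshd_check verifies the step 2 sshd settings. Function names and the use of file paths as parameters are my assumptions.

```shell
#!/bin/sh
# Added example: idempotent helpers for the batch steps above. Every path is a
# parameter so the functions can be tried on copies rather than the live /etc files.

# ensure_line FILE LINE : append LINE to FILE unless an identical line exists.
ensure_line() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# sysctl_set FILE KEY VALUE : set KEY in a sysctl.conf-style FILE, replacing an
# existing (non-comment) setting instead of appending a second copy.
sysctl_set() {
    tmp=$(mktemp); touch "$1"
    awk -v k="$2" -v v="$3" '
        /^[ \t]*#/ { print; next }
        { key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key) }
        key == k { if (!seen) print k " = " v; seen = 1; next }
        { print }
        END { if (!seen) print k " = " v }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# sysctl_get FILE KEY : print the value sysctl -p would apply for KEY (last one wins).
sysctl_get() {
    awk -v k="$2" -F= '!/^[ \t]*#/ { key = $1; gsub(/[ \t]/, "", key)
        if (key == k) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v) } } END { print v }' "$1"
}

# sshd_check FILE : succeed only if the sshd_config at FILE moves sshd off port 22
# and sets PermitRootLogin no (step 2 above); report what is still missing.
sshd_check() {
    rc=0
    port=$(awk 'tolower($1) == "port" { p = $2 } END { if (p == "") p = 22; print p }' "$1")
    prl=$(awk 'tolower($1) == "permitrootlogin" { v = $2 } END { if (v == "") v = "unset"; print v }' "$1")
    [ "$port" != "22" ] || { echo "sshd still listens on port 22"; rc=1; }
    [ "$prl" = "no" ] || { echo "PermitRootLogin is '$prl', expected no"; rc=1; }
    return $rc
}
```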

