Basic optimization and security Essentials for Linux Systems Summary

This article describes some basic system optimization knowledge points, in order to adapt to batch configuration, all code is a non-interactive configuration method, can be in the CRT through the Command window to do a simple batch processing.

2. The admin system is not logged in as root, and is managed with sudo authorization as a normal user. As an example, create a new user here and make sudo right
   

   123456|passwd--/etc/"Gotimmygo    all= (All)       Nopasswd:all  ">>/etc/-1 /etc/-C

4. Change the default remote connection SSH service port, prevent the root user from connecting remotely, or even change the SSH service to monitor only the intranet IP.
6. Time-out, number of operation Records changed
   

   1 " Export tmout=300 " >>/etc/profile2"export histsize=10">>/etc/  Profile 3 " Export histfilesize=10 ">>/etc/profile

8. Periodically update the server time so that it synchronizes with Internet time.
   

   1 " Time sync by Xuyan at 2017-12-16 ">>/var/spool/cron/Root2"*/5 * * * */usr/bin/ntpdate ntp1.aliyun.com >>/dev/null 2&>1" >>/var/spool/cron/Root 3 crontab-l

10. Configure the Yum update source to download the installation package from the domestic update source.
12. Turn off SELinux and Iptables (in a working scenario, a server with high concurrent traffic may not turn on if you have an external IP that typically opens iptables).
    

    " s#selinux=enforcing#selinux=disabled#g " /etc/selinux/0  getenforce# #关闭iptables/etc/init.d/iptables status/ etc/init.d/iptables stopchkconfig iptables off

14. The number of file descriptors is adjusted, and the number of file descriptors is consumed by the process and the opening of the file. Login after configuration is complete to take effect and can be viewed using command ulinmit-n
    

    Echo ' *             -      nofile             65535' >>/etc/security/limits.conf

16. Regular automatic cleanup of mail temporary directory junk files, to prevent the number of the disk inode is small files full (note centos6 and centos5 to clear the directory is different).
18. Streamline and retain the necessary boot-up services (such as Cron, network, sshd, Rsyslog, Sysstat)
    

    Chkconfig--list|egrep-v  "crond|ssh|network|rsyslog|sysstat"'{print "Chkconfig", $ $, "off"}'|  "3:on"

19. Linux kernel parameter optimization/etc/sysctl.conf, execution sysctl–p effective.
    

    1Cat >>/etc/sysctl.conf<<EOF2Net.ipv4.tcp_fin_timeout =23Net.ipv4.tcp_tw_reuse =14Net.ipv4.tcp_tw_recycle =15Net.ipv4.tcp_syncookies =16Net.ipv4.tcp_keepalive_time = -7Net.ipv4.ip_local_port_range =4000 60008Net.ipv4.tcp_max_syn_backlog =163849Net.ipv4.tcp_max_tw_buckets =36000TenNet.ipv4.route.gc_timeout = - OneNet.ipv4.tcp_syn_retries =1 ANet.ipv4.tcp_synack_retries =1 -Net.core.somaxconn =16384 -Net.core.netdev_max_backlog =16384 theNet.ipv4.tcp_max_orphans =16384 -Net.ipv4.tcp_keepalive_probes =3 -NET.IPV4.TCP_KEEPALIVE_INTVL = the -Net.ipv4.tcp_retries2 =5 +Net.ipv4.tcp_max_tw_buckets =36000 -Net.ipv4.tcp_wmem =8192 131072 16777216 +Net.ipv4.tcp_rmem =32768 131072 16777216 ANet.ipv4.tcp_mem =786432 1048576 1572864 atNet.ipv4.ip_local_port_range =1024x768 65000 -Net.ipv4.ip_conntrack_max =65536 -net.ipv4.netfilter.ip_conntrack_max=65536 -Net.ipv4.netfilter.ip_conntrack_tcp_timeout_established= the -vm.swappiness=Ten - # # #以下是对iptables的优化, firewall not meeting prompt, can be ignored inNet.nf_conntrack_max =25000000 -Net.netfilter.nf_conntract_max =25000000 tonet.netfilter.nf_conntract_tcp_timeout_established = the +Net.netfilter.nf_conntract_tcp_timeout_time_wait = - -Net.netfilter.nf_conntract_tcp_timeout_close_wait = - theNet.netfilter.nf_conntract_tcp_timeout_fin_wait = - * EOF $

21. Change the system character set to "ZH_CN." UTF-8 "so that it supports Chinese and prevents garbled problems. The corresponding Chinese character set should be installed in the Linux system.

    1 cp/etc/sysconfig/I18n{,i18n.ori}2"lang="zh_cn. UTF-8"'>/etc/sysconfig/i18n3 source/etc/sysconfig/i18n4 Export LANG=ZH_CN. utf-8

23. Lock critical system files, such as/etc/passwd,/etc/shadow,/etc/group,/etc/gshadow,/etc/inittab, after processing the above chattr, lsattr renamed Oldboy, transfer away, That's a lot safer.
25. Empty/etc/isuue,/etc/issue.net, remove the screen display before the system and kernel version login.
    

    1 >/etc/issue2 >/etc/issue.net3 cat/etc/issue4 cat/etc/issue.net

27. Clear the redundant system virtual user accounts.
29. Add a password for the Grub boot menu.
31. Prevents the host from being ping.
33. Patching and upgrading software for known vulnerabilities.

Basic optimization and security Essentials for Linux Systems Summary