Centos 6.5 Server Optimization configuration memo (some basic optimizations and security settings) _linux

Source: Internet
Author: User
Tags i18n syslog domain name server iptables nameserver ssh port rsyslog aliyun


There are 18 CentOS 6.5 optimizations in this article:
1, centos6.5 to minimize the installation of the network card after the start
2, ifconfig query IP for SSH link
3. Update system source and upgrade system
4, the system time update and set the timing of any
5, modify the IP address, gateway, host name, DNS
6, close SELinux, empty iptables
7, the creation of ordinary users and the sudo authorization management
8, modify the SSH port number and shield root account remote Login
9, Lock critical file system (prohibit unauthorized users to get permissions)
10. Streamlined power-on self-starter service
11, adjust the system file descriptor size
12, set the system character set
13, clean up when the system and the kernel version of the display
14. Kernel parameter optimization
15, regular cleaning/var/spool/clientmqueue
16. Remove unnecessary system users and groups
17, turn off restart Ctl-alt-delete key combination
18, set some global variables



1, start the network card



#centos6. x the NIC defaults to no boot state after the installation is minimized
ifup eth0



2, SSH link ifconfig view IP after the SSH terminal connection.



3, update the source to minimize the installation is not wget tools, you must first install in the Modify source)



yum install wget



Back up the original system update source



mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup



Enter YUM.REPOS.D Directory



cd /etc/yum.repos.d



Download NetEase mirror source or Sohu mirror source or Aliyun Mirror source


#下载网易镜像源:
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
#或者
#下载搜狐镜像源:
wget http:// Mirrors.sohu.com/help/centos-base-sohu.repo
#下载阿里云镜像源
wget Http://mirrors.aliyun.com/repo/Centos-6.repo


NetEase Sohu Source may have a problem.



Reference http://www.jb51.net/os/RedHat/499587.html


Empty yum cache
Yum Clean all
Live cache
Yum Makecache
start updating system and kernel
Yum upgrade
prerequisite software
Yum Lrzsz ntpdate sysstat-y


Use LRZSZ Tools Common operations: RZ upload sz Download



4, the system time update and set timed tasks first: Update time and Write Bois



ntpdate time.windows.com && hwclock -w && hwclock --systohc



Second: Update time and write timed tasks





Copy Code code as follows:

Echo ' */30 * * * ntpdate time.windows.com && hwclock-w && hwclock--systohc >/dev/null 2>&1 ' >>/var/spool/cron/root





Third: Sync time between 5 minutes and 10 minutes each interval





Copy Code code as follows:

Echo ' */5 * * * */usr/sbin/ntpdate time.windows.com >/dev/null 2 >&1 ' >>/var/spool/cron/root
Echo ' */10 * * */usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1 ' >>/var/spool/cron/root





Tip: CentOS 6.x time sync command path is different 6 is/usr/sbin/ntpdate 5 is/sbin/ntpdate



5, modify IP address, gateway, host name, DNS #eth0 network card settings


Mv/etc/sysconfig/network-scripts/ifcfg-eth0/etc/sysconfig/network-scripts/ifcfg-eth0.bak
Vi/etc/sysconfig/ Network-scripts/ifcfg-eth0
Device=eth0 #NIC device name
Hwaddr=00:0c:29:d0:c7:b5 #corresponding physical address of the Ethernet device
Type=ethernet #Network type is Ethernet mode
Uuid=080a457b-6a53-4a3a-9155-a23c1146c2c6 #Universal unique identifier
Onboot=yes #Do you want to activate YES when booting?
Nm_ Controlled=no #Device eth0 can be managed by Network Manager Graphics management tools
Bootproto=dhcp #Static IP address acquisition status such as: DHCP means automatic access to IP addresses
Ipaddr= 192.168.1.10 #IP
Ipv6init=no
Ipv6_autoconf=no
Netmask=255.255.255.0 #Network mask corresponding to the network card
Gateway= 192.168.1.1 #Gateway address


Check NIC Configuration



cat /etc/sysconfig/network-scripts/ifcfg-eth0



Gateway Configuration


Vi/etc/sysconfig/network
If the system uses the network, generally set to Yes. If set to no, the network cannot be used, and many system services programs will not be able to start the
Networking=yes
#Set the host name of this machine, where the host name is set to correspond to the hostname set in/etc/hosts
Hostname= C65mini.localdomain
#Set the IP address of the gateway connected to this machine. For example, the gateway is 10.0.0.1 or 192.168.1.1
Gateway=192.168.1.1


modifying host DNS


vi/etc/resolv.conf
generated by/sbin/dhclient-script
nameserver 8.8.8.8 nameserver
4.4.4.4


Modify hosts


Vi/etc/hosts
127.0.0.1 c65mini.localdomain
#Use DNS domain name server to resolve the name order
Bind hosts
#Does one host have multiple IPs?
Multi
On the wrong name to confirm that it does match the address of your query. resolve the "cheat" IP address
Nospoof on


Two ways to reboot the network card for effective setting


Service Network restart
or
/etc/init.d/network restart


6, close the SELinux, empty the iptables after the server configuration is completely successful after the normal service, in the open SELinux



View SELinux Status



The first method:/usr/bin/setstatus-v #If displayed: SELinux status:enabled is the open state
The second method: Cat/etc/selinux/config #If displayed: Selinux=enforcing is turned on permissive alert state disabled is off
The third method: grep selinux=disabled/etc/selinux/config
Fourth method: Getenforce



Modify the SELinux state if the configuration file is modified permanently, but the system must be restarted



The first: Vi/etc/selinux/config modified selinux=disabled
The second type: Sed–i ' s/selinux=enforcing/selinux=disabled/g '/etc/selinux/config
If you want to take effect immediately (if you want to change temporarily) Setenforce 0





Copy Code code as follows:

Setenforce 1 setting SELinux becomes enforcing mode setenforce 0 setting SELinux becomes permissive mode view status Getenforce





iptables firewall rules cleaned up, tailored to requirements


#Empty iptables rules
Iptables-f
#View iptables rules
Iptables-l
#Save rules, note, although empty, do not save words, after the restart, there will be rules.
/etc/init.d/iptables Save


7, the creation of ordinary users and the sudo authorization management
Create a normal user Useradd Bingoku Modify the user password passwd bingoku



Another way: Create users and set passwords at once echo "123456" |passwd--stdin bingoku&&history–c



The user name that Bingoku created for you
sudo authorization management opens sudo profile Visudo


# Set nu view rows, find 99 rows of
root all= (All)
#insert
Bingoku all=


8, modify the SSH port number and shield root account remote Login


#Backup SSH configuration
Cp/etc/ssh/sshd_config sshd_config_bak
#Modify SSH security configuration
Vi/etc/ssh/sshd_config
#SSHLinkDefault Port The #Do not use DNS of no
#Forbidden blank password
Permitemptypasswords
No in port 52113 #Forbid root account login permitrootlogin
Usedns No


Reload SSH configuration/etc/init.d/sshd reload See if there is a port number that has just been modified 52113



netstat -lnt



or the counter check port is the process.



lsof -i tcp:52113



centos6.5 Minimal installation lsof tools required Yum Install Lsof



9, Lock critical file system (prohibit unauthorized users to get permissions)


Chattr +i/etc/passwd
chattr +i/etc/inittab chattr +i/etc/group chattr +i/etc/shadow chattr +i
/ Etc/gshadow


10. Streamlined power-on self-starter service



Note: Just install the operating system can generally retain only crond,network,syslog,sshd these four services. Post-Start service # (centos6.x for Rsyslog cetnos5.x for Syslog) based on business requirements if it is in Chinese. May require lang=en or replace 3:on 3: Enabled


#Close all services for
Sun in ' chkconfig--list|grep 3:on|awk ' {print $} ';d o chkconfig--level 3 $sun off;done

#or
For Sun in ' Chkconfig--list|grep 3: Enable |awk ' {print $} ';d o chkconfig--level 3 $sun off;done

#Open the required service for
Sun in cron D rsyslog sshd network;do chkconfig--level 3 $sun on;done

# or need to use a firewall, you can open iptables and ip6tables for
Sun in Crond rsy Slog sshd network iptables ip6tables;do chkconfig--level 3 $sun on;done


Services opened under the query Chkconfig–list | grep 3:on or Chkconfig–list|grep 3: Enabled


[Bingoku@c65mini ~]$ chkconfig--list|grep 3: Enable
crond  0: Close 1: Close 2: Enable 3: Enable 4: Enable 5: Enable 6: Close
ip6tables 0: Close 1: Close 2 : Enable 3: Enable 4: Enable 5: Enable 6: Close Iptables 0: Close 1: Close 2: Enable 3: Enable 4: Enable 5: Enable 6: Turn off network 0: Turn off 1: Turn off 2: Enable 3: Enable 4: Enable 5: Enable 6:  Turn off
rsyslog  0: Off 1: Off 2: Enable 3: Enable 4: Enable 5: Enable 6: Close
sshd 0: Close 1: Close 2: Enable 3: Enable 4: Enable 5: Enable 6:  Turn off


11, adjust the file descriptor size



#View file descriptor size
ulimit -n



The first type: #Here is the default setting of Alibaba Cloud host.


vi/etc/security/limits.conf 
* Soft nofile 65535 
* Hard nofile 65535 
* Soft Nproc 65535 
* Hard Nproc 6 5535 
* Soft nofile 65535


The second type: Echo ' *-nofile 65535 ' >>/etc/security/limits.conf



Third: Add the Ulimit-shn 65535 command to the/etc/rc.local, and then each reboot takes effect to append the command to the rc.local configuration file


Cat >>/etc/rc.local<<eof
#open files
ulimit-hsn 65535
#stack size
ulimit-s 65535
Eof


Fourth: If you do not modify the limits configuration file, immediate effect immediately, but reboot and restore the previous default. Ulimit-shn 65535



12, set the system character set



First type:vi /etc/sysconfig/i18n



If you want to use the Chinese hint: lang= "ZH_CN." Utf-8″ If you want to use English tips: lang= "en_US." Utf-8″ can also be LANG=ZH_CN if you switch temporarily. UTF-8



Second: Use SED to quickly replace


#Replaced with English
Sed-i ' s#lang= ' zh_cn.* "#LANG =" en_US. UTF-8 "# '/etc/sysconfig/i18n
#Replace with Chinese
Sed-i ' s#lang= ' en_us.*" #LANG = "zh_cn. UTF-8 "# '/etc/sysconfig/i18n
#Replace with UTF-8 Chinese
Sed-i ' s#lang= ' zh_cn.*" #LANG = "zh_cn. UTF-8 "# '/etc/sysconfig/i18n


13, clean up when the system and the kernel version of the display


#View login information
Cat/etc/redhat-release cat/etc/issue
#Clean up login information
Echo >/etc/redhat-release echo
>/ Etc/issue


14. Kernel parameter optimization



vi /etc/sysctl.conf



#可用于apache, nginx,squid various web applications Net.ipv4.tcp_max_syn_backlog = 65536 Net.core.netdev_max_backlog = 32768 Net.core.somaxconn = 32768 Net.core.wmem_default = 8388608 Net.core.rmem_default = 8388608 Net.core.rmem_max = 16777216 n Et.core.wmem_max = 16777216 Net.ipv4.tcp_timestamps = 0 
Net.ipv4.tcp_synack_retries = 2 Net.ipv4.tcp_syn_retries = 2 Net . ipv4.tcp_tw_recycle = 1 #net. Ipv4.tcp_tw_len = 1 Net.ipv4.tcp_tw_reuse = 1 Net.ipv4.tcp_mem = 94500000 915000000 9270000 Net.ipv4.tcp_max_orphans = 3276800 #net. ipv4.tcp_fin_timeout = #net. Ipv4.tcp_keepalive_time = Net.ipv4.ip_loca
L_port_range = 1024 65535 #The following parameters are for centos6. x's iptables firewall optimization, the firewall does not meet prompts, can ignore. #如果是centos5. x need to replace Netfilter.nf_conntrack with Ipv4.netfilter.ip #centos5.
X is Net.ipv4.ip_conntrack_max = 25000000 Net.nf_conntrack_max = 25000000 Net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180 Net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120 Net.netfilter.nf_conntrack_tcp_timeout_close_wait = Net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120 



Effective immediately/sbin/sysctl-p centos6.5 may have an error


Error: "Net.bridge.bridge-nf-call-ip6tables" is a unknown key
error: "Net.bridge.bridge-nf-call-iptables" is a Unknown key
error: "Net.bridge.bridge-nf-call-arptables" is a unknown key


This occurs because the bridge bridging module is not automatically loaded


Modprobe Bridge
Echo "Modprobe Bridge" >>/etc/rc.local


View Bridginglsmod|grep bridge



Centos5. X may complain this error may be your firewall is not turned on or automatically process the loaded module Ip_conntrack not automatically loaded, the solution is two, one is to open the firewall, and the second is to automatically handle the loading module ip_conntrack


Error: "Net.ipv4.ip_conntrack_max" is a unknown key
error: "Net.ipv4.netfilter.ip_conntrack_max" is a unknown key< C2/>error: "Net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is a unknown key
error: " Net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait "is a unknown key
error:" Net.ipv4.netfilter.ip_ Conntrack_tcp_timeout_close_wait "is a unknown key
error:" Net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_ Wait ' is a unknown key


Centos5. X Solution:


Modprobe ip_conntrack
echo "modprobe ip_conntrack" >>/etc/rc.local


Centos6. X may complain this error may be your firewall is not turned on or automatically process the loaded module Ip_conntrack not automatically loaded, the solution is two, one is to open the firewall, and the second is to automatically handle the loading module ip_conntrack


Error: "Net.nf_conntrack_max" Isan unknown key
error: "Net.netfilter.nf_conntrack_max" Isan key
Error: "Net.netfilter.nf_conntrack_tcp_timeout_established" Isan unknown key
error: "Net.netfilter.nf_conntrack_tcp_ Timeout_time_wait "Isan unknown key
error:" Net.netfilter.nf_conntrack_tcp_timeout_close_wait "Isan unknown Key
error: "Net.netfilter.nf_conntrack_tcp_timeout_fin_wait" Isan unknown Key


Centos6. X Solution:


Modprobe nf_conntrack
echo "modprobe nf_conntrack" >>/etc/rc.local


Note: The author in the collation of this centos6.5 kernel optimization, found that if you do not open ip6tables to optimize the Nf_conntrack module to perform the above solution will still prompt the above error. So in the optimization of service, you can choose to leave Iptables and ip6tables. Of course, if you do not need to iptables, in the kernel optimization of the time to remove the Nf_conntrack settings, in the/sbin/sysctl-p there will be no error prompted.



15, if the installation sendmail must be automatically cleaned/var/spool/clientmqueue/under the file to prevent the Inode node is occupied


#centos6.5 has not automatically installed SendMail, so there's no need to take this step to optimize
mkdir-p/server/scripts
vi/server/scripts/spool_clean.sh
#!/ Bin/sh
Find/var/spool/clientmqueue/-typef-mtime +30|xargsrm-f


16. Remove unnecessary system users and groups


# Delete unnecessary users
Userdel ADM
Userdel LP
Userdel sync
Userdel shutdown
Userdel Halt Userdel News
Userdel uucp
Userdel operator Userdel games, Userdel gopher
Ftp
# Delete unnecessary groups
Groupdel ADM
Groupdel LP
Groupdel news
Groupdel UUCP
Groupdel Games Groupdel Dip
Groupdel Pppusers


17, turn off restart Ctl-alt-delete key combination


vi/etc/init/control-alt-delete.conf
#Comment out


18, set some global variables


#Prevent the illegal shutdown of the SSH client caused by excessive logon process, you can set a larger number of seconds
Echo "tmout=3600" >>/etc/profile
#history command record number is set to 10
Sed-i "s/histsize=1000/histsize=10/"/etc/profile
#Effective immediately
Source/etc/profile


The above is the production server environment to minimize the installation of Centos 6.5 optimization configuration memo, need friends can test. You can install the Web environment later


Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.