This article covers 18 post-install optimizations for a minimal CentOS 6.5 installation:
1. Bring up the network card, which is down after a minimal install
2. Find the IP address with ifconfig and connect over SSH
3. Switch to a faster yum mirror and upgrade the system
4. Sync the system time and schedule the sync with cron
5. Set the IP address, gateway, hostname and DNS
6. Disable SELinux and flush iptables (only while the server is being set up)
7. Create an ordinary user and grant it sudo
8. Change the SSH port and block remote root login
9. Lock the critical account files (so unauthorized users cannot change permissions)
10. Trim the services started at boot
11. Raise the file descriptor limit
12. Set the system character set
13. Remove the OS and kernel version from the login banner
14. Kernel parameter tuning
15. Periodically clean /var/spool/clientmqueue
16. Remove unneeded system users and groups
17. Disable the Ctrl-Alt-Delete reboot key combination
18. Set a few global shell variables
1. Start the network card
# After a minimal CentOS 6.x install the NIC is not brought up at boot
ifup eth0

2. Connect over SSH
Run ifconfig to find the IP address, then connect from your SSH terminal.

3. Update the yum source and upgrade the system
(wget is not part of the minimal install, so install it before changing the source)
yum install wget

Back up the original repository file
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup

Enter the yum.repos.d directory
cd /etc/yum.repos.d

Download the NetEase, Sohu or Aliyun mirror definition (pick one)
# NetEase mirror:
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
# or the Sohu mirror:
wget http://mirrors.sohu.com/help/centos-base-sohu.repo
# or the Aliyun mirror:
wget http://mirrors.aliyun.com/repo/Centos-6.repo

The NetEase and Sohu sources may have problems; see http://www.jb51.net/os/RedHat/499587.html

Caveat: the .repo file is fetched over plain HTTP, so read it after downloading. Every section should keep gpgcheck=1 and point gpgkey at a CentOS key you already trust (the key under /etc/pki/rpm-gpg/ from the install media); with gpgcheck off, a tampered mirror or an on-path attacker can feed you modified packages.

Clear the yum cache
yum clean all
Rebuild the cache
yum makecache
Upgrade the system and the kernel
yum upgrade
Prerequisite tools
yum install lrzsz ntpdate sysstat -y
Common lrzsz usage: rz uploads a file to the server, sz downloads one.
4. Update the system time and schedule it as a cron job
First, set the time once and write it to the hardware clock:
ntpdate time.windows.com && hwclock -w
(hwclock -w and hwclock --systohc are the same command, so one of them is enough.)

Second, schedule the update as a cron job (a crontab line has five time fields; this runs every 30 minutes):
echo '*/30 * * * * /usr/sbin/ntpdate time.windows.com && /sbin/hwclock -w >/dev/null 2>&1' >> /var/spool/cron/root

Third, as an alternative, sync every 5 minutes and every 10 minutes from two different servers:
echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >> /var/spool/cron/root
echo '*/10 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >> /var/spool/cron/root

Tip: the ntpdate path differs between releases: /usr/sbin/ntpdate on CentOS 6.x, /sbin/ntpdate on CentOS 5.x.
Caveat: ntpdate steps the clock from an unauthenticated reply, so anyone who can spoof NTP toward this host can move its clock, which affects log timestamps, certificate validity checks and Kerberos. For a production host prefer the ntpd service (yum install ntp) pointed at servers you control, and keep ntpdate for the one-off initial sync.
5. Set the IP address, gateway, hostname and DNS
# eth0 settings
mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0                                # NIC device name
HWADDR=00:0c:29:d0:c7:b5                   # MAC address of the Ethernet device
TYPE=Ethernet                              # network type: Ethernet
UUID=080a457b-6a53-4a3a-9155-a23c1146c2c6  # universally unique identifier
ONBOOT=yes                                 # activate the interface at boot
NM_CONTROLLED=no                           # do not let NetworkManager manage eth0
BOOTPROTO=static                           # how the address is obtained: static here; dhcp would fetch it automatically
IPADDR=192.168.1.10                        # IP address
IPV6INIT=no
IPV6_AUTOCONF=no
NETMASK=255.255.255.0                      # network mask for this NIC
GATEWAY=192.168.1.1                        # gateway address
(The original listing had BOOTPROTO=dhcp together with a fixed IPADDR. With a static address it must be BOOTPROTO=static, otherwise a DHCP lease overrides what you configured. Replace HWADDR and UUID with the values of your own NIC.)

Check the NIC configuration
cat /etc/sysconfig/network-scripts/ifcfg-eth0

Gateway configuration
vi /etc/sysconfig/network
# Whether the system uses the network; normally yes. With no the network cannot be used and many services will fail to start
NETWORKING=yes
# Hostname of this machine; it must match the hostname entry in /etc/hosts
HOSTNAME=c65mini.localdomain
# IP address of the gateway this machine connects to, e.g. 10.0.0.1 or 192.168.1.1
GATEWAY=192.168.1.1

Set the DNS servers
vi /etc/resolv.conf
# Generated by /sbin/dhclient-script
nameserver 8.8.8.8
nameserver 4.4.4.4

Modify hosts
vi /etc/hosts
127.0.0.1 c65mini.localdomain

The next three directives are resolver options and belong in /etc/host.conf, not in /etc/hosts:
vi /etc/host.conf
# name resolution order: DNS first, then /etc/hosts
order bind,hosts
# allow one host in /etc/hosts to have several IP addresses
multi on
# reject a reverse lookup whose forward lookup does not return the queried address (spoof protection)
nospoof on
Caveat: on a glibc system the lookup order is set by the "hosts:" line of /etc/nsswitch.conf (files dns by default), so check that file rather than relying on host.conf alone. If you ever switch the NIC back to dhcp, add PEERDNS=no to ifcfg-eth0, otherwise dhclient rewrites /etc/resolv.conf.

Restart the network for the settings to take effect, either way:
service network restart
or
/etc/init.d/network restart
6. Disable SELinux and flush iptables
Do this only while the server is being configured; once the services run normally, turn SELinux back on.

View the SELinux status
Method 1: /usr/sbin/sestatus -v  # "SELinux status: enabled" means it is on
Method 2: cat /etc/selinux/config  # SELINUX=enforcing is on, permissive only logs violations, disabled is off
Method 3: grep SELINUX=disabled /etc/selinux/config
Method 4: getenforce

Changing the state in the configuration file is permanent but requires a reboot:
Method 1: vi /etc/selinux/config and set SELINUX=disabled
Method 2: sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
For an immediate (temporary) change: setenforce 0
setenforce 1 switches SELinux to enforcing mode, setenforce 0 to permissive mode; getenforce shows the current mode.
Caveats: prefer permissive over disabled while setting up. It still logs every denial to /var/log/audit/audit.log, so you see exactly which policy work the final configuration needs, and files keep getting labelled. If you do run with SELinux disabled for a while, touch /.autorelabel before switching the config back to enforcing, otherwise files created in the meantime are unlabelled and services break on the next boot.

Clean up the iptables rules and tailor them to your needs
# flush all iptables rules
iptables -F
# view the rules
iptables -L -n
# save: even though the table is now empty, without saving the old rules come back after a reboot
/etc/init.d/iptables save
Caveat: iptables -F removes rules but not the chain policies. If the INPUT policy is DROP, flushing cuts off your SSH session; set the policies to ACCEPT first (iptables -P INPUT ACCEPT, and the same for FORWARD and OUTPUT) or do this from the console. Put real rules back, at least for the SSH port from step 8, before the server goes into production.
7. Create an ordinary user and grant it sudo
Create a normal user: useradd bingoku
Set its password: passwd bingoku
Another way, creating the user and setting the password in one step:
echo "123456" | passwd --stdin bingoku && history -c
(bingoku is simply the user name created for this article; use your own. Caveats: a password given on the command line lands in the shell history, and history -c clears only the current session's copy; 123456 is a placeholder, not a password to keep.)

sudo authorization management: open the sudoers file with visudo
# :set nu shows line numbers; find line 99
root    ALL=(ALL)       ALL
# insert below it (the article's line is truncated; mirroring the root line gives)
bingoku ALL=(ALL)       ALL
(This lets bingoku run any command as root through sudo after entering its own password. Do not add NOPASSWD: unless there is a reason; with it the user's password is the only thing standing between an attacker and root.)
8. Change the SSH port and block remote root login
# back up the SSH configuration
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# edit the SSH security settings
vi /etc/ssh/sshd_config
Port 52113              # SSH port; the default is 22
PermitRootLogin no      # forbid root from logging in over SSH
PermitEmptyPasswords no # forbid accounts with an empty password
UseDNS no               # no reverse DNS lookup of clients (faster logins)

Reload the SSH configuration:
/etc/init.d/sshd reload
Check that the new port 52113 is listening:
netstat -lnt
or check which process owns the port:
lsof -i tcp:52113
(lsof is not part of the minimal install: yum install lsof)

Caveats: keep your current session open and test a fresh login on 52113 before closing it. If iptables is in use, allow the new port (iptables -I INPUT -p tcp --dport 52113 -j ACCEPT, then /etc/init.d/iptables save). If SELinux is enforcing, sshd is not allowed to bind a non-standard port until it is labelled: semanage port -a -t ssh_port_t -p tcp 52113 (semanage is in the policycoreutils-python package). Moving the port only reduces log noise from scanners; PermitRootLogin no and, once keys are deployed, PasswordAuthentication no are the actual controls.
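The step above is easy to get wrong by hand (two Port lines, a directive appended below a Match block, a typo that sshd only rejects at the next restart). The script below is an added example, not code from the original article: it applies the four directives idempotently, validates the file with sshd -t, opens the port on iptables and labels it for SELinux before reloading. Port 52113 and the directives are the article's; the function names, the backup naming and the --apply switch are this example's own choices. Without arguments it only defines the functions; run it with --apply as root on the CentOS 6 host.

```shell
#!/bin/bash
# Added example (not from the original article): idempotent sshd hardening
# for step 8. Assumed names: set_sshd_option, sshd_option,
# harden_sshd_config, apply_on_host, the --apply switch.

# Set one "Key value" directive in an sshd_config-style file.
# The new line goes at the very top: sshd honours the first value it sees for
# a keyword, and a line prepended here can never land inside a trailing Match
# block (appending to the end could). Every other active or commented
# definition of the keyword is removed, so the file never carries two
# conflicting settings. Review your Match blocks by hand if you rely on them.
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp)
    printf '%s %s\n' "$key" "$value" > "$tmp"
    # GNU sed: the I flag makes the address case-insensitive, like sshd keywords
    sed -E "/^[[:space:]]*#?[[:space:]]*${key}[[:space:]]/Id" "$file" >> "$tmp"
    cat "$tmp" > "$file"    # write in place to keep ownership and mode
    rm -f "$tmp"
}

# First active value of a keyword, the way sshd resolves it (empty if unset).
sshd_option() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# The article's four directives, applied to the given file.
harden_sshd_config() {
    local file="$1" port="${2:-52113}"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PermitEmptyPasswords no
    set_sshd_option "$file" UseDNS no
}

apply_on_host() {
    local cfg=/etc/ssh/sshd_config port="${1:-52113}" bak
    bak="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$cfg" "$bak"
    harden_sshd_config "$cfg" "$port"
    # never reload an unvalidated config: sshd keeps running on the old
    # settings now, but the next restart or reboot fails and locks you out
    if ! /usr/sbin/sshd -t -f "$cfg"; then
        echo "sshd_config failed validation, restoring $bak" >&2
        cat "$bak" > "$cfg"
        return 1
    fi
    # open the port on the host firewall first; /etc/init.d/iptables save persists it
    if command -v iptables >/dev/null &&
       ! iptables -L INPUT -n 2>/dev/null | grep -qw "dpt:$port"; then
        iptables -I INPUT -p tcp --dport "$port" -j ACCEPT
    fi
    # with SELinux enforcing, sshd may only bind ports labelled ssh_port_t
    # (semanage comes from policycoreutils-python on CentOS 6)
    if [ "$(getenforce 2>/dev/null)" = Enforcing ] && command -v semanage >/dev/null; then
        semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null ||
            semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    service sshd reload
    # keep this session open and log in again on the new port before trusting it
    netstat -lnt | grep ":$port "
}

case "${1:-}" in
    --apply) apply_on_host "${2:-52113}" ;;
esac
```

Usage: sh harden-sshd.sh --apply 52113. The functions take the file path as a parameter so you can try them on a copy of sshd_config first, and sshd_option lets you confirm the effective value (the first active one, which is what sshd uses) rather than trusting a grep.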
9. Lock the critical account files (so unauthorized users cannot change permissions)
chattr +i /etc/passwd
chattr +i /etc/inittab
chattr +i /etc/group
chattr +i /etc/shadow
chattr +i /etc/gshadow
Caveats: the immutable bit stops useradd, userdel, usermod and passwd from working (including step 16 below and any package update that adds a service account), so remove it with chattr -i before an account change and put it back afterwards. It is a speed bump, not a control: root, or any process with CAP_LINUX_IMMUTABLE, can clear it. Verify with lsattr /etc/passwd.
10. Trim the services started at boot
Note: on a freshly installed system only four services generally need to stay: crond, network, syslog and sshd (rsyslog on CentOS 6.x, syslog on CentOS 5.x). Add others later according to the business need. If the system locale is Chinese, chkconfig prints the state in Chinese, so either run it with LANG=en or replace 3:on with the localized form (3:启用) in the greps below.

# turn off every service enabled at runlevel 3
for sun in $(chkconfig --list | grep 3:on | awk '{print $1}'); do chkconfig --level 3 $sun off; done
# or, under a Chinese locale
for sun in $(chkconfig --list | grep 3:启用 | awk '{print $1}'); do chkconfig --level 3 $sun off; done
# turn the needed ones back on
for sun in crond rsyslog sshd network; do chkconfig --level 3 $sun on; done
# or, if a firewall is needed, also enable iptables and ip6tables
for sun in crond rsyslog sshd network iptables ip6tables; do chkconfig --level 3 $sun on; done

Check which services are now enabled: chkconfig --list | grep 3:on (or chkconfig --list | grep 3:启用)
[bingoku@c65mini ~]$ chkconfig --list | grep 3:on
crond      0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables  0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables   0:off 1:off 2:on 3:on 4:on 5:on 6:off
network    0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog    0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd       0:off 1:off 2:on 3:on 4:on 5:on 6:off
Caveats: this only changes runlevel 3; use --level 2345 if the machine may boot into another runlevel. Keep auditd if you want a local audit trail. Disabling iptables at boot means the server starts with no host firewall at all.
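The one-liner in this step has two faults that make it fail quietly: awk '{print $1}' is fine, but the grep for "3:on" matches nothing under a non-English locale, so the loop disables nothing, and a plain grep also matches any line that merely contains the text. The script below is an added example, not code from the original article: it parses chkconfig --list by column and forces the C locale. The keep list is the article's (crond, network, rsyslog, sshd, iptables, ip6tables); KEEP, the function names and the --apply switch are this example's own choices. Without arguments it only defines the functions.

```shell
#!/bin/bash
# Added example (not from the original article): locale-proof service trimming
# for step 10. Assumed names: KEEP, services_to_disable, trim_services_on_host.

KEEP="crond network rsyslog sshd iptables ip6tables"

# Read "chkconfig --list" output on stdin; print each SysV service that is on
# at runlevel 3 and not in the keep list. Field 5 is the runlevel-3 column
# ("3:on"), so a service name containing "on" cannot confuse it. The indented
# "name: on|off" lines under "xinetd based services:" have no runlevel
# columns and are skipped by the field-count test.
services_to_disable() {
    awk -v keep=" $1 " '
        NF >= 8 && $5 == "3:on" && index(keep, " " $1 " ") == 0 { print $1 }'
}

trim_services_on_host() {
    local svc
    # LC_ALL=C makes chkconfig print "3:on" regardless of the system locale
    for svc in $(LC_ALL=C chkconfig --list | services_to_disable "$KEEP"); do
        chkconfig --level 3 "$svc" off
    done
    for svc in $KEEP; do
        chkconfig --level 3 "$svc" on
    done
    # what survives at runlevel 3
    LC_ALL=C chkconfig --list | awk 'NF >= 8 && $5 == "3:on" { print $1 }'
}

case "${1:-}" in --apply) trim_services_on_host ;; esac
```

Usage: sh trim-services.sh --apply, or pipe a saved chkconfig listing into services_to_disable to preview what would be switched off before touching anything.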
11. Raise the file descriptor limit
# view the current limit
ulimit -n
Method 1 (these are the default settings on Alibaba Cloud hosts):
vi /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
* soft nproc  65535
* hard nproc  65535
Method 2: echo '* - nofile 65535' >> /etc/security/limits.conf
Method 3: add the ulimit command to /etc/rc.local so it is applied on every boot:
cat >> /etc/rc.local <<EOF
# open files
ulimit -HSn 65535
# stack size
ulimit -s 65535
EOF
Method 4: without editing the limits file, for immediate effect only (lost at reboot): ulimit -HSn 65535
Caveats: on CentOS 6 /etc/security/limits.d/90-nproc.conf sets "* soft nproc 1024" and is read after limits.conf, so an nproc value in limits.conf is overridden unless you change that file too. A wildcard entry does not apply to root; add explicit root lines if root's daemons need the higher limit. limits.conf only applies to sessions that go through PAM; a ulimit in rc.local only affects what rc.local itself starts, and a service started by init inherits neither, so a daemon that needs more descriptors must set the limit in its own init script.
12. Set the system character set
Method 1: vi /etc/sysconfig/i18n
For Chinese messages: LANG="zh_CN.UTF-8"; for English messages: LANG="en_US.UTF-8". For a temporary switch in the current shell: export LANG=zh_CN.UTF-8
Method 2: replace quickly with sed
# switch to English
sed -i 's#LANG="zh_CN.*"#LANG="en_US.UTF-8"#' /etc/sysconfig/i18n
# switch to Chinese
sed -i 's#LANG="en_US.*"#LANG="zh_CN.UTF-8"#' /etc/sysconfig/i18n
# normalise an existing Chinese setting to UTF-8
sed -i 's#LANG="zh_CN.*"#LANG="zh_CN.UTF-8"#' /etc/sysconfig/i18n
13. Remove the OS and kernel version from the login banner
# view the login information
cat /etc/redhat-release
cat /etc/issue
# clear it
echo > /etc/redhat-release
echo > /etc/issue
Caveats: /etc/issue is only shown on local console logins; SSH clients see /etc/issue.net, and only when sshd_config sets Banner. Emptying /etc/redhat-release breaks scripts and installers that read the release string from it, and the version remains trivially fingerprintable from the SSH server banner and package versions, so treat this as cosmetic rather than a security control.
14. Kernel parameter tuning
vi /etc/sysctl.conf
# suitable for web servers running apache, nginx, squid and the like
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 9270000
net.ipv4.tcp_max_orphans = 3276800
#net.ipv4.tcp_fin_timeout =
#net.ipv4.tcp_keepalive_time =
net.ipv4.ip_local_port_range = 1024 65535
# The parameters below tune the CentOS 6.x iptables connection tracker; if no firewall is used, ignore them.
# On CentOS 5.x replace netfilter.nf_conntrack with ipv4.netfilter.ip_conntrack, and the max key is
# net.ipv4.ip_conntrack_max = 25000000
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait =
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
(The values for tcp_fin_timeout, tcp_keepalive_time and nf_conntrack_tcp_timeout_close_wait did not survive in the article and are left blank above; fill them in or drop the lines before running sysctl -p, since a key without a value is a parse error.)

Caveats on this widely copied list: net.ipv4.tcp_tw_recycle = 1 makes the kernel drop SYNs from clients behind a NAT whose timestamps appear to go backwards, and it only works with tcp_timestamps = 1, which this list disables a few lines earlier, so it is harmful at best and a no-op here; leave it at 0 (the knob was removed in Linux 4.12). tcp_mem is three page counts that must satisfy low <= pressure <= high, and 9270000 is smaller than 915000000, so the thresholds are out of order; the kernel's RAM-derived defaults are usually better than these. tcp_max_syn_backlog helps against SYN floods only together with net.ipv4.tcp_syncookies = 1, which CentOS 6 sets by default; do not remove it. nf_conntrack_max = 25000000 allows the connection table to grow to gigabytes of kernel memory (entries are a few hundred bytes each); size it to the RAM you have, and set the nf_conntrack module's hashsize parameter proportionally, since its default is derived from RAM, not from nf_conntrack_max.

Apply immediately: /sbin/sysctl -p
On CentOS 6.5 this may print:
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
This happens because the bridge module is not loaded automatically:
modprobe bridge
echo "modprobe bridge" >> /etc/rc.local
Check that it is loaded: lsmod | grep bridge

On CentOS 5.x the errors below mean either the firewall is not running or the ip_conntrack module is not loaded automatically. Two fixes: start the firewall, or load the module automatically.
error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key
CentOS 5.x fix:
modprobe ip_conntrack
echo "modprobe ip_conntrack" >> /etc/rc.local

On CentOS 6.x the equivalent errors mean the firewall is not running or nf_conntrack is not loaded automatically; again, either start the firewall or load the module.
error: "net.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_established" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_fin_wait" is an unknown key
CentOS 6.x fix:
modprobe nf_conntrack
echo "modprobe nf_conntrack" >> /etc/rc.local
Note: while writing up this CentOS 6.5 kernel tuning, the author found that if ip6tables is not enabled, the nf_conntrack keys still report the error above even after applying the fix. So when trimming services in step 10, you can choose to leave iptables and ip6tables enabled. If you do not need iptables at all, remove the nf_conntrack settings from the kernel tuning and /sbin/sysctl -p will not complain.
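sysctl -p only tells you about keys the kernel does not expose; it happily loads the tcp_tw_recycle and tcp_mem values criticised above. The script below is an added example, not code from the original article: it lints a sysctl.conf-style file for the problems discussed in this step, and in "kernel" mode also tests each key against /proc/sys, which is exactly the check behind the "unknown key" messages. The function names, the two modes and the --apply switch are this example's own; the thresholds encode the caveats above. Without arguments it only defines the functions.

```shell
#!/bin/bash
# Added example (not from the original article): lint a sysctl list before
# loading it. Assumed names: sysctl_findings, lint_sysctl, apply_on_host,
# the "file"/"kernel" modes and the --apply switch.

# Emit one finding per line for a sysctl.conf-style file.
# mode "file" checks the content only (works anywhere); mode "kernel" also
# tests each key against /proc/sys on the running host, which is what
# "sysctl -p" does before it prints "unknown key".
sysctl_findings() {
    local file="$1" mode="${2:-file}"
    # strip comments and blank lines; a key without a value is its own finding
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$file" |
    awk -v mode="$mode" '
    {
        eq = index($0, "=")
        if (eq == 0) { print "no \"=\" on line: " $0; next }
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+/, "", val)
        if (val == "") print key ": no value (sysctl -p treats this as an error)"
        if (key in seen) print key ": defined twice, the last value wins"
        seen[key] = val

        # tw_recycle needs timestamps and drops SYNs from NAT clients; gone in 4.12
        if (key == "net.ipv4.tcp_tw_recycle" && val + 0 == 1)
            print key ": breaks clients behind NAT and needs tcp_timestamps=1; removed in Linux 4.12, set it to 0"
        # tcp_mem is "low pressure high" in pages and must be non-decreasing
        if (key == "net.ipv4.tcp_mem") {
            n = split(val, m, /[ \t]+/)
            if (n != 3 || m[1] + 0 > m[2] + 0 || m[2] + 0 > m[3] + 0)
                print key ": must be three page counts with low <= pressure <= high, got \"" val "\""
        }
        # conntrack entries cost a few hundred bytes each; 25 million is gigabytes
        if (key ~ /nf_conntrack_max$/ && val + 0 > 4000000)
            print key ": " val " entries at a few hundred bytes each can pin gigabytes of kernel memory"
        if (mode == "kernel") {
            path = "/proc/sys/" key; gsub(/\./, "/", path)
            if (system("test -e " path) != 0)
                print key ": not exposed by the running kernel (module not loaded?); sysctl -p will report an unknown key"
        }
    }'
}

# Print the findings and fail if there are any; a clean file returns 0.
lint_sysctl() {
    local out
    out=$(sysctl_findings "$1" "${2:-file}")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# The article's remedy for the unknown-key errors, then the real load.
apply_on_host() {
    modprobe bridge 2>/dev/null
    modprobe nf_conntrack 2>/dev/null
    if lint_sysctl /etc/sysctl.conf kernel; then
        /sbin/sysctl -p
    else
        echo "fix /etc/sysctl.conf before running sysctl -p" >&2
        return 1
    fi
}

case "${1:-}" in --apply) apply_on_host ;; esac
```

Usage: lint_sysctl /path/to/candidate.conf file on any machine to review a list before it goes near a server, and sh lint-sysctl.sh --apply on the host itself. Keys that exist only after a module is loaded (net.netfilter.*, net.bridge.*) show up as missing in kernel mode until the modprobe lines have run, which is the same dependency the article's rc.local additions address.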
15. If sendmail is installed, clean /var/spool/clientmqueue/ automatically so its files do not exhaust the inodes
# CentOS 6.5 no longer installs sendmail by default, so this step is not needed on a stock install
mkdir -p /server/scripts
vi /server/scripts/spool_clean.sh
#!/bin/sh
find /var/spool/clientmqueue/ -type f -mtime +30 -print0 | xargs -0 rm -f
Schedule the script with cron (see step 4 for the crontab syntax). -print0 and -0 keep file names with spaces or newlines from being split; -mtime +30 removes only files older than 30 days, so a live queue is not emptied.
16. Remove unneeded system users and groups
# remove unneeded users
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel games
userdel gopher
userdel ftp
# remove unneeded groups
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
groupdel pppusers
Caveats: if you did step 9, run chattr -i on /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow first, or every userdel fails. These accounts already have a non-login shell or a locked password, so deleting them mostly reduces clutter; locking instead (usermod -L -s /sbin/nologin name) is the safer choice, because removing adm or lp can break the ownership of files that packages expect. Check which system accounts remain with awk -F: '$3 < 500' /etc/passwd.
17. Disable the Ctrl-Alt-Delete reboot key combination
vi /etc/init/control-alt-delete.conf
# comment out the exec line (exec /sbin/shutdown -r now "Control-Alt-Delete pressed") so the key combination does nothing
upstart picks the change up after initctl reload-configuration, without a reboot. This only matters for someone with physical or console access; it does not stop a logged-in root from rebooting.
18. Set a few global shell variables
# Log out idle shells, so sessions left behind by SSH clients that were closed abnormally do not pile up; use a larger number of seconds if needed
echo "TMOUT=3600" >> /etc/profile
# keep only the last 10 commands in the shell history
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
# apply immediately
source /etc/profile
Caveats: HISTSIZE=10 throws away most of the command trail you would want after an incident. If the concern is secrets ending up in history, remove those entries selectively and keep the rest (HISTTIMEFORMAT="%F %T " adds timestamps), or rely on auditd for command logging. A user can simply unset TMOUT or HISTSIZE in their own shell; declaring them readonly in the profile makes them stick.

The above is a memo of the optimization and configuration of a minimally installed CentOS 6.5 production server; readers who need it can test it themselves. The web environment can be installed on top of it afterwards.