Centos system initialization

Source: Internet
Author: User
Tags: inif, network, function

Common environment variables

Add a working-directory alias to the shell profile:

```bash
# vi .bashrc
alias worksrc='cd /usr/local/src; ls'
```

Make the configuration take effect:

```bash
# source .bashrc
```

Pre-install common server software with yum

```bash
# vim      Linux editor
# wget     tool for downloading files non-interactively; supports HTTP, HTTPS and FTP
# crontab  cron is a resident service that provides a timer: it runs preset commands or programs
#          at specific times, and only the timer configuration file has to be edited to use it
# mlocate  quickly searches for files using a database; run updatedb to refresh the database
# ntp      time synchronization service component
# lrzsz    the sz/rz toolkit used with SecureCRT
yum -y install vim wget gcc make crontabs mlocate ntp lrzsz gcc-c++ autoconf;
#
# sysstat: a package of tools for monitoring system performance and efficiency. They collect
#          performance data such as CPU usage, disk and network throughput; analysing the data
#          helps determine whether the system is running normally and tune it safely.
# dstat:   replaces vmstat, iostat, netstat, nfsstat and ifstat; an all-round, colour system
#          statistics tool
# screen:  similar to nohup; holds multiple local or remote command-line sessions at once and
#          switches between them freely, suitable for running programs from a remote terminal
yum -y install sysstat dstat screen;
#
# top is the usual Linux monitoring program; htop is an enhanced version with colour output
# for the different parameters and mouse support
# install the supporting component (ncurses)
wget http://ftp.gnu.org/pub/gnu/ncurses/ncurses-5.9.tar.gz
tar xvfz ncurses-5.9.tar.gz
cd ncurses-5.9
./configure
make
make install
# install htop; home page: http://sourceforge.net/projects/htop/files/htop/
# -O saves the download under the file name the next tar command expects
wget -O htop-1.0.2.tar.gz http://sourceforge.net/projects/htop/files/htop/1.0.2/htop-1.0.2.tar.gz/download
tar zxvf htop-1.0.2.tar.gz
cd htop-1.0.2
./configure
make
make install
```

Time and time zone settings

View the current time and time zone:

```bash
date -R
```

Synchronize the clock every 10 minutes:

```bash
echo "*/10 * * * * /usr/sbin/ntpdate 61.129.42.44 > /home/ntp.log" > /var/spool/cron/root
service crond restart
/usr/sbin/ntpdate 61.129.42.44
```

Replace the default time zone with Shanghai:

```bash
rm -rf /etc/localtime                                    # delete the current default time zone
ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime   # replace the default time zone with Shanghai
```

Firewall

The firewall is configured with three scripts. iptables.rule sets the most basic rules: it clears the existing firewall rules, loads the modules and opens the acceptable services. iptables.deny blocks access from specific hosts or networks. iptables.allow opens access for specific source hosts or networks that would otherwise be blocked.

```bash
[root@www ~]# mkdir -p /usr/local/iptables
[root@www ~]# cd /usr/local/iptables
[root@www iptables]# vim iptables.rule
#!/bin/bash
# Please fill in the relevant parameters first. Do not enter them incorrectly!
EXTIF="eth0"                # the network interface connected to the public IP
INIF="eth1"                 # the interface of the internal LAN; if there is none, write INIF=""
INNET="192.168.100.0/24"    # if there is no internal network interface, write INNET=""
export EXTIF INIF INNET

# Part 1: firewall settings for the local machine! #########################
# 1. first, set the kernel network functions:
echo "1" > /proc/sys/net/ipv4/tcp_syncookies             # enable SYN cookies against SYN-flood DoS;
                                                         # not suitable for hosts under very high load
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts  # do not respond to broadcast pings
# enable reverse path filtering so packets must match the interface they arrive on,
# and log the problematic (martian) packets
for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
    echo "1" > $i
done
# disable source routing, and disable accepting and sending ICMP redirects
for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,\
send_redirects}; do
    echo "0" > $i
done

# 2. clear the rules, set the default policies and open lo
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH
# clear the existing rules
iptables -F
iptables -X
iptables -Z
# set the default policies
iptables -P INPUT   DROP
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD ACCEPT
# open lo
iptables -A INPUT -i lo -j ACCEPT
# accept packets that belong to an established connection or are related to one we sent
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# 3. run the helper scripts
if [ -f /usr/local/iptables/iptables.deny ]; then
    sh /usr/local/iptables/iptables.deny
fi
if [ -f /usr/local/iptables/iptables.allow ]; then
    sh /usr/local/iptables/iptables.allow
fi
if [ -f /usr/local/httpd-err/iptables.http ]; then
    sh /usr/local/httpd-err/iptables.http
fi

# 4. allow some types of ICMP packets in. ICMP type 8 (echo request) is usually left out so
#    remote hosts cannot tell whether this host exists; pings therefore get no response
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP
do
    iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
done

# 5. allow access to some services. Enable them according to your environment
iptables -A INPUT -p TCP -i $EXTIF --dport  22 --sport 1024:65534 -j ACCEPT    # SSH
iptables -A INPUT -p TCP -i $EXTIF --dport  80 --sport 1024:65534 -j ACCEPT    # WWW
# iptables -A INPUT -p TCP -i $EXTIF --dport  21 --sport 1024:65534 -j ACCEPT  # FTP
# iptables -A INPUT -p TCP -i $EXTIF --dport  25 --sport 1024:65534 -j ACCEPT  # SMTP
# iptables -A INPUT -p UDP -i $EXTIF --dport  53 --sport 1024:65534 -j ACCEPT  # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport  53 --sport 1024:65534 -j ACCEPT  # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport 110 --sport 1024:65534 -j ACCEPT  # POP3
# iptables -A INPUT -p TCP -i $EXTIF --dport 443 --sport 1024:65534 -j ACCEPT  # HTTPS

# Part 2: firewall settings for the backend hosts! ##########################
# 1. load some useful modules
modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc"
for mod in $modules
do
    testmod=`lsmod | grep "^${mod}" | awk '{print $1}'`
    if [ "$testmod" = "" ]; then
        modprobe $mod
    fi
done

# 2. clear the NAT table rules!
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -t nat -P PREROUTING  ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT      ACCEPT

# 3. if an internal interface exists, act as a router and IP sharer (NAT)!
if [ "$INIF" != "" ]; then
    iptables -A INPUT -i $INIF -j ACCEPT
    echo "1" > /proc/sys/net/ipv4/ip_forward
    if [ "$INNET" != "" ]; then
        for innet in $INNET
        do
            iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
        done
    fi
fi
# If MSN cannot connect, or some websites work while others do not, the cause may be
# the MTU; uncomment the next lines to clamp the MSS to the path MTU
# iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss \
#          --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu

# 4. NAT server: forward ports from outside to servers on the internal LAN
# iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 \
#          -j DNAT --to-destination 192.168.1.210:80    # WWW

# 5. special features, such as rules for a Windows remote desktop; assume the desktop
#    host is 1.2.3.4
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --dport 6000 \
#          -j DNAT --to-destination 192.168.100.10
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --sport 3389 \
#          -j DNAT --to-destination 192.168.100.20

# 6. finally, save these rules!
/etc/init.d/iptables save
```

iptables.allow script:

```bash
[root@www iptables]# vim iptables.allow
#!/bin/bash
# allow other networks or hosts to access this machine!
iptables -A INPUT -i $EXTIF -s 140.116.44.0/24 -j ACCEPT
```

iptables.deny script:

```bash
[root@www iptables]# vim iptables.deny
#!/bin/bash
# block a single host IP address or an entire network segment
iptables -A INPUT -i $EXTIF -s 140.116.44.254 -j DROP
```

Script permissions:

```bash
[root@www iptables]# chmod 700 iptables.*
```

Start the firewall at boot:

```bash
[root@www ~]# vim /etc/rc.d/rc.local
# 1. firewall
/usr/local/iptables/iptables.rule
```

Kernel optimization parameters

The kernel parameters depend on the software installed on the server and the functions it provides; they are not static and will change over time. Note that this file sets net.ipv4.ip_forward = 0 while iptables.rule writes 1 to /proc/sys/net/ipv4/ip_forward when INIF is set; because rc.local runs after sysctl.conf is applied at boot, the firewall script's value is the one in effect. Two values are worth reviewing before copying them: tcp_tw_recycle breaks clients behind NAT (and was removed from the kernel in 4.12), and tcp_timestamps = 0 together with tcp_window_scaling = 0 limits TCP throughput on high-latency links.

```bash
mv /etc/sysctl.conf /etc/sysctl.conf.`date +"%Y-%m-%d_%H-%M-%S"`
echo "net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 16384 16777216
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 30
vm.swappiness = 10" > /etc/sysctl.conf
sysctl -p
```

Summary: after the series of configuration steps above, most of the server initialization is complete. Pay special attention to the firewall settings: once the INPUT policy is DROP and the rules are wrong, you may shut yourself out of the machine.
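The firewall section's iptables.rule sets the INPUT policy to DROP before adding its accept rules, which is exactly how the "shut yourself out" situation in the summary happens when the SSH line is missing or commented out. The following pre-flight check is an added example, not code from the original page or its author: it reads an iptables.rule-style script as text (without executing it) and reports whether a remote administrator on a given TCP port would survive applying it. The script paths, the management port and the two sample scripts are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: a pre-flight check for an
# iptables.rule-style script, aimed at the "shut yourself out" failure.
# It reads the script text without executing it. The file paths, the
# management port and the sample scripts below are constructed for this example.

# effective_lines FILE: the script with comments and blank lines removed
effective_lines() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# lint_lockout FILE PORT: returns 0 if the script is safe to apply from a
# remote session on TCP PORT, 1 if it would probably cut that session off.
# Checks: when the INPUT policy is DROP, there must be an ACCEPT for
# --state RELATED,ESTABLISHED (keeps the current session alive) and an
# ACCEPT for --dport PORT (lets you reconnect if the session does drop).
lint_lockout() {
    file="$1"
    port="$2"
    body=$(effective_lines "$file")
    if ! printf '%s\n' "$body" | grep -Eq 'iptables[[:space:]]+-P[[:space:]]+INPUT[[:space:]]+DROP'; then
        echo "OK: INPUT policy is not DROP, no lockout risk from the default policy"
        return 0
    fi
    rc=0
    if ! printf '%s\n' "$body" | grep -Eq 'iptables[[:space:]]+-A[[:space:]]+INPUT.*--state[[:space:]]+RELATED,ESTABLISHED.*-j[[:space:]]+ACCEPT'; then
        echo "RISK: INPUT policy DROP without a RELATED,ESTABLISHED accept rule"
        rc=1
    fi
    if ! printf '%s\n' "$body" | grep -Eq "iptables[[:space:]]+-A[[:space:]]+INPUT.*--dport[[:space:]]+${port}([[:space:]]|$).*-j[[:space:]]+ACCEPT"; then
        echo "RISK: INPUT policy DROP without an ACCEPT for tcp/${port}"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: policy DROP with state rule and tcp/${port} accept present"
    return "$rc"
}

# demo: run the check on two constructed sample scripts (safe and risky)
demo() {
    safe=$(mktemp)
    risky=$(mktemp)
    cat > "$safe" <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i eth0 --dport 22 --sport 1024:65534 -j ACCEPT  # SSH
EOF
    cat > "$risky" <<'EOF'
iptables -P INPUT DROP
# iptables -A INPUT -p TCP -i eth0 --dport 22 --sport 1024:65534 -j ACCEPT  # SSH (commented out!)
iptables -A INPUT -p TCP -i eth0 --dport 80 --sport 1024:65534 -j ACCEPT  # WWW
EOF
    lint_lockout "$safe" 22
    lint_lockout "$risky" 22
    rm -f "$safe" "$risky"
}
demo
```

Run it as `lint_lockout /usr/local/iptables/iptables.rule 22` before invoking the script over SSH; a non-zero exit means fix the rule file first, or at least schedule a fallback such as an `at` job that restores the previous rules in a few minutes.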
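The kernel optimization step above overwrites /etc/sysctl.conf wholesale and then applies it with `sysctl -p`, so a typo or a later edit silently changes the security-relevant keys (rp_filter, accept_source_route, tcp_syncookies, sysrq, ip_forward). The following audit is an added example, not code from the original page or its author: it reads a sysctl.conf-style file, normalises the `key = value` spacing, takes the last definition of each key and compares a list of expected values taken from the page's block. The file path and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a sysctl.conf-style file
# against the hardening values the page's kernel block sets, before running
# `sysctl -p`. The file path and sample contents are constructed for this example;
# the EXPECTED list is a subset of the page's own settings.

# key=value pairs this audit insists on
EXPECTED='net.ipv4.ip_forward=0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.tcp_syncookies=1
kernel.sysrq=0
vm.swappiness=10'

# sysctl_value FILE KEY: prints the last effective value of KEY in FILE
# (comments stripped, "key = value" spacing normalised); empty if absent
sysctl_value() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1" |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# audit_sysctl FILE: prints one OK / MISMATCH / MISSING line per expected key;
# returns 0 only if every key matches (the file is then safe to apply)
audit_sysctl() {
    file="$1"
    rc=0
    while IFS='=' read -r key want; do
        [ -z "$key" ] && continue
        got=$(sysctl_value "$file" "$key")
        if [ -z "$got" ]; then
            echo "MISSING  $key (expected $want)"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key expected=$want got=$got"
            rc=1
        else
            echo "OK       $key=$got"
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# demo: audit a constructed sample with one drifted key (ip_forward) and one
# missing key (kernel.sysrq)
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rmem = 4096 87380 16777216
vm.swappiness = 10
EOF
    audit_sysctl "$sample"
    rm -f "$sample"
}
demo
```

Because `sysctl_value` takes the last definition of a key, the audit mirrors how `sysctl -p` resolves duplicates; extend EXPECTED with the remaining keys from the page's block once you have decided which of them suit the server.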
