Discussion on the optimization and security of Linux operating system _unix Linux

On the internet to see a lot about Linux optimization of good articles, here I do not repeat these articles, I just want to from my own experience to talk about this aspect of the problem.

As a system administrator, I'm talking about Linux based on server applications, because the use of Linux on personal computers may not be as secure and stable as the server, so a friend using a personal computer is only a reference.

The system mentioned in this article, if not specifically stated, uses the Redhat company's Redhat Linux system.

　　 about Optimization

Speaking of optimization, in fact, the best optimization is to upgrade the hardware configuration, such as improve CPU computing power, improve memory capacity, personally think if you consider upgrading hardware, we recommend that the priority to increase the capacity of memory, because the general server application, the use of memory consumption is the highest. Of course, this is a digression.

The first thing we have to discuss here is to optimize your system under the same hardware configuration (the same server without lifting hardware).

As a system administrator, I think, first of all, we have to be clear about the idea that any operation on the server, upgrades and modifications to any configuration file or software, must first consider security, not the newer things the better, which is why Linux management feel and Windows different places, Windows first recommended everyone to use its latest version of software and operating system, in fact, I personally think this is a business behavior, as a system management, this is very bad, the use of new software and systems may bring new problems, some even fatal.

Therefore, as a management, we should consider the stable long-term use of the software version to serve as our version, the specific benefits I will not say more. Believe that as an administrator you should know.

In fact, the most direct optimization of the personal use of Linux is to upgrade the kernel, its own compiled kernel is compiled according to their own system, will get the greatest performance and the smallest kernel.

However, the server is not the same, of course, we also hope that each server is their own manual compilation of the kernel, efficient and sophisticated. But the actual and desire is there is a gap, imagine, if you manage 100来 platform Linux host, and each may be different configuration, that the process of compiling the kernel will be a vast project, and from the actual consideration, the workload is too large to imagine. I don't think you would want to do such a thing. As a result, it is a good choice to use the officially released kernel upgrade package as a personal suggestion.

First of all, we will do a series of upgrades to the newly installed system, including the software and the kernel, which is a very important step, (please see my other article about the upgrade).

After upgrading all the software, the Basic Firewall and configuration are done, we began to optimize the details of the configuration, if you are the old system, then in doing this problem and some of the operation and optimization of your system, be sure to be back up all the data to other media.

　　 1. Virtual Memory Optimization

First look at the use of virtual memory, using the command

# free

View memory usage for the current system.

In general, the physical memory of Linux is almost completely used. This is a very big difference from windows, and its memory management mechanism takes full advantage of the system's memory, not windows, no matter how much memory is going to use some virtual memory. This should be noted.

The default configuration of virtual memory under Linux is by command

#cat/proc/sys/vm/freepages

You can see that the three digits displayed are the current system: Minimum memory blank page, minimum memory blank page, and maximum memory blank.

Note that the principle of using virtual memory here is to use disk swap space if the number of blank pages falls below the maximum blank page setting. When the minimum blank page setting is reached, a memory exchange is used (Note: This is something I have to look at for a specific application, but this does not affect our configuration of the new virtual memory parameters).

Memory is typically allocated in 4k bytes per page. The Minimum Memory blank page setting is twice times the amount of memory in the system; The minimum memory blank page setting is 4 times times the amount of memory; The maximum memory blank page setting is 6 times times the system memory. These values are determined when the system is started.

In general, in configuring the system-allocated virtual memory configuration, I personally think that increasing the maximum memory blank page is a better way to configure, with 1G memory configuration as an example:

The original configuration scale can be modified to:

204840966444

by command

# echo "204840966444" >/proc/sys/vm/freepages

Because the maximum blank page configuration is added, the memory can be used more efficiently.

　　 2. Hard Drive optimization

If you are a SCSI hard drive or an IDE array, you can skip this section, which describes the parameter tuning only for servers using the IDE hard disk.

We set up the IDE hard drive through the Hdparm program,

Using DMA and 32-bit transports can significantly improve system performance. The following commands are used:

#/sbin/hdparm-c 1/dev/hda

This command designates the PCI bus for the first IDE hard disk as 32-bit,

Use the-C 0 parameter to disable 32-bit transmission.

Using DMA on your hard disk, use the command:

#/sbin/hdparm-d 1/dev/hda

Turning off DMA can use the parameters of-D 0.

After the change is complete, you can use Hdparm to check the modified results and use the command:

#/sbin/hdparm-t/dev/had

To ensure that the results of the settings are the same, use the command:

#/sbin/hdparm-k 1/dev/hda

Some common other parameter functions of the Hdparm command

-G shows the magnetic track, head, magnetic area and other parameters of the hard disk.

-I displays hardware specification information for the hard drive, which is provided by the hard disk itself at boot time.

-I directly read the hardware specification information provided by the hard disk.

-P Sets the hard drive's PIO mode.

The-TT evaluates the read efficiency of the hard drive and the read efficiency of the hard drive cache.

-u<0 or 1> allow other interrupt requests to be executed simultaneously when hard disk access.

-V displays related settings for the hard drive.

　　 3, other optimization

Turn off unwanted services, about the system to start the service automatically, there are a lot of information on the Internet, I will not repeat the above;

　　 about Security

　　 1. Security check

As a system administrator, it is important to have regular security checks on the system, and recently met some friends who wrote that some inexplicable problems have arisen, such as the biggest problem is the apparent sense of slow network service, which is most likely the phenomenon of attack. Practice has proved that, regardless of that system, the default installation is not safe, in fact, no matter what you use Windows, LINUX,BSD or other systems, the default installation has a lot of loopholes, that how to become a safe system, which is what our system managers need to do. Configure configuration and reconfigure. Any system, as long as the careful configuration, through the known vulnerabilities, it can be said that the system is safe, in fact, not many friends said, installed the system, configured the firewall, installed anti-virus software, then it is safe, in fact, if the system does not make any security settings, it is tantamount to hackers open a piece of paper to do the door, It will take 10 minutes to complete control!

This is not appalling.

As a Linux system, there are also many vulnerabilities, black may use these vulnerabilities to control your entire system, to prevent these problems, we need to do the following steps:

1, upgrade the latest version of all software packages in the system;

2, the establishment of a stronger firewall;

3, regularly check the key record files, configure anti-virus software

4, more concerned about the release of Security information Warning website, master Some of the latest virus and hacker program characteristics, these are conducive to the normal operation of the system.

This article is mainly based on optimization, in order to tie in with this theme, the security part we only discuss the day-to-day maintenance work.

In addition to the 4 listed above which are required by the administrator, it is important to maintain the details of some Linux systems.

　　 include:

1, the Configuration Log Rotation tool, regular download backup log, is a very good habit, so not only can reduce the consumption of disk space, improve system efficiency, more timely detection of problems, Linux under some very good System Log analyzer, can directly extract the special items in the log, save the trouble of reading log;

2, using the command lsof? Ci, netstat? Ca, PS? CE, such as orders, regular inspection system service port monitoring, etc., you can also make a regular execution of the script, these commands are regularly executed after the mail to the mailbox;

3, regularly check the root of the history list, last list, VIPW user list is normal;

4, regular backup files, with the tar command can be a good backup, of course, need to download these backups and transfer media;

If you find any special situation or port, then you should pay enough attention to it.

　　The above is my Linux system security and optimization of some simple understanding, I hope everyone can safely and efficiently use Linux for your work and life to bring convenience.