Linux Server Basic optimization


1. Do not administer the server as root; work as an ordinary user and obtain privileges through sudo authorization.

2. Change the default port of the SSH service, prohibit remote login as root, and listen only on the internal network address.
# vim /etc/ssh/sshd_config
## Listening port; valid range is 0-65535, preferably a port greater than 1024
Port 51898
## Listening address; to be on the safe side, listen only on the internal network
ListenAddress 192.168.1.128
## Protocol version to use
Protocol 2
## Forbid logging in with an empty password (forbidden by default)
PermitEmptyPasswords no
## Disable reverse DNS lookups
UseDNS no
## Forbid remote login as root
PermitRootLogin no
## Speeds up SSH login
GSSAPIAuthentication no
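
Added example, not part of the original article: a POSIX shell check that reads an sshd_config and reports whether the step 2 settings are actually in effect. The function names and the sample configuration are constructed for illustration.

```shell
# Added example: audit an sshd_config against the step 2 settings.

# Print the global value of keyword $2 in file $1, lowercased. sshd keywords
# are case-insensitive and the first occurrence wins; Port and ListenAddress
# may repeat, so a non-empty $3 prints every occurrence instead.
sshd_value() {
    awk -v want="$2" -v all="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comment or blank line
        tolower($1) == "match"   { exit }   # global section ends at Match
        tolower($1) == tolower(want) { print tolower($2); if (!all) exit }
    ' "$1"
}

report() {  # report OK|FAIL "message"; counts failures in $fails
    echo "$1: $2"
    [ "$1" = OK ] || fails=$((fails + 1))
}

# Audit file $1: prints findings and "failures=N", returns 1 if N > 0.
sshd_audit() {
    fails=0
    ports=$(sshd_value "$1" Port all | tr '\n' ' '); ports=${ports% }
    addrs=$(sshd_value "$1" ListenAddress all | tr '\n' ' '); addrs=${addrs% }
    root=$(sshd_value "$1" PermitRootLogin)
    empty=$(sshd_value "$1" PermitEmptyPasswords)
    proto=$(sshd_value "$1" Protocol)
    case " ${ports:-22} " in
        *" 22 "*) report FAIL "sshd listens on the default port 22" ;;
        *) report OK "Port $ports" ;;
    esac
    case " ${addrs:-unset} " in
        *" unset "*|*" 0.0.0.0"*|*" :: "*|*" [::]"*)
            report FAIL "ListenAddress ${addrs:-unset} covers every interface" ;;
        *) report OK "ListenAddress $addrs" ;;
    esac
    if [ "$root" = no ]; then report OK "PermitRootLogin no"
    else report FAIL "PermitRootLogin is ${root:-unset}, want no"; fi
    if [ "${empty:-no}" = no ]; then report OK "PermitEmptyPasswords no"
    else report FAIL "PermitEmptyPasswords is $empty, want no"; fi
    if [ "$proto" = 2 ]; then report OK "Protocol 2"
    else report FAIL "Protocol is ${proto:-unset}, want 2"; fi
    echo "failures=$fails"
    [ "$fails" -eq 0 ]
}

# Constructed weak config: no Port/ListenAddress; the first PermitRootLogin wins.
sample_weak_config() {
    printf '%s\n' 'Protocol 2' 'permitrootlogin yes' 'PermitRootLogin no'
}
```

Run it as `sshd_audit /etc/ssh/sshd_config`. For the constructed sample it reports three failures, including the first `permitrootlogin yes` line overriding the later `no`.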

3. Synchronize the clock with a time server automatically on a schedule, so that the system time stays in step with Internet time.
# ntpdate time.nist.gov

4. Configure the yum repository so that packages are downloaded from a domestic mirror.
# mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak  ## keep a backup of the original file
# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
# yum makecache

5. Disable SELinux.
# setenforce 0  ## takes effect temporarily
# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config  ## permanently disabled

6. Raise the file descriptor limit; every process and every open file consumes file descriptors.
# ulimit -n  ## system default is 1024
1024

# ulimit -SHn 65535  ## temporary setting
# ulimit -n  ## in effect for the current shell
65535

# vim /etc/security/limits.conf  ## permanent setting
* soft nofile 65535
* hard nofile 65535

7. Periodically clean up junk files in the mail directory to prevent the inodes from being used up.

8. Trim the services started at boot and keep only the necessary ones, such as crond, sshd, rsyslog, iptables, network and sysstat.
Method One:
# for name in `chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev "sshd|crond|iptables|network|rsyslog|sysstat"`; do chkconfig $name off; done

Method Two:
# chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev "sshd|crond|iptables|network|rsyslog|sysstat" | sed -r 's#(.*)#chkconfig \1 off#g' | bash

Method Three:
# chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev "crond|iptables|network|rsyslog|sshd|sysstat" | awk '{print "chkconfig " $1 " off"}' | bash

9. Linux kernel parameter optimization.

# vim /etc/sysctl.conf
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
# sysctl -p  ## takes effect immediately
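
Added example, not part of the original article: a shell function that compares a sysctl.conf with the values the kernel exposes and flags keys that do not exist, which is what `sysctl -p` reports as an unknown key. The function names, the sample file and the sample tree are constructed; on a real host the second argument defaults to /proc/sys.

```shell
# Added example: compare a sysctl.conf with a sysctl tree.

# $1 = conf file, $2 = tree root (default /proc/sys). Prints per key:
#   OK key | DRIFT key want='..' have='..' | UNKNOWN key
# Assumes key names without dots inside an interface name.
sysctl_drift() {
    root=${2:-/proc/sys}
    grep -Ev '^[[:space:]]*([#;]|$)' "$1" | while IFS='=' read -r key want; do
        key=$(echo $key)      # unquoted on purpose: trims blanks
        want=$(echo $want)    # and collapses blanks in multi-value settings
        path=$root/$(echo "$key" | tr . /)   # net.ipv4.x -> net/ipv4/x
        if [ ! -e "$path" ]; then
            echo "UNKNOWN $key"
            continue
        fi
        have=$(echo $(cat "$path"))          # the kernel separates with tabs
        if [ "$have" = "$want" ]; then echo "OK $key"
        else echo "DRIFT $key want='$want' have='$have'"; fi
    done
}

# Constructed sample: four keys from step 9 ...
sample_conf() {
    printf '%s\n' '# constructed sample' \
        'net.ipv4.tcp_syncookies = 1' \
        'net.ipv4.tcp_fin_timeout = 2' \
        'net.ipv4.tcp_wmem = 8192 131072 16777216' \
        'net.ipv4.ip_conntrack_max = 65536'
}
# ... and a tree where two match, one differs and one does not exist.
sample_tree() {   # $1 = directory to populate
    mkdir -p "$1/net/ipv4"
    echo 1  > "$1/net/ipv4/tcp_syncookies"
    echo 60 > "$1/net/ipv4/tcp_fin_timeout"
    printf '8192\t131072\t16777216\n' > "$1/net/ipv4/tcp_wmem"
}

demo() {
    d=$(mktemp -d)
    sample_conf > "$d/sysctl.conf"
    sample_tree "$d/tree"
    sysctl_drift "$d/sysctl.conf" "$d/tree"
    rm -rf "$d"
}
demo
```

On kernels 4.12 and later `net.ipv4.tcp_tw_recycle` no longer exists and shows up as UNKNOWN. The `ip_conntrack` keys are likewise absent on kernels where connection tracking is provided by `nf_conntrack`.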


10. Change the character set to support Chinese; however, using the English character set is recommended, to prevent garbled text.
Server side:
# export LANG=zh_CN.UTF-8  ## takes effect temporarily
# sed -i 's#en_US.UTF-8#zh_CN.UTF-8#g' /etc/sysconfig/i18n  ## permanent
# source /etc/sysconfig/i18n  ## takes effect without a reboot

Client:
Session Options -> Appearance -> Character encoding: select UTF-8


11. Lock the key system files, such as /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow.
# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
# lsattr /etc/passwd  ## view the file attributes
----i--------e- /etc/passwd
# lsattr /etc/shadow
----i--------e- /etc/shadow
# lsattr /etc/group
----i--------e- /etc/group
# lsattr /etc/gshadow
----i--------e- /etc/gshadow

12. Empty /etc/issue and /etc/issue.net to remove the system and kernel version information shown at login.
# > /etc/issue.net
# echo "This server for test" > /etc/motd

Last Login:mon-05:04:13 from 192.168.1.104
This server for test
#

13. Remove redundant system virtual accounts.

14. Set a password for the GRUB menu.
# /sbin/grub-md5-crypt
Password:  ## the password is Axbc1kof
Retype password:
$1$5yv9p$tu.Bckbxwer.rvc/kvkfh1
# vim /boot/grub/grub.conf
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
password --md5 $1$5yv9p$tu.Bckbxwer.rvc/kvkfh1
hiddenmenu
title CentOS (2.6.32-358.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=UUID=fc5604d8-4d18-43d1-9df2-b6dfecbbb267 rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us rd_NO_MD crashkernel=auto LANG=zh_CN.UTF-8 rd_NO_LVM rd_NO_DM rhgb quiet
        initrd /initramfs-2.6.32-358.el6.x86_64.img

15. Prevent the server from answering ping.
# echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf  ## modify the kernel parameter
# sysctl -p  ## takes effect immediately
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.icmp_echo_ignore_all = 1


This article is from the "so-called fate of different choices" blog, please be sure to keep this source http://dongshi.blog.51cto.com/5145353/1718510
