Original link: http://os.51cto.com/art/201312/423095.htm
Description: often play Linux system friends know some of the system parameter optimization and how to enhance the system security, the system default parameters are more conservative, so we can adjust the system parameters to improve the system memory, CPU, kernel resource occupancy, By disabling unnecessary services, ports, to improve the security of the system, to better play the system's availability. Through their own understanding of Linux, the system tuning has done the following summary:
Operating System: CentOS 6.5_x64 Minimized installation
1. Host name setting
[Email protected]~]# vi/etc/sysconfig/network HOSTNAME=test.com [[email protected]~]# HOSTNAME test.com
2. Turn off SELinux
I'm setting SELinux to permissive.
[email protected]~]# vi/etc/selinux/config selinux=disabled [[email protected]~]# Setenforce # Temporary entry into force [[email protected]
3. Clear the firewall and set the rules
This as a reference, close the unused ports can be
[Email protected]~]# iptables-F #清楚防火墙规则 [[email protected]~]# Iptables-L #查看防火墙规则 [[email protected]~]# iptables-a input-p TCP--dport the-J ACCEPT [[email protected]~]# iptables-a input-p TCP--dport A-J ACCEPT [[email protected]~]# iptables-a input-p TCP--dport --J ACCEPT [[email protected]~]# iptables-a input-p UDP--dport --J ACCEPT [[email protected]~]# iptables-a input-p UDP--dport123-J ACCEPT [[email protected]~]# iptables-a input-p ICMP-J ACCEPT [[email protected]~]# Iptables-P INPUT DROP [[email protected]~]#/etc/init.d/iptables Save
4, add ordinary users and sudo authorization management
[Email protected]~]# useradd User [[email protected]"123456" | passwd--stdin user #设置密码 [[email protected]~]# vi/etc/sudoers #或visudo打开, add user user all rights root all =(all) the user all = (All)
5. Disable root Telnet
[Email protected]~]# vi/etc/ssh/sshd_config permitrootlogin
6. Turn off unnecessary boot service
7. Remove unnecessary system users
8. Turn off restart Ctl-alt-delete key combination
[Email protected] ~]# vi/etc/init/control-alt-"control-alt-deletepressed"
9. Adjust file descriptor size
[Email protected] ~1024x768"ulimit-shn 102400">> /etc/rc.local
10. Removal of system-related information
- [[email protected] ~]# echo "Welcome to Server" >/etc/issue
- [[email protected] ~]# echo "Welcome to Server" >/etc/redhat-release
11. Revise History record
- [Email protected] ~]# Vi/etc/profile #修改记录10个
- Histsize=Ten
12. Synchronization system Time
- [Email protected] ~]# Cp/usr/share/zoneinfo/asia/shanghai/etc/localtime #设置Shanghai时区
- [Email protected] ~]# ntpdate cn.pool.ntp.org; hwclock–w #同步时间并写入blos硬件时间
- [Email protected] ~]# crontab–e #设置任务计划每天零点同步一次
- 0 * * * */usr/sbin/ntpdate cn.pool.ntp.org; Hwclock-w
13. Kernel parameter Optimization
[Email protected] ~]# vi/etc/sysctl.conf #末尾添加如下参数 net.ipv4.tcp_syncookies=1#1是开启SYN Cookies, when there is a SYN wait queue overflow, enable Cookies to be in place, to prevent a small number of SYN attacks, the default is 0 off Net.ipv4.tcp_tw_reuse=1#1是开启重用, allow time_ait sockets to be re-used for new TCP connections, which by default is 0 off net.ipv4.tcp_tw_recycle=1#TCP失败重传次数, the default is 15, reducing the number of times you can release kernel resources Net.ipv4.ip_local_port_range=4096 65000#应用程序可使用的端口范围 net.ipv4.tcp_max_tw_buckets= the#系统同时保持TIME_WAIT套接字的最大数量, if this number is exceeded, the Time_wati socket is immediately cleared and the warning message is printed, and the default 180000 net.ipv4.tcp_max_syn_backlog=4096#进入SYN宝的最大请求队列, the default is 1024x768 Net.core.netdev_max_backlog=10240#允许送到队列的数据包最大设备队列, default Net.core.somaxconn=2048#listen挂起请求的最大数量, default Net.core.wmem_default=8388608#发送缓存区大小的缺省值 Net.core.rmem_default=8388608#接受套接字缓冲区大小的缺省值 (in bytes) Net.core.rmem_max=16777216#最大接收缓冲区大小的最大值 Net.core.wmem_max=16777216#发送缓冲区大小的最大值 net.ipv4.tcp_synack_retries=2#SYN-ACK Handshake State Retry count, default 5 net.ipv4.tcp_syn_retries=2#向外SYN握手重试次数, default 4 net.ipv4.tcp_tw_recycle=1#开启TCP连接中TIME_WAIT Sockets Fast Recovery, default is 0 off Net.ipv4.tcp_max_orphans=3276800#系统中最多有多少个TCP套接字不被关联到任何一个用户文件句柄上, if this number is exceeded, the orphan connection will immediately reset and print the warning message net.ipv4.tcp_mem=94500000 915000000 927000000net.ipv4.tcp_mem[0]: Below this value, TCP has no memory pressure; net.ipv4.tcp_mem[1]: Under this value, enter the memory pressure stage; net.ipv4.tcp_mem[2]: Above this value, TCP refuses to allocate the socket. The memory unit is the page, can adjust according to the physical memory size, if the memory is large enough, it can be raised appropriately. The above memory units are pages, not bytes.
At this point, the CentOS 6.5_x64 minimized installation system has been optimized and the system needs to be restarted.
Go CentOS 6.5 Security Hardening and performance optimization