Linux Basic optimization

Source: Internet
Author: User
Tags: i18n, system log, rsyslog

How do you do basic optimization after installing a Linux system? This article covers:

1. Yum source
2. SELinux
3. Closing the firewall
4. Streamlining boot-time services
5. Using sudo to manage files
6. Chinese character set display
7. Time server synchronization
8-9. SSH remote connection
10. History file count
11. Adjusting the number of Linux file descriptors
12. Kernel optimization
13. Tuning the kernel parameter file
14. Hiding the Linux version number
15. Locking system files
16. Prohibiting the Linux system from being pinged
17. Scheduled cleanup of junk files in the mail service temp directory
18. The minimization principle of Linux operations and maintenance
1. Yum source

A simple understanding of the Yum source: a Yum source is a software collection. You only need to search for and install the software you want, and it resolves most of the software dependencies for you.

Local sources, such as CDs, usually come with some software and can be used as a local source to install it.

Network sources, such as the Aliyun mirror site, are reached over the Internet, from which the software can be downloaded and installed. The Yum source is usually changed to a network source because it carries far more software than a local source.

Change the Yum source (replace the placeholder with the repo file URL published by the mirror site):

    mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
    wget -O /etc/yum.repos.d/CentOS-Base.repo <URL of the mirror's CentOS repo file>
2. SELinux

SELinux is a functional security tool whose control is too strict; the production environment does not use it and relies on other security measures instead.

The main value of SELinux to Linux is that it provides a flexible, configurable MAC mechanism. Security-Enhanced Linux (SELinux) consists of two parts:

1) the kernel SELinux module (/kernel/security/selinux)
2) the user configuration tools

SELinux is a security subsystem integrated into Linux kernel 2.6.x through the LSM (Linux Security Modules) framework. It provides a flexible mandatory access control (MAC) system embedded in the Linux kernel.

SELinux defines the access and transition permissions for every user, process, application and file in the system, and then uses a security policy to control the interaction between these entities (users, processes, applications and files); the security policy specifies how strictly or loosely to check. SELinux is transparent to system users; only system administrators need to consider how to develop strict policies for their servers. The policy can be strict or loose as needed.

Turning SELinux off:

1) Edit the config file with vi /etc/selinux/config
2) Or do it with a sed command:

    [root@host ~]# cp /etc/selinux/config /etc/selinux/config.ori    #--- back up before editing
    [root@host ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
    [root@host ~]# grep SELINUX=disabled /etc/selinux/config
    SELINUX=disabled    #--- result of the modification

3) Temporary shutdown:

    [root@host ~]# setenforce 0
    [root@host ~]# getenforce
    Permissive    (takes effect immediately, until the next reboot)

4) Compare the modified file with the backup (vimdiff also works):

    [root@host ~]# diff /etc/selinux/config.ori /etc/selinux/config
    7c7
    < SELINUX=enforcing
    ---
    > SELINUX=disabled

SELINUX=disabled in the file takes effect permanently once the system is rebooted.
3. Closing the firewall

View the firewall rules:

    [root@host ~]# iptables -L -n

Stop the firewall:

    [root@host ~]# /etc/init.d/iptables stop
    iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
    iptables: Flushing firewall rules:                         [  OK  ]
    iptables: Unloading modules:                               [  OK  ]

View the firewall status:

    [root@host ~]# /etc/init.d/iptables status
    Table: filter
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination
    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination
    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination
4. Streamlining boot-time services

Why trim the services that start at boot?

1. It saves boot time and speeds up startup.
2. It saves resource overhead.
3. It reduces security risks.

Services that need to stay enabled at boot:

sshd: remote connection to the Linux server.
rsyslog: a mechanism provided by the operating system; system daemons typically use rsyslog to write all kinds of information to the system log files.
network: activates and shuts down each network interface.
crond: a task scheduler for periodic system and user jobs (a scheduled task service that periodically handles recurring work).
sysstat: a package, a set of tools for monitoring system performance and efficiency. The main tools it integrates are: iostat, which reports CPU utilization and hard disk throughput; mpstat, which reports data for a single processor or for several; and sar, which collects, reports and stores system activity information.

Ways to implement the trimmed boot set:

1. Through setup.
2. Through ntsysv.
3. Through chkconfig, using any one of the following:

    [root@host ~]# chkconfig | egrep -v "crond|sshd|network|rsyslog|sysstat" | awk '{print "chkconfig",$1,"off"}' | bash
    [root@host ~]# chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev 'sshd|network|rsyslog|crond|sysstat' | sed -r 's#(.*)#chkconfig \1 off#g' | bash
    [root@host ~]# for name in `chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev 'sshd|network|rsyslog|crond|sysstat'`; do chkconfig $name off; done
    [root@host ~]# chkconfig --list | grep 3:on
5. Using sudo to manage files

Description: adding a command path for an ordinary user in the sudoers file (edited with visudo) allows that command to be run with sudo from the ordinary user's environment.

    [root@host ~]# useradd oldboy
    [root@host ~]# echo 123456 | passwd --stdin oldboy
    [root@host ~]# \cp /etc/sudoers /etc/sudoers.ori
    [root@host ~]# echo "oldboy  ALL=(ALL)  NOPASSWD:ALL" >> /etc/sudoers
    [root@host ~]# tail -1 /etc/sudoers
    [root@host ~]# visudo -c

The sudoers entries then look like this (the last line labels the fields; a single command such as /bin/ls can be given instead of ALL):

    root     ALL=(ALL)       ALL
    oldboy   ALL=(ALL)       NOPASSWD:ALL
    user     hosts           (run-as users)  commands, e.g. /bin/ls

Note: sudo cannot be used for shell built-in commands.
6. Chinese character set display

A character set is a set of text symbols and their encodings: GBK, UTF-8 (widely used by enterprises).

Adjust the server-side character set. The character set file is /etc/sysconfig/i18n:

    [root@host /]# cat /etc/sysconfig/i18n
    LANG="en_US.UTF-8"    #--- English character set
    SYSFONT="latarcyrheb-sun16"
    [root@host /]# cp /etc/sysconfig/i18n /etc/sysconfig/i18n.ori    #--- back up before modifying

Use sed to change the character set in the file to Chinese:

    [root@host /]# sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.UTF-8"#g' /etc/sysconfig/i18n
    [root@host /]# cat /etc/sysconfig/i18n
    LANG="zh_CN.UTF-8"
    SYSFONT="latarcyrheb-sun16"
    [root@host /]# source /etc/sysconfig/i18n    #--- make the modified file take effect
    [root@host /]# echo $LANG
    zh_CN.UTF-8
7. Time server synchronization

    [root@host /]# /usr/sbin/ntpdate time.nist.gov    #--- sync the time from the Internet
    [root@host /]# date -s "2015/10/3 9:34"            #--- date -s sets the date and time
    Sat Oct  3 09:34:00 CST 2015
    [root@host /]# ntpdate time.nist.gov               #--- set the date and time via NTP
     3 Oct 09:35:21 ntpdate[28135]: adjust time server 132.163.4.103 offset 0.286494 sec
    [root@host /]# date                                #--- date shows the current time
    Sat Oct  3 09:48:46 CST 2015
    [root@host /]# hwclock                             #--- hwclock queries and sets the hardware clock
    Sat 03 Oct 2015 08:59:12 AM CST  -0.737654 seconds

crond: a scheduled task that synchronizes every 5 minutes:

    [root@host /]# echo "*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1" >> /var/spool/cron/root
    [root@host /]# crontab -l    #--- the schedule is in effect
    */5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1

Or, with a comment line recording who added the job and when:

    echo '#time sync by oldboy at 2010-2-1' >> /var/spool/cron/root
    echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >> /var/spool/cron/root
    crontab -l
8. SSH remote connection security

1. Command-line security:

    echo 'export TMOUT=300' >> /etc/profile
    echo 'export HISTSIZE=5' >> /etc/profile
    echo 'export HISTFILESIZE=5' >> /etc/profile
    tail -3 /etc/profile
    . /etc/profile

2. Resolving the connection-disconnect problem (TMOUT=300 is what logs an idle session out after 300 seconds): open the file with vim /etc/profile, press Shift+G to jump to the end, and comment out the last three lines:

    #export TMOUT=300
    #export HISTSIZE=5
    #export HISTFILESIZE=5
9. Optimizing the slow SSH remote connection problem

Solution for slow connections. With sed, inserting the settings before line <N> of sshd_config (<N> is a placeholder for the line number):

    sed -i '<N>i Port 52113\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\nGSSAPIAuthentication no\n#ListenAddress 10.0.0.61' /etc/ssh/sshd_config

Or with vim /etc/ssh/sshd_config: at line 81 (81gg) change the value to no, and at line 122 (122gg) change the value to no.

Restart to take effect:

    /etc/init.d/sshd restart

Or reload, a "smooth restart" that does not affect connected users:

    /etc/init.d/sshd reload

For the solution to the slow SSH remote connection service on Linux, see Old Boy's blog: http://oldboy.blog.51cto.com/2561410/1300964
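Before reloading sshd it is worth verifying that the settings above actually took effect, since sshd honours only the first uncommented occurrence of a keyword and silently falls back to its compiled-in default when a keyword is left commented out. The audit below is an added example, not code from the original post; it works on the text of an sshd_config and the two sample configs in it are constructed for the demo.

```shell
# Added example (not from the original post): audit an sshd_config text for
# the settings section 9 applies. It follows sshd's own rules: keywords are
# case-insensitive, comment lines are ignored, and the FIRST uncommented
# occurrence of a keyword is the one that takes effect.

# Print the effective value of keyword $2 in config text $1 ("" if unset).
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        tolower($1) == key { print $2; exit }   # first match wins
    '
}

# Check the values section 9 sets; print each deviation, return their count.
# A keyword that is only present commented out is reported as well: sshd then
# falls back to its compiled-in default, which is not what the hardening wants.
audit_sshd_config() {
    cfg=$1; bad=0
    for pair in PermitRootLogin=no PermitEmptyPasswords=no UseDNS=no GSSAPIAuthentication=no; do
        key=${pair%=*}; want=${pair#*=}
        got=$(sshd_effective "$cfg" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            printf 'DEVIATION %s: effective="%s" wanted="%s"\n' "$key" "${got:-unset}" "$want"
            bad=$((bad + 1))
        fi
    done
    port=$(sshd_effective "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        printf 'DEVIATION Port: sshd still listens on the default port 22\n'
        bad=$((bad + 1))
    fi
    return $bad
}

# Constructed sample configs for the demo (not copied from any real host).
STOCK_CFG='#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
GSSAPIAuthentication yes
#UseDNS yes'
HARDENED_CFG='Port 52113
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no
GSSAPIAuthentication no
#ListenAddress 10.0.0.61'

audit_sshd_config "$STOCK_CFG" || echo "stock config: $? deviation(s)"      # 5
audit_sshd_config "$HARDENED_CFG" && echo "hardened config: no deviations"
```

On a real host, call audit_sshd_config "$(cat /etc/ssh/sshd_config)" before /etc/init.d/sshd reload.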
10. Setting the history file count

    [root@host /]# export HISTSIZE=5    #--- keep 5 history entries
    [root@host /]# history
    [root@host /]# cat ~/.bash_history
    [root@host /]# HISTFILESIZE=5
    [root@host /]# cat ~/.bash_history
    [root@host /]# HISTSIZE=5
    [root@host /]# history
    [root@host ~]# echo 'export HISTFILESIZE=5' >> /etc/profile    #--- permanent setting
    [root@host ~]# tail -3 /etc/profile
11. Adjusting the number of Linux file descriptors

A file descriptor is a handle, represented by an unsigned integer, that a process uses to mark an open file.

File descriptor concepts:

1. It is represented by an integer (0-65535).
2. Every open file occupies a file descriptor (it marks the open file). View the default file descriptor limit with:

    ulimit -n

3. Adjust the file descriptor limit:

    [root@host ~]# ulimit -SHn 65535    #--- set the soft and hard file descriptor limit
    [root@host ~]# ulimit -n
    65535 (32768)
    [root@host ~]# echo '*       -    nofile      65535' >> /etc/security/limits.conf    #--- write the new limit to the file so it persists
    [root@host ~]# tail -1 /etc/security/limits.conf
    *       -    nofile      65535
12. Kernel optimization

    cat >> /etc/sysctl.conf << EOF
    net.ipv4.tcp_fin_timeout = 2
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_tw_recycle = 1    # note: breaks clients behind NAT; removed from the kernel in 4.12
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_keepalive_time = 600
    net.ipv4.ip_local_port_range = 4000    65000
    net.ipv4.tcp_max_syn_backlog = 16384
    net.ipv4.tcp_max_tw_buckets = 36000
    net.ipv4.route.gc_timeout = 100
    net.ipv4.tcp_syn_retries = 1
    net.ipv4.tcp_synack_retries = 1
    net.core.somaxconn = 16384
    net.core.netdev_max_backlog = 16384
    net.ipv4.tcp_max_orphans = 16384
    # The following parameters are optimized for the iptables firewall; if the firewall is not running, the resulting prompts can be ignored.
    net.nf_conntrack_max = 25000000
    net.netfilter.nf_conntrack_max = 25000000
    net.netfilter.nf_conntrack_tcp_timeout_established = 180
    net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
    net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
    net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
    EOF
13. Adjusting the kernel parameter file (/etc/sysctl.conf)

Edit it with vim /etc/sysctl.conf. Linux kernel optimization parameters:

    --------------------------------------------------------------------
    net.ipv4.tcp_fin_timeout = 2
    net.ipv4.tcp_tw_reuse = 1
    net.ipv4.tcp_tw_recycle = 1
    net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_keepalive_time = 600
    net.ipv4.ip_local_port_range = 4000 65000
    net.ipv4.tcp_max_syn_backlog = 16384
    net.ipv4.tcp_max_tw_buckets = 36000
    net.ipv4.route.gc_timeout = 100
    net.ipv4.tcp_syn_retries = 1
    net.ipv4.tcp_synack_retries = 1
    net.core.somaxconn = 16384
    net.core.netdev_max_backlog = 16384
    net.ipv4.tcp_max_orphans = 16384
    # The following parameters are optimized for the iptables firewall; if the firewall is not running, the resulting prompts can be ignored.
    net.nf_conntrack_max = 25000000
    net.netfilter.nf_conntrack_max = 25000000
    net.netfilter.nf_conntrack_tcp_timeout_established = 180
    net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
    net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
    net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
    --------------------------------------------------------------------

For the description of the network states and the optimization commands and details, see http://yangrong.blog.51cto.com/6945369/1321594 (the blog of an outstanding student of Old Boy Education) and http://oldboy.blog.51cto.com/2561410/1336488

Make the loaded parameters take effect:

    sysctl -p
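sysctl -p reports an error for each key the running kernel does not have (the nf_conntrack keys when the firewall module is not loaded) and applies the rest, so a practitioner wants a check of which keys from the file are really in effect afterwards. The drift check below is an added example, not code from the original post; it compares the text of a sysctl.conf block with sysctl -a output, both passed in as text, and the sample texts in it are constructed.

```shell
# Added example (not from the original post): check which keys of a
# sysctl.conf block are actually in effect by comparing the file's text with
# `sysctl -a` output. Both inputs are plain text; the "actual" text below is
# constructed for the demo. On a real host the call would be:
#   sysctl_drift "$(cat /etc/sysctl.conf)" "$(sysctl -a 2>/dev/null)"

# Normalize "key = v1   v2" lines to "key=v1 v2": drop comments, blank and
# non-assignment lines, strip spaces around "=", and squeeze the whitespace
# inside multi-value settings so "4000    65000" equals "4000<TAB>65000".
sysctl_normalize() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*#/ || NF < 2 { next }
        { k = $1; v = $2
          gsub(/[ \t]+/, "", k)
          gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/[ \t]+/, " ", v)
          print k "=" v }'
}

# $1 = desired settings text, $2 = actual `sysctl -a` text. Prints one line
# per key that is missing or has a different value; returns their count.
# "Missing" is exactly what happens to the nf_conntrack keys from section 12
# when the firewall (and so the conntrack module) is not loaded.
sysctl_drift() {
    { sysctl_normalize "$1" | sed 's/^/W /'; sysctl_normalize "$2" | sed 's/^/H /'; } |
    awk '{ tag = $1; sub(/^[WH] /, "")
           eq = index($0, "="); key = substr($0, 1, eq - 1); val = substr($0, eq + 1) }
         tag == "H" { have[key] = val; next }
         tag == "W" { want[key] = val; order[++n] = key }
         END {
             bad = 0
             for (i = 1; i <= n; i++) {
                 k = order[i]
                 if (!(k in have)) { print k ": not present (module not loaded or key unsupported)"; bad++ }
                 else if (have[k] != want[k]) { print k ": want=" want[k] " have=" have[k]; bad++ }
             }
             exit bad
         }'
}

# Constructed sample texts (not real output from any host).
DESIRED='net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 4000    65000
net.ipv4.tcp_max_syn_backlog = 16384
# conntrack keys only exist while the nf_conntrack module is loaded
net.netfilter.nf_conntrack_max = 25000000'
ACTUAL=$(printf 'net.ipv4.tcp_syncookies = 1\nnet.ipv4.ip_local_port_range = 4000\t65000\nnet.ipv4.tcp_max_syn_backlog = 1024\n')

sysctl_drift "$DESIRED" "$ACTUAL" || echo "$? setting(s) from the file are not in effect"   # 2
```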
14. Hiding the Linux version number

    [root@host ~]# cat /etc/issue
    CentOS release 6.7 (Final)
    Kernel \r on an \m
    [root@host ~]# cat /etc/issue.net
    CentOS release 6.7 (Final)
    Kernel \r on an \m
    [root@host ~]# > /etc/issue
    [root@host ~]# > /etc/issue.net
    [root@host ~]# cat /etc/issue
15. Locking system files

The system files concerned: /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab

    [root@host ~]# chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab    #--- +i locks the system files
    [root@host ~]# useradd dddd
    useradd: cannot open /etc/passwd
    [root@host ~]# rm -f /etc/passwd
    do not use rm command. -f /etc/passwd    #--- rm is aliased to an echo on this host
    [root@host ~]# \rm -f /etc/passwd
    rm: cannot remove `/etc/passwd': Operation not permitted
    [root@host ~]# chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab    #--- -i unlocks the system files
    [root@host ~]# useradd dddd
    [root@host ~]# chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
    [root@host ~]# lsattr /etc/passwd    #--- view the file attributes
    ----i--------e- /etc/passwd
    [root@host ~]# chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
    [root@host ~]# lsattr /etc/passwd
    -------------e- /etc/passwd
16. Prohibiting the Linux system from being pinged

Disable ping at the kernel level; the disadvantage is that you cannot ping the host yourself either. Temporary:

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Permanent, taking effect with sysctl -p:

    [root@host ~]# echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf
    [root@host ~]# tail -1 /etc/sysctl.conf
    net.ipv4.icmp_echo_ignore_all=1
    [root@host ~]# sysctl -p

Restore ping:

    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
17. Scheduled cleanup of junk files in the mail service temp directory

CentOS 5 series systems install the sendmail service by default, so the temporary mail storage path is /var/spool/clientmqueue/. CentOS 6 does not ship the sendmail service by default but uses the postfix service instead, so the mail storage path is /var/spool/postfix/maildrop/.

Both directories easily fill up with junk files, which exhausts the inode count and leaves no place to store files. Manual cleanup:

    find /var/spool/clientmqueue/ -type f | xargs rm -f      # for the CentOS 5 sendmail service
    find /var/spool/postfix/maildrop/ -type f | xargs rm -f  # for the CentOS 6 postfix service

Scheduled cleanup: write the above command into a script and run it as a scheduled task every night at 0 o'clock (scheduled tasks are covered separately).
18. The minimization principle of Linux operations and maintenance: less is more!

1. Install the Linux system minimally: minimize the packages, minimize what yum installs, and do not install useless packages.
2. Minimize the services started at boot.
3. Minimize the operating commands, e.g. use rm -f test.txt rather than rm -fr test.txt.
4. Minimize the users that log in to Linux. Usually there is no need to log in as root when an ordinary user login will do.
5. Minimize the permissions granted to ordinary users, that is, grant only the necessary system management commands.
6. Minimize the permissions set on Linux system files and directories; prohibit creating, changing and deleting them arbitrarily. Restrict them as far as possible.

This article is from the "Linuxgao" blog; please keep this source: http://linuxgao.blog.51cto.com/11934904/1929588
