Linux System Optimization Summary

Source: Internet
Author: User
Tags crypt i18n iptables rsyslog

Linux System Optimization Summary

1) do not use root login management system, and the normal user login through sudo authorization management.
For example:
Useradd Oldboy
ID Oldboy
echo "Oldboy all= (All) nopasswd:all" >>/etc/sudoers
2) Change the default remote connection SSH service port, prohibit the root user to connect remotely, even to change the SSH service only listen to the intranet IP.

[Email protected] ~]# Vim/etc/ssh/sshd_config
Port 51898 # #监听端口, Ports range (0-65535, preferably ports greater than 1024)
ListenAddress # #监听地址, to be on the safe side, listen to the network above
Protocol 2 # #使用协议
Permitemptypasswords No # #禁止空密码登录系统, default is forbidden
Usedns No # #禁止DNS反解析
Permitrootlogin No # #禁止root远程登录
Gssapiauthentication No # #加速登录ssh

3) Automatically update the time of the server, so that it and the Internet time synchronization.
4) Configure the Yum update source to download the installation package from the domestic update source.
Wget-o/etc/yum.repos.d/centos-base.repo Http://
5) Turn off SELinux and Iptables (in a working scenario, a server with high concurrency and high traffic may not turn on if an external IP is typically turned on iptables).
Sed-i ' s/selinux=enforcing/selinux=disabled/'/etc/selinux/config
grep selinux=disabled/etc/selinux/config
Setenforce 0

/etc/init.d/iptables stop
Chkconfig iptables off
6) Adjust the number of file descriptors, and the number of file descriptors will be consumed by process and file opening.
# #临时设置
Ulimit-shn 65535
# #永久设置
##* Soft Nofile 65535
##* Hard Nofile 65535

7) regularly automatically clean up the mail temporary directory junk files, to prevent the number of disk inodes by small files full (note Centos6 and Centos5 to clear the directory is different).

8) Streamline and retain the necessary boot-up services (such as Crond, sshd, Network, Rsyslog, Sysstat).
Method One:
For name in ' Chkconfig--list | grep 3:on | awk ' {print '} ' | Grep-ev "Sshd|crond|iptables|network|rsyslog|sshd|sysstat" ';d o chkconfig $name off;done
Method Two:
Chkconfig--list | grep 3:on | awk ' {print '} ' | Grep-ev "Sshd|crond|iptables|network|rsyslog|sshd|sysstat" | Sed-r ' s# (. *) #chkconfig \1 off#g ' | Bash
Method Three:
Chkconfig--list | grep 3:on | awk ' {print '} ' | Grep-ev "Crond|iptables|network|rsyslog|sshd|sysstat" | awk ' {print ' chkconfig "" "\" "" "Off"} ' | Bash
9) Linux kernel parameter optimization/etc/sysctl.conf, execution sysctl-p effective.
#net. ipv4.tcp_syn_retries = 1
#net. ipv4.tcp_synack_retries = 1
#net. Ipv4.tcp_keepalive_time = 600
#net. Ipv4.tcp_keepalive_probes = 3
#net. Ipv4.tcp_retries2 = 5
#net. ipv4.tcp_fin_timeout = 2
#net. ipv4.tcp_max_tw_buckets = 36000
#net. ipv4.tcp_tw_recycle = 1
#net. Ipv4.tcp_tw_reuse = 1
#net. Ipv4.tcp_max_orphans = 32768
#net. ipv4.tcp_syncookies = 1
#net. Ipv4.tcp_max_syn_backlog = 16384
#net. Ipv4.tcp_wmem = 8192 131072 16777216
#net. Ipv4.tcp_rmem = 32768 131072 16777216
#net. Ipv4.tcp_mem = 786432 1048576 1572864
#net. Ipv4.ip_local_port_range = 1024 65000
#net. Ipv4.ip_conntrack_max = 65536
#net. ipv4.netfilter.ip_conntrack_max=65536
#net. ipv4.netfilter.ip_conntrack_tcp_timeout_established=180
#net. Core.somaxconn = 16384
#net. Core.netdev_max_backlog = 16384
# #立即生效

10) Change the system character set to "ZH_CN." UTF-8 "so that it supports Chinese and prevents garbled problems.
Sed-i ' S#en_us. Utf-8#zh_cn. Utf-8#g '/etc/sysconfig/i18n
11) Lock the key system files such as/etc/passwd,/etc/shadow,/etc/group,/etc/gshadow,/etc/inittab, after processing the above content chattr, lsattr renamed Oldboy, transferred away, That's a lot safer.
Chattr +i/etc/passwd
Chattr +i/etc/shadow
Chattr +i/etc/group
Chattr +i/etc/gshadow
Chattr +i/etc/inittab
Chattr +i/etc/passwd
Alias chattr= ' Cha '
Alias Lsattr= ' LSA '
Permanently create aliases
echo alias chattr= ' Cha ' >>/root/.bashrc
echo alias lsattr= ' LSA ' >>/ROOT/.BASHRC
12) Clear the/etc/issue,/etc/, remove the system and the kernel version of the screen before the login display.
13) Clear the redundant system virtual user account.

14) Add a password for the Grub boot menu.
#执行/sbin/grub-md5-crypt will randomly generate a string
Add a string to the/boot/grub/grub.conf
echo "passwd--md5 $1$fkb6n$k3euy32phkr2mlpn9rjpa0" >>/boot/grub/grub.conf

15) prevent the host from being ping.
echo "Net.ipv4.icmp_echo_ignore_all=1" >>/etc/sysctl.conf
16) Patching and upgrading software with known vulnerabilities.

This article from "11471403" blog, declined reprint!

Linux System Optimization Summary

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.