Linux System Optimization Summary

Source: Internet
Author: User
Tags: crypt, i18n, iptables, rsyslog


1) Do not log in as root to manage the system. Log in as a normal user and obtain root privileges through sudo.
For example:
useradd oldboy
id oldboy
echo "oldboy ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
Note that NOPASSWD:ALL gives that account passwordless root, so its password or SSH key deserves the same protection as root's. Appending to /etc/sudoers with echo also skips the syntax check that visudo performs, and a syntax error there locks everyone out of sudo; prefer visudo, or put the line in a file under /etc/sudoers.d and check it with visudo -cf on that file first.
2) Change the default SSH service port, forbid remote root login, and ideally make sshd listen only on the intranet IP.

vim /etc/ssh/sshd_config
Port 51898                  # listening port; any port from 1 to 65535 works, preferably one above 1024
ListenAddress 192.168.1.128 # listening address; to be safe, listen only on the internal network
Protocol 2                  # protocol version
PermitEmptyPasswords no     # forbid login with an empty password (already the default)
UseDNS no                   # do not reverse-resolve client addresses
PermitRootLogin no          # forbid remote root login
GSSAPIAuthentication no     # skip GSSAPI negotiation, which speeds up login
After editing, check the file with sshd -t, restart the service with /etc/init.d/sshd restart, and keep the current session open until a fresh connection on the new port succeeds; if iptables stays on, open the new port there first.
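The edit above is usually done by hand in vim. The script below is an added example, not code from the original post: it applies the same directives idempotently (so it can be run again after a package update restores defaults), reads back the effective values the way sshd does (first active occurrence wins), and audits the result. The function names, the sample sshd_config and the audit list are mine; the directive values are the post's.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the step-2 sshd_config
# settings idempotently and audit the result. Helper names, the sample config
# and the audit list are assumptions of this example.

# set_sshd_opt FILE KEY VALUE
# Remove every existing definition of KEY (active or commented out) and put
# "KEY VALUE" at the top of the file, so a later Match block cannot shadow it.
set_sshd_opt() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    grep -Eiv "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|=|$)" "$file" > "$tmp" || true
    { printf '%s %s\n' "$key" "$value"; cat "$tmp"; } > "$file"
    rm -f "$tmp"
}

# get_sshd_opt FILE KEY: value of the first active KEY line (sshd uses the first)
get_sshd_opt() {
    grep -Ei "^[[:space:]]*$2([[:space:]]+|=)" "$1" | head -n 1 | awk '{print $2}'
}

# harden_sshd FILE LISTEN_IP: the post's settings from step 2
harden_sshd() {
    set_sshd_opt "$1" Port 51898
    set_sshd_opt "$1" ListenAddress "$2"
    set_sshd_opt "$1" Protocol 2
    set_sshd_opt "$1" PermitEmptyPasswords no
    set_sshd_opt "$1" UseDNS no
    set_sshd_opt "$1" PermitRootLogin no
    set_sshd_opt "$1" GSSAPIAuthentication no
}

# audit_sshd FILE: print each directive that is missing or weak; the exit
# status is the number of failures, so 0 means the file passes.
audit_sshd() {
    fails=0
    for pair in PermitRootLogin=no PermitEmptyPasswords=no Protocol=2 UseDNS=no; do
        key=${pair%%=*} want=${pair#*=}
        got=$(get_sshd_opt "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: got '${got:-<unset>}', want '$want'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# check_sshd_syntax FILE: let sshd's own parser validate the file before a restart
check_sshd_syntax() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; syntax check skipped" >&2
    fi
}

# Constructed sample resembling a stock CentOS 6 sshd_config (not a real file)
SAMPLE_SSHD_CONFIG='#Port 22
#ListenAddress 0.0.0.0
Protocol 2
#PermitRootLogin yes
PermitRootLogin yes
#PermitEmptyPasswords no
GSSAPIAuthentication yes
UseDNS yes
Subsystem sftp /usr/libexec/openssh/sftp-server'

demo=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$demo"
audit_sshd "$demo" || echo "before hardening: $? problem(s)"
harden_sshd "$demo" 192.168.1.128
audit_sshd "$demo" && echo "after hardening: passes"
rm -f "$demo"
```

On a real host, run harden_sshd /etc/ssh/sshd_config 192.168.1.128, then check_sshd_syntax /etc/ssh/sshd_config, and only then restart sshd. Putting each directive at the top rather than appending matters because sshd honours the first occurrence of a keyword and anything after a Match line belongs to that block.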

3) Keep the server's clock synchronized with Internet time automatically.
ntpdate time-a.nist.gov
ntpdate is a one-shot correction; to make it automatic, run it from cron (or run the ntpd service instead).
4) Point yum at a mirror inside China so that packages download quickly (back up the existing repo file first).
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
5) Turn off SELinux and iptables. (In practice, high-concurrency, high-traffic servers behind a firewall usually run without iptables, while a host with a public IP normally keeps it on. Both are security layers, so weigh what you are giving up: if SELinux only blocks one application, permissive mode, which logs denials without enforcing them, is a middle ground.)
# Turn off SELinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
grep SELINUX=disabled /etc/selinux/config
setenforce 0        # takes effect now; the config change takes effect on reboot
getenforce

# Turn off iptables
/etc/init.d/iptables stop
chkconfig iptables off
6) Raise the open-file-descriptor limit; every file and socket a process opens consumes one.
# The system default is 1024
ulimit -n
## Temporary setting (current shell and its children only; -S soft, -H hard)
ulimit -SHn 65535
# Check whether the temporary setting took effect
ulimit -n
## Permanent setting
vim /etc/security/limits.conf
*    soft    nofile    65535
*    hard    nofile    65535
limits.conf is applied by PAM at login, so a daemon started from an init script gets it only if the script sets ulimit itself; the system-wide ceiling is fs.file-max.

7) Regularly clean junk files out of the mail spool directory, so that masses of small files do not exhaust the disk's inodes (note that the directory to clear differs between CentOS 5 and CentOS 6; df -i shows inode usage).


8) Keep only the necessary boot services (for example crond, sshd, network, rsyslog, sysstat) and turn the rest off. Run each pipeline without the final "| bash" first and read the list before letting it execute.
Method one:
for name in $(chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev "crond|iptables|network|rsyslog|sshd|sysstat"); do chkconfig $name off; done
Method two:
chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev "crond|iptables|network|rsyslog|sshd|sysstat" | sed -r 's#(.*)#chkconfig \1 off#g' | bash
Method three:
chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev "crond|iptables|network|rsyslog|sshd|sysstat" | awk '{print "chkconfig",$1,"off"}' | bash
9) Tune kernel parameters in /etc/sysctl.conf, then run sysctl -p to apply them.
vim /etc/sysctl.conf
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
## Apply immediately
sysctl -p
Two caveats. The ip_conntrack_* keys belong to the old ip_conntrack module; on CentOS 6 the names are net.netfilter.nf_conntrack_max and net.netfilter.nf_conntrack_tcp_timeout_established, and they only exist while the conntrack module is loaded (it is not once iptables is off, as in step 5), so sysctl -p reports them as unknown keys. And tcp_tw_recycle breaks connections from clients behind NAT, which share one address but have unrelated TCP timestamps; it was removed from the kernel in 4.12 and is best left at 0 on any server reachable through NAT.
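Because sysctl -p only complains about a missing key at the moment you apply the file, it helps to check the fragment first. The script below is an added example, not code from the original post: it parses a sysctl.conf-style file, reports keys that have no backing file under /proc/sys, and shows which live values would change. The function names are mine, and the directory is a parameter (defaulting to /proc/sys) so the same code can be exercised against a constructed fake tree, as in the sample at the bottom.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight a sysctl.conf
# fragment before "sysctl -p". Function names and the sample data are
# assumptions of this example.

# parse_sysctl_conf FILE: emit "key<TAB>value" for each active setting, with
# the key in dotted form and whitespace in the value collapsed to single spaces
parse_sysctl_conf() {
    sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$1" |
    awk -F= 'index($0, "=") == 0 { next }
        {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key); gsub("/", ".", key)
            val = substr($0, index($0, "=") + 1); gsub(/[ \t]+/, " ", val)
            sub(/^ /, "", val); sub(/ $/, "", val)
            print key "\t" val
        }'
}

# sysctl_key_path ROOT KEY: the /proc/sys file behind a dotted key
sysctl_key_path() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr '.' '/')"
}

# sysctl_preflight CONF [SYSROOT]: print "missing: key" for every key with no
# backing file; returns 1 if anything is missing, 0 otherwise
sysctl_preflight() {
    root=${2:-/proc/sys}
    out=$(parse_sysctl_conf "$1" | cut -f1 | while read -r key; do
        [ -e "$(sysctl_key_path "$root" "$key")" ] || echo "$key"
    done)
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out" | sed 's/^/missing: /'
    return 1
}

# sysctl_diff CONF [SYSROOT]: print "key: current -> wanted" for every key
# whose live value differs from the file (keys without a backing file are skipped)
sysctl_diff() {
    root=${2:-/proc/sys}
    tab=$(printf '\t')
    parse_sysctl_conf "$1" | while IFS=$tab read -r key want; do
        path=$(sysctl_key_path "$root" "$key")
        [ -r "$path" ] || continue
        cur=$(tr -s '[:space:]' ' ' < "$path" | sed 's/^ //; s/ $//')
        [ "$cur" = "$want" ] || echo "$key: $cur -> $want"
    done
}

# Constructed demo: a fake /proc/sys tree plus a fragment mixing the post's
# values with one legacy key that has no file behind it
fake=$(mktemp -d)
mkdir -p "$fake/net/ipv4" "$fake/net/core"
printf '5\n' > "$fake/net/ipv4/tcp_syn_retries"
printf '4096\t87380\t4194304\n' > "$fake/net/ipv4/tcp_rmem"
printf '128\n' > "$fake/net/core/somaxconn"
conf=$(mktemp)
printf '%s\n' '# constructed fragment' \
    'net.ipv4.tcp_syn_retries = 1' \
    'net.ipv4.tcp_rmem = 32768 131072 16777216' \
    'net.core.somaxconn = 16384' \
    'net.ipv4.ip_conntrack_max = 65536' > "$conf"
sysctl_preflight "$conf" "$fake" || echo "fix the fragment before running sysctl -p"
sysctl_diff "$conf" "$fake"
rm -rf "$fake" "$conf"
```

Against the real tree, sysctl_preflight /etc/sysctl.conf lists exactly the keys that sysctl -p would reject (on a host without the conntrack module loaded, the three ip_conntrack entries), and sysctl_diff /etc/sysctl.conf shows what will actually change before you commit to it.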

10) Change the system character set to zh_CN.UTF-8 so that Chinese is supported and does not display as garbage characters (only needed where Chinese output is required; an English-only server can keep en_US.UTF-8).
sed -i 's#en_US.UTF-8#zh_CN.UTF-8#g' /etc/sysconfig/i18n
source /etc/sysconfig/i18n
11) Lock the key system files /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow and /etc/inittab with chattr +i. After that, rename chattr and lsattr to something unobvious (the post suggests oldboy; the aliases below assume cha and lsa) and move them out of the usual path, which makes the lock harder to undo.
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/inittab
# Create the aliases temporarily (current shell only), pointing the old names at the renamed binaries
alias chattr='cha'
alias lsattr='lsa'
# Create the aliases permanently
echo "alias chattr='cha'" >> /root/.bashrc
echo "alias lsattr='lsa'" >> /root/.bashrc
The immutable flag also stops useradd, usermod, passwd and chage from writing these files, so remove it with chattr -i before any account change and put it back afterwards. Renaming the binaries is obscurity only: an attacker who already has root can reinstall e2fsprogs or clear the flag through the same ioctl from any other tool, so treat it as a speed bump, not a control.
12) Empty /etc/issue and /etc/issue.net so that the system and kernel version are no longer displayed on the screen before login.
> /etc/issue
> /etc/issue.net
13) Remove redundant system (pseudo-)user accounts.

14) Add a password to the GRUB boot menu.
# /sbin/grub-md5-crypt prompts for a password and prints its MD5-crypt hash; the salt is random, so the string differs on each run
/sbin/grub-md5-crypt
Add the hash to /boot/grub/grub.conf. The GRUB Legacy directive is "password --md5 <hash>" (not passwd), and the hash must be in single quotes: in double quotes the shell expands $1 and $fkb6n to nothing and writes a useless line.
echo 'password --md5 $1$fkb6n$k3euy32phkr2mlpn9rjpa0' >> /boot/grub/grub.conf
The >> appends the line at the end of the file, inside the last title stanza, where it only protects booting that one entry. To lock menu editing and the GRUB command line it has to sit in the global section, before the first title line (for example right after timeout=), so open the file and move it there.
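The placement rule above is easy to get wrong with echo, so here is an added example, not code from the original post, that inserts or replaces the global password line in the right place and is safe to run repeatedly. The function names and the sample grub.conf are mine; the hash is the post's example string. It writes back with cat rather than mv so that /boot/grub/grub.conf keeps its mode and inode (on CentOS 6 /etc/grub.conf is a symlink to it).

```shell
#!/bin/sh
# Added example, not code from the original post: put "password --md5" into the
# global section of a GRUB Legacy grub.conf. Function names and the sample
# config are assumptions of this example; the hash is the post's example value.

# Single quotes: $1 and $fkb6n must not be expanded by the shell
GRUB_HASH='$1$fkb6n$k3euy32phkr2mlpn9rjpa0'

# set_grub_password FILE HASH
# Replace an existing global password line, or insert one just before the
# first "title"; password lines inside title stanzas are left alone.
set_grub_password() {
    file=$1 hash=$2
    tmp=$(mktemp)
    awk -v pw="password --md5 $hash" '
        !done && /^[[:space:]]*title/    { if (!seen) print pw; done = 1 }
        !done && /^[[:space:]]*password/ { if (!seen) { print pw; seen = 1 }; next }
        { print }
        END { if (!done && !seen) print pw }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# grub_password_ok FILE: succeed only if an MD5 password line appears before
# the first title, i.e. where GRUB applies it to menu editing
grub_password_ok() {
    awk '/^[[:space:]]*title/ { exit }
         /^[[:space:]]*password[[:space:]]+--md5[[:space:]]+/ { found = 1; exit }
         END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample grub.conf (kernel version is illustrative)
SAMPLE_GRUB_CONF='default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-431.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-431.el6.x86_64 ro root=/dev/mapper/vg-root
        initrd /initramfs-2.6.32-431.el6.x86_64.img'

demo=$(mktemp)
printf '%s\n' "$SAMPLE_GRUB_CONF" > "$demo"
set_grub_password "$demo" "$GRUB_HASH"
grub_password_ok "$demo" && echo "global password line present:"
grep -n '^password' "$demo"
rm -f "$demo"
```

On the real host: set_grub_password /boot/grub/grub.conf "$(/sbin/grub-md5-crypt)" and then grub_password_ok /boot/grub/grub.conf. Rotating the hash later is the same call again; the existing global line is replaced rather than duplicated.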

15) Stop the host from answering ping (note that this also breaks ping-based monitoring and does not hide the host from a port scan).
# Set the kernel parameter
echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf
# Apply immediately
sysctl -p
16) Patch and upgrade software with known vulnerabilities.

This article is from the "11471403" blog; reprinting is not permitted.
