Linux system post-installation tuning and related configuration

Source: Internet
Author: User
Tags: gpg, i18n, rsyslog, yum repolist

The overall plan follows the principle of minimization: minimal system installation, minimal set of yum packages, minimal set of services started at boot, minimal set of operating commands, minimal set of users that can log in, minimal privileges for normal users, and minimal permissions on system files and directories.

Modify User Password
# echo "centos" |passwd --stdin root && history -c   //set the root password, then clear the shell history so the password is not kept in it
Empty iptables

Enterprises generally enable the firewall on Linux servers that have an internal IP address only. For high-concurrency, high-traffic servers that are exposed with a public IP address, enabling the host firewall is not recommended: it costs a lot of performance and slows down access, so a hardware firewall is recommended instead.

# iptables -F
# /etc/init.d/iptables save
# /etc/init.d/iptables stop
# chkconfig iptables off
SELinux settings

SELinux is short for Security-Enhanced Linux. In a real production environment it is enabled or not depending on the situation; the settings below disable it.

# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config   //takes effect permanently after a reboot
# setenforce 0   //disable SELinux temporarily, avoiding a reboot of a production host
# getenforce   //show the SELinux status
Configure static IP
# setup   //configure through the text-mode interface, or:
# vim /etc/sysconfig/network-scripts/ifcfg-eth0   //edit the configuration file

Note: after cloning a virtual machine, problems such as duplicate NIC MAC addresses, duplicate UUIDs and NIC naming have to be resolved.

Configuring host and IP mapping relationships
# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.63 demo63.cn server01
192.168.1.64 demo64.cn client01
Modify Host Name
# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=demo63.cn
NTPSERVERARGS=iburst
# hostname   //show the host name
demo63.cn
Configure the yum source

Method One: Configure the local Yum source

# mount /dev/sr0 /mnt/
# echo "/dev/sr0 /mnt iso9660 defaults 0 0" >> /etc/fstab
# rm -rf /etc/yum.repos.d/*
# cat > /etc/yum.repos.d/rhel6.repo <<EOF
> [rhel6-source]
> name=rhel6-source
> baseurl=file:///mnt
> enabled=1
> gpgcheck=0
> EOF

Method Two: Configure the network yum source

# cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bk
# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
# sed -i 's/$releasever/6.9/g' /etc/yum.repos.d/CentOS-Base.repo
# yum clean all
# yum repolist all
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

Attention:

a) The packages below are useful in production and are recommended for installation.

b) If yum is not installed on the system, it can be installed from RPM packages.

# rpm -qa |grep yum
# rpm -qa |grep yum |xargs rpm -e --nodeps   //remove the rpm packages directly, without checking dependencies
# wget -O /test/yum-3.2.29-81.el6.centos.noarch.rpm http://mirrors.163.com/centos/6.9/os/x86_64/Packages/yum-3.2.29-81.el6.centos.noarch.rpm
# wget -O /test/yum-metadata-parser-1.1.2-16.el6.x86_64.rpm http://mirrors.163.com/centos/6.9/os/x86_64/Packages/yum-metadata-parser-1.1.2-16.el6.x86_64.rpm
# wget -O /test/yum-plugin-fastestmirror-1.1.30-40.el6.noarch.rpm http://mirrors.163.com/centos/6.9/os/x86_64/Packages/yum-plugin-fastestmirror-1.1.30-40.el6.noarch.rpm
# rpm -ivh /test/yum-3.2.29-81.el6.centos.noarch.rpm /test/yum-metadata-parser-1.1.2-16.el6.x86_64.rpm /test/yum-plugin-fastestmirror-1.1.30-40.el6.noarch.rpm
Modifying the Run Level
# vim /etc/inittab
id:3:initdefault:   //run level 3 is text mode; changing the configuration file makes it permanent
# runlevel   //show the current run level
# init 0   //shut down (init 5 = graphical mode, init 6 = reboot)
Streamlining the services started at boot

Five services are recommended in an enterprise production environment: sshd (used by remote connections), rsyslog (the daemon the system calls when logging; the service was named syslog before CentOS 6), network (activates and deactivates the network interfaces), crond (runs periodic system or user-configured tasks) and sysstat (monitors system performance and efficiency).

Method One: Call the graphical interface

# ntsysv   (or setup -> System services)   //select the services to enable

Method Two: Execute the command

# chkconfig --list |grep 3:on |grep -vE "crond|network|rsyslog|sshd|sysstat" |awk '{print "chkconfig "$1" off"}' |bash
or
# chkconfig --list |grep 3:on |grep -vE "crond|network|rsyslog|sshd|sysstat" |awk '{print $1}' |sed -r 's#(.*)#chkconfig \1 off#g' |bash   //note: no spaces inside the quoted service list

Method Three: Execute the script

# LANG=en   //switch to the English locale so that the output is easy to filter
# chkconfig --list |grep 3:on   //list the services enabled at run level 3
# vim service-off.sh   //script that turns off the unnecessary services

a) Shell script one:

#!/bin/bash
LANG=en
for name in `chkconfig --list |grep 3:on |awk '{print $1}'`; do
    chkconfig --level 3 $name off
done
for name in crond network rsyslog sshd sysstat; do
    chkconfig --level 3 $name on
done
chkconfig --list |grep 3:on

b) Shell script two (by default the services are enabled at run level 3, the text mode):

#!/bin/bash
LANG=en
for name in `chkconfig --list |grep 3:on |awk '{print $1}' |grep -vE "crond|network|rsyslog|sshd|sysstat"`; do
    chkconfig --level 3 $name off
done
chkconfig --list |grep 3:on

# chmod +x service-off.sh
# ./service-off.sh
Remote login (SSH) configuration

In a real production environment it is recommended to hide or change the default port of the SSH remote connection service.

# cp -a /etc/ssh/sshd_config{,.`date +"%F%H%M%S"`}   //back up the configuration file first

Method One: Modify the configuration file

# vim /etc/ssh/sshd_config
Port 2233   //port the sshd service listens on
PermitRootLogin no   //whether root may log in
PermitEmptyPasswords no   //whether users with an empty password may log in
UseDNS no   //whether sshd does a reverse DNS lookup of the remote host
GSSAPIAuthentication no   //fixes slow ssh connections between Linux hosts

Method Two: Quick modification with sed, inserting the settings

# sed -i '13i Port 2233\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\nGSSAPIAuthentication no' /etc/ssh/sshd_config   //insert the five settings before line 13 (the original "-ir" made sed treat "r" as a backup suffix)
# sed -n '13,17p' /etc/ssh/sshd_config   //check the inserted lines
# /etc/init.d/sshd reload   //graceful restart that does not affect users already connected over SSH
or
# /etc/init.d/sshd restart
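A check for the five sshd settings above, written as an added example and not part of the original post. sshd honours the first uncommented value of each keyword, which is why inserting at line 13 works and why merely appending a directive at the end of a file that already sets it does not; the audit below reads the first match exactly as sshd does (Match blocks are not handled). The sample configurations are constructed for the stand-alone run.

```shell
# Added example, not from the original post: audit an sshd_config against the
# five directives recommended above. sshd takes the FIRST uncommented value of
# each keyword, so the check reads the first match exactly as sshd would
# (Match blocks are not handled). Exit status 0 means every directive complies.

# effective_value FILE KEYWORD: print the first uncommented value of KEYWORD
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        tolower($1) == tolower(key) { print $2; exit } # first match wins
    ' "$1"
}

# audit_sshd_config FILE: report each directive as OK, MISSING or MISMATCH
audit_sshd_config() {
    rc=0
    for pair in Port=2233 PermitRootLogin=no PermitEmptyPasswords=no \
                UseDNS=no GSSAPIAuthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING  $key (sshd built-in default applies)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key = $got (expected $want)"; rc=1
        else
            echo "OK       $key = $got"
        fi
    done
    return $rc
}

# Constructed samples (not real server configs) for a stand-alone run.
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
Port 2233
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no
GSSAPIAuthentication no
#PermitRootLogin yes
EOF
# Appending "PermitRootLogin no" does not override the earlier "yes".
cat > "$BAD" <<'EOF'
Port 22
PermitRootLogin yes
PermitRootLogin no
EOF
audit_sshd_config "$GOOD"   # all OK, exit status 0
audit_sshd_config "$BAD" || echo "non-compliant: $BAD"
```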
sudo privilege configuration
# cp -a /etc/sudoers{,.`date +"%F%H%M%S"`}
# echo "admin1 ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
# tail -5 /etc/sudoers
or
# visudo   //edits the configuration file directly
# visudo -c   //syntax check of the edited configuration file
Chinese display settings

In a real production environment the English display settings are recommended.

# cp -a /etc/sysconfig/i18n{,.`date +"%F%H%M%S"`}
# echo 'LANG="zh_CN.UTF-8"' >/etc/sysconfig/i18n
# source /etc/sysconfig/i18n   //apply the edited configuration file
# echo $LANG
Set up a time synchronization task
# echo '# Time sync by Jerome at 2017-6-8 ' >> /var/spool/cron/root
# echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov > /dev/null 2>&1' >> /var/spool/cron/root
# crontab -l   //list the scheduled tasks
or
# crontab -e   //edit the scheduled tasks
Settings for some environment variables

Modifying the configuration file /etc/profile makes the change global.

# echo 'export TMOUT=300' >> /etc/profile   //idle time-out of a login session, in seconds
# echo 'export HISTSIZE=5' >> /etc/profile   //number of commands kept in the shell history
# echo 'export HISTFILESIZE=5' >> /etc/profile   //number of lines kept in the history file (~/.bash_history)
# source /etc/profile
# tail -3 /etc/profile
Adjust the number of file descriptors

A file descriptor is a handle, represented by an unsigned integer, that a process uses to refer to an open file.

# ulimit -n   //show the current limit on open file descriptors

Method One:

# cp -a /etc/security/limits.conf{,.`date +"%F%H%M%S"`}
# echo '* - nofile 65535' >> /etc/security/limits.conf
# tail -1 /etc/security/limits.conf

Method Two:

# cp -a /etc/rc.local{,.`date +"%F%H%M%S"`}
# cat >> /etc/rc.local <<EOF
> # -S use the 'soft' resource limit
> # -H use the 'hard' resource limit
> # -n the maximum number of open file descriptors
> ulimit -HSn 65535
> # -s the maximum stack size
> ulimit -s 65535
> EOF
Scheduled cleanup of junk files in the mail service temporary directory
# vim /scripts/del_temp_mail.sh
Script contents:
#!/bin/bash
find /var/spool/postfix/maildrop/ -type f -print0 |xargs -0 rm -f
Run the script:
# chmod +x /scripts/del_temp_mail.sh
Set up the scheduled task:
# echo '00 00 * * * /bin/sh /scripts/del_temp_mail.sh > /dev/null 2>&1' >>/var/spool/cron/root
# crontab -l
# df -i   //show the total, free and used inodes of each file system
Hide the Linux version information
# >/etc/issue
# >/etc/issue.net
# cat /etc/issue
# cat /etc/issue.net
Lock critical system files
# chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab   //lock the files (immutable attribute)
# chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab   //unlock them again before any change
# lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab   //show the attributes
Password-protect the GRUB menu
# /sbin/grub-md5-crypt   //generate the MD5 hash of the password
# cp -a /etc/grub.conf{,.`date +"%F%H%M%S"`}
# vim /etc/grub.conf

Note: the password line is best placed between the splashimage line and the first title entry, otherwise it may not take effect. Once it is set, a password is required the next time the GRUB menu is edited.
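A way to place the password line where the note above says it belongs, written as an added example and not part of the original post. The function inserts a "password --md5 HASH" line directly after the splashimage line, refuses to add it twice, and a second function verifies that it precedes the first title. The grub.conf sample and the hash value PLACEHOLDER_HASH are constructed; on a real host the hash is the output of /sbin/grub-md5-crypt.

```shell
# Added example, not from the original post. add_grub_password inserts a
# "password --md5 HASH" line right after the splashimage line of a grub.conf,
# i.e. before the first title entry, and is idempotent. HASH must be the
# output of /sbin/grub-md5-crypt; PLACEHOLDER_HASH below is a constructed value.

# add_grub_password FILE HASH: rewrite FILE in place; exit 1 if no splashimage line
add_grub_password() {
    file=$1; hash=$2
    if grep -q '^password' "$file"; then
        echo "password line already present in $file"; return 0
    fi
    grep -q '^splashimage=' "$file" || { echo "no splashimage line in $file"; return 1; }
    tmp=$(mktemp)
    awk -v h="$hash" '
        { print }
        /^splashimage=/ && !done { print "password --md5 " h; done = 1 }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the owner and mode of FILE
    rm -f "$tmp"
}

# password_before_title FILE: exit 0 if a password line precedes the first title
password_before_title() {
    awk '/^password/ { seen = 1 } /^title/ { exit } END { exit (seen ? 0 : 1) }' "$1"
}

# Constructed grub.conf sample (not a real host's file) for a stand-alone run.
GRUB=$(mktemp)
cat > "$GRUB" <<'EOF'
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS 6 (constructed entry)
        root (hd0,0)
        kernel /vmlinuz-VERSION ro root=/dev/sda2
        initrd /initramfs-VERSION.img
EOF
add_grub_password "$GRUB" 'PLACEHOLDER_HASH'
password_before_title "$GRUB" && echo "password line sits before the first title"
cat "$GRUB"
```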
