Linux system tuning authoritative guide, linux tuning Guide

Linux system tuning authoritative guide, linux tuning Guide

1. Disable SELINUX.
1.1 modify the configuration file to make SELINUX disabled permanently effective
Sed's # SELINUX = enforcing # SELINUX = disables # G'/etc/selinux/config ==> restart the system to take effect
1.2 temporarily disable SELINUX
[Root @ hadoop01 xningge] # setenforce
Usage: setenforce [Enforcing | Permissive | 1 | 0]
==> The number 0 indicates Permissive, which is a warning message and does not stop the operation. It is equivalent to disabled.
==> Number 1 indicates that Enforcing is enabled for SELINUX.
[Root @ hadoop01 xningge] # setenforce 0 ==> temporarily change SELINUX to Permissive status
[Root @ hadoop01 xningge] # getenforce ==> view the current status of SELINUX
Permissive

2. Set the running level
Seven running levels in Linux:

0: The system is down. The default running level cannot be set to 0. Otherwise, the system cannot start normally and the machine is down.
1: single-user working status, root permission, used for system maintenance, remote login is prohibited, just like login in safe mode in Windows.
2: multi-user status, not supported by NFS.
3: full multi-user mode with NFS. After logging on to the console, go to the command line mode.
4: The system is not used. It is generally not used for reservation. In some special cases, you can use it to do some things. For example, you can switch to this mode to make some settings when the battery of your laptop is exhausted.
5: On the X11 console, log on to the graphical GUI mode and use the XWindow system.
6: The system is shut down and restarted normally. The default running level cannot be set to 6. Otherwise, the system cannot be started normally. If you run init6, the system restarts.

2.1
[Root @ hadoop01 xningge] # grep 5: initdefault/etc/inittab ==> default system running level
Id: 5: initdefault:

[Root @ hadoop01 xningge] # runlevel ==> view running level
N 5

[Root @ hadoop01 xningge] # init 3 ==> set the running level

3. Disable iptables Firewall
1.
[Root @ hadoop01 xningge] #/etc/init. d/iptables stop ==> temporarily disable Firewall
Iptables: Setting chains to policy ACCEPT: filter [OK]
Iptables: Flushing firewall rules: [OK]
Iptables: Unloading modules: [OK]

[Root @ hadoop01 xningge] # chkconfig iptables off ===" disable the auto-start command

4. sudo controls the user's permission to use system commands
4.1 The first step is equivalent to vi/etc/sudoers
4.2 Step 2 xningge ALL = (ALL) NOPASSWD: ALL ==> about 98 rows
4.3 step 3 check whether the modification is successful
[Xningge @ hadoop01 ~] $ Sudo grep xningge/etc/sudoers
Xningge ALL = (ALL) NOPASSWD: ALL
4.4 view the sudo permission command set granted to the current user
[Xningge @ hadoop01 ~] $ Sudo-l

5. Linux Chinese display settings
5.1 view the current Linux Language
[Root @ hadoop01 ~] # Cat/etc/sysconfig/i18n
LANG = "zh_CN.UTF-8"
5.2 set to Chinese Language
[Root @ hadoop01 ~] # Sudo echo 'lang = "zh_CN.UTF-8" '>/etc/sysconfig/i18n
[Root @ hadoop01 ~] # Source/etc/sysconfig/i18n = make the modified file take effect
[Root @ hadoop01 ~] # Echo $ LANG = "view the current language equivalent
Zh_CN.UTF-8

6. Set Linux server time synchronization
6.1
[Root @ hadoop01 ~] #/Usr/sbin/ntpdate ntp1.aliyun.com
24 Dec 21:45:17 ntpdate [31374]: step time server 182.92.12.11 offset-28774.000359 sec
6.2
[Root @ hadoop01 ~] # Which ntpdate
/Usr/sbin/ntpdate ==> note this directory. centos5 is/sbin.
6.3 Automatic execution every 5 minutes using scheduled tasks
[Root @ hadoop01 ~] # Echo '*/5 *****/usr/sbin/ntpdate ntp1.aliyun.com>/dev/null 2> & 1'>/var/spool/cron/root
[Root @ hadoop01 ~] # Crontab-l ==> this command is actually to write a scheduled task, which is equivalent to executing crontab-e and then adding content
# Time sync by xningge at 2017-12-24
*/5 */usr/sbin/ntpdate ntp1.aliyun.com>/dev/null 2> & 1

7. Set the number of historical records and logon timeout Environment Variables
7.1 set Idle Account timeout
[Xningge @ hadoop01 ~] $ Export TMOUT = 10 ===" set the connection Session Timeout time to be temporarily valid
[Xningge @ hadoop01 ~] $ Timed out waiting for input: auto-logout
7.2 set the number of command line history records in Linux
[Root @ hadoop01 ~] # Export HISTSIZE = 5 ="
[Root @ hadoop01 ~] # History
39 crontab-e
40 su-xingge
41 su-xningge
42 export HISTSIZE = 5
43 history

7.3 Set the number variable of commands in the history file (~ /. Bash_history)
[Root @ hadoop01 ~] # Export HISTFILESIZE = 5
[Root @ hadoop01 ~] # Cat ~ /. Bash_history
Which ls
Which iptables
Getenforce
Cat/etc/selinux/config
Export TMOUT = 10

7.4 make the preceding command permanently effective
[Root @ hadoop01 ~] # Echo 'export TMOUT = 300 '>/etc/profile
[Root @ hadoop01 ~] # Echo 'export HISTSIZE = 5'>/etc/profile
[Root @ hadoop01 ~] # Echo 'export HISTFILESIZE = 5'>/etc/profile
[Root @ hadoop01 ~] # Tail-3/etc/profile
Export TMOUT = 300
Export HISTSIZE = 5
Export HISTFILESIZE = 5
[Root @ hadoop01 ~] # Source/etc/profile

7.5
TMOUT = 300 = connection timeout control variable
HISTSIZE = 5 === variable of the number of historical records of the command line
HISTFILESIZE = 5 === variable of the number of commands in the History File
8. Adjust the number of file descriptors in Linux
8.1 check the file descriptor settings of the Linux server. The default size is 1024.
[Xningge @ hadoop01 ~] $ Ulimit-n
1024
8.2 for High-concurrency Linux servers, adjustments are required
[Xningge @ hadoop01 ~] $ Vim/etc/security/limits. conf add a sentence (*-nofile 65535) at the end of the file)

9. regularly clear junk files in the temporary directory of the mail service
9.1 manual cleanup
[Root @ hadoop01 ~] # Find/var/spool/postfix/maildrop/-type f | xargs rm-f ==> applicable to the Postfix service of centos 6
[Root @ hadoop01 ~] # Find/var/spool/clientmqueue/-type f | xargs rm-f ==> suitable for centos 5 Sendmall Service
9.2 timed cleaning
[Root @ hadoop01 ~] # Mkdir-p/server/scripts
[Root @ hadoop01 ~] # Echo "find/var/spool/postfix/maildrop/-type f | xargs rm-f">/server/scripts/del_file.sh
[Root @ hadoop01 ~] # Cat/server/scripts/del_file.sh
Find/var/spool/postfix/maildrop/-type f | xargs rm-f
[Root @ hadoop01 ~] # Echo "00 00 ***/bin/sh/server/scripts/del_file.sh>/dev/null 2> & 1"> // var/spool/cron/root
[Root @ hadoop01 ~] # Crontab-l
# Time sync by xningge at 2017-12-24
*/5 */usr/sbin/ntpdate ntp1.aliyun.com>/dev/null 2> & 1
00 00 ***/bin/sh/server/scripts/del_file.sh>/dev/null 2> & 1
9.3 view the total disk inode, remaining amount, and usage
[Root @ hadoop01 ~] # Df-I
Filesystem Inodes IUsed IFree IUse % Mounted on
/Dev/sda3 1234576 122241 1112335 10%/
Tmpfs 125514 6 125508 1%/dev/shm
/Dev/sda1 51200 38 51162 1%/boot
10. Hide Linux Version Information
10.1 view the actual stored files displayed on the terminal
[Root @ hadoop01 ~] # Cat/etc/issue
CentOS release 6.9 (Final)
Kernel \ r on an \ m
[Root @ hadoop01 ~] # Cat/etc/issue.net
CentOS release 6.9 (Final)
Kernel \ r on an \ m
10.2 understand the Linux system version and kernel information
[Root @ hadoop01 ~] #>/Etc/issue
[Root @ hadoop01 ~] # Cat/etc/issue
[Root @ hadoop01 ~] #>/Etc/issue.net
[Root @ hadoop01 ~] # Cat/etc/issue.net
[Root @ hadoop01 ~] #

11. Lock key system files to prevent unauthorized access.
11.1 lock
[Root @ hadoop01 ~] # Chattr + I/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab
Unlock 11.2
[Root @ hadoop01 ~] # Chattr-I/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab

. Prevent hackers from using chattr for transfer
[Root @ hadoop01 ~] # Mv/usr/bin/chattr/usr/bin/xningge1
[Root @ hadoop01 ~] # Xningge1 + I/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab
[Root @ hadoop01 ~] # Chattr-I/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab
-Bash:/usr/bin/chattr: the file or directory does not exist.
[Root @ hadoop01 ~] # Xningge1-I/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab
[Root @ hadoop01 ~] # Xningge1 + I/etc/passwd/etc/shadow/etc/group/etc/gshadow/etc/inittab
[Root @ hadoop01 ~] #

12. Clear redundant system virtual accounts
13. Add a password to the grub menu
Objective: To prevent others from modifying grub startup settings such as kernel, and starting to crack the root password in single-user mode
Procedure:
(1) first use/sbin/grub-md5-crypt to generate an MD5 password string
[Xningge @ hadoop01 ~] $/Sbin/grub-md5-crypt
Password:
Retype password:
$1 $ X85We/$ cdytOERYCKB. aPBqbL9ef.
(2) modify the grub. conf file
Add a line between splashimage and title (password -- md5 $1 $ X85We/$ cdytOERYCKB. aPBqbL9ef .)

14. Prohibit Linux system from being pinged
14.1 The Forbidden command is
[Root @ hadoop01 ~] # Echo "net. ipv4.icmp _ echo_ignore_all = 1">/etc/sysctl. conf
[Root @ hadoop01 ~] # Tail-1/etc/sysctl. conf
Net. ipv4.icmp _ echo_ignore_all = 1
14.2 restore to prohibit ping
Delete net. ipv4.icmp _ echo_ignore_all = 1 in/etc/sysctl. conf and save the settings.
Run the following command:
[Root @ hadoop01 ~] # Echo 0>/proc/sys/net/ipv4/icmp_echo_ignore_all

14.3 we cannot test the connection because ping is prohibited. The best practice is to set iptables to allow specific ip addresses to be pinged.
Iptables-t filter-I inpot-p icmp -- icmp-type 8-I eth0-s 10.0.0.0/24-j ACCEPT

15. upgrade software versions with typical Vulnerabilities
15.1 view the Software Version Number
[Root @ hadoop01 ~] # Rpm-qa openssl openssh bash
Bash-4.1.2-48.el6.x86_64
Openssh-5.3p1-122.el6.x86_64
Openssl-1.0.1e-57.el6.x86_64
15.2 upgrade the software version with known vulnerabilities to the latest version.
[Root @ hadoop01 ~] # Yum install openssl openssh bash-y

16. Linux Server Kernel Parameter Optimization

17. Linux System Security minimization principles

18. Modify the remote logon configuration of the ssh server.

19. Streamline boot System Auto-start
19.1 important auto-start services
1. sshd: this service program is used to remotely connect to a Linux server. Therefore, it must be enabled. Otherwise, the Linux server cannot provide the remote connection service.
2 rsyslog: Log-related software. This is a mechanism provided by the operating system. The system daemon usually uses the rsyslog program to write various information to various system log files. Before centos 6, the service name is syslog.
3 "network: when the system is started, if you want to activate/disable various network interfaces, you should consider enabling this service.
4. crond: this service is used for periodic execution systems and user-configured task plans. It must be enabled when there is a periodic execution task.
5. sysstat: a software package that includes a set of tools for detecting system performance and efficiency. These tools are very helpful for us to collect system performance data, such as CPU usage, hard disk and network throughput data.
The main tools for sysstat package integration are:
Iostat: The tool provides data on CPU usage and Hard Disk Throughput efficiency.
Mpstat: The tool provides data related to one or more processors.
Sar: the tool collects, reports, and stores active system information.

19.2 common methods for setting auto-start service upon startup
Method 1: Execute the ntsysv command and set it in the pop-up window.
Method 2: Execute the setup command-> system service, and then set it in the pop-up window.