Linux basic optimization configuration (CentOS 6)

1:  Add an operator account to the system and grant it sudo rights

[root@localhost ~]# groupadd cai
[root@localhost ~]# useradd cai -g cai
[root@localhost ~]# passwd cai
Changing password for user cai.
New password:
BAD PASSWORD: it is too simplistic/systematic
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]# su - cai

The sudo configuration lives in /etc/sudoers, which is a read-only file (mode 0440). Edit it with the "visudo" command: it locks the file and refuses to save a syntactically broken rule, which would otherwise lock everyone out of sudo at once.

A rule has the form:

user    hosts=(run-as user)    command (absolute path; find it with which)

cairui    ALL=(ALL)      /usr/sbin/useradd

The first field is the account being granted the right; it must match the user you created (the commands above create "cai", while "cairui" is the author's own login that appears in later prompts). The second field is the list of hosts the rule applies to, not a terminal; ALL is fine on a single machine. Listing specific commands instead of ALL keeps the account from becoming an unrestricted root equivalent, but any listed command that can spawn a shell or write arbitrary files as root still amounts to full root, so check each command for such escapes before granting it.

 

2:  Point Yum at a domestic mirror (I cover this in a separate post on my blog, so it is not repeated here). Whichever mirror you use, keep gpgcheck=1 in the repo file so packages are still verified against the CentOS signing key instead of being trusted on the mirror's word.

 

3:  Turn off the firewall (iptables) and SELinux

(1) Configuring the firewall and SELinux properly is fiddly and takes a lot of time, so they are simply switched off here. Be clear about what that costs: iptables is the only host-level packet filter on the box, and SELinux is the mandatory access control layer that confines services such as sshd and httpd after a compromise. If you only need them out of the way while troubleshooting, "setenforce 0" (permissive: denials are logged but not blocked) and "service iptables stop" are both reversible without a reboot; the steps below make the change permanent.

Temporarily stop the firewall (the init script can also show status, restart, or start it):

[root@localhost ~]# /etc/init.d/iptables
Usage: iptables {start|stop|reload|restart|condrestart|status|panic|save}
[root@localhost ~]# /etc/init.d/iptables stop

Permanently disable the firewall (remove it from the boot runlevels):

[root@localhost ~]# chkconfig iptables off

Check the boot-time status of iptables:

[root@localhost ~]# chkconfig --list | grep iptables
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off

(2) Disable SELinux

[root@localhost ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

SELINUX= is changed from enforcing to disabled. This file is only read at boot, so the change takes effect after a reboot; "setenforce 0" switches the running kernel to permissive immediately. If you later turn SELinux back on from disabled, files created in the meantime carry no labels, so run "touch /.autorelabel" before that reboot or the first enforcing boot will deny access to them.

 

4:  Change the default sshd configuration

Back up the shipped configuration before editing:

[root@localhost ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

Then edit it. Only the directives shown below are changed; the rest of the file stays at the CentOS 6 defaults (SyslogFacility AUTHPRIV, ChallengeResponseAuthentication no, GSSAPIAuthentication yes, UsePAM yes, X11Forwarding yes, the AcceptEnv lines and the sftp Subsystem). sshd applies the first uncommented occurrence of a directive, so put the new value before any later uncommented copy of the same directive.

[root@localhost ~]# vim /etc/ssh/sshd_config
# Move sshd off the default port
#Port 22
Port 52000
# Only SSH protocol 2 (version 1 is broken and stays disabled)
Protocol 2
# Do not let root log in over SSH: everyone knows the root account exists,
# so an attacker would otherwise only have to guess the password
#PermitRootLogin yes
PermitRootLogin no
# Password logins stay enabled here (the CentOS 6 default)
PasswordAuthentication yes
# Skip the reverse DNS lookup of the client address on connect
#UseDNS yes
UseDNS no

Two caveats. The non-standard port keeps automated scanners out of the logs but is not a security control on its own; the changes that matter are PermitRootLogin no and, once your key is in ~/.ssh/authorized_keys for the operator account, PasswordAuthentication no, which ends password guessing altogether. Second, had SELinux and iptables been left on, sshd on port 52000 would also need "semanage port -a -t ssh_port_t -p tcp 52000" and an iptables rule accepting 52000/tcp; both were disabled in step 3, which is why nothing more is needed here.

After editing, check the syntax and restart. Keep the session you are working in open and test a fresh login on the new port from a second terminal before closing it, otherwise a typo here locks you out:

[root@localhost ~]# sshd -t
[root@localhost ~]# /etc/init.d/sshd
Usage: /etc/init.d/sshd {start|stop|restart|reload|force-reload|condrestart|try-restart|status}
[root@localhost ~]# /etc/init.d/sshd restart
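The edit-and-verify step above, as an added example that is not part of the original post: a bash script that applies the same directives to a copy of sshd_config and then checks the values sshd would actually use, honouring the first-uncommented-occurrence rule. It assumes GNU awk and sed as shipped with CentOS 6, builds its own seven-line sample config instead of touching /etc/ssh/sshd_config, and the function names, the sample and the extra PubkeyAuthentication yes / PasswordAuthentication no lines are this example's own, not the post's.

```bash
#!/bin/bash
# Added example, not part of the original post: apply the sshd_config edits
# from step 4 to a COPY of the file and verify the values sshd would use.
# sshd honours the FIRST uncommented occurrence of a directive, so the
# checker must mimic that instead of grepping for any match. Assumes GNU
# awk/sed (CentOS 6); sample config and function names are this example's own.
set -eu

# Effective value of a directive: first uncommented match wins (as in sshd).
# Prints nothing when the directive only appears commented out (= default).
ssh_effective() {               # usage: ssh_effective <Directive> <file>
    awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# Set a directive: the first occurrence (commented or not) becomes "key value";
# any later uncommented copy is commented out so it cannot shadow the new one;
# if the directive is absent it is appended.
ssh_set() {                     # usage: ssh_set <Directive> <value> <file>
    local key="$1" val="$2" f="$3" tmp
    tmp=$(mktemp)
    awk -v key="$key" -v val="$val" '
        $1 == key || $1 == ("#" key) {
            if (!done) { print key " " val; done = 1 } else if ($1 == key) { print "#" $0 } else { print }
            next
        }
        { print }
        END { if (!done) print key " " val }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Constructed sample of the CentOS 6 shipped defaults relevant to step 4.
make_sample_config() {          # usage: make_sample_config <file>
    cat > "$1" <<'EOF'
#Port 22
Protocol 2
#PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
#UseDNS yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# The post's changes, plus key-only authentication once authorized_keys is in place.
harden_copy() {                 # usage: harden_copy <file>
    ssh_set Port 52000 "$1"
    ssh_set Protocol 2 "$1"
    ssh_set PermitRootLogin no "$1"
    ssh_set UseDNS no "$1"
    ssh_set PubkeyAuthentication yes "$1"   # beyond the post: ends password guessing
    ssh_set PasswordAuthentication no "$1"
}

# Gate before `service sshd restart`: returns 0 only if every value is effective.
verify_copy() {                 # usage: verify_copy <file>
    local f="$1" pair key want got
    for pair in Port=52000 Protocol=2 PermitRootLogin=no UseDNS=no \
                PubkeyAuthentication=yes PasswordAuthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(ssh_effective "$key" "$f")
        [ "$got" = "$want" ] || { echo "MISMATCH $key: want $want, got '${got:-<default>}'" >&2; return 1; }
    done
}

main() {
    local f; f=$(mktemp)
    make_sample_config "$f"
    echo "before: PermitRootLogin=$(ssh_effective PermitRootLogin "$f")"   # empty = default
    harden_copy "$f"
    verify_copy "$f" && echo "after: all expected directives are effective"
    cat "$f"
    rm -f "$f"
}
main "$@"
```

On a real host, run harden_copy and verify_copy against a copy of /etc/ssh/sshd_config, then "sshd -t -f" that copy before moving it into place; verify_copy is the check that would have caught the shadowing problem of an old "Port" line left uncommented further down the file.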

 

5:  Kernel parameter tuning (sysctl)

[root@localhost ~]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.
#
# Use '/sbin/sysctl -a' to list all possible parameters.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

# Kernel tuning parameters added below
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_max=65536
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=180
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384

[root@localhost ~]# sysctl -p    # apply the file
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384

About the three errors: the net.ipv4.*ip_conntrack* names belong to the 2.6.18 (RHEL 5) kernel. On CentOS 6 the equivalents are net.netfilter.nf_conntrack_max and net.netfilter.nf_conntrack_tcp_timeout_established, and they only exist while the nf_conntrack module is loaded, which it is not once iptables has been stopped as in step 3. sysctl -p reports each unknown key and carries on, so every other line was still applied (the duplicate net.ipv4.tcp_syncookies = 1 is harmless).

One of the tuning values deserves a warning rather than a copy-paste: net.ipv4.tcp_tw_recycle = 1 makes the kernel drop SYNs from any source address whose TCP timestamps appear to go backwards, which is exactly what a crowd of users behind one NAT looks like, so they intermittently fail to connect. Leave it at 0 on anything internet-facing; the option was removed from Linux 4.12 for this reason. tcp_syn_retries = 1 and tcp_fin_timeout = 2 are likewise aggressive values for a high-connection-rate web server on a clean network and make the host give up quickly on lossy paths.
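An added example, not part of the original post, that catches those unknown keys before "sysctl -p" is ever run and rewrites the RHEL 5-era conntrack names to their CentOS 6 equivalents. It is a bash script; the /proc/sys root is a parameter so the check can be exercised against a constructed directory tree, and the function names and the sample sysctl.conf (a slice of the file above, including the three bad keys) are this example's own assumptions.

```bash
#!/bin/bash
# Added example, not part of the original post. Pre-flight a sysctl.conf:
# a key is valid only if /proc/sys/<key with "." -> "/"> exists on the running
# kernel, and the conntrack keys on CentOS 6 live under net.netfilter.*
# (present only while nf_conntrack is loaded). Function and sample names are
# this example's own assumptions.
set -eu

# /proc/sys path for a key; the root is a parameter so tests can use a fake tree.
sysctl_path() {                 # usage: sysctl_path <key> [<root>]
    printf '%s/%s\n' "${2:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

# Keys in a sysctl.conf (comments and blank lines ignored) that the kernel
# does not expose: exactly the ones `sysctl -p` would report as unknown.
sysctl_missing_keys() {         # usage: sysctl_missing_keys <conf> [<root>]
    local conf="$1" root="${2:-/proc/sys}" key rest
    sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' "$conf" |
    while IFS='=' read -r key rest; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        [ -e "$(sysctl_path "$key" "$root")" ] || printf '%s\n' "$key"
    done
}

# Settings that are a liability on an internet-facing host: tcp_tw_recycle=1
# drops SYNs from NAT'd clients with out-of-order timestamps (removed in 4.12),
# and ip_forward=1 turns a server that is not a router into a pivot point.
sysctl_risky_keys() {           # usage: sysctl_risky_keys <conf>
    awk -F= '
        /^[[:space:]]*[#;]/ { next }
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == "net.ipv4.tcp_tw_recycle" && $2 == "1" { print $1 }
        $1 == "net.ipv4.ip_forward"     && $2 == "1" { print $1 }
    ' "$1"
}

# Rewrite the RHEL 5-era conntrack names to the CentOS 6 ones, in place.
# net.ipv4.ip_conntrack_max is older still and would only duplicate
# nf_conntrack_max, so that line is dropped rather than renamed.
modernize_conntrack_keys() {    # usage: modernize_conntrack_keys <conf>
    sed -i -e '/^[[:space:]]*net\.ipv4\.ip_conntrack_max[[:space:]]*=/d' \
           -e 's/^[[:space:]]*net\.ipv4\.netfilter\.ip_conntrack_/net.netfilter.nf_conntrack_/' "$1"
}

# Constructed sample: a slice of the post's sysctl.conf with the three bad keys.
make_sample_conf() {            # usage: make_sample_conf <file>
    cat > "$1" <<'EOF'
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_max=65536
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=180
net.core.somaxconn = 16384
EOF
}

main() {
    local conf; conf=$(mktemp)
    make_sample_conf "$conf"
    echo "keys the running kernel does not expose:"
    sysctl_missing_keys "$conf" | sed 's/^/  /'
    echo "risky settings:"
    sysctl_risky_keys "$conf" | sed 's/^/  /'
    modernize_conntrack_keys "$conf"
    echo "conntrack lines after renaming:"
    grep conntrack "$conf" | sed 's/^/  /'
    rm -f "$conf"
}
main "$@"
```

Run sysctl_missing_keys against the real /etc/sysctl.conf with no second argument to use the live /proc/sys; on a box where iptables is off, the renamed nf_conntrack keys will still show up as missing until the module is loaded, which is the correct answer rather than a bug in the check.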

 

6:  Idle timeout (TMOUT)

For safety, make an idle shell log itself out automatically, so a session left open on an unattended terminal does not stay usable by whoever walks up next.

Temporary, for the current shell only:

[root@centos6 ~]# export TMOUT=5
[root@centos6 ~]# timed out waiting for input: auto-logout

Permanent, for every login shell:

[root@centos6 ~]# echo "export TMOUT=300" >> /etc/profile    # 5 minutes is the usual production value
[root@centos6 ~]# source /etc/profile

TMOUT is an ordinary shell variable, so a user can simply "unset TMOUT" to escape it; add "readonly TMOUT" after the export in /etc/profile if the timeout is meant to be enforced rather than suggested. It only applies to interactive shells waiting at a prompt: a session running a long command is not affected.

 

7:  Raise the file descriptor limit

A file descriptor is a handle, a non-negative integer (in practice in the range 0 to 65535), that a process uses to refer to a file it has opened. The descriptor is associated with an object holding the related state (open mode, file position, file type and so on), which is called the file's context.

To the kernel, every open file is referred to through a file descriptor. When a process opens an existing file or creates a new one, the kernel returns a descriptor to the process.

By convention, UNIX shells use 0 for standard input, 1 for standard output and 2 for standard error.

Check the default per-process limit, then raise it ("-" sets both the soft and the hard limit):

[root@centos6 ~]# ulimit -n
1024
[root@centos6 ~]# echo "* - nofile 65535" >> /etc/security/limits.conf
(log out and back in: limits.conf is applied by pam_limits at login, so the running shell keeps the old value)
[root@centos6 ~]# ulimit -n
65535

Two things to check: the "*" wildcard in limits.conf does not apply to root, which needs its own "root - nofile 65535" line, and on CentOS 6 the files in /etc/security/limits.d/ are read after limits.conf and can override it (the stock 90-nproc.conf only sets nproc, but look for others).

 

8:  Hide the system version banner

[cairui@localhost ~]$ cat /etc/issue
CentOS release 6.8 (Final)
Kernel \r on an \m
[cairui@localhost ~]$ cat /etc/issue.net
CentOS release 6.8 (Final)
Kernel \r on an \m

Emptying both files removes the release and kernel version from the pre-login prompt:

[root@localhost ~]# > /etc/issue
[root@localhost ~]# > /etc/issue.net

/etc/issue is what getty prints on the local console; /etc/issue.net is only ever sent over SSH if sshd_config contains "Banner /etc/issue.net" (the default is no banner). What this does not hide is the SSH protocol banner itself ("SSH-2.0-OpenSSH_5.3" on CentOS 6), which sshd must send before authentication and which is what scanners actually fingerprint.

 

9:  Password-protect the GRUB boot menu

Anyone at the console can edit the kernel line in GRUB (appending "single" or "init=/bin/bash"), boot to a root shell without a password and then reset the root password. GRUB does not reveal the existing root password, it lets the console user replace it; a GRUB password blocks editing the menu entries.

[root@localhost ~]# /sbin/grub-md5-crypt
Password:
Retype password:
$1$kpiKh/$..jTvOdnHGnMsqqs5OWlM/
[root@localhost ~]# vi /etc/grub.conf
[root@localhost ~]# cat /etc/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sda3
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$hv58gkgk9G995885/JG0orl4m
title CentOS 6 (2.6.32-642.el6.x86_64)
    root (hd0,0)
    kernel /vmlinuz-2.6.32-642.el6.x86_64 ro root=UUID=57e48303-c321-4c12-8ac4-7596c31f55ef rd_NO_LUKS  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_MD crashkernel=auto LANG=zh_CN.UTF-8 rd_NO_LVM rd_NO_DM rhgb quiet
    initrd /initramfs-2.6.32-642.el6.x86_64.img

The "password --md5 ..." line is the one added. It must sit in the global section, before the first "title", and must carry the hash exactly as grub-md5-crypt printed it (the value in the file above is not the one generated in the listing, so paste your own rather than copying this one). With it in place, "e" (edit) and "c" (command line) at the menu require "p" and the password first, while a plain boot of the default entry still works. Keep /etc/grub.conf readable by root only (CentOS installs it 0600), since an MD5-crypt hash is cheap to crack offline, and remember that this only protects the menu: someone with physical access can still boot other media unless the BIOS boot order is locked as well.

 

10:  Set the character set (locale)

[root@centos6 ssh]# echo $LANG
en_US.UTF-8
[root@centos6 ssh]# cat /etc/sysconfig/i18n
LANG="en_US.UTF-8"
SYSFONT="latarcyrheb-sun16"
[root@centos6 ssh]# cp /etc/sysconfig/i18n /etc/sysconfig/i18n.2016.12.21
[root@centos6 ssh]# sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.UTF-8"#g' /etc/sysconfig/i18n
[root@centos6 ssh]# source /etc/sysconfig/i18n
[root@centos6 ssh]# echo $LANG
zh_CN.UTF-8

 

 

 
