Linux basic optimization configuration
1. Add an operating user to the system and grant it sudo privileges
[root@localhost ~]# groupadd cai
[root@localhost ~]# useradd cai -g cai
[root@localhost ~]# passwd cai
更改用戶 cai 的密碼 。
新的 密碼:
無效的密碼: 過於簡單化/系統化
無效的密碼: 過於簡單
重新輸入新的 密碼:
passwd: 所有的身份驗證令牌已經成功更新。
[root@localhost ~]# su - cai
The sudo configuration file is /etc/sudoers, but it is read-only; to modify it, use the "visudo" command. Each entry has the form:
Username   Terminals (hosts) the user may log in from   Specific command (absolute path; look it up with "which")
cairui ALL=(ALL) /usr/sbin/useradd
2. Configure a domestic (China) mirror as the Yum source
Download the repo file for your CentOS version and put it in /etc/yum.repos.d/ (make a backup before doing this):
[root@localhost ~]# cd /etc/yum.repos.d
[root@localhost ~]# wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
3. Turn off the firewall (iptables) and SELinux
(1) Configuring the firewall and SELinux is troublesome and takes a lot of time, so the simplest thing is to turn them off.
Stop the firewall temporarily (the init script can also show its status, restart, stop and start it):
[root@localhost ~]# /etc/init.d/iptables
Usage: iptables
Permanently disable the firewall (do not start it at boot):
[root@localhost ~]# chkconfig iptables off
Check whether iptables starts at boot:
(2) Turn off SELinux
[root@localhost ~]# vim /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
#SELINUX=enforcing
SELINUX=disabled      <-- change to disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
4. Change the default configuration of the ssh service
Back up the default configuration before modifying it:
[root@localhost ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
Then edit it:
[root@localhost ~]# vim /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
Port 52000      <-- change the default Linux ssh port
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no      <-- do not allow root to log in (everyone knows the root account can log in)
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
UseDNS no      <-- do not use DNS lookups
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
Restart the service after making the changes:
[root@localhost ~]# /etc/init.d/sshd
用法:/etc/init.d/sshd
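As an added check for this section (my example, not code from the post): a small POSIX sh audit that reads an sshd_config the way sshd does, first non-comment occurrence of a keyword wins, and reports which of the four changes above (Port, Protocol, PermitRootLogin, UseDNS) are still missing. The sample file it writes is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# section 4 changes (Port, Protocol, PermitRootLogin, UseDNS).
# Usage: audit_sshd_config /etc/ssh/sshd_config

# effective_value FILE KEYWORD -> the value sshd will use. sshd keeps the
# first setting of a keyword and ignores later ones, so print the first
# non-comment match; keyword matching is case-insensitive like sshd's.
effective_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE -> one finding per line; exit status = number of findings
audit_sshd_config() {
    f="$1"; n=0
    v=$(effective_value "$f" Port); [ -n "$v" ] || v=22       # sshd default when unset
    [ "$v" != "22" ] || { echo "Port is 22 (the post moves it to 52000)"; n=$((n+1)); }
    v=$(effective_value "$f" Protocol)
    [ "$v" = "2" ] || { echo "Protocol is not pinned to 2 (value: '${v:-unset}')"; n=$((n+1)); }
    v=$(effective_value "$f" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin is not no (value: '${v:-unset}')"; n=$((n+1)); }
    v=$(effective_value "$f" UseDNS)
    [ "$v" = "no" ] || { echo "UseDNS is not no (value: '${v:-unset}')"; n=$((n+1)); }
    return $n
}

# make_sample FILE -> writes a constructed config (not a real host's file): the
# stock CentOS 6 defaults with only UseDNS already changed
make_sample() {
    cat > "$1" <<'EOF'
#Port 22
Port 22
Protocol 2
#PermitRootLogin yes
PermitRootLogin yes
#UseDNS yes
UseDNS no
EOF
}

main() {
    tmp=$(mktemp); make_sample "$tmp"
    audit_sshd_config "$tmp"; echo "findings: $?"
    rm -f "$tmp"
}
main
```

Run audit_sshd_config /etc/ssh/sshd_config on a real host. The post keeps PasswordAuthentication yes, so the audit does not flag it; add a fifth check if you later move to key-only logins.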
5. System kernel optimization
[root@localhost ~]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.
#
# Use '/sbin/sysctl -a' to list all possible parameters.

# Controls IP packet forwarding
net.ipv4.ip_forward=0

# Controls source route verification
net.ipv4.conf.default.rp_filter=1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route=0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq=0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid=1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies=1

# Controls the default maxmimum size of a mesage queue
kernel.msgmnb=65536

# Controls the maximum size of a message, in bytes
kernel.msgmax=65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax=68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall=4294967296

# The kernel tuning parameters below were added
net.ipv4.tcp_syn_retries=1
net.ipv4.tcp_synack_retries=1
net.ipv4.tcp_keepalive_time=600
net.ipv4.tcp_keepalive_probes=3
net.ipv4.tcp_keepalive_intvl=15
net.ipv4.tcp_retries2=5
net.ipv4.tcp_fin_timeout=2
net.ipv4.tcp_max_tw_buckets=36000
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_max_orphans=3276
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=16384
net.ipv4.tcp_wmem=8192 131072 16777216
net.ipv4.tcp_rmem=32768 131072 16777216
net.ipv4.tcp_mem=786432 1048576 1572864
net.ipv4.ip_local_port_range=1024 65000
net.ipv4.ip_conntrack_max=65536
net.ipv4.netfilter.ip_conntrack_max=65536
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=180
net.core.somaxconn=16384
net.core.netdev_max_backlog=16384
[root@localhost ~]# sysctl -p      <-- apply the configuration
net.ipv4.ip_forward=0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
kernel.sysrq=0
kernel.core_uses_pid=1
net.ipv4.tcp_syncookies=1
kernel.msgmnb=65536
kernel.msgmax=65536
kernel.shmmax=68719476736
kernel.shmall=4294967296
net.ipv4.tcp_syn_retries=1
net.ipv4.tcp_synack_retries=1
net.ipv4.tcp_keepalive_time=600
net.ipv4.tcp_keepalive_probes=3
net.ipv4.tcp_keepalive_intvl=15
net.ipv4.tcp_retries2=5
net.ipv4.tcp_fin_timeout=2
net.ipv4.tcp_max_tw_buckets=36000
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_max_orphans=32768
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=16384
net.ipv4.tcp_wmem=8192 131072 16777216
net.ipv4.tcp_rmem=32768 131072 16777216
net.ipv4.tcp_mem=786432 1048576 1572864
net.ipv4.ip_local_port_range=1024 65000
error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
net.core.somaxconn=16384
net.core.netdev_max_backlog=16384
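The three "unknown key" errors above are the kind of mistake that is cheaper to catch before sysctl -p than after. As an added example (mine, not from the post), this POSIX sh script checks every key in a sysctl.conf for a matching /proc/sys entry; the directory tree and config excerpt it creates are constructed so it runs offline, and the sysroot parameter is my addition.

```shell
#!/bin/sh
# Added example, not from the original post: check the keys in a sysctl.conf
# against the running kernel before 'sysctl -p', so unknown keys like the three
# ip_conntrack entries above are reported up front. A key a.b.c is known when
# /proc/sys/a/b/c exists. SYSROOT defaults to /proc/sys and is a parameter so
# the self-test below can use a constructed directory tree instead.

# sysctl_keys FILE -> the keys in FILE, one per line ('a.b = 1' and 'a.b=1' both
# accepted; comments and blank lines skipped)
sysctl_keys() {
    sed -e 's/#.*//' -e 's/[[:space:]]*=.*//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}

# check_sysctl_conf FILE [SYSROOT] -> prints each unknown key; exit status = count
check_sysctl_conf() {
    conf="$1"; root="${2:-/proc/sys}"; n=0
    for key in $(sysctl_keys "$conf"); do
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -e "$path" ]; then
            echo "unknown key: $key (no $path)"
            n=$((n+1))
        fi
    done
    return $n
}

# make_demo DIR -> constructed stand-in for /proc/sys plus a sysctl.conf excerpt:
# the CentOS 6 keys exist, the ip_conntrack_* names from the post do not
make_demo() {
    for k in net/ipv4/tcp_syncookies net/ipv4/tcp_max_syn_backlog net/core/somaxconn; do
        mkdir -p "$1/$(dirname "$k")" && : > "$1/$k"
    done
    cat > "$1/sysctl.conf" <<'EOF'
# constructed excerpt of the post's /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog=16384
net.ipv4.ip_conntrack_max=65536
net.ipv4.netfilter.ip_conntrack_max=65536
net.core.somaxconn=16384
EOF
}

main() {
    d=$(mktemp -d); make_demo "$d"
    check_sysctl_conf "$d/sysctl.conf" "$d"; echo "unknown keys: $?"
    rm -rf "$d"
}
main
```

On the 2.6.32 kernel in the post the conntrack tunables (net.netfilter.nf_conntrack_*) exist only while the nf_conntrack module is loaded, which stopping iptables in section 3 makes unlikely; check sysctl -a | grep conntrack before adding them.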
6. Timeout setting (timeout)
For system security, set the shell to log out automatically after a period with no input.
Effective for the current session only:
[root@centos6 ~]# export TMOUT=5
[root@centos6 ~]# timed out waiting for input: auto-logout
Permanent configuration:
[root@centos6 ~]# echo "export TMOUT=300" >> /etc/profile      <-- 5 minutes in a real production environment
[root@centos6 ~]# source /etc/profile
7. Raise the file descriptor limit
A file descriptor is a handle represented by an unsigned integer (generally in the range 0~65535) that a process uses to identify an open file. The descriptor is associated with an object holding related information (such as the file's open mode, the type of its file position, its initial type, and so on); this information is called the file's context.
For the kernel, all open files are referenced through file descriptors. When an existing file is opened or a new file is created, the kernel returns a file descriptor to the process.
By convention, UNIX shells use 0 for standard input, 1 for standard output and 2 for standard error.
Check the system's default file descriptor limit:
[root@centos6 ~]# ulimit -n
1024
[root@centos6 ~]# echo "* - nofile 65535" >> /etc/security/limits.conf
Log out and log back in for the new limit to take effect:
[root@centos6 ~]# ulimit -n
65535
8. Hide system version information
[cairui@localhost ~]$ cat /etc/issue
CentOS release 6.8 (Final)
Kernel \r on an \m

[cairui@localhost ~]$ cat /etc/issue.net
CentOS release 6.8 (Final)
Kernel \r on an \m

Simply empty the contents of the files above to hide this information.
9. Password-protect the GRUB boot menu (because through GRUB one can get in and see the root password)
[root@localhost ~]# /sbin/grub-md5-crypt
Password:
Retype password:
$1$kpiKh/$..jTvOdnHGnMsqqs5OWlM/
[root@localhost ~]# vi /etc/grub.conf
[root@localhost ~]# cat /etc/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sda3
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$hv58gkgk9G995885/JG0orl4m      <-- added afterwards
title CentOS 6 (2.6.32-642.el6.x86_64)
	root (hd0,0)
	kernel /vmlinuz-2.6.32-642.el6.x86_64 ro root=UUID=57e48303-c321-4c12-8ac4-7596c31f55ef rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=us rd_NO_MD crashkernel=auto LANG=zh_CN.UTF-8 rd_NO_LVM rd_NO_DM rhgb quiet
	initrd /initramfs-2.6.32-642.el6.x86_64.img
10. Adjust the character set (locale)
[root@centos6 ssh]# echo $LANG
en_US.UTF-8
[root@centos6 ssh]# cat /etc/sysconfig/i18n
LANG="en_US.UTF-8"
SYSFONT="latarcyrheb-sun16"
[root@centos6 ssh]# cp /etc/sysconfig/i18n /etc/sysconfig/i18n.2016.12.21
[root@centos6 ssh]# sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.UTF-8"#g' /etc/sysconfig/i18n
[root@centos6 ssh]# source /etc/sysconfig/i18n
[root@centos6 ssh]# echo $LANG
zh_CN.UTF-8

