最近公司新升級了服務器系統到CentOS6.7,精心做了一套系統優化方案
centos優化
配置網卡
修改主機名
關閉selinux,清空防火牆
新建普通用戶並visudo授權
更改yum源,安裝常用軟件
定時任務,定時更新時間
精簡開機啟動項
定時任務在自動清理/var/spool/maildrop/目錄垃圾文件,防止inode占滿
更改ssh服務端口,禁止root用戶遠程連接
鎖定關鍵文件系統
調整文件描述符大小
調整字符集,使其支持中文
去除系統及內核版本登錄前的屏幕顯示
內核參數優化
1、配置網卡(此處為克隆機所以刪除了UUID和MAC)
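vim /etc/sysconfig/network-scripts/ifcfg-eth0
# Contents of ifcfg-eth0: static addressing. The UUID and MAC lines are left
# out because this machine is a clone.
# DEVICE must name the interface this file configures (the listing printed
# "eth", which matches no interface).
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
# Static configuration, no DHCP client.
BOOTPROTO=none
IPV6INIT=no
# Only root may bring this interface up or down.
USERCTL=no
IPADDR=10.0.0.100
NETMASK=255.255.255.0
GATEWAY=10.0.0.2
DNS1=10.0.0.2
DNS2=223.5.5.5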
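vim /etc/sysconfig/network-scripts/ifcfg-eth1
# Contents of ifcfg-eth1. DEVICE has to match the file's interface; the
# listing printed eth0 here, which would make two files claim the same NIC.
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPV6INIT=no
USERCTL=no
# NOTE(review): address, gateway and DNS are printed identical to ifcfg-eth0.
# Two interfaces must not share one IP; replace these with the second NIC's
# own values before bringing eth1 up.
IPADDR=10.0.0.100
NETMASK=255.255.255.0
GATEWAY=10.0.0.2
DNS1=10.0.0.2
DNS2=223.5.5.5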
重啟網卡eth1
# Bounce eth1 so the edited ifcfg file is applied; ifup only runs when
# ifdown succeeded.
ifdown eth1 && ifup eth1
# Restart the whole network service through its init script.
/etc/init.d/network restart
# Clone hygiene: append a command to rc.local that truncates the udev
# persistent-net rules at every boot, so a cloned VM does not keep the
# template's interface-to-MAC mapping.
printf '%s\n' '>/etc/udev/rules.d/70-persistent-net.rules' >>/etc/rc.local
# Change the running hostname only; this is temporary and is lost on reboot.
hostname zhang
# Make it permanent by editing the HOSTNAME= line in this file.
vim /etc/sysconfig/network
3、檢查DNS
阿裡DNS服務器:223.5.5.5
vim /etc/resolv.conf
(網卡配置文件中設置的DNS優先生效)
4、關閉selinux
# Persist SELINUX=disabled in the config file (applies from the next boot)
# and confirm the line is present.
# NOTE(review): this removes mandatory access control from the host. If
# enforcement only has to be relaxed, SELINUX=permissive keeps denial logging
# available for later policy work.
sed -i -e 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
grep SELINUX=disabled /etc/selinux/config
# Put the running system into permissive mode now, then print the mode.
setenforce 0
getenforce
清空防火牆
# Flush every rule in the filter table, log the resulting ruleset, then save
# it so the host also boots with no filter rules.
# NOTE(review): -F leaves chain policies untouched; with the usual ACCEPT
# policy every listening service becomes reachable from any network that can
# route to this host. Load a reviewed allow-list before the server is exposed.
iptables -F
iptables -L 1>>~/install.ok 2>>install.bug
/etc/init.d/iptables save
5、新建普通用戶並visudo授權
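# Create the unprivileged administration account and show its uid/gid.
useradd zhang
id zhang
# Set the password interactively. The listing piped the literal '123456'
# into passwd; a guessable password on an account that holds the sudo rule
# below is equivalent to handing out root.
passwd zhang
# Install the sudo rule as a drop-in instead of appending to /etc/sudoers, so
# re-running does not duplicate the line. Relies on the
# "#includedir /etc/sudoers.d" line in the stock /etc/sudoers; confirm it.
# NOTE(review): NOPASSWD: ALL means anyone who obtains this account is root
# without a further check; drop NOPASSWD unless automation needs it.
echo 'zhang ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/zhang
chmod 0440 /etc/sudoers.d/zhang
# Syntax-check the complete sudoers configuration.
visudo -c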
6、更改yum源
備份本機yum源
法1:自己配置好安裝源配置文件,然後上傳到linux
法2:使用鏡像站點配置好的yum安裝源配置文件
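# Keep the stock repo definition as a backup and log that the backup exists.
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.f1.ori
ls /etc/yum.repos.d/CentOS-Base.repo.f1.ori 1>>~/install.ok 2>>install.bug
# Fetch the mirror's repo definition.
# NOTE(review): this file is downloaded over plain HTTP and decides where
# every later package comes from; read it and confirm gpgcheck=1 is set
# before installing anything.
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
# Rebuild metadata only after the new repo file is in place (the listing ran
# makecache while no base repo file existed).
yum makecache
yum install lrzsz tree sysstat -y
# Log the installed versions. NOTE(review): nmap is queried here but is not
# in the install line above, as printed.
rpm -qa lrzsz tree nmap sysstat 1>>~/install.ok 2>>install.bug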
sysstat:用來檢測系統性能及效率的工具;dos2unix:將dos格式的文本轉換為unix格式;
nmap:網絡掃描和主機檢測工具
grep
過濾變色(實驗用)
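# Colourise grep output for login shells. The listing appended
# grep="grep --color=auto", which only sets a variable named grep; an alias
# is what changes how the command runs.
echo 'alias grep="grep --color=auto"' >> /etc/profile
# Reload the profile in the current shell.
. /etc/profile
# Log the appended line; -F matches it as a fixed string.
grep -F -- 'alias grep="grep --color=auto"' /etc/profile 1>>~/install.ok 2>>install.bug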
7、定時任務,定時更新時間
# Append a root cron entry that runs ntpdate against ntp1.aliyun.com every
# five minutes and discards its output.
printf '%s\n' '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' >> /var/spool/cron/root
# Log root's crontab as it now stands.
crontab -l 1>>~/install.ok 2>>install.bug
8、精簡開機啟動項
# Turn off every service that is currently enabled in runlevel 3.
for svc in $(chkconfig --list | grep "3:on" | awk '{print $1}'); do
  chkconfig "$svc" off
done
# Re-enable only the services whose chkconfig line matches this list.
chkconfig --list \
  | egrep 'crond|network|rsyslog|sshd|sysstat' \
  | awk '{print $1}' \
  | while read -r svc; do
      chkconfig "$svc" on
    done
# Log what remains enabled in runlevel 3.
chkconfig --list | grep "3:on" 1>>~/install.ok 2>>install.bug
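# Directory for local maintenance scripts. Cron runs the script below as
# root, so keep the directory and the script owned by root and not writable
# by anyone else.
mkdir -p /server/scripts
ls -l /server/scripts/ 1>>~/install.ok 2>>install.bug
# Write the cleanup script. The listing's first line "#binbash\" was not a
# shebang, and find | xargs without NUL separators splits odd file names.
cat > /server/scripts/clean_mail.sh <<'EOF'
#!/bin/bash
# Delete queued files under postfix's maildrop directory so they cannot
# exhaust the filesystem's inodes.
find /var/spool/postfix/maildrop -type f -print0 | xargs -0 rm -f
EOF
cat /server/scripts/clean_mail.sh 1>>~/install.ok 2>>install.bug
# Run the cleanup every day at 00:00 from root's crontab.
cat >> /var/spool/cron/root <<'EOF'
# clean /var/spool/postfix/maildrop
00 00 * * * /bin/sh /server/scripts/clean_mail.sh
EOF
crontab -l 1>>~/install.ok 2>>install.bug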
10、更改ssh服務端口,禁止root用戶遠程連接
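# Back up sshd_config. The listing's {,f1.ori} lacked the dot, so the backup
# name did not match the file checked on the next line.
cp /etc/ssh/sshd_config{,.f1.ori}
ls /etc/ssh/sshd_config.f1.ori 1>>~/install.ok 2>>install.bug
# Insert the settings at line 13: non-default port, no root login, no empty
# passwords, no reverse-DNS lookup, no GSSAPI authentication. The listing
# used "-ir", which sed reads as -i with backup suffix "r", not as -i -r.
sed -i '13iPort 52113\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\nGSSAPIAuthentication no' /etc/ssh/sshd_config
sed -n 13,17p /etc/ssh/sshd_config 1>>~/install.ok 2>>install.bug
# Validate the file before sshd is next restarted; a syntax error there
# would stop the daemon from starting. The page shows no restart step: after
# restarting, keep the current session open until a fresh login as the
# non-root user on port 52113 works.
/usr/sbin/sshd -t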
11、鎖定關鍵文件系統
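# Set the immutable flag on the account databases and inittab.
# While the flag is set, useradd, passwd and similar tools fail on these
# files until "chattr -i" is run. Root can clear the flag, so this guards
# against accidental or scripted edits rather than against an intruder who
# already has root.
for f in /etc/passwd /etc/inittab /etc/group /etc/shadow /etc/gshadow; do
  chattr +i "$f"
done
# Log the resulting attributes. lsattr takes no "+i" argument; the listing's
# "lsattr +i FILE" treated +i as a file name.
lsattr /etc/passwd /etc/inittab /etc/group /etc/shadow /etc/gshadow 1>>~/install.ok 2>>install.bug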
使用chattr命令後,為了安全我們需要將其改名
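# Rename the chattr binary. NEW_NAME is a placeholder: choose any name.
# NOTE(review): this is obscurity only. Anyone with root can supply another
# copy of the tool, and a later e2fsprogs package update would presumably put
# chattr back. Record the chosen name for the administrators who need it.
/bin/mv /usr/bin/chattr /usr/bin/NEW_NAME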
13、調整字符集,使其支持中文
# Switch the system locale from en_US.UTF-8 to zh_CN.GB18030 so Chinese text
# is displayed, then load the new setting into the current shell.
sed -i -e 's#LANG="en_US.UTF-8"#LANG="zh_CN.GB18030"#' /etc/sysconfig/i18n
. /etc/sysconfig/i18n
14、去除系統及內核版本登錄前的屏幕顯示
# Empty the pre-login banner so it no longer shows the OS and kernel version.
: > /etc/issue
# Empty the release file as well.
# NOTE(review): scripts and agents that read /etc/redhat-release to detect
# the distribution will see an empty file; confirm nothing on the host
# depends on it before truncating.
: > /etc/redhat-release
老男孩28期章曾整理發布。
在這裡要感謝老男孩老師的教導。
一鍵執行優化
# Section header for the install log.
printf '%s\n' '#######克隆機清空文件#####' 1>>~/install.ok 2>>install.bug
# Append a command to rc.local that truncates the udev persistent-net rules
# at every boot, so a cloned VM does not keep the template's NIC mapping.
printf '%s\n' '>/etc/udev/rules.d/70-persistent-net.rules' >> /etc/rc.local
# Log the last line of rc.local as confirmation.
tail -n 1 /etc/rc.local 1>>~/install.ok 2>>install.bug
# Section header for the install log.
printf '%s\n' '#######修改主機名#####' 1>>~/install.ok 2>>install.bug
# Set the running hostname, then rewrite HOSTNAME= so it survives a reboot.
hostname zhang
sed -i -e 's#HOSTNAME=.*#HOSTNAME=zhang#g' /etc/sysconfig/network
# Log the resulting file.
cat /etc/sysconfig/network 1>>~/install.ok 2>>install.bug
# Section header for the install log.
printf '%s\n' '#######關閉selinux#####' 1>>~/install.ok 2>>install.bug
# Persist SELINUX=disabled (applies from the next boot) and log the line.
# NOTE(review): this removes mandatory access control from the host;
# SELINUX=permissive keeps denial logging if enforcement must be relaxed.
sed -i -e 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
grep SELINUX=disabled /etc/selinux/config 1>>~/install.ok 2>>install.bug
# Switch the running system to permissive mode and log the current mode.
setenforce 0
getenforce 1>>~/install.ok 2>>install.bug
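# Section header for the install log. The listing reused the SELinux header
# here, which mislabels the firewall step in install.ok.
echo '#######清空防火牆#####' 1>>~/install.ok 2>>install.bug
# Flush all filter rules, log the resulting ruleset, and save it so the host
# also boots without filter rules.
# NOTE(review): -F leaves chain policies untouched; with the usual ACCEPT
# policy every listening service is reachable from any network that can
# route to this host. Load a reviewed allow-list before the server is exposed.
iptables -F
iptables -L 1>>~/install.ok 2>>install.bug
/etc/init.d/iptables save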
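# Section header for the install log.
echo '#######新建用戶sudo授權#####' 1>>~/install.ok 2>>install.bug
# The account password must be supplied by the operator through the
# environment. The listing hard-coded '123456'; a guessable password on an
# account with the sudo rule below is equivalent to handing out root.
# Checked first so the account is never created without a password.
: "${ZHANG_PASSWORD:?export ZHANG_PASSWORD before running this script}"
useradd zhang
id zhang 1>>~/install.ok 2>>install.bug
printf '%s\n' "$ZHANG_PASSWORD" | passwd --stdin zhang
# Install the sudo rule as a drop-in instead of appending to /etc/sudoers, so
# re-running the script does not duplicate the line. Relies on the
# "#includedir /etc/sudoers.d" line in the stock /etc/sudoers; confirm it.
# NOTE(review): NOPASSWD: ALL means anyone who obtains this account is root
# without a further check; drop NOPASSWD unless automation needs it.
echo 'zhang ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/zhang
chmod 0440 /etc/sudoers.d/zhang
# Syntax-check the complete sudoers configuration and log the result.
visudo -c 1>>~/install.ok 2>>install.bug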
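# Section header for the install log.
echo '#######更改yum源安裝常用軟件#####' 1>>~/install.ok 2>>install.bug
# Download the mirror's repo definition next to the live file and swap it in
# only when the download succeeded; the listing moved the stock file away
# first, so a failed download left the host with no base repo.
# NOTE(review): the file is fetched over plain HTTP and decides where every
# later package comes from; review it and confirm gpgcheck=1 is set.
if wget -O /etc/yum.repos.d/CentOS-Base.repo.new http://mirrors.aliyun.com/repo/Centos-6.repo; then
  mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
  mv /etc/yum.repos.d/CentOS-Base.repo.new /etc/yum.repos.d/CentOS-Base.repo
else
  # Remove the partial download; yum keeps using the stock repo file.
  rm -f /etc/yum.repos.d/CentOS-Base.repo.new
fi
# Log whether the backup exists (an error here means the swap did not happen).
ls /etc/yum.repos.d/CentOS-Base.repo.backup 1>>~/install.ok 2>>install.bug
yum install lrzsz tree sysstat -y
# Log the installed versions. NOTE(review): nmap is queried here but is not
# in the install line above, as printed.
rpm -qa lrzsz tree nmap sysstat 1>>~/install.ok 2>>install.bug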
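# Section header for the install log.
echo '#######grep變色#####' 1>>~/install.ok 2>>install.bug
# Colourise grep output for login shells. The listing appended
# grep="grep --color=auto", which only sets a variable named grep; an alias
# is what changes how the command runs.
echo 'alias grep="grep --color=auto"' >> /etc/profile
# Reload the profile in the current shell.
. /etc/profile
# Log the appended line; -F matches it as a fixed string.
grep -F -- 'alias grep="grep --color=auto"' /etc/profile 1>>~/install.ok 2>>install.bug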
# Section header for the install log.
printf '%s\n' '#######定時更新時間#####' 1>>~/install.ok 2>>install.bug
# Append a root cron entry that runs ntpdate against ntp1.aliyun.com every
# five minutes and discards its output.
printf '%s\n' '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' >> /var/spool/cron/root
# Log root's crontab as it now stands.
crontab -l 1>>~/install.ok 2>>install.bug
# Section header for the install log.
printf '%s\n' '#######精簡開機啟動項#####' 1>>~/install.ok 2>>install.bug
# Turn off every service that is currently enabled in runlevel 3.
for svc in $(chkconfig --list | grep "3:on" | awk '{print $1}'); do
  chkconfig "$svc" off
done
# Re-enable only the services whose chkconfig line matches this list.
chkconfig --list \
  | egrep 'crond|network|rsyslog|sshd|sysstat' \
  | awk '{print $1}' \
  | while read -r svc; do
      chkconfig "$svc" on
    done
# Log what remains enabled in runlevel 3.
chkconfig --list | grep "3:on" 1>>~/install.ok 2>>install.bug
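# Section header for the install log.
echo '#######清理臨時郵件隊列#####' 1>>~/install.ok 2>>install.bug
# Directory for local maintenance scripts. Cron runs the script below as
# root, so keep the directory and the script owned by root and not writable
# by anyone else.
mkdir -p /server/scripts
ls -l /server/scripts/ 1>>~/install.ok 2>>install.bug
# Write the cleanup script. The listing's first line "#binbash\" was not a
# shebang, and find | xargs without NUL separators splits odd file names.
cat > /server/scripts/clean_mail.sh <<'EOF'
#!/bin/bash
# Delete queued files under postfix's maildrop directory so they cannot
# exhaust the filesystem's inodes.
find /var/spool/postfix/maildrop -type f -print0 | xargs -0 rm -f
EOF
cat /server/scripts/clean_mail.sh 1>>~/install.ok 2>>install.bug
# Run the cleanup every day at 00:00 from root's crontab.
cat >> /var/spool/cron/root <<'EOF'
# clean /var/spool/postfix/maildrop
00 00 * * * /bin/sh /server/scripts/clean_mail.sh
EOF
crontab -l 1>>~/install.ok 2>>install.bug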
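# Back up sshd_config and log that the backup exists.
cp /etc/ssh/sshd_config{,.f1.ori}
ls /etc/ssh/sshd_config.f1.ori 1>>~/install.ok 2>>install.bug
# Section header for the install log.
echo '#######ssh安全#####' 1>>~/install.ok 2>>install.bug
# Insert the settings at line 13: non-default port, no root login, no empty
# passwords, no reverse-DNS lookup, no GSSAPI authentication. The listing
# used "-ir", which sed reads as -i with backup suffix "r", not as -i -r.
sed -i '13iPort 52113\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\nGSSAPIAuthentication no' /etc/ssh/sshd_config
sed -n 13,17p /etc/ssh/sshd_config 1>>~/install.ok 2>>install.bug
# Validate the file before sshd is next restarted; a syntax error there
# would stop the daemon from starting. The script does not restart sshd:
# after restarting, keep the current session open until a fresh login as the
# non-root user on port 52113 works.
/usr/sbin/sshd -t 1>>~/install.ok 2>>install.bug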
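# Section header for the install log.
echo '#######鎖定重要文件#####' 1>>~/install.ok 2>>install.bug
# Set the immutable flag on the account databases and inittab.
# While the flag is set, useradd, passwd and similar tools fail on these
# files until "chattr -i" is run. Root can clear the flag, so this guards
# against accidental or scripted edits rather than against an intruder who
# already has root.
for f in /etc/passwd /etc/inittab /etc/group /etc/shadow /etc/gshadow; do
  chattr +i "$f"
done
# Log the resulting attributes. lsattr takes no "+i" argument; the listing's
# "lsattr +i FILE" treated +i as a file name.
lsattr /etc/passwd /etc/inittab /etc/group /etc/shadow /etc/gshadow 1>>~/install.ok 2>>install.bug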
# Section header for the install log.
printf '%s\n' '#######清空內核系統名#####' 1>>~/install.ok 2>>install.bug
# Empty the pre-login banner so it no longer shows the OS and kernel version.
: > /etc/issue
# Empty the release file as well.
# NOTE(review): scripts and agents that read /etc/redhat-release to detect
# the distribution will see an empty file; confirm nothing on the host
# depends on it before truncating.
: > /etc/redhat-release