System information:
[root@nfs01 ~]# uname -r
2.6.32-696.el6.x86_64
[root@nfs01 ~]# uname -m
x86_64
[root@nfs01 ~]# cat /etc/redhat-release
CentOS release 6.9 (Final)
Change the yum source
mv /etc/yum.repos.d/CentOS-Base.repo{,.$(date +%F_%T).backup}
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
yum makecache
Turn off SELinux
\cp /etc/selinux/config{,.$(date +%F_%T).backup}
sed -i "s#SELINUX=enforcing#SELINUX=disabled#g" /etc/selinux/config
grep 'SELINUX=disable' /etc/selinux/config
setenforce 0
getenforce
Close iptables
/etc/init.d/iptables stop
chkconfig iptables off
Streamline the boot auto-start services
export LANG=en
chkconfig --list | egrep "3:on" | egrep -v "crond|network|sshd|rsyslog|sysstat" | awk '{print "chkconfig",$1,"off"}' | bash
chkconfig --list | grep 3:on
Grant the user abc sudo privileges
useradd abc
\cp /etc/sudoers{,.$(date +%F_%T).backup}
echo "abc ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
tail -1 /etc/sudoers
# check the sudoers syntax after editing
visudo -c
Time synchronization
echo '# time sync by odlboy at 2018-2-1' >> /var/spool/cron/root
echo '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' >> /var/spool/cron/root
crontab -l
Increase the file descriptor limit
\cp /etc/security/limits.conf{,.$(date +%F_%T).backup}
echo '* - nofile 65535' >> /etc/security/limits.conf
tail -1 /etc/security/limits.conf
# takes effect after reboot
ulimit -n
Kernel optimization
\cp /etc/sysctl.conf{,.$(date +%F_%T).backup}
cat >>/etc/sysctl.conf<<EOF
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle breaks clients behind NAT (the option was removed in Linux 4.12)
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
# The following parameters tune the iptables firewall; if the firewall is not running, sysctl prints a warning for them that can be ignored
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
# the key uses an underscore (close_wait); "close-wait" is not a valid sysctl name
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
# make the parameters in the kernel configuration file take effect
sysctl -p
Download and install basic system software
yum -y install tree lrzsz telnet nc nmap dos2unix sysstat htop nload iptraf iftop
Change the SSH server remote login configuration (modify selectively; make sure you do not lock yourself out)
\cp /etc/ssh/sshd_config{,.$(date +%F_%T).backup}
sed -i 's/#Port 22/Port 52113/g' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
/etc/init.d/sshd reload
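The sed edits above only match the exact commented-out defaults ("#Port 22", "#PermitRootLogin yes"), so a config that already carries an uncommented "Port 22" is left unchanged and the reload succeeds silently. The following audit script is an added example, not part of the original post; it reads the effective value of each keyword from a given sshd_config file and counts weak settings, using constructed sample files rather than the host's real config.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file for the
# settings the post's sed edits are meant to produce, reading the effective
# (uncommented) value rather than trusting that the sed pattern matched.

# effective_value FILE KEYWORD: print the last uncommented value (keywords are
# case-insensitive in sshd_config), or nothing if the keyword is absent.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

# audit_sshd FILE: print one line per weak setting; the return value is the
# number of findings. Assumed CentOS 6 sshd defaults when a keyword is missing:
# Port 22, PermitRootLogin yes, PermitEmptyPasswords no, UseDNS yes.
audit_sshd() {
    f="$1"; n=0
    port=$(effective_value "$f" Port)
    [ "${port:-22}" = 22 ] && { echo "Port: still listening on the default 22"; n=$((n+1)); }
    prl=$(effective_value "$f" PermitRootLogin)
    [ "${prl:-yes}" = yes ] && { echo "PermitRootLogin: root may log in remotely"; n=$((n+1)); }
    pep=$(effective_value "$f" PermitEmptyPasswords)
    [ "${pep:-no}" = yes ] && { echo "PermitEmptyPasswords: empty passwords accepted"; n=$((n+1)); }
    dns=$(effective_value "$f" UseDNS)
    [ "${dns:-yes}" = yes ] && { echo "UseDNS: reverse DNS lookups delay logins"; n=$((n+1)); }
    return $n
}

# Constructed sample configs (not real files from the post's host).
tmp=$(mktemp -d)
# A config the post's sed lines would not touch: the values are already uncommented.
printf 'Port 22\nPermitRootLogin yes\nUseDNS no\n' > "$tmp/sshd_config.unchanged"
# The state the post's sed edits aim for.
printf 'Port 52113\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\n' > "$tmp/sshd_config.hardened"

echo "== unchanged =="; audit_sshd "$tmp/sshd_config.unchanged"   # 2 findings
echo "== hardened ==";  audit_sshd "$tmp/sshd_config.hardened"    # 0 findings
```

Run it against /etc/ssh/sshd_config after the sed edits and before the reload; a non-zero return means at least one of the intended changes did not land.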
Prevent Linux systems from being pinged
# disable ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# allow ping
# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
Fix some software bugs
rpm -qa openssh openssl bash
yum install -y openssh openssl bash
Summary of the key points of Linux basic optimization
1) Do not log in as root to manage the system; log in as an ordinary user and obtain management rights through sudo
2) Change the default port of the ssh remote connection service, prohibit the root user from connecting remotely, and even make the ssh service listen only on the intranet IP
3) Regularly update the server's
4) Configure the yum update source so that packages are downloaded and installed from a domestic mirror
5) Turn off SELinux and iptables (in a working environment, if the server has an external IP, iptables is generally enabled; a server with high concurrency and high traffic may not be able to enable it)
6) Adjust the number of file descriptors; opening processes and files consumes file descriptors
7) Automatically clean up junk files in the mail directory on a schedule to prevent small files from exhausting the disk's inodes (note that CentOS 6 and CentOS 5 need different directories cleaned)
8) Streamline the auto-start services, keeping only the necessary ones (such as crond, sshd, network, rsyslog, sysstat)
9) Optimize the Linux kernel parameters in /etc/sysctl.conf, and run sysctl -p to make them take effect
10) Change the system character set to "zh_CN.UTF-8", which supports Chinese and prevents garbled characters.
11) Lock key system files such as /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow and /etc/inittab; after doing so, rename chattr and lsattr to oldboy and move them elsewhere, which is much safer.
12) Clear /etc/issue and /etc/issue.net to remove the system and kernel version shown on screen before login.
13) Remove redundant system virtual user accounts
14) Set a password for the GRUB boot menu
15) Prevent the host from being pinged
16) Patch and upgrade software with known vulnerabilities
Note: This blog is for reference only; readers can make reasonable configurations according to their actual situation. The content of the blog refers to Oldboy's book "Web Cluster Practice".