Some basic optimizations of a CentOS 6.9 system (updated 2018/04/19)

System information:

[root@nfs01 ~]# uname -r
2.6.32-696.el6.x86_64
[root@nfs01 ~]# uname -m
x86_64
[root@nfs01 ~]# cat /etc/redhat-release 
CentOS release 6.9 (Final)

Change the yum source

mv /etc/yum.repos.d/CentOS-Base.repo{,.$(date +%F_%T).backup} 
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
yum makecache

Turn off SELinux

This is the post's choice for a lab box. On a host that will run Internet-facing services, SELINUX=permissive keeps the audit log (denials are logged but not enforced) while the policy is worked out, and is the better stopgap than disabled. Note that the sed below only matches a file still set to enforcing; check the result with the grep.

\cp /etc/selinux/config{,.$(date +%F_%T).backup}
sed -i "s#SELINUX=enforcing#SELINUX=disabled#g" /etc/selinux/config
grep 'SELINUX=disable' /etc/selinux/config
setenforce 0
getenforce

Stop iptables

With iptables stopped the host has no host firewall at all; the summary at the end notes that a machine with a public IP normally keeps it on.

/etc/init.d/iptables stop
chkconfig iptables off

Trim the services started at boot

The pipeline switches off every runlevel-3 service that is not in the keep list. Review the generated "chkconfig ... off" commands first by leaving off the final "| bash".

export LANG=en    # force English (C locale) chkconfig output so "3:on" matches
chkconfig --list | egrep "3:on"|egrep -v "crond|network|sshd|rsyslog|sysstat" | awk '{print "chkconfig",$1,"off"}' | bash
chkconfig --list | grep 3:on

Create user abc and grant it sudo

"ALL=(ALL) NOPASSWD:ALL" makes abc root-equivalent without a password prompt; drop NOPASSWD unless the account is used for unattended automation. Appending with echo also bypasses the locking and syntax check that visudo provides, so the "visudo -c" at the end is essential: a syntax error in /etc/sudoers disables sudo for everyone.

useradd abc
\cp /etc/sudoers{,.$(date +%F_%T).backup}
echo "abc ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
tail -1 /etc/sudoers
visudo -c
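The same grant done through a drop-in file, as an added example that is not from the original post. It assumes the stock CentOS 6 /etc/sudoers, which ends with "#includedir /etc/sudoers.d", and that visudo is available for the syntax check; the optional third argument exists only so the function can be exercised on a temporary directory.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Grants sudo through a file under
# /etc/sudoers.d (the stock CentOS 6 /etc/sudoers ends with "#includedir
# /etc/sudoers.d"), validated with visudo before it becomes live, instead of
# appending to /etc/sudoers and checking afterwards. The rule text is an
# argument: the post's 'ALL=(ALL) NOPASSWD:ALL' is root without a password
# prompt, 'ALL=(ALL) ALL' keeps the prompt. The third argument (target
# directory) is an assumption made so the function can run on a temp dir.
set -u

# grant_sudo USER RULE [DIR]: write DIR/USER with mode 0440 after a syntax check.
# Returns 1 and leaves nothing behind if the name or rule is rejected.
grant_sudo() {
  local user=$1 rule=$2 dir=${3:-/etc/sudoers.d} tmp
  # sudo skips includedir entries whose names contain '.' or end in '~',
  # so restrict the file name to a safe character set
  case $user in
    ''|*[!A-Za-z0-9_-]*) echo "refusing user name: '$user'" >&2; return 1 ;;
  esac
  # a dotted temp name is ignored by sudo until it is renamed into place
  tmp=$(mktemp "$dir/.$user.XXXXXX") || return 1
  printf '%s %s\n' "$user" "$rule" > "$tmp"
  chmod 0440 "$tmp"
  # visudo -cf checks one file without touching the live configuration;
  # it also checks owner and mode, so only run it as root (the real use case)
  if [ "$(id -u)" = 0 ] && command -v visudo >/dev/null 2>&1 \
     && ! visudo -cf "$tmp" >/dev/null 2>&1; then
    echo "invalid sudoers rule for $user: $rule" >&2
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$dir/$user"
}

# Demo on a temporary directory; on the host, drop the third argument.
demo_dir=$(mktemp -d)
grant_sudo abc 'ALL=(ALL) NOPASSWD:ALL' "$demo_dir" && cat "$demo_dir/abc"
rm -rf "$demo_dir"
```

Because the file is written under a temporary name and only renamed once it passes, a bad rule never reaches sudo; the name check matters because sudo silently ignores drop-ins whose names contain a dot, which would make the grant appear to succeed while doing nothing.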

Time synchronization

echo '# time sync by oldboy at 2018-2-1' >> /var/spool/cron/root
echo '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' >> /var/spool/cron/root
crontab -l

Increase the file descriptor limit

\cp /etc/security/limits.conf{,.$(date +%F_%T).backup}
echo '*               -    nofile            65535' >> /etc/security/limits.conf
tail -1 /etc/security/limits.conf 
# takes effect for new login sessions (applied by pam_limits); log in again and check:
ulimit -n

Kernel parameter tuning

These values come from a high-concurrency web-server profile and are not safe defaults everywhere: net.ipv4.tcp_tw_recycle = 1 makes the kernel drop connections from clients behind NAT (the option was later removed from the kernel altogether), tcp_syn_retries and tcp_synack_retries of 1 give up on lossy links after a single retransmission, and tcp_fin_timeout = 2 is very aggressive. The nf_conntrack keys only exist while the module is loaded.

\cp /etc/sysctl.conf{,.$(date +%F_%T).backup}
cat >>/etc/sysctl.conf<<EOF
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
# The following parameters tune the iptables connection tracking (nf_conntrack).
# If the firewall is not running the module is not loaded and sysctl reports these keys as unknown; that can be ignored.
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
# apply the parameters from the kernel configuration file
sysctl -p
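A pre-flight check for the sysctl file, as an added example that is not from the original post: it looks every key up under /proc/sys before "sysctl -p" runs, so a mistyped key or a key whose module is not loaded is reported by name rather than buried in sysctl's error output, and it flags the tcp_tw_recycle setting discussed above. The second argument (an alternative root directory instead of /proc/sys) is an assumption made for the offline demo; keys that themselves contain a dot, such as per-interface "net.ipv4.conf.eth0.100.rp_filter", are not handled.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: check the keys in a sysctl file
# against the running kernel before `sysctl -p`, and flag one setting that is
# known to cause trouble. Assumptions: keys are looked up as files under
# /proc/sys with dots turned into slashes (a second argument can point at a
# different root, used by tests); keys containing a dot, such as the
# per-interface "net.ipv4.conf.eth0.100.rp_filter", are not handled.
set -u

# sysctl_preflight CONF [PROCROOT]: print every key that does not exist under
# PROCROOT (typo, or a module such as nf_conntrack not loaded); return 1 if any.
sysctl_preflight() {
  local conf=$1 root=${2:-/proc/sys} line key path bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                       # strip comments
    key=$(printf '%s' "$line" | awk -F= 'NF > 1 { gsub(/[[:space:]]/, "", $1); print $1 }')
    [ -n "$key" ] || continue
    path="$root/$(printf '%s' "$key" | tr . /)"
    if [ ! -e "$path" ]; then
      echo "unknown key: $key"
      bad=1
    fi
  done < "$conf"
  return $bad
}

# sysctl_review CONF: return 1 with a warning if tcp_tw_recycle is enabled.
# With tcp_timestamps on (the default) it makes the kernel drop SYNs from
# clients behind a shared NAT address whose timestamps appear to go backwards.
sysctl_review() {
  if grep -Eq '^[[:space:]]*net\.ipv4\.tcp_tw_recycle[[:space:]]*=[[:space:]]*1' "$1"; then
    echo "warning: net.ipv4.tcp_tw_recycle = 1 breaks clients behind NAT; leave it 0 on Internet-facing hosts"
    return 1
  fi
  return 0
}

# Demo on a constructed file containing a mistyped conntrack key (the kernel
# key is nf_conntrack_tcp_timeout_close_wait, with underscores throughout);
# on CentOS 6 the real target is /etc/sysctl.conf.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 1
net.netfilter.nf_conntrack_tcp_timeout_close-wait = 60
EOF
sysctl_preflight "$demo_conf" || echo "fix the keys above before running: sysctl -p"
sysctl_review "$demo_conf" || true
rm -f "$demo_conf"
```

On a host with the firewall stopped the nf_conntrack keys show up as unknown, which is the expected case the post's comment describes; anything else reported is a typo to fix before the file is applied.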

Download and install basic system software

yum -y install tree lrzsz telnet nc nmap dos2unix sysstat htop nload iptraf iftop

Change the SSH server's remote-login configuration (apply selectively, and do not lock yourself out)

Keep the current session open while you do this: check the edited file with "sshd -t" before the reload, then confirm that a new login as an ordinary user on the new port works before closing the old session. If iptables is running, allow the new port first; if SELinux is enforcing, the non-standard port must be registered with "semanage port -a -t ssh_port_t -p tcp 52113" or sshd will fail to bind it.

\cp /etc/ssh/sshd_config{,.$(date +%F_%T).backup}

sed -i 's/#Port 22/Port 52113/g' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config 
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config 

sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config 
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
/etc/init.d/sshd reload
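The same edits applied idempotently and verified before the reload, as an added example that is not from the original post. It assumes the stock CentOS 6 sshd_config layout (commented-out defaults such as "#Port 22", no Match blocks) and the post's port 52113; the file path is a parameter so the functions can be tried on a copy first.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: apply the sshd_config changes from
# the section above to a given file and verify the result before reloading sshd.
# Assumptions: the stock CentOS 6 sshd_config layout (commented-out defaults such
# as "#Port 22" and no Match blocks; a directive appended after a Match block
# would apply only inside it) and port 52113 as in the post. Try it on a copy
# first, then on /etc/ssh/sshd_config.
set -u

# set_directive FILE KEY VALUE: replace an existing (possibly commented-out) KEY
# line with "KEY VALUE", or append it if absent. Unlike a blind sed on
# "#Port 22", this also works on a file that has already been edited.
set_directive() {
  local file=$1 key=$2 value=$3
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

harden_sshd_config() {
  local file=$1
  set_directive "$file" Port 52113
  set_directive "$file" PermitRootLogin no
  set_directive "$file" PermitEmptyPasswords no
  set_directive "$file" GSSAPIAuthentication no
  set_directive "$file" UseDNS no
}

# get_directive FILE KEY: print the effective value, i.e. the first uncommented
# occurrence, which is the one sshd uses.
get_directive() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# verify_sshd_config FILE: 0 if every hardening directive is in effect.
verify_sshd_config() {
  local file=$1 rc=0
  [ "$(get_directive "$file" Port)" = 52113 ]              || { echo "Port not set"; rc=1; }
  [ "$(get_directive "$file" PermitRootLogin)" = no ]      || { echo "root login still allowed"; rc=1; }
  [ "$(get_directive "$file" PermitEmptyPasswords)" = no ] || { echo "empty passwords allowed"; rc=1; }
  [ "$(get_directive "$file" GSSAPIAuthentication)" = no ] || { echo "GSSAPI still on"; rc=1; }
  [ "$(get_directive "$file" UseDNS)" = no ]               || { echo "UseDNS still on"; rc=1; }
  return $rc
}

# Demo on a constructed copy of a stock-style config, never on the live file.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
#Port 22
#PermitRootLogin yes
#PermitEmptyPasswords no
GSSAPIAuthentication yes
#UseDNS yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
harden_sshd_config "$demo_file"
verify_sshd_config "$demo_file" && echo "config hardened: $demo_file"
rm -f "$demo_file"
# On the host:
#   harden_sshd_config /etc/ssh/sshd_config && /usr/sbin/sshd -t && /etc/init.d/sshd reload
```

The verify step reads the first uncommented occurrence of each directive because that is how sshd resolves duplicates; a file where "PermitRootLogin yes" survives above the edited line would pass a naive grep but fail here.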

Stop the host from responding to ping

Writing to /proc takes effect immediately but is lost at reboot; to make it persistent add net.ipv4.icmp_echo_ignore_all = 1 to /etc/sysctl.conf. Note that this also hides the host from any monitoring that relies on ICMP echo.

# disable ping replies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# allow ping replies
# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Update packages with known vulnerabilities

Record the installed versions first, then pull the current packages from the repository. yum install on a package that is already installed upgrades it to the newest version available, so the second line is equivalent to yum update -y openssh openssl bash; run rpm -qa again afterwards to confirm the versions changed.

rpm -qa openssh openssl bash
yum install -y openssh openssl bash

Basic Linux optimization and hardening: summary of the key points

1) Do not log in as root to administer the system; log in as an ordinary user and obtain administrative rights through sudo
2) Change the default port of the ssh service, forbid remote root logins, and where possible make sshd listen only on the intranet IP
3) Regularly update the server's
4) Configure the yum update source and install packages from a domestic mirror
5) Turn off SELinux and iptables (in production, a host with a public IP normally keeps iptables on; a host with very high concurrency and traffic may not be able to afford it)
6) Raise the file-descriptor limit: every open process and file consumes descriptors
7) Clean the mail spool directory automatically and regularly so that small files do not exhaust the disk's inodes (note that CentOS 6 and CentOS 5 keep it in different directories)
8) Trim the services started at boot, keeping only the necessary ones (such as crond, sshd, network, rsyslog, sysstat)
9) Tune kernel parameters in /etc/sysctl.conf and run sysctl -p to apply them
10) Set the system character set to "zh_CN.UTF-8" to support Chinese and avoid garbled output
11) Lock key system files such as /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow and /etc/inittab with chattr; after that, rename the chattr and lsattr binaries (the post uses the name oldboy) and move them out of the way, which makes tampering harder
12) Empty /etc/issue and /etc/issue.net so the system and kernel version are not shown before login
13) Remove unneeded system (virtual) user accounts
14) Password-protect the GRUB boot menu
15) Stop the host from responding to ping
16) Patch and upgrade software with known vulnerabilities
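An audit of four of the points above (11, 12, 13 and 15), as an added example that is not from the original post. Each check is a function that takes its input as a file or a line, so it runs here against constructed fixtures and on a host against the live files. It assumes the CentOS 6 convention that system accounts have UID below 500 (UID_MIN in /etc/login.defs) and that lsattr prints the flag field as the first column.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: offline-testable checks for
# locked system files, cleared login banners, leftover system accounts and
# ping being ignored. Assumptions: CentOS 6 system accounts are UID < 500
# (UID_MIN in /etc/login.defs); lsattr's flag field is the first column.
set -u

# immutable_set "LSATTR_LINE": 0 if the 'i' flag is present, e.g.
#   ----i--------e-- /etc/passwd     (one line of: lsattr /etc/passwd)
immutable_set() {
  local flags=${1%% *}
  case $flags in *i*) return 0 ;; *) return 1 ;; esac
}

# banner_clean FILE: 0 if FILE is missing or empty, or carries no version
# information (stock /etc/issue shows the release line and "Kernel \r on an \m").
banner_clean() {
  [ -s "$1" ] || return 0
  ! grep -Eq '\\[rm]|release|[0-9]+\.[0-9]+' "$1"
}

# system_accounts_with_shell PASSWD: list UID<500 accounts other than root whose
# login shell is a real shell (not nologin/false). These are the first
# candidates for point 13; accounts such as games or gopher that already have
# nologin still deserve review but are not flagged here.
system_accounts_with_shell() {
  awk -F: '$3 < 500 && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# ping_ignored [FILE]: 0 if icmp_echo_ignore_all is 1.
ping_ignored() {
  local f=${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}
  [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Demo on constructed fixtures (not live files).
fx_passwd=$(mktemp)
cat > "$fx_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
abc:x:500:500::/home/abc:/bin/bash
EOF
echo "system accounts with a login shell: $(system_accounts_with_shell "$fx_passwd" | tr '\n' ' ')"
immutable_set '----i--------e-- /etc/passwd' && echo "fixture lsattr line: immutable flag set"
rm -f "$fx_passwd"
# On a live host:
#   immutable_set "$(lsattr /etc/passwd)"; banner_clean /etc/issue
#   system_accounts_with_shell /etc/passwd; ping_ignored
```

The passwd check deliberately ignores the shell of root and of ordinary users (UID 500 and up); the fixture shows sync, shutdown and halt being reported, which are the accounts with non-interactive but still executable shells that the point 13 cleanup usually removes.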

Note: This post is for reference only; readers should adapt the configuration to their own situation. The content draws on the Oldboy book "Web Cluster Practice".
