1. Stop the iptables firewall:
(1) Stop
/etc/init.d/iptables stop
(2) Check
/etc/init.d/iptables status
(3) Disable automatic start at boot
chkconfig iptables off
(4) Check
chkconfig --list iptables
2. Turn off SELinux (security):
Note: the change to the configuration file is permanent, but it only takes effect after a reboot.
(1) Check the configuration file
cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
(2) Modify the configuration file
sed -i "s#SELINUX=enforcing#SELINUX=disabled#g" /etc/selinux/config
(3) Temporary method that takes effect without restarting the system
setenforce 0 #Set Permissive mode
getenforce #Check the effective situation
(4) Parameter description
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing. Prints warnings but does not block the action.
# disabled - No SELinux policy is loaded. Disabled state.
3. Change the yum source:
(1) Create a backup directory
mkdir -p /etc/yum.repos.d/{default,back} ###Remember: always back up before every operation! Backup! Backup! Backup! Important things are said three times
(2) Backup all default configuration files
\mv /etc/yum.repos.d/*repo /etc/yum.repos.d/default
(3) Get yum source
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
(4) Backup yum source
\cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/default
4. Streamline the self-starting service after booting:
(1) Only keep important basic services, and close the rest
chkconfig --list|egrep -v "sysstat|crond|sshd|network|rsyslog"|awk '{print "chkconfig "$1,"off"}'|bash
(2) Check
chkconfig --list|grep 3:on
5. Modify the Linux server character set:
(1) Check the configuration file
cat /etc/sysconfig/i18n
There should be the following 2 lines by default:
LANG="en_US.UTF-8" ###The prompts are in English by default; if you are not comfortable with English, you can perform the following steps
SYSFONT="latarcyrheb-sun16"
(2) Backup configuration file
cp /etc/sysconfig/i18n{,.back}
(3) Modify (optional in this step)
Description: you can change the character set to Chinese, or leave it unchanged.
echo 'LANG="zh_CN.UTF-8"' > /etc/sysconfig/i18n
echo 'SYSFONT="latarcyrheb-sun16"' >> /etc/sysconfig/i18n
(4) Effective
source /etc/sysconfig/i18n
(5) Check
echo $LANG
6. Kernel optimization:
(1) Modify the configuration file /etc/sysctl.conf and add the following content (copy all of the following at once, paste it on the command line and execute it)
cat >>/etc/sysctl.conf<<EOF
net.ipv4.tcp_fin_timeout=2
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_keepalive_time=600
net.ipv4.ip_local_port_range=4000 65000
net.ipv4.tcp_max_syn_backlog=16384
net.ipv4.tcp_max_tw_buckets=36000
net.ipv4.route.gc_timeout=100
net.ipv4.tcp_syn_retries=1
net.ipv4.tcp_synack_retries=1
net.core.somaxconn=16384
net.core.netdev_max_backlog=16384
net.ipv4.tcp_max_orphans = 16384
#The following parameters tune the iptables firewall (nf_conntrack). If the firewall is not enabled, sysctl -p prints an error for them, which can be ignored.
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
(2) Take effect
sysctl -p
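Because unknown keys (for example the net.netfilter.* ones when conntrack is not loaded) only show up as errors at sysctl -p time, here is an added check, not part of the original tutorial, that reads a sysctl file and reports every key with no entry under /proc/sys before anything is applied. The function name check_sysctl_keys and the optional second argument (an alternative root for the sysctl tree) are my own additions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: before running `sysctl -p`,
# list the keys in a sysctl file that have no entry under /proc/sys.
# On a host without the nf_conntrack module loaded, the net.netfilter.* keys
# from step (1) are the ones reported; everything else should be known.
#
# check_sysctl_keys FILE [PROCSYS]
#   FILE    : sysctl.conf-style file ("key = value" or "key=value", '#' comments)
#   PROCSYS : root of the sysctl tree, default /proc/sys (overridable so the
#             function can be exercised against a constructed fake tree)
# Prints "missing: <key>" per unknown key; return code = number of unknown keys.
check_sysctl_keys() {
    file=$1
    procsys=${2:-/proc/sys}
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # drop comments
        # extract the key left of '=' (letters, digits, '_', '.', '/', '-')
        key=$(printf '%s\n' "$line" |
              sed -n 's|^[[:space:]]*\([A-Za-z0-9_./-]*\)[[:space:]]*=.*|\1|p')
        [ -n "$key" ] || continue
        path=$(printf '%s' "$key" | tr . /)    # sysctl maps a.b.c to a/b/c
        if [ ! -e "$procsys/$path" ]; then
            echo "missing: $key"
            missing=$((missing + 1))
        fi
    done < "$file"
    return "$missing"
}

# Usage on the real system (after writing /etc/sysctl.conf as in step (1)):
#   check_sysctl_keys /etc/sysctl.conf && sysctl -p
```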
7. Time synchronization: (time synchronization is very important at work, very important!)
(1) Configure
echo '#time sync by oldboy at 2018-04-26' >> /var/spool/cron/root
echo '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' >> /var/spool/cron/root
### The Alibaba Cloud time server is generally used as the reference. Any of the following addresses can be chosen:
ntp1.aliyun.com
ntp2.aliyun.com
ntp3.aliyun.com
ntp4.aliyun.com
ntp5.aliyun.com
ntp6.aliyun.com
ntp7.aliyun.com
(2) Check
crontab -l
(3) Backup
\cp /var/spool/cron/root{,.back}
8. Increase the open file descriptor limit:
(1) Configure
echo '* - nofile 65535 ' >>/etc/security/limits.conf
(2) Check
tail -1 /etc/security/limits.conf
(3) Backup
\cp /etc/security/limits.conf{,.back}
9. Download and install the basic software of the system:
yum install -y lrzsz nmap tree dos2unix nc ###Some basic software will be often used in the cluster architecture
10. Configure the hosts file:
Note: name resolution in the cluster architecture built later uses intranet IPs; the basic services involve roughly 9 servers
(1) Modify
cat >/etc/hosts<<EOF
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost6 localhost6.localdomain6 localhost.localdomain
172.16.1.5 LB01
172.16.1.6 LB02
172.16.1.7 web01
172.16.1.8 web02
172.16.1.9 web03
172.16.1.51 DB01
172.16.1.31 nfs01
172.16.1.41 backup
172.16.1.61 M01
EOF
(2) backup
\cp /etc/hosts{,.back}
11. Process /etc/bashrc and /root/.bashrc:
(1) Backup configuration file
\cp /etc/bashrc{,.back}
(2) Process /etc/bashrc
Edit configuration file /etc/bashrc (vim /etc/bashrc),
comment out the 36th line of this file,
Then start a new line below the just commented out line 36 and add the following:
[ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\[\e[34;1m\]\u@\H\[\e[0m\] \[\e[31;1m\]\w\[\e[0m\] \[\e[32;1m\]\t\[\e[0m\]]\\$ "
Note that the above line is very long, it must be copied and pasted in exactly the same way, and there can be no carriage return in the middle, only spaces, be sure to check! ! !
Make it effective: source /etc/bashrc
Check the effect: press the key combination ctrl+d, then log in to the system again.
###Roughly like the above. My teacher wrote it; it feels very convenient: you don't need to run pwd to see the current path and location at any time. It is especially useful in enterprises.
(3) Process /root/.bashrc
Modify the configuration file /root/.bashrc (vim /root/.bashrc), and
add the following 2 lines below the last line of alias:
alias grep='grep --color'
alias egrep='egrep --color'
save and exit;
make it effective: . /root/.bashrc
Note: The dot (.) here is a command, which is equivalent to the source command.
12. Add a user:
(1) Add
useradd oldboy
(2) Check
id oldboy
(3) Set password
echo 123456|passwd --stdin oldboy
13. Grant privileges to the newly created user (explanation: too many people know the root account and that it is the super administrator, so for enterprise security set up a separate user instead)
Add oldboy to sudo management, then oldboy will be equivalent to administrator
(1) backup
\cp /etc/sudoers{,.back}
(2) modify
echo "oldboy ALL=(ALL) NOPASSWD: ALL " >> /etc/sudoers
(3) check
tail -1 /etc/sudoers
(4) take effect
visudo -c
###At this point the oldboy user's permissions are equivalent to the root user's
14. Optimize SSH remote connection:
(1) Backup the configuration file
cp /etc/ssh/sshd_config{,.back}
(2) Modify the configuration file
Edit the configuration file of the ssh service (vim /etc/ssh/sshd_config), and add the following under line 12:
####Start by oldboy#2018-04-26###
Port 52113 ###Also for security, change the login port
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no
GSSAPIAuthentication no
####End by oldboy#2018-04-26###
(3) Check
grep -A 5 -i 'Start by oldboy' /etc/ssh/sshd_config
(4) Restart ssh service
/etc/init.d/sshd restart
(5) Check
netstat -lntup | grep ssh
(6) Configuration instructions
####Start by oldboy#2018-04-26###
Port 52113 #Use a port number greater than 10000
PermitRootLogin no #Prohibit root remote login
PermitEmptyPasswords no #Prohibit empty password login
UseDNS no #Do not use dns to resolve
GSSAPIAuthentication no #Fixes slow connection setup
####End by oldboy#2018-04-26###
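The sshd directives above only take effect if no earlier line in sshd_config already sets the same keyword, because sshd uses the first occurrence it finds. The following audit script is an added example, not part of the original tutorial; the function names sshd_effective and audit_sshd are my own, and the expected values are the ones from step (2).

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit an sshd_config for the
# directives set in step (2). sshd honours the FIRST occurrence of a keyword, so a
# "PermitRootLogin no" appended after an earlier "PermitRootLogin yes" is ignored;
# the audit reads the effective (first) value, case-insensitively, as sshd does.
# Simplifications: "Keyword value" form only (the form used above), and parsing
# stops at the first Match block, whose settings are conditional.

# sshd_effective FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        tolower($1) == "match"   { exit }            # conditional block: stop
        tolower($1) == want      { print $2; exit }  # first occurrence wins
    ' "$1"
}

# audit_sshd FILE -> prints "FAIL <Keyword> expected=<v> actual=<v>" per mismatch;
# return code = number of mismatches (0 means every directive is effective).
audit_sshd() {
    file=$1
    fails=0
    for pair in Port=52113 PermitRootLogin=no PermitEmptyPasswords=no \
                UseDNS=no GSSAPIAuthentication=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$file" "$key" | tr 'A-Z' 'a-z')
        # an absent keyword falls back to the sshd default (e.g. Port 22,
        # PermitRootLogin yes on older OpenSSH), which also counts as a failure
        if [ "$got" != "$want" ]; then
            echo "FAIL $key expected=$want actual=${got:-unset}"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Usage on the real host after step (3):
#   audit_sshd /etc/ssh/sshd_config && echo "sshd_config OK"
```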
15. xshell connection
########################################################################################################
In the enterprise: for learning purposes the optimization above is roughly sufficient. In real work you can also hide the Linux version information banner, lock key system files to prevent tampering after privilege escalation, add a password to the grub menu, disable ping, and so on.