Take an Alibaba Cloud server as an example.
1. Mount the data disk
1、 Partition the disk
fdisk -l #List block devices. The data disk is usually /dev/xvdb, or /dev/vdb on Alibaba Cloud I/O-optimized instances. Confirm you are looking at the empty data disk and not the system disk: fdisk and mkfs below destroy whatever is on the device
fdisk /dev/xvdb #Partition the disk (or fdisk /dev/vdb)
Type n #Create a new partition
Enter p #Make it a primary partition
Enter 1 #Make it the first primary partition, then accept the default first and last sector to use the whole disk
Enter w #Write the partition table to disk and exit
Afterwards fdisk -l shows the new partition as
/dev/xvdb1
or
/dev/vdb1 (the following steps are the same for both; just keep xvdb1 and vdb1 apart)
The partition has been created.
2、 Format the partition
mkfs.ext4 /dev/xvdb1 #Create an ext4 filesystem on the partition
Note: ext4 is the default filesystem of CentOS 6.x; on CentOS 5.x use ext3 (mkfs.ext3). CentOS 7.x defaults to xfs:
mkfs.xfs /dev/vdb1 or mkfs -t xfs /dev/vdb1
Formatting time depends on the partition size; wait for the command to return, then mount the partition.
3、 Mount the partition
For example, to mount /dev/xvdb1 on the /data directory:
mkdir -p /data #Create the mount point
mount /dev/xvdb1 /data #Mount; the filesystem type is detected
mount -t ext4 /dev/xvdb1 /data #Or give the type explicitly for ext4
mount -t xfs /dev/vdb1 /data #Or for xfs
df -h #Check the result
vi /etc/fstab #To mount at boot, add the following line at the end
/dev/xvdb1 /data ext4 defaults 0 0
:wq! #Save and exit
Or, preferably, mount by UUID. A device name such as /dev/vdb can change when disks are attached or detached, while the UUID stays with the filesystem:
blkid /dev/xvdb1 #Print the UUID of the filesystem, for example:
/dev/xvdb1: UUID="9c991d14-9372-4fd8-97d6-2aa1ac1acf47" TYPE="xfs"
vi /etc/fstab #To mount at boot, add the following line at the end (the type must match what blkid printed)
UUID=9c991d14-9372-4fd8-97d6-2aa1ac1acf47 /data xfs defaults 0 0
:wq! #Save and exit
mount -a #Mount everything listed in /etc/fstab now. This also catches a bad entry before the next reboot, where a failing fstab line drops the system into the emergency shell
2. Create a swap file
Note: Alibaba Cloud images ship without swap. Building PHP 5.6 on a 512 MB instance then fails with an out-of-memory error.
Adding swap is recommended regardless of how much RAM the instance has.
Add 1024 MB of swap on a 512 MB Alibaba Cloud instance:
Steps:
1、 dd if=/dev/zero of=/home/swap bs=1M count=1024 #Create a 1024 MB file
2、 mkswap /home/swap #Set up the swap area in it. mkswap warns if the file is readable by others: swap holds pages of process memory, passwords and keys included, so the file must be mode 0600 and owned by root before it is activated
3、 swapon /home/swap #Activate the swap file
4、 swapon -s #List active swap
5、 Add the swap file to /etc/fstab so it is activated at boot
vi /etc/fstab #Add the following line at the end (the option keyword is defaults, not default)
/home/swap swap swap defaults 0 0
:wq! #Save and exit
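The two fstab edits above are the kind of step that gets rerun by hand or from a provisioning script, and each rerun of a plain append adds a duplicate line. The following is an added example, not code from the original page: it builds the UUID-based entry from blkid output, adds nosuid,nodev to the data volume (which has no reason to carry setuid binaries or device nodes), writes the correct `defaults` keyword for the swap file, sets the swap file to mode 0600 before activating it, and only appends an entry when its first field is not already present. The device, mount point and swap path are the page's own examples; `FSTAB` can be pointed at a scratch copy for a rehearsal, and the `*_apply` functions need root on a real host.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: /etc/fstab handling for the two
# procedures above (data disk mounted by UUID, swap file) that can be rerun
# without duplicating entries. FSTAB may point at a scratch copy for a
# rehearsal; the *_apply functions need root and are meant for a real host.
FSTAB="${FSTAB:-/etc/fstab}"

# fstab_line_from_blkid 'BLKID_LINE' MOUNTPOINT [OPTIONS]
# Builds a UUID-based entry from one line of blkid(8) output such as
#   /dev/vdb1: UUID="9c991d14-..." TYPE="xfs" PARTUUID="..."
# Default options add nosuid,nodev: a data volume has no reason to carry
# setuid binaries or device nodes, and the options cost nothing.
fstab_line_from_blkid() {
  local blk="$1" mnt="$2" opts="${3:-defaults,nosuid,nodev}" uuid type
  # The leading space keeps PARTUUID="..." and UUID_SUB="..." from matching.
  uuid=$(printf '%s\n' "$blk" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
  type=$(printf '%s\n' "$blk" | sed -n 's/.* TYPE="\([^"]*\)".*/\1/p')
  [ -n "$uuid" ] && [ -n "$type" ] || return 1
  printf 'UUID=%s %s %s %s 0 0\n' "$uuid" "$mnt" "$type" "$opts"
}

# swap_fstab_line FILE: entry for a swap file. The option keyword is
# "defaults"; the "default" on the page is a typo.
swap_fstab_line() {
  printf '%s swap swap defaults 0 0\n' "$1"
}

# fstab_add_once FILE 'ENTRY': append ENTRY unless a line already starts
# with the same first field (UUID=... or the swap file path).
fstab_add_once() {
  local file="$1" entry="$2" key="${2%% *}"
  [ -n "$entry" ] || return 1
  if [ -f "$file" ] && grep -q "^[[:space:]]*${key}[[:space:]]" "$file"; then
    return 0
  fi
  printf '%s\n' "$entry" >> "$file"
}

# data_disk_apply PARTITION MOUNTPOINT [FSTYPE]   e.g. data_disk_apply /dev/vdb1 /data xfs
# Refuses to format a partition that already carries a filesystem.
data_disk_apply() {
  local part="$1" mnt="$2" fstype="${3:-xfs}"
  if blkid -o value -s TYPE "$part" >/dev/null 2>&1; then
    echo "$part already has a filesystem; not formatting" >&2
    return 1
  fi
  mkfs -t "$fstype" "$part" || return 1
  mkdir -p "$mnt"
  fstab_add_once "$FSTAB" "$(fstab_line_from_blkid "$(blkid "$part")" "$mnt")" || return 1
  mount -a && df -h "$mnt"   # mount -a also proves the new line parses before a reboot
}

# swap_file_apply FILE [MB]   e.g. swap_file_apply /home/swap 1024
swap_file_apply() {
  local file="$1" mb="${2:-1024}"
  dd if=/dev/zero of="$file" bs=1M count="$mb" || return 1
  chmod 600 "$file"   # swap holds process memory (keys, passwords); mkswap warns otherwise
  mkswap "$file" && swapon "$file" || return 1
  fstab_add_once "$FSTAB" "$(swap_fstab_line "$file")"
  swapon -s
}
```

On a real host: `data_disk_apply /dev/vdb1 /data xfs` followed by `swap_file_apply /home/swap 1024`. Because `fstab_add_once` keys on the first field, running either function twice leaves a single entry, and `mount -a` at the end of `data_disk_apply` fails loudly now rather than at the next boot if the line is wrong.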
System operation and maintenance www.osyunwei.com Warm reminder: qihang01 original content © copyright, reprint please indicate the source and the original link
3. System kernel and resource-limit tuning
1、 CentOS 5.x, 6.x and 7.x
vi /etc/security/limits.conf #Add the following lines at the end. Each line is "<domain> <type> <item> <value>"; the domain * means every user, and a line without it is silently ignored
* soft nproc unlimited
* hard nproc unlimited
* soft nofile 655350
* hard nofile 655350
:wq! #Save and exit
Note: nproc unlimited removes the per-user process cap that contains a fork bomb. On a single-purpose server with one administrator that is an acceptable trade; if untrusted users can log in, use a large finite value instead.
2、 CentOS 5.x, 6.x and 7.x
vi /etc/profile #Add the following lines at the end
ulimit -SHn 655350
ulimit -SHu unlimited
ulimit -SHd unlimited
ulimit -SHm unlimited
ulimit -SHs unlimited
ulimit -SHt unlimited
ulimit -SHv unlimited
:wq! #Save and exit
source /etc/profile #Apply to the current shell
ulimit -a #Show the effective limits
Note: these ulimit calls only affect login shells that read /etc/profile and the programs started from them. Daemons started by init scripts or systemd read neither /etc/profile nor, since they do not go through PAM, limits.conf; on CentOS 7.x set LimitNOFILE= and LimitNPROC= in the service's unit file. A non-root shell also cannot raise a hard limit beyond what limits.conf grants, so step 1 must be in place first or the -H calls fail with "Operation not permitted".
3、 CentOS 6.x (CentOS 5.x has no such file; CentOS 7.x ships the equivalent /etc/security/limits.d/20-nproc.conf)
vi /etc/security/limits.d/90-nproc.conf #This file ships with "* soft nproc 1024", which is read after limits.conf and overrides the nproc value from step 1; change or remove that line if you need the higher value, then add the following lines at the end
* soft nofile 655350
* hard nofile 655350
root soft nofile 655350
root hard nofile 655350
* soft core unlimited
* hard core unlimited
root soft core unlimited
root hard core unlimited
:wq! #Save and exit
Note: a core dump is a complete copy of the crashed process's memory, including any passwords, keys or session tokens it held, written to its working directory. Leave core at 0 on production hosts and enable it only while debugging a crash.
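Two things go wrong silently with the limits in steps 1 to 3: a line copied without its leading `*` has only three fields and pam_limits ignores it, and a nofile value above the kernel's `fs.nr_open` (1048576 by default) makes every PAM login fail on CentOS 7.x with "Could not open session". The following is an added example, not code from the original page: `limits_check_file` rejects both, along with unknown items, bad types and non-numeric values, and `proc_limits` reads what a running process actually received from `/proc/PID/limits`, which is the only check that means anything for a daemon. `LIMITS_NR_OPEN` is an assumed override for the kernel ceiling so the check can run on a machine other than the target.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: checks for the limits set in
# steps 1 to 3 above. pam_limits expects "<domain> <type> <item> <value>"
# and silently ignores anything else, so "soft nofile 655350" (no domain)
# changes nothing; limits_check_file fails such a file instead. A nofile
# hard limit above fs.nr_open breaks PAM logins, so that is flagged too.
# LIMITS_NR_OPEN (assumed name) overrides the kernel value for offline checks.

# limits_check_file FILE: print each bad line; return 1 if there were any.
limits_check_file() {
  local file="$1" bad=0 domain type item value extra nr_open numeric
  nr_open="${LIMITS_NR_OPEN:-$(cat /proc/sys/fs/nr_open 2>/dev/null || echo 1048576)}"
  while read -r domain type item value extra; do
    case "$domain" in ''|'#'*) continue ;; esac        # blank line or comment
    if [ -z "$value" ] || [ -n "$extra" ]; then
      printf 'malformed, need 4 fields: %s\n' "$domain $type $item $value $extra"
      bad=1; continue
    fi
    case "$type" in
      soft|hard|-) ;;
      *) printf 'bad type "%s": %s\n' "$type" "$domain $type $item $value"; bad=1; continue ;;
    esac
    case "$item" in
      core|data|fsize|memlock|nofile|rss|stack|cpu|nproc|as|maxlogins|maxsyslogins|priority|locks|sigpending|msgqueue|nice|rtprio) ;;
      *) printf 'unknown item "%s": %s\n' "$item" "$domain $type $item $value"; bad=1; continue ;;
    esac
    case "$value" in
      unlimited|infinity|-1) ;;
      ''|*[!0-9]*) printf 'bad value "%s": %s\n' "$value" "$domain $type $item $value"; bad=1; continue ;;
    esac
    if [ "$item" = nofile ]; then
      # "unlimited" nofile is above nr_open as well: setrlimit rejects it at login.
      case "$value" in unlimited|infinity|-1) numeric=$((nr_open + 1)) ;; *) numeric=$value ;; esac
      if [ "$numeric" -gt "$nr_open" ]; then
        printf 'nofile %s exceeds fs.nr_open=%s (PAM logins would fail): %s\n' \
          "$value" "$nr_open" "$domain $type $item $value"
        bad=1
      fi
    fi
  done < "$file"
  return $bad
}

# proc_limits PID: "nofile SOFT HARD" and "nproc SOFT HARD" for a running
# process, e.g. proc_limits "$(pidof nginx | cut -d' ' -f1)". Linux only.
proc_limits() {
  local pid="${1:-self}"
  sed -n -e 's/^Max open files *\([^ ]*\) *\([^ ]*\).*/nofile \1 \2/p' \
         -e 's/^Max processes *\([^ ]*\) *\([^ ]*\).*/nproc \1 \2/p' "/proc/$pid/limits"
}
```

Run `limits_check_file /etc/security/limits.conf /etc/security/limits.d/*.conf` after editing, then restart the daemon and compare `proc_limits <pid>` with what you intended; if the numbers did not move, the service is started outside PAM and needs its limits set in the init script or unit file.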
4、 CentOS 5.x
Run the following once. Each run appends another copy of every key to /etc/sysctl.conf; the last occurrence wins, but the file becomes hard to audit.
sed -i "s/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g" /etc/sysctl.conf #Enable IP forwarding. Only a host that routes or NATs for other machines needs this; a stand-alone web server should leave it at 0
echo -e "net.core.somaxconn = 65535" >> /etc/sysctl.conf
echo -e "net.core.netdev_max_backlog = 262144" >> /etc/sysctl.conf
echo -e "net.core.wmem_default = 8388608" >> /etc/sysctl.conf
echo -e "net.core.rmem_default = 8388608" >> /etc/sysctl.conf
echo -e "net.core.rmem_max = 16777216" >> /etc/sysctl.conf
echo -e "net.core.wmem_max = 16777216" >> /etc/sysctl.conf
echo -e "net.ipv4.route.max_size = 5242880" >> /etc/sysctl.conf
echo -e "net.ipv4.route.gc_timeout = 20" >> /etc/sysctl.conf
echo -e "net.ipv4.ip_local_port_range = 1025 65535" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_retries2 = 5" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_fin_timeout = 30" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_syn_retries = 3" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_synack_retries = 3" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_timestamps = 0" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_tw_recycle = 0" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_tw_reuse = 1" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_keepalive_time = 120" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_keepalive_probes = 3" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_keepalive_intvl = 15" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_max_tw_buckets = 200000" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_max_orphans = 3276800" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_max_syn_backlog = 262144" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_wmem = 8192 131072 16777216" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_rmem = 32768 131072 16777216" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_mem = 94500000 915000000 927000000" >> /etc/sysctl.conf
echo -e "net.ipv4.ip_conntrack_max = 25000000" >> /etc/sysctl.conf
echo -e "net.ipv4.netfilter.ip_conntrack_max = 25000000" >> /etc/sysctl.conf
echo -e "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180" >> /etc/sysctl.conf
echo -e "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 1" >> /etc/sysctl.conf
echo -e "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60" >> /etc/sysctl.conf
echo -e "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120" >> /etc/sysctl.conf
echo -e "net.unix.max_dgram_qlen = 655360" >> /etc/sysctl.conf
echo -e "kernel.msgmax = 655360" >> /etc/sysctl.conf
echo -e "kernel.msgmni = 20480" >> /etc/sysctl.conf
CentOS 6.x 7.x
sed -i "s/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g" /etc/sysctl.conf
echo -e "net.core.somaxconn = 65535" >> /etc/sysctl.conf
echo -e "net.core.netdev_max_backlog = 262144" >> /etc/sysctl.conf
echo -e "net.core.wmem_default = 8388608" >> /etc/sysctl.conf
echo -e "net.core.rmem_default = 8388608" >> /etc/sysctl.conf
echo -e "net.core.rmem_max = 16777216" >> /etc/sysctl.conf
echo -e "net.core.wmem_max = 16777216" >> /etc/sysctl.conf
echo -e "net.ipv4.route.max_size = 5242880" >> /etc/sysctl.conf
echo -e "net.ipv4.route.gc_timeout = 20" >> /etc/sysctl.conf
echo -e "net.ipv4.ip_local_port_range = 1025 65535" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_retries2 = 5" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_fin_timeout = 30" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_syn_retries = 3" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_synack_retries = 3" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_timestamps = 0" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_tw_recycle = 0" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_tw_reuse = 1" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_keepalive_time = 120" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_keepalive_probes = 3" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_keepalive_intvl = 15" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_max_tw_buckets = 200000" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_max_orphans = 3276800" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_max_syn_backlog = 262144" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_wmem = 8192 131072 16777216" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_rmem = 32768 131072 16777216" >> /etc/sysctl.conf
echo -e "net.ipv4.tcp_mem = 94500000 915000000 927000000" >> /etc/sysctl.conf
echo -e "net.nf_conntrack_max = 25000000" >> /etc/sysctl.conf
echo -e "net.netfilter.nf_conntrack_max = 25000000" >> /etc/sysctl.conf
echo -e "net.netfilter.nf_conntrack_tcp_timeout_established = 180" >> /etc/sysctl.conf
echo -e "net.netfilter.nf_conntrack_tcp_timeout_time_wait = 1" >> /etc/sysctl.conf
echo -e "net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60" >> /etc/sysctl.conf
echo -e "net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120" >> /etc/sysctl.conf
echo -e "net.unix.max_dgram_qlen = 655360" >> /etc/sysctl.conf
echo -e "kernel.msgmnb = 655360" >> /etc/sysctl.conf
echo -e "kernel.msgmax = 655360" >> /etc/sysctl.conf
echo -e "kernel.msgmni = 20480" >> /etc/sysctl.conf
/sbin/sysctl -p #Load the settings now. Any key the kernel does not know is reported in this command's own output; nothing is written to /var/log/secure, which holds authentication messages. No errors means the settings were accepted
Typical errors:
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
These keys come from the stock /etc/sysctl.conf and only exist once the bridge netfilter code is loaded. Solution:
modprobe bridge #CentOS 5.x/6.x; on CentOS 7.x kernels the sysctls belong to the br_netfilter module
lsmod | grep bridge #Confirm the module is loaded
modprobe ip_conntrack #CentOS 5.x; use nf_conntrack on CentOS 6.x/7.x, see the remarks
Remarks:
The connection-tracking module is named ip_conntrack on CentOS 5.x and nf_conntrack on CentOS 6.x/7.x. The conntrack keys above exist only while the module is loaded, so at boot it has to be loaded before sysctl runs for them to persist; on CentOS 7.x list it in a file under /etc/modules-load.d/.
When editing /etc/sysctl.conf on CentOS 6.x/7.x, the CentOS 5.x parameter
net.ipv4.netfilter.ip_conntrack_max
becomes net.netfilter.nf_conntrack_max (the 6.x/7.x block above already uses the new names).
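The echo-and-append approach above has two practical failure modes: rerunning it leaves duplicate keys in /etc/sysctl.conf, and `sysctl -p` reports the unknown-key errors just described for any key whose module is not loaded. The following is an added example, not code from the original page: `sysctl_set` keeps one line per key (replacing an existing setting rather than appending a second one), `sysctl_key_exists` probes /proc/sys before writing so missing keys are skipped deliberately, and `sysctl_apply` reads "key value" pairs from stdin. `SYSCTL_FILE` defaults to the page's file; the drop-in name `/etc/sysctl.d/99-local.conf` mentioned in the comments is an assumption for CentOS 7.x, where `sysctl --system` loads that directory.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: an idempotent replacement for
# the "echo ... >> /etc/sysctl.conf" lines above. Rerunning those appends a
# second copy of every key, and "sysctl -p" stops at keys this kernel does
# not have (the unknown-key errors shown above). SYSCTL_FILE defaults to the
# page's file; on CentOS 7.x a drop-in such as /etc/sysctl.d/99-local.conf
# (name assumed) loaded with "sysctl --system" keeps local tuning separate.
SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.conf}"

# sysctl_key_exists KEY: true when /proc/sys exposes the key. Keys whose
# components contain dots themselves (interface names like eth0.100) need
# the "/" spelling and are not handled here.
sysctl_key_exists() {
  [ -e "/proc/sys/$(printf '%s' "$1" | tr . /)" ]
}

# sysctl_set FILE KEY VALUE: replace the existing "KEY = ..." line (comment
# lines are left alone) or append one. Last write wins; file mode is kept.
sysctl_set() {
  local file="$1" key="$2" value="$3" re tmp
  re=$(printf '%s' "$key" | sed 's/\./\\./g')      # match the dots literally
  [ -f "$file" ] || : > "$file"
  if grep -q "^[[:space:]]*${re}[[:space:]]*=" "$file"; then
    tmp=$(mktemp) || return 1
    sed "s|^[[:space:]]*${re}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp" \
      && cat "$tmp" > "$file"
    rm -f "$tmp"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# sysctl_get FILE KEY: the effective (last) value written for KEY, if any.
sysctl_get() {
  local re; re=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*${re}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# sysctl_apply < pairs: one "key value" per line, '#' comments allowed.
# Unknown keys are reported and skipped instead of breaking "sysctl -p".
# Loading the result is left to the caller: sysctl -p "$SYSCTL_FILE".
sysctl_apply() {
  local key value
  while read -r key value; do
    case "$key" in ''|'#'*) continue ;; esac
    if sysctl_key_exists "$key"; then
      sysctl_set "$SYSCTL_FILE" "$key" "$value"
    else
      echo "skip $key: not provided by this kernel (module not loaded?)" >&2
    fi
  done
}

# Usage with three of the page's keys (run as root, then sysctl -p):
#   sysctl_apply <<'EOF'
#   net.core.somaxconn 65535
#   net.ipv4.tcp_max_syn_backlog 262144
#   net.netfilter.nf_conntrack_max 25000000
#   EOF
```

Two notes on the values themselves. `net.ipv4.ip_forward` is not in the list because a web server that does not route or NAT should keep the CentOS default of 0. `net.ipv4.tcp_syncookies` is also absent from the page's list; CentOS ships it enabled, and a large `tcp_max_syn_backlog` is no substitute for it under a SYN flood, so do not turn it off.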
4. System security settings
1、 Create an ordinary (non-root) account
useradd osyunwei #Create the account
passwd osyunwei #Set its password when prompted (entered twice)
Before step 2, make sure this account can still become root, for example by adding it to the wheel group and enabling the wheel line in sudoers with visudo (CentOS 7.x enables it by default, CentOS 5.x/6.x do not). Otherwise disabling root login locks you out of administration.
2、 Disable direct root login over SSH
vi /etc/ssh/sshd_config #Edit
Find PermitRootLogin and change yes to no; uncomment the line if it is commented out, since the built-in default is yes
:wq! #Save and exit
The change takes effect when sshd is restarted (step 6 below restarts it). Keep the current session open and confirm that a new login as the ordinary user works before closing it.
3、 Lock the account and service files against modification
chattr +ia /etc/passwd
chattr +ia /etc/shadow
chattr +ia /etc/group
chattr +ia /etc/gshadow
chattr +ia /etc/services
lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services #Show the attributes
Note: with the immutable (i) and append-only (a) flags set, accounts cannot be added, deleted or modified; passwd and chage fail as well, because they rewrite /etc/shadow, and package updates that create service accounts (most -server packages do) error out. Only root, holding CAP_LINUX_IMMUTABLE, can clear the flags, so this protects against mistakes and against a compromised service running as an ordinary user, but not against an attacker who already has root: they simply run chattr -ia. Remove the flags before user or package changes and set them again afterwards:
chattr -ia /etc/passwd
chattr -ia /etc/shadow
chattr -ia /etc/group
chattr -ia /etc/gshadow
chattr -ia /etc/services
4、 Turn on the firewall
yum install iptables #Install the firewall on CentOS 5.x/6.x. On CentOS 7.x the classic service lives in the iptables-services package, and firewalld has to be stopped and masked first. Install wget the same way if the download tool is missing
chkconfig iptables on #Start at boot
vi /etc/sysconfig/iptables #Edit; the file should read as follows
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
service iptables start #Start the firewall, then check with iptables -L INPUT -n --line-numbers that every rule loaded
Remarks: -s 192.168.1.0/24 allows only that network to reach port 3306; adjust it to your own client network. Write the network address (192.168.1.0/24) rather than a host address such as 192.168.1.1/24, which iptables silently normalises to the same network and which makes the intent unclear to the next reader. Note that the INPUT policy is ACCEPT: the filtering is done by the final REJECT rule, so if the file fails to load part-way the host is left open rather than closed.
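The rules file above is edited again in step 6 when the SSH port moves, and it is easy to lose the `*filter` header, a `-A` or a `--state` when copying it by hand. The following is an added example, not code from the original page: it generates the file from three parameters (SSH port, web port, MySQL client network), so the two later edits become a rerun with different arguments, and `cidr_normalize` converts the page's 192.168.1.1/24 into the network address 192.168.1.0/24 while rejecting malformed input instead of handing it to the firewall. The rule set and default policy are exactly the page's; the `iptables_apply` helper and its backup file name are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: generate /etc/sysconfig/iptables
# from parameters instead of hand-editing it, keeping the "*filter" header,
# ":CHAIN POLICY" lines, "-A" flags and "--state" options intact. The SSH
# port and the MySQL client network are the only things that change between
# the firewall step and the SSH-port step of this page.

cidr_normalize() {      # cidr_normalize 192.168.1.1/24 -> 192.168.1.0/24
  local spec="$1" ip bits a b c d o n mask oifs
  case "$spec" in ''|*[!0-9./]*) return 1 ;; esac
  ip="${spec%/*}"; bits="${spec#*/}"
  [ "$ip" != "$spec" ] || bits=32            # no prefix length: a single host
  oifs=$IFS; IFS=.; set -- $ip; IFS=$oifs
  [ $# -eq 4 ] && [ "$bits" -le 32 ] 2>/dev/null || return 1
  for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
  a=$1; b=$2; c=$3; d=$4
  n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
  if [ "$bits" -eq 0 ]; then mask=0; else mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff )); fi
  n=$(( n & mask ))                          # clear the host bits
  printf '%d.%d.%d.%d/%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
                           $(( (n >> 8) & 255 )) $(( n & 255 )) "$bits"
}

# iptables_rules SSH_PORT WEB_PORT MYSQL_CLIENTS: print the rules file.
# Policy stays ACCEPT as on the page; the last INPUT rule does the rejecting.
iptables_rules() {
  local ssh="${1:-22}" web="${2:-80}" db_net
  db_net=$(cidr_normalize "${3:-192.168.1.0/24}") || return 1
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport $ssh -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport $web -j ACCEPT
-A INPUT -s $db_net -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# iptables_apply SSH_PORT WEB_PORT MYSQL_CLIENTS (root). Writes the file,
# keeps a backup (name assumed) and reloads. CentOS 7.x needs the
# iptables-services package with firewalld stopped and masked first.
iptables_apply() {
  iptables_rules "$@" > /etc/sysconfig/iptables.new || return 1
  cp -a /etc/sysconfig/iptables /etc/sysconfig/iptables.bak 2>/dev/null
  mv /etc/sysconfig/iptables.new /etc/sysconfig/iptables
  service iptables restart && iptables -L INPUT -n --line-numbers
}
```

`iptables_apply 22 80 192.168.1.1/24` reproduces the page's file with the network address corrected; after step 6 the same call with 222 moves the SSH rule. Because the INPUT policy is ACCEPT, always read the `iptables -L` output at the end: a file that loaded half-way leaves the host open, not closed.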
5、 Disable SELinux
vi /etc/selinux/config
SELINUX=disabled #Change SELINUX=enforcing to this
:wq! #Save and exit
setenforce 0 #Switch to permissive mode now; the disabled state only takes effect after a reboot
Note: this removes a mandatory access control layer that confines network-facing daemons after a compromise. The stricter alternative is to leave it enforcing and resolve denials with ausearch and audit2allow, or at most run permissive (SELINUX=permissive) while debugging an installation.
6、 Change the default SSH port
Change the SSH port from 22 to 222:
vi /etc/ssh/sshd_config
Add a line "Port 222" below the "#Port 22" line. sshd listens on every Port line present, so keeping an uncommented "Port 22" as well until the new port is verified avoids a lockout
:wq! #Save and exit
vi /etc/ssh/ssh_config
Add "Port 222" below the commented "Port 22" line #This is the ssh client configuration: it changes the default port for outgoing connections from this host to other machines. It is not needed for the server and is usually better left alone
:wq! #Save and exit
/etc/init.d/sshd restart #Restart sshd (systemctl restart sshd on CentOS 7.x). If SELinux is still enforcing, label the port first: semanage port -a -t ssh_port_t -p tcp 222
vi /etc/sysconfig/iptables #Edit
Change 22 to 222 in the --dport 22 rule
:wq! #Save and exit
service iptables restart #Reload the firewall, then test ssh -p 222 from a second terminal before closing the current session
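Steps 2 and 6 both edit sshd_config by hand, and both have a lockout mode: a typo in the file stops sshd from starting, and a port change without the matching firewall change closes the door behind you. The following is an added example, not code from the original page: `sshd_set` replaces an existing directive (including a commented one such as `#Port 22`) or appends it, so it is safe to rerun; `sshd_apply` validates the file with `sshd -t` before restarting, restores the backup if validation fails, and only then moves the firewall rule. It assumes no `Match` blocks in sshd_config (directives inside one would need separate handling) and uses the page's port 222 and iptables file; the `.bak` file name is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the original page, covering steps 2 and 6 above:
# set sshd_config directives idempotently, validate with "sshd -t" before
# restarting, then move the firewall rule. The page's ssh_config edit is
# the client default for outgoing connections and is not needed here.
# Assumes a sshd_config without Match blocks.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# sshd_set FILE KEY VALUE: replace the first "KEY ..." or "#KEY ..." line
# with "KEY VALUE", drop later duplicates, or append if there is none.
sshd_set() {
  local file="$1" key="$2" value="$3" tmp
  if ! grep -Eiq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
    printf '%s %s\n' "$key" "$value" >> "$file"
    return
  fi
  tmp=$(mktemp) || return 1
  awk -v key="$key" -v val="$value" '
    tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(key) "[ \t]") {
      if (!done) { print key " " val; done = 1 }   # first hit becomes the setting
      next                                         # later hits are dropped
    }
    { print }' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps mode and owner
  rm -f "$tmp"
}

# sshd_get FILE KEY: value of the first active (uncommented) KEY line.
sshd_get() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# sshd_apply PORT (root): port change plus PermitRootLogin no, validated
# before restart; the firewall rule follows only if sshd accepted the file.
sshd_apply() {
  local port="${1:-22}"
  cp -a "$SSHD_CONFIG" "$SSHD_CONFIG.bak" || return 1
  sshd_set "$SSHD_CONFIG" Port "$port"
  sshd_set "$SSHD_CONFIG" PermitRootLogin no
  if ! sshd -t -f "$SSHD_CONFIG"; then
    echo "sshd rejected the new config; restoring backup" >&2
    cp -a "$SSHD_CONFIG.bak" "$SSHD_CONFIG"
    return 1
  fi
  # With SELinux enforcing, label the port first:
  #   semanage port -a -t ssh_port_t -p tcp "$port"
  if command -v systemctl >/dev/null 2>&1; then systemctl restart sshd; else service sshd restart; fi
  sed -i "s/--dport 22 -j ACCEPT/--dport $port -j ACCEPT/" /etc/sysconfig/iptables
  service iptables restart
  echo "now test: ssh -p $port user@host from another terminal before logging out"
}
```

`sshd_apply 222` performs step 6 end to end. Because `sshd_set` collapses duplicates, the file ends up with exactly one `Port` line; if you want to listen on 22 and 222 together during the transition, add the second `Port` line by hand and remove it once the new port is confirmed.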
7、 Harden the temporary directories /tmp, /var/tmp and /dev/shm
7.1、 /tmp
7.1.1、 If /tmp is a separate partition, add the nosuid, noexec and nodev options to its /etc/fstab entry
vi /etc/fstab #Edit the /tmp line
LABEL=/tmp /tmp ext3 rw,nosuid,noexec,nodev 0 0
:wq! #Save and exit
Option meanings:
nosuid: setuid and setgid bits are ignored; noexec: files cannot be executed directly from the filesystem; nodev: device nodes are not interpreted
mount -o remount /tmp #Apply the new options to the live mount
mount -a #Mount anything in fstab that is not mounted yet
Caveats: noexec stops "/tmp/x" but not "sh /tmp/x.sh", so it raises the bar for drive-by payloads rather than closing the door. Installers and package scriptlets that unpack and run helpers from /tmp or /var/tmp (Java and Oracle installers are the classic cases) fail with "Permission denied" under noexec; remount with exec for the duration of such an install, or point TMPDIR at a directory without the restriction.
7.1.2、 If /tmp is a plain directory on the root filesystem, build a file-backed filesystem and loop-mount it on /tmp
dd if=/dev/zero of=/mnt/tmpfs bs=1M count=5120 #5 GB backing file (despite the name, this becomes an ext3 image, not a tmpfs)
mke2fs -j /mnt/tmpfs #Create an ext3 filesystem in it
cp -ap /tmp /tmp.old #Preserve the current contents
mount -o loop,noexec,nosuid,nodev,rw /mnt/tmpfs /tmp #Mount it with the same three options as a real partition
chmod 1777 /tmp #World-writable with the sticky bit, as /tmp must be
cp -a /tmp.old/. /tmp/ #Restore the contents, dot-files included (a shell glob * would skip them)
rm -rf /tmp.old
vi /etc/fstab #Add the following line
/mnt/tmpfs /tmp ext3 loop,nosuid,noexec,nodev,rw 0 0
:wq! #Save and exit
mount -o remount /tmp
mount -a
7.2、 /var/tmp
7.2.1、 If /var/tmp is a separate partition, add nosuid, noexec and nodev to its /etc/fstab entry
vi /etc/fstab #Edit the /var/tmp line
LABEL=/var/tmp /var/tmp ext3 rw,nosuid,noexec,nodev 0 0
:wq! #Save and exit
7.2.2、 If /var/tmp is a plain directory on the /var filesystem, move its contents to /tmp and replace it with a symbolic link to /tmp
cp -ap /var/tmp/. /tmp/ #Copy everything, dot-files included
rm -rf /var/tmp
ln -sf /tmp /var/tmp
Note: /var/tmp is meant to survive reboots, while /tmp may be cleaned at boot or by tmpwatch (CentOS 5.x/6.x) and systemd-tmpfiles (CentOS 7.x), so programs that keep state in /var/tmp lose it with this layout. Do this while no service is writing to /var/tmp.
7.3、 /dev/shm
Change the mount options of /dev/shm
vi /etc/fstab #Edit (or add) the tmpfs line; nodev is added because a shared-memory filesystem has no business carrying device nodes
tmpfs /dev/shm tmpfs defaults,nosuid,noexec,nodev,rw 0 0
:wq! #Save and exit
mount -o remount /dev/shm #Apply the options to the live mount
mount -a
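Editing /etc/fstab only says what will happen at the next boot; whether nosuid, noexec and nodev are actually in force on the three locations from section 7 is decided by the kernel's mount table. The following is an added example, not code from the original page: it reads the mount table (/proc/self/mounts on a live host, or any file in that format), reports which required options are missing per mount point, and follows the symbolic link from 7.2.2 so /var/tmp is checked through its target. The sample table in the test is constructed; the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: verify that the nosuid,noexec,
# nodev options from section 7 are actually in effect, using the kernel's
# view of the mounts rather than /etc/fstab. MOUNTS_FILE may be a saved copy
# of /proc/self/mounts from another host.

# mount_opts MOUNTS_FILE MOUNTPOINT: option string of that mount point
# (the last entry wins, as with an overmount), empty when not mounted.
mount_opts() {
  awk -v mp="$2" '$2 == mp { opts = $4 } END { print opts }' "$1"
}

# mount_missing_opts MOUNTS_FILE MOUNTPOINT REQUIRED: REQUIRED is a comma
# list; prints the options that are absent and returns 1, or returns 0.
mount_missing_opts() {
  local opts missing="" want
  opts=$(mount_opts "$1" "$2")
  [ -n "$opts" ] || { echo "not mounted"; return 1; }
  for want in $(printf '%s' "$3" | tr , ' '); do
    case ",$opts," in *",$want,"*) ;; *) missing="$missing $want" ;; esac
  done
  [ -z "$missing" ] || { printf '%s\n' "${missing# }"; return 1; }
}

# tmp_dirs_check [MOUNTS_FILE]: the page's three locations. A symlinked
# /var/tmp (7.2.2) is checked through its target. Returns 1 on any failure.
tmp_dirs_check() {
  local mounts="${1:-/proc/self/mounts}" dir target rc=0 out
  for dir in /tmp /var/tmp /dev/shm; do
    target=$dir
    [ -L "$dir" ] && target=$(readlink -f "$dir")
    if out=$(mount_missing_opts "$mounts" "$target" nosuid,noexec,nodev); then
      echo "OK   $dir"
    else
      echo "FAIL $dir ($target): $out"; rc=1
    fi
    done
  return $rc
}
```

`tmp_dirs_check` on a host set up exactly as the page describes reports FAIL for /tmp with "nodev" on the loop-mounted variant, because the page's 7.1.2 mount line omits that option; the fix is to add it to both the `mount -o` call and the fstab line. Run the check again after every `mount -o remount` and once after the next reboot.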
5. Set the host name
Set the host name to www.osyunwei.com:
1、 hostname www.osyunwei.com #Set it for the running system
2、 Make it persistent
vi /etc/sysconfig/network #CentOS 5.x/6.x
HOSTNAME=www.osyunwei.com #Replace localhost.localdomain; no spaces around the =
:wq! #Save and exit
vi /etc/hostname #CentOS 7.x (or run hostnamectl set-hostname www.osyunwei.com, which writes this file)
www.osyunwei.com #Replace localhost.localdomain
:wq! #Save and exit
3、 vi /etc/hosts #Edit so the name resolves locally without DNS
127.0.0.1 www.osyunwei.com localhost #Replace localhost.localdomain with the new name
:wq! #Save and exit
6. Synchronize the system time
yum install -y ntp #Install ntp. On CentOS 7.x chronyd is installed and enabled by default; if you keep it, skip the cron job below, since ntpdate fails with "socket in use" while ntpd or chronyd is running
ntpdate time1.aliyun.com #One-shot synchronization
hwclock --systohc #Write the system time to the hardware clock
CentOS 5.x
echo -e "0 0 * * * /sbin/ntpdate time1.aliyun.com &>/dev/null" >> /var/spool/cron/root #Synchronize once a day at 00:00
CentOS 6.x 7.x
echo -e "0 0 * * * /usr/sbin/ntpdate time1.aliyun.com &>/dev/null" >> /var/spool/cron/root #Synchronize once a day at 00:00
service crond restart #Restart crond so it reads the changed file (systemctl restart crond on CentOS 7.x)
Accurate time matters beyond log timestamps: TLS certificate validation, Kerberos tickets and TOTP codes all fail once the clock drifts far enough, and correlating an incident across hosts needs their clocks to agree.
7. Install the basic software packages
yum install -y apr* autoconf automake bison cloog-ppl compat* cpp curl curl-devel fontconfig fontconfig-devel freetype freetype* freetype-devel gcc gcc-c++ gtk+-devel gd gettext \
gettext-devel glibc kernel kernel-headers keyutils keyutils-libs-devel krb5-devel libcom_err-devel libpng* libjpeg* libsepol-devel libselinux-devel libstdc++-devel libtool* \
libgomp libxml2 libxml2-devel libXpm* libtiff libtiff* libX* libxml* make mpfr ncurses* ntp openssl openssl-devel patch pcre-devel perl php-common php-gd policycoreutils ppl telnet \
t1lib t1lib* nasm nasm* wget zlib-devel
Review this list before running it on a production host: kernel pulls in a newer kernel and makes it the default boot entry, the wildcards install far more than a web server needs, and every extra package (telnet, the whole -devel tree) is one more thing to keep patched.
**At this point, the CentOS server initialization is complete.**