[root@nfs01 ~]# uname -r
2.6.32-696.el6.x86_64
[root@nfs01 ~]# uname -m
x86_64
[root@nfs01 ~]# cat /etc/redhat-release
CentOS release 6.9 (Final)
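#!/usr/bin/env bash
# CentOS 6 post-install baseline: yum mirror, SELinux/iptables off, service
# trimming, sudo admin user, cron time sync, file-descriptor limits, kernel
# tuning, sshd hardening, ICMP echo off, and a refresh of openssh/openssl/bash.
# Must run as root on CentOS 6 (relies on /etc/init.d scripts and chkconfig).
# Env: MIRROR_BASE - base URL of the yum/epel repo files (default: Aliyun mirror).
set -euo pipefail

readonly MIRROR_BASE=${MIRROR_BASE:-https://mirrors.aliyun.com/repo}
readonly ADMIN_USER=abc
readonly SSH_PORT=52113
# Runlevel-3 services that stay enabled (substring match, as in the original filter).
readonly KEEP_SERVICES='crond|network|sshd|rsyslog|sysstat'

die() { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warn: %s\n' "$*" >&2; }

#######################################
# Timestamped copy of a file before it is modified.
# Arguments: $1 - file to back up (missing file is not an error)
# Outputs:   <file>.<YYYY-MM-DD_HH:MM:SS>.backup next to the original
#######################################
backup() {
  local f=$1
  [[ -e "$f" ]] || return 0
  cp -fp -- "$f" "$f.$(date +%F_%T).backup"
}

#######################################
# Append a line to a file unless that exact line is already there, so the
# script can be re-run without stacking duplicate cron/limits/sudo entries.
# Arguments: $1 - line, $2 - file
#######################################
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >>"$file"
}

#######################################
# Download a URL to a temp file and move it into place only on success.
# `wget -O /etc/yum.repos.d/X.repo` straight to the target truncates the
# target first, so a failed download leaves an empty repo file behind.
# Arguments: $1 - url, $2 - destination path
#######################################
fetch_to() {
  local url=$1 dest=$2 tmp
  tmp=$(mktemp) || die "mktemp failed"
  if ! wget -q -O "$tmp" -- "$url"; then
    rm -f -- "$tmp"
    die "download failed: $url"
  fi
  backup "$dest"
  mv -f -- "$tmp" "$dest"
  chmod 0644 -- "$dest"  # mktemp creates 0600; yum needs to read the repo file
}

# Replace the base and EPEL repo files with the mirror's copies and refresh metadata.
configure_yum() {
  fetch_to "$MIRROR_BASE/Centos-6.repo" /etc/yum.repos.d/CentOS-Base.repo
  fetch_to "$MIRROR_BASE/epel-6.repo" /etc/yum.repos.d/epel.repo
  yum makecache
}

# Disable SELinux persistently (config) and for the running kernel.
disable_selinux() {
  backup /etc/selinux/config
  sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
  grep -q 'SELINUX=disable' /etc/selinux/config \
    || die "SELINUX=disabled not present in /etc/selinux/config (was it already permissive?)"
  # setenforce exits non-zero when SELinux is already disabled at boot; not fatal.
  setenforce 0 || true
  getenforce
}

# Stop the firewall now and keep it off across reboots.
disable_iptables() {
  /etc/init.d/iptables stop
  chkconfig iptables off
}

# Turn off every runlevel-3 service except the keep list. Services are read
# into a loop instead of piping generated "chkconfig X off" text into bash.
# LC_ALL=C keeps chkconfig's column layout parseable whatever the system locale.
trim_services() {
  local svc
  while read -r svc; do
    chkconfig "$svc" off
  done < <(LC_ALL=C chkconfig --list | grep '3:on' | grep -Ev "$KEEP_SERVICES" | awk '{print $1}')
  LC_ALL=C chkconfig --list | grep '3:on' || true
}

# Create the admin user and grant passwordless sudo. The sudoers edit is made
# on a copy and validated with visudo before it replaces the live file, so a
# syntax error can never leave the host with a broken /etc/sudoers.
add_sudo_user() {
  local rule="$ADMIN_USER ALL=(ALL) NOPASSWD:ALL"
  local tmp
  id "$ADMIN_USER" >/dev/null 2>&1 || useradd "$ADMIN_USER"
  backup /etc/sudoers
  tmp=$(mktemp) || die "mktemp failed"
  cp -p -- /etc/sudoers "$tmp"
  grep -qxF -- "$rule" "$tmp" || printf '%s\n' "$rule" >>"$tmp"
  if ! visudo -c -f "$tmp"; then
    rm -f -- "$tmp"
    die "sudoers syntax check failed; /etc/sudoers left untouched"
  fi
  install -m 0440 -o root -g root -- "$tmp" /etc/sudoers
  rm -f -- "$tmp"
  tail -1 /etc/sudoers
}

# Sync the clock from ntp1.aliyun.com every five minutes via root's crontab.
configure_time_sync() {
  local cron=/var/spool/cron/root
  append_once '# time sync by odlboy at 2018-2-1' "$cron"
  append_once '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' "$cron"
  chmod 0600 -- "$cron"  # crontab(1) creates spool files 0600; match it when writing directly
  crontab -l
}

# Raise the open-file limit for all users.
configure_limits() {
  backup /etc/security/limits.conf
  append_once '* - nofile 65535' /etc/security/limits.conf
  tail -1 /etc/security/limits.conf
  # limits.conf is applied by PAM at login, so only new sessions see the new
  # value; the current shell still prints the old one here.
  ulimit -n
}

# Append the kernel tuning block once and load it.
configure_sysctl() {
  backup /etc/sysctl.conf
  if grep -q '^net.ipv4.tcp_max_orphans' /etc/sysctl.conf; then
    warn "sysctl tuning block already present in /etc/sysctl.conf, not appending again"
  else
    cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle breaks clients that reach this host through NAT and was
# removed in Linux 4.12; drop this line if NATed clients connect here.
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
# The following parameters are for the iptables connection tracker. If the firewall is not in use they can be ignored.
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
  fi
  # With iptables stopped the nf_conntrack module is usually not loaded, so
  # sysctl -p reports those keys as unknown and exits non-zero even though
  # every other key was applied; don't let set -e abort the run on that.
  sysctl -p || warn "sysctl -p reported errors (expected for nf_conntrack_* while the module is unloaded)"
}

install_tools() {
  yum -y install tree lrzsz telnet nc nmap dos2unix sysstat htop nload iptraf iftop
}

# Move sshd to a non-default port, forbid root and empty-password logins,
# and validate the config before reloading so a typo cannot lock everyone out.
harden_sshd() {
  local cfg=/etc/ssh/sshd_config
  local can_login=0
  backup "$cfg"
  sed -i "s/#Port 22/Port $SSH_PORT/g" "$cfg"
  # PermitRootLogin no is only safe once the admin user can actually
  # authenticate; a fresh useradd has neither a password nor a key.
  [[ -s "/home/$ADMIN_USER/.ssh/authorized_keys" ]] && can_login=1
  [[ $(passwd -S "$ADMIN_USER" 2>/dev/null | awk '{print $2}') == PS ]] && can_login=1
  if (( can_login )); then
    sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' "$cfg"
  else
    warn "$ADMIN_USER has no password and no authorized key; leaving PermitRootLogin unchanged to avoid lockout"
  fi
  sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' "$cfg"
  sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' "$cfg"
  sed -i 's/#UseDNS yes/UseDNS no/g' "$cfg"
  sshd -t -f "$cfg" || die "sshd_config failed validation; restore it from the .backup copy before reloading"
  /etc/init.d/sshd reload
}

# Ignore ICMP echo requests. Runtime only; add
# net.ipv4.icmp_echo_ignore_all = 1 to /etc/sysctl.conf to persist it.
# (The original `echo 1>/proc/...` redirected stdout instead of writing "1".)
disable_ping() {
  sysctl -w net.ipv4.icmp_echo_ignore_all=1
  # To allow ping again: sysctl -w net.ipv4.icmp_echo_ignore_all=0
}

# Bring openssh/openssl/bash to the latest versions in the configured repos.
# `yum install` on an installed package also upgrades it; `update` says so.
update_core_packages() {
  rpm -qa openssh openssl bash
  yum -y update openssh openssl bash
}

main() {
  (( EUID == 0 )) || die "must be run as root"
  configure_yum
  disable_selinux
  disable_iptables
  trim_services
  add_sudo_user
  configure_time_sync
  configure_limits
  configure_sysctl
  install_tools
  harden_sshd
  disable_ping
  update_core_packages
}
main "$@"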
Linux basic optimization and complete key summary
1 ) Do not log in to the management system as root, but log in as a normal user and manage through sudo authorization
2 ) Change the default ssh service port, prohibit the root user from logging in remotely, or even make the ssh service listen only on the intranet IP
3 ) Automatically update the time of the server regularly to synchronize it with the Internet time
4 ) Configure yum update source, download and install software package from domestic update source
5 ) Turn off SELinux and iptables (in work scenarios, if there is an external ip, iptables should generally be turned on, and servers with high concurrency and high traffic may not be turned on)
6 ) Adjust the number of file descriptors; every open process and file consumes file descriptors
7 ) Regularly and automatically clean up junk files in the mail directory to prevent the disk's inodes from being exhausted by small files (note that the directories to be cleaned differ between CentOS 6 and CentOS 5)
8 ) Streamline the services started at boot, keeping only the necessary ones (such as crond, sshd, network, rsyslog, sysstat)
9 ) Linux kernel parameter optimization /etc/sysctl.conf, execute sysctl -p to take effect
10 ) Change the system character set to "zh_CN.UTF-8" to make it support Chinese to prevent garbled characters
11 ) Lock key system files, such as /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab; after applying the above, rename chattr and lsattr to oldboy and move them away, which is more secure
12 ) Clear /etc/issue /etc/issue.net, remove the screen display before login of the system and kernel version
13 ) Clear redundant system virtual user accounts
14 ) Password for the grub boot menu
15 ) Prevent the host from being pinged
16 ) Patch and upgrade software with known vulnerabilities
Note: This blog is for reference only. Readers should adapt the configuration to their actual situation. For the content of this post, refer to the Old Boy book "Web Cluster Actual Combat".