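The company recently upgraded its servers to CentOS 6.7, and I put together a system optimization plan for them.
CentOS optimization
Configure the network interfaces
Change the hostname
Disable SELinux and flush the firewall rules
Create a regular user and grant sudo rights with visudo
Change the yum repository and install common software
Cron job: synchronize the time periodically
Trim the services started at boot
Cron job: automatically clean junk files from /var/spool/maildrop/ so the inodes do not fill up
Change the SSH service port and disable remote root login
Lock critical system files
Increase the file descriptor limit
Adjust the character set to support Chinese
Remove the system and kernel version banner shown before login
Kernel parameter tuning
1. Configure the network interfaces (this is a cloned machine, so UUID and MAC have been removed)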
vim /etc/sysconfig/network-scripts/ifcfg-eth0
# DEVICE must match the interface name in the file name
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPV6INIT=no
USERCTL=no
IPADDR=10.0.0.100
GATEWAY=10.0.0.2
DNS2=223.5.5.5
DNS1=10.0.0.2
NETMASK=255.255.255.0
vim /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPV6INIT=no
USERCTL=no
IPADDR=10.0.0.100
GATEWAY=10.0.0.2
DNS2=223.5.5.5
DNS1=10.0.0.2
NETMASK=255.255.255.0
Restart interface eth1
ifdown eth1 && ifup eth1
/etc/init.d/network restart
echo '>/etc/udev/rules.d/70-persistent-net.rules' >>/etc/rc.local
2. Change the hostname
hostname zhang    # temporary change, lost on reboot
vim /etc/sysconfig/network    # permanent change: set HOSTNAME=zhang
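3. Check DNS
Alibaba DNS server
223.5.5.5
vim /etc/resolv.conf
(Settings in the interface configuration file take precedence.)
4. Disable SELinux
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
grep SELINUX=disabled /etc/selinux/config
# setenforce 0 switches the running system to permissive until the next reboot
setenforce 0
getenforce
Flush the firewall rules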
iptables -F
iptables -L 1>>~/install.ok 2>>install.bug
/etc/init.d/iptables save
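5. Create a regular user and grant sudo rights with visudo
useradd zhang
id zhang
echo '123456'|passwd --stdin zhang
echo 'zhang ALL=(ALL) NOPASSWD: ALL' >>/etc/sudoers
# visudo -c checks the sudoers file for syntax errors
visudo -c
6. Change the yum repository
Back up the local yum repository file
Method 1: prepare your own repository configuration file and upload it to the Linux host
Method 2: use the repository configuration file provided by a mirror site
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.f1.ori
ls /etc/yum.repos.d/CentOS-Base.repo.f1.ori 1>>~/install.ok 2>>install.bug
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
# rebuild the metadata cache once the new repository file is in place
yum makecache
yum install lrzsz tree sysstat -y
rpm -qa lrzsz tree nmap sysstat 1>>~/install.ok 2>>install.bug
sysstat: tools for monitoring system performance and efficiency
dos2unix: converts DOS-format text files to Unix format
nmap: network scanning and host discovery
Colorized grep matches (for lab use)
# the alias keyword is required; without it the line only sets a shell variable
echo 'alias grep="grep --color=auto"' >>/etc/profile
. /etc/profile
grep 'grep="grep --color=auto"' /etc/profile 1>>~/install.ok 2>>install.bug
7. Cron job: synchronize the time periodically
echo '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' >>/var/spool/cron/root
crontab -l 1>>~/install.ok 2>>install.bug
8. Trim the services started at boot
# turn off every service that is enabled in runlevel 3
for n in `chkconfig --list|grep "3:on"|awk '{print $1}'`; do chkconfig $n off; done
# re-enable only crond, network, rsyslog, sshd and sysstat
chkconfig --list|egrep 'crond|network|rsyslog|sshd|sysstat'|awk '{print "chkconfig "$1" on"}'|bash
chkconfig --list|grep "3:on" 1>>~/install.ok 2>>install.bug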
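9. Cron job: clean junk files from the maildrop directory so the inodes do not fill up
mkdir /server/scripts -p
ls -l /server/scripts/ 1>>~/install.ok 2>>install.bug
# the quoted string spans two lines so the shebang and the find command land on separate lines
echo '#!/bin/bash
find /var/spool/postfix/maildrop -type f|xargs rm -f' >/server/scripts/clean_mail.sh
cat /server/scripts/clean_mail.sh 1>>~/install.ok 2>>install.bug
# comment line plus the cron entry, again written as two lines
echo '#clean /var/spool/postfix/maildrop
00 00 * * * /bin/sh /server/scripts/clean_mail.sh' >>/var/spool/cron/root
crontab -l 1>>~/install.ok 2>>install.bug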
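10. Change the SSH service port and disable remote root login
# back up to sshd_config.f1.ori (the dot is needed for the ls check below)
cp /etc/ssh/sshd_config{,.f1.ori}
ls /etc/ssh/sshd_config.f1.ori 1>>~/install.ok 2>>install.bug
# plain -i: GNU sed reads "-ir" as -i with backup suffix "r"
sed -i '13 iPort 52113\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\nGSSAPIAuthentication no' /etc/ssh/sshd_config
sed -n 13,17p /etc/ssh/sshd_config 1>>~/install.ok 2>>install.bug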
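The sed command above inserts the new settings at line 13 rather than appending them, which matters because sshd keeps the first value it reads for each keyword. The following is an added example, not part of the original post, that checks which value is actually effective; the function names and the two sample files are constructed for illustration.

```bash
# Added example. sshd keeps the FIRST value it reads for each keyword, so the
# lines inserted at line 13 take effect only because they precede stock ones.

# effective_value FILE KEYWORD: first uncommented value in the global section
effective_value() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                              # comment line
        tolower($1) == "match" { exit }                  # global section ends
        tolower($1) == tolower(want) { print $2; exit }  # first value wins
    ' "$1"
}

# audit_sshd FILE: print each deviation; return status = number of deviations
audit_sshd() {
    bad=0
    while read -r key want; do
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want '$want', effective '${got:-unset}'"
            bad=$((bad + 1))
        fi
    done <<'EOF'
Port 52113
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no
GSSAPIAuthentication no
EOF
    return "$bad"
}

# Constructed sample files (not a real sshd_config) in a temp directory.
tmp=$(mktemp -d)
# Case 1: hardening lines placed near the top, stock values follow.
printf '%s\n' '# sample' 'Port 52113' 'PermitRootLogin no' \
    'PermitEmptyPasswords no' 'UseDNS no' 'GSSAPIAuthentication no' \
    '#Port 22' 'GSSAPIAuthentication yes' >"$tmp/top"
# Case 2: same lines appended at the end; the earlier stock value wins.
printf '%s\n' '# sample' 'GSSAPIAuthentication yes' 'Port 52113' \
    'PermitRootLogin no' 'PermitEmptyPasswords no' 'UseDNS no' \
    'GSSAPIAuthentication no' >"$tmp/bottom"

audit_sshd "$tmp/top" && echo "top: all settings effective"
audit_sshd "$tmp/bottom" || echo "bottom: $? setting(s) overridden"
```

On a live host, `sshd -t` checks the file for syntax errors and `sshd -T` prints the effective configuration.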
11. Lock critical system files
chattr +i /etc/passwd
chattr +i /etc/inittab
chattr +i /etc/group
chattr +i /etc/shadow
chattr +i /etc/gshadow
# lsattr takes only file names; the "i" flag appears in its output
lsattr /etc/passwd 1>>~/install.ok 2>>install.bug
lsattr /etc/inittab 1>>~/install.ok 2>>install.bug
lsattr /etc/group 1>>~/install.ok 2>>install.bug
lsattr /etc/shadow 1>>~/install.ok 2>>install.bug
lsattr /etc/gshadow 1>>~/install.ok 2>>install.bug
After using the chattr command, we rename the binary for safety.
/bin/mv /usr/bin/chattr /usr/bin/<new_name>    # placeholder: any name you choose
13. Adjust the character set to support Chinese
sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.GB18030"#' /etc/sysconfig/i18n
source /etc/sysconfig/i18n
14. Remove the system and kernel version banner shown before login
>/etc/issue
>/etc/redhat-release
Compiled and published by 章曾, 老男孩 class 28.
Thanks here to teacher 老男孩 for his instruction.
One-click optimization script
# Cloned machine: empty the persistent net rules at every boot
echo '#######克隆机清空文件#####' 1>>~/install.ok 2>>install.bug
echo '>/etc/udev/rules.d/70-persistent-net.rules' >>/etc/rc.local
tail -1 /etc/rc.local 1>>~/install.ok 2>>install.bug
# Change the hostname
echo '#######修改主机名#####' 1>>~/install.ok 2>>install.bug
hostname zhang
sed -i 's#HOSTNAME=.*#HOSTNAME=zhang#g' /etc/sysconfig/network
cat /etc/sysconfig/network 1>>~/install.ok 2>>install.bug
# Disable SELinux
echo '#######关闭selinux#####' 1>>~/install.ok 2>>install.bug
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
grep SELINUX=disabled /etc/selinux/config 1>>~/install.ok 2>>install.bug
setenforce 0
getenforce 1>>~/install.ok 2>>install.bug
# Flush the firewall rules (the original repeated the SELinux label here)
echo '#######清空防火墙#####' 1>>~/install.ok 2>>install.bug
iptables -F
iptables -L 1>>~/install.ok 2>>install.bug
/etc/init.d/iptables save
# Create a user and grant sudo rights
echo '#######新建用户sudo授权#####' 1>>~/install.ok 2>>install.bug
useradd zhang
id zhang 1>>~/install.ok 2>>install.bug
echo '123456'|passwd --stdin zhang
echo 'zhang ALL=(ALL) NOPASSWD: ALL' >>/etc/sudoers
visudo -c 1>>~/install.ok 2>>install.bug
# Change the yum repository and install common software
echo '#######更改yum源安装常用软件#####' 1>>~/install.ok 2>>install.bug
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
ls /etc/yum.repos.d/CentOS-Base.repo.backup 1>>~/install.ok 2>>install.bug
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
yum install lrzsz tree sysstat -y
rpm -qa lrzsz tree nmap sysstat 1>>~/install.ok 2>>install.bug
# Colorized grep (the alias keyword is required)
echo '#######grep变色#####' 1>>~/install.ok 2>>install.bug
echo 'alias grep="grep --color=auto"' >>/etc/profile
. /etc/profile
grep 'grep="grep --color=auto"' /etc/profile 1>>~/install.ok 2>>install.bug
# Synchronize the time every five minutes
echo '#######定时更新时间#####' 1>>~/install.ok 2>>install.bug
echo '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' >>/var/spool/cron/root
crontab -l 1>>~/install.ok 2>>install.bug
# Trim the services started at boot
echo '#######精简开机启动项#####' 1>>~/install.ok 2>>install.bug
for n in `chkconfig --list|grep "3:on"|awk '{print $1}'`; do chkconfig $n off; done
chkconfig --list|egrep 'crond|network|rsyslog|sshd|sysstat'|awk '{print "chkconfig "$1" on"}'|bash
chkconfig --list|grep "3:on" 1>>~/install.ok 2>>install.bug
# Clean the temporary mail queue
echo '#######清理临时邮件队列#####' 1>>~/install.ok 2>>install.bug
mkdir /server/scripts -p
ls -l /server/scripts/ 1>>~/install.ok 2>>install.bug
echo '#!/bin/bash
find /var/spool/postfix/maildrop -type f|xargs rm -f' >/server/scripts/clean_mail.sh
cat /server/scripts/clean_mail.sh 1>>~/install.ok 2>>install.bug
echo '#clean /var/spool/postfix/maildrop
00 00 * * * /bin/sh /server/scripts/clean_mail.sh' >>/var/spool/cron/root
crontab -l 1>>~/install.ok 2>>install.bug
# SSH hardening (plain -i: GNU sed reads "-ir" as -i with backup suffix "r")
cp /etc/ssh/sshd_config{,.f1.ori}
ls /etc/ssh/sshd_config.f1.ori 1>>~/install.ok 2>>install.bug
echo '#######ssh安全#####' 1>>~/install.ok 2>>install.bug
sed -i '13 iPort 52113\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\nGSSAPIAuthentication no' /etc/ssh/sshd_config
sed -n 13,17p /etc/ssh/sshd_config 1>>~/install.ok 2>>install.bug
# Lock important files (lsattr takes only file names)
echo '#######锁定重要文件#####' 1>>~/install.ok 2>>install.bug
chattr +i /etc/passwd
chattr +i /etc/inittab
chattr +i /etc/group
chattr +i /etc/shadow
chattr +i /etc/gshadow
lsattr /etc/passwd 1>>~/install.ok 2>>install.bug
lsattr /etc/inittab 1>>~/install.ok 2>>install.bug
lsattr /etc/group 1>>~/install.ok 2>>install.bug
lsattr /etc/shadow 1>>~/install.ok 2>>install.bug
lsattr /etc/gshadow 1>>~/install.ok 2>>install.bug
# Empty the system and kernel version banner files
echo '#######清空内核系统名#####' 1>>~/install.ok 2>>install.bug
>/etc/issue
>/etc/redhat-release
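The one-click script writes to /etc/rc.local, /etc/sudoers, /etc/profile and /var/spool/cron/root with `>>`, so every re-run adds another copy of each line. The following is an added example, not part of the original script, of a guarded append; the helper names ensure_line and count_line are assumptions, and temp files stand in for the real paths.

```bash
# Added example: re-run-safe replacement for the script's `echo ... >>file`.
# ensure_line FILE LINE appends LINE only when no identical line is present.
ensure_line() {
    [ -e "$1" ] || : >"$1"                       # create the file if missing
    grep -qxF -e "$2" "$1" || printf '%s\n' "$2" >>"$1"
}

# count_line FILE LINE prints how many times LINE occurs as a whole line.
count_line() {
    grep -cxF -e "$2" "$1" || true   # grep -c prints 0 but exits 1 on no match
}

# Stand-ins for /var/spool/cron/root and /etc/rc.local (constructed temp files).
work=$(mktemp -d)
cron_line='*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1'
rc_line='>/etc/udev/rules.d/70-persistent-net.rules'

# Simulate running the setup three times, both ways.
for run in 1 2 3; do
    echo "$cron_line" >>"$work/cron.plain"       # what the script does
    ensure_line "$work/cron.safe" "$cron_line"   # guarded append
    ensure_line "$work/rc.local" "$rc_line"
done

echo "plain append: $(count_line "$work/cron.plain" "$cron_line") copies"
echo "ensure_line:  $(count_line "$work/cron.safe" "$cron_line") copy"
```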