Optimization:
1) Disable SELinux
Command: sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
setenforce 0 disables it temporarily, so there is no need to reboot right away
2) Switch the yum source
The default is mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib&infra=$infra
1: Back up: cd /etc/yum.repos.d && mv CentOS-Base.repo CentOS-Base.repo.ori
2: Download the 163 repo file: wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
3: Replace it: mv CentOS6-Base-163.repo CentOS-Base.repo
3) Download and install the necessary packages
yum install tree telnet dos2unix sysstat lrzsz -y
Respectively: directory tree display, connectivity testing, line-ending conversion, performance monitoring, upload and download
4) Turn off unneeded services that start at boot
Must stay enabled: crond network sshd rsyslog (syslog on CentOS 5.8)
chkconfig --list | grep "3:on"
for yuan in `chkconfig --list | grep "3:on" | awk '{print $1}'`; do chkconfig $yuan off; done
for yuan in crond network rsyslog sshd; do chkconfig $yuan on; done
Or in one step: for yuan in `chkconfig --list | grep "3:on" | awk '{print $1}' | grep -vE "crond|network|syslog|sshd"`; do chkconfig $yuan off; done
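The one-step loop above filters the service list with an unanchored grep, so any name that merely contains a kept name is also skipped. The following is an added example, not part of the original note: a whitelist filter that matches service names exactly and reads its input from stdin, so it is shown here against a constructed sample of chkconfig --list output rather than a live system. KEEP_SERVICES and SAMPLE_CHKCONFIG are names chosen for this example.

```shell
# Added example (not from the original note): whitelist-based filter over
# "chkconfig --list" output. Runlevel-3 services not on the keep list are
# printed one per line so they can be reviewed before "chkconfig <name> off".
KEEP_SERVICES="crond network rsyslog sshd"   # add "syslog" on CentOS 5.8

services_to_disable() {
    # $1: space-separated names to keep; stdin: chkconfig --list output
    keep_re=$(printf '%s' "$1" | sed 's/ /|/g')
    # exact-name match: "^(crond|network|rsyslog|sshd)$"
    grep '3:on' | awk '{print $1}' | grep -vE "^(${keep_re})\$"
}

# Constructed sample of "chkconfig --list" output for the demonstration.
SAMPLE_CHKCONFIG='auditd          0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond           0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups            0:off 1:off 2:on 3:on 4:on 5:on 6:off
network         0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix         0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog         0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd            0:off 1:off 2:on 3:on 4:on 5:on 6:off
udev-post       0:off 1:off 2:on 3:off 4:on 5:on 6:off'

# Dry run: print what would be switched off instead of calling chkconfig.
printf '%s\n' "$SAMPLE_CHKCONFIG" | services_to_disable "$KEEP_SERVICES" \
    | while read -r svc; do echo "would run: chkconfig $svc off"; done
# On a live system: chkconfig --list | services_to_disable "$KEEP_SERVICES"
```

The sample prints auditd, cups and postfix; udev-post is left alone because it is already 3:off. Reviewing the list before the loop that switches services off is cheap and avoids disabling something a name-substring match would have kept by accident.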
5) Change the ssh remote login service configuration
1: Change the port: in /etc/ssh/sshd_config set Port 65535
2: Forbid root login: in /etc/ssh/sshd_config set PermitRootLogin no
Or use key-based login
3: /etc/ssh/sshd_config UseDNS no speeds up ssh login
4: /etc/ssh/sshd_config GSSAPIAuthentication no speeds up ssh login
5: Restart the service: /etc/init.d/sshd restart (same as service sshd restart)
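Both the SELinux edit in step 1 and the sshd_config edits in step 5 are "find the line and change its value" operations, and a plain sed substitution silently does nothing when the key is commented out (as Port and PermitRootLogin are in a stock sshd_config) or absent. The following is an added example, not from the original note: a small idempotent setter that rewrites an existing or commented-out line and appends the key when it is missing. set_config_key and get_config_key are names chosen for this example, and the files it edits are constructed temporary copies, not the real system files.

```shell
# Added example (not from the original note): idempotent key/value setter
# for "KEY=value" files (/etc/selinux/config) and "Key value" files
# (/etc/ssh/sshd_config). Works on constructed temp files below.

set_config_key() {
    # $1 file, $2 key, $3 value, $4 separator ("=" for selinux, " " for sshd)
    file=$1 key=$2 value=$3 sep=$4
    tmp=$(mktemp)
    awk -v key="$key" -v sep="$sep" -v value="$value" '
        BEGIN { pat = "^[#[:space:]]*" key sep; seen = 0 }
        $0 ~ pat && !seen { print key sep value; seen = 1; next }  # rewrite first match
        $0 ~ pat { next }                                          # drop later duplicates
        { print }
        END { if (!seen) print key sep value }                     # append if absent
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file inode and mode
    rm -f "$tmp"
}

get_config_key() {
    # $1 file, $2 key, $3 separator; prints the active (uncommented) value
    awk -v key="$2" -v sep="$3" '
        BEGIN { pat = "^" key sep }
        $0 ~ pat { sub(pat, ""); print; exit }
    ' "$1"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
# Constructed stand-ins for /etc/selinux/config and /etc/ssh/sshd_config.
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$work/selinux_config"
printf '#Port 22\n#PermitRootLogin yes\nUseDNS yes\n' > "$work/sshd_config"

set_config_key "$work/selinux_config" SELINUX disabled "="
for kv in "Port 65535" "PermitRootLogin no" "UseDNS no" "GSSAPIAuthentication no"; do
    set_config_key "$work/sshd_config" "${kv% *}" "${kv#* }" " "
done
cat "$work/selinux_config" "$work/sshd_config"
```

After the run the SELinux file reads SELINUX=disabled with SELINUXTYPE untouched, and the sshd file has exactly four active lines with no commented-out leftovers, which is what a later audit with get_config_key (or sshd -T on a real host) should see.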
6) Give an ordinary user root privileges
1: visudo (same as vi /etc/sudoers); 98gg jumps to line 98, yy copies the line, p pastes it
2: On the pasted line change root to yuangq and the command ALL to /usr/sbin/useradd, i.e. yuangq ALL=(ALL) /usr/sbin/useradd; yuangq then has permission to run useradd.
3: As user yuangq, run sudo useradd
4: yuangq ALL=(ALL) NOPASSWD: ALL (full sudo without a password)
7) Server time synchronization with ntp
echo '#time sync by yuangq at 2016/11/8' >>/var/spool/cron/root
echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root
crontab -l to check the cron jobs
8) Raise the file descriptor limit
Check the current limit with ulimit -n; the maximum is 65535, and enough is enough
echo '* - nofile 65535' >>/etc/security/limits.conf
9) Tune kernel parameters
vi /etc/sysctl.conf
Append the following at the end:
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
Firewall (connection tracking) tuning
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
sysctl -p makes the settings take effect
It may report errors:
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
This error is caused by the loadable bridge module not being loaded automatically; the fix is to load the bridge module and have it loaded at boot
Do the following:
modprobe bridge
echo "modprobe bridge">> /etc/rc.local
It may also report:
error: "net.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_established" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_fin_wait" is an unknown key
These errors mean either that the firewall is not running or that the loadable ip_conntrack module has not been loaded automatically; there are two fixes: start the firewall, or load the nf_conntrack module automatically
Start the firewall: /etc/init.d/iptables start
modprobe nf_conntrack
echo "modprobe nf_conntrack">> /etc/rc.local
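Every "unknown key" above is a key with no entry under /proc/sys, which is what you get when the module that provides it is not loaded. The following is an added example, not from the original note: a pre-check that lists the keys of a sysctl fragment that are missing from /proc/sys and maps the key families used in this note to the module to load. missing_sysctl_keys and module_for_key are names chosen for this example; the second argument of missing_sysctl_keys is a hypothetical override of the /proc/sys root so the check can be demonstrated against a constructed tree.

```shell
# Added example (not from the original note): check a sysctl fragment for
# keys that have no /proc/sys entry before running "sysctl -p".

missing_sysctl_keys() {
    # $1: sysctl-format file; $2: /proc/sys root (defaults to the real one)
    root=${2:-/proc/sys}
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while IFS='=' read -r key rest; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        path="$root/$(printf '%s' "$key" | tr '.' '/')"   # net.core.somaxconn -> net/core/somaxconn
        [ -e "$path" ] || echo "$key"
    done
}

module_for_key() {
    # map the key families from the note to the module that provides them
    case $1 in
        net.bridge.*)                                     echo bridge ;;
        net.nf_conntrack_max|net.netfilter.nf_conntrack*) echo nf_conntrack ;;
        *)                                                echo unknown ;;
    esac
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
# Constructed sysctl fragment with keys taken from the note.
cat > "$work/sysctl.conf" <<'EOF'
net.ipv4.tcp_syncookies = 1
net.core.somaxconn = 16384
net.bridge.bridge-nf-call-iptables = 0
net.netfilter.nf_conntrack_max = 25000000
EOF
# Constructed stand-in for /proc/sys in which only the first two keys exist.
mkdir -p "$work/proc/net/ipv4" "$work/proc/net/core"
touch "$work/proc/net/ipv4/tcp_syncookies" "$work/proc/net/core/somaxconn"

missing_sysctl_keys "$work/sysctl.conf" "$work/proc" | while read -r k; do
    echo "missing: $k (load with: modprobe $(module_for_key "$k"))"
done
# On a live system: missing_sysctl_keys /etc/sysctl.conf
```

Against the constructed tree the check reports the bridge and nf_conntrack keys, matching the two error groups in the note. One of the values listed earlier also deserves a second look before it is applied: net.ipv4.tcp_tw_recycle = 1 drops connections from clients that sit behind a shared NAT address, and the parameter was removed in Linux 4.12, so on current kernels this same check will flag it as missing.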
10) Hide the system version
>/etc/issue or cat /dev/null >/etc/issue
11) Lock critical files
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab (chattr -i unlocks)
lsattr /etc/passwd shows ---i---e--; the i means the file is locked
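Locking the files is only useful if someone notices when the lock is gone. The following is an added example, not from the original note: a drift check that reads lsattr output and reports which of the locked files no longer carry the immutable flag. files_without_immutable, LOCKED_FILES and SAMPLE_LSATTR are names chosen for this example, and the sample lines are constructed.

```shell
# Added example (not from the original note): report files from lsattr
# output whose attribute string (first field, e.g. "----i--------e--")
# no longer contains "i". Reads stdin so it runs on constructed lines.
LOCKED_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab"

files_without_immutable() {
    # strip the attribute field and print the path (paths may contain spaces)
    awk '$1 !~ /i/ { sub(/^[^[:space:]]+[[:space:]]+/, ""); print }'
}

# Constructed lsattr output: two of the files have been unlocked.
SAMPLE_LSATTR='----i--------e-- /etc/passwd
----i--------e-- /etc/shadow
-------------e-- /etc/group
----i--------e-- /etc/gshadow
-------------e-- /etc/inittab'

printf '%s\n' "$SAMPLE_LSATTR" | files_without_immutable | while read -r f; do
    echo "not locked: $f (re-lock with: chattr +i $f)"
done
# On a live system: lsattr $LOCKED_FILES | files_without_immutable
```

Run from cron or a monitoring agent, a non-empty result is a signal worth alerting on, since removing the flag needs root and is not something routine package updates do.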
12) Periodically clean the /var/spool/clientmqueue junk directory (not needed on CentOS 6.4 and later)
echo "find /var/spool/clientmqueue/ -type f | xargs rm -f" >/server/scripts/del_sys_file.sh
echo "00 00 * * 0 /bin/sh /server/scripts/del_sys_file.sh >/dev/null 2>&1" >>/var/spool/cron/root
crontab -l | tail -2