- 關閉防火牆和SElinux
- 更改yum源
- 精簡開機自啓動服務
- 優化ssh登錄策略
- 優化用戶與登錄策略
- 添加定時任務服務器進行時間同步
- 調整文件描述符大小
- 內核參數優化
- 鎖定關鍵系統文件
- history顯示時間
- 刪除登錄信息
- 安裝必要的軟件
- 修改系統默認字符集
- 歷史命令記錄數量調小
- 禁ping
- grub加密碼
- lvs/haproxy負載均衡代理內核參數配置
- nginx/apache生產內核參數優化
- squid/varnish/nginx proxy 生產內核優化
1.關閉防火牆和SElinux
有外網機器的要開啓配置防火牆,僅開啓需要提供服務的端口
#iptables
service iptables stop
/sbin/chkconfig iptables off
#selinux
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
2.更改yum源
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo -O /etc/yum.repos.d/CentOS-Base.repo
3.精簡開機自啓動服務
LANG=en #如果是中文字符集需要執行一下
for i in `chkconfig --list|grep 3:on|awk '{print $1}'|grep -Ev "crond|network|rsyslog|sshd|sysstat"`;do chkconfig --level 3 $i off;done
4.優化ssh登錄策略
# /etc/ssh/sshd_config
Port 22 連接端口
PermitRootLogin no 禁止root遠程登錄
PermitEmptyPasswords 禁止空密碼登錄
UseDNS no 不使用DNS反向解析
GSSAPIAuthentication no linux下SSH遠程連接服務慢解決方案
###
sed -i 's/#Port 22/Port 52113/' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
/etc/init.d/sshd restart
5.優化用戶與登錄策略
username='sysadmin'
password='sysadmin'
useradd $username && echo $password | passwd --stdin $username &>/dev/null
sed -i "99i sysadmin ALL=(ALL) NOPASSWD:ALL" /etc/sudoers
echo "Defaults logfile=/var/log/sudo.log" >>/etc/sudoers
echo "local2.debug /var/log/sudo.log" >>/etc/rsyslog.conf
6.添加定時任務服務器進行時間同步
/usr/sbin/ntpdate pool.ntp.org &>/dev/null
echo '#Update time' >>/var/spool/cron/root
echo '*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1' >>/var/spool/cron/root
7.調整文件描述符大小
ulimit -HSn 65535
cat >> /etc/security/limits.conf << EOF
* soft nofile 65535
* hard nofile 65535
EOF
8.內核參數優化
cat >> /etc/sysctl.conf << EOF
vm.swappiness = 0
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max=25000000
net.netfilter.nf_conntrack_tcp_timeout_established=180
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120
EOF
/sbin/sysctl -p
#net.ipv4.tcp_fin_timeout = 2 表示如果套接字由本端要求關閉,這個參數決定了它保持在FIN-WAIT-2的狀態時間,單位是秒,這個就是四次斷開的最後一下,減少等待時間。
#net.ipv4.tcp_tw_reuse = 1 表示開啓重用。允許TIME-WAIT套接字重新用於新的TCP鏈接。默認是0表示關閉。
#net.ipv4.tcp_tw_recycle = 1 表示開啓TCP連接中的TIME-WAIT套接字的快速回收,默認是0表示關閉(注意:該參數與經過NAT的客戶端不兼容,可能導致部分客戶端無法建立連接,新版內核已移除;本節的配置塊中並未啓用它)
#net.ipv4.tcp_syncookies = 1 表示開啓SYN Cookies。當出現SYN等待隊列溢出時,啓用cookie來處理,可防範少量的SYN攻擊。默認爲0,表示關閉。
#net.ipv4.tcp_keepalive_time =600 表示當keepalive啓用時,TCP發送keepalive消息的頻率,默認是2小時,這裏改爲10分鐘
#net.ipv4.ip_local_port_range = 4096 65000 #表示向外連接的端口範圍,默認很少,32768~65535
#net.ipv4.tcp_max_syn_backlog = 16384 表示SYN隊列的長度,默認爲1024,加大隊列長度爲16384,可以容納更多等待連接的網絡連接數。
#net.ipv4.tcp_max_tw_buckets = 36000 表示系統同時保持TIME_WAIT套接字的最大數量,如果超過這個數字,TIME_WAIT套接字將立刻被清除並打印警告信息。默認爲180000,改爲36000。對於Apache、Nginx等服務器,前面介紹的幾個參數已經可以很好地減少TIME_WAIT套接字數量,但是對於Squid來說,效果卻不大。有了此參數就可以控制TIME_WAIT套接字的最大數量,避免Squid服務器被大量的TIME_WAIT套接字拖死。
#net.ipv4.route.gc_timeout = 100 路由緩存刷新頻率,當一個路由失敗後多長時間跳到另一個默認是300秒
#net.ipv4.tcp_syn_retries = 1 對於一個新建連接,內核要發送多少個 SYN 連接請求才決定放棄。不應該大於255,默認值是5,對應於180秒左右。
#net.ipv4.tcp_synack_retries = 1 對於遠端的連接請求SYN,內核會發送SYN + ACK數據報,以確認收到上一個 SYN連接請求包。這是所謂的三次握手( threeway handshake)機制的第二個步驟。這裏決定內核在放棄連接之前所送出的 SYN+ACK 數目。不應該大於255,默認值是5,對應於180秒左右時間。
#net.core.somaxconn = 16384 用來限制監聽(LISTEN)隊列最大數據包的數量,超過這個數量就會導致鏈接超時或者觸發重傳機制。web應用中listen函數的backlog默認會給我們內核參數的net.core.somaxconn限制到128,而nginx定義的NGX_LISTEN_BACKLOG默認爲511,所以有必要調整這個值。對繁忙的服務器,增加該值有助於網絡性能。默認是128.
#net.core.netdev_max_backlog = 16384 每個網絡接口接收數據包的速率比內核處理這些包的速率快時,允許送到隊列的數據包的最大數目,對重負載服務器而言,該值需要調高一點。默認是1024
#net.ipv4.tcp_max_orphans = 16384 系統所能處理不屬於任何進程的TCP sockets最大數量。假如超過這個數量﹐那麼不屬於任何進程的連接會被立即reset,並同時顯示警告信息。之所以要設定這個限制﹐純粹爲了抵禦那些簡單的 DoS 攻擊﹐千萬不要依賴這個或是人爲的降低這個限制。如果內存大更應該增加這個值。默認值是8192.
#以下參數是對iptables防火牆的優化,防火牆不開(nf_conntrack模塊未加載)時sysctl -p會提示這些鍵不存在,可以忽略不理。
#net.ipv4.ip_conntrack_max = 25000000 系統支持的最大ipv4連接數,默認65536,同時這個值和你的內存大小有關,如果內存128M,這個值最大8192,1G以上內存這個值都是默認65536
#net.nf_conntrack_max = 25000000
#net.netfilter.nf_conntrack_max = 25000000
#net.netfilter.nf_conntrack_tcp_timeout_established = 180 已建立的tcp連接的超時時間,默認432000,也就是5天,這個值過大將導致一些可能已經不用的連接常駐於內存中,佔用大量鏈接資源,從而可能導致NAT ip_conntrack: table full的問題,這裏調小了
#net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
#net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
#net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
9.鎖定關鍵系統文件
鎖定關鍵系統文件:chattr +i <文件> 加鎖,chattr -i <文件> 解鎖
/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab /etc/services /etc/rc.local
lsattr file :查看文件是否加鎖
10.history顯示時間
# cat /etc/profile #加上下面一句話
HISTTIMEFORMAT="%F %T `whoami` "
# source /etc/profile #生效一下
11.刪除登錄信息
>/etc/issue
>/etc/motd
12.安裝必要的軟件
yum install lrzsz ntpdate sysstat tree wget nmap telnet -y
13.修改系統默認字符集
# vi /etc/sysconfig/i18n
LANG="zh_CN.UTF-8" #這裏改成你想要的字符集,如果想搞成gbk就這樣LANG="zh_CN.GB18030"
# source /etc/sysconfig/i18n #使生效
14.歷史命令記錄數量調小
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile #將歷史記錄值由1000變爲10
source /etc/profile #使生效
15.禁ping(非必須)
echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf
16.grub加密碼(非必須)
1)先用/sbin/grub-md5-crypt產生一個MD5密碼串
# /sbin/grub-md5-crypt
Password:
Retype password:
$1$7XIYM/$L4is2wwmH0CZqGH1Oq4RY.
2)修改grub.conf文件
# vim /etc/grub.conf
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
password --md5 $1$jJJYM/$lfH83xAKeks/dkptv7wx9. #注意:password必須加在splashimage和title之間這段,否則不能生效
title CentOS (2.6.32-431.el6.x86_64)
17.lvs/haproxy負載均衡代理內核參數配置
#vm.swappiness = 0
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
#net.ipv4.tcp_max_orphans = 16384
# iptables -V
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max=25000000
net.netfilter.nf_conntrack_tcp_timeout_established=180
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120
18.nginx/apache生產內核參數優化
net.ipv4.tcp_max_syn_backlog = 65536
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 2048 65535
19.squid/varnish/nginx proxy 生產內核優化
CDN公司cache服務器內核優化
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 1800000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_retriesl = 22 # 注意:原文此處為 tcp_retriesl,並非有效的內核參數(內核只有 tcp_retries1 和 tcp_retries2),使用前需按實際意圖更正
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3
以下腳本包含優化的前8項:
# cat system_optimization.sh
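#!/bin/bash
# system_optimization.sh - applies the first eight tuning steps described
# above (firewall/SELinux, yum repo, boot services, sshd, sudo user, time
# sync, file limits, kernel parameters) to a CentOS 6 host.
# Must run as root. Sources /etc/init.d/functions for the action() helper
# that every step uses to print its OK/FAILED status line; without it the
# steps would fail on an undefined command, so check for it up front.
if [ ! -r /etc/init.d/functions ]; then
  echo "Cannot read /etc/init.d/functions (is this a CentOS/RHEL 6 host?)." >&2
  exit 1
fi
. /etc/init.d/functions
# Require root: every step writes under /etc and restarts services.
# Checked by uid rather than login name so a renamed uid-0 account passes.
if [ "$(id -u)" -ne 0 ]; then
  echo "Please run this script as root." >&2
  exit 1
fi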
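close_iptables_selinux(){
  #######################################
  # Step 1: stop iptables, keep it off at boot, and switch SELinux from
  # enforcing to disabled (at runtime via setenforce, persistently via
  # /etc/selinux/config so it stays off after a reboot).
  # NOTE(review): the notes above say hosts reachable from outside should
  # keep the firewall and open only the ports they serve; this step removes
  # both the packet filter and the MAC layer, so apply it to internal hosts
  # only.
  # Outputs: one action() status line on stdout.
  # Returns: 0 on success, 1 if any sub-step failed.
  #######################################
  local rc=0
  /etc/init.d/iptables stop &> /dev/null || rc=1
  /sbin/chkconfig iptables off || rc=1
  # getenforce prints Enforcing/Permissive/Disabled; only the enforcing
  # case needs the runtime switch. The sed only rewrites SELINUX=enforcing,
  # so a host already in permissive mode keeps that setting.
  if [ "$(getenforce)" == "Enforcing" ]; then
    setenforce 0 || rc=1
    sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config || rc=1
  fi
  # The original tested $? right after the if-block, which reported FAILED
  # whenever SELinux was not enforcing (the false test was the last command).
  if [ "$rc" -eq 0 ]; then
    action "close iptables and selinux" /bin/true
  else
    action "close iptables and selinux" /bin/false
  fi
  return "$rc"
}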
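update_yum_repo(){
  #######################################
  # Step 2: replace the stock CentOS-Base.repo with the mirrors.163.com repo
  # definition, keeping a .backup copy of the original.
  # NOTE(review): the repo file is fetched over plain HTTP with no checksum
  # or signature check, so anyone on the path could swap mirror URLs or
  # turn off gpgcheck. Inspect the downloaded file (gpgcheck=1 still set,
  # expected baseurl) before trusting it, or serve it from an internal
  # location you control.
  # Outputs: one action() status line on stdout.
  # Returns: 0 on success, 1 on failure.
  #######################################
  local rc=0
  local repo=/etc/yum.repos.d/CentOS-Base.repo
  # Back up only when the stock file exists; its absence is not an error.
  if [ -e "$repo" ]; then
    mv "$repo" "${repo}.backup" || rc=1
  fi
  wget http://mirrors.163.com/.help/CentOS6-Base-163.repo -O "$repo" &>/dev/null || rc=1
  # wget -O creates (or truncates) the target even when the download fails,
  # so additionally require a non-empty result.
  [ -s "$repo" ] || rc=1
  if [ "$rc" -eq 0 ]; then
    action "Update yum repo" /bin/true
  else
    action "Update yum repo" /bin/false
  fi
  return "$rc"
}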
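service(){
  #######################################
  # Step 3: turn off every runlevel-3 boot service except the allow list
  # (crond, network, rsyslog, sshd, sysstat).
  # NOTE(review): this function is named like the /sbin/service command and
  # shadows it for the rest of the script; nothing here calls that command,
  # but keep it in mind when extending the script.
  # The allow-list pattern is an unanchored substring match, exactly as
  # written above, so any service whose name contains one of those words
  # is kept as well.
  # chkconfig --list output is localised; force the C locale so the "3:on"
  # column matches regardless of the caller's LANG (the notes above set
  # LANG=en by hand for the same reason).
  # Outputs: one action() status line on stdout.
  # Returns: 0 on success, 1 if any chkconfig call failed.
  #######################################
  local rc=0
  local svc
  while IFS= read -r svc; do
    [ -n "$svc" ] || continue
    # Track failures across the whole loop; the original only saw the
    # status of the last iteration.
    chkconfig --level 3 "$svc" off || rc=1
  done < <(LC_ALL=C chkconfig --list | grep 3:on | awk '{print $1}' | grep -Ev "crond|network|rsyslog|sshd|sysstat")
  if [ "$rc" -eq 0 ]; then
    action "Service optimization" /bin/true
  else
    action "Service optimization" /bin/false
  fi
  return "$rc"
}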
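ssh(){
  #######################################
  # Step 4: harden sshd_config - move the listener to port 52113, refuse
  # root and empty-password logins, and turn off the DNS/GSSAPI lookups
  # that slow down connection setup - then restart sshd.
  # NOTE(review): this function shadows the ssh client command for the rest
  # of the script.
  # NOTE(review): the sed patterns only rewrite the commented-out defaults
  # shipped with CentOS 6; a config that already sets these keys is left
  # as-is, and the final grep for "Port 52113" is what decides success.
  # NOTE(review): with root login refused and the port moved, the non-root
  # sudo user from step 5 must work and, on hosts that keep the firewall or
  # SELinux, port 52113 must be allowed before the restart - otherwise the
  # next login is locked out.
  # Outputs: one action() status line on stdout.
  # Returns: 0 on success, 1 on failure.
  #######################################
  local rc=0
  local cfg=/etc/ssh/sshd_config
  sed -i 's/#Port 22/Port 52113/' "$cfg" || rc=1
  sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' "$cfg" || rc=1
  sed -i 's/^#PermitEmptyPasswords no/PermitEmptyPasswords no/' "$cfg" || rc=1
  sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' "$cfg" || rc=1
  sed -i 's/#UseDNS yes/UseDNS no/' "$cfg" || rc=1
  # Validate the edited config before restarting: restarting with a broken
  # config leaves no listener at all on a remote host.
  if /usr/sbin/sshd -t &>/dev/null; then
    /etc/init.d/sshd restart &>/dev/null || rc=1
  else
    rc=1
  fi
  grep "Port 52113" "$cfg" &>/dev/null || rc=1
  if [ "$rc" -eq 0 ]; then
    action "Optimization of SSH" /bin/true
  else
    action "Optimization of SSH" /bin/false
  fi
  return "$rc"
}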
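sudo(){
  #######################################
  # Step 5: create an administrative login with passwordless sudo and send
  # sudo's own log to /var/log/sudo.log via rsyslog.
  # NOTE(review): this function shadows the sudo command for the rest of
  # the script.
  # NOTE(review): the defaults are the values written above - user name and
  # password both 'sysadmin', plus NOPASSWD:ALL. After step 4 refuses root
  # logins this account is the only remote door, so set SYSADMIN_USER /
  # SYSADMIN_PASSWORD in the environment (or change the password right
  # after the run) and consider dropping NOPASSWD.
  # Outputs: one action() status line on stdout.
  # Returns: 0 on success, 1 on failure.
  #######################################
  local rc=0
  local username=${SYSADMIN_USER:-sysadmin}
  local password=${SYSADMIN_PASSWORD:-sysadmin}
  local sudoers=/etc/sudoers
  local rule="$username ALL=(ALL) NOPASSWD:ALL"
  local logline="Defaults logfile=/var/log/sudo.log"
  # A re-run must not reset the password of an account that already exists.
  if ! id "$username" &>/dev/null; then
    if useradd "$username"; then
      printf '%s\n' "$password" | passwd --stdin "$username" &>/dev/null || rc=1
    else
      rc=1
    fi
  fi
  # The original used `sed -i "99i ..."`, which silently inserts nothing
  # when /etc/sudoers has fewer than 99 lines, and hard-coded 'sysadmin'
  # instead of $username. Append each line once, then have visudo check the
  # file before sudo starts parsing a possibly broken sudoers.
  grep -qF -- "$rule" "$sudoers" || printf '%s\n' "$rule" >> "$sudoers" || rc=1
  grep -qF -- "$logline" "$sudoers" || printf '%s\n' "$logline" >> "$sudoers" || rc=1
  visudo -c -f "$sudoers" &>/dev/null || rc=1
  grep -qF -- "local2.debug /var/log/sudo.log" /etc/rsyslog.conf || echo "local2.debug /var/log/sudo.log" >> /etc/rsyslog.conf || rc=1
  # The original tested $? here, which only reflected the rsyslog.conf
  # append, not useradd/passwd/sudoers.
  if [ "$rc" -eq 0 ]; then
    action "Sudo authorization" /bin/true
  else
    action "Sudo authorization" /bin/false
  fi
  return "$rc"
}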
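update_time(){
  #######################################
  # Step 6: set the clock once from pool.ntp.org and install a root cron
  # job that repeats it every five minutes.
  # NOTE(review): ntpdate steps the clock, unauthenticated, from whichever
  # pool host answers. Accurate time matters for log correlation and
  # certificate validation, so on hosts where that is important prefer an
  # internal time source and the ntpd daemon.
  # Outputs: one action() status line on stdout.
  # Returns: 0 if the initial sync succeeded, 1 otherwise.
  #######################################
  local rc=0
  local crontab=/var/spool/cron/root
  local job='*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1'
  /usr/sbin/ntpdate pool.ntp.org &>/dev/null || rc=1
  if [ "$rc" -eq 0 ]; then
    action "Update time" /bin/true
  else
    action "Update time" /bin/false
  fi
  # Append the job only once; the original stacked a duplicate on every run.
  if ! grep -qF -- "$job" "$crontab" 2>/dev/null; then
    echo '#Update time' >>"$crontab"
    printf '%s\n' "$job" >>"$crontab"
  fi
  return "$rc"
}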
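set_file_limit(){
  #######################################
  # Step 7: raise the open-file limit to 65535 - for this shell right away
  # (ulimit) and for future logins via /etc/security/limits.conf, where
  # "-" sets soft and hard together (the notes above write two separate
  # soft/hard lines, which is equivalent).
  # Outputs: one action() status line on stdout.
  # Returns: 0 on success, 1 on failure.
  #######################################
  local rc=0
  local conf=/etc/security/limits.conf
  local line='* - nofile 65535'
  ulimit -HSn 65535 || rc=1
  # Append once; the original appended on every run.
  if ! grep -qF -- "$line" "$conf"; then
    printf '%s\n' "$line" >> "$conf" || rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    action "Set file limit" /bin/true
  else
    action "Set file limit" /bin/false
  fi
  return "$rc"
}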
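kernel(){
  #######################################
  # Step 8: append the TCP/conntrack tuning block to /etc/sysctl.conf and
  # load it. Each value is explained line by line in the notes above.
  # NOTE(review): the net.nf_conntrack_max / net.netfilter.* keys exist
  # only while the nf_conntrack module is loaded; with iptables stopped
  # (step 1) sysctl -p reports them as unknown, which the redirect below
  # hides. The success check therefore confirms only that the file was
  # written, not that every key was applied.
  # NOTE(review): tcp_syn_retries/tcp_synack_retries = 1 give up a
  # handshake after a single retransmit (the notes give 5 as the default);
  # on lossy or high-latency links this can drop legitimate clients -
  # confirm it fits the workload.
  # Outputs: one action() status line on stdout.
  # Returns: 0 on success, 1 on failure.
  #######################################
  local rc=0
  local conf=/etc/sysctl.conf
  # Append the block once; a re-run would otherwise duplicate every key.
  if ! grep -q "net.nf_conntrack_max = 25000000" "$conf"; then
    cat >> "$conf" << EOF
vm.swappiness = 0
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max=25000000
net.netfilter.nf_conntrack_tcp_timeout_established=180
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120
EOF
  fi
  # Exit status deliberately ignored: unknown conntrack keys make it
  # non-zero even when everything else applied (see note above).
  /sbin/sysctl -p &>/dev/null
  grep -q "net.nf_conntrack_max = 25000000" "$conf" || rc=1
  if [ "$rc" -eq 0 ]; then
    action "Tune kernel parametres" /bin/true
  else
    action "Tune kernel parametres" /bin/false
  fi
  return "$rc"
}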
main(){
  # Run the eight steps in the order they are numbered above. Each prints
  # its own OK/FAILED line through action(); a failing step does not stop
  # the ones after it.
  local step
  for step in close_iptables_selinux update_yum_repo service ssh sudo \
      update_time set_file_limit kernel; do
    "$step"
  done
  # Closing banner, one line per argument.
  printf '%s\n' \
    '+-------------------------------------------------+' \
    '| optimizer is done |' \
    "| it's recommond to restart this server ! |" \
    '+-------------------------------------------------+'
}
main "$@"