在机器上安装完linux系统后,一般要做的有系统更新、软件安装、软件更新、系统优化等等,本次我们来讨论最容易忘却和忽略的系统优化。
以下针对linux列出一系列优化点,并列出每点的优化命令(经测试)
适用于(CentOS/Redhat/Fedora 5-6版本)
1. 关闭SELinux功能
sed -i ‘s/SELINUX=enforcing/SELINUX=disabled/‘ /etc/selinux/config
setenforce 0 > /dev/null 2>&1
2. 设置运行级别为3
sed -i ‘s#id:5:initdefault:#id:3:initdefault:#‘ /etc/inittab
3. 精简开机启动
方法一:
LANG=en && for name in `chkconfig --list | grep 3:on | awk ‘{print $1}‘ | grep -Ev "sshd|network|sysstat|crond|rsyslog" `; do chkconfig $name off; done
方法二:
LANG=en && chkconfig --list | grep 3:on | grep -vE "crond|sshd|network|rsyslog|sysstat" | awk ‘{print $1}‘ | sed -r ‘s#(.*)#chkconfig \1 off#g‘|bash
方法三:
LANG=en && chkconfig --list | grep 3:off | awk ‘{print $1}‘ | grep -Ev "sshd|network|sysstat|crond|rsyslog" | awk ‘{print "chkconfig " $1 " off"}‘ | bash
4. 关闭iptables防火墙(有外网ip需谨慎)
/etc/init.d/iptables stop && chkconfig iptables off
5. ssh优化 关闭userDNS检查、更改访问端口、禁止空密码登陆、禁止root登陆、关闭GSS检查
sed -r -e ‘s/#?UseDNS yes/UseDNS no/‘ \
-e ‘s/#+Port 22/Port 22/‘ \
-e ‘s/#+PermitEmptyPasswords no/PermitEmptyPasswords no/‘ \
-e ‘s/#+PermitRootLogin yes/PermitRootLogin no/‘ \
-e ‘s/GSSAPIAuthentication yes/GSSAPIAuthentication no/‘ \
-i /etc/ssh/sshd_config
##通过防火墙限制仅能使用内网IP连接服务器(慎用)
iptables -I INPUT -p tcp --dport 22 -s 192.168.56.0/24 -j ACCEPT
6. sudo安全管理
方法一:
visodu 手动管理
方法二:
sed -i "`grep -En "^root" /etc/sudoers| awk -F ‘:‘ ‘{print $1}‘`aroot\tALL=(ALL)\tNOPASSWD: ALL" /etc/sudoers && visudo -c
7. 中文显示 先备份,再修改,最后比对
cp /etc/sysconfig/i18n /etc/sysconfig/i18n.ori && sed -i ‘s#en_US.UTF-8#zh_CN.UTF-8#g‘ /etc/sysconfig/i18n && source /etc/sysconfig/i18n
8. 时间同步
echo "#time sync by cnlisea at `date +%F" "%T`" >> /var/spool/cron/root
echo "*/30 * * * * /usr/sbin/ntpdate pool.ntp.org > /dev/null 2>&1" >> /var/spool/cron/root hwclock
9. 系统使用设置
设置闲置账号超时时间
echo "export TMOUT=300" >> /etc/bashrc
设置历史命令数
echo "export HISTSIZE=5" >> /etc/bashrc
历史记录文件的命令数据
echo "export HISTFILESIZE=5" >> /etc/bashrc
source /etc/bashrc
10. 调整linux系统文件描述符数量
echo -e "*\t\t-\tnofile\t\t65535" >> /etc/security/limits.conf
source /etc/bashrc
11. linux内核参数优化
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net_ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
//是参iptables防火墙的优化
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
##重新加载系统参数
sysctl -p
12. 隐藏linux版本信息
> /etc/issue
> /etc/issue.net
13. 锁定关键系统文件(慎用)
加锁 chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
解锁 chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
将chattr改名转称
mv /usr/bin/chattr /usr/bin/lisea
14. 清除多余的系统虚拟账号
按需清理。
15. 禁止系统被ping(慎用)
echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
sysctl -p