1)关闭selinux
使用getenforce 可以查看selinux的状态
[[email protected] ~]$ getenforce
Enforcing
或者使用sestatus
[[email protected] ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
使用setenforce 0临时关闭selinux(为宽容模式Permissive)
[[email protected] ~]# setenforce 0
[[email protected] ~]# getenforce
Permissive
要永久关闭操作如下(红色为修改部分)
[[email protected] ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
注意修改后要重启服务器然后再查看一下状态
[[email protected] ~]$ sestatus
SELinux status: disabled
2)关闭防火墙
注意:centos7的防火墙默认使用的是firewalld
临时关闭防火墙
[[email protected] ~]$ systemctl stop firewalld.service
永久关闭防火墙
[[email protected] ~]$ systemctl disable firewalld.service
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
查看防火墙的状态
[[email protected] ~]$ firewall-cmd --state
not running
3)基本优化
修改最大打开进程数和最大文件句柄,先使用ulimit命令查看
[[email protected] ~]# ulimit -n
1024
[[email protected] ~]# ulimit -u
3480
修改相关的配置
[r[email protected] ~]# vi /etc/security/limits.conf
在最后追加下面几行
* soft nofile 1024000
* hard nofile 1024000
* soft nproc 1024000
* hard nproc 1024000
再修改/etc/security/limits.d下的文件20-nproc.conf (红色为修改项 已修改)
[[email protected] ~]# vi /etc/security/limits.d/20-nproc.conf
# Default limit for number of user‘s processes to prevent
# accidental fork bombs.
# See rhbz #432903 for reasoning.
* soft nproc 1024000
* hard nproc 1024000
注意:修改完成后重启生效
内核基础优化配置,(暂时不太懂,先直接操作即可)
[[email protected] sysctl.d]# vi /usr/lib/sysctl.d/ 00-system.conf
追加下面的参数
#关闭ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1
# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1
#关闭路由转发
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
#开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
#关闭sysrq功能
kernel.sysrq = 0
#core文件名中添加pid作为扩展名
kernel.core_uses_pid = 1
# 开启SYN洪水攻击保护
net.ipv4.tcp_syncookies = 1
#修改消息队列长度
kernel.msgmnb = 65536
kernel.msgmax = 65536
#设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
#timewait的数量,默认180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
#每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 262144
#限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800
#未收到客户端确认信息的连接请求的最大值
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
#内核放弃建立连接之前发送SYNACK 包的数量
net.ipv4.tcp_synack_retries = 1
#内核放弃建立连接之前发送SYN 包的数量
net.ipv4.tcp_syn_retries = 1
#启用timewait 快速回收
net.ipv4.tcp_tw_recycle = 1
#开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
#当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时
net.ipv4.tcp_keepalive_time = 30
#允许系统打开的端口范围
net.ipv4.ip_local_port_range = 1024 65000
#修改防火墙表大小,默认65536
#net.netfilter.nf_conntrack_max=655350
#net.netfilter.nf_conntrack_tcp_timeout_established=1200
# 确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
使其生效
[[email protected] sysctl.d]# sysctl -p
4)简化开机服务
这个暂时先不搞
5)做个快捷设置网络脚本
先配置下centos7的网络 首先使用ip命令查看下状态
[[email protected] network-scripts]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:36:ff:fd brd ff:ff:ff:ff:ff:ff
inet 192.168.0.101/24 brd 192.168.0.255 scope global ens33
valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000
link/ether 52:54:00:bd:63:40 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN qlen 1000
link/ether 52:54:00:bd:63:40 brd ff:ff:ff:ff:ff:ff
上面出现了3和4.这个我不知道是怎么回事,网上查了下,有干掉的办法,贴出来如下
|
怎么多出来3和4,virbr0这个东西出现了,上网一查,原来是做虚拟机网桥的。难怪防火墙又是添加对virbr0的NAT规则,又是添加转发规则的。 网上很多说卸载了就好,yum remove libvirt,很遗憾,卸载了也没有用。 还有说改rhnplugin.conf文件的,我在/etc/yum/plugincon.d/就没找到这个文件,也许是centos7的原因吧。反正是搞不定。 查来查去,还是有人搞定的。 [[email protected] protected.d]# brctl show bridge name bridge id STP enabled interfaces virbr0 8000.525400bd6340 yes virbr0-nic 查看果然有网桥存在,竟然还支持STP,有鸡毛用啊。 [[email protected] protected.d]# virsh net-list Name State Autostart Persistent ---------------------------------------------------------- default active yes yes 列表一下看看,还是自动启动的,真烦人。 [[email protected] protected.d]# virsh net-destroy default Network default destroyed 默认强制停止 [[email protected] protected.d]# virsh net-undefine default Network default has been undefined 默认为未定义 [[email protected] protected.d]# systemctl restart libvirtd.service 不过这个命令真不好,啥提示都没,还不如用service libvirtd restart,起码给点反应,虽然也没啥用。 [[email protected] protected.d]# virsh net-list Name State Autostart Persistent ---------------------------------------------------------- [[email protected] protected.d]# brctl show bridge name bridge id STP enabled interfaces [[email protected] protected.d]# ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:36:ff:fd brd ff:ff:ff:ff:ff:ff inet 192.168.0.10/24 brd 192.168.0.255 scope global ens33 valid_lft forever preferred_lft forever [[email protected] protected.d]# ^C 在用virsh net-list看看,没啥了 ip add也没有多出来的两个网卡了 |
到这里看起来就正常多了,最后配置下
vi /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
BOOTPROTO=static
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME=ens33
UUID="06ce2307-5a1c-4624-8a7a-f1ba1fd87458"
DEVICE=ens33
ONBOOT="yes"
DNS1=202.102.224.68
IPADDR0=192.168.0.10
PREFIX=24
GATEWAY0=192.168.0.1
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no
| 备注:红色字体为修改添加的部分 蓝色字体是不能随便修改的部分,曾试过修改后无法重启网络,而且在当前文件夹下如果有第三个网络配置文件也是无法重启的。 |
重启网络(有几种重启的方法,centos7推荐使用的是下面的方式,而且使用久方式可能会给你转发请求到此命令 无返回值即为最好的结果)
[[email protected] network-scripts]# systemctl restart network.service
[[email protected] network-scripts]#
基本上完成以上操作既可以正常使用了,我使用此模板作为克隆源,所以写一个简单的脚本来方便的进行ip修改>>>>>
编写脚本:
创建一个脚本目录并创建一个简单的更换ip的脚本
[[email protected] /]# mkdir /home/snail/scripts
[[email protected] /]# cd /home/snail/scripts
[[email protected] scripts]# touch ipcrt:wq
[[email protected] scripts]# chmod +x ipcrt
[[email protected] scripts]# vi ~/.bashrc
# .bashrc
# User specific aliases and functions
alias rm=‘rm -i‘
alias cp=‘cp -i‘
alias mv=‘mv -i‘
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
#这里要注意,要把环境变量写入这个文件下,不然重启失效
PATH="/home/snail/scripts:$PATH"
[[email protected] scripts]# ll
total 0
-rwxr-xr-x 1 root root 0 Aug 29 15:42 ip_create.sh
[[email protected] scripts]# vi ipcrt
没有进行参数校验,需要注意,参数必须写正确,否则会出问题。
#! /bin/sh
sed -i ‘/IPADDR.*/d‘ /etc/sysconfig/network-scripts/ifcfg-ens33
echo ‘IPADDR0‘=$1>>/etc/sysconfig/network-scripts/ifcfg-ens33
systemctl restart network.service
改版之后的脚本
[[email protected] scripts]# cat ipcrt
#! /bin/bash
#对参数进行判断
case "$1" in
--help)
echo "please enter an IP address !"
echo "Scope in 192.168.0.10 - 192.168.0.99";;
*)
if [[ ${#1} -eq 12 ]];then
sed -i ‘/IPADDR.*/d‘ /etc/sysconfig/network-scripts/ifcfg-ens33
echo ‘IPADDR0‘=$1>>/etc/sysconfig/network-scripts/ifcfg-ens33
systemctl restart network.service
sleep 1
echo "ip changed ok!"
else
echo "error:input error!"
echo ‘please enter a "--help" view the help information!‘
fi
;;
esac
创建一个更换主机名的脚本(只适用centos7)
#! /bin/bash
hostnamectl set-hostname $1
sed -i ‘/127.0.0.1*/d‘ /etc/hosts
echo "127.0.0.1 " $1 $1 >>/etc/hosts
6)更换yum源
默认使用的是sohu源,看了下里面貌似只支持4,5的版本,所以更改为163的源 地址:mirrors.163.com
[[email protected] ~]# cd /etc/yum.repos.d/
[[email protected] yum.repos.d]# mv CentOS-Base.repo CentOS-Base.repo.old
[[email protected] yum.repos.d]# wget http://mirrors.163.com/.help/CentOS7-Base-163.repo
......
[[email protected] yum.repos.d]# mv CentOS7-Base-163.repo CentOS-Base.repo
[[email protected] yum.repos.d]# yum clean all
[[email protected] yum.repos.d]# yum makecache
7)时间同步
查看系统时间
[[email protected] ~]$ date
Mon Aug 28 23:05:20 PDT 2017
查看时区并修改
[[email protected] ~]# date -R (方法1)
Mon, 28 Aug 2017 23:12:35 -0700
[[email protected] ~]# date +%z (方法2)
-0700
[[email protected] ~]# cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
cp: overwrite ‘/etc/localtime’? y
安装时间同步工具
[[email protected] ~]# yum -y install ntp ntpdate
同步时间
[[email protected] ~]# ntpdate cn.pool.ntp.org
设置定时更新时间任务
[[email protected] ~]# echo ‘*/10 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1‘ >>/var/spool/cron/root