
centos 7 優化

1. 介紹

為了更好地使用 Linux,基本的優化還是需要做的。注意:下文關閉 SELinux 與防火牆、刪除系統帳號、縮短命令歷史等步驟會降低系統的安全性與可審計性,只適合有外層防護的測試環境;生產伺服器請逐項評估後再執行。

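# SELinux: set the persistent mode to "disabled" and drop the running policy
# to permissive. SECURITY NOTE: this removes mandatory access control for every
# service on the host. For troubleshooting, SELINUX=permissive (log-only) plus
# /var/log/audit/audit.log is the safer path; re-enable enforcing afterwards.
# Anchored to the SELINUX= key so a host already set to "permissive" is
# handled too (the original pattern only matched "enforcing").
sed -i 's@^SELINUX=.*@SELINUX=disabled@' /etc/selinux/config
# Effective immediately, but only as permissive; "disabled" needs a reboot.
setenforce 0
# Firewall: stop the running daemon and keep it from starting at boot.
# SECURITY NOTE: with firewalld off every listening service is reachable from
# every network the host sits on; only acceptable behind a dedicated firewall
# or cloud security group. "--now" does stop + disable in one call.
systemctl disable --now firewalld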

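# Time sync. CentOS 7 ships chronyd by default; "yum install ntp" pulls in the
# legacy ntpd/ntpdate set. The cron job below *steps* the clock every five
# minutes with ntpdate over unauthenticated public NTP — clock jumps can break
# TLS validation, Kerberos and log ordering; a slewing daemon (chronyd/ntpd)
# against trusted servers is the safer choice.
yum install -y ntp
# Copy the zoneinfo file; "\cp" bypasses root's "cp -i" alias so it does not
# prompt. ("timedatectl set-timezone Asia/Shanghai" is the CentOS 7 native way.)
\cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
# Append the cron entry only if it is not already present, so re-running the
# script does not stack duplicate jobs (the original appended unconditionally).
cron_line='*/5 * * * *  /usr/sbin/ntpdate cn.pool.ntp.org > /dev/null 2>&1'
grep -qxF -- "$cron_line" /var/spool/cron/root 2>/dev/null \
  || echo "$cron_line" >> /var/spool/cron/root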

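# Raise the open-file limit for every user (applied by pam_limits at login)
# and for the current shell. Append only when the entry is missing so the
# file does not accumulate duplicates on re-runs.
grep -qE '^\*[[:space:]]+hard[[:space:]]+nofile[[:space:]]+65535' /etc/security/limits.conf || cat>>/etc/security/limits.conf<<EOF
* soft nofile 65535
* hard nofile 65535
EOF
# On CentOS 7 rc.local only runs if /etc/rc.d/rc.local is executable and
# rc-local.service is enabled; systemd services take LimitNOFILE= in their
# unit file instead. The limits.conf entry above is what applies to logins.
grep -qxF 'ulimit -SHn 65535' /etc/rc.local || echo "ulimit -SHn 65535">>/etc/rc.local
ulimit -SHn 65535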

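# Bring the primary NIC up at boot. The interface name is host-specific
# (CentOS 7 default on VMware is ens33, CentOS 6 is eth0): report a missing
# file instead of silently doing nothing. Anchored so a commented-out
# "#ONBOOT=no" is not rewritten.
ifcfg=/etc/sysconfig/network-scripts/ifcfg-ens33
if [ -f "$ifcfg" ]; then
  sed -i 's@^ONBOOT=no@ONBOOT=yes@' "$ifcfg"
else
  echo "$ifcfg not found; adjust the interface name for this host" >&2
fi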

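# sshd: disable reverse DNS lookups on login (faster, and no dependency on
# DNS for authentication). The stock sshd_config ships the directive
# commented out ("#UseDNS yes"); the original pattern only rewrote an active
# "UseDNS yes" line, so on a stock file it changed nothing. Match the line
# whether commented or not.
sed -i -E 's/^#?[[:space:]]*UseDNS[[:space:]].*/UseDNS no/' /etc/ssh/sshd_config
# Refuse accounts with empty passwords regardless of the current value (the
# original only matched an explicit "PermitEmptyPasswords yes").
sed -i -E 's/^#?[[:space:]]*PermitEmptyPasswords[[:space:]].*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
# Validate before applying — a bad directive would stop sshd from starting
# next time. reload keeps existing sessions alive. Verify the effective
# values with: sshd -T | grep -Ei 'usedns|permitemptypasswords'
sshd -t && systemctl reload sshd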

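# Install EPEL first, in its own transaction: yum resolves a transaction
# against the repos known when it starts, so packages that only exist in EPEL
# (e.g. libc-client-devel) are reported as "No package ... available" when
# epel-release is bundled into the same "yum install".
yum install -y epel-release
# Build toolchain, -devel headers (typical PHP/Nginx build dependencies) and
# everyday tools. Names are CentOS 7 ones; some (db4-devel, mysql-devel)
# resolve via virtual provides and may not exist on other releases.
yum install -y bash-completion gcc cmake bzip2-devel curl-devel db4-devel libjpeg-devel libpng-devel freetype-devel libXpm-devel gmp-devel libc-client-devel openldap-devel unixODBC-devel postgresql-devel sqlite-devel aspell-devel net-snmp-devel libxslt-devel libxml2-devel pcre-devel mysql-devel pspell-devel libmemcached libmemcached-devel zlib-devel vim wget lrzsz tree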

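# Boot to the text console instead of the graphical target ("sudo" is
# redundant when the script already runs as root, but harmless).
sudo systemctl set-default multi-user.target
# Add a public resolver. Two caveats the original ignored:
#  - on CentOS 7 NetworkManager rewrites /etc/resolv.conf on connection
#    changes, so an appended line is lost; set DNS1= in the ifcfg file (or
#    use nmcli) if it must persist.
#  - glibc honours only the first three "nameserver" lines; a fourth is
#    silently ignored.
# 114.114.114.114 is a third-party public DNS service reached over plain,
# unauthenticated DNS; prefer the organisation's resolvers where a policy
# exists. Appended only once so re-runs do not duplicate it.
grep -qxF 'nameserver 114.114.114.114' /etc/resolv.conf || cat >> /etc/resolv.conf << EOF
nameserver 114.114.114.114
EOF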
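# Kernel/network tuning. Written with ">" to a sysctl.d drop-in instead of
# appended to /etc/sysctl.conf with ">>", so re-running does not stack
# duplicate keys and the whole set can be removed by deleting one file.
# Values are the original ones except the port-range fix; the comments mark
# settings a reviewer should not accept blindly.
cat > /etc/sysctl.d/99-optimize.conf << EOF
# Always allow overcommit (wanted by redis/fork-heavy daemons); the OOM
# killer rather than a failed malloc becomes the failure mode.
vm.overcommit_memory = 1
# Fixed: 65536 is not a valid port and the kernel rejects the pair
# ("Invalid argument"), so the original line never applied.
net.ipv4.ip_local_port_range = 1024 65535
# A 1-second FIN-WAIT-2 timeout is very aggressive (30 is the usual tuned value).
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle drops connections from clients behind NAT/load balancers
# (same address, non-monotonic timestamps) and was removed in kernel 4.12.
# Kept only because the original set it; remove on any internet-facing host.
net.ipv4.tcp_tw_recycle = 1
# Turning off timestamps also disables PAWS protection and RTT estimation.
net.ipv4.tcp_timestamps = 0
# One SYN / SYN-ACK retry: clients on lossy links fail to connect at all.
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_abort_on_overflow = 0
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
# Connection-tracking keys exist only while nf_conntrack is loaded (with
# firewalld stopped it usually is not): sysctl reports them as missing and
# carries on, and they are NOT re-applied when the module loads later —
# rerun "sysctl --system" after the firewall starts if these matter.
# net.ipv4.netfilter.ip_conntrack_max is a legacy IPv4-specific alias of
# net.netfilter.nf_conntrack_max; whether it exists depends on the kernel.
net.ipv4.netfilter.ip_conntrack_max = 2097152
net.nf_conntrack_max = 655360
net.netfilter.nf_conntrack_tcp_timeout_established = 1200
EOF
# Apply every drop-in (this is what systemd-sysctl does at boot).
/sbin/sysctl --system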

2. 優化

2.1 禁用SELINUX

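# SECURITY NOTE: disabling SELinux removes mandatory access control for every
# service on the host. If a service is being blocked, "setenforce 0"
# (permissive, log-only) plus /var/log/audit/audit.log is the troubleshooting
# path; re-enable enforcing once the policy is fixed.
# Anchored to the SELINUX= key so a host already in "permissive" is handled
# too — the original pattern only rewrote "enforcing".
sed -i 's@^SELINUX=.*@SELINUX=disabled@' /etc/selinux/config
# Effective immediately as permissive only; "disabled" needs a reboot.
setenforce 0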

詳細操作如下:

[root@localhost ~]# sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config
[root@localhost ~]# setenforce 0
[root@localhost ~]# grep -wi ^selinux /etc/selinux/config
SELINUX=disabled

2.2 關閉防火牆

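# SECURITY NOTE: with firewalld off, every listening service (including
# anything a later "yum install" starts) is reachable from every network the
# host sits on. Only acceptable behind a dedicated firewall / cloud security
# group. "--now" stops the running instance in the same call as disabling it.
systemctl disable --now firewalld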

詳細操作如下:

[root@localhost ~]# systemctl disable firewalld
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

Apr 13 09:59:26 localhost.localdomain systemd[1]: Starting firewalld - dynami...
Apr 13 09:59:26 localhost.localdomain systemd[1]: Started firewalld - dynamic...
Apr 13 04:45:19 localhost.localdomain systemd[1]: Stopping firewalld - dynami...
Apr 13 04:45:20 localhost.localdomain systemd[1]: Stopped firewalld - dynamic...
Hint: Some lines were ellipsized, use -l to show in full.

2.3 時間矯正

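# Legacy ntp package (CentOS 7 ships chronyd by default).
yum install -y ntp
cp -f /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
# Add the job to root's crontab non-interactively and idempotently. The
# original said "crontab -e" followed by "// add a line": "//" is not a shell
# comment, it is the root directory, and fails with "Is a directory".
# ntp.api.bz is a third-party time source over unauthenticated NTP and
# ntpdate steps the clock rather than slewing it; an organisational NTP
# server or chronyd is the more robust choice.
job='*/5 * * * * /usr/sbin/ntpdate ntp.api.bz'
( crontab -l 2>/dev/null | grep -vxF -- "$job"; echo "$job" ) | crontab -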

# echo "*/5 * * * *  /usr/sbin/ntpdate cn.pool.ntp.org > /dev/null 2>&1" >> /var/spool/cron/root

詳細操作

[root@localhost ~]# crontab -l
*/5 * * * * /usr/sbin/ntpdate ntp.api.bz
[root@localhost ~]# date
Sat Apr 13 04:48:52 EDT 2019
[root@localhost ~]# /usr/sbin/ntpdate ntp.api.bz
13 Apr 05:06:38 ntpdate[38604]: step time server 114.118.7.163 offset 1056.435801 sec
[root@localhost ~]# date
Sat Apr 13 05:06:54 EDT 2019

2.4 limit

要調整一下 Linux 的最大檔案開啟數,否則執行 Squid 等服務的機器在高負載時執行效能將會很差;另外,在 Linux 下部署應用時,有時候會遇上 “Too many open files” 這樣的問題,這個值也會影響伺服器的最大併發數。其實 Linux 是有檔案描述符(file handle)數量限制的,但預設值很低,一般是 1024,生產伺服器很容易就會達到這個值,所以需要改動此值。

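# Raise the open-file limit for all users (applied by pam_limits at login)
# and for the current shell. Guarded so that re-running does not append the
# same entries again.
grep -qE '^\*[[:space:]]+hard[[:space:]]+nofile[[:space:]]+65535' /etc/security/limits.conf || cat>>/etc/security/limits.conf<<EOF
* soft nofile 65535
* hard nofile 65535
EOF
# rc.local is only run on CentOS 7 when /etc/rc.d/rc.local is executable and
# rc-local.service is enabled; systemd-managed services need LimitNOFILE= in
# their unit instead. Added once only.
grep -qxF 'ulimit -SHn 65535' /etc/rc.local || echo "ulimit -SHn 65535">>/etc/rc.local
ulimit -SHn 65535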

詳細操作:

[root@localhost ~]# cat>>/etc/security/limits.conf<<EOF
> * soft nofile 65535
> * hard nofile 65535
> EOF
[root@localhost ~]# echo "ulimit -SHn 65535">>/etc/rc.local
[root@localhost ~]# ulimit -SHn 65535
[root@localhost ~]# ulimit -n
65535

2.5 網絡卡自啟動

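# Enable the NIC at boot. The file name is host-specific (ens33 is only the
# VMware/CentOS 7 default): report a missing file rather than silently doing
# nothing, and anchor the pattern so a commented "#ONBOOT=no" is untouched.
ifcfg=/etc/sysconfig/network-scripts/ifcfg-ens33
if [ -f "$ifcfg" ]; then
  sed -i 's@^ONBOOT=no@ONBOOT=yes@' "$ifcfg"
else
  echo "$ifcfg not found; adjust the interface name for this host" >&2
fi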

詳細操作如下:

[root@localhost ~]# sed -i 's@ONBOOT=no@ONBOOT=yes@g' /etc/sysconfig/network-scripts/ifcfg-ens33 
[root@localhost ~]# grep -i 'ONBOOT'  /etc/sysconfig/network-scripts/ifcfg-ens33 
ONBOOT=yes

2.6 ssh

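# Disable sshd reverse DNS lookups. The stock sshd_config ships "#UseDNS yes"
# commented out, so the original pattern (active "UseDNS yes" only) had no
# effect on a stock file; match the directive commented or not.
sed -i -E 's/^#?[[:space:]]*UseDNS[[:space:]].*/UseDNS no/' /etc/ssh/sshd_config
# Refuse empty-password logins. The original substitution replaced
# "PermitEmptyPasswords no" with itself — a no-op — and left a
# "PermitEmptyPasswords yes" untouched.
sed -i -E 's/^#?[[:space:]]*PermitEmptyPasswords[[:space:]].*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
# Check the syntax before applying; reload keeps current sessions alive.
# Confirm with: sshd -T | grep -Ei 'usedns|permitemptypasswords'
sshd -t && systemctl reload sshd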

詳細操作

[root@localhost ~]# sed -i 's@UseDNS yes@UseDNS no@' /etc/ssh/sshd_config /etc/ssh/sshd_config
[root@localhost ~]# sed -i 's@PermitEmptyPasswords no@PermitEmptyPasswords no@' /etc/ssh/sshd_config

2.7 命令補全

# Tab completion for command options and arguments in bash.
yum -y install bash-completion

2.8 修改字符集

[root@localhost ~]# echo $LANG
zh_CN.UTF-8
[root@localhost ~]# vi /etc/locale.conf
LANG="en_US.UTF-8"
[root@localhost ~]# source  /etc/locale.conf

2.9 更換yum源

使用國內的更新源,下載會比國外要好[預設是使用的國外yum源]。

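# Switch yum to a domestic mirror. The repo definition is fetched over plain
# HTTP, so it is not integrity-protected in transit: a tampered file can point
# yum at a hostile baseurl and gpgkey. Use https if the mirror offers it, and
# check that the downloaded file still enforces gpgcheck=1 with a local
# (file://) key before letting yum use it.
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
cd /etc/yum.repos.d/ && wget http://mirrors.163.com/.help/CentOS7-Base-163.repo
grep -q '^gpgcheck=1' /etc/yum.repos.d/CentOS7-Base-163.repo \
  || echo 'WARNING: CentOS7-Base-163.repo does not set gpgcheck=1 - review it before running yum' >&2
grep -q '^gpgkey=file://' /etc/yum.repos.d/CentOS7-Base-163.repo \
  || echo 'WARNING: CentOS7-Base-163.repo fetches its GPG key over the network - review it' >&2
yum clean all
yum makecache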

詳細操作如下:

[root@localhost yum.repos.d]# cd  /etc/yum.repos.d/
[root@localhost yum.repos.d]# wget  http://mirrors.163.com/.help/CentOS7-Base-163.repo
--2019-04-13 05:18:56--  http://mirrors.163.com/.help/CentOS7-Base-163.repo
Resolving mirrors.163.com (mirrors.163.com)... 59.111.0.251
Connecting to mirrors.163.com (mirrors.163.com)|59.111.0.251|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1572 (1.5K) [application/octet-stream]
Saving to: ‘CentOS7-Base-163.repo’

100%[======================================>] 1,572       --.-K/s   in 0s      

2019-04-13 05:18:56 (259 MB/s) - ‘CentOS7-Base-163.repo’ saved [1572/1572]

[root@localhost yum.repos.d]# yum clean all
Loaded plugins: fastestmirror
Cleaning repos: base extras updates
Cleaning up list of fastest mirrors
[root@localhost yum.repos.d]# yum makecache
Loaded plugins: fastestmirror
Determining fastest mirrors
base                                                     | 3.6 kB     00:00     
......省略

2.10 安裝基本軟體

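# Build toolchain, -devel headers (typical PHP/Nginx build dependencies) and
# everyday tools. "-y" added for consistency with the summary script above:
# without it yum waits on a confirmation prompt when run non-interactively.
# libc-client-devel lives in EPEL, so epel-release must be installed (and its
# repo loaded) before this line succeeds completely.
yum install -y gcc cmake bzip2-devel curl-devel db4-devel libjpeg-devel libpng-devel freetype-devel libXpm-devel gmp-devel libc-client-devel openldap-devel unixODBC-devel postgresql-devel sqlite-devel aspell-devel net-snmp-devel libxslt-devel libxml2-devel pcre-devel mysql-devel pspell-devel libmemcached libmemcached-devel zlib-devel vim wget lrzsz tree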

2.11 非圖形

systemctl get-default                         # show the current default boot target
systemctl set-default graphical.target        # make the graphical target the default (shown for reference; the next line overrides it)
sudo systemctl set-default multi-user.target  # make the text-mode (non-graphical) target the default
[root@localhost yum.repos.d]# systemctl get-default 
multi-user.target

2.12 yum 擴充套件源

這是因為像centos這類衍生出來的發行版,他們的源有時候內容更新的比較滯後,或者說有時候一些擴充套件的源根本就沒有。所以在使用yum來search python-pip的時候,會說沒有找到該軟體包。 因此為了能夠安裝這些包,需要先安裝擴充套件源EPEL。EPEL(http://fedoraproject.org/wiki/EPEL) 是由 Fedora 社群打造,為 RHEL 及衍生髮行版如 CentOS、Scientific Linux 等提供高質量軟體包的專案。 首先安裝epel擴充套件源:

# Enable the EPEL repository (Fedora-maintained extra packages for RHEL/CentOS).
yum install -y epel-release

2.13 新增公網DNS

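# Add a public resolver. Caveats the original ignored:
#  - NetworkManager on CentOS 7 rewrites /etc/resolv.conf on connection
#    changes, so this line is lost; set DNS1= in the ifcfg file or use nmcli
#    for a persistent change.
#  - glibc uses at most three "nameserver" lines; extra ones are ignored.
# 114.114.114.114 is a third-party public DNS service (plain, unauthenticated
# DNS); prefer the organisation's resolvers where a policy exists.
# Appended only once so re-runs do not duplicate the entry.
grep -qxF 'nameserver 114.114.114.114' /etc/resolv.conf || cat >> /etc/resolv.conf << EOF
nameserver 114.114.114.114
EOF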

2.14 核心優化

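# Kernel/network tuning as a sysctl.d drop-in written with ">" rather than
# appended to /etc/sysctl.conf with ">>": idempotent on re-runs and removable
# by deleting one file. Values are the original ones except the port-range
# fix; comments flag the settings that deserve a second look.
cat > /etc/sysctl.d/99-optimize.conf << EOF
# Always allow overcommit (redis/fork-heavy daemons want this); failures
# surface as OOM kills instead of failed allocations.
vm.overcommit_memory = 1
# Fixed: 65536 is not a valid port; the kernel rejected the original pair
# with "Invalid argument", so the setting never applied.
net.ipv4.ip_local_port_range = 1024 65535
# A 1-second FIN-WAIT-2 timeout is very aggressive (30 is the usual tuned value).
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle drops connections from clients behind NAT/load balancers
# (shared address, non-monotonic timestamps) and was removed in kernel 4.12.
# Kept only because the original set it; remove on any internet-facing host.
net.ipv4.tcp_tw_recycle = 1
# Disabling timestamps also disables PAWS protection and RTT estimation.
net.ipv4.tcp_timestamps = 0
# A single SYN / SYN-ACK retry makes clients on lossy links fail to connect.
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_abort_on_overflow = 0
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
# Conntrack keys exist only while nf_conntrack is loaded (it usually is not
# once firewalld is stopped): sysctl reports them missing and continues, and
# they are not re-applied when the module loads later — rerun
# "sysctl --system" after the firewall starts if they matter.
# net.ipv4.netfilter.ip_conntrack_max is a legacy IPv4-specific alias of
# net.netfilter.nf_conntrack_max and may not exist on this kernel.
net.ipv4.netfilter.ip_conntrack_max = 2097152
net.nf_conntrack_max = 655360
net.netfilter.nf_conntrack_tcp_timeout_established = 1200
EOF
# Apply all drop-ins, the same way systemd-sysctl does at boot.
/sbin/sysctl --system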

2.15 優化服務

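# Services to stop and remove from boot. Most of these names are CentOS 6
# SysV services (portmap, netfs, hidd, bluetooth, ...) with no unit on
# CentOS 7; those are skipped below instead of producing an error each.
# SECURITY NOTE: the list also contains auditd (the kernel audit log that
# incident response depends on; systemd refuses a manual stop of it anyway),
# psacct (process accounting), restorecond and setroubleshoot (SELinux
# tooling) and ip6tables. Disabling these removes logging and controls, not
# overhead — take them out of the list unless that trade-off is deliberate.
SERVICES="acpid atd auditd avahi-daemon avahi-dnsconfd bluetooth conman cpuspeed cups dnsmasq dund firstboot hidd httpd ibmasm ip6tables irda kdump lm_sensors mcstrans messagebus microcode_ctl netconsole netfs netplugd nfs nfslock nscd oddjobd pand pcscd portmap psacct rdisc restorecond rpcgssd rpcidmapd rpcsvcgssd saslauthd sendmail setroubleshoot smb vncserver winbind wpa_supplicant ypbind"
for service in $SERVICES
do
  # Bug in the original: it passed the whole $SERVICES list to systemctl on
  # every iteration instead of the single $service being looped over.
  # Skip names that have no unit file on this host.
  systemctl list-unit-files "${service}.service" --no-legend 2>/dev/null | grep -q . || continue
  # Keep the service from starting at boot, then stop the running instance.
  systemctl disable "$service"
  systemctl stop "$service"
done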

centos6 優化指令碼

#!/bin/sh

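echo "------ step 1: config yum ------"
# Replace the base repo with the Aliyun mirror definition. Fetched over plain
# HTTP, so baseurl/gpgkey in the file are not integrity-protected in transit;
# keep a backup (wget -O truncates the target even when the download fails)
# and confirm gpgcheck=1 survived before running yum. The original "cd" was
# unnecessary because -O takes an absolute path. CentOS 6 is end-of-life
# (Nov 2020); mirror content may have moved to the vault.
cp -p /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak 2>/dev/null
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo \
  && grep -q '^gpgcheck=1' /etc/yum.repos.d/CentOS-Base.repo \
  || echo "warning: CentOS-Base.repo download failed or does not set gpgcheck=1; review it before running yum" >&2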

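echo "------ step 2: config  profile------"
# Force the C locale for all login shells. Added only once; the original
# appended the line on every run.
grep -qxF 'export LC_ALL=C' /etc/profile || echo 'export LC_ALL=C'>> /etc/profile
# "." is the POSIX spelling of "source"; this script runs under /bin/sh.
. /etc/profile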

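echo "------ step 3: stop iptables and selinux------"
# SECURITY NOTE: this step turns off the host firewall, NetworkManager and
# SELinux. Every listening service becomes reachable from the network and
# mandatory access control is gone; acceptable only behind a separate
# firewall and when the workload genuinely cannot run under SELinux
# (permissive mode is the troubleshooting alternative).
/etc/init.d/iptables stop          # the original ran this twice; once is enough
/etc/init.d/NetworkManager stop
chkconfig NetworkManager off
chkconfig iptables off
# Permissive now; "disabled" in the config file only applies after a reboot.
setenforce 0
if [ -f /etc/selinux/config ]; then
    # Match whatever mode is currently set (the original only rewrote "enforcing").
    sed -i 's#^SELINUX=.*#SELINUX=disabled#' /etc/selinux/config
fi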

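echo "------ step 4: config time sync------"
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
cp /etc/sysconfig/clock /etc/sysconfig/clock.ori
# The original wrote ' ZONE=Asia/Shanghai' (leading space, quotes eaten
# because the inner "..." closed the outer string). Write the canonical form;
# printf sidesteps the quoting problem.
printf 'ZONE="Asia/Shanghai"\n' > /etc/sysconfig/clock

# One-off clock step, then a 10-minute cron step. ntpdate speaks
# unauthenticated NTP to a public pool and jumps the clock rather than
# slewing it; for anything sensitive to time (TLS, Kerberos, log
# correlation) run ntpd against trusted servers instead.
/usr/sbin/ntpdate pool.ntp.org
# Append the cron entry only if it is not already present (idempotent re-runs).
cron_job='*/10 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1'
grep -qxF -- "$cron_job" /var/spool/cron/root 2>/dev/null || {
    echo '#time sync by caimengzhi at 2016-2-1' >> /var/spool/cron/root
    echo "$cron_job" >> /var/spool/cron/root
}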

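# sshd configuration. Points to be aware of:
#  - PermitRootLogin no is correct hardening, but this script creates no other
#    account and restarts sshd immediately: on a host whose only user is root
#    the next login is impossible. Create a sudo-capable user first.
#  - Port 65535 only hides sshd from the laziest scans. Under SELinux it also
#    needs "semanage port -a -t ssh_port_t -p tcp 65535" (SELinux is disabled
#    above, so this works until someone re-enables it), and a firewall rule
#    if iptables is turned back on.
# Patterns match the directive whether active or commented out (the stock
# sshd_config ships them commented), so re-runs are no-ops.
sed -i 's/^#\?Port .*/Port 65535/' /etc/ssh/sshd_config
sed -i 's/^#\?UseDNS .*/UseDNS no/' /etc/ssh/sshd_config
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
# Validate before restarting; a broken config would take sshd down.
if /usr/sbin/sshd -t; then
    /etc/init.d/sshd restart
else
    echo "sshd_config failed validation; not restarting sshd" >&2
fi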
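# Disable every service that starts in runlevel 3, then re-enable the four
# the host needs. SECURITY NOTE: this also disables auditd (the audit trail),
# iptables (already off above), ntpd and any monitoring or management agent
# installed on the box — review "chkconfig --list | grep 3:on" before running
# this on a real host. $(...) replaces the original backticks and the name is
# quoted.
for server in $(chkconfig --list | grep 3:on | awk '{ print $1 }')
do
    chkconfig --level 3 "$server" off
done

for server in crond network rsyslog sshd
do
   chkconfig --level 3 "$server" on
done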

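# Kernel network tuning. Appended to /etc/sysctl.conf only once (the original
# appended on every run, producing duplicate keys); the marker comment is
# what the guard looks for.
if ! grep -q '^# --- tuning block (centos6 script) ---' /etc/sysctl.conf; then
cat >> /etc/sysctl.conf << ENDF
# --- tuning block (centos6 script) ---
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog =  32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# Disabling timestamps also disables PAWS protection and RTT estimation.
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
# tcp_tw_recycle drops connections from clients behind NAT/load balancers
# (shared address, non-monotonic timestamps); kept only because the original
# set it — remove on any internet-facing host.
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.ip_local_port_range = 1024  65535
ENDF
fi
sysctl -p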

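# /etc/hosts and /etc/resolv.conf are generated from MYHOSTNAME, DOMAINNAME,
# IPADDR, MYDNS1 and MYDNS2 — but nothing in this script sets them. With the
# variables unset the original wrote "127.0.0.1  . localhost" and a
# resolv.conf with empty "nameserver" lines, breaking name resolution.
# Require the mandatory ones and leave the existing files alone otherwise.
# Note the second hosts line also maps "localhost" to the external address,
# as the original did; most setups want localhost on 127.0.0.1 only.
if [ -n "$MYHOSTNAME" ] && [ -n "$DOMAINNAME" ] && [ -n "$IPADDR" ] && [ -n "$MYDNS1" ]; then
cat >/etc/hosts <<ENDF
127.0.0.1 $MYHOSTNAME $MYHOSTNAME.$DOMAINNAME localhost
$IPADDR $MYHOSTNAME $MYHOSTNAME.$DOMAINNAME  localhost
ENDF

# MYDNS2 is optional: the line is emitted only when it is set.
cat >/etc/resolv.conf <<ENDF
domain $DOMAINNAME
search $DOMAINNAME
nameserver $MYDNS1
${MYDNS2:+nameserver $MYDNS2}
ENDF
else
    echo "MYHOSTNAME/DOMAINNAME/IPADDR/MYDNS1 not set; leaving /etc/hosts and /etc/resolv.conf unchanged" >&2
fi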

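# Hardening
#------------------------------------------------------------------------------------------------------------
# Banner/release hiding is cosmetic. Overwriting /etc/redhat-release also
# confuses tools that parse it (lsb_release, configuration-management facts,
# some installers); /etc/issue alone removes the version from the console
# login prompt.
echo "Welcome to Server" >/etc/issue
echo "Welcome to Server" >/etc/redhat-release
# SECURITY NOTE: HISTSIZE=5 throws away the shell history that incident
# response relies on to reconstruct what was run as root, and hides nothing
# from an attacker who already has the shell. Kept only because the original
# set it; prefer the default size plus forwarded logs / auditd.
sed -i "s#HISTSIZE=1000#HISTSIZE=5#g" /etc/profile
# Disable the Ctrl+Alt+Del reboot handler on the console (upstart job).
sed -i "s#exec#\#exec#g" /etc/init/control-alt-delete.conf
# Raise the fd limit at boot via rc.local; added once only. (The limits.conf
# entries later in the script are what apply to login sessions.)
grep -qxF 'ulimit -SHn 102400' /etc/rc.local || echo "ulimit -SHn 102400">> /etc/rc.local
# Unused system accounts: lock them and set a non-login shell instead of
# deleting them. userdel leaves files owned by these uids orphaned (adm, lp
# and operator own parts of the filesystem) and makes "rpm -V" report
# missing owners; a locked account with /sbin/nologin cannot log in either.
# shutdown and halt lose their /sbin/shutdown, /sbin/halt login shells too.
for acct in adm lp shutdown halt uucp operator games gopher; do
    if id "$acct" >/dev/null 2>&1; then
        usermod -L -s /sbin/nologin "$acct"
    fi
done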

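# "-y" added: without it yum stops at a confirmation prompt and a
# non-interactive run stalls here.
yum install -y epel-release
# Prints root's crontab for review; no effect on the system.
crontab -l
yum update -y

# 'gcc*' is quoted so the shell does not expand it against the current
# directory; yum handles the wildcard itself.
yum install -y dos2unix lrzsz nc telnet zip 'gcc*' gcc-c++ libstdc++-devel
# Resource limits, appended once. SECURITY NOTE: "nproc unlimited" for every
# user removes the default guard against a runaway fork loop (fork bomb) from
# an unprivileged account; give the specific service user a high but finite
# value instead where possible. Values kept as the original set them.
grep -qE '^\*[[:space:]]+hard[[:space:]]+nofile[[:space:]]+65536' /etc/security/limits.conf || cat <<EOF >>/etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536
* soft nproc unlimited
* hard nproc unlimited
EOF

# 90-nproc.conf ships with a "* soft nproc 1024" line that would otherwise
# take precedence; pam_limits applies the last matching entry, so the
# appended lines win.
grep -qE '^\*[[:space:]]+soft[[:space:]]+nproc[[:space:]]+unlimited' /etc/security/limits.d/90-nproc.conf || cat <<EOF >>/etc/security/limits.d/90-nproc.conf
*          soft    nproc     unlimited
root       soft    nproc     unlimited
EOF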