Linux system optimization

close SELinux

[[email protected] ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
[[email protected] ~]# setenforce 0
[[email protected] ~]# getenforce

close Firewalld A firewall

Wait until the business is debugged , Prevent during deployment of business , The influence of firewall .

[[email protected] ~]# systemctl stop firewalld
[[email protected] ~]# systemctl disable firewalld

Modify character set

Modify the appropriate character set as you try , This should be a Chinese character set .

[[email protected] ~]# LANG=zh_CN.utf-8
[[email protected] ~]# vi /etc/locale.conf
LANG="zh_CN.UTF-8"

Use alicloud image to do yum Source

[[email protected] ~]# rm -fr /etc/yum.repos.d/*
cd /etc/yum.repos.d/
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-6.repo
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo

Install common software

yum -y install tree nmap sysstat lrzsz dos2unix telnet bash-completion bash-completion-extras vim nc lsof net-tools rsync ntpdate

change vim Editor alias

[[email protected] ~]# alias vi='vim'
[[email protected] ~]# vi /etc/profile.d/vi.sh
alias vi='vim'

Time synchronization

echo '#Time synchronization time' >>/var/spool/cron/root
echo '0 0 * * * /usr/sbin/ntpdate ntp1.aliyun.com &>/dev/null' >>/var/spool/cron/root
crontab -l

Enlarge the file descriptor

echo '* - nofile 65535 ' >>/etc/security/limits.conf
tail -1 /etc/security/limits.conf

PS1 Variable optimization

[[email protected] ~]# vi /etc/profile.d/PS1.sh 
PS1="\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@\h \[\e[36;40m\]\w\[\e[0m\]]\\$ "

Kernel optimization

cat >>/etc/sysctl.conf<<EOF
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
EOF
[[email protected] ~]# sysctl -p

sshd Remote connection optimization

sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
grep 'UseDNS no' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
grep 'GSSAPIAuthentication no' /etc/ssh/sshd_config
systemctl restart sshd

Security optimization

>/etc/issue
>/etc/issue.net
>/etc/motd
#  User login timeout
echo 'export TMOUT=900' >> /etc/profile

Optimization summary

no need root Log in to the management system , And log in as an ordinary user through sudo Authorization management .

Change the default remote connection SSH Service port , prohibit root User remote connection , Even change SSH The service only monitors the intranet IP.

Automatically update the time of the server , Synchronize it with Internet time .

To configure yum Update source , Download the installation package from the domestic update source .

close SELinux And iptables( In a work scenario , If there is an outside IP It's usually opened iptables, Servers with high concurrency and high traffic may not be turned on ).

Adjust the number of file descriptors , Process and file opening will consume the number of file descriptors .

Regularly and automatically clean up the junk files in the temporary email directory , Prevent the disk from inodes The number is full of small files ( Be careful Centos6 and Centos5 Different directories to clear ).

Streamline and retain the necessary boot service ( Such as crond、sshd、network、rsyslog、sysstat).

Linux Kernel parameter optimization /etc/sysctl.conf, perform sysctl -p take effect .

Change the system character set to “zh_CN.UTF-8”, Make it support Chinese , Prevent garbled problems .

Lock key system files such as /etc/passwd、/etc/shadow、/etc/group、/etc/gshadow、/etc/inittab, Deal with the above

Rear handle chattr、lsattr Renamed as luffy, Transfer , It's much safer .

Empty /etc/issue、/etc/issue.net, Remove the screen display before system and kernel version login .

Remove redundant system virtual user accounts .

by grub Add password to the boot menu .

Prevent the host from being ping.

Patch and upgrade software with known vulnerabilities . New system yum –y install Servers already in use online web The server can stop .