1.添加用户并设置密码
useradd -M -s /sbin/nologin wei
echo "123456" | passwd --stdin wei && history -c
2.关闭selinux
getenforce
setenforce 0
sed -i "s#SELINUX=enforcing#SELINUX=disabled#g" /etc/selinux/config
3.修改启动级别
centos6:
init 3
sed -i "s#id:5:inintdefault#id:3:inintdefault#g" /etc/inittab
centos7:
systemctl set-default multi-user.target
systemctl get-default
runlevel
注:multi-user.target 级别3 graphical.target 级别5
4.精简开机启动项
必须保留开机自启动项
- sshd 远程连接服务
- rsyslog 系统日志服务
- network 网络服务
- crond 定时任务服务
- sysstat 性能检测工具,包括iostat提供cpu使用率及硬盘读写速率
- mpstat提供与单个或者多个处理器相关的数据
- sar提供收集报告并存储系统活跃信息
方法:
LANG=en
chkconfig --list | grep 3:on
for n in chkconfig --list|grep 3:on|awk '{print$1}';do chkconfig $n off;done
5.关闭防火墙
systemctl stop firewall
systemctl disable firewall
6.系统最小化
最小化安装系统,最小化安装yum,最小化输入指令
yum install -y lrzsz net-tools bind-utils telnet lsof wget strace sysstat
7.修改ssh配置
Port 11111
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no
GSSAPIAuthentication no
sed -ir '13 iPort 11111\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\nGSSAPIAuthentication no' /etc/ssh/sshd_config
systemctl reload sshd
8.创建时间同步服务器
echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>$1' >>/var/spool/cron/root
crontab -e
9.历史记录数及登录超时设置
echo "export TMOUT=60" >>/etc/profile
echo "export HISTSIZE=20" >>/etc/profile
echo "export HISTFILESIZE=20" >>/etc/profile
echo 'export HISTTIMEFORMAT="%D%T `whoani`"' >>/etc/profile
10.文件描述符及进程数设置
"soft" 和 "hard" 的区别
- soft:代表警告的设定,可以超过这个设定值,但是超过后会有警告
- hard:代表严格的设定,不允许超过这个值
"nproc" 和 "nofile" 的区别
- nproc:每个用户可创建的进程数限制
- nofile:每个进程可打开的文件数限制
# 高并发下建议将值都设置为65535
cat /etc/security/limits.conf
root soft nproc 65535
root soft nproc 65535
* soft nproc 65535
* soft nproc 65535
root soft nofile 65535
root soft nofile 65535
* soft nofile 65535
* soft nofile 65535
注:
- 一般soft的值会比hard小,也可相等。
- /etc/security/limits.d/里面配置会覆盖/etc/security/limits.conf的配置
- 只有root用户才有权限修改/etc/security/limits.conf
- 如果limits.conf没有做设定,则默认值是1024
11.liunx内核参数优化
cat /etc/sysctl.conf
#CTCDN系统优化参数
#关闭ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1
# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1
#关闭路由转发
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
#开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
#关闭sysrq功能
kernel.sysrq = 0
#core文件名中添加pid作为扩展名
kernel.core_uses_pid = 1
# 开启SYN洪水攻击保护
net.ipv4.tcp_syncookies = 1
#修改消息队列长度
kernel.msgmnb = 65536
kernel.msgmax = 65536
#设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
#timewait的数量,默认180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
#每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 262144
#限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800
#未收到客户端确认信息的连接请求的最大值
net.ipv4.tcp_max_syn_backlog = 262144
#内核放弃建立连接之前发送SYNACK 包的数量
net.ipv4.tcp_synack_retries = 1
#内核放弃建立连接之前发送SYN 包的数量
net.ipv4.tcp_syn_retries = 1
#启用timewait 快速回收
net.ipv4.tcp_tw_recycle = 0
#开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
#当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时
net.ipv4.tcp_keepalive_time = 30
#允许系统打开的端口范围
net.ipv4.ip_local_port_range = 1024 65000
#修改防火墙表大小,默认65536
#net.netfilter.nf_conntrack_max=655350
#net.netfilter.nf_conntrack_tcp_timeout_established=1200
# 确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
#设置虚拟ip后,不验证ip是否存在,keepalive配置时需要使用此项,否则nginx启动报错
net.ipv4.ip_nonlocal_bind = 1