linux系统调优指南(centos7.X)

欢迎关注我最新博客地址：

关闭不必要的服务(如打印服务等)

for owelinux in `chkconfig --list | grep "3:on" | awk '{print $1}'`; do chkconfig $owelinux off; donefor owelinux in crond network sshd rsyslog sysstat iptables; do chkconfig $owelinux on; done

关闭不需要的tty

\cp /etc/securetty  /etc/securetty.bak>/etc/securettyecho "tty1" >>/etc/securettyecho "tty2" >>/etc/securettyecho "tty3" >>/etc/securetty

调整linux 文件描述符大小

\cp /etc/security/limits.conf /etc/security/limits.conf.$(date +%F)ulimit -HSn 65535echo -ne "* soft nofile 65535* hard nofile 65535" >>/etc/security/limits.confecho "ulimit -c unlimited" >> /etc/profilesource /etc/profile

修改shell命令的history 记录个数和连接超时时间

echo "export HISTCONTROL=ignorespace" >>/etc/profileecho "export HISTCONTROL=erasedups" >>/etc/profileecho "HISTSIZE=500" >> /etc/profile#修改帐户TMOUT值，设置自动注销时间echo "export TMOUT=300" >>/etc/profile echo "set autologout=300" >>/etc/csh.cshrcsource /etc/profile

清空系统版本信息加入登录警告

>/etc/motd >/etc/issue>/etc/redhat-releaseecho "Authorized uses only. All activity may be monitored   and reported." >>/etc/motdecho "Authorized uses only. All activity may be monitored   and reported." >> /etc/issueecho "Authorized uses only. All activity may be monitored   and reported." >> /etc/issue.netchown root:root /etc/motd /etc/issue  /etc/issue.netchmod 644 /etc/motd /etc/issue  /etc/issue.net

优化内核TCP参数

cat >>/etc/sysctl.conf<

登录机器发邮件告警

yum -y install mailxcat >>/root/.bashrc << EOFecho 'ALERT - Root Shell Access (Server Name) on:' \`date\`\`who\`\`hostname\` | mail -s "Alert:Root Access from \`who | cut -d "(" -f2 | cut -d ")" #-f1\`" blue.yunwei@bluepay.asiaEOF

定时校正服务器时间

echo '0 * * * * /usr/sbin/ntpdate -u  0.cn.pool.ntp.org;/sbin/hwclock -w > /dev/null 2>&1' >> /var/spool/cron/root/usr/sbin/ntpdate -u  0.cn.pool.ntp.org;/sbin/hwclock -w systemctl  restart crond

停止ipv6

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

修改yum源

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backupwget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repoyum -y reinstall epel-releaseyum clean allyum makecache

关闭Selinux

setenforce 0sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

安装必要的服务，更新系统软件

yum -y groupinstall "Development tools"yum -y install ntpdate sysstat lrzsz wget nmap tree curl  epel-release lsof nano bash-completion net-tools lsof vim-enhanced

ssh优化，加快连接速度

#1、配置空闲登出的超时间隔:#2、禁用   .rhosts 文件#3、禁用基于主机的认证#4、禁止   root 帐号通过 SSH   登录#5、用警告的   Banner#6、iptables防火墙处理 SSH 端口22123#7、修改 SSH   端口和限制 IP 绑定：#8、禁用空密码：#9、记录日志：mv /etc/ssh/ /etc/sshbakmkdir -p /application/toolscd /application/toolsyum -y install wget C gcc ccwget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gztar -zxf openssh-7.6p1.tar.gzcd openssh-7.6p1yum install -y zlib-devel openssl-devel pam pam-devel./configure --prefix=/usr --sysconfdir=/etc/ssh --without-zlib-version-check  --with-pamchmod 600 /etc/ssh/*_keymake -j4rpm -e --nodeps `rpm -qa | grep openssh`make install ssh -Vcp contrib/redhat/sshd.init /etc/init.d/sshdchkconfig --add sshdmv /etc/ssh/sshd_config /etc/ssh/sshd_config_`date +%F`cat >/etc/ssh/sshd_config<
    
     >/etc/rsyslog.conf echo "local5.* /var/log/sshd.log" >>/etc/rsyslog.conf systemctl restart rsyslogsystemctl stop sshd && systemctl start sshdsystemctl reload sshd
    

删除系统不需要的用户和用户组

for i in adm lp sync shutdown halt news uucp operator games gopher   do      userdel $i  2>/dev/null   done && action "delete user: " /bin/true || action "delete user: " /bin/false   for i in adm  news uucp games dip pppusers popusers slipusers   do      groupdel $i  2>/dev/null   done

修改密码认证的复杂度，和过期时间

mv /etc/pam.d/system-auth /etc/pam.d/system-auth_`date +%F`cat >/etc/pam.d/system-auth<
    
     = 500 quietauth        required      pam_deny.soauth    sufficient    /lib/security/pam_unix.so likeauth nullokaccount     required      pam_unix.soaccount     sufficient    pam_localuser.soaccount     sufficient    pam_succeed_if.so uid < 500 quietaccount     required      pam_permit.sopassword    requisite     pam_cracklib.so try_first_pass retry=3  minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtokpassword    required      pam_deny.sosession     optional      pam_keyinit.so revokesession     required      pam_limits.sosession     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uidsession     required      pam_unix.soetc/pam.d/system-auth EOFcat >/etc/pam.d/sshd<
    

使用noatime文件系统挂载选项

删除CentOS自带的sendmail，改用postfix

增加SWAP分区大小（一般是内存的2倍）

dd if=/dev/zero of=/mnt/swapfile bs=4M count=1024mkswap /mnt/swapfile swapon /mnt/swapfile echo "/mnt/swapfile swap swap defaults 0 0" >>/etc/fstabmount -afree -m | grep -i swap

使用iptables关闭不需要对外开放的端口

systemctl disable firewalldsystemctl stop firewalldyum -y install iptables-servicessystemctl start iptablessystemctl start ip6tablessystemctl enable iptablessystemctl enable ip6tablesiptables -Fiptables -A INPUT -i lo -j ACCEPTiptables -A INPUT -p tcp --dport 22123 -j ACCEPTiptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPTiptables -A INPUT -p icmp -j ACCEPTiptables -A INPUT -j DROPservice iptables save

启动系统审计服务

yum install audit*.* -ycat >>/etc/audit/audit.rules<

部署完整性检查工具软件

yum -y install aide#1）执行初始化，建立第一份样本库aide -imv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz#2）更新到样本库aide -ucd /var/lib/aide/mv aide.db.new.gz aide.db.gz#3）定期执行***检测，并发送报告# crontab -e#45 17 * * * /usr/sbin/aide -C -V4 | /bin/mail -s ”AIDE REPORT $（date +%Y%m%d）” abcdefg#163.comecho '45 23 * * * aide -C >> /var/log/aide/`date +%Y%m%d`_aide.log' >> /var/spool/cron/root#记录aide可执行文件的md5 checksum：md5sum /usr/sbin/aide

关闭ctrl+alt+del重启机器

rm -f /usr/lib/systemd/system/ctrl-alt-del.targe && init q#恢复  ln -s /usr/lib/systemd/system/reboot.target /usr/lib/systemd/system/ctrl-alt-del.target

文件加锁及修改默认权限

#1、限制   at/cron给授权的用户:rm -f /etc/cron.deny /etc/at.denyecho root >/etc/cron.allowecho root >/etc/at.allowchown root:root /etc/cron.allow /etc/at.allowchmod 400 /etc/cron.allow /etc/at.allow#2、Crontab文件限制访问权限:chown root:root /etc/crontabchmod 400 /etc/crontabchown -R root:root /var/spool/cronchmod -R go-rwx /var/spool/cronchown -R root:root /etc/cron.*chmod -R go-rwx /etc/cron.*#3、加锁重要口令文件和组文件chattr +i /etc/passwdchattr +i /etc/shadowchattr +i /etc/groupchattr +i /etc/gshadowchattr +i /etc/xinetd.confchattr +i /etc/services