系统为 CentOS 7.2-1511,以下是安装完成后的基本优化步骤。
1 修改网卡为eth0
2 更新系统
3 给/etc/rc.local添加执行权限
4 添加用户hequan
5 禁用selinux
6 关闭防火墙安装iptables
7 修改主机名
8 查看并管理服务
9 设置字符集
10 yum
11 配置sshd
12 加大打开文件数的限制(open files)
13 优化内核
14 时间设置
1 修改网卡为eth0
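# 1. Rename the NIC to eth0 (CentOS 7 installs with a predictable name such as eno16777729).
cd /etc/sysconfig/network-scripts/ || exit 1

# Rewrite the interface file. The values below are the article author's own
# (address, gateway, DNS) and must be adjusted for the target host.
# The UUID line shown in the article belonged to the author's VM; copying a UUID
# verbatim to another machine is wrong, and the line is optional, so it is left out
# (generate a fresh one with `uuidgen` if you want it).
cat > ifcfg-eno16777729 <<'EOF'
TYPE=Ethernet
BOOTPROTO=static
IPADDR=192.168.1.201
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=eth0
DEVICE=eth0
ONBOOT=yes
DNS1=202.106.0.20
EOF
mv ifcfg-eno16777729 ifcfg-eth0

# Stop the kernel/udev from generating predictable interface names.
# Afterwards /etc/sysconfig/grub must contain:
#   GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 rhgb quiet"
# (the rest of that file — GRUB_TIMEOUT=5, GRUB_DEFAULT=saved, GRUB_DISABLE_SUBMENU=true,
#  GRUB_TERMINAL_OUTPUT="console", GRUB_DISABLE_RECOVERY="true" — stays as shipped).
sed -i 's/^GRUB_CMDLINE_LINUX="/&net.ifnames=0 biosdevname=0 /' /etc/sysconfig/grub

grub2-mkconfig -o /boot/grub2/grub.cfg   # regenerate the boot menu
# Expected output:
#   Generating grub configuration file ...
#   Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
#   Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
#   Found linux image: /boot/vmlinuz-0-rescue-<machine-id>
#   Found initrd image: /boot/initramfs-0-rescue-<machine-id>.img
reboot

# After the reboot, confirm the interface is now eth0:
ip addr
# ifconfig is not installed by default on CentOS 7; install net-tools if you want it.
yum install -y net-tools
ifconfig eth0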
2 更新系统
# 2. Bring the freshly installed system up to date, non-interactively.
# A kernel update only takes effect after the next reboot.
yum -y update
3 给/etc/rc.local添加执行权限
# 3. Make /etc/rc.local executable so systemd's rc-local.service runs it at boot
#    (the unit only fires when the file is executable).
# /etc/rc.local is a symlink to /etc/rc.d/rc.local, so the mode change goes on the target.
ls -l /etc/rc.local        # lrwxrwxrwx. 1 root root 13 ... /etc/rc.local -> rc.d/rc.local
ls -l /etc/rc.d/rc.local   # -rw-r--r--. 1 root root 473 ... /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local
# Whatever is placed in this file runs as root at every boot: keep it root-owned
# and not group/world-writable (it is 0644 root:root as shipped).
4 添加用户hequan
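# 4. Create the admin user hequan and restrict `su` to members of the wheel group.
useradd hequan

# Set the password interactively. The article piped a fixed "123456" into
# `passwd --stdin`: a literal password on the command line lands in the shell
# history and is visible to every local user through `ps` while it runs, and
# "123456" is trivially guessable. If this must be non-interactive, read the
# password from a root-only (mode 0600) file instead:
#   passwd --stdin hequan < /root/hequan.pw
passwd hequan

# Append wheel to the supplementary groups (-a). A bare -G replaces the whole list;
# harmless for a brand-new user, but the wrong habit for existing accounts.
usermod -aG wheel hequan

# Enable pam_wheel so only wheel members can su. Match the directive itself rather
# than the article's hard-coded line 6 — that sed silently edits the wrong line
# if the file layout differs.
sed -i 's/^#\(auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid\)/\1/' /etc/pam.d/su

grep wheel /etc/pam.d/su
# Expected: the "auth required pam_wheel.so use_uid" line is now active, while the
# "auth sufficient pam_wheel.so trust use_uid" line stays commented — uncommenting
# it would let wheel members su to root WITHOUT a password.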
扩展:为用户hequan添加sudo,允许除关机以外的其他所有操作(注意:sudoers 中的 `!` 排除只能防止误操作,拥有 ALL 权限的用户仍然可以绕过它,见下文说明):
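# Give hequan (and the wheel group) sudo for everything except shutdown-type
# commands, and log every sudo invocation to /var/log/sudo.log.
#
# NOTE(review): a "!" exclusion in sudoers is NOT a security boundary. sudoers(5)
# itself warns that subtracting commands from ALL is ineffective: a user with ALL
# can copy the excluded binary under another name, invoke it by a path the alias
# does not list (the alias below names /sbin/reboot; /usr/sbin/reboot may not match),
# or simply run `sudo systemctl poweroff` or `sudo kill -9 1`. Treat this as a
# guard against accidents, not as a restriction on a hostile user.
#
# Always edit through visudo — it syntax-checks before saving, and a broken
# /etc/sudoers locks everyone out of sudo.
visudo
# Add / change the following lines (the systemctl entries are added here because
# on CentOS 7 they are the native way to halt or reboot):
#
#   Cmnd_Alias SHUTDOWN = /sbin/halt, /sbin/shutdown, /sbin/poweroff, /sbin/reboot, /sbin/init, \
#                         /usr/bin/systemctl poweroff, /usr/bin/systemctl reboot, /usr/bin/systemctl halt
#   hequan ALL=(ALL) ALL, !SHUTDOWN
#   %wheel ALL=(ALL) ALL, !SHUTDOWN        # modify the existing %wheel line
#   Defaults logfile=/var/log/sudo.log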
5 禁用selinux
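# 5. Disable SELinux (the article's choice).
#
# NOTE(review): this removes mandatory access control for every service on the
# host. If the goal is only to stop SELinux from blocking something, SELINUX=permissive
# keeps logging denials to the audit log without enforcing them, and going back
# from "disabled" to enforcing later requires a full relabel (touch /.autorelabel).
grep -i '^selinux' /etc/selinux/config
#   SELINUX=enforcing
#   SELINUXTYPE=targeted

# Anchor on "SELINUX=" so only the mode line is touched. The article's /^SELINUX/
# address also matched SELINUXTYPE=targeted — harmless there, but imprecise.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
grep -i '^selinux' /etc/selinux/config
#   SELINUX=disabled
#   SELINUXTYPE=targeted

# The config file is read only at boot, which is why the article's `getenforce`
# still printed "Enforcing" after the edit. `setenforce 0` switches to permissive
# immediately; "disabled" itself needs the reboot.
getenforce
setenforce 0
reboot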
6 关闭防火墙安装iptables
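# 6. Replace firewalld with the classic iptables service.
# The article spells it "firwalld" — systemctl would report that no such unit is
# loaded and firewalld would keep running (or, worse, be assumed stopped).
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld          # make sure it cannot be pulled back in alongside iptables

yum install -y iptables-services  # provides iptables.service and /etc/sysconfig/iptables

# Stopping firewalld without starting a replacement leaves the host with no packet
# filter at all. Enable and start iptables right away, then put the real rule set in
# /etc/sysconfig/iptables (iptables-save format) and `systemctl restart iptables`.
systemctl enable iptables
systemctl start iptables
iptables -nvL                     # verify what is actually loaded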
7 修改主机名
# 7. Set the static host name (hostnamectl writes it to /etc/hostname).
hostnamectl set-hostname hequan.com
hostname          # prints: hequan.com
8 查看并管理服务
# 8. Inspect services: first the loaded service units (list-units is systemctl's
# default command, so this equals `systemctl -t service`), then the
# enabled/disabled state of every installed service unit file.
systemctl list-units -t service
systemctl list-unit-files -t service
9 设置字符集
# 9. Switch the system locale from zh_CN.UTF-8 to en_US.UTF-8.
echo "$LANG"                                    # zh_CN.UTF-8 on the author's install
sed -i 's/^LANG=.*/LANG="en_US.UTF-8"/' /etc/locale.conf
# Sourcing only updates the current shell; new logins read the file themselves.
source /etc/locale.conf
10 yum
# 10. Build tool chain, development headers and a few convenience tools
#     (same package list as the article, split across lines for readability).
yum install \
  gcc cmake \
  bzip2-devel curl-devel db4-devel libjpeg-devel libpng-devel freetype-devel \
  libXpm-devel gmp-devel libc-client-devel openldap-devel unixODBC-devel \
  postgresql-devel sqlite-devel aspell-devel net-snmp-devel libxslt-devel \
  libxml2-devel pcre-devel mysql-devel pspell-devel libmemcached libmemcached-devel \
  zlib-devel \
  vim wget lrzsz tree
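# Switch the base repository to the 163 mirror.
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
cd /etc/yum.repos.d/ || exit 1

# NOTE(review): this repo file is fetched over plain HTTP and is then trusted for
# every future `yum install`. Use https if the mirror offers it, and confirm the
# downloaded file still has gpgcheck=1 with gpgkey pointing at the CentOS signing
# key — package signature verification is the only thing that protects against a
# tampered download or a compromised mirror.
wget http://mirrors.163.com/.help/CentOS7-Base-163.repo
grep -nE '^(gpgcheck|gpgkey)=' CentOS7-Base-163.repo   # expect gpgcheck=1 for every section

yum clean all
yum makecache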
其他
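# Repository priorities plus two extra repos (EPEL, RPMforge), both left disabled
# so they are only used when explicitly enabled for a single transaction.
yum -y install yum-plugin-priorities           # priorities plugin

# Each sed inserts a "priority=N" line after every [section] header of the file
# (1 = highest priority, so the base repo wins on package name conflicts).
sed -i -e 's/\]$/\]\npriority=1/g' /etc/yum.repos.d/CentOS-Base.repo

yum -y install epel-release                     # signed package from the CentOS extras repo
sed -i -e 's/\]$/\]\npriority=5/g' /etc/yum.repos.d/epel.repo
sed -i -e 's/enabled=1/enabled=0/g' /etc/yum.repos.d/epel.repo      # disabled by default

# NOTE(review): the RPMforge release package is installed straight from an http://
# URL. yum does not GPG-verify a package given by path or URL unless
# localpkg_gpgcheck=1 is set, so this step installs an unverified third-party repo
# definition (and the GPG key it ships) over an unauthenticated channel. Confirm the
# project is still maintained, fetch the rpm over https or check its checksum against
# a trusted source, and only then install it.
yum -y install http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm
sed -i -e 's/\]$/\]\npriority=10/g' /etc/yum.repos.d/rpmforge.repo
sed -i -e 's/enabled=1/enabled=0/g' /etc/yum.repos.d/rpmforge.repo  # disabled by default

# Usage: enable a disabled repo for one transaction only.
#   yum --enablerepo=rpmforge install <package>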
11 配置sshd
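# 11. Harden sshd: no root login, no reverse DNS lookups, no GSSAPI.
# Match the directives by name instead of the article's hard-coded line numbers;
# lines 49 and 129 are only correct for the exact sshd_config shipped with this
# release, and on any other version those seds rewrite whatever happens to be there.
sed -i -e 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config  # root logs in as hequan, then su/sudo
sed -i -e 's/^#\?UseDNS .*/UseDNS no/'                   /etc/ssh/sshd_config  # skip reverse lookups at login
sed -i -e '/^GSS/s/yes/no/g'                             /etc/ssh/sshd_config  # no Kerberos here; avoids the GSSAPI delay

# Validate the config before restarting, and keep the current session open until a
# second login has succeeded — a bad directive, or disabling root login before the
# hequan account works, locks you out of the box.
sshd -t
systemctl restart sshd
systemctl enable sshd
systemctl status sshd
# Expected:
#   ● sshd.service - OpenSSH server daemon
#      Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
#      Active: active (running) since ...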
12 加大打开文件数的限制(open files)
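# 12. Raise the open-files (nofile) and process (nproc) limits.
ulimit -n          # current soft nofile limit
ulimit -a          # all current limits

# Append to /etc/security/limits.conf. The "hive" entries are for a user that this
# guide never creates (they look carried over from a Hadoop setup); they are
# harmless but can be dropped if no such account will exist.
cat >> /etc/security/limits.conf <<'EOF'
* soft nofile 1024000
* hard nofile 1024000
hive - nofile 1024000
hive - nproc 1024000
EOF

# Per-user process limit for ordinary users. Rewrite the "* soft nproc" line by
# name instead of replacing every "4096" in the file (the article's sed), so it
# still does the right thing if the shipped default changes. "unlimited" is also
# accepted here.
sed -i 's/^\(\*[[:space:]]\+soft[[:space:]]\+nproc\)[[:space:]]\+.*/\1 65535/' /etc/security/limits.d/20-nproc.conf
egrep -v '^$|^#' /etc/security/limits.d/20-nproc.conf
#   * soft nproc 65535
#   root soft nproc unlimited

# pam_limits applies these to new login sessions; the reboot the article does also
# works, but a fresh login is enough for the limits themselves.
reboot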
13 优化内核
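# 13. Kernel tuning. This writes the full /etc/sysctl.conf the article shows.
# Multi-value keys that were run together in the article (tcp_rmem, tcp_wmem,
# tcp_mem, ip_local_port_range) are restored to their space-separated form — as
# printed there, `sysctl -p` would reject them with "Invalid argument".
cat > /etc/sysctl.conf <<'EOF'
# CTCDN system tuning parameters
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# How long before a neighbour (ARP) entry is considered stale
net.ipv4.neigh.default.gc_stale_time = 120
# arp_announce: use the best local address for the target when sending ARP requests
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
# Do not answer broadcast pings (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Not a router: no forwarding, no ICMP redirects sent
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Reverse-path filtering (drop packets whose source is not routable via the ingress interface)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Drop source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Disable the magic SysRq key
kernel.sysrq = 0
# Append the PID to core file names
kernel.core_uses_pid = 1
# SYN cookies: keep accepting connections under a SYN flood
net.ipv4.tcp_syncookies = 1
# Message queue sizes
kernel.msgmnb = 65536
kernel.msgmax = 65536
# Largest shared memory segment (bytes) / total shared memory (pages)
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
# Max TIME_WAIT sockets (default 180000)
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# Max packets queued on an interface when it receives faster than the kernel can process them
net.core.netdev_max_backlog = 262144
# Orphan-socket limit (only a guard against simple DoS)
net.ipv4.tcp_max_orphans = 3276800
# Max half-open connection requests
net.ipv4.tcp_max_syn_backlog = 262144
# TCP timestamps (RFC 1323). Left ON: tcp_tw_reuse below depends on them, and the
# article's "tcp_timestamps = 0" silently made its tw_reuse/tw_recycle settings inert.
net.ipv4.tcp_timestamps = 1
# SYN-ACK / SYN retransmissions before giving up (1 is aggressive; raise on lossy links)
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
# NOTE(review): tcp_tw_recycle is deliberately left OFF (the article set it to 1).
# It drops connections from clients behind NAT whose timestamps arrive out of order,
# and the knob was removed from the kernel in 4.12. tcp_tw_reuse is the safe variant.
net.ipv4.tcp_tw_recycle = 0
# Reuse TIME_WAIT sockets for new outgoing connections
net.ipv4.tcp_tw_reuse = 1
# tcp_mem is in pages, not bytes; these values are far above any real RAM and in
# practice disable the limit — kept as the article had them.
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
# Keepalive: first probe after 30 min (default 2 h), then 3 probes 15 s apart
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
# Ephemeral port range
net.ipv4.ip_local_port_range = 1024 65000
# Connection-tracking table size (default 65536) and established-flow timeout.
# These keys exist only while the nf_conntrack module is loaded; otherwise
# `sysctl -p` reports "No such file or directory" for them.
net.netfilter.nf_conntrack_max = 655350
net.netfilter.nf_conntrack_tcp_timeout_established = 1200
# Make sure nobody can alter the routing table through ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF
# This article is from the "兰芷" blog — please keep this attribution (请务必保留此出处):
# http://7826443.blog.51cto.com/7816443/1775248

modprobe nf_conntrack   # so the net.netfilter.* keys above exist before they are applied
sysctl -p               # apply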