linux系统基础调优

1.关闭selinux,清空iptables

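# Disable SELinux (persistently in the config file and immediately for the running
# kernel) and clear every iptables rule, then persist the empty ruleset and stop
# the service. After this block the host has no mandatory access control and no
# packet filter of its own, so it relies entirely on whatever filters the network.
# Rewrite whichever mode is currently configured (enforcing or permissive), not
# only the literal "enforcing"; the anchor keeps comment lines untouched.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
grep '^SELINUX=disabled' /etc/selinux/config
# setenforce reports an error when SELinux is already disabled at boot time;
# that is not a failure of this step.
setenforce 0 2>/dev/null || true
iptables -F   # flush all rules in the built-in chains
iptables -X   # delete user-defined chains
iptables -Z   # zero packet/byte counters
iptables -L   # print the (now empty) ruleset for the record
/etc/init.d/iptables save
/etc/init.d/iptables stop
chkconfig iptables off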

2.添加普通用户并进行sudo授权管理

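# Create an unprivileged account and grant it password-less sudo.
# The account name and password are taken from the environment so the secret is
# not written into this file or into shell history; USER_PASS must be set first.
NEW_USER=${NEW_USER:-liwen}
: "${USER_PASS:?USER_PASS must be set in the environment}"
id "$NEW_USER" >/dev/null 2>&1 || useradd "$NEW_USER"
# passwd --stdin reads the secret from stdin, so it never appears in argv/ps.
printf '%s\n' "$USER_PASS" | passwd --stdin "$NEW_USER" && history -c
# Append the sudo rule, then syntax-check it: a malformed /etc/sudoers disables
# sudo for every user, so restore the backup if visudo rejects the result.
cp -p /etc/sudoers /etc/sudoers.bak
printf '%s       ALL=(ALL)      NOPASSWD: ALL\n' "$NEW_USER" >>/etc/sudoers
visudo -cf /etc/sudoers || /bin/mv -f /etc/sudoers.bak /etc/sudoers
tail /etc/sudoers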

3.更新yum源及必要软件安装

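# Point yum at the Aliyun CentOS 6 mirror and install the base tool set.
yum install -y wget
cd /etc/yum.repos.d/ || exit 1          # the relative paths below assume this cwd
# Keep the stock repo file so the change can be reverted.
[ -f CentOS-Base.repo ] && /bin/mv -f CentOS-Base.repo CentOS-Base.repo.bak
# Fetch over HTTPS so the repo definition (mirror URLs, gpgkey lines) cannot be
# altered in transit; package integrity still depends on gpgcheck inside the file.
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-6.repo
# The mirror file uses $releasever; pin it to 6. Single quotes keep the '$'
# literal so sed, not the shell, sees it.
sed -i 's#$releasever#6#g' CentOS-Base.repo
yum clean all
yum makecache
yum install -y lrzsz ntpdate sysstat openssh openssl expect telnet tree dos2unix nmap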

4.定时自动更新服务器时间

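# Sync the system clock every 5 minutes and copy it to the hardware clock.
# The grep guard keeps a re-run of this step from appending a duplicate entry.
CRON_JOB='*/5 * * * * /usr/sbin/ntpdate -u ntp.api.bz && /sbin/hwclock -w '
grep -qF -- "$CRON_JOB" /var/spool/cron/root 2>/dev/null \
  || printf '%s\n' "$CRON_JOB" >>/var/spool/cron/root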

5.精简开机自启动服务

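# Turn off every service enabled in runlevel 3, then re-enable the minimal set.
# The service list has to be captured with $(...): a bare pipeline inside a
# for-word list (as this line originally read) is a syntax error.
for svc in $(chkconfig --list | grep 3:on | awk '{print $1}'); do
  chkconfig --level 3 "$svc" off
done
for svc in crond rsyslog sshd network; do
  chkconfig --level 3 "$svc" on
done
chkconfig --list | grep 3:on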

6.修改字符集支持中文

# Back up the locale file with a timestamp suffix, then overwrite it from a here-document.
cp /etc/sysconfig/i18n /etc/sysconfig/i18n.$(date +%Y%m%d%k%I%M)
# NOTE(review): the here-document delimiter and body after '<' are missing from
# this page (lost in extraction); as written this line is incomplete and writes nothing.
cat >/etc/sysconfig/i18n<

临时更改:export LANG="en_US.UTF-8"和export LANGUAGE="en_US:en"

7.变更默认的ssh服务端口,禁止root用户远程连接

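# Harden sshd: move it off port 22, refuse root and empty-password logins,
# disable GSSAPI and reverse-DNS lookups.
SSHD_CONF=/etc/ssh/sshd_config
cp -p "$SSHD_CONF" "$SSHD_CONF.bak.$(date +%Y%m%d%H%M%S)"
# Each substitution only matches the commented-out default; if an option is
# already set to something else the sed is a silent no-op, which is why the
# grep below prints the effective lines for inspection.
sed -i \
  -e 's/#Port 22/Port 52113/g' \
  -e 's/#PermitRootLogin yes/PermitRootLogin no/g' \
  -e 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' \
  -e 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' \
  -e 's/#UseDNS yes/UseDNS no/g' \
  "$SSHD_CONF"
grep -E 'PermitEmptyPasswords|UseDNS|Port|GSSAPIAuthentication|PermitRootLogin' "$SSHD_CONF"
# Validate before restarting: a broken config would leave no way back in over the
# network. Keep the current session open and test a fresh login on port 52113
# before closing it.
if sshd -t -f "$SSHD_CONF"; then
  /etc/init.d/sshd restart
else
  printf 'sshd_config failed validation; not restarting sshd\n' >&2
fi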

对于云服务器可添加如下防止ssh连接中断

# The server sends a keepalive probe every 60 s and closes the session after
# ClientAliveCountMax consecutive probes go unanswered. The second value is a
# count, not seconds: 86400 probes at 60 s is roughly 60 days, so a dead session
# is effectively never dropped. A small count (the OpenSSH default is 3) is usual.
ClientAliveInterval 60
ClientAliveCountMax 86400

8.添加历史命令记录

[root@node1 ~]# vim /etc/profile            #添加如下
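# Per-login command audit trail, sourced from /etc/profile by every interactive
# shell. Each login gets its own history file named <timestamp>_<client>.history
# under $LOG_DIR/$LOGNAME, and PROMPT_COMMAND appends every executed command with
# a timestamp, the who-am-i fields and the current directory.
LOG_DIR=/var/log/.history
# Client address of this login: the "(a.b.c.d)" field of `who -u am i`, parentheses stripped.
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ -z "$USER_IP" ]; then
    USER_IP=$(hostname)    # local console / no tty: fall back to the host name
fi

# The top-level directory is shared by all users. Sticky 1777 still lets every
# user create their own subdirectory but stops them deleting or renaming each
# other's (the original 777 allowed that).
if [ ! -d "$LOG_DIR" ]; then
    mkdir -p "$LOG_DIR"
    chmod 1777 "$LOG_DIR"
fi

# Per-user directory: write/execute only, so the user can add records but cannot
# list them (the owner could still chmod it back; this only deters casual reading).
USER_LOG_DIR="${LOG_DIR}/${LOGNAME}"
if [ ! -d "$USER_LOG_DIR" ]; then
    mkdir -p "$USER_LOG_DIR"
    chmod 300 "$USER_LOG_DIR"
fi
export HISTSIZE=4096
DT=$(date +"%F_%H%M%S")
# Only log into the directory if this user owns it: because $LOG_DIR is shared,
# another local user could otherwise pre-create "$LOG_DIR/<name>" and gain
# access to that user's records.
if [ -O "$USER_LOG_DIR" ]; then
    export HISTFILE="${USER_LOG_DIR}/${DT}_${USER_IP}.history"
    chmod 600 "$USER_LOG_DIR"/*history* 2>/dev/null
fi
# Errors go to /dev/null rather than a fixed, world-shared /tmp path: that file
# is opened by every user's login shell, including root's, so a predictable name
# in /tmp could be pre-planted as a symlink to another file. readonly keeps a
# user from unsetting the hook in this shell; it does not resist root or a
# different shell.
readonly PROMPT_COMMAND='{ date "+%F %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(pwd) #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >> $HISTFILE' 2>/dev/null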

9.锁定关键文件系统

# Mark the account databases and inittab immutable so they cannot be modified,
# even by root, until the attribute is removed with `chattr -i`. Tools that
# rewrite these files (useradd, usermod, passwd, ...) will fail while it is set,
# so lift it before making account changes.
for f in /etc/passwd /etc/inittab /etc/shadow /etc/group /etc/gshadow; do
  chattr +i "$f"
done

使用chattr命令后,为了安全我们需要将其改名
# "任意名称" is a placeholder for the new file name. Renaming the binary only
# obscures it: the kernel attribute stays in force and anyone with root can
# reinstall or copy the tool, so treat this as a convenience, not a control.
/bin/mv /usr/bin/chattr /usr/bin/任意名称

10.调整文件描述符大小

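# Raise the open-file limit for all users; the limits.conf entry applies to new
# PAM sessions, not the current shell.
# The option is an ASCII hyphen: the page had an en dash ("–n"), which ulimit rejects.
ulimit -n                        # show the current soft limit before changing it
LIMIT_LINE='*  -  nofile  65535'
# Guard against duplicate entries when this step is re-run.
grep -qF -- "$LIMIT_LINE" /etc/security/limits.conf \
  || printf '%s\n' "$LIMIT_LINE" >>/etc/security/limits.conf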

11.调整字符集,使其支持中文

# Set the system locale to Simplified Chinese UTF-8 (replacing any existing LANG=
# line) and load the file into the current shell so the change applies at once.
sed -i -e 's#LANG=.*$#LANG="zh_CN.UTF-8"#g' /etc/sysconfig/i18n
. /etc/sysconfig/i18n

12.去除系统及内核版本登录前的屏幕显示

# Blank the pre-login banners and the release string so the OS and kernel
# version are not shown on the console or to network clients.
# NOTE: some tooling identifies the OS by reading /etc/redhat-release; emptying
# it can break that detection, so consider leaving that file intact.
for banner in /etc/redhat-release /etc/issue /etc/issue.net /etc/motd; do
  : > "$banner"
done

13.内核参数优化
本优化适合apache,nginx,squid多种等web应用,特殊的业务也可能需要略作调整

# NOTE(review): the here-document delimiter and body after '<' are missing from
# this page (lost in extraction); the kernel parameters it was meant to append
# have to be restored before this line is usable, then applied with /sbin/sysctl -p.
cat >>/etc/sysctl.conf<

将上面的内核参数值加入/etc/sysctl.conf文件中然后/sbin/sysctl -p使其生效
防火墙的优化参数

# Connection-tracking limits for the firewall, applied with sysctl -p.
# net.nf_conntrack_max is the older alias of net.netfilter.nf_conntrack_max, so
# both lines set the same limit. 25,000,000 entries is very large: each tracked
# connection costs on the order of a few hundred bytes of kernel memory, so size
# this from the host's RAM and expected concurrent connections rather than
# copying the value.
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
# Seconds a tracked TCP flow stays in each state before it is evicted from the table.
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120