CentOS6.7优化方案

1312

最近公司新升级了服务器系统到CentOS6.7，精心做了一套系统优化方案
centos优化

• 配置网卡
  
• 修改主机名
  
• 关闭selinux，清空防火墙
  
• 新建普通用户并visudo授权
  
• 更改yum源，安装常用软件
  
• 定时任务，定时更新时间
  
• 精简开机启动项
  
• 定时任务在自动清理/var/spool/maildrop/目录垃圾文件，防止inode占满
  
• 更改ssh服务端口，禁止root用户远程连接
  
• 锁定关键文件系统
• 调整文件描述符大小
  
• 调整字符集，使其支持中文
  
• 去除系统及内核版本登录前的屏幕显示
  
• 内核参数优化
  
  

1、配置网卡（此处为克隆机所以删除了UUID和MAC）

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27

vim /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE=eth TYPE=Ethernet ONBOOT=yes NM_CONTROLLED=yes BOOTPROTO=none IPV6INIT=no USERCTL=no IPADDR=10.0.0.100 GATEWAY=10.0.0.2 DNS2=223.5.5.5 DNS1=10.0.0.2 NETMASK=255.255.255.0 vim /etc/sysconfig/network-scripts/ifcfg-eth1 DEVICE=eth0 TYPE=Ethernet ONBOOT=yes NM_CONTROLLED=yes BOOTPROTO=none IPV6INIT=no USERCTL=no IPADDR=10.0.0.100 GATEWAY=10.0.0.2 DNS2=223.5.5.5 DNS1=10.0.0.2 NETMASK=255.255.255.0

重启网卡eth1

1	ifdown eth1&&ifup eth1/etc/init.d/network restart

1	echo '>/etc/udev/rules.d/70-persistent-net.rules' >>/etc/rc.local

1 2	hostname zhang (临时修改) vim /etc/sysconfig/network

3、检查DNS
阿里服务器

1	223.5.5.5vim /etc/resolv.conf

（网卡配置文件中设置的优先启动）
4、关闭selinux

1 2 3 4

sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config grep SELINUX=disabled /etc/selinux/config setenforce 0 getenforce

清空防火墙

1	iptables -F

1	iptables -L 1>>~/install.ok 2>>install.bug

1	/etc/init.d/iptables save

5、新建普通用户并visudo授权

1 2 3 4 5

useradd zhang id zhang echo '123456'|passwd --stdin zhang echo 'zhang    ALL=(ALL)       NOPASSWD: ALL' >>/etc/sudoers visudo -c

6、更改yum源

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

备份本机yum源 法1：自己配置好安装源配置文件，然后上传到linux 法2：使用镜像站点配置好的yum安装源配置文件 mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.f1.ori ls /etc/yum.repos.d/CentOS-Base.repo.f1.ori  1>>~/install.ok 2>>install.bug yum makecache wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo yum install lrzsz tree sysstat -y rpm -qa lrzsz tree nmap sysstat  1>>~/install.ok 2>>install.bug sysstat   是用来检测系统性能及效率的工具 dos2unix将dos格式的文本转换为unix格式 nmap      网络扫描和主机检测 grep      过滤变色（实验用） echo 'grep="grep --color=auto"' >>/etc/profile . /etc/profile grep 'grep="grep --color=auto"' /etc/profile  1>>~/install.ok 2>>install.bug

7、定时任务，定时更新时间

1 2	echo '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' >>/var/spool/cron/root crontab -l 1>>~/install.ok 2>>install.bug

8、精简开机启动项

1 2 3

for n in `chkconfig --list|grep "3:on"|awk '{print $1}'`; do chkconfig $n off; done       chkconfig --list|egrep 'crond|network|rsyslog|sshd|sysstat'|awk '{print "chkconfig "$1" on"}'|bash chkconfig --list|grep "3:on" 1>>~/install.ok 2>>install.bug

1 2	mkdir /server/scripts -p ls -l /server/scripts/ 1>>~/install.ok 2>>install.bug

1 2 3 4 5 6

echo '#bin bash \ find /var/spool/postfix/maildrop -type f|xargs rm -f' >/server/scripts/clean_mail.sh cat /server/scripts/clean_mail.sh 1>>~/install.ok 2>>install.bug echo '#clean /var/spool/postfix/maildrop \ 00 00 * * * /bin/sh /server/scripts/clean_mail.sh' >>/var/spool/cron/root crontab -l 1>>~/install.ok 2>>install.bug

10、更改ssh服务端口，禁止root用户远程连接

1 2 3 4

cp /etc/ssh/sshd_config{,f1.ori} ls /etc/ssh/sshd_config.f1.ori 1>>~/install.ok 2>>install.bug sed -ir '13 iPort 52113\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\nGSSAPIAuthentication no' /etc/ssh/sshd_config sed -n 13,17p /etc/ssh/sshd_config 1>>~/install.ok 2>>install.bug

11、锁定关键文件系统

1 2 3 4 5 6 7 8 9 10

chattr +i /etc/passwd chattr +i /etc/inittab chattr +i /etc/group chattr +i /etc/shadow chattr +i /etc/gshadow lsattr +i /etc/passwd 1>>~/install.ok 2>>install.bug lsattr +i /etc/inittab 1>>~/install.ok 2>>install.bug lsattr +i /etc/group 1>>~/install.ok 2>>install.bug lsattr +i /etc/shadow 1>>~/install.ok 2>>install.bug lsattr +i /etc/gshadow 1>>~/install.ok 2>>install.bug

使用chattr命令后，为了安全我们需要将其改名

1 2	/bin/mv /usr/bin/chattr /usr/bin/  # 任意名称

13、调整字符集，使其支持中文

1	sed-i 's#LANG="en_US.UTF-8"#LANG="zh_CN.GB18030"#'/etc/sysconfig/i18nsource/etc/sysconfig/i18n

14、去除系统及内核版本登录前的屏幕显示

1 2	>/etc/issue >/etc/redhat-release

老男孩28期 章曾 整理发布。
在这里要感谢 老男孩 老师的教导。

一键执行优化

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67

echo '#######克隆机清空文件#####' 1>>~/install.ok 2>>install.bug echo '>/etc/udev/rules.d/70-persistent-net.rules' >>/etc/rc.local tail -1 /etc/rc.local 1>>~/install.ok 2>>install.bug echo '#######修改主机名#####' 1>>~/install.ok 2>>install.bug hostname zhang sed -i 's#HOSTNAME=.*#HOSTNAME=zhang#g' /etc/sysconfig/network cat /etc/sysconfig/network 1>>~/install.ok 2>>install.bug echo '#######关闭selinux#####' 1>>~/install.ok 2>>install.bug sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config grep SELINUX=disabled /etc/selinux/config 1>>~/install.ok 2>>install.bug setenforce 0 getenforce 1>>~/install.ok 2>>install.bug echo '#######关闭selinux#####' 1>>~/install.ok 2>>install.bug iptables -F iptables -L 1>>~/install.ok 2>>install.bug /etc/init.d/iptables save echo '#######新建用户sudo授权#####' 1>>~/install.ok 2>>install.bug useradd zhang id zhang 1>>~/install.ok 2>>install.bug echo '123456'|passwd --stdin zhang echo 'zhang    ALL=(ALL)       NOPASSWD: ALL' >>/etc/sudoers visudo -c 1>>~/install.ok 2>>install.bug echo '#######更改yum源安装常用软件#####' 1>>~/install.ok 2>>install.bug mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup ls /etc/yum.repos.d/CentOS-Base.repo.backup 1>>~/install.ok 2>>install.bug wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo yum install lrzsz tree sysstat -y rpm -qa lrzsz tree nmap sysstat  1>>~/install.ok 2>>install.bug echo '#######grep变色#####' 1>>~/install.ok 2>>install.bug echo 'grep="grep --color=auto"' >>/etc/profile . /etc/profile grep 'grep="grep --color=auto"' /etc/profile  1>>~/install.ok 2>>install.bug echo '#######定时更新时间#####' 1>>~/install.ok 2>>install.bug echo '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' >>/var/spool/cron/root crontab -l 1>>~/install.ok 2>>install.bug echo '#######精简开机启动项#####' 1>>~/install.ok 2>>install.bug for n in `chkconfig --list|grep "3:on"|awk '{print $1}'`; do chkconfig $n off; done       chkconfig --list|egrep 'crond|network|rsyslog|sshd|sysstat'|awk '{print "chkconfig "$1" on"}'|bash chkconfig --list|grep "3:on" 1>>~/install.ok 2>>install.bug echo '#######清理临时邮件队列#####' 1>>~/install.ok 2>>install.bug mkdir /server/scripts -p ls -l /server/scripts/ 1>>~/install.ok 2>>install.bug echo '#bin bash \ find /var/spool/postfix/maildrop -type f|xargs rm -f' >/server/scripts/clean_mail.sh cat /server/scripts/clean_mail.sh 1>>~/install.ok 2>>install.bug echo '#clean /var/spool/postfix/maildrop \ 00 00 * * * /bin/sh /server/scripts/clean_mail.sh' >>/var/spool/cron/root crontab -l 1>>~/install.ok 2>>install.bug cp /etc/ssh/sshd_config{,.f1.ori} ls /etc/ssh/sshd_config.f1.ori 1>>~/install.ok 2>>install.bug echo '#######ssh安全#####' 1>>~/install.ok 2>>install.bug sed -ir '13 iPort 52113\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\nGSSAPIAuthentication no' /etc/ssh/sshd_config sed -n 13,17p /etc/ssh/sshd_config 1>>~/install.ok 2>>install.bug echo '#######锁定重要文件#####' 1>>~/install.ok 2>>install.bug chattr +i /etc/passwd chattr +i /etc/inittab chattr +i /etc/group chattr +i /etc/shadow chattr +i /etc/gshadow lsattr +i /etc/passwd 1>>~/install.ok 2>>install.bug lsattr +i /etc/inittab 1>>~/install.ok 2>>install.bug lsattr +i /etc/group 1>>~/install.ok 2>>install.bug lsattr +i /etc/shadow 1>>~/install.ok 2>>install.bug lsattr +i /etc/gshadow 1>>~/install.ok 2>>install.bug echo '#######清空内核系统名#####' 1>>~/install.ok 2>>install.bug >/etc/issue >/etc/redhat-release