
CentOS system optimization

Author: 冬冬   Category: Network technology   Published: 2013-09-29 17:00

1. Open /etc/profile in vim and insert the following:
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535

Some important settings that are recommended to be unlimited:

Data segment size: ulimit -d unlimited

Maximum memory size: ulimit -m unlimited

Stack size: ulimit -s unlimited

CPU time: ulimit -t unlimited

Virtual memory: ulimit -v unlimited

Run source /etc/profile for the change to take effect in the current shell; new login shells pick it up on their own.

Two caveats before copying this. /etc/profile is read only by login shells, so daemons started from init scripts (sshd, httpd, mysqld) never see these values; limits that must apply at login belong in /etc/security/limits.conf, and step 10 puts hard core 0 there, the opposite of ulimit -c unlimited here, so a non-root login then prints "ulimit: core file size: cannot modify limit: Operation not permitted". Also, unlimited core dumps write a crashed process's memory, passwords included, to disk for every user, and an unlimited stack rlimit makes the x86 kernel choose its legacy bottom-up mmap layout, which reduces address-space randomization on the kernels of that era. Neither is a hardening setting; the raised nofile value is the part worth keeping.

2. Open /etc/sysctl.conf in vim and insert the following:
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768

net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2

net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800

net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 1024 65535

Run the following so the kernel settings take effect immediately:
/sbin/sysctl -p

Three of these values deserve a second look before they reach a production host. net.ipv4.tcp_tw_recycle = 1 makes the kernel drop a SYN from any address whose TCP timestamps run backwards compared with the last connection seen from that address, which is exactly what several clients behind one NAT look like; the option was removed in Linux 4.12. net.ipv4.tcp_timestamps = 0 switches off the timestamps that tcp_tw_reuse and tcp_tw_recycle both depend on, so those two lines do little, and it disables PAWS protection against stale segments as well. net.ipv4.tcp_mem is counted in pages, not bytes: 94500000 pages is about 360 GiB with 4 KiB pages, far beyond the memory of the servers this was written for, so TCP memory-pressure handling is effectively switched off; the kernel's boot-time default is already scaled to physical RAM. (net.ipv4.tcp_tw_len is not a kernel parameter, which is presumably why it is commented out.)
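The three problems above travel from server to server by copy-paste, so the following script (an added example, not from the original post) reads a sysctl.conf-style file, reports tcp_tw_recycle, timestamps-off-with-tw_reuse, and a tcp_mem high-water mark that exceeds MemTotal, and prints a corrected copy with the offending keys commented out and timestamps re-enabled. The weak fragment it writes is a constructed copy of the settings from this step; the 8 GiB figure used when /proc/meminfo is unavailable is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: lint a sysctl.conf fragment
# for the contradictions discussed in step 2 and emit a corrected copy.
# The weak configuration is constructed from the step 2 settings; on a real
# host run lint_sysctl against /etc/sysctl.conf.

# sysctl_get FILE KEY: print the value of KEY (last assignment wins), empty if absent.
sysctl_get() {
    awk -F'=' -v key="$2" '
        /^[ \t]*(#|$)/ || NF < 2 { next }
        {
            k = $1; v = $2
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# lint_sysctl FILE MEMTOTAL_KIB: print one finding per problem; return 1 if any.
lint_sysctl() {
    f="$1"; total_kib="$2"; rc=0
    page_kib=$(( $(getconf PAGESIZE 2>/dev/null || echo 4096) / 1024 ))
    recycle=$(sysctl_get "$f" net.ipv4.tcp_tw_recycle)
    reuse=$(sysctl_get "$f" net.ipv4.tcp_tw_reuse)
    ts=$(sysctl_get "$f" net.ipv4.tcp_timestamps)
    mem_hi=$(sysctl_get "$f" net.ipv4.tcp_mem | awk '{ print $3 }')

    if [ "$recycle" = 1 ]; then
        echo "net.ipv4.tcp_tw_recycle=1: drops SYNs from clients behind NAT; removed in Linux 4.12"
        rc=1
    fi
    if [ "$ts" = 0 ] && { [ "$reuse" = 1 ] || [ "$recycle" = 1 ]; }; then
        echo "net.ipv4.tcp_timestamps=0: tcp_tw_reuse/tcp_tw_recycle rely on timestamps"
        rc=1
    fi
    # tcp_mem is in pages; a high-water mark above physical memory never triggers.
    if [ -n "$mem_hi" ] && [ $(( mem_hi * page_kib )) -gt "$total_kib" ]; then
        echo "net.ipv4.tcp_mem high mark is $(( mem_hi * page_kib / 1048576 )) GiB, more than MemTotal; keep the kernel default"
        rc=1
    fi
    return $rc
}

# disable_keys FILE KEY...: copy FILE to stdout with the named keys commented out.
disable_keys() {
    f="$1"; shift
    awk -v keys="$*" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) drop[k[i]] = 1 }
        /^[ \t]*#/ { print; next }
        /=/ {
            key = $0
            sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            if (key in drop) { print "# disabled by lint: " $0; next }
        }
        { print }' "$f"
}

# fix_conf FILE: corrected copy on stdout: timestamps back on, recycle and tcp_mem dropped.
fix_conf() {
    disable_keys "$1" net.ipv4.tcp_tw_recycle net.ipv4.tcp_mem |
        sed 's/^\([[:space:]]*net\.ipv4\.tcp_timestamps[[:space:]]*=\).*/\1 1/'
}

# write_weak_conf FILE: constructed copy of the step 2 settings this example is about.
write_weak_conf() {
    cat > "$1" <<'EOF'
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 30
EOF
}

tmp=$(mktemp)
write_weak_conf "$tmp"
mem_kib=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo 2>/dev/null)
lint_sysctl "$tmp" "${mem_kib:-8388608}" || true   # 8 GiB assumed if /proc/meminfo is absent
echo "-- corrected fragment:"
fix_conf "$tmp"
rm -f "$tmp"
```

On the real host, run lint_sysctl against /etc/sysctl.conf with the MemTotal value from /proc/meminfo before sysctl -p. Note that sysctl -p logs a key it cannot set and keeps going, so a bad line does not stop the rest of the file from being applied, which is why a check before loading is worth having.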

3. Open /usr/include/bits/typesizes.h in vim and change the definition to:
#define __FD_SETSIZE 65536

This only changes the fd_set size for programs compiled on this machine after the edit; binaries that are already installed keep their 1024-descriptor select() limit, and the next update of glibc-headers overwrites the file. Programs that need thousands of descriptors are better built on poll() or epoll, which carry no such compile-time cap.

4. Keep these enabled in ntsysv:
anacron
cpuspeed
crond
gpm
irqbalance
kudzu
lm_sensors
lvm2-monitor
mdmonitor
messagebus
microcode_ctl
network
pcscd
psacct
readahead_early
readahead_later
smartd
sshd
syslog
xfs

service NetworkManager stop
service NetworkManagerDispatcher stop
service acpid stop
service anacron start
service atd stop
service auditd stop
service autofs stop
service avahi-daemon stop
service avahi-dnsconfd stop
service bluetooth stop
service capi stop
service conman stop
service cpuspeed start
service crond start
service cups stop
service dhcdbd stop
service dkms_autoinstaller stop
service dund stop
service firstboot stop
service gpm start
service haldaemon stop
service hidd stop
service hplip stop
service ip6tables stop
service iptables stop
service irda stop
service irqbalance start
service isdn stop
service kudzu start
service lm_sensors start
service lvm2-monitor start
service mcstrans stop
service mdmonitor start
service mdmpd stop
service messagebus start
service microcode_ctl start
service multipathd stop
service netconsole stop
service netfs stop
service netplugd stop
service network start
service nfs stop
service nfslock stop
service nscd stop
service ntpd stop
service oddjobd stop
service pand stop
service pcscd start
service portmap stop
service psacct start
service rdisc stop
service readahead_early start
service readahead_later start
service restorecond stop
service rpcgssd stop
service rpcidmapd stop
service rpcsvcgssd stop
service saslauthd stop
service sendmail stop
service smartd start
service snmptrapd stop
service sshd start
service syslog start
service vncserver stop
service wdaemon stop
service winbind stop
service wpa_supplicant stop
service xfs start
service ypbind stop
service yum-updatesd stop

Some of the stop lines above remove controls rather than bloat, so think before copying them: iptables and ip6tables are the host firewall (with them stopped, the non-standard SSH port from step 5 and the hosts.deny entries from step 13 are the only host-level network filtering left); auditd is the kernel audit trail that forensics and compliance rely on; ntpd keeps the clock, and therefore every timestamp in /var/log/secure, in step with other hosts; restorecond and mcstrans belong to SELinux; yum-updatesd is what tells you updates are pending. NetworkManager, avahi, bluetooth, cups, hidd and the rest of the desktop-oriented services are safe to stop on a server.

5. Change the SSH port
Open /etc/ssh/sshd_config in vim:
Port 22                   (change 22 to an unused port)
PermitEmptyPasswords no   (remove the leading # so the line is active: accounts with an empty password may not log in)
MaxAuthTries 2            (two failed attempts and the connection is dropped; the client has to reconnect and start over)

Then restart sshd (service sshd restart) and, before closing your current session, confirm that a fresh connection to the new port works. If the iptables firewall from step 4 is still running, allow the new port there first; if SELinux is enforcing, register the port as well: semanage port -a -t ssh_port_t -p tcp <port>. The default for PermitEmptyPasswords is already no, so making it explicit costs nothing and protects against a later edit.
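Editing sshd_config by hand is where people lock themselves out, so here is an added example (my script, not the post's) that makes the three changes from this step idempotently: it rewrites the first matching line whether it is active or commented out, appends only if the directive is absent, and leaves the file's mode alone. PermitRootLogin no is my addition to the post's list; the port 2222 and the sample config are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the sshd_config changes
# from step 5 idempotently. A stock sshd_config ships most directives
# commented out, and sshd honours the first active occurrence, so this
# rewrites the first matching line (active or #-commented) in place rather
# than appending a duplicate at the end. PermitRootLogin no is my addition.

# sshd_set FILE DIRECTIVE VALUE
sshd_set() {
    f="$1"; d="$2"; v="$3"
    awk -v d="$d" -v v="$v" '
        BEGIN { re = "^[ \t]*#?[ \t]*" tolower(d) "([ \t]|$)" }
        !done && tolower($0) ~ re { print d " " v; done = 1; next }
        { print }
        END { if (!done) print d " " v }' "$f" > "$f.tmp" &&
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"   # cat, not mv: keeps the file's mode (600)
}

# sshd_get FILE DIRECTIVE: value of the first active occurrence (case-insensitive).
sshd_get() {
    awk -v d="$2" '
        BEGIN { re = "^[ \t]*" tolower(d) "[ \t]+" }
        tolower($0) ~ re { print $2; exit }' "$1"
}

# harden_sshd FILE PORT: the step 5 settings plus PermitRootLogin no.
harden_sshd() {
    sshd_set "$1" Port "$2"
    sshd_set "$1" PermitEmptyPasswords no
    sshd_set "$1" MaxAuthTries 2
    sshd_set "$1" PermitRootLogin no   # log in as a named user, then su/sudo
}

# Demo on a constructed copy; on the real host use /etc/ssh/sshd_config.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sample resembling a stock CentOS sshd_config
#Port 22
#PermitRootLogin yes
#MaxAuthTries 6
#PermitEmptyPasswords no
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
harden_sshd "$cfg" 2222
cat "$cfg"
rm -f "$cfg"
# Real host, in this order:
#   harden_sshd /etc/ssh/sshd_config 2222 && /usr/sbin/sshd -t && service sshd restart
# sshd -t validates the file; a typo discovered at restart time locks you out.
```

sshd uses the first occurrence of a directive, which is why the script edits the first match; directives inside a Match block are scoped to that block and should not be edited this way. Run /usr/sbin/sshd -t after every change: it reports configuration errors without touching the running daemon.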

6. Log out idle remote sessions after 5 minutes:
Open /etc/profile in vim and add at the end:
export TMOUT=300          (the shell exits after 300 seconds without input)
Then find
HISTSIZE=1000
and change it to:
HISTSIZE=100              (keep only the last 100 commands; a long history buries the important entries)

HISTSIZE counts commands, not kilobytes, and both settings live in the user's own shell: anyone can run unset TMOUT or HISTSIZE=0. Put readonly TMOUT on the line after the export if the timeout is meant to be enforced rather than suggested, and do not rely on shell history as an audit trail; psacct (kept running in step 4) and auditd, if it is left running, record what was executed regardless of the history settings.

7. Change file permissions
chmod 700 /bin/rpm               # only root can run rpm and install packages
chmod 644 /etc/hosts
chmod 644 /etc/passwd
chmod 644 /etc/exports
chmod 644 /etc/issue
chmod 664 /var/log/wtmp          # root:utmp, the distribution default
chmod 600 /var/log/btmp          # failed logins; must not be world-readable
chmod 644 /etc/services
chmod 600 /etc/shadow
chmod 600 /etc/login.defs
chmod 600 /etc/hosts.allow
chmod 600 /etc/hosts.deny
chmod 600 /etc/securetty
chmod 600 /etc/security          # a directory, see below
chmod 600 /etc/ssh/ssh_host_key  # the SSHv1 key; ssh_host_rsa_key and ssh_host_dsa_key are already 600
chmod 600 /etc/ssh/sshd_config
chmod 600 /var/log/lastlog
chmod 600 /var/log/messages

/var/log/btmp records failed logins, and failed-login "usernames" are frequently passwords typed into the wrong field, so it stays 600 (the distribution creates it that way); /etc/hosts has no reason to be group-writable, and 644 is the default. /etc/security is a directory, so mode 600 removes its execute bit and only root can enter it; PAM reads limits.conf as root and keeps working, but the conventional layout is 755 on the directory with 600 on sensitive files inside. Package updates reinstall files with the mode recorded in the package, so rpm -V rpm, rpm -V openssh-server and so on will report these as changed (M) afterwards, and the modes need re-applying after an update.
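Because a package update silently restores package modes, the permissions above drift. This added example (not from the original post) keeps the list in a file, reports files whose mode differs or that are missing, and re-applies the list on request. The demo runs against temporary files so it works without root; the list mirrors this step except for /etc/security, which is a directory and is left out.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the modes from step 7
# against what is on disk and re-apply them, for use after package updates
# (rpm reinstalls files with the mode recorded in the package). The demo
# runs against constructed temporary files.

# audit_modes LISTFILE: lines are "<octal mode> <path>"; prints each
# mismatch or missing file, returns 1 if anything was reported.
audit_modes() {
    rc=0
    while read -r want path; do
        case "$want" in ''|\#*) continue ;; esac
        if [ ! -e "$path" ]; then
            echo "$path: missing"; rc=1; continue
        fi
        have=$(stat -c %a "$path")
        if [ "$have" != "$want" ]; then
            echo "$path: is $have, want $want"; rc=1
        fi
    done < "$1"
    return $rc
}

# fix_modes LISTFILE: chmod every existing path in the list to its wanted mode.
fix_modes() {
    while read -r want path; do
        case "$want" in ''|\#*) continue ;; esac
        [ -e "$path" ] && chmod "$want" "$path"
    done < "$1"
    return 0
}

# write_mode_list FILE: the step 7 list (minus the /etc/security directory).
write_mode_list() {
    cat > "$1" <<'EOF'
700 /bin/rpm
644 /etc/hosts
644 /etc/passwd
644 /etc/exports
644 /etc/issue
664 /var/log/wtmp
600 /var/log/btmp
644 /etc/services
600 /etc/shadow
600 /etc/login.defs
600 /etc/hosts.allow
600 /etc/hosts.deny
600 /etc/securetty
600 /etc/ssh/ssh_host_key
600 /etc/ssh/sshd_config
600 /var/log/lastlog
600 /var/log/messages
EOF
}

# Demo against constructed files so it runs unprivileged.
d=$(mktemp -d); list=$(mktemp)
touch "$d/btmp" "$d/shadow"; chmod 664 "$d/btmp"; chmod 600 "$d/shadow"
printf '600 %s\n600 %s\n600 %s/hosts.deny\n' "$d/btmp" "$d/shadow" "$d" > "$list"
audit_modes "$list" || fix_modes "$list"
echo "-- after fix:"; audit_modes "$list"
rm -rf "$d" "$list"
# Real host:
#   write_mode_list /root/modes.txt
#   audit_modes /root/modes.txt || fix_modes /root/modes.txt
```

rpm -V <package> gives similar information for package-owned files (an M in its output means the mode differs from the package), but it cannot cover files that no package owns and it has no notion of the mode you wanted; the list does.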

8. Ignore ping (the host gives no response to ping at all)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all    # stop answering ping
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all    # answer ping again

Writing to /proc does not survive a reboot; for a permanent setting add net.ipv4.icmp_echo_ignore_all = 1 to the /etc/sysctl.conf from step 2. Not answering ping hides nothing from a port scanner, which simply probes the TCP ports directly, and it breaks monitoring that relies on ICMP, so weigh that against the small gain.

9. Prevent hostname spoofing
Open /etc/host.conf in vim and add:
nospoof on

This is a resolver-library setting (see host.conf(5)): after resolving a name to an address, the library resolves the address back and rejects the answer if the names disagree, which matters only to services that trust hostnames, such as rsh/rlogin and hosts.allow rules written with names. It does nothing about forged source addresses in IP packets; for those, enable reverse-path filtering in /etc/sysctl.conf with net.ipv4.conf.all.rp_filter = 1.

10. Limit resource use (against local denial of service):
Open /etc/security/limits.conf in vim and add:
*  hard  core   0
*  hard  rss    10000
*  hard  nproc  20
Adjust the values above to your needs.

limits.conf lines have four fields, <domain> <type> <item> <value>; without the domain column (* for everyone, a user name, or @group) pam_limits cannot use the line. The rss item is not enforced by 2.6 and later kernels, so it does nothing; use as (address space, in KiB) to cap memory. hard nproc 20 counts every process of an account matched by *, which is low enough that a user running a few background jobs cannot start another one, and hard core 0 contradicts the ulimit -c unlimited of step 1: at login the hard limit is applied first, so the profile line then fails for non-root users.
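Step 1 and this step both set limits, in different places and with opposite intent for core dumps, and neither is visible from a login shell when the process of interest was started by init. The added example below (mine, not the post's) checks a limits.conf fragment for the problems just described and reads a process's effective limits from /proc/PID/limits. The corrected fragment it writes uses a 1 GiB address-space cap as a placeholder value; size that for the workload.

```shell
#!/bin/sh
# Added example, not part of the original post, covering steps 1 and 10:
# lint a limits.conf fragment for lines pam_limits cannot use or the kernel
# ignores, and read the limits a running process really has from
# /proc/PID/limits, since /etc/profile only reaches login shells and
# pam_limits only acts when a PAM session opens.

# lint_limits FILE: one finding per problem line; returns 1 if any.
lint_limits() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF != 4 {
            printf "line %d: want <domain> <type> <item> <value>, got: %s\n", NR, $0
            bad = 1; next
        }
        $3 == "rss" {
            printf "line %d: rss is not enforced by 2.6+ kernels; use as (address space, KiB)\n", NR
            bad = 1
        }
        $2 == "hard" && $3 == "core" && $4 == "0" {
            printf "line %d: hard core 0 makes \"ulimit -c unlimited\" in /etc/profile fail for non-root logins\n", NR
            bad = 1
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# parse_limits NAME < /proc/PID/limits: prints "soft hard" for the row NAME.
# The file uses fixed 25/20/20-character columns; splitting on whitespace
# breaks for multi-word names and for rows with an empty Units column
# ("Max nice priority"), so cut by position instead.
parse_limits() {
    awk -v name="$1" 'index($0, name) == 1 {
        soft = substr($0, 27, 20); hard = substr($0, 48, 20)
        gsub(/ /, "", soft); gsub(/ /, "", hard)
        print soft, hard
    }'
}

# proc_limit PID NAME
proc_limit() { parse_limits "$2" < "/proc/$1/limits"; }

# write_limits FILE: the step 10 entries in the form pam_limits accepts.
# The "as" value is a placeholder (1 GiB); rss is dropped because the kernel ignores it.
write_limits() {
    cat > "$1" <<'EOF'
# <domain> <type> <item> <value>
*  hard  core   0
*  hard  as     1048576
*  hard  nproc  20
EOF
}

# Demo: lint the bare three-column form from step 10, then the fixed file.
# The fixed file still reports the core line: that conflict needs a decision
# about step 1, not a format fix.
tmp=$(mktemp)
printf 'hard core 0\nhard rss 10000\nhard nproc 20\n' > "$tmp"
lint_limits "$tmp"
echo "-- after rewriting:"
write_limits "$tmp"
lint_limits "$tmp"
rm -f "$tmp"
for p in $$ $(pidof sshd 2>/dev/null); do
    [ -r "/proc/$p/limits" ] && echo "pid $p open files (soft hard): $(proc_limit "$p" 'Max open files')"
done
```

Compare proc_limit for your login shell with proc_limit for the sshd or httpd pid: the shell shows the /etc/profile values, the daemon shows what init gave it, and the two differ until the limit is raised in the service's init script (or, on systemd hosts, with LimitNOFILE= in the unit).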

11. Change the root password; the more complex, the better:
1. mix upper- and lower-case letters;
2. include digits;
3. include punctuation characters;
4. avoid anything tied to you, such as a birthday or other easily guessed letters, numbers and symbols.

12. Delete some unneeded users and groups:
# cut -d: -f1 /etc/passwd    # list all users on the system
# cut -d: -f1 /etc/group     # list all groups on the system
userdel adm
userdel lp
userdel news
userdel uucp
userdel games
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip

These are system accounts with a locked password and /sbin/nologin as shell, so they cannot log in, and deleting them mostly tidies /etc/passwd. Packages still reference them: files they own become owned by a bare numeric uid, and rpm -V reports the owner change. Leaving the accounts in place but locked (usermod -L, with /sbin/nologin as the shell) gives the same result without those side effects.

13. Blocking hostile IPs
# more /var/log/secure
First use the command above to spot addresses that repeatedly scan the server or try to log in remotely; then open /etc/hosts.deny in vim and add:
sshd: 211.100.49.77       (211.100.49.77 stands in for the hostile address)
and save.

hosts.deny applies only to daemons that consult TCP wrappers; CentOS links sshd against libwrap (check with ldd /usr/sbin/sshd | grep libwrap), and the rule is consulted on every new connection, so no restart is needed. The address is the only thing the log gives you, so expect the same attacker to return from a different one.
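Reading /var/log/secure with more and picking addresses by eye does not scale once a server is being brute-forced. The added example below (mine, not the post's) counts Failed password lines per source address in the CentOS /var/log/secure format, lists addresses at or above a threshold, and appends them to hosts.deny without duplicating existing entries. The log lines are constructed to look like the ones sshd writes; 211.100.49.77 is the post's example address, and the host name web1 and the user dongdong are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: pick the source addresses
# behind repeated SSH password failures out of /var/log/secure and add them
# to /etc/hosts.deny without creating duplicate lines. The log lines in
# write_sample_log are constructed; on a real host run
#   block_repeat_offenders /var/log/secure 5 /etc/hosts.deny

# failed_ssh_sources LOG MIN: "count ip" for every address with at least MIN
# "Failed password" lines, highest count first. sshd writes one such line per
# attempt; the pam_unix "authentication failure" lines describe the same
# attempts and are deliberately not counted a second time.
failed_ssh_sources() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for .* from / {
            for (i = 1; i < NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' "$1" | sort -rn
}

# deny_add FILE IP: append "sshd: IP" to FILE unless an entry for IP exists.
deny_add() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -qE "^[[:space:]]*sshd[[:space:]]*:[[:space:]]*$ip_re([[:space:],]|$)" "$1" 2>/dev/null ||
        printf 'sshd: %s\n' "$2" >> "$1"
}

# block_repeat_offenders LOG MIN DENYFILE: the two steps above, chained.
block_repeat_offenders() {
    failed_ssh_sources "$1" "$2" | while read -r count ip; do
        deny_add "$3" "$ip"
        echo "denied $ip after $count fail(s)"
    done
}

# Constructed sample in /var/log/secure format (not a real capture).
write_sample_log() {
    cat > "$1" <<'EOF'
Sep 29 16:58:01 web1 sshd[2101]: Failed password for root from 211.100.49.77 port 50112 ssh2
Sep 29 16:58:03 web1 sshd[2101]: Failed password for root from 211.100.49.77 port 50112 ssh2
Sep 29 16:58:05 web1 sshd[2103]: Invalid user admin from 211.100.49.77
Sep 29 16:58:06 web1 sshd[2103]: Failed password for invalid user admin from 211.100.49.77 port 50120 ssh2
Sep 29 16:58:07 web1 sshd[2103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=211.100.49.77
Sep 29 16:59:10 web1 sshd[2110]: Failed password for dongdong from 10.0.0.5 port 41000 ssh2
Sep 29 16:59:30 web1 sshd[2111]: Accepted password for dongdong from 10.0.0.5 port 41002 ssh2
EOF
}

log=$(mktemp); deny=$(mktemp)
write_sample_log "$log"
block_repeat_offenders "$log" 3 "$deny"
cat "$deny"
rm -f "$log" "$deny"
```

Run it from cron with a threshold that fits the server's normal failure rate; a legitimate user with a forgotten password should not reach it within one log file, and a single mistyped password must not. Because the script writes to /etc/hosts.deny, keep the file mode 600 from step 7 and review the entries it adds.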
