Reposted from http://bbs.28php.com/thread-6-1-1.html
1. vim /etc/profile and append the following:
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535
Other important settings that are often recommended as unlimited:
Data segment size: ulimit -d unlimited
Max resident set size: ulimit -m unlimited
Stack size: ulimit -s unlimited
CPU time: ulimit -t unlimited
Virtual memory: ulimit -v unlimited
Run source /etc/profile to apply.
Caveats: /etc/profile is read by login shells only, so daemons started from init never see these values; set limits for services in /etc/security/limits.conf (PAM sessions) or in the service's init script. ulimit -SHn 65535 raises the hard limit and therefore fails with "Operation not permitted" for non-root users whose hard nofile from limits.conf is lower. ulimit -m (RLIMIT_RSS) has no effect on Linux 2.6 and later. ulimit -c unlimited lets every crashing process write a core file, which can contain passwords and keys, and it contradicts the "hard core 0" from section 10 below; choose one.
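The point above that /etc/profile only reaches login shells is easy to verify: the limits a daemon really runs with are in /proc/PID/limits. The following is an added example (not code from the original post) that reads that file for any process and compares it with the values section 1 intended; the file contents used in its test are constructed, and the sshd lookup in the comment assumes pidof/pgrep are available.

```shell
#!/bin/sh
# Added example, not from the original post: inspect the limits a running
# process actually has, since "ulimit -a" in your own shell says nothing
# about services started by init.

# limits_from_file FILE NAME: print "soft hard" for the limit called NAME
# (e.g. "Max open files") from a file in /proc/PID/limits format.
limits_from_file() {
    awk -v n="$2" 'index($0, n) == 1 { print $(NF-2), $(NF-1); exit }' "$1"
}

# proc_limit NAME [PID]: the same for a live process (default: this shell).
proc_limit() {
    limits_from_file "/proc/${2:-self}/limits" "$1"
}

# check_limit FILE NAME WANT_SOFT WANT_HARD: print OK or MISMATCH with the
# values found, so the output can be grepped from a cron job.
check_limit() {
    got=$(limits_from_file "$1" "$2")
    if [ "$got" = "$3 $4" ]; then
        echo "OK $2 = $got"
    else
        echo "MISMATCH $2: have ${got:-none}, want $3 $4"
    fi
}

# Typical use on a server (assumed commands, needs a running sshd):
#   pid=$(pidof -s sshd 2>/dev/null || pgrep -o sshd)
#   check_limit /proc/$pid/limits "Max open files" 65535 65535
#   check_limit /proc/$pid/limits "Max core file size" 0 0
# The second line shows the section 1 / section 10 conflict: a daemon started
# by init gets neither the profile's "unlimited" nor limits.conf's 0 unless its
# init script sets it.
```

If the sshd master shows 1024/4096 for open files while your shell shows 65535, the profile worked for you and did nothing for the service, which is the usual outcome of this step.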
2. vim /etc/sysctl.conf
and insert the following:
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 1024 65535
Apply the kernel settings immediately with:
/sbin/sysctl -p
Caveats on the values above: net.ipv4.tcp_tw_reuse and net.ipv4.tcp_tw_recycle both depend on TCP timestamps, so net.ipv4.tcp_timestamps = 0 silently switches them off (and also disables PAWS protection against wrapped sequence numbers). net.ipv4.tcp_tw_recycle additionally rejects connections from clients behind NAT and was removed in Linux 4.12, so drop it. net.ipv4.tcp_mem is measured in pages, not bytes: 927000000 pages is about 3.5 TiB with 4 KiB pages, which means the TCP memory pressure thresholds never trigger. net.ipv4.tcp_max_orphans = 3276800 allows roughly 200 GiB of orphaned sockets at about 64 KiB each. net.ipv4.tcp_syn_retries = 2 makes outbound connects give up after a few seconds on lossy links. net.ipv4.tcp_syncookies = 1 is the SYN-flood defence in this list that is safe to enable everywhere.
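A fragment like the one above is worth linting before it is loaded, because sysctl -p will happily apply a set of values that cancel each other out. The following is an added example (not from the original post): a small checker for the dependencies just described, plus an apply step that reads back what the kernel actually accepted. The warning texts and the drop-in path are my assumptions; the sample fragment in the test is constructed from the keys listed above.

```shell
#!/bin/sh
# Added example, not from the original post: lint a sysctl fragment for the
# interactions in section 2, then load it and diff against the live kernel.

# sysctl_value KEY: print KEY's value from a sysctl.conf-style file on stdin.
# Later duplicates win, which is also the net effect of "sysctl -p".
sysctl_value() {
    awk -v k="$1" -F'=' '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (key == k) { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v) }
        }
        END { if (v != "") print v }'
}

# lint_sysctl: read a fragment on stdin; print one line per problem, nothing if clean.
lint_sysctl() {
    conf=$(cat)
    ts=$(printf '%s\n' "$conf" | sysctl_value net.ipv4.tcp_timestamps)
    reuse=$(printf '%s\n' "$conf" | sysctl_value net.ipv4.tcp_tw_reuse)
    recycle=$(printf '%s\n' "$conf" | sysctl_value net.ipv4.tcp_tw_recycle)
    mem=$(printf '%s\n' "$conf" | sysctl_value net.ipv4.tcp_mem)

    # tcp_tw_reuse only acts on connections that carried timestamps, so
    # tcp_timestamps=0 turns it off (and drops PAWS with it).
    if [ "$ts" = "0" ] && [ "$reuse" = "1" ]; then
        echo "WARN: tcp_tw_reuse=1 is inert while tcp_timestamps=0"
    fi
    # tcp_tw_recycle drops SYNs from NAT clients whose timestamps go backwards
    # and no longer exists on Linux >= 4.12, where sysctl -p reports an error.
    if [ -n "$recycle" ]; then
        echo "WARN: tcp_tw_recycle breaks NAT clients and was removed in Linux 4.12; remove it"
    fi
    # tcp_mem is three page counts (low, pressure, high), not bytes.
    if [ -n "$mem" ]; then
        set -- $mem
        if [ "$#" -ne 3 ] || [ "$1" -gt "$2" ] || [ "$2" -gt "$3" ]; then
            echo "WARN: tcp_mem needs three ascending page counts: low pressure high"
        else
            echo "INFO: tcp_mem high mark is $(( $3 * 4096 / 1048576 )) MiB assuming 4 KiB pages; must fit in RAM"
        fi
    fi
}

# apply_sysctl FILE: load FILE (needs root) and print every key whose live
# value differs from the file; keys the kernel does not have show as absent.
apply_sysctl() {
    /sbin/sysctl -p "$1" >/dev/null || true
    awk -F'=' '!/^[[:space:]]*[#;]/ && NF >= 2 { gsub(/[[:space:]]/, "", $1); print $1 }' "$1" |
    while read -r key; do
        want=$(sysctl_value "$key" < "$1")
        have=$(/sbin/sysctl -n "$key" 2>/dev/null | tr -s '[:space:]' ' ' | sed 's/ $//')
        [ "$have" = "$want" ] || echo "DIFF $key: kernel has '${have:-<absent>}', file says '$want'"
    done
}

# Constructed sample: the timestamp/TIME-WAIT lines and tcp_mem from the list above.
sample_fragment() {
    cat <<'EOF'
# constructed sample fragment
net.core.somaxconn = 32768
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
EOF
}
```

Run `lint_sysctl < /etc/sysctl.conf` before `apply_sysctl /etc/sysctl.conf`; the INFO line for tcp_mem makes the page-versus-byte mistake visible at a glance (the high mark above comes out at several TiB).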
3. vim /usr/include/bits/typesizes.h
and change the line to #define __FD_SETSIZE 65536
Caveat: FD_SETSIZE is compiled into each program, so this only affects binaries built on this machine afterwards that use select(); it changes nothing for the kernel or for already installed binaries, and the next glibc update overwrites the header. Code that needs more than 1024 descriptors should use poll() or epoll instead.
4. Services to keep enabled in ntsysv:
anacron
cpuspeed
crond
gpm
irqbalance
kudzu
lm_sensors
lvm2-monitor
mdmonitor
messagebus
microcode_ctl
network
pcscd
psacct
readahead_early
readahead_later
smartd
sshd
syslog
xfs
service NetworkManager stop
service NetworkManagerDispatcher stop
service acpid stop
service anacron start
service atd stop
service auditd stop
service autofs stop
service avahi-daemon stop
service avahi-dnsconfd stop
service bluetooth stop
service capi stop
service conman stop
service cpuspeed start
service crond start
service cups stop
service dhcdbd stop
service dkms_autoinstaller stop
service dund stop
service firstboot stop
service gpm start
service haldaemon stop
service hidd stop
service hplip stop
service ip6tables stop
service iptables stop
service irda stop
service irqbalance start
service isdn stop
service kudzu start
service lm_sensors start
service lvm2-monitor start
service mcstrans stop
service mdmonitor start
service mdmpd stop
service messagebus start
service microcode_ctl start
service multipathd stop
service netconsole stop
service netfs stop
service netplugd stop
service network start
service nfs stop
service nfslock stop
service nscd stop
service ntpd stop
service oddjobd stop
service pand stop
service pcscd start
service portmap stop
service psacct start
service rdisc stop
service readahead_early start
service readahead_later start
service restorecond stop
service rpcgssd stop
service rpcidmapd stop
service rpcsvcgssd stop
service saslauthd stop
service sendmail stop
service smartd start
service snmptrapd stop
service sshd start
service syslog start
service vncserver stop
service wdaemon stop
service winbind stop
service wpa_supplicant stop
service xfs start
service ypbind stop
service yum-updatesd stop
Notes on the list above: service X stop only affects the running instance; what starts at boot is decided by chkconfig (which is what ntsysv edits), so do both. Three of the services stopped here should normally stay on for a hardened host: auditd (the kernel audit trail), iptables and ip6tables (the host packet filter, and the right place to block the scanners from section 13), and ntpd (without time sync, log timestamps cannot be correlated across hosts).
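Maintaining the long stop/start list by hand is how typos like the one in the keep list creep in. The following is an added example (not from the original post) that derives the chkconfig changes from the keep list of section 4 and the output of chkconfig --list, so the allowlist is the only thing you edit. The chkconfig output in the test is constructed; the runlevel default of 3 is my assumption for a text-mode server.

```shell
#!/bin/sh
# Added example, not from the original post: turn the section 4 keep list into
# "chkconfig NAME on|off" commands by diffing it against the current boot
# configuration. Remember that "service X stop" does not survive a reboot;
# chkconfig does.

# keep_list: the services section 4 keeps.
keep_list() {
    cat <<'EOF'
anacron cpuspeed crond gpm irqbalance kudzu lm_sensors lvm2-monitor mdmonitor
messagebus microcode_ctl network pcscd psacct readahead_early readahead_later
smartd sshd syslog xfs
EOF
}

# plan_chkconfig [RUNLEVEL]: read "chkconfig --list" on stdin and print one
# "chkconfig NAME on|off" line per SysV service whose state at RUNLEVEL
# (default 3) disagrees with the keep list. The xinetd section is skipped.
plan_chkconfig() {
    rl="${1:-3}"
    keep=" $(keep_list | tr '\n' ' ') "
    awk -v rl="$rl" '
        /^xinetd based services:/ { exit }
        $1 != "" && $2 ~ /^0:/ {
            state = "off"
            for (i = 2; i <= NF; i++) if ($i == (rl ":on")) state = "on"
            print $1, state
        }' |
    while read -r name state; do
        case "$keep" in
            *" $name "*) want=on ;;
            *)           want=off ;;
        esac
        [ "$state" = "$want" ] || echo "chkconfig $name $want"
    done
}

# Review, then apply (root):
#   chkconfig --list | plan_chkconfig 3
#   chkconfig --list | plan_chkconfig 3 | sh
```

Review the plan before piping it to sh: anything it wants to turn off that is not on the list above (auditd, iptables, ntpd) is a reason to extend the keep list rather than to run the command.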
5. Change the SSH port
vim /etc/ssh/sshd_config
Port 22  -> change to another port
PermitEmptyPasswords no  -> remove the leading # so the directive is active; refuses logins to accounts with an empty password
MaxAuthTries 2  -> after two failed attempts the connection is dropped and the client has to reconnect
Caveats: sshd uses the first occurrence of each keyword and ignores later ones, so an existing line above your edit wins. MaxAuthTries counts every public key the client offers as well as each password prompt, so an agent holding several keys can be disconnected before the right one is tried; 3 or 4 is a common compromise. Check the file with sshd -t and restart sshd from a second session that stays open, so a typo does not lock you out. A non-default port only cuts noise from bulk scanners; it is not access control.
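Because sshd takes the first occurrence of each keyword, the useful check is "what will sshd use", not "is my line in the file". The following is an added example (not from the original post) that resolves the three directives from section 5 the way sshd does and reports what is still unmet; the configuration in the test is constructed, and stopping at the first Match block is my simplification (settings inside Match are conditional).

```shell
#!/bin/sh
# Added example, not from the original post: report the values sshd will
# actually use for the section 5 directives.

# sshd_effective KEYWORD: print the value sshd uses for KEYWORD from a config
# on stdin. Keywords are case-insensitive, lines whose first non-blank is '#'
# are comments, the first occurrence wins, and parsing stops at a Match block.
sshd_effective() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == k { print $2; exit }'
}

# check_sshd [MAXTRIES]: read sshd_config on stdin and print one FAIL line per
# unmet requirement (non-default port, PermitEmptyPasswords explicitly no,
# MaxAuthTries set and no higher than MAXTRIES, default 2). Silent when all pass.
check_sshd() {
    limit="${1:-2}"
    conf=$(cat)
    port=$(printf '%s\n' "$conf" | sshd_effective Port)
    empty=$(printf '%s\n' "$conf" | sshd_effective PermitEmptyPasswords | tr 'A-Z' 'a-z')
    tries=$(printf '%s\n' "$conf" | sshd_effective MaxAuthTries)

    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL: Port is ${port:-22 (default)}"
    fi
    [ "$empty" = "no" ] || echo "FAIL: PermitEmptyPasswords is '${empty:-unset}', expected 'no'"
    case "$tries" in
        ''|*[!0-9]*) echo "FAIL: MaxAuthTries is '${tries:-unset}' (sshd default is 6)" ;;
        *) [ "$tries" -le "$limit" ] || echo "FAIL: MaxAuthTries $tries > $limit" ;;
    esac
}

# Roll out from a second session that stays open (root):
#   check_sshd < /etc/ssh/sshd_config
#   /usr/sbin/sshd -t -f /etc/ssh/sshd_config && service sshd restart
```

A commented-out `#PermitEmptyPasswords no` is reported as unset on purpose: the daemon's default happens to be no, but the checklist asks for the directive to be active so a future default change cannot reopen it.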
6. Automatic logout after 5 minutes without activity on remote sessions:
vim /etc/profile
append at the end:
export TMOUT=300   (log out after 300 seconds idle)
then find
HISTSIZE=1000
and change it to:
HISTSIZE=100
Caveats: HISTSIZE is a number of commands, not a size in kilobytes, and lowering it discards shell history you may need when investigating an incident; a large history is easier to search than a short one is to read. TMOUT only applies to interactive bash shells and a user can simply unset it; add readonly TMOUT on the line after the export to prevent that.
7. Change file permissions
chmod 700 /bin/rpm   (only root can run rpm to install packages)
chmod 664 /etc/hosts
chmod 644 /etc/passwd
chmod 644 /etc/exports
chmod 644 /etc/issue
chmod 664 /var/log/wtmp
chmod 664 /var/log/btmp
chmod 644 /etc/services
chmod 600 /etc/shadow
chmod 600 /etc/login.defs
chmod 600 /etc/hosts.allow
chmod 600 /etc/hosts.deny
chmod 600 /etc/securetty
chmod 600 /etc/security
chmod 600 /etc/ssh/ssh_host_key
chmod 600 /etc/ssh/sshd_config
chmod 600 /var/log/lastlog
chmod 600 /var/log/messages
Caveats: /etc/security is a directory, and 600 removes its search (execute) bit; a directory needs 700, and the default 755 is fine because the files inside are not secret. /var/log/btmp at 664 lets the utmp group read failed-login records, which routinely contain passwords typed into the username field; the distribution default is 600. /etc/ssh/ssh_host_key is the SSH protocol 1 key; the protocol 2 keys (ssh_host_rsa_key, ssh_host_dsa_key) are the ones that matter and must also be 600. chmod 700 /bin/rpm stops ordinary users from querying the package database but is undone by the next upgrade of the rpm package; check with rpm -V and reapply after updates.
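Running the chmod list once is less useful than being able to tell, later, which of these files has drifted back (package upgrades reset modes). The following is an added example (not from the original post) that audits the section 7 list against a root directory and optionally enforces it; the table mirrors the list above except that /etc/security (a directory) and the SSHv1 host key are left out, and /var/log/btmp is set to 600 for the reason given in the caveat. The files in the test are created in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: audit and enforce the section 7
# permission table. Everything is relative to an optional ROOT so it can be
# exercised on a scratch tree without touching the live system.

# hardening_table: "path mode" per line, taken from section 7 (btmp tightened to 600).
hardening_table() {
    cat <<'EOF'
/bin/rpm 700
/etc/hosts 664
/etc/passwd 644
/etc/exports 644
/etc/issue 644
/var/log/wtmp 664
/var/log/btmp 600
/etc/services 644
/etc/shadow 600
/etc/login.defs 600
/etc/hosts.allow 600
/etc/hosts.deny 600
/etc/securetty 600
/etc/ssh/sshd_config 600
/var/log/lastlog 600
/var/log/messages 600
EOF
}

# mode_of PATH: octal mode (GNU stat), or "missing".
mode_of() {
    if [ -e "$1" ]; then stat -c %a "$1"; else echo missing; fi
}

# audit_perms [ROOT]: print "DRIFT path have want" for each entry whose mode
# under ROOT (default: /) differs from the table; nothing when all match.
audit_perms() {
    hardening_table | while read -r path want; do
        have=$(mode_of "$1$path")
        [ "$have" = "$want" ] || echo "DRIFT $path $have $want"
    done
}

# fix_perms [ROOT]: apply the table to files that exist; missing files
# (e.g. /etc/exports on a host without NFS) are skipped, not created.
fix_perms() {
    hardening_table | while read -r path want; do
        if [ -e "$1$path" ]; then chmod "$want" "$1$path"; fi
    done
}

# Daily check (root): audit_perms | mail -s "perm drift $(hostname)" root
```

Pair this with `rpm -V` on the packages that own these files: the audit tells you a mode changed, rpm -V tells you whether the content changed too, which is the question that matters in an incident.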
8. Block ping (the host gives no reply to ICMP echo requests)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all   -- block ping
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all   -- allow ping again
Caveat: writes to /proc are lost at reboot; to make this permanent add net.ipv4.icmp_echo_ignore_all = 1 to /etc/sysctl.conf. Ignoring echo requests hides the host from ping sweeps but not from port scans, and it breaks monitoring that relies on ping.
9. Prevent hostname spoofing
vim /etc/host.conf
and add:
nospoof on
Caveat: this is a resolver option, not a packet-level control. It makes the resolver reject a hostname obtained by reverse lookup whose forward lookup does not return the same address, which only matters for hostname-based access checks (such as hosts.allow entries written as names). It does nothing against spoofed source IP addresses; the kernel control for that is net.ipv4.conf.all.rp_filter = 1.
10. Limit resource use (against local denial of service):
vim /etc/security/limits.conf
and add:
* hard core 0
* hard rss 10000
* hard nproc 20
Adjust the numbers to your needs.
Caveats: pam_limits does not apply * entries to root, so these limit everyone except root. nproc 20 is far too low for service accounts (a web server's worker pool or a build job exceeds it quickly); set nproc per user instead. rss is ignored by the kernel. core 0 conflicts with ulimit -c unlimited in section 1: for non-root users the hard limit from limits.conf is applied first, and the profile line then fails with "Operation not permitted" at every login.
11. Change the root password; the more complex the better:
1. contains upper- and lower-case letters;
2. contains digits;
3. contains punctuation characters;
4. does not use your birthday or other easily associated letters, digits and characters.
12. Remove some unneeded users and groups:
# cut -d: -f1 /etc/passwd   # list all users on the system
# cut -d: -f1 /etc/group    # list all groups on the system
userdel adm
userdel lp
userdel news
userdel uucp
userdel games
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
Caveats: removing packaged system accounts leaves their files owned by a bare UID/GID and makes rpm warn (and fall back to root ownership) the next time a package that owns files as lp, news or games is installed. Locking is the usual alternative: usermod -L -s /sbin/nologin lp. Before groupdel, check that nothing still uses the group: find / -xdev -group adm.
13. Block abusive IP addresses
# more /var/log/secure
First use the command above to spot addresses that repeatedly scan or try to log in remotely;
then in
vim /etc/hosts.deny
add:
sshd: 211.100.49.77   --- using 211.100.49.77 as the example address
and save.
Caveats: hosts.deny is re-read on every connection, so no restart is needed, but it only works if sshd was built with tcp_wrappers (check with ldd /usr/sbin/sshd | grep libwrap; upstream OpenSSH removed that support in 6.7, and distributions kept patches for a while, so test rather than assume). If it is not, or if iptables is running, a DROP rule in iptables is the reliable alternative. Tools such as fail2ban or denyhosts automate this loop.
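Reading /var/log/secure by eye does not scale past the first scanner. The following is an added example (not from the original post) that counts failed sshd password attempts per source, emits hosts.deny lines above a threshold, and appends them idempotently. The log lines are constructed: 211.100.49.77 is the address used as the example above, 198.51.100.23 is a documentation address, and 10.0.0.5 is a made-up internal client. The threshold and the libwrap check are my additions.

```shell
#!/bin/sh
# Added example, not from the original post: from /var/log/secure to
# hosts.deny entries, the section 13 procedure as a script.

# Constructed sample of /var/log/secure (not real log data).
sample_secure_log() {
    cat <<'EOF'
Mar  3 10:12:01 web1 sshd[2314]: Failed password for invalid user admin from 211.100.49.77 port 51320 ssh2
Mar  3 10:12:05 web1 sshd[2316]: Failed password for root from 211.100.49.77 port 51321 ssh2
Mar  3 10:13:10 web1 sshd[2320]: Accepted publickey for deploy from 10.0.0.5 port 40011 ssh2
Mar  3 10:14:00 web1 sshd[2330]: Failed password for invalid user test from 198.51.100.23 port 33020 ssh2
Mar  3 10:14:02 web1 sshd[2330]: Connection closed by 198.51.100.23
EOF
}

# failed_ssh_by_ip: read a /var/log/secure-style log on stdin and print
# "COUNT IP" per source of failed sshd password attempts, highest first.
failed_ssh_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# deny_candidates THRESHOLD: hosts.deny lines for sources at or above THRESHOLD.
deny_candidates() {
    failed_ssh_by_ip | awk -v t="$1" '$1 >= t { print "sshd: " $2 }'
}

# add_to_hosts_deny FILE: append the lines on stdin unless already present.
# hosts.deny is re-read per connection, so nothing needs restarting.
add_to_hosts_deny() {
    while read -r line; do
        grep -qxF "$line" "$1" 2>/dev/null || printf '%s\n' "$line" >> "$1"
    done
}

# sshd_has_tcpwrappers: hosts.deny is only honoured if sshd links libwrap.
# If this fails, block with iptables instead: iptables -I INPUT -s IP -j DROP
sshd_has_tcpwrappers() {
    ldd /usr/sbin/sshd 2>/dev/null | grep -q libwrap
}

# Cron job (root), e.g. every 10 minutes:
#   sshd_has_tcpwrappers && deny_candidates 5 < /var/log/secure | add_to_hosts_deny /etc/hosts.deny
```

Pick the threshold from your own baseline (count the legitimate failures of a normal week first), and review what gets added: a mistyped password from the office NAT address produces the same log line as a scanner.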