Linux Server Initialization Tuning and Security Hardening

Troubleshooting   Linux tuning   Security hardening  
1. Enable iptables

Open only the SSH port and the monitoring ports that are actually needed, for example:
SSH      tcp 22
snmpd    udp 161
nrpe     tcp 5666
My own public IP: all ports open
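The section above names the ports but not the rules. The script below is an added example, not part of the original post: it generates an iptables-restore ruleset for exactly those ports (SSH, snmpd, nrpe from anywhere, every port from one admin address, default DROP for the rest) and applies it. It assumes the CentOS 6 iptables init service (`service iptables save`); the admin address 203.0.113.10 and the variable names SSH_PORT and ADMIN_IP are placeholders.

```shell
# Added example, not from the original post: generate an iptables-restore
# ruleset for the ports listed in section 1 and apply it. Assumes the CentOS 6
# iptables init service ("service iptables save"); 203.0.113.10 is a
# placeholder for the administrator's public IP.
SSH_PORT=${SSH_PORT:-22}            # use 2222 if sshd_config was changed (section 3)
ADMIN_IP=${ADMIN_IP:-203.0.113.10}

# Print the ruleset to stdout; nothing touches the kernel until apply_rules runs.
# Default policy DROP on INPUT/FORWARD, so only the rules below let traffic in.
gen_rules() {
    admin=$1
    sshport=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $admin -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport $sshport -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 5666 -j ACCEPT
COMMIT
EOF
}

# Number of rules that open a port to every source address; check that it
# equals the three services intended (SSH, snmpd, nrpe) before applying.
count_public_ports() {
    gen_rules "$1" "$2" | grep -c -- '--dport'
}

# Load the whole table atomically and persist it to /etc/sysconfig/iptables
# (root required). Run it from the admin IP or the console: a wrong SSH port
# locks you out of the machine.
apply_rules() {
    gen_rules "$ADMIN_IP" "$SSH_PORT" | iptables-restore && service iptables save
}
```

Review the output of `gen_rules "$ADMIN_IP" "$SSH_PORT"` before calling `apply_rules`; once the policy is DROP, every service not listed is unreachable from outside.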

2. Unless you are thoroughly familiar with SELinux configuration, disable SELinux

Check whether it is enabled with: getenforce. If it reports Enforcing or Permissive, disable it:
vim /etc/sysconfig/selinux
SELINUX=disabled

3. SSH port tuning

vim /etc/ssh/sshd_config
Change the default port 22 to some other port above 1024:
Port 2222
If you do not log in as root regularly, disallow root login and switch with su from an ordinary user instead:
PermitRootLogin no

4. System service optimization

Principle of least services: every service that is not needed is switched off.

for a in /etc/rc3.d/S*
do
        # strip the "/etc/rc3.d/Snn" prefix, leaving only the service name
        CURSRV=`echo $a | cut -c15-`
        echo $CURSRV
        # rsyslog added to the whitelist: on CentOS 6 the syslog daemon is rsyslog,
        # and stopping it would silence system logging
        case $CURSRV in
        mysqld|crond|irqbalance|iptables|ip6tables|xinetd|microcode_ctl|network|random|sshd|syslog|rsyslog|local|snmpd)
                echo "Base service, skip"
                ;;
        *)
                echo "change $CURSRV to off"
                chkconfig --level 235 $CURSRV off
                service $CURSRV stop
                ;;
        esac
done
5. sysctl kernel parameter tuning
  • Edit /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
# tcp_tw_recycle drops connections from clients behind NAT and was removed in
# Linux 4.12; both tw_recycle and tw_reuse depend on TCP timestamps, which are
# disabled above, so on this configuration they have no effect
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65535
  • Apply the settings
    sysctl -p
6. Tune the Linux file descriptor limit

vim /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535

7. Record user logins and command history
  • Append the following to /etc/profile
# keep a longer history and timestamp every entry
HISTSIZE=5000
export HISTTIMEFORMAT="%F %T "
user=`whoami`
# source address and login time of the current session, taken from who(1)
ip=`who -u am i | awk '{print $NF}' | sed 's/[()]//g'`
dt=`who -u am i | awk '{print $3" "$4}'`
date=`date "+%Y-%m-%d"`
user_date=/tmp/.history/$user/$date
history_file=$user_date/${user}_history_$date.txt
login_file=$user_date/${user}_login_$date.txt
# the top-level directory must be world-writable with the sticky bit, otherwise
# only the first user who logs in can create a subdirectory under it
[ -d /tmp/.history ] || mkdir -m 1777 /tmp/.history
mkdir -p $user_date
# printf rather than echo: bash's builtin echo does not expand \t and \n
printf '%s\t%s\t%s\n' "$user" "$dt" "$ip" >> $login_file
chmod 600 $login_file
touch $history_file
# the user owns these files and can edit or delete them, so this is a
# convenience record, not tamper-resistant audit logging
export HISTFILE="$history_file"
chmod 600 $history_file
  • source /etc/profile
  • From the next login on, the login records can be found under /tmp/.history
8. YUM repository optimization
  • To keep yum fast, use the domestic NetEase (163) mirror
    mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
    cd /etc/yum.repos.d && wget http://mirrors.163.com/.help/CentOS6-Base-163.repo && yum makecache && yum list