一、开启 iptables
仅开放必要的SSH端口和监控端口例:
SSH tcp 22
snmpd udp 161
nrpe tcp 5666
本人公网IP 全端口开放
二、除非特别熟悉selinux配置,否则请关闭selinux
查看是否开启:getenforce
如果为enforcing和permissive则关闭
vim /etc/sysconfig/selinux
SELINUX=disabled
三、优化SSH端口
vim /etc/ssh/sshd_config
将默认的22端口改为大于1024的其他端口
Port 2222
如果不经常使用root登陆禁止root登陆,使用普通用户su切换
PermitRootLogin yes
四、系统服务优化
最少服务原则,凡是不需要的服务一律关掉
for a in `ls /etc/rc3.d/S*`
do
CURSRV=`echo $a |cut -c15-`
echo $CURSRV
case $CURSRV in mysqld|crond|irqbalance|iptables|ip6tables|xinetd|microcode_ctl|network|random|sshd|syslog|local|snmpd)
echo "Base services,Skip"
;;
*)
echo "change $CURSRV to off"
chkconfig --level 235 $CURSRV off
service $CURSRV stop
;;
esac
done
五、sysctl核心参数调优
- 修改
/etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65535
- 生效
sysctl -p
六、优化Linux系统文件描述符
vim /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
七、修改用户登陆和操作历史记录
- 将以下代码追加/etc/profile
HISTSIZE=5000
export HISTTIMEFORMAT="%F %T "
user=`whoami`
ip=`who -u am i | awk '{print $NF}' | sed 's/[()]//g'`
dt=`who -u am i | awk '{print $3" "$4}'`
date=`date "+%Y-%m-%d"`
user_date=/tmp/.history/$user/$date
history_file=$user_date/${user}_history_$date.txt
login_file=$user_date/${user}_login_$date.txt
mkdir -p $user_date
echo "$user\t$dt\t$ip\n" >> $login_file
chmod 600 $login_file
touch $history_file
export HISTFILE="$history_file"
chmod 600 $history_file
- source /etc/profile
- 下次登陆即可以在
/tmp/.history
目录下看到历史登陆记录
八、YUM源优化
- 保证yum速度使用国内网易源
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
cd /etc/yum.repos.d && wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
yum makecache && yum list