CentOS 6.5 server optimization cheat sheet: basic optimizations and security settings

  • 2020-05-12 06:34:58
  • OfStack

This article covers 18 optimizations for CentOS 6.5:
1. Start the network card after a minimal install of CentOS 6.5
2. Use ifconfig to find the IP address for the SSH connection
3. Update the yum source and upgrade the system
4. Update the system time and schedule time sync
5. Modify the IP address, gateway, hostname and DNS
6. Disable SELinux and clear iptables
7. Create ordinary users and manage sudo authorization
8. Change the SSH port and block remote login of the root account
9. Lock the key system files (unauthorized users must not obtain permissions)
10. Trim the services started at boot
11. Adjust the system file descriptor limit
12. Set the system character set
13. Clean up the system and kernel version displayed at login
14. Kernel parameter optimization
15. Regularly clean /var/spool/clientmqueue
16. Remove unnecessary system users and groups
17. Disable the Ctrl-Alt-Delete reboot key combination
18. Set some global variables

1. Start the network card

After a minimal install of CentOS 6.x the network card is not started by default:
ifup eth0

2. Run ifconfig to find the IP address, then connect over SSH from a terminal.

3. Update the yum source and upgrade the system. The minimal install does not include wget, so install it before changing the source:

yum install wget

Backup the original system update source

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup

Enter the yum.repos.d directory

cd /etc/yum.repos.d

Download the Netease, Sohu or Aliyun mirror source:

# Download the Netease mirror source:
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
# or
# Download the Sohu mirror source:
wget http://mirrors.sohu.com/help/CentOS-Base-sohu.repo
# Download the Aliyun mirror source:
wget http://mirrors.aliyun.com/repo/Centos-6.repo

The Netease and Sohu sources may have problems.

Reference: //www.ofstack.com/os RedHat/499587.html


# Empty the yum cache
yum clean all
# Build the cache
yum makecache
# Update the system and kernel
yum upgrade
# Prerequisite software
yum install lrzsz ntpdate sysstat -y

Common use of the lrzsz tools: rz uploads a file, sz downloads one.

4. System time update and scheduled sync. Method 1: update the time once and write it to the BIOS (hwclock -w and hwclock --systohc are the same command; one of them suffices):

ntpdate time.windows.com && hwclock -w && hwclock --systohc

Method 2: update the time from a cron job:


echo '*/30 * * * * ntpdate time.windows.com && hwclock -w && hwclock --systohc >/dev/null 2>&1' >>/var/spool/cron/root

Method 3: sync every 5 minutes and every 10 minutes from two different time sources:

# the original had "2 >&1" with a space, which passes "2" as an argument instead of redirecting stderr
echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >>/var/spool/cron/root
echo '*/10 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root

Note: ntpdate lives at a different path on each release: /usr/sbin/ntpdate on CentOS 6 and /sbin/ntpdate on CentOS 5.

5. Modify the IP address, gateway, hostname and DNS

eth0 network card settings:

mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0 # network card device name
HWADDR=00:0C:29:D0:C7:B5 # physical (MAC) address of the Ethernet device
TYPE=Ethernet # network type
UUID=080a457b-6a53-4a3a-9155-a23c1146c2c6 # unique identifier of the device
ONBOOT=yes # bring the interface up at boot
NM_CONTROLLED=no # whether eth0 is managed by NetworkManager
BOOTPROTO=dhcp # how the address is obtained: dhcp means automatic; set static for the fixed IPADDR/NETMASK/GATEWAY below to apply
IPADDR=192.168.1.10 # IP address
IPV6INIT=no
IPV6_AUTOCONF=no
NETMASK=255.255.255.0 # network mask for this interface
GATEWAY=192.168.1.1 # gateway address

Check the network card configuration

cat /etc/sysconfig/network-scripts/ifcfg-eth0

Gateway and hostname configuration:

vi /etc/sysconfig/network
# Whether the system uses the network; set to yes. With no, the network is unavailable and many system services cannot start
NETWORKING=yes
# Hostname of the machine; keep it consistent with the name set in /etc/hosts
HOSTNAME=c65mini.localdomain
# IP address of the default gateway, e.g. 10.0.0.1 or 192.168.1.1
GATEWAY=192.168.1.1

Modify host DNS


vi /etc/resolv.conf
; generated by /sbin/dhclient-script
nameserver 8.8.8.8
nameserver 4.4.4.4

Modify HOSTS

vi /etc/hosts
127.0.0.1 c65mini.localdomain

The resolver options below belong in /etc/host.conf, not /etc/hosts:

vi /etc/host.conf
# resolution order: DNS (bind) first, then the hosts file
order bind hosts
# whether a host may have multiple IP addresses
multi on
# after a reverse lookup, forward-resolve the returned name and check that it matches the queried address, to guard against spoofed IP addresses
nospoof on

Restart the network service for the settings to take effect; either command works:

service network restart
# or
/etc/init.d/network restart

6. Disable SELinux and clear iptables. Re-enable SELinux once the server is fully configured and all services are working.

View the SELinux status:

Method 1: /usr/sbin/sestatus -v # "SELinux status: enabled" means it is on
Method 2: cat /etc/selinux/config # SELINUX=enforcing or SELINUX=permissive means it is on (permissive only logs), SELINUX=disabled means off
Method 3: grep SELINUX=disabled /etc/selinux/config
Method 4: getenforce

Changing the configuration file makes the SELinux state change permanent, but a reboot is required.

Method 1: vi /etc/selinux/config and set SELINUX=disabled
Method 2: sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
To take effect immediately (a temporary change): setenforce 0

setenforce 1 switches SELinux to enforcing mode, setenforce 0 switches it to permissive mode, and getenforce shows the current mode.

Clear the iptables firewall rules, then customize them as needed:

# Flush the iptables rules
iptables -F
# List the iptables rules
iptables -L
# Save the rules. Even after flushing, unsaved rules come back at reboot.
/etc/init.d/iptables save

7. Create ordinary users and manage sudo authorization

Create a regular user: useradd bingoku. Set its password: passwd bingoku

Alternative: create the user and set the password in one go: echo "123456"|passwd --stdin bingoku && history -c (history -c clears the shell history so the password does not remain in it)

bingoku is the username you created.
sudo authorization: open the sudo configuration file with visudo

# Run :set nu to show line numbers and find line 99
root ALL=(ALL) ALL
# add below it
bingoku ALL=(ALL) ALL

8. Change the SSH port and block remote login of the root account

# Back up the SSH configuration
cp /etc/ssh/sshd_config sshd_config_bak
# Edit the SSH security settings
vi /etc/ssh/sshd_config
# SSH listening port (the default is 22)
Port 52113
# Forbid root login
PermitRootLogin no
# Forbid empty passwords
PermitEmptyPasswords no
# Do not do reverse DNS lookups on clients
UseDNS no

Reload the SSH configuration with /etc/init.d/sshd reload, then confirm that sshd now listens on 52113 (keep the current session open until a new login on the new port succeeds):

netstat -lnt

Or look up which process holds the port:

lsof -i tcp:52113

The CentOS 6.5 minimal install does not include lsof; install it with yum install lsof.
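To verify the section 8 settings without reading sshd_config by eye, here is an added audit script (not from the original article). It assumes a POSIX shell with awk; the two configs it checks at the bottom are constructed for the demonstration, and on a real host you would point it at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config for the
# settings section 8 changes. Assumes a POSIX shell with awk; the files checked
# in the demo at the bottom are constructed for the demonstration.

# Print the effective value of a keyword, taking the first uncommented match as
# sshd does; keywords are case-insensitive. Match blocks are not interpreted.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Report every deviation from the article's settings on stdout; returns 0 only
# when the config passes. Absent keywords fall back to the OpenSSH 5.x defaults.
audit_sshd_config() {
    conf=$1; fails=0
    port=$(sshd_value "$conf" Port);  port=${port:-22}
    root=$(sshd_value "$conf" PermitRootLogin);  root=${root:-yes}
    empty=$(sshd_value "$conf" PermitEmptyPasswords);  empty=${empty:-no}
    dns=$(sshd_value "$conf" UseDNS);  dns=${dns:-yes}
    [ "$port" != 22 ] || { echo "Port is still the default 22"; fails=$((fails + 1)); }
    [ "$root" = no ] || { echo "PermitRootLogin is $root, expected no"; fails=$((fails + 1)); }
    [ "$empty" = no ] || { echo "PermitEmptyPasswords is $empty, expected no"; fails=$((fails + 1)); }
    [ "$dns" = no ] || { echo "UseDNS is $dns, expected no"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ]
}

# Demonstration on two constructed configs (a real check would use /etc/ssh/sshd_config)
demo=$(mktemp -d)
printf 'Port 52113\nPermitRootLogin no\nPermitEmptyPasswords no\nUseDNS no\n' > "$demo/hardened"
printf '#Port 22\nPermitRootLogin yes\n' > "$demo/weak"
for f in hardened weak; do
    echo "== $f"
    audit_sshd_config "$demo/$f" && echo "all section 8 settings present"
done
rm -rf "$demo"
```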

9. Lock the key file system (unauthorized users are not allowed to obtain permissions)



10. Trim the services started at boot

Note: right after installing the OS, keep only the crond, network, syslog and sshd services enabled at boot; enable other services later as the business requires (CentOS 6.x uses rsyslog, CentOS 5.x uses syslog). Under a Chinese locale chkconfig prints 3:启用 instead of 3:on, so either run with LANG=en or replace 3:on with 3:启用 in the loops below.


# Shut down all services 
for sun in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 3 $sun off;done

# or, under a Chinese locale
for sun in `chkconfig --list|grep 3:启用|awk '{print $1}'`;do chkconfig --level 3 $sun off;done

# Start the required service 
for sun in crond rsyslog sshd network;do chkconfig --level 3 $sun on;done

# Or you can turn it on if you need to use a firewall iptables and ip6tables
for sun in crond rsyslog sshd network iptables ip6tables;do chkconfig --level 3 $sun on;done

Check which services are enabled: chkconfig --list | grep 3:on (or chkconfig --list | grep 3:启用 under a Chinese locale)

[bingoku@c65mini ~]$ chkconfig --list|grep 3:启用
crond     0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
ip6tables 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
iptables  0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
network   0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
rsyslog   0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
sshd      0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
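The loops above grep for a locale-dependent string. The added script below (not from the original article) instead parses chkconfig --list by column, so it works the same under any locale as long as the output is produced with LANG=C, and prints the chkconfig commands for review rather than running them. The allowlist and the sample output are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): find services enabled at runlevel 3
# that are not on the allowlist from section 10, and emit the chkconfig commands to
# disable them for review. Parses `LANG=C chkconfig --list` text on stdin by field
# position, so it does not depend on the localized "on"/"off" strings.

ALLOWED="crond network rsyslog sshd iptables ip6tables"

# Names of services whose runlevel 3 field (5th column) is "3:on". The
# "xinetd based services:" section at the end uses a different layout and is skipped.
runlevel3_on() {
    awk '
        /^xinetd based services:/ { exit }
        NF >= 8 && $5 == "3:on" { print $1 }
    '
}

# Services on at runlevel 3 that are not in the space-separated allowlist $1
unexpected_services() {
    allow=" $1 "
    runlevel3_on | while read -r svc; do
        case "$allow" in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# Dry run: print the command the article uses, one per unexpected service
disable_commands() {
    unexpected_services "$1" | while read -r svc; do
        echo "chkconfig --level 3 $svc off"
    done
}

# Constructed sample of chkconfig --list output (not captured from a real host)
SAMPLE_CHKCONFIG='crond      0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups       0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables   0:off 1:off 2:on  3:on  4:on  5:on  6:off
network    0:off 1:off 2:on  3:on  4:on  5:on  6:off
postfix    0:off 1:off 2:on  3:on  4:on  5:on  6:off
rsyslog    0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd       0:off 1:off 2:on  3:on  4:on  5:on  6:off
udev-post  0:off 1:on  2:on  3:off 4:on  5:on  6:off

xinetd based services:
        rsync:  off'

printf '%s\n' "$SAMPLE_CHKCONFIG" | disable_commands "$ALLOWED"
# On a live CentOS 6 host: LANG=C chkconfig --list | disable_commands "$ALLOWED"
```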

11. Adjust the system file descriptor limit

View file descriptor size
ulimit -n

Method 1: the default setting of Aliyun cloud hosts.



Method 2: echo '* - nofile 65535' >> /etc/security/limits.conf

Method 3: add the command ulimit -SHn 65535 to /etc/rc.local so that it is applied again at every boot.



Method 4: ulimit -SHn 65535 takes effect immediately without editing the limits configuration file, but reverts to the previous default after a reboot.

12. Set the system character set

Method 1: vi /etc/sysconfig/i18n

LANG="en_US.UTF-8" (set LANG="zh_CN.UTF-8" if you want Chinese)

Method 2: use sed for a quick substitution



13. Clean up the system and kernel version displayed at login



14. Kernel parameter optimization

Add the following parameters to /etc/sysctl.conf:


# Suitable for apache, nginx, squid and other web applications
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768

net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

# Note: tcp_tw_reuse and tcp_tw_recycle below depend on TCP timestamps;
# with tcp_timestamps = 0 they have no effect
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2

# tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800

#net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 1024 65535

# The parameters below tune iptables connection tracking on CentOS 6.x; without a firewall
# sysctl -p reports them as unknown keys, which can be ignored.
# On CentOS 5.x replace net.netfilter.nf_conntrack with net.ipv4.netfilter.ip_conntrack
#centos5.X: net.ipv4.ip_conntrack_max = 25000000
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120

Apply immediately with /sbin/sysctl -p. On CentOS 6.5 this may report:


error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key

This happens because the bridge module is not loaded automatically.



Check whether the bridge module is loaded: lsmod | grep bridge

On CentOS 5.x the following errors may appear; they mean that the firewall is not enabled or that the loadable module ip_conntrack is not loaded automatically:


error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key

centos5.X solution:


modprobe ip_conntrack
echo "modprobe ip_conntrack">> /etc/rc.local

On CentOS 6.x the equivalent errors are the following; they mean that the firewall is not enabled or that the loadable module nf_conntrack is not loaded automatically. There are two fixes: enable the firewall, or load the nf_conntrack module automatically.


error: "net.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_established" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_fin_wait" is an unknown key

centos6.X solution:


modprobe nf_conntrack
echo "modprobe nf_conntrack">> /etc/rc.local

Note: while putting together this CentOS 6.5 kernel optimization, I found that if ip6tables was not enabled, the nf_conntrack error above was still reported even after applying the fix. So when trimming services you may choose to keep iptables and ip6tables enabled. Of course, if iptables is not used, remove the nf_conntrack settings from the kernel optimization, and /sbin/sysctl -p will report no error.
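The "unknown key" errors above can be predicted before running sysctl -p: a key is known to the running kernel exactly when its backing file exists under /proc/sys. The added script below (not from the original article) lists the keys of a sysctl.conf that would be rejected and emits a copy with those keys commented out. The /proc/sys root is a parameter so the demonstration can run against a constructed tree; the conf fragment in the demo is constructed from section 14.

```shell
#!/bin/sh
# Added example (not from the original article): before running sysctl -p, list the
# keys in a sysctl.conf that the running kernel would reject as "unknown key", and
# emit a copy with those keys commented out. A key is known when its backing file
# exists under /proc/sys; the root is a parameter so the demo can use a constructed tree.

# Print each key from $1 whose /proc/sys path (under root $2) does not exist
unknown_sysctl_keys() {
    conf=$1; root=${2:-/proc/sys}
    # keys look like "net.ipv4.tcp_tw_reuse = 1"; comments and blank lines are skipped
    awk -F'=' '/^[[:space:]]*[#;]/ || !/[^[:space:]]/ { next }
               { gsub(/[[:space:]]/, "", $1); print $1 }' "$conf" |
    while read -r key; do
        [ -e "$root/$(printf '%s' "$key" | tr . /)" ] || echo "$key"
    done
}

# Copy $1 to stdout with every unknown key commented out, safe to feed to sysctl -p
comment_unknown_keys() {
    conf=$1; root=${2:-/proc/sys}
    while IFS= read -r line || [ -n "$line" ]; do
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        case "$key" in
            ''|'#'*|';'*) echo "$line" ;;
            *) if [ -e "$root/$(printf '%s' "$key" | tr . /)" ]; then
                   echo "$line"
               else
                   echo "# unknown key on this kernel: $line"
               fi ;;
        esac
    done < "$conf"
}

# Demonstration against a constructed /proc/sys tree where only tcp_tw_reuse exists
demo=$(mktemp -d)
mkdir -p "$demo/sys/net/ipv4"
: > "$demo/sys/net/ipv4/tcp_tw_reuse"
printf '# constructed fragment of section 14\nnet.ipv4.tcp_tw_reuse = 1\nnet.netfilter.nf_conntrack_max = 25000000\n' > "$demo/sysctl.conf"
unknown_sysctl_keys "$demo/sysctl.conf" "$demo/sys"
comment_unknown_keys "$demo/sysctl.conf" "$demo/sys"
rm -rf "$demo"
# On a live host (no root needed to read /proc/sys): unknown_sysctl_keys /etc/sysctl.conf
```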

15. If sendmail was installed automatically, regularly clean up its files under /var/spool/clientmqueue/ to keep them from using up all inodes

# CentOS 6.5 no longer installs sendmail automatically, so this step may be unnecessary
mkdir -p /server/scripts
vi /server/scripts/spool_clean.sh
#!/bin/sh
# Delete queue files older than 30 days; -print0/-0 handles unusual file names safely
find /var/spool/clientmqueue/ -type f -mtime +30 -print0 | xargs -0 rm -f

16. Remove unnecessary system users and groups


# Remove unnecessary users 
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel games
userdel gopher
userdel ftp
# Remove unnecessary groups 
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
groupdel pppusers

17. Disable the Ctrl-Alt-Delete reboot key combination

vi /etc/init/control-alt-delete.conf
# Comment out the following line
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

18. Set some global variables

# Log out idle terminals automatically, so that SSH sessions that were never closed properly do not pile up login processes; the value is in seconds and can be set larger
echo "TMOUT=3600">> /etc/profile
# Keep only 10 entries of command history
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
# Take effect immediately
source /etc/profile

This is the optimization cheat sheet for a production server after a CentOS 6.5 minimal install. Test it, and then you can install the web environment.

