CentOS 6.5 server optimization configuration cheat sheet: some basic optimizations and security settings
- 2020-05-12 06:34:58
- OfStack
This article covers 18 optimization items for CentOS 6.5:
1. Start the network card after a minimal installation of CentOS 6.5
2. Query the IP with ifconfig for the SSH connection
3. Update the system source and upgrade the system
4. System time update and scheduled sync
5. Modify the IP address, gateway, host name and DNS
6. Disable SELinux and clear iptables
7. Create an ordinary user and manage sudo authorization
8. Change the SSH port number and block remote login of the root account
9. Lock key system files (unauthorized users are not allowed to obtain permissions)
10. Simplify startup services
11. Adjust the system file descriptor limit
12. Set the system character set
13. Clear the system and kernel version displayed at login
14. Kernel parameter optimization
15. Regularly clean /var/spool/clientmqueue
16. Remove unnecessary system users and groups
17. Disable the Ctrl-Alt-Delete reboot key combination
18. Set some global variables
1. Start the network card
After a minimal installation of CentOS 6.x the network card is not started by default:
ifup eth0
2. SSH connection: run ifconfig to view the IP, then connect from an SSH terminal.
3. Update the source. A minimal installation has no wget tool, so install it before changing the source:
yum install wget
Back up the original system update source
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
Enter the yum.repos.d directory
cd /etc/yum.repos.d
Download the Netease, Sohu or Aliyun mirror source
# Download netease image source:
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
# or
# Download sohu image source:
wget http://mirrors.sohu.com/help/CentOS-Base-sohu.repo
# Download aliyun mirror source
wget http://mirrors.aliyun.com/repo/Centos-6.repo
The Netease and Sohu sources may have problems.
Reference: //www.ofstack.com/os-RedHat/499587.html
Clear the yum cache
yum clean all
Generate the cache
yum makecache
Start updating the system and kernel
yum upgrade
Prerequisite software
yum install lrzsz ntpdate sysstat -y
Common use of the lrzsz tool: rz to upload, sz to download
4. System time update and scheduled sync. Method 1: update the time and write it to the BIOS
ntpdate time.windows.com && hwclock -w && hwclock --systohc
Method 2: update the time and add a scheduled task
echo '*/30 * * * * ntpdate time.windows.com && hwclock -w && hwclock --systohc >/dev/null 2>&1' >>/var/spool/cron/root
Method 3: sync every 5 minutes and every 10 minutes from two different servers
echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >>/var/spool/cron/root
echo '*/10 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root
Note: the ntpdate path differs between versions: CentOS 6 uses /usr/sbin/ntpdate, CentOS 5 uses /sbin/ntpdate
5. Modify the IP address, gateway, host name and DNS. eth0 network card settings:
mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0 # Network card device name
HWADDR=00:0C:29:D0:C7:B5 # Physical (MAC) address of the Ethernet device
TYPE=Ethernet # Network type: Ethernet
UUID=080a457b-6a53-4a3a-9155-a23c1146c2c6 # Unique identifier
ONBOOT=yes # Activate the card at boot
NM_CONTROLLED=no # Whether eth0 is managed by the NetworkManager tool
BOOTPROTO=dhcp # How the IP address is obtained: dhcp means automatically, static means a fixed address
IPADDR=192.168.1.10 # IP address
IPV6INIT=no
IPV6_AUTOCONF=no
NETMASK=255.255.255.0 # Network mask of the card
GATEWAY=192.168.1.1 # Gateway address
Check the network card configuration
cat /etc/sysconfig/network-scripts/ifcfg-eth0
Gateway configuration
vi /etc/sysconfig/network
# Whether the system uses the network; normally yes. If set to no, the network is unavailable and many system services cannot start
NETWORKING=yes
# Host name of the machine; it must match the host name set in /etc/hosts
HOSTNAME=c65mini.localdomain
# Gateway IP address of the local connection, for example 10.0.0.1 or 192.168.1.1
GATEWAY=192.168.1.1
Modify the host DNS
vi /etc/resolv.conf
; generated by /sbin/dlient-script
nameserver 8.8.8.8
nameserver 4.4.4.4
Modify HOSTS
vi /etc/hosts
127.0.0.1 c65mini.localdomain
The resolver options below are /etc/host.conf directives, not /etc/hosts entries:
# Resolve names with the DNS server (bind) first, then /etc/hosts
order bind hosts
# Allow a host to have multiple IP addresses
multi on
# When a reverse lookup returns a host name, resolve it again and check that it matches the queried address, to guard against IP address spoofing
nospoof on
Restart the network for the settings to take effect; two ways:
service network restart
or
/etc/init.d/network restart
6. Disable SELinux and clear iptables. Re-enable SELinux once the server is fully configured and all services are working normally
View the SELinux status
Method 1: /usr/sbin/sestatus -v # if it says SELinux status: enabled, it is on
Method 2: cat /etc/selinux/config # SELINUX=enforcing means it is on, SELINUX=disabled means it is off
Method 3: grep SELINUX=disabled /etc/selinux/config
Method 4: getenforce
Changing the configuration file makes the SELinux state change permanent, but the system must be rebooted
Method 1: vi /etc/selinux/config and set SELINUX=disabled
Method 2: sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
For an immediate (temporary) change: setenforce 0
setenforce 1 sets SELinux to enforcing mode, setenforce 0 sets it to permissive mode; check the status with getenforce
Clear the iptables firewall rules and customize them to your needs
# Clear the iptables rules
iptables -F
# View the iptables rules
iptables -L
# Save the rules. Note that even after clearing, if you do not save, the old rules come back after a reboot.
/etc/init.d/iptables save
7. Create an ordinary user and manage sudo authorization
Create a regular user: useradd bingoku; set the user's password: passwd bingoku
Another way, creating the user and setting the password in one step: echo "123456"|passwd --stdin bingoku && history -c
Replace bingoku with the user name you created.
sudo authorization: open the sudo configuration file with visudo
# Use :set nu to show line numbers and find line 99:
root ALL=(ALL) ALL
# Add below it
bingoku ALL=(ALL) ALL
8. Change the SSH port number and block remote login of the root account
# Back up the SSH configuration
cp /etc/ssh/sshd_config sshd_config_bak
# Edit the SSH security configuration
vi /etc/ssh/sshd_config
# SSH listening port (the default is 22)
Port 52113
# Forbid root account login
PermitRootLogin no
# Forbid empty passwords
PermitEmptyPasswords no
# Do not use DNS
UseDNS no
Reload the SSH configuration with /etc/init.d/sshd reload, then check that the newly set port 52113 is listening:
netstat -lnt
Or look up which process owns the port:
lsof -i tcp:52113
A minimal CentOS 6.5 install has no lsof tool; install it with yum install lsof.
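As an added example (not part of the original cheat sheet), a small POSIX shell audit that checks an sshd_config for the four settings of this step before the configuration is reloaded; the sample configs it reads are constructed in temp files, and the sshd_effective and sshd_audit function names are my own:

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# hardening settings of step 8. Assumes POSIX sh and awk; the two sample
# configs below are constructed here so the script never touches /etc/ssh.

# sshd_effective KEY FILE
# Print the value of the first active (uncommented) occurrence of KEY, which
# is the one sshd honours, or "unset" when the directive is absent or
# commented out. Keywords are matched case-insensitively, as sshd does.
sshd_effective() {
    awk -v k="$1" 'BEGIN { k = tolower(k); found = 0 }
        $1 !~ /^#/ && tolower($1) == k { print $2; found = 1; exit }
        END { if (!found) print "unset" }' "$2"
}

# sshd_audit FILE
# Return 0 when FILE matches the baseline (non-default port, root login
# denied, empty passwords denied, DNS lookups off); otherwise print each
# failing check and return 1.
sshd_audit() {
    rc=0
    port=$(sshd_effective Port "$1")
    if [ "$port" = unset ] || [ "$port" = 22 ]; then
        echo "FAIL: Port is $port, expected a non-default port"; rc=1
    fi
    for kv in PermitRootLogin:no PermitEmptyPasswords:no UseDNS:no; do
        key=${kv%:*}; want=${kv#*:}
        got=$(sshd_effective "$key" "$1")
        [ "$got" = "$want" ] || { echo "FAIL: $key is $got, expected $want"; rc=1; }
    done
    return $rc
}

# Constructed sample: the port was changed but the root-login line is still
# the commented-out CentOS 6 default, so sshd still allows root to log in.
SAMPLE_BAD=$(mktemp)
cat >"$SAMPLE_BAD" <<'EOF'
Port 52113
#PermitRootLogin yes
PermitEmptyPasswords no
UseDNS no
EOF

# The same file after applying every setting from step 8.
SAMPLE_GOOD=$(mktemp)
sed 's/^#PermitRootLogin yes/PermitRootLogin no/' "$SAMPLE_BAD" >"$SAMPLE_GOOD"

sshd_audit "$SAMPLE_BAD" || echo "sample 1 needs fixing before sshd reload"
sshd_audit "$SAMPLE_GOOD" && echo "sample 2 meets the baseline"
```

On a real host call sshd_audit /etc/ssh/sshd_config before running /etc/init.d/sshd reload.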
9. Lock key system files (unauthorized users are not allowed to obtain permissions)
10. Simplify startup services
Note: after installing the OS, keep only the crond, network, syslog and sshd services; enable other boot-time services later according to business needs. (CentOS 6.x uses rsyslog, CentOS 5.x uses syslog.) If the system locale is Chinese, you may need to set LANG=en, or replace 3:on in the grep with the localized 3:启用 (rendered as "3: enabled" by machine translation).
# Shut down all services
for sun in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 3 $sun off;done
# or, on a Chinese locale
for sun in `chkconfig --list|grep 3:启用|awk '{print $1}'`;do chkconfig --level 3 $sun off;done
# Start the required services
for sun in crond rsyslog sshd network;do chkconfig --level 3 $sun on;done
# Or, if you need the firewall, also enable iptables and ip6tables
for sun in crond rsyslog sshd network iptables ip6tables;do chkconfig --level 3 $sun on;done
Check which services are enabled: chkconfig --list | grep 3:on (or chkconfig --list | grep 3:启用 on a Chinese locale)
[bingoku@c65mini ~]$ chkconfig --list|grep 3:on
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
11. Adjust the file descriptor limit
View the current file descriptor limit
ulimit -n
Method 1 (this is the default setting on Aliyun hosts):
Method 2: echo '* - nofile 65535' >> /etc/security/limits.conf
Method 3: add the command ulimit -SHn 65535 to /etc/rc.local so that it is applied again at every reboot
Method 4: without modifying the limits configuration file, this takes effect immediately but reverts to the previous default after a reboot: ulimit -SHn 65535
12. Set the system character set
Method 1:
vi /etc/sysconfig/i18n
LANG="en_US.UTF-8" # or LANG="zh_CN.UTF-8" if you want to use Chinese
Method 2: use sed for a quick substitution
13. Clear the system and kernel version displayed at login
14. Kernel parameter optimization
Add the following to /etc/sysctl.conf:
# Suitable for web applications such as Apache, Nginx and Squid
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
#net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 1024 65535
# The following parameters are for the CentOS 6.x iptables firewall; if the firewall is not used they can be ignored.
# On CentOS 5.x replace net.netfilter.nf_conntrack with net.ipv4.netfilter.ip_conntrack
#centos5.X: net.ipv4.ip_conntrack_max = 25000000
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
Apply immediately with /sbin/sysctl -p. On CentOS 6.5 the following errors may be reported:
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
This happens because the bridge module is not loaded automatically.
Check whether the bridge module is loaded
lsmod|grep bridge
CentOS 5.x may report the errors below; this means the firewall is not enabled or the loadable module ip_conntrack is not loaded automatically:
error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key
CentOS 5.x solution:
modprobe ip_conntrack
echo "modprobe ip_conntrack">> /etc/rc.local
CentOS 6.x may report the errors below, likewise because the firewall is not enabled or the loadable module nf_conntrack is not loaded automatically. There are two solutions: 1. enable the firewall, 2. load the module nf_conntrack automatically:
error: "net.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_established" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_fin_wait" is an unknown key
CentOS 6.x solution:
modprobe nf_conntrack
echo "modprobe nf_conntrack">> /etc/rc.local
Note: while putting together this CentOS 6.5 kernel optimization, I found that if ip6tables was not enabled, the nf_conntrack settings still produced the above errors even after applying the solution above. So when trimming services you can choose to keep iptables and ip6tables. Of course, if iptables is not used, remove the nf_conntrack settings from the kernel optimization; then /sbin/sysctl -p reports no error.
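Added example, not from the original post: a POSIX shell preflight that lists which keys of a sysctl file are absent under /proc/sys, so the module to load (bridge, nf_conntrack) or the lines to drop are known before sysctl -p is run. The fake /proc/sys tree and config are constructed in a temp directory, and the function names sysctl_missing_keys and sysctl_preflight are assumptions of this example:

```shell
#!/bin/sh
# Added example, not from the original post: preflight a sysctl config
# against /proc/sys so that keys the running kernel does not expose (the
# "unknown key" errors above) are listed before `sysctl -p` is run.
# Assumes POSIX sh; the config and the /proc/sys lookalike are constructed
# in a temp directory so the demo does not touch the real system.

# sysctl_missing_keys CONF SYSROOT
# Print each key in CONF (lines of the form key = value; '#' comments and
# blank lines ignored) that has no file under SYSROOT. On a real host pass
# SYSROOT=/proc/sys; each dot in a key maps to one path component.
sysctl_missing_keys() {
    conf=$1; root=$2
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" |
    while IFS='=' read -r key _; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        [ -e "$root/$(printf '%s' "$key" | tr . /)" ] || printf '%s\n' "$key"
    done
}

# sysctl_preflight CONF SYSROOT
# Return 0 when every key in CONF exists under SYSROOT, otherwise print the
# missing keys (load the matching module or drop the lines) and return 1.
sysctl_preflight() {
    missing=$(sysctl_missing_keys "$1" "$2")
    [ -z "$missing" ] && return 0
    printf 'missing sysctl keys:\n%s\n' "$missing"
    return 1
}

# Constructed demo: a /proc/sys lookalike that has the core TCP keys but no
# netfilter tree, as on a host where nf_conntrack is not loaded.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/net/ipv4" "$ROOT/net/core"
touch "$ROOT/net/ipv4/tcp_max_syn_backlog" "$ROOT/net/core/somaxconn" \
      "$ROOT/net/ipv4/ip_local_port_range"
CONF="$ROOT/sysctl.conf"
cat >"$CONF" <<'EOF'
# subset of the list above
net.ipv4.tcp_max_syn_backlog = 65536
net.core.somaxconn = 32768
net.ipv4.ip_local_port_range = 1024 65535
net.netfilter.nf_conntrack_max = 25000000
EOF

sysctl_preflight "$CONF" "$ROOT" || echo "load the module or drop the line before sysctl -p"
```

On a real host run sysctl_preflight /etc/sysctl.conf /proc/sys before /sbin/sysctl -p.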
15. Regularly clean up /var/spool/clientmqueue, which the automatically installed sendmail fills, to prevent the inodes from running out
# CentOS 6.5 no longer installs sendmail automatically, so this step is not needed there
mkdir -p /server/scripts
vi /server/scripts/spool_clean.sh
#!/bin/sh
find /var/spool/clientmqueue/ -type f -mtime +30 | xargs rm -f
16. Remove unnecessary system users and groups
# Remove unnecessary users
userdel adm
userdel lp
userdel sync
userdel shutdown
userdel halt
userdel news
userdel uucp
userdel operator
userdel games
userdel gopher
userdel ftp
# Remove unnecessary groups
groupdel adm
groupdel lp
groupdel news
groupdel uucp
groupdel games
groupdel dip
groupdel pppusers
17. Disable the Ctrl-Alt-Delete reboot key combination
vi /etc/init/control-alt-delete.conf
# Comment out this line:
#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
18. Set some global variables
# Automatically log out idle terminals (value in seconds), to prevent ssh clients that were closed improperly from leaving too many login processes; the value can be set somewhat larger
echo "TMOUT=3600">> /etc/profile
# Set the number of history entries to 10
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
# Take effect immediately
source /etc/profile
The above is the optimized configuration cheat sheet for a production server after a minimal CentOS 6.5 install; test it first, then you can install the web environment.