3.1.3 操作系統優化 · 運維工作筆記

>備注：系統默認最下化安裝 ### Centos 7 #### 系統分區 ``` # 初始系統磁盤60GB（經驗值） boot分區200M，SWAP分區2GB，剩下的全部分給/分區 ``` #### 系統配置 yum源配置 ```shell mkdir /etc/yum.repos.d/old && mv /etc/yum.repos.d/C* /etc/yum.repos.d/old/ curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo ``` 系統更新 ```shell yum -y update ``` 軟件安裝 ```shell gcc gcc-c++ ntp lrzsz tree telnet dos2unix sysstat sysstat iptraf ncurses-devel openssl-devel zlib-devel OpenIPMI-tools nmap screen nfs-utils iftop htop dstat iotop nethogs glances psmisc strace tcpdump fail2ban glusterfs glusterfs-fuse vim wget lrzsz autoconf cmake openssh-clients net-tools iproute ``` 字符集設置 ```shell echo 'LANG="en_US.UTF-8"' >/etc/locale.conf source /etc/locale.conf ``` 文件描述符 ```shell cat >> /etc/security/limits.conf << EOF * soft nofile 65535 * hard nofile 65535 EOF ``` 取消ctrl+alt+del ```shell mv /usr/lib/systemd/system/ctrl-alt-del.target /usr/lib/systemd/system/ctrl-alt-del.target.bak ``` 關閉Selinux ```shell sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config ``` SSH服務優化 ```shell \cp /etc/ssh/sshd_config /etc/ssh/sshd_config.`date +"%Y-%m-%d_%H-%M-%S"` sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config sed -i 's%#PermitEmptyPasswords no%PermitEmptyPasswords no%g' /etc/ssh/sshd_config service sshd restart ``` 內核優化 ```shell cat >> /etc/sysctl.conf << EOF net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_tw_reuse = 1 net.ipv4.ip_local_port_range = 10000 65000 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_tw_buckets = 36000 net.ipv4.tcp_max_syn_backlog = 16384 net.ipv4.tcp_keepalive_time = 600 net.ipv4.tcp_fin_timeout = 30 vm.swappiness=1 vm.max_map_count = 262144 EOF /sbin/sysctl -p ``` 優化命令行界面 ```shell echo 'export PS1="[ \033[01;33m\u\033[0;36m@\033[01;34m\h \033[01;31m\w\033[0m ]\033[0m \n#"' >> /etc/profile echo "the platform is ok" ``` 優化vim ```shell cat >> /root/.vimrc << EOF syntax enable syntax on set ruler set number set cursorline set cursorcolumn set hlsearch set incsearch set ignorecase set nocompatible set wildmenu set paste set expandtab set tabstop=2 set shiftwidth=4 set softtabstop=4 set gcr=a:block-blinkon0 set guioptions-=l set guioptions-=L set guioptions-=r set guioptions-=R highlight CursorLine cterm=NONE ctermbg=black ctermfg=green guibg=NONE guifg=NONE highlight CursorColumn cterm=NONE ctermbg=black ctermfg=green guibg=NONE guifg=NONE EOF ``` #### 軟件配置 fail2ban(防暴力破解工具) ```shell 1. 保護SSH端口 2. 60秒內，嘗試3次錯誤，IP封鎖3小時 ``` 證書登錄 >將跳板機證書上傳到服務器中 #### 時間同步設置 ``` */10 * * * * /usr/sbin/ntpdate ntp1.aliyun.com 2.cn.pool.ntp.org > /dev/null 2>&1 ``` ### Centos 6 #### 系統分區 ``` boot分區200M，SWAP分區2GB，剩下的全部分給/分區 ``` #### 系統配置 yum源配置 ```shell mkdir /etc/yum.repos.d/old && mv /etc/yum.repos.d/C* /etc/yum.repos.d/old/ curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo ``` 系統更新 ```shell yum -y update ``` 軟件安裝 ```shell gcc gcc-c++ ntp lrzsz tree telnet dos2unix sysstat sysstat iptraf ncurses-devel openssl-devel zlib-devel OpenIPMI-tools nmap screen nfs-utils iftop htop dstat iotop nethogs glances psmisc strace tcpdump fail2ban glusterfs glusterfs-fuse vim wget lrzsz autoconf cmake openssh-clients net-tools iproute ``` 字符集設置 ```shell echo 'LANG="en_US.UTF-8"' >/etc/sysconfig/i18n source /etc/sysconfig/i18n ``` 文件描述符 ```shell cat >> /etc/security/limits.conf << EOF * soft nofile 65535 * hard nofile 65535 EOF ``` 取消ctrl+alt+del ```shell mv /etc/init/control-alt-delete.conf /etc/init/control-alt-delete.conf.bak ``` 關閉Selinux ```shell sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config ``` 優化啟動服務,只保留基礎服務 ```shell LANG=en for chkoff in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 3 $chkoff off;done for chkoff in crond network rsyslog sshd rpcbind fail2ban;do chkconfig --level 3 $chkoff on;done ``` SSH服務優化 ```shell \cp /etc/ssh/sshd_config /etc/ssh/sshd_config.`date +"%Y-%m-%d_%H-%M-%S"` sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config sed -i 's%#PermitEmptyPasswords no%PermitEmptyPasswords no%g' /etc/ssh/sshd_config service sshd restart ``` 內核優化 ```shell cat >> /etc/sysctl.conf << EOF net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_tw_reuse = 1 net.ipv4.ip_local_port_range = 10000 65000 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_tw_buckets = 36000 net.ipv4.tcp_max_syn_backlog = 16384 net.ipv4.tcp_keepalive_time = 600 net.ipv4.tcp_fin_timeout = 30 vm.swappiness=1 vm.max_map_count = 262144 EOF /sbin/sysctl -p ``` 優化命令行界面 ```shell echo 'export PS1="[ \033[01;33m\u\033[0;36m@\033[01;34m\h \033[01;31m\w\033[0m ]\033[0m \n#"' >> /etc/profile echo "the platform is ok" ``` 優化vim ```shell cat >> /root/.vimrc << EOF syntax enable syntax on set ruler set number set cursorline set cursorcolumn set hlsearch set incsearch set ignorecase set nocompatible set wildmenu set paste set expandtab set tabstop=2 set shiftwidth=4 set softtabstop=4 set gcr=a:block-blinkon0 set guioptions-=l set guioptions-=L set guioptions-=r set guioptions-=R highlight CursorLine cterm=NONE ctermbg=black ctermfg=green guibg=NONE guifg=NONE highlight CursorColumn cterm=NONE ctermbg=black ctermfg=green guibg=NONE guifg=NONE EOF ``` #### 軟件配置 fail2ban(防暴力破解工具) ```shell 1. 保護SSH端口 2. 60秒內，嘗試3次錯誤，IP封鎖3小時 ``` 證書登錄 >將跳板機證書上傳到服務器中 #### 時間同步設置 ``` */10 * * * * /usr/sbin/ntpdate ntp1.aliyun.com 2.cn.pool.ntp.org > /dev/null 2>&1 ```