### 系统优化部分
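# Directories for downloaded software, scripts, and script-monitoring logs
mkdir -p /root/{software,sh,jiankong_log}

# Colour the command prompt. grep -q replaces the "cat | grep" pipeline plus -z test:
# the line is appended only when no PS1 line exists yet (a missing ~/.bashrc also
# counts as "not yet added" because grep fails on it).
grep -q '^PS1' ~/.bashrc || echo 'PS1="\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@\h \[\e[35;40m\]\W\[\e[0m\]]\\$ "' >> ~/.bashrc

# Set the hostname (interactive: HOSTNAME= in this file)
vim /etc/sysconfig/network

# Silence cron mail so script output/errors do not fill the maildrop directory.
# Do the same (MAILTO="") in other users' crontabs.
sed -i 's/MAILTO=root/MAILTO=""/g' /etc/crontab

# shutdown selinux
# "disabled" removes the MAC layer completely; SELINUX=permissive keeps logging AVC
# denials without blocking anything and is the safer choice while tuning.
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

# SSH
# Changing the default port is usually safer. Match the Port directive whether or
# not it is still commented out, so an already-uncommented "Port 22" (or a second
# run of this step) is handled as well.
sed -i 's/^#\?Port .*/Port 14573/' /etc/ssh/sshd_config
# At login sshd resolves the client IP to a hostname, resolves that back to an IP and
# compares them; with no PTR record, or a slow or unreachable DNS server, every login
# stalls on that lookup.
sed -i 's/^#\?UseDNS .*/UseDNS no/' /etc/ssh/sshd_config
# Turn off GSSAPI authentication
sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
# The firewall must accept tcp/14573 before sshd moves to it, or no new session can
# reach the host (CentOS 6's stock iptables rules only open tcp/22), e.g.
#   iptables -I INPUT -p tcp --dport 14573 -j ACCEPT && service iptables save
# Validate the edited config first: a syntax error would otherwise leave no sshd
# listening after the restart.
/usr/sbin/sshd -t && /etc/init.d/sshd restart

# install base lib (telnet was listed twice; one entry is enough)
yum -y groupinstall base
yum -y install gcc gcc-c++ make automake openssl openssl-devel ncurses ncurses-devel pcre pcre-devel curl-devel lrzsz patch vixie-cron tcl dstat bison flex screen \
telnet iftop bash iotop strace mtr sysstat lsof bind-utils rsync libtool libtool-ltdl libtool-ltdl-devel ntp \
libpcap libpcap-devel libxml2.x86_64 libxml2-devel.x86_64 bc libpng libpng-devel libjpeg-turbo libjpeg-turbo-devel freetype freetype-devel zlib zlib-devel libmcrypt libmcrypt-devel

# TCP tuning: the sysctl.conf contents to paste follow
vim /etc/sysctl.conf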
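##### reboot better #####
### reduce tcp time-wait on the client side; on a server keep tw_recycle off and timestamps on ###
# tcp_tw_reuse only affects outgoing connections and is safe with timestamps enabled.
# tcp_tw_recycle stays OFF: with timestamps on it rejects SYNs from clients behind a
# shared NAT address (their timestamps look out of order), and the knob was removed
# from the kernel in 4.12.
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_timestamps = 1

### System & Memory ###
# Controls the System Request debugging functionality of the kernel (0 = off)
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Do less swapping (reduce disk caching) and increase performance
vm.swappiness = 10
# Percent of RAM holding dirty pages before writers block / before background flushing starts
vm.dirty_ratio = 60
vm.dirty_background_ratio = 2

### General Network Performance Tuning ###
# System-wide ceiling on open file handles; raising it only reserves table space
fs.file-max = 2097152
# Keep-alive: first probe after 300 s idle, then 5 probes 15 s apart before the peer is declared dead
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15

### FURTHER TUNING NETWORK PERFORMANCE ###
# Socket buffer sizes in bytes. *_max caps what an application may request with
# SO_RCVBUF/SO_SNDBUF, so it is raised to equal *_default instead of being smaller
# than the default it is meant to bound. TCP sockets take their initial size from
# net.ipv4.tcp_rmem/tcp_wmem below; these core values apply to the other socket types.
net.core.rmem_default = 31457280
net.core.rmem_max = 31457280
net.core.wmem_default = 31457280
net.core.wmem_max = 31457280
# Increase number of incoming connections (ceiling for the listen() backlog)
net.core.somaxconn = 65536
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 25165824
# Increase number of incoming connections backlog (queue of received frames per CPU)
net.core.netdev_max_backlog = 65536
# Increase the maximum total buffer-space allocatable (these three are in pages, not bytes)
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144
# Increase the read-buffer space allocatable (min default max, bytes)
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
# Increase the write-buffer-space allocatable (min default max, bytes)
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384

### avoid deleting secondary IPs on deleting the primary IP ###
# look at https://mindless.atlassian.net/wiki/spaces/Linux/pages/1114116/Sysctl+tuning+for+optimized+system+performance
#net.ipv4.conf.default.promote_secondaries = 1
#net.ipv4.conf.all.promote_secondaries = 1

### SysV IPC limits ###
# message queues: max queue ids, bytes per queue, bytes per message
kernel.msgmni = 131072
kernel.msgmnb = 4194304
kernel.msgmax = 4194304
# shared memory: shmmax in bytes, shmall in pages. These look like "never be the
# limit" placeholders rather than values sized to the machine; size them to
# physical RAM if a real ceiling is wanted.
kernel.shmmax = 1234567890123456789
kernel.shmall = 1234567890123456789

# Ephemeral port range; the low end presumably sits just above the sshd port
# (14573) configured earlier so the two cannot collide. on high concurrency 1024 65535
net.ipv4.ip_local_port_range = 14576 65535
# Controls IP packet forwarding. 1 makes the host route between its interfaces;
# only needed for NAT, containers or VPN -- use 0 on a plain application server.
net.ipv4.ip_forward = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

### Disable netfilter on bridges. ###
# if open,need modprobe bridge
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0

### only aliyun . look at https://help.aliyun.com/knowledge_detail/39428.html ###
# rp_filter = 0 turns off reverse-path (source address) validation, so packets with
# spoofed sources are no longer dropped. Keep 1 (strict) or 2 (loose) unless the
# asymmetric-routing case in the linked article applies. The eth0 key makes
# "sysctl -p" report an unknown key on hosts whose interface has another name.
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2

### table full, dropping packet . look at https://help.aliyun.com/knowledge_detail/41334.html ###
# These keys only exist once nf_conntrack is loaded (rc.local does the modprobe);
# with 655350 entries consider raising the module's hashsize parameter as well.
net.nf_conntrack_max = 655350
net.netfilter.nf_conntrack_tcp_timeout_established = 1200
#net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
#net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
#net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
#net.netfilter.nf_conntrack_max = 655350

### Time wait bucket table overflow ###
#net.ipv4.tcp_max_tw_buckets = 180000

### FIN_WAIT2 tcp too much ###
# seconds an orphaned connection may stay in FIN_WAIT2, and how many orphans are kept
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_max_orphans = 65535

# TCP SYN Flood Protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_synack_retries = 3

### redis ###
vm.overcommit_memory = 1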
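# Shell audit: login environment, timestamped history, fd limits and a per-command
# audit log (the downloaded profile presumably implements these -- review it before
# installing, see below).
mkdir -p /var/log/shell_audit
touch /var/log/shell_audit/audit.log
# Owned by nobody, mode 002 (only "other" may write), then append-only: every login
# shell can add records, but unprivileged users cannot read or truncate the log and
# even root must clear the attribute before changing existing content.
chown nobody:nobody /var/log/shell_audit/audit.log
chmod 002 /var/log/shell_audit/audit.log
chattr +a /var/log/shell_audit/audit.log

# Both files come from a third-party host over plain HTTP, so they can be altered in
# transit or at the source, and /etc/profile runs in every login shell. Put the
# SHA-256 of a reviewed copy here to make the install fail closed; an empty value
# skips the check.
PROFILE_SHA256=""
LOGROTATE_SHA256=""

# fetch_into URL DEST [SHA256]: download to a temp file next to DEST, verify the
# digest when one is given, and only then move it into place, so a failed or
# truncated download can never leave DEST missing or half-written.
fetch_into() {
    local url="$1" dest="$2" sum="$3" tmp
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if ! wget -q -O "$tmp" "$url"; then
        echo "download failed: $url" >&2; rm -f "$tmp"; return 1
    fi
    if [ -n "$sum" ] && ! echo "$sum  $tmp" | sha256sum -c - >/dev/null 2>&1; then
        echo "checksum mismatch: $url" >&2; rm -f "$tmp"; return 1
    fi
    chmod 644 "$tmp" && mv -f "$tmp" "$dest"
}

fetch_into http://scripts.showshowbaby.com/lnmp/shell_audit /etc/logrotate.d/shell_audit "$LOGROTATE_SHA256"
# Keep the stock profile as /etc/profile.bk; it is only replaced once the new one is in hand
if fetch_into http://scripts.showshowbaby.com/lnmp/profile /etc/profile.new "$PROFILE_SHA256"; then
    cp -p /etc/profile /etc/profile.bk && mv -f /etc/profile.new /etc/profile
fi

# Libraries built without --prefix install under /usr/local/lib, which the loader does
# not search by default. Match the whole line so that "/usr/local/lib64" alone does not
# satisfy the check.
grep -qxF '/usr/local/lib' /etc/ld.so.conf || echo "/usr/local/lib" >> /etc/ld.so.conf
/sbin/ldconfig

# rsync config (contents to paste follow)
vim /etc/rsyncd.conf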
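# /etc/rsyncd.conf -- daemon mode, started with "/usr/bin/rsync --daemon".
# Transfers run as root with no chroot, so any client that is allowed to connect
# gets root-level access to the module path; every such client is trusted with the
# whole host.
uid = root
gid = root
use chroot = no
# 0 = no limit on simultaneous connections
max connections = 0
# do not answer module listings (this hides the module, it does not protect it)
list = no
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log

[gen]
# Whole filesystem, writable, as root: a permitted client can alter any file on this
# machine, including this config and root's authorized_keys. Narrow the path or set
# read only = yes wherever the use case allows.
path = /
# Parameters are "name = value"; a bare "ignore errors" line carries no value and the
# parser drops it as badly formed, so it previously had no effect.
ignore errors = yes
read only = no
# Hosts outside this list are refused. It is the only access control here: there is
# no "auth users" / "secrets file", so anyone on 10.0.0.0/22 is accepted as-is.
# Enable both to require a module password (the secrets file must not be readable
# by others, see "strict modes"):
#auth users = <rsync-user>
#secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.0/22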
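# centos 6 http://blog.yufeng.info/archives/2568
# Raise the per-user process limit from the stock 1024 to 65535. This file exists to
# cap fork bombs, so the change trades that protection for headroom on busy hosts.
# Only the "* soft nproc" line is rewritten instead of every "1024" in the file, and
# the guard checks that exact line rather than any "65535" anywhere.
NPROC_CONF=/etc/security/limits.d/90-nproc.conf
grep -qE '^\*[[:space:]]+soft[[:space:]]+nproc[[:space:]]+65535' "$NPROC_CONF" \
    || sed -i -r 's/^(\*[[:space:]]+soft[[:space:]]+nproc[[:space:]]+)1024[[:space:]]*$/\165535/' "$NPROC_CONF"
# Start the rsync daemon with /etc/rsyncd.conf from the step above; it runs as root per
# that file, so the hosts allow / module settings there are the only access control.
/usr/bin/rsync --daemon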
开机启动
# Edit the boot-time script; the lines that follow are its intended contents
vim /etc/rc.d/rc.local
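#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

# Open-file limit for processes started from this script (the rsync daemon below);
# login sessions get theirs from pam_limits / limits.conf, not from here.
ulimit -SHn 65535
# Connection tracking and bridge modules; ip_conntrack is presumably the legacy alias
# kept for the CentOS 6 kernel. Loading them is what makes the net.nf_conntrack_* and
# net.bridge.* sysctl keys exist.
modprobe nf_conntrack
modprobe ip_conntrack
modprobe bridge
# rc.sysinit applies /etc/sysctl.conf before rc.local runs, i.e. before these modules
# are loaded, so the conntrack keys were reported as unknown at that point. Re-apply
# now; -e skips any key that still does not exist instead of aborting.
sysctl -e -p >/dev/null
/usr/bin/rsync --daemon
touch /var/lock/subsys/local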
执行
# Apply immediately (rc.local covers the next boot): load the modules that the
# conntrack and bridge sysctl keys depend on, then read /etc/sysctl.conf.
modprobe -a nf_conntrack ip_conntrack bridge
sysctl -p