Centos7 优化

1. 介绍

       为了更好的使用linux。基本的优化我们还是需要做的。 

sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config 
setenforce 0
systemctl disable firewalld  # 开机不自启防火墙
systemctl stop firewalld     # 关闭防火墙

yum install -y ntp
\cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
echo "*/5 * * * *  /usr/sbin/ntpdate cn.pool.ntp.org > /dev/null 2>&1" >> /var/spool/cron/root

cat>>/etc/security/limits.conf<<EOF
* soft nofile 65535
* hard nofile 65535
EOF
echo "ulimit -SHn 65535">>/etc/rc.local
ulimit -SHn 65535

# 网卡开机自启动,根据当前网卡名修改,centos7 默认是ifcfg-ens33,centos6默认是eth0
sed -i 's@ONBOOT=no@ONBOOT=yes@g' /etc/sysconfig/network-scripts/ifcfg-ens33

# 禁止ssh反向解析
sed -i 's@UseDNS yes@UseDNS no@' /etc/ssh/sshd_config /etc/ssh/sshd_config
# 禁止空密码登录
sed -i 's@PermitEmptyPasswords yes@PermitEmptyPasswords no@' /etc/ssh/sshd_config

yum install -y bash-completion epel-release gcc cmake bzip2-devel curl-devel db4-devel libjpeg-devel libpng-devel freetype-devel libXpm-devel gmp-devel libc-client-devel openldap-devel unixODBC-devel postgresql-devel sqlite-devel aspell-devel net-snmp-devel libxslt-devel libxml2-devel pcre-devel mysql-devel pspell-devel libmemcached libmemcached-devel zlib-devel  vim wget   lrzsz  tree

sudo systemctl set-default multi-user.target  # 设置非图形模式为默认模式
cat >> /etc/resolv.conf << EOF
nameserver 114.114.114.114
EOF
cat >> /etc/sysctl.conf << EOF
vm.overcommit_memory = 1
net.ipv4.ip_local_port_range = 1024 65536
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_abort_on_overflow = 0
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.ipv4.netfilter.ip_conntrack_max = 2097152
net.nf_conntrack_max = 655360
net.netfilter.nf_conntrack_tcp_timeout_established = 1200
EOF
/sbin/sysctl -p

2. 优化

2.1 禁用SELINUX

sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config 
setenforce 0
详细操作如下:

[root@localhost ~]# sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux
/config [root@localhost ~]# setenforce 0
[root@localhost ~]# grep -wi ^selinux /etc/selinux/config
SELINUX=disabled

2.2 关闭防火墙

systemctl disable firewalld  # 开机不自启防火墙
systemctl stop firewalld     # 关闭防火墙
详细操作如下:

[root@localhost ~]# systemctl disable firewalld
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor p
reset: enabled)   Active: inactive (dead)
     Docs: man:firewalld(1)

Apr 13 09:59:26 localhost.localdomain systemd[1]: Starting firewalld - dynami...
Apr 13 09:59:26 localhost.localdomain systemd[1]: Started firewalld - dynamic...
Apr 13 04:45:19 localhost.localdomain systemd[1]: Stopping firewalld - dynami...
Apr 13 04:45:20 localhost.localdomain systemd[1]: Stopped firewalld - dynamic...
Hint: Some lines were ellipsized, use -l to show in full.

2.3 时间矫正

yum install -y ntp
cp -f /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
crontab -e
// 加入一行
*/5 * * * * /usr/sbin/ntpdate ntp.api.bz

# echo "*/5 * * * *  /usr/sbin/ntpdate cn.pool.ntp.org > /dev/null 2>&1" >> /var/spool/cron/root
详细操作

[root@localhost ~]# crontab -l
*/5 * * * * /usr/sbin/ntpdate ntp.api.bz
[root@localhost ~]# date
Sat Apr 13 04:48:52 EDT 2019
[root@localhost ~]# /usr/sbin/ntpdate ntp.api.bz
13 Apr 05:06:38 ntpdate[38604]: step time server 114.118.7.163 offset 1056.43580
1 sec[root@localhost ~]# date
Sat Apr 13 05:06:54 EDT 2019

2.4 limit

       要调整一下 Linux 的最大文件打开数,否则运行 Squid 诅服务的机器在高负载时执行性能将会很差;另外,在 Linux 下部署应用时,有时候会遇上 “Too many open files” 这样的问题,这个值也会影响服务器的最大并发数。其实 Linux 是有文件句柄限制的。但默认值下是很高,一般是1024,生产服务器很容易就会达到这个值,所以需要改动此值。

cat>>/etc/security/limits.conf<<EOF
* soft nofile 65535
* hard nofile 65535
EOF
echo "ulimit -SHn 65535">>/etc/rc.local
ulimit -SHn 65535

详细操作: 

[root@localhost ~]# cat>>/etc/security/limits.conf<<EOF
> * soft nofile 65535
> * hard nofile 65535
> EOF
[root@localhost ~]# echo "ulimit -SHn 65535">>/etc/rc.local
[root@localhost ~]# ulimit -SHn 65535
[root@localhost ~]# ulimit -n
65535

2.5 网卡自启动

sed -i 's@ONBOOT=no@ONBOOT=yes@g' /etc/sysconfig/network-scripts/ifcfg-ens33

详细操作如下: 

[root@localhost ~]# sed -i 's@ONBOOT=no@ONBOOT=yes@g' /etc/sysconfig/network-scripts/ifcfg-ens33 
[root@localhost ~]# grep -i 'ONBOOT'  /etc/sysconfig/network-scripts/ifcfg-ens33 
ONBOOT=yes

2.6 ssh

# 禁止ssh反向解析
sed -i 's@UseDNS yes@UseDNS no@' /etc/ssh/sshd_config /etc/ssh/sshd_config
# # 禁止空密码登录
sed -i 's@PermitEmptyPasswords no@PermitEmptyPasswords no@' /etc/ssh/sshd_config
详细操作

[root@localhost ~]# sed -i 's@UseDNS yes@UseDNS no@' /etc/ssh/sshd_config /etc/ssh/sshd_config
[root@localhost ~]# sed -i 's@PermitEmptyPasswords no@PermitEmptyPasswords no@' /etc/ssh/sshd_config

2.7 命令补全

yum install -y bash-completion

2.8 修改字符集

[root@localhost ~]# echo $LANG
zh_CN.UTF-8
[root@localhost ~]# vi /etc/locale.conf
LANG="en_US.UTF-8"
[root@localhost ~]# source  /etc/locale.conf

2.9 更换yum源

使用国内的更新源,下载会比国外要好[默认是使用的国外yum源]。 

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
cd  /etc/yum.repos.d/
wget  http://mirrors.163.com/.help/CentOS7-Base-163.repo
yum clean all
yum makecache
详细操作如下:

[root@localhost yum.repos.d]# cd  /etc/yum.repos.d/
[root@localhost yum.repos.d]# wget  http://mirrors.163.com/.help/CentOS7-Base-16
3.repo--2019-04-13 05:18:56--  http://mirrors.163.com/.help/CentOS7-Base-163.repo
Resolving mirrors.163.com (mirrors.163.com)... 59.111.0.251
Connecting to mirrors.163.com (mirrors.163.com)|59.111.0.251|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1572 (1.5K) [application/octet-stream]
Saving to: ‘CentOS7-Base-163.repo’

100%[======================================>] 1,572       --.-K/s   in 0s      

2019-04-13 05:18:56 (259 MB/s) - ‘CentOS7-Base-163.repo’ saved [1572/1572]

[root@localhost yum.repos.d]# yum clean all
Loaded plugins: fastestmirror
Cleaning repos: base extras updates
Cleaning up list of fastest mirrors
[root@localhost yum.repos.d]# yum makecache
Loaded plugins: fastestmirror
Determining fastest mirrors
base                                                     | 3.6 kB     00:00     
......省略

2.10 安装基本软件

yum install gcc cmake bzip2-devel curl-devel db4-devel libjpeg-devel libpng-devel freetype-devel libXpm-devel gmp-devel libc-client-devel openldap-devel unixODBC-devel postgresql-devel sqlite-devel aspell-devel net-snmp-devel libxslt-devel libxml2-devel pcre-devel mysql-devel pspell-devel libmemcached libmemcached-devel zlib-devel  vim wget   lrzsz  tree

2.11 非图形

systemctl get-default                         # 查看当前的运行模式
systemctl set-default graphical.target        # 设置图形模式为默认模式
sudo systemctl set-default multi-user.target  # 设置非图形模式为默认模式

[root@localhost yum.repos.d]# systemctl get-default 
multi-user.target

2.12 yum 扩展源

       这是因为像centos这类衍生出来的发行版,他们的源有时候内容更新的比较滞后,或者说有时候一些扩展的源根本就没有。所以在使用yum来search python-pip的时候,会说没有找到该软件包。 因此为了能够安装这些包,需要先安装扩展源EPEL。EPEL(http://fedoraproject.org/wiki/EPEL) 是由 Fedora 社区打造,为 RHEL 及衍生发行版如 CentOS、Scientific Linux 等提供高质量软件包的项目。 首先安装epel扩展源: 

yum -y install epel-release

2.13 添加公网DNS

cat >> /etc/resolv.conf << EOF
nameserver 114.114.114.114
EOF

2.14 内核优化

cat >> /etc/sysctl.conf << EOF
vm.overcommit_memory = 1
net.ipv4.ip_local_port_range = 1024 65536
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_abort_on_overflow = 0
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.ipv4.netfilter.ip_conntrack_max = 2097152
net.nf_conntrack_max = 655360
net.netfilter.nf_conntrack_tcp_timeout_established = 1200
EOF
/sbin/sysctl -p

2.15 优化服务

SERVICES="acpid atd auditd avahi-daemon avahi-dnsconfd bluetooth conman cpuspeed cups dnsmasq dund firstboot hidd httpd ibmasm ip6tables irda kdump lm_sensors mcstrans messagebus microcode_ctl netconsole netfs netplugd nfs nfslock nscd oddjobd pand pcscd portmap psacct rdisc restorecond rpcgssd rpcidmapd rpcsvcgssd saslauthd sendmail setroubleshoot smb vncserver winbind wpa_supplicant ypbind"
for service in $SERVICES
do
#关闭所选服务随系统启动
systemctl disable $SERVICES
#停止所选的服务
systemctl stop $SERVICES
done

centos6 优化脚本

#!/bin/sh

echo "------ step 1: config yum ------"
cd /etc/yum.repos.d/
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo

echo "------ step 2: config  profile------"
echo 'export LC_ALL=C'>> /etc/profile
source /etc/profile

echo "------ step 3: stop iptables and selinux------"
/etc/init.d/iptables stop
/etc/init.d/iptables stop
/etc/init.d/NetworkManager stop
chkconfig NetworkManager off
chkconfig iptables off
setenforce 0
if [ -f /etc/selinux/config ]; then
    sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
    setenforce 0
fi

echo "------ step 4: config time sync------"
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
cp /etc/sysconfig/clock /etc/sysconfig/clock.ori
> /etc/sysconfig/clock
echo " ZONE="Asia/Shanghai"">/etc/sysconfig/clock

/usr/sbin/ntpdate pool.ntp.org
echo '#time sync by caimengzhi at 2016-2-1'>>/var/spool/cron/root
echo '*/10 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1'>>/var/spool/cron/root

#配置SSHD
sed -i '/^#Port/s/#Port 22/Port 65535/g' /etc/ssh/sshd_config
sed -i '/^#UseDNS/s/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
/etc/init.d/sshd restart
#关闭系统不用的服务
for server in `chkconfig --list |grep 3:on|awk '{ print $1}'`
do
    chkconfig --level 3 $server off
done

for server in crond network rsyslog sshd
do
   chkconfig --level 3 $server on
done

#优化内核参数
cat >> /etc/sysctl.conf << ENDF
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog =  32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.ip_local_port_range = 1024  65535
ENDF
sysctl -p 

cat >/etc/hosts <<ENDF
127.0.0.1 $MYHOSTNAME $MYHOSTNAME.$DOMAINNAME localhost
$IPADDR $MYHOSTNAME $MYHOSTNAME.$DOMAINNAME  localhost
ENDF

cat >/etc/resolv.conf <<ENDF
domain $DOMAINNAME 
search $DOMAINNAME 
nameserver $MYDNS1 
nameserver $MYDNS2 
ENDF

#加固
#------------------------------------------------------------------------------------------------------------
echo "Welcome to Server" >/etc/issue 
echo "Welcome to Server" >/etc/redhat-release 
#修改历史记录为5
sed -i "s#HISTSIZE=1000#HISTSIZE=5#g" /etc/profile
#修改crtl+alt+delete键盘重启
sed -i "s#exec#\#exec#g" /etc/init/control-alt-delete.conf
#修改打开文件数
echo "ulimit -SHn 102400">> /etc/rc.local #设置开机自动生效
userdel adm
userdel lp
userdel shutdown
userdel halt
userdel uucp
userdel operator
userdel games
userdel gopher 

yum install epel-release
crontab -l
yum update -y

yum install -y dos2unix  lrzsz  nc telnet zip   gcc* gcc-c++ libstdc++-devel
cat <<EOF >>/etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536
* soft nproc unlimited
* hard nproc unlimited
EOF

cat <<EOF >>/etc/security/limits.d/90-nproc.conf
*          soft    nproc     unlimited
root       soft    nproc     unlimited
EOF