Centos7系统初始化

Centos7系统安装以后,我们需要对其进行优化,以下是我的优化方案。

优化如下:

1. 优化yum源为国内源

[root@cooper-7274 ~]#  mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
[root@cooper-7274 ~]# curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
[root@cooper-7274 ~]# yum repolist

2. CentOS切换为iptables防火墙

关闭firewalld

[root@cooper-7274 ~]# systemctl stop firewalld.service

[root@cooper-7274 ~]# systemctl disable firewalld.service

下载并保存iptables

[root@cooper-7274 ~]# yum install iptables-services

[root@cooper-7274 ~]# service iptables save

编辑iptables防火墙配置

[root@cooper-7274 ~]# vi /etc/sysconfig/iptables

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

启动并设置开机自启

[root@cooper-7274 ~]# systemctl start iptables.service

[root@cooper-7274 ~]# systemctl enable iptables.service

有一个iptables的脚本可能会用到

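#!/bin/bash
# Rebuild the filter table with a default-deny INPUT policy, rate-limited
# SYN handling and rate-limited ICMP.  Must run as root.  The script only
# programs the running rule set; it does not persist anything (use
# `service iptables save` afterwards if the rules should survive a reboot).
set -euo pipefail

IPT=$(command -v iptables) || { printf 'iptables not found in PATH\n' >&2; exit 1; }
readonly IPT

# Internal network that may open new connections without restriction.
readonly INTERNAL_NET="10.0.0.0/8"

# Address of the zabbix server.  The original script carried the literal
# placeholder "zabbix.ip" here, which iptables cannot resolve; require the
# real address from the environment instead (ZABBIX_IP=<zabbix server IP>).
: "${ZABBIX_IP:?set ZABBIX_IP to the zabbix server address}"

# Keep INPUT at ACCEPT while the rules are rebuilt so an existing SSH
# session is not cut between the flush and the ESTABLISHED rule below;
# the DROP policy is installed as the very last step.
"$IPT" -P INPUT ACCEPT
"$IPT" -F
"$IPT" -X
"$IPT" -P FORWARD ACCEPT
"$IPT" -P OUTPUT ACCEPT

# Loopback and traffic belonging to already-established connections
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Internal network
"$IPT" -A INPUT -m state --state NEW -s "$INTERNAL_NET" -j ACCEPT

# SSH, open to any source address
"$IPT" -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# DoS protection: every new SYN passes through the syn-flood chain, which
# RETURNs while under the limit and rejects the excess.
"$IPT" -N syn-flood
"$IPT" -A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
"$IPT" -A syn-flood -j REJECT --reject-with icmp-port-unreachable
"$IPT" -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood

# Service ports -- adjust to what this host actually runs
"$IPT" -A INPUT -p tcp -m multiport --dports 80,8087,89 -j ACCEPT

# zabbix agent port, only from the zabbix server
"$IPT" -A INPUT -p tcp -s "$ZABBIX_IP" -m state --state NEW -m tcp --dport 10050 -j ACCEPT

# ICMP, rate-limited
"$IPT" -A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
"$IPT" -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

# Everything else is rejected.  This must remain the LAST INPUT rule: the
# original appended the service-port, zabbix and ICMP rules after it, so
# they were never reached.
"$IPT" -A INPUT -j REJECT --reject-with icmp-host-prohibited
"$IPT" -P INPUT DROP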

3. 时间同步

[root@cooper-7274 ~]# yum -y install ntpdate

[root@cooper-7274 ~]# ntpdate ntp1.aliyun.com

4. 调整字符集为UTF-8

[root@cooper-7274 ~]# vi /etc/locale.conf

LANG="en_US.UTF-8"

5. 关闭SELinux

[root@cooper-7274 ~]# vim /etc/selinux/config

SELINUX=disabled

[root@cooper-7274 ~]# setenforce 0

6. 优化文件描述符

[root@cooper-7274 ~]# vi /etc/security/limits.conf

* soft nofile 65535

* hard nofile 65535

[root@cooper-7274 ~]# vi /etc/sysctl.conf

fs.file-max = 65535

7. 优化ssh

[root@cooper-7274 ~]# sed -i 's#22#921#g' /usr/lib/firewalld/services/ssh.xml

[root@cooper-7274 ~]# cat >>/etc/ssh/sshd_config<<EOF

> # Port 可以改成你需要的,但要iptables放行(见第2步 /etc/sysconfig/iptables 中 --dport 22 的规则;上面对 ssh.xml 的 sed 只改 firewalld 的服务定义,对 iptables 无效)。sshd_config 不支持行尾注释,注释必须单独成行,否则 sshd 重启时报错
> Port 22

> PermitRootLogin no

> PermitEmptyPasswords no

> UseDNS no

> GSSAPIAuthentication no

> EOF

[root@cooper-7274 ~]# systemctl restart sshd.service

8. 关闭NetworkManager

[root@cooper-7274 ~]# systemctl stop NetworkManager

[root@cooper-7274 ~]# systemctl disable NetworkManager

9. 优化系统内核参数

[root@cooper-7274 ~]# vi /etc/sysctl.conf

fs.file-max = 65535

#处理无源路由的包

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

#关闭sysrq功能

kernel.sysrq = 0

#core文件名中添加pid作为扩展名

kernel.core_uses_pid = 1

#开启SYN洪水攻击保护

net.ipv4.tcp_syncookies = 1

#修改消息队列长度

kernel.msgmnb = 65536

kernel.msgmax = 65536

#避免放大攻击

net.ipv4.icmp_echo_ignore_broadcasts = 1

#开启恶意icmp错误消息保护

net.ipv4.icmp_ignore_bogus_error_responses = 1

#关闭路由转发

net.ipv4.ip_forward = 0

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.send_redirects = 0

#开启反向路径过滤

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

#设置最大内存共享段大小bytes

kernel.shmmax = 68719476736

kernel.shmall = 4294967296

#timewait的数量,默认180000

net.ipv4.tcp_max_tw_buckets = 6000

net.ipv4.tcp_sack = 1

net.ipv4.tcp_window_scaling = 1

net.ipv4.tcp_rmem = 4096        87380   4194304

net.ipv4.tcp_wmem = 4096        16384   4194304

net.core.wmem_default = 8388608

net.core.rmem_default = 8388608

net.core.rmem_max = 16777216

net.core.wmem_max = 16777216

#允许送到队列的数据包的最大数目

net.core.netdev_max_backlog = 262144

#限制仅仅是为了防止简单的DoS 攻击

net.ipv4.tcp_max_orphans = 3276800

#未收到客户端确认信息的连接请求的最大值

net.ipv4.tcp_max_syn_backlog = 262144

net.ipv4.tcp_timestamps = 0

#内核放弃建立连接之前发送SYNACK 包的数量

net.ipv4.tcp_synack_retries = 1

#确保无人能修改路由表

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

#内核放弃建立连接之前发送SYN 包的数量

net.ipv4.tcp_syn_retries = 1

#启用timewait 快速回收(注意: 该参数和下面的 tcp_tw_reuse 都依赖 TCP 时间戳,上面已设置 tcp_timestamps = 0 时不会生效;开启后客户端经过 NAT 时会导致连接失败,内核 4.12 起已移除该参数)

net.ipv4.tcp_tw_recycle = 1

#开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_mem = 94500000 915000000 927000000

net.ipv4.tcp_fin_timeout = 1

#当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时

net.ipv4.tcp_keepalive_time = 30

#允许系统打开的端口范围

net.ipv4.ip_local_port_range = 1024    65000

#修改防火墙表大小,默认6553

######net.netfilter.nf_conntrack_max=65535

######net.netfilter.nf_conntrack_tcp_timeout_established=1200

10. 下载常用命令

[root@cooper-7274 ~]#  yum install -y tree vim wget bash-completion bash-completion-extras lrzsz net-tools sysstat  iotop iftop htop unzip nc nmap telnet bc psmisc httpd-tools bind-utils nethogs expect cowsay ntpdate mlocate sl screen dstat sshpass

至此我们的初始优化已经完成啦,可以根据需求对具体的功能进行优化。
