centos7系统内核优化

linux系统基础调优
1.关闭selinux,清空iptables
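# 1. Disable SELinux and flush iptables (SysV-init style commands).
# Permanently disable SELinux (effective after the next boot) and put the
# running kernel into permissive mode right away.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
grep SELINUX=disabled /etc/selinux/config
setenforce 0
# Flush every rule and user chain and zero the counters. With the built-in
# chain policy ACCEPT this leaves the host with no packet filtering at all,
# so it presumes an upstream firewall / security group — confirm before use.
iptables -F
iptables -X
iptables -Z
iptables -L
# Persist the (now empty) rule set and keep the service off at boot.
# NOTE(review): /etc/init.d/iptables and chkconfig are SysV init (CentOS 6);
# a CentOS 7 host manages this through systemctl/firewalld instead.
/etc/init.d/iptables save
/etc/init.d/iptables stop
chkconfig iptables off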
2.添加普通用户并进行sudo授权管理
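# 2. Create an ordinary account and give it sudo rights.
useradd liwen
# The initial password is read from the environment (NEW_PASS) instead of
# being a literal in the script, and is fed to passwd on stdin so that it
# never appears in the process list.  Run as:  NEW_PASS=... bash <script>
: "${NEW_PASS:?set NEW_PASS to the initial password for liwen}"
printf '%s\n' "$NEW_PASS" | passwd --stdin liwen && history -c
# Passwordless sudo for every command — this makes the account root-equivalent,
# exactly as in the original rule.  The rule is written to a drop-in under
# /etc/sudoers.d (assumes the stock '#includedir /etc/sudoers.d' line is
# present in /etc/sudoers) and is syntax-checked with visudo before it is
# installed, so a typo cannot break sudo for every user on the box.
sudoers_tmp=$(mktemp) || exit 1
printf 'liwen ALL=(ALL) NOPASSWD: ALL\n' > "$sudoers_tmp"
if visudo -cf "$sudoers_tmp"; then
  install -m 0440 "$sudoers_tmp" /etc/sudoers.d/liwen
  tail /etc/sudoers.d/liwen
else
  printf 'sudoers rule for liwen rejected by visudo; not installed\n' >&2
fi
rm -f -- "$sudoers_tmp"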
3.更新yum源及必要软件安装
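# 3. Switch the yum repository file to the Aliyun mirror and install tools.
yum install -y wget
cd /etc/yum.repos.d/ || exit 1
# Keep the stock repo file as a backup before replacing it.
/bin/mv CentOS-Base.repo CentOS-Base.repo.bak
# NOTE(review): the repo file is fetched over plain HTTP with no checksum or
# signature verification, so package integrity then rests entirely on
# gpgcheck=1 inside that file and on the installed RPM GPG keys.  The file
# fetched is the CentOS 6 one although the page title says CentOS 7 —
# confirm the target release.  Abort on download failure: wget -O would
# otherwise leave an empty repo file behind.
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo || exit 1
# Pin $releasever to 6 (single quotes: sed receives the literal '$releasever').
sed -i 's#$releasever#6#g' CentOS-Base.repo
yum clean all
yum makecache
yum install lrzsz ntpdate sysstat openssh openssl expect telnet tree dos2unix nmap -y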
4.定时自动更新服务器时间
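# 4. Step the clock from the NTP server every five minutes and copy it to
# the hardware clock.  Guarded so a re-run does not add a duplicate cron line.
grep -qF 'ntpdate -u ntp.api.bz' /var/spool/cron/root 2>/dev/null ||
  echo '*/5 * * * * /usr/sbin/ntpdate -u ntp.api.bz && /sbin/hwclock -w ' >>/var/spool/cron/root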
5.精简开机自启动服务
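# 5. Trim the services started at runlevel 3: switch everything off, then
# re-enable only the four that are needed.
for sun in $(chkconfig --list | grep 3:on | awk '{print $1}'); do
  chkconfig --level 3 "$sun" off
done
for sun in crond rsyslog sshd network; do
  chkconfig --level 3 "$sun" on
done
chkconfig --list | grep 3:on
# 6. Change the character set to support Chinese.  Back up the current
# locale file first; the suffix is a timestamp (quoted, because %k yields a
# space-padded hour and would otherwise split into a second argument).
cp /etc/sysconfig/i18n /etc/sysconfig/i18n."$(date +%Y%m%d%k%I%M)"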
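# Write the locale file (straight ASCII quotes — curly quotes would be
# written literally and make the values invalid) and load it into this shell.
cat >/etc/sysconfig/i18n <<'EOF'
LANG="zh_CN.UTF-8"
SYSFONT="latarcyrheb-sun16"
EOF
source /etc/sysconfig/i18n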
临时更改:export LANG="en_US.UTF-8"和export LANGUAGE="en_US:en"
7.变更默认的ssh服务端口,禁止root用户远程连接
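# 7. Move sshd to a non-default port and refuse direct root logins.
# Each sed rewrites only the commented-out default; a directive that is
# already set to some other value is left as is, hence the grep check below.
sed -i 's/#Port 22/Port 52113/g' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
grep -E 'PermitEmptyPasswords|UseDNS|Port|GSSAPIAuthentication|PermitRootLogin' /etc/ssh/sshd_config
# Validate the edited file before restarting so a broken config cannot cut
# off remote access; keep the current session open until a fresh login on
# the new port has been confirmed.
# NOTE(review): a non-default port also needs a matching firewall rule and,
# if SELinux is left enforcing, a port label via semanage port — confirm.
if sshd -t; then
  /etc/init.d/sshd restart
else
  printf 'sshd_config failed validation; not restarting sshd\n' >&2
fi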
对于云服务器可添加如下防止ssh连接中断
# Server-side keepalive: send a probe to an idle client every 60 seconds.
ClientAliveInterval 60
# NOTE(review): 86400 unanswered probes at 60 s is about 60 days, so a dead
# session is effectively never dropped and keeps its resources; a small
# count (OpenSSH's default is 3) still keeps NAT mappings alive — confirm.
ClientAliveCountMax 86400
8.添加历史命令记录
[root@node1 ~]# vim /etc/profile #添加如下
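# 8. Log every interactive command to a per-user, per-session history file.
# This is appended to /etc/profile, so it stays POSIX sh (no bashisms).
LOG_DIR=/var/log/.history
# Origin of the login as reported by who(1); falls back to the hostname
# for local sessions.
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ -z "$USER_IP" ]; then
  USER_IP=$(hostname)
fi

if [ ! -d "$LOG_DIR" ]; then
  mkdir "$LOG_DIR"
  # World-writable so every user can create their own sub-directory; the
  # sticky bit stops users from renaming or removing each other's directories.
  chmod 1777 "$LOG_DIR"
fi

if [ ! -d "${LOG_DIR}/${LOGNAME}" ]; then
  mkdir "${LOG_DIR}/${LOGNAME}"
  # write+search only: the user can append to a history file here but cannot
  # list the directory.
  chmod 300 "${LOG_DIR}/${LOGNAME}"
fi
export HISTSIZE=4096
DT=$(date +"%F_%H%M%S")
export HISTFILE="${LOG_DIR}/${LOGNAME}/${DT}_${USER_IP}.history"
# NOTE(review): the target of this chmod was garbled in the source; it most
# likely tightened the session files — confirm.  stderr is discarded: the
# original sent it to the fixed path /tmp/history.error.log, and a
# predictable shared file in /tmp that root's login shell writes to is a
# symlink-following hazard.
chmod 600 "${LOG_DIR}/${LOGNAME}"/*.history 2>/dev/null
# After each command append "date time ##### user tty origin #### cwd ####
# command" to HISTFILE.  readonly keeps the user from unsetting it, but the
# user still owns HISTFILE, so this is a convenience log rather than
# tamper-evident auditing (auditd / pam_tty_audit cover that).
readonly PROMPT_COMMAND='{ date "+%F %T ##### $(who am i | awk "{print \$1\" \"\$2\" \"\$5}") #### $(pwd) #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >> "$HISTFILE"'

# Locale: force LANG in the i18n file and reload it (the headings of the
# sections between the history logging and this step are not readable here).
sed -i 's#LANG=.*#LANG="zh_CN.UTF-8"#g' /etc/sysconfig/i18n
source /etc/sysconfig/i18n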
12.去除系统及内核版本登录前的屏幕显示

/etc/redhat-release
/etc/issue
/etc/issue.net
/etc/motd
13.内核参数优化
本优化适合apache,nginx,squid多种等web应用,特殊的业务也可能需要略作调整
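# 13. Kernel TCP tuning for web servers (apache, nginx, squid and the like);
# unusual workloads may need other values.  The append is guarded by the
# last key so that re-running the script does not add the block twice.
# NOTE(review): net.ipv4.tcp_tw_recycle = 1 makes the server drop SYNs from
# clients behind a NAT whose TCP timestamps are not monotonic, and the knob
# was removed in Linux 4.12; tcp_tw_reuse = 1 alone is the usual safe choice
# — confirm before enabling.  tcp_syn_retries = 1 and tcp_fin_timeout = 2
# are likewise aggressive on lossy links.  tcp_syncookies = 1 keeps SYN-flood
# resilience when the backlog fills.
if ! grep -qF 'net.core.netdev_max_backlog = 16384' /etc/sysctl.conf; then
  cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl =15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
EOF
fi
tail /etc/sysctl.conf
# Apply the file now; it is also read at boot.
/sbin/sysctl -p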
将上面的内核参数值加入/etc/sysctl.conf文件中然后/sbin/sysctl -p使其生效
防火墙的优化参数
# Connection-tracking sizing for hosts that run a stateful firewall.
# NOTE(review): net.nf_conntrack_max and net.netfilter.nf_conntrack_max are
# the same limit under two names (which name exists depends on the kernel);
# 25,000,000 entries need several GB of kernel memory — size to the host's RAM.
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
# Established flows are expired after 3 minutes instead of the kernel default
# of 5 days so idle connections free their slots; the remaining three values
# match the kernel defaults (3.x era) — confirm against the running kernel.
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
