Centos 7 操作系统的优化项
第1章 优化的第一阶段
以下列出的是一些优化项,并不是说必须按照这个顺序一项一项地优化,你得根据你的场景、你的需求以及你对当前操作系统的梳理来取舍。并且有些优化项不是千篇一律的。
01 更改yum源
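### Switch the base repo to the Aliyun mirror.
### The repo definition is fetched as root and decides where yum pulls packages
### from, so fetch it over HTTPS; -f makes curl fail on an HTTP error instead of
### saving the error page as the repo file.
curl -f -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
### Add the EPEL repo
yum install -y epel-release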
02 安装常用工具
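# Install the everyday toolset.
# Package-name fixes: "namp" is corrected to nmap; the fused "psmisclsof" is
# dropped because psmisc and lsof are already listed; "pstree" is dropped
# because the pstree binary ships in psmisc.
# NOTE(review): telnet, sshpass, nc, nmap, tcpdump and the gcc toolchain are
# convenient on a lab machine, but every one of them is also useful to an
# intruder who lands on the host. On production servers install only what the
# role needs.
yum install -y \
tree telnet lrzsz wget ntpdate vim nc nmap dos2unix tcpdump expect sshpass elinks unzip psmisc \
lsof net-tools htop iproute bridge-utils \
bind-utils nscd \
gcc gcc-c++ make cmake libaio zlib-devel pcre-devel \
sysstat yum-utils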
03 清空系统版本显示
# Truncate both pre-login banner files so they no longer show the OS release.
for banner_file in /etc/issue /etc/issue.net; do
  : >"$banner_file"
done
04 关闭selinux
# Persist SELINUX=disabled in the config file (takes effect on the next boot),
# then switch the running system to permissive mode.
# NOTE(review): this removes mandatory access control from the host. If the
# goal is only to get past denials while setting things up, permissive mode
# keeps logging them so a policy can be fixed later instead of switched off.
sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
05 关闭firewalld防火墙
# stop    - stop the running firewalld service
# disable - do not start it at boot
# mask    - block both manual starts and enabling it again
# NOTE(review): after this the host has no local packet filter; make sure
# another control (security group, upstream firewall) restricts access first.
for verb in stop disable mask; do
  systemctl "$verb" firewalld.service
done
06 让用户密码永不过期
# Append password-aging defaults to /etc/login.defs.
# PASS_MAX_DAYS 99999 means passwords effectively never expire.
# NOTE(review): these keys normally already exist in the file, so appending
# creates duplicates on every run; editing the existing lines is cleaner.
# NOTE(review): a 5-character minimum is weak, and on PAM-based systems the
# length check is presumably enforced by the PAM password module rather than
# by PASS_MIN_LEN - confirm where the effective policy lives.
printf '%s\n' \
  'PASS_MAX_DAYS 99999' \
  'PASS_MIN_DAYS 0' \
  'PASS_MIN_LEN 5' \
  'PASS_WARN_AGE 7' >>/etc/login.defs
07 命令行及命令行文件对历史操作的记录
# HISTSIZE=10     - `history` shows only the 10 most recent commands
# HISTFILESIZE=10 - the history file keeps only the 10 most recent commands
# NOTE(review): shell history is often the first thing examined after an
# incident; cutting it to 10 entries discards that record. If the aim is to
# limit exposure of typed secrets, pair this with auditd or central logging
# rather than relying on a short history alone.
cat >>/etc/bashrc <<'EOF'
export HISTSIZE=10
export HISTFILESIZE=10
EOF
source /etc/bashrc
08 不记录命令行以空格开头的操作记录
# Commands typed with a leading space are not written to history.
# NOTE(review): this applies to every user, so any command can be kept out of
# the history simply by prefixing a space; do not treat history as an audit log.
printf '%s\n' 'HISTCONTROL=ignorespace' >>/etc/bashrc
source /etc/bashrc
09 给危险命令rm做别名
# Replace rm with a reminder message in shells that read /etc/bashrc.
# NOTE(review): an alias is a guard against typos, not an access control:
# /bin/rm, \rm and scripts that do not load /etc/bashrc still delete files.
printf '%s\n' "alias rm='echo Do not use the rm command'" >>/etc/bashrc
source /etc/bashrc
10 设置支持中文字符集
# Overwrite /etc/locale.conf so the system locale is Simplified Chinese, UTF-8.
printf '%s\n' 'LANG="zh_CN.UTF-8"' >/etc/locale.conf
11 更改/etc/rc.d/rc.local文件权限744
# Owner may read, write and execute rc.local; group and others may only read.
# The file is run as root at boot, so it must stay writable by root alone.
chmod 0744 /etc/rc.d/rc.local
12 校准和更新操作系统的时间
初次更新和校准系统时间
## Write the timezone settings to /etc/sysconfig/clock (appended, so running
## this twice leaves the three lines in the file twice).
printf '%s\n' \
  'ZONE="Asia/Shanghai"' \
  'UTC=false' \
  'ARC=false' >>/etc/sysconfig/clock
## Force /etc/localtime to be a symlink to the Shanghai zone file
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
## One-off synchronisation against the Aliyun time server
ntpdate ntp1.aliyun.com
## Copy the system time to the hardware clock, then display it to check
/sbin/hwclock --systohc
hwclock --show
系统定时更新系统时间
13 调整swap交换页面
## Tuning commands
# Clear the immutable attribute so the file can be appended to.
# NOTE(review): the attribute is not set again afterwards; if the file was
# deliberately locked, restore it with chattr +i once the change is made.
chattr -i /etc/sysctl.conf
printf '%s\n' 'vm.swappiness=10' >>/etc/sysctl.conf
sysctl -p
# Author's intent: start using the swap partition only once physical memory
# use reaches 90%.
# In practice an alert should already fire when physical memory use hits 80%.
# NOTE(review): vm.swappiness is a relative preference between reclaiming
# page cache and swapping anonymous memory, not a memory-usage threshold, so
# the 90% figure should be read as a rule of thumb only.
## 对应的文件(还没有执行上面的命令哈)和说明
[root@node31 ~]# cat /proc/sys/vm/swappiness
30
# 不同的操作系统这个值是不一样的哈,oracle linux是60,我这里是CentOS linux;
# 30的意思是:当服务器的物理内存被用到100%-30%=70%时,就让其使用swap交换页面(分区)了
# 如果设置为0,则表示不使用swap交换页面(分区)
14 防止Cannot allocate memory(无法分配内存)
值为不超过总内存的1%即可,我这里设置的是512M,min_free_kbytes表示强制 Linux 系统最低保留的空闲内存(Kbytes),如果系统可用内存低于设定的 min_free_kbytes 值,则默认系统启动 oom-killer 或强制重启。具体行为由内核参数 vm.panic_on_oom 值决定:
若 vm.panic_on_oom=0(默认),则系统会提示 OOM,并启动 oom-killer 杀掉占用最高内存的进程。
若 vm.panic_on_oom =1,则系统会自动重启。
# Clear the immutable attribute, append the 512 MiB (524288 KiB) reserve,
# then reload /etc/sysctl.conf.
# NOTE(review): the immutable attribute is not set again afterwards.
chattr -i /etc/sysctl.conf
printf '%s\n' 'vm.min_free_kbytes=524288' >>/etc/sysctl.conf
sysctl -p
14 调整limit限制
## Global limits, appended to /etc/security/limits.conf.
# NOTE(review): "core unlimited" for every user lets any crashing process
# write a full core dump, which can hold credentials or keys that were in
# memory; consider granting it only to the accounts that need it.
cat >>/etc/security/limits.conf <<'EOF'
#### memlock(max locked memory)
#### cpu(cpu time)
* soft memlock unlimited
* hard memlock unlimited
* soft cpu unlimited
* hard cpu unlimited
### open files(nproc\nofile)
* soft nproc 102431
* hard nproc 102431
* soft nofile 102431
* hard nofile 102431
####
* soft stack 65536
* hard stack 65536
####
* soft core unlimited
* hard core unlimited
EOF
## Maximum number of concurrent processes.
# NOTE(review): this overwrites 20-nproc.conf with "nproc unlimited" for all
# users. Files in limits.d are presumably applied after limits.conf, which
# would supersede the 102431 value written above and remove the per-user
# process cap - confirm which value is intended.
printf '%s\n' ' * - nproc unlimited' >/etc/security/limits.d/20-nproc.conf
printf '%s\n' 'session required pam_limits.so' >>/etc/pam.d/login
## sshd settings; they apply to SSH sessions opened after the restart.
# NOTE(review): sshd keeps the first value it reads for a keyword, so an
# appended line has no effect when the keyword is already set earlier in the
# file. UseLogin was removed in OpenSSH 7.4; check the installed version.
printf '%s\n' 'UsePAM yes' 'UseLogin yes' >>/etc/ssh/sshd_config
systemctl restart sshd
15.创建普通用户,让其可以su到超级用户
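# Temporarily lift the immutable attribute on the account databases.
chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow
# Create the account and add it to wheel, the group used for privilege
# escalation on this system.
useradd chenliang -G wheel
# Set the password interactively. A password written into a script or piped
# from echo ends up in the script file, shell history and copies of this page,
# and this account leads directly to root.
passwd chenliang
# Lock the account databases again.
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow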
17.ssh服务优化
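## Point firewalld's ssh service definition at port 921.
## Edit a copy under /etc/firewalld/services, which takes precedence over
## /usr/lib/firewalld/services, so a firewalld package update does not revert
## the change; match only the port attribute rather than every "22" in the file.
cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/ssh.xml
sed -i 's#port="22"#port="921"#' /etc/firewalld/services/ssh.xml
## sshd settings
# sshd keeps the first value it reads for a keyword, so an appended line is
# ignored when the same keyword is already set earlier in the file; check the
# effective values with `sshd -T` after the change.
# If SELinux is still enforcing, port 921 also has to be labelled for sshd
# (semanage port) or the daemon cannot bind to it.
cat >>/etc/ssh/sshd_config <<'EOF'
Port 921
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no
GSSAPIAuthentication no
EOF
## Validate the configuration, then restart sshd.
# With root login disabled and the port moved, keep the current session open
# and confirm that a non-root account can log in on port 921 before closing it.
sshd -t && systemctl restart sshd.service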
二、脚本
脚本名称:Centos7_opt_scrip.sh
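#!/bin/bash
#
# CentOS 7 post-install baseline script.
#
# ***** For newly installed systems
# ***** Have access to the Internet
# ***** Root user execution
#
# NOTE(review): several steps trade security for convenience: SELinux is
# switched off, shell history is cut to 10 entries, and passwords never
# expire with a 5-character minimum. Decide per host whether each is wanted.
# NOTE(review): the steps that append to /etc/login.defs and /etc/bashrc add
# the same lines again on every run.

########## Define variables
RETVAL=0
Baidu_url="www.baidu.com"
# HTTPS: yum trusts this repo definition as root, so it must not be
# modifiable in transit.
Yum_soure="https://mirrors.aliyun.com/repo/Centos-7.repo"
## According to operating system version
# "nmap" and "psmisc" replace the misspelt "namp" and "psmisclsof"
# (lsof is already in the list).
Common_tools="tree telnet lrzsz wget ntp ntpdate vim net-tools \
lsof nc nmap dos2unix tcpdump gcc gcc-c++ make \
cmake libaio zlib-devel pcre-devel psmisc \
sysstat yum-utils"
# Not referenced by any step below; kept unchanged.
Change_ssh_port="921"
Firewalld_ssh_file="/usr/lib/firewalld/services/ssh.xml"

########## Determine the user to execute
if [ "$UID" -ne 0 ]; then
  echo "Must be root to run scripts" >&2
  exit 1
fi

########## Load local functions
if [ -f /etc/init.d/functions ]; then
  source /etc/init.d/functions
fi
# Fallback so the script still reports results when the init-script helper
# library is absent.
if ! declare -F action >/dev/null; then
  action() {
    local message=$1
    shift
    if "$@"; then
      printf '%s [  OK  ]\n' "$message"
    else
      printf '%s [FAILED]\n' "$message"
      return 1
    fi
  }
fi

# Print a step's name with the OK/FAILED marker.
# Arguments: $1 - step description, $2 - exit status of the step
report() {
  if [ "$2" -eq 0 ]; then
    action "$1" /bin/true
  else
    action "$1" /bin/false
  fi
}

########## Check Internet access
ping -c 2 "$Baidu_url" >/dev/null 2>&1
RETVAL=$?
report "Check internet access" "$RETVAL"
if [ "$RETVAL" -ne 0 ]; then
  exit 1
fi

########## Change domestic yum sources
# Download to a temporary file first: -f rejects HTTP error pages and the
# size check rejects an empty body, so a failed download never replaces the
# working repo file.
repo_tmp=$(mktemp) &&
  curl -fsS -o "$repo_tmp" "$Yum_soure" >/dev/null 2>&1 &&
  [ -s "$repo_tmp" ] &&
  install -m 0644 "$repo_tmp" /etc/yum.repos.d/CentOS-Base.repo
RETVAL=$?
if [ -n "$repo_tmp" ]; then
  rm -f -- "$repo_tmp"
fi
report "Change yum sources" "$RETVAL"

########## Install common toolkits
# Word splitting of the package list is intentional.
# shellcheck disable=SC2086
yum install -y $Common_tools >/dev/null 2>&1
report "Install common toolkits" $?

########## Empty version display
# Both banner files must exist (the original test checked only the first).
if [ -f /etc/issue ] && [ -f /etc/issue.net ]; then
  : >/etc/issue && : >/etc/issue.net
  report "Emty version display" $?
else
  echo "/etc/issue or /etc/issue.net is not exists"
fi

########## Disable selinux
# The config change applies from the next boot; setenforce 0 puts the running
# system into permissive mode until then.
if [ -f /etc/selinux/config ]; then
  sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config &&
    setenforce 0
  report "Disable selinux" $?
fi

########## User password does not expire
if [ -f /etc/login.defs ]; then
  printf '\nPASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 5\nPASS_WARN_AGE 7\n\n' >>/etc/login.defs
  report "Set user password not expire" $?
fi

########## Command line history sav change
printf '\nexport HISTSIZE=10\nexport HISTFILESIZE=10\nexport HISTCONTROL=ignorespace\n' >>/etc/bashrc
report "Command line history sav change" $?

########## rm command alias set
# The alias only affects shells that read /etc/bashrc; /bin/rm still works.
printf '%s\n' "alias rm='echo Do not use the rm command'" >>/etc/bashrc
report "Command rm alias set" $?

######## Time proofread and first update
# Single-quoted format keeps the double quotes around the zone name, which
# the original nested quoting dropped.
printf 'ZONE="Asia/Shanghai"\nUTC=false\nARC=false\n' >/etc/sysconfig/clock &&
  ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime &&
  ntpdate ntp1.aliyun.com >/dev/null 2>&1 &&
  /sbin/hwclock --systohc
report "Time proofread and first update" $?

######### /etc/rc.d/rc.local file permission change
chmod 744 /etc/rc.d/rc.local
report "/etc/rc.d/rc.local file permission change" $?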