第1章 优化的第一阶段

以下列出的是一些优化项,并不是说得按照这个顺序来一项一项地优化,你得根据你的场景、你的需求以及你对当前操作系统的梳理来取舍。并且有些优化项不是千篇一律的。


01 更改yum源

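### Replace the base repo definition with the Aliyun mirror.
# -f makes curl exit non-zero on an HTTP error instead of saving the error
# page as the repo file and reporting success.
# NOTE(review): the repo file is fetched over plain http, so only the gpgcheck
# setting inside it protects package integrity; prefer https if the mirror serves it.
curl -f -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo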

### Enable the EPEL repository (extra packages on top of base/updates).
yum install -y epel-release


02 安装常用工具

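# Install the baseline tool set in one transaction.
# Fixed two package names yum would reject: "namp" -> nmap, and the
# run-together token "psmisclsof" is dropped because psmisc and lsof are
# already in the list.
yum install -y  \
 tree telnet lrzsz wget ntpdate vim  nc nmap dos2unix  tcpdump pstree  expect sshpass elinks unzip  psmisc \
 lsof net-tools htop iproute  bridge-utils \
 bind-utils nscd \
 gcc gcc-c++ make cmake libaio zlib-devel pcre-devel  \
 sysstat yum-utils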


03 清空系统版本显示

# Blank the pre-login banners so the OS release string is not shown before
# authentication (/etc/issue.net is the network-login variant).
>/etc/issue
>/etc/issue.net


04 关闭selinux

# Persist SELINUX=disabled for the next boot. The pattern only matches
# "enforcing", so a config already set to "permissive" is left unchanged.
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
# Switch the running system to permissive ("disabled" only applies after a
# reboot). setenforce exits non-zero if SELinux is already disabled.
# NOTE(review): SELINUX=permissive keeps AVC audit logging while still
# avoiding denials, if avoiding denials is the actual goal.
setenforce 0


05 关闭firewalld防火墙

systemctl stop firewalld.service      # stop the running firewalld service
systemctl disable firewalld.service   # do not start it at boot
systemctl mask firewalld.service      # prevent it from being started or re-enabled
# NOTE(review): with firewalld masked, the ssh.xml port edit in section 17 has
# no effect; either keep firewalld (and open the new ssh port) or drop that edit.


06 让用户密码永不过期

# Password-ageing defaults; PASS_MAX_DAYS 99999 effectively disables expiry.
# login.defs is read when an account is created, so this affects accounts
# added afterwards; existing accounts keep their /etc/shadow values and need
# chage(1). Appending keeps the stock entries too, so each key now appears
# twice in the file (the stock CentOS 7 values look identical to these -- verify
# with grep before relying on the append).
cat >>/etc/login.defs<<EOF
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0 
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF


07 命令行及命令行文件对历史操作的记录

echo "export HISTSIZE=10" >>/etc/bashrc      # 用history只能看到最近操作的10条命令记录
echo "export HISTFILESIZE=10" >>/etc/bashrc  # 历史文件中只保留最近命令行操作的10条命令记录
source /etc/bashrc


08 不记录命令行以空格开头的操作记录

echo "HISTCONTROL=ignorespace" >>/etc/bashrc
source /etc/bashrc


09 给危险命令rm做别名

echo "alias rm='echo Do not use the rm command'" >>/etc/bashrc
source /etc/bashrc


10 设置支持中文字符集

echo "LANG=\"zh_CN.UTF-8\"" >/etc/locale.conf


11 更改/etc/rc.d/rc.local文件权限744

# rc-local.service only runs rc.local when it is executable; 744 leaves it
# writable by root alone.
chmod 744 /etc/rc.d/rc.local


12 校准和更新操作系统的时间

初次更新和校准系统时间

## Write the legacy /etc/sysconfig/clock file (appending: re-running adds duplicate lines)
cat >>/etc/sysconfig/clock <<EOF
ZONE="Asia/Shanghai"
UTC=false
ARC=false
EOF

## Point /etc/localtime at the zone file (-f replaces an existing link)
ln -sf /usr/share/zoneinfo/Asia/Shanghai    /etc/localtime

## One-shot step against Aliyun's NTP server (unauthenticated; fine for an
## initial sync, ongoing sync belongs to chronyd/ntpd)
ntpdate ntp1.aliyun.com

## Copy the system time to the hardware clock, then display it
/sbin/hwclock --systohc 
hwclock --show

系统定时更新系统时间

定时更新Linux操作系统的系统时间


13 调整swap交换页面

## Tuning command
chattr -i /etc/sysctl.conf                 # clear the immutable bit in case it was set earlier
echo "vm.swappiness=10" >>/etc/sysctl.conf
sysctl -p                                  # reload so the value applies now
# NOTE(review): swappiness is a 0-100 weight for reclaiming anonymous pages
# versus page cache, not a "start swapping at N% RAM" threshold as the
# comments below describe; 10 means strongly prefer dropping cache first.

    # 我这里是让其当物理内存使用到90%时,才使用swap交换分区
    # 其实当服务器的物理内存用到80%的时候就要进行报警了;
    

## 对应的文件(还没有执行上面的命令哈)和说明
[root@node31 ~]# cat /proc/sys/vm/swappiness 
30   
    # 不同的操作系统这个值是不一样的哈,oracle linux是60,我这里是CentOS linux;
    # 30的意思是:当服务器的物理内存被用到100%-30%=70%时,就让其使用swap交换页面(分区)了
    # 如果设置为0,则表示不使用swap交换页面(分区)

14 防止Cannot allocate memory(无法分配内存)

值为不超过总内存的1%即可,我这里设置的是512M,min_free_kbytes表示强制 Linux 系统最低保留的空闲内存(Kbytes),如果系统可用内存低于设定的 min_free_kbytes 值,则默认系统启动 oom-killer 或强制重启。具体行为由内核参数 vm.panic_on_oom 值决定:
若 vm.panic_on_oom=0(默认),则系统会提示 OOM,并启动 oom-killer 杀掉占用最高内存的进程。
若 vm.panic_on_oom =1,则系统会自动重启。

# Reserve 512 MiB (value is in KiB) for the kernel's own allocations.
# Too large a value reclaims memory aggressively; the text above caps it at ~1% of RAM.
chattr -i /etc/sysctl.conf
echo "vm.min_free_kbytes=524288" >>/etc/sysctl.conf
sysctl -p 


14 调整limit限制

## System-wide limits, applied by pam_limits at login.
## NOTE(review): wildcard (*) entries are not applied to root (limits.conf(5));
## add explicit "root" lines if root sessions need these values.
cat >>/etc/security/limits.conf<<EOF
#### memlock(max locked memory)
#### cpu(cpu time)
*     soft   memlock           unlimited
*     hard   memlock           unlimited
*     soft   cpu               unlimited
*     hard   cpu               unlimited

### open files(nproc\nofile)
*     soft   nproc             102431
*     hard   nproc             102431
*     soft   nofile            102431
*     hard   nofile            102431


####  
* soft stack  65536
* hard stack  65536

####
*     soft   core              unlimited 
*     hard   core              unlimited
EOF

## Max number of processes. Files in limits.d are read after limits.conf, so
## this "unlimited" line overrides the nproc 102431 set above (and replaces the
## stock 20-nproc.conf contents).
echo " * - nproc unlimited" >/etc/security/limits.d/20-nproc.conf

## Make login(1) apply the limits; ssh sessions go through /etc/pam.d/sshd, not this file.
echo "session    required    pam_limits.so" >>/etc/pam.d/login

## sshd: apply PAM limits to ssh logins.
## NOTE(review): sshd_config uses the first value found for a keyword, so an
## appended line is ignored when the keyword is already set uncommented earlier
## in the file (the stock CentOS 7 file already has "UsePAM yes"); check the
## effective config with `sshd -T`. UseLogin was removed in OpenSSH 7.4, which
## CentOS 7.4+ ships -- confirm sshd still accepts it there.
echo "UsePAM yes" >>/etc/ssh/sshd_config
echo "UseLogin yes" >>/etc/ssh/sshd_config
systemctl restart sshd


15.创建普通用户,让其可以su到超级用户

# Clear the immutable bit so useradd/passwd can write the account files.
chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow
# wheel membership is what lets the account reach root via su/sudo policy.
useradd chenliang -G wheel
# NOTE(review): the password is hard-coded here; when typed interactively it
# also lands in shell history, and it is visible in ps while passwd runs. Read
# it from a prompt or a root-only file instead.
echo "chenliang123456"|passwd --stdin chenliang
# Re-locking blocks every later account change (passwd, useradd, system users
# created by package installs) until chattr -i is run again.
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow


17.ssh服务优化

## Change the firewalld ssh service definition to port 921.
## NOTE(review): /usr/lib/firewalld is package-owned and reset on update; the
## override location is /etc/firewalld/services/ssh.xml. The global s#22#921#g
## rewrites every "22" in the file, not only the port attribute. This step is
## also moot while firewalld is masked (section 05).
sed -i 's#22#921#g' /usr/lib/firewalld/services/ssh.xml

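## sshd settings. sshd uses the first value found for a keyword, so appended
## lines only take effect for keywords not already set uncommented earlier in
## the file; in the stock CentOS 7 file "GSSAPIAuthentication yes" is
## uncommented, so that line below is ignored -- check with `sshd -T`.
cat >>/etc/ssh/sshd_config<<EOF
Port 921
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no
GSSAPIAuthentication no
EOF

## Validate the config before restarting so a typo cannot leave the host
## without a working sshd. (With SELinux enforcing, a non-default port also
## needs `semanage port -a -t ssh_port_t -p tcp 921`.)
sshd -t && systemctl restart sshd.service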


二、脚本

脚本名称:Centos7_opt_scrip.sh

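#!/bin/bash
#
# ***** For newly installed systems
# ***** Have access to the Internet
# ***** Root user execution

########## Define variables
RETVAL=0                                   # last command status; also the root UID compared below
Baidu_url="www.baidu.com"                  # host pinged for the connectivity check
Yum_soure="http://mirrors.aliyun.com/repo/Centos-7.repo"  
         ##  According to operating system version
         ##  NOTE(review): fetched over plain http; package integrity then
         ##  rests on the gpgcheck setting inside this repo file.

# Space-separated package list, passed unquoted to yum so it splits into one
# argument per package. Fixed names: "namp" -> nmap; the run-together token
# "psmisclsof" -> psmisc (lsof is already listed).
Common_tools="tree telnet lrzsz wget ntp ntpdate vim net-tools \
              lsof nc nmap dos2unix tcpdump gcc gcc-c++ make \
              cmake libaio zlib-devel pcre-devel psmisc \
              sysstat yum-utils"

# Used by the ssh step; not referenced by the steps shown in this listing.
Change_ssh_port="921"
Firewalld_ssh_file="/usr/lib/firewalld/services/ssh.xml"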

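########## Determine the user to execute
# Every step below writes under /etc, so refuse to run as a non-root user
# ($RETVAL is still 0, the root UID, at this point).
if [ "$UID" -ne $RETVAL ];then
   echo "Must be root to run scripts"
   exit 1
fi

########## Load local functions
# action() prints "<msg>" followed by [  OK  ] / [FAILED] after running the
# given command and returns that command's status. If initscripts is not
# installed, define a minimal stand-in so the status lines below still work
# instead of every step failing with "action: command not found".
if [ -f /etc/init.d/functions ]; then
   source /etc/init.d/functions
else
   action() {
      local msg=$1
      shift
      if "$@"; then
         printf '%s [  OK  ]\n' "$msg"
         return 0
      else
         printf '%s [FAILED]\n' "$msg"
         return 1
      fi
   }
fi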

########## Check Internet access
# Two ICMP probes to $Baidu_url; abort if neither is answered, since every
# later step downloads something.
ping -c 2 "$Baidu_url" >/dev/null 2>&1
RETVAL=$?
if (( RETVAL == 0 )); then
   action "Check internet access" /bin/true
else
   action "Check internet access" /bin/false
   exit 1
fi

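########## Change domestic yum sources
# -f: exit non-zero on an HTTP error instead of saving the error page as the
# repo file (without it a 404 still returned 0 and was reported as success).
curl -f -o /etc/yum.repos.d/CentOS-Base.repo "$Yum_soure" >/dev/null 2>&1
RETVAL=$?
if [ $RETVAL -eq 0 ];then
   action "Change yum sources" /bin/true
else
   action "Change yum sources" /bin/false
fi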

########## Install common toolkits
# $Common_tools is deliberately unquoted: it is a space-separated list that
# must split into one argument per package.
# shellcheck disable=SC2086
yum install -y $Common_tools >/dev/null 2>&1
RETVAL=$?
if (( RETVAL == 0 )); then
   action "Install common toolkits" /bin/true
else
   action "Install common toolkits" /bin/false
fi

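########## Empty version display
# Both banner files must exist. The original test "[ -f A -a B ]" only checked
# the first file (a bare string operand is always true) and used the
# deprecated -a; test each file separately instead.
if [ -f /etc/issue ] && [ -f /etc/issue.net ]; then
   >/etc/issue && >/etc/issue.net
   RETVAL=$?
   if [ $RETVAL -eq 0 ]; then
      action "Empty version display" /bin/true
   else
      action "Empty version display" /bin/false
   fi
else
   echo "/etc/issue or /etc/issue.net does not exist"
fi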

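########## Disable selinux
# Persist the setting, then relax the running policy. setenforce exits
# non-zero when SELinux is already disabled, which made a no-op look like a
# failure; skip it in that case.
# NOTE(review): SELINUX=permissive would keep AVC audit logging while still
# avoiding denials, if avoiding denials is the actual goal.
if [ -f /etc/selinux/config ]; then
   sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config &&
   { [ "$(getenforce 2>/dev/null)" = "Disabled" ] || setenforce 0; }
   RETVAL=$?
   if [ $RETVAL -eq 0 ]; then
      action "Disable selinux" /bin/true
   else
      action "Disable selinux" /bin/false
   fi
fi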

########## User password does not expire
# Append the ageing defaults (same bytes as the former echo -e, including the
# leading and trailing blank lines). These apply to accounts created later;
# existing accounts keep their /etc/shadow values and need chage(1).
if [ -f /etc/login.defs ]; then
   printf '\nPASS_MAX_DAYS   99999\nPASS_MIN_DAYS   0\nPASS_MIN_LEN    5\nPASS_WARN_AGE   7\n\n' >>/etc/login.defs
   RETVAL=$?
   if (( RETVAL == 0 )); then
      action "Set user password not expire" /bin/true
   else
      action "Set user password not expire" /bin/false
   fi
fi

########## Command line history sav change
# Keep only the last 10 commands in memory and on disk, and drop commands
# typed with a leading space. Same bytes as the former echo -e.
# NOTE(review): this reduces the shell audit trail to 10 entries; for
# accountability, record commands with auditd/process accounting instead.
printf '\nexport HISTSIZE=10\nexport HISTFILESIZE=10\nexport HISTCONTROL=ignorespace\n' >>/etc/bashrc
RETVAL=$?
if (( RETVAL == 0 )); then
   action "Command line history sav change" /bin/true
else
   action "Command line history sav change" /bin/false
fi

########## rm command alias set
# Interactive shells only: aliases are not expanded in scripts, and `\rm` or
# `command rm` bypasses the alias, so this is a typo guard rather than a control.
printf '%s\n' "alias rm='echo Do not use the rm command'" >>/etc/bashrc
RETVAL=$?
if (( RETVAL == 0 )); then
   action "Command rm alias set" /bin/true
else
   action "Command rm alias set" /bin/false
fi

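######## Time proofread and first update
# The original echo had unbalanced quotes ("ZONE="Asia/Shanghai"") and wrote
# ZONE=Asia/Shanghai; printf keeps the quotes as in the manual step.
# ntpdate is a one-shot unauthenticated sync; ongoing sync is chronyd/ntpd's job.
printf 'ZONE="Asia/Shanghai"\nUTC=false\nARC=false\n' >/etc/sysconfig/clock &&
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime &&
ntpdate ntp1.aliyun.com >/dev/null 2>&1 &&
/sbin/hwclock --systohc
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
   action "Time proofread and first update" /bin/true
else
   action "Time proofread and first update" /bin/false
fi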
 
######### /etc/rc.d/rc.local file permission change
# rc-local.service only runs rc.local when it is executable; 744 keeps it
# writable by root alone.
chmod 744 /etc/rc.d/rc.local
RETVAL=$?
if (( RETVAL == 0 )); then
   action "/etc/rc.d/rc.local file permission change" /bin/true
else
   action "/etc/rc.d/rc.local file permission change" /bin/false
fi

