
Linux Server Initialization Tuning and Security Hardening

1. Enable iptables

Open only the ports that are actually needed: SSH plus the monitoring ports. Everything else should fall through to a default DROP policy on INPUT. Example:
SSH    tcp 22    (or the non-default port chosen in step 3; open it before restarting sshd)
snmpd  udp 161   (restrict the source address to the monitoring server)
nrpe   tcp 5666  (same)
The administrator's own public IP: all ports open.
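As an added example (not code from the original post), the policy above written out as an iptables-restore ruleset, together with a small audit that lists every port the ruleset exposes to any source. The service ports are the ones listed above; the SSH port 2222, the administrator address 203.0.113.10 and the monitoring server 198.51.100.5 are placeholder assumptions from the documentation address ranges, and the function names are mine. The SSH rule is left open to all sources as in the post; add `-s ADMIN_IP` to it if nobody else needs to log in.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds an iptables-restore
# ruleset for "open only SSH and the monitoring ports" and audits it.
# Addresses are placeholders from the documentation ranges (RFC 5737).

# gen_rules SSH_PORT ADMIN_IP MONITOR_IP  -> ruleset on stdout
# Default policy is DROP on INPUT; loopback, established traffic, ICMP echo and
# the listed services are the only exceptions. snmpd/nrpe are reachable solely
# from the monitoring server; the admin's own IP gets every port, as in the post.
gen_rules() {
  ssh_port=$1 admin_ip=$2 monitor_ip=$3
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# let the monitoring server ping the host
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# SSH on the chosen port (add "-s ADMIN_IP" here if only you need to log in)
-A INPUT -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
# snmpd and nrpe: only from the monitoring server
-A INPUT -s $monitor_ip -p udp --dport 161 -j ACCEPT
-A INPUT -s $monitor_ip -p tcp --dport 5666 -m state --state NEW -j ACCEPT
# the administrator's own public IP: all ports
-A INPUT -s $admin_ip -j ACCEPT
# log a sample of everything else before the DROP policy catches it
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# audit_open_ports: read rules (this generator's output or "iptables -S INPUT")
# on stdin and print proto/port for every ACCEPT rule that opens a port without
# a source restriction. Anything listed here is exposed to the whole Internet.
audit_open_ports() {
  awk '/^-A INPUT/ && /-j ACCEPT/ && /--dport/ && !/ -s / {
         for (i = 1; i <= NF; i++) {
           if ($i == "-p") proto = $(i + 1)
           if ($i == "--dport") port = $(i + 1)
         }
         print proto "/" port
       }'
}

# Typical use on CentOS 6 (run from a console or the admin IP in case of a typo):
#   gen_rules 2222 203.0.113.10 198.51.100.5 > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
#   iptables -S INPUT | audit_open_ports    # expect only tcp/2222
```

Running the audit against the live `iptables -S INPUT` output after every change is the quickest way to notice a rule that accidentally opens a monitoring port to the world.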

2. Unless you are thoroughly familiar with SELinux configuration, turn it off

Check the current state with getenforce; if it reports Enforcing or Permissive, disable it:
vim /etc/sysconfig/selinux
SELINUX=disabled
Write it exactly like that, with no spaces around the equals sign, or the line is not recognized (/etc/sysconfig/selinux is a symlink to /etc/selinux/config). The change takes effect after a reboot; setenforce 0 switches the running system to permissive immediately but is lost at reboot. Keep in mind that this removes a mandatory access control layer: if the goal is only to stop SELinux from blocking a service, SELINUX=permissive keeps logging denials to /var/log/audit/audit.log without enforcing them.

3. Harden the SSH port and root login

vim /etc/ssh/sshd_config
Replace the default port 22 with another port above 1024, for example:
Port 2222
If root does not need to log in directly, forbid it and switch with su from an ordinary account:
PermitRootLogin no
Then validate and restart: sshd -t (no output means the file parses), followed by service sshd restart. Open the new port in iptables first, and confirm a login on the new port from a second terminal before closing the session you are working in.
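An added example of applying these two settings safely, not code from the original post: it rewrites a directive in place (including the commented-out default line such as `#PermitRootLogin yes` that the stock file ships), is idempotent, and keeps the change above any `Match` block, where a directive would otherwise only apply to that block. The config path and port 2222 are the post's; the helper names `set_sshd_opt` and `harden_sshd` are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: apply this section's two
# sshd_config changes idempotently and check them before restarting sshd.
# The file path and port 2222 are the post's examples; the helper names are mine.

# set_sshd_opt FILE KEY VALUE
# Rewrites the first top-level occurrence of KEY (active, or commented out as
# "#Key ..." the way the stock file ships its defaults) to "KEY VALUE" and
# drops later duplicates, so running it twice changes nothing. If KEY is absent
# it is inserted before the first "Match" block (a directive placed after
# "Match" applies only inside that block) or appended at the end. Directives
# inside Match blocks are left alone.
set_sshd_opt() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp) || return 1
  awk -v key="$key" -v value="$value" '
    function keyof(line,    s, f) {
      s = line
      sub(/^[ \t]*/, "", s)
      if (s ~ /^#[A-Za-z]/) s = substr(s, 2)   # "#Key" is a commented-out default
      split(s, f, "[ \t=]+")
      return tolower(f[1])                    # sshd keywords are case-insensitive
    }
    tolower($1) == "match" {
      if (!done) { print key " " value; done = 1 }
      inmatch = 1
    }
    !inmatch && keyof($0) == tolower(key) {
      if (!done) { print key " " value; done = 1 }
      next                                    # drop duplicates and stale comments
    }
    { print }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$file"                        # keeps the original owner and mode
  rm -f "$tmp"
}

# harden_sshd FILE [PORT]: the two changes from this section.
harden_sshd() {
  file=$1 port=${2:-2222}
  set_sshd_opt "$file" Port "$port" &&
  set_sshd_opt "$file" PermitRootLogin no
}

# Typical use, keeping the current SSH session open until the new one works:
#   cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd /etc/ssh/sshd_config 2222
#   sshd -t                      # config check; silence means it parsed
#   service sshd restart
#   ssh -p 2222 user@host        # from a second terminal, then close the first
```

The awk pass rather than a plain `sed -i 's/^#Port 22/Port 2222/'` is what makes the script safe to rerun: a second run finds the active `Port 2222` line and leaves the file unchanged instead of appending a second directive.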

4. Trim system services

Principle of least services: anything that is not needed is switched off. The loop below walks the runlevel-3 start links in /etc/rc3.d, keeps a whitelist of base services and disables everything else. Review the whitelist for your own host before running it (the syslog service is called rsyslog on CentOS 6, and auditd is worth keeping on a hardened host); the script stops services immediately, so run it from a console or from an SSH session, which is on the whitelist.

for a in `ls /etc/rc3.d/S*`
do
        CURSRV=`echo $a | cut -c15-`        # strip "/etc/rc3.d/Snn" to get the service name
        echo $CURSRV
        case $CURSRV in
        mysqld|crond|irqbalance|iptables|ip6tables|xinetd|microcode_ctl|network|random|sshd|syslog|rsyslog|auditd|local|snmpd)
                echo "Base services, skip"
                ;;
        *)
                echo "change $CURSRV to off"
                chkconfig --level 235 $CURSRV off
                service $CURSRV stop
                ;;
        esac
done
5. Kernel parameter tuning (sysctl)
  • Edit /etc/sysctl.conf
# routing off, reverse-path filtering and no source-routed packets
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
# SYN cookies keep listening sockets reachable under a SYN flood
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
# tcp_tw_reuse below only works when TCP timestamps are on, so leave them enabled
net.ipv4.tcp_timestamps = 1
# a retry count of 1 makes connection setup fail on a single lost packet:
# fine inside a clean LAN, too aggressive for lossy links
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
# tcp_tw_recycle is deliberately left out: it drops connections from clients
# behind NAT (several hosts sharing one address) and was removed in Linux 4.12
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
# 1 second is very aggressive for FIN-WAIT-2; 30 is the more common choice
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65535
  • Apply
    sysctl -p
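sysctl -p only loads the file once; nothing later tells you whether the running kernel still matches it. As an added example (not code from the original post), a small audit that reads a sysctl.conf-style file and compares each key with what `sysctl -n` reports, flagging values that drifted and keys the kernel does not know (as tcp_tw_recycle would be on a 4.12 or newer kernel). The function names are mine, and the `read_current` helper is kept separate so it can be stubbed for testing.

```shell
#!/bin/sh
# Added example, not code from the original post: compare the values in a
# sysctl.conf-style file with what the running kernel reports, so a host that
# never got "sysctl -p" (or where a later change reset a key) is caught.

# read_current KEY -> current kernel value, empty if the key does not exist.
# Kept as its own function so it can be replaced with a stub when testing.
read_current() {
  sysctl -n "$1" 2>/dev/null </dev/null
}

# normalize: collapse tabs/spaces so "4096<TAB>87380<TAB>4194304" from the
# kernel compares equal to "4096 87380 4194304" from the file.
normalize() {
  tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# sysctl_audit FILE -> one line per key: OK, DRIFT (value differs) or MISSING
# (key unknown to this kernel). Returns 1 if anything is not OK, so it can
# gate a deploy or a cron-driven compliance check.
sysctl_audit() {
  file=$1 rc=0
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | normalize)
    case $line in ''|\#*) continue ;; esac          # skip blanks and comments
    key=$(printf '%s' "$line" | cut -d= -f1 | normalize)
    want=$(printf '%s' "$line" | cut -d= -f2- | normalize)
    have=$(read_current "$key" | normalize)
    if [ -z "$have" ]; then
      printf 'MISSING %s\n' "$key"; rc=1
    elif [ "$have" != "$want" ]; then
      printf 'DRIFT %s want=%s have=%s\n' "$key" "$want" "$have"; rc=1
    else
      printf 'OK %s\n' "$key"
    fi
  done < "$file"
  return $rc
}

# Usage: sysctl_audit /etc/sysctl.conf || echo "kernel settings have drifted"
```

A MISSING result on a key you rely on is worth more than a DRIFT: it means the file is silently carrying a setting this kernel ignores, which is exactly how stale tunables survive OS upgrades.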
6. Raise the open-file limit

vim /etc/security/limits.conf
*    soft    nofile    65535
*    hard    nofile    65535
The new limit applies to PAM login sessions started after the change: log out and back in, then check with ulimit -n. Daemons started by init on CentOS 6 do not pass through pam_limits, so a service that needs more file descriptors must set ulimit -n in its init script.

7. Record user logins and command history
  • Append the following to /etc/profile
HISTSIZE=5000
export HISTTIMEFORMAT="%F %T "
user=`whoami`
# "who am i" reports the login session even after su; the last field is the source host in parentheses
ip=`who -u am i | awk '{print $NF}' | sed 's/[()]//g'`
dt=`who -u am i | awk '{print $3" "$4}'`
date=`date "+%Y-%m-%d"`
user_date=/tmp/.history/$user/$date
history_file=$user_date/${user}_history_$date.txt
login_file=$user_date/${user}_login_$date.txt
mkdir -p "$user_date"
chmod 700 "/tmp/.history/$user" "$user_date"
# plain echo does not expand \t and \n in bash; printf does
printf '%s\t%s\t%s\n' "$user" "$dt" "$ip" >> "$login_file"
chmod 600 "$login_file"
touch "$history_file"
export HISTFILE="$history_file"
chmod 600 "$history_file"
  • source /etc/profile
  • From the next login on, the login and history records appear under /tmp/.history
  Caveats: /tmp is world-writable, so another local user can pre-create /tmp/.history/<name> before that user first logs in, and tmpwatch purges entries under /tmp after ten days without access; a user also controls their own shell and can simply unset HISTFILE, and bash writes history only when the shell exits (PROMPT_COMMAND='history -a' flushes after each command). Treat this as convenience logging; for an audit trail use auditd or forward to a remote syslog.
8. Speed up yum
  • Use the domestic NetEase (163) mirror for faster yum downloads
    mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
    cd /etc/yum.repos.d && wget http://mirrors.163.com/.help/CentOS6-Base-163.repo && yum makecache && yum list
  The repo file is fetched over plain HTTP, so check that the downloaded file still has gpgcheck=1 for each repository; package signature verification is what protects you if the mirror or the transfer is tampered with.
Reproduction without permission prohibited: 小柳实验室 » Linux Server Initialization Tuning and Security Hardening