Next, I'll give a brief explanation of some basic optimization steps to perform after installing a Linux system.
Note: This optimization is based on CentOS (5.8/6.4). Where 5.8 and 6.4 differ, I will point it out in the relevant step.
Optimization entries:
1. Modify IP address, gateway, host name, DNS, etc.
2. Close SELinux and empty iptables
3. Add ordinary users and manage sudo authorization
4. Update the yum source and install necessary software
5. Automatically update the server time on a schedule
6. Streamline the boot-up self-start services
7. Automatically clean up junk files in /var/spool/clientmqueue/ at regular intervals, preventing the inodes from filling up
8. Change the default ssh service port and prohibit root users from logging in remotely
9. Lock key system files
10. Adjust the file descriptor limit
11. Adjust the character set to support Chinese
12. Remove the system and kernel version display from the pre-login screen
13. Kernel parameter optimization
1. Modify IP address, gateway, host name, DNS, etc.
[root@localhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0 #NIC name
BOOTPROTO=static #How the IP address is obtained: static is a fixed address, dhcp obtains one automatically
IPADDR=192.168.1.113 #IP address
NETMASK=255.255.255.0 #Subnet mask
ONBOOT=yes #Whether to activate at boot
GATEWAY=192.168.1.1
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.113
NETMASK=255.255.255.0
ONBOOT=yes
GATEWAY=192.168.1.1
[root@localhost ~]# vi /etc/sysconfig/network
HOSTNAME=c64 #Change the host name; takes effect after a restart
GATEWAY=192.168.1.1 #Default gateway; if no gateway is configured in the eth0 file above, this one is used
[root@localhost ~]# cat /etc/sysconfig/network
HOSTNAME=c64
GATEWAY=192.168.1.1
We can also run "hostname c64" to change the host name for the running system; it shows up after logging in again.
Modify DNS
[root@localhost ~]# vi /etc/resolv.conf #Modify the DNS information
nameserver 114.114.114.114
nameserver 8.8.8.8
[root@localhost ~]# cat /etc/resolv.conf #View the modified DNS information
nameserver 114.114.114.114
nameserver 8.8.8.8
[root@localhost ~]# service network restart #Restart the network service so the changes take effect
To restart the network service, you can also use the following command:
[root@localhost ~]# /etc/init.d/network restart
2. Close SELinux and empty iptables
Close SELinux
[root@c64 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config #Modifying the configuration file takes effect permanently, but requires a reboot
[root@c64 ~]# grep SELINUX=disabled /etc/selinux/config #View the changed result
SELINUX=disabled
[root@c64 ~]# setenforce 0 #Takes effect immediately, until the next reboot
[root@c64 ~]# getenforce #View the current SELinux status
Permissive
Empty iptables
[root@c64 ~]# iptables -F #Flush the firewall rules
[root@c64 ~]# iptables -L #View the firewall rules
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@c64 ~]# /etc/init.d/iptables save #Save the firewall configuration
3. Add ordinary users and manage sudo authorization
[root@c64 ~]# useradd sunsky
[root@c64 ~]# echo "123456"|passwd --stdin sunsky && history -c
[root@c64 ~]# visudo #Below the line "root ALL=(ALL) ALL", add the following
sunsky ALL=(ALL) ALL
4. Update the yum source and install necessary software
By default, yum fetches rpm packages from the official mirrors abroad; switch to a domestic (Chinese) mirror for speed.
Two faster mirror sites in China: the Sohu mirror site and the Netease mirror site.
Method 1: Write the repo configuration file locally and upload it to the Linux host.
Method 2: Download the repo configuration file provided by the mirror site.
[root@c64 ~]# cd /etc/yum.repos.d/
[root@c64 yum.repos.d]# /bin/mv CentOS-Base.repo CentOS-Base.repo.bak
[root@c64 yum.repos.d]# wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
Next, run the following commands to check that yum works:
[root@c64 yum.repos.d]# yum clean all #Clear the yum cache
[root@c64 yum.repos.d]# yum makecache #Build the yum cache
Then update the system to the latest packages using the following commands:
[root@c64 yum.repos.d]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY* #Import the package signing keys into rpm
[root@c64 yum.repos.d]# yum upgrade -y #Update the system, including the kernel, to the latest packages
Next, we need to install some necessary software.
[root@c64 yum.repos.d]# yum install lrzsz ntpdate sysstat -y
lrzsz is an upload and download tool.
sysstat is a tool for measuring system performance and efficiency.
5. Automatically update the server time on a schedule
[root@c64 ~]# echo '*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1' >>/var/spool/cron/root
[root@c64 ~]# echo '*/10 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root
Tip: the path of the ntpdate command differs between CentOS versions:
on CentOS 6 it is /usr/sbin/ntpdate
on CentOS 5 it is /sbin/ntpdate
Extension: when there are only a few machines, the scheduled task above is enough to keep their time in sync. With many machines, a dedicated NTP server can be deployed on the network as the time source. This is only mentioned here, not deployed.
Time synchronization server architecture diagram: (image not reproduced in this text)
6. Streamline the boot-up self-start services
Right after installing the operating system, you can keep only four services: crond, network, syslog and sshd. (On CentOS 6.4 the syslog service is called rsyslog.)
[root@c64 ~]# for sun in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 3 $sun off;done
[root@c64 ~]# for sun in crond rsyslog sshd network;do chkconfig --level 3 $sun on;done
[root@c64 ~]# chkconfig --list|grep 3:on
crond      0:off 1:off 2:on  3:on  4:on  5:on  6:off
network    0:off 1:off 2:on  3:on  4:on  5:on  6:off
rsyslog    0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd       0:off 1:off 2:on  3:on  4:on  5:on  6:off
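As an added example (not a script from the original post), the following audits the output of "chkconfig --list" against the four-service allowlist above and prints, as a dry run, the chkconfig commands that would bring runlevel 3 in line; the listing it reads is constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: audit "chkconfig --list" output
# against the four-service allowlist from section 6 and print, as a dry run,
# the chkconfig commands that would bring runlevel 3 in line. Nothing is
# changed on the host; the listing below is constructed.

ALLOWED="crond network rsyslog sshd"

# enabled_at_runlevel LEVEL: read a chkconfig listing on stdin and print the
# services that are "on" at LEVEL (field-exact, so "3:off" never matches).
enabled_at_runlevel() {
    awk -v want="$1:on" '{ for (i = 2; i <= NF; i++) if ($i == want) print $1 }'
}

# in_list ITEM LIST: 0 if ITEM is one of the whitespace-separated words in LIST.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# extra_services LISTING: services on at runlevel 3 that are not allowlisted,
# each printed as the command that would disable it.
extra_services() {
    enabled_at_runlevel 3 < "$1" | while read -r svc; do
        in_list "$svc" "$ALLOWED" || echo "chkconfig --level 3 $svc off"
    done
}

# missing_services LISTING: allowlisted services that are not on at runlevel 3.
missing_services() {
    for want in $ALLOWED; do
        enabled_at_runlevel 3 < "$1" | grep -qx "$want" ||
            echo "chkconfig --level 3 $want on"
    done
}

# Constructed listing in the format of "chkconfig --list" on CentOS 6.
LISTING=$(mktemp)
cat > "$LISTING" <<'EOF'
crond      0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups       0:off 1:off 2:on  3:on  4:on  5:on  6:off
network    0:off 1:off 2:on  3:on  4:on  5:on  6:off
postfix    0:off 1:off 2:on  3:on  4:on  5:on  6:off
rsyslog    0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd       0:off 1:off 2:on  3:off 4:on  5:on  6:off
EOF
extra_services "$LISTING"
missing_services "$LISTING"
```

On a real host, pipe "chkconfig --list" into a file and pass that file instead of the constructed listing.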
7. Automatically clean up junk files in /var/spool/clientmqueue/ at regular intervals, preventing the inodes from filling up
This step is not needed on 6.4 and can be skipped.
[root@c64 ~]# mkdir /server/scripts -p
[root@c64 ~]# vi /server/scripts/spool_clean.sh
#!/bin/sh
# Delete files under /var/spool/clientmqueue/ that are older than 30 days
find /var/spool/clientmqueue/ -type f -mtime +30 -print0 | xargs -0 rm -f
Then add it to the crontab timing task
[root@c64 ~]# echo '*/30 * * * * /bin/sh /server/scripts/spool_clean.sh >/dev/null 2>&1'>>/var/spool/cron/root
8. Change the default ssh service port and prohibit root users from logging in remotely
[root@c64 ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
[root@c64 ~]# vim /etc/ssh/sshd_config
Port 52113 #ssh listening port (the default is 22)
PermitRootLogin no #Do not allow the root user to log in remotely
PermitEmptyPasswords no #Do not allow logins with an empty password
UseDNS no #Do not perform DNS lookups on connecting clients
[root@c64 ~]# /etc/init.d/sshd reload #Reload the configuration
[root@c64 ~]# netstat -lnt #View the listening ports
[root@c64 ~]# lsof -i tcp:52113
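As an added example (not the original post's commands), this applies the four sshd_config settings above to a copy of the config and verifies what sshd would actually use before the daemon is reloaded; the sample config fragment and the temp file are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: apply the section-8 sshd_config
# settings to a copy of the config and verify them before reloading sshd.
# The sample fragment and temp path below are constructed.

# set_sshd_option FILE KEY VALUE: replace an existing "KEY ..." line, whether
# commented out or not, with "KEY VALUE"; append the line if KEY is absent.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_value FILE KEY: the value sshd uses (first uncommented match wins,
# so a stray duplicate further down would be ignored by the daemon).
effective_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE: the four settings from section 8.
harden_sshd() {
    set_sshd_option "$1" Port 52113
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PermitEmptyPasswords no
    set_sshd_option "$1" UseDNS no
}

# check_hardening FILE: 0 only when every setting is in effect. Run this (and
# "sshd -t") before "/etc/init.d/sshd reload", and keep the current session
# open until a second login on the new port succeeds.
check_hardening() {
    [ "$(effective_value "$1" Port)" = 52113 ] &&
    [ "$(effective_value "$1" PermitRootLogin)" = no ] &&
    [ "$(effective_value "$1" PermitEmptyPasswords)" = no ] &&
    [ "$(effective_value "$1" UseDNS)" = no ]
}

# Constructed fragment resembling a stock CentOS 6 sshd_config.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#Port 22
Protocol 2
#PermitRootLogin yes
PermitEmptyPasswords yes
EOF
harden_sshd "$SAMPLE"
check_hardening "$SAMPLE" && echo "sshd_config hardened: $SAMPLE"
```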
9. Lock key system files
[root@c64 ~]# chattr +i /etc/passwd
[root@c64 ~]# chattr +i /etc/inittab
[root@c64 ~]# chattr +i /etc/group
[root@c64 ~]# chattr +i /etc/shadow
[root@c64 ~]# chattr +i /etc/gshadow
After running chattr, rename the chattr binary itself for extra safety:
[root@c64 ~]# /bin/mv /usr/bin/chattr /usr/bin/<any name>
10. Adjust the file descriptor limit
[root@localhost ~]# ulimit -n #View the file descriptor limit
1024
[root@localhost ~]# echo '* - nofile 65535' >> /etc/security/limits.conf
After the change, log in again and the new limit is visible.
Tip: you can also add the command "ulimit -SHn 65535" to /etc/rc.local so that it takes effect on every reboot.
[root@c64 ~]# cat >>/etc/rc.local<<EOF
#open files
ulimit -HSn 65535
#stack size
ulimit -s 65535
EOF
Extension: File Descriptor
Formally, a file descriptor is a non-negative integer. In practice it is an index into the table of open files that the kernel maintains for each process. When a program opens an existing file or creates a new one, the kernel returns a file descriptor to the process. Low-level programming often revolves around file descriptors, but the concept applies only to Unix-like operating systems such as Linux.
Traditionally, standard input is file descriptor 0, standard output is 1, and standard error is 2. Although this convention is not a feature of the Unix kernel itself, shells and many applications rely on it, and many of them would break if the kernel did not follow it.
11. Adjust the character set to support Chinese
sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.GB18030"#' /etc/sysconfig/i18n
source /etc/sysconfig/i18n
Extension: What is a character set?
Simply put, a character set is a set of character symbols together with their encoding. Commonly used character sets are:
GBK: fixed-length double-byte encoding; not an international standard, but supported by many systems.
UTF-8: variable-length encoding of 1 to 4 bytes per character; widely supported, and used by MySQL.
12. Remove the system and kernel version display from the pre-login screen
[root@c64 ~]# >/etc/redhat-release
[root@c64 ~]# >/etc/issue
13. Kernel parameter optimization
Note: this optimization suits web workloads such as apache, nginx and squid. Specific workloads may need minor adjustments.
[root@c64 ~]# vi /etc/sysctl.conf
#by sun in 20131001
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
# The following parameters tune the iptables firewall's connection tracking; if the firewall is not enabled, sysctl reports them as unknown keys, which can be ignored.
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
[root@localhost ~]# sysctl -p #Make the configuration file take effect
Tip: in CentOS 6.x the module is named nf_conntrack rather than ip_conntrack, so when editing /etc/sysctl.conf the old parameter net.ipv4.netfilter.ip_conntrack_max must be changed to net.netfilter.nf_conntrack_max (and the other conntrack keys likewise).
That is, the firewall-related parameters on 5.8 are:
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
On 6.4 they are:
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
In addition, errors may appear during this optimization:
Error 1 (version 5.8):
error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key
This error usually means that the firewall has not been started, or that the loadable module ip_conntrack has not been loaded. There are two solutions: start the firewall, or load the ip_conntrack module automatically:
modprobe ip_conntrack
echo "modprobe ip_conntrack" >> /etc/rc.local
Error 2 (version 6.4):
error: "net.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_max" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_established" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.netfilter.nf_conntrack_tcp_timeout_fin_wait" is an unknown key
This error usually means that the firewall has not been started, or that the loadable module nf_conntrack has not been loaded. There are two solutions: start the firewall, or load the nf_conntrack module automatically:
modprobe nf_conntrack
echo "modprobe nf_conntrack" >> /etc/rc.local
Error 3 (version 6.4):
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
This error is caused by the loadable module bridge not being loaded automatically. The solution is to load the bridge module automatically:
modprobe bridge
echo "modprobe bridge" >> /etc/rc.local
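As an added example (not from the original post), the following rewrites the 5.8-style conntrack key names in a sysctl.conf to the 6.x nf_conntrack names from section 13 and lists the keys the running kernel does not expose, which is what produces the "is an unknown key" errors above; the input fragment and file paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: rewrite the CentOS 5.8 conntrack
# key names in a sysctl.conf to the CentOS 6.x nf_conntrack names, and list
# the keys the running kernel does not expose, which is exactly what makes
# "sysctl -p" report "is an unknown key". File paths are constructed.

# convert_conntrack_keys IN OUT: rename keys only; values are left unchanged.
convert_conntrack_keys() {
    sed -E \
        -e 's/^net\.ipv4\.ip_conntrack_max([[:space:]]*=)/net.nf_conntrack_max\1/' \
        -e 's/^net\.ipv4\.netfilter\.ip_conntrack_/net.netfilter.nf_conntrack_/' \
        "$1" > "$2"
}

# conf_keys FILE: print the key names, ignoring comments and blank lines.
conf_keys() {
    sed -E -e 's/#.*$//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*([^[:space:]=]+)[[:space:]]*=.*$/\1/' "$1"
}

# unknown_keys FILE: keys with no matching file under /proc/sys. A missing
# conntrack or bridge key means the module is not loaded yet, which is why
# the fix in the text is "modprobe ... >> /etc/rc.local".
unknown_keys() {
    conf_keys "$1" | while read -r key; do
        path="/proc/sys/$(printf '%s' "$key" | tr . /)"
        [ -e "$path" ] || echo "$key"
    done
}

# Constructed 5.8-style fragment, as in section 13.
OLD=$(mktemp); NEW=$(mktemp)
cat > "$OLD" <<'EOF'
# conntrack tuning (5.8 key names)
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.ipv4.tcp_syncookies = 1
EOF
convert_conntrack_keys "$OLD" "$NEW"
cat "$NEW"
```

Running "unknown_keys /etc/sysctl.conf" before "sysctl -p" shows which keys would fail on this kernel, and therefore which module still needs loading.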
At this point, the basic post-installation optimization of our Linux system is essentially complete. In summary, there are 13 optimization points to be familiar with. Later I will share a one-click optimization shell script for us to discuss and learn from together.