CentOS 6.x安装完成后的优化

查看系统32位还是64位

[root@i-92x8m5i3 logs]# uname -r
2.6.32-504.16.2.el6.x86_64
[root@i-92x8m5i3 logs]# uname -a
Linux i-92x8m5i3 2.6.32-504.16.2.el6.x86_64 #1 SMP Wed Apr 22 06:48:29 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@i-92x8m5i3 logs]# ls -d /lib64
/lib64

[root@local-dev ~]# uname -m
x86_64
[root@local-dev ~]# cat /etc/redhat-release 
CentOS release 6.5 (Final)

配置网卡

使用setup命令或编辑/etc/sysconfig/network-scripts/ifcfg-eth0内容

网卡配置完成后执行
ifup eth0 启动网卡
ifconfig eth0 查看获取的ip
·ping baidu.com· 检测网卡是否畅通

尽量不用/etc/init.d/network restart重启网卡,这会影响物理机上的所有网卡

[root@localhost ~]# ifdown eth0 && ifup eth0 快速重启

网络畅通步骤一,查看网卡

[root@local-dev ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:50:56:94:6B:B4  
          inet addr:10.0.1.16  Bcast:10.0.1.255  Mask:255.255.254.0
          inet6 addr: fe80::250:56ff:fe94:6bb4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9005200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11334373 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1388103677 (1.2 GiB)  TX bytes:6820763127 (6.3 GiB)

网络畅通步骤二,查看默认网关

[root@local-dev ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.254.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0

网络畅通步骤三,查看dns设置

[root@local-dev ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 114.114.114.114

在centos6.6中,只在确定的ifcfg-eth0网卡配置文件上配置dns,如果在/etc/resolv.conf上配置dns,使用命令/etc/init.d/network restart会清除/etc/resolv.conf的dns配置

经过网络畅通三步骤应该就可以上网了

网卡的配置文件

[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0       # 网卡名, eth1第二块网卡名,以此类推
TYPE=Ethernet     # 上网类型,以太网
UUID=8d6bdf86-1fda-4334-99bb-74b634018e9d    # 唯一标志码
ONBOOT=yes        # 开机自启动
NM_CONTROLLED=yes  # 是否通过NetworkManager管理网卡设备
BOOTPROTO=dhcp     # 启动协议,none|bootp|dhcp三种选项
HWADDR=00:0C:29:50:98:80 # 网卡mac地址
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no     # 是否支持IP6
NAME="System eth0"
LAST_CONNECT=1486401226

IPADDR=10.0.1.16      # 固定IP
PREFIX=23
GATEWAY=10.0.0.1
NETMASK=255.255.255.0 #子网掩码
DNS1=114.114.114.114  # 主DNS,默认会覆盖/etc/resolv.conf的配置

更新系统,打补丁

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
yum clean all
yum makecache
yum update -y  # 更新系统,打补丁

安装额外的工具软件包

 [root@localhost ~]# yum install tree telnet dos2unix sysstat lrzsz nc nmap -y

sysstat包含了iostat(cpu使用率和硬盘吞吐率)、mpstat(单个或多个)处理器相关的数据、sor(收集报告并存储系统活跃信息)
yum grouplist 查看所有包名称
yum groupinstall "Development Tools" 指定包组名安装,注意需要双引号

连接不上服务排查

一、检查物理链路是否有问题(客户端执行)
ping 10.0.0.7 # 排查线路问题
windows:tracert -d 10.0.0.7 # 检查线路是否畅通 -d 不进行反向解析
linux:traceroute 10.0.0.7 -n

二、服务是否开启端口(客户端执行)
telnet 10.0.0.7 22
nmap 10.0.0.7 -p 22 (linux环境,需要安装)

三、是否防火墙阻挡(服务端执行)
/etc/init.d/iptables status

例如:检查ssh服务是否开启

[root@i-92x8m5i3 backend]# ps -ef | grep sshd | grep -v grep
root      1075     1  0 May04 ?        00:00:00 /usr/sbin/sshd
root      2100  1075  0 10:25 ?        00:00:00 sshd: root@pts/2 
root      5565  1075  0 12:21 ?        00:00:00 sshd: root@pts/3 
root     19821  1075  0 Jun26 ?        00:00:03 sshd: root@pts/0,pts/1
[root@i-92x8m5i3 backend]# netstat -lntup | grep sshd
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1075/sshd           
tcp        0      0 :::22                       :::*                        LISTEN      1075/sshd 

用户

[root@local-dev ~]# useradd ljq
[root@local-dev ~]# passwd ljq
Changing password for user ljq.
New password: 
BAD PASSWORD: it is too simplistic/systematic
BAD PASSWORD: is too simple
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@local-dev ~]# su - ljq
[ljq@chuangxin ~]$ whoami
ljq
[ljq@chuangxin ~]$ su - root
Password: 

一句话完成密码设置,但是需要该用户已存在
[root@local-dev ~]# echo “1234” | passwd –stdin ljq && history -c
Changing password for user ljq.
passwd: all authentication tokens updated successfully.

[ljq@chuangxin ~]$          普通用户为$美元符号
[root@local-dev ~]#         root用户为#符号

[root@i-92x8m5i3 backend]# whoami     # 查看当前用户
root
[root@i-92x8m5i3 backend]# hostname   # 查看当前主机名
i-92x8m5i3

[root@local-dev ~]# echo $PS1      #设置PS1变量
\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@local-dev \[\e[35;40m\]\W\[\e[0m\]]\$

安全设置

关闭SELinux

1、修改SELinux配置文件,使之永远失效

[root@localhost ~]#  sed -i 's/SELINUX=enforcing/SELinux=disabled/' /etc/selinux/config
[root@localhost ~]# grep SELINUX=disabled /etc/selinux/config
SELINUX=disabled

2、结合手动关闭,可避免重启

[root@localhost ~]# setenforce 0
setenforce: SELinux is disabled
[root@localhost ~]# getenforce
Disabled

设定运行基本为3(文本模式)

[root@localhost ~]# runlevel
N 3
[root@localhost ~]# grep 3:initdefault /etc/inittab
id:3:initdefault:

实现精简开机

默认启动只需要开启如下5种服务即可

  • sshd

  • rsylog 系统的守护进程使用rsylog程序将各种信息写到各个系统日志文件中

  • network 激活或关闭各个网络接口

  • crond

  • sysstat 检测系统性能及运行效率的工具

设置开机自自动项

方式一,执行命令完成设置
执行ntsysv命令或执行setup命令,选择system service选项
退出按Tab键进行选择Exit退出

方式二,使用shell完成设置

注意:只查找3级别的服务项即可

1、先全部关闭,在开启保留项

# 1、先查看level 3的服务开关状况
[root@localhost ~]# LANG=en
[root@localhost ~]# echo $LANG
en
[root@localhost ~]# chkconfig --list
auditd             0:off    1:off    2:on    3:on    4:on    5:on    6:off
blk-availability    0:off    1:on    2:on    3:on    4:on    5:on    6:off
crond              0:off    1:off    2:on    3:on    4:on    5:on    6:off
ip6tables          0:off    1:off    2:on    3:on    4:on    5:on    6:off
iptables           0:off    1:off    2:on    3:on    4:on    5:on    6:off
lvm2-monitor       0:off    1:on    2:on    3:on    4:on    5:on    6:off
messagebus         0:off    1:off    2:on    3:on    4:on    5:on    6:off
netconsole         0:off    1:off    2:off    3:off    4:off    5:off    6:off
netfs              0:off    1:off    2:off    3:on    4:on    5:on    6:off
network            0:off    1:off    2:on    3:on    4:on    5:on    6:off
postfix            0:off    1:off    2:on    3:on    4:on    5:on    6:off
rdisc              0:off    1:off    2:off    3:off    4:off    5:off    6:off
restorecond        0:off    1:off    2:off    3:off    4:off    5:off    6:off
rsyslog            0:off    1:off    2:on    3:on    4:on    5:on    6:off
saslauthd          0:off    1:off    2:off    3:off    4:off    5:off    6:off
sshd               0:off    1:off    2:on    3:on    4:on    5:on    6:off
udev-post          0:off    1:on    2:on    3:on    4:on    5:on    6:off

#2、关闭后,查看关闭状况
[root@localhost ~]# for oldboy in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 3 $oldboy off;done
[root@localhost ~]# chkconfig --list
auditd             0:off    1:off    2:on    3:off    4:on    5:on    6:off
blk-availability    0:off    1:on    2:on    3:off    4:on    5:on    6:off
crond              0:off    1:off    2:on    3:off    4:on    5:on    6:off
ip6tables          0:off    1:off    2:on    3:off    4:on    5:on    6:off
iptables           0:off    1:off    2:on    3:off    4:on    5:on    6:off
lvm2-monitor       0:off    1:on    2:on    3:off    4:on    5:on    6:off
messagebus         0:off    1:off    2:on    3:off    4:on    5:on    6:off
netconsole         0:off    1:off    2:off    3:off    4:off    5:off    6:off
netfs              0:off    1:off    2:off    3:off    4:on    5:on    6:off
network            0:off    1:off    2:on    3:off    4:on    5:on    6:off
postfix            0:off    1:off    2:on    3:off    4:on    5:on    6:off
rdisc              0:off    1:off    2:off    3:off    4:off    5:off    6:off
restorecond        0:off    1:off    2:off    3:off    4:off    5:off    6:off
rsyslog            0:off    1:off    2:on    3:off    4:on    5:on    6:off
saslauthd          0:off    1:off    2:off    3:off    4:off    5:off    6:off
sshd               0:off    1:off    2:on    3:off    4:on    5:on    6:off
udev-post          0:off    1:on    2:on    3:off    4:on    5:on    6:off
# 3、开启后,查看开启状况
[root@localhost ~]# for oldboy in crond network rsyslog sshd sysstat;do chkconfig --level 3 $oldboy on;done
[root@localhost ~]# chkconfig --list
auditd             0:off    1:off    2:on    3:off    4:on    5:on    6:off
blk-availability    0:off    1:on    2:on    3:off    4:on    5:on    6:off
crond              0:off    1:off    2:on    3:on    4:on    5:on    6:off
ip6tables          0:off    1:off    2:on    3:off    4:on    5:on    6:off
iptables           0:off    1:off    2:on    3:off    4:on    5:on    6:off
lvm2-monitor       0:off    1:on    2:on    3:off    4:on    5:on    6:off
messagebus         0:off    1:off    2:on    3:off    4:on    5:on    6:off
netconsole         0:off    1:off    2:off    3:off    4:off    5:off    6:off
netfs              0:off    1:off    2:off    3:off    4:on    5:on    6:off
network            0:off    1:off    2:on    3:on    4:on    5:on    6:off
postfix            0:off    1:off    2:on    3:off    4:on    5:on    6:off
rdisc              0:off    1:off    2:off    3:off    4:off    5:off    6:off
restorecond        0:off    1:off    2:off    3:off    4:off    5:off    6:off
rsyslog            0:off    1:off    2:on    3:on    4:on    5:on    6:off
saslauthd          0:off    1:off    2:off    3:off    4:off    5:off    6:off
sshd               0:off    1:off    2:on    3:on    4:on    5:on    6:off
udev-post          0:off    1:on    2:on    3:off    4:on    5:on    6:off

2、一条命令shell搞定

默认情况下,需要保留的服务,已经开启了,只需要把不用的状态关闭掉即可

[root@localhost ~]# for oldboy in `chkconfig --list | grep "3:on" | awk '{print $1}' | grep -vE "crond|network|sshd|rsyslog|sysstat"`;do chkconfig $oldboy off;done
[root@localhost ~]# chkconfig --list
auditd             0:off    1:off    2:on    3:off    4:on    5:on    6:off
blk-availability    0:off    1:on    2:on    3:off    4:on    5:on    6:off
crond              0:off    1:off    2:on    3:on    4:on    5:on    6:off
ip6tables          0:off    1:off    2:on    3:off    4:on    5:on    6:off
iptables           0:off    1:off    2:on    3:off    4:on    5:on    6:off
lvm2-monitor       0:off    1:on    2:on    3:off    4:on    5:on    6:off
messagebus         0:off    1:off    2:on    3:off    4:on    5:on    6:off
netconsole         0:off    1:off    2:off    3:off    4:off    5:off    6:off
netfs              0:off    1:off    2:off    3:off    4:on    5:on    6:off
network            0:off    1:off    2:on    3:on    4:on    5:on    6:off
postfix            0:off    1:off    2:on    3:off    4:on    5:on    6:off
rdisc              0:off    1:off    2:off    3:off    4:off    5:off    6:off
restorecond        0:off    1:off    2:off    3:off    4:off    5:off    6:off
rsyslog            0:off    1:off    2:off    3:on    4:off    5:off    6:off
saslauthd          0:off    1:off    2:off    3:off    4:off    5:off    6:off
sshd               0:off    1:off    2:on    3:on    4:on    5:on    6:off
sysstat            0:off    1:on    2:on    3:on    4:on    5:on    6:off
udev-post          0:off    1:on    2:on    3:off    4:on    5:on    6:off

3、循环语句搞定

原理如2,使用命令拼出处理的字符串,然后通过bash将其当做命令执行

[root@localhost ~]# chkconfig --list | grep -vE "crond|sshd|network|rsyslog|sysstat" | awk '{print "chkconfig " $1 " off"}' | bash

# 另外一种写法
[root@localhost ~]# chkconfig --list | grep 3:on | grep -vE "crond|sshd|network|rsyslog|sysstat" | awk '{print $1}' | sed -r 's#(.*)#chkconfig \1 off#g' | bash

上面的操作会把iptables防火墙也关闭掉,当前系统没有关闭,需要执行

[root@localhost ~]# /etc/init.d/iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[root@localhost ~]# /etc/init.d/iptables stop  # 重复执行,确认关闭

修改ssh登录端口

1、改配置文件方式

2、使用sed命令改

sudo命令控制用户对系统命令的使用权限

TBD

Linux中文显示设置

[root@localhost ~]# cat /etc/sysconfig/i18n 
LANG="zh_CN.UTF-8"
[root@localhost ~]# cp /etc/sysconfig/i18n /etc/sysconfig/i18n.ori
[root@localhost ~]# echo 'LANG="en_us.UTF-8"' > /etc/sysconfig/i18n
[root@localhost ~]# echo $LANG
en_us.UTF-8
[root@localhost ~]# source /etc/sysconfig/i18n # 马上生效

设置Linux时间同步

TBD

历史数据history文件和登录超时设置

TBD

调整Linux文件描述符数量

TBD

Linux内核参数优化

TBD

定时清理邮件服务临时目录垃圾文件

TBD

隐藏Linux版本信息显示

TBD

锁定关键文件,防止篡改

TBD

清除多余虚拟账号

TBD

禁止系统被Ping

TBD

升级具有典型漏洞的软件版本

TBD

基础优化与安全

  • 不用root登录,使用普通用户,通过sudo授权

  • 更改默认ssh端口,禁止root远程登录,甚至修改ssh只监听内网IP

  • 定时自动更新系统时间

  • 更新yum源

  • 关闭SELinux和iptables

  • 调整文件描述符数量。进程及文件的打开都会消耗文件描述符数量

  • 定时自动清零邮件临时目录,防止磁盘inode数量被小文件占满

  • 精简开机任务(如只保留crond、sshd、network、rsyslog、systat)

  • linux内核优化/etc/sysctl.conf,执行sysctl -p生效

  • 更改系统字符集LANG=en_us.UTF-8或LANG=zh_CN.UTF-8

  • 锁定系统关键文件,如/etc/passwd、/etc/shadow、/etc/group、/etc/gshadow、/etc/inittab,处理以上内容吧chattr、lsatr改名为oldboy并转移,这样就安全多了。

  • 清除系统版本信息,清空或修改/etc/issue、/etc/issue.net,去除登录后的系统信息显示

  • 清除系统多余的虚拟用户账号

    原文作者:甄城
    原文地址: https://segmentfault.com/a/1190000009957383
    本文转自网络文章,转载此文章仅为分享知识,如有侵权,请联系博主进行删除。
点赞