Difference between the pages "关于压力测试和并发的那些事儿" and "Centos7服务器初始化"

From the Linux China wiki (wiki.linuxchina.net)
(Difference between pages)
= Page "关于压力测试和并发的那些事儿" =

== start ==

=== First, the basics ===

[http://www.ha97.com/5095.html System throughput (TPS), concurrent users, performance-testing concepts and formulas]

=== These two lean towards web testing ===

[http://wiki.linuxchina.net/index.php?title=%E7%BD%91%E7%AB%99%E8%BF%90%E7%BB%B4#chapter_5_.E6.B5.8B.E8.AF.95.E8.AF.84.E4.BC.B0 For the details of test evaluation see here]

== Concurrency capacity ==

100k active users, each visiting 4 pages, each page making 3 API calls on top of the page itself

100k * 4 * 4 = 1.6M

People sleep about 8 hours, so one day = 24 - 8 = 16 h

100k daily active users * 4 visits * 4 APIs or pages per visit = 1.6M

16 h * 60 min * 60 s = 57,600 s

1.6M / 57,600 = 28 QPS or TPS

In a real situation:

1000 active users within 5 minutes

100 * 4 * 4 = 1600

1600 / (5 * 6) = 53 QPS

Conversely: if a system does 100 QPS, the number of requests it can take in a day is 100 * 60 * 60 * 24 = 8,640,000, i.e. 8.64M.

PS

TPS: Transactions Per Second (the number of transactions processed per second)

QPS (TPS): requests/transactions per second; in the internet field, the number of requests (HTTP requests) answered per second

== Common load-testing tools ==

<pre>
# ab's parameters are sometimes a bit funny
# 10000 requests at 100 concurrency
ab -n 10000 -c 100 ip

Usage: ab [options] [http[s]://]hostname[:port]/path
ab -n 100 -c 10 http://192.168.88.173/index.html

ab -n 1000 -c 1000 http://192.168.88.173/index.html
</pre>

=== siege ===

<pre>
siege -c 2000 -t 60s http://192.168.88.173
</pre>

You may have to change the configuration:

<pre>
================================================================
WARNING: The number of users is capped at 255.  To increase this
        limit, search your .siegerc file for 'limit' and change
        its value. Make sure you read the instructions there...
================================================================
</pre>

<pre>
vim .siege/siege.conf

# ex: limit = 1023 (default is 255)
#
limit = 2559
</pre>

<pre>
# 100 concurrent users for 30 s
siege -c 100 -t 30s http://ip
</pre>

<pre>
# wrk can run Lua scripts; 4 threads
wrk -c 100 -d 30s -t 4 ip
</pre>

https://askubuntu.com/questions/932449/siege-cannot-perform-load-testing-for-more-than-255-tests

[http://blog.linuxchina.net/?p=3150 An introduction to web-server load-testing tools: ApacheBench (ab) and Siege in detail]

[https://www.vpser.net/opt/webserver-test.html Tutorial for the web-server performance/load-testing tools http_load, webbench, ab and Siege]

=== If you are on Windows / .NET, use ===

[http://zhang-ps.iteye.com/blog/2297318 How to test a website's performance (concurrency)]

[http://www.cnblogs.com/zhili/articles/StreeTool.html ASP.NET load testing]

[https://www.zhihu.com/question/40527273 How to do concurrency testing on an ASP.NET site?]

== References ==

[https://segmentfault.com/q/1010000000588140 How to test a website's performance (concurrency)?]

[http://wetest.qq.com/lab/view/177.html Better to know early: concurrency, load and throughput as seen from load-testing tools]

[https://www.cnblogs.com/zhengah/p/5160772.html How to estimate the maximum daily PV a site can sustain]

[[category:ops]]

= Page "Centos7服务器初始化" =
Revision as of 07:54, 24 April 2021 (Saturday)

= Related resources on this wiki =

[[容器初始化]]

= If you have many machines: [[Salt-ssh批量初始化机器]] =

[[Salt-ssh批量初始化机器]]

= If you have only a few machines =

== The shell script I currently use ==

<pre>
#!/bin/bash
# Author: linuxsa.org 201911
# usage: bash osinit.sh 2>&1 | tee osinit.log
# http://wiki.linuxchina.net/index.php/Centos7%E5%88%9D%E5%A7%8B%E5%8C%96

# Common development packages (gcc etc.)
yum groupinstall "Development Tools" -y
# Common commands (ifconfig etc.)
yum install -y net-tools yum-utils rsync

yum install epel-release -y
yum install iftop tcpdump -y

# Install docker
# Step 1: install the required system tools
yum install -y yum-utils device-mapper-persistent-data lvm2
# Step 2: add the repository
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

# Step 3: refresh the cache and install Docker-CE
yum makecache fast

yum -y install docker-ce
# Step 4: enable and start the Docker service
systemctl enable docker
systemctl start docker


rpm -ivh https://repo.zabbix.com/zabbix/4.0/rhel/7/x86_64/zabbix-release-4.0-1.el7.noarch.rpm

yum install zabbix-agent -y && systemctl enable zabbix-agent

# Install docker-compose etc.

yum -y install vim wget curl yum-utils bash-completion bash-completion-extras epel-release lrzsz telnet python-pip
# Depends on the situation
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
#mv docker-compose /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
#pip install docker-compose

#mkdir -p /home/data/docker
mkdir -p /data/docker

# Move Docker's storage to /data/docker (this overwrites any existing daemon.json)
echo '{"graph": "/data/docker"}' >/etc/docker/daemon.json

# cat /etc/docker/daemon.json
#{"graph": "/home/data/docker"}

systemctl restart docker

# Verify the Docker storage location
docker system info | grep "Root Dir"

# Needed for rc.local to run at boot
chmod +x /etc/rc.d/rc.local

# Disable SELinux now and, via the config file, after reboot
setenforce 0
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

# firewall
systemctl enable firewalld


# Switch to a mirror
# CentOS 7
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
# or
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo

# CentOS 8
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-8.repo
# or
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-8.repo

# 3. run yum makecache to rebuild the cache
yum makecache
</pre>

== CentOS 7 initialization ==

== ssh config ==

<pre>
# Add the ops host's public key (placeholder: replace with the real public key line)
mkdir -p /root/.ssh && chmod 700 /root/.ssh
echo "ssh-rsa AAAAB3NzaC you_prk_key root@ops" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config

sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config

# Keep the current session open and confirm key login works before
# restarting with passwords disabled, or you can lock yourself out
systemctl restart sshd
#service sshd restart
</pre>

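The echo above appends the key line on every run and never checks what it is appending. As an added example (not the page's osinit.sh), this helper installs a public key once, rejects lines that are not an OpenSSH public key, and sets the permissions sshd's StrictModes expects; the home-directory argument and the key blob used in the check are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the wiki's osinit.sh.
# Install an OpenSSH public key into <home>/.ssh/authorized_keys exactly once,
# after checking that the line looks like a key and fixing the permissions that
# sshd's StrictModes requires (700 on .ssh, 600 on authorized_keys).
# Usage: install_authorized_key <home-dir> "<type> <base64-blob> [comment]"

install_authorized_key() {
    home="$1"
    key="$2"
    # Accept only public-key types; a garbled paste (a private key, a truncated
    # line) is rejected instead of being appended.
    case "$key" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) echo "rejected: not an OpenSSH public key line" >&2; return 2 ;;
    esac
    ktype=${key%% *}
    rest=${key#* }
    blob=${rest%% *}
    case "$blob" in
        ""|*[!A-Za-z0-9+/=]*) echo "rejected: key blob is not base64" >&2; return 2 ;;
    esac
    dir="$home/.ssh"
    file="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1
    # Deduplicate on type + blob, so the same key with a different comment is
    # not added a second time.
    if awk -v t="$ktype" -v b="$blob" '$1 == t && $2 == b { found = 1 } END { exit found ? 0 : 1 }' "$file"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$file"
    echo "installed"
}

# Run directly: install_authorized_key /root "ssh-ed25519 AAAA... root@ops"
if [ $# -eq 2 ]; then
    install_authorized_key "$1" "$2"
fi
```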
== Network configuration ==

<pre>
cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE="Ethernet"
BOOTPROTO=static
IPADDR0=192.168.0.16
NETMASK=255.255.255.0
GATEWAY0=192.168.0.1
DNS1=223.5.5.5
DNS2=114.114.114.114

DEVICE="eth0"
ONBOOT="yes"
</pre>

== Install common packages ==

<pre>
yum install python-devel
yum install vim wget net-tools psmisc links lsof telnet zlib-devel curl tmux mariadb -y   # screen

yum groupinstall "Development Tools" -y
</pre>

=== Installing ifconfig on CentOS 7 ===

If you do not know which package provides a command (dig, for example), use yum provides with the command's absolute path:

<pre>
yum provides /sbin/ifconfig

******
net-tools-1.60-114.el6.x86_64 : Basic networking tools
Repo        : base
匹配来自于:
Filename    : /sbin/ifconfig
*****
</pre>

As the output shows, the package to install is net-tools (ifconfig, netstat, route, and others).

<pre>
[root@centos7 hcmdb]# yum info net-tools
已安装的软件包
名称    :net-tools
架构    :x86_64
版本    :2.0
发布    :0.17.20131004git.el7
大小    :917 k
源    :installed
简介    : Basic networking tools
网址    :http://sourceforge.net/projects/net-tools/
协议    : GPLv2+
描述    : The net-tools package contains basic networking tools,
        : including ifconfig, netstat, route, and others.
        : Most of them are obsolete. For replacement check iproute package.

yum -y install net-tools vim wget
#yum/dnf install net-tools vim wget
</pre>

After a minimal CentOS 7 install the killall command is missing. Install it with:

<pre>
yum install psmisc
</pre>

A short introduction to psmisc:

The psmisc package contains three programs that help manage the /proc directory. It installs fuser, killall, pstree and pstree.x11 (a link to pstree).
fuser shows the PIDs of the processes that use a given file or filesystem.
killall kills processes by name: it sends a signal to every process running the named command.
pstree shows the running processes as a tree.
pstree.x11 does the same as pstree but asks for confirmation before exiting.


== Common software ==

<pre>
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

yum install nmap-ncat lsof -y   # nc (nmap-ncat)

# which process is listening on port 1080
lsof -i:1080

yum groupinstall "Development Libraries"

yum groupinstall "Development Tools"
</pre>

== nginx ==

<pre>
yum install wget -y

wget https://mirrors.tuna.tsinghua.edu.cn/epel/7/x86_64/Packages/e/epel-release-7-12.noarch.rpm
# or, from the upstream mirror
wget https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-12.noarch.rpm
# nginx comes from EPEL, so install the downloaded release package first
rpm -ivh epel-release-7-12.noarch.rpm

yum install nginx -y
</pre>

== jdk ==

<pre>
java.security.InvalidKeyException: Illegal key size or default parameters
</pre>

On a new VM you have to add the unlimited-strength JCE policy.

File: UnlimitedJCEPolicyJDK7.zip

Fix:

<pre>
evan@evankalilatop:~/xk/jdk$ cat jdkpath
</pre>

Replace local_policy.jar and US_export_policy.jar under ${jdk_home}/jre/lib/security

== Raise the open-file limit ==

<pre>
# Temporary change, effective immediately (current shell and its children only)
ulimit -n 655350

# Permanent change, picked up by PAM logins through pam_limits;
# systemd services need LimitNOFILE= in their unit file instead
echo "* soft nofile 655360" >> /etc/security/limits.conf
echo "* hard nofile 655360" >> /etc/security/limits.conf
</pre>

[https://www.jianshu.com/p/23ee9db2a620 Tuning system parameters with ulimit, /etc/security/limits.conf and proc]

[https://developer.aliyun.com/article/435650 ulimit setting not taking effect?]

== Kernel tuning ==

<pre>
# set sysctl (when there is time, write out what each of these means)
sysctl_config(){
cp /etc/sysctl.conf /etc/sysctl.conf.bak
cat > /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
# timestamps off also disables PAWS, and tcp_tw_recycle depends on timestamps
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
# tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65535
EOF
/sbin/sysctl -p
echo "sysctl set OK!!"
}
</pre>

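Some keys in the list above, net.ipv4.tcp_tw_recycle in particular, do not exist on kernels from 4.12 on, and sysctl -p then reports an error on them. As an added example (not the page's sysctl_config function), this checks a sysctl.conf against the keys present under /proc/sys before applying it; the optional sys-root argument is there so the test can use a constructed directory tree instead of the live kernel.

```shell
#!/bin/sh
# Added example, not the wiki page's sysctl_config().
# Check which keys in a sysctl.conf the running kernel actually exposes, so that
# `sysctl -p` does not stop on an unknown key such as net.ipv4.tcp_tw_recycle
# (removed in Linux 4.12). Each key maps to a file under /proc/sys with the dots
# turned into slashes; an optional second argument replaces /proc/sys for testing.
# Usage: check_sysctl_conf <sysctl.conf> [sys-root]
# Prints one "ok <key>" or "unknown <key>" line per setting; the return value is
# the number of unknown keys, so 0 means the file is safe to apply as-is.

check_sysctl_conf() {
    conf="$1"
    root="${2:-/proc/sys}"
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        # sysctl.conf allows "#" and ";" comments and blank lines
        case "$line" in ''|'#'*|';'*) continue ;; esac
        key=${line%%=*}
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        [ -n "$key" ] || continue
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ -e "$path" ]; then
            printf 'ok %s\n' "$key"
        else
            printf 'unknown %s\n' "$key"
            missing=$((missing + 1))
        fi
    done < "$conf"
    return "$missing"
}

# Write a copy of the conf with the unknown keys commented out rather than
# dropped, so the original intent stays visible in the file.
filter_sysctl_conf() {
    conf="$1"
    root="${2:-/proc/sys}"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|';'*) printf '%s\n' "$line"; continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        if [ -e "$root/$(printf '%s' "$key" | tr . /)" ]; then
            printf '%s\n' "$line"
        else
            printf '# unknown on this kernel: %s\n' "$line"
        fi
    done < "$conf"
}

# Typical use before applying:  check_sysctl_conf /etc/sysctl.conf && sysctl -p
if [ $# -ge 1 ]; then
    check_sysctl_conf "$@"
fi
```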

Limit resources through the PAM module:

<pre>
# vi /etc/pam.d/login
session required pam_limits.so
</pre>

== IPv6 can be disabled ==

<pre>
# module-alias method; on CentOS 7, where IPv6 is built into the kernel,
# the sysctl net.ipv6.conf.all.disable_ipv6 = 1 is what actually takes effect
cat >> /etc/modprobe.d/ipv6.conf <<EOF
alias net-pf-10 off
alias ipv6 off
EOF
</pre>

== Disable ssh reverse-DNS lookups and GSSAPI authentication ==

<pre>
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config

sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config

sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config

# run sshd -t first: a config error here would leave sshd down after the restart
systemctl restart sshd
</pre>

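The sed commands in this section and in the ssh config section above match one exact spelling of each line, so a file that already reads differently (an option already active, a different comment) is left unchanged without any error, and PasswordAuthentication can quietly stay enabled. As an added example (not code from the page), a helper that sets an sshd_config directive idempotently and reports the value sshd will actually use; it assumes the file has no Match blocks.

```shell
#!/bin/sh
# Added example, not code from the wiki page.
# Set an sshd_config directive idempotently: rewrite the first line that carries
# the directive (active or commented out), drop later duplicates (sshd honours
# only the first occurrence anyway) and append the directive when it is absent.
# Assumes the file has no "Match" blocks, whose directives are conditional.
# Usage: set_sshd_option <sshd_config> <Directive> <value>

set_sshd_option() {
    cfg="$1"; opt="$2"; val="$3"
    tmp="$cfg.tmp.$$"
    awk -v o="$opt" -v v="$val" '
        {
            # directive name = first word after optional whitespace and "#"
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)
            n = split(line, f, "[ \t]+")
        }
        n > 0 && tolower(f[1]) == tolower(o) {
            if (!done) { print o " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print o " " v }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # copy back through the existing inode so owner and mode (600) are preserved
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Effective value of a directive, as sshd reads it: the first active line wins.
get_sshd_option() {
    awk -v o="$2" '$1 !~ /^#/ && tolower($1) == tolower(o) { print $2; exit }' "$1"
}

# Typical use on a host: set the options, validate, then restart.
#   set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
#   sshd -t && systemctl restart sshd
```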
== Disable unneeded users and services ==

== Security ==

Turn off SELinux; on a machine on the internal network, turning it off is not a problem.

<pre>
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0

# Check SELinux status
getenforce


# Stop the firewall now (it comes back at reboot)
systemctl stop firewalld
# Permanently stop the firewall from starting at boot
systemctl disable firewalld
# Start the firewall now
systemctl start firewalld
# Start the firewall at boot
systemctl enable firewalld
# Check firewall status
systemctl status firewalld
</pre>

On a new machine a web test may fail with ERR_ADDRESS_UNREACHABLE if the firewall is not turned off (opening only the web service's port instead keeps the rest of the filtering in place).

fail2ban

== Set the timezone ==

If the time is wrong, see [[Linux时间同步的那些事儿]]

<pre>
yum install ntp
timedatectl set-ntp true
</pre>

<pre>
rm -f /etc/localtime
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
</pre>

== References ==

[https://www.jianshu.com/p/d0ef5bd18610 CentOS 7 initialization script (bash)]

[https://blog.csdn.net/kxwinxp/article/details/78895373 CentOS 7 operations tuning]

[https://blog.csdn.net/wh211212/article/details/52923673 Initializing CentOS 7 after installation]

[https://blog.51cto.com/wzlinux/2043592 Deployment steps for a freshly installed CentOS 7 server]

[https://www.cnblogs.com/sdhzdtwhm/p/8027928.html CentOS 7 operating-system initialization]

[https://linux.cn/article-5067-1.html How to use fail2ban to defend an SSH server against brute-force attacks]

[http://www.cnblogs.com/txk1452/p/6361559.html Installing ifconfig on CentOS 7]

[http://blog.51cto.com/feihan21/1060365 Linux server initial configuration script]

[https://blog.imdst.com/linux-fu-wu-qi-chu-shi-hua-an-quan-jia-gu/ Linux server initialization, tuning and security hardening]

[https://www.cnblogs.com/stulzq/p/7610100.html CentOS 7 initial disk partitioning and mounting]

== kernel ==

[https://blog.csdn.net/lufeisan/article/details/53339991 The Linux swappiness parameter and how it balances memory against swap]

[[category:linux]][[category:ops]]