页面“关于压力测试和并发的那些事儿”与“Centos7服务器初始化”之间的差异
(页面间的差异)
跳到导航
跳到搜索
(→siege) |
|||
第1行: | 第1行: | ||
− | == | + | =站内相关资源= |
− | = | + | [[容器初始化]] |
− | [ | + | = 如果机器多[[Salt-ssh批量初始化机器]]= |
+ | [[Salt-ssh批量初始化机器]] | ||
+ | =如果机器少= | ||
+ | ==我现在用的shell== | ||
+ | <pre> | ||
+ | #!/bin/bash | ||
+ | #Authon: linuxsa.org 201911 | ||
+ | # usage bash osinit.sh 2>&1 | tee osinit.log | ||
+ | #http://wiki.linuxchina.net/index.php/Centos7%E5%88%9D%E5%A7%8B%E5%8C%96 | ||
+ | |||
+ | #常用开发包 gcc etc | ||
+ | yum groupinstall "Development Tools" -y | ||
+ | #常用命令 ifconfig etc | ||
+ | yum install -y net-tools yum-utils rsync | ||
+ | |||
+ | yum install epel-release -y | ||
+ | yum install iftop tcpdump -y | ||
+ | |||
+ | # ins docker | ||
+ | # step 1: 安装必要的一些系统工具 | ||
+ | yum install -y yum-utils device-mapper-persistent-data lvm2 | ||
+ | # Step 2: 添加软件源信息 | ||
+ | yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo | ||
+ | |||
+ | # Step 3: 更新并安装 Docker-CE | ||
+ | yum makecache fast | ||
+ | |||
+ | yum -y install docker-ce | ||
+ | # Step 4: 开启Docker服务 | ||
+ | systemctl enable docker | ||
+ | systemctl start docker | ||
+ | |||
+ | |||
+ | rpm -ivh https://repo.zabbix.com/zabbix/4.0/rhel/7/x86_64/zabbix-release-4.0-1.el7.noarch.rpm | ||
+ | |||
+ | yum install zabbix-agent -y && systemctl enable zabbix-agent | ||
+ | |||
+ | #install docker-compose etc | ||
+ | |||
+ | yum -y install vim wget curl yum-utils bash-completion bash-completion-extras epel-release lrzsz telnet python-pip | ||
+ | #这个看情况 | ||
+ | sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose | ||
+ | #mv docker-compose /usr/local/bin/docker-compose | ||
+ | sudo chmod +x /usr/local/bin/docker-compose | ||
+ | chmod +x /usr/local/bin/docker-compose | ||
+ | #pip install docker-compose | ||
+ | |||
+ | #mkdir -p /home/data/docker | ||
+ | mkdir -p /data/docker | ||
+ | |||
+ | echo '{"graph": "/data/docker"}' >/etc/docker/daemon.json | ||
+ | |||
+ | # cat /etc/docker/daemon.json | ||
+ | #{"graph": "/home/data/docker"} | ||
+ | |||
+ | systemctl restart docker | ||
− | + | #验证docker储存位置 | |
+ | docker system info | grep "Root Dir" | ||
− | + | #开机自启动要用的 | |
− | == | + | chmod +x /etc/rc.d/rc.local |
+ | |||
+ | setenforce 0 | ||
+ | sed -i 's/enforcing/disabled/g' /etc/selinux/config | ||
+ | |||
+ | #firewall | ||
+ | systemctl enable firewalld | ||
+ | |||
+ | |||
+ | #修改源 | ||
+ | #CentOS 7 | ||
+ | wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo | ||
+ | #或者 | ||
+ | curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo | ||
+ | |||
+ | #CentOS 8 | ||
+ | wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-8.repo | ||
+ | #或者 | ||
+ | curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-8.repo | ||
+ | |||
+ | #3. 运行 yum makecache 生成缓存 | ||
+ | yum makecache | ||
+ | </pre> | ||
+ | |||
+ | ==centos7初始化 == | ||
+ | |||
+ | == ssh config== | ||
<pre> | <pre> | ||
− | + | echo "ssh-rsa AAAAB3NzaC you_prk_key root@ops | |
+ | " >> /root/.ssh/authorized_keys | ||
+ | |||
+ | sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config | ||
− | + | sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config | |
− | + | systemctl restart sshd | |
− | + | #service sshd restart | |
− | |||
− | |||
− | + | </pre> | |
− | + | ==网络配置== | |
− | + | <pre> | |
− | + | cat /etc/sysconfig/network-scripts/ifcfg-eth0 | |
+ | TYPE="Ethernet" | ||
+ | BOOTPROTO=static | ||
+ | IPADDR0=192.168.0.16 | ||
+ | NETMASK=255.255.255.0 | ||
+ | GATEWAY0=192.168.0.1 | ||
+ | DNS1=223.5.5.5 | ||
+ | DNS2=114.114.114.114 | ||
− | + | DEVICE="eth0" | |
− | + | ONBOOT="yes" | |
+ | </pre> | ||
− | + | == 安装常用软件== | |
− | + | <pre> yum install python-devel | |
+ | yum install vim wget net-tools psmisc links lsof telnet zlib-devel curl tmux mariadb -y # screen | ||
− | + | yum groupinstall "Development Tools" -y | |
</pre> | </pre> | ||
− | == | + | ===CentOS7 安装ifconfig=== |
− | <pre> | + | <pre> |
− | |||
− | |||
− | + | 不知道dig 是哪个软件包 提供的 请用 yum provides command #绝对路径 | |
− | |||
+ | yum provides /sbin/ifconfig | ||
− | + | ****** | |
+ | net-tools-1.60-114.el6.x86_64 : Basic networking tools | ||
+ | Repo : base | ||
+ | 匹配来自于: | ||
+ | Filename : /sbin/ifconfig | ||
+ | ***** | ||
+ | |||
+ | 由上可见安装的软件为net-tools | ||
+ | |||
+ | ifconfig, netstat, route, and other | ||
+ | |||
+ | [root@centos7 hcmdb]# yum info net-tools | ||
+ | 已安装的软件包 | ||
+ | 名称 :net-tools | ||
+ | 架构 :x86_64 | ||
+ | 版本 :2.0 | ||
+ | 发布 :0.17.20131004git.el7 | ||
+ | 大小 :917 k | ||
+ | 源 :installed | ||
+ | 简介 : Basic networking tools | ||
+ | 网址 :http://sourceforge.net/projects/net-tools/ | ||
+ | 协议 : GPLv2+ | ||
+ | 描述 : The net-tools package contains basic networking tools, | ||
+ | : including ifconfig, netstat, route, and others. | ||
+ | : Most of them are obsolete. For replacement check iproute package. | ||
+ | |||
+ | yum -y install net-tools vim wget | ||
+ | #yum/dnf install net-tools vim wget | ||
+ | |||
+ | centos7精简安装后,使用中发现没有killall命令。 | ||
+ | 可以通过以下命令解决: | ||
+ | |||
+ | yum install psmisc | ||
− | </pre> | + | 简单介绍一下 psmisc : |
− | === | + | |
+ | Psmisc软件包包含三个帮助管理/proc目录的程序。 | ||
+ | 安装下列程序: fuser, killall,pstree和pstree.x11(到pstree的链接) | ||
+ | fuser 显示使用指定文件或者文件系统的进程的PID。 | ||
+ | killall 杀死某个名字的进程,它向运行指定命令的所有进程发出信号。 | ||
+ | pstree 树型显示当前运行的进程。 | ||
+ | pstree.x11 与pstree功能相同,只是在退出前需要确认 | ||
+ | |||
+ | |||
+ | </pre> | ||
+ | |||
+ | ==常用软件== | ||
+ | <pre> | ||
+ | |||
+ | wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo | ||
+ | |||
+ | yum install nmap-ncat lsof -y #nc (nmap-ncat) | ||
+ | |||
+ | lsof -i:1080 | ||
+ | |||
+ | yum groupinstall "Development Libraries" | ||
+ | |||
+ | yum groupinstall "Development Tools" | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | ==nginx== | ||
+ | <pre> | ||
+ | yum install wget -y | ||
+ | |||
+ | wget https://mirrors.tuna.tsinghua.edu.cn/epel/7/x86_64/Packages/e/epel-release-7-12.noarch.rpm | ||
+ | |||
+ | wget https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-12.noarch.rpm | ||
+ | |||
+ | yum install nginx -y | ||
+ | </pre> | ||
+ | ==jdk== | ||
<pre> | <pre> | ||
+ | java.security.InvalidKeyException: Illegal key size or default parameters | ||
+ | new vm 就要加上 unlime | ||
− | + | 文件 UnlimitedJCEPolicyJDK7.zip | |
− | + | 规制办法 | |
+ | evan@evankalilatop:~/xk/jdk$ cat jdkpath | ||
+ | 替换 ${jdk_home}/jre/lib/security 下local_policy.jar, US_export_policy.jar | ||
+ | </pre> | ||
− | == | + | ==修改文件句柄数== |
− | + | <pre> | |
− | + | #临时修改,立刻生效 | |
− | + | ulimit -n 655350 | |
− | |||
− | + | #永久修改 | |
+ | echo "* soft nofile 655360" >> /etc/security/limits.conf | ||
+ | echo "* hard nofile 655360" >> /etc/security/limits.conf | ||
+ | </pre> | ||
+ | [https://www.jianshu.com/p/23ee9db2a620 使用ulimit 命令、/etc/security/limits.conf、proc 调整系统参数] | ||
− | + | [https://developer.aliyun.com/article/435650 ulimit设置不生效?] | |
− | |||
− | |||
+ | ==kernel 优化== | ||
+ | <pre> | ||
+ | #set sysctl 有空把这些意思拿出来 | ||
+ | sysctl_config(){ | ||
+ | cp /etc/sysctl.conf /et/sysctl.conf.bak | ||
+ | cat > /etc/sysctl.conf << EOF | ||
+ | net.ipv4.ip_forward = 0 | ||
+ | net.ipv4.conf.default.rp_filter = 1 | ||
+ | net.ipv4.conf.default.accept_source_route = 0 | ||
+ | kernel.sysrq = 0 | ||
+ | kernel.core_uses_pid = 1 | ||
+ | net.ipv4.tcp_syncookies = 1 | ||
+ | kernel.msgmnb = 65536 | ||
+ | kernel.msgmax = 65536 | ||
+ | kernel.shmmax = 68719476736 | ||
+ | kernel.shmall = 4294967296 | ||
+ | net.ipv4.tcp_max_tw_buckets = 6000 | ||
+ | net.ipv4.tcp_sack = 1 | ||
+ | net.ipv4.tcp_window_scaling = 1 | ||
+ | net.ipv4.tcp_rmem = 4096 87380 4194304 | ||
+ | net.ipv4.tcp_wmem = 4096 16384 4194304 | ||
+ | net.core.wmem_default = 8388608 | ||
+ | net.core.rmem_default = 8388608 | ||
+ | net.core.rmem_max = 16777216 | ||
+ | net.core.wmem_max = 16777216 | ||
+ | net.core.netdev_max_backlog = 262144 | ||
+ | net.core.somaxconn = 262144 | ||
+ | net.ipv4.tcp_max_orphans = 3276800 | ||
+ | net.ipv4.tcp_max_syn_backlog = 262144 | ||
+ | net.ipv4.tcp_timestamps = 0 | ||
+ | net.ipv4.tcp_synack_retries = 1 | ||
+ | net.ipv4.tcp_syn_retries = 1 | ||
+ | net.ipv4.tcp_tw_recycle = 1 | ||
+ | net.ipv4.tcp_tw_reuse = 1 | ||
+ | net.ipv4.tcp_mem = 94500000 915000000 927000000 | ||
+ | net.ipv4.tcp_fin_timeout = 1 | ||
+ | net.ipv4.tcp_keepalive_time = 1200 | ||
+ | net.ipv4.ip_local_port_range = 1024 65535 | ||
+ | EOF | ||
+ | /sbin/sysctl -p | ||
+ | echo "sysctl set OK!!" | ||
+ | } | ||
+ | 使用PAM模块限制资源: | ||
+ | # vi /etc/pam.d/login | ||
+ | session required pam_limits.so | ||
+ | </pre> | ||
+ | ==可以禁用ipv6 == | ||
+ | <pre> | ||
+ | cat >> /etc/modprobe.d/ipv6.conf <<EOF | ||
+ | alias net-pf-10 off | ||
+ | alias ipv6 off | ||
+ | EOF | ||
+ | </pre> | ||
− | + | ==去除ssh远程DNS认证 == | |
− | + | <pre> | |
− | + | sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config | |
− | + | sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config | |
− | + | ||
− | + | sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config | |
+ | |||
+ | sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config | ||
+ | |||
+ | systemctl restart sshd | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | ==关闭不要的用户和服务== | ||
+ | |||
+ | == 安全== | ||
+ | <pre> | ||
+ | 关闭 selinux 如果是在内网机器关了也没关系 | ||
+ | |||
+ | sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config | ||
+ | setenforce 0 | ||
+ | |||
+ | 查看SELinux状态 | ||
+ | getenforce | ||
+ | |||
+ | |||
+ | #临时关闭防火墙 | ||
+ | systemctl stop firewalld | ||
+ | #永久防火墙开机自启动 | ||
+ | systemctl disable firewalld | ||
+ | #临时打开防火墙 | ||
+ | systemctl start firewalld | ||
+ | #防火墙开机启动 | ||
+ | systemctl enable firewalld | ||
+ | #查看防火墙状态 | ||
+ | systemctl status firewalld | ||
+ | |||
+ | |||
+ | 新机器 测试 web 不关闭可能报错 | ||
+ | ERR_ADDRESS_UNREACHABLE | ||
+ | |||
+ | |||
+ | fail2ban | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | ==设置时区== | ||
+ | 如果时间不对 请 看 | ||
+ | [[Linux时间同步的那些事儿]] | ||
+ | <pre> | ||
+ | yum install ntp | ||
+ | timedatectl set-ntp true | ||
+ | </pre> | ||
+ | <pre> | ||
+ | rm -f /etc/localtime | ||
+ | cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime | ||
</pre> | </pre> | ||
− | https:// | + | ==参考== |
+ | |||
+ | [https://www.jianshu.com/p/d0ef5bd18610 centos7初始化脚本.bash] | ||
+ | [https://blog.csdn.net/kxwinxp/article/details/78895373 CentOS 7 运维优化] | ||
− | [ | + | [https://blog.csdn.net/wh211212/article/details/52923673 CentOS 7安装完成后初始化] |
− | [https:// | + | [https://blog.51cto.com/wzlinux/2043592 CentOS 7 新装服务器部署流程] |
− | + | [https://www.cnblogs.com/sdhzdtwhm/p/8027928.html CentOS7操作系统初始化] | |
− | [ | + | [https://linux.cn/article-5067-1.html 如何使用 fail2ban 防御 SSH 服务器的暴力破解攻击] |
− | [http://www.cnblogs.com/ | + | [http://www.cnblogs.com/txk1452/p/6361559.html CentOS7 安装ifconfig] |
− | [ | + | [http://blog.51cto.com/feihan21/1060365 Linux服务器初始化配置脚本] |
− | + | [https://blog.imdst.com/linux-fu-wu-qi-chu-shi-hua-an-quan-jia-gu/ Linux服务器初始化调优及安全加固] | |
− | [https:// | ||
− | |||
− | [https://www.cnblogs.com/ | + | [https://www.cnblogs.com/stulzq/p/7610100.html Centos7 初始化硬盘分区、挂载] |
− | + | ==kernel== | |
+ | [https://blog.csdn.net/lufeisan/article/details/53339991 Linux系统swappiness参数在内存与交换分区之间优化作用] | ||
+ | [[category:linux]][[category:ops]] |
2021年4月24日 (六) 07:54的版本
目录
站内相关资源
如果机器多Salt-ssh批量初始化机器
如果机器少
我现在用的shell
#!/bin/bash #Authon: linuxsa.org 201911 # usage bash osinit.sh 2>&1 | tee osinit.log #http://wiki.linuxchina.net/index.php/Centos7%E5%88%9D%E5%A7%8B%E5%8C%96 #常用开发包 gcc etc yum groupinstall "Development Tools" -y #常用命令 ifconfig etc yum install -y net-tools yum-utils rsync yum install epel-release -y yum install iftop tcpdump -y # ins docker # step 1: 安装必要的一些系统工具 yum install -y yum-utils device-mapper-persistent-data lvm2 # Step 2: 添加软件源信息 yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo # Step 3: 更新并安装 Docker-CE yum makecache fast yum -y install docker-ce # Step 4: 开启Docker服务 systemctl enable docker systemctl start docker rpm -ivh https://repo.zabbix.com/zabbix/4.0/rhel/7/x86_64/zabbix-release-4.0-1.el7.noarch.rpm yum install zabbix-agent -y && systemctl enable zabbix-agent #install docker-compose etc yum -y install vim wget curl yum-utils bash-completion bash-completion-extras epel-release lrzsz telnet python-pip #这个看情况 sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose #mv docker-compose /usr/local/bin/docker-compose sudo chmod +x /usr/local/bin/docker-compose chmod +x /usr/local/bin/docker-compose #pip install docker-compose #mkdir -p /home/data/docker mkdir -p /data/docker echo '{"graph": "/data/docker"}' >/etc/docker/daemon.json # cat /etc/docker/daemon.json #{"graph": "/home/data/docker"} systemctl restart docker #验证docker储存位置 docker system info | grep "Root Dir" #开机自启动要用的 chmod +x /etc/rc.d/rc.local setenforce 0 sed -i 's/enforcing/disabled/g' /etc/selinux/config #firewall systemctl enable firewalld #修改源 #CentOS 7 wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo #或者 curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo #CentOS 8 wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-8.repo #或者 curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-8.repo #3. 运行 yum makecache 生成缓存 yum makecache
centos7初始化
ssh config
echo "ssh-rsa AAAAB3NzaC you_prk_key root@ops " >> /root/.ssh/authorized_keys sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config systemctl restart sshd #service sshd restart
网络配置
cat /etc/sysconfig/network-scripts/ifcfg-eth0 TYPE="Ethernet" BOOTPROTO=static IPADDR0=192.168.0.16 NETMASK=255.255.255.0 GATEWAY0=192.168.0.1 DNS1=223.5.5.5 DNS2=114.114.114.114 DEVICE="eth0" ONBOOT="yes"
安装常用软件
yum install python-devel yum install vim wget net-tools psmisc links lsof telnet zlib-devel curl tmux mariadb -y # screen yum groupinstall "Development Tools" -y
CentOS7 安装ifconfig
不知道dig 是哪个软件包 提供的 请用 yum provides command #绝对路径 yum provides /sbin/ifconfig ****** net-tools-1.60-114.el6.x86_64 : Basic networking tools Repo : base 匹配来自于: Filename : /sbin/ifconfig ***** 由上可见安装的软件为net-tools ifconfig, netstat, route, and other [root@centos7 hcmdb]# yum info net-tools 已安装的软件包 名称 :net-tools 架构 :x86_64 版本 :2.0 发布 :0.17.20131004git.el7 大小 :917 k 源 :installed 简介 : Basic networking tools 网址 :http://sourceforge.net/projects/net-tools/ 协议 : GPLv2+ 描述 : The net-tools package contains basic networking tools, : including ifconfig, netstat, route, and others. : Most of them are obsolete. For replacement check iproute package. yum -y install net-tools vim wget #yum/dnf install net-tools vim wget centos7精简安装后,使用中发现没有killall命令。 可以通过以下命令解决: yum install psmisc 简单介绍一下 psmisc : Psmisc软件包包含三个帮助管理/proc目录的程序。 安装下列程序: fuser, killall,pstree和pstree.x11(到pstree的链接) fuser 显示使用指定文件或者文件系统的进程的PID。 killall 杀死某个名字的进程,它向运行指定命令的所有进程发出信号。 pstree 树型显示当前运行的进程。 pstree.x11 与pstree功能相同,只是在退出前需要确认
常用软件
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo yum install nmap-ncat lsof -y #nc (nmap-ncat) lsof -i:1080 yum groupinstall "Development Libraries" yum groupinstall "Development Tools"
nginx
yum install wget -y wget https://mirrors.tuna.tsinghua.edu.cn/epel/7/x86_64/Packages/e/epel-release-7-12.noarch.rpm wget https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-12.noarch.rpm yum install nginx -y
jdk
java.security.InvalidKeyException: Illegal key size or default parameters new vm 就要加上 unlime 文件 UnlimitedJCEPolicyJDK7.zip 规制办法 evan@evankalilatop:~/xk/jdk$ cat jdkpath 替换 ${jdk_home}/jre/lib/security 下local_policy.jar, US_export_policy.jar
修改文件句柄数
#临时修改,立刻生效 ulimit -n 655350 #永久修改 echo "* soft nofile 655360" >> /etc/security/limits.conf echo "* hard nofile 655360" >> /etc/security/limits.conf
使用ulimit 命令、/etc/security/limits.conf、proc 调整系统参数
kernel 优化
#set sysctl 有空把这些意思拿出来 sysctl_config(){ cp /etc/sysctl.conf /et/sysctl.conf.bak cat > /etc/sysctl.conf << EOF net.ipv4.ip_forward = 0 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.default.accept_source_route = 0 kernel.sysrq = 0 kernel.core_uses_pid = 1 net.ipv4.tcp_syncookies = 1 kernel.msgmnb = 65536 kernel.msgmax = 65536 kernel.shmmax = 68719476736 kernel.shmall = 4294967296 net.ipv4.tcp_max_tw_buckets = 6000 net.ipv4.tcp_sack = 1 net.ipv4.tcp_window_scaling = 1 net.ipv4.tcp_rmem = 4096 87380 4194304 net.ipv4.tcp_wmem = 4096 16384 4194304 net.core.wmem_default = 8388608 net.core.rmem_default = 8388608 net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 net.core.netdev_max_backlog = 262144 net.core.somaxconn = 262144 net.ipv4.tcp_max_orphans = 3276800 net.ipv4.tcp_max_syn_backlog = 262144 net.ipv4.tcp_timestamps = 0 net.ipv4.tcp_synack_retries = 1 net.ipv4.tcp_syn_retries = 1 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_mem = 94500000 915000000 927000000 net.ipv4.tcp_fin_timeout = 1 net.ipv4.tcp_keepalive_time = 1200 net.ipv4.ip_local_port_range = 1024 65535 EOF /sbin/sysctl -p echo "sysctl set OK!!" } 使用PAM模块限制资源: # vi /etc/pam.d/login session required pam_limits.so
可以禁用ipv6
cat >> /etc/modprobe.d/ipv6.conf <<EOF alias net-pf-10 off alias ipv6 off EOF
去除ssh远程DNS认证
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config systemctl restart sshd
关闭不要的用户和服务
安全
关闭 selinux 如果是在内网机器关了也没关系 sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config setenforce 0 查看SELinux状态 getenforce #临时关闭防火墙 systemctl stop firewalld #永久防火墙开机自启动 systemctl disable firewalld #临时打开防火墙 systemctl start firewalld #防火墙开机启动 systemctl enable firewalld #查看防火墙状态 systemctl status firewalld 新机器 测试 web 不关闭可能报错 ERR_ADDRESS_UNREACHABLE fail2ban
设置时区
如果时间不对 请 看
yum install ntp timedatectl set-ntp true
rm -f /etc/localtime cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
参考
如何使用 fail2ban 防御 SSH 服务器的暴力破解攻击