Liunx基础优化配置

1：  为系统添加操作用户，并授予sudo权限

[root@localhost ~]# groupadd cai
[root@localhost ~]# useradd cai -g cai
[root@localhost ~]# passwd cai
更改用户 cai 的密码 。
新的 密码：
无效的密码： 过于简单化/系统化
无效的密码： 过于简单
重新输入新的 密码：
passwd： 所有的身份验证令牌已经成功更新。
[root@localhost ~]# su - cai

sudo的配置文件在/etc/sudoers下面，不过是只读文件。想要修改使用“visudo”命令。

用户名　　可登录的终端　　具体命令（使用绝对路径，which查看）

cairui　　  ALL=(ALL)　　    /usr/sbin/useradd

2：  配置Yum源为国内源（在我的其他博客中专门有一篇介绍，此处不写了）

3：  关闭防火墙（iptables）和Selinux

（1）因为防火墙和selinux的设置很麻烦，而且需要大量的时间去搞，所以索性就关掉。

临时关闭防火墙：（可以查看状态，重启，关闭，打开）

[root@localhost ~]# /etc/init.d/iptables
Usage: iptables {start|stop|reload|restart|condrestart|status|panic|save}

永久关闭防火墙：（关闭开机自启）

[root@localhost ~]# chkconfig iptables off

查看iptables开机状态：

[root@localhost ~]# chkconfig --list | grep iptables
iptables           :关闭    :关闭    :关闭    :关闭    :关闭    :关闭    :关闭

（2）关闭selinux

[root@localhost ~]# vim /etc/selinux/config 
 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
#SELINUX=enforcing
SELINUX=disabled　　修改为disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

4：  修改ssh服务的默认配置

修改之前先备份默认的配置：

[root@localhost ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

再修改

[root@localhost ~]# vim /etc/ssh/sshd_config
#    $OpenBSD: sshd_config,v 1.80 // :: djm Exp $
 
# This is the sshd server system-wide configuration file.  See
# sshd_config() for more information.
 
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
 
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.
 
#Port
Port 52000   修改Linux默认连接端口
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
 
# Disable legacy (protocol version ) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol
Protocol 
 
# HostKey for protocol version
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
 
# Lifetime and size of ephemeral version  server key
#KeyRegenerationInterval 1h
#ServerKeyBits 
 
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
 
# Authentication:
 
#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no　　#不允许root用户登录（因为每个人都知道root能够登录）
#StrictModes yes
#MaxAuthTries
#MaxSessions 
 
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile    .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
 
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
 
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
 
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
 
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
 
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
 
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
 
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
 
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval
#ClientAliveCountMax
#ShowPatchLevel no
#UseDNS yes
UseDNS no　　#不使用DNS
#PidFile /var/run/sshd.pid
#MaxStartups ::
#PermitTunnel no
#ChrootDirectory none
 
# no default banner path
#Banner none
 
# override default of no subsystems
Subsystem    sftp    /usr/libexec/openssh/sftp-server
 
# Example of overriding settings on a per-user basis
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    ForceCommand cvs server

修改完之后重启：

[root@localhost ~]# /etc/init.d/sshd
用法： /etc/init.d/sshd {start|stop|restart|reload|force-reload|condrestart|try-restart|status}

5：  系统内核优化

[root@localhost ~]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values,  is disabled,  is enabled.  See sysctl() and
# sysctl.conf() for more details.
#
# Use '/sbin/sysctl -a' to list all possible parameters.
 
# Controls IP packet forwarding
net.ipv4.ip_forward = 
 
# Controls source route verification
net.ipv4.conf.default.rp_filter = 
 
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 
 
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 
 
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 
 
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 
 
# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 
 
# Controls the maximum size of a message, in bytes
kernel.msgmax = 
 
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 
 
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 
 
# 下面是内核调优参数
net.ipv4.tcp_syn_retries =
net.ipv4.tcp_synack_retries =
net.ipv4.tcp_keepalive_time =
net.ipv4.tcp_keepalive_probes =
net.ipv4.tcp_keepalive_intvl =
net.ipv4.tcp_retries2 =
net.ipv4.tcp_fin_timeout =
net.ipv4.tcp_max_tw_buckets =
net.ipv4.tcp_tw_recycle =
net.ipv4.tcp_tw_reuse =
net.ipv4.tcp_max_orphans =
net.ipv4.tcp_syncookies =
net.ipv4.tcp_max_syn_backlog =
net.ipv4.tcp_wmem =
net.ipv4.tcp_rmem =
net.ipv4.tcp_mem =
net.ipv4.ip_local_port_range =
net.ipv4.ip_conntrack_max =
net.ipv4.netfilter.ip_conntrack_max=
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=
net.core.somaxconn =
net.core.netdev_max_backlog = 

[root@localhost ~]# sysctl -p    #配置生效
net.ipv4.ip_forward =
net.ipv4.conf.default.rp_filter =
net.ipv4.conf.default.accept_source_route =
kernel.sysrq =
kernel.core_uses_pid =
net.ipv4.tcp_syncookies =
kernel.msgmnb =
kernel.msgmax =
kernel.shmmax =
kernel.shmall =
net.ipv4.tcp_syn_retries =
net.ipv4.tcp_synack_retries =
net.ipv4.tcp_keepalive_time =
net.ipv4.tcp_keepalive_probes =
net.ipv4.tcp_keepalive_intvl =
net.ipv4.tcp_retries2 =
net.ipv4.tcp_fin_timeout =
net.ipv4.tcp_max_tw_buckets =
net.ipv4.tcp_tw_recycle =
net.ipv4.tcp_tw_reuse =
net.ipv4.tcp_max_orphans =
net.ipv4.tcp_syncookies =
net.ipv4.tcp_max_syn_backlog =
net.ipv4.tcp_wmem =
net.ipv4.tcp_rmem =
net.ipv4.tcp_mem =
net.ipv4.ip_local_port_range =
error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
net.core.somaxconn =
net.core.netdev_max_backlog = 

6：  超时设置（timeout）

为了系统的安全，设置无操作超时自动退出登录设置

临时生效：

[root@centos6 ~]# export TMOUT=
[root@centos6 ~]# timed out waiting for input: auto-logout

永久配置生效：

[root@centos6 ~]# echo "export TMOUT=300" >>/etc/profile 实际生产环境  分钟
[root@centos6 ~]# source / etc/profile

7：  加大文件描述符

文件描述符是由无符号整数表示的句柄（一般使用范围0~65535），进程使用它来标识打开的文件。文件描述符与包括相关信息（如文件的打开模式、文件的位置类型、文件的初始类型等）的对象想关联，这些信息称为文件的上下文。

对于内核而言，所有打开的文件都是通过文件描述符引用的。当打开一个现有文件或者创建一个新文件时，内核向进程返回一个文件描述符。

按照惯例，UNIX系统shell使用0-》标准输入，1-》标准输出，2-》标准错误

查看系统默认的文件描述符大小：
[root@centos6 ~]# ulimit -n
 
[root@centos6 ~]# echo "* - nofile 65535">>/etc/security/limits.conf
退出重新登录，才会生效
[root@centos6 ~]# ulimit -n

8：  隐藏系统版本消息

[cairui@localhost ~]$ cat /etc/issue
CentOS release 6.8 (Final)
Kernel \r on an \m
 
[cairui@localhost ~]$ cat /etc/issue.net
CentOS release 6.8 (Final)
Kernel \r on an \m
 
只需要清空上述的文件内容，就可以隐藏信息。

9：  给grub引导菜单加密码保护（因为grub能进入看到root密码）

[root@localhost ~]# /sbin/grub-md5-crypt
Password:
Retype password:
$$kpiKh/$..jTvOdnHGnMsqqs5OWlM/
[root@localhost ~]# vi /etc/grub.conf
[root@localhost ~]# cat /etc/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,)
#          kernel /vmlinuz-version ro root=/dev/sda3
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=
timeout=
splashimage=(hd0,)/grub/splash.xpm.gz
hiddenmenu
    password --md5 $1$hv58gkgk9G995885/JG0orl4m　　#后来添加的
title CentOS  (2.6.-.el6.x86_64)
    root (hd0,)
    kernel /vmlinuz-2.6.-.el6.x86_64 ro root=UUID=57e48303-c321-4c12-8ac4-7596c31f55ef rd_NO_LUKS  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_MD crashkernel=auto LANG=zh_CN.UTF- rd_NO_LVM rd_NO_DM rhgb quiet
    initrd /initramfs-2.6.-.el6.x86_64.img

10：  调整字符集

[root@centos6 ssh]# echo $LANG
en_US.UTF-
[root@centos6 ssh]# cat /etc/sysconfig/i18n
LANG="en_US.UTF-8"
SYSFONT="latarcyrheb-sun16"
[root@centos6 ssh]# cp /etc/sysconfig/i18n /etc/sysconfig/i18n.2016.12.
[root@centos6 ssh]# sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.UTF-8"#g' /etc/sysconfig/i18n
[root@centos6 ssh]# source /etc/sysconfig/i18n
[root@centos6 ssh]# echo $LANG
zh_CN.UTF-