1:  为系统添加操作用户,并授予sudo权限

[root@localhost ~]# groupadd cai

[root@localhost ~]# useradd cai -g cai

[root@localhost ~]# passwd cai

更改用户 cai 的密码 。

新的 密码:

无效的密码: 过于简单化/系统化

无效的密码: 过于简单

重新输入新的 密码:

passwd: 所有的身份验证令牌已经成功更新。

[root@localhost ~]# su - cai

sudo的配置文件在/etc/sudoers下面,不过是只读文件。想要修改使用“visudo”命令。

用户名  可登录的终端  具体命令(使用绝对路径,which查看)

cairui    ALL=(ALL)      /usr/sbin/useradd

2:  配置Yum源为国内源(在我的其他博客中专门有一篇介绍,此处不写了)

3:  关闭防火墙(iptables)和Selinux

(1)因为防火墙和selinux的设置很麻烦,而且需要大量的时间去搞,所以索性就关掉。

临时关闭防火墙:(可以查看状态,重启,关闭,打开)

[root@localhost ~]# /etc/init.d/iptables

Usage: iptables {start|stop|reload|restart|condrestart|status|panic|save}

永久关闭防火墙:(关闭开机自启)

[root@localhost ~]# chkconfig iptables off

查看iptables开机状态:

[root@localhost ~]# chkconfig --list | grep iptables

iptables           :关闭    :关闭    :关闭    :关闭    :关闭    :关闭    :关闭

(2)关闭selinux

[root@localhost ~]# vim /etc/selinux/config 

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#     enforcing - SELinux security policy is enforced.

#     permissive - SELinux prints warnings instead of enforcing.

#     disabled - No SELinux policy is loaded.

#SELINUX=enforcing

SELINUX=disabled  修改为disabled

# SELINUXTYPE= can take one of these two values:

#     targeted - Targeted processes are protected,

#     mls - Multi Level Security protection.

SELINUXTYPE=targeted

4:  修改ssh服务的默认配置

修改之前先备份默认的配置:

[root@localhost ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

再修改

[root@localhost ~]# vim /etc/ssh/sshd_config

#    $OpenBSD: sshd_config,v 1.80 // :: djm Exp $

# This is the sshd server system-wide configuration file.  See

# sshd_config() for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented.  Uncommented options change a

# default value.

#Port

Port 52000   修改Linux默认连接端口

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress ::

# Disable legacy (protocol version ) support in the server for new

# installations. In future the default will change to require explicit

# activation of protocol

Protocol 

# HostKey for protocol version

#HostKey /etc/ssh/ssh_host_key

# HostKeys for protocol version

#HostKey /etc/ssh/ssh_host_rsa_key

#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version  server key

#KeyRegenerationInterval 1h

#ServerKeyBits 

# Logging

# obsoletes QuietMode and FascistLogging

#SyslogFacility AUTH

SyslogFacility AUTHPRIV

#LogLevel INFO

# Authentication:

#LoginGraceTime 2m

#PermitRootLogin yes

PermitRootLogin no  #不允许root用户登录(因为每个人都知道root能够登录)

#StrictModes yes

#MaxAuthTries

#MaxSessions 

#RSAAuthentication yes

#PubkeyAuthentication yes

#AuthorizedKeysFile    .ssh/authorized_keys

#AuthorizedKeysCommand none

#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#RhostsRSAAuthentication no

# similar for protocol version

#HostbasedAuthentication no

# Change to yes if you don't trust ~/.ssh/known_hosts for

# RhostsRSAAuthentication and HostbasedAuthentication

#IgnoreUserKnownHosts no

# Don't read the user's ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!

#PasswordAuthentication yes

#PermitEmptyPasswords no

PasswordAuthentication yes

# Change to no to disable s/key passwords

#ChallengeResponseAuthentication yes

ChallengeResponseAuthentication no

# Kerberos options

#KerberosAuthentication no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes

#KerberosGetAFSToken no

#KerberosUseKuserok yes

# GSSAPI options

#GSSAPIAuthentication no

GSSAPIAuthentication yes

#GSSAPICleanupCredentials yes

GSSAPICleanupCredentials yes

#GSSAPIStrictAcceptorCheck yes

#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,

# and session processing. If this is enabled, PAM authentication will

# be allowed through the ChallengeResponseAuthentication and

# PasswordAuthentication.  Depending on your PAM configuration,

# PAM authentication via ChallengeResponseAuthentication may bypass

# the setting of "PermitRootLogin without-password".

# If you just want the PAM account and session checks to run without

# PAM authentication, then enable this but set PasswordAuthentication

# and ChallengeResponseAuthentication to 'no'.

#UsePAM no

UsePAM yes

# Accept locale-related environment variables

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

AcceptEnv XMODIFIERS

#AllowAgentForwarding yes

#AllowTcpForwarding yes

#GatewayPorts no

#X11Forwarding no

X11Forwarding yes

#X11DisplayOffset

#X11UseLocalhost yes

#PrintMotd yes

#PrintLastLog yes

#TCPKeepAlive yes

#UseLogin no

#UsePrivilegeSeparation yes

#PermitUserEnvironment no

#Compression delayed

#ClientAliveInterval

#ClientAliveCountMax

#ShowPatchLevel no

#UseDNS yes

UseDNS no  #不使用DNS

#PidFile /var/run/sshd.pid

#MaxStartups ::

#PermitTunnel no

#ChrootDirectory none

# no default banner path

#Banner none

# override default of no subsystems

Subsystem    sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis

#Match User anoncvs

#    X11Forwarding no

#    AllowTcpForwarding no

#    ForceCommand cvs server

修改完之后重启:

[root@localhost ~]# /etc/init.d/sshd

用法: /etc/init.d/sshd {start|stop|restart|reload|force-reload|condrestart|try-restart|status}

5:  系统内核优化

[root@localhost ~]# cat /etc/sysctl.conf

# Kernel sysctl configuration file for Red Hat Linux

#

# For binary values,  is disabled,  is enabled.  See sysctl() and

# sysctl.conf() for more details.

#

# Use '/sbin/sysctl -a' to list all possible parameters.

# Controls IP packet forwarding

net.ipv4.ip_forward = 

# Controls source route verification

net.ipv4.conf.default.rp_filter = 

# Do not accept source routing

net.ipv4.conf.default.accept_source_route = 

# Controls the System Request debugging functionality of the kernel

kernel.sysrq = 

# Controls whether core dumps will append the PID to the core filename.

# Useful for debugging multi-threaded applications.

kernel.core_uses_pid = 

# Controls the use of TCP syncookies

net.ipv4.tcp_syncookies = 

# Controls the default maxmimum size of a mesage queue

kernel.msgmnb = 

# Controls the maximum size of a message, in bytes

kernel.msgmax = 

# Controls the maximum shared segment size, in bytes

kernel.shmmax = 

# Controls the maximum number of shared memory segments, in pages

kernel.shmall = 

# 下面是内核调优参数

net.ipv4.tcp_syn_retries =

net.ipv4.tcp_synack_retries =

net.ipv4.tcp_keepalive_time =

net.ipv4.tcp_keepalive_probes =

net.ipv4.tcp_keepalive_intvl =

net.ipv4.tcp_retries2 =

net.ipv4.tcp_fin_timeout =

net.ipv4.tcp_max_tw_buckets =

net.ipv4.tcp_tw_recycle =

net.ipv4.tcp_tw_reuse =

net.ipv4.tcp_max_orphans =

net.ipv4.tcp_syncookies =

net.ipv4.tcp_max_syn_backlog =

net.ipv4.tcp_wmem =

net.ipv4.tcp_rmem =

net.ipv4.tcp_mem =

net.ipv4.ip_local_port_range =

net.ipv4.ip_conntrack_max =

net.ipv4.netfilter.ip_conntrack_max=

net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=

net.core.somaxconn =

net.core.netdev_max_backlog = 
[root@localhost ~]# sysctl -p    #配置生效

net.ipv4.ip_forward =

net.ipv4.conf.default.rp_filter =

net.ipv4.conf.default.accept_source_route =

kernel.sysrq =

kernel.core_uses_pid =

net.ipv4.tcp_syncookies =

kernel.msgmnb =

kernel.msgmax =

kernel.shmmax =

kernel.shmall =

net.ipv4.tcp_syn_retries =

net.ipv4.tcp_synack_retries =

net.ipv4.tcp_keepalive_time =

net.ipv4.tcp_keepalive_probes =

net.ipv4.tcp_keepalive_intvl =

net.ipv4.tcp_retries2 =

net.ipv4.tcp_fin_timeout =

net.ipv4.tcp_max_tw_buckets =

net.ipv4.tcp_tw_recycle =

net.ipv4.tcp_tw_reuse =

net.ipv4.tcp_max_orphans =

net.ipv4.tcp_syncookies =

net.ipv4.tcp_max_syn_backlog =

net.ipv4.tcp_wmem =

net.ipv4.tcp_rmem =

net.ipv4.tcp_mem =

net.ipv4.ip_local_port_range =

error: "net.ipv4.ip_conntrack_max" is an unknown key

error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key

error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key

net.core.somaxconn =

net.core.netdev_max_backlog =

6:  超时设置(timeout)

为了系统的安全,设置无操作超时自动退出登录设置

临时生效:

[root@centos6 ~]# export TMOUT=

[root@centos6 ~]# timed out waiting for input: auto-logout

永久配置生效:

[root@centos6 ~]# echo "export TMOUT=300" >>/etc/profile 实际生产环境  分钟

[root@centos6 ~]# source / etc/profile

7:  加大文件描述符

文件描述符是由无符号整数表示的句柄(一般使用范围0~65535),进程使用它来标识打开的文件。文件描述符与包括相关信息(如文件的打开模式、文件的位置类型、文件的初始类型等)的对象想关联,这些信息称为文件的上下文。

对于内核而言,所有打开的文件都是通过文件描述符引用的。当打开一个现有文件或者创建一个新文件时,内核向进程返回一个文件描述符。

按照惯例,UNIX系统shell使用0-》标准输入,1-》标准输出,2-》标准错误

查看系统默认的文件描述符大小:

[root@centos6 ~]# ulimit -n

[root@centos6 ~]# echo "* - nofile 65535">>/etc/security/limits.conf

退出重新登录,才会生效

[root@centos6 ~]# ulimit -n

8:  隐藏系统版本消息

[cairui@localhost ~]$ cat /etc/issue

CentOS release 6.8 (Final)

Kernel \r on an \m

[cairui@localhost ~]$ cat /etc/issue.net

CentOS release 6.8 (Final)

Kernel \r on an \m

只需要清空上述的文件内容,就可以隐藏信息。

9:  给grub引导菜单加密码保护(因为grub能进入看到root密码)

[root@localhost ~]# /sbin/grub-md5-crypt

Password:

Retype password:

$$kpiKh/$..jTvOdnHGnMsqqs5OWlM/

[root@localhost ~]# vi /etc/grub.conf

[root@localhost ~]# cat /etc/grub.conf

# grub.conf generated by anaconda

#

# Note that you do not have to rerun grub after making changes to this file

# NOTICE:  You have a /boot partition.  This means that

#          all kernel and initrd paths are relative to /boot/, eg.

#          root (hd0,)

#          kernel /vmlinuz-version ro root=/dev/sda3

#          initrd /initrd-[generic-]version.img

#boot=/dev/sda

default=

timeout=

splashimage=(hd0,)/grub/splash.xpm.gz

hiddenmenu

    password --md5 $1$hv58gkgk9G995885/JG0orl4m  #后来添加的

title CentOS  (2.6.-.el6.x86_64)

    root (hd0,)

    kernel /vmlinuz-2.6.-.el6.x86_64 ro root=UUID=57e48303-c321-4c12-8ac4-7596c31f55ef rd_NO_LUKS  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_MD crashkernel=auto LANG=zh_CN.UTF- rd_NO_LVM rd_NO_DM rhgb quiet

    initrd /initramfs-2.6.-.el6.x86_64.img

10:  调整字符集

[root@centos6 ssh]# echo $LANG

en_US.UTF-

[root@centos6 ssh]# cat /etc/sysconfig/i18n

LANG="en_US.UTF-8"

SYSFONT="latarcyrheb-sun16"

[root@centos6 ssh]# cp /etc/sysconfig/i18n /etc/sysconfig/i18n.2016.12.

[root@centos6 ssh]# sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.UTF-8"#g' /etc/sysconfig/i18n

[root@centos6 ssh]# source /etc/sysconfig/i18n

[root@centos6 ssh]# echo $LANG

zh_CN.UTF-

Liunx基础优化配置的更多相关文章

  1. CentOS7.5基础优化与常用配置

    目录 最小化全新安装CentOS7基础优化 配置yum源 安装常用软件 关闭防火墙 关闭SELinux 优化ulimit 历史命令记录改为1万条 把命令提示符改为绿色 添加vim配置文件 添加一个普通 ...

  2. Linu之linux系统基础优化和基本命令

    Linux系统基础优化和基本命令 网络参数设定命令 ifconfig: 查询,设置网卡和ip等参数 ifup,ifdown: 脚本命令,更简单的方式 ip: 符合指令,直接修改上述功能 编辑网卡配置文 ...

  3. Linux实战教学笔记06:Linux系统基础优化

    第六节 Linux系统基础优化 标签(空格分隔):Linux实战教学笔记-陈思齐 第1章 基础环境 第2章 使用网易163镜像做yum源 默认国外的yum源速度很慢,所以换成国内的. 第一步:先备份 ...

  4. 【No.1 Ionic】基础环境配置

    Node 安装 git clone https://github.com/nodejs/node cd node ./configure make sudo make install node -v ...

  5. Centos6.5 64linux系统基础优化(二)

    1  操作的最小化原则 1)安装系统最小化 2)开启程序服务最小化原则 3)操作最小化原则 4)登陆最小化原则;平时没有需求不用root登陆,要用普通登陆. 2  更改ssh服务默认端口及常规配置 # ...

  6. Apache优化配置:修改最大并发连接数

    此文摘自: http://www.365mini.com/page/apache-concurrency-configuration.htm Apache查看连接数和限制当前的连接数 : http:/ ...

  7. Linux基础优化与安全归纳总结

    一名运维工程师在运维岗位上时间久了,就会发现Linux优化的重要性,同时会给运维工作带来很多的便利性.本人逐渐认识到了这一点,所以特意在工作闲暇之余,通过阅读Linux相关书籍及向同事.同行高手咨询, ...

  8. [转帖]关于网络编程中MTU、TCP、UDP优化配置的一些总结

    关于网络编程中MTU.TCP.UDP优化配置的一些总结 https://www.cnblogs.com/maowang1991/archive/2013/04/15/3022955.html 感谢原作 ...

  9. Linux基础优化和安全重点小结

    Linux基础优化和安全重点小结 1.不用root管理,以普通用户的名义通过sudo管理授权(/etc/sudoers)        2.更改默认的ssh服务端口,禁止root用户远程连接,甚至监听 ...

随机推荐

  1. Day3-Python基础3---函数递归和函数式方程

    一.函数的递归 在函数内部,可以调用其他函数.如果一个函数在内部调用自身本身,这个函数就是递归函数. 递归特性: 1. 必须有一个明确的结束条件 2. 每次进入更深一层递归时,问题规模相比上次递归都应 ...

  2. 【转】 Pro Android学习笔记(八三):了解Package(2):包签名过程

    目录(?)[-] 类比例子 数字签名 文章转载只能用于非商业性质,且不能带有虚拟货币.积分.注册等附加条件.转载须注明出处:http://blog.csdn.net/flowingflying/ 在W ...

  3. mina在spring中的配置多个端口

    本次练习中是监听2个端口 applicationContext-mina.xml: <?xml version="1.0" encoding="UTF-8" ...

  4. php学习之try catch

    PHP 5 添加了类似于其它语言的异常处理模块.在 PHP 代码中所产生的异常可被 throw语句抛出并被 catch 语句捕获.(注:一定要先抛才能获取) 需要进行异常处理的代码都必须放入 try ...

  5. linux命令-sudo普通用户拥有root权限

    普通用户权限不够 [root@wangshaojun ~]# su - dennywang[dennywang@wangshaojun ~]$ ls /root/ls: 无法打开目录/root/: 权 ...

  6. EF CODEFIRST WITH ORACLE 存储过程

    EF  CODEFIRST WITH ORACLE 解决存储过程一直没找到解决方案 所以最后也没办法还是用了最基本的解决方案 采用Oracle.ManagedDataAccess提供的ADO基础访问类 ...

  7. [Python Study Notes]折线图绘制

    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' ...

  8. centos7虚拟机桥接上网(DHCP)

    centos设置成自动获取ip地址方式(DHCP) 1.打开终端查看网卡信息 #ifconfigifcfg-enp0s3lovirbro 2.编辑文件#vim /etc/sysconfig/netwo ...

  9. Reporting services

    “数据库引擎服务”可以承载报表服务器数据库.Reporting Services 需要SQL Server 2008 数据库引擎的本地或远程实例来承载报表服务器数据库.如果同时安装数据库引擎实例和 R ...

  10. 第4章_Java仿微信全栈高性能后台+移动客户端

    基于web端使用netty和websocket来做一个简单的聊天的小练习.实时通信有三种方式:Ajax轮询.Long pull.websocket,现在很多的业务场景,比方说聊天室.或者手机端onli ...