1、基本的原則與思路
保證系統最小化安裝結束後，要把相應的服務、工具和系統所需要的資源等打開，能夠從如下思路去想。
例如：
所需加載的模塊與不需要加載的模塊、開機啓動與應用服務、防火牆、內核參數、句柄數、yum 倉庫、環境變量（如 jdk、歷史命令、本身習慣及 vim 等設置）、軟件包、tty 終端、命令別名等。
centos6
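#!/bin/bash
# CentOS 6 post-install baseline: base packages, file-descriptor limits, shell
# history, SELinux mode, login banners, kernel network tuning, consoles, time
# sync, aliases, IPv6, sshd hardening and boot-time services.
# Every step writes under /etc or restarts a service, so it must run as root.
# Lines marked NOTE(review) flag choices a security review would question.
set -u           # an unset variable is a bug, not an empty string
set -o pipefail  # a failing stage in a pipeline fails the pipeline

# Fail early when unprivileged; the original ran on and produced a cascade of
# "Permission denied" errors, most of them hidden behind >/dev/null.
if [[ "$(id -u)" -ne 0 ]]; then
  printf '\e[1;31m This script must be run as root \e[0m\n' >&2
  exit 1
fi

yum clean all
# A failed makecache almost always means a wrong repo URL; report it but keep
# going so the parts of the baseline that do not need yum are still applied.
yum makecache || printf '\e[1;31m Please check that the yum source address is correct \e[0m\n'

# Before the installation check: tooling the later steps depend on (ntpdate for
# the cron entry, yum-plugin-priorities for priorities.conf, vim for the alias).
packages=(man openssh-clients lsof dstat sysstat vim-enhanced yum-plugin-priorities ntpdate bind-utils)
for pkg in "${packages[@]}"; do
  # rpm -q answers "is NAME installed" directly and prints NAME-VERSION-RELEASE,
  # the same string the original extracted with `rpm -qa | grep "^NAME-[0-9]"`.
  if installed=$(rpm -q "$pkg" 2>/dev/null); then
    printf '\e[1;32m %s is installed!\e[0m\n' "$installed"
  else
    printf '\e[1;31m %s is not installed!,In the installing,Please wait.\e[0m\n' "$pkg"
    # Keep stderr visible: a package that fails to install (e.g. ntpdate) breaks a later step.
    yum install -y "$pkg" >/dev/null \
      || printf '\e[1;31m Failed to install %s \e[0m\n' "$pkg" >&2
  fi
done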
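# Raise the per-process open-file limit for every account. The presence check
# ignores comment lines so a commented-out example does not count as "already set".
grep -q '^[^#].*nofile[[:space:]]\+65535' /etc/security/limits.conf \
  || echo "* - nofile 65535" >> /etc/security/limits.conf

# Shell history settings for all login shells (timestamps on every entry).
# NOTE(review): HISTCONTROL=ignorespace lets any user keep a command out of
# ~/.bash_history just by prefixing it with a space, and a user can in any case
# edit or unset their own history. The "under monitoring" banner written below
# is therefore not backed by this file; use auditd (pam_tty_audit) or remote
# logging if command history has to be trustworthy.
hist_file=/etc/profile.d/history.sh
# The file does not exist on a fresh host, so grep's "No such file" is expected.
grep -q 'ignorespace' "$hist_file" 2>/dev/null \
  || echo "export HISTCONTROL=ignorespace" >> "$hist_file"
grep -q 'export HISTTIMEFORMAT' "$hist_file" 2>/dev/null \
  || echo 'export HISTTIMEFORMAT="%F-%T "' >> "$hist_file"
# shellcheck disable=SC1090
source "$hist_file"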
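# Make sure the yum priorities plugin (installed above) is switched on.
sed -i.bak-"$(date +%F)" 's/^enabled.*$/enabled = 1/' /etc/yum/pluginconf.d/priorities.conf

# SELinux mode.
# NOTE(review): the original hard-coded SELINUX=disabled. Disabling SELinux
# removes the mandatory-access-control layer that confines sshd, httpd, etc.;
# a hardening baseline should leave it "enforcing", or at most "permissive"
# while policy denials are triaged. The mode is a parameter (SELINUX_MODE) so
# the script can be used either way; the original behaviour is the default.
selinux_mode="${SELINUX_MODE:-disabled}"
case "$selinux_mode" in
  enforcing|permissive|disabled) ;;
  *) printf 'Invalid SELINUX_MODE: %s\n' "$selinux_mode" >&2; exit 1 ;;
esac
# Anchor on ^SELINUX= so the comment in the stock file that also contains
# "SELINUX=" is left alone and SELINUXTYPE= is not touched.
sed -i.bak-"$(date +%F)" "s/^SELINUX=.*$/SELINUX=${selinux_mode}/" /etc/selinux/config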
# Pre-login banners: /etc/issue is shown on local consoles, /etc/issue.net to
# network logins. NOTE(review): sshd only displays /etc/issue.net when
# "Banner /etc/issue.net" is set in sshd_config, which this script does not do.
stamp="$(date +%F)"
# \cp bypasses any "cp -i" alias so the backup never prompts.
\cp /etc/issue.net "/etc/issue.net-bak-${stamp}"
\cp /etc/issue "/etc/issue-bak-${stamp}"
banner='Your operation is under monitoring, please note that!'
printf '%s\n' "$banner" > /etc/issue.net
printf '%s\n' "$banner" > /etc/issue
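# View connection number (diagnostic, kept for reference):
# ss -atu | awk '/^tcp/{++S[$2]} END {for(a in S) print a,S[a]}'

# Kernel network tuning.
# NOTE(review): the original overwrote /etc/sysctl.conf wholesale, which drops
# the distribution's stock entries (rp_filter, accept_source_route, ip_forward,
# kernel.sysrq, ...). This version keeps the stock file and replaces only a
# marker-delimited block, so re-running the script is idempotent.
# sysctl.conf has no inline-comment syntax: everything after "=" is handed to
# the kernel as the value (whether the kernel tolerates trailing text depends on
# its version), and a line such as "↑ # ..." is not a comment at all and makes
# sysctl -p complain. All comments therefore sit on their own lines.
stamp="$(date +%F)"
\cp /etc/sysctl.conf "/etc/sysctl.conf-bak-${stamp}"
sed -i '/^# BEGIN baseline tuning/,/^# END baseline tuning/d' /etc/sysctl.conf
cat >> /etc/sysctl.conf << 'END'
# BEGIN baseline tuning
# SYN cookies: when the SYN backlog overflows, answer with cookies instead of
# dropping, which blunts (but does not stop) SYN floods. Kernel default is 0.
net.ipv4.tcp_syncookies = 1
# Retransmit SYN / SYN-ACK once only. Aggressive: lossy paths will fail to connect.
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
# NOTE(review): tcp_tw_recycle rejects connections from clients behind NAT
# (per-host timestamp check) and was removed from Linux 4.12; tcp_tw_reuse on
# its own is the safe way to recycle TIME-WAIT sockets. Kept as the author set it.
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
# Seconds a socket stays in FIN-WAIT-2. 1 s is extreme; 30 is the usual tuning.
net.ipv4.tcp_fin_timeout = 1
# Idle seconds before the first keepalive probe: 20 minutes instead of 2 hours.
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65535
# SYN queue length (default 1024).
net.ipv4.tcp_max_syn_backlog = 16384
# Maximum TIME-WAIT sockets held at once; beyond this they are destroyed with a
# warning. Only matters when this host closes connections first.
net.ipv4.tcp_max_tw_buckets = 55000
net.ipv4.route.gc_timeout = 100
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
# END baseline tuning
END
# -e: keys this kernel lacks (e.g. tcp_tw_recycle on >= 4.12) are skipped, not fatal.
sysctl -e -p \
  || printf '\e[1;31m sysctl -p reported errors; check /etc/sysctl.conf \e[0m\n' >&2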
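# Keep getty only on tty1 and tty2 (upstart job on CentOS 6).
sed -i.bak-"$(date +%F)" 's#env ACTIVE_CONSOLES=/dev/tty\[1-6\]#env ACTIVE_CONSOLES=/dev/tty[1-2]#' /etc/init/start-ttys.conf

# Time sync.
# NOTE(review): stepping the clock every 5 minutes with ntpdate from a single
# anonymous public server is fragile: one unauthenticated, spoofable source, and
# clock steps skew log timestamps and can break TLS/Kerberos validity windows.
# Prefer ntpd/chronyd with several sources. The server is a parameter
# (NTP_SERVER); the original host is the default.
ntp_server="${NTP_SERVER:-ntp.api.bz}"
cron_line="*/5 * * * * /usr/sbin/ntpdate ${ntp_server}"
# Bug fix: the original piped the single line into `crontab`, which REPLACES
# root's whole crontab and silently discards every existing entry. Merge instead.
if ! crontab -l 2>/dev/null | grep -qF -- "/usr/sbin/ntpdate ${ntp_server}"; then
  { crontab -l 2>/dev/null; printf '%s\n' "$cron_line"; } | crontab -
fi

# Convenience aliases for all login shells.
alias_file=/etc/profile.d/command-alias.sh
grep -q "alias grep='grep --color=auto'" "$alias_file" 2>/dev/null \
  || echo "alias grep='grep --color=auto'" >> "$alias_file"
grep -q "alias vi='vim'" "$alias_file" 2>/dev/null \
  || echo "alias vi='vim'" >> "$alias_file"
# shellcheck disable=SC1090
source "$alias_file"

# Disable IPv6 by preventing the module from loading.
# NOTE(review): Red Hat documents "options ipv6 disable=1" as the supported way
# on RHEL/CentOS 6; with "install ipv6 /bin/true" there is no ::1 at all, so
# daemons that bind or refer to it (sshd, postfix, rsyslog) may need their own
# configs adjusted.
grep -q "install ipv6 /bin/true" /etc/modprobe.d/disable-ipv6.conf 2>/dev/null \
  || echo "install ipv6 /bin/true" >> /etc/modprobe.d/disable-ipv6.conf

# Open-file limit for this shell now and for everything started from rc.local.
ulimit -SHn 65535
grep -q "ulimit -SHn 65535" /etc/rc.local || echo "ulimit -SHn 65535" >> /etc/rc.local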
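# show file open number (diagnostic, kept for reference):
# for pid in $(pgrep httpd); do grep "Max open files" "/proc/$pid/limits"; done

# sshd hardening.
# Bug fix: the original sed patterns only matched the commented-out defaults
# ("#PermitRootLogin yes"). On a host where the directive is already active —
# "PermitRootLogin yes" — nothing changed, root login stayed enabled, and the
# egrep at the end merely printed that fact. Match both forms and append the
# directive when it is missing altogether.
sshd_config=/etc/ssh/sshd_config
\cp "$sshd_config" "${sshd_config}.bak-$(date +%F)"

# set_sshd_option KEY VALUE: force "KEY VALUE" in sshd_config, replacing a
# commented or uncommented existing line (any Match-block occurrence included).
set_sshd_option() {
  local key="$1" value="$2"
  if grep -qE "^#?[[:space:]]*${key}[[:space:]]" "$sshd_config"; then
    sed -i -r "s|^#?[[:space:]]*${key}[[:space:]].*$|${key} ${value}|" "$sshd_config"
  else
    printf '%s %s\n' "$key" "$value" >> "$sshd_config"
  fi
}

# NOTE(review): PermitRootLogin no locks root out over ssh. Make sure a non-root
# account with a key and sudo rights exists and has been tested from a second
# session before relying on this.
set_sshd_option PermitRootLogin no
set_sshd_option PermitEmptyPasswords no
# Skip reverse-DNS lookups on connect (faster logins, no hostname-based checks).
set_sshd_option UseDNS no
grep -E 'Root|Empty|DNS' "$sshd_config"

# Validate before restarting; a broken config would otherwise leave sshd down
# and the admin locked out of a remote host.
if /usr/sbin/sshd -t; then
  service sshd restart
else
  printf '\e[1;31m sshd_config failed validation; sshd NOT restarted \e[0m\n' >&2
fi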
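####### boot-time services kept at runlevel 3
# Turn off everything that starts at runlevel 3, then switch the keep-list back on.
# NOTE(review): the original keep-list was crond rsyslog sshd network only, so
# on a stock CentOS 6 install this step also disabled iptables (the host
# firewall) and auditd (the audit trail) — a hardening regression inside a
# hardening script. Both are kept by default here; override KEEP_SERVICES
# (space-separated) to change the list deliberately. ip6tables is not listed
# because IPv6 is disabled earlier in this script.
# shellcheck disable=SC2206  # word-splitting the list is intended
keep_services=(${KEEP_SERVICES:-crond rsyslog sshd network iptables auditd})

# Column 5 of `chkconfig --list` is the runlevel-3 state ("3:on" / "3:off").
for svc in $(chkconfig --list 2>/dev/null | awk '$5 == "3:on" {print $1}'); do
  chkconfig --level 3 "$svc" off
done
for svc in "${keep_services[@]}"; do
  # Skip services that are not installed on this host instead of erroring out.
  chkconfig --list "$svc" >/dev/null 2>&1 && chkconfig --level 3 "$svc" on
done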
# Reference sysctl profiles by server role. These are NOT part of the script
# above (key = value lines are not valid bash); pick a set and put it in
# /etc/sysctl.conf or a file under /etc/sysctl.d/, one key per line.
# NOTE(review): every profile below turns on net.ipv4.tcp_tw_recycle. It rejects
# connections from clients behind NAT (per-host timestamp check) and was removed
# in Linux 4.12; tcp_tw_reuse alone is the safe TIME-WAIT optimisation.
###### squid (forward proxy) ########
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 10000 65535
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
####### nginx or apache (web server) ############
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 10000 65535
######## postfix (mail) ##########
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 10000 65535
# Largest single shared-memory segment, in bytes (128 MiB).
kernel.shmmax = 134217728
centos7
自動補全參數安裝包
# Tab completion for command arguments (CentOS 7).
yum -y install bash-completion
chrony