1. 添加用戶,並給用戶建立密碼
[root@hooper161 ~]# useradd nil
[root@hooper161 ~]# echo "332211"|passwd --stdin nil
Changing password for user nil.
passwd: all authentication tokens updated successfully.
#注意:332211僅爲示例弱密碼;用echo傳入還會把明文密碼留在shell歷史記錄裏,實際環境建議直接執行 passwd nil 交互式輸入強密碼
2. 查看時區及時間是否正確,並設置服務器同步時間服務器
[root@hooper161 ~]# date
Fri Dec 14 15:11:25 CST 2012
[root@hooper161 ~]# ntpdate ntp.sjtu.edu.cn
14 Dec 07:12:15 ntpdate[3582]: step time server 202.120.2.101 offset -28801.460657 sec
[root@hooper161 ~]# date
Fri Dec 14 07:12:23 CST 2012
[root@hooper161 ~]# hwclock -w
[root@hooper161 ~]# echo '*/5 * * * * /usr/sbin/ntpdate ntp.sjtu.edu.cn >/dev/null 2>&1' >>/var/spool/cron/root
#將時間同步寫到root這個用戶下crontab下,也能夠用 crontab -e 添加當前用戶的定時任務
[root@hooper161 ~]# crontab -l
*/5 * * * * /usr/sbin/ntpdate ntp.sjtu.edu.cn >/dev/null 2>&1
[root@hooper161 ~]# /etc/init.d/crond status #查看定時服務運行狀態
crond (pid 3058) is running...
拓展:系統安裝好後,更改時區
[root@hooper161 ~]# tzselect
Please identify a location so that time zone rules can be set correctly.
Please select a continent or ocean.
1) Africa
2) Americas
3) Antarctica
4) Arctic Ocean
5) Asia
6) Atlantic Ocean
7) Australia
8) Europe
9) Indian Ocean
10) Pacific Ocean
11) none - I want to specify the time zone using the Posix TZ format.
#? 5
Please select a country.
1) Afghanistan 18) Israel 35) Palestine
2) Armenia 19) Japan 36) Philippines
3) Azerbaijan 20) Jordan 37) Qatar
4) Bahrain 21) Kazakhstan 38) Russia
5) Bangladesh 22) Korea (North) 39) Saudi Arabia
6) Bhutan 23) Korea (South) 40) Singapore
7) Brunei 24) Kuwait 41) Sri Lanka
8) Cambodia 25) Kyrgyzstan 42) Syria
9) China 26) Laos 43) Taiwan
10) Cyprus 27) Lebanon 44) Tajikistan
11) East Timor 28) Macau 45) Thailand
12) Georgia 29) Malaysia 46) Turkmenistan
13) Hong Kong 30) Mongolia 47) United Arab Emirates
14) India 31) Myanmar (Burma) 48) Uzbekistan
15) Indonesia 32) Nepal 49) Vietnam
16) Iran 33) Oman 50) Yemen
17) Iraq 34) Pakistan
#? 9
Please select one of the following time zone regions.
1) east China - Beijing, Guangdong, Shanghai, etc.
2) Heilongjiang (except Mohe), Jilin
3) central China - Sichuan, Yunnan, Guangxi, Shaanxi, Guizhou, etc.
4) most of Tibet & Xinjiang
5) west Tibet & Xinjiang
#? 1
The following information has been given:
China
east China - Beijing, Guangdong, Shanghai, etc.
Therefore TZ='Asia/Shanghai' will be used.
Local time is now: Fri Dec 14 15:11:03 CST 2012.
Universal Time is now: Fri Dec 14 07:11:03 UTC 2012.
Is the above information OK?
1) Yes
2) No
#? 1
You can make this change permanent for yourself by appending the line
TZ='Asia/Shanghai'; export TZ
to the file '.profile' in your home directory; then log out and log in again.
Here is that TZ value again, this time on standard output so that you
can use the /usr/bin/tzselect command in shell scripts:
Asia/Shanghai
或者執行下列命令:
cp -f /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
ps:查看時區的命令:
[root@mail ~]# date -R
Thu, 25 Jul 2013 15:03:22 +0800
3. 更改源(yum.repo)
[root@hooper161 ~]# cd /etc/yum.repos.d/
[root@hooper161 yum.repos.d]# ll
total 36
-rw-r--r-- 1 root root 1926 Feb 25 2012 CentOS-Base.repo
-rw-r--r-- 1 root root 631 Feb 25 2012 CentOS-Debuginfo.repo
-rw-r--r-- 1 root root 626 Feb 25 2012 CentOS-Media.repo
-rw-r--r-- 1 root root 6118 Feb 25 2012 CentOS-Vault.repo
[root@hooper161 yum.repos.d]# /bin/mv CentOS-Base.repo CentOS-Base.repo.ori
# 將原文件重命名爲CentOS-Base.repo.ori
[root@hooper161 yum.repos.d]# ll
total 36
-rw-r--r-- 1 root root 1926 Feb 25 2012 CentOS-Base.repo.ori
-rw-r--r-- 1 root root 631 Feb 25 2012 CentOS-Debuginfo.repo
-rw-r--r-- 1 root root 626 Feb 25 2012 CentOS-Media.repo
-rw-r--r-- 1 root root 6118 Feb 25 2012 CentOS-Vault.repo
#注意:這裏經明文HTTP下載repo文件,傳輸過程無完整性保護;替換前請檢查文件內容,確認各倉庫啓用了gpgcheck=1且gpgkey指向可信的金鑰
[root@hooper161 yum.repos.d]# wget http://mirrors.sohu.com/help/CentOS-Base-sohu.repo
--2012-12-14 07:29:53-- http://mirrors.sohu.com/help/CentOS-Base-sohu.repo
Resolving mirrors.sohu.com... 123.129.214.98
Connecting to mirrors.sohu.com|123.129.214.98|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2299 (2.2K) [application/octet-stream]
Saving to: `CentOS-Base-sohu.repo'
100%[========================================>] 2,299 --.-K/s in 0.05s
2012-12-14 07:29:53 (47.9 KB/s) - `CentOS-Base-sohu.repo' saved [2299/2299]
[root@hooper161 yum.repos.d]# ll
total 44
-rw-r--r-- 1 root root 2299 Dec 31 2009 CentOS-Base-sohu.repo
-rw-r--r-- 1 root root 1926 Feb 25 2012 CentOS-Base.repo.ori
-rw-r--r-- 1 root root 631 Feb 25 2012 CentOS-Debuginfo.repo
-rw-r--r-- 1 root root 626 Feb 25 2012 CentOS-Media.repo
-rw-r--r-- 1 root root 6118 Feb 25 2012 CentOS-Vault.repo
[root@hooper161 yum.repos.d]# /bin/mv CentOS-Base-sohu.repo CentOS-Base.repo
[root@hooper161 yum.repos.d]# ll
total 44
-rw-r--r-- 1 root root 2299 Dec 31 2009 CentOS-Base.repo
-rw-r--r-- 1 root root 1926 Feb 25 2012 CentOS-Base.repo.ori
-rw-r--r-- 1 root root 631 Feb 25 2012 CentOS-Debuginfo.repo
-rw-r--r-- 1 root root 626 Feb 25 2012 CentOS-Media.repo
-rw-r--r-- 1 root root 6118 Feb 25 2012 CentOS-Vault.repo
4. 安裝lrzsz軟件(在客戶端上能夠下載或上傳文件到服務器上)
[root@hooper161 ~]# yum install lrzsz -y
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror, security
Determining fastest mirrors
* addons: mirrors.sohu.com
* base: mirror.bit.edu.cn
* extras: mirror.bit.edu.cn
* updates: mirror.bit.edu.cn
addons | 1.9 kB 00:00
addons/primary_db | 1.1 kB 00:00
base | 1.1 kB 00:00
base/primary | 1.2 MB 00:02
base 3591/3591
extras | 2.1 kB 00:00
extras/primary_db | 207 kB 00:00
updates | 1.9 kB 00:00
updates/primary_db | 1.0 MB 00:06
Setting up Install Process
Package lrzsz-0.12.20-22.1.x86_64 already installed and latest version
Nothing to do
[root@hooper161 ~]# ll
total 48
-rw------- 1 root root 1060 Dec 14 2012 anaconda-ks.cfg
-rw-r--r-- 1 root root 32117 Dec 14 2012 install.log
-rw-r--r-- 1 root root 0 Dec 14 2012 install.log.syslog
[root@hooper161 ~]# sz -y install.log #下載文件並替換現有文件
[root@hooper161 ~]# rz -y #上傳文件並替換現有文件
5. 設置全局PATH環境變量
[root@hooper161 ~]# vi /etc/skel/.bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin:/usr/kerberos/sbin:/usr/local/sbin:/sbin:/usr/sbin
#添加須要環境變量,保存後退出
export PATH
拓展:修改當前用戶的PATH環境變量
[root@hooper161 ~]# su - nil
[nil@hooper161 ~]$ vi .bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin:/usr/kerberos/sbin:/usr/local/sbin:/sbin:/usr/sbin
#添加須要的環境變量,保存退出
export PATH
6. 將vi添加別名vim
[root@hooper161 ~]# vi .bashrc
# .bashrc
# User specific aliases and functions
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias vi=vim #添加vi=vim
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
7. 添加sudo權限
[root@hooper161 ~]# visudo
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
nil ALL=(ALL) ALL #添加用戶sudo權限(nil可用sudo以任意用戶身份執行任意命令,等同root),保存退出
8. 修改語言
[root@hooper161 ~]# cp /etc/sysconfig/i18n /etc/sysconfig/i18n.ori -p
[root@hooper161 ~]# vi /etc/sysconfig/i18n
LANG="en_US.UTF-8" #修改你要設置的語言
SYSFONT="latarcyrheb-sun16"
[root@hooper161 ~]# cat /etc/sysconfig/i18n
LANG="en_US.UTF-8" #代表你當前系統的語言環境變量設置
SYSFONT="latarcyrheb-sun16" #定義控制檯終端字體,登陸時顯示的字體
[root@hooper161 ~]# source /etc/sysconfig/i18n #讓配置文件生效
[root@hooper161 ~]# echo $LANG #查看當前語言
en_US.UTF-8
9. 修改ip地址、網關、主機名、DNS
永久生效IP地址
[root@hooper161 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth0 #網卡名字
BOOTPROTO=static #靜態IP地址獲取狀態 如:DHCP表示自動獲取IP地址
BROADCAST=192.168.0.255 #廣播地址
HWADDR=00:0C:29:7E:A2:12 #mac地址
IPADDR=192.168.0.161 #IP地址
NETMASK=255.255.255.0 #子網掩碼
NETWORK=192.168.0.0 #網絡地址
ONBOOT=yes #引導時是否激活
[root@hooper161 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.0.255
HWADDR=00:0C:29:7E:A2:12
IPADDR=192.168.0.161
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
[root@hooper161 ~]# service network restart
#重啓網卡,也能夠用/etc/init.d/network restart
臨時生效IP地址
[root@hooper161 ~]# ifconfig eth0 192.168.10.161 up
修改網關及主機名
[root@hooper161 ~]# vi /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=hooper161 #修改主機名,重啓生效
GATEWAY=192.168.0.1 #修改網關
[root@hooper161 ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=hooper161
GATEWAY=192.168.0.1
[root@hooper161 ~]# /etc/init.d/network restart #重啓網絡
臨時修改主機名
[root@hooper161 ~]# hostname hooper161
#臨時修改主機名,從新登陸生效
修改DNS
[root@hooper161 ~]# vi /etc/resolv.conf
[root@hooper161 ~]# cat /etc/resolv.conf
nameserver 202.106.0.20
nameserver 8.8.8.8
[root@hooper161 ~]# service network restart #重啓網卡,生效
10. 優化開機自啓動
[root@hooper161 ~]# chkconfig --list|egrep "syslog|cron|network|ssh" #查看這些服務啓動狀態
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@hooper161 ~]# chkconfig --list|awk '{print $1}'
NetworkManager
acpid
anacron
atd
auditd
autofs
avahi-daemon
avahi-dnsconfd
bluetooth
capi
conman
cpuspeed
crond
dnsmasq
dund
firstboot
gpm
haldaemon
hidd
ip6tables
ipmi
ipmievd
iptables
irda
irqbalance
iscsi
iscsid
isdn
kudzu
lvm2-monitor
mcstrans
mdmonitor
mdmpd
messagebus
microcode_ctl
multipathd
netconsole
netfs
netplugd
network
nfs
nfslock
nscd
ntpd
oddjobd
pand
pcscd
portmap
psacct
rawdevices
rdisc
readahead_early
readahead_later
restorecond
rpcgssd
rpcidmapd
rpcsvcgssd
rsyslog
saslauthd
sendmail
smartd
sshd
svnserve
syslog
tcsd
winbind
wpa_supplicant
xfs
ypbind
yum-updatesd
[root@hooper161 ~]# for n in `chkconfig --list|awk '{print $1}'`;do chkconfig $n off;done
[root@hooper161 ~]# chkconfig --list|grep 3:on
[root@hooper161 ~]# chkconfig --list|egrep "syslog|cron|network|ssh"
anacron 0:off 1:off 2:off 3:off 4:off 5:off 6:off
crond 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
syslog 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@hooper161 ~]# chkconfig --list|egrep "syslog|cron|network|ssh"|awk '{print $1}'
anacron
crond
network
rsyslog
sshd
syslog
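#注意:上一步的循環關閉了列表中的全部服務(包括iptables、auditd),這裏只重新開啓名稱匹配 syslog|cron|network|ssh 的服務;若主機依賴本機防火牆或審計日誌,需另外單獨開啓對應服務
[root@hooper161 ~]# for n in `chkconfig --list|egrep "syslog|cron|network|ssh"|awk '{print $1}'`;do chkconfig --level 3 $n on;done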
[root@hooper161 ~]# ntsysv #或者執行下面的命令查看
[root@hooper161 ~]# chkconfig --list|grep 3:on
anacron 0:off 1:off 2:off 3:on 4:off 5:off 6:off
crond 0:off 1:off 2:off 3:on 4:off 5:off 6:off
network 0:off 1:off 2:off 3:on 4:off 5:off 6:off
rsyslog 0:off 1:off 2:off 3:on 4:off 5:off 6:off
sshd 0:off 1:off 2:off 3:on 4:off 5:off 6:off
syslog 0:off 1:off 2:off 3:on 4:off 5:off 6:off
11. 優化ssh端口設置
[root@hooper161 ~]# netstat -lntup|grep ssh #查看ssh端口是否開啓
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2902/sshd
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 4396/sshd
[root@hooper161 ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.ori -p
[root@hooper161 ~]# vi /etc/ssh/sshd_config #編輯配置文件
#將下面內容添加到配置文件中,保存退出:
####by oldboy#2011-11-24##
Port 52113 #→ssh鏈接默認的端口,誰都知道,必需要改
PermitRootLogin no #→root用戶***都知道的,禁止它遠程登錄
PermitEmptyPasswords no #→禁止空密碼登錄
UseDNS no #→不使用DNS
####by oldboy#2011-11-24##
[root@hooper161 ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@hooper161 ~]# netstat -lntup|grep ssh
tcp 0 0 0.0.0.0:52113 0.0.0.0:* LISTEN 4496/sshd
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 4396/sshd
#退出前建議保留當前會話,另開一個終端用新端口52113以普通用戶(如nil)登陸並測試sudo,確認防火牆已放行該端口,以避免root遠程登陸被禁後無法連入
[root@hooper161 ~]# logout #退出登陸,從新登陸,端口已經改變
12. 加大服務器文件描述符
[root@hooper161 ~]# vi /etc/security/limits.conf
#........忽略部分,結尾添加,下面內容,保存後退出:
* - nofile 65535
[root@hooper161 ~]# logout
[root@hooper161 ~]# ulimit -n
65535
13. 調整內核參數文件/etc/sysctl.conf
[root@hooper161 ~]# vi /etc/sysctl.conf
#在結尾處,添加如下內容,保存退出:
#注意:net.ipv4.tcp_tw_recycle = 1 會使經NAT出來的客戶端連接被隨機丟棄,且該參數自Linux 4.12起已被移除,對外提供服務的主機不建議開啓
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.ip_conntrack_max = 25000000
#對防火牆的設置,若是沒有開啓防火牆,會報錯
net.ipv4.netfilter.ip_conntrack_max=25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait=120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait=60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait=120
[root@hooper161 ~]# /sbin/sysctl -p #從/etc/sysctl.conf載入並套用參數,同時顯示各項設置
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
error: "net.ipv4.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key
以上爲centos最小化,安裝後優化系統。之後會陸續添加。