1. 配置yum源
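# Park the stock repo files in a sub-directory and fetch the Aliyun CentOS 7
# repo definition in their place.
mkdir -p /etc/yum.repos.d/default
mv /etc/yum.repos.d/*repo /etc/yum.repos.d/default/
# Fetch over HTTPS: this file fixes baseurl/gpgkey for every later yum run,
# so a plaintext download is a point where the whole package chain can be
# swapped in transit. Aliyun's mirror serves the same path over TLS.
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo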
2. 保留必要的开机自启
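# Turn off every SysV service that is not in the keep list. Drive chkconfig
# from a loop instead of generating shell text and piping it into `bash`, and
# take only lines that carry a runlevel state ("N:on") so the xinetd section
# and any stray header line cannot turn into a bogus `chkconfig <word> off`.
chkconfig --list | awk '/[0-9]:on/ {print $1}' \
  | grep -E -v 'sysstat|crond|sshd|network|rsyslog' \
  | while IFS= read -r svc; do
      chkconfig "$svc" off
    done
# Show what is still enabled in runlevel 3 (multi-user).
chkconfig --list | grep 3:on
# NOTE: on CentOS 7 chkconfig covers SysV-style services only; native systemd
# units are listed with `systemctl list-unit-files --state=enabled`.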
3. 更改ssh服务端口。禁止root登入
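# Move sshd to a non-default port, bind one address and forbid root logins.
# CentOS 7 ships these directives commented out (`#Port 22`,
# `#ListenAddress 0.0.0.0`, `#PermitRootLogin yes`), so the pattern must
# accept an optional leading `#`; otherwise the substitution rewrites only the
# comment and nothing takes effect.
sed -i 's/^#\?Port 22/Port 55122/' /etc/ssh/sshd_config
sed -i 's/^#\?ListenAddress 0.0.0.0/ListenAddress 192.168.10.9/' /etc/ssh/sshd_config
# The keyword is PermitRootLogin (the original pattern, PermitRootLogion,
# never matched, so root login stayed enabled).
sed -i 's/^#\?PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
# While SELinux is still enforcing (it is only disabled in step 11) sshd may be
# denied bind() on 55122 until `semanage port -a -t ssh_port_t -p tcp 55122`
# is run; firewalld (step 11) must also allow the port.
# Validate before reloading: reloading a broken config from a remote session
# is the classic lock-out. Keep this session open and test a fresh login on
# port 55122 before closing it.
sshd -t && systemctl reload sshd
netstat -lntup | grep sshd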
4. 不用root管理,以普通用户的名义通过sudo授权管理
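# Create the administration account and grant it sudo.
useradd sand && id sand
# Do not bake the password into the runbook: it ends up in shell history and
# in every copy of this file. Supply it through the environment; the `:?`
# guard aborts the line when it is unset or empty.
: "${SAND_PASSWORD:?set SAND_PASSWORD to the initial password for sand}" \
  && printf '%s\n' "$SAND_PASSWORD" | passwd --stdin sand
# Back up sudoers before touching anything.
\cp /etc/sudoers{,.back}
# Write the rule to a temp file, validate it, and only then install it as a
# drop-in (CentOS 7's sudoers ends with `#includedir /etc/sudoers.d`).
# Appending to /etc/sudoers and running `visudo -c` afterwards leaves a broken
# sudoers live if the check fails.
tmp=$(mktemp) && printf 'sand ALL=(ALL) NOPASSWD:ALL\n' > "$tmp"
visudo -cf "$tmp" && install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/sand
rm -f -- "$tmp"
# NOPASSWD:ALL makes sand equivalent to root with nothing but the SSH key or
# login password in front of it; drop `NOPASSWD:` if sudo should re-prompt.
cat /etc/sudoers.d/sand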
5. 定时自动更新服务器时间
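# Sync the clock every five minutes. Take the backup *before* editing (the
# original copied the spool file after the change, so the backup already
# contained it), and install the entry through `crontab -` rather than
# appending to the spool file by hand, so cron picks it up immediately and the
# file keeps its expected owner and mode.
[[ -f /var/spool/cron/root ]] && \cp /var/spool/cron/root{,.back}
{
  crontab -l 2>/dev/null   # empty when root has no crontab yet
  echo '#time sync by 新的用户名 at 2021-05-18'
  echo '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1'
} | crontab -
crontab -l
# NOTE(review): CentOS 7 runs chronyd by default; a periodic ntpdate steps the
# clock and fights a running chronyd/ntpd. Check `chronyc sources` first and
# drop this job if chrony is already keeping time.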
6. 定时自动清理邮件目录垃圾文件,防止inodes节点占满
7. 锁定关键性系统文件,防止被篡改
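# Make the account database files immutable: even root cannot modify or
# replace them until the flag is cleared.
# Do this LAST. While +i is set, useradd/userdel/passwd/groupdel (steps 4
# and 9) fail on the locked files, and so do package updates that create
# system accounts.
chattr +i /etc/{passwd,shadow,group,gshadow}
lsattr -a /etc/{passwd,shadow,group,gshadow}
# 解锁命令 — unlock before any account change (bare `chattr -i` without the
# file list only prints usage):
#   chattr -i /etc/{passwd,shadow,group,gshadow}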
8. 系统内核优化
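# Kernel tuning — a sysctl.conf fragment (e.g. /etc/sysctl.d/99-tune.conf,
# applied with `sysctl --system`). The original listed the block twice with
# typos (`arp_announce-2`, `tcp_tw_recyde`, two keys fused on one line); this
# is the de-duplicated set with the same final values.

# ARP behaviour for a VIP on lo (what an LVS-DR real server needs); harmless
# elsewhere.
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

# TIME_WAIT handling.
# NOTE(review): tcp_tw_recycle relies on TCP timestamps, yet tcp_timestamps is
# set to 0 below, so it does nothing here; it also breaks clients behind NAT
# and was removed in Linux 4.12. Consider dropping it.
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_max_tw_buckets = 80000
net.ipv4.tcp_timestamps = 0

# SYN handling and accept/backlog queues.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 20000
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768

# Socket buffers.
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# NOTE(review): tcp_mem is measured in pages, not bytes; the low mark alone
# (94500000 pages ≈ 360 GiB at 4 KiB pages) exceeds any realistic RAM — confirm
# these values are intended before applying.
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800

# Keepalive.
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5

# Ephemeral ports. The range now covers the sshd port chosen in step 3
# (55122); reserve it so an outgoing connection cannot take it first:
# net.ipv4.ip_local_reserved_ports = 55122
net.ipv4.ip_local_port_range = 1024 65535

# 禁止系统被ping — this also blinds ICMP-based monitoring; a firewall rule that
# rate-limits echo-request by source keeps reachability checks working.
net.ipv4.icmp_echo_ignore_all = 1

# 防火墙 (conntrack). The net.netfilter.* keys exist only while the
# nf_conntrack module is loaded; with firewalld disabled (step 11) and no other
# netfilter user, applying this file may report them as unknown keys.
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120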
9. 删除没必要的系统用户及组
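# Remove system accounts and groups this host has no use for.
# Run this BEFORE step 7 (chattr +i); every userdel/groupdel fails once
# /etc/passwd and /etc/group are immutable.
# 删除的用户
for u in lp sync shutdown halt news uucp video games gopher ftp; do
  # Skip names that are absent (minimal installs lack several) so the rest of
  # the list is still processed and the output stays readable.
  getent passwd "$u" >/dev/null && userdel "$u"
done
# 删除的组
# userdel already drops a user's private group when nothing else uses it, so
# some of these may be gone by now; the existence check handles that.
for g in lp news uucp games dip; do
  getent group "$g" >/dev/null && groupdel "$g"
done
# NOTE(review): `ftp` is the account vsftpd uses for anonymous access; verify
# nothing on this host depends on any of the removed names first.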
10. 调整文件描述符的数量
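# Raise the open-file limit for all login sessions (pam_limits reads
# /etc/security/limits.conf; log in again to see the new value).
ulimit -n  # 查看 — the original used a Unicode dash ("–n"), which ulimit rejects
# Guard the append so re-running the runbook does not duplicate the line.
grep -qF '* - nofile 65535' /etc/security/limits.conf \
  || echo '* - nofile 65535' >> /etc/security/limits.conf
tail -1 /etc/security/limits.conf  # 查看
# NOTE: services started by systemd do not read limits.conf; set LimitNOFILE=
# in the unit (or DefaultLimitNOFILE= in /etc/systemd/system.conf) for those.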
11. 关闭selinux,及防火墙
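# setenforce only changes the running mode; the config edit makes it stick
# across reboots. Anchor the pattern so only the active SELINUX= line is
# rewritten. `SELINUX=permissive` keeps AVC logging without blocking, if
# turning SELinux off outright is not actually required.
setenforce 0
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# 如果有外网ip,一定要开防火墙 — if this host has a public IP, keep firewalld
# running and open only the sshd port chosen in step 3 instead of the disable
# below:
#   firewall-cmd --permanent --add-port=55122/tcp && firewall-cmd --reload
systemctl disable --now firewalld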
12. 支持中文字符集
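# Chinese language support. `-y` keeps the step non-interactive when the
# runbook is executed as a script.
yum install -y kde-l10n-Chinese
# 不建议设置成中文 — the author advises keeping the system locale in English.
# If you do switch, let localectl write /etc/locale.conf instead of editing it
# in vim: it validates the name against the installed locales
# (`localectl list-locales`). The resulting file is equivalent to:
#   #LANG="en_US.UTF-8"
#   LANG="zh_CN.UTF-8"
localectl set-locale LANG=zh_CN.UTF-8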
13. 清空,去除系统及内核版本登录前的屏幕显示
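# Blank the pre-login banner so the distribution and kernel version (the \S,
# \r and \m escapes in the default file) are not shown on the console.
> /etc/issue
# 或者: echo "" > /etc/issue   (leaves a single newline instead of an empty file)
# /etc/issue.net carries the same text by default for network logins; blank it
# too if sshd's Banner directive points at it.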