1. 配置yum源

  1. mkdir -p /etc/yum.repos.d/default
  2. mv /etc/yum.repos.d/*repo /etc/yum.repos.d/default/
  3. wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

2. 保留必要的开机自启

  1. chkconfig --list|egrep -v "sysstat|crond|sshd|network|rsyslog"|awk '{print "chkconfig "$1,"off"}'|bash
  2. chkconfig --list|grep 3:on

3. 更改ssh服务端口。禁止root登入

  1. sed -i 's/Port 22/Port 55122/' /etc/ssh/sshd_config
  2. sed -i 's/ListenAddress 0.0.0.0/ListenAddress 192.168.10.9/' /etc/ssh/sshd_config
  3. sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
  4. systemctl reload sshd
  5. netstat -lntup|grep sshd

4. 不用root管理,以普通用户的名义通过sudo授权管理

  1. useradd sand && id sand
  2. echo "123qwe,./" |passwd --stdin sand
  3. \cp /etc/sudoers{,.back}
  4. echo "sand ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers && tail -1 /etc/sudoers
  5. visudo -c

5. 定时自动更新服务器时间

  1. echo '#time sync by 新的用户名 at 2021-05-18' >> /var/spool/cron/root
  2. echo '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' >> /var/spool/cron/root
  3. crontab -l
  4. \cp /var/spool/cron/root{,.back}

6. 定时自动清理邮件目录垃圾文件,防止inodes节点占满

7. 锁定关键性系统文件,防止被篡改

  1. chattr +i /etc/{passwd,shadow,group,gshadow}
  2. lsattr -a /etc/{passwd,shadow,group,gshadow}
  3. # 解锁命令
  4. chattr -i /etc/{passwd,shadow,group,gshadow}

8. 系统内核优化

  1. net.ipv4.conf.lo.arp_ignore=1
  2. net.ipv4.conf.lo.arp_announce=2
  3. net.ipv4.conf.all.arp_ignore=1
  4. net.ipv4.conf.all.arp_announce=2
  5. net.ipv4.tcp_tw_reuse=1
  6. net.ipv4.tcp_tw_recycle=1
  7. net.ipv4.tcp_fin_timeout=10
  8. net.ipv4.tcp_max_syn_backlog=20000
  9. net.core.netdev_max_backlog = 32768
  10. net.core.somaxconn = 32768
  11. net.core.wmem_default=8388608
  12. net.core.rmem_default = 8388608
  13. net.core.rmem_max = 16777216
  14. net.core.wmem_max = 16777216
  15. net.ipv4.tcp_timestamps=0
  16. net.ipv4.tcp_synack_retries = 2
  17. net.ipv4.tcp_syn_retries = 2
  18. net.ipv4.tcp_syncookies=1
  19. net.ipv4.tcp_tw_recycle=1
  20. net.ipv4.tcp_tw_reuse=1
  21. net.ipv4.tcp_mem=94500000 915000000 927000000
  22. net.ipv4.tcp_max_orphans=3276800
  23. net.ipv4.tcp_fin_timeout=10
  24. net.ipv4.tcp_keepalive_time = 120
  25. net.ipv4.ip_local_port_range = 1024 65535
  26. net.ipv4.tcp_max_tw_buckets=80000
  27. net.ipv4.tcp_keepalive_time = 120
  28. net.ipv4.tcp_keepalive_intvl=15
  29. net.ipv4.tcp_keepalive_probes =5
  30. net.ipv4.conf.lo.arp_ignore=1
  31. net.ipv4.conf.lo.arp_announce=2
  32. net.ipv4.conf.all.arp_ignore = 1
  33. net.ipv4.conf.all.arp_announce=2
  34. net.ipv4.tcp_tw_reuse=1
      net.ipv4.tcp_tw_recycle=1
  35. net.ipv4.tcp_fin_timeout=10
  36. net.ipv4.tcp_max_syn_backlog =20000
  37. net.core.netdev_max_backlog = 32768
  38. net.core.somaxconn = 32768
  39. net.core.wmem_default=8388608
  40. net.core.rmem_default = 8388608
  41. net.core.rmem_max=16777216
  42. net.core.wmem_max=16777216
  43. net.ipv4.tcp_timestamps=0
  44. net.ipv4.tcp_synack_retries=2
  45. net.ipv4.tcp_syn_retries=2
  46. # 禁止系统被ping
  47. net.ipv4.icmp_echo_ignore_all=1
  48. # 防火墙
  49. net.nf_conntrack_max = 25000000
  50. net.netfilter.nf_conntrack_max = 25000000
  51. net.netfilter.nf_conntrack_tcp_timeout_established = 180
  52. net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
  53. net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
  54. net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120

9. 删除没必要的系统用户及组

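# Accounts to remove: legacy service users this host does not need.
# Each one is checked with getent first, so an account that does not
# exist on this release is skipped instead of making userdel fail and
# stopping the step part-way through.
for user in lp sync shutdown halt news uucp video games gopher ftp; do
  if getent passwd "$user" >/dev/null; then
    userdel "$user"
  fi
done

# Groups to remove, checked the same way. Users are removed before
# groups (as in the original order) because groupdel refuses to remove
# a group that is still some user's primary group.
for group in lp news uucp games dip; do
  if getent group "$group" >/dev/null; then
    groupdel "$group"
  fi
done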

10. 调整文件描述符的数量

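# Raise the per-process open-files limit. The first and last lines are
# for inspection only; the middle line appends the new limit to
# limits.conf so it applies to future login sessions.
ulimit -n    # current soft limit for this shell; "-n" must be an ASCII hyphen
printf '%s\n' '* - nofile 65535' >>/etc/security/limits.conf
tail -1 /etc/security/limits.conf    # confirm the line was appended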

11. 关闭selinux,及防火墙

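# Turn SELinux off: permissive for the running system (skipped when it is
# already disabled, since setenforce exits non-zero in that state), and
# disabled in the persistent config so the setting survives a reboot.
if [ "$(getenforce)" != "Disabled" ]; then
  setenforce 0
fi
# Anchor on the SELINUX= key so both "enforcing" and "permissive" are
# rewritten, while the SELINUXTYPE= key is left untouched.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

# Author's note: if the host has a public-facing IP address, the
# firewall must be kept enabled.
systemctl disable --now firewalld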

12. 支持中文字符集

yum install kde-l10n-Chinese

# 不建议设置成中文
vim /etc/locale.conf
#LANG="en_US.UTF-8"
LANG="zh_CN.UTF-8"

13. 清空,去除系统及内核版本登录前的屏幕显示

> /etc/issue
或者: echo "" > /etc/issue