1、基本原则与思路
保证系统最小化安装结束后，再按需打开相应的服务、工具和系统所需要的资源。可以从如下思路去考虑，
例如：
所需加载的模块与不需要加载的模块、开机启动项与应用服务、防火墙、内核参数、句柄数、yum 仓库、环境变量（如 JDK）、历史命令、个人习惯及 vim 等设置、软件包、tty 终端、命令别名等。
CentOS 6
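#!/bin/bash
# CentOS 6 post-install baseline: checks/installs a package list, raises the
# open-file limit, timestamps shell history, (optionally) disables SELinux,
# writes login banners, rewrites /etc/sysctl.conf, trims gettys to tty1-2,
# adds an ntpdate cron job, sets shell aliases, blocks the ipv6 module,
# hardens sshd and turns off every runlevel-3 service except four.
#
# Must run as root. Every file it rewrites is backed up first as
# <file>-bak-<date> (or via sed -i.bak-<date>). Re-running is safe: each
# append is guarded by a grep and each rewrite is idempotent.
#
# Knobs (environment, all optional):
#   DISABLE_SELINUX  1 (default, same as the original script) writes
#                    SELINUX=disabled; 0 leaves /etc/selinux/config alone.
#   NTP_SERVER       host polled by the ntpdate cron job (default ntp.api.bz).
#
# Scraped copy had site tag words glued onto the first lines ("#!/bin/bashapi",
# "yum clean allbash", "do网络"); those made the script unrunnable and are removed.

set -uo pipefail   # no -e on purpose: an optional step failing must not abort provisioning

red()   { printf '\e[1;31m %s\e[0m\n' "$*" >&2; }
green() { printf '\e[1;32m %s\e[0m\n' "$*"; }

[[ $EUID -eq 0 ]] || { red "This script must be run as root."; exit 1; }

stamp=$(date +%F)
disable_selinux=${DISABLE_SELINUX:-1}
ntp_server=${NTP_SERVER:-ntp.api.bz}

# Appends $1 to file $2 unless the file already contains that text.
# Creates the file if it does not exist (same as the original ">>" appends).
ensure_line() {
  local line=$1 file=$2
  grep -qF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

yum clean all
yum makecache || red "Please check that the yum source address is correct"

# --- Before the installation check: install any missing baseline package ---
for pkg in man openssh-clients lsof dstat sysstat vim-enhanced yum-plugin-priorities ntpdate bind-utils; do
  # "^name-[0-9]" avoids matching e.g. "man-pages" when looking for "man".
  if installed=$(rpm -qa | grep -- "^${pkg}-[0-9]"); then
    green "$installed is installed!"
  else
    red "$pkg is not installed!,In the installing,Please wait."
    # Output is discarded as in the original; the exit status is now reported.
    yum install -y "$pkg" > /dev/null 2>&1 || red "yum install $pkg failed"
  fi
done

# --- open-file limit for PAM sessions ---
# NOTE(review): per limits.conf(5) the "*" wildcard is not applied to root;
# add an explicit "root - nofile 65535" line if root needs it too.
ensure_line "* - nofile 65535" /etc/security/limits.conf

# --- shell history: timestamps help incident reconstruction ---
# NOTE(review): HISTCONTROL=ignorespace lets any user keep a command out of
# ~/.bash_history by prefixing it with a space, which works against the audit
# value of HISTTIMEFORMAT. Kept because the original sets it.
ensure_line 'export HISTCONTROL=ignorespace' /etc/profile.d/history.sh
ensure_line 'export HISTTIMEFORMAT="%F-%T "' /etc/profile.d/history.sh
source /etc/profile.d/history.sh

# Enable the yum priorities plugin.
sed -i.bak-"$stamp" 's/enabled.*$/enabled = 1/g' /etc/yum/pluginconf.d/priorities.conf

# --- SELinux ---
# NOTE(review): the original unconditionally disables SELinux, removing the
# mandatory-access-control layer for every service on the host. Prefer
# SELINUX=permissive while policy issues are worked out, or DISABLE_SELINUX=0
# to leave the setting alone. Takes effect after reboot.
# Anchored at "^" so the explanatory "# SELINUX= can take..." comment in the
# stock file is no longer rewritten as well.
if [[ "$disable_selinux" == 1 ]]; then
  sed -i.bak-"$stamp" 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config
fi

# --- pre-login banners ---
# /etc/issue is shown on the console; /etc/issue.net is only shown to SSH
# clients if sshd_config sets "Banner /etc/issue.net", which this script
# does not do.
for banner in /etc/issue.net /etc/issue; do
  \cp "$banner" "$banner-bak-$stamp"
  printf '%s\n' 'Your operation is under monitoring, please note that!' > "$banner"
done

# View connection number
# ss -atu| awk '/^tcp/{++S[$2]} END {for(a in S) print a,S[a]}'

# --- kernel network tuning (replaces /etc/sysctl.conf wholesale) ---
# Comments are on their own lines: sysctl does not strip trailing "# ..."
# text from a value, so the original inline comments could make `sysctl -p`
# reject those keys with "Invalid argument". The stray "↑ # ..." line and
# the duplicate tcp_syn_retries entry from the original are dropped.
\cp /etc/sysctl.conf /etc/sysctl.conf-bak-"$stamp"
cat > /etc/sysctl.conf << 'END'
# Written by the CentOS 6 baseline script; previous file kept as sysctl.conf-bak-<date>.
# SYN cookies: handle SYN-queue overflow, mitigates small SYN floods (default 0).
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 1
# NOTE(review): tcp_tw_recycle breaks clients behind NAT (per-host timestamp
# check) and was removed from the kernel in 4.12. Kept from the original;
# do not carry it to newer kernels.
net.ipv4.tcp_tw_recycle = 1
# Reuse TIME-WAIT sockets for new outbound connections (default 0).
net.ipv4.tcp_tw_reuse = 1
# FIN-WAIT-2 timeout in seconds; 1 is very aggressive (original value kept).
net.ipv4.tcp_fin_timeout = 1
# Idle seconds before the first keepalive probe (default 7200 = 2h, now 20min).
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65535
# SYN queue length (default 1024).
net.ipv4.tcp_max_syn_backlog = 16384
# Max sockets held in TIME_WAIT; beyond this they are destroyed with a warning.
# The original comment said 5000 but the value written was 55000; 55000 is kept.
net.ipv4.tcp_max_tw_buckets = 55000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
END
sysctl -p || red "sysctl -p reported errors; check /etc/sysctl.conf"

# Spawn gettys on tty1-2 only instead of tty1-6.
sed -i.bak-"$stamp" 's|env ACTIVE_CONSOLES=/dev/tty\[1-6\]|env ACTIVE_CONSOLES=/dev/tty[1-2]|' /etc/init/start-ttys.conf

# --- clock sync every 5 minutes ---
# BUG FIX: the original piped a single line into `crontab`, which REPLACES
# root's entire crontab; this appends the job (still only once).
# NOTE(review): ntpdate against a public server is unauthenticated; point
# NTP_SERVER at an internal time source where possible.
if ! crontab -l 2>/dev/null | grep -qF -- "/usr/sbin/ntpdate $ntp_server"; then
  { crontab -l 2>/dev/null; printf '*/5 * * * * /usr/sbin/ntpdate %s\n' "$ntp_server"; } | crontab -
fi

# --- interactive aliases ---
ensure_line "alias grep='grep --color=auto'" /etc/profile.d/command-alias.sh
ensure_line "alias vi='vim'" /etc/profile.d/command-alias.sh
source /etc/profile.d/command-alias.sh

# Stop the ipv6 module from loading (effective after reboot / module unload).
ensure_line "install ipv6 /bin/true" /etc/modprobe.d/disable-ipv6.conf

# Raise the limit for this shell now and for every boot via rc.local.
ulimit -SHn 65535
ensure_line "ulimit -SHn 65535" /etc/rc.local

# show file open number
# for pid in `ps aux | grep httpd | grep -v grep | awk '{print $2}'`
# do
# cat /proc/$pid/limits | grep "Max open files"
# done

# --- sshd hardening ---
# BUG FIX: the original patterns only matched the commented-out defaults
# ("#PermitRootLogin ..."); an already-active "PermitRootLogin yes" line was
# left in place. Match the directive whether or not it is commented, and do
# all three edits in one pass so the .bak file is the pristine original.
# NOTE(review): PermitRootLogin no locks root out over SSH; make sure a
# non-root account with sudo/key access exists before the restart below.
sed -i.bak-"$stamp" \
  -e 's/^#\?PermitRootLogin .*$/PermitRootLogin no/' \
  -e 's/^#\?PermitEmptyPasswords .*$/PermitEmptyPasswords no/' \
  -e 's/^#\?UseDNS .*$/UseDNS no/' /etc/ssh/sshd_config
grep -E 'Root|Empty|DNS' /etc/ssh/sshd_config
# Validate the config first so a bad edit cannot take sshd (and remote access) down.
if /usr/sbin/sshd -t; then
  service sshd restart
else
  red "sshd_config failed validation (sshd -t); sshd NOT restarted"
fi

####### runlevel 3: keep only crond, rsyslog, sshd, network ########
# NOTE(review): everything else that was on at runlevel 3 is switched off —
# on a default install that typically includes iptables/ip6tables and auditd,
# so the host ends up with no packet filter unless they are re-enabled.
while read -r svc; do
  chkconfig --level 3 "$svc" off
done < <(chkconfig --list | grep 3:on | awk '{print $1}')
for svc in crond rsyslog sshd network; do
  chkconfig --level 3 "$svc" on
done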
######squid########
# Per-service sysctl profiles, apparently intended as alternatives to the
# generic block the script writes into /etc/sysctl.conf, for a squid,
# nginx/apache or postfix host respectively. They are config fragments, not
# shell commands: place the chosen set in /etc/sysctl.d/ or /etc/sysctl.conf
# and load it with `sysctl -p`; do not paste them into the script body.
# NOTE(review): tcp_tw_recycle appears in every profile below; it breaks
# clients behind NAT and was removed from the kernel in 4.12 — drop it on
# anything newer than the CentOS 6 kernel.
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 10000 65535
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
#######nginx or apache ############
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 10000 65535
########postfix##########
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 10000 65535
# Max size of a single shared-memory segment, in bytes (128 MiB here).
kernel.shmmax = 134217728
CentOS 7
安装命令参数自动补全包（bash-completion）：
# Non-interactive install of bash-completion (tab completion for command options).
yum -y install bash-completion
chrony