#!/bin/bash
# written by mofansheng@2015-11-03
# system optimization script
# The following applies to CentOS 6.x
. /etc/init.d/functions

# Abort the script if the previous command failed; otherwise carry on.
function check_ok(){
    if [ $? -eq 0 ]
    then
        echo ""
        return 0
    else
        echo "pls check error"
        exit 1
    fi
}

cat<<EOF
-----------------------------------------------------------------------
|                       system optimization                           |
-----------------------------------------------------------------------
EOF

#1. Update the system
yum update -y
yum install -y net-tools wget telnet perl perl-devel kernel-devel bash-completion ntpdate vim
#yum install gcc cmake bzip2-devel curl-devel db4-devel libjpeg-devel libpng-devel freetype-devel libXpm-devel gmp-devel libc-client-devel openldap-devel unixODBC-devel postgresql-devel sqlite-devel aspell-devel net-snmp-devel libxslt-devel libxml2-devel pcre-devel pspell-devel libmemcached libmemcached-devel zlib-devel vim wget lrzsz tree yum groupinstall "Development tools" -y

#2. Make /etc/rc.local executable
chmod +x /etc/rc.d/rc.local

#3. Disable unnecessary system services
# Every enabled unit that is not on the keep-list below is disabled and stopped.
echo "===Close unimportant system services, it will take several minutes==="
for i in $(systemctl list-unit-files | grep 'enabled' | awk '{print $1}' | grep -Ev "crond|sshd|sysstat|rsyslog|network|dbus|systemd|multi|default|NetworkManager|auditd"); do
    systemctl disable "$i"; systemctl stop "$i"; systemctl status "$i"
done
check_ok
action "Close unimportant system services" /bin/true

#4. Close SELinux
echo "===close SELINUX==="
if [ "$(getenforce)" != "Disabled" ]
then
    sed -i '/^SELINUX/s/enforcing/disabled/g' /etc/selinux/config
    setenforce 0
    echo "selinux is disabled"
else
    action "SELINUX is closed" /bin/true
fi
check_ok
action "Close SELINUX" /bin/true

#5. Stop firewalld and install iptables
systemctl stop firewalld.service
systemctl disable firewalld.service
yum install iptables-services -y

#6. Set the hostname
hostnamectl set-hostname vm1

#7. Set the character set (locale)
yum -y install kde-l10n-Chinese
localectl set-locale LANG=zh_CN.utf8
echo "LANG=zh_CN.UTF-8" > /etc/environment
echo "LC_ALL=zh_CN.UTF-8" >> /etc/environment
echo "LANG=zh_CN.utf8" > /etc/locale.conf
source /etc/locale.conf

#8. Raise the open-files limit and tune the kernel
echo "* soft nofile 65535" >> /etc/security/limits.conf
echo "* hard nofile 65535" >> /etc/security/limits.conf
echo "* soft nproc 65535" >> /etc/security/limits.conf
echo "* hard nproc 65535" >> /etc/security/limits.conf

cat >> /etc/sysctl.conf << "EOF"
# CTCDN system tuning parameters
fs.file-max = 655536
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# How long (seconds) before a neighbour (ARP) entry is checked for staleness
net.ipv4.neigh.default.gc_stale_time=120
# Use arp_announce / arp_ignore to fix ARP mapping problems
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
# Ignore broadcast ICMP echo requests to avoid amplification attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Protect against bogus ICMP error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Disable IP forwarding and the sending of ICMP redirects
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Do not accept source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Disable the magic SysRq key
kernel.sysrq = 0
# Append the PID to core dump file names
kernel.core_uses_pid = 1
# Enable SYN cookies (SYN flood protection)
net.ipv4.tcp_syncookies = 1
# Message queue sizes
kernel.msgmnb = 65536
kernel.msgmax = 65536
# Maximum shared memory segment size (bytes)
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
# Maximum number of TIME_WAIT sockets, default 180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# Maximum number of packets queued when an interface receives packets faster than the kernel can process them
net.core.netdev_max_backlog = 262144
# Limit on orphaned sockets; only there to fend off simple DoS attacks
net.ipv4.tcp_max_orphans = 3276800
# Maximum number of connection requests not yet acknowledged by the client
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
# Number of SYN-ACK retransmissions before the kernel gives up on a connection
net.ipv4.tcp_synack_retries = 1
# Number of SYN retransmissions before the kernel gives up on a connection
net.ipv4.tcp_syn_retries = 1
# Enable fast recycling of TIME_WAIT sockets
net.ipv4.tcp_tw_recycle = 1
# Enable reuse: allow TIME_WAIT sockets to be reused for new TCP connections
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
# How often TCP sends keepalive messages when keepalive is enabled; the default is 2 hours
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
# Local port range the system may use
net.ipv4.ip_local_port_range = 1024 65000
# Connection tracking table size, default 65536
net.netfilter.nf_conntrack_max=655350
net.netfilter.nf_conntrack_tcp_timeout_established=1200
# Make sure nobody can alter the routing table via ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF
# Apply
sysctl -p

# User process limit
sed -i 's#4096#65535#g' /etc/security/limits.d/20-nproc.conf   # raise the limit for ordinary users; could also be set to unlimited

#set SSH
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
sed -i 's/#Port 22/Port 65500/g' /etc/ssh/sshd_config
service sshd restart

#set system files permission
chmod 600 /etc/passwd
chmod 600 /etc/group
chmod 600 /etc/shadow
chmod 600 /etc/gshadow

#set ntp
yum install ntpdate -y
ntpdate ntp.fudan.edu.cn
echo "* 3 * * * /usr/sbin/ntpdate ntp.fudan.edu.cn >/dev/null 2>&1" >>/etc/crontab
service crond restart
check_ok
action "ntpdate is installed and add in crontab" /bin/true

#set vim
echo "===install vim, it will take several minutes==="
yum install vim-enhanced -y &>/dev/null
alias vi=vim
echo "alias vi=vim" >>/root/.bashrc
check_ok
action "vim is installed" /bin/true

#set yum repos
echo "===update yum repos, it will take several minutes==="
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all &>/dev/null
yum makecache &>/dev/null
check_ok
action "yum repos update is ok" /bin/true
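The sysctl block above appends its settings to /etc/sysctl.conf, and because sysctl takes the last assignment of a key, a later line (or a leftover from an earlier run) can silently undo a hardening value. The script below is an added example, not part of the original script: it audits a sysctl.conf-style file against the security-relevant keys the script sets (rp_filter, accept_source_route, redirects, ip_forward, ICMP protections, SYN cookies, SysRq) and reports every key that is missing or drifted. The expected values are taken from the script; the sample configuration file is constructed for the demonstration and is not from any real host.

```bash
#!/bin/bash
# Added example: audit a sysctl.conf-style file against the hardening values
# the optimization script writes. Not part of the original script.

# Security-relevant keys and the values the script sets for them.
EXPECTED_SYSCTL="net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.ip_forward=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
kernel.sysrq=0"

# Print the effective value of KEY in FILE, or nothing if it is not set.
# Comments and blank lines are ignored, "key = value" and "key=value" are both
# accepted, and the LAST assignment wins (this is what sysctl -p does).
sysctl_conf_get() {
    local file="$1" key="$2"
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" \
      | awk -F'=' -v k="$key" '
          NF >= 2 {
              gsub(/[[:space:]]+$/, "", $1)
              if ($1 == k) { v = $2; sub(/^[[:space:]]+/, "", v); found = 1 }
          }
          END { if (found) print v }'
}

# Audit FILE against EXPECTED_SYSCTL. Prints one line per deviation as
#   key expected=X actual=Y      (actual=<missing> when the key is absent)
# and returns the number of deviations, so 0 means fully compliant.
audit_sysctl() {
    local file="$1" line key want have bad=0
    while IFS= read -r line; do
        key="${line%%=*}"
        want="${line#*=}"
        have="$(sysctl_conf_get "$file" "$key")"
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "${have:-<missing>}"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED_SYSCTL
EOF
    return "$bad"
}

# Constructed sample (not a real host's file): ip_forward is re-enabled later
# in the file, tcp_syncookies is off, and kernel.sysrq is missing entirely.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_forward = 0   # forwarding disabled here ...
net.ipv4.ip_forward = 1   # ... but re-enabled further down: this line wins
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 0
EOF

if audit_sysctl "$SAMPLE_CONF"; then
    echo "sysctl hardening: compliant"
else
    echo "sysctl hardening: $? deviation(s) found"
fi
```

Run it against a real host with `audit_sysctl /etc/sysctl.conf` after the script has finished, or point it at `/etc/sysctl.d/*.conf` files one by one; a non-zero exit status makes it usable from a cron job or a configuration-management check. Comparing the file rather than `sysctl -a` output shows what will survive a reboot, which is the question the persistence step in the script is meant to answer.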