环境: CentOS 7.6
前言
为了方便起见,这里借助 Oneinstack 脚本安装基础组件(本文只需要安装 iptables)。注意:下面这条命令通过明文 HTTP 下载脚本并以 root 身份直接执行,且 --reboot 参数会在安装完成后重启服务器,执行前请确认下载来源可信。
wget -c http://mirrors.linuxeye.com/oneinstack-full.tar.gz && tar xzf oneinstack-full.tar.gz && ./oneinstack/install.sh --iptables --reboot
1.配置防火墙
- 修改iptables规则
vim /etc/sysconfig/iptables
- 添加放行规则(这里以 8080 端口为例;该行需放在 INPUT 链中默认拒绝规则之前,否则不会生效)
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
:wq 保存退出
- 重启iptables生效
service iptables restart
2.更改yum镜像源
- 备份镜像源
cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
或者
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
- 添加镜像源(以下两个镜像源二选一即可,同时添加会导致仓库 ID 重复)
cd /etc/yum.repos.d/
wget http://mirrors.163.com/.help/CentOS7-Base-163.repo #网易镜像源
wget http://mirrors.aliyun.com/repo/Centos-7.repo #阿里云镜像源
yum clean all #重建缓存生效
yum makecache
3.修改时区
tzselect #执行命令,根据提示选择 Asia / China / Beijing Time 即可(注意:tzselect 只会输出时区名称并提示如何设置 TZ 变量,不会修改系统时区;CentOS 7 下可用 timedatectl set-timezone Asia/Shanghai 持久生效)
4.更改系统语言
vim /etc/locale.conf
将
LANG="en_US.UTF-8"
修改为
LANG="zh_CN.UTF-8"
:wq 保存退出
source /etc/locale.conf #使当前会话生效(新登录的会话会自动读取该文件)
5.同步硬件时间
hwclock -w #将当前系统时间写入硬件时钟
6.修改命令行颜色
- 修改bash配置文件:
cd ~
vim .bashrc
- 加入下面一行:
PS1="\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@\h \[\e[36;40m\]\w\[\e[0m\]]\\$ "
- 重新加载bash配置
source .bashrc #使配置生效
7.精简开机启动项
- 查看开机启动服务
chkconfig --list
- 停止服务
service <服务名> stop
- 从 chkconfig 管理中移除服务(不会删除服务文件本身)
chkconfig --del <服务名>
- 删除开机自启
chkconfig <服务名> off
或者
systemctl disable <服务名>
8.卸载阿里云盾
文中使用阿里云 ECS 服务器,其他厂商提供的服务器可跳过此步。注意:以下卸载脚本通过明文 HTTP 下载后直接执行,执行前请确认来源;卸载后云盾提供的安全监控与告警将不再可用,请确认已有其他监控手段。
- 卸载阿里云盾监控
wget http://update.aegis.aliyun.com/download/uninstall.sh
sh uninstall.sh
wget http://update.aegis.aliyun.com/download/quartz_uninstall.sh
sh quartz_uninstall.sh
- 删除目录残留
pkill aliyun-service
rm -fr /etc/init.d/agentwatch /usr/sbin/aliyun-service
rm -rf /usr/local/aegis*
9.关闭邮件服务
鉴于邮件服务在其他场景下可能会用到,故先保留软件包,此处仅停止并禁用服务;若需使用,重新启用即可
systemctl stop dovecot
systemctl stop postfix
systemctl disable dovecot
systemctl disable postfix
10.修改欢迎信息及Last Login信息
- 修改欢迎信息
vim /etc/motd #修改文件,自定义欢迎信息
:wq 保存退出
- 关闭 Last Login 打印(注意:上次登录时间与来源的提示有助于发现异常登录,请按需取舍)
vi /etc/ssh/sshd_config #编辑 sshd_config 文件
修改为如下:
PrintMotd no #取消注释,将yes修改为no
PrintLastLog no #取消注释,将yes修改为no
:wq 保存退出
service sshd restart #重启 sshd 服务使配置生效(建议先执行 sshd -t 检查配置语法,避免配置错误导致无法远程登录)
11.内核参数优化
vi /etc/sysctl.conf #修改文件
修改为如下(以下参数请按实际业务压力调整;注意 net.ipv4.tcp_tw_reuse 依赖 tcp_timestamps=1 才能生效,而下方同时将 tcp_timestamps 置为 0;icmp_echo_ignore_all=1 会使主机不响应 ping,影响基于 ping 的监控):
fs.file-max=1000000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_max_syn_backlog = 262144
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_syncookies = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.ip_local_port_range = 1024 65000
net.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_established = 1200
net.ipv4.icmp_echo_ignore_all= 1
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_orphan_retries = 3
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
:wq 保存退出
sysctl -p #执行使配置生效