时间:2020-02-24来源:电脑系统城作者:电脑系统城
我把优化centos7的脚本分享给大家,建议刚安装完服务器的朋友执行如下优化脚本
[root@test2 yum.repos.d]# cat centos7.sh
#!/bin/bash
#author junxi by
#this script is only for CentOS 7.x
#check the OS
platform
=`uname -i`
if[
$platform
!=
"x86_64"
];then
echo
"this script is only for 64bit Operating System !"
exit 1
fi
echo
"the platform is ok"
cat<<
EOF
+---------------------------------------+
| your system is CentOS 7 x86_64 |
| start optimizing....... |
+---------------------------------------+
EOF
#添加公网DNS地址
cat>>
/etc/resolv.conf
<<EOF
nameserver 223.6.6.6
EOF
#Yum源更换为国内阿里源
yum
installwget
-y
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
#添加阿里的epel源
#add the epel
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
#yum重新建立缓存
yum clean all
yum makecache
#同步时间
yum -y
installntp
/usr/sbin/ntpdate ntp1.aliyun.com
echo"* 4 * * * /usr/sbin/ntpdate ntp1.aliyun.com > /dev/null 2>&1"
>>
/var/spool/cron/root
systemctl restart crond.service
#设置主机名
hostnamectl set-hostname qiuyuetao
#设置字符集
#设置最大打开文件描述符数
echo"ulimit -SHn 102400"
>>
/etc/rc.local
cat>>
/etc/security/limits.conf
<<EOF
* soft nofile 655350
* hard nofile 655350
EOF
#禁用selinux
sed-i
's/SELINUX=enforcing/SELINUX=disabled/'/etc/selinux/config
setenforce 0
#关闭防火墙
systemctl disable firewalld.service
systemctl stop firewalld.service
#set ssh
sed-i
's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/'/etc/ssh/sshd_config
sed-i
's/#UseDNS yes/UseDNS no/'/etc/ssh/sshd_config
systemctl restart sshd.service
#内核参数优化
cat>>
/etc/sysctl.conf
<<EOF
#CTCDN系统优化参数
#关闭ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
#决定检查过期多久邻居条目
net.ipv4.neigh.default.gc_stale_time=120
#使用arp_announce / arp_ignore解决ARP映射问题
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1
# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1
#关闭路由转发
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
#开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
#关闭sysrq功能
kernel.sysrq = 0
#core文件名中添加pid作为扩展名
kernel.core_uses_pid = 1
# 开启SYN洪水攻击保护
net.ipv4.tcp_syncookies = 1
#修改消息队列长度
kernel.msgmnb = 65536
kernel.msgmax = 65536
#设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
#timewait的数量,默认180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
#每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 262144
#限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800
#未收到客户端确认信息的连接请求的最大值
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
#内核放弃建立连接之前发送SYNACK 包的数量
net.ipv4.tcp_synack_retries = 1
#内核放弃建立连接之前发送SYN 包的数量
net.ipv4.tcp_syn_retries = 1
#启用timewait 快速回收
net.ipv4.tcp_tw_recycle = 0
#开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
#当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
#允许系统打开的端口范围
net.ipv4.ip_local_port_range = 1024 65000
#修改防火墙表大小,默认65536
net.netfilter.nf_conntrack_max=655350
net.netfilter.nf_conntrack_tcp_timeout_established=1200
# 确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF
/sbin/sysctl -p
#vim定义退格键可删除最后一个字符类型
echo'alias vi=vim'
>>
/etc/profile
echo'stty erase ^H'
>>
/etc/profile
echo'curl ip.6655.com/ip.aspx&&echo'
>>
/etc/profile
cat>>
/root/.vimrc
<<EOF
set tabstop=4
set shiftwidth=4
set expandtab
syntax on
"set number
EOF
#update soft
yum -y update
cat<<
EOF
+------------------------------------------------+
| 优 化 已 完 成 |
| 5s 后 重启 这台服务器 ! |
+------------------------------------------------+
EOF
sleep 5
reboot
##重启加载内核修改
脚本中并未提及内核升级
,如果您需要升级到4.10 ,请执行命令
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
yum --enablerepo
=elrepo-kernel
installkernel-ml -y
&&
sed -i s/saved/0/g /etc/default/grub
&&
grub2-mkconfig -o /boot/grub2/grub.cfg
&&reboot
#不重启不生效!
2024-07-18
Centos 7 二进制安装配置 MariaDB数据库2024-07-18
Centos7默认firewalld防火墙使用命令大全2024-07-07
四种执行python系统命令的方法常用权限linux系统内有档案有三种身份 u:拥有者 g:群组 o:其他人这些身份对于文档常用的有下面权限:r:读权限,用户可以读取文档的内容,如用cat,more查看w:写权限,用户可以编辑文档x...
2024-07-07
然而,如果我们遵循通常的 WordPress 最佳实践,这些安全问题可以避免。在本篇中,我们会向你展示如何使用 WPSeku,一个 Linux 中的 WordPress 漏洞扫描器,它可以被用来找出你安装...
2024-07-03