#升级内核到最新
可以参考:https://teddylu.xyz/blog/4258.html
#升级openssl
可以参考:https://teddylu.xyz/blog/5036.html
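# Switch to a fast (domestic) mirror and bring the system up to date.
# The stock repo file is moved aside first; if the download then fails we put
# it back, so yum is never left without a Base repo (the original one-liner
# carried on regardless and would have left the box with no repo at all).
cd /etc/yum.repos.d/ || exit 1
/bin/mv CentOS-Base.repo CentOS-Base.repo.bak
if ! wget http://mirrors.163.com/.help/CentOS7-Base-163.repo; then
  echo 'download of CentOS7-Base-163.repo failed, restoring original repo file' >&2
  /bin/mv CentOS-Base.repo.bak CentOS-Base.repo
  exit 1
fi
# The repo file arrives over plain HTTP with no integrity check, so package
# trust rests entirely on yum's GPG verification: refuse to continue silently
# if the mirror's file does not keep gpgcheck enabled.
if ! grep -q '^gpgcheck=1' CentOS7-Base-163.repo; then
  echo 'WARNING: gpgcheck=1 not found in CentOS7-Base-163.repo; review it before upgrading' >&2
fi
yum clean all
yum makecache
yum upgrade -y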
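# Set up the EPEL repository (the original heading misspelt it "eple").
# Prefer option 2: epel-release is installed from the signed CentOS "extras"
# repo, so yum verifies its GPG signature, and the package ships the EPEL
# signing key alongside its repo file. Option 1 fetches a repo file over plain
# HTTP with no integrity check and trusts whatever the mirror serves — use it
# only when extras is unreachable, and inspect the file (gpgcheck=1, gpgkey=)
# before installing anything from it.
# Option 1: mirror-provided repo file
#   wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
# Option 2: signed package (preferred)
yum install epel-release -y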
# Install the usual toolbox.
# - iptables-services is required by the iptables section further down
#   (`service iptables save`, `systemctl enable iptables`).
# - iftop, htop and glances come from EPEL, so the EPEL repo set up above
#   must be in place first.
# - make/cmake/gcc-c++/openssl-devel are only needed for building from source.
yum install -y \
  lrzsz ntpdate sysstat lsof wget tree vim zip unzip \
  iftop net-tools htop glances iptables-services dos2unix \
  make cmake gcc-c++ openssl openssl-devel
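# Set the time zone to Asia/Shanghai.
# On CentOS 7 /etc/localtime is normally a symlink into /usr/share/zoneinfo.
# The original `\cp -f` writes THROUGH an existing symlink (cp dereferences the
# destination), so it can overwrite the zoneinfo file the link points at
# (e.g. clobber .../UTC with Shanghai data) instead of replacing the link.
# Re-pointing the link avoids that and keeps the layout timedatectl expects.
ln -sfn /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
# Equivalent on a systemd host with timedated available:
#   timedatectl set-timezone Asia/Shanghai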
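# Sync the clock every 5 minutes with ntpdate.
# Fixes relative to the original one-liner:
#  * `2 >&1` (with a space) passed the literal "2" to ntpdate as an extra host
#    argument and left stderr unredirected; the redirection is `2>&1`.
#  * Appending straight to /var/spool/cron/root duplicated the entry on every
#    run; go through crontab(1), which also bumps the mtime crond watches, and
#    only add the line when it is missing.
# NOTE: ntpdate steps the clock abruptly. CentOS 7 ships chronyd, which slews
# it gradually and is the better choice on a server
# (`systemctl enable chronyd && systemctl start chronyd`); run one or the
# other, not both.
cron_line='*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1'
if ! crontab -l 2>/dev/null | grep -qF -- "$cron_line"; then
  {
    crontab -l 2>/dev/null
    echo '#sync time every 5 min'
    echo "$cron_line"
  } | crontab -
fi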
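# Stop the local MTA. With postfix down, cron job output (which crond hands
# to sendmail) is queued but never delivered — acceptable on a host that ships
# logs elsewhere, otherwise leave postfix running.
systemctl stop postfix.service
systemctl disable postfix.service

# Replace firewalld with iptables-services (rules are loaded in the iptables
# section further down). Stopping firewalld removes every rule it installed,
# so until that section has run the host has NO packet filter: do this from a
# console / out-of-band session, not over a public interface.
# Mask it as well so nothing can pull it back in alongside iptables.service.
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl mask firewalld.service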
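# Review what starts at boot. Filtering on the unit state is exact, whereas
# the original `grep enabled` also matched any unit NAME containing the word
# and pulled in the "enabled-runtime" state.
systemctl list-unit-files --state=enabled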
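# SELinux. The original set "disabled" and rebooted on the spot, which
# (a) aborts the rest of this script, (b) throws away all AVC logging, and
# (c) forces a full filesystem relabel if SELinux is ever turned back on.
# Prefer "permissive": violations are logged but not blocked, it takes effect
# immediately via setenforce (no reboot), and returning to enforcing later is
# a one-line change. The pattern matches whatever the current value is, not
# only "enforcing" as the original sed did.
sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
setenforce 0 2>/dev/null || true   # no-op when SELinux is already disabled
# Only if it genuinely has to be off (e.g. a vendor requirement):
#   sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config && reboot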
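# Resolver configuration. Pick ONE nameserver set.
# Fixes relative to the original:
#  * it appended BOTH the "China" and "outside China" blocks; glibc honours at
#    most three "nameserver" lines (MAXNS), so entries beyond the third are
#    ignored and the second block never did anything.
#  * appending never removed the installer's existing entries, which kept
#    precedence; overwrite the file instead.
# NOTE: NetworkManager regenerates /etc/resolv.conf on restart. For a setting
# that survives, put DNS1=/DNS2= and PEERDNS=no in the interface's ifcfg file
# (or use nmcli) rather than editing resolv.conf directly.
# Inside China:
cat >/etc/resolv.conf <<'EOF'
nameserver 114.114.114.114
nameserver 8.8.8.8
EOF
# Outside China (alternative; the 4th entry exceeds MAXNS and is never used):
# cat >/etc/resolv.conf <<'EOF'
# nameserver 1.1.1.1
# nameserver 2606:4700:4700::1111
# nameserver 8.8.8.8
# nameserver 2001:4860:4860::8888
# EOF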
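# Raise process / file-descriptor limits for PAM logins.
# Written to limits.d instead of appended to limits.conf because CentOS 7
# ships /etc/security/limits.d/20-nproc.conf ("* soft nproc 4096") and
# limits.d files are read AFTER limits.conf — so the original nproc value was
# silently overridden for non-root users. A file sorting after "20-" wins.
# Overwriting (>) rather than appending (>>) keeps this idempotent.
# NOTE: these apply to PAM sessions only. systemd services need
# LimitNOFILE= / LimitNPROC= in the unit (or DefaultLimit* in system.conf).
cat >/etc/security/limits.d/99-custom.conf <<'EOF'
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
EOF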
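# Kernel tuning. Written to /etc/sysctl.d (overwrite, idempotent — the
# original appended duplicates to sysctl.conf on every run) and loaded with
# `sysctl --system` so it composes with the stock 99-sysctl.conf.
# Points a reviewer would flag before applying this on a server:
#  * net.ipv4.ip_forward=1 turns the host into a router; together with the
#    `-P FORWARD ACCEPT` policy in the iptables section it relays any traffic
#    it receives. Keep it only if this box does NAT/routing (Docker, k8s, VPN),
#    otherwise set it to 0.
#  * net.bridge.bridge-nf-call-iptables needs the br_netfilter module loaded,
#    or sysctl fails on that key ("No such file or directory"); load it and
#    persist it across reboots.
#  * net.core.default_qdisc=fq needs kernel >= 3.12 and tcp_congestion_control
#    =bbr needs >= 4.9 (hence the kernel upgrade referenced at the top); on the
#    stock 3.10 kernel sysctl reports an error for those keys and continues.
#  * net.ipv6.bindv6only=1 stops IPv6 sockets accepting IPv4-mapped
#    connections: daemons that bind only "::" expecting dual-stack lose IPv4.
#  * kernel.shm*/kernel.sem/fs.aio-max-nr are Oracle-style database values;
#    harmless elsewhere but not needed.
#  * vm.overcommit_memory=1 lets allocations always succeed and relies on the
#    OOM killer; intended for Redis-style workloads, not a general default.
modprobe br_netfilter
echo br_netfilter >/etc/modules-load.d/br_netfilter.conf
cat >/etc/sysctl.d/99-custom.conf <<'EOF'
net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-iptables=1
net.ipv4.neigh.default.gc_thresh1=4096
net.ipv4.neigh.default.gc_thresh2=6144
net.ipv4.neigh.default.gc_thresh3=8192
kernel.shmmax = 25769803774
kernel.shmmni = 4096
kernel.shmall = 16777216
kernel.sem = 1010 129280 1010 128
net.ipv4.ip_local_port_range = 9000 65500
net.core.rmem_default = 4194304
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 1048576
fs.aio-max-nr = 1048576
fs.file-max = 6815744
net.core.somaxconn = 1024
vm.overcommit_memory = 1
net.ipv4.tcp_fastopen = 3
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
net.ipv6.bindv6only = 1
EOF
sysctl --system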
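# sshd: move to port 44444 and pin PermitEmptyPasswords no (already the
# default, made explicit). Both seds only match the commented-out stock lines,
# so they are no-ops on a second run or on an already customised config.
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.save
sed -i 's%#Port 22%Port 44444%' /etc/ssh/sshd_config
sed -i 's%#PermitEmptyPasswords no%PermitEmptyPasswords no%' /etc/ssh/sshd_config
# Lock-out guards before the restart:
#  * if SELinux is enforcing, a non-standard port must be labelled first:
#      semanage port -a -t ssh_port_t -p tcp 44444
#  * the firewall must already allow tcp/44444 (the iptables section below
#    does; if firewalld is still active, open it there first).
#  * keep this session open and confirm a fresh login on 44444 works before
#    logging out.
# Validate the edited config; a broken file would otherwise leave sshd down
# after the restart.
if ! sshd -t; then
  echo 'sshd_config failed validation, restoring backup' >&2
  cp /etc/ssh/sshd_config.save /etc/ssh/sshd_config
  exit 1
fi
systemctl restart sshd.service
# Further hardening worth considering (not applied here, as it changes who can
# log in): PermitRootLogin prohibit-password, PasswordAuthentication no
# (key-only), MaxAuthTries 3.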
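# Host firewall via iptables-services (installed above; firewalld disabled).
# Apply from a console, or make sure the port of your current session is in
# the ACCEPT list: the final `-P INPUT DROP` cuts off everything not matched
# above it. `-m state` still works on CentOS 7; `-m conntrack --ctstate` is
# the current spelling if this is ever reworked.

# --- IPv4 ---
# Clean slate (filter + nat); re-running would otherwise append every rule
# a second time.
iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow ping (echo-request only).
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop malformed / scan-style TCP flag combinations (XMAS, NULL, SYN+RST, ...).
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

# Inbound services. tcp/44444 is sshd (ssh section); tcp 80/443 and udp 443
# (HTTP/3) are the web ports. tcp/33333 is opened without any service named
# anywhere in this guide, and is not opened for IPv6 — remove it unless you
# know what listens there.
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 44444 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 443 -j ACCEPT

# Default policies. FORWARD ACCEPT combined with net.ipv4.ip_forward=1 from
# the sysctl section means this host relays traffic between its interfaces
# for anyone; use `-P FORWARD DROP` unless it really is a router/NAT box
# (recent Docker versions manage their own FORWARD rules and set the policy
# to DROP themselves).
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
service iptables save
systemctl enable iptables

# --- IPv6 ---
# Same clean-slate flush as IPv4 (the original skipped it for v6, so repeated
# runs stacked duplicate rules).
ip6tables -F
ip6tables -X
ip6tables -Z
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# All ICMPv6 is needed (NDP, RA, PMTU discovery); do not narrow it to echo
# the way the v4 rule does.
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p tcp -m state --state NEW -m tcp --dport 44444 -j ACCEPT
ip6tables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
ip6tables -A INPUT -p udp -m state --state NEW -m udp --dport 443 -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
service ip6tables save
systemctl enable ip6tables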
Centos7系统优化