根据这篇博文的优化介绍:http://lizhenliang.blog.51cto.com/7876557/1349879
简单写了一键执行脚本,对批量部署很有帮助,脚本内容执行顺序如下:
1、关闭Selinux
2、清空防火墙并设置基本规则
3、添加user用户并进行Sudo授权管理(根据需求添加自己的用户)
4、禁用Root远程登录
5、禁用不使用的自启动服务
6、删除不使用的系统用户
7、关闭重启组合键(ctl-alt-delete)
8、调整文件描述符大小
9、修改系统显示信息
10、修改历史记录
11、同步系统时间
12、内核参数优化
[root@localhost ~]# vi optimizing.sh #!/bin/bash cat << EOF +---------------------------------------+ | Start Optimize ...... | +---------------------------------------+ EOF ########## Shut selinux ########## sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config echo "Shut selinux. [ OK ]" ########## Set firewall ########## /sbin/iptables -F /sbin/iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT /sbin/iptables -A INPUT -p udp --dport 123 -j ACCEPT /sbin/iptables -A INPUT -p icmp -j ACCEPT /sbin/iptables -P INPUT DROP /etc/init.d/iptables save > /dev/null 2>&1 echo "Set firewall. [ OK ]" ########## Auth and add user ########## /usr/sbin/useradd user > /dev/null 2>&1 #添加user用户并设置密码123.com if [[ $? -eq 0 ]];then echo "123.com" | passwd --stdin user > /dev/null 2>&1 sed -i "99 s/^/user ALL=(ALL) ALL/" /etc/sudoers echo "Auth and add user. [ OK ]" else echo "User already exist! [Fail]" fi ########## Shut root login ########## sed -i "s/#PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config sed -i "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g" /etc/ssh/sshd_config sed -i "s/#UseDNS yes/UseDNS no/g" /etc/ssh/sshd_config echo "Shut root login. [ OK ]" ########## Forbidden not use service ########## /sbin/chkconfig auditd off /sbin/chkconfig blk-availability off /sbin/chkconfig ip6tables off /sbin/chkconfig lvm2-monitor off /sbin/chkconfig netfs off /sbin/chkconfig udev-post off echo "Forbidden not use service. [ OK ]" ########## Delete not use user ########## /usr/sbin/userdel adm > /dev/null 2>&1 /usr/sbin/userdel lp > /dev/null 2>&1 /usr/sbin/userdel shutdown > /dev/null 2>&1 /usr/sbin/userdel halt > /dev/null 2>&1 /usr/sbin/userdel uucp > /dev/null 2>&1 /usr/sbin/userdel operator > /dev/null 2>&1 /usr/sbin/userdel games > /dev/null 2>&1 /usr/sbin/userdel gopher > /dev/null 2>&1 if [[ $? -eq 0 ]];then echo "Delete not use service. [ OK ]" else echo "Not use user already deleted! [Fail]" fi ########## Shut reboot combination key ########## sed -i 's#exec /sbin/shutdown -r now#\#exec /sbin/shutdown -r now#' /etc/init/control-alt-delete.conf echo "Shut reboot combination key. [ OK ]" ########## Modify file descriptor size ########## echo "* soft nofile 102400" >> /etc/security/limits.conf echo "* hard nofile 102400" >> /etc/security/limits.conf echo "Modify file descriptor size. [ OK ]" ########## Modify system show message ########## echo "Welcome to Server." >/etc/issue echo "Welcome to Server." >/etc/redhat-release echo "Modify system show message. [ OK ]" ########## Modify history ########## sed -i "s/HISTSIZE=1000/HISTSIZE=10/g" /etc/profile source /etc/profile echo "Modify history. [ OK ]" ########## Sync timezone ########## yum install ntp -y > /dev/null 2>&1 cp -rf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime /usr/sbin/ntpdate cn.pool.ntp.org > /dev/null 2>&1 /sbin/hwclock -w echo "0 * * * * /usr/sbin/ntpdate cn.pool.ntp.org ; hwclock -w" >> /etc/crontab echo "Sync timezone. [ OK ]" ########## Kernel optimize ########## cat >> /etc/sysctl.conf << EOF net.ipv4.tcp_fin_timeout = 2 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_tw_recycle = 1 net.ipv4.ip_local_port_range = 4096 65000 net.ipv4.tcp_max_tw_buckets = 5000 net.ipv4.tcp_max_syn_backlog = 4096 net.core.netdev_max_backlog = 10240 net.core.somaxconn = 2048 net.core.wmem_default = 4096000 net.core.rmem_default = 4096000 net.core.rmem_max = 4096000 net.core.wmem_max = 4096000 net.ipv4.tcp_synack_retries = 2 net.ipv4.tcp_syn_retries = 2 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_max_orphans = 3276800 net.ipv4.tcp_mem = 94500000 915000000 927000000 EOF echo "Kernel optimize. [ OK ]" cat << EOF +---------------------------------------+ | Optimize the end ...... | | Please reboot your system ! | +---------------------------------------+ EOF
