1:  为系统添加操作用户,并授予sudo权限

[root@localhost ~]# groupadd cai

[root@localhost ~]# useradd cai -g cai

[root@localhost ~]# passwd cai

更改用户 cai 的密码 。

新的 密码:

无效的密码: 过于简单化/系统化

无效的密码: 过于简单

重新输入新的 密码:

passwd: 所有的身份验证令牌已经成功更新。

[root@localhost ~]# su - cai

sudo的配置文件在/etc/sudoers下面,不过是只读文件。想要修改使用“visudo”命令。

用户名  可登录的终端  具体命令(使用绝对路径,which查看)

cairui    ALL=(ALL)      /usr/sbin/useradd

2:  配置Yum源为国内源(在我的其他博客中专门有一篇介绍,此处不写了)

3:  关闭防火墙(iptables)和Selinux

(1)因为防火墙和selinux的设置很麻烦,而且需要大量的时间去搞,所以索性就关掉。

临时关闭防火墙:(可以查看状态,重启,关闭,打开)

[root@localhost ~]# /etc/init.d/iptables

Usage: iptables {start|stop|reload|restart|condrestart|status|panic|save}

永久关闭防火墙:(关闭开机自启)

[root@localhost ~]# chkconfig iptables off

查看iptables开机状态:

[root@localhost ~]# chkconfig --list | grep iptables

iptables           :关闭    :关闭    :关闭    :关闭    :关闭    :关闭    :关闭

(2)关闭selinux

[root@localhost ~]# vim /etc/selinux/config 

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#     enforcing - SELinux security policy is enforced.

#     permissive - SELinux prints warnings instead of enforcing.

#     disabled - No SELinux policy is loaded.

#SELINUX=enforcing

SELINUX=disabled  修改为disabled

# SELINUXTYPE= can take one of these two values:

#     targeted - Targeted processes are protected,

#     mls - Multi Level Security protection.

SELINUXTYPE=targeted

4:  修改ssh服务的默认配置

修改之前先备份默认的配置:

[root@localhost ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

再修改

[root@localhost ~]# vim /etc/ssh/sshd_config

#    $OpenBSD: sshd_config,v 1.80 // :: djm Exp $

# This is the sshd server system-wide configuration file.  See

# sshd_config() for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented.  Uncommented options change a

# default value.

#Port

Port 52000   修改Linux默认连接端口

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress ::

# Disable legacy (protocol version ) support in the server for new

# installations. In future the default will change to require explicit

# activation of protocol

Protocol 

# HostKey for protocol version

#HostKey /etc/ssh/ssh_host_key

# HostKeys for protocol version

#HostKey /etc/ssh/ssh_host_rsa_key

#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version  server key

#KeyRegenerationInterval 1h

#ServerKeyBits 

# Logging

# obsoletes QuietMode and FascistLogging

#SyslogFacility AUTH

SyslogFacility AUTHPRIV

#LogLevel INFO

# Authentication:

#LoginGraceTime 2m

#PermitRootLogin yes

PermitRootLogin no  #不允许root用户登录(因为每个人都知道root能够登录)

#StrictModes yes

#MaxAuthTries

#MaxSessions 

#RSAAuthentication yes

#PubkeyAuthentication yes

#AuthorizedKeysFile    .ssh/authorized_keys

#AuthorizedKeysCommand none

#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#RhostsRSAAuthentication no

# similar for protocol version

#HostbasedAuthentication no

# Change to yes if you don't trust ~/.ssh/known_hosts for

# RhostsRSAAuthentication and HostbasedAuthentication

#IgnoreUserKnownHosts no

# Don't read the user's ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!

#PasswordAuthentication yes

#PermitEmptyPasswords no

PasswordAuthentication yes

# Change to no to disable s/key passwords

#ChallengeResponseAuthentication yes

ChallengeResponseAuthentication no

# Kerberos options

#KerberosAuthentication no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes

#KerberosGetAFSToken no

#KerberosUseKuserok yes

# GSSAPI options

#GSSAPIAuthentication no

GSSAPIAuthentication yes

#GSSAPICleanupCredentials yes

GSSAPICleanupCredentials yes

#GSSAPIStrictAcceptorCheck yes

#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,

# and session processing. If this is enabled, PAM authentication will

# be allowed through the ChallengeResponseAuthentication and

# PasswordAuthentication.  Depending on your PAM configuration,

# PAM authentication via ChallengeResponseAuthentication may bypass

# the setting of "PermitRootLogin without-password".

# If you just want the PAM account and session checks to run without

# PAM authentication, then enable this but set PasswordAuthentication

# and ChallengeResponseAuthentication to 'no'.

#UsePAM no

UsePAM yes

# Accept locale-related environment variables

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

AcceptEnv XMODIFIERS

#AllowAgentForwarding yes

#AllowTcpForwarding yes

#GatewayPorts no

#X11Forwarding no

X11Forwarding yes

#X11DisplayOffset

#X11UseLocalhost yes

#PrintMotd yes

#PrintLastLog yes

#TCPKeepAlive yes

#UseLogin no

#UsePrivilegeSeparation yes

#PermitUserEnvironment no

#Compression delayed

#ClientAliveInterval

#ClientAliveCountMax

#ShowPatchLevel no

#UseDNS yes

UseDNS no  #不使用DNS

#PidFile /var/run/sshd.pid

#MaxStartups ::

#PermitTunnel no

#ChrootDirectory none

# no default banner path

#Banner none

# override default of no subsystems

Subsystem    sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis

#Match User anoncvs

#    X11Forwarding no

#    AllowTcpForwarding no

#    ForceCommand cvs server

修改完之后重启:

[root@localhost ~]# /etc/init.d/sshd

用法: /etc/init.d/sshd {start|stop|restart|reload|force-reload|condrestart|try-restart|status}

5:  系统内核优化

[root@localhost ~]# cat /etc/sysctl.conf

# Kernel sysctl configuration file for Red Hat Linux

#

# For binary values,  is disabled,  is enabled.  See sysctl() and

# sysctl.conf() for more details.

#

# Use '/sbin/sysctl -a' to list all possible parameters.

# Controls IP packet forwarding

net.ipv4.ip_forward = 

# Controls source route verification

net.ipv4.conf.default.rp_filter = 

# Do not accept source routing

net.ipv4.conf.default.accept_source_route = 

# Controls the System Request debugging functionality of the kernel

kernel.sysrq = 

# Controls whether core dumps will append the PID to the core filename.

# Useful for debugging multi-threaded applications.

kernel.core_uses_pid = 

# Controls the use of TCP syncookies

net.ipv4.tcp_syncookies = 

# Controls the default maxmimum size of a mesage queue

kernel.msgmnb = 

# Controls the maximum size of a message, in bytes

kernel.msgmax = 

# Controls the maximum shared segment size, in bytes

kernel.shmmax = 

# Controls the maximum number of shared memory segments, in pages

kernel.shmall = 

# 下面是内核调优参数

net.ipv4.tcp_syn_retries =

net.ipv4.tcp_synack_retries =

net.ipv4.tcp_keepalive_time =

net.ipv4.tcp_keepalive_probes =

net.ipv4.tcp_keepalive_intvl =

net.ipv4.tcp_retries2 =

net.ipv4.tcp_fin_timeout =

net.ipv4.tcp_max_tw_buckets =

net.ipv4.tcp_tw_recycle =

net.ipv4.tcp_tw_reuse =

net.ipv4.tcp_max_orphans =

net.ipv4.tcp_syncookies =

net.ipv4.tcp_max_syn_backlog =

net.ipv4.tcp_wmem =

net.ipv4.tcp_rmem =

net.ipv4.tcp_mem =

net.ipv4.ip_local_port_range =

net.ipv4.ip_conntrack_max =

net.ipv4.netfilter.ip_conntrack_max=

net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=

net.core.somaxconn =

net.core.netdev_max_backlog = 
[root@localhost ~]# sysctl -p    #配置生效

net.ipv4.ip_forward =

net.ipv4.conf.default.rp_filter =

net.ipv4.conf.default.accept_source_route =

kernel.sysrq =

kernel.core_uses_pid =

net.ipv4.tcp_syncookies =

kernel.msgmnb =

kernel.msgmax =

kernel.shmmax =

kernel.shmall =

net.ipv4.tcp_syn_retries =

net.ipv4.tcp_synack_retries =

net.ipv4.tcp_keepalive_time =

net.ipv4.tcp_keepalive_probes =

net.ipv4.tcp_keepalive_intvl =

net.ipv4.tcp_retries2 =

net.ipv4.tcp_fin_timeout =

net.ipv4.tcp_max_tw_buckets =

net.ipv4.tcp_tw_recycle =

net.ipv4.tcp_tw_reuse =

net.ipv4.tcp_max_orphans =

net.ipv4.tcp_syncookies =

net.ipv4.tcp_max_syn_backlog =

net.ipv4.tcp_wmem =

net.ipv4.tcp_rmem =

net.ipv4.tcp_mem =

net.ipv4.ip_local_port_range =

error: "net.ipv4.ip_conntrack_max" is an unknown key

error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key

error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key

net.core.somaxconn =

net.core.netdev_max_backlog =

6:  超时设置(timeout)

为了系统的安全,设置无操作超时自动退出登录设置

临时生效:

[root@centos6 ~]# export TMOUT=

[root@centos6 ~]# timed out waiting for input: auto-logout

永久配置生效:

[root@centos6 ~]# echo "export TMOUT=300" >>/etc/profile 实际生产环境  分钟

[root@centos6 ~]# source / etc/profile

7:  加大文件描述符

文件描述符是由无符号整数表示的句柄(一般使用范围0~65535),进程使用它来标识打开的文件。文件描述符与包括相关信息(如文件的打开模式、文件的位置类型、文件的初始类型等)的对象想关联,这些信息称为文件的上下文。

对于内核而言,所有打开的文件都是通过文件描述符引用的。当打开一个现有文件或者创建一个新文件时,内核向进程返回一个文件描述符。

按照惯例,UNIX系统shell使用0-》标准输入,1-》标准输出,2-》标准错误

查看系统默认的文件描述符大小:

[root@centos6 ~]# ulimit -n

[root@centos6 ~]# echo "* - nofile 65535">>/etc/security/limits.conf

退出重新登录,才会生效

[root@centos6 ~]# ulimit -n

8:  隐藏系统版本消息

[cairui@localhost ~]$ cat /etc/issue

CentOS release 6.8 (Final)

Kernel \r on an \m

[cairui@localhost ~]$ cat /etc/issue.net

CentOS release 6.8 (Final)

Kernel \r on an \m

只需要清空上述的文件内容,就可以隐藏信息。

9:  给grub引导菜单加密码保护(因为grub能进入看到root密码)

[root@localhost ~]# /sbin/grub-md5-crypt

Password:

Retype password:

$$kpiKh/$..jTvOdnHGnMsqqs5OWlM/

[root@localhost ~]# vi /etc/grub.conf

[root@localhost ~]# cat /etc/grub.conf

# grub.conf generated by anaconda

#

# Note that you do not have to rerun grub after making changes to this file

# NOTICE:  You have a /boot partition.  This means that

#          all kernel and initrd paths are relative to /boot/, eg.

#          root (hd0,)

#          kernel /vmlinuz-version ro root=/dev/sda3

#          initrd /initrd-[generic-]version.img

#boot=/dev/sda

default=

timeout=

splashimage=(hd0,)/grub/splash.xpm.gz

hiddenmenu

    password --md5 $1$hv58gkgk9G995885/JG0orl4m  #后来添加的

title CentOS  (2.6.-.el6.x86_64)

    root (hd0,)

    kernel /vmlinuz-2.6.-.el6.x86_64 ro root=UUID=57e48303-c321-4c12-8ac4-7596c31f55ef rd_NO_LUKS  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_MD crashkernel=auto LANG=zh_CN.UTF- rd_NO_LVM rd_NO_DM rhgb quiet

    initrd /initramfs-2.6.-.el6.x86_64.img

10:  调整字符集

[root@centos6 ssh]# echo $LANG

en_US.UTF-

[root@centos6 ssh]# cat /etc/sysconfig/i18n

LANG="en_US.UTF-8"

SYSFONT="latarcyrheb-sun16"

[root@centos6 ssh]# cp /etc/sysconfig/i18n /etc/sysconfig/i18n.2016.12.

[root@centos6 ssh]# sed -i 's#LANG="en_US.UTF-8"#LANG="zh_CN.UTF-8"#g' /etc/sysconfig/i18n

[root@centos6 ssh]# source /etc/sysconfig/i18n

[root@centos6 ssh]# echo $LANG

zh_CN.UTF-

Liunx基础优化配置的更多相关文章

  1. CentOS7.5基础优化与常用配置

    目录 最小化全新安装CentOS7基础优化 配置yum源 安装常用软件 关闭防火墙 关闭SELinux 优化ulimit 历史命令记录改为1万条 把命令提示符改为绿色 添加vim配置文件 添加一个普通 ...

  2. Linu之linux系统基础优化和基本命令

    Linux系统基础优化和基本命令 网络参数设定命令 ifconfig: 查询,设置网卡和ip等参数 ifup,ifdown: 脚本命令,更简单的方式 ip: 符合指令,直接修改上述功能 编辑网卡配置文 ...

  3. Linux实战教学笔记06:Linux系统基础优化

    第六节 Linux系统基础优化 标签(空格分隔):Linux实战教学笔记-陈思齐 第1章 基础环境 第2章 使用网易163镜像做yum源 默认国外的yum源速度很慢,所以换成国内的. 第一步:先备份 ...

  4. 【No.1 Ionic】基础环境配置

    Node 安装 git clone https://github.com/nodejs/node cd node ./configure make sudo make install node -v ...

  5. Centos6.5 64linux系统基础优化(二)

    1  操作的最小化原则 1)安装系统最小化 2)开启程序服务最小化原则 3)操作最小化原则 4)登陆最小化原则;平时没有需求不用root登陆,要用普通登陆. 2  更改ssh服务默认端口及常规配置 # ...

  6. Apache优化配置:修改最大并发连接数

    此文摘自: http://www.365mini.com/page/apache-concurrency-configuration.htm Apache查看连接数和限制当前的连接数 : http:/ ...

  7. Linux基础优化与安全归纳总结

    一名运维工程师在运维岗位上时间久了,就会发现Linux优化的重要性,同时会给运维工作带来很多的便利性.本人逐渐认识到了这一点,所以特意在工作闲暇之余,通过阅读Linux相关书籍及向同事.同行高手咨询, ...

  8. [转帖]关于网络编程中MTU、TCP、UDP优化配置的一些总结

    关于网络编程中MTU.TCP.UDP优化配置的一些总结 https://www.cnblogs.com/maowang1991/archive/2013/04/15/3022955.html 感谢原作 ...

  9. Linux基础优化和安全重点小结

    Linux基础优化和安全重点小结 1.不用root管理,以普通用户的名义通过sudo管理授权(/etc/sudoers)        2.更改默认的ssh服务端口,禁止root用户远程连接,甚至监听 ...

随机推荐

  1. [python] itertools库学习

    最近做 cyber-dojo上的题,好几道都要用到排列组合.一开始我还老老实实自己写算法.后来一想,不对呀!python有那么多的库,为啥不用呢? 于是搜了下,发现这个:itertools 使用 he ...

  2. 原生的ado.net(访问sql server数据库)

    本文介绍原生的ado.net(访问sql server数据库) 写在前面 数据库连接字符串 过时的写法 string str = "server=localhost;database=my_ ...

  3. SqlServer——判断对象是否存在

    对以下对象判断是否存在:database.table.proc.触发器.临时表.索引.对于这些对象的判断是通过数据表 SysObjects来获得的. 一.基础知识 1.SysObjects系统表 对于 ...

  4. 问题:C#属性;结果:c# 属性

    c# 属性 属性:get { //读属性代码 } set { //写属性代码 } public class Person{private string name;public string Name{ ...

  5. Java的JAR包, EAR包 ,WAR包 都是干什么的,有什么区别

    JAR包:打成JAR包的代码,一般作为工具类,在项目中,会应用到N多JAR工具包: WAR包:JAVA WEB工程,都是打成WAR包,进行发布,如果我们的服务器选择TOMCAT等轻量级服务器,一般就打 ...

  6. Bytes和bits的区别(字节和位的区别)

    基本概念 Bit意为“位”或“比特”,是计算机运算的基础,属于二进制的范畴: Byte意为“字节”,是计算机文件大小的基本计算单位: 这两者应用的场合不同.通常用bit来作数据传输的单位,因为物理层, ...

  7. javascript的概述

    JavaScript是怎么诞生的???刚开始的是为了验证表单而开发出来的. 什么是JavaScript???a.面向对象的编程语言b.解释性的编程语言(说白了就是不用编译的一种语言)c.脚本语言(说白 ...

  8. js中的各种宽高

    在设计页面时可能经常会用到固定层的位置,这就需要获取一些html对象的坐标以更灵活的设置目标层的坐标,这里可能就会用到document .body.scrollTop等属性,但是此属性在xhtml标准 ...

  9. day17 9.关闭资源与异常处理

    Java程序跟任何外部设备进行连接之后,都要把连接断开,把资源释放掉.Connection是一个重量级资源,Connecton占内存,Connection的获取是比较消耗资源和内存的.finally是 ...

  10. Android 实现形态各异的双向侧滑菜单 自定义控件来袭(转载)

    1.概述 关于自定义控件侧滑已经写了两篇了~~今天决定把之前的单向改成双向,当然了,单纯的改动之前的代码也没意思,今天不仅会把之前的单向改为双向,还会多添加一种侧滑效果,给大家带来若干种形态各异的双向 ...