#1、初始化目录结构
[root@TEST ~]# mkdir /server/tools -p 存放编译软件源码目录
[root@TEST ~]# mkdir /application -p 软件程序的安装目录
[root@TEST ~]# mkdir /server/scripts -p 存放脚本的目录
#2、修改/tmp权限(一般默认不用修改)
/tmp目录权限必须为1777,不能改变
[root@TEST ~]# chmod 1777 /tmp <修改 /tmp目录的权限>
#3、虚拟机网卡设置
[root@TEST ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
UUID=4554b848-3744-4792-ac09-712c8570bca1
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=10.0.0.200
NETMASK=255.255.255.0
GATEWAY=10.0.0.2
DNS=114.114.114.114
DNS1=8.8.8.8
重启服务 [root@TEST ~]# service network restart
网络测试 [root@TEST ~]# ping www.baidu.com <能ping通,代表配置成功>
#4、更改默认yum源
[root@TEST ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
[root@TEST ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
#5、关闭selinux
[root@TEST ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@TEST ~]# cat /etc/selinux/config | grep "SELINUX=disabled"
SELINUX=disabled
[root@TEST ~]# setenforce 0
[root@TEST ~]# getenforce
Disabled
说明:setenforce 0 仅对当前运行的系统临时生效,/etc/selinux/config 中的 SELINUX=disabled 在重启系统后永久生效
#6、关闭防火墙,开启80、3306端口
关闭防火墙:
[root@TEST ~]# /etc/init.d/iptables stop
[root@TEST ~]# /etc/init.d/iptables stop
[root@TEST ~]# chkconfig iptables off <关闭开机自启动>
开放端口:
[root@TEST ~]# vim /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT #允许80端口通过防火墙
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT #允许3306端口通过防火墙
备注:很多网友把这两条规则添加到防火墙配置的最后一行,导致防火墙启动失败,正确的应该是添加到默认的22端口这条规则的下面
[root@TEST ~]# /etc/init.d/iptables restart #最后重启防火墙使配置生效
#7、精简开机自启动服务
[root@TEST ~]# chkconfig --list |grep 3:on | awk '{print $1}' | grep -Ev 'crond|network|rsyslog|sshd|sysstat' | awk '{print "chkconfig " $1 " off"}' | bash
[root@TEST ~]# export LANG=en_US.UTF-8
[root@TEST ~]# chkconfig --list | grep 3:on
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off
#8、账号提权(可不操作;注意下面的 sudoers 配置授予 oldboy 免密码的完整 root 权限)
[root@TEST ~]# useradd oldboy
[root@TEST ~]# echo 123456|passwd --stdin oldboy
[root@TEST ~]# cp /etc/sudoers /etc/sudoers.ori
[root@TEST ~]# echo "oldboy ALL=(ALL) NOPASSWD: ALL " >>/etc/sudoers
[root@TEST ~]# tail -1 /etc/sudoers
[root@TEST ~]# visudo -c
#9、中文字符集(不用做)
[root@TEST ~]# cp /etc/sysconfig/i18n /etc/sysconfig/i18n.ori
[root@TEST ~]# echo 'LANG="zh_CN.UTF-8"' >> /etc/sysconfig/i18n
[root@TEST ~]# source /etc/sysconfig/i18n
[root@TEST ~]# echo $LANG
#10、时间同步
[root@TEST ~]# echo '#time sync by Mr.Young at 2018-08-14' >> /var/spool/cron/root
[root@TEST ~]# echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root
[root@TEST ~]# crontab -l
#11、加大文件描述符
[root@TEST ~]# echo '* - nofile 65535 ' >> /etc/security/limits.conf
[root@TEST ~]# tail -1 /etc/security/limits.conf
* - nofile 65535
#12、内核优化
说明:内核优化可能报错(例如参数名拼写有误,或 nf_conntrack 模块未加载时 net.netfilter.* 参数不存在),谨慎选择;执行 sysctl -p 后应检查其输出和返回值
[root@TEST ~]# cat >> /etc/sysctl.conf << EOF
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
[root@TEST ~]# echo $?
0
[root@TEST ~]# sysctl -p #让内核配置文件中的参数生效
[root@TEST ~]# echo $?
255
#13、下载安装系统基础软件
[root@TEST ~]# yum install lrzsz nmap tree dos2unix nc -y