Centos 6.x 系统基础优化
1、更换国内yum源
删除系统带的centos官方yum源
rm -rf /etc/yum.repos.d/*
使用国内阿里云源
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
使用国内阿里云epel源
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
提示:如果这里提示没有wget命令,则需要执行:yum install wget -y
2、安装系统基础包
yum install lrzsz tree telnet wget lsof net-tools dos2unix sysstat traceroute unzip zip -y
3、时区配置和时间同步
将硬件时钟调整为与本地时钟一致, 0 为设置为 UTC 时间 >cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
ntpd时间同步服务
yum install chrony -y
配置:
编辑配置文件:/etc/chrony.conf,删除4-6行,并修改第3行,如下:
server time4.aliyun.com iburst
启动chrony服务并设置开机自启
/etc/init.d/chronyd start
chkconfig chronyd on
查看时间同步状态:
[root@centos6 ~]# chronyc sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 203.107.6.88 2 9 377 287 -182us[ -676us] +/- 19ms
4、精简并保留必要的开机自启动服务
关闭不必要的开机启动项,使用下面命令:
chkconfig | egrep -v 'network|sshd|rsyslog|chronyd|crond|ntpd' | awk '{print "chkconfig",$1,"off"}' | bash
5、关闭selinux和iptables
iptables需要根据实际情况来决定是否关闭,请自行判断;
关闭selinux: >sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux
此配置是重启后生效,如果没有条件重启或者不想重启可以使用:
setenforce 0 #此命令仅是忽略,还是建议关闭
6、调整文件描述符数量
修改/etc/security/limits.conf配置文件:
echo '* - nofile 65535'>>/etc/security/limits.conf
增加开机启动:
cat >>/etc/rc.local<<EOF
#open files
ulimit -HSn 65535
#stack size
ulimit -s 65535
EOF
7、锁定关键系统文件,防止提权篡改
上锁:
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
解锁:
chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
8、内核优化
内核优化相关的参数很多,需要根据自身的业务进行相关参数的变更优化
下面提供几个案例优化参数,仅供参考:
#可用于apache,nginx,squid多种等web应用
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
#net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 1024 65535
以下参数是对centos6.x的iptables防火墙的优化,防火墙不开会有提示,可以忽略不理。
如果是centos5.X需要吧netfilter.nf_conntrack替换成ipv4.netfilter.ip
centos5.X为net.ipv4.ip_conntrack_max = 25000000
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
立即生效 /sbin/sysctl -p centos6.5可能会报错
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key