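## 1. Install commonly used packages
# The install command is left commented out, as in the original.
# NOTE(review): the list includes network tools (nmap, nc, tcpdump, telnet)
# that widen what is available on a hardened host - install only where an
# operator needs them.
# yum -y install wget net-tools screen lsof tcpdump nc mtr openssl-devel vim bash-completion lrzsz nmap telnet tree ntpdate

## 2. Kernel tuning
# Back up only when no backup exists yet, so a re-run cannot overwrite the
# pristine copy with the file this script generated.
[ -e /etc/sysctl.conf.default ] || cp -p /etc/sysctl.conf /etc/sysctl.conf.default

# Changes to the generated file compared with the earlier revision:
#  - kernel.sysrq was set twice (1, then 0). Only the final "0" (magic SysRq
#    disabled) is kept, since the last assignment is the one that took effect.
#  - net.ipv4.tcp_tw_recycle = 1 is dropped: it breaks connections from
#    clients behind NAT, and the key no longer exists on kernels >= 4.12,
#    where it only makes `sysctl -p` report an error.
# NOTE(review): rp_filter=0 turns off reverse-path (anti-spoofing) filtering.
# Keep 0 only if the host needs asymmetric routing; otherwise prefer 1
# (strict) or 2 (loose).
# NOTE(review): the ip_conntrack_* names are legacy keys. If `sysctl -p`
# reports them as unknown, the limits are not applied - check for the
# net.netfilter.nf_conntrack_* equivalents on the target kernel.
# The delimiter is quoted so nothing in the body is ever expanded by the shell.
cat > /etc/sysctl.conf <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl =15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
kernel.shmmax = 30923764531
kernel.shmall = 7549747
kernel.msgmax = 65535
kernel.msgmnb = 65535
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
kernel.sysrq = 0
EOF
# Load the new values now; unknown keys are reported on stderr.
sysctl -p

## 3. Boot-time service trimming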
# Keep postfix, ntpd and tuned from starting at boot. `disable` only changes
# boot-time enablement; nothing here stops an instance that is already running.
# NOTE(review): with ntpd disabled, nothing visible in this script keeps the
# clock in sync (ntpdate appears only in the package list) - confirm another
# time source exists, because log correlation during an investigation and
# certificate validity checks depend on accurate time.
for unit in postfix ntpd tuned; do
  systemctl disable "$unit"
done
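## 4. Passwords of OS and database administrative accounts must meet
##    complexity requirements and be rotated regularly.
# Back up only when no backup exists yet, so a re-run keeps the pristine copy.
[ -e /etc/login.defs.default ] || cp -p /etc/login.defs /etc/login.defs.default

# Each key is matched at the start of a line with any whitespace separator and
# any current value. The earlier exact-string match ("PASS_MAX_DAYS 99999")
# silently did nothing when the file used tabs or a non-stock value, leaving
# the policy unapplied. Commented-out lines are not touched, and a missing key
# is appended. Note that this enforces the baseline value even where a
# different value was configured before.
for login_def in 'PASS_MAX_DAYS 90' 'PASS_MIN_LEN 8' 'PASS_MIN_DAYS 2'; do
  login_key=${login_def%% *}
  if grep -Eq "^[[:space:]]*${login_key}[[:space:]]" /etc/login.defs; then
    sed -i -E "s/^[[:space:]]*${login_key}[[:space:]].*/${login_def}/" /etc/login.defs
  else
    sed -i "\$a ${login_def}" /etc/login.defs
  fi
done
# NOTE: the aging values in login.defs are applied when an account is created.
# Accounts that already exist keep their current aging settings; review them
# with `chage -l <user>` and adjust them separately.
# NOTE(review): PASS_MIN_LEN is generally not consulted when passwords are
# changed through PAM; the effective minimum length then comes from the PAM
# password-quality module - confirm on the target system.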
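## 5. Enable login-failure handling
# NOTE(review): despite the heading, this section only adds a password-quality
# rule (pam_cracklib). No failed-login lockout (for example pam_faillock or
# pam_tally2) is configured anywhere in this script, so that control is still
# missing.
pam_file=/etc/pam.d/system-auth
pam_rule='password requisite pam_cracklib.so retry=3 difok=2 minlen=8 lcredit=-1 dcredit=-1'

# Back up only when no backup exists yet, so a re-run keeps the pristine copy.
[ -e "${pam_file}.default" ] || cp -p "$pam_file" "${pam_file}.default"

# The rule is added once, directly before the first "password" entry, so that
# it is evaluated ahead of the module that stores the new password. The earlier
# fixed "after line 13" insert depended on the exact file layout and added a
# duplicate line on every run.
# --follow-symlinks: system-auth may be a symlink to a managed file; plain
# `sed -i` would replace the link with a regular file.
if grep -Eq '^[[:space:]]*password[[:space:]].*pam_cracklib\.so' "$pam_file"; then
  : # rule already present - nothing to do
elif grep -Eq '^password[[:space:]]' "$pam_file"; then
  sed -i --follow-symlinks \
    "0,/^password[[:space:]]/s/^password[[:space:]]/${pam_rule}\n&/" "$pam_file"
else
  # No password stack found; append so the rule is not silently dropped.
  sed -i --follow-symlinks "\$a ${pam_rule}" "$pam_file"
fi
# NOTE(review): if this file is regenerated by a configuration tool, the edit
# is lost - verify the rule is still present after such a run.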
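## 6. Idle timeout for login terminals
# bash ends an idle interactive shell after TMOUT seconds (900 s = 15 min).
# The setting is appended once at the end of /etc/profile. The earlier
# "after line 46" insert was silently skipped on a shorter file, could land
# inside a conditional block, and added a duplicate line on every run.
grep -Eq '^[[:space:]]*(readonly[[:space:]]+|export[[:space:]]+)?TMOUT=' /etc/profile ||
  sed -i '$a TMOUT=900' /etc/profile
# NOTE(review): TMOUT is set as an ordinary variable, so a user can unset or
# raise it in their own session. Marking it `readonly` makes the timeout
# binding - confirm whether the baseline requires that.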