I deployed a CentOS Linux server on Windows with VMware Player and did some server configuration; I am writing it down here so I do not forget.

1. Set the machine IP

# vi /etc/sysconfig/network-scripts/ifcfg-eth0

Change it to:
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.148.255
HWADDR=00:15:17:3D:AC:7D
IPADDR=192.168.148.137    --because the Windows host's IP on the VMware Network Adapter VMnet8 network is 192.168.148.1; the virtual machine uses NAT networking and treats the Windows host as its gateway.
NETMASK=255.255.255.0
NETWORK=192.168.148.0

ONBOOT=yes
TYPE=Ethernet

Apply the settings:

# /sbin/ifdown eth0
# /sbin/ifup eth0
# /etc/init.d/network restart
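As an added example, not part of the original post: a small shell script that checks an ifcfg-eth0 file for internal consistency. It computes the NETWORK and BROADCAST addresses that follow from IPADDR and NETMASK and compares them with what the file declares; a typo in any of the four fields leaves the interface unreachable after ifup, so this is worth running before the network restart. The two ifcfg files it reads are constructed here: the first uses the post's values, the second deliberately carries a wrong NETWORK line.

```sh
#!/bin/sh
# Added example, not from the original post: verify that IPADDR, NETMASK,
# NETWORK and BROADCAST in an ifcfg-style file agree with each other.

# Dotted-quad -> 32-bit integer.
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# 32-bit integer -> dotted-quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Value of KEY ($2) in FILE ($1), ignoring anything after the first whitespace
# (the post keeps an inline "--note" after the IPADDR value).
ifcfg_get() {
    sed -n "s/^$2=\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Print the NETWORK/BROADCAST implied by IPADDR+NETMASK and return 0 only if
# the file's own NETWORK and BROADCAST lines match them.
check_ifcfg() {
    ipn=$(ip2int "$(ifcfg_get "$1" IPADDR)")
    maskn=$(ip2int "$(ifcfg_get "$1" NETMASK)")
    expect_net=$(int2ip $(( ipn & maskn )))
    expect_bcast=$(int2ip $(( ipn | (~maskn & 4294967295) )))
    echo "NETWORK=$expect_net BROADCAST=$expect_bcast"
    [ "$(ifcfg_get "$1" NETWORK)" = "$expect_net" ] &&
        [ "$(ifcfg_get "$1" BROADCAST)" = "$expect_bcast" ]
}

# Constructed sample files (not taken from a real host).
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.148.255
IPADDR=192.168.148.137    --Windows host on VMnet8 is 192.168.148.1 (NAT)
NETMASK=255.255.255.0
NETWORK=192.168.148.0
ONBOOT=yes
TYPE=Ethernet
EOF

# Same file with a wrong NETWORK line, to show the check failing.
BAD=$(mktemp)
sed 's/^NETWORK=.*/NETWORK=192.168.0.0/' "$GOOD" > "$BAD"

for f in "$GOOD" "$BAD"; do
    if check_ifcfg "$f"; then echo "$f: consistent"; else echo "$f: MISMATCH"; fi
done
```

Run it against the real file with `check_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0`; a non-zero exit means one of the four address fields disagrees with the others.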

2. Set the SSH terminal character set to Chinese

# cd
# vi .bash_profile
LC_ALL=zh_CN.GB18030
export LC_ALL
# source .bash_profile

3. Disable unneeded services

# ntsysv
crond
irqbalance    --only needed when the server CPU is SMP or supports dual-core or HT; otherwise disable it
microcode_ctl
network
vsftpd
sshd
syslog
yum-updatesd

Keep at least the services listed above.

For what each service does, see: http://hi.baidu.com/edeed/blog/item/6fccd43fa12b5fc67c1e716c.HTML

4. Update the repository source addresses

# cd /etc/yum.repos.d
# vi CentOS-Base.repo

Add:

# CentOS-Base.repo
#
# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-5.1 - Base
#mirrorlist=http://mirrorlist.centos.org/?release=5.1&arch=$basearch&repo=os
baseurl=http://centos.stksky.com/centos/5.1/os/$basearch/
gpgcheck=1
gpgkey=http://centos.stksky.com/centos/RPM-GPG-KEY-CentOS-5

#released updates
[updates]
name=CentOS-5.1 - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=5.1&arch=$basearch&repo=updates
baseurl=http://centos.stksky.com/centos/5.1/updates/$basearch/
gpgcheck=1
gpgkey=http://centos.stksky.com/centos/RPM-GPG-KEY-CentOS-5

#packages used/produced in the build but not released
[addons]
name=CentOS-5.1 - Addons
#mirrorlist=http://mirrorlist.centos.org/?release=5.1&arch=$basearch&repo=addons
baseurl=http://centos.stksky.com/centos/5.1/addons/$basearch/
gpgcheck=1
gpgkey=http://centos.stksky.com/centos/RPM-GPG-KEY-CentOS-5

#additional packages that may be useful
[extras]
name=CentOS-5.1 - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=5.1&arch=$basearch&repo=extras
baseurl=http://centos.stksky.com/centos/5.1/extras/$basearch/
gpgcheck=1
gpgkey=http://centos.stksky.com/centos/RPM-GPG-KEY-CentOS-5

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-5.1 - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=5.1&arch=$basearch&repo=centosplus
baseurl=http://centos.stksky.com/centos/5.1/centosplus/$basearch/
gpgcheck=1
enabled=1
gpgkey=http://centos.stksky.com/centos/RPM-GPG-KEY-CentOS-5

5. Periodically correct the server time

# yum install -y ntp
# crontab -e
0 23 * * * /usr/sbin/ntpdate 203.117.180.36 > /dev/null 2>&1

A per-user crontab edited with crontab -e has no user field; the user column belongs only in /etc/crontab, so a "root" field here would be run as the command name.

6. Update the system

# yum upgrade

7. Install development packages

# yum install gcc gcc-c++ gcc-g77 flex bison autoconf automake bzip2-devel zlib-devel ncurses-devel libjpeg-devel libpng-devel libtiff-devel freetype-devel pam-devel openssl-devel libxml2-devel gettext-devel pcre-devel fontconfig-devel libevent-devel glib2-devel

8. Optimize compile flags

Refer to http://gentoo-wiki.com/Safe_Cflags and choose flags based on the machine's actual configuration.

9. Server parameter tuning

Parameter adjustments:

1) # vi /usr/include/bits/typesizes.h

#define __FD_SETSIZE            1024

Change it to

#define __FD_SETSIZE            65535

Load at boot:

# /etc/rc.d/rc.local

2) # echo 65535 > /proc/sys/fs/file-max

3) # ulimit -HSn 65536

Kernel tuning:

# vi /etc/sysctl.conf

For reference only:

net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=1800
net.ipv4.tcp_max_syn_backlog=8192

net.core.rmem_max = 67108864
net.core.rmem_default = 65536
net.core.wmem_max = 67108864
net.core.wmem_default = 65536
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mem = 67108864 67108864
net.ipv4.route.flush = 1
net.core.netdev_max_backlog = 3000

# sysctl -p
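As an added example, not part of the original post: a lint pass over a sysctl.conf fragment before `sysctl -p` applies it. It reports lines without an `=` and checks that net.ipv4.tcp_rmem, net.ipv4.tcp_wmem and net.ipv4.tcp_mem each carry exactly three non-decreasing values, since the kernel expects min/default/max for the first two and low/pressure/high (counted in pages, not bytes) for tcp_mem. The fragment it runs over is constructed from the post's values; it keeps the two-field tcp_mem line exactly as the post has it and drops the `=` from one more line, so both checks trigger.

```sh
#!/bin/sh
# Added example, not from the original post: lint a sysctl.conf fragment
# before "sysctl -p". Prints one line per problem and returns the number
# of problems found (0 means clean).

# Tunables that take three values: min default max (tcp_mem: low pressure high).
THREE_FIELD_KEYS="net.ipv4.tcp_rmem net.ipv4.tcp_wmem net.ipv4.tcp_mem"

sysctl_lint() {
    lint_file=$1
    issues=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|';'*) continue ;;          # blank or comment
            *=*) ;;                            # looks like key = value
            *) echo "malformed line (no '='): $line"
               issues=$((issues + 1)); continue ;;
        esac
        key=$(printf '%s\n' "$line" | sed 's/[[:space:]]*=.*//')
        value=$(printf '%s\n' "$line" | sed 's/^[^=]*=[[:space:]]*//')
        for k in $THREE_FIELD_KEYS; do
            [ "$key" = "$k" ] || continue
            set -- $value                      # split the value into fields
            if [ $# -ne 3 ]; then
                echo "$key: expected 3 values, got $#: '$value'"
                issues=$((issues + 1))
            elif [ "$1" -gt "$2" ] || [ "$2" -gt "$3" ]; then
                echo "$key: values must be non-decreasing: '$value'"
                issues=$((issues + 1))
            fi
        done
    done < "$lint_file"
    return $issues
}

# Constructed fragment: the post's TCP settings, plus one broken line.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_max_syn_backlog=8192
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mem = 67108864 67108864
net.core.netdev_max_backlog 3000
EOF

if sysctl_lint "$SAMPLE"; then echo "clean"; else echo "problems found: $?"; fi
```

Run `sysctl_lint /etc/sysctl.conf` before `sysctl -p`; the exit status is the number of problems, so it drops straight into a `&&` chain.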

10. Install the web server

Optimized compile flags:

export CHOST="i686-pc-linux-gnu"
export CFLAGS="-O3 -msse2 -mmmx -mfpmath=sse -march=prescott -pipe -fomit-frame-pointer"
export CXXFLAGS="${CFLAGS}"

Create the user and group:

# groupadd www
# useradd www -s /sbin/nologin -g www

Nginx:

# tar xzvf nginx-0.5.35.tar.gz
# cd nginx-0.5.35
# ./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module
# make && make install

Additional notes:

Get the Nginx master process ID:

# ps -ef | grep "nginx: master process" | grep -v "grep" | awk -F ' ' '{print $2}'

Test the Nginx configuration file:

# nginx -t

Start the service:

# ulimit -SHn 51200
# nginx

Stop the service:

# kill -QUIT '<master process ID>'

Reload the updated configuration file without restarting:

# kill -HUP '<master process ID>'
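As an added example, not part of the original post: the ps/grep/awk pipeline above works, but it silently prints nothing when no master is running and several PIDs when two Nginx instances are up, and whatever it prints is then handed to kill. The function below wraps the same pipeline and refuses unless exactly one master process is found. It reads ps output from stdin so it can be run here against a constructed `ps -ef` sample; on a live host, pipe the real `ps -ef` into it. The `nginx_reload` wrapper is hypothetical and assumes `nginx` is on PATH, as the post's commands do.

```sh
#!/bin/sh
# Added example, not from the original post: find the Nginx master PID in
# "ps -ef" output, failing unless exactly one master process is present.

# Constructed "ps -ef" output (includes the grep itself, as on a real host).
PS_SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root      2011     1  0 10:00 ?        00:00:00 nginx: master process /usr/local/nginx/sbin/nginx
www       2012  2011  0 10:00 ?        00:00:00 nginx: worker process
www       2013  2011  0 10:00 ?        00:00:00 nginx: worker process
root      2099  1900  0 10:05 pts/0    00:00:00 grep nginx: master process'

# Reads ps output on stdin, prints the master PID, returns 1 on 0 or >1 matches.
nginx_master_pid() {
    pids=$(grep 'nginx: master process' | grep -v grep | awk '{print $2}')
    count=$(printf '%s\n' "$pids" | grep -c .)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one nginx master process, found $count" >&2
        return 1
    fi
    echo "$pids"
}

# Hypothetical wrapper: reload only if the config test passes and the
# master PID is unambiguous. Not run in this demo.
nginx_reload() {
    pid=$(ps -ef | nginx_master_pid) || return 1
    nginx -t && kill -HUP "$pid"
}

if pid=$(printf '%s\n' "$PS_SAMPLE" | nginx_master_pid); then
    echo "master PID: $pid"
fi
```

Nginx also writes its master PID to logs/nginx.pid under the install prefix (/usr/local/nginx/logs/nginx.pid with the configure line above), which avoids parsing ps output at all when the pid file is known to be current.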

Lighttpd:
lighttpd-1.5.0.r1992.modcache.v.1.4.1.patch
# patch -p1 < lighttpd-1.5.0.r1992.modcache.v.1.4.1.patch
# ./configure --prefix=/usr/local/lighttpd_optimize
# make && make install

11. Install the memcached server

# tar xzvf memcached-1.2.2.tar.gz
# cd memcached-1.2.2
# ./configure --prefix=/usr/local/memcached
# make && make install

Start the service:

# /usr/local/memcached/bin/memcached -d -m 50 -p 11211 -u root

Parameter description:

-m cache size in MB
-p port to listen on
-u user to run as

12. XFS file system

# uname -a

Linux centos32.ctid.com.cn 2.6.18-53.1.4.el5.centos.plusPAE #1 SMP Fri Dec 7 07:40:34 EST 2007 i686 i686 i386 GNU/Linux

# yum install xfsprogs kmod-xfs-PAE
# modprobe xfs
# lsmod | grep xfs
xfs                   514632 0
# umount /cache0
# mkfs.xfs -f -i size=512 -l size=128m -d agcount=4 /dev/cache/cache0
# vi /etc/fstab
/dev/cache/cache0 /cache0                xfs     noatime,nodiratime         1 2
# mount -t xfs /dev/cache/cache0 /cache0

13. Install Squid3

Optimized compile flags:

# export CHOST="i686-pc-linux-gnu"
# export CFLAGS="-O3 -march=prescott -pipe -fomit-frame-pointer"
# export CXXFLAGS="${CFLAGS}"
# ./configure --prefix=/usr/local/squid \
--enable-dlmalloc \
--enable-debug-cbdata \
--enable-async-io=100 \
--with-pthreads \
--enable-storeio="aufs,coss,diskd,ufs" \
--enable-removal-policies="heap,lru" \
--enable-icmp \
--enable-delay-pools \
--enable-useragent-log \
--enable-referer-log \
--disable-wccp \
--disable-wccpv2 \
--enable-kill-parent-hack \
--enable-arp-acl \
--enable-snmp \
--enable-default-err-language=Simplify_Chinese \
--enable-err-languages="Simplify_Chinese English" \
--disable-poll \
--enable-epoll \
--disable-ident-lookups \
--disable-internal-dns \
--enable-truncate \
--enable-underscores \
--enable-basic-auth-helpers="NCSA" \
--enable-stacktrace \
--with-winbind-auth-challenge \
--enable-large-cache-files \
--with-maxfd=65535 \
--enable-ssl \
--enable-x-accelerator-vary \
--with-large-files    (omit this option on 64-bit)

14. CentOS server security settings

1) Use the firewall to close every port that is not needed; if others cannot even ping the server, the threat naturally drops by more than half

2) Change the SSH port, ideally to one above 10000; the chance of someone finding the port by scanning drops as well

3) Delete the bloated, unneeded system accounts:

# userdel adm
# userdel lp
# userdel sync
# userdel shutdown
# userdel halt
# userdel news
# userdel uucp
# userdel operator
# userdel games
# userdel gopher
# userdel ftp    (delete this account if you do not allow anonymous FTP)

# groupdel adm
# groupdel lp
# groupdel news
# groupdel uucp
# groupdel games
# groupdel dip
# groupdel pppusers
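As an added example, not part of the original post: after the userdel/groupdel pass, the useful check is which accounts from that list are still present and, more to the point, which non-root accounts still have an interactive shell, because an account whose shell is /sbin/nologin or /bin/false cannot be used to log in whether or not it was deleted. The script runs over a constructed passwd-format file so it can be run anywhere; point `present_removable` and `interactive_accounts` at /etc/passwd on the host.

```sh
#!/bin/sh
# Added example, not from the original post. Audits a passwd-format file:
# (1) which of the accounts the post removes are still present, and
# (2) which non-root accounts still have an interactive login shell.

# Constructed passwd content for the demo; not from a real host.
PASSWD=$(mktemp)
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
www:x:500:500::/home/www:/sbin/nologin
deploy:x:501:501::/home/deploy:/bin/bash
oldsvc:x:502:502::/var/lib/oldsvc:/bin/sh
EOF

# The accounts the post deletes with userdel.
REMOVE_LIST="adm lp sync shutdown halt news uucp operator games gopher ftp"

# Print, one per line and in REMOVE_LIST order, the accounts that still exist.
present_removable() {
    for u in $REMOVE_LIST; do
        awk -F: -v u="$u" '$1 == u { print $1 }' "$1"
    done
}

# Print non-root accounts whose shell is neither /sbin/nologin nor /bin/false,
# i.e. the ones that can actually log in; output is "name:shell".
interactive_accounts() {
    awk -F: '$1 != "root" && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 ":" $7 }' "$1"
}

echo "Accounts from the removal list still present:"
present_removable "$PASSWD"
echo "Non-root accounts with an interactive shell:"
interactive_accounts "$PASSWD"
```

On the constructed file the first list is adm, lp, games and ftp, and the second flags deploy and oldsvc; the www user created for Nginx earlier is correctly absent from both because it was given /sbin/nologin.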

4) Set the immutable attribute on the following files so that nobody can modify accounts:

# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow

With this in place, not even root can modify, delete, or add accounts; if you need to add one, first run:

# chattr -i /etc/passwd
# chattr -i /etc/shadow
# chattr -i /etc/group
# chattr -i /etc/gshadow

and then add or delete as needed.

5) # chmod 600 /etc/xinetd.conf
6) Disable anonymous FTP login

--End--