系统初始化设置
# 设置主机名,永久修改,再次登陆生效
hostnamectl set-hostname xxxxx

# 安装epel源,常用命令
yum install -y wget && wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo && yum -y install bash-completion telnet nmap tree net-tools ntpdate

# 查看时区,同步时间
timedatectl set-timezone Asia/Shanghai   # 修改时区命令
ntpdate hk.ntp.org.cn                    # 同步时间

# 优化文件描述符
cat >>/etc/security/limits.conf<<EOF
root soft nofile 65535
root hard nofile 65535
* soft nofile 65535
* hard nofile 65535
EOF
ulimit -n   # 查看

# 防火墙设置
添加允许访问的端口
firewall-cmd --zone=public --add-port=80/tcp --permanent
添加允许访问的服务
firewall-cmd --permanent --add-service https
对指定IP或某个网段开放端口,允许192.168.142.166和192.168.224.0/24访问5432端口 (rich rule 外层用单引号,内层保留双引号)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.142.166" port protocol="tcp" port="5432" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.224.0/24" port protocol="tcp" port="5432" accept'
重新加载防火墙,防火墙规则生效
firewall-cmd --reload

# 关闭防火墙,如果需要
systemctl stop firewalld.service && systemctl disable firewalld.service

# 关闭selinux
setenforce 0 && sed '7s#enforcing#disabled#g' /etc/selinux/config -i

# 关闭ssh解析
sed -i.bak 's@#UseDNS yes@UseDNS no@g;s@^GSSAPIAuthentication yes@GSSAPIAuthentication no@g' /etc/ssh/sshd_config
systemctl restart sshd

# 目录规划
/server/scripts/   脚本存放目录
/server/tools/     安装包存放目录
/usr/local/        服务安装目录
/backup/           备份目录

# ssh 白名单规则
在 /etc/hosts.allow 设置,允许连接的IP (先写 hosts.allow,确认当前管理IP已包含在内,再写 hosts.deny,避免把自己锁在外面)
sshd:167.179.49.12
sshd:192.168.224.0/24
在 /etc/hosts.deny 设置,拒绝所有的连接
echo "sshd:all" >> /etc/hosts.deny
Centos7 系统初始化脚本
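#!/bin/bash
# CentOS 7 host initialisation:
#   - EPEL repo + common tools
#   - firewalld stopped and disabled (original intent; the host then depends
#     on upstream network filtering -- confirm that holds for this host)
#   - file-descriptor limits, kernel network tuning
#   - sshd reverse-DNS / GSSAPI lookups off (faster logins)
#   - clock sync from cron
# Must run as root. Re-running is safe: every append to a system file is
# guarded so entries are not duplicated.
set -euo pipefail

(( EUID == 0 )) || { printf 'this script must be run as root\n' >&2; exit 1; }

#######################################
# Append stdin to a file unless a marker line is already present.
# Arguments: $1 - file to append to
#            $2 - marker (fixed string) that identifies an earlier run
# Inputs:    stdin - the block to append
# Returns:   0 (the block is silently skipped when the marker exists)
#######################################
append_once() {
  local file=$1 marker=$2
  if grep -qF -- "$marker" "$file" 2>/dev/null; then
    return 0
  fi
  cat >>"$file"
}

# EPEL repo file fetched over https so the mirror definition cannot be altered
# in transit; wget on CentOS 7 verifies the certificate by default.
yum install -y wget
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
yum -y install vim wget bash-completion lrzsz nmap tree nc net-tools htop iotop iftop psmisc ntpdate

systemctl stop firewalld.service
systemctl disable firewalld.service

# SELinux is left as-is; the original line stays commented out. If it is ever
# enabled, match the SELINUX= key rather than a fixed line number (the `7s`
# address silently does nothing when the file layout differs).
#setenforce 0 && sed '7s#enforcing#disabled#g' /etc/selinux/config -i

# File-descriptor limits: one entry per line. Writing both entries on a single
# line (as the old echo did) is not a valid limits.conf record.
append_once /etc/security/limits.conf '* soft nofile 65535' <<'EOF'
* soft nofile 65535
* hard nofile 65535
EOF
ulimit -n 65535   # affects this shell only; logins pick up limits.conf

# Kernel network tuning. net.ipv4.tcp_tw_recycle is intentionally omitted:
# it drops connections from clients behind NAT and was removed in kernel
# 4.12+, where it also makes `sysctl -p` fail on the unknown key.
append_once /etc/sysctl.conf 'net.ipv4.tcp_max_orphans = 16384' <<'EOF'
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
EOF
sysctl -p

# Disable reverse DNS and GSSAPI negotiation in sshd; a .bak copy is kept.
sed -i.bak 's@#UseDNS yes@UseDNS no@g;s@^GSSAPIAuthentication yes@GSSAPIAuthentication no@g' /etc/ssh/sshd_config
# Validate the edited config before restarting so a bad edit cannot take the
# remote session path down with it.
/usr/sbin/sshd -t
systemctl restart sshd

# Clock sync from cron (original cadence kept); guarded against duplicates.
cron_line='* * * * * root /usr/sbin/ntpdate ntp1.aliyun.com'
grep -qF -- "$cron_line" /etc/crontab || printf '%s\n' "$cron_line" >>/etc/crontab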