系统是centos7.2,安装完成的基本操作
3.10.0-327.18.2.el7.x86_64
-
1 修改网卡为eth0
-
2 更新系统
-
3 给/etc/rc.local添加执行权限
-
4 添加用户hequan
-
5 禁用selinux
-
6 关闭防火墙安装iptables
-
7 修改主机名
-
8 查看并管理服务
-
9 设置字符集
-
10 yum
-
11 配置sshd
-
12 加大打开文件数的限制(open files)
-
13 优化内核
-
14 时间设置
-
15 man 中文版
-
16 vim基本设置
1 修改网卡为eth0
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
cd
/etc/sysconfig/network-scripts/
vim ifcfg-eno16777729
TYPE=Ethernet
BOOTPROTO=static
IPADDR=192.168.1.201
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DEFROUTE=
yes
PEERDNS=
yes
PEERROUTES=
yes
IPV4_FAILURE_FATAL=no
NAME=eth0
UUID=efd17b9a-a5ab-4c94-be62-d2c32eb48a7e
DEVICE=eth0
ONBOOT=
yes
DNS1=202.106.0.20
|
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
mv
ifcfg-eno16777729 ifcfg-eth0
vi
/etc/sysconfig/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=
"$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=
true
GRUB_TERMINAL_OUTPUT=
"console"
GRUB_CMDLINE_LINUX=
"net.ifnames=0 biosdevname=0 rhgb quiet"
#添加 net.ifnames=0 biosdevname=0
GRUB_DISABLE_RECOVERY=
"true"
grub2-mkconfig -o
/boot/grub2/grub
.cfg
#生成启动菜单
Generating grub configuration
file
...
Found linux image:
/boot/vmlinuz-3
.10.0-327.el7.x86_64
Found initrd image:
/boot/initramfs-3
.10.0-327.el7.x86_64.img
Found linux image:
/boot/vmlinuz-0-rescue-e8675ae79abd41309dac42388f8d9116
Found initrd image:
/boot/initramfs-0-rescue-e8675ae79abd41309dac42388f8d9116
.img
reboot
ip addr 或者
yum
install
net-tools
#默认centos7不支持ifconfig 需要看装net-tools包
ifconfig
eth0
#再次查看网卡信息
|
2 更新系统
|
1
|
yum update -y
|
3 给/etc/rc.local添加执行权限
|
1
2
3
4
5
|
[root@bogon ~]
# ll /etc/rc.local
lrwxrwxrwx. 1 root root 13 Feb 6 07:28
/etc/rc
.
local
-> rc.d
/rc
.
local
[root@bogon ~]
# ll /etc/rc.d/rc.local
-rw-r--r--. 1 root root 473 May 12 2016
/etc/rc
.d
/rc
.
local
[root@bogon ~]
# chmod +x /etc/rc.d/rc.local
|
4 添加用户hequan
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
[root@bogon ~]
# useradd hequan
[root@bogon ~]
# echo 123456 | passwd --stdin hequan
Changing password
for
user hequan.
passwd
: all authentication tokens updated successfully.
[root@bogon ~]
# usermod -G wheel hequan
[root@bogon ~]
# sed -i '6s/^#//g' /etc/pam.d/su
[root@bogon ~]
# grep wheel /etc/pam.d/su #只有WHEEL组的可以su
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
扩展:为用户hequan添加
sudo
,除关机外的其他所有操作:
[root@www ~]
# visudo
Cmnd_Alias SHUTDOWN =
/sbin/halt
,
/sbin/shutdown
,
/sbin/poweroff
,
/sbin/reboot
,
/sbin/init
hequan ALL=(ALL) ALL,!SHUTDOWN
%wheel ALL=(ALL) ALL,!SHUTDOWN
#修改wheel组的权限,禁止关机
Defaults logfile=
/var/log/sudo
.log
|
5 禁用selinux
|
1
2
3
4
5
6
7
8
9
10
|
[root@bogon ~]
# grep -i ^selinux /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
[root@bogon ~]
# sed -i '/^SELINUX/s/enforcing/disabled/g' /etc/selinux/config
[root@bogon ~]
# grep -i ^selinux /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
[root@bogon ~]
# getenforce
Enforcing
[root@bogon ~]
# reboot
|
6 关闭防火墙安装iptables
|
1
2
3
|
systemctl stop firewalld.service
systemctl disable firewalld.service
yum
install
iptables-services -y
#安装
|
7修改主机名
|
1
2
3
|
[root@bogon ~]
# hostnamectl set-hostname hequan.com
[root@bogon ~]
# hostname
hequan.com
|
8 查看并管理服务
|
1
2
3
4
|
[root@hequan ~]
# systemctl -t service
[root@hequan ~]
# systemctl list-unit-files -t service
yum
install
-y
bash
-completion
#补全服务名称,退出bash再进就可以
|
9 设置字符集
|
1
2
3
4
5
|
[root@hequan ~]
# echo $LANG
zh_CN.UTF-8
[root@hequan ~]
# vi /etc/locale.conf
LANG=
"en_US.UTF-8"
[root@hequan ~]
# source /etc/locale.conf
|
10 yum
|
1
|
yum
install
gcc cmake
bzip2
-devel curl-devel db4-devel libjpeg-devel libpng-devel freetype-devel libXpm-devel gmp-devel libc-client-devel openldap-devel unixODBC-devel postgresql-devel sqlite-devel aspell-devel net-snmp-devel libxslt-devel libxml2-devel pcre-devel mysql-devel pspell-devel libmemcached libmemcached-devel zlib-devel vim wget lrzsz tree
|
|
1
2
3
4
5
6
|
安装163源
mv
/etc/yum
.repos.d
/CentOS-Base
.repo
/etc/yum
.repos.d
/CentOS-Base
.repo.backup
cd
/etc/yum
.repos.d/
wget http:
//mirrors
.163.com/.help
/CentOS7-Base-163
.repo
yum clean all
yum makecache
|
其他
|
1
2
3
4
5
6
7
8
9
|
yum -y
install
yum-plugin-priorities
##安装优先级插件
sed
-i -e
"s/\]$/\]\npriority=1/g"
/etc/yum
.repos.d
/CentOS-Base
.repo
##设置基本yum源的优先级为1
yum -y
install
epel-release
##安装epel源
sed
-i -e
"s/\]$/\]\npriority=5/g"
/etc/yum
.repos.d
/epel
.repo
##设置优先级为5
sed
-i -e
"s/enabled=1/enabled=0/g"
/etc/yum
.repos.d
/epel
.repo
##禁用epel源
yum -y
install
http:
//pkgs
.repoforge.org
/rpmforge-release/rpmforge-release-0
.5.3-1.el7.rf.x86_64.rpm
##安装rpmforge的源
sed
-i -e
"s/\]$/\]\npriority=10/g"
/etc/yum
.repos.d
/rpmforge
.repo
##设置优先级为10
sed
-i -e
"s/enabled = 1/enabled = 0/g"
/etc/yum
.repos.d
/rpmforge
.repo
##禁用yum源
使用方法:yum --enablerepo=rpmforge
install
[Package]
|
11 配置sshd
|
1
2
3
4
5
6
7
8
9
10
11
12
13
|
sed
-i -e
'49s/^#//g'
/etc/ssh/sshd_config
##启用49行配置
sed
-i -e
'49s/yes/no/g'
/etc/ssh/sshd_config
##禁止root使用ssh登录
sed
-i -e
'129s/#/ /g'
/etc/ssh/sshd_config
##禁止UseDNS
sed
-i -e
'129s/yes$/no/g'
/etc/ssh/sshd_config
sed
-i
'/^GSS/s/yes/no/g'
/etc/ssh/sshd_config
##禁用GSSAPI认证加快登录速度
systemctl restart sshd
##重新启动服务
systemctl
enable
sshd
##设置为开机启动
systemctl status sshd
##查看状态
● sshd.service - OpenSSH server daemon
Loaded: loaded (
/usr/lib/systemd/system/sshd
.service; enabled; vendor preset: enabled)
Active: active (running) since 一 2016-06-06 00:16:26 CST; 1min 3s ago
|
12 加大打开文件数的限制(open files)
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
ulimit
-n
ulimit
-a
vi
/etc/security/limits
.conf
最后添加
* soft nofile 1024000
* hard nofile 1024000
hive - nofile 1024000
hive - nproc 1024000
用户进程限制
[root@hequan ~]
# sed -i 's#4096#65535#g' /etc/security/limits.d/20-nproc.conf #加大普通用户限制 也可以改为unlimited
[root@hequan ~]
# egrep -v "^$|^#" /etc/security/limits.d/20-nproc.conf
* soft nproc 65535
root soft nproc unlimited
reboot
|
13 优化内核
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
cat
/etc/sysctl
.conf
#CTCDN系统优化参数
#关闭ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
#决定检查过期多久邻居条目
net.ipv4.neigh.default.gc_stale_time=120
#使用arp_announce / arp_ignore解决ARP映射问题
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1
# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1
#关闭路由转发
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
#开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
#关闭sysrq功能
kernel.sysrq = 0
#core文件名中添加pid作为扩展名
kernel.core_uses_pid = 1
# 开启SYN洪水攻击保护
net.ipv4.tcp_syncookies = 1
#修改消息队列长度
kernel.msgmnb = 65536
kernel.msgmax = 65536
#设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
#timewait的数量,默认180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
#每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 262144
#限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800
#未收到客户端确认信息的连接请求的最大值
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
#内核放弃建立连接之前发送SYNACK 包的数量
net.ipv4.tcp_synack_retries = 1
#内核放弃建立连接之前发送SYN 包的数量
net.ipv4.tcp_syn_retries = 1
#启用timewait 快速回收
net.ipv4.tcp_tw_recycle = 1
#开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
#当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
#允许系统打开的端口范围
net.ipv4.ip_local_port_range = 1024 65000
#修改防火墙表大小,默认65536
net.netfilter.nf_conntrack_max=655350
net.netfilter.nf_conntrack_tcp_timeout_established=1200
# 确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
本文出自 “兰芷” 博客,请务必保留此出处http:
//7826443
.blog.51cto.com
/7816443/1775248
sysctl -p
#生效
|
14 时间设置
|
1
2
|
ntpdate
time
.nist.gov
hwclock -w
#先同步一遍时间到硬件时间
|
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
yum
install
chrony
vi
/etc/chrony
.conf
server 0.centos.pool.ntp.org
server 3.europe.pool.ntp.org
systemctl
enable
chronyd.service
systemctl start chronyd.service
timedatectl
set
-timezone Asia
/Shanghai
timedatectl
set
-
time
"2015-01-21 11:50:00"
(可以只修改其中一个)修改日期时间
timedatectl 查看时间状态
chronyc sources -
v
查看时间同步源
chronyc sourcestats -
v
|
15 man中文版
|
1
2
3
|
yum
install
man
-pages-zh-CN.noarch -y
man
cp
#测试, 想再换成中文版,yum卸载就行了
|
16 vim基本设置
|
1
|
vim
/root/
.vimrc
|
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
set
history
=1000
autocmd InsertLeave * se cul
autocmd InsertLeave * se nocul
set
nu
set
bs=2
syntax on
set
laststatus=2
set
tabstop=4
set
go=
set
ruler
set
showcmd
set
cmdheight=1
hi CursorLine cterm=NONE ctermbg=blue ctermfg=white guibg=blue guifg=white
set
hls
set
cursorline
set
ignorecase
set
hlsearch
set
incsearch
set
helplang=cn
inoremap ( ()<ESC>i
inoremap [ []<ESC>i
inoremap { {}<ESC>i
inoremap < <><ESC>i
inoremap
" "
"<ESC>i
inoremap
' '
'<ESC>i
|
本文转自 295631788 51CTO博客,原文链接:http://blog.51cto.com/hequan/1789146,如需转载请自行联系原作者
