1. vim /etc/profile and append:

       ulimit -c unlimited
       ulimit -s unlimited
       ulimit -SHn 65535

   Other limits that are usually set to unlimited:

       data segment size   ulimit -d unlimited
       max memory size     ulimit -m unlimited
       stack size          ulimit -s unlimited
       CPU time            ulimit -t unlimited
       virtual memory      ulimit -v unlimited

   Run "source /etc/profile" to apply them to the current shell.

   Before copying this, note three things. /etc/profile is read only by login shells, so daemons started by init never see these values; put their limits in /etc/security/limits.conf instead. A non-root user cannot raise a hard limit, so "ulimit -SHn 65535" fails with "Operation not permitted" at every login unless limits.conf already grants that user a hard nofile of at least 65535. And "ulimit -c unlimited" turns core dumps on: a core of sshd or a database can contain passwords and keys, and it contradicts the "hard core 0" set in item 10, so choose one.

2. vim /etc/sysctl.conf and add:

       net.ipv4.tcp_max_syn_backlog = 65536
       net.core.netdev_max_backlog = 32768
       net.core.somaxconn = 32768
       net.core.wmem_default = 8388608
       net.core.rmem_default = 8388608
       net.core.rmem_max = 16777216
       net.core.wmem_max = 16777216
       net.ipv4.tcp_timestamps = 0
       net.ipv4.tcp_synack_retries = 2
       net.ipv4.tcp_syn_retries = 2
       net.ipv4.tcp_tw_recycle = 1
       #net.ipv4.tcp_tw_len = 1
       net.ipv4.tcp_tw_reuse = 1
       net.ipv4.tcp_syncookies = 1
       net.ipv4.tcp_mem = 94500000 915000000 927000000
       net.ipv4.tcp_max_orphans = 3276800
       net.ipv4.tcp_fin_timeout = 30
       net.ipv4.tcp_keepalive_time = 120
       net.ipv4.ip_local_port_range = 1024 65535

   Apply the kernel settings immediately with:

       /sbin/sysctl -p

   Caveats: net.ipv4.tcp_tw_reuse and net.ipv4.tcp_tw_recycle both depend on TCP timestamps, so with net.ipv4.tcp_timestamps = 0 neither of them does anything. tcp_tw_recycle also breaks connections from clients behind NAT and was removed from the kernel in 4.12; drop that line. tcp_mem is counted in pages, not bytes, so the three values above are far beyond the memory of any machine of this era and effectively switch off TCP memory pressure handling. net.ipv4.tcp_syncookies = 1 is the SYN-flood setting here that is unconditionally worth keeping.

3. vim /usr/include/bits/typesizes.h and change:

       #define __FD_SETSIZE 65536

   This only affects programs compiled after the edit; select() in binaries already on the box keeps the old limit of 1024. The header belongs to the glibc headers package, so the next package update silently reverts it. Programs that need many descriptors should use poll() or epoll instead of select().
4. In ntsysv keep these services enabled:

       anacron cpuspeed crond gpm irqbalance kudzu lm_sensors lvm2-monitor mdmonitor
       messagebus microcode_ctl network pcscd psacct readahead_early readahead_later
       smartd sshd syslog xfs

   Stop the rest now (service <name> stop):

       NetworkManager NetworkManagerDispatcher acpid atd auditd autofs avahi-daemon
       avahi-dnsconfd bluetooth capi conman cups dhcdbd dkms_autoinstaller dund
       firstboot haldaemon hidd hplip ip6tables iptables irda isdn mcstrans mdmpd
       multipathd netconsole netfs netplugd nfs nfslock nscd ntpd oddjobd pand
       portmap rdisc restorecond rpcgssd rpcidmapd rpcsvcgssd saslauthd sendmail
       snmptrapd vncserver wdaemon winbind wpa_supplicant ypbind yum-updatesd

   and start the ones kept above (service <name> start):

       anacron cpuspeed crond gpm irqbalance kudzu lm_sensors lvm2-monitor mdmonitor
       messagebus microcode_ctl network pcscd psacct readahead_early readahead_later
       smartd sshd syslog xfs

   Two entries in the stop list deserve a second look on an internet-facing host: stopping iptables and ip6tables removes the host firewall entirely (the hosts.deny entry in item 13 only covers tcp_wrappers-aware services, not everything listening), and stopping auditd removes the audit trail you would want after a break-in. Stopping ntpd also lets the clock drift, which makes correlating logs with other machines harder.

5. Change the SSH port: vim /etc/ssh/sshd_config

       Port 22                    change 22 to a non-default port
       PermitEmptyPasswords no    remove the leading # so accounts with an empty password cannot log in
       MaxAuthTries 2             after two failed attempts the connection is dropped and the client must reconnect

   Restart sshd afterwards (service sshd restart) from a session you keep open until a second login on the new port has been confirmed. MaxAuthTries counts every authentication attempt within one connection, including each public key an ssh-agent offers, so clients with several keys loaded may be cut off before the right one is tried.

6. Log idle remote sessions out after 5 minutes: vim /etc/profile and append at the end:

       export TMOUT=300

   Add "readonly TMOUT" as well, otherwise a user can simply unset it. Then find

       HISTSIZE=1000

   and change it to

       HISTSIZE=100

   HISTSIZE is the number of command lines bash remembers, not a size in bytes. The idea behind shrinking it is that a short history is easier to review, but shell history is also evidence after an intrusion, and 100 lines leaves an investigator very little to recover; weigh that before applying it.
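To check that items 2 and 5 actually took effect, here is an added shell helper; it is not part of the original checklist. It reads an sshd_config and a sysctl.conf with their real precedence rules (in sshd_config the first matching directive wins, in sysctl.conf the last assignment wins) and reports every value that differs from what the checklist asks for. The sample files it builds are constructed for the demonstration, and the function names and the DRIFT output format are this example's own.

```shell
#!/bin/sh
# Added example, not from the original checklist. Audits an sshd_config and a
# sysctl.conf against the values items 2 and 5 ask for, honouring each file's
# precedence rule. The files written by build_sample are constructed samples.

# sshd_config: the FIRST matching directive wins, later duplicates are ignored.
# Prints the effective value, or nothing if the key is not set.
sshd_effective() {   # sshd_effective FILE KEY
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# sysctl.conf: the LAST assignment of a key wins. Prints the effective value,
# or nothing if the key is not set. Comment lines start with # or ;.
sysctl_effective() { # sysctl_effective FILE KEY
    awk -F= -v key="$2" '
        $0 !~ /^[ \t]*[#;]/ {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        }
        END { print val }' "$1"
}

# audit SSHD_CONFIG SYSCTL_CONF: prints one DRIFT line per mismatch and
# returns 1 if anything drifted, 0 otherwise.
audit() {
    sshd_cfg="$1"; sysctl_cfg="$2"; drift=0
    for pair in "PermitEmptyPasswords=no" "MaxAuthTries=2"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$sshd_cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "DRIFT sshd_config $key: got '${got:-unset}', want '$want'"; drift=1
        fi
    done
    for pair in "net.ipv4.tcp_syncookies=1" "net.ipv4.tcp_max_syn_backlog=65536" \
                "net.ipv4.ip_local_port_range=1024 65535"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sysctl_effective "$sysctl_cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "DRIFT sysctl $key: got '${got:-unset}', want '$want'"; drift=1
        fi
    done
    # tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12,
    # so finding it enabled is reported as drift rather than as hardening.
    if [ "$(sysctl_effective "$sysctl_cfg" net.ipv4.tcp_tw_recycle)" = 1 ]; then
        echo "DRIFT sysctl net.ipv4.tcp_tw_recycle: set to 1, remove it"; drift=1
    fi
    return "$drift"
}

# build_sample DIR: constructed config files that exercise both precedence
# rules and contain several deliberate mistakes for audit to catch.
build_sample() {
    cat > "$1/sshd_config" <<'EOF'
# constructed sample sshd_config
Port 22
#PermitEmptyPasswords no
MaxAuthTries 6
MaxAuthTries 2
EOF
    cat > "$1/sysctl.conf" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_tw_recycle = 1
EOF
}

sample_dir=$(mktemp -d)
build_sample "$sample_dir"
audit "$sample_dir/sshd_config" "$sample_dir/sysctl.conf" || echo "host drifts from the checklist"
rm -rf "$sample_dir"
```

On the sample the audit reports four lines: PermitEmptyPasswords is unset because the only copy is commented out, MaxAuthTries is 6 because sshd honours the first directive and ignores the later "2", tcp_max_syn_backlog is missing, and tcp_tw_recycle is enabled. Point the two functions at the real /etc/ssh/sshd_config and /etc/sysctl.conf to audit a live host.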
7. Tighten file modes:

       chmod 700 /bin/rpm            only root can run rpm and install packages
       chmod 664 /etc/hosts
       chmod 644 /etc/passwd
       chmod 644 /etc/exports
       chmod 644 /etc/issue
       chmod 664 /var/log/wtmp
       chmod 664 /var/log/btmp
       chmod 644 /etc/services
       chmod 600 /etc/shadow
       chmod 600 /etc/login.defs
       chmod 600 /etc/hosts.allow
       chmod 600 /etc/hosts.deny
       chmod 600 /etc/securetty
       chmod 600 /etc/security
       chmod 600 /etc/ssh/ssh_host_key
       chmod 600 /etc/ssh/sshd_config
       chmod 600 /var/log/lastlog
       chmod 600 /var/log/messages

   Note that /etc/security is a directory, not a file: mode 600 strips the search bit for everyone but root, which works only because PAM reads /etc/security/limits.conf as root. Making /var/log/lastlog mode 600 also stops ordinary users from running the lastlog command.

8. Ignore ping (the host sends no reply to echo requests):

       echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all     ignore ping
       echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all     answer ping again

   Writing to /proc does not survive a reboot; to make it permanent add net.ipv4.icmp_echo_ignore_all = 1 to /etc/sysctl.conf (item 2).

9. Reject spoofed host names: vim /etc/host.conf and add:

       nospoof on

   This only asks the resolver to cross-check reverse and forward lookups; newer glibc versions parse the keyword but no longer act on it, and it never had anything to do with forged source addresses in packets. The kernel-side check that drops packets with unroutable source addresses is net.ipv4.conf.all.rp_filter = 1 in /etc/sysctl.conf.

10. Resource limits against local DoS: vim /etc/security/limits.conf and add:

       * hard core 0
       * hard rss 10000
       * hard nproc 20

    Adjust these to the workload: 20 processes per user is too low for most real accounts, the rss limit is ignored by modern kernels, and "hard core 0" conflicts with "ulimit -c unlimited" in item 1.

11. Make the root password as complex as possible:
    1. mix upper- and lower-case letters;
    2. include digits;
    3. include punctuation characters;
    4. avoid anything tied to you, such as a birthday, in letters, digits or symbols.

12. Remove users and groups that are not needed:

       cut -d: -f1 /etc/passwd    # list all users on the system
       cut -d: -f1 /etc/group     # list all groups on the system
       userdel adm
       userdel lp
       userdel news
       userdel uucp
       userdel games
       groupdel adm
       groupdel lp
       groupdel news
       groupdel uucp
       groupdel games
       groupdel dip

    These are system accounts that packages reference (adm, for example, owns files under /var/log), so deleting them can leave orphaned file ownership and trip later package updates. Locking them instead (usermod -L and a shell of /sbin/nologin) gives the same result with less risk.

13. Block abusive IPs:

       more /var/log/secure

    First use the command above to spot addresses that keep retrying remote logins, then in vim /etc/hosts.deny add:

       sshd: 192.168.1.1        (192.168.1.1 stands in for the offending address)

    and save. This works only because sshd on this platform is built with tcp_wrappers; a firewall rule (iptables, which item 4 stops) blocks the address for every service and is the stronger control.
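Item 13 leaves the "read the log and pick out the noisy addresses" step to the eye. The following shell script is an added example, not part of the original checklist: it counts "Failed password" lines per source address in a /var/log/secure-style log and emits hosts.deny entries for the sources over a threshold, skipping an allowlist so that a management network cannot lock itself out. The log lines it uses are constructed in the CentOS 5 syslog format, and the function names and the allowlist file are this example's own; nothing here writes to the real /etc/hosts.deny.

```shell
#!/bin/sh
# Added example, not from the original checklist. Counts failed SSH logins per
# source address in a /var/log/secure-style log and prints hosts.deny entries
# for the sources over a threshold. The log written by write_sample is a
# constructed sample; nothing here touches the real /etc/hosts.deny.

# offenders LOGFILE THRESHOLD: prints "count ip" for every source address with
# at least THRESHOLD "Failed password" lines, most frequent first. "Invalid
# user" lines are deliberately not counted: each one is followed by a
# "Failed password for invalid user" line for the same attempt.
offenders() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }' thr="$2" "$1" |
    sort -rn
}

# deny_entries LOGFILE THRESHOLD [ALLOWLIST]: prints "sshd: ip" lines ready for
# /etc/hosts.deny, skipping addresses listed one per line in ALLOWLIST.
deny_entries() {
    offenders "$1" "$2" | while read -r count ip; do
        if [ -n "$3" ] && grep -qxF "$ip" "$3"; then
            continue
        fi
        printf 'sshd: %s\n' "$ip"
    done
}

# write_sample DIR: constructed sample log and allowlist.
write_sample() {
    cat > "$1/secure" <<'EOF'
Mar  3 10:11:12 host sshd[2301]: Failed password for root from 192.168.1.1 port 51234 ssh2
Mar  3 10:11:15 host sshd[2301]: Failed password for root from 192.168.1.1 port 51234 ssh2
Mar  3 10:11:20 host sshd[2305]: Invalid user admin from 192.168.1.1
Mar  3 10:11:21 host sshd[2305]: Failed password for invalid user admin from 192.168.1.1 port 51240 ssh2
Mar  3 10:12:01 host sshd[2310]: Accepted publickey for ops from 10.0.0.5 port 40000 ssh2
Mar  3 10:13:02 host sshd[2320]: Failed password for oracle from 203.0.113.9 port 3322 ssh2
EOF
    printf '%s\n' 192.168.1.1 > "$1/allowlist"
}

sample_dir=$(mktemp -d)
write_sample "$sample_dir"
echo "--- sources with 3 or more failures"
offenders "$sample_dir/secure" 3
echo "--- hosts.deny entries"
deny_entries "$sample_dir/secure" 3
rm -rf "$sample_dir"
```

On the sample, 192.168.1.1 has three failed attempts and 203.0.113.9 one, so with a threshold of 3 the only entry produced is "sshd: 192.168.1.1", and it disappears again when the allowlist is supplied. Run "deny_entries /var/log/secure 10 /etc/my-allowlist >> /etc/hosts.deny" (paths and threshold are yours to choose) on a real host, and remember that hosts.deny only reaches services linked with tcp_wrappers.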