Linux 系统参数优化设置
0 条评论/etc/security/limits.conf
limits.conf 文件实际是 Linux PAM(插入式认证模块,Pluggable Authentication Modules)中 pam_limits.so 的配置文件,而且只针对于单个会话。 该设置不会影响系统服务的资源限制
* soft core unlimited
* hard core unlimited
* soft nproc 1000000
* hard nproc 1000000
* soft nofile 1000000
* hard nofile 1000000
* soft memlock 32000
* hard memlock 32000
* soft msgqueue 8192000
* hard msgqueue 8192000
/etc/default/grub
在 centos7 上是根据内核识别硬件状态,自动添加网卡名称,如果有多台机器导致网卡名不一样,不能统一管理,所以需要改网卡名称!一般网卡命名为 eth0, 如果有多个网卡,依次命名为 eth1、eth2 等 , centos4、centos5 都是这个名称!
# 追加" net.ifnames=0",通过修改系统启动参数实现各个主机网卡名一致
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet net.ifnames=0"
/etc/sysctl.conf
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536
# # Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# # Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
# TCP kernel paramater
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1
# socket buffer
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 20480
net.core.optmem_max = 81920
# TCP conn
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_retries2 = 15
# tcp conn reuse
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_max_tw_buckets = 20000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_timestamps = 1 #?
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syncookies = 1
# keepalive conn
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.ip_local_port_range = 10001 65000
# swap
vm.overcommit_memory = 0
vm.swappiness = 10
#net.ipv4.conf.eth1.rp_filter = 0
#net.ipv4.conf.lo.arp_ignore = 1
#net.ipv4.conf.lo.arp_announce = 2
#net.ipv4.conf.all.arp_ignore = 1
#net.ipv4.conf.all.arp_announce = 2
常用的内核参数 :
#ip转发
net.ipv4.ip_forward#禁ping
net.ipv4.icmp_echo_ignore_all#允许应用程序可以监听本地不存在的IP
net.ipv4.ip_nonlocal_bind#释放缓存
vm.drop_caches#全局打开文件的最大数
fs.file-max = 1020000#防止超分内存,比如只有8G内存,非要分10G内存出去
#0表示内核将检查是否有足够可用内存供应用进程使用;如果有足够的可用内存,内存申请允许;否则内存申请失败,并把错误返回给应用进程。
#1表示内核允许分配所有的物理内存,而不管当前的内存状态如何。
#2表示内核允许分配超过所有物理内存和交换空间总和的内存。
vm.overcommit_memory = 0#表示物理内存剩余10%的时候允许使用swap,生产中可以优化这个参数
vm.swappiness = 10
/etc/ssh/sshd_config
# 解决ssh登录缓慢的问题,以下选项默认为yes,改为no
UseDNS no
GSSAPIAuthentication no
# 设置 ssh 空闲60s 自动注销
ClientAliveInterval 60
ClientAliveCountMax 0
ssh服务的最佳实践:
(1)建议使用非默认端口
(2)禁止使用protocol version 1
(3)限制可登录用户
(4)设定空闲会话超时时长
(5)利用防火墙设置ssh访问策略
(6)仅监听特定的IP地址
(7)基于口令认证时,使用强密码策略,比如:tr -dc A-Za-z0-9_ < /dev/urandom | head -c 12|
(8)使用基于密钥的认证
(9)禁止使用空密码
(10)禁止root用户直接登录
(11)限制ssh的访问频度和并发在线数
(12)经常分析日志
