
Linux 系统安全 及 lnmp 安装

/*********************系统盘规划*********************************/


/dev/vda 8G

/dev/vdb 500G

/dev/vda 系统盘 挂载在 /

/dev/vdb 分四个逻辑盘

/dev/vdb1 400G 用作项目应用 挂载 /var/www

/dev/vdb2 60G 用作日志记录 挂载 /var/log

/dev/vdb3 20G 分系统使用的软件其余的工具 例如 一些测试网速的软件就存放安装到这里 挂载 /opt

/dev/vdb4 20G /home 数据交换



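# Raise the open-file limit: immediately for this shell (ulimit) and, via
# pam_limits, for every new login session (limits.conf). The appends are
# guarded so that re-running this snippet does not stack duplicate entries.
ulimit -SHn 65535

limits_conf=/etc/security/limits.conf
for entry in "* soft nofile 65535" "* hard nofile 65535"; do
  # append only when an identical line is not already present
  grep -qxF -- "$entry" "$limits_conf" || printf '%s\n' "$entry" >> "$limits_conf"
done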

/**********sshd key 登录*******************************************/



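# Key-only SSH login for root (the user-setup section later adds a sudo user).
# "yum install sshd" matches no package on CentOS/RHEL; openssh-server is the
# package that provides sshd.
yum -y install openssh-server

sshd_config=/etc/ssh/sshd_config

# sshd honours the FIRST occurrence of each keyword, so appending to the end
# of sshd_config (what the original did) is silently ignored whenever an
# earlier line — e.g. the distro's "PasswordAuthentication yes" — already
# sets it. Rewrite an existing (possibly commented) line in place; append
# only when the keyword is absent.
set_sshd_option() {
  local key=$1 value=$2
  if grep -qE "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$sshd_config"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$sshd_config"
  else
    printf '%s %s\n' "$key" "$value" >> "$sshd_config"
  fi
}
# probe the client every 60 s and give up after 60 unanswered probes (~1 h)
set_sshd_option ClientAliveInterval 60
set_sshd_option ClientAliveCountMax 60
set_sshd_option PasswordAuthentication no

# TMOUT=1000000 s (~11.5 days) effectively disables bash's idle logout for
# root; kept as the author set it, but note it removes the protection the
# ClientAlive* settings above are normally paired with.
grep -q '^export TMOUT=' /root/.bash_profile \
  || echo 'export TMOUT=1000000' >> /root/.bash_profile
source /root/.bash_profile

# Generate the key pair and install the public half BEFORE sshd is restarted
# with PasswordAuthentication=no — otherwise the only remaining login path is
# cut off. Copy the private key to the workstation you log in from.
key_file=/root/.ssh/id_rsa   # placeholder: the original used "XXXXXXX"
install -d -m 0700 /root/.ssh
/usr/bin/ssh-keygen -t rsa -f "$key_file"
# append rather than overwrite, so keys already authorised are kept
cat "${key_file}.pub" >> /root/.ssh/authorized_keys
chmod 0600 /root/.ssh/authorized_keys

# syntax-check the config before restarting so a typo cannot take sshd down
/usr/sbin/sshd -t && service sshd restart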

必须将 key 备份到本地 登录要用。

/************sshd 登录编码格式 vim设置 时区设置 关闭selinux*************/



yum install fonts-chinese

locale -a | grep -E 'zh|en_US'

vim /etc/sysconfig/i18n



# /etc/sysconfig/i18n as written here; the file is sourced as shell below.
# LANG is assigned three times, so the last assignment wins and the
# effective value is en_US.utf8, while LANGUAGE/SUPPORTED still list the
# GB18030/GBK locales — pick one encoding and keep a single LANG line.
LANG="zh_CN.gb18030"

LANGUAGE="zh_CN.gb18030:zh_CN.gb2312:zh_CN.gbk:zh_CN.utf8:zh_CN"

SUPPORTED="zh_CN.utf8:zh_CN:zh:en_US.utf8:en_US:en"

SYSFONT="lat0-sun16"

LANG="zh_CN.gb18030"

LANG="en_US.utf8"

source /etc/sysconfig/i18n

vim ~/.vimrc



set termencoding=gbk

set encoding=utf-8

set fileencodings=ucs-bom,utf-8,cp936

set fileencoding=utf-8

vim /etc/profile



# /etc/profile additions. NOTE: LC_ALL overrides LANG and every LC_* category,
# so with both lines present the session locale is zh_CN.gb18030, not the
# UTF-8 value set on the first line — keep one encoding.
export LANG=zh_CN.utf8

export LC_ALL=zh_CN.gb18030

###设置vi, vim的默认的tab、行号显示参数



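# vi/vim defaults: 4-column tabs and line numbers, plus "vi" as an alias for
# vim. Each append is guarded so re-running does not duplicate the lines.
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}
append_once 'set tabstop=4' /etc/virc
append_once 'set tabstop=4' /etc/vimrc
append_once 'set number' /etc/virc
append_once 'set number' /etc/vimrc
append_once 'alias vi=vim' ~/.bashrc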



source ~/.bashrc

##设置正确的时区



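# Set the local time zone (Asia/Chongqing is the same UTC+8 rule set as
# Asia/Shanghai).
cp /usr/share/zoneinfo/Asia/Chongqing /etc/localtime
# the original printf ended without a newline; a final newline keeps tools
# that read /etc/sysconfig/clock line by line happy
printf 'ZONE="Asia/Chongqing"\nUTC=false\nARC=false\n' > /etc/sysconfig/clock

# one-off sync now ...
ntpdate pool.ntp.org
# ... and a daily sync at 06:00. The original line "06*** /sbin/ntpdate ..."
# is not a valid crontab entry (five whitespace-separated fields are
# required). Any earlier ntpdate entry is replaced so re-running is safe.
cron_line='0 6 * * * /sbin/ntpdate pool.ntp.org 2>&1 | /bin/logger'
{ crontab -l 2>/dev/null | grep -vF -- '/sbin/ntpdate pool.ntp.org'; printf '%s\n' "$cron_line"; } | crontab -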

设置/etc/sysconfig/selinux文件中

# /etc/sysconfig/selinux. NOTE(review): "disabled" removes mandatory access
# control for every service installed later on this page (nginx, php-fpm,
# mysqld). If the goal is only to stop SELinux from blocking them,
# "permissive" enforces nothing but keeps logging denials to the audit log,
# and can be switched back to enforcing without a relabel. Effective after
# a reboot.
SELINUX=disabled

/*******************************************防火墙***************/

vim /etc/sysconfig/iptables



# Firewall configuration written by system-config-firewall

# Manual customization of this file is not recommended.

# Ruleset for /etc/sysconfig/iptables (iptables-restore format).
# NOTE(review): the default policy of INPUT is ACCEPT (":INPUT ACCEPT" below),
# and no final REJECT/DROP rule is present (the original one is commented out
# further down), so anything not explicitly dropped is accepted. The only
# rule that restricts traffic in this file is the 180.0.0.0/8 DROP.
*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

#-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#-A INPUT -p icmp -j ACCEPT

#-A INPUT -i lo -j ACCEPT

#-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

#-A INPUT -j REJECT --reject-with icmp-host-prohibited

#-A FORWARD -j REJECT --reject-with icmp-host-prohibited

# NOTE(review): the "whitelist" chain is created and filled with six entries,
# but no rule in INPUT ever jumps to it (there is no "-A INPUT -j whitelist"),
# so these addresses are not treated differently from any other source.
-N whitelist

-A whitelist -s 36.36.68.0/24 -j ACCEPT

-A whitelist -s 223.73.59.0/24 -j ACCEPT

-A whitelist -s 119.130.86.0/24 -j ACCEPT

-A whitelist -s 36.36.68.65 -j ACCEPT

-A whitelist -s 223.73.59.101 -j ACCEPT

-A whitelist -s 119.130.86.201 -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# NOTE(review): every NEW or INVALID packet is logged with no "-m limit", so
# a port scan or flood can fill the syslog; add e.g. "-m limit --limit 5/min".
-A INPUT -m state --state INVALID,NEW -j LOG

-A INPUT -s 180.0.0.0/8 -j DROP

# NOTE(review): "--sport" matches the REMOTE (source) port, which the remote
# side chooses freely; it does not restrict access to local services.
# A service allow-list is written with "--dport", as in the commented
# "--dport 22" line above. If sshd listens on 54321 (the scp commands later
# on this page use -P 54321), the rule that is probably intended here is
# "-A INPUT -p tcp -m tcp --dport 54321 -j ACCEPT", paired with a final
# REJECT/DROP rule so the allow-list means something.
-A INPUT -p tcp -m tcp --sport 54321 -j ACCEPT

-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT

-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT

-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT

-A INPUT -p tcp -m tcp --sport 21 -j ACCEPT

-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT

-A INPUT -p tcp -m tcp --sport 110 -j ACCEPT

-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT

-A INPUT -p tcp -m tcp --sport 995 -j ACCEPT

-A INPUT -p tcp -m tcp --sport 68 -j ACCEPT

#iptables -A INPUT -p tcp -m tcp --sport 995 -j ACCEPT

# NOTE(review): this accepts up to 200 new HTTP packets, then 25/min; packets
# over the limit simply do not match this rule and fall through to the ACCEPT
# policy, so the limit caps nothing unless a DROP rule for port 80 follows.
-A INPUT -p tcp -m tcp --dport 80 -m limit --limit 25/min --limit-burst 200 -j ACCEPT

COMMIT

service iptables start

/*********************禁止root 创建普通用户******************************/

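# Day-to-day administration account; root is then no longer used for logins.
# The password is typed interactively at the passwd prompt — the original
# line recorded it in clear text in this runbook, which a shared document
# must never do.
useradd wyj2507
passwd wyj2507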

visudo (99行)



# /etc/sudoers line (edit with visudo): wyj2507 may run any command as any
# user on any host, i.e. full root equivalence, with its own password
# prompted. NOTE(review): the section title says "disable root", but no step
# on this page sets "PermitRootLogin no" in sshd_config, so root itself can
# still log in over SSH with the key installed earlier.
wyj2507 ALL=(ALL) ALL

/*********************禁止root 创建普通用户********************/

/*******************************************修改HOSTS*******************/

vi /etc/hosts

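# /etc/hosts — the original read "27.0.0.1", which is a routable address,
# not the loopback; localhost must resolve to 127.0.0.1.
127.0.0.1 localhost VM_41_93_centos

# The three directives below are not /etc/hosts syntax; they belong in
# /etc/host.conf (resolver library configuration).
# resolve names via DNS first, then /etc/hosts
order bind hosts
# a host may have several addresses listed in /etc/hosts
multi on
# after a reverse lookup, forward-resolve the returned name and require the
# address to match — rejects spoofed PTR records
nospoof on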

service network restart

/*****************精简开机自启动服务*************************************/

7个运行级别 0 系统停机模式 1 单用户 2 多用户模式 3 完整多用户

4 系统未使用 5 图形化模式 6 重启模式

init 0 1 2 3 4 5 6 设置运行级别

新系统只保留crond,network,syslog(rsyslog),sshd自启动服务 后期加

查看运行级别 runlevel

查看开启的服务 chkconfig --list

#关闭全部服务



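# Disable every service enabled in runlevel 3 (the required ones are turned
# back on below). "chkconfig --list" prints "3:on" or a translated form such
# as "3:启用" depending on the locale, so the output is read in the C locale
# and matched on the runlevel-3 column; service names are read one per line
# instead of being word-split from a backtick substitution.
LC_ALL=C chkconfig --list 2>/dev/null | awk '$5 == "3:on" { print $1 }' |
  while IFS= read -r svc; do
    chkconfig --level 3 "$svc" off
  done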

#或者



# Same as the loop above: collect the runlevel-3 services that chkconfig
# reports as enabled (locale-dependent "3:启用" match, output word-split as
# before) and switch each one off.
enabled_rl3=$(chkconfig --list | grep 3:启用 | awk '{print $1}')
for svc in $enabled_rl3; do
  chkconfig --level 3 $svc off
done

#开启需要的服务



# Re-enable the baseline services in runlevel 3.
baseline=(crond rsyslog sshd network)
for svc in "${baseline[@]}"; do
  chkconfig --level 3 "$svc" on
done

#或者需要使用防火墙的话可以开启iptables和ip6tables



# Same as above, additionally keeping the IPv4/IPv6 packet filters enabled
# at boot.
baseline=(crond rsyslog sshd network iptables ip6tables)
for svc in "${baseline[@]}"; do
  chkconfig --level 3 "$svc" on
done

/******************清理登陆的时候显示的系统及内核版本等***********************/

#查看登陆信息

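# Show what the pre-login banner and release file currently reveal ...
cat /etc/redhat-release
cat /etc/issue
# ... then blank them so the console banner no longer advertises the distro
# and version. Keep a copy first (-n: do not overwrite an existing backup):
# some tooling reads /etc/redhat-release to detect the OS.
cp -n /etc/redhat-release /etc/redhat-release.orig
cp -n /etc/issue /etc/issue.orig
: > /etc/redhat-release
: > /etc/issue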

#关闭重启ctl-alt-delete组合键

vi /etc/init/control-alt-delete.conf

#注释掉

#exec /sbin/shutdown -r now "Control-Alt-Deletepressed"

#chattr类似chmod修改文件/目录属性 级别高于chmod

#chattr命令不能保护/、/dev、/tmp、/var目录。lsattr命令是显示chattr命令设置的文件属性。

#锁定关键文件系统



# Make the account databases immutable (+i): even root cannot modify, replace
# or delete them until the flag is cleared with "chattr -i".
# NOTE(review): every later step on this page that edits accounts — the
# userdel/groupdel lists that follow, and "groupadd mysql" /
# "useradd -r -g mysql mysql" in the MySQL section — fails while these flags
# are set. Run the account changes first, or clear and re-set the flag
# around them.
chattr +i /etc/passwd

chattr +i /etc/inittab

chattr +i /etc/group

chattr +i /etc/shadow

chattr +i /etc/gshadow

#删除不必要的系统用户和群组



# Remove accounts a web server does not need; each userdel runs on its own,
# as in the original list, so one missing account does not stop the rest.
# NOTE(review): /etc/passwd and /etc/shadow were made immutable a few lines
# earlier; userdel cannot write them until "chattr -i" is run. Also, "ftp"
# is deleted here while the permissions section later runs
# "chown -R ftp:ftp $ROOT/ftp", which fails once the account is gone.
for acct in adm lp sync shutdown halt news uucp operator games gopher ftp; do
  userdel "$acct"
done

#删除不必要的群组



# Drop groups no longer needed; each groupdel runs independently, as in the
# original list. NOTE(review): /etc/group and /etc/gshadow carry the
# immutable flag set above, so this only works after "chattr -i" on them.
for grp in adm lp news uucp games dip pppusers; do
  groupdel "$grp"
done

/******************************************清理登陆的时候显示的系统及内核版本等********************************/

/*****************************内核参数优化*************************/

vi /etc/sysctl.conf 增加以下配置



# /etc/sysctl.conf additions (applied with "sysctl -p").
# SYN backlog and accept-queue sizes
net.ipv4.tcp_max_syn_backlog = 65536

net.core.netdev_max_backlog = 32768

net.core.somaxconn = 32768

# socket buffer defaults and ceilings, in bytes
net.core.wmem_default = 8388608

net.core.rmem_default = 8388608

net.core.rmem_max = 16777216

net.core.wmem_max = 16777216

# NOTE(review): turning timestamps off also disables PAWS and makes
# tcp_tw_reuse / tcp_tw_recycle (set further down) ineffective — both
# depend on timestamps. Leave at 1 unless there is a measured reason.
net.ipv4.tcp_timestamps = 0

# fewer SYN / SYN-ACK retransmissions: half-open connections give up sooner
net.ipv4.tcp_synack_retries = 2

net.ipv4.tcp_syn_retries = 2

# min / pressure / max, in pages (not bytes)
net.ipv4.tcp_mem = 94500000 915000000 927000000

net.ipv4.tcp_max_orphans = 3276800

# NOTE(review): this ephemeral range includes 3306 and 9000, the ports
# mysqld and php-fpm are configured to listen on later; an outbound
# connection can grab one before the service starts. Reserve them with
# "net.ipv4.ip_local_reserved_ports = 3306,9000" or start the range higher.
net.ipv4.ip_local_port_range = 1024 65535



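# Connection-tracking table size and timeouts.
# sysctl.conf treats only whole lines starting with "#" as comments; the
# original placed its notes after the values on the same line, where they
# become part of the value string handed to the kernel. Notes moved to
# their own lines. Both spellings of the maximum are kept:
# net.nf_conntrack_max is the older alias of net.netfilter.nf_conntrack_max.
#
# Maximum tracked sessions. The default is far smaller; once the table is
# full new connections are dropped, which shows up as packet loss. Each
# entry costs on the order of a few hundred bytes of kernel memory, so
# 25,000,000 entries reserve several GB — size to the box.
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
# Established-session timeout in seconds (kernel default is 5 days): an idle
# established flow is forgotten after 3 minutes (the original note said
# 30 minutes, which does not match the value).
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120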



# TIME_WAIT sockets are only released after a delay; Linux has 65535 ports.

# 1 When the SYN queue overflows, answer with SYN cookies — mitigates small
#   SYN floods

# 2 Allow TIME_WAIT sockets to be reused for new outbound connections

# 3 Enable fast recycling of TIME_WAIT sockets

# 4 FIN_WAIT timeout, seconds (system default is longer)

# NOTE(review): 2 and 3 only take effect when net.ipv4.tcp_timestamps is 1;
# it is set to 0 earlier in this file, so both are no-ops here. With
# timestamps on, tcp_tw_recycle breaks clients that share one public address
# (NAT) and it was removed from the kernel in 4.12 — leave it at 0.
net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_tw_recycle = 1

net.ipv4.tcp_fin_timeout = 30

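# Load the modules at boot so the net.netfilter.* sysctls above exist when
# "sysctl -p" runs; guarded against duplicate lines on re-run.
for mod in nf_conntrack bridge; do
  grep -qxF -- "modprobe $mod" /etc/rc.local || echo "modprobe $mod" >> /etc/rc.local
done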

配置生效

# modprobe nf_conntrack

# sysctl -p

修改iptables启动脚本,在star()函数里面加上

# vi /etc/init.d/iptables

/sbin/sysctl -p

service iptables restart

iptables -v -n -L

#查看当前的会话

cat /proc/net/nf_conntrack | wc -l

LNMP

/*******************************************依赖包*************/



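# Build dependencies for the LNMP stack, grouped as in the original but all
# non-interactive (the original mixed "-y" and prompting calls). The
# original asked for "python-dev", which is the Debian package name; on
# CentOS the Python headers package is python-devel.
yum -y install autoconf curl curl-devel cmake
yum -y install sendmail graphviz
yum -y install gcc gcc-c++
yum -y install python python-devel
yum -y install libicu-devel ncurses-libs ncurses-devel
yum -y install libxslt libxslt-devel
yum -y install e2fsprogs-devel krb5-devel libidn-devel openssl-devel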



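# Build the libraries nginx/php link against, from source under /opt (the
# nginx and curl configure lines later on this page refer to /opt/<name>
# source trees).
# Every archive is fetched over plain HTTP/FTP with no integrity check;
# record the digest published upstream for each release and verify before
# unpacking, e.g.
#   printf '%s  %s\n' "<SHA256_FROM_UPSTREAM>" freetype-2.4.4.tar.gz | sha256sum -c -
# The original ran ./configure without entering the unpacked directory for
# freetype, openssl and zlib; each build below runs in a subshell inside its
# own source tree and the sequence stops at the first failure.
cd /opt || exit 1

wget http://download.savannah.gnu.org/releases/freetype/freetype-2.4.4.tar.gz
tar zxvf freetype-2.4.4.tar.gz
( cd freetype-2.4.4 && ./configure && make && make install ) || exit 1

wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.37.tar.bz2
tar -jxvf pcre-8.37.tar.bz2
( cd pcre-8.37 && ./configure && make && make install ) || exit 1

# NOTE(review): 1.0.1g is not the last 1.0.1 patch release and the 1.0.1
# branch is no longer maintained upstream; prefer a supported release, or
# the distro's openssl-devel (installed above) if nothing needs the
# self-built copy. "make test" runs the upstream test suite before install.
wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz -O openssl-1.0.1g.tar.gz
tar -zxf openssl-1.0.1g.tar.gz
( cd openssl-1.0.1g && ./config -fPIC enable-shared && make && make test && make install ) || exit 1

wget http://zlib.net/zlib-1.2.8.tar.gz
tar -zxf zlib-1.2.8.tar.gz
( cd zlib-1.2.8 && ./configure && make && make install ) || exit 1

wget http://nginx.org/download/nginx-1.8.0.tar.gz
tar -zxvf nginx-1.8.0.tar.gz
# the nginx ./configure follows in the next snippet and runs from here
cd nginx-1.8.0 || exit 1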

## 启用SSL模块 启用nginx状态模块 启用realip模块(将用户IP转发给后端服务器)



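# nginx build: SSL, stub_status and realip (pass the client address on to
# the backend) modules. Same option set as the original with two fixes:
#  * the inline comment after "--with-http_realip_module \" terminated the
#    command — a backslash-escaped space plus "#..." ends the line — so the
#    pcre/openssl/zlib options after it were silently dropped;
#  * "--with-pcre=..." had no continuation backslash.
# --with-pcre/--with-openssl/--with-zlib take SOURCE trees (the ones
# unpacked under /opt above), which nginx compiles itself.
./configure --prefix=/usr/local/nginx \
  --user=nobody \
  --conf-path=/usr/local/nginx/conf/nginx.conf \
  --with-http_ssl_module \
  --with-http_flv_module \
  --with-http_stub_status_module \
  --with-http_gzip_static_module \
  --with-http_realip_module \
  --with-pcre=/opt/pcre-8.37 \
  --with-openssl=/opt/openssl-1.0.1g \
  --with-zlib=/opt/zlib-1.2.8
# the original never built/installed nginx after configuring it
make && make install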



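# libxml2 — the original fetched both 2.7.0 and 2.9.2 but only unpacked
# 2.9.2, so the unused older archive is not downloaded. As above, each build
# runs inside its own source tree (the original configured in the parent
# directory) and stops the sequence on failure.
wget ftp://ftp.xmlsoft.org/libxml2/libxml2-2.9.2.tar.gz
tar zxvf libxml2-2.9.2.tar.gz
( cd libxml2-2.9.2 && ./configure && make && make install ) || exit 1

# libjpeg (the archive normally unpacks to jpeg-6b — check with "tar tzf"
# if this mirror packs it differently)
wget ftp://ftp.pl.freebsd.org/vol/rzm1/GraphicsMagick/delegates/libjpeg-6b.tar.gz
tar zxvf libjpeg-6b.tar.gz
( cd jpeg-6b && ./configure && make && make install ) || exit 1

# libpng. The original edited the generated Makefile with sed after
# configure, looking for "LDFLAGS=" / "CPPFLAGS=" without spaces (autoconf
# writes "LDFLAGS = "), and put a linker -L flag into CPPFLAGS where an
# include -I flag belongs. Passing the flags to configure is the supported
# way and applies to the whole build.
wget http://download.sourceforge.net/libpng/libpng-1.6.18.tar.gz
tar zxvf libpng-1.6.18.tar.gz
( cd libpng-1.6.18 \
  && ./configure LDFLAGS=-L/usr/local/lib CPPFLAGS=-I/usr/local/include \
  && make && make install ) || exit 1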



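# libmcrypt (the download path says "attic": the library is unmaintained
# upstream; the build is kept as the author had it).
wget ftp://mcrypt.hellug.gr/pub/crypto/mcrypt/attic/libmcrypt/libmcrypt-2.5.7.tar.gz
tar zxvf libmcrypt-2.5.7.tar.gz
( cd libmcrypt-2.5.7 && ./configure && make && make install ) || exit 1

# curl, linked against the OpenSSL and zlib built above. The original listed
# two download URLs; the second is kept as a fallback mirror.
wget http://curl.haxx.se/download/curl-7.44.0.tar.gz \
  || wget http://www.execve.net/curl/curl-7.44.0.tar.gz
tar zxvf curl-7.44.0.tar.gz
cd /opt/curl-7.44.0 || exit 1
# --with-ssl expects an install prefix; if configure cannot find OpenSSL in
# the source tree, use the alternative below that points at /usr/local/ssl
./configure --with-ssl=/opt/openssl-1.0.1g --with-zlib=/opt/zlib-1.2.8 && make && make install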

或者

./configure --with-zlib=/opt/zlib-1.2.8 --with-ssl=/usr/local/ssl && make && make install

--with-openssl=/usr/local/ssl --with-libs=/usr/local/ssl

# check which libcrypto/libssl the freshly built curl binary resolved against
ldd $(which curl)

# NOTE(review): this exposes the self-built OpenSSL's libcrypto.so under the
# soname 1.0.0 in /usr/local/lib, system-wide; any program that looks there
# for libcrypto.so.1.0.0 then loads the hand-built copy, which the package
# manager will never update.
ln -s /usr/local/ssl/lib/libcrypto.so /usr/local/lib/libcrypto.so.1.0.0

# rebuild PHP's curl extension against the new curl (the PHP source tree is
# unpacked under /opt/php-5.6.12 in the PHP section below)
cd /opt/php-5.6.12/ext/curl

/usr/local/php/bin/phpize

./configure -with-php-config=/usr/local/php/bin/php-config --with-curl=/opt/curl-7.44.0

make && make install

编译oci php扩展

rpm -ivh oracle-instantclient12.1-basic-12.1.0.1.0-1.x86_64.rpm

rpm -ivh oracle-instantclient12.1-sqlplus-12.1.0.1.0-1.x86_64.rpm

rpm -ivh oracle-instantclient12.1-devel-12.1.0.1.0-1.x86_64.rpm

配置库路径 libsqlplus.so

vim /etc/ld.so.conf

/usr/lib/oracle/12.1/client64/lib/

ldconfig



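# Oracle Instant Client environment (appended to /etc/profile).
export ORACLE_HOME=/usr/lib/oracle/12.1/client64
export ORACLE_BASE=/usr/lib/oracle/12.1
# The original ended with "...:$PATH:" — a trailing colon is an empty PATH
# entry, which the shell resolves as the current directory, so a command
# typed while sitting in an untrusted directory could run a file planted
# there. Dropped.
export PATH=$ORACLE_HOME/bin:$PATH
# same empty-entry problem would appear here when LD_LIBRARY_PATH is unset;
# only add the separator when there is something to append to
export LD_LIBRARY_PATH=$ORACLE_HOME/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
export NLS_LANG=AMERICAN_AMERICA.AL32UTF8
export TNS_ADMIN=$ORACLE_HOME/network/admin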

source /etc/profile

cd /opt/php-5.6.12/ext/oci8

/usr/local/php/bin/phpize

./configure --with-php-config=/usr/local/php/bin/php-config

make && make install

cd /usr/local/php/lib/php/extensions/no-debug-non-zts-20131226/

/*******************************************Mysql********************************/

mysql

wget http://ftp.jaist.ac.jp/pub/mysql/Downloads/MySQL-5.5/mysql-5.5.44.tar.gz
groupadd mysql

useradd -r -g mysql mysql

##此处本来只应该装客户端



# Build MySQL 5.5.44 from source (the note above says only the client was
# meant to be installed here; this builds the full server).
cd /usr/local/Downloads

tar -zxvf mysql-5.5.44.tar.gz

cd mysql-5.5.44

# Option notes, kept above the command because a comment between
# backslash-continued lines would end it:
#  -DMYSQL_UNIX_ADDR       socket path; matches the [client]/[mysqld] socket
#                          lines in the my.cnf below
#  -DENABLED_LOCAL_INFILE  lets clients use LOAD DATA LOCAL INFILE, i.e. the
#                          server asks the *client* to send one of its own
#                          files; enable only if the application needs it
#  -DWITH_EMBEDDED_SERVER  also builds libmysqld (longer build, not used by
#                          php-fpm/nginx)
#  -DEXTRA_CHARSETS=all    is not the same cmake variable as
#                          -DWITH_EXTRA_CHARSETS above — confirm which one
#                          this version of the build honours
cmake -DCMAKE_INSTALL_PREFIX=/usr/local/mysql \

-DMYSQL_DATADIR=/usr/local/mysql/data \

-DMYSQL_TCP_PORT=3306 \

-DMYSQL_UNIX_ADDR=/var/run/mysqld/mysqld.sock \

-DMYSQL_USER=mysql \

-DDEFAULT_CHARSET=utf8 \

-DWITH_EXTRA_CHARSETS:STRING=utf8,gbk \

-DWITH_MYISAM_STORAGE_ENGINE=1 \

-DWITH_MEMORY_STORAGE_ENGINE=1 \

-DDEFAULT_COLLATION=utf8_general_ci \

-DEXTRA_CHARSETS=all \

-DWITH_READLINE=1 \

-DWITH_EMBEDDED_SERVER=1 \

-DENABLED_LOCAL_INFILE=1 \

-DWITH_INNOBASE_STORAGE_ENGINE=1

make && make install



mkdir /usr/local/mysql/etc/

cp support-files/my-large.cnf /usr/local/mysql/etc/my.cnf

vim /usr/local/mysql/etc/my.cnf

[mysqld]

basedir = /usr/local/mysql

datadir = /usr/local/mysql/data

port = 3306

socket = /var/run/mysqld/mysqld.sock

character_set_server = utf8

slow_query_log = 1

log-error = /usr/local/mysql/log/mysql_error.log

pid-file = /usr/local/mysql/run/mysql.pid

default-storage-engine=MyISAM

user = mysql

open_files_limit = 65535

max_connections = 5000

max_connect_errors = 6000 #出错锁定host

back_log = 600 #连接队列的最大值

skip-name-resolve #关闭反向域名解析

innodb_file_per_table = 0 #innodb表不共享一个文件

interactive_timeout = 120

wait_timeout = 120 #连接过期秒数

thread_cache_size = 32 #连接词空闲线程数

tmp_table_size = 56M

max_heap_table_size = 56M

long_query_time = 3

log-bin = /var/www/log/binlog

binlog_cache_size = 4M

binlog_format = MIXED

max_binlog_cache_size = 8M

max_binlog_size = 1G

[client]

socket = /var/run/mysqld/mysqld.sock

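# Ownership and initialisation of the MySQL tree. The original lines carried
# "//..." trailing notes — "//" is not a shell comment, so chown/chgrp were
# handed an extra, non-existent path argument and reported an error.
# (groupadd/useradd were already run once above; repeating them only
# produces an "already exists" message.)
groupadd mysql
useradd -r -g mysql mysql

cd /usr/local/mysql || exit 1
# mysql must own the tree while mysql_install_db runs
chown -R mysql .
chgrp -R mysql .

# initialise the data directory as the mysql user
/usr/local/mysql/scripts/mysql_install_db --basedir=/usr/local/mysql \
  --defaults-file=/usr/local/mysql/etc/my.cnf \
  --user=mysql \
  --datadir=/usr/local/mysql/data

# hand the binaries back to root; only the data directory stays mysql-owned
chown -R root .
chown -R mysql:mysql data

cp /etc/my.cnf /etc/my.cnf_bak
cp /usr/local/mysql/etc/my.cnf /etc/my.cnf

# Socket, pid and error-log directories, owned by the service account with
# 0755/0750 instead of the original world-writable 0777: any local user
# could otherwise replace the socket clients connect to or the pid file the
# init script kills. The log directory was never created in the original,
# so mysqld could not open the --log-error file configured below.
install -d -o mysql -g mysql -m 0755 /var/run/mysqld
install -d -o mysql -g mysql -m 0755 /usr/local/mysql/run
install -d -o mysql -g mysql -m 0750 /usr/local/mysql/log

/usr/local/mysql/bin/mysqld \
  --defaults-file=/usr/local/mysql/etc/my.cnf \
  --basedir=/usr/local/mysql \
  --datadir=/usr/local/mysql/data \
  --plugin-dir=/usr/local/mysql/lib/plugin \
  --user=mysql \
  --log-error=/usr/local/mysql/log/mysql_error.log \
  --pid-file=/usr/local/mysql/run/mysql.pid \
  --socket=/var/run/mysqld/mysqld.sock \
  --port=3306 &

cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld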

客户端

yum install mysql

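-- Run from the mysql client (USE mysql) after the first start. The original
-- embedded the real root password in this runbook; supply it at run time.
UPDATE user SET password = PASSWORD('<ROOT_PASSWORD_PLACEHOLDER>') WHERE user = 'root';
-- NOTE(review): host='%' lets root connect from ANY address. The my.cnf on
-- this page sets no bind-address and port 3306 is not filtered by the
-- iptables rules above, so this is a remote root login exposed to the
-- network. Keep root on 'localhost' (or a single admin address) and create
-- a separate, least-privileged account for the application instead.
UPDATE user SET host = '%' WHERE user = 'root';
FLUSH PRIVILEGES;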

/*******************************************php*********************************/



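# PHP 5.6.12 from source. opcache build/installation notes:
#   http://php.net/manual/zh/opcache.installation.php
wget http://cn2.php.net/distributions/php-5.6.12.tar.gz
tar zxvf php-5.6.12.tar.gz
# the original had no cd here, so ./configure ran in the parent directory
cd php-5.6.12 || exit 1

# --with-fpm-group: the original said "nogroup", a Debian group that does
# not exist on CentOS; php-fpm.conf later sets "group = nobody", which is
# also what the chown nobody:nobody in the permissions section assumes.
# --with-freetype-dir was listed twice; kept once.
# --with-curlwrappers: if this configure reports it as unrecognised, drop
# it — the curl stream wrappers were deprecated and later removed.
./configure --prefix=/usr/local/php \
  --with-config-file-path=/usr/local/php/conf \
  --with-fpm-user=nobody \
  --with-fpm-group=nobody \
  --enable-fpm \
  --enable-bcmath \
  --with-curl \
  --with-mcrypt \
  --with-freetype-dir \
  --enable-mbstring \
  --with-pdo-mysql=mysqlnd \
  --with-mysqli=mysqlnd \
  --with-mysql=/usr/local/mysql \
  --with-openssl \
  --with-imap-ssl \
  --with-gd \
  --with-jpeg-dir=/usr/lib/ \
  --with-png-dir=/usr/lib/ \
  --enable-exif \
  --enable-zip \
  --with-zlib \
  --with-xsl \
  --with-gettext \
  --enable-intl \
  --with-xmlrpc \
  --enable-xml \
  --enable-ftp \
  --with-pear \
  --enable-sockets \
  --enable-gd-native-ttf \
  --enable-sysvsem \
  --enable-sysvshm \
  --enable-shmop \
  --with-mhash \
  --enable-inline-optimization \
  --with-curlwrappers \
  --enable-mbregex \
  --enable-opcache
make && make install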
http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html
##最小权限



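# Ownership/permission reset for the document root. The web service account
# (nobody — see php-fpm.conf) owns the whole tree, so every "u+..." grant
# below goes to the process that serves requests.
# NOTE(review): with this layout a compromised PHP worker can rewrite
# serverConfig, Public and crontab because it is their owner. The usual
# least-privilege split is a separate deploy owner for code and config,
# readable by the service account, with write access only on Runtime and
# Uploads.
ROOT="/var/www/html"
# refuse to run with an empty ROOT: the recursive chmod/chown would then
# operate on "" (an error) or, after a typo, on the wrong tree
: "${ROOT:?ROOT must be set}"

chown -R nobody:nobody "$ROOT"
# strip everything, then re-grant to the owner only
chmod -R a-rwx "$ROOT"
chmod -R u+rx "$ROOT"
chmod -R u+rw "$ROOT/serverConfig"
chmod -R u+rwx "$ROOT/Runtime"
chmod -R u+rwx "$ROOT/Uploads"
chmod -R u+rw "$ROOT/crontab"
chmod -R u+rwx "$ROOT/Public"
# (the original repeated the serverConfig line a second time; dropped)
# NOTE(review): "ftp" is among the accounts deleted in the hardening
# section; if that was done, this chown fails with "invalid user".
chown -R ftp:ftp "$ROOT/ftp"
chmod -R u+rw "$ROOT/ftp"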

#session



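# Session directory for php-fpm (runs as nobody, see php-fpm.conf).
# A directory needs the execute bit to be entered, so the original
# "a-wrx" followed by "u+wr" left it at 0600 — the worker could neither
# create nor open session files inside it. 0700 gives the service account
# full use and keeps every other account out.
install -d -o nobody -g nobody -m 0700 /usr/local/php/sess/weijiaoyun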

/*********************************************启动命令***************************/

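# Start/restart commands. "$(cat ...)" replaces the backtick forms; the pid
# paths are the ones php-fpm.conf ("pid = run/php-fpm.pid", relative to
# /usr/local/php/var) and nginx write.
php_fpm_pid=/usr/local/php/var/run/php-fpm.pid
nginx_pid=/usr/local/nginx/logs/nginx.pid

# --- php-fpm: cold start
pkill php-fpm
/usr/local/php/sbin/php-fpm -c /usr/local/php/etc/php.ini -y /usr/local/php/etc/php-fpm.conf
chown -R nobody:nobody /usr/local/php/sess
chown nobody:nobody /dev/shm/sess/weijiaoyun
# the directory itself needs x to be traversed (the original "u+wr" did not
# grant it); files inside only need rw
chmod u+rwx /usr/local/php/sess/weijiaoyun
chmod -R u+rw /usr/local/php/sess/weijiaoyun

# --- php-fpm: graceful restart — USR2 reloads workers and config, USR1
#     reopens the log files. Preferred over pkill + start.
kill -USR2 "$(cat "$php_fpm_pid")"
kill -USR1 "$(cat "$php_fpm_pid")"

# --- nginx
pkill nginx
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
/usr/local/nginx/sbin/nginx -s reload
# The original chown'ed ALL of /dev/shm to the web account. /dev/shm is
# shared by every process on the host; only the session subtree the
# application uses (see /dev/shm/sess/weijiaoyun above) should belong to it.
chown -R nobody:nobody /dev/shm/sess
# USR2 = graceful restart, USR1 = reopen logs (same as nginx -s reload/reopen)
kill -USR2 "$(cat "$nginx_pid")"
kill -USR1 "$(cat "$nginx_pid")"

# --- mysqld (pkill sends TERM, on which mysqld shuts down cleanly)
pkill mysqld
/usr/local/mysql/bin/mysqld \
  --defaults-file=/usr/local/mysql/etc/my.cnf \
  --basedir=/usr/local/mysql \
  --datadir=/usr/local/mysql/data \
  --plugin-dir=/usr/local/mysql/lib/plugin \
  --user=mysql \
  --log-error=/usr/local/mysql/log/mysql_error.log \
  --pid-file=/usr/local/mysql/run/mysql.pid \
  --socket=/var/run/mysqld/mysqld.sock \
  --port=3306 &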

不保存历史

# Shrinks the bash history kept per login shell from 3000 to 4 entries.
# NOTE(review): this also removes the command trail an incident responder
# relies on. If the aim is to keep secrets typed on the command line out of
# ~/.bash_history, HISTCONTROL=ignorespace (and passing secrets via stdin
# or files) achieves that without losing the history; auditd or forwarded
# logs give a record the user cannot edit. The sed only matches the exact
# text "HISTSIZE=3000", so it is a no-op if /etc/profile uses another value.
sed -i 's/HISTSIZE\=3000/HISTSIZE\=4/g' /etc/profile

source /etc/profile

传输命令

scp -i /root/wjyRsa -P 54321 -r /var/www/testscp 119.29.38.43:/var/www/

scp -i /root/devRsa -P 54321 -r /opt/curl-7.44.0 119.29.11.29:/opt/curl-7.44.0

/********************************系统工具**************************************/

yum -y install vim

yum install fonts-chinese.noarch

添加库文件路径

vim /etc/ld.so.conf

ldconfig

#滞后

--with-oci8 \

apparmor_parser -R /etc/apparmor.d/usr.sbin.tcpdump

tcpdump -i lo -w /var/www/logs/php-fpm2

/usr/sbin/tcpdump -i eth0 -w /var/www/logs/tcpdump7

yum -y install sysstat

sar -n EDEV 2 10

sar -n SOCK 2 10

sar -r 6 #men

sar -u 6 #cpu

top -p pid

P:按%CPU使用率排行

T:按TIME+排行

M:按%MEM排行

Linux查看网络端口对应的程序

lsof -i :80

netstat -a |grep LISTEN |grep -v unix

ps -aux | sort -k4nr

ps -aux | grep -E "sap|USER"

#innode

df -i

#innode 大小

dumpe2fs -h /dev/vdb2 | grep "Inode size"

查看 进程的详细内存

pmap -q <php-fpm 进程的 pid>

/**********************配置文件备份*******************************/

/usr/local/mysql/etc/my.cnf



[client]

port = 3306

socket = /var/run/mysqld/mysqld.sock

[mysqld]

port = 3306

socket = /var/run/mysqld/mysqld.sock

skip-external-locking

key_buffer_size = 256M

max_allowed_packet = 1M

table_open_cache = 256

sort_buffer_size = 1M

read_buffer_size = 1M

read_rnd_buffer_size = 4M

myisam_sort_buffer_size = 64M

thread_cache_size = 8

query_cache_size= 16M

query_cache_limit = 2M

query_cache_min_res_unit = 2k

basedir = /usr/local/mysql

datadir = /usr/local/mysql/data

port = 3306

socket = /var/run/mysqld/mysqld.sock

character_set_server = utf8

slow_query_log = 1

log-error = /usr/local/mysql/log/mysql_error.log

pid-file = /usr/local/mysql/run/mysql.pid

default-storage-engine=MyISAM

user = mysql

thread_concurrency = 2

open_files_limit = 65535

max_connections = 5000

max_connect_errors = 6000

back_log = 600

skip-name-resolve

innodb_file_per_table = 0

interactive_timeout = 120

wait_timeout = 120

log-bin = /var/www/log/binlog

binlog_cache_size = 4M

binlog_format = MIXED

max_binlog_cache_size = 8M

max_binlog_size = 1G

cat /usr/local/php/etc/php.ini

[PHP]



engine = On

short_open_tag = Off

asp_tags = Off

precision = 14

output_buffering = 4096

zlib.output_compression = Off

implicit_flush = Off

unserialize_callback_func =

serialize_precision = 17

; open_basedir: PHP may only open files below these paths. The ";" after the
; closing quote starts an (empty) ini comment — harmless but misleading.
open_basedir = "/tmp/:/var/www/html:/var/www/task/cli/:/var/www/tasks/test_data/";

; NOTE(review): empty means every built-in function is callable from PHP
; code, including the process-spawning ones; production php.ini files
; normally list those here.
disable_functions =

disable_classes =

zend.enable_gc = On

; NOTE(review): On adds an "X-Powered-By" header carrying the exact PHP
; version to every response; set to Off.
expose_php = On

max_execution_time = 30

max_input_time = 60

memory_limit = 256M

error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

display_errors = Off

display_startup_errors = Off

log_errors = On

log_errors_max_len = 1024

ignore_repeated_errors = Off

ignore_repeated_source = Off

report_memleaks = On

track_errors = Off

html_errors = On

variables_order = "GPCS"

request_order = "GP"

register_argc_argv = Off

auto_globals_jit = On

post_max_size = 100M

auto_prepend_file =

auto_append_file =

default_mimetype = "text/html"

doc_root =

user_dir =

enable_dl = Off

; With fix_pathinfo=1 PHP walks back along SCRIPT_FILENAME until it finds an
; existing file, so a request for "<existing-file>/x.php" is executed as
; <existing-file>. The nginx vhost on this page hands every URI ending in
; ".php" to php-fpm; what keeps uploaded files from being run is php-fpm's
; security.limit_extensions, so keep that list to ".php" (it currently also
; allows ".html") — or set this to 0.
cgi.fix_pathinfo=1

file_uploads = On

upload_max_filesize = 100M

max_file_uploads = 20

upload_tmp_dir=/tmp

; allow_url_fopen=On lets file functions fetch http:// URLs; the
; security-relevant one is allow_url_include, which is correctly Off below.
allow_url_fopen = On

allow_url_include = Off

default_socket_timeout = 60

[Phar]

[mail function]

SMTP = localhost

smtp_port = 25

mail.add_x_header = On

[opcache]

zend_extension = "/usr/local/php/lib/php/extensions/no-debug-non-zts-20131226/opcache.so"

opcache.memory_consumption=128

opcache.interned_strings_buffer=8

opcache.max_accelerated_files=4000

opcache.revalidate_freq=60

opcache.fast_shutdown=1

opcache.enable_cli=1

[Session]

session.save_handler = files

session.save_path = "1;/usr/local/php/sess/weijiaoyun"

session.use_cookies = 1

session.use_only_cookies = 1

session.name = PHPSESSID

session.auto_start = 0

session.cookie_lifetime = 0

session.cookie_path = /

[curl]

extension="/usr/local/php/lib/php/extensions/no-debug-non-zts-20131226/curl.so"

cat /usr/local/php/etc/php-fpm.conf | grep -v '^;' | grep -v '^$'| less



[global]

error_log = /var/log/php/php-fpm.log

log_level = notice

rlimit_files = 65535

rlimit_core = 0

pid = run/php-fpm.pid

[www]

user = nobody

group = nobody

listen = 127.0.0.1:9000

listen.allowed_clients = 127.0.0.1

pm = static

pm.max_children = 50

pm.start_servers = 40

pm.min_spare_servers = 5

pm.max_spare_servers = 10

pm.max_requests = 1000

; NOTE(review): the nginx vhost on this page serves /status to any client
; (no allow/deny in that location); restrict it to the monitoring host.
pm.status_path = /status

request_terminate_timeout = 30

; repeats the [global] rlimit_files above with a different value (65535
; there, 655360 here); the pool value is the one the workers get
rlimit_files = 655360

rlimit_core = 0

; NOTE(review): ".html" here lets php-fpm execute a file ending in .html as
; PHP code when cgi.fix_pathinfo resolves a request to it. Unless the
; application really serves PHP from .html files, limit this to ".php".
security.limit_extensions = .php .html

; the documented form is php_admin_value[date.timezone] = Asia/Shanghai
; (no quotes inside the brackets) — confirm this variant is accepted
php_admin_value['date.timezone'] = 'Asia/Shanghai'

cat /usr/local/nginx/conf/nginx.conf | grep -v '^#' | grep -v '^$'| less

user nobody nobody;

worker_processes 2;

worker_rlimit_nofile 65353;

events {

worker_connections 65353;

use epoll;

}

http {

include mime.types;

default_type application/octet-stream;

sendfile on;

keepalive_timeout 65;

fastcgi_connect_timeout 300;

fastcgi_send_timeout 300;

fastcgi_read_timeout 300;

fastcgi_buffer_size 128k;

fastcgi_buffers 4 128k;

fastcgi_busy_buffers_size 256k;

fastcgi_temp_file_write_size 256k;

gzip on;

gzip_min_length 1k;

gzip_buffers 4 32k;

gzip_http_version 1.1;

gzip_comp_level 2;

gzip_types text/plain application/x-javascript text/css application/xml;

gzip_vary on;

gzip_disable "MSIE [1-6].";

server_names_hash_bucket_size 128;

client_max_body_size 100m;

client_header_buffer_size 256k;

large_client_header_buffers 4 256k;

include vhost/*.conf;

}

cat /usr/local/nginx/conf/vhost/dev.xcoach.cn.conf | grep -v '^#' | grep -v '^$'| less



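server {
    listen 80;
    server_name 119.29.11.29;
    root /var/www/html;
    index index.php index.html;
    # not set anywhere in nginx.conf on this page; stops the version from
    # being sent in the Server header and error pages
    server_tokens off;

    large_client_header_buffers 4 16k;
    client_max_body_size 300m;
    client_body_buffer_size 128k;

    proxy_connect_timeout 600;
    proxy_read_timeout 600;
    proxy_send_timeout 600;
    proxy_buffer_size 64k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;

    location / {
        index index.htm index.html index.php;
        # front-controller rewrite: anything that is not a real file goes
        # through index.php with the original URI as PATH_INFO
        if (!-e $request_filename) {
            rewrite ^/(.*)$ /index.php/$1 last;
            break;
        }
    }

    # Regex locations are tried in file order and the first match wins. In
    # the original these two deny blocks came AFTER "location ~ \.php$", so
    # a URI under /Uploads/ ending in .php matched the PHP handler first and
    # reached php-fpm. Placed ahead of it so the deny takes effect.
    location ~* \.(htaccess|inc|conf)$ {
        deny all;
    }
    location ~ /(sql|Data|Uploads|ftp)/.*\.(php|php5)?$ {
        deny all;
    }

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_read_timeout 150;
        include /usr/local/nginx/conf/fastcgi_params;
        # split "/index.php/extra/path" into the script and PATH_INFO
        set $path_info "";
        set $real_script_name $fastcgi_script_name;
        if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
            set $real_script_name $1;
            set $path_info $2;
        }
        fastcgi_param SCRIPT_FILENAME /var/www/html/$real_script_name;
        fastcgi_param SCRIPT_NAME $real_script_name;
        fastcgi_param PATH_INFO $path_info;
    }

    # NOTE(review): both status endpoints are reachable by any client. nginx's
    # stub_status and php-fpm's status page expose connection and worker
    # internals; an "allow <monitoring-host>; deny all;" pair in each
    # location limits them to the monitoring source.
    location /ngstatus {
        stub_status on;
        access_log off;
    }
    location /status {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }
    location ~ .*\.(js|css)?$ {
        expires 12h;
    }

    #location ^~ /Runtime {
    #    deny all;
    #}

    access_log logs/dev.xcoach.cn.access.log;
    error_log logs/dev.xcoach.cn.error.log;
}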

/*************************************定时程序***************************/



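# crontab entries. Changes from the original:
#  * the trailing "&" on every line is dropped — cron already runs each job
#    detached, and backgrounding it also throws away the exit status and
#    any output cron would otherwise mail/log;
#  * the disabled doching.sh line carried what looks like a real host, user
#    and database password; replaced with placeholders — credentials must
#    not live in a runbook.
# NOTE(review): ftp_get.sh receives its FTP user and password as
# command-line arguments, which every local user can read in "ps"; have the
# script read them from a 0600 file or the environment instead.
* * * * * /bin/sh /var/www/tasks/defend_ddos/defend_ddos.sh
*/10 * * * * /var/www/tasks/ftp/ftp_get.sh "school" "username" "password" "/var/www/html/ftp/userdata" "/userdata/*.data"
*/10 * * * * /usr/local/php/bin/php -q /var/www/tasks/cli/cliApiBandRelation.php
#59 * * * * /var/www/tasks/data_docking/doching.sh <DB_HOST> <DB_USER> <DB_PASSWORD> <DB_NAME> 3306
*/1 * * * * /usr/local/qcloud/stargate/admin/start.sh > /dev/null 2>&1
0 0 * * * bash /var/www/task/nglog_bak/nglog_bak.sh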

/*************************************************定时程序***********************************************************/

/***************************************其他************************/

保证每天多少PV的并发连接数的计算公式是:

并发连接数= PV / 统计时间(一天是86400) * 页面衍生连接次数 * http响应时间 * 因数(5) / web服务器数量

保证4千万PV的并发连接数:

(40000000PV / 86400秒 * 10个派生连接数 * 5秒内响应 * 5倍峰值) / 6台Web服务器 = 19290连接数

10PV的并发连接数:

(100000PV / 86400秒 * 10个派生连接数 * 5秒内响应 * 5倍峰值) / 1台Web服务器 = 289连接数

ab.exe -n2000 -kc2000

svn

svn delete svn://119.29.11.29/weijiaoyun/Public -m "delete Public"

svn import -m 'reimport' /var/www/html/Public svn://119.29.11.29/weijiaoyun/Public

vim ignore.txt

Application/User/Conf/config.php

Application/Common/Conf/config.php

Runtime

Uploads

svn propset svn:ignore -F ignore.txt .

svn proplist

svn propget svn:ignore

nginx 无法打印日志、tail -f 报没有磁盘空间时,增大 max_user_watches 参考 http://www.51know.info/system_security/inotify.html
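# Raise the per-user inotify watch limit. The original redirected into a
# file named "cat" in the working directory and passed the /proc path to
# echo as text, so the limit was never changed. This write does not survive
# a reboot; add "fs.inotify.max_user_watches = 17000" to /etc/sysctl.conf
# to make it persistent.
echo 17000 > /proc/sys/fs/inotify/max_user_watches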

批量替换 参考 http://php.net/manual/zh/language.exceptions.php (jim at anderos dot com)

# Bulk rewrite: qualify "throw new Exception" with the global-namespace
# backslash in every file under /var/www/ceshi (see the php.net note above).
# Form 1: grep lists matching files (-l) recursively (-r) and xargs hands
# them to sed -i. A path containing whitespace breaks the hand-off (no
# -print0/-0 here).
grep 'throw new Exception' /var/www/ceshi/ -rl | xargs sed -i 's/throw new Exception/throw new \\Exception/g'

# Form 2: same edit with the file list substituted onto the command line; it
# word-splits the same way, and runs sed with no file at all (reading
# stdin) if nothing matches.
sed -i 's/throw new Exception/throw new \\Exception/g' `grep 'throw new Exception' /var/www/ceshi/ -rl`

错误日志分析

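# Block client addresses that appear in the nginx error log with a specific
# Referer. The original interpolated strings taken from the log into the
# iptables command line unquoted and unvalidated; the Referer is attacker
# supplied, so each extracted candidate is now checked to be a plain
# dotted-quad IPv4 address before it is used anywhere.
error_log="/usr/local/nginx/logs/weijiaoyun_error.log"
iptables_saved=/etc/sysconfig/iptables

# strict IPv4 check: exactly four decimal octets, each 0-255
is_ipv4() {
  local ip=$1 octet
  [[ $ip =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so "08"/"09" are not read as invalid octal
    (( 10#$octet <= 255 )) || return 1
  done
}

grep -iE 'referrer: "http://123\.249\.24\.233/POST_ip_port\.phpAccep' -- "$error_log" \
  | sed 's/\(.*\)\(client: \)\(.*\)\(, server:.*\)/\3/g' \
  | sort -u \
  | while IFS= read -r ip; do
      if ! is_ipv4 "$ip"; then
        printf 'skipping non-IPv4 client field: %s\n' "$ip" >&2
        continue
      fi
      # already in the persisted ruleset (iptables-save writes "-s A.B.C.D/32")
      grep -qE -- "-s ${ip//./\\.}(/32)? " "$iptables_saved" && continue
      # one DROP rule at the top of INPUT is enough; the original added the
      # same rule twice (-A and -I)
      /sbin/iptables -I INPUT -s "$ip" -j DROP
      /sbin/iptables-save > "$iptables_saved"
    done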

PHP-FPM master进程可以理解以下信号

INT, TERM 立刻终止 QUIT 平滑终止 USR1 重新打开日志文件 USR2平滑重载所有worker进程并重新载入配置和二进制模块

php-fpm 关闭:kill -INT `cat /usr/local/php/var/run/php-fpm.pid`

php-fpm 重启:kill -USR2 `cat /usr/local/php/var/run/php-fpm.pid`

/**********************************************************其他******************************************************/

/****************服务优化 只开启必要的服务,提高安全性和性能********************/

###以下服务是必须的必须开启 其他可以尝试关闭

安装完Linux之后,以下服务是必须的必须开启,没列出的服务可关闭

acpid #高级控制电源管理接口

crond #定时执行任务

haldaemon #必须开启,否则可能导致控制台键盘鼠标无法使用

hidd #同上

irqbalance #支持多cpu中断,必须开启

kudzu #检测硬件变化时自动进行配置

lvm2-monitor #用于监测LVM状态

messagebus #Linux系统进程间通讯的关键服务

mdmonitor #监测软RAID健康状态 即使没有使用软RAID, 也强烈建议启用此服务

mdmpd #同上,即使没有多路径存储设备,也强烈建议启用之

network #网络支持

readahead_early #预先加载特定的应用程序到内存中以提供性能

readahead_later #同上

smartd #硬盘故障自动检测

sshd

syslog

klogd #如果服务列表中存在,则必须开启

提示:配置服务可使用ntsysv工具,比较方便

其它强烈建议开启的服务 iptables

/**********************************服务优化 只开启必要的服务,提高安全性和性能*************************************/

/*************************************日志************************************/

/var/log/message 系统启动后的信息和错误日志,是Red Hat Linux中最常用的日志之一

/var/log/secure 与安全相关的日志信息

/var/log/maillog 与邮件相关的日志信息

/var/log/cron 与定时任务相关的日志信息

/var/log/spooler 与UUCP和news设备相关的日志信息

/var/log/boot.log 守护进程启动和停止相关的日志消息

dmesg | grep IDE # 查看启动时IDE设备检测状况

route -n # 查看路由表

/**************************************参考***********************/

生产服务器环境最小化安装后 Centos 6.5优化配置备忘 http://zhangxugg-163-com.iteye.com/blog/1843724
Centos 6.5优化配置 http://www.lvtao.net/server/centos-server-setup.html
inotify: http://www.51know.info/system_security/inotify.html
Linux(Centos )的网络内核参数优化来提高服务器并发处理能力 http://blog.csdn.net/shaobingj126/article/details/8549494
日志 :http://www.centoscn.com/CentosSecurity/CentosSafe/2014/0304/2490.html

linux下使用tc模拟网络延迟和丢包 http://blog.csdn.net/duanbeibei/article/details/41250029
/*****************************参考***********************************/