1、配置sudo
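# 1. Create an admin user and grant it sudo. Run as root.
# The password comes from the NEW_USER_PASS environment variable rather than
# from the command line, so it is not stored in shell history; the original
# piped a hard-coded '123456' into `passwd --stdin`, which is also RHEL-only.
new_user=${NEW_USER:-herlly}
: "${NEW_USER_PASS:?NEW_USER_PASS must be set}"
useradd "$new_user"
printf '%s:%s\n' "$new_user" "$NEW_USER_PASS" | chpasswd
# sudoers entry: everything except changing root's password. The original
# appended it for "lnso" although the user created above was "herlly"; here
# it applies to the user just created. sudoers(5) warns that wildcards such as
# "[A-Za-z]*" match across whitespace, so a negated passwd entry is a
# convenience, not a hard boundary — keep it in mind when reviewing access.
sudoers_tmp=$(mktemp) || exit 1
cat >"$sudoers_tmp" <<EOF
$new_user ALL=(ALL) ALL,!/usr/bin/passwd,/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root
EOF
# Validate before installing: a syntax error appended straight into
# /etc/sudoers disables sudo for every user. The drop-in needs
# "#includedir /etc/sudoers.d" in /etc/sudoers (present by default on
# RHEL/CentOS 6 and later) and a file name containing no dots.
if visudo -cf "$sudoers_tmp"; then
  install -m 0440 -- "$sudoers_tmp" "/etc/sudoers.d/$new_user"
fi
rm -f -- "$sudoers_tmp"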
2、关闭SELinux
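# 2. Disable SELinux. Matching "^SELINUX=" instead of only "=enforcing" also
# rewrites a host that is currently permissive; SELINUXTYPE= is not touched.
# (SELINUX=permissive would keep AVC audit logging while blocking nothing.)
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
setenforce 0 # takes effect immediately, until the next boot
reboot # the config file is only read at boot; reboot makes the change permanent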
3、配置资源限制
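# 3. Resource limits and shell settings for every login shell.
# Each line is appended only if it is not already present, so re-running this
# snippet does not stack duplicate entries in /etc/profile (the original
# `echo >>` lines did). The quoted heredoc keeps the backticks literal, so
# `whoami` is evaluated at login and stamps each history entry with the user.
# TMOUT=300 logs out an idle shell after five minutes; ulimit -s unlimited
# applies to all users, including service accounts started from a login shell.
profile=/etc/profile
while IFS= read -r line; do
  grep -qxF -- "$line" "$profile" || printf '%s\n' "$line" >>"$profile"
done <<'EOF'
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 65535
export HISTTIMEFORMAT="%F %T `whoami` "
export TMOUT=300
HISTFILESIZE=100
EOF
source /etc/profile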
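# Open-file and process limits for all users. Guarded on the hard nofile line
# so the stanza is appended only once; the memlock lines stay commented out.
limits=/etc/security/limits.conf
if ! grep -qxF -- '* hard nofile 65535' "$limits"; then
cat >>"$limits" <<EOF
* soft nofile 60000
* hard nofile 65535
* soft nproc 60000
* hard nproc 65535
#* soft memlock 33554432
#* hard memlock 33554432
EOF
fi
# nofile must be tuned to the host; 65535 is an example, not the ceiling.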
4、内核参数优化
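# 4. Kernel parameter tuning. The marker comment doubles as an idempotency
# guard so the stanza is appended only once.
# Notes on individual keys:
#  - net.ipv4.tcp_tw_recycle breaks clients behind NAT (per-IP timestamp
#    checks) and was removed in Linux 4.12, where `sysctl -p` reports it as an
#    unknown key; it is left commented out below.
#  - net.ipv4.ip_forward = 1 turns the host into a router; it is needed only
#    for the DNAT rule in the iptables template, otherwise keep it at 0.
#  - tcp_syn_retries / tcp_synack_retries = 1 give up on a handshake after a
#    single retransmit; lossy links may want the defaults.
sysctl_conf=/etc/sysctl.conf
if ! grep -qF -- '############add#################' "$sysctl_conf"; then
cat >>"$sysctl_conf" <<EOF
############add#################
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.ip_forward = 1
net.ipv4.route.gc_timeout = 20
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
# tcp_tw_recycle: harmful behind NAT, removed in Linux 4.12
#net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
#vm.swappiness = 0
fs.file-max = 6553560
EOF
fi
/sbin/sysctl -p
# Pick the keys that fit the host rather than applying all of them.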
5、iptables模板
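# 5. iptables template (CentOS 6 / iptables-services style: ACCEPT policies with
# a trailing REJECT rule). Between the flush and that last rule the host is
# open, and if any line in between fails the host stays open — run it as a
# whole and check the result with `iptables -L -n -v`.
admin_host=10.145.254.14     # only this address may open new SSH sessions
dnat_target=192.168.1.115    # port 80 is forwarded here; needs net.ipv4.ip_forward=1
iptables -F
iptables -X
iptables -Z
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Source-port range now ends at 65535: section 4 sets ip_local_port_range to
# 1024-65535, and the original 1024:65534 rejected a client that drew 65535.
iptables -A INPUT -p tcp -m state --state NEW -s "$admin_host" --sport 1024:65535 --dport 22 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination "$dnat_target:80"
# The DNAT above is dead without these two rules: the trailing FORWARD REJECT
# would answer every forwarded packet with icmp-host-prohibited.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -d "$dnat_target" --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
/etc/init.d/iptables save
/etc/init.d/iptables restart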
6、释放内存
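# 6. Drop the page cache, dentries and inodes. drop_caches only discards clean
# pages, so dirty pages are flushed first — the note at the end of this section
# asks for several syncs, which the original code did not actually do.
sync; sync; sync
echo 3 > /proc/sys/vm/drop_caches # page cache + dentries/inodes
sync
echo 1 > /proc/sys/vm/drop_caches # page cache only (lighter variant; a no-op right after 3)
dmidecode | grep -A16 "Memory Device$" # one "Memory Device" stanza per DIMM slot
# Always sync repeatedly before dropping caches so dirty data reaches disk;
# otherwise writes still in memory can be lost.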
7、引用上一条命令的参数
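# 7. Reuse the last argument of the previous command. "!$" is history
# expansion, which bash enables only in interactive shells (in a script
# `vim !$` opens a file literally named "!$"); "$_" holds the previous
# command's last argument in scripts and interactive shells alike.
less /etc/hosts
vim -- "$_"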
8、通过中间主机连接不可达主机
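# 8. Reach a host that is only routable from an intermediate host.
# -J (ProxyJump, OpenSSH 7.3+) tunnels the session end to end: the jump host
# relays encrypted bytes and never handles the inner login.
ssh -J reachable_host unreachable_host
# Older clients (OpenSSH 5.4+) get the same tunnel with -W:
#   ssh -o ProxyCommand='ssh -W %h:%p reachable_host' unreachable_host
# The original form, `ssh -t reachable_host ssh unreachable_host`, runs the
# second ssh client on the jump host, so the jump host sees the inner session
# (including anything typed at a password prompt).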
9、获取IP地址
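# 9. Get the IPv4 address of an interface (default eth0; override with IFACE).
# The original relied on the old net-tools "inet addr:" output, which newer
# ifconfig no longer prints, and its second variant only worked because the
# shell stripped the quotes from -F[:""]+ and left -F[:]+.
iface=${IFACE:-eth0}

# Extract the address from `ip -4 -o addr` lines ("N: IFACE inet A.B.C.D/NN ...")
# on stdin; prints the first match without the prefix length.
first_inet4() {
  awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Print the first IPv4 address of interface $1 using iproute2.
primary_ipv4() {
  ip -4 -o addr show dev "$1" 2>/dev/null | first_inet4
}

primary_ipv4 "$iface"
# Fallback for hosts with only old net-tools (ifconfig printing "inet addr:"):
ifconfig "$iface" 2>/dev/null | awk '/inet addr:/ { sub(/^.*addr:/, ""); sub(/ .*$/, ""); print; exit }'
# Change the interface name to the one the server actually uses; cloud hosts are usually eth*.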
10、网络连接状态统计
# 10. Count TCP sockets per connection state (LISTEN, ESTABLISHED, TIME_WAIT, ...).
# `netstat -an` lists every socket; only lines starting with "tcp" (tcp and
# tcp6) are counted, keyed on the last field, which is the state column. Hosts
# without net-tools can use `ss -tan` instead (state names are shorter there).
netstat -an | awk '/^tcp/ { ++by_state[$NF] } END { for (st in by_state) print st, by_state[st] }'