CentOS6标准流程

centos 6 mini安装(内容极其精简)
红帽官方中文文档
http://docs.redhat.com/docs/zh-CN/Red_Hat_Enterprise_Linux/index.html

默认邮件服务器就是postfix
升级系统
# yum update

精简服务
chkconfig ip6tables off
chkconfig iscsi off
chkconfig iscsid off
chkconfig netfs off
chkconfig auditd off
chkconfig nfslock off
chkconfig rpcgssd off
chkconfig rpcbind off
chkconfig rpcidmapd off
chkconfig lvm2-monitor off
chkconfig lldpad off

安装基本配置程序(cronie 用于安装 Cron)
# yum install -y setuptool ntsysv system-config-firewall-tui system-config-network-tui cronie wget vim unzip openssh-clients screen rsync ftp telnet

记录每次bash命令的执行时间
vi /etc/profile
加入(centos6最好加到第54行)
HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "
export HISTTIMEFORMAT

安全配置
禁用selinux
编辑# vi /etc/selinux/config
SELINUX=disabled

su加固
编辑配置文件
# vi /etc/pam.d/su
大约第六行去掉#
#auth required pam_wheel.so use_uid
运行
# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs

设置可以su的用户到wheel组
# useradd -G wheel yezhiqiu
# passwd yezhiqiu

SSH部分
# vim /etc/ssh/sshd_config
修改端口号
大约第13行
Port 58022
不允许用root进行登录
大约第42行
PermitRootLogin no
不允许空密码登录
大约第65行
PermitEmptyPasswords no
禁用DNS
大约第81行
GSSAPIAuthentication no
大约第122行
UseDNS no

最后一行只允许指定用户登录ssh
AllowUsers yezhiqiu
编辑防火墙文件
# vi /etc/sysconfig/iptables
加入(放行上面改过的 SSH 端口 58022,否则重启 iptables 后将无法通过新端口连接)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 58022 -j ACCEPT
重启服务
# /etc/init.d/sshd restart
# /etc/init.d/iptables restart

添加监控宝的snmpd监控
# yum -y install net-snmp
# vi /etc/snmp/snmpd.conf
# ——添加监控宝账号——
rocommunity jiankongbao 60.195.249.83
rocommunity jiankongbao 60.195.252.107
rocommunity jiankongbao 60.195.252.110
重启服务
# /etc/init.d/snmpd start
# chkconfig snmpd on
修改防火墙配置
# vi /etc/sysconfig/iptables
# ——添加防火墙规则——
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
重启防火墙
# /etc/init.d/iptables restart

校时
# yum install -y ntp
# /usr/sbin/ntpdate 210.72.145.44
# /sbin/hwclock --systohc
加入定时校时任务
# crontab -e
5 */6 * * * /usr/sbin/ntpdate 210.72.145.44 > /dev/null 2>&1

有些机房禁用 UDP,此时可以改用 rdate 校时
# yum install -y rdate
5 */6 * * * /usr/bin/rdate -s stdtime.gov.hk > /dev/null 2>&1

安装第三方软件仓库
EPEL
# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm
修改为 enabled = 0,即默认不启用该仓库,需要时再通过 --enablerepo 临时启用
# vim /etc/yum.repos.d/epel.repo
# yum --enablerepo=epel -y install htop pbzip2

rpmforge逐步淘汰不用
# wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
# rpm -ivh rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
修改为 enabled = 0,即默认不启用该仓库,需要时再通过 --enablerepo 临时启用
# vim /etc/yum.repos.d/rpmforge.repo
# yum --enablerepo=rpmforge -y install htop unrar axel

优化Linux内核参数
# vi /etc/sysctl.conf
在末尾增加以下内容:
引用
# Add
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768

net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2

net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800

#net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 1024 65535

目前可以确定的是(注意:下面这组参数中的 ip_local_port_range、rmem/wmem 与上面的取值不同,sysctl.conf 中后出现的设置会覆盖先出现的,应只保留一组)
#######
fs.aio-max-nr = 1048576
fs.file-max = 6815744
kernel.shmall = 2097152
kernel.shmmax = 536870912
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
net.ipv4.ip_local_port_range = 9000 65500
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 1048586
#######
使配置立即生效:
/sbin/sysctl -p

调整ulimit
# vi /etc/security/limits.conf
在文件末加上:
* soft nofile 65535
* hard nofile 65535
# vi /etc/security/limits.d/90-nproc.conf
把
* soft nproc 1024
改为
* soft nproc 65535

设置logwatch发给指定邮箱
# yum install logwatch -y
# echo "MailTo = yezhiqiu.cn@gmail.com" >>/etc/logwatch/conf/logwatch.conf
添加
MailTo = yezhiqiu.cn@gmail.com
如需去掉对 httpd 的日志分析,在 /usr/share/logwatch/default.conf/logwatch.conf 大约第86行加入
Service = "-http"

如果需要自己编译软件
# yum install gcc gcc-c++ make automake autoconf patch

LAMP服务器做如下步骤:
# yum --enablerepo=epel install cronolog
# yum install httpd mysql-server
# yum install postgresql-devel mysql-devel httpd-devel openssl-devel libxml2-devel zlib-devel curl-devel libmcrypt-devel mhash-devel libjpeg-devel libpng-devel gd-devel freetype-devel libtool-ltdl-devel
# yum install libevent-devel libc-client-devel readline-devel
# yum install libXpm-devel libxslt-devel krb5-devel net-snmp-devel
# cd /usr/lib64
# ln -s /usr/lib64/mysql/libmysqlclient.so
# yum install php53 php53-gd php53-devel php53-mbstring php53-mysql php53-xml php53-xmlrpc

附:
硬件检测:
# wget http://aspersa.googlecode.com/svn/trunk/summary
# chmod +x summary
# ./summary

CentOS升级流程:
yum clean all
yum update glibc\* -y
yum update yum\* rpm\* pyth\* -y
yum clean all
yum update mkinitrd nash -y
yum update selinux\* -y
yum update -y
shutdown -r now

安装常用附加软件
# yum install screen sysstat iptraf
iptraf :CLI 流量监控软件
screen:远程会话管理
sysstat:系统性能分析工具包

磁盘IO测试
yum --enablerepo=rpmforge install iozone

去掉atime提高文件系统性能:
可以在 /etc/fstab 的挂载选项中增加 noatime,nodiratime 参数
降低文件系统权限
同样在 /etc/fstab 的挂载选项中增加 nosuid,noexec,nodev 参数

杀毒软件
# yum --enablerepo=epel install clamd
升级病毒库
# freshclam --verbose
# clamscan -i -r /dir
备选库
http://rpms.famillecollet.com/
可用于在 centos5 等低版本中安装 php-fpm 等软件
