Entry-point security hardening
SSH configuration hardening
Before making changes, back up /etc/ssh/sshd_config (for example to /etc/ssh/sshd_config.old). The main parameters to tune are:
Port 12011
PermitRootLogin no
UseDNS no
# prevent SSH client timeouts
ClientAliveInterval 30
ClientAliveCountMax 99
GSSAPIAuthentication no
The goals are to change the remote SSH port, disable remote root login (local root login still works), disable DNS lookups, prevent SSH session timeouts, and fix slow SSH logins. Key-based login can of course be enabled as well, depending on company requirements.
Note: the changes take effect only after sshd is restarted, and iptables must allow the new SSH port.
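As an added example (not code from the original post), the following POSIX shell audit checks an sshd_config against the settings above while applying sshd's own parsing rules: keywords are case-insensitive, the first value seen for a keyword wins, and global settings end at the first Match block, so a hardened line appended below an older setting or below a Match block never takes effect. The sample config file and its path are constructed for the example.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the recommended settings.
# sshd uses the FIRST value it sees for a keyword, stops reading global
# settings at the first "Match" block, and compares keywords case-insensitively.

# sshd_effective FILE KEYWORD -> prints the value sshd would use, or nothing
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }                 # global section ends here
        /^[[:space:]]*#/ || NF < 2 { next }             # comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1"
}

# audit_sshd FILE -> prints one FAIL line per deviation; returns 1 if any
audit_sshd() {
    rc=0
    for rule in "PermitRootLogin no" "UseDNS no" "GSSAPIAuthentication no" \
                "ClientAliveInterval 30" "Port 12011"; do
        key=${rule%% *}; want=${rule#* }
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective='${got:-<default>}' expected='$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: hardened lines were appended at the end, below an older
# "permitrootlogin yes" and a Match block, so only some of them actually apply.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# sample sshd_config (constructed for this example)
Port 12011
permitrootlogin yes
UseDNS no
Match User backup
    PasswordAuthentication no
PermitRootLogin no
GSSAPIAuthentication no
EOF

if audit_sshd "$SAMPLE"; then echo "sshd_config OK"; else echo "sshd_config needs attention"; fi
```

Run it against /etc/ssh/sshd_config after editing; an empty effective value means sshd will fall back to its compiled-in default for that keyword.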
iptables hardening
Principle: allow only the ports that are actually used; block everything else.
A simple example: treat every service, such as MySQL on 3306, the same way. Deny remote access by default; where it is genuinely necessary, allow only a designated source IP, or connect through a VPN and then a jump host; never expose the service directly to the public internet. If you have your own public or fixed IP, it is better still to allow SSH or the specific service port only from that IP.
User privileges and system security hardening
Adding non-root users and controlling sudo privileges
Locking user configuration files
Service control
By default, stop every unrelated service and disable it with chkconfig xxx off, keeping only the services that are needed. Images supplied by cloud providers are usually already tuned this way. On a self-installed VM or a colocated machine, tune it yourself: keep only essential services such as network, sshd, iptables, crond and rsyslog, and turn off the unimportant ones.
Kernel parameter tuning
Process-level and system-level file-handle limits
By default ulimit -n shows 1024. On a system that opens a very large number of files you will hit errors such as:
localhost kernel: VFS: file-max limit 65535 reached or too many open files. They mean the number of open file handles has exceeded the system limit and the limits need tuning.
The process-level limits are set in the following file:
vim /etc/security/limits.conf
# End of file
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
Log out of the current terminal and log back in; ulimit -n now shows 65535. Also note that process-level tuning requires editing one more file:
/etc/security/limits.d/90-nproc.conf, which also affects these parameters. The limits of a particular process can be inspected with cat /proc/pid/limits. Recommended settings for this file:
[root@21yunwei 9001]# cat /etc/security/limits.d/90-nproc.conf
* soft nproc 65535
root soft nproc unlimited
System-level file-handle tuning
Edit /etc/sysctl.conf and add the following parameter:
fs.file-max=65535
Kernel parameter tuning (this part is very important). The file to edit is /etc/sysctl.conf; append the tuning parameters at the end:
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.conf.lo.arp_announce=2
net.ipv4.tcp_synack_retries = 2
# Number of SYN+ACK packets the kernel sends before giving up on the connection.
net.ipv4.tcp_syn_retries = 1
# Number of SYN packets the kernel sends before giving up on establishing a connection.
net.ipv4.tcp_max_syn_backlog = 262144
# Maximum length of the queue of SYN requests during the TCP three-way handshake (default 1024). Raising it means that when Nginx is too busy to accept new connections in time, Linux does not drop the clients' connection requests.
After setting these, run sysctl -p so the new kernel parameters take effect. Tuning these kernel parameters is very effective for both system security and high concurrency (it resolves the inaccessibility caused by large numbers of TIME_WAIT connections, the system file-handle limit being exceeded, and so on).
net.ipv4.tcp_timestamps = 1 # Enable TCP timestamps, used together with TCP connection reuse. If other machines on the LAN cannot connect to the server because their timestamps differ, this parameter may be the cause. Note: Alibaba Cloud's SLB strips tcp_timestamps.
net.ipv4.tcp_tw_recycle = 1 # Enable fast recycling of TIME_WAIT sockets. (Removed in Linux 4.12; combined with tcp_timestamps it drops connections from clients behind NAT.)
net.ipv4.tcp_max_tw_buckets = 6000 # Maximum number of TIME_WAIT sockets held at once; default 180000. Too many TIME_WAIT sockets slow the web server down. (The original comment's "set to 1 to allow reusing TIME_WAIT sockets for new TCP connections" describes tcp_tw_reuse, not this parameter.)
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1 # When the server actively closes a connection, how long the socket stays in FIN-WAIT-2; default 60 seconds.
net.ipv4.tcp_keepalive_time = 600 # When keepalive is enabled, the interval at which TCP sends keepalive probes; default 2 hours. Setting it to 10 minutes cleans up dead connections faster.
net.ipv4.ip_local_port_range = 1024 65000 # Range of local ports used for UDP and TCP connections.
fs.file-max=65535 # Maximum number of file handles that can be opened.