CentOS 7 系统架构部署规范

分区规范

/boot 2GB # 考虑可能升级内核
/swap ?GB # 生产环境中交换分区的大小一般取决于服务器物理内存的大小,如果物理内存小于4GB通常建议为物理内存的2倍,如果物理内存大于4GB小于16GB,通常设置为物理内存的大小,物理内存大于16GB,建议为物理内存的一半
/ # 剩余空间

更改主机名

[root@localhost ~]# hostnamectl set-hostname  unicom-centos7-shanghai-area0

关闭防火墙及SELINUX (注意: 这两步都会降低主机自身的防护, 生产环境中若主机直接对外提供服务, 更稳妥的做法是用 firewalld 只放行所需端口, 而不是整体关闭)

[root@unicom-centos7-shanghai-area0  ~]#  sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@unicom-centos7-shanghai-area0  ~]#  systemctl stop firewalld && systemctl disable firewalld
[root@unicom-centos7-shanghai-area0  ~]#  setenforce 0
[root@unicom-centos7-shanghai-area0  ~]#  reboot

安装常用工具

[root@unicom-centos7-shanghai-area0  ~]#  yum install epel-release -y # 安装epel扩展源支持
[root@unicom-centos7-shanghai-area0  ~]#  yum install  -y lrzsz unzip zip nmap net-tools vim wget git ntp net-snmp net-snmp-utils telnet iftop tcpdump rsync screen gcc gcc-c++ groupinstall "Development Tools"  *ltdl* bash-completion nfs-utils psmisc  openssh-clients vsftpd ftp yum-utils rsync  bzip2 perf smartmontools nethogs java-1.8.0-openjdk.x86_64 e2fsprogs.x86_64 e2fsprogs-devel.x86_64 e2fsprogs-libs.x86_64 xfsdump tree extundelete telnet-server.x86_64 telnet.x86_64 zlib* xinetd ansible expect openssl-devel lsof bind-utils fio logrotate python-pip zlib-devel bzip2-devel  ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel gcc kernel-devel kernel-headers make htop libffi-devel python-devel libffi libffi-devel # 注意: groupinstall "Development Tools" 不是 yum install 的包名, 需单独执行 yum groupinstall "Development Tools"; telnet-server、vsftpd 属于明文协议服务, 建议仅在确有需要的主机上安装

更换阿里源

[root@unicom-centos7-shanghai-area0  ~]#  mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
[root@unicom-centos7-shanghai-area0  ~]#  wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo # 下载新的CentOS-Base.repo 到/etc/yum.repos.d/ (repo 文件决定后续所有软件包的来源, 建议改用 https 下载, 并确认文件中的 gpgcheck=1 未被关闭)
[root@unicom-centos7-shanghai-area0  ~]# yum makecache

更改网卡名称

[root@unicom-centos7-shanghai-area0  ~]#  vim /etc/sysconfig/network-scripts/ifcfg-ens33
[root@unicom-centos7-shanghai-area0  ~]#  mv  /etc/sysconfig/network-scripts/ifcfg-ens33  /etc/sysconfig/network-scripts/ifcfg-eth0
[root@unicom-centos7-shanghai-area0  ~]#  vim /etc/default/grub  # 禁用该可预测命名规则, 通过把 "net.ifnames=0 biosdevname=0" 内核参数追加到 GRUB_CMDLINE_LINUX 变量来实现
[root@unicom-centos7-shanghai-area0  ~]#  grub2-mkconfig -o /boot/grub2/grub.cfg # 新生成GRUB配置并更新内核参数
[root@unicom-centos7-shanghai-area0  ~]#  reboot

配置ssh登录显示Banner信息 (/etc/motd 在认证成功后才显示; 如需在认证前显示警示信息, 需在 sshd_config 中设置 Banner 指向的文件)

[root@unicom-centos7-shanghai-area0  ~]#  vim /etc/motd
Authorized only. All activity will be monitored and reported.

添加用户并赋予管理员权限 (注意: 下面为 ponfey 写了两条规则, sudo 以最后一条匹配规则为准, 因此末尾的 NOPASSWD 规则生效, 该用户无需密码即可以 root 执行任意命令, 按需只保留其一)

[root@unicom-centos7-shanghai-area0  ~]#  useradd ponfey
[root@unicom-centos7-shanghai-area0  ~]#  passwd  ponfey
[root@unicom-centos7-shanghai-area0  ~]#  chmod -v u+w /etc/sudoers # 将sudoers文件的权限修改成可编辑 (更稳妥的方式是直接使用 visudo, 它会在保存前检查语法, 避免 sudoers 写错后 sudo 完全不可用)
## [root@unicom-centos7-shanghai-area0  ~]#  vim /etc/sudoers
## Allow root to run any commands anywhere 
root    ALL=(ALL)       ALL
ponfey     ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
ponfey        ALL=(ALL)       NOPASSWD: ALL

[root@unicom-centos7-shanghai-area0  ~]#  chmod -v u-w /etc/sudoers # 将写权限收回

优化 (修改 sshd_config 后需执行 systemctl restart sshd 才生效)

[root@unicom-centos7-shanghai-area0  ~]#  sed -i 's%#UseDNS yes%UseDNS no%' /etc/ssh/sshd_config
[root@unicom-centos7-shanghai-area0  ~]#  sed -i 's%GSSAPIAuthentication yes%GSSAPIAuthentication no%' /etc/ssh/sshd_config
[root@unicom-centos7-shanghai-area0  ~]#  sed -i 's%#PermitEmptyPasswords no%PermitEmptyPasswords no%' /etc/ssh/sshd_config 

开启NTP时间同步:

[root@unicom-centos7-shanghai-area0  ~]#  systemctl enable ntpd && systemctl start ntpd
[root@unicom-centos7-shanghai-area0  ~]#  ntpdate -u ntp1.aliyun.com

history添加具体用户-IP-操作时间

[root@unicom-centos7-shanghai-area0 ~]# vi /etc/profile

USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`
export HISTTIMEFORMAT="[%F %T][`whoami`][${USER_IP}] "
[root@unicom-centos7-shanghai-area0  ~]# source /etc/profile

配置主机时间、时区、系统语言

[root@localhost ~]# ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

安装 zabbix-agent 客户端,并配置混杂监听模式,客户端指向服务端

[root@unicom-centos7-shanghai-area0  ~]# rpm -ivh http://repo.zabbix.com/zabbix/4.5/rhel/7/x86_64/zabbix-release-4.5-1.el7.noarch.rpm # 建议改用 https 下载, 并在安装前导入并核对 Zabbix 官方 GPG 签名, 否则 rpm 只会给出 NOKEY 警告而照常安装
[root@unicom-centos7-shanghai-area0  ~]# yum install -y zabbix-agent
[root@unicom-centos7-shanghai-area0  ~]# systemctl enable zabbix-agent
[root@unicom-centos7-shanghai-area0  ~]# systemctl restart zabbix-agent

修改文件描述符及内核参数 (注意: sysctl.conf 不支持行尾 `#` 注释, 下面各行的中文说明在写入实际文件时必须单独成行, 否则参数值会带上注释而无法生效)

[root@unicom-centos7-shanghai-area0  ~]# echo "* - nofile 65535">>/etc/security/limits.conf
[root@unicom-centos7-shanghai-area0  ~]# ulimit -n # 修改完成退出,重新登录使其生效
[root@unicom-centos7-shanghai-area0  ~]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
net.ipv4.tcp_fin_timeout = 30 # 如果套接字由本端要求关闭,这个参数决定了它保持在FIN-WAIT-2状态的时间
net.ipv4.tcp_keepalive_time = 1200 # 表示当keepalive起用的时候,TCP发送keepalive消息的频度。缺省是2小时,改为20分钟
net.ipv4.tcp_syncookies = 1 # 表示开启SYN Cookies。当出现SYN等待队列溢出时,启用cookies来处理,可防范少量SYN攻击,默认为0,表示关闭
net.ipv4.tcp_tw_reuse = 1 # 表示开启重用。允许将TIME-WAIT sockets重新用于新的TCP连接,默认为0,表示关闭
net.ipv4.tcp_tw_recycle = 1 # 表示开启TCP连接中TIME-WAIT sockets的快速回收,默认为0,表示关闭。注意: 该参数基于 TCP 时间戳判断, 会导致经同一 NAT 出口的多个客户端连接被丢弃, 内核 4.12 起已移除, 生产环境通常建议保持为 0
net.ipv4.ip_local_port_range = 1024    65000 # 表示用于向外连接的端口范围。缺省情况下很小:32768到61000,改为1024到65000
net.ipv4.tcp_max_syn_backlog = 8192 # 表示SYN队列的长度,默认为1024,加大队列长度为8192,可以容纳更多等待连接的网络连接数
net.ipv4.tcp_max_tw_buckets = 5000 # 表示系统同时保持TIME_WAIT套接字的最大数量,如果超过这个数字,TIME_WAIT套接字将立刻被清除并打印警告信息。默认为180000,改为5000。对于Apache、Nginx等服务器,上几行的参数可以很好地减少TIME_WAIT套接字数量,但是对于Squid,效果却不大。此项参数可以控制TIME_WAIT套接字的最大数量,避免Squid服务器被大量的TIME_WAIT套接字拖死
net.ipv4.route.gc_timeout = 100 # 路由缓存刷新频率, 当一个路由失败后多长时间跳到另一个默认是300
net.ipv4.tcp_syn_retries = 1 # 对于一个新建连接,内核要发送多少个 SYN 连接请求才决定放弃。不应该大于255,默认值是5,对应于180秒左右
net.ipv4.tcp_synack_retries = 1
vm.swappiness = 0  # 不代表禁用swap分区,只是告诉内核,能少用到swap分区就尽量少用到,设置vm.swappiness=100,则表示尽量使用swap分区,默认的值是60 

*登录超时退出 (TMOUT 可被用户在会话中自行覆盖或取消; 如需强制生效, 需在导出后再执行 readonly TMOUT)

[root@unicom-centos7-shanghai-area0  ~]# echo "export TMOUT=300">>/etc/profile
[root@unicom-centos7-shanghai-area0  ~]# source /etc/profile

*ssh登录显示服务器信息

[root@unicom-centos7-shanghai-area0  ~]#  cat /etc/ssh/sshrc 
lvse="\033[37m"
zise="\033[37m"
end="\033[0m"
dmidestatus=$(rpm -qa | grep dmidecode | wc -l)
totalmemkb=$(cat /proc/meminfo | grep "MemTotal" | awk '{print $2}')
echo -e "                   "${zise}"System Date: "${end}${lvse}$(date +"%F %T")${end}
echo -e "                   "${zise}"System Name: "${end}${lvse}$([ -f /etc/redhat-release ] && cat /etc/redhat-release || uname -o)${end}
echo -e "                "${zise}"System Machine: "${end}${lvse}$(uname -m)${end}
echo -e "                 "${zise}"System uptime: "${end}${lvse}$(uptime)${end}
if [ $dmidestatus -eq 1 ];then echo -e "                "${zise}"System Product: "${end}${lvse}$(dmidecode -s system-product-name) ${end};fi
if [ $dmidestatus -eq 1 ];then echo -e "                 "${zise}"System Serial: "${end}${lvse}$(dmidecode -s system-serial-number) ${end};fi
echo -e "                    "${zise}"Login User: "${end}${lvse}$(whoami)${end}
echo -e "                      "${zise}"Login IP: "${end}${lvse}$(w | grep pts | head -n 1 | awk '{print $3}')${end}
echo -e "                           "${zise}"CPU: "${end}${lvse}$(cat /proc/cpuinfo | grep "model name" | tail -n 1 | awk -F ":" '{print $2}' | sed '
s/           / /g')
echo -e "                      "${zise}"CPU Core: "${end}${lvse}$(cat /proc/cpuinfo | grep "model name" | wc -l)${end}
echo -e "                     "${zise}"CPU Count: "${end}${lvse}$(cat /proc/cpuinfo | grep "physical id" | sort -u | wc -l)${end}
echo -e "                        "${zise}"Memory: "${end}${lvse}$((totalmemkb/1000000))" GB"${end}
echo -e "                     "${zise}"Interface: "${end}${lvse} $(ip addr show | grep inet | egrep -v "lo$|:" |  awk '{print $NF,": " $2}')${end}

*部署JDK8 ( java-1.8.0-openjdk.x86_64 二选一)

[root@unicom-centos7-shanghai-area0 packages]#  rz 
[root@unicom-centos7-shanghai-area0 packages]# tar zxvf jdk-8u181-linux-x64.tar.gz
[root@unicom-centos7-shanghai-area0 packages]# mv jdk1.8.0_181/ /usr/local/
[root@unicom-centos7-shanghai-area0 packages]# echo 'export JAVA_HOME=/usr/local/jdk1.8.0_181'>>/etc/profile
[root@unicom-centos7-shanghai-area0 packages]# echo 'export CLASSPATH=.:$JAVA_HOME/jre/lib/rt.jar:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar'>>/etc/profile
[root@unicom-centos7-shanghai-area0 packages]# echo 'export PATH=$PATH:$JAVA_HOME/bin'>>/etc/profile
[root@unicom-centos7-shanghai-area0 packages]# source /etc/profile
[root@unicom-centos7-shanghai-area0 packages]# java -version