Ubuntu 10.04 (Lucid) + Apache + MySQL + PHP 部署与加固

基础配置

软件源

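# Use the installation ISO as a local, loop-mounted APT repository.
# NOTE(review): Ubuntu 10.04 (lucid) is long past end of life and the ISO is a
# frozen snapshot, so a host whose ONLY source is this ISO never receives
# security updates. Treat it as a bootstrap source and point sources.list at a
# maintained (or internally mirrored) repository as soon as network access exists.
mkdir -p /media/apt

# Mount read-only here too, so the first boot behaves exactly like the fstab
# entry below (the original mounted rw now and ro after reboot).
# Skip the mount when the script is re-run and the ISO is already mounted.
mountpoint -q /media/apt || mount -o loop,ro /data/ubuntu-10.04-server-amd64.iso /media/apt

# Persist the mount; append only once so repeated runs do not duplicate the line.
grep -q '^/data/ubuntu-10.04-server-amd64.iso ' /etc/fstab || cat >> /etc/fstab <<EOF
# Mount the APT source to /media/apt.
/data/ubuntu-10.04-server-amd64.iso /media/apt iso9660 loop,ro 0 0
EOF

# Replace the default mirror list entirely: the ISO becomes the only source.
cat > /etc/apt/sources.list <<EOF
deb file:///media/apt lucid main restricted
EOF

apt-get update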

SSH

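# Disable reverse-DNS lookups on incoming connections (faster logins; the
# lookup result is only cosmetic in logs and is not a security control).
# sshd honours the FIRST occurrence of a directive, so blindly appending a line
# that already exists earlier in the file would be silently ignored: rewrite an
# existing (possibly commented) UseDNS line in place, append only if absent.
if grep -q '^[[:space:]]*#*[[:space:]]*UseDNS' /etc/ssh/sshd_config; then
    sed -i 's/^[[:space:]]*#*[[:space:]]*UseDNS.*/UseDNS no/' /etc/ssh/sshd_config
else
    cat >> /etc/ssh/sshd_config <<EOF
UseDNS no
EOF
fi

# NOTE(review): this is the only SSH change the page makes, yet port 22 is
# opened to every source by the ufw rules below. Consider PermitRootLogin no
# and PasswordAuthentication no once key-based access has been confirmed.

# Validate the configuration before restarting so a typo cannot leave the host
# without a working sshd and lock out the remote session.
/usr/sbin/sshd -t && service ssh restart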

安全加固

防火墙

# Host firewall: drop everything inbound by default and expose only SSH,
# HTTP and HTTPS. The allow rules are added BEFORE enabling so an existing
# SSH session is not cut off when the default-deny policy takes effect.
ufw default deny incoming
ufw default allow outgoing
# NOTE(review): 22/tcp is open to every source. Where possible restrict it to
# an admin network (ufw allow from <cidr> to any port 22 proto tcp) or use
# `ufw limit 22/tcp` to rate-limit brute-force attempts.
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
# When run over SSH, `ufw enable` may ask for confirmation; for unattended
# runs check whether this ufw release accepts `ufw --force enable`.
ufw enable

内核参数

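# Kernel tuning for a LAMP host.
# Written to a drop-in file instead of `cat > /etc/sysctl.conf`, which
# clobbered the whole file and silently discarded the distribution defaults
# and any earlier site settings.
# NOTE(review): confirm /etc/sysctl.d/*.conf is applied at boot on this
# release; the explicit `sysctl -p <file>` below covers the current boot.
SYSCTL_FILE=/etc/sysctl.d/60-lamp.conf
cat > "$SYSCTL_FILE" <<EOF
# ========== File handles & memory ==========
# System-wide maximum number of open file handles.
fs.file-max = 655350
# Always allow overcommit (malloc never fails for lack of commit). This does
# NOT prevent the OOM killer -- it makes the OOM killer the only recourse when
# memory really runs out. Kept because database workloads are commonly run
# this way; use 2 plus vm.overcommit_ratio for strict accounting.
vm.overcommit_memory = 1
# Prefer reclaiming page cache over swapping out process memory.
vm.swappiness = 10

# ========== Network / high concurrency ==========
# Maximum packets queued on an interface before the kernel processes them.
net.core.netdev_max_backlog = 65535
# Maximum listen() backlog per socket.
net.core.somaxconn = 65535
# Upper bound on TCP sockets not attached to any process.
net.ipv4.tcp_max_orphans = 655350
# Maximum socket receive/send buffer sizes.
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# Seconds of idleness before the first TCP keepalive probe.
net.ipv4.tcp_keepalive_time = 600
# TCP timestamps (RFC 1323); required for tcp_tw_reuse to work.
net.ipv4.tcp_timestamps = 1
# Reuse TIME_WAIT sockets for NEW OUTGOING connections when safe.
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle is deliberately OFF (the kernel default; set explicitly so it
# overrides any earlier setting). With timestamps enabled it drops SYNs from
# clients that share one public IP (NAT), i.e. it breaks connections for real
# users. The key was removed from the kernel in 4.12 -- drop this line there.
net.ipv4.tcp_tw_recycle = 0
# Seconds a socket stays in FIN_WAIT_2 before being torn down.
net.ipv4.tcp_fin_timeout = 30
# Cap on simultaneous TIME_WAIT sockets; excess ones are destroyed.
net.ipv4.tcp_max_tw_buckets = 60000
# Half-open connection (SYN) queue length.
net.ipv4.tcp_max_syn_backlog = 65535
# SYN cookies: keep accepting connections when the SYN queue overflows (SYN flood).
net.ipv4.tcp_syncookies = 1
# Ephemeral port range for outgoing connections.
net.ipv4.ip_local_port_range = 1024 65535

# ========== Basic network hardening ==========
# Standard host hardening that the original "security hardening" block lacked:
# ignore source-routed packets and ICMP redirects, never send redirects,
# enable reverse-path filtering against spoofed sources, log martians,
# and ignore broadcast pings / bogus ICMP errors.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Full address-space layout randomisation (2 = also randomise the heap/brk).
kernel.randomize_va_space = 2

# ========== MySQL ==========
# No pre-allocated hugetlbfs pages. NOTE: this is NOT transparent huge pages
# (THP); THP is controlled via /sys/kernel/mm/transparent_hugepage/enabled.
vm.nr_hugepages = 0
# Dirty-page writeback thresholds (% of memory): start background writeback
# at 10%, block writers at 20%. Unrelated to inactive-memory reclaim.
vm.dirty_ratio = 20
vm.dirty_background_ratio = 10
# Maximum number of memory map areas a process may have.
vm.max_map_count = 262144
# Memory (KiB) the kernel keeps free for atomic allocations.
vm.min_free_kbytes = 65536
EOF

# Apply now; the file is also picked up at boot (see note above).
sysctl -p "$SYSCTL_FILE"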

文件打开数

# Per-process limits applied by pam_limits at login: they take effect for NEW
# sessions, not the current shell, and nofile should stay below fs.file-max.
# NOTE(review): `*` does not match root, and raising the hard nproc limit for
# every account removes the fork-bomb ceiling -- narrow these lines to the
# service accounts that need them (e.g. mysql, www-data) where possible.
# The heredoc is appended unconditionally, so re-running the script
# duplicates the entries.
cat >> /etc/security/limits.conf <<EOF
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF

临时文件系统

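# Mount /tmp and /var/tmp as tmpfs with noexec/nosuid/nodev so files dropped
# there cannot be executed, carry setuid bits, or be device nodes.
# The original entries lacked nodev and had no size cap: with `defaults` a
# tmpfs may grow to half of RAM, so any local user writing to /tmp could
# exhaust memory. Sizes are adjustable for the host via the environment.
# NOTE(review): /var/tmp is meant to persist across reboots (FHS); putting it
# on tmpfs discards it at every boot -- acceptable only if nothing relies on it.
# noexec on /tmp is known to break some package maintainer scripts; these
# entries only take effect after a reboot (or an explicit mount), so the
# apt-get install that follows is unaffected, but re-test installs afterwards.
# Appended only once so re-running the script does not duplicate the entries.
TMP_SIZE="${TMP_SIZE:-512m}"
VAR_TMP_SIZE="${VAR_TMP_SIZE:-256m}"
grep -q '^tmpfs /tmp ' /etc/fstab || cat >> /etc/fstab <<EOF
# Temporary Filesystem Hardening
tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev,mode=1777,size=${TMP_SIZE} 0 0
tmpfs /var/tmp tmpfs defaults,noexec,nosuid,nodev,mode=1777,size=${VAR_TMP_SIZE} 0 0
EOF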

应用服务

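# Install Apache, MySQL and PHP from the local ISO source configured above.
# NOTE(review): mysql-server may prompt for a root password via debconf
# despite -y. After installation run mysql_secure_installation (remove the
# anonymous users and test database, disallow remote root) -- the page
# otherwise leaves the stock MySQL defaults in place.
apt-get install -y apache2 mysql-server php5 php5-mysql libapache2-mod-php5

# Silence the "Could not reliably determine the server's FQDN" warning.
cat >> /etc/apache2/apache2.conf <<EOF
ServerName localhost
EOF

# Reduce version disclosure: drop the version footer from error pages and
# trim the Server header to "Apache". These sed edits assume the stock
# /etc/apache2/conf.d/security layout (ServerSignature On, a commented
# ServerSignature Off, ServerTokens OS). This only hampers fingerprinting;
# it is not a substitute for patching.
sed -i '/ServerSignature On/d' /etc/apache2/conf.d/security
sed -i 's/#ServerSignature Off/ServerSignature Off/g' /etc/apache2/conf.d/security
sed -i '/#ServerTokens /d' /etc/apache2/conf.d/security
sed -i 's/ServerTokens OS/ServerTokens Prod/g' /etc/apache2/conf.d/security

# mod_php otherwise adds an "X-Powered-By: PHP/5.x" response header, which
# undoes the ServerTokens change above.
sed -i 's/^expose_php = On/expose_php = Off/' /etc/php5/apache2/php.ini

# Check the syntax first so a bad edit does not take the web server down.
apache2ctl configtest && /etc/init.d/apache2 restart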