Talking about the optimization and security of Linux system

As a system administrator, I will talk about Linux based on server application. Because Linux is not used on personal computers, it is better to pursue security. And stable, so friends who use PCs are only a reference.

The system mentioned in this article, if not specifically stated, uses redhat's redhat linux system.

About optimization

Speaking of optimization, in fact, the best optimization is to improve the hardware configuration, such as improving the computing power of the CPU and increasing the memory capacity. Personally, if you consider upgrading the hardware, It is recommended to increase the memory capacity first, because the general server application requires the highest memory consumption. Of course, this is a digression.

The first thing we discuss here is to optimize your system under the same hardware configuration (same server, no hardware upgrade).

As a system administrator, I think, first of all, we have to make a point: to do anything on the server, upgrade and modify any configuration files or software, you must first consider security, not the newer things. The better, this is why Linux management feels different from Windows. Windows first recommends everyone to use its latest version of software and operating system. In fact, I personally think this is a business behavior, as from the perspective of system management. This is very bad. Using new software and systems can bring new problems, some of which are even fatal.

Therefore, as a management, we should still consider the stable long-term use of the software version as our version, I will not say more about the specific benefits. I believe you should know as an administrator.

In fact, the most direct optimization of linux for personal use is to upgrade the kernel. The kernel compiled by itself is compiled according to its own system and will get the maximum performance and the smallest kernel.

But the server is not the same. Of course, we also hope that each server is a self-compiled kernel, efficient and sophisticated. But there is a gap between reality and desire. Imagine if you manage 100 Linux hosts, and each one may be configured differently, then a process of compiling the kernel will be a huge project, and from practical considerations, the workload It’s too big to imagine. I don't think you will be willing to do this kind of thing. Therefore, personal recommendation is to use the officially released kernel upgrade package is a good choice.

First of all, we will do a series of upgrades to the newly installed system, including software and kernel. This is a very important step. (For details, please visit my other article on upgrades.) ).

After upgrading all the software, after the basic firewall and configuration are done, we will optimize some details. If you are an old system, then do some of the problems. Be sure to back up all data to other media before operating and optimizing your system.

1. Virtual Memory Optimization

First check the usage of virtual memory, use the command:

# Free

View the current system memory usage.

Generally speaking, linux's physical memory is almost completely used. This is very different from windows. Its memory management mechanism makes full use of system memory. It is not the same as windows, no matter how much memory you have to use some virtual memory. This needs attention.

The default configuration of virtual memory under Linux is as follows:

#cat/proc/sys/vm/freepages

can be viewed, the three numbers displayed are current system: minimum memory blank page, lowest memory blank page and highest memory blank.

Note that the principle of using virtual memory in this system is to use disk swap space if the number of blank pages is lower than the highest blank page setting. When the minimum blank page setting is reached, use the memory swap (Note: This is what I have to look at some of the information, you need to observe it yourself, but this does not affect our configuration of new virtual memory parameters).

Memory is generally allocated in 4k bytes per page. The minimum memory blank page setting is twice the amount of memory in the system; the minimum memory blank page setting is 4 times the amount of memory; the highest memory blank page setting is 6 times the system memory. These values ​​are determined at system startup.

Generally speaking, in configuring the virtual memory configuration allocated by the system, I personally think that it is a better configuration to increase the maximum memory blank page. Take the 1G memory configuration as an example, the original configuration can be configured. The scale is modified to:

204840966444

Command by:

# echo"204840966444" /proc/sys /vm/freepages

Because the maximum blank page configuration is added, memory can be used more efficiently.

2, hard disk optimization

If you are a scsi hard disk or an ide array, you can skip this section. The parameter adjustments described in this section are only for the ide hard disk. Server.

We set up the IDE hard disk through the hdparm program, which can greatly improve system performance by using DMA and 32-bit transfer. Use the command as follows:

#/sbin/hdparm -c 1 /dev/hda

This command specifies the PCI bus of the first IDE hard disk as 32 bits. Use the -c 0 parameter to disable 32-bit transfers. Use DMA on the hard disk, use the command:

# /sbin/hdparm -d 1 /dev/hda

Turn off DMA can be used - The parameter of d 0 . After the change is complete, you can use hdparm to check the modified result, using the command:

# /sbin/hdparm -t /dev/had

To ensure that the results of the settings are unchanged, use the command:

# /sbin/hdparm -k 1 /dev/hda

Hdparm Some commonly used other parameter functions of the command:

-g Display the magnetic track, head, magnetic area and other parameters of the hard disk.

-i Displays the hardware specification information of the hard disk, which is provided by the hard disk itself at boot time.

-I Directly read the hardware specification information provided by the hard disk.

-pSet the PIO mode of the hard disk.

-T Evaluate the read efficiency of the hard disk and the read efficiency of the hard disk cache.

-u0 or 1 Allows other interrupts to be executed at the same time when the hard disk is accessed.

-v Displays the settings related to the hard disk.

On the Linux operating system optimization and security issues (3)

3, other optimization

do not need to shut down The service, about the system automatically started the service, there is a lot of information online, I will not go into details here.

About Security

1, Security Check

As a system administrator, it is important to have a comprehensive security check on the system regularly. Recently, some friends have come to write a letter saying that some inexplicable problems have arisen. For example, the biggest problem is that the network service is obviously feeling slow, which is very likely to be attacked. Practice has proved that, regardless of the system, the default installation is not safe. Actually, whether you use windows or linux, bsd or any other system, there are many loopholes in the default installation. How can you become a secure system? This is exactly what our system administrators need to do. Configure configuration and then configure. Any system, as long as careful configuration, blocking known vulnerabilities, it can be said that this system is safe, in fact, not many friends said, installed the system, configured the firewall, installed anti-virus software, then it is safe, in fact, If you don't make any security settings for the system, it's like opening a door to the hacker and you can control it in tens of minutes! This is not shocking.

As a Linux system, there are also many vulnerabilities. Black may use these vulnerabilities to control your entire system. To prevent these problems, we need to do the following steps:

1. Upgrade all software in the system. The latest version of the package;

2, set a stronger firewall;

3, regularly check the key record files, configure anti-virus software;

4, pay more attention to the release security The information warning website, mastering the characteristics of some of the latest viruses and hacking programs, is conducive to the normal operation of the system.

This article is mainly based on optimization. In order to cooperate with this topic, we only discuss some daily maintenance work in the security section. In addition to the four items listed above are the compulsory courses for administrators, it is also important to maintain the details of some Linux systems.

includes:

1. It is a very good practice to configure the log rotation tool and download the backup log regularly. This will not only reduce the log. The disk space consumed, improve system efficiency, and find problems in time. Some good system log analyzers under Linux can directly extract special items in the log, eliminating the trouble of reading logs.

2, use the commands lsof?Ci, netstat?Ca, ps?Ce, etc., periodically check the system service port monitoring, etc., or create a script that is executed regularly, and send these commands to the regular execution. In the mailbox.

3. Regularly check the history list of the root user, the last list, and whether the vipw user list is normal.

4, regularly back up files, you can use the tar command to back up very well, of course you need to download these backups and transfer media.

If you find any special situations or ports that you have never seen before, then you should pay enough attention and don't lose it because of smallness. The above is my understanding of the security and optimization of Linux system, I hope everyone can use linux safely and efficiently for your work and life.