添加服务器初始化基础规范

24a52c0a · Administrator · 54189759 · 24a52c0a
Commit 24a52c0a authored Sep 10, 2019 by Administrator
Show whitespace changes
Inline Side-by-side

Showing with 152 additions and 0 deletions

服务器初始化基础规范.md
+152 -0

No files found.
--- a/服务器初始化基础规范.md
+++ b/服务器初始化基础规范.md
+# 服务器初始化基础服务拟定方案
+# 服务器初始化基础服务拟定方案
+
+## 主机名更改 *
+比如某台机器的 ip 地址为 `192.168.0.101`，那么他的主机名为 `node101`
+主机名格式：node + ip地址后三位
+
+## 修改 DNS *
+
+```
+DNS1=180.76.76.76
+DNS2=119.29.29.29
+```
+
+## 安装基础应用软件包 *
+
+```
+yum -y install gcc gcc-c++ wget telnet net-tools bind-utils
+```
+
+
+## 内核版本 * （Centos7.X）
+
+```
+[nbzhiwei@node11 ~]$ uname -r
+4.19.12-1.el7.elrepo.x86_64
+```
+
+
+## 调整内核参数 *
+
+```
+# cat /etc/sysctl.conf
+net.core.default_qdisc=fq
+net.ipv4.tcp_congestion_control=bbr
+vm.max_map_count=262144
+net.ipv4.tcp_keepalive_time=600
+net.ipv4.tcp_keepalive_intvl=60
+net.ipv4.tcp_keepalive_probes=3
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_tw_reuse = 1
+net.ipv4.tcp_max_tw_buckets = 300
+net.ipv4.tcp_fin_timeout = 5
+net.ipv4.tcp_retries2 = 2
+net.ipv4.tcp_keepalive_intvl = 30
+net.ipv4.tcp_keepalive_probes = 2
+net.ipv4.tcp_keepalive_time = 60
+```
+
+## 修改服务器 ulimit 限制 *
+
+```
+cat /etc/security/limits.conf
+"nbzhiwei soft nofile 243000"
+"nbzhiwei hard nofile 243000"
+"nbzhiwei soft nproc  65535"
+"nbzhiwei hard nproc  65535"
+```
+
+
+## JDK 安装位置 *
+
+```
+/usr/local/jdk${version}
+```
+
+```
+[nbzhiwei@node11 ~]$ cat /etc/profile
+export JAVA_HOME=/usr/local/jdk1.8.0_191/
+export JRE_HOME=/usr/local/jdk1.8.0_191/jre
+export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$JRE_HOME/lib
+export PATH=$PATH:$JAVA_HOME/bin:$JRE_HOME/bin
+```
+
+## 安装 Python3.6 
+
+链接：[Install Python3.6.8 for Centos.7.X](http://joker.irybd.com/2019/09/06/1-1%E3%80%81%E5%AE%89%E8%A3%85-ython3-6-8-for-Centos-7-X/)
+
+## 优化 SSH 服务 *
+
+关闭 DNS 反向解析
+```
+# vi /etc/ssh/sshd_config
+UseDNS=no
+```
+
+关闭SERVER上的GSS认证
+
+```
+# vi /etc/ssh/sshd_config
+GSSAPIAuthentication no
+```
+
+打开SERVER上的IgnoreRhosts参数
+```
+# vi /etc/ssh/sshd_config
+IgnoreRhosts yes
+```
+
+## 添加 Fail2Ban 服务防止暴力破解 *
+
+Ansible Yaml 文件内容如下：
+```
+---
+- name: 安装万能源
+  become: yes
+  become_method: sudo
+  become_user: root
+  yum: name=epel-release state=present
+- name: 安装 Fail2Ban
+  become: yes
+  become_method: sudo
+  become_user: root
+  yum: name=fail2ban state=present
+- name: 配置 Fail2Ban sshd 服务
+  become: yes
+  become_method: sudo
+  become_user: root
+  template: src=jail.local.j2 dest=/etc/fail2ban/jail.local
+  notify: restart fail2ban
+- name: 开启 Fail2Ban 服务
+  become: yes
+  become_method: sudo
+  become_user: root
+  service: name=fail2ban state=started
+```
+
+
+
+## 服务器目录规划 *
+
+### 服务器磁盘分区规划
+```
+[nbzhiwei@node11 ~]$ df -h
+文件系统                 容量  已用  可用 已用% 挂载点
+devtmpfs                  32G     0   32G    0% /dev
+tmpfs                     32G     0   32G    0% /dev/shm
+tmpfs                     32G   18M   32G    1% /run
+tmpfs                     32G     0   32G    0% /sys/fs/cgroup
+/dev/mapper/centos-root  3.6T  210G  3.4T    6% /
+/dev/sda2                497M  170M  327M   35% /boot
+tmpfs                    6.3G     0  6.3G    0% /run/user/1000
+
+```
+
+### 服务器应用服务规划
+
+各类服务安装路径为 `/usr/local/服务名+版本号` , 权限设置为当前用户拥有或者使用 ACL 添加权限设置。
+日志路径为：安装目录下的 logs 目录
+数据路径为：安装目录下的 data 目录
+配置文件路径为： 安装目录下的 config 目录
+