Linux Server Security and Performance Optimization Guide

  1. Principle of Minimal Operation

1.1 Minimal System Installation

When installing the Linux operating system, select only the essential package groups:


base--------------------------basic environment
editors-----------------------editors
development librarys------development libraries
development tools---------development tools
x software development--graphical interface development
system tools----------------system tools

1.2 Minimize Enabled Services

Disable all services at runlevel 3 and enable only essential ones:

for i in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 3 $i off;done
for i in crond network syslog sshd;do chkconfig --level 3 $i on;done
Only keep: crond, network, syslog, sshd

1.3 Login Minimization Principle

Avoid logging in as root during daily operations. Use regular user accounts instead:

useradd  developer ; echo "P@ssw0rd123" | passwd --stdin developer
  1. SSH Service Hardening

Modify the SSH configuration file to enhance security:

vim /etc/ssh/sshd_config

#ListenAddress 0.0.0.0                 #listen on all interfaces
Port    52113                          #custom SSH port
PermitRootLogin    no                  #deny root login
PermitEmptyPasswords    no              #deny empty passwords
UseDNS    no                            #disable DNS lookup
GSSAPIAuthentication no                 #disable GSSAPI authentication
  1. Sudo Configuration

Sudo allows regular users to execute specific privileged commands without root password.

3.1 Configuration via visudo

When granting full root privileges to a user, they can switch to root using sudo su - without knowing the root password, only their own password.

3.2 Configuraton Syntax

visudo directly edits the configuration with syntax checking:

# User authorization format
Username    ALL=(ALL)             ALL
User        Host=(Target_Role)    Commands

# Group authorization (use % prefix)
%groupname  Host=(Target_Role)    Commands

3.3 Alias Definitions

Users/Groups Hosts Role Permissions Commands
Root ALL (ALL) ALL
User_Alias ADMIN=user1,user2 Host_Alias HOSTS=server1,server2 Runas_Alias RUNAS=root,oracle Cmnd_Alias CMDS=/sbin/*

3.4 Viewing Sudo Privileges

Users can check their sudo permistions:

sudo -l

3.5 Important Notes


a) Command aliases must use absolute paths
b) Alias names must contain uppercase letters, numbers, and underscores
c) Multiple members in an alias are separated by commas
d) Members must match their alias type (Host_Alias, User_Alias, Runas_Alias, Cmnd_Alias)
e) Each line represents one rule; use backslash for continuation
f) Runas target must be enclosed in parentheses; default is root
g) Use NOPASSWD: to execute without password
h) Use ! prefix to deny specific commands, placed after allowed commands
i) User groups must use % prefix
  1. User Session Timeout Configuration

echo "export TMOUT=300" >>/etc/profile        #timeout in seconds
echo "export HISTSIZE=10" >>/etc/profile       #command history count
history -c                                      #clear history
history -d 5                                    #delete specific entry
  1. System Locale Configuration

Recommended: Change to appropriate locale for your region

Source the profile to apply changes: source /etc/profile

  1. Time Synchronization

6.1 Manual Time Setting

date -s "2024/01/15"
hwclock --systohc
date +%F\ %T

6.2 NTP Date Synchronization

ntpdate pool.ntp.org

6.3 NTP Server Configuration

Install ntp package (usually pre-installed):

rpm -qa | grep ntp

Edit /etc/ntp.conf:

restrict 0.0.0.0 mask 0.0.0.0 nomodify notrap noquery
restrict 192.168.1.0 mask 255.255.255.0 nomodify
restrict 127.0.0.1
server 0.pool.ntp.org prefer
server 127.127.1.0 fudge
127.127.1.0 stratum 8
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys

Parameter Explanations:


restrict IP_address mask subnet parameters
- ignore: disable all NTP connections
- nomodify: client cannot change server time parameters
- notrust: client must be authenticated
- noquery: disable time queries

6.4 Automated Time Sync via Cron

echo "#time sync task" >> /var/spool/cron/root
echo "*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1" >> /var/spool/cron/root
  1. File Descriptor Limits

Edit /etc/security/limits.conf to permanently increase file descriptors:

vim /etc/security/limits.conf
#ulimit -n
#ulimit -a
# man limits.conf

Note: Adjust values based on actual needs. Logout and reconnect to apply changes.

  1. Kernel Parameter Tuning

Edit /etc/sysctl.conf:

net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384

sysctl -p    #apply changes
  1. Locking Critical System Files

chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
  1. Load Balancer Kernel Parameters

For LVS/HAProxy environments:

net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max = 25000000
  1. Web Server Kernel Optimization

For Nginx/Apache production servers:

net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768

net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1

net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_mem = 94500000 91500000 94371840
  1. CDN Cache Server Optimization

net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_max_tw_buckets = 1800000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_retries1 = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_synack_retries = 3
  1. Removing Login Banners

#Remove version information to prevent fingerprinting
cat /dev/null > /etc/issue           #local login banner
cat /dev/null > /etc/issue.net       #remote login banner
cat /dev/null > /etc/motd            #message of the day
  1. TCP Wrappers Configuration

Control access to services via /etc/hosts.allow and /etc/hosts.deny:

/etc/hosts.allow takes precedence over /etc/hosts.deny

Optional: Remove unnecessary system accounts

  1. Optimization Summary


1) Use regular users with sudo instead of root
2) Change default SSH port and disable root login
3) Configure automatic time synchronization
4) Use local yum mirrors for faster updates
5) Disable SELinux and iptables (configure later)
6) Increase file descriptor limits
7) Schedule cleanup of /var/spool/clientmqueue/
8) Minimize startup services
9) Tune kernel parameters
10) Configure locale (English recommended to avoid encoding issues)
11) Lock critical system files
12) Clear /etc/issue to hide system information
  1. Kernel Crash Recovery


1) Reinstall system without partitioning
2) Select old /boot, / and swap partitions, remount and format
3) After installation, remount data partitions
This preserves user data.
  1. CentOS 7 Optimization Checklist

Disable SELinux

sed -i 's#SELINUX=.*#SELINUX=disabled#g' /etc/selinux/config
setenforce 0
getenforce

Disable Firewalld

systemctl stop firewalld
systemctl disable firewalld

Configure Sudo for Regular User

useradd developer
echo "SecurePass456" | passwd --stdin developer
cp /etc/sudoers{,.backup}
echo "developer ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
visudo -c

Set Locale

cp /etc/locale.conf{,.backup}
echo 'LANG="en_US.UTF-8"' > /etc/locale.conf
source /etc/locale.conf

Time Synchronization

/usr/sbin/ntpdate ntp.aliyun.com
echo "*/5 * * * * /usr/sbin/ntpdate ntp.aliyun.com >/dev/null 2>&1" >> /var/spool/cron/root

Security Timeout Settings

echo 'export TMOUT=600' >> /etc/profile
echo 'export HISTSIZE=10' >> /etc/profile
echo 'export HISTFILESIZE=10' >> /etc/profile
source /etc/profile

Encrease File Descriptors

echo '* - nofile 65535' >> /etc/security/limits.conf
ulimit -SHn 65535

Kernel Tuning

net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384

iptables Tuning

net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.wmem_max = 16777216
net.core.rmem_max = 16777216

Install Essential Tools

yum install tree nmap dos2unix lrzsz nc lsof wget tcpdump htop iftop iotop sysstat nethogs -y
yum install psmisc net-tools bash-completion vim-enhanced -y

Harden SSH

cp /etc/ssh/sshd_config{,.backup}
sed -i 's/^#Port 22/Port 22222/' /etc/ssh/sshd_config
sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#PermitEmptyPasswords yes/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sed -i 's/^#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
sed -i 's/^GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config
systemctl restart sshd

Lock System Files

chattr +i /etc/passwd /etc/shadow /etc/group
chattr +i /etc/inittab /etc/fstab /etc/sudoers

Remove Login Banners

> /etc/issue.net
> /etc/issue

Remove Unnecessary Accounts

userdel -r adm
userdel -r lp
userdel -r games
userdel -r ftp
groupdel adm
groupdel lp
groupdel games
groupdel video
groupdel ftp

GRUB Password Protection

grub2-setpassword
cat /boot/grub2/user.cfg

Disable ICMP Ping

echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf
sysctl -p

Apply System Updates

yum update -y

Minimize Startup Services

systemctl list-unit-files | grep enabled | grep -vE "sshd.service|crond.service|sysstat|rsyslog|NetworkManager|irqbalance" | awk '{print "systemctl disable",$1}' | bash

Production Environment Principles


1) Minimal software packages
2) Minimal user permissions
3) Minimal file/directory permissions
4) Minimal startup services
5) Minimal service running users

Tags: Linux system-administration Security performance-optimization ssh

Posted on Wed, 08 Jul 2026 17:05:37 +0000 by jauson