How To Prepare a System for Production.
update 11/07/2001
By Colin A. Bitterfield
SUN Microsystems, Inc.
--------------------------------------------------------------------------------
A note on these recommendations: since Solaris 2.6 is end of life and Solaris 8 is currently the flagship OS, this article targets Solaris 8. Some of the tuning parameters listed did not exist in Solaris 2.6, and others are no longer an issue in 8.
Edit or Create the following Files:
a. /etc/default/login
+ CONSOLE=/dev/console (the + sign means add this line; it means root is only allowed to log in from the console)
+ PATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb:.
+ SUPATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb
+ SYSLOG_FAILED_LOGINS=3
b. /etc/default/su
+ PATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb
(Where is this variable used? Can someone explain?)
+ SUPATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb
(The PATH the system sets after the su command is used)
c. /etc/default/telnetd
+ BANNER=""
BANNER sets the welcome message shown when you log in via telnet; I suggest appending a \n to it.
d. /etc/default/ftpd
+ BANNER=""
See the explanation above.
e. /etc/default/inetinit
- TCP_STRONG_ISS=1
+ TCP_STRONG_ISS=2
(Don't know)
f. /etc/inetd.conf
See Example
http://colin.bitterfield.com/files/example_inetd_conf.txt
Please note that a router filter should be in place for not allowing REXEC type commands from outside the network.
(Comment out the rarely used services in this file; for details see an article by 蜘蛛.)
g. /etc/init.d/inetsvc
- /usr/sbin/inetd -s&
+ /usr/sbin/inetd -s -t&
(Start the inetd process in debug mode)
h. create file /etc/notrouter
# touch /etc/notrouter
Create the notrouter file to disable routing.
i. Modify /etc/init.d/inetinit (At end), set TCP tuning parameters.
Reference: This information is an excerpt/recommendation from SysAdmin magazine November 2000, "Securing Solaris" by Idu Dubrowsky.
Modify the /etc/init.d/inetinit file to set the TCP tuning parameters:
+/usr/sbin/ndd -set /dev/tcp tcp_mss_def_ipv4 846
+/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 150000
Reference: This information is an excerpt from "SUN Tuning and Performance" by Adrian Cockcroft and Richard Pettit second edition.
(use at own risk, these are some of my recommendations for web services based machine)
+/usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 60000
+/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 1024
Listen backlog queue (default is 128)
+/usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 32768
Transmit buffer size (I recommend setting it to the maximum, 65536)
+/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 32768
Receive window size (I recommend setting it to the maximum, 65536)
+/usr/sbin/ndd -set /dev/tcp tcp_slow_start_initial 2
Reference: This one is from a test I performed on moving small files via FTP. I saw a 500% improvement with this setting change.
+/usr/sbin/ndd -set /dev/tcp tcp_deferred_ack_interval 1
j. Modify /etc/system
Reference: This is the manual for all tuning parameters in Solaris 8. Do *not* make hundreds of changes because you think you need them. Please read the book by Adrian Cockcroft and Richard Pettit.
* Good Values to add from defaults
* This adjusts many other parameters that use this as a base for calculation
(Modify the /etc/system file; be sure to make a backup before editing this file.)
set maxusers=512
* This parameter allows more "telnet/pty" connections
* Note max_pty is no longer required to be set in Solaris 8. See the tuning manual.
* set the tcp hash size
(For the exact meaning of this parameter, see a post I made earlier.)
set tcp:tcp_conn_hash_size=8192
* Do not set this higher than the default unless you absolutely need to: rlim_fd_max
* Do not set this higher than the default unless you absolutely need to: rlim_fd_cur
* There are issues with the above parameters when they exceed 1024, which is the new default.
Below are some examples to add for various packages. Please note that the 2 examples below overlap with two different settings. If you need both on the same machine, choose the large value of the parameter.
* For Oracle
set shmsys:shminfo_shmmax=4294967295
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=100
set shmsys:shminfo_shmseg=10
set semsys:seminfo_semmni=100
set semsys:seminfo_semmsl=100
set semsys:seminfo_semmns=200
set semsys:seminfo_semopm=100
set semsys:seminfo_semvmx=32767
* The following lines are required for Exploring the GNOME Desktop (version 1.4)
set shmsys:shminfo_shmmax = 0x2000000
set shmsys:shminfo_shmmni = 0x1000
set shmsys:shminfo_shmseg = 0x100
* End of settings for Exploring the GNOME Desktop (version 1.4)
(I really don't know what these parameters mean exactly; could some expert explain?)
k. modify /etc/skel/local.profile
-PATH=/usr/bin:/usr/ucb:/etc:.
(This is the template file used when creating accounts; I don't know why he recommends deleting this line.)
l. modify /etc/profile
(At Beginning)
+LD_LIBRARY_PATH=/opt/sfw/lib:/usr/local/lib:/usr/lib:/usr/openwin/lib:/usr/dt/lib
(This line is important; many people post that gcc, make, etc. cannot be installed successfully, and such problems are related to this.)
+MANPATH=/opt/sfw/man:/usr/man:/usr/local/man:/usr/dt/man:/usr/openwin/man
Sets the man search path; /opt/sfw/man should be the path created by installing a CD released by Sun, which can be downloaded from the Sun website.
+CC=/opt/sfw/bin/gcc
+EDIT=vi
+export LD_LIBRARY_PATH MANPATH CC EDIT
Don't forget to export them after setting them.
(Later you may want to change the prompts to reflect relative path and hostname)
m. modify /etc/.login
(If you use any of the C shells)
n. Create /etc/issue
# banner "restricted" " system" "$HOSTNAME" > /etc/issue
# echo "To request access or report violations contact ###-###-####" >> /etc/issue
(For Instance)
Shows a welcome message at telnet login.
o. modify /etc/motd
Make sure to add a section on acceptable use of the system and a phone number to contact in case of issues.
No need to explain this one :)
p. Deactivate Sendmail
1. If not a mail server, mv /etc/rc2.d/S88sendmail to K88sendmail and make sure that mailhost resolves to the central mail server.
2. If a sendmail server, mv /etc/mail/main.cf to /etc/mail/sendmail.cf
(A quick way to become a sendmail server)
q. Deactivate LPD/LPR services
If not a print server, mv /etc/rc2.d/S80lp to K80lp and edit the /etc/inetd.conf and comment out the printer line.
r. Install OpenSSH
Install openssl package
Install openssh package
Use ssh-keygen to create the 3 host key files.
# ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
# ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""
# ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
create and install /etc/init.d/ssh.server script
s. A More Serious Lock Down
Disable all "R" commands in /etc/inetd.conf
Disable telnet services and only allow SSH
Disable ftp services
Remove almost everything from the inetd.conf
(Remove most services from inetd.conf, including the r commands, telnet, ftp, etc., keeping only ssh)
t. Notes on CDE desktops
Make sure to create the directories:
/etc/dt/config
/etc/dt/config/Xsession.d
You can place a ksh script into Xsession.d to set environment values. See the article on the environment manager.
I suggest not modifying the files under /usr/dt/config directly; instead, cp /usr/dt/config /etc/dt/config and then modify the relevant configuration files under /etc/dt/config/. If a modification goes wrong, delete it and copy again. For ordinary users, if CDE breaks, rm -r $HOME/.dt and rm .dt*.
u. Notes on /etc/skel
If you need to create a directory structure for each user when you create the accounts, create the directories and files here.
For instance: using profiles you can custom edit a file during the useradd process, i.e. a custom index.html for each new user.
./public_html
./projects
(The /etc/skel directory is a template directory used by the useradd command; when the -m option is used, the files in this directory are copied into the user's home directory.)
v. Add on packages to make your life easier.
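The following is an added audit script, not part of the original article or the poster's notes: it checks a Solaris 8 configuration tree for several of the settings recommended above (CONSOLE, SYSLOG_FAILED_LOGINS, TCP_STRONG_ISS=2, /etc/notrouter, the sendmail start script, and the r/telnet/ftp services in inetd.conf). The file layout and the sample tree it builds are assumptions for offline testing; pass / as ROOT to audit a live system.

```shell
#!/bin/sh
# Added example, not from the original article: audits a Solaris 8
# configuration tree against the lockdown settings recommended above.
# Pass / to audit the live system, or a copy of the files to test offline.

# kv_is ROOT FILE KEY VALUE: true if FILE has an uncommented KEY=VALUE line.
kv_is() { grep -q "^[[:space:]]*$3=$4[[:space:]]*\$" "$1$2" 2>/dev/null; }

# inetd_active ROOT SERVICE: true if SERVICE is still enabled in inetd.conf.
inetd_active() { grep -q "^[[:space:]]*$2[[:space:]]" "$1/etc/inetd.conf" 2>/dev/null; }

# audit_failures ROOT: reports each check on stderr, echoes the failure count.
audit_failures() {
    r="$1"; fails=0
    check() {   # check LABEL CMD...: run CMD, count a failure if it is false
        lbl="$1"; shift
        if "$@"; then echo "ok   $lbl" >&2; else echo "FAIL $lbl" >&2; fails=$((fails+1)); fi
    }
    check "root login only on console"  kv_is "$r" /etc/default/login CONSOLE /dev/console
    check "failed logins are syslogged" kv_is "$r" /etc/default/login SYSLOG_FAILED_LOGINS 3
    check "strong TCP ISN generation"   kv_is "$r" /etc/default/inetinit TCP_STRONG_ISS 2
    check "IP forwarding disabled"      test -f "$r/etc/notrouter"
    check "sendmail start script off"   test ! -e "$r/etc/rc2.d/S88sendmail"
    for svc in shell login exec telnet ftp; do
        if inetd_active "$r" "$svc"; then echo "FAIL $svc still enabled in inetd.conf" >&2; fails=$((fails+1))
        else echo "ok   $svc disabled in inetd.conf" >&2; fi
    done
    echo "$fails"
}

# make_demo_tree DIR: constructed sample tree (hardened except for telnet).
make_demo_tree() {
    mkdir -p "$1/etc/default" "$1/etc/rc2.d"
    printf 'CONSOLE=/dev/console\nSYSLOG_FAILED_LOGINS=3\n' > "$1/etc/default/login"
    printf '#TCP_STRONG_ISS=1\nTCP_STRONG_ISS=2\n' > "$1/etc/default/inetinit"
    printf '#shell\tstream\ttcp\tnowait\troot\t/usr/sbin/in.rshd\tin.rshd\n' > "$1/etc/inetd.conf"
    printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/sbin/in.telnetd\tin.telnetd\n' >> "$1/etc/inetd.conf"
    : > "$1/etc/notrouter"
    : > "$1/etc/rc2.d/K88sendmail"
}

DEMO=$(mktemp -d); make_demo_tree "$DEMO"
DEMO_FAILURES=$(audit_failures "$DEMO")   # 1: telnet is still enabled
rm -rf "$DEMO"
```

Against the live system, `audit_failures /` lists each check on stderr and prints the number of recommendations not yet applied.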
fxp1126 replied on 2003-09-28 23:19:10
Another copy & paste? LOL.
sunmarmot replied on 2003-09-28 23:55:27
Good stuff!
guchengman replied on 2003-09-28 21:02:09
Oh,
nobody is reading; bumping it myself.
deeperpurple replied on 2003-09-28 21:13:39
Bookmarked!!! Thanks ~@-@~
williamw2000 replied on 2003-09-28 21:59:06
very good!
guchengman replied on 2003-09-29 09:59:36
The article is copied, but the Chinese notes I wrote myself.
There are still many questions; please reply and help improve it.
bigbilly replied on 2003-09-29 11:08:58
I support adding this to the featured posts.
procrus replied on 2003-09-29 11:12:34
Good stuff, I'll print a copy and read it carefully.
Article source: 领测软件测试网 (ltesting.net) https://www.ltesting.net/