Rocky 9 basic setup
SUPPORT_END="2032-05-31"
Install related software
sudo dnf update -y && sudo dnf install dnf-automatic -y && sudo cat /etc/os-release
This produced the following error:
Extra Packages for Enterprise Linux 9 - x86_64 10 MB/s | 20 MB 00:01
Extra Packages for Enterprise Linux 9 openh264 (From Cisco) - x86_64 0.0 B/s | 0 B 00:07
Errors during downloading metadata for repository 'epel-cisco-openh264':
- Curl error (7): Couldn't connect to server for https://mirrors.fedoraproject.org/metalink?repo=epel-cisco-openh264-9&arch=x86_64 [Failed to connect to mirrors.fedoraproject.org port 443: Connection refused]
Error: Failed to download metadata for repo 'epel-cisco-openh264': Cannot prepare internal mirrorlist: Curl error (7): Couldn't connect to server for https://mirrors.fedoraproject.org/metalink?repo=epel-cisco-openh264-9&arch=x86_64 [Failed to connect to mirrors.fedoraproject.org port 443: Connection refused]
Rocky Linux 9 - BaseOS 5.1 MB/s | 2.5 MB 00:00
Rocky Linux 9 - AppStream 12 MB/s | 9.5 MB 00:00
Rocky Linux 9 - Extras 88 kB/s | 17 kB 00:00
Ignoring repositories: epel-cisco-openh264
Dependencies resolved.
Nothing to do.
Complete!
Fix: sudo vi /etc/yum.repos.d/epel-cisco-openh264.repo
Change enabled=1 to enabled=0, then run
sudo dnf makecache && sudo dnf update -y
Configure automatic updates
sudo vi /etc/dnf/automatic.conf
- Set the apply_updates parameter to yes so that updates are applied automatically after they are downloaded.
- If you only want security updates installed, set upgrade_type to security; otherwise leave it at default to install all updates. (Kept at default)
- You can also set the emit_via parameter to motd so that you are notified of installed updates at every login. (Set to motd)
Save and exit the file when you are done editing. Before continuing, run the dnf-automatic command manually to make sure there are no errors in the configuration file.
Downloading and applying updates automatically every day on a Rocky server, reference: https://docs.rocky-linux.cn/guides/security/dnf_automatic/
sudo systemctl enable --now dnf-automatic-notifyonly.timer
Created symlink /etc/systemd/system/timers.target.wants/dnf-automatic-notifyonly.timer → /usr/lib/systemd/system/dnf-automatic-notifyonly.timer.
sudo vi /usr/lib/systemd/system/dnf-automatic-notifyonly.timer
The scheduled time can be changed to 5:00.
After changing the timer file, you need to reload the systemd daemon for the change to take effect
sudo systemctl daemon-reload && sudo systemctl list-timers
Find the dnf-automatic.timer entry in the output above and verify that the NEXT column shows the time you configured.
Enable BBR
Run the following command to check the available congestion control algorithms
sudo sysctl net.ipv4.tcp_available_congestion_control
To enable BBR,
sudo vi /etc/sysctl.conf
and add the following to the file:
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
Reload the configuration and verify it with the following command:
sudo sysctl -p && sudo sysctl net.ipv4.tcp_congestion_control
Release reserved system memory and disable the kdump service
References:
- https://help.aliyun.com/zh/simple-application-server/support/release-the-reserved-memory-of-a-linux-instance
- https://blog.acesheep.com/p/rocky-9-disable-kdump/
sudo cp /etc/default/grub /etc/default/grub.bak
sudo vi /etc/default/grub
On the GRUB_CMDLINE_LINUX line, find the crashkernel= entry, delete the crashkernel parameter together with its value, then run:
grub2-mkconfig -o /boot/grub2/grub.cfg
sudo systemctl stop kdump
sudo systemctl disable kdump
reboot
Alternatively, since Rocky Linux 9 uses grubby to manage kernel boot parameters, crashkernel can be set to no with the following commands
grubby --update-kernel=ALL --args="crashkernel=no"
grubby --info /boot/vmlinuz-$(uname -r)
reboot
Add a swap file
fallocate -l 4G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo "/swapfile swap swap defaults 0 0" >> /etc/fstab
free -m
Automatically blacklist IPs with failed SSH logins on the server
Reference: https://blog.csdn.net/lx7820336/article/details/125196227
sudo vi /opt/banip.sh
#!/bin/sh
# Collect the source IPs from the failed-login records (lastb reads /var/log/btmp);
# only lines longer than 40 characters carry a remote host in field 3
iplist=$(/bin/lastb |awk '{if(length($0)>40) print $0}' |awk '{print $3}'|sort|uniq -c|awk '{if ($1>=1) print $2}')
# Append each IP to the blacklist, skipping IPs that are already listed
for ip in ${iplist}
do
  grep -q "^ALL: ${ip}$" /etc/hosts.deny || echo "ALL: ${ip}" >> /etc/hosts.deny
done
# Clear the failed-login log so the same entries are not counted again next run
echo > /var/log/btmp
sudo vi /etc/crontab
*/2 * * * * root sh /opt/banip.sh
This checks every 2 minutes; any IP with a failed login within that 2-minute window is banned. Adjust as needed.
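The same counting and blacklisting logic as /opt/banip.sh, written as an added example (not part of the original notes) that reads a constructed lastb sample instead of /var/log/btmp, takes a failure threshold instead of the fixed ">= 1", filters out console logins that have no host field, and de-duplicates the deny list. The sample output, the threshold argument and the function names are my own assumptions.

```shell
#!/bin/sh
# Constructed sample of `lastb` output: two failures from one IP, one from another,
# a console (tty1) entry with no host, and the trailing summary line.
SAMPLE_LASTB='root     ssh:notty    203.0.113.10     Mon Jan  1 10:01 - 10:01  (00:00)
admin    ssh:notty    203.0.113.10     Mon Jan  1 10:02 - 10:02  (00:00)
test     ssh:notty    198.51.100.7     Mon Jan  1 10:03 - 10:03  (00:00)
root     tty1                          Mon Jan  1 10:04 - 10:04  (00:00)

btmp begins Mon Jan  1 10:00:00 2024'

# failed_ips THRESHOLD  (lastb output on stdin)
# Prints, one per line and sorted, every source IP seen at least THRESHOLD times.
# Field 3 must look like an IPv4 address, so tty logins and the summary are skipped
# (the original one-liner relies on line length for this instead).
failed_ips() {
    awk -v min="$1" '
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$3]++ }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' | sort
}

# add_to_deny FILE IP: append "ALL: IP" to FILE unless it is already listed.
# Returns 0 when a line was added, 1 when the IP was already present.
add_to_deny() {
    grep -q "^ALL: $2\$" "$1" 2>/dev/null && return 1
    echo "ALL: $2" >> "$1"
}

# Demo run against a temporary file; the real script would use /etc/hosts.deny.
# Prints the resulting deny list.
demo() {
    tmp=$(mktemp)
    echo "$SAMPLE_LASTB" | failed_ips 2 | while read -r ip; do
        add_to_deny "$tmp" "$ip" || true
    done
    cat "$tmp"
    rm -f "$tmp"
}
```

Note that sshd on Rocky 9 is built without TCP wrappers, so it does not consult /etc/hosts.deny at all; to actually block the addresses, feed the same list to firewalld (for example with firewall-cmd --add-rich-rule) or to nftables instead.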