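#!/bin/bash
# First-boot setup for a CentOS 7 host: stops firewalld and SELinux, applies a
# small set of network sysctl hardening values, installs a fixed /etc/vimrc,
# tightens permissions on a list of system files, optionally installs common
# packages, syncs the clock, sets the hostname, adds shell helpers and finally
# runs a full yum update.
# Must run as root: every step writes under /etc or drives systemctl/yum.
# No `set -e` on purpose: several steps are best-effort (a sysctl key or file
# may be absent on a given host) and the tools already report their own errors.

# Appends line "$2" to file "$1" unless an identical line is already present,
# so re-running this script does not pile up duplicate entries in
# /etc/profile, /etc/sysctl.conf or limits.conf.
append_once() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# --- firewall -----------------------------------------------------------------
# NOTE(review): this removes host-level packet filtering entirely; confirm the
# host is covered by another filter (security group / perimeter firewall).
systemctl stop firewalld
systemctl disable firewalld   # the original used "disabled", which is not a systemctl verb

# --- SELinux ------------------------------------------------------------------
# Disable now (setenforce) and across reboots. Only the SELINUX= key is edited;
# the original pattern also rewrote the word "enforcing" inside the file's
# explanatory comments.
# NOTE(review): this drops the host's mandatory-access-control layer; confirm it
# is actually required for this host class.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
echo "已关闭selinux"

# --- vi -> vim for every login shell -----------------------------------------
append_once /etc/profile 'alias vi=vim'
source /etc/profile

# --- network hardening --------------------------------------------------------
# Refuse to send/accept ICMP redirects and IPv6 router advertisements. Each
# value is applied live (sysctl -w) and persisted in /etc/sysctl.conf.
echo "进行网络安全部分优化......"
sleep 2
net_params=(
  net.ipv4.conf.all.send_redirects=0
  net.ipv4.conf.default.send_redirects=0
  net.ipv4.conf.all.accept_redirects=0
  net.ipv4.conf.default.accept_redirects=0
  net.ipv4.conf.all.secure_redirects=0
  net.ipv4.conf.default.secure_redirects=0
  net.ipv6.conf.all.accept_ra=0
  net.ipv6.conf.default.accept_ra=0
  net.ipv6.conf.all.accept_redirects=0
  net.ipv6.conf.default.accept_redirects=0
)
for param in "${net_params[@]}"; do
  sysctl -w "$param"
  append_once /etc/sysctl.conf "$param"
done

# --- vim configuration --------------------------------------------------------
# Replaces /etc/vimrc wholesale; the previous file is kept as /etc/vimrc_bak.
# A quoted heredoc writes the text literally, so no shell escaping is needed.
# The highlight group is spelled CursorColumn (the original had "CursorColumu",
# which silently defined an unused group).
echo "开始优化vim编辑器配置......"
sleep 2
cp -a /etc/vimrc /etc/vimrc_bak
cat > /etc/vimrc <<'VIMRC'
set nocompatible
set history=100
filetype on
filetype plugin on
filetype indent on
set autoread
set mouse=
syntax enable
set cursorline
hi cursorline guibg=#00ff00
hi CursorColumn guibg=#00ff00
set nofen
set fdl=0
set expandtab
set tabstop=4
set shiftwidth=4
set softtabstop=4
set smarttab
set ai
set si
set wrap
set sw=4
set wildmenu
set ruler
set cmdheight=1
set lz
set backspace=eol,start,indent
set whichwrap+=<,>,h,l
set magic
set noerrorbells
set novisualbell
set showmatch
set mat=2
set hlsearch
set ignorecase
set encoding=utf-8
set fileencodings=utf-8
set termencoding=utf-8
set smartindent
set cin
set showmatch
set guioptions-=T
set guioptions-=m
set vb t_vb=
set laststatus=2
set pastetoggle=<F9>
set background=dark
highlight Search ctermbg=black ctermfg=white guifg=white guibg=black
autocmd BufNewFile *.py,*.cc,*.sh,*.java exec ":call SetTitle()"
func SetTitle()
if expand("%:e") == 'sh'
call setline(1, "#!/bin/bash")
call setline(2, "#Author:Benson")
call setline(3, "#Blog:http://www.qinzc.me")
call setline(4, "#Time:".strftime("%F %T"))
call setline(5, "#Name:".expand("%"))
call setline(6, "#Version:V1.0")
call setline(7, "#Description:")
endif
endfunc
VIMRC

# --- file permissions ---------------------------------------------------------
# The banner lists /etc/rc.d/init.d/cloudmonitor 0755, but the original code
# never touched that file; only the 0600 list below is applied.
# NOTE(review): /etc/services is normally world-readable; 0600 may break
# service-name lookups for processes not running as root — confirm first.
cat <<'EOF'

开始优化部分文件权限,优化列表如下:
/etc/services 0600
/etc/security/sepermit.conf 0600
/etc/security/console.handlers 0600
/etc/security/namespace.conf 0600
/etc/security/chroot.conf 0600
/etc/security/group.conf 0600
/etc/security/console.perms 0600
/etc/security/pam_env.conf 0600
/etc/security/access.conf 0600
/etc/security/pwquality.conf 0600
/etc/security/namespace.init 0600
/etc/security/time.conf 0600
/etc/security/limits.conf 0600
/etc/rc.d/init.d/cloudmonitor 0755
EOF
sleep 10
secure_files=(
  /etc/services
  /etc/security/sepermit.conf
  /etc/security/console.handlers
  /etc/security/namespace.conf
  /etc/security/chroot.conf
  /etc/security/group.conf
  /etc/security/console.perms
  /etc/security/pam_env.conf
  /etc/security/access.conf
  /etc/security/pwquality.conf
  /etc/security/namespace.init
  /etc/security/time.conf
  /etc/security/limits.conf
)
for f in "${secure_files[@]}"; do
  if [[ -e "$f" ]]; then
    chmod 600 -- "$f"
  else
    printf 'skip: %s not found\n' "$f" >&2
  fi
done
echo "列表中文件权限已优化!"
sleep 2
chmod +x /etc/rc.d/rc.local

# --- optional package install -------------------------------------------------
# Installs the common tool set one package at a time. The per-package loop is
# kept deliberately: epel-release is in the list before htop/iftop, which
# (on CentOS) are expected to come from EPEL, so a single combined transaction
# would likely fail on those.
soft() {
  local pkg
  for pkg in gcc gcc-c++ epel-release wget unzip screen telnet psmisc vim net-tools ntpdate htop iptables-services iftop git; do
    yum install -y "$pkg"
  done
}

echo "是否开始安装常用到的软件包括:gcc gcc-c++ epel-release wget unzip screen telnet psmisc vim net-tools ntpdate htop iptables-services iftop git?"
select goon in 是 否; do
  case $goon in
    是) soft && break ;;   # an unexpected answer leaves the menu on screen
    否) break ;;
  esac
done

# --- clock --------------------------------------------------------------------
echo "开始同步时间"
ntpdate time.windows.com

# --- hostname -----------------------------------------------------------------
# An empty answer is skipped rather than handed to hostnamectl.
sleep 2
echo "开始设定主机名"
read -r -p "请输入要修改的主机名:" hname
if [[ -n "$hname" ]]; then
  hostnamectl set-hostname "$hname"
fi
echo "以下是你设定的主机名内容:"
hostnamectl status | grep "hostname"

# --- shell helper: ten largest entries under the current directory ------------
# Written as a multi-line function so the closing brace is valid shell (a
# one-line `{ ... head -n 10 }` without a terminating `;` would not parse).
if ! grep -q '^cxdx ()' /etc/profile; then
  cat >> /etc/profile <<'EOF'
cxdx () {
  du -cksm * | sort -rn | head -n 10
}
EOF
fi

# --- open-file limits ---------------------------------------------------------
# limits.conf takes one entry per line; the two entries are appended separately
# and only once.
append_once /etc/security/limits.conf '* soft nofile 65535'
append_once /etc/security/limits.conf '* hard nofile 65535'
echo "调整系统最大文件打开数为65535,需重启系统后运行ulimit -a命令查看"
source /etc/profile

# --- system update ------------------------------------------------------------
echo "接下来进行系统更新操作。"
sleep 5
yum update -y
echo "进行升级系统内核操作。"
sleep 3
yum update kernel -y   # already covered by the full update above; kept to match the original flow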
脚本2:
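#!/bin/bash
# Interactive CentOS 6/7 provisioning menu:
#   1) write a static ifcfg file for the first non-loopback interface,
#   2) "optimisation" bundle: SSH port, IPv6 off, SELinux off, firewall off,
#      ntpdate cron, ulimits, sysctl values, mail-check prompt off,
#   3) per-command shell audit log under /var/log/Command.
# Option 4 appears in the menu but is not implemented; only 1-3 are accepted.
# Must run as root. Exit code 110 is used for every user/configuration error.

# Major release number ("6" or "7") taken from /etc/redhat-release.
SysVer=$(awk -F'release' '{print $2}' /etc/redhat-release | awk -F'[ .]+' '{print $2}')
NetPath="/etc/sysconfig/network-scripts/"

# First ifcfg-* file that is not the loopback, and the interface name derived
# from it. The original took the first `ls | grep if` hit, which could be
# ifcfg-lo (or an ifup/ifdown helper) depending on sort order, and cut the name
# at the first '-', which breaks on hyphenated interface names.
NetCnf=""
NetName=""
for _cfg in "${NetPath}"ifcfg-*; do
  [[ -f "$_cfg" ]] || continue
  [[ "${_cfg##*/}" == "ifcfg-lo" ]] && continue
  NetCnf=${_cfg##*/}
  NetName=${NetCnf#ifcfg-}
  break
done
unset _cfg

# Prints "$2" wrapped in the ANSI SGR sequence "$1" (e.g. '41;33;5'), then a
# newline. Replaces the repeated `echo -e "\033[...m...\033[0m"` lines.
cecho() {
  printf '\033[%sm%s\033[0m\n' "$1" "$2"
}

# Common exit path for an unsupported SysVer.
VerErr() {
  cecho '41;33;5' ' System Version Error,Scripts only apply to Centos 6 and 7 versions '
  exit 110
}

clear
echo "#####################################"
echo "###### 1、配置网络 ######"
echo "###### 2、优化系统 ######"
echo "###### 3、命令审计 ######"
echo "###### 4、其他功能 ######"
echo "#####################################"
read -r -p "Please Input Number (1/2/3) :" Nmb
# The original `[ ! $Nmb == 1 ]` chain errored out on an empty answer.
if [[ ! "$Nmb" =~ ^[123]$ ]]; then
  cecho '41;33;5' ' Input ERROR,you Can only enter 1 or 2 or 3 '
  exit 110
fi

# Cosmetic progress bar: 21 steps of 0.1 s (about 2 s), so the "10 seconds to
# press Ctrl+C" message printed by option 2 overstates the pause.
Jdt() {
  local i=0 str="" color
  local -a spinner=("|" "/" "-" "\\")
  echo "准备中..."
  while (( i <= 20 )); do
    color=$(( 30 + i % 8 ))
    printf "\e[0;%d;1m[%-20s][%d%%]%c\r" "$color" "$str" "$(( i * 5 ))" "${spinner[i % 4]}"
    sleep 0.1
    i=$(( i + 1 ))
    str+='+'
  done
  printf "\n"
  echo "正在执行...稍候!"
}

# Aborts with a generic error if the previous command failed. It reads $? on
# entry, so it must be the very next statement after the command it checks.
PanDuan() {
  if [[ $? -ne 0 ]]; then
    cecho '41;33;5' ' ERROR,Please To Check '
    exit 110
  fi
}

# CentOS 6: static ifcfg file, then hand the interface to the legacy network
# service instead of NetworkManager. Reads Ipa/Ntm/Gtw set by option 1.
C6NetWork() {
  cat > "${NetPath}${NetCnf}" <<END
DEVICE=$NetName
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=$Ipa
NETMASK=$Ntm
GATEWAY=$Gtw
DNS1=114.114.114.114
DNS2=223.5.5.5
END
  service NetworkManager stop >/dev/null 2>&1
  chkconfig NetworkManager off >/dev/null 2>&1
  chkconfig network on >/dev/null 2>&1
  Jdt
  cecho '46;35;5' '[ ## Network configuration succeeded ## ]'
  cecho '46;35;5' '[ ##### Please restart the server ##### ]'
}

# CentOS 7 counterpart of C6NetWork (systemd units, different ifcfg keys).
C7NetWork() {
  cat > "${NetPath}${NetCnf}" <<EOF
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=$NetName
DEVICE=$NetName
ONBOOT=yes
IPADDR=$Ipa
NETMASK=$Ntm
GATEWAY=$Gtw
DNS1=223.5.5.5
DNS2=114.114.114.114
EOF
  systemctl stop NetworkManager >/dev/null 2>&1
  systemctl disable NetworkManager >/dev/null 2>&1
  systemctl enable network.service >/dev/null 2>&1
  Jdt
  cecho '46;35;5' '[ ## Network configuration succeeded ## ]'
  cecho '46;35;5' '[ ##### Please restart the server ##### ]'
}

# Moves sshd to a user-chosen port, disables GSSAPI auth and reverse DNS
# lookups, enables PrintMotd, then restarts sshd.
# Fixes vs. the original: the port is read *before* the banner that mentions it
# (it used to print an empty $Pt), it is checked to be a valid TCP port, and if
# sshd_config has no Port line at all one is appended so the change takes effect.
# NOTE(review): sshd is restarted on the new port while the firewall and SELinux
# are still active (OffSE/OFFfirewalld run later in option 2). New logins are
# refused until the port is allowed there, and with SELinux enforcing sshd may
# refuse to bind a non-standard port unless it is labelled ssh_port_t — confirm
# the step ordering before relying on this.
OptSSH() {
  echo "#########################################################"
  cecho '46;34;5' '[ 配置SSH 端口 关闭DNS 反向解析 ]'
  read -r -p "Please enter the SSH port :" Pt
  if [[ ! "$Pt" =~ ^[0-9]+$ ]] || (( Pt < 1 || Pt > 65535 )); then
    cecho '41;33;5' ' ERROR,Please To Check '
    exit 110
  fi
  cecho '46;34;5' "[ 关闭此终端后 请使用新SSH端口:$Pt 进行登陆 原端口失效 ]"
  Jdt
  sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
  sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
  sed -i "s/#Port 22/Port $Pt/" /etc/ssh/sshd_config
  sed -i "s/^Port.*/Port $Pt/g" /etc/ssh/sshd_config
  grep -q '^Port ' /etc/ssh/sshd_config || printf 'Port %s\n' "$Pt" >> /etc/ssh/sshd_config
  sed -i 's/#PrintMotd yes/PrintMotd yes/' /etc/ssh/sshd_config
  case $SysVer in
    6) service sshd restart >/dev/null 2>&1; PanDuan ;;
    7) systemctl restart sshd >/dev/null 2>&1; PanDuan ;;
    *) VerErr ;;
  esac
}

# Legacy IPv6 module blacklist via /etc/modprobe.conf aliases. The sed calls
# are skipped when the file does not exist (the original let them fail).
# NOTE(review): /etc/modprobe.conf is a legacy location; current modprobe reads
# /etc/modprobe.d/*.conf, so this step may have no effect on CentOS 7 — confirm.
OffIPv6() {
  clear
  echo "####################################"
  cecho '46;34;5' '[ Shutdown IpV6 关闭IPv6 ]'
  Jdt
  if [[ -f /etc/modprobe.conf ]]; then
    sed -i '/.*net-pf-10.*/d' /etc/modprobe.conf
    sed -i '/.*ipv6.*/d' /etc/modprobe.conf
  fi
  echo "alias net-pf-10 off" >> /etc/modprobe.conf
  echo "alias ipv6 off" >> /etc/modprobe.conf
}

# Disables SELinux now and across reboots.
# NOTE(review): this drops the host's mandatory-access-control layer.
OffSE() {
  clear
  echo "####################################"
  cecho '46;34;5' '[ Shutdown selinux ]'
  Jdt
  sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
  setenforce 0 >/dev/null 2>&1
}

# Stops and disables the host firewall (iptables on 6, firewalld on 7).
# NOTE(review): host-level packet filtering is removed entirely.
OFFfirewalld() {
  clear
  echo "####################################"
  cecho '46;34;5' '[ Shutdown Firewalld ]'
  Jdt
  case $SysVer in
    6) service iptables stop >/dev/null 2>&1
       chkconfig iptables off >/dev/null 2>&1 ;;
    7) systemctl stop firewalld >/dev/null 2>&1
       systemctl disable firewalld >/dev/null 2>&1 ;;
    *) VerErr ;;
  esac
}

# Replaces any ntpdate line in root's crontab with a 5-minute ntpdate against a
# fixed server and restarts crond so the spool file is re-read. The spool file
# is created by redirection here, so it is set to 0600 like crontab(1) does.
TimeLock() {
  clear
  echo "####################################"
  cecho '46;34;5' '[ Configure TimeLock ]'
  Jdt
  [[ -f /var/spool/cron/root ]] && sed -i '/.*ntpdate.*/d' /var/spool/cron/root
  echo "*/5 * * * * /usr/sbin/ntpdate 202.112.31.197 > /dev/null 2>&1" >> /var/spool/cron/root
  chmod 600 /var/spool/cron/root
  case $SysVer in
    6) service crond restart >/dev/null 2>&1 ;;
    7) systemctl restart crond >/dev/null 2>&1 ;;
    *) VerErr ;;
  esac
}

# Appends the nofile/nproc limits used by LimitsFile.
FileLimitsConf() {
  cat >> /etc/security/limits.conf <<COMMENTBLOCK
* soft nofile 102400
* hard nofile 102400
* soft nproc 102400
* hard nproc 102400
COMMENTBLOCK
}

# Raises open-file/process limits: a ulimit line in rc.local (if missing),
# the limits.conf block (if fewer than two nofile lines exist), and the
# release-specific systemd/nproc defaults. Missing files count as zero matches,
# as in the original `cat | grep | wc -l` pipelines.
# NOTE(review): on CentOS 7 /etc/rc.local is only run if it is executable —
# confirm that is the case on the target host.
LimitsFile() {
  local shu1 shu2
  clear
  echo "#####################################"
  cecho '46;34;5' '[ Configure LimitNumber ]'
  Jdt
  shu1=$(grep -c ulimit /etc/rc.local 2>/dev/null || true)
  shu2=$(grep -c nofile /etc/security/limits.conf 2>/dev/null || true)
  shu1=${shu1:-0}
  shu2=${shu2:-0}
  if (( shu1 < 1 )); then
    echo "ulimit -SHn 102400" >> /etc/rc.local
  fi
  if (( shu2 < 2 )); then
    FileLimitsConf
  fi
  case $SysVer in
    6) sed -i 's/1024$/102400/' /etc/security/limits.d/90-nproc.conf ;;
    7) sed -i 's/^#DefaultLimitNOFILE=.*/DefaultLimitNOFILE=100000/g' /etc/systemd/system.conf
       sed -i 's/^#DefaultLimitNPROC=.*/DefaultLimitNPROC=100000/g' /etc/systemd/system.conf ;;
    *) VerErr ;;
  esac
}

# Overwrites /etc/sysctl.conf with a fixed tuning set and applies it.
# NOTE(review): this discards whatever sysctl.conf held before. Also,
# net.ipv4.tcp_tw_recycle is known to break clients behind NAT and was removed
# from newer kernels (sysctl -p then reports an unknown key) — confirm it is
# still wanted.
KernelFile() {
  clear
  echo "#####################################"
  cecho '46;34;5' '[ Optimize Kernel ]'
  Jdt
  true > /etc/sysctl.conf
  cat >> /etc/sysctl.conf <<EIZ
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_keepalive_probes=3
net.ipv4.tcp_orphan_retries=3
net.ipv4.ip_local_port_range = 1024 65500
EIZ
  /sbin/sysctl -p
  echo "内核优化的具体参数见上 如需修改请自行修改/etc/sysctl.conf文件"
  echo "内核优化的具体参数见上 如需修改请自行修改/etc/sysctl.conf文件"
  echo "内核优化的具体参数见上 如需修改请自行修改/etc/sysctl.conf文件"
}

# Silences the "You have new mail" prompt by unsetting MAILCHECK in /etc/profile.
RootEmail() {
  clear
  echo "#######################################################"
  cecho '46;34;5' '[ 禁止 You have new mail in /var/spool/mail/root 提示 ]'
  Jdt
  sed -i '/.*MAILCHECK/d' /etc/profile
  echo "unset MAILCHECK">> /etc/profile
  source /etc/profile
}

# BieMing() (alias setup) was an empty placeholder in the original; never implemented.

# Per-command audit trail: every shell that reads /etc/profile appends
# "date ## tty user ## command" to /var/log/Command/Command.log through
# PROMPT_COMMAND; the log is owned by nobody, append-only (chattr +a), and a
# weekly cron job (history.sh, generated below) rotates it and removes copies
# older than 30 days.
# NOTE(review): a PROMPT_COMMAND hook in /etc/profile is advisory — a user can
# unset it or run a shell that never reads /etc/profile — so this is a
# convenience log, not tamper-evident audit; auditd is the kernel-backed option.
HisTory() {
  local file_path="/var/log/Command"
  local file_name="Command.log"
  local ProFile ComMand
  ProFile=$(grep -c HISTORY_FILE /etc/profile 2>/dev/null || true)
  ComMand=$(grep -c history.sh /var/spool/cron/root 2>/dev/null || true)
  ProFile=${ProFile:-0}
  ComMand=${ComMand:-0}

  # Creates the log with the intended ownership/mode and makes it append-only.
  Group1() {
    touch "$file_path/$file_name"
    chown -R nobody:nobody "$file_path"
    chmod 001 "$file_path"
    chmod 002 "$file_path/$file_name"
    chattr +a "$file_path/$file_name"
  }

  # Appends the PROMPT_COMMAND hook to /etc/profile. The heredoc is unquoted on
  # purpose: $file_path/$file_name expand now, while the escaped \$ and \\\$
  # survive into the profile exactly as the original wrote them.
  Group2() {
    cat >> /etc/profile <<EPP
export HISTORY_FILE=$file_path/$file_name
export PROMPT_COMMAND='{ date "+%y-%m-%d %T ## \$(who am i |awk "{print \\\$1,\\\$2,\\\$5}") ## \$(whoami) ## \$(history 1 | { read x cmd; echo "\$cmd"; })"; } >>\$HISTORY_FILE'
EPP
  }

  if [[ ! -d "$file_path" ]]; then
    mkdir -p "$file_path"
    Group1
  elif [[ ! -f "$file_path/$file_name" ]]; then
    Group1
  fi

  # Any earlier HISTORY_FILE lines are dropped before the hook is (re)added.
  if (( ProFile >= 1 )); then
    sed -i '/.*HISTORY_FILE.*/d' /etc/profile
  fi
  Group2

  # Rotation script, generated once. Unquoted heredoc: $file_path/$file_name
  # expand now; the \` and \$ escapes keep the inner script's own expansions.
  # The generated script is kept byte-for-byte as in the original.
  if [[ ! -f "$file_path/history.sh" ]]; then
    cat >> "$file_path/history.sh" <<EOF
#!/bin/bash
#Time=\`date +%Y%m%d%H -d '-1 hours'\`
Time=\`date +%Y%m%d%H\`
logs_path="$file_path/"
logs_name="$file_name"
new_file="\$logs_path\$logs_name-\$Time"
old_file=\`find \$logs_path -mtime +30 -type f -name "Command.*"\`
chattr -a \$logs_path\$logs_name
mv \$logs_path\$logs_name \$new_file
chattr +a \$new_file
touch \$logs_path\$logs_name
chown -R nobody:nobody \$logs_path\$logs_name
chmod -R 002 \$logs_path\$logs_name
chattr +a \$logs_path\$logs_name
if [ ! -z \$old_file ]
then
echo "delet \$old_file \$Time" >> /var/log/messages
chattr -a \$old_file
rm -rf \$old_file
fi
EOF
    chmod 100 "$file_path/history.sh"
  fi

  if (( ComMand < 1 )); then
    echo "30 10 * * 6 /bin/bash $file_path/history.sh > /dev/null 2>&1" >> /var/spool/cron/root
  fi
  case $SysVer in
    6) service crond restart >/dev/null 2>&1 ;;
    7) systemctl restart crond >/dev/null 2>&1 ;;
    *) VerErr ;;
  esac

  if source /etc/profile; then
    echo "###########################################"
    cecho '46;31;5' ' 配置完成 命令审计文件位于:/var/log/Command/Command.log '
  else
    cecho '41;33;5' ' ERROR,Please To Check '
    exit 110
  fi
}

case $Nmb in
  1)
    rm -rf /etc/udev/rules.d/70-persistent-net.rules >/dev/null 2>&1
    echo "###########################################"
    # Without an ifcfg file the heredoc below would target the directory itself.
    if [[ -z "$NetCnf" ]]; then
      cecho '41;33;5' ' ERROR,Please To Check '
      exit 110
    fi
    read -r -p "Please Input IPAddress :" Ipa
    read -r -p "Please Input Netmask :" Ntm
    read -r -p "Please Input Gateway :" Gtw
    # ifcfg files are read as shell assignments by the network scripts, so only
    # dotted-quad values are written; anything else would produce a broken or
    # unexpected configuration at boot.
    for _v in "$Ipa" "$Ntm" "$Gtw"; do
      if [[ ! "$_v" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
        cecho '41;33;5' ' ERROR,Please To Check '
        exit 110
      fi
    done
    unset _v
    cecho '46;34;5' "[ 配置中请稍候... 完成后请使用新地址 $Ipa 进行SSH登陆 ]"
    echo "###########################################"
    case $SysVer in
      6) C6NetWork ;;
      7) C7NetWork ;;
      *) VerErr ;;
    esac
    ;;
  2)
    cecho '46;31;5' '以下配置均可在进度条处 有10秒时间 按Ctrl+C结束 请按需优化'
    OptSSH
    PanDuan
    OffIPv6
    PanDuan
    OffSE
    OFFfirewalld
    PanDuan
    TimeLock
    PanDuan
    LimitsFile
    PanDuan
    RootEmail
    PanDuan
    KernelFile
    PanDuan
    echo " #####################################"
    echo " #####################################"
    echo " 优化已完成 本次优化内容有:"
    echo " 1、优化SSH服务"
    echo " 2、关闭IPv6服务"
    echo " 3、关闭Selinux 机制"
    echo " 4、关闭iptables/firewalld"
    echo " 5、设置时间同步"
    echo " 6、优化内核参数"
    echo " 7、关闭邮件提示"
    ;;
  3)
    cecho '46;31;5' ' 此审计会记录30天内所有终端执行过的所有命令 '
    Jdt
    HisTory
    ;;
  *)
    cecho '41;33;5' ' Error, please check the first line variable '
    exit 110
    ;;
esac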
停留在世界边缘,与之惜别