```bash
#!/bin/bash
# Filename: server_init.sh
# CentOS 7 server initialisation: Aliyun yum/EPEL mirrors, kernel (sysctl) and
# ulimit tuning, IPv6 off, SELinux and firewalld off, sshd tweaks, NTP cron job,
# base package set and UTF-8 locale.

# ----- check the privilege level before touching anything -----
if [ "$(id -u)" != "0" ]; then
    echo "Error: You must be root to run this script, please use root to initialize the OS."
    exit 1
fi

character_set=/etc/locale.conf
centos7epel=http://mirrors.aliyun.com/repo/epel-7.repo
mkdir -p /server/scripts

# Replace the stock yum repo files with the Aliyun Base and EPEL mirrors
yum install wget -y \
    && cd /etc/yum.repos.d/ \
    && rm -rf ./* \
    && wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo \
    && sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo \
    && wget "$centos7epel"

softwarelist=(
    epel-release ntpdate gcc gcc-c++ openssl-devel lrzsz wget make unzip
    bash-completion zip xz subversion lsof telnet vim tree iftop iputils
    net-tools nload tcpdump nc nmap dstat mailx dos2unix expect libselinux-python
)

# ----- coloured, timestamped log helpers -----
function info_msg() {
    local fmt=$1
    shift && printf "\033[1;32m[INFO] [$(date '+%Y-%m-%d %H:%M:%S')] ${fmt}\033[0m" "$@"
}
function error_msg() {
    local fmt=$1
    shift && printf "\033[1;31m[ERROR] [$(date '+%Y-%m-%d %H:%M:%S')] ${fmt}\033[0m" "$@"
}
function warn_msg() {
    local fmt=$1
    shift && printf "\033[1;33m[WARN] [$(date '+%Y-%m-%d %H:%M:%S')] ${fmt}\033[0m" "$@"
}
function exit_msg() {
    error_msg "$@"
    exit 1
}
# Abort when the command that ran just before the call failed. (The original
# called an undefined error_usage here; exit_msg is used instead.)
function check_result() {
    if [ $? -ne 0 ]; then
        exit_msg "previous step failed, aborting initialization\n"
    fi
}

#
system_update(){
    echo "*** Starting system update && installing tool packages... ***"
    yum install epel-release -y && yum -y update
    yum clean all && yum makecache
}

#-----------------------------------------------------------------------------
deploy_kernel(){  # required
    # sysctl: appended once, the _MODIFIED_AE_ marker makes re-runs skip it.
    # net.core.somaxconn, net.core.netdev_max_backlog and net.ipv4.tcp_tw_recycle
    # appear twice below (as in the original); sysctl applies the last value.
    info_msg "init - configuring kernel parameters (sysctl)\n"
    grep -q _MODIFIED_AE_ /etc/sysctl.conf || cat >> /etc/sysctl.conf << 'EOF'
#_MODIFIED_AE_
vm.swappiness = 0
net.ipv4.ip_forward = 1
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_max_tw_buckets = 262144
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.core.netdev_max_backlog = 10240
net.core.somaxconn = 4096
vm.overcommit_memory = 1
net.core.somaxconn = 20480
net.core.rmem_default = 262144
net.core.wmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 4096 16777216
net.ipv4.tcp_wmem = 4096 4096 16777216
net.ipv4.tcp_mem = 786432 2097152 3145728
net.core.netdev_max_backlog = 20000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_orphans = 131072
EOF
    sysctl -p >/dev/null 2>&1

    # ulimits: raise process and open-file limits for all users.
    # (The original grepped for "hard nofile 65535", which never matched what it
    # writes, so the block was appended on every run; check the real value.)
    info_msg "init - configuring system limits (limits.conf)\n"
    if [ "$(grep -c "hard nofile 102400" /etc/security/limits.conf)" == 0 ]; then
        cat >> /etc/security/limits.conf << 'EOF'
#ulimit
* soft nproc 102400
* hard nproc 102400
* soft nofile 102400
* hard nofile 102400
EOF
    fi

    info_msg "init - disabling the IPv6 protocol\n"
    # kernel module options; only written when sysctl.conf is missing, since the
    # block above already carries the disable_ipv6 keys
    if [ ! -f /etc/sysctl.conf ]; then
        cat >> /etc/sysctl.conf << 'EOF'
#forbid ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
EOF
    fi

    # ----- Linux lets anyone press Ctrl+Alt+Del to reboot the system by default;
    # in production the Ctrl-Alt-Del reboot should be disabled -----
    # control-alt-delete
    info_msg "init - disabling the reboot hotkey\n"
    if [ -f /usr/lib/systemd/system/ctrl-alt-del.target ]; then
        sed -i '/^[^#]/s/^/#/' /usr/lib/systemd/system/ctrl-alt-del.target
    fi

    # tighten permissions on key system files
    info_msg "init - fixing permissions of important system files\n"
    chmod 644 /etc/passwd /etc/group
    chmod 600 /etc/shadow /etc/ssh/sshd_config
}

# disable SELinux
deploy_selinux(){  # required
    info_msg "init - disabling SELinux\n"
    # anchored so only the real SELINUX= line changes, not the comment lines
    sed -i 's/^\(SELINUX=\).*/\1disabled/' /etc/selinux/config
    setenforce 0 > /dev/null 2>&1
}

# disable the firewall
deploy_iptables(){
    info_msg "init - configuring the local firewall\n"
    iptables -F && systemctl stop firewalld && systemctl disable firewalld >/dev/null 2>&1
    check_result
}

# ----- configure command history and record user login/logout times, IPs etc. -----
deploy_profile(){  # required (named depoly_profile in the original)
    # sed -i 's/#*Port.*22/Port 528/' /etc/ssh/sshd_config
    sed -i 's/#*UseDNS.*/UseDNS no/' /etc/ssh/sshd_config
    check_result
}

deploy_ntp(){  # optional (select 1 / 0)
    info_msg "init - configuring system time and timezone\n"
    status=$(crontab -l | grep -c ntpdate)
    if [ "$status"x == 0x ]; then
        systemctl stop ntpd >/dev/null 2>&1
        echo "*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1" >> /var/spool/cron/root
    fi
    rm -f /etc/localtime && ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
    check_result
}

deploy_software(){  # required
    info_msg "init - downloading and installing common packages\n"
    yum install "${softwarelist[@]}" -y >/dev/null 2>&1
    yum groupinstall "Development Tools" -y
    systemctl stop postfix
    check_result
}

deploy_character_set(){  # required
    info_msg "init - configuring the system character set\n"
    if [ -f "$character_set" ]; then
        sed -i 's/\(^LANG=\).*/\1"en_US.UTF-8"/g' "$character_set"
    fi
    check_result
}

main(){
    system_update
    deploy_kernel
    deploy_selinux
    deploy_iptables
    deploy_profile
    deploy_ntp
    deploy_software
    deploy_character_set
    warn_msg "init - done, please reboot the system\n"
}

main
```
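Added example, not part of the original script: a small audit for the sysctl block the script appends, which assigns net.core.somaxconn, net.core.netdev_max_backlog and net.ipv4.tcp_tw_recycle more than once. sysctl reads the file top to bottom and the last assignment silently wins, so the functions below report duplicated keys together with the value that actually takes effect; the fragment they read is a constructed sample mirroring that block, not the live /etc/sysctl.conf.

```shell
# Constructed sample: the duplicated keys from the script's sysctl heredoc
SAMPLE_SYSCTL='#_MODIFIED_AE_
net.core.netdev_max_backlog = 10240
net.core.somaxconn = 4096
vm.overcommit_memory = 1
net.core.somaxconn = 20480
net.core.netdev_max_backlog = 20000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_recycle = 1'

# Read a sysctl.conf fragment on stdin and print "key count effective_value"
# for every key assigned more than once (comments and blank lines ignored).
report_duplicate_keys() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", key)
            val = substr($0, eq + 1); sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            count[key]++; last[key] = val      # last assignment is what sysctl applies
        }
        END { for (k in count) if (count[k] > 1) print k, count[k], last[k] }
    ' | sort
}

# Effective value of one key ($1) in the fragment on stdin: the last one set.
effective_value() {
    awk -v k="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", key)
            if (key == k) { v = substr($0, eq + 1); sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v) }
        }
        END { print v }'
}

# Usage on the constructed sample
printf '%s\n' "$SAMPLE_SYSCTL" | report_duplicate_keys
```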