通过脚本案例学习shell（四） --- 通过脚本初始化并加固新安装的Linux系统-阿里云开发者社区

通过脚本案例学习shell（四） --- 通过脚本初始化并加固新安装的Linux系统

2017-11-15 1144

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

简介：

近来喜欢无人值守安装RHEL6.3系统,可是安装好每次都要做很多初始化工作,实在麻烦就写了个简单脚本省去了不少麻烦,由于本人是小牛,跟大牛比起来差的很远,还请大家提出一些宝贵意见!

本脚本是在rhel6.3环境下运行的,稍作修改同样适合其他Linux版本环境,不过脚本前半部分都是针对我自己的环境进行优化的,大家可以自行修改成自己的环境.

下面我对Linux系统初始化脚本进行简单讲解:

#!/bin/bash
echo "New system configuration"
sleep 1
echo "Environment RHEL6.3"
sleep 1
echo "The kernel version configuration!"
sleep 1
echo "Designed by www.rsyslog.org http://dreamfire.blog.51cto.com"
sleep 1
input_fun() //定义一个可以重复输入的函数(空值回车情况下也可用参考http://dreamfire.blog.51cto.com/418026/1152672)
{
OUTPUT_VAR=$1
INPUT_VAR=""
while [ -z $INPUT_VAR ];do
read -p "$OUTPUT_VAR" INPUT_VAR
done
echo $INPUT_VAR
}
input_again() //定义网络参数函数,交互式读取输入.
{
MYHOSTNAME=$( input_fun "Please input the hostname: ")
DOMAINNAME=$( input_fun "Please intput the domainname(rsyslog.org): ")
CARD_TYPE=$( input_fun "Please input card type(eth0): ")
IPADDR=$( input_fun "Please input ipaddress(192.168.100.1): ")
NETMASK=$( input_fun "Please input netmask(255.255.255.0): ")
GATEWAY=$( input_fun "Please input gateway(192.168.100.1): ")
MYDNS1=$( input_fun "Please input DNS1(192.168.100.102): ")
MYDNS2=$( input_fun "Please input DNS2(192.168.100.103): ")
}
BEGIN_INIT=$( input_fun "Whether you initialize the Linux operating system(YES/NO): ") //如果你不需要运行此脚本,可以按n退出.
if [ "$BEGIN_INIT" = "NO" ] || [ "$BEGIN_INIT" = "no" ] || [ "$BEGIN_INIT" = "N" ] ||[ "$BEGIN_INIT" = "n" ];then
kill -9 $$ //$$为夫进程PID,也就是脚本PID
elif [ "$BEGIN_INIT" = "YES" ] || [ "$BEGIN_INIT" = "yes" ] || [ "$BEGIN_INIT" = "y" ] || [ "$BEGIN_INIT" = "Y" ];then
echo "The script is begin....."
else
kill -9 $$
fi
input_again
BEGIN_INIT=$( input_fun "If you need input again[YES/NO]: ") //为了防止出错再给你一次机会.
if [ "$BEGIN_INIT" = "YES" ] || [ "$BEGIN_INIT" = "YES" ] || [ "$BEGIN_INIT" = "Y" ] ||[ "$BEGIN_INIT" = "y" ];then
input_again
fi
MAC=`ifconfig $CARD_TYPE | grep "HWaddr" | awk -F[" "]+ '{print $5}'` //取网卡MAC地址.
cat >/etc/sysconfig/network << ENDF //配置network文件,激活网卡
NETWORKING=yes
HOSTNAME=$MYHOSTNAME
ENDF
echo "Configure the HOSTNAME................................ OK !"
sleep 1
##########################
cat >/etc/sysconfig/network-scripts/ifcfg-$CARD_TYPE <<endf //配置网卡(静态环境下配置,动态获取不适合)
DEVICE=$CARD_TYPE
BOOTPROTO=none
HWADDR=$MAC
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
DNS2=$MYDNS2
DNS1=$MYDNS1
IPV6INIT=no
USERCTL=no
IPADDR=$IPADDR
NETMASK=$NETMASK
GATEWAY=$GATEWAY
endf
/etc/rc.d/init.d/network restart
chkconfig --level 35 network off
echo "Configure the $CARD_TYPE............................OK!"
sleep 1
###########################
cat >/etc/hosts <<endf //配置本地hosts文件
127.0.0.1 $MYHOSTNAME $MYHOSTNAME.$DOMAINNAME
$IPADDR $MYHOSTNAME $MYHOSTNAME.$DOMAINNAME
endf
echo "Configure the hosts.............................. OK !"
sleep 1
###############################
cat >/etc/resolv.conf <<endf //配置dns
domain $DOMAINNAME
search $DOMAINNAME
nameserver $MYDNS1
nameserver $MYDNS2
endf
echo "Configure the resolv.conf......................OK!"
sleep 1
###############################
mount | grep dev/sr0 >/dev/null //挂载安装光盘到 /media/cdrom下为yum仓库做准备
if [ $? -eq 0 ];then
umount `mount | grep dev/sr0 | awk -F[" "] '{print $3}'`
[ ! -d /media/cdrom ] && mkdir /media/cdrom
mount /dev/sr0 /media/cdrom
else
mount | grep dev/sr0
fi
echo "mount the iso of system................OK!"
sleep 1
#################################
cp -p /etc/yum.repos.d/rhel-source.repo{,.bak} //配置yum仓库
cat >/etc/yum.repos.d/rhel-source.repo <<endf
[rhel-source-beta]
name=RHEL6U3-ISO
baseurl=file:///media/cdrom
enabled=1
gpgcheck=0
endf
echo "Configure YUM.........................OK!"
#####################################
yum clean all && yum makecache //安装系统必须的一些测试工具,方便后期维护
yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel zip unzip ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5-devel libidn libidn-devel openssl openssh openssl-devel nss_ldap openldap openldap-devel openldap-clients openldap-servers libxslt-devel libevent-devel ntp libtool-ltdl bison libtool vim-enhanced python wget lsof iptraf strace lrzsz kernel-devel kernel-headers pam-devel Tcl/Tk cmake ncurses-devel bison setuptool
echo "Install the system view command......................OK!"
#########################################
sed -i 's/id:.*$/id:3:initdefault:/g' /etc/inittab //设置系统从init 3级别启动
echo "alias net-pf-10 off" >> /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf
/sbin/chkconfig --level 35 ip6tables off //关闭ipv6,虽然ipv6是未来发展趋势,但是现在不用
sed -i 's/SELINUX=enforcing/SELINUX=disabled' /etc/sysconfig/selinux //关闭selinux,后期如果需要可以打开
sed -i -e 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' -e 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config //加速ssh连接
echo "Stop iptables ang set selinux=disable,If you need,please open them!,Optimization to speed up access to ssh,init 3"
#########################################//以下是锁定系统不需要登录的账号
passwd -l news
passwd -l nscd
passwd -l dbus
passwd -l vcsa
passwd -l games
passwd -l nobody
passwd -l avahi
passwd -l haldaemon
passwd -l gopher
passwd -l ftp
passwd -l mailnull
passwd -l pcap
passwd -l mail
passwd -l shutdown
passwd -l halt
passwd -l uucp
passwd -l operator
passwd -l sync
passwd -l adm
passwd -l lp
echo "Lock useless users.......................OK"
sleep 1
############################
echo "TMOUT=1800" >>/etc/profile //设置30分钟无活动自动退出,可自行设置
echo "* soft nofile 66666" >> /etc/security/limits.conf //修改系统打开的最大文件数
echo "* hard nofile 66666" >> /etc/security/limits.conf
echo "30 minutes of inactivity, automatic exit && To modify the system to open the maximum number of files.....OK"
sleep 1
###############################
cat >> /etc/sysctl.conf << endf //优化内核参数调整
#michaelkang add 120724
net.ipv4.tcp_abort_on_overflow = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_retries1 = 2
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_max_orphans = 2000
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
endf
sysctl -p
echo "Adjust the kernel parameters!......................OK!"
sleep 1
#############################################
for I in `ls /etc/rc3.d/S*` //关闭系统不需要的服务,其中S打头的都是正在运行的服务,K打头的是没有运行的服务.
do
STOP_SRV=`echo $I|cut -c 15-` //过滤服务名称,从15个字符往后.
echo $STOP_SRV
case $STOP_SRV in
local | cpuspeed | crond | irqbalance | microcode_ctl | xinetd | network | mon | partmon | messagebus| udev-post | sshd | rsyslog | syslog )
echo "Base services, Skip!"
;;
*)
echo "change $STOP_SRV to off"
chkconfig --level 235 $STOP_SRV off
service $STOP_SRV stop
;;
esac
done
echo "Close useless services.........................ok"
sleep 1
############################################## //系统一些安全密码文件加锁,不允许修改创建
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +a /root/.bash_history //root执行命令数据只运行添加
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile //设置使用history命令只能查看10条命令
echo "The passwd shadow group gshadow is locked,if you use them,please use chattr -i!..............ok"
sleep 1
##############################################
cat >> /etc/hosts.allow << ENDF //设置运行远程使用ssh登录的网段
sshd:192.168.100.0/255.255.255.0
ENDF
echo 'sshd:all' >>/etc/hosts.deny
echo "Allowd 192.168.100.0 to use ssh................ok "
############################################ //设置默认创建用户密码最大存活天数以及密码长度
sed -i -e "s/PASS_MAX_DAYS.*$/PASS_MAX_DAYS 90/" -e "s/PASS_MIN_LEN.*$/PASS_MIN_LEN 8/" /etc/login.defs
echo "###################The script is stop!!####################"

本文转自凌激冰51CTO博客，原文链接：http://blog.51cto.com/dreamfire/1155542，如需转载请自行联系原作者

通过脚本案例学习shell（四） --- 通过脚本初始化并加固新安装的Linux系统

热门文章

最新文章

相关课程

相关电子书

相关实验场景

推荐镜像

探索云世界

热门

云计算

大数据

云原生

人工智能

数据库

开发与运维

活动广场

任务中心

训练营

直播

乘风者计划

下载

镜像站

技术资料

通过脚本案例学习shell（四） --- 通过脚本初始化并加固新安装的Linux系统

热门文章

最新文章

相关课程

相关电子书

相关实验场景

推荐镜像