#!/bin/bash
#:***********************************************
#:Program:centos6_init_shell
#:
#:Author:yanconggod
#:
#:History:2017-01-10
#:
#:Version:1.0
#:***********************************************
# One-shot post-install setup for a CentOS 6 host. It must run as root: it
# edits /etc/passwd, /etc/sudoers, PAM, sysctl and sshd configuration and
# appends a "[success]" line per section to /root/${INIT_LOG}.
cat <<'BANNER'
+--------------------------------------------------------------+
| === Welcome to System init === |
+--------------------------------------------------------------+
BANNER
# DATE and INIT_LOG are read by every later section; keep these names.
DATE=$(date +%Y_%m_%d:%H_%M_%S)
INIT_LOG="system_init_${DATE}.log"
#0.yum resource config
# NOTE(review): the commented-out repo bootstrap below fetches .repo files
# over plain HTTP from an internal mirror. If it is ever re-enabled, anyone
# on the path can hand yum a hostile repository definition; serve the .repo
# files over HTTPS and keep gpgcheck=1 in them.
#mv /etc/yum.repos.d/* /tmp/
#wget -P /etc/yum.repos.d/ http://yum.xxx.xxx/{CentOS-Base.repo,epel.repo}
yum clean all
# Build toolchain plus convenience tools. ftp and telnet are clear-text
# protocol clients: handy for debugging, but they also hand an attacker who
# lands on the box ready-made tools for lateral movement — omit them on
# hosts that do not need them.
yum install -y vim gcc gcc-c++ openssl-devel python-devel lrzsz tree ftp telnet
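#1.del_user_group_config
# Remove legacy accounts and groups this image does not need.
# Fixes relative to the original:
#  * the membership test anchors on "^name:" — the original grep matched
#    "$i" anywhere in the line, so e.g. "adm" also matched "admin" and "lp"
#    matched "help", and userdel/groupdel were run for names that did not
#    exist as accounts;
#  * success is logged only if every deletion succeeded — the original
#    tested $? after the loop, which only reflected the last command run;
#  * the lists are no longer kept in USER, which overwrote the shell's own
#    $USER for the rest of the script.
# account_exists NAME FILE — true if FILE (passwd/group format) has an
# entry whose first field is exactly NAME.
account_exists() {
  grep -qs "^$1:" "$2"
}
unused_users=(adm lp shutdown halt uucp operator games gopher)
unused_groups=(adm lp dip)
del_rc=0
for acct in "${unused_users[@]}"; do
  if account_exists "$acct" /etc/passwd; then
    /usr/sbin/userdel "$acct" || del_rc=1
  else
    echo "$acct is no exist"
  fi
done
for grp in "${unused_groups[@]}"; do
  if account_exists "$grp" /etc/group; then
    /usr/sbin/groupdel "$grp" || del_rc=1
  else
    echo "$grp is no exist"
  fi
done
if [ "$del_rc" -eq 0 ]; then
  echo "$DATE [del_user_group_config] is [success]" >> /root/${INIT_LOG}
fi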
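#2.add_users_config
# Create the admin account with a fixed UID (1001) and add it to GID 10
# (wheel on CentOS 6). Original comment: "specify the UID; the password must
# not appear in clear text".
#
# The original set the password by sed-editing /etc/shadow with a SHA-512
# hash embedded in the script. Because the script is published, every host
# built from it shares one credential whose hash is world-readable: anyone
# can crack it offline and then owns a NOPASSWD-sudo account on all of them.
# The hash is therefore taken from the environment (INIT_USER_HASH, e.g. the
# output of `grub-crypt --sha-512` on CentOS 6) and fed to chpasswd -e over
# stdin, which keeps it out of argv/ps and out of this file. If no hash is
# supplied the account stays in the locked state useradd creates it in
# ("!!") and a warning is printed, so the host never ends up with a known
# password.
init_user=yanconggod
/usr/sbin/useradd -u 1001 -m -G 10 "$init_user"
# shadow_entry USER HASH — one chpasswd -e input line, "USER:HASH".
shadow_entry() {
  printf '%s:%s\n' "$1" "$2"
}
if [ -n "${INIT_USER_HASH:-}" ]; then
  shadow_entry "$init_user" "$INIT_USER_HASH" | /usr/sbin/chpasswd -e
else
  echo "add_users_config: INIT_USER_HASH not set; $init_user created but left locked (set a password with passwd)" >&2
fi
# Anchor on "^name:" so a longer account name containing this one does not
# count as a match (the original grep matched anywhere in the line).
if grep -qs "^${init_user}:" /etc/passwd; then
  echo "$DATE $init_user is added success" >> /root/${INIT_LOG}
fi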
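#3.sudoer_config
# Grant the admin account sudo.
# The original appended two lines to /etc/sudoers with echo and never
# validated the result: one typo there breaks sudo for every user, and each
# rerun appended the lines again. This writes a drop-in under /etc/sudoers.d
# instead (the stock CentOS 6 sudoers ends with "#includedir /etc/sudoers.d";
# a warning is printed if that line is missing), checks it with visudo -c
# first, and installs it 0440 root:root as sudo requires.
# NOTE(review): "NOPASSWD: ALL" makes this account root-equivalent with no
# second secret — whoever obtains its SSH key or password has root. Drop
# NOPASSWD unless unattended automation genuinely needs it.
# sudoers_fragment — the two sudoers lines, one per line.
sudoers_fragment() {
  printf '%s\n' 'User_Alias SYSADMINS = yanconggod' 'SYSADMINS ALL=(ALL) NOPASSWD: ALL'
}
# Allow sudo from sessions without a tty (ssh host cmd, cron), as before.
sed -i 's/Defaults requiretty/#Defaults requiretty/g' /etc/sudoers
if ! grep -q '^#includedir /etc/sudoers.d' /etc/sudoers 2>/dev/null; then
  echo "sudoer_config: /etc/sudoers has no '#includedir /etc/sudoers.d'; the drop-in will be ignored until that line is added" >&2
fi
sudo_dropin=/etc/sudoers.d/sysadmins
if sudo_tmp=$(mktemp); then
  sudoers_fragment > "$sudo_tmp"
  if visudo -cf "$sudo_tmp" >/dev/null 2>&1; then
    mkdir -p -m 0750 /etc/sudoers.d
    install -m 0440 -o root -g root "$sudo_tmp" "$sudo_dropin"
    echo "$DATE [sudoer_config] is [success]" >> /root/${INIT_LOG}
  else
    echo "sudoer_config: generated sudoers fragment failed 'visudo -c'; not installed" >&2
  fi
  rm -f "$sudo_tmp"
else
  echo "sudoer_config: mktemp failed; sudoers left unchanged" >&2
fi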
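#4.limits_config
# Raise the open-file and process limits for all accounts (pam_limits).
# Bug fix: the original wrote "noproc", which is not a limits.conf item —
# the item is "nproc" (see limits.conf(5)) — so pam_limits rejected those
# two lines and the process limit was never raised. Lines are also added
# only if absent, so a rerun does not pile up duplicates.
limits_conf=/etc/security/limits.conf
# append_limit FILE LINE — append LINE to FILE unless FILE already contains
# exactly that line.
append_limit() {
  if ! grep -qxF -- "$2" "$1" 2>/dev/null; then
    printf '%s\n' "$2" >> "$1"
  fi
}
for limit_line in "* soft nofile 65535" "* hard nofile 65535" \
                  "* soft nproc 65535" "* hard nproc 65535"; do
  append_limit "$limits_conf" "$limit_line"
done
# CentOS 6 ships /etc/security/limits.d/90-nproc.conf with a 1024 nproc
# cap; files in limits.d override limits.conf, so lift that cap too.
sed -i '/1024/s/1024/65535/g' /etc/security/limits.d/90-nproc.conf
echo "$DATE [limits_config] is [success]" >> /root/${INIT_LOG}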
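#5.sysctl_config
# Kernel network tuning: SYN-flood protection, faster TIME_WAIT turnover,
# larger backlogs and socket buffers, reverse-path filtering, and shorter
# keepalive/retry timers.
# NOTE(review): tcp_tw_recycle=1 makes the kernel drop SYNs whose timestamps
# go backwards per source IP, which breaks clients behind NAT or a load
# balancer (many clients share one source IP). It is a well-known cause of
# intermittent connection failures and was removed from Linux in 4.12;
# tcp_tw_reuse=1 alone is normally sufficient.
# set_sysctl KEY VALUE [FILE] — set "KEY = VALUE" in FILE (default
# /etc/sysctl.conf), replacing an existing line for KEY instead of appending
# another. The original appended every key unconditionally, so each rerun
# left a further set of duplicate (and possibly conflicting) lines.
set_sysctl() {
  local key=$1 value=$2 file=${3:-/etc/sysctl.conf} key_re
  key_re=${key//./\\.}
  if grep -q "^[[:space:]]*${key_re}[[:space:]]*=" "$file" 2>/dev/null; then
    sed -i "s|^[[:space:]]*${key_re}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}
while read -r key value; do
  set_sysctl "$key" "$value"
done <<'EOF'
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_fin_timeout 30
net.ipv4.tcp_tw_recycle 1
net.ipv4.tcp_tw_reuse 1
net.ipv4.tcp_max_syn_backlog 4096
net.core.netdev_max_backlog 10240
net.ipv4.icmp_echo_ignore_broadcasts 1
net.core.somaxconn 2048
net.core.wmem_default 8388608
net.core.rmem_default 8388608
net.core.rmem_max 16777216
net.core.wmem_max 16777216
net.ipv4.conf.all.rp_filter 1
net.ipv4.tcp_keepalive_time 300
net.ipv4.tcp_synack_retries 2
net.ipv4.tcp_syn_retries 2
net.ipv4.ip_local_port_range 5000 65000
EOF
sysctl -p
echo "$DATE [sysctl_config] is [success]" >> /root/${INIT_LOG}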
#6.history_config
# Keep 2000 commands of shell history for every login shell.
# Sourcing /etc/profile only re-reads it into this script's own shell;
# sessions already logged in pick the value up at their next login.
# The line is appended unconditionally, exactly as in the original, so a
# rerun adds a duplicate export.
printf '%s\n' "export HISTSIZE=2000" >> /etc/profile
. /etc/profile
printf '%s\n' "$DATE [history_config] is [success]" >> "/root/${INIT_LOG}"
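#7.pass_length and login count limit
# Lock an account for 300 s after 5 consecutive failed logins (pam_tally2).
# NOTE(review): the commented-out login.defs edits target fixed line numbers
# (25, 27); if they are revived, edit by key instead, e.g.
# sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' and likewise PASS_MIN_LEN 8,
# so the result does not depend on the file's layout.
#sed -i '25s/99999/90/g' /etc/login.defs
#sed -i '27s/5/8/g' /etc/login.defs
#
# Changes from the original single "sed -i '5i ...'":
#  * the rule is placed before the "auth ... pam_unix.so" line instead of at
#    line 5, so it lands in the right place whatever the file layout, and it
#    is not added a second time on a rerun;
#  * an "account required pam_tally2.so" line is added as well — per the
#    pam_tally2 man page that is what resets the counter after a successful
#    login; without it the count only ever grows and the account locks after
#    five failures over its whole lifetime;
#  * the module is named without the /lib64/security path (wrong on 32-bit;
#    PAM searches its module directory by default);
#  * sed runs with --follow-symlinks: on authconfig-managed hosts
#    system-auth is a symlink to system-auth-ac, and plain sed -i would
#    replace the symlink with a regular file.
# NOTE(review): authconfig rewrites system-auth-ac and will drop these lines
# if it is run later; and root is not subject to the lockout unless
# even_deny_root is added to the auth rule.
# insert_pam_rule FILE TYPE RULE — add RULE before the "TYPE ... pam_unix.so"
# line of FILE unless FILE already has a pam_tally2 rule of that TYPE.
insert_pam_rule() {
  local file=$1 type=$2 rule=$3
  if grep -q "^${type}[[:space:]].*pam_tally2\.so" "$file" 2>/dev/null; then
    return 0
  fi
  sed -i --follow-symlinks "/^${type}[[:space:]].*pam_unix\.so/i ${rule}" "$file"
}
pam_system_auth=/etc/pam.d/system-auth
if [ -f "$pam_system_auth" ]; then
  insert_pam_rule "$pam_system_auth" auth    'auth        required      pam_tally2.so deny=5 unlock_time=300'
  insert_pam_rule "$pam_system_auth" account 'account     required      pam_tally2.so'
fi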
#8.disable_selinux_config
# Turn SELinux off: permanently in /etc/selinux/config (effective from the
# next boot) and immediately with setenforce 0.
# NOTE(review): this removes mandatory access control from every service on
# the host. "permissive" keeps the policy loaded and logs denials without
# enforcing — the usual troubleshooting stance — whereas "disabled" also
# means re-enabling later needs a full filesystem relabel.
# setenforce 0 returns non-zero when SELinux is already disabled; that is
# ignored, as in the original.
selinux_cfg=/etc/selinux/config
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' "$selinux_cfg"
setenforce 0
printf '%s\n' "$DATE [disable_selinux_config] is [success]" >> "/root/${INIT_LOG}"
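#9.ntp_config
# Step the clock every five minutes from cron.
# The original wrote straight into /var/spool/cron/root and then tested $?
# after a completed "if", which is always 0, so the success line was logged
# even when nothing had been written. This goes through crontab(1), which
# validates the entry and replaces the spool file atomically, refuses to run
# as a non-root user (crontab - would edit that user's crontab, not root's),
# and logs success only when the job is really present afterwards.
# NOTE(review): ntpdate is plain, unauthenticated NTP over UDP; an on-path
# attacker can step the clock, which skews log timestamps and TLS/Kerberos
# validity checks. Prefer ntpd/chronyd with several (ideally internal)
# sources on hosts that matter.
ntp_cron_line='*/5 * * * * /usr/sbin/ntpdate -s ntp1.aliyun.com > /dev/null 2>&1'
# cron_has_ntpdate — true if the crontab text on stdin already has an ntpdate job.
cron_has_ntpdate() {
  grep -q ntpdate
}
if [ "$(id -u)" -ne 0 ]; then
  echo "ntp_config: must run as root; crontab not changed" >&2
elif ! crontab -l 2>/dev/null | cron_has_ntpdate; then
  { crontab -l 2>/dev/null; printf '%s\n' "$ntp_cron_line"; } | crontab -
fi
if [ "$(id -u)" -eq 0 ] && crontab -l 2>/dev/null | cron_has_ntpdate; then
  echo "$DATE [ntp_config] is [success]" >> /root/${INIT_LOG}
fi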
#10.maxlogins_config
# Cap the admin account at 10 concurrent logins (pam_limits "maxlogins").
# Appended unconditionally, as in the original, so a rerun adds a duplicate.
maxlogins_rule="yanconggod - maxlogins 10"
printf '%s\n' "$maxlogins_rule" >> /etc/security/limits.conf
printf '%s\n' "$DATE [maxlogins_config] is [success]" >> "/root/${INIT_LOG}"
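#11.disbled_ipv6_config
# Disable the IPv6 stack on CentOS 6: "options ipv6 disable=1" loads the
# module with the stack switched off and the net-pf-10 alias stops it being
# auto-loaded on demand. The file is dedicated to this snippet, so it is
# written with ">" — the original "cat >>" added another copy of both lines
# on every run. (This module option is CentOS/RHEL 6 specific; on newer
# kernels use the net.ipv6.conf.*.disable_ipv6 sysctls instead.)
# ipv6_modprobe_conf — print the modprobe.d snippet.
ipv6_modprobe_conf() {
  printf '%s\n' 'alias net-pf-10 off' 'options ipv6 disable=1'
}
ipv6_modprobe_conf > /etc/modprobe.d/disableipv6.conf
echo "$DATE [disble_ipv6_config] is [success]" >> /root/${INIT_LOG}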
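#12.character_config
# Set the system locale and console font.
# set_sysconfig_kv FILE KEY VALUE — replace any existing "KEY=" line in FILE
# with "KEY=VALUE", or append it. The original appended with "cat >>", so a
# rerun left two LANG= lines (the last one wins, but the stale value stays
# in the file and misleads the next reader).
set_sysconfig_kv() {
  local file=$1 key=$2 value=$3
  if [ -f "$file" ]; then
    sed -i "/^${key}=/d" "$file"
  fi
  printf '%s=%s\n' "$key" "$value" >> "$file"
}
set_sysconfig_kv /etc/sysconfig/i18n LANG '"en_US.UTF-8"'
set_sysconfig_kv /etc/sysconfig/i18n SYSFONT '"latarcyrheb-sun16"'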
#13.disable_service_config
# Stop these services from starting at boot.
# NOTE(review): two of them are security controls rather than noise —
# auditd is the kernel audit trail (with it off there is no record of
# privileged activity for incident response) and iptables/ip6tables is the
# host firewall, so every listening port becomes reachable. The commented
# "iptables -F/-X" would also wipe the live rule set. Keep auditd and the
# firewall enabled unless another control demonstrably covers them.
# blk-availability/lvm2-monitor/netfs/udev-post matter on hosts using LVM
# snapshots or NFS mounts — confirm before disabling there.
unwanted_services=(auditd blk-availability ip6tables iptables lvm2-monitor netfs udev-post)
for svc in "${unwanted_services[@]}"; do
  chkconfig "$svc" off
  #iptables -F
  #iptables -X
done
printf '%s\n' "$DATE [disable_service_config] is [success]" >> "/root/${INIT_LOG}"
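#15.DNS config
# Point hosts on the 10.0.x.x / 10.1.x.x networks at the internal resolver.
# first_inet_prefix — read ifconfig output on stdin and print the first two
# octets of the first non-loopback IPv4 address ("10.0" for 10.0.3.7), or
# nothing if there is none. Handles the CentOS 6 net-tools layout
# ("inet addr:10.0.3.7  Bcast:...") and the newer one ("inet 10.0.3.7  netmask ...").
# The original pipeline produced one line per interface and fed them all,
# unquoted, into "[ ... -o ... ]": on any host with more than one interface
# that is a "too many arguments" error, and with no address at all it is a
# "unary operator expected" error — in both cases resolv.conf was silently
# left alone.
first_inet_prefix() {
  awk '$1 == "inet" && $0 !~ /127\.0\.0\.1/ {
         ip = $2
         sub(/^addr:/, "", ip)
         split(ip, o, ".")
         print o[1] "." o[2]
         exit
       }'
}
net_prefix=$(ifconfig 2>/dev/null | first_inet_prefix)
echo "$net_prefix"
if [[ "$net_prefix" == "10.0" || "$net_prefix" == "10.1" ]]; then
  # NOTE(review): a single hard-coded resolver with no fallback; if 10.0.0.1
  # is down, name resolution on this host stops with it.
  cat > /etc/resolv.conf <<'EOF'
nameserver 10.0.0.1
#nameserver 1.1.1.2
#nameserver 1.1.1.3
EOF
fi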
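#16.sshd_config
# Tighten sshd a little, then restart it.
# harden_sshd_config FILE — apply the three edits to an sshd_config file:
# state Port 22 explicitly, force protocol 2 only, and turn off reverse-DNS
# lookups of clients (UseDNS), which slow logins without adding anything
# to authentication.
harden_sshd_config() {
  local cfg=$1
  sed -i "s/#Port 22/Port 22/g" "$cfg"
  sed -i "s/^#Protocol 2/Protocol 2/g" "$cfg"
  sed -i "s/#UseDNS yes/UseDNS no/g" "$cfg"
}
# NOTE(review): PermitRootLogin is left at the CentOS 6 default (the
# commented "#PermitRootLogin yes" in the stock file), so root stays
# reachable directly over SSH with a password even though the admin account
# already has NOPASSWD sudo. The first commented line below is the one to
# enable once that account has been verified to work.
#sed 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config -i
#sed 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config -i
#sed 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/ssh_config -i
harden_sshd_config /etc/ssh/sshd_config
# Validate before restarting: with a bad sshd_config, "restart" stops the
# daemon and then fails to start it, which on a remote host means being
# locked out. The original restarted unconditionally.
if /usr/sbin/sshd -t; then
  /etc/init.d/sshd restart
  echo "$DATE [sshd_config] is [success]" >> /root/${INIT_LOG}
else
  echo "sshd_config: 'sshd -t' rejected /etc/ssh/sshd_config; sshd NOT restarted" >&2
fi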
#17. reboot_system
# Ask before rebooting. Only an exact, lower-case "yes" reboots; "no" ends
# the run; anything else (including an empty answer) prints a hint and the
# script simply falls off the end without rebooting.
# NOTE(review): read is used without -r here, as in the original, so a
# backslash in the answer is interpreted rather than kept.
read -p "Do you want to reboot the system?" want
if [ "$want" = "yes" ]; then
  echo "reboot now!"
  reboot
elif [ "$want" = "no" ]; then
  echo "init over!"
else
  echo "please useage yes or no! thanks"
fi
本文转自 yanconggod 51CTO博客,原文链接:http://blog.51cto.com/yanconggod/1890698