##修改yum源,关闭selinux,关闭防火墙,关闭不必要的开机服务,添加用户,设置默认字符集UTF8
##时间同步,设置超时时间、文件打开数、历史指令,内核优化,ssh优化,隐藏系统版本号,锁定重要文件
#!/bin/bash
#set env
export PATH=$PATH:/bin:/sbin:/usr/sbin
if [ "$UID" != "0" ]
then
echo "please run this script by root."
exit 1
fi
#define cmd var
SERVICE=`which service`
CHKCONFIG=`which chkconfig`
yum install -y wget;
#
修改yum源
function mod_yum(){
if [ -e /etc/yum.repos.d/CentOS-Base.repo ]
then
mv /etc/yum.repos.d/CentOS-Base.repo/etc/yum.repos.d/CentOS-Base.repo.backup&&\
wget -O/etc/yum.repos.d/CentOS-Base.repohttp://mirrors.aliyun.com/repo/Centos-6.repo
fi
}
#
关闭selinux
function close_selinux(){
sed -i 's/SELINUX=enforcing/SELINUX=disabled' /etc/selinux/config
setenforce 0 &>/dev/null
}
#
关闭防火墙
function close_iptables(){
/etc/init.d/iptables stop
/etc/init.d/iptables stop
chkconfig iptables off
service firewalld stop
chkconfig firewalld off
}
#
关闭不必要的开机启动服务
function lease_service(){
chkconfig | awk '{print "chkconfig",$1,"off"}'|bash
chkconfig | egrep "crond|sshd|network|rsyslog|sysstat"|awk '{print"chkconfig",$1,"on"}'|bash
}
#
添加用户
function adduser(){
#4.add hat and sudo
if [ `grep -w hat /etc/passwd|wc -l`-lt 1 ]
then
useradd hat -g root
echo geeboo|passwd --stdinhat
\cp /etc/sudoers/etc/sudoers.ori
echo "hat ALL=(ALL)NOPASSWD: ALL " >>/etc/sudoers
tail -1 /etc/sudoers
visudo -c&>/dev/null
fi
}
#
设置默认字符集为中文
function charset(){
#5.charset config
cp /etc/sysconfig/i18n/etc/sysconfig/i18n.ori
echo'LANG="zh_CN.UTF-8"' >/etc/sysconfig/i18n
source /etc/sysconfig/i18n
#echo $LANG
}
#
时间同步
function time_sync(){
#6.time sync.
cron=/var/spool/cron/root
if [ `grep -w "ntpdate"$cron|wc -l` -lt 1 ]
then
echo "#time sync">>$cron
echo "*/5 * * * */usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1">>$cron
crontab -l
fi
}
function com_line_set(){
#7.command set.
if [ `egrep"TMOUT|HISTSIZE|HISTFILESIZE" /etc/profile|wc -l` -ge 3 ]
then
echo "export TMOUT=300">>/etc/profile
echo "exportHISTSIZE=5" >>/etc/profile
echo "export HISTFILESIZE=5">>/etc/profile
. /etc/profile
fi
}
#
设置打开文件数
function open_file_set(){
#8.increase open file.
if [ `grep 65535/etc/security/limits.conf|wc -l` -lt 1 ]
then
echo "* - nofile 65535 ">>/etc/security/limits.conf
tail -1/etc/security/limits.conf
fi
}
function set_kernel(){
#9.kernel set.
if [ `grep kernel_flag/etc/sysctl.conf|wc -l` -lt 1 ]
then
cat>>/etc/sysctl.conf<
#kernel_flag
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time =600
net.ipv4.ip_local_port_range =4000 65000
net.ipv4.tcp_max_syn_backlog =16384
net.ipv4.tcp_max_tw_buckets =36000
net.ipv4.route.gc_timeout =100
net.ipv4.tcp_syn_retries =1
net.ipv4.tcp_synack_retries =1
net.core.somaxconn = 16384
net.core.netdev_max_backlog =16384
net.ipv4.tcp_max_orphans =16384
net.nf_conntrack_max =25000000
net.netfilter.nf_conntrack_max =25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
sysctl -p
fi
}
#
优化SSH
function init_ssh(){
cp /etc/ssh/sshd_config/etc/ssh/sshd_config.`date +"%Y-%m-%d_%H-%M-%S"`;
sed -i "s%#Port 22%Port52113%" /etc/ssh/sshd_config;
#sed -i "s%#PermitRootLoginyes%PermitRootLogin no%" /etc/ssh/sshd_config;
sed -i "s%#PermitEmptyPasswordsno%PermitEmptyPasswords no%" /etc/ssh/sshd_config;
sed -i "s%#UseDNS yes%UseDNSno%" /etc/ssh/sshd_config;
sed -i "s%GSSAPIAuthenticationyes%GSSAPIAuthentication no%" /etc/ssh/sshd_config;
sed -i "s%GSSAPIAuthenticationyes%GSSAPIAuthentication no%" /etc/ssh/sshd_config;
#sed -i "$a\AllowUsers hat" /etc/ssh/sshd_config;
service sshd restart&>/dev/null;
echo "sshd:192.168.10.0/24">> /etc/hosts.allow;
echo "sshd:ALL" >>/etc/hosts.deny;
iptables -I INPUT -p tcp --dport 52113-j DROP;
iptables -I INPUT -p tcp --dport 52113-s 192.168.10.0/24 -j ACCEPT;
iptables save;
}
function update_linux(){
#10.upgrade linux.
if [ `rpm -qa lrzsz nmap treedos2unix nc|wc -l` -le 3 ]
then
yum install wget lrzsz nmap treedos2unix nc -y
#yum update -y
fi
}
main(){
mod_yum
close_selinux
close_iptables
least_service
adduser
charset
time_sync
com_line_set
open_file_set
set_kernel
init_ssh
update_linux
#
隐藏系统版本号
#> /etc/issue
#> /etc/issue.net
#
锁定关系系统文件
#chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
#
解锁chattr -i /etc/passwd /etc/shadow /etc/group/etc/gshadow /etc/inittab
#
修改chattr的名字mv /usr/bin/chattr/usr/bin/hat1
#
为grub加密
#/sbin/grub-md5-crypt
,生成密码,然后将密码加入/etc/grub.conf,password --md5 #密码
#
禁止被ping net.ipv4.icmp_echo_ignore_all=1
}
main
