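#!/bin/bash
#################################################
# --Info
# Initialization CentOS 7.x script
#
# Usage: run as root on a freshly installed CentOS 7 host.
# Optional env: YUNWEI_PASSWORD - initial password for the yunwei account.
#   When unset the account is created without a usable password and must
#   receive one (or an SSH key) out of band.
#################################################
# Auther: shaonbean@qq.com
# Changelog:
# 20180710 wanghui initial create
#################################################
# Check if user is root
#
if [[ "$(id -u)" -ne 0 ]]; then
  echo "Error: You must be root to run this script, please use root to initialization OS." >&2
  exit 1
fi

echo "+------------------------------------------------------------------------+"
echo "| To initialization the system for security and performance |"
echo "+------------------------------------------------------------------------+"

# add yunwei user
#######################################
# Create the yunwei operations account used by the jumpserver.
# Globals:   YUNWEI_PASSWORD (read) - initial password; empty means no
#            password is set.
# Outputs:   progress on stdout, warnings on stderr
# Returns:   0 if the account exists or was fully created, non-zero otherwise
#######################################
user_add()
{
  # add yunwei for jumpserver
  # id(1) succeeds only when the account already exists; the original test
  # was inverted and ran useradd against an existing account.
  if id -u yunwei >/dev/null 2>&1; then
    echo "yunwei user is exist."
    return 0
  fi
  useradd -s /bin/bash -d /home/yunwei -m yunwei || return 1
  if [[ -n "${YUNWEI_PASSWORD:-}" ]]; then
    # the password travels on stdin, so it never shows up in the process list
    printf '%s\n' "$YUNWEI_PASSWORD" | passwd --stdin yunwei || return 1
  else
    echo "Warning: YUNWEI_PASSWORD not set; yunwei created with no usable password." >&2
  fi
  # passwordless sudo gives this account full root: keep the drop-in
  # root-owned and 0440, and let visudo reject a malformed file.
  printf '%s\n' "yunwei ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/yunwei \
    && chmod 0440 /etc/sudoers.d/yunwei \
    && visudo -cf /etc/sudoers.d/yunwei
}

# update system & install packages
#######################################
# Enable EPEL, update the system and install the admin tool set.
# Outputs:   yum progress on stdout
# Returns:   exit status of the final tool install
#######################################
system_update(){
  echo "*** Starting update system && install tools package... ***"
  # duplicates (tree, net-tools) dropped; egrep ships in the base grep
  # package and is not a package of its own.
  local -a tools=(rsync wget vim openssh-clients iftop htop iotop sysstat lsof
    telnet traceroute tree man iptraf lrzsz net-tools dstat ntpdate dos2unix git)
  yum -y install epel-release && yum -y update
  yum clean all && yum makecache
  if yum -y install "${tools[@]}"; then
    echo "System upgrade && install packages complete."
  fi
}

# Set timezone synchronization
#######################################
# Set the zone to Asia/Shanghai and point chrony at the internal NTP server.
# Outputs:   progress on stdout
# Returns:   0 when chrony was reconfigured and restarted
#######################################
timezone_config()
{
  echo "Setting timezone..."
  if timedatectl | grep -q "Asia/Shanghai"; then
    echo "System timezone is Asia/Shanghai."
  else
    timedatectl set-local-rtc 0 && timedatectl set-timezone Asia/Shanghai
  fi
  # config chrony
  yum -y install chrony && systemctl start chronyd.service && systemctl enable chronyd.service
  # add the hosts entry only once so re-runs do not pile up duplicates
  grep -qF 'time.aniu.so' /etc/hosts || sed -i '$a 192.168.0.205 time.aniu.so' /etc/hosts
  # NOTE(review): only the first pool entry is replaced; any other
  # *.centos.pool.ntp.org lines in chrony.conf stay active.
  sed -i 's/server 0.centos.pool.ntp.org iburst/server time.aniu.so iburst/g' /etc/chrony.conf || return 1
  # chronyd was started before the edit; restart so the new server is used
  systemctl restart chronyd.service \
    && echo "Setting timezone && Sync network time complete."
}

# disable selinux
#######################################
# Disable SELinux now and at the next boot.
# NOTE(review): this removes the mandatory access control layer entirely;
# SELINUX=permissive keeps the audit trail without blocking anything.
# Outputs:   completion message on stdout
#######################################
selinux_config()
{
  # match whatever the current mode is, not only "enforcing"
  sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
  # setenforce exits non-zero when SELinux is already disabled at boot
  if [[ "$(getenforce 2>/dev/null)" != "Disabled" ]]; then
    setenforce 0
  fi
  echo "Disable selinux complete."
}

# ulimit config
#######################################
# Raise process and open-file limits for all users.
# Outputs:   progress on stdout
# Returns:   0 when the limits are present (already there or just appended)
#######################################
ulimit_config()
{
  echo "Starting config ulimit..."
  # append only once; the original grew limits.conf on every run
  if grep -q '^\* hard nofile 8192' /etc/security/limits.conf; then
    echo "Ulimit already configured."
    return 0
  fi
  # NOTE(review): on CentOS 7 /etc/security/limits.d/20-nproc.conf may
  # override the nproc values for non-root users — verify on the target.
  if cat >> /etc/security/limits.conf <<EOF
* soft nproc 8192
* hard nproc 8192
* soft nofile 8192
* hard nofile 8192
EOF
  then
    echo "Ulimit config complete!"
  fi
}

# sshd config
#######################################
# Move sshd to port 54077 and turn off reverse DNS lookups.
# Outputs:   progress on stdout, validation errors on stderr
# Returns:   1 if the resulting sshd_config does not validate
#######################################
sshd_config(){
  echo "Starting config sshd..."
  sed -i '/^#Port/s/#Port 22/Port 54077/g' /etc/ssh/sshd_config
  #sed -i "$ a\ListenAddress 0.0.0.0:21212\nListenAddress 0.0.0.0:22 " /etc/ssh/sshd_config
  sed -i '/^#UseDNS/s/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
  #sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
  #sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
  # Validate before restarting: a broken config would leave no way back in.
  # NOTE(review): this function does not open 54077 in firewalld nor label it
  # ssh_port_t for SELinux; keep the current session open until the new port
  # is confirmed reachable.
  if ! /usr/sbin/sshd -t; then
    echo "Error: sshd_config failed validation, sshd not restarted." >&2
    return 1
  fi
  systemctl restart sshd && echo "SSH config complete."
}

# firewalld config
#######################################
# Stop and disable firewalld when the package is installed.
# NOTE(review): with no host firewall, every listening service (including
# sshd on its new port) is reachable from wherever the network allows.
# Outputs:   progress on stdout
#######################################
disable_firewalld(){
  echo "Starting disable firewalld..."
  # ask rpm for the package directly instead of grepping the full list
  if rpm -q firewalld >/dev/null 2>&1; then
    systemctl stop firewalld && systemctl disable firewalld \
      && echo "Disable firewalld complete."
  else
    echo "Firewalld not install."
  fi
}

# vim config
#######################################
# Append a dark background and an F9 paste toggle to the system vimrc.
# Outputs:   progress on stdout
#######################################
vim_config() {
  echo "Starting vim config..."
  if grep -q pastetoggle /etc/vimrc; then
    echo "vim already config"
  else
    sed -i '$ a\set bg=dark\nset pastetoggle=<F9>' /etc/vimrc
  fi
}

# sysctl config
#######################################
# Replace /etc/sysctl.conf with the tuned/hardened kernel parameters.
# Outputs:   progress on stdout
# Returns:   exit status of sysctl -p
#######################################
config_sysctl() {
  echo "Starting config sysctl..."
  # keep the first pristine copy rather than overwriting the backup each run
  [[ -e /etc/sysctl.conf.bak ]] || /usr/bin/cp -af /etc/sysctl.conf /etc/sysctl.conf.bak
  # Whole-file replace: lines appended by disable_ipv6 are dropped until
  # disable_ipv6 runs again.
  # NOTE(review): vm.swappiness = 0 on the 3.10 kernel all but disables
  # swapping; only the conf.all.* keys are set, conf.default.* (new
  # interfaces) are left at kernel defaults — confirm both are intended.
  # icmp_echo_ignore_broadcasts is 1 so the host does not answer broadcast
  # echo requests (the referenced hardening guide sets the same).
  cat > /etc/sysctl.conf << EOF
vm.swappiness = 0
vm.dirty_ratio = 80
vm.dirty_background_ratio = 5
fs.file-max = 2097152
fs.suid_dumpable = 0
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 262144
net.core.optmem_max = 25165824
net.core.rmem_default = 31457280
net.core.rmem_max = 67108864
net.core.wmem_default = 31457280
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
EOF

  # eg:https://www.vultr.com/docs/securing-and-hardening-the-centos-7-kernel-with-sysctl
  # set kernel parameters work
  /usr/sbin/sysctl -p && echo "Sysctl config complete."
}

# ipv6 config
#######################################
# Disable IPv6 in the kernel and restrict sshd to IPv4.
# Outputs:   progress on stdout
# Returns:   exit status of the sshd validation/restart
#######################################
disable_ipv6() {
  echo "Starting disable ipv6..."
  # guard both appends so repeated runs do not duplicate the lines
  grep -q '^net.ipv6.conf.all.disable_ipv6' /etc/sysctl.conf \
    || sed -i '$ a\net.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv6.conf.default.disable_ipv6 = 1' /etc/sysctl.conf
  /usr/sbin/sysctl -p
  grep -q '^AddressFamily' /etc/ssh/sshd_config \
    || sed -i '$ a\AddressFamily inet' /etc/ssh/sshd_config
  # validate before restarting so a bad directive cannot lock us out
  /usr/sbin/sshd -t && systemctl restart sshd
}

# password config
#######################################
# Require passwords of at least 8 characters with a lowercase letter.
# Outputs:   progress on stdout
# Returns:   exit status of the last authconfig call
#######################################
password_config() {
  # /etc/login.defs
  # The key and value are normally tab-separated on CentOS 7, so the old
  # literal "PASS_MIN_LEN 5" never matched; accept any whitespace/value.
  sed -i 's/^\(PASS_MIN_LEN\)[[:space:]]\+[0-9]\+/\1\t8/' /etc/login.defs
  # NOTE(review): with pam_pwquality (CentOS 7 default) the login.defs value
  # is not what passwd enforces; the authconfig minlen below is.
  authconfig --passminlen=8 --update
  authconfig --enablereqlower --update && echo "Config password rule complete."
}

# disable no use service
#######################################
# Stop and disable postfix when it is installed.
# Outputs:   progress on stdout
#######################################
disable_serivces() {
  # systemctl stop/disable fail when postfix is absent; check first
  if rpm -q postfix >/dev/null 2>&1; then
    systemctl stop postfix && systemctl disable postfix \
      && echo "Disable postfix service complete."
  else
    echo "Postfix not install."
  fi
}

#main function
#######################################
# Run every step in order. disable_firewalld now precedes sshd_config so the
# new ssh port is not filtered in between; disable_ipv6 must stay after
# config_sysctl because the latter rewrites /etc/sysctl.conf.
#######################################
main(){
  user_add
  system_update
  timezone_config
  selinux_config
  ulimit_config
  disable_firewalld
  sshd_config
  vim_config
  config_sysctl
  disable_ipv6
  password_config
  disable_serivces
}
# execute main functions (skipped when the file is sourced, e.g. for testing)
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
  echo "+------------------------------------------------------------------------+"
  echo "| To initialization system all completed !!! |"
  echo "+------------------------------------------------------------------------+"
fi
————————————————
版权声明:本文为CSDN博主「诸葛冰玄」的原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/embrace99999/article/details/81132443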
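#!/bin/bash
#################################################
# --Info
# Initialization CentOS 7.x script
#
# Usage: run as root on a freshly installed CentOS 7 host.
#################################################
# Auther: shaonbean@qq.com
# Changelog:
# 20180710 wanghui initial create
#################################################
# Check if user is root
#
# quoted substitution and [[ ]] so an empty/odd id output cannot break the test
if [[ "$(id -u)" -ne 0 ]]; then
  echo "Error: You must be root to run this script, please use root to initialization OS." >&2
  exit 1
fi

echo "+------------------------------------------------------------------------+"
echo "| To initialization the system for security and performance |"
echo "+------------------------------------------------------------------------+"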
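# add yunwei user
#######################################
# Create the yunwei operations account used by the jumpserver.
# Globals:   YUNWEI_PASSWORD (read) - initial password; when unset the
#            account is created without a usable password and must get one
#            (or an SSH key) out of band.
# Outputs:   progress on stdout, warnings on stderr
# Returns:   0 if the account exists or was fully created, non-zero otherwise
#######################################
user_add()
{
  # add yunwei for jumpserver
  # id(1) succeeds only when the account already exists; the original test
  # was inverted and ran useradd against an existing account.
  if id -u yunwei >/dev/null 2>&1; then
    echo "yunwei user is exist."
    return 0
  fi
  useradd -s /bin/bash -d /home/yunwei -m yunwei || return 1
  if [[ -n "${YUNWEI_PASSWORD:-}" ]]; then
    # the password travels on stdin, so it never shows up in the process list
    printf '%s\n' "$YUNWEI_PASSWORD" | passwd --stdin yunwei || return 1
  else
    echo "Warning: YUNWEI_PASSWORD not set; yunwei created with no usable password." >&2
  fi
  # passwordless sudo gives this account full root: keep the drop-in
  # root-owned and 0440, and let visudo reject a malformed file.
  printf '%s\n' "yunwei ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/yunwei \
    && chmod 0440 /etc/sudoers.d/yunwei \
    && visudo -cf /etc/sudoers.d/yunwei
}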
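# update system & install packages
#######################################
# Enable EPEL, update the system and install the admin tool set.
# Outputs:   yum progress on stdout
# Returns:   exit status of the final tool install
#######################################
system_update(){
  echo "*** Starting update system && install tools package... ***"
  # duplicates (tree, net-tools) dropped; egrep ships in the base grep
  # package and is not a package of its own.
  local -a tools=(rsync wget vim openssh-clients iftop htop iotop sysstat lsof
    telnet traceroute tree man iptraf lrzsz net-tools dstat ntpdate dos2unix git)
  yum -y install epel-release && yum -y update
  yum clean all && yum makecache
  if yum -y install "${tools[@]}"; then
    echo "System upgrade && install packages complete."
  fi
}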
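# Set timezone synchronization
#######################################
# Set the zone to Asia/Shanghai and point chrony at the internal NTP server.
# Outputs:   progress on stdout
# Returns:   0 when chrony was reconfigured and restarted
#######################################
timezone_config()
{
  echo "Setting timezone..."
  if timedatectl | grep -q "Asia/Shanghai"; then
    echo "System timezone is Asia/Shanghai."
  else
    timedatectl set-local-rtc 0 && timedatectl set-timezone Asia/Shanghai
  fi
  # config chrony
  yum -y install chrony && systemctl start chronyd.service && systemctl enable chronyd.service
  # add the hosts entry only once so re-runs do not pile up duplicates
  grep -qF 'time.aniu.so' /etc/hosts || sed -i '$a 192.168.0.205 time.aniu.so' /etc/hosts
  # NOTE(review): only the first pool entry is replaced; any other
  # *.centos.pool.ntp.org lines in chrony.conf stay active.
  sed -i 's/server 0.centos.pool.ntp.org iburst/server time.aniu.so iburst/g' /etc/chrony.conf || return 1
  # chronyd was started before the edit; restart so the new server is used
  systemctl restart chronyd.service \
    && echo "Setting timezone && Sync network time complete."
}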
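# disable selinux
#######################################
# Disable SELinux now and at the next boot.
# NOTE(review): this removes the mandatory access control layer entirely;
# SELINUX=permissive keeps the audit trail without blocking anything.
# Outputs:   completion message on stdout
#######################################
selinux_config()
{
  # match whatever the current mode is, not only "enforcing"
  sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
  # setenforce exits non-zero when SELinux is already disabled at boot
  if [[ "$(getenforce 2>/dev/null)" != "Disabled" ]]; then
    setenforce 0
  fi
  echo "Disable selinux complete."
}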
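# ulimit config
#######################################
# Raise process and open-file limits for all users.
# Outputs:   progress on stdout
# Returns:   0 when the limits are present (already there or just appended)
#######################################
ulimit_config()
{
  echo "Starting config ulimit..."
  # append only once; the original grew limits.conf on every run
  if grep -q '^\* hard nofile 8192' /etc/security/limits.conf; then
    echo "Ulimit already configured."
    return 0
  fi
  # NOTE(review): on CentOS 7 /etc/security/limits.d/20-nproc.conf may
  # override the nproc values for non-root users — verify on the target.
  if cat >> /etc/security/limits.conf <<EOF
* soft nproc 8192
* hard nproc 8192
* soft nofile 8192
* hard nofile 8192
EOF
  then
    echo "Ulimit config complete!"
  fi
}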
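# sshd config
#######################################
# Move sshd to port 54077 and turn off reverse DNS lookups.
# Outputs:   progress on stdout, validation errors on stderr
# Returns:   1 if the resulting sshd_config does not validate
#######################################
sshd_config(){
  echo "Starting config sshd..."
  sed -i '/^#Port/s/#Port 22/Port 54077/g' /etc/ssh/sshd_config
  #sed -i "$ a\ListenAddress 0.0.0.0:21212\nListenAddress 0.0.0.0:22 " /etc/ssh/sshd_config
  sed -i '/^#UseDNS/s/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
  #sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
  #sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
  # Validate before restarting: a broken config would leave no way back in.
  # NOTE(review): this function does not open 54077 in firewalld nor label it
  # ssh_port_t for SELinux; keep the current session open until the new port
  # is confirmed reachable.
  if ! /usr/sbin/sshd -t; then
    echo "Error: sshd_config failed validation, sshd not restarted." >&2
    return 1
  fi
  systemctl restart sshd && echo "SSH config complete."
}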
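# firewalld config
#######################################
# Stop and disable firewalld when the package is installed.
# NOTE(review): with no host firewall, every listening service (including
# sshd on its new port) is reachable from wherever the network allows.
# Outputs:   progress on stdout
#######################################
disable_firewalld(){
  echo "Starting disable firewalld..."
  # ask rpm for the package directly instead of grepping the full list
  if rpm -q firewalld >/dev/null 2>&1; then
    systemctl stop firewalld && systemctl disable firewalld \
      && echo "Disable firewalld complete."
  else
    echo "Firewalld not install."
  fi
}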
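# vim config
#######################################
# Append a dark background and an F9 paste toggle to the system vimrc.
# Outputs:   progress on stdout
#######################################
vim_config() {
  echo "Starting vim config..."
  # grep -q replaces the egrep + redirect-to-/dev/null + $? dance
  if grep -q pastetoggle /etc/vimrc; then
    echo "vim already config"
  else
    sed -i '$ a\set bg=dark\nset pastetoggle=<F9>' /etc/vimrc
  fi
}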
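# sysctl config
#######################################
# Replace /etc/sysctl.conf with the tuned/hardened kernel parameters.
# Outputs:   progress on stdout
# Returns:   exit status of sysctl -p
#######################################
config_sysctl() {
  echo "Starting config sysctl..."
  # keep the first pristine copy rather than overwriting the backup each run
  [[ -e /etc/sysctl.conf.bak ]] || /usr/bin/cp -af /etc/sysctl.conf /etc/sysctl.conf.bak
  # Whole-file replace: anything appended to sysctl.conf by other steps
  # (e.g. the ipv6 lines) is dropped until that step runs again.
  # NOTE(review): vm.swappiness = 0 on the 3.10 kernel all but disables
  # swapping; only the conf.all.* keys are set, conf.default.* (new
  # interfaces) are left at kernel defaults — confirm both are intended.
  # icmp_echo_ignore_broadcasts is 1 so the host does not answer broadcast
  # echo requests (the referenced hardening guide sets the same).
  cat > /etc/sysctl.conf << EOF
vm.swappiness = 0
vm.dirty_ratio = 80
vm.dirty_background_ratio = 5
fs.file-max = 2097152
fs.suid_dumpable = 0
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 262144
net.core.optmem_max = 25165824
net.core.rmem_default = 31457280
net.core.rmem_max = 67108864
net.core.wmem_default = 31457280
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
EOF

  # eg:https://www.vultr.com/docs/securing-and-hardening-the-centos-7-kernel-with-sysctl
  # set kernel parameters work
  /usr/sbin/sysctl -p && echo "Sysctl config complete."
}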
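# ipv6 config
#######################################
# Disable IPv6 in the kernel and restrict sshd to IPv4.
# Outputs:   progress on stdout
# Returns:   exit status of the sshd validation/restart
#######################################
disable_ipv6() {
  echo "Starting disable ipv6..."
  # guard both appends so repeated runs do not duplicate the lines
  grep -q '^net.ipv6.conf.all.disable_ipv6' /etc/sysctl.conf \
    || sed -i '$ a\net.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv6.conf.default.disable_ipv6 = 1' /etc/sysctl.conf
  /usr/sbin/sysctl -p
  grep -q '^AddressFamily' /etc/ssh/sshd_config \
    || sed -i '$ a\AddressFamily inet' /etc/ssh/sshd_config
  # validate before restarting so a bad directive cannot lock us out
  /usr/sbin/sshd -t && systemctl restart sshd
}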
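# password config
#######################################
# Require passwords of at least 8 characters with a lowercase letter.
# Outputs:   progress on stdout
# Returns:   exit status of the last authconfig call
#######################################
password_config() {
  # /etc/login.defs
  # The key and value are normally tab-separated on CentOS 7, so the old
  # literal "PASS_MIN_LEN 5" never matched; accept any whitespace/value.
  sed -i 's/^\(PASS_MIN_LEN\)[[:space:]]\+[0-9]\+/\1\t8/' /etc/login.defs
  # NOTE(review): with pam_pwquality (CentOS 7 default) the login.defs value
  # is not what passwd enforces; the authconfig minlen below is.
  authconfig --passminlen=8 --update
  authconfig --enablereqlower --update && echo "Config password rule complete."
}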
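# disable no use service
#######################################
# Stop and disable postfix when it is installed.
# (Name kept as spelled because main() calls it.)
# Outputs:   progress on stdout
#######################################
disable_serivces() {
  # systemctl stop/disable fail when postfix is absent; check first
  if rpm -q postfix >/dev/null 2>&1; then
    systemctl stop postfix && systemctl disable postfix \
      && echo "Disable postfix service complete."
  else
    echo "Postfix not install."
  fi
}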
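#main function
#######################################
# Run every step in order. disable_firewalld now precedes sshd_config so the
# new ssh port is not filtered in between; disable_ipv6 must stay after
# config_sysctl because the latter rewrites /etc/sysctl.conf.
#######################################
main(){
  user_add
  system_update
  timezone_config
  selinux_config
  ulimit_config
  disable_firewalld
  sshd_config
  vim_config
  config_sysctl
  disable_ipv6
  password_config
  disable_serivces
}
# execute main functions (skipped when the file is sourced, e.g. for testing)
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
  echo "+------------------------------------------------------------------------+"
  echo "| To initialization system all completed !!! |"
  echo "+------------------------------------------------------------------------+"
fi
————————————————
版权声明:本文为CSDN博主「诸葛冰玄」的原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/embrace99999/article/details/81132443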