CentOS 6.7 系統優化與加固腳本

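#!/bin/bash
# author wangqd
# description: this is a centos6.7 optimization script
# processname: upgrade system, trim boot services, install base packages,
#   record bash command timestamps, SELinux setting, su hardening, sshd
#   tuning, iptables rule, time sync, kernel parameters.
#
# Usage: <script> <admin_user> [password]
#   $1 - the account that will be created, added to the wheel group and made
#        the ONLY account allowed to log in over SSH.
#   $2 - initial password for $1. Passing it on argv exposes it to `ps` and to
#        the shell history of the operator; omit it and the script prompts on
#        the terminal instead.
#   SSH_PORT (env, optional) - sshd port to configure, default 58022.
#
# The script changes the SSH port, forbids root SSH login, limits SSH logins
# to $1 and reboots at the end. On a remote host make sure $1 and the new
# port are reachable (and the console is available as a fallback) first.

set -u

SSH_PORT="${SSH_PORT:-58022}"
readonly SSH_PORT
readonly NTP_SERVER="time.nist.gov"
readonly SSHD_CONFIG="/etc/ssh/sshd_config"
readonly IPTABLES_CONFIG="/etc/sysconfig/iptables"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless running as root. The original check only printed a message
# and carried on, so every later step failed with confusing errors.
#######################################
require_root() {
  if [[ "$(id -u)" != "0" ]]; then
    die "運行此腳本需要root權限!"
  fi
}

#######################################
# Apply all pending package updates. Output is discarded (the original sent
# it to /etc/null, which silently created a file in /etc).
#######################################
update_system() {
  if yum update -y >/dev/null; then
    echo "系統暫時無需更新"
  fi
}

#######################################
# Disable a SysV service at boot and report the outcome.
# Arguments: $1 - service name, $2 - description used in the messages
#######################################
disable_service() {
  local svc=$1 desc=$2
  if chkconfig "$svc" off; then
    echo "設置${desc}開機不自啓成功"
  else
    echo "設置${desc}開機不自啓失敗"
  fi
}

#######################################
# Disable a SysV service at boot only when its subsys lock file shows it is
# currently active; otherwise just report that it is not running.
# Arguments: $1 - service name, $2 - message when disabled,
#            $3 - message when the service was not active
#######################################
disable_if_running() {
  local svc=$1 disabled_msg=$2 inactive_msg=$3
  if [[ -f "/var/lock/subsys/${svc}" ]]; then
    chkconfig "$svc" off
    echo "$disabled_msg"
  else
    echo "$inactive_msg"
  fi
}

#######################################
# Turn off boot-time services the original script considers unnecessary.
#######################################
trim_services() {
  disable_service ip6tables "ipv6防火牆"
  disable_service iscsi "iscsi服務"
  disable_service iscsid "iscsi相關服務"
  disable_service netfs "NFS,smaba和NetWare網絡文件系統"

  # NOTE(review): disabling auditd removes the kernel audit trail that most
  # hardening baselines and incident investigations rely on. Kept because the
  # original script does it; consider leaving auditd enabled on any host that
  # matters for security. The lock-file test below only affects the message.
  chkconfig auditd off
  if [[ -f /var/lock/subsys/auditd ]]; then
    echo "linux的審計功能"
  else
    echo "linux的審計功能未開啓"
  fi

  disable_if_running nfslock \
    "關閉TCP/IP網絡共享文件的協議的NFS的文件鎖功能" \
    "TCP/IP網絡共享文件的協議的NFS的文件鎖功能未開啓"
  disable_if_running rpcgssd "關閉 NFS-rpcgssd" "NFS-rpcgssd服務未開啓"
  disable_if_running rpcbind "關閉RPC rpcbind服務" "RPC服務未開啓"
  disable_if_running rpcidmapd "關閉 rpcidmapd" "rpcidmapd服務未開啓"
  # NOTE(review): lvm2-monitor only matters for snapshot/mirror monitoring,
  # but verify the root filesystem is not on a monitored LV before relying
  # on this on a new host.
  disable_if_running lvm2-monitor \
    "關閉系統對Logical Volume Manager 邏輯磁區的支持" \
    "系統對Logical Volume Manager 邏輯磁區的支持未開"
  disable_if_running lldpad "關閉鄰近發現協議" "鄰近發現協議未開啓"
}

#######################################
# Install the base tool set. The "already installed" message is the
# original's wording for any non-zero yum exit status.
#   setuptool - text-mode setup menu
#   ntsysv - service enable/disable menu
#   system-config-firewall-tui / system-config-network-tui - TUI config tools
#######################################
install_base_packages() {
  if yum install -y setuptool ntsysv system-config-firewall-tui \
      system-config-network-tui cronie wget vim unzip openssh-clients \
      screen rsync ftp telnet >/dev/null; then
    echo "基本組件安裝完成"
  else
    echo "基本組件已安裝過"
  fi
}

#######################################
# Make bash record a timestamp for every history entry by exporting
# HISTTIMEFORMAT from /etc/profile. The lines are placed after the stock
# "export PATH USER ..." line; if that line is missing they go to the end of
# the file (an empty sed address in "${n}a" would append after EVERY line).
#######################################
configure_history_timestamps() {
  local marker='HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S"' anchor
  if grep -qF -- "$marker" /etc/profile; then
    echo "記錄每次bash命令的執行時間已經做過"
    return 0
  fi
  anchor=$(grep -n "export PATH USER" /etc/profile | tail -n1 | cut -d: -f1)
  sed -i "${anchor:-\$}a HISTTIMEFORMAT=\"%Y-%m-%d %H:%M:%S\"\nexport HISTTIMEFORMAT" /etc/profile
  echo "記錄每次bash命令的執行時間已經成功"
}

#######################################
# Set SELINUX=disabled in /etc/selinux/config (takes effect at the reboot
# performed at the end of the script).
# NOTE(review): this removes mandatory access control entirely. If the goal
# is only to stop denials from breaking services, SELINUX=permissive keeps
# the audit log of what would have been blocked; enforcing with targeted
# policy is the hardened choice.
# The original only rewrote "SELINUX=enforcing"; a "permissive" host produced
# an empty pattern and a broken sed expression, so any value is matched now.
#######################################
configure_selinux() {
  if grep -q "^SELINUX=disabled" /etc/selinux/config; then
    echo "已經做過安全配置"
  else
    sed -i "s/^SELINUX=.*/SELINUX=disabled/" /etc/selinux/config
    echo "服務器安全配置已經完成"
  fi
}

#######################################
# Require wheel-group membership for su (pam_wheel.so use_uid). Prefers
# uncommenting the stock "#auth required pam_wheel.so use_uid" line so PAM
# ordering stays as the distribution intended; otherwise appends after the
# last auth line. The original's test had a missing space before "]", so it
# always took the "not hardened" branch and appended a new line on every run.
#######################################
harden_su() {
  local pam_su=/etc/pam.d/su anchor
  if grep -Eq "^auth.*pam_wheel.so[[:space:]]+use_uid" "$pam_su"; then
    echo "su 已加固"
    return 0
  fi
  if grep -Eq "^#auth[[:space:]]+required[[:space:]]+pam_wheel.so[[:space:]]+use_uid" "$pam_su"; then
    sed -i -r "s/^#(auth[[:space:]]+required[[:space:]]+pam_wheel.so[[:space:]]+use_uid)/\1/" "$pam_su"
  else
    anchor=$(grep -n "^auth" "$pam_su" | tail -1 | cut -d: -f1)
    sed -i "${anchor:-\$}a auth      required    pam_wheel.so use_uid" "$pam_su"
  fi
  echo "su加固成功"
}

#######################################
# Ensure "<key> <value>" is the single active setting for <key> in
# sshd_config. Any active line for the key is removed and the new one is
# placed right after the commented default ("#<key> ..."); if no such
# comment exists it is appended at the end of the file instead of after
# every line (the original's empty sed address did exactly that and would
# have produced a config sshd cannot start with).
# Arguments: $1 - keyword, $2 - value,
#            $3 - message when already set, $4 - message after changing
#######################################
set_sshd_option() {
  local key=$1 value=$2 done_msg=$3 set_msg=$4 anchor
  if grep -Eq "^${key}[[:space:]]+${value}([[:space:]]|$)" "$SSHD_CONFIG"; then
    echo "$done_msg"
    return 0
  fi
  sed -i "/^${key}[[:space:]]/d" "$SSHD_CONFIG"
  anchor=$(grep -n "^#${key}[[:space:]]" "$SSHD_CONFIG" | head -1 | cut -d: -f1)
  sed -i "${anchor:-\$}a ${key} ${value}" "$SSHD_CONFIG"
  echo "$set_msg"
}

#######################################
# Apply the sshd hardening: non-default port, no root login, no empty
# passwords, GSSAPI authentication off, no reverse DNS, and restrict logins
# to a single account.
# Arguments: $1 - the account allowed to log in (must be non-empty; an empty
#            "AllowUsers" line makes sshd reject its configuration)
#######################################
configure_sshd() {
  local allowed_user=$1 anchor
  [[ -n "$allowed_user" ]] || die "AllowUsers 需要一個用戶名"

  set_sshd_option Port "$SSH_PORT" \
    "ssh端口號設置正確修改" "SSH已改爲${SSH_PORT}"
  set_sshd_option PermitRootLogin no \
    "ssh不允許root登錄功能已設置" "不允許root登錄ssh設置成功"
  set_sshd_option PermitEmptyPasswords no \
    "請查看ssh不允許空密碼登錄已被設置" "ssh不允許空密碼登錄設置成功"
  # GSSAPI (Kerberos) authentication, not DNS; the original comment was wrong.
  set_sshd_option GSSAPIAuthentication no \
    "禁用DNS已被設置" "禁用DNS設置成功"
  # UseDNS no: skip the reverse lookup that slows down logins.
  set_sshd_option UseDNS no \
    "禁用UseDNS已被設置" "禁用UseDNS設置成功"

  # Replace any existing AllowUsers lines with a single one for $1.
  if grep -q "^AllowUsers" "$SSHD_CONFIG"; then
    sed -i "/^AllowUsers/d" "$SSHD_CONFIG"
    echo "SSH的其他允許登錄的用戶已被刪除"
  else
    echo "ssh 無其他允許登錄的用戶"
  fi
  anchor=$(grep -n "^#" "$SSHD_CONFIG" | tail -1 | cut -d: -f1)
  if sed -i "${anchor:-\$}a AllowUsers ${allowed_user}" "$SSHD_CONFIG"; then
    echo "AllowUsers已設置用戶成功"
  else
    echo "AllowUsers設置用戶失敗"
  fi
}

#######################################
# Add an INPUT ACCEPT rule for the new sshd port to /etc/sysconfig/iptables.
# The rule is inserted after the stock port-22 rule (so it sits before the
# final REJECT); if that rule is absent it is inserted before the first
# COMMIT, never appended after COMMIT where iptables-restore would ignore it.
# The port-22 rule itself is left in place; remove it once login on the new
# port has been confirmed.
#######################################
open_firewall_port() {
  local rule="-A INPUT -m state --state NEW -m tcp -p tcp --dport ${SSH_PORT} -j ACCEPT" anchor
  if grep -q -- "--dport ${SSH_PORT} " "$IPTABLES_CONFIG"; then
    echo "${SSH_PORT} 已被設置請查看"
    return 0
  fi
  anchor=$(grep -n -- "--dport 22 " "$IPTABLES_CONFIG" | head -1 | cut -d: -f1)
  if [[ -n "$anchor" ]]; then
    sed -i "${anchor}a ${rule}" "$IPTABLES_CONFIG"
  else
    anchor=$(grep -n "^COMMIT" "$IPTABLES_CONFIG" | head -1 | cut -d: -f1)
    [[ -n "$anchor" ]] || die "無法在 ${IPTABLES_CONFIG} 中找到插入位置"
    sed -i "${anchor}i ${rule}" "$IPTABLES_CONFIG"
  fi
  echo "添加${SSH_PORT}端口成功"
}

#######################################
# Restart sshd and iptables. sshd's configuration is validated first: a
# restart (and the reboot at the end of the script) with an unparsable
# sshd_config would lock the operator out of a remote host.
#######################################
restart_ssh_and_firewall() {
  /usr/sbin/sshd -t || die "sshd 配置檢查失敗, 請修正 ${SSHD_CONFIG} 後再執行"
  if /etc/init.d/sshd restart; then
    echo "sshd已重啓"
  fi
  if /etc/init.d/iptables restart; then
    echo "iptables已重啓"
  fi
}

#######################################
# Install ntp, step the clock once from $NTP_SERVER and write it to the RTC.
#######################################
sync_time() {
  if yum install -y ntp >/dev/null; then
    echo "ntp服務已被安裝"
  fi
  if /usr/sbin/ntpdate "$NTP_SERVER"; then
    echo "本地時間一同步時間服務器"
  fi
  if /sbin/hwclock --systohc; then
    echo "系統時間已同步到硬件"
  fi
}

#######################################
# Add a periodic ntpdate job to /etc/crontab. The system crontab has a user
# column between the time fields and the command; the original line omitted
# it, so cron would have tried to run the job as a user named
# "/usr/sbin/ntpdate". Idempotent: an existing job is not duplicated.
#######################################
schedule_time_sync() {
  local job="5 */6 * * * root /usr/sbin/ntpdate ${NTP_SERVER} > /dev/null 2>&1" anchor
  if grep -qF -- "/usr/sbin/ntpdate ${NTP_SERVER}" /etc/crontab; then
    echo "時間同步已存在於計劃日誌"
    return 0
  fi
  anchor=$(grep -n "^#" /etc/crontab | tail -1 | cut -d: -f1)
  if sed -i "${anchor:-\$}a ${job}" /etc/crontab; then
    echo "時間同步已寫入計劃日誌"
  fi
}

#######################################
# Append the network tuning parameters to /etc/sysctl.conf (applied at the
# final reboot). Written with printf instead of one long sed "a" string: the
# original string lacked a "\n" between wmem_max and tcp_timestamps, which
# produced a single invalid line and lost both settings.
# NOTE(review): net.ipv4.tcp_tw_recycle = 1 is known to drop connections from
# clients behind NAT and was removed from the kernel in 4.12; together with
# tcp_timestamps = 0 it is worth reconsidering rather than copying blindly.
#######################################
tune_kernel() {
  if grep -q "^net.ipv4.tcp_max_syn_backlog" /etc/sysctl.conf; then
    echo "內核參數已經優化過"
    return 0
  fi
  if printf '%s\n' \
      'net.ipv4.tcp_max_syn_backlog = 65536' \
      'net.core.netdev_max_backlog = 32768' \
      'net.core.somaxconn = 32768' \
      'net.core.wmem_default = 8388608' \
      'net.core.rmem_default = 8388608' \
      'net.core.rmem_max = 16777216' \
      'net.core.wmem_max = 16777216' \
      'net.ipv4.tcp_timestamps = 0' \
      'net.ipv4.tcp_synack_retries = 2' \
      'net.ipv4.tcp_syn_retries = 2' \
      'net.ipv4.tcp_tw_recycle = 1' \
      '#net.ipv4.tcp_tw_len = 1' \
      'net.ipv4.tcp_tw_reuse = 1' \
      'net.ipv4.tcp_mem = 94500000 915000000 927000000' \
      'net.ipv4.tcp_max_orphans = 3276800' \
      'net.ipv4.ip_local_port_range = 1024 65535' \
      >> /etc/sysctl.conf; then
    echo "系統已經優化完成"
  fi
}

#######################################
# Create the administrative account in the wheel group and set its password.
# An existing account is just added to wheel instead of failing useradd.
# The password goes to passwd over stdin, never on its command line.
# Arguments: $1 - user name, $2 - password
#######################################
create_admin_user() {
  local user=$1 password=$2
  if id "$user" >/dev/null 2>&1; then
    usermod -a -G wheel "$user"
  else
    useradd -G wheel "$user"
  fi
  if printf '%s\n' "$password" | passwd --stdin "$user" >/dev/null 2>&1; then
    echo "user is created!"
  fi
}

#######################################
# Add SU_WHEEL_ONLY yes to /etc/login.defs (once).
# NOTE(review): SU_WHEEL_ONLY is believed to be ignored by the shadow-utils
# su shipped with CentOS 6 — the pam_wheel line set by harden_su is the
# effective control; kept because the original script writes it. Confirm.
#######################################
restrict_su_to_wheel() {
  if grep -q "^SU_WHEEL_ONLY" /etc/login.defs; then
    echo "只允許wheel用戶su到root執行成功"
  elif echo "SU_WHEEL_ONLY yes" >> /etc/login.defs; then
    echo "只允許wheel用戶su到root執行成功"
  else
    echo "只允許wheel用戶su到root執行失敗請查看"
  fi
}

#######################################
# Entry point. Validates the arguments before touching anything, because
# the SSH restrictions below are only safe once $1 is a usable account.
# Arguments: $1 - admin user name, $2 - password (prompted for when omitted)
#######################################
main() {
  require_root
  local admin_user=${1:-} admin_password=${2:-}
  [[ -n "$admin_user" ]] || die "用法: ${0##*/} <用戶名> [密碼]"
  if [[ -z "$admin_password" ]]; then
    read -rs -p "請輸入 ${admin_user} 的密碼: " admin_password
    echo
    [[ -n "$admin_password" ]] || die "密碼不能爲空"
  fi

  update_system
  trim_services
  install_base_packages
  configure_history_timestamps
  configure_selinux
  harden_su
  # Create the account before sshd is restricted to it, so a failure here
  # aborts the run while root login is still possible.
  create_admin_user "$admin_user" "$admin_password"
  configure_sshd "$admin_user"
  open_firewall_port
  restart_ssh_and_firewall
  sync_time
  schedule_time_sync
  tune_kernel
  restrict_su_to_wheel

  # Reboot so the SELinux and sysctl changes take effect.
  init 6
}

main "$@"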

