CentOS7系統初始化腳本

系統初始化主要包括:iptables初始化、sshd服務初始化、添加Zabbix監控、添加密鑰、關閉SELinux、安裝deny_host等

#!/bin/bash
###Initialization

###key add
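add_key()
{
    # Install the shared root authorized_keys file from the ops host and lock
    # down the permissions sshd requires on ~/.ssh (700) and the key file (600).
    # NOTE(review): the download is plain HTTP with no digest or signature
    # check, so anyone who can answer for 192.168.1.105 on the path to this
    # host decides which keys get root access; serving it over TLS and
    # verifying a known digest before trusting the file would close that gap.
    local key_file=/root/.ssh/authorized_keys
    # `-s` rejects an empty download, which the original reported as success.
    if mkdir -p /root/.ssh && chmod 700 /root/.ssh \
        && wget -P /root/.ssh/ -N http://192.168.1.105/yunwei/authorized_keys \
        && chmod 600 "$key_file" \
        && [ -s "$key_file" ]; then
        printf "Key Set Successful\n"
    else
        printf "Key Set Faild\n" >&2
        return 1
    fi
}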



###Synchronization Time
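syn_time()
{
    # Drop a system cron entry that resyncs the clock against 192.168.1.46
    # every 10 minutes and writes the result to the hardware clock.
    local cron_file=/etc/cron.d/ntpdate
    # Both lines go through one redirection so a failure on the first write
    # (which the original never checked) is also reported. The explicit 644
    # keeps the file readable by cron regardless of the caller's umask; cron
    # skips cron.d entries that are writable by group or others.
    if {
        printf '%s\n' '###Time Synchronization'
        printf '%s\n' '*/10 * * * * root (/usr/sbin/ntpdate 192.168.1.46;/usr/sbin/hwclock -w) >> /var/log/ntp.log 2>&1'
    } > "$cron_file" && chmod 644 "$cron_file"; then
        printf "Set Ntpdate Successful\n"
    else
        printf "Set Ntpdate  Faild\n" >&2
        return 1
    fi
}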

###close SELINUX
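close_selinux()
{
    # Switch SELinux to permissive for the running system and set it to
    # disabled for the next boot.
    # NOTE(review): this removes a mandatory-access-control layer from the
    # host; keeping enforcing mode and fixing the specific policy denials is
    # the alternative a hardening baseline would normally prefer.
    local conf=/etc/selinux/config
    local mode
    # Best effort: setenforce fails harmlessly when SELinux is already off.
    setenforce 0
    # Match whatever the current value is (enforcing or permissive); the
    # original only rewrote "enforcing", so a host already in permissive mode
    # was left unchanged and then reported as a failure.
    sed -i 's/^SELINUX=.*/SELINUX=disabled/' "$conf"
    mode=$(awk -F'=' '/^SELINUX=/ {print $2}' "$conf")
    if [ "$mode" = "disabled" ]; then
        printf "Set Selinux Successful\n"
    else
        printf "Set Selinux Faild\n" >&2
        return 1
    fi
}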


###change ulimit
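chang_ulimit()
{
    # Raise the per-user open-file (nofile) and process (nproc) limits to
    # 655350 for all users, keeping a dated backup of limits.conf.
    local conf=/etc/security/limits.conf
    local nproc_conf=/etc/security/limits.d/20-nproc.conf
    # Same pattern the original used with grep -P; it needs nothing beyond ERE.
    local pattern='(\*.*soft.*nofile.*655350|\*.*hard.*nproc.*655350)'
    local mod_date
    mod_date=$(date +%Y%m%d-%H:%M:%S)
    # A failed backup is reported but does not block the change, as before.
    cp "$conf" "${conf}_${mod_date}" \
        || printf "Backup of %s Faild\n" "$conf" >&2
    # Only append the block once so re-running the script stays idempotent.
    if ! grep -qE "$pattern" "$conf"; then
        printf "*\tsoft\tnofile\t655350\n*\thard\tnofile\t655350\n*\tsoft\tnproc\t655350\n*\thard\tnproc\t655350\n" \
            >> "$conf"
    fi
    # The limits.d drop-in is read after limits.conf and would otherwise keep
    # nproc capped at 4096; skip it when the file is absent instead of letting
    # sed error out.
    if [ -f "$nproc_conf" ]; then
        sed -i 's/4096/655350/' "$nproc_conf"
    fi
    if grep -qE "$pattern" "$conf"; then
        printf "Set Ulimit Successful\n"
    else
        printf "Set Ulimit Faild\n" >&2
        return 1
    fi
}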


###forbid root login,forbid no password
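forbid_root()
{
    # Harden sshd_config: root may log in with keys only, empty passwords are
    # refused, and reverse-DNS lookups on connect are turned off.
    local conf=/etc/ssh/sshd_config
    local backup
    backup="${conf}_$(date +%Y%m%d-%H:%M:%S)"
    cp "$conf" "$backup" || printf "Backup of %s Faild\n" "$conf" >&2
    # Match the directive whether it is still the commented-out default or
    # has already been set explicitly. The original only rewrote "#Permit..."
    # lines, so an existing "PermitRootLogin yes" survived and the check
    # below then reported a failure while root password login stayed open.
    sed -i 's/^#\?PermitRootLogin\b.*/PermitRootLogin without-password/' "$conf"
    sed -i 's/^#\?PermitEmptyPasswords\b.*/PermitEmptyPasswords\tno/' "$conf"
    sed -i 's/^#\?UseDNS\b.*/UseDNS\tno/' "$conf"
    local epnum permnum usednsnum
    epnum=$(grep -cP "^PermitEmptyPasswords\tno" "$conf")
    permnum=$(grep -cP "^PermitRootLogin without-password" "$conf")
    usednsnum=$(grep -cP "^UseDNS\tno" "$conf")
    # sshd uses the first value it finds for a directive and every leading
    # occurrence was rewritten above, so one or more matches is sufficient.
    # `sshd -t` validates the edited file before the caller restarts sshd;
    # restarting on a broken config would otherwise cut off remote access.
    if [[ $epnum -ge 1 && $permnum -ge 1 && $usednsnum -ge 1 ]] \
        && /usr/sbin/sshd -t; then
        printf "Set sshd Config Successful\n"
    else
        printf "Set sshd Config Faild\n" >&2
        return 1
    fi
}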

####iptables rule add
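iptables_rule()
{
    # Insert the management allow-list rules directly after the existing
    # SSH (port 22) ACCEPT rule in the saved iptables ruleset.
    local rules=/etc/sysconfig/iptables
    local anchor='22 -j ACCEPT'
    local marker='-A INPUT -s 118.144.xxx.8/29 -p tcp -j ACCEPT'
    # sed's "a" command exits 0 even when the address never matches, so the
    # original reported success on a file with no port-22 rule and inserted
    # nothing. Note the anchor is a plain substring: any rule ending in
    # "22 -j ACCEPT" (e.g. port 2222) would also match.
    if ! grep -qF -- "$anchor" "$rules"; then
        printf "Set Iptables Faild\n" >&2
        return 1
    fi
    # Re-running the script must not append the same rules a second time.
    if grep -qF -- "$marker" "$rules"; then
        printf "Set Iptables Successful\n"
        return 0
    fi
    if sed -i '/22 -j ACCEPT/a\-A INPUT -s 118.144.xxx.8/29 -p tcp -j ACCEPT\n-A INPUT -s 118.144.xxx.128/26 -p tcp -j ACCEPT\n-A INPUT -s 118.144.xxx.0/25 -p tcp -j ACCEPT\n-A INPUT -s 118.144.xxx.0/28 -p tcp -j ACCEPT\n-A INPUT -s 118.144.xxx.38 -p udp --dport 161 -j ACCEPT' "$rules"; then
        printf "Set Iptables Successful\n"
    else
        printf "Set Iptables Faild\n" >&2
        return 1
    fi
}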

####Cacti snmp config
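snmpd_config()
{
    # Fetch the shared snmpd.conf used by the Cacti poller.
    local conf=/etc/snmp/snmpd.conf
    # NOTE(review): plain-HTTP fetch with no integrity check, like the other
    # wget steps. snmpd.conf normally carries the SNMP community strings, so
    # the file is restricted to root after download instead of being left at
    # wget's umask default (typically world-readable).
    if wget -P /etc/snmp/ -N http://192.168.1.105/yunwei/snmpd.conf \
        && chmod 600 "$conf"; then
        printf "Set Snmp Successful\n"
    else
        printf "Set Snmp Faild\n" >&2
        return 1
    fi
}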

####install_denyhosts
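deny_hosts()
{
    # Download the DenyHosts installer from the ops host and run it.
    local script=/root/software/install_denyhost.sh
    # NOTE(review): this executes whatever the plain-HTTP server returns,
    # with no signature or digest check, so 192.168.1.105 and the network
    # path to it are fully trusted for root code execution. At minimum an
    # empty or missing download is refused instead of being handed to sh.
    if ! wget -P /root/software/ -N http://192.168.1.105/yunwei/install_denyhost.sh \
        || [ ! -s "$script" ]; then
        printf "Install Denyhosts Faild\n" >&2
        return 1
    fi
    if sh "$script"; then
        printf "Install Denyhosts Successful\n"
    else
        printf "Install Denyhosts Faild\n" >&2
        return 1
    fi
}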

####install_zabbix_agentd
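zabbix_agentd()
{
    # Download and run the Zabbix agent installer, then make the agent start
    # at boot via rc.local.
    local script=/root/software/zabbix_agentd.sh
    local rc_local=/etc/rc.d/rc.local
    local start_cmd=/usr/local/zabbix/sbin/zabbix_agentd
    # NOTE(review): same unauthenticated plain-HTTP fetch-and-execute pattern
    # as the DenyHosts step; an empty download is refused before it runs.
    if ! wget -P /root/software/ -N http://192.168.1.105/yunwei/zabbix_agentd.sh \
        || [ ! -s "$script" ] || ! sh "$script"; then
        printf "Install Zabbix_agentd Faild\n" >&2
        return 1
    fi
    # Append the boot-time start line only once; the original added another
    # copy on every run of this script.
    if grep -qF -- "$start_cmd" "$rc_local" \
        || printf '%s\n' "$start_cmd" >> "$rc_local"; then
        printf "Install Zabbix_agentd Successful\n"
    else
        printf "Install Zabbix_agentd Faild\n" >&2
        return 1
    fi
}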

####zabbix_tcp
zabbix_tcp()
{
    # Install the TCP-connections user-parameter script for the Zabbix agent:
    # fetch it into the agent's etc directory, hand it to the zabbix user and
    # make it executable for that user.
    local dest_dir=/usr/local/zabbix/etc
    local script="$dest_dir/tcp_connections.sh"
    wget -P "$dest_dir/" -N http://192.168.1.105/yunwei/tcp_connections.sh \
        && chown zabbix.zabbix "$script" \
        && chmod u+x "$script"
    local rc=$?
    if [ "$rc" -eq 0 ]; then
        printf "Wget Zabbix_tcp Config Successful\n"
    else
        printf "Wget Zabbix_tcp Config Faild\n"
    fi
}

####zabbix_nginx
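zabbix_nginx()
{
    # Install the nginx status user-parameter script for the Zabbix agent and
    # replace its placeholder address (118.144.155.105) with this host's IP.
    local dest_dir=/usr/local/zabbix/etc
    local script="$dest_dir/nginx_status.sh"
    local host_ip
    # The original ran the sed below even when the download failed.
    if ! wget -P "$dest_dir/" -N http://192.168.1.105/yunwei/nginx_status.sh \
        || ! chown zabbix:zabbix "$script" || ! chmod u+x "$script"; then
        printf "Wget Zabbix_nginx Config Faild\n" >&2
        return 1
    fi
    printf "Wget Zabbix_nginx Config Successful\n"
    # First non-loopback IPv4 address. "inet" lines only (so inet6 is skipped),
    # the "addr:" prefix older net-tools print is stripped, and `exit` keeps a
    # single address: the original could return several lines on a multi-homed
    # host and feed them all into sed. The 172 exclusion is kept but anchored
    # to the first octet; the original dropped any line containing "172".
    host_ip=$(ifconfig -a | awk '$1 == "inet" { sub(/^addr:/, "", $2); if ($2 != "127.0.0.1" && $2 !~ /^172\./) { print $2; exit } }')
    if [ -z "$host_ip" ]; then
        printf "No local IP found; %s left unchanged\n" "$script" >&2
        return 1
    fi
    # Dots are escaped so only the literal placeholder address is replaced.
    sed -i "s/118\.144\.155\.105/$host_ip/g" "$script"
}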

###mail.rc
mailx()
{
    # Fetch the shared /etc/mail.rc for the mailx client.
    # NOTE(review): this function carries the same name as the mailx(1)
    # binary and shadows it for the rest of the script; nothing here calls
    # mailx(1), but a distinct name would avoid the surprise. Unlike the other
    # fetches it pulls from 118.144.155.105 rather than 192.168.1.105.
    wget -P /etc/ -N http://118.144.155.105/yunwei/mail.rc
    local rc=$?
    if [ "$rc" -eq 0 ]; then
        printf "Wget Mail Config Successful\n"
    else
        printf "Wget Mail Config Faild\n"
    fi
}

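###exec function
main()
{
    # Everything below writes under /etc and restarts services; refuse early
    # instead of failing step by step as an unprivileged user (the original
    # never checked and would print a trail of "Faild" messages).
    if [ "$EUID" -ne 0 ]; then
        printf 'This script must be run as root\n' >&2
        exit 1
    fi
    yum -y install epel-release
#   yum -y update
    yum -y install make vim net-tools gcc gcc-c++ rsync ntpdate lrzsz screen iptables-services iptables net-snmp net-snmp-devel wget traceroute iftop iptraf mailx unzip
    add_key
    syn_time
    close_selinux
    chang_ulimit
    forbid_root
    iptables_rule
    snmpd_config
    deny_hosts
    zabbix_agentd
    zabbix_tcp
    zabbix_nginx
    mailx

    # forbid_root edited sshd_config; restarting sshd on a config it rejects
    # would leave no way back in, so validate once and gate both restarts.
    local sshd_ok=0
    if /usr/sbin/sshd -t; then
        sshd_ok=1
    else
        printf 'sshd_config failed validation; sshd is NOT restarted\n' >&2
    fi

    # SysV-style commands kept alongside the systemctl block below; each set
    # is a no-op where the other applies.
    [ "$sshd_ok" -eq 1 ] && service sshd restart
    service iptables restart
    service snmpd restart
    chkconfig sshd on
    chkconfig iptables on
    chkconfig snmpd on

    systemctl stop firewalld.service
    systemctl disable firewalld.service
    systemctl restart iptables.service
    systemctl enable iptables.service
    systemctl enable snmpd.service
    [ "$sshd_ok" -eq 1 ] && systemctl restart sshd
    systemctl restart snmpd
    chmod u+x /etc/rc.d/rc.local
    # NOTE(review): this is the agent binary, not an init script; zabbix_agentd
    # takes -c/-R style options, so a bare "restart" argument presumably is
    # rejected with a usage message — confirm against what zabbix_agentd.sh
    # installed and use its service wrapper if there is one.
    /usr/local/zabbix/sbin/zabbix_agentd restart
    printf '\033[47;31m %s \033[0m\n' '提醒:需要修改/etc/mail.rc文件的郵件發件人!!!'
}
main "$@"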