脚本内容在文档的底部,将脚本后缀改为.sh,放到系统(CentOS6.X)里直接执行即可,有不能执行的麻烦告诉我,多谢!
#!/bin/bash
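. /etc/init.d/functions
# Every step below rewrites files under /etc, so the script must already be
# running as root.  The original launched an interactive `su - root` here and
# then carried on as the unprivileged caller once that shell exited, so every
# step silently failed; refuse and let the operator re-run as root instead.
if [ "$UID" -ne 0 ]; then
  echo "this script must be run as root (su - root, then re-run it)" >&2
  exit 1
fi
RETVAL=0
read -r -p "please enter your server ip:" SERVER_IP
# SERVER_IP is spliced into a filename and into a sed script later on, so
# accept nothing but a dotted quad.
if ! [[ "$SERVER_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  echo "invalid server ip: '$SERVER_IP'" >&2
  exit 1
fi
# Per-run report that every step appends an "ok"/"false" line to.  It is
# defined *after* the read (the original expanded SERVER_IP while it was still
# empty, giving /tmp/result_.txt) and is started fresh with owner-only
# permissions; a pre-existing symlink under the shared /tmp is refused rather
# than followed.
DIR="/tmp/result_${SERVER_IP}.txt"
if [ -L "$DIR" ]; then
  echo "refusing to write through symlink $DIR" >&2
  exit 1
fi
( umask 077; : > "$DIR" ) || exit 1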
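#######################################
# Append one report line for a step.
# Globals:   RETVAL (read) - exit status recorded by the step
#            DIR (read)    - report file
# Arguments: $1 - step name
# Outputs:   "<step> is ok." or "<step> is false." appended to $DIR
#######################################
result() {
  local step=$1
  # An explicit if/else: the original `a && b || c` also ran the "false"
  # branch whenever the "ok" echo itself failed.
  if [ "$RETVAL" -eq 0 ]; then
    printf '%s is ok.\n' "$step" >> "${DIR}"
  else
    printf '%s is false.\n' "$step" >> "${DIR}"
  fi
}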
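#######################################
# (Re)create the nginx service account with uid/gid 501.
# Globals:   RETVAL (written) - status of the final useradd
# NOTE: `userdel -r` also removes an existing nginx user's home directory and
# mail spool — kept from the original, but destructive if that account
# already owns data.
#######################################
create_user() {
  if id nginx >/dev/null 2>&1; then
    userdel -r nginx >/dev/null 2>&1
  fi
  # If gid 501 is already taken groupadd fails silently; useradd -g nginx
  # then fails as well (unless a group named nginx already exists) and that
  # failure is what RETVAL reports.
  groupadd -g 501 nginx >/dev/null 2>&1
  useradd -u 501 -r -g nginx -s /sbin/nologin nginx >/dev/null 2>&1
  RETVAL=$?
  result create_user
}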
#######################################
# Mount-option hardening in /etc/fstab: /tmp gets nosuid,noexec,nodev,
# /home nosuid,nodev and /var nosuid.  Only lines whose option field is
# literally "defaults" are rewritten; customised lines are left alone.
# The address `/\/var/` also matches entries such as /var/log or /var/tmp.
# Nothing is remounted here, so the change applies at the next boot/mount.
# Globals:   RETVAL (written) - sed exit status (0 even when nothing matched)
#######################################
fstab_opt() {
  local fstab=/etc/fstab
  sed -i \
    -e '/\/tmp/s/defaults/defaults,nosuid,noexec,nodev/' \
    -e '/\/home/s/defaults/defaults,nosuid,nodev/' \
    -e '/\/var/s/defaults/defaults,nosuid/' \
    "$fstab"
  RETVAL=$?
  result fstab_opt
}
#######################################
# Set the system time zone to Asia/Shanghai: comment out every line of
# /etc/sysconfig/clock, prepend the ZONE setting and install the matching
# /etc/localtime (`\cp` bypasses any `cp -i` alias).
# Globals:   RETVAL (written) - status of the last command in the chain
#######################################
time_opt() {
  local clock=/etc/sysconfig/clock
  local zone=Asia/Shanghai
  sed -i 's#^#\##g' "$clock" \
    && sed -i '1i ZONE="Asia/Shanghai"' "$clock" \
    && \cp -af "/usr/share/zoneinfo/$zone" /etc/localtime
  RETVAL=$?
  result time_opt
}
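#######################################
# Install a 5-minute ntpdate job for root.
# Globals:   RETVAL (written) - exit status of crontab
# NOTE: `crontab -` REPLACES root's whole crontab, exactly as the original
# `crontab /tmp/ntpdate` did; feeding the entry on stdin only removes the
# predictable temp file in the shared /tmp directory.
#######################################
ntp_opt() {
  local ntp_server=time.sfbest.bj
  printf '%s\n' "*/5 * * * * /usr/sbin/ntpdate $ntp_server" | crontab -
  RETVAL=$?
  result ntp_opt
}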
#######################################
# Password ageing policy in /etc/login.defs: disable the stock PASS_* lines
# and append max age 180d, min age 1d, min length 8, 7-day warning.
# Globals:   RETVAL (written) - status of the last command in the chain
#######################################
passwd1_opt() {
  local defs=/etc/login.defs
  sed -i '/^PASS/ s#^#\##g' "$defs" \
    && printf 'PASS_MAX_DAYS 180\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 8\nPASS_WARN_AGE 7\n\n' >> "$defs"
  RETVAL=$?
  result passwd1_opt
}
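#######################################
# Password-complexity rule: rewrite the pam_cracklib line in system-auth.
# Globals:   RETVAL (written) - sed exit status
# Fixes vs. the original:
#  - `sed -ir` is parsed by GNU sed as -i with backup suffix "r" (it left a
#    stray /etc/pam.d/system-authr behind), not as -i plus -r.
#  - pam_cracklib's options are spelled difok= and dcredit=; "ifok" and
#    "dvredit" are not recognised by the module.
# NOTE: on CentOS 6 system-auth is normally a symlink to system-auth-ac;
# sed -i replaces the link with a regular file, and a later authconfig run
# will not see this edit.
#######################################
passwd2_opt() {
  local pam_file=/etc/pam.d/system-auth
  sed -i -r '/pam_cracklib.so/ s#^.*$#password requisite pam_cracklib.so try_first_pass retry=3 type= difok=3 minlen=10 ucredit=-1 lcredit=-3 dcredit=-3 dictpath=/usr/share/cracklib/pw_dict#g' "$pam_file"
  RETVAL=$?
  result passwd2_opt
}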
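#######################################
# Password history: add remember=3 to the pam_unix "password sufficient"
# line, or record the existing remember= line in the report if one is set.
# Globals:   RETVAL (written) - status of the sed that ran
# NOTE(review): the original address required the literal text
# "password sufficient pam_unix.so md5" with single spaces; the stock CentOS 6
# file uses runs of spaces and sha512, so it matched nothing and still
# reported ok.  The address below keys on the fields instead — confirm
# against the target's system-auth.
#######################################
passwd3_opt() {
  local pam_file=/etc/pam.d/system-auth
  if grep -q 'remember' "$pam_file"; then
    sed -n '/remember/p' "$pam_file" >> "${DIR}"
  else
    sed -i -r '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/ s#$# remember=3#' "$pam_file"
  fi
  RETVAL=$?
  result passwd3_opt
}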
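#######################################
# Restrict SSH logins to the users listed in /etc/ssh/sshusers (only "sa"),
# add "sa" to wheel and limit `su` to wheel members.
# Globals:   RETVAL (written) - non-zero if any command failed
# Lock-out guard: after this step (and PermitRootLogin no in ssh_opt) only
# accounts in sshusers can log in remotely.  The original never checked that
# "sa" exists, which would leave no usable SSH login at all.
# `onerr=succeed` means pam_listfile fails OPEN if sshusers is unreadable;
# the original chose that over `onerr=fail`, which would fail closed.
#######################################
pamd_sshd_opt() {
  local rc=0
  if ! id sa >/dev/null 2>&1; then
    echo "user sa does not exist; pam_listfile not installed" >> "${DIR}"
    RETVAL=1
    result pamd_sshd_opt
    return
  fi
  sed -i '/#%PAM-1.0/a\auth required pam_listfile.so item=user sense=allow file=/etc/ssh/sshusers onerr=succeed' /etc/pam.d/sshd || rc=$?
  echo sa > /etc/ssh/sshusers || rc=$?
  # Append "sa" to wheel's member list.  The original unconditionally added
  # ",sa", producing "wheel:x:10:,sa" when the list was empty; here an empty
  # list gets "sa", a populated one ",sa", and an existing entry is kept.
  # Each -e is a separate script line because old GNU sed treats everything
  # after `b`/`t` up to the newline as the label.
  sed -i \
    -e '/^wheel:/{' \
    -e '/[:,]sa\(,\|$\)/b' \
    -e 's/:$/:sa/' \
    -e 't' \
    -e 's/$/,sa/' \
    -e '}' /etc/group || rc=$?
  sed -i '/^#auth.* use_uid$/a auth required pam_wheel.so use_uid' /etc/pam.d/su || rc=$?
  RETVAL=$rc
  result pamd_sshd_opt
}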
#pam_tally2_opt() {
# find /lib* -name "pam_tally2.so" &>/dev/null
#if [ $? -ne 0 ];then
# echo "pam_tally2.so does not exist." >> ${DIR}
#else
# grep 'pam_tally2.so' /etc/pam.d/sshd &>/dev/null
#[ $? -eq 0 ] && sed -n '/pam_tally2.so/p' /etc/pam.d/sshd >> ${DIR} || sed -i '1a auth required pam_tally2.so deny=3 unlock_time=300' /etc/pam.d/sshd
#fi
#RETVAL=$?
#result pam_tally2_opt
#}
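#######################################
# sshd hardening: no root login, port 9880, listen only on SERVER_IP, no
# reverse DNS; plus a 300 s idle timeout for login shells via /etc/profile.
# Globals:   SERVER_IP (read), RETVAL (written) - non-zero on any failure
# Each substitution only fires on the stock commented-out default, so a
# previously customised sshd_config is left as it was (same as the original).
# sshd is deliberately NOT restarted here: the new port/address take effect
# on the next restart, which should be done with console access at hand.
#######################################
ssh_opt() {
  local cfg=/etc/ssh/sshd_config
  local rc=0
  # SERVER_IP is operator input spliced into a sed script; accept only a
  # dotted quad so it cannot carry sed metacharacters.
  if ! [[ "$SERVER_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    echo "invalid SERVER_IP '$SERVER_IP'; sshd_config left untouched" >> "${DIR}"
    RETVAL=1
    result ssh_opt
    return
  fi
  sed -i \
    -e 's#\#PermitRootLogin yes#PermitRootLogin no#g' \
    -e 's#\#Port 22#Port 9880#g' \
    -e "s#\#ListenAddress 0.0.0.0#ListenAddress ${SERVER_IP}#g" \
    -e 's#\#UseDNS yes#UseDNS no#g' \
    "$cfg" || rc=$?
  # Syntax-check the result before reporting ok; a broken file would only
  # show up when sshd refuses to restart.  -t does not touch the daemon.
  /usr/sbin/sshd -t -f "$cfg" || rc=$?
  echo "export TMOUT=300" >> /etc/profile || rc=$?
  . /etc/profile
  RETVAL=$rc
  result ssh_opt
}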
#######################################
# Save the current pre-login banners to the report, then blank both so the
# login prompt no longer reveals the OS release.
# Globals:   DIR (read), RETVAL (written) - status of the last command
#######################################
issue_opt() {
  cat /etc/issue >> "${DIR}" \
    && : > /etc/issue \
    && : > /etc/issue.net
  RETVAL=$?
  result issue_opt
}
#######################################
# Make the account databases and inittab immutable, then move the chattr
# binary out of the way and note that in the report.
# Globals:   DIR (read), RETVAL (written) - status of the last command
# Side effects to keep in mind: useradd/passwd/groupadd and package scripts
# that edit these files will fail until `/etc/zchattr -i` is run, and a later
# package update may well reinstall /usr/bin/chattr.
#######################################
chattr_file_opt() {
  local -a locked=(/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab)
  local moved_to=/etc/zchattr
  chattr +i "${locked[@]}" \
    && mv /usr/bin/chattr "$moved_to" \
    && echo "chattr moved to $moved_to" >> "${DIR}"
  RETVAL=$?
  result chattr_file_opt
}
#######################################
# Neutralise Ctrl-Alt-Del on the console by commenting out the "exec" line
# of the upstart job (the job stays defined but runs nothing).
# Globals:   RETVAL (written) - sed exit status
#######################################
ctr_opt() {
  local job=/etc/init/control-alt-delete.conf
  sed -i 's#exec#\#exec#g' "$job"
  RETVAL=$?
  result ctr_opt
}
#######################################
# Keep only the last 5 shell-history entries in memory and on disk.
# Globals:   RETVAL (written) - status of the last command in the chain
#######################################
history_opt() {
  printf 'export HISTFILESIZE=5\nexport HISTSIZE=5\n' >> /etc/profile \
    && . /etc/profile
  RETVAL=$?
  result history_opt
}
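#######################################
# Disable SELinux (config + runtime) and stop/disable iptables.
# Globals:   RETVAL (written) - non-zero if any required command failed
# Both are protective controls and nothing later in this script replaces
# them; the host then relies on the PAM/sshd restrictions alone.  The
# behaviour is the author's, but RETVAL now reflects every command instead
# of only the final chkconfig.
#######################################
selinux_iptables_opt() {
  local rc=0
  sed -i 's#^SELINUX=.*$#SELINUX=disabled#g' /etc/selinux/config || rc=$?
  # setenforce exits non-zero when SELinux is already disabled at boot; that
  # is not a failure of this step, so its status is ignored on purpose.
  setenforce 0 >/dev/null 2>&1 || true
  /etc/init.d/iptables stop || rc=$?
  chkconfig iptables off || rc=$?
  RETVAL=$rc
  result selinux_iptables_opt
}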
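#######################################
# Append kernel network tuning to /etc/sysctl.conf and apply it.
# Globals:   DIR (read), RETVAL (written) - exit status of `sysctl -p`
# The values are unchanged from the original.  Two of them deserve a second
# look before use: tcp_tw_recycle=1 is known to break clients behind NAT,
# and tcp_max_tw_buckets=180 is far below the usual defaults.
# The net.nf_conntrack_* keys only exist while the nf_conntrack module is
# loaded; `sysctl -p` exits non-zero on any unknown key.  The original hid
# that output, so a "false" result had no diagnostic — stderr now goes to
# the report instead.
#######################################
sysctl_opt() {
  cat >> /etc/sysctl.conf <<'EOF'

net.ipv4.tcp_max_syn_backlog = 655350000
net.core.netdev_max_backlog = 327680000
net.core.somaxconn = 327680
net.core.wmem_default = 838860800
net.core.rmem_default = 838860800
net.core.rmem_max = 167772160
net.core.wmem_max = 167772160
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_max_tw_buckets = 180
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.ip_local_port_range = 1024 65535
vm.swappiness = 10
net.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_tcp_timeout_established = 300
EOF
  sysctl -p >/dev/null 2>>"${DIR}"
  RETVAL=$?
  result sysctl_opt
}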
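#######################################
# Raise the open-file and process limits for all users.
# Globals:   RETVAL (written) - non-zero if either write failed
# limits.conf is read by pam_limits at login; it is not a sysctl file.  The
# original ran `sysctl -p` here and let ITS status decide RETVAL, so a
# failed write could still be reported ok — the writes now decide.
#######################################
fs_file_opt() {
  local rc=0
  cat >> /etc/security/limits.conf <<'EOF' || rc=$?

* soft nofile 65535
* hard nofile 65535
EOF
  cat >> /etc/security/limits.d/90-nproc.conf <<'EOF' || rc=$?

* soft nproc 65535
* hard nproc 65535
EOF
  RETVAL=$rc
  result fs_file_opt
}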
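#######################################
# Replace every yum repo definition with the internal mirror.
# Globals:   RETVAL (written) - status of writing the repo file
# Fixes vs. the original: the list `[yum] name=yum ...` was unquoted, so
# `[yum]` and `echo $i` were subject to glob expansion, and the key is
# spelled `enabled=`, not `enable=`.  A quoted heredoc keeps $releasever and
# $basearch literal for yum to expand, and no `cd` is needed.
# gpgcheck=0 (unchanged) turns off package signature verification, so the
# mirror and the path to it have to be trusted.
#######################################
yum_opt() {
  local repo_dir=/etc/yum.repos.d
  rm -rf -- "${repo_dir:?}"/*
  cat > "$repo_dir/yum.repo" <<'EOF'
[yum]
name=yum
baseurl=http://yum.sfbest.bj/centos/$releasever/os/$basearch/
enabled=1
gpgcheck=0
EOF
  RETVAL=$?
  result yum_opt
}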
#######################################
# System locale: comment out any LANG= line in /etc/sysconfig/i18n and put
# zh_CN.UTF-8 first.
# Globals:   RETVAL (written) - status of the last command in the chain
#######################################
lang_opt() {
  local i18n=/etc/sysconfig/i18n
  sed -i 's#^LANG#\#LANG#g' "$i18n" \
    && sed -i '1i LANG="zh_CN.UTF-8"' "$i18n"
  RETVAL=$?
  result lang_opt
}
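#######################################
# Disable every SysV service at all run levels, then re-enable a short
# allow-list at levels 2-5.
# Globals:   RETVAL (written) - non-zero if any re-enable failed
# `chkconfig --list` also prints an indented "xinetd based services:"
# section; the original piped its first column ("xinetd", "based",
# "echo-dgram:") back into chkconfig.  Only column-0 lines with run-level
# fields are SysV entries, so the awk filter keeps just those.
# `xargs -i` is the deprecated spelling of `-I {}`; `-r` skips the call on
# empty input.
#######################################
sys_server_opt() {
  local svc rc=0
  chkconfig --list \
    | awk '/^[^[:space:]].*[0-6]:(on|off)/ {print $1}' \
    | xargs -r -I '{}' chkconfig '{}' --level 0123456 off
  for svc in auditd crond irqbalance network psacct rsyslog sshd sysstat; do
    chkconfig --level 2345 "$svc" on || rc=$?
  done
  RETVAL=$rc
  result sys_server_opt
}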
#######################################
# Monthly cleanup of queued local mail older than 30 days: drop a helper
# script under /server/scripts and append the job to root's crontab file.
# Globals:   RETVAL (written) - status of the crontab append
#######################################
postfix_opt() {
  local script_dir=/server/scripts
  local script="$script_dir/delete_mail.sh"
  [ -d "$script_dir" ] || mkdir -p "$script_dir"
  printf '%s\n' "tmpwatch -afv 30d /var/spool/postfix/maildrop/" > "$script"
  printf '%s\n' "00 00 01 * * /bin/sh $script &>/dev/null" >> /var/spool/cron/root
  RETVAL=$?
  result postfix_opt
}
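#######################################
# Final clean-up: empty root's home and lock down the passwd binary.
# Globals:   RETVAL (written) - non-zero if either command failed
# `rm -rf /root/*` is destructive and irreversible: it removes whatever the
# operator put in /root, including this script if it was copied there
# (dotfiles such as .ssh are not matched by the glob).
# chmod 0700 also clears the setuid bit, so ordinary users can no longer
# change their own password — consistent with the immutable /etc/shadow set
# earlier in this script, but worth knowing.
# The original reported nothing for this step; it now writes a result line
# like every other step.
#######################################
other_opt() {
  local rc=0
  rm -rf -- /root/* || rc=$?
  chmod 0700 /usr/bin/passwd || rc=$?
  RETVAL=$rc
  result other_opt
}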
#######################################
# Run every hardening step in order; each step appends its own ok/false
# line to the report.  Order is significant: create_user runs before
# chattr_file_opt makes /etc/passwd immutable, and ssh_opt runs after
# pamd_sshd_opt has written the SSH allow-list.
#######################################
main() {
  local step
  for step in \
      create_user fstab_opt time_opt ntp_opt \
      passwd1_opt passwd2_opt passwd3_opt pamd_sshd_opt ssh_opt \
      issue_opt chattr_file_opt ctr_opt history_opt \
      selinux_iptables_opt sysctl_opt fs_file_opt \
      yum_opt lang_opt sys_server_opt postfix_opt other_opt; do
    "$step"
  done
}
# Entry point; main takes no options, the arguments are passed through as a
# matter of form.
main "$@"