脚本内容在文档的底部,将脚本后缀改为.sh,放到系统(CentOS6.X)里直接执行即可,有不能执行的麻烦告诉我,多谢!


#!/bin/bash

. /etc/init.d/functions


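# Everything below edits files under /etc, so refuse to continue unless the
# script is already running as root. The original `su - root` only opened an
# interactive root shell; once that shell exited, the rest of this script
# carried on as the unprivileged caller, with most errors hidden by the
# >/dev/null redirections in the steps below.
if [ "$UID" -ne 0 ]; then
  echo "this script must be run as root (e.g. sudo $0); aborting." >&2
  exit 1
fi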



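RETVAL=0

# Prompt for the address first: DIR interpolates SERVER_IP, so the value has
# to exist before the path is built (the original assigned DIR one line too
# early and always reported into /tmp/result_.txt). -r keeps backslashes.
read -r -p "please enter your server ip:" SERVER_IP

# SERVER_IP is later spliced into a sed expression by ssh_opt; warn early if
# it does not look like a dotted IPv4 address.
if [[ ! "$SERVER_IP" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  echo "warning: '${SERVER_IP}' does not look like an IPv4 address" >&2
fi

# Per-run report that result() appends to. This is a fixed, predictable
# path under /tmp, so treat it as a human-readable summary, not as an
# audit log.
DIR="/tmp/result_${SERVER_IP}.txt"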


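#######################################
# Append one pass/fail line for a hardening step to the report file.
# Globals:   RETVAL (read) - exit status of the step that just ran
#            DIR    (read) - report file path
# Arguments: $1 - step name
# Outputs:   "<name> is ok." or "<name> is false." appended to $DIR
#######################################
result() {
  # if/else instead of `test && ok || fail`: with the original form a failed
  # append of the "ok" line would fall through and also write "false".
  if [ "$RETVAL" -eq 0 ]; then
    echo "$1 is ok." >> "${DIR}"
  else
    echo "$1 is false." >> "${DIR}"
  fi
}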

#######################################
# (Re)create the nginx service account with fixed uid/gid 501.
# NOTE(review): an existing nginx user is removed together with its home
# directory (userdel -r) before being recreated, which is destructive on a
# host that already keeps nginx data under that home.
# Globals:   RETVAL (written) - status of the final useradd only
# Outputs:   pass/fail line via result()
#######################################
create_user() {
  if id nginx >/dev/null 2>&1; then
    userdel -r nginx >/dev/null 2>&1
  fi
  groupadd -g 501 nginx >/dev/null 2>&1
  useradd -u 501 -r -g nginx -s /sbin/nologin nginx >/dev/null 2>&1
  RETVAL=$?
  result create_user
}

#######################################
# Add nosuid/noexec/nodev mount options to /tmp, /home and /var in fstab.
# Each expression only touches a line that contains the given path and whose
# option field is literally "defaults"; note the /var pattern also matches
# any mount point that merely contains "/var". No backup copy is kept, so a
# bad edit here has to be repaired from the console.
# Globals:   RETVAL (written)
#######################################
fstab_opt() {
  local -a edits=(
    -e '/\/tmp/s/defaults/defaults,nosuid,noexec,nodev/'
    -e '/\/home/s/defaults/defaults,nosuid,nodev/'
    -e '/\/var/s/defaults/defaults,nosuid/'
  )
  sed -i "${edits[@]}" /etc/fstab
  RETVAL=$?
  result fstab_opt
}


#######################################
# Set the timezone to Asia/Shanghai.
# Comments out every existing line of /etc/sysconfig/clock, prepends the
# ZONE entry and installs the matching zoneinfo file. \cp bypasses any
# interactive cp alias. Re-running comments out the ZONE line added before.
# Globals:   RETVAL (written)
#######################################
time_opt() {
  local clock=/etc/sysconfig/clock
  sed -i 's#^#\##g' "$clock" \
    && sed -i '1i ZONE="Asia/Shanghai"' "$clock" \
    && \cp -af /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
  RETVAL=$?
  result time_opt
}

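#######################################
# Install a 5-minute ntpdate job for the current (root) user.
# The entry is fed to crontab on stdin instead of being staged in the fixed
# path /tmp/ntpdate, which any local user could pre-create or swap between
# the write and the `crontab` read. As in the original, this REPLACES the
# whole crontab rather than appending to it.
# Globals:   RETVAL (written)
#######################################
ntp_opt() {
  printf '%s\n' '*/5 * * * *  /usr/sbin/ntpdate time.sfbest.bj' | crontab -
  RETVAL=$?
  result ntp_opt
}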

#######################################
# Password ageing policy in /etc/login.defs.
# Disables every existing PASS_* line, then appends the new block (the extra
# trailing blank line reproduces the original output).
# Globals:   RETVAL (written)
#######################################
passwd1_opt() {
  local defs=/etc/login.defs
  sed -i '/^PASS/ s#^#\##g' "$defs" \
    && printf 'PASS_MAX_DAYS 180\nPASS_MIN_DAYS 1\nPASS_MIN_LEN 8\nPASS_WARN_AGE 7\n\n' >> "$defs"
  RETVAL=$?
  result passwd1_opt
}

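#######################################
# Password complexity via pam_cracklib in /etc/pam.d/system-auth.
# The original `sed -ir` is parsed by GNU sed as -i with backup suffix "r"
# (leaving /etc/pam.d/system-authr behind), not as -i -r; no extended regex
# is needed here. Two option names were also misspelled: pam_cracklib knows
# difok= and dcredit=, not ifok= / dvredit=.
# NOTE(review): on CentOS 6 system-auth is usually a symlink to
# system-auth-ac; plain `sed -i` replaces the link with a regular file
# (add --follow-symlinks to edit the target instead) — confirm which file
# authconfig is expected to own afterwards.
# Globals:   RETVAL (written)
#######################################
passwd2_opt() {
  local pam_file=/etc/pam.d/system-auth
  sed -i '/pam_cracklib.so/ s#^.*$#password    requisite     pam_cracklib.so try_first_pass retry=3 type= difok=3 minlen=10 ucredit=-1 lcredit=-3 dcredit=-3 dictpath=/usr/share/cracklib/pw_dict#g' "$pam_file"
  RETVAL=$?
  result passwd2_opt
}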

#######################################
# Password history (remember=3) via pam_unix in /etc/pam.d/system-auth.
# If some remember= setting already exists it is copied into the report
# instead of being duplicated.
# NOTE(review): the edit pattern only matches a pam_unix line that uses
# "md5"; a sha512-based line is left untouched while still reporting ok.
# Globals:   RETVAL (written), DIR (read)
#######################################
passwd3_opt() {
  local pam_file=/etc/pam.d/system-auth
  if grep -q 'remember' "$pam_file"; then
    sed -n '/remember/p' "$pam_file" >> "${DIR}"
  else
    sed -i '/password    sufficient    pam_unix.so md5/ s#$# remember=3#g' "$pam_file"
  fi
  RETVAL=$?
  result passwd3_opt
}

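#######################################
# Restrict ssh logins to the users listed in /etc/ssh/sshusers and restrict
# `su` to members of wheel.
# NOTE(review): the only user written to sshusers is "sa", which this script
# never creates; together with PermitRootLogin no (ssh_opt) a missing "sa"
# account locks everyone out of ssh, so a warning is written to the report.
# onerr=succeed also means that if sshusers is ever missing, pam_listfile
# allows all users instead of denying them.
# Globals:   RETVAL (written) - non-zero if any step failed (the original
#            only captured the last sed), DIR (read)
#######################################
pamd_sshd_opt() {
  if ! id sa >/dev/null 2>&1; then
    echo "warning: user sa does not exist; the sshusers allow-list will lock out ssh." >> "${DIR}"
  fi
  # chmod makes the allow-list mode independent of the caller's umask;
  # pam_listfile rejects files that are not root-owned / are world-writable.
  sed -i '/#%PAM-1.0/a\auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/sshusers onerr=succeed' /etc/pam.d/sshd \
    && echo sa > /etc/ssh/sshusers \
    && chmod 0644 /etc/ssh/sshusers \
    && sed -i 's/\(^wheel.*\)/\1,sa/' /etc/group \
    && sed -i '/^#auth.* use_uid$/a auth           required        pam_wheel.so use_uid' /etc/pam.d/su
  RETVAL=$?
  result pamd_sshd_opt
}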

#pam_tally2_opt() {
 # find /lib* -name "pam_tally2.so" &>/dev/null
  #if [ $? -ne 0 ];then
   # echo "pam_tally2.so is no exsit." >> ${DIR}
  #else
   # grep 'pam_tally2.so' /etc/pam.d/sshd &>/dev/null
    #[ $? -eq 0 ] && sed -n '/pam_tally2.so/p' /etc/pam.d/sshd >> ${DIR} || sed -i '1a auth       required     pam_tally2.so deny=3 unlock_time=300' /etc/pam.d/sshd
  #fi
  #RETVAL=$?
  #result pam_tally2_opt
#}


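#######################################
# Harden sshd_config: no root login, port 9880, bind to SERVER_IP, no reverse
# DNS; plus a 300 s idle timeout for login shells via /etc/profile.
# Each sed only rewrites the commented default line, so an already-edited
# option is silently left as is. sshd is NOT restarted here; the new
# port/address take effect on the next restart, and if SERVER_IP is not an
# address of this host the daemon will fail to bind (keep console access).
# Sourcing /etc/profile at the end only affects this script's own shell.
# Globals:   SERVER_IP (read), RETVAL (written), DIR (read)
#######################################
ssh_opt() {
  local cfg=/etc/ssh/sshd_config
  # SERVER_IP is spliced into a sed replacement; reject anything that is not
  # a dotted IPv4 address rather than letting '#', '&' or spaces corrupt
  # sshd_config.
  if [[ ! "$SERVER_IP" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    echo "ssh_opt: invalid SERVER_IP '${SERVER_IP}', sshd_config not changed." >> "${DIR}"
    RETVAL=1
    result ssh_opt
    return 1
  fi
  sed -i 's#\#PermitRootLogin yes#PermitRootLogin no#g' "$cfg" \
    && sed -i 's#\#Port 22#Port 9880#g' "$cfg" \
    && sed -i "s#\\#ListenAddress 0.0.0.0#ListenAddress ${SERVER_IP}#g" "$cfg" \
    && sed -i 's#\#UseDNS yes#UseDNS no#g' "$cfg" \
    && { grep -q '^export TMOUT=300$' /etc/profile || echo "export TMOUT=300" >> /etc/profile; } \
    && . /etc/profile
  RETVAL=$?
  result ssh_opt
}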


#######################################
# Blank the pre-login banners so the OS version is not advertised; the
# current /etc/issue is copied into the report first.
# Globals:   RETVAL (written), DIR (read)
#######################################
issue_opt() {
  cat /etc/issue >> "${DIR}" \
    && : > /etc/issue \
    && : > /etc/issue.net
  RETVAL=$?
  result issue_opt
}


#######################################
# Make the account databases and inittab immutable, then move the chattr
# binary out of PATH.
# NOTE(review): with /etc/shadow immutable, passwd/useradd/userdel fail for
# everyone, root included, until `chattr -i` is run; moving chattr to
# /etc/zchattr only hides it from PATH and is not an access control — any
# root process can still run it by full path.
# Globals:   RETVAL (written), DIR (read)
#######################################
chattr_file_opt() {
  local -a locked=(/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab)
  chattr +i "${locked[@]}" \
    && mv /usr/bin/chattr /etc/zchattr \
    && echo "chattr moved to /etc/zchattr" >> "${DIR}"
  RETVAL=$?
  result chattr_file_opt
}


#######################################
# Disable Ctrl-Alt-Del reboot by commenting out the exec line of the
# upstart job. Every "exec" substring is prefixed, so a second run adds a
# second '#'.
# Globals:   RETVAL (written)
#######################################
ctr_opt() {
  local conf=/etc/init/control-alt-delete.conf
  sed -i 's#exec#\#exec#g' "$conf"
  RETVAL=$?
  result ctr_opt
}

#######################################
# Cap shell history at 5 entries for every login shell. The values are
# appended on every run; sourcing /etc/profile afterwards only changes this
# script's own shell.
# Globals:   RETVAL (written)
#######################################
history_opt() {
  printf 'export HISTFILESIZE=5\nexport HISTSIZE=5\n' >> /etc/profile \
    && . /etc/profile
  RETVAL=$?
  result history_opt
}

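#######################################
# Disable SELinux (persistently and for the running kernel) and stop and
# disable the iptables service.
# NOTE(review): both are host security controls being switched off
# wholesale; the sshd port change in ssh_opt would otherwise need a
# matching SELinux port label and a firewall rule.
# Globals:   RETVAL (written) - non-zero if the config edit, the service
#            stop or the chkconfig step failed (the original only reported
#            the final chkconfig status)
#######################################
selinux_iptables_opt() {
  local rv=0
  sed -i 's#^SELINUX=.*$#SELINUX=disabled#g' /etc/selinux/config || rv=1
  # setenforce fails when SELinux is already disabled; as in the original
  # that is not treated as a step failure.
  setenforce 0 >/dev/null 2>&1
  /etc/init.d/iptables stop || rv=1
  chkconfig iptables off || rv=1
  RETVAL=$rv
  result selinux_iptables_opt
}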


#######################################
# Append network/VM tunables to /etc/sysctl.conf and load them.
# The block (including the leading blank line) is appended on every run.
# NOTE(review): several values deserve a second look before rollout —
# rmem/wmem_default of 838860800 is ~800 MiB per socket by default,
# tcp_max_tw_buckets=180 is far below the usual defaults, and
# tcp_tw_recycle=1 is widely reported to drop connections from clients
# behind NAT. The nf_conntrack keys only exist once the conntrack module
# is loaded; `sysctl -p` errors are hidden, so RETVAL is the only signal.
# Globals:   RETVAL (written) - status of sysctl -p
#######################################
sysctl_opt() {
  cat >> /etc/sysctl.conf <<'EOF'

net.ipv4.tcp_max_syn_backlog = 655350000
net.core.netdev_max_backlog =  327680000
net.core.somaxconn = 327680
net.core.wmem_default = 838860800
net.core.rmem_default = 838860800
net.core.rmem_max = 167772160
net.core.wmem_max = 167772160
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_max_tw_buckets = 180
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.ip_local_port_range = 1024  65535
vm.swappiness = 10
net.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_tcp_timeout_established = 300
EOF
  sysctl -p >/dev/null 2>&1
  RETVAL=$?
  result sysctl_opt
}


#######################################
# Raise the open-files and process limits for all users.
# Both blocks (each with a leading blank line) are appended on every run.
# Note that `sysctl -p` does not apply pam_limits settings — they are read
# at login — so RETVAL here reflects sysctl, not the limits change.
# NOTE(review): CentOS 6 ships its own "* soft nproc" line in
# 90-nproc.conf; confirm which entry pam_limits honours when both exist.
# Globals:   RETVAL (written) - status of sysctl -p
#######################################
fs_file_opt() {
  cat >> /etc/security/limits.conf <<'EOF'

* soft nofile 65535
* hard nofile 65535
EOF
  cat >> /etc/security/limits.d/90-nproc.conf <<'EOF'

* soft nproc  65535
* hard nproc  65535
EOF
  sysctl -p >/dev/null 2>&1
  RETVAL=$?
  result fs_file_opt
}


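#######################################
# Replace every yum repo definition with a single internal mirror.
# NOTE(review): gpgcheck=0 disables package signature verification, so the
# host installs whatever yum.sfbest.bj (reached over plain http) serves.
# The original wrote "enable=1", which is not a yum repo option — the key
# is "enabled=1" — so the repo may never have been enabled. The original
# also `cd`ed into the repo dir and never returned; every later step uses
# absolute paths, so the cd is dropped.
# Globals:   RETVAL (written)
#######################################
yum_opt() {
  local repo_dir=/etc/yum.repos.d
  # :? aborts rather than expanding to "rm -rf /*" if the variable is empty.
  rm -rf -- "${repo_dir:?}"/*
  # $releasever / $basearch are yum variables and must reach the file
  # unexpanded; the quoted heredoc delimiter guarantees that.
  cat > "${repo_dir}/yum.repo" <<'EOF'
[yum]
name=yum
baseurl=http://yum.sfbest.bj/centos/$releasever/os/$basearch/
enabled=1
gpgcheck=0
EOF
  RETVAL=$?
  result yum_opt
}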


#######################################
# Set the system locale to zh_CN.UTF-8: comment out the existing LANG
# line(s) and put the new one first.
# Globals:   RETVAL (written)
#######################################
lang_opt() {
  local i18n=/etc/sysconfig/i18n
  sed -i 's#^LANG#\#LANG#g' "$i18n" \
    && sed -i '1i LANG="zh_CN.UTF-8"' "$i18n"
  RETVAL=$?
  result lang_opt
}


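#######################################
# Turn every SysV service off at all runlevels, then re-enable a fixed list.
# `chkconfig --list` also prints an "xinetd based services:" header and
# indented xinetd entries; the original passed those first words to
# chkconfig as well, producing spurious errors. Only lines whose second
# field looks like "0:off"/"0:on" are SysV entries, so the awk filter keeps
# just those. iptables is not in the re-enable list, consistent with
# selinux_iptables_opt.
# Globals:   RETVAL (written) - status of the last `chkconfig ... on`
#######################################
sys_server_opt() {
  local svc
  chkconfig --list | awk '$2 ~ /^0:/ {print $1}' \
    | xargs -I {} chkconfig {} --level 0123456 off
  for svc in auditd crond irqbalance network psacct rsyslog sshd sysstat; do
    chkconfig --level 2345 "$svc" on
  done
  RETVAL=$?
  result sys_server_opt
}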


#######################################
# Monthly cleanup of old postfix maildrop entries (tmpwatch, 30 days).
# The cron line is appended straight to root's spool file rather than via
# `crontab`, so a second run appends it a second time.
# Globals:   RETVAL (written) - status of the cron-line append only
#######################################
postfix_opt() {
  local script_dir=/server/scripts
  [ -d "$script_dir" ] || mkdir -p "$script_dir"
  printf '%s\n' "tmpwatch -afv 30d /var/spool/postfix/maildrop/" > "${script_dir}/delete_mail.sh"
  printf '%s\n' "00 00 01 * * /bin/sh ${script_dir}/delete_mail.sh &>/dev/null" >> /var/spool/cron/root
  RETVAL=$?
  result postfix_opt
}


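#######################################
# Final cleanup. Unlike every other step the original did not report
# through result(); it now does.
# NOTE(review): `rm -rf /root/*` deletes everything except dotfiles in
# root's home, and chmod 0700 strips the setuid bit from /usr/bin/passwd,
# so no non-root user can change their own password at all. Together with
# the immutable /etc/shadow from chattr_file_opt that is presumably the
# intent, but it belongs in the run-book.
# Globals:   RETVAL (written) - non-zero if either step failed
#######################################
other_opt() {
  local rv=0
  rm -rf -- /root/* || rv=1
  chmod 0700 /usr/bin/passwd || rv=1
  RETVAL=$rv
  result other_opt
}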


#######################################
# Run every hardening step in order. The order matters: account and PAM
# edits (create_user, pamd_sshd_opt) come before chattr_file_opt makes
# passwd/shadow/group immutable. Each step records its own status in the
# report file through result().
#######################################
main() {
  local step
  for step in \
    create_user fstab_opt time_opt ntp_opt \
    passwd1_opt passwd2_opt passwd3_opt pamd_sshd_opt ssh_opt \
    issue_opt chattr_file_opt ctr_opt history_opt selinux_iptables_opt \
    sysctl_opt fs_file_opt yum_opt lang_opt sys_server_opt \
    postfix_opt other_opt
  do
    "$step"
  done
}

# Entry point; the summary of every step ends up in $DIR (/tmp/result_<ip>.txt).
main