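#!/bin/bash
# CentOS 6-era host bootstrap: switch the yum mirror, disable SELinux and the
# firewall, trim boot services, add an admin user, set a UTF-8 locale, set up
# time sync, shell timeout / history limits, open-file limits, sysctl tuning,
# sshd hardening, and leave notes for hiding the OS version and locking files.
# NOTE(review): the shebang must be the very first line of the file or the
# kernel ignores it; in the original it sat below the header comment.
# NOTE(review): several steps (SELinux off, firewall off, passwordless sudo)
# lower the host's security posture; review them before running on anything
# reachable from an untrusted network.

# Make sure the admin tool directories are on PATH even from a minimal
# environment (cron, sudo with a reset PATH).
export PATH=$PATH:/bin:/sbin:/usr/sbin

# Everything below writes system files; refuse to run unprivileged.
# EUID is the effective id, which is what file permission checks use.
if [ "$EUID" != "0" ]; then
  echo "please run this script by root." >&2
  exit 1
fi

# Tool paths (kept for compatibility; `command -v` is the portable `which`).
SERVICE=$(command -v service)
CHKCONFIG=$(command -v chkconfig)

# wget is needed by mod_yum to fetch the mirror repo file.
yum install -y wget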
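# Replace the stock CentOS-Base.repo with the Aliyun mirror definition.
# The original file is kept as CentOS-Base.repo.backup and put back if the
# download fails, so the host is never left without a base repo.
# NOTE(review): the original fetched the repo file over plain http; the repo
# definition decides where packages come from, so it is fetched over https.
# The gpgcheck setting inside the fetched file is what protects the packages.
function mod_yum() {
  local repo=/etc/yum.repos.d/CentOS-Base.repo
  local backup="${repo}.backup"
  local url=https://mirrors.aliyun.com/repo/Centos-6.repo
  if [ -e "$repo" ]; then
    mv "$repo" "$backup" || return 1
    if ! wget -O "$repo" "$url"; then
      echo "mod_yum: download of $url failed, restoring $backup" >&2
      mv "$backup" "$repo"
      return 1
    fi
  fi
}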
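# Disable SELinux: permanently in the config file and immediately via setenforce.
# Args: $1 config file (default /etc/selinux/config).
# NOTE(review): the original sed expression lacked its closing '/' and so
# failed with "unterminated `s' command"; the config was never changed and the
# host came back enforcing after reboot.
# NOTE(review): this removes the mandatory-access-control layer entirely;
# "permissive" keeps audit logging and is the safer choice if you only need
# to stop denials.
function close_selinux() {
  local cfg=${1:-/etc/selinux/config}
  if [ -e "$cfg" ]; then
    sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' "$cfg"
  fi
  # setenforce fails harmlessly when SELinux is already disabled or absent.
  setenforce 0 &>/dev/null
}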
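# Stop the host firewall now and keep it off across reboots.
# NOTE(review): the original stopped iptables twice and called firewalld
# unconditionally (it does not exist on CentOS 6, so those lines just errored).
# Each service is now handled only when it is present on the host.
# NOTE(review): init_ssh later inserts iptables rules restricting the SSH port;
# with the iptables service disabled here they are not reloaded after a reboot.
function close_iptables() {
  if [ -x /etc/init.d/iptables ]; then
    /etc/init.d/iptables stop
    chkconfig iptables off
  fi
  # firewalld only exists on systemd hosts; `service`/`chkconfig` forward to
  # systemctl there, so the original commands are kept but guarded.
  if [ -e /usr/lib/systemd/system/firewalld.service ]; then
    service firewalld stop
    chkconfig firewalld off
  fi
}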
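# Turn off every SysV boot service, then re-enable only the baseline set
# (crond, sshd, network, rsyslog, sysstat).
# NOTE(review): main() called least_service while the original defined
# lease_service, so this step never ran; both names are provided.
# NOTE(review): iptables is among the services switched off here, so any
# saved firewall rules will not be loaded at boot.
function least_service() {
  local svc
  # `chkconfig` with no arguments lists one service per line, name first.
  # Looping in the shell replaces the original "awk | bash" command generation.
  while read -r svc _; do
    [ -n "$svc" ] && chkconfig "$svc" off
  done < <(chkconfig)
  while read -r svc _; do
    [ -n "$svc" ] && chkconfig "$svc" on
  done < <(chkconfig | egrep "crond|sshd|network|rsyslog|sysstat")
}
# Original spelling, kept so existing callers keep working.
function lease_service() {
  least_service
}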
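# Create the admin user "hat" (primary group root) with passwordless sudo.
# The password is read from the HAT_PASSWORD environment variable.
# NOTE(review): the original hard-coded the password "geeboo" and appended a
# NOPASSWD sudo rule without acting on the result of `visudo -c`: a well-known
# credential with root-equivalent access on every host built by this script.
# Export HAT_PASSWORD in the environment (not as a command-line argument, where
# it would be visible in `ps`) before running. The sudoers file is validated
# after the append and restored from the backup if it no longer parses.
function adduser() {
  # id(1) is the reliable existence check; `grep -w hat /etc/passwd` also
  # matched any other field containing the word "hat".
  if id hat >/dev/null 2>&1; then
    return 0
  fi
  if [ -z "${HAT_PASSWORD:-}" ]; then
    echo "adduser: HAT_PASSWORD is not set; refusing to create 'hat' with a default password" >&2
    return 1
  fi
  useradd hat -g root || return 1
  printf '%s\n' "$HAT_PASSWORD" | passwd --stdin hat
  \cp /etc/sudoers /etc/sudoers.ori
  echo "hat ALL=(ALL)NOPASSWD: ALL " >>/etc/sudoers
  if ! visudo -c >/dev/null 2>&1; then
    echo "adduser: /etc/sudoers failed validation, restoring backup" >&2
    \cp /etc/sudoers.ori /etc/sudoers
    return 1
  fi
  tail -1 /etc/sudoers
}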
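# Set the system default locale to zh_CN.UTF-8 (CentOS 6 reads /etc/sysconfig/i18n).
# Args: $1 locale file (default /etc/sysconfig/i18n).
# NOTE(review): the original cp had both paths fused into one argument and
# failed, so no backup was ever written.
function charset() {
  local i18n=${1:-/etc/sysconfig/i18n}
  # Keep a copy of the previous locale file when there is one.
  if [ -e "$i18n" ]; then
    cp "$i18n" "${i18n}.ori"
  fi
  echo 'LANG="zh_CN.UTF-8"' >"$i18n"
  # Apply to the running shell as well.
  source "$i18n"
  #echo $LANG
}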
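# Install a root cron entry that runs ntpdate every five minutes.
# Args: $1 cron spool file (default /var/spool/cron/root),
#       $2 NTP server (default time.nist.gov).
# Idempotent: nothing is written if an ntpdate entry is already present.
# NOTE(review): writing the spool file directly bypasses crontab(1); the file
# is created with mode 600 so it matches what crontab would produce.
# NOTE(review): ntpdate steps the clock without authentication; an on-path
# attacker can skew time (and with it log timestamps and certificate checks).
function time_sync() {
  local cron=${1:-/var/spool/cron/root}
  local server=${2:-time.nist.gov}
  if grep -qw "ntpdate" "$cron" 2>/dev/null; then
    return 0
  fi
  if [ ! -e "$cron" ]; then
    ( umask 077; : >"$cron" )
  fi
  echo "#time sync" >>"$cron"
  echo "*/5 * * * * /usr/sbin/ntpdate $server >/dev/null 2>&1" >>"$cron"
  crontab -l
}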
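# Append shell session settings to the login profile: idle timeout (TMOUT),
# in-memory history size and history file size.
# Args: $1 profile (default /etc/profile), $2 TMOUT seconds (default 300),
#       $3 HISTSIZE (default 5), $4 HISTFILESIZE (default 5).
# NOTE(review): the original appended only when all three keys were *already*
# present (-ge 3), so on a fresh host it did nothing; it also emitted
# "exportHISTSIZE=5" (no space), which bash would treat as a command name.
# Each setting is now added only if this script has not added it before.
# NOTE(review): a history of 5 entries leaves almost no audit trail for
# incident response; prefer a larger value plus forwarded/immutable logging.
function com_line_set() {
  local profile=${1:-/etc/profile}
  local tmout=${2:-300} histsize=${3:-5} histfilesize=${4:-5}
  local changed=0
  if ! grep -q "^export TMOUT=" "$profile" 2>/dev/null; then
    echo "export TMOUT=$tmout" >>"$profile"
    changed=1
  fi
  if ! grep -q "^export HISTSIZE=" "$profile" 2>/dev/null; then
    echo "export HISTSIZE=$histsize" >>"$profile"
    changed=1
  fi
  if ! grep -q "^export HISTFILESIZE=" "$profile" 2>/dev/null; then
    echo "export HISTFILESIZE=$histfilesize" >>"$profile"
    changed=1
  fi
  # Apply to the running shell only when the file was touched.
  if [ "$changed" = 1 ]; then
    . "$profile"
  fi
  return 0
}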
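# Raise the per-process open-file limit for all users via limits.conf.
# Args: $1 limits file (default /etc/security/limits.conf), $2 limit (default 65535).
# Idempotent: skipped when a "* - nofile <limit>" entry already exists.
# NOTE(review): the original looked for the bare number anywhere in the file,
# which a comment or an unrelated limit could satisfy; the whole entry is
# matched instead.
function open_file_set() {
  local conf=${1:-/etc/security/limits.conf}
  local limit=${2:-65535}
  if grep -Eq "^\*[[:space:]]+-[[:space:]]+nofile[[:space:]]+${limit}[[:space:]]*$" "$conf" 2>/dev/null; then
    return 0
  fi
  echo "* - nofile $limit " >>"$conf"
  tail -1 "$conf"
}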
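# Append the network/conntrack tuning block to sysctl.conf and apply it.
# Args: $1 sysctl file (default /etc/sysctl.conf).
# Idempotent via the "#kernel_flag" marker line.
# NOTE(review): the original heredoc was written as "cat>>file<" without the
# "<<EOF" operator -- a syntax error that aborted the whole script here.
# NOTE(review): net.ipv4.tcp_tw_recycle breaks clients behind NAT and was
# removed in Linux 4.12 (sysctl -p then errors on that key);
# tcp_syn_retries=1 / tcp_synack_retries=1 give up after a single lost packet;
# 25,000,000 conntrack entries need several GB of kernel memory. Review these
# values against the target host before relying on them.
function set_kernel() {
  local conf=${1:-/etc/sysctl.conf}
  if grep -q kernel_flag "$conf" 2>/dev/null; then
    return 0
  fi
  # Quoted delimiter: nothing in the block undergoes shell expansion.
  cat >>"$conf" <<'EOF'
#kernel_flag
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time =600
net.ipv4.ip_local_port_range =4000 65000
net.ipv4.tcp_max_syn_backlog =16384
net.ipv4.tcp_max_tw_buckets =36000
net.ipv4.route.gc_timeout =100
net.ipv4.tcp_syn_retries =1
net.ipv4.tcp_synack_retries =1
net.core.somaxconn = 16384
net.core.netdev_max_backlog =16384
net.ipv4.tcp_max_orphans =16384
net.nf_conntrack_max =25000000
net.netfilter.nf_conntrack_max =25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
  sysctl -p "$conf"
}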
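# Harden sshd: move it to a non-default port, forbid empty passwords, disable
# reverse DNS and GSSAPI, and restrict access to one management network via
# TCP wrappers and iptables.
# Env: SSH_PORT (default 52113), SSH_ALLOW_NET (default 192.168.10.0/24).
# NOTE(review): the original wrote "Port52113" (no space), which sshd rejects,
# and then restarted sshd without validating the config -- on a remote host
# that is a lockout. The config is now checked with `sshd -t` and the backup
# restored if it fails, before any restart.
# NOTE(review): `iptables save` is not a command; rules are persisted with
# `service iptables save`, and they only survive a reboot if the iptables
# service is enabled (close_iptables disables it).
# NOTE(review): PermitRootLogin no and AllowUsers are left commented as in the
# original; both are recommended once the "hat" login is confirmed working.
function init_ssh() {
  local port=${SSH_PORT:-52113}
  local net=${SSH_ALLOW_NET:-192.168.10.0/24}
  local cfg=/etc/ssh/sshd_config
  local backup="${cfg}.$(date +"%Y-%m-%d_%H-%M-%S")"
  cp "$cfg" "$backup"
  # Each pattern also matches the commented-out default shipped in sshd_config.
  sed -i "s%^#\?Port .*%Port $port%" "$cfg"
  #sed -i "s%^#\?PermitRootLogin .*%PermitRootLogin no%" "$cfg"
  sed -i "s%^#\?PermitEmptyPasswords .*%PermitEmptyPasswords no%" "$cfg"
  sed -i "s%^#\?UseDNS .*%UseDNS no%" "$cfg"
  sed -i "s%^GSSAPIAuthentication yes%GSSAPIAuthentication no%" "$cfg"
  #sed -i "\$a\AllowUsers hat" "$cfg"
  if ! sshd -t -f "$cfg"; then
    echo "init_ssh: $cfg failed validation, restoring $backup" >&2
    cp "$backup" "$cfg"
    return 1
  fi
  service sshd restart &>/dev/null
  # TCP wrappers: allow the management network, deny everyone else.
  echo "sshd:$net" >>/etc/hosts.allow
  echo "sshd:ALL" >>/etc/hosts.deny
  # Insert DROP first, then ACCEPT above it, so the allow rule is hit first.
  iptables -I INPUT -p tcp --dport "$port" -j DROP
  iptables -I INPUT -p tcp --dport "$port" -s "$net" -j ACCEPT
  service iptables save
}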
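# Install the admin convenience packages that are not yet present.
# NOTE(review): the original queried "treedos2unix" (a non-existent package,
# "tree" and "dos2unix" fused together) and compared the match count against
# 3 for six packages, so the install ran even when everything was installed.
# Each package is now checked individually with `rpm -q`.
# NOTE(review): nmap and nc are equally useful to an attacker who lands on
# this host; consider whether they belong on production systems.
function update_linux() {
  local pkg
  local missing=()
  for pkg in wget lrzsz nmap tree dos2unix nc; do
    rpm -q "$pkg" >/dev/null 2>&1 || missing+=("$pkg")
  done
  if [ "${#missing[@]}" -gt 0 ]; then
    yum install -y "${missing[@]}"
  fi
  #yum update -y
}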
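# Run every provisioning step in order, then leave the manual hardening
# steps as notes.
# NOTE(review): the bare Chinese headings that sat inside this function in
# the original were not comments -- bash tried to execute them as commands.
# They are kept below as comments.
main() {
  mod_yum
  close_selinux
  close_iptables
  # The service-trimming function in this file is named lease_service; the
  # original called least_service, which did not exist.
  lease_service
  adduser
  charset
  time_sync
  com_line_set
  open_file_set
  set_kernel
  init_ssh
  update_linux
  # --- Manual hardening steps, not executed ---
  # Hide the OS version from pre-login banners:
  #> /etc/issue
  #> /etc/issue.net
  # Lock critical account files with the immutable bit:
  #chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
  # Unlock again with:
  #chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
  # The original also suggested renaming chattr (mv /usr/bin/chattr /usr/bin/hat1).
  # NOTE(review): that is obscurity only -- any root process can restore or
  # reinstall the binary and clear the bit.
  # Password-protect GRUB: run /sbin/grub-md5-crypt to generate a hash, then add
  # "password --md5 <hash>" to /etc/grub.conf.
  # Ignore ICMP echo requests: net.ipv4.icmp_echo_ignore_all=1
}
main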