#!/bin/bash
#################
#################
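# Refuse to run unless invoked as root: every later step edits system files.
# Checked before check_os.sh is sourced, because that file may itself install
# packages.
if [ "$(id -u)" != "0" ]; then
  printf 'Error:You must be root to run this script!\n' >&2
  exit 1
fi

# Load the OS detection helper from the directory this script lives in.
# Sourcing "./check_os.sh" resolves against the caller's working directory, so
# a root shell started elsewhere would execute whatever file of that name
# happens to be there.
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd) || exit 1
if [ ! -r "${script_dir}/check_os.sh" ]; then
  printf 'Error: %s/check_os.sh not found or not readable\n' "${script_dir}" >&2
  exit 1
fi
. "${script_dir}/check_os.sh"

# NOTE(review): this test has no action attached, so its result is discarded.
# The check_os.sh listed with this script sets system_ver, not CentOS_ver, so
# the left-hand side is presumably always false here; confirm what was meant.
[ "${CentOS_ver}" == '7' ] && [ "$(systemctl is-active NetworkManager.service)" == "inactive" ]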
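# Disable SELinux, both for the running system and persistently.
# NOTE(review): this removes mandatory access control from the whole host and
# the "disabled" setting only takes full effect after a reboot. If the goal is
# just to stop denials while services are being set up, SELINUX=permissive
# keeps the audit trail. Left as the author wrote it.
# setenforce fails when SELinux is already disabled, so only call it otherwise.
if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
  setenforce 0
fi
# Skip the edit on hosts that have no SELinux configuration file at all.
if [ -f /etc/selinux/config ]; then
  sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config
fi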
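# Switch the yum base repository to the Aliyun CentOS 7 mirror.
yum install -y wget curl

# Download to a private temp file over HTTPS and install it only after a
# successful, non-empty fetch. The original moved CentOS-Base.repo away first,
# so a failed wget left the host without any base repository, and it fetched
# the repo definition over plain HTTP into the current directory.
# NOTE(review): the downloaded file decides its own baseurl/gpgcheck values;
# confirm gpgcheck=1 is still set in it before trusting packages from it.
if repo_tmp=$(mktemp); then
  if wget -O "${repo_tmp}" https://mirrors.aliyun.com/repo/Centos-7.repo \
    && [ -s "${repo_tmp}" ]; then
    # Keep only the first backup: a re-run must not overwrite the vendor file
    # with an earlier copy of the mirror file.
    if [ -e /etc/yum.repos.d/CentOS-Base.repo ] \
      && [ ! -e /etc/yum.repos.d/CentOS-Base.repo_back ]; then
      mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo_back
    fi
    # install(1) creates the target with normal mode/ownership instead of
    # carrying over the 0600 temp-file attributes.
    install -m 644 "${repo_tmp}" /etc/yum.repos.d/CentOS-Base.repo
  else
    printf 'Warning: could not download Centos-7.repo; keeping the current repo file\n' >&2
  fi
  rm -f -- "${repo_tmp}"
else
  printf 'Warning: mktemp failed; keeping the current repo file\n' >&2
fi

yum clean all
yum makecache
# NOTE(review): no -y here, so this step waits for confirmation on a terminal
# and aborts when run non-interactively; left unchanged.
yum update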
# Shell defaults and command aliases for every login shell, written to
# /etc/profile.d/alias.sh (the file is replaced on each run).
# The here-document delimiter is unquoted, so the backslash escapes are
# processed while writing: "\$(whoami)" lands in the file as "$(whoami)" and is
# evaluated at login time, and the four backslashes before "$" in PS1 land in
# the file as two.
# HISTTIMEFORMAT stamps each history entry with date, time and the user name.
# NOTE(review): GREP_OPTIONS is assigned but not exported here, and newer GNU
# grep releases treat that variable as obsolete; the aliases do the colouring.
tee /etc/profile.d/alias.sh > /dev/null << EOF
HISTSIZE=10000
PS1="\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@\h \[\e[35;40m\]\W\[\e[0m\]]\\\\$ "
HISTTIMEFORMAT="%F %T \$(whoami) "
alias l='ls -AFhlt'
alias lh='l | head'
alias vi=vim
GREP_OPTIONS="--color=auto"
alias grep='grep --color'
alias egrep='egrep --color'
alias fgrep='fgrep --color'
EOF
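# Remove stock system accounts and groups this host does not use.
# Users are deleted first: groupdel refuses to remove a group that is still
# some user's primary group, so the original group-first order failed for
# those groups. Accounts that are already gone are skipped quietly.
# NOTE(review): files owned by a deleted account keep its numeric UID/GID; a
# later account that reuses the number would own them. Worth a find -nouser /
# -nogroup sweep after this step.
for unused_user in adm lp shutdown operator games uucp; do
  if id -u "${unused_user}" >/dev/null 2>&1; then
    userdel "${unused_user}"
  fi
done

# userdel may already have removed a same-named group, so delete only what is
# still present.
for unused_group in adm lp games; do
  if getent group "${unused_group}" >/dev/null 2>&1; then
    groupdel "${unused_group}"
  fi
done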
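# Raise the per-user process and open-file limits in limits.conf.
# The here-document operator was lost on the page ("<" instead of "<< EOF");
# it is restored here. The block is appended only once so that re-running the
# script does not pile up duplicate entries.
if ! grep -q '^\* hard nofile 1000000' /etc/security/limits.conf 2>/dev/null; then
  cat >> /etc/security/limits.conf << 'EOF'
# End of file
* soft nproc 1000000
* hard nproc 1000000
* soft nofile 1000000
* hard nofile 1000000
EOF
fi

## set ulimit
# NOTE(review): this sets 65536 for login shells while limits.conf above
# allows 1000000; confirm which value is intended.
grep -qF 'ulimit -HSn 65536' /etc/profile \
  || echo "ulimit -HSn 65536" >> /etc/profile

# Initialise the system time zone (Asia/Shanghai). The old link is removed
# only when the replacement target exists.
if [ -e /usr/share/zoneinfo/Asia/Shanghai ]; then
  rm -rf /etc/localtime
  ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
fi

# /etc/sysctl.conf: keep a one-time backup, then write the tuned settings.
# NOTE(review): net.ipv4.tcp_tw_recycle=1 combined with tcp_timestamps=1 is
# known to drop connections from clients behind NAT, and the key no longer
# exists from Linux 4.12 on; consider removing it.
# NOTE(review): the nf_conntrack keys exist only while the nf_conntrack module
# is loaded; otherwise "sysctl -p" reports errors for them.
if [ ! -e /etc/sysctl.conf_bk ] && [ -e /etc/sysctl.conf ]; then
  /bin/mv /etc/sysctl.conf /etc/sysctl.conf_bk
fi
cat > /etc/sysctl.conf << 'EOF'
fs.file-max=1000000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_max_syn_backlog = 65535
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_syncookies = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.ip_local_port_range = 1024 65000
net.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
EOF
sysctl -p

# Install some dependency packages with whichever package manager exists, and
# report the real result (the original printed OK unconditionally).
if command -v yum >/dev/null 2>&1; then
  yum -y install sysstat ntp net-snmp lrzsz rsync >/dev/null 2>&1
  tools_rc=$?
elif command -v apt-get >/dev/null 2>&1; then
  apt-get -y install vim ntpdate locales >/dev/null 2>&1
  tools_rc=$?
else
  tools_rc=1
fi
if [ "${tools_rc}" -eq 0 ]; then
  echo "Installation system tools.------->OK"
else
  echo "Installation system tools.------->FAILED" >&2
fi

# Synchronise the clock once.
ntpdate cn.pool.ntp.org >/dev/null 2>&1

# Stop unused services (all disabled by the author).
#/etc/init.d/exim4 stop >/dev/null 2>&1
#/etc/init.d/nfs-common stop >/dev/null 2>&1
#/etc/init.d/portmap stop >/dev/null 2>&1
##
#systemctl stop portmap >/dev/null 2>&1
#systemctl stop exim4 >/dev/null 2>&1
#systemctl stop nfs-common >/dev/null 2>&1
#chkconfig --del exim4 && chkconfig exim4 off >/dev/null 2>&1
#chkconfig --del portmap && chkconfig exim4 off >/dev/null 2>&1
#chkconfig --del nfs-common && chkconfig exim4 off >/dev/null 2>&1

# Log idle sessions out after 300 seconds.
grep -qF 'export TMOUT=300' /etc/profile \
  || echo "export TMOUT=300" >> /etc/profile

# Login banners.
# NOTE(review): /etc/redhat-release and /etc/issue are what check_os.sh (and
# lsb_release) read to identify the system, so overwriting them changes what a
# later run of this script detects, and creates /etc/redhat-release on hosts
# that never had one. A one-time copy of the original is kept.
if [ -e /etc/redhat-release ] && [ ! -e /etc/redhat-release_bk ]; then
  cp -p /etc/redhat-release /etc/redhat-release_bk
fi
echo "nginx_111" > /etc/issue
echo "nginx_111" > /etc/redhat-release
echo "本机仅限本公司员工使用 否则追究法律责任" >/etc/motd

# Directories the remaining steps write into; the original assumed they exist.
mkdir -p /data/soft /data/sh/.chkrootkitLog
chmod 700 /data/sh/.chkrootkitLog

# Install sendEmail, used to send the alert mail.
# NOTE(review): the tarball is fetched over plain HTTP with no integrity check
# and its contents are later run by root's cron job. Compare it against a
# known-good checksum (EXPECTED_SHA256_PLACEHOLDER) before unpacking.
if [ ! -x /data/soft/sendEmail-v1.56/sendEmail ]; then
  if dl_dir=$(mktemp -d); then
    # --no-same-owner: files end up owned by root, not by whatever UID the
    # archive recorded.
    if wget -P "${dl_dir}" http://caspian.dotconf.net/menu/Software/SendEmail/sendEmail-v1.56.tar.gz \
      && tar xf "${dl_dir}/sendEmail-v1.56.tar.gz" -C "${dl_dir}" --no-same-owner; then
      mv "${dl_dir}/sendEmail-v1.56" /data/soft/
    else
      printf 'Warning: sendEmail download or unpack failed\n' >&2
    fi
    rm -rf -- "${dl_dir:?}"
  else
    printf 'Warning: mktemp failed; sendEmail not installed\n' >&2
  fi
fi

# Install chkrootkit and the periodic check script.
# Fixes against the original:
#  - the delimiter is quoted, so `date`, $TIME, $EMAIL etc. are written
#    literally instead of being expanded while this installer runs;
#  - the file name matches the one cron calls (the original wrote
#    chkrootkit_everydays.sh but scheduled chkrootkit_everyday.sh);
#  - the script is made executable and readable by root only, because it
#    holds the SMTP password.
# FEMAIL, MAILP and MAILT below are placeholders (the addresses on the page
# were obfuscated); set real values before relying on the alert.
# NOTE(review): "-xp" puts the password on the command line where other local
# users can see it in the process list, and "-o tls=no" sends the SMTP login
# unencrypted; prefer a dedicated low-privilege mailbox and TLS.
yum install -y chkrootkit
cat > /data/sh/chkrootkit_everyday.sh << 'EOF'
#!/bin/bash
#-------------------------------------------------------------------------
#application: 检查linux是否被cc的工具,监控命令是否被替换
#Filename: chkrootkit_everyday.sh
#crontab: */5 * * * * chkrootkit_everyday.sh
#------------------------------------------------------------------------
TIME="`date +%Y%m%d%H%M`"
/usr/sbin/chkrootkit -n > /data/sh/.chkrootkitLog/.chkrootkit_$TIME.log
if [ "`grep 'INFECTED' /data/sh/.chkrootkitLog/.chkrootkit_$TIME.log`" != "" ];then
echo "Dangerous"
EMAIL='/data/soft/sendEmail-v1.56/sendEmail'
FEMAIL="sender@example.com" #发件邮箱
MAILP="PASSWD"
MAILSMTP="smtp.163.com" #发件邮箱的SMTP
MAILT="recipient@example.com" #收件邮箱
MAILmessage=" server command change ERROR"
$EMAIL -q -f $FEMAIL -t $MAILT -u "您服务器有人登录修改命令,请使用chkrootkit来检测" -m "$MAILmessage" -s $MAILSMTP -o message-charset=utf-8 -xu $FEMAIL -xp $MAILP -o tls=no
else
echo "OK"
fi
EOF
chmod 700 /data/sh/chkrootkit_everyday.sh

# Register the check in root's crontab. Any earlier entry for the same script
# is filtered out first so that re-running the installer does not add
# duplicates; "crontab -" reads the new table from stdin.
cron_line='*/5 * * * * /data/sh/chkrootkit_everyday.sh >/dev/null 2>&1'
{
  crontab -l 2>/dev/null | grep -vF -- '/data/sh/chkrootkit_everyday.sh'
  echo "${cron_line}"
} | crontab -

# ---------------------------------------------------------------------------
# Second file shown on the page; save it separately as check_os.sh next to
# the script above.
# Page transcript: root@centos-mysql01:/data/sh# cat check_os.sh
# ---------------------------------------------------------------------------
#!/bin/bash
#######################
######################
# Detect the distribution and its major version.
# Sets OS, plus system_ver (CentOS, Debian) or Ubuntu_ver (Ubuntu), and THREAD.
# Meant to be sourced; on an unsupported system it ends the calling shell.
if [ -e /etc/redhat-release ]; then
  OS=CentOS
  # lsb_release is needed for the version lookup; install it when missing.
  command -v lsb_release >/dev/null 2>&1 || { yum -y install redhat-lsb-core; clear; }
  system_ver=$(lsb_release -sr | awk -F. '{print $1}')
elif grep -q 'bian' /etc/issue 2>/dev/null \
  || [ "$(lsb_release -is 2>/dev/null)" = "Debian" ]; then
  OS=Debian
  command -v lsb_release >/dev/null 2>&1 || { apt-get -y update; apt-get -y install lsb-release; clear; }
  system_ver=$(lsb_release -sr | awk -F. '{print $1}')
elif grep -q 'Ubuntu' /etc/issue 2>/dev/null \
  || [ "$(lsb_release -is 2>/dev/null)" = "Ubuntu" ] \
  || grep -q 'Linux Mint' /etc/issue 2>/dev/null; then
  OS=Ubuntu
  Ubuntu_ver=$(lsb_release -sr | awk -F. '{print $1}')
else
  # CFAILURE and CEND are not defined in either file shown, so they expand to
  # nothing here.
  echo "${CFAILURE}Does not support this OS, Please contact the author! ${CEND}"
  # exit ends the sourcing script just as "kill -9 $$" did, but with a normal
  # non-zero status and with exit traps still running.
  exit 1
fi
# Number of logical CPUs.
THREAD=$(grep -c '^processor' /proc/cpuinfo)
# Author's note: the Debian and Ubuntu steps will be written later.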