#!/bin/bash

#Linux 系统基础优化

#version 1.1

#by author lrj 2017-3-19


#定义root用户执行

Check_admin_user(){
  # Abort unless the script is running as root (UID 0); every later step
  # rewrites files under /etc.
  # Outputs: a coloured hint on stdout when not root.
  # Returns: 0 when root; exits the whole script with status 1 otherwise.
  if [ "$UID" -eq 0 ]; then
    return 0
  fi
  printf '\033[32m%s\033[0m\n' "Please run this script as root."
  exit 1
}


#定义命令行变量

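# Command-line tools used by the service configuration step. "command -v"
# replaces "which": it is a shell builtin, stays silent when the tool is
# missing (the variable is then simply empty) and spawns no extra process.
SERVICE=$(command -v service)
CHKCONFIG=$(command -v chkconfig)

# Directory holding the locally staged packages (e.g. the EPEL release rpm).
app=/data/software/

# RHEL/CentOS init-script helper library; sourced only when present so the
# script does not emit a spurious "No such file" on other distributions.
[ -r /etc/init.d/functions ] && . /etc/init.d/functions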


#精简系统服务和开机进程

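Service_conf(){
  # Trim boot-time services: turn off everything currently enabled in
  # runlevel 3, then turn on the fixed whitelist below. chkconfig's output
  # is consumed one line at a time, so service names are never word-split
  # or glob-expanded the way "for x in $(...)" did.
  # NOTE(review): anything not in the whitelist (auditd, if installed, for
  # example) ends up disabled at boot; extend the list if audit logging or
  # other daemons are required on this host.
  # Globals: CHKCONFIG (read) — path to chkconfig, set at the top of the file.
  # Returns: 1 if chkconfig was not found; otherwise the status of the last
  # chkconfig call.
  local serv
  local -r keep=(crond network rsyslog sshd iptables udev-post sysstat)

  if [ -z "$CHKCONFIG" ]; then
    printf 'Service_conf: chkconfig not found\n' >&2
    return 1
  fi

  while IFS= read -r serv; do
    [ -n "$serv" ] || continue
    "$CHKCONFIG" --level 3 "$serv" off
  done < <("$CHKCONFIG" --list | grep 3:on | awk '{print $1}')

  for serv in "${keep[@]}"; do
    "$CHKCONFIG" --level 3 "$serv" on
  done
}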


#内核参数优化

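Kernel_conf(){
  # Append the tuned sysctl settings to /etc/sysctl.conf and apply them.
  #
  # Fixes relative to the original:
  #  - the here-doc had lost its "<<EOF" redirection ("cat <>file"), so the
  #    settings were being executed as shell commands instead of written;
  #  - "|| continue" outside a loop is a no-op, so a failed backup no
  #    longer silently proceeds — the function returns 1 instead;
  #  - the key list contained many duplicates, some with conflicting values
  #    (tcp_max_tw_buckets 80000/500000, tcp_keepalive_time 120/60); each
  #    key is now listed once with the value sysctl -p applied last;
  #  - the block is appended only once (marker line below), so re-running
  #    the script does not keep growing the file.
  # NOTE(review): net.nf_conntrack_max only exists once nf_conntrack is
  # loaded; on a fresh host this step runs before Iptables_conf, so sysctl
  # may report that key as unknown (non-fatal). Hardening keys such as
  # net.ipv4.conf.all.accept_redirects / send_redirects / log_martians are
  # not set here.
  # Returns: 1 if the backup or the write fails; otherwise the status of
  # "sysctl -p".
  local conf=/etc/sysctl.conf
  local marker='#add new_conf_2017-3-22'

  if [ -f "$conf" ]; then
    /bin/cp "$conf" "${conf}.$(date +%F)" || return 1
  fi

  if ! grep -qF -- "$marker" "$conf" 2>/dev/null; then
    cat <<'EOF' >>"$conf" || return 1

#add new_conf_2017-3-22
# Block appended by the base-optimization script. Duplicate keys of the
# original list were collapsed; where a key appeared twice with different
# values the later one (the one sysctl -p applied last) is kept.

# Controls IP packet forwarding(modify to 1)
# NOTE: 1 makes this host route traffic between its interfaces; only
# needed if the box really forwards (PXE/NAT gateway etc.).
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

# ARP announce/ignore policy
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

# TIME_WAIT handling
net.ipv4.tcp_tw_reuse = 1
# NOTE: tcp_tw_recycle has no effect while tcp_timestamps = 0, and the key
# was removed in Linux 4.12 (sysctl -p reports it as unknown there).
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_max_tw_buckets = 500000

# Listen / accept queues
net.ipv4.tcp_max_syn_backlog = 20000
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768

# Socket buffers
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

# NOTE: disabling timestamps also disables PAWS wrapped-sequence protection.
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2

net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800

net.ipv4.ip_local_port_range = 1024  65535

# Keepalive
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5

# Connection tracking table size (key exists only while nf_conntrack is loaded)
net.nf_conntrack_max = 2097152
EOF
  fi

  sysctl -p
}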


#配置高速yum源

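Yum_epel_conf(){
  # Install the staged EPEL release rpm from "$app" and refresh yum metadata.
  # Fails early with a clear message when no epel-*.rpm is staged; the
  # original handed the unexpanded glob to rpm as a file name.
  # rpm verifies the package signature only if the signing key has been
  # imported (rpm --import); check a downloaded file with "rpm -K" first
  # when its origin is not trusted.
  # Globals: app (read) — staging directory, set at the top of the file.
  # Returns: 1 when no package is found; otherwise the status of the
  # rpm / yum chain.
  local pkgs=( "${app%/}"/epel-*.rpm )

  if [ ! -e "${pkgs[0]}" ]; then
    printf 'Yum_epel_conf: no epel-*.rpm found in %s\n' "$app" >&2
    return 1
  fi

  /bin/rpm -ivh "${pkgs[@]}" && yum clean all && yum makecache
}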


#增加系统文件描述符、用户数等

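File_des_conf(){
  # Raise per-user limits (nofile in limits.conf, nproc in 90-nproc.conf)
  # and stop the login shell's mailbox check.
  #
  # The original limits.conf line was wrapped in curly quotes, which are
  # not shell quotes: the bare "*" was glob-expanded against the current
  # directory and the curly quotes themselves landed in the file, where PAM
  # cannot parse them. The line is now a single-quoted literal. Both appends
  # are skipped when already present so re-runs do not duplicate them.
  # Returns: 0 on success, non-zero if a write or the final source fails.
  local limits=/etc/security/limits.conf
  local nproc=/etc/security/limits.d/90-nproc.conf
  local nofile_line='*      -       nofile        65535'

  if ! grep -qxF -- "$nofile_line" "$limits" 2>/dev/null; then
    printf '%s\n' "$nofile_line" >> "$limits" || return 1
  fi

  # Leading "*" in a BRE is literal, so the pattern matches the default line.
  if [ -f "$nproc" ]; then
    sed -i 's%*          soft    nproc     1024%*          soft    nproc     65535%g' "$nproc"
  fi

  if ! grep -qxF -- 'unset MAILCHECK' /etc/profile 2>/dev/null; then
    printf '%s\n' 'unset MAILCHECK' >> /etc/profile || return 1
  fi
  . /etc/profile
}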


#禁止root用户远程登陆,ssh安全配置

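Ssh_conf(){
  # Harden sshd_config: no root login, no empty passwords, no reverse DNS,
  # no GSSAPI. A dated backup is taken first and the result is validated
  # with "sshd -t"; on a failure the backup is restored so the host is not
  # rebooted into an unparseable sshd config.
  #
  # The substitutions now match both the commented default and an explicit
  # setting ("^#\?Key ..."); the original only rewrote the "#Key default"
  # form, so an explicit "PermitRootLogin yes" survived untouched.
  # NOTE(review): root login is disabled here while User_remote — the only
  # step that creates another account — is commented out in main. Make sure
  # a non-root login exists before the final reboot.
  # Returns: 0 on success, 1 if the backup or the validation fails.
  local cfg=/etc/ssh/sshd_config
  local backup=

  if [ -f "$cfg" ]; then
    backup="${cfg}.$(date +%F)"
    /bin/cp "$cfg" "$backup" || return 1
  fi

  sed -i 's%^#\?PermitRootLogin .*%PermitRootLogin no%' "$cfg"
  sed -i 's%^#\?PermitEmptyPasswords .*%PermitEmptyPasswords no%' "$cfg"
  sed -i 's%^#\?UseDNS .*%UseDNS no%' "$cfg"
  sed -i 's%^#\?GSSAPIAuthentication .*%GSSAPIAuthentication no%' "$cfg"

  if [ -x /usr/sbin/sshd ] && ! /usr/sbin/sshd -t -f "$cfg"; then
    printf 'Ssh_conf: sshd rejected the new config, restoring backup\n' >&2
    [ -n "$backup" ] && /bin/cp "$backup" "$cfg"
    return 1
  fi
}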


#防火墙配置,关闭selinux

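Iptables_conf(){
  # Disable SELinux in /etc/selinux/config and install a fixed iptables
  # ruleset (tcp/80, tcp/22, icmp, loopback, established/related; all other
  # INPUT and FORWARD traffic rejected), then restart the iptables service.
  #
  # Fixes relative to the original: the here-doc had lost its "<<EOF"
  # redirection ("cat <>file"), so the rules were executed as commands
  # instead of written; "|| continue" outside a loop is a no-op, so a failed
  # backup now returns 1. The ruleset is written with ">" rather than
  # appended: a dated backup is taken just before, and iptables-restore
  # flushes the table at each "*filter" line, so only the last block would
  # have taken effect anyway.
  # NOTE(review): SELINUX=disabled removes the mandatory-access-control layer
  # entirely; SELINUX=permissive keeps the audit trail while not enforcing.
  # Kept as the author configured it. Note also that Kernel_conf sets
  # net.ipv4.ip_forward = 1 while this ruleset rejects all FORWARD traffic.
  # Returns: 1 if the backup or the write fails; otherwise the status of the
  # iptables service restart.
  local selinux_conf=/etc/selinux/config
  local rules=/etc/sysconfig/iptables

  sed -i "s%SELINUX=enforcing%SELINUX=disabled%g" "$selinux_conf"
  sed -i "s%SELINUXTYPE=targeted%#SELINUXTYPE=targeted%g" "$selinux_conf"

  if [ -f "$rules" ]; then
    /bin/cp "$rules" "${rules}.$(date +%F)" || return 1
  fi

  cat <<'EOF' >"$rules" || return 1
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

  /etc/init.d/iptables restart
}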


#授权远程用户

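User_remote(){
  # Create the "test1" account and grant it sudo for useradd/userdel.
  #
  # The password is no longer hard-coded in the script (the original shipped
  # "123456" in clear text): it must be supplied through REMOTE_USER_PASS and
  # is fed to "passwd --stdin", so it never appears on a command line. The
  # sudoers line is validated with "visudo -c" on a scratch copy before it is
  # appended, because a syntax error in /etc/sudoers disables sudo for every
  # user on the host.
  # Globals: REMOTE_USER_PASS (read) — password for the new account.
  # Returns: 1 if the password is missing, /etc/sudoers is absent, the
  # account cannot be created, or the sudoers fragment fails validation;
  # 0 otherwise (including when the line is already present).
  local user=test1
  local sudo_line="$user   ALL=(ALL)       /usr/sbin/useradd,/usr/sbin/userdel"
  local tmp rc

  : "${REMOTE_USER_PASS:?set REMOTE_USER_PASS before calling User_remote}"

  # Idempotent: only create the account when it does not exist yet.
  if ! id "$user" >/dev/null 2>&1; then
    /usr/sbin/useradd "$user" >/dev/null 2>&1 || return 1
  fi
  printf '%s\n' "$REMOTE_USER_PASS" | /usr/bin/passwd --stdin "$user" >/dev/null 2>&1 || return 1

  [ -f /etc/sudoers ] || return 1
  grep -qxF -- "$sudo_line" /etc/sudoers && return 0

  tmp=$(mktemp) || return 1
  if ! { cat /etc/sudoers > "$tmp" && printf '%s\n' "$sudo_line" >> "$tmp"; }; then
    rm -f -- "$tmp"
    return 1
  fi
  if /usr/sbin/visudo -cf "$tmp" >/dev/null 2>&1; then
    printf '%s\n' "$sudo_line" >> /etc/sudoers
    rc=$?
  else
    printf 'User_remote: sudoers fragment failed visudo -c, not installed\n' >&2
    rc=1
  fi
  rm -f -- "$tmp"
  return "$rc"
}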

 

#配置时间同步,定时任务


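Time_sync(){
  # Install root's every-five-minutes "ntpdate + hwclock --systohc" cron job.
  # Idempotent: the line is appended only when not already present, so
  # re-running the script does not stack duplicate jobs.
  # NOTE(review): ntpdate is a one-shot, unauthenticated time step; a running
  # ntpd/chronyd is the usual replacement on a long-lived server.
  # Returns: 0 when present or appended; non-zero if the write fails.
  local spool=/var/spool/cron/root
  local job='*/5 * * * * /usr/sbin/ntpdate time.nist.gov >> /var/log/ntp.log 2>&1; /sbin/hwclock --systohc'

  if [ -f "$spool" ] && grep -qxF -- "$job" "$spool"; then
    return 0
  fi
  printf '%s\n' "$job" >> "$spool"
}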


#去除登陆时显示系统版本信息

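Version_conf(){
  # Blank /etc/issue and /etc/issue.net so the pre-login banner no longer
  # reveals distribution and kernel version. Dated backups are taken first;
  # a failed backup aborts instead of proceeding (the original "|| continue"
  # is a no-op outside a loop).
  # Returns: 0 on success, 1 if a backup or a truncate fails.
  local f

  for f in /etc/issue /etc/issue.net; do
    if [ -f "$f" ]; then
      /bin/cp "$f" "${f}.$(date +%F)" || return 1
    fi
    : > "$f" || return 1
  done
}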


#服务器登陆提示

Login_conf(){
  # Replace the message of the day with a fixed greeting, but only when
  # /etc/motd already exists (the file is never created here).
  # Returns: 1 if /etc/motd is missing; otherwise the status of the write.
  [ -f /etc/motd ] || return 1
  printf '%s\n' "Welcome to cobbler server!" >/etc/motd
}


#修改服务器名称

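ServerNamde_conf(){
  # Register this host as "cobbler_server": append "<primary IPv4>   cobbler_server"
  # to /etc/hosts and set HOSTNAME in /etc/sysconfig/network (dated backup
  # taken first).
  #
  # The address comes from "ip -4 -o addr" when available; the original
  # ifconfig pipeline (second output line, fourth field) is kept only as a
  # fallback because its result depends on interface order and on the
  # ifconfig output format. An empty address aborts instead of writing a
  # line with no address into /etc/hosts, and the append is skipped when
  # the mapping is already present.
  # NOTE(review): underscores are not valid in DNS host names (RFC 1123);
  # some resolvers and tools reject "cobbler_server".
  # Returns: 1 if /etc/hosts is missing, no address was found, or the
  # backup fails; otherwise the status of the sed on /etc/sysconfig/network.
  local ip=
  local netcfg=/etc/sysconfig/network

  [ -f /etc/hosts ] || return 1

  if command -v ip >/dev/null 2>&1; then
    ip=$(ip -4 -o addr show scope global | awk 'NR==1 {split($4, a, "/"); print a[1]}')
  fi
  if [ -z "$ip" ]; then
    ip=$(ifconfig | awk -F "[ :]+" 'NR==2 {print $4}')
  fi
  if [ -z "$ip" ]; then
    printf 'ServerNamde_conf: could not determine the primary IPv4 address\n' >&2
    return 1
  fi

  if ! grep -qxF -- "${ip}   cobbler_server" /etc/hosts; then
    printf '%s   cobbler_server\n' "$ip" >>/etc/hosts || return 1
  fi

  if [ -f "$netcfg" ]; then
    /bin/cp "$netcfg" "${netcfg}.$(date +%F)" || return 1
  fi
  sed -i 's%HOSTNAME=localhost.localdomain%HOSTNAME=cobbler_server%g' "$netcfg"
}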


#修改服务器启动模式

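Runlevel_conf(){
  # Switch the default runlevel from 5 (graphical) to 3 (multi-user) in
  # /etc/inittab. Returns 1 instead of exiting the whole script when the
  # file is missing, so main can report it; systemd hosts ignore
  # /etc/inittab anyway.
  # Returns: 1 if /etc/inittab is missing; otherwise the status of sed.
  [ -f /etc/inittab ] || return 1
  sed -i 's%id:5:initdefault:%id:3:initdefault:%g' /etc/inittab
}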



#锁定敏感文件

File_lock_conf(){
  # Set the immutable attribute on the account databases and /etc/inittab.
  # While +i is set even root cannot modify these files, so useradd/passwd/
  # usermod fail until "chattr -i" is run; that is why this step is
  # commented out in main.
  # Returns: the status of the last chattr call.
  local f
  for f in /etc/passwd /etc/inittab /etc/group /etc/shadow /etc/gshadow; do
    /usr/bin/chattr +i "$f"
  done
}


 

#调用各函数

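main(){
  # Run every configuration step in order and report which ones failed.
  # The original "step && sleep 1" chain returned only the status of the
  # last step, so the caller rebooted even when earlier steps had failed.
  # Steps are still not aborted early (behaviour kept), but the function
  # now returns 1 if any of them failed so the reboot at the bottom of the
  # file is skipped and the host can be inspected first.
  # NOTE(review): Ssh_conf disables root SSH login while User_remote, the
  # only step that creates a replacement account, stays commented out. Make
  # sure another login path exists before letting the reboot happen.
  # Disabled by the author: User_remote, File_lock_conf.
  # Returns: 0 if every step succeeded, 1 otherwise.
  local step failed=0

  Check_admin_user

  for step in Service_conf Yum_epel_conf Kernel_conf File_des_conf Ssh_conf \
              Iptables_conf Time_sync Version_conf Login_conf ServerNamde_conf \
              Runlevel_conf; do
    if "$step"; then
      sleep 1
    else
      printf '%s: step %s failed\n' "${0##*/}" "$step" >&2
      failed=1
    fi
  done

  return "$failed"
}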


#完成后重启

# Apply everything, then reboot so the runlevel, SELinux and kernel
# settings take effect; any failure (including a failed reboot) exits 1.
if main; then
  reboot || exit 1
else
  exit 1
fi