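#!/bin/bash
# Initial hardening and tuning of a freshly installed CentOS/RHEL 6 style host
# (uses yum, chkconfig, service, passwd --stdin and /etc/sysconfig/*).
#
# Plan from the original author:
#   1. Forbid root SSH login, forbid password login, add an ordinary user
#      (the "forbid password login" part is still TODO, see harden_sshd)
#   2. Generate an SSH key pair (TODO: not implemented)
#   3. Let the ordinary user escalate through sudo
#   4. Enable the firewall and install the rule set
#   5. Install fail2ban (TODO: not in the package list)
#   6. Change the sshd port
#   7. Restrict su to the wheel group
#
# Required environment:
#   ADMIN_PASSWORD  password for the admin user. It is read from the
#                   environment so that no credential is stored in this file
#                   or visible on the command line / in `ps`.
# Optional environment:
#   ADMIN_USER      admin account name (default: wsyht)
#   SSH_PORT        new sshd port (default: 9527)
#
# Must run as root. Every edit is keyed on content rather than on line
# numbers, so the script can be re-run without duplicating entries.
# The host is rebooted at the end.
set -euo pipefail

readonly ADMIN_USER=${ADMIN_USER:-wsyht}
readonly SSH_PORT=${SSH_PORT:-9527}
readonly SYSCTL_CONF=/etc/sysctl.conf
readonly SSHD_CONF=/etc/ssh/sshd_config

#######################################
# Print an error to stderr and exit with status 1.
# Arguments: error message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Set one key in /etc/sysctl.conf, replacing any existing line for that key
# so that re-running the script does not accumulate duplicates.
# Arguments: $1 - sysctl key, $2 - value (may contain spaces)
#######################################
set_sysctl() {
  local key=$1 value=$2
  # '#' is the address delimiter because keys never contain it; '.' in the
  # key matches itself under the regex, which is sufficient for these keys.
  sed -i "\\#^[[:space:]]*${key}[[:space:]]*=#d" "$SYSCTL_CONF"
  printf '%s = %s\n' "$key" "$value" >> "$SYSCTL_CONF"
}

#######################################
# Set an sshd_config keyword: active lines for the keyword are removed and the
# new value appended (sshd honours the first occurrence, so the result is
# unambiguous). The original inserted at fixed line numbers, which only match
# one particular distro release.
# NOTE(review): appends at end of file; if a Match block is ever added to
# sshd_config the keyword must be placed before it instead.
# Arguments: $1 - keyword, $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  sed -i "/^[[:space:]]*${key}[[:space:]]/d" "$SSHD_CONF"
  printf '%s %s\n' "$key" "$value" >> "$SSHD_CONF"
}

#######################################
# Append a line to a file unless that exact line is already present.
# Arguments: $1 - file, $2 - line
#######################################
append_once() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

#######################################
# Disable SELinux (author's choice) and write the network sysctl tuning.
# Globals: SYSCTL_CONF (read)
#######################################
tune_kernel() {
  # The original edited line 7 of /etc/selinux/config by number; key on the
  # setting instead. NOTE(review): this drops a mandatory access control
  # layer — keep SELinux enforcing if the workload allows it.
  sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

  set_sysctl net.ipv4.tcp_max_tw_buckets 6000
  set_sysctl net.ipv4.tcp_sack 1
  set_sysctl net.ipv4.tcp_window_scaling 1
  set_sysctl net.ipv4.tcp_rmem '4096 87380 4194304'
  set_sysctl net.ipv4.tcp_wmem '4096 16384 4194304'
  set_sysctl net.core.wmem_default 8388608
  set_sysctl net.core.rmem_default 8388608
  set_sysctl net.core.rmem_max 16777216
  set_sysctl net.core.wmem_max 16777216
  set_sysctl net.core.netdev_max_backlog 262144
  set_sysctl net.core.somaxconn 262144
  set_sysctl net.ipv4.tcp_max_orphans 3276800
  set_sysctl net.ipv4.tcp_max_syn_backlog 262144
  set_sysctl net.ipv4.tcp_timestamps 0
  set_sysctl net.ipv4.tcp_synack_retries 1
  set_sysctl net.ipv4.tcp_syn_retries 1
  # tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12;
  # kept for the original target kernel, drop it on newer kernels.
  set_sysctl net.ipv4.tcp_tw_recycle 1
  set_sysctl net.ipv4.tcp_tw_reuse 1
  set_sysctl net.ipv4.tcp_mem '94500000 915000000 927000000'
  set_sysctl net.ipv4.tcp_fin_timeout 30
  set_sysctl net.ipv4.tcp_keepalive_time 30
  set_sysctl net.ipv4.ip_local_port_range '1024 65000'
  # Firewall (conntrack) tuning — only meaningful with the firewall enabled.
  # The original appended some of these keys twice; the later, effective
  # values are the ones kept here.
  set_sysctl net.nf_conntrack_max 25000000
  set_sysctl net.netfilter.nf_conntrack_max 25000000
  set_sysctl net.netfilter.nf_conntrack_tcp_timeout_established 180
  set_sysctl net.netfilter.nf_conntrack_tcp_timeout_time_wait 120
  set_sysctl net.netfilter.nf_conntrack_tcp_timeout_close_wait 60
  set_sysctl net.netfilter.nf_conntrack_tcp_timeout_fin_wait 120

  # Apply now. The original ran `sysctl -p /etc/sysconfig` (a directory), so
  # none of the above was ever loaded. The nf_conntrack keys only exist once
  # the conntrack module is loaded, so a partial failure is reported but not
  # fatal; the file is re-applied after the firewall is up.
  sysctl -p "$SYSCTL_CONF" \
    || printf 'warn: some sysctl keys were not applied\n' >&2
}

#######################################
# Create the admin account and set its password from the environment.
# Globals: ADMIN_USER, ADMIN_PASSWORD (read)
#######################################
create_admin_user() {
  id -u "$ADMIN_USER" >/dev/null 2>&1 || useradd "$ADMIN_USER"
  # passwd --stdin is RHEL/CentOS-specific; the password never touches argv.
  printf '%s\n' "$ADMIN_PASSWORD" | passwd --stdin "$ADMIN_USER"
}

#######################################
# Switch the system locale to en_US and the time zone to Asia/Shanghai.
#######################################
set_locale_and_timezone() {
  sed -i 's#zh_CN#en_US#g' /etc/sysconfig/i18n
  sed -i 's#Etc/UTC#Asia/Shanghai#g' /etc/sysconfig/clock
  ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
}

#######################################
# Move sshd to SSH_PORT, forbid root login, disable reverse DNS lookups, and
# restart sshd only if the resulting config parses.
# Globals: SSH_PORT (read)
#######################################
harden_sshd() {
  set_sshd_option Port "$SSH_PORT"
  set_sshd_option PermitRootLogin no
  # Skipping reverse DNS on connect makes logins faster.
  set_sshd_option UseDNS no
  # TODO: `PasswordAuthentication no` once the admin user's key is installed
  # (plan item 2); turning it off before that would lock everyone out.
  # A broken sshd_config restarted blindly cuts off remote access — validate.
  /usr/sbin/sshd -t || die "sshd_config failed validation; sshd not restarted"
  service sshd restart
}

#######################################
# Shell history settings, file-descriptor/process limits, and root's vimrc.
#######################################
configure_shell_env() {
  # Keep only a tiny history and drop space-prefixed commands from it.
  # NOTE(review): this also removes most of the trail an incident
  # investigation would rely on — trade-off chosen by the author.
  sed -i 's/HISTSIZE=1000/HISTSIZE=10/' /etc/profile
  append_once /etc/profile 'HISTCONTROL=ignorespace'

  local line
  for line in '* soft nofile 65535' '* hard nofile 65535' \
              '* soft nproc 65535' '* hard nproc 65535'; do
    append_once /etc/security/limits.conf "$line"
  done

  # ~/.vimrc of the invoking (root) user.
  for line in 'set nu' 'set nohlsearch' 'set autoindent'; do
    append_once ~/.vimrc "$line"
  done
}

#######################################
# Install the commonly used tools.
# Optional yum mirror switch kept from the original, disabled:
#   cd /etc/yum.repos.d/ && mkdir other && mv *.repo other
#   wget http://mirrors.163.com/.help/CentOS6-Base-163.repo .
#   yum clean all && yum makecache
#######################################
install_packages() {
  yum -y install unix2dos dos2unix screen tree lrzsz expect telnet tcpdump
}

#######################################
# Restrict su to members of wheel by enabling the pam_wheel line in
# /etc/pam.d/su. The original uncommented line 6 by number; this keys on the
# line content instead (assumed to be the same line — confirm on the target).
# The admin user is deliberately not added to wheel: administration goes
# through sudo.
#######################################
restrict_su() {
  sed -i 's/^#[[:space:]]*\(auth[[:space:]]\{1,\}required[[:space:]]\{1,\}pam_wheel\.so[[:space:]]\{1,\}use_uid\)/\1/' /etc/pam.d/su
}

#######################################
# Grant the admin user full sudo. Uses a /etc/sudoers.d drop-in when the
# includedir directive is present, otherwise edits a copy of /etc/sudoers.
# Either way the result is validated with visudo before it is installed: a
# syntax error in sudoers disables sudo for everyone.
# Globals: ADMIN_USER, SCRATCH (read)
#######################################
grant_sudo() {
  local entry="${ADMIN_USER} ALL=(ALL) ALL"
  local tmp="${SCRATCH}/sudoers"
  if grep -q '^#includedir /etc/sudoers.d' /etc/sudoers; then
    printf '%s\n' "$entry" > "$tmp"
    visudo -cf "$tmp" || die "sudoers drop-in failed validation"
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/${ADMIN_USER}"
  else
    cp /etc/sudoers "$tmp"
    grep -qxF -- "$entry" "$tmp" || printf '%s\n' "$entry" >> "$tmp"
    visudo -cf "$tmp" || die "/etc/sudoers failed validation with new entry"
    install -m 0440 -o root -g root "$tmp" /etc/sudoers
  fi
}

#######################################
# Enable iptables and install the rule set.
# Globals: SSH_PORT, SYSCTL_CONF (read)
#######################################
configure_firewall() {
  service iptables start
  iptables -F
  # Loopback was missing from the original rules; with the DROP policy below
  # that blocked every new local connection (e.g. to a local database).
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp -m multiport --dports "80,443,${SSH_PORT}" -j ACCEPT
  # NOTE(review): -d matches the packet's *destination*. If this host's own
  # address is inside 192.168.0.0/24 the rule accepts every inbound packet
  # and nullifies the DROP policy; if the intent was to trust the LAN as a
  # source, it should be `-s 192.168.0.0/24` — confirm before deploying.
  iptables -A INPUT -d 192.168.0.0/24 -j ACCEPT
  iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp -m multiport --sports "80,443,${SSH_PORT}" -j ACCEPT
  iptables -A OUTPUT -s 192.168.0.0/24 -j ACCEPT
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  service iptables save
  service iptables restart
  # The conntrack module is loaded now, so the nf_conntrack keys can apply.
  sysctl -p "$SYSCTL_CONF" >/dev/null 2>&1 || true
}

#######################################
# Turn off services the author considers unnecessary. Services that are not
# installed are skipped instead of aborting the run.
#######################################
disable_unneeded_services() {
  # NOTE(review): auditd off removes the kernel audit log, which is usually
  # the primary forensic source on a compromised host — consider keeping it.
  local svc
  for svc in acpid auditd cups cpuspeed dnsmasq rpcgssd nfslock mdmonitor \
             lvm2-monitor mcelogd abrt-ccpp autofs atd certmonger kdump \
             portreserve jexec hypervkvpd blk-availability; do
    if chkconfig --list "$svc" >/dev/null 2>&1; then
      chkconfig "$svc" off
    fi
  done
}

#######################################
# Entry point: check preconditions, run every step in order, reboot.
# Globals: ADMIN_PASSWORD (read), SCRATCH (written)
#######################################
main() {
  (( EUID == 0 )) || die "must run as root"
  : "${ADMIN_PASSWORD:?set ADMIN_PASSWORD in the environment}"

  SCRATCH=$(mktemp -d) || die "mktemp failed"
  readonly SCRATCH
  trap 'rm -rf -- "$SCRATCH"' EXIT

  tune_kernel
  create_admin_user
  set_locale_and_timezone
  harden_sshd
  configure_shell_env
  install_packages
  restrict_su
  grant_sudo
  configure_firewall
  disable_unneeded_services

  # Reboot so the SELinux, locale and time-zone changes take effect.
  shutdown -r now
}

main "$@"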