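#!/bin/bash
#
# Initial hardening / tuning of a freshly installed CentOS 6 host.
#
# What the script does, in order:
#   1. switch SELinux to disabled (permissive immediately, disabled after reboot)
#   2. kernel network tuning via /etc/sysctl.conf
#   3. create the admin account "wsyht", give it sudo
#   4. set the system locale to en_US
#   5. move sshd to port 9527, forbid root login, turn off UseDNS
#   6. shell history limits, file-descriptor limits, common packages, vimrc
#   7. restrict "su" to members of the wheel group
#   8. time zone Asia/Shanghai
#   9. iptables rules, unneeded services off
#  10. reboot
#
# Usage (as root):   NEW_USER_PASSWORD='...' ./init.sh
#
# Required env:  NEW_USER_PASSWORD - initial password for the "wsyht" account.
#                An earlier revision had this value hard-coded in the script;
#                it must come from the environment (or a secrets file) instead.
#
# Original planning notes kept from the author (items "generate a key pair",
# "disable password login" and "install fail2ban" were listed but never
# implemented in this script):
#   1. forbid root login, forbid password login, add ordinary users
#   2. generate a key pair
#   3. let two ordinary users escalate via sudo
#   4. enable firewall and set rules
#   5. install fail2ban
#   6. change ssh port
#   7. forbid su

set -euo pipefail

readonly NEW_USER=wsyht
readonly SSH_PORT=9527
readonly LAN_NET=192.168.0.0/24
readonly SYSCTL_CONF=/etc/sysctl.conf
readonly SSHD_CONF=/etc/ssh/sshd_config

die() { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warn: %s\n' "$*" >&2; }

#######################################
# Append a line to a file unless an identical line is already present, so
# re-running the script does not pile up duplicate entries.
# Arguments: $1 - file, $2 - line
#######################################
append_once() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

#######################################
# Set "key = value" in sysctl.conf, replacing any active entry for the key
# (the original appended blindly, so repeated runs produced duplicates and the
# same key appeared twice with different values).
# Arguments: $1 - sysctl key, $2 - value (may contain spaces)
#######################################
set_sysctl() {
  local key=$1 value=$2
  local re=${key//./\\.}   # dots are regex metacharacters; escape them
  sed -i "/^[[:space:]]*${re}[[:space:]]*=/d" "$SYSCTL_CONF"
  printf '%s = %s\n' "$key" "$value" >> "$SYSCTL_CONF"
}

#######################################
# Set an sshd_config directive. Active occurrences are removed and the
# directive is inserted at the top of the file, so it never lands inside a
# trailing "Match" block and does not depend on a fixed line number.
# Arguments: $1 - directive, $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  sed -i "/^[[:space:]]*${key}[[:space:]]/d" "$SSHD_CONF"
  sed -i "1i ${key} ${value}" "$SSHD_CONF"
}

#######################################
# Step 1: SELinux off. The config edit only takes effect after reboot;
# setenforce 0 makes the rest of this script (sshd on a non-standard port)
# work in the meantime.
# NOTE(review): this weakens the host; kept because it is the author's stated goal.
#######################################
disable_selinux() {
  [[ -f /etc/selinux/config ]] || { warn "/etc/selinux/config missing, skipping"; return 0; }
  sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
  setenforce 0 2>/dev/null || warn "setenforce 0 failed (SELinux may already be disabled)"
}

#######################################
# Step 2: kernel network tuning. Values are the author's; where the original
# file set a key twice, only the value that won (the later one) is kept.
#######################################
configure_sysctl() {
  local kv
  local -a settings=(
    'net.ipv4.tcp_max_tw_buckets|6000'
    'net.ipv4.tcp_sack|1'
    'net.ipv4.tcp_window_scaling|1'
    'net.ipv4.tcp_rmem|4096 87380 4194304'
    'net.ipv4.tcp_wmem|4096 16384 4194304'
    'net.core.wmem_default|8388608'
    'net.core.rmem_default|8388608'
    'net.core.rmem_max|16777216'
    'net.core.wmem_max|16777216'
    'net.core.netdev_max_backlog|262144'
    'net.core.somaxconn|262144'
    'net.ipv4.tcp_max_orphans|3276800'
    'net.ipv4.tcp_max_syn_backlog|262144'
    # NOTE(review): with timestamps off, tcp_tw_reuse below presumably has no
    # effect (it relies on TCP timestamps) -- confirm before relying on it.
    'net.ipv4.tcp_timestamps|0'
    'net.ipv4.tcp_synack_retries|1'
    'net.ipv4.tcp_syn_retries|1'
    # tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12;
    # harmless on the CentOS 6 kernel this targets, do not carry it forward.
    'net.ipv4.tcp_tw_recycle|1'
    'net.ipv4.tcp_tw_reuse|1'
    'net.ipv4.tcp_mem|94500000 915000000 927000000'
    # the original line lost this value to a stray fd redirection ("30>>")
    'net.ipv4.tcp_fin_timeout|30'
    'net.ipv4.tcp_keepalive_time|30'
    'net.ipv4.ip_local_port_range|1024 65000'
    # conntrack sizing: only meaningful while iptables is enabled (it is, below)
    'net.nf_conntrack_max|25000000'
    'net.netfilter.nf_conntrack_max|25000000'
    'net.netfilter.nf_conntrack_tcp_timeout_established|180'
    'net.netfilter.nf_conntrack_tcp_timeout_time_wait|120'
    'net.netfilter.nf_conntrack_tcp_timeout_close_wait|60'
    'net.netfilter.nf_conntrack_tcp_timeout_fin_wait|120'
  )
  for kv in "${settings[@]}"; do
    set_sysctl "${kv%%|*}" "${kv#*|}"
  done
  # the original pointed -p at /etc/sysconfig (a directory), so nothing was
  # applied until reboot; nf_conntrack keys still fail here if the module is
  # not loaded yet, which is why this is a warning rather than fatal
  sysctl -p "$SYSCTL_CONF" || warn "some sysctl keys could not be applied now; they apply at reboot"
}

#######################################
# Step 3: admin user with sudo. The password is taken from the environment,
# never from the script; --stdin keeps it out of argv/ps.
# Globals: NEW_USER (read), NEW_USER_PASSWORD (read)
#######################################
create_admin_user() {
  : "${NEW_USER_PASSWORD:?NEW_USER_PASSWORD must be set in the environment}"
  id -u "$NEW_USER" >/dev/null 2>&1 || useradd "$NEW_USER"
  printf '%s\n' "$NEW_USER_PASSWORD" | passwd --stdin "$NEW_USER"

  # sudo entry as a validated drop-in instead of inserting at line 98 of
  # /etc/sudoers (a fixed line number silently corrupts a different file)
  local dropin="/etc/sudoers.d/$NEW_USER"
  printf '%s   ALL=(ALL)         ALL\n' "$NEW_USER" > "$dropin"
  chmod 0440 "$dropin"
  visudo -cf "$dropin" >/dev/null || die "invalid sudoers entry in $dropin"
  append_once /etc/sudoers '#includedir /etc/sudoers.d'
}

#######################################
# Step 4: system locale zh_CN -> en_US (CentOS 6 style i18n file).
#######################################
set_locale() {
  [[ -f /etc/sysconfig/i18n ]] || { warn "/etc/sysconfig/i18n missing, skipping"; return 0; }
  sed -i 's#zh_CN#en_US#g' /etc/sysconfig/i18n
}

#######################################
# Step 5: sshd hardening. Config is validated before the restart so a bad
# edit cannot leave the host without sshd.
#######################################
harden_sshd() {
  set_sshd_option Port "$SSH_PORT"
  set_sshd_option PermitRootLogin no
  set_sshd_option UseDNS no   # skip reverse DNS lookups -> faster logins
  # "PasswordAuthentication no" was planned by the author but left commented
  # out; enable it only once a key pair is actually deployed for $NEW_USER.
  sshd -t || die "sshd_config failed validation; sshd not restarted"
  service sshd restart
}

#######################################
# Step 6a: shell history. HISTSIZE is reduced and commands starting with a
# space are not recorded, so sensitive commands can be kept out of history.
#######################################
configure_shell_env() {
  sed -i 's/^HISTSIZE=.*/HISTSIZE=10/' /etc/profile
  append_once /etc/profile 'HISTCONTROL=ignorespace'
}

#######################################
# Step 6b: file-descriptor / process limits for all users.
#######################################
configure_limits() {
  local line
  for line in \
    '* soft nofile 65535' \
    '* hard nofile 65535' \
    '* soft nproc 65535' \
    '* hard nproc 65535'; do
    append_once /etc/security/limits.conf "$line"
  done
}

#######################################
# Step 6c: commonly used packages.
# The author's yum mirror switch is kept here for reference (unchanged, still
# disabled):
#   cd /etc/yum.repos.d/; mkdir other; mv *.repo other
#   wget http://mirrors.163.com/.help/CentOS6-Base-163.repo .
#   yum clean all; yum makecache
#######################################
install_packages() {
  yum -y install unix2dos dos2unix screen tree lrzsz expect telnet tcpdump
}

#######################################
# Step 6d: vim defaults for the invoking (root) user's ~/.vimrc.
#######################################
configure_vimrc() {
  local opt
  for opt in 'set nu' 'set nohlsearch' 'set autoindent'; do
    append_once ~/.vimrc "$opt"
  done
}

#######################################
# Step 7: only wheel members may su. Uncomments the pam_wheel line by
# pattern instead of by line number.
#######################################
restrict_su() {
  sed -i 's/^#[[:space:]]*\(auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid\)/\1/' /etc/pam.d/su
}

#######################################
# Step 8: time zone Asia/Shanghai.
#######################################
set_timezone() {
  [[ -f /etc/sysconfig/clock ]] && sed -i 's#^ZONE=.*#ZONE="Asia/Shanghai"#' /etc/sysconfig/clock
  ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime   # -f replaces the old file
}

#######################################
# Step 9a: iptables. Default DROP on both chains; loopback rules are added
# because a DROP policy without them breaks every local service.
# Globals: SSH_PORT, LAN_NET (read)
#######################################
configure_firewall() {
  service iptables start || warn "iptables service did not start cleanly"
  iptables -F
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp -m multiport --dports "80,443,${SSH_PORT}" -j ACCEPT
  # NOTE(review): kept as written, but "-d" on INPUT matches the host's own
  # address; if this host sits in $LAN_NET it accepts all inbound traffic.
  # "-s" (source) is presumably what was intended -- confirm with the author.
  iptables -A INPUT -d "$LAN_NET" -j ACCEPT
  iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp -m multiport --sports "80,443,${SSH_PORT}" -j ACCEPT
  iptables -A OUTPUT -s "$LAN_NET" -j ACCEPT
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  service iptables save
  service iptables restart
}

#######################################
# Step 9b: services not needed on this host. Missing services are skipped
# instead of aborting the run.
# NOTE(review): auditd off removes the kernel audit trail; reconsider if
# audit logs are required.
#######################################
disable_unneeded_services() {
  local svc
  local -a services=(
    acpid auditd cups cpuspeed dnsmasq rpcgssd nfslock mdmonitor
    lvm2-monitor mcelogd abrt-ccpp autofs atd certmonger kdump
    portreserve jexec hypervkvpd blk-availability
  )
  for svc in "${services[@]}"; do
    chkconfig "$svc" off 2>/dev/null || warn "service $svc not present, skipped"
  done
}

main() {
  [[ $(id -u) -eq 0 ]] || die "must run as root"
  disable_selinux
  configure_sysctl
  create_admin_user
  set_locale
  harden_sshd
  configure_shell_env
  configure_limits
  install_packages
  configure_vimrc
  restrict_su
  set_timezone
  configure_firewall
  disable_unneeded_services
  # Step 10: SELinux state and the conntrack sysctl keys settle at reboot.
  shutdown -r now
}

main "$@"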