#!/bin/bash
# author wangqd
# description:this is a centos6.7 optimization script
# processname: 升级系统,精简服务,安装基本配置,记录bash执行时间,安全配置,su加固,ssh优化,iptables设置,时间同步 系统优化
#检查是否为root用户;
if [ $(id -u) != "0" ];then
echo "运行此脚本需要root权限!"
fi
yum update -y >> /etc/null
if [ $? = "0" ];then
echo "系统暂时无需更新"
fi
#精简服务
# 关闭ipv6防火墙
chkconfig ip6tables off
if [ $? = "0" ];then
echo "设置ipv6防火墙开机不自启成功"
else
echo "设置ipv6防火墙开机不自启成功失败"
fi
# 关闭iscsi服务
chkconfig iscsi off
if [ $? = "0" ];then
echo "设置iscsi服务开机不自启成功"
else
echo "设置iscsi服务开机不自启失败"
fi
# 关闭iscsi相关服务
chkconfig iscsid off
if [ $? = "0" ];then
echo "设置iscsi相关服务开机不自启成功"
else
echo "设置iscsi相关服务开机不自启失败"
fi
# 关闭NFS,smaba和NetWare网络文件系统
chkconfig netfs off
if [ $? = "0" ];then
echo "设置NFS,smaba和NetWare网络文件系统开机不自启成功"
else
echo "设置NFS,smaba和NetWare网络文件系统开机不自启失败"
fi
# linux的审计功能
chkconfig auditd off
if [ -f "/var/lock/subsys/auditd" ];then
echo "linux的审计功能"
else
echo "linux的审计功能未开启"
fi
# 关闭TCP/IP网络共享文件的协议的NFS的文件锁功能
if [ -f "/var/lock/subsys/nfslock" ];then
chkconfig nfslock off
echo "关闭TCP/IP网络共享文件的协议的NFS的文件锁功能"
else
echo "TCP/IP网络共享文件的协议的NFS的文件锁功能未开启"
fi
# 关闭 NFS v4
if [ -f "/var/lock/subsys/rpcgssd" ];then
chkconfig rpcgssd off
echo "关闭 NFS-rpcgssd"
else
echo "NFS-rpcgssd服务未开启"
fi
# 关闭RPC服务
if [ -f "/var/lock/subsys/rpcbind" ];then
chkconfig rpcbind off
echo "关闭RPC rpcbind服务"
else
echo "RPC服务未开启"
fi
# 关闭 NFS v4
if [ -f "/var/lock/subsys/rpcidmapd" ];then
chkconfig rpcidmapd off
echo "关闭 rpcidmapd"
else
echo "rpcidmapd服务未开启"
fi
# 关闭系�y对Logical Volume Manager 逻辑磁区的支持
if [ -f "/var/lock/subsys/lvm2-monitor" ];then
chkconfig lvm2-monitor off
echo "关闭系�y对Logical Volume Manager 逻辑磁区的支持"
else
echo "系�y对Logical Volume Manager 逻辑磁区的支持未开"
fi
# 关闭邻近发现协议
if [ -f "/var/lock/subsys/lldpad" ];then
chkconfig lldpad off
echo "关闭邻近发现协议"
else
echo "邻近发现协议未开启"
fi
#安装基本组件
# setuptool Python的 distutilsde工具的增强工具(py2.3.5以上 64位py2.4)
# ntsysv 设置系统的各种服务
# system-config-firewall-tui 命令行用户接口(TUI)的防火墙客户端
# system-config-network-tui 安装Fedora网络配置的工具
yum install -y setuptool ntsysv system-config-firewall-tui system-config-network-tui cronie wget vim unzip openssh-clients screen rsync ftp telnet >> /etc/null
if [ $? = "0" ];then
echo "基本组件安装完成"
else
echo "基本组件已安装过"
fi
#记录每次bash命令的执行时间
time="HISTTIMEFORMAT=\"%Y-%m-%d\ %H:%M:%S\""
grep "$time" /etc/profile >> /etc/null
if [ $? = "0" ];then
echo "记录每次bash命令的执行时间已经做过"
else
line=$(sed -n "/export\ PATH\ USER/=" /etc/profile| tail -n1)
sed -i "${line}a HISTTIMEFORMAT=\"%Y-%m-%d\ %H:%M:%S\"\nexport\ HISTTIMEFORMAT" /etc/profile
echo "记录每次bash命令的执行时间已经成功"
fi
#安全配置
grep "^SELINUX=disabled" /etc/selinux/config
if [ $? = "0" ];then
echo "已经做过安全配置"
else
selinux1=$(grep "^SELINUX=enforcing" /etc/selinux/config)
sed -i "s/$selinux1/SELINUX=disabled/" /etc/selinux/config
echo "服务器安全配置已经完成"
fi
#su加固
grep "^auth" /etc/pam.d/su|grep "pam_wheel.so use_uid"
if [ $? = "0"];then
echo "su 已加固"
else
line2=$(sed -n "/^auth/=" /etc/pam.d/su|tail -1 )
sed -i "${line2}a auth\ \ \ \ \ \ required\ \ \ \ pam_wheel.so\ use_uid" /etc/pam.d/su
echo "su加固成功"
fi
#ssh 优化
#port 端口
grep "^Port[[:space:]]" /etc/ssh/sshd_config|grep "58022"
if [ $? = "0" ];then
echo "ssh端口号设置正确修改"
else
check1=$(grep "^#Port" /etc/ssh/sshd_config)
sline1=$(sed -n "/$check1/=" /etc/ssh/sshd_config)
sed -i "/^Port/d" /etc/ssh/sshd_config
sed -i "${sline1}a Port\ 58022" /etc/ssh/sshd_config
echo "SSH已改为58022"
fi
#不允许用root进行登录
grep "^PermitRootLogin[[:space:]]" /etc/ssh/sshd_config|grep "no"
if [ $? = "0" ];then
echo "ssh不允许root登录功能已设置"
else
check2=$(grep "^#PermitRootLogin[[:space:]]" /etc/ssh/sshd_config)
sline2=$(sed -n "/$check2/=" /etc/ssh/sshd_config)
sed -i "/^PermitRootLogin/d" /etc/ssh/sshd_config
sed -i "${sline2}a PermitRootLogin\ no" /etc/ssh/sshd_config
echo "不允许root登录ssh设置成功"
fi
#不允许空密码登录
grep "^PermitEmptyPasswords[[:space:]]" /etc/ssh/sshd_config|grep "no"
if [ $? = "0" ];then
echo "请查看ssh不允许空密码登录已被设置"
else
check3=$(grep "^#PermitEmptyPasswords[[:space:]]" /etc/ssh/sshd_config)
sline3=$(sed -n "/$check3/=" /etc/ssh/sshd_config)
sed -i "/^PermitEmptyPasswords/d" /etc/ssh/sshd_config
sed -i "${sline3}a PermitEmptyPasswords\ no" /etc/ssh/sshd_config
echo "ssh不允许空密码登录设置成功"
fi
#禁用DNS
grep "^GSSAPIAuthentication[[:space:]]" /etc/ssh/sshd_config|grep "no"
if [ $? = "0" ];then
echo "禁用DNS已被设置"
else
check4=$(grep "#GSSAPIAuthentication[[:space:]]" /etc/ssh/sshd_config)
sed -i "/^GSSAPIAuthentication/d" /etc/ssh/sshd_config
sline4=$(sed -n "/$check4/=" /etc/ssh/sshd_config)
sed -i "${sline4}c GSSAPIAuthentication\ no" /etc/ssh/sshd_config
echo "禁用DNS设置成功"
fi
#禁用UseDNS
grep "^UseDNS[[:space:]]" /etc/ssh/sshd_config|grep "no"
if [ $? = "0" ];then
echo "禁用UseDNS已被设置"
else
check5=$(grep "^#UseDNS[[:space:]]" /etc/ssh/sshd_config)
sline5=$(sed -n "/$check5/=" /etc/ssh/sshd_config)
sed -i "/^UseDNS/d" /etc/ssh/sshd_config
sed -i "${sline5}a UseDNS\ no" /etc/ssh/sshd_config
echo "禁用UseDNS设置成功"
fi
#AllowUsers
sed -i "/^AllowUsers/d" /etc/ssh/sshd_config
if [ $? = "0" ];then
echo "SSH的其他允许登录的用户已被删除"
else
echo "ssh 无其他允许登录的用户"
fi
AU=$(sed -n "/^#/=" /etc/ssh/sshd_config|tail -1)
sed -i "${AU}a AllowUsers\ $1" /etc/ssh/sshd_config
if [ $? = "0" ];then
echo "AllowUsers已设置用户成功"
else
echo "AllowUsers设置用户失败"
fi
#设置防火墙
iptab="-A\ INPUT\ -m\ state\ --state\ NEW\ -m\ tcp\ -p\ tcp\ --dport\ 58022\ -j\ ACCEPT"
grep "58022" /etc/sysconfig/iptables
if [ $? != 0 ];then
line8=$(sed -n "/22/=" /etc/sysconfig/iptables|head -1)
sed -i "${line8}a $iptab" /etc/sysconfig/iptables
echo "添加58022端口成功"
#line9=$(sed -n "/lo/=" /etc/sysconfig/iptables|head -1)
#sed -i "${line9}a $iptab" /etc/sysconfig/iptables
else
echo "58022 已被设置请查看"
fi
/etc/init.d/sshd restart
if [ $? = "0" ];then
echo "sshd已重启"
fi
/etc/init.d/iptables restart
if [ $? = "0" ];then
echo "iptables"
fi
#时间同步
yum install ntp -y >> /etc/null
if [ $? = "0" ];then
echo "ntp服务已被安装"
fi
/usr/sbin/ntpdate time.nist.gov
if [ $? = "0" ];then
echo "本地时间一同步时间服务器"
fi
/sbin/hwclock --systohc
if [ $? = "0" ];then
echo "系统时间已同步到硬件"
fi
#将时间同步写入计划日志
line10=$(sed -n "/^#/=" /etc/crontab|tail -1)
sed -i "${line10}a 5\ */6\ *\ *\ *\ /usr/sbin/ntpdate time.nist.gov\ >\ /dev/null\ 2>&1" /etc/crontab
if [ $? = "0" ];then
echo "时间同步已写入计划日志"
fi
#优化内核参数
line11=$(sed -n "/^#/=" /etc/sysctl.conf|tail -1)
sed -i "${line11}a net.ipv4.tcp_max_syn_backlog\ =\ 65536\nnet.core.netdev_max_backlog\ =\ 32768\nnet.core.somaxconn\ =\ 32768\nnet.core.wmem_default\ =\ 8388608\nnet.core.rmem_default\ =\ 8388608\nnet.core.rmem_max\ =\ 16777216\nnet.core.wmem_max\ =\ 16777216net.ipv4.tcp_timestamps\ =\ 0\nnet.ipv4.tcp_synack_retries\ =\ 2\nnet.ipv4.tcp_syn_retries\ =\ 2\nnet.ipv4.tcp_tw_recycle\ =\ 1\n#net.ipv4.tcp_tw_len\ =\ 1\nnet.ipv4.tcp_tw_reuse\ =\ 1\nnet.ipv4.tcp_mem\ =\ 94500000\ 915000000\ 927000000\nnet.ipv4.tcp_max_orphans\ =\ 3276800\nnet.ipv4.ip_local_port_range\ =\ 1024\ 65535" /etc/sysctl.conf
if [ $? = "0" ];then
echo "系统已经优化完成"
fi
#创建wheel用户
useradd -G wheel $1
echo "$2" | passwd $1 --stdin > /dev/null 2>&1
if [ $? = "0" ];then
echo "user is created!"
fi
echo "SU_WHEEL_ONLY yes" >> /etc/login.defs
#只允许wheel用户su到root
if [ $? = "0" ];then
echo "只允许wheel用户su到root执行成功"
else
echo "只允许wheel用户su到root执行失败请查看"
fi
init 6