常用脚本1及Linux安全设置脚本 部分安全
Linux运维常用脚本总结
1.日志切割
# nginx 日志分割日志#!/bin/bash --loginshopt -s expand_aliasesdatestr=$(date -d "-1 days" +%Y-%m-%d)echo $datestr;mv /test/log/nginx/access.log /test/log/nginx/access_${datestr}.logmv /test/log/nginx/error.log /test/log/nginx/error_${datestr}.logsleep 1service nginx reload
2.删除日志脚本
#!/bin/bash --loginshopt -s expand_aliases#日志保留天数log_max_stay_days=7# 根据时间删除指定路径下的log文件function del_log_by_time(){dir=$1days=$2filePattern=$3if [ -d ${dir} ] && [ ${#dir} -gt 2 ]; thenrm -f ${dir}/*.`date -d '-'${days}' days' +%Y-%m-%d`.*find ${dir} -mtime +$((days-1)) -name "${filePattern}" -exec rm -f {} \;fi}function del_log(){# 删除tomcat日志del_log_by_time "/test/tomcat/logs" $log_max_stay_days "*.*"# 删除nginx日志del_log_by_time "/test/log/nginx" $log_max_stay_days "*.log"# 删除redis日志del_log_by_time "/test/log/redis" $log_max_stay_days "*.log"}del_log $@
3.数据备份
# 临时备份,通常用xtrabackup做全量和增量备份。DB_USER=rootDB_PWD=123DB_PORT=3306DB_HOST=127.0.0.1# 本机部署时,请将MEDIA_SERVER改为localhost或者置为空MEDIA_SERVER=SSH_PORT=22BACKUP_BIZ=1#数据库名称DATABASE_BIZ="db1,db2,db3"back_path=/test/backup/A_db_bak_noce_a_week/#备份最少保留天数file_backup_max_stay_days=7function get_databases(){DATABASES=""if [ "$BACKUP_BIZ" == "1" ];thenDATABASES=$DATABASE_BIZfiDATABASES=${DATABASES##,}if [ "$DATABASES" == "" ];thenERROR_INFO="配置了不导出BIZ及STAT"return 1fireturn 0}# 根据时间删除指定路径下的log文件function del_log_by_time(){dir=$1days=$2filePattern=$3dirFlag=$4if [ -d ${dir} ] && [ ${#dir} -gt 2 ]; thenif [ "${dirFlag}" == "1" ];thenfind ${dir} -mtime +$((days-1)) -type d -name "${filePattern}" -exec rm -rf {} \;elsefind ${dir} -mtime +$((days-1)) -name "${filePattern}" -exec rm -f {} \;fifi}#复制到多媒体路径function move_to_media_server(){to_move_file=$1if [ "$MEDIA_SERVER" == "localhost" ] || [ `ifconfig |grep "$MEDIA_SERVER "|wc -l` -gt 0 ];thenERROR_INFO="多媒体服务即本机,无需上传"return 1fiif [ "$MEDIA_SERVER" == "" ];thenERROR_INFO="未能获取多媒体服务器"return 1fi# 判断免密状态,无则不复制if [ `cat /root/.ssh/known_hosts |grep -E "$MEDIA_SERVER |$MEDIA_SERVER," |wc -l` -lt 1 ];thenERROR_INFO="未设置免密登录到$MEDIA_SERVER"return 1fihostname=$(hostname)ssh -p $SSH_PORT -o "StrictHostKeyChecking no" root@$MEDIA_SERVER "mkdir -p $back_path/${hostname}"scp -r -P $SSH_PORT $to_move_file root@$MEDIA_SERVER:$back_path/${hostname}/return 0}# 全量备份function backup_full(){echo "开始全量备份...."get_databasesif [ "$DATABASES" == "" ];thenSUCCESS_FLAG=0elseOLD_IFS=$IFSIFS=","db_arr=($DATABASES)cd $back_pathfor dbname in ${db_arr[@]}domydumper -h $DB_HOST -u $DB_USER -p $DB_PWD -P $DB_PORT -G -E -R -B $dbname -o ${dbname}_$(date +%Y-%m-%d)/ -v 3 -t 3 -kSUCCESS_FLAG=$?tar czf ${dbname}_$(date +%Y-%m-%d).tar.gz ${dbname}_$(date +%Y-%m-%d)/rm -rf ${dbname}_$(date +%Y-%m-%d)/move_to_media_server ${back_path}/${dbname}_$(date +%Y-%m-%d).tar.gzif [ $? -eq 1 ];thenecho $ERROR_INFOfidel_log_by_time "${back_path}" $file_backup_max_stay_days "${dbname}_*.tar.gz"del_log_by_time "${back_path}" $file_backup_max_stay_days "${dbname}_*.log"donefiecho "结束备份!"}function run(){if [ "$DB_PORT" == "" ];thenDB_PORT=3306fibackup_full}run $@
4.过滤大表导出数据库
#execute all script in specified directorydt=`date +%Y%m%d%H%M`db_IP=127.0.0.1 # 测试库IPdb_pass=abc@123 # 测试库密码db_name=test # 测试库名称db_port=3306 # 测试库端口MAX=100 #大表定义,将不会导出超过100MB的表dir=exp_$dt #导出目录cd /testmkdir $dir# 导出echo "查询 测试库大于$MAX的大表,并存入big_test.txt"mysql -uroot -h$db_IP -p$db_pass -P$db_port -N -e "select concat('$db_name.', TABLE_NAME) from (SELECT TABLE_NAME,DATA_LENGTH,INDEX_LENGTH,(DATA_LENGTH+INDEX_LENGTH) as length,TABLE_ROWS,round((DATA_LENGTH+INDEX_LENGTH)/1024/1024,3) as total_size FROM information_schema.TABLES WHERE TABLE_SCHEMA='$db_name' ) a where a.total_size>$MAX;" >>/test/$dir/big_test.txtecho "已找到"#排除大表导出mydumper -h $db_IP -u root -p $db_pass -P $db_port -G -E -R -B $db_name -O /test/$dir/big_test.txt -o /test/$dir/test -v 3 -t 4 -k#单独导出大表结构,无数据cat /test/$dir/big_test.txt |while read linedomysqldump -h$db_IP -uroot -p$db_pass -d $db_name ${line#*.} >> /test/$dir/$line.sqlecho $linedoneecho "导出 测试库成功!"
Linux安全设置脚本 部分安全
#!/bin/bash#1.备份本次脚本需要修改的文件#2.设定密码策略/etc/login.defssed -i '/^PASS_MAX_DAYS/c PASS_MAX_DAYS 90' /etc/login.defssed -i '/^PASS_MIN_DAYS/c PASS_MIN_DAYS 10' /etc/login.defssed -i '/^PASS_MIN_LEN/c PASS_MIN_LEN 8' /etc/login.defssed -i '/^PASS_WARN_AGE/c PASS_WARN_AGE 5' /etc/login.defscat /etc/login.defs|grep -v "^#"|grep -v "^$"result.txt#3.修改内核设置:|grep -v "^#"|grep -v "^$"echo "net.ipv4.tcp_max_syn_backlog = 4096" /etc/sysctl.confecho "net.ipv4.conf.all.rp_filter = 1" /etc/sysctl.confecho "net.ipv4.conf.all.accept_source_route = 0" /etc/sysctl.confecho "net.ipv4.conf.all.accept_redirects = 0" /etc/sysctl.confecho "net.ipv4.conf.all.secure_redirects = 0" /etc/sysctl.confecho "net.ipv4.conf.default.rp_filter = 1" /etc/sysctl.confecho "net.ipv4.conf.default.accept_source_route = 1" /etc/sysctl.confecho "net.ipv4.conf.default.accept_redirects = 0" /etc/sysctl.confecho "net.ipv4.conf.default.secure_redirects = 0" /etc/sysctl.confecho "net.ipv4.conf.all.send_redirects = 0" /etc/sysctl.confecho "net.ipv4.conf.default.send_redirects = 0" /etc/sysctl.confcat /etc/sysctl.conf|grep -v "^#"|grep -v "^$"result.txt#4.远程登录安全设置sshdconfigsed -i '/^#PermitRootLogin/c PermitRootLogin no' /etc/ssh/sshd_configsed -i '/^#MaxAuthTries 6/c MaxAuthTries 6' /etc/ssh/sshd_configsed -i "/^#UseDNS yes/c UseDNS no" /etc/ssh/sshd_configsed -i '/^#ClientAliveCountMax 3/c ClientAliveCountMax 3' /etc/ssh/sshd_config#5.增加登录超时设置echo "TMOUT=300" /etc/profile#6.锁定不需要的用户passwd -l ftppasswd -l nobody#7.修改重要文件的权限chown root:root /etc/sysctl.confchmod 0600 /etc/sysctl.confsed -i '/^#required pam_wheel.so use.uid/c required pam_wheel.so use.uid' /etc/pam.d/su
