centos 7 & 6 优化脚本
简单优化，未涉及安全优化，如有需求请自行修改脚本实现
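#!/bin/bash
#
# CentOS 6/7 one-shot tuning script (menu driven, must run as root).
#   1) write a static ifcfg file for the first NIC and hand the interface
#      to the legacy "network" service
#   2) sshd tweaks, IPv6/SELinux/firewall shutdown, ntpdate cron entry,
#      ulimit/limits.conf, sysctl, and the "new mail" prompt
#   3) install a per-prompt command log under /var/log/Command
#
# Option 2 deliberately turns SELinux and the host firewall off; that is the
# author's choice for this script, not something the other steps need, and it
# leaves the host relying entirely on upstream filtering.
# Option 3 is a convenience trail, not an audit log: it is driven by
# PROMPT_COMMAND in /etc/profile, which an interactive user can change in their
# own session, so use auditd/pam_tty_audit when a tamper-resistant record is
# required.
#
# No `set -e`: several service/chkconfig calls are expected to fail on hosts
# that lack the service, and PanDuan checks $? explicitly where it matters.

# Major release ("6" or "7") from /etc/redhat-release, e.g.
# "CentOS Linux release 7.6.1810 (Core)" -> "7".
SysVer=$(awk -F'release' '{print $2}' /etc/redhat-release | awk -F'[ .]+' '{print $2}')

readonly NetPath="/etc/sysconfig/network-scripts/"

# First ifcfg-* file that is not the loopback ("ifcfg-eth0" -> NetName "eth0").
# Left empty when no such file exists; option 1 refuses to run in that case.
NetCnf=""
for cfg in "$NetPath"ifcfg-*; do
  [[ -e "$cfg" ]] || continue
  [[ "${cfg##*/}" == "ifcfg-lo" ]] && continue
  NetCnf=${cfg##*/}
  break
done
NetName=${NetCnf#ifcfg-}

clear
echo "#####################################"
echo "###### 1、配置网络 ######"
echo "###### 2、优化系统 ######"
echo "###### 3、命令审计 ######"
echo "###### 4、其他功能 ######"
echo "#####################################"
read -r -p "Please Input Number (1/2/3) :" Nmb
case "$Nmb" in
  1|2|3) ;;
  *)
    # Covers empty input too; the old [ ! $Nmb == 1 ] test threw a syntax
    # error instead of this message when nothing was typed.
    echo -e "\033[41;33;5m Input ERROR,you Can only enter 1 or 2 or 3 \033[0m"
    exit 110
    ;;
esac

#######################################
# Spinner/progress bar (about two seconds) shown before each change.
# Outputs: ANSI progress line to stdout.
#######################################
Jdt(){
  local i=0 str="" index color pct
  local -a spinner=("|" "/" "-" "\\")
  echo "准备中..."
  while (( i <= 20 )); do
    index=$(( i % 4 ))
    color=$(( 30 + i % 8 ))
    pct=$(( i * 5 ))
    printf "\e[0;%d;1m[%-20s][%d%%]%c\r" "$color" "$str" "$pct" "${spinner[$index]}"
    sleep 0.1
    i=$(( i + 1 ))
    str+='+'
  done
  printf "\n"
  echo "正在执行...稍候!"
}

#######################################
# Abort with a banner when the previous command failed.
# Reads $? of the caller's last command, so it must be the very next
# statement after the command it guards.
#######################################
PanDuan(){
  local rc=$?
  if (( rc != 0 )); then
    echo -e "\033[41;33;5m ERROR,Please To Check \033[0m"
    exit 110
  fi
}

#######################################
# Shared "unsupported release" exit used by every SysVer case.
#######################################
BadVersion(){
  echo -e "\033[41;33;5m System Version Error,Scripts only apply to Centos 6 and 7 versions \033[0m"
  exit 110
}

#######################################
# Restart crond on either release.
#######################################
RestartCrond(){
  case "$SysVer" in
    6) service crond restart >/dev/null 2>&1 ;;
    7) systemctl restart crond >/dev/null 2>&1 ;;
    *) BadVersion ;;
  esac
}

#######################################
# Return 0 when $1 is a dotted-quad IPv4 address with octets 0-255.
#######################################
IsIPv4(){
  local ip=$1 octet
  [[ "$ip" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so "08"/"09" are not parsed as bad octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Write a static ifcfg for CentOS 6 and switch NetworkManager off.
# Globals: NetPath, NetCnf, NetName, Ipa, Ntm, Gtw (read)
#######################################
C6NetWork(){
  cat > "$NetPath$NetCnf" << END
DEVICE=$NetName
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=$Ipa
NETMASK=$Ntm
GATEWAY=$Gtw
DNS1=114.114.114.114
DNS2=223.5.5.5

END

  service NetworkManager stop >/dev/null 2>&1
  chkconfig NetworkManager off >/dev/null 2>&1
  chkconfig network on >/dev/null 2>&1
  Jdt
  echo -e "\033[46;35;5m[ ## Network configuration succeeded ## ]\033[0m"
  echo -e "\033[46;35;5m[ ##### Please restart the server ##### ]\033[0m"
}

#######################################
# Write a static ifcfg for CentOS 7 and switch NetworkManager off.
# Globals: NetPath, NetCnf, NetName, Ipa, Ntm, Gtw (read)
#######################################
C7NetWork(){
  cat > "$NetPath$NetCnf" << EOF
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=$NetName
DEVICE=$NetName
ONBOOT=yes
IPADDR=$Ipa
NETMASK=$Ntm
GATEWAY=$Gtw
DNS1=223.5.5.5
DNS2=114.114.114.114

EOF

  systemctl stop NetworkManager >/dev/null 2>&1
  systemctl disable NetworkManager >/dev/null 2>&1
  systemctl enable network.service >/dev/null 2>&1
  Jdt
  echo -e "\033[40;35;5m[ ## Network configuration succeeded ## ]\033[0m"
  echo -e "\033[40;35;5m[ ##### Please restart the server ##### ]\033[0m"
}

#######################################
# Move sshd to a user-chosen port, turn off GSSAPI and reverse DNS lookups.
# The port is validated before it is spliced into the sed expressions, and
# the edited config is checked with `sshd -t` before the daemon is restarted
# so a broken file cannot take sshd down.
# Globals: SysVer (read), Pt (written)
#######################################
OptSSH(){
  local cfg=/etc/ssh/sshd_config
  echo "#########################################################"
  echo -e "\033[40;34;5m[ 配置SSH 端口 关闭DNS 反向解析 ]\033[0m"
  # read first: the original printed $Pt in the banner before asking for it
  read -r -p "Please enter the SSH port :" Pt
  if ! [[ "$Pt" =~ ^[0-9]{1,5}$ ]] || (( 10#$Pt < 1 || 10#$Pt > 65535 )); then
    echo -e "\033[41;33;5m Invalid SSH port: $Pt \033[0m"
    exit 110
  fi
  echo -e "\033[40;34;5m[ 关闭此终端后 请使用新SSH端口:$Pt 进行登陆 原端口失效 ]\033[0m"
  Jdt
  cp -a -- "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' "$cfg"
  sed -i 's/#UseDNS yes/UseDNS no/' "$cfg"
  sed -i "s/#Port 22/Port $Pt/" "$cfg"
  sed -i "s/^Port.*/Port $Pt/g" "$cfg"
  sed -i 's/#PrintMotd yes/PrintMotd yes/' "$cfg"
  if ! /usr/sbin/sshd -t -f "$cfg" >/dev/null 2>&1; then
    echo -e "\033[41;33;5m sshd_config failed validation (sshd -t), not restarting sshd \033[0m"
    exit 110
  fi
  # NOTE: with SELinux enforcing, a non-standard port needs ssh_port_t;
  # option 2 therefore runs OffSE before this function.
  case "$SysVer" in
    6)
      service sshd restart >/dev/null 2>&1
      PanDuan
      ;;
    7)
      systemctl restart sshd >/dev/null 2>&1
      PanDuan
      ;;
    *) BadVersion ;;
  esac
}

#######################################
# Disable IPv6 module loading via /etc/modprobe.conf (the author's path;
# current releases read /etc/modprobe.d/*.conf — TODO confirm on target).
#######################################
OffIPv6(){
  local conf=/etc/modprobe.conf
  clear
  echo "####################################"
  echo -e "\033[46;34;5m[ Shutdown IpV6 关闭IPv6 ]\033[0m"
  Jdt
  # sed -i errors on a missing file; the appends below create it anyway
  if [[ -f "$conf" ]]; then
    sed -i '/.*net-pf-10.*/d' "$conf"
    sed -i '/.*ipv6.*/d' "$conf"
  fi
  echo "alias net-pf-10 off" >> "$conf"
  echo "alias ipv6 off" >> "$conf"
}

#######################################
# Disable SELinux now (setenforce) and on next boot (config file).
#######################################
OffSE(){
  clear
  echo "####################################"
  echo -e "\033[40;34;5m[ Shutdown selinux ]\033[0m"
  Jdt
  sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
  setenforce 0 >/dev/null 2>&1
}

#######################################
# Stop and disable the host firewall (iptables on 6, firewalld on 7).
# After this the host accepts every inbound connection the network allows.
#######################################
OFFfirewalld(){
  clear
  echo "####################################"
  echo -e "\033[40;34;5m[ Shutdown Firewalld ]\033[0m"
  Jdt

  case "$SysVer" in
    6)
      service iptables stop >/dev/null 2>&1
      chkconfig iptables off >/dev/null 2>&1
      ;;
    7)
      systemctl stop firewalld >/dev/null 2>&1
      systemctl disable firewalld >/dev/null 2>&1
      ;;
    *) BadVersion ;;
  esac
}

#######################################
# Install a 5-minute ntpdate job in root's crontab, replacing any old one.
#######################################
TimeLock(){
  local crontab=/var/spool/cron/root
  clear
  echo "####################################"
  echo -e "\033[40;34;5m[ Configure TimeLock ]\033[0m"
  Jdt
  [[ -f "$crontab" ]] && sed -i '/.*ntpdate.*/d' "$crontab"
  echo "*/5 * * * * /usr/sbin/ntpdate 202.112.31.197 > /dev/null 2>&1" >> "$crontab"
  # crontab(1) creates spool files as 0600; match that when we create it via >>
  chmod 600 "$crontab"
  RestartCrond
}

#######################################
# Append the nofile/nproc limits block to limits.conf.
#######################################
FileLimitsConf(){
  cat >> /etc/security/limits.conf << COMMENTBLOCK
* soft nofile 102400
* hard nofile 102400
* soft nproc 102400
* hard nproc 102400
COMMENTBLOCK
}

#######################################
# Raise open-file / process limits (rc.local, limits.conf, limits.d, systemd).
# Globals: SysVer (read)
#######################################
LimitsFile(){
  local shu1 shu2
  clear
  echo "#####################################"
  echo -e "\033[40;34;5m[ Configure LimitNumber ]\033[0m"
  Jdt
  # grep -c prints nothing when the file is missing; treat that as 0
  shu1=$(grep -c ulimit /etc/rc.local 2>/dev/null)
  shu1=${shu1:-0}
  shu2=$(grep -c nofile /etc/security/limits.conf 2>/dev/null)
  shu2=${shu2:-0}
  if (( shu1 < 1 )); then
    echo "ulimit -SHn 102400" >> /etc/rc.local
  fi

  if (( shu2 < 2 )); then
    FileLimitsConf
  fi

  case "$SysVer" in
    6)
      # path kept from the original; CentOS 6 may ship 90-nproc.conf — TODO confirm
      sed -i 's/1024$/102400/' /etc/security/limits.d/20-nproc.conf
      ;;
    7)
      sed -i 's/4096$/20480/' /etc/security/limits.d/20-nproc.conf
      sed -i 's/^#DefaultLimitNOFILE=.*/DefaultLimitNOFILE=100000/g' /etc/systemd/system.conf
      sed -i 's/^#DefaultLimitNPROC=.*/DefaultLimitNPROC=100000/g' /etc/systemd/system.conf
      ;;
    *) BadVersion ;;
  esac
}

#######################################
# Replace /etc/sysctl.conf with the tuned parameter set and apply it.
# The previous file is kept as a timestamped .bak copy before truncation.
#######################################
KernelFile(){
  local conf=/etc/sysctl.conf
  clear
  echo "#####################################"
  echo -e "\033[40;34;5m[ Optimize Kernel ]\033[0m"
  Jdt
  [[ -f "$conf" ]] && cp -a -- "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
  cat > "$conf" << EIZ
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 20480
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_keepalive_probes=3
net.ipv4.tcp_orphan_retries=3
net.ipv4.ip_local_port_range = 1024 65500

EIZ

  /sbin/sysctl -p
  echo "内核优化的具体参数见上 如需修改请自行修改/etc/sysctl.conf文件"
}

#######################################
# Silence the "You have new mail" login prompt via /etc/profile.
#######################################
RootEmail(){
  clear
  echo "#######################################################"
  echo -e "\033[40;34;5m[ 禁止 You have new mail in /var/spool/mail/root 提示 ]\033[0m"
  Jdt
  sed -i '/.*MAILCHECK/d' /etc/profile
  echo "unset MAILCHECK">> /etc/profile
  source /etc/profile
}

#BieMing(){
#
#}

#######################################
# Create the command log as a world-appendable, append-only file.
# Arguments: $1 - log directory, $2 - log file name
#######################################
HisToryFiles(){
  local dir=$1 name=$2
  touch "$dir/$name"
  chown -R nobody:nobody "$dir"
  # traverse-only directory: users can write to the known path but not list it
  chmod 001 "$dir"
  # world-writable so every shell can append ...
  chmod 002 "$dir/$name"
  # ... but append-only, so existing lines cannot be edited or truncated
  # without root first clearing the attribute
  chattr +a "$dir/$name"
}

#######################################
# Append the HISTORY_FILE / PROMPT_COMMAND logger to /etc/profile.
# Arguments: $1 - log directory, $2 - log file name
#######################################
HisToryProfile(){
  local dir=$1 name=$2
  cat >> /etc/profile << EPP
export HISTORY_FILE=$dir/$name
export PROMPT_COMMAND='{ date "+%y-%m-%d %T ## \$(who am i |awk "{print \\\$1,\\\$2,\\\$5}") ## \$(whoami) ## \$(history 1 | { read x cmd; echo "\$cmd"; })"; } >>\$HISTORY_FILE'
EPP
}

#######################################
# Set up per-prompt command logging plus a weekly rotation script and
# cron entry, then restart crond.
# Globals: SysVer (read)
#######################################
HisTory(){
  #history modify
  local file_path="/var/log/Command"
  local file_name="Command.log"
  local crontab=/var/spool/cron/root
  local ComMand

  if [[ ! -d "$file_path" ]]; then
    mkdir -p "$file_path"
    HisToryFiles "$file_path" "$file_name"
  elif [[ ! -f "$file_path/$file_name" ]]; then
    HisToryFiles "$file_path" "$file_name"
  fi

  # drop any earlier HISTORY_FILE/PROMPT_COMMAND lines, then append fresh ones
  sed -i '/.*HISTORY_FILE.*/d' /etc/profile
  HisToryProfile "$file_path" "$file_name"

  if [[ ! -f "$file_path/history.sh" ]]; then
    # first heredoc expands the install paths, the quoted one is literal
    {
      cat << EOF
#!/bin/bash
# Weekly rotation of the command log (installed by the tuning script).
logs_path="$file_path/"
logs_name="$file_name"
EOF
      cat << 'EOF'
Time=$(date +%Y%m%d%H)
new_file="$logs_path$logs_name-$Time"
chattr -a "$logs_path$logs_name"
mv "$logs_path$logs_name" "$new_file"
chattr +a "$new_file"
touch "$logs_path$logs_name"
chown -R nobody:nobody "$logs_path$logs_name"
chmod 002 "$logs_path$logs_name"
chattr +a "$logs_path$logs_name"
# Remove archives older than 30 days, one path per iteration (the old
# "if [ ! -z $old_file ]" broke as soon as find returned two names).
while IFS= read -r -d '' old_file; do
  logger -t history-rotate "delete $old_file $Time"
  chattr -a "$old_file"
  rm -f "$old_file"
done < <(find "$logs_path" -mtime +30 -type f -name "Command.*" -print0)
EOF
    } > "$file_path/history.sh"
    # owner-only; root reads it via "bash history.sh" from cron
    chmod 700 "$file_path/history.sh"
  fi

  ComMand=$(grep -c history.sh "$crontab" 2>/dev/null)
  ComMand=${ComMand:-0}
  if (( ComMand < 1 )); then
    echo "30 10 * * 6 /bin/bash $file_path/history.sh > /dev/null 2>&1" >> "$crontab"
    chmod 600 "$crontab"
  fi
  RestartCrond
  if source /etc/profile; then
    echo "###########################################"
    echo -e "\033[40;31;5m 配置完成 命令审计文件位于:/var/log/Command/Command.log \033[0m"
  else
    echo -e "\033[41;33;5m ERROR,Please To Check \033[0m"
    exit 110
  fi
}

case "$Nmb" in
  1)
    if [[ -z "$NetCnf" ]]; then
      echo -e "\033[41;33;5m No ifcfg-* file found in $NetPath \033[0m"
      exit 110
    fi
    rm -f -- /etc/udev/rules.d/70-persistent-net.rules >/dev/null 2>&1
    echo "###########################################"
    read -r -p "Please Input IPAddress :" Ipa
    read -r -p "Please Input Netmask :" Ntm
    read -r -p "Please Input Gateway :" Gtw
    # reject anything that is not a dotted quad before it lands in ifcfg
    for v in "$Ipa" "$Ntm" "$Gtw"; do
      if ! IsIPv4 "$v"; then
        echo -e "\033[41;33;5m Invalid IPv4 value: $v \033[0m"
        exit 110
      fi
    done
    echo -e "\033[40;34;5m[ 配置中请稍候... 完成后请使用新地址 $Ipa 进行SSH登陆 ]\033[0m"
    echo "###########################################"
    case "$SysVer" in
      6) C6NetWork ;;
      7) C7NetWork ;;
      *) BadVersion ;;
    esac
    ;;
  2)
    echo -e "\033[40;31;5m以下配置均可在进度条处 有10秒时间 按Ctrl+C结束 请按需优化\033[0m"
    # OffSE runs before OptSSH: with SELinux still enforcing, sshd cannot bind
    # a non-standard port and the restart in OptSSH would abort the script
    # with sshd stopped.
    OffSE
    OptSSH
    PanDuan
    OffIPv6
    PanDuan
    OFFfirewalld
    PanDuan
    TimeLock
    PanDuan
    LimitsFile
    PanDuan
    RootEmail
    PanDuan
    KernelFile
    PanDuan
    echo " #####################################"
    echo " #####################################"
    echo " 优化已完成 本次优化内容有:"
    echo " 1、优化SSH服务"
    echo " 2、关闭IPv6服务"
    echo " 3、关闭Selinux 机制"
    echo " 4、关闭iptables/firewalld"
    echo " 5、设置时间同步"
    echo " 6、优化内核参数"
    echo " 7、关闭邮件提示"
    ;;
  3)
    echo -e "\033[46;31;5m 此审计会记录30天内所有终端执行过的所有命令 \033[0m"
    Jdt
    HisTory
    ;;
  *)
    echo -e "\033[41;33;5m Error, please check the first line variable \033[0m"
    exit 110
    ;;
esac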