centos7 系统优化脚本

脚本一:

  1 #!/usr/bin/env bash
  2  
  3 #设置环境变量
  4 export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
  5  
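#######################################
# Append the CTCDN sysctl tuning block to /etc/sysctl.conf (once), optionally
# switch IPv4 forwarding on, and load the result with `sysctl -p`.
# Globals:   writes /etc/sysctl.conf
# Arguments: none (asks on stdin whether to enable routing/forwarding)
# Outputs:   progress messages on stdout
# Returns:   0 after the "y" branch; the other branch exits the script, as
#            the original did for "n"
#######################################
function kernel () {
  local sysctl_conf=/etc/sysctl.conf
  local input

  # Append the block only once. The original appended it on every run, which
  # left duplicated keys in sysctl.conf; the block's first comment line is
  # used as the marker.
  if ! grep -qF '#CTCDN系统优化参数' "$sysctl_conf" 2>/dev/null; then
    # NOTE(review): tcp_tw_recycle=1 is known to break clients behind NAT and
    # needs tcp_timestamps=1 to do anything, yet timestamps are set to 0 in
    # the same block; the net.netfilter.* keys only resolve while the
    # nf_conntrack module is loaded, otherwise `sysctl -p` reports them as
    # missing. Values are kept exactly as the author chose them.
    cat >> "$sysctl_conf" <<'EOF'

#CTCDN系统优化参数
#关闭ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
#决定检查过期多久邻居条目
net.ipv4.neigh.default.gc_stale_time=120
#使用arp_announce / arp_ignore解决ARP映射问题
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1
# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1
#关闭路由转发
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
#开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
#关闭sysrq功能
kernel.sysrq = 0
#core文件名中添加pid作为扩展名
kernel.core_uses_pid = 1
# 开启SYN洪水攻击保护
net.ipv4.tcp_syncookies = 1
#修改消息队列长度
kernel.msgmnb = 65536
kernel.msgmax = 65536
#设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
#timewait的数量,默认180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096        87380   4194304
net.ipv4.tcp_wmem = 4096        16384   4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
#每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 262144
#限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800
#未收到客户端确认信息的连接请求的最大值
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
#内核放弃建立连接之前发送SYNACK 包的数量
net.ipv4.tcp_synack_retries = 1
#内核放弃建立连接之前发送SYN 包的数量
net.ipv4.tcp_syn_retries = 1
#启用timewait 快速回收
net.ipv4.tcp_tw_recycle = 1
#开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
#当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
#允许系统打开的端口范围
net.ipv4.ip_local_port_range = 1024    65000
#修改防火墙表大小,默认65536
net.netfilter.nf_conntrack_max=655350
net.netfilter.nf_conntrack_tcp_timeout_established=1200
# 确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF
  fi

  read -r -p "是否开启路由转发? [y|n] " input
  case "$input" in
    y)
      # Flip the three forwarding-related keys the block above set to 0.
      sed -i "s#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g" "$sysctl_conf"
      sed -i "s#net.ipv4.conf.all.send_redirects = 0#net.ipv4.conf.all.send_redirects = 1#g" "$sysctl_conf"
      sed -i "s#net.ipv4.conf.default.send_redirects = 0#net.ipv4.conf.default.send_redirects = 1#g" "$sysctl_conf"
      sysctl -p
      echo "优化完成,程序退出"
      ;;
    *)
      # "n" and any other answer keep forwarding off. The original only
      # handled "n" here and silently skipped `sysctl -p` on other input.
      sysctl -p
      echo "优化完成,程序退出"
      exit
      ;;
  esac
}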
102  
103  
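#######################################
# Ask whether to apply the kernel (sysctl) tuning and run kernel() if so.
# This is the last step of the prompt chain, so a "no" ends the script.
# Arguments: none (answer read from stdin)
# Outputs:   completion message on stdout
#######################################
function openkernel () {
  local input
  read -r -p "是否优化内核? [y/n] " input
  case "$input" in
    y)
      kernel
      ;;
    *)
      # "n" or anything else: nothing is left to do. The original fell
      # through silently on input other than y/n, ending without a message.
      echo "优化完成,程序退出"
      exit
      ;;
  esac
}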
117          
118  
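#######################################
# Optionally raise the open-file limits in /etc/security/limits.conf, then
# continue the chain with openkernel().
# Arguments: none (answer read from stdin)
# Globals:   appends to /etc/security/limits.conf
#######################################
function openfile () {
  local input
  local -r limits_conf=/etc/security/limits.conf
  read -r -p "是否修改打开文件数的限制? [y/n] " input
  if [[ "$input" == y ]]; then
    # Append once; repeated runs of the original duplicated these four lines.
    # The "hive" entries only matter if such an account exists — presumably
    # a service user of the author's environment; confirm before reuse.
    if ! grep -qF 'hive   - nproc  1024000' "$limits_conf" 2>/dev/null; then
      printf '%s\n' \
        '* soft nofile 1024000' \
        '* hard nofile 1024000' \
        'hive   - nofile 1024000' \
        'hive   - nproc  1024000' >> "$limits_conf"
    fi
  fi
  # Continue regardless of the answer (the original only did so for y/n and
  # fell through on any other input).
  openkernel
}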
132  
133  
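#######################################
# Optionally raise the nproc cap for ordinary users in the distro drop-in
# file, then continue the chain with openfile().
# Arguments: none (answer read from stdin)
# Globals:   edits /etc/security/limits.d/20-nproc.conf in place
#######################################
function userlimits () {
  local input
  local -r nproc_conf=/etc/security/limits.d/20-nproc.conf
  read -r -p "是否加大普通用户限制? [y/n] " input
  if [[ "$input" == y ]]; then
    # Rewrites every occurrence of 4096 in the file, as the original did;
    # warn instead of letting sed fail when the file is absent.
    if [[ -f "$nproc_conf" ]]; then
      sed -i 's#4096#65535#g' "$nproc_conf"
    else
      printf 'warn: %s not found, nproc limit left unchanged\n' "$nproc_conf" >&2
    fi
  fi
  openfile
}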
147  
148  
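#######################################
# Optionally set a new hostname via hostnamectl, then continue the chain
# with userlimits().
# NOTE: the function name shadows the hostname(1) command inside this script.
# Arguments: none (answer and the new name are read from stdin)
#######################################
function hostname () {
  local input new_name
  read -r -p "是否要修改主机名? [y/n]" input
  if [[ "$input" == y ]]; then
    read -r -p "请输入主机名:" new_name
    # Quoted so a name with spaces reaches hostnamectl as one argument (it
    # will reject it) instead of being split into several; empty input is
    # skipped rather than handed to hostnamectl.
    if [[ -n "$new_name" ]]; then
      hostnamectl set-hostname "$new_name"
    else
      printf 'warn: empty hostname, not changed\n' >&2
    fi
  fi
  userlimits
}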
163  
164  
165  
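#######################################
# Base setup: repositories and packages, SELinux off at next boot, Shanghai
# timezone, a per-minute ntpdate cron job, then the interactive chain.
# Globals:   writes /etc/selinux/config, /etc/localtime, /var/spool/cron/root
#######################################
function All () {
  local -r cron_file=/var/spool/cron/root
  yum -y install epel-release
  # -y for consistency with the other yum calls; the original `yum update`
  # stopped at an interactive confirmation prompt.
  yum -y update
  yum -y install net-tools tree lrzsz unzip telnet vim gcc cmake wget git ntpdate bash-completion
  # NOTE(review): this turns SELinux off at the next boot; keep that in mind
  # when this host later needs hardening or audit evidence.
  sed -i "/^SELINUX/s#enforcing#disabled#g" /etc/selinux/config
  cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
  # Add the ntpdate job without clobbering root's existing crontab (the
  # original overwrote the whole file with `>`); crontab files must be 0600.
  if ! grep -q ntpdate "$cron_file" 2>/dev/null; then
    printf '%s\n' '*/1 * * * * ntpdate ntp1.aliyun.com' >> "$cron_file"
    chmod 600 "$cron_file"
  fi
  hostname
}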
176  
177  
178  
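# Menu: the only actions are "0" (run All) and "9" (exit).
echo "--------------------------------------------------------------------"
echo "本脚本可以根据需求选择要优化的选项-只是针对刚刚安装好的系统做优化,并且保证正常上网"
echo "--------------------------------------------------------------------"
echo "请选择你要使用的选项:"
echo "(0) 基本优化"
echo "(9) Exit"
echo "--------------------------------------------------------------------"
# -r: do not let a backslash in the answer be interpreted.
read -r -p "请输入选项编号>>>>:" input

case "$input" in
  0)
    echo "-----------执行基本优化---------------"
    sleep 1
    All
    ;;
  9)
    echo "-----------退出脚本---------------"
    exit
    ;;
  *)
    # The original ended silently with status 0 on any other input.
    printf '未知选项: %s\n' "$input" >&2
    exit 1
    ;;
esac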

脚本二:



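#!/bin/bash

# CentOS 6/7 initialisation script
# get os version: the VERSION tag of whatever package provides redhat-release
RELEASEVER=$(rpm -q --qf "%{VERSION}" "$(rpm -q --whatprovides redhat-release)")
# Every later step branches on RELEASEVER being 6 or 7; fail once here if
# detection gave something else instead of letting each test fail in turn.
if [[ "$RELEASEVER" != 6 && "$RELEASEVER" != 7 ]]; then
    printf 'unsupported or undetected release: "%s"\n' "$RELEASEVER" >&2
    exit 1
fi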

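# configure yum source: park the stock repo files and fetch the 163 mirror one
repo_dir=/etc/yum.repos.d
repo_url=
cd "$repo_dir" || exit 1
mkdir -p "$repo_dir/bak"
mv "$repo_dir"/*.repo "$repo_dir/bak"
case "$RELEASEVER" in
    6) repo_url=http://mirrors.163.com/.help/CentOS6-Base-163.repo ;;
    7) repo_url=http://mirrors.163.com/.help/CentOS7-Base-163.repo ;;
esac
# -f: an HTTP error must not leave an error page in qf.repo (the original
# `curl ... > qf.repo` did exactly that). The file is fetched over plain HTTP
# with no integrity check, so package trust depends on the gpgcheck setting
# inside the downloaded repo file — verify it after download.
if [ -n "$repo_url" ]; then
    curl -fsS "$repo_url" -o qf.repo || { printf 'failed to download %s\n' "$repo_url" >&2; exit 1; }
fi
yum clean all
yum check-update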

# install base rpm package (EPEL first so the remaining groups can resolve)
base_pkgs=(nc vim iftop iotop dstat tcpdump)
hw_dns_pkgs=(ipmitool bind-libs bind-utils)
misc_pkgs=(libselinux-python ntpdate)
yum -y install epel-release
yum -y install "${base_pkgs[@]}"
yum -y install "${hw_dns_pkgs[@]}"
yum -y install "${misc_pkgs[@]}"

# update rpm package include kernel, then drop the stock CentOS-*.repo files
# (an update of the release package may have recreated them)
yum -y update
rm -rf /etc/yum.repos.d/CentOS*

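# update ulimit configure: empty the distro nproc drop-in (files in limits.d
# are read after limits.conf and would override the nproc values set below),
# then replace limits.conf wholesale
case "$RELEASEVER" in
    6) nproc_conf=/etc/security/limits.d/90-nproc.conf ;;
    7) nproc_conf=/etc/security/limits.d/20-nproc.conf ;;
    *) nproc_conf= ;;
esac
# Truncate in place instead of rm -rf + touch: same end state, and no
# recursive rm on a path under /etc.
if [ -n "$nproc_conf" ] && [ -f "$nproc_conf" ]; then
    : > "$nproc_conf"
fi

# Note: this discards whatever was in limits.conf before (the original did too).
cat > /etc/security/limits.conf <<EOF
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
EOF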

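# set timezone
# -f replaces an existing file or symlink in one step, covering the
# `test -f && rm -rf` dance of the original.
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime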

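# set LANG
case "$RELEASEVER" in
    6) locale_file=/etc/sysconfig/i18n ;;
    7) locale_file=/etc/locale.conf ;;
    *) locale_file= ;;
esac
# Rewrites lines containing LANG=; a file without one is left untouched.
# RELEASEVER is quoted (the original's bare `[ $RELEASEVER == 6 ]` errors
# when it is empty).
if [ -n "$locale_file" ]; then
    sed -i 's@LANG=.*$@LANG="en_US.UTF-8"@g' "$locale_file"
fi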

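# update time
if [ "$RELEASEVER" == 6 ]; then
    /usr/sbin/ntpdate -b pool.ntp.org
    # Add the per-minute ntpdate job if root's crontab does not mention it
    # yet. Append rather than `>`: the original replaced root's whole crontab.
    # grep's status is tested directly instead of through $?.
    cron_file=/var/spool/cron/root
    if ! grep -q ntpdate "$cron_file" 2>/dev/null; then
        echo '* * * * * /usr/sbin/ntpdate pool.ntp.org > /dev/null 2>&1' >> "$cron_file"
        chmod 600 "$cron_file"
    fi
    /etc/init.d/crond restart
fi

if [ "$RELEASEVER" == 7 ]; then
    yum -y install chrony
    # `cat >` truncates by itself; the separate `> /etc/chrony.conf` was
    # redundant. The configuration text is kept as the author wrote it.
    cat > /etc/chrony.conf << EOF
server pool.ntp.org iburst
stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
keyfile /etc/chrony.keys
commandkey 1
generatecommandkey
noclientlog
logchange 0.5
logdir /var/log/chrony
EOF
    systemctl restart chronyd
    systemctl enable chronyd
fi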

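# clean iptables default rules
if [ "$RELEASEVER" == 6 ]; then
    /sbin/iptables -F
    service iptables save
    chkconfig iptables off
fi
if [ "$RELEASEVER" == 7 ]; then
    # disable only affects the next boot; the running firewalld keeps its
    # rules until it is stopped (the original did not stop it either).
    systemctl disable firewalld
fi

# disable unused service
# NOTE(review): auditd is the Linux audit daemon, not an idle service —
# turning it off removes the audit trail that host-based detection and
# forensics rely on. Kept as the author wrote it; confirm the intent.
# On 7, chkconfig presumably forwards this to systemctl.
chkconfig auditd off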

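# disable ipv6
# `cat >` creates and truncates the file, so the cd + touch + `>` sequence of
# the original collapses to one command. `alias ... off` is the legacy
# modprobe method — whether it still takes effect on 7 should be confirmed.
cat > /etc/modprobe.d/ipv6.conf << EOF
alias net-pf-10 off
alias ipv6 off
EOF

# disable iptable nat module
# `install X /bin/true` makes modprobe run /bin/true instead of loading the
# module, so connection tracking / NAT cannot be loaded afterwards; any later
# stateful iptables rule or net.netfilter.* sysctl will fail because of this.
cat > /etc/modprobe.d/connectiontracking.conf <<EOF
install nf_nat /bin/true
install xt_state  /bin/true
install iptable_nat /bin/true
install nf_conntrack /bin/true
install nf_defrag_ipv4   /bin/true
install nf_conntrack_ipv4 /bin/true
install nf_conntrack_ipv6  /bin/true
EOF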

# disable SELINUX: persist "disabled" for the next boot, then switch the
# running kernel to permissive right away (the two steps are independent).
sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config
setenforce 0

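# update record command: larger shell history with a timestamp on each entry
sed -i 's/^HISTSIZE=.*$/HISTSIZE=100000/' /etc/profile
# Test grep's status directly rather than through $?.
if grep -q 'HISTTIMEFORMAT' /etc/profile; then
    sed -i 's/^HISTTIMEFORMAT=.*$/HISTTIMEFORMAT="%F %T "/' /etc/profile
else
    echo 'HISTTIMEFORMAT="%F %T "' >> /etc/profile
fi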

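# install dnsmasq and update configure (local DNS query cache)
yum -y install dnsmasq
# `cat >` truncates; the separate `> /etc/dnsmasq.conf` was redundant.
# NOTE: log-queries writes every lookup to /var/log/dnsmasq.log — useful
# for detection, but keep an eye on disk use and on who can read the log.
cat > /etc/dnsmasq.conf << EOF
listen-address=127.0.0.1
no-dhcp-interface=lo
log-queries
log-facility=/var/log/dnsmasq.log
all-servers
no-negcache
cache-size=1024
dns-forward-max=512
EOF

case "$RELEASEVER" in
    6)
        /etc/init.d/dnsmasq restart
        # start on boot as well, matching the `systemctl enable` on 7 (the
        # original enabled the service only on 7)
        chkconfig dnsmasq on
        ;;
    7)
        systemctl restart dnsmasq
        systemctl enable dnsmasq
        ;;
esac

# update /etc/resolv.conf: ask the local cache first, then 114.114.114.114
# NOTE(review): on 7 NetworkManager may rewrite this file on the next
# interface event — confirm it is configured to leave resolv.conf alone.
cat > /etc/resolv.conf << EOF
options timeout:1
nameserver 127.0.0.1
nameserver 114.114.114.114
EOF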

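# update /etc/sysctl.conf
# Append the block only once; the original appended it on every run, leaving
# duplicated keys behind. The marker line is constructed here.
# NOTE(review): fs.suid_dumpable=2 with an absolute core_pattern lets
# privileged (setuid) processes dump core under /tmp; the mode is meant to
# keep such dumps readable by root only, but they can hold secrets and fill
# /tmp — confirm this is wanted on production hosts.
sysctl_marker='# qf-init sysctl block'
if ! grep -qF "$sysctl_marker" /etc/sysctl.conf 2>/dev/null; then
cat >> /etc/sysctl.conf<< EOF
$sysctl_marker
net.ipv4.tcp_syncookies = 1
kernel.core_uses_pid=1
kernel.core_pattern=/tmp/core-%e-%p
fs.suid_dumpable=2
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_tw_recycle=0
net.ipv4.tcp_timestamps=1
EOF
fi
sysctl -p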


#注:按标签查看rpm包信息
## rpm -q vsftpd
#vsftpd-3.0.2-21.el7.x86_64
##
## rpm -q --qf "%{NAME}" vsftpd
#vsftpd#
## rpm -q --qf "%{NAME}\n" vsftpd
#vsftpd
## rpm -q --qf "%{VERSION}\n" vsftpd
#3.0.2
## rpm -q --qf "%{RELEASE}\n" vsftpd
#21.el7
## rpm -q --qf "%{ARCH}\n" vsftpd
#x86_64


 
