CentOS 7 系统初始化
- 安装 epel 源
- 关闭 selinux
- 关闭防火墙
- 安装常用软件包
- 添加用户
- 配置时区
- 配置环境变量
- 最大文件打开数(文件句柄)
- 系统内核优化
- 配置 SSH
#!/bin/bash
#Author:mcsiberiawolf
#Time:2019-02-02 13:45:36
#Name:init_system.sh
#Version:V1.0
#Description: init system of CentOS7.
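# Refuse to continue unless running as root: every step below edits files
# under /etc and restarts system services. Diagnostics go to stderr.
if [[ "$UID" != "0" ]]; then
  printf '%s\n' "Please run this script by root" >&2
  exit 1
fi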
#### 1.安装 epel 源
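#######################################
# Install the EPEL repository and refresh the package cache.
# Globals:   none
# Arguments: none
# Returns:   0 when CentOS-Base.repo is absent or every yum step succeeded;
#            the first failing command's status otherwise
#######################################
mod_yum() {
  local -r base_repo=/etc/yum.repos.d/CentOS-Base.repo
  # Nothing to do on hosts without the stock repo file (e.g. a custom mirror).
  [[ -e "$base_repo" ]] || return 0
  # Keep the first pristine copy: a re-run must not overwrite the original backup.
  if [[ ! -e "${base_repo}.default" ]]; then
    cp -- "$base_repo" "${base_repo}.default" || return
  fi
  # 'yum -y update' upgrades every installed package, kernel included;
  # the chain stops at the first failing step.
  yum install -y epel-release \
    && yum clean all \
    && yum makecache \
    && yum -y update
}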
#### 2. 关闭 selinux
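#######################################
# Disable SELinux: persistently in the config file and, when the live file is
# edited, at runtime as well. This removes the mandatory-access-control layer
# for every service on the host, so it is a deliberate policy choice.
# Arguments: $1 - SELinux config file to edit (default /etc/selinux/config);
#            'setenforce 0' runs only when the live file is edited
# Returns:   0 when the file was rewritten; sed's status otherwise
#######################################
close_selinux() {
  local config=${1:-/etc/selinux/config}
  # Match any current mode, not only 'enforcing', so a permissive host also
  # ends up disabled after the next reboot.
  sed -i -E 's/^SELINUX=(enforcing|permissive)$/SELINUX=disabled/' "$config" || return
  # The file change takes effect on reboot; switch the running kernel to
  # permissive now. setenforce is absent without SELinux userland and fails
  # when SELinux is already disabled, so its result is deliberately ignored.
  if [[ "$config" == /etc/selinux/config ]] && command -v setenforce >/dev/null 2>&1; then
    setenforce 0 >/dev/null 2>&1 || true
  fi
}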
#### 3. 关闭 firewalld
#######################################
# Stop firewalld and keep it from starting on boot. Afterwards the host has
# no host-based packet filter until another one is put in place.
# Returns:   'systemctl stop' status when it fails (disable is then skipped);
#            'systemctl disable' status otherwise
#######################################
close_firewalld() {
  systemctl stop firewalld.service || return
  systemctl disable firewalld.service
}
#### 4. 安装常用软件包
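#######################################
# Install the baseline tool set and the "Development Tools" group.
# The same list drives the installed-check and the install; with two
# different lists the check could never be satisfied and every run would
# re-invoke yum for the whole set.
# Returns:   status of the final 'yum groups install'
#######################################
install_softwares() {
  local -a packages=(vim lrzsz wget nmap nc tree curl tcpdump sysstat lsof
    net-tools ntpdate dos2unix)
  local -a missing=()
  local pkg
  # 'rpm -q NAME' exits non-zero when NAME is not installed. Names that are
  # provided by a differently named package (vim -> vim-enhanced) are
  # re-requested on every run; yum treats that as a no-op.
  for pkg in "${packages[@]}"; do
    rpm -q "$pkg" >/dev/null 2>&1 || missing+=("$pkg")
  done
  if (( ${#missing[@]} > 0 )); then
    yum -y install "${missing[@]}"
  fi
  yum groups install "Development Tools" -y
}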
#### 5. 添加用户
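#######################################
# Create the admin user 'ylmf' and grant it passwordless sudo.
# NOTE: the function name shadows the system 'adduser' command for the rest
# of this script.
# Globals:   INIT_USER_PASSWORD (read, optional) - initial password; when it
#            is unset the account is created without a usable password and
#            has to be unlocked with 'passwd ylmf' or an SSH key
# Returns:   0 when the user exists afterwards; non-zero on failure
#######################################
adduser() {
  local -r user=ylmf
  local -r sudoers_dropin="/etc/sudoers.d/${user}"
  # Idempotent: getent consults NSS, not only /etc/passwd.
  getent passwd "$user" >/dev/null && return 0
  useradd "$user" || return
  # The secret comes from the environment and is piped on stdin, so it is
  # neither hard-coded here nor visible in 'ps' or the shell history.
  if [[ -n "${INIT_USER_PASSWORD:-}" ]]; then
    printf '%s\n' "$INIT_USER_PASSWORD" | passwd --stdin "$user" >/dev/null || return
  fi
  # A drop-in under /etc/sudoers.d (included by the stock '#includedir' line
  # on CentOS 7) leaves /etc/sudoers untouched and can be validated on its own.
  # NOPASSWD: sudo will not prompt for the user's password.
  printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user" > "$sudoers_dropin" || return
  chmod 0440 "$sudoers_dropin"
  # A syntactically broken fragment would break sudo for everyone; check it
  # and remove it on failure instead of leaving it active.
  if ! visudo -cf "$sudoers_dropin" >/dev/null 2>&1; then
    rm -f -- "$sudoers_dropin"
    printf 'sudoers fragment for %s failed validation; removed\n' "$user" >&2
    return 1
  fi
}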
#### 6. 配置时区
#######################################
# Set the system timezone to Asia/Shanghai unless it is already active.
# Returns:   0 when the zone was already set; timedatectl's status otherwise
#######################################
time_sync() {
  local -r zone="Asia/Shanghai"
  local matches
  matches=$(timedatectl status | grep -w "$zone" | wc -l)
  if [[ "$matches" -lt 1 ]]; then
    timedatectl set-timezone "$zone"
  fi
  # Periodic clock sync via cron is left commented out in the source:
  #   cron=/etc/crontab
  #   if [ `grep -w "ntpdate" $cron|wc -l` -lt 1 ]; then
  #     echo '#time sync by mcsiberiawolf at 2019-02-02' >> $cron
  #     echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov > /dev/null 2>&1' >> $cron
  #     systemctl restart crond.service
  #     crontab -l
  #   fi
}
#### 7. 配置环境变量
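#######################################
# Append shell session settings to the login profile: idle timeout and
# command-history limits/format.
# Arguments: $1 - profile file to edit (default /etc/profile)
# Returns:   0 on success; the first failing command's status otherwise
#######################################
com_line_set() {
  local config=${1:-/etc/profile}
  # Add the block only when none of its lines is present yet. Note that
  # '[ $(cmd) ]' without a comparison is true for any non-empty output, so
  # the presence test must use grep -q (or compare a count).
  if ! grep -Eq '^export (TMOUT|HISTSIZE|HISTFILESIZE)=' "$config"; then
    {
      # idle session timeout in seconds
      printf '%s\n' 'export TMOUT=1800'
      # number of commands kept in the shell's in-memory history
      printf '%s\n' 'export HISTSIZE=1000'
      # number of lines kept in the history file
      printf '%s\n' 'export HISTFILESIZE=1000'
      # timestamp and user in front of each history entry; the backticks are
      # expanded by the login shell, not here
      printf '%s\n' 'export HISTTIMEFORMAT="%F %T `whoami` "'
    } >> "$config" || return
    # Load the settings into this script's shell too; already-open sessions
    # are unaffected.
    # shellcheck source=/dev/null
    source "$config"
  fi
}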
#### 8. 最大文件打开数(文件句柄)
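#######################################
# Raise the per-process open-file limit to 65535 for all users.
# Arguments: $1 - PAM limits file (default /etc/security/limits.conf)
#            $2 - rc.local script  (default /etc/rc.local)
# Returns:   0 on success; the first failing command's status otherwise
#######################################
open_file_set() {
  local limits=${1:-/etc/security/limits.conf}
  local rc_local=${2:-/etc/rc.local}
  # limits.conf is read by pam_limits at login. It is not shell syntax and
  # must never be 'source'd: a line starting with '*' would be glob-expanded
  # and executed as a command.
  if ! grep -Eq '^\*[[:space:]]+(soft|hard)[[:space:]]+nofile[[:space:]]+65535' "$limits"; then
    printf '%s\n' '* soft nofile 65535' '* hard nofile 65535' >> "$limits" || return
  fi
  # Also raise the limit for services started outside a PAM session.
  if ! grep -qw ulimit "$rc_local"; then
    printf '%s\n' 'ulimit -SHn 65535' >> "$rc_local" || return
  fi
  # rc-local.service on CentOS 7 only runs rc.local when it is executable.
  chmod +x "$rc_local"
}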
#### 9. 系统内核优化
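#######################################
# Append the kernel/network tuning block to sysctl.conf once and apply it.
# Arguments: $1 - sysctl file to edit (default /etc/sysctl.conf); 'sysctl -p'
#            runs only when the live file is edited as root
# Returns:   0 when the marker was already present or the block was written;
#            the failing command's status otherwise
#######################################
set_kernel() {
  local config=${1:-/etc/sysctl.conf}
  # '# kernel_flag' marks a file this function has already processed.
  grep -q kernel_flag "$config" 2>/dev/null && return 0
  # The list below is kept verbatim. Several keys appear more than once;
  # sysctl applies lines in order, so the LAST occurrence wins (e.g.
  # net.core.wmem_max -> 8388608, tcp_wmem -> '4096 87380 8388608',
  # tcp_keepalive_time -> 120, ip_local_port_range -> '10000 65000',
  # tcp_syn_retries/tcp_synack_retries -> 1, netdev_max_backlog -> 262144).
  # Review points on the values:
  #  - net.ipv4.ip_forward=1 makes the host forward packets (router/NAT role);
  #    only needed when it really routes traffic, e.g. for container bridges.
  #  - tcp_tw_reuse and tcp_tw_recycle depend on TCP timestamps, which
  #    tcp_timestamps=0 turns off; confirm the net effect on the target
  #    kernel. tcp_tw_recycle is known to drop connections from clients
  #    behind NAT.
  #  - fs.file-max=65535 is the SYSTEM-wide cap, equal to the per-process
  #    nofile limit set by open_file_set and typically below the kernel's
  #    memory-derived default.
  cat >> "$config" <<'EOF' || return
# kernel_flag
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.route.gc_timeout = 20
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
#net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.route.gc_timeout = 20
net.ipv4.ip_local_port_range = 10024 65535
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
fs.file-max = 65535
kernel.pid_max = 65536
net.ipv4.tcp_wmem = 4096 87380 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_max_syn_backlog = 10240
net.core.netdev_max_backlog = 262144
#net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_max_tw_buckets = 36000
EOF
  # Apply only when the live file was edited with enough privilege; a staged
  # file is left for the operator to apply.
  if [[ "$config" == /etc/sysctl.conf && "$UID" == "0" ]]; then
    sysctl -p
  else
    printf 'settings written to %s; run "sysctl -p %s" as root to apply\n' "$config" "$config" >&2
  fi
}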
#### 10. 配置 SSH
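#######################################
# Make a dated backup of sshd_config, set three directives and, when the
# live file was edited, validate it and restart sshd.
# Arguments: $1 - sshd config to edit (default /etc/ssh/sshd_config)
# Returns:   0 on success; 1 when the edited live config fails 'sshd -t'
#            (the backup is restored first); a failing command's status otherwise
#######################################
init_ssh() {
  local config=${1:-/etc/ssh/sshd_config}
  local backup
  backup="${config}.$(date +"%Y-%m-%d")"
  cp -f -- "$config" "$backup" || return
  # Each substitution only turns the commented stock default into an explicit
  # setting; a directive that is already uncommented is left as it is.
  # Port stays at 22:
  # sed -i 's%#Port 22%Port 25680%' "$config"
  #
  # PermitRootLogin yes keeps direct root logins over SSH enabled (the
  # CentOS 7 default). With a sudo-capable user in place, 'prohibit-password'
  # or 'no' is the stricter choice.
  sed -i 's%#PermitRootLogin yes%PermitRootLogin yes%' "$config" || return
  sed -i 's%#PermitEmptyPasswords no%PermitEmptyPasswords no%' "$config" || return
  # No reverse DNS lookup on connect: faster logins, no resolver dependency.
  sed -i 's%#UseDNS yes%UseDNS no%' "$config" || return
  # Only the live config is validated and activated; a broken file would
  # leave the host unreachable over SSH, so restore the backup on failure.
  if [[ "$config" == /etc/ssh/sshd_config ]]; then
    if command -v sshd >/dev/null 2>&1 && ! sshd -t >/dev/null 2>&1; then
      cp -f -- "$backup" "$config"
      printf '%s failed validation; backup restored from %s\n' "$config" "$backup" >&2
      return 1
    fi
    systemctl restart sshd >/dev/null 2>&1
  fi
}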
#######################################
# Run every initialisation step in order. The steps are independent: this
# script does not use 'set -e', so a failing step does not stop the next one.
# Returns:   status of the last step (init_ssh)
#######################################
main() {
  local step
  for step in mod_yum close_selinux close_firewalld install_softwares adduser \
      time_sync com_line_set open_file_set set_kernel init_ssh; do
    "$step"
  done
}
main
检测系统初始化是否成功
#!/bin/bash
#Author:mcsiberiawolf
#Time:2019-02-03 10:29:02
#Name:check_init_system.sh
#Version:V1.0
#Description: 检查系统初始化是否配置成功.
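# Refuse to run unless root: some of the checked files (e.g. sshd_config)
# are root-readable only, so the results are meaningless otherwise.
if [[ "$UID" != "0" ]]; then
  printf '%s\n' "Please run this script by root." >&2
  exit 1
fi
# Provides 'action', which prints the [ OK ] / [FAILED] status lines used by
# every check below. Loaded once, after the privilege check.
# shellcheck source=/dev/null
. /etc/init.d/functions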
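#######################################
# Report whether the EPEL repo file is present. Presence of the file does not
# prove the repo is enabled; 'yum repolist' would show that.
# Arguments: $1 - repo file to look for (default /etc/yum.repos.d/epel.repo)
# Returns:   status of 'action' (0 when the file exists)
#######################################
check_yum() {
  local epel=${1:-/etc/yum.repos.d/epel.repo}
  if [[ -e "$epel" ]]; then
    action "epel repository has been set success" /bin/true
  else
    action "epel repository has been set fail" /bin/false
  fi
}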
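#######################################
# Report whether SELinux is disabled in the on-disk config. Only the file is
# checked; it takes effect at the next boot, so the running mode (shown by
# 'getenforce') may still be Permissive.
# Arguments: $1 - SELinux config file (default /etc/selinux/config)
# Returns:   status of 'action' (0 when SELINUX=disabled is set)
#######################################
check_selinux() {
  local config=${1:-/etc/selinux/config}
  # Anchored so a commented or indented mention does not count.
  if grep -q '^SELINUX=disabled' "$config" 2>/dev/null; then
    action "selinux has been set success" /bin/true
  else
    action "selinux has been set fail" /bin/false
  fi
}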
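#######################################
# Report whether the admin user exists. This only confirms the account; the
# sudoers entry granted by the init script is not verified here.
# Arguments: $1 - user name (default ylmf)
# Returns:   status of 'action' (0 when the user exists)
#######################################
check_user() {
  local user=${1:-ylmf}
  # getent consults NSS (local files, LDAP, ...), not only /etc/passwd.
  if getent passwd "$user" >/dev/null; then
    action "user $user exists" /bin/true
  else
    action "user $user does not exist" /bin/false
  fi
}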
#######################################
# Report whether the active timezone is Asia/Shanghai.
# Returns:   status of 'action' (0 when timedatectl reports the zone)
#######################################
check_timezone() {
  local -r zone="Asia/Shanghai"
  local hits
  hits=$(timedatectl status | grep "$zone" | wc -l)
  if [[ "$hits" -ge 1 ]]; then
    action "Timezone has been set success" /bin/true
  else
    action "Timezone has been set fail" /bin/false
  fi
}
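#######################################
# Report whether the TMOUT/HISTSIZE/HISTFILESIZE exports are in the profile.
# Arguments: $1 - profile file to check (default /etc/profile)
# Returns:   status of 'action' (0 when all three exports are present)
#######################################
check_com_line_set() {
  local config=${1:-/etc/profile}
  local found
  # The init script writes 'export NAME=...' lines, so anchor on 'export';
  # a bare '^TMOUT' would never match. ('[' and ']' also need surrounding
  # spaces, otherwise the test is a syntax error and always false.)
  found=$(grep -Ec '^export (TMOUT|HISTSIZE|HISTFILESIZE)=' "$config" 2>/dev/null)
  if [[ "${found:-0}" -ge 3 ]]; then
    action "$config has been set success" /bin/true
  else
    action "$config has been set fail" /bin/false
  fi
}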
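#######################################
# Report whether the sysctl tuning block is present, judged by the number of
# uncommented 'key = value' lines (the init script's block contributes 60).
# The '# kernel_flag' marker that block carries would be a more direct test.
# Arguments: $1 - sysctl file to check (default /etc/sysctl.conf)
# Returns:   status of 'action' (0 when at least 60 key lines are found)
#######################################
check_kernel() {
  local config=${1:-/etc/sysctl.conf}
  local keys
  # Pattern quoted so the shell does not expand '^[a-z]' as a glob.
  keys=$(grep -c '^[a-z]' "$config" 2>/dev/null)
  if [[ "${keys:-0}" -ge 60 ]]; then
    action "kernel has been set success" /bin/true
  else
    action "kernel has been set fail " /bin/false
  fi
}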
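#######################################
# Report whether both nofile lines (soft and hard, 65535) are in limits.conf.
# Arguments: $1 - limits file to check (default /etc/security/limits.conf)
# Returns:   status of 'action' (0 when both lines are present)
#######################################
check_open_file() {
  local config=${1:-/etc/security/limits.conf}
  local found
  # A bare '65535' match would also accept unrelated limits or comments.
  found=$(grep -Ec '^\*[[:space:]]+(soft|hard)[[:space:]]+nofile[[:space:]]+65535' "$config" 2>/dev/null)
  if [[ "${found:-0}" -ge 2 ]]; then
    action "open file has been set success" /bin/true
  else
    action "open file has been set fail" /bin/false
  fi
}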
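#######################################
# Report whether the three sshd directives set by the init script are active
# (uncommented) in sshd_config.
# Arguments: $1 - sshd config to check (default /etc/ssh/sshd_config)
# Returns:   status of 'action' (0 when all three directives are uncommented)
#######################################
check_ssh() {
  local config=${1:-/etc/ssh/sshd_config}
  local found
  # Every alternative is anchored: '^PermitRootLogin|PermitEmptyPasswords|UseDNS'
  # anchors only the first one, so the stock commented '#UseDNS yes' line
  # would count and the check would pass on an untouched file.
  found=$(grep -Ec '^(PermitRootLogin|PermitEmptyPasswords|UseDNS)[[:space:]]' "$config" 2>/dev/null)
  if [[ "${found:-0}" -ge 3 ]]; then
    action "ssh has been set success" /bin/true
  else
    action "ssh has been set fail" /bin/false
  fi
}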
#######################################
# Run every check in order; each prints its own status line via 'action'.
# Returns:   status of the last check (check_ssh)
#######################################
main() {
  local check
  for check in check_yum check_selinux check_user check_timezone \
      check_com_line_set check_kernel check_open_file check_ssh; do
    "$check"
  done
}
main