CentOS 7与Ubuntu 22.04系统初始化配置

CentOS 7 系统初始化配置

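# Step 1: switch the default Yum repositories to the Aliyun mirror.
# Keep only the first backup, so a re-run never overwrites the vendor file.
if [ ! -f /etc/yum.repos.d/CentOS-Base.repo.bak ]; then
  cp -p /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
fi

# Download a .repo file and put it in place only when the download succeeded.
# Arguments: $1 - source URL, $2 - destination path
# Returns:   0 on success, non-zero when the download or the install failed
fetch_repo() {
  local url=$1 dest=$2 tmp rc=0
  tmp=$(mktemp) || return 1
  # -f: an HTTP error must fail the command instead of saving the error page
  # as a repo definition. The URL is HTTPS because a repo file decides which
  # servers (and which gpgcheck settings) yum trusts afterwards; fetched over
  # plain HTTP it can be rewritten in transit.
  if curl -fsSL -o "$tmp" "$url"; then
    install -m 0644 "$tmp" "$dest" || rc=$?
  else
    rc=$?
    printf 'download failed, %s left unchanged: %s\n' "$dest" "$url" >&2
  fi
  rm -f -- "$tmp"
  return "$rc"
}

fetch_repo https://mirrors.aliyun.com/repo/Centos-7.repo /etc/yum.repos.d/CentOS-Base.repo
fetch_repo https://mirrors.aliyun.com/repo/epel-7.repo /etc/yum.repos.d/epel.repo
# NOTE(review): the downloaded files may still list http:// baseurl entries;
# confirm gpgcheck=1 is set in them so package signatures are verified.

yum clean all
yum makecache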

# Step 2: install commonly used tools.
# nmap and the telnet client are diagnostic tools; drop them from the list on
# hosts where they are not needed.
base_packages=(
  vim-enhanced bash-completion net-tools traceroute nmap bind-utils lrzsz
  wget lsof psmisc tree zip unzip sysstat rsync ntpdate mlocate telnet
)
yum -y install "${base_packages[@]}"

# Step 3: set the time zone, then do a one-shot clock sync against the NTP host.
tz="Asia/Shanghai"
ntp_host=ntp.aliyun.com

timedatectl set-timezone "$tz"
ntpdate "$ntp_host"

# Step 4: turn off firewalld and SELinux.
# After this step the host has no local packet filter and no SELinux
# confinement. On a host reachable from untrusted networks, keep firewalld
# running with explicit rules, and prefer permissive mode while troubleshooting
# SELinux denials rather than disabling it.
for action in stop disable; do
  systemctl "$action" firewalld.service
done

# The sed only rewrites a config that currently says "enforcing"; the change
# takes effect at the next boot. setenforce 0 switches the running system to
# permissive mode until then.
selinux_cfg=/etc/selinux/config
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' "$selinux_cfg"
setenforce 0

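# Step 5 (optional): shell command-history audit trail.
# The heredoc delimiter is quoted so the backticks, $(...) and $NF below are
# written to /etc/profile literally and are evaluated at login / at each
# prompt. With an unquoted delimiter they are expanded once, while this script
# runs, and every user gets the installer's user name, terminal and directory
# baked into HISTTIMEFORMAT and PROMPT_COMMAND.
# The grep guard keeps a re-run from appending the block a second time.
# PROMPT_COMMAND copies each command line to syslog through logger, including
# any secret typed as an argument, so restrict who can read that log. A user
# can also reset PROMPT_COMMAND, so this is a convenience trail rather than a
# tamper-resistant audit log.
if ! grep -q '^export HISTTIMEFORMAT=' /etc/profile; then
cat >> /etc/profile <<'EOF'
export HISTFILESIZE=10000
export HISTSIZE=10000
export HISTTIMEFORMAT="%F %T `whoami` `who -mu | awk '{print $NF}'|sed -e 's/[()]//g'` "
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y ; echo $y ;});logger "[euid=$(whoami)]":$(who -m):[`pwd`]" $msg";}'
EOF
fi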

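# Step 6 (optional): time synchronisation with chrony.
yum -y install chrony

# Keep only the first backup, so a re-run does not replace the vendor
# configuration with a copy of this one.
[ -f /etc/chrony.conf.bak ] || cp -p /etc/chrony.conf /etc/chrony.conf.bak

# bindcmdaddress limits the chronyc command socket to the loopback addresses.
# NOTE(review): commandkey / generatecommandkey come from older chrony
# releases; confirm the installed chronyd still accepts them.
cat > /etc/chrony.conf <<'EOF'
server ntp.aliyun.com iburst
stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
keyfile /etc/chrony.keys
commandkey 1
generatecommandkey
logchange 0.5
logdir /var/log/chrony
EOF

# chronyd reads its configuration at start-up, so the file written above has
# no effect until the service is (re)started; enable it for the next boot too.
systemctl enable chronyd.service
systemctl restart chronyd.service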

# Step 7 (optional): raise the open-file and process limits to 65535.
# The "*" domain covers ordinary users; wildcard entries are not applied to
# root. A soft nproc of 65535 for every user largely removes the per-user
# process cap, so consider scoping it to the service accounts that need it.
# NOTE(review): a file under /etc/security/limits.d (20-nproc.conf on stock
# CentOS 7) may override the "* soft nproc" line; verify with `ulimit -u`
# after a fresh login.
limits_file=/etc/security/limits.conf
for kind in nofile nproc; do
  printf '* soft %s 65535\n* hard %s 65535\n' "$kind" "$kind"
done >> "$limits_file"

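# Step 8 (optional): kernel parameter tuning, appended to /etc/sysctl.conf.
# Review notes on the values written below:
# - net.ipv4.tcp_tw_recycle is written as 0. Recycling TIME_WAIT sockets
#   depends on per-host TCP timestamps and drops connections from clients that
#   share one address behind NAT. This list also sets tcp_timestamps = 0, so a
#   value of 1 would be inert here and would start breaking NAT clients as
#   soon as timestamps were turned back on.
# - tcp_tw_reuse also relies on timestamps, so it has no effect while
#   tcp_timestamps = 0.
# - tcp_mem is counted in memory pages, not bytes: 94500000 pages is roughly
#   360 GiB with 4 KiB pages. NOTE(review): size it to the host's RAM.
# - NOTE(review): tcp_syn_retries, tcp_synack_retries and tcp_fin_timeout of 1
#   are far below the kernel defaults; confirm they suit lossy or
#   high-latency links.
cat >> /etc/sysctl.conf <<'EOF'
# IPv6配置  
# 禁用所有接口的IPv6  
net.ipv6.conf.all.disable_ipv6 = 1  
# 禁用默认接口的IPv6  
net.ipv6.conf.default.disable_ipv6 = 1  
  
# ICMP设置  
# 忽略所有对广播地址的ICMP echo请求  
net.ipv4.icmp_echo_ignore_broadcasts = 1  
# 忽略伪造的ICMP错误信息  
net.ipv4.icmp_ignore_bogus_error_responses = 1  
  
# IP转发设置  
# 禁止IP转发  
net.ipv4.ip_forward = 0  
  
# ICMP重定向和源路由检查  
# 禁止发送ICMP重定向  
net.ipv4.conf.all.send_redirects = 0  
net.ipv4.conf.default.send_redirects = 0  
# 开启严格的源路由检查  
net.ipv4.conf.all.rp_filter = 1  
net.ipv4.conf.default.rp_filter = 1  
# 禁止接受ICMP重定向  
net.ipv4.conf.all.accept_redirects = 0  
net.ipv4.conf.default.accept_redirects = 0  
# 禁止接受不安全的ICMP重定向  
net.ipv4.conf.all.secure_redirects = 0  
net.ipv4.conf.default.secure_redirects = 0  
  
# 内核参数  
# 禁用sysrq功能  
kernel.sysrq = 0  
# 在core文件中使用PID  
kernel.core_uses_pid = 1  
# TCP syncookies参数,用于防止SYN洪水攻击  
net.ipv4.tcp_syncookies = 1  
  
# 消息队列参数  
# 消息队列的最大消息大小  
kernel.msgmnb = 65536  
# 消息队列的最大总大小  
kernel.msgmax = 65536  
  
# 共享内存参数  
# 共享内存段的最大大小  
kernel.shmmax = 68719476736  
# 系统上可以使用的共享内存总量  
kernel.shmall = 4294967296  
  
# TCP相关参数  
# TCP TIME_WAIT套接字最大数量  
net.ipv4.tcp_max_tw_buckets = 6000  
# 启用TCP选择性确认  
net.ipv4.tcp_sack = 1  
# 启用TCP窗口缩放  
net.ipv4.tcp_window_scaling = 1  
# TCP接收和发送缓冲区大小  
net.ipv4.tcp_rmem = 4096 87380 4194304  
net.ipv4.tcp_wmem = 4096 16384 4194304  
# 网络核心接收和发送缓冲区默认和最大大小  
net.core.wmem_default = 8388608  
net.core.rmem_default = 8388608  
net.core.rmem_max = 16777216  
net.core.wmem_max = 16777216  
# 网络设备接收队列的最大长度  
net.core.netdev_max_backlog = 262144  
# TCP孤儿套接字的最大数量  
net.ipv4.tcp_max_orphans = 3276800  
# TCP半连接队列的最大长度  
net.ipv4.tcp_max_syn_backlog = 262144  
# TCP全连接队列的最大长度  
net.core.somaxconn = 262144  
# 禁用TCP时间戳  
net.ipv4.tcp_timestamps = 0  
# TCP SYNACK重试次数  
net.ipv4.tcp_synack_retries = 1  
# TCP SYN重试次数  
net.ipv4.tcp_syn_retries = 1  
# TIME_WAIT fast recycling stays off: it drops connections from clients behind NAT
net.ipv4.tcp_tw_recycle = 0  
# 启用TIME_WAIT套接字的重用  
net.ipv4.tcp_tw_reuse = 1  
# TCP内存压力阈值  (最小值设置为系统总内存的 1%-2%,压力模式阈值设置为系统总内存的 10%-20%,最大值设置为系统总内存的 30%-50%)
net.ipv4.tcp_mem = 94500000 915000000 927000000  
# TCP FIN_WAIT_2的超时时间  
net.ipv4.tcp_fin_timeout = 1  
# TCP keepalive的空闲时间  
net.ipv4.tcp_keepalive_time = 30  
# 本地端口范围  
net.ipv4.ip_local_port_range = 1024 65000  
  
# 网络过滤和连接跟踪  
# 连接跟踪表的最大条目数  
net.netfilter.nf_conntrack_max=655350  
# 已建立的TCP连接的超时时间  
net.netfilter.nf_conntrack_tcp_timeout_established=1200
EOF

# The net.netfilter.* keys exist only while the nf_conntrack module is loaded;
# load it first so sysctl -p can set them instead of reporting missing keys.
# NOTE(review): for these two values to survive a reboot the module must also
# be loaded at boot, before sysctl settings are applied. Confirm on the host.
modprobe nf_conntrack || printf 'nf_conntrack not loaded; net.netfilter.* keys will be skipped\n' >&2
sysctl -p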

Ubuntu 22.04 系统初始化配置

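# Step 1: static network configuration through netplan.
# `sudo cat > file` fails for a non-root user because the calling shell opens
# the redirection target before sudo starts. tee runs under sudo and performs
# the write itself. The interface name and addresses below are this host's
# sample values; adjust them before use.
sudo tee /etc/netplan/00-installer-config.yaml >/dev/null <<'EOF'
# This is the network config written by 'subiquity'
network:
  ethernets:
    ens160:
      dhcp4: false
      addresses:
        - 192.168.200.128/24
      routes:
        - to: default
          via: 192.168.200.2
      nameservers:
        addresses:
          - 192.168.200.2
  version: 2
EOF
# netplan files can hold credentials (Wi-Fi keys, for instance), so keep the
# file readable by root only.
sudo chmod 600 /etc/netplan/00-installer-config.yaml

sudo netplan generate
# When connected over SSH, `sudo netplan try` applies the configuration and
# rolls it back unless confirmed, which avoids locking yourself out.
sudo netplan apply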

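# Step 2: time zone.
sudo timedatectl set-timezone Asia/Shanghai

# Step 3: time synchronisation through systemd-timesyncd.
# `sudo echo ... >> file` fails for a non-root user because the calling shell
# opens the redirection target, not sudo; tee -a runs under sudo and appends.
# The grep guard keeps a re-run from adding the line a second time.
# NOTE(review): the appended line only takes effect if it lands in the [Time]
# section, i.e. if [Time] is the last section of the file. Confirm.
if ! grep -q '^NTP=10.196.1.40$' /etc/systemd/timesyncd.conf; then
  echo "NTP=10.196.1.40" | sudo tee -a /etc/systemd/timesyncd.conf >/dev/null
fi
sudo systemctl restart systemd-timesyncd.service
sudo timedatectl timesync-status

# sudo timedatectl status           # show the time synchronisation state
# sudo timedatectl set-ntp true     # enable time synchronisation
# sudo timedatectl set-ntp false    # disable time synchronisation
# sudo timedatectl timesync-status  # show the timesync service parameters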

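# Step 4: switch APT to the Aliyun mirror.
# Keep only the first backup, so a re-run does not overwrite the vendor list.
[ -f /etc/apt/sources.list.bak ] || sudo cp -p /etc/apt/sources.list /etc/apt/sources.list.bak

# tee runs under sudo and writes the file; with `sudo cat > file` the calling
# shell opens the target and the write fails for a non-root user.
# The mirror URLs use HTTPS: apt authenticates packages through the signed
# Release files either way, and HTTPS additionally keeps the mirror traffic
# from being read or altered in transit.
# NOTE(review): jammy-proposed is the pre-release testing pocket; on production
# hosts consider leaving those two lines out.
sudo tee /etc/apt/sources.list >/dev/null <<'EOF'
deb https://mirrors.aliyun.com/ubuntu/ jammy main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ jammy-security main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy-security main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ jammy-updates main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy-updates main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ jammy-proposed main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy-proposed main restricted universe multiverse
deb https://mirrors.aliyun.com/ubuntu/ jammy-backports main restricted universe multiverse
deb-src https://mirrors.aliyun.com/ubuntu/ jammy-backports main restricted universe multiverse
EOF
sudo apt update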

# Step 5: install commonly used tools.
base_packages=(vim net-tools lrzsz)
sudo apt install -y "${base_packages[@]}"

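# Step 6: create the user and give it bash as its login shell.
# Skip useradd when the account already exists, so a re-run does not fail.
# NOTE(review): useradd without -m does not create /home/ubuntu; add -m if a
# home directory is wanted.
if ! id -u ubuntu >/dev/null 2>&1; then
  sudo useradd ubuntu
fi
sudo passwd ubuntu

# usermod locks and validates the account database while it changes the shell
# field. A sed edit of /etc/passwd does neither, and its /bin/sh pattern is not
# tied to the shell field of the entry.
sudo usermod --shell /bin/bash ubuntu

# Show only the affected entry instead of the whole file.
getent passwd ubuntu
# Sample output:
# ubuntu:x:1001:1001::/home/ubuntu:/bin/bash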

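# Step 7: grant sudo rights to the user.
# The rule goes into a drop-in under /etc/sudoers.d (included by the stock
# /etc/sudoers) instead of being spliced into /etc/sudoers with sed. A syntax
# error in the main file disables sudo altogether, and the sed append adds a
# duplicate line on every re-run. The rule is validated with visudo before it
# is installed, and installed with the 0440 mode sudo expects.
# NOPASSWD:ALL means anyone who gets a shell as this account is root without
# any further prompt; keep it for accounts that need unattended sudo and
# protect the account's login path accordingly.
sudoers_tmp=$(mktemp)
printf 'ubuntu\tALL=(ALL:ALL) NOPASSWD:ALL\n' > "$sudoers_tmp"
if sudo visudo -cf "$sudoers_tmp"; then
  sudo install -o root -g root -m 0440 "$sudoers_tmp" /etc/sudoers.d/90-ubuntu
else
  printf 'sudoers rule rejected by visudo; nothing installed\n' >&2
fi
rm -f -- "$sudoers_tmp"

sudo cat /etc/sudoers.d/90-ubuntu
# Expected content (the root entry in /etc/sudoers itself is left untouched):
# ubuntu	ALL=(ALL:ALL) NOPASSWD:ALL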