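#!/bin/bash
#################
# CentOS 7 host initialisation: Aliyun yum mirror, shell defaults, legacy
# account cleanup, limits/sysctl tuning, login banners, sendEmail and a
# chkrootkit alert job. Must run as root; check_os.sh (same directory) is
# sourced for OS/version detection.
# NOTE(review): no `set -e` on purpose — several steps are expected to fail on
# some hosts (userdel/groupdel of absent accounts, apt-get on CentOS) and the
# script relies on continuing past them.
#################
# Check for root before sourcing: check_os.sh may try to yum-install
# redhat-lsb-core, which only works as root anyway.
if [ "$(id -u)" != "0" ]; then
  printf "Error:You must be root to run this script!\n" >&2
  exit 1
fi
# Resolve check_os.sh relative to this script, not the caller's cwd.
script_dir=$(cd "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
. "${script_dir}/check_os.sh"
# NOTE(review): this test has no effect — its result is discarded. Also
# confirm check_os.sh actually sets CentOS_ver (the copy on this page sets
# system_ver instead), otherwise the first half is always false. Presumably a
# NetworkManager step was meant to follow it.
[ "${CentOS_ver}" == '7' ] && [ "$(systemctl is-active NetworkManager.service)" == "inactive" ]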
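# Disable SELinux (runtime + persistent).
# NOTE(review): this removes the mandatory-access-control layer entirely;
# SELINUX=permissive keeps audit logging while not enforcing and is the safer
# choice if the goal is troubleshooting rather than permanent removal.
setenforce 0
sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config
# Switch the base yum repo to the Aliyun mirror.
yum install -y wget curl
# Fetch over HTTPS and only replace the repo file once the download succeeded:
# the original moved CentOS-Base.repo away before checking, so a failed wget
# left the host with no base repository. The backup is kept from the first run.
repo_tmp=$(mktemp) || exit 1
if wget -q -O "$repo_tmp" https://mirrors.aliyun.com/repo/Centos-7.repo; then
  [ -e /etc/yum.repos.d/CentOS-Base.repo_back ] || mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo_back
  mv "$repo_tmp" /etc/yum.repos.d/CentOS-Base.repo
  chmod 644 /etc/yum.repos.d/CentOS-Base.repo   # mktemp creates the file 0600
else
  printf 'Warning: could not download Centos-7.repo; keeping existing yum configuration\n' >&2
  rm -f -- "$repo_tmp"
fi
yum clean all
yum makecache
# -y: a bare `yum update` prompts and blocks an unattended run.
yum -y update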
# Shell defaults and aliases for every login shell (/etc/profile.d).
# The delimiter is quoted so the body is written literally; the generated file
# is byte-identical to the original unquoted-heredoc output.
# NOTE(review): the PS1 ends in `\\$`, which bash renders as a literal
# backslash followed by `$`; `\$` (shows `#` for root) was presumably intended.
# GREP_OPTIONS is redundant with the --color aliases below and is deprecated
# in newer GNU grep.
cat > /etc/profile.d/alias.sh <<'EOF'
HISTSIZE=10000
PS1="\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@\h \[\e[35;40m\]\W\[\e[0m\]]\\$ "
HISTTIMEFORMAT="%F %T $(whoami) "
alias l='ls -AFhlt'
alias lh='l | head'
alias vi=vim
GREP_OPTIONS="--color=auto"
alias grep='grep --color'
alias egrep='egrep --color'
alias fgrep='fgrep --color'
EOF
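# Remove legacy accounts this host does not use.
# Order matters: groupdel refuses to remove a group that is still some user's
# primary group (adm and lp own their own groups), so the original
# groupdel-first sequence left those groups behind. Users go first; accounts
# that are already gone are skipped instead of producing errors.
# NOTE(review): deleting built-in accounts has limited hardening value and may
# surprise packages that still reference them (file ownership under /var/log,
# logrotate); audit an existing host before running this.
for user in adm lp shutdown operator games uucp; do
  if id "$user" >/dev/null 2>&1; then
    userdel "$user"
  fi
done
for group in adm lp games; do
  if getent group "$group" >/dev/null; then
    groupdel "$group"
  fi
done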
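# limits.conf: raise process/file-descriptor limits for all users.
# Guarded so a re-run does not append the same stanza again.
# NOTE(review): on CentOS 7 /etc/security/limits.d/20-nproc.conf may still
# cap nproc for non-root users — check it if the nproc value does not take.
if ! grep -q '^\* hard nofile 1000000' /etc/security/limits.conf; then
  cat >> /etc/security/limits.conf <<EOF
# End of file
* soft nproc 1000000
* hard nproc 1000000
* soft nofile 1000000
* hard nofile 1000000
EOF
fi
## set ulimit
# NOTE(review): 65536 here is lower than the 1000000 configured above, so
# login shells end up with the smaller limit; one of the two values is
# presumably stale.
grep -q '^ulimit -HSn 65536$' /etc/profile || echo "ulimit -HSn 65536" >> /etc/profile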
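# Time zone: point /etc/localtime at Asia/Shanghai.
# ln -sfn replaces whatever is there (symlink or a copied file) without the
# window in which /etc/localtime did not exist under the rm-then-ln original.
# (`timedatectl set-timezone Asia/Shanghai` is the systemd equivalent.)
ln -sfn /usr/share/zoneinfo/Asia/Shanghai /etc/localtime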
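# /etc/sysctl.conf: keep one backup of the stock file, then replace it.
[ ! -e "/etc/sysctl.conf_bk" ] && /bin/mv /etc/sysctl.conf{,_bk}
# NOTE(review): net.ipv4.tcp_tw_recycle was dropped from the original list —
# combined with tcp_timestamps=1 it rejects SYNs from clients behind NAT
# (timestamps go backwards between hosts sharing one address), and the key was
# removed in kernel 4.12, where sysctl -p would error on it. tcp_tw_reuse
# below keeps the safe part of that intent.
# NOTE(review): net.nf_conntrack_max and net.netfilter.nf_conntrack_max are the
# same knob, and the net.netfilter.* keys only exist once the nf_conntrack
# module is loaded; until then sysctl -p reports them as missing.
# NOTE(review): ip_local_port_range starting at 1024 lets outbound connections
# take ports that local services may want to bind later (the host name
# suggests MySQL); net.ipv4.ip_local_reserved_ports can exclude them.
cat > /etc/sysctl.conf << EOF
fs.file-max=1000000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_max_syn_backlog = 65535
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_syncookies = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.ip_local_port_range = 1024 65000
net.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
EOF
sysctl -p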
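# Extra tooling. check_os.sh sets OS, so only the matching package manager
# runs instead of letting the other one fail silently, and the "OK" line is
# only printed when the install actually succeeded.
tools_rc=0
case "$OS" in
  CentOS)
    yum -y install sysstat ntp net-snmp lrzsz rsync >/dev/null 2>&1 || tools_rc=$?
    ;;
  Debian|Ubuntu)
    apt-get -y install vim ntpdate locales >/dev/null 2>&1 || tools_rc=$?
    ;;
esac
if [ "$tools_rc" -eq 0 ]; then
  echo "Installation system tools.------->OK"
else
  printf 'Installation system tools.------->FAILED (exit %s)\n' "$tools_rc" >&2
fi
# One-shot clock sync.
# NOTE(review): ntp is installed above but never enabled; without
# `systemctl enable --now ntpd` the clock drifts again after this step.
ntpdate cn.pool.ntp.org >/dev/null 2>&1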
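# Stop unused services (left disabled by the author; kept as-is).
#/etc/init.d/exim4 stop >/dev/null 2>&1
#/etc/init.d/nfs-common stop >/dev/null 2>&1
#/etc/init.d/portmap stop >/dev/null 2>&1
##
#systemctl stop portmap >/dev/null 2>&1
#systemctl stop exim4 >/dev/null 2>&1
#systemctl stop nfs-common >/dev/null 2>&1
#chkconfig --del exim4 && chkconfig exim4 off >/dev/null 2>&1
#chkconfig --del portmap && chkconfig exim4 off >/dev/null 2>&1
#chkconfig --del nfs-common && chkconfig exim4 off >/dev/null 2>&1
# Auto-logout idle shells after 300 s. Guarded against duplicate appends.
# NOTE(review): users can `unset TMOUT` in their own shell; if this is meant as
# a control rather than a convenience, follow it with `readonly TMOUT`.
grep -q '^export TMOUT=300$' /etc/profile || echo "export TMOUT=300">>/etc/profile
# Login banners.
# NOTE(review): overwriting /etc/redhat-release hides the OS version from
# visitors but also from tooling — lsb_release typically derives the release
# from it, so check_os.sh on this page will misdetect the version on a re-run.
# Consider changing only /etc/issue.
echo "nginx_111" > /etc/issue
echo "nginx_111" > /etc/redhat-release
printf '%s\n' "本机仅限本公司员工使用 否则追究法律责任" >/etc/motd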
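# Install sendEmail (used by the chkrootkit job to send alerts).
# NOTE(review): the tarball is fetched over plain HTTP with no signature or
# checksum verification, and the result runs as root from cron. Pin a
# known-good digest once obtained:
# `echo "<EXPECTED_SHA256>  sendEmail-v1.56.tar.gz" | sha256sum -c -`
# Fixes vs. the original: /data/soft is created, the download is checked
# before extracting, and a re-run replaces the directory instead of nesting
# a second copy inside it.
install -d /data/soft
if wget -q http://caspian.dotconf.net/menu/Software/SendEmail/sendEmail-v1.56.tar.gz; then
  tar xf sendEmail-v1.56.tar.gz
  rm -rf -- /data/soft/sendEmail-v1.56
  mv sendEmail-v1.56 /data/soft/
  rm -f -- sendEmail-v1.56.tar.gz
else
  printf 'Warning: sendEmail download failed; mail alerts will not work\n' >&2
fi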
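# chkrootkit scan job with a mail alert via sendEmail.
# Fix vs. the original: the heredoc delimiter was unquoted, so `date`, $TIME,
# $EMAIL, $FEMAIL ... were expanded by *this* script while writing the file —
# the generated job had a frozen timestamp, an empty log path and a sendEmail
# command with no arguments. The quoted 'EOF' keeps them literal, and the
# variables inside the job are now quoted.
# NOTE(review): chkrootkit is not in the CentOS base repos (EPEL on CentOS 7);
# the yum line fails quietly if that repo is not enabled.
# NOTE(review): the SMTP password is a placeholder passed on the command line
# (-xp), which exposes it in `ps`; with -o tls=no it is also sent in clear.
# Use a dedicated low-privilege mailbox and keep the job file root-only.
# NOTE(review): one log file is written per run with no rotation; the crontab
# line in the header is documentation only (nothing installs it) and names
# chkrootkit_everyday.sh while this file is chkrootkit_everydays.sh.
yum install -y chkrootkit
install -d /data/sh
install -d -m 700 /data/sh/.chkrootkitLog
cat > /data/sh/chkrootkit_everydays.sh <<'EOF'
#!/bin/bash
#-------------------------------------------------------------------------
#application: 检查linux是否被cc的工具,监控命令是否被替换
#Filename: chkrootkit_everyday.sh
#crontab: */5 * * * * chkrootkit_everyday.sh
#------------------------------------------------------------------------
TIME="$(date +%Y%m%d%H%M)"
LOGDIR=/data/sh/.chkrootkitLog
mkdir -p "$LOGDIR"
/usr/sbin/chkrootkit -n > "$LOGDIR/.chkrootkit_$TIME.log"
if grep -q 'INFECTED' "$LOGDIR/.chkrootkit_$TIME.log"; then
  echo "Dangerous"
  EMAIL='/data/soft/sendEmail-v1.56/sendEmail'
  FEMAIL="[email protected]" #发件邮箱
  MAILP="PASSWD"
  MAILSMTP="smtp.163.com" #发件邮箱的SMTP
  MAILT="[email protected],.......,...." #收件邮箱
  MAILmessage=" server command change ERROR"
  "$EMAIL" -q -f "$FEMAIL" -t "$MAILT" -u "您服务器有人登录修改命令,请使用chkrootkit来检测" -m "$MAILmessage" -s "$MAILSMTP" -o message-charset=utf-8 -xu "$FEMAIL" -xp "$MAILP" -o tls=no
else
  echo "OK"
fi
EOF
chmod 700 /data/sh/chkrootkit_everydays.sh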
root@centos-mysql01:/data/sh# cat check_os.sh
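#!/bin/bash
#######################
# OS detection helper, sourced by the setup script. Sets:
#   OS          - CentOS | Debian | Ubuntu
#   system_ver  - major release number (CentOS, Debian)
#   Ubuntu_ver  - major release number (Ubuntu)
#   CentOS_ver  - same as system_ver on CentOS (the setup script reads it)
#   THREAD      - number of logical CPUs
# Installs lsb_release when it is missing. Because this file is sourced,
# exiting on an unknown OS terminates the caller as well.
#######################
if [ -e /etc/redhat-release ]; then
  OS=CentOS
  command -v lsb_release >/dev/null 2>&1 || { yum -y install redhat-lsb-core; clear; }
  system_ver=$(lsb_release -sr | awk -F. '{print $1}')
  CentOS_ver=$system_ver
elif grep -q 'bian' /etc/issue || [ "$(lsb_release -is 2>/dev/null)" == "Debian" ]; then
  OS=Debian
  command -v lsb_release >/dev/null 2>&1 || { apt-get -y update; apt-get -y install lsb-release; clear; }
  system_ver=$(lsb_release -sr | awk -F. '{print $1}')
elif grep -q 'Ubuntu' /etc/issue || [ "$(lsb_release -is 2>/dev/null)" == "Ubuntu" ] || grep -q 'Linux Mint' /etc/issue; then
  OS=Ubuntu
  Ubuntu_ver=$(lsb_release -sr | awk -F. '{print $1}')
else
  # CFAILURE/CEND are colour codes the caller may define; empty otherwise.
  echo "${CFAILURE}Does not support this OS, Please contact the author! ${CEND}"
  # exit (rather than kill -9 $$) still terminates the sourcing shell but lets
  # EXIT traps run and reports a normal status instead of SIGKILL.
  exit 1
fi
# Unique "processor : N" lines in cpuinfo = logical CPU count.
THREAD=$(grep 'processor' /proc/cpuinfo | sort -u | wc -l)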
debian和ubunt的后续再写吧