#!/bin/bash
### Usage: This script use to config linux system
#获取IP地址 172.16.100.100
outip=`ifconfig eth1 |grep inet|cut -f 2 -d ":" |cut -f 1 -d " "|awk -F "." '{print $4}'`
#定义系统主机名
hostname=dbbak$outip.mstuc.cn1
#修改yum源
#Change yum source to mirrors.163.com
mv -f /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
curl -s http://mirrors.163.com/.help/CentOS6-Base-163.repo -o /etc/yum.repos.d/CentOS-Base.repo
#添加第三方的yum源
#add the third-party repo
#add the epel
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
#add the rpmforge
rpm -Uvh http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
#生成yum缓存
yum clean all
yum makecache
#安装一些常用的软件
yum install -y sysstat vim lrzsz ntp traceroute vixie-cron crontabs lsof pcre pcre-devel wget openssl openssl-devel rsync
#时间校正
#set ntp
/usr/sbin/ntpdate ntp.api.bz
echo "*/5 * * * * /usr/sbin/ntpdate ntp.api.bz > /dev/null 2>&1" >> /var/spool/cron/root
#set clock
#校正硬件时钟 bios里面的时间
hwclock --set --date="`date +%D\ %T`"
hwclock --hctosys
#ulimit 修改
#set ulimit
echo "ulimit -SHn 102400" >> /etc/rc.local
cat >> /etc/security/limits.conf << EOF
* soft nofile 102400
* hard nofile 102400
* soft nproc 102400
* hard nproc 102400
EOF
#禁止使用control alt delete重启服务器
#close ctrl+alt+del
sed -i 's/exec \/sbin\/shutdown -r now "Control-Alt-Delete pressed"/#exec \/sbin\/shutdown -r now "Control-Alt-Delete pressed"/g' /etc/init/control-alt-delete.conf
#修改运行级别,修改成默认为3
sed -i 's/^id:5:initdefault:/id:3:initdefault:/' /etc/inittab
#关闭所有的服务的开机启动,只打开部分需要的服务
### service config
for i in `chkconfig --list | awk '{print $1}' `; do echo $i; chkconfig $i off; done
for i in sshd network crond sysstat acpid irqbalance iptables rsyslog ntpdate ; do chkconfig $i on; done
#添加系统需要的用户
### Add new user.
useradd lyp_hx
echo 'Hu0X!nG%12' | passwd --stdin lyp_hx
chage -d 0 lyp_hx
useradd developer
echo 'Hu0X!nG%12' | passwd --stdin developer
chage -d 0 developer
useradd xunge
echo 'Hu0X!nG%12' | passwd --stdin xunge
chage -d 0 xunge
useradd roke01
echo 'Hu0X!nG%12' | passwd --stdin roke01
chage -d 0 roke01
#允许哪些用户有sudo的权限
chmod u+w /etc/sudoers
echo -e "lyp_hx ALL=(ALL) ALL\ndeveloper ALL=(ALL) ALL" >> /etc/sudoers
echo -e "xunge ALL=(ALL) ALL\nroke01 ALL=(ALL) ALL" >> /etc/sudoers
chmod u-w /etc/sudoers
#让所有的网卡开机自动启动
#network start with system.
sed -i s/ONBOOT=no/ONBOOT=yes/g /etc/sysconfig/network-scripts/ifcfg-eth0
sed -i s/ONBOOT=no/ONBOOT=yes/g /etc/sysconfig/network-scripts/ifcfg-eth1
#禁止使用密码登录
### sshd config
sed -i s/"PasswordAuthentication yes"/"PasswordAuthentication no"/g /etc/ssh/sshd_config
#添加ssh的密钥
[ ! -d /root/.ssh ] && mkdir -p /root/.ssh/
chmod 700 /root/.ssh/
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyVbaOb8yYSOfcfKXQo0zzOFlpUDAAxltM5lo44E0QG5IFtKe5NpUhl/3shOoS78SS6mfADF5+S+jyB/d32CwsG0M4P9ZcX4wt5vNrVuCyud3VF6qhYjuEx28T8L7EjGIHZdNto7mlc8nK2+juE4JxuMXwYknpb22zOR/j1DQcsysymvfgqsHVG2C0cyPCYffzO4baik68KSiyuECl2IQZtj611fHZkFk6jqxFUUav6vwXTBf/RCHYwo8l15IuiPK5YtHT0iLbbXOxlC8G24QAIaPU5FfX445qpd4iCwhYUIcGQAZXCXRwWCODUsTO/D6GtPB2fB1fnPTxUTkzQfe1Q== liyuanpeng@corp.the9.com
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr905kqmgZT3kTrUEwnoJJpq0ecSo1g8p4NIaklsxOzjBmwKfXcN0RkPKm5qDcanWtalY7OEiJYg1ZMhdGutaFuuVLxsjJJsh2n1vRPC9TYNMEGQ0i99lEEz1shRih5VfHvdsx+htt68GtrUJUxQVE9nlboX6NIqch9FmTxxmegHX/W1nRQ1ejcLw9T0bfwU7/6f37eM4jQ9B72hhZc6tpVFvfrQRCp5rPDZ6agGY9PzNkKldulLmZ5egHhhzA/4UX7L358QeSI7UNb2gkxITqIxM2HS8P8IG0gJb41RJwl4l0dGKfvi32tK1aICSntKF8Bozj4am+6QrpaUip6S6dw== developer
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4qV2CbFgB0rdEhYkfZYz3EcMy9mHBmPy8kxDw29RHqP5Pvx58fgHgDILdAoKQqpRDN7S4zTznPVJXt7atbGugWMdokG78du8K73CdNbB2NSl9l+XS3wdwQfeALgo+JX/NSuiDk0Zx9SSmfm10izix+4XJ+D5IjzsOrxrGbys3CbYyFx9bIuBN1at618gZezDB9bQaq0AL30w7D3qxp8s2V05s4t1Xngd5Kn1ZcK8327pAmipcHjpn7SDsH04suNdhCE7HJcrBIac2dfauw/90/mkhpA/58L6Hek6TRTPza7Y8+WVYe2RBLVZODmOym2gA9+qhcebVhgyUpAscXgOQQ== program
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxSo72gHJX+tkCze25v3xr16urGM04oHKNWyo5+5eSafeJS+Xl8pHNN4EV3a3tuMvZo1tBmziONqmUv13N8rv1D3rMbkYZAzu10vZi/8Id9UJCu6X15+4j+mga95k/RkYDNydxaMV72f6Zue/ZR6NaoXLYKuXdHXZmRbRE435tAepmbbuxNrdOzM8hdRvFFc4LmM1GBfc3vPDCwNz3+lpLYsO0qPpeT8aVg3vaLX7gLul+f0W+iHzPtdRiGm9U6EXvuRVhv1FEAVpB+hGJmM1L2ECY3s6aWbCNF4bFWFxwtTR8Ykvlq4ekL4DIVF1qY1/vMOG5hp0zPNYGx5i5Y4Ghw== roke001
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA34QAb/xi1Sme/YEBeuJrBW8hn1nIVSL03XiEcJacQO9VVkvKUdY8sXL9fUS2qFgFcFVj5GMI/7YCECp/PMAkox6LAs2+WbmfXgasK+aFWEY9Anop2qmrtvmtvMOy1cINB6fFC9UgXHFL7qm63h5OlZaRrXRzyf2G+LVnV+6vCzJuAO3vkeVzi6XTtrPhXIbh8HBmTFNCr2OQ1g5vX8IMpvhb60j6yY/CUlBbY2WktLPO7bPYOPat2GlrzPy4Ku2xITXnq3CwZnAfe2XTJ7kMG3Bp7YJhOhBV1fZ9VQNuOsodVRnMjNzgyftdZ/8Do5HMT66umos9MSI8f+zSWLoUBQ== xunge
#key" > /root/.ssh/authorized_keys
#重启sshd
/etc/init.d/sshd restart
#修改服务器的DNS
### set dns server
echo -e "nameserver 114.114.114.114\nnameserver 8.8.8.8" > /etc/resolv.conf
#给一些自定义的脚本一些可执行权限
chmod a+x /opt/scripts/*.sh
#关闭SELinux
###disable selinux
sed -i 's/SELINUX=enforcing/SELINUX=disalbed/g' /etc/selinux/config
#把一些服务添加到开机启动
echo 'bash /opt/zabbix/zabbix_agentd.sh' >> /etc/rc.local
echo 'bash /opt/scripts/firewall_kvm.sh' >> /etc/rc.local
echo 'cd /opt/scripts;nohup /opt/scripts/ssh_deny.sh &' >> /etc/rc.local
#把hostname写到配置文件中
echo 'NETWORKING=yes' > /etc/sysconfig/network
echo "HOSTNAME=$hostname" >> /etc/sysconfig/network
#设置vim语法高亮
##Set vim
echo 'syntax on' > /root/.vimrc
#修改内核参数
###sysctl
cat >> /etc/sysctl.conf << END
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.core.wmem_max = 873200
net.core.rmem_max = 873200
net.core.somaxconn = 256
net.core.netdev_max_backlog = 1000
net.ipv4.ip_local_port_range = 5000 65000
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.tcp_wmem = 8192 436600 873200
net.ipv4.tcp_rmem = 32768 436600 873200
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 20000
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
END
modprobe bridge
#让修改后的内核参数生效
/sbin/sysctl -p
#添加执行命令的路径
#Add PATH environment.
echo 'export PATH=$PATH:/opt/node/bin:/opt/node/lib/node_modules/npm/bin/node-gyp-bin:/opt/zabbix/bin:/opt/zabbix/sbin' >> /etc/profile
#添加zabbix这个用户
/usr/sbin/groupadd zabbix
/usr/sbin/useradd -g zabbix zabbix -s /sbin/nologin
#重启
###reboot
sleep 10
reboot CentOS7初始化脚本,优化了CentOS6的脚本,将代码进行函数化。
#!/bin/bash
#CentOS7 initialization
if [[ "$(whoami)" != "root" ]]; then
echo "please run this script as root ." >&2
exit 1
fi
echo -e "\033[31m centos7系统初始化脚本,请慎重运行! press ctrl+C to cancel \033[0m"
sleep 5
#update system pack
yum_update(){
yum -y install wget
cd /etc/yum.repos.d/
mkdir bak
mv ./*.repo bak
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all && yum makecache
yum -y install net-tools bash-completion lrzsz gcc gcc-c++ make cmake libxml2-devel openssl-devel curl curl-devel unzip sudo ntp libaio-devel wget vim ncurses-devel autoconf automake zlib-devel python-devel expect
}
#set ntp
zone_time(){
cp /usr/share/zoneinfo/Asia/Chongqing /etc/localtime
printf 'ZONE="Asia/Chongqing"\nUTC=false\nARC=false' > /etc/sysconfig/clock
/usr/sbin/ntpdate pool.ntp.org
echo "*/5 * * * * /usr/sbin/ntpdate pool.ntp.org > /dev/null 2>&1" >> /var/spool/cron/root;chmod 600 /var/spool/cron/root
echo 'LANG="en_US.UTF-8"' > /etc/sysconfig/i18n
source /etc/sysconfig/i18n
}
#set ulimit
ulimit_config(){
echo "ulimit -SHn 102400" >> /etc/rc.local
cat >> /etc/security/limits.conf << EOF
* soft nofile 102400
* hard nofile 102400
* soft nproc 102400
* hard nproc 102400
EOF
}
#set ssh
sshd_config(){
sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
systemctl start crond
}
#set sysctl
sysctl_config(){
cp /etc/sysctl.conf /et/sysctl.conf.bak
cat > /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65535
EOF
/sbin/sysctl -p
echo "sysctl set OK!!"
}
#disable selinux
selinux_config(){
sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config
setenforce 0
}
iptables_config(){
systemctl stop firewalld.servic
systemctl disable firewalld.service
yum install iptables-services
cat > /etc/sysconfig/iptables << EOF
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
/sbin/service iptables restart
}
main(){
yum_update
zone_time
ulimit_config
sysctl_config
sshd_config
selinux_config
iptables_config
}
main
