• centos 7 & 6 优化脚本


    简单优化,未涉及安全优化(选项 2 会关闭 SELinux 和 iptables/firewalld);如有需求请自行修改脚本实现

      1 #!/bin/bash
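      # Interactive CentOS 6/7 setup helper. Menu option 2 switches off SELinux and
      # the host firewall (see OffSE / OFFfirewalld), so review each step before
      # running this on a host that is reachable from untrusted networks.

      # Major release number: the text after "release" in /etc/redhat-release, up
      # to the first dot. Every function below branches on 6 vs 7.
      SysVer=$(awk -F'release' '{print $2}' /etc/redhat-release | awk -F'[ .]+' '{print $2}')
      NetPath="/etc/sysconfig/network-scripts/"

      # First ifcfg-* file in glob (sorted) order, skipping the loopback config so
      # a static address is never written over ifcfg-lo.
      NetCnf=""
      for cfg in "$NetPath"ifcfg-*; do
        [ -e "$cfg" ] || continue
        [ "${cfg##*/}" = "ifcfg-lo" ] && continue
        NetCnf=${cfg##*/}
        break
      done
      # Interface name is everything after the "ifcfg-" prefix (names that contain
      # a hyphen stay intact).
      NetName=${NetCnf#ifcfg-}

      clear
      # NOTE(review): item 4 is advertised in the menu but only 1-3 are handled.
      printf '%s\n' \
        "#####################################" \
        "######       1、配置网络       ######" \
        "######       2、优化系统       ######" \
        "######       3、命令审计       ######" \
        "######       4、其他功能       ######" \
        "#####################################"
      read -r -p "Please Input Number (1/2/3) :" Nmb

      # A case on the quoted value also rejects empty or multi-word input, which
      # made the original unquoted [ ] tests error out instead of failing cleanly.
      case "$Nmb" in
        1 | 2 | 3) ;;
        *)
          echo -e "\033[41;33;5m Input ERROR,you Can only enter 1 or 2 or 3 \033[0m"
          exit 110
          ;;
      esac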
     19 
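     # Jdt: draw a text progress bar (21 frames, 0.1 s apart, so roughly two
     # seconds) before a step runs. It does no work itself; it only gives the
     # operator a window to press Ctrl+C.
     # Outputs: progress frames and two status lines on stdout.
     # Returns: 0.
     Jdt() {
       # Locals keep the loop counters out of the global namespace.
       local -a spinner=("|" "/" "-" "\\")
       local bar="" step=0 color

       echo "准备中..."
       while ((step <= 20)); do
         # Cycle through foreground colours 30..37.
         color=$((30 + step % 8))
         # Values are passed as arguments, never spliced into the format string.
         printf '\e[0;%d;1m[%-20s][%d%%]%c\r' \
           "$color" "$bar" "$((step * 5))" "${spinner[step % 4]}"
         sleep 0.1
         step=$((step + 1))
         bar+='+'
       done
       # Reset attributes so the colour of the last frame does not bleed into
       # everything printed afterwards.
       printf '\e[0m\n'
       echo "正在执行...稍候!"
     }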
     39 
     # PanDuan: stop the whole script with status 110 when the command that ran
     # immediately before this call returned non-zero. Only that single status is
     # seen, so it reflects the LAST command of the preceding function, not every
     # command inside it.
     PanDuan() {
       # Must be captured first; any other command would overwrite $?.
       local last_status=$?
       [ "$last_status" -eq 0 ] && return 0
       echo -e "\033[41;33;5m ERROR,Please To Check  \033[0m"
       exit 110
     }
     47 
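     # C6NetWork: write a static-address ifcfg file for CentOS 6 and hand the
     # interface from NetworkManager to the classic "network" service.
     # Globals: NetPath, NetCnf, NetName, Ipa, Ntm, Gtw (all read).
     # Exits 110 when no ifcfg file was detected or an address is malformed.
     C6NetWork() {
       # The operator's answers are written verbatim into a file that the network
       # scripts later read as shell-style assignments, so accept only
       # dotted-quad values. (Octet range is not checked; the gateway may be
       # left empty.)
       local ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
       if [[ -z $NetCnf || ! $Ipa =~ $ipv4_re || ! $Ntm =~ $ipv4_re ]] ||
         [[ -n $Gtw && ! $Gtw =~ $ipv4_re ]]; then
         echo -e "\033[41;33;5m ERROR,Please To Check  \033[0m"
         exit 110
       fi

       # NOTE(review): DNS1/DNS2 are fixed public resolvers; replace them where
       # name resolution must stay on internal servers.
       printf '%s\n' \
         "DEVICE=$NetName" \
         "TYPE=Ethernet" \
         "ONBOOT=yes" \
         "NM_CONTROLLED=yes" \
         "BOOTPROTO=static" \
         "IPADDR=$Ipa" \
         "NETMASK=$Ntm" \
         "GATEWAY=$Gtw" \
         "DNS1=114.114.114.114" \
         "DNS2=223.5.5.5" \
         "" >"$NetPath$NetCnf"

       service NetworkManager stop >/dev/null 2>&1
       chkconfig NetworkManager off >/dev/null 2>&1
       chkconfig network on >/dev/null 2>&1
       Jdt
       echo -e "\033[46;35;5m[ ## Network configuration succeeded ## ]\033[0m"
       echo -e "\033[46;35;5m[ ##### Please restart the server ##### ]\033[0m"
     }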
     70 
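     # C7NetWork: write a static-address ifcfg file for CentOS 7 and switch the
     # host from NetworkManager to network.service.
     # Globals: NetPath, NetCnf, NetName, Ipa, Ntm, Gtw (all read).
     # Exits 110 when no ifcfg file was detected or an address is malformed.
     C7NetWork() {
       # The answers typed at the prompt end up verbatim in a file that the
       # network scripts read as shell-style assignments, so accept only
       # dotted-quad values. (Octet range is not checked; the gateway may be
       # left empty.)
       local ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
       if [[ -z $NetCnf || ! $Ipa =~ $ipv4_re || ! $Ntm =~ $ipv4_re ]] ||
         [[ -n $Gtw && ! $Gtw =~ $ipv4_re ]]; then
         echo -e "\033[41;33;5m ERROR,Please To Check  \033[0m"
         exit 110
       fi

       # NOTE(review): DNS1/DNS2 are fixed public resolvers; replace them where
       # name resolution must stay on internal servers.
       printf '%s\n' \
         "TYPE=Ethernet" \
         "PROXY_METHOD=none" \
         "BROWSER_ONLY=no" \
         "BOOTPROTO=static" \
         "DEFROUTE=yes" \
         "IPV4_FAILURE_FATAL=no" \
         "NAME=$NetName" \
         "DEVICE=$NetName" \
         "ONBOOT=yes" \
         "IPADDR=$Ipa" \
         "NETMASK=$Ntm" \
         "GATEWAY=$Gtw" \
         "DNS1=223.5.5.5" \
         "DNS2=114.114.114.114" \
         "" >"$NetPath$NetCnf"

       systemctl stop NetworkManager >/dev/null 2>&1
       systemctl disable NetworkManager >/dev/null 2>&1
       systemctl enable network.service >/dev/null 2>&1
       Jdt
       echo -e "\033[40;35;5m[ ## Network configuration succeeded ## ]\033[0m"
       echo -e "\033[40;35;5m[ ##### Please restart the server ##### ]\033[0m"
     }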
     97 
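     # OptSSH: move sshd to an operator-chosen port, turn off GSSAPI
     # authentication and reverse-DNS lookups, enable the MOTD, then restart sshd.
     # Globals: SysVer (read), Pt (written).
     # Exits 110 on an invalid port, a config that fails "sshd -t", or an
     # unsupported release.
     #
     # NOTE(review): in menu option 2 this runs before OffSE / OFFfirewalld. With
     # SELinux still enforcing or a firewall still filtering, the new port may
     # need to be allowed first, otherwise the restart fails or the port is
     # unreachable. Keep the current session open until a login on the new port
     # has been confirmed.
     OptSSH() {
       echo "#########################################################"
       echo -e "\033[40;34;5m[             配置SSH 端口 关闭DNS 反向解析             ]\033[0m"
       # Ask first: the notice below prints the chosen port, which was still
       # empty when the prompt came after it.
       read -r -p "Please enter the SSH port :" Pt
       # The value is interpolated into sed expressions, so allow only a decimal
       # port number in 1..65535.
       if [[ ! $Pt =~ ^[0-9]{1,5}$ ]] || ((10#$Pt < 1 || 10#$Pt > 65535)); then
         echo -e "\033[41;33;5m ERROR,Please To Check  \033[0m"
         exit 110
       fi
       Pt=$((10#$Pt)) # drop leading zeros
       echo -e "\033[40;34;5m[   关闭此终端后 请使用新SSH端口:$Pt 进行登陆 原端口失效   ]\033[0m"
       Jdt
       sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
       sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
       sed -i "s/#Port 22/Port $Pt/" /etc/ssh/sshd_config
       sed -i "s/^Port.*/Port $Pt/g" /etc/ssh/sshd_config
       sed -i 's/#PrintMotd yes/PrintMotd yes/' /etc/ssh/sshd_config
       # Syntax-check the edited file before restarting, so a bad edit cannot
       # take the daemon down and lock the operator out.
       if ! sshd -t >/dev/null 2>&1; then
         echo -e "\033[41;33;5m ERROR,Please To Check  \033[0m"
         exit 110
       fi
       case "$SysVer" in
         6)
           service sshd restart >/dev/null 2>&1
           PanDuan
           ;;
         7)
           systemctl restart sshd >/dev/null 2>&1
           PanDuan
           ;;
         *)
           echo -e "\033[41;33;5m System Version Error,Scripts only apply to Centos 6 and 7 versions \033[0m"
           exit 110
           ;;
       esac
     }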
    124 
    125 
    # OffIPv6: drop any existing net-pf-10 / ipv6 lines from /etc/modprobe.conf
    # and append two "alias ... off" lines in their place.
    # NOTE(review): whether the target release still reads /etc/modprobe.conf is
    # not visible here; confirm on the target that IPv6 is really disabled.
    OffIPv6() {
      local modprobe_conf=/etc/modprobe.conf

      clear
      echo "####################################"
      echo -e "\033[46;34;5m[      Shutdown IpV6 关闭IPv6      ]\033[0m"
      Jdt

      # Remove earlier entries so repeated runs do not pile up duplicates.
      sed -i '/.*net-pf-10.*/d' "$modprobe_conf"
      sed -i '/.*ipv6.*/d' "$modprobe_conf"
      printf '%s\n' "alias net-pf-10 off" "alias ipv6 off" >>"$modprobe_conf"
    }
    136 
    137 
    # OffSE: disable SELinux, persistently (config file) and for the running
    # system (setenforce 0).
    # Security note: this removes mandatory access control from the host. The
    # caller does not run PanDuan after this step, so a failing setenforce is
    # ignored.
    OffSE() {
      local selinux_conf=/etc/selinux/config

      clear
      echo "####################################"
      echo -e "\033[40;34;5m[         Shutdown selinux         ]\033[0m"
      Jdt

      # Rewrites "enforcing" to "disabled" on every line that mentions SELINUX.
      sed -i '/SELINUX/s/enforcing/disabled/' "$selinux_conf"
      setenforce 0 >/dev/null 2>&1
    }
    146 
    147 
    # OFFfirewalld: stop the host firewall and keep it from starting at boot
    # (iptables on CentOS 6, firewalld on CentOS 7).
    # Security note: afterwards every listening service is reachable unless
    # something upstream filters traffic.
    # Globals: SysVer (read). Exits 110 on any other release.
    OFFfirewalld() {
      clear
      echo "####################################"
      echo -e "\033[40;34;5m[        Shutdown Firewalld        ]\033[0m"
      Jdt

      if [ "$SysVer" = 6 ]; then
        service iptables stop >/dev/null 2>&1
        chkconfig iptables off >/dev/null 2>&1
      elif [ "$SysVer" = 7 ]; then
        systemctl stop firewalld >/dev/null 2>&1
        systemctl disable firewalld >/dev/null 2>&1
      else
        echo -e "\033[41;33;5m System Version Error,Scripts only apply to Centos 6 and 7 versions \033[0m"
        exit 110
      fi
    }
    169 
    170 
    # TimeLock: replace any ntpdate entry in root's crontab with one that syncs
    # against a fixed server every five minutes, then restart crond.
    # NOTE(review): the time source is a single hard-coded address; point it at a
    # server your organisation trusts before relying on these timestamps (for
    # example in log correlation).
    # Globals: SysVer (read). Exits 110 on any release other than 6 or 7.
    TimeLock() {
      local cron_file=/var/spool/cron/root

      clear
      echo "####################################"
      echo -e "\033[40;34;5m[        Configure TimeLock        ]\033[0m"
      Jdt

      # Drop older ntpdate lines first so reruns do not add duplicates.
      sed -i '/.*ntpdate.*/d' "$cron_file"
      printf '%s\n' "*/5    *    *    *    *    /usr/sbin/ntpdate 202.112.31.197 > /dev/null 2>&1" >>"$cron_file"

      if [ "$SysVer" = 6 ]; then
        service crond restart >/dev/null 2>&1
      elif [ "$SysVer" = 7 ]; then
        systemctl restart crond >/dev/null 2>&1
      else
        echo -e "\033[41;33;5m System Version Error,Scripts only apply to Centos 6 and 7 versions \033[0m"
        exit 110
      fi
    }
    191 
    192 
    # FileLimitsConf: append soft and hard nofile/nproc limits of 102400 for all
    # users ("*") to /etc/security/limits.conf.
    # NOTE(review): the nproc lines raise the per-user process cap for every
    # account, not only for service users.
    FileLimitsConf() {
      printf '%s\n' \
        "*           soft   nofile       102400" \
        "*           hard   nofile       102400" \
        "*           soft   nproc        102400" \
        "*           hard   nproc        102400" \
        >>/etc/security/limits.conf
    }
    201 
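    # LimitsFile: raise open-file and process limits via /etc/rc.local,
    # /etc/security/limits.conf (through FileLimitsConf), the limits.d nproc
    # drop-in and, on CentOS 7, the systemd defaults.
    # Globals: SysVer (read). Exits 110 on any release other than 6 or 7.
    LimitsFile() {
      local rc_hits limits_hits nproc_conf

      clear
      echo "#####################################"
      echo -e "\033[40;34;5m[       Configure LimitNumber       ]\033[0m"
      Jdt

      # grep -c prints nothing when the file is missing, so default to 0.
      rc_hits=$(grep -c ulimit /etc/rc.local 2>/dev/null)
      limits_hits=$(grep -c nofile /etc/security/limits.conf 2>/dev/null)

      if [ "${rc_hits:-0}" -lt 1 ]; then
        echo "ulimit -SHn 102400" >>/etc/rc.local
      fi

      # Fewer than two "nofile" lines is taken to mean the limits were not
      # appended yet.
      if [ "${limits_hits:-0}" -lt 2 ]; then
        FileLimitsConf
      fi

      case "$SysVer" in
        6)
          # The 1024 default this expression targets is shipped on CentOS 6 as
          # 90-nproc.conf (confirm on the target). Editing whichever drop-in
          # exists avoids a sed failure on a missing 20-nproc.conf, which the
          # caller's PanDuan check would turn into an abort.
          for nproc_conf in /etc/security/limits.d/90-nproc.conf \
            /etc/security/limits.d/20-nproc.conf; do
            [ -f "$nproc_conf" ] || continue
            sed -i 's/1024$/102400/' "$nproc_conf"
          done
          ;;
        7)
          sed -i 's/4096$/20480/' /etc/security/limits.d/20-nproc.conf
          sed -i 's/^#DefaultLimitNOFILE=.*/DefaultLimitNOFILE=100000/g' /etc/systemd/system.conf
          sed -i 's/^#DefaultLimitNPROC=.*/DefaultLimitNPROC=100000/g' /etc/systemd/system.conf
          ;;
        *)
          echo -e "\033[41;33;5m System Version Error,Scripts only apply to Centos 6 and 7 versions \033[0m"
          exit 110
          ;;
      esac
    }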
    235 
    236 
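    # KernelFile: replace /etc/sysctl.conf with a fixed tuning profile and load
    # it with "sysctl -p".
    # The previous file is overwritten, so a timestamped copy is kept next to it
    # first; exits 110 if that copy cannot be made.
    # Returns 0 even when "sysctl -p" rejects a key, because the closing echo
    # lines set the status; the caller's PanDuan check cannot see such a failure.
    #
    # NOTE(review): the profile is tuned for throughput, not hardening. The
    # rp_filter and accept_source_route lines set only the "default" scope, and
    # values such as tcp_fin_timeout = 1 are aggressive; review against your own
    # baseline before applying.
    KernelFile() {
      local note

      clear
      echo "#####################################"
      echo -e "\033[40;34;5m[          Optimize Kernel          ]\033[0m"
      Jdt

      # Keep whatever was configured before (site-specific settings included).
      if [ -s /etc/sysctl.conf ]; then
        if ! cp -p /etc/sysctl.conf "/etc/sysctl.conf.bak.$(date +%Y%m%d%H%M%S)"; then
          echo -e "\033[41;33;5m ERROR,Please To Check  \033[0m"
          exit 110
        fi
      fi

      printf '%s\n' \
        "net.ipv4.ip_forward = 0" \
        "net.ipv4.conf.default.rp_filter = 1" \
        "net.ipv4.conf.default.accept_source_route = 0" \
        "net.ipv4.conf.all.secure_redirects = 0" \
        "kernel.sysrq = 0" \
        "kernel.core_uses_pid = 1" \
        "net.ipv4.tcp_syncookies = 1" \
        "kernel.msgmnb = 65536" \
        "kernel.msgmax = 65536" \
        "kernel.shmmax = 68719476736" \
        "kernel.shmall = 4294967296" \
        "net.ipv4.tcp_max_tw_buckets = 6000" \
        "net.ipv4.tcp_sack = 1" \
        "net.ipv4.tcp_window_scaling = 1" \
        "net.ipv4.tcp_rmem = 4096 87380 4194304" \
        "net.ipv4.tcp_wmem = 4096 16384 4194304" \
        "net.core.wmem_default = 8388608" \
        "net.core.rmem_default = 8388608" \
        "net.core.rmem_max = 16777216" \
        "net.core.wmem_max = 16777216" \
        "net.core.netdev_max_backlog = 262144" \
        "net.core.somaxconn = 20480" \
        "net.ipv4.tcp_max_orphans = 3276800" \
        "net.ipv4.tcp_max_syn_backlog = 262144" \
        "net.ipv4.tcp_timestamps = 0" \
        "net.ipv4.tcp_synack_retries = 2" \
        "net.ipv4.tcp_syn_retries = 2" \
        "net.ipv4.tcp_tw_recycle = 0" \
        "net.ipv4.tcp_tw_reuse = 1" \
        "net.ipv4.tcp_mem = 94500000 915000000 927000000" \
        "net.ipv4.tcp_fin_timeout = 1" \
        "net.ipv4.tcp_keepalive_time = 30" \
        "net.ipv4.tcp_keepalive_probes=3" \
        "net.ipv4.tcp_orphan_retries=3" \
        "net.ipv4.ip_local_port_range = 1024 65500" \
        "" >/etc/sysctl.conf

      /sbin/sysctl -p
      # The reminder is deliberately printed three times, as before.
      for note in 1 2 3; do
        echo "内核优化的具体参数见上 如需修改请自行修改/etc/sysctl.conf文件"
      done
    }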
    288 
    289 
    # RootEmail: silence the "You have new mail" shell notice by adding
    # "unset MAILCHECK" to /etc/profile (older MAILCHECK lines are removed first).
    # Sourcing the profile at the end only affects this script's own shell;
    # sessions that are already open keep their setting until the next login.
    RootEmail() {
      local profile_file=/etc/profile

      clear
      echo "#######################################################"
      echo -e "\033[40;34;5m[ 禁止 You have new mail in /var/spool/mail/root 提示 ]\033[0m"
      Jdt

      sed -i '/.*MAILCHECK/d' "$profile_file"
      printf '%s\n' "unset MAILCHECK" >>"$profile_file"
      . "$profile_file"
    }
    299 
    300 
    301 #BieMing(){
    302 #
    303 #}
    304 
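    # HisTory: install a shell-level command log.
    #   * /var/log/Command/Command.log is created, owned by nobody, mode 002 and
    #     marked append-only (chattr +a);
    #   * /etc/profile gets a PROMPT_COMMAND that appends date, login info, user
    #     and the last history entry to that file after every command;
    #   * a weekly cron job runs a generated history.sh that rotates the log and
    #     deletes rotated files older than 30 days.
    # Globals: SysVer (read); file_path, file_name, ProFile, ComMand (written).
    # Exits 110 on an unsupported release or when /etc/profile fails to source.
    #
    # Security notes for anyone relying on this as an audit trail:
    #   * The log has to be writable by every user's shell (mode 002), so any
    #     local account can append arbitrary lines; entries are not authenticated.
    #   * PROMPT_COMMAND lives in the user's own environment, so a user can unset
    #     it or work in a shell that ignores it. Treat this as a convenience
    #     record; where accountability matters, kernel-level auditing (auditd) is
    #     the usual control.
    #   * Whole command lines are stored, including any secret typed as an
    #     argument.
    HisTory() {
      #history modify
      file_path="/var/log/Command"
      file_name="Command.log"
      # grep -c prints nothing when the file is missing; the tests below default
      # that to 0.
      ProFile=$(grep -c HISTORY_FILE /etc/profile 2>/dev/null)
      ComMand=$(grep -c history.sh /var/spool/cron/root 2>/dev/null)

      # Create the log file and lock down directory and file permissions.
      Group1() {
        touch "$file_path/$file_name"
        chown -R nobody:nobody "$file_path"
        chmod 001 "$file_path"
        chmod 002 "$file_path/$file_name"
        chattr +a "$file_path/$file_name"
      }
      # Append the logging hook to /etc/profile. The heredoc is unquoted on
      # purpose: the path is expanded now, everything escaped with a backslash
      # is written literally and evaluated later by each login shell.
      Group2() {
        cat >>/etc/profile <<EPP
export HISTORY_FILE=$file_path/$file_name
export PROMPT_COMMAND='{ date "+%y-%m-%d %T ## \$(who am i |awk "{print \\\$1,\\\$2,\\\$5}") ## \$(whoami) ## \$(history 1 | { read x cmd; echo "\$cmd"; })"; } >>\$HISTORY_FILE'
EPP
      }

      [ -d "$file_path" ] || mkdir -p "$file_path"
      [ -f "$file_path/$file_name" ] || Group1

      # Remove an earlier hook (both exported lines mention HISTORY_FILE) before
      # writing a fresh one, so reruns do not duplicate it.
      if [ "${ProFile:-0}" -ge 1 ]; then
        sed -i '/.*HISTORY_FILE.*/d' /etc/profile
      fi
      Group2

      if [ ! -f "$file_path/history.sh" ]; then
        # Generated rotation script. Stale files are collected before the
        # rotation and then handled one at a time with every path quoted: the
        # earlier unquoted "[ ! -z ... ]" test errored out as soon as more than
        # one old file matched, so nothing was ever cleaned up.
        cat >>"$file_path/history.sh" <<EOF
#!/bin/bash

#Time=\`date +%Y%m%d%H -d '-1 hours'\`
Time=\`date +%Y%m%d%H\`
logs_path="$file_path/"
logs_name="$file_name"
new_file="\$logs_path\$logs_name-\$Time"
old_files=()
while IFS= read -r -d '' stale
do
    old_files+=("\$stale")
done < <(find "\$logs_path" -mtime +30 -type f -name "Command.*" -print0)
chattr -a "\$logs_path\$logs_name"
mv "\$logs_path\$logs_name" "\$new_file"
chattr +a "\$new_file"
touch "\$logs_path\$logs_name"
chown -R nobody:nobody "\$logs_path\$logs_name"
chmod -R 002 "\$logs_path\$logs_name"
chattr +a "\$logs_path\$logs_name"
for old_file in "\${old_files[@]}"
do
    echo "delet \$old_file \$Time" >> /var/log/messages
    chattr -a "\$old_file"
    rm -rf "\$old_file"
done
EOF
        chmod 100 "$file_path/history.sh"
      fi

      if [ "${ComMand:-0}" -lt 1 ]; then
        echo "30 10 * * 6 /bin/bash $file_path/history.sh > /dev/null 2>&1" >>/var/spool/cron/root
      fi

      case "$SysVer" in
        6)
          service crond restart >/dev/null 2>&1
          ;;
        7)
          systemctl restart crond >/dev/null 2>&1
          ;;
        *)
          echo -e "\033[41;33;5m System Version Error,Scripts only apply to Centos 6 and 7 versions \033[0m"
          exit 110
          ;;
      esac

      # Only this script's shell picks the hook up here; sessions that are
      # already open start logging after their next login.
      if source /etc/profile; then
        echo "###########################################"
        echo -e "\033[40;31;5m 配置完成 命令审计文件位于:/var/log/Command/Command.log \033[0m"
      else
        echo -e "\033[41;33;5m ERROR,Please To Check  \033[0m"
        exit 110
      fi
    }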
    396 
    # Dispatch on the menu choice read at the top of the script.
    #   1: static network configuration, 2: system tuning, 3: command logging.
    case "$Nmb" in
      1)
        # Drop the persistent interface-naming rules before rewriting the config.
        rm -rf /etc/udev/rules.d/70-persistent-net.rules >/dev/null 2>&1
        echo "###########################################"
        read -p "Please Input IPAddress :" Ipa
        read -p "Please Input Netmask :" Ntm
        read -p "Please Input Gateway :" Gtw
        echo -e "\033[40;34;5m[ 配置中请稍候... 完成后请使用新地址 $Ipa 进行SSH登陆 ]\033[0m"
        echo "###########################################"
        if [ "$SysVer" = 6 ]; then
          C6NetWork
        elif [ "$SysVer" = 7 ]; then
          C7NetWork
        else
          echo -e "\033[41;33;5m System Version Error,Scripts only apply to Centos 6 and 7 versions \033[0m"
          exit 110
        fi
        ;;
      2)
        # The banner promises ten seconds to abort; the Jdt progress bar it refers
        # to sleeps 0.1 s per frame for 21 frames.
        echo -e "\033[40;31;5m以下配置均可在进度条处 有10秒时间 按Ctrl+C结束 请按需优化\033[0m"
        # Each step is followed by PanDuan, which aborts on a non-zero status.
        for step in OptSSH OffIPv6; do
          "$step"
          PanDuan
        done
        # SELinux is switched off without a status check (setenforce may
        # legitimately fail when it is already disabled).
        OffSE
        for step in OFFfirewalld TimeLock LimitsFile RootEmail KernelFile; do
          "$step"
          PanDuan
        done
        # NOTE(review): the summary lists seven items; the limits step
        # (LimitsFile) also ran but is not mentioned.
        printf '%s\n' \
          " #####################################" \
          " #####################################" \
          " 优化已完成 本次优化内容有:" \
          " 1、优化SSH服务" \
          " 2、关闭IPv6服务" \
          " 3、关闭Selinux 机制" \
          " 4、关闭iptables/firewalld" \
          " 5、设置时间同步" \
          " 6、优化内核参数" \
          " 7、关闭邮件提示"
        ;;
      3)
        echo -e "\033[46;31;5m 此审计会记录30天内所有终端执行过的所有命令 \033[0m"
        Jdt
        HisTory
        ;;
      *)
        echo -e "\033[41;33;5m Error, please check the first line variable \033[0m"
        exit 110
        ;;
    esac
  • 原文地址:https://www.cnblogs.com/cy0917/p/10167228.html