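#!/bin/bash
# optimize.sh - post-install initialisation for a CentOS 7.x host.
#
# Sets the root password, a static eth0 address, hostname and DNS, the yum
# mirrors, a base package set, timezone/NTP, ulimits, a per-login shell
# history archive, the login banner and the firewall state, then reboots.
#
# Must be run as root.  The root password is taken from the ROOT_PASSWD
# environment variable (a name chosen by this script) or prompted for; it is
# deliberately not stored in this file.
#
# Exit status: 1 on a fatal configuration step, 3 when the network check
# fails.  Best-effort steps only print a warning.

set -euo pipefail

# --- site configuration ---------------------------------------------------
NETIP=192.168.56.11
NETMASK=255.255.255.0
GATEWAY=192.168.56.2
PROTOBOOT=static
HOSTNAME=linux-node1.example.com
DNS1=192.168.56.2
NTPSERVER=ntp1.aliyun.com
YUMREPO=http://mirrors.aliyun.com/repo/Centos-7.repo
EPELREPO=http://mirrors.aliyun.com/repo/epel-7.repo
SSH_PORT=22122
# in case of some bad behaviours (used only by the disabled chattr section)
CHATTR=chenhao
# Open the port for iptables input (used only by the disabled iptables section)
PORTS=80,22,21,8088
# record the system user, ip address, shell command and detail
HISTDIR=/usr/etc/.history
IFCFG=/etc/sysconfig/network-scripts/ifcfg-eth0

# --- helpers --------------------------------------------------------------
# Print the success banner after a configuration step.
format() {
  # \033 is the ESC byte; echo -e with a literal "33[" would print garbage.
  printf ' \033[32m Success!!! \033[0m \n'
  echo "#########################################################"
}

# Print an error to stderr and stop; a half-configured box must not reboot.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Print a warning to stderr for steps whose failure is tolerable.
warn() {
  printf 'warning: %s\n' "$*" >&2
}

# the welcome info
cat << EOF
+------------------------------------------------------------------+
|        **********  Welcome to CentOS 7.x System init  ********** |
+------------------------------------------------------------------+
EOF

[[ $EUID -eq 0 ]] || die "please use root"

### change the root passwd
echo "set root passwd"
if [[ -z ${ROOT_PASSWD:-} ]]; then
  read -rsp 'new root password: ' ROOT_PASSWD
  echo
fi
PASSWD=$ROOT_PASSWD
# feed the password on stdin so it never appears in argv or a process list
printf '%s\n' "$PASSWD" | passwd --stdin root > /dev/null 2>&1 || die "passwd failed"
unset PASSWD ROOT_PASSWD
format

### change network setting
# GATEWAY lives here so the default route is persistent; the previous
# approach (a `route add` in /etc/profile.d) re-ran at every user login.
cat > "$IFCFG" <<EOF
TYPE=Ethernet
NAME=eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=$PROTOBOOT
IPADDR=$NETIP
NETMASK=$NETMASK
GATEWAY=$GATEWAY
DNS1=$DNS1
EOF
#systemctl restart network
format

# stop NetworkManager
systemctl stop NetworkManager || warn "could not stop NetworkManager"
systemctl disable NetworkManager || warn "could not disable NetworkManager"
format

### add route (for this session; the ifcfg GATEWAY makes it persistent)
ip route replace default via "$GATEWAY" || warn "could not set default route"
format

### change the hostname
echo "set hostname"
hostnamectl set-hostname "$HOSTNAME" || die "could not set hostname"
format

### change the dns
echo "set DNS"
printf 'nameserver %s\n' "$DNS1" > /etc/resolv.conf
#echo "nameserver $DNS2" >> /etc/resolv.conf
if ! ping -c 3 www.baidu.com > /dev/null 2>&1; then
  printf 'Network is unreachable\n' >&2
  exit 3
fi
format

### disable selinux
echo "disable selinux"
# /etc/sysconfig/selinux is a symlink to /etc/selinux/config; sed -i on the
# symlink would replace it with a regular file, so edit the target directly.
if command -v getenforce > /dev/null && [[ $(getenforce) != "Disabled" ]]; then
  setenforce 0 > /dev/null 2>&1 || warn "setenforce 0 failed"
  sed -i 's/^SELINUX=.*$/SELINUX=disabled/g' /etc/selinux/config
fi
format

### update yum repo
echo "set yum mirrors"
if [[ -f /etc/yum.repos.d/CentOS-Base.repo ]]; then
  mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
fi
# NOTE(review): the repo files are fetched over plain HTTP; a downloaded
# file that silently failed (HTML error page) used to be installed as-is.
# -f makes curl fail on HTTP errors; verify gpgcheck=1 in the fetched files
# before trusting packages from them.
curl -fsS -o /etc/yum.repos.d/CentOS-Base.repo "$YUMREPO" || die "could not fetch $YUMREPO"
curl -fsS -o /etc/yum.repos.d/epel.repo "$EPELREPO" || die "could not fetch $EPELREPO"
# `yum clean all` already drops the cache; moving /var/cache/yum to /tmp
# failed whenever /tmp/yum existed from an earlier run.
yum clean all > /dev/null 2>&1 || warn "yum clean all failed"
yum makecache > /dev/null 2>&1 || warn "yum makecache failed"
format

### install the basic command
yum install vim wget openssl-devel ntpdate make gcc-c++ ncurses-devel net-snmp \
  sysstat lrzsz zip unzip tree net-tools lftp -y \
  || warn "some base packages failed to install"
#yum -y groupinstall "Development Tools" "Server Platform Development" &> /dev/null
format

### change ssh port
#echo "set sshd"
#cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#sed -i s/"^Port 22"/"Port $SSH_PORT"/g /etc/ssh/sshd_config
#sed -i s/"^UseDNS yes"/"UseDNS no"/g /etc/ssh/sshd_config
#service sshd restart &> /dev/null

### lock the important file ($CHATTR -i to disable)
#echo "chattr files"
#chattr +i /etc/passwd
#chattr +i /etc/inittab
#chattr +i /etc/group
#chattr +i /etc/shadow
#chattr +i /etc/gshadow
#chattr +i /etc/resolv.conf
#chattr +i /etc/hosts
#chattr +i /etc/fstab
#mv /usr/bin/chattr /usr/bin/$CHATTR

### character set
echo "set LANG"
#sed -i s/"^LANG=.*$"/"LANG=zh_CN.UTF-8"/ /etc/locale.conf
#source /etc/locale.conf

### update timezone
echo "set ntptime"
# a symlink is idempotent; `cp` onto the existing symlink would fail because
# source and destination are the same file
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
ntpdate "$NTPSERVER" > /dev/null 2>&1 || warn "ntpdate $NTPSERVER failed"
# /etc/crontab needs a user field between the schedule and the command; the
# old line had none, so cron treated "/usr/sbin/ntpdate" as the user name.
# Append only once so repeated runs do not duplicate the job.
CRON_JOB="*/5 * * * * root /usr/sbin/ntpdate $NTPSERVER >/dev/null 2>&1"
if ! grep -qF -- "/usr/sbin/ntpdate $NTPSERVER" /etc/crontab; then
  printf '%s\n' "$CRON_JOB" >> /etc/crontab
fi
hwclock -w || warn "hwclock -w failed"
format

### set the system limit
echo "Set ulimit 65535"
cat << EOF > /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF
# NOTE(review): CentOS 7 normally ships 20-nproc.conf rather than
# 90-nproc.conf - confirm which file exists; sed -i on a missing file aborts.
if [[ -f /etc/security/limits.d/90-nproc.conf ]]; then
  sed -i 's/65535/1024000/g' /etc/security/limits.d/90-nproc.conf
fi
format

### system audit and troubleshooting
echo "set history"
# The hook body is written with a quoted heredoc so that $NF, $USER_IP,
# $LOGNAME and the date are evaluated at login time, not now; the unquoted
# heredoc used before baked in root's values and an empty awk field.
# Only HISTDIR is substituted at generation time.
{
  printf '# generated by optimize.sh: archive each login shell history\n'
  printf 'HISTDIR=%s\n' "$HISTDIR"
  cat <<'EOF'
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ -z "$USER_IP" ]; then
  USER_IP=$(hostname)
fi
if [ ! -d "$HISTDIR" ]; then
  mkdir -p "$HISTDIR"
  # sticky bit: every user may create their own directory but cannot
  # remove or rename another user's (the old mode 777 allowed that)
  chmod 1777 "$HISTDIR"
fi
if [ ! -d "$HISTDIR/$LOGNAME" ]; then
  mkdir -p "$HISTDIR/$LOGNAME"
  chmod 300 "$HISTDIR/$LOGNAME"
fi
export HISTSIZE=2000
DT=$(date +%Y%m%d_%H%M%S)
# NOTE: this relies on a cooperative shell; a user can still unset HISTFILE,
# so it is an audit aid, not a tamper-proof record
export HISTFILE="$HISTDIR/$LOGNAME/$USER_IP.history.$DT"
export HISTTIMEFORMAT="[%Y.%m.%d %H:%M:%S] "
chmod 600 "$HISTDIR/$LOGNAME"/*.history* 2>/dev/null
ulimit -SHn 65535
ulimit -SHu unlimited
ulimit -SHd unlimited
ulimit -SHm unlimited
ulimit -SHs unlimited
ulimit -SHt unlimited
ulimit -SHv unlimited
EOF
} > /etc/profile.d/system-audit.sh
# run the hook once now so the ulimits and history settings apply to this
# session as well; failures inside it are not fatal for the install
set +e
# shellcheck disable=SC1091
source /etc/profile.d/system-audit.sh
set -e
format

### show the system info
echo "Set login message."
echo "This is Product Server" > /etc/issue
format

### iptables setting
echo "set iptables"
# NOTE(review): firewalld is stopped but the iptables ruleset below stays
# commented out, so the host ends up with no packet filter at all; enable
# one of the two before exposing this machine beyond the lab network.
systemctl stop firewalld || warn "could not stop firewalld"
systemctl disable firewalld || warn "could not disable firewalld"
format
#iptables -F
#iptables -A INPUT -p tcp -m multiport --dports $SSH_PORT,$PORTS -j ACCEPT
#iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -P OUTPUT ACCEPT
#service iptables save &> /dev/null

# reboot the system after setting
reboot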