- A+
所属分类:Linux
vim sys.sh
#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
# Check if user is root
if [ $(id -u) != "0" ]; then
echo "Error: You must be root to run this script, please use root to optimization system"
exit 1
fi
#Install epel
yum install epel-release ntpdate yum-cron vim wget ncurses ncurses-devel git gcc -y
rm -f /etc/localtime;
sudo ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
ntpdate -u cn.pool.ntp.org
#/usr/sbin/ntpdate -u cn.ntp.org.cn >/dev/null 2>&1
#security update
sed -i 's/update_cmd = default/update_cmd = security/' /etc/yum/yum-cron.conf;
sed -i 's/apply_updates = no/apply_updates =yes/' /etc/yum/yum-cron.conf;
systemctl start yum-cron;
systemctl enable yum-cron;
#Password
sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS 60/" /etc/login.defs
sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN 8/" /etc/login.defs
chage -M 90 -W 15 root
#Configuration account
#sed -i "91a\futuremove ALL=(ALL) ALL" /etc/sudoers
#Modify SSH port
sed -i 's/#Port.*/Port 65322/' /etc/ssh/sshd_config;
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config;
#Close SElinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config && setenforce 0
#Add firewall rules
systemctl start firewalld
firewall-cmd --zone=public --add-port=65322/tcp --permanent;firewall-cmd --reload;
systemctl enable firewalld;
systemctl restart sshd
#Add Swap
dd if=/dev/zero of=/opt/swapfile bs=1024M count=8;
mkswap /opt/swapfile;
swapon /opt/swapfile;
chmod 600 /opt/swapfile;
echo /opt/swapfile swap swap defaults 0 0 >> /etc/fstab;
#User log
tee -a /etc/profile <<-'EOF'
PS1="`whoami`@`hostname`:"'[$PWD]'
PS1="\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@\h \[\e[36;40m\]\w\[\e[0m\]]\\$ "
history
USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
USER_IP=`hostname`
fi
if [ ! -d /tmp/dbasky ]
then
mkdir /tmp/dbasky
chmod 777 /tmp/dbasky
fi
if [ ! -d /tmp/dbasky/${LOGNAME} ]
then
mkdir /tmp/dbasky/${LOGNAME}
chmod 300 /tmp/dbasky/${LOGNAME}
fi
export HISTSIZE=4096
DT=`date "+%Y-%m-%d_%H:%M:%S"`
export HISTFILE="/tmp/dbasky/${LOGNAME}/${USER_IP} dbasky.$DT"
chmod 600 /tmp/dbasky/${LOGNAME}/*dbasky* 2>/dev/null
EOF
#Configuration enabled
source /etc/profile;
#Recycle
mkdir -p /data/.trash;
chmod 777 /data/.trash;
tee -a /etc/bashrc <<-'EOF'
if [ ! -d /data/.trash/${LOGNAME} ]
then
mkdir /data/.trash/${LOGNAME}
chmod 600 /data/.trash/${LOGNAME}
fi
alias rm=trash
alias rl='ls /data/.trash'
alias ur=undelfile
undelfile()
{
mv -i /data/.trash/$@ ./
}
trash()
{
cp $@ /data/.trash/;
/bin/rm -rf $@
}
cleartrash()
{
read -p "clear sure?[n]" confirm
[ $confirm == 'y' ] || [ $confirm == 'Y' ] && /bin/rm -rf /data/.trash/*
}
EOF
#Configuration enabled
#
source /etc/bashrc;
#Configuration net
tee -a /etc/sysctl.conf <<-'EOF'
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.ip_local_port_range = 1024 61000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv4.conf.lo.arp_announce=2
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.icmp_echo_ignore_all=1
EOF
#File restriction
tee -a /etc/security/limits.conf <<-'EOF'
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF
sed -i 's#4096#65535#g' /etc/security/limits.d/20-nproc.conf;
ulimit -u 65535;
#CV
git clone https://github.com/Xfennec/progress.git;
cd progress;
make && make install;
mv /usr/local/bin/progress /usr/local/bin/cv;
