脚本内容在文档的底部,将脚本后缀改为.sh,放到系统(CentOS6.X)里直接执行即可,有不能执行的麻烦告诉我,多谢!
#!/bin/bash
. /etc/init.d/functions
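# Re-run the script under root instead of just opening a root shell: a bare
# `su - root` returns here when that shell exits and the rest of the script
# would then run unprivileged and half-fail every step.
if [ "$UID" -ne 0 ]; then
  echo "you should change to root ,then run this script,please enter the root password:"
  script_path=$(readlink -f -- "$0") || exit 1
  exec su - root -c "/bin/bash '$script_path'"
fi
RETVAL=0
read -p "please enter your server ip:" SERVER_IP
# SERVER_IP is later spliced into a sed expression for sshd_config; accept only
# a dotted-quad so the edit cannot be corrupted by stray characters.
ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
if ! [[ "$SERVER_IP" =~ $ipv4_re ]]; then
  echo "invalid server ip: '$SERVER_IP'" >&2
  exit 1
fi
# Result log. It must be created after SERVER_IP is read (the old order
# expanded an empty variable), and mktemp is used so a pre-planted symlink
# in /tmp cannot redirect root's appends to another file.
DIR=$(mktemp "/tmp/result_${SERVER_IP}.XXXXXX") || exit 1
echo "results will be written to $DIR"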
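#######################################
# Append one "<step> is ok." / "<step> is false." line to the result log.
# Globals:   RETVAL (read) - exit status of the step just run
#            DIR (read)    - path of the result log
# Arguments: $1 - step name
#######################################
result() {
  if [ "$RETVAL" -eq 0 ]; then
    echo "$1 is ok." >> "$DIR"
  else
    echo "$1 is false." >> "$DIR"
  fi
}

#######################################
# Recreate the nginx service account with fixed uid/gid 501.
# An existing nginx user is removed first (-r also removes its home dir).
#######################################
create_user() {
  if id nginx >/dev/null 2>&1; then
    userdel -r nginx >/dev/null 2>&1
  fi
  groupadd -g 501 nginx >/dev/null 2>&1
  useradd -u 501 -r -g nginx -s /sbin/nologin nginx >/dev/null 2>&1
  RETVAL=$?
  result create_user
}

#######################################
# Add nosuid/noexec/nodev mount options to /tmp, /home and /var in /etc/fstab.
# Only entries whose option field is literally "defaults" are changed; a
# path that is not a separate mount is left untouched.
#######################################
fstab_opt() {
  sed -i \
    -e '/\/tmp/s/defaults/defaults,nosuid,noexec,nodev/' \
    -e '/\/home/s/defaults/defaults,nosuid,nodev/' \
    -e '/\/var/s/defaults/defaults,nosuid/' \
    /etc/fstab
  RETVAL=$?
  result fstab_opt
}

#######################################
# Set the timezone to Asia/Shanghai: comment out the existing clock file,
# prepend the ZONE line and copy the zoneinfo over /etc/localtime.
#######################################
time_opt() {
  sed -i 's#^#\##g' /etc/sysconfig/clock \
    && sed -i '1i ZONE="Asia/Shanghai"' /etc/sysconfig/clock \
    && cp -af /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
  RETVAL=$?
  result time_opt
}

#######################################
# Install a 5-minute ntpdate crontab for root.
# `crontab FILE` replaces root's whole crontab, so this must run before
# postfix_opt appends its own entry. A mktemp file replaces the old
# predictable /tmp/ntpdate path.
#######################################
ntp_opt() {
  local tmp
  tmp=$(mktemp) || { RETVAL=1; result ntp_opt; return; }
  echo "*/5 * * * * /usr/sbin/ntpdate time.sfbest.bj" > "$tmp" \
    && crontab "$tmp"
  RETVAL=$?
  rm -f -- "$tmp"
  result ntp_opt
}

#######################################
# Password ageing policy in /etc/login.defs: comment out the existing PASS_*
# lines and append the new values (plus one blank line, as before).
#######################################
passwd1_opt() {
  sed -i '/^PASS/ s#^#\##g' /etc/login.defs \
    && printf '%s\n' 'PASS_MAX_DAYS 180' 'PASS_MIN_DAYS 1' 'PASS_MIN_LEN 8' \
         'PASS_WARN_AGE 7' '' >> /etc/login.defs
  RETVAL=$?
  result passwd1_opt
}

#######################################
# Replace the pam_cracklib line in system-auth with a stricter one.
# Fixes vs. the original: `sed -ir` meant "in-place with backup suffix r"
# and left a stray /etc/pam.d/system-authr behind; the option names
# `ifok`/`dvredit` are not pam_cracklib options (they were silently
# ignored) and are now `difok`/`dcredit`.
#######################################
passwd2_opt() {
  sed -i '/pam_cracklib.so/ s#^.*$#password requisite pam_cracklib.so try_first_pass retry=3 type= difok=3 minlen=10 ucredit=-1 lcredit=-3 dcredit=-3 dictpath=/usr/share/cracklib/pw_dict#g' /etc/pam.d/system-auth
  RETVAL=$?
  result passwd2_opt
}

#######################################
# Add remember=3 (password history) to the pam_unix password line.
# If a remember= setting already exists it is logged instead of changed.
# The match allows tabs/multiple spaces and any hash keyword: the CentOS 6
# default line uses sha512, so the old literal "pam_unix.so md5" pattern
# could silently match nothing and still report ok.
#######################################
passwd3_opt() {
  if grep -q 'remember' /etc/pam.d/system-auth; then
    sed -n '/remember/p' /etc/pam.d/system-auth >> "$DIR"
  else
    sed -i '/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ s#$# remember=3#' /etc/pam.d/system-auth
  fi
  RETVAL=$?
  result passwd3_opt
}

#######################################
# Restrict ssh logins to the users listed in /etc/ssh/sshusers (only "sa"),
# add sa to wheel and require wheel for su.
# The account "sa" is never created by this script; with the listfile rule
# active and PermitRootLogin disabled by ssh_opt, a missing sa user means
# nobody can log in over ssh, so the step is skipped and reported instead.
# The allow list is written before the PAM rule is inserted; onerr=succeed
# additionally keeps sshd usable if the file ever goes missing.
#######################################
pamd_sshd_opt() {
  if ! id sa >/dev/null 2>&1; then
    echo "user sa does not exist; pamd_sshd_opt skipped to avoid ssh lockout." >> "$DIR"
    RETVAL=1
    result pamd_sshd_opt
    return
  fi
  echo sa > /etc/ssh/sshusers \
    && sed -i '/#%PAM-1.0/a\auth required pam_listfile.so item=user sense=allow file=/etc/ssh/sshusers onerr=succeed' /etc/pam.d/sshd \
    && usermod -a -G wheel sa \
    && sed -i '/^#auth.* use_uid$/a auth required pam_wheel.so use_uid' /etc/pam.d/su
  RETVAL=$?
  result pamd_sshd_opt
}

# Disabled by the author. Note: `find` exits 0 even when nothing matches, so
# the "-ne 0" test below would never detect a missing pam_tally2.so.
#pam_tally2_opt() {
#  find /lib* -name "pam_tally2.so" &>/dev/null
#  if [ $? -ne 0 ];then
#    echo "pam_tally2.so is no exsit." >> ${DIR}
#  else
#    grep 'pam_tally2.so' /etc/pam.d/sshd &>/dev/null
#    [ $? -eq 0 ] && sed -n '/pam_tally2.so/p' /etc/pam.d/sshd >> ${DIR} || sed -i '1a auth required pam_tally2.so deny=3 unlock_time=300' /etc/pam.d/sshd
#  fi
#  RETVAL=$?
#  result pam_tally2_opt
#}

#######################################
# sshd hardening: no root login, port 9880, bind to SERVER_IP, no DNS
# lookups, and a 300s idle timeout via TMOUT in /etc/profile.
# Globals: SERVER_IP (read) - spliced into a sed expression, so it is
#          re-validated here as a dotted-quad before use.
# The edits only rewrite the commented defaults ("#Port 22" etc.) and sshd is
# not restarted, so they take effect at the next sshd restart.
#######################################
ssh_opt() {
  local ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  if ! [[ "$SERVER_IP" =~ $ipv4_re ]]; then
    echo "invalid SERVER_IP '$SERVER_IP'; ssh_opt skipped." >> "$DIR"
    RETVAL=1
    result ssh_opt
    return
  fi
  sed -i 's#\#PermitRootLogin yes#PermitRootLogin no#g' /etc/ssh/sshd_config \
    && sed -i 's#\#Port 22#Port 9880#g' /etc/ssh/sshd_config \
    && sed -i "s#\#ListenAddress 0.0.0.0#ListenAddress ${SERVER_IP}#g" /etc/ssh/sshd_config \
    && sed -i 's#\#UseDNS yes#UseDNS no#g' /etc/ssh/sshd_config \
    && echo "export TMOUT=300" >> /etc/profile \
    && . /etc/profile
  RETVAL=$?
  result ssh_opt
}

#######################################
# Save the current login banner to the log, then blank /etc/issue and
# /etc/issue.net so the login prompt no longer shows OS/kernel details.
#######################################
issue_opt() {
  cat /etc/issue >> "$DIR" \
    && : > /etc/issue \
    && : > /etc/issue.net
  RETVAL=$?
  result issue_opt
}

#######################################
# Set the immutable bit on the account databases and inittab, then move
# chattr aside (the author's obscurity measure; the binary is still
# available as /etc/zchattr to clear the bit later).
# useradd/usermod/passwd fail while the bit is set, so this must run after
# create_user and pamd_sshd_opt.
#######################################
chattr_file_opt() {
  chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab \
    && mv /usr/bin/chattr /etc/zchattr \
    && echo "chattr moved to /etc/zchattr" >> "$DIR"
  RETVAL=$?
  result chattr_file_opt
}

#######################################
# Disable Ctrl-Alt-Del reboot by commenting out the exec line of the
# upstart job. Anchored to line start so a second run does not produce
# "##exec".
#######################################
ctr_opt() {
  sed -i 's#^exec#\#exec#' /etc/init/control-alt-delete.conf
  RETVAL=$?
  result ctr_opt
}

#######################################
# Limit shell history to 5 entries system-wide (author's setting).
#######################################
history_opt() {
  printf '%s\n' 'export HISTFILESIZE=5' 'export HISTSIZE=5' >> /etc/profile \
    && . /etc/profile
  RETVAL=$?
  result history_opt
}

#######################################
# Disable SELinux (config + runtime) and stop/disable iptables.
# setenforce returns non-zero when SELinux is already disabled; that is not
# treated as a failure, only the iptables part sets RETVAL.
#######################################
selinux_iptables_opt() {
  sed -i 's#^SELINUX=.*$#SELINUX=disabled#g' /etc/selinux/config \
    && setenforce 0 >/dev/null 2>&1
  /etc/init.d/iptables stop \
    && chkconfig iptables off
  RETVAL=$?
  result selinux_iptables_opt
}

#######################################
# Append the author's network/VM tuning to /etc/sysctl.conf and load it.
# Values are the author's; note tcp_tw_recycle is known to break clients
# behind NAT. `sysctl -p` exits non-zero if any key is unknown (e.g. the
# nf_conntrack keys when the module is not loaded), so "false" here may
# only mean one key was rejected while the rest were applied.
#######################################
sysctl_opt() {
  cat >> /etc/sysctl.conf <<'EOF'
net.ipv4.tcp_max_syn_backlog = 655350000
net.core.netdev_max_backlog = 327680000
net.core.somaxconn = 327680
net.core.wmem_default = 838860800
net.core.rmem_default = 838860800
net.core.rmem_max = 167772160
net.core.wmem_max = 167772160
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_max_tw_buckets = 180
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.ip_local_port_range = 1024 65535
vm.swappiness = 10
net.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_tcp_timeout_established = 300
EOF
  sysctl -p >/dev/null 2>&1
  RETVAL=$?
  result sysctl_opt
}

#######################################
# Raise the open-file and process limits via pam_limits config files.
# These files are read at login by pam_limits, not by sysctl, so RETVAL now
# reflects the writes themselves (the original took it from an unrelated
# `sysctl -p`).
#######################################
fs_file_opt() {
  printf '%s\n' '* soft nofile 65535' '* hard nofile 65535' >> /etc/security/limits.conf \
    && printf '%s\n' '* soft nproc 65535' '* hard nproc 65535' >> /etc/security/limits.d/90-nproc.conf
  RETVAL=$?
  result fs_file_opt
}

#######################################
# Replace all yum repos with the internal mirror.
# Written via a quoted heredoc so $releasever/$basearch stay literal and
# "[yum]" is not subject to globbing. `enable=1` was not a yum option and
# is now `enabled=1`. gpgcheck=0 is the author's choice for the mirror;
# packages from it are not signature-verified.
#######################################
yum_opt() {
  rm -rf /etc/yum.repos.d/*
  cat > /etc/yum.repos.d/yum.repo <<'EOF'
[yum]
name=yum
baseurl=http://yum.sfbest.bj/centos/$releasever/os/$basearch/
enabled=1
gpgcheck=0
EOF
  RETVAL=$?
  result yum_opt
}

#######################################
# Set the system locale to zh_CN.UTF-8.
#######################################
lang_opt() {
  sed -i 's#^LANG#\#LANG#g' /etc/sysconfig/i18n \
    && sed -i '1i LANG="zh_CN.UTF-8"' /etc/sysconfig/i18n
  RETVAL=$?
  result lang_opt
}

#######################################
# Disable every SysV service at all runlevels, then re-enable the base set
# at runlevels 2-5. Only the 8-field "name 0:off ... 6:off" lines are
# fed to chkconfig; the "xinetd based services:" header and its 2-field
# entries are skipped. RETVAL is non-zero if any re-enable failed.
#######################################
sys_server_opt() {
  local svc rc=0
  chkconfig --list | awk 'NF == 8 {print $1}' \
    | xargs -I {} chkconfig {} --level 0123456 off
  for svc in auditd crond irqbalance network psacct rsyslog sshd sysstat; do
    chkconfig --level 2345 "$svc" on || rc=$?
  done
  RETVAL=$rc
  result sys_server_opt
}

#######################################
# Install a monthly job that purges old postfix maildrop files.
# The entry is added through `crontab -` so the ntpdate line from ntp_opt
# is kept, instead of appending to /var/spool/cron/root directly.
#######################################
postfix_opt() {
  mkdir -p /server/scripts \
    && echo "tmpwatch -afv 30d /var/spool/postfix/maildrop/" > /server/scripts/delete_mail.sh \
    && { crontab -l 2>/dev/null; echo "00 00 01 * * /bin/sh /server/scripts/delete_mail.sh &>/dev/null"; } | crontab -
  RETVAL=$?
  result postfix_opt
}

#######################################
# Author's final cleanup: empties root's home (anything kept there,
# including this script if it was copied to /root, is removed) and makes
# /usr/bin/passwd root-only, which also drops its setuid bit so
# unprivileged users can no longer change their own password.
# Now reported through result() like every other step.
#######################################
other_opt() {
  rm -rf /root/*
  chmod 0700 /usr/bin/passwd
  RETVAL=$?
  result other_opt
}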
#######################################
# Run every hardening step in the fixed order the steps depend on
# (create_user before chattr_file_opt, ntp_opt before postfix_opt, ...).
#######################################
main() {
  local step
  for step in \
      create_user fstab_opt time_opt ntp_opt \
      passwd1_opt passwd2_opt passwd3_opt pamd_sshd_opt ssh_opt \
      issue_opt chattr_file_opt ctr_opt history_opt \
      selinux_iptables_opt sysctl_opt fs_file_opt \
      yum_opt lang_opt sys_server_opt postfix_opt other_opt; do
    "$step"
  done
}
main