#!/bin/bash ###Usage:Thisscriptusetoconfiglinuxsystem #获取IP地址172.16.100.100 outip=`ifconfigeth1|grepinet|cut-f2-d":"|cut-f1-d""|awk-F"."'{print$4}'` #定义系统主机名 hostname=dbbak$outip.mstuc.cn1 #修改yum源 #Changeyumsourcetomirrors.163.com mv-f/etc/yum.repos.d/CentOS-Base.repo/etc/yum.repos.d/CentOS-Base.repo.backup curl-shttp://mirrors.163.com/.help/CentOS6-Base-163.repo-o/etc/yum.repos.d/CentOS-Base.repo #添加第三方的yum源 #addthethird-partyrepo #addtheepel rpm-Uvhhttp://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm rpm--import/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 #addtherpmforge rpm-Uvhhttp://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm rpm--import/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag #生成yum缓存 yumcleanall yummakecache #安装一些常用的软件 yuminstall-ysysstatvimlrzszntptraceroutevixie-croncrontabslsofpcrepcre-develwgetopensslopenssl-develrsync #时间校正 #setntp /usr/sbin/ntpdatentp.api.bz echo"*/5****/usr/sbin/ntpdatentp.api.bz>/dev/null2>&1">>/var/spool/cron/root #setclock #校正硬件时钟bios里面的时间 hwclock--set--date="`date+%D\%T`" hwclock--hctosys #ulimit修改 #setulimit echo"ulimit-SHn102400">>/etc/rc.local cat>>/etc/security/limits.conf<<EOF *softnofile102400 *hardnofile102400 *softnproc102400 *hardnproc102400 EOF #禁止使用controlaltdelete重启服务器 #closectrl+alt+del sed-i's/exec\/sbin\/shutdown-rnow"Control-Alt-Deletepressed"/#exec\/sbin\/shutdown-rnow"Control-Alt-Deletepressed"/g'/etc/init/control-alt-delete.conf #修改运行级别,修改成默认为3 sed-i's/^id:5:initdefault:/id:3:initdefault:/'/etc/inittab #关闭所有的服务的开机启动,只打开部分需要的服务 ###serviceconfig foriin`chkconfig--list|awk'{print$1}'`;doecho$i;chkconfig$ioff;done foriinsshdnetworkcrondsysstatacpidirqbalanceiptablesrsyslogntpdate;dochkconfig$ion;done #添加系统需要的用户 ###Addnewuser. useraddlyp_hx echo'Hu0X!nG%12'|passwd--stdinlyp_hx chage-d0lyp_hx useradddeveloper echo'Hu0X!nG%12'|passwd--stdindeveloper chage-d0developer useraddxunge echo'Hu0X!nG%12'|passwd--stdinxunge chage-d0xunge useraddroke01 echo'Hu0X!nG%12'|passwd--stdinroke01 chage-d0roke01 #允许哪些用户有sudo的权限 chmodu+w/etc/sudoers echo-e"lyp_hxALL=(ALL)ALL\ndeveloperALL=(ALL)ALL">>/etc/sudoers echo-e"xungeALL=(ALL)ALL\nroke01ALL=(ALL)ALL">>/etc/sudoers chmodu-w/etc/sudoers #让所有的网卡开机自动启动 #networkstartwithsystem. sed-is/ONBOOT=no/ONBOOT=yes/g/etc/sysconfig/network-scripts/ifcfg-eth0 sed-is/ONBOOT=no/ONBOOT=yes/g/etc/sysconfig/network-scripts/ifcfg-eth1 #禁止使用密码登录 ###sshdconfig sed-is/"PasswordAuthenticationyes"/"PasswordAuthenticationno"/g/etc/ssh/sshd_config #添加ssh的密钥 [!-d/root/.ssh]&&mkdir-p/root/.ssh/ chmod700/root/.ssh/ echo"ssh-rsaAAAAB3NzaC1yc2EAAAABIwAAAQEAyVbaOb8yYSOfcfKXQo0zzOFlpUDAAxltM5lo44E0QG5IFtKe5NpUhl/3shOoS78SS6mfADF5+S+jyB/d32CwsG0M4P9ZcX4wt5vNrVuCyud3VF6qhYjuEx28T8L7EjGIHZdNto7mlc8nK2+juE4JxuMXwYknpb22zOR/j1DQcsysymvfgqsHVG2C0cyPCYffzO4baik68KSiyuECl2IQZtj611fHZkFk6jqxFUUav6vwXTBf/RCHYwo8l15IuiPK5YtHT0iLbbXOxlC8G24QAIaPU5FfX445qpd4iCwhYUIcGQAZXCXRwWCODUsTO/D6GtPB2fB1fnPTxUTkzQfe1Q==liyuanpeng@corp.the9.com ssh-rsaAAAAB3NzaC1yc2EAAAABIwAAAQEAr905kqmgZT3kTrUEwnoJJpq0ecSo1g8p4NIaklsxOzjBmwKfXcN0RkPKm5qDcanWtalY7OEiJYg1ZMhdGutaFuuVLxsjJJsh2n1vRPC9TYNMEGQ0i99lEEz1shRih5VfHvdsx+htt68GtrUJUxQVE9nlBox6NIqch9FmTxxmegHX/W1nRQ1ejcLw9T0bfwU7/6f37eM4jQ9B72hhZc6tpVFvfrQRCp5rPDZ6agGY9PzNkKldulLmZ5egHhhzA/4UX7L358QeSI7UNb2gkxITqIxM2HS8P8IG0gJb41RJwl4l0dGKfvi32tK1aICSntKF8Bozj4am+6QrpaUip6S6dw==developer ssh-rsaAAAAB3NzaC1yc2EAAAABIwAAAQEA4qV2CbFgB0rdEhYkfZYz3EcMy9mHBmPy8kxDw29RHqP5Pvx58fgHgDILdAoKQqpRDN7S4zTznPVJXt7atbGugWMdokG78du8K73CdNbB2NSl9l+XS3wdwQfeALgo+JX/NSuiDk0Zx9SSmfm10izix+4XJ+D5IjzsOrxrGbys3CbYyFx9bIuBN1at618gZezDB9bQaq0AL30w7D3qxp8s2V05s4t1Xngd5Kn1ZcK8327pAmipcHjpn7SDsH04suNdhCE7HJcrBIac2dfauw/90/mkhpA/58L6Hek6TRTPza7Y8+WVYe2RBLVZODmOym2gA9+qhcebVhgyUpAscXgOQQ==program ssh-rsaAAAAB3NzaC1yc2EAAAABIwAAAQEAxSo72gHJX+tkCze25v3xr16urGM04oHKNWyo5+5eSafeJS+Xl8pHNN4EV3a3tuMvZo1tBmziONqmUv13N8rv1D3rMbkYZAzu10vZi/8Id9UJCu6X15+4j+mga95k/RkYDNydxaMV72f6Zue/ZR6NaoXLYKuXdHXZmRbRE435tAepmbbuxNrdOzM8hdRvFFc4LmM1GBfc3vPDCwNz3+lpLYsO0qPpeT8aVg3vaLX7gLul+f0W+iHzPtdRiGm9U6EXvuRVhv1FEAVpB+hGJmM1L2ECY3s6aWbCNF4bFWFxwtTR8Ykvlq4ekL4DIVF1qY1/vMOG5hp0zPNYGx5i5Y4Ghw==roke001 ssh-rsaAAAAB3NzaC1yc2EAAAABIwAAAQEA34QAb/xi1Sme/YEBeuJrBW8hn1nIVSL03XiEcJacQO9VVkvKUdY8sXL9fUS2qFgFcFVj5GMI/7YCECp/PMAkox6LAs2+WbmfXgasK+aFWEY9Anop2qmrtvmtvMOy1cINB6fFC9UgXHFL7qm63h5OlZaRrXRzyf2G+LVnV+6vCzJuAO3vkeVzi6XTtrPhXIbh8HBmTFNCr2OQ1g5vX8IMpvhb60j6yY/CUlBbY2WktLPO7bPYOPat2GlrzPy4Ku2xITXnq3CwZnAfe2XTJ7kMG3Bp7YJhOhBV1fZ9VQNuOsodVRnMjNzgyftdZ/8Do5HMT66umos9MSI8f+zSWLoUBQ==xunge #key">/root/.ssh/authorized_keys #重启sshd /etc/init.d/sshdrestart #修改服务器的DNS ###setdnsserver echo-e"nameserver114.114.114.114\nnameserver8.8.8.8">/etc/resolv.conf #给一些自定义的脚本一些可执行权限 chmoda+x/opt/scripts/*.sh #关闭SELinux ###disableselinux sed-i's/SELINUX=enforcing/SELINUX=disalbed/g'/etc/selinux/config #把一些服务添加到开机启动 echo'bash/opt/zabbix/zabbix_agentd.sh'>>/etc/rc.local echo'bash/opt/scripts/firewall_kvm.sh'>>/etc/rc.local echo'cd/opt/scripts;nohup/opt/scripts/ssh_deny.sh&'>>/etc/rc.local #把hostname写到配置文件中 echo'NETWORKING=yes'>/etc/sysconfig/network echo"HOSTNAME=$hostname">>/etc/sysconfig/network #设置vim语法高亮 ##Setvim echo'Syntaxon'>/root/.vimrc #修改内核参数 ###sysctl cat>>/etc/sysctl.conf<<END net.ipv4.ip_forward=0 net.ipv4.conf.default.rp_filter=1 net.ipv4.conf.default.accept_source_route=0 kernel.sysrq=0 kernel.core_uses_pid=1 net.ipv4.tcp_syncookies=1 kernel.msgmnb=65536 kernel.msgmax=65536 kernel.shmmax=68719476736 kernel.shmall=4294967296 net.core.wmem_max=873200 net.core.rmem_max=873200 net.core.somaxconn=256 net.core.netdev_max_backlog=1000 net.ipv4.ip_local_port_range=500065000 net.ipv4.tcp_mem=78643210485761572864 net.ipv4.tcp_wmem=8192436600873200 net.ipv4.tcp_rmem=32768436600873200 net.ipv4.tcp_max_syn_backlog=2048 net.ipv4.tcp_retries2=5 net.ipv4.tcp_keepalive_time=1800 net.ipv4.tcp_keepalive_intvl=30 net.ipv4.tcp_keepalive_probes=3 net.ipv4.tcp_fin_timeout=30 net.ipv4.tcp_tw_reuse=1 net.ipv4.tcp_tw_recycle=1 net.ipv4.tcp_max_syn_backlog=8192 net.ipv4.tcp_max_tw_buckets=20000 net.ipv4.conf.lo.arp_ignore=1 net.ipv4.conf.lo.arp_announce=2 net.ipv4.conf.all.arp_ignore=1 net.ipv4.conf.all.arp_announce=2 END modprobebridge #让修改后的内核参数生效 /sbin/sysctl-p #添加执行命令的路径 #AddPATHenvironment. echo'exportPATH=$PATH:/opt/node/bin:/opt/node/lib/node_modules/npm/bin/node-gyp-bin:/opt/zabbix/bin:/opt/zabbix/sbin'>>/etc/profile #添加zabbix这个用户 /usr/sbin/groupaddzabbix /usr/sbin/useradd-gzabbixzabbix-s/sbin/nologin #重启 ###reboot sleep10 reboot
CentOS7初始化脚本,优化了CentOS6的脚本,将代码进行函数化。
#!/bin/bash
#CentOS7initialization
if[["$(whoami)"!="root"]];then
echo"pleaserunthisscriptasroot.">&2
exit1
fi
echo-e"\033[31mcentos7系统初始化脚本,请慎重运行!pressctrl+Ctocancel\033[0m"
sleep5
#updatesystempack
yum_update(){
yum-yinstallwget
cd/etc/yum.repos.d/
mkdirbak
mv./*.repobak
wget-O/etc/yum.repos.d/CentOS-Base.repohttp://mirrors.aliyun.com/repo/Centos-7.repo
wget-O/etc/yum.repos.d/epel.repohttp://mirrors.aliyun.com/repo/epel-7.repo
yumcleanall&&yummakecache
yum-yinstallnet-toolslrzszgccgcc-c++makecmakelibxml2-developenssl-develcurlcurl-develunzipsudontplibaio-develwgetvimncurses-develautoconfautomakezlib-develpython-develexpect
}
#setntp
zone_time(){
cp/usr/share/zoneinfo/Asia/Chongqing/etc/localtime
printf'ZONE="Asia/Chongqing"\nUTC=false\nARC=false'>/etc/sysconfig/clock
/usr/sbin/ntpdatepool.ntp.org
echo"*/5****/usr/sbin/ntpdatepool.ntp.org>/dev/null2>&1">>/var/spool/cron/root;chmod600/var/spool/cron/root
echo'LANG="en_US.UTF-8"'>/etc/sysconfig/i18n
source/etc/sysconfig/i18n
}
#setulimit
ulimit_config(){
echo"ulimit-SHn102400">>/etc/rc.local
cat>>/etc/security/limits.conf<<EOF
*softnofile102400
*hardnofile102400
*softnproc102400
*hardnproc102400
EOF
}
#setssh
sshd_config(){
sed-i's/^GSSAPIAuthenticationyes$/GSSAPIAuthenticationno/'/etc/ssh/sshd_config
sed-i's/#UseDNSyes/UseDNSno/'/etc/ssh/sshd_config
systemctlstartcrond
}
#setsysctl
sysctl_config(){
cp/etc/sysctl.conf/et/sysctl.conf.bak
cat>/etc/sysctl.conf<<EOF
net.ipv4.ip_forward=0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
kernel.sysrq=0
kernel.core_uses_pid=1
net.ipv4.tcp_syncookies=1
kernel.msgmnb=65536
kernel.msgmax=65536
kernel.shmmax=68719476736
kernel.shmall=4294967296
net.ipv4.tcp_max_tw_buckets=6000
net.ipv4.tcp_sack=1
net.ipv4.tcp_window_scaling=1
net.ipv4.tcp_rmem=4096873804194304
net.ipv4.tcp_wmem=4096163844194304
net.core.wmem_default=8388608
net.core.rmem_default=8388608
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.core.netdev_max_backlog=262144
net.core.somaxconn=262144
net.ipv4.tcp_max_orphans=3276800
net.ipv4.tcp_max_syn_backlog=262144
net.ipv4.tcp_timestamps=0
net.ipv4.tcp_synack_retries=1
net.ipv4.tcp_syn_retries=1
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_mem=94500000915000000927000000
net.ipv4.tcp_fin_timeout=1
net.ipv4.tcp_keepalive_time=1200
net.ipv4.ip_local_port_range=102465535
EOF
/sbin/sysctl-p
echo"sysctlsetOK!!"
}
#disableselinux
selinux_config(){
sed-i's@SELINUX=enforcing@SELINUX=disabled@g'/etc/selinux/config
setenforce0
}
iptables_config(){
systemctlstopfirewalld.servic
systemctldisablefirewalld.service
yuminstalliptables-services
cat>/etc/sysconfig/iptables<<EOF
#Firewallconfigurationwrittenbysystem-config-securitylevel
#Manualcustomizationofthisfileisnotrecommended.
*filter
:INPUTDROP[0:0]
:FORWARDACCEPT[0:0]
:OUTPUTACCEPT[0:0]
:syn-flood-[0:0]
-AINPUT-ilo-jACCEPT
-AINPUT-mstate--stateRELATED,ESTABLISHED-jACCEPT
-AINPUT-ptcp-mstate--stateNEW-mtcp--dport22-jACCEPT
-AINPUT-ptcp-mstate--stateNEW-mtcp--dport80-jACCEPT
-AINPUT-picmp-mlimit--limit100/sec--limit-burst100-jACCEPT
-AINPUT-picmp-mlimit--limit1/s--limit-burst10-jACCEPT
-AINPUT-ptcp-mtcp--tcp-flagsFIN,SYN,RST,ACKSYN-jsyn-flood
-AINPUT-jREJECT--reject-withicmp-host-prohibited
-Asyn-flood-ptcp-mlimit--limit3/sec--limit-burst6-jRETURN
-Asyn-flood-jREJECT--reject-withicmp-port-unreachable
COMMIT
EOF
/sbin/serviceiptablesrestart
}
main(){
yum_update
zone_time
ulimit_config
sysctl_config
sshd_config
selinux_config
iptables_config
}
main 原文链接:https://www.f2er.com/centos/376565.html