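#!/bin/bash
###
# Usage: one-shot CentOS 6 host initialisation. Run as root on a fresh
# install; the script reboots the machine when it is done.
#
# Steps, in order: derive the hostname from eth1's address, switch yum to
# the 163.com mirror and add EPEL / RPMforge, install base packages, sync
# time, raise ulimits, disable Ctrl-Alt-Del, default to runlevel 3, prune
# boot-time services, create admin users and their sudo rights, bring NICs
# up at boot, key-only sshd for root, DNS, SELinux, rc.local hooks, sysctl
# tuning, PATH, zabbix user, reboot.
#
# Every step is best-effort (no `set -e`), as in the original: a failing
# tool reports on stderr and the script carries on.
###

# Last octet of eth1's IPv4 address (e.g. 172.16.100.100 -> 100); it is
# only used to build the hostname below. Empty when eth1 has no IPv4.
# Matching on 'inet addr' (not plain 'inet') skips the inet6 line.
outip=$(ifconfig eth1 | grep 'inet addr' | cut -f2 -d":" | cut -f1 -d" " | awk -F"." '{print $4}')
if [[ -z "$outip" ]]; then
  echo "warning: could not read eth1's IPv4 address; hostname will lack the octet" >&2
fi

# System hostname, written to /etc/sysconfig/network further down.
# NOTE(review): the ".cn1" suffix is reproduced as written — confirm it is
# not a typo for ".cn".
hostname="dbbak${outip}.mstuc.cn1"

# --- yum: switch the base repo to mirrors.163.com, add EPEL and RPMforge ---
mv -f /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
curl -s http://mirrors.163.com/.help/CentOS6-Base-163.repo -o /etc/yum.repos.d/CentOS-Base.repo

# The release rpms are fetched over plain http and installed before their
# signing keys are imported, so rpm can only warn (NOKEY) rather than verify
# them; the keys imported afterwards protect the packages yum installs later,
# not these two downloads themselves.
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
rpm -Uvh http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag

# Rebuild the yum cache, then install the everyday tool set.
yum clean all
yum makecache
yum install -y sysstat vim lrzsz ntp traceroute vixie-cron crontabs lsof pcre pcre-devel wget openssl openssl-devel rsync

# --- time: one-off NTP sync, then every five minutes from root's crontab ---
/usr/sbin/ntpdate ntp.api.bz
echo "*/5 * * * * /usr/sbin/ntpdate ntp.api.bz > /dev/null 2>&1" >> /var/spool/cron/root
chmod 600 /var/spool/cron/root   # crond rejects world-readable spool files

# Push the (now correct) system time into the BIOS clock.
hwclock --set --date="$(date +%D\ %T)"
hwclock --hctosys

# --- ulimit: open files / processes for every login and for rc.local ---
echo "ulimit -SHn 102400" >> /etc/rc.local
cat >> /etc/security/limits.conf <<'EOF'
* soft nofile 102400
* hard nofile 102400
* soft nproc 102400
* hard nproc 102400
EOF

# --- disable Ctrl-Alt-Del reboot (comment out the upstart exec line) ---
# Anchored on ^exec so a second run does not turn "#exec" into "##exec".
sed -i 's|^exec /sbin/shutdown -r now "Control-Alt-Delete pressed"|#&|' /etc/init/control-alt-delete.conf

# --- default runlevel 3 (no X) ---
sed -i 's/^id:5:initdefault:/id:3:initdefault:/' /etc/inittab

# --- boot-time services: switch everything off, then re-enable the few
#     we need. chkconfig --list also prints an "xinetd based services:"
#     section whose rows have no runlevel columns; keeping only rows whose
#     second field looks like "0:off"/"0:on" skips those rows and the header.
for svc in $(chkconfig --list | awk '$2 ~ /^0:/ {print $1}'); do
  echo "$svc"
  chkconfig "$svc" off
done
for svc in sshd network crond sysstat acpid irqbalance iptables rsyslog ntpdate; do
  chkconfig "$svc" on
done

# --- admin users -----------------------------------------------------------
# Each account gets the same initial password and is immediately expired
# (chage -d 0) so its owner must pick a new one at first login.
# TODO: drop the literal default below — a shared initial password committed
# with the script is a credential leak; supply INITIAL_PASSWORD via the
# environment instead. The default only keeps existing invocations working.
default_password='Hu0X!nG%12'
initial_password=${INITIAL_PASSWORD:-$default_password}
admin_users=(lyp_hx developer xunge roke01)
for user in "${admin_users[@]}"; do
  useradd "$user"
  printf '%s\n' "$initial_password" | passwd --stdin "$user"
  chage -d 0 "$user"
done

# Grant the admin users full sudo. /etc/sudoers is read-only even for root,
# hence the chmod dance; visudo -c validates the result so a malformed line
# does not lock everyone out of sudo.
chmod u+w /etc/sudoers
printf '%s ALL=(ALL) ALL\n' "${admin_users[@]}" >> /etc/sudoers
chmod u-w /etc/sudoers
visudo -c || echo "warning: /etc/sudoers failed validation after edit" >&2

# --- network: bring both NICs up at boot ---
for nic in eth0 eth1; do
  sed -i 's/ONBOOT=no/ONBOOT=yes/g' "/etc/sysconfig/network-scripts/ifcfg-$nic"
done

# --- sshd: key-based login only ---
# Password logins are switched off, so the authorized_keys written below
# are the only way in over ssh after the restart. Note that the forced
# first-login password change above can then only happen on the console
# or via sudo, not through ssh.
sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config

# Root's authorized keys. The file is overwritten (>), not appended, so any
# key already present on the host is dropped. A trailing "#key" comment line
# is part of the original content and is kept.
mkdir -p /root/.ssh
chmod 700 /root/.ssh
cat > /root/.ssh/authorized_keys <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyVbaOb8yYSOfcfKXQo0zzOFlpUDAAxltM5lo44E0QG5IFtKe5NpUhl/3shOoS78SS6mfADF5+S+jyB/d32CwsG0M4P9ZcX4wt5vNrVuCyud3VF6qhYjuEx28T8L7EjGIHZdNto7mlc8nK2+juE4JxuMXwYknpb22zOR/j1DQcsysymvfgqsHVG2C0cyPCYffzO4baik68KSiyuECl2IQZtj611fHZkFk6jqxFUUav6vwXTBf/RCHYwo8l15IuiPK5YtHT0iLbbXOxlC8G24QAIaPU5FfX445qpd4iCwhYUIcGQAZXCXRwWCODUsTO/D6GtPB2fB1fnPTxUTkzQfe1Q== liyuanpeng@corp.the9.com
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr905kqmgZT3kTrUEwnoJJpq0ecSo1g8p4NIaklsxOzjBmwKfXcN0RkPKm5qDcanWtalY7OEiJYg1ZMhdGutaFuuVLxsjJJsh2n1vRPC9TYNMEGQ0i99lEEz1shRih5VfHvdsx+htt68GtrUJUxQVE9nlBox6NIqch9FmTxxmegHX/W1nRQ1ejcLw9T0bfwU7/6f37eM4jQ9B72hhZc6tpVFvfrQRCp5rPDZ6agGY9PzNkKldulLmZ5egHhhzA/4UX7L358QeSI7UNb2gkxITqIxM2HS8P8IG0gJb41RJwl4l0dGKfvi32tK1aICSntKF8Bozj4am+6QrpaUip6S6dw== developer
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4qV2CbFgB0rdEhYkfZYz3EcMy9mHBmPy8kxDw29RHqP5Pvx58fgHgDILdAoKQqpRDN7S4zTznPVJXt7atbGugWMdokG78du8K73CdNbB2NSl9l+XS3wdwQfeALgo+JX/NSuiDk0Zx9SSmfm10izix+4XJ+D5IjzsOrxrGbys3CbYyFx9bIuBN1at618gZezDB9bQaq0AL30w7D3qxp8s2V05s4t1Xngd5Kn1ZcK8327pAmipcHjpn7SDsH04suNdhCE7HJcrBIac2dfauw/90/mkhpA/58L6Hek6TRTPza7Y8+WVYe2RBLVZODmOym2gA9+qhcebVhgyUpAscXgOQQ== program
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxSo72gHJX+tkCze25v3xr16urGM04oHKNWyo5+5eSafeJS+Xl8pHNN4EV3a3tuMvZo1tBmziONqmUv13N8rv1D3rMbkYZAzu10vZi/8Id9UJCu6X15+4j+mga95k/RkYDNydxaMV72f6Zue/ZR6NaoXLYKuXdHXZmRbRE435tAepmbbuxNrdOzM8hdRvFFc4LmM1GBfc3vPDCwNz3+lpLYsO0qPpeT8aVg3vaLX7gLul+f0W+iHzPtdRiGm9U6EXvuRVhv1FEAVpB+hGJmM1L2ECY3s6aWbCNF4bFWFxwtTR8Ykvlq4ekL4DIVF1qY1/vMOG5hp0zPNYGx5i5Y4Ghw== roke001
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA34QAb/xi1Sme/YEBeuJrBW8hn1nIVSL03XiEcJacQO9VVkvKUdY8sXL9fUS2qFgFcFVj5GMI/7YCECp/PMAkox6LAs2+WbmfXgasK+aFWEY9Anop2qmrtvmtvMOy1cINB6fFC9UgXHFL7qm63h5OlZaRrXRzyf2G+LVnV+6vCzJuAO3vkeVzi6XTtrPhXIbh8HBmTFNCr2OQ1g5vX8IMpvhb60j6yY/CUlBbY2WktLPO7bPYOPat2GlrzPy4Ku2xITXnq3CwZnAfe2XTJ7kMG3Bp7YJhOhBV1fZ9VQNuOsodVRnMjNzgyftdZ/8Do5HMT66umos9MSI8f+zSWLoUBQ== xunge
#key
EOF
chmod 600 /root/.ssh/authorized_keys   # sshd ignores group/world-writable key files
/etc/init.d/sshd restart

# --- DNS resolvers ---
printf 'nameserver 114.114.114.114\nnameserver 8.8.8.8\n' > /etc/resolv.conf

# --- make the site scripts executable ---
chmod a+x /opt/scripts/*.sh

# --- SELinux off (fixes the original "disalbed" typo, which leaves the
#     config with a value SELinux does not recognise). This removes the
#     kernel's mandatory access control; kept because it is the script's
#     stated intent.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

# --- site daemons started from rc.local (appended after the ulimit line) ---
cat >> /etc/rc.local <<'EOF'
bash /opt/zabbix/zabbix_agentd.sh
bash /opt/scripts/firewall_kvm.sh
cd /opt/scripts; nohup /opt/scripts/ssh_deny.sh &
EOF

# --- persist the hostname ---
printf 'NETWORKING=yes\nHOSTNAME=%s\n' "$hostname" > /etc/sysconfig/network

# --- vim syntax highlighting for root ("Syntax" is not a vim command;
#     ex commands are case-sensitive, so the original line errored on load) ---
echo 'syntax on' > /root/.vimrc

# --- kernel parameters (appended; a second run duplicates the block) ---
# The original listed net.ipv4.tcp_max_syn_backlog twice (2048, then 8192);
# sysctl -p applies lines in order so 8192 won, and only that value is kept.
cat >> /etc/sysctl.conf <<'END'
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.core.wmem_max = 873200
net.core.rmem_max = 873200
net.core.somaxconn = 256
net.core.netdev_max_backlog = 1000
net.ipv4.ip_local_port_range = 5000 65000
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.tcp_wmem = 8192 436600 873200
net.ipv4.tcp_rmem = 32768 436600 873200
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 20000
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
END
# NOTE(review): tcp_tw_recycle=1 is known to drop connections from clients
# behind NAT; value kept as the author set it.
# NOTE(review): no net.bridge.* keys are set above, so this modprobe looks
# unnecessary for sysctl -p — confirm before removing.
modprobe bridge
/sbin/sysctl -p

# --- PATH for node and zabbix (single quotes: $PATH must stay literal) ---
echo 'export PATH=$PATH:/opt/node/bin:/opt/node/lib/node_modules/npm/bin/node-gyp-bin:/opt/zabbix/bin:/opt/zabbix/sbin' >> /etc/profile

# --- service account for the zabbix agent (no login shell) ---
/usr/sbin/groupadd zabbix
/usr/sbin/useradd -g zabbix zabbix -s /sbin/nologin

# --- reboot so the runlevel, SELinux and hostname changes take effect ---
sleep 10
reboot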
CentOS7初始化脚本,优化了CentOS6的脚本,将代码进行函数化。
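#!/bin/bash
# CentOS 7 initialization
#
# Run as root on a freshly installed host. main() runs, in order: yum
# mirrors and base packages, timezone / NTP / locale, ulimits, sysctl
# tuning, sshd tweaks, SELinux off, firewalld replaced by a static iptables
# rule set. Unlike the CentOS 6 variant this script does not reboot.
#
# Every step is best-effort (no `set -e`), matching the original; each tool
# reports its own failures on stderr and the script keeps going.

if [[ "$(whoami)" != "root" ]]; then
  echo "please run this script as root." >&2
  exit 1
fi

# Red banner, then a short grace period to abort with Ctrl-C.
printf '\033[31mcentos7 系统初始化脚本,请慎重运行! press ctrl+C to cancel\033[0m\n'
sleep 5

#######################################
# Replace the stock repos with the Aliyun CentOS 7 / EPEL mirrors and
# install the base tool chain. Old .repo files are kept in
# /etc/yum.repos.d/bak (mkdir -p so a re-run does not fail on the dir).
# Outputs: package manager output on stdout/stderr.
# Returns: 1 if /etc/yum.repos.d is not reachable, else the last yum status.
#######################################
yum_update() {
  yum -y install wget
  # Abort this step if the directory is missing; otherwise `mv ./*.repo`
  # would run against whatever the current directory happens to be.
  cd /etc/yum.repos.d/ || { echo "cannot cd to /etc/yum.repos.d" >&2; return 1; }
  mkdir -p bak
  mv ./*.repo bak
  # Plain-http fetch of the repo definitions; package signatures are still
  # checked by yum according to the gpgcheck setting inside those files.
  wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
  wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
  yum clean all && yum makecache
  yum -y install net-tools lrzsz gcc gcc-c++ make cmake libxml2-devel openssl-devel curl curl-devel unzip sudo ntp libaio-devel wget vim ncurses-devel autoconf automake zlib-devel python-devel expect
}

#######################################
# Timezone, NTP sync (once now, then every 5 minutes from root's crontab)
# and locale.
# /etc/sysconfig/clock and /etc/sysconfig/i18n are CentOS 6-era files that
# CentOS 7 itself does not read (it uses /etc/localtime and
# /etc/locale.conf); they are written as in the original for anything else
# that may still consult them.
#######################################
zone_time() {
  # On CentOS 7 /etc/localtime is a symlink into /usr/share/zoneinfo, so a
  # plain `cp` would write THROUGH the link and clobber the zone file it
  # points at. Replace the link instead.
  ln -sfn /usr/share/zoneinfo/Asia/Chongqing /etc/localtime
  printf 'ZONE="Asia/Chongqing"\nUTC=false\nARC=false' > /etc/sysconfig/clock
  /usr/sbin/ntpdate pool.ntp.org
  echo "*/5 * * * * /usr/sbin/ntpdate pool.ntp.org > /dev/null 2>&1" >> /var/spool/cron/root
  chmod 600 /var/spool/cron/root   # crond refuses a world-readable spool file
  echo 'LANG="en_US.UTF-8"' > /etc/sysconfig/i18n
  source /etc/sysconfig/i18n
}

#######################################
# Raise the open-file / process limits for rc.local and for every login.
# Appends, so a re-run duplicates the lines (harmless for these keys).
#######################################
ulimit_config() {
  echo "ulimit -SHn 102400" >> /etc/rc.local
  cat >> /etc/security/limits.conf <<'EOF'
* soft nofile 102400
* hard nofile 102400
* soft nproc 102400
* hard nproc 102400
EOF
}

#######################################
# sshd: turn off GSSAPI auth and reverse-DNS lookups (both only slow down
# logins here), then restart sshd so the edits actually take effect — the
# original edited the file but never reloaded the daemon. Existing ssh
# sessions survive a systemd restart of sshd. crond is started here as in
# the original so the cron entry from zone_time() is picked up.
#######################################
sshd_config() {
  sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
  sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
  systemctl restart sshd
  systemctl start crond
}

#######################################
# Replace /etc/sysctl.conf wholesale (backup kept as /etc/sysctl.conf.bak —
# the original wrote the backup to the non-existent /et/ directory) and
# apply it.
#######################################
sysctl_config() {
  cp /etc/sysctl.conf /etc/sysctl.conf.bak
  # NOTE(review): tcp_tw_recycle=1 is a no-op while tcp_timestamps=0 and is
  # known to break clients behind NAT; tcp_fin_timeout=1 and the *_retries=1
  # values are unusually aggressive. All kept as the author set them.
  cat > /etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65535
EOF
  /sbin/sysctl -p
  echo "sysctl set OK!!"
}

#######################################
# Disable SELinux: permanently via the config file and for the running
# kernel via setenforce. This drops the mandatory access control layer;
# kept because it is the script's stated intent.
#######################################
selinux_config() {
  sed -i 's@SELINUX=enforcing@SELINUX=disabled@g' /etc/selinux/config
  setenforce 0
}

#######################################
# Swap firewalld for the classic iptables service with a fixed rule set:
# default-DROP INPUT, loopback and established traffic allowed, new TCP to
# 22 and 80 allowed, rate-limited ICMP, everything else rejected.
# Fixes vs. the original: "firewalld.servic" typo (the stop never happened),
# `yum install` without -y (prompts, aborts when non-interactive), and the
# iptables unit is now *enabled* — otherwise the host came back from its next
# reboot with firewalld disabled and no rules loaded at all.
# NOTE(review): the syn-flood chain is only reached after ports 22/80 were
# already ACCEPTed, so it never limits the open services; SYNs to other
# ports are rejected by the final rule anyway. Ordering left as written
# since moving the chain up would throttle legitimate ssh/http at 3/sec.
#######################################
iptables_config() {
  systemctl stop firewalld.service
  systemctl disable firewalld.service
  yum -y install iptables-services
  cat > /etc/sysconfig/iptables <<'EOF'
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
  systemctl enable iptables.service
  systemctl restart iptables.service
}

#######################################
# Run every step in the original order.
#######################################
main() {
  yum_update
  zone_time
  ulimit_config
  sysctl_config
  sshd_config
  selinux_config
  iptables_config
}

main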