CentOS（6.8）linux生产环境若干优化实战

CentOS系统安装之后并不能立即投入生产环境使用，需要经过运维人员的优化才行。在此讲解几点关于Linux系统安装后的基础优化操作。

注意：不同版本5.x和6.x两者优化时会有些区别。

CentOS修改时区

echo ‘ZONE="Asia/Shanghai"‘ > /etc/sysconfig/clock

cp -f /usr/share/zoneinfo/Asia/Shanghai /etc/localtime 

优化条目：

1.   修改ip地址、网关、主机名、DNS等

2.   关闭selinux，清空iptables

3.   添加普通用户并进行sudo授权管理

4.   更新yum源及必要软件安装

5.   定时自动更新服务器时间

6.   精简开机自启动服务

7.   定时自动清理/var/spool/clientmqueue/目录垃圾文件，放置inode节点被占满

8.   变更默认的ssh服务端口，禁止root用户远程连接

9.   锁定关键文件系统

10. 调整文件描述符大小

11. 调整字符集，使其支持中文

12. 去除系统及内核版本登录前的屏幕显示

13. 内核参数优化

#!/bin/bash

#auth yeshanyang

#Centos install update impove

install_judge(){

if [[ "$(whoami)" != "root" ]]; then

    echo "please run this script as root !" >&2

    exit 1

fi

# 检查是否为64位系统，这个脚本只支持64位脚本

plantform=`uname -i`

version=`cat /etc/redhat-release |awk ‘{print $3}‘`

Version=`cat /etc/redhat-release`

echo -e "\033[31m YOU SYSTEM IS: $Version $plantform  \033[0m"

echo -e "\033[32m system initialization script, Please Seriously.Make sure that this your first install!!! press ctrl+C to cancel \033[0m"

if [ $plantform != "x86_64" ];then

    echo -e "\033[32m the script only Support CentOS_6.6 x86_64 \033[0m"

    exit 1

fi

echo "The Platform is ok"

if [ $version != "6.6" ];then

echo -e "\033[32m the script only Support CentOS_6.6 x86_64 \033[0m"

exit 1

fi

sleep 3

# 按Y继续默认N，其他按键全部退出 #

yn="n"

echo -ne "\033[32m IF you want to install ,please input [Y](default [N]) \033[0m"

read yn

if [ "$yn" != "y" -a "$yn" != "Y" ]; then

   echo "bye-bye!"

   exit 0

else

echo -e "\033[32m START TO INSTALL............ \033[0m"

fi

}

input_fun()

{

    OUTPUT_VAR=$1

    INPUT_VAR=""

    while [ -z $INPUT_VAR ];do

        read -p "$OUTPUT_VAR" INPUT_VAR

    done

    echo $INPUT_VAR

}

input_again()

{

MYHOSTNAME=$(input_fun "please input the hostname:")

DOMAINNAME=$(input_fun "please input the domainname:")

CARD_TYPE=$(input_fun "please input the card above you want to change:")

IPADDR=$(input_fun "please input ip address(192.168.100.1):")

NETMASK=$(input_fun "please input netmask(255.255.255.0):")

GATEWAY=$(input_fun "please input gateway(192.168.100.1):")

MYDNS1=$(input_fun "please input DNS1(192.168.1.21):")

MYDNS2=$(input_fun "please input DNS2(8.8.8.8):")

}

network_change()

{

ifconfig -a

cat << EOF

+-------------------------------------------------+

|       查看当前网络IP信息，然后设置具体ip        |

+-------------------------------------------------+

EOF

input_again

MAC=$(ifconfig $CARD_TYPE | grep "HWaddr" | awk -F[" "]+ ‘{print $5}‘)

#修改成固定ip

sed -i ‘s/BOOTPROTO=dhcp/BOOTPROTO=static/g‘ /etc/sysconfig/network-scripts/ifcfg-$CARD_TYPE 

cat >>/etc/sysconfig/network-scripts/ifcfg-$CARD_TYPE <<ENDF

IPADDR=$IPADDR

NETMASK=$NETMASK

GATEWAY=$GATEWAY

ENDF

cat >/etc/hosts <<ENDF

127.0.0.1 $MYHOSTNAME $MYHOSTNAME.$DOMAINNAME localhost

$IPADDR $MYHOSTNAME $MYHOSTNAME.$DOMAINNAME  localhost

ENDF

cat >/etc/resolv.conf <<ENDF

domain $DOMAINNAME 

search $DOMAINNAME 

nameserver $MYDNS1 

nameserver $MYDNS2 

ENDF

}

#关闭系统不用的服务

#隐藏版本信息：（隐藏前cat /etc/issue）

safe_change()

{

> /etc/issue  

>/etc/issue.net

#保护系统关键文件

for server in `chkconfig --list |grep 3:on|awk ‘{ print $1}‘`

do

    chkconfig --level 3 $server off

done

for server in crond network rsyslog sshd ntpd 

do

   chkconfig --level 3 $server on

done

#增加用户并sudo提权

user_add

chmod +w /etc/sudoers

echo "$USERNAME        ALL=(ALL)     ALL" >>/etc/sudoers

chmod -w /etc/sudoers

#禁用root账号直接登录

#系统关键文件，加锁，操作时需要解锁（-i）

#chattr +i  /etc/passwd  /etc/shadow  /etc/group /etc/gshadow /etc/inittab 

#chattr -i  /etc/passwd  /etc/shadow  /etc/group /etc/gshadow /etc/inittab 

}

user_add()

{

    USERNAME=$(input_fun "please input new user name:")

    useradd $USERNAME

    passwd $USERNAME

}

#更新YUM源，epel源和rpm源 repo

yum_update()

{

if [ ! -e "/etc/yum.repos.d/bak" ]; then

    mkdir /etc/yum.repos.d/bak

    mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/bak/CentOS-Base.repo.backup

fi

#add

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo

#wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

#wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.sohu.com/help/CentOS-Base-sohu.repo

#wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.163.com/.help/CentOS6-Base-163.repo

########### 安装epel#add the third-party repo

#rpm -Uvh http://download.Fedora.RedHat.com/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm 

rpm -Uvh  http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 

#add the rpmforge

rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag

yum clean all && yum makecache

#yum -y groupinstall "Development Tools" "Server Platform Development" "Desktop Platform Development"

yum -y install vim wget man ntp redhat-lsb unzip  gcc gcc-c++

yum -y update glibc\*

yum -y update yum\* rpm\* python\* 

#服务器OpenSSL 1.0.1f，请务必立即升级到OpenSSL 1.0.1g或以上版本解决openssl heartbleed漏洞

#查看版本是否有更新

# rpm -q --changelog openssl-1.0.1e | grep CVE-2014-0160

#### - fix CVE-2014-0160 - information disclosure in TLS（说明已经修复了漏洞）

wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz 

tar zxvf openssl-1.0.1g.tar.gz 

cd openssl-1.0.1g 

./config 

make && make install 

#yum install openssl-client

yum -y update

echo -e "\033[31m yum update ok \033[0m"

#OPENSSLV=·openssl version· 

#if (&OPENSSLV = 1);then

# yum install lsof -y

#fi

sleep 1

}

####设置初始时间

zone_time()

{

yum -y install ntp

if [ `date +%z` != "+0800" ]; then

    rm -rf /etc/localtime

    ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

cat > /etc/sysconfig/clock<<ENDF

ZONE="Asia/Shanghai"

UTC=false

ARC=false

ENDF

fi

echo "Present time zone:"`date +%z`

cat /etc/sysconfig/clock

echo -e "\033[31m time zone ok \033[0m"

sleep 1

# set time

echo "update time please wait!"

/usr/sbin/ntpdate 0.centos.pool.ntp.org && /sbin/hwclock -w

cat >> /var/spool/cron/root << EOF

*/5 * * * * /usr/sbin/ntpdate 0.centos.pool.ntp.org > /dev/null 2>&1

* * * * */1 /usr/sbin/hwclock -w > /dev/null 2>&1

EOF

chmod 600 /var/spool/cron/root

/sbin/service crond restart

sed -i ‘s/^server 1.centos.pool.ntp.org/server 0.cn.pool.ntp.org/g‘ /etc/ntp.conf

echo -e "\033[31m time zone ok \033[0m"

sleep 1

}

limits_config()

{

######优化系统文件描述符，默认系统分配的很少1024个，以后会不够用

sed -i "/^ulimit -SHn.*/d" /etc/rc.local

echo "ulimit -SHn 102400" >> /etc/rc.local

sed -i "/^ulimit -s.*/d" /etc/profile

sed -i "/^ulimit -c.*/d" /etc/profile

sed -i "/^ulimit -SHn.*/d" /etc/profile

cat >> /etc/profile << EOF

ulimit -c unlimited

ulimit -s unlimited

ulimit -SHn 102400

EOF

source /etc/profile

ulimit -a

cat /etc/profile | grep ulimit

echo -e "\033[31m hosts ok \033[0m"

if [ ! -f "/etc/security/limits.conf.bak" ]; then

    cp /etc/security/limits.conf /etc/security/limits.conf.bak

fi

sed -i "/^*.*soft.*nofile/d" /etc/security/limits.conf

sed -i "/^*.*hard.*nofile/d" /etc/security/limits.conf

sed -i "/^*.*soft.*nproc/d" /etc/security/limits.conf

sed -i "/^*.*hard.*nproc/d" /etc/security/limits.conf

cat >> /etc/security/limits.conf << EOF

#

#---------custom-----------------------

#

*           soft   nofile       65535

*           hard   nofile       65535

*           soft   nproc        65535

*           hard   nproc        65535

EOF

cat /etc/security/limits.conf | grep "^*           .*"

echo -e "\033[31m limits ok \033[0m"

sleep 1

}

#######内核调优，tune kernel parametres

sysctl_config(){

if [ ! -f "/etc/sysctl.conf.bak" ]; then

    cp /etc/sysctl.conf /etc/sysctl.conf.bak

fi

#delete

sed -i "/^net.ipv4.ip_forward/d" /etc/sysctl.conf

sed -i "/^net.ipv4.conf.default.rp_filter/d" /etc/sysctl.conf

sed -i "/^net.ipv4.conf.default.accept_source_route/d" /etc/sysctl.conf

sed -i "/^kernel.sysrq/d" /etc/sysctl.conf

sed -i "/^kernel.core_uses_pid/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_syncookies/d" /etc/sysctl.conf

sed -i "/^kernel.msgmnb/d" /etc/sysctl.conf

sed -i "/^kernel.msgmax/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_max_tw_buckets/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_sack/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_window_scaling/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_rmem/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_wmem/d" /etc/sysctl.conf

sed -i "/^net.core.wmem_default/d" /etc/sysctl.conf

sed -i "/^net.core.rmem_default/d" /etc/sysctl.conf

sed -i "/^net.core.rmem_max/d" /etc/sysctl.conf

sed -i "/^net.core.wmem_max/d" /etc/sysctl.conf

sed -i "/^net.core.netdev_max_backlog/d" /etc/sysctl.conf

sed -i "/^net.core.somaxconn/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_max_orphans/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_max_syn_backlog/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_timestamps/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_synack_retries/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_syn_retries/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_tw_recycle/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_tw_reuse/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_mem/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_fin_timeout/d" /etc/sysctl.conf

sed -i "/^net.ipv4.tcp_keepalive_time/d" /etc/sysctl.conf

sed -i "/^net.ipv4.ip_local_port_range/d" /etc/sysctl.conf

#sed -i "/^net.ipv4.tcp_tw_len/d" /etc/sysctl.conf

#add

cat >> /etc/sysctl.conf << EOF

#

#

#-------custom---------------------------------------------

#

net.ipv4.ip_forward = 0

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.default.accept_source_route = 0

kernel.sysrq = 0

kernel.core_uses_pid = 1

net.ipv4.tcp_syncookies = 1

kernel.msgmnb = 65536

kernel.msgmax = 65536

net.ipv4.tcp_max_tw_buckets = 6000

net.ipv4.tcp_sack = 1

net.ipv4.tcp_window_scaling = 1

net.ipv4.tcp_rmem = 4096    87380   4194304

net.ipv4.tcp_wmem = 4096    16384   4194304

net.core.wmem_default = 8388608

net.core.rmem_default = 8388608

net.core.rmem_max = 16777216

net.core.wmem_max = 16777216

net.core.netdev_max_backlog = 262144

net.core.somaxconn = 262144

net.ipv4.tcp_max_orphans = 3276800

net.ipv4.tcp_max_syn_backlog = 262144

net.ipv4.tcp_timestamps = 0

#net.ipv4.tcp_synack_retries = 1

net.ipv4.tcp_synack_retries = 2

#net.ipv4.tcp_syn_retries = 1

net.ipv4.tcp_syn_retries = 2

net.ipv4.tcp_tw_recycle = 1

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_mem = 94500000 915000000 927000000

#net.ipv4.tcp_fin_timeout = 1

net.ipv4.tcp_fin_timeout = 15

net.ipv4.tcp_keepalive_time = 30

net.ipv4.ip_local_port_range = 1024    65535

#net.ipv4.tcp_tw_len = 1

#net.ipv4.route.gc_timeout = 100

EOF

#buckets

echo 6000 > /proc/sys/net/ipv4/tcp_max_tw_buckets

#delete

sed -i "/^kernel.shmmax/d" /etc/sysctl.conf

sed -i "/^kernel.shmall/d" /etc/sysctl.conf

#add

shmmax=`free -l |grep Mem |awk ‘{printf("%d\n",$2*1024*0.9)}‘`

shmall=$[$shmmax/4]

echo "kernel.shmmax = "$shmmax >> /etc/sysctl.conf

echo "kernel.shmall = "$shmall >> /etc/sysctl.conf

#bridge

modprobe bridge

lsmod|grep bridge

#reload sysctl

/sbin/sysctl -p

echo -e "\033[31m sysctl ok \033[0m"

sleep 1

}

#关闭 control-alt-delete to guard against the miSUSE

set_key()

{

sed -i ‘s#^exec /sbin/shutdown -r now#\#exec /sbin/shutdown -r now#‘ /etc/init/control-alt-delete.conf

cat /etc/init/control-alt-delete.conf | grep /sbin/shutdown

echo -e "\033[31m control-alt-delete ok \033[0m"

sleep 1

}

#disable selinux

selinux()

{

sed -i ‘s/SELINUX=enforcing/SELINUX=disabled/‘ /etc/selinux/config

setenforce 0

echo -e "\033[31m selinux ok \033[0m"

sleep 1

}

#禁止ping

#echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all

ssh_GSS()

{

#sed -i ‘/^#Port/s/#Port 22/Port 65535/g‘ /etc/ssh/sshd_config

#iptables -A INPUT -p tcp --dport 65535 -j ACCEPT

#sed -i ‘s/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/‘ /etc/ssh/sshd_config

sed -i ‘/^#UseDNS/s/#UseDNS yes/UseDNS no/g‘ /etc/ssh/sshd_config

sed -i ‘s/#UseDNS yes/UseDNS no/‘ /etc/ssh/sshd_config

sed -i ‘s/#PermitRootLogin yes/PermitRootLogin no/g‘ /etc/ssh/sshd_config

sed -i ‘s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g‘ /etc/ssh/sshd_config

/etc/init.d/sshd restart

cat /etc/ssh/sshd_config | grep -i usedns

cat /etc/ssh/sshd_config | grep -i PermitEmptyPasswords

echo -e "\033[31m sshd ok \033[0m"

sleep 1

}

####用户环境修改，vim等,无法回退删除，显示行等，define the backspace button can erase the last character typed

backspace_button(){

sed -i "/^stty erase ^H/d" /etc/profile

echo ‘stty erase ^H‘ >> /etc/profile

sed -i "/^syntax.*/d" /root/.vimrc

echo "syntax on" >> /root/.vimrc

#cat >> /root/.vimrc << EOF

#syntax on

#set nu 

#set showmode

#set ruler

#set autoindent

#EOF

echo -e "\033[31m backspace ok \033[0m"

cat /etc/profile | grep -i "stty erase ^H"

cat /root/.vimrc | grep -i "syntax"

sleep 1

}

stop_crond(){

if [ ! -e "/etc/cron.daily.bak" ]; then

    mkdir /etc/cron.daily.bak

    mv /etc/cron.daily/makewhatis.cron /etc/cron.daily.bak > /dev/null 2>&1

    mv /etc/cron.daily/mlocate.cron /etc/cron.daily.bak > /dev/null 2>&1

fi

echo -e "\033[31m crond ok \033[0m"

sleep 1

}

dissable_service(){

chkconfig bluetooth off > /dev/null 2>&1

chkconfig cups off  > /dev/null 2>&1

chkconfig ip6tables off  > /dev/null 2>&1

for server in `chkconfig --list |grep 3:on|awk ‘{ print $1}‘`

do

    chkconfig --level 3 $server off

done

for server in crond network rsyslog sshd

do

   chkconfig --level 3 $server on

done

chkconfig | grep -E "cups|ip6tables|bluetooth"

echo -e "\033[31m service ok \033[0m"

sleep 1

}

#disable the ipv6

stop_ipv6(){

cat > /etc/modprobe.d/ipv6.conf << EOFI

#

#---------------custom-----------------------

#

alias net-pf-10 off

options ipv6 disable=1

EOFI

sed -i "/^NETWORKING_IPV6.*/d" /etc/sysconfig/network

echo "NETWORKING_IPV6=off" >> /etc/sysconfig/network

cat /etc/sysconfig/network | grep NETWORKING_IPV6

echo -e "\033[31m ipv6 ok \033[0m"

sleep 1

}

#language..

inittab(){

if [ -z "$(cat /etc/redhat-release | grep ‘6\.‘)" ];then

    sed -i ‘s/3:2345:respawn/#3:2345:respawn/g‘ /etc/inittab

    sed -i ‘s/4:2345:respawn/#4:2345:respawn/g‘ /etc/inittab

    sed -i ‘s/5:2345:respawn/#5:2345:respawn/g‘ /etc/inittab

    sed -i ‘s/6:2345:respawn/#6:2345:respawn/g‘ /etc/inittab

    sed -i ‘s/ca::ctrlaltdel/#ca::ctrlaltdel/g‘ /etc/inittab

    sed -i ‘s@LANG=.*$@LANG="en_US.UTF-8"@g‘ /etc/sysconfig/i18n

else

    sed -i ‘s@^ACTIVE_CONSOLES.*@ACTIVE_CONSOLES=/dev/tty[1-2]@‘ /etc/sysconfig/init

    sed -i ‘s@^start@#start@‘ /etc/init/control-alt-delete.conf

fi

/sbin/init q

#locale

echo $LANG

echo -e "\033[31m inittab ok \033[0m"

sleep 1

}

# iptables

iptables(){

#add iptables

yum -y install iptables

#iptables conf bak

if [ ! -e "/etc/sysconfig/iptables.bak" ]; then

    cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak > /dev/null 2>&1

fi

#add config

cat > /etc/sysconfig/iptables << EOF

# Firewall configuration written by system-config-securitylevel

# Manual customization of this file is not recommended.

# 防火墙规则有先后顺序，修改前请测试确定后更改

*filter

:INPUT DROP [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

:syn-flood - [0:0]

#RELATED,ESTABLISHED

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#io

-A INPUT -i lo -j ACCEPT

#ping

-A INPUT -p icmp -j ACCEPT

#redis

#-A INPUT -p tcp -m tcp --dport 6379 -j ACCEPT

#-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6379 -j ACCEPT

#mysql

#-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

#-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT

#memcache

#-A INPUT -p tcp -m tcp --dport 11211 -j ACCEPT

#-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 11211 -j ACCEPT

#php

#-A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT

#-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 9000 -j ACCEPT

#ssh

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

#-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name SSH --rsource -j DROP

#-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT

#http  500 * 90%  需要限制情况下可以取消第一行注释

#-A INPUT -p tcp -m tcp --dport 80 -m connlimit --connlimit-above 500 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable

-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

#https 500 * 90% 需要限制情况下可以取消第一行注释

#-A INPUT -p tcp -m tcp --dport 443 -m connlimit --connlimit-above 500 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable

-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

#---service--------------------------------------------------

#DNS 安装DNS服务器后需要打开

#-A INPUT -p udp --sport 53  -j ACCEPT

#ntp 配置ntp服务器时候需要打开

#-A INPUT -p udp --sport 123 -j ACCEPT

#对外访问，比如api接口 需要结合OUTPUT DROP 全部关闭情况下才需要打开，这种限制非常严格情况下才配置

#-A OUTPUT -p tcp --dport 80 -j ACCEPT

#-A OUTPUT -p tcp --dport 443 -j ACCEPT

######################################################################################

#以下#号部分未测试或为成功，并可能有错误开启之前请先测试，并保证能与你的环境匹配

#syn-flood

#-A syn-flood -p tcp -m limit --limit 500/sec --limit-burst 10000 -j RETURN

#------FIN SYN RST ACK SYN-----------------

#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT

#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10/sec --limit-burst 100 -j ACCEPT

######################################################################################

#PORTSAN 端口扫描拒绝，缺少工具没能测试好，请慎用。

#-A INPUT -p tcp --syn -m recent --name portscan --rcheck --seconds 60 --hitcount 10 -j LOG

#-A INPUT -p tcp --syn -m recent --name portscan --set -j DROP

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A syn-flood -j REJECT --reject-with icmp-port-unreachable

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

EOF

/sbin/service iptables restart

source /etc/profile

chkconfig iptables on

/sbin/iptables -L -v

chkconfig | grep iptables

echo -e "\033[31m iptables ok \033[0m"

sleep 1

}

# others

other(){

# initdefault

sed -i ‘s/^id:.*$/id:3:initdefault:/‘ /etc/inittab

/sbin/init q

cat /etc/inittab | grep "id:"

# PS1 /tmp/

sed -i "/^PS1=.*/d" /etc/profile

echo ‘PS1="\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@\h \[\e[35;40m\]\W\[\e[0m\]]\\$ \[\e[33;40m\]"‘ >> /etc/profile

# HISTSIZ

sed -i ‘s/^HISTSIZE=.*$/HISTSIZE=300/‘ /etc/profile

cat /etc/profile | grep "^HISTSIZE"

# Record command

sed -i "/^export PROMPT_COMMAND=.*/d" /root/.bash_profile

echo "export PROMPT_COMMAND=‘{ msg=\$(history 1 | { read x y; echo \$y; });user=\$(whoami); echo \$(date \"+%Y-%m-%d %H:%M:%S\"):\$user:\`pwd\`/:\$msg ---- \$(who am i); } >> /tmp/\`hostname\`.\`whoami\`.history-timestamp‘" >> /root/.bash_profile

# Wrong password five times locked 180s

sed -i "/^auth        required      pam_tally2.so deny=5 unlock_time=180/d" /etc/pam.d/system-auth

sed -i ‘4a auth        required      pam_tally2.so deny=5 unlock_time=180‘ /etc/pam.d/system-auth

source /etc/profile

cat /etc/pam.d/system-auth | grep "auth        required      pam_tally2.so"

echo -e "\033[31m other ok \033[0m"

sleep 1

}

done_ok(){

echo -e "\033[31m +-------------------------------------------------+ \033[0m"

echo -e "\033[31m |               优化已经完成                    | \033[0m"

echo -e "\033[31m |            （系统将在60s后自动重启）            | \033[0m"

echo -e "\033[31m +---重要配置信息保存到/root/info.txt-------- -----+ \033[0m"

echo -e "\033[31m +-------------------------------------------------+ \033[0m"

cat /etc/sysconfig/network-scripts/ifcfg-$CARD_TYPE >>cat /root/info.txt

echo " 超级用户为：$USERNAME" >>cat /root/info.txt

cat /root/info.txt

sleep 60

reboot

}

# main

main(){

install_judge

network_change

safe_change

    yum_update

    zone_time

    limits_config

    sysctl_config

    set_key

    selinux

    ssh_GSS

    backspace_button

    stop_crond

    dissable_service

    stop_ipv6

    inittab

    iptables

    other

    done_ok

}

#python2.7安装

wget https://www.python.org/ftp/python/2.7.10/Python-2.7.10.tgz 

tar -zxvf Python-2.7.10.tgz

cd Python-2.7.10

./configure

make -j && make install

mv /usr/bin/python /usr/bin/python2.6.6    重命名旧的python解释器名称

cd /usr/bin && ln -s /usr/local/bin/python 建软链接，让/user/bin/python指向新python解释器

vim /usr/bin/yum

修改python路径，为原路径#！/usr/bin/python  为#!/usr/bin/python2.6.6

本文出自 “野山羊” 博客，请务必保留此出处http://yeshanyang.blog.51cto.com/8845896/1831706