CentOS(6.8)linux生产环境若干优化实战
CentOS系统安装之后并不能立即投入生产环境使用,需要经过运维人员的优化才行。在此讲解几点关于Linux系统安装后的基础优化操作。
注意:不同版本5.x和6.x两者优化时会有些区别。
CentOS修改时区
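# Set the system time zone to Asia/Shanghai the CentOS 6 way:
# record it in /etc/sysconfig/clock and install the matching zoneinfo file.
# (The page's curly quotes around the ZONE value are not shell quotes; plain
# single quotes are required for the line to work.)
echo 'ZONE="Asia/Shanghai"' > /etc/sysconfig/clock
cp -f /usr/share/zoneinfo/Asia/Shanghai /etc/localtime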
优化条目:
1. 修改ip地址、网关、主机名、DNS等
2. 关闭selinux,清空iptables
3. 添加普通用户并进行sudo授权管理
4. 更新yum源及必要软件安装
5. 定时自动更新服务器时间
6. 精简开机自启动服务
7. 定时自动清理/var/spool/clientmqueue/目录垃圾文件,防止inode节点被占满
8. 变更默认的ssh服务端口,禁止root用户远程连接
9. 锁定关键文件系统
10. 调整文件描述符大小
11. 调整字符集,使其支持中文
12. 去除系统及内核版本登录前的屏幕显示
13. 内核参数优化
#!/bin/bash
#author yeshanyang
#CentOS install update improve
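#######################################
# Sanity-check the host before anything is changed.
# Aborts unless running as root on CentOS 6.6 x86_64 and the operator
# confirms with Y/y; any other answer (including the default N) exits.
# Globals:   plantform, version, Version (written; kept for compatibility)
# Outputs:   banner and prompt on stdout, the root error on stderr
# Returns:   exits 1 on an unsupported host, exits 0 when the operator declines
#######################################
install_judge(){
  if [[ "$(whoami)" != "root" ]]; then
    echo "please run this script as root !" >&2
    exit 1
  fi
  # Only 64-bit CentOS 6.6 is supported: detect the architecture and release.
  plantform=$(uname -i)
  # /etc/redhat-release reads like "CentOS release 6.6 (Final)"; field 3 is the version.
  version=$(awk '{print $3}' /etc/redhat-release)
  Version=$(cat /etc/redhat-release)
  echo -e "\033[31m YOU SYSTEM IS: $Version $plantform \033[0m"
  echo -e "\033[32m system initialization script, Please Seriously.Make sure that this your first install!!! press ctrl+C to cancel \033[0m"
  # Quoted [[ ]] comparisons: with the original unquoted [ ], an empty value
  # made the test itself fail and the script carried on instead of aborting.
  if [[ "$plantform" != "x86_64" ]]; then
    echo -e "\033[32m the script only Support CentOS_6.6 x86_64 \033[0m"
    exit 1
  fi
  echo "The Platform is ok"
  if [[ "$version" != "6.6" ]]; then
    echo -e "\033[32m the script only Support CentOS_6.6 x86_64 \033[0m"
    exit 1
  fi
  sleep 3
  # Explicit confirmation before touching the system.
  local yn="n"
  echo -ne "\033[32m IF you want to install ,please input [Y](default [N]) \033[0m"
  read -r yn
  if [[ "$yn" != "y" && "$yn" != "Y" ]]; then
    echo "bye-bye!"
    exit 0
  fi
  echo -e "\033[32m START TO INSTALL............ \033[0m"
}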
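#######################################
# Prompt repeatedly until a non-empty line is read from stdin.
# Arguments: $1 - prompt text
# Outputs:   the entered value on stdout (callers use var=$(input_fun "..."))
# Returns:   0 with a value; 1 if stdin reaches EOF before a non-empty line.
#            The original spun forever on EOF (read kept failing with an
#            empty value), which hung the script when stdin was not a tty.
#######################################
input_fun()
{
  local prompt=$1
  local answer=""
  while [[ -z "$answer" ]]; do
    # A final line without a trailing newline makes read return 1 but still
    # fills the variable, so only give up when nothing was read.
    read -r -p "$prompt" answer || [[ -n "$answer" ]] || return 1
  done
  # printf instead of unquoted echo: the value is emitted exactly as typed.
  printf '%s\n' "$answer"
}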
#######################################
# Collect the network identity interactively, one question per value.
# Globals (written): MYHOSTNAME DOMAINNAME CARD_TYPE IPADDR NETMASK
#                    GATEWAY MYDNS1 MYDNS2
# Outputs:   prompts only (through input_fun)
#######################################
input_again()
{
  # "VARIABLE=prompt" pairs, asked in this order.
  local questions=(
    'MYHOSTNAME=please input the hostname:'
    'DOMAINNAME=please input the domainname:'
    'CARD_TYPE=please input the card above you want to change:'
    'IPADDR=please input ip address(192.168.100.1):'
    'NETMASK=please input netmask(255.255.255.0):'
    'GATEWAY=please input gateway(192.168.100.1):'
    'MYDNS1=please input DNS1(192.168.1.21):'
    'MYDNS2=please input DNS2(8.8.8.8):'
  )
  local entry var prompt
  for entry in "${questions[@]}"; do
    var=${entry%%=*}
    prompt=${entry#*=}
    printf -v "$var" '%s' "$(input_fun "$prompt")"
  done
}
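#######################################
# Switch the chosen NIC from DHCP to a static address and rewrite
# /etc/hosts and /etc/resolv.conf from the values gathered by input_again.
# Globals:   CARD_TYPE IPADDR NETMASK GATEWAY MYHOSTNAME DOMAINNAME
#            MYDNS1 MYDNS2 (read); MAC (written, unused elsewhere in this file)
# Returns:   1 when the ifcfg file for the chosen NIC does not exist, so
#            /etc/hosts and resolv.conf are not rewritten for a bad NIC name.
# NOTE(review): HOSTNAME in /etc/sysconfig/network is not updated here, so
#            the kernel hostname stays as installed -- confirm that is intended.
#######################################
network_change()
{
  ifconfig -a
  cat << EOF
+-------------------------------------------------+
| 查看当前网络IP信息,然后设置具体ip |
+-------------------------------------------------+
EOF
  input_again
  local ifcfg="/etc/sysconfig/network-scripts/ifcfg-$CARD_TYPE"
  if [[ ! -f "$ifcfg" ]]; then
    printf 'no such interface config: %s\n' "$ifcfg" >&2
    return 1
  fi
  # Hardware address of the NIC; kept for compatibility with the original script.
  MAC=$(ifconfig "$CARD_TYPE" | awk '/HWaddr/ {print $5}')
  # Switch the NIC to a fixed address.
  sed -i 's/BOOTPROTO=dhcp/BOOTPROTO=static/g' "$ifcfg"
  cat >>"$ifcfg" <<ENDF
IPADDR=$IPADDR
NETMASK=$NETMASK
GATEWAY=$GATEWAY
ENDF
  cat >/etc/hosts <<ENDF
127.0.0.1 $MYHOSTNAME $MYHOSTNAME.$DOMAINNAME localhost
$IPADDR $MYHOSTNAME $MYHOSTNAME.$DOMAINNAME localhost
ENDF
  cat >/etc/resolv.conf <<ENDF
domain $DOMAINNAME
search $DOMAINNAME
nameserver $MYDNS1
nameserver $MYDNS2
ENDF
}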
#关闭系统不用的服务
#隐藏版本信息:(隐藏前cat /etc/issue)
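#######################################
# Blank the pre-login banners, trim runlevel-3 services to a minimal set,
# and create the admin user with a full sudo entry.
# Globals:   USERNAME (set by user_add, read here)
# Notes:     the edited sudoers file is checked with visudo -c and the
#            previous copy restored on a syntax error, because a malformed
#            /etc/sudoers disables sudo for every user.
#######################################
safe_change()
{
  # Hide OS/kernel version from the local and network login banners.
  : > /etc/issue
  : > /etc/issue.net
  # Turn every runlevel-3 service off, then re-enable only the essentials.
  local server
  while read -r server; do
    chkconfig --level 3 "$server" off
  done < <(chkconfig --list | awk '/3:on/ {print $1}')
  for server in crond network rsyslog sshd ntpd; do
    chkconfig --level 3 "$server" on
  done
  # Create the admin account and grant it sudo.
  user_add
  local sudoers_backup
  sudoers_backup=$(mktemp /etc/sudoers.XXXXXX) || return 1
  cp -p /etc/sudoers "$sudoers_backup"
  chmod +w /etc/sudoers
  echo "$USERNAME ALL=(ALL) ALL" >>/etc/sudoers
  chmod -w /etc/sudoers
  if ! visudo -c -f /etc/sudoers >/dev/null 2>&1; then
    printf 'sudoers check failed, restoring previous file\n' >&2
    cp -p "$sudoers_backup" /etc/sudoers
  fi
  rm -f -- "$sudoers_backup"
  # Immutable-flag lock/unlock of the key account files, kept for reference
  # (unlock with -i before editing them):
  #chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
  #chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
}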
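#######################################
# Create the admin account interactively and set its password.
# Globals:   USERNAME (written; read later by safe_change and done_ok)
# Returns:   1 if useradd fails, so passwd is not run against a missing user
#######################################
user_add()
{
  USERNAME=$(input_fun "please input new user name:")
  useradd "$USERNAME" || return 1
  passwd "$USERNAME"
}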
#更新YUM源,epel源和rpm源 repo
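#######################################
# Build OpenSSL 1.0.1g from source (Heartbleed, CVE-2014-0160: 1.0.1f and
# earlier are affected). Split out so a failed download or extraction
# returns here instead of running make in the wrong directory.
# Returns:   1 if the download, extraction or cd fails
# TODO(review): verify the tarball against an upstream signature/checksum
#   (<expected checksum placeholder>) before building -- it is fetched over
#   plain HTTP with no integrity check. Also, ./config installs under
#   /usr/local/ssl by default and presumably does not replace the system
#   libssl that sshd/yum link against -- confirm.
#######################################
_build_openssl()
{
  wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz || return 1
  tar zxvf openssl-1.0.1g.tar.gz || return 1
  cd openssl-1.0.1g || return 1
  ./config
  make && make install
  cd - >/dev/null || true
}

#######################################
# Point yum at the Aliyun mirror, add the EPEL and RPMforge repos, and
# install/update the base tool set.
# Notes:     the repo files and release RPMs are fetched over plain HTTP;
#            the GPG keys imported afterwards cover later package installs
#            but not these initial downloads themselves.
# Whether the packaged openssl is already patched can be checked with:
#   rpm -q --changelog openssl-1.0.1e | grep CVE-2014-0160
# (a "- fix CVE-2014-0160 - information disclosure in TLS" line means yes).
#######################################
yum_update()
{
  if [[ ! -e "/etc/yum.repos.d/bak" ]]; then
    mkdir /etc/yum.repos.d/bak
    mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/bak/CentOS-Base.repo.backup
  fi
  # Replace the stock mirror list with the Aliyun repo file.
  wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
  #wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
  #wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.sohu.com/help/CentOS-Base-sohu.repo
  #wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.163.com/.help/CentOS6-Base-163.repo
  # Third-party repos: EPEL, then RPMforge, each followed by its signing key.
  #rpm -Uvh http://download.Fedora.RedHat.com/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm
  rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
  rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
  rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
  rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
  yum clean all && yum makecache
  #yum -y groupinstall "Development Tools" "Server Platform Development" "Desktop Platform Development"
  yum -y install vim wget man ntp redhat-lsb unzip gcc gcc-c++
  yum -y update glibc\*
  yum -y update yum\* rpm\* python\*
  # Best effort: a failed source build must not stop the package update below.
  _build_openssl || printf 'openssl source build skipped\n' >&2
  #yum install openssl-client
  yum -y update
  echo -e "\033[31m yum update ok \033[0m"
  #OPENSSLV=$(openssl version)
  #if [[ "$OPENSSLV" = 1 ]]; then
  # yum install lsof -y
  #fi
  sleep 1
}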
####设置初始时间
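#######################################
# Set the time zone to Asia/Shanghai, sync the clock once with ntpdate and
# install root cron entries that keep it synced.
# Notes:     the cron lines are appended only when absent, so re-running
#            the script no longer duplicates them on every pass.
#######################################
zone_time()
{
  yum -y install ntp
  if [[ "$(date +%z)" != "+0800" ]]; then
    # /etc/localtime is a single file; -r is unnecessary for it.
    rm -f /etc/localtime
    ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
    cat > /etc/sysconfig/clock<<ENDF
ZONE="Asia/Shanghai"
UTC=false
ARC=false
ENDF
  fi
  printf 'Present time zone:%s\n' "$(date +%z)"
  cat /etc/sysconfig/clock
  echo -e "\033[31m time zone ok \033[0m"
  sleep 1
  # One-off sync, then push the result to the hardware clock.
  echo "update time please wait!"
  /usr/sbin/ntpdate 0.centos.pool.ntp.org && /sbin/hwclock -w
  # Second entry: "*/1" in the day-of-week field is every day, so hwclock -w
  # runs every minute -- presumably intended; confirm.
  local crontab=/var/spool/cron/root
  if ! grep -qF '/usr/sbin/ntpdate 0.centos.pool.ntp.org' "$crontab" 2>/dev/null; then
    cat >> "$crontab" << EOF
*/5 * * * * /usr/sbin/ntpdate 0.centos.pool.ntp.org > /dev/null 2>&1
* * * * */1 /usr/sbin/hwclock -w > /dev/null 2>&1
EOF
  fi
  # crond refuses crontabs that are readable by others.
  chmod 600 "$crontab"
  /sbin/service crond restart
  sed -i 's/^server 1.centos.pool.ntp.org/server 0.cn.pool.ntp.org/g' /etc/ntp.conf
  echo -e "\033[31m time zone ok \033[0m"
  sleep 1
}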
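#######################################
# Raise open-file and process limits system-wide via rc.local, /etc/profile
# and /etc/security/limits.conf (a .bak copy of limits.conf is kept).
# NOTE(review): the profile line "ulimit -SHn 102400" asks for more than the
#   65535 hard nofile limit written to limits.conf below, so it will likely
#   fail with "cannot modify limit" for non-root logins -- confirm the
#   intended numbers. "ulimit -c unlimited" also enables core dumps for
#   every login; core files can contain credentials, so restrict their
#   location/permissions if that stays.
#######################################
limits_config()
{
  # The default fd limit (1024) is far too low for a server.
  sed -i "/^ulimit -SHn.*/d" /etc/rc.local
  echo "ulimit -SHn 102400" >> /etc/rc.local
  sed -i "/^ulimit -s.*/d" /etc/profile
  sed -i "/^ulimit -c.*/d" /etc/profile
  sed -i "/^ulimit -SHn.*/d" /etc/profile
  cat >> /etc/profile << EOF
ulimit -c unlimited
ulimit -s unlimited
ulimit -SHn 102400
EOF
  source /etc/profile
  ulimit -a
  grep ulimit /etc/profile
  # The original printed "hosts ok" here; this step configures ulimit.
  echo -e "\033[31m ulimit ok \033[0m"
  if [[ ! -f "/etc/security/limits.conf.bak" ]]; then
    cp /etc/security/limits.conf /etc/security/limits.conf.bak
  fi
  # Drop any existing wildcard nofile/nproc lines so the block below is authoritative.
  local key
  for key in "soft.*nofile" "hard.*nofile" "soft.*nproc" "hard.*nproc"; do
    sed -i "/^*.*${key}/d" /etc/security/limits.conf
  done
  cat >> /etc/security/limits.conf << EOF
#
#---------custom-----------------------
#
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF
  grep "^* .*" /etc/security/limits.conf
  echo -e "\033[31m limits ok \033[0m"
  sleep 1
}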
#######内核调优,tune kernel parametres
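#######################################
# Rewrite the tuned kernel parameters in /etc/sysctl.conf (backup kept in
# /etc/sysctl.conf.bak), derive shmmax/shmall from RAM, and reload.
# NOTE(review): net.ipv4.tcp_tw_recycle=1 is known to drop connections from
#   clients behind NAT, and with net.ipv4.tcp_timestamps=0 (set below) it is
#   presumably a no-op anyway since it depends on timestamps; tcp_timestamps=0
#   also disables PAWS. Values are kept as the author wrote them.
#######################################
sysctl_config(){
  if [[ ! -f "/etc/sysctl.conf.bak" ]]; then
    cp /etc/sysctl.conf /etc/sysctl.conf.bak
  fi
  # Remove every existing line for a key we are about to write, so the
  # appended block is the only definition.
  local keys=(
    net.ipv4.ip_forward
    net.ipv4.conf.default.rp_filter
    net.ipv4.conf.default.accept_source_route
    kernel.sysrq
    kernel.core_uses_pid
    net.ipv4.tcp_syncookies
    kernel.msgmnb
    kernel.msgmax
    net.ipv4.tcp_max_tw_buckets
    net.ipv4.tcp_sack
    net.ipv4.tcp_window_scaling
    net.ipv4.tcp_rmem
    net.ipv4.tcp_wmem
    net.core.wmem_default
    net.core.rmem_default
    net.core.rmem_max
    net.core.wmem_max
    net.core.netdev_max_backlog
    net.core.somaxconn
    net.ipv4.tcp_max_orphans
    net.ipv4.tcp_max_syn_backlog
    net.ipv4.tcp_timestamps
    net.ipv4.tcp_synack_retries
    net.ipv4.tcp_syn_retries
    net.ipv4.tcp_tw_recycle
    net.ipv4.tcp_tw_reuse
    net.ipv4.tcp_mem
    net.ipv4.tcp_fin_timeout
    net.ipv4.tcp_keepalive_time
    net.ipv4.ip_local_port_range
  )
  local key
  for key in "${keys[@]}"; do
    # The dots stay regex wildcards, exactly as in the original per-key patterns.
    sed -i "/^${key}/d" /etc/sysctl.conf
  done
  #sed -i "/^net.ipv4.tcp_tw_len/d" /etc/sysctl.conf
  cat >> /etc/sysctl.conf << EOF
#
#
#-------custom---------------------------------------------
#
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
#net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_synack_retries = 2
#net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
#net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65535
#net.ipv4.tcp_tw_len = 1
#net.ipv4.route.gc_timeout = 100
EOF
  # Apply the TIME_WAIT bucket cap immediately, ahead of sysctl -p.
  echo 6000 > /proc/sys/net/ipv4/tcp_max_tw_buckets
  sed -i "/^kernel.shmmax/d" /etc/sysctl.conf
  sed -i "/^kernel.shmall/d" /etc/sysctl.conf
  # shmmax = 90% of physical RAM in bytes (free prints KiB in column 2).
  local shmmax shmall
  shmmax=$(free -l | awk '/^Mem/ {printf("%d\n", $2*1024*0.9)}')
  # shmall is counted in pages; the original divides by 4 -- presumably an
  # approximation for 4 KiB pages, verify against "getconf PAGESIZE".
  shmall=$((shmmax / 4))
  echo "kernel.shmmax = $shmmax" >> /etc/sysctl.conf
  echo "kernel.shmall = $shmall" >> /etc/sysctl.conf
  # Load the bridge module (needed for any net.bridge.* keys).
  modprobe bridge
  lsmod | grep bridge
  /sbin/sysctl -p
  echo -e "\033[31m sysctl ok \033[0m"
  sleep 1
}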
#关闭 control-alt-delete to guard against the miSUSE
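#######################################
# Comment out the Ctrl-Alt-Del reboot action in the CentOS 6 upstart job
# so a console keystroke cannot reboot the box.
#######################################
set_key()
{
  # "\#" in the replacement is a literal "#" (the s command uses # as delimiter).
  sed -i 's#^exec /sbin/shutdown -r now#\#exec /sbin/shutdown -r now#' /etc/init/control-alt-delete.conf
  grep /sbin/shutdown /etc/init/control-alt-delete.conf
  echo -e "\033[31m control-alt-delete ok \033[0m"
  sleep 1
}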
#disable selinux
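#######################################
# Persist SELINUX=disabled for the next boot and drop to permissive now.
# The pattern matches any current mode (the original only rewrote
# "enforcing", leaving a "permissive" config untouched).
# NOTE(review): this removes mandatory access control entirely; a
#   permissive-then-enforcing rollout keeps that layer. Left as the author
#   intended.
#######################################
selinux()
{
  sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
  setenforce 0
  echo -e "\033[31m selinux ok \033[0m"
  sleep 1
}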
#禁止ping
#echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
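#######################################
# Harden sshd_config: no reverse-DNS lookups, no root login, no empty
# passwords; then validate the file and restart sshd.
# Notes:     each directive is matched whether it is still the commented
#            default or already set, so an active "PermitRootLogin yes"
#            is also turned off (the original only rewrote "#PermitRootLogin yes").
#            sshd is restarted only if "sshd -t" accepts the config, since a
#            bad file would otherwise lock out every remote admin.
#######################################
ssh_GSS()
{
  local cfg=/etc/ssh/sshd_config
  #sed -i '/^#Port/s/#Port 22/Port 65535/g' "$cfg"
  #iptables -A INPUT -p tcp --dport 65535 -j ACCEPT
  #sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' "$cfg"
  sed -i 's/^#\?UseDNS .*/UseDNS no/' "$cfg"
  sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' "$cfg"
  sed -i 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords no/' "$cfg"
  if /usr/sbin/sshd -t; then
    /etc/init.d/sshd restart
  else
    printf 'sshd_config failed validation; sshd not restarted\n' >&2
  fi
  grep -i usedns "$cfg"
  grep -i PermitEmptyPasswords "$cfg"
  echo -e "\033[31m sshd ok \033[0m"
  sleep 1
}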
####用户环境修改,vim等,无法回退删除,显示行等,define the backspace button can erase the last character typed
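#######################################
# Make Backspace send "erase" in login shells and enable vim syntax
# highlighting for root.
#######################################
backspace_button(){
  sed -i "/^stty erase ^H/d" /etc/profile
  echo 'stty erase ^H' >> /etc/profile
  # sed -i errors out on a missing file; make sure /root/.vimrc exists first.
  touch /root/.vimrc
  sed -i "/^syntax.*/d" /root/.vimrc
  echo "syntax on" >> /root/.vimrc
  #cat >> /root/.vimrc << EOF
  #syntax on
  #set nu
  #set showmode
  #set ruler
  #set autoindent
  #EOF
  echo -e "\033[31m backspace ok \033[0m"
  grep -i "stty erase ^H" /etc/profile
  grep -i "syntax" /root/.vimrc
  sleep 1
}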
#######################################
# Move the daily makewhatis and mlocate jobs out of /etc/cron.daily
# (first run only: the backup directory doubles as the "done" marker).
#######################################
stop_crond(){
  local bak_dir=/etc/cron.daily.bak
  local job
  if [[ ! -e "$bak_dir" ]]; then
    mkdir "$bak_dir"
    for job in makewhatis.cron mlocate.cron; do
      # Either job may be absent; the move is best effort.
      mv "/etc/cron.daily/$job" "$bak_dir" > /dev/null 2>&1
    done
  fi
  echo -e "\033[31m crond ok \033[0m"
  sleep 1
}
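#######################################
# Second service pass: explicitly stop bluetooth/cups/ip6tables, then turn
# every runlevel-3 service off and re-enable only the keep list.
# NOTE(review): safe_change re-enables ntpd, this pass does not, so ntpd
#   ends up disabled at boot and the ntpdate cron job from zone_time is
#   what keeps time in sync -- confirm that is intended.
#######################################
dissable_service(){
  chkconfig bluetooth off > /dev/null 2>&1
  chkconfig cups off > /dev/null 2>&1
  chkconfig ip6tables off > /dev/null 2>&1
  local server
  while read -r server; do
    chkconfig --level 3 "$server" off
  done < <(chkconfig --list | awk '/3:on/ {print $1}')
  for server in crond network rsyslog sshd; do
    chkconfig --level 3 "$server" on
  done
  chkconfig | grep -E "cups|ip6tables|bluetooth"
  echo -e "\033[31m service ok \033[0m"
  sleep 1
}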
#disable the ipv6
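#######################################
# Keep the ipv6 module from loading and tell the network init scripts to
# skip IPv6 configuration.
#######################################
stop_ipv6(){
  cat > /etc/modprobe.d/ipv6.conf << EOFI
#
#---------------custom-----------------------
#
alias net-pf-10 off
options ipv6 disable=1
EOFI
  sed -i "/^NETWORKING_IPV6.*/d" /etc/sysconfig/network
  echo "NETWORKING_IPV6=off" >> /etc/sysconfig/network
  grep NETWORKING_IPV6 /etc/sysconfig/network
  echo -e "\033[31m ipv6 ok \033[0m"
  sleep 1
}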
#language..
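#######################################
# Trim the console gettys and disable Ctrl-Alt-Del: CentOS 5 keeps both in
# /etc/inittab (and gets its locale forced to en_US.UTF-8 here), CentOS 6
# uses /etc/sysconfig/init plus an upstart job.
# Notes:     with the page's curly quotes the grep pattern never matched and
#            the 5.x branch always ran; plain quotes restore the release check.
#######################################
inittab(){
  if ! grep -q '6\.' /etc/redhat-release; then
    sed -i 's/3:2345:respawn/#3:2345:respawn/g' /etc/inittab
    sed -i 's/4:2345:respawn/#4:2345:respawn/g' /etc/inittab
    sed -i 's/5:2345:respawn/#5:2345:respawn/g' /etc/inittab
    sed -i 's/6:2345:respawn/#6:2345:respawn/g' /etc/inittab
    sed -i 's/ca::ctrlaltdel/#ca::ctrlaltdel/g' /etc/inittab
    sed -i 's@LANG=.*$@LANG="en_US.UTF-8"@g' /etc/sysconfig/i18n
  else
    sed -i 's@^ACTIVE_CONSOLES.*@ACTIVE_CONSOLES=/dev/tty[1-2]@' /etc/sysconfig/init
    sed -i 's@^start@#start@' /etc/init/control-alt-delete.conf
  fi
  # Ask init to re-read its configuration.
  /sbin/init q
  echo "$LANG"
  echo -e "\033[31m inittab ok \033[0m"
  sleep 1
}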
# iptables
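#######################################
# Install a default-deny INPUT ruleset: loopback, established traffic, ICMP
# and new TCP to 22/80/443 are accepted, everything else is rejected.
# Notes:     the function shadows the iptables command by name; the binary
#            is therefore always invoked by absolute path inside it.
#            A "syn-flood" chain is declared in the ruleset but no visible
#            rule jumps to it, so it has no effect as written.
#            If the restart fails (typically a rule-file syntax error) the
#            previous rules stay active; that is reported instead of
#            silently printing "iptables ok".
#######################################
iptables(){
  yum -y install iptables
  if [[ ! -e "/etc/sysconfig/iptables.bak" ]]; then
    cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak > /dev/null 2>&1
  fi
  cat > /etc/sysconfig/iptables << EOF
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
# 防火墙规则有先后顺序,修改前请测试确定后更改
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
#RELATED,ESTABLISHED
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#io
-A INPUT -i lo -j ACCEPT
#ping
-A INPUT -p icmp -j ACCEPT
#redis
#-A INPUT -p tcp -m tcp --dport 6379 -j ACCEPT
#-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6379 -j ACCEPT
#mysql
#-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
#-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
#memcache
#-A INPUT -p tcp -m tcp --dport 11211 -j ACCEPT
#-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 11211 -j ACCEPT
#php
#-A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
#-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 9000 -j ACCEPT
#ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name SSH --rsource -j DROP
#-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -j ACCEPT
#http 500 * 90% 需要限制情况下可以取消第一行注释
#-A INPUT -p tcp -m tcp --dport 80 -m connlimit --connlimit-above 500 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
#https 500 * 90% 需要限制情况下可以取消第一行注释
#-A INPUT -p tcp -m tcp --dport 443 -m connlimit --connlimit-above 500 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#---service--------------------------------------------------
#DNS 安装DNS服务器后需要打开
#-A INPUT -p udp --sport 53 -j ACCEPT
#ntp 配置ntp服务器时候需要打开
#-A INPUT -p udp --sport 123 -j ACCEPT
#对外访问,比如api接口 需要结合OUTPUT DROP 全部关闭情况下才需要打开,这种限制非常严格情况下才配置
#-A OUTPUT -p tcp --dport 80 -j ACCEPT
#-A OUTPUT -p tcp --dport 443 -j ACCEPT
######################################################################################
#以下#号部分未测试或为成功,并可能有错误开启之前请先测试,并保证能与你的环境匹配
#syn-flood
#-A syn-flood -p tcp -m limit --limit 500/sec --limit-burst 10000 -j RETURN
#------FIN SYN RST ACK SYN-----------------
#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10/sec --limit-burst 100 -j ACCEPT
######################################################################################
#PORTSAN 端口扫描拒绝,缺少工具没能测试好,请慎用。
#-A INPUT -p tcp --syn -m recent --name portscan --rcheck --seconds 60 --hitcount 10 -j LOG
#-A INPUT -p tcp --syn -m recent --name portscan --set -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
  if ! /sbin/service iptables restart; then
    printf 'iptables restart failed; check /etc/sysconfig/iptables\n' >&2
  fi
  source /etc/profile
  chkconfig iptables on
  /sbin/iptables -L -v
  chkconfig | grep iptables
  echo -e "\033[31m iptables ok \033[0m"
  sleep 1
}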
# others
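#######################################
# Misc: default runlevel 3, coloured prompt, shorter history, per-command
# audit log for root, and a pam_tally2 lockout after five failed logins.
# Notes:     the page's curly quotes inside the PROMPT_COMMAND line were
#            written verbatim into .bash_profile, which would not parse;
#            plain single quotes are used here.
# NOTE(review): the command log lands in world-writable /tmp under a
#   predictable name, so any local user can pre-create, read or symlink it;
#   a root-owned directory with mode 0600 is the usual choice for an audit
#   trail. pam_tally2 is normally paired with an
#   "account required pam_tally2.so" line so the counter resets on success,
#   and "4a" inserts at a fixed line number, so verify the resulting auth
#   stack order (pam_tally2 must come before pam_unix).
#######################################
other(){
  # Boot to multi-user text mode.
  sed -i 's/^id:.*$/id:3:initdefault:/' /etc/inittab
  /sbin/init q
  grep "id:" /etc/inittab
  # Coloured prompt for every login shell.
  sed -i "/^PS1=.*/d" /etc/profile
  echo 'PS1="\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@\h \[\e[35;40m\]\W\[\e[0m\]]\\$ \[\e[33;40m\]"' >> /etc/profile
  sed -i 's/^HISTSIZE=.*$/HISTSIZE=300/' /etc/profile
  grep "^HISTSIZE" /etc/profile
  # Append "timestamp:user:cwd/:command ---- tty" for every root command.
  sed -i "/^export PROMPT_COMMAND=.*/d" /root/.bash_profile
  echo "export PROMPT_COMMAND='{ msg=\$(history 1 | { read x y; echo \$y; });user=\$(whoami); echo \$(date \"+%Y-%m-%d %H:%M:%S\"):\$user:\`pwd\`/:\$msg ---- \$(who am i); } >> /tmp/\`hostname\`.\`whoami\`.history-timestamp'" >> /root/.bash_profile
  # Lock an account for 180 s after five wrong passwords.
  sed -i "/^auth required pam_tally2.so deny=5 unlock_time=180/d" /etc/pam.d/system-auth
  sed -i '4a auth required pam_tally2.so deny=5 unlock_time=180' /etc/pam.d/system-auth
  source /etc/profile
  grep "auth required pam_tally2.so" /etc/pam.d/system-auth
  echo -e "\033[31m other ok \033[0m"
  sleep 1
}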
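#######################################
# Print the completion banner, save the NIC config and admin user name to
# /root/info.txt, then reboot after 60 s.
# Globals:   CARD_TYPE USERNAME (read)
# Notes:     the original redirected with ">>cat /root/info.txt", which
#            appended to a file literally named "cat" in the current
#            directory and passed info.txt to cat as a second input; the
#            summary file was never written.
#######################################
done_ok(){
  echo -e "\033[31m +-------------------------------------------------+ \033[0m"
  echo -e "\033[31m | 优化已经完成 | \033[0m"
  echo -e "\033[31m | (系统将在60s后自动重启) | \033[0m"
  echo -e "\033[31m +---重要配置信息保存到/root/info.txt-------- -----+ \033[0m"
  echo -e "\033[31m +-------------------------------------------------+ \033[0m"
  local info=/root/info.txt
  cat "/etc/sysconfig/network-scripts/ifcfg-$CARD_TYPE" >> "$info"
  echo " 超级用户为:$USERNAME" >> "$info"
  # The file names the sudo-capable account; keep it readable by root only.
  chmod 600 "$info"
  cat "$info"
  sleep 60
  reboot
}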
# main
#######################################
# Run every provisioning step in order; the last one (done_ok) reboots.
# NOTE(review): nothing in the visible file invokes main (there is no
#   trailing `main "$@"`), so as shown the script only defines functions.
#######################################
main(){
  local steps=(
    install_judge network_change safe_change yum_update zone_time
    limits_config sysctl_config set_key selinux ssh_GSS backspace_button
    stop_crond dissable_service stop_ipv6 inittab iptables other done_ok
  )
  local step
  for step in "${steps[@]}"; do
    "$step"
  done
}
#python2.7安装
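# Build Python 2.7.10 from source, make it the default "python", and keep
# yum on the stock 2.6 interpreter it was written for.
# TODO(review): verify the tarball against the upstream checksum
# (<expected checksum placeholder>) before building.
wget https://www.python.org/ftp/python/2.7.10/Python-2.7.10.tgz
tar -zxvf Python-2.7.10.tgz
# Never run configure/make in the wrong directory if the extraction failed.
cd Python-2.7.10 || exit 1
./configure
# A bare "make -j" spawns unlimited jobs; bound it by the CPU count.
make -j "$(nproc)" && make install
# Rename the old interpreter, then point /usr/bin/python at the new build.
mv /usr/bin/python /usr/bin/python2.6.6
ln -s /usr/local/bin/python /usr/bin/python
# yum only works with the 2.6 interpreter: rewrite its shebang
# (#!/usr/bin/python -> #!/usr/bin/python2.6.6) instead of editing it by hand.
sed -i '1s|^#!/usr/bin/python$|#!/usr/bin/python2.6.6|' /usr/bin/yum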
本文出自 “野山羊” 博客,请务必保留此出处http://yeshanyang.blog.51cto.com/8845896/1831706