  #!/bin/bash
#
# Script Name: initSystem.sh
# Description: setup linux system init.
# Author: lvsi
# Date: 2012-10-30
#  
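#set env
# Every init* step below shells out to tools under /sbin and /usr/sbin, so
# make sure they resolve even when the script is started from a minimal PATH.
export PATH=$PATH:/bin:/sbin:/usr/sbin
export LANG="zh_CN.GB18030"
#require root to run this script.
# Compare the numeric uid rather than the login name so a uid-0 account with a
# different name is still accepted.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "Please run this script as root." >&2
  exit 1
fi
#define cmd var
# Resolved with command -v (portable; `which` is not a builtin). Neither
# variable is referenced elsewhere in this file as shown, so a missing tool
# is not fatal here.
SERVICE=$(command -v service)
CHKCONFIG=$(command -v chkconfig)
#Source function library.
. /etc/init.d/functions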
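#Modify the system yum source  //修改系统Yum源
# Replaces /etc/yum.repos.d/CentOS-Base.repo with the sohu mirror definition,
# keeping a dated copy (CentOS-Base.repo.ori.YYYY-MM-DD) of the original.
# Exits 1 if the directory, the network check or the download fails, so a
# half-done swap is never left behind.
# NOTE(review): the repo file is fetched over plain HTTP with no integrity
# check and becomes the source of everything yum installs afterwards. Keep
# gpgcheck=1 in the resulting file and verify the download (checksum or an
# https mirror) before relying on it in production.
initYum() {
cat << EOF
+--------------------------------------------------------------+
+------      Welcome to Modify the system yum source.    ------+
+--------------------------------------------------------------+
EOF

local stamp
stamp=$(date +%F)
cd /etc/yum.repos.d/ || { echo "Cannot cd to /etc/yum.repos.d - exiting" >&2; exit 1; }
cp -- CentOS-Base.repo "CentOS-Base.repo.ori.${stamp}"
# A single ICMP echo is the reachability test the original used; a DNS
# failure is caught by it as well.
if ! ping -c 1 baidu.com >/dev/null 2>&1; then
  echo $"Networking not configured - exiting"
  exit 1
fi
# -O pins the output name: without it a second run saves the file as
# CentOS-Base-sohu.repo.1 and the copy below would reuse the stale first copy.
if ! wget --quiet -O CentOS-Base-sohu.repo http://mirrors.sohu.com/help/CentOS-Base-sohu.repo \
   || [ ! -s CentOS-Base-sohu.repo ]; then
  echo $"Download of CentOS-Base-sohu.repo failed - exiting" >&2
  exit 1
fi
cp -- CentOS-Base-sohu.repo CentOS-Base.repo
echo "Modify the system yum source.------->OK"
sleep 3
}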
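#Set the character encoding  //设置字符编码
# Sets LANG to zh_CN.GB18030 in /etc/sysconfig/i18n (dated backup kept) and
# sources the file into the running shell. Returns 1 if the file is absent
# (newer releases keep the locale in /etc/locale.conf instead).
initI18n() {
cat << EOF
+--------------------------------------------------------------+
+------       Welcome to Set the character encoding.     ------+
+--------------------------------------------------------------+
EOF
printf '%s\n' '#set LANG=zh_cn.gb18030'
local cfg=/etc/sysconfig/i18n stamp
if [ ! -f "$cfg" ]; then
  echo "${cfg} not found - skipping" >&2
  return 1
fi
stamp=$(date +%F)
cp -- "$cfg" "${cfg}.${stamp}"
# The original only rewrote the literal LANG="en_US.UTF-8" line; anchor on the
# key so any existing LANG value is replaced.
sed -i 's#^LANG=.*#LANG="zh_CN.GB18030"#' "$cfg"
source "$cfg"
grep LANG "$cfg"
echo "Set the character encoding.------->OK"
sleep 3
}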
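#Close the firewall and Selinux  //关闭防火墙和Selinux
# Stops and disables iptables, switches SELinux to permissive for the running
# kernel and to disabled for the next boot. A dated backup of
# /etc/selinux/config is kept.
# NOTE(review): this step removes two protection layers at once, which is the
# opposite of hardening. Prefer keeping SELinux permissive while policy issues
# are worked out and scoping iptables rules rather than turning it off.
initFirewall() {
cat << EOF
+--------------------------------------------------------------+
+------     Welcome to Close the firewall and Selinux.   ------+
+--------------------------------------------------------------+
EOF
local stamp
stamp=$(date +"%Y-%m-%d_%H-%M-%S")
cp -- /etc/selinux/config "/etc/selinux/config.${stamp}"
/etc/init.d/iptables stop
chkconfig iptables off
# The file holds SELINUX=enforcing or SELINUX=permissive, never "enable", so
# the original pattern never matched and the setting came back on reboot.
sed -i 's/^SELINUX=\(enforcing\|permissive\)/SELINUX=disabled/' /etc/selinux/config
setenforce 0
/etc/init.d/iptables status
grep SELINUX=disabled /etc/selinux/config
echo "Close the firewall and Selinux.------->OK"
sleep 3
}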
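#Close unnecessary system service  //关闭不必要系统服务
# Disables every service enabled at runlevel 3 and re-enables a short allow
# list (crond network sshd syslog).
initService() {
cat << EOF
+--------------------------------------------------------------+
+------   Welcome to Close unnecessary system service .  ------+
+--------------------------------------------------------------+
EOF
# chkconfig output is parsed below, so force an English locale for the
# "3:on" match; the script's locale is restored afterwards.
export LANG="en_US.UTF-8"
local svc
while read -r svc; do
  chkconfig --level 3 "$svc" off
done < <(chkconfig --list | grep '3:on' | awk '{print $1}')
# NOTE(review): "syslog" is the sysklogd service name. On hosts running
# rsyslog, chkconfig reports an error here and the logger stays disabled at
# runlevel 3 — confirm the logging service name for the target release and
# keep it in this list, otherwise the host loses its audit trail.
for svc in crond network sshd syslog; do
  chkconfig --level 3 "$svc" on
done
export LANG="zh_CN.GB18030"
echo "Close unnecessary system service.------>OK"
sleep 3
}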
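#Set the sshConfig banned root login  //设置sshConfig,禁止root登录
# Moves sshd to port 52113, forbids root and empty-password logins, turns off
# reverse DNS lookups, then validates the file and reloads sshd. The dated
# backup is restored and 1 returned if the edited file fails `sshd -t`.
initSsh() {
cat << EOF
+--------------------------------------------------------------+
+------  Welcome to Set the sshConfig banned root login. ------+
+--------------------------------------------------------------+
EOF
local cfg=/etc/ssh/sshd_config stamp backup
stamp=$(date +"%Y-%m-%d_%H-%M-%S")
backup="${cfg}.${stamp}"
cp -- "$cfg" "$backup"
# Each pattern rewrites only the commented default shipped with openssh; an
# already explicit setting is left as is (the grep below shows what took
# effect).
sed -i 's%#Port 22%Port 52113%' "$cfg"
sed -i 's%#PermitRootLogin yes%PermitRootLogin no%' "$cfg"
sed -i 's%#PermitEmptyPasswords no%PermitEmptyPasswords no%' "$cfg"
# The original omitted the closing % delimiter, so sed rejected the command
# and UseDNS was never changed.
sed -i 's%#UseDNS yes%UseDNS no%' "$cfg"
grep -E "UseDNS|52113|RootLogin|EmptyPass" "$cfg"
# Validate before reloading: a broken config leaves sshd on the old settings
# (or, after a restart, not running at all) and locks out remote admins.
if ! /usr/sbin/sshd -t; then
  echo "sshd_config failed validation - restoring ${backup}" >&2
  cp -- "$backup" "$cfg"
  return 1
fi
# NOTE(review): the port moves to 52113 here; confirm the firewall and the
# SELinux port policy allow it before this reload, and keep the current
# session open until a login on the new port has been verified.
/etc/init.d/sshd reload
echo "Set the sshConfig banned root login.------>OK"
sleep 3
}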
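#Disable ctrlaltdel three key to reboot system  //禁止ctrl+alt+del三个键重启系统
# Comments out the ctrlaltdel action in /etc/inittab (dated backup kept) and
# asks init to re-read the file.
initSafe() {
cat << EOF
+--------------------------------------------------------------+
+-- Welcome to Disable ctrlaltdel three key to reboot system.--+
+--------------------------------------------------------------+
EOF
local stamp
stamp=$(date +"%Y-%m-%d_%H-%M-%S")
cp -- /etc/inittab "/etc/inittab.${stamp}"
# The original used "/" as the sed delimiter with an unescaped "/" inside the
# shutdown path, so sed rejected the expression and nothing changed. "|" as
# delimiter avoids the clash; "&" re-inserts the matched line behind "#".
sed -i 's|^ca::ctrlaltdel:/sbin/shutdown -t3 -r now|#&|' /etc/inittab
# NOTE(review): on upstart-based releases the handler lives in
# /etc/init/control-alt-delete.conf rather than /etc/inittab — confirm for
# the target release.
/sbin/init q
grep ctrlaltdel /etc/inittab
echo "Disable ctrlaltdel three key to reboot system.------>OK"
sleep 3
}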
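#Add users and set permissions in sudo //添加SA用户并设置sudo权限
# Creates group sa (gid 901) and the users in saUserArr, gives each a password
# and a passwordless sudo rule, then validates /etc/sudoers with visudo and
# restores the dated backup (exit 1) if validation fails.
# NOTE(review): every account gets full NOPASSWD sudo and a password derived
# from its own name; treat these as bootstrap accounts only and replace the
# credentials (or the whole step) before the host reaches production.
initAddUser() {
cat << EOF
+--------------------------------------------------------------+
+------Welcome to Add  users and set permissions in sudo.------+
+--------------------------------------------------------------+
EOF
local datetmp user i
datetmp=$(date +"%Y-%m-%d_%H-%M-%S")
cp -- /etc/sudoers "/etc/sudoers.${datetmp}"
local saUserArr=(test test1 test2)
groupadd -g 901 sa
for ((i = 0; i < ${#saUserArr[@]}; i++)); do
  user=${saUserArr[$i]}
  #add user //添加用户
  # uids 900..902; these sit in the system-account range on newer releases
  # and may already be taken, in which case useradd fails and says so.
  useradd -g sa -u "90${i}" "$user"
  #set password //设置密码
  # The password is the user name plus "123", identical on every host this
  # script touches. It is kept for compatibility but expired at once so the
  # first login must replace it.
  echo "${user}123" | passwd "$user" --stdin
  chage -d 0 "$user"
  #set permissions //设置sudo权限
  # -x/-F: whole-line literal match, so a partial or regex hit cannot
  # suppress the append.
  grep -qxF "${user} ALL=(ALL) NOPASSWD: ALL" /etc/sudoers \
    || echo "${user} ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
done
# The group rule is needed once; the original tested it inside the loop and
# appended again whenever the count was anything other than exactly one.
grep -q '%sa' /etc/sudoers || echo "%sa ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
if ! /usr/sbin/visudo -c; then
  /bin/cp "/etc/sudoers.${datetmp}" /etc/sudoers
  echo $"Sudoers not configured - exiting"
  exit 1
fi
echo "Add  users and set permissions in sudo.------>OK"
sleep 3
}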
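#Adjust the number of open files  //调整系统打开文件数
# Raises the nofile limit to 65535 for all users in limits.conf (dated backup
# kept), for the current shell, and via rc.local for future boots. Each file
# edit is made only once even when the step is re-run.
initOpenFiles() {
cat << EOF
+--------------------------------------------------------------+
+------    Welcome to Adjust the number of open files.   ------+
+--------------------------------------------------------------+
EOF
local stamp
stamp=$(date +"%Y-%m-%d_%H-%M-%S")
cp -- /etc/security/limits.conf "/etc/security/limits.conf.${stamp}"
# Insert the limit line above the trailing "# End of file" marker (GNU sed
# expands \t to a tab in the inserted text).
grep -q 'nofile.*65535' /etc/security/limits.conf \
  || sed -i '/# End of file/i\*\t\t-\tnofile\t\t65535' /etc/security/limits.conf
ulimit -HSn 65535
# The original appended this line on every run.
grep -qxF "ulimit -HSn 65535" /etc/rc.local \
  || echo "ulimit -HSn 65535" >> /etc/rc.local
echo "Adjust the number of open files.------>OK"
sleep 3
}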
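#Set system time synchronization  //设置系统同步时间
# Installs ntp, steps the clock once from time.windows.com and installs a
# root cron job that repeats the step every 5 minutes (added once, not on
# every run).
# NOTE(review): the clock is stepped from a public server with no
# authentication; hosts with an internal NTP source should point here at it.
initSysTime() {
cat << EOF
+--------------------------------------------------------------+
+------    Welcome to Set system time synchronization.   ------+
+--------------------------------------------------------------+
EOF

local cron_file=/var/spool/cron/root
local job='*/5 * * * * /usr/sbin/ntpdate time.windows.com >/dev/null 2>&1'
yum -y install ntp >/dev/null 2>&1 || echo "yum install ntp failed - continuing" >&2
ntpdate time.windows.com || echo "ntpdate failed - check DNS and udp/123 egress" >&2
grep -qxF "$job" "$cron_file" 2>/dev/null || echo "$job" >> "$cron_file"
# A newly created spool file inherits the umask; cron expects it private.
chmod 600 "$cron_file"
echo "Set system time synchronization.------>OK"
sleep 3
}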
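#Optimization of system kernel   //优化系统内核
# Appends a block of TCP tuning keys to /etc/sysctl.conf (dated backup kept)
# and applies it with sysctl -p. The block is marked and added only once;
# the original appended a duplicate copy on every run.
# NOTE(review): net.ipv4.tcp_tw_recycle breaks clients behind NAT, was
# removed from the kernel in 4.12, and does nothing with tcp_timestamps=0;
# tcp_fin_timeout=1 is extremely aggressive. Review these values against the
# target kernel before applying them.
initKernel() {
cat << EOF
+--------------------------------------------------------------+
+------     Welcome to Optimization of system kernel.    ------+
+--------------------------------------------------------------+
EOF
local stamp
stamp=$(date +"%Y-%m-%d_%H-%M-%S")
cp -- /etc/sysctl.conf "/etc/sysctl.conf.${stamp}"
if ! grep -qF '# initSystem.sh kernel tuning' /etc/sysctl.conf; then
cat >>/etc/sysctl.conf <<'EOF'
# initSystem.sh kernel tuning
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 87380 16777216
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.ip_local_port_range = 1024 65535
EOF
fi
/sbin/sysctl -p
echo "Optimization of system kernel.------>OK"
sleep 3
}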
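#Installation system tools  //安装系统工具
# Installs sysstat ntp net-snmp lrzsz rsync with yum. Output stays silenced
# as before, but the exit status is now reported instead of an unconditional
# OK.
initTool() {
cat << EOF
+--------------------------------------------------------------+
+------       Welcome to Installation system tools.      ------+
+------        <sysstat ntp net-snmp lrzsz rsync>        ------+
+--------------------------------------------------------------+
EOF
if yum -y install sysstat ntp net-snmp lrzsz rsync >/dev/null 2>&1; then
  echo "Installation system tools.------->OK"
else
  echo "Installation system tools.------->FAILED (see the yum log)" >&2
fi
sleep 3
}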
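#Prohibit the use of IPV6  //禁止使用IPV6
# Adds the two module aliases that keep the ipv6 module from loading to
# /etc/modprobe.conf (dated backup kept), each line once. Returns 1 if the
# file does not exist.
# NOTE(review): /etc/modprobe.conf is the older single-file location; later
# releases read /etc/modprobe.d/*.conf instead — confirm for the target
# release.
initIPV6() {
cat << EOF
+--------------------------------------------------------------+
+------        Welcome to Prohibit the use of IPV6.      ------+
+--------------------------------------------------------------+
EOF
local conf=/etc/modprobe.conf stamp line
if [ ! -f "$conf" ]; then
  echo "${conf} not found - skipping" >&2
  return 1
fi
stamp=$(date +"%Y-%m-%d_%H-%M-%S")
cp -- "$conf" "${conf}.${stamp}"
for line in "alias net-pf-10 off" "alias ipv6 off"; do
  grep -qxF "$line" "$conf" || echo "$line" >> "$conf"
done
echo "Prohibit the use of IPV6.------>OK"
sleep 3
}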
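# Interactive menu: one letter selects a step group; J runs every step.
AStr="修改系统Yum源,设置字符编码,关闭防火墙和Selinux,关闭不必要系统服务"
BStr="配置sshConfig,修改默认端口22->52113和禁止root登录"
CStr="禁止Ctrl+Alt+Del三个键重启系统"
DStr="添加SA用户并设置sudo权限"
EStr="调整系统打开文件数"
FStr="设置系统同步时间"
GStr="优化系统内核"
HStr="安装系统工具"
IStr="禁止使用IPV6"
JStr="一键初始化"
echo "+--------------------------------------------------------------+"
echo "+-----------------欢迎对系统进行初始化安全设置!---------------+"
echo "A:${AStr}"
echo "B:${BStr}"
echo "C:${CStr}"
echo "D:${DStr}"
echo "E:${EStr}"
echo "F:${FStr}"
echo "G:${GStr}"
echo "H:${HStr}"
echo "I:${IStr}"
echo "J:${JStr}"
echo "+--------------------------------------------------------------+"
echo "注意:如果没有选择初始化选项,20秒后将自动选择一键初始化安装!"
echo "+--------------------------------------------------------------+"
option="-1"
# read returns >128 on the 20 s timeout. The original mapped that case to a
# non-existent "K" arm, so the one-key init promised in the banner never ran;
# default to J on timeout only (EOF / Ctrl-D still counts as invalid input).
read -n1 -t20 -p "请选择初始化选项【A-B-C-D-E-F-G-H-I-J】:" option
rc=$?
if (( rc > 128 )); then
  option="J"
fi
if [[ ! "$option" =~ ^[A-Ja-j]$ ]]; then
  printf '\n\n%s\n' "请重新运行脚本,输入从A--->J的字母!"
  exit 1
fi
printf '\n%s\n\n' "你选择的选项是:$option"
echo "5秒之后开始安装 ......"
sleep 5
case "$option" in
  A|a)
    initYum
    initI18n
    initFirewall
    initService
    ;;
  B|b)
    initSsh
    ;;
  C|c)
    initSafe
    ;;
  D|d)
    initAddUser
    ;;
  E|e)
    initOpenFiles
    ;;
  F|f)
    initSysTime
    ;;
  G|g)
    initKernel
    ;;
  H|h)
    initTool
    ;;
  I|i)
    initIPV6
    ;;
  J|j)
    initYum
    initI18n
    initFirewall
    initService
    initSsh
    initSafe
    initAddUser
    initOpenFiles
    initSysTime
    initKernel
    initTool
    initIPV6
    ;;
  *)
    # unreachable after the pattern check above; kept as a guard
    echo "请输入从A--->J的字母,谢谢!"
    exit 1
    ;;
esac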
使用方法:将其复制,保存为一个shell文件,比如initSystem.sh。执行sh initSystem.sh,就可以使用该脚本了,如下图所示:
