您的位置 首页 shell脚本

centos7系统安全配置脚本

init_7.sh

 

#!/bin/bash
[ -f  /etc/init.d/functions ]&& . /etc/init.d/functions

status_check() {
	printf "\033[37m$1\033[0m%-40s\033[32;40m[ $2 ]\033[0m\n"
}

stat() {
	if [ $? -eq 0 ];then
		action "$1" /bin/true
	else
		action "$1" /bin/false
	fi
}

ok() {
	action "$1" /bin/true
}

fail() {
	action "$1" /bin/false
}

user_root() {
	if [ $UID -ne 0 ];then
		user=`whoami`
		fail "$user"
	else
		ok "use root or admin"
	fi
}

network_chk() {
	count=1
	num=0
	while [ $count -le 2 ]
	do
		ping -c 2 www.baidu.com &>/dev/null
		if [ $? -ne 0 ];then
			let count++
			let num++
			action "Network is wrong" /bin/false
		else
			ok "network"
			break
		fi
	done	
}

set_all() {
	user_root
	sleep 1
	network_chk
	sleep 1
	HostName
	sleep 1
	yum_update
	sleep 1
	ntp_date
	sleep 1
	ulimt_change
	sleep 1
	add_user
	sleep 1
	optimize_ssh
	sleep 1
	bash_mode
	sleep 1
	history_message
	sleep 1
	sysctl_optimize
	sleep 1
	iptables_add
	sleep 1
	other_optimize
	
}

HostName() {
	read -p 'pls enter your hostname: ' name
	hostnamectl set-hostname $name
	hostname $name && stat "hostname: $name"
}

yum_update() {
	\cp -a /etc/yum.repos.d /etc/yum.repos.d_backup &>/dev/null && stat "backup yum.repos.d"
	yum -y install wget &>/dev/null && stat "yum wget"
	wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo &>/dev/null && stat "wget Centos-7.repo"
	yum clean all &>/dev/null
	yum makecache &>/dev/null
	yum install -y vim-enhanced iproute net-tools util-linux-ng gcc-c++ make cmake libxml2-devel openssl-devel \
		screen git mailx dos2unix lrzsz dstat xinetd rsync tree bind-utils ncurses-devel autoconf automake zlib* fiex* libxml* \
		ntpdate curl wget zip unzip gcc man perl-Net-SSLeay perl-IO-Socket-SSL libmcrypt* libtool-ltdl-devel* \
		dstat tcpdump telnet salt-minion iptables-services bind-utils mtr python-devel &>/dev/null && stat "yum all packages"
}

ntp_date() {
	if [ `grep -c "aliyun.com" /etc/crontab` -eq 0 ];then
		echo "*/5 * * * * root /usr/sbin/ntpdate time1.aliyun.com &>/dev/null" >> /etc/crontab
		ok "add ntpdate"
	else
		fail "add ntpdate"
	fi		
}

ulimt_change() {
cat >> /etc/security/limits.conf <<EOF
root soft nofile 65535
root hard nofile 65535
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
EOF
echo "ulimit -SH 65535" >> /etc/rc.local
ulimit -SH 65535
n=`ulimit -n`
if [ $n -eq 65535 ];then
	ok "Ulimit: 65535"
else
	fail "ulimit: 65535"
fi
}

#shutdown_service() {
#services=(
#nfs \
#portreserve \
#restorecond \
#rpcgssd \
#rpcsvcgssd \
#rpcidmapd \
#abrt-ccpp \
#abrt-oops \
#abrtd \
#acpid \
#bluetooth \
#dund \
#hidd \
#pand \
#)
#for line in ${services[@]}
#do
#	chkconfig $line off &>/dev/null
#done
#	ok "Shutdown service"
#
#}

add_user() {
read -p "Pls enter your name and password: " name pass
useradd "$name" &>/dev/null
echo "$pass" | passwd "$name" --stdin &>/dev/null
usermod -G wheel $name
cat > /etc/pam.d/su << EOF
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth            sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
EOF
stat=$(grep -v "^#" /etc/pam.d/su | grep ^auth | grep "trust use_uid" | wc -l)
if [ $stat -eq 1 ];then
	ok "add: $name"
else
	fail "add: $name"
fi
}

optimize_ssh() {
read -p "pls enter ssh port: " port
echo "Port $port" >> /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config &>/dev/null
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config &>/dev/null
egrep -v "^#|^$" /etc/ssh/sshd_config | grep "$port"
if [ $? -eq 0 ];then
	ok "SSH: $port"
	systemctl restart sshd &>/dev/null
else
	action "SSH: faild" /bin/false
fi
}

bash_mode() {
echo 'PS1="\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@\h \[\e[36;40m\]\w\[\e[0m\]]\\$ "' >> /root/.bashrc
source /root/.bashrc && stat "bash mode"
}

history_message() {
export PROMPT_COMMAND=\
'{ msg=$(history 1 | { read x y ; echo $y ;});\
logger "[euid=$(whoami)]":$(who am i):[`pwd`]" $msg";}'
stat "history: message"
}

sysctl_optimize() {
sed -i 's/net.ipv4.tcp_syncookies.*$/net.ipv4.tcp_syncookies = 1/g' /etc/sysctl.conf &>/dev/null
cat >> /etc/sysctl.conf << ENDF
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog =  32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.ip_local_port_range = 1024  65535
ENDF
sysctl -p &>/dev/null && stat "add: sysctl"
}

iptables_add() {
port=$(grep "^Port" /etc/ssh/sshd_config | awk '{print $2}')
if [ $port != 22 ];then
	sed -i "/dport 22/a\-A INPUT -p tcp -m state --state NEW -m tcp --dport $port -j ACCEPT" /etc/sysconfig/iptables
	sed -i "/dport 22/d"  /etc/sysconfig/iptables
	systemctl restart iptables &>/dev/null && stat "iptables"
fi
}

other_optimize() {
echo "alias net-pf-10 off" >> /etc/modprobe.conf && stat "modprobe net-pf-10 off"
echo "alias ipv6 off" >> /etc/modprobe.conf && stat "ipv6 off"
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config && stat "selinux off"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all && stat "icmp off"
}

menu_list ( ) {
   echo "#########################################"
   echo "#            系统安全选项               #"
   echo "#########################################"
   echo "   [ 0 ]   默认所有安全设置               "  
   echo "   [ 1 ]   检测网络                       "  
   echo "   [ 2 ]   设置主机名                     "  
   echo "   [ 3 ]   更换yum源                      "  
   echo "   [ 4 ]   时间同步                       "  
   echo "   [ 5 ]   文件打开数修改                 "  
   echo "   [ 6 ]   添加普通用户                   "  
   echo "   [ 7 ]   优化ssh链接慢问题              "  
   echo "   [ 8 ]   修改bash提示符                 "
   echo "   [ 9 ]   记录命令到messages中           "
   echo "   [ 10 ]   优化内核参数                   "
   echo "   [ 11 ]   放通ssh登陆端口                "
   echo "   [ 12 ]   其他一些配置                   "
   echo "   [ 13 ]   退出配置选项                   "  
   echo "##########################################"
   read  -p  "请输入您的选择【0-13】:" number;
   }

menu() {
while [ 1 -eq 1 ]
do
    menu_list;
    case $number in
    0)
       set_all;;
    1)
       network_chk;;
    2)
       HostName;;
    3)
       yum_update;;
    4)
       ntp_date;;
    5)
       ulimt_change;;
    6)
       add_user;;
    7)
       optimize_ssh;;    
    8)
       bash_mode;;
    9)
       history_message;;
    10)
       sysctl_optimize;;
    11)
       iptables_add;;
    12)
       other_optimize;;
   13)
      break;;
   esac
done
}
helplist(){
    echo " 使用menu选项 打开菜单 选择安装项 ";
    echo " 使用all选项  默认安装 所有安全项 ";
    echo " 使用向导 sh safe.sh menu ";
}

setall() {
   if [ -z $1 ]
   then
      echo "参数错误"
      helplist;
   elif [ $1 = "menu" ]
   then 
       menu;
   elif [ $1 = "all" ]
   then  
       set_all;
   fi
}

setall $1  

 

欢迎来撩 : 汇总all

白眉大叔

关于白眉大叔linux云计算: 白眉大叔

热门文章