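#!/bin/bash
# CentOS 6 baseline setup script.
#
# Steps: switch the yum mirror, disable SELinux and the firewall, trim
# boot-time services, add an admin user, set the default locale to UTF-8,
# enable time sync, set shell timeout / open-file limit / history size,
# tune the kernel, harden sshd, and (as disabled notes in main) hide the OS
# version and lock key files.
#
# Must run as root; every step edits files under /etc in place.
# The shebang used to sit below the header comments, so the kernel never
# saw it and `./script.sh` would not necessarily run under bash; it is now
# on line 1 as required.

# Make the admin binaries reachable even from a minimal PATH.
export PATH=$PATH:/bin:/sbin:/usr/sbin

# Refuse to run unprivileged: everything below writes system files.
if [ "$UID" != "0" ]; then
  echo "please run this script by root." >&2
  exit 1
fi

# Command helpers resolved once. They are not used by the functions below
# (which call service/chkconfig by name) but are kept for anything that
# sources this file. `command -v` prints nothing when the tool is absent.
SERVICE=$(command -v service)
CHKCONFIG=$(command -v chkconfig)

# wget is needed by mod_yum to fetch the mirror repo file.
yum install -y wget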
# 修改yum源 (switch the yum mirror)
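function mod_yum(){
  # Replace the stock CentOS-Base.repo with the Aliyun mirror definition,
  # keeping the previous file as CentOS-Base.repo.backup.
  # The original moved the repo file aside *before* downloading (and was
  # missing the spaces between its arguments), so a failed download left
  # the host with no base repo at all. The new file is now fetched to a
  # temp path and only copied into place once wget succeeded.
  # NOTE: the repo definition is fetched over plain HTTP, so anyone on the
  # network path could hand back a file with gpgcheck=0. After this step,
  # confirm gpgcheck=1 in the installed file, or use HTTPS if the mirror
  # offers it.
  local repo=/etc/yum.repos.d/CentOS-Base.repo
  local tmp rc=0
  if [ -e "$repo" ]; then
    tmp=$(mktemp) || return 1
    if wget -O "$tmp" http://mirrors.aliyun.com/repo/Centos-6.repo; then
      cp -p -- "$repo" "$repo.backup"
      # cp onto the existing file keeps its owner/mode; a mv from /tmp
      # would carry over mktemp's 0600 and make the repo unreadable to
      # non-root yum queries.
      cp -f -- "$tmp" "$repo" || rc=1
    else
      echo "mod_yum: download failed, keeping $repo unchanged" >&2
      rc=1
    fi
    rm -f -- "$tmp"
    return "$rc"
  fi
}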
# 關閉selinux (disable SELinux)
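function close_selinux(){
  # Set SELINUX=disabled in /etc/selinux/config (effective after reboot)
  # and switch the running kernel to permissive right away.
  # The original sed expression was missing its closing "/" delimiter, so
  # sed rejected it and the config file was never changed.
  # NOTE: SELinux is the host's mandatory-access-control layer; turning it
  # off widens the impact of any compromised service. Keep this step only
  # for workloads that genuinely cannot run confined.
  sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
  setenforce 0 &>/dev/null
}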
# 關閉防火墻 (stop the firewall)
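function close_iptables(){
  # Stop the packet filter and keep it off at boot. On CentOS 6 the service
  # is "iptables"; the firewalld lines only matter on CentOS 7 and just
  # print "unrecognized service" elsewhere.
  # The original ran `/etc/init.d/iptables stop` twice; once is enough.
  # NOTE: init_ssh later inserts iptables rules limiting the SSH port to one
  # subnet and saves them, but with the service chkconfig'd off those rules
  # are unlikely to be restored after a reboot. The hosts.allow/hosts.deny
  # entries written by init_ssh are the restriction that persists.
  service iptables stop
  chkconfig iptables off
  service firewalld stop
  chkconfig firewalld off
}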
# 關閉不必要的開機啟動服務 (disable unneeded boot-time services)
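function lease_service(){
  # Disable every SysV service at boot except a short allow-list
  # (crond, sshd, network, rsyslog, sysstat).
  # Changes from the original:
  #  - no more `awk ... | bash`; the generated commands are run directly.
  #  - only "name  0:off 1:off ..." lines are taken as services. chkconfig
  #    also prints an "xinetd based services:" section in a different
  #    shape, which the original turned into bogus "chkconfig name: off".
  #  - the allow-list is matched as whole names; the original egrep was a
  #    substring match.
  # NOTE: main must call this as lease_service (the author's spelling).
  local svc
  while read -r svc; do
    case "$svc" in
      crond|sshd|network|rsyslog|sysstat) chkconfig "$svc" on ;;
      *) chkconfig "$svc" off ;;
    esac
  done < <(chkconfig --list | awk '$2 ~ /^0:/ {print $1}')
}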
# 添加用戶 (add the admin user)
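function adduser(){
  # Create the admin account "hat" and grant it passwordless sudo.
  # The password now comes from HAT_PASSWORD in the environment. The
  # original embedded it in clear text, which puts the credential in every
  # copy of this script and in version control. If HAT_PASSWORD is empty
  # nothing is created and the function returns 1, so the host never ends
  # up with a no-password root-equivalent login by accident.
  # The sudoers edit is now validated with visudo and rolled back on error;
  # the original discarded visudo's result, and a broken sudoers locks
  # everyone out of sudo.
  # NOTE: this function name shadows the system `adduser` command within
  # this script.
  # NOTE: `-g root` is kept from the original; it makes root the account's
  # primary group, which is broader than an admin account usually needs.
  local sudoers=/etc/sudoers
  if id hat &>/dev/null; then
    return 0
  fi
  if [ -z "${HAT_PASSWORD:-}" ]; then
    echo "adduser: HAT_PASSWORD is not set; user 'hat' not created" >&2
    return 1
  fi
  useradd hat -g root || return 1
  printf '%s\n' "$HAT_PASSWORD" | passwd --stdin hat || return 1
  \cp -- "$sudoers" "$sudoers.ori"
  echo "hat ALL=(ALL) NOPASSWD: ALL" >> "$sudoers"
  tail -1 "$sudoers"
  if ! visudo -c > /dev/null; then
    echo "adduser: sudoers validation failed, restoring backup" >&2
    \cp -- "$sudoers.ori" "$sudoers"
    return 1
  fi
}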
# 設置默認字符集為中文 (set the default locale to Chinese UTF-8)
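function charset(){
  # Set the system default locale to zh_CN.UTF-8 via /etc/sysconfig/i18n,
  # keeping the previous file as i18n.ori, and apply it to this shell.
  # The original was missing the spaces between the cp/echo arguments.
  local i18n=/etc/sysconfig/i18n
  [ -e "$i18n" ] && cp -- "$i18n" "$i18n.ori"
  echo 'LANG="zh_CN.UTF-8"' > "$i18n"
  source "$i18n"
}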
# 時間同步 (time synchronization)
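function time_sync(){
  # Add a root cron entry that steps the clock from time.nist.gov every
  # five minutes, unless the crontab already mentions ntpdate.
  # The original had no space between the schedule and the command
  # ("* */usr/sbin/ntpdate"), which cron parses as a malformed day-of-week
  # field, and no space between the grep pattern and the file name.
  local cron=/var/spool/cron/root
  if ! grep -qw "ntpdate" "$cron" 2>/dev/null; then
    echo "#time sync" >> "$cron"
    echo "*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1" >> "$cron"
    # Per-user crontab files are expected to be root-owned and 0600.
    chmod 600 -- "$cron"
    crontab -l
  fi
}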
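function com_line_set(){
  # Append shell defaults to /etc/profile: a 300 s idle timeout and a
  # 5-entry history, then re-source the file.
  # The original condition was inverted (-ge 3): it appended only when all
  # three settings were already present and never on a fresh host. It also
  # lacked the space after egrep and wrote "exportHISTSIZE=5" without the
  # space, which is not a valid export.
  # NOTE: HISTSIZE/HISTFILESIZE=5 keeps almost no command history, which
  # makes reconstructing activity on this host during an investigation
  # much harder; the values are kept as the author set them.
  if [ "$(egrep -c "TMOUT|HISTSIZE|HISTFILESIZE" /etc/profile)" -lt 3 ]; then
    echo "export TMOUT=300" >> /etc/profile
    echo "export HISTSIZE=5" >> /etc/profile
    echo "export HISTFILESIZE=5" >> /etc/profile
    . /etc/profile
  fi
}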
# 設置打開文件數 (set the open-file limit)
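function open_file_set(){
  # Raise the open-file limit to 65535 for all users in
  # /etc/security/limits.conf, once.
  # The original had no space between the grep pattern and the file name,
  # so grep waited on stdin instead of checking the file.
  local limits=/etc/security/limits.conf
  if ! grep -q 65535 "$limits"; then
    echo "*               -       nofile          65535 " >> "$limits"
    tail -1 "$limits"
  fi
}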
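function set_kernel(){
  # Append network/conntrack tuning to /etc/sysctl.conf (guarded by the
  # "#kernel_flag" marker so it happens once) and apply it with sysctl -p.
  # The original heredoc was written as "cat>>/etc/sysctl.conf<" with no
  # "<<EOF"; that is a syntax error, so bash aborted the whole script when
  # it reached this definition and main never ran.
  # NOTE: net.ipv4.tcp_tw_recycle=1 is known to break clients behind NAT
  # (and no longer exists in kernels 4.12+); it is kept as the author set
  # it but should be reviewed for hosts serving NAT'd clients.
  # NOTE: sysctl -p may report the net.netfilter.* keys as missing until the
  # nf_conntrack module is loaded.
  if ! grep -q kernel_flag /etc/sysctl.conf; then
    cat >> /etc/sysctl.conf <<'EOF'
#kernel_flag
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000    65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
    sysctl -p
  fi
}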
# 優化SSH (harden SSH)
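function init_ssh(){
  # Harden sshd: move it to port 52113, forbid empty passwords, disable DNS
  # lookups and GSSAPI auth, then limit the port to 192.168.10.0/24 through
  # TCP wrappers and iptables. A timestamped copy of sshd_config is kept.
  # Changes from the original: the sed expressions and the hosts/iptables
  # lines had spaces missing ("Port52113", "UseDNSno", "52113-j DROP"),
  # one GSSAPI line was duplicated, and "iptables save" is not a command
  # (the init script's "service iptables save" is). The edited config is
  # now checked with `sshd -t` and rolled back if invalid, so a bad edit
  # cannot restart sshd into a broken state and cut off remote access.
  # NOTE: the PermitRootLogin and AllowUsers edits stay commented out as the
  # author had them; if sshd's default (root login allowed) is in effect,
  # the "hat" account is not the only remote path to root.
  local cfg=/etc/ssh/sshd_config
  local backup
  backup="$cfg.$(date +"%Y-%m-%d_%H-%M-%S")"
  cp -- "$cfg" "$backup"
  sed -i "s%#Port 22%Port 52113%" "$cfg"
  #sed -i "s%#PermitRootLogin yes%PermitRootLogin no%" "$cfg"
  sed -i "s%#PermitEmptyPasswords no%PermitEmptyPasswords no%" "$cfg"
  sed -i "s%#UseDNS yes%UseDNS no%" "$cfg"
  sed -i "s%GSSAPIAuthentication yes%GSSAPIAuthentication no%" "$cfg"
  #sed -i '$a\AllowUsers hat' "$cfg"
  if ! sshd -t; then
    echo "init_ssh: sshd_config failed validation, restoring $backup" >&2
    cp -- "$backup" "$cfg"
    return 1
  fi
  service sshd restart &>/dev/null
  echo "sshd:192.168.10.0/24" >> /etc/hosts.allow
  echo "sshd:ALL" >> /etc/hosts.deny
  # -I prepends, so the ACCEPT inserted second ends up ahead of the DROP.
  iptables -I INPUT -p tcp --dport 52113 -j DROP
  iptables -I INPUT -p tcp --dport 52113 -s 192.168.10.0/24 -j ACCEPT
  service iptables save
}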
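function update_linux(){
  # Install a few admin tools when any of them is missing.
  # The original ran two package names together ("treedos2unix") and
  # compared the installed count against 3 although five packages are
  # listed, so a host with exactly four of them never got the fifth.
  local pkgs=(lrzsz nmap tree dos2unix nc)
  if [ "$(rpm -qa "${pkgs[@]}" | wc -l)" -lt "${#pkgs[@]}" ]; then
    yum install -y wget "${pkgs[@]}"
    #yum update -y
  fi
}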
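main(){
  # Run every setup step in order. Each step is independent and reports
  # its own errors; there is no set -e, so a failing step does not stop
  # the rest.
  mod_yum
  close_selinux
  close_iptables
  # The original called "least_service", which does not exist; the
  # function is defined as lease_service.
  lease_service
  adduser
  charset
  time_sync
  com_line_set
  open_file_set
  set_kernel
  init_ssh
  update_linux
  # --- Optional manual steps the author left disabled. In the original
  # these notes were bare lines without a leading "#", so bash tried to run
  # them as commands. ---
  # Hide the OS version from the login banners:
  #   > /etc/issue
  #   > /etc/issue.net
  # Lock the core account files against modification:
  #   chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
  # Unlock again with:
  #   chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
  # Rename the chattr binary: mv /usr/bin/chattr /usr/bin/hat1
  # Password-protect grub: run /sbin/grub-md5-crypt to produce a hash, then
  # add "password --md5 <hash>" to /etc/grub.conf
  # Ignore ICMP echo requests: net.ipv4.icmp_echo_ignore_all=1
}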
# Entry point; arguments are passed through although main ignores them.
main "$@"