#!/bin/bash
#########################################################
# Created Time: Tue Aug 7 01:29:09 2018
# version:1.0 by:kingle Mail: kingle122@vip.qq.com
# 基于oldboy書籍優化編寫
# 實現功能:一鍵系統優化15項腳本,適用于Centos7.x
#########################################################
# Source function library.
. /etc/init.d/functions
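# Host facts shown in the main menu banner. The listing had lost its
# command substitutions, so each assignment ran the wrong command; they are
# restored here with $(...).

# date
DATE=$(date +"%y-%m-%d %H:%M:%S")
# ip (taken from the br0 interface config; empty when that file is absent)
IPADDR=$(grep "IPADDR" /etc/sysconfig/network-scripts/ifcfg-br0 2>/dev/null | cut -d= -f 2)
# hostname
HOSTNAME=$(hostname -s)
# user
USER=$(whoami)
# disk_check: usage of the root filesystem (-P keeps each entry on one line)
DISK_SDA=$(df -hP / | awk 'NR==2 {print $5}')
# cpu_average_check: 1, 5 and 15 minute load averages
cpu_uptime=$(awk '{print $1,$2,$3}' /proc/loadavg)

# set LANG
export LANG=zh_CN.UTF-8

# Require root to run this script.
uid=$(id -u)
if [ "$uid" -ne 0 ]; then
  action "Please run this script as root." /bin/false
  exit 1
fi

# "stty erase ^H"
# Back up root's profile, then add the setting only when it is not already
# present, so repeated runs do not pile up duplicate lines.
cp -p -- /root/.bash_profile "/root/.bash_profile_$(date +%F)"
if ! grep -qxF 'stty erase ^H' /root/.bash_profile; then
  echo "stty erase ^H" >>/root/.bash_profile
  source /root/.bash_profile
fi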
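# Config Yum CentOS-Base.repo and save Yum file
#
# Replaces the CentOS base and EPEL repo definitions with the Aliyun mirror
# versions and enables keepcache in /etc/yum.conf.
# Exits the whole script (non-zero) when the mirror is unreachable or a
# download fails.
configYum() {
  local repo_dir=/etc/yum.repos.d
  local mirror=https://mirrors.aliyun.com/repo

  echo "================更新為國內YUM源=================="
  cd "$repo_dir" || exit 1
  cp -p -- CentOS-Base.repo "CentOS-Base.repo.$(date +%F)"

  # NOTE(review): the host probed by the original ping was lost from the
  # listing; the mirror itself is probed here.
  if ! ping -c 1 mirrors.aliyun.com >/dev/null 2>&1; then
    echo "無法連接網絡。"
    # The original "exit $?" returned echo's status (0) and hid the failure.
    exit 1
  fi

  # Repo definitions decide which packages root will install, so they are
  # fetched over HTTPS instead of plain HTTP. Each file is downloaded next
  # to its target first, because "wget -O" truncates the target even when
  # the transfer fails. yum ignores files that do not end in ".repo".
  # NOTE(review): confirm gpgcheck=1 is still set in the downloaded files;
  # package signatures are the real integrity control here.
  if wget -O "$repo_dir/CentOS-Base.repo.new" "$mirror/Centos-7.repo" &&
    wget -O "$repo_dir/epel.repo.new" "$mirror/epel-7.repo"; then
    mv -f -- "$repo_dir/CentOS-Base.repo.new" "$repo_dir/CentOS-Base.repo"
    mv -f -- "$repo_dir/epel.repo.new" "$repo_dir/epel.repo"
  else
    rm -f -- "$repo_dir/CentOS-Base.repo.new" "$repo_dir/epel.repo.new"
    action "配置國內YUM完成" /bin/false
    exit 1
  fi

  echo "==============保存YUM源文件======================"
  sed -i 's#keepcache=0#keepcache=1#g' /etc/yum.conf
  grep keepcache /etc/yum.conf
  sleep 5
  action "配置國內YUM完成" /bin/true
  echo "================================================="
  echo ""
  sleep 2
}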
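# Charset zh_CN.UTF-8
#
# Backs up /etc/locale.conf, rewrites it with the zh_CN.UTF-8 locale and
# loads the new settings into the current shell.
initI18n() {
  echo "================更改為中文字符集================="
  cp -p -- /etc/locale.conf "/etc/locale.conf.$(date +%F)"
  # The listing ran "/etc/locale.conf" as a command (lost ">") and then
  # appended, so the file was never emptied. Writing with ">" replaces it in
  # one step. The en_US line is kept as a comment: as an active second LANG=
  # assignment it overrode the zh_CN value this function announces.
  cat >/etc/locale.conf <<'EOF'
LANG="zh_CN.UTF-8"
#LANG="en_US.UTF-8"
SYSFONT="latarcyrheb-sun16"
EOF
  source /etc/locale.conf
  echo '#cat /etc/locale.conf'
  grep LANG /etc/locale.conf
  action "更改字符集zh_CN.UTF-8完成" /bin/true
  echo "================================================="
  echo ""
  sleep 2
}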
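# Close Selinux and Iptables
#
# Stops firewalld, switches SELinux to permissive for the running system and
# sets SELINUX=disabled in /etc/selinux/config for the next boot.
#
# NOTE(review): after this step the host has neither mandatory access
# control nor a host packet filter, so every listening service is reachable
# and unconfined. Prefer keeping SELinux enforcing and opening only the
# required ports; run this only where an upstream control replaces both.
# "service firewalld stop" lasts until the next boot only.
initFirewall() {
  local rc=0

  echo "============禁用SELINUX及關閉防火墻=============="
  cp -p -- /etc/selinux/config "/etc/selinux/config.$(date +%F)" || rc=1
  service firewalld stop || rc=1
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config || rc=1
  # setenforce returns non-zero when SELinux is already disabled; that is
  # not a failure of this step.
  setenforce 0
  echo '#grep SELINUX=disabled /etc/selinux/config '
  grep SELINUX=disabled /etc/selinux/config || rc=1
  echo '#getenforce '
  getenforce
  # Report the real outcome instead of an unconditional success.
  if [ "$rc" -eq 0 ]; then
    action "禁用selinux及關閉防火墻完成" /bin/true
  else
    action "禁用selinux及關閉防火墻完成" /bin/false
  fi
  echo "================================================="
  echo ""
  sleep 2
}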
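# Init Auto Startup Service
#
# Turns off every service that chkconfig reports as enabled in runlevel 3,
# then re-enables a short keep-list.
#
# NOTE(review): both loops were damaged in the listing. The "off" action of
# the first loop and the whole keep-list of the second are reconstructed;
# the four names below are an ASSUMED minimal set, confirm them against the
# original script before use. chkconfig only sees SysV-style services, so
# native systemd units are not touched by this function.
initService() {
  local svc
  # ASSUMED keep-list (see note above).
  local keep="crond network rsyslog sshd"

  echo "===============精簡開機自啟動===================="
  # chkconfig output is parsed for "3:on", so force an English locale.
  export LANG="en_US.UTF-8"
  for svc in $(chkconfig --list | grep 3:on | awk '{print $1}'); do
    chkconfig "$svc" off
  done
  for svc in $keep; do
    chkconfig "$svc" on
  done
  echo '+--------which services on---------+'
  chkconfig --list | grep 3:on
  echo '+----------------------------------+'
  export LANG="zh_CN.UTF-8"
  action "精簡開機自啟動完成" /bin/true
  echo "================================================="
  echo ""
  sleep 2
}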
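# Removal system and kernel version login before the screen display
#
# Empties /etc/redhat-release and /etc/issue so the pre-login banner no
# longer shows the distribution and kernel version. Both files are backed up
# first with a date suffix, like the other steps of this script do.
#
# NOTE(review): this only hides the version from the banner; it does not
# change what a network scan can fingerprint. Tools that read
# /etc/redhat-release to detect the distribution will stop working.
initRemoval() {
  local stamp
  stamp=$(date +%F)

  echo "======去除系統及內核版本登錄前的屏幕顯示======="
  # must use root user run scripts
  if [ "$UID" -ne 0 ]; then
    echo "This script must use the root user ! ! !"
    sleep 2
    # Was "exit 0", which reported success for a refused run.
    exit 1
  fi
  cp -p -- /etc/redhat-release "/etc/redhat-release.$stamp"
  cp -p -- /etc/issue "/etc/issue.$stamp"
  : >/etc/redhat-release
  : >/etc/issue
  action "去除系統及內核版本登錄前的屏幕顯示" /bin/true
  echo "================================================="
  echo ""
  sleep 2
}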
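# Change sshd default port and prohibit user root remote login.
#
# Sets Port 52113, PermitRootLogin no, PermitEmptyPasswords no,
# GSSAPIAuthentication no and UseDNS no in /etc/ssh/sshd_config, validates
# the result and restarts sshd. A date-suffixed backup is taken first and
# restored if validation fails.
#
# NOTE(review): the Port/PermitRootLogin/PermitEmptyPasswords/GSSAPI sed
# lines were lost from the listing; they are rebuilt from the values the
# function prints and from the surviving UseDNS line.
# Before running this remotely make sure that
#   - a non-root account with working sudo exists (root login is refused
#     after the restart), and
#   - tcp/52113 is allowed by the firewall and, with SELinux enforcing,
#     labelled for sshd (semanage port -a -t ssh_port_t -p tcp 52113).
# Otherwise the restart locks the operator out.
initSsh() {
  local cfg=/etc/ssh/sshd_config
  local backup
  backup="${cfg}.$(date +%F)"

  echo "========修改ssh默認端口禁用root遠程登錄=========="
  cp -p -- "$cfg" "$backup"
  sed -i -E \
    -e 's/^#?Port[[:space:]]+22$/Port 52113/' \
    -e 's/^#?PermitRootLogin[[:space:]]+yes$/PermitRootLogin no/' \
    -e 's/^#?PermitEmptyPasswords[[:space:]]+no$/PermitEmptyPasswords no/' \
    -e 's/^#?GSSAPIAuthentication[[:space:]]+yes$/GSSAPIAuthentication no/' \
    -e 's/^#?UseDNS[[:space:]]+yes$/UseDNS no/' \
    "$cfg"
  echo '+-------modify the sshd_config-------+'
  echo 'Port 52113'
  echo 'PermitEmptyPasswords no'
  echo 'PermitRootLogin no'
  echo 'UseDNS no'
  echo '+------------------------------------+'
  # Never restart sshd on a config it cannot parse: "sshd -t" checks the
  # file without touching the running daemon.
  if ! sshd -t -f "$cfg"; then
    cp -p -- "$backup" "$cfg"
    action "修改ssh參數失敗" /bin/false
  elif service sshd restart; then
    action "修改ssh默認參數完成" /bin/true
  else
    action "修改ssh參數失敗" /bin/false
  fi
  echo "================================================="
  echo ""
  sleep 2
}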
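# time sync
#
# Adds a root cron job that runs ntpdate against ntp1.aliyun.com every five
# minutes, unless an ntpdate job is already present in root's crontab.
syncSysTime() {
  local cron=/var/spool/cron/root

  echo "================配置時間同步====================="
  # The crontab may not exist yet on a fresh install; back it up only if it does.
  if [ -f "$cron" ]; then
    cp -p -- "$cron" "${cron}.$(date +%F)"
  fi
  if ! grep -q ntpdate "$cron" 2>/dev/null; then
    echo "#times sync by lee at $(date +%F)" >>"$cron"
    echo "*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com &>/dev/null" >>"$cron"
  fi
  echo '#crontab -l'
  crontab -l
  action "配置時間同步完成" /bin/true
  echo "================================================="
  echo ""
  sleep 2
}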
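# install tools
#
# Installs the admin tool set (tree nmap sysstat lrzsz dos2unix wget git)
# and updates openssl, openssh and bash through yum.
# The final status line reflects whether both yum runs succeeded.
initTools() {
  local rc=0

  echo "#####安裝升級系統補裝工具及重要工具升級(選擇最小化安裝minimal)#####"
  # Connectivity is shown to the operator only; yum's own exit status decides.
  ping -c 2 mirrors.aliyun.com
  sleep 2
  yum install tree nmap sysstat lrzsz dos2unix wget git -y || rc=1
  sleep 2
  rpm -qa tree nmap sysstat lrzsz dos2unix
  sleep 2
  yum install openssl openssh bash -y || rc=1
  sleep 2
  if [ "$rc" -eq 0 ]; then
    action "安裝升級系統補裝工具及重要工具升級(選擇最小化安裝minimal)" /bin/true
  else
    action "安裝升級系統補裝工具及重要工具升級(選擇最小化安裝minimal)" /bin/false
  fi
  echo "================================================="
  echo ""
  sleep 2
}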
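# add user and give sudoers
#
# Interactively creates a local account, sets its password and grants it
# sudo rights through /etc/sudoers.
#
# NOTE(review): large parts of this function were lost from the listing
# (the password prompt, the comparison, the passwd call, the sudoers check
# and the start of the final message). They are reconstructed from the
# surviving fragments; the password prompt, the invalid-name message and the
# prefix of the final message are constructed wording.
#
# Changes against the listing:
#   - the user name is validated before it is used, because it is written
#     verbatim into /etc/sudoers;
#   - passwords are read with "read -s" so they are not echoed to the
#     terminal or captured in a session recording;
#   - the new sudoers content is checked with "visudo -cf" before it
#     replaces /etc/sudoers, so a bad line cannot break sudo for everyone.
#
# NOTE(review): "NOPASSWD: ALL" makes this account equivalent to root with
# no re-authentication. It is kept because the script's menu promises it,
# but a password-protected or command-restricted rule is the safer default.
addUser() {
  local name pass1 pass2 candidate
  local rc=0

  echo "===================新建用戶======================"
  # add user
  while true; do
    read -r -p "請輸入新用戶名:" name
    if ! [[ "$name" =~ ^[a-z_][a-z0-9_-]*$ ]]; then
      echo "用戶名不合法,請重新輸入。"
      continue
    fi
    if getent passwd "$name" >/dev/null; then
      echo "用戶名已存在,請重新輸入。"
      continue
    fi
    if useradd "$name"; then
      break
    fi
  done

  # create password
  while true; do
    read -r -s -p "為 ${name} 創建密碼:" pass1
    echo ""
    if [ "${#pass1}" -eq 0 ]; then
      echo "密碼不能為空,請重新輸入。"
      continue
    fi
    read -r -s -p "請再次輸入密碼:" pass2
    echo ""
    if [ "$pass1" != "$pass2" ]; then
      echo "兩次密碼輸入不相同,請重新輸入。"
      continue
    fi
    # printf is a shell builtin, so the password never appears in argv.
    printf '%s\n' "$pass2" | passwd --stdin "$name" || rc=1
    break
  done
  sleep 1

  # add visudo
  echo "#####add visudo#####"
  cp -p -- /etc/sudoers "/etc/sudoers.$(date +%F)"
  if ! grep -Eq "^${name}[[:space:]]" /etc/sudoers; then
    if candidate=$(mktemp); then
      cat /etc/sudoers >"$candidate"
      printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$name" >>"$candidate"
      if visudo -cf "$candidate" >/dev/null; then
        # cat keeps the owner and mode of the existing /etc/sudoers.
        cat "$candidate" >/etc/sudoers
        echo '#tail -1 /etc/sudoers'
        grep -w "$name" /etc/sudoers
        sleep 1
      else
        rc=1
      fi
      rm -f -- "$candidate"
    else
      rc=1
    fi
  fi

  if [ "$rc" -eq 0 ]; then
    action "新建用戶${name}并將其加入visudo完成" /bin/true
  else
    action "新建用戶${name}并將其加入visudo完成" /bin/false
  fi
  echo "================================================="
  echo ""
  sleep 2
}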
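# Adjust the file descriptor(limits.conf)
#
# Adds "* - nofile 65535" to /etc/security/limits.conf when no active
# (uncommented) nofile entry exists, and raises the limit of the current
# shell to the same value.
initLimits() {
  local conf=/etc/security/limits.conf

  echo "===============加大文件描述符===================="
  if ! grep nofile "$conf" | grep -qv "^#"; then
    cp -p -- "$conf" "${conf}.$(date +%F)"
    echo '* - nofile 65535' >>"$conf"
  fi
  echo '#tail -1 /etc/security/limits.conf'
  tail -1 "$conf"
  # Applies to this shell and its children only; new logins read limits.conf.
  ulimit -HSn 65535
  echo '#ulimit -n'
  ulimit -n
  action "配置文件描述符為65535" /bin/true
  echo "================================================="
  echo ""
  sleep 2
}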
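# set the control-alt-delete to guard against the miSUSE
#
# Disables the reboot that Ctrl-Alt-Delete triggers on the console.
#
# The listing edited only the upstart file /etc/init/control-alt-delete.conf
# and always reported success. That file does not exist on systemd hosts
# (the header targets CentOS 7.x), where the key combination is handled by
# ctrl-alt-del.target, so both cases are covered here. The sed expression
# also used "#" as delimiter and as replacement text, which sed rejects; it
# now uses "|" and is anchored so a second run does not add another "#".
initRestart() {
  local upstart_conf=/etc/init/control-alt-delete.conf
  local rc=0

  if [ -f "$upstart_conf" ]; then
    sed -i 's|^exec /sbin/shutdown -r now|#&|' "$upstart_conf" || rc=1
  elif command -v systemctl >/dev/null 2>&1; then
    systemctl mask ctrl-alt-del.target || rc=1
  else
    rc=1
  fi

  if [ "$rc" -eq 0 ]; then
    action "將ctrl alt delete鍵進行屏蔽,防止誤操作的時候服務器重啟" /bin/true
  else
    action "將ctrl alt delete鍵進行屏蔽,防止誤操作的時候服務器重啟" /bin/false
  fi
  echo "================================================="
  echo ""
  sleep 2
}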
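# Optimizing the system kernel
#
# Appends a block of TCP and conntrack tunables to /etc/sysctl.conf, loads
# the nf_conntrack and bridge modules now and at boot (via /etc/rc.local),
# and applies the settings with "sysctl -p".
#
# NOTE(review): the guard in the listing compared a count of existing
# "net.ipv4.tcp" lines with a threshold that was lost; the block is appended
# here only when no such line exists yet.
# NOTE(review): net.ipv4.tcp_tw_recycle = 1 is known to drop connections
# from clients behind NAT and the option was removed from later kernels.
# The values are kept as the author wrote them; review this one before use.
initSysctl() {
  local rc=0
  local mod

  echo "================優化內核參數====================="
  if ! grep -q "net.ipv4.tcp" /etc/sysctl.conf; then
    cp -p -- /etc/sysctl.conf "/etc/sysctl.conf.$(date +%F)"
    cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
  fi
  cp -p -- /etc/rc.local "/etc/rc.local.$(date +%F)"
  # The modules must be loaded before "sysctl -p": the nf_conntrack keys do
  # not exist until then. The rc.local lines are added once only, so reruns
  # do not stack duplicates.
  for mod in nf_conntrack bridge; do
    modprobe "$mod" || rc=1
    grep -qxF "modprobe $mod" /etc/rc.local ||
      echo "modprobe $mod" >>/etc/rc.local
  done
  sysctl -p || rc=1
  if [ "$rc" -eq 0 ]; then
    action "內核調優完成" /bin/true
  else
    action "內核調優完成" /bin/false
  fi
  echo "================================================="
  echo ""
  sleep 2
}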
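# setting history and login timeout
#
# Sets a 300 second idle logout (TMOUT) and limits shell history to 100
# entries by appending the settings to /etc/profile.
# Each line is added only if it is not already there, so running the step
# again does not grow /etc/profile.
#
# NOTE(review): TMOUT is set as a plain variable, so a user can unset it;
# "readonly TMOUT" would enforce it. A 100-line history also shortens what
# is available for later review of a session; command auditing should not
# rely on shell history.
initHistory() {
  local setting

  echo "======設置默認歷史記錄數和連接超時時間======"
  for setting in "TMOUT=300" "HISTSIZE=100" "HISTFILESIZE=100"; do
    grep -qxF -- "$setting" /etc/profile || echo "$setting" >>/etc/profile
  done
  tail -3 /etc/profile
  source /etc/profile
  action "設置默認歷史記錄數和連接超時時間" /bin/true
  echo "================================================="
  echo ""
  sleep 2
}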
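# chattr file system
#
# Marks the account databases and /etc/inittab immutable, then renames the
# chattr binary to /usr/bin/lock.
#
# The listing failed on a second run because /usr/bin/chattr had already
# been renamed, yet it still reported success. The binary is now looked up
# under both names and the result is reported truthfully.
#
# NOTE(review): once these files are immutable, useradd, passwd and package
# scripts that touch them fail until the flag is removed with
# "/usr/bin/lock -i <file>". Renaming chattr does not stop a root user from
# clearing the flag and it makes package verification report a missing
# file; treat it as a guard against accidents, not as a security control.
initChattr() {
  local tool=""
  local rc=0
  local target

  echo "======鎖定關鍵文件系統======"
  if [ -x /usr/bin/chattr ]; then
    tool=/usr/bin/chattr
  elif [ -x /usr/bin/lock ]; then
    tool=/usr/bin/lock
  fi

  if [ -n "$tool" ]; then
    for target in /etc/passwd /etc/inittab /etc/group /etc/shadow /etc/gshadow; do
      "$tool" +i "$target" || rc=1
    done
    if [ "$tool" = /usr/bin/chattr ]; then
      /bin/mv /usr/bin/chattr /usr/bin/lock || rc=1
    fi
  else
    rc=1
  fi

  if [ "$rc" -eq 0 ]; then
    action "鎖定關鍵文件系統" /bin/true
  else
    action "鎖定關鍵文件系統" /bin/false
  fi
  echo "================================================="
  echo ""
  sleep 2
}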
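# Installs a root cron job that empties the postfix maildrop queue every
# minute through /server/scripts/del_file.sh.
#
# Changes against the listing:
#   - the directory test used -f, which is never true for a directory;
#   - the generated script piped find into xargs, which mis-handles file
#     names containing whitespace or quotes; it now uses "find -delete";
#   - the cron lines are added once only, so reruns do not duplicate the job.
#
# NOTE(review): the generated script runs as root every minute. Keep
# /server/scripts and the script writable by root only, otherwise any
# account that can modify it gains root.
del_file() {
  local script_dir=/server/scripts
  local script=/server/scripts/del_file.sh
  local cron=/var/spool/cron/root
  local job="*/1 * * * * /bin/bash /server/scripts/del_file.sh &>/dev/null"

  echo "======定時清理郵件任務======"
  [ -d "$script_dir" ] || mkdir -p "$script_dir"
  echo "find /var/spool/postfix/maildrop/ -type f -delete" >"$script"
  chmod go-w "$script_dir" "$script"
  if ! grep -qxF -- "$job" "$cron" 2>/dev/null; then
    echo '#this is del mail task by kingle at 2018-8-8' >>"$cron"
    echo "$job" >>"$cron"
  fi
  echo "================================================="
  echo ""
  sleep 2
}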
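# Empties /etc/issue and /etc/issue.net so login banners no longer show the
# distribution, after printing the previous CentOS line for the operator to
# note down.
#
# NOTE(review): the truncation redirects and both command substitutions in
# the check were lost from the listing and are restored here. The original
# check searched for lowercase "cent", which never matches the "CentOS"
# banner text, so it could not detect a failed cleanup; it is now
# case-insensitive. The second test is taken to refer to /etc/issue.net.
hide_info() {
  local Version_information

  echo "======!!隱藏系統信息!!======"
  echo "======此項注意不要自己忘記了那就沒救了======"
  echo "======不建議使用======"
  # Empty when /etc/issue was already cleared by an earlier step.
  Version_information=$(grep "CentOS" /etc/issue)
  : >/etc/issue
  : >/etc/issue.net
  if ! grep -qi cent /etc/issue && ! grep -qi cent /etc/issue.net; then
    echo "======清除成功====="
  else
    : >/etc/issue
    : >/etc/issue.net
  fi
  echo "$Version_information"
  echo "=====認準本系統版本======"
  sleep 10
  echo "================================================="
}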
# Prints instructions for protecting the boot loader with a password; it
# changes nothing on the system and pauses 10 seconds so the text can be read.
#
# NOTE(review): grub-md5-crypt and /etc/grub.conf belong to GRUB legacy,
# while the file header targets CentOS 7.x, which presumably boots with
# GRUB2 - confirm which boot loader is installed. MD5 password hashes are
# also weak by current standards.
grub_md5() {
  printf '%s\n' \
    "======grub_md5加密======" \
    "======命令行輸入:/sbin/grub-md5-crypt 進行交互式加密======" \
    "把密碼寫入/etc/grub.conf 格式:password --MD5 密碼" \
    ""
  sleep 10
}
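# menu2
#
# Custom menu: shows the individual steps and runs the one the operator
# picks, until 0 is entered.
#
# NOTE(review): every case label was lost from the listing and the stray
# "menu2" line before the definition called the function before it existed.
# The labels are rebuilt from the menu text. The menu lists 18 entries but
# the dispatch had only 17 arms: entry 11 (GSSAPI / DNS lookup) had no arm
# of its own, which would shift every later entry by one. Entry 11 is
# mapped to initSsh, the only function that changes those two settings -
# note that initSsh also changes the port and root login. Confirm this
# mapping against the original script. The advertised range [0-15] is
# corrected to [0-18].
menu2() {
  local input2 i

  while true; do
    clear
    cat <<EOF
|****Please Enter Your Choice:[0-18]****|
(1) 新建一個用戶并將其加入visudo
(2) 配置為國內YUM源鏡像和保存YUM源文件
(3) 配置中文字符集
(4) 禁用SELINUX及關閉防火墻
(5) 精簡開機自啟動
(6) 去除系統及內核版本登錄前的屏幕顯示
(7) 修改ssh默認端口及禁用root遠程登錄
(8) 設置時間同步
(9) 安裝系統補裝工具(選擇最小化安裝minimal)
(10) 加大文件描述符
(11) 禁用GSSAPI來認證,也禁用DNS反向解析,加快SSH登陸速度
(12) 將ctrl alt delete鍵進行屏蔽,防止誤操作的時候服務器重啟
(13) 系統內核調優
(14) 設置默認歷史記錄數和連接超時時間
(15) 鎖定關鍵文件系統
(16) 定時清理郵件任務
(17) 隱藏系統信息
(18) grub_md5加密
(0) 返回上一級菜單
EOF
    read -r -p "Please enter your Choice[0-18]: " input2
    case "$input2" in
      0)
        clear
        break
        ;;
      1) addUser ;;
      2) configYum ;;
      3) initI18n ;;
      4) initFirewall ;;
      5) initService ;;
      6) initRemoval ;;
      7) initSsh ;;
      8) syncSysTime ;;
      9) initTools ;;
      10) initLimits ;;
      11) initSsh ;;
      12) initRestart ;;
      13) initSysctl ;;
      14) initHistory ;;
      15) initChattr ;;
      16) del_file ;;
      17) hide_info ;;
      18) grub_md5 ;;
      *)
        echo "----------------------------------"
        echo "| Warning!!! |"
        echo "| Please Enter Right Choice! |"
        echo "----------------------------------"
        # Three second countdown, overwriting the previous digit.
        for i in 3 2 1; do
          echo -ne "\b\b$i"
          sleep 1
        done
        clear
        ;;
    esac
  done
}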
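# NOTE(review): the listing shows a bare "initTools" here, before the menu.
# It is kept as a call, but it may have been a commented-out line whose "#"
# was lost - confirm, since it installs packages before the operator has
# chosen anything.
initTools

# menu
#
# Main loop: shows host facts and the three top-level choices.
# NOTE(review): the case labels and half of the banner labels were lost
# from the listing; labels 1-3 follow the menu text, and the HOSTNAME, IP
# and CPU_AVERAGE captions are reconstructed.
# Choice 1 runs every step without further prompts, including the ones that
# disable SELinux and the firewall and that change the sshd port and root
# login; use choice 2 to apply steps one at a time on a remote host.
while true; do
  clear
  echo "========================================"
  echo ' Linux Optimization '
  echo "========================================"
  cat <<EOF
|-----------System Infomation-----------
| DATE :$DATE
| HOSTNAME :$HOSTNAME
| USER :$USER
| IP :$IPADDR
| DISK_USED :$DISK_SDA
| CPU_AVERAGE :$cpu_uptime
|****Please Enter Your Choice:[1-3]****|
(1) 一鍵優化
(2) 自定義優化
(3) 退出
EOF
  # choice
  read -r -p "Please enter your choice[0-3]: " input1
  case "$input1" in
    1)
      addUser
      configYum
      initI18n
      initFirewall
      initService
      initRemoval
      initSsh
      syncSysTime
      initTools
      initLimits
      initRestart
      initSysctl
      initHistory
      initChattr
      ;;
    2)
      menu2
      ;;
    3)
      clear
      break
      ;;
    *)
      echo "----------------------------------"
      echo "| Warning!!! |"
      echo "| Please Enter Right Choice! |"
      echo "----------------------------------"
      # Three second countdown, overwriting the previous digit.
      for i in 3 2 1; do
        echo -ne "\b\b$i"
        sleep 1
      done
      clear
      ;;
  esac
done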