检查系统版本
if grep -iq '6.[0-9].*' /etc/redhat-release ; then
export OSVersion=6
elif grep -iq '7.[0-9].*' /etc/redhat-release ; then
export OSVersion=7
fi
移除系统软件
local RPMList="mysql nginx apache"
for rpm in $RPMList; do
yum -y remove $rpm
done
安装软件包
localRPM="/tmp/localRPM.list"
rpm -qa|egrep -v 'vim-' > $localRPM
if [ $OSVersion -eq 6 ]; then
RPMList="openssh-clients crontabs ntpdate vim wget curl rsync tmpwatch tree telnet nc nmap iftop iotop expect unzip setuptool system-config-network-tui htop lrzsz"
elif [ $OSVersion -eq 7 ]; then
RPMList="openssh-clients crontabs vim wget ntpdate curl rsync tmpwatch tree telnet nc nmap iftop iotop expect unzip setuptool htop lrzsz net-tools bash-completion lsof dos2unix telnet psmisc perl-Data-Dumper"
fi
for rpm in $RPMList; do
grep -q "^$rpm-" $localRPM && continue
yum -y --disablerepo="*" --enablerepo="LocalYumRepo" install $rpm >/dev/null 2>&1;
if [ $? -eq 0 ];then
echo "Install $rpm OK"
else
echo "Install $rpm False"
exit 2
fi;
done
设定shell配置
# Bash Shell
sed -i '/HISTTIMEFORMAT=/d' /etc/bashrc
sed -i '/HISTFILESIZE=/d' /etc/bashrc
sed -i '/HISTSIZE=/d' /etc/bashrc
echo -e "
shopt -s histappend" >> /etc/bashrc
echo "export HISTFILESIZE=100000" >> /etc/bashrc
echo "export HISTSIZE=1000" >> /etc/bashrc
echo "export HISTTIMEFORMAT="%F %T "" >> /etc/bashrc
关闭Selinux
if [ -s /etc/selinux/config ]; then
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
setenforce 0
fi
关闭IPv6
echo "NETWORKING_IPV6=off" >>/etc/sysconfig/network
if [ $OSVersion -eq 6 ]; then
sed -i '/NETWORKING_IPV6/d' /etc/sysconfig/network
echo "NETWORKING_IPV6=off" >> /etc/sysconfig/network
if grep -q 'ipv6.disable' /boot/grub/grub.conf; then
sed -i 's/ipv6.disable=[0-9]/ipv6.disable=1/g' /boot/grub/grub.conf
else
sed -i 's/(kernel.*ro )/1ipv6.disable=1 /g' /boot/grub/grub.conf
fi
elif [ $OSVersion -eq 7 ]; then
if grep -q 'ipv6.disable' /etc/default/grub; then
sed -i 's/ipv6.disable=[0-9]/ipv6.disable=1/g' /etc/default/grub
else
sed -i '/GRUB_CMDLINE_LINUX/ s/="/="ipv6.disable=1 /' /etc/default/grub
fi
grub2-mkconfig -o /boot/grub2/grub.cfg
fi
关闭Firewall
iptables -Z
iptables -X
iptables -F
if [ $OSVersion -eq 6 ]; then
/etc/init.d/iptables save
/etc/init.d/iptables stop
elif [ $OSVersion -eq 7 ]; then
DisableService="$(systemctl list-unit-files --type=service|grep enabled|egrep -v "acpid.service|autovt@.service|crond.service|dbus-org.freedesktop.nm-dispatcher.service|getty@.service|irqbalance.service|microcode.service|rsyslog.service|sshd.service|systemd-readahead-collect.service|systemd-readahead-drop.service|systemd-readahead-replay.service"|awk '{print $1}')"
for offservice in $DisableService; do
systemctl stop $offservice >/dev/null 2>&1
systemctl disable $offservice >/dev/null 2>&1
done
/sbin/chkconfig network on
fi
系统连接优化
Parameter="# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# ARP
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
# TCP Memory
net.core.rmem_default = 2097152
net.core.wmem_default = 2097152
net.core.rmem_max = 4194304
net.core.wmem_max = 4194304
net.ipv4.tcp_rmem = 4096 8192 4194304
net.ipv4.tcp_wmem = 4096 8192 4194304
net.ipv4.tcp_mem = 524288 699050 1048576
# TCP SYN
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.core.netdev_max_backlog = 16384
# TIME_WAIT
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_fin_timeout = 2
net.ipv4.ip_local_port_range = 20000 50000
# TCP keepalive
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
# Other TCP
net.ipv4.tcp_max_orphans = 65535
net.core.somaxconn = 16384
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
vm.swappiness = 0"
Options="$(echo "$Parameter"|grep -v '# '|awk -F' = ' '{print $1}')"
for Option in $Options; do
sed -i "/$Option/d" /etc/sysctl.conf
done
sed -i "/tables/d" /etc/sysctl.conf
echo -e "
# Anton modify $(date +%F)" >> /etc/sysctl.conf
echo "$Parameter" >> /etc/sysctl.conf
sysctl -p 1> /dev/null
设置定时任务
if [ $OSVersion -eq 6 ]; then
for offservice in $(chkconfig --list|grep "3:on"|awk '{print $1}'|egrep -v "crond|network|sshd|syslog|rsyslog|acpid");do chkconfig $offservice off;done
for onservice in $(chkconfig --list|awk '{print $1}'|egrep "crond|network|sshd|syslog|rsyslog|acpid");do chkconfig $onservice on && /etc/init.d/$onservice start > /dev/null 2>&1;done
fi
设置SSH服务配置
#Set SSHD
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Options="UsePAM PermitEmptyPasswords UseDNS GSSAPIAuthentication"
for Option in $Options ; do
sed -i "/$Option/d" /etc/ssh/sshd_config
done
echo 'PermitEmptyPasswords no' >>/etc/ssh/sshd_config
echo 'UsePAM no' >>/etc/ssh/sshd_config
echo 'UseDNS no' >>/etc/ssh/sshd_config
echo 'GSSAPIAuthentication no' >>/etc/ssh/sshd_config
if [ $OSVersion -eq 6 ]; then
/etc/init.d/sshd reload
elif [ $OSVersion -eq 7 ]; then
systemctl restart sshd
fi
设置系统限制值
cp /etc/security/limits.conf /etc/security/limits.conf.bak
#echo "* - nofile 65535" >>/etc/security/limits.conf
echo -e "* soft nofile 65535
* hard nofile 65535" >> /etc/security/limits.conf && ulimit -SHn 65535
cp /etc/security/limits.d/*-nproc.conf /etc/security/limits.d/nproc.conf.bak
if [ $OSVersion -eq 6 ]; then
sed -i 's#1024#unlimited#g' /etc/security/limits.d/*-nproc.conf
elif [ $OSVersion -eq 7 ]; then
sed -i 's#4096#unlimited#g' /etc/security/limits.d/*-nproc.conf
fi
设定主机时区
#Set timezone
test -f /etc/timezone && rm -f /etc/timezone
rm -f /etc/localtime
ln -s /usr/share/zoneinfo/UTC /etc/localtime
设置系统语言
if [ -f /etc/sysconfig/i18n ]; then
sed -i '/LANG/d' /etc/sysconfig/i18n
sed -i '/LC_ALL/d' /etc/sysconfig/i18n
echo -e "LANG="en_US.UTF-8"" >> /etc/sysconfig/i18n
fi
设置系统DNS
echo -e "nameserver 8.8.8.8
nameserver 114.114.114.114" >> /etc/resolv.conf