  • Centos7 系统初始化脚本

    系统初始化设置

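    # Set the hostname persistently; it shows up in the prompt at the next login.
    # "xxxxx" is the page's placeholder for the real hostname.
    hostnamectl set-hostname xxxxx

    # Add the EPEL repository definition, then install everyday tools.
    # The repo file is fetched over HTTPS rather than plain HTTP: a repo
    # definition altered in transit decides which mirrors and which GPG
    # settings yum trusts for every later install.
    # NOTE(review): after the download, check the gpgcheck/gpgkey and baseurl
    # lines in /etc/yum.repos.d/epel.repo before installing from it.
    # The chain no longer ends in a dangling "&&", which would have tied the
    # time-zone command below to the success of the package install.
    yum install -y wget &&
      wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo &&
      yum -y install bash-completion telnet nmap tree net-tools ntpdate

    # Set the time zone, then do a one-off clock sync.
    # The explanatory words that followed each command on the same line were
    # not comments and would have been passed to the command as arguments.
    timedatectl set-timezone Asia/Shanghai
    ntpdate hk.ntp.org.cn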
    
    
    
    # Raise the open-file limit (nofile) to 65535, soft and hard.
    # root is listed by name because pam_limits does not apply the "*"
    # wildcard to root.
    printf '%s\n' \
      'root     soft   nofile   65535' \
      'root     hard   nofile   65535' \
      '*        soft   nofile   65535' \
      '*        hard   nofile   65535' >>/etc/security/limits.conf
    # Show the limit of the current shell.
    ulimit -n
    
    
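    # Firewall (firewalld) rules.
    # The step descriptions below were bare text in the original and would have
    # been executed as commands; they are comments now.

    # Open a port in the public zone.
    firewall-cmd --zone=public --add-port=80/tcp --permanent

    # Allow a service by name.
    # NOTE(review): this command and the rich rules below name no --zone, so
    # they go to firewalld's default zone, which is not necessarily "public";
    # confirm with `firewall-cmd --get-default-zone`.
    firewall-cmd --permanent --add-service https

    # Open a port to selected sources only: 192.168.142.166 and
    # 192.168.224.0/24 may reach 5432/tcp, nobody else.
    # The rule is wrapped in single quotes so the inner double quotes reach
    # firewalld intact; nested double quotes were being stripped by the shell.
    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.142.166" port protocol="tcp" port="5432" accept'
    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.224.0/24" port protocol="tcp" port="5432" accept'

    # Reload so the --permanent rules become the running configuration.
    firewall-cmd --reload
    # Review what is actually exposed after the reload.
    firewall-cmd --list-all

    # Optional: stop the firewall and keep it off across reboots.
    # NOTE(review): this discards every rule configured above, including the
    # source restriction on 5432/tcp, and leaves each listening port reachable.
    # Skip this step unless filtering is enforced somewhere else in front of
    # the host.
    systemctl stop firewalld.service && systemctl disable firewalld.service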
    
    
    
    
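    # Disable SELinux: setenforce 0 switches the running system to permissive,
    # and the sed edit makes "disabled" the mode read at the next boot.
    # The substitution is anchored on the SELINUX= key instead of "line 7", so
    # it still edits the right setting when the file layout differs and never
    # touches another line that happens to contain "enforcing".
    # NOTE(review): this removes mandatory access control from the host. When
    # the goal is only to unblock a service, SELINUX=permissive keeps denials
    # in the audit log so the policy can be fixed and enforcing restored.
    setenforce 0 && sed -i 's#^SELINUX=enforcing#SELINUX=disabled#' /etc/selinux/config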
    
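    # Turn off sshd's DNS lookups of connecting clients (UseDNS) and GSSAPI
    # authentication. -i.bak keeps the previous file as sshd_config.bak.
    # The first expression only matches the commented-out default
    # "#UseDNS yes"; an already uncommented "UseDNS yes" line is left as is.
    sed -i.bak 's@#UseDNS yes@UseDNS no@g;s@^GSSAPIAuthentication yes@GSSAPIAuthentication no@g'  /etc/ssh/sshd_config
    # Validate the edited file first: restarting sshd on a broken config can
    # cut off remote access to the host.
    sshd -t && systemctl restart sshd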
    
    
    # 目录规划
    /server/scripts/   脚本存放目录
    /server/tools/     安装包存放目录
    /usr/local/        服务安装目录
    /backup/           备份目录
    
    
    
    # ssh 白名单规则
    在 /etc/hosts.allow 设置,允许连接的IP
    sshd:167.179.49.12
    sshd:192.168.224.0/24
    在 /etc/hosts.deny 设置,拒绝所有的连接
    # Deny sshd to every source that /etc/hosts.allow does not list.
    # NOTE(review): add your own source address to /etc/hosts.allow before
    # running this, and keep the current session open while testing a new
    # login. These files only take effect if sshd is built with TCP wrappers
    # (libwrap) support - confirm on the target system.
    printf '%s\n' 'sshd:all' >>/etc/hosts.deny

    Centos7 系统初始化脚本

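    #!/bin/bash
    # CentOS 7 initialisation script: EPEL repo and base tools, open-file
    # limits, TCP/kernel tuning, sshd login speed-up, periodic time sync.
    # Run as root. Every step appends to system files, so running the script
    # twice duplicates the appended entries.

    # Add the EPEL repo definition and install the base tool set.
    # The repo file is fetched over HTTPS: a definition altered in transit
    # decides which mirrors and GPG settings yum trusts afterwards.
    # NOTE(review): the chain ends by stopping and disabling firewalld, which
    # leaves every listening port on the host reachable. Keep that step only
    # when filtering is enforced elsewhere; otherwise leave firewalld running
    # and open just the ports the host serves.
    yum install -y wget &&
      wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo &&
      yum -y install vim wget bash-completion lrzsz nmap tree nc net-tools htop iotop iftop psmisc ntpdate &&
      systemctl stop firewalld.service && systemctl disable firewalld.service
    # SELinux is deliberately left untouched; the disabling command stays
    # commented out.
    #setenforce  0  && sed '7s#enforcing#disabled#g' /etc/selinux/config -i

    # Raise the open-file limit. Each limits.conf record needs its own line;
    # the original echo wrote the soft and hard entries fused onto one line,
    # so the hard entry was never a record of its own.
    # The "*" wildcard is not applied to root by pam_limits; add explicit
    # root entries if root needs the higher limit too.
    printf '%s\n' '* soft nofile 65535' '* hard nofile 65535' >>/etc/security/limits.conf

    # Raise the limit for this shell only.
    ulimit -n 65535

    # Kernel / TCP tuning.
    # net.ipv4.tcp_tw_recycle = 1 from the original list is left out: together
    # with TCP timestamps it makes the server drop connections from clients
    # that share one address behind NAT, and newer kernels no longer have the
    # key, which makes `sysctl -p` report an error.
    # tcp_syncookies = 1 keeps the listener answering when the SYN backlog is
    # full.
    # NOTE(review): tcp_syn_retries / tcp_synack_retries = 1 and
    # tcp_fin_timeout = 2 are aggressive; on lossy links handshakes give up
    # after a single retry.
    printf '%s\n' \
      'net.ipv4.tcp_fin_timeout = 2' \
      'net.ipv4.tcp_tw_reuse = 1' \
      'net.ipv4.tcp_syncookies = 1' \
      'net.ipv4.tcp_keepalive_time = 600' \
      'net.ipv4.ip_local_port_range = 4000    65000' \
      'net.ipv4.tcp_max_syn_backlog = 16384' \
      'net.ipv4.tcp_max_tw_buckets = 36000' \
      'net.ipv4.route.gc_timeout = 100' \
      'net.ipv4.tcp_syn_retries = 1' \
      'net.ipv4.tcp_synack_retries = 1' \
      'net.core.somaxconn = 16384' \
      'net.core.netdev_max_backlog = 16384' \
      'net.ipv4.tcp_max_orphans = 16384' >>/etc/sysctl.conf
    sysctl -p

    # Turn off sshd's client DNS lookups and GSSAPI authentication; -i.bak
    # keeps the previous file as sshd_config.bak.
    sed -i.bak 's@#UseDNS yes@UseDNS no@g;s@^GSSAPIAuthentication yes@GSSAPIAuthentication no@g'  /etc/ssh/sshd_config
    # Validate before restarting so a broken config cannot lock out SSH access.
    sshd -t && systemctl restart sshd

    # Sync the clock from cron.
    # NOTE(review): "* * * * *" runs ntpdate every minute, steps the clock each
    # time, and cron will try to mail the command's output to root on every
    # run. A time daemon such as chronyd, or a much lower frequency with the
    # output redirected, is the usual choice.
    echo '* * * * *  root /usr/sbin/ntpdate ntp1.aliyun.com' >>/etc/crontab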
  • 原文地址:https://www.cnblogs.com/root0/p/10175251.html