  • centos7系统优化

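    echo -e "\033[1;41;33m########## 删除不必要的用户 ############\033[0m"
    # Remove default accounts this host does not use. Each name is checked
    # first so a second run (or an image that lacks the account) does not
    # print errors from userdel/groupdel.
    for account in adm lp shutdown halt operator ftp; do
        if getent passwd "$account" >/dev/null; then
            userdel "$account"
        fi
    done
    if getent group games >/dev/null; then
        groupdel games
    fi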

     

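    echo -e "\033[1;41;33m############# 内核 ############\033[0m"
    # Kernel and TCP tuning appended to /etc/sysctl.conf. The marker line keeps
    # a second run from appending the whole list again.
    if ! grep -qxF '# centos7 tuning block' /etc/sysctl.conf; then
        {
            echo '# centos7 tuning block'
            echo 'fs.file-max = 999999'
            echo 'net.ipv4.ip_local_port_range = 1024 65000'
            echo 'net.ipv4.tcp_tw_reuse = 1'
            # tcp_tw_recycle rejects connections from clients that share a NAT
            # address, so it is written as 0 here (the article set it to 1).
            echo 'net.ipv4.tcp_tw_recycle = 0'
            echo 'net.ipv4.tcp_fin_timeout = 30'
            # NOTE(review): tcp_mem is counted in pages, not bytes; confirm
            # these values against the RAM of the host.
            echo 'net.ipv4.tcp_mem = 94500000 915000000 927000000'
            echo 'net.ipv4.tcp_rmem = 10240 87380 12582912'
            echo 'net.ipv4.tcp_wmem = 10240 87380 12582912'
            echo 'net.ipv4.tcp_syncookies = 1'
            echo 'net.ipv4.tcp_synack_retries = 1'
            echo 'net.ipv4.tcp_max_syn_backlog = 262144'
            # NOTE(review): 262114 looks like a typo for 262144 - confirm.
            echo 'net.ipv4.tcp_max_orphans = 262114'
            echo 'net.ipv4.tcp_max_tw_buckets = 5000'
            echo 'net.ipv4.tcp_keepalive_time = 600'
            echo 'net.ipv4.tcp_keepalive_probes = 3'
            echo 'net.ipv4.tcp_keepalive_intvl = 15'
            # NOTE(review): tcp_tw_reuse depends on TCP timestamps, so with
            # timestamps off the tcp_tw_reuse line above has no effect; decide
            # which of the two settings is actually wanted.
            echo 'net.ipv4.tcp_timestamps = 0'
            echo 'net.ipv4.tcp_sack = 1'
            echo 'net.ipv4.tcp_slow_start_after_idle = 0'
            # NOTE(review): conf.default.* seeds interfaces created after the
            # value is set; confirm whether conf.all.* should be set as well.
            echo 'net.ipv4.conf.default.rp_filter = 1'
            echo 'net.ipv4.conf.default.accept_source_route = 0'
            echo 'net.ipv4.icmp_echo_ignore_broadcasts = 1'
            echo 'net.ipv4.icmp_ignore_bogus_error_responses = 1'
            echo 'net.ipv4.icmp_echo_ignore_all = 0'
            echo 'net.core.netdev_max_backlog = 262144'
            echo 'net.core.rmem_default = 6291456'
            echo 'net.core.wmem_default = 6291456'
            echo 'net.core.rmem_max = 12582912'
            echo 'net.core.wmem_max = 12582912'
            echo 'net.core.somaxconn = 65535'
            echo 'kernel.msgmnb = 65536'
            echo 'kernel.msgmax = 65536'
            echo 'kernel.shmmax = 68719476736'
            echo 'kernel.shmall = 4294967296'
            echo 'kernel.sysrq = 0'
            echo 'kernel.core_uses_pid = 1'
        } >> /etc/sysctl.conf
    fi
    # Load the file now; without this the values only apply after a reboot.
    sysctl -p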

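    echo -e "\033[1;41;33m###########文件打开数 ############\033[0m"
    # Append line $1 to file $2 unless that exact line is already present,
    # so running the script twice does not duplicate entries.
    append_once() {
        grep -qxF -- "$1" "$2" 2>/dev/null || echo "$1" >> "$2"
    }

    # Raise the limit for the current shell.
    ulimit -n 65535
    # ulimit lines in rc.local only affect what rc.local itself starts.
    append_once "ulimit -n 65535" /etc/rc.local
    append_once "ulimit -u unlimited" /etc/rc.local
    # Per-user limits applied by pam_limits at login.
    append_once "* soft nofile 65535" /etc/security/limits.conf
    append_once "* hard nofile 65535" /etc/security/limits.conf
    # The limits.conf item for the process count is "nproc"; the "noproc"
    # spelling used in the article is not a valid item and is ignored.
    # NOTE(review): CentOS 7 ships /etc/security/limits.d/20-nproc.conf, which
    # is read after this file; check that it does not lower soft nproc again.
    append_once "* soft nproc 65535" /etc/security/limits.conf
    append_once "* hard nproc 65535" /etc/security/limits.conf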

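    echo -e "\033[1;41;33m############ selinnux or firewalld ############\033[0m"
    # NOTE(review): the next two commands put SELinux in permissive mode now
    # and disable it from the next boot, which removes mandatory access
    # control from this host. If SELinux is meant to stay enforcing, drop
    # both lines and label the new sshd port for SELinux instead.
    setenforce 0
    # Anchored so only the SELINUX= setting line itself is rewritten.
    sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

    # Permanent rules for the "work" zone: ssh, 10050/tcp and two internal
    # source ranges, bound to interface em1 (host-specific name).
    firewall-cmd --set-default-zone=work
    firewall-cmd --zone=work --change-interface=em1 --permanent
    firewall-cmd --zone=work --add-port=22/tcp --permanent
    # sshd is moved to port 9022 later in this script; without this rule a
    # re-enabled firewall would cut off ssh access.
    firewall-cmd --zone=work --add-port=9022/tcp --permanent
    firewall-cmd --zone=work --add-port=10050/tcp --permanent
    firewall-cmd --zone=work --add-source=10.0.0.0/16 --permanent
    firewall-cmd --zone=work --add-source=10.2.2.0/24 --permanent
    firewall-cmd --reload
    # NOTE(review): firewalld is stopped and disabled right after being
    # configured, so none of the rules above are enforced and the host has no
    # packet filter. Keep these two lines only if filtering is done elsewhere;
    # otherwise remove them so the zone takes effect.
    systemctl stop firewalld.service
    systemctl disable firewalld.service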

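    echo -e "\033[1;41;33m############### ssh #############\033[0m"
    # Keep the first pristine copy; a re-run must not overwrite it with an
    # already edited file.
    [ -e /etc/ssh/sshd_config.bak ] || cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

    # Move sshd to port 9022. Anchored so only the stock "#Port 22" line matches.
    sed -i 's/^#Port 22$/Port 9022/' /etc/ssh/sshd_config
    # Add the directive after the stock commented line, but only once.
    grep -q '^PermitRootLogin no' /etc/ssh/sshd_config ||
        sed -i '/^#PermitRootLogin yes/a PermitRootLogin no' /etc/ssh/sshd_config
    grep -q '^UseDNS no' /etc/ssh/sshd_config ||
        sed -i '/^#UseDNS yes/a UseDNS no' /etc/ssh/sshd_config
    sed -i 's/^GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config

    # Check the edited file before sshd is ever restarted with it; a broken
    # config on a remote host means losing access.
    if ! sshd -t; then
        echo "sshd_config failed validation, restoring the backup" >&2
        cp -p /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
    fi
    # The new settings apply on the next sshd restart. Before restarting, make
    # sure a non-root account can log in (root login is being disabled) and
    # keep the current session open until a login on port 9022 has been tested.
    # NOTE(review): if SELinux stays enforcing, the non-default port must also
    # be labelled, e.g. semanage port -a -t ssh_port_t -p tcp 9022.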

     

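    echo -e "\033[1;41;33m############# rm限制 ##########\033[0m"
    # Interactive step: open the file and paste in the wrapper script that
    # follows. This line blocks if the whole listing is run unattended.
    vim  /bin/securityremove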

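    #!/bin/bash
    #########################################################################
    # File Name: securityremove.sh
    # Author: LookBack
    # Email: admin#dwhd.org
    # Version:
    #########################################################################
    # Confirmation wrapper around /bin/rm, meant to be installed as an alias
    # for "rm". It refuses to delete a fixed list of top-level directories
    # and asks for a typed confirmation before anything else is removed.
    #
    # This is a guard against typing mistakes, not an access control: the
    # alias only exists in interactive shells that load it, and scripts or
    # callers using the real rm path never pass through this wrapper.
    #
    # Exit status: 255 when a protected directory is named, 1 when the user
    # answers "no" or input ends, otherwise the exit status of rm.
    # (The bare "securityremove" line that closed the original listing is
    # left out; executed here it would re-invoke this wrapper.)

    RMPATH="/bin/rm"
    # Directories that must never be handed to rm directly.
    PROTECTED=(/ /data /etc /boot /dev /home /lib /lib64 /proc /sys /tmp /usr /var /root /bin /sbin)

    # Print the refusal message and stop.
    SBRUN() {
        echo -ne "\033[41;37mWhy run this command\033[0m\n"
        exit 255
    }

    # No operands: let rm print its own usage error and pass its status on.
    if [ "$#" -eq 0 ]; then
        "${RMPATH}"
        exit
    fi

    # Compare every argument with the protected list after normalising it, so
    # that spellings such as "/etc/", "//etc" or "../etc" are caught as well.
    # -s keeps symlinks unresolved (on CentOS 7 /lib is itself a symlink).
    # An expanded "/*" always contains protected entries such as /bin, so this
    # loop also covers that case.
    for operand in "$@"; do
        resolved=$(realpath -m -s -- "${operand}" 2>/dev/null) || resolved="${operand}"
        for guarded in "${PROTECTED[@]}"; do
            [ "${resolved}" = "${guarded}" ] && SBRUN
        done
    done

    # Help requests go straight to rm without a prompt.
    if [ "$*" = "-h" ] || [ "$*" = "--help" ]; then
        "${RMPATH}" "$@"
        exit
    fi

    confirm=""
    while [ "${confirm}" != "yes I do" ] && [ "${confirm}" != "no" ]; do
        printf 'You are going to execute "%s \033[41;37m%s\033[0m",please confirm (yes I do or no):' "${RMPATH}" "$*"
        # Stop on end of input instead of prompting forever (e.g. no terminal).
        read -r confirm || exit 1
    done

    if [ "${confirm}" = "yes I do" ]; then
        # "$@" keeps each argument intact, so names with spaces reach rm unchanged.
        "${RMPATH}" "$@"
        exit
    fi
    exit 1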

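    # The wrapper replaces rm for root as well, so it must stay writable by
    # its owner only.
    chmod 755 /bin/securityremove

    # In file $1 (skipped when it does not exist), delete every line matching
    # pattern $2 and append the alias that routes rm through the wrapper.
    set_rm_alias() {
        [ -f "$1" ] || return 0
        sed -i "/$2/d" "$1" && echo 'alias rm="/bin/securityremove"' >> "$1"
    }

    set_rm_alias /etc/bash.bashrc securityremove
    set_rm_alias /etc/bashrc securityremove
    set_rm_alias /root/.bashrc "alias rm"
    # "$HOME" instead of a quoted "~": a tilde inside quotes is not expanded,
    # so the original test for the user's own .bashrc could never succeed.
    if [ "$USER" != "root" ]; then
        set_rm_alias "$HOME/.bashrc" "alias rm"
    fi
    # The alias is picked up by new interactive shells; to use it in the
    # current one, source the edited file there (sourcing inside a subshell,
    # as the original did, has no effect on the calling shell).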

     

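    echo -e "\033[1;41;33m############ 代理上网 #############\033[0m"
    # Export the outbound proxy for every login shell. 10.0.X.X is the
    # article's placeholder; substitute the real proxy address before running.
    # Each line is added only if /etc/profile does not already contain it.
    for proxy_line in \
        'export http_proxy=http://10.0.X.X:13128' \
        'export https_proxy=http://10.0.X.X:13128'; do
        grep -qxF -- "$proxy_line" /etc/profile || echo "$proxy_line" >> /etc/profile
    done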

     

     

     

  • 原文地址:https://www.cnblogs.com/wangyong-blog/p/13678927.html