|
#!/bin/sh
#優(yōu)化1 開機啟動網(wǎng)卡
cat >/etc/sysconfig/network-scripts/ifcfg-eth0<<EOF
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.122.147
NETMASK=255.255.255.0
GATEWAY=192.168.122.1
DNS1=192.168.122.1
DNS2=114.114.114.114
EOF
#優(yōu)化2 更改hostname
sed -i 's#HOSTNAME=\(.*\)#HOSTNAME=kvm-demo#g' /etc/sysconfig/network
hostname kvm-demo
sed -i 's#127\(.*\)#127\1\ kvm-demo#g' /etc/hosts
/etc/init.d/network restart
#優(yōu)化3 使用國內(nèi)yum源和epel源安裝軟件
##最小化安裝是沒有wget工具的���,必須先安裝在修改源
yum -y install wget
/bin/mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.`date +%F`.bak
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.163.com/.help/CentOS6-Base-163.repo<br>rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
yum clean all
yum makecache
yum -y groupinstall "Base"
yum -y groupinstall "Compatibility libraries"
yum -y groupinstall "Debugging Tools"
yum -y groupinstall "Development tools"
yum -y install telnet dos2unix tree lftp
yum -y update
#優(yōu)化4 關(guān)閉selinux
setenforce 0
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
#優(yōu)化5 清空iptables規(guī)則
iptables -F
/etc/init.d/iptables save
#優(yōu)化6 精簡開機啟動服務(wù)
for service in `chkconfig --list|grep 3:on|awk '{print $1}'|grep -Ev "crond|network|rsyslog|sysstat|sshd|iptables|ip6tables"`
do chkconfig $service off
done
#優(yōu)化7 更改ssh設(shè)置
sed -i 's/#Port\ 22/Port\ 52113/g' /etc/ssh/sshd_config
sed -i 's/#ListenAddress 0.0.0.0/ListenAddress\ 192.168.122.147/g' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin\ yes/PermitRootLogin\ no/g' /etc/ssh/sshd_config
sed -i 's/#GSSAPIAuthentication\ no/GSSAPIAuthentication\ no/g' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication\ yes/#GSSAPIAuthentication\ yes/g' /etc/ssh/sshd_config
sed -i 's/#UseDNS\ yes/UseDNS\ no/g' /etc/ssh/sshd_config
/etc/init.d/sshd restart
#優(yōu)化8 添加普通用戶
useradd badboy
echo "123456"|passwd --stdin badboy
history -c
#優(yōu)化9 sudo授權(quán)普通用戶
echo "badboy ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
#優(yōu)化10 時間同步
echo "*/5 * * * * /usr/sbin/ntpdate ntp.api.bz >/dev/null 2>&1 && /sbin/hwclock -w" >>/var/spool/cron/root
#優(yōu)化11 加大服務(wù)器文件描述符
echo '* - nofile 65535' >> /etc/security/limits.conf
#優(yōu)化12 內(nèi)核調(diào)優(yōu)
echo "net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120" >>/etc/sysctl.conf
sysctl -p
#優(yōu)化13 隱藏linux系統(tǒng)版本
:>/etc/issue
:>/etc/issue.net
#優(yōu)化14 鎖定系統(tǒng)關(guān)鍵文件
chattr +i /etc/passwd /etc/group /etc/shadow /etc/gshadow /etc/inittab
##將chattr改名
/bin/mv /usr/bin/chattr /usr/bin/badboy
#優(yōu)化15 grub引導(dǎo)密碼(防止單用戶模式修改root密碼)
##md5密碼為123456 使用grub-md5-crypt工具生成為$1$/0gD5/$VjhsgnUx6uIn9qpbVZIlL1
sed -i '/hiddenmenu/a\password\ --md5\ \$1\$\/0gD5\/\$VjhsgnUx6uIn9qpbVZIlL1' /etc/grub.conf
#優(yōu)化16 設(shè)置全局變量
##設(shè)置自動退出終端,防止非法關(guān)閉ssh客戶端造成登錄進程過多,可以設(shè)置大一些�����,單位為秒
echo "TMOUT=3600">> /etc/profile
##歷史命令記錄數(shù)量設(shè)置為10條
sed -i 's/HISTSIZE=1000/HISTSIZE=10/g' /etc/profile
##立即生效
source /etc/profile
#重啟
shutdown -r now
|
