服务器初始化脚本
#!/bin/bash
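#######################################
# Check sshd configuration, host-key permissions and related login
# plumbing. Prints one "#ssh_<check>=<0|1>" line per check; 1 means the
# condition was found. For sshd_process_exist the value is inverted
# (0 = sshd is running, 1 = it is not), as in the original report format.
# Globals:   none
# Arguments: none
# Outputs:   "#ssh_*=0|1" and "#sshd_process_exist=0|1" lines on stdout
# Returns:   0
#######################################
function check_sshd_config(){
  local -r sshd_config=/etc/ssh/sshd_config
  local -r host_key=/etc/ssh/ssh_host_rsa_key
  local -r privsep_dir=/var/empty/sshd
  local -r max_log_bytes=$((500 * 1024 * 1024))
  local effective mode root_shell w_size b_size sshd_bin ldd_missing

  # Config text with comments stripped. The former 'grep -v "#"' dropped a
  # whole line as soon as it carried a trailing comment, hiding directives.
  # Drop-ins under sshd_config.d are read too because OpenSSH 8.2+ configs
  # usually 'Include' them; when the directory is absent the glob is ignored.
  effective=$(cat "$sshd_config" /etc/ssh/sshd_config.d/*.conf 2>/dev/null | sed -e 's/#.*//')

  ##1. PasswordAuthentication no (password logins disabled)
  if grep -qiE '^[[:space:]]*PasswordAuthentication[[:space:]]+no([[:space:]]|$)' <<<"$effective"; then
    echo "#ssh_password_authentication=1"
  else
    echo "#ssh_password_authentication=0"
  fi

  ##2. PermitRootLogin no / prohibit-password (without-password is the
  ##   deprecated alias of prohibit-password, so it is treated the same)
  if grep -qiE '^[[:space:]]*PermitRootLogin[[:space:]]+(no|prohibit-password|without-password)([[:space:]]|$)' <<<"$effective"; then
    echo "#ssh_permit_root_login=1"
  else
    echo "#ssh_permit_root_login=0"
  fi

  ##3. ssh_host_rsa_key mode: any group/other permission bit is flagged.
  # The old check grepped digit runs out of stat's whole "Uid:" line, so an
  # owner uid such as 1000 ("100") masked a world-readable key; read the
  # octal mode field directly instead. A missing key reads as 0, as before.
  mode=$(stat -c '%a' "$host_key" 2>/dev/null)
  if [[ -n "$mode" ]] && (( 8#$mode & 077 )); then
    echo "#ssh_ssh_host_rsa_key=1"
  else
    echo "#ssh_ssh_host_rsa_key=0"
  fi

  ##4. privilege-separation directory group- or world-writable (sshd
  ##   refuses to start in that case). Only printed when the dir exists.
  if [[ -d "$privsep_dir" ]]; then
    mode=$(stat -c '%a' "$privsep_dir" 2>/dev/null)
    if [[ -n "$mode" ]] && (( 8#$mode & 022 )); then
      echo "#ssh_var_empty_sshd=1"
    else
      echo "#ssh_var_empty_sshd=0"
    fi
  fi

  ##5. /etc/hosts.deny has active entries other than http-rman.
  ##   Only printed when the file exists; whitespace-only lines are ignored.
  if [[ -f /etc/hosts.deny ]]; then
    if sed -e 's/#.*//' /etc/hosts.deny 2>/dev/null | grep -v 'http-rman' | grep -q '[^[:space:]]'; then
      echo "#ssh_hosts_deny=1"
    else
      echo "#ssh_hosts_deny=0"
    fi
  fi

  ##6. root's login shell must be set and exist. Matching on the first
  ##   field avoids the old '^root' prefix match hitting e.g. "rootfoo".
  root_shell=$(awk -F: '$1 == "root" { print $NF; exit }' /etc/passwd 2>/dev/null)
  if [[ -z "$root_shell" || ! -f "$root_shell" ]]; then
    echo "#ssh_shell=1"
  else
    echo "#ssh_shell=0"
  fi

  ##7. wtmp or btmp larger than 500 MiB. Only printed when both exist.
  if [[ -f /var/log/wtmp && -f /var/log/btmp ]]; then
    w_size=$(stat -c '%s' /var/log/wtmp 2>/dev/null)
    b_size=$(stat -c '%s' /var/log/btmp 2>/dev/null)
    if (( ${w_size:-0} > max_log_bytes || ${b_size:-0} > max_log_bytes )); then
      echo "#ssh_wtmp_btmp_too_large=1"
    else
      echo "#ssh_wtmp_btmp_too_large=0"
    fi
  fi

  ##8. sshd's shared libraries all resolve. ldd may run the target's
  ##   dynamic loader, so it is only applied to these fixed system paths.
  ldd_missing=0
  for sshd_bin in /usr/sbin/sshd /bin/sshd /sbin/sshd /usr/bin/sshd; do
    [[ -f "$sshd_bin" ]] || continue
    if ldd "$sshd_bin" 2>/dev/null | grep -qi 'not found'; then
      ldd_missing=1
      break
    fi
  done
  if (( ldd_missing )); then
    echo "#ssh_ldd=1"
  else
    echo "#ssh_ldd=0"
  fi

  ##9. /etc/profile sourcing itself (recursion at login). References to
  ##   /etc/profile.d are expected and ignored; a bare "/etc/profile" at
  ##   end of line now matches too (the old pattern required a trailing space).
  if sed -e 's/#.*//' /etc/profile 2>/dev/null | grep -v 'profile\.d' | grep -qE '/etc/profile([[:space:]]|$)'; then
    echo "#ssh_etc_profile_call_etc_profile=1"
  else
    echo "#ssh_etc_profile_call_etc_profile=0"
  fi

  ##10. sshd process present. pgrep -x matches the process name exactly,
  ##    unlike 'ps aux | grep sshd' which also hit e.g. an editor on
  ##    sshd_config. Note the inverted value: 0 = running.
  if pgrep -x sshd >/dev/null 2>&1; then
    echo "#sshd_process_exist=0"
  else
    echo "#sshd_process_exist=1"
  fi
}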
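#######################################
# Check TCP/NIC settings that commonly cause connectivity problems.
# Globals:   none
# Arguments: $1 - network interface to inspect (default: eth0)
# Outputs:   "#net_tcp_tw_recycle=0|1" and "#net_eth_channels=0|1"
# Returns:   0
#######################################
function check_net(){
  local iface=${1:-eth0}
  local combined preset current

  ##1. net.ipv4.tcp_tw_recycle enabled. The sysctl was removed in kernel
  ##   4.12, so on newer kernels it is simply absent and reads as 0.
  if [[ "$(sysctl -n net.ipv4.tcp_tw_recycle 2>/dev/null)" == "1" ]]; then
    echo "#net_tcp_tw_recycle=1"
  else
    echo "#net_tcp_tw_recycle=0"
  fi

  ##2. NIC combined queues: "Pre-set maximums" Combined (first line)
  ##   vs "Current hardware settings" Combined (second line).
  # The former 'echo $eth_combined | head -n 1' expanded the variable
  # unquoted, which joined both lines into one, so head and tail returned
  # the same text and the two values could never differ.
  combined=$(ethtool -l "$iface" 2>/dev/null | grep 'Combined')
  preset=$(printf '%s\n' "$combined" | head -n 1 | awk -F ':' '{print $2}')
  current=$(printf '%s\n' "$combined" | tail -n 1 | awk -F ':' '{print $2}')
  # strip the whitespace awk leaves around the numbers before comparing
  preset=${preset//[[:space:]]/}
  current=${current//[[:space:]]/}
  if [[ "$preset" != "$current" ]]; then
    echo "#net_eth_channels=1"
  else
    echo "#net_eth_channels=0"
  fi
}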
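#######################################
# Flag a soft "nofile" limit in limits.conf that exceeds fs.nr_open;
# the kernel rejects such a limit, which is a well-known cause of
# login failures.
# Globals:   none
# Arguments: none
# Outputs:   "#limits_no_file=0|1"
# Returns:   0
#######################################
function check_limits(){
  local nofile_limit nr_open

  # Last soft (or "-" = hard and soft) nofile entry, comments stripped.
  # Drop-ins under limits.d are included because pam_limits reads them too.
  nofile_limit=$(cat /etc/security/limits.conf /etc/security/limits.d/*.conf 2>/dev/null \
    | sed -e 's/#.*//' \
    | awk '($2 == "soft" || $2 == "-") && $3 == "nofile" { v = $4 } END { if (v != "") print v }')
  nr_open=$(sysctl -n fs.nr_open 2>/dev/null)

  # The former '[ ! -n $var ]' (unquoted) was true only for EMPTY values,
  # so the comparison never ran on a real system; it also would have
  # errored on "unlimited". Require both values to be numeric.
  if [[ "$nofile_limit" =~ ^[0-9]+$ && "$nr_open" =~ ^[0-9]+$ ]] && (( nofile_limit > nr_open )); then
    echo "#limits_no_file=1"
  else
    echo "#limits_no_file=0"
  fi
}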
#######################################
# Report whether the kernel ring buffer records an OOM-killer invocation.
# Globals:   none
# Arguments: none
# Outputs:   "#oom=1" when "invoked oom-killer" appears in dmesg, else "#oom=0"
# Returns:   0
#######################################
function check_oom(){
  local seen=0
  # grep's exit status replaces the old "| wc -l -gt 0" counting
  if dmesg | grep -q "invoked oom-killer"; then
    seen=1
  fi
  echo "#oom=${seen}"
}
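#######################################
# Report whether /etc/selinux/config sets SELINUX to a mode other than
# permissive/disabled (i.e. enforcing after the next boot). This reads
# the persistent config file only, not the currently running mode.
# Globals:   none
# Arguments: none
# Outputs:   "#selinux=0|1" (0 when the file is missing or has no SELINUX= line)
# Returns:   0
#######################################
function check_selinux(){
  local mode
  # Anchor on "SELINUX=" at line start so only the real directive is read
  # (SELINUXTYPE= does not match because of the '='); trailing comments
  # are stripped instead of discarding the whole line; last entry wins.
  mode=$(sed -e 's/#.*//' /etc/selinux/config 2>/dev/null \
    | grep -E '^[[:space:]]*SELINUX=' | tail -n 1 | awk -F '=' '{print $2}')
  mode=${mode//[[:space:]]/}
  # case-insensitive: the old grep -v missed e.g. "Permissive"
  if [[ -n "$mode" ]] && ! grep -qiE 'permissive|disable' <<<"$mode"; then
    echo "#selinux=1"
  else
    echo "#selinux=0"
  fi
}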
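#######################################
# Flag PID-space exhaustion: the number of existing tasks (second half of
# the "running/total" 4th field of /proc/loadavg) above 90% of
# kernel.pid_max.
# Globals:   none
# Arguments: none
# Outputs:   "#pid_useup=0|1" (0 when either value cannot be read)
# Returns:   0
#######################################
function check_pid_useup(){
  local task_total pid_max
  # The former guard '[ -n `which bc` ]' was true whether or not bc
  # existed (an empty unquoted expansion leaves a one-argument test), so
  # the function always printed 0 and never reached the real check.
  # bc is no longer needed: total > 0.9*pid_max  <=>  10*total > 9*pid_max.
  task_total=$(awk '{ split($4, a, "/"); print a[2] }' /proc/loadavg 2>/dev/null)
  pid_max=$(cat /proc/sys/kernel/pid_max 2>/dev/null)
  if [[ "$task_total" =~ ^[0-9]+$ && "$pid_max" =~ ^[0-9]+$ ]] && (( task_total * 10 > pid_max * 9 )); then
    echo "#pid_useup=1"
  else
    echo "#pid_useup=0"
  fi
}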
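#######################################
# Flag a cloud-init that is neither on PATH nor runnable from
# /usr/local/bin. A cloud-init found on PATH is reported as fine at once.
# Globals:   none
# Arguments: none
# Outputs:   "#cloud-init=0" when found on PATH, otherwise "#cloud_init=0|1".
#            NOTE(review): the two spellings come from the original script
#            and are kept for consumers; unify them once every consumer of
#            this report agrees on one key.
# Returns:   0
#######################################
function check_cloud_init(){
  local local_ret
  # The former '[ -n `which cloud-init` ]' was true even when the command
  # was missing (empty unquoted expansion leaves a one-argument test), so
  # this branch always fired and the fallback below never ran.
  if command -v cloud-init >/dev/null 2>&1; then
    echo "#cloud-init=0"
    return
  fi
  # PATH lookup already failed, so only the fixed fallback location is
  # left to try (the old extra 'cloud-init -v' call could only fail here).
  /usr/local/bin/cloud-init -v >/dev/null 2>&1
  local_ret=$?
  if [[ $local_ret -ne 0 ]]; then
    echo "#cloud_init=1"
  else
    echo "#cloud_init=0"
  fi
}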
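#######################################
# On RHEL/CentOS 7-8 and Ubuntu 20 (where /bin, /sbin, /lib and /lib64
# are presumably the merged-/usr symlinks, hence the check's name) verify
# that all four paths resolve; a missing one breaks most commands.
# Globals:   none
# Arguments: none
# Outputs:   "#soft_link=0|1" (always 0 on other distributions)
# Returns:   0
#######################################
function check_soft_link(){
  local dir
  if grep -qE 'release (7|8)' /etc/redhat-release 2>/dev/null \
      || grep -qi 'ubuntu 20' /etc/os-release 2>/dev/null; then
    # The old 'ls -al ... | wc -l' counted output lines, which still
    # passes for a dangling symlink; -e follows links and fails for those.
    for dir in /bin /sbin /lib /lib64; do
      if [[ ! -e "$dir" ]]; then
        echo "#soft_link=1"
        return
      fi
    done
  fi
  echo "#soft_link=0"
}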
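#######################################
# Report whether the persistent sysctl configuration mentions
# nr_hugepages (/etc/sysctl.conf or a drop-in in /etc/sysctl.d).
# Globals:   none
# Arguments: none
# Outputs:   "#hugepage=0|1"
# Returns:   0
#######################################
function check_hugepage(){
  # The former '[ `grep ...` ]' word-split the unquoted match, so a line
  # such as "vm.nr_hugepages = 1024" became a three-word string comparison
  # that evaluated false; grep's exit status is used instead.
  if cat /etc/sysctl.conf /etc/sysctl.d/*.conf 2>/dev/null \
      | sed -e 's/#.*//' | grep -q 'nr_hugepages'; then
    echo "#hugepage=1"
  else
    echo "#hugepage=0"
  fi
}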
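#######################################
# Report whether /etc/ld.so.preload lists any library other than the
# expected libonion.so. Libraries named in that file are loaded into every
# dynamically linked program, so an unexpected entry deserves inspection.
# Globals:   none
# Arguments: none
# Outputs:   "#ld_so_preload=0|1" (0 when the file is absent or empty)
# Returns:   0
#######################################
function check_ld_so_preload(){
  # The former '[ `cat ... | grep -v` ]' was unquoted: two or more entries
  # produced a "too many arguments" test (false) and a lone blank line was
  # false as well, so only a single-entry file was ever detected.
  if sed -e 's/#.*//' /etc/ld.so.preload 2>/dev/null \
      | grep -vF 'libonion.so' | grep -q '[^[:space:]]'; then
    echo "#ld_so_preload=1"
  else
    echo "#ld_so_preload=0"
  fi
}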
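#######################################
# Flag CPU usage above 90% from the "%Cpu(s):" summary line of one
# batch-mode top sample (100 - idle - iowait > 90).
# NOTE: top's first sample reports averages since boot rather than the
# instantaneous load; "-n 2 -d 1" and reading the second sample would be
# more accurate at the cost of a one-second delay.
# Globals:   none
# Arguments: none
# Outputs:   "#cpu_high_usage=0|1" (0 when top output is unavailable)
# Returns:   0
#######################################
function check_cpu_high_usage(){
  local top_cpu cpu_idle cpu_wa
  # The former bc guard '[ -n `which bc` ]' was always true, so this check
  # never ran; the float comparison is now done by awk, without bc.
  # LC_ALL=C keeps the labels and the decimal point parseable on
  # localized systems.
  top_cpu=$(LC_ALL=C top -b -n 1 2>/dev/null | grep '%Cpu(s):')
  if [[ -z "$top_cpu" ]]; then
    echo "#cpu_high_usage=0"
    return
  fi
  # fields are comma separated: "... 98.7 id,  0.0 wa, ..." -> $4 / $5
  read -r cpu_idle cpu_wa < <(awk -F ',' '{ split($4, i, " "); split($5, w, " "); print i[1], w[1] }' <<<"$top_cpu")
  if [[ "$cpu_idle" =~ ^[0-9.]+$ && "$cpu_wa" =~ ^[0-9.]+$ ]] \
      && awk -v idle="$cpu_idle" -v wa="$cpu_wa" 'BEGIN { exit !(100 - idle - wa > 90) }'; then
    echo "#cpu_high_usage=1"
  else
    echo "#cpu_high_usage=0"
  fi
}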
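#######################################
# Flag memory usage above 90%, computed from /proc/meminfo as
#   used = MemTotal - MemFree - Buffers - Cached - SReclaimable + Shmem
# and compared as used * 100 / MemTotal > 90.
# Globals:   none
# Arguments: none
# Outputs:   "#mem_high_usage=0|1" (0 when /proc/meminfo is unreadable)
# Returns:   0
#######################################
function check_mem_high_usage(){
  # Reads /proc/meminfo directly. The former copy to the fixed path
  # /tmp/diagnos_meminfo was an unneeded write into a world-writable
  # directory (a symlink hazard when the script runs as root). The old bc
  # guard was always true, so the computation never ran; awk now does the
  # arithmetic in a single pass without bc, matching keys exactly rather
  # than by substring (e.g. "Buffer" vs "Buffers:").
  if [[ ! -r /proc/meminfo ]]; then
    echo "#mem_high_usage=0"
    return
  fi
  if awk '
      $1 == "MemTotal:"     { total = $2 }
      $1 == "MemFree:"      { free = $2 }
      $1 == "Buffers:"      { buffers = $2 }
      $1 == "Cached:"       { cached = $2 }
      $1 == "SReclaimable:" { srecl = $2 }
      $1 == "Shmem:"        { shmem = $2 }
      END {
        if (total <= 0) exit 1
        used = total - free - buffers - cached - srecl + shmem
        exit !(used * 100.0 / total > 90)
      }' /proc/meminfo; then
    echo "#mem_high_usage=1"
  else
    echo "#mem_high_usage=0"
  fi
}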
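#######################################
# Flag any filesystem (excluding df lines matching "sr0" or "tmp") whose
# Use% is above 95.
# Globals:   none
# Arguments: none
# Outputs:   "#disk_high_usage=0|1"
# Returns:   0
#######################################
function check_disk_high_usage(){
  local pct
  # df -P prints each filesystem on a single line (no wrapping of long
  # device names, which broke the column pick with df -h) with Use% in
  # column 5. Non-numeric values such as "-" are skipped instead of
  # producing an integer-expression error.
  while read -r pct; do
    [[ "$pct" =~ ^[0-9]+$ ]] || continue
    if (( pct > 95 )); then
      echo "#disk_high_usage=1"
      return
    fi
  done < <(df -P 2>/dev/null | sed '1d' | grep -v 'sr0' | grep -v 'tmp' | awk '{print $5}' | tr -d '%')
  echo "#disk_high_usage=0"
}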
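#######################################
# Flag any filesystem (excluding df lines matching "sr0", "tmp" or
# "boot") whose inode usage (IUse%) is above 95.
# Globals:   none
# Arguments: none
# Outputs:   "#inode_high_usage=0|1"
# Returns:   0
#######################################
function check_inode_high_useage(){
  local pct
  # df -Pi: one line per filesystem, IUse% in column 5; "-" (no inode
  # accounting) and other non-numeric values are skipped instead of
  # producing an integer-expression error.
  while read -r pct; do
    [[ "$pct" =~ ^[0-9]+$ ]] || continue
    if (( pct > 95 )); then
      echo "#inode_high_usage=1"
      return
    fi
  done < <(df -Pi 2>/dev/null | sed '1d' | grep -v 'sr0' | grep -v 'tmp' | grep -v 'boot' | awk '{print $5}' | tr -d '%')
  echo "#inode_high_usage=0"
}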
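#######################################
# Report whether the iptables INPUT chain's default policy is DROP (a
# setting that silently blocks any traffic not explicitly allowed).
# Needs root and the iptables tool; otherwise the result is 0.
# Globals:   none
# Arguments: none
# Outputs:   "#iptables_input_policy=0|1"
# Returns:   0
#######################################
function check_iptables_input_policy(){
  # The former '[ `iptables -nvL | grep ...` ]' left the multi-word chain
  # header unquoted, so the test errored ("too many arguments") and was
  # always false. Listing only INPUT with -n also avoids DNS lookups.
  if iptables -nL INPUT 2>/dev/null | grep -qi 'policy DROP'; then
    echo "#iptables_input_policy=1"
  else
    echo "#iptables_input_policy=0"
  fi
}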
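#######################################
# Verify that every device referenced in /etc/fstab can be resolved:
# UUID=/LABEL= specs must appear in blkid output; path specs must be
# listed by blkid or exist on disk (-e follows the lvm and /dev/disk/by-*
# symlinks, so a dangling link is reported, unlike the old -L test).
# Entries with neither '=' nor '/' (proc, tmpfs, ...) and network specs
# (host:path, //server/share) cannot be checked locally and are skipped.
# Globals:   none
# Arguments: none
# Outputs:   "#etc_fstab=0|1" (1 also when /etc/fstab is missing)
# Returns:   0
#######################################
function check_etc_fstab(){
  local blkid_out spec id
  if [[ ! -f /etc/fstab ]]; then
    echo "#etc_fstab=1"
    return
  fi
  # one blkid call instead of one per entry
  blkid_out=$(blkid 2>/dev/null)
  while read -r spec; do
    [[ -n "$spec" ]] || continue
    case "$spec" in
      //*|*:*)
        continue
        ;;
      *=*)
        id=${spec#*=}
        if ! grep -qF -- "$id" <<<"$blkid_out"; then
          echo "#etc_fstab=1"
          return
        fi
        ;;
      */*)
        if ! grep -qF -- "$spec:" <<<"$blkid_out" && [[ ! -e "$spec" ]]; then
          echo "#etc_fstab=1"
          return
        fi
        ;;
    esac
  done < <(awk '!/^[[:space:]]*#/ && NF { print $1 }' /etc/fstab)
  echo "#etc_fstab=0"
}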
#######################################
# Run every check in report order, printing a "###<section>" header
# before each check's "#key=value" lines.
# Globals:   none
# Arguments: ignored
# Outputs:   the full report on stdout
# Returns:   status of the last check run
#######################################
function main(){
  local entry section fn
  # "<section label>:<check function>" pairs, in the order they are reported
  for entry in \
      sshd_config:check_sshd_config \
      net:check_net \
      limits:check_limits \
      oom:check_oom \
      selinux:check_selinux \
      pid:check_pid_useup \
      cloud-init:check_cloud_init \
      soft_link:check_soft_link \
      hugepage:check_hugepage \
      ld_so_preload:check_ld_so_preload \
      cpu_usage:check_cpu_high_usage \
      mem_usage:check_mem_high_usage \
      disk_usage:check_disk_high_usage \
      inode_usage:check_inode_high_useage \
      iptables:check_iptables_input_policy \
      fstab:check_etc_fstab; do
    section=${entry%%:*}
    fn=${entry#*:}
    echo "###${section}"
    "$fn"
  done
}
# Entry point: run all checks; arguments are accepted but not used by main.
main "$@"