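#!/usr/bin/env bash
# init.sh - first-boot tuning/hardening for a fresh CentOS 7 host.
#
# Must run as root. Every "append to config file" step is guarded by a marker
# check so re-running the script does not duplicate entries, and services are
# only restarted after their config has been validated where a validator exists.
#
# Env tunables:
#   LOG_SERVER - remote rsyslog receiver for the bash audit log (defaults to the
#                address the script originally hard-coded).
#
# No `set -e`: several steps legitimately return non-zero on a second run
# (setenforce when SELinux is already off, stopping an already-stopped unit).
set -u

LOG_SERVER="${LOG_SERVER:-192.168.3.119}"

if (( EUID != 0 )); then
  printf 'init.sh must run as root\n' >&2
  exit 1
fi

#######################################
# Append stdin to a file unless the file already contains the marker string.
# Arguments: $1 - fixed string identifying the snippet; $2 - target file
# Outputs:   appends the here-doc on stdin to $2 (only on first run)
#######################################
append_once() {
  local marker=$1 file=$2
  grep -qF -- "$marker" "$file" 2>/dev/null || cat >> "$file"
}

# --- yum repos --------------------------------------------------------------
# -f: a 404/5xx must fail instead of writing the error page over the repo file;
# https: the repo definition itself is integrity-sensitive (it decides gpgcheck).
curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
curl -fsSL -o /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
# rpm only *warns* (NOKEY) when the vendor signing key is not imported, so the
# release package is effectively unverified unless the MySQL GPG key has been
# imported beforehand (`rpm --import <mysql-gpg-key-url>`) — TODO confirm key.
rpm -q mysql80-community-release >/dev/null 2>&1 \
  || rpm -Uvh https://dev.mysql.com/get/mysql80-community-release-el7-1.noarch.rpm

# --- base packages ------------------------------------------------------------
yum -y install vim ntpdate sysstat lrzsz tree telnet wget unzip gzip lsof make gcc gcc-c++ automake autoconf libtool git openssl openssl-devel cmake xinetd vixie-cron crontabs net-tools supervisor sudo psmisc bash-completion iptables-services rsyslog

# --- SELinux off --------------------------------------------------------------
setenforce 0 2>/dev/null || true   # non-zero when SELinux is already disabled
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

# --- time zone / time sync ----------------------------------------------------
\cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
append_once 'ntpdate 0.pool.ntp.org' /etc/crontab <<'EOF'
01 */04 * * * root /usr/sbin/ntpdate 0.pool.ntp.org
EOF
systemctl restart crond

# --- ulimit -------------------------------------------------------------------
append_once 'soft nofile 102400' /etc/security/limits.conf <<'EOF'
* soft nofile 102400
* hard nofile 102400
* soft nproc 102400
* hard nproc 102400
EOF

# --- ssh / shell session ------------------------------------------------------
append_once 'readonly TMOUT=300' /etc/profile <<'EOF'
readonly TMOUT=300
EOF
# PermitRootLogin no: make sure a sudo-capable non-root account already exists
# on this host, otherwise the current session may be the last way in.
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
# disable reverse DNS lookups on connect
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
# Validate the edited config first so a bad edit cannot leave sshd down.
if /usr/sbin/sshd -t; then
  /bin/systemctl restart sshd.service
else
  printf 'sshd_config failed validation; sshd was NOT restarted\n' >&2
fi

# --- kernel parameters --------------------------------------------------------
# Notes on the block below (values kept as the author set them):
#  * tcp_tw_recycle / tcp_tw_reuse both rely on TCP timestamps, and
#    tcp_timestamps is set to 0 further down, so they are likely inert — confirm.
#  * ip_forward = 1 turns the host into a router; leave at 0 unless it
#    forwards/NATs traffic.
#  * net.ipv4.tcp_max_orphans appeared twice in the original (3276800 then
#    262144); sysctl -p applies the last one, so only 262144 is kept.
append_once 'net.ipv4.tcp_fastopen = 3' /etc/sysctl.conf <<'EOF'
kernel.sysrq = 1
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
kernel.sem = 250 32000 100 128
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65000
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.ip_local_port_range = 1024 65000
#表示开启TCP连接中TIME-WAIT sockets的快速回收,默认为0,表示关闭,对nat上网环境支持差,如果是最前端负载均衡服务器,不能开启,如果是后端web服务器,或者是数据库,缓存相关,可开启
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_sack = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.ipv4.tcp_max_syn_backlog = 65000
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_fastopen = 3
vm.swappiness = 10
fs.file-max=102400
fs.aio-max-nr = 1048576
#禁用ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF
sysctl -p

# --- ctrl-alt-del -------------------------------------------------------------
# Masking is the supported way to neutralise the target; the original
# `rm -rf` of the unit file (with an unquoted glob fallback) is not.
systemctl mask ctrl-alt-del.target

# --- postfix off --------------------------------------------------------------
systemctl stop postfix
systemctl disable postfix

# --- bash command audit via rsyslog (local3) ----------------------------------
echo "set PROMPT_COMMAND..."
mkdir -p /var/.history
# Written straight into /etc/bashrc; the original staged it through a
# rsyslog.txt left behind in the current directory.
append_once 'readonly PROMPT_COMMAND=' /etc/bashrc <<"EOF"
IN_Face=`route -n |awk '{if($4~/UG/){print $8}}'|head -n 1`
Local_IP=`/sbin/ifconfig|grep -B1 -C1 -w "${IN_Face}"|grep -w 'inet'|awk '{print $2}'`
readonly PROMPT_COMMAND='logger -p local3.notice -t bash "${Local_IP} $(who am i |awk "{print \$1\" \"\$2\" \"\$3\" \"\$4\" \"\$5}") [`pwd`] currentuser=$(whoami) command=$(history 1 | { read x cmd; echo "$cmd"; })"'
EOF

# --- rsyslog client -----------------------------------------------------------
echo "set rsyslog client..."
# keep local3 out of /var/log/messages
grep -q 'local3.none' /etc/rsyslog.conf \
  || sed -i 's/cron.none/cron.none\;local3.none/g' /etc/rsyslog.conf
if ! grep -q 'local3.notice' /etc/rsyslog.conf; then
  printf 'local3.notice /var/.history/audit.log\n' >> /etc/rsyslog.conf
  # '@' forwards over plain UDP (unencrypted, unacknowledged); prefer '@@' (TCP)
  # or a TLS-capable transport when the log host supports it.
  printf 'local3.notice @%s\n' "$LOG_SERVER" >> /etc/rsyslog.conf
fi
# NOTE(review): nothing here points sudo at local2 (e.g. a sudoers syslog
# setting); the file stays empty unless that is configured elsewhere — confirm.
grep -q 'local2.debug' /etc/rsyslog.conf \
  || printf 'local2.debug /var/log/sudo.log\n' >> /etc/rsyslog.conf
/bin/systemctl restart rsyslog.service

# --- logrotate for the audit log ----------------------------------------------
echo "set logrotate rsyslog..."
# Quoted delimiter: with an unquoted EOF the backticks in the postrotate line
# were expanded by *this* script, baking a stale/empty PID into the config.
append_once '/var/.history/audit.log' /etc/logrotate.d/rsyslog <<'EOF'
/var/.history/audit.log{
daily
rotate 4
missingok
notifempty
nocompress
create
dateext
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
EOF

# Profile/bashrc changes apply to new login sessions; sourcing them inside this
# non-interactive script had no lasting effect (and re-declared readonly vars).
printf 'init.sh finished; log out and back in for profile changes to apply\n'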