Linux System Check and Optimization Script
1. Overview
This is a feature-rich Bash script intended to help Linux system administrators check and tune their systems. It is written mainly for CentOS/RHEL and provides a set of automated steps for hardening, performance tuning and routine administration.
2. Features
2.1 Run everything
This option runs every feature in sequence: the audit settings, the security checks, the performance tuning and so on.
2.2 System audit settings
2.2.1 Timestamp the shell history
- Add HISTTIMEFORMAT="%F %T " to /root/.bash_profile
- Make sure export HISTTIMEFORMAT is set as well
- Lets the administrator see exactly when each command was run, which helps after-the-fact auditing and troubleshooting
2.2.2 Lock accounts after failed logins
- Add a lock-out policy to /etc/pam.d/system-auth
- Set to lock the account for 5 minutes after 3 wrong passwords, and root for 10 minutes
- Helps resist brute-force password guessing
2.2.3 Session timeout
- Set the idle session timeout to 300 seconds
- Improves system security by limiting what an unattended session can be used for
2.3 Check for accounts with empty passwords
- Uses awk to inspect /etc/shadow
- Lists every account that has no password set
- Such accounts are a security risk and should be given a password or disabled promptly
2.4 Check for superusers
- Inspects /etc/passwd for accounts with UID 0
- Lists every superuser other than root
- Superusers hold full system privileges, so their number should be strictly controlled
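The two account checks above are the ones most worth getting exactly right, so here is an added example (mine, not the page's script) that runs the same awk logic but takes the file as a parameter, which makes it possible to exercise it on constructed shadow(5)/passwd(5) data rather than on the live /etc files. The function names, the sample entries and the temporary directory are all assumptions made for this example. It goes one step beyond the page's version in two places: the UID 0 check compares the whole user name instead of grepping for the substring "root", and the login-shell check also excludes /bin/false and the halt/shutdown/sync shells, not only /sbin/nologin.

```shell
#!/bin/bash
# Added example, not part of the original script. The checks take the file
# to inspect as $1 so they can run against constructed sample data.

# Print accounts whose password field is empty. A field of "!", "!!" or "*"
# means a locked account, not an empty password, so those are not reported.
find_empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print accounts with UID 0 other than root: each one is a full superuser.
# The whole name is compared, so a user merely named like "rootkit" is not hidden.
find_extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts whose shell allows an interactive login. The page's script only
# filters /sbin/nologin; /bin/false and the system shells are excluded here too.
find_loginable_accounts() {
    awk -F: '$7 !~ /(nologin|false|halt|shutdown|sync)$/ { print $1 }' "$1"
}

# Constructed sample files (stand-ins for /etc/shadow and /etc/passwd).
WORKDIR=$(mktemp -d)
SAMPLE_SHADOW="$WORKDIR/shadow"
SAMPLE_PASSWD="$WORKDIR/passwd"

cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
backup:!!:19000:0:99999:7:::
EOF

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
svc:x:1002:1002::/var/svc:/bin/false
EOF

echo "Empty-password accounts:"; find_empty_password_accounts "$SAMPLE_SHADOW"
echo "Extra UID 0 accounts:";    find_extra_uid0_accounts "$SAMPLE_PASSWD"
echo "Login-capable accounts:";  find_loginable_accounts "$SAMPLE_PASSWD"
```

On the sample data only guest has an empty password (bin and backup are locked, not passwordless), toor is the extra UID 0 account, and root, toor and guest are the accounts that can log in. Pointing the functions at /etc/shadow and /etc/passwd as root gives the same report for a real host.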
2.5 Password expiry of loginable users
- Runs chage -l for every user that can log in to show that user's password policy
- Shows the password expiry date, minimum age and related information
- Helps enforce a strong password policy with regular rotation
2.6 List loginable users
- Lists every account on the system that can log in
- Helps identify unauthorized or unnecessary accounts
2.7 Login records
- Shows the last 10 failed logins (lastb)
- Shows the last 10 successful logins (last)
- Helps detect suspicious login attempts and monitor how the system is used
2.8 System errors
- Shows the OS version (/etc/os-release)
- Uses dmesg to look for kernel error messages
- Helps spot and fix system problems early
2.9 System optimization
2.9.1 Disable SELinux
- Permanently disables SELinux (edits /etc/selinux/config)
- Gives more flexibility but may reduce security
2.9.2 Disable the firewall
- Stops and disables the firewalld service
- Simplifies network configuration but may increase security risk
2.9.3 Tune kernel parameters
- Edits /etc/sysctl.conf to tune the network-related parameters
- Improves network performance and the number of concurrent connections the host can handle
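The kernel block the script appends lists several keys more than once with different values (net.ipv4.tcp_syn_retries appears with 2 and later with 1, net.ipv4.tcp_keepalive_time with 1800 and 120, and so on). sysctl -p applies a file top to bottom, so the last occurrence wins and the earlier lines are dead text that misleads anyone reviewing the file. This added example (mine, not the page's script) takes a sysctl-format file as a parameter and reports every duplicated key with its first and last value, and separately prints the value that would actually take effect for one key. The function names and the sample fragment are constructed for this example.

```shell
#!/bin/bash
# Added example, not the page's own code: find keys that a sysctl file sets
# more than once, since only the last value survives sysctl -p.

# Print "key first_value last_value count" for every key set more than once,
# sorted by key. Comments and blank lines are skipped; spaces around '=' are removed.
find_duplicate_sysctl_keys() {
    awk -F'=' '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (!(key in count)) first[key] = val
            last[key] = val
            count[key]++
        }
        END { for (k in count) if (count[k] > 1) print k, first[k], last[k], count[k] }
    ' "$1" | LC_ALL=C sort
}

# Print the value sysctl -p would actually apply for key $2 (its last occurrence),
# or nothing if the file does not set it.
effective_sysctl_value() {
    awk -F'=' -v want="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == want) { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val) }
        }
        END { if (val != "") print val }
    ' "$1"
}

# Constructed fragment modelled on the page's tuning block: the same keys
# appear twice with different values, which is exactly the pattern to catch.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real /etc/sysctl.conf
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.core.somaxconn = 262144
fs.file-max = 65535

net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 262144
EOF

echo "duplicated keys (key first last count):"
find_duplicate_sysctl_keys "$SAMPLE_CONF"
echo "effective tcp_syn_retries: $(effective_sysctl_value "$SAMPLE_CONF" net.ipv4.tcp_syn_retries)"
```

Running find_duplicate_sysctl_keys over the block the script appends, before it is written to /etc/sysctl.conf, shows which of the conflicting pairs need a decision; a key reported with identical first and last values is merely redundant, one with different values is a real conflict.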
2.9.4 Raise the maximum number of open files
- Edits /etc/security/limits.conf
- Raises the number of files the system can hold open at once, improving concurrency
2.9.5 Tune SSH
- Disables reverse DNS lookups and GSSAPI authentication
- Speeds up SSH connection setup
3. Usage
- Save the script as a .sh file, for example system_check.sh
- Make it executable: chmod +x system_check.sh
- Run it as root or through sudo: sudo ./system_check.sh
- The script shows an interactive menu; enter the number of the feature you want
- Some features (such as system optimization) make changes automatically; the others only display results for review
4. Notes
- Privileges: the script needs root to run all of its features
- Compatibility: written for CentOS/RHEL; other distributions may need changes
- Security considerations:
  - Disabling SELinux and the firewall lowers the system's security
  - Evaluate the impact of each change carefully before using it in production
- Performance impact:
  - The kernel parameter changes can affect system performance significantly
  - Validate the changes in a test environment first
- Backups:
  - Back up the important configuration files before running the optimization step
  - In particular /etc/sysctl.conf and /etc/security/limits.conf
- Selective use:
  - The features are independent and can be run individually as needed
  - Consider adjusting some parameter values for your environment
- Regular runs:
  - Consider scheduling the script to run periodically, for example weekly or monthly
  - Helps catch and fix potential problems early
- Logging:
  - The script currently does not log anything
  - Consider adding logging to track system changes and aid diagnosis
5. Room for improvement
- Add logging of every action taken and its result
- Add more checks, such as disk usage and service status
- Add a configuration file so users can customize parameters and thresholds
- Add a rollback feature to undo selected system changes
- Extend support to other Linux distributions
- Add error handling and reporting of abnormal conditions
- Add e-mail notification to send alerts when critical issues are found
- Add benchmarking to compare system performance before and after tuning
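The notes ask for a backup before each optimization run, and rollback is listed above as a missing feature; the script itself also appends HISTTIMEFORMAT and the limits.conf entries unconditionally, so every run adds duplicate lines. The added helpers below (mine, not part of the original script) cover those three points: backup_config copies a file to a timestamped backup and prints the backup path, ensure_line appends a line only when that exact line is absent, and restore_config copies a named backup back over the file. BACKUP_DIR, the function names and the sample file contents are assumptions made for this example; the demo runs on constructed files in a temporary directory and touches nothing under /etc.

```shell
#!/bin/bash
# Added example, not part of the original script: backup, idempotent append
# and restore helpers. backup_config, ensure_line, restore_config and
# BACKUP_DIR are names chosen here; nothing below touches /etc.

# Copy FILE to BACKUP_DIR/<name>.<timestamp>.<n> (n avoids same-second
# collisions) and print the backup path so the caller can restore it later.
backup_config() {
    file="$1"
    mkdir -p "$BACKUP_DIR"
    stamp=$(date +%Y%m%d%H%M%S)
    n=0
    while [ -e "$BACKUP_DIR/$(basename "$file").$stamp.$n" ]; do
        n=$((n + 1))
    done
    dest="$BACKUP_DIR/$(basename "$file").$stamp.$n"
    cp -p "$file" "$dest" && printf '%s\n' "$dest"
}

# Append LINE to FILE only if no identical line is already there.
# Returns 0 when the line was added, 1 when it was already present.
ensure_line() {
    file="$1"; line="$2"
    if grep -qxF -- "$line" "$file" 2>/dev/null; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# Put BACKUP back in place of FILE: the rollback the notes above ask for.
restore_config() {
    backup="$1"; file="$2"
    [ -f "$backup" ] || return 1
    cp -p "$backup" "$file"
}

# Demo on constructed files in a temporary directory (a stand-in for
# /etc/security/limits.conf).
WORKDIR=$(mktemp -d)
BACKUP_DIR="$WORKDIR/backups"
SAMPLE_LIMITS="$WORKDIR/limits.conf"
printf '# constructed sample\n* soft core 0\n' > "$SAMPLE_LIMITS"

saved=$(backup_config "$SAMPLE_LIMITS")
ensure_line "$SAMPLE_LIMITS" '* soft nofile 65535' && echo "added nofile limit"
ensure_line "$SAMPLE_LIMITS" '* soft nofile 65535' || echo "already present, not duplicated"
echo "limits.conf now has $(wc -l < "$SAMPLE_LIMITS") lines; backup at $saved"
restore_config "$saved" "$SAMPLE_LIMITS" && echo "restored: $(wc -l < "$SAMPLE_LIMITS") lines"
```

The same three calls wrap any of the script's file edits: take the backup, apply the change with ensure_line so a second run is a no-op, and keep the printed backup path so the change can be undone with restore_config if the host misbehaves afterwards.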
#!/bin/bash
# Interactive check / hardening / tuning script for CentOS/RHEL. Run as root.
# Every feature is a function; menu option 1 runs all of them in order.

tishi='请输入以下按键:
1是全部执行
2是系统审计设置
3是检查空口令账号
4是检查超级用户
5是查看可登录用户密码有效期
6是查看可登录用户
7是查看最近10次登录失败记录,以及10次登录成功的记录
8是查看系统是否有错误
9是系统优化
10是退出终端'
PS3="请输入你的选项:"
qwe=----------------------------------------------------------------------------------------------------------------------------------

# Print the separator line in bold colour $1 (ANSI colour code; 36 = cyan by default).
sep() { echo -e "\e[1;${1:-36}m $qwe \e[0m"; }

# Append line $2 to file $1 unless an identical line is already present,
# so running the script repeatedly does not accumulate duplicate entries.
ensure_line() { grep -qxF -- "$2" "$1" 2>/dev/null || echo "$2" >>"$1"; }

show_time() {
    echo "该脚本执行的时间为:$(date)"
    sep 34
}

# 2.2.1 Timestamp every history entry for later audit.
audit_history() {
    echo "系统审计设置中"
    sleep 2
    if grep -qxF 'HISTTIMEFORMAT="%F %T "' /root/.bash_profile 2>/dev/null; then
        echo 'HISTTIMEFORMAT="%F %T " 文件已存在'
    else
        echo 'HISTTIMEFORMAT="%F %T "' >>/root/.bash_profile
        echo "设置完成"
    fi
    sep 36
    if grep -qxF 'export HISTTIMEFORMAT' /root/.bash_profile 2>/dev/null; then
        echo "export HISTTIMEFORMAT 文件已存在"
    else
        echo 'export HISTTIMEFORMAT' >>/root/.bash_profile
        echo "设置完成"
    fi
    sep 36
    source /root/.bash_profile
}

# 2.2.2 Lock the account after 3 failed logins via pam_tally2.
# Note: pam_tally2 counts unlock_time and root_unlock_time in seconds.
audit_lockout() {
    echo "正在设置登陆失败锁定请稍后!!!"
    sleep 2
    rule='auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=10'
    if grep -qF "$rule" /etc/pam.d/system-auth; then
        echo "登录锁定已经设置"
        sep 36
    else
        sed -i "3a\\$rule" /etc/pam.d/system-auth
        echo -e "登录锁定已设置完成\e[1;36m $qwe \e[0m"
    fi
}

# 2.2.3 Idle session timeout. The original only printed this message; TMOUT=300
# in /etc/profile is what actually makes an idle shell exit after 300 seconds.
audit_timeout() {
    printf "正在设置会话超时,时间为300秒,请稍后!!!\n"
    sleep 2
    ensure_line /etc/profile 'export TMOUT=300'
    sep 32
}

system_audit() { audit_history; audit_lockout; audit_timeout; }

# 2.3 Accounts whose password field in /etc/shadow is empty.
check_empty_passwords() {
    empty_pw_user=$(awk -F: '$2 == "" { print $1 }' /etc/shadow)
    echo "检查空口令账号为:$empty_pw_user"
    sep 36
}

# 2.4 UID 0 accounts other than root (compare the whole name, not a substring).
check_superusers() {
    super_user=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd)
    echo "检查超级用户为(除root以外):$super_user"
    sep 37
}

# Users whose login shell is not /sbin/nologin.
loginable_users() { awk -F: '$7 != "/sbin/nologin" { print $1 }' /etc/passwd; }

# 2.5 Password ageing policy of every loginable user.
check_password_expiry() {
    for user in $(loginable_users); do
        echo "$user"
        chage -l "$user"
    done
    sep 33
}

# 2.6 List loginable users.
check_loginable_users() {
    echo "可登录用户为:$(loginable_users)"
    sep 31
}

# 2.7 Last 10 successful and failed logins. Output goes through %s so that a
# stray % in the login records cannot be interpreted as a printf directive.
check_login_records() {
    shibai=$(lastb | tail -10)
    chenggong=$(last | tail -10)
    printf '最近10次成功登录的信息如下: \n%s\n' "$chenggong"
    sep 36
    printf '最近10次登录失败的信息如下: \n%s\n' "$shibai"
    sep 31
}

# 2.8 OS release and kernel error messages.
check_system_errors() {
    banben=$(cat /etc/os-release)
    errors=$(dmesg | grep -i error)
    printf '系统版本信息如下: \n%s\n' "$banben"
    sep 36
    printf '系统错误信息如下: \n%s\n' "$errors"
}

# 2.9.1 Permanently disable SELinux (takes effect after a reboot).
disable_selinux() {
    if sed -i 's#^SELINUX=.*#SELINUX=disabled#g' /etc/selinux/config; then
        echo "永久关闭selinux模块成功!"; sep 36
    else
        echo "对不起,永久关闭selinux失败,请检查脚本或者手动关闭selinux!"; sep 36
        return 1
    fi
}

# 2.9.2 Stop firewalld and remove it from boot.
disable_firewall() {
    if systemctl stop firewalld && systemctl disable firewalld &>/dev/null; then
        echo "关闭firewalld防火墙成功!"; sep 36
    else
        echo "对不起,关闭防火墙失败,请检查脚本或者手动关闭防火墙!"; sep 36
        return 1
    fi
}

# 2.9.3 Kernel/network tuning. A copy of the original /etc/sysctl.conf is kept as
# /etc/sysctl.conf.txt; its presence also marks the block as already appended.
tune_kernel() {
    if [ -f /etc/sysctl.conf.txt ]; then
        echo "文件已存在"
    else
        cp /etc/sysctl.conf /etc/sysctl.conf.txt
        cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.route.gc_timeout = 20
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.route.gc_timeout = 20
net.ipv4.ip_local_port_range = 10024 65535
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
fs.file-max = 65535
kernel.pid_max = 65536
net.ipv4.tcp_wmem = 4096 87380 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_max_syn_backlog = 10240
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_max_tw_buckets = 36000
EOF
    fi
    # The original left "sysctl -p" commented out, so nothing was ever applied.
    # -e ignores keys this kernel does not have (tcp_tw_recycle was removed in
    # Linux 4.12), so one unknown key does not make the whole step report failure.
    if sysctl -e -p; then
        echo "优化系统内核成功!"; sep 36
    else
        echo "优化系统内核失败"; sep 36
        return 1
    fi
}

# 2.9.4 Raise process and open-file limits. The original wrote "noproc", which
# limits.conf does not recognise; the item is "nproc".
tune_limits() {
    for entry in '* soft nproc 65535' '* hard nproc 65535' \
                 '* soft nofile 65535' '* hard nofile 65535'; do
        ensure_line /etc/security/limits.conf "$entry" || {
            echo "最大文件打开数优化失败"; sep 36
            return 1
        }
    done
    echo "最大文件打开数优化成功"; sep 36
}

# 2.9.5 Faster SSH logins: no reverse DNS lookup, no GSSAPI negotiation.
tune_ssh() {
    if sed -i 's/.*UseDNS yes/UseDNS no/' /etc/ssh/sshd_config &&
       sed -i 's/.*GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config; then
        echo "ssh优化成功"; sep 36
    else
        echo "ssh优化失败"; sep 36
        return 1
    fi
    if systemctl restart sshd; then
        echo "ssh重启成功"; sep 36
    else
        echo "ssh重启失败"; sep 36
        return 1
    fi
}

printf '%s\n' "$tishi"
options=("1" "2" "3" "4" "5" "6" "7" "8" "9" "10")
select choice in "${options[@]}"; do
    case $choice in
        "1")
            # Run everything; as in the original, option 1 continues past a failed step.
            show_time
            system_audit
            check_empty_passwords
            check_superusers
            check_password_expiry
            check_loginable_users
            check_login_records
            check_system_errors
            disable_selinux
            disable_firewall
            tune_kernel
            tune_limits
            tune_ssh
            ;;
        "2") show_time; system_audit ;;
        "3") check_empty_passwords ;;
        "4") check_superusers ;;
        "5") check_password_expiry ;;
        "6") check_loginable_users ;;
        "7") check_login_records ;;
        "8") check_system_errors ;;
        "9")
            # Optimisation only: stop at the first step that fails, as the original did.
            disable_selinux && disable_firewall && tune_kernel && tune_limits && tune_ssh || exit 1
            ;;
        "10")
            echo "退出终端"
            exit
            ;;
        *) echo "无效选项 $REPLY" ;;
    esac
done