#!/bin/bash
# Description: script to initialise the configuration of a newly provisioned server.
#--------------------------------------------------------------|
# @Program : System_init.sh |
# @Version : 1.7 |
# @Company : BKJK |
# @Dep. : IDC |
# @Writer : wangshibo <shibo.wang@bkjk.com> |
# @Date : 2017-06-08 |
# @Modify : David |
#--------------------------------------------------------------|
#设置内网DNS
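#######################################
# Write the internal-network resolver configuration.
# Overwrites /etc/resolv.conf unconditionally; existing content is lost.
# Fix: the original wrote "server bkjk.cn", which is not a resolv.conf
# keyword (valid ones are nameserver/domain/search/sortlist/options) and
# was silently ignored; "search" is presumably the intended default
# suffix — confirm with whoever owns the DNS zone.
# Globals:   none
# Arguments: none
# Outputs:   none
# Returns:   non-zero if /etc/resolv.conf is not writable
#######################################
set_resolv()
{
/bin/cat << 'EOF' > /etc/resolv.conf
search bkjk.cn
nameserver 172.29.16.27
nameserver 172.29.16.28
options timeout:1
EOF
}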
#设置ntp时间服务
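#######################################
# Sync the clock once from ntp1.aliyun.com and install an hourly root cron
# entry that repeats the sync and writes it to the hardware clock.
# Fixes: the original had a stray '"' after "hwclock -w" that started an
# unterminated string and broke parsing of the whole file; the cron line
# is now appended only when absent so re-runs do not stack duplicates.
# Globals:   none
# Arguments: none
# Outputs:   a coloured banner on stdout
# Returns:   1 if the cron file cannot be written, else the chmod status
#######################################
set_ntp()
{
  local cron_file=/var/spool/cron/root
  local cron_line='00 * * * * /usr/sbin/ntpdate ntp1.aliyun.com;/sbin/hwclock -w'
  printf '\033[32m ***************config ntp*************** \033[0m\n'
  # One-shot sync now; only push the time to the RTC if the sync succeeded.
  /usr/sbin/ntpdate ntp1.aliyun.com && /sbin/hwclock -w
  # grep -F: the line contains '*' and '.' which are regex metacharacters.
  if ! grep -qxF -- "$cron_line" "$cron_file" 2>/dev/null; then
    printf '%s\n' "$cron_line" >> "$cron_file" || return 1
  fi
  chmod 600 "$cron_file"
}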
#关闭防火墙
#######################################
# Disable host-level packet filtering and SELinux on a SysV/iptables host.
# Flushes every iptables rule and user chain, stops the iptables service
# and keeps it off at boot, then switches SELinux from enforcing to
# disabled in /etc/selinux/config (effective at next boot; a "permissive"
# setting is left as is). Not invoked by phy_deploy in this file.
# Globals:   none
# Arguments: none
# Outputs:   a coloured banner on stdout
# Returns:   status of the final sed
#######################################
set_firewall()
{
  printf '\033[32m ***************config firewall*************** \033[0m\n'
  local table_op
  for table_op in -F -X; do
    iptables "$table_op"
  done
  #service iptables save > /dev/null 2>&1
  chkconfig iptables off > /dev/null 2>&1
  service iptables stop > /dev/null 2>&1
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
}
#设置内网yum源(yum.bkjk.cn是内网yum源机器的内网域名)
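#######################################
# Replace every yum repo definition with the internal mirror's files.
# yum.bkjk.cn is the internal DNS name of the internal yum mirror.
# NOTE(review): the repo files are fetched over plain HTTP with no checksum
# or signature check, so anyone who can answer for yum.bkjk.cn on the path
# controls every package installed afterwards; verify the fetched .repo
# files keep gpgcheck enabled.
# Fixes: the cd and each download are now checked; previously a failed
# download left yum with a silently incomplete configuration.
# Globals:   none
# Arguments: none
# Outputs:   yum progress on stdout, download errors on stderr
# Returns:   1 if the directory cannot be entered or a download fails,
#            else the status of "yum makecache"
#######################################
set_repo()
{
  local repo_dir=/etc/yum.repos.d
  local base_url=http://yum.bkjk.cn/repo
  local repo
  # ${var:?} aborts if the variable is ever empty, so this can never
  # expand to "rm -rf /*".
  rm -rf -- "${repo_dir:?}"/*
  cd "$repo_dir" || { printf 'cannot cd to %s\n' "$repo_dir" >&2; return 1; }
  for repo in CentOS-Base.repo epel.repo puppet.repo; do
    wget -q -O "$repo" -- "$base_url/$repo" || {
      printf 'download of %s/%s failed\n' "$base_url" "$repo" >&2
      return 1
    }
  done
  yum clean all
  yum makecache
}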
#设置系统环境变量
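#######################################
# Enlarge and timestamp the shell history and route user.info syslog
# messages to /var/log/history, with logrotate handling for that file.
# Fix: every append is now guarded, so re-running the script no longer
# duplicates lines in /etc/profile, rsyslog.conf and logrotate.d/syslog.
# NOTE(review): nothing here actually emits shell history to syslog — the
# rsyslog rule only captures what some other mechanism (a PROMPT_COMMAND
# hook, a syslog-enabled bash build) already logs at user.info; confirm
# that mechanism exists on the target hosts.
# Globals:   none (sourcing /etc/profile may set HISTSIZE, PATH, ... in
#            this shell only)
# Arguments: none
# Outputs:   rsyslog restart messages
# Returns:   status of the rsyslog restart
#######################################
set_audit ()
{
  local profile=/etc/profile
  local histfmt='HISTTIMEFORMAT="<%F %T>"'
  local syslog_rule='user.info /var/log/history'
  #add syslog audit
  sed -i 's#HISTSIZE=1000#HISTSIZE=3000#' "$profile"
  grep -qF -- "$histfmt" "$profile" || printf '%s\n' "$histfmt" >> "$profile"
  grep -qF -- "$syslog_rule" /etc/rsyslog.conf \
    || printf '%s\n' "$syslog_rule" >> /etc/rsyslog.conf
  # Add /var/log/history to the syslog rotation set, right after the
  # spooler entry, unless it is already listed.
  grep -qF -- '/var/log/history' /etc/logrotate.d/syslog \
    || sed -i "/\/var\/log\/spooler/a/var/log/history" /etc/logrotate.d/syslog
  # Only affects this script's own environment, not interactive users.
  source "$profile"
  /etc/init.d/rsyslog restart
}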
#######################################
# Console hardening for a SysV/Upstart host:
#  - neutralise the Control-Alt-Delete upstart job via an .override file
#  - empty /etc/security/console.apps so console users cannot run
#    reboot/poweroff/halt through consolehelper
#  - make /etc/rc.d/init.d root-only (0700)
#  - blank the pre-login banners /etc/issue and /etc/issue.net
#  - restrict root login to console, vc/1 and tty1 via /etc/securetty
# Globals:   none
# Arguments: none
# Outputs:   progress lines on stdout
# Returns:   0
#######################################
set_security()
{
  local override=/etc/init/control-alt-delete.override
  local banner
  #disable control-alt-delete
  cp /etc/init/control-alt-delete.conf "$override"
  sed -i 's/exec/#exec/' "$override"
  #limit normal user can't reboot poweroff halt
  rm -rf /etc/security/console.apps/*
  printf '%s\n' "/etc/security/console.apps/ is empty now"
  #/etc/rc.d/init.d authority
  chmod -R 700 /etc/rc.d/init.d/
  printf '%s\n' "/etc/rc.d/init.d/ mod is 700 now"
  #delete banner (each file ends up holding a single newline, as before)
  for banner in /etc/issue /etc/issue.net; do
    printf '\n' > "$banner"
  done
  #delete tty
  printf '%s\n' console vc/1 tty1 > /etc/securetty
  printf '%s\n' "tty config is done"
}
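#######################################
# Raise the open-file and process limits for all users.
# Fix: each limits.conf line is appended only when absent, so re-runs do
# not stack duplicates. ulimit -SHn only raises the limit of this script's
# shell; sessions pick up the new values via pam_limits at next login.
# Globals:   none
# Arguments: none
# Outputs:   none
# Returns:   status of ulimit
#######################################
set_tune()
{
  local limits=/etc/security/limits.conf
  local line
  #nofile limits
  for line in \
    " * soft nofile 65535" \
    " * hard nofile 65535" \
    " * soft nproc 102400" \
    " * hard nproc 102400"; do
    grep -qxF -- "$line" "$limits" || printf '%s\n' "$line" >> "$limits"
  done
  ulimit -SHn 65535
}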
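#######################################
# Replace /etc/sysctl.conf with the site kernel tuning and load it.
# Fixes: net.ipv4.conf.all.rp_filter was listed twice (2, then 1) and only
# the last write takes effect, so the dead duplicate is dropped and the
# effective value (1) kept; sysctl's stderr is no longer discarded, so an
# unknown key or a rejected value is visible to whoever runs this.
# Globals:   none
# Arguments: none
# Outputs:   sysctl errors on stderr
# Returns:   status of "sysctl -p" (non-zero if any key was rejected)
#######################################
set_sysctl()
{
/bin/cat << 'EOF' > /etc/sysctl.conf
kernel.sysrq = 1
kernel.core_uses_pid = 1
fs.aio-max-nr = 1048576
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.ip_forward = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12;
# on such kernels sysctl -p reports this key as unknown.
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
# Note: "all" is 1 (strict) while "default" above is 2 (loose) — confirm
# that asymmetry is intended.
net.ipv4.conf.all.rp_filter = 1
net.core.somaxconn = 65535
net.core.rmem_default = 262144
net.core.wmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.tcp_max_syn_backlog = 16384
net.core.netdev_max_backlog = 10000
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_orphan_retries = 0
net.ipv4.tcp_max_orphans = 131072
#fs.file-max = 65536 #os can config
vm.min_free_kbytes = 1048576
vm.swappiness = 10
vm.dirty_ratio = 10
vm.vfs_cache_pressure=150
# vm.drop_caches is a one-shot trigger, not a persistent tunable: every
# "sysctl -p" of this file drops the page cache once.
vm.drop_caches = 1
kernel.panic = 60
EOF
/sbin/sysctl -p >/dev/null
}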
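#######################################
# Remove the legacy system accounts and groups a bare server does not need.
# Fix: names are matched as whole names (^name$). The original unanchored
# grep matched substrings, so an account such as "admin" matched "adm" and
# would have been deleted together with its home directory (userdel -r).
# Globals:   none
# Arguments: none
# Outputs:   one line per removed account/group, or a "no useless" notice
# Returns:   0
#######################################
set_user()
{
  local -r user_re='^(adm|lp|sync|shutdown|halt|news|uucp|operator|games|gopher)$'
  local -r group_re='^(adm|lp|news|uucp|games|dip|pppusers|popusers|slipusers)$'
  local -a found=()
  local name
  #delete useless user
  mapfile -t found < <(awk -F : '{print $1}' /etc/passwd | grep -E -- "$user_re")
  if (( ${#found[@]} == 0 )); then
    printf '%s\n' 'there is no useless user'
  else
    for name in "${found[@]}"; do
      userdel -r "$name" > /dev/null 2>&1
      printf 'delete useless user %s\n' "$name"
    done
    printf '%s\n' '**********************useless user delete complete!**********************'
  fi
  #delete useless group
  mapfile -t found < <(awk -F : '{ print $1 }' /etc/group | grep -E -- "$group_re")
  if (( ${#found[@]} == 0 )); then
    printf '%s\n' 'there is no useless group'
  else
    for name in "${found[@]}"; do
      groupdel "$name" > /dev/null 2>&1
      printf 'delete uesless group %s\n' "$name"
    done
    printf '%s\n' '**********************useless group delete complete!**********************'
  fi
}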
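#######################################
# Adjust the OpenSSH daemon and client configuration, then restart sshd.
# Server: disable GSSAPI auth and reverse DNS, move the port to 22222.
# Client: set StrictHostKeyChecking to "no", uncomment it, send known
# hosts to /dev/null, disable GSSAPI.
# Fix: the original "s/^#/^/" left a literal "^" in front of the option;
# OpenSSH rejects that as a bad configuration option and the client refuses
# to run. sshd -t now validates sshd_config before the restart so a bad
# edit cannot lock out remote access.
# NOTE(review): the client settings switch off host-key verification for
# every outbound ssh from this host, removing its protection against a
# man-in-the-middle on the internal network; confirm this is an accepted
# risk for the fleet and not a convenience setting that leaked in.
# NOTE(review): port 22222 also needs the host firewall and, with SELinux
# enforcing, an ssh_port_t label for that port; neither is done here.
# Globals:   none
# Arguments: none
# Outputs:   diagnostics on stderr
# Returns:   1 if sshd_config fails validation, else the restart status
#######################################
set_ssh()
{
  local sshd_cfg=/etc/ssh/sshd_config
  local ssh_cfg=/etc/ssh/ssh_config
  cp "$sshd_cfg"{,.bak}
  #sed -e 's/\#PermitRootLogin yes/PermitRootLogin no/' -i /etc/ssh/sshd_config > /dev/null 2>&1
  sed -i \
    -e 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' \
    -e 's/#UseDNS yes/UseDNS no/' \
    -e 's/#Port 22/Port 22222/' \
    "$sshd_cfg"
  sed -i \
    -e '/StrictHostKeyChecking/ s/ask/no/' \
    -e '/StrictHostKeyChecking/ s/^#//' \
    -e '/StrictHostKeyChecking/a UserKnownHostsFile \/dev\/null' \
    -e 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' \
    "$ssh_cfg"
  if ! /usr/sbin/sshd -t -f "$sshd_cfg"; then
    printf '%s failed validation, sshd not restarted (backup in %s.bak)\n' \
      "$sshd_cfg" "$sshd_cfg" >&2
    return 1
  fi
  /etc/init.d/sshd restart > /dev/null 2>&1
}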
#######################################
# Install the baseline tool set (compilers, transfer/diagnostic utilities).
# Globals:   none
# Arguments: none
# Outputs:   yum progress on stdout
# Returns:   status of "yum install"
#######################################
set_yumpackage()
{
  local -a pkgs=(
    gcc glibc gcc-c++ make lrzsz tree wget curl lsof dstat vim
    wsmancli ipmitool mtr sysstat ethtool systemtap strace
  )
  yum install -y "${pkgs[@]}"
}
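#######################################
# Run the full provisioning sequence for a physical host, in order.
# Fix: the last step called "set_ntpdate", which does not exist in this
# file; the function is named set_ntp, so time sync never ran.
# set_firewall is defined in this file but deliberately not part of the
# sequence here.
# Globals:   none
# Arguments: none
# Outputs:   whatever the individual steps print
# Returns:   status of set_ntp
#######################################
phy_deploy()
{
  set_resolv
  set_repo
  set_yumpackage
  set_ssh
  set_user
  set_sysctl
  set_security
  set_audit
  set_tune
  set_ntp
}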
#######################################
# Reboot the host immediately so the new sysctl/SELinux/sshd settings and
# the console hardening take effect. Runs unconditionally — nothing above
# it is checked for success first.
# Globals:   none
# Arguments: none
# Outputs:   none
# Returns:   status of shutdown (normally does not matter, the host goes down)
#######################################
set_reboot() {
shutdown -r now
}
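#######################################
# Entry point: provision the host, then reboot it.
# Fix: everything below writes under /etc and restarts services, so refuse
# to run as a non-root user instead of half-applying the configuration.
# Globals:   EUID (read)
# Arguments: none
# Outputs:   an error on stderr when not root
# Returns:   exits 1 when not root; otherwise the host reboots
#######################################
main()
{
  if [[ $EUID -ne 0 ]]; then
    printf 'this script must run as root\n' >&2
    exit 1
  fi
  phy_deploy
  set_reboot
}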
# Script body: hand any command-line arguments to main (it currently ignores them).
main "$@"
# Description: script to initialise the configuration of a newly provisioned server.
#--------------------------------------------------------------|
# @Program : System_init.sh |
# @Version : 1.7 |
# @Company : BKJK |
# @Dep. : IDC |
# @Writer : wangshibo <shibo.wang@bkjk.com> |
# @Date : 2017-06-08 |
# @Modify : David |
#--------------------------------------------------------------|
#设置内网DNS
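#######################################
# Write the internal-network resolver configuration.
# Overwrites /etc/resolv.conf unconditionally; existing content is lost.
# Fix: the original wrote "server bkjk.cn", which is not a resolv.conf
# keyword (valid ones are nameserver/domain/search/sortlist/options) and
# was silently ignored; "search" is presumably the intended default
# suffix — confirm with whoever owns the DNS zone.
# Globals:   none
# Arguments: none
# Outputs:   none
# Returns:   non-zero if /etc/resolv.conf is not writable
#######################################
set_resolv()
{
/bin/cat << 'EOF' > /etc/resolv.conf
search bkjk.cn
nameserver 172.29.16.27
nameserver 172.29.16.28
options timeout:1
EOF
}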
#设置ntp时间服务
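#######################################
# Sync the clock once from ntp1.aliyun.com and install an hourly root cron
# entry that repeats the sync and writes it to the hardware clock.
# Fixes: the original had a stray '"' after "hwclock -w" that started an
# unterminated string and broke parsing of the whole file; the cron line
# is now appended only when absent so re-runs do not stack duplicates.
# Globals:   none
# Arguments: none
# Outputs:   a coloured banner on stdout
# Returns:   1 if the cron file cannot be written, else the chmod status
#######################################
set_ntp()
{
  local cron_file=/var/spool/cron/root
  local cron_line='00 * * * * /usr/sbin/ntpdate ntp1.aliyun.com;/sbin/hwclock -w'
  printf '\033[32m ***************config ntp*************** \033[0m\n'
  # One-shot sync now; only push the time to the RTC if the sync succeeded.
  /usr/sbin/ntpdate ntp1.aliyun.com && /sbin/hwclock -w
  # grep -F: the line contains '*' and '.' which are regex metacharacters.
  if ! grep -qxF -- "$cron_line" "$cron_file" 2>/dev/null; then
    printf '%s\n' "$cron_line" >> "$cron_file" || return 1
  fi
  chmod 600 "$cron_file"
}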
#关闭防火墙
#######################################
# Disable host-level packet filtering and SELinux on a SysV/iptables host.
# Flushes every iptables rule and user chain, stops the iptables service
# and keeps it off at boot, then switches SELinux from enforcing to
# disabled in /etc/selinux/config (effective at next boot; a "permissive"
# setting is left as is). Not invoked by phy_deploy in this file.
# Globals:   none
# Arguments: none
# Outputs:   a coloured banner on stdout
# Returns:   status of the final sed
#######################################
set_firewall()
{
  printf '\033[32m ***************config firewall*************** \033[0m\n'
  local table_op
  for table_op in -F -X; do
    iptables "$table_op"
  done
  #service iptables save > /dev/null 2>&1
  chkconfig iptables off > /dev/null 2>&1
  service iptables stop > /dev/null 2>&1
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
}
#设置内网yum源(yum.bkjk.cn是内网yum源机器的内网域名)
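#######################################
# Replace every yum repo definition with the internal mirror's files.
# yum.bkjk.cn is the internal DNS name of the internal yum mirror.
# NOTE(review): the repo files are fetched over plain HTTP with no checksum
# or signature check, so anyone who can answer for yum.bkjk.cn on the path
# controls every package installed afterwards; verify the fetched .repo
# files keep gpgcheck enabled.
# Fixes: the cd and each download are now checked; previously a failed
# download left yum with a silently incomplete configuration.
# Globals:   none
# Arguments: none
# Outputs:   yum progress on stdout, download errors on stderr
# Returns:   1 if the directory cannot be entered or a download fails,
#            else the status of "yum makecache"
#######################################
set_repo()
{
  local repo_dir=/etc/yum.repos.d
  local base_url=http://yum.bkjk.cn/repo
  local repo
  # ${var:?} aborts if the variable is ever empty, so this can never
  # expand to "rm -rf /*".
  rm -rf -- "${repo_dir:?}"/*
  cd "$repo_dir" || { printf 'cannot cd to %s\n' "$repo_dir" >&2; return 1; }
  for repo in CentOS-Base.repo epel.repo puppet.repo; do
    wget -q -O "$repo" -- "$base_url/$repo" || {
      printf 'download of %s/%s failed\n' "$base_url" "$repo" >&2
      return 1
    }
  done
  yum clean all
  yum makecache
}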
#设置系统环境变量
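#######################################
# Enlarge and timestamp the shell history and route user.info syslog
# messages to /var/log/history, with logrotate handling for that file.
# Fix: every append is now guarded, so re-running the script no longer
# duplicates lines in /etc/profile, rsyslog.conf and logrotate.d/syslog.
# NOTE(review): nothing here actually emits shell history to syslog — the
# rsyslog rule only captures what some other mechanism (a PROMPT_COMMAND
# hook, a syslog-enabled bash build) already logs at user.info; confirm
# that mechanism exists on the target hosts.
# Globals:   none (sourcing /etc/profile may set HISTSIZE, PATH, ... in
#            this shell only)
# Arguments: none
# Outputs:   rsyslog restart messages
# Returns:   status of the rsyslog restart
#######################################
set_audit ()
{
  local profile=/etc/profile
  local histfmt='HISTTIMEFORMAT="<%F %T>"'
  local syslog_rule='user.info /var/log/history'
  #add syslog audit
  sed -i 's#HISTSIZE=1000#HISTSIZE=3000#' "$profile"
  grep -qF -- "$histfmt" "$profile" || printf '%s\n' "$histfmt" >> "$profile"
  grep -qF -- "$syslog_rule" /etc/rsyslog.conf \
    || printf '%s\n' "$syslog_rule" >> /etc/rsyslog.conf
  # Add /var/log/history to the syslog rotation set, right after the
  # spooler entry, unless it is already listed.
  grep -qF -- '/var/log/history' /etc/logrotate.d/syslog \
    || sed -i "/\/var\/log\/spooler/a/var/log/history" /etc/logrotate.d/syslog
  # Only affects this script's own environment, not interactive users.
  source "$profile"
  /etc/init.d/rsyslog restart
}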
#######################################
# Console hardening for a SysV/Upstart host:
#  - neutralise the Control-Alt-Delete upstart job via an .override file
#  - empty /etc/security/console.apps so console users cannot run
#    reboot/poweroff/halt through consolehelper
#  - make /etc/rc.d/init.d root-only (0700)
#  - blank the pre-login banners /etc/issue and /etc/issue.net
#  - restrict root login to console, vc/1 and tty1 via /etc/securetty
# Globals:   none
# Arguments: none
# Outputs:   progress lines on stdout
# Returns:   0
#######################################
set_security()
{
  local override=/etc/init/control-alt-delete.override
  local banner
  #disable control-alt-delete
  cp /etc/init/control-alt-delete.conf "$override"
  sed -i 's/exec/#exec/' "$override"
  #limit normal user can't reboot poweroff halt
  rm -rf /etc/security/console.apps/*
  printf '%s\n' "/etc/security/console.apps/ is empty now"
  #/etc/rc.d/init.d authority
  chmod -R 700 /etc/rc.d/init.d/
  printf '%s\n' "/etc/rc.d/init.d/ mod is 700 now"
  #delete banner (each file ends up holding a single newline, as before)
  for banner in /etc/issue /etc/issue.net; do
    printf '\n' > "$banner"
  done
  #delete tty
  printf '%s\n' console vc/1 tty1 > /etc/securetty
  printf '%s\n' "tty config is done"
}
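#######################################
# Raise the open-file and process limits for all users.
# Fix: each limits.conf line is appended only when absent, so re-runs do
# not stack duplicates. ulimit -SHn only raises the limit of this script's
# shell; sessions pick up the new values via pam_limits at next login.
# Globals:   none
# Arguments: none
# Outputs:   none
# Returns:   status of ulimit
#######################################
set_tune()
{
  local limits=/etc/security/limits.conf
  local line
  #nofile limits
  for line in \
    " * soft nofile 65535" \
    " * hard nofile 65535" \
    " * soft nproc 102400" \
    " * hard nproc 102400"; do
    grep -qxF -- "$line" "$limits" || printf '%s\n' "$line" >> "$limits"
  done
  ulimit -SHn 65535
}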
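#######################################
# Replace /etc/sysctl.conf with the site kernel tuning and load it.
# Fixes: net.ipv4.conf.all.rp_filter was listed twice (2, then 1) and only
# the last write takes effect, so the dead duplicate is dropped and the
# effective value (1) kept; sysctl's stderr is no longer discarded, so an
# unknown key or a rejected value is visible to whoever runs this.
# Globals:   none
# Arguments: none
# Outputs:   sysctl errors on stderr
# Returns:   status of "sysctl -p" (non-zero if any key was rejected)
#######################################
set_sysctl()
{
/bin/cat << 'EOF' > /etc/sysctl.conf
kernel.sysrq = 1
kernel.core_uses_pid = 1
fs.aio-max-nr = 1048576
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.ip_forward = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12;
# on such kernels sysctl -p reports this key as unknown.
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
# Note: "all" is 1 (strict) while "default" above is 2 (loose) — confirm
# that asymmetry is intended.
net.ipv4.conf.all.rp_filter = 1
net.core.somaxconn = 65535
net.core.rmem_default = 262144
net.core.wmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.tcp_max_syn_backlog = 16384
net.core.netdev_max_backlog = 10000
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_orphan_retries = 0
net.ipv4.tcp_max_orphans = 131072
#fs.file-max = 65536 #os can config
vm.min_free_kbytes = 1048576
vm.swappiness = 10
vm.dirty_ratio = 10
vm.vfs_cache_pressure=150
# vm.drop_caches is a one-shot trigger, not a persistent tunable: every
# "sysctl -p" of this file drops the page cache once.
vm.drop_caches = 1
kernel.panic = 60
EOF
/sbin/sysctl -p >/dev/null
}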
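#######################################
# Remove the legacy system accounts and groups a bare server does not need.
# Fix: names are matched as whole names (^name$). The original unanchored
# grep matched substrings, so an account such as "admin" matched "adm" and
# would have been deleted together with its home directory (userdel -r).
# Globals:   none
# Arguments: none
# Outputs:   one line per removed account/group, or a "no useless" notice
# Returns:   0
#######################################
set_user()
{
  local -r user_re='^(adm|lp|sync|shutdown|halt|news|uucp|operator|games|gopher)$'
  local -r group_re='^(adm|lp|news|uucp|games|dip|pppusers|popusers|slipusers)$'
  local -a found=()
  local name
  #delete useless user
  mapfile -t found < <(awk -F : '{print $1}' /etc/passwd | grep -E -- "$user_re")
  if (( ${#found[@]} == 0 )); then
    printf '%s\n' 'there is no useless user'
  else
    for name in "${found[@]}"; do
      userdel -r "$name" > /dev/null 2>&1
      printf 'delete useless user %s\n' "$name"
    done
    printf '%s\n' '**********************useless user delete complete!**********************'
  fi
  #delete useless group
  mapfile -t found < <(awk -F : '{ print $1 }' /etc/group | grep -E -- "$group_re")
  if (( ${#found[@]} == 0 )); then
    printf '%s\n' 'there is no useless group'
  else
    for name in "${found[@]}"; do
      groupdel "$name" > /dev/null 2>&1
      printf 'delete uesless group %s\n' "$name"
    done
    printf '%s\n' '**********************useless group delete complete!**********************'
  fi
}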
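#######################################
# Adjust the OpenSSH daemon and client configuration, then restart sshd.
# Server: disable GSSAPI auth and reverse DNS, move the port to 22222.
# Client: set StrictHostKeyChecking to "no", uncomment it, send known
# hosts to /dev/null, disable GSSAPI.
# Fix: the original "s/^#/^/" left a literal "^" in front of the option;
# OpenSSH rejects that as a bad configuration option and the client refuses
# to run. sshd -t now validates sshd_config before the restart so a bad
# edit cannot lock out remote access.
# NOTE(review): the client settings switch off host-key verification for
# every outbound ssh from this host, removing its protection against a
# man-in-the-middle on the internal network; confirm this is an accepted
# risk for the fleet and not a convenience setting that leaked in.
# NOTE(review): port 22222 also needs the host firewall and, with SELinux
# enforcing, an ssh_port_t label for that port; neither is done here.
# Globals:   none
# Arguments: none
# Outputs:   diagnostics on stderr
# Returns:   1 if sshd_config fails validation, else the restart status
#######################################
set_ssh()
{
  local sshd_cfg=/etc/ssh/sshd_config
  local ssh_cfg=/etc/ssh/ssh_config
  cp "$sshd_cfg"{,.bak}
  #sed -e 's/\#PermitRootLogin yes/PermitRootLogin no/' -i /etc/ssh/sshd_config > /dev/null 2>&1
  sed -i \
    -e 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' \
    -e 's/#UseDNS yes/UseDNS no/' \
    -e 's/#Port 22/Port 22222/' \
    "$sshd_cfg"
  sed -i \
    -e '/StrictHostKeyChecking/ s/ask/no/' \
    -e '/StrictHostKeyChecking/ s/^#//' \
    -e '/StrictHostKeyChecking/a UserKnownHostsFile \/dev\/null' \
    -e 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' \
    "$ssh_cfg"
  if ! /usr/sbin/sshd -t -f "$sshd_cfg"; then
    printf '%s failed validation, sshd not restarted (backup in %s.bak)\n' \
      "$sshd_cfg" "$sshd_cfg" >&2
    return 1
  fi
  /etc/init.d/sshd restart > /dev/null 2>&1
}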
#######################################
# Install the baseline tool set (compilers, transfer/diagnostic utilities).
# Globals:   none
# Arguments: none
# Outputs:   yum progress on stdout
# Returns:   status of "yum install"
#######################################
set_yumpackage()
{
  local -a pkgs=(
    gcc glibc gcc-c++ make lrzsz tree wget curl lsof dstat vim
    wsmancli ipmitool mtr sysstat ethtool systemtap strace
  )
  yum install -y "${pkgs[@]}"
}
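#######################################
# Run the full provisioning sequence for a physical host, in order.
# Fix: the last step called "set_ntpdate", which does not exist in this
# file; the function is named set_ntp, so time sync never ran.
# set_firewall is defined in this file but deliberately not part of the
# sequence here.
# Globals:   none
# Arguments: none
# Outputs:   whatever the individual steps print
# Returns:   status of set_ntp
#######################################
phy_deploy()
{
  set_resolv
  set_repo
  set_yumpackage
  set_ssh
  set_user
  set_sysctl
  set_security
  set_audit
  set_tune
  set_ntp
}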
#######################################
# Reboot the host immediately so the new sysctl/SELinux/sshd settings and
# the console hardening take effect. Runs unconditionally — nothing above
# it is checked for success first.
# Globals:   none
# Arguments: none
# Outputs:   none
# Returns:   status of shutdown (normally does not matter, the host goes down)
#######################################
set_reboot() {
shutdown -r now
}
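#######################################
# Entry point: provision the host, then reboot it.
# Fix: everything below writes under /etc and restarts services, so refuse
# to run as a non-root user instead of half-applying the configuration.
# Globals:   EUID (read)
# Arguments: none
# Outputs:   an error on stderr when not root
# Returns:   exits 1 when not root; otherwise the host reboots
#######################################
main()
{
  if [[ $EUID -ne 0 ]]; then
    printf 'this script must run as root\n' >&2
    exit 1
  fi
  phy_deploy
  set_reboot
}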
# Script body: hand any command-line arguments to main (it currently ignores them).
main "$@"