#!/bin/bash
#
#################################################
#												#
#author  sand  by 								#
#this script is only for CentOS 7.x				#
#Optimization system							#
#Contact QQ:2822328929 WX:NAT-bin				#
#												#
####功能##############功能###############功能######
#	1. 关闭selinux  清空iptables					#
#   2. 更新yum源及必要软件安装              		#
#   3. 设置定时自动更新服务器时间           		#
#   4. 添加普通用户进行sudo授权管理         		#
#   5. 修改字符集支持中文                   		#
#   6. 禁止root用户远程连接SSH	 					#
#	7. 添加历史命令记录							#
# 	8. 锁定关键文件系统							#
# 	9. 内核参数优化(详细见命令)           		#
#################################################


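#
#  0. Configure a static IP address
#
# Interface and addresses are parameters; the defaults are the values the
# original script hard-coded, so running it without them behaves as before.
NET_IFACE=${NET_IFACE:-ens33}
NET_IPADDR=${NET_IPADDR:-192.168.76.99}
NET_NETMASK=${NET_NETMASK:-255.255.255.0}
NET_GATEWAY=${NET_GATEWAY:-192.168.76.1}
ifcfg=/etc/sysconfig/network-scripts/ifcfg-${NET_IFACE}

# Stop instead of appending address lines to a file that does not exist.
[[ -f "$ifcfg" ]] || { printf 'missing %s\n' "$ifcfg" >&2; exit 1; }

# Anchored on the key so the change applies whatever the current value is
# (the original only matched BOOTPROTO=none / ONBOOT=no).
sed -i 's/^BOOTPROTO=.*/BOOTPROTO=static/' "$ifcfg"
sed -i 's/^ONBOOT=.*/ONBOOT=yes/' "$ifcfg"

# Set each address key in place when present, append when absent; unconditional
# appends leave duplicate (and conflicting) lines after a second run.
for kv in "IPADDR=${NET_IPADDR}" "NETMASK=${NET_NETMASK}" "GATEWAY=${NET_GATEWAY}"; do
  key=${kv%%=*}
  if grep -q "^${key}=" "$ifcfg"; then
    sed -i "s|^${key}=.*|${kv}|" "$ifcfg"
  else
    printf '%s\n' "$kv" >>"$ifcfg"
  fi
done

# Restarting networking drops the current SSH session when the address
# changes; run from the console or expect to reconnect on the new address.
systemctl restart network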



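#
#  1. Disable SELinux, stop firewalld, flush iptables
#
# Security note: this removes the host's mandatory access control and all
# packet filtering. SELINUX=disabled takes effect at the next boot and turning
# it back on later forces a full filesystem relabel; permissive mode plus a
# minimal allowlist firewall is the usual compromise for a web host.

echo 'off selinux and Clear firewall'
# Anchored on the key so permissive/enforcing are both turned into disabled
# and a commented example line is left alone.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
# setenforce exits non-zero when SELinux is already disabled; not an error here.
setenforce 0 2>/dev/null || true

systemctl stop firewalld
systemctl disable firewalld

# Flushing leaves the chain policies untouched: if INPUT is already DROP,
# removing the rules cuts off all inbound traffic including this SSH session.
iptables -F && iptables -X && iptables -Z
# CentOS 7 ships no /etc/rc.d/init.d/iptables; saving rules needs the
# iptables-services package, which provides "service iptables save" and the
# iptables unit. The original "systemctl iptables restart" had the verb and
# unit swapped and always failed.
if rpm -q iptables-services >/dev/null 2>&1; then
  service iptables save
  systemctl restart iptables
fi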


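#
#  2. Configure yum repositories (installation DVD + mirror) and refresh metadata
#
# yum makecache

repodir=/etc/yum.repos.d

# Local repository from the installation DVD. Fail fast if the disc cannot be
# mounted; otherwise the repo definition below points at an empty directory.
mount /dev/sr0 /mnt || { printf 'cannot mount /dev/sr0 on /mnt\n' >&2; exit 1; }
# The original cd was unchecked, so "rm -rf *.repo" ran in whatever the cwd was.
cd "$repodir" || exit 1
[[ -f CentOS-Base.repo ]] && mv -f CentOS-Base.repo CentOS-Base.repo.bak
rm -f -- ./*.repo

# Quoted delimiter: nothing here should be expanded by the shell.
cat >localbase.repo <<'EOF'
[sr0]
name=local - base
baseurl=file:///mnt
enabled=1
gpgcheck=1
gpgkey=file:///mnt/RPM-GPG-KEY-CentOS-7
EOF

# Supply chain: fetch the mirror definition over TLS and fail on HTTP errors
# (without -f an error page would be saved as the repo file). The original
# then rewrote gpgcheck=1 to gpgcheck=0 for the mirror, which disables RPM
# signature verification for every package installed from it: a tampered or
# spoofed mirror could then deliver arbitrary code that runs as root. The
# downloaded file is left as distributed so signature checking stays on.
curl -fsSL -o "$repodir/CentOS-Base.repo" https://mirrors.aliyun.com/repo/Centos-7.repo \
  || { printf 'failed to download CentOS-Base.repo\n' >&2; exit 1; }

yum makecache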

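#
#  3. Periodic clock sync via cron   (rdate -s  or  ntpdate -u)
#
#   China National Time Service Center: 210.72.145.44   ---- currently unusable
#   NTP server (Shanghai): ntp.api.bz
#   China NTP pool: cn.pool.ntp.org
#   pool.ntp.org
#
# On CentOS 7 chronyd is the supported time service and steers the clock
# smoothly; a cron-driven ntpdate steps it every five minutes instead. Kept as
# the author wrote it, but made idempotent: re-running the script no longer
# appends a second copy of the job to root's crontab.
cron_job='*/5 * * * * /usr/sbin/ntpdate -u ntp.api.bz && /sbin/hwclock -w '
cron_file=/var/spool/cron/root
if ! grep -qF -- "$cron_job" "$cron_file" 2>/dev/null; then
  printf '%s\n' "$cron_job" >>"$cron_file"
  # crontab files in the spool are expected to be private to their owner.
  chmod 600 "$cron_file"
fi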


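#
#  4. Create an administrative user and grant sudo
#
# tail /etc/sudoers

# NOTE(review): the original creates user send-1 but grants sudo to liwen.
# Both names are kept as separate parameters with the original defaults —
# confirm which account is actually meant to administer the host.
NEW_USER=${NEW_USER:-send-1}
SUDO_USER_NAME=${SUDO_USER_NAME:-liwen}
# The original hard-coded the password 123456 in the script. The same default
# is used when NEW_USER_PASSWORD is not supplied, but it is then expired so the
# account cannot be used until the password is changed at first login.
force_change=0
if [[ -z "${NEW_USER_PASSWORD:-}" ]]; then
  NEW_USER_PASSWORD=123456
  force_change=1
fi

if ! id -u "$NEW_USER" >/dev/null 2>&1; then
  useradd "$NEW_USER" || exit 1
fi
# Password goes over stdin, not argv, so it never shows up in ps output.
# The original's trailing "history -c" did nothing: a non-interactive script
# keeps no command history.
printf '%s\n' "$NEW_USER_PASSWORD" | passwd --stdin "$NEW_USER" || exit 1
if (( force_change )); then
  chage -d 0 "$NEW_USER"
fi

# NOPASSWD: ALL makes this account's password (or SSH key) equivalent to root;
# requiring the password for sudo is the safer default.
sudo_rule="${SUDO_USER_NAME}       ALL=(ALL)      NOPASSWD: ALL"
# Validate after editing: a syntax error in /etc/sudoers disables sudo for
# everyone, and with root SSH login turned off later that locks out the box.
cp -p /etc/sudoers /etc/sudoers.bak
if ! grep -qF -- "$sudo_rule" /etc/sudoers; then
  printf '%s\n' "$sudo_rule" >>/etc/sudoers
  if ! visudo -cf /etc/sudoers >/dev/null; then
    cp -p /etc/sudoers.bak /etc/sudoers
    printf 'sudoers validation failed, change reverted\n' >&2
    exit 1
  fi
fi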


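#
#  5. Set the system locale so Chinese text displays correctly
#
# echo $LANG

# The original line appears garbled (`echo "token string">"" > /etc/locale.conf`):
# it redirects to an empty filename, so /etc/locale.conf was never written and
# the following source failed. Write the single LANG= line that
# /etc/locale.conf holds on CentOS 7 (localectl set-locale does the same).
LANG=zh_CN.UTF-8
export LANG
printf 'LANG=%s\n' "$LANG" >/etc/locale.conf || exit 1
# shellcheck disable=SC1091 — file written just above
source /etc/locale.conf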


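#
#  6. Harden sshd: non-default port, no root login, no empty passwords
#  cat /etc/ssh/sshd_config|egrep 'PermitEmptyPasswords|UseDNS|Port|GSSAPIAuthentication|PermitRootLogin'
#
SSHD_PORT=${SSHD_PORT:-52113}
sshd_cfg=/etc/ssh/sshd_config
cp -p "$sshd_cfg" "${sshd_cfg}.bak"

# The original substitutions matched only the commented default lines
# (e.g. "#Port 22") and silently did nothing on a config that had already
# been edited. Anchoring on the key, commented or not, applies the setting
# whatever the current value is.
sed -i -e "s/^#\?Port .*/Port ${SSHD_PORT}/" \
       -e 's/^#\?PermitRootLogin .*/PermitRootLogin no/' \
       -e 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords no/' \
       -e 's/^#\?GSSAPIAuthentication .*/GSSAPIAuthentication no/' \
       -e 's/^#\?UseDNS .*/UseDNS no/' "$sshd_cfg"

# Validate before restarting: a broken sshd_config leaves sshd down and the
# host unreachable. Disabling root login only makes sense once the sudo user
# from step 4 has been verified to log in.
if ! sshd -t; then
  cp -p "${sshd_cfg}.bak" "$sshd_cfg"
  printf 'sshd_config invalid, change reverted\n' >&2
  exit 1
fi
# The moved port works here only because SELinux and firewalld were disabled
# in step 1; on an enforcing/firewalled host allow it first with
# "semanage port" and "firewall-cmd". /etc/init.d/sshd does not exist on
# CentOS 7 (systemd), so the original restart never ran.
systemctl restart sshd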






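#
#  7. Record each user's shell history
#
# Layout: /var/log/history/<user>/<user>@<login-ip>_<timestamp>, one file per
# login session holding everything typed in it. root is written to the same
# tree when it logs in — the original comment says root is excluded, but
# nothing in the snippet excludes it.
#
# Two fixes to the original:
#  * it used "cat > /etc/profile", replacing the system profile (PATH setup,
#    umask, sourcing of /etc/profile.d) with this snippet. It is now a drop-in
#    under /etc/profile.d, which /etc/profile sources at login.
#  * the here-doc delimiter was unquoted, so `whoami`, `who`, $NF, ${LOGNAME}
#    and $DT were expanded once, as root, while the file was being written
#    rather than at each user's login. Quoting OFF keeps them literal.
history_snippet=/etc/profile.d/cmd_history.sh
cat >"$history_snippet" <<'OFF'
USER=$(whoami)
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ "$USER_IP" = "" ]; then
  USER_IP=$(hostname)
fi
# Sticky bit: a user may create their own directory but cannot remove or
# rename another user's (the original 777 allowed that).
if [ ! -d /var/log/history ]; then
  mkdir /var/log/history
  chmod 1777 /var/log/history
fi
if [ ! -d "/var/log/history/${LOGNAME}" ]; then
  mkdir "/var/log/history/${LOGNAME}"
  chmod 300 "/var/log/history/${LOGNAME}"
fi
export HISTSIZE=4096
DT=$(date +"%Y%m%d_%H:%M:%S")
export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
chmod 600 "/var/log/history/${LOGNAME}"/*history* 2>/dev/null
OFF
chmod 644 "$history_snippet"
# The user owns the history file and can edit it or unset HISTFILE, so this is
# an audit convenience, not tamper-resistant logging; auditd / pam_tty_audit
# is the mechanism for that.
# Sourced now, as root, so /var/log/history exists before the first non-root
# login (an ordinary user cannot create a directory under /var/log).
# shellcheck disable=SC1090
source "$history_snippet"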


#
#  8. Make the account database files immutable
#
# The flag must be cleared with "chattr -i" before any useradd/passwd/chage
# run, or those commands fail. The author suggests renaming chattr
# (mv /usr/bin/chattr /usr/bin/lockcmd) so the unlock command is harder to
# find; that is obscurity only and not access control. /etc/inittab is a
# stub on CentOS 7 and is listed for completeness.
#
locked_files=(/etc/passwd /etc/inittab /etc/shadow /etc/group /etc/gshadow)
chattr +i "${locked_files[@]}"


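#
#  9. Kernel network tuning
#  Suited to apache, nginx, squid and similar web workloads; special
#  workloads may need adjustment.
#  tail /etc/sysctl.conf
#
# Written as a sysctl.d drop-in instead of appending to /etc/sysctl.conf so a
# second run replaces the settings rather than stacking duplicate lines.
# Changes from the original list:
#  * net.ipv4.tcp_tw_recycle = 1 dropped: with TCP timestamps it rejects
#    connections from clients behind the same NAT, and later kernels removed
#    the knob entirely.
#  * NOTE(review): the net.ipv4.ip_conntrack_max / net.ipv4.netfilter.*
#    keys are the pre-nf_conntrack names and may not exist on the CentOS 7
#    kernel; the same values are applied under the net.netfilter.nf_conntrack_*
#    names the author had commented out. Those keys exist only while the
#    nf_conntrack module is loaded, which is not guaranteed once firewalld has
#    been stopped in step 1 — verify with "sysctl net.netfilter.nf_conntrack_max".
sysctl_file=/etc/sysctl.d/99-web-tuning.conf
cat >"$sysctl_file" <<'EOF'
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
net.netfilter.nf_conntrack_max = 65536
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
#防火墙优化
#net.nf_conntrack_max = 25000000
#net.netfilter.nf_conntrack_max = 25000000
#net.netfilter.nf_conntrack_tcp_timeout_established = 180
#net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
#net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
#net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
# --system loads every sysctl.d/*.conf and /etc/sysctl.conf; "-p" alone reads
# only /etc/sysctl.conf and would skip the drop-in written above.
/sbin/sysctl --system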