#!/bin/bash
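#set env
# Make the admin binaries reachable even when invoked with a minimal PATH.
export PATH=$PATH:/bin:/sbin:/usr/sbin
# Every step edits files under /etc, so refuse to run unprivileged. The
# effective uid is what matters for those writes; fall back to id -u when
# the shell does not provide EUID.
if [ "${EUID:-$(id -u)}" != "0" ]; then
  echo "please run this script by root." >&2
  exit 1
fi
#define cmd var
# command -v is the portable replacement for `which`. The variable names are
# kept (a file sourcing this script may read them); both are empty when the
# tool is missing, exactly as a failed `which` left them.
SERVICE=$(command -v service)
CHKCONFIG=$(command -v chkconfig)
# wget is required by mod_yum, so it is installed before the menu is shown.
yum install -y wget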
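# Replace the yum mirror configuration (menu entry 1).
#######################################
# Swap /etc/yum.repos.d/CentOS-Base.repo for the Aliyun CentOS 6 mirror file.
# The pristine file is kept as CentOS-Base.repo.backup and is never
# overwritten on a re-run (the original moved the current file over the
# backup every time). The download lands in a temp file first, so a failed
# fetch leaves the working repo configuration in place; the original moved
# the repo file away before downloading and left yum with no repo on failure.
# The mirror is fetched over TLS: a repo file controls package URLs and
# gpgcheck settings, so a plain-http fetch lets a network attacker pick
# what yum installs.
# Returns: 0 on success or when there is no repo file, 1 if the fetch fails.
#######################################
function mod_yum(){
  local repo=/etc/yum.repos.d/CentOS-Base.repo
  local backup=${repo}.backup
  local url=https://mirrors.aliyun.com/repo/Centos-6.repo
  local tmp
  [ -e "$repo" ] || return 0
  if [ ! -e "$backup" ]; then
    cp -p -- "$repo" "$backup"
  fi
  tmp=$(mktemp) || return 1
  if wget -q -O "$tmp" "$url"; then
    mv -f -- "$tmp" "$repo"
    chmod 0644 -- "$repo"
  else
    echo "mod_yum: download of $url failed, keeping current $repo" >&2
    rm -f -- "$tmp"
    return 1
  fi
}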
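# Disable SELinux (menu entry 2).
#######################################
# Persistently set SELINUX=disabled in /etc/selinux/config and switch the
# running system to permissive with setenforce.
# The original sed expression was missing its closing delimiter
# ("s/SELINUX=enforcing/SELINUX=disabled"), so the config file was never
# changed and SELinux came back after every reboot.
# Disabling SELinux removes a containment layer; "permissive" would keep the
# AVC audit records for incident review while not blocking anything. The
# original's choice (disabled) is kept.
#######################################
function close_selinux(){
  local cfg=/etc/selinux/config
  if [ -e "$cfg" ]; then
    # Anchored so the commented example line in the file is not rewritten.
    sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' "$cfg"
  fi
  # Best effort: non-zero when SELinux is already disabled or not built in.
  setenforce 0 &>/dev/null
}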
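# Stop the host firewall (menu entry 3).
#######################################
# Stop and disable iptables (CentOS 6 SysV service) and firewalld (CentOS 7,
# where service/chkconfig forward the request to systemctl).
# The original ran the iptables stop twice; here each service is handled
# once and the missing-service noise on the other release is suppressed.
# Note that this leaves the host with no packet filter until init_ssh adds
# its rules, so run it on a network you trust.
#######################################
function close_iptables(){
  if [ -x /etc/init.d/iptables ]; then
    /etc/init.d/iptables stop
    chkconfig iptables off
  fi
  service firewalld stop 2>/dev/null
  chkconfig firewalld off 2>/dev/null
}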
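# Turn off unneeded boot services (menu entry 4).
#######################################
# Disable every SysV service at boot, then re-enable the allow-list
# (crond, sshd, network, rsyslog, sysstat).
# The menu in main() invoked this as least_service while the original only
# defined lease_service, so option 4 failed with "command not found"; both
# names are defined here so either spelling works.
# Service names are passed to chkconfig as arguments instead of piping
# generated "chkconfig X off" text into bash, and only rows with run-level
# columns ("name 0:off 1:off ...") are used, which skips the
# "xinetd based services:" header and its indented entries.
#######################################
function lease_service(){
  local svc
  while read -r svc; do
    chkconfig "$svc" off
  done < <(chkconfig --list 2>/dev/null | awk '$2 ~ /^[0-6]:/ {print $1}')
  while read -r svc; do
    chkconfig "$svc" on
  done < <(chkconfig --list 2>/dev/null | awk '$2 ~ /^[0-6]:/ {print $1}' | egrep "crond|sshd|network|rsyslog|sysstat")
}
# Name used by the menu; same behaviour as lease_service.
function least_service(){
  lease_service "$@"
}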
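# Add the administrative user (menu entry 5).
#######################################
# Create user "hat" with passwordless sudo. The function name shadows the
# adduser(8) binary, but the body calls useradd, so nothing recurses.
# Changes from the original:
#   * The password came from a literal inside the script, so every host set
#     up with it shared one known credential. It is now read from the
#     HAT_PASSWORD environment variable and passed to passwd on stdin; when
#     unset, the account is created without a password and the operator is
#     told to run `passwd hat`.
#   * The sudoers line is appended to a copy that is checked with
#     `visudo -c -f` before it replaces /etc/sudoers; the original appended
#     in place and discarded the visudo result, so a bad edit would have
#     broken sudo for everyone.
#   * Existence is tested with getent; `grep -w hat /etc/passwd` also
#     matched "hat" inside another user's GECOS or home path.
# Primary group root (`-g root`) is the original's choice; a dedicated group
# is the usual practice — TODO confirm with the owner before changing it.
# Globals: HAT_PASSWORD (read)
# Returns: 0 on success or if hat already exists, 1 on sudoers failure.
#######################################
function adduser(){
  #4.add hat and sudo
  local sudoers=/etc/sudoers
  local tmp
  if getent passwd hat >/dev/null; then
    return 0
  fi
  useradd hat -g root
  if [ -n "${HAT_PASSWORD:-}" ]; then
    printf '%s\n' "$HAT_PASSWORD" | passwd --stdin hat
  else
    echo "adduser: HAT_PASSWORD not set; run 'passwd hat' to set a password" >&2
  fi
  \cp "$sudoers" /etc/sudoers.ori
  tmp=$(mktemp) || return 1
  cp -- "$sudoers" "$tmp"
  echo "hat ALL=(ALL) NOPASSWD: ALL " >>"$tmp"
  if visudo -c -f "$tmp" >/dev/null 2>&1; then
    cp -- "$tmp" "$sudoers"
    chmod 0440 -- "$sudoers"
    tail -1 "$sudoers"
  else
    echo "adduser: new sudoers failed visudo check, $sudoers left unchanged" >&2
    rm -f -- "$tmp"
    return 1
  fi
  rm -f -- "$tmp"
}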
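# Set the default locale to Chinese (menu entry 6).
#######################################
# Write LANG="zh_CN.UTF-8" to /etc/sysconfig/i18n (the CentOS 6 location;
# CentOS 7 reads /etc/locale.conf, which is not touched) and source it so
# the running shell picks the value up.
# The backup is taken only when the file exists and only once, so a re-run
# does not replace the pristine copy with this one-line version.
#######################################
function charset(){
  #5.charset config
  local i18n=/etc/sysconfig/i18n
  if [ -e "$i18n" ] && [ ! -e "${i18n}.ori" ]; then
    cp -p -- "$i18n" "${i18n}.ori"
  fi
  echo 'LANG="zh_CN.UTF-8"' >"$i18n"
  source "$i18n"
  #echo $LANG
}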
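# Time synchronisation (menu entry 7).
#######################################
# Install a root cron job that runs ntpdate every 5 minutes, so log
# timestamps across hosts line up. The entry is installed with `crontab -`
# instead of appending to /var/spool/cron/root directly, which bypassed
# cron's locking and syntax check; the job line itself is unchanged.
# Idempotent: nothing is added when root's crontab already mentions ntpdate.
# ntpdate steps the clock; a continuously slewing daemon (ntpd/chrony) is
# gentler on time-sensitive services — presumably out of scope here.
#######################################
function time_sync(){
  #6.time sync.
  local current
  current=$(crontab -l 2>/dev/null)
  if ! grep -qw "ntpdate" <<<"$current"; then
    {
      [ -n "$current" ] && printf '%s\n' "$current"
      printf '%s\n' "#time sync"
      printf '%s\n' "*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1"
    } | crontab -
    crontab -l
  fi
}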
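#######################################
# Drop every line of FILE matching PATTERN (a sed regex, unanchored like the
# original's), then append LINE, so exactly one authoritative setting remains.
# Arguments: $1 - file, $2 - regex of lines to delete, $3 - line to append
#######################################
_replace_line() {
  local file=$1 pattern=$2 line=$3
  sed -i "/${pattern}/d" -- "$file"
  printf '%s\n' "$line" >>"$file"
}

#######################################
# Shell-session and password-policy settings (menu entry 8):
#   * /etc/profile: idle timeout TMOUT=600 and HISTSIZE/HISTFILESIZE=5.
#     The original appended these only when at least three matches already
#     existed (`-ge 3`), i.e. never on a fresh host and repeatedly afterwards;
#     the check is now "fewer than three present".
#   * /etc/login.defs: password ageing and UMASK 077.
#   * /etc/security/pwquality.conf: complexity rules. The file exists on
#     CentOS 7+; on CentOS 6 it is skipped instead of being created, since
#     pam_cracklib there reads its options from /etc/pam.d/system-auth.
# Values are the original's. Two of them deserve a second look:
# HISTSIZE=5 leaves almost no shell history for incident review, and
# pwquality minlen=8 is the effective minimum — PAM-based password changes
# do not enforce login.defs PASS_MIN_LEN, so the 12 there is not applied.
#######################################
function com_line_set(){
  #7.command set.
  local profile=/etc/profile
  local logindefs=/etc/login.defs
  local pwq=/etc/security/pwquality.conf
  if [ "$(egrep -c "TMOUT|HISTSIZE|HISTFILESIZE" "$profile")" -lt 3 ]; then
    echo "export TMOUT=600" >>"$profile"
    echo "export HISTSIZE=5" >>"$profile"
    echo "export HISTFILESIZE=5" >>"$profile"
    . "$profile"
  fi
  _replace_line "$logindefs" PASS_MAX_DAYS "PASS_MAX_DAYS 90"
  _replace_line "$logindefs" PASS_MIN_LEN "PASS_MIN_LEN 12"
  _replace_line "$logindefs" PASS_MIN_DAYS "PASS_MIN_DAYS 7"
  _replace_line "$logindefs" PASS_WARN_AGE "PASS_WARN_AGE 30"
  _replace_line "$logindefs" UMASK "UMASK 077"
  if [ -e "$pwq" ]; then
    _replace_line "$pwq" minlen "minlen = 8"
    _replace_line "$pwq" minclass "minclass = 1"
    _replace_line "$pwq" maxrepeat "maxrepeat = 0"
    _replace_line "$pwq" maxclassrepeat "maxclassrepeat = 4"
    _replace_line "$pwq" lcredit "lcredit = -1"
    _replace_line "$pwq" ucredit "ucredit = -1"
    _replace_line "$pwq" dcredit "dcredit = -1"
    _replace_line "$pwq" ocredit "ocredit = -1"
    _replace_line "$pwq" difok "difok = 5"
  fi
}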
# Raise the open-file limit (menu entry 9).
#######################################
# Append "* - nofile 65535" to /etc/security/limits.conf unless some line
# already contains 65535, then show the last line as confirmation.
# The "*" wildcard does not cover root on stock limits.conf — verify if root
# processes need the higher limit.
#######################################
function open_file_set(){
  #8.increase open file.
  local limits=/etc/security/limits.conf
  if ! grep -q 65535 "$limits"; then
    echo "* - nofile 65535 " >>"$limits"
    tail -1 "$limits"
  fi
}
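#######################################
# Append the network tuning block to /etc/sysctl.conf and apply it
# (menu entry 10). The "#kernel_flag" marker keeps the append idempotent.
# The original wrote `cat >>/etc/sysctl.conf<` — a lone `<` before a
# newline is a parse error, and because bash parses a function body when it
# is defined, the whole script refused to load. It is now a quoted here-doc.
# Settings are the original's; two caveats from a defender's point of view:
#   * net.ipv4.tcp_tw_recycle breaks clients behind NAT and was removed in
#     Linux 4.12, so `sysctl -p` reports it as unknown on newer kernels.
#   * the net.netfilter.* keys only exist while nf_conntrack is loaded;
#     `sysctl -p` prints an error for them otherwise.
#######################################
function set_kernel(){
  #9.kernel set.
  local sysctl_conf=/etc/sysctl.conf
  if grep -q kernel_flag "$sysctl_conf"; then
    return 0
  fi
  cat >>"$sysctl_conf" <<'EOF'
#kernel_flag
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
  sysctl -p
}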
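# Harden sshd (menu entry 11).
#######################################
# Move sshd to port 52113, turn off DNS and GSSAPI lookups, and restrict
# access to 192.168.10.0/24 with tcp_wrappers and iptables.
# Port and subnet can be overridden with SSH_PORT / SSH_ALLOW_NET (defaults
# are the original's hard-coded values).
# Changes from the original:
#   * `sshd -t` checks the edited config before the restart; a restart on a
#     broken file would have left the host without sshd.
#   * `iptables save` is not a valid iptables invocation — the rules were
#     never persisted and vanished on reboot; `service iptables save` is used.
#   * the duplicated GSSAPI sed is dropped and the hosts.allow/hosts.deny
#     lines are added only once.
# The sed expressions only match the commented stock defaults, so a
# previously edited sshd_config is left as is.
# This is the lock-out step: run it from a session inside SSH_ALLOW_NET and
# keep that session open until a fresh login on SSH_PORT succeeds.
# PermitRootLogin is untouched, as in the original (the line stays
# commented out below).
# Globals: SSH_PORT, SSH_ALLOW_NET (read)
# Returns: 0 on success, 1 if sshd_config fails the syntax check.
#######################################
function init_ssh(){
  local cfg=/etc/ssh/sshd_config
  local port=${SSH_PORT:-52113}
  local net=${SSH_ALLOW_NET:-192.168.10.0/24}
  cp -p -- "$cfg" "${cfg}.$(date +"%Y-%m-%d_%H-%M-%S")"
  sed -i "s%#Port 22%Port ${port}%" "$cfg"
  #sed -i "s%#PermitRootLogin yes%PermitRootLogin no%" /etc/ssh/sshd_config;
  sed -i "s%#PermitEmptyPasswords no%PermitEmptyPasswords no%" "$cfg"
  sed -i "s%#UseDNS yes%UseDNS no%" "$cfg"
  sed -i "s%GSSAPIAuthentication yes%GSSAPIAuthentication no%" "$cfg"
  #sed -i "$a\AllowUsers hat" /etc/ssh/sshd_config;
  if sshd -t 2>/dev/null; then
    service sshd restart &>/dev/null
  else
    echo "init_ssh: $cfg failed 'sshd -t', not restarting sshd" >&2
    return 1
  fi
  grep -qF "sshd:${net}" /etc/hosts.allow 2>/dev/null || echo "sshd:${net}" >>/etc/hosts.allow
  grep -qF "sshd:ALL" /etc/hosts.deny 2>/dev/null || echo "sshd:ALL" >>/etc/hosts.deny
  # -I prepends, so the ACCEPT inserted second ends up above the DROP.
  iptables -I INPUT -p tcp --dport "$port" -j DROP
  iptables -I INPUT -p tcp --dport "$port" -s "$net" -j ACCEPT
  service iptables save
}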
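#######################################
# Install the admin tool set (menu entry 12): wget lrzsz nmap tree dos2unix nc.
# rpm -qa prints one line per installed package of the five queried; the
# original skipped the install whenever more than three were present, so a
# host with four of the five never got the last one. The condition is now
# "fewer than all five". The system-wide `yum update` stays commented out.
#######################################
function update_linux(){
  #10.upgrade linux.
  local pkgs=(wget lrzsz nmap tree dos2unix nc)
  if [ "$(rpm -qa lrzsz nmap tree dos2unix nc | wc -l)" -lt 5 ]; then
    yum install -y "${pkgs[@]}"
    #yum update -y
  fi
}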
#######################################
# Set the immutable bit on the account database files (menu entry 14).
# While it is set even root cannot run useradd/passwd/groupmod on these
# files; remove it with `chattr -i` first. Option 15 runs this last for
# that reason. /etc/inittab may be absent on newer releases; chattr then
# reports it and continues with the rest, as the single original call did.
#######################################
function cha {
  local f
  for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab; do
    chattr +i "$f"
  done
}
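#######################################
# Lock accounts with pam_tally2 after 5 failed logins (menu entry 13):
# 10 minute lockout, root included, root unlocked after 5 minutes.
# Existing pam_tally2 lines are removed before the new ones go in, so the
# function is idempotent.
# Changes from the original:
#   * system-auth — the file that is actually edited — is backed up as well
#     (the original backed up login, which it never touches).
#   * `--follow-symlinks` keeps system-auth as the symlink to system-auth-ac
#     that authconfig manages; plain `sed -i` replaced it with a regular file.
#   * an "account required pam_tally2.so" line is inserted before the first
#     account line; the pam_tally2 man page recommends it so the failure
#     counter is reset on success even for services that do not call
#     pam_setcred. It goes before the `sufficient` account modules so it is
#     not skipped.
# The insert positions (4a / 2a) match the stock CentOS 6 files: after
# pam_env.so in system-auth and after pam_sepermit.so in sshd — verify them
# on any other layout before running this.
# Operational notes: even_deny_root can lock the console root account for
# root_unlock_time; `pam_tally2` lists every user's counter and
# `pam_tally2 -r -u USER` resets one.
#######################################
function pamtally {
  local rule='auth required pam_tally2.so onerr=fail deny=5 unlock_time=600 even_deny_root root_unlock_time=300'
  local reset='account required pam_tally2.so'
  local f
  for f in /etc/pam.d/sshd /etc/pam.d/login /etc/pam.d/system-auth; do
    [ -e "${f}.bak" ] || cp -p -- "$f" "${f}.bak"
  done
  for f in /etc/pam.d/system-auth /etc/pam.d/sshd; do
    sed -i --follow-symlinks '/pam_tally2.so/d' "$f"
  done
  sed -i --follow-symlinks -e "4a\\${rule}" /etc/pam.d/system-auth
  sed -i --follow-symlinks -e "2a\\${rule}" /etc/pam.d/sshd
  for f in /etc/pam.d/system-auth /etc/pam.d/sshd; do
    # GNU sed: "0,/re/" limits the substitution to the first account line.
    sed -i --follow-symlinks "0,/^account/{s/^account/${reset}\naccount/}" "$f"
  done
}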
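#######################################
# Interactive menu: print the choices, read one number, run that step.
# Option 15 runs everything except init_ssh, as the menu text says; the
# original's branch 15 called init_ssh anyway, which changed the SSH port
# and firewall in the middle of an unattended run. Option 4 calls
# lease_service, the name the function is defined under (the original
# called an undefined least_service).
# Step order in 15 matters: adduser and pamtally edit the account/PAM
# files before cha makes /etc/passwd and /etc/shadow immutable.
#######################################
main(){
  cat <<'EOF'
----------------------------------------
|****Please Enter Your Choice:[1-15]****|
----------------------------------------
(1) mod yum
(2) close selinux
(3) close iptables
(4) least service
(5) add user
(6) charset
(7) time sync
(8) password security
(9) set open file
(10) set kernel
(11) init ssh
(12) update linux
(13) pamtally
(14) chattr
(15) all(except init ssh)
EOF
  local input1
  read -r -p "Please enter your choice[1-15]: " input1
  case "$input1" in
    1)
      mod_yum
      ;;
    2)
      close_selinux
      ;;
    3)
      close_iptables
      ;;
    4)
      lease_service
      ;;
    5)
      adduser
      ;;
    6)
      charset
      ;;
    7)
      time_sync
      ;;
    8)
      com_line_set
      ;;
    9)
      open_file_set
      ;;
    10)
      set_kernel
      ;;
    11)
      init_ssh
      ;;
    12)
      update_linux
      ;;
    13)
      pamtally
      ;;
    14)
      cha
      ;;
    15)
      mod_yum
      close_selinux
      close_iptables
      lease_service
      adduser
      charset
      time_sync
      com_line_set
      open_file_set
      set_kernel
      update_linux
      pamtally
      cha
      ;;
    *)
      echo "****Please Enter Your Choice:[1-15]****|"
      ;;
  esac
  # Further hardening ideas kept from the original as notes, not applied:
  # hide the OS version banner:
  #> /etc/issue
  #> /etc/issue.net
  # lock the account database files:
  #chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
  # unlock them again: chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
  # rename chattr (obscurity only, not a control): mv /usr/bin/chattr /usr/bin/hat1
  # password-protect grub: /sbin/grub-md5-crypt prints the hash, then add
  # "password --md5 <hash>" to /etc/grub.conf
  # ignore ICMP echo (drops ping): net.ipv4.icmp_echo_ignore_all=1
}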
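# Entry point; arguments are forwarded so main can grow an option parser.
main "$@"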