Centos7_系统初始优化配置

根据各环境,选择所需的优化策略进行配置

  • 关闭selinux
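# Turn SELinux off: for the running kernel now, and persistently via the config file.
# NOTE(review): this removes mandatory access control for every service on the host.
# Prefer keeping it enforcing and resolving denials (audit2allow), or at least persist
# `permissive` so violations are still logged instead of being lost entirely.
setenforce 0
# Match whatever the current value is (enforcing OR permissive), anchored to the real
# setting line; the original pattern only rewrote "enforcing", so a host already in
# permissive mode was left untouched.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config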
  • 关闭防火墙
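# Stop and disable both host firewalls the machine might be running.
# NOTE(review): after this nothing filters inbound traffic on the host itself; only do
# this where a network/security-group firewall in front of the machine is really in
# place, otherwise keep firewalld and open just the ports that are needed.
# iptables.service is usually absent on a stock CentOS 7 (it ships with
# iptables-services), so a missing unit is tolerated quietly rather than spamming
# "Unit not loaded" errors or aborting a `set -e` run.
for svc in firewalld iptables; do
  systemctl stop "$svc" 2>/dev/null || true
  systemctl disable "$svc" 2>/dev/null || true
done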
  • 关闭network管理系统
# Stop NetworkManager and keep it from starting at boot (presumably so it cannot
# rewrite /etc/resolv.conf or interface configs behind the static setup below);
# the classic `network` service then has to manage the interfaces.
nm_unit=NetworkManager
systemctl stop "$nm_unit"
systemctl disable "$nm_unit"
  • 配置DNS
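# Put the two public resolvers at the head of resolv.conf (glibc tries them in order).
# `sed -i '1i …'` silently does nothing on an empty or missing file (there is no line 1
# to address) and stacks duplicates on every re-run, so rebuild the file head instead,
# keeping any other existing lines (search domains, further resolvers) after it.
resolv=/etc/resolv.conf
tmp=$(mktemp) || exit 1
{
  printf 'nameserver 223.5.5.5\nnameserver 1.2.4.8\n'
  # drop old copies of the two entries so they are not duplicated; grep returns 1
  # when nothing is left, which is fine here
  [ -f "$resolv" ] && grep -v -e '^nameserver 223\.5\.5\.5$' -e '^nameserver 1\.2\.4\.8$' -- "$resolv"
} > "$tmp"
# write through cat so a symlinked resolv.conf keeps its target/inode
cat -- "$tmp" > "$resolv" && rm -f -- "$tmp"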
  • 安装依赖插件
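# Bootstrap: EPEL metadata and wget (needed below to fetch the mirror repo files).
yum -y install epel-release wget

# Park the existing repo files and switch to the Aliyun mirrors.
# The original `mv /etc/yum.repos.d/* /etc/yum.repos.d/bak` also tried to move `bak`
# into itself (error on every run); move only the .repo files, one level deep.
repo_dir=/etc/yum.repos.d
mkdir -p -- "$repo_dir/bak"
find "$repo_dir" -maxdepth 1 -type f -name '*.repo' -exec mv -f -- {} "$repo_dir/bak/" \;

# NOTE(review): the repo definitions are fetched over plain HTTP and can be altered in
# transit. Use the https:// form of the mirror where available, and check that the
# downloaded files keep gpgcheck=1 with the CentOS/EPEL keys — the GPG check is what
# actually protects the packages installed afterwards.
wget http://mirrors.aliyun.com/repo/Centos-7.repo -P "$repo_dir/"
wget http://mirrors.aliyun.com/repo/epel-7.repo -P "$repo_dir/"

# Tooling baseline (network/debug utilities, build chain, Perl/Python bits).
yum -y install wget vim ntp unzip zip net-snmp* telnet sysstat gcc gcc-c++ make openssl* perl ncurses* nethogs lsof lrzsz libselinux-python bash-completion net-tools setuptool system-config-network-tui ntsysv expat-devel psmisc nmap fping traceroute python2-pip readline-devel cpp cmake bison libaio-devel ncurses-devel perl-DBD-MySQL perl-Time-HiRes openssh-clients libaio zlib-devel libssl.so.6 numactl jemalloc compat-readline5-devel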
  • 修改时区
# Set the system timezone to Asia/Shanghai: timedatectl updates the systemd setting,
# and the /etc/localtime symlink is refreshed explicitly for anything that reads it
# directly.
tz=Asia/Shanghai
timedatectl set-timezone "$tz"
ln -sf "/usr/share/zoneinfo/$tz" /etc/localtime
  • 禁止使用Ctrl+Alt+Del重启
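# Stop Ctrl+Alt+Del from rebooting the machine.
# Renaming the unit file under /usr/lib/systemd/system is undone by the next systemd
# package update (and fails outright on the second run once the .bak exists); masking
# the target is the supported way and survives updates.
systemctl mask ctrl-alt-del.target
systemctl daemon-reload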
  • 修改字符编码
# Write the system-wide locale (file is replaced, not appended to): UTF-8 English,
# plus the supported-locale list and console font the author chose.
cat > /etc/locale.conf <<'EOF'
LANG="en_US.UTF-8"
SUPPORTED="zh_CN.GB18030:zh_CN:zh:en_US.UTF-8:en_US:en"
SYSFONT="latarcyrheb-sun16"
EOF
  • 配置同步时间
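# Time sync via periodic ntpdate; ntpd is stopped so the two do not fight over the clock.
# NOTE(review): stepping the clock every 5 minutes is crude — chronyd (the CentOS 7
# default) disciplines the clock continuously and is the better choice where allowed.
systemctl stop ntpd
systemctl disable ntpd

# Pick ONE upstream: the public Aliyun server, or the VPC-internal one when the host
# has no Internet access. The original ran both pairs of commands back to back, which
# fails (and leaves an unreachable cron job behind) on whichever network the host is
# not on.
ntp_server=ntp1.aliyun.com            # Internet-reachable hosts
#ntp_server=ntp7.cloud.aliyuncs.com   # Aliyun VPC-internal access only

ntpdate "$ntp_server"

# Install through crontab(1) instead of appending raw text to /var/spool/cron/root, so
# the spool file gets the right ownership/permissions and previous ntpdate entries are
# replaced rather than stacked on every re-run.
cron_line="*/5 * * * * /usr/sbin/ntpdate $ntp_server > /dev/null 2>&1"
( crontab -l 2>/dev/null | grep -vF -- '/usr/sbin/ntpdate '; printf '%s\n' "$cron_line" ) | crontab -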
  • 修改ssh策略
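# sshd_config honours the FIRST occurrence of a keyword, so an appended directive is
# silently ignored whenever the same keyword is already active higher up (or after this
# script has run once before). Set each option by rewriting any existing line for it,
# commented or not, and only append when the keyword is absent.
# NOTE(review): the rewrite also touches lines inside `Match` blocks if there are any —
# review the result on a non-stock config.
set_sshd_opt() {  # set_sshd_opt KEY VALUE
  local key=$1 value=$2 cfg=/etc/ssh/sshd_config
  if grep -Eq "^[# ]*${key}[ =]" "$cfg"; then
    sed -i -E "s|^[# ]*${key}[ =].*|${key} ${value}|" "$cfg"
  else
    printf '%s %s\n' "$key" "$value" >> "$cfg"
  fi
}

# Skip reverse DNS lookups of the client (faster logins; PTR records are not trustworthy anyway).
set_sshd_opt UseDNS no
# sshd listen port.
set_sshd_opt Port 22
# No direct root logins over SSH.
# NOTE(review): create and TEST a non-root account with sudo (working key or password)
# before sshd is restarted with this setting, or the host locks you out.
set_sshd_opt PermitRootLogin no

# Validate the config first; a typo would otherwise leave sshd down after the restart.
sshd -t && systemctl restart sshd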
  • 优化tcp连接数
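# Raise open-file / process limits for all users (read by pam_limits at login).
# Every append is guarded so running the script twice does not stack duplicate lines.
append_once() {  # append_once FILE LINE
  grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Max open file descriptors and max user processes (limits.conf).
for line in '* soft nproc 65536' '* hard nproc 65536' '* soft nofile 65536' '* hard nofile 65536'; do
  append_once /etc/security/limits.conf "$line"
done

# limits.d/ is read after limits.conf and overrides it; CentOS 7 ships 20-nproc.conf
# with a 4096 soft nproc cap for non-root users, which is why it is overridden here.
for line in '* soft nproc unlimited' '* hard nproc unlimited'; do
  append_once /etc/security/limits.d/20-nproc.conf "$line"
done

# Make sure pam_limits is consulted on console login.
# The original also appended `session required /lib/security/pam_limits.so`; on x86_64
# the PAM modules live under /lib64/security, and a `required` module that cannot be
# loaded fails the whole stack — i.e. nobody can log in on the console. Use the bare
# module name and let PAM resolve the path.
append_once /etc/pam.d/login 'session required pam_limits.so'

# System-wide cap on open files (all processes together). Without `sysctl -p` the
# original only took effect after a reboot.
# NOTE(review): 65535 is likely LOWER than the kernel's RAM-derived default for
# fs.file-max; check `sysctl fs.file-max` first and keep this only if it raises the value.
append_once /etc/sysctl.conf 'fs.file-max = 65535'
sysctl -p >/dev/null

# Per-login open-file limit applied by the shell profile.
append_once /etc/profile 'ulimit -HSn 65535'
source /etc/profile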
  • 配置密码策略
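# Password quality policy (authconfig writes it to /etc/security/pwquality.conf):
# minimum length 8, at most 3 consecutive characters of the same class, and at least
# one lowercase, uppercase, digit and special character.
# One invocation instead of six: every `--update` rewrites the PAM/authconfig files,
# and a failure half-way through would leave a partially applied policy.
authconfig \
  --passminlen=8 \
  --passmaxclassrepeat=3 \
  --enablereqlower \
  --enablerequpper \
  --enablereqdigit \
  --enablereqother \
  --update
# Verify with: cat /etc/security/pwquality.conf
#   minlen          = password length
#   maxclassrepeat  = consecutive same-class characters
#   lcredit / ucredit / dcredit / ocredit = lowercase / uppercase / digit / special
# NOTE(review): pwquality is checked when users change their own password via PAM; it
# is not applied retroactively to existing passwords, and root setting a password with
# `passwd` is only warned, not blocked, unless enforce_for_root is configured.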
  • 设置ssh登录超时
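# Idle-session controls: bash exits an interactive shell after 20 min without input
# (TMOUT), and sshd probes the client every 120 s, dropping the connection after 3
# unanswered probes (roughly 6 min after the client disappears).
# NOTE(review): TMOUT is a plain shell variable any user can unset — treat it as a
# convenience, not a control. The append is guarded so re-runs do not stack duplicates.
grep -q '^export TMOUT=' /etc/profile || printf 'export TMOUT=1200\n' >> /etc/profile
source /etc/profile

# sshd_config honours the FIRST occurrence of a keyword, so a plain append is ignored
# when the keyword is already active above it; rewrite existing lines (commented or
# not) and only append when the keyword is missing.
cfg=/etc/ssh/sshd_config
for kv in 'ClientAliveInterval 120' 'ClientAliveCountMax 3'; do
  key=${kv%% *}
  if grep -Eq "^[# ]*${key}[ =]" "$cfg"; then
    sed -i -E "s|^[# ]*${key}[ =].*|${kv}|" "$cfg"
  else
    printf '%s\n' "$kv" >> "$cfg"
  fi
done
# Validate before restarting so a bad config cannot leave sshd down.
sshd -t && systemctl restart sshd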
  • 设置用户登录记录
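# Record every SSH login (user + source IP) from /etc/ssh/sshrc, which sshd runs as the
# logging-in user right after authentication.
# The original appended to /var/log/sshd/sshlogin.log and made the directory
# `chmod -R 777` so every user could write to it — which also let every user truncate,
# delete or forge the log. Send the record to syslog instead: no world-writable file is
# needed, and with the stock rsyslog rules the authpriv facility ends up in
# /var/log/secure (confirm on your build).
# NOTE(review): sshd skips /etc/ssh/sshrc for a user who has their own ~/.ssh/rc, so a
# user can opt out of this; sshd's own "Accepted …" lines in /var/log/secure (and
# lastlog/wtmp) remain the authoritative login record.
cat >> /etc/ssh/sshrc <<'EOF'
#!/bin/bash
user=$USER
ip=${SSH_CLIENT%% *}
# Uncomment to skip the record for root coming from one known admin host:
#if [ "$user" != "root" ] || [ "$ip" != "192.168.2.88" ]; then
logger -p authpriv.info -t sshlogin "LoginUser:${user}--IP:${ip}--LoginTime:$(date '+%Y-%m-%d %H:%M:%S')"
#fi
EOF
chmod +x /etc/ssh/sshrc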
  • 查看历史操作记录,并加时间戳
# Prefix each history entry with date, time and the account running the shell. The
# backticks stay literal inside the single quotes, so `whoami` is evaluated per shell,
# not once here.
# NOTE(review): this is a convenience, not an audit trail — any user can unset
# HISTTIMEFORMAT or edit ~/.bash_history; use auditd / pam_tty_audit for real auditing.
hist_fmt='export HISTTIMEFORMAT="%F %T `whoami` "'
printf '%s\n' "$hist_fmt" >> /etc/profile
source /etc/profile
  • 系统启动配置文件赋权
chmod +x /etc/rc.d/rc.local