#!/bin/bash
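# Refuse to run unless root: every step below rewrites files under /etc.
# The original `[ ... ] || echo ... || exit 1` could never exit, because a
# successful echo short-circuited the `exit`; it also scraped the uid out of
# `id` with awk/egrep instead of asking for the numeric uid directly.
ID=$(id -u)
if [[ "$ID" -ne 0 ]]; then
  printf 'Error: no root!!\n' >&2
  exit 1
fi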
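#######################################
# 内核优化 — replace /etc/sysctl.conf with the profile below and load it.
# Globals:   none
# Outputs:   one status line via success_display / error_display
# Returns:   0 if `sysctl -p` loaded the file, 1 if it reported an error
#######################################
kernel(){
  # -n keeps the pristine backup on re-runs; without it the second run
  # overwrote the backup with this script's own output.
  cp -n /etc/sysctl.conf{,.default}
  # Quoted delimiter: nothing in the profile is meant to be expanded.
  cat >/etc/sysctl.conf <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time=120
# rp_filter=0 turns off reverse-path (anti-spoof) filtering on every
# interface; keep it only where asymmetric routing genuinely requires it.
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_synack_retries = 2
# sysrq was set to 1 and then to 0 in the original file; the last value won,
# so the single effective setting is kept: magic SysRq disabled.
kernel.sysrq = 0
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl =15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
# net.ipv4.tcp_tw_recycle dropped: it breaks clients behind NAT and the key
# no longer exists on kernels >= 4.12, where `sysctl -p` would reject it.
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 32768
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.ip_local_port_range = 1024 65000
# NOTE(review): the three ip_conntrack_* names below are legacy keys and may
# be reported as unknown by `sysctl -p` on the running kernel; the current
# names are under net.netfilter.nf_conntrack_* — confirm on the target host.
net.ipv4.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_max = 65536
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
kernel.shmmax = 30923764531
kernel.shmall = 7549747
kernel.msgmax = 65535
kernel.msgmnb = 65535
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
EOF
  # The original reported success unconditionally, even when sysctl -p had
  # rejected keys; the exit status now decides which message is shown.
  if sysctl -p; then
    success_display "内核优化"
  else
    error_display "内核优化 (sysctl -p 报错,请检查 /etc/sysctl.conf)"
    return 1
  fi
}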
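#######################################
# Print a green "<msg> yes" status line and reset terminal attributes.
# Arguments: $1 - message (printed verbatim)
# Outputs:   one line on stdout
#######################################
success_display(){
  # printf with %s: the message is data, never a format string, and
  # backslashes in it are not expanded (echo -e would expand them).
  # \033[0m resets all attributes; the original trailing \033[40;37m left
  # white-on-black forced on the terminal after the line.
  printf '\033[40;32m%s yes \033[0m\n' "$1"
}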
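#######################################
# Print a red error line and reset terminal attributes.
# Arguments: $1 - message (printed verbatim)
# Outputs:   one line on stderr (diagnostics do not belong on stdout)
#######################################
error_display(){
  # %s keeps the message out of the format string; \033[0m resets every
  # attribute instead of leaving bold white (\033[1;37m) switched on.
  printf '\033[40;31m%s \033[0m\n' "$1" >&2
}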
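#######################################
# 系统优化 — packages, process/file limits, rc.local, services, time sync,
# SELinux. Safe to re-run: every append is guarded.
# Arguments: none
# Outputs:   status lines via success_display
#######################################
system(){
  #常用安装包安装
  yum -y install wget bind-utils net-tools screen lsof tcpdump nc mtr openssl-devel vim bash-completion lrzsz nmap telnet tree ntpdate
  success_display "安装常用安装包安装"
  #文件打开数
  # The original appended only nproc although the message promises open-file
  # limits; nofile is written as well, each line at most once.
  # NOTE(review): files under /etc/security/limits.d/ override these values
  # for matching users where present — confirm on the target host.
  cp -n /etc/security/limits.conf{,.default}
  local limit
  for limit in 'soft nproc' 'hard nproc' 'soft nofile' 'hard nofile'; do
    grep -q "^\* ${limit} 65535" /etc/security/limits.conf \
      || echo "* ${limit} 65535" >>/etc/security/limits.conf
  done
  success_display "文件打开数优化"
  #rc.local添加执行权限
  chmod +x /etc/rc.d/rc.local
  success_display "rc.local权限添加"
  #关闭开机自启服务
  local svc
  for svc in postfix ntpd tuned; do
    systemctl disable "$svc"
    systemctl stop "$svc"
  done
  success_display "开机自启优化"
  # systemctl stop dbus-org.freedesktop.NetworkManager.service
  # systemctl disable dbus-org.freedesktop.NetworkManager.service
  #定时校准时间
  local cron_file=/var/spool/cron/root
  # grep -s: a missing spool file is simply "no entry yet", not an error.
  if ! grep -qs ntpdate "$cron_file"; then
    # Five time fields — the original had four, which crond rejects — and the
    # redirections in the right order (2>&1 >/dev/null still mailed stderr).
    printf '%s\n' '#时间校准' \
      '*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' >>"$cron_file"
    chmod 0600 "$cron_file"   # spool files are expected to be owner-only
  fi
  success_display "时间校准优化"
  #关闭selinux
  # Anchored at line start so commented examples and SELINUXTYPE= are left
  # alone. This switches mandatory access control off host-wide; the setting
  # takes effect at the next reboot.
  grep -q '^SELINUX=disabled' /etc/selinux/config \
    || sed -ri 's#^SELINUX=[a-z]+#SELINUX=disabled#' /etc/selinux/config
  success_display "关闭selinux"
}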
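#######################################
# Put a PAM auth line in front of the first "auth" entry of a PAM file.
# pam_tally2 only counts attempts if it runs before a "sufficient" module
# short-circuits the stack, so appending at end of file (as the original
# did) is not enough. A file that already mentions pam_tally2 is left alone.
# Arguments: $1 - PAM file, $2 - the auth line to insert
#######################################
_pam_prepend_auth(){
  local file=$1 line=$2
  grep -q 'pam_tally2' -- "$file" && return 0
  # 0,/^auth/ addresses only the first auth line; s// reuses that regex.
  sed -i "0,/^auth/s//${line}\n&/" -- "$file"
}

#######################################
# 安全优化 — password policy, login lockout, shell timeout, sshd settings,
# account-file modes, ASLR, password history, pwquality.
# Arguments: none
# Outputs:   status lines via success_display / error_display
# Returns:   1 if the edited sshd_config fails `sshd -t`, else 0
# Note:      sshd settings apply after `systemctl restart sshd`; this
#            function deliberately does not restart the daemon.
#######################################
security(){
  #密码复杂度、密码有效期
  cp -n /etc/login.defs{,.default}
  sed -ri "s#PASS_MIN_LEN[ \t]+[0-9]+#PASS_MIN_LEN\t5#g" /etc/login.defs
  sed -ri "s#PASS_MAX_DAYS[ \t]+[0-9]+#PASS_MAX_DAYS\t90#g" /etc/login.defs
  sed -ri "s#PASS_MIN_DAYS[ \t]+[0-9]+#PASS_MIN_DAYS\t2#g" /etc/login.defs
  success_display "密码复杂度、密码有效期安全"
  #启用登录失败处理功能
  # -n keeps the pristine backup; login used to be saved as ".deafult".
  cp -n /etc/pam.d/system-auth{,.default}
  cp -n /etc/pam.d/sshd{,.default}
  cp -n /etc/pam.d/login{,.default}
  # NOTE(review): appended after "password sufficient pam_unix.so" this line
  # is likely never evaluated; the pwquality.conf values set further down are
  # what is enforced — confirm with a test password change.
  grep -q 'pam_cracklib' /etc/pam.d/system-auth \
    || echo 'password requisite pam_cracklib.so retry=3 difok=2 minlen=8 lcredit=-1 dcredit=-1' >>/etc/pam.d/system-auth
  # The first lockout line originally went to "/etc/pam.d/system-uth" (typo),
  # so system-auth was never modified.
  _pam_prepend_auth /etc/pam.d/system-auth 'auth required pam_tally2.so onerr=fail deny=3 unlock_time=60 even_deny_root root_unlock_time=60'
  _pam_prepend_auth /etc/pam.d/sshd 'auth required pam_tally2.so deny=3 unlock_time=60 even_deny_root root_unlock_time=60'
  _pam_prepend_auth /etc/pam.d/login 'auth required pam_tally2.so deny=3 unlock_time=60 even_deny_root root_unlock_time=60'
  success_display "启用登录失败处理功能"
  #设置登录终端的操作超时锁定
  # Guarded: re-runs used to add a second TMOUT line after HISTSIZE.
  grep -q '^TMOUT=' /etc/profile \
    || sed -i 's#HISTSIZE=1000#&\nTMOUT=600#g' /etc/profile
  success_display "设置登录终端的操作超时锁定"
  #ssh安全
  cp -n /etc/ssh/sshd_config{,.default}
  # "^[#]?" matches both the commented default and an already-set value; the
  # original "[#]" patterns only rewrote lines that were still commented out.
  sed -ri "s#^[#]?LogLevel [A-Z]+#LogLevel INFO#g" /etc/ssh/sshd_config
  success_display "SSH LogLevel设置为INFO"
  # NOTE(review): on recent OpenSSH a ClientAliveCountMax of 0 disables the
  # idle disconnect instead of forcing it — confirm against the installed
  # version before relying on this for the 900 s timeout.
  sed -ri "s#^[#]?ClientAliveInterval [0-9]+#ClientAliveInterval 900#g" /etc/ssh/sshd_config
  sed -ri "s#^[#]?ClientAliveCountMax [0-9]+#ClientAliveCountMax 0#g" /etc/ssh/sshd_config
  success_display "设置SSH空闲超时退出时间"
  # Protocol is accepted but ignored by OpenSSH releases that only speak v2.
  sed -ri "s#^[#]?Protocol [0-9]+#Protocol 2#g" /etc/ssh/sshd_config
  success_display "SSHD强制使用V2安全协议"
  sed -ri "s#^[#]?PermitEmptyPasswords [a-z]+#PermitEmptyPasswords no#g" /etc/ssh/sshd_config
  success_display "禁止SSH空密码用户登录"
  sed -ri "s#^[#]?MaxAuthTries [0-9]+#MaxAuthTries 4#g" /etc/ssh/sshd_config
  success_display "设置最大密码尝试失败次数"
  # Validate the edited file before anyone restarts sshd with it.
  if ! sshd -t; then
    error_display "sshd_config 校验失败,请检查后再重启 sshd"
    return 1
  fi
  #设置用户权限配置文件的权限
  chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
  chmod 0644 /etc/group /etc/passwd
  chmod 0400 /etc/shadow /etc/gshadow
  success_display "设置用户权限配置文件的权限"
  #开启地址空间布局随机化
  # sysctl -w alone is lost at reboot, and kernel() rewrites /etc/sysctl.conf
  # wholesale, so the value is also persisted in a sysctl.d drop-in (file
  # name chosen by this script).
  sysctl -w kernel.randomize_va_space=2
  echo 'kernel.randomize_va_space = 2' >/etc/sysctl.d/99-randomize-va-space.conf
  success_display "开启地址空间布局随机化"
  #强制用户不重用最近使用的密码
  # Guarded so re-runs do not stack "remember=5" on the same line. system-auth
  # is included as well: a local `passwd` goes through it, not password-auth.
  local pamf
  for pamf in /etc/pam.d/password-auth /etc/pam.d/system-auth; do
    grep -qE '^password[[:space:]]+sufficient.*remember=' "$pamf" \
      || sed -ri "s#password[ \t]+sufficient.*#& remember=5#g" "$pamf"
  done
  success_display "强制用户不重用最近使用的密码"
  #设置密码长度和密码使用多种字符类型
  cp -n /etc/security/pwquality.conf{,.default}
  # [0-9]+ : the original single [0-9] turned e.g. "minlen = 14" into
  # "minlen = 104".
  sed -ri "s#[# ]+minlen[ =]+[0-9]+#minlen = 10#g" /etc/security/pwquality.conf
  sed -ri "s#[# ]+minclass[ =]+[0-9]+#minclass = 3#g" /etc/security/pwquality.conf
  success_display "设置密码长度和密码使用多种字符类型"
  #history命令记录
  #pass
}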
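#######################################
# Show the menu, read one choice, and run the selected optimisation(s).
# Arguments: none (reads the choice from stdin)
# Outputs:   menu on stdout, prompt on stderr (read -p), status lines
# Returns:   status of the selected function; 1 on an unrecognised choice
#            (the original returned 0 there, so callers could not tell)
#######################################
main(){
  # The original numbered the menu through `cat -n` on a heredoc; the
  # numbers are written out so the mapping to the case arms is visible.
  printf '%s\n' '1 内核优化' '2 系统优化' '3 安全优化' '4 全部都优化'
  local number
  # -r: a backslash in the input is data, not an escape.
  read -r -p '输入服务的编号:' number
  case "$number" in
    1) kernel ;;
    2) system ;;
    3) security ;;
    4)
      kernel
      system
      security
      ;;
    *)
      error_display "输入有误!"
      return 1
      ;;
  esac
}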
# Entry point: forward the script's arguments so main can use them later.
main "$@"