#!/bin/bash
#解压缩startup.tar.gz包
cd /tmp && tar -zxf startup.tar.gz
#初始化YUM源
rm -rf /etc/yum.repos.d/*
cp -ap ./file/*.repo /etc/yum.repos.d/
/bin/rpm --import ./file/RPM-GPG-KEY.dag.txt
/bin/rpm --import ./file/RPM-GPG-KEY-CentOS-6
/usr/bin/yum clean all
/usr/bin/yum makecache
#下载工具及时间同步工具
/usr/bin/yum install -y wget
/usr/bin/yum install -y ntp
ntpdate -d cn.pool.ntp.org
date
echo "##### update server time #####" >> /var/spool/cron/root
echo "*/10 * * * * /usr/sbin/ntpdate cn.pool.ntp.org > /dev/null 2>&1 && /sbin/clock -w > /dev/null 2>&1" >> /var/spool/cron/root
echo "" >> /var/spool/cron/root
echo "##### history #####" >> /var/spool/cron/root
echo "*/5 * * * * /usr/local/gacp/worksh/history.sh > /dev/null 2>&1" >> /var/spool/cron/root
echo "" >> /var/spool/cron/root
echo "##### Logs #####" >> /var/spool/cron/root
echo "00 00 * * * /usr/local/gacp/worksh/del_100day_before_logs.sh > /dev/null 2>&1" >> /var/spool/cron/root
echo "00 00 * * * /usr/local/gacp/worksh/log_rotate.sh > /dev/null 2>&1" >> /var/spool/cron/root
echo "" >> /var/spool/cron/root
#下载必要系统工具
/usr/bin/yum install -y lsof htop nmap iotop telnet iptraf iftop vim-enhanced logrotate ntsysv bind-utils sysstat irqbalance microcode_ctl dstat net-snmp rsync openssh-clients
#selinux is disabled
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
echo "selinux is disabled,you must reboot!"
#vim
sed -i "8 s/^/alias vi='vim'/" /root/.bashrc
sed -i "9 s/^/alias dstat='dstat -cdlmnpsy'\n/" /root/.bashrc
sed -i "10 s/^/alias grep='grep --color=auto'\n\n/" /root/.bashrc
echo 'syntax on' > /root/.vimrc
source ~/.bashrc
mv /etc/security/limits.d/90-nproc.conf /etc/security/limits.d/90-nproc
#file size
echo 'ulimit -SHn 65535' >> /etc/rc.local
cat >> /etc/security/limits.conf << EOF
* soft nofile 60000
* hard nofile 65535
EOF
#sysctl.conf
cat >> /etc/sysctl.conf <<eof
# NEW ADD
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_max_tw_buckets = 65535
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 131070
net.core.somaxconn = 20480
eof
/sbin/sysctl -p
#init
for sun in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 2345 $sun off;done
for sun in crond irqbalance network sysstat sshd rsyslog iptables;do chkconfig --level 2345 $sun on;done
DATE=`date +%Y%m%H`
#add lsyw user
/usr/sbin/useradd lsyw
echo "lishen@123" | passwd lsyw --stdin
#ssh
ssh_cf="/etc/ssh/sshd_config"
cp $ssh_cf $ssh_cf.$DATE
sed -i "s/#Port 22/Port 50000/" $ssh_cf
sed -i "s/#UseDNS yes/UseDNS no/" $ssh_cf
sed -i "/X11Forwarding yes/d" $ssh_cf
sed -i "s/#X11Forwarding no/X11Forwarding no/g" $ssh_cf
sed -i "s/#PrintMotd yes/PrintMotd no/g" $ssh_cf
sed -i "s/#PrintLastLog yes/PrintLastLog no/g" $ssh_cf
sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/' $ssh_cf
sed -i '$aAllowUsers lsyw' $ssh_cf
/etc/init.d/sshd reload
#iptables添加规则放通50000端口
sed -i '/dport 22/{ s/22/50000/g }' /etc/sysconfig/iptables
/etc/init.d/iptables reload
#清空信息信息为了安全
ISSUE=/etc/issue
ISSUE_NET=/etc/issue.net
RELEASE=/etc/redhat-release
cp $ISSUE $ISSUE.$DATE
cp $ISSUE_NET $ISSUE_NET.$DATE
cp $RELEASE $RELEASE.$DATE
>$ISSUE
>$ISSUE_NET
>$RELEASE
#snmp
snmp_cf="/etc/snmp/snmpd.conf"
cp $snmp_cf $snmp_cf.$DATE
rm -rf $snmp_cf
cp -a ./etc/snmpd.conf $snmp_cf
#deluser
userdel uucp
userdel operator
userdel games
userdel gopher
userdel ftp
#防爆破登录
yum install -y fail2ban
mv /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.$DATE
cp -ap ./file/jail.conf /etc/fail2ban/
mkdir /usr/local/gacp/worksh -p
cp -ap ./file/history.sh ./file/log_rotate.sh ./file/del_100day_before_logs.sh /usr/local/gacp/worksh/
#解压缩startup.tar.gz包
cd /tmp && tar -zxf startup.tar.gz
#初始化YUM源
rm -rf /etc/yum.repos.d/*
cp -ap ./file/*.repo /etc/yum.repos.d/
/bin/rpm --import ./file/RPM-GPG-KEY.dag.txt
/bin/rpm --import ./file/RPM-GPG-KEY-CentOS-6
/usr/bin/yum clean all
/usr/bin/yum makecache
#下载工具及时间同步工具
/usr/bin/yum install -y wget
/usr/bin/yum install -y ntp
ntpdate -d cn.pool.ntp.org
date
echo "##### update server time #####" >> /var/spool/cron/root
echo "*/10 * * * * /usr/sbin/ntpdate cn.pool.ntp.org > /dev/null 2>&1 && /sbin/clock -w > /dev/null 2>&1" >> /var/spool/cron/root
echo "" >> /var/spool/cron/root
echo "##### history #####" >> /var/spool/cron/root
echo "*/5 * * * * /usr/local/gacp/worksh/history.sh > /dev/null 2>&1" >> /var/spool/cron/root
echo "" >> /var/spool/cron/root
echo "##### Logs #####" >> /var/spool/cron/root
echo "00 00 * * * /usr/local/gacp/worksh/del_100day_before_logs.sh > /dev/null 2>&1" >> /var/spool/cron/root
echo "00 00 * * * /usr/local/gacp/worksh/log_rotate.sh > /dev/null 2>&1" >> /var/spool/cron/root
echo "" >> /var/spool/cron/root
#下载必要系统工具
/usr/bin/yum install -y lsof htop nmap iotop telnet iptraf iftop vim-enhanced logrotate ntsysv bind-utils sysstat irqbalance microcode_ctl dstat net-snmp rsync openssh-clients
#selinux is disabled
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
echo "selinux is disabled,you must reboot!"
#vim
sed -i "8 s/^/alias vi='vim'/" /root/.bashrc
sed -i "9 s/^/alias dstat='dstat -cdlmnpsy'\n/" /root/.bashrc
sed -i "10 s/^/alias grep='grep --color=auto'\n\n/" /root/.bashrc
echo 'syntax on' > /root/.vimrc
source ~/.bashrc
mv /etc/security/limits.d/90-nproc.conf /etc/security/limits.d/90-nproc
#file size
echo 'ulimit -SHn 65535' >> /etc/rc.local
cat >> /etc/security/limits.conf << EOF
* soft nofile 60000
* hard nofile 65535
EOF
#sysctl.conf
cat >> /etc/sysctl.conf <<eof
# NEW ADD
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_max_tw_buckets = 65535
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 131070
net.core.somaxconn = 20480
eof
/sbin/sysctl -p
#init
for sun in `chkconfig --list|grep 3:on|awk '{print $1}'`;do chkconfig --level 2345 $sun off;done
for sun in crond irqbalance network sysstat sshd rsyslog iptables;do chkconfig --level 2345 $sun on;done
DATE=`date +%Y%m%H`
#add lsyw user
/usr/sbin/useradd lsyw
echo "lishen@123" | passwd lsyw --stdin
#ssh
ssh_cf="/etc/ssh/sshd_config"
cp $ssh_cf $ssh_cf.$DATE
sed -i "s/#Port 22/Port 50000/" $ssh_cf
sed -i "s/#UseDNS yes/UseDNS no/" $ssh_cf
sed -i "/X11Forwarding yes/d" $ssh_cf
sed -i "s/#X11Forwarding no/X11Forwarding no/g" $ssh_cf
sed -i "s/#PrintMotd yes/PrintMotd no/g" $ssh_cf
sed -i "s/#PrintLastLog yes/PrintLastLog no/g" $ssh_cf
sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/' $ssh_cf
sed -i '$aAllowUsers lsyw' $ssh_cf
/etc/init.d/sshd reload
#iptables添加规则放通50000端口
sed -i '/dport 22/{ s/22/50000/g }' /etc/sysconfig/iptables
/etc/init.d/iptables reload
#清空信息信息为了安全
ISSUE=/etc/issue
ISSUE_NET=/etc/issue.net
RELEASE=/etc/redhat-release
cp $ISSUE $ISSUE.$DATE
cp $ISSUE_NET $ISSUE_NET.$DATE
cp $RELEASE $RELEASE.$DATE
>$ISSUE
>$ISSUE_NET
>$RELEASE
#snmp
snmp_cf="/etc/snmp/snmpd.conf"
cp $snmp_cf $snmp_cf.$DATE
rm -rf $snmp_cf
cp -a ./etc/snmpd.conf $snmp_cf
#deluser
userdel uucp
userdel operator
userdel games
userdel gopher
userdel ftp
#防爆破登录
yum install -y fail2ban
mv /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.$DATE
cp -ap ./file/jail.conf /etc/fail2ban/
mkdir /usr/local/gacp/worksh -p
cp -ap ./file/history.sh ./file/log_rotate.sh ./file/del_100day_before_logs.sh /usr/local/gacp/worksh/
