#!/bin/bash

# author wangqd

# description:this is a centos6.7 optimization script

# processname:  升级系统,精简服务，安装基本配置，记录bash执行时间，安全配置，su加固，ssh优化，iptables设置，时间同步 系统优化

#检查是否为root用户；

if [ $(id -u) != "0" ];then

echo "运行此脚本需要root权限!"

fi

yum update -y >> /etc/null

if [ $? = "0" ];then

echo "系统暂时无需更新"

fi

#精简服务

# 关闭ipv6防火墙

chkconfig ip6tables off

if [ $? = "0" ];then

echo "设置ipv6防火墙开机不自启成功"

else

echo "设置ipv6防火墙开机不自启成功失败"

fi

# 关闭iscsi服务

chkconfig iscsi off

if [ $? = "0" ];then

echo "设置iscsi服务开机不自启成功"

else

echo "设置iscsi服务开机不自启失败"

fi

# 关闭iscsi相关服务

chkconfig iscsid off

if [ $? = "0" ];then

echo "设置iscsi相关服务开机不自启成功"

else

echo "设置iscsi相关服务开机不自启失败"

fi

# 关闭NFS，smaba和NetWare网络文件系统

chkconfig netfs off

if [ $? = "0" ];then

echo "设置NFS，smaba和NetWare网络文件系统开机不自启成功"

else

echo "设置NFS，smaba和NetWare网络文件系统开机不自启失败"

fi

# linux的审计功能

chkconfig auditd off

if [ -f "/var/lock/subsys/auditd" ];then

echo "linux的审计功能"

else

echo "linux的审计功能未开启"

fi

# 关闭TCP/IP网络共享文件的协议的NFS的文件锁功能

if [ -f "/var/lock/subsys/nfslock" ];then

chkconfig nfslock off

echo "关闭TCP/IP网络共享文件的协议的NFS的文件锁功能"

else

echo "TCP/IP网络共享文件的协议的NFS的文件锁功能未开启"

fi

# 关闭 NFS v4

if [ -f "/var/lock/subsys/rpcgssd" ];then

chkconfig rpcgssd off

echo "关闭 NFS-rpcgssd"

else

echo "NFS-rpcgssd服务未开启"

fi

# 关闭RPC服务

if [ -f "/var/lock/subsys/rpcbind" ];then

chkconfig rpcbind off

echo "关闭RPC rpcbind服务"

else

echo "RPC服务未开启"

fi

# 关闭 NFS v4

if [ -f "/var/lock/subsys/rpcidmapd" ];then

chkconfig rpcidmapd off

echo "关闭 rpcidmapd"

else

echo "rpcidmapd服务未开启"

fi

# 关闭系統对Logical Volume Manager 逻辑磁区的支持

if [ -f "/var/lock/subsys/lvm2-monitor" ];then

chkconfig lvm2-monitor off

echo "关闭系統对Logical Volume Manager 逻辑磁区的支持"

else

echo "系統对Logical Volume Manager 逻辑磁区的支持未开"

fi

# 关闭邻近发现协议

if [ -f "/var/lock/subsys/lldpad" ];then

chkconfig lldpad off

echo "关闭邻近发现协议"

else

echo "邻近发现协议未开启"

fi

#安装基本组件

# setuptool Python的 distutilsde工具的增强工具（py2.3.5以上 64位py2.4）

# ntsysv 设置系统的各种服务

# system-config-firewall-tui 命令行用户接口（TUI）的防火墙客户端

# system-config-network-tui  安装Fedora网络配置的工具

yum install -y setuptool ntsysv system-config-firewall-tui system-config-network-tui cronie wget vim unzip openssh-clients screen rsync ftp telnet >> /etc/null

if [ $? = "0" ];then

echo "基本组件安装完成"

else

echo "基本组件已安装过"

fi

#记录每次bash命令的执行时间

time="HISTTIMEFORMAT=\"%Y-%m-%d\ %H:%M:%S\""

grep "$time" /etc/profile >> /etc/null

if [ $? = "0" ];then

echo "记录每次bash命令的执行时间已经做过"

else

line=$(sed -n "/export\ PATH\ USER/=" /etc/profile| tail -n1)

sed -i "${line}a HISTTIMEFORMAT=\"%Y-%m-%d\ %H:%M:%S\"\nexport\ HISTTIMEFORMAT"  /etc/profile

echo "记录每次bash命令的执行时间已经成功"

fi

#安全配置

grep "^SELINUX=disabled" /etc/selinux/config

if [ $? = "0" ];then

echo "已经做过安全配置"

else

selinux1=$(grep "^SELINUX=enforcing" /etc/selinux/config)

sed -i "s/$selinux1/SELINUX=disabled/" /etc/selinux/config

echo "服务器安全配置已经完成"

fi

#su加固

grep "^auth" /etc/pam.d/su|grep "pam_wheel.so use_uid"

if [ $? = "0"];then

echo "su 已加固"

else

line2=$(sed -n "/^auth/=" /etc/pam.d/su|tail -1 )

sed -i "${line2}a auth\ \ \ \ \ \ required\ \ \ \ pam_wheel.so\ use_uid" /etc/pam.d/su

echo "su加固成功"

fi

#ssh 优化

#port 端口

grep "^Port[[:space:]]" /etc/ssh/sshd_config|grep "58022"

if [ $? = "0" ];then

echo "ssh端口号设置正确修改"

else

check1=$(grep "^#Port" /etc/ssh/sshd_config)

sline1=$(sed -n "/$check1/=" /etc/ssh/sshd_config)

sed  -i "/^Port/d" /etc/ssh/sshd_config

sed  -i "${sline1}a Port\ 58022" /etc/ssh/sshd_config

echo "SSH已改为58022"

fi

#不允许用root进行登录

grep "^PermitRootLogin[[:space:]]" /etc/ssh/sshd_config|grep "no"

if [ $? = "0" ];then

echo "ssh不允许root登录功能已设置"

else

check2=$(grep "^#PermitRootLogin[[:space:]]" /etc/ssh/sshd_config)

sline2=$(sed -n "/$check2/=" /etc/ssh/sshd_config)

sed -i "/^PermitRootLogin/d" /etc/ssh/sshd_config

sed -i "${sline2}a PermitRootLogin\ no" /etc/ssh/sshd_config

echo "不允许root登录ssh设置成功"

fi

#不允许空密码登录

grep "^PermitEmptyPasswords[[:space:]]" /etc/ssh/sshd_config|grep "no"

if [ $? = "0" ];then

echo "请查看ssh不允许空密码登录已被设置"

else

check3=$(grep "^#PermitEmptyPasswords[[:space:]]" /etc/ssh/sshd_config)

sline3=$(sed -n "/$check3/=" /etc/ssh/sshd_config)

sed -i "/^PermitEmptyPasswords/d" /etc/ssh/sshd_config

sed -i "${sline3}a PermitEmptyPasswords\ no" /etc/ssh/sshd_config

echo "ssh不允许空密码登录设置成功"

fi

#禁用DNS

grep "^GSSAPIAuthentication[[:space:]]" /etc/ssh/sshd_config|grep "no"

if [ $? = "0" ];then

echo "禁用DNS已被设置"

else

check4=$(grep "#GSSAPIAuthentication[[:space:]]" /etc/ssh/sshd_config)

sed -i "/^GSSAPIAuthentication/d" /etc/ssh/sshd_config

sline4=$(sed -n "/$check4/=" /etc/ssh/sshd_config)

sed -i "${sline4}c GSSAPIAuthentication\ no" /etc/ssh/sshd_config

echo "禁用DNS设置成功"

fi

#禁用UseDNS

grep "^UseDNS[[:space:]]" /etc/ssh/sshd_config|grep "no"

if [ $? = "0" ];then

echo "禁用UseDNS已被设置"

else

check5=$(grep "^#UseDNS[[:space:]]" /etc/ssh/sshd_config)

sline5=$(sed -n "/$check5/=" /etc/ssh/sshd_config)

sed -i "/^UseDNS/d" /etc/ssh/sshd_config

sed -i "${sline5}a UseDNS\ no" /etc/ssh/sshd_config

echo "禁用UseDNS设置成功"

fi

#AllowUsers

sed -i "/^AllowUsers/d" /etc/ssh/sshd_config

if [ $? = "0" ];then

echo "SSH的其他允许登录的用户已被删除"

else

echo "ssh 无其他允许登录的用户"

fi

AU=$(sed -n "/^#/=" /etc/ssh/sshd_config|tail -1)

sed -i "${AU}a AllowUsers\ $1" /etc/ssh/sshd_config

if [ $? = "0" ];then

echo "AllowUsers已设置用户成功"

else

echo "AllowUsers设置用户失败"

fi

#设置防火墙

iptab="-A\ INPUT\ -m\ state\ --state\ NEW\ -m\ tcp\ -p\ tcp\ --dport\ 58022\ -j\ ACCEPT"

grep "58022" /etc/sysconfig/iptables

if [ $? != 0 ];then

line8=$(sed -n "/22/=" /etc/sysconfig/iptables|head -1)

sed -i "${line8}a $iptab" /etc/sysconfig/iptables

echo "添加58022端口成功"

#line9=$(sed -n "/lo/=" /etc/sysconfig/iptables|head -1)

#sed -i "${line9}a $iptab" /etc/sysconfig/iptables

else

echo "58022 已被设置请查看"

fi

/etc/init.d/sshd restart

if [ $? = "0" ];then

echo "sshd已重启"

fi

/etc/init.d/iptables restart

if [ $? = "0" ];then

echo "iptables"

fi

#时间同步

yum install ntp -y >> /etc/null

if [ $? = "0" ];then

echo "ntp服务已被安装"

fi

/usr/sbin/ntpdate time.nist.gov

if [ $? = "0" ];then

echo "本地时间一同步时间服务器"

fi

/sbin/hwclock --systohc

if [ $? = "0" ];then

echo "系统时间已同步到硬件"

fi

#将时间同步写入计划日志

line10=$(sed -n "/^#/=" /etc/crontab|tail -1)

sed -i "${line10}a 5\ */6\ *\ *\ *\ /usr/sbin/ntpdate time.nist.gov\ >\ /dev/null\ 2>&1" /etc/crontab

if [ $? = "0" ];then

echo "时间同步已写入计划日志"

fi

#优化内核参数

line11=$(sed -n "/^#/=" /etc/sysctl.conf|tail -1)

sed -i "${line11}a net.ipv4.tcp_max_syn_backlog\ =\ 65536\nnet.core.netdev_max_backlog\ =\ 32768\nnet.core.somaxconn\ =\ 32768\nnet.core.wmem_default\ =\ 8388608\nnet.core.rmem_default\ =\ 8388608\nnet.core.rmem_max\ =\ 16777216\nnet.core.wmem_max\ =\ 16777216net.ipv4.tcp_timestamps\ =\ 0\nnet.ipv4.tcp_synack_retries\ =\ 2\nnet.ipv4.tcp_syn_retries\ =\ 2\nnet.ipv4.tcp_tw_recycle\ =\ 1\n#net.ipv4.tcp_tw_len\ =\ 1\nnet.ipv4.tcp_tw_reuse\ =\ 1\nnet.ipv4.tcp_mem\ =\ 94500000\ 915000000\ 927000000\nnet.ipv4.tcp_max_orphans\ =\ 3276800\nnet.ipv4.ip_local_port_range\ =\ 1024\ 65535" /etc/sysctl.conf

if [ $? = "0" ];then

echo "系统已经优化完成"

fi

#创建wheel用户

useradd -G wheel $1

echo "$2" | passwd $1 --stdin > /dev/null 2>&1

if [ $? = "0" ];then

echo "user is created!"

fi

echo "SU_WHEEL_ONLY yes" >> /etc/login.defs

#只允许wheel用户su到root

if [ $? = "0" ];then

echo "只允许wheel用户su到root执行成功"

else

echo "只允许wheel用户su到root执行失败请查看"

fi

init 6