
CentOS系统初始化脚本

#!/bin/sh
# date: 2021-12-09
# description: system_init
# author: wb
#aliyun CentOS-Base.repo
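ALIYUN_YUM () {
    repo=/etc/yum.repos.d/CentOS-Base.repo
    # wget comes from whatever repo is currently configured (the stock one on first run).
    yum install wget -y
    if grep -q "mirrors.aliyun.com" "$repo" 2>/dev/null; then
        printf '\033[44;37m  Aliyun yum repos is set  \033[0m\n'
        return 0
    fi
    mv "$repo" "$repo.backup"
    # Fetch over HTTPS only (wget verifies the certificate by default). On failure put the
    # stock file back: `wget -O` leaves a 0-byte target behind, and the original fell
    # straight through to sed/makecache on that empty file, leaving the host with no repo.
    if ! wget -O "$repo" https://mirrors.aliyun.com/repo/Centos-7.repo; then
        printf 'error: could not download Centos-7.repo, restoring %s\n' "$repo.backup" >&2
        mv "$repo.backup" "$repo"
        return 1
    fi
    # Strip the *.aliyuncs.com mirror entries the downloaded file lists ahead of the
    # public host (presumably Alibaba-internal endpoints; keep the public mirror only).
    sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' "$repo"
    # Package signature verification must survive the mirror swap; warn loudly if the
    # fetched file does not enable it, since everything installed later depends on it.
    if ! grep -q '^gpgcheck=1' "$repo"; then
        printf 'warning: %s has no gpgcheck=1 line; packages would install unverified\n' "$repo" >&2
    fi
    yum makecache
}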
 
#disable selinux
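# Set SELINUX=disabled in the SELinux config ($1, default /etc/selinux/config).
# NOTE(review): this removes the mandatory-access-control layer entirely; `permissive`
# keeps the audit trail while not blocking anything. The change only takes effect after a
# reboot — nothing here calls `setenforce`, so the running kernel stays enforcing.
DISABLE_SELINUX () {
    selinux_cfg=${1:-/etc/selinux/config}
    # Anchor at line start: the original unanchored grep treated a commented-out
    # "#SELINUX=disabled" as already done and left SELinux enabled.
    if grep -q '^SELINUX=disabled' "$selinux_cfg" 2>/dev/null; then
        printf '\033[44;37m  SELINUX is disable  \033[0m\n'
    else
        sed -i 's/^SELINUX=.*$/SELINUX=disabled/' "$selinux_cfg"
    fi
}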
#set time zone
# Overwrite /etc/localtime with the Asia/Shanghai zone file.
# `command cp` (like the original `\cp`) bypasses any interactive `cp -i` alias so the
# run cannot block on a prompt.
# NOTE(review): this leaves a plain copy rather than the symlink systemd maintains;
# on systemd hosts `timedatectl set-timezone Asia/Shanghai` is the usual way.
TIME_ZONE () {
    command cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
}
#set ntp
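# Add a nightly ntpdate step-sync to the system crontab ($1, default /etc/crontab).
# NOTE(review): ntpdate is only installed later by INSTALL_DEV_SOFT_PACK, and it cannot
# bind UDP 123 while a daemon such as chronyd (enabled by default on CentOS 7) is running,
# in which case this job fails every night. Configuring chrony's servers is the safer path.
NTP_SET () {
    crontab_file=${1:-/etc/crontab}
    # Quiet grep, tested directly: the original printed the matching line and then
    # inspected $?.
    if grep -q ntpdate "$crontab_file" 2>/dev/null; then
        printf '\033[44;37m ntpdate is set  \033[0m\n'
    else
        echo "0 3 * * * root /usr/sbin/ntpdate time1.aliyun.com" >> "$crontab_file"
    fi
}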
 
#disable service
# Stop and disable units this baseline treats as unneeded: the host firewall
# (firewalld/iptables), NetworkManager, the local MTA (postfix) and the RPC portmapper.
# NOTE(review): with both firewall units off, packet filtering for this host rests
# entirely on the cloud security group / upstream ACLs — confirm that is intended.
# NOTE(review): once NetworkManager is gone, ifcfg-* interfaces depend on network.service;
# check it is enabled before rebooting a remote host.
DISABLE_SERVICE (){
    for unit in firewalld.service iptables.service NetworkManager.service; do
        systemctl disable "$unit"
        systemctl stop "$unit"
    done
    for unit in postfix rpcbind; do
        systemctl stop "$unit"
        systemctl disable "$unit"
    done
}
#set limit
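# Raise open-file and process limits in limits.conf ($1, default /etc/security/limits.conf),
# appending each entry once.
# NOTE(review): only a *soft* nproc is set; if /etc/security/limits.d/20-nproc.conf is
# present it is read afterwards and its own `* soft nproc` value overrides this one for
# non-root users.
LIMIT_CONF () {
    limits_file=${1:-/etc/security/limits.conf}
    for entry in "* soft nofile 65535" "* hard nofile 65535" "* soft nproc 65535"; do
        # -F: the leading "*" is a literal, not a regex operator; -x: whole-line match,
        # so "* soft nofile 655350" no longer counts as already present.
        if ! grep -qxF -- "$entry" "$limits_file" 2>/dev/null; then
            printf '%s\n' "$entry" >> "$limits_file"
        fi
    done
}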
#disable ipv6
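# Persist disable_ipv6=1 for the "all" and "default" interfaces in sysctl.conf
# ($1, default /etc/sysctl.conf).
# NOTE(review): nothing here runs `sysctl -p`, so this only takes effect after reboot;
# services that bind ::1 or "::" need checking once IPv6 is gone.
DISABLE_IPV6 () {
    sysctl_conf=${1:-/etc/sysctl.conf}
    for key in net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6; do
        # Only an active line with value 1 counts. The original unanchored grep matched a
        # commented example such as "# net.ipv6.conf.all.disable_ipv6 = 0" and skipped the
        # setting, leaving IPv6 enabled.
        if grep -q "^${key}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$sysctl_conf" 2>/dev/null; then
            printf '\033[44;37m IPV6 is disable  \033[0m\n'
        else
            printf '%s = 1\n' "$key" >> "$sysctl_conf"
        fi
    done
}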
#ssh conf
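# Harden sshd_config ($1, default /etc/ssh/sshd_config): non-default port, no reverse
# DNS on login, protocol 2 only. Each directive is added only if no active line exists.
# NOTE(review): nothing here runs `sshd -t` or restarts sshd — keep the current session
# open, validate, then restart. While SELinux is still enforcing (DISABLE_SELINUX only
# applies after reboot) the new port also needs
# `semanage port -a -t ssh_port_t -p tcp 12222`, or sshd cannot bind it.
# `Protocol 2` is accepted but ignored on OpenSSH 7.4+ (SSH-1 was removed); harmless.
SSH_CONF () {
    sshd_cfg=${1:-/etc/ssh/sshd_config}
    if grep -q "^Port" "$sshd_cfg" 2>/dev/null; then
        printf '\033[44;37m ssh port is set \033[0m\n'
    else
        _SSHD_ADD "Port 12222" "$sshd_cfg"
    fi
    if grep -q "^UseDNS no" "$sshd_cfg" 2>/dev/null; then
        printf '\033[44;37m  UseDNS is set  \033[0m\n'
    else
        _SSHD_ADD "UseDNS no" "$sshd_cfg"
    fi
    if grep -q "^Protocol 2" "$sshd_cfg" 2>/dev/null; then
        printf '\033[44;37m  Protocol is set  \033[0m\n'
    else
        _SSHD_ADD "Protocol 2" "$sshd_cfg"
    fi
}

# Add one global sshd directive ($1) to config file ($2).
# The original appended to the end of the file; that is wrong once the file ends in a
# `Match` block — keywords after `Match` are scoped to that block, and `Port` is not
# permitted there at all, so sshd refuses to start. Insert before the first `Match`
# line instead, and only append when there is none.
_SSHD_ADD () {
    if grep -q '^Match' "$2" 2>/dev/null; then
        awk -v line="$1" '!done && /^Match/ { print line; done = 1 } { print }' "$2" > "$2.tmp" \
            && cat "$2.tmp" > "$2"   # cat-into keeps the original inode, owner and mode
        rm -f "$2.tmp"
    else
        printf '%s\n' "$1" >> "$2"
    fi
}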
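# Append a restrictive default umask and a timestamped history format to the login
# profile ($1, default /etc/profile), each only once.
PROFILE () {
    profile_file=${1:-/etc/profile}
    # umask 027: new files are not world-readable. On a stock CentOS 7 profile the file's
    # own umask lines are indented inside an if block, so `^umask` does not see them and
    # the appended line, evaluated last, wins.
    if grep -q '^umask' "$profile_file" 2>/dev/null; then
        printf '\033[44;37m umask is set  \033[0m\n'
    else
        printf 'umask 027\n' >> "$profile_file"
    fi
    # Date, time and user on each history entry. The backticks are written literally so
    # `whoami` runs at every login, not once here.
    # NOTE(review): shell history is user-writable and trivially unset — treat this as a
    # convenience, not an audit trail; auditd / pam_tty_audit is the accountable option.
    if grep -q HISTTIMEFORMAT "$profile_file" 2>/dev/null; then
        printf '\033[44;37m  histime format is set  \033[0m\n'
    else
        printf '%s\n' 'export HISTTIMEFORMAT="%F %T `whoami` "' >> "$profile_file"
    fi
}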
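# File-permission hardening from a common CentOS baseline. Not run by the `init` target.
# NOTE(review): the original also ran `chmod 700 /usr/bin`. On CentOS 7 /bin is a symlink
# to /usr/bin, so that single line denies every non-root user every standard binary,
# including their login shell. It is dropped here; do not reintroduce it.
FILE_SEC () {
    # Tool restriction: only root may run these enumeration/editing binaries. This is a
    # policy choice with real usability cost (non-root users and their scripts lose
    # cat/tail/head/less/vi). `rpm -Va` will report every changed mode;
    # `rpm --setperms <pkg>` restores the packaged defaults.
    for tool in /bin/ping /usr/bin/vim /usr/bin/vi /bin/netstat /usr/bin/tail \
                /usr/bin/less /usr/bin/head /bin/cat /bin/uname; do
        [ -e "$tool" ] && chmod 700 "$tool"
    done
    [ -e /bin/ps ] && chmod 500 /bin/ps
    # TCP-wrappers access control files: root-owned, world-readable.
    chown root:root /etc/hosts.allow /etc/hosts.deny
    chmod 644 /etc/hosts.allow /etc/hosts.deny
    # Account databases: passwd/group readable by all, shadow/gshadow root-only.
    chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
    chmod 0644 /etc/passwd /etc/group /etc/services
    chmod 0400 /etc/shadow /etc/gshadow
    chmod 0600 /etc/securetty
    # Files that only exist with nfs-utils / an inetd / an FTP daemon: skip when absent
    # instead of printing chmod errors.
    for optional in /etc/exports /etc/inetd.conf; do
        [ -e "$optional" ] && chmod 0644 "$optional"
    done
    # Was 0664 (group-writable) in the original — a deny-list of users must be writable
    # by root only.
    [ -e /etc/ftpusers ] && chmod 0644 /etc/ftpusers
    return 0
}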
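# Install the build toolchain and the utility/dev packages this baseline expects.
# NOTE(review): compilers ("Development Tools") and an LDAP *server* (openldap-servers)
# on every host widen the attack surface; trim the list to what the host's role needs.
INSTALL_DEV_SOFT_PACK () {
    yum groupinstall "Development Tools" -y
    # epel-release first: some of the packages below (e.g. libmcrypt) are EPEL-only.
    yum install epel-release bash-completion -y
    # Deduplicated list (the original repeated several names up to three times).
    # libxpm-dev is the Debian spelling — yum reports "No package libxpm-dev available";
    # the CentOS package is libXpm-devel.
    yum install vim pcre pcre-devel gzip gzip-devel cmake ncurses ncurses-devel \
        bzip2 bzip2-devel curl-devel openldap-devel openldap-servers openldap-clients \
        libevent-devel gd gd-devel libXpm-devel zlib zlib-devel libxml2 libxml2-devel \
        libjpeg libjpeg-devel libpng libpng-devel freetype-devel libmcrypt libmcrypt-devel \
        openssl openssl-devel net-tools htop iotop ntpdate tree tcpdump iptraf sysstat -y
}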
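# Entry point: `init` runs every step in order; anything else prints usage.
# Reboot after `init`: the SELinux, sysctl and sshd changes are written to config only
# (no setenforce / sysctl -p / systemctl restart sshd is run here), so they take effect
# on the next boot.
case "$1" in
    init)
        # Every step writes to /etc or calls yum/systemctl; refuse to start unprivileged
        # rather than leave the host half-configured after the first EACCES.
        if [ "$(id -u)" -ne 0 ]; then
            printf 'error: %s init must be run as root\n' "$0" >&2
            exit 1
        fi
        ALIYUN_YUM
        DISABLE_SELINUX
        TIME_ZONE
        NTP_SET
        DISABLE_SERVICE
        LIMIT_CONF
        DISABLE_IPV6
        SSH_CONF
        PROFILE
        # FILE_SEC is not part of the default run; review its effects before enabling it.
        #FILE_SEC
        INSTALL_DEV_SOFT_PACK
        ;;
    help|*)
        printf '\033[44;37m Usage: %s {init|help} \033[0m\n' "$0"
        printf '\033[44;37m init    - system init \033[0m\n'
        printf '\033[44;37m help    - this screen \033[0m\n'
        exit 1
        ;;
esac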