服务器初始化
system_init.sh
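#!/bin/bash
#######################################
# Install epel-release and switch the EPEL repo file from the mirrorlist
# redirector to a fixed baseurl (author's note: Aliyun machines should use
# the aliyun EPEL mirror).
# Globals:   none
# Arguments: none
# Outputs:   one status line on stdout; yum/sed problems on stderr
# Returns:   0 (the status line is always printed, matching the script style)
#######################################
init_epel() {
  local repo=/etc/yum.repos.d/epel.repo
  # If this fails the repo file is missing and every edit below fails too;
  # the original hid that completely, so at least say so on stderr.
  yum install epel-release -y >/dev/null 2>&1 \
    || printf 'init_epel: yum install epel-release failed\n' >&2
  if [ -f "$repo" ]; then
    # Comment out mirrorlist= and uncomment baseurl= throughout the file.
    sed -i -e 's/mirrorlist/#mirrorlist/g' -e 's/#baseurl/baseurl/g' "$repo"
    # The author addresses the [epel] section's enabled= line by its line
    # number (6) in the stock epel.repo; this silently does nothing if the
    # file layout differs.
    sed -i '6s/enabled=0/enabled=1/g' "$repo"
    # gpgcheck is left as shipped (gpgcheck=1) on purpose. The original set
    # gpgcheck=0, which makes yum install whatever the mirror serves without
    # any signature check; the EPEL signing key is installed by epel-release,
    # so verification works with a plain baseurl mirror as well.
  else
    printf 'init_epel: %s not found, skipping repo edits\n' "$repo" >&2
  fi
  yum clean all >/dev/null 2>&1
  echo "[EPEL 配置] ==> OK"
}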
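#######################################
# Raise the process and open-file limits, persistently via pam_limits
# (/etc/security/limits.conf is replaced wholesale) and for the running shell.
# Globals:   none
# Arguments: none
# Outputs:   one status line on stdout; ulimit failures on stderr
# Returns:   0
#######################################
init_ulimits() {
  # The limits.conf item is "nproc"; the original wrote "noproc", which is not
  # a known item, so pam_limits never applied the process limit.
  # NOTE(review): on EL7 a drop-in such as /etc/security/limits.d/20-nproc.conf
  # can still override nproc for non-root users — check there if the limit
  # does not take effect.
  cat > /etc/security/limits.conf <<'EOF'
* soft nproc 20480
* hard nproc 20480
root soft nofile 65535
root hard nofile 65535
* soft nofile 65535
* hard nofile 65535
EOF
  # Also raise the limits of this shell; report rather than hide a refusal
  # (e.g. when the current hard limit is already lower than requested).
  ulimit -n 65535 || printf 'init_ulimits: ulimit -n 65535 failed\n' >&2
  ulimit -u 20480 || printf 'init_ulimits: ulimit -u 20480 failed\n' >&2
  echo "[ulimits 配置] ==> OK"
}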
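#######################################
# Turn off reverse-DNS and GSSAPI lookups in sshd (both slow down logins)
# and restart sshd so the change takes effect.
# Globals:   none
# Arguments: none
# Outputs:   one status line on stdout; problems on stderr
# Returns:   0
#######################################
init_ssh() {
  local cfg=/etc/ssh/sshd_config
  if [ -f "$cfg" ]; then
    # Add the directives only once (the original re-inserted them on every
    # run). They go at the top of the file, which is always the global
    # section; a fixed line number (the original used 13) can land inside a
    # Match block or do nothing at all on a short file.
    if ! grep -q '^UseDNS' "$cfg"; then
      # Plain -i: GNU sed reads the original's "-ir" as -i with backup suffix
      # "r", which left a stray /etc/ssh/sshd_configr next to the config.
      sed -i '1iUseDNS no\nGSSAPIAuthentication no' "$cfg"
    fi
    # Never restart sshd on a config it rejects — that locks everyone out.
    # The rest of the script uses systemd, so try systemctl first and fall
    # back to the SysV script the original called.
    if command -v sshd >/dev/null 2>&1 && ! sshd -t -f "$cfg" >/dev/null 2>&1; then
      printf 'init_ssh: sshd -t rejected %s, not restarting sshd\n' "$cfg" >&2
    else
      systemctl restart sshd >/dev/null 2>&1 || /etc/init.d/sshd restart >/dev/null 2>&1
    fi
  fi
  echo "[SSH 优化] ==> OK"
}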
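#######################################
# Write the TCP/file-descriptor tuning to /etc/sysctl.conf and load it.
# Globals:   none
# Arguments: none
# Outputs:   one status line on stdout; a warning on stderr if sysctl -p fails
# Returns:   0
#######################################
init_kernel() {
  # NOTE: /etc/sysctl.conf is replaced wholesale (as in the original), so any
  # setting already in that file is lost; drop-ins in /etc/sysctl.d/ are kept.
  # NOTE(review): fs.file-max is the system-wide cap and here equals the
  # per-process nofile limit set in init_ulimits, so one process can exhaust
  # it — confirm that is intended.
  cat > /etc/sysctl.conf <<'EOF'
fs.file-max = 65535
net.ipv4.tcp_max_tw_buckets = 1000000
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle is deliberately not enabled: it drops connections from
# clients that share a public IP (NAT, load balancers) and the kernel removed
# the knob in 4.12, where sysctl -p fails on it.
# net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 5000 65000
net.ipv4.tcp_mem = 786432 1048576 1572864
net.core.wmem_max = 873200
net.core.rmem_max = 873200
net.ipv4.tcp_wmem = 8192 436600 873200
net.ipv4.tcp_rmem = 32768 436600 873200
net.core.somaxconn = 10240
net.core.netdev_max_backlog = 20480
net.ipv4.tcp_max_syn_backlog = 20480
net.ipv4.tcp_retries2 = 5
net.ipv4.conf.lo.arp_ignore = 0
net.ipv4.conf.lo.arp_announce = 0
net.ipv4.conf.all.arp_ignore = 0
EOF
  # Report a failed load instead of hiding it as the original did.
  sysctl -p >/dev/null 2>&1 || printf 'init_kernel: sysctl -p reported errors\n' >&2
  echo "[内核 优化] ==> OK"
}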
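#######################################
# Make bash history lines carry a timestamp, the user name and the SSH client
# IP by appending an HISTTIMEFORMAT export to /etc/profile (once).
# Globals:   none
# Arguments: none
# Outputs:   one status line on stdout
# Returns:   0
#######################################
init_history() {
  if ! grep -q "HISTTIMEFORMAT" /etc/profile 2>/dev/null; then
    # Quoted heredoc: nothing expands here; $(...) and ${UserIP} are evaluated
    # at login when /etc/profile is sourced. The original wrote the literal
    # "[whoami]", which never expands, so the user name was never recorded.
    cat >> /etc/profile <<'EOF'

UserIP=$(who -u am i | cut -d"(" -f 2 | sed -e "s/[()]//g")
export HISTTIMEFORMAT="[%F %T] [$(whoami)] [${UserIP}] "
EOF
  fi
  # NOTE(review): this is a convenience for troubleshooting, not tamper-proof
  # audit — a user can unset HISTTIMEFORMAT or HISTFILE; use auditd or
  # forwarded syslog for evidence-grade records.
  echo "[history 优化] ==> OK"
}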
#######################################
# Clear the pre-login banner, disable SELinux (in the config file and for the
# running kernel) and make sure openssl/openssh/bash are installed.
# Globals:   none
# Arguments: none
# Outputs:   one status line on stdout
# Returns:   0
#######################################
init_security() {
  local selinux_cfg=/etc/selinux/config
  # Truncate /etc/issue so no OS/version string is shown before login.
  : > /etc/issue
  # NOTE(review): turning SELinux off removes the mandatory-access-control
  # layer for every service on the host; "permissive" would keep the audit
  # trail without blocking anything. Left as the author chose.
  sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' \
         -e 's/SELINUX=permissive/SELINUX=disabled/g' "$selinux_cfg"
  setenforce 0 >/dev/null 2>&1
  # Firewall handling was commented out by the author; kept as-is.
  #systemctl stop firewalld.service
  #systemctl disable firewalld.service
  # NOTE(review): "yum install" is a no-op for packages that are already
  # present, so this does not pull in security updates — presumably
  # "yum update" was meant; confirm with the author before changing.
  yum install -y openssl openssh bash >/dev/null 2>&1
  echo "[安全配置] ==> OK"
}
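#######################################
# Install the build tool group and the everyday CLI tools and -devel packages.
# Globals:   none
# Arguments: none
# Outputs:   one status line on stdout; groupinstall failure on stderr
# Returns:   0
#######################################
init_other() {
  # The group name contains a space and must be a single argument. Unquoted,
  # yum looked for two groups named "Development" and "tools", neither of
  # which exists, and the redirect hid the error.
  yum groupinstall "Development Tools" -y >/dev/null 2>&1 \
    || printf 'init_other: yum groupinstall "Development Tools" failed\n' >&2
  yum install -y vim wget lrzsz iftop iotop htop tree >/dev/null 2>&1
  yum install -y git zlib-devel openssl-devel unzip libxslt-devel libxml2-devel libcurl-devel >/dev/null 2>&1
  echo "[安装常用工具] ==> OK"
}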
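#######################################
# Enforce root ownership and tight modes on the account database files.
# Globals:   none
# Arguments: none
# Outputs:   one status line on stdout; each failed step on stderr
# Returns:   0
#######################################
init_chmod() {
  # Every step is independent. In the original's && chain one failure
  # silently skipped all later steps, e.g. /etc/shadow kept its mode because
  # chmod on /etc/group failed.
  chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow \
    || printf 'init_chmod: chown of account files failed\n' >&2
  local f
  # World-readable: these hold no secrets and are read by every login.
  for f in /etc/group /etc/passwd; do
    chmod 0644 "$f" || printf 'init_chmod: chmod 0644 %s failed\n' "$f" >&2
  done
  # Password hashes are readable by root only.
  for f in /etc/shadow /etc/gshadow; do
    chmod 0400 "$f" || printf 'init_chmod: chmod 0400 %s failed\n' "$f" >&2
  done
  echo "[关键文件权限设置] ==> OK"
}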
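#######################################
# Record every command of every login shell into an append-only log by
# hooking PROMPT_COMMAND in /etc/profile.
# Globals:   none
# Arguments: none
# Outputs:   one status line on stdout
# Returns:   0
#######################################
init_ssh_history() {
  local logfile=/var/log/check_user_history.log
  touch "$logfile"
  # Owned by nobody, write-only for others, append-only (chattr +a): any
  # login shell can append, but nothing — root included, until the attribute
  # is removed — can edit or truncate what is already there.
  chown nobody:nobody "$logfile" >/dev/null 2>&1
  chmod 002 "$logfile" >/dev/null 2>&1
  chattr +a "$logfile" >/dev/null 2>&1
  # Append the hook only once; the original appended it on every run.
  if ! grep -q 'HISTORY_FILE=' /etc/profile 2>/dev/null; then
    cat >> /etc/profile <<"EOF"
export HISTORY_FILE=/var/log/check_user_history.log
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### USER:$USER IP:$SSH_CLIENT PS:$SSH_TTY ppid=$PPID pwd=$PWD #### $(history 1 | { read x cmd; echo "$cmd"; })";} >>$HISTORY_FILE'
EOF
  fi
  source /etc/profile
  # NOTE(review): the hook runs inside the user's own shell and can be unset,
  # so this is an activity trail, not tamper-evident audit. It also records
  # command lines verbatim, including any secret passed as an argument.
  echo "[ssh实时操作记录] ==> OK"
}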
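#######################################
# Install /etc/ssh/sshrc, which sshd runs (with /bin/sh, as the logging-in
# user) on each SSH login unless that user has ~/.ssh/rc; it posts a
# "logged in" message to a Telegram chat.
# Globals:   none
# Arguments: none
# Outputs:   one status line on stdout
# Returns:   0
#######################################
init_ssh_login_telegram() {
  # NOTE(review): the bot token and chat id are embedded in this script and in
  # a file every local user must be able to read (sshrc runs as the user);
  # treat them as exposed and rotate them.
  # Changes from the original: --max-time bounds the call so an unreachable
  # api.telegram.org cannot hold every SSH login until curl's default timeout,
  # the HTTP status captured into RES was never used so it is not requested,
  # and the client IP is taken with a parameter expansion instead of echo|cut.
  cat > /etc/ssh/sshrc <<"EOF"
#!/bin/sh
# Telegram接收SSH登陆提醒
#编辑 /etc/ssh/sshrc 放入以下代码
IP="${SSH_CONNECTION%% *}"
HOSTNAME=$(hostname)
NOW=$(date +"%e %b %Y, %a %r")
CONTENT="$IP 登录到主机 $HOSTNAME 时间 $NOW."
curl -X POST \
-F "chat_id=-446223495" \
-F "text=${CONTENT}" \
-o /dev/null --silent --max-time 10 \
"https://api.telegram.org/bot1964244239:AAFIY_CqMoCR0V7dN04ADrjJxZ-rfdrAcXU/sendMessage"
#每次登陆 SSH 后 Telegram Bot 都会发送一条通知给你
#注意
#创建了 ~/.ssh/rc 的用户在登陆时只执行该文件,/etc/ssh/sshrc 会被忽略。
#ssh登录端口转发时会触发,但是开启 -N 选项后不会触发。
#当然这也并不是就万无一失了。提高安全意识,按时更换密码和私钥,不使用来历不明的代码才是正确的姿势。
#最后当然是祈祷这个脚本一次也不要派上用场。(别被黑客日了)
EOF
  echo "[ssh登录飞机报警] ==> OK"
}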
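#######################################
# Install /root/.bash_logout, which root's interactive bash sources on exit;
# it posts a "logged out" message and uploads today's slice of the command
# log to a Telegram chat. The "#!/bin/sh" inside is inert (the file is
# sourced, not executed) and is kept as the author wrote it.
# Globals:   none
# Arguments: none
# Outputs:   one status line on stdout
# Returns:   0
#######################################
init_ssh_logout_telegram() {
  # NOTE(review): this sends the whole day's command log — every user's
  # commands, including any secret typed on a command line — to a Telegram
  # group, using a bot token that is also readable in /etc/ssh/sshrc. Confirm
  # that destination is acceptable for that data.
  # Changes from the original: both curl calls are bounded with --max-time so
  # a logout cannot hang; the unused HTTP-status capture is dropped; the log is
  # grepped directly with a quoted fixed-string date instead of cat|grep; the
  # per-day extract is created with umask 077 and removed after upload — the
  # original left it in /var/log with the default umask, i.e. readable by
  # every local user even though the source log itself is not.
  cat > /root/.bash_logout <<"EOF"
#!/bin/sh
# Telegram接收SSH退出提醒
#编辑 /root/.bash_logout 放入以下代码
IP="${SSH_CONNECTION%% *}"
HOSTNAME=$(hostname)
NOW=$(date +"%e %b %Y, %a %r")
CONTENT="$IP 登出exit主机 $HOSTNAME 时间 $NOW."
curl -X POST \
-F "chat_id=-446223495" \
-F "text=${CONTENT}" \
-o /dev/null --silent --max-time 10 \
"https://api.telegram.org/bot1964244239:AAFIY_CqMoCR0V7dN04ADrjJxZ-rfdrAcXU/sendMessage"
#每次退出 SSH 后 Telegram Bot 都会发送一条通知给你
( umask 077; grep -F -- "$(date "+%Y-%m-%d")" /var/log/check_user_history.log > "/var/log/$HOSTNAME.txt" )
curl -s --max-time 60 -o /dev/null "https://api.telegram.org/bot1964244239:AAFIY_CqMoCR0V7dN04ADrjJxZ-rfdrAcXU/senddocument?chat_id=-446223495" \
-F document=@"/var/log/$HOSTNAME.txt"
rm -f -- "/var/log/$HOSTNAME.txt"
#每次退出 SSH 后 Telegram Bot 都会发送操作记录到群
EOF
  echo "[ssh登出飞机报警] ==> OK"
}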
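#######################################
# Install the Zabbix agent, point it at the Zabbix server and start it.
# Globals:   none
# Arguments: none
# Outputs:   one status line on stdout; a missing config file on stderr
# Returns:   0
#######################################
init_zabbix_agent() {
  local conf=/etc/zabbix/zabbix_agentd.conf
  # Fetch over TLS: the original used plain http://, so the package could be
  # altered in transit, and rpm only warns (NOKEY) when the signing key is not
  # imported, so the package signature alone is no protection there.
  rpm -Uvh https://repo.zabbix.com/zabbix/4.4/rhel/7/x86_64/zabbix-agent-4.4.3-1.el7.x86_64.rpm >/dev/null 2>&1
  yum install -y zabbix-agent >/dev/null 2>&1
  if [ -f "$conf" ]; then
    # Server= lists the hosts allowed to poll this passive agent.
    sed -i "s/Server=127.0.0.1/Server=8.210.2.40/g" "$conf"
  else
    printf 'init_zabbix_agent: %s not found, agent not configured\n' "$conf" >&2
  fi
  systemctl enable zabbix-agent.service >/dev/null 2>&1
  systemctl restart zabbix-agent.service >/dev/null 2>&1
  echo "[zabbix-agent监控启动] ==> OK"
}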
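# The init steps, in the order they are exported and then run.
init_steps=(
  init_epel init_ulimits init_ssh init_kernel init_history init_security
  init_other init_chmod init_ssh_history init_ssh_login_telegram
  init_ssh_logout_telegram init_zabbix_agent
)
# Export the functions so any child bash can see them.
for step in "${init_steps[@]}"; do
  export -f "$step"
done
# Run the functions in order.
echo "[系统初始化开始] ==> OK"
for step in "${init_steps[@]}"; do
  "$step"
done
echo "[系统初始化结束] ==> OK"
# --max-time keeps the script from hanging here when ifconfig.me is unreachable.
echo "服务器公网ip $(curl -s --max-time 10 ifconfig.me) 主机名 $(hostname)"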