一个专业运维
技术分享网站!

CentOS 7 一键优化脚本

#!/bin/bash
#########################################################
#copyright by jack.liu  --2020/10/14                         #
#e-mail                                    #
#实现功能:一键系统优化15项脚本,适用于Centos7.x        #
#########################################################
#Source function library.
. /etc/init.d/functions
#date
DATE=`date +"%y-%m-%d %H:%M:%S"`
#ip
IPADDR=`ifconfig | grep "inet" | grep -vE  'inet6|127.0.0.1'|awk '{print $2}'`
#hostname
HOSTNAME=`hostname -s`
#user
USER=`whoami`
#disk_check  (grep -w用于字符串精确匹配)
DISK_SDA=`df -h |grep -w "/" |awk '{print $5}'`
#cpu_average_check
cpu_uptime=`cat /proc/loadavg|awk '{print $1,$2,$3}'`
#set LANG
export.UTF-8

#Require root to run this script.
uid=`id | cut -d\( -f1 | cut -d= -f2`
if [ $uid -ne 0 ];then
  action "Please run this script as root." /bin/false
  exit 1
fi

#"stty erase ^H"  设置backspace为删除键
\cp /root/.bash_profile  /root/.bash_profile_$(date +%F)
erase=`grep -wx "stty erase ^H" /root/.bash_profile |wc -l`
if [ $erase -lt 1 ];then
    echo "stty erase ^H" >>/root/.bash_profile
    source /root/.bash_profile
fi

#Config Yum CentOS-Bases.repo and save Yum file
configYum(){
echo "================更新为阿里YUM源=================="
for i in /etc/yum.repos.d/*.repo;do cp $i ${i%.repo}.bak;done
rm -rf /etc/yum.repos.d/*.repo
wget -P /etc/yum.repos.d/ http://mirrors.aliyun.com/repo/Centos-7.repo >/dev/null 2>&1
  #ping -c 1  mirrors.aliyun.com  >/dev/null
  #if [ $? -eq 0 ];then
  #  rm -rf /etc/yum.repos.d/*.repo
  #  wget -P /etc/yum.repos.d/ http://mirrors.aliyun.com/repo/Centos-7.repo >/dev/null 2>&1
  #else
  #  echo "本服务器无法连接网络。"
  #  exit $?
  #fi
echo "================保存YUM源文件===================="
sed -i 's#keepcache=0#keepcache=1#g' /etc/yum.conf     
grep keepcache /etc/yum.conf
yum clean all;yum makecache;yum repolist
sleep 5
action "配置国内YUM完成"  /bin/true
echo "================================================="
echo ""
  sleep 2
}

#Charset zh_CN.UTF-8
initI18n(){
echo "================更改为中文字符集================="
  \cp /etc/locale.conf  /etc/locale.conf.$(date +%F)
cat >>/etc/locale.conf<<EOF
LANG="zh_CN.UTF-8"
#LANG="en_US.UTF-8"
EOF
source /etc/locale.conf
grep LANG /etc/locale.conf
action "更改字符集zh_CN.UTF-8完成" /bin/true
echo "================================================="
echo ""
  sleep 2
}

#Close Selinux and Iptables
initFirewall(){
echo "============禁用SELINUX及关闭防火墙=============="
  \cp /etc/selinux/config /etc/selinux/config.$(date +%F)
  systemctl stop firewalld
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
  setenforce 0
  systemctl status firewalld
  echo '#grep SELINUX=disabled /etc/selinux/config ' 
  grep SELINUX=disabled /etc/selinux/config 
  echo '#getenforce '
  getenforce 
action "禁用selinux及关闭防火墙完成" /bin/true
echo "================================================="
echo ""
  sleep 2
}

#Init Auto Startup Service
initService(){
echo "===============精简开机自启动===================="
  export LANG="en_US.UTF-8"
  for A in `systemctl list-unit-files | grep enable|awk '{print $1}'`;do systemctl $A off;done
  for B in auditd.service crond.service  irqbalance.service  kdump.service microcode.service rsyslog.service sshd.service  sysstat.service  \
   systemd-readahead-collect.service   multi-user.target remote-fs.target runlevel2.target  NetworkManager.service ;do systemctl enable $B;done
  echo '+--------which services on---------+'
  systemctl list-unit-files | grep enable
  echo '+----------------------------------+'
  export LANG="zh_CN.UTF-8"
action "精简开机自启动完成" /bin/true
echo "================================================="
echo ""
  sleep 2
}

#Removal system and kernel version login before the screen display
initRemoval(){
echo "======去除系统及内核版本登录前的屏幕显示======="
#must use root user run scripts
if    
   [ $UID -ne 0 ];then
   echo This script must use the root user ! ! ! 
   sleep 2
   exit 0
fi
    cp /etc/redhat-release /etc/redhat-release.$(date +%F)
    >/etc/redhat-release
    >/etc/issue
action "去除系统及内核版本登录前的屏幕显示" /bin/true
echo "================================================="
echo ""
  sleep 2
}

#Change sshd default port and prohibit user root remote login.
initSsh(){
echo "========修改ssh默认端口22 & 禁用root远程登录=========="
  \cp /etc/ssh/sshd_config /etc/ssh/sshd_config.$(date +%F)
  sed -i 's/#Port 22/Port 22/g' /etc/ssh/sshd_config
  sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
  sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
  sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
  echo '+-------modify the sshd_config-------+'
  echo 'Port 22'
  echo 'PermitEmptyPasswords no'
  echo 'PermitRootLogin no'
  echo 'UseDNS no'
  echo '+------------------------------------+'
  /etc/init.d/sshd reload && action "修改ssh默认参数完成" /bin/true || action "修改ssh参数失败" /bin/false
echo "================================================="
echo ""
  sleep 2
}

#time sync
syncSysTime(){
echo "================配置时间同步====================="
  \cp /var/spool/cron/root /var/spool/cron/root.$(date +%F) 2>/dev/null
  NTPDATE=`grep ntpdate /var/spool/cron/root 2>/dev/null |wc -l`
  if [ $NTPDATE -eq 0 ];then
    echo "#times sync by lee at $(date +%F)" >>/var/spool/cron/root
    echo "*/5 * * * * /usr/sbin/ntpdate time.windows.com &>/dev/null" >> /var/spool/cron/root
  fi
  echo '#crontab -l'  
  crontab -l
action "配置时间同步完成" /bin/true
echo "================================================="
echo ""
  sleep 2
}

#install tools
initTools(){
    echo "#####安装升级系统补装工具及重要工具升级(选择最小化安装minimal)#####"
    ping -c 2 mirrors.aliyun.com
    sleep 2
    yum install tree nmap sysstat iotop lrzsz dos2unix -y
    sleep 2
    rpm -qa tree nmap sysstat lrzsz dos2unix
    sleep 2
    yum install openssl openssh bash -y
    sleep 2
action "安装升级系统补装工具及重要工具升级(选择最小化安装minimal)" /bin/true
echo "================================================="
echo ""
  sleep 2
}
#add user and give sudoers
addUser(){
echo "===================新建用户======================"
#add user
while true
do  
    read -p "请输入新用户名:" name
    NAME=`awk -F':' '{print $1}' /etc/passwd|grep -wx $name 2>/dev/null|wc -l`
    if [ ${#name} -eq 0 ];then
       echo "用户名不能为空,请重新输入。"
       continue
    elif [ $NAME -eq 1 ];then
       echo "用户名已存在,请重新输入。"
       continue
    fi
useradd $name
break
done
#create password
while true
do
    read -p "为 $name 创建一个密码:" pass1
    if [ ${#pass1} -eq 0 ];then
       echo "密码不能为空,请重新输入。"
       continue
    fi
    read -p "请再次输入密码:" pass2
    if [ "$pass1" != "$pass2" ];then
       echo "两次密码输入不相同,请重新输入。"
       continue
    fi
echo "$pass2" |passwd --stdin $name
break
done
sleep 1


#add visudo
echo "#####add visudo#####"
\cp /etc/sudoers /etc/sudoers.$(date +%F)
SUDO=`grep -w "$name" /etc/sudoers |wc -l`
if [ $SUDO -eq 0 ];then
    echo "$name  ALL=(ALL)       NOPASSWD: ALL" >>/etc/sudoers
    echo '#tail -1 /etc/sudoers'
    grep -w "$name" /etc/sudoers
    sleep 1
fi
action "创建用户$name并将其加入visudo完成"  /bin/true
echo "================================================="
echo ""
sleep 2
}

#Adjust the file descriptor(limits.conf)
initLimits(){
echo "===============加大文件描述符===================="
  LIMIT=`grep nofile /etc/security/limits.conf |grep -v "^#"|wc -l`
  if [ $LIMIT -eq 0 ];then
  \cp /etc/security/limits.conf /etc/security/limits.conf.$(date +%F)
cat >>/etc/security/limits.conf<<EOF
*  soft nofile 2048
*  hard nofile 65535
*  soft nproc  16384
*  hard nproc  16384
EOF
  fi
  echo '#tail -1 /etc/security/limits.conf'
  tail -1 /etc/security/limits.conf
  ulimit -HSn 65535
  echo '#ulimit -n'
  ulimit -n
action "配置文件描述符为65535" /bin/true
echo "================================================="
echo ""
sleep 2
}
#set ssh
initSsh(){
echo "======禁用GSSAPI来认证,也禁用DNS反向解析,加快SSH登陆速度======="
sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
service sshd restart
action "禁用GSSAPI来认证,也禁用DNS反向解析,加快SSH登陆速度" /bin/true
echo "================================================="
echo ""
sleep 2
}

#set the control-alt-delete to guard against the miSUSE
initRestart(){
rm -rf /usr/lib/systemd/system/ctrl-alt-del.target
init q
action "将ctrl alt delete键进行屏蔽,防止误操作的时候服务器重启" /bin/true
echo "================================================="
echo ""
sleep 2
}

#Optimizing the system kernel
initSysctl(){
echo "================优化内核参数====================="
SYSCTL=`grep "net.ipv4.tcp" /etc/sysctl.conf |wc -l`
if [ $SYSCTL -lt 10 ];then
   \cp /etc/sysctl.conf /etc/sysctl.conf.$(date +%F)
cat >>/etc/sysctl.conf<<EOF
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_rmem=4096 87380 4194304
net.ipv4.tcp_wmem=4096 16384 4194304
net.ipv4.tcp_keepalive_time = 600 
net.ipv4.tcp_keepalive_probes = 5 
net.ipv4.tcp_keepalive_intvl = 15 
net.ipv4.route.gc_timeout = 100
net.ipv4.ip_local_port_range = 1024 65000 
net.ipv4.icmp_echo_ignore_broadcasts=1
net.core.somaxconn = 16384 
net.core.netdev_max_backlog = 16384
EOF
fi
sysctl -p
action "内核调优完成" /bin/true
echo "================================================="
echo ""
  sleep 2
}

#setting history and login timeout
initHistory(){
echo "======设置默认历史记录数2000和连接超时时间600======"
echo "TMOUT=600" >>/etc/profile
echo "HISTSIZE=2000" >>/etc/profile
echo "HISTTIMEFORMAT='%Y-%m-%d %H:%M:%S => '" >>/etc/profile
source /etc/profile
action "设置默认历史记录数和连接超时时间" /bin/true
echo "================================================="
echo ""
sleep 2
}

#chattr file system
initChattr(){
echo "======锁定关键文件系统======"
chattr +i /etc/passwd
chattr +i /etc/inittab
chattr +i /etc/group
chattr +i /etc/shadow
chattr +i /etc/gshadow
/bin/mv /usr/bin/chattr /usr/bin/lock
action "锁定关键文件系统" /bin/true
echo "================================================="
echo ""
sleep 2
}
del_file(){
echo "======每天1点定时清理邮件任务======"
[ -f /server/scripts/ ] || mkdir -p /server/scripts/
echo "find /var/spool/postfix/maildrop/ -type f|xargs rm -f" >/server/scripts/del_file.sh
echo "#this is del mail task by hwb at $DATE" >>/var/spool/cron/root
echo "0 1 * * * /bin/bash /server/scripts/del_file.sh &>/dev/null" >>/var/spool/cron/root
echo "================================================="
echo ""
sleep 2
}

hide_info(){
echo "======!!隐藏系统信息!!======"    
echo "======这一项自己衡量吧,或者备份也行======"
Version_information=`cat /etc/redhat-release.$(date +%F)`
>/etc/issue 
>/etc/issue.net
if [ `cat /etc/issue|grep cent|wc -l` -eq 0 -a `cat /etc/issue|grep cent|wc -l` -eq 0 ];then
echo "======清除成功====="
else
>/etc/issue 
>/etc/issue.net
fi
echo "$Version_information"
echo "=====认准本系统版本======"
sleep 10
echo "================================================="
}
grub_md5(){
echo "======grub_md5加密======"
echo "======命令行输入:/sbin/grub-md5-crypt 进行交互式加密======"
echo "把密码写入/etc/grub.conf 格式:password --MD5 密码"
echo ""
sleep 10
}
ban_ping(){
#内网可以ping 其他不能ping 这个由于自己也要ping测试不一定要设置
echo '#内网可以ping 其他不能ping 这个由于自己也要ping测试不一定要设置'
echo 'iptables -t filter -I INPUT -p icmp --icmp-type 8 -i eth0 -s  0.0.0.0/24 -j ACCEPT'
sleep 10
}

#menu2
menu2(){
while true;
do
 clear
cat <<EOF
----------------------------------------
|****Please Enter Your Choice:[0-15]****|
----------------------------------------
(1)  新建一个用户并将其加入visudo
(2)  配置为国内YUM源镜像和保存YUM源文件
(3)  配置中文字符集
(4)  禁用SELINUX及关闭防火墙
(5)  精简开机自启动
(6)  去除系统及内核版本登录前的屏幕显示
(7)  修改ssh默认端口及禁用root远程登录
(8)  设置时间同步
(9)  安装系统补装工具(选择最小化安装minimal)
(10) 加大文件描述符
(11) 禁用GSSAPI来认证,也禁用DNS反向解析,加快SSH登陆速度
(12) 将ctrl alt delete键进行屏蔽,防止误操作的时候服务器重启
(13) 系统内核调优
(14) 设置默认历史记录数和连接超时时间
(15) 锁定关键文件系统
(16) 定时清理邮件任务
(17) 隐藏系统信息
(18) grub_md5加密
(19) ban_ping
(0) 返回上一级菜单

EOF
 read -p "Please enter your Choice[0-15]: " input2
 case "$input2" in
   0)
   clear
   break 
   ;;
   1)
   addUser
   ;;
   2)
   configYum
   ;;
   3)
   initI18n
   ;;
   4)
   initFirewall
   ;;
   5)
   initService
   ;;
   6)
   initRemoval
   ;;
   7)
   initSsh
   ;;
   8)
   syncSysTime
   ;;
   9)
   initTools
   ;;
   10)
   initLimits
   ;;
   11)
   initSsh
   ;;
   12)
   initRestart
   ;;
   13)
   initSysctl
   ;;
   14)
   initHistory
   ;;
   15)
   initChattr
   ;;
   16)
   del_file
   ;;
   17)
   hide_info
   ;;
   18)
   grub_md5
   ;;
   19)
   ban_ping
   ;;
   *) echo "----------------------------------"
      echo "|          Warning!!!            |"
      echo "|   Please Enter Right Choice!   |"
      echo "----------------------------------"
      for i in `seq -w 3 -1 1`
        do 
          echo -ne "\b\b$i";
          sleep 1;
        done
      clear
 esac
done
}
#initTools
#menu
while true;
do
 clear
 echo "========================================"
 echo '          Linux Optimization            '   
 echo "========================================"
cat << EOF
|-----------System Infomation-----------
| DATE       :$DATE
| HOSTNAME   :$HOSTNAME
| USER       :$USER
| IP         :$IPADDR
| DISK_USED  :$DISK_SDA
| CPU_AVERAGE:$cpu_uptime
----------------------------------------
|****Please Enter Your Choice:[1-3]****|
----------------------------------------
(1) 一键优化
(2) 自定义优化
(3) 退出
EOF
 #choice
 read -p "Please enter your choice[0-3]: " input1
 case "$input1" in
 1) 
   addUser
   configYum
   initI18n
   initFirewall
   initService
   initRemoval
   initSsh
   syncSysTime
   initTools
   initLimits
   initSsh
   initRestart
   initSysctl
   initHistory
   initChattr
   ;;
 2)
   menu2
   ;;
 3) 
   clear 
   break
   ;;
 *)   
   echo "----------------------------------"
   echo "|          Warning!!!            |"
   echo "|   Please Enter Right Choice!   |"
   echo "----------------------------------"
   for i in `seq -w 3 -1 1`
       do
         echo -ne "\b\b$i";
         sleep 1;
       done
   clear
 esac  
done
历史上的今天
十月
14
    哇哦~~~,历史上的今天没发表过文章哦
赞(5) 打赏
未经允许不得转载:小柳实验室 » CentOS 7 一键优化脚本
分享到: 更多 (0)

评论 抢沙发

评论前必须登录!

 

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

微信扫一扫打赏