# 国内服务器,需换repo源
# 备份: mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
# 下载: wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
# 生成缓存: yum makecache
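# init.sh
# Bootstrap: fetch the init script and run it. The download is served as
# init.tar but is a plain shell script, so it is renamed before execution.
# INIT_SHA256 (optional): when set, the downloaded file must have this
# SHA-256 digest or it is deleted instead of run; when unset the original
# unverified behaviour is kept.
wget https://abc.htmltoo.com/tools/shell/init.tar || exit 1
mv init.tar init.sh || exit 1
if [ -n "${INIT_SHA256:-}" ]; then
  # sha256sum prints "<digest>  <file>"; only the digest column is compared.
  if [ "$(sha256sum init.sh | awk '{print $1}')" != "$INIT_SHA256" ]; then
    echo "init.sh: SHA-256 mismatch, refusing to run it" >&2
    rm -f init.sh
    exit 1
  fi
fi
# 0700 is all that is needed to execute one file; the original used
# chmod -R 777. The script is removed only after it ran, as before.
chmod 0700 init.sh && sh ./init.sh && rm -f init.sh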
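#!/bin/sh
#---------------------------------------#
# description: CentOS 7 system tuning and hardening script #
# author: 13850000249 #
# email: 522588122@qq.com #
#---------------------------------------#
# Disable SELinux and the host firewall.
# getenforce: shows the current SELinux mode.
# NOTE(review): with both off, the host depends on network-edge filtering
# for any port exposure; keep that in mind when sshd is moved to a
# non-default port later in this script.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
systemctl stop iptables.service
# firewalld: stop, disable and mask so nothing pulls it back in
# (the original stopped it twice; once is enough).
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl mask firewalld
systemctl daemon-reload
# Stop rpcbind and keep it from starting at boot.
systemctl stop rpcbind.socket
systemctl stop rpcbind
systemctl disable rpcbind.socket
systemctl disable rpcbind
# Disable and stop systemd-resolved.
systemctl disable systemd-resolved.service
systemctl stop systemd-resolved
# Disable the Ctrl-Alt-Del reboot.
# The original deleted /usr/lib/systemd/system/ctrl-alt-del.target with
# rm -rf and then contained a stray line "or" (executed as a command it
# only fails with "command not found"). The unit file is owned by the
# systemd package and would be restored by a package update; masking is
# the persistent way to disable it, so only the mask is kept.
systemctl mask ctrl-alt-del.target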
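# Shell session timeout (1 minute). Guarded so a re-run does not append a
# second line; a later section of this script writes TMOUT as well.
grep -q 'TMOUT=60' /etc/profile || echo "export TMOUT=60" >>/etc/profile
# Create the admin group and user (skipped when they already exist, so a
# re-run does not fail half-way).
getent group admin >/dev/null || groupadd admin
id admin >/dev/null 2>&1 || useradd admin -g admin
# Initial password for admin.
# The original embedded the password in plain text in this script (and in
# a comment); it is now taken from the ADMIN_PASSWORD environment variable
# so it is neither committed nor recorded in /root/.bash_history with the
# command line. passwd --stdin reads it from stdin, not argv, so it does
# not appear in `ps` output either.
: "${ADMIN_PASSWORD:?set ADMIN_PASSWORD (initial password for admin) before running}"
printf '%s\n' "$ADMIN_PASSWORD" | passwd --stdin admin
# Make the home directory and everything in it owned by admin.
chown -R admin:admin /home/admin
# Passwordless sudo for admin. The line is appended only once and the
# result is syntax-checked: a malformed /etc/sudoers disables sudo for
# every user.
#echo 'admin ALL=(ALL) ALL' >> /etc/sudoers
grep -q '^admin ALL=(ALL) NOPASSWD:ALL' /etc/sudoers || echo 'admin ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
visudo -cf /etc/sudoers >/dev/null || echo "warning: /etc/sudoers failed validation (visudo -c)" >&2
# Disallow root login over SSH.
sed -i 's/.*PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config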
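# Hostname derived from the primary IPv4 address.
# OS major version and RAM in GB (e.g. 8 ; 8G). Both are computed but not
# read anywhere else in this script; kept for parity with the original.
CHECK_CENTOS=$( sed -r 's/.* ([0-9]+)\..*/\1/' /etc/redhat-release )
CHECK_RAM=$( awk '/MemTotal/ {printf("%.0f", $2/1000000)}' /proc/meminfo )
# First IPv4 address that is neither loopback nor the docker bridge
# default (172.17.0.1). The original collected every address and then
# word-split the list, which on a host with more than one interface
# produced a name like "1-100 10"; head -n1 keeps the first address only.
# `ip` (iproute) is used because net-tools, which provides ifconfig, is
# only installed further down in this script.
intranet_ip=$( ip -4 -o addr show 2>/dev/null | awk '{print $4}' | sed 's#/.*##' \
  | grep -v '^127\.' | grep -v '^172\.17\.0\.1$' | head -n1 )
if [ -z "$intranet_ip" ]; then
  echo "warning: no IPv4 address found; hostname left unchanged" >&2
else
  host_name=$( printf '%s\n' "$intranet_ip" | awk -F'.' '{print $3"-"$4}' ) # format: 1-100
  #host_name=`grep $intranet_ip /root/host_name.txt|awk '{print $2}'` # look the name up in a file, 2nd field, e.g. master
  printf '%s\n' "$host_name" > /etc/hostname
  # Replace an existing HOSTNAME= entry instead of appending a second one.
  if grep -q '^HOSTNAME=' /etc/sysconfig/network; then
    sed -i "s/^HOSTNAME=.*/HOSTNAME=$host_name/" /etc/sysconfig/network
  else
    echo "HOSTNAME=$host_name" >> /etc/sysconfig/network
  fi
  hostnamectl set-hostname "$host_name"
fi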
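# Base packages. 'telnet.*' is quoted so the shell cannot expand it against
# files in the current directory; yum resolves the pattern itself.
yum -y install --skip-broken epel-release axel yum-axelget vim net-tools bzip2 lrzsz unzip zip wget ftp ntpdate lsof screen curl psmisc telnet-server 'telnet.*' vim-enhanced xz iftop sysstat dstat htop iotop lrzsz lftp bash-completion python-simplejson libselinux-python smartmontools automake autoconf libtool
yum -y install gcc gcc-c++ make kernel-headers python
yum -y install gettext-devel openssl-devel perl-CPAN perl-devel zlib-devel libcurl-devel expat-devel
# git 2.x on CentOS 7 from the IUS repository.
# The IUS setup script is downloaded to a temporary file and run from
# there rather than piped straight into sh: a truncated or failed download
# (curl -f turns HTTP errors into a non-zero exit) is then not executed
# part-way, and the file can be inspected. The original also chained the
# two yum calls with '|', which started them concurrently; they are
# sequenced here.
ius_setup=$(mktemp) || exit 1
if curl -fsSL https://setup.ius.io -o "$ius_setup"; then
  sh "$ius_setup"
else
  echo "warning: could not download the IUS setup script; git2u will not be installable" >&2
fi
rm -f -- "$ius_setup"
yum remove -y git
yum -y install git2u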
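# Kernel tuning. The block is appended only when its first key is absent,
# so re-running the script does not duplicate all of it in sysctl.conf.
# The only content change is net.ipv4.ip_forward: the original carried an
# inline comment after the value ("1 #0-关闭"); sysctl only treats whole
# lines starting with # as comments, so the trailing text was part of the
# value and may have made sysctl -p report an error for that key.
# NOTE(review): net.ipv4.ip_forward = 1 makes the host forward packets
# (needed for docker bridging, not for a plain application server), and
# kernel.randomize_va_space=1 lowers ASLR from the distribution default of
# 2 (heap/brk no longer randomised) — confirm both are intended.
if ! grep -qF 'net.ipv4.tcp_mem = 768432 2097152 15242880' /etc/sysctl.conf; then
  cat >> /etc/sysctl.conf<<'EOF'
net.ipv4.tcp_mem = 768432 2097152 15242880
net.ipv4.tcp_wmem = 40960 163840 4194304
net.ipv4.tcp_rmem = 40960 873800 4194304
#net.core.somaxconn=6553600
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 524288000
net.core.wmem_max = 524288000
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=81920
net.ipv4.tcp_timestamps=0
# 参数的值决定了内核放弃链接之前发送SYN+ACK包的数量,该参数对应系统路径为:/proc/sys/net/ipv4/tcp_synack_retries,默认是2
net.ipv4.tcp_synack_retries=3
# 表示内核放弃建立链接之前发送SYN包的数量,该参数对应系统路径为:/proc/sys/net/ipv4/tcp_syn_retries,默认是6
net.ipv4.tcp_syn_retries=3
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 20000 65000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.route.max_size = 5242880
kernel.sem=250 65536 100 2048
kernel.msgmnb = 4203520
kernel.msgmni = 64
kernel.msgmax = 65535
# 设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_no_metrics_save=1
# 开启SYN洪水攻击保护
kernel.core_uses_pid = 1
net.ipv4.conf.lo.arp_announce=2
net.ipv4.tcp_sack = 1
kernel.randomize_va_space=1
# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts=1
# 关闭ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1
# 开启路由转发
# 0-关闭
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# 开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# 处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# 关闭sysrq功能
kernel.sysrq = 0
# 每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 262144
# 限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800
# 确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
vm.swappiness = 0
# 决定检查过期多久邻居条目
net.ipv4.neigh.default.gc_stale_time=120
fs.file-max = 40000500
fs.nr_open = 40000500
kernel.perf_cpu_time_max_percent=60
kernel.perf_event_max_sample_rate=6250
kernel.sched_migration_cost_ns=5000000
net.core.optmem_max= 25165824
vm.max_map_count=655360
net.core.somaxconn = 65535
# 使用arp_announce / arp_ignore解决ARP映射问题
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.ip_nonlocal_bind=1
EOF
fi
sysctl -p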
# Raise the open-file and process limits and shrink the default stack
# limit for all users (limits.conf). The block is appended only when its
# first entry is not already present.
if ! grep -q '* soft nofile 60000' /etc/security/limits.conf; then
  cat >> /etc/security/limits.conf << 'EOF'
########################################
* soft nofile 60000
* hard nofile 65536
* soft nproc 2048
* hard nproc 16384
* soft stack 10240
* hard stack 32768
EOF
fi
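# SSH idle timeout.
# ClientAliveInterval: seconds between server-side keepalive probes sent to
# check that the client is still there.
# ClientAliveCountMax: number of unanswered probes tolerated before sshd
# terminates the session. With Interval 15 and CountMax 3 an unresponsive
# client is dropped after 45 seconds.
# NOTE(review): CountMax 0, as set here, drops the client on the first
# unanswered probe on OpenSSH 7.x (the CentOS 7 release); on OpenSSH 8.2
# and later the value 0 instead disables termination entirely — use 1 or
# more if this script is reused on a newer release.
grep ClientAliveInterval /etc/ssh/sshd_config
grep ClientAliveCountMax /etc/ssh/sshd_config
sed -i "s/#ClientAliveInterval 0/ClientAliveInterval 360/g" /etc/ssh/sshd_config
sed -i "s/#ClientAliveCountMax 3/ClientAliveCountMax 0/g" /etc/ssh/sshd_config
# Login timeout. Added only when no TMOUT line exists yet: an earlier
# section of this script already writes TMOUT=60, and the original
# appended a second copy here on every run.
# cat /etc/profile | egrep -v ^\s*# | grep -i TMOUT # check
grep -q 'TMOUT=' /etc/profile || printf '\nTMOUT=60\n' >> /etc/profile
# Disable core dumps for all users. printf replaces echo -e (not portable
# under #!/bin/sh) and each entry is appended only once.
grep -qF '* soft core 0' /etc/security/limits.conf || printf '\n* soft core 0\n' >> /etc/security/limits.conf
grep -qF '* hard core 0' /etc/security/limits.conf || printf '\n* hard core 0\n' >> /etc/security/limits.conf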
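# Password ageing (login.defs).
#PASS_MAX_DAYS  maximum password lifetime: recommended 90
#PASS_MIN_DAYS  minimum days between two changes: recommended 10
#PASS_WARN_AGE  days of warning before expiry: recommended 7
# sed's 'c' command only rewrites a line that exists; when the key is
# missing from login.defs the setting is appended so it still takes
# effect. PASS_WARN_AGE was described above in the original but never set.
set_login_def() {
  # $1: key, $2: value
  if grep -q "^$1" /etc/login.defs; then
    sed -i "/^$1/c$1 $2" /etc/login.defs
  else
    echo "$1 $2" >> /etc/login.defs
  fi
}
set_login_def PASS_MAX_DAYS 90
set_login_def PASS_MIN_DAYS 10
set_login_def PASS_WARN_AGE 7
# Password complexity (pwquality.conf).
#minlen = 8   at least 8 characters
#dcredit = -1 at least one digit
#ucredit = -1 at least one upper-case letter
#ocredit = -1 at least one special character
#lcredit = -1 at least one lower-case letter
#N<0: see man pwquality.conf for the meaning
# Appended only once; the original re-appended the block on every run.
if ! grep -q '^minlen = 8' /etc/security/pwquality.conf; then
  cat >>/etc/security/pwquality.conf << 'EOF'
minlen = 8
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
EOF
fi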
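# Remove unneeded accounts.
# Audit one-liner (kept from the original): system accounts that still
# have a login shell.
#egrep "^(adm|lp|sync|halt|news|nfsnobody|mail|uucp|operator|games|gopher|ftp|nobody|nobody4|noaccess|listen|webservd|rpm|dbus|avahi|mailnull|smmsp|nscd|vcsa|rpc|rpcuser|nfs|sshd|pcap|ntp|haldaemon|distcache|apache|webalizer|squid|xfs|gdm|sabayon|named):" /etc/passwd 2>/dev/null|awk -F':' '($7 != "/bin/false" && $7 != "/sbin/nologin") {print $1":"$7}'
userdel sync
userdel halt
# Accounts whose password field in /etc/shadow is empty.
# The original listed them and then ran `passwd -d usr`, which *deletes*
# the password of an account literally named "usr" — that creates a
# passwordless account rather than removing one. Each account found is
# now locked (passwd -l), which keeps the account but blocks password
# login until an administrator sets a password.
awk -F: 'length($2)==0 {print $1}' /etc/shadow | while IFS= read -r empty_user; do
  echo "locking account with empty password: $empty_user" >&2
  passwd -l "$empty_user"
done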
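# Disable IPv6 (the sysctl keys are in the kernel tuning section above).
grep -q '^NETWORKING_IPV6=no' /etc/sysconfig/network || cat >> /etc/sysconfig/network<<'EOF'
NETWORKING_IPV6=no
EOF
# Interface names are not fixed (the original only edited ifcfg-eth0, as
# its own comment noted), and ifcfg files commonly carry IPV6INIT=yes
# without quotes, which the original pattern IPV6INIT="yes" did not match.
# Every ifcfg-* file is rewritten with a pattern that matches both forms.
for ifcfg in /etc/sysconfig/network-scripts/ifcfg-*; do
  [ -f "$ifcfg" ] || continue
  sed -i 's/^IPV6INIT=.*/IPV6INIT=no/' "$ifcfg"
done
systemctl disable ip6tables.service
sysctl -p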
# Per-shell limits (open files, processes, stack) plus two interactive
# conveniences, written to /etc/profile once.
if ! grep -q 'ulimit -Sn 60000' /etc/profile; then
  cat >> /etc/profile << 'EOF'
########################################
ulimit -Sn 60000
ulimit -Hn 65536
ulimit -Su 2048
ulimit -Hu 16384
ulimit -Ss 10240
ulimit -Hs 32768
alias grep='grep --color=auto'
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "
EOF
fi
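# Chinese locale and fonts.
yum -y groupinstall "fonts"
yum -y install kde-l10n-Chinese glibc-common
# The export only affects the remainder of this script; /etc/locale.conf
# is what later logins read.
localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 && export LC_ALL=zh_CN.UTF-8
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
# Timezone, then sync the clock and write it to the hardware clock.
# hwclock -w and hwclock --systohc are the same operation; the original
# ran both.
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
ntpdate time.windows.com && hwclock --systohc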
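# SSH hardening.
# NOTE(review): SELinux and the firewall are turned off at the top of this
# script, so the non-default port needs no port label or firewall rule
# here; if either is re-enabled later, port 55555 must be allowed first
# or the next login is locked out.
sed -i 's/.*#Port 22/Port 55555/' /etc/ssh/sshd_config
# The original rewrote the PermitEmptyPasswords line into a second
# GSSAPIAuthentication entry, leaving PermitEmptyPasswords unset; the
# intended key is now written explicitly.
sed -i 's/.*#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sed -i 's/.*UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
sed -i 's/.*GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config
# MaxAuthTries 10 is above the OpenSSH default of 6; the pam_faillock
# lines written later in this script are what actually limit guessing.
sed -i 's/^#MaxAuthTries.*$/MaxAuthTries 10/' /etc/ssh/sshd_config
sed -i 's/^#LoginGraceTime.*$/LoginGraceTime 60/' /etc/ssh/sshd_config
sed -i 's/^#PubkeyAuthentication.*$/PubkeyAuthentication yes/' /etc/ssh/sshd_config
sed -i "s/X11Forwarding yes/X11Forwarding no/g" /etc/ssh/sshd_config
sed -i "s/#Banner none/Banner \/etc\/issue.net/g" /etc/ssh/sshd_config
echo "Authorized users only. All activity may be monitored and reported.">/etc/issue.net
# Validate the edited configuration before the script goes on to reboot:
# a syntax error here would leave sshd unable to start after the reboot,
# with no other way in.
if ! /usr/sbin/sshd -t; then
  echo "sshd_config failed validation (sshd -t); fix it before rebooting" >&2
  exit 1
fi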
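# PAM stacks for system-auth and password-auth. The two files receive the
# same content, so one helper writes both (the original duplicated the
# 26 lines). As written, the stack locks an account for 300 s after 3
# failed attempts (pam_faillock deny=3 unlock_time=300), delays each
# failure by 2 s (pam_faildelay delay=2000000 µs) and applies the
# pwquality.conf policy to password changes.
# NOTE(review): 'nullok' on pam_unix still lets an account with an empty
# password authenticate; remove it if that is not wanted.
# NOTE(review): on CentOS 7 these files are usually symlinks to the
# authconfig-managed *-ac files; the backup step moves the symlink aside
# and a regular file takes its place, so a later authconfig run will not
# touch it — confirm that is intended.
install_pam_stack() {
  # $1: path of the PAM file to write; "<path>_bak" is created on the
  # first run only. The content is written to a temporary file and moved
  # into place so the path is never without a file in between (the
  # original's mv-then-cat left no PAM stack if it failed half-way).
  pam_file=$1
  pam_tmp="${pam_file}.tmp.$$"
  cat > "$pam_tmp" << 'EOF'
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=300
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
account required pam_faillock.so
password requisite pam_pwquality.so try_first_pass local_users_only
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
EOF
  [ -e "${pam_file}_bak" ] || /bin/mv "$pam_file" "${pam_file}_bak"
  /bin/mv "$pam_tmp" "$pam_file"
}
install_pam_stack /etc/pam.d/system-auth
install_pam_stack /etc/pam.d/password-auth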
# DNS: point the resolver at Google's public servers.
# NOTE(review): NetworkManager may regenerate resolv.conf on the next
# network restart unless DNS is set in the connection profile — verify
# after reboot.
printf 'nameserver 8.8.8.8\nnameserver 8.8.4.4\n' > /etc/resolv.conf
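# Update all packages.
yum check-update
yum update -y
yum clean all
# Latest mainline kernel from ELRepo. The repository key is imported first
# so the release package and the kernel are signature-checked.
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum -y --enablerepo=elrepo-kernel install kernel-ml
# Boot the new kernel by default and reboot. Entry 0 is the newest kernel
# only when GRUB lists kernels newest-first (typically the case on
# CentOS 7); check `grub2-editenv list` if another entry is selected.
grub2-set-default 0
# The page showed `reboot# docker.sh` on one line — the next script's
# header fused onto this one. `reboot#` is not the reboot command, so the
# two are separated again.
reboot
# docker.sh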
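groupadd docker
usermod -aG docker admin
# Passwordless sudo for admin, appended only once (init.sh may already have
# added the same line) and syntax-checked, since a malformed /etc/sudoers
# disables sudo for everyone.
grep -q '^admin ALL=(ALL) NOPASSWD:ALL' /etc/sudoers || echo 'admin ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
visudo -cf /etc/sudoers >/dev/null || echo "warning: /etc/sudoers failed validation (visudo -c)" >&2
# Network yum repositories.
yum -y install epel-release
yum clean all
# Dependencies.
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --enable extras
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# Install Docker.
yum -y install docker-ce
# daemon.json must be one JSON document. The original appended (>>), which
# yields an unparsable file on a second run or when a daemon.json already
# exists; the file is now written whole.
# NOTE(review): "insecure-registries" makes the daemon accept plain HTTP or
# an unverifiable certificate from hub.htmltoo.com:5000, so images pulled
# from it are not protected in transit; a registry with a trusted
# certificate is preferable.
mkdir -p /etc/docker
cat > /etc/docker/daemon.json<<'EOF'
{
"max-concurrent-downloads": 5,
"max-concurrent-uploads": 3,
"insecure-registries":["hub.htmltoo.com:5000"],
"storage-driver": "overlay2",
"log-driver": "json-file",
"log-opts": {
"max-size": "50m",
"max-file": "3"
}
}
EOF
systemctl daemon-reload
systemctl enable docker
# restart rather than start+restart: it also starts a stopped daemon and
# makes a running one re-read daemon.json.
systemctl restart docker
# Ansible-docker.sh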
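# (The page collapsed this script onto a single line; it is restored one
# command per line, as docker.sh above minus the daemon.json step.)
groupadd docker
usermod -aG docker admin
# Passwordless sudo for admin, appended only once and syntax-checked.
grep -q '^admin ALL=(ALL) NOPASSWD:ALL' /etc/sudoers || echo 'admin ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
visudo -cf /etc/sudoers >/dev/null || echo "warning: /etc/sudoers failed validation (visudo -c)" >&2
# Network yum repositories.
yum -y install epel-release
yum clean all
# Dependencies.
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --enable extras
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# Install Docker.
yum -y install docker-ce
mkdir -p /etc/docker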
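# kernel.sh
# (The page collapsed this script onto one line; restored one command per
# line.)
# Enable BBR congestion control. Each key is appended only once. BBR needs
# a 4.9+ kernel (the kernel-ml installed by init.sh); on an older running
# kernel sysctl -p reports an error for tcp_congestion_control, so run this
# after rebooting into the new kernel.
grep -q '^net.core.default_qdisc=fq' /etc/sysctl.conf || echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
grep -q '^net.ipv4.tcp_congestion_control=bbr' /etc/sysctl.conf || echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p
# List installed kernels.
rpm -qa | grep kernel
# Remove old kernels. The original ran `yum -y remove ....` with the
# literal placeholder "....", which can only fail; fill in the package
# names from the listing above before running it.
# yum -y remove <old-kernel-packages>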
# 主机信息列表
[root@master scripts]# cat host_name.txt
192.168.1.100 master
192.168.1.233 d-hd-public-public_service-01
192.168.1.234 d-hd-public-zipkin-01
192.168.1.235 d-hd-public-public_service-02
192.168.1.236 d-hd-public-zookeeper-01
192.168.1.237 d-hd-public-fms-01
192.168.1.238 d-hd-public-fmsfinance-01
192.168.1.239 d-hd-public-edi-01
192.168.1.240 d-hd-public-OA-01
192.168.1.241 d-hd-public-fms_crm-01
192.168.1.242 d-hd-public-fmsinance_air-01
192.168.1.243 d-hd-public-jenkins-01
192.168.1.244 d-hd-public-iboss-01
192.168.1.245 d-hd-public-nginx-01
192.168.1.246 d-hd-public-oracle-01
192.168.1.247 d-hd-public-oracle-01