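#!/bin/bash
#
# System initialization (系统初始化) for a CentOS 6-style host: turn SELinux
# off, apply kernel/network tuning, create a service account, set locale and
# timezone, trim shell history, raise ulimits, install a few common packages,
# restrict su, optionally harden sshd and install an iptables rule set, and
# disable boot services that are not needed.
#
# Usage (as root):
#   INIT_USER_PASSWORD=<secret> [ENABLE_SSH_HARDENING=1] [ENABLE_FIREWALL=1] ./init.sh
#
# Environment:
#   INIT_USER_PASSWORD    password for the service account; required, read from
#                         the environment so no credential lives in the script
#   ENABLE_SSH_HARDENING  set to 1 to move sshd to $SSH_PORT and forbid root login
#   ENABLE_FIREWALL       set to 1 to install the iptables rules
#
# The original wrapped the SSH and firewall sections in a stray `>>' ... '`
# redirection, which created a junk file and executed none of those commands;
# both sections are therefore explicit opt-ins here (off by default).
set -euo pipefail

readonly INIT_USER=yht
readonly SSH_PORT=9527
readonly LAN_NET=192.168.0.0/24
readonly SYSCTL_MARK='# init-script kernel tuning'
readonly LIMITS_MARK='# init-script file descriptor limits'

die() { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

#######################################
# Disable SELinux in /etc/selinux/config (takes effect at next boot).
# The original rewrote line 7 by number; matching the key is not layout-dependent.
#######################################
disable_selinux() {
  sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
}

#######################################
# Append kernel/network tuning to /etc/sysctl.conf (once) and apply it.
# The original prefixed every heredoc line with `echo`, so the literal word
# "echo" ended up in sysctl.conf; the heredoc must hold only key = value lines.
# The conntrack keys that the original set twice are listed once, with the
# value that won (the later "firewall" block).
#######################################
tune_kernel() {
  if grep -qF -- "$SYSCTL_MARK" /etc/sysctl.conf; then
    warn "sysctl tuning already present in /etc/sysctl.conf, not appending again"
  else
    cat >> /etc/sysctl.conf <<EOF
$SYSCTL_MARK
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
# NOTE(review): timestamps off disables PAWS, and tcp_tw_recycle below relies on
# timestamps, so the recycle setting presumably has no effect; tcp_tw_recycle
# also breaks clients behind NAT and was removed in Linux 4.12. Kept as in the
# original - reconsider both.
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000
# conntrack sizing: only meaningful when the firewall (conntrack) is in use
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
  fi
  # The original ran `sysctl -p /etc/sysconfig`, which is a directory. Unknown
  # keys (e.g. nf_conntrack.* while the module is not loaded) make sysctl exit
  # non-zero; the remaining keys are still applied, so only warn.
  sysctl -p /etc/sysctl.conf || warn "some sysctl keys could not be applied"
}

#######################################
# Create the service account and set its password from INIT_USER_PASSWORD.
# The original hard-coded the password and created "yht" but ran passwd on
# "wsyht", so the new account never received it.
#######################################
create_user() {
  : "${INIT_USER_PASSWORD:?INIT_USER_PASSWORD must be set (password for ${INIT_USER})}"
  if ! id -u "$INIT_USER" >/dev/null 2>&1; then
    useradd "$INIT_USER"
  fi
  # Pass the secret on stdin, never on the command line (visible in ps/set -x).
  printf '%s\n' "$INIT_USER_PASSWORD" | passwd --stdin "$INIT_USER"
}

#######################################
# Switch the system locale from zh_CN to en_US (CentOS 6 /etc/sysconfig/i18n).
#######################################
configure_locale() {
  if [[ -f /etc/sysconfig/i18n ]]; then
    sed -i 's#zh_CN#en_US#g' /etc/sysconfig/i18n
  else
    warn "/etc/sysconfig/i18n not found, locale left unchanged"
  fi
}

#######################################
# Set KEY to VALUE in sshd_config, replacing any existing line for KEY
# (commented out or not) so the result does not depend on line numbers.
# Arguments: $1 - option name, $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  sed -i "/^#\?${key}[[:space:]]/d" /etc/ssh/sshd_config
  printf '%s %s\n' "$key" "$value" >> /etc/ssh/sshd_config
}

#######################################
# Move sshd to SSH_PORT, forbid root login, skip reverse DNS on login.
# Keep the current session open and confirm a new login on SSH_PORT works
# before disconnecting - a typo here locks you out.
#######################################
harden_ssh() {
  set_sshd_option Port "$SSH_PORT"
  set_sshd_option PermitRootLogin no
  set_sshd_option UseDNS no
  # The original carried a commented-out edit of line 66 (presumably
  # PasswordAuthentication). Enable only once key-based login for INIT_USER is
  # verified: set_sshd_option PasswordAuthentication no
  sshd -t || die "sshd_config failed validation; sshd not restarted"
  service sshd restart
}

#######################################
# Shell history: keep 10 entries and let a leading space exclude a command
# (for commands carrying secrets). Idempotent for the appended line.
#######################################
configure_shell_history() {
  sed -i 's/HISTSIZE=1000/HISTSIZE=10/' /etc/profile
  if ! grep -q '^HISTCONTROL=ignorespace' /etc/profile; then
    echo "HISTCONTROL=ignorespace" >> /etc/profile
  fi
}

#######################################
# Raise open-file and process limits for all users (appended once).
#######################################
configure_limits() {
  if grep -qF -- "$LIMITS_MARK" /etc/security/limits.conf; then
    warn "limits already present in /etc/security/limits.conf, not appending again"
    return 0
  fi
  cat >> /etc/security/limits.conf <<EOF
$LIMITS_MARK
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF
}

#######################################
# Install the commonly used packages the original script pulled in.
#######################################
install_packages() {
  yum -y install unix2dos dos2unix screen tree lrzsz expect telnet tcpdump
}

#######################################
# Default vim settings for the invoking user's ~/.vimrc.
#######################################
configure_vim() {
  local opt
  for opt in "set nu" "set nohlsearch" "set autoindent"; do
    if ! grep -qxF -- "$opt" ~/.vimrc 2>/dev/null; then
      printf '%s\n' "$opt" >> ~/.vimrc
    fi
  done
}

#######################################
# Restrict su to the wheel group by uncommenting the pam_wheel line.
# The original removed the "#" from line 6 by number; on a stock CentOS 6
# /etc/pam.d/su that is presumably the pam_wheel.so line, which is what is
# matched here - confirm on other layouts.
#######################################
restrict_su() {
  sed -i 's/^#[[:space:]]*\(auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid\)/\1/' /etc/pam.d/su
}

#######################################
# Set the timezone to Asia/Shanghai (sysconfig/clock plus /etc/localtime).
#######################################
configure_timezone() {
  if [[ -f /etc/sysconfig/clock ]]; then
    sed -i "s#Etc/UTC#Asia/Shanghai#g" /etc/sysconfig/clock
  fi
  # -f replaces an existing /etc/localtime, so the original's rm -f is not needed.
  ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
}

#######################################
# Install the iptables rule set: allow established traffic, 80/443/SSH_PORT,
# the LAN network, all outbound; drop everything else.
#######################################
configure_firewall() {
  service iptables start
  iptables -F
  # Loopback was missing in the original; with INPUT DROP that breaks local
  # services talking to 127.0.0.1.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp -m multiport --dports "80,443,${SSH_PORT}" -j ACCEPT
  # NOTE(review): -d matches this host's own LAN address, i.e. everything that
  # arrives on the LAN-facing address from any source; if the intent is to trust
  # LAN peers, -s is the right match - confirm before relying on the DROP policy.
  iptables -A INPUT -d "$LAN_NET" -j ACCEPT
  iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -p tcp -m multiport --sports "80,443,${SSH_PORT}" -j ACCEPT
  iptables -A OUTPUT -s "$LAN_NET" -j ACCEPT
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  service iptables save
  service iptables restart
}

#######################################
# Turn off boot services the original considered unnecessary.
# NOTE(review): auditd is in this list; disabling it removes the kernel audit
# trail that incident response depends on - consider keeping it enabled.
#######################################
disable_unneeded_services() {
  local -a services=(acpid auditd cups cpuspeed dnsmasq rpcgssd nfslock mdmonitor
    lvm2-monitor mcelogd abrt-ccpp autofs atd certmonger kdump portreserve jexec
    hypervkvpd blk-availability)
  local svc
  for svc in "${services[@]}"; do
    # chkconfig fails for services that are not installed; that is not an error here.
    chkconfig "$svc" off 2>/dev/null || warn "service ${svc} not found, skipped"
  done
}

main() {
  (( EUID == 0 )) || die "this script must run as root"
  disable_selinux
  tune_kernel
  create_user
  configure_locale
  # yum mirror switch, left commented as in the original:
  #cd /etc/yum.repos.d/ && mkdir other && mv *.repo other
  #wget http://mirrors.163.com/.help/CentOS6-Base-163.repo .
  #yum clean all
  #yum makecache
  if [[ "${ENABLE_SSH_HARDENING:-0}" == 1 ]]; then
    harden_ssh
  fi
  configure_shell_history
  configure_limits
  install_packages
  configure_vim
  restrict_su
  configure_timezone
  # sudo for INIT_USER, left commented as in the original; a drop-in file is
  # safer than inserting at line 98 of /etc/sudoers:
  #printf '%s ALL=(ALL) ALL\n' "$INIT_USER" > "/etc/sudoers.d/${INIT_USER}" && chmod 0440 "/etc/sudoers.d/${INIT_USER}"
  if [[ "${ENABLE_FIREWALL:-0}" == 1 ]]; then
    configure_firewall
  fi
  disable_unneeded_services
  # The SELinux change needs a reboot; left commented as in the original.
  #shutdown -r now
}

main "$@"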