Learning shell through script case studies (4)
--- Initializing and hardening a freshly installed Linux system with a script
Copyright notice:
This article is released under the "Attribution-NonCommercial-ShareAlike 2.5 China Mainland" license.
You are free to copy, distribute, display, perform, screen, broadcast or transmit this work over information networks.
You may create derivative works based on this work.
You must attribute the work in the manner specified by the author or licensor.
You may not use this work for commercial purposes.
If you alter, transform or build upon this work, you may distribute the resulting work only under a license identical to this one.
For any reuse or distribution, you must make the license terms of this work clear to others.
Any of these conditions can be waived if you obtain permission from the copyright holder.
Designed by 小诺 (www.rsyslog.org dreamfire.blog.51cto.com)
Lately I have been doing unattended installs of RHEL 6.3, but after every install there is a long list of initialization work to do. That got tedious, so I wrote a simple script that saves a lot of effort. I am still a junior compared with the real experts, so please offer your suggestions!
The script was written for and run on RHEL 6.3; with small changes it also suits other Linux distributions. Note that the first half of the script is tuned to my own environment, so adjust it to yours.
Below is a brief walkthrough of the Linux system initialization script:
```bash
#!/bin/bash
echo "New system configuration"
sleep 1
echo "Environment RHEL6.3"
sleep 1
echo "The kernel version configuration!"
sleep 1
echo "Designed by www.rsyslog.org http://dreamfire.blog.51cto.com"
sleep 1

# A function that keeps prompting until a non-empty value is entered (pressing Enter on an
# empty value simply asks again; see also http://dreamfire.blog.51cto.com/418026/1152672).
input_fun()
{
    OUTPUT_VAR=$1
    INPUT_VAR=""
    while [ -z "$INPUT_VAR" ]; do     # quoted: an unquoted empty value leaves "[ -z ]", which only works by accident
        read -p "$OUTPUT_VAR" INPUT_VAR
    done
    echo $INPUT_VAR
}

# Network parameter function: read each setting interactively.
input_again()
{
    MYHOSTNAME=$( input_fun "Please input the hostname: ")
    DOMAINNAME=$( input_fun "Please input the domainname(rsyslog.org): ")
    CARD_TYPE=$( input_fun "Please input card type(eth0): ")
    IPADDR=$( input_fun "Please input ipaddress(192.168.100.1): ")
    NETMASK=$( input_fun "Please input netmask(255.255.255.0): ")
    GATEWAY=$( input_fun "Please input gateway(192.168.100.1): ")
    MYDNS1=$( input_fun "Please input DNS1(192.168.100.102): ")
    MYDNS2=$( input_fun "Please input DNS2(192.168.100.103): ")
}

# If you do not want to run the script, answer n to quit.
BEGIN_INIT=$( input_fun "Whether you initialize the Linux operating system(YES/NO): ")
if [ "$BEGIN_INIT" = "NO" ] || [ "$BEGIN_INIT" = "no" ] || [ "$BEGIN_INIT" = "N" ] || [ "$BEGIN_INIT" = "n" ]; then
    kill -9 $$      # $$ is the PID of this script itself, so this terminates the script
elif [ "$BEGIN_INIT" = "YES" ] || [ "$BEGIN_INIT" = "yes" ] || [ "$BEGIN_INIT" = "y" ] || [ "$BEGIN_INIT" = "Y" ]; then
    echo "The script is begin....."
else
    kill -9 $$
fi

input_again

# A second chance to re-enter everything in case of a typo.
# (The original tested "YES" twice here and therefore never matched a lower-case "yes".)
BEGIN_INIT=$( input_fun "If you need input again[YES/NO]: ")
if [ "$BEGIN_INIT" = "YES" ] || [ "$BEGIN_INIT" = "yes" ] || [ "$BEGIN_INIT" = "Y" ] || [ "$BEGIN_INIT" = "y" ]; then
    input_again
fi

# Read the MAC address of the interface (field 5 of ifconfig's "HWaddr" line).
MAC=`ifconfig $CARD_TYPE | grep "HWaddr" | awk -F'[ ]+' '{print $5}'`

# Write the network file: enable networking and set the hostname.
cat >/etc/sysconfig/network << ENDF
NETWORKING=yes
HOSTNAME=$MYHOSTNAME
ENDF
echo "Configure the HOSTNAME................................ OK !"
sleep 1
##########################
# Configure the NIC (static addressing only; not suitable for DHCP).
cat >/etc/sysconfig/network-scripts/ifcfg-$CARD_TYPE <<endf
DEVICE=$CARD_TYPE
BOOTPROTO=none
HWADDR=$MAC
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
DNS2=$MYDNS2
DNS1=$MYDNS1
IPV6INIT=no
USERCTL=no
IPADDR=$IPADDR
NETMASK=$NETMASK
GATEWAY=$GATEWAY
endf
/etc/rc.d/init.d/network restart
# Keep the network service enabled at boot. The original line read
# "chkconfig --level 35 network off", which would have disabled networking on the next reboot.
chkconfig --level 35 network on
echo "Configure the $CARD_TYPE............................OK!"
sleep 1
###########################
# Write the local hosts file. The localhost entry is kept so that anything resolving
# "localhost" still works (the original overwrote the file without it).
cat >/etc/hosts <<endf
127.0.0.1   localhost localhost.localdomain
127.0.0.1   $MYHOSTNAME $MYHOSTNAME.$DOMAINNAME
$IPADDR     $MYHOSTNAME $MYHOSTNAME.$DOMAINNAME
endf
echo "Configure the hosts.............................. OK !"
sleep 1
###############################
# Configure DNS.
cat >/etc/resolv.conf <<endf
domain $DOMAINNAME
search $DOMAINNAME
nameserver $MYDNS1
nameserver $MYDNS2
endf
echo "Configure the resolv.conf......................OK!"
sleep 1
###############################
# Mount the installation DVD at /media/cdrom in preparation for the yum repository.
# If the disc is already mounted elsewhere, unmount it first. (The original only mounted the
# disc when it was already mounted and did nothing in the other case.)
if mount | grep dev/sr0 >/dev/null; then
    umount `mount | grep dev/sr0 | awk '{print $3}'`
fi
[ ! -d /media/cdrom ] && mkdir /media/cdrom
mount /dev/sr0 /media/cdrom
echo "mount the iso of system................OK!"
sleep 1
#################################
# Configure the yum repository (back up the shipped file first).
cp -p /etc/yum.repos.d/rhel-source.repo{,.bak}
# gpgcheck=0 turns package signature verification off. The DVD carries the vendor key, so
# signature checking can be kept with:
#   gpgcheck=1
#   gpgkey=file:///media/cdrom/RPM-GPG-KEY-redhat-release
cat >/etc/yum.repos.d/rhel-source.repo <<endf
[rhel-source-beta]
name=RHEL6U3-ISO
baseurl=file:///media/cdrom
enabled=1
gpgcheck=0
endf
echo "Configure YUM.........................OK!"
#####################################
yum clean all && yum makecache
# Install the tools the system needs for later maintenance and testing.
# ("Tcl/Tk" in the original is not a package name; the packages are tcl and tk.)
yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel \
    libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel zip unzip \
    ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5-devel libidn libidn-devel \
    openssl openssh openssl-devel nss_ldap openldap openldap-devel openldap-clients openldap-servers \
    libxslt-devel libevent-devel ntp libtool-ltdl bison libtool vim-enhanced python wget lsof iptraf \
    strace lrzsz kernel-devel kernel-headers pam-devel tcl tk cmake setuptool
echo "Install the system view command......................OK!"
#########################################
# Boot into runlevel 3.
sed -i 's/id:.*$/id:3:initdefault:/g' /etc/inittab
# Disable IPv6: it is the future, but it is not used here. RHEL 6 reads /etc/modprobe.d/*.conf
# rather than /etc/modprobe.conf (which the original appended to), so the aliases go there.
cat >/etc/modprobe.d/disable-ipv6.conf <<endf
alias net-pf-10 off
alias ipv6 off
endf
/sbin/chkconfig --level 35 ip6tables off
# Disable SELinux; it can be turned back on later if needed.
# (The original sed expression was missing its closing "/" and failed with a syntax error,
# leaving SELinux enforcing.)
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/sysconfig/selinux
# Speed up ssh logins: no GSSAPI negotiation and no reverse DNS lookup of the client.
sed -i -e 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' -e 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
echo "Stop iptables and set selinux=disable,If you need,please open them!,Optimization to speed up access to ssh,init 3"
#########################################
# Lock the system accounts that never need to log in.
for U in news nscd dbus vcsa games nobody avahi haldaemon gopher ftp mailnull pcap mail \
         shutdown halt uucp operator sync adm lp; do
    passwd -l $U
done
echo "Lock useless users.......................OK"
sleep 1
############################
# Log idle shells out after 30 minutes (adjust to taste).
echo "TMOUT=1800" >>/etc/profile
# Raise the maximum number of open files per process.
echo "* soft nofile 66666" >> /etc/security/limits.conf
echo "* hard nofile 66666" >> /etc/security/limits.conf
echo "30 minutes of inactivity, automatic exit && To modify the system to open the maximum number of files.....OK"
sleep 1
###############################
# Kernel parameter tuning. Caveat: tcp_tw_recycle breaks connections from clients that sit
# behind a NAT (many clients sharing one source address); leave it at 0 on any host that
# serves such clients.
cat >> /etc/sysctl.conf << endf
#michaelkang add 120724
net.ipv4.tcp_abort_on_overflow = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_retries1 = 2
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_max_orphans = 2000
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
endf
sysctl -p
echo "Adjust the kernel parameters!......................OK!"
sleep 1
#############################################
# Disable services the system does not need. In /etc/rc3.d the links starting with S are
# services started at boot and those starting with K are not, so only the S links are examined.
for I in `ls /etc/rc3.d/S*`; do
    # Extract the service name: "/etc/rc3.d/S" is 12 characters plus a two-digit priority,
    # so the name starts at character 15.
    STOP_SRV=`echo $I | cut -c 15-`
    echo $STOP_SRV
    case $STOP_SRV in
        local | cpuspeed | crond | irqbalance | microcode_ctl | xinetd | network | mon | partmon | messagebus | udev-post | sshd | rsyslog | syslog )
            echo "Base services, Skip!"
            ;;
        *)
            echo "change $STOP_SRV to off"
            chkconfig --level 235 $STOP_SRV off
            service $STOP_SRV stop
            ;;
    esac
done
echo "Close useless services.........................ok"
sleep 1
##############################################
# Make the account database files immutable so they cannot be modified or re-created.
# useradd, passwd and friends will fail until "chattr -i" is run on these files.
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
# root's command history may only be appended to, never truncated or rewritten.
chattr +a /root/.bash_history
# Let the history command show only the last 10 commands.
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
echo "The passwd shadow group gshadow is locked,if you use them,please use chattr -i!..............ok"
sleep 1
##############################################
# Allow ssh logins only from the given subnet (TCP wrappers: hosts.allow wins over hosts.deny).
cat >> /etc/hosts.allow << ENDF
sshd:192.168.100.0/255.255.255.0
ENDF
echo 'sshd:all' >>/etc/hosts.deny
echo "Allowed 192.168.100.0 to use ssh................ok "
############################################
# Default maximum password age and minimum password length for newly created users.
sed -i -e "s/PASS_MAX_DAYS.*$/PASS_MAX_DAYS 90/" -e "s/PASS_MIN_LEN.*$/PASS_MIN_LEN 8/" /etc/login.defs
echo "###################The script is stop!!####################"
```
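input_fun only rejects an empty answer, so a mistyped address such as 192.168.100.256, a netmask like 255.255.0.255 or a gateway on the wrong subnet goes straight into ifcfg-$CARD_TYPE, and the `network restart` that follows can take a box off the network that you may only reach over ssh. The validators below are an added example and not part of the original script. They cover the same values input_again collects (hostname, IPADDR, NETMASK, GATEWAY); `ask_valid` is a hypothetical drop-in for input_fun that keeps asking until the chosen validator accepts the answer. Everything is POSIX sh, so it runs under bash as well.

```shell
#!/bin/sh
# Added example: validate the network parameters before they are written to the
# ifcfg file. Every validator returns 0 (valid) or 1 (invalid).

# Dotted-quad IPv4 address: exactly four octets, each 0-255, no leading zeros
# (an octet such as 010 is read as octal by some tools, so it is rejected).
is_ipv4() {
    local old_ifs octet
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
        case $octet in
            0) ;;                  # a lone zero is fine
            0*) return 1 ;;        # 01, 007 and similar are not
        esac
    done
    return 0
}

# Dotted quad -> 32-bit integer, for mask arithmetic.
ip_to_int() {
    local old_ifs
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# A netmask is valid only if its 1-bits are contiguous from the top. For such a
# mask, mask | (mask - 1) sets all 32 bits (4294967295); 0.0.0.0 is rejected.
is_netmask() {
    local mask
    is_ipv4 "$1" || return 1
    mask=$(ip_to_int "$1")
    [ "$mask" -ne 0 ] && [ $(( mask | (mask - 1) )) -eq 4294967295 ]
}

# Hostname label per RFC 1123: letters, digits and '-', 1-63 characters,
# neither starting nor ending with '-'. Dots are not allowed (the domain is
# entered separately in the script).
is_hostname() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# same_subnet IP GATEWAY NETMASK: the gateway must lie in the host's own network.
same_subnet() {
    local a b m
    a=$(ip_to_int "$1"); b=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# check_network_params HOSTNAME IPADDR NETMASK GATEWAY
# Validates one complete set of parameters and reports the first problem found.
check_network_params() {
    is_hostname "$1"           || { echo "bad hostname: $1" >&2; return 1; }
    is_ipv4 "$2"               || { echo "bad IP address: $2" >&2; return 1; }
    is_netmask "$3"            || { echo "bad netmask: $3" >&2; return 1; }
    is_ipv4 "$4"               || { echo "bad gateway: $4" >&2; return 1; }
    same_subnet "$2" "$4" "$3" || { echo "gateway $4 is not in $2/$3" >&2; return 1; }
    return 0
}

# Hypothetical replacement for input_fun: re-prompt until VALIDATOR accepts the
# answer. The prompt goes to stderr because stdout is captured by $( ).
# Usage: IPADDR=$(ask_valid "Please input ipaddress(192.168.100.1): " is_ipv4)
ask_valid() {
    local prompt validator answer
    prompt=$1; validator=$2
    while :; do
        printf '%s' "$prompt" >&2
        read -r answer
        if "$validator" "$answer"; then
            printf '%s\n' "$answer"
            return 0
        fi
        echo "invalid value '$answer', try again" >&2
    done
}
```

With these in place, `input_again` can call `ask_valid "Please input netmask(255.255.255.0): " is_netmask` instead of `input_fun`, and `check_network_params "$MYHOSTNAME" "$IPADDR" "$NETMASK" "$GATEWAY" || exit 1` can guard the heredoc that writes the ifcfg file.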
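Nothing in the script confirms that its sed edits actually took effect, and a silent failure is easy to get: the SELinux sed in the original was missing a `/`, so the box stayed in enforcing mode while the script reported success. The audit below is an added example, not the author's code. It reads the effective value of a key from the files the script edits (sshd_config, login.defs, sysctl.conf, the selinux config) and reports every mismatch against the values the script is supposed to write. The file paths are arguments so the audit can be run against the live files or against copies. One caveat it encodes: sshd honours the first occurrence of a keyword, while sysctl applies settings in order so the last one wins, so the caller chooses which occurrence counts. Written in POSIX sh; the expected values are exactly the ones the script above sets.

```shell
#!/bin/sh
# Added example: verify that the hardening edits made by the script are in effect.
# Nothing here modifies the system.

# effective_value FILE KEY [first|last]
# Prints the value assigned to KEY on an uncommented line of FILE. Both the
# "KEY value" form (sshd_config, login.defs) and the "KEY = value" form
# (sysctl.conf, /etc/sysconfig/selinux) are accepted. Commented-out lines such
# as "#UseDNS yes" are ignored. Which occurrence wins is the caller's choice:
# sshd uses the first, sysctl the last (default).
effective_value() {
    local file key pick key_re matches
    file=$1; key=$2; pick=${3:-last}
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')     # escape dots in sysctl keys
    matches=$(sed -n -E "s/^[[:space:]]*${key_re}[[:space:]=]+([^#[:space:]]+).*/\1/p" "$file")
    if [ "$pick" = first ]; then
        printf '%s\n' "$matches" | head -n 1
    else
        printf '%s\n' "$matches" | tail -n 1
    fi
}

# audit_setting FILE KEY EXPECTED [first|last]: 0 if the effective value matches.
audit_setting() {
    [ "$(effective_value "$1" "$2" "${4:-last}")" = "$3" ]
}

# Helper for audit_hardening: print a FAIL line and count the failure.
audit_check() {
    audit_setting "$1" "$2" "$3" "${4:-last}" && return 0
    echo "FAIL: $2 should be $3 in $1"
    AUDIT_FAILS=$((AUDIT_FAILS + 1))
}

# audit_hardening SSHD_CONFIG LOGIN_DEFS SYSCTL_CONF SELINUX_CONFIG
# Checks the settings the script writes and returns the number of failures
# (also left in AUDIT_FAILS), so 0 means everything is in place.
audit_hardening() {
    AUDIT_FAILS=0
    audit_check "$1" UseDNS               no  first
    audit_check "$1" GSSAPIAuthentication no  first
    audit_check "$2" PASS_MAX_DAYS        90
    audit_check "$2" PASS_MIN_LEN         8
    audit_check "$3" net.ipv4.tcp_syncookies 1
    audit_check "$4" SELINUX              disabled
    return "$AUDIT_FAILS"
}

# On the real host, run after the script:
#   audit_hardening /etc/ssh/sshd_config /etc/login.defs /etc/sysctl.conf /etc/sysconfig/selinux
```

The sed in `effective_value` requires a whitespace or `=` separator right after the key, so `SELINUX` does not match the `SELINUXTYPE=targeted` line, and a key that appears only in comments yields an empty value, which the audit reports as a mismatch rather than a pass.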