# echo -ne $(echo export PRMPT_COMMAND='{ cmd=$(history 1 | { read x y; echo $y; }); echo -ne [ $(date "+%c") ]$LOGNAME :: $SUDO_USER :: $SSH_CLIENT :: $SSH_TTY :: $cmd "\n"; } >> $HOME/.bash_history.log') >> /etc/bashrc
# 优化硬盘
cp /etc/fstab /etc/fstab.`date +"%Y-%m-%d_%H-%M-%S"`
# 关闭系统写入文件最后读取时间
sed -i 's/ext3 defaults[[:space:]]/ext3 defaults,noatime/' /etc/fstab
# 关闭系统按时间间隔决定下次重启时运行fsck
grep ext3 /etc/fstab | grep -v boot | awk '{print $1}' | xargs -i tune2fs -i0 {}
# 关闭系统按mount次数决定下次重启时运行fsck
# grep ext3 /etc/fstab | grep -v boot | awk '{print $1}' | xargs -i tune2fs -c-1 {}
# 配置时间同步
echo "/usr/sbin/ntpdate cn.pool.ntp.org" >> /etc/cron.weekly/ntpdate
chmod +x /etc/cron.weekly/ntpdate
# 配置snmpd
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.`date +"%Y-%m-%d_%H-%M-%S"`
sed -i 's/#view all/view all/' /etc/snmp/snmpd.conf
sed -i 's/#access MyROGroup/access MyROGroup/' /etc/snmp/snmpd.conf
${CHKCONFIG} snmpd on
${SERVICE} snmpd start
# 修改vim配置文件
mv /etc/vimrc /etc/vimrc.`date +"%Y-%m-%d_%H-%M-%S"`
cp /usr/share/vim/vim70/vimrc_example.vim /etc/vimrc
# 屏蔽终端下鼠标功能
sed -i -e 's/set mouse=a/" set mouse=a/' /etc/vimrc
# 配置tab建、elflord颜色方案等
echo "set history=1000" >> /etc/vimrc
echo "set expandtab" >> /etc/vimrc
echo "set ai" >> /etc/vimrc
echo "set tabstop=4" >> /etc/vimrc
echo "set shiftwidth=4" >> /etc/vimrc
echo "set paste" >> /etc/vimrc
#echo "colo elflord" >> /etc/vimrc
echo "colo delek" >> /etc/vimrc
# 安装完成后做一些基本的设置
# 关闭SELINUX
cp /etc/sysconfig/selinux /etc/sysconfig/selinux.`date +"%Y-%m-%d_%H-%M-%S"`
sed -i '/SELINUX/s/\(enforcing\|permissive\)/disabled/' /etc/sysconfig/selinux
# 修改主机名,修改俩文件/etc/sysconfig /network和/etc/hosts
#sed -i -e "/HOSTNAME/s/^/#/" /etc/sysconfig/network
#sed -i -e "$ a HOSTNAME=$HOSTNAME" /etc/sysconfig/network
#sed -i -e "/127.0.0.1/c 127.0.0.1 $HOSTNAME localhost.localdomain localhost" /etc/hosts
# disable IPV6
cp /etc/modprobe.conf /etc/modprobe.conf.`date +"%Y-%m-%d_%H-%M-%S"`
echo "alias net-pf-10 off" >> /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf
# 设置ssh
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.`date +"%Y-%m-%d_%H-%M-%S"`
# 允许root远程登录
# sed -i 's/#PermitRootLogin/PermitRootLogin/' /etc/ssh/sshd_config
# 屏蔽掉GSSAPIAuthentication yes和GSSAPICleanupCredentials yes
sed -i -e '74 s/^/#/' -i -e '76 s/^/#/' /etc/ssh/sshd_config
# 取消使用DNS
sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
# 44行是#PubkeyAuthentication yes。48行是#RhostsRSAAuthentication no
# sed -i -e '44 s/^/#/' -i -e '48 s/^/#/' /etc/ssh/sshd_config
/etc/init.d/sshd restart
# 将错误按键的beep声关掉。stop the “beep"
# cp /etc/inputrc /etc/inputrc.origin
# sed -i '/#set bell-style none/s/#set bell-style none/set bell-style none/' /etc/inputrc
# 关闭不必要的服务
SERVICES="acpid atd auditd avahi-daemon bluetooth cpuspeed cups firstboot hidd ip6tables isdn mcstrans messagebus pcscd rawdevices sendmail yum-updatesd"
for service in $SERVICES
do
${CHKCONFIG} $service off
${SERVICE} $service stop
done
# 优化内核参数
mv /etc/sysctl.conf /etc/sysctl.conf.`date +"%Y-%m-%d_%H-%M-%S"`
echo -e "kernel.core_uses_pid = 1\n"\
"kernel.msgmnb = 65536\n"\
"kernel.msgmax = 65536\n"\
"kernel.shmmax = 68719476736\n"\
"kernel.shmall = 4294967296\n"\
"kernel.sysrq = 0\n"\
"net.core.netdev_max_backlog = 262144\n"\
"net.core.rmem_default = 8388608\n"\
"net.core.rmem_max = 16777216\n"\
"net.core.somaxconn = 262144\n"\
"net.core.wmem_default = 8388608\n"\
"net.core.wmem_max = 16777216\n"\
"net.ipv4.conf.default.rp_filter = 1\n"\
"net.ipv4.conf.default.accept_source_route = 0\n"\
"net.ipv4.ip_forward = 0\n"\
"net.ipv4.ip_local_port_range = 5000 65000\n"\
"net.ipv4.tcp_fin_timeout = 1\n"\
"net.ipv4.tcp_keepalive_time = 30\n"\
"net.ipv4.tcp_max_orphans = 3276800\n"\
"net.ipv4.tcp_max_syn_backlog = 262144\n"\
"net.ipv4.tcp_max_tw_buckets = 6000\n"\
"net.ipv4.tcp_mem = 94500000 915000000 927000000\n"\
"# net.ipv4.tcp_no_metrics_save=1\n"\
"net.ipv4.tcp_rmem = 4096 87380 16777216\n"\
"net.ipv4.tcp_sack = 1\n"\
"net.ipv4.tcp_syn_retries = 1\n"\
"net.ipv4.tcp_synack_retries = 1\n"\
"net.ipv4.tcp_syncookies = 1\n"\
"net.ipv4.tcp_timestamps = 0\n"\
"net.ipv4.tcp_tw_recycle = 1\n"\
"net.ipv4.tcp_tw_reuse = 1\n"\
"net.ipv4.tcp_window_scaling = 1\n"\
"net.ipv4.tcp_wmem = 4096 16384 16777216\n" > /etc/sysctl.conf
sysctl -p
# 设置iptables
if [ -f /etc/sysconfig/iptables ]; then
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.`date +"%Y-%m-%d_%H-%M-%S"`
fi
echo -e "*filter\n"\
":INPUT DROP [0:0]\n"\
"#:INPUT ACCEPT [0:0]\n"\
":FORWARD ACCEPT [0:0]\n"\
":OUTPUT ACCEPT [0:0]\n"\
"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n"\
"-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT\n"\
"# setting trust ethernet.\n"\
"-A INPUT -i eth0 -j ACCEPT\n"\
"-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n"\
"-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\n"\
"-A INPUT -d 127.0.0.1 -j ACCEPT\n"\
"-A INPUT -j DROP\n"\
"-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT \n"\
"-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT \n"\
"#-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT \n"\
"COMMIT\n" > /etc/sysconfig/iptables
${SERVICE} iptables restart
# Linux 大多都是远程维护 pts连接的,可以关闭多余的 tty,保留一个用于物理登陆
cp /etc/inittab /etc/inittab.`date +"%Y-%m-%d_%H-%M-%S"`
sed -i '/tty[2-6]/s/^/#/' /etc/inittab
# 增加文件描述符限制
cp /etc/security/limits.conf /etc/security/limits.conf.`date +"%Y-%m-%d_%H-%M-%S"`
sed -i '/# End of file/i\*\t\t-\tnofile\t\t65535' /etc/security/limits.conf
# 使ctrl+alt+del关机键无效
# cp /etc/inittab /etc/inittab.`date +"%Y-%m-%d_%H-%M-%S"`
# sed -i "s/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/#ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/" /etc/inittab
# /sbin/init q
# 安装fail2ban防暴力工具遍历弱口令利器,有外网IP的推荐打开注释。
# yum install -y fail2ban
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.`date +"%Y-%m-%d_%H-%M-%S"`
# sed -i 's/bantime = 600/bantime = 43200/
CentOS 5.x 服务器安装优化脚本下载地址: