CentOS 6.7 enhanced system optimization script
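#!/bin/bash
# Author: wangqd
# Description: CentOS 6.7 post-install optimization / hardening script.
# Steps: update the system, trim boot services, install basic tools, timestamp
# bash history, SELinux setting, su restriction, sshd hardening, iptables rule,
# time synchronization, kernel parameters, wheel user creation, reboot.
#
# Usage: ./script.sh <wheel_user> <password>
#   $1 - account that is created, added to the wheel group and becomes the only
#        account listed in sshd "AllowUsers"
#   $2 - its initial password. It is passed on the command line, so it is visible
#        in `ps` and in the shell history of whoever runs the script; change it
#        after the first login.
set -euo pipefail

# Must run as root: everything below writes under /etc and restarts services.
# The original printed the message but carried on; exiting is the intent.
if [[ "$(id -u)" != "0" ]]; then
  echo "the root permission is required to run this script!" >&2
  exit 1
fi

# Both arguments are used later (AllowUsers, useradd, passwd). An empty $1
# would write a bare "AllowUsers" line, which locks every account out of sshd.
: "${1:?usage: $0 <wheel_user> <password>}"
: "${2:?usage: $0 <wheel_user> <password>}"

# Apply pending updates quietly. The original redirected to /etc/null (a typo
# that creates a stray file); /dev/null is what was meant.
if yum update -y >/dev/null; then
  echo "system update completed (or nothing to update)"
else
  echo "yum update failed; continuing with the remaining steps" >&2
fi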
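# ---------------------------------------------------------------------------
# Streamline boot services: stop unneeded services from starting at boot.
#######################################
# disable_service NAME DESCRIPTION
# Removes NAME from all runlevels with chkconfig when the service is
# registered; reports (without failing) when it is not installed.
# The original only disabled some services when their /var/lock/subsys file
# existed, i.e. when they happened to be running at that moment; checking
# chkconfig's registration instead disables them regardless of current state.
#######################################
disable_service() {
  local name=$1 desc=$2
  if ! chkconfig --list "$name" >/dev/null 2>&1; then
    echo "$desc ($name) is not installed; nothing to disable"
    return 0
  fi
  if chkconfig "$name" off; then
    echo "$desc ($name) will no longer start at boot"
  else
    echo "failed to disable $desc ($name)" >&2
  fi
}

disable_service ip6tables "IPv6 firewall"
disable_service iscsi "iSCSI initiator"
disable_service iscsid "iSCSI daemon"
disable_service netfs "NFS/SMB/NCP network filesystem mounts"
# NOTE: auditd is the kernel audit trail (logins, privilege use, file access).
# Disabling it removes the evidence incident response relies on; kept here
# because the original script disables it, but reconsider on production hosts.
disable_service auditd "Linux audit daemon"
disable_service nfslock "NFS file locking"
disable_service rpcgssd "NFSv4 rpcgssd"
disable_service rpcbind "RPC port mapper"
disable_service rpcidmapd "NFSv4 rpcidmapd"
disable_service lvm2-monitor "LVM2 monitoring"
disable_service lldpad "Link Layer Discovery Protocol agent"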
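# ---------------------------------------------------------------------------
# Install basic tools.
#   setuptool / ntsysv / system-config-*-tui : text-mode admin front ends
#   cronie wget vim unzip openssh-clients screen rsync ftp telnet : utilities
# ftp and telnet are cleartext client tools only; no server is installed here.
# ---------------------------------------------------------------------------
packages=(setuptool ntsysv system-config-firewall-tui system-config-network-tui
  cronie wget vim unzip openssh-clients screen rsync ftp telnet)
# yum returns 0 when packages are already present, so the else branch is a
# real failure (the original labelled it "already installed").
if yum install -y "${packages[@]}" >/dev/null; then
  echo "basic component installation completed"
else
  echo "basic component installation failed" >&2
fi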
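# ---------------------------------------------------------------------------
# Timestamp every bash history entry (helps reconstruct who ran what, when).
# Idempotent: appended only when /etc/profile does not already contain it.
# The original inserted after the "export PATH USER" line; appending has the
# same effect and avoids the sed escaping that broke the original command.
# ---------------------------------------------------------------------------
hist_fmt='HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S "'
if grep -qF -- "$hist_fmt" /etc/profile; then
  echo "bash history timestamps already configured"
else
  printf '%s\nexport HISTTIMEFORMAT\n' "$hist_fmt" >>/etc/profile
  echo "bash history timestamps configured"
fi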
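# ---------------------------------------------------------------------------
# SELinux: the original script turns it off. This removes a mandatory access
# control layer; "permissive" would keep logging denials without enforcing.
# Kept as the author wrote it; takes effect after the reboot at the end.
# ---------------------------------------------------------------------------
if grep -q '^SELINUX=disabled' /etc/selinux/config; then
  echo "SELinux already disabled in /etc/selinux/config"
else
  # Replace whichever mode is set. The original only matched "enforcing" and,
  # when that was absent, built an empty sed pattern that errors out.
  sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
  echo "SELinux set to disabled in /etc/selinux/config"
fi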
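# ---------------------------------------------------------------------------
# su restriction: only wheel group members may su. pam_wheel "use_uid" checks
# the real uid, so a nested shell cannot sidestep it.
# Idempotent: skipped when an active (uncommented) pam_wheel line exists.
# ---------------------------------------------------------------------------
pam_wheel_line='auth            required        pam_wheel.so use_uid'
pam_wheel_re='^auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid'
if grep -Eq "$pam_wheel_re" /etc/pam.d/su; then
  echo "su already restricted to the wheel group"
else
  # If the distribution's commented-out template line is present, uncomment it
  # in place (keeps it ahead of the "include system-auth" line).
  sed -i -E 's/^#[[:space:]]*(auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid)/\1/' /etc/pam.d/su
  if ! grep -Eq "$pam_wheel_re" /etc/pam.d/su; then
    # Otherwise insert after the last "auth" line, as the original did.
    last_auth=$(awk '/^auth/ { n = NR } END { if (n) print n }' /etc/pam.d/su)
    if [[ -n "$last_auth" ]]; then
      sed -i "${last_auth}a ${pam_wheel_line}" /etc/pam.d/su
    else
      printf '%s\n' "$pam_wheel_line" >>/etc/pam.d/su
    fi
  fi
  echo "su restricted to the wheel group"
fi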
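# ---------------------------------------------------------------------------
# sshd hardening.
readonly SSHD_CFG=/etc/ssh/sshd_config

#######################################
# set_sshd_option KEY VALUE
# Makes "KEY VALUE" the only active KEY directive in sshd_config.
# Every active KEY line is removed; the new line is placed after the first
# commented "#KEY" default (as the original did, which keeps it above any
# Match block) or at the top of the file when no such comment exists.
# Re-running with the same value is a no-op.
# Globals: SSHD_CFG (read)
#######################################
set_sshd_option() {
  local key=$1 value=$2 anchor
  if grep -Eq "^${key}[[:space:]]+${value}[[:space:]]*$" "$SSHD_CFG"; then
    echo "sshd: $key $value already set"
    return 0
  fi
  sed -i -E "/^${key}[[:space:]]/d" "$SSHD_CFG"
  # {=;q} prints the first matching line number and stops: no pipe to head.
  anchor=$(sed -n -E "/^#[[:space:]]*${key}[[:space:]]/{=;q}" "$SSHD_CFG")
  if [[ -n "$anchor" ]]; then
    sed -i "${anchor}a ${key} ${value}" "$SSHD_CFG"
  else
    sed -i "1i ${key} ${value}" "$SSHD_CFG"
  fi
  echo "sshd: $key set to $value"
}

# Port 58022 moves sshd off the default port (reduces scanner noise; it is not
# a security control on its own). The firewall step adds the matching rule.
set_sshd_option Port 58022
set_sshd_option PermitRootLogin no
set_sshd_option PermitEmptyPasswords no
# GSSAPI and reverse DNS lookups both slow down logins; neither is used here.
set_sshd_option GSSAPIAuthentication no
set_sshd_option UseDNS no
# Only the account given as $1 may log in over ssh. Earlier AllowUsers lines
# are discarded, as in the original.
set_sshd_option AllowUsers "$1"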
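# ---------------------------------------------------------------------------
# Firewall: accept new TCP connections on the ssh port chosen above (58022).
# The rule goes right after the first line of /etc/sysconfig/iptables that
# contains "22" (normally the stock ssh rule) so it sits at the same position
# in the INPUT chain. The original port-22 rule is left as the author had it.
# ---------------------------------------------------------------------------
readonly IPTABLES_CFG=/etc/sysconfig/iptables
ssh_rule='-A INPUT -m state --state NEW -m tcp -p tcp --dport 58022 -j ACCEPT'
if [[ ! -f "$IPTABLES_CFG" ]]; then
  echo "$IPTABLES_CFG not found; add the port 58022 rule manually" >&2
elif grep -q -- '--dport 58022' "$IPTABLES_CFG"; then
  echo "port 58022 already present in $IPTABLES_CFG"
else
  # "/22/" is a loose anchor (any line containing 22); first hit only, as in
  # the original.
  rule_line=$(sed -n '/22/{=;q}' "$IPTABLES_CFG")
  if [[ -n "$rule_line" ]]; then
    sed -i "${rule_line}a ${ssh_rule}" "$IPTABLES_CFG"
    echo "port 58022 added to $IPTABLES_CFG"
  else
    echo "no anchor line found in $IPTABLES_CFG; add the rule manually: $ssh_rule" >&2
  fi
fi

# Validate sshd_config before restarting; a broken config would otherwise
# leave the host without ssh after the reboot at the end of the script.
if /usr/sbin/sshd -t; then
  if /etc/init.d/sshd restart; then
    echo "sshd restarted"
  fi
else
  echo "sshd_config failed validation (sshd -t); sshd not restarted" >&2
fi
if /etc/init.d/iptables restart; then
  echo "iptables restarted"
fi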
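# ---------------------------------------------------------------------------
# Time synchronization: one-shot ntpdate now, then every 6 hours from
# /etc/crontab. Accurate clocks matter for log correlation and for
# certificate / Kerberos validity checks.
# ---------------------------------------------------------------------------
ntp_server=time.nist.gov
if yum install -y ntp >/dev/null; then
  echo "ntp package installed"
fi
if /usr/sbin/ntpdate "$ntp_server"; then
  echo "local time synchronized with $ntp_server"
fi
if /sbin/hwclock --systohc; then
  echo "system time written to the hardware clock"
fi
# /etc/crontab format is "min hour dom mon dow user command"; the original
# entry had too few fields and no user column, so cron would reject it.
cron_entry="5 */6 * * * root /usr/sbin/ntpdate $ntp_server >/dev/null 2>&1"
if grep -qF -- "/usr/sbin/ntpdate $ntp_server" /etc/crontab; then
  echo "ntpdate cron entry already present"
else
  # Original inserted after the last comment line; appending is equivalent.
  printf '%s\n' "$cron_entry" >>/etc/crontab
  echo "ntpdate scheduled every 6 hours in /etc/crontab"
fi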
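# ---------------------------------------------------------------------------
# Kernel network parameters. The original wrote them with one sed command and
# lost the newline before tcp_timestamps, producing a broken sysctl line; a
# here-document keeps them readable. Values are the author's and are applied
# at the reboot at the end (no "sysctl -p" is run here).
# ---------------------------------------------------------------------------
if grep -q '^net.ipv4.tcp_max_syn_backlog' /etc/sysctl.conf; then
  echo "kernel parameters already present in /etc/sysctl.conf"
else
  cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# tcp_timestamps=0 also turns off PAWS; tcp_tw_recycle below depends on
# timestamps and is known to drop connections from clients behind NAT.
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
#net.ipv4.tcp_tw_len = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.ip_local_port_range = 1024 65535
EOF
  echo "kernel parameters appended to /etc/sysctl.conf"
fi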
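# ---------------------------------------------------------------------------
# Create the administrative account ($1) in the wheel group and set its
# password ($2). The password goes to passwd via --stdin so it is not in
# passwd's argv; it is still on this script's own command line (see header).
# ---------------------------------------------------------------------------
if id "$1" >/dev/null 2>&1; then
  # Original useradd would fail on an existing account; add to wheel instead.
  usermod -a -G wheel "$1"
  echo "user $1 already exists; added to wheel"
else
  useradd -G wheel "$1"
  echo "user $1 is created!"
fi
if printf '%s\n' "$2" | passwd --stdin "$1" >/dev/null 2>&1; then
  echo "password set for $1"
else
  echo "failed to set password for $1" >&2
fi

# Only wheel members may su to root. The original used ">" which truncated
# /etc/login.defs (dropping UID ranges, password ageing, umask, ...); update
# the existing key or append instead. On PAM-based systems the pam_wheel line
# in /etc/pam.d/su is generally what enforces this; this setting is kept for
# completeness.
if grep -q '^SU_WHEEL_ONLY' /etc/login.defs; then
  sed -i 's/^SU_WHEEL_ONLY.*/SU_WHEEL_ONLY yes/' /etc/login.defs
else
  echo "SU_WHEEL_ONLY yes" >>/etc/login.defs
fi
echo "SU_WHEEL_ONLY yes set in /etc/login.defs"

# Unconditional reboot, as in the original, so the SELinux, kernel and
# service changes take effect.
init 6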