CentOS6.7 enhanced system optimization script

CentOS6.7 enhanced system optimization script

#! /Bin/bash

# Author wangqd

# Description: this is a centos6.7 optimization script

# Processname: upgrade the system, streamline services, install basic configurations, record bash execution time, security configuration, su reinforcement, ssh optimization, iptables settings, and time synchronization system optimization

# Check whether it is a root user;

If [$ (id-u )! = "0"]; then

Echo "the root permission is required to run this script! "

Fi

Yum update-y>/etc/null

If [$? = "0"]; then

Echo "no updates required for the system"

Fi

# Streamlined services

# Disable ipv6 Firewall

Chkconfig ip6tables off

If [$? = "0"]; then

Echo "ipv6 firewall is set to fail to start automatically"

Else

Echo "An error occurred while enabling ipv6 firewall"

Fi

# Disable the iscsi service

Chkconfig iscsi off

If [$? = "0"]; then

Echo "The iscsi service is set to fail to start automatically"

Else

Echo "An error occurred while enabling the iscsi service"

Fi

# Disable iscsi-related services

Chkconfig iscsid off

If [$? = "0"]; then

Echo "iscsi-related services are set to fail to start automatically"

Else

Echo "An error occurred while enabling iscsi-related services"

Fi

# Disable NFS, smaba, and NetWare Network File Systems

Chkconfig netfs off

If [$? = "0"]; then

Echo "failed to enable NFS, smaba, and NetWare network file systems"

Else

Echo "failed to enable NFS, smaba, and NetWare network file systems from startup"

Fi

# Audit functions of linux

Chkconfig auditd off

If [-f "/var/lock/subsys/auditd"]; then

Echo "audit functions of linux"

Else

Echo "the audit function of linux is not enabled"

Fi

# Disable NFS file lock for TCP/IP network shared file Protocol

If [-f "/var/lock/subsys/nfslock"]; then

Chkconfig nfslock off

Echo "disable NFS file lock for TCP/IP network file sharing protocol"

Else

Echo "the NFS file lock function of the TCP/IP network shared file protocol is not enabled"

Fi

# Disable NFS v4

If [-f "/var/lock/subsys/rpcgssd"]; then

Chkconfig rpcgssd off

Echo "disable NFS-rpcgssd"

Else

Echo "NFS-rpcgssd service not enabled"

Fi

# Disable the RPC service

If [-f "/var/lock/subsys/rpcbind"]; then

Chkconfig rpcbind off

Echo "disable RPC rpcbind service"

Else

Echo "RPC service not enabled"

Fi

# Disable NFS v4

If [-f "/var/lock/subsys/rpcidmapd"]; then

Chkconfig rpcidmapd off

Echo "Disable rpcidmapd"

Else

Echo "rpcidmapd service not enabled"

Fi

# Disable the system's support for the Logical magnetic zone of Logical Volume Manager

If [-f "/var/lock/subsys/lvm2-monitor"]; then

Chkconfig lvm2-monitor off

Echo "disable the system's support for the Logical magnetic zone of Logical Volume Manager"

Else

Echo "the system does not support the Logical magnetic zone of Logical Volume Manager"

Fi

# Disable the adjacent Detection protocol

If [-f "/var/lock/subsys/lldpad"]; then

Chkconfig lldpad off

Echo "Disable neighboring Discovery Protocol"

Else

Echo "the proximity detection protocol is not enabled"

Fi

# Install basic components

# Setuptool Python's distutilsde tool Enhancement Tool (py2.3.5 and above 64-bit py2.4)

# Ntsysv: set various services of the system

# System-config-firewall-tui command line user interface (TUI) firewall client

# System-config-network-tui install Fedora network Configuration Tool

Yum install-y setuptool ntsysv system-config-firewall-tui system-config-network-tui cronie wget vim unzip openssh-clients screen rsync ftp telnet>/etc/null

If [$? = "0"]; then

Echo "basic component installation completed"

Else

Echo "basic components have been installed"

Fi

# Record the execution time of each bash command

Time = "HISTTIMEFORMAT = \" % Y-% m-% d \ % H: % M: % S \""

Grep "$ time"/etc/profile>/etc/null

If [$? = "0"]; then

Echo "records the execution time of each bash command"

Else

Line = $ (sed-n "/export \ PATH \ USER/="/etc/profile | tail-n1)

Sed-I "$ {line} a HISTTIMEFORMAT = \" % Y-% m-% d \ % H: % M: % S \ "\ nexport \ HISTTIMEFORMAT"/etc/profile

Echo "records the successful execution time of each bash command"

Fi

# Security Configuration

Grep "^ SELINUX = disabled"/etc/selinux/config

If [$? = "0"]; then

Echo "Security Configuration already done"

Else

Selinux1 = $ (grep "^ SELINUX = enforcing"/etc/selinux/config)

Sed-I "s/$ selinux1/SELINUX = disabled/"/etc/selinux/config

Echo "the server security configuration has been completed"

Fi

# Su reinforcement

Grep "^ auth"/etc/pam. d/su | grep "pam_wheel.so use_uid"

If [$? = "0"]; then

Echo "su reinforced"

Else

Line2 = $ (sed-n "/^ auth/="/etc/pam. d/su | tail-1)

Sed-I "$ {line2} a auth \\\\\ required \\\ pam_wheel.so \ use_uid"/etc/pam. d/su

Echo "su reinforcement successful"

Fi

# Ssh Optimization

# Port

Grep "^ Port [[: space:]"/etc/ssh/sshd_config | grep "58022"

If [$? = "0"]; then

Echo "correct modification of ssh port number Settings"

Else

Check1 = $ (grep "^ # Port"/etc/ssh/sshd_config)

Sline1 = $ (sed-n "/$ check1/="/etc/ssh/sshd_config)

Sed-I "/^ Port/d"/etc/ssh/sshd_config

Sed-I "$ {sline1} a Port \ 58022"/etc/ssh/sshd_config

Echo "SSH changed to 58022"

Fi

# Root Login not allowed

Grep "^ PermitRootLogin [[: space:]"/etc/ssh/sshd_config | grep "no"

If [$? = "0"]; then

Echo "ssh does not allow root login. The function has been set"

Else

Check2 = $ (grep "^ # PermitRootLogin [[: space:]"/etc/ssh/sshd_config)

Sline2 = $ (sed-n "/$ check2/="/etc/ssh/sshd_config)

Sed-I "/^ PermitRootLogin/d"/etc/ssh/sshd_config

Sed-I "$ {sline2} a PermitRootLogin \ no"/etc/ssh/sshd_config

Echo "root logon to ssh is not allowed"

Fi

# Logon with a blank password is not allowed

Grep "^ PermitEmptyPasswords [[: space:]"/etc/ssh/sshd_config | grep "no"

If [$? = "0"]; then

Echo "Please check that ssh does not allow empty passwords to log on"

Else

Check3 = $ (grep "^ # PermitEmptyPasswords [[: space:]"/etc/ssh/sshd_config)

Sline3 = $ (sed-n "/$ check3/="/etc/ssh/sshd_config)

Sed-I "/^ PermitEmptyPasswords/d"/etc/ssh/sshd_config

Sed-I "$ {sline3} a PermitEmptyPasswords \ no"/etc/ssh/sshd_config

Echo "ssh does not allow empty passwords to be successfully set for Logon"

Fi

# Disable DNS

Grep "^ GSSAPIAuthentication [[: space:]"/etc/ssh/sshd_config | grep "no"

If [$? = "0"]; then

Echo "disabling DNS settings"

Else

Check4 = $ (grep "# GSSAPIAuthentication [[: space:]"/etc/ssh/sshd_config)

Sed-I "/^ GSSAPIAuthentication/d"/etc/ssh/sshd_config

Sline4 = $ (sed-n "/$ check4/="/etc/ssh/sshd_config)

Sed-I "$ {sline4} c GSSAPIAuthentication \ no"/etc/ssh/sshd_config

Echo "DNS settings disabled"

Fi

# Disable UseDNS

Grep "^ UseDNS [[: space:]"/etc/ssh/sshd_config | grep "no"

If [$? = "0"]; then

Echo "UseDNS Disabled has been set"

Else

Check5 = $ (grep "^ # UseDNS [[: space:]"/etc/ssh/sshd_config)

Sline5 = $ (sed-n "/$ check5/="/etc/ssh/sshd_config)

Sed-I "/^ UseDNS/d"/etc/ssh/sshd_config

Sed-I "$ {sline5} a UseDNS \ no"/etc/ssh/sshd_config

Echo "UseDNS settings disabled"

Fi

# AllowUsers

Sed-I "/^ AllowUsers/d"/etc/ssh/sshd_config

If [$? = "0"]; then

Echo "other users allowed to log on to SSH have been deleted"

Else

Echo "ssh has no other users allowed to log on"

Fi

AU = $ (sed-n "/^ #/="/etc/ssh/sshd_config | tail-1)

Sed-I "$ {AU} a AllowUsers \ $1"/etc/ssh/sshd_config

If [$? = "0"]; then

Echo "AllowUsers user set successfully"

Else

Echo "AllowUsers failed to set the user"

Fi

# Setting a firewall

Iptab = "-A \ INPUT \-m \ state \ -- state \ NEW \-m \ tcp \-p \ tcp \ -- dport \ 58022 \-j \ ACCEPT"

Grep "58022"/etc/sysconfig/iptables

If [$? ! = 0]; then

Line8 = $ (sed-n "/22/="/etc/sysconfig/iptables | head-1)

Sed-I "$ {line8} a $ iptab"/etc/sysconfig/iptables

Echo "port 58022 added"

# Line9 = $ (sed-n "/lo/="/etc/sysconfig/iptables | head-1)

# Sed-I "$ {line9} a $ iptab"/etc/sysconfig/iptables

Else

Echo "58022 has been set. Please refer"

Fi

/Etc/init. d/sshd restart

If [$? = "0"]; then

Echo "sshd restarted"

Fi

/Etc/init. d/iptables restart

If [$? = "0"]; then

Echo "iptables"

Fi

# Time Synchronization

Yum install ntp-y>/etc/null

If [$? = "0"]; then

Echo "ntp service installed"

Fi

/Usr/sbin/ntpdate time.nist.gov

If [$? = "0"]; then

Echo "local time 1 synchronization time server"

Fi

/Sbin/hwclock -- systohc

If [$? = "0"]; then

Echo "the system time has been synchronized to the hardware"

Fi

# Write time synchronization into plan logs

Line10 = $ (sed-n "/^ #/="/etc/crontab | tail-1)

Sed-I "$ {line10} a 5 \ */6 \ * \/usr/sbin/ntpdate time.nist.gov \> \/dev/null \ 2> & 1 "/etc/crontab

If [$? = "0"]; then

Echo "time synchronization has been written into the plan log"

Fi

# Optimizing Kernel Parameters

Line11 = $ (sed-n "/^ #/="/etc/sysctl. conf | tail-1)

Sed-I "$ {line11} a net. ipv4.tcp _ max_syn_backlog \=\ 65536 \ nnet. core. netdev_max_backlog \=\ 32768 \ nnet. core. somaxconn \=\ 32768 \ nnet. core. wmem_default \=\ 8388608 \ nnet. core. rmem_default \=\ 8388608 \ nnet. core. rmem_max \=\ 16777216 \ nnet. core. wmem_max \=\ 16777216net. ipv4.tcp _ timestamps \=\ 0 \ nnet. ipv4.tcp _ synack_retries \=\ 2 \ nnet. ipv4.tcp _ syn_retries \=\ 2 \ nnet. ipv4.tcp _ tw_recycle \=\ 1 \ n # net. ipv4.tcp _ tw_len \=\ 1 \ nnet. ipv4.tcp _ tw_reuse \=\ 1 \ nnet. ipv4.tcp _ mem \=\ 94500000 \ 915000000 \ 927000000 \ nnet. ipv4.tcp _ max_orphans \=\ 3276800 \ nnet. ipv4.ip _ local_port_range \=\ 1024 \ 65535 "/etc/sysctl. conf

If [$? = "0"]; then

Echo "the system has been optimized"

Fi

# Create a wheel user

Useradd-G wheel $1

Echo "$2" | passwd $1 -- stdin>/dev/null 2> & 1

If [$? = "0"]; then

Echo "user is created! "

Fi

Echo "SU_WHEEL_ONLY yes">/etc/login. defs

# Only the wheel user is allowed to su to root

If [$? = "0"]; then

Echo "only allows the user of wheel to su to root for successful execution"

Else

Echo "only allows the wheel user to su to root for failed operations. Please refer"

Fi

Init 6