#!/bin/bash
################################################################
# Base platform setup for x86_64 CentOS 6 (64-bit)               #
# Configures yum, base tools, security files and kernel sysctl   #
# Author: Pharmacodia                                            #
# create_time: 20170212                                          #
# last_modified: 20171213                                        #
################################################################
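#######################################
# Verify the host is suitable for this script: running as root, on
# x86_64, on CentOS 6. Also forces the system locale to en_US.UTF-8 and
# installs redhat-lsb (for lsb_release) and wget.
# Globals:   none written; /etc/sysconfig/i18n is sourced into the shell
# Arguments: none
# Outputs:   progress banners to stdout, diagnostics to stderr
# Returns:   0 when every check passes; exits 1 otherwise
#######################################
check_env() {
  local check_user platform version

  sleep 1
  cat <<'EOF'
+----------------------------------+
|will be check env ...             |
+----------------------------------+
EOF

  # Everything that follows rewrites system files, so refuse to run unprivileged.
  check_user=$(id -u)
  if [[ "$check_user" != "0" ]]; then
    echo "must is root can use!" >&2
    exit 1
  fi

  platform=$(uname -i)
  if [[ "$platform" != "x86_64" ]]; then
    echo "Check system is x86_64 CentOS bit!" >&2
    exit 1
  fi

  # UTF-8 char: rewrite LANG in the sysconfig i18n file, then load it.
  if [[ -f /etc/sysconfig/i18n ]]; then
    sed -i 's@LANG=.*@LANG="en_US.UTF-8"@g' /etc/sysconfig/i18n
    # shellcheck disable=SC1091
    source /etc/sysconfig/i18n
  fi

  # redhat-lsb provides lsb_release, which the version check below relies on.
  yum -y install redhat-lsb wget.x86_64 || {
    echo "yum install of redhat-lsb / wget failed" >&2
    exit 1
  }
  # -s gives the bare release ("6.9"); keep only the major number.
  # The unquoted "Release:<tab>6" the old pipeline produced could never
  # compare equal to 6.
  version=$(lsb_release -rs | awk -F. '{print $1}')
  if [[ "$version" != "6" ]]; then
    echo "This script was only for CentOS 6!" >&2
    exit 1
  fi

  cat <<'EOF'
+--------------------------------------+
|check env finished,it seems ok ...    |
+--------------------------------------+
EOF
  sleep 1
  printf '\n\n'
}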
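#######################################
# Append a line to a file unless an identical line is already present.
# Arguments: $1 - the exact line to add; $2 - target file (created if missing)
# Returns:   status of the append (0 when the line was already there)
#######################################
_tune_append_once() {
  local line=$1
  local file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

#######################################
# Apply the baseline tuning: upgrade packages, install the base tool set,
# replace ntpd with a cron-driven ntpdate, raise file/process limits, make
# the core account files immutable and append the kernel sysctl profile.
# Re-running is safe: every append to rc.local, the root crontab,
# limits.conf and sysctl.conf is guarded so lines are not duplicated.
# Globals:   none
# Arguments: none
# Outputs:   progress banners to stdout
# Returns:   0; individual steps report their own errors
#######################################
tune() {
  # One value for every open-file limit; the original used 102400 in rc.local
  # but 65535 in limits.conf and ulimit, which left the limits inconsistent.
  local -r max_open_files=65535
  local -r max_procs=65535
  local -r rc_local=/etc/rc.local
  local -r root_cron=/var/spool/cron/root
  local -r limits_conf=/etc/security/limits.conf
  local -r nproc_conf=/etc/security/limits.d/90-nproc.conf
  local -r sysctl_conf=/etc/sysctl.conf
  local -r limits_marker='# tun_ins.sh limits'
  local -r sysctl_marker='# tun_ins.sh sysctl profile'
  local cur_nproc f

  cat <<'EOF'
+-------------------------+
|     Start Tunne ...     |
+-------------------------+
EOF

  #yum clean all
  #yum makecache
  #rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
  yum upgrade -y

  # Add some install base tools & packages & library.
  # EPEL is enabled through the epel-release package from the CentOS extras
  # repository, so the download and its GPG signature go through yum's
  # gpgcheck; the previous plain-http wget of epel-release-6-8.noarch.rpm
  # followed by rpm -ivh verified neither the transport nor the signature.
  yum -y install epel-release

  # libjpeg_devel / libpng_devel from the original list are spelled with the
  # usual -devel suffix here; libtool / libtool-ltdl were garbled as "libool".
  local -a packages=(
    glibc glibc-static glibc-devel glib2 glib2-devel bzip2 bzip2-devel
    ncurses ncurses-devel libaio readline-devel curl curl-devel libidn
    libidn-devel autoconf libjpeg libjpeg-devel libpng libpng-devel freetype
    freetype-devel libxml2 libxml2-devel zlib zlib-devel gcc gcc-c++ lrzsz
    ntpdate nmap.x86_64 lsof.x86_64 sysstat.x86_64 glances kernel-devel
    openssl openssl-devel popt-devel popt-static libnl-devel libicu-devel
    libevent-devel tree nc make cmake jemalloc pcre pcre-devel pcre-static
    libzip.x86_64 libzip-devel.x86_64 libtool libtool-ltdl gd-devel bison
    vim-enhanced zip unzip patch expect
  )
  # yum skips packages that are already installed, which replaces the
  # per-package "rpm -q | awk '/not installed/'" loop with one transaction.
  yum -y install "${packages[@]}"

  ### sync time to cn.pool.ntp.org server (every 5 minutes via cron).
  # ntpd and ntpdate would fight over the clock, so stop and disable ntpd.
  # The old test `[ $(pgrep ntpd) > 0 ]` was a string comparison / redirect,
  # not a numeric check.
  if pgrep -x ntpd >/dev/null; then
    pkill -x ntpd
    chkconfig --level 3 ntpd off
  else
    printf 'Services ntpd has stoped ...\n\n'
  fi
  _tune_append_once "*/5 * * * * /usr/sbin/ntpdate cn.pool.ntp.org >/dev/null 2>&1" "$root_cron"
  chmod 600 "$root_cron"

  # Tune file descriptors limit at boot and load the modules the sysctl
  # profile and the firewall need; each line is added to rc.local only once.
  _tune_append_once "ulimit -SHn ${max_open_files}" "$rc_local"
  #modprobe bridge
  _tune_append_once "modprobe bridge" "$rc_local"
  _tune_append_once "modprobe ip_conntrack" "$rc_local"
  ulimit -SHn "$max_open_files"

  if ! grep -qF "$limits_marker" "$limits_conf" 2>/dev/null; then
    cat >> "$limits_conf" <<EOF
${limits_marker}
* soft nproc ${max_procs}
* hard nproc ${max_procs}
* soft nofile ${max_open_files}
* hard nofile ${max_open_files}
EOF
  fi

  # Change user's processes limit: raise the "* soft nproc N" entry of
  # 90-nproc.conf unless it is already above 65500. Matching the exact
  # fields (instead of any line containing "*") keeps a multi-match file
  # from producing a broken sed address.
  if [[ -f "$nproc_conf" ]]; then
    cur_nproc=$(awk '$1 == "*" && $2 == "soft" && $3 == "nproc" {print $4; exit}' "$nproc_conf")
    if [[ "$cur_nproc" =~ ^[0-9]+$ ]] && (( cur_nproc <= 65500 )); then
      sed -i -r "s/^(\*[[:space:]]+soft[[:space:]]+nproc[[:space:]]+)${cur_nproc}[[:space:]]*\$/\1${max_procs}/" "$nproc_conf"
    fi
  fi

  ## Security File: make the account database immutable. useradd, passwd,
  ## groupadd and similar tools fail until `chattr -i` is run on these files.
  for f in /etc/passwd /etc/inittab /etc/group /etc/shadow /etc/gshadow; do
    if [[ -e "$f" ]]; then
      chattr +i "$f"
    fi
  done
  ## Security File

  # Tune kernel. The original moved sysctl.conf aside, which discarded every
  # setting the existing file carried; keep it, take a dated copy, and append
  # the profile once. On `sysctl -p` the later (appended) entries win.
  if [[ -e "$sysctl_conf" ]]; then
    cp -p "$sysctl_conf" "${sysctl_conf}.$(date +%F)"
  fi
  if ! grep -qF "$sysctl_marker" "$sysctl_conf" 2>/dev/null; then
    {
      printf '%s\n' "$sysctl_marker"
      cat <<'EOF'
#iptables performance
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.tcp_mem = 94500000 915000000 927000000
# NOTE(review): tcp_tw_recycle is known to break clients behind NAT, and with
# tcp_timestamps = 0 it has no effect anyway; tcp_fin_timeout and the
# *_retries = 1 values are very aggressive. Kept as the author set them.
net.ipv4.tcp_timestamps = 0
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 1024 65530
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
EOF
    } >> "$sysctl_conf"
  fi
  # The nf_conntrack keys only exist once the conntrack module is loaded;
  # -e lets sysctl continue past any key this kernel does not provide.
  modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack 2>/dev/null
  /sbin/sysctl -e -p

  cat <<'EOF'
+--------------------------------------------------------------------------+
|                         Tune finished ...                                |
| Check_running process limit & check if running process reload and restart|
+--------------------------------------------------------------------------+
EOF
}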
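#######################################
# Ask for confirmation, then run check_env and tune after a 3 s grace
# period. Anything other than yes / y / Y aborts the script.
# The banner and countdown now come BEFORE the work; the original printed
# "would be start in 3s ... CTRL + C to interrupt" after tune had already run.
# Globals:   none
# Arguments: none
# Outputs:   prompt and banners to stdout
# Returns:   0 after tune completes; exits 1 when the user declines
#######################################
Start_tune() {
  local answer
  read -r -p "tune start ... yes/no?:" answer
  case "$answer" in
    [yY]|[yY][eE][sS])
      ;;
    *)
      exit 1
      ;;
  esac
  cat <<'EOF'
+-------------------------------------------------------+
|start_tune function execute would be start in 3s ....  |
|          CTRL + C to be Interrupt ....                |
+-------------------------------------------------------+
EOF
  sleep 3
  printf '\n\n'
  # Function names are case-sensitive: the original called Check_env / Tune,
  # which are not the functions defined as check_env / tune.
  check_env
  tune
}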
#disable SELinux
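#######################################
# Put SELinux in permissive mode now and disable it for subsequent boots.
# This removes mandatory-access-control confinement from every service;
# SELINUX=permissive in /etc/selinux/config would keep the audit trail
# while still not blocking anything.
# Globals:   none
# Arguments: none
# Returns:   status of the sed rewrite
#######################################
Disabled_selinux() {
  # Close SELINUX. setenforce exits non-zero when SELinux is already
  # disabled, so only call it while the kernel is enforcing.
  if command -v getenforce >/dev/null 2>&1 && [[ "$(getenforce)" == "Enforcing" ]]; then
    setenforce 0
  fi
  # Anchored to the line start so comment lines that merely mention
  # "SELINUX=" are left intact.
  sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config
}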
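#######################################
# Disable every SysV service at boot except the keep list.
# iptables is on the keep list: Init_iptables writes rules and restarts the
# service, so turning it off here would leave the host unfiltered after the
# next reboot. TODO(review): consider keeping auditd as well, otherwise the
# audit log stops at boot.
# Globals:   LANG (exported as "en", as the original did)
# Arguments: none
# Outputs:   chkconfig diagnostics
# Returns:   0
#######################################
Stop_server() {
  local -ra keep=(crond sshd network rsyslog sysstat iptables)
  local svc keep_svc skip

  # `chkconfig --list` prints SysV services as "name 0:off 1:off ...";
  # selecting on that shape skips the xinetd section, whose lines the old
  # "| awk | bash" pipeline turned into bogus chkconfig commands. Names are
  # compared exactly instead of as egrep substrings.
  while read -r svc; do
    skip=0
    for keep_svc in "${keep[@]}"; do
      if [[ "$svc" == "$keep_svc" ]]; then
        skip=1
        break
      fi
    done
    if (( skip == 0 )); then
      chkconfig "$svc" off
    fi
  done < <(chkconfig --list 2>/dev/null | awk '$2 ~ /^0:/ {print $1}')
  export LANG=en
  #for server in $(chkconfig --list | grep 3:on | awk '{print $1}')
  # do
  #  chkconfig --level 3 $server off
  #done
  #
  #for server in crond network rsyslog sshd
  # do
  #  chkconfig --level 3 $server on
  #done
}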
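#######################################
# Replace /etc/sysconfig/iptables with a default-deny INPUT policy that
# allows loopback, related/established traffic, new TCP connections to
# 22 / 10086 / 80 and rate-limited ICMP, then load it and make sure the
# service starts at boot. The previous file is kept as iptables.<date>.
# Only IPv4 is configured here; ip6tables is not touched.
# TODO(review): confirm what listens on 10086 before keeping it open.
# Globals:   none
# Arguments: none
# Returns:   status of the iptables restart
#######################################
Init_iptables() {
  local -r rules=/etc/sysconfig/iptables
  if [[ -e "$rules" ]]; then
    /bin/mv "$rules" "${rules}.$(date +%F)"
  fi
  # NOTE(review): the syn-flood jump sits after the port 22/10086/80 accepts,
  # so SYNs to those ports never reach the rate limit; only SYNs to ports
  # that the final REJECT drops anyway are limited. Left in the author's
  # order because moving it would throttle the open ports to 3/sec.
  cat > "$rules" <<'EOF'
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10086 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
  modprobe bridge
  modprobe ip_conntrack
  # Persist the rule set across reboots as well as loading it now.
  chkconfig iptables on
  /etc/init.d/iptables restart
}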
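#######################################
# Run the whole initialisation. Start_tune prompts for confirmation and
# then runs check_env and tune itself, so they are not called here first:
# the original called them (under the undefined names Check_env / Tune)
# and then again through Start_tune, which would have run tune twice.
# Globals:   none
# Arguments: none
# Returns:   status of Init_iptables
#######################################
Sys_init() {
  Start_tune
  Disabled_selinux
  Stop_server
  Init_iptables
}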
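#######################################
# Give root a coloured prompt: add a PS1 line to /root/.bashrc once and
# reload the file. The original tested /root/.bashrc but appended to
# ~/.bashrc, which differ when HOME is inherited from a sudo caller; both
# now use the same path.
# Globals:   PS1 (via sourcing the file)
# Arguments: none
# Returns:   status of sourcing the file
#######################################
Color_env() {
  local -r bashrc=/root/.bashrc
  # shellcheck disable=SC2016 — the PS1 escapes must reach the file unexpanded
  local -r ps1_line='PS1="\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@\h \[\e[35;40m\]\w\[\e[0m\]]\\$ "'
  grep -q '^PS1' "$bashrc" 2>/dev/null || printf '%s\n' "$ps1_line" >> "$bashrc"
  # shellcheck disable=SC1090
  source "$bashrc"
}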
#######################################
# Script entry point: full system initialisation, then the root prompt.
#######################################
main() {
  Sys_init
  Color_env
}
main "$@"