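#!/usr/bin/env bash
####close service
# Post-install bootstrap for a CentOS 6 style host (sysconfig/init.d layout):
# hostname, resolver, NTP, iptables, sshd port, kernel modules, sysctl, SELinux,
# service pruning, LDAP auth, sudo-ldap, rsyncd, shell-history logging, rsyslog.
# Must run as root. Every step is best-effort on purpose (no `set -e`): a failing
# step prints a red diagnostic and the script carries on.
#
# The stray site-tag words that had been glued onto the ends of these first
# lines ("linux", "centos", "bash", ...) broke both the assignments and the
# function definitions; they are removed here.

# Primary NTP server; the same address also serves as wget proxy, DNS and LDAP
# server further down.
TimeServerMaster="192.168.6.13"
# NOTE(review): the NTP cron line later in this file also expands
# ${TimeServerSalve} (sic), which is never assigned anywhere in the script —
# TODO confirm the intended secondary NTP server, or drop that fallback.
# Non-default listen port written into /etc/ssh/sshd_config.
SSHPort="58522"

# Print all arguments as one red line on stdout (used for error diagnostics).
# `printf` replaces `echo -ne` so that the text is never subject to
# word-splitting/globbing or to echo's option parsing.
echored() {
  printf '\033[31m%s\033[0m\n' "$*"
}

# Print all arguments as one green line on stdout.
echogreen() {
  printf '\033[32m%s\033[0m\n' "$*"
}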
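# ---- Hostname: "HK<3rd octet>-<4th octet>" of the first 192.168.x.x address ----
# NOTE(review): the pipeline assumes net-tools ifconfig output of the form
# "inet addr:A.B.C.D" (CentOS 6); newer net-tools print "inet A.B.C.D" and the
# `cut -d: -f2` would then yield nothing — TODO confirm on the target image.
# `head -n 1` keeps the first match; the original concatenated every matching
# line into IPN when a host had more than one 192.168 address.
IPN=$(ifconfig | grep 192.168 | awk '{print $2}' | cut -d: -f2 | awk -F. '{print $3"-"$4}' | head -n 1)
if [ -n "$IPN" ]; then
  HOSTNAME="HK$IPN"
  hostname "$HOSTNAME"
  sed -i "s/HOSTNAME=.*/HOSTNAME=$HOSTNAME/g" /etc/sysconfig/network
else
  # Without an address the original would have set the hostname to a bare "HK".
  echored "Error: no 192.168.x.x address found, hostname not changed."
fi
# Router (left disabled, as in the original)
#RouterIP=`cat /etc/sysconfig/network-scripts/ifcfg-$(ip addr li|egrep '\<10\.'|awk '{print $NF}' |tail -1)| grep IPADDR|awk -F= '{print $2}'|awk -F. '{print $1"."$2"."$3"."1}'`
#echo "10.0.0.0/16 via ${RouterIP}" > /etc/sysconfig/network-scripts/route-`ip addr li|egrep '\<10\.'|awk '{print $NF}' |tail -1`
# Drop any running DHCP client so it cannot overwrite the static addressing;
# "no process found" is expected and silenced.
killall -9 dhclient >/dev/null 2>&1
# Bring eth0/eth1 up at boot wherever an ifcfg file exists.
for nic in eth0 eth1; do
  ifcfg="/etc/sysconfig/network-scripts/ifcfg-$nic"
  [ -f "$ifcfg" ] && sed -i 's/ONBOOT=no/ONBOOT=yes/' "$ifcfg"
done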
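# ---- Resolver ----
# NOTE(review): 192.166.6.40 is outside the 192.168.6.0/24 range that every
# other address in this script uses — TODO confirm it is not a typo for
# 192.168.6.40 (a wrong second nameserver only shows up as slow lookups when
# the first one is down).
cat > /etc/resolv.conf <<'EOF'
#sky_Resolve_Conf
search localdomain
nameserver 192.168.6.13
nameserver 192.166.6.40
EOF
# wget is relied on by the iptables and admin-tools sections; report its
# installation failing here rather than letting those sections fail later
# with a less obvious error.
yum install wget -y || echored "Error: wget install fail, later downloads will fail."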
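# ---- NTP: ensure ntpdate exists, install a 5-minute cron sync, sync once now ----
# NOTE(review): ${TimeServerSalve} (sic) is expanded in the cron line below but
# is never assigned in this script, so the fallback ntpdate runs with no
# server argument — TODO confirm the intended secondary server.
if [ ! -f /usr/sbin/ntpdate ]; then
  yum -q -y install ntp || { echored "Error: pls install ntp server."; exit 1; }
fi
# The entry is appended straight into root's spool file (no crontab syntax
# check); `crontab -l` is used afterwards to confirm cron can see it.
cronline="*/5 * * * * /usr/sbin/ntpdate ${TimeServerMaster} >> /var/log/uptime.log 2>&1 || /usr/sbin/ntpdate ${TimeServerSalve} >> /var/log/uptime.log 2>&1;/sbin/hwclock -w"
if ! grep -q "/usr/sbin/ntpdate ${TimeServerMaster}" /var/spool/cron/root 2>/dev/null; then
  printf '%s\n' "$cronline" >> /var/spool/cron/root
fi
crontab -l 2>/dev/null | grep -q "ntpdate ${TimeServerMaster}" || echored "Error: Ntp error."
# One-off sync. `hwclock` without -w only reads the RTC back, exactly as the
# original did; the cron entry is what writes it (-w). Presumably -w was meant
# here too — left unchanged, TODO confirm.
if /usr/sbin/ntpdate "${TimeServerMaster}" >/dev/null 2>&1 && /sbin/hwclock >/dev/null 2>&1; then
  echo "Current Date is: $(date +"%Y-%m-%d %H:%M:%S")"
else
  echored "Error: Sync time fail,pls check it."
fi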
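# ---- iptables: fetch the ruleset, restart the service, enable at boot ----
# NOTE(review): the ruleset is fetched over plain HTTP via the 192.168.6.13
# proxy with no integrity check, so whatever answers for yum.sky.com (or the
# proxy) decides this host's firewall policy. A signed or hash-pinned ruleset,
# or an HTTPS source with a pinned CA, would close that gap.
# `wget -O target` truncates the target before the transfer starts, so a
# failed download used to leave an empty /etc/sysconfig/iptables behind and the
# unconditional restart then ran with no rules at all. Download to a temp file
# next to the target and move it into place only when the transfer succeeded
# and produced a non-empty file.
iptables_tmp=$(mktemp /etc/sysconfig/iptables.XXXXXX)
if [ -n "$iptables_tmp" ] \
  && wget "http://yum.sky.com/config/iptables" -e http-proxy=192.168.6.13 -O "$iptables_tmp" \
  && [ -s "$iptables_tmp" ]; then
  mv -f -- "$iptables_tmp" /etc/sysconfig/iptables
  /etc/init.d/iptables restart
else
  [ -n "$iptables_tmp" ] && rm -f -- "$iptables_tmp"
  echored "Error: iptables error,pls check."
fi
chkconfig iptables on
#{ wget -q -O /etc/sysconfig/iptables "http://192.168.6.13/config/iptables" && /etc/init.d/iptables restart >/dev/null 2>&1;} || echored "Error: iptables error,pls check."
#chkconfig --add iptables;chkconfig iptables on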
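#SSH
# ---- sshd: move to ${SSHPort}, disable reverse DNS lookups, restart, verify ----
# The sed only rewrites the stock commented "#Port 22" line; a config where
# Port is already set explicitly is left alone (same as the original).
if [ -f /etc/ssh/sshd_config ]; then
  sed -i "s/#Port 22/Port ${SSHPort}/" /etc/ssh/sshd_config
  sed -i 's/^#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
  # Validate before restarting: a broken config would otherwise stop sshd and
  # lock out remote access (this script is usually run over ssh).
  if /usr/sbin/sshd -t >/dev/null 2>&1; then
    /etc/init.d/sshd restart >/dev/null 2>&1
  else
    echored "Error: sshd_config failed validation, sshd not restarted."
  fi
fi
sleep 1
# The original `{ netstat ...; sleep 1; } && nc -z ...` only ever tested nc,
# because the group's status was sleep's; both checks now count.
# NOTE(review): SELinux is only switched to permissive later in this script;
# with the targeted policy still enforcing at this point, sshd presumably
# cannot bind a port other than 22 until that port is labelled ssh_port_t —
# if "SSH not work" shows up, run the SELinux step before this one.
if ! { netstat -lntp 2>/dev/null | grep sshd | grep -q "${SSHPort}"; } \
  || ! nc -z localhost "${SSHPort}" >/dev/null 2>&1; then
  echored "Error: SSH not work."
fi
# Load the modules now and persist them in rc.local. The original
# `modprobe && grep || echo` also appended a line whenever modprobe itself
# failed (duplicating it on every run); the append now depends only on
# whether the line is already present.
for mod in ppp_mppe nf_conntrack_ipv4 nf_conntrack_ipv6 bridge; do
  /sbin/modprobe "$mod" || echored "Error: modprobe $mod fail."
  grep -q "/sbin/modprobe $mod" /etc/rc.local || echo "/sbin/modprobe $mod" >> /etc/rc.local
done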
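# kernel mod options optimize
# ---- Kernel network tuning, appended once (keyed on the _MODIFIED_SKY_ marker) ----
# NOTE(review): with net.ipv4.tcp_timestamps = 0 below, both tcp_tw_reuse and
# tcp_tw_recycle are inert (both need TCP timestamps). tcp_tw_recycle also
# rejects connections from clients behind NAT and was removed from Linux in
# 4.12, so it is best dropped on any newer kernel.
# NOTE(review): net.nf_conntrack_max = 262144000 is ~250x the 1048576 quoted in
# the notes at the end of this file; each entry costs kernel memory, so
# confirm the intended value against the host's RAM.
# The duplicate keys in the original list (tcp_syncookies, tcp_tw_reuse,
# tcp_tw_recycle, netdev_max_backlog) carried identical values and are listed once.
# The net.netfilter.* / net.nf_conntrack_max keys only exist once nf_conntrack
# is loaded, hence the modprobe before `sysctl -p`; presumably the commented
# rc.local lines below were meant to make that hold at boot as well — TODO confirm.
if ! grep -q "_MODIFIED_SKY_" /etc/sysctl.conf 2>/dev/null; then
  cat >> /etc/sysctl.conf <<'EOF'

#_MODIFIED_SKY_
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_retrans_collapse = 0
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_tw_buckets = 50000
net.ipv4.tcp_timestamps = 0
net.nf_conntrack_max = 262144000
net.netfilter.nf_conntrack_tcp_timeout_established = 300
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.tcp_max_syn_backlog = 262144
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.somaxconn = 262144
fs.file-max = 65535000
EOF
  modprobe nf_conntrack >/dev/null 2>&1 && sysctl -p >/dev/null 2>&1
fi
#if ! grep "modprobe ip_conntrack" /etc/rc.local >/dev/null 2>&1;then echo "modprobe ip_conntrack" >> /etc/rc.local;fi
#if ! grep "sysctl -p" /etc/rc.local >/dev/null 2>&1;then echo "sysctl -p" >> /etc/rc.local;fi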
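#Disable selinux
# ---- SELinux off (permissive now, disabled after reboot), text-mode runlevel ----
# NOTE(review): this turns SELinux off for the whole host instead of labelling
# the non-standard ssh port and the LDAP/rsync daemons set up below. It is the
# original policy and is kept, but it removes a containment layer from every
# network-facing service this script configures.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=targeted/' /etc/selinux/config
setenforce 0 >/dev/null 2>&1
#Boot option
# Runlevel 3 instead of 5. Anchored on the full "id:5:initdefault:" field so
# that only the runlevel digit changes (the original `/initdefault/s/5/3/g`
# rewrote every '5' on any line mentioning initdefault).
sed -i 's/^id:5:initdefault:/id:3:initdefault:/' /etc/inittab || echored "Error: Modify boot option fail."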
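#Shutdown and stop some services && start network
# ---- Stop and disable every runlevel-3 service not on the allow-list ----
# The allow-list is matched as an unanchored substring (grep -E), as in the
# original, so e.g. "networkmanager"-style names would also be kept.
keep_services='crond|iptables|network|rsyslog|sshd|snmpd|xinetd|nslcd'
while IFS= read -r serv; do
  [ -n "$serv" ] || continue
  /etc/init.d/"$serv" stop
  chkconfig --level 35 "$serv" off
done < <(chkconfig --list | grep 3:on | awk '{print $1}' | grep -v -E "$keep_services")
# Make sure networking itself stays enabled at boot.
chkconfig network on >/dev/null 2>&1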
#Ulimits
# ---- Raise open-file and process limits for all users (append once each) ----
# NOTE(review): on CentOS 6 /etc/security/limits.d/90-nproc.conf is read after
# limits.conf and presumably caps soft nproc at 1024 for non-root users,
# overriding the line added here — TODO confirm on the target image.
for lim in nofile nproc; do
  if ! grep -q " - $lim 65535" /etc/security/limits.conf; then
    echo "* - $lim 65535" >> /etc/security/limits.conf
  fi
done
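#install admin-tools
# ---- Download and install the in-house admin RPM ----
# The original had a stray bare line "admin-1.0-1.x86_64.rpm" here that ran
# as a command and failed with "command not found"; removed.
# NOTE(review): the package comes over plain HTTP through the proxy and is
# installed with `rpm -ivh`, which only enforces a GPG signature when the
# signing key is already imported; a hash or signature check on the file
# would be needed to trust what gets installed as root.
admin_rpm="admin-1.0-1.x86_64.rpm"
admin_tmp=$(mktemp -d)
if [ -n "$admin_tmp" ] \
  && wget "http://yum.sky.com/centos/6/x86_64/RPMS/$admin_rpm" -e http-proxy=192.168.6.13 -O "$admin_tmp/$admin_rpm" \
  && rpm -ivh "$admin_tmp/$admin_rpm"; then
  /etc/init.d/admin restart
else
  echored "Error: admin-tools install fail,pls check."
fi
# The downloaded file is no longer left in the working directory.
[ -n "$admin_tmp" ] && rm -rf -- "$admin_tmp"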
# Set history
## echo "history command config..."
# (disabled in the original; kept for reference)
#if ! grep "HISTTIMEFORMAT" /etc/profile >/dev/null 2>&1;then echo 'export HISTTIMEFORMAT="%F %T `whoami` "' >> /etc/profile;fi
#source /etc/profile
# Kill user login from local
# Kill every process whose controlling terminal (column 2 of `ps ax`) is tty1,
# i.e. whatever is attached to the first virtual console; presumably init
# respawns the getty, so it is an existing console session that gets dropped.
ps ax | awk '$2 == "tty1" { system("kill -9 " $1) }'
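###ldap
# ---- LDAP client authentication: authconfig flags and PAM stack ----
yum install openldap-devel nss-pam-ldapd openldap pam_ldap openldap-clients -y
# Replace the authconfig flags: delete any existing value, then append ours.
# NOTE(review): /etc/sysconfig/authconfig is read by authconfig itself and
# nothing here runs `authconfig --update`, so these flags presumably only take
# effect the next time authconfig is invoked — TODO confirm.
sed -i "/^CACHECREDENTIALS=/d;/^USESHADOW=/d;/^USELDAPAUTH=/d;/^USELDAP=/d;/^USECRACKLIB=/d;/^USELOCAUTHORIZE=/d" /etc/sysconfig/authconfig
cat >> /etc/sysconfig/authconfig <<'EOF'
CACHECREDENTIALS=yes
USESHADOW=yes
USELDAPAUTH=yes
USELDAP=yes
USECRACKLIB=yes
USELOCAUTHORIZE=yes
EOF
# PAM: append the pam_ldap / pam_mkhomedir lines unless already present.
# `grep -qF` replaces the bare grep, which printed every matched line to
# stdout on each run.
# NOTE(review): the lines are appended after whatever is already in the file
# (authconfig-generated stacks typically end auth with pam_deny.so); a
# `sufficient` pam_ldap placed after a failing `required` module cannot
# rescue the stack, so whether LDAP logins work depends on the stack order
# actually present — verify with a test login. The patterns use single
# spaces, so an existing entry with different spacing is not detected and
# gets duplicated.
mkhomedir_line='session optional pam_mkhomedir.so skel=/etc/skel umask=0022'
grep -qF -- "$mkhomedir_line" /etc/pam.d/system-auth || echo "$mkhomedir_line" >> /etc/pam.d/system-auth
if ! grep -qF 'auth sufficient pam_ldap.so use_first_pass' /etc/pam.d/system-auth; then
  cat >> /etc/pam.d/system-auth <<'EOF'
auth sufficient pam_ldap.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_ldap.so use_authtok
session optional pam_ldap.so
EOF
fi
if ! grep -qF 'auth sufficient pam_ldap.so use_first_pass' /etc/pam.d/password-auth; then
  cat >> /etc/pam.d/password-auth <<'EOF'
auth sufficient pam_ldap.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
password sufficient pam_ldap.so use_authtok
session optional pam_ldap.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
EOF
fi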
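# ---- pam_ldap / nslcd / OpenLDAP client configuration ----
# NOTE(review): `ssl no` in both pam_ldap.conf and nslcd.conf means every bind
# — including the user password pam_ldap sends to authenticate a login —
# crosses the network to 192.168.6.13 in the clear. A cacert directory is
# already configured, so `ssl start_tls` (or an ldaps:// URI) would protect
# it. `pam_password md5` stores MD5 hashes for passwords changed via pam_ldap.
cat > /etc/pam_ldap.conf <<'EOF'
base dc=sky,dc=com
uri ldap://192.168.6.13/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
EOF
# nslcd.conf is only (re)written when it does not already point at the
# server, so a hand-tuned file survives re-runs; pam_ldap.conf above is
# rewritten unconditionally, as in the original. `grep -q` silences the
# matched line the original printed on every run.
if ! grep -qF 'uri ldap://192.168.6.13/' /etc/nslcd.conf 2>/dev/null; then
  cat > /etc/nslcd.conf <<'EOF'
uid nslcd
gid ldap
uri ldap://192.168.6.13/
base dc=sky,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
EOF
fi
#sed -i "/^passwd: files/adow: files/shadow: files ldap/g;s/^group: files/group: files ldap/g;" /etc/nsswitch.conf
# Add ldap after files, but only on the stock "files"-only lines (anchored
# with $), so an already-extended line is not touched.
sed -i "s/^passwd: files$/passwd: files ldap/g;s/^shadow: files$/shadow: files ldap/g;s/^group: files$/group: files ldap/g;" /etc/nsswitch.conf
cat > /etc/openldap/ldap.conf <<'EOF'
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://192.168.6.13
BASE dc=sky,dc=com
EOF
chkconfig --level 35 nslcd on
/etc/init.d/nslcd restart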
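####sudo config
# ---- sudo rules from LDAP ----
yum install sudo -y
# NOTE(review): `sudoers: ldap` with no `files` entry presumably means
# /etc/sudoers is no longer consulted at all (the usual form is
# `sudoers: files ldap`) — TODO confirm that is intended.
grep -qF 'sudoers: ldap' /etc/nsswitch.conf || echo 'sudoers: ldap' >> /etc/nsswitch.conf
# NOTE(review): plain ldap:// again — the sudo rules arrive unencrypted and
# unauthenticated, so their integrity rests entirely on the network path to
# 192.168.6.13.
cat > /etc/sudo-ldap.conf <<'EOF'
uri ldap://192.168.6.13
sudoers_base ou=SUDOers,dc=sky,dc=com
EOF
# Presumably restricts pam_ldap logins to members of gid 1000/1001; appended
# once. The original `[ -f ] && grep -q || echo` behaved identically when the
# file was missing (grep fails, echo creates it), so the -f test is dropped.
pam_filter_line='pam_filter |(gidNumber=1000)(gidNumber=1001)'
grep -qF -- "$pam_filter_line" /etc/pam_ldap.conf 2>/dev/null || echo "$pam_filter_line" >> /etc/pam_ldap.conf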
###install rsync
# ---- rsync daemon under xinetd, exporting /data/app/project ----
# NOTE(review): the [ project ] module runs as root (its uid/gid override the
# global nobody), is writable (read only = no) and is guarded only by
# `hosts allow` on two source addresses; there is no `auth users` /
# `secrets file`, so anything able to present one of those addresses gets
# root-level write access inside the module tree (use chroot = yes keeps it
# from reaching outside that tree).
# The whole sequence is one && chain: the config is only written after the
# packages and the xinetd enable succeed, and xinetd is only restarted once
# the config is in place.
yum install rsync xinetd -y \
  && sed -i "s/disable.*/disable = no/g" /etc/xinetd.d/rsync \
  && cat > /etc/rsyncd.conf <<'EOF' \
  && /etc/init.d/xinetd restart
uid = nobody
gid = nobody
use chroot = yes
max connections = 30
pid file=/var/run/rsyncd.pid
log file=/var/log/rsyncd.log
list = no
[ project ]
gid=root
uid=root
path = /data/app/project
hosts allow = 192.168.6.253,192.168.6.13
read only = no
EOF
# ---- Interactive shell history to syslog (system-wide bashrc) ----
# Every `history -a` flush is tee'd to ~/.bash_history and piped to logger,
# tagged "<user>[<pid>] (<SSH_CONNECTION>) bash". `readonly` stops the session
# from reassigning PROMPT_COMMAND (tools that set it will get an error).
# NOTE(review): full command lines are logged, so anything passed as an
# argument — tokens, passwords — lands in syslog and, with the rsyslog
# forwarding configured later in this script, on the remote log host; plan
# retention and access control for those logs accordingly.
if ! grep -q 'tee -a ~/.bash_history' /etc/bashrc; then
  cat >> /etc/bashrc <<'EOF'

shopt -s histappend
readonly PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t "$USER[$$] ($SSH_CONNECTION) bash")'
EOF
fi
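# ---- rsyslog: forward authpriv and everything at info+ to the central log host ----
# NOTE(review): "@@host" is plain TCP — no TLS — so the transport is neither
# encrypted nor authenticated; rsyslog's gtls driver or a tunnelled path would
# be needed for that. Presumably no disk-assisted action queue is configured
# elsewhere in rsyslog.conf, in which case messages during a log-host outage
# can be lost — TODO confirm.
# `grep -q` replaces the bare grep, which printed the matched line on every run.
yum install rsyslog -y
if ! grep -q '192.168.6.88' /etc/rsyslog.conf; then
  cat >> /etc/rsyslog.conf <<'EOF'

$SystemLogRateLimitInterval 60
$SystemLogRateLimitBurst 6000
authpriv.*;*.info @@192.168.6.88
EOF
fi
/etc/init.d/rsyslog restart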
內核參數解釋:
net.ipv4.tcp_tw_reuse = 1 選項用於設置開啓重用,允許將TIME-WAIT sockets重新用於新的TCP連接。
net.ipv4.tcp_tw_recycle = 1 選項用於設置啓用timewait快速回收。
net.ipv4.tcp_syncookies = 1 選項用於設置開啓SYN Cookies,當出現SYN等待隊列溢出時,啓用cookies進行處理。
net.ipv4.tcp_fin_timeout = 30 選項決定了套接字保持在FIN-WAIT-2狀態的時間。默認值是60秒。正確設置這個值非常重要,
有時即使一個負載很小的Web服務器,也會出現大量的死套接字而產生內存溢出的風險。
net.ipv4.tcp_keepalive_time = 1200 選項表示當keepalive啓用的時候,TCP發送keepalive消息的頻度。默認值是2(單位是小時),
這裏是1200s(20分鐘)。
net.ipv4.tcp_retrans_collapse = 0 這個參數控制tcp雙方window協商出現錯誤的時候的一些重傳行爲,默認爲1。但在老的內
核裏,這個參數的重傳會導致kernel oops、kernel panic,因此,如果出現有tcp retrans字樣的kernel panic,就要把這個參數設
置爲0。這樣能夠提高linux對端連接負載的能力。
net.ipv4.ip_local_port_range = 1024 65000 選項用來設定容許系統打開的端口範圍
net.ipv4.tcp_max_tw_buckets = 50000 選項用來設定timewait的數量,默認是180 000
net.ipv4.tcp_timestamps = 0 是否啓用以一種比超時重發更精確的方法(請參閱 RFC 1323)來啓用對 RTT 的計算
net.nf_conntrack_max = 1048576 允許的最大跟蹤連接條目數,是在內核內存中netfilter能夠同時處理的「任務」(連接跟蹤條
目),如果是32位架構,不宜設置過大。
net.netfilter.nf_conntrack_tcp_timeout_established = 300
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.tcp_max_syn_backlog = 262144 表示SYN隊列的長度,默認爲1024,加大隊列長度,能夠容納更多等待連接的網絡連接數。
net.core.netdev_max_backlog = 262144 每一個網絡接口接收數據包的速率比內核處理這些包的速率快時,容許送到隊列的數據包
的最大數目
net.ipv4.tcp_rmem = 4096 87380 4194304 tcp接收緩存區
net.ipv4.tcp_wmem = 4096 16384 4194304 tcp發送緩衝區
net.core.wmem_default = 8388608 該文件指定了發送套接字緩衝區大小的缺省值(以字節爲單位)
net.core.rmem_default = 8388608 指定了接收套接字緩衝區大小的缺省值(以字節爲單位)。
net.core.rmem_max = 16777216 指定了接收套接字緩衝區大小的最大值(以字節爲單位)。
net.core.wmem_max = 16777216 指定了發送套接字緩衝區大小的最大值(以字節爲單位)。
net.core.netdev_max_backlog = 262144 每一個網絡接口接收數據包的速率比內核處理這些包的速率快時,容許送到隊列的數據包
的最大數目。
net.core.somaxconn = 32768