今天跟大家分享一个我自己写的Linux初始化脚本,自认为写的不是很好。希望看到这篇文章的你,能暂时停留下你的脚步,给些修改意见,或者有什么需要补充的地方都可以提出来,大家共同进步,谢谢!
此脚本主要功能:1、关闭一些用不到的服务;2、关闭selinux;3、创建分区、格式化、挂载;4、设置一个ip命令别名;5、创建一个普通用户,并禁止root用户登陆;6、修改limit参数;7、配置时间同步;8、修改ssh端口号;9、初始化firewalld防火墙。
#!/bin/bash
#modify some service demeon # 关闭不需要用到的一些服务
systemctl disable acpid
systemctl disable ip6tables
systemctl disable mcelogd
systemctl disable mdmonitor
systemctl disable netfs
systemctl disable nfslock
systemctl disable openct
systemctl disable postfix
systemctl disable rpcbind
systemctl disable rpcgssd
systemctl disable rpcidmapd
systemctl disable auditd
systemctl disable haldaemon
systemctl disable lldpad
systemctl disable atd
systemctl disable kdump#Close selinux # 关闭selinux
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
sed -i 's/SELINUXTYPE=targeted/#&/' /etc/selinux/config
setenforce 0#Create new partitions # 创建分区,并格式化及挂载
NEWDISK="/dev/xvdb"
FDK=`fdisk -l $NEWDISK | grep $NEWDISK | wc -l`
if [ $FDK -eq 0 ] ; thenecho "没有$NEWDISK设备,无法创建分区!"
elif [ $FDK -eq 1 ] ; thenfdisk $NEWDISK << EOF
n
p
1w
EOFpartprobesleep 2file ${NEWDISK}1if [ $? -eq 0 ] ; thenmkfs -t ext4 ${NEWDISK}1if [ $? -eq 0 ] && [ ! -d /data ] ; thenmkdir /datamount ${NEWDISK}1 /dataFST=`cat /etc/fstab | grep ${NEWDISK}1 | wc -l`if [ $FST -eq 0 ] ; thenecho "${NEWDISK}1 /data ext4 defaults 0 0" >> /etc/fstabecho "成功创建${NEWDISK}1分区,已成功格式化,并已挂载至/data下,已添加至/etc/fstab开机挂载!"elseecho "成功创建${NEWDISK}1分区,已成功格式化,并已挂载至/data下,请检查/etc/fstab文件是否已添加开机挂载!"fielseecho "格式化${NEWDISK}1失败;或者/data目录已存在,挂载失败!"fielseecho "没有找到${NEWDISK}1分区,未格式化!"fi
elseecho "${NEWDISK}1分区已存在,无须再创建!"
fi#modify bashrc # 设置一个ip命令别名,用于查看本地IP地址
cat << EOF >>/etc/bashrc
alias ip='/sbin/ifconfig | grep '\''inet '\'' | awk '\''{print $2}'\'' | sed -e '\''/127\.0\.0\.1/d'\'''
EOF#Create an ordinary user # 创建一个xuad用户,并允许其用sudo命令时不需要输入密码,并禁止root用户登陆
NEWUSER="xuad"
PASS="JKbL*u#E%317Y8c"
id $NEWUSER
if [ $? -eq 0 ] ; thenecho "$NEWUSER账户已存在,无法创建!"
elseuseradd $NEWUSERecho $PASS | passwd --stdin $NEWUSERif [ $? -eq 0 ] ; thenecho "$NEWUSER账户创建成功!"sed -i "/^root/a\$NEWUSER\tALL=(ALL)\tNOPASSWD: ALL" /etc/sudoerssed -i '/^PermitRootLogin/s/^/#/g' /etc/ssh/sshd_configsed -i '/PermitRootLogin/a\PermitRootLogin no' /etc/ssh/sshd_configelseecho "$NEWUSER账户创建失败!"fi
fi#system settings # 修改limit参数
cat << EOF >>/etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
EOF#设置开机自动同步时间
cat << EOF >>/etc/rc.d/rc.local
/usr/sbin/ntpdate ntp.xuadup.net && hwclock -w
EOF#modify ntp server # 每天早上6点自动同步时间
echo "00 */6 * * * /usr/sbin/ntpdate ntp.xuadup.net && hwclock -w">/tmp/ntpcron.txt;crontab /tmp/ntpcron.txt#modify ssh port # 修改ssh端口号
sed -i '/Port 22/s/^/#/g' /etc/ssh/sshd_config
sed -i '/Port 22/a\Port 5210' /etc/ssh/sshd_config
sed -i '/^GSSAPI/s/^/#/g' /etc/ssh/sshd_config
sed -i '/GSSAPI options/a\GSSAPIAuthentication no' /etc/ssh/sshd_config#service sshd restart # 重启sshd服务,并执行防火墙策略
if [ $? -eq 0 ] ; thensystemctl restart sshdsh ./firewalld_linuxecho "sshd服务重启成功,远程登陆端口已设置为55210"
elseecho "sshd服务配置有问题,请检查!"
fifirewalld防火墙脚本如下:
#!/bin/bash
systemctl stop firewalld
\cp -p /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/
systemctl start firewalld
firewall-cmd --set-default-zone=drop
firewall-cmd --permanent --zone=drop --change-interface=eth0
firewall-cmd --permanent --zone=drop --add-protocol=icmp
firewall-cmd --permanent --zone=drop --add-masquerade
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="192.168.2.208" port protocol="tcp" port="5210" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="192.168.2.206" port protocol="tcp" port="5210" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="116.226.230.115" port protocol="tcp" port="8023" accept"
firewall-cmd --reload转载于:https://blog.51cto.com/andyxu/2143956
)
