#!/bin/sh###open iptables service, allow this ports access 80, 3307, 21####function firewall() { service iptables start for Port in 21 80 3307 do iptables -I INPUT 5 -m state --state NEW -m tcp -p tcp --dport $Port -j ACCEPT done /etc/init.d/iptables save}###disable selinux service###function safety() { /usr/sbin/setenforce 0 sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/sysconfig/selinux}###edit os runlevel, 3 - Full multiuser mode###function runlevel() { sed -i 's/^id:[0-9]:initdefault:/id:3:initdefault:/' /etc/inittab}###thin systrv, initation system open this service: crond, iptables, network, sshd, rsyslog####function systrv() { Srv_List=`chkconfig --list|grep 3:on| awk '{print $1}'` for i in $Srv_List do chkconfig --level 3 $i off done for j in crond iptables network sshd rsyslog do chkconfig --level 3 $j on done}###add common user zkyw as operation account###function adduser() { /usr/sbin/useradd zkyw echo "zkyw@123" | passwd zkyw --stdin}###Optimization ssh service, alter default port 22, disable root login######function myssh() { sed -i 's/^#Port 22/Port 16182/' /etc/ssh/sshd_config #alter ssh default port 16182 sed -i 's/^PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config sed -i 's/^#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config sed -i 's/^#MaxAuthTries 6/MaxAuthTries 3/' /etc/ssh/sshd_config sed -i '$aAllowUsers zkyw' /etc/ssh/sshd_config #allow common user zkyw ssh login /etc/init.d/sshd reload}###clock Synchronous with internet time###function ntpclock() { /usr/sbin/ntpdate 202.120.2.101 echo "30 22 * * * /usr/sbin/ntpdate 202.120.2.101" >> /var/spool/cron/root /etc/init.d/crond reload}###lock the key files including: passwd、group、shadow、gshadow、inittab#####function lockfile() { for file in passwd group shadow gshadow inittab do chattr +i /etc/$file done}###alter max nofile and max user processes####function userlimit() { sed -i '$a* soft nofile 65536\n* hard nofile 65536' /etc/security/limits.conf sed -i 's/^/#/' /etc/security/limits.d/90-nproc.conf sed -i '$a* soft nproc 51200\nroot soft nproc unlimited' /etc/security/limits.d/90-nproc.conf}###optimization system kernel parameters, including tcp/ip protocal, iptables and so on####function syskernel() { cp /etc/sysctl.conf /etc/sysctl.conf.eri modprobe bridge ( cat << EOFnet.ipv4.tcp_fin_timeout = 2net.ipv4.tcp_tw_reuse = 1net.ipv4.tcp_tw_recycle = 1net.ipv4.tcp_syncookies = 1net.ipv4.tcp_keepalive_time = 600net.ipv4.ip_local_port_range = 4000 65000net.ipv4.tcp_max_syn_backlog = 16384net.ipv4.tcp_max_tw_buckets = 36000net.ipv4.route.gc_timeout = 100net.ipv4.tcp_syn_retries = 1net.ipv4.tcp_synack_retries = 1net.core.somaxconn = 16384net.core.netdev_max_backlog = 16384net.ipv4.tcp_max_orphans = 16384net.nf_conntrack_max = 25000000net.netfilter.nf_conntrack_max = 25000000net.netfilter.nf_conntrack_tcp_timeout_established = 180net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120EOF ) >> /etc/sysctl.conf /sbin/sysctl -p >/dev/null 2>&1}###delete some of no great importance users and groups####function cleanusers() { for user in adm lp sync shutdown halt uucp operator games gopher ftp do /usr/sbin/userdel $user done for gp in adm lp dip do /usr/sbin/groupdel $gp done}echo "Iptables Optimization Starting..."firewallecho "Selinux Disabled Starting..."safetyecho "Runlevel Optimization Starting..."runlevelecho "System Init Service Optimization Starting..."systrvecho "Add zkyw Common Account Starting..."adduserecho "SSH Service Optimization Starting..."mysshecho "Clock Synchronous Optimization Starting..."ntpclockecho "Max nofile and user processes Optimization Starting..."userlimitecho "System Kernel Parameters Optimization Starting..."syskernel