今天跟大家分享一個我自己寫的Linux初始化腳本,自認為寫的不是很好。希望看到這篇文章的你,能暫時停留下你的腳步,給些修改意見,或者有什么需要補充的地方都可以提出來,大家共同進步,謝謝!
此腳本主要功能:1、關閉一些用不到的服務;2、關閉selinux;3、創建分區、格式化、掛載;4、設置一個ip命令別名;5、創建一個普通用戶,并禁止root用戶登陸;6、修改limit參數;7、配置時間同步;8、修改ssh端口號;9、初始化firewalld防火墻。
#!/bin/bash
#modify some service demeon # 關閉不需要用到的一些服務
systemctl disable acpid
systemctl disable ip6tables
systemctl disable mcelogd
systemctl disable mdmonitor
systemctl disable netfs
systemctl disable nfslock
systemctl disable openct
systemctl disable postfix
systemctl disable rpcbind
systemctl disable rpcgssd
systemctl disable rpcidmapd
systemctl disable auditd
systemctl disable haldaemon
systemctl disable lldpad
systemctl disable atd
systemctl disable kdump#Close selinux # 關閉selinux
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
sed -i 's/SELINUXTYPE=targeted/#&/' /etc/selinux/config
setenforce 0#Create new partitions # 創建分區,并格式化及掛載
NEWDISK="/dev/xvdb"
FDK=`fdisk -l $NEWDISK | grep $NEWDISK | wc -l`
if [ $FDK -eq 0 ] ; thenecho "沒有$NEWDISK設備,無法創建分區!"
elif [ $FDK -eq 1 ] ; thenfdisk $NEWDISK << EOF
n
p
1w
EOFpartprobesleep 2file ${NEWDISK}1if [ $? -eq 0 ] ; thenmkfs -t ext4 ${NEWDISK}1if [ $? -eq 0 ] && [ ! -d /data ] ; thenmkdir /datamount ${NEWDISK}1 /dataFST=`cat /etc/fstab | grep ${NEWDISK}1 | wc -l`if [ $FST -eq 0 ] ; thenecho "${NEWDISK}1 /data ext4 defaults 0 0" >> /etc/fstabecho "成功創建${NEWDISK}1分區,已成功格式化,并已掛載至/data下,已添加至/etc/fstab開機掛載!"elseecho "成功創建${NEWDISK}1分區,已成功格式化,并已掛載至/data下,請檢查/etc/fstab文件是否已添加開機掛載!"fielseecho "格式化${NEWDISK}1失敗;或者/data目錄已存在,掛載失敗!"fielseecho "沒有找到${NEWDISK}1分區,未格式化!"fi
elseecho "${NEWDISK}1分區已存在,無須再創建!"
fi#modify bashrc # 設置一個ip命令別名,用于查看本地IP地址
cat << EOF >>/etc/bashrc
alias ip='/sbin/ifconfig | grep '\''inet '\'' | awk '\''{print $2}'\'' | sed -e '\''/127\.0\.0\.1/d'\'''
EOF#Create an ordinary user # 創建一個xuad用戶,并允許其用sudo命令時不需要輸入密碼,并禁止root用戶登陸
NEWUSER="xuad"
PASS="JKbL*u#E%317Y8c"
id $NEWUSER
if [ $? -eq 0 ] ; thenecho "$NEWUSER賬戶已存在,無法創建!"
elseuseradd $NEWUSERecho $PASS | passwd --stdin $NEWUSERif [ $? -eq 0 ] ; thenecho "$NEWUSER賬戶創建成功!"sed -i "/^root/a\$NEWUSER\tALL=(ALL)\tNOPASSWD: ALL" /etc/sudoerssed -i '/^PermitRootLogin/s/^/#/g' /etc/ssh/sshd_configsed -i '/PermitRootLogin/a\PermitRootLogin no' /etc/ssh/sshd_configelseecho "$NEWUSER賬戶創建失敗!"fi
fi#system settings # 修改limit參數
cat << EOF >>/etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
EOF#設置開機自動同步時間
cat << EOF >>/etc/rc.d/rc.local
/usr/sbin/ntpdate ntp.xuadup.net && hwclock -w
EOF#modify ntp server # 每天早上6點自動同步時間
echo "00 */6 * * * /usr/sbin/ntpdate ntp.xuadup.net && hwclock -w">/tmp/ntpcron.txt;crontab /tmp/ntpcron.txt#modify ssh port # 修改ssh端口號
sed -i '/Port 22/s/^/#/g' /etc/ssh/sshd_config
sed -i '/Port 22/a\Port 5210' /etc/ssh/sshd_config
sed -i '/^GSSAPI/s/^/#/g' /etc/ssh/sshd_config
sed -i '/GSSAPI options/a\GSSAPIAuthentication no' /etc/ssh/sshd_config#service sshd restart # 重啟sshd服務,并執行防火墻策略
if [ $? -eq 0 ] ; thensystemctl restart sshdsh ./firewalld_linuxecho "sshd服務重啟成功,遠程登陸端口已設置為55210"
elseecho "sshd服務配置有問題,請檢查!"
fifirewalld防火墻腳本如下:
#!/bin/bash
systemctl stop firewalld
\cp -p /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/
systemctl start firewalld
firewall-cmd --set-default-zone=drop
firewall-cmd --permanent --zone=drop --change-interface=eth0
firewall-cmd --permanent --zone=drop --add-protocol=icmp
firewall-cmd --permanent --zone=drop --add-masquerade
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="192.168.2.208" port protocol="tcp" port="5210" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="192.168.2.206" port protocol="tcp" port="5210" accept"
firewall-cmd --permanent --zone=drop --add-rich-rule="rule family="ipv4" source address="116.226.230.115" port protocol="tcp" port="8023" accept"
firewall-cmd --reload轉載于:https://blog.51cto.com/andyxu/2143956
)
