系统初始化脚本和检查初始化结果脚本（centos7）

#!/bin/bash
#Author:mcsiberiawolf
#Time:2019-02-02 13:45:36
#Name:init_system.sh
#Version:V1.0
#Description: init system of CentOS7.

if [ "$UID" != "0" ]; then
    echo "Please run this script by root"
    exit 1
fi

#### 1.安装 epel 源
mod_yum() {
    if [ -e /etc/yum.repos.d/CentOS-Base.repo ]; then
        cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.default
        yum install -y epel-release  && yum clean all && yum makecache && yum -y update
    fi
}


#### 2. 关闭 selinux
close_selinux() {
    # close selinux
    sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
    # grep SELINUX=disabled /etc/selinux/config
    setenforce 0 &> /dev/null
    # getenforce
}


#### 3. 关闭 firewalld
close_firewalld() {
    systemctl stop firewalld.service && systemctl disable firewalld.service
}


#### 4. 安装常用软件包
install_softwares() {
    # 安装常用软件包
    if [ `rpm -qa vim lrzsz wget nmap nc tree curl tcpdump sysstat lsof net-tools ntpdate|wc -l` -lt 13 ]; then
        yum -y install vim lrzsz wget nmap nc tree curl tcpdump sysstat lsof net-tools ntpdate dos2unix
    fi
    # 安装开发者工具依赖包
    yum groups install "Development Tools" -y
}


#### 5. 添加用户
adduser() {
    if [ `grep -w ylmf /etc/passwd|wc -l` -lt 1 ]; then
        useradd ylmf
        echo test |passwd --stdin test
        \cp /etc/sudoers /etc/sudoers.ori
        echo "test ALL=(ALL) NOPASSWD: ALL " >>/etc/sudoers
        tail -1 /etc/sudoers
        visudo -c &>/dev/null
    fi
}


#### 6. 配置时区
time_sync() {
    if [ `timedatectl status|grep -w "Asia/Shanghai"|wc -l ` -lt 1 ]; then
        timedatectl set-timezone Asia/Shanghai
    fi
    #cron=/etc/crontab
    #if [ `grep -w "ntpdate" $cron|wc -l` -lt 1 ]; then
    #    echo '#time sync by mcsiberiawolf at 2019-02-02' >> $cron
    #    echo '*/5 * * * * /usr/sbin/ntpdate time.nist.gov > /dev/null 2>&1' >> $cron
    #    systemctl restart crond.service
    #    crontab -l
    #fi
}

#### 7. 配置环境变量
com_line_set() {
    if [ `egrep 'TMOUT|HISTSIZE|HISTFILESIZE' /etc/profile|wc -l` ]; then
        # 设置会话超时时间
        echo 'export TMOUT=1800' >> /etc/profile
        # 历史命令输出记录行数
        echo 'export HISTSIZE=1000' >> /etc/profile
        # 历史命令保存的记录总数
        echo 'export HISTFILESIZE=1000' >> /etc/profile
        # 历史命令输出格式
        echo  'export HISTTIMEFORMAT="%F %T `whoami` "' >> /etc/profile
        source /etc/profile
    fi
}

#### 8. 最大文件打开数（文件句柄）
open_file_set() {
    if [ `grep 65535 /etc/security/limits.conf|wc -l` -lt 1 ]; then
        #echo '*         -       nofile          65535' >> /etc/security/limits.conf
        echo '* soft nofile 65535' >> /etc/security/limits.conf
        echo '* hard nofile 65535' >> /etc/security/limits.conf 
        source /etc/security/limits.conf
    fi

    if [ `grep -w ulimit /etc/rc.local|wc -l` -lt 1 ]; then
        echo "ulimit -SHn 65535" >> /etc/rc.local
        source /etc/rc.local
    fi
}


#### 9. 系统内核优化
set_kernel() {
    config=/etc/sysctl.conf
    if [ `grep kernel_flag $config |wc -l` -lt 1 ]; then
        cat >>/etc/sysctl.conf<<-EOF
# kernel_flag
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.route.gc_timeout = 20
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000
#net.core.somaxconn = 262144
net.core.netdev_max_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.route.gc_timeout = 20
net.ipv4.ip_local_port_range = 10024  65535
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_wmem = 8192 131072 16777216
net.ipv4.tcp_rmem = 32768 131072 16777216
net.ipv4.tcp_mem = 94500000 915000000 927000000

fs.file-max = 65535
kernel.pid_max = 65536
net.ipv4.tcp_wmem = 4096 87380 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_max_syn_backlog = 10240

net.core.netdev_max_backlog = 262144
#net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30

net.ipv4.tcp_keepalive_time = 120
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_max_tw_buckets = 36000
EOF
        sysctl -p
    fi
}


#### 10. 配置 SSH
init_ssh() {
    \cp /etc/ssh/sshd_config /etc/ssh/sshd_config.`date +"%Y-%m-%d"`
    # sed -i 's%#Port 22%Port 25680%' /etc/ssh/sshd_config
    # 
    sed -i 's%#PermitRootLogin yes%PermitRootLogin yes%' /etc/ssh/sshd_config
    sed -i 's%#PermitEmptyPasswords no%PermitEmptyPasswords no%' /etc/ssh/sshd_config
    sed -i 's%#UseDNS yes%UseDNS no%' /etc/ssh/sshd_config
    systemctl restart sshd &> /dev/null
}


main() {
    mod_yum
    close_selinux
    close_firewalld
    install_softwares
    adduser
    time_sync
    com_line_set
    open_file_set
    set_kernel
    init_ssh
}

main

#!/bin/bash
#Author:mcsiberiawolf
#Time:2019-02-03 10:29:02
#Name:check_init_system.sh
#Version:V1.0
#Description: 检查系统初始化是否配置成功.

. /etc/init.d/functions

if [ "$UID" != "0" ]; then
    echo "Please run this script by root."
    exit 1
fi


. /etc/init.d/functions


check_yum() {
    epel=/etc/yum.repos.d/epel.repo
    if [ -e $epel ]; then
        action "epel repository has been set success" /bin/true
    else
        action "epel repository has been set fail" /bin/false
    fi
}

check_selinux() {
    config=/etc/selinux/config
    if [ `grep "SELINUX=disabled" $config|wc -l` -ge 1 ]; then
        action "selinux has been set success" /bin/true
    else
        action "selinux has been set fail" /bin/false
    fi
}

check_user() {
    user=ylmf
    
    if [ `getent passwd $user|wc -l` -ge 1 ]; then
        action "user has exised" /bin/true
    else
        action "user has not exised" /bin/false
    fi
}

check_timezone() {
    if [ `timedatectl status | grep "Asia/Shanghai"|wc -l` -ge 1 ]; then
        action "Timezone has been set success" /bin/true
    else
        action "Timezone has been set fail" /bin/false
    fi
}

check_com_line_set() {
    config=/etc/profile
    if [`grep -E ^'TMOUT|HISTSIZE|HISTFILESIZE' $config|wc -l` -ge 3]; then
        action "$config has been set success" /bin/true
    else
        action "$config has been set fail" /bin/false
    fi
}

check_kernel() {
    config=/etc/sysctl.conf
    if [ `grep ^[a-z] $config | wc -l` -ge 60 ]; then
        action "kernel has been set success" /bin/true
    else
        action "kernel has been set fail " /bin/false
    fi
}

check_open_file() {
    config=/etc/security/limits.conf
    if [ `grep 65535 $config | wc -l` -ge 2 ]; then
        action "open file has been set success" /bin/true
    else
        action "open file has been set fail" /bin/false
    fi
}

check_ssh() {
    config=/etc/ssh/sshd_config
    if [ `grep -E ^'PermitRootLogin|PermitEmptyPasswords|UseDNS' $config| wc -l` -ge 3 ]; then
        action "ssh has been set success" /bin/true
    else
        action "ssh has been set fail" /bin/false
    fi
}


main() {
    check_yum
    check_selinux
    check_user
    check_timezone
    check_com_line_set
    check_kernel
    check_open_file
    check_ssh
}

main