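#!/bin/bash
# Author: cnscn <http://www.redlinux.org>
# Collected from the net, given back to the net.
#
# Post-install tuning / hardening for RHEL- and CentOS 5-era hosts (SysV init,
# /etc/inittab, chkconfig, /etc/modprobe.conf).  Run once, as root.
#
# Reviewer notes:
#   * Several steps trade security for convenience or throughput: SELinux off,
#     host firewall off, shell history wiped on logout.  They are kept (the
#     defaults below reproduce the original behaviour) but gated behind
#     variables so a site can opt out without editing the body.
#   * Every "echo >> file" goes through append_once so re-running the script
#     does not stack duplicate lines; sed patterns are anchored to the start of
#     the line for the same reason.
#   * No `set -e` on purpose: steps legitimately fail on hosts that lack a
#     given service or file, and the script is meant to carry on past them.
#   * The "audit scans" section only prints; it changes nothing.

DISABLE_SELINUX=${DISABLE_SELINUX:-yes}       # "no" keeps SELinux enforcing
DISABLE_FIREWALL=${DISABLE_FIREWALL:-yes}     # "no" keeps iptables/ip6tables
WIPE_BASH_HISTORY=${WIPE_BASH_HISTORY:-yes}   # "no" keeps shell history for forensics
NOFILE_LIMIT=${NOFILE_LIMIT:-100000}          # per-process open files
FILE_MAX=${FILE_MAX:-200000}                  # system-wide open files; keep >= NOFILE_LIMIT
TIMEZONE=${TIMEZONE:-Asia/Shanghai}
# Site-specific: the original hard-coded two Shanghai Telecom resolvers.
NAMESERVERS=${NAMESERVERS:-"202.96.209.133 202.96.209.5"}

if [ "$(id -u)" -ne 0 ]; then
  echo "this script must be run as root" >&2
  exit 1
fi

# append_once LINE FILE -- append LINE to FILE unless an identical line exists.
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# disable_service NAME -- remove from all runlevels and stop it now.
# chkconfig fails (and the stop is skipped) when the service is not installed.
disable_service() {
  /sbin/chkconfig "$1" off && service "$1" stop
}

# --- Ctrl-Alt-Del ------------------------------------------------------------
# BUG FIX: the original wrote 1 here.  kernel.ctrl-alt-del=1 makes the kernel
# reboot IMMEDIATELY on Ctrl-Alt-Del without syncing -- the opposite of
# disabling it.  0 hands the key to init; with the inittab entry commented out
# below, init then ignores it.
append_once 'echo 0 > /proc/sys/kernel/ctrl-alt-del' /etc/rc.local
echo 0 > /proc/sys/kernel/ctrl-alt-del
/bin/sed -i 's!^ca::ctrlaltdel:/sbin/shutdown!#ca::ctrlaltdel:/sbin/shutdown!' /etc/inittab
/sbin/init q

# --- SELinux -----------------------------------------------------------------
if [ "$DISABLE_SELINUX" = yes ]; then
  # WARNING: hardening regression.  Prefer SELINUX=permissive while tuning
  # policy; "disabled" requires a full relabel to turn back on later.
  /bin/sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
  /usr/sbin/setenforce 0
fi

# --- Per-process open-file limit ---------------------------------------------
append_once "* - nofile $NOFILE_LIMIT" /etc/security/limits.conf
# pam_limits does not apply "*" to root; root needs an explicit entry.
append_once "root - nofile $NOFILE_LIMIT" /etc/security/limits.conf
# Note: this prints "cannot modify limit" at login for any user whose hard
# limit is below NOFILE_LIMIT (e.g. a login path that bypasses pam_limits).
append_once "ulimit -n $NOFILE_LIMIT" /etc/profile
ulimit -n "$NOFILE_LIMIT"

# --- Unneeded services -------------------------------------------------------
# Stopping postfix/sendmail means locally generated mail (cron output etc.)
# is no longer delivered anywhere; yum-updatesd off means no automatic updates.
for svc in apmd autofs avahi-daemon bluetooth cups firstboot hidd isdn kudzu \
           mcstrans mdmonitor netfs nfslock pcscd postfix portmap rpcgssd \
           rpcidmapd rpcbind sendmail setroubleshoot yum-updatesd; do
  disable_service "$svc"
done
# Console mouse only on the text runlevel.
/sbin/chkconfig --level 3 gpm on
/sbin/chkconfig --level 5 gpm off
if [ "$DISABLE_FIREWALL" = yes ]; then
  # WARNING: this removes the host firewall entirely.  Only acceptable when a
  # network firewall in front of the host is known to be in place.
  disable_service ip6tables
  disable_service iptables
fi

# --- Password / login policy (left disabled, as in the original) ------------
# Minimum password length:
#sed -i 's/^PASS_MIN_LEN.*/PASS_MIN_LEN 8/' /etc/login.defs
# Idle-shell auto-logout (seconds):
#echo 'TMOUT=300' >> /etc/profile
# Restrict su to members of wheel.  NOTE: the original recipe was a no-op --
# adding "debug" to pam_rootok changes nothing, and the pam_wheel line in
# /etc/pam.d/su ships commented out, so a sed that only edits its options
# leaves it commented.  This form uncomments it instead:
#sed -i 's/^#\(auth[[:space:]]\+required[[:space:]]\+pam_wheel.so use_uid\)/\1/' /etc/pam.d/su
# Forbid direct root login over ssh:
#sed -i 's/^#\?PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config

# --- Shell history -----------------------------------------------------------
if [ "$WIPE_BASH_HISTORY" = yes ]; then
  # Forensics caveat: a 30-line history that is deleted on logout is exactly
  # what an intruder would set up to cover their tracks, and it leaves incident
  # responders nothing to reconstruct a session from.  Set WIPE_BASH_HISTORY=no
  # on any host you may need to investigate.  The .bash_logout change only
  # reaches accounts created after this point (it edits /etc/skel).
  sed -i 's/^HISTSIZE=1000/HISTSIZE=30/' /etc/profile
  append_once 'rm -f $HOME/.bash_history' /etc/skel/.bash_logout
fi

# --- sshd: faster logins -----------------------------------------------------
sed -i 's/^GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/^GSSAPICleanupCredentials yes/GSSAPICleanupCredentials no/' /etc/ssh/sshd_config
# sshd honours the FIRST occurrence of a keyword, so appending at EOF only
# works while no uncommented UseDNS line precedes it (RHEL 5 ships it commented).
append_once 'UseDNS=no' /etc/ssh/sshd_config
# Nothing above takes effect until sshd re-reads its config; validate first so
# a bad edit cannot leave the daemon unable to restart.
/usr/sbin/sshd -t && service sshd reload

# --- Ignore ping (left disabled, as in the original) -------------------------
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# echo 'echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all' >> /etc/rc.local

# --- Resolver settings -------------------------------------------------------
# BUG FIX: "order", "multi" and "nospoof" are /etc/host.conf directives; the
# original appended them to /etc/hosts, where they are just malformed entries.
# NOTE(review): on glibc the lookup order is really governed by the "hosts:"
# line of /etc/nsswitch.conf, and whether the nospoof check is still
# implemented depends on the glibc version -- confirm on the target release.
for directive in 'order hosts,bind' 'multi on' 'nospoof on'; do
  append_once "$directive" /etc/host.conf
done

# Make /etc/services immutable.  Undo with "chattr -i" before any package
# update that ships a new /etc/services, or the update will fail.
/usr/bin/chattr +i /etc/services

# Add resolvers.  As in the original, the insert only happens when
# /etc/resolv.conf contains "search localdomain"; DHCP / NetworkManager may
# rewrite the file later.
# shellcheck disable=SC2086  # NAMESERVERS is a deliberate space-separated list
for ns in $NAMESERVERS; do
  grep -qF -- "nameserver $ns" /etc/resolv.conf \
    || sed -i "s/^search localdomain/nameserver $ns\n&/" /etc/resolv.conf
done

# --- Disable IPv6 (RHEL 5 style; RHEL 6+ use /etc/modprobe.d and sysctl) ----
append_once 'alias net-pf-10 off' /etc/modprobe.conf
append_once 'alias ipv6 off' /etc/modprobe.conf
sed -i 's/^NETWORKING_IPV6=yes/NETWORKING_IPV6=no/' /etc/sysconfig/network

# --- Time zone ---------------------------------------------------------------
cp -f "/usr/share/zoneinfo/$TIMEZONE" /etc/localtime
sed -i "s!^ZONE=\".*\"!ZONE=\"$TIMEZONE\"!" /etc/sysconfig/clock
# UTC=false keeps the hardware clock in local time.  For unambiguous log
# timestamps across DST changes a UTC hardware clock is generally preferable;
# kept as in the original.
sed -i 's/^UTC=true/UTC=false/' /etc/sysconfig/clock

# --- Audit scans (report only) -----------------------------------------------
# SUID / SGID files
find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} +
# World-writable files and directories (BUG FIX: the directory scan used plain
# "ls -lg", which lists a directory's CONTENTS; -d prints the directory itself)
find / -type f -perm 777 -exec ls -lg {} +
find / -type d -perm 777 -exec ls -ldg {} +
# Odd and hidden names (BUG FIX: "--print" is not a find predicate -- the
# original aborted with "unknown predicate"; options like -xdev go first)
find / -xdev -name ".. " -print
find / -xdev -name ".*" -print | cat -v
# Files with no owner or group
find / \( -nouser -o -nogroup \) -print

# --- System-wide open-file limit ---------------------------------------------
# BUG FIX: the original forced fs.file-max to 65536, which is lower than the
# per-process nofile limit set above and, on most kernels, lower than the
# memory-derived default -- so it LOWERED the ceiling.  Only ever raise it.
# (/proc/sys/fs/file-nr shows: allocated handles, used handles, maximum.)
if [ "$(cat /proc/sys/fs/file-max)" -lt "$FILE_MAX" ]; then
  echo "$FILE_MAX" > /proc/sys/fs/file-max
  append_once "echo $FILE_MAX > /proc/sys/fs/file-max" /etc/rc.local
fi

# --- atime -------------------------------------------------------------------
# +A only marks the inodes that exist now; the fstab option below is the
# durable fix.
chattr -R +A /var/spool
chattr -R +A /var/log
# BUG FIX: the original had the raw fstab line in the script body, so bash
# tried to EXECUTE it ("/dev/sda1: Permission denied").  It is an example of
# what to put in /etc/fstab, e.g.:
#   /dev/sda1 /data ext3 defaults,noatime 0 0
#
# Swap: place the swap partition at the start of the disk (outer cylinders,
# more data per revolution); the original author measured roughly 3 MB/s gain.

# --- TCP tuning: fewer TIME_WAIT sockets -------------------------------------
append_once 'net.ipv4.tcp_tw_reuse=1' /etc/sysctl.conf
# net.ipv4.tcp_tw_recycle=1 deliberately dropped: it rejects connections from
# clients behind NAT when their TCP timestamps are not monotonic, and the knob
# was removed from the kernel in 4.12.  tcp_tw_reuse gives most of the benefit.
append_once 'net.ipv4.tcp_synack_retries=3' /etc/sysctl.conf
append_once 'net.ipv4.tcp_syn_retries=3' /etc/sysctl.conf
append_once 'net.ipv4.tcp_fin_timeout=30' /etc/sysctl.conf
append_once 'net.ipv4.tcp_keepalive_time=1800' /etc/sysctl.conf
append_once 'net.ipv4.ip_local_port_range = 1024 65000' /etc/sysctl.conf
# Apply now; the original only wrote the file and left the settings for the
# next boot.
/sbin/sysctl -p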