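#!/bin/bash
# qcloud system init scripts
# by gaolongquan
#
# One-shot provisioning of a fresh CentOS 6 cloud host (written for Tencent
# Cloud; the IPv6/sysctl parts apply to Qingcloud/Aliyun as well): colour
# prompt, hostname, IPv6 off, SELinux off, sshd tweaks, base packages, sysctl,
# nproc limits, rsyncd, mail.rc and rc.local ordering. Must run as root and
# edits system files in place; several steps append to files, so re-running
# duplicates those entries (profile, rsyncd.conf, mail.rc, rc.local).
#
# Environment (all optional):
#   SMTP_AUTH_USER      mail.rc account / From address (default a_jk@163.com)
#   SMTP_SERVER         mail.rc smtp host (default smtp.163.com)
#   SMTP_AUTH_PASSWORD  password for SMTP_AUTH_USER; prompted for if unset
#   RSYNC_HOSTS_ALLOW   rsyncd "hosts allow" value (default 10.0.0.0/8)
#
# Time sync: Tencent Cloud already ships
#   */20 * * * * root /usr/sbin/ntpdate ntpupdate.tencentyun.com >/dev/null &
# so nothing is added here. On other providers something like
#   echo "00 * * * * root ntpdate ntp.api.bz >/dev/null 2>&1" >>/etc/crontab
# would go in this script.

set -euo pipefail

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Colourise root's prompt, only if ~/.bashrc has no PS1 line yet.
# Globals:  HOME (read)
# Outputs:  appends one line to ~/.bashrc
#######################################
setup_prompt() {
  if ! grep -q '^PS1' ~/.bashrc; then
    # shellcheck disable=SC2016 — the PS1 line must land in .bashrc unexpanded
    printf '%s\n' 'PS1="\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@\h \[\e[35;40m\]\W\[\e[0m\]]\\$ "' >> ~/.bashrc
  fi
}

#######################################
# Create the work directories. The root partition on Tencent Cloud is small,
# so the software/package area lives on the data disk under /home and is
# reached from /root through a symlink.
#######################################
setup_dirs() {
  mkdir -p /root/sh /root/jiankong_log
  mkdir -p /home/{wwwroot,wwwlogs,backup,software}
  # plain "ln -s" fails on a second run when the link already exists
  [[ -e /root/software ]] || ln -s /home/software /root/software
}

#######################################
# Ask for the new hostname and write it to /etc/sysconfig/network.
# /etc/sysconfig/network is sourced by the init scripts at boot, so only
# plain hostname characters are accepted — anything else would be evaluated
# by the shell as root on every boot.
# Outputs:  rewrites the HOSTNAME= line of /etc/sysconfig/network
# Returns:  exits via die on an empty or malformed name
#######################################
set_hostname() {
  local Hostname
  echo 'Enter new Hostname:'
  read -r Hostname
  [[ -n "$Hostname" ]] || die 'hostname must not be empty'
  [[ "$Hostname" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] || die "invalid hostname: $Hostname"
  sed -i '/HOSTNAME/d' /etc/sysconfig/network
  printf 'HOSTNAME=%s\n' "$Hostname" >> /etc/sysconfig/network
  # Only needed when proftpd/apache have to resolve the local name:
  # printf '127.0.0.1 %s\n' "$Hostname" >> /etc/hosts
}

#######################################
# Disable IPv6 (module alias, /etc/hosts, sysconfig). The interface names
# differ between providers; this form works on Tencent/Qingcloud/Aliyun.
#######################################
disable_ipv6() {
  cat <<'EOF' >> /etc/modprobe.d/disable_ipv6.conf
alias net-pf-10 off
options ipv6 disable=1
EOF
  sed -i '/localhost6/s/^/#/' /etc/hosts
  echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
}

#######################################
# Turn SELinux off now and for future boots. Cloud images usually ship with
# it already disabled, in which case setenforce fails — that is not fatal.
#######################################
disable_selinux() {
  setenforce 0 || true
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
}

#######################################
# sshd: disable reverse-DNS and GSSAPI checks, then restart.
# OpenSSH resolves the client IP to a name via reverse DNS, resolves that name
# back to an address and compares the two; when the client has no PTR record
# or DNS is slow/unreachable, login stalls for a long time. Brute-force
# protection is left to fail2ban, see http://my.oschina.net/longquan/blog/478511
# The config is validated with "sshd -t" before the restart: restarting sshd
# with a broken sshd_config would lock us out of the machine.
#######################################
harden_sshd() {
  sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
  sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
  /usr/sbin/sshd -t || die 'sshd_config failed validation; sshd not restarted'
  /etc/init.d/sshd restart
}

#######################################
# Install the "base" group plus the build/diagnostic tool set.
#######################################
install_packages() {
  local -a pkgs=(
    gcc gcc-c++ make automake openssl openssl-devel ncurses ncurses-devel
    pcre pcre-devel curl-devel lrzsz patch vixie-cron tcl dstat bison flex
    screen telnet iftop bash strace mtr sysstat lsof bind-utils rsync
    libtool libtool-ltdl libtool-ltdl-devel jwhois.x86_64 mailx
    libpcap libpcap-devel libxml2.x86_64 libxml2-devel.x86_64 bc
    libpng libpng-devel libjpeg-turbo libjpeg-turbo-devel
    freetype freetype-devel zlib zlib-devel libmcrypt libmcrypt-devel
  )
  yum -y groupinstall base
  yum -y install "${pkgs[@]}"
}

#######################################
# Replace /etc/sysctl.conf (backup kept as sysctl.conf.bk). Values are the
# author's CentOS 6 tuning and are written verbatim.
# NOTE(review): tcp_tw_recycle=1 drops connections from clients behind NAT
# and was removed from the kernel in 4.12; with tcp_timestamps=0 it is inert
# anyway (and PAWS is off). Revisit both before reusing this on newer kernels.
#######################################
write_sysctl() {
  cp /etc/sysctl.conf{,.bk}
  cat > /etc/sysctl.conf <<'EOF'
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_syn_backlog = 819200
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_fin_timeout = 30
net.netfilter.nf_conntrack_tcp_timeout_established = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_max = 1048576
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.ip_forward = 0
net.nf_conntrack_max = 655360
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.core.wmem_max = 16777216
net.core.wmem_default = 8388608
net.core.somaxconn = 32768
net.core.rmem_max = 16777216
net.core.rmem_default = 8388608
net.core.netdev_max_backlog = 32768
kernel.sysrq = 0
kernel.shmmax = 4294967295
kernel.shmall = 268435456
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.core_uses_pid = 1
fs.file-max = 65535
net.ipv4.tcp_max_tw_buckets = 30000
EOF
}

#######################################
# Timestamp shell history and raise the open-file limit for login shells.
# /etc/security/limits.conf is already tuned on Tencent/Aliyun images; on
# bare metal add it by hand, e.g.
#   * soft nofile 65535
#   * hard nofile 65535
#   (* soft/hard nproc 65535 likewise)
#######################################
write_profile() {
  cat >> /etc/profile <<'EOF'
HISTTIMEFORMAT="%Y/%m/%d %H:%M:%S "
ulimit -SHn 65535
export LANG="en_US.UTF-8"
EOF
}

#######################################
# Make /usr/local/lib visible to the dynamic linker (software installed
# straight under /usr/local needs it); "ldconfig -p" lists everything known.
# The append is skipped when the line is already present.
#######################################
setup_ldconfig() {
  grep -qxF '/usr/local/lib' /etc/ld.so.conf || echo "/usr/local/lib" >> /etc/ld.so.conf
  /sbin/ldconfig
}

#######################################
# Append the rsyncd module used for backups.
# NOTE(review): the [gen] module exports the whole filesystem ("path = /") as
# root, writable ("read only = no"), with no "auth users"/"secrets file" —
# every address matching "hosts allow" (a shared-tenant /8 on cloud networks)
# can read or overwrite any file on this host. Narrow RSYNC_HOSTS_ALLOW to
# the backup host(s) and add module authentication before relying on this.
# Globals:  RSYNC_HOSTS_ALLOW (read, default 10.0.0.0/8)
#######################################
setup_rsyncd() {
  local hosts_allow=${RSYNC_HOSTS_ALLOW:-10.0.0.0/8}
  cat >> /etc/rsyncd.conf <<EOF
uid = root
gid = root
use chroot = no
max connections = 0
list = no
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log
[gen]
path = /
ignore errors
read only = no
hosts allow = $hosts_allow
EOF
}

#######################################
# CentOS 6 caps nproc in limits.d/90-nproc.conf (see
# http://blog.yufeng.info/archives/2568); raise it, keeping a backup when the
# file exists.
#######################################
setup_nproc_limits() {
  local conf=/etc/security/limits.d/90-nproc.conf
  [[ ! -f "$conf" ]] || cp "$conf" "$conf.bk"
  echo "* soft nproc 65535" > "$conf"
  echo "root soft nproc unlimited" >> "$conf"
}

#######################################
# Start rsyncd now and make rc.local raise ulimit, load the conntrack/bridge
# modules and start rsyncd on every boot.
#######################################
setup_rc_local() {
  /usr/bin/rsync --daemon
  sed -i '2iulimit -SHn 65535' /etc/rc.local
  cat >> /etc/rc.local <<'EOF'
modprobe nf_conntrack
modprobe bridge
/usr/bin/rsync --daemon
EOF
}

#######################################
# Load the modules the new sysctl.conf refers to, then apply it. The
# net.netfilter.* and net.bridge.* keys only exist once nf_conntrack and
# bridge are loaded, which is why modprobe runs before sysctl -p.
# The firewall itself is left to the admin:
#   chkconfig iptables on && /etc/init.d/iptables start
#######################################
load_modules_and_sysctl() {
  # legacy alias of nf_conntrack; absent on newer kernels, so not fatal
  modprobe ip_conntrack || true
  modprobe nf_conntrack
  modprobe bridge
  sysctl -p
}

#######################################
# Configure mailx SMTP so alert mails are not rejected as unauthenticated.
# The password is taken from SMTP_AUTH_PASSWORD or prompted for, never stored
# in this script. It does end up in /etc/mail.rc, which is presumably readable
# by every local user — restrict it or use a dedicated alert-only account.
# Globals:  SMTP_AUTH_USER, SMTP_SERVER, SMTP_AUTH_PASSWORD (read)
# Returns:  exits via die on an empty password
#######################################
setup_mail() {
  local smtp_user=${SMTP_AUTH_USER:-a_jk@163.com}
  local smtp_server=${SMTP_SERVER:-smtp.163.com}
  local smtp_pass=${SMTP_AUTH_PASSWORD:-}
  if [[ -z "$smtp_pass" ]]; then
    read -rs -p "SMTP password for $smtp_user: " smtp_pass
    printf '\n'
  fi
  [[ -n "$smtp_pass" ]] || die 'SMTP password must not be empty'
  cat >> /etc/mail.rc <<EOF
set from=$smtp_user
set smtp=$smtp_server
set smtp-auth-user=$smtp_user
set smtp-auth-password=$smtp_pass
set smtp-auth=login
EOF
}

#######################################
# Make /etc/rc.local the canonical symlink to rc.d/rc.local and move the
# "touch /var/lock/subsys/local" line to the end, so the commands appended
# above run before init considers the script done. Works on a copy
# (rc.local.bk) which is then written back through the symlink.
#######################################
fix_rc_local_boot() {
  \cp /etc/rc.local{,.bk}
  ( cd /etc && ln -sf rc.d/rc.local rc.local )
  sed -i '/subsys/d' /etc/rc.local.bk
  echo "touch /var/lock/subsys/local" >> /etc/rc.local.bk
  cat /etc/rc.local.bk > /etc/rc.local
  # show the result for a visual check
  ls -al /etc/rc.local
}

main() {
  (( EUID == 0 )) || die 'this script must be run as root'
  setup_prompt
  setup_dirs
  set_hostname
  disable_ipv6
  disable_selinux
  harden_sshd
  install_packages
  write_sysctl
  write_profile
  setup_ldconfig
  setup_rsyncd
  setup_nproc_limits
  setup_rc_local
  load_modules_and_sysctl
  setup_mail
  fix_rc_local_boot
}

main "$@"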
原文地址:http://my.oschina.net/longquan/blog/497221