码迷,mamicode.com
首页 > 其他好文 > 详细

系统优化类

时间:2019-08-13 22:43:01      阅读:80      评论:0      收藏:0      [点我收藏+]

标签:monitor   icm   exp   echo   grep   running   adc   passwd   shang   

此脚本基于centos7和centos6编写:

仅供参考,切勿盲目复制执行

#!/bin/bash

PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"
export PATH

Centos7=$(uname -a | grep "el7" | wc -l)
Centos6=$(uname -a | grep "el6" | wc -l)

if [ $Centos7 == 1 ];
then
   echo "System Centos 7 in reset kernel"
   /bin/grep "SELINUX=disabled" /etc/selinux/config 2>&1 >/dev/null
   if [ $? -eq 0 ];then
   	echo -e "\033[31m Selinux\033[0m  is already not running"
   else
   	/bin/sed -i  ‘/SELINUX/s/enforcing/disabled/g‘ /etc/selinux/config
   	setenforce 0 2>&1 >/dev/null
   	echo -e "\033[31m Selinux \033[0m is already  modify stop successful"
   fi
   
   ################# <关闭多余用户> ##########################
   
   userdel -r lp 2>&1 >/dev/null
   userdel -r sync 2>&1 >/dev/null
   userdel -r shutdown 2>&1 >/dev/null
   userdel -r halt 2>&1 >/dev/null
   userdel -r operator 2>&1 >/dev/null
   userdel -r games 2>&1 >/dev/null
   userdel -r gopher 2>&1 >/dev/null
   chmod +s /bin/netstat
   chmod 400 /etc/shadow
   ################# <系统内核安全> ##########################
   ipv4=$(grep "net.ipv4" /etc/sysctl.conf  | wc -l)
   if [ $ipv4 -lt 2 ];
   then
       echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf
       echo "net.core.rmem_default = 256960" >> /etc/sysctl.conf
       echo "net.core.rmem_max = 513920" >> /etc/sysctl.conf
       echo "net.core.wmem_default = 256960" >> /etc/sysctl.conf
       echo "net.core.wmem_max = 513920" >> /etc/sysctl.conf
       echo "net.core.netdev_max_backlog = 2000" >> /etc/sysctl.conf
       echo "net.core.somaxconn = 2048" >> /etc/sysctl.conf
       echo "net.core.optmem_max = 81920" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_mem = 131072  262144  524288" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_rmem = 8760  256960  4088000" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_wmem = 8760  256960  4088000" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_keepalive_time = 1800" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_keepalive_intvl = 30" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_keepalive_probes = 3" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_sack = 1" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_fack = 1" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_timestamps = 1" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_window_scaling = 1" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_tw_reuse = 1" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_tw_recycle = 0" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_fin_timeout = 30" >> /etc/sysctl.conf
       echo "net.ipv4.ip_local_port_range = 1024  65000" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_max_syn_backlog = 2048" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_max_tw_buckets = 6000" >> /etc/sysctl.conf
       sysctl -p
   else
       echo "kernel already reset"
   fi
   hosts=$(grep "sshd:10.80.80.100:allow" /etc/hosts.allow  | wc -l)
   if [ $hosts -ne 1 ];
   then
       echo "insert sshd allow"
       echo ‘sshd:10.80.80.100:allow‘  >> /etc/hosts.allow
   else
      echo "sshd already reset"
   fi

   ################## 《更改时区》###############################
   
   TZ=`timedatectl |grep Time|awk {‘print $3‘}`
   SH="Adsia/Shanghai"
   if [ $TZ == $SH ];then
   	echo -e  "\033[31m Timezone \033[0m is already "Asia/Shanghai""
   else 
   	rm -f /etc/localtime
   	cp -arp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
   	echo -e "\033[31m Timezone \033[0m is already modify "Asia/Shanghai""
   fi
   
   ################ <更改ssh端口和禁止root登录> #######################
   Net=$(netstat -tulnp|grep 22502 | wc -l)
   if [ $Net = 0 ];then
       cp -r /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
   	   sed -i ‘/Port 22/aPort 22502‘ /etc/ssh/sshd_config
   	   echo -e  "\033[31m SSH‘s port  22 is already modify to 22502\033[0m"
   	    sed -i "s/#UseDNS/UseDNS/g" /etc/ssh/sshd_config
        sed -i "s/^Subsystem/#Subsystem/g" /etc/ssh/sshd_config
        sed -i "/^#Subsystem/aSubsystem       sftp    internal-sftp" /etc/ssh/sshd_config
   	if [ $? -eq 0 ];then
   		systemctl restart sshd 2>&1 >/dev/null
   		echo -e "\033[31m SSH‘s service\033[0m has restart again"
   	fi
   else 
   	sed -i "s/#UseDNS/UseDNS/g" /etc/ssh/sshd_config
        echo -e "\033[31m chage Use UseDns\033[0m"
   	PORT=`netstat -tulnp|grep 22 |awk {‘print $4‘}|head -n 1|cut -d : -f 2`
   	echo -e "ssh‘s port is \033[31m already modify $PORT\033[0m"
   fi
   ############## <登录密码相关设置> #######################################
   
   cp /etc/login.defs /etc/login.defs.bak
   sed -i ‘/^PASS_MAX_DAYS/s/[0-9]\{1,\}/99999/g‘ /etc/login.defs
   sed -i ‘/^PASS_MIN_DAYS/s/[0-9]\{1,\}/7/g‘ /etc/login.defs
   sed -i ‘/^PASS_MIN_LEN/s/[0-9]\{1,\}/12/g‘ /etc/login.defs
   sed -i ‘/^PASS_WARN_AGE/s/[0-9]\{1,\}/30/g‘ /etc/login.defs
   #########################################################################
   username=$(id kyeroot | grep "uid=0" | wc -l)
   if [ $username = 0 ];then
   	useradd kyeroot
   	echo "Aa+12345678" | passwd --stdin kyeroot
   	sed -i ‘/^kyeroot/s/[0-9]\{1,\}/0/g‘ /etc/passwd
   	sed -i ‘/^kyeroot/s/home\/kyeroot/root/g‘ /etc/passwd
        sed -i "/^root/s/bin/sbin/g" /etc/passwd
        sed -i "/^root/s/bash/nologin/g" /etc/passwd
        cp /etc/sudoers /etc/sudoers.bak
   	sed -i ‘/^root/akyeroot ALL=(ALL)   ALL‘ /etc/sudoers
   else
   	echo -e "\033[31m user kyeroot is exists\033[0m  or \033[31m password is wrong\033[0m"
   fi

   
   useradd kyeadmin 2>&1 >/dev/null
   d=$?
   if [ $d -eq 0 ];then
       echo "Aa+12345678" |passwd --stdin kyeadmin 2>&1 >/dev/null
   	echo -e "\033[31m create user kyeadmin successful \033[0m"
   	echo -e "\033[31m create user passwd successful \033[0m"
   else
   	echo -e "\033[31m user kyeadmin is exists\033[0m  or \033[31m password is wrong\033[0m"
   fi
   
   ############### <日志权限> #########################################
   chattr +a /var/log/messages
   if [ $? == "0" ];then
   	echo -e "\033[31m Already add "lsatrr +a"\033[0m  for "/var/log/messages" "
   else
   	echo -e "Add \033[31m "lsattr +a"\033[0m  is failed,please check it!"
   fi
   
   find /var/log/ -type f -exec chmod u-x,g-x,o-wx {} \;
   echo -e "\033[31m modify "/var/log/*"\033[0m all files permission of "u-x,g-x,o-wx" successful"
chmod +x /etc/rc.local
null=$(grep "/dev/null" /etc/rc.local  |wc -l)
if [ $null = 0 ];
then
    echo "chmod 666 /dev/null" >> /etc/rc.local
else
   echo "already reset /dev/null"
fi

   ############## <修改文件句柄数> ###################################
   
   h=`ulimit -n`
   if [ $h -ne 65535 ];then
   
   	ulimit -n 65535
   	grep "* soft nofile 65535" /etc/security/limits.conf 2>&1 >/dev/null
   	i=$?   #判断“soft nofile 65536”是否存在
   	grep "* hard nofile 65535" /etc/security/limits.conf 2>&1 >/dev/null
   	j=$?   #判断“hard nofile 65536”是否存在
   	k=$[i+j] 
   	if [ $k -ne 0 ];then #同时判断“soft/hard nofile 65536”
   		cp /etc/security/limits.conf /etc/security/limits.conf.bak
   		echo "* soft nofile 65535" >> /etc/security/limits.conf
   		echo "* hard nofile 65535" >> /etc/security/limits.conf
   		echo -e "\033[31m default ulimit is $h\033[0m,now ulimit is already modify 65535"
   	else
   	echo -e "\033[31m "soft nofile 65535 and  hard nofile 65535"\033[0m is already configure,not to modify "
   	fi
   else 
   	echo -e "\033[31m default ulimit is 65535\033[0m,not modify"
   fi
   
   ############# <防止暴力破解,提高系统安全性> ################################
   
   grep "remember" /etc/pam.d/system-auth  2>&1 >/dev/null
   o=$?
   grep "unlock_time" /etc/pam.d/system-auth  2>&1 >/dev/null
   p=$?
   grep "pam_pwquality.so" /etc/pam.d/system-auth 2>&1 >/dev/null
   w=$?
   if [ $o -ne 0 ];then
        cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
   	sed  -i "/sha512/s/use_authtok/use_authtok remember=4/g" /etc/pam.d/system-auth ###表示禁止使用最近用过的4个密码(己使用过的密码会被保存在 /etc/security/opasswd 下面)
   	echo -e "Configure "use_authtok remember=4" for /etc/pam.d/system-auth successful"
   fi
   if [ $w -ne 0 ];then
   	sed -i "/pam_pwquality.so/s/local_users_only/minclass=3/g" /etc/pam.d/system-auth
   	echo -e "Configure "use_authtok remember=4" for /etc/pam.d/system-auth successful"
   fi
   if [ $p -eq 0 ];then
   	echo "auth required pam_tally2.so even_deny_root deny=5 unlock_time=1800" >> /etc/pam.d/system-auth 
   	echo -e "Configure "auth required pam_tally2.so even_deny_root deny=5 unlock_time=1800" for /etc/pam.d/system-auth successful"
   fi
   
   ################# <设置shell会话超时退出> ##################################
   
   n=`grep "TMOUT=" /etc/profile|cut -d "=" -f 2` #读取默认的超时的时间
   l=`grep "TMOUT" /etc/profile`
   if [ $? -ne 0 ];then   ##判断TMOUT没有设置过超时配置
        cp /etc/profile /etc/profile.bak
   	echo "TMOUT=300" >> /etc/profile
   	echo "export TMOUT" >> /etc/profile
   #	sed -i ‘s/^HISTSIZE=1000/HISTSIZE=30/g‘ /etc/profile
   	echo -e "\033[31m TMOUT \033[0m is already modify TMOUT=300"
   else               ##若是配置过超时命令,替换换默认超时时间
   	sed -i s/TMOUT=$n/TMOUT=300/g /etc/profile  #替换默认超时时间为180
   	echo -e  "\033[31m default TMOUT \033[0m is $n,TMOUT is already modify to 180s successful  " #获取默认超时时间
   #	echo "export TMOUT" >> /etc/profile
   fi
   
   ################# <禁止root ftp登录> #######################################
   
   systemctl status vsftpd 2>&1 >/dev/null
   if [ $? -eq 0 ];then
   	echo "root" >> /etc/vsftpd/ftpusers 
   	echo -e "\033[31m The ftp for root forbidden \033[0m successful"
   else
   	echo -e "\033[31m The vsftpd \033[0m service not exists,not need to forbidden"
   fi 
   
   ############### <登录警告语> #############################################
   
   grep "WARNING" /etc/motd 2>&1 >/dev/null
   if [ $? -ne 0 ];then
   	echo "WARNING: If you are not authorized to access this private computer system, disconnect now. All activities on this system will be monitored and recorded without prior notification or permission!" > /etc/motd
   	echo -e "\033[31m The motd \033[0m is add at /etc/motd successful"
   else 
   	echo -e "\033[31m The motd "WARNING" is exsits\033[0m,please check if need to modify again"
   fi
   

   ################ <设置允许能su到root的用户> #################################
   grep "SU_WHEEL_ONLY yes" /etc/login.defs && echo "Already set" || echo "SU_WHEEL_ONLY yes" >> /etc/login.defs

elif [ $Centos6 == 1 ]
then

   echo "System Centos 6 in reset kernel"
   ################ 《关闭selinux》############################################

   /bin/grep "SELINUX=disabled" /etc/selinux/config 2>&1 >/dev/null
   if [ $? -eq 0 ];then
   	echo -e "\033[31m Selinux\033[0m  is already not running"
   else
   	/bin/sed -i  ‘/SELINUX/s/enforcing/disabled/g‘ /etc/selinux/config
   	setenforce 0 2>&1 >/dev/null
   	echo -e "\033[31m Selinux \033[0m is already  modify stop successful"
   fi
   ################# <关闭多余用户> ##########################
   
   userdel -r lp 2>&1 >/dev/null
   userdel -r sync 2>&1 >/dev/null
   userdel -r shutdown 2>&1 >/dev/null
   userdel -r halt 2>&1 >/dev/null
   userdel -r operator 2>&1 >/dev/null
   userdel -r games 2>&1 >/dev/null
   chmod +s /bin/netstat
   chmod 400 /etc/shadow
   ################# <系统内核安全> ##########################
   ipv4=$(grep "net.ipv4" /etc/sysctl.conf  | wc -l)
   if [ $ipv4 -lt 2 ];
   then
       echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf
       echo "net.core.rmem_default = 256960" >> /etc/sysctl.conf
       echo "net.core.rmem_max = 513920" >> /etc/sysctl.conf
       echo "net.core.wmem_default = 256960" >> /etc/sysctl.conf
       echo "net.core.wmem_max = 513920" >> /etc/sysctl.conf
       echo "net.core.netdev_max_backlog = 2000" >> /etc/sysctl.conf
       echo "net.core.somaxconn = 2048" >> /etc/sysctl.conf
       echo "net.core.optmem_max = 81920" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_mem = 131072  262144  524288" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_rmem = 8760  256960  4088000" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_wmem = 8760  256960  4088000" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_keepalive_time = 1800" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_keepalive_intvl = 30" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_keepalive_probes = 3" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_sack = 1" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_fack = 1" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_timestamps = 1" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_window_scaling = 1" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_tw_reuse = 1" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_tw_recycle = 0" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_fin_timeout = 30" >> /etc/sysctl.conf
       echo "net.ipv4.ip_local_port_range = 1024  65000" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_max_syn_backlog = 2048" >> /etc/sysctl.conf
       echo "net.ipv4.tcp_max_tw_buckets = 6000" >> /etc/sysctl.conf
       sysctl -p
   else
       echo "kernel already reset"
   fi
   hosts=$(grep "sshd:10.80.80.100:allow" /etc/hosts.allow  | wc -l)
   if [ $hosts -ne 1 ];
   then
       echo "insert sshd allow"
       echo ‘sshd:10.80.80.100:allow‘  >> /etc/hosts.allow
   else
      echo "sshd already reset"
   fi
   ################ 《更改时区》##############################################
   
   /bin/grep "Asia/Shanghai" /etc/sysconfig/clock 2>&1 >/dev/null
   if [ $? -eq 0 ];then
   	echo -e  "\033[31m Timezone \033[0m is already "Asia/Shanghai""
   else 
   	rm -f /etc/localtime
   	cp -arp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
   	echo -e "\033[31m Timezone \033[0m is already modify "Asia/Shanghai""
   fi
   
   ###############《更改ssh端口和禁止root登录》##############################

   Net=$(netstat -tulnp|grep 22502 | wc -l)
   if [ $Net = 0 ];then
       cp -r /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
   	sed -i ‘/port 22/aport 22502‘ /etc/ssh/sshd_config
   	echo -e  "\033[31m SSH‘s port  22 is already modify to 22502\033[0m"
   	sed -i "s/#UseDNS/UseDNS/g" /etc/ssh/sshd_config
        sed -i "s/^Subsystem/#Subsystem/g" /etc/ssh/sshd_config
        sed -i "/^#Subsystem/aSubsystem       sftp    internal-sftp" /etc/ssh/sshd_config
   	if [ $? -eq 0 ];then
   		service sshd restart 2>&1 >/dev/null
   		echo -e "\033[31m SSH‘s service\033[0m has restart again"
   	fi
   else 
   	sed -i "s/#UseDNS/UseDNS/g" /etc/ssh/sshd_config
        echo -e "\033[31m chage Use UseDns\033[0m"
   	PORT=`netstat -tulnp|grep 22 |awk {‘print $4‘}|head -n 1|cut -d : -f 2`
   	echo -e "ssh‘s port is \033[31m already modify $PORT\033[0m"
   fi
   ############### 《禁止组合键关机》#######################################
   
   /bin/grep ^exec /etc/init/control-alt-delete.conf 2>&1 >/dev/null
   a=$?    #判断是否关闭“exec /etc/init/control-alt-delete.conf”
   /bin/grep ^start /etc/init/control-alt-delete.conf 2>&1 >/dev/null
   b=$?    #判断是否关闭"start on control-alt-delete"
   c=$[a+b]
   if [ $c -eq 2 ];then
           echo -e "\033[31m "control-alt-delete" \033[0m modify is \033[31m failed \033[0m,or configure successful,please check it again"
   else
       cp  /etc/init/control-alt-delete.conf /etc/init/control-alt-delete.conf.bak
   	sed -i "/^start/s/start/#start/g" /etc/init/control-alt-delete.conf
   	sed -i "/^exec/s/exec/#exec/g" /etc/init/control-alt-delete.conf
   	echo -e "\033[31m “control-alt-delete”\033[0m is already modify stop successful"
   fi
   
   
   ############# 《登录密码相关设置》##############################
   cp /etc/login.defs /etc/login.defs.bak
   sed -i ‘/^PASS_MAX_DAYS/s/[0-9]\{1,\}/90/g‘ /etc/login.defs
   sed -i ‘/^PASS_MIN_DAYS/s/[0-9]\{1,\}/7/g‘ /etc/login.defs
   sed -i ‘/^PASS_MIN_LEN/s/[0-9]\{1,\}/12/g‘ /etc/login.defs
   sed -i ‘/^PASS_WARN_AGE/s/[0-9]\{1,\}/30/g‘ /etc/login.defs
   
   ############## 《新建用户》############################################
   #u=`grep "^kyeroot" /etc/passwd | wc -l`
      username=$(id kyeroot | grep "uid=0" | wc -l)
      if [ $username = 0 ];then
      	useradd kyeroot
      	echo "Aa+12345678" | passwd --stdin kyeroot
      	sed -i ‘/^kyeroot/s/[0-9]\{1,\}/0/g‘ /etc/passwd
      	sed -i ‘/^kyeroot/s/home\/kyeroot/root/g‘ /etc/passwd
           sed -i "/^root/s/bin/sbin/g" /etc/passwd
           sed -i "/^root/s/bash/nologin/g" /etc/passwd
           cp /etc/sudoers /etc/sudoers.bak
      	sed -i ‘/^root/akyeroot ALL=(ALL)   ALL‘ /etc/sudoers
      else
      	echo -e "\033[31m user kyeroot is exists\033[0m  or \033[31m password is wrong\033[0m"
      fi
   
      
      useradd kyeadmin 2>&1 >/dev/null
      d=$?
      if [ $d -eq 0 ];then
          echo "Aa+12345678" |passwd --stdin kyeadmin 2>&1 >/dev/null
      	echo -e "\033[31m create user kyeadmin successful \033[0m"
      	echo -e "\033[31m create user passwd successful \033[0m"
      else
      	echo -e "\033[31m user kyeadmin is exists\033[0m  or \033[31m password is wrong\033[0m"
      fi
   ############# 《日志权限》############################################
   
   chattr +a /var/log/messages
   if [ $? == "0" ];then
   	echo -e "\033[31m Already add "lsatrr +a"\033[0m  for "/var/log/messages" "
   else
   	echo -e "Add \033[31m "lsattr +a"\033[0m  is failed,please check it!"
   fi
   
   find /var/log/ -type f -exec chmod u-x,g-x,o-wx {} \;
   echo -e "\033[31m modify "/var/log/*"\033[0m all files permission of "u-x,g-x,o-wx" successful"
   
   chmod +x /etc/rc.local
   null=$(grep "/dev/null" /etc/rc.local  |wc -l)
   if [ $null = 0 ];
   then
       echo "chmod 666 /dev/null" >> /etc/rc.local
   else
      echo "already reset /dev/null"
   fi
   ############# 《修改文件句柄数》######################################
   h=`ulimit -n`
   if [ $h -ne 65535 ];then
   	ulimit -n 65535
   	grep "* soft nofile 65535" /etc/security/limits.conf 2>&1 >/dev/null
   	i=$?   #判断“soft nofile 65536”是否存在
   	grep "* hard nofile 65535" /etc/security/limits.conf 2>&1 >/dev/null
   	j=$?   #判断“hard nofile 65536”是否存在
   	k=$[i+j] 
   	if [ $k -ne 0 ];then #同时判断“soft/hard nofile 65536”
   	    cp /etc/security/limits.conf /etc/security/limits.conf.bak
   		echo "* soft nofile 65535" >> /etc/security/limits.conf
   		echo "* hard nofile 65535" >> /etc/security/limits.conf
   		echo -e "\033[31m default ulimit is $h\033[0m,now ulimit is already modify 65535"
   	else
   	echo -e "\033[31m "soft nofile 65535 and  hard nofile 65535"\033[0m is already configure,not to modify "
   	fi
   else 
   	echo -e "\033[31m default ulimit is 65535\033[0m,not modify"
   fi
   
   
   ############## 《防止暴力破解,提高系统安全性》######################
   
   grep "remember" /etc/pam.d/system-auth  2>&1 >/dev/null
   o=$?
   p=`grep "unlock_time" /etc/pam.d/system-auth | wc -l`
   if [ $o -ne 0 ];then
       cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
   	sed  -i "/sha512/s/use_authtok/use_authtok remember=4/g" /etc/pam.d/system-auth ###表示禁止使用最近用过的4个密码(己使用过的密码会被保存在 /etc/security/opasswd 下面)
   fi
   if [ $p -lt 1 ];then
   	echo "auth    required        pam_tally2.so even_deny_root deny=5 unlock_time=1800" >> /etc/pam.d/system-auth 
   fi
   
   ############## 《设置shell会话超时退出》############################
   
   n=`grep "TMOUT=" /etc/profile|cut -d "=" -f 2` #读取默认的超时的时间
   l=`grep "TMOUT" /etc/profile`
   if [ $? -ne 0 ];then   ##判断TMOUT没有设置过超时配置
   	cp /etc/profile /etc/profile.bak
   	echo "TMOUT=300" >> /etc/profile
   	echo "export TMOUT" >> /etc/profile
   #	sed -i ‘s/^HISTSIZE=1000/HISTSIZE=30/g‘ /etc/profile
   	echo -e "\033[31m TMOUT \033[0m is already modify TMOUT=300"
   else               ##若是配置过超时命令,替换换默认超时时间
   	sed -i s/TMOUT=$n/TMOUT=300/g /etc/profile  #替换默认超时时间为180
   	echo -e  "\033[31m default TMOUT \033[0m is $n,TMOUT is already modify to 180s successful  " #获取默认超时时间
   #	echo "export TMOUT" >> /etc/profile
   fi
   
   ############## 《禁止root ftp登录》################################
   
   if [ -f /etc/vsftpd/ftpusers ];then
           p=`grep ‘root‘ /etc/vsftpd/ftpusers | wc -l`
           if [ $p -eq 0 ];then
               cp  /etc/vsftpd/ftpusers /etc/vsftpd/ftpusers.bak
               echo "root" >> /etc/vsftpd/ftpusers
               echo -e "\033[31m The ftp for root forbidden \033[0m successful or\033[31m ftp‘s service not exsits \033[0m"
           else
               echo -e "\033[31m The vsftpd \033[0m service not exists or Have been modified"
           fi
   
   else
           echo -e "\033[31m The vsftpd \033[0m service not exists or Have been modified"
   fi
   
   ################ 《登录警告语》###################################
   
   grep "WARNING" /etc/motd 2>&1 >/dev/null
   if [ $? -ne 0 ];then
       cp  /etc/motd /etc/motd.bak 
   	echo "WARNING: If you are not authorized to access this private computer system, disconnect now. All activities on this system will be monitored and recorded without prior notification or permission!" > /etc/motd
   	echo -e "\033[31m The motd \033[0m is add at /etc/motd successful"
   else 
   	echo -e "\033[31m The motd "WARNING" is exsits\033[0m,please check if need to modify again"
   fi
   
   
   ############## 《关闭telnet》####################################
   
   y=`chkconfig --list|grep telnet |awk ‘{print $2}‘`
   m=`chkconfig --list|grep telnet `
   if [ $? -ne 0 ];then
   	echo -e "\033[31m The telnet \033[0m is not exsits"
   else
      	if [ $y == "on" ];then
   		chkconfig telnet off
   		echo -e "\033[31m The telnet \033[0m is stop sucessful"
   	else
   		echo -e "\033[31m The telnet\033[0m is already stop "
   	fi
   fi

else
   echo "cache System version"
fi

 

系统优化类

标签:monitor   icm   exp   echo   grep   running   adc   passwd   shang   

原文地址:https://www.cnblogs.com/steven9898/p/11348775.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!