#!/bin/bash
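#0.disable selinux
# NOTE(review): this leaves the host with SELinux permissive (denials are logged,
# not enforced). Keeping it enforcing and fixing the policy for the workload is the
# safer choice; if permissive really is required, keep auditd running so the AVC
# log is still available for review.
setenforce 0
# The original line used typographic quotes (‘ ’), which sed received as part of
# the expression and rejected, so the config file was never changed.
# /etc/sysconfig/selinux is normally a symlink to /etc/selinux/config on RHEL
# derivatives and GNU `sed -i` replaces a symlink with a regular file, leaving the
# real config untouched -- so edit the real file. Anchored so only the active
# SELINUX= line is touched.
sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config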
#1.set ip address
#
#read -p "input interface num[eth0,eth1]:" int
#read -p "input ip address:" ip
#read -p "input netmask:" ms
#read -p "input gateway:" gw
#
#cat > /etc/sysconfig/network-scripts/ifcfg-$int << EOF
#DEVICE=$int
#TYPE=Ethernet
#ONBOOT=yes
#NM_CONTROLLED=no
#BOOTPROTO=static
#IPADDR=$ip
#NETMASK=$ms
#GATEWAY=$gw
#EOF
#
#2.set dns
#read -p "input dns server[df:114.114.114.114]:" dns
#if [ -z "$dns" ];then   # empty answer at the prompt -> fall back to the default below (the old `[ $dns = 0 ]` was a syntax error on an empty answer)
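dns="114.114.114.114"
# Append the resolver only if it is not already listed, so re-running the script
# does not stack up duplicate nameserver lines (the resolver only honours the first
# three entries anyway).
grep -qsFx "nameserver $dns" /etc/resolv.conf || echo "nameserver $dns" >> /etc/resolv.conf
# NOTE(review): /etc/resolv.conf is rewritten by dhclient/NetworkManager on lease
# renewal or interface restart; for a persistent setting put DNS1=... in the
# ifcfg-* file instead of editing this file directly.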
#else
#echo "nameserver $dns" >> /etc/resolv.conf
#fi
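#3.set iptables
# NOTE(review): the policy below defaults INPUT to DROP and admits new
# connections only from the four listed networks. Before restarting, make sure
# the address you administer from is inside one of them, or this SSH session and
# every future one is cut off. Also:
#  - the two 10.0.x.0/24 networks get every protocol and port; the two public
#    /24s get every TCP port -- consider restricting those to the ports actually
#    served (e.g. `--dport 22` for SSH);
#  - there is no ip6tables counterpart, so if IPv6 is enabled on this host its
#    INPUT chain remains wide open;
#  - inbound ICMP (including echo) from outside the allow-listed networks is
#    dropped; errors for existing flows still pass via RELATED.
iptables -F
iptables -X
iptables -Z
# The ruleset file is written wholesale below, so saving the flushed (empty)
# ruleset first with `/etc/init.d/iptables save` was redundant and is dropped.
# Quoted heredoc: nothing in the ruleset is meant to be shell-expanded.
cat > /etc/sysconfig/iptables << 'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.8.0/24 -j ACCEPT
-A INPUT -s 10.0.10.0/24 -j ACCEPT
-A INPUT -s 121.9.13.0/24 -p tcp -m state --state NEW -m tcp -j ACCEPT
-A INPUT -s 121.9.243.0/24 -p tcp -m state --state NEW -m tcp -j ACCEPT
COMMIT
EOF
/etc/init.d/iptables restart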
#4.add login user
#pw="x+y-z=$(echo "${ip}" | awk -F'.' '{print $NF}')"   # NOTE(review): if re-enabled, do not derive the password from the last IP octet -- it is guessable from the address alone; generate a random one instead.
#useradd youboy
#echo "$pw" |passwd --stdin youboy
#5.modify ssh port
#sed -i 's/#Port 22/Port 22612/' /etc/ssh/sshd_config
#sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
#/etc/init.d/sshd reload
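#6.sync time
# Step the clock once a day. The original line was wrapped in typographic quotes
# (‘ ’), which echo wrote into the crontab verbatim; cron then rejected the entry
# because its minute field started with ‘.
ntp_job='0 0 * * * /usr/sbin/ntpdate cn.pool.ntp.org'
# Add the entry only once so re-runs do not duplicate it, and keep the spool file
# at the 0600 mode crontab(1) itself would give it.
if ! grep -qsF "$ntp_job" /var/spool/cron/root; then
  echo "$ntp_job" >> /var/spool/cron/root
  chmod 600 /var/spool/cron/root
fi
# NOTE(review): ntpdate steps the clock (possibly backwards), which upsets log
# ordering and anything relying on wall-clock monotonicity; a continuously
# disciplining ntpd/chronyd is the usual choice. Step 9 below stops every service
# not in its skip list -- crond must be kept running for this job to fire at all.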
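#7.The kernel optimization
# Replaces /etc/sysctl.conf wholesale: anything already in the file is lost, so
# review the existing file before running this on a host you did not build.
# Quoted heredoc: nothing here is meant to be shell-expanded.
cat > /etc/sysctl.conf << 'EOF'
net.ipv4.ip_forward = 0
# conf.default.* only seeds interfaces created later; conf.all.* is what covers
# the interfaces that already exist, so set both.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 20000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
# NOTE(review): older kernels store listen backlogs in 16 bits, so values above
# 65535 may not behave as expected -- confirm on the target kernel.
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
# With timestamps off, PAWS is disabled and tcp_tw_reuse below has no effect
# (it needs the timestamp option to be safe). tcp_tw_recycle was dropped from
# this list on purpose: it is a no-op without timestamps, breaks clients behind
# NAT the moment timestamps are re-enabled, and no longer exists in recent kernels.
net.ipv4.tcp_timestamps = 0
# A single retry means one lost SYN/SYN-ACK fails the connection -- aggressive;
# tune for the network this host actually sees.
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_reuse = 1
# tcp_mem is counted in pages, not bytes; these values are far above any real
# RAM size, i.e. effectively no cap.
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65535
# NOTE(review): these conntrack keys exist only once the conntrack module is
# loaded (so `sysctl -p` may report them unknown early in boot) and are named
# net.netfilter.nf_conntrack_* on newer kernels -- confirm on the target.
net.ipv4.netfilter.ip_conntrack_max = 102400
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 86400
EOF
# Apply now instead of waiting for the (commented-out) reboot at the end.
sysctl -p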
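#8.set process / open-file / stack limits
# Append the pam_limits entries only once so re-running the script does not
# duplicate them. Quoted heredoc: nothing here is meant to be expanded.
if ! grep -qE '^\*[[:space:]]+hard[[:space:]]+nofile[[:space:]]+65535' /etc/security/limits.conf; then
cat >> /etc/security/limits.conf << 'EOF'
* soft nproc 4000
* hard nproc 4000
* soft nofile 65535
* hard nofile 65535
* soft stack 4000
* hard stack 4000
EOF
fi
# NOTE(review): per limits.conf(5) the '*' wildcard does not apply to root (add an
# explicit 'root' line if it should); files under /etc/security/limits.d/ are read
# afterwards and override these (RHEL6 ships a 90-nproc.conf there); and a
# 4000 KiB hard stack is about half the usual 8 MiB default -- confirm the
# workload tolerates it.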
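#9.turn off services that start at boot (runlevel 3), except the skip list below
# NOTE(review): anything not named in the skip list is stopped and disabled, so
# review it against `chkconfig --list` on the target first. Three services were
# missing from the original list and would have been stopped: crond (step 6 above
# installs a root cron job that needs it), rsyslog (the syslog service on CentOS 6
# -- without it local logging stops) and auditd (keeps the SELinux AVC denials on
# disk now that the policy is permissive).
for link in /etc/rc3.d/S*; do
  [ -e "$link" ] || continue                 # no S* links at all: glob stayed literal
  # /etc/rc3.d/S55sshd -> sshd: drop the directory, then the 'S' + 2-digit priority.
  svc=${link##*/}
  svc=${svc:3}
  echo "$svc"
  case "$svc" in
    network | sshd | syslog | rsyslog | iptables | crond | auditd | vncserver | libvirtd | libvirt-guests | master | java | snmpd )
      echo "Base services, Skip!"
      ;;
    *)
      echo "change $svc to off"
      chkconfig --level 235 "$svc" off
      service "$svc" stop
      ;;
  esac
done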
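#10.reboot
# The message was wrapped in typographic quotes (‘ ’), which echo printed
# literally; plain single quotes are what was intended.
echo 'system init is done,now reboot!'
# Reboot is left commented out: until the host restarts, the SELinux mode written
# to /etc/selinux/config and any service changes that need a boot are not in
# effect, so reboot deliberately when ready.
#init 6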