mmio

功能说明

  服务器通常使用最小化安装操作系统,使用该脚本可快速初始化一些基本配置,包括以下:

1、ssh修改默认端口

2、ssh禁止root登录

3、selinux及firewalld禁用

4、history历史操作记录格式

5、安装常用软件

6、配置TMOUT

7、配置ssh登录banner

8、修改用户过期时间

  前提:Centos 7系列操作系统及配置好yum源。

 

脚本链接

  https://files-cdn.cnblogs.com/files/blogs/683815/preset.sh

  脚本中有少部分中文,直接打开可能显示乱码。可使用wget 下载到本地

wget https://files-cdn.cnblogs.com/files/blogs/683815/preset.sh

 

preset.sh

#!/bin/bash 
#Date:2021-09-08
#Description:When choosed "minimal install" to install OS, Use this shell script to initialization system quickly.

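source /etc/init.d/functions

#####define color
RED="\033[1;31m"
GREEN="\033[1;32m"
YELLOW="\033[1;33m"
BLUE="\033[1;34m"
PURPLE="\033[1;35m"
COLOR_END="\033[0m" 

#####Make sure system-release
# Major version = first purely numeric field of /etc/system-release
# ("CentOS Linux release 7.9.2009 (Core)" -> 7).  Falls back to 0 when the
# file is missing or unparsable so the numeric test that follows never sees an
# empty operand (a bash syntax error instead of a clean "not match").
OS_Release=$(awk -F'[ .]' '{for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) {print $i; exit}}' /etc/system-release 2>/dev/null)
OS_Release=${OS_Release:-0}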

if [ $OS_Release -eq 7 ];then
    # Matching-version branch: print the notice, pause for two "checking"
    # beats, then the [ OK ] line provided by action() from /etc/init.d/functions.
    echo
    echo -e "${PURPLE}Warning: The script only supports \"Centos 7 series\", System version match!! ${COLOR_END}"
    for _ in 1 2; do
        printf 'System checking ...\n'
        sleep 1
    done
    action "System version match" /bin/true

#####shell production
# Menu legend: entry number, one-line description and the menu label that runs
# it.  Every row goes through the same format string so the layout is uniform.
rule_line="${YELLOW}--------------------------------------------------------------------${COLOR_END}"
echo -e "$rule_line"
echo -e "${YELLOW}                           Script description${COLOR_END}"
legend=(
  "1)|Install the basic softwall and environment.|install-softwall"
  "2)|Modify the ssh default port.|modify-ssh-port"
  "3)|Disabled selinux and firewalld.|disalbe-selinux-firewalld"
  "4)|Disabled \"root\" account ssh login.|modify-ssh-root"
  "5)|Modify the login banner information.|modify-banner"
  "6)|Configure TMOUT is 600 seconds.|modify-timeout"
  "7)|Modify user password expiration time.|modify_passwd_expire"
  "8)|Modify user operation record format.|modify_history_format"
)
for row in "${legend[@]}"; do
  IFS='|' read -r num desc fn <<<"$row"
  printf "${YELLOW}%-2s %s\n %s\n ${COLOR_END}\n" "$num" "$desc" "     Use function: ${fn}"
done
echo -e "$rule_line"

#####define function
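install_software(){
    # Installs the baseline package set after asking whether a yum repository
    # is configured.  yum output is discarded; success is judged from the exit
    # status (and, for the base set, from the one package later steps rely on).
    echo 
    echo -e "${RED}If configured \"yum repos\", Please inut \"yes\" to start, Otherwise, input \"no\" and return to the main menu:${COLOR_END}\n"
    read -r -p $'\033[1;35mPlease inut "yes|no":\033[0m' ACK
    echo 
    case "$ACK" in 
    [yY][eE][sS])
        echo -e "${YELLOW}Beginning install base softwall....${COLOR_END}"
        yum install -y vim-enhanced wget lrzsz tree bash-completion net-tools lsof man-pages ntpdate unzip nfs-utils gcc glibc-devel pcre pcre-devel openssl-devel systemd-devel zlib-devel iptables-services yum-utils &>/dev/null
        # iptables-services is what modify_ssh_port needs to persist the rule for
        # the new port; without it the host is unreachable over ssh after a reboot.
        if rpm -q iptables-services &>/dev/null; then
            action "softwall install " /bin/true
        else
            action "software install " /bin/false
        fi

        echo -e "${YELLOW}Beginning install fonts....${COLOR_END}"
        if yum groupinstall -y fonts &>/dev/null; then
            action "fonts install "  /bin/true
        else
            action "fonts install "  /bin/false
        fi

        echo -e "${YELLOW}Beginning install X Protocol(X11)....${COLOR_END}"
        # Package-name globs are quoted so yum expands them, not the shell
        # against whatever happens to be in the current directory.
        if yum install -y xorg-x11-xauth 'xorg-x11-fonts-*' xorg-x11-font-utils xorg-x11-fonts-Type1 firefox mesa-libGLES-devel.x86_64 mesa-dri-drivers 'mesa-libGLU*.i686' 'mesa-libGLU*.x86_64' dbus-x11 &>/dev/null; then
            action "X11 install "  /bin/true
        else
            action "X11 install "  /bin/false
        fi
        echo
        echo -e "${GREEN}Finished install....${COLOR_END}\n"
        ;;

    [Nn][Oo])
        echo -e "${PURPLE}Please configured the \"yum repos\" before run this shell${COLOR_END}\n"
        echo -e "${PURPLE}You can see this essay: \"https://www.cnblogs.com/mmio/p/15160936.html\" ${COLOR_END}\n"
        ;;
    *)
        echo -e "${RED}Input error. Please input:'yes|no' ${COLOR_END}\n"
        ;;
    esac
}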

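modify_issue_net () {
    # Writes the pre-authentication ssh banner to /etc/issue.net, points sshd at
    # it and turns UseDNS off.  Both sshd_config edits are made before the single
    # restart so they take effect together (the original order restarted sshd
    # first, leaving the UseDNS change inactive until the next restart), and the
    # config is syntax-checked with `sshd -t` before sshd is restarted.
    cat >/etc/issue.net <<'EOF'

###############################################################################
#                       WARNING                                               #
#  This is a private server                                                   #
#  All connections will be monitored                                          #
#  All operations will be recorded                                            #
#  Disconnect IMMEDIATELY if you are not an authorized user                   #
#  If you login in illegally, we will hold you legally responsible            #
###############################################################################

EOF

    # Anchored so only the directive line is rewritten, whether it is still
    # commented out or already set to another value.
    if sed -i '/^#\?Banner/c\Banner /etc/issue.net' /etc/ssh/sshd_config; then
        action "open ssh banner" /bin/true
    else
        action "open ssh banner" /bin/false
    fi
    if sed -i '/^#\?UseDNS/c\UseDNS no' /etc/ssh/sshd_config; then
        action "disable \"UseDNS\" " /bin/true
    else
        action "disable \"UseDNS\" " /bin/false
    fi
    if sshd -t &>/dev/null && systemctl restart sshd &>/dev/null; then
        action "restart sshd" /bin/true
    else
        action "restart sshd" /bin/false
    fi

    echo -e "${GREEN}Modify /etc/issue.net file sucess. Please login again ${COLOR_END}\n"
}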

modify_issue () {
    # Replaces /etc/issue (the local console banner) with the warning block:
    # a blank line, the boxed text, and a trailing blank line.
    cat >/etc/issue <<'EOF'

###############################################################################
#                       WARNING                                               #
#  This is a private server                                                   #
#  All connections will be monitored                                          #
#  All operations will be recorded                                            #
#  Disconnect IMMEDIATELY if you are not an authorized user                   #
#  If you login in illegally, we will hold you legally responsible            #
###############################################################################

EOF

    echo -e "${GREEN}Modify /etc/issue file sucess. Please login again ${COLOR_END}\n"
}

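modify_ssh_port () {
    # Moves sshd to a user-chosen port and opens it in iptables (iptables-services
    # is required so the rule survives a reboot).  The port is validated as a
    # number in 1-65535 before it is spliced into the sed script, and when
    # SELinux is enforcing it is labelled ssh_port_t first — otherwise sshd
    # cannot bind to it and the restart below would lock the host out.
    local ssh_port
    echo -e "${RED}Warning:Package \"iptables-services\" must be installed. Otherwise you can't save the iptables rules and can't login use ssh!!! ${COLOR_END}\n"
    if ! rpm -q iptables-services &>/dev/null; then
        echo -e "${RED}Modify ssh port fail: Package \"iptables-services\" not install:\n Please input the number \"1\" to install, or exit script and  run command: \"yum install -y iptables-services\" ${COLOR_END}\n"
        return 1
    fi

    read -r -p $'\033[1;33mPlease input a new port(eg:15225): \033[0m' ssh_port 
    if [[ ! "$ssh_port" =~ ^[0-9]{1,5}$ ]] || (( 10#$ssh_port < 1 || 10#$ssh_port > 65535 )); then
        action "Modify ssh port" /bin/false
        echo -e "${RED}Invalid port \"${ssh_port}\": expected a number from 1 to 65535, nothing changed ${COLOR_END}\n"
        return 1
    fi
    ssh_port=$(( 10#$ssh_port ))   # drop leading zeros so every check below sees one form

    if [[ "$(getenforce 2>/dev/null)" == "Enforcing" ]]; then
        if ! command -v semanage &>/dev/null; then
            action "label port ${ssh_port} for selinux" /bin/false
            echo -e "${RED}SELinux is enforcing and \"semanage\" is missing (package policycoreutils-python). Install it or disable selinux (menu 3) first, nothing changed ${COLOR_END}\n"
            return 1
        fi
        # -a fails when the port is already defined; -m then re-labels it.
        if semanage port -a -t ssh_port_t -p tcp "$ssh_port" &>/dev/null \
            || semanage port -m -t ssh_port_t -p tcp "$ssh_port" &>/dev/null; then
            action "label port ${ssh_port} for selinux" /bin/true
        else
            action "label port ${ssh_port} for selinux" /bin/false
            return 1
        fi
    fi

    # Only the (possibly commented) Port directive is rewritten.
    sed -i "/^#\?Port /c\Port ${ssh_port}" /etc/ssh/sshd_config
    if sshd -t &>/dev/null && systemctl restart sshd &>/dev/null; then
        action "sshd restart" /bin/true
    else
        action "sshd restart" /bin/false
    fi
    # Listener check covers both the IPv4 (*:port) and IPv6 (:::port) forms.
    if ss -nlt | grep -q "[*:]:${ssh_port}[[:space:]]"; then
        action "Modify ssh port" /bin/true
    else
        action "Modify ssh port" /bin/false
    fi

    # Insert and save the ACCEPT rule before firewalld is swapped for iptables
    # so it is part of the ruleset iptables-services loads on its first start.
    iptables -I INPUT -p tcp --dport "$ssh_port" -j ACCEPT
    service iptables save &>/dev/null
    systemctl mask firewalld &>/dev/null && action "mask firewalld" /bin/true 
    systemctl stop firewalld &>/dev/null && action "stop firewalld" /bin/true || echo -e "${RED}Stop firewalld fail, Please run this command: systemctl disable firewalld --now ${COLOR_END}"
    systemctl enable iptables --now &>/dev/null && action "enable iptables" /bin/true 
    systemctl restart iptables &>/dev/null && action "restart iptables" /bin/true 
    # Match the dpt: column exactly, not any rule whose counters contain the digits.
    if iptables -nvL | grep -Eq "dpt:${ssh_port}( |$)"; then
        action "add ${ssh_port} to iptables" /bin/true
    else
        action "add ${ssh_port} to iptables" /bin/false
    fi
    echo 
    echo -e "${GREEN}Please record the new ssh port: ${ssh_port} ${COLOR_END}\n"
    echo -e "${GREEN}Now the \"ssh port ${ssh_port}\" iptables rule allow all host login, Please modify according to yourself. ${COLOR_END}"
}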

disable_selinux () {
    # Sets SELINUX=disabled for the next boot and switches the running system
    # to permissive with setenforce 0.  This drops the mandatory-access layer
    # that confines daemons such as sshd; "permissive" in the config file keeps
    # audit logging while not enforcing, if that is the preferred trade-off.
    echo 
    if sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config; then
        action "disable selinux"  /bin/true
    fi
    if setenforce 0 &>/dev/null; then
        action "setenforce 0" /bin/true
    fi
    echo -e "${GREEN}Disable selinux temporary, If you need permanent effective, please restart system ${COLOR_END}"
}

disable_firewalld () {
    # Masks and stops firewalld.  From here on the host has no packet filter
    # unless iptables-services is enabled (modify_ssh_port does that); the
    # closing message lists the commands that switch back to firewalld.
    echo 
    if systemctl mask firewalld &>/dev/null; then
        action "mask firewalld" /bin/true 
    fi
    if systemctl stop firewalld &>/dev/null; then
        action "stop firewalld" /bin/true
    else
        echo -e "${RED}Stop firewalld fail, Please run this command: systemctl disable firewalld --now ${COLOR_END}\n"
    fi
    echo -e "${GREEN}Disable firewalld sucess, if you want to use \"firewalld\", please run command: \"systemctl unmask firewalld; systemctl disable iptables --now; systemctl enable firewalld --now\" ${COLOR_END}\n"
}

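disable_ssh_root () {
    # Creates (or accepts an existing) non-root account, then sets
    # PermitRootLogin no and restarts sshd so access does not vanish with root.
    # The password is read without terminal echo, handed to passwd on stdin
    # (never argv) and is not printed back.  The account is not added to wheel;
    # root remains reachable only through su with the root password.
    # Fixes: the original tested $? of an `echo`, so it reported success even
    # when useradd/passwd had failed, and it printed the password in clear.
    local ssh_user ssh_passwd ok=1 cur_port host_ip
    echo -e "${RED}Warning:Befor disable the user \"root\" login by ssh, you must create a new user! ${COLOR_END}\n"
    read -r -p $'\033[1;34mPlease input a new username,then press "Enter":\033[0m' ssh_user
    if [[ -z "$ssh_user" ]]; then
        echo
        action "Create new user: ${ssh_user}" /bin/false
        echo -e "${RED}Empty username, nothing changed ${COLOR_END}\n"
        return 1
    fi
    if id "$ssh_user" &>/dev/null; then
        echo
        # An existing account is accepted as the fallback login; its password is left alone.
        echo -e "${YELLOW}User \"${ssh_user}\" already exists, password unchanged ${COLOR_END}\n"
        ok=0
    elif useradd -m "$ssh_user" &>/dev/null; then
        read -r -s -p $'\033[1;34mPlease input a password,then press "Enter": \033[0m' ssh_passwd
        echo
        # useradd leaves the new account password-locked, so a failed passwd
        # below does not leave a usable login behind.
        if [[ -n "$ssh_passwd" ]] && printf '%s\n' "$ssh_passwd" | passwd --stdin "$ssh_user" &>/dev/null; then
            ok=0
        fi
    fi
    echo
    if (( ok == 0 )); then
        action "Create new user: ${ssh_user}" /bin/true 
        # Report the port sshd actually listens on (modify_ssh_port may have run first).
        cur_port=$(awk '/^Port /{print $2; exit}' /etc/ssh/sshd_config)
        host_ip=$(hostname -I 2>/dev/null | awk '{print $1}')
        echo -e "${GREEN}Please record the new ssh user:\n  username: ${ssh_user}\n   (the password is the one you just typed; it is not shown here) ${COLOR_END}\n"
        echo -e "${RED}Warning: Please run this command to check the new user login sucess: \"ssh ${ssh_user}@${host_ip:-SERVER_IP} -p ${cur_port:-22}\"  ${COLOR_END}\n"

        echo -e "${BLUE}Waiting 3s...Now begin modify ssh to disable the user \"root\" login ${COLOR_END}\n"
        sleep 3
        # Match the directive whether it is commented out or set to another
        # value, so the result is always an explicit "PermitRootLogin no".
        sed -i '/^#\?PermitRootLogin/c\PermitRootLogin no' /etc/ssh/sshd_config
        if sshd -t &>/dev/null && systemctl restart sshd &>/dev/null; then
            action "restart ssh" /bin/true
        else
            echo -e "${RED}Restart sshd failed, Please check the file: /etc/ssh/sshd_config ${COLOR_END}"
        fi
        echo
        echo -e "${GREEN}Disable \"root\" login sucess ${COLOR_END}\n"
    else 
        action "Create new user: ${ssh_user}" /bin/false
        echo -e "${RED}Create user failed. Please run this command to create a new user and set password: \"useradd NEWUSER; echo 'PASSWORD' |passwd --stdin NEWUSER\" ${COLOR_END}\n"
    fi

}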
    
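modify_tmout () {
    # Sets the idle-shell timeout in /etc/profile to 600 s.  Only an active
    # assignment ("TMOUT=" or "export TMOUT=") is matched, so comments or other
    # lines that merely mention TMOUT are not rewritten.  Note the value is a
    # plain assignment, so an interactive user can still unset it; a
    # `readonly TMOUT` line would be needed to make it stick.
    if grep -q '^\(export \)\?TMOUT=' /etc/profile; then
        sed -i '/^\(export \)\?TMOUT=/c\TMOUT=600' /etc/profile && source /etc/profile
        action "Modify TMOUT=600" /bin/true
        echo 
    else 
        echo "TMOUT=600" >> /etc/profile && source /etc/profile
        action "Set TMOUT=600" /bin/true
        echo
    fi
}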

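modify_passwd_expire (){
    # Sets PASS_MAX_DAYS to 90 in /etc/login.defs.  This applies to accounts
    # created afterwards only; existing accounts keep their chage(1) values.
    # The value is read with awk and compared as a string, so a missing or
    # non-numeric setting no longer produces a `[ -eq ]` syntax error.
    local maxday
    maxday=$(awk '/^PASS_MAX_DAYS/{print $2; exit}' /etc/login.defs)
    if [[ "$maxday" == "90" ]]; then
        action "Modify password expiration time" /bin/true
    elif [[ -n "$maxday" ]] && sed -i '/^PASS_MAX_DAYS/c\PASS_MAX_DAYS 90' /etc/login.defs; then
        action "Modify password expiration time" /bin/true
    elif [[ -z "$maxday" ]] && echo "PASS_MAX_DAYS 90" >> /etc/login.defs; then
        # No directive at all: append one rather than silently doing nothing.
        action "Modify password expiration time" /bin/true
    else
        action "Modify password expiration time" /bin/false
    fi
}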

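modify_history_format (){
    # Adds a timestamped HISTTIMEFORMAT to /etc/profile once; re-running the
    # script must not stack duplicate export lines.  HISTTIMEFORMAT is a
    # convenience for shell history, not an audit trail — any user can unset it.
    if grep -q 'HISTTIMEFORMAT' /etc/profile; then
        action "Modify history record file format" /bin/true
    elif echo  'export HISTTIMEFORMAT="%F %T `whoami` " ' >> /etc/profile; then
        action "Modify history record file format" /bin/true
    else
        action "Modify history record file format" /bin/false
    fi
    source /etc/profile
    echo 
}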

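all () {
    # Runs every step.  disable_selinux is deliberately placed before
    # modify_ssh_port: with SELinux enforcing, sshd cannot bind to an
    # unlabelled port, and the sshd restart inside modify_ssh_port would cut
    # off remote access.
    echo
    echo -e "${YELLOW}Beginning execute all \"1-8\"....${COLOR_END}"
    install_software
    disable_selinux
    modify_ssh_port
    disable_firewalld
    disable_ssh_root
    modify_issue
    modify_issue_net
    modify_tmout
    modify_passwd_expire
    modify_history_format
}    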

#####main
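#####main
# Menu labels in the order select(1) numbers them; the case below is keyed on
# $REPLY (the number typed), so the two lists must stay in sync.
PS3=$(echo -e "${YELLOW}Please input the number[1-10]: ${COLOR_END}")
LIST=(
    install-softwall
    modify-ssh-port
    disalbe-selinux-firewalld
    disable-ssh-root
    modify-banner
    modify-timeout
    modify-password-expire
    modify-history-format
    all
    quit
)

select menu in "${LIST[@]}"; do
case "$REPLY" in 
1)
    echo 
    echo -e "${PURPLE}---Install software--- ${COLOR_END}"
    install_software
    ;; 
2)
    echo
    echo -e "${PURPLE}---Modify ssh port--- ${COLOR_END}"
    modify_ssh_port
    ;;
3)
    echo
    echo -e "${PURPLE}---Disable selinux and firewalld--- ${COLOR_END}"
    disable_selinux
    disable_firewalld
    ;;
4)
    echo 
    # Header added so this entry announces itself like the others.
    echo -e "${PURPLE}---Disable root ssh login--- ${COLOR_END}"
    disable_ssh_root
    ;;
5)
    echo
    echo -e "${PURPLE}---Modify before login banner information--- ${COLOR_END}"
    modify_issue
    modify_issue_net
    ;;
6)
    echo
    echo -e "${PURPLE}---Configure TMOUT--- ${COLOR_END}"
    modify_tmout 
    ;;
7)
    echo
    echo -e "${PURPLE}---Modify new user's password expiration time---${COLOR_END}"
    modify_passwd_expire
    ;;
8)
    echo 
    echo -e "${PURPLE}---Modify history for user operation record format---${COLOR_END}"
    modify_history_format
    ;;
9)    
    echo 
    echo -e "${PURPLE}---Execute all \"1-8\"---${COLOR_END}"
    all
    ;;
10)    
    echo -e "${PURPLE} Bye Bye ${COLOR_END}"
    break
    ;;
*)
    echo -e "${PURPLE}Input error. Please input the number: \"1-10\" ${COLOR_END}"
    ;;      
esac
done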


else
    # Non-matching version: say so and fall through to the end of the script.
    echo
    printf '%b\n' "${PURPLE}Warning: The script only supports \"Centos 7 series\", System version not match!! ${COLOR_END}"
fi

 
