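#!/usr/bin/env bash
# CentOS 6/7 one-shot initialisation script.
#
# Menu items: 1) static network config, 2) shell command auditing,
# 3) system tuning (sshd, IPv6, SELinux, firewall, NTP, limits, sysctl),
# 4) YUM mirror + EPEL, 5) MySQL community repo + server.
#
# Every item rewrites files under /etc as root, so root is required for all
# of them (checked once in main, not only for the network step). Each tuning
# step asks for confirmation via MUTUAL() before touching anything.
#
# NOTE(review): the original defined `STDOUT=\`>/dev/null 2>&1\`` — a command
# substitution that expands to the empty string — so `$STDOUT` never
# redirected anything (and the cron lines it was pasted into carried no
# redirect at all). Redirections are now written out explicitly.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH

clear
echo "#========================================================="
echo "# System Required: CentOS 6/7+ Debian 6/7+ Ubuntu 14.04+"
echo "# Description: Linux系統初始化腳本"
echo "# Version: 3.6.0"
echo "# Author:Chuyio"
echo "# Date:18/06/2017"
echo "# Blog:https://www.cnblogs.com/chuyiwang"
echo "# Github:https://github.com/Chuyio"
echo "#========================================================="

# Major release number ("6" or "7"); empty on non-RHEL systems so that the
# later `case "$CENTOS_VERSION"` falls through to VERSION_ERROR.
CENTOS_VERSION=""
if [[ -f /etc/redhat-release ]]; then
  CENTOS_VERSION=$(awk -F'release' '{print $2}' /etc/redhat-release | awk -F'[ .]+' '{print $2}')
fi

GREEN_FONT_PREFIX="\033[46;34m"
PURPLE_FONT_PREFIX="\033[35m"
RED_FONT_PREFIX="\033[41;33;5m"
GREEN_BACKGROUND_PREFIX="\033[42;37m"
FONT_COLOR_SUFFIX="\033[0m"
INFO="${GREEN_FONT_PREFIX}[信息]${FONT_COLOR_SUFFIX}"
ERROR="${RED_FONT_PREFIX}[錯誤]${FONT_COLOR_SUFFIX}"
TIP="${PURPLE_FONT_PREFIX}[注意]${FONT_COLOR_SUFFIX}"

# NTP source used by TIMELOCK (kept as a single constant so it can be swapped
# for an internal time server without hunting through the cron line).
NTP_SERVER="203.107.6.88"

#######################################
# Abort for an unsupported CentOS major version.
# Returns: exits 110.
#######################################
VERSION_ERROR() {
  echo -e "
${RED_FONT_PREFIX} 本腳本僅支持 CentOS6+/7+ 版本系統 暫時不支持本系統版本
System Version Error,Scripts only apply to Centos 6 and 7 versions ${FONT_COLOR_SUFFIX}"
  exit 110
}

#######################################
# Prompt on a terminal and read a line into a variable.
# Arguments: $1 - prompt text, $2 - name of the variable to fill
# The `stty erase '^H'` mirrors the original behaviour (makes Backspace work
# on consoles that send ^H); it is best-effort and must not block the read.
#######################################
ASK() {
  echo
  stty erase '^H' 2>/dev/null
  read -r -p "$1" "$2"
}

#######################################
# Return 0 when $1 is a dotted-quad IPv4 address with every octet <= 255.
# Used to refuse garbage before it is written into ifcfg-* (a bad value
# leaves the host unreachable after the network restart).
#######################################
VALID_IPV4() {
  local addr=$1 octet
  [[ $addr =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so a leading zero is not parsed as octal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Cosmetic progress bar (~2 s) printed before a long-running step.
#######################################
JDT() {
  local i bar="" spinner=("|" "/" "-" "\\")
  echo "准備中..."
  for ((i = 0; i <= 20; i++)); do
    printf "\e[0;%d;1m[%-20s][%d%%]%c\r" "$((30 + i % 8))" "$bar" "$((i * 5))" "${spinner[i % 4]}"
    sleep 0.1
    bar+='+'
  done
  printf "\n"
  echo "正在執行...稍候!"
}

#######################################
# Exit unless running as root (EUID 0).
#######################################
CHECK_ROOT() {
  if [[ $EUID != 0 ]]; then
    echo -e "${ERROR} 當前賬號非ROOT(或沒有ROOT權限),無法繼續操作,請使用${GREEN_BACKGROUND_PREFIX} sudo su ${FONT_COLOR_SUFFIX}來獲取臨時ROOT權限(執行后會提示輸入當前賬號的密碼)。"
    exit 1
  fi
}

#######################################
# Detect the distribution family into $release and the arch into $bit.
#######################################
CHECK_SYS() {
  release=""
  if [[ -f /etc/redhat-release ]]; then
    release="centos"
  elif grep -qiE "debian" /etc/issue 2>/dev/null; then
    release="debian"
  elif grep -qiE "ubuntu" /etc/issue 2>/dev/null; then
    release="ubuntu"
  elif grep -qiE "centos|red hat|redhat" /etc/issue 2>/dev/null; then
    release="centos"
  elif grep -qiE "debian" /proc/version 2>/dev/null; then
    release="debian"
  elif grep -qiE "ubuntu" /proc/version 2>/dev/null; then
    release="ubuntu"
  elif grep -qiE "centos|red hat|redhat" /proc/version 2>/dev/null; then
    release="centos"
  fi
  bit=$(uname -m)
}

#######################################
# Abort with exit 110 when the previous command failed.
# Must be called immediately after the command being checked.
#######################################
CHECK_RESULT() {
  if [[ $? -ne 0 ]]; then
    echo -e "${ERROR} ERROR,Please To Check !!!"
    exit 110
  fi
}

#######################################
# Interactive static IPv4 configuration for the interface listed second in
# `ip a` (index 2 — the first non-loopback device on a single-NIC host; this
# is an assumption inherited from the original script).
# Globals written: NETPATH, NETCNF, NETNAME, IPA, NTM, GTW, DNS
#######################################
NETWORK() {
  CHECK_ROOT
  local candidate cfg_iface cfg_prefix backup_dir
  NETPATH="/etc/sysconfig/network-scripts/"
  NETNAME=$(ip a | grep -E '^2:' | awk -F'[: ]+' '{print $2}')
  if [[ -z $NETNAME ]]; then
    echo -e "${ERROR} 無法檢測網卡名稱 (ip a 第2項為空)"
    exit 110
  fi

  # First entry of the directory whose name contains "if" (same selection as
  # the original `ls | grep if | head -1`, without parsing ls).
  NETCNF=""
  for candidate in "$NETPATH"if*; do
    [[ -e $candidate ]] || continue
    NETCNF=${candidate##*/}
    break
  done
  cfg_iface=${NETCNF#*-}
  if [[ $cfg_iface != "$NETNAME" ]]; then
    cfg_prefix=${NETCNF%%-*}
    NETCNF="${cfg_prefix}-${NETNAME}"
  fi

  # Back up into a fresh mktemp directory rather than a predictable /tmp
  # name: root copying onto an attacker-planted path in /tmp would follow
  # the symlink.
  backup_dir=$(mktemp -d /tmp/netcfg-backup.XXXXXX)
  if [[ -f "$NETPATH$NETCNF" ]]; then
    cp -- "$NETPATH$NETCNF" "$backup_dir/$NETCNF-$(date +%m%d%H%M)"
    echo "backup: $backup_dir"
  fi

  echo "###########################################"
  ASK "Please Input IPAddress :" IPA
  ASK "Please Input Netmask :" NTM
  ASK "Please Input Gateway :" GTW
  ASK "Please Input DNS (Default[223.5.5.5]):" DNS
  [[ -z $DNS ]] && DNS="223.5.5.5"
  if ! VALID_IPV4 "$IPA" || ! VALID_IPV4 "$NTM" || ! VALID_IPV4 "$GTW" || ! VALID_IPV4 "$DNS"; then
    echo -e "${ERROR} IP/Netmask/Gateway/DNS 格式有誤,請輸入合法的IPv4地址"
    exit 110
  fi

  echo -e "${PURPLE_FONT_PREFIX} 配置中請稍候... 完成后請使用新地址 $IPA 進行SSH登陸 ${FONT_COLOR_SUFFIX}"
  local net_rules="/etc/udev/rules.d/70-persistent-net.rules"
  if [[ -f $net_rules ]]; then
    mv -bf -- "$net_rules" "$backup_dir/" >/dev/null 2>&1
  fi
  case "$CENTOS_VERSION" in
    6) C6NETWORK ;;
    7) C7NETWORK ;;
    *) VERSION_ERROR ;;
  esac
}

#######################################
# Post-configuration instructions (network must be restarted by the admin).
#######################################
HINT() {
  echo -e "
${PURPLE_FONT_PREFIX} [ ## Network configuration succeeded ## ]
[ ##### Please restart the server ##### ]
[ CentOS 6+: service network restart ]
[ CentOS 7+: systemctl restart network.service ]${FONT_COLOR_SUFFIX}"
}

#######################################
# Write the CentOS 6 ifcfg file and hand the interface to the network service.
# Reads: NETPATH NETCNF NETNAME IPA NTM GTW DNS
#######################################
C6NETWORK() {
  cat > "$NETPATH$NETCNF" << END
DEVICE=$NETNAME
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=$IPA
NETMASK=$NTM
GATEWAY=$GTW
DNS=$DNS
END
  # The original tested `-e NetworkManager` relative to the CWD, which never
  # matched; the SysV init script is the CentOS 6 equivalent of the unit file
  # check done in C7NETWORK.
  if [[ -e /etc/init.d/NetworkManager ]]; then
    service NetworkManager stop >/dev/null 2>&1
    chkconfig NetworkManager off >/dev/null 2>&1
  fi
  chkconfig network on >/dev/null 2>&1
  JDT
  HINT
}

#######################################
# Write the CentOS 7 ifcfg file and hand the interface to network.service.
# Reads: NETPATH NETCNF NETNAME IPA NTM GTW DNS
#######################################
C7NETWORK() {
  cat > "$NETPATH$NETCNF" << EOF
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=$NETNAME
DEVICE=$NETNAME
ONBOOT=yes
IPADDR=$IPA
NETMASK=$NTM
GATEWAY=$GTW
DNS=$DNS
EOF
  if [[ -e /usr/lib/systemd/system/NetworkManager.service ]]; then
    systemctl stop NetworkManager >/dev/null 2>&1
    systemctl disable NetworkManager >/dev/null 2>&1
  fi
  systemctl enable network.service >/dev/null 2>&1
  JDT
  HINT
}

#######################################
# Install a bash command audit: every interactive command is appended to an
# append-only (chattr +a) log via PROMPT_COMMAND from /etc/profile, with a
# weekly rotation cron job.
#
# NOTE(review): this is a convenience trail, not a security control — any
# user can `unset PROMPT_COMMAND`, run a non-bash shell, or skip /etc/profile.
# For a tamper-resistant record pair it with auditd (execve rules).
# Globals written: FILE_PATH FILE_NAME PROFILE_PATH
#######################################
HISTORY() {
  FILE_PATH="/var/log/Command"
  FILE_NAME="Command.log"
  PROFILE_PATH="/etc/profile"
  local crond='/var/spool/cron/root' rotate="$FILE_PATH/history.sh"

  # Create the log with the original permission model: dir 001 (traverse
  # only), file 002 + append-only so users can append but not read/rewrite.
  CLUSTER1() {
    touch "$FILE_PATH/$FILE_NAME"
    chown -R nobody:nobody "$FILE_PATH"
    chmod 001 "$FILE_PATH"
    chmod 002 "$FILE_PATH/$FILE_NAME"
    chattr +a "$FILE_PATH/$FILE_NAME"
  }

  # Append the HISTORY_FILE / PROMPT_COMMAND exports to /etc/profile. The
  # quoted heredoc writes the PROMPT_COMMAND line literally (same bytes the
  # original produced after heredoc de-escaping).
  CLUSTER2() {
    {
      echo "export HISTORY_FILE=$FILE_PATH/$FILE_NAME"
      cat << 'EPP'
export PROMPT_COMMAND='{ date "+%y-%m-%d %T ## $(who am i |awk "{print \$1,\$2,\$5}") ## $(whoami) ## $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'
EPP
    } >> "$PROFILE_PATH"
  }

  if [[ ! -d $FILE_PATH ]]; then
    mkdir -p "$FILE_PATH"
    CLUSTER1
  elif [[ ! -f "$FILE_PATH/$FILE_NAME" ]]; then
    CLUSTER1
  fi

  # Replace any previous install of the exports rather than stacking them.
  if grep -q HISTORY_FILE "$PROFILE_PATH"; then
    sed -i '/.*HISTORY_FILE.*/d' "$PROFILE_PATH"
  fi
  CLUSTER2

  if [[ ! -f $rotate ]]; then
    {
      cat << 'EOF'
#!/bin/bash
# Weekly rotation of the command audit log (installed by the init script).
Time=$(date +%Y%m%d%H)
EOF
      printf 'logs_path="%s/"\nlogs_name="%s"\n' "$FILE_PATH" "$FILE_NAME"
      cat << 'EOF'
new_file="$logs_path$logs_name-$Time"
# Only rotated files are candidates for deletion, never the live log.
old_file=$(find "$logs_path" -mtime +30 -type f -name "Command.log-*")
chattr -a "$logs_path$logs_name"
mv "$logs_path$logs_name" "$new_file"
chattr +a "$new_file"
touch "$logs_path$logs_name"
chown nobody:nobody "$logs_path$logs_name"
chmod 002 "$logs_path$logs_name"
chattr +a "$logs_path$logs_name"
if [[ -n $old_file ]]; then
  echo "delete $old_file $Time" >> /var/log/messages
  for f in $old_file; do
    chattr -a "$f"
    rm -f -- "$f"
  done
fi
EOF
    } > "$rotate"
    chmod 100 "$rotate"
  fi

  # Idempotent cron entry (the real redirect is now part of the cron line).
  if [[ -f $crond ]] && grep -q history.sh "$crond"; then
    sed -i '/.*history\.sh.*/d' "$crond"
  fi
  echo "30 10 * * 6 /bin/bash $rotate >/dev/null 2>&1" >> "$crond"

  case "$CENTOS_VERSION" in
    6) service crond restart >/dev/null 2>&1 ;;
    7) systemctl restart crond >/dev/null 2>&1 ;;
    *) VERSION_ERROR ;;
  esac

  if source "$PROFILE_PATH"; then
    JDT
    echo "###########################################"
    echo -e "${TIP} 配置完成 命令審計文件位於:/var/log/Command/Command.log "
  else
    echo -e "${ERROR},Please To Check "
    exit 110
  fi
}

#######################################
# Replace the YUM repo files with the Aliyun CentOS mirror and install EPEL.
# Existing *.repo files are moved to /etc/yum.repos.d/oldbackup first.
#
# Supply-chain note: the repo file and the epel-release RPM are fetched over
# HTTPS (the original used plain HTTP, letting an on-path attacker rewrite
# the repo definition or the RPM). Package-level GPG checking still relies
# on gpgcheck=1 in the downloaded repo files — do not lower it.
#######################################
YUMREPO() {
  local yum='/etc/yum.repos.d' repo repo_url epel_url tmp_rpm
  mkdir -p "$yum/oldbackup"
  # The original looped `for repo in REPO` (the literal word), so no repo file
  # was ever backed up; iterate the real files instead.
  for repo in "$yum"/*.repo; do
    [[ -e $repo ]] || continue
    mv -bf -- "$repo" "$yum/oldbackup/" >/dev/null 2>&1
  done

  /bin/ping -c 3 -i 0.1 -w 1 baidu.com >/dev/null 2>&1
  CHECK_RESULT
  echo -e "${INFO} 網絡正常"
  echo "正在執行中ing...請確保網絡連接正常..."

  repo_url="https://mirrors.aliyun.com/repo/Centos-${CENTOS_VERSION}.repo"
  if ! wget -P "$yum" "$repo_url" >/dev/null 2>&1; then
    echo "wget 命令執行失敗 正在嘗試使用curl命令..."
    curl -fsSLo "$yum/Centos-${CENTOS_VERSION}.repo" "$repo_url"
    CHECK_RESULT
  fi

  rpm -e "$(rpm -qa | grep epel-release)" >/dev/null 2>&1
  epel_url="https://mirrors.aliyun.com/epel/epel-release-latest-${CENTOS_VERSION}.noarch.rpm"
  tmp_rpm=$(mktemp /tmp/epel-release.XXXXXX.rpm)
  if ! curl -fsSLo "$tmp_rpm" "$epel_url"; then
    rm -f -- "$tmp_rpm"
    false
    CHECK_RESULT
  fi
  # rpm only verifies the signature when the EPEL key is already imported;
  # the release package itself ships the key, so later packages are covered.
  rpm -ivh "$tmp_rpm" >/dev/null 2>&1
  CHECK_RESULT
  rm -f -- "$tmp_rpm"

  echo "重新構建YUM倉庫中稍候...如果網絡不佳會造成失敗"
  yum clean all && yum makecache
  CHECK_RESULT
}

#######################################
# Install the MySQL community repo and one of the 5.5/5.6/5.7 servers.
# Any existing mysql* packages are removed first (after a 10 s grace period).
#######################################
MYSQL_REPO() {
  local repo_path="/etc/yum.repos.d/mysql-community.repo" package mysql_ver NMB
  MYSQL_INSTALL() {
    yum -y install mysql-community-server
    CHECK_RESULT
  }

  /bin/ping -c 3 -i 0.1 -w 1 baidu.com >/dev/null 2>&1
  CHECK_RESULT
  echo -e "${INFO} 網絡正常"
  echo "正在執行中ing...請確保網絡連接正常..."
  rpm -e "$(rpm -qa | grep -E "mysql.*release")" >/dev/null 2>&1
  echo -e "
${PURPLE_FONT_PREFIX} #################### 本腳本不支持一個系統安裝多個數據庫 ########################
也不建議使用其他方法安裝多個數據庫 如果有多個數據庫的需求,可以使用多實例來實現
正在檢查是否已安裝過MySQL,如已安裝MySQL將嘗試自動卸載...
######### 注意 如果不想卸載當前數據庫 請在進度條處按Ctrl+C結束腳本運行 #########${FONT_COLOR_SUFFIX}"
  sleep 10
  JDT
  for package in $(rpm -qa | grep -i mysql); do
    if rpm -e "$package"; then
      echo -e "${TIP} $package 已成功卸載..."
    elif ! yum remove "$package"; then
      echo -e "${ERROR} $package 自動卸載失敗,請手動卸載!!!"
    fi
  done

  rpm -Uvh "https://mirrors.tuna.tsinghua.edu.cn/mysql/yum/mysql-connectors-community-el${CENTOS_VERSION}/mysql-community-release-el${CENTOS_VERSION}-5.noarch.rpm"
  CHECK_RESULT
  yum repolist enabled | grep "mysql.*-community.*"
  sed -i '/^#/d' "$repo_path"
  echo -e "${TIP}以下為目前僅支持安裝的MySQL版本"
  mysql_ver=$(grep -E "^\[mysql5.*" "$repo_path" | awk -F'[[-]' '{print $2}')
  sed -i '/.*mysql56.*/,/.*mysql57.*/s/enabled=1/enabled=0/' "$repo_path"
  echo -e "${PURPLE_FONT_PREFIX} ${mysql_ver}${FONT_COLOR_SUFFIX}"
  ASK "請輸入你要安裝的MySQL版本 (55/56/57) :" NMB
  case "$NMB" in
    55)
      sed -i '/.*mysql55.*/,/.*mysql56.*/s/enabled=0/enabled=1/' "$repo_path"
      MYSQL_INSTALL
      ;;
    56)
      sed -i '/.*mysql56.*/,/.*mysql57.*/s/enabled=0/enabled=1/' "$repo_path"
      MYSQL_INSTALL
      ;;
    57)
      echo "# INSTALL_SCRIPT #" >> "$repo_path"
      sed -i '/.*mysql57.*/,/.*INSTALL_SCRIPT.*/s/enabled=0/enabled=1/' "$repo_path"
      MYSQL_INSTALL
      ;;
    *) echo -e "${ERROR} 輸入信息有誤,請輸入正確的數字!!!" ;;
  esac
}

##########################################################################
# System tuning steps
##########################################################################

#######################################
# Yes/no gate used by every tuning step. Empty answer means yes.
# Returns: 0 to proceed, 100 to skip.
#######################################
MUTUAL() {
  local NMB
  ASK "Whether or not to perform? (y/n):" NMB
  if [[ $NMB == y || -z $NMB ]]; then
    echo -e "${PURPLE_FONT_PREFIX}正在執行此項優化...${FONT_COLOR_SUFFIX}"
    JDT
    return 0
  fi
  echo -e "${PURPLE_FONT_PREFIX}即將跳過此項優化...${FONT_COLOR_SUFFIX}"
  JDT
  return 100
}

#######################################
# sshd: custom port, no GSSAPI, no reverse DNS, print MOTD.
#
# NOTE(review): with SELinux enforcing, sshd cannot bind a non-22 port until
# `semanage port -a -t ssh_port_t -p tcp <port>` is run, and the firewall
# must allow the new port — otherwise the restart below locks you out.
#######################################
OPTSSH() {
  clear
  echo -e "
${GREEN_FONT_PREFIX} #########################################################
[ 配置SSH端口 關閉DNS反向解析 ]
${FONT_COLOR_SUFFIX}"
  MUTUAL || return 100
  local sshd_conf="/etc/ssh/sshd_config" PT
  ASK "Please enter the SSH port :" PT
  # The original test `[[ $PT =~ ^[1-65534]$ ]]` was a one-character class
  # and exited on a *match*; validate as an integer in the TCP port range.
  if ! [[ $PT =~ ^[0-9]+$ ]] || (( 10#$PT < 1 || 10#$PT > 65535 )); then
    echo -e "${ERROR} 輸入端口有誤,請輸入[1-65534]之間的數字"
    exit 110
  fi
  sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' "$sshd_conf"
  sed -i 's/#UseDNS yes/UseDNS no/' "$sshd_conf"
  sed -i "s/#Port 22/Port $PT/" "$sshd_conf"
  sed -i "s/^Port.*/Port $PT/g" "$sshd_conf"
  sed -i 's/#PrintMotd yes/PrintMotd yes/' "$sshd_conf"
  # Refuse to restart on a config sshd itself rejects: a failed restart on a
  # remote box is an outage.
  if ! sshd -t; then
    echo -e "${ERROR} sshd_config 校驗失敗,未重啟sshd"
    exit 110
  fi
  case "$CENTOS_VERSION" in
    6) service sshd restart >/dev/null 2>&1 ;;
    7) systemctl restart sshd >/dev/null 2>&1 ;;
    *) VERSION_ERROR ;;
  esac
}

#######################################
# Disable the IPv6 kernel module via modprobe aliases.
# The original edited /etc/modprobe.conf, which modprobe on CentOS 6/7 does
# not read (and sed -i failed because the file does not exist); the aliases
# go into /etc/modprobe.d/ instead. SYSCTLCONF also sets disable_ipv6=1.
#######################################
OFFIPV6() {
  clear
  echo -e "
${GREEN_FONT_PREFIX} ##########################################
[ 關閉IPv6服務 ]
${FONT_COLOR_SUFFIX}"
  MUTUAL || return 100
  local modprobe_conf="/etc/modprobe.d/disable-ipv6.conf"
  cat > "$modprobe_conf" << 'EOF'
alias net-pf-10 off
alias ipv6 off
EOF
}

#######################################
# Set SELinux to disabled (persistent) and permissive (now).
# NOTE(review): this removes a mandatory-access-control layer; it is kept
# because it is an explicit, opt-in step of this script, but it should not
# be run on internet-facing hosts.
#######################################
OFFSELINUX() {
  clear
  echo -e "
${GREEN_FONT_PREFIX} #########################################
[ 關閉selinux ]
${FONT_COLOR_SUFFIX}"
  MUTUAL || return 100
  local selinux_conf="/etc/selinux/config"
  sed -i '/SELINUX/s/enforcing/disabled/' "$selinux_conf"
  setenforce 0 >/dev/null 2>&1
}

#######################################
# Stop and disable the host firewall (iptables on 6, firewalld on 7).
# NOTE(review): opt-in and unchanged, but leaves every listening service
# exposed; prefer opening only the SSH port chosen in OPTSSH.
#######################################
OFFFIREWALL() {
  clear
  echo -e "
${GREEN_FONT_PREFIX} ########################################
[ 關閉防火牆 ]
${FONT_COLOR_SUFFIX}"
  MUTUAL || return 100
  case "$CENTOS_VERSION" in
    6)
      service iptables stop >/dev/null 2>&1
      chkconfig iptables off >/dev/null 2>&1
      ;;
    7)
      systemctl stop firewalld >/dev/null 2>&1
      systemctl disable firewalld >/dev/null 2>&1
      ;;
    *) VERSION_ERROR ;;
  esac
}

#######################################
# ntpdate against $NTP_SERVER now and every 5 minutes from root's crontab.
#######################################
TIMELOCK() {
  clear
  echo -e "
${GREEN_FONT_PREFIX} ##########################################
[ 設置時間同步 ]
${FONT_COLOR_SUFFIX}"
  MUTUAL || return 100
  local crond="/var/spool/cron/root"
  [[ -f $crond ]] && sed -i '/.*ntpdate.*/d' "$crond"
  echo "*/5 * * * * /usr/sbin/ntpdate $NTP_SERVER >/dev/null 2>&1" >> "$crond"
  ntpdate "$NTP_SERVER"
  CHECK_RESULT
  case "$CENTOS_VERSION" in
    6) service crond restart >/dev/null 2>&1 ;;
    7) systemctl restart crond >/dev/null 2>&1 ;;
    *) VERSION_ERROR ;;
  esac
}

#######################################
# Raise nofile/nproc for all users in limits.conf (skipped if the last four
# lines already carry the four entries).
#######################################
LIMITSCONF() {
  clear
  echo -e "
${GREEN_FONT_PREFIX} ####################################################
[ 配置用戶最大文件打開數 ]
${FONT_COLOR_SUFFIX}"
  MUTUAL || return 100
  local conf="/etc/security/limits.conf" existing
  existing=$(tail -4 "$conf" | grep -cE 'nofile|nproc')
  if [[ $existing -ne 4 ]]; then
    cat >> "$conf" << 'COMMENTBLOCK'
* soft nofile 102400
* hard nofile 102400
* soft nproc 102400
* hard nproc 102400
COMMENTBLOCK
    CHECK_RESULT
  fi
}

#######################################
# Raise the per-user process cap in limits.d and (CentOS 7) systemd defaults.
#######################################
NPROCCONF() {
  clear
  echo -e "
${GREEN_FONT_PREFIX} ################################################
[ 配置用戶最大進程數 ]
${FONT_COLOR_SUFFIX}"
  MUTUAL || return 100
  local limits_d="/etc/security/limits.d" system_conf="/etc/systemd/system.conf"
  case "$CENTOS_VERSION" in
    6) sed -i 's/1024$/102400/' "$limits_d/90-nproc.conf" ;;
    7)
      sed -i 's/4096$/20480/' "$limits_d/20-nproc.conf"
      sed -i 's/^#DefaultLimitNOFILE=.*/DefaultLimitNOFILE=100000/g' "$system_conf"
      sed -i 's/^#DefaultLimitNPROC=.*/DefaultLimitNPROC=100000/g' "$system_conf"
      ;;
    *) VERSION_ERROR ;;
  esac
}

#######################################
# Replace /etc/sysctl.conf with the tuned set and apply it.
# The previous file is kept as sysctl.conf.bak-<timestamp>.
#
# Values are the original ones except rp_filter: the original set
# net.ipv4.conf.default.rp_filter = 0 (with a comment describing ARP), which
# turns reverse-path filtering off; strict mode (1) is restored and applied
# to "all" as well.
#######################################
SYSCTLCONF() {
  clear
  echo -e "
${GREEN_FONT_PREFIX} ################################################
[ 優化系統內核參數項 ]
${FONT_COLOR_SUFFIX}"
  MUTUAL || return 100
  local sysctl_conf="/etc/sysctl.conf"
  if [[ -f $sysctl_conf ]]; then
    cp -- "$sysctl_conf" "$sysctl_conf.bak-$(date +%Y%m%d%H%M%S)"
  fi
  cat > "$sysctl_conf" << 'EIZ'
net.ipv4.ip_forward = 0
# 0 = do not forward packets between interfaces (this host is not a router)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# strict reverse-path filtering: drop packets whose source is not routable back via the ingress interface
net.ipv4.conf.default.accept_source_route = 0
# refuse source-routed packets
kernel.sysrq = 0
# disable the magic SysRq key
kernel.core_uses_pid = 1
# append the PID to core dump file names
kernel.unknown_nmi_panic = 0
# do not panic on unknown NMIs
kernel.msgmnb = 65536
# max bytes per SysV message queue
kernel.msgmax = 65536
# max size of a single SysV message
kernel.shmmax = 68719476736
# max size of one shared memory segment (bytes)
kernel.shmall = 4294967296
# total shared memory pages allowed system-wide
vm.swappiness = 10
# prefer reclaiming page cache over swapping
net.ipv4.tcp_tw_reuse = 1
# allow TIME-WAIT sockets to be reused for new outbound connections
net.ipv4.tcp_syncookies = 1
# SYN cookies when the SYN backlog overflows
net.ipv4.tcp_fin_timeout = 30
# seconds to hold a socket in FIN-WAIT-2 (default 60)
net.ipv4.tcp_syn_retries = 3
# SYN retransmissions before giving up on an outbound connect
net.ipv4.tcp_synack_retries = 3
# SYN+ACK retransmissions before dropping a half-open connection
net.ipv4.tcp_max_orphans = 262144
# max sockets not attached to any file handle before they are reset
net.ipv4.tcp_keepalive_time = 60
# seconds of idle before the first keepalive probe (default 7200)
net.ipv4.tcp_max_tw_buckets = 180000
# max TIME-WAIT sockets held at once
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# never emit ICMP redirects (not a router)
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# ignore ICMP redirects, including "secure" ones from the default gateway
##### neighbour cache ##############
net.ipv4.neigh.default.gc_thresh1 = 2048
# below this many ARP entries the GC does not run (default 128)
net.ipv4.neigh.default.gc_thresh2 = 4096
# soft limit; may be exceeded for 5 s before GC (default 512)
net.ipv4.neigh.default.gc_thresh3 = 8192
# hard limit; GC runs immediately above it (default 1024)
net.ipv4.ip_local_port_range = 1024 65535
# ephemeral source port range for TCP and UDP
net.ipv6.conf.all.disable_ipv6 = 1
# disable IPv6 on every interface
fs.file-max = 1000000
# system-wide open file descriptor limit
fs.inotify.max_user_watches = 10000000
# inotify watches per user
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# max receive/send socket buffer size (bytes)
net.core.wmem_default = 262144
net.core.rmem_default = 262144
# default receive/send socket buffer size (bytes)
net.core.somaxconn = 65535
# max length of a listen() backlog
net.core.netdev_max_backlog = 262144
# per-CPU queue of packets received faster than the kernel can process
net.ipv4.tcp_max_syn_backlog = 8120
# max half-open (SYN_RECV) connections remembered per listener
net.netfilter.nf_conntrack_max = 1000000
# max connection-tracking entries (requires the nf_conntrack module to be loaded)
EIZ
  /sbin/sysctl -p
  echo -e "
${PURPLE_FONT_PREFIX} 內核參數已優化完畢,請按需自行修改/etc/sysctl.conf配置文件${FONT_COLOR_SUFFIX}"
}

###################################################################################
# Entry point
###################################################################################
CHECK_SYS
if [[ $release != "centos" ]]; then
  echo -e "${ERROR} 本腳本暫時不支持當前系統 ${release} ! 當前僅支持CentOS6/7+ 感謝理解"
  exit 110
fi
# Every menu item writes under /etc; the original only checked root for
# item 1 and let the others fail half-way through.
CHECK_ROOT

echo -e "
CentOS 初始化一鍵配置腳本 ${PURPLE_FONT_PREFIX}Powered By Chuyio${FONT_COLOR_SUFFIX}
${GREEN_FONT_PREFIX}1.${FONT_COLOR_SUFFIX} 配置網絡
${GREEN_FONT_PREFIX}2.${FONT_COLOR_SUFFIX} 配置審計
${GREEN_FONT_PREFIX}3.${FONT_COLOR_SUFFIX} 優化系統
${GREEN_FONT_PREFIX}4.${FONT_COLOR_SUFFIX} 配置YUM倉庫
${GREEN_FONT_PREFIX}5.${FONT_COLOR_SUFFIX} 安裝MySQL數據庫
"
ASK "Please Input Number (1/2/3/4/5) :" NMB
case "$NMB" in
  1) NETWORK ;;
  2) HISTORY ;;
  3)
    OPTSSH
    OFFIPV6
    OFFSELINUX
    OFFFIREWALL
    TIMELOCK
    LIMITSCONF
    NPROCCONF
    SYSCTLCONF
    ;;
  4) YUMREPO ;;
  5) MYSQL_REPO ;;
  *) echo -e "${ERROR} 請輸入正確的數字 [1-5]" ;;
esac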