1. What server initialization does
- Turn off selinux
- ntp synchronization time
- Modify dns
- Configure ssh key
- Modify yum source
- Set host name
- Kernel parameter optimization: tcp, memory, routing, file handle
- Install the necessary software packages: gcc-c++, cmake, snmp, wget, vim, jdk, traceroute, iotop, etc.
- Prohibit root login and password login
- Disguise critical service ports
- Set the Chinese character set, a personalized login banner and a command-line color scheme
- Disable unwanted services
2. Initialization script
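#!/bin/bash
# Author: hanli
# centos7 initialization script
#
# Run as root on a freshly installed CentOS 7 host. Each step prints a short
# label, does its work (mostly with output discarded) and then calls format
# to print a success marker.
#
# Configuration (edit here, or pre-set PASSWD in the environment):
#   PASSWD   - new root password. The built-in default is a well-known weak
#              value and must be replaced before this script is used on any
#              host reachable from a network.
#   HOSTNAME - fully qualified host name to apply (set unconditionally; the
#              shell's own $HOSTNAME is deliberately not reused).
#   DNS1/2   - resolvers written to /etc/resolv.conf.
PASSWD=${PASSWD:-123456}
HOSTNAME=test.example.com
DNS1=119.29.29.29
DNS2=223.5.5.5
# Quoted delimiter: the banner contains no expansions, so print it literally.
cat << 'EOF'
+------------------------------------------------------------------+
| ********** Welcome to CentOS 7 System init ********** |
+------------------------------------------------------------------+
EOF
# Everything below writes under /etc; refuse to continue unless running as uid 0.
if [ "$(id -u)" -ne 0 ]; then
  echo "please use root" >&2
  exit 1
fi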
# Print the green "Success!!!" marker, a blank line and a separator row.
# Called after every initialization step; writes to stdout, returns 0.
format() {
  local sep='#########################################################'
  printf '\033[32m Success!!! \033[0m\n\n'
  printf '%s\n' "$sep"
}
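###Change root password
echo "set root passwd"
# --stdin keeps the password out of argv (not visible in ps); printf rather
# than echo so a value such as "-n" is not swallowed as an option.
if ! printf '%s\n' "$PASSWD" | passwd root --stdin &> /dev/null; then
  echo "warn: failed to set root password" >&2
fi
format
###Modify host name
echo "set hostname"
# `hostname` only changes the running kernel value; CentOS 7 reads
# /etc/hostname at boot, which hostnamectl maintains. The legacy
# /etc/sysconfig/network entry is kept for anything that still reads it.
if command -v hostnamectl >/dev/null 2>&1; then
  hostnamectl set-hostname "$HOSTNAME"
else
  hostname "$HOSTNAME" && echo "$HOSTNAME" > /etc/hostname
fi
echo "HOSTNAME=$HOSTNAME" >> /etc/sysconfig/network
format
###Configure DNS resolution
echo "set DNS"
# A single truncating write replaces the earlier "empty, then write" pair.
# NOTE(review): NetworkManager may rewrite this file on the next link event;
# the chattr +i applied later in the script is what pins it — confirm.
printf 'nameserver %s\nnameserver %s\n' "$DNS1" "$DNS2" > /etc/resolv.conf
# The original `|| echo ... || exit 3` never reached the exit because echo
# succeeds; group the message and the exit so a network failure aborts.
if ! ping -c 3 www.baidu.com &> /dev/null; then
  echo "Please check the network connection,This script requires access to the Internet" >&2
  exit 3
fi
format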
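###Turn off Selinux service
echo "disable selinux"
# On CentOS 7 /etc/sysconfig/selinux is a symlink to /etc/selinux/config.
# `sed -i` on the symlink replaces it with a regular file and leaves the real
# config untouched, so SELinux would come back enforcing after reboot; edit
# the target directly.
if [ "$(getenforce)" != "Disabled" ]; then
  setenforce 0 &> /dev/null
  sed -i 's/^SELINUX=.*$/SELINUX=disabled/g' /etc/selinux/config
fi
format
###Update yum source to alicloud
echo "set yum repo"
# Back up the stock repo file only when there is one to back up.
[ -f /etc/yum.repos.d/CentOS-Base.repo ] && mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
# Download a repo definition to $2 from $1. HTTPS so the file cannot be
# altered in transit (it decides where packages come from); wget is not part
# of a minimal install and is only installed later in this script, so fall
# back to curl. Returns the downloader's exit status.
fetch_repo() {
  local url=$1 dest=$2
  if command -v wget >/dev/null 2>&1; then
    wget -q -O "$dest" "$url"
  else
    curl -fsSL -o "$dest" "$url"
  fi
}
fetch_repo https://mirrors.aliyun.com/repo/Centos-7.repo /etc/yum.repos.d/CentOS-Base.repo || echo "warn: could not download CentOS-Base.repo" >&2
fetch_repo https://mirrors.aliyun.com/repo/epel-7.repo /etc/yum.repos.d/epel.repo || echo "warn: could not download epel.repo" >&2
yum makecache &> /dev/null
format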
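###Lock critical profile
echo "chattr files"
# The immutable bit blocks every later write to these files, including
# passwd/useradd and any package scriptlet that creates a user, so this must
# stay after the password and DNS steps. Undo with `chattr -i` before editing.
# NOTE(review): the package install later in this script runs with these
# bits set; if any of those packages adds a system user it will fail — confirm.
for f in /etc/passwd /etc/inittab /etc/group /etc/shadow /etc/gshadow \
         /etc/resolv.conf /etc/hosts /etc/fstab; do
  [ -e "$f" ] && chattr +i "$f"
done
format
###Set character set to Chinese
echo "set LANG"
echo 'LANG="zh_CN.UTF-8"' > /etc/locale.conf
format
###Automatically update server time
echo "set ntptime"
# Drop every existing "server" line (this also removes matching comments).
sed -i "/server/d" /etc/chrony.conf
# The original line carried `&>/dev/null` inside the quotes, which wrote a
# literal redirection into chrony.conf and made the server entry invalid.
echo 'server ntp.aliyun.com iburst' >> /etc/chrony.conf
# Restart so the new server is used now, not only after the final reboot.
systemctl restart chronyd &> /dev/null || echo "warn: chronyd restart failed" >&2
format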
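###Kernel parameter optimization
echo "Set sysctl.conf"
# This replaces /etc/sysctl.conf wholesale; keep the original for rollback.
[ -f /etc/sysctl.conf ] && cp -p /etc/sysctl.conf /etc/sysctl.conf.bak
# The net.bridge.* keys only exist once br_netfilter is loaded; without it
# `sysctl -p` reports "No such file or directory" for those three lines.
modprobe br_netfilter &> /dev/null
# Quoted delimiter: nothing in the file body is expanded by the shell.
# Comments sit above the key they describe.
cat > /etc/sysctl.conf << 'EOF'
### Routing and filtering
# 0 = do not forward packets between interfaces (this host is not a router)
net.ipv4.ip_forward = 0
# Reverse-path filtering: drop packets whose source is not reachable via the inbound interface
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Do not accept source-routed packets
net.ipv4.conf.default.accept_source_route = 0
# Disable the magic SysRq key
kernel.sysrq = 0
# Append the PID to core dump file names (useful for multithreaded programs)
kernel.core_uses_pid = 1
# Do not pass bridged traffic through iptables/ip6tables/arptables (requires br_netfilter)
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
### System V IPC
# Maximum total size of a single message queue, in bytes
kernel.msgmnb = 65536
# Maximum size of one message, in bytes
kernel.msgmax = 65536
# Largest single shared memory segment, in bytes (64 GiB here; size it to the host's RAM)
kernel.shmmax = 68719476736
# Total shared memory the system may use, in 4 KiB pages
kernel.shmall = 4294967296
### IPv6 and ARP
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.neigh.default.gc_stale_time = 120
# arp_announce=2: always use the best local address for the target in ARP requests
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
###Memory resource usage related settings
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 65536 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_mem = 8388608 8388608 8388608
##In response to DDOS attacks, TCP connection establishment settings
# SYN cookies: keep accepting connections when the SYN backlog fills (SYN flood mitigation)
net.ipv4.tcp_syncookies = 1
# Retransmit SYN-ACK / SYN only once so half-open connections time out quickly
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
# SYN queue length (default 1024)
net.ipv4.tcp_max_syn_backlog = 262144
##To deal with the setting of too high timewait and TCP disconnection
# Maximum TIME-WAIT sockets held at once (default 180000); beyond this they are dropped with a warning
net.ipv4.tcp_max_tw_buckets = 10000
# NOTE(review): tcp_tw_recycle drops SYNs from clients behind NAT and was removed in Linux 4.12.
# Both tw_recycle and tw_reuse only act when tcp_timestamps = 1, which is turned off just below,
# so as written neither has any effect. Review these three values together.
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
# Timestamps off (this also disables PAWS protection against sequence-number wrap)
net.ipv4.tcp_timestamps = 0
# Seconds a locally closed socket stays in FIN-WAIT-2 (default 60)
net.ipv4.tcp_fin_timeout = 5
# Local port range used for outbound connections
net.ipv4.ip_local_port_range = 4000 65000
###TCP keepalived connection preservation settings
# Idle seconds before the first keepalive probe (default 7200 = 2 hours)
net.ipv4.tcp_keepalive_time = 1200
# Seconds between unanswered probes (default 75)
net.ipv4.tcp_keepalive_intvl = 15
# Unanswered probes before the connection is declared dead (default 9)
net.ipv4.tcp_keepalive_probes = 5
###Other TCP related adjustments
# Upper bound for the listen() backlog (default 128; nginx asks for 511 by default)
net.core.somaxconn = 262144
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
EOF
# Apply now and report, rather than hide, any key the running kernel rejects.
sysctl -p || echo "warn: some sysctl keys were not applied, see messages above" >&2
format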
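#Install necessary packages
echo "install pack"
# NOTE(review): "snmp" does not look like a CentOS 7 package name (net-snmp
# is); yum reports an unknown name and, as far as I know, still installs the
# rest — confirm. Output is discarded, so at least surface the exit status
# instead of hiding a failed install behind the success banner.
if ! yum -y install make gcc-c++ cmake snmp iotop wget vim lsof &> /dev/null; then
  echo "warn: package installation failed, re-run yum to see the error" >&2
fi
format
# Ask until a valid answer is given rather than falling through (and exiting 0)
# on anything other than y/n. -r keeps backslashes in the answer literal.
while true; do
  read -r -p "System initialization completed,Need to restart(y/n)?" TT
  case "$TT" in
    y) reboot; exit 0 ;;
    n) exit 4 ;;
    *) echo "Please input y/n" ;;
  esac
done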
3. Ansible roles
4. Puppet