#!/bin/sh
####################################################
# 51dmz系统初始化脚本:系统模块 #
# Author: [email protected] #
####################################################
## Performance tuning by sysctl ##############################################
# /etc/sysctl.conf is rebuilt from scratch: keep a copy of the current file,
# then write the settings below into the emptied file. Later sections append
# further keys to the same file; `sysctl -p` at the very end applies them.
/bin/cp -rf /etc/sysctl.conf /etc/sysctl.conf.bak
## Network settings ###########################################################
# tcp_tw_reuse / tcp_tw_recycle : reuse and fast-recycle TIME_WAIT sockets.
#   NOTE(review): tcp_tw_recycle is known to break clients behind NAT and was
#   removed from the kernel in 4.12 — confirm it is still wanted here.
# rmem_max / wmem_max           : 16 MiB ceiling for socket receive/send buffers
# tcp_rmem / tcp_wmem           : min, default, max buffer per TCP socket
# tcp_max_syn_backlog           : longer SYN queue, more concurrent half-open
#                                 connections are accepted
# ip_local_port_range           : ephemeral ports 1024-65000 (default 32768-61000)
# tcp_syn_retries               : SYN retransmits before giving up (default 5)
# tcp_keepalive_*               : probe idle connections after 30 s, 4 probes,
#                                 15 s apart (defaults 7200 s / 9 / 75 s)
# tcp_retries2                  : retransmits before a connection is dropped
#                                 (default 15)
# tcp_fin_timeout               : seconds spent in FIN-WAIT-2 (default 60)
cat >/etc/sysctl.conf <<'EOF'
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 87380 16777216
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_keepalive_probes = 4
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_retries2 = 5
net.ipv4.tcp_fin_timeout = 5
EOF
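## Security-related settings ##################################################
# One group of lines per entry under /proc/sys/net/ipv4/conf (this includes
# the "all" and "default" pseudo-interfaces, exactly as listing the directory
# did). The host is not a gateway, so source-routed packets and ICMP redirects
# are neither accepted nor sent; the only redirects tolerated are "secure"
# ones coming from the configured gateway.
# A glob replaces the former `ls` parsing; ${dir##*/} is the entry's basename.
for dir in /proc/sys/net/ipv4/conf/*; do
  [ -e "$dir" ] || continue   # no match at all: leave the file untouched
  iface=${dir##*/}
  echo "net.ipv4.conf.${iface}.accept_source_route = 0" >> /etc/sysctl.conf
  echo "net.ipv4.conf.${iface}.accept_redirects = 0" >> /etc/sysctl.conf
  echo "net.ipv4.conf.${iface}.secure_redirects = 1" >> /etc/sysctl.conf
  echo "net.ipv4.conf.${iface}.send_redirects = 0" >> /etc/sysctl.conf
done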
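# icmp_echo_ignore_broadcasts : ignore echo requests sent to broadcast addresses
# icmp_echo_ignore_all=0      : ordinary ping is still answered
# ip_forward=0                : no packet forwarding (enable on LVS directors)
# tcp_syncookies              : SYN-flood protection
# tcp_synack_retries=1        : SYN-ACK retransmits for half-open connections;
#                               a low value keeps the backlog small under a flood
# tcp_max_tw_buckets          : ceiling on TIME_WAIT sockets
# tcp_ecn=0                   : Explicit Congestion Notification disabled
# kernel.core_uses_pid        : core file names carry the pid
# kernel.msg* / kernel.shm*   : SysV message queue and shared memory limits
# netfilter timeouts          : conntrack entries in TIME_WAIT / CLOSE_WAIT /
#                               FIN_WAIT expire after 30 s
# NOTE(review): the net.ipv4.netfilter.ip_conntrack_* keys belong to the
# ip_conntrack module of older 2.6 kernels; newer kernels use nf_conntrack and
# `sysctl -p` reports these keys as unknown there — confirm the target kernel.
cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_synack_retries=1
net.ipv4.tcp_max_tw_buckets=655360
net.ipv4.tcp_ecn=0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait=30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait=30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait=30
EOF
## Conntrack hash size (module option, a power of two; 8192 by default on
## >= 1 GB hosts). Remove any previous setting before appending the new one;
## the file may not exist yet, in which case sed is skipped and echo creates it.
if [ -f /etc/modprobe.conf ]; then
  sed -i '/ip_conntrack hashsize/d' /etc/modprobe.conf
fi
echo "options ip_conntrack hashsize=524288" >> /etc/modprobe.conf
## ip_conntrack_max: the netfilter.* key is for kernels from 2.4.23 on, the
## plain ip_conntrack_max key for older ones; the established-connection
## timeout is cut from the default 432000 s to 200 s.
cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.netfilter.ip_conntrack_max = 4194304
net.ipv4.ip_conntrack_max = 4194304
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 200
EOF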
## Disable services that are not needed on this host ##########################
# Every service chkconfig reports as enabled in any runlevel is turned off,
# then the short list below is re-enabled for runlevels 3, 4 and 5.
chkconfig --list | grep ':on' | awk '{print $1}' | while IFS= read -r svc; do
  chkconfig "$svc" off
done
for svc in irqbalance network syslog crond sshd smartd sysstat; do
  chkconfig --level 345 "$svc" on
done
echo "==============chkconfig initialization done============"
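## Management ssh service (oslinkd) under /app/oslinkd ########################
# LAN_IP: the RFC1918 address configured on eth1, read from `ip a sh`.
# NOTE(review): the pattern only requires "eth1" somewhere after the address,
# so an alias label such as eth1:1 is matched as well — confirm.
LAN_IP=$(ip a sh|awk -F'[ /]+' '/inet\> (192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])).*eth1/{print $3}')
# Exactly one address is required: with none, or with several (LAN_IP then
# holds several lines), everything that follows would be misconfigured, so
# the run is aborted here.
if [ -z "$LAN_IP" ] || [ "$(printf '%s\n' "$LAN_IP" | wc -l)" -ne 1 ]; then
  echo "lan interface is not eth1 or lan ip number is not exactly 1" >&2
  exit 1
fi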
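mkdir -p /app/oslinkd
# First run only: the authorized key file is the marker. On later runs the
# key, the config and the running daemon are left alone (the former `continue`
# in the else branch sat outside any loop and did nothing).
if [ ! -f /app/oslinkd/key ]; then
  # Public key allowed to log in through oslinkd.
  cat > /app/oslinkd/key <<EOF
ssh-dss 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
EOF
  # sshd configuration for oslinkd: bound to the LAN address only, public-key
  # authentication only, no passwords. NOTE(review): PermitRootLogin yes hands
  # a root shell to whoever holds the key above; confirm that is the intended
  # trust level for this management channel.
  cat > /app/oslinkd/oslinkd_config <<EOF
Protocol 2
Port 56789
ListenAddress $LAN_IP
PermitRootLogin yes
SyslogFacility AUTHPRIV
PubkeyAuthentication yes
AuthorizedKeysFile /app/oslinkd/key
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
UseDNS no
PidFile /var/run/oslinkd.pid
MaxStartups 100
EOF
  # Stop an earlier instance before starting the new one. It is identified by
  # the config path on its command line (presumably an older generation of
  # this service — verify). The test is quoted so an empty result no longer
  # reaches kill: the unquoted `test -n $sspid` was true even when empty.
  sspid=$(pgrep -f "security/etc/sshd_config")
  if [ -n "$sspid" ]; then
    # unquoted on purpose: several pids, one per line
    # NOTE(review): sshd exits cleanly on TERM; -9 is kept from the original.
    kill -9 $sspid
  fi
  /usr/sbin/sshd -f /app/oslinkd/oslinkd_config
  # oslinkd/bin is relative to the current directory: run from the package dir.
  cp -af oslinkd/bin /app/oslinkd/
  echo "==============oslinkd initialization done=============="
fi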
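## Harden the regular sshd ####################################################
# Keep a copy of the untouched configuration.
/bin/cp /etc/ssh/sshd_config /etc/ssh/sshd_config.init
# Force protocol version 2; the directive is appended only when absent.
if ! grep -q '^Protocol 2' /etc/ssh/sshd_config; then
  echo "Protocol 2" >> /etc/ssh/sshd_config
fi
# Bind the regular sshd to the LAN address. Commented lines are ignored and the
# address is matched literally (-F), so the dots are no longer wildcards.
if ! grep -v '^#' /etc/ssh/sshd_config | grep -qF -- "ListenAddress $LAN_IP"; then
  echo "ListenAddress $LAN_IP" >> /etc/ssh/sshd_config
fi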
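## Root authorized keys (remove the keys of departed staff promptly) ##########
# NOTE(review): the file is rewritten, not appended to — any key installed on
# the host before this run is dropped.
mkdir -p /root/.ssh
chmod 700 /root/.ssh   # keep the directory private to root
cat > /root/.ssh/authorized_keys <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxt0V9uUGRhlgaeKOGgmwJ13lXjc4IfJUFMRAj/2DrTzPqPV48ozHhEGVde6ZaGXH5Ynfk0d9+LuHHhqx0wQaF/WaDHRj5kGZOaArSV0JTqj/8ns3HWTK59w44vBs9REC2DLFfqCHN3IS8J2XbjDsu381EgRBQhrcuQ/k/vEa/hLo9fL5UDihjc5daXNmetSozs5njIJIJjt6SUTshkhWtyxkOISJWblonUnL8moM3vVDjD9VdjYLND4Bm50Lt2evb8vTbjClEmM97dPCIPpmXxF4qSLda2Yh/++jDO8k1JhaVUkVBnTip4JaWAqz1YgnWEU1RubL4dB8c9ViwtULj [email protected]
ssh-dss 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 shenp@51game-shp
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3ih4mN2bfPNpaizoxqK8hulBg0FPNiQQH3Ub9ETtfcUWxkZ3pp1b4pQbxmQ3ay6hzWyBzRJ4TGWj3O3C3K2BGHKsCNjigHW28TDsjfK0v4Gpi//WOTSHW/un82NlIZIl4eZ/C9TboHcIRgDT7rr/kN0I6ncf+bMBpMZ1/kREuN9Pn25l+c+8FQEfPqnqAqFWLSAeGixroZBy3QHA83JSyGHO1CH2e9VdAoAIzguXhDMfzIZGaScJ96w7P4AlDco048NnlaO6Gt34s+v5SPcycwIzTwcl+yQPZazkBOYeKBmiplav1PPQSZG76Lczog/Q8eFHnOsMSvQX09SljU5Ipw== daihj@51sa
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzTA00+0mvwketOxKToHQeo1v1eyw+4OK0Wnreo0I6c6+fS5VF2Rc7Cjj0jvROya/JZjx/PWBbEGDEf700qQf8olS7tm0TZb0CK321tbQlw3aY97lH2q3raKbqMZDOSTVoZhaU8/cDhEZ4TY2RKNHJXhFilMSllJ9l+vr/LnHwVAFaiCw1h6CH/flZ0l1ol0ryUlXXs/3OLB5XklmSg83EfdKp4ofpaIVLtvwms6PTERtQ5KN0n6dxbDGyzy1fltTzWz7twvnmw4MRvIn5yCRT+AT4lim5jNP3BFB6EsP0qGwcZwwoz3zJqz6kcLE15fREFXvT1deUaf7beJKXEZkbQ== root@SHCTC-GAME5-151
ssh-dss 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 [email protected]
EOF
chmod 600 /root/.ssh/authorized_keys
# Reload sshd so the new ListenAddress takes effect. This is only done when
# oslinkd (port 56789) already listens on the LAN address and the regular sshd
# is not yet bound to LAN_IP:22, so an operator keeps a way in should the
# reload go wrong. Dots in the address are escaped to match literally, and the
# trailing space stops ":22" from also matching e.g. ":2200".
lan_re=$(printf '%s' "$LAN_IP" | sed 's/\./\\./g')
if [ -n "$(netstat -lantup | awk '/LISTEN/&&/'"$lan_re"':56789 /')" ] \
   && [ -z "$(netstat -lantup | awk '/LISTEN/&&/'"$lan_re"':22 /')" ]; then
  [ -r /var/run/sshd.pid ] && kill -HUP "$(cat /var/run/sshd.pid)"
fi
echo "=================Add root key done====================="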
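## Hostname ###################################################################
# Hostname = <prefix><3rd octet>-<4th octet> of the LAN address.
# NOTE(review): pre_hostname is not assigned anywhere in this script and must
# come from the caller's environment; when it is unset the name degenerates
# to "<octet>-<octet>" — confirm the caller exports it.
octets=${LAN_IP#*.*.}   # LAN_IP without its first two octets
SEG1=${octets%.*}
SEG2=${octets##*.}
HONAME="${pre_hostname}${SEG1}-${SEG2}"
# Replace only the HOSTNAME= assignment (anchored), not every line that
# happens to mention HOSTNAME.
sed -i '/^HOSTNAME=/d' /etc/sysconfig/network
echo "HOSTNAME=$HONAME" >> /etc/sysconfig/network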
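## Resource limits (works together with the ulimit lines in /etc/profile) #####
# Each entry is appended only when missing, so re-running the script does not
# duplicate it.
if ! grep -q '^\* hard nofile 65000' /etc/security/limits.conf; then
  cat >>/etc/security/limits.conf <<'EOF'
* soft core 1024000
* hard core 1024000
* soft nofile 65000
* hard nofile 65000
EOF
fi
# Core dumps up to 1024000 blocks and 65000 open files for every login shell.
grep -q '^ulimit -c 1024000' /etc/profile || echo "ulimit -c 1024000" >> /etc/profile
grep -q '^ulimit -n 65000' /etc/profile || echo "ulimit -n 65000" >> /etc/profile
echo "==============ulimit initialization done==============="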
## Boot-time additions ########################################################
# rc.local is rewritten from scratch: the oslinkd sshd, the zabbix agent and
# the rsync daemon are started at boot; the static routes are appended to it
# further down in this script.
cat >/etc/rc.d/rc.local <<'EOF'
#!/bin/bash
touch /var/lock/subsys/local
/usr/sbin/sshd -f /app/oslinkd/oslinkd_config
/app/agent/zabbix/zabbix_agentd -c /app/agent/zabbix/zabbix_agentd.conf
rsync --daemon --config=/app/rsync/rsyncd.conf
#ip路由:
EOF
# Drop any leftover agent.sh line (the file was just rewritten, so this only
# matters when /etc/rc.local is a different file from /etc/rc.d/rc.local).
sed -i '/agent.sh/d' /etc/rc.local
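# Static routes for the LAN segment. Segments not listed below have to be
# added by hand.
# add_route NET GW: install the route now and persist it in rc.local.
add_route() {
  ip rou add "$1" via "$2"
  echo "ip rou add $1 via $2" >>/etc/rc.d/rc.local
}
# The directly connected (proto kernel) RFC1918 network.
# NOTE(review): with more than one such route ROUTE_NET holds several lines
# and no case arm matches, so nothing is added — confirm only one private
# subnet is connected.
ROUTE_NET=$(ip rou sh proto kernel|awk '/\<(192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1]).)/{print $1}')
case "$ROUTE_NET" in
  10.10.12.0/24)
    # gateway 10.10.12.254
    add_route 192.168.0.0/16 10.10.12.254
    add_route 10.10.0.0/16 10.10.12.254
    add_route 10.11.0.0/16 10.10.12.254
    add_route 10.12.1.0/24 10.10.12.254
    ;;
  10.10.5.0/24)
    # gateway 10.10.5.254 (10.10.0.0/16 is the connected /16, no route needed)
    add_route 192.168.0.0/16 10.10.5.254
    add_route 10.11.0.0/16 10.10.5.254
    add_route 10.12.1.0/24 10.10.5.254
    ;;
  10.11.1.0/24)
    # gateway 10.11.1.254
    add_route 10.10.0.0/16 10.11.1.254
    add_route 10.11.0.0/16 10.11.1.254
    add_route 192.168.0.0/16 10.11.1.254
    add_route 10.12.1.0/24 10.11.1.254
    ;;
  192.168.3.0/24)
    # gateway 192.168.3.1
    add_route 192.168.0.0/16 192.168.3.1
    add_route 10.10.0.0/16 192.168.3.1
    add_route 10.11.0.0/16 192.168.3.1
    add_route 10.12.1.0/24 192.168.3.1
    ;;
  192.168.9.0/24)
    # gateway 192.168.9.1
    add_route 192.168.0.0/16 192.168.9.1
    add_route 10.10.0.0/16 192.168.9.1
    add_route 10.11.0.0/16 192.168.9.1
    add_route 10.12.1.0/24 192.168.9.1
    ;;
esac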
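## Time synchronisation #######################################################
# First octet of the first RFC1918 address found on any ethN interface.
# NOTE(review): with several such addresses LAN_NET holds several lines and
# no case arm matches — confirm.
LAN_NET=$(ip a sh|awk -F'[ .]+' '/inet\> (192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])).*eth[0-9]/{print $3}')
# Install the hourly ntpdate job only when root's crontab has none yet, then
# sync the clock once right away. Both segments use the same server, so the
# two former case arms are merged. stderr of crontab is silenced because it
# complains when no crontab exists yet, which is the normal first-run case.
if ! crontab -l 2>/dev/null | grep -q ntpdate; then
  case "$LAN_NET" in
    10|192)
      echo "0 * * * * /usr/sbin/ntpdate -u 10.10.11.10" >> /var/spool/cron/root
      /usr/sbin/ntpdate -u 10.10.11.10
      clock -w
      ;;
  esac
fi
echo "==============NTP initialization done=================="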
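## Rsync daemon ###############################################################
mkdir -p /app/rsync/logs
# First run only: an existing rsyncd.conf is never overwritten (the former
# `continue` in the else branch sat outside any loop and did nothing).
if [ ! -f /app/rsync/rsyncd.conf ]; then
  # Read-only "dmz" module, reachable from the private ranges only and bound
  # to the LAN address; LAN_IP is expanded on purpose.
  cat >/app/rsync/rsyncd.conf <<EOF
address = $LAN_IP
uid = root
gid = root
max connections = 200
timeout = 600
use chroot = no
list = no
read only = yes
pid file=/app/rsync/logs/rsyncd.pid
hosts allow=10.0.0.0/8 192.168.0.0/16
#syslog facility = local7
lock file = /app/rsync/logs/rsync.lock
log file = /app/rsync/logs/rsyncd.log
transfer logging = yes
auth users = agent
[dmz]
path=/app/dmz
secrets file = /app/rsync/rsyncd.pwd
comment = dmz
EOF
  # Credentials for the "agent" user. The file is created under umask 077 so
  # it is never world-readable, not even between creation and the chmod.
  # NOTE(review): the password is a literal in this script, so everyone who can
  # read the script (or the repository holding it) has it — prefer supplying it
  # from a protected file or the environment at install time.
  (umask 077; echo "agent:y8x9ijw" >/app/rsync/rsyncd.pwd)
  chmod 0600 /app/rsync/rsyncd.pwd
  #/usr/bin/rsync --daemon --config=/app/rsync/rsyncd.conf
fi
echo "==============Rsync initialization done============="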
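## DMZ application directories ################################################
# Spelled out rather than brace-expanded: the script runs under /bin/sh, and
# not every sh performs brace expansion.
mkdir -p /app/dmz /app/historylog /app/agent /app/packages /app/script
# Every login shell appends its own command log here (see the profile snippet
# below), so all users need write access. The sticky bit keeps users from
# deleting or renaming each other's logs; the logs are still writable by the
# user who produced them, so they are an audit aid, not tamper-proof.
chmod 1777 /app/historylog
## Shell history logging ######################################################
# Install the PROMPT_COMMAND logger once; HTERM_ID is the marker. The heredoc
# delimiter is quoted so nothing is expanded at install time — the snippet is
# evaluated by each login shell.
if ! grep -q HTERM_ID /etc/profile; then
  cat >>/etc/profile <<'EOF'
HDATE="`date +%Y%m%d_%H%M%S`"
HPID=`expr $$ - 0`
HTERM_ID=`ps -ef|awk '$2=="'$HPID'"{print $6}'`
HIP=`who|awk '$2=="'$HTERM_ID'"{print $5}'|sed "s/[()]//g"`
PROMPT_COMMAND='history 1|{ read seq cmd;echo -ne $seq" ";echo -ne `date "+%Y-%m-%d_%H:%M:%S"`" ";echo -ne $USER"\t";echo -ne $HTERM_ID"\t";echo -ne "$HIP ";echo $cmd; } >>/app/historylog/history_${HDATE}_${HPID}.log'
EOF
fi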
## iptables ###################################################################
# in_accept ARGS...: append an ACCEPT rule with ARGS to the INPUT chain.
in_accept() { iptables -A INPUT "$@" -j ACCEPT; }
/etc/init.d/iptables stop
iptables -F
# Forwarding is never allowed. Inbound traffic is allow-listed below and the
# final rule drops everything else, so the ACCEPT policy on INPUT is never
# reached.
iptables -P FORWARD DROP
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
in_accept -s 10.10.5.151
in_accept -s 10.12.1.20
# NOTE(review): 210.13.69.50/255.255.255.0 has host bits set under that mask;
# iptables applies the mask, so the whole 210.13.69.0/24 is accepted — confirm.
in_accept -s 210.13.69.50/255.255.255.0 -p tcp
in_accept -s 210.13.100.163 -p tcp
in_accept -s 114.80.91.0/28
in_accept -i eth0 -m state --state ESTABLISHED,RELATED
in_accept -i lo
in_accept -i eth1
in_accept -p icmp
iptables -A INPUT -j DROP
/etc/init.d/iptables save
/etc/init.d/iptables start
echo "==============iptables initialization done============="
# Apply sysctl.conf only now: the net.ipv4.netfilter.* keys exist only once
# the conntrack module has been loaded by starting iptables.
sysctl -p 1>/dev/null
echo "==============sysctl initialization done==============="
# NOTE(review): the firewall is stopped again here, so the host finishes this
# run with no active rules; the saved rule set applies from the next start of
# the iptables service — confirm this is intended.
/etc/init.d/iptables stop