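#!/bin/bash
#
# centos7-tuning.sh — one-shot post-install tuning for a CentOS 7 host.
#
# Usage (as root, on a freshly installed system):
#   bash centos7-tuning.sh
#
# Steps, in order:
#   1. install EPEL and point the CentOS/EPEL repos at a Taiwan mirror
#   2. install a set of daily-use packages
#   3. replace NetworkManager/firewalld with the network and iptables services
#   4. write root's dotfiles (.vimrc, .bashrc, .screenrc)
#   5. write firewall scripts to /etc/fwrules (they are written, NOT executed)
#   6. raise HISTSIZE, set a shell idle timeout, and log every interactive
#      command to /var/log/history through syslog
#   7. run a full yum update
#
# A backup of /etc/yum.repos.d is taken to /root/.linux-tunning-bak first.

# Everything below writes under /etc and /root; stop early instead of
# half-applying the changes as an unprivileged user.
if [ "$EUID" -ne 0 ]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# Install EPEL repo
yum -y install epel-release

# Change yum repo to Taiwan mirror site (http://mirror01.idc.hinet.net/centos)
# backup config
mkdir -p /root/.linux-tunning-bak
tar zcvf /root/.linux-tunning-bak/etc-yum.repo.d-bak.tgz /etc/yum.repos.d
# Use find + sed to rewrite the mirror URLs. Only the baseurl/mirrorlist lines
# are touched; the gpgcheck/gpgkey lines in the repo files are left as they
# are, so package signature verification still covers the plain-HTTP fetches.
find /etc/yum.repos.d -type f -name CentOS-Base.repo -exec sed -i \
  -e 's/#baseurl=http:\/\/mirror.centos.org/baseurl=http:\/\/mirror01.idc.hinet.net/' \
  -e 's/^mirrorlist/#mirrorlist/' {} \;
find /etc/yum.repos.d -type f -name epel.repo -exec sed -i \
  -e 's/#baseurl=http:\/\/download.fedoraproject.org\/pub/baseurl=http:\/\/mirror01.idc.hinet.net/' \
  -e 's/^mirrorlist/#mirrorlist/' {} \;

# Install some daily use packages (iptables-services must be present before
# the systemctl calls further down).
yum -y install net-tools wget w3m curl telnet lftp tcpdump vim iptables-services

# Disable NetworkManager and enable network.
# NOTE(review): if an interface is configured only through NetworkManager and
# has no ifcfg-* file, this restart can drop the current SSH session — check
# /etc/sysconfig/network-scripts before running this remotely.
systemctl stop NetworkManager.service
systemctl disable NetworkManager.service
systemctl restart network

# Disable firewalld and enable iptables-service.
# The rule set iptables.service loads here is whatever /etc/sysconfig/iptables
# already holds; the scripts written to /etc/fwrules below only replace it
# once they are executed by hand.
systemctl disable firewalld.service
systemctl stop firewalld.service
systemctl enable iptables.service
systemctl start iptables.service
systemctl enable ip6tables.service
systemctl start ip6tables.service

# Customize vim env (quoted delimiter: heredoc body is written verbatim)
cat > /root/.vimrc << 'EOF'
set background=dark
EOF

# Customize bash env for root
cat > /root/.bashrc << 'EOF'
# .bashrc
# User specific aliases and functions
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
PS1='[\[\033[34;1m\]\u\[\033[39;0m\]@\[\033[31;2m\]\H \[\033[34;1m\]\w\[\033[39;0m\]]# '
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
EOF

# Customize screen env (written to /root explicitly, like the other dotfiles,
# so the target does not depend on how HOME is set when the script is run)
cat > /root/.screenrc << 'EOF'
termcap xterm 'is=\E[r\E[m\E[2J\E[H\E[?7h\E[?1;4;6l'
terminfo xterm 'is=\E[r\E[m\E[2J\E[H\E[?7h\E[?1;4;6l'
EOF

# Setup our firewall scripts in /etc/fwrules.
# The heredoc delimiters are quoted, so $OUTIF etc. are written literally and
# expanded when the generated script itself runs.
mkdir -p /etc/fwrules
cat > /etc/fwrules/iptables << 'EOF'
#!/bin/bash
PATH=/sbin:/usr/sbin:/bin:/usr/local/sbin:/usr/bin
NATOUT="eth0"
OUTIF="eth0"
INIF="eth1"
## RESET ALL RULES ##
iptables -F
iptables -X
iptables -F -t nat
iptables -F -t mangle
## INPUT ##
#block invalid SYN packet
#reference:
#http://www.webhostingtalk.com/showthread.php?t=363499
#http://www.kb.cert.org/vuls/id/464113
#http://phorum.study-area.org/index.php?topic=5195.0
iptables -A INPUT -i $OUTIF -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -i $OUTIF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -i $OUTIF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Management whitelist placeholder. A hostname here is resolved by iptables
# at load time, so the rule is skipped (and the rest of the script carries on)
# when DNS is unavailable; replace it with the real address/CIDR before use.
iptables -A INPUT -i $OUTIF -p all -s whitelist.example.com/32 -j ACCEPT
#iptables -A INPUT -i $INIF -p all -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT ! -i lo -m state --state NEW,INVALID -j DROP
## NAT ##
#iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o $NATOUT -j SNAT --to-source 10.10.10.1
#iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o $NATOUT -j MASQUERADE
## PREROUTING ##
#iptables -A PREROUTING -t nat -p tcp -d 10.10.10.1/32 --dport 3389 -j DNAT --to 192.168.1.1:3389
## FORWARD ##
iptables -P FORWARD DROP
#iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -j DROP
# PING flow control
iptables -N ping
iptables -A ping -p icmp --icmp-type echo-request -m limit --limit 20/sec -j ACCEPT
iptables -A ping -p icmp -j DROP
iptables -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping
#
## SAVE CONFIGURATION##
iptables-save > /etc/sysconfig/iptables
EOF
# Only root can load rules anyway; keep the script (and the whitelist
# addresses in it) readable by root alone.
chmod 700 /etc/fwrules/iptables

#create ipv6 ip6tables
cat > /etc/fwrules/v6-ip6tables << 'EOF'
#!/bin/bash
PATH=/sbin:/usr/sbin:/bin:/usr/local/sbin:/usr/bin
NATOUT="em1"
OUTIF="em1"
INIF="em2"
## RESET ALL RULES ##
ip6tables -F
ip6tables -X
ip6tables -F -t mangle
#ipmp v6
ip6tables -A INPUT -i $OUTIF -p icmpv6 -j ACCEPT
## INPUT ##
#block invalid SYN packet
#reference:
#http://www.webhostingtalk.com/showthread.php?t=363499
#http://www.kb.cert.org/vuls/id/464113
#http://phorum.study-area.org/index.php?topic=5195.0
ip6tables -A INPUT -i $OUTIF -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
ip6tables -A INPUT -i $OUTIF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
ip6tables -A INPUT -i $OUTIF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#My home
ip6tables -A INPUT -i $OUTIF -p all -s 2001:Bxxx:xxxx:1001::/64 -j ACCEPT
#Console
ip6tables -A INPUT -i $OUTIF -p all -s 2001:bxxx:0:xxxx::227/128 -j ACCEPT
############## Intranet INPUT ##########################
#ip6tables -A INPUT -i $INIF -p all -j ACCEPT
########################################################
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT ! -i lo -m state --state NEW,INVALID -j DROP
## FORWARD ##
#ip6tables -P FORWARD DROP
#ip6tables -A FORWARD -s 2001:bxxx:0:xxxx::227/128 -j ACCEPT
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -m state --state NEW,INVALID -j DROP
#
## SAVE CONFIGURATION##
ip6tables-save > /etc/sysconfig/ip6tables
EOF
chmod 700 /etc/fwrules/v6-ip6tables

# snmp setting
# todo

# /etc/profile tuning: larger history plus a 2-hour idle timeout for login
# shells. TMOUT is set but not made readonly here, so an interactive user can
# still override it in their own session.
sed -i "s/HISTSIZE=1000/HISTSIZE=20000\\nTMOUT=7200/" /etc/profile

# log shell command to /var/log/history
# ref:
# http://webplay.pro/linux/syslog-log-bash-history-every-user.html
# http://stackoverflow.com/questions/3522341/identify-user-in-a-bash-script-called-by-sudo
# https://coderwall.com/p/anphha/save-bash-history-in-syslog-on-centos
# Appended once: re-running the script must not add a second copy (a second
# "typeset -r PROMPT_COMMAND" would make the assignment above it fail).
if ! grep -q 'log2syslog' /etc/bashrc; then
cat >> /etc/bashrc << 'EOF'
# Flush history after every prompt. PROMPT_COMMAND must hold the command text
# itself; the earlier $(history -a) form ran it once and stored an empty string.
PROMPT_COMMAND='history -a'
typeset -r PROMPT_COMMAND
# Every command typed in an interactive shell is sent to syslog, including
# any secret passed as a command-line argument — the target log file is
# created root-only in /etc/rsyslog.d/history.conf for that reason.
function log2syslog
{
  [ -n "$SUDO_USER" ] && user=$SUDO_USER || user=$(who am i | awk '{print $1}')
  declare command
  command=$BASH_COMMAND
  # One quoted message argument, so globs/whitespace in the typed command
  # are logged as-is instead of being re-expanded by the trap.
  logger -p local1.notice -t bash -i -- "$user=>$USER[$$] : $PWD : $command"
}
trap log2syslog DEBUG
EOF
fi

# update syslog: route the local1.notice facility used above to its own file.
# The file holds full command lines, so it is created 0600 instead of
# rsyslog's default mode.
cat > /etc/rsyslog.d/history.conf << 'EOF'
# history
local1.notice action(type="omfile" file="/var/log/history" fileCreateMode="0600")
EOF
# Reload so the new rule is live now rather than after the next reboot.
systemctl restart rsyslog.service

# update logrotate: add the new file to the existing syslog rotation block
# (skipped when it is already listed, so the script can be re-run).
grep -q '^/var/log/history$' /etc/logrotate.d/syslog \
  || sed -i '1s/^/\/var\/log\/history\n/' /etc/logrotate.d/syslog

#update package
yum -y update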