服务器初始化脚本(init.sh)
服务器初始化脚本(init.sh)
本脚本功能: 1.禁止selinux 2.修改ssh端口为65522 3.禁止root用户ssh登录 4.新增sudo用户opadm 5.生成opadm用户ssh公钥 6.设置时区为Asia/Hong_Kong,并同步系统时间。 7.修改系统limits和系统内核参数
```
# normalise line endings before running (the file may carry CRLF endings)
dos2unix init.sh
# run the initialisation script; it must run as root (env_check enforces this)
# and uses bash arrays/`+=`, so prefer `bash init.sh` unless /bin/sh is bash
sh init.sh
```
```
#!/bin/bash
###
#
# @Author: Strange
# @Email: strangestge@gmail.com
# @Date: 2020-12-01 10:56:25
# @LastEditTime: 2020-12-18 17:14:15
# @LastEditors: Strange
# @Description:
# @FilePath: \shell\init.sh
# @Add HIDS deployment(V1.1) ---dracula
###
# One-shot CentOS 7 host baseline: time sync, SELinux off, base packages,
# an `opadm` sudo user with a fixed password hash and a fixed SSH key, sshd on
# port 65522 with root login disabled, firewalld + fail2ban, limits/sysctl
# tuning, Wazuh/osquery agents and node_exporter. Re-runs are refused once
# /var/log/init.log exists (see env_check / set_logs).
#
# NOTE(review): security-relevant observations on this script as written.
# None of these annotations change behaviour; they are for the maintainer:
#  - Almost every command ends in `>/dev/null >&1`. `>&1` redirects stdout to
#    itself and is a no-op, so stderr is NOT suppressed; `2>&1` was probably
#    intended. In practice errors still print, which is arguably useful here.
#  - set_su_admin installs the same fixed SHA-512 password hash for opadm on
#    every host and grants `NOPASSWD:ALL` sudo. Because this document is
#    published, the hash is exposed to offline cracking, and one recovered
#    password opens every initialised server as root.
#  - set_sshroot's heading claims password login is disabled, but no
#    `PasswordAuthentication no` directive is ever written, so the shared
#    opadm password remains usable over SSH.
#  - set_Fail2ban enables the [sshd] jail without `port = 65522`; fail2ban's
#    jail defaults use `port = ssh` (22), so bans would very likely not cover
#    the port sshd actually listens on — confirm against the installed
#    jail.conf and banaction.
#  - install_HIDS embeds the Wazuh agent registration password in clear text
#    in a published script; treat it as compromised and rotate it on the
#    manager.
#  - Third-party artefacts (remi/city-fan release RPMs over plain http, files
#    from a personal GitHub repo at `main`, the node_exporter tarball, the
#    Wazuh RPM) are fetched without any checksum/signature verification in
#    this script; yum's `localpkg_gpgcheck` is off by default, so direct-URL
#    RPM installs are typically not signature-checked either — confirm.
#  - set_selinux disables SELinux permanently rather than labelling the new
#    ssh port; set_op_fdisk references an undefined ${install_bak_path} and
#    is never called from main.
###
source /etc/profile
################################################################
# Pre-flight checks. Exits 1 if the host was already initialised, 2 if not
# root, 3 if www.google.com does not answer a ping (internet reachability).
function env_check() {
  # /var/log/init.log is written (and made immutable) by set_logs at the end
  # of a successful run, so its presence means "already initialised".
  if [ -f /var/log/init.log ];then
    echo -e "\033[31;49;1m[`date +%F' '%T`] Error: 此系统已经初始化过,请检查。 \033[39;49;0m"
    echo -e "\033[31;49;1m[`date +%F' '%T`] Error: 上次初始化时间为 `awk '{print $1,$2}' /var/log/init.log` \033[39;49;0m"
    sleep 5s
    exit 1
  fi
  if [ $(id -u) -ne 0 ];then
    echo '=== 此脚本需要root用户执行,即将退出脚本 ==='
    sleep 5s
    exit 2
  fi
  # NOTE(review): a single ICMP probe to google.com is a weak reachability
  # test and fails on networks where ICMP or that domain is filtered, even
  # though the yum mirrors used below may be reachable.
  if (! ping -c1 -w20 www.google.com > /dev/null 2>&1);then
    echo '=== 访问internet异常,即将退出脚本 ==='
    sleep 5s
    exit 3
  fi
}
# Timezone + one-off ntpdate, plus a daily 04:xx cron entry for root.
function set_date() {
  timedatectl set-timezone Asia/Hong_Kong >/dev/null >&1
  yum -y install ntp >/dev/null >&1
  /usr/sbin/ntpdate cn.pool.ntp.org >/dev/null >&1
  # Appends directly to root's crontab spool; the init.log guard above is the
  # only thing preventing duplicate entries on a re-run.
  echo "* 4 * * * /usr/sbin/ntpdate cn.pool.ntp.org > /dev/null 2>&1" >> /var/spool/cron/root
  systemctl restart crond.service >/dev/null >&1
}
# Third-party repos (remi, EPEL, city-fan) and a fixed list of base packages.
function install_base_soft() {
  # NOTE(review): both release RPMs are fetched over plain http from a URL,
  # so integrity rests on yum's GPG handling for direct installs — see the
  # header note on localpkg_gpgcheck.
  yum install -y http://rpms.famillecollet.com/enterprise/remi-release-7.rpm >/dev/null >&1
  yum install -y epel-release >/dev/null >&1
  yum install -y http://www.city-fan.org/ftp/contrib/yum-repo/city-fan.org-release-2-2.rhel7.noarch.rpm
  bsoft_list=(man yum-plugin-fastestmirror vim-enhanced ntp wget bash-completion elinks lrzsz unix2dos dos2unix firewalld git unzip python python-devel python-pip net-tools fail2ban)
  # Install each package only if `rpm -q` says it is missing.
  for basesoft in ${bsoft_list[*]};do rpm -q "$basesoft" > /dev/null || yum -y install "$basesoft" >/dev/null >&1;done
  # city-fan ships a newer curl than base CentOS 7.
  yum install curl --enablerepo=city-fan.org -y
}
# Create the operations user `opadm` (group opadm, supplementary group wheel),
# set a fixed password hash, restrict `su` to wheel, alias root mail to opadm
# and grant passwordless sudo. Skipped entirely if the user already exists.
function set_su_admin() {
  ADMGROUP=opadm
  ADMUSER=opadm
  if (! id "$ADMUSER" > /dev/null 2>&1);then
    # NOTE(review): `chpasswd -e` installs a pre-computed SHA-512 hash, i.e.
    # the same password on every host built with this script, and the hash
    # itself is disclosed by this document. Prefer key-only access (the key is
    # installed in opadm_ssh_key) and a per-host secret supplied at run time.
    # The sed uncomments the pam_wheel line in /etc/pam.d/su so that only
    # wheel members may `su` (opadm is in wheel via `-G wheel`).
    groupadd "$ADMGROUP" >/dev/null >&1 && useradd -g "$ADMGROUP" -G wheel "$ADMUSER" >/dev/null >&1 && \
    echo "$ADMUSER:\$6\$75s94X0p\$qrr9ahVu0OeeGXc92QwD3/2H2be.ZWAsEr9/j5O6EIcSwccpc7Utb.kGX03lmZWmR/jldHiSFdjY.S.gsA/jA0" | chpasswd -e && \
    sed -i '/pam_wheel.so\ use_uid/s/\#auth/auth/' /etc/pam.d/su && echo -e "root:\t$ADMUSER" >> /etc/aliases && newaliases
    echo "add user: $ADMUSER " >/dev/null >&1
    # NOTE(review): the line is appended straight into /etc/sudoers with no
    # `visudo -c` syntax check; a drop-in under /etc/sudoers.d validated with
    # `visudo -cf` is the usual safer pattern. Root can write a 0440 file
    # regardless, so the chmod 700 is cosmetic; restoring 0440 is what sudo
    # requires. `NOPASSWD:ALL` means the opadm password alone is root-equivalent.
    chmod 700 /etc/sudoers
    echo "$ADMUSER ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
    chmod 440 /etc/sudoers
  fi
}
# Comment out `Defaults requiretty` so sudo works from non-interactive
# sessions (scripts, ssh command execution).
function set_su_default_tty() {
  if (grep -q '^Defaults requiretty$' /etc/sudoers);then
    chmod 700 /etc/sudoers
    sed -i '/^Defaults requiretty$/s/^/#/' /etc/sudoers
    chmod 440 /etc/sudoers
  fi
}
# Disable root SSH login and force protocol 2, then restart sshd.
# NOTE(review): the original heading also said "disable password login", but
# nothing here writes `PasswordAuthentication no`; password logins (including
# the shared opadm password from set_su_admin) stay enabled.
function set_sshroot() {
  # The marker line makes this function idempotent across re-runs.
  if (! grep -qE '^###ops_diy_flag_sshroot$' /etc/ssh/sshd_config);then
    echo '###ops_diy_flag_sshroot' >> /etc/ssh/sshd_config
    # Rewrite an existing `PermitRootLogin yes` (active, `#`-commented, or
    # `##`+-commented) to `no`; otherwise append. Only the literal value
    # `yes` is matched — an active `PermitRootLogin without-password` /
    # `prohibit-password` line would be left in place and, since sshd honours
    # the first occurrence of a keyword, would override the appended `no`.
    if [ $(grep '^PermitRootLogin\ \+yes\ *$' /etc/ssh/sshd_config|wc -l) -ge 1 ];then
      sed -i "s/^PermitRootLogin\ \+yes\ *$/PermitRootLogin\ no/" /etc/ssh/sshd_config
    elif [ $(grep '^#PermitRootLogin\ \+yes\ *$' /etc/ssh/sshd_config|wc -l) -ge 1 ];then
      sed -i "s/^#PermitRootLogin\ \+yes\ *$/PermitRootLogin\ no/" /etc/ssh/sshd_config
    elif [ $(grep '^[#]\{2,\}PermitRootLogin\ \+yes\ *$' /etc/ssh/sshd_config|wc -l) -ge 1 ];then
      sed -i "s/[#]\{2,\}PermitRootLogin\ \+yes\ *$/PermitRootLogin\ no/" /etc/ssh/sshd_config
    else
      echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
    fi
    # Force SSH protocol 2. Note the pattern '^Protocol*' means "Protoco"
    # followed by zero or more "l", so any line starting with Protoco counts.
    if [ $(grep '^Protocol*' /etc/ssh/sshd_config|wc -l) -eq 0 ];then
      echo 'Protocol 2' >> /etc/ssh/sshd_config
    fi
    # Validate the config before restarting; a bad config exits 4 rather than
    # leaving sshd down.
    if (sshd -t);then
      systemctl restart sshd.service >/dev/null >&1
    else
      echo " sshd_config 配置文件有错误,请检查配置,即将退出脚本 "
      exit 4
    fi
  fi
}
# Move sshd to port 65522 (rewriting or uncommenting existing Port lines),
# set `UseDNS no`, validate and restart sshd.
function set_sshport(){
  export mysshlistenport='65522'
  if (! grep -qE '^###ops_diy_flag_sshport$' /etc/ssh/sshd_config);then
    echo '###ops_diy_flag_sshport' >> /etc/ssh/sshd_config
    # Cases: exactly one active Port line → rewrite; several → comment all,
    # then turn the first commented one into the new port (GNU sed `0,/re/`);
    # same two cases for `#Port` lines. NOTE(review): there is no final else,
    # so a sshd_config with no 2–5 digit Port line at all is left untouched and
    # sshd keeps listening on 22 while the firewall/fail2ban assume 65522.
    if [ $(grep '^Port\ \+[0-9]\{2,5\}\ *$' /etc/ssh/sshd_config|wc -l) -eq 1 ];then
      sed -i "s/^Port\ \+[0-9]\{2,5\}\ *$/Port ${mysshlistenport}/" /etc/ssh/sshd_config
    elif [ $(grep '^Port\ \+[0-9]\{2,5\}\ *$' /etc/ssh/sshd_config|wc -l) -ge 2 ];then
      sed -i "/^Port\ \+[0-9]\{2,5\}\ *$/s/^/#/" /etc/ssh/sshd_config
      sed -i "0,/^#Port\ \+[0-9]\{2,5\}\ *$/s//Port ${mysshlistenport}/" /etc/ssh/sshd_config
    elif [ $(grep '^#Port\ \+[0-9]\{2,5\}\ *$' /etc/ssh/sshd_config|wc -l) -eq 1 ];then
      sed -i "s/^#Port\ \+[0-9]\{2,5\}\ *$/Port ${mysshlistenport}/" /etc/ssh/sshd_config
    elif [ $(grep '^#Port\ \+[0-9]\{2,5\}\ *$' /etc/ssh/sshd_config|wc -l) -ge 2 ];then
      sed -i "/^#Port\ \+[0-9]\{2,5\}\ *$/s/^/#/" /etc/ssh/sshd_config
      sed -i "0,/^#Port\ \+[0-9]\{2,5\}\ *$/s//Port ${mysshlistenport}/" /etc/ssh/sshd_config
    fi
    # Skip reverse-DNS lookups on login (faster connects, no security loss).
    sed -i "s/^#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
    # NOTE(review): SELinux is disabled earlier in main, so no `semanage port`
    # is needed here; if SELinux were kept enforcing, sshd would refuse 65522.
    if (sshd -t);then
      echo " sshd_config 配置文件正确 " >/dev/null >&1
      systemctl restart sshd.service >/dev/null >&1
    else
      echo " sshd_config 配置文件有错误,请检查配置,即将退出脚本 "
      exit 4
    fi
  fi
}
# Append the fixed jump-host public key (`jump-new-2`) to opadm's
# authorized_keys.
function opadm_ssh_key(){
  ssh_key_dir=/home/opadm/.ssh
  # NOTE(review): created by root, so ~/.ssh and authorized_keys end up
  # root-owned with umask-default modes (typically 755/644). sshd's StrictModes
  # accepts root-owned, non-group/world-writable files, so login presumably
  # works, but opadm cannot manage its own keys and the file is wider than
  # needed; `chown -R opadm:opadm` plus 700/600 would be the expected shape.
  mkdir -p ${ssh_key_dir}
  cat >>${ssh_key_dir}/authorized_keys<< EOF
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMCXyymw/3DN5P5jfDeyAxEoqnoPHlyUD8wXQ275qMDcEi7NFzP5I8YfLeS4+40tpjm4BB0GUhkZVeDu5GLgwX9MQtxM5AvFxahymNBK9VrnancuxnEWg3CGRpKGnlgWDz1AxKygcEKZ53Zpr/kpnoBJNLX/QKW6J5mAOgpn6kpU3gTE1oxNl0YIRqw0Wf54QUkxFS1WIspFkoX2zENVceaIDucfkkM+AiVZamCOrYAiQ/ecCR5Ehm/v3LpjvRkg1ojWayJnzRkXhQV1gGGFNP4wH37D583xhT2d1K25mBi/CezmPAdyoswERSq5OgmH1JQOaFm5Zk8m9sLCs2uVbp jump-new-2
EOF
}
# Raise the systemd-wide default open-file limit via a system.conf drop-in.
# (The function is named `systemd`, which shadows nothing the script calls
# but is confusing; it is the "set limits" step in main.)
function systemd() {
  mkdir -p /etc/systemd/system.conf.d/ >/dev/null >&1
  cat << EOF >/etc/systemd/system.conf.d/limits.conf
[Manager]
DefaultLimitNOFILE=65535
EOF
  systemctl daemon-reexec >/dev/null >&1
}
# Enable and (re)start firewalld.
# NOTE(review): sshd has already been moved to 65522 in main by this point; if
# firewalld was already active with the default public zone, new SSH
# connections are refused until set_iptrules opens the port a step later.
function set_iptables() {
  systemctl enable firewalld.service >/dev/null >&1
  systemctl restart firewalld.service >/dev/null >&1
}
# Permanent public-zone rules: allow http and tcp/65522, then reload.
function set_iptrules(){
  # allow http
  firewall-cmd --permanent --zone=public --add-service=http >/dev/null >&1
  # drop ICMP (left disabled)
  #firewall-cmd --add-rich-rule='rule protocol value=icmp drop' --permanent
  # remove the stock ssh (22) service from the zone (left disabled, so 22
  # stays open in the zone even though sshd no longer listens there)
  #firewall-cmd --permanent --zone=public --remove-service=ssh
  # open the new ssh port (hard-coded here; duplicates mysshlistenport)
  firewall-cmd --permanent --zone=public --add-port=65522/tcp >/dev/null >&1
  # restrict ssh / redis to specific sources (examples, left disabled)
  #firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="10.98.0.0/24" service name="ssh" accept"
  #firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="192.168.142.166" port protocol="tcp" port="6379" accept"
  # apply the permanent rules
  firewall-cmd --reload >/dev/null >&1
}
# Put SELinux into permissive mode now and disable it persistently.
# NOTE(review): this removes the MAC layer entirely; keeping enforcing mode
# and labelling the new port (`semanage port -a -t ssh_port_t -p tcp 65522`)
# would preserve the hardening. The "you must reboot" message is swallowed by
# the redirect, although a reboot is needed for SELINUX=disabled to apply.
function set_selinux() {
  if [ $(grep -cE '^SELINUX=disabled$' /etc/selinux/config) -eq 0 ];then
    /usr/sbin/setenforce 0
    sed -i '/^SELINUX=/s/SELINUX=.*/SELINUX=disabled/' /etc/selinux/config >/dev/null >&1
    echo "selinux is disabled,you must reboot!" >/dev/null >&1
  fi
}
# Set LANG to en_US.UTF-8 unless that string already appears in locale.conf.
# (Despite the `_cn` name, the locale written is en_US.)
function set_lang_cn() {
  grep -q 'en_US.UTF-8' /etc/locale.conf || sed -i -E 's/^LANG=.*/LANG="en_US.UTF-8"/' /etc/locale.conf
}
# Stop and disable rpcbind and postfix. Note set_su_admin configured a
# root→opadm mail alias; with postfix disabled that local mail is not delivered.
function disable_service() {
  service_list=(rpcbind rpcbind.socket postfix)
  for service in ${service_list[*]}; do systemctl stop ${service} > /dev/null ; done
  for service in ${service_list[*]}; do systemctl disable ${service} > /dev/null ; done
}
# Enable the fail2ban sshd jail: 5 failures per hour → 3 hour ban.
# NOTE(review): no `port = 65522` is set, so the jail inherits fail2ban's
# default `port = ssh` (22) and bans will very likely miss the real port.
# Also confirm the installed fail2ban accepts the inline `# an hour` /
# `# 3 hours` comments on value lines; if its ini parser does not, the values
# fail to parse. `>>` appends, so re-runs (if the init.log guard were removed)
# would duplicate the section.
function set_Fail2ban(){
  cat >>/etc/fail2ban/jail.d/sshd.conf<< EOF
[sshd]
enabled = true
maxretry = 5
findtime = 3600 # an hour
bantime = 10800 # 3 hours
ignoreip = 127.0.0.1/8
EOF
  systemctl enable fail2ban.service >/dev/null >&1
  systemctl restart fail2ban.service >/dev/null >&1
}
# Append limits.conf entries (once) and replace /etc/sysctl.conf wholesale
# (once), keeping the previous file as /etc/sysctl.conf_bak.
function set_sysctl() {
  # `ip_conntrack` is the legacy module alias; on CentOS 7 the module is
  # nf_conntrack — modprobe may report failure here (not fatal).
  modprobe ip_conntrack
  grep -qE '^###ops_diy_flag_limits$' /etc/security/limits.conf || \
  echo "###ops_diy_flag_limits
* soft nofile 52100
* hard nofile 52100
* soft nproc 32768
* hard nproc 65536
* soft core 0" >> /etc/security/limits.conf
  [ -f /etc/sysctl.conf ] || touch /etc/sysctl.conf
  if (! grep -qE '^###ops_diy_flag_sysctl$' /etc/sysctl.conf);then
    mv /etc/sysctl.conf /etc/sysctl.conf_bak
    # 80% of RAM in bytes; only used in the commented-out kernel.shmmax line.
    iMyRam=`free -m|grep Mem:|awk '{print $2}'`
    ikernel_shmmax=`expr $iMyRam \* 1024 \* 1024 \* 80 \/ 100`
    # NOTE(review): `kernel.ctrl-alt-del = 1` makes Ctrl-Alt-Del on the
    # console trigger an immediate reboot without going through init (per the
    # kernel sysctl documentation); confirm that is intended where physical or
    # remote-console access exists. `kernel.sysrq = 0` disables the magic
    # SysRq key. `net.ipv6.conf.all.disable_ipv6 = 1` turns IPv6 off entirely.
    echo "###ops_diy_flag_sysctl
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
#kernel.shmmax = ${ikernel_shmmax}
#kernel.shmall = 134217728
#net.ipv4.ip_local_port_range = 10240 63535
#net.ipv4.ip_local_reserved_ports = 10241, 10242-12000
net.ipv4.ip_local_port_range = 30000 63535
net.ipv4.tcp_max_tw_buckets = 9000
net.ipv4.tcp_keepalive_time = 180
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 2
net.ipv6.conf.all.disable_ipv6 = 1
net.core.rmem_max = 33554432
net.core.wmem_max = 33554432
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.nf_conntrack_max = 524288
net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.core.netdev_max_backlog = 30000
net.core.somaxconn = 65535
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
vm.swappiness = 5
vm.overcommit_memory = 1
fs.file-max = 4096000
kernel.ctrl-alt-del = 1" > /etc/sysctl.conf
    sysctl -p /etc/sysctl.conf >/dev/null >&1
  fi
}
# Partition and mount a data disk ($1, e.g. /dev/vdb) as /data (xfs).
# NOTE(review): this function is never called from main; `${install_bak_path}`
# is not defined anywhere in this script, so the fdisk log would land at
# /fdisk.log; `op_dlabel` is assigned but never used; and `$1` is expanded
# unquoted throughout. Returns 4 if the disk is not listed, 5 if it already
# has partitions (data-protection guard).
function set_op_fdisk() {
  op_dlabel='op_data'
  op_mount_dst='/data'
  # `if $(cmd)` with a silent `grep -q` expands to no words; bash then uses
  # the exit status of the command substitution, so this works but is obscure.
  if $(fdisk -l | grep -q "${1}");then
    :
  else
    echo "=== 目标磁盘不存在 ==="
    return 4
  fi
  part_num=$(fdisk -l $1 | grep -o "^$1[1-9]\>" | tr -d [[:punct:]] | tr -d 'A-Za-z' | sort -n | tail -1)
  if [ -z ${part_num} ];then
    # Scripted fdisk dialogue: new, primary, partition 1, ..., write. This
    # rendering of the document may have lost blank "accept default" answer
    # lines inside the here-doc; verify against the original file before use.
    fdisk $1 &> ${install_bak_path}/fdisk.log <<EOF
n
p
1
1
w
EOF
    mkfs.xfs -f ${1}1
    [ -d ${op_mount_dst} ] || mkdir -p ${op_mount_dst}
    grep -q "${1}1" /etc/fstab || echo "${1}1 ${op_mount_dst} xfs defaults 0 0" >>/etc/fstab
    mount -a && mount && df -h
  elif [ ${part_num} -ge 1 ];then
    echo ''
    echo '=== 目标磁盘分区数量不为零,为保护数据不进行分区 ==='
    echo ''
    return 5
  fi
}
# Record completion time in /var/log/init.log and make the file immutable;
# env_check uses this file as the "already initialised" marker.
function set_logs(){
  echo `date +%F' '%T` 服务器初始化完成 >>/var/log/init.log
  chattr +i /var/log/init.log
}
# Install the Wazuh agent (manager chosen by whether the LAN name answers a
# ping), OpenSCAP wodle helpers and content, and osquery with a baked-in config.
function install_HIDS(){
  export WAZUH_AGENT_NAME=$(hostname)
  # NOTE(review): agent enrolment password in clear text in a published
  # script. Anyone holding it can register rogue agents with the manager;
  # rotate it and inject it at run time (environment/secret store) instead.
  export WAZUH_REGISTRATION_PASSWORD='sgi4011pfj5rfjdkajf54q35we'
  # `sudo` is redundant here: env_check already guarantees we are root.
  sudo yum remove -y wazuh-agent; sudo rm -rf /var/ossec/ >/dev/null >&1
  ping -c1 wzlan-agent.cg.xxx &> /dev/null
  PINGresult=$?
  if [ $PINGresult -eq 0 ];then
    export WAZUH_MANAGER='wzlan-agent.cg.xxx'
    yum -y install https://packages.wazuh.com/4.x/yum/wazuh-agent-4.2.5-1.x86_64.rpm >/dev/null >&1
  else
    export WAZUH_MANAGER='wz-agent.cg.xxx'
    yum -y install https://packages.wazuh.com/4.x/yum/wazuh-agent-4.2.5-1.x86_64.rpm >/dev/null >&1
  fi
  yum -y install wget curl psmisc sshpass >/dev/null >&1
  # Imports the CentOS key only; the Wazuh signing key is never imported, so
  # the direct-URL RPM above is not verified against it by this script.
  rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
  systemctl enable wazuh-agent >/dev/null >&1
  mkdir -p /var/ossec/wodles/oscap >/dev/null >&1
  # NOTE(review): `cd` has no `|| exit`; if it fails the downloads below land
  # in the current directory. The three files are pulled from a personal
  # GitHub repository at the moving `main` ref with no checksum — an upstream
  # change or account compromise would be executed on every new host.
  cd /var/ossec/wodles/oscap/;sudo yum -y install openscap-scanner unzip >/dev/null >&1
  wget -c https://raw.githubusercontent.com/draculahaha/openscap/main/oscap.py >/dev/null >&1
  wget -c https://raw.githubusercontent.com/draculahaha/openscap/main/template_oval.xsl >/dev/null >&1
  wget -c https://raw.githubusercontent.com/draculahaha/openscap/main/template_xccdf.xsl >/dev/null >&1
  curl -LJO https://github.com/ComplianceAsCode/content/releases/download/v0.1.54/scap-security-guide-0.1.54.zip >/dev/null >&1
  unzip -jn scap-security-guide-0.1.54.zip -d content >/dev/null >&1
  chmod +x oscap.py >/dev/null >&1
  yum -y install yum-utils >/dev/null >&1
  # osquery repo key is fetched over https and added to the rpm-gpg directory.
  curl -L https://pkg.osquery.io/rpm/GPG | tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery >/dev/null >&1
  yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo >/dev/null >&1
  yum-config-manager --enable osquery-s3-rpm >/dev/null >&1
  yum -y install osquery >/dev/null >&1
  # The osquery config is written from an opaque base64 blob (its content was
  # removed in this rendering of the document). An agent configuration should
  # be kept as a reviewable plain-text file rather than an inline blob.
  echo "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" | base64 -d > /etc/osquery/osquery.conf
  # osqueryd is started once and stopped again and left disabled; presumably
  # the Wazuh agent drives it instead — confirm this is intentional.
  systemctl disable osqueryd >/dev/null >&1
  systemctl start osqueryd >/dev/null >&1
  systemctl stop osqueryd >/dev/null >&1
  systemctl restart wazuh-agent >/dev/null >&1
}
# Install node_exporter 1.3.1 as a systemd service and allow two Prometheus
# hosts to reach tcp/9100.
function install_node_exporter(){
  # NOTE(review): the tarball is not checked against the sha256sums.txt the
  # project publishes for each release.
  wget https://github.com/prometheus/node_exporter/releases/download/v1.3.1/node_exporter-1.3.1.linux-amd64.tar.gz -O /opt/node_exporter-1.3.1.linux-amd64.tar.gz
  tar -zxf /opt/node_exporter-1.3.1.linux-amd64.tar.gz -C /opt/
  cp /opt/node_exporter-1.3.1.linux-amd64/node_exporter /usr/bin/
  # NOTE(review): no `User=`/`Group=` in the unit, so the exporter runs as
  # root; a dedicated unprivileged user is the usual deployment.
  cat <<EOF >/usr/lib/systemd/system/node-exporter.service
[Unit]
Description=node_exporter
Documentation=https://prometheus.io/
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/node_exporter
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl start node-exporter
  systemctl enable node-exporter
  # The inner double quotes close and reopen the shell string, so the rich
  # rule reaches firewall-cmd with family=ipv4 etc. unquoted; it works, but
  # single-quoting the whole rule would be clearer.
  firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="10.65.18.135/32" port protocol="tcp" port="9100" accept"
  firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="10.64.18.123/32" port protocol="tcp" port="9100" accept"
  firewall-cmd --reload
}
# Entry point: runs each step sequentially with a fake progress bar.
# Nothing is run in the background, so `$!` is never set and the `pids`
# array is dead code. Step order matters: sshd is moved to 65522 (52%) before
# firewalld is enabled/configured (72%/78%), and SELinux is disabled (12%)
# before the port change, which is why no `semanage` is needed.
function main() {
  pids=""
  echo -e '正在初始化操作系统:'
  echo -ne '#.......................................................................................................... (1%) [环境检测]\r'
  sleep .5
  # environment checks
  env_check
  pids+=($!)
  echo -ne '########................................................................................................... (6%) [同步系统时间]\r'
  sleep .5
  # time sync
  set_date
  pids+=($!)
  echo -ne '###############............................................................................................ (12%) [禁用selinux]\r'
  sleep .5
  # disable selinux
  set_selinux
  pids+=($!)
  echo -ne '#######################.................................................................................... (18%) [安装基本软件]\r'
  sleep .5
  # base packages
  install_base_soft
  pids+=($!)
  echo -ne '##############################............................................................................. (26%) [添加su用户]\r'
  sleep .5
  # create the opadm sudo user
  set_su_admin
  pids+=($!)
  echo -ne '#####################################...................................................................... (32%) [设置sudoers]\r'
  sleep .5
  # sudoers: drop requiretty
  set_su_default_tty
  pids+=($!)
  echo -ne '#############################################.............................................................. (38%) [设置禁止root登录]\r'
  sleep .5
  # disable root SSH login (the original comment also said "and add the
  # opadm user", but set_sshroot does not do that — opadm was created above)
  set_sshroot
  sleep .5
  pids+=($!)
  echo -ne '###################################################........................................................ (46%) [添加opadm用户ssh-key]\r'
  # install the opadm ssh key
  sleep .5
  opadm_ssh_key
  pids+=($!)
  echo -ne '##########################################################................................................. (52%) [设置ssh端口]\r'
  sleep .5
  # move sshd to port 65522
  set_sshport
  pids+=($!)
  echo -ne '###############################################################............................................. (58%) [禁用不必要的系统服务]\r'
  sleep .5
  # disable unneeded services
  disable_service
  pids+=($!)
  echo -ne '#####################################################################....................................... (66%) [设置limits]\r'
  sleep .5
  # systemd default limits
  systemd
  pids+=($!)
  echo -ne '##########################################################################.................................. (72%) [设置防火墙服务]\r'
  sleep .5
  # enable firewalld
  set_iptables
  pids+=($!)
  echo -ne '##################################################################################.......................... (78%) [设置防火墙规则]\r'
  sleep .5
  # firewall rules
  set_iptrules
  pids+=($!)
  echo -ne '########################################################################################.................... (86%) [设置Fail2ban]\r'
  sleep .5
  # fail2ban
  set_Fail2ban
  pids+=($!)
  echo -ne '###########################################################################################................. (92%) [设置中文语言]\r'
  sleep .5
  # locale (writes en_US.UTF-8 despite the label)
  set_lang_cn
  pids+=($!)
  echo -ne '################################################################################################............ (93%) [配置内核参数]\r'
  sleep .5
  # limits.conf + sysctl
  set_sysctl
  pids+=($!)
  echo -ne '####################################################################################################........ (95%) [初始化成功日志]\r'
  sleep .5
  # install HIDS (the 95% label above says "init log" but this step is HIDS)
  install_HIDS
  pids+=($!)
  echo -ne '######################################################################################################...... (98%) [HIDS安装成功]\r'
  sleep .5
  # install node-exporter
  install_node_exporter
  pids+=($!)
  echo -ne '########################################################################################################.... (99%) [node-exporter安装成功]\r'
  sleep .5
  # write the completion marker (makes future runs refuse to start)
  set_logs
  pids+=($!)
  echo -ne '############################################################################################################ (100%) [初始化完成了,请重启服务器]\r'
  sleep .5
  # operator should reboot the server now (SELinux change needs it)
  sleep 2
}
main
```
admin
2023年7月3日 10:21