####close service
# Settings shared by the sections below.
# NTP server this host is stepped against (cron job in the NTPDATE section).
TimeServerMaster=192.168.6.13
# Non-default listen port written into /etc/ssh/sshd_config (SSH section).
SSHPort=58522

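echored ()
{
  # Print $1 in red (ANSI 31) on stdout, framed by single spaces as before.
  # $1 is now quoted and passed through printf %s, so embedded whitespace,
  # glob characters and backslashes are printed literally instead of being
  # word-split, glob-expanded and escape-interpreted by "echo -ne ... $1".
  # Output stays on stdout so existing "cmd || echored ..." callers behave the same.
  printf '\033[31m %s \033[0m\n' "$1"
}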

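echogreen ()
{
  # Print $1 in green (ANSI 32) on stdout, framed by single spaces as before.
  # Same fix as echored: $1 is quoted and emitted via printf %s so the message
  # is never word-split, glob-expanded or escape-interpreted.
  printf '\033[32m %s \033[0m\n' "$1"
}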

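# Hostname: "HK<third>-<fourth>" derived from the host's 192.168.x.y address.
# Only "inet addr:" lines are considered (the old bare "grep 192.168" also
# matched any other ifconfig field containing that string) and only the first
# match is used, so a multi-homed host cannot yield a multi-word hostname that
# makes "hostname" bail out and sed write garbage into /etc/sysconfig/network.
IPN=$(ifconfig | grep 'inet addr:192\.168\.' | head -1 | awk '{print $2}' | cut -d: -f2 | awk -F. '{print $3"-"$4}')
if [ -z "$IPN" ]; then
  # Previously an empty match silently produced the hostname "HK".
  echored "Error: no 192.168.x.x address found, hostname not changed."
else
  HOSTNAME="HK$IPN"
  hostname "$HOSTNAME"
  sed -i "s/HOSTNAME=.*/HOSTNAME=$HOSTNAME/g" /etc/sysconfig/network
fi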

# Router
#RouterIP=`cat /etc/sysconfig/network-scripts/ifcfg-$(ip addr li|egrep '\<10\.'|awk '{print $NF}' |tail -1)| grep IPADDR|awk -F= '{print $2}'|awk -F. '{print $1"."$2"."$3"."1}'`
#echo "10.0.0.0/16 via ${RouterIP}" > /etc/sysconfig/network-scripts/route-`ip addr li|egrep '\<10\.'|awk '{print $NF}' |tail -1`

# Static addressing is assumed from here on: any running DHCP client is killed
# (SIGKILL, so no lease release) and eth0/eth1 are made to come up at boot.
killall -9 dhclient >/dev/null 2>&1
for nic in eth0 eth1; do
  cfg="/etc/sysconfig/network-scripts/ifcfg-$nic"
  # Only flips an explicit ONBOOT=no; a missing ifcfg file is skipped.
  [ -f "$cfg" ] && sed -i 's/ONBOOT=no/ONBOOT=yes/' "$cfg"
done

# Resolve
# /etc/resolv.conf is overwritten unconditionally (dhclient was killed above, so
# nothing will rewrite it). Both resolvers are reached in the clear, as DNS is.
# NOTE(review): 192.166.6.40 is the only address in this script outside
# 192.168.6.0/24 — confirm it is not a typo for 192.168.6.40.
cat > /etc/resolv.conf <<'EOF'
#sky_Resolve_Conf

search localdomain

nameserver 192.168.6.13

nameserver 192.166.6.40


EOF

# yum is run without the http-proxy the wget calls below use, so repository
# access is assumed to work directly (or via yum.conf).
yum -y install wget

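# NTPDATE
## echo "Check ntpdate..."
# The clock is stepped every 5 minutes with plain, unauthenticated ntpdate.
# Anyone able to answer as ${TimeServerMaster} can move this host's clock
# (log timestamps, certificate validity windows, Kerberos tickets).
{ [ -f /usr/sbin/ntpdate ] || yum -q -y install ntp ;} || { echored "Error: pls install ntp server." && exit 1;}

# The original cron line referenced ${TimeServerSalve}, which is defined
# nowhere (a misspelling of "Slave"), so the fallback ran "ntpdate" with no
# host argument. Use TimeServerSlave when the caller defines it, else retry
# the master.
ntp_slave="${TimeServerSlave:-${TimeServerMaster}}"
cron_line="*/5 * * * * /usr/sbin/ntpdate ${TimeServerMaster} >> /var/log/uptime.log 2>&1 || /usr/sbin/ntpdate ${ntp_slave} >> /var/log/uptime.log 2>&1;/sbin/hwclock -w"

# root's crontab is appended directly in the spool (crond notices the mtime
# change); the entry is added only once, keyed on the master address.
grep -qF "/usr/sbin/ntpdate ${TimeServerMaster}" /var/spool/cron/root 2>/dev/null \
  || echo "${cron_line}" >> /var/spool/cron/root
crontab -l 2>/dev/null | grep -qF "ntpdate ${TimeServerMaster}" || echored "Error: Ntp error."

# One-shot sync now.
# NOTE(review): "/sbin/hwclock" with no option only reads the RTC; the cron
# line uses "hwclock -w" to write it back — confirm which was intended here.
if /usr/sbin/ntpdate "${TimeServerMaster}" >/dev/null 2>&1 && /sbin/hwclock >/dev/null 2>&1; then
  echo "Current Date is: $(date +"%Y-%m-%d %H:%M:%S")"
else
  echored "Error: Sync time fail,pls check it."
fi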

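# Iptables
## echo "iptables config..."
# The firewall ruleset is fetched over plain HTTP via the 192.168.6.13 proxy
# with no integrity check, so whoever controls that path controls this host's
# firewall policy. Previously wget wrote straight into /etc/sysconfig/iptables
# and the restart ran unconditionally: a failed or interrupted download left an
# empty/partial file, which was then loaded — i.e. the host came up with no
# rules. The download now goes to a temp file on the same filesystem and is
# only moved into place if it looks like an iptables-save dump (non-empty and
# containing a COMMIT line).
# NOTE(review): sshd is moved to ${SSHPort} in the SSH section below; the fetched
# ruleset must allow that port or the host becomes unreachable after this step.
ipt_tmp=$(mktemp /etc/sysconfig/iptables.XXXXXX)
if [ -n "$ipt_tmp" ] \
   && wget -q -O "$ipt_tmp" http://yum.sky.com/config/iptables -e http-proxy=192.168.6.13 \
   && [ -s "$ipt_tmp" ] && grep -q '^COMMIT' "$ipt_tmp"; then
  mv -f -- "$ipt_tmp" /etc/sysconfig/iptables
  /etc/init.d/iptables restart
else
  echored "Error: iptables ruleset download fail, existing rules left untouched."
  [ -n "$ipt_tmp" ] && rm -f -- "$ipt_tmp"
fi
# Keep the service enabled at boot regardless, so whatever ruleset exists is loaded.
chkconfig iptables on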

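#SSH
## echo "ssh config..."
# Move sshd to ${SSHPort} and disable reverse-DNS lookups at login. The Port
# sed only rewrites the commented default "#Port 22"; an explicit "Port" line
# already present is left alone (the check below will then report a failure).
if [ -f /etc/ssh/sshd_config ]; then
  sed -i "s/#Port 22/Port ${SSHPort}/" /etc/ssh/sshd_config \
    && sed -i 's/^#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config \
    && /etc/init.d/sshd restart >/dev/null 2>&1
fi

# Verify sshd really listens on the new port. The original grouped the netstat
# check with "sleep 1", whose exit status (always 0) replaced the check's, so
# only the nc probe ever counted. nc is not installed by this script, so it is
# used only when present; the netstat check is authoritative.
sleep 1
if ! netstat -lntp 2>/dev/null | grep sshd | grep -q ":${SSHPort}[[:space:]]"; then
  echored "Error: SSH not work."
elif command -v nc >/dev/null 2>&1 && ! nc -z localhost "${SSHPort}" >/dev/null 2>&1; then
  echored "Error: SSH not work."
fi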

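# Load kernel modules now and persist them via /etc/rc.local: ppp_mppe (MPPE
# for PPTP), nf_conntrack_ipv4/ipv6 (connection tracking, needed by the
# net.netfilter.* sysctls below) and bridge. Previously
# "modprobe X && grep ... || echo ..." appended the rc.local line even when the
# modprobe failed, and grep echoed matched lines to stdout; now a module that
# does not load is reported and not persisted.
for mod in ppp_mppe nf_conntrack_ipv4 nf_conntrack_ipv6 bridge; do
  if /sbin/modprobe "$mod"; then
    grep -qF "/sbin/modprobe $mod" /etc/rc.local 2>/dev/null \
      || echo "/sbin/modprobe $mod" >> /etc/rc.local
  else
    echored "Error: modprobe $mod fail, not added to rc.local."
  fi
done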

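# kernel mod options optimize 
## echo "kernel mod config..."
# Append the tuning block once (marker _MODIFIED_SKY_). Keys that were listed
# twice with the same value in the original (tcp_tw_reuse, tcp_tw_recycle,
# tcp_syncookies, netdev_max_backlog) are written once; effective values are
# unchanged.
# NOTE(review): tcp_tw_reuse and tcp_tw_recycle only act when tcp_timestamps=1,
# and this block sets tcp_timestamps=0, so both are effectively inert here;
# with timestamps on, tcp_tw_recycle drops connections from clients behind a
# shared NAT. Disabling timestamps also removes PAWS protection. Confirm intent.
# NOTE(review): nf_conntrack_max=262144000 is ~250x the 1048576 quoted in the
# explanatory notes at the end of this file; it effectively removes the cap on
# conntrack memory under a connection flood — confirm the value.
if ! grep -q "_MODIFIED_SKY_" /etc/sysctl.conf 2>/dev/null; then
  cat >> /etc/sysctl.conf <<'EOF'

#_MODIFIED_SKY_
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_retrans_collapse = 0
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_tw_buckets = 50000
net.ipv4.tcp_timestamps = 0
net.nf_conntrack_max = 262144000
net.netfilter.nf_conntrack_tcp_timeout_established = 300
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.tcp_max_syn_backlog = 262144
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.somaxconn = 262144
fs.file-max = 65535000
EOF
  # nf_conntrack must be loaded before "sysctl -p" or the net.netfilter.* keys
  # do not exist yet. Only stdout is silenced so rejected keys stay visible
  # (the original hid them with 2>&1).
  modprobe nf_conntrack >/dev/null 2>&1 \
    || echored "Error: nf_conntrack not loaded, net.netfilter.* keys will be rejected."
  sysctl -p >/dev/null
fi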

#Disable selinux
## echo "selinux config..."
# Security caveat: this removes SELinux mandatory access control from the host,
# persistently (/etc/selinux/config) and immediately (setenforce 0). Only an
# explicit "SELINUX=enforcing" line is rewritten — a "permissive" setting stays
# as-is — and SELINUXTYPE is forced to targeted for the (now disabled) policy.
sed -i \
  -e 's/^SELINUX=enforcing/SELINUX=disabled/' \
  -e 's/^SELINUXTYPE=.*/SELINUXTYPE=targeted/' \
  /etc/selinux/config
setenforce 0 >/dev/null 2>&1

#Boot option
# Default runlevel 5 -> 3 (no graphical login) in /etc/inittab.
sed -i '/initdefault/s/5/3/g' /etc/inittab || echored "Error: Modify boot option fail."

#Shutdown and stop some services  && start network
## echo "Shutdown and stop some services..."
# Every SysV service enabled in runlevel 3 that is NOT on the allowlist below
# is stopped now and disabled for runlevels 3 and 5. The allowlist is an
# unanchored regex, so any service whose name contains one of these words is kept.
# NOTE(review): auditd and other logging/security daemons, if installed, are not
# on the list and will be stopped and disabled — confirm that is intended.
keep='crond|iptables|network|rsyslog|sshd|snmpd|xinetd|nslcd'
chkconfig --list | awk -v keep="$keep" '/3:on/ && $1 !~ keep { print $1 }' |
  while read -r serv; do
    "/etc/init.d/$serv" stop
    chkconfig --level 35 "$serv" off
  done
# Make sure networking itself stays enabled at boot.
chkconfig network on >/dev/null 2>&1

#Ulimits
## echo "ulimits config..."
# Raise open-file and process limits via pam_limits; "-" sets soft and hard
# together. Per limits.conf(5) the "*" wildcard does not apply to root.
# NOTE(review): files in /etc/security/limits.d/ (CentOS 6 ships 90-nproc.conf
# with a lower nproc for "*") are read after limits.conf and may override this.
for lim in nofile nproc; do
  grep -q -- " - $lim 65535" /etc/security/limits.conf 2>/dev/null \
    || echo "*       - $lim 65535" >> /etc/security/limits.conf
done

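#install admin-tools
# The bare "admin-1.0-1.x86_64.rpm" line that used to sit here was executed as a
# command (and failed with "command not found"); it has been removed.
# Supply-chain caveat: the package is fetched over plain HTTP through the
# 192.168.6.13 proxy with no checksum, and "rpm -ivh" only verifies a signature
# when the signing key was imported beforehand (nothing in this script imports
# one), so the fetch path is trusted with root-level code on this host.
# The download now goes to a private temp dir instead of the current working
# directory (which was never cleaned up) and is removed afterwards.
admin_rpm=admin-1.0-1.x86_64.rpm
admin_tmp=$(mktemp -d)
if [ -z "$admin_tmp" ]; then
  echored "Error: mktemp fail, admin-tools not installed."
else
  if wget -O "$admin_tmp/$admin_rpm" "http://yum.sky.com/centos/6/x86_64/RPMS/$admin_rpm" -e http-proxy=192.168.6.13 \
     && rpm -ivh "$admin_tmp/$admin_rpm"; then
    /etc/init.d/admin restart
  else
    echored "Error: admin-tools install fail, pls check."
  fi
  rm -rf -- "$admin_tmp"
fi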

# Set history
## echo "history command config..."
#if ! grep "HISTTIMEFORMAT" /etc/profile >/dev/null 2>&1;then echo 'export HISTTIMEFORMAT="%F %T `whoami` "' >> /etc/profile;fi
#source /etc/profile

# Kill user login from local
# SIGKILL every process whose controlling terminal is exactly tty1: the console
# getty and any session logged in on it. The getty is presumably respawned by
# init (upstart tty.conf on CentOS 6) — verify; the session gets no chance to
# clean up.
ps ax | awk '$2 == "tty1" { system("kill -9 " $1) }'

###ldap
# LDAP client stack: nss-pam-ldapd (nslcd) for NSS lookups, pam_ldap for PAM
# authentication, openldap-clients for the command-line tools.
yum install openldap-devel nss-pam-ldapd openldap pam_ldap openldap-clients -y

# Record the desired flags in authconfig's state file. This script never runs
# "authconfig --update", so these lines are bookkeeping only; the PAM and NSS
# files are edited directly below. On CentOS 6 system-auth/password-auth are
# normally symlinks to *-ac files that authconfig regenerates, so a later
# authconfig run would discard the lines appended here.
sed -i "/^CACHECREDENTIALS=/d;/^USESHADOW=/d;/^USELDAPAUTH=/d;/^USELDAP=/d;/^USECRACKLIB=/d;/^USELOCAUTHORIZE=/d"  /etc/sysconfig/authconfig

echo "CACHECREDENTIALS=yes

USESHADOW=yes

USELDAPAUTH=yes

USELDAP=yes

USECRACKLIB=yes

USELOCAUTHORIZE=yes" >> /etc/sysconfig/authconfig

# pam_mkhomedir with umask=0022 creates new home directories mode 0755, i.e.
# readable and listable by every other user on the host; umask=0077 would keep
# them private.
grep 'session     optional      pam_mkhomedir.so skel=/etc/skel umask=0022' /etc/pam.d/system-auth || echo 'session     optional      pam_mkhomedir.so skel=/etc/skel umask=0022' >> /etc/pam.d/system-auth

# Append the pam_ldap lines to the END of system-auth (and password-auth below).
# NOTE(review): PAM evaluates a stack in order. On a stock CentOS 6 system-auth
# the auth section already ends with "auth required pam_deny.so", and a
# "sufficient" module placed after a failed "required" one cannot turn the
# result back into success — so unless the existing file differs, LDAP-only
# users would still be denied. Verify the resulting stack order before relying
# on it. use_first_pass reuses the password pam_unix already collected.
grep  'auth        sufficient    pam_ldap.so use_first_pass'  /etc/pam.d/system-auth  || echo 'auth        sufficient    pam_ldap.so use_first_pass

account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

password    sufficient    pam_ldap.so use_authtok

session     optional      pam_ldap.so' >> /etc/pam.d/system-auth

# Same lines for password-auth (used by sshd), plus the mkhomedir session line;
# the same ordering caveat applies.
grep 'auth        sufficient    pam_ldap.so use_first_pass' /etc/pam.d/password-auth || echo 'auth        sufficient    pam_ldap.so use_first_pass

account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

password    sufficient    pam_ldap.so use_authtok

session     optional      pam_ldap.so

session     optional      pam_mkhomedir.so skel=/etc/skel umask=0022' >> /etc/pam.d/password-auth

# pam_ldap client config (overwritten). "ssl no" with an ldap:// URI means every
# PAM bind sends the user's password in cleartext to 192.168.6.13, and
# tls_cacertdir is unused without ssl/start_tls. "pam_password md5" makes the
# client store an unsalted {MD5} hash on password change; "exop" would let the
# server hash it instead.
echo 'base dc=sky,dc=com

uri ldap://192.168.6.13/

ssl no

tls_cacertdir /etc/openldap/cacerts

pam_password md5' >  /etc/pam_ldap.conf 

# nslcd (NSS) config, written only if the URI is not already present. Same
# cleartext ldap:// transport; nslcd runs as nslcd:ldap. No "filter" is set, so
# every LDAP account is visible to NSS; the pam_filter added in the sudo section
# below restricts PAM authentication only.
grep 'uri ldap://192.168.6.13/'  /etc/nslcd.conf ||  echo 'uid nslcd

gid ldap

uri ldap://192.168.6.13/

base dc=sky,dc=com

ssl no

tls_cacertdir /etc/openldap/cacerts' >/etc/nslcd.conf

#sed -i "/^passwd:     files/adow:     files/shadow:     files ldap/g;s/^group:      files/group:      files ldap/g;"  /etc/nsswitch.conf 

# Add "ldap" after "files" for passwd/shadow/group, but only when the line is
# exactly "... files" (anchored with $); an already customised line is left alone.
sed -i "s/^passwd:     files$/passwd:     files ldap/g;s/^shadow:     files$/shadow:     files ldap/g;s/^group:      files$/group:      files ldap/g;" /etc/nsswitch.conf 

# Defaults for the openldap command-line tools (overwritten). TLS_CACERTDIR is
# set but the URI is ldap://, so no TLS is used unless a tool asks for it (-ZZ).
echo 'TLS_CACERTDIR /etc/openldap/cacerts

URI ldap://192.168.6.13

BASE dc=sky,dc=com' > /etc/openldap/ldap.conf 

# Enable nslcd for runlevels 3/5 and (re)start it now.
chkconfig --level 35 nslcd on 

/etc/init.d/nslcd restart

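####sudo config
yum -y install sudo
# sudo's nsswitch source. "sudoers:   ldap" alone means /etc/sudoers is NOT
# consulted at all — if the LDAP server is unreachable nobody can sudo
# ("sudoers: files ldap" would keep the local file as a fallback). The rules are
# fetched over plaintext ldap:// (no TLS), so anyone who can interpose on the
# path to 192.168.6.13 can inject sudo rules: a root-equivalent trust in the
# network path. grep -q keeps the matched line off stdout (the original printed it).
grep -q 'sudoers:   ldap' /etc/nsswitch.conf || echo 'sudoers:   ldap' >> /etc/nsswitch.conf
cat > /etc/sudo-ldap.conf <<'EOF'
uri ldap://192.168.6.13

sudoers_base ou=SUDOers,dc=sky,dc=com
EOF
# Restrict pam_ldap authentication to accounts whose gidNumber is 1000 or 1001.
# The -f guard only gates the grep; a missing file is created by the append.
# This filter applies to pam_ldap only, not to nslcd's NSS lookups (nslcd.conf
# written above has no filter).
if ! { [ -f /etc/pam_ldap.conf ] && grep -q 'pam_filter |(gidNumber=1000)(gidNumber=1001)' /etc/pam_ldap.conf; }; then
  echo 'pam_filter |(gidNumber=1000)(gidNumber=1001)' >> /etc/pam_ldap.conf
fi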

###install rsync
# rsync daemon under xinetd (port 873, plaintext rsync protocol). The "project"
# module overrides the global nobody identity and runs as root with
# "read only = no", so any client that passes "hosts allow" can write as root
# under /data/app/project; "use chroot = yes" confines it to that path, and
# "list = no" hides the module name. There is no "auth users"/"secrets file" —
# access control is the two source IPs only.
# The xinetd sed flips every "disable..." line in /etc/xinetd.d/rsync to
# "disable = no".
if yum -y install rsync xinetd \
   && sed -i "s/disable.*/disable = no/g"  /etc/xinetd.d/rsync; then
  if cat > /etc/rsyncd.conf <<'EOF'
uid     = nobody

gid     = nobody

use chroot      = yes

max connections = 30

pid file=/var/run/rsyncd.pid

log file=/var/log/rsyncd.log

list = no

[ project ]

gid=root

uid=root

path            = /data/app/project

hosts allow     =     192.168.6.253,192.168.6.13

read only       =       no
EOF
  then
    /etc/init.d/xinetd restart
  fi
fi

# Shell command auditing, appended once to /etc/bashrc (keyed on the tee line).
# histappend stops concurrent sessions from clobbering each other's history;
# PROMPT_COMMAND runs "history -a" before every prompt and tees the new lines
# into ~/.bash_history and into syslog via logger, tagged
# "USER[pid] (SSH_CONNECTION) bash". The rsyslog section below forwards *.info,
# which covers logger's default priority (user.notice).
# Caveats: this is a bash-only, user-bypassable trail (another shell,
# "bash --norc" or an unset HISTFILE defeats it); "readonly" also makes any later
# script that assigns PROMPT_COMMAND fail; SSH_CONNECTION is empty for console
# logins, giving "()" in the tag.
# The leading " " line and the \" / \$ escapes are part of the written text —
# do not reformat this string.
grep -q 'tee -a ~/.bash_history' /etc/bashrc || echo " 

shopt -s histappend

readonly PROMPT_COMMAND='history -a >(tee -a ~/.bash_history | logger -t \"\$USER[\$$] (\$SSH_CONNECTION) bash\")'" >> /etc/bashrc

# Remote syslog: forward authpriv.* plus everything at info and above to
# 192.168.6.88 over plain TCP ("@@"). The stream is neither encrypted nor
# authenticated, so the collector path must be trusted. The two
# $SystemLogRateLimit* directives raise imuxsock's rate limit on the local
# /dev/log socket (60 s window, 6000 messages), presumably so the per-command
# logger calls from the PROMPT_COMMAND hook above are not dropped. The block is
# added once, keyed on the collector address.
yum -y install rsyslog
if ! grep '192.168.6.88'  /etc/rsyslog.conf; then
  echo '

$SystemLogRateLimitInterval 60

$SystemLogRateLimitBurst 6000

authpriv.*;*.info                       @@192.168.6.88' >> /etc/rsyslog.conf
fi
/etc/init.d/rsyslog restart

内核参数解释:

net.ipv4.tcp_tw_reuse = 1   选项用于设置开启重用,允许将TIME-WAIT sockets重新用于新的TCP连接。注意：该选项依赖 tcp_timestamps=1，而本脚本将 tcp_timestamps 设为 0，因此它实际上不会生效。

net.ipv4.tcp_tw_recycle = 1   选项用于设置启用timewait快速回收。注意：同样依赖 tcp_timestamps=1（本脚本中不生效）；在时间戳开启时，它会丢弃同一 NAT 出口后面多个客户端的连接，一般不建议开启。

net.ipv4.tcp_syncookies = 1    选项用于设置开启SYN Cookies,当出现SYN等待队列溢出时,启用cookies进行处理。

net.ipv4.tcp_fin_timeout = 30    选项决定了套接字保持在FIN-WAIT-2状态的时间。默认值是60秒。正确设置这个值非常重要,

有时即使一个负载很小的Web服务器,也会出现大量的死套接字而产生内存溢出的风险。

net.ipv4.tcp_keepalive_time = 1200 选项表示当keepalive启用的时候,TCP发送keepalive消息的频度。默认值是2(单位是小时

),这里是1200s(20分钟)。

net.ipv4.tcp_retrans_collapse = 0   这个参数控制tcp双方window协商出现错误的时候的一些重传行为,默认为1。但在老的内

核里,这个参数重传会导致kernel oops,kernel panic,所以,如果出现有tcp retrans字样的kernel panic,就要把这个参数设

置为0.可以提高linux对端连接负载的能力

net.ipv4.ip_local_port_range = 1024    65000  选项用来设定允许系统打开的端口范围

net.ipv4.tcp_max_tw_buckets = 50000   选项用来设定timewait的数量,默认是180 000

net.ipv4.tcp_timestamps = 0  控制是否启用 TCP 时间戳选项（RFC 1323），用于比超时重传更精确地测量 RTT，并提供 PAWS 序列号回绕保护；设为 0 会使上面的 tcp_tw_reuse / tcp_tw_recycle 失效。

net.nf_conntrack_max = 1048576   允许的最大跟踪连接条目,是在内核内存中netfilter可以同时处理的“任务”(连接跟踪条

目),若是32位架构,不宜设置过大。注意：上面的脚本实际写入的是 262144000，与此处的 1048576 不一致；该值大到几乎取消了连接跟踪表的上限（每个条目约占数百字节内核内存），请核对。

net.netfilter.nf_conntrack_tcp_timeout_established = 300  

net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120

net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60

net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120

net.ipv4.tcp_max_syn_backlog = 262144   表示SYN队列的长度,默认为1024,加大队列长度,可以容纳更多等待连接的网络连接数 

net.core.netdev_max_backlog = 262144  每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包

的最大数目

net.ipv4.tcp_rmem = 4096 87380 4194304   tcp接收缓存区

net.ipv4.tcp_wmem = 4096 16384 4194304   tcp发送缓冲区

net.core.wmem_default = 8388608  该文件指定了发送套接字缓冲区大小的缺省值(以字节为单位)

net.core.rmem_default = 8388608  指定了接收套接字缓冲区大小的缺省值(以字节为单位)。

net.core.rmem_max = 16777216   指定了接收套接字缓冲区大小的最大值(以字节为单位)。

net.core.wmem_max = 16777216   指定了发送套接字缓冲区大小的最大值(以字节为单位)。

net.core.netdev_max_backlog = 262144   每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包

的最大数目。

net.core.somaxconn = 32768   指定 listen() 积压队列（已完成握手、等待 accept 的连接）长度的上限，应用传入的 backlog 大于该值时会被截断到该值。注意：脚本中实际设置的是 262144，与此处的 32768 不一致。