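#!/bin/bash
# Date: 2021-09-08
# Description: After a "minimal install" of the OS, run this script to
# initialise the system quickly: base packages, ssh port, SELinux/firewalld,
# root ssh login, login banners, TMOUT, password expiry and history format.
#
# Usage: run as root on CentOS 7; an interactive menu selects each step.
# Every step edits files under /etc and restarts services, so the script
# stops early when /etc/system-release does not report major version 7.

# /etc/init.d/functions supplies action() ("msg [  OK  ]" / "[FAILED]").
# Provide a minimal stand-in when the file is missing so that every status
# line does not degrade into "action: command not found".
if ! source /etc/init.d/functions 2>/dev/null; then
  action() {
    local msg=$1
    shift
    if "$@"; then
      printf '%s [  OK  ]\n' "$msg"
    else
      printf '%s [FAILED]\n' "$msg"
      return 1
    fi
  }
fi

##### colours: literal escape sequences, expanded by `echo -e` / `printf %b`
readonly RED="\033[1;31m"
readonly GREEN="\033[1;32m"
readonly YELLOW="\033[1;33m"
readonly BLUE="\033[1;34m"
readonly PURPLE="\033[1;35m"
readonly COLOR_END="\033[0m"

#######################################
# Run a command silently and report its result through action().
# Arguments: $1 - status message; $2.. - command and its arguments
# Returns:   0 when the command succeeded, 1 otherwise
#######################################
run_step() {
  local msg=$1
  shift
  if "$@" &>/dev/null; then
    action "$msg" /bin/true
  else
    action "$msg" /bin/false
    return 1
  fi
}

#######################################
# Restart sshd only after the edited configuration passes `sshd -t`; a bad
# sshd_config would otherwise leave sshd down and block every new login.
# Arguments: $1 - status message
# Returns:   0 on success, 1 when the config is invalid or the restart fails
#######################################
restart_sshd() {
  local msg=$1
  if /usr/sbin/sshd -t &>/dev/null && systemctl restart sshd &>/dev/null; then
    action "$msg" /bin/true
  else
    action "$msg" /bin/false
    return 1
  fi
}

#######################################
# Print one numbered entry of the script description.
# Arguments: $1 - number label ("1)"); $2 - summary; $3 - function hint
# Outputs:   three lines on stdout, in yellow
#######################################
describe_item() {
  # %b expands the escape sequences stored in the colour variables, which is
  # what interpolating them into the format string did before (SC2059).
  printf '%b%-2s %s\n %s\n %b\n' "$YELLOW" "$1" "$2" "$3" "$COLOR_END"
}

#######################################
# Print the menu description shown once at start-up.
# Globals:   YELLOW, COLOR_END (read)
#######################################
print_description() {
  local rule="${YELLOW}--------------------------------------------------------------------${COLOR_END}"
  echo -e "$rule"
  echo -e "${YELLOW} Script description${COLOR_END}"
  describe_item "1)" "Install the basic softwall and environment." " Use function: install-softwall"
  describe_item "2)" "Modify the ssh default port." " Use function: modify-ssh-port"
  describe_item "3)" "Disabled selinux and firewalld." " Use function: disalbe-selinux-firewalld"
  describe_item "4)" "Disabled \"root\" account ssh login." " Use function: modify-ssh-root"
  describe_item "5)" "Modify the login banner information." " Use function: modify-banner"
  describe_item "6)" "Configure TMOUT is 600 seconds." " Use function: modify-timeout"
  describe_item "7)" "Modify user password expiration time." " Use function: modify_passwd_expire"
  describe_item "8)" "Modify user operation record format." " Use function: modify_history_format"
  echo -e "$rule"
}

#######################################
# Install the base tool set, fonts and X11 client packages via yum.
# Asks for confirmation first because the yum repos must already be set up.
# Globals:   RED, YELLOW, GREEN, PURPLE, COLOR_END (read)
#######################################
install_software() {
  local ack
  local base_pkgs=(vim-enhanced wget lrzsz tree bash-completion net-tools lsof
    man-pages ntpdate unzip nfs-utils gcc glibc-devel pcre pcre-devel
    openssl-devel systemd-devel zlib-devel iptables-services yum-utils)
  # Package globs are quoted so that yum, not the shell, expands them.
  local x11_pkgs=(xorg-x11-xauth 'xorg-x11-fonts-*' xorg-x11-font-utils
    xorg-x11-fonts-Type1 firefox mesa-libGLES-devel.x86_64 mesa-dri-drivers
    'mesa-libGLU*.i686' 'mesa-libGLU*.x86_64' dbus-x11)
  echo
  echo -e "${RED}If configured \"yum repos\", Please inut \"yes\" to start, Otherwise, input \"no\" and return to the main menu:${COLOR_END}\n"
  read -r -p $'\033[1;35mPlease inut "yes|no":\033[0m' ack
  echo
  case "$ack" in
    [yY][eE][sS])
      echo -e "${YELLOW}Beginning install base softwall....${COLOR_END}"
      yum install -y "${base_pkgs[@]}" &>/dev/null
      # iptables-services is required by modify_ssh_port: without it the
      # iptables rules cannot be saved and ssh login is lost after a reboot.
      if rpm -q iptables-services &>/dev/null; then
        action "softwall install " /bin/true
      else
        action "software install " /bin/false
      fi
      echo -e "${YELLOW}Beginning install fonts....${COLOR_END}"
      run_step "fonts install " yum groupinstall -y fonts
      echo -e "${YELLOW}Beginning install X Protocol(X11)....${COLOR_END}"
      run_step "X11 install " yum install -y "${x11_pkgs[@]}"
      echo
      echo -e "${GREEN}Finished install....${COLOR_END}\n"
      ;;
    [Nn][Oo])
      echo -e "${PURPLE}Please configured the \"yum repos\" before run this shell${COLOR_END}\n"
      echo -e "${PURPLE}You can see this essay: \"https://www.cnblogs.com/mmio/p/15160936.html\" ${COLOR_END}\n"
      ;;
    *)
      echo -e "${RED}Input error. Please input:'yes|no' ${COLOR_END}\n"
      ;;
  esac
}

#######################################
# Overwrite a banner file with the standard warning text.
# Arguments: $1 - target file (/etc/issue or /etc/issue.net)
#######################################
write_banner() {
  local target=$1
  local lines=(
    ''
    '###############################################################################'
    '# WARNING #'
    '# This is a private server #'
    '# All connections will be monitored #'
    '# All operations will be recorded #'
    '# Disconnect IMMEDIATELY if you are not an authorized user #'
    '# If you login in illegally, we will hold you legally responsible #'
    '###############################################################################'
    ''
  )
  printf '%s\n' "${lines[@]}" >"$target"
}

#######################################
# Write /etc/issue.net, point sshd's Banner at it and disable UseDNS.
# Globals:   GREEN, COLOR_END (read)
#######################################
modify_issue_net() {
  write_banner /etc/issue.net
  # Both sshd_config edits happen before the single restart so that UseDNS
  # takes effect now rather than on the next restart.
  run_step "open ssh banner" sed -i '/^#\?Banner[[:space:]]/c\Banner /etc/issue.net' /etc/ssh/sshd_config
  run_step "disable \"UseDNS\" " sed -i '/^#\?UseDNS[[:space:]]/c\UseDNS no' /etc/ssh/sshd_config
  restart_sshd "restart sshd"
  echo -e "${GREEN}Modify /etc/issue.net file sucess. Please login again ${COLOR_END}\n"
}

#######################################
# Write the console login banner /etc/issue.
# Globals:   GREEN, COLOR_END (read)
#######################################
modify_issue() {
  write_banner /etc/issue
  echo -e "${GREEN}Modify /etc/issue file sucess. Please login again ${COLOR_END}\n"
}

#######################################
# Let sshd bind a non-standard port under SELinux.
# Prefers labelling the port (SELinux stays enforcing); falls back to
# permissive mode, which is what the menu did before, when semanage is absent.
# Arguments: $1 - tcp port
#######################################
allow_ssh_port_selinux() {
  local port=$1
  if command -v semanage &>/dev/null; then
    semanage port -a -t ssh_port_t -p tcp "$port" &>/dev/null \
      || semanage port -m -t ssh_port_t -p tcp "$port" &>/dev/null
  else
    setenforce 0 &>/dev/null
  fi
}

#######################################
# Move sshd to a new port and open it in iptables (firewalld is replaced by
# iptables-services so the rule survives a reboot).
# Globals:   RED, GREEN, COLOR_END (read)
# Returns:   1 when iptables-services is missing or the port is invalid
#######################################
modify_ssh_port() {
  local ssh_port
  echo -e "${RED}Warning:Package \"iptables-services\" must be installed. Otherwise you can't save the iptables rules and can't login use ssh!!! ${COLOR_END}\n"
  if ! rpm -q iptables-services &>/dev/null; then
    echo -e "${RED}Modify ssh port fail: Package \"iptables-services\" not install:\n Please input the number \"1\" to install, or exit script and run command: \"yum install -y iptables-services\" ${COLOR_END}\n"
    return 1
  fi
  read -r -p $'\033[1;33mPlease input a new port(eg:15225): \033[0m' ssh_port
  # Only a plain port number may reach sed and iptables below; the 10# base
  # stops a leading zero from being read as octal.
  if ! [[ "$ssh_port" =~ ^[0-9]{1,5}$ ]] || (( 10#$ssh_port < 1 || 10#$ssh_port > 65535 )); then
    echo -e "${RED}Modify ssh port fail: \"${ssh_port}\" is not a valid port (1-65535) ${COLOR_END}\n"
    return 1
  fi
  ssh_port=$((10#$ssh_port))
  allow_ssh_port_selinux "$ssh_port"
  # Open the new port before sshd moves to it so there is no window in which
  # the port is blocked; the rule is saved once iptables-services is enabled.
  iptables -I INPUT -p tcp --dport "$ssh_port" -j ACCEPT
  sed -i "/^#\?Port[[:space:]]/c\Port ${ssh_port}" /etc/ssh/sshd_config
  restart_sshd "sshd restart"
  if ss -nlt | grep -qE ":${ssh_port}[[:space:]]"; then
    action "Modify ssh port" /bin/true
  else
    action "Modify ssh port" /bin/false
  fi
  service iptables save &>/dev/null
  run_step "mask firewalld" systemctl mask firewalld
  if ! run_step "stop firewalld" systemctl stop firewalld; then
    echo -e "${RED}Stop firewalld fail, Please run this command: systemctl disable firewalld --now ${COLOR_END}"
  fi
  run_step "enable iptables" systemctl enable iptables --now
  run_step "restart iptables" systemctl restart iptables
  # `iptables -C` checks for the exact rule instead of grepping the number
  # out of `iptables -nvL`, where it could match an unrelated counter.
  run_step "add ${ssh_port} to iptables" iptables -C INPUT -p tcp --dport "$ssh_port" -j ACCEPT
  echo
  echo -e "${GREEN}Please record the new ssh port: ${ssh_port} ${COLOR_END}\n"
  echo -e "${GREEN}Now the \"ssh port ${ssh_port}\" iptables rule allow all host login, Please modify according to yourself. ${COLOR_END}"
}

#######################################
# Set SELINUX=disabled for the next boot and switch to permissive now.
# Globals:   GREEN, COLOR_END (read)
#######################################
disable_selinux() {
  echo
  run_step "disable selinux" sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config
  run_step "setenforce 0" setenforce 0
  echo -e "${GREEN}Disable selinux temporary, If you need permanent effective, please restart system ${COLOR_END}"
}

#######################################
# Mask and stop firewalld (iptables-services takes its place).
# Globals:   RED, GREEN, COLOR_END (read)
#######################################
disable_firewalld() {
  echo
  run_step "mask firewalld" systemctl mask firewalld
  if ! run_step "stop firewalld" systemctl stop firewalld; then
    echo -e "${RED}Stop firewalld fail, Please run this command: systemctl disable firewalld --now ${COLOR_END}\n"
  fi
  echo -e "${GREEN}Disable firewalld sucess, if you want to use \"firewalld\", please run command: \"systemctl unmask firewalld; systemctl disable iptables --now; systemctl enable firewalld --now\" ${COLOR_END}\n"
}

#######################################
# Create a new login user, then set PermitRootLogin no.
# The user must exist with a working password before root login is cut off,
# so each step is checked on its own (the old `$?` test checked an `echo`).
# Globals:   RED, GREEN, BLUE, COLOR_END (read)
# Returns:   1 when the user could not be created or its password not set
#######################################
disable_ssh_root() {
  local ssh_user ssh_passwd addr port
  echo -e "${RED}Warning:Befor disable the user \"root\" login by ssh, you must create a new user! ${COLOR_END}\n"
  read -r -p $'\033[1;34mPlease input a new username,then press "Enter":\033[0m' ssh_user
  echo
  if ! [[ "$ssh_user" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || ! useradd -m "$ssh_user" &>/dev/null; then
    action "Create new user: ${ssh_user}" /bin/false
    echo -e "${RED}Create user failed. Please run this command to create a new user and set password: \"useradd NEWUSER; echo 'PASSWORD' |passwd --stdin NEWUSER\" ${COLOR_END}\n"
    return 1
  fi
  # -s keeps the password off the terminal and out of scrollback.
  read -r -s -p $'\033[1;34mPlease input a password,then press "Enter": \033[0m' ssh_passwd
  echo
  if ! printf '%s\n' "$ssh_passwd" | passwd --stdin "$ssh_user" &>/dev/null; then
    action "Create new user: ${ssh_user}" /bin/false
    echo -e "${RED}Create user failed. Please run this command to create a new user and set password: \"useradd NEWUSER; echo 'PASSWORD' |passwd --stdin NEWUSER\" ${COLOR_END}\n"
    return 1
  fi
  action "Create new user: ${ssh_user}" /bin/true
  echo -e "${GREEN}Please record the new ssh user:\n username: ${ssh_user}\n password: (as entered, not shown) ${COLOR_END}\n"
  # Show the host's own address and the configured sshd port in the hint,
  # since the port may already have been changed by modify_ssh_port.
  addr=$(hostname -I 2>/dev/null | awk '{print $1}')
  port=$(awk '/^Port[[:space:]]/{print $2}' /etc/ssh/sshd_config 2>/dev/null)
  echo -e "${RED}Warning: Please run this command to check the new user login sucess: \"ssh ${ssh_user}@${addr:-<server-ip>} -p ${port:-22}\" ${COLOR_END}\n"
  echo -e "${BLUE}Waiting 3s...Now begin modify ssh to disable the user \"root\" login ${COLOR_END}\n"
  sleep 3
  # Matches the commented default as well as any explicit setting.
  sed -i '/^#\?PermitRootLogin[[:space:]]/c\PermitRootLogin no' /etc/ssh/sshd_config
  if ! restart_sshd "restart ssh"; then
    echo -e "${RED}Restart sshd failed, Please check the file: /etc/ssh/sshd_config ${COLOR_END}"
  fi
  echo
  echo -e "${GREEN}Disable \"root\" login sucess ${COLOR_END}\n"
}

#######################################
# Set TMOUT=600 in /etc/profile (idle shell timeout for login shells).
# Only a line that starts with TMOUT= is replaced, so a `readonly TMOUT`
# or `export TMOUT` line is left intact.
#######################################
modify_tmout() {
  if grep -q '^TMOUT=' /etc/profile; then
    run_step "Modify TMOUT=600" sed -i '/^TMOUT=/c\TMOUT=600' /etc/profile
  elif printf 'TMOUT=600\n' >>/etc/profile; then
    action "Set TMOUT=600" /bin/true
  else
    action "Set TMOUT=600" /bin/false
  fi
  echo
}

#######################################
# Set PASS_MAX_DAYS 90 in /etc/login.defs.
# NOTE: this only affects accounts created afterwards; existing accounts
# need `chage -M 90 USER`.
#######################################
modify_passwd_expire() {
  local maxday
  maxday=$(awk '/^PASS_MAX_DAYS/{print $2}' /etc/login.defs 2>/dev/null)
  if [[ "$maxday" =~ ^[0-9]+$ ]] && (( maxday == 90 )); then
    action "Modify password expiration time" /bin/true
  elif [[ -n "$maxday" ]]; then
    run_step "Modify password expiration time" sed -i '/^PASS_MAX_DAYS/c\PASS_MAX_DAYS 90' /etc/login.defs
  elif printf 'PASS_MAX_DAYS 90\n' >>/etc/login.defs; then
    # No PASS_MAX_DAYS line at all: append one instead of silently doing nothing.
    action "Modify password expiration time" /bin/true
  else
    action "Modify password expiration time" /bin/false
  fi
}

#######################################
# Add a timestamped, user-tagged HISTTIMEFORMAT to /etc/profile.
# Skips the append when a HISTTIMEFORMAT line is already present so repeated
# runs do not keep growing /etc/profile.
#######################################
modify_history_format() {
  # Single quotes keep the backticks literal; they are evaluated at login.
  local line='export HISTTIMEFORMAT="%F %T `whoami` " '
  if grep -qF 'HISTTIMEFORMAT=' /etc/profile; then
    action "Modify history record file format" /bin/true
  elif printf '%s\n' "$line" >>/etc/profile; then
    action "Modify history record file format" /bin/true
  else
    action "Modify history record file format" /bin/false
  fi
  echo
}

#######################################
# Run every step 1-8 in sequence.
# Globals:   YELLOW, COLOR_END (read)
#######################################
all() {
  echo
  echo -e "${YELLOW}Beginning execute all \"1-8\"....${COLOR_END}"
  install_software
  modify_ssh_port
  disable_selinux
  disable_firewalld
  disable_ssh_root
  modify_issue
  modify_issue_net
  modify_tmout
  modify_passwd_expire
  modify_history_format
}

#######################################
# Interactive menu loop; returns when the user picks "quit".
# Globals:   PS3 (written); PURPLE, YELLOW, COLOR_END (read)
#######################################
main_menu() {
  # shellcheck disable=SC2034  # select needs a target; REPLY drives the case
  local menu
  local items=(install-softwall modify-ssh-port disalbe-selinux-firewalld
    disable-ssh-root modify-banner modify-timeout modify-password-expire
    modify-history-format all quit)
  PS3=$(printf '%b' "${YELLOW}Please input the number[1-10]: ${COLOR_END}")
  select menu in "${items[@]}"; do
    case "$REPLY" in
      1)
        echo
        echo -e "${PURPLE}---Install software--- ${COLOR_END}"
        install_software
        ;;
      2)
        echo
        echo -e "${PURPLE}---Modify ssh port--- ${COLOR_END}"
        modify_ssh_port
        ;;
      3)
        echo
        echo -e "${PURPLE}---Disable selinux and firewalld--- ${COLOR_END}"
        disable_selinux
        disable_firewalld
        ;;
      4)
        echo
        disable_ssh_root
        ;;
      5)
        echo
        echo -e "${PURPLE}---Modify before login banner information--- ${COLOR_END}"
        modify_issue
        modify_issue_net
        ;;
      6)
        echo
        echo -e "${PURPLE}---Configure TMOUT--- ${COLOR_END}"
        modify_tmout
        ;;
      7)
        echo
        echo -e "${PURPLE}---Modify new user's password expiration time---${COLOR_END}"
        modify_passwd_expire
        ;;
      8)
        echo
        echo -e "${PURPLE}---Modify history for user operation record format---${COLOR_END}"
        modify_history_format
        ;;
      9)
        echo
        echo -e "${PURPLE}---Execute all \"1-8\"---${COLOR_END}"
        all
        ;;
      10)
        echo -e "${PURPLE} Bye Bye ${COLOR_END}"
        break
        ;;
      *)
        echo -e "${PURPLE}Input error. Please input the number: \"1-10\" ${COLOR_END}"
        ;;
    esac
  done
}

##### main
# Every step edits /etc and restarts services; fail early instead of
# producing a trail of partial "[FAILED]" lines.
if (( EUID != 0 )); then
  printf '%s\n' "This script must be run as root." >&2
  exit 1
fi

# Fourth field of e.g. "CentOS Linux release 7.9.2009 (Core)" when split on
# space, '|' or '.', i.e. the major version.
OS_Release=$(awk -F'[ |.]' '{print $4}' /etc/system-release 2>/dev/null)
if [[ "$OS_Release" =~ ^[0-9]+$ ]] && (( OS_Release == 7 )); then
  echo
  echo -e "${PURPLE}Warning: The script only supports \"Centos 7 series\", System version match!! ${COLOR_END}"
  for ((i = 1; i <= 2; i++)); do
    printf 'System checking ...\n'
    sleep 1
  done
  action "System version match" /bin/true
  print_description
  main_menu
else
  echo
  echo -e "${PURPLE}Warning: The script only supports \"Centos 7 series\", System version not match!! ${COLOR_END}"
fi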