ecs初始化2
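#!/bin/bash
###########################################
# Author      : jiaorongtao
# Why         : ECS initialisation - one script for the usual hardening steps
# Version     : 1.0
# Create_Time : 2021.9.29
# Description : 1. create a normal user  2. create a user that can su to root
#               without a password  3. change the SSH port  4. move the docker
#               data directory  5. per-user command logging  6. SSH user
#               whitelist  7. configure package mirrors and dependencies
#               (steps 3 and 4 are listed here but no function below
#               implements them; port=22 / dockerpath=/data/.docker_data/
#               from the original header are therefore unused)
###########################################
# Values involved (all are read interactively, nothing needs editing here):
#   user1/pass1 - normal user; its key pair is created in /data/home/$user1/.ssh,
#                 hand id_rsa to the client to log in with the key
#   user2/pass2 - user allowed to su to root without a password (group wheel)
#   user3       - space separated SSH whitelist written as AllowUsers
#
# Every step runs as root and edits files under /etc; each one is written so
# that running it twice does not duplicate lines or re-create accounts.

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# All steps manage accounts or edit /etc; fail early rather than half-way
# through with a partially changed system.
require_root() {
  [[ $EUID -eq 0 ]] || die "请使用root执行此脚本"
}

# True when /etc/os-release contains the given literal string; the script
# keys on CentOS-7 / CentOS-8 / CentOS / ubuntu exactly as the original did.
os_is() {
  grep -qF -- "$1" /etc/os-release 2>/dev/null
}

# Keep a one-time pristine copy of a config file; an existing backup is never
# overwritten, so re-runs cannot clobber it with an already edited file.
backup_once() {
  [[ -e "$1.bak" ]] || cp -a -- "$1" "$1.bak"
}

# Append a line to a file only when that exact line is not already present.
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Environment check: report the detected distribution or exit non-zero.
check_env() {
  if os_is CentOS-7; then
    printf '\e[35;40mGood,Your env is CentOS-7 \e[0m\n'
  elif os_is CentOS-8; then
    printf '\e[35;40mGood,Your env is CentOS-8 \e[0m\n'
  elif os_is ubuntu; then
    printf '\e[35;40mGood,Your env is ubuntu \e[0m\n'
  else
    printf '\e[35;40m环境检查失败,请将脚本放在正确环境,重新执行 \e[0m\n' >&2
    exit 1
  fi
}

# Point yum/apt at the Huawei Cloud mirror for the detected distro/arch.
# The repo file is backed up once and restored if the download fails, so a
# network error never leaves an empty repo file behind (wget -O truncates
# the target before it has fetched anything).
pre_installall_centos7_source_yum() {
  local repo=/etc/yum.repos.d/CentOS-Base.repo
  local apt=/etc/apt/sources.list
  local url
  if os_is CentOS-7; then
    echo "Good,Your env is CentOS-7"
    if uname -m | grep -q x86; then
      echo "Good,Your env is CentOS-7的x86环境."
      url=https://repo.huaweicloud.com/repository/conf/CentOS-7-reg.repo
    else
      echo "Good,Your env is CentOS-7的aarch64环境."
      url=https://repo.huaweicloud.com/repository/conf/CentOS-AltArch-7.repo
    fi
    backup_once "$repo"
    wget -O "$repo" "$url" || {
      cp -a -- "$repo.bak" "$repo"
      die "下载yum源失败,已恢复原文件"
    }
    yum clean all
    yum makecache
  elif os_is CentOS-8; then
    echo "Good,Your env is CentOS-8,不需换源"
  elif os_is ubuntu; then
    echo "Good,Your env is ubuntu"
    backup_once "$apt"
    if uname -m | grep -q x86; then
      echo "Good,Your env is ubuntu的x86环境."
      sed -i "s@http://.*archive.ubuntu.com@http://repo.huaweicloud.com@g" "$apt"
      sed -i "s@http://.*security.ubuntu.com@http://repo.huaweicloud.com@g" "$apt"
    else
      echo "Good,Your env is ubuntu的aarch64环境."
      # TLS verification stays on: this file decides where every later
      # package comes from, so it must not be fetched from an unverified
      # host.  If the download fails on certificate errors, refresh the
      # ca-certificates package first instead of disabling the check.
      wget -O "$apt" https://repo.huaweicloud.com/repository/conf/Ubuntu-Ports-bionic.list || {
        cp -a -- "$apt.bak" "$apt"
        die "下载apt源失败,已恢复原文件"
      }
    fi
    apt-get update
  else
    echo '环境检查失败,请将脚本放在正确环境,重新执行' >&2
    exit 1
  fi
}

# Mount every unmounted vd* device other than the system disk vda under
# /data, /data1, /data2 ... and persist the mount in /etc/fstab.
# Nothing is ever formatted here; the devices are expected to already carry
# an ext4 filesystem, and a device that fails to mount is not written to
# fstab (a bad fstab entry can drop the next boot into emergency mode).
disk_mount() {
  local idx=0 dev target
  # lsblk -r prints plain "NAME MOUNTPOINT" records without the tree-drawing
  # characters of the default view, which the old `lsblk | awk '{print $1}'`
  # pipeline handed to mount as part of the device name.  NF < 2 means the
  # device has no mountpoint.
  while IFS= read -r dev; do
    if (( idx == 0 )); then
      target=/data
    else
      target="/data$idx"
    fi
    idx=$((idx + 1))
    if mountpoint -q -- "$target" 2>/dev/null; then
      printf '%s 已挂载,跳过 /dev/%s\n' "$target" "$dev"
      continue
    fi
    mkdir -p -- "$target"
    # NOTE(review): /dev/vdX names can change order across reboots; a
    # UUID= entry would be more stable, kept as /dev/ to match the original.
    if mount "/dev/$dev" "$target"; then
      append_once "/dev/$dev $target ext4 defaults 0 0" /etc/fstab
    else
      printf '挂载 /dev/%s 到 %s 失败,未写入fstab\n' "$dev" "$target" >&2
    fi
  done < <(lsblk -rno NAME,MOUNTPOINT | awk '$1 ~ /^vd/ && $1 !~ /vda/ && NF < 2 {print $1}')
  df -TH
}

# Prompt for a new account name and print it on stdout.  Names useradd would
# reject and names that already exist are refused before anything is created.
# The prompt itself goes to stderr, so $(prompt_new_username) still shows it.
prompt_new_username() {
  local name
  local re='^[a-z_][a-z0-9_-]*$'
  read -r -p "请输入要创建的账号名:" name
  [[ "$name" =~ $re ]] || die "账号名不合法: $name"
  id "$name" >/dev/null 2>&1 && die "账号已存在: $name"
  printf '%s' "$name"
}

# Create NAME with its home under /data/home, set PASS as its password and
# install a passphrase-less RSA key pair whose public half becomes the
# account's authorized_keys (id_rsa is then handed to the client).
# Arguments: $1 - validated user name, $2 - password
create_login_user() {
  local name=$1 pass=$2
  local home="/data/home/$name"
  # Decide on the password tool before creating the account, so an
  # unsupported distro does not leave a half-made user behind.
  if ! os_is CentOS && ! os_is ubuntu; then
    echo "环境不支持" >&2
    exit 1
  fi
  mkdir -p /data/home
  useradd -d "$home" -m "$name" || die "useradd $name 失败"
  # The password travels through a pipe, never argv, so it does not appear
  # in ps or in shell tracing of the command line.
  if os_is CentOS; then
    printf '%s\n' "$pass" | passwd --stdin "$name"
  else
    printf '%s:%s\n' "$name" "$pass" | chpasswd
  fi
  # Generate the key pair as the user so ownership is right from the start;
  # -N '' is deliberate (the private key is copied to the client as the
  # login credential), -b 4096 replaces the tool's older default length.
  install -d -m 700 -o "$name" -g "$(id -gn "$name")" -- "$home/.ssh"
  su "$name" -c "ssh-keygen -t rsa -b 4096 -N '' -f $home/.ssh/id_rsa -q" || die "生成密钥对失败"
  cp -- "$home/.ssh/id_rsa.pub" "$home/.ssh/authorized_keys"
  chown -R "$name:" -- "$home/.ssh"
  # sshd refuses keys whose home/.ssh are group- or world-writable.
  chmod 755 -- "$home"
  chmod 700 -- "$home/.ssh"
  chmod 600 -- "$home"/.ssh/*
}

# Create a normal user with key login and docker access.
create_account() {
  local user1 pass1
  user1=$(prompt_new_username) || exit 1
  read -r -s -p "请输入要创建的账号名的密码:" pass1
  echo
  [[ -n "$pass1" ]] || die "密码不能为空"
  create_login_user "$user1" "$pass1"
  unset pass1
  # Membership of the docker group is equivalent to root on the host (the
  # daemon runs as root); granted here because the original did.  Adding a
  # group member needs no daemon restart, so the old `service docker
  # restart` (which stops running containers) is not repeated.
  if getent group docker >/dev/null; then
    gpasswd -a "$user1" docker
  else
    echo "未找到docker组,跳过docker权限配置" >&2
  fi
}

# Install a per-login command log: every user's history is written under
# /tmp/dishdp/$LOGNAME when the session ends.  The snippet is appended to
# /etc/profile only once, keyed on the directory name it creates.
do_logs() {
  if grep -q '/tmp/dishdp' /etc/profile; then
    echo "操作日志配置已存在,跳过"
    return 0
  fi
  # 1777 (sticky) instead of 777: other users can still create their own
  # subdirectory but can no longer rename or delete someone else's log dir.
  cat >> /etc/profile << \EOF
PS1="`whoami`@`hostname`:"'[$PWD]'
history
USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
USER_IP=`hostname`
fi
if [ ! -d /tmp/dishdp ]
then
mkdir /tmp/dishdp
chmod 1777 /tmp/dishdp
fi
if [ ! -d /tmp/dishdp/${LOGNAME} ]
then
mkdir /tmp/dishdp/${LOGNAME}
chmod 300 /tmp/dishdp/${LOGNAME}
fi
export HISTSIZE=4096
DT=`date "+%Y-%m-%d_%H:%M:%S"`
export HISTFILE="/tmp/dishdp/${LOGNAME}/${USER_IP} dishdp.$DT"
chmod 600 /tmp/dishdp/${LOGNAME}/*dishdp* 2>/dev/null
EOF
  # shellcheck disable=SC1091
  source /etc/profile
}

# Create a user that may su to root without a password (menu item 6 must
# have been run once so that the wheel group and pam_wheel rules exist).
create_nopasswd_user() {
  local user2 pass2
  getent group wheel >/dev/null || die "wheel组不存在,请先执行6"
  user2=$(prompt_new_username) || exit 1
  read -r -s -p "请输入要创建的账号名的密码:" pass2
  echo
  [[ -n "$pass2" ]] || die "密码不能为空"
  create_login_user "$user2" "$pass2"
  unset pass2
  # Supplementary (-aG) rather than primary (-g) group: pam_wheel and the
  # %wheel sudoers rule both honour supplementary membership, and files the
  # user creates keep their private group instead of becoming group wheel.
  usermod -aG wheel "$user2"
}

# Restrict SSH logins to a whitelist via AllowUsers.  The edit is made on a
# temporary copy and validated with `sshd -t` before it replaces the live
# file: a broken sshd_config makes the restart fail and locks out every new
# SSH session.  The account you are currently logged in with must be on the
# list, or this step cuts off your own access.
create_user_whitelist() {
  local user3 tmp
  read -r -p "请输入要放入白名单的账号,多个以空格分开(如;zhangsan lisi):" user3
  [[ -n "${user3// /}" ]] || die "白名单不能为空"
  tmp=$(mktemp) || die "mktemp failed"
  cp -a /etc/ssh/sshd_config "$tmp"
  append_once "AllowUsers $user3" "$tmp"
  if sshd -t -f "$tmp"; then
    backup_once /etc/ssh/sshd_config
    cat -- "$tmp" > /etc/ssh/sshd_config
    rm -f -- "$tmp"
  else
    rm -f -- "$tmp"
    die "sshd_config 校验失败,未修改"
  fi
  # 查询结果
  grep -i allowusers /etc/ssh/sshd_config
  systemctl restart sshd
}

# Add the wheel NOPASSWD rule through a visudo-validated temporary copy.  A
# syntax error in /etc/sudoers disables sudo for everyone, so never append
# to it blind.  Passwordless root for wheel is the original's design choice.
grant_wheel_sudo() {
  local rule='%wheel ALL=(ALL) NOPASSWD: ALL' tmp
  grep -qxF -- "$rule" /etc/sudoers && return 0
  tmp=$(mktemp) || die "mktemp failed"
  cp -- /etc/sudoers "$tmp"
  printf '%s\n' "$rule" >> "$tmp"
  if visudo -cf "$tmp" >/dev/null; then
    cat -- "$tmp" > /etc/sudoers
    rm -f -- "$tmp"
  else
    rm -f -- "$tmp"
    die "sudoers 校验失败,未修改"
  fi
}

# Let members of wheel su to root without a password (pam_wheel trust) and
# restrict su to wheel.  Run once per system; pairs with menu item 2.
# The pam_wheel lines are only inserted when no active trust rule exists,
# so repeated runs do not stack duplicate auth entries.
nopasswd_root() {
  local anchor
  local active='^auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so[[:space:]]+trust'
  if os_is CentOS; then
    if ! grep -qE "$active" /etc/pam.d/su; then
      anchor=$(grep -n '#%PAM-1.0' /etc/pam.d/su | head -n 1 | cut -d: -f1)
      [[ -n "$anchor" ]] || die "/etc/pam.d/su 中未找到 #%PAM-1.0"
      # Same offsets as before: +3 lands after the "trust" hint comment,
      # +5 (after the first insert shifted the file) after the "require" one.
      sed -i "$((anchor + 3))i auth sufficient pam_wheel.so trust use_uid" /etc/pam.d/su
      sed -i "$((anchor + 5))i auth required pam_wheel.so use_uid" /etc/pam.d/su
    fi
  elif os_is ubuntu; then
    groupadd -f wheel
    if ! grep -qE "$active" /etc/pam.d/su; then
      # Whitespace-tolerant: the stock file pads the commented line with
      # several spaces between the fields.
      anchor=$(grep -nE '^# *auth +required +pam_wheel\.so' /etc/pam.d/su | head -n 1 | cut -d: -f1)
      [[ -n "$anchor" ]] || die "/etc/pam.d/su 中未找到 pam_wheel 注释行"
      sed -i "$((anchor + 1))i auth required pam_wheel.so use_uid" /etc/pam.d/su
      sed -i "$((anchor + 5))i auth sufficient pam_wheel.so trust use_uid" /etc/pam.d/su
    fi
  else
    echo "环境不支持" >&2
    return 1
  fi
  # 只允许wheel组使用su (kept for parity with the original; on PAM-based su
  # the pam_wheel lines above are what actually enforce it)
  append_once "SU_WHEEL_ONLY yes" /etc/login.defs
  grant_wheel_sudo
  # Supplementary membership; the old `usermod -g wheel root` changed root's
  # primary group, so every file root created afterwards was group wheel.
  usermod -aG wheel root
}

##############################主函数####################################
main() {
  local choice
  require_root
  while :; do
    echo "############################_menu_############################"
    echo "0.检查环境"
    echo "1.配置yum源或apt源"
    echo "2.创建可免密切换root用户,首次需要先执行6"
    echo "3.创建普通用户"
    echo "4.重装系统后磁盘挂载"
    echo "5.创建user白名单"
    echo "6.免密从普通用户切换root,一个操作系统执行一次即可,搭配2使用"
    echo "7.操作日志"
    echo "8.输入错误或输入8就退出程序"
    echo "##############################################################"
    read -r -p "请选择您需要执行的步骤:(0|1|2|3|4|5|6|7|8):" choice
    case "$choice" in
      0) check_env ;;
      1) check_env; sleep 2; pre_installall_centos7_source_yum ;;
      2) check_env; sleep 2; create_nopasswd_user ;;
      3) check_env; sleep 2; create_account ;;
      4) check_env; sleep 2; disk_mount ;;
      5) check_env; sleep 2; create_user_whitelist ;;
      6) check_env; sleep 2; nopasswd_root ;;
      7) do_logs ;;
      8) echo "输入错误或输入8就退出程序"; exit 0 ;;
      *) echo "选择有误,准备退出!" >&2; exit 1 ;;
    esac
  done
}

main "$@"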
JRT
2021年11月11日 09:48