页面“Centos7服务器初始化”与“Expect基础”之间的差异

 
 
第1行: 第1行:
=我现在用的shell=
+
=添加pubkey=
 +
==多台添加pubkey ==
 
<pre>
 
<pre>
 +
cat main
 
#!/bin/bash
 
#!/bin/bash
#Authon: linuxsa.org 201911
+
for ip  in `cat list`
# usage bash  osinit.sh 2>&1 | tee osinit.log 
 
#http://wiki.linuxchina.net/index.php/Centos7%E5%88%9D%E5%A7%8B%E5%8C%96
 
  
#常用开发包 gcc etc
+
do
yum groupinstall "Development Tools" -y
+
#echo $ip
#常用命令 ifconfig etc
+
./addkey  $ip
yum install -y  net-tools    yum-utils rsync
 
  
# ins docker
+
done
# step 1: 安装必要的一些系统工具
 
yum install -y yum-utils device-mapper-persistent-data lvm2
 
# Step 2: 添加软件源信息
 
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
 
  
# Step 3: 更新并安装 Docker-CE
 
yum makecache fast
 
  
yum -y install docker-ce
 
# Step 4: 开启Docker服务
 
systemctl enable docker
 
systemctl start docker
 
  
 +
cat addkey
 +
#!/usr/local/bin/expect
 +
#define var
 +
set timeout 17
 +
# #<==接受第一个参数,赋值host
 +
set host [lindex $argv 0]
 +
set password "evan=="
  
rpm -ivh https://repo.zabbix.com/zabbix/4.0/rhel/7/x86_64/zabbix-release-4.0-1.el7.noarch.rpm
 
  
yum install zabbix-agent -y  && systemctl enable zabbix-agent
+
#spawn
 +
spawn ssh-copy-id -i /home/evan/lx/ssh/opspub root@$host
 +
#spawn ssh-copy-id  -i /home/evan/.ssh/id_rsa.pub root@$host
 +
#ssh-copy-id  -i /home/evan/.ssh/id_rsa.pub [email protected]
  
#install docker-compose etc
+
#expect
 +
expect {                 
 +
"*yes/no" { send "yes\r"; exp_continue} 
 +
"*password:" { send "$password\r" }     
 +
 +
#send  "exit\r" 
 +
expect eof
  
yum -y install vim wget curl yum-utils bash-completion bash-completion-extras epel-release lrzsz telnet python-pip
+
cat list
#这个看情况
+
192.168.7.4
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+
192.168.7.46
#mv  docker-compose /usr/local/bin/docker-compose
 
sudo chmod +x /usr/local/bin/docker-compose
 
chmod +x /usr/local/bin/docker-compose
 
#pip install docker-compose
 
  
#mkdir -p /home/data/docker
+
##上面用了copy-id  如果想用scp etc
mkdir -p /data/docker
 
  
echo '{"graph": "/data/docker"}' >/etc/docker/daemon.json
+
    #!/usr/bin/expect   
 +
    set timeout 5   
 +
    set hostno [lindex $argv 0]   
 +
    spawn scp ~/.ssh/id_dsa.pub impala$hostno:~/.ssh/pub_key   
 +
    expect "*password*"   
 +
    send "111111\r"  
 +
    spawn ssh impala$hostno "cat ~/.ssh/pub_key/ >> ~/.ssh/authorized_keys"   
 +
    expect "*password*"   
 +
    send "111111\r"   
 +
    spawn ssh impala$hostno "chmod 600 ~/.ssh/authorized_keys"   
 +
    expect "*password*"   
 +
    send "111111\r"   
 +
    expect eof   
  
# cat /etc/docker/daemon.json
+
(3)分析:
#{"graph": "/home/data/docker"}
+
set可以设置超时,或者设置一个变量的值
 
+
spawn是执行一个命令
systemctl restart docker
+
expect等待一个匹配的输出流中的内容
 
+
send是匹配到之后向输入流写入的内容
#验证docker储存位置
+
[lindex $argv 0]表示脚本的第0个参数
docker system info | grep "Root Dir"
+
expect eof表示读取到文件结束符
 
 
#开机自启动要用的
 
 
 
chmod +x /etc/rc.d/rc.local
 
 
 
setenforce 0
 
sed -i 's/enforcing/disabled/g' /etc/selinux/config
 
  
 
</pre>
 
</pre>
==centos7初始化 ==
 
  
==网络配置==
+
==多台添加ssh安全(远程执行命令和退出) ==
 
<pre>
 
<pre>
cat /etc/sysconfig/network-scripts/ifcfg-eth0
+
cat   run
TYPE="Ethernet"
+
#!/usr/local/bin/expect
BOOTPROTO=static  
+
  #define var
IPADDR0=192.168.0.16
+
set timeout 17
NETMASK=255.255.255.0
+
set host [lindex $argv 0]
GATEWAY0=192.168.0.1
+
set password "evan=="
DNS1=223.5.5.5 
 
DNS2=114.114.114.114
 
  
DEVICE="eth0"
+
#spawn
ONBOOT="yes"
+
spawn ssh root@$host
  
</pre>
+
expect {
  
== 安装常用软件==
+
    "*#*" { send "sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config\r";
<pre> yum install python-devel
+
send "sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config\r"
  yum install vim wget  net-tools  psmisc links  lsof telnet  zlib-devel curl    -y
+
send "systemctl restart sshd\r"
 +
#send "\r"
 +
    }
 +
}
 +
send "exit\r"  
 +
expect eof
  
yum groupinstall "Development Tools" -y
+
cat main
</pre>
+
#!/bin/bash
===CentOS7 安装ifconfig===
+
for ip  in `cat list`
<pre>
 
 
 
不知道dig 是哪个软件包 提供的  请用 yum provides  command #绝对路径
 
 
 
yum  provides /sbin/ifconfig
 
 
 
******
 
net-tools-1.60-114.el6.x86_64 : Basic networking tools
 
Repo        : base
 
匹配来自于:
 
Filename    : /sbin/ifconfig
 
*****
 
 
 
由上可见安装的软件为net-tools
 
 
 
ifconfig, netstat, route, and other
 
 
 
[root@centos7 hcmdb]# yum info  net-tools 
 
已安装的软件包
 
名称    :net-tools
 
架构    :x86_64
 
版本    :2.0
 
发布    :0.17.20131004git.el7
 
大小    :917 k
 
源    :installed
 
简介    : Basic networking tools
 
网址    :http://sourceforge.net/projects/net-tools/
 
协议    : GPLv2+
 
描述    : The net-tools package contains basic networking tools,
 
        : including ifconfig, netstat, route, and others.
 
        : Most of them are obsolete. For replacement check iproute package.
 
 
 
yum -y  install net-tools  vim  wget
 
#yum/dnf install net-tools  vim  wget
 
 
 
centos7精简安装后,使用中发现没有killall命令。
 
可以通过以下命令解决:
 
 
 
yum install psmisc
 
 
简单介绍一下 psmisc :
 
 
 
Psmisc软件包包含三个帮助管理/proc目录的程序。
 
安装下列程序: fuser, killall,pstree和pstree.x11(到pstree的链接)
 
fuser 显示使用指定文件或者文件系统的进程的PID。
 
killall 杀死某个名字的进程,它向运行指定命令的所有进程发出信号。
 
pstree 树型显示当前运行的进程。
 
pstree.x11 与pstree功能相同,只是在退出前需要确认
 
 
 
 
 
</pre>
 
 
 
==常用软件==
 
<pre>
 
 
 
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
 
 
 
yum install lsof -y
 
 
 
lsof -i:1080
 
 
 
yum groupinstall "Development Libraries"
 
 
 
yum groupinstall "Development Tools"
 
 
 
</pre>
 
 
 
==jdk==
 
<pre>
 
java.security.InvalidKeyException: Illegal key size or default parameters
 
 
 
new vm 就要加上 unlime
 
 
 
文件 UnlimitedJCEPolicyJDK7.zip
 
规制办法
 
evan@evankalilatop:~/xk/jdk$ cat jdkpath
 
替换 ${jdk_home}/jre/lib/security 下local_policy.jar, US_export_policy.jar
 
</pre>
 
  
==修改文件句柄数==
+
do
<pre>
+
#echo $ip
#临时修改,立刻生效
+
#./addkey  $ip
ulimit -n 655350       
+
./run  $ip
  
#永久修改
+
done
echo "* soft nofile 655360" >> /etc/security/limits.conf
 
echo "* hard nofile 655360" >> /etc/security/limits.conf
 
</pre>
 
==kernel 优化==
 
<pre>
 
#set sysctl 有空把这些意思拿出来
 
sysctl_config(){
 
cp /etc/sysctl.conf /et/sysctl.conf.bak
 
cat > /etc/sysctl.conf << EOF
 
net.ipv4.ip_forward = 0
 
net.ipv4.conf.default.rp_filter = 1
 
net.ipv4.conf.default.accept_source_route = 0
 
kernel.sysrq = 0
 
kernel.core_uses_pid = 1
 
net.ipv4.tcp_syncookies = 1
 
kernel.msgmnb = 65536
 
kernel.msgmax = 65536
 
kernel.shmmax = 68719476736
 
kernel.shmall = 4294967296
 
net.ipv4.tcp_max_tw_buckets = 6000
 
net.ipv4.tcp_sack = 1
 
net.ipv4.tcp_window_scaling = 1
 
net.ipv4.tcp_rmem = 4096 87380 4194304
 
net.ipv4.tcp_wmem = 4096 16384 4194304
 
net.core.wmem_default = 8388608
 
net.core.rmem_default = 8388608
 
net.core.rmem_max = 16777216
 
net.core.wmem_max = 16777216
 
net.core.netdev_max_backlog = 262144
 
net.core.somaxconn = 262144
 
net.ipv4.tcp_max_orphans = 3276800
 
net.ipv4.tcp_max_syn_backlog = 262144
 
net.ipv4.tcp_timestamps = 0
 
net.ipv4.tcp_synack_retries = 1
 
net.ipv4.tcp_syn_retries = 1
 
net.ipv4.tcp_tw_recycle = 1
 
net.ipv4.tcp_tw_reuse = 1
 
net.ipv4.tcp_mem = 94500000 915000000 927000000
 
net.ipv4.tcp_fin_timeout = 1
 
net.ipv4.tcp_keepalive_time = 1200
 
net.ipv4.ip_local_port_range = 1024 65535
 
EOF
 
/sbin/sysctl -p
 
echo "sysctl set OK!!"
 
}
 
  
 
+
#run
使用PAM模块限制资源:
+
bash main
# vi /etc/pam.d/login
 
session required pam_limits.so
 
 
</pre>
 
</pre>
  
==可以禁用ipv6 ==
+
==单个==
 
<pre>
 
<pre>
cat >> /etc/modprobe.d/ipv6.conf <<EOF
 
alias net-pf-10 off
 
alias ipv6 off
 
EOF
 
</pre>
 
  
==去除ssh远程DNS认证 ==
+
vi addkey
<pre>
 
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
 
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
 
  
sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config
+
#!/usr/local/bin/expect
 +
#SERVERS="101.00.208.197 120.40.043.52 "
 +
set timeout 5 
 +
set host [lindex $argv 0]
 +
spawn ssh-copy-id  -i /home/evan/.ssh/id_rsa.pub root@$host
 +
#ssh-copy-id  -i /home/evan/.ssh/id_rsa.pub [email protected]
 +
expect {                 
 +
"*yes/no" { send "yes\r"; exp_continue} 
 +
"*password:" { send "P2xMGipLpSG7dA==\r" }     
 +
  
sed -i "s/^PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
+
expect eof
  
systemctl restart sshd
 
  
 +
用法
 +
./addkey  18.80.216.19 #这是你的IP
 
</pre>
 
</pre>
  
==关闭不要的用户和服务==
+
=on dovo=
 
 
== 安全==
 
 
<pre>
 
<pre>
关闭 selinux 如果是在内网机器关了也没关系
+
#!/usr/bin/expect
 
+
#good on new kali  这个在新的kali 上是ok的
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
+
set timeout 30
setenforce 0
+
set sshIP "4.88.1.2"
 
+
set keypassword "ZdvV"
查看SELinux状态
+
set rootPassword "5D"
getenforce
+
#spawn ssh -o StrictHostKeyChecking=no -i /root/key  evan@$sshIP
 
+
expect "Enter passphrase"
 
+
send "$keypassword\r"
#临时关闭防火墙
+
expect "]$"
systemctl stop firewalld
+
send "sudo -i\r"
#永久防火墙开机自启动
+
expect "xxxxx"
systemctl disable firewalld
+
send "$rootPassword\r"
#临时打开防火墙
+
expect "]#"
systemctl start firewalld
+
## run command
#防火墙开机启动
+
#send "cat /root/1  && echo 'test was ok .';exit\r"
systemctl enable firewalld
+
#send "bash /data/tmp/dbins  && echo 'dbins was ok.';exit\r"
#查看防火墙状态
+
#expect "52wan"
systemctl status firewalld
+
#send "exit\r"
 
+
#expect eof {exit 0}
 
+
interact
新机器 测试 web 不关闭可能报错
 
ERR_ADDRESS_UNREACHABLE
 
 
 
 
 
fail2ban
 
 
 
</pre>
 
  
==设置时区==
 
<pre>
 
  
</pre>
+
#!/usr/bin/expect
 +
# on old kali  这个在老的kali
 +
set timeout 30
 +
set sshIP "4.88.1.2"
 +
set keypassword "Zd"
 +
set rootPassword "5D"
 +
spawn ssh -o StrictHostKeyChecking=no -i /home/key  evan@$sshIP
 +
expect "Enter passphrase"
 +
send "$keypassword\r"
 +
expect "52wan"
 +
send "sudo -i\r"
 +
expect "password for 52wan:"
 +
send "$rootPassword\r"
 +
expect "]#"
 +
## run command
 +
#send "cat /root/1  && echo 'test was ok .';exit\r"
 +
#send "bash /data/tmp/dbins  && echo 'dbins  was ok.';exit\r"
 +
#expect "52wan"
 +
#send "exit\r"
 +
#expect eof {exit 0}
 +
interact
  
<pre>
 
rm -f /etc/localtime
 
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
 
 
</pre>
 
</pre>
 
 
==参考==
 
 
[https://www.jianshu.com/p/d0ef5bd18610 centos7初始化脚本.bash]
 
 
[https://blog.csdn.net/kxwinxp/article/details/78895373 CentOS 7 运维优化]
 
 
[https://blog.csdn.net/wh211212/article/details/52923673 CentOS 7安装完成后初始化]
 
 
[https://blog.51cto.com/wzlinux/2043592 CentOS 7 新装服务器部署流程]
 
 
[https://www.cnblogs.com/sdhzdtwhm/p/8027928.html CentOS7操作系统初始化]
 
 
[https://linux.cn/article-5067-1.html 如何使用 fail2ban 防御 SSH 服务器的暴力破解攻击]
 
 
[http://www.cnblogs.com/txk1452/p/6361559.html CentOS7 安装ifconfig]
 
 
[http://blog.51cto.com/feihan21/1060365 Linux服务器初始化配置脚本]
 
 
[https://blog.imdst.com/linux-fu-wu-qi-chu-shi-hua-an-quan-jia-gu/ Linux服务器初始化调优及安全加固]
 
 
 
[https://www.cnblogs.com/stulzq/p/7610100.html Centos7 初始化硬盘分区、挂载]
 
 
==kernel==
 
[https://blog.csdn.net/lufeisan/article/details/53339991 Linux系统swappiness参数在内存与交换分区之间优化作用]
 
[[category:linux]][[category:ops]]
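Review bot: The new `addkey`, `run` and `on dovo` scripts hard-code the SSH and sudo secrets (`set password "evan=="`, `send "P2xMGipLpSG7dA==\r"`, `set rootPassword "5D"`), and since this revision is the page source those values now sit in the wiki history in clear text; read them from the environment instead, e.g. `set password $env(ADDKEY_PASSWORD)`, and treat the published ones as disclosed. The two `spawn ssh -o StrictHostKeyChecking=no ...` lines in the `on dovo` section also switch off host-key verification, which is the check that the passphrase and root password are being typed at the intended machine; drop the option and seed `known_hosts` beforehand. In the `scp` variant, `cat ~/.ssh/pub_key/ >> ~/.ssh/authorized_keys` carries a trailing slash on what scp just wrote as a regular file, so the append looks like it would fail while the script still goes on to `chmod`, because no `expect` pattern looks at the command's outcome. Both copies of `main` iterate over an unquoted backtick `cat list` substitution; `while IFS= read -r ip; do ./addkey "$ip"; done < list` avoids word-splitting and globbing of the entries.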
 

2019年11月12日 (二) 09:45的版本

添加pubkey

多台添加pubkey

cat main 
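#!/bin/bash
# Run ./addkey once for every host listed in ./list (one address per line).
# Usage: bash main   (from the directory that holds main, addkey and list)
# Exits 1 when ./list cannot be read.
set -u

list_file=list
[[ -r "$list_file" ]] || { printf 'main: cannot read %s\n' "$list_file" >&2; exit 1; }

# Read line by line instead of word-splitting `cat list`, so an entry is passed
# to addkey unchanged even if it contains spaces or glob characters; the
# '|| [[ -n ]]' clause still handles a final line without a trailing newline.
while IFS= read -r ip || [[ -n "$ip" ]]; do
  [[ -n "$ip" ]] || continue   # blank lines were also skipped by the old for-loop
  #echo "$ip"
  ./addkey "$ip"
done < "$list_file"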



cat addkey 
#!/usr/local/bin/expect
# addkey: install the local public key on root@<host> with ssh-copy-id,
# answering the host-key and password prompts from this script.
# Argument 1: the target host name or IP.
# NOTE(review): the root password is a literal below, so it is part of this
# file and of the wiki history; treat it as disclosed and rotate it.
 #define var
set timeout 17
# take the first argument and assign it to host
set host [lindex $argv 0]
set password "evan=="


#spawn
# Pushes the key at /home/evan/lx/ssh/opspub; the two commented variants use
# the default id_rsa.pub instead.
spawn ssh-copy-id  -i /home/evan/lx/ssh/opspub root@$host
#spawn ssh-copy-id  -i /home/evan/.ssh/id_rsa.pub root@$host
#ssh-copy-id  -i /home/evan/.ssh/id_rsa.pub [email protected]

#expect
# Any "yes/no" question (normally the unknown-host-key prompt) is answered
# "yes" without the fingerprint being checked; the first "password:" prompt
# gets the literal password. No pattern inspects ssh-copy-id's result, so a
# rejected password is not detected here - the script just waits for eof or
# the 17 s timeout.
expect {                  
 "*yes/no" { send "yes\r"; exp_continue}   
 "*password:" { send "$password\r" }       
 }  
#send  "exit\r"  
expect eof

cat list 
192.168.7.4
192.168.7.46

##上面用了copy-id  如果想用scp  etc 

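    #!/usr/bin/expect
    # Push the local DSA public key to host "impala<N>" and append it to that
    # account's authorized_keys, answering each password prompt from this script.
    # Argument 1: the numeric host suffix N (the target is impala$hostno).
    # NOTE(review): the password is a literal in this file, so anyone who can
    # read the script (or this wiki page) has it; prefer ssh-copy-id with an
    # agent, or at least read the secret from the environment.
    set timeout 5
    set hostno [lindex $argv 0]
    set password "111111"

    # Step 1: copy the key file. A new spawn does not wait for the previous
    # child, so wait for scp to exit here; otherwise the cat below may run
    # before the upload has finished.
    spawn scp ~/.ssh/id_dsa.pub impala$hostno:~/.ssh/pub_key
    expect "*password*"
    send "$password\r"
    expect eof

    # Step 2: append the key. pub_key is a regular file, so no trailing slash
    # (the original "pub_key/" would make cat fail on a regular file).
    spawn ssh impala$hostno "cat ~/.ssh/pub_key >> ~/.ssh/authorized_keys"
    expect "*password*"
    send "$password\r"
    expect eof

    # Step 3: tighten permissions on authorized_keys.
    spawn ssh impala$hostno "chmod 600 ~/.ssh/authorized_keys"
    expect "*password*"
    send "$password\r"
    expect eof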

(3)分析:
set可以设置超时,或者设置一个变量的值
spawn是执行一个命令
expect等待一个匹配的输出流中的内容
send是匹配到之后向输入流写入的内容
[lindex $argv 0]表示脚本的第0个参数
expect eof表示读取到文件结束符

多台添加ssh安全(远程执行命令和退出)

 cat   run
#!/usr/local/bin/expect
# run: log in as root@<host> over ssh and, on the first shell prompt, enable
# PubkeyAuthentication, disable PasswordAuthentication in sshd_config,
# restart sshd and log out.
# Argument 1: the target host name or IP.
# NOTE(review): password is assigned but never sent in this script - the
# login relies on the key installed by addkey. There is no "password:"
# pattern, so if key login is not working the script waits out the 17 s
# timeout instead of authenticating. Confirm key login works before running
# this, since it turns password login off on the remote sshd.
 #define var
set timeout 17
set host [lindex $argv 0]
set password "evan=="

#spawn
spawn ssh root@$host

# "*#*" matches any output containing '#', which is meant to be the root
# prompt but could also match a banner or motd line. The three commands are
# sent back to back without waiting for a prompt or checking their results.
expect {

    "*#*" { send "sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config\r";
send "sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config\r"
send "systemctl restart sshd\r"
	#send "\r"
    }
}
send  "exit\r"  
expect eof

cat main
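#!/bin/bash
# Run ./run once for every host listed in ./list (one address per line).
# Usage: bash main   (from the directory that holds main, run and list)
# Exits 1 when ./list cannot be read.
set -u

list_file=list
[[ -r "$list_file" ]] || { printf 'main: cannot read %s\n' "$list_file" >&2; exit 1; }

# Read line by line instead of word-splitting `cat list`, so an entry is passed
# to run unchanged even if it contains spaces or glob characters; the
# '|| [[ -n ]]' clause still handles a final line without a trailing newline.
while IFS= read -r ip || [[ -n "$ip" ]]; do
  [[ -n "$ip" ]] || continue   # blank lines were also skipped by the old for-loop
  #echo "$ip"
  #./addkey "$ip"
  ./run "$ip"
done < "$list_file"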

#run - executes ./run against every host in ./list; main, run and list are
# addressed relative to the current directory, so start it from there.
bash main 

单个


vi addkey

#!/usr/local/bin/expect
# addkey (single-host variant): install ~/.ssh/id_rsa.pub on root@<host>
# with ssh-copy-id, answering the host-key and password prompts.
# Argument 1: the target host name or IP.
# NOTE(review): the root password is sent as a literal in the expect block
# below, so it is part of this file and of the wiki history; treat it as
# disclosed and rotate it.
#SERVERS="101.00.208.197 120.40.043.52 " 
set timeout 5   
set host [lindex $argv 0]
spawn ssh-copy-id  -i /home/evan/.ssh/id_rsa.pub root@$host
#ssh-copy-id  -i /home/evan/.ssh/id_rsa.pub [email protected]
# Any "yes/no" question (normally the unknown-host-key prompt) is answered
# "yes" without the fingerprint being checked; no pattern inspects the
# result, so a rejected password only shows up as the 5 s timeout.
expect {                  
 "*yes/no" { send "yes\r"; exp_continue}   
 "*password:" { send "P2xMGipLpSG7dA==\r" }       
 }  

expect eof


用法 
	./addkey  18.80.216.19 #这是你的IP 

on dovo

#!/usr/bin/expect
#good on new kali  (works on the new kali)
# Log in to $sshIP as evan with a passphrase-protected key, escalate with
# "sudo -i", then hand the session to the user with interact.
# NOTE(review): the key passphrase and root password are literals in this
# file and in the wiki history; treat them as disclosed. The spawn line is
# commented out, so no child process exists and expect/send presumably act
# on the controlling terminal rather than on ssh - likely a transcription
# artifact. expect "xxxxx" looks like a placeholder for the sudo prompt.
set timeout 30
set sshIP "4.88.1.2"
set keypassword "ZdvV"
set rootPassword "5D"
# StrictHostKeyChecking=no in the commented spawn would disable host-key
# verification; if re-enabled, drop the option and seed known_hosts instead.
#spawn ssh -o StrictHostKeyChecking=no -i /root/key  evan@$sshIP
expect "Enter passphrase"
send "$keypassword\r"
expect "]$"
send "sudo -i\r"
expect "xxxxx"
send "$rootPassword\r"
expect "]#"
## run command
#send "cat /root/1  && echo 'test was ok .';exit\r"
#send "bash /data/tmp/dbins   && echo 'dbins  was ok.';exit\r"
#expect "52wan"
#send "exit\r"
#expect eof {exit 0}
# Hand the (root) session over to the user.
interact


#!/usr/bin/expect
# on old kali  (for the older kali)
# Log in to $sshIP as evan with the passphrase-protected key /home/key,
# escalate with "sudo -i", then hand the session to the user with interact.
# NOTE(review): the key passphrase and root password are literals in this
# file and in the wiki history; treat them as disclosed.
set timeout 30
set sshIP "4.88.1.2"
set keypassword "Zd"
set rootPassword "5D"
# StrictHostKeyChecking=no disables host-key verification, so the passphrase
# and root password below are typed at whatever answers on $sshIP; drop the
# option and seed known_hosts instead.
spawn ssh -o StrictHostKeyChecking=no -i /home/key  evan@$sshIP
expect "Enter passphrase"
send "$keypassword\r"
# "52wan" presumably appears in the user's shell prompt; "]#" is the root
# prompt after sudo -i.
expect "52wan"
send "sudo -i\r"
expect "password for 52wan:"
send "$rootPassword\r"
expect "]#"
## run command
#send "cat /root/1  && echo 'test was ok .';exit\r"
#send "bash /data/tmp/dbins   && echo 'dbins  was ok.';exit\r"
#expect "52wan"
#send "exit\r"
#expect eof {exit 0}
# Hand the (root) session over to the user.
interact