#!/bin/bash
###########################################
# Author : JRT #
# why : #ecs初始化,预期以一个脚本完成常用的安全配置
# Version : 1.0 #
# Create_Time : 2021.9.29 #
# Description : 1.创建普通用户,2.创建可免密切换root用户,3.修改端口 4.安装修改docker目录,5.操作日志 6.创建user白名单,7.配源和安装依赖
###########################################
#############涉及的变量############################
#创建普通用户,账号密码将user1及pass1值替换,密钥对在/home/$user1/.ssh中,将id_rsa拷贝配合账号登录
#user1=jrt1
#pass1=jrt1
#创建可免密切换root的普通用户
#默认修改为22端口,修改前提服务器后台安全组放开22端口,如果修改为其他,先放开端口
#port=22
#docker的新目录(修改docker目录,)
#dockerpath=/data/.docker_data/
#创建免密切换root的账号
#创建user白名单,除白名单外其他用户禁止登陆
#环境检查
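check_env()
{
  # Identify the distribution from /etc/os-release; anything other than CentOS 7/8 or
  # Ubuntu aborts the whole script (an exit inside a function ends the script, which
  # is what the menu relies on). grep -q replaces the original `cat | grep` + `[ -n ]`,
  # and the failure path now exits non-zero instead of inheriting echo's status 0.
  local os_release=/etc/os-release
  if grep -q CentOS-7 "$os_release" 2>/dev/null; then
    echo -e "\e[35;40mGood,Your env is CentOS-7 \e[0m"
  elif grep -q CentOS-8 "$os_release" 2>/dev/null; then
    echo -e "\e[35;40mGood,Your env is CentOS-8 \e[0m"
  elif grep -q ubuntu "$os_release" 2>/dev/null; then
    echo -e "\e[35;40mGood,Your env is ubuntu \e[0m"
  else
    echo -e "\e[35;40m环境检查失败,请将脚本放在正确环境,重新执行 \e[0m" >&2
    exit 1
  fi
}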
#centos配置yum源
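#######################################
# Download $1 into $2 without ever leaving a truncated or empty file behind.
# `wget -O dest` truncates dest before connecting, so a failed download used to
# leave an empty repo file; here the download goes to a temp file next to dest and
# is moved into place only on success. TLS verification stays on: this file
# decides where every later package install comes from.
# Returns: 0 on success, 1 when the download failed.
#######################################
_fetch_into()
{
  local url=$1 dest=$2 tmp
  tmp=$(mktemp "${dest}.XXXXXX") || return 1
  if wget -O "$tmp" "$url"; then
    mv -f -- "$tmp" "$dest"
  else
    rm -f -- "$tmp"
    echo "下载失败: $url" >&2
    return 1
  fi
}

#centos配置yum源
# Point yum/apt at the Huawei Cloud mirror. The architecture comes from `uname -m`;
# the original grepped `uname -a`, which also contains the hostname and kernel string.
# NOTE(review): the aarch64 Ubuntu branch installs the *bionic* ports list regardless
# of the installed release — confirm that matches the target images.
pre_installall_centos7_source_yum()
{
  local arch repo url
  arch=$(uname -m)
  if grep -q CentOS-7 /etc/os-release 2>/dev/null; then
    echo "Good,Your env is CentOS-7"
    repo=/etc/yum.repos.d/CentOS-Base.repo
    if [[ "$arch" == *x86* ]]; then
      echo "Good,Your env is CentOS-7的x86环境."
      url=https://repo.huaweicloud.com/repository/conf/CentOS-7-reg.repo
    else
      echo "Good,Your env is CentOS-7的aarch64环境."
      url=https://repo.huaweicloud.com/repository/conf/CentOS-AltArch-7.repo
    fi
    cp -a -- "$repo" "$repo.bak"
    _fetch_into "$url" "$repo" || return 1
    yum clean all
    yum makecache
  elif grep -q CentOS-8 /etc/os-release 2>/dev/null; then
    echo "Good,Your env is CentOS-8,不需换源"
  elif grep -q ubuntu /etc/os-release 2>/dev/null; then
    echo "Good,Your env is ubuntu"
    repo=/etc/apt/sources.list
    cp -a -- "$repo" "$repo.bak"
    if [[ "$arch" == *x86* ]]; then
      echo "Good,Your env is ubuntu的x86环境."
      sed -i "s@http://.*archive.ubuntu.com@http://repo.huaweicloud.com@g" "$repo"
      sed -i "s@http://.*security.ubuntu.com@http://repo.huaweicloud.com@g" "$repo"
    else
      echo "Good,Your env is ubuntu的aarch64环境."
      # The original passed --no-check-certificate here; dropped, see _fetch_into.
      _fetch_into https://repo.huaweicloud.com/repository/conf/Ubuntu-Ports-bionic.list "$repo" || return 1
    fi
    apt-get update
  else
    echo '环境检查失败,请将脚本放在正确环境,重新执行' >&2
    exit 1
  fi
}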
#重装系统后磁盘挂载
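#重装系统后磁盘挂载
#######################################
# Mount every unmounted virtio data disk (vdb, vdc, ...; vda is the system disk)
# on /data, /data1, ... and record it in /etc/fstab.
# Differences from the original lsblk-text parsing:
#   - `lsblk -dn` lists whole devices only, so no tree characters leak into /dev/ names;
#   - a disk that is already mounted, or carries no filesystem, is skipped instead
#     of being (re)mounted and still written to fstab — a bad line with "defaults"
#     and no nofail can drop the next boot into emergency mode;
#   - the filesystem type comes from blkid instead of a hard-coded ext4;
#   - the target is the first /dataN that is not already a mount point, so re-runs
#     do not stack a second disk on top of /data;
#   - fstab is only written after a successful mount and never twice per device.
# Outputs: df -TH once at the end.
#######################################
disk_mount()
{
  local dev mnt fstype target idx
  while read -r dev mnt; do
    [[ "$dev" == vd* && "$dev" != vda ]] || continue
    if [[ -n "$mnt" ]]; then
      echo "/dev/$dev 已挂载在 $mnt,跳过" >&2
      continue
    fi
    fstype=$(blkid -s TYPE -o value "/dev/$dev" 2>/dev/null)
    if [[ -z "$fstype" ]]; then
      echo "/dev/$dev 未发现文件系统(未格式化或已分区),跳过" >&2
      continue
    fi
    target=/data
    idx=0
    while mountpoint -q -- "$target"; do
      idx=$((idx + 1))
      target="/data$idx"
    done
    mkdir -p -- "$target"
    if ! mount -t "$fstype" "/dev/$dev" "$target"; then
      echo "挂载 /dev/$dev 到 $target 失败,不写入 /etc/fstab" >&2
      continue
    fi
    #永久挂载
    if ! grep -q "^/dev/$dev[[:space:]]" /etc/fstab; then
      echo "/dev/$dev $target $fstype defaults 0 0" >> /etc/fstab
    fi
  done < <(lsblk -dn -o NAME,MOUNTPOINT)
  df -TH
}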
#创建普通用户,并可以密钥登录
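#创建普通用户,并可以密钥登录
#######################################
# Create a login user under /data/home with a password and a fresh RSA key pair
# whose public half is its only authorized_keys entry; the private key stays in
# ~/.ssh/id_rsa for the operator to hand out (see the header of this script).
# Hardening over the original: the name is validated before it reaches
# useradd/su/chpasswd, an existing account is not re-created, ~/.ssh is created
# before ssh-keygen (which does not create the parent directory), and the script's
# cwd is no longer changed.
# Arguments: none (prompts on stdin)
# Returns: 0 on success, 1 on invalid input or a failed step
#######################################
create_account()
{
  local user1 pass1 home
  read -r -p "请输入要创建的账号名:" user1
  read -r -s -p "请输入要创建的账号名的密码:" pass1
  echo   # read -s swallows the newline after the prompt
  if [[ ! "$user1" =~ ^[A-Za-z_][A-Za-z0-9_-]{0,31}$ ]]; then
    echo "账号名不合法: $user1" >&2
    return 1
  fi
  if [[ -z "$pass1" ]]; then
    echo "密码不能为空" >&2
    return 1
  fi
  if id -u "$user1" >/dev/null 2>&1; then
    echo "账号 $user1 已存在" >&2
    return 1
  fi
  home=/data/home/$user1
  #创建用户在/data/home
  mkdir -p /data/home
  #创建账号
  useradd -d "$home" -m "$user1" || return 1
  if grep -q CentOS /etc/os-release 2>/dev/null; then
    echo "$pass1" | passwd --stdin "$user1"
  elif grep -q ubuntu /etc/os-release 2>/dev/null; then
    #echo "用户:新密码" |chpasswd 回车;
    echo "$user1:$pass1" | chpasswd
  else
    echo "环境不支持" >&2
    exit 1
  fi
  #密钥登录,创建密钥对
  su "$user1" -c "mkdir -p -m 700 '$home/.ssh' && ssh-keygen -t rsa -N '' -f '$home/.ssh/id_rsa' -q" || return 1
  cp -- "$home/.ssh/id_rsa.pub" "$home/.ssh/authorized_keys"
  chown "$user1:" "$home/.ssh/authorized_keys"
  #授权,防止登陆失败
  chmod 755 "$home"
  chmod 700 "$home/.ssh"
  chmod 600 "$home/.ssh/"*
  #普通用户拥有docker权限
  # Membership in the docker group is root-equivalent on this host (the daemon runs
  # as root), so grant it knowingly. It takes effect at the user's next login; the
  # original also restarted the daemon, which group changes do not need and which
  # interrupts running containers.
  if getent group docker >/dev/null; then
    gpasswd -a "$user1" docker
  else
    echo "docker 组不存在,未授予 docker 权限" >&2
  fi
}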
#监控日志(每个用户登录完,退出时,会把自己的操作记录存放在/tmp/dishdp/${LOGNAME})
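#监控日志(每个用户登录完,退出时,会把自己的操作记录存放在/tmp/dishdp/${LOGNAME})
#######################################
# Append a per-login HISTFILE setup to /etc/profile. Idempotent: the HISTFILE path
# inside the block serves as the marker, so re-running step 7 no longer stacks a
# second copy. /tmp/dishdp gets the sticky bit so one user cannot remove or rename
# another user's directory (plain 777 allowed that).
# NOTE(review): HISTFILE is an ordinary shell variable and the file lives in a
# directory the user owns, so this is a convenience trail, not a tamper-resistant
# audit log.
#######################################
do_logs()
{
  if grep -q '/tmp/dishdp/' /etc/profile 2>/dev/null; then
    echo "操作日志配置已存在于 /etc/profile,跳过" >&2
    return 0
  fi
  # Quoted delimiter: nothing below is expanded now; it runs at each login.
  cat >> /etc/profile << \EOF
PS1="`whoami`@`hostname`:"'[$PWD]'
history
USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
USER_IP=`hostname`
fi
if [ ! -d /tmp/dishdp ]
then
mkdir /tmp/dishdp
# sticky bit: users may create their own directory here but not remove others'
chmod 1777 /tmp/dishdp
fi
if [ ! -d /tmp/dishdp/${LOGNAME} ]
then
mkdir /tmp/dishdp/${LOGNAME}
chmod 300 /tmp/dishdp/${LOGNAME}
fi
export HISTSIZE=4096
DT=`date "+%Y-%m-%d_%H:%M:%S"`
export HISTFILE="/tmp/dishdp/${LOGNAME}/${USER_IP} dishdp.$DT"
chmod 600 /tmp/dishdp/${LOGNAME}/*dishdp* 2>/dev/null
EOF
  source /etc/profile
}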
##创建免密切换root的账号
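##创建免密切换root的账号
#######################################
# Same as create_account (user under /data/home, password, RSA key pair as the only
# authorized key) but the account is also put into wheel, which is the group that
# step 6 (nopasswd_root) trusts for password-less su and sudo.
# Hardening over the original: name validated before useradd/su/chpasswd, existing
# accounts are not re-created, ~/.ssh is created before ssh-keygen, the cwd is not
# changed, and wheel is added as a supplementary group — `usermod -g wheel` replaced
# the primary group, so every file the user created was group-owned by wheel.
# Arguments: none (prompts on stdin)
# Returns: 0 on success, 1 on invalid input or a failed step
#######################################
create_nopasswd_user()
{
  local user2 pass2 home
  read -r -p "请输入要创建的账号名:" user2
  read -r -s -p "请输入要创建的账号名的密码:" pass2
  echo   # read -s swallows the newline after the prompt
  if [[ ! "$user2" =~ ^[A-Za-z_][A-Za-z0-9_-]{0,31}$ ]]; then
    echo "账号名不合法: $user2" >&2
    return 1
  fi
  if [[ -z "$pass2" ]]; then
    echo "密码不能为空" >&2
    return 1
  fi
  if id -u "$user2" >/dev/null 2>&1; then
    echo "账号 $user2 已存在" >&2
    return 1
  fi
  home=/data/home/$user2
  #创建用户在/data/home
  mkdir -p /data/home
  useradd -d "$home" -m "$user2" || return 1
  if grep -q CentOS /etc/os-release 2>/dev/null; then
    echo "$pass2" | passwd --stdin "$user2"
  elif grep -q ubuntu /etc/os-release 2>/dev/null; then
    #echo "用户:新密码" |chpasswd 回车;
    echo "$user2:$pass2" | chpasswd
  else
    echo "环境不支持" >&2
    exit 1
  fi
  #在$user2用户下创建密钥对,
  su "$user2" -c "mkdir -p -m 700 '$home/.ssh' && ssh-keygen -t rsa -N '' -f '$home/.ssh/id_rsa' -q" || return 1
  cp -- "$home/.ssh/id_rsa.pub" "$home/.ssh/authorized_keys"
  chown "$user2:" "$home/.ssh/authorized_keys"
  #授权,防止登陆失败
  chmod 755 "$home"
  chmod 700 "$home/.ssh"
  chmod 600 "$home/.ssh/"*
  # wheel is created by step 6 on Ubuntu; without it usermod fails, so say so.
  if getent group wheel >/dev/null; then
    usermod -aG wheel "$user2"
  else
    echo "wheel 组不存在,请先执行步骤 6,再执行: usermod -aG wheel $user2" >&2
    return 1
  fi
}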
#创建user白名单,除白名单外其他用户禁止登陆
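#创建user白名单,除白名单外其他用户禁止登陆
#######################################
# Append an AllowUsers line to sshd_config and restart sshd. Once AllowUsers is
# active, ssh logins for every account not listed are refused — including the one
# used to run this script — so the operator is warned when their own login is
# missing. The config is validated with `sshd -t` before the restart and restored
# from a backup on failure; the original restarted twice with no check, and an
# empty or malformed line would have made the restart fail.
# Arguments: none (prompts on stdin)
# Returns: 0 on success, 1 on invalid input or a config that sshd rejects
#######################################
create_user_whitelist()
{
  local cfg=/etc/ssh/sshd_config user3 u me
  read -r -p "请输入要放入白名单的账号,多个以空格分开(如;zhangsan lisi):" user3
  if [[ -z "${user3// /}" ]]; then
    echo "白名单不能为空" >&2
    return 1
  fi
  # The names are written verbatim into sshd_config: accept only user / user@host
  # patterns (letters, digits, _ . @ - and the wildcards * ?).
  # shellcheck disable=SC2086 -- word-splitting on spaces is the intended input format
  for u in $user3; do
    if [[ ! "$u" =~ ^[A-Za-z0-9_.@*?-]+$ ]]; then
      echo "账号名不合法: $u" >&2
      return 1
    fi
  done
  me=$(logname 2>/dev/null || true)
  if [[ -n "$me" && " $user3 " != *" $me "* ]]; then
    echo "注意: 当前登录账号 $me 不在白名单内,重启 sshd 后该账号将无法再通过 ssh 登录" >&2
  fi
  cp -a -- "$cfg" "$cfg.bak"
  # Additional AllowUsers lines extend the existing list, so only an identical
  # line is skipped.
  grep -qxF "AllowUsers $user3" "$cfg" || echo "AllowUsers $user3" >> "$cfg"
  if ! sshd -t; then
    cp -a -- "$cfg.bak" "$cfg"
    echo "sshd_config 校验失败,已恢复修改前的配置" >&2
    return 1
  fi
  #查询结果
  grep -i allowusers "$cfg"
  systemctl restart sshd
}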
#免密登陆
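#######################################
# Insert the two pam_wheel lines into PAM file $1 directly after the active
# pam_rootok.so line, unless an uncommented pam_wheel line is already present.
# The order that matters is rootok → sufficient/trust → required, which is the
# same on CentOS and Ubuntu; the original used fixed line offsets from a header
# comment and, when the anchor was not found, silently inserted at lines 1/5.
# Returns: 0 when configured (or already configured), 1 when no anchor exists.
#######################################
_insert_pam_wheel()
{
  local pam=$1
  if grep -Eq '^[[:space:]]*auth[[:space:]]+(sufficient|required)[[:space:]]+pam_wheel\.so' "$pam"; then
    echo "$pam 已配置 pam_wheel,跳过" >&2
    return 0
  fi
  local anchor='^[[:space:]]*auth[[:space:]]\+sufficient[[:space:]]\+pam_rootok\.so'
  if ! grep -q "$anchor" "$pam"; then
    echo "$pam 中未找到 pam_rootok.so,请手工配置 pam_wheel" >&2
    return 1
  fi
  # Two appends after the same anchor: the second lands directly after it,
  # i.e. before the first, giving rootok → sufficient/trust → required.
  sed -i "/$anchor/a auth required pam_wheel.so use_uid" "$pam"
  sed -i "/$anchor/a auth sufficient pam_wheel.so trust use_uid" "$pam"
}

#######################################
# Restrict su to wheel and give wheel password-less sudo. /etc/sudoers is never
# appended to directly — a syntax error there breaks every sudo on the host — the
# rule goes into a drop-in (file name chosen here) that is checked with
# `visudo -cf` before it is installed with the 0440 mode sudo requires.
# NOTE(review): relies on the stock /etc/sudoers including /etc/sudoers.d — confirm
# if the file was customized.
#######################################
_wheel_su_and_sudo()
{
  #只允许wheel组使用su
  grep -qx 'SU_WHEEL_ONLY yes' /etc/login.defs || echo "SU_WHEEL_ONLY yes" >> /etc/login.defs
  local rule=/etc/sudoers.d/90-wheel-nopasswd tmp
  if [[ -f "$rule" ]]; then
    return 0
  fi
  tmp=$(mktemp) || return 1
  echo "%wheel ALL=(ALL) NOPASSWD: ALL" > "$tmp"
  if visudo -cf "$tmp" >/dev/null; then
    install -m 0440 -- "$tmp" "$rule"
  else
    echo "sudoers 规则校验失败,未写入 $rule" >&2
  fi
  rm -f -- "$tmp"
}

#免密登陆
#######################################
# Let members of wheel `su` to root and use sudo without a password and deny su to
# everyone else. Re-runnable: each setting is only added when absent (the menu
# says to run it once per OS; a second run used to duplicate every line).
# Returns: 0 on success, 1 when the PAM file could not be configured.
#######################################
nopasswd_root()
{
  local pam=/etc/pam.d/su
  #免密切换root
  if grep -q CentOS /etc/os-release 2>/dev/null; then
    _insert_pam_wheel "$pam" || return 1
    _wheel_su_and_sudo
    # Kept from the original. pam_wheel does not need it (root passes via
    # pam_rootok); it makes wheel the group owner of files root creates.
    usermod -g wheel root
  elif grep -q ubuntu /etc/os-release 2>/dev/null; then
    getent group wheel >/dev/null || groupadd wheel
    _insert_pam_wheel "$pam" || return 1
    _wheel_su_and_sudo
    # Kept from the original, see the CentOS branch.
    usermod -g wheel root
  else
    echo "环境不支持" >&2
  fi
}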
##############################主函数####################################
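# Interactive menu. Every step except 7 writes under /etc or calls useradd/mount,
# so refuse to start without root rather than fail half-way through a step.
if [[ $EUID -ne 0 ]]; then
  echo "请以 root 身份运行本脚本" >&2
  exit 1
fi
while :; do
  echo "############################_menu_############################"
  echo "0.检查环境"
  echo "1.配置yum源或apt源"
  echo "2.创建可免密切换root用户,首次需要先执行6"
  echo "3.创建普通用户"
  echo "4.重装系统后磁盘挂载"
  echo "5.创建user白名单"
  echo "6.免密从普通用户切换root,一个操作系统执行一次即可,搭配2使用"
  echo "7.操作日志"
  echo "8.输入错误或输入8就退出程序"
  echo "##############################################################"
  # The prompt lists exactly the menu entries (the original advertised -1 and omitted 6).
  read -r -p "请选择您需要执行的步骤:(0|1|2|3|4|5|6|7|8):" choice
  case "$choice" in
    0) check_env ;;
    1) check_env; sleep 2s; pre_installall_centos7_source_yum ;;
    2) check_env; sleep 2s; create_nopasswd_user ;;
    3) check_env; sleep 2s; create_account ;;
    4) check_env; sleep 2s; disk_mount ;;
    5) check_env; sleep 2s; create_user_whitelist ;;
    6) check_env; sleep 2s; nopasswd_root ;;
    7) do_logs ;;
    8) echo "输入错误或输入8就退出程序"; exit 0 ;;
    *) echo "选择有误,准备退出!"; exit 1 ;;
  esac
done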