文章目录
1、服务器系统配置初始化
1、设置时区并同步时间
2、禁用selinux
3、清空防火墙默认策略
4、历史命令显示操作时间
5、禁止root远程登录
6、禁止定时任务发送邮件
7、设置最大打开文件数
8、减少Swap使用
9、系统内核参数优化
10、安装系统性能分析工具及其他工具
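#!/bin/bash
# Initial configuration of a freshly installed CentOS/RHEL host (run as root).
# Re-running is safe: every append to a config file is guarded by a grep.
set -u

# --- timezone and time sync --------------------------------------------
timedatectl set-timezone Asia/Shanghai
# Add a daily ntpdate job at 01:00 unless one already exists. The original
# spec "* 1 * * *" fired every minute between 01:00 and 01:59.
# NOTE(review): ntpdate against a public server is unauthenticated; an
# internal NTP source (or chronyd) is the usual choice for servers.
if ! crontab -l 2>/dev/null | grep -q ntpdate; then
  (crontab -l 2>/dev/null; echo "0 1 * * * ntpdate time.windows.com >/dev/null 2>&1") | crontab -
fi

# --- SELinux -----------------------------------------------------------
# The original only rewrote "permissive"; a host in "enforcing" was left
# unchanged, contradicting the heading. Replace the whole SELINUX= line.
# Effective after reboot; this removes MAC confinement for the whole host.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

# --- distro firewall ---------------------------------------------------
# Stops and disables firewalld (EL7) or the iptables service (EL6). The
# host has no packet filter afterwards until a rule set is loaded.
if grep -Eq '7\.[0-9]' /etc/redhat-release; then
  systemctl stop firewalld
  systemctl disable firewalld
elif grep -Eq '6\.[0-9]' /etc/redhat-release; then
  service iptables stop
  chkconfig iptables off
fi

# --- timestamps in shell history ---------------------------------------
if ! grep -q HISTTIMEFORMAT /etc/bashrc; then
  echo 'export HISTTIMEFORMAT="%F %T `whoami` "' >>/etc/bashrc
fi

# --- idle shell timeout (seconds) --------------------------------------
if ! grep -q "TMOUT=600" /etc/profile; then
  echo "export TMOUT=600" >>/etc/profile
fi

# --- sshd: disable reverse DNS / GSSAPI lookups (left disabled as in the
# original). Note that nothing here sets "PermitRootLogin no"; add that to
# sshd_config and reload sshd if root logins are to be refused.
#sed -i.bak 's@#UseDNS yes@UseDNS no@g;s@^GSSAPIAuthentication yes@GSSAPIAuthentication no@g' /etc/ssh/sshd_config

# --- stop cron from mailing job output ---------------------------------
sed -i 's/^MAILTO=root/MAILTO=""/' /etc/crontab

# --- max open files ----------------------------------------------------
if ! grep -q "^\* soft nofile 65535" /etc/security/limits.conf; then
cat >>/etc/security/limits.conf <<EOF
* soft nofile 65535
* hard nofile 65535
EOF
fi

# --- kernel parameters -------------------------------------------------
# Guarded so re-runs do not append duplicates. The original wrote
# "tcp_max_syc_backlog", a key that does not exist and that sysctl rejects;
# corrected to tcp_max_syn_backlog. vm.swappiness is persisted here as well,
# because writing /proc/sys alone is lost on reboot.
if ! grep -q '^net.ipv4.tcp_max_syn_backlog' /etc/sysctl.conf; then
cat >>/etc/sysctl.conf <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_tw_buckets = 20480
net.ipv4.tcp_max_syn_backlog = 20480
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_fin_timeout = 20
vm.swappiness = 0
EOF
fi
sysctl -p >/dev/null

# --- reduce swap usage now (persisted above) ---------------------------
echo "0" >/proc/sys/vm/swappiness

# --- package source and tools ------------------------------------------
yum -y install wget
# The repo file is fetched over plain http; package signatures are still
# checked by yum only if gpgcheck=1 inside that file.
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum repolist && yum makecache fast
# performance analysis and convenience tools
yum -y install gcc make autoconf vim net-tools ntpdate sysstat iftop iotop lrzsz glances htop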
2、批量创建用户并设置密码
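#!/bin/bash
# Create each user named on the command line with a random password and
# record "user password" pairs in USER_FILE. Run as root.
# Usage: user.sh NAME...
set -u
USER_FILE=./user.info

# 12 alphanumeric characters from the kernel CSPRNG. The original hashed
# $RANDOM (15 bits of entropy), so every password was one of 32768 values.
gen_pass() {
  tr -dc 'A-Za-z0-9' </dev/urandom | head -c 12
}

# The credential file is sensitive: make sure it is created owner-only.
umask 077
touch "$USER_FILE"

for name in "$@"; do
  if id "$name" &>/dev/null; then
    echo "$name 用户已经存在"
    continue
  fi
  # Stop here if useradd fails instead of reporting a bogus success.
  if ! useradd "$name"; then
    echo "$name 创建失败" >&2
    continue
  fi
  PASS=$(gen_pass)
  # --stdin is RHEL-specific; it keeps the password out of the process list.
  printf '%s\n' "$PASS" | passwd --stdin "$name" &>/dev/null
  echo "$name $PASS" >>"$USER_FILE"
  echo "$name 用户创建成功"
done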
sh user.sh zhangsan lisi wangwu
3、一键查看服务器利用率
1、CPU
2、内存利用率不高
3、硬盘利用率不高
4、TCP连接状态
#!/bin/bash
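function cpu() {
  # Print CPU busy (user+system) and iowait percentages.
  # vmstat's first report is the average since boot, not the current load,
  # so sample twice one second apart and use the last line (us=$13, sy=$14,
  # wa=$16 in vmstat's column layout).
  local util iowait
  read -r util iowait < <(vmstat 1 2 | awk 'END{print $13+$14, $16}')
  echo "CPU - 使用率: ${util}%,等待磁盘IO响应使用率: ${iowait}%"
}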
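function memory() {
  # Print total / used / available memory in GiB with one decimal, all from
  # a single `free -m` call so the three figures are one consistent snapshot
  # (the original ran free three times). Row 2 is "Mem:"; $NF is the last
  # column, "available" on procps-ng.
  local total used available
  read -r total used available < <(free -m | awk 'NR==2{printf "%.1f %.1f %.1f\n",$2/1024,($2-$NF)/1024,$NF/1024}')
  echo "内存 - 总大小:${total}G,已使用:${used}G,剩余:${available}G"
}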
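disk() {
  # One line per /dev-backed filesystem: mount point, size, used, use%.
  # A single `df -hT` pass replaces the original 1+4N invocations and keeps
  # all fields from the same snapshot. Column layout is
  # Filesystem Type Size Used Avail Use% Mounted, so $3 $4 $6 $NF.
  df -hT | awk '/^\/dev/{printf "硬盘 - 挂载点:%s,总大小:%s,已使用:%s,使用率:%s\n",$NF,$3,$4,$6}'
}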
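tcp_status() {
  # Count TCP sockets per state (column 6 of `netstat -anpt`). The two header
  # lines are skipped; the original tallied them as bogus states. -p needs
  # root to show owners but the state column does not depend on it.
  local summary
  summary=$(netstat -anpt 2>/dev/null | awk 'NR>2{a[$6]++}END{for(i in a)printf "%s:%d ",i,a[i]}')
  echo "TCP连接状态 - $summary"
}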
# Run every report in the order defined above.
for report in cpu memory disk tcp_status; do
  "$report"
done
4、找出占用CPU/内存过高的进程
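#!/bin/bash
# Show the ten heaviest processes by CPU, then by memory.
# ps prints one header line, so head -n 11 yields ten processes; the
# original head -n 10 showed only nine.
echo "---------- cpu top 10 ----------"
ps -eo pid,pcpu,pmem,args --sort=-pcpu | head -n 11
echo "---------- memory top 10 ----------"
ps -eo pid,pcpu,pmem,args --sort=-pmem | head -n 11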
5、查看网卡实时流量
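#!/bin/bash
# Print inbound/outbound throughput (KB/s) of one interface once per second.
# Usage: nic.sh IFACE   (e.g. nic.sh eth0)
set -u
NIC=${1:?usage: $0 IFACE}

# rx bytes ($2) and tx bytes ($10) for NIC from /proc/net/dev. The name is
# passed with -v and compared to the label field ("eth0:"), so an interface
# name that is a prefix of another (eth vs eth0) or contains regex
# metacharacters cannot match the wrong line, as the original
# interpolated pattern could.
read_counters() {
  awk -v nic="$NIC" '$1 == nic ":" {print $2, $10}' /proc/net/dev
}

printf ' In ------ Out\n'
read -r OLD_IN OLD_OUT < <(read_counters) || { echo "no such interface: $NIC" >&2; exit 1; }
while true; do
  sleep 1
  read -r NEW_IN NEW_OUT < <(read_counters) || exit 1
  # Divide in awk so the %.1f actually carries a fraction; the original did
  # integer division in bash first, so the decimal was always .0. Samples
  # roll forward, giving one reading per second instead of every two.
  awk -v i="$((NEW_IN - OLD_IN))" -v o="$((NEW_OUT - OLD_OUT))" \
    'BEGIN{printf "%.1fKB/s %.1fKB/s\n", i/1024, o/1024}'
  OLD_IN=$NEW_IN
  OLD_OUT=$NEW_OUT
done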
6、监控100台服务器磁盘利用率
[root@localhost ~]# vim host.info
192.168.1.10 root 22
192.168.1.20 root 22
192.168.1.30 root 22
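#!/bin/bash
# Report disk usage of each host in HOST_INFO ("ip user port" per line,
# lines starting with '#' ignored) and warn when any /dev filesystem is at
# or above THRESHOLD percent.
set -u
HOST_INFO=host.info
THRESHOLD=80
# Private per-run scratch file instead of the fixed, predictable /tmp/disk.tmp.
TMP_FILE=$(mktemp) || exit 1
trap 'rm -f -- "$TMP_FILE"' EXIT

# One pass over the host file; the original re-scanned it twice per host.
while read -r IP USER PORT; do
  if [ -z "$PORT" ]; then
    echo "$IP: 缺少 user/port 字段" >&2
    continue
  fi
  # BatchMode: fail rather than hang on a password prompt (keys only).
  # -n: keep ssh from consuming the host list on stdin.
  if ! ssh -n -o BatchMode=yes -o ConnectTimeout=5 -p "$PORT" "$USER@$IP" 'df -h' >"$TMP_FILE" 2>/dev/null; then
    echo "$IP ssh 连接失败" >&2
    continue
  fi
  # mountpoint=use% for each /dev-backed filesystem
  while IFS='=' read -r PART_NAME USE_RATE; do
    if [ "$USE_RATE" -ge "$THRESHOLD" ]; then
      printf ' %s \n 警告: %s 磁盘利用率达到 %s%%!\n' "$IP" "$PART_NAME" "$USE_RATE"
    else
      echo "$IP的 $PART_NAME 目录磁盘利用率正常"
    fi
  done < <(awk 'BEGIN{OFS="="}/^\/dev/{print $NF,int($5)}' "$TMP_FILE")
done < <(awk '/^[^#]/{print $1,$2,$3}' "$HOST_INFO")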
7、批量检查网站是否异常
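#!/bin/bash
# Probe each URL up to MAX_TRY times and warn when every attempt fails.
set -u
URL_LIST="www.baidu.com www.hao123.com"
MAX_TRY=3
for URL in $URL_LIST; do
  FAIL_COUNT=0
  HTTP_CODE=000
  for ((i = 1; i <= MAX_TRY; i++)); do
    # curl -w prints "000" when the connection fails, so the comparison is
    # always numeric. -m bounds the whole request; --connect-timeout alone
    # lets a stalled server hold the loop indefinitely.
    HTTP_CODE=$(curl -o /dev/null --connect-timeout 3 -m 10 -s -w "%{http_code}" "$URL")
    if [ "$HTTP_CODE" -eq 200 ]; then
      echo "$URL OK"
      break
    fi
    # Increment before printing; the original logged "retry 0" first.
    FAIL_COUNT=$((FAIL_COUNT + 1))
    echo "$URL retry $FAIL_COUNT"
  done
  if [ "$FAIL_COUNT" -eq "$MAX_TRY" ]; then
    echo "警告: $URL $HTTP_CODE 访问失败!"
  fi
done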
8、监控MySQL主从同步状态是否异常
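#!/bin/bash
# Mail an alert when either replication thread (Slave_IO_Running or
# Slave_SQL_Running) reports something other than "Yes".
set -u
HOST=localhost
USER=root
PASSWD=123456
MAIL_TO="[email protected]"
# Declared in the original but never used; kept for reference.
skiperrors=(1158 1159 1008 1007 1062)

# The original assigned to "IO_SQL-STATUS", which is not a valid variable
# name, so the loop below never ran. The password is passed through
# MYSQL_PWD instead of -p on the command line, where ps shows it to every
# local user.
IO_SQL_STATUS=$(MYSQL_PWD="$PASSWD" mysql -h"$HOST" -u"$USER" -e 'show slave status\G' 2>/dev/null \
  | awk '/Slave_.*_Running:/{print $1$2}')
if [ -z "$IO_SQL_STATUS" ]; then
  # No output means the query failed or the host is not a replica; say so
  # instead of silently reporting nothing.
  echo "无法获取 $HOST 的 slave status" >&2
  exit 1
fi

for i in $IO_SQL_STATUS; do
  THREAD_STATUS_NAME=${i%:*}
  THREAD_STATUS=${i#*:}
  # Original `["$THREAD_STATUS" !="Yes" ]` was a syntax error (no space
  # after '[' or around '!=').
  if [ "$THREAD_STATUS" != "Yes" ]; then
    echo "错误:MySQL主从复制 $THREAD_STATUS_NAME 状态是 $THREAD_STATUS! " | mail -s "Master-Slave staus" "$MAIL_TO"
  fi
done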
crontab -e
*/1 * * * * /backup.sh >/dev/null 2>&1
9、MySQL数据库备份
mysqldump工具
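#!/bin/bash
# Purpose: back up one or more MySQL databases with mysqldump, compress each
# dump with bzip2 under $datapath and log the outcome to $logpath/mysqllog.log.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/local/mysql/bin
export PATH
# database user
dbuser='dbuser'
# database password
dbpasswd='dbpasswd'
# database names; several may be given separated by spaces, e.g. "test test1 test2"
dbname='dbname'
# backup timestamp
backtime=$(date +%Y%m%d%H%M%S)
# log directory
logpath='/opt/mysqlbackup/log'
# dump directory
datapath='/opt/mysqlbackup'
mkdir -p "$logpath" "$datapath"
logfile=${logpath}/mysqllog.log

# log header (the original used curly quotes here, which made echo print them)
echo "备份时间为${backtime},备份数据库表 ${dbname} 开始" >>"$logfile"

for table in $dbname; do
  # The original ran mysqldump inside backticks, so "$?" reflected the
  # assignment rather than mysqldump, and passed -p<password> on the command
  # line where ps exposes it. Test the command directly and hand the
  # password over via MYSQL_PWD.
  if MYSQL_PWD="$dbpasswd" mysqldump -u"$dbuser" --single-transaction "$table" \
       >"${datapath}/${backtime}.sql" 2>>"$logfile"; then
    # compress to save disk space and keep only the archive; the dump is
    # removed only after tar succeeded
    if (cd "$datapath" && tar jcf "${table}${backtime}.tar.bz2" "${backtime}.sql") >/dev/null; then
      rm -f "${datapath}/${backtime}.sql"
      echo "数据库表 ${table} 备份成功!!" >>"$logfile"
    else
      echo "数据库表 ${table} 压缩失败!!" >>"$logfile"
    fi
  else
    # a failed dump leaves a truncated .sql behind; do not keep it
    rm -f "${datapath}/${backtime}.sql"
    echo "数据库表 ${table} 备份失败!!" >>"$logfile"
  fi
done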
xtrabackup工具
备份用户:backupuser
用户权限:reload,lock tables,replication client,create tablespace,process,super
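#!/bin/bash
# Rolling xtrabackup: one full backup followed by incrementals incr0..incr5,
# each based on the previous level. Once incr5 exists the set is archived
# into $redun and the cycle starts again; archives from 7 days ago are purged.
BEGINTIME=$(date +"%Y-%m-%d %H:%M:%S")
begin_epoch=$(date +%s)
format_time=$(date +"%Y-%m-%d_%H:%M:%S")
week=$(date +%Y-%m-%d)
backupbin=/usr/bin
backdir=/database/detect/backup/
redun=/database/detect/redundency/
file_cnf=/etc/my_detect.cnf
user_name=backupuser
password="backup@che123"
socket="/tmp/mysql_detect.sock"
out_log=$backdir/xtrabackup_log_$format_time
time_cost=$backdir/xtrabackup_time.txt

mkdir -p "$redun"

# A complete set (full + incr0..incr5) is archived and the directory reset.
if [ -d "$backdir/incr5" ]; then
  tar -czvf "${redun}/redundency_${week}.tar.gz" "$backdir" >/dev/null 2>&1
  # :? aborts if backdir were ever empty, so this cannot become rm -rf /*
  rm -rf "${backdir:?}"/*
  mkdir -p "$backdir"
  chown -R mysql.mysql "$backdir"
  # del backup
  DEL_UNTIL_DATE=$(date --date='7 day ago' +%Y-%m-%d)
  sleep 30
  /bin/rm -f "${redun}"/*"${DEL_UNTIL_DATE}".tar.gz >/dev/null 2>&1
fi

# Options shared by every innobackupex call.
# NOTE(review): --password on the command line is visible to every local
# user through ps; innobackupex also accepts credentials from a defaults
# file (--defaults-extra-file), which is the safer place for it.
common=(--defaults-file="$file_cnf" --no-timestamp --user="$user_name" --password="$password" --socket="$socket")

# Walk the chain and run the first level whose directory is missing. The
# original if/elif ladder ended each branch with `break;`, which is an
# error outside a loop; the ladder already stops after one branch.
prev=""
for level in full incr0 incr1 incr2 incr3 incr4 incr5; do
  if [ ! -d "$backdir/$level" ]; then
    if [ -z "$prev" ]; then
      echo "#####start full backup at $BEGINTIME to directory full" >>"$time_cost"
      "$backupbin/innobackupex" "${common[@]}" "$backdir/full" 1>"$out_log" 2>&1
    else
      n=${level#incr}
      echo "#####start $n incremental backup at $BEGINTIME to directory $level" >>"$time_cost"
      "$backupbin/innobackupex" "${common[@]}" --incremental --incremental-basedir="$backdir/$prev" "$backdir/$level" 1>"$out_log" 2>&1
    fi
    break
  fi
  prev=$level
done

# Elapsed wall-clock seconds from epoch timestamps, instead of re-parsing
# the formatted strings with date -d and expr.
spendtime=$(( $(date +%s) - begin_epoch ))
echo "it takes $spendtime sec for packing the data directory" >>"$time_cost"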
crontab -e
12 3 * * * sh /usr/local/xtrabackup.sh
10、判断网络里当前在线用户的IP
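#!/bin/bash
# List the hosts in $subnet that answer one ICMP echo; probes run in parallel.
subnet=192.168.1.0/24
netaddr=$(echo "$subnet" | cut -d. -f1-3)
for i in {1..254}; do
  {
    # -W 1 waits at most 1 s for a reply. The original used -t 1, which on
    # Linux ping sets the TTL rather than a timeout: each probe could block
    # for the default timeout and hosts beyond the first router never replied.
    if ping -c 1 -W 1 "$netaddr.$i" >/dev/null 2>&1; then
      echo "$netaddr.$i"
    fi
  } &
done
wait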
11、解决DOS攻击生产
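#!/bin/bash
# Block every remote address holding more than $n TCP/UDP sockets to this host.
set -u
ips_file=/tmp/pv_ge_100
# NOTE(review): n=1 blocks any peer with two or more sockets, which a single
# browser session exceeds; the file name suggests a threshold near 100 was
# intended. Tune before use.
n=1
# Column 5 of `netstat -an` is the foreign (remote) address. The original
# read column 4, the *local* address, and so listed the host's own IPs.
# The port is stripped with -F: (IPv6 addresses are not handled by this).
netstat -an \
  | awk '$1 ~ /^(tcp|udp)/ {print $5}' \
  | awk -F: '{print $1}' \
  | awk -v n="$n" '{s[$1]++} END {for (i in s) if (s[i]>n) print i}' \
  | grep -Ev '^(127\.0\.0\.1|0\.0\.0\.0)$' \
  >"$ips_file"
# iptables target names are case-sensitive: `-j drop` fails with
# "Couldn't load target"; it must be DROP. -I inserts at the top so an
# earlier ACCEPT (e.g. ESTABLISHED or a service port) cannot shadow it.
while IFS= read -r LINE; do
  [ -n "$LINE" ] || continue
  iptables -I INPUT -s "$LINE" -j DROP
done <"$ips_file"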
12、一键安装MySQL
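#!/bin/bash
# Build and install MySQL 5.7.31 from source on CentOS 7 (run as root).
# Fetches cmake, bison, ncurses and the MySQL boost tarball into /server/soft,
# builds them in turn, initialises the data directory and installs a
# systemd unit. set -e stops the script at the first failed step instead of
# continuing into the next build with a half-finished dependency.
set -eu
SOFT=/server/soft
PREFIX=/usr/local/mysql

mkdir -p "$SOFT"
# mariadb-libs may not be installed; that is not an error here.
rpm -e --nodeps mariadb-libs || true
yum -y upgrade
yum -y install openssl openssl-devel m4 gcc gcc-c++ ncurses ncurses-devel bison libgcrypt perl make
cd "$SOFT"

# Download $2 unless a file matching $SOFT/$1* already exists.
# The original `[ -f /server/soft/name* ]` breaks with "too many arguments"
# as soon as two files match the glob.
# NOTE(review): none of these tarballs is checksum- or signature-verified
# (two come over plain http/ftp); compare against the upstream-published
# hash before building.
fetch() {
  local prefix=$1 url=$2 label=$3
  local found
  for found in "$SOFT/$prefix"*; do
    if [ -f "$found" ]; then
      echo "${label}已下载"
      return 0
    fi
  done
  wget "$url"
}
fetch mysql-boost https://downloads.mysql.com/archives/get/p/23/file/mysql-boost-5.7.31.tar.gz mysql
fetch bison http://ftp.gnu.org/gnu/bison/bison-3.7.2.tar.gz bison
fetch ncurses ftp://ftp.gnu.org/gnu/ncurses/ncurses-6.2.tar.gz ncurses
fetch cmake https://github.com/Kitware/CMake/releases/download/v3.18.5/cmake-3.18.5.tar.gz cmake
# If the network is unreliable, comment out the fetch lines above and place the tarballs in $SOFT by hand.

# The original printed "ncurses" while building bison and vice versa.
echo "安装cmake"
cd "$SOFT" && tar zxf cmake-3.18.5.tar.gz && cd cmake-3.18.5/ && ./bootstrap && gmake && gmake install
echo "安装 bison"
cd "$SOFT" && tar zxf bison-3.7.2.tar.gz && cd bison-3.7.2/ && ./configure && make && make install
echo "安装 ncurses"
cd "$SOFT" && tar zxf ncurses-6.2.tar.gz && cd ncurses-6.2/ && ./configure && make && make install

echo "创建 mysql 用户和用户组及目录"
# idempotent: skip if the group/user already exist
getent group mysql >/dev/null || groupadd -r mysql
id mysql &>/dev/null || useradd -r -g mysql -s /bin/false -M mysql
mkdir -p "$PREFIX/data"

echo "安装 mysql"
cd "$SOFT" && tar zxf mysql-boost-5.7.31.tar.gz && cd "$SOFT/mysql-5.7.31"
# The original passed -DMYSQL_DATADIR=.../date (typo) while every other
# step uses .../data.
cmake -DCMAKE_INSTALL_PREFIX="$PREFIX" -DMYSQL_DATADIR="$PREFIX/data" -DSYSCONFDIR=/etc \
  -DDEFAULT_CHARSET=utf8 -DDEFAULT_COLLATION=utf8_general_ci -DEXTRA_CHARSETS=all \
  -DMYSQL_UNIX_ADDR=/tmp/mysql.sock -DWITH_MYISAM_STORAGE_ENGINE=1 -DWITH_INNOBASE_STORAGE_ENGINE=1 \
  -DWITH_ARCHIVE_STORAGE_ENGINE=1 -DWITH_PARTITION_STORAGE_ENGINE=1 -DWITH_SYSTEMD=1 -DWITH_BOOST=boost
make -j "$(nproc)" && make install

echo "编译完成,数据库初始化"
chown -R mysql.mysql "$PREFIX"
# Quoted heredoc: write a literal "$PATH" so it expands in each login shell;
# the original froze this script's PATH into /etc/profile. Guarded so a
# re-run does not append a duplicate line.
if ! grep -q "$PREFIX/bin" /etc/profile; then
cat >>/etc/profile <<'EOF'
export PATH=$PATH:/usr/local/mysql/bin
EOF
fi
export PATH=$PATH:$PREFIX/bin
# --initialize-insecure creates root with an empty password; set one (ALTER
# USER / mysql_secure_installation) before exposing port 3306.
mysqld --initialize-insecure --user=mysql --basedir="$PREFIX" --datadir="$PREFIX/data"
cat >/etc/my.cnf <<"EOF"
[mysqld]
user=mysql
basedir=/usr/local/mysql
datadir=/usr/local/mysql/data
socket=/tmp/mysql.sock
server_id=1
port=3306
[mysql]
socket=/tmp/mysql.sock
EOF
cp "$PREFIX/usr/lib/systemd/system/mysqld.service" /usr/lib/systemd/system/
sed -i '/^PID/,/pid$/s#/var/run/mysqld/mysqld.pid#/usr/local/mysql/data/mysqld.pid#g' /usr/lib/systemd/system/mysqld.service
systemctl daemon-reload
# The original started and then immediately restarted the service.
systemctl restart mysqld
# informational only; a missing match must not abort under set -e
netstat -anpt | grep 3306 || true
cat <<EOF
****************************************
* Mysql has been installed successfully. *
****************************************
EOF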
13、防火墙脚本(iptables)
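#!/bin/bash
# Host firewall: default-deny inbound; allow loopback, established traffic,
# the 10/8 internal range, SSH, a fixed set of service ports, the Zabbix
# server, rate-limited ICMP; SYN packets pass through a rate-limit chain.
# Rules are not persisted here (use `service iptables save` or iptables-save).
set -u
# `which` is not guaranteed to be installed; command -v is the portable lookup.
IPT=$(command -v iptables) || { echo "iptables not found" >&2; exit 1; }
# Edit before use. ZABBIX_IP keeps the page's placeholder, which iptables
# rejects until it is replaced by a real address.
ZABBIX_IP=zabbix.ip
SERVICE_PORTS=80,8087,89

# Flush rules, delete user chains, set policies. INPUT is DROP from here
# until the ACCEPT rules below are loaded, so run this over SSH with care.
"$IPT" -F
"$IPT" -X
"$IPT" -P INPUT DROP
"$IPT" -P FORWARD ACCEPT
"$IPT" -P OUTPUT ACCEPT
"$IPT" -N syn-flood
## loopback and the internal network are allowed anything
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A INPUT -m state --state NEW -s 10.0.0.0/8 -j ACCEPT
# SSH open to any source; add -s <admin range> where that is possible
"$IPT" -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# service ports, adjust as required
"$IPT" -A INPUT -p tcp -m multiport --dports "$SERVICE_PORTS" -j ACCEPT
# zabbix monitoring server
"$IPT" -A INPUT -p tcp -s "$ZABBIX_IP" -m state --state NEW -m tcp --dport 10050 -j ACCEPT
# ICMP rate limiting. The 100/s rule matches first, so the 1/s rule only
# sees what exceeds that burst; kept as in the original.
"$IPT" -A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
"$IPT" -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# SYN-flood chain. NOTE(review): placed here, the only SYNs that reach the
# jump are ones no ACCEPT above matched, and those hit the REJECT right
# after it whether syn-flood RETURNs or not - the chain does not limit SYNs
# to the allowed ports. Moving the jump above the ACCEPT rules would apply
# the 3/s limit to them (a tight limit for a busy service). Kept as is.
"$IPT" -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
"$IPT" -A INPUT -j REJECT --reject-with icmp-host-prohibited
"$IPT" -A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
"$IPT" -A syn-flood -j REJECT --reject-with icmp-port-unreachable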