当前位置：首页 > news >正文

企业linux常用服务搭建

news 2025/7/14 21:16:55

#!/bin/bash 

#判断是否是root用户

if [ "$USER" != "root" ]; then echo "不是root用户，无法进行安装操作" exit 1 fi

#关闭防火墙

systemctl stop firewalld && systemctl disable firewalld && echo "防火墙已经关闭" sed -i 's/SELINUX=*/SELINUX=disabled/g' /etc/selinux/config && setenforce 0 && echo "关闭selinux"

#安装bind服务

yum install bind bind-utils -y

#测试是否安装成功

if [ $? -eq 0 ]; then echo "bind安装成功" else echo "bind安装失败，即将退出" exit 0 fi

#!/bin/bash

#提示用户输入信息

read -p "请输入主服务器的 IP 地址: " MASTER_IP read -p "请输入从服务器的 IP 地址: " SLAVE_IP read -p "请输入域名: " DOMAIN

#提取 IP 地址的网络段

NETWORK=$(echo $MASTER_IP | cut -d '.' -f 1-3) REVERSE_NETWORK=$(echo $NETWORK | awk -F. '{print $3"."$2"."$1}')

#配置主服务器的 named.conf

cat << EOF > /etc/named.conf options { listen-on port 53 { 127.0.0.1; $MASTER_IP; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; allow-query { any; }; recursion yes; dnssec-enable yes; dnssec-validation yes; bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "$DOMAIN" IN { type master; file "$DOMAIN.zone"; allow-transfer { $SLAVE_IP; }; }; zone "$REVERSE_NETWORK.in-addr.arpa" IN { type master; file "$REVERSE_NETWORK.rev"; allow-transfer { $SLAVE_IP; }; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; EOF

#创建正向区域文件

cat << EOF > /var/named/$DOMAIN.zone $TTL 86400 @ IN SOA ns1.$DOMAIN. admin.$DOMAIN. ( $(date +%Y%m%d01) ; Serial 3600 ; Refresh 1800 ; Retry 604800 ; Expire 86400 ) ; Minimum IN NS ns1.$DOMAIN. ns1 IN A $MASTER_IP www IN A $MASTER_IP EOF

#创建反向区域文件

MASTER_LAST_OCTET=$(echo $MASTER_IP | cut -d '.' -f 4) cat << EOF > /var/named/$REVERSE_NETWORK.rev $TTL 86400 @ IN SOA ns1.$DOMAIN. admin.$DOMAIN. ( $(date +%Y%m%d01) ; Serial 3600 ; Refresh 1800 ; Retry 604800 ; Expire 86400 ) ; Minimum IN NS ns1.$DOMAIN. $MASTER_LAST_OCTET IN PTR ns1.$DOMAIN. EOF

#修改文件权限

chown named:named /var/named/$DOMAIN.zone chown named:named /var/named/$REVERSE_NETWORK.rev

#启动并设置开机自启

systemctl start named systemctl enable named

echo "主服务器配置完成！"

下图为结果图DNS测试情况：

#!/bin/bash

vsftpd虚拟用户安装配置脚本

功能：1.配置虚拟用户FTP 2.设置定时备份 3.管理用户权限

#全局变量定义

VUSER_HOME="/data/ftp"
VUSER_CONF_DIR="/etc/vsftpd/vsftpd_user_conf"
VUSER_DB="/etc/vsftpd/vsftpd_login.db"
VUSER_LIST="/etc/vsftpd/vusers.list"
SYSTEM_USER="vuser"
BACKUP_DIR="/var/ftp/pub"        # 新增备份目录
DATA_DIR="/data/ftp"             # 业务数据目录
CRON_LOG="/var/log/ftp_backup.log" # 备份日志

#函数定义

log_info() { echo -e "\033[34m[INFO] $1\033[0m"; }
log_error() { echo -e "\033[31m[ERROR] $1\033[0m"; }
check_command() { command -v $1 >/dev/null || { log_error "$1未安装，安装失败！"; exit 1; } }

#环境检查

log_info "开始环境检查..."
check_command yum
check_command db_load
mkdir -p $BACKUP_DIR $DATA_DIR   # 创建业务目录和备份目录

#安装依赖包（优化镜像源配置）

log_info "配置阿里云镜像源..."
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all >/dev/null
yum makecache fast >/dev/null

log_info "开始安装vsftpd及依赖..."
yum install -y vsftpd libdb-utils lftp cronie >/dev/null
if [ $? -ne 0 ]; then
    log_error "yum安装失败，请检查网络连接或系统状态！"
    exit 1
fi

#关闭防火墙和SELinux（优化配置）

log_info "关闭防火墙..."
systemctl stop firewalld >/dev/null
systemctl disable firewalld >/dev/null

log_info "配置SELinux..."
setenforce 0 >/dev/null
if ! grep -q "^SELINUX=disabled" /etc/selinux/config; then
    sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
fi

#创建虚拟用户（新增业务用户）

log_info "创建虚拟用户列表..."
cat > "$VUSER_LIST" <<EOF
employeeA
employeeA@123
outsourceB
outsourceB@456
backupuser
Backup@789
oppic
oppic_2025
EOF

#生成虚拟用户数据库

log_info "生成认证数据库..."
db_load -T -t hash -f "$VUSER_LIST" "$VUSER_DB" >/dev/null
if [ $? -ne 0 ]; then
    log_error "数据库生成失败，请检查$VUSER_LIST格式！"
    exit 1
fi
chmod 600 "$VUSER_DB"

#配置PAM认证

log_info "配置PAM认证..."
mv /etc/pam.d/vsftpd{,.bak} >/dev/null 2>&1
cat > /etc/pam.d/vsftpd <<EOF
#%PAM-1.0
auth required pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required pam_userdb.so db=/etc/vsftpd/vsftpd_login
EOF

#创建系统映射用户

log_info "创建虚拟用户主目录..."
mkdir -p "$VUSER_HOME"/{employeeA,outsourceB,oppic} $DATA_DIR $BACKUP_DIR
chmod 755 "$VUSER_HOME"
chown -R "$SYSTEM_USER":"$SYSTEM_USER" "$VUSER_HOME"

log_info "创建系统映射用户..."
if ! id "$SYSTEM_USER" &>/dev/null; then
    useradd -d "$VUSER_HOME" -s /sbin/nologin "$SYSTEM_USER" >/dev/null 2>&1 || {
        log_error "用户$SYSTEM_USER创建失败，请检查权限！"
        exit 1
    }
fi

#配置vsftpd主文件

log_info "配置vsftpd主文件..."
cat > /etc/vsftpd/vsftpd.conf <<EOF
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=$SYSTEM_USER
allow_writeable_chroot=YES
chroot_local_user=YES
user_config_dir=$VUSER_CONF_DIR
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=30999
EOF

#配置用户独立权限（新增权限管理）

log_info "创建用户独立配置..."
mkdir -p "$VUSER_CONF_DIR"

#员工A配置（可上传下载）

cat > "$VUSER_CONF_DIR/employeeA" <<EOF
local_root=$DATA_DIR
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
download_enable=YES
file_open_mode=0666
EOF

#外包B配置（仅上传）

cat > "$VUSER_CONF_DIR/outsourceB" <<EOF
local_root=$DATA_DIR
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
download_enable=NO
cmds_deny=RETR
EOF

#备份用户配置（只读）

cat > "$VUSER_CONF_DIR/backupuser" <<EOF
local_root=$BACKUP_DIR
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
download_enable=NO
EOF

#配置定时备份（新增备份功能）

log_info "配置自动备份系统..."
cat > /usr/local/bin/ftp_backup.sh <<'EOF'
#!/bin/bash

#备份配置

BACKUP_SRC="/var/log"
FTP_SERVER="localhost"
BACKUP_USER="backupuser"
BACKUP_PASS="Backup@789"
BACKUP_DIR="/pub"

#生成备份文件名

BACKUP_FILE="logbackup_$(date +%Y%m%d_%H%M).tgz"

#执行备份

tar czf /tmp/${BACKUP_FILE} ${BACKUP_SRC}/*.log 2>/dev/null
if [ $? -ne 0 ]; then
    echo "$(date) - 备份文件打包失败" >> /var/log/ftp_backup.log
    exit 1
fi

#上传到FTP

lftp -u ${BACKUP_USER},${BACKUP_PASS} ${FTP_SERVER} <<END
cd ${BACKUP_DIR}
put /tmp/${BACKUP_FILE}
bye
END

if [ $? -eq 0 ]; then
    echo "$(date) - 备份成功: ${BACKUP_FILE}" >> /var/log/ftp_backup.log
else
    echo "$(date) - 备份上传失败" >> /var/log/ftp_backup.log
fi

#清理临时文件

rm -f /tmp/${BACKUP_FILE}

#保留最近7天备份

find ${BACKUP_DIR} -name "logbackup_*.tgz" -mtime +7 -delete
EOF

chmod +x /usr/local/bin/ftp_backup.sh
echo "0 1 * * * root /usr/local/bin/ftp_backup.sh" > /etc/cron.d/ftp_backup

#启动服务

log_info "启动vsftpd服务..."
systemctl restart vsftpd >/dev/null 2>&1
if [ $? -ne 0 ]; then
    log_error "服务启动失败，请检查配置文件！"
    exit 1
fi
systemctl enable vsftpd >/dev/null

#验证测试

log_info "开始验证测试..."
FTP_SERVER_IP=$(hostname -I | awk '{print $1}')

#测试员工A权限

log_info "测试员工A权限..."
lftp -u employeeA,employeeA@123 ${FTP_SERVER_IP} <<END
cd /data/ftp
put /etc/hostname
get hostname /tmp/
ls
bye
END

#测试外包B权限

log_info "测试外包B权限..."
lftp -u outsourceB,outsourceB@456 ${FTP_SERVER_IP} <<END 2>&1 | grep "Access denied"
cd /data/ftp
get hostname
bye
END

#测试备份功能

log_info "执行首次备份测试..."
/usr/local/bin/ftp_backup.sh
if [ -f "${BACKUP_DIR}/logbackup_$(date +%Y%m%d)*.tgz" ]; then
    log_info "备份验证成功"
else
    log_error "备份文件未生成，请检查配置！"
fi

log_info "
=== 部署完成报告 ===
FTP服务地址: ftp://${FTP_SERVER_IP}
数据存储目录: ${DATA_DIR}
备份存储目录: ${BACKUP_DIR}

用户权限说明：

1. 员工A (employeeA/employeeA@123)
   - 可上传下载文件
   - 访问路径: /data/ftp

2. 外包B (outsourceB/outsourceB@456)
   - 仅可上传文件
   - 禁止下载操作

3. 备份用户 (backupuser/Backup@789)
   - 仅限系统自动使用

定时备份配置：

执行时间: 每天凌晨1点

备份日志: /var/log/ftp_backup.log

保留策略: 保留最近7天备份
"

#!/bin/bash

#Samba本地用户认证共享配置脚本

#使用系统本地用户+组认证

#保持DNS服务器配置

#定义变量

DOMAIN="daoyeniubi.com"              # 保持域名配置
DNS_SERVER="192.168.135.160"         # 替换为实际DNS服务器IP
SHARE_GROUPS=("manager" "market" "admin")  # 需要创建的组
SHARE_USERS=(                         # 用户配置数组
    "john:manager"
    "mike:market"
    "admin:admin"
)

#安装必要软件包

yum install -y samba samba-client policycoreutils-python-utils

#配置DNS指向

cat > /etc/resolv.conf << EOF
search $DOMAIN
nameserver $DNS_SERVER
EOF

#配置Samba主文件

cat > /etc/samba/smb.conf << EOF
[global]
    workgroup = WORKGROUP
    security = user
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw

[shared]
    path = /data/share
    valid users = @users
    writable = yes
    browseable = yes
    create mask = 0664
    directory mask = 0775

[manager]
    path = /data/manager
    valid users = @manager, @admin
    writable = yes
    browseable = yes
    create mask = 0664
    directory mask = 0775
    force group = manager

[market]
    path = /data/market
    valid users = @market, @admin
    writable = yes
    browseable = yes
    create mask = 0664
    directory mask = 0775
    force group = market
EOF

#创建系统用户和组

for group in "${SHARE_GROUPS[@]}"; do
    groupadd -f $group
done

for user_info in "${SHARE_USERS[@]}"; do
    IFS=':' read -ra user_data <<< "$user_info"
    user=${user_data[0]}
    group=${user_data[1]}
    

    useradd -M -s /sbin/nologin -G $group $user
    echo "为 $user 设置SMB密码："
    smbpasswd -a $user

done

#创建共享目录并设置权限

mkdir -p /data/{share,manager,market}
chmod 2775 /data/share /data/manager /data/market
chown :manager /data/manager
chown :market /data/market
chown :users /data/share

#配置SELinux

setsebool -P samba_export_all_rw=1
semanage fcontext -a -t samba_share_t "/data/share(/.*)?"
semanage fcontext -a -t samba_share_t "/data/manager(/.*)?"
semanage fcontext -a -t samba_share_t "/data/market(/.*)?"
restorecon -Rv /data

#防火墙配置

firewall-cmd --permanent --add-service=samba
firewall-cmd --reload

#重启服务

systemctl restart smb
systemctl enable smb

#验证命令提示

echo "配置完成！验证步骤："
echo "1. 检查共享列表: smbclient -L localhost -U%"
echo "2. 访问共享示例:"
echo "   - 经理共享: smbclient //$(hostname)/manager -U john"
echo "   - 市场共享: smbclient //$(hostname)/market -U mike"
echo "   - 管理员测试: smbclient //$(hostname)/manager -U admin"

限制smb服务器磁盘规划，规划文件文件挂载及存放

#!/bin/bash
# Samba共享自动配置与验证脚本

# 服务端配置部分
SERVER_IP=$(hostname -I | awk '{print $1}')
DOMAIN="samba.abc.com"
SHARE_USER_PASS="123456"  # 设置统一密码，生产环境建议使用更安全的方式

# 创建共享目录结构
mkdir -p /data/{manager,market}
echo "samba test." > /data/manager/sa.txt
cp /var/log/secure /data/market/

# 设置权限
chmod 2775 /data/{manager,market}
chown :manager /data/manager
chown :market /data/market
restorecon -Rv /data

# 创建系统用户和组
declare -A USER_GROUPS=(
    ["john"]="manager"
    ["mike"]="market"
    ["admin"]="admin"
)

for user in "${!USER_GROUPS[@]}"; do
    group=${USER_GROUPS[$user]}
    groupadd -f $group
    if ! id -u $user &>/dev/null; then
        useradd -M -s /sbin/nologin -G $group $user
    fi
    (echo "$SHARE_USER_PASS"; echo "$SHARE_USER_PASS") | smbpasswd -a -s $user
done

# 配置SELinux
setsebool -P samba_export_all_rw=1
semanage fcontext -a -t samba_share_t "/data/manager(/.*)?" 
semanage fcontext -a -t samba_share_t "/data/market(/.*)?"
restorecon -Rv /data

# 防火墙配置
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload

# 重启服务
systemctl restart smb
systemctl enable smb

# 客户端验证指令生成
cat <<EOF

==================== 客户端验证步骤 ====================

1. Windows客户端访问：
   资源管理器地址栏输入：
   \\\\$DOMAIN\\manager
   使用凭证：
   - john 用户：用户名 john 密码 $SHARE_USER_PASS
   - admin 用户：用户名 admin 密码 $SHARE_USER_PASS
   应能看到 sa.txt 文件

2. Linux客户端挂载：
   # 安装依赖
   sudo yum install -y cifs-utils

   # 创建挂载点
   sudo mkdir -p /opt/market

   # 临时挂载测试
   sudo mount -t cifs //$DOMAIN/market /opt/market \\
    -o username=mike,password=$SHARE_USER_PASS,uid=\$(id -u),gid=\$(id -g)

   # 查看文件
   ls -l /opt/market/secure

   # 持久化挂载(编辑/etc/fstab)：
   //$DOMAIN/market  /opt/market  cifs  credentials=/etc/samba/cred,uid=\$(id -u),gid=\$(id -g) 0 0
   创建凭据文件：
   echo -e "username=mike\\npassword=$SHARE_USER_PASS" | sudo tee /etc/samba/cred
   sudo chmod 600 /etc/samba/cred

3. 服务端状态检查：
   smbstatus
   testparm -s
EOF

samba脚本运行结果

服务器安全控制加强系统账号安全清理无用的账号，锁定长期不用的账号，锁定账号配置文件设置用户密码的过期时间为90天配置保持历史命令10条配置闲置超时时间为600秒加强系统引导和登录安全为GRUB菜单设置密码，限制更改GRUB引导参数禁止root用户从tty5、tty6登录

检测弱口令账号使用John the Ripper检查所有服务器的弱口令根据弱口令检测检测结果分别重设口令，提高口令复杂度

#!/bin/bash
# 服务器安全加固脚本 - 谨慎执行前请备份系统！

# 检查是否为root权限
if [ "$(id -u)" != "0" ]; then
  echo "错误：必须使用root权限运行此脚本！" >&2
  echo "请尝试 'sudo $0'"
  exit 1
fi

# 记录日志
LOG_FILE="/var/log/security_harden.log"
exec > >(tee -a "$LOG_FILE") 2>&1
echo "安全加固开始时间: $(date)"

#----------------------- 第一部分：系统账号安全 -----------------------
echo ">>> 正在加强系统账号安全..."

# 1. 清理无用账号（示例：删除testuser，请根据实际情况修改）
UNUSED_ACCOUNTS="testuser guest demo"  # 在此定义需删除的账户
for user in $UNUSED_ACCOUNTS; do
  if id "$user" &>/dev/null; then
    echo "正在删除账户：$user"
    userdel -r "$user" 2>/dev/null || echo "删除失败：$user"
  fi
done

# 2. 锁定长期未使用账号（示例：锁定olduser）
INACTIVE_ACCOUNTS="olduser"  # 在此定义需锁定的账户
for user in $INACTIVE_ACCOUNTS; do
  if id "$user" &>/dev/null; then
    echo "正在锁定账户：$user"
    passwd -l "$user"
  fi
done

# 3. 锁定账户配置文件
echo "锁定系统账户配置文件..."
chattr +i /etc/passwd /etc/shadow /etc/group 2>/dev/null

# 4. 设置密码过期策略
echo "配置密码过期时间为90天..."
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 1/' /etc/login.defs
awk -F: '($2 != "!") {system("chage --maxdays 90 "$1)}' /etc/shadow

# 5. 历史命令保留10条
echo "export HISTSIZE=10" >> /etc/profile
echo "export HISTFILESIZE=10" >> /etc/profile

# 6. 闲置超时600秒
echo "export TMOUT=600" >> /etc/profile
source /etc/profile

#----------------------- 第二部分：引导和登录安全 -----------------------
echo ">>> 正在配置引导和登录安全..."

# 1. 设置GRUB密码
read -rp "是否为GRUB设置密码？(y/n, 默认n): " grub_choice
if [[ $grub_choice =~ [Yy] ]]; then
  echo "请设置GRUB密码："
  grub-mkpasswd-pbkdf2 | tee /tmp/grub_hash.txt
  grub_hash=$(awk -F': ' '/hash/{print $2}' /tmp/grub_hash.txt)
  [ -n "$grub_hash" ] && {
    cat << EOF > /etc/grub.d/40_custom
set superusers="admin"
password_pbkdf2 admin $grub_hash
EOF
    update-grub 2>/dev/null || grub2-mkconfig -o /boot/grub2/grub.cfg
    echo "GRUB密码已设置！"
  }
fi

# 2. 禁止root登录tty5/tty6
sed -i '/^[^#].*tty5$/s/^/#/' /etc/securetty
sed -i '/^[^#].*tty6$/s/^/#/' /etc/securetty

#----------------------- 第三部分：弱口令检测与修复 -----------------------
echo ">>> 正在检测弱口令..."

# 1. 安装John the Ripper
if command -v apt &>/dev/null; then
  apt install -y john
elif command -v yum &>/dev/null; then
  yum install -y epel-release
  yum install -y john
fi

# 2. 检测弱口令
unshadow /etc/passwd /etc/shadow > /tmp/passwd.db
echo "正在运行弱口令检测（可能需要时间）..."
john --format=crypt /tmp/passwd.db | tee /tmp/weak_passwords.txt
echo "检测结果已保存至：/tmp/weak_passwords.txt"

# 3. 密码复杂度配置
echo "配置密码复杂度策略..."
if [ -f /etc/security/pwquality.conf ]; then
  sed -i 's/^# minlen =.*/minlen = 12/' /etc/security/pwquality.conf
  sed -i 's/^# minclass =.*/minclass = 3/' /etc/security/pwquality.conf
fi

#----------------------- 第四部分：其他安全加固 -----------------------
echo ">>> 正在执行其他安全加固..."

# 1. SSH加固
echo "配置SSH安全策略..."
sshd_config="/etc/ssh/sshd_config"
cp $sshd_config $sshd_config.bak
sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' $sshd_config
sed -i 's/^PasswordAuthentication.*/PasswordAuthentication no/' $sshd_config
systemctl restart sshd

# 2. 防火墙配置
if command -v ufw &>/dev/null; then
  ufw enable
elif command -v firewall-cmd &>/dev/null; then
  systemctl start firewalld
  firewall-cmd --reload
fi

# 3. 系统更新
echo "正在更新系统..."
if command -v apt &>/dev/null; then
  apt update && apt upgrade -y
elif command -v yum &>/dev/null; then
  yum update -y
fi

#----------------------- 完成提示 -----------------------
echo "安全加固已完成！请执行以下操作验证："
echo "1. 重启服务器检查GRUB密码是否生效"
echo "2. 检查/etc/securetty是否已禁用tty5/tty6"
echo "3. 检查弱口令检测结果并手动重置密码：/tmp/weak_passwords.txt"
echo "4. 测试SSH密钥登录是否正常"
echo "详细日志请查看：$LOG_FILE"

查看全文

http://www.dtcms.com/a/108050.html