\u6700\u8fd1\u4e91\u5382\u5bb6\u63d0\u4f9b\u7684\u865a\u62df\u673a\u662f\u94f6\u6cb3\u9e92\u9e9fv10\u7cfb\u7edf\uff0c\u5728\u67e5\u770b \u67e5\u770b\u7cfb\u7edf\u65e5\u5fd7 \u94f6\u6cb3\u9e92\u9e9fv10\u7cfb\u7edf\u4e2d\uff0cPAM\u8ba4\u8bc1\u6a21\u5757\u5df2\u7ecf\u4ece \u4f7f\u7528 \u91cd\u8981\u63d0\u793a<\/strong>\uff1ased\u7684 \u6700\u7ec8\u914d\u7f6e\u6587\u4ef6\u4e2d\u7684\u987a\u5e8f\u5e94\u8be5\u662f\uff1a \u94f6\u6cb3\u9e92\u9e9fv10 PAM\u914d\u7f6e \u524d\u8a00 \u6700\u8fd1\u4e91\u5382\u5bb6\u63d0\u4f9b\u7684\u865a\u62df\u673a\u662f\u94f6\u6cb3\u9e92\u9e9fv10\u7cfb\u7edf\uff0c\u5728\u67e5\u770b \/var\/log\/sec […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[260],"tags":[581,460],"class_list":["post-3500","post","type-post","status-publish","format-standard","hentry","category-linux","tag-pam","tag-v10"],"_links":{"self":[{"href":"https:\/\/199604.com\/wp-json\/wp\/v2\/posts\/3500","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/199604.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/199604.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/199604.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/199604.com\/wp-json\/wp\/v2\/comments?post=3500"}],"version-history":[{"count":2,"href":"https:\/\/199604.com\/wp-json\/wp\/v2\/posts\/3500\/revisions"}],"predecessor-version":[{"id":3503,"href":"https:\/\/199604.com\/wp-json\/wp\/v2\/posts\/3500\/revisions\/3503"}],"wp:attachment":[{"href":"https:\/\/199604.com\/wp-json\/wp\/v2\/media?parent=3500"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/199604.com\/wp-json\/wp\/v2\/categories?post=3500"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/199604.com\/wp-json\/wp\/v2\/tags?post=3500"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\/var\/log\/secure<\/code> \u65e5\u5fd7\u65f6\uff0c\u53d1\u73b0\u7cfb\u7edf\u62a5\u9519\u63d0\u793a\u627e\u4e0d\u5230 pam_tally2.so<\/code> \u6a21\u5757\u3002<\/p>\n\u95ee\u9898\u73b0\u8c61<\/h2>\n
\/var\/log\/secure<\/code>\uff0c\u53d1\u73b0\u5982\u4e0b\u62a5\u9519\u4fe1\u606f\uff1a<\/p>\nMar 24 16:14:53 localhost login[4060]: PAM unable to dlopen(\/usr\/lib64\/security\/pam_tally2.so): \/usr\/lib64\/security\/pam_tally2.so: cannot open shared object fil\ne: No such file or directory\nMar 24 16:14:53 localhost login[4060]: PAM adding faulty module: \/usr\/lib64\/security\/pam_tally2.so\nMar 24 16:14:53 localhost login[4060]: PAM unable to dlopen(\/usr\/lib64\/security\/pam_cracklib.so): \/usr\/lib64\/security\/pam_cracklib.so: cannot open shared object\n file: No such file or directory\nMar 24 16:14:53 localhost login[4060]: PAM adding faulty module: \/usr\/lib64\/security\/pam_cracklib.so\nMar 24 16:14:56 localhost login[4060]: pam_unix(login:session): session opened for user root(uid=0) by LOGIN(uid=0)\nMar 24 16:14:56 localhost login[4060]: ROOT LOGIN ON tty1\nApr 15 11:17:48 localhost polkitd[976]: Loading rules from directory \/etc\/polkit-1\/rules.d\nApr 15 11:17:48 localhost polkitd[976]: Loading rules from directory \/usr\/share\/polkit-1\/rules.d\nApr 15 11:17:48 localhost polkitd[976]: Finished loading, compiling and executing 7 rules\nApr 15 11:17:48 localhost polkitd[976]: Acquired the name org.freedesktop.PolicyKit1 on the system bus\nApr 15 11:18:00 localhost login[1543]: PAM unable to dlopen(\/usr\/lib64\/security\/pam_tally2.so): \/usr\/lib64\/security\/pam_tally2.so: cannot open shared object fil\ne: No such file or directory\nApr 15 11:18:00 localhost login[1543]: PAM adding faulty module: \/usr\/lib64\/security\/pam_tally2.so\nApr 15 11:18:00 localhost login[1543]: PAM unable to dlopen(\/usr\/lib64\/security\/pam_cracklib.so): \/usr\/lib64\/security\/pam_cracklib.so: cannot open shared object\n file: No such file or directory\n<\/code><\/pre>\n\u95ee\u9898\u539f\u56e0<\/h2>\n
pam_tally2<\/code> \u5347\u7ea7\u4e3a pam_faillock<\/code>\uff0c\u4f46\u7cfb\u7edf\u914d\u7f6e\u6587\u4ef6\u4e2d\u4ecd\u7136\u5f15\u7528\u4e86\u65e7\u7684 pam_tally2.so<\/code> \u6a21\u5757\uff0c\u5bfc\u81f4\u65e0\u6cd5\u52a0\u8f7d\u3002<\/p>\n\u89e3\u51b3\u65b9\u6848<\/h2>\n
\u65b9\u6848\u8bf4\u660e<\/h3>\n
pam_faillock<\/code> \u66ff\u4ee3 pam_tally2<\/code> \u8fdb\u884cPAM\u8ba4\u8bc1\u914d\u7f6e\u3002<\/p>\n\u914d\u7f6e\u53c2\u6570\u8bf4\u660e<\/h3>\n
\n
deny=5<\/code>\uff1a\u5141\u8bb8\u5931\u8d25\u6b21\u6570\u4e3a5\u6b21<\/li>\nunlock_time=600<\/code>\uff1a\u9501\u5b9a\u65f6\u95f4\u4e3a600\u79d2\uff0810\u5206\u949f\uff09<\/li>\nfail_interval=900<\/code>\uff1a\u5931\u8d25\u8ba1\u6570\u65f6\u95f4\u7a97\u53e3\u4e3a900\u79d2\uff0815\u5206\u949f\uff09<\/li>\naudit<\/code>\uff1a\u8bb0\u5f55\u5ba1\u8ba1\u65e5\u5fd7<\/li>\nsilent<\/code>\uff1a\u9759\u9ed8\u6a21\u5f0f\uff0c\u4e0d\u663e\u793a\u63d0\u793a\u4fe1\u606f<\/li>\n<\/ul>\n\u914d\u7f6e\u6b65\u9aa4<\/h3>\n
1. \u6e05\u7406\u65e7\u7684faillock\u914d\u7f6e<\/h4>\n
# \u6ce8\u91ca\u6389\u65e7\u7684faillock\u914d\u7f6e\uff08\u5982\u679c\u5b58\u5728\uff09\nsed -i -c 's|^\\(auth.*pam_faillock.so.*\\)|#\\1|' \/etc\/pam.d\/system-auth\nsed -i -c 's|^\\(auth.*pam_faillock.so.*\\)|#\\1|' \/etc\/pam.d\/password-auth\n<\/code><\/pre>\n2. \u914d\u7f6esystem-auth\u6587\u4ef6<\/h4>\n
# \u5728pam_env.so\u540e\u6dfb\u52a0preauth\u914d\u7f6e\nsed -i -c '\/^auth.*pam_env.so\/a auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600 fail_interval=900' \/etc\/pam.d\/system-auth\n\n# \u5728pam_unix.so\u540e\u6dfb\u52a0authfail\u914d\u7f6e\nsed -i -c '\/^auth.*pam_unix.so\/a auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600 fail_interval=900' \/etc\/pam.d\/system-auth\n\n# \u5728pam_unix.so\u540e\u6dfb\u52a0authsucc\u914d\u7f6e\nsed -i -c '\/^auth.*pam_unix.so\/a auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=600 fail_interval=900' \/etc\/pam.d\/system-auth\n<\/code><\/pre>\n3. \u914d\u7f6epassword-auth\u6587\u4ef6<\/h4>\n
# \u5728pam_env.so\u540e\u6dfb\u52a0preauth\u914d\u7f6e\nsed -i -c '\/^auth.*pam_env.so\/a auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600 fail_interval=900' \/etc\/pam.d\/password-auth\n\n# \u5728pam_unix.so\u540e\u6dfb\u52a0authfail\u914d\u7f6e\nsed -i -c '\/^auth.*pam_unix.so\/a auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600 fail_interval=900' \/etc\/pam.d\/password-auth\n\n# \u5728pam_unix.so\u540e\u6dfb\u52a0authsucc\u914d\u7f6e\nsed -i -c '\/^auth.*pam_unix.so\/a auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=600 fail_interval=900' \/etc\/pam.d\/password-auth\n<\/code><\/pre>\n\u914d\u7f6e\u987a\u5e8f\u8bf4\u660e<\/h3>\n
a<\/code> \u547d\u4ee4\u662f\u5728\u5339\u914d\u884c\u540e\u8ffd\u52a0\uff0c\u56e0\u6b64\u9700\u8981\u5012\u5e8f\u6267\u884c\u624d\u80fd\u4fdd\u8bc1\u6700\u7ec8\u987a\u5e8f\u6b63\u786e\u3002<\/p>\n
\n1. preauth<\/code> – \u8ba4\u8bc1\u524d\u68c0\u67e5
\n2. pam_unix.so<\/code> – Unix\u8ba4\u8bc1
\n3. authfail<\/code> – \u8ba4\u8bc1\u5931\u8d25\u5904\u7406
\n4. authsucc<\/code> – \u8ba4\u8bc1\u6210\u529f\u5904\u7406<\/p>\n\u9a8c\u8bc1\u914d\u7f6e<\/h2>\n
1. \u67e5\u770b\u914d\u7f6e\u6587\u4ef6<\/h3>\n
# \u67e5\u770bsystem-auth\u914d\u7f6e\ncat \/etc\/pam.d\/system-auth | grep faillock\n\n# \u67e5\u770bpassword-auth\u914d\u7f6e\ncat \/etc\/pam.d\/password-auth | grep faillock\n<\/code><\/pre>\n2. \u6d4b\u8bd5\u5931\u8d25\u9501\u5b9a<\/h3>\n
# \u6545\u610f\u8f93\u5165\u9519\u8bef\u5bc6\u78015\u6b21\u540e\uff0c\u8d26\u6237\u5e94\u8be5\u88ab\u9501\u5b9a\nssh user@hostname\n\n# \u67e5\u770b\u5931\u8d25\u8bb0\u5f55\nfaillock --user username\n\n# \u624b\u52a8\u89e3\u9501\u7528\u6237\uff08\u5982\u9700\u8981\uff09\nfaillock --user username --reset\n<\/code><\/pre>\n3. \u67e5\u770b\u65e5\u5fd7<\/h3>\n
# \u67e5\u770b\u8ba4\u8bc1\u65e5\u5fd7\uff0c\u786e\u8ba4\u4e0d\u518d\u6709pam_tally2\u76f8\u5173\u9519\u8bef\ntail -f \/var\/log\/secure\n<\/code><\/pre>\n\u5e38\u7528\u7ba1\u7406\u547d\u4ee4<\/h2>\n
# \u67e5\u770b\u6307\u5b9a\u7528\u6237\u7684\u5931\u8d25\u767b\u5f55\u8bb0\u5f55\nfaillock --user username\n\n# \u91cd\u7f6e\u6307\u5b9a\u7528\u6237\u7684\u5931\u8d25\u8ba1\u6570\nfaillock --user username --reset\n\n# \u67e5\u770b\u6240\u6709\u7528\u6237\u7684\u5931\u8d25\u8bb0\u5f55\nfaillock\n<\/code><\/pre>\n\u6ce8\u610f\u4e8b\u9879<\/h2>\n
\n
pam_tally2<\/code>\uff0c\u5fc5\u987b\u4f7f\u7528 pam_faillock<\/code><\/li>\n\u4e0b\u9762\u662f\u6211\u8fd9\u8fb9\u7684\u57fa\u7ebf\u811a\u672c\uff08\u67d0\u4e9b\u5730\u65b9\u5df2\u8131\u654f\uff09<\/h1>\n
#!\/bin\/bash\n# **********************************************************\n# Version: 1.0.1\n# Update: 2026-02-06\n# Desc: Rocky Linux 8 and Kylin Linux Advanced Server V10 \u5b89\u5168\u52a0\u56fa\u811a\u672c\n# \u529f\u80fd\uff1a\u7cfb\u7edf\u4f18\u5316\u3001\u7528\u6237\u5b89\u5168\u3001SSH\u52a0\u56fa\u3001\u65e5\u5fd7\u7ba1\u7406\u3001\u9632\u706b\u5899\u914d\u7f6e\u7b49\n# \u652f\u6301\uff1a\u4ea4\u4e92\u5f0f\u83dc\u5355\u9009\u62e9\u6267\u884c\u6a21\u5757\n# **********************************************************\n\n# ------------------------------\n# \u5e38\u91cf\u58f0\u660e\n# ------------------------------\nreadonly EXIST_CODE_NORMAL=0\nreadonly EXIST_CODE_OTHER=1\nreadonly EXIST_CODE_WITHOUT_PERMISSION=2\nreadonly LOG_LEVEL_INFO='INFO'\nreadonly LOG_LEVEL_ERROR='ERROR'\n\n# ------------------------------\n# \u65e5\u5fd7\u51fd\u6570\n# ------------------------------\nlog() {\n local now=$(date '+%Y-%m-%d %H:%M:%S')\n printf '[%s][%s]: %s\\n' \"$now\" \"$1\" \"$2\"\n}\n\n# ------------------------------\n# \u6743\u9650\u68c0\u67e5\n# ------------------------------\nif [ \"$EUID\" -ne 0 ]; then\n log $LOG_LEVEL_ERROR \"\u8bf7\u4ee5root\u6743\u9650\u8fd0\u884c\u811a\u672c\uff01\"\n exit $EXIST_CODE_WITHOUT_PERMISSION\nfi\n\n# ------------------------------\n# \u5168\u5c40\u53d8\u91cf\n# ------------------------------\ndatenow=$(date +%Y%m%d%H%M%S)\n\n# ------------------------------\n# \u6a21\u5757\u51fd\u6570\u5b9a\u4e49\n# ------------------------------\n\n# \u6a21\u57571: \u914d\u7f6e\u79bb\u7ebfYUM\u6e90\nconfigure_yum_repo() {\n log $LOG_LEVEL_INFO \"===== \u5f00\u59cb\u6267\u884c: \u914d\u7f6e\u79bb\u7ebfYUM\u6e90 =====\"\n\n # \u68c0\u67e5\u662f\u5426\u5df2\u5b58\u5728\u79bb\u7ebf\u6e90\u914d\u7f6e\u6587\u4ef6\uff08\u6839\u636e\u7cfb\u7edf\u7c7b\u578b\u5224\u65ad\uff09\n if [ -f \/etc\/yum.repos.d\/rocky8-local.repo ] || [ -f \/etc\/yum.repos.d\/kylin10-local.repo ]; then\n log $LOG_LEVEL_INFO \"\u68c0\u6d4b\u5230\u5df2\u5b58\u5728\u79bb\u7ebfYUM\u6e90\u914d\u7f6e\u6587\u4ef6\uff0c\u8df3\u8fc7YUM\u6e90\u914d\u7f6e...\"\n return 0\n fi\n\n if [ -f \/etc\/os-release ]; then\n . \/etc\/os-release\n\n if [[ $ID == \"rocky\" ]]; then\n log $LOG_LEVEL_INFO \"\u68c0\u6d4b\u5230Rocky Linux 8\u7cfb\u7edf,\u914d\u7f6e\u79bb\u7ebf\u6e90...\"\n mkdir -p \/etc\/yum.repos.d\/backup\n mv \/etc\/yum.repos.d\/*.repo \/etc\/yum.repos.d\/backup\/ 2>\/dev\/null\n cat > \/etc\/yum.repos.d\/rocky8-local.repo <<'EOF'\n[rocky8-baseos]\nname=Rocky Linux 8 - BaseOS\nbaseurl=ftp:\/\/10.194.106.166:221\/Rocky-8.10-x86_64-dvd\/BaseOS\nenabled=1\ngpgcheck=0\n\n[rocky8-appstream]\nname=Rocky Linux 8 - AppStream\nbaseurl=ftp:\/\/10.194.106.166:221\/Rocky-8.10-x86_64-dvd\/AppStream\nenabled=1\ngpgcheck=0\nEOF\n\n elif [[ $ID == \"kylin\" ]]; then\n log $LOG_LEVEL_INFO \"\u68c0\u6d4b\u5230\u9e92\u9e9fV10\u7cfb\u7edf\uff0c\u914d\u7f6e\u79bb\u7ebf\u6e90...\"\n\n # \u68c0\u6d4b\u7cfb\u7edf\u67b6\u6784\n arch=$(uname -m)\n log $LOG_LEVEL_INFO \"\u68c0\u6d4b\u5230\u7cfb\u7edf\u67b6\u6784: $arch\"\n\n # \u6839\u636e\u67b6\u6784\u786e\u5b9aISO\u6587\u4ef6\u540d\n if [[ $arch == \"x86_64\" ]]; then\n iso_file=\"\/root\/Kylin-Server-V10-SP3-2403-Release-20240426-x86_64.iso\"\n log $LOG_LEVEL_INFO \"\u4f7f\u7528AMD64\u67b6\u6784ISO: $iso_file\"\n elif [[ $arch == \"aarch64\" ]]; then\n iso_file=\"\/root\/Kylin-Server-V10-SP3-2403-Release-20240426-arm64.iso\"\n log $LOG_LEVEL_INFO \"\u4f7f\u7528ARM64\u67b6\u6784ISO: $iso_file\"\n else\n log $LOG_LEVEL_ERROR \"\u4e0d\u652f\u6301\u7684\u67b6\u6784: $arch\"\n return 1\n fi\n\n # \u68c0\u67e5ISO\u6587\u4ef6\u662f\u5426\u5b58\u5728\n if [ ! -f \"$iso_file\" ]; then\n log $LOG_LEVEL_ERROR \"ISO\u6587\u4ef6\u4e0d\u5b58\u5728: $iso_file\"\n log $LOG_LEVEL_ERROR \"\u8bf7\u5c06ISO\u6587\u4ef6\u653e\u7f6e\u5230 \/root\/ \u76ee\u5f55\"\n return 1\n fi\n\n # \u521b\u5efa\u6302\u8f7d\u70b9\n mkdir -p \/mnt\/kylinv10\n\n # \u68c0\u67e5\u662f\u5426\u5df2\u7ecf\u6302\u8f7d\n if mount | grep -q \"\/mnt\/kylinv10\"; then\n log $LOG_LEVEL_INFO \"\/mnt\/kylinv10 \u5df2\u6302\u8f7d\uff0c\u8df3\u8fc7\u6302\u8f7d\u64cd\u4f5c\"\n else\n # \u6302\u8f7dISO\n log $LOG_LEVEL_INFO \"\u6302\u8f7dISO\u5230 \/mnt\/kylinv10...\"\n mount -o loop \"$iso_file\" \/mnt\/kylinv10\n if [ $? -ne 0 ]; then\n log $LOG_LEVEL_ERROR \"ISO\u6302\u8f7d\u5931\u8d25\uff01\"\n return 1\n fi\n log $LOG_LEVEL_INFO \"ISO\u6302\u8f7d\u6210\u529f\"\n fi\n\n # \u914d\u7f6e\u5f00\u673a\u81ea\u52a8\u6302\u8f7d\n if ! grep -q \"\/mnt\/kylinv10\" \/etc\/fstab; then\n echo \"$iso_file \/mnt\/kylinv10 iso9660 loop 0 0\" >> \/etc\/fstab\n log $LOG_LEVEL_INFO \"\u5df2\u6dfb\u52a0\u5230 \/etc\/fstab \u5b9e\u73b0\u5f00\u673a\u81ea\u52a8\u6302\u8f7d\"\n fi\n\n # \u5907\u4efd\u5e76\u914d\u7f6eYUM\u6e90\n mkdir -p \/etc\/yum.repos.d\/backup\n mv \/etc\/yum.repos.d\/*.repo \/etc\/yum.repos.d\/backup\/ 2>\/dev\/null\n\n cat > \/etc\/yum.repos.d\/kylin10-local.repo <<'EOF'\n[kylin10-local-repo]\nname=Kylin Linux Advanced Server V10 Local Repo\nbaseurl=file:\/\/\/mnt\/kylinv10\nenabled=1\ngpgcheck=0\nEOF\n log $LOG_LEVEL_INFO \"\u9e92\u9e9fV10\u672c\u5730YUM\u6e90\u914d\u7f6e\u5b8c\u6210\"\n\n\n else\n log $LOG_LEVEL_ERROR \"\u4e0d\u652f\u6301\u7684\u7cfb\u7edf\u7c7b\u578b: $ID\uff01\"\n return 1\n fi\n else\n log $LOG_LEVEL_ERROR \"\u672a\u68c0\u6d4b\u5230\u7cfb\u7edf\u4fe1\u606f\uff01\"\n return 1\n fi\n\n # \u6e05\u7406\u5e76\u91cd\u5efa\u7f13\u5b58\n log $LOG_LEVEL_INFO \"\u6e05\u7406\u5e76\u91cd\u5efaYUM\u7f13\u5b58...\"\n yum clean all && yum makecache\n\n log $LOG_LEVEL_INFO \"===== \u5b8c\u6210: \u914d\u7f6e\u79bb\u7ebfYUM\u6e90 =====\"\n}\n\n# \u6a21\u57572: \u5b89\u88c5\u57fa\u7840\u5de5\u5177\ninstall_basic_tools() {\n log $LOG_LEVEL_INFO \"===== \u5f00\u59cb\u6267\u884c: \u5b89\u88c5\u57fa\u7840\u5de5\u5177 =====\"\n yum install -y wget curl vim net-tools lsof bash-completion gcc make cmake unzip zip telnet sysstat iotop fontconfig\n if [ $? -eq 0 ]; then\n log $LOG_LEVEL_INFO \"\u57fa\u7840\u5de5\u5177\u5b89\u88c5\u6210\u529f\"\n else\n log $LOG_LEVEL_ERROR \"\u57fa\u7840\u5de5\u5177\u5b89\u88c5\u5931\u8d25\uff01\"\n return 1\n fi\n log $LOG_LEVEL_INFO \"===== \u5b8c\u6210: \u5b89\u88c5\u57fa\u7840\u5de5\u5177 =====\"\n}\n\n# \u6a21\u57573: \u7cfb\u7edf\u57fa\u7840\u914d\u7f6e\nconfigure_system_basic() {\n log $LOG_LEVEL_INFO \"===== \u5f00\u59cb\u6267\u884c: \u7cfb\u7edf\u57fa\u7840\u914d\u7f6e =====\"\n\n # \u8bbe\u7f6e\u505c\u6389\u684c\u9762\n log $LOG_LEVEL_INFO \"\u8bbe\u7f6e\u505c\u6389\u684c\u9762...\"\n current_target=$(systemctl get-default)\n if [[ \"$current_target\" != \"multi-user.target\" ]]; then\n systemctl set-default multi-user.target\n log $LOG_LEVEL_INFO \"\u5df2\u8bbe\u7f6e\u9ed8\u8ba4\u8fd0\u884c\u7ea7\u522b\u4e3a: multi-user.target\"\n else\n log $LOG_LEVEL_INFO \"\u9ed8\u8ba4\u8fd0\u884c\u7ea7\u522b\u5df2\u662f: $current_target\uff0c\u8df3\u8fc7\u8bbe\u7f6e\"\n fi\n\n # \u68c0\u67e5rc.local\u53ef\u6267\u884c\u6743\u9650\n log $LOG_LEVEL_INFO \"\u68c0\u67e5\/etc\/rc.d\/rc.local\u662f\u5426\u53ef\u6267\u884c...\"\n if [ -f \/etc\/rc.d\/rc.local ] && [ ! -x \/etc\/rc.d\/rc.local ]; then\n chmod +x \/etc\/rc.d\/rc.local\n log $LOG_LEVEL_INFO \"\/etc\/rc.d\/rc.local \u5df2\u6dfb\u52a0\u53ef\u6267\u884c\u6743\u9650\"\n fi\n\n # \u6839\u636eIP\u8bbe\u7f6eHostname\n log $LOG_LEVEL_INFO \"\u6839\u636eIP\u8bbe\u7f6eHostname...\"\n ip_addr=$(ip addr show | grep -E 'inet.*brd' | grep -v '127.0.0.1' | awk '{print $2}' | cut -d '\/' -f1 | head -n 1)\n if [ -n \"$ip_addr\" ]; then\n ip_last_octet=$(echo \"$ip_addr\" | awk -F '.' '{print $4}')\n target_hostname=\"host${ip_last_octet}\"\n hostnamectl set-hostname \"$target_hostname\"\n echo \"$target_hostname\" > \/etc\/hostname\n log $LOG_LEVEL_INFO \"\u5df2\u5c06\u4e3b\u673a\u540d\u8bbe\u7f6e\u4e3a: $target_hostname\"\n fi\n\n # \u7981\u6b62Ctrl+Alt+Del\u70ed\u952e\u91cd\u542f\n log $LOG_LEVEL_INFO \"\u7981\u6b62 Ctrl+Alt+Del \u70ed\u952e\u91cd\u542f...\"\n systemctl mask ctrl-alt-del.target\n\n log $LOG_LEVEL_INFO \"===== \u5b8c\u6210: \u7cfb\u7edf\u57fa\u7840\u914d\u7f6e =====\"\n}\n\n# \u6a21\u57574: \u7cfb\u7edf\u5b89\u5168\u4f18\u5316\nconfigure_system_security() {\n log $LOG_LEVEL_INFO \"===== \u5f00\u59cb\u6267\u884c: \u7cfb\u7edf\u5b89\u5168\u4f18\u5316 =====\"\n\n # \u7981\u7528SELinux\n log $LOG_LEVEL_INFO \"\u7981\u7528SELinux...\"\n cp \/etc\/selinux\/config \/etc\/selinux\/config.bak.$datenow 2>\/dev\/null\n sed -i -c 's\/SELINUX=enforcing\/SELINUX=disabled\/' \/etc\/selinux\/config\n setenforce 0 2>\/dev\/null\n log $LOG_LEVEL_INFO \"\u5f53\u524dSELinux\u72b6\u6001: $(getenforce)\"\n\n # \u8bbe\u7f6eSSH\u8d85\u65f6\u65f6\u95f4\n log $LOG_LEVEL_INFO \"\u8bbe\u7f6eSSH\u8d85\u65f6\u65f6\u95f4\uff085\u5206\u949f\uff09...\"\n if ! grep -q \"export TMOUT=300\" \/etc\/profile; then\n cp \/etc\/profile \/etc\/profile.bak.$datenow\n echo \"export TMOUT=300\" >> \/etc\/profile\n fi\n\n # \u8c03\u6574\u6700\u5927\u6587\u4ef6\u6253\u5f00\u6570\n log $LOG_LEVEL_INFO \"\u8c03\u6574\u6700\u5927\u6587\u4ef6\u6253\u5f00\u6570...\"\n if ! grep -q \"soft nofile 65535\" \/etc\/security\/limits.conf; then\n cp \/etc\/security\/limits.conf \/etc\/security\/limits.conf.bak.$datenow\n cat >> \/etc\/security\/limits.conf <<'EOF'\n* soft nofile 65535\n* hard nofile 65535\n* soft nproc 65565\n* hard nproc 65565\nEOF\n fi\n\n # \u914d\u7f6e\u65f6\u95f4\u540c\u6b65\n log $LOG_LEVEL_INFO \"\u8bbe\u7f6e\u65f6\u533a\u5e76\u914d\u7f6e\u65f6\u95f4\u540c\u6b65...\"\n ln -sf \/usr\/share\/zoneinfo\/Asia\/Shanghai \/etc\/localtime\n yum install -y chrony\n cp \/etc\/chrony.conf \/etc\/chrony.conf.bak.$datenow 2>\/dev\/null\n sed -i -c \"\/^pool.*pool.ntp.org.*\/s\/^\/#\/\" \/etc\/chrony.conf\n sed -i -c \"\/^#pool\/a pool 10.196.68.160 iburst\" \/etc\/chrony.conf\n sed -i -c \"\/^#pool\/a pool 10.202.125.129 iburst\" \/etc\/chrony.conf\n systemctl enable chronyd && systemctl restart chronyd\n chronyc -a makestep\n\n\n log $LOG_LEVEL_INFO \"===== \u5b8c\u6210: \u7cfb\u7edf\u5b89\u5168\u4f18\u5316 =====\"\n}\n\n# \u6a21\u57575: \u7528\u6237\u4e0e\u8ba4\u8bc1\u5b89\u5168\nconfigure_user_security() {\n log $LOG_LEVEL_INFO \"===== \u5f00\u59cb\u6267\u884c: \u7528\u6237\u4e0e\u8ba4\u8bc1\u5b89\u5168 =====\"\n\n # \u914d\u7f6e\u5bc6\u7801\u7b56\u7565\n log $LOG_LEVEL_INFO \"\u914d\u7f6e\u5bc6\u7801\u7b56\u7565...\"\n cp \/etc\/login.defs \/etc\/login.defs.bak.$datenow 2>\/dev\/null\n sed -i -c 's\/^PASS_MAX_DAYS.*\/PASS_MAX_DAYS 89\/' \/etc\/login.defs\n sed -i -c 's\/^PASS_MIN_DAYS.*\/PASS_MIN_DAYS 1\/' \/etc\/login.defs\n sed -i -c 's\/^PASS_WARN_AGE.*\/PASS_WARN_AGE 28\/' \/etc\/login.defs\n sed -i -c 's\/^PASS_MIN_LEN.*\/PASS_MIN_LEN 8\/' \/etc\/login.defs\n if ! grep -q \"LOGIN_RETRIES\" \/etc\/login.defs; then\n echo -e \"LOGIN_RETRIES 5\\nLOGIN_TIMEOUT 60\" >> \/etc\/login.defs\n fi\n\n # \u914d\u7f6ePAM\u8ba4\u8bc1\n log $LOG_LEVEL_INFO \"\u914d\u7f6ePAM\u8ba4\u8bc1...\"\n cp -a \/etc\/pam.d\/system-auth \/etc\/pam.d\/system-auth.bak.$datenow 2>\/dev\/null\n cp -a \/etc\/pam.d\/password-auth \/etc\/pam.d\/password-auth.bak.$datenow 2>\/dev\/null\n\n\n # auth requisite pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60\n # auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60\n # auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60\n # \u5404\u53c2\u6570\u542b\u4e49\uff1a\n # deny=3: \u5141\u8bb8\u5931\u8d25\u5c1d\u8bd5\u7684\u6700\u5927\u6b21\u6570\uff083\u6b21\uff0c\u9ad8\u5b89\u5168\uff09\n # even_deny_root: root\u8d26\u6237\u4e5f\u53d7\u9650\u5236\uff0c\u9632\u6b62\u66b4\u529b\u7834\u89e3\n # unlock_time=600: \u8d26\u6237\u9501\u5b9a\u65f6\u95f4\uff08600\u79d2 = 10\u5206\u949f\uff09\n # fail_interval=900: \u5931\u8d25\u5c1d\u8bd5\u7684\u7edf\u8ba1\u65f6\u95f4\u7a97\u53e3\uff08900\u79d2 = 15\u5206\u949f\uff09\n # \u89e3\u9501\u65b9\u6cd5\uff1afaillock --user \u7528\u6237\u540d --reset\n\n # \u914d\u7f6efaillock\n # \u5148\u6ce8\u91ca\u6389\u65e7\u7684faillock\u914d\u7f6e\uff08\u5982\u679c\u5b58\u5728\uff09\n sed -i -c 's|^\\(auth.*pam_faillock.so.*\\)|#\\1|' \/etc\/pam.d\/system-auth\n sed -i -c 's|^\\(auth.*pam_faillock.so.*\\)|#\\1|' \/etc\/pam.d\/password-auth\n\n # \u8ffd\u52a0\u65b0\u7684faillock\u914d\u7f6e\uff08\u6ce8\u610f\u987a\u5e8f\uff1a\u5148\u8ffd\u52a0authsucc\uff0c\u518d\u8ffd\u52a0authfail\uff0c\u6700\u540e\u8ffd\u52a0preauth\uff09\n # \u56e0\u4e3ased\u7684a\u547d\u4ee4\u662f\u5728\u5339\u914d\u884c\u540e\u8ffd\u52a0\uff0c\u6240\u4ee5\u5012\u5e8f\u6267\u884c\u624d\u80fd\u4fdd\u8bc1\u6700\u7ec8\u987a\u5e8f\u6b63\u786e\n sed -i -c '\/^auth.*pam_env.so\/a auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600 fail_interval=900' \/etc\/pam.d\/system-auth\n sed -i -c '\/^auth.*pam_unix.so\/a auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=600 fail_interval=900' \/etc\/pam.d\/system-auth\n sed -i -c '\/^auth.*pam_unix.so\/a auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600 fail_interval=900' \/etc\/pam.d\/system-auth\n\n sed -i -c '\/^auth.*pam_env.so\/a auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600 fail_interval=900' \/etc\/pam.d\/password-auth\n sed -i -c '\/^auth.*pam_unix.so\/a auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=600 fail_interval=900' \/etc\/pam.d\/password-auth\n sed -i -c '\/^auth.*pam_unix.so\/a auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600 fail_interval=900' \/etc\/pam.d\/password-auth\n\n # \u914d\u7f6e\u5bc6\u7801\u590d\u6742\u5ea6\n log $LOG_LEVEL_INFO \"\u914d\u7f6e\u5bc6\u7801\u590d\u6742\u5ea6\u8981\u6c42...\"\n\n # \u5148\u6ce8\u91ca\u6389\u65e7\u7684\u5bc6\u7801\u590d\u6742\u5ea6\u914d\u7f6e\uff08\u5982\u679c\u5b58\u5728\uff09\n sed -i -c 's|^\\(password.*pam_pwquality.so.*\\)|#\\1|' \/etc\/pam.d\/password-auth\n sed -i -c 's|^\\(password.*pam_pwquality.so.*\\)|#\\1|' \/etc\/pam.d\/system-auth\n\n # \u8ffd\u52a0\u65b0\u7684\u5bc6\u7801\u590d\u6742\u5ea6\u914d\u7f6e\n if ! grep -q \"^password.*pam_pwquality.so.*minlen=8.*ucredit=-1.*lcredit=-1.*dcredit=-1.*ocredit=-1\" \/etc\/pam.d\/password-auth; then\n sed -i -c '\/^#password.*pam_pwquality.so\/a password requisite pam_pwquality.so try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' \/etc\/pam.d\/password-auth\n log $LOG_LEVEL_INFO \"\/etc\/pam.d\/password-auth \u5bc6\u7801\u590d\u6742\u5ea6\u914d\u7f6e\u5df2\u66f4\u65b0\"\n fi\n\n if ! grep -q \"^password.*pam_pwquality.so.*minlen=8.*ucredit=-1.*lcredit=-1.*dcredit=-1.*ocredit=-1\" \/etc\/pam.d\/system-auth; then\n sed -i -c '\/^#password.*pam_pwquality.so\/a password requisite pam_pwquality.so try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' \/etc\/pam.d\/system-auth\n log $LOG_LEVEL_INFO \"\/etc\/pam.d\/system-auth \u5bc6\u7801\u590d\u6742\u5ea6\u914d\u7f6e\u5df2\u66f4\u65b0\"\n fi\n\n log $LOG_LEVEL_INFO \"===== \u5b8c\u6210: \u7528\u6237\u4e0e\u8ba4\u8bc1\u5b89\u5168 =====\"\n}\n\n# \u6a21\u57576: SSH\u670d\u52a1\u52a0\u56fa\nconfigure_ssh_security() {\n log $LOG_LEVEL_INFO \"===== \u5f00\u59cb\u6267\u884c: SSH\u670d\u52a1\u52a0\u56fa =====\"\n\n cp \/etc\/ssh\/sshd_config \/etc\/ssh\/sshd_config.bak.$datenow 2>\/dev\/null\n\n # \u68c0\u67e5\u662f\u5426\u5df2\u7ecf\u914d\u7f6e\u8fc7\n if ! grep -q \"# \u5b89\u5168\u52a0\u56fa\u914d\u7f6e\" \/etc\/ssh\/sshd_config; then\n cat >> \/etc\/ssh\/sshd_config <<'EOF'\n\n# \u5b89\u5168\u52a0\u56fa\u914d\u7f6e\nPort 8822\nPort 22\nPermitRootLogin no\nClientAliveInterval 300\nClientAliveCountMax 3\nMaxAuthTries 3\nPermitEmptyPasswords no\nProtocol 2\nUsePAM yes\nEOF\n fi\n\n # \u786e\u4fdd\u5173\u952e\u914d\u7f6e\n sed -i -c 's\/#PermitRootLogin yes\/PermitRootLogin no\/' \/etc\/ssh\/sshd_config\n sed -i -c 's\/PermitRootLogin yes\/PermitRootLogin no\/' \/etc\/ssh\/sshd_config\n\n systemctl restart sshd.service && systemctl enable sshd.service\n\n log $LOG_LEVEL_INFO \"===== \u5b8c\u6210: SSH\u670d\u52a1\u52a0\u56fa =====\"\n}\n\n# \u6a21\u57577: \u65e5\u5fd7\u7cfb\u7edf\u914d\u7f6e\nconfigure_logging() {\n log $LOG_LEVEL_INFO \"===== \u5f00\u59cb\u6267\u884c: \u65e5\u5fd7\u7cfb\u7edf\u914d\u7f6e =====\"\n\n # \u914d\u7f6ersyslog\n cp \/etc\/rsyslog.conf \/etc\/rsyslog.conf.bak.$datenow 2>\/dev\/null\n sed -i -c 's\/#\\$ModLoad imudp\/\\$ModLoad imudp\/' \/etc\/rsyslog.conf\n sed -i -c 's\/#\\$UDPServerRun 514\/\\$UDPServerRun 514\/' \/etc\/rsyslog.conf\n\n # \u6dfb\u52a0\u8fdc\u7a0b\u65e5\u5fd7\u670d\u52a1\u5668\n if ! grep -q \"10.208.7.123:514\" \/etc\/rsyslog.conf; then\n cat >> \/etc\/rsyslog.conf <<'EOF'\n\n# \u8fdc\u7a0b\u65e5\u5fd7\u670d\u52a1\u5668\u914d\u7f6e\n*.* @10.208.7.123:514\n*.* @10.208.11.155:514\n*.* @10.208.7.219:514\n*.* @10.208.40.235:514\nEOF\n fi\n\n # \u914d\u7f6e\u65e5\u5fd7\u4fdd\u7559\n cp \/etc\/logrotate.conf \/etc\/logrotate.conf.bak.$datenow 2>\/dev\/null\n sed -i -c '25s\/rotate [0-9]\\+\/rotate 12\/' \/etc\/logrotate.conf\n sed -i -c '32s\/rotate [0-9]\\+\/rotate 12\/' \/etc\/logrotate.conf\n\n systemctl restart rsyslog\n\n log $LOG_LEVEL_INFO \"===== \u5b8c\u6210: \u65e5\u5fd7\u7cfb\u7edf\u914d\u7f6e =====\"\n}\n\n# \u6a21\u57578: \u9632\u706b\u5899\u914d\u7f6e\nconfigure_firewall() {\n log $LOG_LEVEL_INFO \"===== \u6682\u65f6\u8df3\u8fc7\uff0c\u4fe1\u521b\u73af\u5883\u6682\u65e0\u5bf9\u5e94\u7b56\u7565 =====\"\n # log $LOG_LEVEL_INFO \"===== \u5f00\u59cb\u6267\u884c: \u9632\u706b\u5899\u914d\u7f6e =====\"\n\n\n # log $LOG_LEVEL_INFO \"===== \u5b8c\u6210: \u9632\u706b\u5899\u914d\u7f6e =====\"\n}\n\n# \u6a21\u57579: \u7cfb\u7edf\u589e\u5f3a\u914d\u7f6e\nconfigure_system_enhancement() {\n log $LOG_LEVEL_INFO \"===== \u5f00\u59cb\u6267\u884c: \u7cfb\u7edf\u589e\u5f3a\u914d\u7f6e =====\"\n\n log $LOG_LEVEL_INFO \"\u7cfb\u7edf\u589e\u5f3a\u914d\u7f6e\u6a21\u5757\u5df2\u9884\u7559\uff0c\u53ef\u6839\u636e\u9700\u8981\u6dfb\u52a0\u5176\u4ed6\u589e\u5f3a\u529f\u80fd\"\n\n log $LOG_LEVEL_INFO \"===== \u5b8c\u6210: \u7cfb\u7edf\u589e\u5f3a\u914d\u7f6e =====\"\n}\n\n# \u6a21\u575710: \u6dfb\u52a0\u7ba1\u7406\u7528\u6237\nadd_admin_users() {\n log $LOG_LEVEL_INFO \"===== \u5f00\u59cb\u6267\u884c: \u6dfb\u52a0\u7ba1\u7406\u7528\u6237 =====\"\n\n # \u9501\u5b9a\u65e0\u7528\u7cfb\u7edf\u8d26\u53f7\n log $LOG_LEVEL_INFO \"\u9501\u5b9a\u65e0\u7528\u7cfb\u7edf\u8d26\u53f7...\"\n for user in games ftp news uucp; do\n if id \"$user\" &>\/dev\/null; then\n usermod -L \"$user\"\n log $LOG_LEVEL_INFO \"\u5df2\u9501\u5b9a\u8d26\u53f7: $user\"\n fi\n done\n\n # \u6dfb\u52a0\u7528\u6237\uff08\u5982\u679c\u4e0d\u5b58\u5728\uff09\n # \u6ce8\u610f\uff1a\u5bc6\u7801\u9700\u8981\u7b26\u5408PAM\u590d\u6742\u5ea6\u8981\u6c42\uff08\u81f3\u5c118\u4f4d\uff0c\u5305\u542b\u5927\u5c0f\u5199\u5b57\u6bcd\u3001\u6570\u5b57\u3001\u7279\u6b8a\u5b57\u7b26\uff09\n\n if ! id ywuser &>\/dev\/null; then\n useradd ywuser\n echo \"ywuser:Yw@11123123aaasd.\" | chpasswd\n log $LOG_LEVEL_INFO \"\u7528\u6237 ywuser \u521b\u5efa\u6210\u529f\"\n else\n log $LOG_LEVEL_INFO \"\u7528\u6237 ywuser \u5df2\u5b58\u5728\uff0c\u8df3\u8fc7\u521b\u5efa\"\n fi\n\n\n log $LOG_LEVEL_INFO \"===== \u5b8c\u6210: \u6dfb\u52a0\u7ba1\u7406\u7528\u6237 =====\"\n}\n\n# \u6a21\u575711: \u914d\u7f6eZabbix\u76d1\u63a7\nconfigure_zabbix() {\n log $LOG_LEVEL_INFO \"===== \u5f00\u59cb\u6267\u884c: \u914d\u7f6eZabbix\u76d1\u63a7 =====\"\n\n # \u68c0\u67e5\u6807\u51c6\u8def\u5f84\n if [ -f \"\/etc\/zabbix\/zabbix_agentd.conf\" ]; then\n sed -i -c 's\/Server=10.192.67.40\/Server=10.196.69.70,10.196.68.166,10.196.69.71,10.192.67.33,10.192.67.35,10.192.67.40,10.192.67.50\/g' \/etc\/zabbix\/zabbix_agentd.conf\n sed -i -c 's\/Server=10.192.67.50\/Server=10.196.69.70,10.196.68.166,10.196.69.71,10.192.67.33,10.192.67.35,10.192.67.40,10.192.67.50\/g' \/etc\/zabbix\/zabbix_agentd.conf\n systemctl restart zabbix-agent && systemctl enable zabbix-agent\n systemctl restart zabbix_agentd.service && systemctl enable zabbix_agentd.service 2>\/dev\/null\n log $LOG_LEVEL_INFO \"Zabbix\u4ee3\u7406\u5df2\u914d\u7f6e\u5e76\u91cd\u542f\"\n # \u68c0\u67e5\u81ea\u5b9a\u4e49\u8def\u5f84\n elif [ -f \"\/usr\/local\/zabbix_agent\/etc\/zabbix_agentd.conf\" ]; then\n sed -i -c 's\/Server=10.192.67.40\/Server=10.196.69.70,10.196.68.166,10.196.69.71,10.192.67.33,10.192.67.35,10.192.67.40,10.192.67.50\/g' \/usr\/local\/zabbix_agent\/etc\/zabbix_agentd.conf\n sed -i -c 's\/Server=10.192.67.50\/Server=10.196.69.70,10.196.68.166,10.196.69.71,10.192.67.33,10.192.67.35,10.192.67.40,10.192.67.50\/g' \/usr\/local\/zabbix_agent\/etc\/zabbix_agentd.conf\n systemctl restart zabbix-agent && systemctl enable zabbix-agent\n systemctl restart zabbix_agentd.service && systemctl enable zabbix_agentd.service 2>\/dev\/null\n log $LOG_LEVEL_INFO \"Zabbix\u4ee3\u7406\uff08\u81ea\u5b9a\u4e49\u8def\u5f84\uff09\u5df2\u914d\u7f6e\u5e76\u91cd\u542f\"\n else\n log $LOG_LEVEL_ERROR \"Zabbix\u4ee3\u7406\u672a\u5b89\u88c5\uff0c\u8df3\u8fc7\u914d\u7f6e\"\n fi\n\n log $LOG_LEVEL_INFO \"===== \u5b8c\u6210: \u914d\u7f6eZabbix\u76d1\u63a7 =====\"\n}\n\n# \u6a21\u575712: \u5b89\u88c5\u9752\u85e4agent\ninstall_qingteng() {\n log $LOG_LEVEL_INFO \"===== \u5f00\u59cb\u6267\u884c: \u5b89\u88c5\u9752\u85e4agent =====\"\n\n curl -k -s -L 'https:\/\/10.196.165.48:8001\/agent\/download?k=167921544e17b7a554bfc40d1fdf7bb26293f962&group=1107&protocol=0&root=true&runAccount=root&userAdd=false&app=0&container=0' | bash\n\n # \u7b49\u5f85\u8fdb\u7a0b\u542f\u52a8\n sleep 3\n\n # \u68c0\u67e5titan\u8fdb\u7a0b\u662f\u5426\u5b58\u5728\u6765\u5224\u65ad\u5b89\u88c5\u662f\u5426\u6210\u529f\n if ps -ef | grep -v grep | grep titan > \/dev\/null 2>&1; then\n log $LOG_LEVEL_INFO \"\u9752\u85e4agent\u5b89\u88c5\u6210\u529f\uff0ctitan\u8fdb\u7a0b\u5df2\u542f\u52a8\"\n else\n log $LOG_LEVEL_ERROR \"\u9752\u85e4agent\u5b89\u88c5\u5931\u8d25\uff0c\u672a\u68c0\u6d4b\u5230titan\u8fdb\u7a0b\"\n fi\n\n log $LOG_LEVEL_INFO \"===== \u5b8c\u6210: \u5b89\u88c5\u9752\u85e4agent =====\"\n}\n\n\n# ------------------------------\n# \u4ea4\u4e92\u5f0f\u83dc\u5355\u51fd\u6570\n# ------------------------------\nshow_menu() {\n clear\n cat <<'EOF'\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\n\u2551 Rocky Linux 8 \/ Kylin V10 \u5b89\u5168\u52a0\u56fa\u811a\u672c - \u83dc\u5355\u6a21\u5f0f \u2551\n\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\n\n\u8bf7\u9009\u62e9\u8981\u6267\u884c\u7684\u6a21\u5757\uff08\u53ef\u591a\u9009\uff0c\u7528\u7a7a\u683c\u5206\u9694\uff0c\u5982: 1 2 3\uff09\uff1a\n\n [1] \u914d\u7f6e\u79bb\u7ebfYUM\u6e90\n [2] \u5b89\u88c5\u57fa\u7840\u5de5\u5177\n [3] \u7cfb\u7edf\u57fa\u7840\u914d\u7f6e\uff08\u684c\u9762\/hostname\/rc.local\u7b49\uff09\n [4] \u7cfb\u7edf\u5b89\u5168\u4f18\u5316\uff08SELinux\/\u8d85\u65f6\/\u6587\u4ef6\u6570\/\u65f6\u95f4\u540c\u6b65\uff09\n [5] \u7528\u6237\u4e0e\u8ba4\u8bc1\u5b89\u5168\uff08\u5bc6\u7801\u7b56\u7565\/PAM\u8ba4\u8bc1\uff09\n [6] SSH\u670d\u52a1\u52a0\u56fa\n [7] \u65e5\u5fd7\u7cfb\u7edf\u914d\u7f6e\n [8] \u9632\u706b\u5899\u914d\u7f6e\uff08iptables\uff09\n [9] \u7cfb\u7edf\u589e\u5f3a\u914d\u7f6e\uff08\u9884\u7559\u6a21\u5757\uff09\n [10] \u6dfb\u52a0\u7ba1\u7406\u7528\u6237\n [11] \u914d\u7f6eZabbix\u76d1\u63a7\n [12] \u5b89\u88c5\u9752\u85e4agent\n\n [A] \u6267\u884c\u5168\u90e8\u6a21\u5757\n [Q] \u9000\u51fa\u811a\u672c\n\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\nEOF\n}\n\n# \u6267\u884c\u9009\u4e2d\u7684\u6a21\u5757\nexecute_modules() {\n local selections=\"$1\"\n\n log $LOG_LEVEL_INFO \"\u5f00\u59cb\u6267\u884c\u5b89\u5168\u52a0\u56fa ($datenow)...\"\n\n for choice in $selections; do\n case $choice in\n 1) configure_yum_repo ;;\n 2) install_basic_tools ;;\n 3) configure_system_basic ;;\n 4) configure_system_security ;;\n 5) configure_user_security ;;\n 6) configure_ssh_security ;;\n 7) configure_logging ;;\n 8) configure_firewall ;;\n 9) configure_system_enhancement ;;\n 10) add_admin_users ;;\n 11) configure_zabbix ;;\n 12) install_qingteng ;;\n 13) install_uniprobe ;;\n 14) install_pp_monitor ;;\n A|a)\n configure_yum_repo\n install_basic_tools\n configure_system_basic\n configure_system_security\n configure_user_security\n configure_ssh_security\n configure_logging\n configure_firewall\n configure_system_enhancement\n add_admin_users\n configure_zabbix\n install_qingteng\n break\n ;;\n Q|q)\n log $LOG_LEVEL_INFO \"\u7528\u6237\u9000\u51fa\u811a\u672c\"\n exit $EXIST_CODE_NORMAL\n ;;\n *)\n log $LOG_LEVEL_ERROR \"\u65e0\u6548\u7684\u9009\u9879: $choice\"\n ;;\n esac\n done\n\n log $LOG_LEVEL_INFO \"\u5b89\u5168\u52a0\u56fa\u6267\u884c\u5b8c\u6210\uff01\"\n}\n\n# ------------------------------\n# \u4e3b\u7a0b\u5e8f\u5165\u53e3\n# ------------------------------\nmain() {\n local user_input\n\n # \u68c0\u67e5\u662f\u5426\u6709\u547d\u4ee4\u884c\u53c2\u6570\n if [ $# -gt 0 ]; then\n # \u4f7f\u7528\u547d\u4ee4\u884c\u53c2\u6570\n user_input=\"$*\"\n log $LOG_LEVEL_INFO \"\u68c0\u6d4b\u5230\u547d\u4ee4\u884c\u53c2\u6570: $user_input\"\n else\n # \u4ea4\u4e92\u5f0f\u6a21\u5f0f\uff1a\u663e\u793a\u83dc\u5355\u5e76\u8bfb\u53d6\u7528\u6237\u8f93\u5165\n show_menu\n echo -n \"\u8bf7\u8f93\u5165\u9009\u9879: \"\n read -r user_input\n # \u53bb\u9664\u591a\u4f59\u7a7a\u683c\n user_input=$(echo \"$user_input\" | xargs)\n fi\n\n # \u9a8c\u8bc1\u8f93\u5165\n if [ -z \"$user_input\" ]; then\n log $LOG_LEVEL_ERROR \"\u672a\u8f93\u5165\u4efb\u4f55\u9009\u9879\uff01\"\n exit $EXIST_CODE_OTHER\n fi\n\n # \u6267\u884c\u9009\u4e2d\u7684\u6a21\u5757\n execute_modules \"$user_input\"\n\n echo \"\"\n log $LOG_LEVEL_INFO \"\u6240\u6709\u64cd\u4f5c\u5df2\u5b8c\u6210\uff0c\u8bf7\u68c0\u67e5\u65e5\u5fd7\u786e\u8ba4\u6267\u884c\u7ed3\u679c\"\n echo \"\"\n}\n\n# \u6267\u884c\u4e3b\u7a0b\u5e8f\uff08\u4f20\u9012\u6240\u6709\u547d\u4ee4\u884c\u53c2\u6570\uff09\nmain \"$@\"\n\nexit $EXIST_CODE_NORMAL\n\n\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"