nginx日志切割脚本
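# -*- coding: utf-8 -*-
#!/usr/bin/env python
# author:sean
# nginx log rotation script
# www.a.com.log  ->  bak/www.a.com-YesterDay(%Y-%m-%d).log
#
# Flow: move every live log into the backup directory under a dated name,
# tell the nginx master to reopen its log files (SIGUSR1), wait a moment,
# then delete backups that are older than KeepDays.
import datetime
import os
import shutil
import signal
import time

LogPath = "/data/logs/nginx"        # directory holding the live nginx logs
BakDir = "/data/logs/nginx/bak"     # directory the rotated logs are moved to
PidFile = "/usr/local/openresty/nginx/logs/nginx.pid"  # nginx master pid file
KeepDays = 7                        # rotated logs older than this are deleted
ReopenWait = 5                      # seconds given to nginx to reopen its logs


def yesterday_stamp(now=None):
    """Return the date stamp used for rotated files: yesterday as %Y-%m-%d.

    now defaults to datetime.datetime.now(); it is a parameter so the stamp
    can be computed for a fixed instant (tests, re-runs for a missed day).
    """
    if now is None:
        now = datetime.datetime.now()
    return (now - datetime.timedelta(days=1)).strftime("%Y-%m-%d")


def rotated_name(filename, stamp):
    """Insert stamp before the extension: 'www.a.com.log' -> 'www.a.com-<stamp>.log'.

    A name without an extension simply gets '-<stamp>' appended.
    """
    base, ext = os.path.splitext(filename)
    return "{0}-{1}{2}".format(base, stamp, ext)


def rotate_logs(log_dir, bak_dir, stamp):
    """Move each regular file directly inside log_dir into bak_dir under its stamped name.

    Only the top level of log_dir is scanned: the original walked the tree
    recursively, descended into bak_dir (which lives inside log_dir) and
    re-stamped files that had already been rotated on earlier runs.  It also
    renamed files in place, so nothing ever reached bak_dir and the later
    cleanup of bak_dir was a no-op.  bak_dir is created if missing.

    Returns the list of destination paths in the order the files were moved.
    Raises OSError if a move fails.
    """
    if not os.path.isdir(bak_dir):
        os.makedirs(bak_dir)
    moved = []
    for name in sorted(os.listdir(log_dir)):
        src = os.path.join(log_dir, name)
        if not os.path.isfile(src):
            continue  # skips bak_dir itself and anything that is not a plain file
        dst = os.path.join(bak_dir, rotated_name(name, stamp))
        shutil.move(src, dst)
        moved.append(dst)
    return moved


def reopen_nginx_logs(pid_file):
    """Send SIGUSR1 to the nginx master whose pid is stored in pid_file.

    The original shelled out to ``kill -USR1 'cat <pidfile>'`` with single
    quotes, so ``kill`` received the literal text instead of the pid and the
    logs were never reopened.  Reading the pid in Python and using os.kill
    needs no shell at all.

    Raises IOError/OSError if the pid file cannot be read or the signal cannot
    be delivered, and ValueError if the file does not contain an integer.
    """
    with open(pid_file) as fh:
        pid = int(fh.read().strip())
    os.kill(pid, signal.SIGUSR1)


def purge_old_logs(bak_dir, keep_days, now=None):
    """Delete every *.log file below bak_dir whose mtime is older than keep_days days.

    now is seconds since the epoch and defaults to time.time().  Returns the
    list of removed paths.  This replaces the original
    ``find ... -exec rm -rf {} \\;`` shell string, whose format call was
    broken (``.foramt`` typo, and a bare ``{}`` inside a str.format pattern
    that already used ``{0}``) and which would have raised before running.
    """
    if now is None:
        now = time.time()
    cutoff = now - keep_days * 86400
    removed = []
    for root, _dirs, files in os.walk(bak_dir):
        for name in files:
            if not name.endswith(".log"):
                continue
            path = os.path.join(root, name)
            if os.path.getmtime(path) < cutoff:
                os.remove(path)
                removed.append(path)
    return removed


def main():
    """Rotate the live logs, reopen nginx's log files, then purge expired backups."""
    stamp = yesterday_stamp()
    rotate_logs(LogPath, BakDir, stamp)
    reopen_nginx_logs(PidFile)
    # Give nginx time to reopen before the backup directory is touched.
    time.sleep(ReopenWait)
    purge_old_logs(BakDir, KeepDays)


if __name__ == "__main__":
    main()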
centos系统优化脚本
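#!/bin/bash
#written by mofansheng@2015-11-03
#system optimization script
#The following applies to CentOS 7.x: systemctl/hostnamectl/localectl are used
#throughout, so the original "CentOS 6.x" header did not match the commands.
. /etc/init.d/functions

# Abort the script when the previous command failed, print a blank line otherwise.
# $? is read at function entry, so it is the exit status of the caller's last command.
# (The original used `continue` here, which is only valid inside a loop, and a
# bare `exit`, which returned 0 and hid the failure from the caller.)
function check_ok(){
    if [ $? -eq 0 ]
    then
        echo ""
        return 0
    else
        echo "pls check error"
        exit 1
    fi
}

# Everything below rewrites /etc and restarts daemons; refuse to run unprivileged.
if [ "$(id -u)" -ne 0 ]
then
    echo "this script must be run as root"
    exit 1
fi

cat<<EOF
-----------------------------------------------------------------------
|                        system optimization                          |
-----------------------------------------------------------------------
EOF

#1. update the system
#   -y on every install: the second yum call had no -y and blocks on a
#   confirmation prompt when the script runs unattended.
yum update -y
yum install -y net-tools wget telnet perl perl-devel kernel-devel bash-completion ntpdate vim
#yum install gcc cmake bzip2-devel curl-devel db4-devel libjpeg-devel libpng-devel freetype-devel libXpm-devel gmp-devel libc-client-devel openldap-devel unixODBC-devel postgresql-devel sqlite-devel aspell-devel net-snmp-devel libxslt-devel libxml2-devel pcre-devel pspell-devel libmemcached libmemcached-devel zlib-devel vim wget lrzsz tree
yum groupinstall "Development tools" -y

#2. make /etc/rc.local executable
chmod +x /etc/rc.d/rc.local

#3. close unimportant system services
echo "===Close unimportant system services,it will take serval mintinues==="
for i in $(systemctl list-unit-files | grep 'enabled' | awk '{print $1}' | grep -Ev "crond|sshd|sysstat|rsyslog|network|dbus|systemd|multi|default|NetworkManager|auditd"); do
    # `systemctl status` of a stopped unit exits 3, so it was removed from the
    # loop: with it as the last command check_ok always aborted the script.
    systemctl disable "$i"
    systemctl stop "$i"
done
check_ok
action "Close unimportant system services" /bin/true

#4. close selinux
#   (author's choice; this removes the mandatory access control layer for good)
echo "===close SELINUX==="
if [ "$(getenforce)" != "Disabled" ]
then
    # rewrite the whole SELINUX= line so a "permissive" config is handled too;
    # the original only substituted the word "enforcing"
    sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
    setenforce 0
    echo "selinux is disabled"
else
    action "SELINUX is closed" /bin/true
fi
check_ok
action "Close SELINUX" /bin/true

#5. stop firewalld, install iptables-services
#   Nothing here writes or enables an iptables ruleset, so from this point the
#   host runs without a packet filter until /etc/sysconfig/iptables is provided
#   and `systemctl enable --now iptables` is run.
systemctl stop firewalld.service
systemctl disable firewalld.service
yum install iptables-services -y

#6. set the hostname
hostnamectl set-hostname vm1

#7. set the locale
yum -y install kde-l10n-Chinese
localectl set-locale LANG=zh_CN.utf8
echo "LANG=zh_CN.UTF-8" > /etc/environment
echo "LC_ALL=zh_CN.UTF-8" >> /etc/environment
echo "LANG=zh_CN.utf8" > /etc/locale.conf
source /etc/locale.conf

#8. raise the open-files limit and tune the kernel
#   Guarded so a second run does not append duplicate entries.
if ! grep -q '^\* soft nofile 65535' /etc/security/limits.conf
then
    echo "* soft nofile 65535" >> /etc/security/limits.conf
    echo "* hard nofile 65535" >> /etc/security/limits.conf
    echo "* soft nproc 65535" >> /etc/security/limits.conf
    echo "* hard nproc 65535" >> /etc/security/limits.conf
fi
# NOTE(review) on the values below, kept exactly as the author set them:
#  - fs.file-max = 655536 looks like a typo for 655360 -- confirm.
#  - net.ipv4.tcp_tw_reuse only takes effect with TCP timestamps enabled, and
#    tcp_timestamps is set to 0 here, so tw_reuse does nothing.
#  - net.ipv4.tcp_tw_recycle breaks clients behind NAT and was removed from
#    the kernel in 4.12.
#  - tcp_syn_retries/tcp_synack_retries = 1 and tcp_fin_timeout = 1 are very
#    aggressive for anything but a LAN.
if ! grep -q '^#CTCDN' /etc/sysctl.conf
then
cat >> /etc/sysctl.conf << "EOF"
#CTCDN系统优化参数
fs.file-max = 655536
#关闭ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
#决定检查过期多久邻居条目
net.ipv4.neigh.default.gc_stale_time=120
#使用arp_announce / arp_ignore解决ARP映射问题
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1
# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1
#关闭路由转发
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
#开启反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#处理无源路由的包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
#关闭sysrq功能
kernel.sysrq = 0
#core文件名中添加pid作为扩展名
kernel.core_uses_pid = 1
# 开启SYN洪水攻击保护
net.ipv4.tcp_syncookies = 1
#修改消息队列长度
kernel.msgmnb = 65536
kernel.msgmax = 65536
#设置最大内存共享段大小bytes
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
#timewait的数量,默认180000
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
#每个网络接口接收数据包的速率比内核处理这些包的速率快时,允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 262144
#限制仅仅是为了防止简单的DoS 攻击
net.ipv4.tcp_max_orphans = 3276800
#未收到客户端确认信息的连接请求的最大值
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
#内核放弃建立连接之前发送SYNACK 包的数量
net.ipv4.tcp_synack_retries = 1
#内核放弃建立连接之前发送SYN 包的数量
net.ipv4.tcp_syn_retries = 1
#启用timewait 快速回收
net.ipv4.tcp_tw_recycle = 1
#开启重用。允许将TIME-WAIT sockets 重新用于新的TCP 连接
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
#当keepalive 起用的时候,TCP 发送keepalive 消息的频度。缺省是2 小时
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
#允许系统打开的端口范围
net.ipv4.ip_local_port_range = 1024 65000
#修改防火墙表大小,默认65536
net.netfilter.nf_conntrack_max=655350
net.netfilter.nf_conntrack_tcp_timeout_established=1200
# 确保无人能修改路由表
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF
fi
#apply
# the net.netfilter.* keys only exist once the conntrack module is loaded;
# with firewalld stopped and no iptables rules loaded yet it may not be,
# and sysctl -p would then report them as unknown keys
modprobe nf_conntrack
sysctl -p
#user process limit (raise the limit for ordinary users; unlimited also works)
sed -i 's#4096#65535#g' /etc/security/limits.d/20-nproc.conf

#set SSH
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
sed -i 's/#Port 22/Port 65500/g' /etc/ssh/sshd_config
# validate the edited config before restarting: a broken sshd_config would
# otherwise leave the host without a reachable sshd. (SELinux is disabled
# above, so no port label is needed for 65500.)
sshd -t && service sshd restart
check_ok
action "sshd is reconfigured" /bin/true

#set system files permission
# /etc/passwd and /etc/group must stay world-readable: getpwnam()/getgrnam()
# in unprivileged processes (cron jobs, daemons dropping root, ls -l, sudo)
# fail otherwise, which is what the original chmod 600 caused. Only the hash
# files are restricted.
chmod 644 /etc/passwd
chmod 644 /etc/group
chmod 600 /etc/shadow
chmod 600 /etc/gshadow

#set ntp
yum install ntpdate -y
ntpdate ntp.fudan.edu.cn
if ! grep -q 'ntpdate ntp.fudan.edu.cn' /etc/crontab
then
    echo "* 3 * * * /usr/sbin/ntpdate ntp.fudan.edu.cn >/dev/null 2>&1" >>/etc/crontab
fi
service crond restart
check_ok
action "ntpdate is installed and add in crontab" /bin/true

#set vim
echo "===install vim,it will take serval mintinues==="
yum install vim-enhanced -y &>/dev/null
check_ok
# an `alias` inside a non-interactive script has no effect, so only the
# .bashrc entry is kept (added once)
if ! grep -q '^alias vi=vim' /root/.bashrc
then
    echo "alias vi=vim" >>/root/.bashrc
fi
action "vim is installed" /bin/true

#set yum repos
echo "===update yum repos,it will take serval mintinues==="
# keep the first backup; a re-run must not overwrite it with the mirror copy
if [ ! -f /etc/yum.repos.d/CentOS-Base.repo.backup ]
then
    mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
fi
# fetched over HTTPS so the repo definition (and the baseurl it points at)
# cannot be altered in transit; check_ok stops here on a failed download
# instead of leaving an empty repo file behind
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
check_ok
yum clean all &>/dev/null
yum makecache &>/dev/null
check_ok
action "yum repos update is ok" /bin/true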
openvpn服务器防火墙设置
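# sample configuration for iptables service
#
# you can edit this manually or use system-config-firewall
#
# please do not ask us to add additional ports/services to this default configuration
#
# Layout: nat table (masquerade the OpenVPN subnet out of eth0), then the
# filter table. The filter chains keep an ACCEPT policy but end in explicit
# DROP rules, so anything not matched above those lines is dropped.
#################
# NAT
#################
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
# internal servers reach the internet through this host
#-A POSTROUTING -s 10.x.x.0/24 -p tcp -j SNAT --to-source 0.x.x.x
#OpenVPN
-A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
#-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
#-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
#-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
#################
# filter
#################
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#:DOCKER - [0:0]
# accept packets of established connections first; every rule below only has
# to deal with NEW connections (this is also what makes the --sport rules
# that used to follow unnecessary)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP replies/errors belonging to our own traffic (inbound echo-request on
# eth0 is dropped further down, so this is not "allow ping")
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# sshd: open on every interface with no source restriction (see the commented
# "sean's home" rule below for the per-source variant)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# forwarding for internal hosts
#-A FORWARD -i eth0 -d 10.x.x.0/24 -j ACCEPT
#docker
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 139291:461018923 -j ACCEPT
#-A FORWARD -o docker0 -j DOCKER
#-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
#-A FORWARD -i docker0 -o docker0 -j ACCEPT
#openvpn (TCP only; a UDP server would need a matching -p udp rule)
-A INPUT -i eth0 -m state --state NEW -p tcp --dport 1194 -j ACCEPT
-A OUTPUT -p tcp --sport 1194 -m state --state ESTABLISHED -j ACCEPT
#openvpn web ui
# NOTE(review): the admin UI is reachable from anywhere on eth0; add a -s
# restriction or serve it over the tunnel only
-A INPUT -i eth0 -m state --state NEW -p tcp --dport 8080 -j ACCEPT
-A OUTPUT -p tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
# VPN clients get unrestricted access to this host and are forwarded without
# any destination filter
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
#SMTP
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# http and https
# The original also had "-A INPUT -i eth0 -m state --state NEW -p tcp --sport 80 -j ACCEPT"
# (and the same for 443). Those rules are removed: replies to this host's own
# web requests are already accepted by the ESTABLISHED,RELATED rule at the top,
# while accepting NEW connections by *source* port let any remote client that
# binds local port 80/443 open a connection to every service on this host.
-A INPUT -i eth0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
#dns
# "-A INPUT -p udp --sport 53 -j ACCEPT" was removed for the same reason as
# the web --sport rules (resolver answers are matched as ESTABLISHED).
-A OUTPUT -p udp --dport 53 -j ACCEPT
# the --dport 53 rule exposes a resolver on every interface; drop it if this
# host does not serve DNS
-A INPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --sport 53 -j ACCEPT
#---ganglia ports----
#ganglia web UI (apache serving the php frontend)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 81 -j ACCEPT
-A OUTPUT -p tcp --sport 81 -m state --state ESTABLISHED -j ACCEPT
#ganglia gmond ports
-A INPUT -p tcp -m multiport --dport 8649:8652 -j ACCEPT
-A OUTPUT -p tcp -m multiport --sport 8649:8652 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --dport 8649:8652 -j ACCEPT
-A OUTPUT -p udp -m multiport --sport 8649:8652 -m state --state ESTABLISHED -j ACCEPT
#falcon-agent sent
-A OUTPUT -p tcp --dport 6030 -j ACCEPT
-A OUTPUT -p tcp --dport 8433 -j ACCEPT
# placeholder source address as published; fill in the real collector
-A INPUT -s 10.x.x.x -p tcp --dport 1988 -j ACCEPT
#nagios ports
#-A INPUT -p udp -m multiport --dport 5666,12489 -j ACCEPT
#-A OUTPUT -p tcp -m multiport --sport 5666:12489 -m state --state ESTABLISHED -j ACCEPT
###TCP ports for FreeIPA
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
###UDP ports for FreeIPA
#-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
#-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
#-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
#-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#
##nexus yum
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 8081 -j ACCEPT
#pptp
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 1723 -j ACCEPT
# rate-limit forwarded IP fragments to 100 per second
-A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
# allow ping from outside
#-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# no ping on eth0
-A INPUT -p icmp -i eth0 -j DROP
# forwarded ICMP: 1 packet per second, burst of 10
-A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
## allowed admin sources
#sean's home
#-A INPUT -s x.x.x.x -m state --state NEW -m tcp -p tcp -j ACCEPT
####################
#DROP RULL
####################
# drop bad TCP packets
#-A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
# Reject spoofed packets
# (172.16.0.0/12 also covers the docker0 subnet 172.17.0.0/16 used by the
#  commented docker rules; this DROP must be revisited if they are enabled)
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
# Stop smurf attacks
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
# Drop all invalid packets
-A INPUT -m state --state INVALID -j DROP
#-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 3128 is squid's default port
-A INPUT -p tcp --dport 3128 -j DROP
# Limit RST packets to 2/s; anything above the limit falls through to the final DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
-A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
# Once the day has passed, remove them from the portscan list
-A INPUT -m recent --name portscan --remove
-A FORWARD -m recent --name portscan --remove
# These rules add hosts that touch TCP/139 to the portscan list, and log the attempt.
-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
# drop everything not explicitly allowed above
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j DROP
-A OUTPUT -j DROP
-A FORWARD -j DROP
COMMIT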