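#!/bin/bash
#
# Provision an Ubuntu host as an xproxy node: root password, SSH on a
# non-default port behind an IP allow-list, the xproxy binary under
# supervisord, two filebeat shippers feeding Kafka, sysctl/limits tuning
# and a Zabbix agent.
#
# Must run as root. Re-running is meant to be safe: downloads overwrite in
# place, generated config files are rewritten, and append-only system files
# (/etc/hosts, limits.conf, hosts.allow, authorized_keys) are appended once.
#
# Environment:
#   ROOT_PASSWORD  password to set for root. NOTE(review): the fallback in
#                  set_root_password is the value this script used to carry
#                  in clear text; remove it and rotate the password once
#                  callers supply it via the environment.
#
# Network dependencies: 128.1.156.184 (xproxy artifacts, plain HTTP),
# artifacts.elastic.co and repo.zabbix.com (HTTPS).
set -Eeuo pipefail

# Abort on the first failure and say where. A half-provisioned host (SSH
# already moved to the new port but the allow-list never applied) is worse
# than a loud stop.
trap 'printf "provision: error at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

readonly SSH_PORT=8005
readonly XPROXY_BASE=/opt/xproxy
readonly XPROXY_URL=http://128.1.156.184/xproxysd
readonly IP_PROBE_URL=http://128.1.156.184/ip-probe
readonly IP_FILE=/root/ip.txt
readonly FILEBEAT_URL=https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.1-linux-x86_64.tar.gz
readonly ZABBIX_RELEASE_URL=https://repo.zabbix.com/zabbix/4.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_4.4-1+bionic_all.deb

# Scratch directory for downloaded archives; removed on any exit.
workdir=$(mktemp -d) || { printf 'provision: mktemp failed\n' >&2; exit 1; }
trap 'rm -rf -- "$workdir"' EXIT

# Globals filled in by configure_tunnel_ip and reused by later steps.
ipadd=   # dotted-quad address reported by ip-probe
intip=   # the same address as a 32-bit integer (ros_id)

log() { printf '==> %s\n' "$*" >&2; }
die() { printf 'provision: %s\n' "$*" >&2; exit 1; }

#######################################
# Download URL to DEST, failing loudly. Always writes DEST, so a re-run
# replaces the file instead of leaving wget's "name.1" copies next to it.
# NOTE(review): the xproxy artifacts and ip-probe come over plain HTTP and
# the page carries no digests for them, so nothing here verifies what was
# fetched before it is executed as root. Pin a digest per artifact
# (EXPECTED_SHA256_PLACEHOLDER) and check it in this function.
# Arguments: $1 - URL, $2 - destination path
#######################################
fetch() {
  local url=$1 dest=$2
  wget -q -O "$dest" "$url" || die "download failed: $url"
}

#######################################
# Append stdin to FILE unless FILE already contains the fixed string MARKER.
# Keeps append-only system files from growing on every run.
# Arguments: $1 - file, $2 - marker string (matched literally)
#######################################
append_once() {
  local file=$1 marker=$2
  if [[ -f "$file" ]] && grep -qF -- "$marker" "$file"; then
    log "$file already contains '$marker'; not appending"
    cat >/dev/null   # drain the caller's here-doc
    return 0
  fi
  cat >>"$file"
}

#######################################
# 1. Root password.
#######################################
set_root_password() {
  local password=${ROOT_PASSWORD:-'Xiaobei@xx123'}
  # printf, not echo: the value is data and may begin with '-'.
  # Do not run this script under `set -x`; the builtin's arguments would be traced.
  printf 'root:%s\n' "$password" | chpasswd
}

#######################################
# 15 (moved ahead of the SSH hardening): install the admin key so key-based
# login exists before password authentication is switched off.
#######################################
install_ssh_key() {
  local key='ssh-rsa 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 root@localhost.localdomain'
  mkdir -p ~/.ssh
  chmod 700 ~/.ssh   # sshd ignores the directory if it is group/world accessible
  append_once ~/.ssh/authorized_keys "$key" <<<"$key"
  chmod 600 ~/.ssh/authorized_keys
}

#######################################
# 2. SSH: non-default port, keys only.
#######################################
harden_ssh() {
  local cfg=/etc/ssh/sshd_config
  sed -i "s/^#\?Port 22\$/Port ${SSH_PORT}/" "$cfg"
  # The original only matched an active "PasswordAuthentication yes"; stock
  # Ubuntu ships the line commented out, which left password auth enabled.
  sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' "$cfg"
  # NOTE(review): drop-ins in /etc/ssh/sshd_config.d/ and the socket-activated
  # ssh unit on newer Ubuntu releases can override both settings; confirm the
  # effective values with `sshd -T` after the restart.
  sshd -t || die "sshd_config failed validation; ssh not restarted"
  systemctl restart ssh
}

#######################################
# 5. Packages (run before the firewall step, which needs iptables).
#######################################
install_packages() {
  # iptables-persistent asks via debconf whether to save the current rules;
  # the noninteractive frontend keeps an unattended run from blocking there.
  export DEBIAN_FRONTEND=noninteractive
  apt-get update >/dev/null
  apt-get install -y wget iptables iptables-persistent supervisor >/dev/null
}

#######################################
# 3. rc.local: allow-list for the SSH port, re-applied on every boot.
# NOTE(review): rules are appended, so manually restarting rc-local stacks
# duplicates until reboot. 128.1.71.151 is permitted in hosts.allow (step
# 14) but absent here, so that source is dropped before reaching sshd —
# confirm which list is authoritative.
#######################################
install_rc_local_firewall() {
  # /etc/rc.d does not exist on stock Ubuntu; the original tee failed here.
  mkdir -p /etc/rc.d
  cat > /etc/rc.d/rc.local <<EOF
#!/bin/bash
iptables -A INPUT -p tcp --dport ${SSH_PORT} -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport ${SSH_PORT} -s 221.6.206.54 -j ACCEPT
iptables -A INPUT -p tcp --dport ${SSH_PORT} -s 120.232.214.139 -j ACCEPT
iptables -A INPUT -p tcp --dport ${SSH_PORT} -s 103.237.29.33 -j ACCEPT
iptables -A INPUT -p tcp --dport ${SSH_PORT} -s 128.1.156.130 -j ACCEPT
iptables -A INPUT -p tcp --dport ${SSH_PORT} -s 128.1.156.140 -j ACCEPT
iptables -A INPUT -p tcp --dport ${SSH_PORT} -s 165.154.111.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport ${SSH_PORT} -s 156.59.87.0/26 -j ACCEPT
iptables -A INPUT -p tcp --dport ${SSH_PORT} -s 162.128.174.128/25 -j ACCEPT
iptables -A INPUT -p tcp --dport ${SSH_PORT} -j DROP
EOF
  chmod +x /etc/rc.d/rc.local

  cat > /etc/systemd/system/rc-local.service <<'EOF'
[Unit]
Description=/etc/rc.d/rc.local
ConditionPathExists=/etc/rc.d/rc.local

[Service]
Type=forking
ExecStart=/etc/rc.d/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable rc-local
  systemctl start rc-local
}

#######################################
# 4. Directory layout for xproxy and its logs.
#######################################
create_dirs() {
  mkdir -p /var/log/xproxyFlow /var/log/xproxyLog /var/log/statslog1 /var/log/detaillog \
    "${XPROXY_BASE}/log" "${XPROXY_BASE}/conf" "${XPROXY_BASE}/bin"
}

#######################################
# 6. Fetch the xproxy program and configs, then probe this node's address.
#######################################
download_xproxy() {
  local f
  for f in tunnelConfig.ini ads_file.txt blacklist.txt; do
    fetch "${XPROXY_URL}/${f}" "${XPROXY_BASE}/conf/${f}"
  done
  fetch "${XPROXY_URL}/xproxy-kni" "${XPROXY_BASE}/bin/xproxy-kni"
  chmod +x "${XPROXY_BASE}/bin/xproxy-kni"
  ln -sfn "${XPROXY_BASE}/bin/xproxy-kni" "${XPROXY_BASE}/xproxy"   # -f: re-runs must not fail here

  fetch "$IP_PROBE_URL" /root/ip-probe
  chmod +x /root/ip-probe
  # Absolute paths: the original wrote ip.txt into the current directory but
  # later read /root/ip.txt, which only lined up when run from /root.
  /root/ip-probe -s 122.97.205.112 -p 10000 -w "$IP_FILE" > /root/ip.log
  [[ -s "$IP_FILE" ]] || die "ip-probe produced no $IP_FILE"
}

#######################################
# 7. Derive the node identity from the probe result and patch tunnelConfig.
# Sets the globals ipadd and intip.
#######################################
configure_tunnel_ip() {
  local conf="${XPROXY_BASE}/conf/tunnelConfig.ini"
  ipadd=$(head -1 "$IP_FILE" | awk -F: '{print $2}')
  [[ -n "$ipadd" ]] || die "no address on line 1 of $IP_FILE (expected 'label:A.B.C.D')"
  # NOTE(review): kept as written. It splits every line of ip.txt on '.',
  # while the line above reads the line as 'label:A.B.C.D'; a non-numeric
  # label makes awk treat the first octet as 0. Confirm the file format
  # before relying on ros_id.
  intip=$(awk -F. '{print ($1*256^3)+($2*256^2)+($3*256)+$4}' "$IP_FILE")
  sed -i "s/^ros_id.*/ros_id = ${intip}/" "$conf"
  sed -i "s/^tag.*/tag = \"host=${ipadd}\"/" "$conf"
  cp "$IP_FILE" "${XPROXY_BASE}/conf/"
}

#######################################
# 8. supervisord program definition and fd limit.
# NOTE(review): stdout_logfile and stderr_logfile point at the same file;
# supervisor documents redirect_stderr=true as the supported way to merge.
#######################################
configure_supervisor() {
  cat > /etc/supervisor/conf.d/xproxy.conf <<'EOF'
[program:xproxy]
command=/opt/xproxy/xproxy -c /opt/xproxy/conf/tunnelConfig.ini
directory=/opt/xproxy
user=root
stopsignal=INT
autostart=true
autorestart=true
startsecs=1
stderr_logfile=/opt/xproxy/log/server.log
stdout_logfile=/opt/xproxy/log/server.log
stdout_logfile_maxbytes=500MB
stderr_logfile_maxbytes=500MB
EOF
  # The original substituted the literal "minfds=1024", which is a no-op when
  # the distro config carries no minfds line at all; insert one in that case.
  local main_conf=/etc/supervisor/supervisord.conf
  if grep -q '^minfds=' "$main_conf"; then
    sed -i 's/^minfds=.*/minfds=1000000/' "$main_conf"
  else
    sed -i '/^\[supervisord\]/a minfds=1000000' "$main_conf"
  fi
  systemctl enable supervisor
  systemctl restart supervisor
}

#######################################
# 9. Install filebeat 7.10.1 from the Elastic tarball.
#######################################
install_filebeat() {
  mkdir -p /etc/filebeat /usr/share/filebeat/bin /var/lib/filebeat /var/log/filebeat
  local name=${FILEBEAT_URL##*/}
  fetch "$FILEBEAT_URL" "${workdir}/${name}"
  # Elastic publishes a .sha512 next to each artifact; verify before unpacking.
  fetch "${FILEBEAT_URL}.sha512" "${workdir}/${name}.sha512"
  (cd "$workdir" && sha512sum -c --quiet "${name}.sha512") \
    || die "filebeat tarball failed checksum verification"
  tar zxf "${workdir}/${name}" --strip-components=1 -C /usr/share/filebeat/
}

#######################################
# Primary filebeat: ship xproxyLog to the nj Kafka cluster.
# NOTE(review): the Kafka credentials live in clear text in this file; the
# mode is tightened to 0600 so only root can read them.
#######################################
configure_filebeat_primary() {
  cat > /etc/filebeat/filebeat.yml <<'EOF'
filebeat.inputs:
- type: log
  enabled: true
  tail_files: false
  scan_frequency: 5s
  max_backoff: 1s
  paths:
    - /var/log/xproxyLog/x_*.log

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644

output.kafka:
  hosts: ["nj-kafka01.u4a.cn:6667","nj-kafka02.u4a.cn:6667","nj-kafka03.u4a.cn:6667","nj-kafka04.u4a.cn:6667","nj-kafka05.u4a.cn:6667"]
  topic: "oversea-proxy-raw_user_log"
  username: "vpn"
  password: "XXVN2014YJDBXHEGQWNHSGYXIK"
  partition.round_robin:
    reachable_only: false
  required_acks: 1
  compression: gzip
  codec.format:
    string: '%{[message]}'
EOF
  chmod 600 /etc/filebeat/filebeat.yml
}

#######################################
# 10. Static name resolution for both Kafka clusters (appended once).
#######################################
add_hosts_entries() {
  append_once /etc/hosts 'nj-kafka01.u4a.cn' <<'EOF'
122.97.205.101	nj-kafka01	nj-kafka01.u4a.cn
122.97.205.102	nj-kafka02	nj-kafka02.u4a.cn
122.97.205.103	nj-kafka03	nj-kafka03.u4a.cn
122.97.205.104	nj-kafka04	nj-kafka04.u4a.cn
122.97.205.105	nj-kafka05	nj-kafka05.u4a.cn
122.97.205.116	nj-kafka06	nj-kafka06.u4a.cn
122.97.205.117	nj-kafka07	nj-kafka07.u4a.cn
122.97.205.118	nj-kafka08	nj-kafka08.u4a.cn
122.97.205.49	nj-kafka09	nj-kafka09.u4a.cn
122.97.205.50	nj-kafka10	nj-kafka10.u4a.cn
122.97.205.51	nj-kafka11	nj-kafka11.u4a.cn
162.128.174.184   hk-aso-kafka01.u4a.cn
162.128.174.185   hk-aso-kafka02.u4a.cn
162.128.174.186   hk-aso-kafka03.u4a.cn
162.128.174.187   hk-aso-kafka04.u4a.cn
162.128.174.188   hk-aso-kafka05.u4a.cn
162.128.174.189   hk-aso-kafka06.u4a.cn
162.128.174.190   hk-aso-kafka07.u4a.cn
162.128.174.191   hk-aso-kafka08.u4a.cn
162.128.174.144    hk-aso-kafka09.u4a.cn
EOF
}

#######################################
# 11/16. Write and start a systemd unit for one filebeat instance.
# NOTE(review): /usr/lib/systemd/system is the vendor unit directory; local
# units conventionally go under /etc/systemd/system. Kept as the original had it.
# Arguments: $1 - unit name, $2 - Description=, $3 - install dir, $4 - config
#######################################
write_filebeat_unit() {
  local unit=$1 description=$2 home=$3 cfg=$4
  cat > "/usr/lib/systemd/system/${unit}.service" <<EOF
[Unit]
Description=${description}
After=network.target

[Service]
ExecStart=${home}/filebeat -c ${cfg}
Restart=always

[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable "$unit"
  systemctl restart "$unit"
}

#######################################
# 12. Process/file limits (appended once).
#######################################
configure_limits() {
  append_once /etc/security/limits.conf '* soft nofile 1000000' <<'EOF'
* soft nproc 1000000
* hard nproc 1000000
* hard nofile 1000000
* soft nofile 1000000
* soft core unlimited
* soft stack 10240
EOF
}

#######################################
# 13. Kernel tuning.
# NOTE(review): this replaces /etc/sysctl.conf wholesale, discarding whatever
# was there; /etc/sysctl.d/*.conf plus `sysctl --system` is the additive form.
#######################################
configure_sysctl() {
  cat > /etc/sysctl.conf <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 16384 262144
net.ipv4.tcp_wmem = 4096 16384 262144
net.core.wmem_default = 32768
net.core.rmem_default = 32768
net.core.rmem_max = 262144
net.core.wmem_max = 262144
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_syncookies = 1
fs.file-max = 1000000
net.ipv4.ip_local_port_range = 1024 49999
EOF
  # -e: keys the running kernel lacks (tcp_tw_recycle was removed in 4.12)
  # are reported but do not make sysctl fail and abort the run.
  sysctl -e -p
  # Only affects this shell; the persistent limits come from limits.conf.
  ulimit -n 1000000
}

#######################################
# 14. tcp_wrappers allow-list for sshd (appended once).
# NOTE(review): honoured only if this sshd is built with libwrap; the
# iptables rules from step 3 are the control to rely on.
#######################################
configure_hosts_allow() {
  append_once /etc/hosts.allow 'sshd:all:deny' <<'EOF'
sshd:221.6.206.54:allow
sshd:128.1.156.140:allow
sshd:128.1.71.151:allow
sshd:120.232.214.139:allow
sshd:103.237.29.33:allow
sshd:128.1.156.130:allow
sshd:165.154.111.0/24:allow
sshd:156.59.87.0/26:allow
sshd:162.128.174.128/25:allow
sshd:10.0.0.0/8:allow
sshd:all:deny
EOF
}

#######################################
# 16. Second filebeat instance: ship statslog1 to the hk Kafka cluster.
#######################################
configure_filebeat_secondary() {
  mkdir -p /etc/filebeat1 /usr/share/filebeat1 /var/lib/filebeat1 /var/log/filebeat1
  cp -a /usr/share/filebeat/. /usr/share/filebeat1/   # "/." also copies dotfiles
  cat > /etc/filebeat1/filebeat.yml <<'EOF'
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/statslog1/x_*.log
output.kafka:
  hosts: ["hk-aso-kafka01.u4a.cn:6667","hk-aso-kafka02.u4a.cn:6667","hk-aso-kafka03.u4a.cn:6667","hk-aso-kafka04.u4a.cn:6667","hk-aso-kafka05.u4a.cn:6667","hk-aso-kafka06.u4a.cn:6667","hk-aso-kafka07.u4a.cn:6667","hk-aso-kafka08.u4a.cn:6667"]
  topic: "sl_xproxy_flow_log"
  username: "asoworld"
  password: "XXAD2014WNUCDJEKOLKUGCUCHT"
  compression: gzip
  codec.format:
    string: '%{[message]}'
EOF
  chmod 600 /etc/filebeat1/filebeat.yml   # holds Kafka credentials
}

#######################################
# 17. Zabbix agent 4.4 from the vendor repository.
# NOTE(review): the release package is the bionic (18.04) build; on another
# Ubuntu release apt-get update will fail on its source list and stop the run.
#######################################
install_zabbix_agent() {
  local deb="${workdir}/${ZABBIX_RELEASE_URL##*/}"
  fetch "$ZABBIX_RELEASE_URL" "$deb"
  dpkg -i "$deb"
  apt-get update >/dev/null
  apt-get install -y zabbix-agent

  local conf=/etc/zabbix/zabbix_agentd.conf
  # Hostname= is the address configure_tunnel_ip derived for this node.
  sed -ri "s/^Hostname=.*/Hostname=${ipadd}/" "$conf"
  sed -ri 's/^Server=.*/Server=128.1.71.203,101.37.254.110/' "$conf"
  sed -ri 's/^ServerActive=.*/ServerActive=128.1.71.203,101.37.254.110/' "$conf"
  systemctl restart zabbix-agent
  systemctl enable zabbix-agent
}

main() {
  [[ $EUID -eq 0 ]] || die "must run as root"
  set_root_password
  install_ssh_key        # before harden_ssh: key auth must exist first
  harden_ssh
  install_packages       # before the firewall step: it needs iptables
  install_rc_local_firewall
  create_dirs
  download_xproxy
  configure_tunnel_ip
  configure_supervisor
  install_filebeat
  configure_filebeat_primary
  add_hosts_entries
  write_filebeat_unit filebeat Filebeat /usr/share/filebeat /etc/filebeat/filebeat.yml
  configure_limits
  configure_sysctl
  configure_hosts_allow
  configure_filebeat_secondary
  write_filebeat_unit filebeat1 Filebeat1 /usr/share/filebeat1 /etc/filebeat1/filebeat.yml
  install_zabbix_agent
  printf '%s\n' " ====================== 完成 太棒了！！！======================"
}

main "$@"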
