Shell Deployment (部署) – Eternal Center https://eternalcenter-sep-2022.github.io/ Tue, 13 Sep 2022 12:49:32 +0000 en-US hourly 1 [工具] Shell 批量实现多个远程服务器执行命令 (多条命令版) https://eternalcenter-sep-2022.github.io/shell-command-multiple-commands/ Wed, 06 Jul 2022 08:52:35 +0000 https://eternalcenter-sep-2022.github.io/?p=26271 介绍

基本信息

作者:朱明宇
名称:批量实现多个远程服务器执行命令 (多条命令版)
作用:批量实现多个远程服务器执行命令 (多条命令版)

使用方法

1. 在此脚本的分割线内写入相应的内容
2. 给此脚本添加执行权限
3. 执行此脚本

脚本分割线里的变量

1. myuser=”zhumingyu” #用户名
2. myserver=”eternalcenter.com eternalcentre.com” #服务器名,每个服务器名以空格间隔
3. mycommand=”ls ip a s” #命令,每个命令以空格间隔
4. mysudo=”yes” #是否使用 sudo,可以选择 yes 或者 no

注意

执行脚本的用户要在远程服务器中有同名用户,此用户拥有免密钥 sudo su 权限,且能被本服务器免密钥 ssh

脚本

#!/bin/bash

####################### Separator ########################

myuser="zhumingyu"
myserver="eternalcenter.com eternalcentre.com" #each server is separated by a space
mycommand="ls ip a s" #each command is separated by a space
mysudo="yes" #please choose "yes" or "no"

####################### Separator ########################

mynow=`date +%Y-%m-%d-%H-%s`

if [ $mysudo == 'yes' ];then
        executecommand(){
                ssh -t $1@$2 "sudo -u root su - root -c \"$command\""
        }
        echo "use sudo"
fi

if [ $mysudo == 'no' ];then
        executecommand(){
                ssh -t $1@$2 "$command"
        }
        echo "don't use sudo"
fi

for commands in `echo $mycommand`
do

        for servers in `echo $myserver`
        do
                echo $servers
                echo $commands
        executecommand $myuser $servers $commands
        done

done
]]> [工具] Shell 自动化部署 LNMP + SSL 平台 (Fedora 35 版) https://eternalcenter-sep-2022.github.io/shell-lnmp-install-fedora-35/ Sat, 18 Dec 2021 13:29:31 +0000 https://eternalcenter-sep-2022.github.io/?p=19844 Continue reading "[工具] Shell 自动化部署 LNMP + SSL 平台 (Fedora 35 版)"

]]> 介绍

基本信息

作者:朱明宇
名称:自动化部署 LNMP + SSL 平台
作用:自动化安装 LNMP + SSL,即通过 Linux、Nginx、MariaDB、PHP、php-fpm、SSL,实现 HTTPS

使用方法

1. 将网站的网页数据备份、网站的 SSL 公钥、网站的 SSL 私钥、网站的数据库备份和本脚本,5 个文件放在同一目录下
2. 如果没有网站的数据库备份则将网页数据备份、网站的 SSL 公钥、网站的 SSL 私钥和本脚本,4 个文件放在同一目录下
3. 在此脚本的分割线内写入相应的内容
4. 服务器都要开启 SELinux
5. 给此脚本添加执行权限
6. 执行此脚本:./<此脚本>

脚本分割线里的变量

1. webdomain=”eternalcenter.com” #网站的域名,注意不要在前面加任何前缀
2. webtar=”eternalcenter-backup-*.tar.gz”网站的网页数据备份,如果没有这个备份,可以下载一个开源的 WordPress 网页程序
3. webcrt=”eternalcenter.com.crt” #网站 SSL 的公钥,可以自己创建也可以在 FreeSSL 上申请
4. webkey=”eternalcenter.com.key” #网站 SSL 的私钥,可以自己创建也可以在 FreeSSL 上申请
5. sqlbackup=”eternalcenter-backup-*.sql” #网站数据库数据备份,如果没有这个备份(数据库是全量备份),则这里可以为空
6. db=”ec” #网站在数据库中库
7. dbuser=”ec” #网站在数据库中的用户
8. dbuserpw=”eternalcenter” #网站在数据库中的用户密码
9. dbrootpw=”eternalcenter” #数据库的 root 密码

注意

1. 服务器的系统需要是 Fedora 35 版本
2. 服务器系统要配置好可用的软件源
3. 服务器要能够连接外网

脚本

#!/bin/bash

####################### Separator ########################
webdomain="eternalcenter.com"
webtar="eternalcenter-backup-*.tar.gz"
webcrt="eternalcenter.com.crt"
webkey="eternalcenter.com.key"
sqlbackup="eternalcenter-backup-*.sql"
db="ec"
dbuser="ec"
dbuserpw="eternalcenter"
dbrootpw="eternalcenter"
####################### Separator ########################

#Determine whether SELinux is on
getenforce | grep Enforcing
if [ $? -ne 0 ];then
	echo "SELinux is not set to enforcing mode and cannot continue"
	exit 2
fi

#Determine whether the required file exists
ls $webtar
if [ $? -ne 0 ];then
	echo "No web page data backup, unable to continue"
	exit 2
fi

ls $webcrt
if [ $? -ne 0 ];then
	echo "Cannot continue without site public key"
	exit 2
fi

ls $webkey
if [ $? -ne 0 ];then
	echo "Unable to continue without site private key"
	exit 2
fi

#Update system
yum clean all
yum repolist
yum makecache
yum -y update

#Make sure the required software is installed
yum -y install tar
yum -y install firewalld

#Deploying Nginx
yum -y install nginx

echo 'worker_processes  1;

events {
    worker_connections  1024;
}

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  60;
    client_body_timeout 20s;
    client_header_timeout 10s;
    send_timeout 30s;

    server {
        listen       80;
        limit_req zone=one burst=5;
        server_name www.eternalcenter.com eternalcenter.com;

        rewrite ^/(.*)$ https://eternalcenter-sep-2022.github.io/$1 permanent;
      
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        }

    server {
        listen       443 ssl;
        server_name www.eternalcenter.com eternalcenter.com;

        if ($request_method !~ ^(GET|POST)$){
        return 444;
        }

        ssl_certificate      /etc/nginx/ssl/eternalcenter.com.crt;
        ssl_certificate_key  /etc/nginx/ssl/eternalcenter.com.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi.conf;
            fastcgi_param  SCRIPT_FILENAME  /usr/share/nginx/html/$fastcgi_script_name;
            include fastcgi_params;
        } 

        location / {
        root html;
        index index.php index.html index.htm;

        if (-f $request_filename/index.html){rewrite (.) $1/index.html break;}
        if (-f $request_filename/index.php){rewrite (.) $1/index.php;}
        if (!-f $request_filename){rewrite (.) /index.php;}
        
        }

        location ~ ^/\.user\.ini {
        deny all;
        }
    
        location ~*\.(jpd|jpeg|gif|png|css|js|ico|xml)$ {
        expires 30d;
        }

        error_page  404              /404.html;

        }

        gzip on;
	gzip_min_length 1000;
	gzip_comp_level 4;
	gzip_types text/plain test/css application/json application/x-javascript text/xml application/xml
	application/xml+rss text/javascripts;

	client_header_buffer_size 1k;
	large_client_header_buffers 4 4k;

	open_file_cache max=2000 inactive=20s;
	open_file_cache_valid  60s;
	open_file_cache_min_uses 5;
	open_file_cache_errors off;

}' > /etc/nginx/nginx.conf

sed -i "s/server_name www.eternalcenter.com eternalcenter.com;/server_name www.$webdomain $webdomain;/" /etc/nginx/nginx.conf
sed -i "s@rewrite ^/(.*)$ https://eternalcenter-sep-2022.github.io/\$1 permanent@rewrite ^/(.*)$ https://$webdomain/\$1 permanent@" /etc/nginx/nginx.conf;
sed -i "s/eternalcenter.com.crt/$webcrt/" /etc/nginx/nginx.conf
sed -i "s/eternalcenter.com.key/$webkey/" /etc/nginx/nginx.conf

mkdir /etc/nginx/ssl
mv $webcrt /etc/nginx/ssl
mv $webkey /etc/nginx/ssl
chcon -t httpd_config_t /etc/nginx/ssl/$webcrt
chcon -t httpd_config_t /etc/nginx/ssl/$webkey
chcon -t httpd_config_t /etc/nginx/ssl/

rm -rf /usr/share/nginx/html/*
tar -xvf $webtar -C /usr/share/nginx/html/ && rm -rf $webtar
chcon -t httpd_sys_content_t -R /usr/share/nginx/html/*

yum -y install sendmail
yum -y install policycoreutils
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_sendmail 1
setsebool -P httpd_can_connect_ftp 1
setsebool -P httpd_unified 1
setsebool -P httpd_enable_cgi 1
setsebool -P httpd_builtin_scripting 1
setsebool -P mysql_connect_http 1

systemctl start nginx
systemctl enable nginx

#Deploy MariaDB
yum -y install mariadb mariadb-server

grep "^log_bin=" /etc/my.cnf.d/mariadb-server.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a log_bin=ec' /etc/my.cnf.d/mariadb-server.cnf
fi

grep "^binlog_format=" /etc/my.cnf.d/mariadb-server.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a binlog_format=\"mixed\"' /etc/my.cnf.d/mariadb-server.cnf
fi

grep "^server_id=" /etc/my.cnf.d/mariadb-server.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a server_id=51' /etc/my.cnf.d/mariadb-server.cnf
fi

sed -i 's/^plugin-load-add=auth_gssapi.so/#plugin-load-add=auth_gssapi.so/' /etc/my.cnf.d/auth_gssapi.cnf

sed -i '/^user=.*/d' /etc/my.cnf.d/mariadb-server.cnf
sed -i "/\[mysqld\]/a user=mysql" /etc/my.cnf.d/mariadb-server.cnf

sed -i '/^bind-address=.*/d' /etc/my.cnf.d/mariadb-server.cnf
sed -i "/\[mysqld\]/a bind-address=127.0.0.1" /etc/my.cnf.d/mariadb-server.cnf

chown -R mysql /var/lib/mysql

systemctl start mariadb
systemctl enable mariadb

ls $sqlbackup
if [ $? -ne 0 ];then
        mysql -uroot -e "create database $db;"
        mysql -uroot -e "create user \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "grant all privileges on $db.* to \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "set password for 'root'@'localhost'=password(\"$dbrootpw\")"
else
        mysql -uroot -e "create database $db;"
        mysql -uroot $db < $sqlbackup
	mysql -uroot -e "create user \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
	mysql -uroot -e "grant all privileges on $db.* to \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
	mysql -uroot -e "set password for 'root'@'localhost'=password(\"$dbrootpw\")"
	rm -rf $sqlbackup
fi
	
systemctl restart mariadb

#Deploy PHP
yum -y install php php-fpm php-mysqlnd php-gd php-mbstring php-opcache php-json php-xml php-xmlrpc php-pecl-zip php-pecl-imagick php-intl php-bcmath
useradd php-fpm -s /sbin/nologin
chown -R php-fpm:php-fpm /usr/share/nginx/html

sed -i /"^user =.*"/d /etc/php-fpm.conf
sed -i /"^group =.*"/d /etc/php-fpm.conf
sed -i /"^listen =.*"/d /etc/php-fpm.conf
sed -i /"^[www]"/d /etc/php-fpm.conf
sed -i /"^pm = .*"/d /etc/php-fpm.conf
sed -i /"^pm.start_servers = .*"/d /etc/php-fpm.conf
sed -i /"^pm.min_spare_servers = .*"/d /etc/php-fpm.conf
sed -i /"^pm.max_spare_servers = .*"/d /etc/php-fpm.conf
sed -i /"^pm.max_children = .*"/d /etc/php-fpm.conf
sed -i /"^pm.max_requests = .*"/d /etc/php-fpm.conf
sed -i /"^request_terminate_timeout = .*"/d /etc/php-fpm.conf

echo '[www]' >> /etc/php-fpm.conf
echo 'user = php-fpm' >> /etc/php-fpm.conf
echo 'group = php-fpm' >> /etc/php-fpm.conf
echo 'listen = 127.0.0.1:9000' >> /etc/php-fpm.conf
echo 'pm = dynamic' >> /etc/php-fpm.conf
echo 'pm.start_servers = 2' >> /etc/php-fpm.conf
echo 'pm.min_spare_servers = 2' >> /etc/php-fpm.conf
echo 'pm.max_spare_servers = 4' >> /etc/php-fpm.conf
echo 'pm.max_children = 4' >> /etc/php-fpm.conf
echo 'pm.max_requests = 1024' >> /etc/php-fpm.conf
echo 'request_terminate_timeout = 300' >> /etc/php-fpm.conf

systemctl start php-fpm
systemctl enable php-fpm

#Improve system performance
grep "^* soft nofile" /etc/security/limits.conf
if [ $? -ne 0 ];then
	echo '* soft nofile 1024' >> /etc/security/limits.conf
fi

grep "^* hard nofile" /etc/security/limits.conf
if [ $? -ne 0 ];then
	echo '* hard nofile 1024' >> /etc/security/limits.conf
fi

#Open firewall
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload

#Limit log space
yum -y install rsyslog
systemctl enable --now rsyslog

echo "/var/log/mariadb/mariadb.log {
        create 600 mysql mysql
        notifempty
	daily
        rotate 3
        missingok
        compress
    postrotate
	# just if mysqld is really running
        if [ -e /run/mariadb/mariadb.pid ]
        then
           kill -1 $(</run/mariadb/mariadb.pid)
        fi
    endscript
}" > /etc/logrotate.d/mariadb

echo "/var/log/nginx/*log {
    create 0664 nginx root
    size 1024M
    rotate 1
    missingok
    notifempty
    compress
    sharedscripts
    postrotate
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}" > /etc/logrotate.d/nginx

echo "/var/log/php-fpm/*log {
    size 100M
    rotate 1
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /bin/kill -SIGUSR1 `cat /run/php-fpm/php-fpm.pid 2>/dev/null` 2>/dev/null || true
    endscript
}" > /etc/logrotate.d/php-fpm

echo "/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    size 100M
    rotate 1
    missingok
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}" > /etc/logrotate.d/rsyslog

#Delete this script
scriptwhere=`readlink -f "$0"`
rm -rf $scriptwhere

#Restart the system
reboot
]]> [工具] Shell 将远程服务器的 LNMP 备份在本地复原 https://eternalcenter-sep-2022.github.io/shell-remote-lnmp-restore/ Fri, 10 Dec 2021 15:05:51 +0000 https://eternalcenter-sep-2022.github.io/?p=19609 Continue reading "[工具] Shell 将远程服务器的 LNMP 备份在本地复原"

]]> 介绍

基本信息

作者:朱明宇
名称:将远程服务器的 LNMP 备份还原到本地
作用:将远程服务器的 LNMP 备份还原到本地

使用方法

1. 在此脚本的分割线内写入相应的内容
2. 给此脚本添加执行权限
3. 执行此脚本

脚本分割线里的变量

1. tmppath=/cache #本地用于备份数据的目录
2. webpath=/usr/share/nginx/html #本地用于存放网站文件的目录
3. key=”~/.ssh/eternalcenter” #本地私钥
4. tmpfile=tmpfile.txt #用于存储记录的文件
5. dbuser=ec #网站在数据库中的用户
6. ruser=eternalcenter #用于远程服务器的用户
7. rhost=eternalcenter.com #远程服务器
8. rcache=”/cache” #远程服务器用于备份数据的目录

注意

1. 本地需要已经搭建好 LNMP 平台
2. 用于远程服务器的用户,需要能免密钥 ssh 远程服务器,且对于本地用于备份数据的目录和远程服务器用于备份数据的目录拥有读和执行的权限
3. 执行此脚本的用户需要有 sudo systemctl 权限
4. 脚本 ”mysql -uroot -p’eternalcenter’ ec < $sqlfile“ 中 “eternalcenter“ 是指本地 MariaDB 数据库 root 用户的密码,需要修改成本地 MariaDB 数据库的 root 用户密码

脚本

#!/bin/bash

####################### Separator ########################

tmppath=/cache
webpath=/usr/share/nginx/html
key="~/.ssh/eternalcenter"
tmpfile=tmpfile.txt
dbuser=ec

ruser=eternalcenter
rhost=eternalcenter.com
rcache="/cache"

####################### Separator ########################

nowdirectory=`pwd`

a=`ssh -i $key $ruser@$rhost "du -s $rcache" | awk '{print $1}'`
sleep 10
b=`ssh -i $key $ruser@$rhost "du -s $rcache" | awk '{print $1}'`

if [ $a -eq 0 ];then
	echo "no file"
fi

if [ $a -ne $b ];then
        echo "backup is running now"
        exit
fi

c=0

if [ -f $tmpfile ];then
        c=`cat $tmpfile`
fi

if [ $a -eq $c ];then
        echo "no new file"
        exit
fi

echo $a > $tmpfile

sqlfile=`ssh -i $key $ruser@$rhost "ls -rtlh $rcache | grep sql | tail -1" | awk '{print $NF}'`
if [ $? -eq 0 ]; then

        tarfile=`ssh -i $key $ruser@$rhost "ls -rtlh $rcache | grep tar | tail -1" | awk '{print $NF}'`
        if [ $? -eq 0 ]; then

                rm -rf $tmppath/*
                mkdir $tmppatch &> /dev/null

                echo $sqlfile
                echo $tarfile

                scp -i $key $ruser@$rhost:$rcache/$sqlfile $tmppath
                scp -i $key $ruser@$rhost:$rcache/$tarfile $tmppath

#                sudo systemctl stop nginx
#                sudo systemctl stop php-fpm

                cd $tmppath

                mysql -uroot -p'eternalcenter' -e "drop database $dbuser;"
                mysql -uroot -p'eternalcenter' -e "create database $dbuser;"
                mysql -uroot -p'eternalcenter' -e "grant all privileges on $dbuser.* to \"$dbuser\"@\"localhost\";"
                mysql -uroot -p'eternalcenter' ec < $sqlfile

                sudo rm -rf $webpath/*
                sudo tar -zxvf $tarfile -C $webpath/ &> /dev/null

#                sudo systemctl start nginx
#                sudo systemctl start php-fpm

                cd $nowdirectory

        fi
fi
]]> [工具] Shell 批量修改多个远程服务器某个用户的密码 (精致版) https://eternalcenter-sep-2022.github.io/shell-password-change-refined-version/ Sun, 10 Oct 2021 13:08:50 +0000 https://eternalcenter-sep-2022.github.io/?p=18100 介绍

基本信息

作者:朱明宇
名称:批量修改多个远程服务器某个用户的密码
作用:批量修改多个远程服务器某个用户的密码

使用方法

1. 将此脚本和清单 $list 文件放在同一目录下
2. 清单 $list 里每服务器名占用 1 行
3. 给脚本分割线里的变量赋值
4. 给此脚本添加执行权限
5. 执行此脚本

脚本分割线里的变量

1. list=”list.txt” #指定清单的目录和名称
2. user=eternalcenter #指定要修改密码的用户
3. password=eternalcenter #指定要修改的密码

注意

此脚本执行前必须要先保证执行本脚本的用户能无密码 ssh 远程这些远程服务器,并且可以通过 sudo 获得 su 的 root 权限

脚本

#!/bin/bash

####################### Separator ########################

list="list.txt"
user=eternalcenter
password=eternalcenter

####################### Separator ########################

num=1

cat $list
for i in `cat $list`
do
        echo $num
        echo $i

	ssh -t $i "type lsb_release" &> /dev/null
        if [ $? -ne 0 ]; then
              distribution=`ssh -t $i "cat /etc/*release | grep '^NAME'"`
	      if [ $? -ne 0 ];then
		      distribution=`ssh -t $i "cat /etc/*release"`
	      fi
        else
              distribution=`ssh -t $i "lsb_release -i | grep 'ID' | grep -v 'n/a'"`
        fi;

        echo $distribution

	case $distribution in
		*"RedHat"* | *"Red Hat"*)
		ssh -t $i "sudo -u root su - root -c \"echo $password | passwd --stdin $user\""
		if [ $? -eq 0 ];then
			echo -e "\033[32m$i is success\033[0m"
		else
			echo -e "\033[31m$i is fail\033[0m"
		fi
		;;

		*"CentOS"*)
		ssh -t $i "sudo -u root su - root -c \"echo $password | passwd --stdin $user\""
		if [ $? -eq 0 ];then
			echo -e "\033[32m$i is success\033[0m"
		else
			echo -e "\033[31m$i is fail\033[0m"
		fi
		;;

		*"SUSE"* | *"SLES"*)
		ssh -t $i "sudo -u root su - root -c \"echo $user:$password | chpasswd\""
		if [ $? -eq 0 ];then
			echo -e "\033[32m$i is success\033[0m"
		else
			echo -e "\033[31m$i is fail\033[0m"
		fi
		;;
               
		*"openSUSE"*)
		ssh -t $i "sudo -u root su - root -c \"echo $user:$password | chpasswd\""
		if [ $? -eq 0 ];then
			echo -e "\033[32m$i is success\033[0m"
		else
			echo -e "\033[31m$i is fail\033[0m"
		fi
		;;

		*)
                echo -e "\033[31m$i is fail \033[0m" 
		;;
        esac

        let num++

        echo
done
]]> [工具] Shell 批量重启多个远程服务器的服务 https://eternalcenter-sep-2022.github.io/shell-batch-restart/ Fri, 06 Aug 2021 07:48:11 +0000 https://eternalcenter-sep-2022.github.io/?p=17263 介绍

基本信息

作者:朱明宇
名称:批量重启多个远程服务器的服务
作用:批量重启多个远程服务器的服务

使用方法

1. 在此脚本的分割线内写入相应的内容
2. 给此脚本添加执行权限
3. 执行此脚本

脚本分割线里的变量

1. myuser=”eternalcenter” #登录远程服务器的用户
2. myserver=”192.168.1.1 192.168.1.2″ #要登录的远程服务器,以空格隔开
3. myservice=”nginx” #需要重启的服务,以空格隔开
4. mysudo=”no” #是否使用 sudo 提权,请选择 yes 或者 no

注意

1. 此脚本执行前必须要先保证执行本脚本的用户能无密码 ssh 远程这些远程服务器
2. 必须以 root 用户执行本脚本

脚本

#!/bin/bash

####################### Separator ########################

myuser="eternalcenter.com"
myserver="192.168.1.1 192.168.1.2 192.168.1.3" #each server is separated by a space
myservice="nginx" #each myservice is separated by a space
mysudo="yes" #please choose "yes" or "no"

####################### Separator ########################

mynow=`date +%Y-%m-%d-%H-%s`

if [ $mysudo == 'yes' ];then
        myrestart(){
                ssh -t $1@$2 "sudo -u root su - root -c \"systemctl restart $3\""
        }
        echo "use sudo"
fi

if [ $mysudo == 'no' ];then
        myrestart(){
                ssh -t $1@$2 "systemctl restart $3"
        }
        echo "don't use sudo"
fi

for services in $myservice
do

        for servers in `echo $myserver`
        do
                myrestart $myuser $servers $services
        done

done
]]> [工具] Shell 批量将本地文件拷贝到多个远程服务器 https://eternalcenter-sep-2022.github.io/shell-batch-copy/ Fri, 06 Aug 2021 07:37:57 +0000 https://eternalcenter-sep-2022.github.io/?p=17261 介绍

基本信息

作者:朱明宇
名称:批量将本地文件拷贝到多个远程服务器
作用:批量将本地文件拷贝到多个远程服务器

使用方法

1. 在此脚本的分割线内写入相应的内容
2. 给此脚本添加执行权限
3. 执行此脚本

脚本分割线里的变量

1. myuser=”eternalcenter” #登录远程服务器的用户
2. myserver=”192.168.1.1 192.168.1.2″ #要登录的远程服务器,以空格隔开
3. myfile=”/home/zhumingyu/test1.txt /home/zhumingyu/test2.txt” #要拷贝的文件,以空格隔开,必须是绝对路劲
4. mysudo=”no” #是否使用 sudo 提权,请选择 yes 或者 no

注意

1. 此脚本执行前必须要先保证执行本脚本的用户能无密码 ssh 远程这些远程服务器
2. 必须以 root 用户执行本脚本

脚本

#!/bin/bash

####################### Separator ########################

myuser="eternalcenter"
myserver="192.168.1.1 192.168.1.2" #each server is separated by a space
myfile="/home/zhumingyu/test1.txt /home/zhumingyu/test2.txt" #each file is separated by a space, absolute road force must be used
mysudo="no" #please choose "yes" or "no"

####################### Separator ########################

mynow=`date +%Y-%m-%d-%H-%s`
mycontext=${myfile##*\/}

if [ $mysudo == 'yes' ];then
        myreplace(){
                scp $3 $1@$2:/tmp/$5
                ssh -t $1@$2 "sudo -u root su - root -c \"mv $3 $3-$4;mv /tmp/$5 $3\""
        }
        echo "use sudo"
fi

if [ $mysudo == 'no' ];then
        myreplace(){
                scp $3 $1@$2:/tmp/$5
                ssh -t $1@$2 "mv $3 $3-$4;mv /tmp/$5 $3"
        }
        echo "don't use sudo"
fi

for files in $myfile
do

        if [ -f $files ];then

                for servers in `echo $myserver`
                do
                                myreplace $myuser $servers $files $mynow $mycontext
                done
        else
                echo "$files does not exist"
        fi

done
]]> [工具] Shell 批量修改多个远程服务器某个用户的密码 (简单版) https://eternalcenter-sep-2022.github.io/shell-password-change-simple-version/ Wed, 09 Jun 2021 10:37:59 +0000 https://eternalcenter-sep-2022.github.io/?p=14638 介绍

基本信息

作者:朱明宇
名称:批量修改多个远程服务器某个用户的密码
作用:批量修改多个远程服务器某个用户的密码,并显示密码更新时间

使用方法

1. 将此脚本和清单 $list 文件放在同一目录下
2. 清单 $list 里每个服务器名占用 1 行
3. 给脚本分割线里的变量赋值
4. 给此脚本添加执行权限
5. 执行此脚本

脚本分割线里的变量

1. list=”list.txt” #指定清单的目录和名称
2. user=eternalcenter #指定要修改密码的用户
3. password=eternalcenter #指定要修改的密码

注意

此脚本执行前必须要先保证执行本脚本的用户能无密码 ssh 远程这些远程服务器,并且可以通过 sudo 获得 su 的 root 权限

脚本

#!/bin/bash

####################### Separator ########################

list="list.txt"
user=eternalcenter
password=eternalcenter

####################### Separator ########################

num=1

cat $list
for i in `cat $list`
do
        echo $num
        echo $i
        ssh -t $i "sudo -u root su - root -c \"echo $password | passwd --stdin $user\""
        ssh -t $i "sudo -u root su - root -c \"echo $user:$password | chpasswd\""
        ssh -t $i sudo -u root su - root -c \"chage -l $user\"
        let num++

        echo
done
]]> [工具] Shell 自动化部署 LNMP + SSL 平台 (openSUSE Leap 15 版) https://eternalcenter-sep-2022.github.io/shell-lnmp-install-opensuse-leap-15/ Mon, 24 May 2021 05:53:21 +0000 https://eternalcenter-sep-2022.github.io/?p=14333 Continue reading "[工具] Shell 自动化部署 LNMP + SSL 平台 (openSUSE Leap 15 版)"

]]> 介绍

基本信息

作者:朱明宇
名称:自动化部署 LNMP + SSL 平台
作用:自动化安装 LNMP + SSL,即通过 Linux、Nginx、MariaDB、PHP、php-fpm、SSL,实现 HTTPS

使用方法

1. 将网站的网页数据备份、网站的 SSL 公钥、网站的 SSL 私钥、网站的数据库备份和本脚本,5 个文件放在同一目录下
2. 如果没有网站的数据库备份则将网页数据备份、网站的 SSL 公钥、网站的 SSL 私钥和本脚本,4 个文件放在同一目录下
3. 在此脚本的分割线内写入相应的内容
4. 开启系统的 selinux
5. 给此脚本添加执行权限
6. 执行此脚本:./<执行本脚本>

脚本分割线里的变量

1. webdomain=”eternalcenter.com” #网站的域名,注意不要在前面加任何前缀
2. webtar=”eternalcenter-backup-*.tar.gz” #网站的网页数据备份,如果没有这个备份,可以下载一个开源的 WordPress 网页程序
3. webcrt=”eternalcenter.com.crt” #网站 SSL 的公钥,可以自己创建也可以在 FreeSSl 上申请
4. webkey=”eternalcenter.com.key” #网站 SSL 的私钥,可以自己创建也可以在 FreeSSL 上申请
5. sqlbackup=”eternalcenter-backup-*.sql” #网站数据库数据备份,如果没有这个备份(数据库是全量备份),则这里可以为空
6. db=”ec” #网站在数据库中库
7. dbuser=”ec” #网站在数据库中的用户
8. dbuserpw=”eternalcenter” #网站在数据库中的用户密码
9. dbrootpw=”eternalcenter” #数据库的 root 密码

注意

1. 服务器的系统需要是 openSUSE 15 版本
2. 服务器系统要配置好可用的软件源(最好是软件数量最多的官方版本)
3. 服务器要能够连接外网

脚本

#!/bin/bash

####################### Separator ########################
webdomain="eternalcenter.com"
webtar="eternalcenter-backup-*.tar.gz"
webcrt="eternalcenter.com.crt"
webkey="eternalcenter.com.key"
sqlbackup="eternalcenter-backup-*.sql"
db="ec"
dbuser="ec"
dbuserpw="eternalcenter"
dbrootpw="eternalcenter"
####################### Separator ########################

#判断所需文件是否存在
ls $webtar
if [ $? -ne 0 ];then
	echo "没有网页数据备份,无法继续"
	exit 2
fi

ls $webcrt
if [ $? -ne 0 ];then
	echo "没有网站公钥,无法继续"
	exit 2
fi

ls $webkey
if [ $? -ne 0 ];then
	echo "没有网站私钥,无法继续"
	exit 2
fi

#更新系统
zypper ref
zypper -n update

#确保必需软件已经安装
zypper -n in tar
zypper -n in firewalld


#部署 Nginx
zypper -n in nginx

echo 'worker_processes  1;

events {
    worker_connections  1024;
}

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  60;
    client_body_timeout 20s;
    client_header_timeout 10s;
    send_timeout 30s;

    server {
        listen       80;
        limit_req zone=one burst=5;
        server_name www.eternalcenter.com eternalcenter.com;

        rewrite ^/(.*)$ https://eternalcenter-sep-2022.github.io/$1 permanent;
      
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        }

    server {
        listen 443 ssl;
        server_name www.eternalcenter.com eternalcenter.com;

        if ($request_method !~ ^(GET|POST)$){
        return 444;
        }

        ssl_certificate      /etc/nginx/ssl/eternalcenter.com.crt;
        ssl_certificate_key  /etc/nginx/ssl/eternalcenter.com.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        root /srv/www/htdocs;

        location / {
            index index.php;
            try_files $uri $uri/ /index.php$is_args$args;
            if (-f $request_filename/index.html){rewrite (.) $1/index.html break;}
            if (-f $request_filename/index.php){rewrite (.) $1/index.php;}
            if (!-f $request_filename){rewrite (.) /index.php;}
        }

        location ~ \.php$ {
            include fastcgi_params;
	    include fastcgi.conf;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /srv/www/htdocs/$fastcgi_script_name;

        }
	
	location ~ ^/\.user\.ini {
            deny all;
        }

        location ~*\.(jpd|jpeg|gif|png|css|js|ico|xml)$ {
            expires 30d;
        }

        error_page  404              /404.html;
    }

        gzip on;
	gzip_min_length 1000;
	gzip_comp_level 4;
	gzip_types text/plain test/css application/json application/x-javascript text/xml application/xml
	application/xml+rss text/javascripts;

	client_header_buffer_size 1k;

	open_file_cache_valid  60s;
	open_file_cache_min_uses 5;
	open_file_cache_errors off;

}' > /etc/nginx/nginx.conf

sed -i "s/server_name www.eternalcenter.com eternalcenter.com;/server_name www.$webdomain $webdomain;/" /etc/nginx/nginx.conf
sed -i "s@rewrite ^/(.*)$ https://eternalcenter-sep-2022.github.io/\$1 permanent@rewrite ^/(.*)$ https://$webdomain/\$1 permanent@" /etc/nginx/nginx.conf;
sed -i "s/eternalcenter.com.crt/$webcrt/" /etc/nginx/nginx.conf
sed -i "s/eternalcenter.com.key/$webkey/" /etc/nginx/nginx.conf

mkdir /etc/nginx/ssl
mv $webcrt /etc/nginx/ssl
mv $webkey /etc/nginx/ssl

rm -rf /srv/www/htdocs/*
tar -xvf $webtar -C /srv/www/htdocs/ && rm -rf $webtar

zypper -n in policycoreutils

systemctl start nginx
systemctl enable nginx

#部署 MariaDB
zypper -n in mariadb mariadb-server

grep "^log_bin=" /etc/my.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a log_bin=ec' /etc/my.cnf
fi

grep "^binlog_format=" /etc/my.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a binlog_format=\"mixed\"' /etc/my.cnf
fi

grep "^server_id=" /etc/my.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a server_id=51' /etc/my.cnf
fi

sed -i 's/^plugin-load-add=auth_gssapi.so/#plugin-load-add=auth_gssapi.so/' /etc/my.cnf

sed -i '/^user=.*/d' /etc/my.cnf
sed -i "/\[mysqld\]/a user=mysql" /etc/my.cnf

sed -i '/^bind-address=.*/d' /etc/my.cnf
sed -i "/\[mysqld\]/a bind-address=127.0.0.1" /etc/my.cnf

systemctl start mariadb
systemctl enable mariadb

chown -R mysql:mysql /var/lib/mysql

ls $sqlbackup
if [ $? -ne 0 ];then
        mysql -uroot -e "create database $db;"
        mysql -uroot -e "create user \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "grant all privileges on $db.* to \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "set password for 'root'@'localhost'=password(\"$dbrootpw\")"
else
        mysql -uroot -e "create database $db;"
        mysql -uroot $db < $sqlbackup
        mysql -uroot -e "create user \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "grant all privileges on $db.* to \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "set password for 'root'@'localhost'=password(\"$dbrootpw\")"
        rm -rf $sqlbackup
fi
	
systemctl restart mariadb

#部署 PHP
zypper -n in php7 php7-fpm php7-mysql php7-gd php7-mbstring php7-opcache php7-json php7-xmlrpc php7-zlib
useradd php-fpm -s /sbin/nologin
groupadd php-fpm
chown -R php-fpm:php-fpm /srv/www/htdocs
cp /etc/php7/fpm/php-fpm.conf.default /etc/php7/fpm/php-fpm.conf

sed -i /"^user =.*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^group =.*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^listen =.*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^[www]"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^pm = .*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^pm.start_servers = .*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^pm.min_spare_servers = .*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^pm.max_spare_servers = .*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^pm.max_children = .*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^pm.max_requests = .*"/d /etc/php7/fpm/php-fpm.conf
sed -i /"^request_terminate_timeout = .*"/d /etc/php7/fpm/php-fpm.conf

echo '[www]' >> /etc/php7/fpm/php-fpm.conf
echo 'user = php-fpm' >> /etc/php7/fpm/php-fpm.conf
echo 'group = php-fpm' >> /etc/php7/fpm/php-fpm.conf
echo 'listen = 127.0.0.1:9000' >> /etc/php7/fpm/php-fpm.conf
echo 'pm = dynamic' >> /etc/php7/fpm/php-fpm.conf
echo 'pm.start_servers = 2' >> /etc/php7/fpm/php-fpm.conf
echo 'pm.min_spare_servers = 2' >> /etc/php7/fpm/php-fpm.conf
echo 'pm.max_spare_servers = 4' >> /etc/php7/fpm/php-fpm.conf
echo 'pm.max_children = 4' >> /etc/php7/fpm/php-fpm.conf
echo 'pm.max_requests = 1024' >> /etc/php7/fpm/php-fpm.conf
echo 'request_terminate_timeout = 300' >> /etc/php7/fpm/php-fpm.conf

systemctl start php-fpm
systemctl enable php-fpm

#提高系统性能
grep "^* soft nofile" /etc/security/limits.conf
if [ $? -ne 0 ];then
	echo '* soft nofile 1024' >> /etc/security/limits.conf
fi

grep "^* hard nofile" /etc/security/limits.conf
if [ $? -ne 0 ];then
	echo '* hard nofile 1024' >> /etc/security/limits.conf
fi

#打开防火墙
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-port=443/tcp --permanent
firewall-cmd --reload

#限制日志占用空间
echo "/var/log/mariadb/mariadb.log {
        create 600 mysql mysql
        notifempty
	daily
        rotate 3
        missingok
        compress
    postrotate
	# just if mysqld is really running
        if [ -e /run/mariadb/mariadb.pid ]
        then
           kill -1 $(</run/mariadb/mariadb.pid)
        fi
    endscript
}" > /etc/logrotate.d/mariadb

echo "/var/log/nginx/*log {
    create 0664 nginx root
    size 1024M
    rotate 1
    missingok
    notifempty
    compress
    sharedscripts
    postrotate
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}" > /etc/logrotate.d/nginx

echo "/var/log/php-fpm/*log {
    size 100M
    rotate 1
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /bin/kill -SIGUSR1 `cat /run/php-fpm/php-fpm.pid 2>/dev/null` 2>/dev/null || true
    endscript
}" > /etc/logrotate.d/php-fpm

echo "/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    size 100M
    rotate 1
    missingok
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}" > /etc/logrotate.d/syslog

#删除此脚本
scriptwhere=`readlink -f "$0"`
rm -rf $scriptwhere

#重启系统
reboot
]]> [工具] Shell 自动化部署 GRUB2 Bootloader 密码 (CentOS Linux & RHEL 版) https://eternalcenter-sep-2022.github.io/shell-grub2-bootloader-centos-linux-rhel/ Thu, 04 Mar 2021 08:53:25 +0000 https://eternalcenter-sep-2022.github.io/?p=13593 介绍

基本信息

作者:朱明宇
名称:自动化部署 GRUB2 Bootloader 密码(CentOS & RHEL 版)
作用:自动化部署 GRUB2 Bootloader 密码(CentOS & RHEL 版)

使用方法

1. 给此脚本添加执行权限
2. 执行此脚本
3. 当启动系统时,左下角出现以下内容时按下 “E”:

注意

1. 登录的账号是 root
2. 登录的密码是 eternalcenter

脚本

#!/bin/bash

if [ -d /sys/firmware/efi ]; then
        echo "GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.B857B79D02FF55CA3A69B8485C1A4A427424630C804CC8A89134520A34E056D7882A778F6BC8AD856CB95DF8B99BE25F9FEAD899D826BB3915FB20BAD682D10A.4A1CF49B7F815A0578031CCA2CE98C66BDFBEAB0AE2721531BB54AFC6CFFA990FBD9062F41C006376C283B717FEC1BD9BB1AFB882AF91B5F4A812459D7974D1F" > /boot/efi/EFI/redhat/user.cfg
else
        echo "GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.B857B79D02FF55CA3A69B8485C1A4A427424630C804CC8A89134520A34E056D7882A778F6BC8AD856CB95DF8B99BE25F9FEAD899D826BB3915FB20BAD682D10A.4A1CF49B7F815A0578031CCA2CE98C66BDFBEAB0AE2721531BB54AFC6CFFA990FBD9062F41C006376C283B717FEC1BD9BB1AFB882AF91B5F4A812459D7974D1F" > /boot/grub2/user.cfg
fi
]]> [工具] Shell 自动化部署 GRUB2 Bootloader 密码 (openSUSE & SLE 版) https://eternalcenter-sep-2022.github.io/shell-grub2-bootloader-opensuse-sle/ Mon, 22 Feb 2021 09:31:39 +0000 https://eternalcenter-sep-2022.github.io/?p=13578 介绍

基本信息

作者:朱明宇
名称:自动化部署 GRUB2 Bootloader 密码(openSUSE & SLE 版)
作用:自动化部署 GRUB2 Bootloader 密码(openSUSE & SLE 版)

使用方法

1. 给此脚本添加执行权限
2. 执行此脚本
3. 当启动系统时,左下角出现以下内容时按下 “E”:
C: Command Line E: Edit Entry

注意

1. 登录的账号是 root
2. 登录的密码是 eternalcenter

脚本

#!/bin/bash

echo "#!/bin/sh
exec tail -n +3 \$0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
set superusers=\"root\"
password_pbkdf2 root grub.pbkdf2.sha512.10000.B857B79D02FF55CA3A69B8485C1A4A427424630C804CC8A89134520A34E056D7882A778F6BC8AD856CB95DF8B99BE25F9FEAD899D826BB3915FB20BAD682D10A.4A1CF49B7F815A0578031CCA2CE98C66BDFBEAB0AE2721531BB54AFC6CFFA990FBD9062F41C006376C283B717FEC1BD9BB1AFB882AF91B5F4A812459D7974D1F
export superusers
set unrestricted_menu=\"y\"
export unrestricted_menu" > /etc/grub.d/40_custom

grep "rd.shell=0" /etc/default/grub
if [ $? -ne 0 ];then
        sed -i '/GRUB_CMDLINE_LINUX_DEFAULT="/s/"$/ rd.shell=0"/' /etc/default/grub
fi

grep "showopts" /etc/default/grub
if [ $? -ne 0 ];then
        sed -i '/GRUB_CMDLINE_LINUX_DEFAULT="/s/"$/ showopts"/' /etc/default/grub
fi

grep "LANG=C" /etc/default/grub
if [ $? -ne 0 ];then
        sed -i '/GRUB_CMDLINE_LINUX_DEFAULT="/s/"$/ LANG=C"/' /etc/default/grub
fi

grub2-mkconfig -o /boot/grub2/grub.cfg
]]> [工具] Shell 批量设置官方软件源 (openSUSE Leap 15.2 版) https://eternalcenter-sep-2022.github.io/shell-official-repo-opensuse/ Sat, 06 Feb 2021 06:21:52 +0000 https://eternalcenter-sep-2022.github.io/?p=13277 介绍

基本信息

作者:朱明宇
名称:批量设置官方软件源(openSUSE 版)
作用:批量设置官方软件源(openSUSE 版)

使用方法

1. 服务器清单 $add_repo_servers_list.txt 每个服务器名占用 1 行,并和此脚本放在同一目录下
2. 在此脚本的分割线内写入相应的内容
3. 给此脚本添加执行权限
4. 执行此脚本

脚本分割线里的变量

add_repo_servers_list.txt #指定存放要设置官方软件源的文件

注意

1. 此脚本执行前必须要先保证执行此脚本的用户能无密码 ssh 远程这些远程服务器
2. 服务器的系统需要是 openSUSE 15.2 版本
3. 服务器系统要配置好可用的软件源(最好是软件数量最多的官方版本)
4. 这些远程服务器要能够连接外网

脚本

#!/bin/bash

####################### Separator ########################

add_repo_servers_list.txt

####################### Separator ########################

cat add_repo_servers_list.txt
read -p "will add opensuse_leap_15.2 repo please input y " a
echo $a

if [ "$a" != "y" ];then
        echo "you don't agree so exit now"
        exit
fi

for i in `awk '{print $1}' add_repo_servers_list.txt`
do
        ssh $i '
        sudo -u root su - root -c "zypper mr -da"
        sudo -u root su - root -c "zypper ar -fcg http://download.opensuse.org/distribution/leap/15.2/repo/oss/ OpenSUSE_Leap_152_x64_update-oss"
        sudo -u root su - root -c "zypper ar -fcg http://download.opensuse.org/distribution/leap/15.2/repo/non-oss/ OpenSUSE_Leap_152_x64_update-non-oss"
        sudo -u root su - root -c "zypper ar -fcg http://download.opensuse.org/update/leap/15.2/oss/ OpenSUSE_Leap_152_x64_oss"
        sudo -u root su - root -c "zypper ar -fcg http://download.opensuse.org/update/leap/15.2/non-oss/ OpenSUSE_Leap_152_x64_non-oss"
        sudo -u root su - root -c "zypper ref"
done
]]> [工具] Shell 批量修改多个远程服务器某个用户的过期密码 https://eternalcenter-sep-2022.github.io/shell-expired-password-change/ Thu, 06 Aug 2020 08:42:43 +0000 https://eternalcenter-sep-2022.github.io/?p=10423 介绍

基本信息

作者:朱明宇
名称:批量修改多个远程服务器某个用户的过期密码
作用:批量修改多个远程服务器某个用户的过期密码

使用方法

1. 将此脚本和清单 $list 文件放在同一目录下
2. 清单 $list 里每个远程服务器名或 IP 地址占用 1 行
3. 在此脚本的分割线内写入相应的内容
4. 在执行此脚本的系统上安装 expect
5. 给此脚本添加执行权限
6. 执行此脚本

脚本分割线里的变量

1. oldpassword=123 #原密码
2. newpassword=abc #新密码
3. user=root #要修改密码的用户
4. list=servers.txt #指定服务器清单

脚本

#!/bin/bash

####################### Separator ########################

oldpassword=123
newpassword=abc
user=root
list=servers.txt

####################### Separator ########################

set timeout 5

for i in `cat $list`
do
        echo $i
        ssh $i "whoami"

        if [ $? -eq 0 ];then
                continue
        fi

        expect << EOF
        spawn ssh $user@$i
        expect "Current password:"    {send "$oldpassword\r"}
        expect "New password:"        {send "$newpassword\r"}
        expect "Retype new password:" {send "$newpassword\r"}
        expect ">"                    {send "\r"}
        EOF

       echo

done
]]> [工具] Shell 只对某个 IP 地址开放 TCP 22 端口 (iptables 版) https://eternalcenter-sep-2022.github.io/shell-iptables-22-port-add/ Wed, 15 Jul 2020 02:29:00 +0000 https://eternalcenter-sep-2022.github.io/?p=9996 介绍

基本信息

名称:只对某个 IP 地址开放 TCP 22 端口
作用:只对某个 IP 地址开放 TCP 22 端口

使用方法

1. 给此脚本添加执行权限
2. 执行此脚本

脚本分割线里的变量

ipaddress=192.168.1.1 #要开放 TCP 22 端口的 IP 地址

脚本

#!/bin/bash

####################### Separator ########################
ipaddress=192.168.1.1
####################### Separator ########################

systemctl stop firewalld
systemctl disable firewalld

yum -y install iptables-services
zypper -n install iptables

systemctl enable iptables
systemctl start iptables

sysctl -w net.ipv4.ip_forward=1
iptables -t filter -F
iptables -t nat -F

iptables -P OUTPUT ACCEPT
#iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

iptables -t filter -A INPUT -j ACCEPT -s $ipaddress -p tcp --destination-port 22
iptables -t filter -A INPUT -j DROP -p tcp --destination-port 22

service iptables save
systemctl restart iptables
]]> [工具] Shell 取消所有已开放的端口策略 (firewalld 版) https://eternalcenter-sep-2022.github.io/shell-firewalld-all-number-ports-remove/ Fri, 26 Jun 2020 08:49:55 +0000 https://eternalcenter-sep-2022.github.io/?p=9954 介绍

基本信息

作者:朱明宇
名称:取消所有已开放的端口策略
作用:取消所有已开放的端口策略

使用方法

1. 给此脚本添加执行权限
2. 执行此脚本

脚本

#!/bin/bash

systemctl start firewalld
systemctl enable firewalld

for i in `firewall-cmd --list-all | grep ports | egrep [0-9] | awk -F':' '{print $2}'`
do
        pports=`echo $i | awk -F'/' '{print $1}'`
        ptus=`echo $i | awk -F'/' '{print $2}'`

        firewall-cmd --remove-port=$pports/$ptus --permanent

done

firewall-cmd --add-service=ssh --permanent
firewall-cmd --reload
]]> [工具] Shell 取消所有已设置的复杂端口策略 (firewalld 版) https://eternalcenter-sep-2022.github.io/shell-firewalld-all-number-ports-rich-rules-remove/ Fri, 26 Jun 2020 08:30:51 +0000 https://eternalcenter-sep-2022.github.io/?p=9941 介绍

基本信息

作者:朱明宇
名称:取消所有已设置的复杂端口策略
作用:取消所有已设置的复杂端口策略

使用方法

1. 给此脚本添加执行权限
2. 执行此脚本

脚本

#!/bin/bash

systemctl start firewalld
systemctl enable firewalld

max=`firewall-cmd --list-all | grep "rule family" | wc -l`

for i in `seq 1 $max`
do
        echo $i
        lines=`firewall-cmd --list-all | grep "rule family" | sed -n $[i]p`
        ipvs=`echo $lines | awk -F'"' '{print $2}'`
        ips=`echo $lines | awk -F'"' '{print $4}'`
        ports=`echo $lines | awk -F'"' '{print $6}'`
        tus=`echo $lines | awk -F'"' '{print $8}'`
        acts=`echo $lines | awk -F'"' '{print $9}'`

        echo $ipvs $ips $ports $tus $acts
        firewall-cmd --remove-rich-rule="rule family="$ipvs" source address="$ips" port protocol="$tus" port="$ports" $acts" --permanent
done

firewall-cmd --add-service=ssh --permanent
firewall-cmd --reload
]]> [工具] Shell 开放所有正处于监听状态的端口策略 (firewalld 版) https://eternalcenter-sep-2022.github.io/shell-firewalld-listening-number-ports-add/ Fri, 26 Jun 2020 08:24:03 +0000 https://eternalcenter-sep-2022.github.io/?p=9939 介绍

基本信息

作者:朱明宇
名称:开放所有正处于监听状态的端口策略
作用:开放所有正处于监听状态的端口策略

使用方法

1. 给此脚本添加执行权限
2. 执行此脚本

脚本

#!/bin/bash

systemctl start firewalld
systemctl enable firewalld

for k in `ss -ntulap |grep 0.0.0.0 | grep LISTEN | awk '{print $5}' | awk -F':' '{print $2}'`
do 
        firewall-cmd --add-port=$k/tcp --permanent
done

firewall-cmd --reload
]]> [工具] Shell 批量对多个 IP 地址开发多个端口策略 (firewalld 版) https://eternalcenter-sep-2022.github.io/shell-firewalld-number-ports-rich-rules-add/ Fri, 26 Jun 2020 08:20:19 +0000 https://eternalcenter-sep-2022.github.io/?p=9937 介绍

基本信息

作者:朱明宇
名称:批量对多个 IP 地址开发多个端口策略
作用:批量对多个 IP 地址开发多个端口策略

使用方法

1. 在此脚本的分割线内写入相应的内容
2. 给此脚本添加执行权限
3. 执行此脚本

脚本分割线里的变量

1.ips=”192.168.2.1 192.168.1.0/24″ #要开放端口的 IP 地址
2.ports”22 3306 8080-8090″ #要开放的端口

脚本

#!/bin/bash

####################### Separator ########################

ips="192.168.2.1 192.168.1.0/24"
ports"22 3306 8080-8090"

####################### Separator ########################

systemctl start firewalld
systemctl enable firewalld

for i in $ips
do
        for j in $ports
        do
                firewall-cmd --add-rich-rule="rule family="ipv4" source address="$i" port protocol="tcp" port="$j" accept" --permanent
        done
        echo $i done
        echo
done

firewall-cmd --reload
]]> [工具] Shell 在 MariaDB & MySQL 的配置文件里设置部分安全策略 https://eternalcenter-sep-2022.github.io/shell-mariadb-mysql-securtiy/ Sun, 12 Apr 2020 08:22:54 +0000 https://eternalcenter-sep-2022.github.io/?p=8736 介绍:

作者:朱明宇
名称:在 MariaDB & MySQL 的配置文件里设置部分安全策略
作用:在 MariaDB & MySQL 的配置文件里设置部分安全策略

使用方法:
1. 确认 MariaDB & MySQL 已提前装好
2. 在此脚本的分割线内写入相应的内容
3. 给此脚本增加执行权限
4. 执行此脚本

脚本:

#!/bin/bash

#At the system level, start the database as a MySQL user
chown -R mysql /var/lib/mysql
sed -i '/^user=/d' /etc/my.cnf.d/mariadb-server.cnf
sed -i '/^datadir/a user=mysql' /etc/my.cnf.d/mariadb-server.cnf

#Disable client local data reading at the system level
sed -i '/^local-infile=/d' /etc/my.cnf.d/mariadb-server.cnf
sed -i '/^datadir/a local-infile=0' /etc/my.cnf.d/mariadb-server.cnf

#At the system level, remote login of database is prohibited
sed -i '/^bind-address=/d' /etc/my.cnf.d/mariadb-server.cnf
sed -i '/^datadir/a bind-address=127.0.0.1' /etc/my.cnf.d/mariadb-server.cnf

#Restart database
systemctl restart mariadb ; systemctl restart mysql
]]> [工具] Shell 自动化部署 LNMP + SSL 平台 (CentOS Linux 8 版) https://eternalcenter-sep-2022.github.io/shell-lnmp-install-centos-linux-8/ Sat, 11 Apr 2020 15:29:16 +0000 https://eternalcenter-sep-2022.github.io/?p=8720 Continue reading "[工具] Shell 自动化部署 LNMP + SSL 平台 (CentOS Linux 8 版)"

]]> 介绍

基本信息

作者:朱明宇
名称:自动化部署 LNMP + SSL 平台
作用:自动化安装 LNMP + SSL,即通过 Linux、Nginx、MariaDB、PHP、php-fpm、SSL,实现 HTTPS

使用方法

1. 将网站的网页数据备份、网站的 SSL 公钥、网站的 SSL 私钥、网站的数据库备份和本脚本,5 个文件放在同一目录下
2. 如果没有网站的数据库备份则将网页数据备份、网站的 SSL 公钥、网站的 SSL 私钥和本脚本,4 个文件放在同一目录下
3. 在此脚本的分割线内写入相应的内容
4. 服务器都要开启 SELinux
5. 给此脚本添加执行权限
6. 执行此脚本:./<此脚本>

脚本分割线里的变量

1. webdomain=”eternalcenter.com” #网站的域名,注意不要在前面加任何前缀
2. webtar=”eternalcenter-backup-*.tar.gz”网站的网页数据备份,如果没有这个备份,可以下载一个开源的 WordPress 网页程序
3. webcrt=”eternalcenter.com.crt” #网站 SSL 的公钥,可以自己创建也可以在 FreeSSL 上申请
4. webkey=”eternalcenter.com.key” #网站 SSL 的私钥,可以自己创建也可以在 FreeSSL 上申请
5. sqlbackup=”eternalcenter-backup-*.sql” #网站数据库数据备份,如果没有这个备份(数据库是全量备份),则这里可以为空
6. db=”ec” #网站在数据库中库
7. dbuser=”ec” #网站在数据库中的用户
8. dbuserpw=”eternalcenter” #网站在数据库中的用户密码
9. dbrootpw=”eternalcenter” #数据库的 root 密码

注意

1. 服务器的系统需要是 CentOS 8 版本
2. 服务器系统要配置好可用的软件源
3. 服务器要能够连接外网

脚本

#!/bin/bash

####################### Separator ########################
webdomain="eternalcenter.com"
webtar="eternalcenter-backup-*.tar.gz"
webcrt="eternalcenter.com.crt"
webkey="eternalcenter.com.key"
sqlbackup="eternalcenter-backup-*.sql"
db="ec"
dbuser="ec"
dbuserpw="eternalcenter"
dbrootpw="eternalcenter"
####################### Separator ########################

#Determine whether SELinux is on
getenforce | grep Enforcing
if [ $? -ne 0 ];then
	echo "SELinux is not set to enforcing mode and cannot continue"
	exit 2
fi

#Determine whether the required file exists
ls $webtar
if [ $? -ne 0 ];then
	echo "No web page data backup, unable to continue"
	exit 2
fi

ls $webcrt
if [ $? -ne 0 ];then
	echo "Cannot continue without site public key"
	exit 2
fi

ls $webkey
if [ $? -ne 0 ];then
	echo "Unable to continue without site private key"
	exit 2
fi

#Update system
yum clean all
yum repolist
yum makecache
yum -y update

#Make sure the required software is installed
yum -y install tar
yum -y install firewalld

#Deploying Nginx
yum -y install nginx

echo 'worker_processes  1;

events {
    worker_connections  1024;
}

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  60;
    client_body_timeout 20s;
    client_header_timeout 10s;
    send_timeout 30s;

    server {
        listen       80;
        limit_req zone=one burst=5;
        server_name www.eternalcenter.com eternalcenter.com;

        rewrite ^/(.*)$ https://eternalcenter-sep-2022.github.io/$1 permanent;
      
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        }

    server {
        listen       443 ssl;
        server_name www.eternalcenter.com eternalcenter.com;

        if ($request_method !~ ^(GET|POST)$){
        return 444;
        }

        ssl_certificate      /etc/nginx/ssl/eternalcenter.com.crt;
        ssl_certificate_key  /etc/nginx/ssl/eternalcenter.com.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi.conf;
            fastcgi_param  SCRIPT_FILENAME  /usr/share/nginx/html/$fastcgi_script_name;
            include fastcgi_params;
        } 

        location / {
        root html;
        index index.php index.html index.htm;

        if (-f $request_filename/index.html){rewrite (.) $1/index.html break;}
        if (-f $request_filename/index.php){rewrite (.) $1/index.php;}
        if (!-f $request_filename){rewrite (.) /index.php;}
        
        }

        location ~ ^/\.user\.ini {
        deny all;
        }
    
        location ~*\.(jpd|jpeg|gif|png|css|js|ico|xml)$ {
        expires 30d;
        }

        error_page  404              /404.html;

        }

        gzip on;
	gzip_min_length 1000;
	gzip_comp_level 4;
	gzip_types text/plain test/css application/json application/x-javascript text/xml application/xml
	application/xml+rss text/javascripts;

	client_header_buffer_size 1k;
	large_client_header_buffers 4 4k;

	open_file_cache max=2000 inactive=20s;
	open_file_cache_valid  60s;
	open_file_cache_min_uses 5;
	open_file_cache_errors off;

}' > /etc/nginx/nginx.conf

sed -i "s/server_name www.eternalcenter.com eternalcenter.com;/server_name www.$webdomain $webdomain;/" /etc/nginx/nginx.conf
sed -i "s@rewrite ^/(.*)$ https://eternalcenter-sep-2022.github.io/\$1 permanent@rewrite ^/(.*)$ https://$webdomain/\$1 permanent@" /etc/nginx/nginx.conf;
sed -i "s/eternalcenter.com.crt/$webcrt/" /etc/nginx/nginx.conf
sed -i "s/eternalcenter.com.key/$webkey/" /etc/nginx/nginx.conf

mkdir /etc/nginx/ssl
mv $webcrt /etc/nginx/ssl
mv $webkey /etc/nginx/ssl
chcon -t httpd_config_t /etc/nginx/ssl/$webcrt
chcon -t httpd_config_t /etc/nginx/ssl/$webkey
chcon -t httpd_config_t /etc/nginx/ssl/

rm -rf /usr/share/nginx/html/*
tar -xvf $webtar -C /usr/share/nginx/html/ && rm -rf $webtar
chcon -t httpd_sys_content_t -R /usr/share/nginx/html/*

yum -y install sendmail
yum -y install policycoreutils
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_sendmail 1
setsebool -P httpd_can_connect_ftp 1
setsebool -P httpd_unified 1
setsebool -P httpd_enable_cgi 1
setsebool -P httpd_builtin_scripting 1
setsebool -P mysql_connect_http 1

systemctl start nginx
systemctl enable nginx

#Deploy MariaDB
yum -y install mariadb mariadb-server

grep "^log_bin=" /etc/my.cnf.d/mariadb-server.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a log_bin=ec' /etc/my.cnf.d/mariadb-server.cnf
fi

grep "^binlog_format=" /etc/my.cnf.d/mariadb-server.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a binlog_format=\"mixed\"' /etc/my.cnf.d/mariadb-server.cnf
fi

grep "^server_id=" /etc/my.cnf.d/mariadb-server.cnf
if [ $? -ne 0 ];then
	sed -i '/^datadir/a server_id=51' /etc/my.cnf.d/mariadb-server.cnf
fi

sed -i 's/^plugin-load-add=auth_gssapi.so/#plugin-load-add=auth_gssapi.so/' /etc/my.cnf.d/auth_gssapi.cnf

sed -i '/^user=.*/d' /etc/my.cnf.d/mariadb-server.cnf
sed -i "/\[mysqld\]/a user=mysql" /etc/my.cnf.d/mariadb-server.cnf

sed -i '/^bind-address=.*/d' /etc/my.cnf.d/mariadb-server.cnf
sed -i "/\[mysqld\]/a bind-address=127.0.0.1" /etc/my.cnf.d/mariadb-server.cnf

chown -R mysql /var/lib/mysql

systemctl start mariadb
systemctl enable mariadb

ls $sqlbackup
if [ $? -ne 0 ];then
        mysql -uroot -e "create database $db;"
        mysql -uroot -e "create user \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "grant all privileges on $db.* to \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
        mysql -uroot -e "set password for 'root'@'localhost'=password(\"$dbrootpw\")"
else
        mysql -uroot -e "create database $db;"
        mysql -uroot $db < $sqlbackup
	mysql -uroot -e "create user \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
	mysql -uroot -e "grant all privileges on $db.* to \"$dbuser\"@\"localhost\" identified by \"$dbuserpw\";"
	mysql -uroot -e "set password for 'root'@'localhost'=password(\"$dbrootpw\")"
	rm -rf $sqlbackup
fi
	
systemctl restart mariadb

#Deploy PHP
yum -y install php php-fpm php-mysqlnd php-gd php-mbstring php-opcache php-json php-xml php-xmlrpc php-pecl-zip
useradd php-fpm -s /sbin/nologin
chown -R php-fpm:php-fpm /usr/share/nginx/html

sed -i /"^user =.*"/d /etc/php-fpm.conf
sed -i /"^group =.*"/d /etc/php-fpm.conf
sed -i /"^listen =.*"/d /etc/php-fpm.conf
sed -i /"^[www]"/d /etc/php-fpm.conf
sed -i /"^pm = .*"/d /etc/php-fpm.conf
sed -i /"^pm.start_servers = .*"/d /etc/php-fpm.conf
sed -i /"^pm.min_spare_servers = .*"/d /etc/php-fpm.conf
sed -i /"^pm.max_spare_servers = .*"/d /etc/php-fpm.conf
sed -i /"^pm.max_children = .*"/d /etc/php-fpm.conf
sed -i /"^pm.max_requests = .*"/d /etc/php-fpm.conf
sed -i /"^request_terminate_timeout = .*"/d /etc/php-fpm.conf

echo '[www]' >> /etc/php-fpm.conf
echo 'user = php-fpm' >> /etc/php-fpm.conf
echo 'group = php-fpm' >> /etc/php-fpm.conf
echo 'listen = 127.0.0.1:9000' >> /etc/php-fpm.conf
echo 'pm = dynamic' >> /etc/php-fpm.conf
echo 'pm.start_servers = 2' >> /etc/php-fpm.conf
echo 'pm.min_spare_servers = 2' >> /etc/php-fpm.conf
echo 'pm.max_spare_servers = 4' >> /etc/php-fpm.conf
echo 'pm.max_children = 4' >> /etc/php-fpm.conf
echo 'pm.max_requests = 1024' >> /etc/php-fpm.conf
echo 'request_terminate_timeout = 300' >> /etc/php-fpm.conf

systemctl start php-fpm
systemctl enable php-fpm

#Improve system performance
grep "^* soft nofile" /etc/security/limits.conf
if [ $? -ne 0 ];then
	echo '* soft nofile 1024' >> /etc/security/limits.conf
fi

grep "^* hard nofile" /etc/security/limits.conf
if [ $? -ne 0 ];then
	echo '* hard nofile 1024' >> /etc/security/limits.conf
fi

#Open firewall
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-port=443/tcp --permanent
firewall-cmd --reload

#Limit log space
echo "/var/log/mariadb/mariadb.log {
        create 600 mysql mysql
        notifempty
	daily
        rotate 3
        missingok
        compress
    postrotate
	# just if mysqld is really running
        if [ -e /run/mariadb/mariadb.pid ]
        then
           kill -1 $(</run/mariadb/mariadb.pid)
        fi
    endscript
}" > /etc/logrotate.d/mariadb

echo "/var/log/nginx/*log {
    create 0664 nginx root
    size 1024M
    rotate 1
    missingok
    notifempty
    compress
    sharedscripts
    postrotate
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
    endscript
}" > /etc/logrotate.d/nginx

echo "/var/log/php-fpm/*log {
    size 100M
    rotate 1
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /bin/kill -SIGUSR1 `cat /run/php-fpm/php-fpm.pid 2>/dev/null` 2>/dev/null || true
    endscript
}" > /etc/logrotate.d/php-fpm

echo "/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    size 100M
    rotate 1
    missingok
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}" > /etc/logrotate.d/syslog

#Delete this script
scriptwhere=`readlink -f "$0"`
rm -rf $scriptwhere

#Restart the system
reboot
]]> [工具] Shell 批量实现多个远程服务器执行命令 (单条命令版) https://eternalcenter-sep-2022.github.io/shell-command-single-command/ Fri, 10 Apr 2020 08:28:56 +0000 https://eternalcenter-sep-2022.github.io/?p=8704 介绍:

基本信息

作者:朱明宇
名称:批量实现多个远程服务器执行命令 (单条命令版)
作用:批量实现多个远程服务器执行命令 (单条命令版)

使用方法

1. 将此脚本和清单 $list 文件放在同一目录下
2. 清单 $list 里每一个远程服务器名或 IP 地址占用 1 行
3. 在此脚本的分割线内写入相应的内容
4. 给此脚本添加执行权限
5. 执行此脚本

脚本分割线里的变量

1. execute=”top -bn 1 | head -1″ #指定要执行的命令
2. list=servers.txt #指定服务器清单

注意

执行脚本的用户要在远程服务器中有同名用户,此用户拥有免密钥 sudo su 权限,且能被本服务器免密钥 ssh

脚本:

#!/bin/bash

####################### Separator ########################

execute="top -bn 1 | head -1"
list=servers.txt

####################### Separator ########################

echo "WARNING: before execute this, please execute \"screen -S update\" command first"

read -p "will execute $execute on servers in $list, if you agree please input y : " b
echo "you input $b"

if [ "$b" != "y" ];then
        echo "you don't agree so exit now"
        exit 0
fi

num=0

for i in `awk '{print $1}' $list`
do
        let num++
        echo "$num $i"
        ssh -t $i "sudo -u root su - root -c \"$execute\""
        echo "$i has been done"
        echo
done
]]>