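# SSH hardening: move sshd to port 15389, allow key-based login, and turn off
# password login (root can still log in with a key or be reached via su).
#
# NOTE: sshd is restarted here, before the firewall section further down opens
# port 15389. Keep the current session open and confirm that a new login on
# 15389 works before disconnecting.
sshd_config=/etc/ssh/sshd_config
sshd_backup="$sshd_config.bak.$(date +%Y%m%d%H%M%S)"

# Keep a copy so a bad edit can be rolled back.
cp -p -- "$sshd_config" "$sshd_backup" || exit 1

# Every pattern is anchored to the start of the line so that only the directive
# itself is rewritten, never prose inside a comment.
sed -i -E 's/^#?Port[[:space:]]+22[[:space:]]*$/Port 15389/' "$sshd_config"

# Allow key-based login: uncomment the directives and keep their values.
sed -i -E 's/^#[[:space:]]*(RSAAuthentication|PubkeyAuthentication)([[:space:]])/\1\2/' "$sshd_config"

# Disable password login. The commented-out default is matched as well:
# turning "#PasswordAuthentication yes" into "#PasswordAuthentication no"
# would leave the directive commented out and sshd on its built-in default,
# which permits passwords.
sed -i -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]]+(yes|no)[[:space:]]*$/PasswordAuthentication no/' "$sshd_config"

# Disable password login for root while still allowing keys and su.
# "without-password" is kept for the OpenSSH releases that still accept
# RSAAuthentication; newer releases spell the same setting "prohibit-password".
sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]]+yes[[:space:]]*$/PermitRootLogin without-password/' "$sshd_config"

# Validate before restarting: a syntax error in sshd_config would otherwise
# take remote access down together with the daemon.
sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
if "$sshd_bin" -t -f "$sshd_config"; then
  service sshd restart
else
  echo "sshd_config failed validation; restoring $sshd_backup, sshd not restarted" >&2
  cp -p -- "$sshd_backup" "$sshd_config"
  exit 1
fi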

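# Firewall: the Aliyun image does not ship an initial iptables configuration,
# so the ruleset is written from scratch.
# NOTE(review): these rules cover IPv4 only; if the host has an IPv6 address,
# ip6tables needs an equivalent policy.
iptables_rules=/etc/sysconfig/iptables

# Back up the previous ruleset if something else already created one.
if [ -e "$iptables_rules" ]; then
  cp -p -- "$iptables_rules" "$iptables_rules.bak" || exit 1
fi

# Build the ruleset in a temporary file beside the target so it can be checked
# first and then moved into place in one step; mktemp creates it owner-only.
iptables_tmp=$(mktemp "$iptables_rules.XXXXXX") || exit 1

# Port 15389 (the new sshd port) is part of the persisted ruleset, so it no
# longer depends on a runtime insert followed by "service iptables save".
# Port 22 is kept as in the original; drop that rule once a login on 15389 has
# been confirmed.
cat > "$iptables_tmp" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 15389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# Parse the file without committing it, so a malformed ruleset never replaces
# the live one.
if iptables-restore --test < "$iptables_tmp"; then
  chmod 600 "$iptables_tmp"
  mv -f -- "$iptables_tmp" "$iptables_rules"
  service iptables restart
else
  echo "generated iptables ruleset failed validation; $iptables_rules left unchanged" >&2
  rm -f -- "$iptables_tmp"
  exit 1
fi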



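# PHP hardening: disable functions that run commands, change ownership, open
# sockets or alter ini settings at runtime.
php_ini=/usr/local/php/lib/php.ini

# disable_functions takes function names. "exec" is included here: the
# original list had it only on the disable_classes line, where function names
# have no effect, so exec() stayed callable. Duplicate entries are removed, and
# "popepassthru" is dropped because it does not look like a PHP function name
# (popen and passthru are both listed separately).
# NOTE(review): escapeshellcmd is an escaping helper rather than an execution
# primitive; confirm nothing deployed depends on it.
php_disabled_functions='pcntl_exec,putenv,mail,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,stream_socket_server,escapeshellcmd,popen,show_source,socket_create'

# disable_classes takes class names; COM is the only class in the original list.
php_disabled_classes='COM'

cp -p -- "$php_ini" "$php_ini.bak" || exit 1

#######################################
# Fill in a php.ini list directive, but only while it is still empty.
# An already populated directive is left alone, so existing entries are never
# dropped and a second run does not stack the list on top of itself.
# Arguments: $1 - directive name, $2 - comma-separated value
# Outputs:   a warning on stderr when the directive is not present and empty
#######################################
php_ini_set_if_empty() {
  local key=$1
  local value=$2
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\$" "$php_ini"; then
    # Anchored to the directive line, so comment text mentioning the key
    # is not rewritten.
    sed -i -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\$/${key} = ${value}/" "$php_ini"
  else
    echo "$php_ini: ${key} is missing or already set; review it manually" >&2
  fi
}

php_ini_set_if_empty disable_classes "$php_disabled_classes"
php_ini_set_if_empty disable_functions "$php_disabled_functions"

/usr/local/apache/bin/apachectl restart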