• Linux主机安全配置的几个脚本【转载】


    标签:linux Linux主机安全配置的几个脚本 职场 休闲
    原创作品,允许转载,转载时请务必以超链接形式标明文章 原始出处 、作者信息和本声明。否则将追究法律责任。http://hx100.blog.51cto.com/44326/373320


    vim /etc/login.defs
    PASS_MAX_DAYS 90 //口令最大有效天数
    PASS_MIN_DAYS 10 //口令最小有效天数
    PASS_MIN_LEN 8 //口令最少字符数
    PASS_WARN_AGE 5 //口令过期提前警告天数

    echo 'ONLY Authorized users only! All accesses logged' > /etc/motd
    rm -f /etc/issue
    rm -f /etc/issue.net
    touch /etc/issue
    touch /etc/issue.net

    find / -name *.rhosts
    touch /.rhosts && chmod 0 /.rhosts

    防止IP SPOOF
    echo "nospoof on" >>/etc/host.conf

    chkconfig bluetooth off
    chkconfig firstboot off
    chkconfig cups off
    chkconfig ip6tables off
    chkconfig iptables off
    chkconfig isdn off
    chkconfig kudzu off
    chkconfig sendmail off
    chkconfig smartd off
    chkconfig autofs off
    service vncserver off
    service bluetooth stop
    service firstboot stop
    service cups stop
    service ip6tables stop
    service iptables stop
    service isdn stop
    service kudzu stop
    service sendmail stop
    service smartd stop
    service autofs stop
    service vncserver stop
    锁定不需要的用户
    usermod -L adm
    usermod -L lp
    usermod -L sync
    usermod -L shutdown
    usermod -L halt
    usermod -L news
    usermod -L uucp
    usermod -L operator
    usermod -L ftp
    usermod -L rpc
    usermod -L rpcuser
    usermod -L gopher
    usermod -L nscd

    删除不需要的组
    groupdel lp
    groupdel news
    groupdel games
    groupdel gopher
    groupdel uucp

    本次必须要保留的用户是:
    root、bin、nobody、ntp、ssh、uucp
    必须保留的组包括:
    root、nobody、ntp、uucp

    useradd jboss
    passwd jboss
    usermod -g jboss -G wheel jboss
    vim /etc/pam.d/su
    auth required pam_wheel.so use.uid 把这一行的注释去掉,只有wheel组的用户才能su到root
    chown -R jboss.jboss /usr/local/jboss-4.2.3.GA


    #!/bin/bash
    cd /usr/local/jboss-4.2.3.GA/server/default/deploy/
    rm -rf bsh-deployer.xml
    rm -rf client-deployer-service.xml
    rm -rf ear-deployer.xml
    rm -rf ejb-deployer.xml
    rm -rf http-invoker.sar
    rm -rf jboss-bean.deployer
    rm -rf jms
    rm -rf jsr88-service.xml
    rm -rf schedule-manager-service.xml
    rm -rf scheduler-service.xml
    rm -rf sqlexception-service.xml
    rm -rf uuid-key-generator.sar
    rm -rf jmx-console.war
    rm -rf management
    cd /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/ROOT.war
    rm -rf *
    exit
    隐藏jboss版本信息
    vim /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/server.xml

    <Connector port="8080" address="${jboss.bind.address}"
    maxThreads="250" maxHttpHeaderSize="8192"
    emptySessionPath="true" protocol="HTTP/1.1"
    enableLookups="false" redirectPort="8443" acceptCount="100"
    connectionTimeout="20000" disableUploadTimeout="true"
    server="ESB" />
    在这一段最后加上一个server="ESB"/>
    vim /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/conf/web.xml

    <init-param>
    <param-name>X-Powered-By</param-name>
    <param-value>ESB2.0</param-value>
    </init-param>
    vim /etc/ssh/sshd_config
    把PermitRootLogin yes前面的"#"去掉,把"yes"改为"no"
    #ClientAliveCountMax 3
    把这个前面的"#"去掉,就是超过3分钟闲置,就自动断开session
    service sshd restart
    sed -i -e 's/^LANG=.*/LANG="en_US.UTF-8"/' /etc/sysconfig/i18n
    source /etc/sysconfig/i18n

    vim /etc/hosts.allow
    sshd:192.168.0.199,192.168.0.201,192.168.0.121
    vim /etc/hosts.deny
    sshd:all
    service xinetd restart

    截短~/.bash_history文件
    vim /etc/profile
    HISTSIZE=1000改成20

    vim /etc/skel/.bash_logout
    在/etc/skel/.bash_logout在文件中添加这行
    rm -rf $HOME/.bash_history
    这样当用户注销时,.bash_history被删除

    DenyHosts是用Python2.3写的一个程序,它会分析/var/log/secure(redhat,Fedora Core)等日志文件,当发现同一IP在进行多次SSH密
    码尝试时就会记录IP到/etc/hosts.deny文件,从而达到自动屏蔽该IP的目的。
    wget http://downloads.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fdenyhosts%2Ffiles%2F&ts=1281580068&mirror=ncu
    tar -zxvf DenyHosts-2.6.tar.gz
    cd DenyHosts-2.6
    python setup.py install

    cd /usr/share/denyhosts/
    grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg
    cp daemon-control-dist daemon-control
    vim denyhosts.cfg
    PURGE_DENY = 5m //5分钟清除
    DENY_THRESHOLD_INVALID = 1 //允许无效用户失败的次数
    DENY_THRESHOLD_VALID = 5 //允许普通用户登陆失败的次数
    DENY_THRESHOLD_ROOT = 5 //允许root登陆失败的次数

    chown root daemon-control
    chmod 700 daemon-control

    vim /etc/rc.local
    /usr/share/denyhosts/daemon-control start
    vim /etc/audit/audit.rules 最后增加一行,对该目录审计
    -w /usr/local/jboss-4.2.3.GA/server/default/deploy -pwa
    service auditd restart
    查看审计规则 auditctl -l
    查看audit运行状态 auditctl -s
    审计工具
    wget http://www.rootkit.nl/files/lynis-1.2.9.tar.gz
    给关键文件加root权限
    chmod 744 /etc/passwd
    chmod 740 /etc/shadow
    chmod 744 /etc/rc3.d
    chmod 744 /etc/profile
    chmod 1777 /tmp
    chmod 644 /etc/exports
    chmod -R 700 /etc/rc.d/init.d/*
    Control-Alt-Delete 键盘关机命令
    vim /etc/inittab
    ca::ctrlaltdel:/sbin/shutdown -t3 -r now
    这一行前面加#,改成
    #ca::ctrlaltdel:/sbin/shutdown -t3 -r now

    给文件加锁(暂时不实施)
    chattr +i /etc/passwd
    chattr +i /etc/shadow
    chattr +i /etc/group
    chattr +i /etc/services
    chmod 600 /etc/xinetd.conf
    当chattr +i时就是禁止对文件进行修改,当我们要添加用户时,就会有麻烦,因为passwd文件禁止修改写入.
    所以我们还要该掉它的属性.chattr -i.

    脚本如下:
    init_sysctl.sh

    #!/bin/bash
    cp /etc/sysctl.conf /etc/sysctl.conf.bak
    echo "####add by hx10###">> /etc/sysctl.conf
    echo "net.ipv4.ip_local_port_range = 1024 65536" >> /etc/sysctl.conf
    echo "net.core.rmem_max=16777216" >> /etc/sysctl.conf
    echo "net.core.wmem_max=16777216" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_rmem=4096 87380 16777216" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_wmem=4096 65536 16777216" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_fin_timeout = 15" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_keepalive_time = 600" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_tw_recycle = 1" >> /etc/sysctl.conf
    echo "net.core.netdev_max_backlog = 30000" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_no_metrics_save=1" >> /etc/sysctl.conf
    echo "net.core.somaxconn = 262144" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_max_orphans = 8000" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_max_syn_backlog = 8000" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_synack_retries = 2" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_syn_retries = 2" >> /etc/sysctl.conf
    sysctl -p
    ###change max open files
    ulimit -SHn 102400
    echo "ulimit -SHn 102400" >>/etc/rc.local
    ulimit -a
    exit



    init_system.sh

    #!/bin/bash
    #change password policy
    cp /etc/login.defs /etc/login.defs.bak
    sed -i 's/^PASS_MAX_DAYSs*99999/PASS_MAX_DAYS 90/' /etc/login.defs
    sed -i 's/^PASS_MIN_DAYSs*0/PASS_MIN_DAYS 10/' /etc/login.defs
    sed -i 's/^PASS_MIN_LENs*5/PASS_MIN_LEN 8/' /etc/login.defs
    sed -i 's/^PASS_WARN_AGEs*7/PASS_WARN_AGE 5/' /etc/login.defs
    #stop Linux detection
    echo 'ONLY Authorized users only! All accesses logged' > /etc/motd
    cp /etc/issue /etc/issue.bak
    cp /etc/issue.net /etc/issue.net.bak
    rm -f /etc/issue
    rm -f /etc/issue.net
    touch /etc/issue
    touch /etc/issue.net
    #stop rhosts
    #find / -name *.rhosts
    touch /.rhosts && chmod 0 /.rhosts
    #stop ip spoof
    cp /etc/host.conf /etc/host.conf.bak
    echo "nospoof on" >>/etc/host.conf
    #stop service
    chkconfig bluetooth off
    chkconfig firstboot off
    chkconfig cups off
    chkconfig ip6tables off
    chkconfig iptables off
    chkconfig isdn off
    chkconfig kudzu off
    chkconfig sendmail off
    chkconfig smartd off
    chkconfig autofs off
    chkconfig ntpd off
    chkconfig snmpd on
    chkconfig portmap on
    chkconfig nfs on
    #service vncserver off
    /etc/init.d/vncserver stop
    service bluetooth stop
    service firstboot stop
    service cups stop
    service ip6tables stop
    service iptables stop
    service isdn stop
    service kudzu stop
    service sendmail stop
    service smartd stop
    service autofs stop
    service vncserver stop
    service ntpd stop
    service snmpd restart
    service portmap restart
    service nfs restart
    #lock user unnecessary
    usermod -L adm
    usermod -L lp
    usermod -L sync
    usermod -L shutdown
    usermod -L halt
    usermod -L news
    usermod -L uucp
    usermod -L operator
    usermod -L ftp
    usermod -L rpc
    usermod -L rpcuser
    usermod -L gopher
    usermod -L nscd
    #add jboss user
    useradd jboss && echo "23adjfajskdfja" | passwd --stdin jboss
    usermod -g jboss -G wheel jboss
    #chown -R jboss.jboss /usr/local/jboss-4.2.3.GA
    #change system character
    cp /etc/sysconfig/i18n /etc/sysconfig/i18n.bak
    cat /dev/null> /etc/sysconfig/i18n
    echo 'LANG="en_US.UTF-8"' >/etc/sysconfig/i18n
    #echo 'LANG="zh_CN.GB18030"' >/etc/sysconfig/i18n
    #sed -i -e 's/^LANG=.*/LANG="en_US.UTF-8"/' /etc/sysconfig/i18n
    source /etc/sysconfig/i18n
    #add ssh user
    cp /etc/hosts.allow /etc/hosts.allow.bak
    cp /etc/hosts.deny /etc/hosts.deny.bak
    echo "sshd:192.168.0.199,192.168.0.201,192.168.0.121" >>/etc/hosts.allow
    echo "sshd:all" >>/etc/hosts.deny
    #Limit ROOT from Remote server
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    echo "PermitRootLogin no" >> /etc/ssh/sshd_config
    echo "ClientAliveCountMax 2" >> /etc/ssh/sshd_config
    #clean history
    cp /etc/skel/.bash_logout /etc/skel/.bash_logout.bak
    cp /etc/profile /etc/profile.bak
    sed -i 's/^HISTSIZE=1000/HISTSIZE=20/' /etc/profile
    echo "rm -rf $HOME/.bash_history " >>/etc/skel/.bash_logout
    #install DenyHosts
    cd /usr/local/src
    wget ftp://192.168.0.21/pub/DenyHosts-2.6.tar.gz
    tar -zxvf DenyHosts-2.6.tar.gz
    cd DenyHosts-2.6
    python setup.py install
    cd /usr/share/denyhosts/
    grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg
    cp daemon-control-dist daemon-control
    cp denyhosts.cfg denyhosts.cfg.bak
    sed -i 's/^PURGE_DENY =/PURGE_DENY = 5m/' /usr/share/denyhosts/denyhosts.cfg
    sed -i 's/^DENY_THRESHOLD_INVALID = 5/DENY_THRESHOLD_INVALID = 1/' /usr/share/denyhosts/denyhosts.cfg
    sed -i 's/^DENY_THRESHOLD_VALID = 10/DENY_THRESHOLD_VALID = 5/' /usr/share/denyhosts/denyhosts.cfg
    sed -i 's/^DENY_THRESHOLD_ROOT = 1/DENY_THRESHOLD_ROOT = 5/' /usr/share/denyhosts/denyhosts.cfg
    chown root daemon-control
    chmod 700 daemon-control
    cp /etc/rc.local /etc/rc.local.bak
    echo "/usr/share/denyhosts/daemon-control start" >>/etc/rc.local
    /usr/share/denyhosts/daemon-control start
    #limit alt-ctl-delete
    cp /etc/inittab /etc/inittab.bak
    sed -i 's/^ca::ctrlaltdel:/sbin/shutdown -t3 -r now/#ca::ctrlaltdel:/sbin/shutdown -t3 -r now/g' /etc/inittab
    #limit key file
    chmod 744 /etc/passwd
    chmod 740 /etc/shadow
    chmod 744 /etc/rc3.d
    chmod 744 /etc/profile
    chmod 1777 /tmp
    chmod 644 /etc/exports
    chmod -R 700 /etc/rc.d/init.d/*
    chattr +i /etc/passwd
    chattr +i /etc/shadow
    chattr +i /etc/group
    chattr +i /etc/services
    chmod 600 /etc/xinetd.conf
    #remove
    #chattr -i /etc/passwd
    #chattr -i /etc/shadow
    service sshd restart
    service xinetd restart
    ps -ef |grep vnc |grep '/usr/share/vnc/classes' |awk '{print $2}' |xargs kill -9
    echo "congratulations!"
    sleep 2
    exit

  • 相关阅读:
    [UWP 开发] 一个简单的Toast实现
    纯MarkDown博客阅读体验优化
    [沈航软工教学] 3、4班最终成绩排行榜
    [沈航软工教学] 期末附加作业
    [沈航软工教学] 前十三周3,4班排行榜
    [沈航软工教学] 前十二周3,4班排行榜
    [沈航软工教学] 前八周3,4班排行榜
    BugPhobia准备篇章:Beta阶段前后端接口文档
    BugPhobia回顾篇章:团队Alpha阶段工作分析
    BugPhobia贡献篇章:团队贡献分值与转会确定
  • 原文地址:https://www.cnblogs.com/fangyuan303687320/p/5394802.html
Copyright © 2020-2023  润新知