此脚本基于centos7和centos6编写:
仅供参考,切勿盲目复制执行
#!/bin/bash PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin" export PATH Centos7=$(uname -a | grep "el7" | wc -l) Centos6=$(uname -a | grep "el6" | wc -l) if [ $Centos7 == 1 ]; then echo "System Centos 7 in reset kernel" /bin/grep "SELINUX=disabled" /etc/selinux/config 2>&1 >/dev/null if [ $? -eq 0 ];then echo -e " 33[31m Selinux 33[0m is already not running" else /bin/sed -i '/SELINUX/s/enforcing/disabled/g' /etc/selinux/config setenforce 0 2>&1 >/dev/null echo -e " 33[31m Selinux 33[0m is already modify stop successful" fi ################# <关闭多余用户> ########################## userdel -r lp 2>&1 >/dev/null userdel -r sync 2>&1 >/dev/null userdel -r shutdown 2>&1 >/dev/null userdel -r halt 2>&1 >/dev/null userdel -r operator 2>&1 >/dev/null userdel -r games 2>&1 >/dev/null userdel -r gopher 2>&1 >/dev/null chmod +s /bin/netstat chmod 400 /etc/shadow ################# <系统内核安全> ########################## ipv4=$(grep "net.ipv4" /etc/sysctl.conf | wc -l) if [ $ipv4 -lt 2 ]; then echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf echo "net.core.rmem_default = 256960" >> /etc/sysctl.conf echo "net.core.rmem_max = 513920" >> /etc/sysctl.conf echo "net.core.wmem_default = 256960" >> /etc/sysctl.conf echo "net.core.wmem_max = 513920" >> /etc/sysctl.conf echo "net.core.netdev_max_backlog = 2000" >> /etc/sysctl.conf echo "net.core.somaxconn = 2048" >> /etc/sysctl.conf echo "net.core.optmem_max = 81920" >> /etc/sysctl.conf echo "net.ipv4.tcp_mem = 131072 262144 524288" >> /etc/sysctl.conf echo "net.ipv4.tcp_rmem = 8760 256960 4088000" >> /etc/sysctl.conf echo "net.ipv4.tcp_wmem = 8760 256960 4088000" >> /etc/sysctl.conf echo "net.ipv4.tcp_keepalive_time = 1800" >> /etc/sysctl.conf echo "net.ipv4.tcp_keepalive_intvl = 30" >> /etc/sysctl.conf echo "net.ipv4.tcp_keepalive_probes = 3" >> /etc/sysctl.conf echo "net.ipv4.tcp_sack = 1" >> /etc/sysctl.conf echo "net.ipv4.tcp_fack = 1" >> /etc/sysctl.conf echo "net.ipv4.tcp_timestamps = 1" >> /etc/sysctl.conf echo "net.ipv4.tcp_window_scaling = 1" >> /etc/sysctl.conf echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf echo "net.ipv4.tcp_tw_reuse = 1" >> /etc/sysctl.conf echo "net.ipv4.tcp_tw_recycle = 0" >> /etc/sysctl.conf echo "net.ipv4.tcp_fin_timeout = 30" >> /etc/sysctl.conf echo "net.ipv4.ip_local_port_range = 1024 65000" >> /etc/sysctl.conf echo "net.ipv4.tcp_max_syn_backlog = 2048" >> /etc/sysctl.conf echo "net.ipv4.tcp_max_tw_buckets = 6000" >> /etc/sysctl.conf sysctl -p else echo "kernel already reset" fi hosts=$(grep "sshd:10.80.80.100:allow" /etc/hosts.allow | wc -l) if [ $hosts -ne 1 ]; then echo "insert sshd allow" echo 'sshd:10.80.80.100:allow' >> /etc/hosts.allow else echo "sshd already reset" fi ################## 《更改时区》############################### TZ=`timedatectl |grep Time|awk {'print $3'}` SH="Adsia/Shanghai" if [ $TZ == $SH ];then echo -e " 33[31m Timezone 33[0m is already "Asia/Shanghai"" else rm -f /etc/localtime cp -arp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime echo -e " 33[31m Timezone 33[0m is already modify "Asia/Shanghai"" fi ################ <更改ssh端口和禁止root登录> ####################### Net=$(netstat -tulnp|grep 22502 | wc -l) if [ $Net = 0 ];then cp -r /etc/ssh/sshd_config /etc/ssh/sshd_config.bak sed -i '/Port 22/aPort 22502' /etc/ssh/sshd_config echo -e " 33[31m SSH's port 22 is already modify to 22502 33[0m" sed -i "s/#UseDNS/UseDNS/g" /etc/ssh/sshd_config sed -i "s/^Subsystem/#Subsystem/g" /etc/ssh/sshd_config sed -i "/^#Subsystem/aSubsystem sftp internal-sftp" /etc/ssh/sshd_config if [ $? -eq 0 ];then systemctl restart sshd 2>&1 >/dev/null echo -e " 33[31m SSH's service 33[0m has restart again" fi else sed -i "s/#UseDNS/UseDNS/g" /etc/ssh/sshd_config echo -e " 33[31m chage Use UseDns 33[0m" PORT=`netstat -tulnp|grep 22 |awk {'print $4'}|head -n 1|cut -d : -f 2` echo -e "ssh's port is 33[31m already modify $PORT 33[0m" fi ############## <登录密码相关设置> ####################################### cp /etc/login.defs /etc/login.defs.bak sed -i '/^PASS_MAX_DAYS/s/[0-9]{1,}/99999/g' /etc/login.defs sed -i '/^PASS_MIN_DAYS/s/[0-9]{1,}/7/g' /etc/login.defs sed -i '/^PASS_MIN_LEN/s/[0-9]{1,}/12/g' /etc/login.defs sed -i '/^PASS_WARN_AGE/s/[0-9]{1,}/30/g' /etc/login.defs ######################################################################### username=$(id kyeroot | grep "uid=0" | wc -l) if [ $username = 0 ];then useradd kyeroot echo "Aa+12345678" | passwd --stdin kyeroot sed -i '/^kyeroot/s/[0-9]{1,}/0/g' /etc/passwd sed -i '/^kyeroot/s/home/kyeroot/root/g' /etc/passwd sed -i "/^root/s/bin/sbin/g" /etc/passwd sed -i "/^root/s/bash/nologin/g" /etc/passwd cp /etc/sudoers /etc/sudoers.bak sed -i '/^root/akyeroot ALL=(ALL) ALL' /etc/sudoers else echo -e " 33[31m user kyeroot is exists 33[0m or 33[31m password is wrong 33[0m" fi useradd kyeadmin 2>&1 >/dev/null d=$? if [ $d -eq 0 ];then echo "Aa+12345678" |passwd --stdin kyeadmin 2>&1 >/dev/null echo -e " 33[31m create user kyeadmin successful 33[0m" echo -e " 33[31m create user passwd successful 33[0m" else echo -e " 33[31m user kyeadmin is exists 33[0m or 33[31m password is wrong 33[0m" fi ############### <日志权限> ######################################### chattr +a /var/log/messages if [ $? == "0" ];then echo -e " 33[31m Already add "lsatrr +a" 33[0m for "/var/log/messages" " else echo -e "Add 33[31m "lsattr +a" 33[0m is failed,please check it!" fi find /var/log/ -type f -exec chmod u-x,g-x,o-wx {} ; echo -e " 33[31m modify "/var/log/*" 33[0m all files permission of "u-x,g-x,o-wx" successful" chmod +x /etc/rc.local null=$(grep "/dev/null" /etc/rc.local |wc -l) if [ $null = 0 ]; then echo "chmod 666 /dev/null" >> /etc/rc.local else echo "already reset /dev/null" fi ############## <修改文件句柄数> ################################### h=`ulimit -n` if [ $h -ne 65535 ];then ulimit -n 65535 grep "* soft nofile 65535" /etc/security/limits.conf 2>&1 >/dev/null i=$? #判断“soft nofile 65536”是否存在 grep "* hard nofile 65535" /etc/security/limits.conf 2>&1 >/dev/null j=$? #判断“hard nofile 65536”是否存在 k=$[i+j] if [ $k -ne 0 ];then #同时判断“soft/hard nofile 65536” cp /etc/security/limits.conf /etc/security/limits.conf.bak echo "* soft nofile 65535" >> /etc/security/limits.conf echo "* hard nofile 65535" >> /etc/security/limits.conf echo -e " 33[31m default ulimit is $h 33[0m,now ulimit is already modify 65535" else echo -e " 33[31m "soft nofile 65535 and hard nofile 65535" 33[0m is already configure,not to modify " fi else echo -e " 33[31m default ulimit is 65535 33[0m,not modify" fi ############# <防止暴力破解,提高系统安全性> ################################ grep "remember" /etc/pam.d/system-auth 2>&1 >/dev/null o=$? grep "unlock_time" /etc/pam.d/system-auth 2>&1 >/dev/null p=$? grep "pam_pwquality.so" /etc/pam.d/system-auth 2>&1 >/dev/null w=$? if [ $o -ne 0 ];then cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak sed -i "/sha512/s/use_authtok/use_authtok remember=4/g" /etc/pam.d/system-auth ###表示禁止使用最近用过的4个密码(己使用过的密码会被保存在 /etc/security/opasswd 下面) echo -e "Configure "use_authtok remember=4" for /etc/pam.d/system-auth successful" fi if [ $w -ne 0 ];then sed -i "/pam_pwquality.so/s/local_users_only/minclass=3/g" /etc/pam.d/system-auth echo -e "Configure "use_authtok remember=4" for /etc/pam.d/system-auth successful" fi if [ $p -eq 0 ];then echo "auth required pam_tally2.so even_deny_root deny=5 unlock_time=1800" >> /etc/pam.d/system-auth echo -e "Configure "auth required pam_tally2.so even_deny_root deny=5 unlock_time=1800" for /etc/pam.d/system-auth successful" fi ################# <设置shell会话超时退出> ################################## n=`grep "TMOUT=" /etc/profile|cut -d "=" -f 2` #读取默认的超时的时间 l=`grep "TMOUT" /etc/profile` if [ $? -ne 0 ];then ##判断TMOUT没有设置过超时配置 cp /etc/profile /etc/profile.bak echo "TMOUT=300" >> /etc/profile echo "export TMOUT" >> /etc/profile # sed -i 's/^HISTSIZE=1000/HISTSIZE=30/g' /etc/profile echo -e " 33[31m TMOUT 33[0m is already modify TMOUT=300" else ##若是配置过超时命令,替换换默认超时时间 sed -i s/TMOUT=$n/TMOUT=300/g /etc/profile #替换默认超时时间为180 echo -e " 33[31m default TMOUT 33[0m is $n,TMOUT is already modify to 180s successful " #获取默认超时时间 # echo "export TMOUT" >> /etc/profile fi ################# <禁止root ftp登录> ####################################### systemctl status vsftpd 2>&1 >/dev/null if [ $? -eq 0 ];then echo "root" >> /etc/vsftpd/ftpusers echo -e " 33[31m The ftp for root forbidden 33[0m successful" else echo -e " 33[31m The vsftpd 33[0m service not exists,not need to forbidden" fi ############### <登录警告语> ############################################# grep "WARNING" /etc/motd 2>&1 >/dev/null if [ $? -ne 0 ];then echo "WARNING: If you are not authorized to access this private computer system, disconnect now. All activities on this system will be monitored and recorded without prior notification or permission!" > /etc/motd echo -e " 33[31m The motd 33[0m is add at /etc/motd successful" else echo -e " 33[31m The motd "WARNING" is exsits 33[0m,please check if need to modify again" fi ################ <设置允许能su到root的用户> ################################# grep "SU_WHEEL_ONLY yes" /etc/login.defs && echo "Already set" || echo "SU_WHEEL_ONLY yes" >> /etc/login.defs elif [ $Centos6 == 1 ] then echo "System Centos 6 in reset kernel" ################ 《关闭selinux》############################################ /bin/grep "SELINUX=disabled" /etc/selinux/config 2>&1 >/dev/null if [ $? -eq 0 ];then echo -e " 33[31m Selinux 33[0m is already not running" else /bin/sed -i '/SELINUX/s/enforcing/disabled/g' /etc/selinux/config setenforce 0 2>&1 >/dev/null echo -e " 33[31m Selinux 33[0m is already modify stop successful" fi ################# <关闭多余用户> ########################## userdel -r lp 2>&1 >/dev/null userdel -r sync 2>&1 >/dev/null userdel -r shutdown 2>&1 >/dev/null userdel -r halt 2>&1 >/dev/null userdel -r operator 2>&1 >/dev/null userdel -r games 2>&1 >/dev/null chmod +s /bin/netstat chmod 400 /etc/shadow ################# <系统内核安全> ########################## ipv4=$(grep "net.ipv4" /etc/sysctl.conf | wc -l) if [ $ipv4 -lt 2 ]; then echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf echo "net.core.rmem_default = 256960" >> /etc/sysctl.conf echo "net.core.rmem_max = 513920" >> /etc/sysctl.conf echo "net.core.wmem_default = 256960" >> /etc/sysctl.conf echo "net.core.wmem_max = 513920" >> /etc/sysctl.conf echo "net.core.netdev_max_backlog = 2000" >> /etc/sysctl.conf echo "net.core.somaxconn = 2048" >> /etc/sysctl.conf echo "net.core.optmem_max = 81920" >> /etc/sysctl.conf echo "net.ipv4.tcp_mem = 131072 262144 524288" >> /etc/sysctl.conf echo "net.ipv4.tcp_rmem = 8760 256960 4088000" >> /etc/sysctl.conf echo "net.ipv4.tcp_wmem = 8760 256960 4088000" >> /etc/sysctl.conf echo "net.ipv4.tcp_keepalive_time = 1800" >> /etc/sysctl.conf echo "net.ipv4.tcp_keepalive_intvl = 30" >> /etc/sysctl.conf echo "net.ipv4.tcp_keepalive_probes = 3" >> /etc/sysctl.conf echo "net.ipv4.tcp_sack = 1" >> /etc/sysctl.conf echo "net.ipv4.tcp_fack = 1" >> /etc/sysctl.conf echo "net.ipv4.tcp_timestamps = 1" >> /etc/sysctl.conf echo "net.ipv4.tcp_window_scaling = 1" >> /etc/sysctl.conf echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf echo "net.ipv4.tcp_tw_reuse = 1" >> /etc/sysctl.conf echo "net.ipv4.tcp_tw_recycle = 0" >> /etc/sysctl.conf echo "net.ipv4.tcp_fin_timeout = 30" >> /etc/sysctl.conf echo "net.ipv4.ip_local_port_range = 1024 65000" >> /etc/sysctl.conf echo "net.ipv4.tcp_max_syn_backlog = 2048" >> /etc/sysctl.conf echo "net.ipv4.tcp_max_tw_buckets = 6000" >> /etc/sysctl.conf sysctl -p else echo "kernel already reset" fi hosts=$(grep "sshd:10.80.80.100:allow" /etc/hosts.allow | wc -l) if [ $hosts -ne 1 ]; then echo "insert sshd allow" echo 'sshd:10.80.80.100:allow' >> /etc/hosts.allow else echo "sshd already reset" fi ################ 《更改时区》############################################## /bin/grep "Asia/Shanghai" /etc/sysconfig/clock 2>&1 >/dev/null if [ $? -eq 0 ];then echo -e " 33[31m Timezone 33[0m is already "Asia/Shanghai"" else rm -f /etc/localtime cp -arp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime echo -e " 33[31m Timezone 33[0m is already modify "Asia/Shanghai"" fi ###############《更改ssh端口和禁止root登录》############################## Net=$(netstat -tulnp|grep 22502 | wc -l) if [ $Net = 0 ];then cp -r /etc/ssh/sshd_config /etc/ssh/sshd_config.bak sed -i '/port 22/aport 22502' /etc/ssh/sshd_config echo -e " 33[31m SSH's port 22 is already modify to 22502 33[0m" sed -i "s/#UseDNS/UseDNS/g" /etc/ssh/sshd_config sed -i "s/^Subsystem/#Subsystem/g" /etc/ssh/sshd_config sed -i "/^#Subsystem/aSubsystem sftp internal-sftp" /etc/ssh/sshd_config if [ $? -eq 0 ];then service sshd restart 2>&1 >/dev/null echo -e " 33[31m SSH's service 33[0m has restart again" fi else sed -i "s/#UseDNS/UseDNS/g" /etc/ssh/sshd_config echo -e " 33[31m chage Use UseDns 33[0m" PORT=`netstat -tulnp|grep 22 |awk {'print $4'}|head -n 1|cut -d : -f 2` echo -e "ssh's port is 33[31m already modify $PORT 33[0m" fi ############### 《禁止组合键关机》####################################### /bin/grep ^exec /etc/init/control-alt-delete.conf 2>&1 >/dev/null a=$? #判断是否关闭“exec /etc/init/control-alt-delete.conf” /bin/grep ^start /etc/init/control-alt-delete.conf 2>&1 >/dev/null b=$? #判断是否关闭"start on control-alt-delete" c=$[a+b] if [ $c -eq 2 ];then echo -e " 33[31m "control-alt-delete" 33[0m modify is 33[31m failed 33[0m,or configure successful,please check it again" else cp /etc/init/control-alt-delete.conf /etc/init/control-alt-delete.conf.bak sed -i "/^start/s/start/#start/g" /etc/init/control-alt-delete.conf sed -i "/^exec/s/exec/#exec/g" /etc/init/control-alt-delete.conf echo -e " 33[31m “control-alt-delete”