
linux系统安全加固脚本

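#!/bin/bash
# Create the day-to-day admin account and set its password, then rotate
# root's password.
# Passwords are read from the environment instead of being written into the
# script: a hardcoded credential ends up in backups, version control and the
# shell history of everyone who copies this file.  Invoke as, e.g.
#   RZX_ADMIN_PASS='...' ROOT_PASS='...' bash harden.sh
# NOTE(review): environment variables are still visible to root through
# /proc/<pid>/environ; prefer an interactive `passwd` or a secrets manager
# where one is available.
: "${RZX_ADMIN_PASS:?set RZX_ADMIN_PASS to the password for rzxadmin}"
: "${ROOT_PASS:?set ROOT_PASS to the new root password}"
# Idempotent: re-running the script must not fail on "user already exists".
id rzxadmin >/dev/null 2>&1 || useradd rzxadmin
# --stdin is a Red Hat/CentOS extension of passwd (matches the CentOS 6
# target); printf avoids echo's interpretation of backslashes/-n in a secret.
printf '%s\n' "$RZX_ADMIN_PASS" | passwd --stdin rzxadmin
printf '%s\n' "$ROOT_PASS" | passwd --stdin root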
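# Pre-login banner: replace /etc/issue (console) and /etc/issue.net (served by
# sshd only when "Banner /etc/issue.net" is set) with a generic string so the
# exact release is not advertised.  The original backed up a relative "issue",
# which silently failed unless the script was run from /etc.
cp -p /etc/issue /etc/issue.bak
cp -p /etc/issue.net /etc/issue.net.bak
# NOTE(review): "\r" and "\m" are getty escapes that print the kernel release
# and machine type at the console prompt, which undoes most of the masquerade;
# drop the second line if hiding version information is the goal.  sshd does
# not expand these escapes, so issue.net shows them literally.
printf '%s\n' "Centos 6.7" > /etc/issue
printf '%s\n' 'Kernel \r on an \m' >> /etc/issue
printf '%s\n' "Centos 6.7" > /etc/issue.net
printf '%s\n' 'Kernel \r on an \m' >> /etc/issue.net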
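# Lock the password of built-in service accounts that must never log in
# interactively.  Back up passwd/shadow first (-p keeps shadow's restrictive
# mode and ownership on the copy) so the change can be reverted.
cp -p /etc/shadow /etc/shadow.bak
cp -p /etc/passwd /etc/passwd.bak
# NOTE(review): "123" is not a standard system account; it is presumably a
# leftover local user on the original host -- confirm before keeping it.
for acct in adm lp sync nobody halt news uucp operator games gopher ftp 123; do
  # Skip names that do not exist on this host rather than letting passwd
  # print an error for each one.
  if getent passwd "$acct" >/dev/null; then
    passwd -l "$acct"
  fi
done
# `passwd -l` only disables password authentication.  It does not block SSH
# public-key logins or `su` into the account; set the shell to /sbin/nologin
# (usermod -s /sbin/nologin) for accounts that must not log in at all.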
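#######################################
# Replace or append one setting in a config file, in place.
# Every non-comment line that starts with KEY (followed by whitespace, '='
# or end of line) is rewritten to LINE; LINE is appended when KEY is absent.
# Comments and blank lines are preserved -- the original egrep|awk rewrite
# threw away every comment in login.defs and /etc/profile.
# Arguments: $1 - file to edit
#            $2 - key, used as an ERE fragment (escape metacharacters)
#            $3 - complete line that must end up in the file (no newline)
# Returns:   exit status of sed or of the append
#######################################
set_conf_line() {
  local file=$1 key=$2 line=$3
  local pat="^[[:space:]]*${key}([[:space:]=].*)?\$"
  if grep -Eq -- "$pat" "$file"; then
    # GNU one-line "c text" form; the text runs to end of line, so ';' in
    # LINE is safe.
    sed -i -E "/${pat}/c ${line}" "$file"
  else
    printf '%s\n' "$line" >> "$file"
  fi
}

# --- Password ageing / length policy (/etc/login.defs) ---
# The original's second branch opened an `if` instead of closing with `fi`,
# which made the whole script a syntax error.
cp -p /etc/login.defs /etc/login.defs.bak
set_conf_line /etc/login.defs PASS_MIN_LEN "PASS_MIN_LEN 12"
set_conf_line /etc/login.defs PASS_MAX_DAYS "PASS_MAX_DAYS 90"
# NOTE(review): login.defs only applies to accounts created from now on;
# existing users keep their ageing until `chage -M 90 <user>` is run, and on
# PAM-based systems PASS_MIN_LEN is typically ignored in favour of
# pam_cracklib's minlen -- confirm which one is enforced here.

# --- Idle shell timeout (/etc/profile) ---
cp -p /etc/profile /etc/profile.bak
set_conf_line /etc/profile TMOUT "TMOUT=300;export TMOUT"
# NOTE(review): a user can still `unset TMOUT`; append `;readonly TMOUT` if
# the timeout must be enforced (re-sourcing /etc/profile will then warn about
# the read-only variable).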
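#######################################
# Set one "key=value" pair in a sysctl.conf-style file, in place.
# Active lines for the key are rewritten to the new value (the original only
# appended when the key was missing, so an explicit "=1" survived); the pair
# is appended when the key is absent.  Comments are preserved.
# Arguments: $1 - file to edit
#            $2 - "key=value" as sysctl.conf expects it
# Returns:   exit status of sed or of the append
#######################################
set_sysctl_line() {
  local file=$1 kv=$2
  local key=${kv%%=*}
  # '.' is a regex metachar; escape it so "conf.all" cannot match "confXall".
  local key_re=${key//./\\.}
  if grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=" "$file"; then
    sed -i -E "/^[[:space:]]*${key_re}[[:space:]]*=/c ${kv}" "$file"
  else
    printf '%s\n' "$kv" >> "$file"
  fi
}

# Kernel network hardening: do not send ICMP redirects.  The "default."
# key only governs interfaces created later; "all." covers existing ones,
# so both are needed for the setting to take effect on a running host.
cp -p /etc/sysctl.conf /etc/sysctl.conf.bak
set_sysctl_line /etc/sysctl.conf net.ipv4.conf.default.send_redirects=0
set_sysctl_line /etc/sysctl.conf net.ipv4.conf.all.send_redirects=0
chown root:root /etc/sysctl.conf
# 600 hides the file from unprivileged users; the live values stay readable
# under /proc/sys, so this is tidiness rather than a control.
chmod 600 /etc/sysctl.conf
sysctl -p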
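#######################################
# Set a top-level sshd_config keyword to exactly one value.
# Every active (uncommented) line for KEY is removed and "KEY VALUE" is
# inserted at the top of the file, so the directive can never land inside a
# trailing Match block, where sshd would reject it (Port) or mis-scope it.
# Arguments: $1 - sshd_config path
#            $2 - keyword (case as written in the file)
#            $3 - value
# Returns:   exit status of the insert
#######################################
sshd_set_option() {
  local file=$1 key=$2 value=$3
  sed -i -E "/^[[:space:]]*${key}[[:space:]]/d" "$file"
  sed -i "1i ${key} ${value}" "$file"
}

# Move sshd to port 1218.  The original test had broken quoting and, when
# it did not match, appended a PAM "auth required pam_tally2.so ..." line to
# sshd_config: sshd refuses unknown keywords, so the later restart would have
# failed and cut off remote access.
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sshd_set_option /etc/ssh/sshd_config Port 1218
# NOTE(review): before sshd is restarted, allow TCP/1218 in iptables and,
# with SELinux enforcing, label the port
# (`semanage port -a -t ssh_port_t -p tcp 1218`); otherwise sshd cannot
# bind it and the host becomes unreachable.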
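# Shrink the per-user shell history from the CentOS default of 1000 lines to
# 10.  The original sed matched only the literal "HISTSIZE=1000", so a profile
# with any other value was left unchanged; anchor on the key instead.
sed -i -E 's/^[[:space:]]*HISTSIZE=.*/HISTSIZE=10/' /etc/profile
# NOTE(review): a 10-line history is of little use for incident response and
# does nothing against `unset HISTFILE`; if the goal is to keep secrets out
# of history files, auditd or process accounting is the better control.
# The original's `source /etc/profile` only re-read the file into this
# script's own shell -- it has no effect on users' sessions -- and is dropped.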
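# Disable direct root login over SSH; administrators log in as rzxadmin and
# escalate.  The original sed matched only the commented-out default
# "#PermitRootLogin yes", so an already-active "PermitRootLogin yes" (or
# "without-password") was left in place and root stayed reachable.
# Remove every active PermitRootLogin line and insert the directive at the
# top of the file, where it cannot fall inside a trailing Match block.
sed -i -E '/^[[:space:]]*PermitRootLogin[[:space:]]/d' /etc/ssh/sshd_config
sed -i '1i PermitRootLogin no' /etc/ssh/sshd_config
# Validate before restarting: a bad sshd_config leaves sshd down and the host
# unreachable.  Confirm rzxadmin can already log in (on the new port) and
# escalate with su/sudo before running this on a remote machine.
if /usr/sbin/sshd -t; then
  service sshd restart
else
  echo "sshd_config failed validation (sshd -t); not restarting sshd" >&2
fi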
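# Lock an account for 180 s after 3 consecutive failed console logins.
cp -p /etc/pam.d/login /etc/pam.d/login.bak
# Guard the insert so re-running the script does not stack duplicate entries
# (the original's unconditional `2i` added another line on every run).
if ! grep -q 'pam_tally2.so' /etc/pam.d/login; then
  # Line 1 is the "#%PAM-1.0" header; the auth entry goes before the
  # system-auth include so the failure is counted before the password check.
  sed -i '2i auth required pam_tally2.so deny=3 unlock_time=180' /etc/pam.d/login
  # Without an account entry the failure counter is never reset after a
  # successful login, so users eventually lock themselves out.
  sed -i '3i account required pam_tally2.so' /etc/pam.d/login
fi
# NOTE(review): /etc/pam.d/login only covers console/tty logins; sshd uses
# /etc/pam.d/sshd, so the same two lines are needed there for SSH
# brute-force lockout.  Run `pam_tally2 -u <user> -r` to unlock manually.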
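# Password complexity (pam_cracklib in /etc/pam.d/system-auth).
# Back up next to the original rather than into the current directory (the
# original's relative "system-auth.bak" landed wherever the script was run).
cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
# NOTE(review): on CentOS 6 system-auth is usually a symlink to system-auth-ac
# that authconfig regenerates, so direct edits may be lost -- confirm before
# relying on them.  The pam_cracklib rewrite that follows passes positive
# dcredit/lcredit/ucredit values and an unknown "credit=" option: positive
# values are *credits* toward minlen, not requirements.  Use dcredit=-1
# lcredit=-1 ucredit=-1 (and ocredit=-1 for symbols) to actually require at
# least one of each class.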
sed -i "s/password requisite pam_cracklib.so try_first_pass retry=3 type=/password requisite

pam_cracklib.so try_first_pass retry=3 type= difok=2 dcredit=1 lcredit=1 ucredit=1 credit=2 minclass=3 minlen=8/"

/etc/pam.d/syste