linux 安全加固脚本

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了linux 安全加固脚本相关的知识,希望对你有一定的参考价值。

#!/bin/bash

#设置密码复杂度
if [ -z "cat /etc/pam.d/system-auth | grep -v "^#" | grep "pam_cracklib.so"" ];then
sed -i ‘/password required pam_deny.so/a\password required pam_cracklib.so try_first_pass minlen=8 ucredit=-1 lcredit=-1 ocredit=-1 dcredit=-1 retry=3 difok=5‘ /etc/pam.d/system-auth
fi

#设置连续登录失败暂锁机制
if [ -z "cat /etc/pam.d/system-auth | grep -v "^#" | grep "pam_tally.so"" ];then
if [ -z "cat /etc/pam.d/system-auth | grep -v "^#" | grep "pam_tally.so" | grep auth" ];then
sed -i ‘/auth include system-auth/a\auth required pam_tally.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600‘ /etc/pam.d/system-auth
fi
if [ -z "cat /etc/pam.d/system-auth | grep -v "^#" | grep "pam_tally.so" | grep account" ];
then
sed -i ‘/account include system-auth/a\account required pam_tally.so‘ /etc/pam.d/system-auth
fi
fi

if [ -z "cat /etc/pam.d/sshd | grep -v "^#" | grep "pam_tally.so"" ];then
if [ -z "cat /etc/pam.d/sshd | grep -v "^#" | grep "pam_tally.so" | grep auth" ];then
sed -i ‘/auth required pam_deny.so/a\auth required pam_tally.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600‘ /etc/pam.d/sshd
fi
if [ -z "cat /etc/pam.d/sshd | grep -v "^#" | grep "pam_tally.so" | grep account" ];then
sed -i ‘/account required pam_unix.so/a\account required pam_tally.so‘ /etc/pam.d/sshd
fi
fi

#检查密码重复使用次数
if [ -z "cat /etc/pam.d/system-auth | grep password | grep remember" ];then
sed -i ‘/password sufficient pam_unix.so/s/$/& remember=5/‘ /etc/pam.d/system-auth
fi

#设置操作超时锁定
if [ -z "cat /etc/profile | grep -v "^#" | grep TMOUT" ];then
echo -e "\nexport TMOUT=1800" >> /etc/profile
fi

#修改密码时效
sed -i ‘/PASS_WARN_AGE/s/7/10/‘ /etc/login.defs
sed -i ‘/PASS_MIN_LEN/s/5/8/‘ /etc/login.defs
#sed -i ‘/PASS_MAX_DAYS/s/99999/90/‘ /etc/login.defs
sed -i ‘/PASS_MIN_DAYS/s/0/6/‘ /etc/login.defs

#修改默认访问权限
sed -i ‘/UMASK/s/077/027/‘ /etc/login.defs

#设置重要文件目录权限
chmod 644 /etc/passwd
chmod 600 /etc/xinetd.conf
chmod 600 /etc/inetd.conf
chmod 644 /etc/group
chmod 000 /etc/shadow
chmod 644 /etc/services
chmod 600 /etc/security
chmod 750 /etc/ #启动了nscd服务导致设置权限以后无法登陆
chmod 750 /etc/rc6.d
chmod 750 /tmp
chmod 750 /etc/rc0.d/
chmod 750 /etc/rc1.d/
chmod 750 /etc/rc2.d/
chmod 750 /etc/rc4.d
chmod 750 /etc/rc5.d/
chmod 750 /etc/rc3.d
chmod 750 /etc/rc.d/init.d/
chmod 600 /etc/grub.conf
chmod 600 /boot/grub/grub.conf
chmod 600 /etc/lilo.conf

#检查用户umask设置
sed -i ‘/umask/s/002/077/‘ /etc/csh.cshrc
sed -i ‘/umask/s/002/077/‘ /etc/bashrc
sed -i ‘/umask/s/002/077/‘ /etc/profile
csh_login=cat /etc/csh.login | grep -i "umask"
if [ -z "$csh_login" ];then
echo -e "/numask 077" >>/etc/csh.login
fi

#检查是否设置ssh登录前告警banner
sshbanner="/etc/ssh_banner"
if [ ! -f "$sshbanner" ];then
touch /etc/ssh_banner
chown bin:bin /etc/ssh_banner
chmod 644 /etc/ssh_banner
echo -e "Authorized only.All activity will be monitored and reported" > /etc/ssh_banner
echo -e "Banner /etc/ssh_banner" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
fi

#FTP安全设置
vsftpd_conf=find /etc/ -maxdepth 2 -name vsftpd.conf
if [ ! -z "$vsftpd_conf" ];then
sed -i ‘/anonymous_enable/s/YES/NO/‘ $vsftpd_conf
fi

ftpuser=find /etc/ -maxdepth 2 -name ftpusers
if [ ! -z "$ftpuser" ] && [ -z "cat $ftpuser | grep -v "^#" | grep root"];then
echo "root" >>$ftpuser
fi

sed -i ‘/^ftp/d‘ /etc/passwd

#检查重要文件属性设置
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

#日志审计检查
if [ ! -f "/etc/rsyslog.conf" ] && [ ! -f "/etc/syslog.conf" ] && [ ! -f "/etc/syslog-ng/syslog-ng.conf" ];then
echo "{tput setaf 1}syslog not installed!!!${tput sgr0}"
exit
fi

if [ ! -f "/var/log/cron" ];then
touch /var/log/cron
chmod 775 /var/log/cron
fi

if [ ! -f "/var/adm/messages" ];then
touch /var/adm/messages
chmod 666 /var/adm/messages
fi

if [ -f "/etc/rsyslog.conf" ] ;then
if [ -z "cat /etc/rsyslog.conf | grep "^cron.*" | grep "/var/log/cron"" ];then
echo -e "cron.* /var/log/cron" >> /etc/rsyslog.conf
fi

if [ -z "`cat /etc/rsyslog.conf | grep "/var/adm/messages"`" ];then
    echo -e "*.err;kern.debug;daemon.notice   /var/adm/messages" >>/etc/rsyslog.conf
fi

if [ -z "`grep "@[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" /etc/rsyslog.conf`" ];then
    echo -e "*.* @192.168.0.1" >>/etc/rsyslog.conf
fi

/etc/init.d/rsyslog restart

fi

if [ -f "/etc/syslog.conf" ];then
if [ -z "cat /etc/rsyslog.conf | grep "^cron.*" | grep "/var/log/cron"" ];then
echo -e "cron.* /var/log/cron" >> /etc/syslog.conf
fi

if [ -z "`cat /etc/rsyslog.conf | grep "/var/adm/messages"`" ];then
    echo -e "*.err;kern.debug;daemon.notice   /var/adm/messages" >>/etc/rsyslog.conf
fi

if [ -z "`grep "@[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" /etc/syslog.conf`" ];then
    echo -e "*.* @192.168.0.1" >>/etc/syslog.conf
fi

/etc/init.d/syslog restart

fi

if [ -f "/etc/syslog-ng.conf" ];then
if [ -z "cat /etc/syslog-ng/syslog-ng.conf | grep "destination(cron)"" ];then
echo -e "filter f_cron { facility(cron); }; " >> /etc/syslog-ng/syslog-ng.conf
echo -e "destination cron { file("/var/log/cron"); }; " >>/etc/syslog-ng/syslog-ng.conf
echo -e "log { source(src); filter(f_cron); destination(cron); }; " >> /etc/syslog-ng/syslog-ng.conf
fi

if [ -z "`cat /etc/syslog-ng/syslog-ng.conf | grep "filter f_msgs"`" ];then
    echo -e "filter f_msgs { level(err) or facility(kern) and level(debug)             or facility(daemon) and level(notice); }; " >>/etc/syslog-ng/syslog-ng.conf
    echo -e "destination msgs { file("/var/adm/messages"); }; " >>/etc/syslog-ng/syslog-ng.conf
    echo -e "log { source(src); filter(f_msgs); destination(msgs); }; " >>/etc/syslog-ng/syslog-ng.conf
fi

if [ -z "`grep "@[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" /etc/syslog-ng/syslog-ng.conf`" ];then
    echo -e "destination logserver { udp("192.168.0.1" port(514)); }; " >>/etc/syslog-ng/syslog-ng.conf
    echo -e "log { source(src); destination(logserver); }; ">>/etc/syslog-ng/syslog-ng.conf
fi

/etc/init.d/syslog restart

fi

#禁止wheel组以外的用户su为root
if [ -z "cat /etc/pam.d/su | grep -v "^#" | grep pam_wheel.so" ];then
if [ -z "cat /etc/pam.d/su | grep -v "^#" | grep pam_rootok.so" ];then
sed -i ‘2iauth sufficient pam_rootok.so‘ /etc/pam.d/su
sed -i ‘/pam_rootok.so/a\auth required pam_wheel.so group=wheel‘ /etc/pam.d/su
else
sed -i ‘/pam_rootok.so/a\auth required pam_wheel.so group=wheel‘ /etc/pam.d/su
fi
fi

#关闭不必要的服务和端口
chk_ntalk=chkconfig --list | grep ntalk | grep on
if [ ! -z "$chk_ntalk" ];then
chkconfig --level 0123456 ntalk off
fi

chk_lpd=chkconfig --list | grep lpd | grep on
if [ ! -z "$chk_lpd" ];then
chkconfig --level 0123456 lpd off
fi

chk_kshell=chkconfig --list | grep kshell | grep on
if [ ! -z "$chk_kshell" ];then
chkconfig --level 0123456 kshell off
fi

chk_time=chkconfig --list | grep time | grep on
if [ ! -z "$chk_time" ];then
chkconfig --level 0123456 time off
chkconfig --level 0123456 time-udp off
fi

chk_sendmail=chkconfig --list | grep sendmail | grep on
if [ ! -z "$chk_sendmail" ];then
chkconfig --level 0123456 sendmail off
fi

chk_klogin=chkconfig --list | grep klogin | grep on
if [ ! -z "$chk_klogin" ];then
chkconfig --level 0123456 klogin off
fi

chk_printer=chkconfig --list | grep printer | grep on
if [ ! -z "$chk_printer" ];then
chkconfig --level 0123456 printer off
fi

chk_nfslock=chkconfig --list | grep nfslock | grep on
if [ ! -z "$chk_nfslock" ];then
chkconfig --level 0123456 nfslock off
fi

chk_echo=chkconfig --list | grep echo | grep on
if [ ! -z "$chk_echo" ];then
chkconfig --level 0123456 echo off
fi

chk_discard=chkconfig --list | grep discard | grep on
if [ ! -z "$chk_discard" ];then
chkconfig --level 0123456 discard off
fi

chk_chargen=chkconfig --list | grep chargen | grep on
if [ ! -z "$chk_chargen" ];then
chkconfig --level 0123456 chargen off
fi

chk_bootps=chkconfig --list | grep bootps | grep on
if [ ! -z "$chk_bootps" ];then
chkconfig --level 0123456 chk_bootps off
fi

chk_daytime=chkconfig --list | grep daytime | grep on
if [ ! -z "$chk_daytime" ];then
chkconfig --level 0123456 daytime off
fi

chk_tftp=chkconfig --list | grep tftp | grep on
if [ ! -z "$chk_tftp" ];then
chkconfig --level 0123456 tftp off
fi

chk_ypbind=chkconfig --list | grep ypbind | grep on
if [ ! -z "$chk_ypbind" ];then
chkconfig --level 0123456 ypbind off
fi

chk_ident=chkconfig --list | grep ident | grep on
if [ ! -z "$chk_ident" ];then
chkconfig --level 0123456 ident off
fi

#检查core dump 设置
chk_core=grep core /etc/security/limits.conf | grep -v "^#"
if [ -z "$chk_core" ];then
echo " soft core 0" >> /etc/security/limits.conf
echo "
hard core 0" >> /etc/security/limits.conf
fi

#删除潜在危险文件
hosts_equiv=find / -maxdepth 3 -name hosts.equiv 2>/dev/null
if [ ! -z "$hosts_equiv" ];then
mv "$hosts_equiv" "$hosts_equiv".bak
fi

_rhosts=find / -maxdepth 3 -name .rhosts 2>/dev/null
if [ ! -z "$_rhosts" ];then
mv "$_rhosts" "$_rhosts".bak
fi

_netrc=find / -maxdepth 3 -name .netrc 2>/dev/null
if [ ! -z "$_netrc" ];then
mv "$_netrc" "$_netrc".bak
fi

#检查系统内核参数配置,修改只当次生效,重启需重新设置
sysctl -w net.ipv4.conf.all.accept_source_route="0"
sysctl -w net.ipv4.conf.all.accept_redirects="0"
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts="1"
sysctl -w net.ipv4.conf.all.send_redirects="0"
sysctl -w net.ipv4.ip_forward="0"

#检查拥有suid和sgid权限文件并修改文件权限为755
find /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn /usr/bin/chsh /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl /bin/mount /bin/umount /bin/ping /sbin/netreport -type f -perm /6000 | xargs chmod 755``

以上是关于linux 安全加固脚本的主要内容,如果未能解决你的问题,请参考以下文章

linux 安全加固脚本

linux系统安全加固脚本

linux安全加固应关闭啥服务

Linux系统一键检测和加固脚本

linux服务器被SSH暴力破解引发的安全加固计划之打流氓脚本

linux服务器被SSH暴力破解引发的安全加固计划之打流氓脚本