centos 系统加固脚本


  运行

不要把脚本直接 `curl ... | bash`:它以 root 身份修改 PAM、sysctl、sshd、cron 和账号文件,而管道执行让你既看不到内容,也无法校验下载是否被篡改。请先下载、通读并确认每一步适合你的系统角色,再在可回滚的测试机或快照上执行:

curl -L -o security.sh https://github.com/mufengcoding/shell/releases/download/1.1/security.sh
less security.sh     # 逐段阅读,确认每一步都是你想要的
sudo bash security.sh

注意只运行一次,多次运行可能会 gg:例如 /etc/shadow 被 chattr +i 锁定后 passwd -l 会失败,直接追加到 /etc/sysctl.conf、/etc/profile、hosts.deny 的行也会重复。
GitHub 地址:https://github.com/mufengcoding/shell/blob/master/security.sh

  1  
  2
  3#!/bin/sh
  4# desc: setup linux system security
  5# author:mufengs
  6# powered by blog.mufengs.com
  7# version 0.1.2 written by 2018.11.24
  8#account setup
  9  
 10
 11#锁定以下用户
 12
 13passwd -l xfs
 14
 15passwd -l news
 16
 17passwd -l nscd
 18
 19passwd -l dbus
 20
 21passwd -l vcsa
 22
 23passwd -l games
 24
 25passwd -l nobody
 26
 27passwd -l avahi
 28
 29passwd -l haldaemon
 30
 31passwd -l gopher
 32
 33passwd -l ftp
 34
 35passwd -l mailnull
 36
 37passwd -l pcap
 38
 39passwd -l mail
 40
 41passwd -l shutdown
 42
 43passwd -l halt
 44
 45passwd -l uucp
 46
 47passwd -l operator
 48
 49passwd -l sync
 50
 51passwd -l adm
 52
 53passwd -l lp
 54
 55  
 56
 57#将帐号相关文件设为只读属性
 58
 59\# chattr /etc/passwd /etc/shadow
 60
 61chattr +i /etc/passwd
 62
 63chattr +i /etc/shadow
 64
 65chattr +i /etc/group
 66
 67chattr +i /etc/gshadow
 68
 69  
 70
 71#系统登陆失败3次锁定5分钟
 72
 73\# add continue input failure 3 ,passwd unlock time 5 minite
 74
 75sed -i 's#auth required pam\_env.so#auth required pam\_env.so \\n auth required pam\_tally.so onerr=fail deny=3 unlock\_time=300 \\n auth required /lib/security/$ISA/pam\_tally.so onerr=fail deny=3 unlock\_time=300#' /etc/pam.d/system-auth
 76
 77  
 78
 79#5分钟超时登出
 80
 81\# system timeout 5 minite auto logout
 82
 83echo  "TMOUT=300"  \>>/etc/profile
 84
 85  
 86
 87#设置历史命令为10条
 88
 89\# will system save history command list to 10
 90
 91sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
 92
 93  
 94
 95#让以上配置生效
 96
 97\# enable /etc/profile go!
 98
 99source /etc/profile
100
101  
102
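# SYN-flood mitigation: enable SYN cookies.
# add syncookie enable /etc/sysctl.conf
# Append the key only if it is not already present (the kernel section
# further down lists it as well, and the original appended it on every run)
# and apply it immediately so it is active before reboot.
if ! grep -Eq '^[[:space:]]*net\.ipv4\.tcp_syncookies[[:space:]]*=' /etc/sysctl.conf; then
  echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
fi
sysctl -w net.ipv4.tcp_syncookies=1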
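# optimizer sshd_config
# Pin a few sshd options. MaxAuthTries 6 is the OpenSSH default, so the
# original edit changed nothing; it is kept explicit so a later tightening is
# a one-line diff. The file is validated before sshd is reloaded so a typo
# cannot lock remote administrators out, and reload (not restart) is used so
# existing sessions survive. The original never reloaded sshd at all.
sshd_cfg=/etc/ssh/sshd_config
set_sshd_opt() {
  # $1 = option name, $2 = value. Rewrites an existing (commented or not)
  # line for the option, otherwise appends one; idempotent.
  if grep -Eq "^#?$1[[:space:]]" "$sshd_cfg"; then
    sed -i -E "s/^#?$1[[:space:]].*/$1 $2/" "$sshd_cfg"
  else
    echo "$1 $2" >> "$sshd_cfg"
  fi
}
set_sshd_opt MaxAuthTries 6
set_sshd_opt UseDNS no
if sshd -t -f "$sshd_cfg"; then
  service sshd reload
else
  echo "$sshd_cfg failed validation; not reloading sshd" >&2
fi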
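# Restrict a set of recon / build / editor binaries to root.
# limit chmod important commands
# Caveats to know before relying on this:
#  * a numeric chmod also clears setuid/setgid, so /bin/ping stops working
#    for non-root users on hosts where it depends on setuid;
#  * `rpm -V` will report these files as modified and a package update
#    restores the packaged mode, so the change is not durable;
#  * removing execute from /usr/bin/which and /bin/vi breaks ordinary users'
#    scripts and editing; this costs availability and buys little, because an
#    attacker with a shell simply brings their own copies.
# Binaries absent on this host (e.g. /usr/bin/pico on most CentOS installs)
# are reported and skipped instead of producing a chmod error.
for bin in /bin/ping /usr/bin/finger /usr/bin/who /usr/bin/w /usr/bin/locate \
           /usr/bin/whereis /sbin/ifconfig /usr/bin/pico /bin/vi /usr/bin/which \
           /usr/bin/gcc /usr/bin/make /bin/rpm; do
  if [ -f "$bin" ]; then
    chmod 700 "$bin"
  else
    echo "$bin not present, skipping" >&2
  fi
done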
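# history security
# Make root's history append-only so an intruder cannot truncate or edit it.
# The original set +a and then +i. +i forbids every write, so bash could no
# longer record root's history at all -- the opposite of the intent. Only +a
# is set here; a stale +i from an earlier run is cleared first. bash rewrites
# the whole file on exit unless histappend is on, and a rewrite is refused on
# an append-only file, so histappend is enabled for root as well.
hist=/root/.bash_history
[ -e "$hist" ] || touch "$hist"
chattr -i "$hist" 2>/dev/null
chattr +a "$hist"
if ! grep -q 'histappend' /root/.bashrc 2>/dev/null; then
  echo 'shopt -s histappend' >> /root/.bashrc
fi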
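# write important command checksums
# Record a checksum baseline of the binaries locked down above so a later
# `sha256sum -c` can detect tampering. Changes from the original:
#  * sha256 instead of md5 -- md5 collisions are practical, and a baseline
#    meant to catch tampering should not depend on it;
#  * no scratch file named "list" in the current directory; with `curl | bash`
#    the cwd is arbitrary and an unrelated file of that name was clobbered;
#  * the path of finger/pico matches the chmod step above (/bin/finger and
#    /bin/pico were never hashed because they do not exist there);
#  * the baseline file is root-only (0600). Its name is kept for compatibility.
# The baseline lives on the same disk an intruder with root can edit, so copy
# it off-host (or to read-only media) right after this run.
baseline="/var/log/$(hostname).log"
record_baseline() {
  # $1 = output file; remaining args = paths. Appends one sha256 line per
  # executable path and reports missing / non-executable ones on stderr.
  local out=$1 path
  shift
  for path in "$@"; do
    if [ -x "$path" ]; then
      sha256sum "$path" >> "$out"
    else
      echo "$path not found, no checksum recorded" >&2
    fi
  done
}
touch "$baseline" && chmod 600 "$baseline"
record_baseline "$baseline" \
  /bin/ping /usr/bin/finger /usr/bin/who /usr/bin/w /usr/bin/locate \
  /usr/bin/whereis /sbin/ifconfig /usr/bin/pico /bin/vi /usr/bin/vim \
  /usr/bin/which /usr/bin/gcc /usr/bin/make /bin/rpm /bin/ls /bin/top /bin/ps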
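# Default umask 077: files a user creates are private unless explicitly
# shared. CentOS sets 002/022 in /etc/profile as well as in /etc/bashrc and
# /etc/csh.cshrc; the original patched only the last two, so a login shell
# that does not pull in /etc/bashrc kept 022. All three are patched.
# The pattern matches only "umask 0?2", so re-running is a no-op.
set_umask_077() {
  # $1 = shell rc file; silently skipped when absent.
  [ -f "$1" ] && sed -i -E 's/umask[[:space:]]+0[0-9]2/umask 077/g' "$1"
}
for rc in /etc/profile /etc/bashrc /etc/csh.cshrc; do
  set_umask_077 "$rc"
done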
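# Restrict cron and at to root.
# When an .allow file exists it is authoritative and the .deny file is
# ignored, so the original (an empty cron.allow plus a populated cron.deny)
# actually allowed nobody it did not list -- including root on
# implementations that honour the allow file for uid 0. Root is now written
# into the allow files explicitly. The deny files are still produced for
# readers who expect them, but with a whole-field match: the original
# `grep -v root` also spared any account whose name merely contains "root".
# Files are rewritten rather than appended, so the step is idempotent.
lock_scheduler() {
  # $1 = allow file, $2 = deny file, $3 = passwd file (default /etc/passwd)
  local pw=${3:-/etc/passwd}
  echo "root" > "$1"
  awk -F: '$1 != "root" {print $1}' "$pw" > "$2"
  chmod 600 "$1" "$2"
}
echo "Locking down Cron"
lock_scheduler /etc/cron.allow /etc/cron.deny
echo "Locking down AT"
lock_scheduler /etc/at.allow /etc/at.deny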
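# Kernel / network hardening sysctls.
# Each key is set exactly once (an existing line is replaced, otherwise one
# is appended) instead of blindly appending a block, so the file stays clean
# on a second run and the keys the original listed twice (tcp_syncookies,
# icmp_echo_ignore_broadcasts) collapse into one. The original also never
# reloaded after this block, so none of it took effect until reboot;
# `sysctl -p` now runs at the end.
# NOTE(review): ip_forward=0 is right for a plain host but breaks a router,
# NAT gateway or container host; tcp_timestamps=0 disables PAWS and hurts
# window scaling on busy servers. Confirm both against the machine's role.
set_sysctl() {
  # $1 = key, $2 = value, $3 = config file (default /etc/sysctl.conf)
  local key=$1 value=$2 cfg=${3:-/etc/sysctl.conf} re
  re=$(printf '%s' "$key" | sed 's/\./\\./g')
  if grep -Eq "^[[:space:]]*${re}[[:space:]]*=" "$cfg" 2>/dev/null; then
    sed -i -E "s|^[[:space:]]*${re}[[:space:]]*=.*|${key} = ${value}|" "$cfg"
  else
    echo "${key} = ${value}" >> "$cfg"
  fi
}
while read -r key value; do
  [ -n "$key" ] && set_sysctl "$key" "$value"
done <<'EOF'
net.ipv4.ip_forward 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.tcp_max_syn_backlog 1280
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.tcp_timestamps 0
EOF
sysctl -p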
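# TCP Wrappers: default-deny every libwrap-aware service, allow only sshd.
# `sshd:ALL` (the original) re-opens sshd to everyone, so the rule bought
# nothing for SSH. Set SSH_ALLOW_FROM to the management networks before
# running (e.g. SSH_ALLOW_FROM="10.0.0.0/8 192.168.1.") to get real value
# from it; the default keeps the original behaviour.
# The allow entry is written *before* the deny entry so an interrupted run
# never leaves a window in which new SSH connections are refused, and both
# writes are idempotent instead of appending on every run.
# NOTE(review): only services linked against libwrap honour these files, and
# CentOS 8 / RHEL 8 dropped tcp_wrappers entirely -- use firewalld there.
SSH_ALLOW_FROM=${SSH_ALLOW_FROM:-ALL}
grep -q '^sshd:' /etc/hosts.allow 2>/dev/null || echo "sshd:${SSH_ALLOW_FROM}" >> /etc/hosts.allow
grep -q '^ALL:ALL' /etc/hosts.deny 2>/dev/null || echo "ALL:ALL" >> /etc/hosts.deny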
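# Exploit mitigation: ASLR and Exec-Shield.
# randomize_va_space=2 is already the default on modern CentOS kernels; it is
# pinned so a lower value set elsewhere cannot persist. Exec-Shield is a
# RHEL 5/6-era patch: kernels without it have no /proc/sys/kernel/exec-shield,
# so the original `sysctl -w` failed there and the line it appended made
# every later `sysctl -p` print an error. Each key is now applied and
# persisted only if the running kernel actually exposes it, and only once.
persist_if_present() {
  # $1 = dotted sysctl key, $2 = value, $3 = config file (default /etc/sysctl.conf)
  # Returns 1 (and writes nothing) when the key does not exist on this kernel.
  local key=$1 value=$2 cfg=${3:-/etc/sysctl.conf}
  if [ ! -e "/proc/sys/${key//.//}" ]; then
    echo "kernel does not expose ${key}; skipping" >&2
    return 1
  fi
  sysctl -w "${key}=${value}"
  grep -q "^${key} *=" "$cfg" 2>/dev/null || echo "${key} = ${value}" >> "$cfg"
}
persist_if_present kernel.exec-shield 1
persist_if_present kernel.randomize_va_space 2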
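# Disallow empty passwords: strip the 'nullok' option from pam_unix.
# sshd on CentOS 6/7 authenticates through /etc/pam.d/password-auth, not
# system-auth, so the original edit left SSH password logins untouched; both
# files are edited, through the symlink so authconfig keeps managing them.
# (sshd's own PermitEmptyPasswords defaults to "no"; leave it that way.)
strip_nullok() {
  # $1 = PAM service file; removes every whole-word 'nullok' token. Skipped
  # when the file is absent; already idempotent since nothing remains to match.
  [ -f "$1" ] && sed -i --follow-symlinks 's/\<nullok\>//g' "$1"
}
for pamf in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
  strip_nullok "$pamf"
done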
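# Automatic updates via yum-cron.
# On CentOS 7 `chkconfig on` only forwards to `systemctl enable`, and neither
# form starts the service for the current boot, so it is started explicitly.
# `systemctl enable --now` is avoided because CentOS 7 ships systemd 219,
# which predates that flag.
# NOTE(review): the stock /etc/yum/yum-cron.conf may only *download* updates
# (apply_updates = no); set apply_updates = yes if unattended patching is the goal.
yum -y install yum-cron
if command -v systemctl >/dev/null 2>&1; then
  systemctl enable yum-cron
  systemctl start yum-cron
else
  chkconfig yum-cron on
  service yum-cron start
fi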