Linux安全脚本

#!/bin/bash

#set env

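# Make the admin tools used below reachable even from a minimal environment.
export PATH=$PATH:/bin:/sbin:/usr/sbin

# Every function edits files under /etc or restarts services, so refuse to
# continue unless running as root.
if [[ "$UID" != "0" ]]; then
  echo "please run this script by root."
  exit 1
fi

# Command locations.  `which` is not guaranteed on minimal installs, so use
# the POSIX builtin; either may be empty on systemd-only hosts.  Neither
# variable is read elsewhere in this file; kept for compatibility.
SERVICE=$(command -v service)
CHKCONFIG=$(command -v chkconfig)

# wget is needed by mod_yum.  This runs on every start of the script, even
# when the menu is only displayed.
yum install -y wget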

#修改yum源

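#修改yum源
# Replace the stock CentOS-Base.repo with the Aliyun mirror definition.
# The original moved the stock file away *before* downloading, so a failed
# download left the host with no base repository; here the download goes to
# a temp file and the swap only happens on success.
# NOTE(review): the URL is plain HTTP (the repo definition is fetched
# unauthenticated) and names the CentOS 6 file; both carried over unchanged.
function mod_yum(){
  local repo=/etc/yum.repos.d/CentOS-Base.repo
  local url=http://mirrors.aliyun.com/repo/Centos-6.repo
  local tmp
  if [[ -e "$repo" ]]; then
    tmp=$(mktemp) || return 1
    if wget -O "$tmp" "$url"; then
      mv "$repo" "${repo}.backup" && mv "$tmp" "$repo" && chmod 0644 "$repo"
    else
      rm -f -- "$tmp"
      return 1
    fi
  fi
}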


#关闭selinux

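#关闭selinux
# Persistently disable SELinux (effective at next boot) and put the running
# kernel into permissive mode now.  This removes the mandatory access control
# layer; without it, init_ssh's non-default port would otherwise need an
# SELinux port label.
# The original sed expression lacked its closing "/" delimiter, so sed
# failed ("unterminated `s' command") and the config was never changed.
# A permissive setting is mapped to disabled as well.
function close_selinux(){
  sed -i -e 's/^SELINUX=enforcing/SELINUX=disabled/' \
         -e 's/^SELINUX=permissive/SELINUX=disabled/' /etc/selinux/config
  setenforce 0 >/dev/null 2>&1
}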


#关闭防火墙

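#关闭防火墙
# Stop the host firewall and keep it from starting at boot.  Note that
# init_ssh later adds iptables rules that are only persisted while the
# iptables service is enabled.
function close_iptables(){
  # SysV iptables (CentOS 6).  The original ran the stop twice.
  /etc/init.d/iptables stop
  chkconfig iptables off
  # firewalld (CentOS 7+) is a systemd unit: `service` is redirected to
  # systemctl, but chkconfig cannot disable it, so use systemctl when present.
  service firewalld stop
  if command -v systemctl >/dev/null 2>&1; then
    systemctl disable firewalld
  else
    chkconfig firewalld off
  fi
}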


#关闭不必要的开机启动服务

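#关闭不必要的开机启动服务
# Turn every SysV service off at boot, then re-enable the ones matched by
# $keep.  Iterating over names instead of piping generated "chkconfig X off"
# lines into bash keeps service names from ever being parsed as shell code.
# Output lines that are not service entries (section headers, empty lines)
# produce chkconfig errors exactly as the original pipeline did.
function lease_service(){
  local keep='crond|sshd|network|rsyslog|sysstat'
  local name
  while read -r name _; do
    [[ -n "$name" ]] || continue
    chkconfig "$name" off
  done < <(chkconfig)
  while read -r name _; do
    chkconfig "$name" on
  done < <(chkconfig | grep -E -- "$keep")
}

# main() calls this step as least_service (option 4 and 15) while the
# function above is named lease_service; provide both names.
function least_service(){
  lease_service "$@"
}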


#添加用户

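#添加用户
# Create the administrative account "hat" (primary group root, passwordless
# sudo for everything), once.  The function name shadows the system
# `adduser` command for the rest of this script; main() calls it by this
# name, so it is kept.
function adduser(){
    #4.add hat and sudo
    local rule='hat ALL=(ALL) NOPASSWD: ALL '
    # Idempotence: match the account name field only (the original `grep -w
    # hat` also matched the word anywhere in the line, e.g. in a GECOS field).
    if ! grep -q '^hat:' /etc/passwd; then
        useradd hat -g root
        # HAT_PASSWORD overrides the password; the fallback is the value the
        # original script hard-coded and is known to anyone who has read it,
        # so set HAT_PASSWORD in the environment.  --stdin keeps the value
        # out of the argument list.
        printf '%s\n' "${HAT_PASSWORD:-geeboo}" | passwd --stdin hat
        \cp /etc/sudoers /etc/sudoers.ori
        echo "$rule" >>/etc/sudoers
        tail -1 /etc/sudoers
        # A syntax error in /etc/sudoers disables sudo for every user; the
        # original ran the check but ignored its result.
        if ! visudo -c >/dev/null 2>&1; then
            \cp /etc/sudoers.ori /etc/sudoers
            echo "sudoers check failed, restored /etc/sudoers.ori" >&2
            return 1
        fi
    fi
}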


#设置默认字符集为中文

#设置默认字符集为中文
# Set the system default locale to zh_CN.UTF-8 (backing up the old file)
# and load it into the current shell.
function charset(){
    #5.charset config
    local i18n=/etc/sysconfig/i18n
    cp "$i18n" "${i18n}.ori"
    printf '%s\n' 'LANG="zh_CN.UTF-8"' >"$i18n"
    # Apply to this shell too so later steps run with the new LANG.
    . "$i18n"
}


#时间同步

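#时间同步
# Add a 5-minute ntpdate job to root's crontab, once.  The spool file is
# written directly rather than via `crontab`, so crond picks it up when it
# re-reads the spool.
# NOTE(review): a file created with ">>" gets the caller's umask; confirm
# cron accepts the resulting mode on the target host.
function time_sync(){
    #6.time sync.
    local cron=/var/spool/cron/root
    if ! grep -qw "ntpdate" "$cron" 2>/dev/null; then
        echo "#time sync" >>"$cron"
        echo "*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1" >>"$cron"
        crontab -l
    fi
}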


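# Session and password hardening: idle-shell timeout and history limits in
# /etc/profile, password ageing and UMASK in /etc/login.defs, and password
# complexity in /etc/security/pwquality.conf.
function com_line_set(){
    #7.command set.
    # Append the profile settings only when they are not all present yet.
    # The original tested `-ge 3`, i.e. it appended them only when they
    # already existed and never on a fresh system.
    if [[ "$(grep -E -c 'TMOUT|HISTSIZE|HISTFILESIZE' /etc/profile)" -lt 3 ]]; then
        echo "export TMOUT=600" >>/etc/profile
        echo "export HISTSIZE=5" >>/etc/profile
        echo "export HISTFILESIZE=5" >>/etc/profile
        # Also affects this shell: TMOUT applies to later `read` calls.
        . /etc/profile
    fi
    _set_login_defs
    _set_pwquality
}

# Replace the password-ageing and UMASK keys in /etc/login.defs.
# The patterns are unanchored (as in the original), so comment lines that
# mention a key are deleted as well.
_set_login_defs(){
    local f=/etc/login.defs
    local key
    for key in PASS_MAX_DAYS PASS_MIN_LEN PASS_MIN_DAYS PASS_WARN_AGE UMASK; do
        sed -i "/${key}.*/d" "$f"
    done
    echo "PASS_MAX_DAYS   90" >>"$f"
    echo "PASS_MIN_LEN    12" >>"$f"
    echo "PASS_MIN_DAYS   7" >>"$f"
    echo "PASS_WARN_AGE 30" >>"$f"
    echo "UMASK 077" >>"$f"
}

# Replace the pam_pwquality keys in /etc/security/pwquality.conf.
# On systems without that file (pam_cracklib era) the sed calls report an
# error and the echo lines create it, as before.
# NOTE(review): minlen = 8 here is what pam_pwquality enforces; the
# PASS_MIN_LEN 12 above is not consulted by PAM — confirm the intended minimum.
_set_pwquality(){
    local f=/etc/security/pwquality.conf
    local key
    for key in minlen minclass maxrepeat maxclassrepeat lcredit ucredit dcredit ocredit difok; do
        sed -i "/${key}.*/d" "$f"
    done
    echo "minlen = 8">>"$f"
    echo "minclass = 1">>"$f"
    echo "maxrepeat = 0">>"$f"
    echo "maxclassrepeat = 4">>"$f"
    echo "lcredit = -1">>"$f"
    echo "ucredit = -1">>"$f"
    echo "dcredit = -1">>"$f"
    echo "ocredit = -1">>"$f"
    echo "difok = 5">>"$f"
}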


#设置打开文件数

#设置打开文件数
# Raise the per-process open-file limit for all users, once.
function open_file_set(){
    #8.increase open file.
    local limits=/etc/security/limits.conf
    # The idempotence check is loose: any line containing 65535 counts.
    grep -q 65535 "$limits" && return 0
    echo "*               -       nofile          65535 " >>"$limits"
    tail -1 "$limits"
}


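# Append a block of TCP/netfilter tunables to /etc/sysctl.conf and apply it.
# "#kernel_flag" marks the block so a re-run does not append it twice.
# The original read `cat >>/etc/sysctl.conf<` — the here-doc operator was
# lost, which is a shell syntax error that prevented the whole script from
# parsing.  The body is written at column 0 so sysctl sees plain "key = value"
# lines and a "#" comment, not indented text.
# NOTE(review): net.ipv4.tcp_tw_recycle was removed in Linux 4.12 (and is
# known to break clients behind NAT), and the nf_conntrack keys only exist
# while the nf_conntrack module is loaded; on such hosts `sysctl -p` reports
# errors for those lines but still applies the rest.
function set_kernel(){
    #9.kernel set.
    if ! grep -q kernel_flag /etc/sysctl.conf; then
        cat >>/etc/sysctl.conf <<'EOF'
#kernel_flag
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000    65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
EOF
        sysctl -p
    fi
}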


#优化SSH

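#优化SSH
# Move sshd to a non-default port, turn off DNS and GSSAPI lookups, and
# restrict the new port to one subnet via TCP wrappers and iptables.
# Env: SSH_PORT (default 52113), SSH_ALLOW_NET (default 192.168.10.0/24).
# Run this from a host inside SSH_ALLOW_NET: every other source is dropped
# once the rules are in place.  With SELinux enforcing, a non-default port
# also needs a port label (semanage port -a -t ssh_port_t -p tcp <port>).
function init_ssh(){
    local cfg=/etc/ssh/sshd_config
    local port=${SSH_PORT:-52113}
    local net=${SSH_ALLOW_NET:-192.168.10.0/24}
    cp "$cfg" "${cfg}.$(date +"%Y-%m-%d_%H-%M-%S")"
    # Each substitution only fires on the stock commented-out line, so an
    # already-edited config is left as it is (same as the original).
    sed -i "s%#Port 22%Port ${port}%" "$cfg"
    #sed -i "s%#PermitRootLogin yes%PermitRootLogin no%" "$cfg"
    sed -i "s%#PermitEmptyPasswords no%PermitEmptyPasswords no%" "$cfg"
    sed -i "s%#UseDNS yes%UseDNS no%" "$cfg"
    # The original ran this substitution twice.
    sed -i "s%GSSAPIAuthentication yes%GSSAPIAuthentication no%" "$cfg"
    #sed -i '$a\AllowUsers  hat' "$cfg"
    # Validate before restarting: restarting on a broken config leaves no
    # sshd listening at all.
    if ! sshd -t; then
        echo "sshd_config failed validation; sshd not restarted" >&2
        return 1
    fi
    service sshd restart >/dev/null 2>&1
    echo "sshd:${net}" >> /etc/hosts.allow
    echo "sshd:ALL" >> /etc/hosts.deny
    # DROP is inserted first, then ACCEPT at the head, so ACCEPT is evaluated
    # before DROP.
    iptables -I INPUT -p tcp --dport "$port" -j DROP
    iptables -I INPUT -p tcp --dport "$port" -s "$net" -j ACCEPT
    # `iptables save` is not an iptables command and failed with a usage
    # error; the SysV script persists the ruleset to /etc/sysconfig/iptables.
    service iptables save
}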


# Install a small set of convenience tools when fewer than four of the five
# packages are already present.
function update_linux(){
    #10.upgrade linux.
    local pkgs=(lrzsz nmap tree dos2unix nc)
    local installed
    installed=$(rpm -qa "${pkgs[@]}" | wc -l)
    if (( installed <= 3 )); then
        yum install wget lrzsz nmap tree dos2unix nc -y
        #yum update -y
    fi
}

# Make the account databases (and inittab) immutable.  useradd/passwd and
# similar writes fail on these files until `chattr -i` is run on them.
function cha {
  local files=(/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab)
  chattr +i "${files[@]}"
}

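# Lock an account after 5 failed logins (pam_tally2) for sshd and the
# system-auth stack.  With even_deny_root, five failed attempts against root
# over ssh lock root for root_unlock_time seconds, which any remote client
# can trigger; keep that in mind when enabling it on an exposed host.
# NOTE(review): system-auth is marked as generated by authconfig on stock
# systems; a later authconfig run may overwrite this edit — confirm.
function pamtally {
  local rule='auth        required        pam_tally2.so  onerr=fail  deny=5  unlock_time=600 even_deny_root root_unlock_time=300'
  cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
  cp /etc/pam.d/login /etc/pam.d/login.bak
  # system-auth is edited below but was not backed up in the original.
  cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
  # Show failure counts for all users:  pam_tally2
  # Unlock a given user:                 pam_tally2 -r -u root
  # Remove any earlier copy of the rule, then insert it after a fixed line
  # (4 in system-auth, 2 in sshd).  The line numbers appear to assume the
  # stock CentOS 6 layout — verify on other file layouts.
  sed -i '/pam_tally2.so.*/d' /etc/pam.d/system-auth
  sed -i -e "4a\\${rule}" /etc/pam.d/system-auth
  sed -i '/pam_tally2.so.*/d' /etc/pam.d/sshd
  sed -i -e "2a\\${rule}" /etc/pam.d/sshd
}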

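# Interactive menu: runs one hardening step, or (15) all of them except
# init_ssh, which changes the ssh port and firewall rules and is left as an
# explicit choice so a bulk run cannot lock the operator out.
main(){
  cat << EOF
----------------------------------------
|****Please Enter Your Choice:[1-15]****|
----------------------------------------
(1) mod yum 
(2) close selinux
(3) close iptables
(4) least service
(5) add user
(6) charset
(7) time sync
(8) password security
(9) set open file
(10) set kernel
(11) init ssh
(12) update linux
(13) pamtally
(14) chattr
(15) all(except init ssh) 
EOF
  # -r keeps backslashes literal; the value is only compared against the
  # fixed patterns below.
  read -r -p "Please enter your choice[1-15]: " input1
  case "$input1" in
    1)  mod_yum ;;
    2)  close_selinux ;;
    3)  close_iptables ;;
    # The function is defined as lease_service; the original called a
    # non-existent least_service here and in option 15.
    4)  lease_service ;;
    5)  adduser ;;
    6)  charset ;;
    7)  time_sync ;;
    8)  com_line_set ;;
    9)  open_file_set ;;
    10) set_kernel ;;
    11) init_ssh ;;
    12) update_linux ;;
    13) pamtally ;;
    14) cha ;;
    15)
      # Same order as the original minus init_ssh: the menu promises
      # "except init ssh" but the original ran it anyway.  cha stays last,
      # since adduser cannot modify an immutable /etc/passwd.
      mod_yum
      close_selinux
      close_iptables
      lease_service
      adduser
      charset
      time_sync
      com_line_set
      open_file_set
      set_kernel
      update_linux
      pamtally
      cha
      ;;
    *)
      echo "****Please Enter Your Choice:[1-15]****|"
      ;;
  esac
  # Manual follow-ups noted by the author (not run by the script):
  # hide the OS version banner:  > /etc/issue ; > /etc/issue.net
  # lock key system files:       chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
  # unlock them again:           chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/inittab
  # rename chattr:               mv /usr/bin/chattr /usr/bin/hat1
  # password-protect grub:       run /sbin/grub-md5-crypt, then add "password --md5 <hash>" to /etc/grub.conf
  # ignore ICMP echo (ping):     net.ipv4.icmp_echo_ignore_all=1
}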

# Entry point; main() ignores its arguments but they are passed through.
main "$@"
