Centos 7 安全加固命令行

authconfig --passminlen=8 --update
authconfig --enablereqdigit --update
authconfig --enablereqlower --update
authconfig --enablerequpper --update
authconfig --enablereqother --update

sed -i  's/password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok/password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5/' /etc/pam.d/system-auth

sed -i  's/password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=/password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= enforce_for_root/' /etc/pam.d/system-auth

sed -i '/PASS_MAX_DAYS/ s/99999/90/' /etc/login.defs

sed -i '/PASS_MIN_DAYS/ s/0/14/' /etc/login.defs

sed -i '/PASS_WARN_AGE/ s/7/14/' /etc/login.defs


echo " Authorized users only! All activity may be monitored and reported! " > /etc/motd

echo " Be sure you are authorized to access this system! " > /etc/issue
echo " Be sure you are authorized to access this system! " > /etc/issue.net

echo "UseDNS no" >> /etc/ssh/sshd_config

echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config

echo "Protocol 2" >> /etc/ssh/sshd_config

sed -i '/#PermitRootLogin yes/a\PermitRootLogin no' /etc/ssh/sshd_config

systemctl restart sshd.service

sed -i  's/umask 022/umask 027/' /etc/profile

echo "export TMOUT=300" >> /etc/profile


systemctl stop kdump.service
systemctl disable kdump.service
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl disable avahi-daemon
systemctl disable cups
systemctl disable nfs
systemctl disable nfs-server
systemctl disable rpcbind
systemctl disable vsftpd
systemctl disable snmpd
systemctl disable rsyncd
systemctl disable dhcpd
systemctl disable slapd
systemctl disable named
systemctl disable httpd
systemctl disable doveco
systemctl disable smb
systemctl disable squid
systemctl disable ypserv
systemctl disable rsh.socket
systemctl disable rlogin.socket
systemctl disable rexec.socket
systemctl disable ntalk
systemctl disable telnet.socket
systemctl disable tftp.socket

systemctl list-unit-files |egrep "^firewalld|^post|^NetworkManager" |awk '{print $1}'|sed -r 's#(.*)#systemctl disable &#g'|bash


sed -i  's/SELINUX=enforcing/SELINUX=disabled/'/etc/selinux/config

rm -f /usr/lib/systemd/system/ctrl-alt-del.target

echo 'HISTTIMEFORMAT="<%F %T>: "  ' >> /etc/profile
echo 'HISTFILESIZE=2000' >> /etc/profile
echo 'HISTSIZE=2000' >> /etc/profile
echo '*.err;auth.info        /var/adm/messages' >> /etc/rsyslog.conf

echo '*               soft    nofile            409600' >> /etc/security/limits.conf
echo '*               hard    nofile            409600' >> /etc/security/limits.conf

sed -i 's/*          soft    nproc     4096/#*          soft    nproc     4096/' /etc/security/limits.d/20-nproc.conf

 

转载于:https://www.cnblogs.com/liweiming/p/11275951.html

你可能感兴趣的:(Centos 7 安全加固命令行)