安全加固

一个Chris提供的安全加固脚本

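#!/bin/bash
# Host hardening script (CentOS/RHEL): installs an SSH public key for the
# production user, disables password and root SSH login, resets limits.conf,
# locks legacy system accounts, records per-login shell history, enables SYN
# cookies and makes a set of system files immutable/append-only.
# Must be run as root. Review every hard-coded value (user name, key) first.
# Original line was "#/bin/bash" (missing "!"), so it was a comment rather
# than a shebang and the script ran under whatever shell happened to invoke it.

#yum -y update

#change root password
# Do not hard-code the password here: it ends up in the repo, in backups and in
# shell history. If this step is enabled, read it from the environment instead:
#rootPasswd="${ROOT_PASSWD:?set ROOT_PASSWD in the environment}"
#echo "${rootPasswd}" | passwd --stdin root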

 

 

 

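#public key login (recommended)
# NOTE(review): this installs one fixed key for one fixed user. Whoever holds
# the matching private key gets shell access on every host this runs on;
# replace both the user and the key before using it outside the environment
# the key was issued for (original comment: 非正式环境修改).
PROD_USER="prod_user_888"
PROD_HOME="/home/${PROD_USER}"
PROD_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZUVULcuoSQVx1MUi7TAKuDqPihLkfSqHoY61P5vNbTDZz+pX/3PeG1ObIqyT9e2h1Zq7mBs0n0RJ+LxgP7Cn6uUz6Cd8ivd5gxDsSFh8HRehczOF6LkiGNIF7HJrQz78WOi0idmWf+wHcqMsX+hTWpc0qVw7MX02nOj5+e/MasS1b4Ma+Hli5FC3XcPNXOWahIpuu3b8um753dPDBWkzqL5HJuOGQUQwhiDJGh3EQwWT5MBBJrlMb6O/Re9OPOANMjnsp1LwGvGWLJ358piEaqTXGGLXadqVn9uveF2bj1xooRO4Dmw3yW359dXfjqJ8DRwpX94gAAxyLy1Y5aUyV prod_user_888@host-172-19-150-169'
SSH_DIR="${PROD_HOME}/.ssh"
AUTH_KEYS="${SSH_DIR}/authorized_keys"

# The original did an unchecked "cd" into the home directory; if it did not
# exist, .ssh and authorized_keys were created in whatever the current
# directory was. Abort instead.
if [ ! -d "${PROD_HOME}" ]; then
  echo "home directory ${PROD_HOME} does not exist; cannot install SSH key" >&2
  exit 1
fi

# Absolute paths throughout so nothing depends on the working directory.
mkdir -p "${SSH_DIR}"
chmod 700 "${SSH_DIR}"
chown -R "${PROD_USER}:${PROD_USER}" "${SSH_DIR}"

# Append the key only if it is not already present, so re-running the script
# does not duplicate it. (The original also wrote its source-code comment
# "##非正式环境修改" into the file because it was inside the heredoc.)
touch "${AUTH_KEYS}"
grep -qF -- "${PROD_KEY}" "${AUTH_KEYS}" || printf '%s\n' "${PROD_KEY}" >> "${AUTH_KEYS}"
chmod 600 "${AUTH_KEYS}"
chown "${PROD_USER}:${PROD_USER}" "${AUTH_KEYS}"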

 

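#ssh config
# Runs after the public key has been installed above, so key-based login for
# the production user is available before password login is switched off.
# Keep your current session open and confirm key login from a second session
# before relying on this.
SSHD_CONFIG=/etc/ssh/sshd_config

# The original patterns matched only one form of each directive: an active
# "PasswordAuthentication ..." line (leaving a commented default untouched,
# with password auth still enabled) and only a commented "#PermitRootLogin"
# (leaving an explicit "PermitRootLogin yes" in place). Match both forms.
sed -ri 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' "${SSHD_CONFIG}"
sed -ri 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "${SSHD_CONFIG}"

# If neither form existed, insert the directive at the top of the file.
# Appending at the end is avoided on purpose: lines after a "Match" block
# would become part of that block instead of applying globally.
grep -qE '^PasswordAuthentication no' "${SSHD_CONFIG}" || sed -i '1i PasswordAuthentication no' "${SSHD_CONFIG}"
grep -qE '^PermitRootLogin no' "${SSHD_CONFIG}" || sed -i '1i PermitRootLogin no' "${SSHD_CONFIG}"

# Validate before restarting: restarting on a broken config would leave the
# host without a working sshd.
if sshd -t; then
  service sshd restart
else
  echo "${SSHD_CONFIG} failed validation (sshd -t); sshd was NOT restarted" >&2
  exit 1
fi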

 

 

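#update ulimit configure (recommended)
# Empty the distribution's nproc drop-in (presumably so that only
# limits.conf applies). Truncating in place has the same effect as the
# original rm + touch.
test -f /etc/security/limits.d/20-nproc.conf && : > /etc/security/limits.d/20-nproc.conf

# Replace limits.conf wholesale.
# NOTE(review): the original line here was
#   cat >> /etc/security/limits.conf < /etc/redhat-release
# i.e. it copied the OS release string into limits.conf (which pam_limits
# cannot parse) instead of any limits; the intended entries were lost when the
# heredoc was mangled. Put them in the block below
# (one per line, format: <domain> <type> <item> <value>).
cat > /etc/security/limits.conf << 'EOF'
# Managed by the hardening script. Format: <domain> <type> <item> <value>
# TODO(review): add the intended limits here (the original script's values were lost).
EOF

# Login banners. /etc/motd is shown after a successful login. /etc/issue.net
# is only presented by sshd when sshd_config contains "Banner /etc/issue.net",
# which this script does not set.
echo 'Warning! Unauthorized access is prohibited!' > /etc/motd
echo 'Authorized uses only. All activity may be monitored and reported.' > /etc/issue.net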

 

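##lock users (recommended)
# Lock the password of legacy system accounts so they cannot be used for
# password login. A failure (e.g. the account does not exist on this host) is
# reported instead of silently ignored, but does not abort the script.
# Note: this locks the password only; it does not change the login shell.
for acct in adm lp sync shutdown halt operator games; do
  passwd -l "${acct}" || echo "warning: could not lock account ${acct}" >&2
done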

 

 

 

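#update /etc/sysctl.conf (recommended)
# Enable TCP SYN cookies. The original appended the line unconditionally, so
# every run of the script stacked another duplicate into sysctl.conf; update an
# existing setting in place and append only when it is absent.
if grep -qE '^[[:space:]]*net\.ipv4\.tcp_syncookies[[:space:]]*=' /etc/sysctl.conf; then
  sed -ri 's/^[[:space:]]*net\.ipv4\.tcp_syncookies[[:space:]]*=.*/net.ipv4.tcp_syncookies = 1/' /etc/sysctl.conf
else
  echo 'net.ipv4.tcp_syncookies = 1' >> /etc/sysctl.conf
fi
# Apply the file now rather than waiting for the next boot.
sysctl -p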

 

 

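#update record command (recommended)
# Keep a per-login bash history file under /var/log/history, named after the
# user, their source address and the login time, so commands can be attributed.
#echo export HISTTIMEFORMAT="%Y-%m-%d:%H-%M-%S:`whoami`: " >> /etc/profile
sed -i 's/HISTSIZE=.*$/HISTSIZE=100000/g' /etc/profile

# Two fixes versus the original:
#  1. The heredoc delimiter is quoted ('EOF'). With an unquoted EOF, the
#     backticks, $USER_IP, ${LOGNAME} and $DT were expanded by THIS script at
#     install time, so /etc/profile ended up with the installer's user name and
#     address hard-coded for every later login instead of being evaluated per
#     login.
#  2. The block is guarded by a marker so re-running the script does not append
#     a second copy.
if ! grep -q '^# BEGIN hardening: command history' /etc/profile; then
cat >> /etc/profile << 'EOF'
# BEGIN hardening: command history
umask 027
# prints the existing history at login (kept from the original script)
history
USER=`whoami`
USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]; then
USER_IP=`hostname`
fi
if [ ! -d /var/log/history ]; then
mkdir /var/log/history
# World-writable so each user can create their own directory on first login.
# The sticky bit (1777 instead of the original 777) keeps users from removing
# or renaming each other's entries.
chmod 1777 /var/log/history
fi
if [ ! -d /var/log/history/${LOGNAME} ]; then
mkdir /var/log/history/${LOGNAME}
# write+search only: the user can add history files but cannot list the directory
chmod 300 /var/log/history/${LOGNAME}
fi
# NOTE: this takes precedence over the HISTSIZE=100000 set earlier in /etc/profile.
export HISTSIZE=4096
DT=`date +"%Y%m%d_%H:%M:%S"`
export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
# NOTE(review): this glob only matches names containing "history", and the
# HISTFILE names above do not, so it probably never matches anything -- confirm.
chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null
# END hardening: command history
EOF
fi
# Load the new profile into this shell (this also creates /var/log/history now,
# as root, which the chattr step later in the script relies on).
source /etc/profile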

 

 

 

##centos/redhat7 /tmp 

#systemctl unmask tmp.mount 

#systemctl enable tmp.mount 

#sed -ri 's/^Opt.*/Options=mode=1777,strictatime,noexec,nodev,nosuid/g' /etc/systemd/system/local-fs.target.wants/tmp.mount  

#mount -a 

 

##centos/redhat7 /boot 

# chown root:root /boot/grub2/grub.cfg  

# chmod og-rwx /boot/grub2/grub.cfg  

 

##tcp wrapper    #暂时不用 

#yum -y install tcp_wrappers 

#echo "sshd:ALL" >> /etc/hosts.deny 

#echo "sshd:222.80.22.4 81.222.111.2 " >> /etc/hosts.allow  

 

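# Make critical files immutable (+i) and logs append-only (+a).
# These attributes change how the system behaves, not only who may edit files:
#  - +i on /etc/passwd and /etc/shadow blocks passwd, useradd/usermod/userdel
#    and chage (including the "passwd -l" calls earlier in this script on any
#    later run); +i on /etc/sudoers blocks visudo. Run "chattr -i" before
#    account or sudoers changes and re-apply afterwards.
#  - +i on /etc/resolv.conf stops DHCP clients / NetworkManager from updating it.
#  - +a on the log files stops logrotate from renaming or truncating them;
#    rotate them with "chattr -a" first or exclude them from rotation.
#  - +a on the /var/log/history directory allows new entries but prevents
#    removing or renaming existing ones.
#  - chattr only works on filesystems that support these attributes.
# Failures are reported (the original ignored them silently) but do not abort
# the script.
for f in /etc/passwd /etc/shadow /etc/hosts /etc/fstab /etc/sudoers /etc/resolv.conf; do
  chattr +i "$f" || echo "warning: could not set +i on $f" >&2
done

for f in /var/log/messages /var/log/wtmp /var/log/history; do
  chattr +a "$f" || echo "warning: could not set +a on $f" >&2
done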

 

 

 

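# Manual follow-up steps left by the original author. They were bare lines at
# the end of the script: "vi /etc/hosts" would block on an interactive editor
# (or fail without a tty), and "Rsa passwd" / "end" are notes, not commands,
# and would only produce "command not found". Kept here as comments:
#   vi /etc/hosts      -- review /etc/hosts by hand (note it is now immutable, see chattr above)
#   Rsa passwd         -- presumably: set/verify the passphrase on the RSA key used above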
