linux服务器安全初始化shell脚本

 #!/bin/bash

#desc: setup linux system security
#author
#powered by www.freebsdsysystem.org
#version 0.1.2 written by 2011.05.03
 
#设置账号
passwd -1 xfs
passwd -1 news
passwd -1 nscd
passwd -1 dbus
passwd -1 vcsa
passwd -1 games
passwd -1 nobody
passwd -1 avahi
passwd -1 haldemon
passwd -1 gopher
passwd -1 ftp
passwd -1 mailnull
passwd -1 pcap
passwd -1 mail
passwd -1 shutdown
passwd -1 halt
passwd -1 uucp
passwd -1 operator
passwd -1 sync
passwd -1 adm
passwd -1 lp
 
#用chattr给用户路径更改属性
#chattr命令用法参考文末说明[1]
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
 
#设置密码连续错3次后锁定5分钟
sed -i 's#auth required\
 pam_env.so#auth required\
 pam_env.so nauth required\
 pam_tally.so onerr=fail deny=3\
 unlock_time=300\
 nauth required /lib/security/ \
 $ISA/pam_tally.so onerr=fail \
 deny=3 unclock_time=300#'\
 etc/pam.d/system-auth
 
#5分钟后自动退出,原因参考文末说明[2]
echo "TMOUT=300" >> /etc/profile
 
#历史命令记录数设定为10条
sed -i
 "s/HISTSIZE=1000/histsize=10/"
 etc/profile
 
#让以上针对 /etc/profile 的改动立即生效
source /etc/profile
 
#在 etc/sysctl.conf 中启用 syncookie
echo "net.ipv4.tcp_syncookies=1" >>
 /etc/sysctl.conf
#exec sysctl.conf enable
sysctl -p
 
#优化 sshd_config
sed -i "s/#maxauthtries 6/maxauthtries
 6/" / etc/ssh/sshd_config
sed -i "s/#UseDNS yes/useDNS no/"
 etc/ssh/sshd_config
 
#限制重要的命令权限
chomd 700 /bin/ping
chomd 700 /usr/bin/finger
chomd 700 /usr/bin/who
chomd 700 /usr/bin/w
chomd 700 /usr/bin/local
chomd 700 /usr/bin/whereis
chomd 700 /sbin/ifconfig
chomd 700 /usr/bin/pico
chomd 700 /bin/vi
chomd 700 /usr/bin/which
chomd 700 /usr/bin/gcc
chomd 700 /usr/bin/make
chomd 700 /bin/rpm
 
#历史安全
chattr +a /root/.bash_history
chattr +i /root/.bash_history
 
#给重要的命令写md5
cat > list << "EOF" &&
/bin/ping
/usr/bin/finger
/usr/bin/who
/usr/bin/w
/usr/bin/locate
/usr/bin/whereis
/sbin/ifconfig
/bin/vi
/usr/bin/vim
/usr/bin/which
/usr/bin/gcc
/usr/bin/make
/bin/rpm
EOF
for i in 'cat list'
do
     if [ ! -x $i ];then
     echo "$i not found,no md5sum!"
    else
      md5sum $i >>
    /var/log/'hostname'.log
    fi
done
rm -f list
 

你可能感兴趣的:(linux,服务器安全)