#创建普通用户名
useradd rzxadmin
echo "rzxidc2014&#%"| passwd --stdin rzxadmin
#修改root密码
echo "hzgjrzxidc2014&#%"| passwd --stdin root
#Banner伪装
cp issue issue.bak
cp issue.net issue.net.bak
echo "Centos 6.7" >/etc/issue
echo "Kernel \r on an \m" >> /etc/issue
echo "Centos 6.7" >/etc/issue.net
echo "Kernel \r on an \m" >> /etc/issue.net
#锁定用户
cp /etc/shadow /etc/shadow.bak
cp /etc/passwd /etc/passwd.bak
for i in adm lp sync nobody halt news uucp operator games gopher ftp 123
do
passwd -l $i
done
#修改密码策略
cp /etc/login.defs /etc/login.defs.bak
egrep -v "^#|^$" /etc/login.defs|grep PASS_MIN_LEN
if [ $? = 0 ] ;then
egrep -v "^#|^$" /etc/login.defs|awk '/PASS_MIN_LEN/{print "PASS_MIN_LEN 12";next};{print}' >/etc/login.defs.tmp
mv -f /etc/login.defs.tmp /etc/login.defs
else
if
echo "PASS_MIN_LEN 12" >>/etc/login.defs
egrep -v "^#|^$" /etc/login.defs|grep PASS_MAX_DAYS
if [ $? = 0 ] ;then
egrep -v "^#|^$" /etc/login.defs|awk '/PASS_MAX_DAYS/{print "PASS_MAX_DAYS 90";next};{print}' >/etc/login.defs.tmp
mv -f /etc/login.defs.tmp /etc/login.defs
else
echo "PASS_MAX_DAYS 90" >>/etc/login.defs
fi
#超时配置
cp /etc/profile /etc/profile.bak
egrep -v "^#|^$" /etc/profile|grep TMOUT
if [ $? = 0 ] ;then
egrep -v "^#|^$" /etc/profile|awk '/TMOUT/{print "TMOUT=300;export TMOUT";next};{print}' >/etc/profile.tmp
mv -f /etc/profile.tmp /etc/profile
else
echo "TMOUT=300;export TMOUT" >>/etc/profile
fi
#内核安全
cp /etc/sysctl.conf /etc/sysctl.conf.bak
egrep -v "^#|^$" /etc/sysctl.conf|egrep "net\.ipv4\.conf\.default\.send_redirects"
if [ $? != 0 ] ;then
echo "net.ipv4.conf.default.send_redirects=0" >>/etc/sysctl.conf
fi
chown root:root /etc/sysctl.conf
chmod 600 /etc/sysctl.conf
sysctl -p
#SSH改端口为1218
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
egrep -v "^#|^$" /etc/ssh/sshd_config|egrep ""^Port[[:space:]]1218""
if [ $? != 0 ] ;then
echo "auth required pam_tally2.so deny=3 lock_time=300" >>/etc/ssh/sshd_config
fi
#记录历史1000改成10
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
source /etc/profile
#默认不允许root进行ssh
sed -i "s/#PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
service sshd restart
#三次登录密码错误锁定用户
cp /etc/pam.d/login /etc/pam.d/login.bak
sed -i '2i\auth required pam_tally2.so deny=3 unlock_time=180' /etc/pam.d/login
#密码复杂度
cp /etc/pam.d/system-auth system-auth.bak
sed -i "s/password requisite pam_cracklib.so try_first_pass retry=3 type=/password requisite
pam_cracklib.so try_first_pass retry=3 type= difok=2 dcredit=1 lcredit=1 ucredit=1 credit=2 minclass=3 minlen=8/"
/etc/pam.d/syste