linux系统安全加固脚本

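#!/usr/bin/env bash
# Linux hardening script for RHEL/CentOS 6-style hosts (uses `service`, pam_tally2,
# pam_cracklib). Must be run as root.
#
# What it does, in order: create an administrative user and set its password,
# set the root password, replace the login banners, lock unused system accounts,
# tighten /etc/login.defs, add a shell idle timeout, disable ICMP redirects,
# move sshd to port 1218 and forbid root SSH login, shrink shell history, lock
# accounts after three failed logins (pam_tally2), enforce password complexity
# (pam_cracklib). Every file touched is copied to <file>.bak first.
#
# Secrets are NOT stored in this file. The original hard-coded both passwords,
# which put them in version control / on every host and in the shell history.
# They are read from the environment instead and the script aborts if unset:
#   RZXADMIN_PASSWORD  password for the new admin account
#   ROOT_PASSWORD      new root password
#
# Fixes versus the original: an `if` that should have been `fi` (syntax error,
# nothing ran); the "SSH port" step appended a PAM line to sshd_config, which
# would have broken sshd on restart; backups of /etc/issue* and system-auth went
# to relative paths; login.defs was rewritten through `egrep -v "^#|^$"`, which
# deleted every comment in the file; pam_cracklib used positive credits (which
# enforce nothing) and `credit=2` (typo for ocredit).
set -eu

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }
warn() { printf 'WARN: %s\n' "$*" >&2; }

[ "$(id -u)" -eq 0 ] || die "must be run as root"
: "${RZXADMIN_PASSWORD:?set RZXADMIN_PASSWORD in the environment}"
: "${ROOT_PASSWORD:?set ROOT_PASSWORD in the environment}"

# Copy FILE to FILE.bak unless a backup already exists, so a re-run does not
# overwrite the pristine copy with an already-modified one.
backup() {
  [ -e "$1.bak" ] || cp -p -- "$1" "$1.bak"
}

# Replace the active (uncommented) "KEY VALUE" line in FILE or append one.
# Comments and blank lines in FILE are left alone. KEY must be a plain word.
set_kv() {
  local file=$1 key=$2 value=$3
  if grep -Eq "^[[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s|^[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >>"$file"
  fi
}

# Same as set_kv for the "key=value" syntax of /etc/sysctl.conf (keys contain
# dots, which are escaped for the regex).
set_sysctl() {
  local key=$1 value=$2 esc
  esc=$(printf '%s' "$key" | sed 's/\./\\./g')
  if grep -Eq "^[[:space:]]*${esc}[[:space:]]*=" /etc/sysctl.conf; then
    sed -i -E "s|^[[:space:]]*${esc}[[:space:]]*=.*|${key}=${value}|" /etc/sysctl.conf
  else
    printf '%s=%s\n' "$key" "$value" >>/etc/sysctl.conf
  fi
}

# --- Administrative user and passwords --------------------------------------
# With PermitRootLogin disabled below, this account is the remote entry point.
# NOTE(review): the original grants it no wheel/sudo membership; administrators
# will have to `su` after login — confirm that is intended.
if ! id rzxadmin >/dev/null 2>&1; then
  useradd rzxadmin || die "useradd rzxadmin failed"
fi
# chpasswd reads "user:password" pairs on stdin, so the secret is never an
# argument visible in `ps` or the shell history.
printf '%s:%s\n' rzxadmin "$RZXADMIN_PASSWORD" | chpasswd || die "could not set rzxadmin password"
printf '%s:%s\n' root "$ROOT_PASSWORD" | chpasswd || die "could not set root password"

# --- Login banners -----------------------------------------------------------
# Generic banner so the pre-login prompt does not reveal the exact release.
# \r and \m are agetty escapes (kernel release, machine type) and must reach
# the file literally; printf %s does not interpret them.
backup /etc/issue
backup /etc/issue.net
for banner in /etc/issue /etc/issue.net; do
  printf '%s\n' 'Centos 6.7' 'Kernel \r on an \m' >"$banner"
done

# --- Lock unused system accounts ---------------------------------------------
backup /etc/shadow
backup /etc/passwd
# "123" was in the original list; presumably a site-specific account. Accounts
# that do not exist on this host are skipped instead of producing errors.
for acct in adm lp sync nobody halt news uucp operator games gopher ftp 123; do
  if id "$acct" >/dev/null 2>&1; then
    passwd -l "$acct" >/dev/null || warn "could not lock account $acct"
  fi
done

# --- Password ageing / length (login.defs) ------------------------------------
# Note: on PAM-based systems PASS_MIN_LEN is only consulted when pam_cracklib
# is absent; the real minimum is the pam_cracklib minlen set further down,
# which is kept at the same value so the two do not disagree.
backup /etc/login.defs
set_kv /etc/login.defs PASS_MIN_LEN 12
set_kv /etc/login.defs PASS_MAX_DAYS 90

# --- Shell idle timeout -------------------------------------------------------
# `readonly` is what makes the timeout meaningful: without it any user can run
# `unset TMOUT` and the control is gone.
backup /etc/profile
if grep -Eq '^[[:space:]]*(export[[:space:]]+)?TMOUT=' /etc/profile; then
  sed -i -E 's|^[[:space:]]*(export[[:space:]]+)?TMOUT=.*|TMOUT=300; readonly TMOUT; export TMOUT|' /etc/profile
else
  printf '%s\n' 'TMOUT=300; readonly TMOUT; export TMOUT' >>/etc/profile
fi
# The original ran `source /etc/profile` here. That only changes the shell
# running this script (and would now make it time out) — dropped.

# --- Kernel network settings --------------------------------------------------
# `default.*` only applies to interfaces created later; `all.*` covers the
# interfaces that already exist, so both are needed for the setting to matter.
backup /etc/sysctl.conf
set_sysctl net.ipv4.conf.default.send_redirects 0
set_sysctl net.ipv4.conf.all.send_redirects 0
chown root:root /etc/sysctl.conf
chmod 600 /etc/sysctl.conf
sysctl -p >/dev/null || warn "sysctl -p reported an error; check /etc/sysctl.conf"

# --- sshd: non-default port, no root login ------------------------------------
# Caveats before running on a remote host:
#  * the firewall must already allow TCP/1218 or the restart below cuts you off;
#    this script does not edit firewall rules.
#  * with SELinux enforcing, sshd may not bind a non-standard port unless it is
#    labelled ssh_port_t; semanage is attempted when available.
#  * set_kv appends when no active line exists; if sshd_config ends with a
#    `Match` block the appended line would fall inside it (not the case for the
#    stock CentOS 6 file).
backup /etc/ssh/sshd_config
set_kv /etc/ssh/sshd_config Port 1218
set_kv /etc/ssh/sshd_config PermitRootLogin no
if command -v semanage >/dev/null 2>&1; then
  semanage port -a -t ssh_port_t -p tcp 1218 2>/dev/null || true
fi
warn "sshd will listen on TCP/1218 — make sure the firewall permits it"
# Validate before restarting; a bad config here locks out every remote admin.
if ! sshd -t; then
  cp -p -- /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
  die "sshd_config failed validation; backup restored, sshd not restarted"
fi
service sshd restart || die "sshd restart failed"

# --- Shell history size -------------------------------------------------------
# Kept from the original. NOTE(review): cutting HISTSIZE from 1000 to 10 removes
# evidence investigators rely on after an incident and is not a hardening
# control; consider dropping this step or shipping history to a central log.
sed -i 's/HISTSIZE=1000/HISTSIZE=10/' /etc/profile

# --- Lock accounts after three failed logins (pam_tally2) ----------------------
# Inserted at line 2 (line 1 is the "#%PAM-1.0" header), only once, so re-runs
# do not stack duplicate lines. The `account` line is required to reset the
# failure counter after a successful login; without it the counter only grows
# and every account eventually locks on its third cumulative failure.
add_tally() {
  local file=$1
  [ -f "$file" ] || return 0
  backup "$file"
  if ! grep -q pam_tally2 "$file"; then
    sed -i '2i\auth      required      pam_tally2.so deny=3 unlock_time=180' "$file"
    printf '%s\n' 'account   required      pam_tally2.so' >>"$file"
  fi
}
add_tally /etc/pam.d/login
# /etc/pam.d/login governs console logins only. The original tried (via the
# misplaced sshd_config line) to cover SSH as well, so the same policy is
# applied to the sshd stack. Be aware this lets a remote brute-force lock
# rzxadmin out for 180 s at a time.
add_tally /etc/pam.d/sshd

# --- Password complexity (pam_cracklib) ---------------------------------------
# Credits of 0 disable the length-credit scheme, so minlen is a real minimum
# length; minclass=3 demands three of the four character classes. The original
# used positive credits, which only cap a bonus and require nothing, and a
# "credit=2" typo. minlen matches PASS_MIN_LEN above.
# system-auth is normally a symlink to system-auth-ac; --follow-symlinks keeps
# it one instead of replacing the link with a regular file.
backup /etc/pam.d/system-auth
if grep -q 'pam_cracklib.so' /etc/pam.d/system-auth; then
  sed -i --follow-symlinks -E \
    's/^(password[[:space:]]+requisite[[:space:]]+pam_cracklib\.so).*/\1 try_first_pass retry=3 type= difok=2 dcredit=0 lcredit=0 ucredit=0 ocredit=0 minclass=3 minlen=12/' \
    /etc/pam.d/system-auth
else
  warn "no pam_cracklib line in /etc/pam.d/system-auth (pam_pwquality host?); complexity not changed"
fi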

