#!/bin/bash
#
#this script is used to check the security and initial some security parameter
#
#set service
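# Everything below writes under /root and edits /etc/profile, /etc/sysctl.conf,
# service state and user shells, so refuse to run unprivileged instead of
# failing half-way through with a partial log.
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root." >&2
  exit 1
fi
# One date call: the original invoked date five times, so a stamp could
# straddle a minute/day boundary.  Format is unchanged (YYYY-MM-DD-HH:MM).
_chkdate="$(date +%Y-%m-%d-%H:%M)"
# Per-run report; '>' below deliberately starts it fresh.
_chklog="/root/securityCheck${_chkdate}.log"
echo "$_chklog"
echo "Check date stamp:$_chkdate"
echo "--------------------------------------------------------------------"
{
  echo "Check date stamp:$_chkdate"
  echo "IP address :"
  # ifconfig (net-tools) prints "Mask:" on old releases and "netmask" on
  # newer ones; fall back to iproute2 where net-tools is not installed.
  if command -v ifconfig >/dev/null 2>&1; then
    ifconfig | grep -E 'Mask|netmask'
  else
    ip -4 addr
  fi
  echo "____________________________________________________________________"
  echo "--------------------------------------------------------------------"
} >"$_chklog"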
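echo "Now,I start to check the running service:"
echo "the action will start after 3sec!"
sleep 3
echo "Starting..."
rcount=0
scount=0
# Scratch files for the service report.  The original used the fixed names
# ./_srv_rrep and ./_srv_srep in the working directory (predictable, and
# writable by others if the script is run from a shared directory); mktemp
# gives private, unpredictable paths and the trap removes them on exit.
_srv_rrep="$(mktemp)" || exit 1
_srv_srep="$(mktemp)" || exit 1
trap 'rm -f -- "$_srv_rrep" "$_srv_srep"' EXIT

# Daemons disabled unconditionally.  'service stop' only affects the running
# instance; 'chkconfig off' is what keeps them down after a reboot.
# Fixed from the original: 'chkconfig rpcssd off' (typo for rpcgssd) and
# 'service smb off' (should have been chkconfig), both of which did nothing.
_stop_services=(anacron atd autofs avahi-daemon cups firstboot mdmonitor rpcgssd rpcidmapd sendmail smb)
for _svc in "${_stop_services[@]}"; do
  service "$_svc" stop
  chkconfig "$_svc" off
done

# The original also stopped and disabled iptables and ip6tables here, which
# removes the host firewall in a script meant to harden the box.  That now
# needs an explicit "yes"; any other answer leaves the firewall as it is.
read -r -p "Stop and disable the host firewall (iptables/ip6tables)? [yes][no]:[no]" _fw_anw
if [[ $_fw_anw == "yes" ]]; then
  for _svc in ip6tables iptables; do
    service "$_svc" stop
    chkconfig "$_svc" off
  done
else
  echo "Host firewall (iptables/ip6tables) left unchanged."
fi

# Interactive review of every SysV service still enabled in some runlevel.
# chkconfig prints "name 0:off 1:off 2:on ..." per service, so the name is
# everything before the first whitespace.  (The original word-split those
# lines and prompted for each token that did not look like "<n>:<state>",
# then re-grepped chkconfig with an unanchored substring match to build the
# report; the matched line is recorded directly instead.)
mapfile -t _enabled_records < <(chkconfig --list | grep ":on")
for _service_record in "${_enabled_records[@]}"; do
  _svc="${_service_record%%[[:space:]]*}"
  [[ -n $_svc ]] || continue
  read -r -p "The service [$_svc] is running, do you want to stop[yes][no]:[no]" anw
  if [[ $anw == "yes" ]]; then
    # Stops the running instance only; its boot-time state is not changed.
    service "$_svc" stop
    sleep 3
    scount=$((scount + 1))
    printf '%s\n' "$_service_record" >>"$_srv_srep"
  else
    printf '%s\n' "$_service_record" >>"$_srv_rrep"
    rcount=$((rcount + 1))
  fi
done

echo ""
echo ""
{
  echo ".......Running service list..Total $rcount running records..............."
  cat "$_srv_rrep"
  # Original said "running records" here too; it is the stopped list.
  echo ".......Stopped service list..Total $scount stopped records..............."
  cat "$_srv_srep"
  echo "....................................end................................."
} >>"$_chklog"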
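#set auto logout time
echo "Now,I start to check auto logout function!"
# Empty when TMOUT is not set in this environment (the original ran
# $(echo $TMOUT), which is the same value with an extra fork).
_logout_time="${TMOUT:-}"

# Write "export TMOUT=<n>" to /etc/profile exactly once: update an existing
# line in place, otherwise append.  The original appended on every run, so
# repeated runs stacked duplicate and possibly conflicting lines.
# $1 has already been validated as a positive integer, so it is safe inside
# the sed replacement.
# NOTE(review): a user can simply 'unset TMOUT' unless it is also made
# readonly in the profile; this script does not do that.
_set_tmout_profile() {
  if grep -q '^export TMOUT=' /etc/profile; then
    sed -i "s/^export TMOUT=.*/export TMOUT=$1/" /etc/profile
  else
    echo "export TMOUT=$1" >>/etc/profile
  fi
}

# Same status lines to the console and the report.
_report_tmout() {
  {
    echo ""
    echo ".................auto logout time setting..........."
    echo "The default auto logout time is ${1}sec!"
    echo "It will go to effect in the next time!"
    echo "......................end..........................."
  } | tee -a "$_chklog"
}

if [[ -z $_logout_time ]]; then
  read -r -p "The auto logout function hasn't been set, enter an integer number of seconds [300]:" _time
  if [[ -z $_time ]]; then
    echo "The default auto logout time is 300sec!"
    _time=300
  elif [[ ! $_time =~ ^[1-9][0-9]*$ ]]; then
    # The original wrote whatever was typed straight into /etc/profile.
    echo "Not a positive integer: '$_time'; using the default of 300sec." >&2
    _time=300
  fi
  # Only affects this script's process; shells pick it up from /etc/profile.
  export TMOUT="$_time"
  _set_tmout_profile "$_time"
  _report_tmout "$_time"
else
  {
    echo ""
    echo ".................auto logout time has been setted..........."
    echo "The default auto logout time is ${_logout_time}sec!"
    echo "It will go to effect in the next time!"
    echo "...........................end.............................."
  } | tee -a "$_chklog"
fi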
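#check user effective
# Accounts whose shell is not /sbin/nologin.  No scratch file is needed:
# the original appended to ./usertmp, which accumulated stale entries across
# runs and was a predictable file in the current directory.
mapfile -t _login_users < <(grep -v "/sbin/nologin" /etc/passwd | awk -F ":" '{print $1}')
for _user in "${_login_users[@]}"; do
  anw=""
  # Never offer to lock out uid 0: 'usermod -s /sbin/nologin root' would
  # block console login for the account this script itself runs as.
  if [[ $(id -u "$_user" 2>/dev/null) == 0 ]]; then
    echo "Skipping [$_user] (uid 0): its shell is never changed by this script."
    continue
  fi
  read -r -p "If forbidden the user [$_user] [yes][no]:[no]" anw
  if [[ $anw == "yes" ]]; then
    usermod -s /sbin/nologin "$_user"
  fi
done
# Same listing to the console and the report.
{
  echo ""
  echo "...........................Effective User...................."
  grep -v "/sbin/nologin" /etc/passwd
  echo "...........................end..............................."
} | tee -a "$_chklog"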
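#reduce command line numbers
# bash reads HISTSIZE (and HISTFILESIZE for ~/.bash_history); "HISTORY",
# which the original exported, is not a variable bash honours, so the
# setting never took effect.  Written to /etc/profile once, not per run.
# NOTE(review): truncating history hampers incident forensics; the usual
# hardening advice is to keep history and protect it, not to shrink it.
export HISTSIZE=10
if ! grep -q '^export HISTSIZE=' /etc/profile; then
  echo "export HISTSIZE=10" >>/etc/profile
fi
{
  echo ""
  echo ".............history command lines is 10..........."
  echo ""
} >>"$_chklog"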
#set tty
#echo "">>$_chklog
#echo ".................active tty...................">>$_chklog
#sed -n '/tty/p' >>$_chklog
#echo "....................end.......................">>$_chklog
#sed -i '/tty3/d' /etc/securetty
#sed -i '/tty4/d' /etc/securetty
#sed -i '/tty5/d' /etc/securetty
#sed -i '/tty6/d' /etc/securetty
#sed -i '/tty7/d' /etc/securetty
#sed -i '/tty8/d' /etc/securetty
#sed -i '/tty9/d' /etc/securetty
#sed -i '/tty10/d' /etc/securetty
#sed -i '/tty11/d' /etc/securetty
#sed -i '/tty12/d' /etc/securetty
#sed -i '/tty13/d' /etc/securetty
#sed -i '/tty14/d' /etc/securetty
#sed -i '/tty15/d' /etc/securetty
#echo "">>$_chklog
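#check ports
# The original echoed the command text instead of running it, so nothing
# was listed.  Show TCP listeners and record them in the report.
{
  echo "...........................Listening ports..................."
  if command -v netstat >/dev/null 2>&1; then
    netstat -lanptu | grep LISTEN
  else
    ss -lnpt    # iproute2 replacement for netstat
  fi
  echo "...........................end..............................."
} | tee -a "$_chklog"
# Nothing is killed automatically: this is only a pause so the list can be
# reviewed (the original prompt read into an unused variable, same effect).
read -r -p "Review the listening ports above, then press Enter to continue." _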
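#initialize kernel
echo "........................kernel initial.........................."
# Append the tunables once; the marker comment stops the same block being
# stacked onto /etc/sysctl.conf on every run (the last value wins, but the
# file keeps growing).  Values are kept exactly as found.
# NOTE(review): these are mostly TCP throughput settings rather than
# hardening.  tcp_tw_recycle breaks clients behind NAT and was removed in
# Linux 4.12; it also requires tcp_timestamps, which is switched off two
# lines earlier, so the two lines cancel each other out.
if ! grep -q '^# securityCheck tunables' /etc/sysctl.conf; then
  cat >>/etc/sysctl.conf <<'EOF'
# securityCheck tunables
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 32768
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.ip_local_port_range = 1024 65535
EOF
fi
# Apply once and record the result; the original ran sysctl -p twice,
# once for the console and once for the log.
{
  echo "......................kernel initalization.........................."
  sysctl -p
  echo ".........................end........................................"
} | tee -a "$_chklog"
echo ""
echo "--------------------------------------------------------------------"
echo "____________________________________________________________________"
{
  echo "--------------------------------------------------------------------"
  echo "____________________________________________________________________"
} >>"$_chklog"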