#!/bin/bash
# Baseline hardening script for Linux hosts managed with SysV-era tooling
# (chkconfig, service, /etc/init.d, /etc/inittab). Every step below rewrites
# files under /etc, so it has to run as root.
# Any kernel other than Linux is not handled: exit quietly and successfully.
case "$(uname -s)" in
  *[Ll][Ii][Nn][Uu][Xx]*) ;;
  *) exit 0 ;;
esac
# Timestamp suffix shared by every "${CONF}.${TS}" backup copy taken below,
# so one run's backups can be told apart from another's.
TS="$(date +%Y%m%d-%H%M%S)"
###################### func_change_snmp_rcom ########################
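# Replace the stock SNMP v1/v2c read community on the "notConfigUser" com2sec
# line of /etc/snmp/snmpd.conf. The community is taken from $SNMP_RCOM when
# set; otherwise the value historically embedded in this script is used, so
# existing deployments behave exactly as before.
# NOTE(review): a community string is a shared secret and should not live in
# a script that is copied around — export SNMP_RCOM from a protected file and
# rotate the embedded value once the callers have moved.
# NOTE(review): the source stays "default" (any client address) as in the
# original; restricting it to the monitoring hosts is the stronger control.
# snmpd is not restarted here, and func_stop_unnecessary_services later stops
# snmpd entirely, so this setting only matters if that step is dropped.
# Globals: TS (read), SNMP_RCOM (read), CONF (written)
func_change_snmp_rcom()
{
  echo ""
  echo "Modify system default snmp read community ... "
  CONF=/etc/snmp/snmpd.conf
  local rcom="${SNMP_RCOM:-BJcudns123!}"
  # The value is spliced into a sed replacement: refuse delimiter/metachars
  # and whitespace rather than silently corrupting snmpd.conf.
  case "${rcom}" in
    *["|&\\"]*|*[[:space:]]*)
      echo "Modify system default snmp read community ... failed (SNMP_RCOM must not contain | & \\ or whitespace)." >&2
      return 1
      ;;
  esac
  if [ ! -f "${CONF}" ]
  then
    echo "Modify system default snmp read community ... skipped (${CONF} not found)." >&2
    echo ""
    return 0
  fi
  /bin/cp -f "${CONF}" "${CONF}.${TS}"
  sed -i "s|^com2sec notConfigUser.*$|com2sec notConfigUser default ${rcom} |" "${CONF}"
  echo "Modify system default snmp read community ... done."
  echo ""
}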
###################### func_close_all_xinet_svc ########################
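# Turn 'disable = no' into 'disable = yes' in every service file under
# /etc/xinetd.d, backing each changed file up first. xinetd is not reloaded
# here (func_stop_unnecessary_services stops it later anyway).
# Fixes vs. the original: 'cat $CONF | grep -w disable *' ignored stdin and
# searched every file in the directory, so a single enabled service caused
# all files to be rewritten; and when /etc/xinetd.d was missing the failed
# 'cd' left the loop editing whatever files were in the caller's cwd.
# Globals: TS (read)
func_close_all_xinet_svc()
{
  echo ""
  echo "Close all xinet services ... "
  local dir=/etc/xinetd.d
  local svc
  if [ ! -d "${dir}" ]
  then
    echo "Close all xinet services ... skipped (${dir} not found)." >&2
    echo ""
    return 0
  fi
  for svc in "${dir}"/*
  do
    [ -f "${svc}" ] || continue
    # xinetd ignores files whose name contains a dot, which is what our own
    # "<name>.<TS>" backups look like; skip them instead of re-editing them.
    case "${svc##*/}" in *.*) continue ;; esac
    if grep -w disable -- "${svc}" | grep -qw no
    then
      /bin/cp -f "${svc}" "${svc}.${TS}"
      sed -i "s|disable.*no.*$|disable = yes|" "${svc}"
    fi
  done
  echo "Close all xinet services ... done."
  echo ""
}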
################## func_disable_default_user ####################
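# Lock every system account except root: shell -> /sbin/nologin and password
# locked (usermod -L). "System" means a UID below UID_MIN from /etc/login.defs
# (500 on RHEL<=6, 1000 on RHEL7+), falling back to the original 500 when the
# file does not say.
# Fix vs. the original: 'egrep -v root' also excluded any account whose name
# merely contains "root"; the filter is now an exact name match.
# NOTE(review): service accounts below the boundary that need a real shell
# (database/application users created with low UIDs) will be broken —
# review the awk output before applying on a production host.
# Globals: TS (read), CONF (written)
func_disable_default_user()
{
  echo ""
  echo "Disable/delete RHEL6 default user account ... "
  CONF=/etc/passwd
  local uid_min user
  uid_min=$(awk '$1 == "UID_MIN" {print $2}' /etc/login.defs 2>/dev/null)
  case "${uid_min}" in ''|*[!0-9]*) uid_min=500 ;; esac
  /bin/cp -f "${CONF}" "${CONF}.${TS}"
  # usermod -L edits /etc/shadow; keep a copy of it too. cp without -p masks
  # the source mode with umask, so the copy is never more open than the original.
  [ -f /etc/shadow ] && /bin/cp -f /etc/shadow "/etc/shadow.${TS}"
  while IFS= read -r user
  do
    usermod -s /sbin/nologin "${user}"
    usermod -L "${user}"
  done < <(awk -F: -v min="${uid_min}" '($3 + 0) < (min + 0) && $1 != "root" {print $1}' "${CONF}")
  echo "Disable/delete RHEL6 default user account ... done."
  echo ""
}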
###################### func_disable_selinux ########################
# Set SELINUX=disabled in /etc/selinux/config after backing the file up.
# Only the config file is edited (no setenforce), so the running mode is
# unchanged until the next boot.
# NOTE(review): disabling SELinux removes mandatory access control; as a
# "hardening" item this lowers the security posture rather than raising it.
# Keeping enforcing (targeted) or at most permissive is the safer choice.
# Globals: TS (read), CONF (written)
func_disable_selinux()
{
  printf '\n%s\n' "Disable selinux ... "
  CONF=/etc/selinux/config
  /bin/cp -f "${CONF}" "${CONF}.${TS}"
  sed -i -e 's|^SELINUX=.*|SELINUX=disabled|' -- "${CONF}"
  printf '%s\n\n' "Disable selinux ... done."
}
###################### func_enable_pacct ########################
# Start BSD process accounting (psacct) and make it start in runlevel 3 via a
# hand-made rc3.d symlink (chkconfig is not used, so other runlevels are not
# covered and 'chkconfig --list' will not reflect it). Also adds a nightly
# logrotate entry to root's crontab if none mentions logrotate yet.
# NOTE(review): RHEL normally already runs logrotate from /etc/cron.daily;
# presumably this extra 01:10 run is meant to keep pacct files small —
# confirm it is still wanted. The trailing '&' in the cron command only
# backgrounds an already-backgrounded job and could be dropped.
# Globals: TS (read)
func_enable_pacct()
{
  echo ""
  echo "Enable pacct ... "
  local initscript=/etc/init.d/psacct
  local crontab=/var/spool/cron/root
  if [ ! -f "${initscript}" ]
  then
    echo "Enable pacct ... failed."
    sleep 3
    echo ""
    return
  fi
  "${initscript}" start
  ln -nfs "${initscript}" /etc/rc3.d/S90psacct
  # grep fails both when the crontab is missing and when no line matches.
  if ! grep -q logrotate "${crontab}" 2>/dev/null
  then
    echo '10 1 * * * /usr/sbin/logrotate /etc/logrotate.conf > /dev/null 2>&1 &' >> "${crontab}"
    service crond restart > /dev/null 2>&1
  fi
  echo "Enable pacct ... done."
  echo ""
}
###################### func_harden_fs ########################
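# Filesystem clean-up on every local filesystem listed in /etc/fstab: strip
# other-write from non-sticky directories and files, and give files with an
# unknown owner or group the root group (as the original intended).
# Fixes vs. the original: filenames were recovered by parsing 'ls -ld'
# output, which breaks on spaces; '-nouser -o -nogroup -print' bound -print
# to -nogroup only, so files with an unknown owner were never touched; and
# the third pass lacked -xdev, so it could cross into other mounts.
# NOTE(review): some applications rely on non-sticky world-writable
# directories; review the 'find ... -perm -0002 ! -perm -1000' hits before
# applying on a production host. A dangling owner UID is left in place by
# chgrp; review 'find / -xdev -nouser' output and chown as appropriate,
# since a reused UID would silently inherit those files.
func_harden_fs()
{
  echo ""
  echo "func_harden_fs system ... "
  local part parts
  # Mount points whose fstab fsck pass (field 6) is not 0, i.e. real local
  # filesystems; swap/proc/tmpfs lines normally carry 0 and are skipped.
  # -xdev keeps each find on that one filesystem.
  parts=$(grep -v '^#' /etc/fstab | awk '$6 != "0" {print $2}')
  echo " Check 777 directories ..."
  for part in ${parts}
  do
    # World-writable dirs without the sticky bit let any user delete or
    # rename other users' files there; sticky dirs (/tmp, /var/tmp) are kept.
    find "${part}" -xdev -type d -perm -0002 ! -perm -1000 -exec chmod o-w {} + 2>/dev/null
  done
  echo " Check anybody can write files ..."
  for part in ${parts}
  do
    find "${part}" -xdev -type f -perm -0002 ! -perm -1000 -exec chmod o-w {} + 2>/dev/null
  done
  echo " Check unowned files ..."
  for part in ${parts}
  do
    find "${part}" -xdev \( -nouser -o -nogroup \) -exec chgrp root {} + 2>/dev/null
  done
  echo "func_harden_fs system ... done."
  echo ""
}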
###################### func_hosts_allow ########################
#funchosts_allow()
#{
# echo ""
# echo "sec /etc/hosts.allow ... "
# CONF=/etc/hosts.allow
# /bin/cp -f ${CONF} ${CONF}.${TS}
# sed -i '/sshd:/d' $CONF
# echo "ALL:ALL:DENY" >> ${CONF}
# sed -i '/^ALL:ALL:DENY/i\sshd:202.106.195.58:ALLOW' ${CONF}
# sed -i '/^ALL:ALL:DENY/i\sshd:202.106.46.154:ALLOW' ${CONF}
# sed -i '/^ALL:ALL:DENY/i\sshd:202.106.46.155:ALLOW' ${CONF}
# sed -i '/^ALL:ALL:DENY/i\sshd:202.106.46.157:ALLOW' ${CONF}
#
# CONF=/etc/hosts.deny
# if [ -z "`cat $CONF | grep ALL:ALL:DENY`" ];then
# echo "ALL:ALL:DENY" >> $CONF
# fi
# echo "sec /etc/hosts.allow ... done "
#
#}
###################### func_prohibit_root_ftp ########################
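# vsftpd: disable anonymous access, turn off the user_list mechanism and put
# root into the ftpusers deny file.
# Fixes vs. the original: the '[ ! -z $(cat ... | grep ...) ]' tests were
# unquoted — with several matching lines '[' errored out, and with none the
# test was only accidentally false; vsftpd.conf was edited in place without
# a backup, unlike every other file this script touches.
# NOTE(review): 'userlist_enable=NO' switches vsftpd's own user_list denial
# off, so the root ban rests entirely on the ftpusers file. On RHEL the
# PAM-consulted file is usually /etc/vsftpd/ftpusers (see /etc/pam.d/vsftpd);
# /etc/vsftpd.ftpusers may never be read — verify the path on the target.
# vsftpd is not restarted here.
# Globals: TS (read), CONF (written)
func_prohibit_root_ftp()
{
  echo ""
  echo "Prohibit root¡¢anonymous ftp login ... "
  local conf
  for conf in /etc/vsftpd.conf /etc/vsftpd/vsftpd.conf
  do
    [ -f "${conf}" ] || continue
    /bin/cp -f "${conf}" "${conf}.${TS}"
    # Deliberately unanchored: a commented '#anonymous_enable=YES' becomes an
    # active 'anonymous_enable=NO'.
    if grep -q anonymous_enable "${conf}"
    then
      sed -i "s/.*anonymous_enable=.*/anonymous_enable=NO/" "${conf}"
    fi
    if grep -q '^userlist_enable=' "${conf}"
    then
      sed -i "s|^userlist_enable=.*|userlist_enable=NO|" "${conf}"
    fi
    if grep -q '^userlist_deny=' "${conf}"
    then
      sed -i "/^userlist_deny=.*/d" "${conf}"
    fi
  done
  CONF=/etc/vsftpd.ftpusers
  if [ -f "${CONF}" ]
  then
    if ! grep -qw root "${CONF}"
    then
      /bin/cp -f "${CONF}" "${CONF}.${TS}"
      echo "root" >> "${CONF}"
    fi
  else
    echo "root" >> "${CONF}"
  fi
  echo "Prohibit root¡¢anonymous ftp login ... done."
  echo ""
}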
###################### func_sec_file_attr ########################
# Baseline permissions on the account/service databases, append-only syslog,
# and a runtime-only rejection of source-routed IPv4 packets.
func_sec_file_attr()
{
  local iface_file
  chmod 644 /etc/passwd
  chmod 400 /etc/shadow
  chmod 644 /etc/group
  chmod 644 /etc/services
  chmod 600 /etc/xinetd.conf
  # NOTE(review): /etc/security is a directory; mode 600 clears its search
  # (x) bit, so non-root processes can no longer open limits.conf,
  # pam_env.conf or access.conf beneath it. Root is unaffected, but PAM
  # clients that run unprivileged (e.g. screen lockers) may start failing —
  # confirm before rollout; this is kept only because the baseline asks for it.
  chmod 600 /etc/security
  # Append-only: existing lines cannot be edited or truncated, but logrotate
  # cannot rename the file until the attribute is cleared, and root can clear
  # it with 'chattr -a' — a speed bump, not a control.
  chattr +a /var/log/messages
  # Written to /proc only, so it reverts at reboot; the persistent setting
  # belongs in /etc/sysctl.conf.
  for iface_file in /proc/sys/net/ipv4/conf/*/accept_source_route
  do
    echo 0 > "${iface_file}"
  done
}
###################### func_sec_gnome_screen_lock ########################
# Force the GNOME 2 screensaver lock policy through the mandatory gconf
# source (users cannot override mandatory keys): activate on idle, lock,
# blank screen, idle_delay 15 (presumably minutes, per gnome-screensaver —
# confirm). Only meaningful where gconftool-2 and a GNOME 2 desktop exist;
# a missing binary simply errors here and the script carries on.
func_sec_gnome_screen_lock()
{
  echo ""
  echo "sec gnome_screen_lock ... "
  local gconf=/usr/bin/gconftool-2
  local source=xml:readwrite:/etc/gconf/gconf.xml.mandatory
  local entry vtype key value
  # type:key:value triples, applied in the original order
  for entry in \
    'bool:/apps/gnome-screensaver/idle_activation_enabled:true' \
    'bool:/apps/gnome-screensaver/lock_enabled:true' \
    'string:/apps/gnome-screensaver/mode:blank-only' \
    'int:/apps/gnome-screensaver/idle_delay:15'
  do
    IFS=: read -r vtype key value <<<"${entry}"
    "${gconf}" --direct --config-source "${source}" --type "${vtype}" --set "${key}" "${value}"
  done
  echo "sec gnome_screen_lock ... done"
}
###################### func_sec_host_conf ########################
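# Write the resolver options this baseline wants into /etc/host.conf.
# Fix vs. the original: only lines that already held the target value were
# deleted, so e.g. an existing 'multi off' or 'order bind,hosts' survived and
# the file ended up with two conflicting directives. Now every
# order/multi/nospoof line is removed before the three wanted ones are added,
# which also makes repeated runs idempotent.
# NOTE(review): glibc's host.conf(5) lists 'order' and 'nospoof' as legacy
# keywords that are no longer honoured; lookup order comes from
# /etc/nsswitch.conf. Only 'multi on' is expected to have an effect — verify
# on the target.
# Globals: TS (read), CONF (written)
func_sec_host_conf()
{
  CONF=/etc/host.conf
  [ -f "${CONF}" ] && /bin/cp -f "${CONF}" "${CONF}.${TS}"
  touch "${CONF}"
  sed -i -e '/^order/d' -e '/^multi/d' -e '/^nospoof/d' "${CONF}"
  echo "order hosts,bind" >> "${CONF}"
  echo "multi on" >> "${CONF}"
  echo "nospoof on" >> "${CONF}"
}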
###################### func_sec_inittab ########################
# SysV /etc/inittab: default runlevel 5 (graphical) -> 3, and replace the
# ctrlaltdel shutdown action with a no-op.
# NOTE(review): on RHEL6 (upstart) the runlevel line in /etc/inittab is still
# honoured but Ctrl-Alt-Del lives in /etc/init/control-alt-delete.conf; on
# systemd hosts /etc/inittab is ignored altogether (systemctl set-default /
# systemctl mask ctrl-alt-del.target instead). func_stop_x_login repeats the
# runlevel edit done here.
# Globals: TS (read), CONF (written)
func_sec_inittab()
{
  local inittab=/etc/inittab
  CONF="${inittab}"
  printf '\n%s\n' "Stop X_windows login ... "
  /bin/cp -f "${inittab}" "${inittab}.${TS}"
  sed -i -e 's|^id:5:initdefault.*$|id:3:initdefault:|' "${inittab}"
  printf '%s\n' "Stop X_windows login ... done." "disable ctrl+alt+del "
  sed -i -e 's|.*:ctrlaltdel.*shutdown.*|ca::ctrlaltdel:/bin/true|' "${inittab}"
  printf '%s\n\n' "disable ctrl+alt+del ... done "
}
###################### func_sec_limit_conf ########################
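# Insert "$1" as a limits.conf line just above the "# End of file" marker,
# or append it when the marker is absent (the original then added nothing).
# Globals: CONF (read)
_limits_add()
{
  if grep -q 'End of file' "${CONF}"
  then
    sed -i "/.*End of file.*/i\\$1" "${CONF}"
  else
    echo "$1" >> "${CONF}"
  fi
}
# Process, open-file, login and core-dump limits in /etc/security/limits.conf.
# Each group is added only when no active line for it exists yet.
# Fix vs. the original: the checks used 'grep sort' (a typo for soft), which
# never matched, so the nproc/nofile/core groups were re-inserted on every run.
# NOTE(review): RHEL6 ships /etc/security/limits.d/90-nproc.conf, read after
# this file, whose '* soft nproc 1024' would override the value set here —
# verify on the target.
# NOTE(review): the maxlogins entries name two site-specific accounts
# (ganyi, huangyan); kept as shipped, but they belong in site configuration.
# Globals: TS (read), CONF (written)
func_sec_limit_conf()
{
  echo ""
  echo "sec limit.conf ... "
  CONF=/etc/security/limits.conf
  /bin/cp -f "${CONF}" "${CONF}.${TS}"
  if ! grep -v '^#' "${CONF}" | grep soft | grep -q nproc
  then
    _limits_add '* soft nproc 4096'
    _limits_add '* hard nproc 4096'
  fi
  if ! grep -v '^#' "${CONF}" | grep soft | grep -q nofile
  then
    _limits_add '* soft nofile 65535'
    _limits_add '* hard nofile 65535'
  fi
  if ! grep -v '^#' "${CONF}" | grep -q maxlogins
  then
    _limits_add 'ganyi hard maxlogins 2'
    _limits_add 'huangyan hard maxlogins 5'
  fi
  if ! grep -v '^#' "${CONF}" | grep soft | grep -q core
  then
    _limits_add '* soft core 0'
    _limits_add '* hard core 0'
  fi
  echo "sec limit.conf ... done"
  echo ""
}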
###################### func_sec_pam_auth ########################
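# Failed-login lockout (pam_tally2) and password policy (pam_cracklib +
# pam_unix) in /etc/pam.d/system-auth.
# Fixes vs. the original: 'no_magic_root' is a pam_tally(1) option, not a
# documented pam_tally2 one — pam_tally2 logs it as unknown; it is dropped
# (pam_tally2 counts root by default, so the intent is preserved). The
# account-phase pam_tally2 line was missing, so the failure counter was only
# ever bumped and never reset on success: 'deny' successful logins in a row
# also locked the user. The auth line is now placed at the head of the stack
# (after pam_env) instead of after pam_deny.
# NOTE(review): on RHEL system-auth is normally a symlink to system-auth-ac
# that authconfig regenerates; 'sed -i' replaces the symlink with a plain
# file, so later authconfig runs no longer touch this stack — confirm that
# is acceptable. Any non-pam_unix 'password' modules (sssd/ldap) are removed
# by the rebuild below and would need re-adding.
# Globals: TS (read), CONF (written)
func_sec_pam_auth()
{
  echo ""
  echo "sec /etc/pam.d/system-auth ... "
  CONF=/etc/pam.d/system-auth
  /bin/cp -f "${CONF}" "${CONF}.${TS}"
  # 5 consecutive failures lock the account for 60 s.
  local tally_auth="auth required pam_tally2.so deny=5 onerr=fail unlock_time=60"
  if ! grep '^auth' "${CONF}" | grep -q pam_tally2
  then
    sed -i '/auth required pam_tally/d' "${CONF}"
    # Locked accounts should be rejected before pam_unix prompts; pam_env
    # leads the RHEL layout, so insert right after it, else append as before.
    if grep -q '^auth[[:space:]]*required[[:space:]]*pam_env.so' "${CONF}"
    then
      sed -i "/^auth[[:space:]]*required[[:space:]]*pam_env.so/a\\${tally_auth}" "${CONF}"
    else
      echo "${tally_auth}" >> "${CONF}"
    fi
  fi
  if ! grep '^account' "${CONF}" | grep -q pam_tally2
  then
    echo "account required pam_tally2.so" >> "${CONF}"
  fi
  # Rebuild the password stack: complexity, then hashing, then deny.
  # NOTE(review): 'nullok' lets accounts with an empty password change it;
  # the auth stack's own nullok (distro default) is not touched here.
  sed -i '/^password.*/d' "${CONF}"
  echo "" >> "${CONF}"
  echo "password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=8" >> "${CONF}"
  if uname -r | grep -q 2.6.18
  then
    # 2.6.18 kernel = RHEL5 era: md5 hashes, use_first_pass.
    echo "password sufficient pam_unix.so md5 shadow nullok use_first_pass use_authtok" >> "${CONF}"
  else
    echo "password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok" >> "${CONF}"
  fi
  echo "password required pam_deny.so" >> "${CONF}"
  echo "sec /etc/pam.d/system-auth ... done"
}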
###################### func_sec_pam_su ########################
# Make 'auth sufficient pam_rootok.so' the first entry of /etc/pam.d/su so
# root can su without a password. Any existing sufficient pam_rootok line is
# removed first when the auth stack already carries pam_wheel or pam_rootok.
# NOTE(review): the pam_wheel lines are intentionally left commented out, so
# this baseline does NOT restrict su to the wheel group; 'auth required
# pam_wheel.so use_uid' is the usual control. If the '#%PAM-1.0' header is
# absent nothing is inserted.
# Globals: TS (read), CONF (written)
func_sec_pam_su()
{
  echo ""
  echo "sec /etc/pam.d/su ... "
  CONF=/etc/pam.d/su
  /bin/cp -f "${CONF}" "${CONF}.${TS}"
  if grep '^auth' "${CONF}" | grep -q -e 'pam_wheel.so' -e 'pam_rootok.so'
  then
    sed -i '/.*sufficient.*pam_rootok.so.*/d' "${CONF}"
  fi
  # sed -i '/.*pam_wheel.so.*/d' ${CONF}
  # sed -i '/.*PAM-1.0$/a\auth required pam_wheel.so group=wheel' ${CONF}
  sed -i '/.*PAM-1.0$/a\auth sufficient pam_rootok.so' "${CONF}"
  echo "sec /etc/pam.d/su ... done"
}
###################### func_sec_sysctl_conf ########################
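# Network sysctls in /etc/sysctl.conf: no forwarding, no ICMP redirects in or
# out, no source routing, ignore broadcast pings; then 'sysctl -p' to apply.
# Fixes vs. the original: only the 'conf.default.*' keys were set, which
# govern interfaces created later — the matching 'conf.all.*' keys make the
# setting take effect on interfaces that already exist when sysctl -p runs.
# accept_source_route is persisted here too (func_sec_file_attr only writes
# it to /proc, so it was lost at reboot).
# NOTE(review): ip_forward=0 breaks hosts that route or run container/VM NAT
# (docker, libvirt); skip that key on such hosts.
# Globals: TS (read), CONF (written)
func_sec_sysctl_conf()
{
  echo ""
  echo "sec /etc/sysctl.conf ... "
  CONF=/etc/sysctl.conf
  /bin/cp -f "${CONF}" "${CONF}.${TS}"
  local kv key
  local settings="
net.ipv4.ip_forward=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
"
  for kv in ${settings}
  do
    key=${kv%%=*}
    # Drop any earlier definition (active or commented) so the appended value
    # is the only one and repeated runs do not stack duplicates. The dots in
    # the key match any character here, which is harmless for these names.
    sed -i "/^[[:space:]#]*${key}[[:space:]]*=/d" "${CONF}"
    echo "${kv}" >> "${CONF}"
  done
  # Kept from the original: limits.conf-style lines never belong here, so
  # these are normally no-ops.
  sed -i '/.*soft.*core.*/d' "${CONF}"
  sed -i '/.*hard.*core.*/d' "${CONF}"
  /sbin/sysctl -p
  echo "sec /etc/sysctl.conf ... done"
}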
################## func_set_default_profile ####################
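# Set NAME=VALUE in $CONF: rewrite an active 'NAME=' or 'export NAME=' line in
# place, else append one. Comment lines are ignored.
# Globals: CONF (read)
_profile_set()
{
  local name="$1" value="$2"
  local pat="^\\(export \\)\\{0,1\\}${name}="
  if grep -v '^#' "${CONF}" | grep -q "${pat}"
  then
    sed -i "s|${pat}.*$|${name}=${value}|" "${CONF}"
  else
    echo "${name}=${value}" >> "${CONF}"
  fi
}
# Login-shell defaults in /etc/profile: umask, LANG, TERM, EDITOR, history
# size, idle timeout and a uid-aware PS1. Each setting is rewritten when
# present and appended otherwise, so repeated runs converge.
# Fixes vs. the original: the HISTFILESIZE/HISTSIZE checks tested
# [ -z "$(... | wc -l)" ], which is never true because wc always prints a
# number, so those variables were never added when absent; the EDITOR check
# matched 'EDITOR=' anywhere but only rewrote lines starting with it.
# NOTE(review): HISTSIZE=5 keeps almost no command history, which hampers
# incident reconstruction far more than it protects anything — a larger
# value plus HISTTIMEFORMAT is the usual recommendation. Kept as specified.
# NOTE(review): TMOUT is exported but not 'readonly', so a user can unset it.
# Globals: TS (read), CONF (written)
func_set_default_profile()
{
  echo ""
  echo "Set default user profile ... "
  CONF=/etc/profile
  /bin/cp -f "${CONF}" "${CONF}.${TS}"
  # umask 027: group read, nothing for others, for interactive logins.
  if grep -v '^#' "${CONF}" | grep -qi '^umask'
  then
    sed -i "s|^umask.*$|umask 027|" "${CONF}"
  else
    echo "umask 027" >> "${CONF}"
  fi
  _profile_set LANG C
  _profile_set TERM vt100
  _profile_set EDITOR vi
  _profile_set HISTFILESIZE 5
  _profile_set HISTSIZE 5
  # Presumably removes the stock 'ulimit -S -c 0' line, since core limits are
  # handled in limits.conf by func_sec_limit_conf — confirm.
  if grep -v '^#' "${CONF}" | grep ulimit | grep -q S
  then
    sed -i "/^ulimit.*$/d" "${CONF}"
  fi
  # Idle timeout 180 s: every prior TMOUT line (including the export line
  # added below) is removed first, so the export is not duplicated on rerun.
  sed -i "/TMOUT/d" "${CONF}"
  echo "TMOUT=180" >> "${CONF}"
  echo "export TMOUT TERM LANG EDITOR" >> "${CONF}"
  # Prompt: "root@host# " for uid 0, "user@host$ " otherwise.
  if ! grep -v '^#' "${CONF}" | grep -q 'PS1='
  then
    cat >> "${CONF}" <<'EOF'
if [ "`id|grep uid=0 | wc -l`" -eq 1 ]
then
 PS1="root@`hostname|awk -F. '{print $1}'`# "
else
 PS1="`id|awk -F\( '{print $2}'|awk -F\) '{print $1}'`@`hostname|awk -F. '{print $1}'`$ "
fi
EOF
  fi
  echo "Set default user profile ... done."
  echo ""
}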
###################### func_set_issue ########################
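# Pre-login banner: write a fixed /etc/issue (no OS/kernel details — the
# stock file typically prints \r \m) and mirror it to /etc/issue.net, and
# have rc.local re-apply both at every boot.
# Fixes vs. the original: the immediate copy ran '/bin//bin/cp', a path that
# does not exist, so issue.net was only refreshed by rc.local at the next
# boot; the rc.local lines were appended unconditionally and stacked up on
# every run; a stray 'echo "" >> /etc/issue' before the truncating '>' did
# nothing.
# NOTE(review): "Security system" carries no legal notice; auditors usually
# expect an "authorized use only" warning like the /etc/motd text. sshd here
# shows /etc/ssh_banner (func_set_sshd_config), not issue.net.
# Globals: TS (read), CONF (written)
func_set_issue()
{
  echo ""
  echo "Set /etc/issue ... "
  CONF=/etc/rc.d/rc.local
  /bin/cp -f "${CONF}" "${CONF}.${TS}"
  if ! grep -q 'Security system' "${CONF}"
  then
    echo "echo \"Security system\" > /etc/issue" >> "${CONF}"
    echo "echo \"\" >> /etc/issue" >> "${CONF}"
    echo "/bin/cp -f /etc/issue /etc/issue.net" >> "${CONF}"
  fi
  echo "Security system" > /etc/issue
  echo "" >> /etc/issue
  /bin/cp -f /etc/issue /etc/issue.net
  echo "Set /etc/issue ... done."
  echo ""
}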
###################### func_set_login_defs ########################
# Password-ageing and id-range defaults in /etc/login.defs. Each existing
# "KEY <digits>" line is rewritten in place; keys that are missing or
# commented out are left alone, exactly as before.
# NOTE(review): these values apply only to accounts created afterwards;
# existing users need 'chage -M 90 -m 10 -W 7 <user>'. PASS_MIN_LEN is
# presumably ignored where PAM (pam_cracklib minlen, func_sec_pam_auth)
# manages password quality — confirm. UID_MAX/GID_MAX 2000 caps useradd at
# 2000 ids, which looks deliberate for this site but is unusual.
# Globals: TS (read), CONF (written)
func_set_login_defs()
{
  echo ""
  echo "Modify login.defs ... "
  CONF=/etc/login.defs
  /bin/cp -f "${CONF}" "${CONF}.${TS}"
  local key value
  while read -r key value
  do
    sed -i "s|^${key}.*[0-9]$|${key} ${value}|" "${CONF}"
  done <<EOF
PASS_MAX_DAYS 90
PASS_MIN_DAYS 10
PASS_MIN_LEN 8
PASS_WARN_AGE 7
UID_MAX 2000
GID_MAX 2000
EOF
  echo "Modify login.defs ... done."
  echo ""
}
###################### func_set_motd ########################
# Replace /etc/motd with the site's authorized-use notice (backup kept).
# motd is shown after authentication, so it is not a pre-login legal
# warning; /etc/issue and the sshd Banner cover that.
# Globals: TS (read), CONF (written)
func_set_motd()
{
  echo ""
  echo "Set /etc/motd ... "
  CONF=/etc/motd
  /bin/cp -f "${CONF}" "${CONF}.${TS}"
  cat > "${CONF}" <<'EOF'

#############################################################
 This area is restricted to authorized users only. 
 Unauthorized access is prohibited, 
 If you are not authorized,Please logout! 
#############################################################

EOF
  echo "Set /etc/motd ... done."
  echo ""
}
###################### func_set_securetty ########################
# Limit root's local console logins: drop vc/2..vc/19 and tty3..tty19 from
# /etc/securetty in one sed pass (patterns unanchored, as before). Whatever
# else the file lists (console, serial ttyS*, tty1/tty2, vc/1) is untouched.
# Only pam_securetty-protected logins (local getty) are affected, not ssh.
# Globals: TS (read), CONF (written)
func_set_securetty()
{
  echo ""
  echo "Secure /etc/securetty ... "
  CONF=/etc/securetty
  /bin/cp -f "${CONF}" "${CONF}.${TS}"
  sed -i \
    -e '/vc\/[2-9]/d' \
    -e '/vc\/1[0-9]/d' \
    -e '/tty[3-9]/d' \
    -e '/tty1[0-9]/d' \
    "${CONF}"
  echo "Secure /etc/securetty ... done."
  echo ""
}
###################### func_set_sshd_config ########################
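# Set "Key Value" in $CONF (sshd_config): rewrite an active line, else
# replace the commented default, else append (the original never appended,
# so a key absent from the file stayed at sshd's built-in default).
# Globals: CONF (read)
_sshd_set()
{
  local key="$1" value="$2"
  if grep -q "^${key}" "${CONF}"
  then
    sed -i "s|^${key}.*|${key} ${value}|" "${CONF}"
  elif grep -q "^#${key}" "${CONF}"
  then
    sed -i "s|^#${key}.*|${key} ${value}|" "${CONF}"
  else
    echo "${key} ${value}" >> "${CONF}"
  fi
}
# sshd: protocol 2 only, no root login, auth/session limits, login banner;
# validate with 'sshd -t' and only then restart.
# Fixes vs. the original: 'service sshd restart' ran unconditionally — a
# rejected option (e.g. MaxSessions on an OpenSSH too old to know it) stops
# sshd and never starts it again, locking the host out; the Banner sed only
# matched '#Banner none', so an existing Banner line was never updated.
# NOTE(review): PermitRootLogin no — make sure a non-root account with
# working su/sudo exists before applying this over ssh.
# Globals: TS (read), CONF (written)
func_set_sshd_config()
{
  echo ""
  echo "Set sshd_config ... "
  CONF=/etc/ssh/sshd_config
  /bin/cp -f "${CONF}" "${CONF}.${TS}"
  _sshd_set Protocol 2
  _sshd_set PermitRootLogin no
  _sshd_set MaxAuthTries 6
  _sshd_set MaxSessions 8
  touch /etc/ssh_banner
  chown root:root /etc/ssh_banner
  chmod 644 /etc/ssh_banner
  echo "Authorized only. All activity will be monitored and reported" > /etc/ssh_banner
  _sshd_set Banner /etc/ssh_banner
  if /usr/sbin/sshd -t
  then
    /sbin/service sshd restart
  else
    # Keep the on-disk config consistent with the still-running daemon.
    echo "Set sshd_config ... invalid configuration, restoring ${CONF}.${TS} and leaving sshd untouched." >&2
    /bin/cp -f "${CONF}.${TS}" "${CONF}"
  fi
  echo "Set sshd_config ... done."
  echo ""
}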
############# func_stop_unnecessary_services ################
# Disable at boot (chkconfig off) and stop now (service stop) each service
# in the list, in the original order. Missing services just produce errors
# from chkconfig/service and are otherwise ignored.
# NOTE(review): the list also switches off auditd (the kernel audit trail),
# iptables and ip6tables (the host firewall — IPv6 then stays unfiltered),
# and snmpd, which func_change_snmp_rcom just configured. Turning those off
# weakens rather than hardens the host; confirm they are really unwanted.
# Stopping NetworkManager can drop connectivity on NM-managed hosts, and
# atd/irqbalance/cpuspeed are operational rather than security choices.
func_stop_unnecessary_services()
{
  echo ""
  echo "Stop unnecessary services ... "
  local svc
  for svc in \
    acpid auditd autofs avahi-daemon avahi-dnsconfd bluetooth cups firstboot \
    gpm hidd ip6tables isdn mcstrans netfs nfslock pcscd portmap restorecond \
    rhnsd rpcgssd rpcidmapd sendmail xfs xinetd yum-updatesd hplip dnsmasq \
    tog-pegasus ricci modclusterd iptables postfix rpcbind portreserve hpsmhd \
    snmpd cmapeerd atd irqbalance wpa_supplicant abrtd abrt-ccpp abrt-oops \
    NetworkManager certmonger libvirtd ksmtuned cpuspeed
  do
    chkconfig "${svc}" off
    service "${svc}" stop
  done
  # qpidd came last in the original, stop before off.
  service qpidd stop
  chkconfig qpidd off
  echo "Stop unnecessary services ... done."
  echo ""
}
###################### func_stop_x_login ########################
# Default runlevel 5 -> 3 in /etc/inittab (backup kept). This repeats the
# first half of func_sec_inittab, which main already runs; SysV/upstart
# only — systemd ignores /etc/inittab.
# Globals: TS (read), CONF (written)
func_stop_x_login()
{
  local inittab=/etc/inittab
  CONF="${inittab}"
  printf '\n%s\n' "Stop X_windows login ... "
  /bin/cp -f "${inittab}" "${inittab}.${TS}"
  sed -i -e 's|^id:5:initdefault.*$|id:3:initdefault:|' "${inittab}"
  printf '%s\n\n' "Stop X_windows login ... done."
}
########################### main ###########################
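# Entry point: run every hardening step in order. Everything above writes
# under /etc or drives service tooling, so refuse to start as non-root
# instead of failing half-way through with a partially applied baseline.
if [ "$(id -u)" -ne 0 ]
then
  echo "This script must be run as root." >&2
  exit 1
fi
func_change_snmp_rcom
func_close_all_xinet_svc
func_disable_default_user
func_disable_selinux
# The original called func_enable_pacct twice in a row; the second call only
# repeated 'psacct start' and the idempotent crontab check.
func_enable_pacct
func_harden_fs
#func_hosts_allow
func_prohibit_root_ftp
func_sec_file_attr
func_sec_gnome_screen_lock
func_sec_host_conf
func_sec_inittab
func_sec_limit_conf
func_sec_pam_auth
func_sec_pam_su
func_sec_sysctl_conf
func_set_default_profile
func_set_issue
func_set_login_defs
func_set_motd
func_set_securetty
func_set_sshd_config
# NOTE(review): this step stops snmpd (configured above), auditd and
# iptables/ip6tables — see the note on func_stop_unnecessary_services.
func_stop_unnecessary_services
# Repeats the initdefault edit already made by func_sec_inittab.
func_stop_x_login
# 'chattr +a /var/log/messages' is already done by func_sec_file_attr; the
# duplicate trailing call was dropped.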
这是一个面向 RHEL/CentOS 5、6 系列的自动化安全基线脚本：它依赖 chkconfig、service、/etc/init.d、/etc/inittab 等 SysV 工具，并以 UID<500 判定默认系统账号；在 CentOS 7.3 等 systemd 系统上，/etc/inittab 的修改不会生效，其余步骤也需逐项核对。脚本内容包括：修改 SNMP 默认只读团体字、关闭所有 xinetd 服务、锁定默认系统账号、禁用 SELinux、启用 pacct 进程记账、文件系统权限加固、限制 root/匿名 FTP 登录、设置 PAM/sysctl/sshd 等系统安全参数、停止不必要的服务等。需要注意，其中"禁用 SELinux"以及停止 auditd、iptables/ip6tables 的步骤会削弱而非增强系统安全，执行前应逐项评估并保留备份。



