linux系统安全shell脚本第二版
时间:2023-06-02 16:16:41 来源: 人气:
使用方法将其复制,保存为一个shell文件,比如security.sh.将其上传到linux服务器上,执行sh security.sh,就可以使用该脚本了!, 代码如下:, #!/bin/sh, # desc: setup linux system security, # author:coralzd, # powered by www.freebsdsystem.org, # version 0.1.2 written by 2011.05.03, #account setup, passwd -l xfs, passwd -l news, passwd -l nscd, passwd -l dbus, passwd -l vcsa, passwd -l games, passwd -l nobody, passwd -l avahi, passwd -l haldaemon, passwd -l gopher, passwd -l ftp, passwd -l mailnull, passwd -l pcap, passwd -l mail, passwd -l shutdown, passwd -l halt, passwd -l uucp, passwd -l operator, passwd -l sync, passwd -l adm, passwd -l lp, # chattr /etc/passwd /etc/shadow, chattr +i /etc/passwd, chattr +i /etc/shadow, chattr +i /etc/group, chattr +i /etc/gshadow, # add continue input failure 3 ,passwd unlock time 5 minite, sed -i s#auth required pam_env.so#auth required pam_env.sonauth required pam_tally.so onerr=fail deny=3 unlock_time=300nauth required /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300# /etc/pam.d/system-auth, # system timeout 5 minite auto logout, echo "TMOUT=300" >>/etc/profile, # will system save history command list to 10, sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile, # enable /etc/profile go!, source /etc/profile, # add syncookie enable /etc/sysctl.conf, echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf, sysctl -p # exec sysctl.conf enable, # optimizer sshd_config, sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config, sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config, # limit chmod important commands, chmod 700 /bin/ping, chmod 700 /usr/bin/finger, chmod 700 /usr/bin/who, chmod 700 /usr/bin/w, chmod 700 /usr/bin/locate, chmod 700 /usr/bin/whereis, chmod 700 /sbin/ifconfig, chmod 700 /usr/bin/pico, chmod 700 /bin/vi, chmod 700 /usr/bin/which, chmod 700 /usr/bin/gcc, chmod 700 /usr/bin/make, chmod 700 /bin/rpm, # history security, chattr +a /root/.bash_history, chattr +i /root/.bash_history, # write important command md5, cat > list << "EOF" &&, /bin/ping, /bin/finger, /usr/bin/who, /usr/bin/w, /usr/bin/locate, /usr/bin/whereis, /sbin/ifconfig, /bin/pico, /bin/vi, /usr/bin/vim, /usr/bin/which, /usr/bin/gcc, /usr/bin/make, /bin/rpm, EOF, for i in `cat list`, do, if [ ! -x $i ];then, echo "$i not found,no md5sum!", else, md5sum $i >> /var/log/`hostname`.log, fi, done, rm -f list,
