linux基本安全配置设置脚本
依据linux基本安全配置手册
方便设置一些基本的linux安全设置#vi autosafe.sh[*]#!/bin/bash[*]#########################################################################[*]#[*]# File: autosafe.sh[*]# Description:[*]# Language: GNU Bourne-Again SHell[*]# Version: 1.1[*]# Date: 2010-6-23[*]# Corp.: c1gstudio.com[*]# Author: c1g[*]# WWW: http://blog.c1gstudio.com[*]### END INIT INFO[*]###############################################################################[*][*]V_DELUSER="adm lp sync shutdown halt mail news uucp operator games gopher ftp"[*]V_DELGROUP="adm lp mail news uucp games gopher mailnull floppy dip pppusers popusers slipusers daemon"[*]V_PASSMINLEN=8[*]V_HISTSIZE=30[*]V_TMOUT=300[*]V_GROUPNAME=suadmin[*]V_SERVICE="acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd"[*]V_TTY="3|4|5|6"[*]V_SUID=([*]'/usr/bin/chage'[*]'/usr/bin/gpasswd'[*]'/usr/bin/wall'[*]'/usr/bin/chfn'[*]'/usr/bin/chsh'[*]'/usr/bin/newgrp'[*]'/usr/bin/write'[*]'/usr/sbin/usernetctl'[*]'/bin/traceroute'[*]'/bin/mount'[*]'/bin/umount'[*]'/sbin/netreport'[*])[*]version=1.0[*][*][*]# we need root to run[*]if test "`id -u`" -ne 0[*]then[*]echo "You need to start as root!"[*]exit[*]fi[*][*]case $1 in[*]"deluser")[*]echo "delete user ..."[*]for i in $V_DELUSER ;do[*]echo "deleting $i";[*]userdel $i ;[*]done[*];;[*][*]"delgroup")[*]echo "delete group ..."[*]for i in $V_DELGROUP ;do[*]echo "deleting $i";[*]groupdel $i;[*]done[*];;[*][*]"password")[*]echo "change password limit ..."[*]echo "/etc/login.defs"[*]echo "PASS_MIN_LEN $V_PASSMINLEN"[*]sed -i "/^PASS_MIN_LEN/s/5/$V_PASSMINLEN/" /etc/login.defs[*];;[*][*]"history")[*]echo "change history limit ..."[*]echo "/etc/profile"[*]echo "HISTSIZE $V_HISTSIZE"[*]sed -i "/^HISTSIZE/s/1000/$V_HISTSIZE/" /etc/profile[*];;[*][*]"logintimeout")[*]echo "change login timeout ..."[*]echo "/etc/profile"[*]echo "TMOUT=$V_TMOUT"[*]sed -i "/^HISTSIZE/a\TMOUT=$V_TMOUT" /etc/profile[*];;[*][*]"bashhistory")[*]echo "denied bashhistory ..."[*]echo "/etc/skel/.bash_logout"[*]echo 'rm -f $HOME/.bash_history'[*]if egrep "bash_history" /etc/skel/.bash_logout > /dev/null[*]then[*]echo 'warning:existed'[*]else[*]echo 'rm -f $HOME/.bash_history' >> /etc/skel/.bash_logout[*]fi[*][*];;[*]"addgroup")[*]echo "groupadd $V_GROUPNAME ..."[*]groupadd $V_GROUPNAME[*];;[*][*]"sugroup")[*]echo "permit $V_GROUPNAME use su ..."[*]echo "/etc/pam.d/su"[*]echo "auth sufficient /lib/security/pam_rootok.so debug"[*]echo "auth required /lib/security/pam_wheel.so group=$V_GROUPNAME"[*]if egrep "auth sufficient /lib/security/pam_rootok.so debug" /etc/pam.d/su > /dev/null[*]then[*]echo 'warning:existed'[*]else[*]echo 'auth sufficient /lib/security/pam_rootok.so debug' >> /etc/pam.d/su[*]echo "'auth required /lib/security/pam_wheel.so group=${V_GROUPNAME}" >> /etc/pam.d/su[*]fi[*];;[*][*]"denyrootssh")[*]echo "denied root login ..."[*]echo "/etc/ssh/sshd_config"[*]echo "PermitRootLogin no"[*]sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config[*];;[*][*]"stopservice")[*]echo "stop services ..."[*]for i in $V_SERVICE ;do[*]service $i stop;[*]done[*];;[*][*]"closeservice")[*]echo "close services autostart ..."[*]for i in $V_SERVICE ;do[*]chkconfig $i off;[*]done[*];;[*][*]"tty")[*]echo "close tty ..."[*]echo "/etc/inittab"[*]echo "#3:2345:respawn:/sbin/mingetty tty3"[*]echo "#4:2345:respawn:/sbin/mingetty tty4"[*]echo "#5:2345:respawn:/sbin/mingetty tty5"[*]echo "#6:2345:respawn:/sbin/mingetty tty6"[*]sed -i '/^[$V_TTY]:2345/s/^/#/' /etc/inittab[*];;[*][*]"ctrlaltdel")[*]echo "close ctrl+alt+del..."[*]echo "/etc/inittab"[*]echo "#ca::ctrlaltdel:/sbin/shutdown -t3 -r now"[*]sed -i '/^ca::/s/^/#/' /etc/inittab[*];;[*][*]"lockfile")[*]echo "lock user&services ..."[*]echo "chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services"[*]chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services[*];;[*][*]"unlockfile")[*]echo "unlock user&services ..."[*]echo "chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services"[*]chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services[*];;[*][*]"chmodinit")[*]echo "init script only for root ..."[*]echo "chmod -R 700 /etc/init.d/*"[*]echo "chmod 600 /etc/grub.conf"[*]echo "chattr +i /etc/grub.conf"[*]chmod -R 700 /etc/init.d/*[*]chmod 600 /etc/grub.conf[*]chattr +i /etc/grub.conf[*];;[*][*]"chmodcommand")[*]echo "remove SUID ..."[*]echo "/usr/bin/chage /usr/bin/gpasswd ..."[*]for i in ${V_SUID[@]};[*]do[*]chmod a-s $i[*]done[*];;[*][*] "version")[*] echo "Version: Autosafe for Linux $version"[*] ;;[*][*]*)[*]echo "Usage: $0 <action>"[*]echo ""[*]echo " deluser delete user"[*]echo " delgroup delete group"[*]echo " password change password limit"[*]echo " history change history limit"[*]echo " logintimeout change login timeout"[*]echo " bashhistory denied bashhistory"[*]echo " addgroup groupadd $V_GROUPNAME"[*]echo " sugroup permit $V_GROUPNAME use su"[*]echo " denyrootssh denied root login"[*]echo " stopservice stop services "[*]echo " closeservice close services"[*]echo " tty close tty"[*]echo " ctrlaltdel close ctrl+alt+del "[*]echo " lockfile lock user&services"[*]echo " unlockfile unlock user&services"[*]echo " chmodinit init script only for root"[*]echo " chmodcommand remove SUID"[*]echo " version "[*]echo ""[*][*];;[*]esac
设置权限[*]chmod u+x ./autosafe.sh
运行脚本[*]./autosafe.sh deluser[*]./autosafe.sh delgroup[*].....
猛击下载脚本
autosafe.sh其它参考
linux基本安全配置手册
iptables 默认安全规则脚本http://blog.c1gstudio.com/archives/1008
顶一下,不错不错....
页:
[1]