

Linux主机安全配置的几个脚本(转)

原创 Linux操作系统 作者:wdnmg 时间:2011-03-16 11:35:24 0 删除 编辑
 

vim /etc/login.defs
PASS_MAX_DAYS   90    # 口令最大有效天数
PASS_MIN_DAYS   10    # 两次改密之间至少间隔的天数(设得太大,用户在口令泄露后也无法立即更换,一般取 1~7)
PASS_MIN_LEN    8     # 口令最少字符数
PASS_WARN_AGE   5     # 口令过期提前警告天数
注意:login.defs 不识别 // 注释,只能用 #。这些参数只对之后新建的账号生效,已有账号要用 chage -M 90 -m 1 -W 5 <user> 逐个设置。在使用 PAM 的系统(RHEL/CentOS)上 PASS_MIN_LEN 不生效,口令长度应通过 /etc/pam.d/system-auth 里的 pam_cracklib/pam_pwquality minlen 配置。

 

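# Login banner. /etc/motd is shown only after authentication; a pre-login legal
# warning belongs in /etc/issue.net plus "Banner /etc/issue.net" in sshd_config.
# Here the pre-login files are emptied instead so the OS/version is not
# advertised before login.
echo 'ONLY Authorized users only! All accesses logged' > /etc/motd

# Truncate in place instead of rm + touch: the files keep their current
# owner and mode rather than picking up whatever the umask gives.
: > /etc/issue
: > /etc/issue.net

# rsh/rlogin trust files. The glob must be quoted: unquoted, the shell expands
# it in the current directory before find ever sees it. This only lists the
# files; review the output and remove them by hand.
find / -name '*.rhosts'
# Classic step for root's own trust file: make sure it exists, is empty and
# is mode 0.
touch /.rhosts && chmod 0 /.rhosts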


防止IP SPOOF(准确地说是防 DNS 欺骗:nospoof 只让解析库交叉校验正向/反向 DNS 结果,针对的是 rhosts 类基于主机名的认证,对伪造源 IP 的数据包没有作用;真正的反 IP 欺骗靠内核 rp_filter(net.ipv4.conf.all.rp_filter=1)和主机防火墙)
# "nospoof" only makes the resolver cross-check forward and reverse DNS
# lookups (an rhosts-era protection); it does nothing against forged source
# IPs. For that use the kernel reverse-path filter
# (net.ipv4.conf.all.rp_filter=1) and the host firewall. Newer glibc versions
# may ignore this directive entirely, so do not rely on it.
echo "nospoof on" >>/etc/host.conf


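# Services to disable at boot and stop now.
# iptables/ip6tables are deliberately NOT in this list: the original sequence
# switched them off, which removes the host firewall from the machine being
# hardened. If a network firewall is meant to replace it, add them back on
# purpose, not as a side effect of "stop unused services".
# ("service vncserver off" in the original is not a valid action; the intent
# was chkconfig off + stop, which the loop does.)
services_off=(bluetooth firstboot cups isdn kudzu sendmail smartd autofs vncserver)

for svc in "${services_off[@]}"; do
  # Skip services that are not installed instead of printing an error for each.
  chkconfig --list "$svc" >/dev/null 2>&1 || continue
  chkconfig "$svc" off
  service "$svc" stop
done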

锁定不需要的用户
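# System accounts nobody should log in as.
# `usermod -L` only locks the password: with UsePAM (the RHEL default) a
# key-based SSH login can still succeed, and `su` from root always works,
# so also give the accounts a non-interactive shell. sync/shutdown/halt keep
# their purpose-built shells and are only password-locked.
locked_users=(adm lp sync shutdown halt news uucp operator ftp rpc rpcuser gopher nscd)

for u in "${locked_users[@]}"; do
  getent passwd "$u" >/dev/null || continue     # not every install has them all
  usermod -L "$u"
  case $u in
    sync|shutdown|halt) ;;                      # leave /bin/sync etc. alone
    *) usermod -s /sbin/nologin "$u" ;;
  esac
done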


删除不需要的组
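# Remove groups nobody needs. groupdel itself refuses to delete a group that
# is still some user's primary group; files owned by a deleted GID become
# orphaned, so a `find / -nogroup` afterwards is worth a look.
# NOTE(review): the list of groups that "must be kept" further down names uucp,
# yet uucp is deleted here — confirm which is intended before running this.
for g in lp news games gopher uucp; do
  getent group "$g" >/dev/null || continue      # absent on many installs
  groupdel "$g"
done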


本次必须要保留的用户是:
root、bin、nobody、ntp、ssh、uucp
必须保留的组包括:
root、nobody、ntp、uucp
(注意:前面的 usermod -L uucp 只是锁定口令、并未删除账号,与"保留 uucp 用户"不冲突;但 groupdel uucp 会把 uucp 组删掉,与这里"必须保留 uucp 组"直接矛盾,执行前请确认到底要哪一个。)


# Application account for JBoss.
# Note the -G wheel: together with the pam_wheel line below, this lets the
# jboss account su to root, so a compromise of the network-facing JBoss
# process is one (root) password away from root. Prefer a separate personal
# admin account in wheel and keep the service account out of it.
# `passwd jboss` prompts interactively; do not replace it with a password
# written into a script.
useradd jboss
passwd jboss
usermod -g jboss -G wheel jboss
vim /etc/pam.d/su
auth required pam_wheel.so use_uid   把这一行的注释去掉,只有wheel组的用户才能su到root(选项名是 use_uid,下划线;原文的 use.uid 是笔误,pam_wheel 不认识这个选项)
# Making the service account owner of the whole install tree lets a
# compromised JBoss rewrite its own binaries, deployers and web.xml. Keep the
# installation root-owned and give jboss write access only to the directories
# it needs at runtime (e.g. its log/tmp/work/data directories, and deploy only
# if hot deployment is actually used).
chown -R jboss.jboss /usr/local/jboss-4.2.3.GA

 

 

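#!/bin/bash
# Strip the JBoss 4.2.3 "default" server of the deployers and consoles this
# installation does not use (jmx-console, http-invoker, the management
# consoles, JMS, EJB, scheduling, ...) and empty the stock ROOT.war so the
# distribution's welcome page is not served. Run once, as root, after install.
set -euo pipefail

jboss_home=/usr/local/jboss-4.2.3.GA
deploy_dir="$jboss_home/server/default/deploy"

# Never `cd` and then `rm -rf *`: if the cd fails (typo, moved install) the rm
# runs in whatever directory the shell happens to be in. Use absolute paths
# and refuse to continue when the directory is missing.
[[ -d "$deploy_dir" ]] || { echo "no such directory: $deploy_dir" >&2; exit 1; }

unused_deployers=(
  bsh-deployer.xml
  client-deployer-service.xml
  ear-deployer.xml
  ejb-deployer.xml
  http-invoker.sar
  jboss-bean.deployer
  jms
  jsr88-service.xml
  schedule-manager-service.xml
  scheduler-service.xml
  sqlexception-service.xml
  uuid-key-generator.sar
  jmx-console.war
  management
)
for entry in "${unused_deployers[@]}"; do
  rm -rf -- "${deploy_dir:?}/$entry"
done

# Empty (do not delete) the default web application so "/" still resolves
# but nothing from the stock distribution is exposed.
root_war="$deploy_dir/jboss-web.deployer/ROOT.war"
[[ -d "$root_war" ]] || { echo "no such directory: $root_war" >&2; exit 1; }
rm -rf -- "${root_war:?}"/*
exit 0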

隐藏jboss版本信息
vim /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/server.xml


             maxThreads="250" maxHttpHeaderSize="8192"
         emptySessionPath="true" protocol="HTTP/1.1"
         enableLookups="false" redirectPort="8443" acceptCount="100"
         connectionTimeout="20000" disableUploadTimeout="true"
         server="ESB" />

在 server.xml 的 <Connector ...> 元素(上面的片段在网页渲染时丢失了开头的 `<Connector` 标签)末尾加上 server="ESB"/>,HTTP 响应头 Server 就会显示 ESB 而不是默认的 JBoss/Tomcat 版本。这只是隐藏版本字符串,并不能阻止通过其他特征识别出 JBoss,不要用它代替打补丁和删掉多余的部署。

vim /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/conf/web.xml


     
         X-Powered-By
         ESB2.0
     
(网页渲染时丢失了外层的 XML 标签;这段配置的作用是把响应头 X-Powered-By 的值改成 ESB2.0,同样只是掩盖版本信息。)

vim /etc/ssh/sshd_config
把PermitRootLogin yes前面的"#"去掉,把"yes"改为"no"。改之前先确认已经有一个能登录、并能 su/sudo 到 root 的普通账号(例如上面加入 wheel 组的用户),否则重启 sshd 后会把自己锁在外面。另外 sshd 对每个关键字只取文件中第一次出现的值,所以要修改原有那一行,而不是在文件末尾追加一行。

#ClientAliveCountMax 3
只去掉这一行的注释不起任何作用:3 本来就是默认值,而且它只有在 ClientAliveInterval 不为 0 时才生效(ClientAliveInterval 默认是 0,即关闭探测)。要让失去响应的连接在大约 3 分钟后断开,需要同时设置:
ClientAliveInterval 60
ClientAliveCountMax 3
注意这是对客户端是否还活着的探测,不是空闲超时;一个正常在线但没有输入的会话不会因此被断开。

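# Validate the edited config before restarting: a typo in sshd_config would
# otherwise leave the host without a working sshd (and you without a way in).
sshd -t && service sshd restart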

# System-wide locale. `source` only changes the current shell's environment;
# new logins read /etc/sysconfig/i18n on their own.
sed -i -e 's/^LANG=.*/LANG="en_US.UTF-8"/'   /etc/sysconfig/i18n
source /etc/sysconfig/i18n


vim /etc/hosts.allow
sshd:192.168.0.199,192.168.0.201,192.168.0.121
(换成自己的管理机地址。hosts.allow 先于 hosts.deny 匹配,列在这里的地址总是允许。)

vim /etc/hosts.deny
sshd:all
(只拒绝 sshd,其他使用 tcp_wrappers 的服务不受影响。sshd 对每个新连接都会重新读取这两个文件,改完立即生效,不需要重启 sshd。如果 hosts.allow 里的地址写错,自己也会被拒绝,所以修改时保持一个已登录的会话不要断开,用新连接验证后再关闭。)

# sshd is a standalone daemon, not run from xinetd, and it consults
# hosts.allow/hosts.deny on every new connection; restarting xinetd is not
# needed for the rules above to take effect (harmless if xinetd is installed).
service xinetd restart


截短~/.bash_history文件
vim /etc/profile
HISTSIZE=1000改成20


vim /etc/skel/.bash_logout 
在/etc/skel/.bash_logout在文件中添加这行
rm -rf $HOME/.bash_history 
这样当用户注销时,.bash_history被删除

注意:这两步是"反取证"而不是加固。命令历史是入侵后排查的重要线索,把 HISTSIZE 压到 20 并在注销时删除历史,会让 motd 里的"All accesses logged"成为空话;它也挡不住用户自己把 HISTFILE 置空或用 kill -9 结束 shell 来绕过。更合理的做法是保留历史,并通过 auditd(审计 execve)或集中日志把操作记录送到主机之外。


DenyHosts是用Python2.3写的一个程序,它会分析/var/log/secure(redhat,Fedora Core)等日志文件,当发现同一IP在进行多次SSH密
码尝试时就会记录IP到/etc/hosts.deny文件,从而达到自动屏蔽该IP的目的。
注意:上面已经在 /etc/hosts.deny 里写了 sshd:all,只有 hosts.allow 中列出的地址才能连 sshd,这种情况下 DenyHosts 对 sshd 没有额外作用,它主要对没有做白名单的主机有意义。另外 DenyHosts 2.6 已经很旧,在较新的系统上可以考虑 fail2ban。

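# Fetch and install DenyHosts.
# The original command line had an unquoted "&" in the URL: the shell
# backgrounds wget with a truncated URL and tries to run "ts=..." as a
# command. Downloading and installing code as root without any integrity
# check is also a supply-chain risk, so fetch over HTTPS and compare against
# the checksum published for the release (put it in DENYHOSTS_SHA256).
denyhosts_url='https://downloads.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz'
: "${DENYHOSTS_SHA256:?set DENYHOSTS_SHA256 to the published checksum of DenyHosts-2.6.tar.gz}"

wget -O DenyHosts-2.6.tar.gz -- "$denyhosts_url"
echo "$DENYHOSTS_SHA256  DenyHosts-2.6.tar.gz" | sha256sum -c - \
  || { echo "DenyHosts tarball checksum mismatch, aborting" >&2; exit 1; }
tar -xzf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6 || exit 1
python setup.py install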


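# Build the working config from the shipped template (comments stripped) and
# install the control script. Abort if the install directory is missing
# instead of writing files into the current directory.
cd /usr/share/denyhosts/ || exit 1
grep -v '^#' denyhosts.cfg-dist > denyhosts.cfg
cp daemon-control-dist daemon-control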

vim denyhosts.cfg

PURGE_DENY = 5m                # 5 分钟后解除封禁(很短,扫描器稍后重试就又被放进来;常见取值是 1d 或 1w)

DENY_THRESHOLD_INVALID = 1    # 不存在的用户名失败 1 次即封

DENY_THRESHOLD_VALID = 5       # 普通用户登录失败的次数

DENY_THRESHOLD_ROOT = 5        # root 登录失败的次数(发行版默认值是 1;上面已经禁止 root 远程登录,任何 root 登录尝试都是恶意的,不应放宽到 5)

denyhosts.cfg 里的注释要用 #,不能用 //。

 


# The control script is run at boot from rc.local as root; make sure only
# root can read or modify it.
chown root daemon-control
chmod 700 daemon-control


vim /etc/rc.local
/usr/share/denyhosts/daemon-control start

vim /etc/audit/audit.rules  最后增加一行,对该目录审计(-p wa 即记录写入和属性修改;加上 -k 标签,之后可以用 ausearch -k jboss_deploy 直接检索)
-w /usr/local/jboss-4.2.3.GA/server/default/deploy -p wa -k jboss_deploy
service auditd restart

查看审计规则 auditctl -l
查看audit运行状态 auditctl -s

审计工具
# Lynis 1.2.9 is an old release fetched over plain HTTP with no checksum or
# signature check; get the current release from the project's site over
# HTTPS and verify it before running it as root.
wget http://www.rootkit.nl/files/lynis-1.2.9.tar.gz

给关键文件加root权限
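# Permissions on key files. The original modes (744/740) set the execute bit
# on regular files, which is meaningless for data files and a red flag for
# integrity scanners; these are the same restrictions without it.
chmod 0644 /etc/passwd      # world-readable by design (name lookups), never writable
chmod 0640 /etc/shadow      # root and the root group only; on Debian-based
                            # systems the group is "shadow" and needs read access
chmod 0700 /etc/rc3.d       # a directory needs x to be traversed; root only
chmod 0644 /etc/profile     # every login shell sources it, so it must stay readable
chmod 1777 /tmp             # sticky bit: users can only delete their own files
chmod 0644 /etc/exports
chmod -R 0700 /etc/rc.d/init.d/*   # init scripts are only ever run by root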

Control-Alt-Delete 键盘关机命令
vim /etc/inittab
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
这一行前面加#,改成
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
改完执行 telinit q 让 init 重新读取 inittab,否则要到下次启动才生效。(使用 systemd 的新系统没有 inittab,对应做法是 systemctl mask ctrl-alt-del.target。)


给文件加锁(暂时不实施)
# Immutable bit. Root can clear it again with chattr -i, so this only stops
# accidental or scripted changes, not an attacker who already has root.
# While it is set, useradd/usermod/passwd all fail — including users trying
# to change an expired password, which the PASS_MAX_DAYS 90 policy above
# will force them to do.
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/services
chmod 600 /etc/xinetd.conf

当chattr +i时就是禁止对文件进行修改,当我们要添加用户时,就会有麻烦,因为passwd文件禁止修改写入.
所以我们还要改掉它的属性.chattr -i. 另外 /etc/shadow 加了 +i 之后用户也无法修改口令,这与上面 PASS_MAX_DAYS 90 的口令过期策略冲突;而且拿到 root 的攻击者同样可以 chattr -i,所以这只能防误操作,不能防入侵。
 

脚本如下:

init_sysctl.sh

 

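  #!/bin/bash
  # init_sysctl.sh - kernel network tuning for the JBoss host.
  #
  # Appends the settings below to /etc/sysctl.conf (once; re-running the
  # script does not duplicate them), loads them with sysctl -p, and raises the
  # open-file limit. Must run as root.
  #
  # Fixes relative to the original listing: every echo after the first was
  # missing its closing quote, so ">> /etc/sysctl.conf" became part of the
  # string and the lines were never written; ip_local_port_range had an upper
  # bound of 65536, which the kernel rejects (ports end at 65535); and
  # tcp_tw_recycle is dropped — it breaks clients behind NAT and was removed
  # from the kernel in 4.12.
  set -euo pipefail

  readonly SYSCTL_CONF=/etc/sysctl.conf
  readonly MARKER='####add by hx10###'

  # One "key = value" per element, written verbatim.
  readonly -a SYSCTL_SETTINGS=(
    'net.ipv4.ip_local_port_range = 1024 65535'
    'net.core.rmem_max = 16777216'
    'net.core.wmem_max = 16777216'
    'net.ipv4.tcp_rmem = 4096 87380 16777216'
    'net.ipv4.tcp_wmem = 4096 65536 16777216'
    'net.ipv4.tcp_fin_timeout = 15'
    'net.ipv4.tcp_keepalive_time = 600'
    'net.core.netdev_max_backlog = 30000'
    'net.ipv4.tcp_no_metrics_save = 1'
    'net.core.somaxconn = 262144'
    'net.ipv4.tcp_syncookies = 1'          # SYN-flood protection
    'net.ipv4.tcp_max_orphans = 8000'
    'net.ipv4.tcp_max_syn_backlog = 8000'
    'net.ipv4.tcp_synack_retries = 2'
    'net.ipv4.tcp_syn_retries = 2'
  )

  die() { printf '%s\n' "$*" >&2; exit 1; }

  #######################################
  # Append the settings block to sysctl.conf unless the marker is already there.
  # Globals: SYSCTL_CONF, MARKER, SYSCTL_SETTINGS
  #######################################
  write_sysctl_conf() {
    if grep -qF -- "$MARKER" "$SYSCTL_CONF"; then
      echo "sysctl settings already present, not appending again" >&2
      return 0
    fi
    cp -- "$SYSCTL_CONF" "$SYSCTL_CONF.bak"
    { printf '%s\n' "$MARKER"; printf '%s\n' "${SYSCTL_SETTINGS[@]}"; } >> "$SYSCTL_CONF"
  }

  main() {
    (( EUID == 0 )) || die "must run as root"
    write_sysctl_conf
    sysctl -p

    ### change max open files
    # A ulimit in rc.local only affects the rc.local shell and the daemons it
    # starts; interactive logins get their limits from pam_limits
    # (/etc/security/limits.conf), so set the jboss user's nofile there too.
    ulimit -SHn 102400
    grep -qF -- 'ulimit -SHn 102400' /etc/rc.local \
      || echo "ulimit -SHn 102400" >> /etc/rc.local
    ulimit -a
  }

  main "$@"
  exit 0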


 

init_system.sh

 

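  #!/bin/bash
  # init_system.sh - one-shot hardening of a chkconfig/sysvinit (RHEL/CentOS
  # style) host that will run JBoss.
  #
  # Steps, in order: password policy, banners, unused services, locked system
  # accounts, the jboss application account, locale, SSH access control,
  # DenyHosts, Ctrl-Alt-Del, file permissions, sshd restart. Every file that is
  # edited gets a .bak copy first. Must run as root.
  #
  # Inputs (environment):
  #   JBOSS_PASSWORD     password for the jboss account (required). The original
  #                      listing hard-coded it in the script, which hands it to
  #                      anyone who can read the script or its backups.
  #   SSH_ALLOW_FROM     hosts.allow client list for sshd
  #                      (default: the three management addresses below).
  #   DENYHOSTS_URL      where to fetch DenyHosts-2.6.tar.gz from.
  #   DENYHOSTS_SHA256   expected checksum of that tarball. Optional, but without
  #                      it code from the network is installed as root unverified.
  #   CLEAN_HISTORY=1    also shrink HISTSIZE to 20 and delete ~/.bash_history on
  #                      logout, as the original did. Off by default: it destroys
  #                      the evidence incident response needs and contradicts the
  #                      "All accesses logged" banner.
  #   LOCK_ACCOUNT_FILES=1
  #                      chattr +i passwd/shadow/group/services as the original
  #                      did. Off by default: with PASS_MAX_DAYS 90 an immutable
  #                      /etc/shadow means nobody can change an expired password.
  #
  # Deliberate differences from the original listing:
  #   - iptables/ip6tables are no longer switched off (that removed the host
  #     firewall from the machine being hardened).
  #   - sshd options are set by editing the existing line; sshd honours only
  #     the first occurrence of a keyword, so a line appended to the end was
  #     ignored whenever the option was already set higher up.
  #   - ClientAliveInterval is set as well: ClientAliveCountMax on its own does
  #     nothing because the probes are disabled while the interval is 0.
  #   - DENY_THRESHOLD_ROOT keeps the distributed value of 1: root login is
  #     disabled, so every root attempt is hostile.
  #   - the login.defs edits match any current value, not only the stock one.
  #   - the unterminated quote in the i18n line (which swallowed the lines
  #     after it) is fixed.
  set -euo pipefail

  readonly SSHD_CONFIG=/etc/ssh/sshd_config
  readonly DENYHOSTS_DIR=/usr/share/denyhosts

  die() { printf '%s\n' "$*" >&2; exit 1; }

  # Copy FILE to FILE.bak before it is modified (no-op if it does not exist).
  backup() {
    [[ -e "$1" ]] && cp -- "$1" "$1.bak"
    return 0
  }

  #######################################
  # Set "KEY VALUE" in a keyword/value config file such as sshd_config.
  # Replaces an existing (possibly commented-out) line for KEY; appends the
  # line if there is none.
  # Arguments: $1 file, $2 key, $3 value
  #######################################
  set_config_line() {
    local file=$1 key=$2 value=$3
    if grep -qE "^[[:space:]]*#?[[:space:]]*${key}\b" "$file"; then
      sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}\b.*|${key} ${value}|" "$file"
    else
      printf '%s %s\n' "$key" "$value" >> "$file"
    fi
  }

  # Password ageing defaults for accounts created from now on (existing
  # accounts need chage). On PAM systems PASS_MIN_LEN is ignored; the minimum
  # length comes from pam_cracklib/pam_pwquality in /etc/pam.d/system-auth.
  password_policy() {
    backup /etc/login.defs
    sed -i -E 's/^(PASS_MAX_DAYS)[[:space:]]+[0-9]+/\1    90/' /etc/login.defs
    sed -i -E 's/^(PASS_MIN_DAYS)[[:space:]]+[0-9]+/\1    10/' /etc/login.defs
    sed -i -E 's/^(PASS_MIN_LEN)[[:space:]]+[0-9]+/\1     8/'  /etc/login.defs
    sed -i -E 's/^(PASS_WARN_AGE)[[:space:]]+[0-9]+/\1    5/'  /etc/login.defs
  }

  # Post-login notice; the pre-login banner files are emptied so the OS and
  # version are not advertised before authentication.
  banners() {
    echo 'ONLY Authorized users only! All accesses logged' > /etc/motd
    backup /etc/issue
    backup /etc/issue.net
    : > /etc/issue
    : > /etc/issue.net
    # rhosts trust: root's .rhosts exists, is empty and is mode 0.
    touch /.rhosts && chmod 0 /.rhosts
    # Resolver forward/reverse cross-check (rhosts-era; no effect on forged
    # source IPs — use rp_filter and the firewall for that).
    backup /etc/host.conf
    grep -qx 'nospoof on' /etc/host.conf || echo "nospoof on" >> /etc/host.conf
  }

  # Disable what is not needed, enable what this host is expected to serve.
  services() {
    local svc
    # iptables/ip6tables intentionally absent — see the header.
    local -a off=(bluetooth firstboot cups isdn kudzu sendmail smartd autofs vncserver ntpd)
    # NOTE(review): snmpd, portmap and nfs are network-facing; confirm they are
    # really required here and restrict them at the firewall. ntpd is switched
    # off as in the original — make sure another time source exists, or the
    # audit and log timestamps will drift.
    local -a on=(snmpd portmap nfs)
    for svc in "${off[@]}"; do
      chkconfig --list "$svc" >/dev/null 2>&1 || continue   # not installed
      chkconfig "$svc" off
      service "$svc" stop || true                           # already stopped
    done
    for svc in "${on[@]}"; do
      chkconfig --list "$svc" >/dev/null 2>&1 || continue
      chkconfig "$svc" on
      service "$svc" restart
    done
    # Leftover vnc processes. pkill replaces the ps|grep|awk|xargs kill -9
    # chain, which failed whenever nothing matched.
    pkill -f '/usr/share/vnc/classes' || true
  }

  # Lock the passwords of system accounts. -L only locks the password; key
  # logins and su can still reach the account unless the shell is changed too.
  lock_system_accounts() {
    local u
    for u in adm lp sync shutdown halt news uucp operator ftp rpc rpcuser gopher nscd; do
      getent passwd "$u" >/dev/null || continue
      usermod -L "$u"
    done
  }

  # Application account. Reads JBOSS_PASSWORD from the environment.
  add_jboss_user() {
    if ! getent passwd jboss >/dev/null; then
      useradd jboss
      # --stdin keeps the password out of argv, which is visible in ps.
      printf '%s\n' "$JBOSS_PASSWORD" | passwd --stdin jboss
    fi
    # NOTE(review): wheel + pam_wheel means this service account can su to
    # root, so a compromise of the network-facing JBoss process only needs
    # root's password. A separate personal admin account in wheel is safer.
    usermod -g jboss -G wheel jboss
    #chown -R jboss.jboss /usr/local/jboss-4.2.3.GA
  }

  # System-wide locale. `source` only affects this script's own environment.
  set_locale() {
    backup /etc/sysconfig/i18n
    echo 'LANG="en_US.UTF-8"' > /etc/sysconfig/i18n
    #echo 'LANG="zh_CN.GB18030"' > /etc/sysconfig/i18n
    source /etc/sysconfig/i18n
  }

  # tcp_wrappers allow list for sshd and the sshd_config changes. hosts.allow
  # wins over hosts.deny; a wrong address list locks the administrator out, so
  # keep the current session open until a fresh login has been verified.
  ssh_access() {
    backup /etc/hosts.allow
    backup /etc/hosts.deny
    grep -qF -- "sshd:${SSH_ALLOW_FROM}" /etc/hosts.allow \
      || echo "sshd:${SSH_ALLOW_FROM}" >> /etc/hosts.allow
    grep -qx 'sshd:all' /etc/hosts.deny || echo "sshd:all" >> /etc/hosts.deny

    backup "$SSHD_CONFIG"
    set_config_line "$SSHD_CONFIG" PermitRootLogin no
    # 60s x 2 probes: unresponsive clients are dropped after ~2 minutes. This
    # is a liveness check, not an idle timeout.
    set_config_line "$SSHD_CONFIG" ClientAliveInterval 60
    set_config_line "$SSHD_CONFIG" ClientAliveCountMax 2
  }

  # Original "clean history" step, only when CLEAN_HISTORY=1 (see header).
  shell_history() {
    backup /etc/skel/.bash_logout
    backup /etc/profile
    [[ ${CLEAN_HISTORY:-0} == 1 ]] || return 0
    sed -i 's/^HISTSIZE=1000/HISTSIZE=20/' /etc/profile
    grep -qF -- 'rm -rf $HOME/.bash_history' /etc/skel/.bash_logout \
      || echo 'rm -rf $HOME/.bash_history ' >> /etc/skel/.bash_logout
  }

  # Fetch, verify (when a checksum is given), install and configure DenyHosts.
  # NOTE: with "sshd:all" in hosts.deny plus an allow list, DenyHosts adds
  # nothing for sshd itself; it only matters where the allow list is not used.
  install_denyhosts() {
    local url=${DENYHOSTS_URL:-ftp://192.168.0.21/pub/DenyHosts-2.6.tar.gz}
    cd /usr/local/src || die "cannot cd to /usr/local/src"
    wget -O DenyHosts-2.6.tar.gz -- "$url"
    if [[ -n ${DENYHOSTS_SHA256:-} ]]; then
      echo "$DENYHOSTS_SHA256  DenyHosts-2.6.tar.gz" | sha256sum -c - \
        || die "DenyHosts tarball checksum mismatch"
    else
      echo "WARNING: DENYHOSTS_SHA256 not set, installing an unverified tarball" >&2
    fi
    tar -xzf DenyHosts-2.6.tar.gz
    (cd DenyHosts-2.6 && python setup.py install)

    cd "$DENYHOSTS_DIR" || die "cannot cd to $DENYHOSTS_DIR"
    grep -v '^#' denyhosts.cfg-dist > denyhosts.cfg
    cp denyhosts.cfg denyhosts.cfg.bak
    cp daemon-control-dist daemon-control
    # Match whatever value the template ships with, not one specific default.
    sed -i 's/^PURGE_DENY =.*/PURGE_DENY = 5m/'                         denyhosts.cfg
    sed -i 's/^DENY_THRESHOLD_INVALID = .*/DENY_THRESHOLD_INVALID = 1/' denyhosts.cfg
    sed -i 's/^DENY_THRESHOLD_VALID = .*/DENY_THRESHOLD_VALID = 5/'     denyhosts.cfg
    # DENY_THRESHOLD_ROOT stays at the distributed 1 (the original raised it to 5).
    chown root daemon-control
    chmod 700 daemon-control
    backup /etc/rc.local
    grep -qF -- "$DENYHOSTS_DIR/daemon-control start" /etc/rc.local \
      || echo "$DENYHOSTS_DIR/daemon-control start" >> /etc/rc.local
    "$DENYHOSTS_DIR/daemon-control" start
  }

  # Stop Ctrl-Alt-Del from rebooting the box; telinit q applies it now.
  ctrl_alt_del() {
    backup /etc/inittab
    sed -i 's|^ca::ctrlaltdel:/sbin/shutdown -t3 -r now|#&|' /etc/inittab
    telinit q || true
  }

  # Restrictive modes on key files. The original 744/740 set a meaningless
  # execute bit on regular files; these are the same restrictions without it.
  file_permissions() {
    chmod 0644 /etc/passwd
    chmod 0640 /etc/shadow        # root group only (Debian: group "shadow" needs read)
    chmod 0700 /etc/rc3.d         # directories need x to be traversed
    chmod 0644 /etc/profile       # every login shell sources it
    chmod 1777 /tmp
    [[ -e /etc/exports ]] && chmod 0644 /etc/exports
    [[ -e /etc/xinetd.conf ]] && chmod 0600 /etc/xinetd.conf
    chmod -R 0700 /etc/rc.d/init.d/*
    if [[ ${LOCK_ACCOUNT_FILES:-0} == 1 ]]; then
      # Root can undo this with chattr -i; it stops accidents, not attackers.
      chattr +i /etc/passwd /etc/shadow /etc/group /etc/services
    fi
  }

  main() {
    (( EUID == 0 )) || die "must run as root"
    : "${JBOSS_PASSWORD:?set JBOSS_PASSWORD in the environment (do not hard-code it in this script)}"
    : "${SSH_ALLOW_FROM:=192.168.0.199,192.168.0.201,192.168.0.121}"

    password_policy
    banners
    services
    lock_system_accounts
    add_jboss_user
    set_locale
    ssh_access
    shell_history
    install_denyhosts
    ctrl_alt_del
    file_permissions

    # Validate sshd_config before restarting; a bad line would leave no sshd.
    sshd -t || die "sshd_config failed validation, not restarting sshd"
    service sshd restart
    service xinetd restart || true    # sshd does not depend on it; harmless
    echo "congratulations!"
    sleep 2
  }

  main "$@"
  exit 0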
  137.  

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/70109/viewspace-689583/,如需转载,请注明出处,否则将追究法律责任。
