Linux主机安全配置的几个脚本
2010-08-13 11:29
vim /etc/login.defs
PASS_MAX_DAYS 90 //口令最大有效天数
PASS_MIN_DAYS 10 //口令最小有效天数
PASS_MIN_LEN 8 //口令最少字符数
PASS_WARN_AGE 5 //口令过期提前警告天数
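# Replace the post-login banner and blank the pre-login issue files so the
# login prompt no longer reveals the distribution/kernel; then neutralise
# rhosts-based trust.
echo 'ONLY Authorized users only! All accesses logged' > /etc/motd
rm -f /etc/issue
rm -f /etc/issue.net
touch /etc/issue
touch /etc/issue.net
# The pattern must be quoted: unquoted, the shell expands *.rhosts against the
# current directory before find ever sees it.
find / -name '*.rhosts'
# An empty, mode-000 /.rhosts so a usable one cannot be planted later.
touch /.rhosts && chmod 000 /.rhosts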
防止IP SPOOF
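# Reject resolver answers whose reverse lookup does not map back to the same
# address (basic anti-spoofing for host.conf-based resolution).
echo "nospoof on" >>/etc/host.conf

# Services to disable at boot and stop now.
# NOTE(review): iptables/ip6tables are the host firewall; turning them off
# removes a defensive layer — confirm a network firewall covers this host
# before keeping them in this list.
services=(bluetooth firstboot cups ip6tables iptables isdn kudzu sendmail smartd autofs vncserver)

# "off" is not a `service` action (the original had `service vncserver off`,
# which does nothing); boot-time state belongs to chkconfig.
for svc in "${services[@]}"; do
  chkconfig "$svc" off
done
for svc in "${services[@]}"; do
  service "$svc" stop
done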
锁定不需要的用户
# Lock the password of every system account nothing on this host should log
# in as. `usermod -L` only disables password authentication; the accounts and
# the files they own remain in place.
for acct in adm lp sync shutdown halt news uucp operator ftp rpc rpcuser gopher nscd; do
  usermod -L "$acct"
done
删除不需要的组
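# Remove groups with no purpose on this host. The keep-list stated further
# down ("必须保留的组": root, nobody, ntp, uucp) includes uucp, so it is NOT
# deleted here — the original `groupdel uucp` contradicted that list.
# NOTE(review): groupdel may refuse to remove a group that is still some
# user's primary group (lp/news/gopher users exist on stock installs); the
# warning keeps the run going and reports which ones were skipped.
for grp in lp news games gopher; do
  groupdel "$grp" || printf 'warn: could not delete group %s\n' "$grp" >&2
done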
本次必须要保留的用户是:
root、bin、nobody、ntp、ssh、uucp
必须保留的组包括:
root、nobody、ntp、uucp
# Create the service account that owns and runs JBoss. It is also placed in
# `wheel` so it can reach root through su once pam_wheel is enabled below.
useradd jboss
passwd jboss   # interactive: prompts for the new password
usermod --gid jboss --groups wheel jboss
vim /etc/pam.d/su
auth required pam_wheel.so use_uid 把这一行的注释去掉,只有wheel组的用户才能su到root
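# Hand the JBoss tree to the service account. ':' is the documented
# owner:group separator; the '.' form is only accepted for compatibility.
chown -R jboss:jboss /usr/local/jboss-4.2.3.GA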
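#!/bin/bash
# Strip deployers and management entry points the application does not need
# from JBoss's default server configuration, then empty the ROOT web app so
# the stock welcome page (which names the JBoss version) is no longer served.
set -euo pipefail

readonly jboss_home=/usr/local/jboss-4.2.3.GA
readonly deploy_dir="$jboss_home/server/default/deploy"
readonly root_war="$deploy_dir/jboss-web.deployer/ROOT.war"

# Both directories are verified up front. The original script chained an
# unchecked `cd` into `rm -rf *`, so a wrong path would have emptied whatever
# directory the script was started from instead.
[[ -d "$deploy_dir" ]] || { printf 'error: %s not found\n' "$deploy_dir" >&2; exit 1; }
[[ -d "$root_war" ]]   || { printf 'error: %s not found\n' "$root_war" >&2; exit 1; }

# Deployers, services and consoles being removed from the deploy directory.
unneeded=(
  bsh-deployer.xml
  client-deployer-service.xml
  ear-deployer.xml
  ejb-deployer.xml
  http-invoker.sar
  jboss-bean.deployer
  jms
  jsr88-service.xml
  schedule-manager-service.xml
  scheduler-service.xml
  sqlexception-service.xml
  uuid-key-generator.sar
  jmx-console.war
  management
)
for entry in "${unneeded[@]}"; do
  rm -rf -- "$deploy_dir/$entry"
done

# `${root_war:?}` aborts if the variable were ever empty, so this line can
# never expand to a bare `rm -rf /*`.
rm -rf -- "${root_war:?}"/*
exit 0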
隐藏jboss版本信息
vim /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/server.xml
<Connector port="8080" address="${jboss.bind.address}"
maxThreads="250" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"
server="ESB" />
在这一段最后加上一个server="ESB"/>
vim /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/conf/web.xml
<init-param>
<param-name>X-Powered-By</param-name>
<param-value>ESB2.0</param-value>
</init-param>
vim /etc/ssh/sshd_config
把PermitRootLogin yes前面的"#"去掉,把"yes"改为"no"
#ClientAliveCountMax 3
把这个前面的"#"去掉,就是超过3分钟闲置,就自动断开session(ClientAliveCountMax 需要和 ClientAliveInterval 一起设置才会生效)
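# Validate sshd_config before restarting: a typo would otherwise take the
# daemon down and lock out every remote administrator.
/usr/sbin/sshd -t && service sshd restart
# Force the system locale to UTF-8 and load it into the current shell.
sed -i -e 's/^LANG=.*/LANG="en_US.UTF-8"/' /etc/sysconfig/i18n
source /etc/sysconfig/i18n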
vim /etc/hosts.allow
sshd:192.168.0.199,192.168.0.201,192.168.0.121
vim /etc/hosts.deny
sshd:all
# Restart xinetd so the services it supervises re-read hosts.allow/hosts.deny.
# NOTE(review): sshd here runs standalone and is restarted separately; if it
# is built with libwrap it evaluates the tcp_wrappers rules itself, so this
# restart only affects xinetd-managed services — verify it is needed at all.
service xinetd restart
截短~/.bash_history文件
vim /etc/profile
HISTSIZE=1000改成20
vim /etc/skel/.bash_logout
在/etc/skel/.bash_logout在文件中添加这行
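# Line added to /etc/skel/.bash_logout. $HOME is quoted and -f (not -rf) is
# used since this is a single file. NOTE(review): wiping history on logout
# also destroys the command trail an incident responder would want; the
# reduced HISTSIZE already limits exposure without destroying it.
rm -f -- "$HOME/.bash_history"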
这样当用户注销时,.bash_history被删除
DenyHosts是用Python2.3写的一个程序,它会分析/var/log/secure(redhat,Fedora Core)等日志文件,当发现同一IP在进行多次SSH密码尝试时就会记录IP到/etc/hosts.deny文件,从而达到自动屏蔽该IP的目的。
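# Fetch and install DenyHosts 2.6. The URL must be quoted: unquoted, the '&'
# in the query string backgrounds wget and runs `ts=...` as a separate
# command, so the original line never fetched the archive. `-O` pins the
# output name, which would otherwise include the query string and not match
# the tar command below.
# NOTE(review): plain-HTTP download with no integrity check — compare the
# tarball against a known-good hash (<EXPECTED_SHA256>) before installing.
url='http://downloads.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fdenyhosts%2Ffiles%2F&ts=1281580068&mirror=ncu'
wget -O DenyHosts-2.6.tar.gz "$url" || exit 1
tar -zxvf DenyHosts-2.6.tar.gz || exit 1
cd DenyHosts-2.6 || exit 1
python setup.py install || exit 1
cd /usr/share/denyhosts/ || exit 1
# Start the live config from the shipped template minus its comment lines.
grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg
cp daemon-control-dist daemon-control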
vim denyhosts.cfg
PURGE_DENY = 5m //5分钟清除
DENY_THRESHOLD_INVALID = 1 //允许无效用户失败的次数
DENY_THRESHOLD_VALID = 5 //允许普通用户登陆失败的次数
DENY_THRESHOLD_ROOT = 5 //允许root登陆失败的次数
# The launcher is run as root from rc.local at boot, so it must be owned by
# root and neither readable nor writable by anyone else.
chown root daemon-control
chmod u=rwx,go= daemon-control
vim /etc/rc.local
# Line appended to /etc/rc.local so DenyHosts is started at boot.
"/usr/share/denyhosts/daemon-control" start
vim /etc/audit/audit.rules 最后增加一行,对该目录审计
-w /usr/local/jboss-4.2.3.GA/server/default/deploy -pwa
# Make auditd load the watch rule added to audit.rules above.
service auditd restart
查看审计规则 auditctl -l
查看audit运行状态 auditctl -s
审计工具
# Lynis host-audit tool. NOTE(review): plain-HTTP download with no integrity
# check — compare the archive against a known-good hash (<EXPECTED_SHA256>)
# before unpacking and running it as root.
wget http://www.rootkit.nl/files/lynis-1.2.9.tar.gz
给关键文件加root权限
# Tighten modes on files that influence authentication and boot. The values
# are the author's policy; note that 740 on /etc/shadow still lets group
# root read it — 0400 is tighter and is what installs typically ship.
while read -r mode path; do
  chmod "$mode" "$path"
done <<'EOF'
744 /etc/passwd
740 /etc/shadow
744 /etc/rc3.d
744 /etc/profile
1777 /tmp
644 /etc/exports
EOF
# Init scripts become root-only, recursively (glob intentionally unquoted).
chmod -R 700 /etc/rc.d/init.d/*
Control-Alt-Delete 键盘关机命令
vim /etc/inittab
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
这一行前面加#,改成
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
给文件加锁(暂时不实施)
# Immutable bit on the account and service databases: even root must run
# `chattr -i` before editing them, which is why the notes mark this step as
# deferred (useradd/passwd fail while the bit is set).
for f in /etc/passwd /etc/shadow /etc/group /etc/services; do
  chattr +i "$f"
done
chmod 600 /etc/xinetd.conf
当chattr +i时就是禁止对文件进行修改,当我们要添加用户时,就会有麻烦,因为passwd文件禁止修改写入.
所以我们还要该掉它的属性.chattr -i.
脚本如下:
init_sysctl.sh
init_system.sh
本文出自 “无云安全技术站” 博客,请务必保留此出处http://hx100.blog.51cto.com/44326/373320
PASS_MAX_DAYS 90 //口令最大有效天数
PASS_MIN_DAYS 10 //口令最小有效天数
PASS_MIN_LEN 8 //口令最少字符数
PASS_WARN_AGE 5 //口令过期提前警告天数
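# Replace the post-login banner and blank the pre-login issue files so the
# login prompt no longer reveals the distribution/kernel; then neutralise
# rhosts-based trust.
echo 'ONLY Authorized users only! All accesses logged' > /etc/motd
rm -f /etc/issue
rm -f /etc/issue.net
touch /etc/issue
touch /etc/issue.net
# The pattern must be quoted: unquoted, the shell expands *.rhosts against the
# current directory before find ever sees it.
find / -name '*.rhosts'
# An empty, mode-000 /.rhosts so a usable one cannot be planted later.
touch /.rhosts && chmod 000 /.rhosts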
防止IP SPOOF
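# Reject resolver answers whose reverse lookup does not map back to the same
# address (basic anti-spoofing for host.conf-based resolution).
echo "nospoof on" >>/etc/host.conf

# Services to disable at boot and stop now.
# NOTE(review): iptables/ip6tables are the host firewall; turning them off
# removes a defensive layer — confirm a network firewall covers this host
# before keeping them in this list.
services=(bluetooth firstboot cups ip6tables iptables isdn kudzu sendmail smartd autofs vncserver)

# "off" is not a `service` action (the original had `service vncserver off`,
# which does nothing); boot-time state belongs to chkconfig.
for svc in "${services[@]}"; do
  chkconfig "$svc" off
done
for svc in "${services[@]}"; do
  service "$svc" stop
done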
锁定不需要的用户
# Lock the password of every system account nothing on this host should log
# in as. `usermod -L` only disables password authentication; the accounts and
# the files they own remain in place.
for acct in adm lp sync shutdown halt news uucp operator ftp rpc rpcuser gopher nscd; do
  usermod -L "$acct"
done
删除不需要的组
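# Remove groups with no purpose on this host. The keep-list stated further
# down ("必须保留的组": root, nobody, ntp, uucp) includes uucp, so it is NOT
# deleted here — the original `groupdel uucp` contradicted that list.
# NOTE(review): groupdel may refuse to remove a group that is still some
# user's primary group (lp/news/gopher users exist on stock installs); the
# warning keeps the run going and reports which ones were skipped.
for grp in lp news games gopher; do
  groupdel "$grp" || printf 'warn: could not delete group %s\n' "$grp" >&2
done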
本次必须要保留的用户是:
root、bin、nobody、ntp、ssh、uucp
必须保留的组包括:
root、nobody、ntp、uucp
# Create the service account that owns and runs JBoss. It is also placed in
# `wheel` so it can reach root through su once pam_wheel is enabled below.
useradd jboss
passwd jboss   # interactive: prompts for the new password
usermod --gid jboss --groups wheel jboss
vim /etc/pam.d/su
auth required pam_wheel.so use_uid 把这一行的注释去掉,只有wheel组的用户才能su到root
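# Hand the JBoss tree to the service account. ':' is the documented
# owner:group separator; the '.' form is only accepted for compatibility.
chown -R jboss:jboss /usr/local/jboss-4.2.3.GA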
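#!/bin/bash
# Strip deployers and management entry points the application does not need
# from JBoss's default server configuration, then empty the ROOT web app so
# the stock welcome page (which names the JBoss version) is no longer served.
set -euo pipefail

readonly jboss_home=/usr/local/jboss-4.2.3.GA
readonly deploy_dir="$jboss_home/server/default/deploy"
readonly root_war="$deploy_dir/jboss-web.deployer/ROOT.war"

# Both directories are verified up front. The original script chained an
# unchecked `cd` into `rm -rf *`, so a wrong path would have emptied whatever
# directory the script was started from instead.
[[ -d "$deploy_dir" ]] || { printf 'error: %s not found\n' "$deploy_dir" >&2; exit 1; }
[[ -d "$root_war" ]]   || { printf 'error: %s not found\n' "$root_war" >&2; exit 1; }

# Deployers, services and consoles being removed from the deploy directory.
unneeded=(
  bsh-deployer.xml
  client-deployer-service.xml
  ear-deployer.xml
  ejb-deployer.xml
  http-invoker.sar
  jboss-bean.deployer
  jms
  jsr88-service.xml
  schedule-manager-service.xml
  scheduler-service.xml
  sqlexception-service.xml
  uuid-key-generator.sar
  jmx-console.war
  management
)
for entry in "${unneeded[@]}"; do
  rm -rf -- "$deploy_dir/$entry"
done

# `${root_war:?}` aborts if the variable were ever empty, so this line can
# never expand to a bare `rm -rf /*`.
rm -rf -- "${root_war:?}"/*
exit 0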
隐藏jboss版本信息
vim /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/server.xml
<Connector port="8080" address="${jboss.bind.address}"
maxThreads="250" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"
server="ESB" />
在这一段最后加上一个server="ESB"/>
vim /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/conf/web.xml
<init-param>
<param-name>X-Powered-By</param-name>
<param-value>ESB2.0</param-value>
</init-param>
vim /etc/ssh/sshd_config
把PermitRootLogin yes前面的"#"去掉,把"yes"改为"no"
#ClientAliveCountMax 3
把这个前面的"#"去掉,就是超过3分钟闲置,就自动断开session(ClientAliveCountMax 需要和 ClientAliveInterval 一起设置才会生效)
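# Validate sshd_config before restarting: a typo would otherwise take the
# daemon down and lock out every remote administrator.
/usr/sbin/sshd -t && service sshd restart
# Force the system locale to UTF-8 and load it into the current shell.
sed -i -e 's/^LANG=.*/LANG="en_US.UTF-8"/' /etc/sysconfig/i18n
source /etc/sysconfig/i18n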
vim /etc/hosts.allow
sshd:192.168.0.199,192.168.0.201,192.168.0.121
vim /etc/hosts.deny
sshd:all
# Restart xinetd so the services it supervises re-read hosts.allow/hosts.deny.
# NOTE(review): sshd here runs standalone and is restarted separately; if it
# is built with libwrap it evaluates the tcp_wrappers rules itself, so this
# restart only affects xinetd-managed services — verify it is needed at all.
service xinetd restart
截短~/.bash_history文件
vim /etc/profile
HISTSIZE=1000改成20
vim /etc/skel/.bash_logout
在/etc/skel/.bash_logout在文件中添加这行
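# Line added to /etc/skel/.bash_logout. $HOME is quoted and -f (not -rf) is
# used since this is a single file. NOTE(review): wiping history on logout
# also destroys the command trail an incident responder would want; the
# reduced HISTSIZE already limits exposure without destroying it.
rm -f -- "$HOME/.bash_history"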
这样当用户注销时,.bash_history被删除
DenyHosts是用Python2.3写的一个程序,它会分析/var/log/secure(redhat,Fedora Core)等日志文件,当发现同一IP在进行多次SSH密码尝试时就会记录IP到/etc/hosts.deny文件,从而达到自动屏蔽该IP的目的。
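# Fetch and install DenyHosts 2.6. The URL must be quoted: unquoted, the '&'
# in the query string backgrounds wget and runs `ts=...` as a separate
# command, so the original line never fetched the archive. `-O` pins the
# output name, which would otherwise include the query string and not match
# the tar command below.
# NOTE(review): plain-HTTP download with no integrity check — compare the
# tarball against a known-good hash (<EXPECTED_SHA256>) before installing.
url='http://downloads.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fdenyhosts%2Ffiles%2F&ts=1281580068&mirror=ncu'
wget -O DenyHosts-2.6.tar.gz "$url" || exit 1
tar -zxvf DenyHosts-2.6.tar.gz || exit 1
cd DenyHosts-2.6 || exit 1
python setup.py install || exit 1
cd /usr/share/denyhosts/ || exit 1
# Start the live config from the shipped template minus its comment lines.
grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg
cp daemon-control-dist daemon-control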
vim denyhosts.cfg
PURGE_DENY = 5m //5分钟清除
DENY_THRESHOLD_INVALID = 1 //允许无效用户失败的次数
DENY_THRESHOLD_VALID = 5 //允许普通用户登陆失败的次数
DENY_THRESHOLD_ROOT = 5 //允许root登陆失败的次数
# The launcher is run as root from rc.local at boot, so it must be owned by
# root and neither readable nor writable by anyone else.
chown root daemon-control
chmod u=rwx,go= daemon-control
vim /etc/rc.local
# Line appended to /etc/rc.local so DenyHosts is started at boot.
"/usr/share/denyhosts/daemon-control" start
vim /etc/audit/audit.rules 最后增加一行,对该目录审计
-w /usr/local/jboss-4.2.3.GA/server/default/deploy -pwa
# Make auditd load the watch rule added to audit.rules above.
service auditd restart
查看审计规则 auditctl -l
查看audit运行状态 auditctl -s
审计工具
# Lynis host-audit tool. NOTE(review): plain-HTTP download with no integrity
# check — compare the archive against a known-good hash (<EXPECTED_SHA256>)
# before unpacking and running it as root.
wget http://www.rootkit.nl/files/lynis-1.2.9.tar.gz
给关键文件加root权限
# Tighten modes on files that influence authentication and boot. The values
# are the author's policy; note that 740 on /etc/shadow still lets group
# root read it — 0400 is tighter and is what installs typically ship.
while read -r mode path; do
  chmod "$mode" "$path"
done <<'EOF'
744 /etc/passwd
740 /etc/shadow
744 /etc/rc3.d
744 /etc/profile
1777 /tmp
644 /etc/exports
EOF
# Init scripts become root-only, recursively (glob intentionally unquoted).
chmod -R 700 /etc/rc.d/init.d/*
Control-Alt-Delete 键盘关机命令
vim /etc/inittab
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
这一行前面加#,改成
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
给文件加锁(暂时不实施)
# Immutable bit on the account and service databases: even root must run
# `chattr -i` before editing them, which is why the notes mark this step as
# deferred (useradd/passwd fail while the bit is set).
for f in /etc/passwd /etc/shadow /etc/group /etc/services; do
  chattr +i "$f"
done
chmod 600 /etc/xinetd.conf
当chattr +i时就是禁止对文件进行修改,当我们要添加用户时,就会有麻烦,因为passwd文件禁止修改写入.
所以我们还要该掉它的属性.chattr -i.
脚本如下:
init_sysctl.sh
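#!/bin/bash
# init_sysctl.sh — network tuning for the JBoss host. Appends a block of
# sysctl settings to /etc/sysctl.conf (only once, keyed on the marker line,
# so the script can be re-run without duplicating entries), applies them,
# and raises the open-file limit now and at boot.
set -uo pipefail

readonly sysctl_conf=/etc/sysctl.conf
readonly rc_local=/etc/rc.local
readonly marker='####add by hx10###'
readonly max_open_files=102400

cp -- "$sysctl_conf" "$sysctl_conf.bak" || exit 1

if grep -qF -- "$marker" "$sysctl_conf"; then
  printf 'sysctl block already present, not appending again\n' >&2
else
  printf '%s\n' "$marker" >> "$sysctl_conf"
  # ip_local_port_range: 65535 is the highest valid port; the original wrote
  # 65536, which current kernels reject as out of range.
  # tcp_tw_recycle: kept as the author set it, but it breaks clients behind
  # NAT (and was removed from the kernel in 4.12) — review before enabling
  # on a host reachable from outside the LAN.
  cat >> "$sysctl_conf" <<'EOF'
net.ipv4.ip_local_port_range = 1024 65535
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_tw_recycle = 1
net.core.netdev_max_backlog = 30000
net.ipv4.tcp_no_metrics_save=1
net.core.somaxconn = 262144
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_orphans = 8000
net.ipv4.tcp_max_syn_backlog = 8000
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
EOF
fi
sysctl -p

###change max open files
ulimit -SHn "$max_open_files" \
  || printf 'warn: could not raise nofile to %s\n' "$max_open_files" >&2
# Persist the limit for boot, but only once.
grep -qF -- "ulimit -SHn $max_open_files" "$rc_local" \
  || echo "ulimit -SHn $max_open_files" >> "$rc_local"
ulimit -a
exit 0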
init_system.sh
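#!/bin/bash
# init_system.sh — one-shot hardening of a RHEL/CentOS-5 era JBoss host:
# password ageing, login banners, unneeded services/accounts, the jboss
# service account, locale, sshd access limits, shell-history trimming,
# DenyHosts, Ctrl-Alt-Del, and modes/immutable bits on key files.
#
# Required environment:
#   JBOSS_PASSWORD  password for the new `jboss` account. The original script
#                   hard-coded it in cleartext; it now has to come from the
#                   environment so the secret lives neither in this file nor
#                   in the shell history of whoever pastes it.
#
# Deliberately NOT `set -e`: most steps are best-effort (a service that is not
# installed must not abort the rest). Steps whose failure would leave the host
# in a worse state are checked explicitly with `|| die`.
set -uo pipefail

readonly ssh_allowed_hosts='192.168.0.199,192.168.0.201,192.168.0.121'
readonly denyhosts_url='ftp://192.168.0.21/pub/DenyHosts-2.6.tar.gz'
readonly denyhosts_cfg=/usr/share/denyhosts/denyhosts.cfg
# Constructed value: 2 missed keep-alives x 90 s is roughly the 3-minute idle
# limit the accompanying notes describe. ClientAliveCountMax alone does
# nothing while ClientAliveInterval stays at its default of 0.
readonly ssh_alive_interval=90

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Copy FILE to FILE.bak once, so re-runs do not overwrite the pristine copy
# with an already-modified one.
#######################################
backup() {
  local f=$1
  [[ -e "$f.bak" ]] || cp -p -- "$f" "$f.bak"
}

#######################################
# Set `KEY VALUE` in FILE: replace the whole existing `KEY ...` line whatever
# its current value, or append when absent. The original sed patterns only
# matched one specific stock value and silently did nothing otherwise.
#######################################
set_kv() {
  local file=$1 key=$2 value=$3
  if grep -q "^${key}[[:space:]]" "$file"; then
    sed -i "s|^${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

#######################################
# Same as set_kv for `KEY = VALUE` style files (denyhosts.cfg).
#######################################
set_eq() {
  local file=$1 key=$2 value=$3
  if grep -q "^${key}[[:space:]]*=" "$file"; then
    sed -i "s|^${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

#change password policy
password_policy() {
  backup /etc/login.defs
  set_kv /etc/login.defs PASS_MAX_DAYS 90
  set_kv /etc/login.defs PASS_MIN_DAYS 10
  set_kv /etc/login.defs PASS_MIN_LEN 8
  set_kv /etc/login.defs PASS_WARN_AGE 5
}

#stop Linux detection / rhosts / ip spoof
banners() {
  echo 'ONLY Authorized users only! All accesses logged' > /etc/motd
  backup /etc/issue
  backup /etc/issue.net
  : > /etc/issue
  : > /etc/issue.net
  # Empty, mode-000 /.rhosts so rhosts trust cannot be (re)introduced.
  touch /.rhosts && chmod 000 /.rhosts
  backup /etc/host.conf
  grep -q '^nospoof on' /etc/host.conf || echo "nospoof on" >> /etc/host.conf
}

#stop service
services() {
  local svc
  # Disabled at boot and stopped now. NOTE(review): iptables/ip6tables are
  # the host firewall — disabling them removes a defensive layer; confirm a
  # network firewall covers this host before keeping them in this list.
  local -a off=(bluetooth firstboot cups ip6tables iptables isdn kudzu
                sendmail smartd autofs ntpd vncserver)
  # Enabled at boot and (re)started.
  local -a on=(snmpd portmap nfs)
  for svc in "${off[@]}"; do chkconfig "$svc" off; done
  for svc in "${on[@]}"; do chkconfig "$svc" on; done
  for svc in "${off[@]}"; do service "$svc" stop; done
  for svc in "${on[@]}"; do service "$svc" restart; done
}

#lock user unnecessary
lock_accounts() {
  local acct
  for acct in adm lp sync shutdown halt news uucp operator ftp rpc rpcuser gopher nscd; do
    usermod -L "$acct"
  done
}

#add jboss user
add_jboss_user() {
  if ! id jboss >/dev/null 2>&1; then
    useradd jboss || die "useradd jboss failed"
  fi
  # The password goes through stdin, not argv, so it never shows in `ps`.
  printf '%s\n' "$JBOSS_PASSWORD" | passwd --stdin jboss \
    || die "could not set the jboss password"
  usermod -g jboss -G wheel jboss
  #chown -R jboss:jboss /usr/local/jboss-4.2.3.GA
}

#change system character
locale_utf8() {
  backup /etc/sysconfig/i18n
  echo 'LANG="en_US.UTF-8"' > /etc/sysconfig/i18n
  #echo 'LANG="zh_CN.GB18030"' >/etc/sysconfig/i18n
  source /etc/sysconfig/i18n
}

#add ssh user / Limit ROOT from Remote server
ssh_access() {
  backup /etc/hosts.allow
  backup /etc/hosts.deny
  # tcp_wrappers: allow-list first, then deny everything else for sshd.
  grep -qF "sshd:$ssh_allowed_hosts" /etc/hosts.allow \
    || echo "sshd:$ssh_allowed_hosts" >> /etc/hosts.allow
  grep -qF 'sshd:all' /etc/hosts.deny || echo "sshd:all" >> /etc/hosts.deny

  backup /etc/ssh/sshd_config
  # sshd honours the FIRST occurrence of an option, so a bare append (as the
  # original did) is ignored whenever the stock file already sets the option
  # uncommented; set_kv edits the existing line in place instead.
  set_kv /etc/ssh/sshd_config PermitRootLogin no
  set_kv /etc/ssh/sshd_config ClientAliveInterval "$ssh_alive_interval"
  set_kv /etc/ssh/sshd_config ClientAliveCountMax 2
}

#clean history
trim_history() {
  backup /etc/profile
  backup /etc/skel/.bash_logout
  sed -i 's/^HISTSIZE=.*/HISTSIZE=20/' /etc/profile
  # NOTE(review): wiping history on logout also destroys evidence an incident
  # responder would want; the small HISTSIZE already limits exposure.
  grep -qF '.bash_history' /etc/skel/.bash_logout \
    || echo 'rm -f -- "$HOME/.bash_history"' >> /etc/skel/.bash_logout
}

#install DenyHosts
install_denyhosts() {
  cd /usr/local/src || die "/usr/local/src is missing"
  # NOTE(review): fetched over plain FTP from an internal mirror with no
  # integrity check — verify against a known-good hash (<EXPECTED_SHA256>).
  wget -O DenyHosts-2.6.tar.gz "$denyhosts_url" || die "DenyHosts download failed"
  tar -zxvf DenyHosts-2.6.tar.gz || die "could not unpack DenyHosts"
  ( cd DenyHosts-2.6 && python setup.py install ) || die "DenyHosts install failed"
  cd /usr/share/denyhosts/ || die "DenyHosts did not install to /usr/share/denyhosts"
  grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg
  cp daemon-control-dist daemon-control
  cp denyhosts.cfg denyhosts.cfg.bak
  # Thresholds are the author's policy. ROOT is raised from the shipped 1 to
  # 5, i.e. loosened; reconsider given that root logins are refused anyway
  # (PermitRootLogin no above).
  set_eq "$denyhosts_cfg" PURGE_DENY 5m
  set_eq "$denyhosts_cfg" DENY_THRESHOLD_INVALID 1
  set_eq "$denyhosts_cfg" DENY_THRESHOLD_VALID 5
  set_eq "$denyhosts_cfg" DENY_THRESHOLD_ROOT 5
  chown root daemon-control
  chmod 700 daemon-control
  backup /etc/rc.local
  grep -qF 'daemon-control start' /etc/rc.local \
    || echo "/usr/share/denyhosts/daemon-control start" >> /etc/rc.local
  /usr/share/denyhosts/daemon-control start
}

#limit alt-ctl-delete
disable_ctrl_alt_del() {
  backup /etc/inittab
  # Comment out the ctrlaltdel action so a console keypress cannot reboot.
  sed -i 's/^ca::ctrlaltdel:/#ca::ctrlaltdel:/' /etc/inittab
}

#limit key file
lock_key_files() {
  local mode path f
  # Modes are the author's policy. /etc/shadow at 740 still grants group
  # root read access; 0400 is tighter and is what installs typically ship.
  while read -r mode path; do
    chmod "$mode" "$path"
  done <<'EOF'
744 /etc/passwd
740 /etc/shadow
744 /etc/rc3.d
744 /etc/profile
1777 /tmp
644 /etc/exports
EOF
  chmod -R 700 /etc/rc.d/init.d/*
  # Immutable bit: useradd/passwd/usermod fail until `chattr -i` is run,
  # which is why this is the LAST account-related step.
  for f in /etc/passwd /etc/shadow /etc/group /etc/services; do
    chattr +i "$f"
  done
  chmod 600 /etc/xinetd.conf
  #remove
  #chattr -i /etc/passwd
  #chattr -i /etc/shadow
}

finish() {
  # Never restart with an invalid config — that locks out remote admins.
  /usr/sbin/sshd -t || die "sshd_config failed validation; sshd NOT restarted"
  service sshd restart
  service xinetd restart
  # Stop the VNC java process: TERM first, KILL only if it is still there.
  # (The original ps|grep|xargs kill -9 pipeline also matched its own grep.)
  pkill -TERM -f '/usr/share/vnc/classes'
  echo "congratulations!"
  sleep 2
  pkill -KILL -f '/usr/share/vnc/classes'
}

main() {
  : "${JBOSS_PASSWORD:?set JBOSS_PASSWORD in the environment (not on the command line) before running}"
  [[ $EUID -eq 0 ]] || die "must run as root"
  password_policy
  banners
  services
  lock_accounts
  add_jboss_user
  locale_utf8
  ssh_access
  trim_history
  install_denyhosts
  disable_ctrl_alt_del
  lock_key_files
  finish
  exit 0
}
main "$@"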
本文出自 “无云安全技术站” 博客,请务必保留此出处http://hx100.blog.51cto.com/44326/373320