生产安全加固脚本
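#!/bin/bash
#
# Production hardening script for 99bill DBA hosts (sysvinit era: service,
# chkconfig, /etc/inittab, "service iptables save").  Run as root from an
# interactive shell: it prompts for confirmation and for the data centre,
# then applies the numbered sections below in order.
#
# The last section writes /etc/sec-version; a second run with the same
# VERSION exits early, which is what keeps the append-style edits below
# (/etc/profile, /etc/rsyslog.conf, ...) from being applied twice.

#EXPORT PATH
export PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

#Version checking
SUBVERSION='DBA(6.5)_2014031201'
VERSION=20140312
# grep the file directly instead of "cat | grep" with an unquoted substitution.
if [[ -e /etc/sec-version ]] && grep -q "$VERSION" /etc/sec-version; then
    echo "Checking the sec-version!!"
    exit 0
fi

#Check
cat <<'EOF'

Please make sure all the preparatory work is ready:
1.Enabled iptables, opened ssh port
2.Added group "dba|oinstall|mysql"
3.Added users, and assigned to group "dba|oinstall|mysql"
4.Use a normal user to login test and login successful

If you ensure all above is ok, input "y|Y" to continue:
EOF
read -r YES_OR_NO
case "$YES_OR_NO" in
    y|Y) echo "Starting";;
    *)   exit 0;;
esac

# Central log servers (section 13) differ per data centre.
echo "Please input the Internet Data Center(hb|idx):"
read -r HB_OR_SX
case "$HB_OR_SX" in
    "idx") ip_logserver1=172.16.173.108; ip_logserver2=172.16.173.109;;
    "hb")  ip_logserver1=172.16.50.136;  ip_logserver2=172.16.50.181;;
    # Non-zero exit on bad input so a wrapper or operator notices nothing ran.
    *)     echo "Input error!!"; exit 1;;
esac

#1.services limites
# Stop and disable services a database host does not need at any runlevel.
for svc in netfs acpid haldaemon rhnsd blk-availability; do
    service "$svc" stop
    chkconfig --level 12345 "$svc" off
done
service sendmail restart

#2.commands and scripts limites
# Root-only for the "who is logged in" tools; strip setuid/setgid from
# binaries ordinary users have no business running on a DB host.
chmod 700 /usr/bin/who /usr/bin/w /usr/bin/locate /usr/bin/whereis
chmod a-s /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn \
          /usr/bin/chsh /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl \
          /bin/traceroute /bin/mount /bin/umount /sbin/netreport
chmod 700 /etc/rc.d/init.d/*

#3.Unuseful users and groups deleted
# userdel/groupdel print an error for accounts that are already gone; that
# is harmless and keeps the section re-runnable.
for u in lp games adm shutdown halt uucp operator gopher ftp; do
    userdel "$u"
done
for g in lp adm; do
    groupdel "$g"
done

#4.Delete banner
# Overwrite both pre-login banners.  The stock /etc/issue prints the kernel
# version and distribution release, which is what this section exists to
# remove - appending the warning (as the first version did) left that line
# in place.
BANNER='ALERT! You are entering a secured area(99bill.com)!
Your IP and login information have been recorded.
System administration has been notified.

This system is restricted to authorized access only.
All activities on this system are recorded and logged.
Unauthorized access will be fully investigated and reported
to the appropriate law enforcement agencies.'
printf '%s\n' "$BANNER" > /etc/issue
printf '%s\n' "$BANNER" > /etc/issue.net

#5.sshd_config
SSHD_CONFIG=/etc/ssh/sshd_config
sed -i 's/#LoginGraceTime 2m/LoginGraceTime 30s/g' "$SSHD_CONFIG"
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' "$SSHD_CONFIG"
sed -i 's/#StrictModes yes/StrictModes yes/g' "$SSHD_CONFIG"
sed -i 's/#MaxAuthTries 6/MaxAuthTries 3/g' "$SSHD_CONFIG"
sed -i 's/#UseDNS yes/UseDNS no/g' "$SSHD_CONFIG"
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' "$SSHD_CONFIG"
sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/g' "$SSHD_CONFIG"
# The substitutions above only flip the stock commented defaults, so on a
# previously edited file some may not apply.  Validate the result before
# restarting and before making the file immutable: a broken config on a
# host that now refuses root and password logins is a lock-out.
if /usr/sbin/sshd -t; then
    service sshd restart
    chattr +i "$SSHD_CONFIG"
else
    echo "sshd_config failed validation - sshd NOT restarted, file left mutable" >&2
fi

#6.Accounts policies
#sed -i '/PASS_MAX_DAYS/s/99999/90/' /etc/login.defs > ./lgideftmp && mv -f ./lgideftmp /etc/login.defs
# Anchored on the directive and replacing the whole number, so only the
# live setting changes (the old "s/5/8/" hit the first digit on the line,
# including inside comments).
sed -i 's/^\(PASS_MIN_LEN[[:space:]]\+\)[0-9]\+/\18/' /etc/login.defs
sed -i 's/^\(PASS_WARN_AGE[[:space:]]\+\)[0-9]\+/\115/' /etc/login.defs
# NOTE: an immutable login.defs (and /etc/services below) will make a
# package update that ships the file fail until "chattr -i" is run.
chattr +i /etc/login.defs

#7.Ctrl+Alt+Del
sed -i '/^ca::ctrlaltdel:\/sbin/s/^/#/' /etc/inittab
sed -i '/^id:5:initdefault:/s/5/3/' /etc/inittab

#8.exec_time limited
# Idle interactive shells exit after 30 minutes.  TMOUT is not marked
# readonly here, so a user can still unset it; tighten if policy demands.
sed -i 's/HISTSIZE=1000/HISTSIZE=1000\nTMOUT=1800/g' /etc/profile
# Written with single quotes so the file reads "$HOME" literally (the root
# shell running this script would otherwise expand it to /root, the same
# path).  Kept as the author wrote it, but be aware this discards root's
# local shell history at logout - the audit trail lives on the central log
# servers, not on the host.
echo 'rm -f $HOME/.bash_history' >> ~/.bash_logout

#10.ports file
chattr +i /etc/services

#11.root ttys
# Root may log in on the console and tty1/tty2 only.
sed -i '/^tty[3-9]/s/^/#/' /etc/securetty
sed -i '/^tty1[01]/s/^/#/' /etc/securetty

#12.IPTABLES initialization
#########################################################################
# File: 99bill_default_firewall.sh
# Description: use for 99billdba center
# Version: 1.0
# Date: 2014-03-12
# Corp.: 99bill.com
# Author: vitas.liu
# WWW: http://www.99bill.com
### END INIT INFO
#########################################################################
service iptables stop
IPTABLES=/sbin/iptables

# allow_tcp PORT[:PORT] [SOURCE] - append an INPUT ACCEPT rule for a tcp
# port (range); with SOURCE the rule is limited to that address/CIDR.
allow_tcp() {
    if [ -n "${2:-}" ]; then
        $IPTABLES -A INPUT -p tcp -m tcp -s "$2" --dport "$1" -j ACCEPT
    else
        $IPTABLES -A INPUT -p tcp -m tcp --dport "$1" -j ACCEPT
    fi
}

# allow_udp PORT[:PORT] - same for udp, any source.
allow_udp() {
    $IPTABLES -A INPUT -p udp -m udp --dport "$1" -j ACCEPT
}

# Start from a clean slate.  Policies stay ACCEPT while the tables are
# rebuilt and INPUT is switched to DROP only at the end, so the ssh session
# running this script survives the window between the flush and the
# ESTABLISHED rule, and an error half-way does not leave the host sealed.
# The saved rule set is the same either way.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -t nat -Z

## allow packets coming from the machine
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# allow outgoing traffic
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT
# block spoofing
$IPTABLES -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
# stop bad packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP
# stop ping flood attack
# Echo requests within the limit RETURN to INPUT and are accepted by the
# icmp rule above; everything beyond it must be dropped inside the chain.
# Without a terminal rule the chain just falls through to that same
# accept and the limit has no effect at all.
$IPTABLES -N PING
$IPTABLES -A PING -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
$IPTABLES -A PING -j DROP
$IPTABLES -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j PING

#################################
## allow access police
#################################
# tcp ports
# NOTE(review): the unqualified rules below open database, VNC, SQL Server
# and web/management ports to every source; only ssh, netbios and a few
# application ports are bound to the 172.16/16 and 192.168/16 ranges.
# Tighten per host role where possible.
$IPTABLES -A INPUT -s 192.168.1.0/24 -p tcp -j ACCEPT
allow_tcp 25        # smtp
allow_tcp 80        # http
allow_tcp 110       # pop3
allow_tcp 143       # imap
allow_tcp 161       # snmp
allow_tcp 389       # ldap
allow_tcp 443       # https
allow_tcp 465       # smtp over SSL
allow_tcp 515       # line printer spooler
allow_tcp 631       # cups
allow_tcp 1530      # oracle
allow_tcp 1531      # oracle
allow_tcp 3306      # mysql
allow_tcp 5901      # vnc
allow_tcp 8080      # tomcat
allow_tcp 8140      # puppet
allow_tcp 15666     # nrpe
allow_tcp 1433      # labelled "oracle" in the original; 1433 is the MS SQL Server default
allow_tcp 65443     # mcafee nwa
# ADDED BY Vivyan.Wu 20101214
allow_tcp 81
allow_tcp 7001
allow_tcp 7004
allow_tcp 7005
allow_tcp 7009
allow_tcp 7777
allow_tcp 9009
allow_tcp 8009      172.16.0.0/16
# Dell MS(ADDED BY Vivyan 20101214)
allow_tcp 1311      172.16.50.172
#$IPTABLES -A INPUT -p tcp -m tcp -s 172.16.0.0/16 --dport 1530 -j ACCEPT
allow_tcp 6200      172.16.0.0/16
allow_tcp 2500:2600 172.16.0.0/16
## restrict some tcp protocl ##
# ssh
allow_tcp 22        172.16.0.0/16
allow_tcp 22        192.168.0.0/16
# samba (netbios)
allow_tcp 137:139   192.168.0.0/16
allow_tcp 137:139   172.16.0.0/16
# udp ports
allow_udp 53        # DNS
allow_udp 67:68     # DHCP
allow_udp 123       # NTP
allow_udp 161:162   # SNMP
## restrict some udp ports ##
# Iptables drop logging
# Unrated LOG: a port scan can fill /var/log/iptables quickly; add
# "-m limit" here if that becomes a problem on exposed hosts.
$IPTABLES -A INPUT -j LOG --log-prefix "[IPTABLES DROP LOGS]: " --log-level 4
# finally - drop the rest
$IPTABLES -A INPUT -p all -j DROP
$IPTABLES -P INPUT DROP
service iptables save
service iptables start
echo "Iptables rules update Complete!!"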
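#13.syslog server specify
# Forward everything to both central log servers and keep a local copy of
# the iptables DROP lines (the LOG rule above emits them at kern.warning).
# "@host" is plain UDP: lossy and unauthenticated on the wire; "@@host"
# selects TCP if the collectors accept it.
{
    echo "*.* @$ip_logserver1"
    echo "*.* @$ip_logserver2"
    echo "kern.warning /var/log/iptables"
} >> /etc/rsyslog.conf
# Put the new file in the first stanza of the syslog logrotate config so it
# is rotated with the rest.
sed -i 1's/^\/var/\/var\/log\/iptables &/g' /etc/logrotate.d/syslog
service rsyslog restart

#14.no ip spoof
echo "nospoof on" >> /etc/host.conf

#15.su for group=dba
# Only members of oinstall may su.  The pam_wheel line must precede the
# "auth include system-auth" line; anchor on that line instead of a fixed
# line number so it lands in the right place even if the file has been
# edited.  Fall back to the original line-7 insertion and warn when the
# anchor is missing, so the result gets checked by hand.
PAM_SU=/etc/pam.d/su
PAM_SU_ANCHOR='^auth[[:space:]]\+include[[:space:]]\+system-auth'
if grep -q "$PAM_SU_ANCHOR" "$PAM_SU"; then
    sed -i "/$PAM_SU_ANCHOR/i auth required pam_wheel.so group=oinstall" "$PAM_SU"
else
    echo "warning: no 'auth include system-auth' line in $PAM_SU; inserted pam_wheel at line 7 - verify" >&2
    sed -i 7's/^/auth required pam_wheel.so group=oinstall\n/g' "$PAM_SU"
fi
#sed -i 7's/^/auth required pam_wheel.so group=dba\n/g' /etc/pam.d/su
#sed -i 7's/^/auth required pam_wheel.so group=mysql\n/g' /etc/pam.d/su

#16.add user mail notice
# Hourly job: mail dba/security about every login name in /etc/passwd that
# is not in the baseline /etc/dbausers.conf, then add it to the baseline.
# The heredoc is quoted, so the Perl below is written verbatim with no
# shell escaping (the earlier "\$" form was easy to get wrong).
cat > /etc/cron.hourly/99bill_adduser_mailnoting.pl <<'EOF'
#!/usr/bin/perl
########################################################
# File: 99bill_adduser_mailnoting.pl
# Description: use for 99billdba center
# Version: 1.0
# Date: 2014-03-12
# Corp.: 99bill.com
# Author: Vivyan.Wu
# WWW: http://www.99bill.com
### END INIT INFO
########################################################
# Mails a notice for every /etc/passwd user missing from the baseline
# /etc/dbausers.conf and appends it there; creates the baseline on the
# first run.  No shell is involved anywhere: chattr and mail are invoked
# in list form, and /etc/shadow is read directly instead of "cat | grep".
use strict;
use warnings;
use POSIX qw(strftime);
use Sys::Hostname qw(hostname);

my $baseline = '/etc/dbausers.conf';
my $passwd   = '/etc/passwd';
my $shadow   = '/etc/shadow';

# "hostname: ip" where ip is the first non-loopback IPv4 address in the
# ifconfig output (the old "!/127/" tested $_, not the address, so lo
# could win).
sub host_info {
    my $ip_addr = '';
    if (open my $fh, '-|', 'ifconfig') {
        LINE: while (my $line = <$fh>) {
            while ($line =~ m/((?:\d+\.){3}\d+)/g) {
                my $candidate = $1;
                next if $candidate =~ m/\A127\./;
                $ip_addr = $candidate;
                last LINE;
            }
        }
        close $fh;
    }
    return hostname() . ': ' . $ip_addr;
}

# Every login name in /etc/passwd.  First colon-separated field, so names
# with '-' or '.' are included (the old /^(\w+):/ silently skipped them).
sub passwd_users {
    open my $fh, '<', $passwd or die "open $passwd: $!";
    my @users;
    while (my $line = <$fh>) {
        chomp $line;
        my ($name) = split /:/, $line, 2;
        push @users, $name if defined $name && $name ne '';
    }
    close $fh;
    return @users;
}

# Third shadow(5) field (days since the epoch of the last password change)
# for exactly this user, or undef when the user has no shadow entry.
sub shadow_lastchg {
    my ($user) = @_;
    open my $fh, '<', $shadow or die "open $shadow: $!";
    my $lastchg;
    while (my $line = <$fh>) {
        chomp $line;
        my @field = split /:/, $line, -1;
        next unless defined $field[0] && $field[0] eq $user;
        $lastchg = $field[2];
        last;
    }
    close $fh;
    return $lastchg;
}

# One notice via mail(1), list form: the user-derived text never reaches a
# shell.  Argument order kept from the original invocation.
sub send_notice {
    my ($message) = @_;
    open my $mail, '|-', 'mail', '-v', '-s', 'User Added Notice Message',
        'dba@99bill.com', '-c', 'security@99bill.com'
        or die "mail: $!";
    print {$mail} $message;
    close $mail;
    return;
}

if (-e $baseline) {
    system('chattr', '-i', $baseline);

    my %known;
    open my $in, '<', $baseline or die "open $baseline: $!";
    while (my $line = <$in>) {
        chomp $line;
        $known{$line} = 1 if $line ne '';
    }
    close $in;

    my $hostinfo = host_info();
    open my $out, '>>', $baseline or die "open $baseline: $!";
    for my $user (passwd_users()) {
        next if $known{$user};
        # lastchg is a day count; shown as Y.m.d like the original's
        # "date --date '<n> days ago'" did.
        my $lastchg = shadow_lastchg($user);
        my $days = (defined $lastchg && $lastchg =~ m/\A\d+\z/)
            ? strftime('%Y.%m.%d', gmtime($lastchg * 86400))
            : 'unknown';
        my $message = "User $user added on ${days}, please check the user's legitimacy!!( $hostinfo )\n";
        print "$message\n";
        send_notice($message);
        print {$out} "$user\n";
        $known{$user} = 1;
    }
    close $out;

    system('chattr', '+i', $baseline);
}
else {
    # First run: snapshot every current login name as the baseline.
    open my $out, '>', $baseline or die "open $baseline: $!";
    print {$out} "$_\n" for passwd_users();
    close $out;
    system('chattr', '+i', $baseline);
}
EOF
chmod u+x /etc/cron.hourly/99bill_adduser_mailnoting.pl
/etc/cron.hourly/99bill_adduser_mailnoting.pl

#17.user expire noting
# Daily job: for every account with password aging enabled, mail
# dba/security when the password has expired or is inside its warning
# window.  Quoted heredoc, as above.
cat > /etc/cron.daily/99bill_accountexpire_mailnoting.pl <<'EOF'
#!/usr/bin/perl
########################################################
# File: 99bill_accountexpire_mailnoting.pl
# Description: use for 99billdba center
# Version: 1.0
# Date: 2014-03-12
# Corp.: 99bill.com
# Author: Vivyan.Wu
# WWW: http://www.99bill.com
### END INIT INFO
########################################################
# Walks /etc/shadow and mails a notice for each account whose password has
# expired, or will expire within its warning period.
use strict;
use warnings;
use Sys::Hostname qw(hostname);

my $shadow = '/etc/shadow';

# "hostname: ip" where ip is the first non-loopback IPv4 address in the
# ifconfig output.
sub host_info {
    my $ip_addr = '';
    if (open my $fh, '-|', 'ifconfig') {
        LINE: while (my $line = <$fh>) {
            while ($line =~ m/((?:\d+\.){3}\d+)/g) {
                my $candidate = $1;
                next if $candidate =~ m/\A127\./;
                $ip_addr = $candidate;
                last LINE;
            }
        }
        close $fh;
    }
    return hostname() . ': ' . $ip_addr;
}

# One notice via mail(1), list form: no shell sees the message text.
sub send_notice {
    my ($text) = @_;
    open my $mail, '|-', 'mail', '-v', '-s', 'Password Expired Notice Message',
        'dba@99bill.com', '-c', 'security@99bill.com'
        or die "mail: $!";
    print {$mail} $text;
    close $mail;
    return;
}

my $hostinfo = host_info();
my $today    = int(time / 86400);

open my $fh, '<', $shadow or die "open $shadow: $!";
while (my $line = <$fh>) {
    chomp $line;
    # shadow(5): name:password:lastchg:min:max:warn:inactive:expire:
    my ($user, undef, $lastchg, undef, $max, $warn) = split /:/, $line, -1;

    # Nothing to check when lastchg or max is unset, or max is the 99999
    # "never expires" sentinel.  (The original tried to express this with
    # a regex in which the 99999 group was optional, so every line matched
    # and was skipped - the job never reported anything.)
    next unless defined $lastchg && $lastchg =~ m/\A\d+\z/;
    next unless defined $max     && $max     =~ m/\A\d+\z/;
    next if $max == 99999;
    # An empty warn field compares as 0, which is what the original did.
    $warn = 0 unless defined $warn && $warn =~ m/\A\d+\z/;

    my $days_left = $max - ($today - $lastchg);
    if ($days_left <= 0) {
        send_notice("User $user was expired!!( $hostinfo )\n");
    }
    elsif ($days_left <= $warn) {
        send_notice("User $user need to change password, it will be expired in $days_left days!!( $hostinfo )\n");
    }
}
close $fh;
EOF
chmod u+x /etc/cron.daily/99bill_accountexpire_mailnoting.pl

#19.ntp/snmp restart when ifup
# ifup-post runs /sbin/ifup-local when it is executable; give it a shebang
# so it also behaves when executed directly.
printf '%s\n' '#!/bin/sh' '/sbin/service ntpd restart' '/sbin/service snmpd restart' > /sbin/ifup-local
chmod 700 /sbin/ifup-local

#99.root umask
umask 027
echo "umask 027" >> /root/.bashrc
chmod a+r /etc/profile

#100.end version
# Marker read by the version check at the top of the script.
echo "secupdate:$SUBVERSION" > /etc/sec-version
chmod a+r /etc/sec-version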