此脚本基于centos7和centos6编写:
仅供参考,切勿盲目复制执行
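#!/bin/bash
#
# Baseline hardening for CentOS 6 and CentOS 7 hosts (reference only — review
# every step before running it on a real machine).
#
# Must run as root.  Requires the environment variable KYE_PASSWORD, the
# initial password given to the kyeroot and kyeadmin accounts; the password
# that used to be hard-coded here has been removed so that a known credential
# is never baked into an image or a repository.
#
# Files written: /etc/selinux/config, /etc/sysctl.conf, /etc/hosts.allow,
# /etc/localtime, /etc/ssh/sshd_config, /etc/login.defs, /etc/passwd (via
# usermod), /etc/sudoers.d/kyeroot, /var/log/*, /etc/rc.local,
# /etc/security/limits.conf, /etc/pam.d/system-auth, /etc/profile,
# /etc/vsftpd/ftpusers, /etc/motd; on CentOS 6 additionally
# /etc/init/control-alt-delete.conf and the telnet xinetd service.
#
# Strict mode (set -e) is deliberately not used: several steps are expected to
# fail on re-runs (userdel of an absent account, setenforce on a disabled
# system) and each critical command checks its own status instead.

PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"
export PATH

readonly RED=$'\033[31m'
readonly RESET=$'\033[0m'
readonly SSH_PORT=22502
readonly SSH_ALLOW_HOST="10.80.80.100"
readonly TIMEZONE="Asia/Shanghai"
readonly NOFILE_LIMIT=65535
readonly TMOUT_SECONDS=300
readonly ADMIN_USER="kyeroot"
readonly OPS_USER="kyeadmin"

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print a status line to stdout.
#######################################
info() {
  printf '%s\n' "$*"
}

#######################################
# Keep a .bak copy of a file before editing it in place.
# Arguments: $1 - path to back up
#######################################
backup() {
  cp -- "$1" "$1.bak"
}

#######################################
# Set SELINUX=disabled in /etc/selinux/config and switch to permissive now.
# NOTE(review): this weakens the baseline rather than hardening it; kept
# because it is the script's stated policy.
#######################################
disable_selinux() {
  local cfg=/etc/selinux/config
  if grep -q "^SELINUX=disabled" "$cfg"; then
    info "${RED} Selinux${RESET} is already not running"
    return 0
  fi
  # Anchor on the key so the explanatory comment lines in the file are left alone
  # (the original pattern /SELINUX/ rewrote the word "enforcing" inside them too).
  sed -i 's/^SELINUX=.*/SELINUX=disabled/' "$cfg"
  # setenforce fails harmlessly when SELinux is already permissive or disabled.
  setenforce 0 >/dev/null 2>&1 || true
  info "${RED} Selinux ${RESET} is already modify stop successful"
}

#######################################
# Delete legacy system accounts that have no use on a server.
# Arguments: account names to remove
#######################################
remove_unused_users() {
  local account
  for account in "$@"; do
    # userdel exits non-zero when the account is already gone; expected on re-runs.
    userdel -r -- "$account" >/dev/null 2>&1 || true
  done
}

#######################################
# Permission changes on system files.
#######################################
restrict_system_files() {
  # NOTE(review): setuid/setgid on netstat lets any local user see the owning
  # process of every socket (-p).  Kept from the original policy, but it widens
  # the attack surface of a root-owned binary — confirm it is really needed.
  chmod +s /bin/netstat
  chmod 400 /etc/shadow
}

#######################################
# Append the network tuning / anti-spoofing sysctl set once and reload it.
# Idempotency check: the file already carries at least two net.ipv4 keys.
#######################################
harden_sysctl() {
  local present
  present=$(grep -c "net.ipv4" /etc/sysctl.conf)
  if (( present >= 2 )); then
    info "kernel already reset"
    return 0
  fi
  cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.core.rmem_default = 256960
net.core.rmem_max = 513920
net.core.wmem_default = 256960
net.core.wmem_max = 513920
net.core.netdev_max_backlog = 2000
net.core.somaxconn = 2048
net.core.optmem_max = 81920
net.ipv4.tcp_mem = 131072 262144 524288
net.ipv4.tcp_rmem = 8760 256960 4088000
net.ipv4.tcp_wmem = 8760 256960 4088000
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_max_tw_buckets = 6000
EOF
  sysctl -p
}

#######################################
# Add the management host to /etc/hosts.allow for sshd.
# NOTE(review): an allow rule only restricts anything when /etc/hosts.deny
# carries a matching deny entry; on its own it changes nothing.
#######################################
allow_ssh_host() {
  local rule="sshd:${SSH_ALLOW_HOST}:allow"
  if grep -qF -- "$rule" /etc/hosts.allow; then
    info "sshd already reset"
  else
    info "insert sshd allow"
    printf '%s\n' "$rule" >>/etc/hosts.allow
  fi
}

#######################################
# Replace /etc/localtime with the configured zone file.
#######################################
apply_timezone() {
  rm -f /etc/localtime
  cp -arp "/usr/share/zoneinfo/${TIMEZONE}" /etc/localtime
  info "${RED} Timezone ${RESET} is already modify ${TIMEZONE}"
}

#######################################
# CentOS 7: read the current zone from timedatectl ("Time zone: X (...)").
# The original grep "Time" matched every "... time:" line, so the comparison
# always failed; matching "Time zone" alone gives a single value.  The
# reference value also had a typo ("Adsia/Shanghai") that could never match.
#######################################
set_timezone_el7() {
  local current
  current=$(timedatectl | awk '/Time zone/ {print $3}')
  if [[ "$current" == "$TIMEZONE" ]]; then
    info "${RED} Timezone ${RESET} is already ${TIMEZONE}"
  else
    apply_timezone
  fi
}

#######################################
# CentOS 6: the zone is recorded in /etc/sysconfig/clock.
#######################################
set_timezone_el6() {
  if grep -q "$TIMEZONE" /etc/sysconfig/clock; then
    info "${RED} Timezone ${RESET} is already ${TIMEZONE}"
  else
    apply_timezone
  fi
}

#######################################
# Move sshd to SSH_PORT, uncomment UseDNS and switch sftp to internal-sftp.
# Arguments: the command that restarts sshd, e.g. systemctl restart sshd
# The configured port is read from sshd_config instead of netstat: the old
# "grep 22502" matched any line containing those digits (a PID, for instance),
# and the CentOS 6 variant searched for lowercase "port 22", which never
# matches the shipped "#Port 22" line, so the port was never changed there.
#######################################
harden_sshd() {
  local cfg=/etc/ssh/sshd_config port
  if grep -q "^Port ${SSH_PORT}$" "$cfg"; then
    sed -i "s/#UseDNS/UseDNS/g" "$cfg"
    info "${RED} chage Use UseDns${RESET}"
    port=$(awk '/^Port/ {print $2; exit}' "$cfg")
    info "ssh's port is ${RED} already modify ${port}${RESET}"
    return 0
  fi
  backup "$cfg"
  # Inserted after the shipped "#Port 22" line; if that line is absent nothing is added.
  sed -i "/Port 22/aPort ${SSH_PORT}" "$cfg"
  info "${RED} SSH's port 22 is already modify to ${SSH_PORT}${RESET}"
  # Uncomments the UseDNS line, activating whatever value the distribution ships.
  sed -i "s/#UseDNS/UseDNS/g" "$cfg"
  sed -i "s/^Subsystem/#Subsystem/g" "$cfg"
  sed -i "/^#Subsystem/aSubsystem sftp internal-sftp" "$cfg"
  # Validate before restarting: a broken sshd_config would lock remote admins out.
  if sshd -t; then
    "$@" >/dev/null 2>&1
    info "${RED} SSH's service${RESET} has restart again"
  else
    cp -- "$cfg.bak" "$cfg"
    printf '%s\n' "sshd_config failed validation; backup restored, sshd not restarted" >&2
  fi
  # NOTE(review): no firewall rule for ${SSH_PORT} is added here; on CentOS 7 with
  # firewalld active the new port may be unreachable — verify before logging out.
}

#######################################
# Password ageing policy in /etc/login.defs.
# Arguments: $1 - PASS_MAX_DAYS value
#######################################
set_password_policy() {
  local max_days=$1 f=/etc/login.defs
  backup "$f"
  # Each line is "KEY value", so only the first digit run is replaced.
  sed -i "/^PASS_MAX_DAYS/s/[0-9]\{1,\}/${max_days}/" "$f"
  sed -i '/^PASS_MIN_DAYS/s/[0-9]\{1,\}/7/' "$f"
  sed -i '/^PASS_MIN_LEN/s/[0-9]\{1,\}/12/' "$f"
  sed -i '/^PASS_WARN_AGE/s/[0-9]\{1,\}/30/' "$f"
}

#######################################
# Create the uid-0 administrative account and the ordinary ops account.
# Globals: KYE_PASSWORD (read) — initial password for both accounts.
# The original edited /etc/passwd and /etc/sudoers with sed; usermod and a
# validated sudoers.d drop-in achieve the same result without risking a
# malformed passwd line or an unparseable sudoers file.
#######################################
create_admin_users() {
  : "${KYE_PASSWORD:?set KYE_PASSWORD to the initial password for ${ADMIN_USER} and ${OPS_USER}}"
  local uid dropin="/etc/sudoers.d/${ADMIN_USER}"

  uid=$(id -u "$ADMIN_USER" 2>/dev/null)
  if [[ "$uid" == "0" ]]; then
    info "${RED} user ${ADMIN_USER} is exists${RESET} or ${RED} password is wrong${RESET}"
  else
    [[ -n "$uid" ]] || useradd "$ADMIN_USER"
    printf '%s\n' "$KYE_PASSWORD" | passwd --stdin "$ADMIN_USER"
    # NOTE(review): a second uid-0 login with a password is the script's policy;
    # it is a shared root credential in all but name.
    usermod -o -u 0 -g 0 -d /root "$ADMIN_USER"
    # root itself loses its login shell; ${ADMIN_USER} becomes the root-equivalent login.
    usermod -s /sbin/nologin root
    backup /etc/sudoers
    # Relies on the default "#includedir /etc/sudoers.d" line in /etc/sudoers — confirm it is present.
    printf '%s ALL=(ALL) ALL\n' "$ADMIN_USER" >"$dropin"
    chmod 0440 "$dropin"
    if ! visudo -cf "$dropin" >/dev/null; then
      rm -f -- "$dropin"
      printf '%s\n' "sudoers drop-in for ${ADMIN_USER} failed validation and was removed" >&2
    fi
  fi

  if useradd "$OPS_USER" >/dev/null 2>&1; then
    printf '%s\n' "$KYE_PASSWORD" | passwd --stdin "$OPS_USER" >/dev/null 2>&1
    info "${RED} create user ${OPS_USER} successful ${RESET}"
    info "${RED} create user passwd successful ${RESET}"
  else
    info "${RED} user ${OPS_USER} is exists${RESET} or ${RED} password is wrong${RESET}"
  fi
}

#######################################
# Log file attributes and permissions; /dev/null mode fix-up on boot.
#######################################
harden_logs() {
  # NOTE(review): append-only makes logrotate's rename of /var/log/messages fail
  # unless rotation uses copytruncate — confirm rotation still works afterwards.
  if chattr +a /var/log/messages; then
    info "${RED} Already add lsatrr +a${RESET} for /var/log/messages "
  else
    info "Add ${RED} lsattr +a${RESET} is failed,please check it!"
  fi
  find /var/log/ -type f -exec chmod u-x,g-x,o-wx {} +
  info "${RED} modify /var/log/*${RESET} all files permission of u-x,g-x,o-wx successful"

  chmod +x /etc/rc.local
  if grep -q "/dev/null" /etc/rc.local; then
    info "already reset /dev/null"
  else
    printf '%s\n' "chmod 666 /dev/null" >>/etc/rc.local
  fi
}

#######################################
# Raise the open-files limit in limits.conf (and for this shell).
# The ulimit call only affects the running script; the limits.conf lines
# are what new sessions pick up.
#######################################
raise_nofile_limit() {
  local current conf=/etc/security/limits.conf
  current=$(ulimit -n)
  if [[ "$current" =~ ^[0-9]+$ ]] && (( current == NOFILE_LIMIT )); then
    info "${RED} default ulimit is ${NOFILE_LIMIT}${RESET},not modify"
    return 0
  fi
  ulimit -n "$NOFILE_LIMIT"
  if grep -qF -- "* soft nofile ${NOFILE_LIMIT}" "$conf" \
    && grep -qF -- "* hard nofile ${NOFILE_LIMIT}" "$conf"; then
    info "${RED} soft nofile ${NOFILE_LIMIT} and hard nofile ${NOFILE_LIMIT}${RESET} is already configure,not to modify "
  else
    backup "$conf"
    printf '* soft nofile %s\n* hard nofile %s\n' "$NOFILE_LIMIT" "$NOFILE_LIMIT" >>"$conf"
    info "${RED} default ulimit is ${current}${RESET},now ulimit is already modify ${NOFILE_LIMIT}"
  fi
}

#######################################
# Password history and account lockout in /etc/pam.d/system-auth.
# The CentOS 7 branch originally appended the pam_tally2 line when
# "unlock_time" was ALREADY present (inverted test); both branches now
# add it only when missing.
#######################################
harden_pam() {
  local f=/etc/pam.d/system-auth
  local tally="auth required pam_tally2.so even_deny_root deny=5 unlock_time=1800"
  if ! grep -q "remember" "$f"; then
    backup "$f"
    # Reject the 4 most recently used passwords (history is kept in /etc/security/opasswd).
    # sed -i replaces the system-auth symlink with a regular file, detaching it from
    # authconfig — same as the original behaviour.
    sed -i "/sha512/s/use_authtok/use_authtok remember=4/g" "$f"
    info "Configure use_authtok remember=4 for ${f} successful"
  fi
  if ! grep -q "unlock_time" "$f"; then
    # An auth line appended after the stack's final pam_deny.so is never reached,
    # so insert it right after pam_env.so when that line exists.
    if grep -q '^auth.*pam_env.so' "$f"; then
      sed -i "/^auth.*pam_env.so/a ${tally}" "$f"
    else
      printf '%s\n' "$tally" >>"$f"
    fi
    info "Configure ${tally} for ${f} successful"
  fi
}

#######################################
# CentOS 7: require three character classes via pam_pwquality.
# The original ran the edit only when pam_pwquality.so was ABSENT from the
# file, so it never applied; the check is now "present but minclass unset".
#######################################
harden_pwquality() {
  local f=/etc/pam.d/system-auth
  if grep -q "pam_pwquality.so" "$f" && ! grep -q "minclass=" "$f"; then
    sed -i "/pam_pwquality.so/s/local_users_only/minclass=3/g" "$f"
    info "Configure minclass=3 for ${f} successful"
  fi
}

#######################################
# Idle-shell timeout via TMOUT in /etc/profile.
# NOTE(review): without "readonly TMOUT" any user can unset it in their own
# shell — confirm whether that is acceptable.
#######################################
set_shell_timeout() {
  local f=/etc/profile current
  if ! grep -q "TMOUT" "$f"; then
    backup "$f"
    printf 'TMOUT=%s\nexport TMOUT\n' "$TMOUT_SECONDS" >>"$f"
    info "${RED} TMOUT ${RESET} is already modify TMOUT=${TMOUT_SECONDS}"
  else
    current=$(grep "TMOUT=" "$f" | head -n 1 | cut -d "=" -f 2)
    sed -i "s/TMOUT=[0-9]*/TMOUT=${TMOUT_SECONDS}/" "$f"
    # The original message claimed 180s while writing 300; report the real value.
    info "${RED} default TMOUT ${RESET} is ${current},TMOUT is already modify to ${TMOUT_SECONDS}s successful "
  fi
}

#######################################
# Deny root FTP logins when vsftpd is installed.
# Uses the ftpusers file on both releases (the CentOS 7 branch used to
# append "root" on every run whenever the service was active).
#######################################
forbid_root_ftp() {
  local f=/etc/vsftpd/ftpusers
  if [[ ! -f "$f" ]]; then
    info "${RED} The vsftpd ${RESET} service not exists,not need to forbidden"
    return 0
  fi
  if grep -qx "root" "$f"; then
    info "${RED} The vsftpd ${RESET} service not exists or Have been modified"
  else
    backup "$f"
    printf 'root\n' >>"$f"
    info "${RED} The ftp for root forbidden ${RESET} successful"
  fi
}

#######################################
# Post-login warning in /etc/motd.
# NOTE(review): motd is shown after authentication; a pre-login notice needs
# sshd's Banner option as well.
#######################################
set_login_banner() {
  if grep -q "WARNING" /etc/motd; then
    info "${RED} The motd WARNING is exsits${RESET},please check if need to modify again"
    return 0
  fi
  backup /etc/motd
  cat >/etc/motd <<'EOF'
WARNING: If you are not authorized to access this private computer system, disconnect now. All activities on this system will be monitored and recorded without prior notification or permission!
EOF
  info "${RED} The motd ${RESET} is add at /etc/motd successful"
}

#######################################
# CentOS 7: SU_WHEEL_ONLY in login.defs.
# NOTE(review): the PAM-based su on CentOS does not read this key; enabling
# pam_wheel.so in /etc/pam.d/su is what actually enforces it — confirm.
#######################################
restrict_su_to_wheel() {
  if grep -q "SU_WHEEL_ONLY yes" /etc/login.defs; then
    info "Already set"
  else
    printf 'SU_WHEEL_ONLY yes\n' >>/etc/login.defs
  fi
}

#######################################
# CentOS 6: comment out the upstart ctrl-alt-del handler.
#######################################
disable_ctrl_alt_del() {
  local f=/etc/init/control-alt-delete.conf
  if ! grep -q '^exec' "$f" && ! grep -q '^start' "$f"; then
    info "${RED} control-alt-delete ${RESET} modify is ${RED} failed ${RESET},or configure successful,please check it again"
    return 0
  fi
  backup "$f"
  sed -i 's/^start/#start/' "$f"
  sed -i 's/^exec/#exec/' "$f"
  info "${RED} control-alt-delete${RESET} is already modify stop successful"
}

#######################################
# CentOS 6: turn off the telnet xinetd service if it is enabled.
#######################################
disable_telnet() {
  local state
  state=$(chkconfig --list 2>/dev/null | awk '/telnet/ {print $2; exit}')
  if [[ -z "$state" ]]; then
    info "${RED} The telnet ${RESET} is not exsits"
  elif [[ "$state" == "on" ]]; then
    chkconfig telnet off
    info "${RED} The telnet ${RESET} is stop sucessful"
  else
    info "${RED} The telnet${RESET} is already stop "
  fi
}

#######################################
# Dispatch on the running kernel's release tag (el6 / el7).
#######################################
main() {
  (( EUID == 0 )) || die "this script must be run as root"
  local release
  release=$(uname -r)
  if [[ "$release" == *el7* ]]; then
    info "System Centos 7 in reset kernel"
    disable_selinux
    remove_unused_users lp sync shutdown halt operator games gopher
    restrict_system_files
    harden_sysctl
    allow_ssh_host
    set_timezone_el7
    harden_sshd systemctl restart sshd
    # NOTE(review): 99999 effectively disables password expiry while the CentOS 6
    # branch uses 90 — confirm which value is intended.
    set_password_policy 99999
    create_admin_users
    harden_logs
    raise_nofile_limit
    harden_pam
    harden_pwquality
    set_shell_timeout
    forbid_root_ftp
    set_login_banner
    restrict_su_to_wheel
  elif [[ "$release" == *el6* ]]; then
    info "System Centos 6 in reset kernel"
    disable_selinux
    remove_unused_users lp sync shutdown halt operator games
    restrict_system_files
    harden_sysctl
    allow_ssh_host
    set_timezone_el6
    harden_sshd service sshd restart
    disable_ctrl_alt_del
    set_password_policy 90
    create_admin_users
    harden_logs
    raise_nofile_limit
    harden_pam
    set_shell_timeout
    forbid_root_ftp
    set_login_banner
    disable_telnet
  else
    info "cache System version"
  fi
}

main "$@"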