linux系统安全加固
linux系统安全加固
-
脚本
系统加固脚本下载地址:
https://download.csdn.net/download/hzgnet2021/63201374 -
时间获取
脚本开头先获取本机时间
#Variable
rq=`date +%Y%m%d`
- Linux禁用不使用的用户
将passwd先复制一份备份,然后将以下不使用的用户都禁用,如后期有需要恢复可使用 passwd -u lp 来进行恢复
#account setup
echo '############ account setup ############'
echo ''
cp /etc/passwd{,.bak$rq}
passwd -l lp
passwd -l adm
passwd -l shutdown
passwd -l halt
passwd -l operator
passwd -l games
passwd -l gopher
passwd -l ftp
passwd -l nfsnobody
passwd -l postfix
echo ''
Linux注释的组:
#group setup
echo '############ group setup ############'
echo ''
cp /etc/group{,.bak$rq}
sed -i -e 's/adm:x:4:/#adm:x:4:/' /etc/group
sed -i -e 's/games:x:20:/#games:x:20:/' /etc/group
sed -i -e 's/video:x:39:/#video:x:39:/' /etc/group
sed -i -e 's/dip:x:40:/#dip:x:40:/' /etc/group
sed -i -e 's/ftp:x:50:/#ftp:x:50:/' /etc/group
sed -i -e 's/audio:x:63:/#audio:x:63:/' /etc/group
sed -i -e 's/floppy:x:19:/#floppy:x:19:/' /etc/group
sed -i -e 's/postfix:x:89:/#postfix:x:89:/' /etc/group
echo 'disable group result:'
cat /etc/group|grep ^#
echo ''
- Linux关闭不使用的服务
下面列出的几个服务如打印服务、蓝牙服务等对服务器没用用处可直接关闭来提升服务器性能,如遇到需要开启服务只需输入service acpid start && chkconfig acpid on就能重新开启服务。
#disable useless service
echo '##### disable useless service #####'
echo ''
#postfix
echo ''
service postfix stop
chkconfig postfix --level 2345 off
echo ''
#cpus
echo ''
service cups stop
chkconfig cups --level 2345 off
echo ''
#cpuspeed
echo ''
service cpuspeed stop
chkconfig cpuspeed --level 2345 off
echo ''
#bluetooth
echo ''
service bluetooth stop
chkconfig bluetooth --level 2345 off
echo ''
#firstboot
echo ''
service firstboot stop
chkconfig firstboot --level 2345 off
echo ''
echo 'nfs status:'
service netfs status
echo ''
- Linux文件保护
Linux文件保护禁止修改、删除、移动文件
echo '######### chattr important file #########'
echo ''
# chattr /etc/passwd /etc/shadow
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
echo 'Following files already locked:'
lsattr /etc/passwd
lsattr /etc/shadow
lsattr /etc/group
lsattr/etc/gshadow
echo ''
如果需要修改密码,执行 chattr -i 消除权限,切记修改后要将权限加回
#chattr -i /etc/passwd
#chattr -i /etc/shadow
#chattr -i /etc/group
#chattr -i /etc/gshadow
#lsattr /etc/group /etc/passwd /etc/shadow /etc/gshadow
- 用户密码保护
用户输错密码3次后锁定用户5分钟
# Login failed limit:continue input failure 3 ,passwd unlock time 5 minite
echo '######### Login limits ##########'
echo ''
cp /etc/pam.d/system-auth{,.bak$rq}
tally=`grep -n 'pam_tally.so' /etc/pam.d/system-auth`
lib=`grep -n '/lib/security/$ISA/pam_tally.so' /etc/pam.d/system-auth`
st=$tally$lib
if [ -z "$st" ];then
sed -i 's#auth required pam_env.so#auth required pam_env.so\nauth required pam_tally.so onerr=fail deny=3 unlock_time=300\nauth required /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth
echo ''
echo 'update login server limits ---->continue input failure 3 ,passwd unlock time 5 minite'
echo ''
else
echo ''
echo 'Login restriction policy already exists on the server!The script will not modify this.'
echo ''
fi
- 用户注销
用户登录后5分钟无任何操作将自动注销用户
# system timeout 5 minite auto logout
echo ''
echo '######### set auto logout #########
cp /etc/profile{,.bak$rq}
tmout=`grep -n 'TMOUT=' /etc/profile`
if [ -z "$tmout" ];then
echo "TMOUT=300" >>/etc/profile
echo ''
echo 'update login server limits ----> timeout 5 minite auto logout'
echo ''
else
echo ''
echo 'Login timeout policy already exists on the server!The script will not modify this.'
echo ''
fi
- Linux减少history命令记录
执行过的历史命令记录越多,从一定程度上讲会给维护带来简便,但同样会伴随安全问题。
echo '############## set save history command ##############'
# will system save history command list to 10
echo ''
sed -i "s/HISTSIZE=/#HISTSIZE=/" /etc/profile
echo "HISTSIZE=10" >>/etc/profile
# enable /etc/profile
source /etc/profile
echo ''
echo '/etc/profile already update'
echo ''
- 开启SYN Cookies
表示开启SYN Cookies。当出现SYN等待队列溢出时,启用cookies来处理,可防范少量SYN攻击
echo '############## enable syncookie ##############'
echo ''
# add syncookie enable /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
sysctl -p
echo ''
- SSH优化
修改SSH用户最大连接数,通过关闭 UseDNS和GSSAPIAuthentication选项加速 SSH登录
echo '############## optimize sshd ##############'
echo ''
# optimizer sshd_config
sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config
sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
echo ''
echo 'currently config:'
grep -n 'MaxAuthTries' /etc/ssh/sshd_config
grep -n 'UseDNS' /etc/ssh/sshd_config
echo ''
- 历史记录
对历史记录命令保存进行优化禁止覆盖、禁止修改该文件
echo '############## history security ##############'
echo ''
# history security
chattr +a /root/.bash_history
chattr +i /root/.bash_history
echo ''
echo '/root/.bash_history already locked:'
lsattr /root/.bash_history
echo ''
- 复制日志
将日志复制保存
echo ############## backup system log ##############
echo 'The program will move the log of System operation status to /var/log/HZGNETsecurityreinforce '
mkdir -p /var/log/HZGNETsecurityreinforce/$rq
#cp /var/log/message /var/log/HZGNETsecurityreinforce/$rq
#cp /var/log/auth.log /var/log/HZGNETsecurityreinforce/$rq
cp /var/log/cron /var/log/HZGNETsecurityreinforce/$rq
cp /var/log/maillog /var/log/HZGNETsecurityreinforce/$rq
cp /var/log/secure /var/log/HZGNETsecurityreinforce/$rq
cp /var/log/wtmp /var/log/HZGNETsecurityreinforce/$rq
cp /var/run/utmp /var/log/HZGNETsecurityreinforce/$rq
cp /var/log/yum.log /var/log/HZGNETsecurityreinforce/$rq
echo ' Log Backup completed.'