#!/bin/bash

## set shortest length of password

filename=/etc/login.defs

if [ -f "$filename" ];then

  passminlen=`cat $filename|grep PASS_MIN_LEN|grep -v "#"`

  sed -i "s#$passminlen#PASS_MIN_LEN    8#g" $filename

  ## set password timeout.half of years

  passmaxdays=`cat $filename|grep PASS_MAX_DAYS|grep -v "#"`

  sed -i "s#$passmaxdays#PASS_MAX_DAYS   180#g" $filename

fi

filename=/etc/pam.d/system-auth

if [ -f "$filename" ];then

  pam_cracklib_so=`cat $filename|grep pam_cracklib.so|grep -v "#"`

  if [ -z "$pam_cracklib_so" ];then

    ## not exist pam_cracklib.so, need to add

    echo "password requisite pam_cracklib.so ucredit=-2 lcredit=-2 dcredit=-2" >> $filename

  fi

fi

## limit su to root

filename=/etc/pam.d/su

if [ -f "$filename" ];then

  pam_rootok_so=`cat $filename|grep  pam_rootok.so|grep -v "#"`

  if [ -z "$pam_rootok_so" ];then

    ## empty,need add

    sed -i '2i auth sufficient pam_rootok.so' $filename

  fi

  wheel_group=`cat $filename|grep pam_wheel.so|grep -v "#"`

  if [ -z "$wheel_group" ];then

    sed -i '3i auth required pam_wheel.so group=wheel' $filename

  fi

fi

filename=/etc/profile

if [ -f "$filename" ];then

  ## get the  line data

  old_val=`sed -n 2p $filename`

  new_val="umask 027"

  if [ "$old_val" != "$new_val" ];then

    ## add config in the  line

    sed -i '2i umask 027' $filename

  fi

  ## add command line timeout quit.

  timeout_quit=`cat $filename|grep TMOUT=|grep -v "#"`

  if [ -z "$timeout_quit" ];then

    echo "export TMOUT=300" >> $filename

  fi

fi

filename=/etc/ssh/sshd_config

if [ -f "$filename" ];then

  rootlogin=`cat $filename|grep PermitRootLogin|grep -v "#"`

  if [ -z "$rootlogin" ];then

    echo "PermitRootLogin no" >> $filename

  else

   sed -i "s#$rootlogin#PermitRootLogin no#g" $filename

  fi

  if [ -f "/etc/init.d/sshd" ];then

    /etc/init.d/sshd restart

  fi

fi

filename=/etc/rsyslog.conf

if [ -f "$filename" ];then

  secure_log=`cat $filename|grep "authpriv.* /var/log/secure"|grep -v "#"`

  if [ -z "$secure_log" ];then

    echo "authpriv.* /var/log/secure" >> $filename

  fi

fi

filename=/var/log/secure

if [ ! -f "$filename" ];then

  touch $filename

fi

if [ -f "/etc/init.d/syslog" ];then

  /etc/init.d/syslog restart

fi

## delete ftp user

sed -i '/ftp:/d' /etc/passwd

filename=/etc/vsftpd.conf

if [ -f "$filename" ];then

  anonymous_enable=`cat $filename|grep "anonymous_enable="|grep -v "#"`

  if [ -z "$anonymous_enable" ];then

    echo "anonymous_enable=NO" >> $filename

  else

    sed -i "s#$anonymous_enable#anonymous_enable=NO#g" $filename

  fi

else

  touch $filename

  echo "anonymous_enable=NO" >> $filename

fi

filename=/etc/vsftpd/vsftpd.conf

if [ -f $filename ];then

  anonymous_enable=`cat $filename|grep "anonymous_enable="|grep -v "#"`

  if [ -z "$anonymous_enable" ];then

    echo "anonymous_enable=NO" >> $filename

  else

    sed -i "s#$anonymous_enable#anonymous_enable=NO#g" $filename

  fi

else

  mkdir -p /etc/vsftpd/

  touch $filename

  echo "anonymous_enable=NO" >> $filename

fi

filename=/etc/ftpusers

if [ -f "$filename" ];then

  root_text=`cat $filename|grep "root"|grep -v "#"`

  if [ -z "$root_text" ];then

    echo "root" >> $filename

  ## do not need to replace, due to there are only name in the ftpusers file

  fi

else

  touch $filename

  echo "root" >> $filename

fi

filename=/etc/vsftpd/ftpusers

if [ -f "$filename" ];then

  root_text=`cat $filename|grep "root"|grep -v "#"`

  if [ -z "$root_text" ];then

    echo "root" >> $filename

  ## do not need to replace, due to there are only name in the ftpusers file

  fi

else

  mkdir -p /etc/vsftpd

  touch $filename

  echo "root" >> $filename

fi

p_telnet=`rpm -qa|grep telnet`

if [[ $p_telnet =~ "telnet" ]];then

  ## have install telnet

  filename=/etc/xinetd.d/telnet

  if [ -f "$filename" ];then

     disable_text=`cat $filename|grep disable|grep -v "#"`

     if [ -z "$disable_text" ];then

       echo "disable = yes" >> $filename

     else

       sed "s#$disable_text#disable = yes#g" $filename

     fi

     service xinetd restart

  fi

fi

## delete

netric_file=`find / -maxdepth  -name .netrc`

if [ ! -z "$netric_file" ];then

  mv $netric_file "$netric_file".bak

fi

hosts_equiv=`find / -maxdepth  -name hosts.equiv`

if [ ! -z "$hosts_equiv" ];then

  mv $hosts_equiv "$hosts_equiv".bak

fi

rhosts=`find / -maxdepth  -name .rhosts`

if [ ! -z "$rhosts" ];then

  mv $rhosts "$rhosts".bak

fi

function closeService(){

  chkconfig --level  $ off > /dev/null >&

}

closeService printer

closeService sendmail

closeService ypbind

closeService kshell

closeService lpd

closeService ident

closeService tftp

closeService time

closeService time-udp

closeService ntalk

closeService bootps

closeService chargen

closeService chargen-udp

closeService nfs

closeService daytime

closeService nfslock

closeService echo

closeService echo-udp

closeService discard

closeService discard-udp

closeService klogin

filename=/etc/vsftpd/chroot_list

if [ -f "$filename" ];then

  root_text=`cat $filename|grep "root"|grep -v "#"`

  if [ -z "$root_text" ];then

    echo "root" >> $filename

  ## limit root user access with no password

  fi

else

  touch $filename

  echo "root" >> $filename

fi

chmod  /etc/group

chmod  /etc/shadow

chmod  /etc/passwd

if [ -f "/etc/issue" ];then

  mv /etc/issue /etc/issue.bak

fi

if [ -f "/etc/issue.net" ];then

  mv /etc/issue.net /etc/issue.net.bak

fi

漏洞扫描,linux配置规范处理的更多相关文章

  1. 2017-2018-2 20155309南皓芯 Exp6 信息搜集与漏洞扫描

    实践内容 1.各种搜索技巧的应用 2.DNS IP注册信息的查询 3.基本的扫描技术:主机发现.端口扫描.OS及服务版本探测.具体服务的查点 4.漏洞扫描:会扫,会看报告,会查漏洞说明,会修补漏洞 基 ...

  2. 20155308《网络对抗》Exp6 信息搜集与漏洞扫描

    20155308<网络对抗>Exp6 信息搜集与漏洞扫描 原理与实践说明 实践内容 本实践的目标是掌握信息搜集的最基础技能.具体有: 各种搜索技巧的应用 DNS IP注册信息的查询 基本的 ...

  3. 20155318 《网络攻防》Exp6 信息搜集与漏洞扫描

    20155318 <网络攻防>Exp6 信息搜集与漏洞扫描 基础问题 哪些组织负责DNS,IP的管理. 互联网名称与数字地址分配机构,ICANN机构.其下有三个支持机构,其中地址支持组织( ...

  4. 20145233《网络对抗》Exp6 信息收集和漏洞扫描

    20145233<网络对抗>Exp6 信息收集和漏洞扫描 实验问题思考 哪些组织负责DNS,IP的管理 全球根服务器均由美国政府授权的ICANN统一管理,负责DNS和IP地址管理.全球一共 ...

  5. 20155321 《网络对抗》 Exp6 信息搜集与漏洞扫描

    20155321 <网络对抗> Exp6 信息搜集与漏洞扫描 实验内容 信息搜集 whois 在kali终端输入whois 网址,查看注册的公司.服务.注册省份.传真.电话等信息 dig或 ...

  6. # 20155337《网络对抗》Exp6 信息搜集与漏洞扫描

    20155337<网络对抗>Exp6 信息搜集与漏洞扫描 实践目标 (1)各种搜索技巧的应用 (2)DNS IP注册信息的查询 (3)基本的扫描技术:主机发现.端口扫描.OS及服务版本探测 ...

  7. OpenVAS漏洞扫描基础教程之OpenVAS概述及安装及配置OpenVAS服务

    OpenVAS漏洞扫描基础教程之OpenVAS概述及安装及配置OpenVAS服务   1.  OpenVAS基础知识 OpenVAS(Open Vulnerability Assessment Sys ...

  8. Nessus漏洞扫描教程之配置Nessus

    Nessus漏洞扫描教程之配置Nessus 配置Nessus 当安装成功Nessus工具后.就可以使用该工具实施漏洞扫描.为了使用户更好的使用该工具,将介绍一下该工具的相关设置.如服务的启动.软件更新 ...

  9. Kali linux安装漏洞扫描工具Nessus指南

    引子:Nessus是著名信息安全服务公司tenable推出的一款漏洞扫描与分析软件,号称是"世界上最流行的漏洞扫描程序,全世界超过75,000个组织在使用它".虽然这个扫描程序能够 ...

随机推荐

  1. js 提取某()特殊字符串长度

    // 提取特殊字符串长度(scrstr 源字符串 armstr 特殊字符) getStrCount: function(scrstr, armstr) { var count = 0; while ( ...

  2. MachineLN博客目录

    MachineLN博客目录 https://blog.csdn.net/u014365862/article/details/78422372 本文为博主原创文章,未经博主允许不得转载.有问题可以加微 ...

  3. .net webapi 后台导出excel 申请付款单实例

    [HttpGet, AllowAnonymous] public void ExportSettlementPrint(string code) { FinSettlementModel settle ...

  4. 章节一、1-Selenium简介

    一.Selenium WebDriver介绍 1.跨平台,用web浏览器做自动化的工具. 2.可以在浏览器上运行的一个框架,用来进行界面的自动化. 3.支持多种计算机语言. 4.可以模拟真实的用户去操 ...

  5. Maven和Solr简单总结

    一.1.Maven介绍 Maven是一个项目管理工具,Maven通过POM项目对象模型,对象项目进行管理,通过一个配置文件(xml文件)进行项目的管理.对象项目的声明周期中每个阶段进行管理(清理,编译 ...

  6. 一些安全相关的HTTP header

    1.Strict-Transport-Security HTTP Strict-Transport-Security,简称为HSTS. 作用:允许一个HTTPS网站,要求浏览器总是通过HTTPS访问它 ...

  7. oracle- 数据表分区

    1. 表分区概念 分区表是将大表的数据分成称为分区的许多小的子集.倘若硬盘丢失了分区表,数据就无法按顺序读取和写入,导致无法操作. 2. 表分区分类 (1)范围分区 create table tabl ...

  8. PHP is much better than you think

    Rants about PHP are everywhere, and they even come from smart guys.When Jeff Atwood wrote yet anothe ...

  9. C语言 统计一篇英文短文中单词的个数

    //凯鲁嘎吉 - 博客园 http://www.cnblogs.com/kailugaji/ #include<stdio.h> #define N 1000 void main(){ ] ...

  10. node基础—http模块

    在浏览器输入存在的网址的一个交互过程 1.用户通过浏览器发送一个http的请求到指定的主机 2.服务器接收到该请求,对该请求进行分析和处理 3.服务器处理完成以后,返回对应的数据到用户机器 4.浏览器 ...