标签:linux Linux主机安全配置的几个脚本 职场 休闲
原创作品,允许转载,转载时请务必以超链接形式标明文章 原始出处 、作者信息和本声明。否则将追究法律责任。http://hx100.blog.51cto.com/44326/373320

vim /etc/login.defs
PASS_MAX_DAYS 90 //口令最大有效天数
PASS_MIN_DAYS 10 //口令最小有效天数
PASS_MIN_LEN 8 //口令最少字符数
PASS_WARN_AGE 5 //口令过期提前警告天数

echo 'ONLY Authorized users only! All accesses logged' > /etc/motd
rm -f /etc/issue
rm -f /etc/issue.net
touch /etc/issue
touch /etc/issue.net

find / -name *.rhosts
touch /.rhosts && chmod 0 /.rhosts

防止IP SPOOF
echo "nospoof on" >>/etc/host.conf

chkconfig bluetooth off
chkconfig firstboot off
chkconfig cups off
chkconfig ip6tables off
chkconfig iptables off
chkconfig isdn off
chkconfig kudzu off
chkconfig sendmail off
chkconfig smartd off
chkconfig autofs off
service vncserver off
service bluetooth stop
service firstboot stop
service cups stop
service ip6tables stop
service iptables stop
service isdn stop
service kudzu stop
service sendmail stop
service smartd stop
service autofs stop
service vncserver stop
锁定不需要的用户
usermod -L adm
usermod -L lp
usermod -L sync
usermod -L shutdown
usermod -L halt
usermod -L news
usermod -L uucp
usermod -L operator
usermod -L ftp
usermod -L rpc
usermod -L rpcuser
usermod -L gopher
usermod -L nscd

删除不需要的组
groupdel lp
groupdel news
groupdel games
groupdel gopher
groupdel uucp

本次必须要保留的用户是:
root、bin、nobody、ntp、ssh、uucp
必须保留的组包括:
root、nobody、ntp、uucp

useradd jboss
passwd jboss
usermod -g jboss -G wheel jboss
vim /etc/pam.d/su
auth required pam_wheel.so use.uid 把这一行的注释去掉,只有wheel组的用户才能su到root
chown -R jboss.jboss /usr/local/jboss-4.2.3.GA

#!/bin/bash
cd /usr/local/jboss-4.2.3.GA/server/default/deploy/
rm -rf bsh-deployer.xml
rm -rf client-deployer-service.xml
rm -rf ear-deployer.xml
rm -rf ejb-deployer.xml
rm -rf http-invoker.sar
rm -rf jboss-bean.deployer
rm -rf jms
rm -rf jsr88-service.xml
rm -rf schedule-manager-service.xml
rm -rf scheduler-service.xml
rm -rf sqlexception-service.xml
rm -rf uuid-key-generator.sar
rm -rf jmx-console.war
rm -rf management
cd /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/ROOT.war
rm -rf *
exit
隐藏jboss版本信息
vim /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/server.xml

<Connector port="8080" address="${jboss.bind.address}"
maxThreads="250" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"
server="ESB" />
在这一段最后加上一个server="ESB"/>
vim /usr/local/jboss-4.2.3.GA/server/default/deploy/jboss-web.deployer/conf/web.xml

<init-param>
<param-name>X-Powered-By</param-name>
<param-value>ESB2.0</param-value>
</init-param>
vim /etc/ssh/sshd_config
把PermitRootLogin yes前面的"#"去掉,把"yes"改为"no"
#ClientAliveCountMax 3
把这个前面的"#"去掉,就是超过3分钟闲置,就自动断开session
service sshd restart
sed -i -e 's/^LANG=.*/LANG="en_US.UTF-8"/' /etc/sysconfig/i18n
source /etc/sysconfig/i18n

vim /etc/hosts.allow
sshd:192.168.0.199,192.168.0.201,192.168.0.121
vim /etc/hosts.deny
sshd:all
service xinetd restart

截短~/.bash_history文件
vim /etc/profile
HISTSIZE=1000改成20

vim /etc/skel/.bash_logout
在/etc/skel/.bash_logout在文件中添加这行
rm -rf $HOME/.bash_history
这样当用户注销时,.bash_history被删除

DenyHosts是用Python2.3写的一个程序,它会分析/var/log/secure(redhat,Fedora Core)等日志文件,当发现同一IP在进行多次SSH密
码尝试时就会记录IP到/etc/hosts.deny文件,从而达到自动屏蔽该IP的目的。
wget http://downloads.sourceforge.net/project/denyhosts/denyhosts/2.6/DenyHosts-2.6.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fdenyhosts%2Ffiles%2F&ts=1281580068&mirror=ncu
tar -zxvf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install

cd /usr/share/denyhosts/
grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg
cp daemon-control-dist daemon-control
vim denyhosts.cfg
PURGE_DENY = 5m //5分钟清除
DENY_THRESHOLD_INVALID = 1 //允许无效用户失败的次数
DENY_THRESHOLD_VALID = 5 //允许普通用户登陆失败的次数
DENY_THRESHOLD_ROOT = 5 //允许root登陆失败的次数

chown root daemon-control
chmod 700 daemon-control

vim /etc/rc.local
/usr/share/denyhosts/daemon-control start
vim /etc/audit/audit.rules 最后增加一行,对该目录审计
-w /usr/local/jboss-4.2.3.GA/server/default/deploy -pwa
service auditd restart
查看审计规则 auditctl -l
查看audit运行状态 auditctl -s
审计工具
wget http://www.rootkit.nl/files/lynis-1.2.9.tar.gz
给关键文件加root权限
chmod 744 /etc/passwd
chmod 740 /etc/shadow
chmod 744 /etc/rc3.d
chmod 744 /etc/profile
chmod 1777 /tmp
chmod 644 /etc/exports
chmod -R 700 /etc/rc.d/init.d/*
Control-Alt-Delete 键盘关机命令
vim /etc/inittab
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
这一行前面加#,改成
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

给文件加锁(暂时不实施)
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/services
chmod 600 /etc/xinetd.conf
当chattr +i时就是禁止对文件进行修改,当我们要添加用户时,就会有麻烦,因为passwd文件禁止修改写入.
所以我们还要该掉它的属性.chattr -i.

脚本如下:
init_sysctl.sh

#!/bin/bash
cp /etc/sysctl.conf /etc/sysctl.conf.bak
echo "####add by hx10###">> /etc/sysctl.conf
echo "net.ipv4.ip_local_port_range = 1024 65536" >> /etc/sysctl.conf
echo "net.core.rmem_max=16777216" >> /etc/sysctl.conf
echo "net.core.wmem_max=16777216" >> /etc/sysctl.conf
echo "net.ipv4.tcp_rmem=4096 87380 16777216" >> /etc/sysctl.conf
echo "net.ipv4.tcp_wmem=4096 65536 16777216" >> /etc/sysctl.conf
echo "net.ipv4.tcp_fin_timeout = 15" >> /etc/sysctl.conf
echo "net.ipv4.tcp_keepalive_time = 600" >> /etc/sysctl.conf
echo "net.ipv4.tcp_tw_recycle = 1" >> /etc/sysctl.conf
echo "net.core.netdev_max_backlog = 30000" >> /etc/sysctl.conf
echo "net.ipv4.tcp_no_metrics_save=1" >> /etc/sysctl.conf
echo "net.core.somaxconn = 262144" >> /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
echo "net.ipv4.tcp_max_orphans = 8000" >> /etc/sysctl.conf
echo "net.ipv4.tcp_max_syn_backlog = 8000" >> /etc/sysctl.conf
echo "net.ipv4.tcp_synack_retries = 2" >> /etc/sysctl.conf
echo "net.ipv4.tcp_syn_retries = 2" >> /etc/sysctl.conf
sysctl -p
###change max open files
ulimit -SHn 102400
echo "ulimit -SHn 102400" >>/etc/rc.local
ulimit -a
exit

init_system.sh

#!/bin/bash
#change password policy
cp /etc/login.defs /etc/login.defs.bak
sed -i 's/^PASS_MAX_DAYS\s*99999/PASS_MAX_DAYS 90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS\s*0/PASS_MIN_DAYS 10/' /etc/login.defs
sed -i 's/^PASS_MIN_LEN\s*5/PASS_MIN_LEN 8/' /etc/login.defs
sed -i 's/^PASS_WARN_AGE\s*7/PASS_WARN_AGE 5/' /etc/login.defs
#stop Linux detection
echo 'ONLY Authorized users only! All accesses logged' > /etc/motd
cp /etc/issue /etc/issue.bak
cp /etc/issue.net /etc/issue.net.bak
rm -f /etc/issue
rm -f /etc/issue.net
touch /etc/issue
touch /etc/issue.net
#stop rhosts
#find / -name *.rhosts
touch /.rhosts && chmod 0 /.rhosts
#stop ip spoof
cp /etc/host.conf /etc/host.conf.bak
echo "nospoof on" >>/etc/host.conf
#stop service
chkconfig bluetooth off
chkconfig firstboot off
chkconfig cups off
chkconfig ip6tables off
chkconfig iptables off
chkconfig isdn off
chkconfig kudzu off
chkconfig sendmail off
chkconfig smartd off
chkconfig autofs off
chkconfig ntpd off
chkconfig snmpd on
chkconfig portmap on
chkconfig nfs on
#service vncserver off
/etc/init.d/vncserver stop
service bluetooth stop
service firstboot stop
service cups stop
service ip6tables stop
service iptables stop
service isdn stop
service kudzu stop
service sendmail stop
service smartd stop
service autofs stop
service vncserver stop
service ntpd stop
service snmpd restart
service portmap restart
service nfs restart
#lock user unnecessary
usermod -L adm
usermod -L lp
usermod -L sync
usermod -L shutdown
usermod -L halt
usermod -L news
usermod -L uucp
usermod -L operator
usermod -L ftp
usermod -L rpc
usermod -L rpcuser
usermod -L gopher
usermod -L nscd
#add jboss user
useradd jboss && echo "23adjfajskdfja" | passwd --stdin jboss
usermod -g jboss -G wheel jboss
#chown -R jboss.jboss /usr/local/jboss-4.2.3.GA
#change system character
cp /etc/sysconfig/i18n /etc/sysconfig/i18n.bak
cat /dev/null> /etc/sysconfig/i18n
echo 'LANG="en_US.UTF-8"' >/etc/sysconfig/i18n
#echo 'LANG="zh_CN.GB18030"' >/etc/sysconfig/i18n
#sed -i -e 's/^LANG=.*/LANG="en_US.UTF-8"/' /etc/sysconfig/i18n
source /etc/sysconfig/i18n
#add ssh user
cp /etc/hosts.allow /etc/hosts.allow.bak
cp /etc/hosts.deny /etc/hosts.deny.bak
echo "sshd:192.168.0.199,192.168.0.201,192.168.0.121" >>/etc/hosts.allow
echo "sshd:all" >>/etc/hosts.deny
#Limit ROOT from Remote server
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
echo "ClientAliveCountMax 2" >> /etc/ssh/sshd_config
#clean history
cp /etc/skel/.bash_logout /etc/skel/.bash_logout.bak
cp /etc/profile /etc/profile.bak
sed -i 's/^HISTSIZE=1000/HISTSIZE=20/' /etc/profile
echo "rm -rf \$HOME/.bash_history " >>/etc/skel/.bash_logout
#install DenyHosts
cd /usr/local/src
wget ftp://192.168.0.21/pub/DenyHosts-2.6.tar.gz
tar -zxvf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6
python setup.py install
cd /usr/share/denyhosts/
grep -v "^#" denyhosts.cfg-dist > denyhosts.cfg
cp daemon-control-dist daemon-control
cp denyhosts.cfg denyhosts.cfg.bak
sed -i 's/^PURGE_DENY =/PURGE_DENY = 5m/' /usr/share/denyhosts/denyhosts.cfg
sed -i 's/^DENY_THRESHOLD_INVALID = 5/DENY_THRESHOLD_INVALID = 1/' /usr/share/denyhosts/denyhosts.cfg
sed -i 's/^DENY_THRESHOLD_VALID = 10/DENY_THRESHOLD_VALID = 5/' /usr/share/denyhosts/denyhosts.cfg
sed -i 's/^DENY_THRESHOLD_ROOT = 1/DENY_THRESHOLD_ROOT = 5/' /usr/share/denyhosts/denyhosts.cfg
chown root daemon-control
chmod 700 daemon-control
cp /etc/rc.local /etc/rc.local.bak
echo "/usr/share/denyhosts/daemon-control start" >>/etc/rc.local
/usr/share/denyhosts/daemon-control start
#limit alt-ctl-delete
cp /etc/inittab /etc/inittab.bak
sed -i 's/^ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/\#ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/g' /etc/inittab
#limit key file
chmod 744 /etc/passwd
chmod 740 /etc/shadow
chmod 744 /etc/rc3.d
chmod 744 /etc/profile
chmod 1777 /tmp
chmod 644 /etc/exports
chmod -R 700 /etc/rc.d/init.d/*
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/services
chmod 600 /etc/xinetd.conf
#remove
#chattr -i /etc/passwd
#chattr -i /etc/shadow
service sshd restart
service xinetd restart
ps -ef |grep vnc |grep '/usr/share/vnc/classes' |awk '{print $2}' |xargs kill -9
echo "congratulations!"
sleep 2
exit

Linux主机安全配置的几个脚本【转载】的更多相关文章

  1. Linux emacs考场配置及对拍脚本

    emacs配置(待补) (global-set-key [f9] 'compile) (global-set-key [f10] 'gud-gdb) (global-set-ket (kbd &quo ...

  2. Linux主机安全配置规范

    一.账号口令 1 配置口令最小长度     在文件/etc/login.defs中设置 PASS_MIN_LEN,参考值:8 2 配置口令生存周期     在文件/etc/login.defs中设置 ...

  3. Linux网络属性配置

    目录 IP地址分类 如何将Linux主机接入到网络中 网络接口的命名方式 ifcfg系列命令 如何配置主机名 如何配置DNS服务器指向 iproute2系列命令 Linux管理网络服务 永久生效配置路 ...

  4. 一步步实现Nagios监控linux主机及飞信报警

    一步步实现Nagios监控linux主机及飞信报警 上篇文章介绍了在linux主机上架设nagios监控服务,并对windows主机进行服务状态变化的监控,这次我们继续上次内容.      首先实现n ...

  5. zabbix通过snmp监控linux主机

    1.安装net-snmp [root@db01 ~]# yum install -y net-snmp 2.修改配置文件 [root@db01 ~]# vim /etc/snmp/snmpd.conf ...

  6. linux环境下配置虚拟主机域名

    linux环境下面配置虚拟主机域名 第一步:在root目录下面(即根目录)ls(查看文件)cd进入etc目录find hosts文件vi hosts 打开hosts文件并进行编辑在打开的文件最下面添加 ...

  7. Nagios配置—添加linux主机监控

    nagios安装请参看:Nginx平台安装Nagios监控服务 下面是我添加linux监控机的过程,如有错误或者不当的地方请指出: 测试环境: 监控主机:nagios+nagios插件+nrpe+网站 ...

  8. redhat 安装配置samba实现win共享linux主机目录

    [转]http://blog.chinaunix.net/uid-26642180-id-3135941.html redhat 安装配置samba实现win共享linux主机目录 2012-03-1 ...

  9. linux主机下的Vmware Workstation配置NAT设置 端口映射-Ubuntu为例

    最近折腾虚拟机,由于是在linux下进行的,而相关资料比较少,所以遇到了一些问题. 一个就是配置vmware workstation的NAT设置.因为一般来说,NAT可以共享主机的ip,从而能以主机身 ...

随机推荐

  1. 服务器返回的JSON字符串

    异步请求将type设为"json",或者利 用$.getJSON()方法获得服务器返回,那么就不需要eval()方法,因为这时候得到的结果已经是json对象

  2. Navicat Premium 未保存的SQL如何找回 ?

    在使用 Navicat Premium 编辑SQL的过程中为防止程序意外崩溃,已经将编辑的SQL都已经备份. 备份存放目录地址:C:\Users\{登录用户名}\Documents\Navicat\M ...

  3. 在Django中使用Mako模板

    用了一个月后,终于忍受不了Django的模板了.主要原因是模板内不能运行原生的python语句,所以用起来总感觉被人绑住手脚,遍历个字典都要搞半天. 所以决定用第三方的模板.查了一下,django用的 ...

  4. c# datagridview导出到excel【转载】

    c# datagridview导出到excel[转载] http://hi.baidu.com/weizier/blog/item/8212caea1123b4d6d439c9fe.html 本作者使 ...

  5. 黑马程序员-------.net基础知识四

    常量(静态常量------compile-time) 语法:const 类型 常量名 =常量值: 例: [csharp] view plaincopyprint? { const double PI= ...

  6. Java NIO回炉

    重回东软了,据说可能要做一个跟文件相关的项目,于是决定把Java NIO的内容再捡起来,看看. 为什么要使用NIO,其实在低连接数的情况下,NIO的性能是要低于IO的:但是在高并发的情况下,确实NIO ...

  7. 详解C/C++函数指针声明

    要理解一个C程序,仅仅理解组成该程序的符号是不够的.程序员还必须理解这些符号是如何组合成声明.表达式.语句和程序的. 我们先来看看下面的一个语句: 1 ( *( void(*)())0)(); 这是当 ...

  8. js获取域名的方法

    本文实例讲述了js获取域名的方法.分享给大家供大家参考.具体实现方法如下: 复制代码代码如下: <script>//获取域名var k_host = window.location.hos ...

  9. Java 声明和访问控制(一) 数组的声明 private可以修饰类吗

    数组的声明: int []a[] = new int[4][];//是正确的 int[] array = new int[2]{1,2};//是错误的 数组的长度是不可改变的,不能通过任何方式改变大小 ...

  10. 【网络流24题】No.9 方格取数问题 (二分图点权最大独立集)

    [题意] 在一个有 m*n 个方格的棋盘中, 每个方格中有一个正整数. 现要从方格中取数, 使任意 2 个数所在方格没有公共边,且取出的数的总和最大.试设计一个满足要求的取数算法. 输入文件示例inp ...