linux简单的安全防护

注：

1、该脚本是以centos7.4.1708做的

2、函数jia/jian是加权限/减权限

3、改过密码以后，下次使用新创建的用户登录时将提示更改密码，第一次要输入原始的密码，原始密码改脚本中定义的为123456

新密码必须为复杂的才能使用,比如AA7788flz_$5%

#!/bin/bash
jia(){
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services
}
jian(){
chattr -i /etc/passwd
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
chattr -i /etc/services
}
PFDF_PLUS(){
OPOP700="ping userdel useradd vim tail netstat less head cat uname top"
OPOP500="ps"
for i in $OPOP700
do
k=`which $i`
chmod 755 $k
ls -al $k
done
for ii in $OPOP500
do
kk=`which $ii`
chmod 755 $kk
ls -al $kk
done
}
PFDF_LESS(){
OPOP700="ping userdel useradd vim tail netstat less head cat uname top"
OPOP500="ps"
for y in $OPOP700
do
p=`which $y`
chmod 700 $p
ls -al $p
done
for t in $OPOP500
do
pp=`which $t`
chmod 500 $pp
ls -al $pp
done
}
SEC(){
#注释启动画面内核信息
mv /etc/issue /etc/issuebak >/dev/null 2>&1
mv /etc/issue.net /etc/issue.netbak >/dev/null 2>&1
#禁ping
# sysctl net.ipv4.icmp_echo_ignore_all=1 > /dev/null 2>&1

#对TCP SYN Cookie的保护:(防止SYN Flood攻击)
echo "net.ipv4.tcp_syncookies=1">>/etc/sysctl.conf
sysctl -p

#检查新创建用户时密码的长度
SUM=`cat /etc/login.defs|grep ^"PASS_MIN_LEN" |awk -F ' ' '{print $2}'`
if [ $SUM == 5 ];then
sed -i 's/^PASS_MIN_LEN 5/PASS_MIN_LEN 11/' /etc/login.defs
SUM1=`cat /etc/login.defs|grep ^"PASS_MIN_LEN" |awk -F ' ' '{print $2}'`
if [ $SUM1 == 11 ];then
echo -e "\033[31m新创建用户时的密码默认为5个字符,已改为默认为11个字符(大小写 其他符号 数字组成)\033[0m"
　　fi
fi
}

PFDF_PLUS > /dev/null 2>&1
read -p "您想删除用户还是添加用户(1:添加,2:删除,3:初始化安全): " xz
if [ $xz == 1 ];then
read -p "请输入你要添加的用户: " NAME
jian
useradd $NAME
if [ $? -eq 0 ];then
echo "123456"| passwd --stdin $NAME
if [ $? -eq 0 ];then
echo -e "原始密码为: \033[31m123456\033[0m"
else
echo "$NAME 用户的初始化密码未成功定义"
fi
fi
elif [ $xz == 2 ];then
read -p "请输入你要删除的用户: " NAME1
jian
userdel -r $NAME1
if [ $? -eq 0 ];then
echo "$NAME1 用户已删除"
else
echo "在删除 $NAME1 时出了点问题"
fi
jia
elif [ $xz == 3 ];then
SEC
else
echo "请输入数字1或者数字2..."
fi
jia
PFDF_LESS>/dev/null 2>&1