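#!/bin/bash
# linuxsec.sh — one-shot baseline hardening for legacy RHEL/CentOS-style hosts
# (SysV init + chkconfig, pam_cracklib / pam_tally, syslogd / rsyslog / syslog-ng).
#
# Edits, in place: PAM (password quality, failed-login lockout, su via wheel),
# /etc/login.defs, shell profiles (umask, TMOUT), the SSH banner, FTP config,
# syslog rules, service enablement, core-dump limits, a set of file modes,
# kernel network parameters and setuid/setgid bits.  Every step is idempotent
# and acts only on files that exist on the host; the one hard stop (kept from
# the original) is a host with no syslog daemon at all.
#
# Usage:  sudo ./linuxsec.sh
# Env:    LOGSERVER  remote syslog destination (default 192.168.0.1)
#
# Deliberately not `set -e`: most commands touch files that may be absent on a
# given host, and a missing file must skip that step rather than abort the run.
set -u

readonly LOGSERVER="${LOGSERVER:-192.168.0.1}"
# "@a.b.c.d" — a remote-forwarding rule in syslogd/rsyslog syntax.
readonly IP_RE='@[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# True when FILE exists and has a non-comment line matching REGEX (grep BRE).
has_line() {
  local file=$1 regex=$2
  [[ -f "$file" ]] && grep -v '^#' -- "$file" | grep -q -- "$regex"
}

# True when FILE has a non-comment line containing both MODULE and TYPE,
# e.g.  pam_has /etc/pam.d/sshd pam_tally.so auth
pam_has() {
  local file=$1 module=$2 type=$3
  [[ -f "$file" ]] && grep -v '^#' -- "$file" | grep -- "$module" | grep -q -- "$type"
}

# chmod MODE onto each given path that exists; missing paths are skipped.
set_mode() {
  local mode=$1 p
  shift
  for p in "$@"; do
    [[ -e "$p" ]] && chmod "$mode" "$p"
  done
  return 0
}

# Password quality (pam_cracklib) and password-history (remember=5) on system-auth.
harden_password_policy() {
  local f=/etc/pam.d/system-auth
  [[ -f "$f" ]] || return 0
  if ! has_line "$f" 'pam_cracklib.so'; then
    # [[:space:]]\+ in the anchor: real PAM files align columns with runs of
    # spaces or tabs, so the original single-space pattern never matched.
    sed -i '/password[[:space:]]\+required[[:space:]]\+pam_deny.so/a\password required pam_cracklib.so try_first_pass minlen=8 ucredit=-1 lcredit=-1 ocredit=-1 dcredit=-1 retry=3 difok=5' "$f"
  fi
  if ! grep -- password "$f" | grep -q remember; then
    sed -i '/password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/s/$/& remember=5/' "$f"
  fi
}

# Lock accounts after 5 failed logins for 600s (pam_tally), console and sshd.
# The auth and account lines are checked independently so a half-configured
# file is completed instead of skipped.
harden_login_lockout() {
  local tally='auth required pam_tally.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600'
  local f=/etc/pam.d/system-auth
  if [[ -f "$f" ]]; then
    # NOTE(review): these anchors are the original's; a stock system-auth
    # usually has no "auth include system-auth" line of its own, so confirm the
    # insert actually lands on the target image.
    pam_has "$f" pam_tally.so auth ||
      sed -i '/auth[[:space:]]\+include[[:space:]]\+system-auth/a\'"$tally" "$f"
    pam_has "$f" pam_tally.so account ||
      sed -i '/account[[:space:]]\+include[[:space:]]\+system-auth/a\account required pam_tally.so' "$f"
  fi
  f=/etc/pam.d/sshd
  if [[ -f "$f" ]]; then
    pam_has "$f" pam_tally.so auth ||
      sed -i '/auth[[:space:]]\+required[[:space:]]\+pam_deny.so/a\'"$tally" "$f"
    # The original's account test had a misplaced quote and could never fire.
    pam_has "$f" pam_tally.so account ||
      sed -i '/account[[:space:]]\+required[[:space:]]\+pam_unix.so/a\account required pam_tally.so' "$f"
  fi
}

# Idle-shell timeout and password-aging / default-umask values in login.defs.
harden_login_defs() {
  has_line /etc/profile 'TMOUT' || printf '\nexport TMOUT=1800\n' >> /etc/profile
  local f=/etc/login.defs
  [[ -f "$f" ]] || return 0
  # Anchored on the directive and its current value: the original `s/7/10/`
  # etc. rewrote the first matching digit anywhere on the line (including
  # comment lines and values such as 17), while the baseline values stay the same.
  sed -i 's/^\(PASS_WARN_AGE[[:space:]]\+\)7[[:space:]]*$/\110/' "$f"
  sed -i 's/^\(PASS_MIN_LEN[[:space:]]\+\)5[[:space:]]*$/\18/' "$f"
  # PASS_MAX_DAYS deliberately left alone (commented out in the original too).
  sed -i 's/^\(PASS_MIN_DAYS[[:space:]]\+\)0[[:space:]]*$/\16/' "$f"
  # NOTE(review): this *relaxes* the usual distro default (077 -> 027); it is
  # what the baseline asks for, kept as in the original.
  sed -i 's/^\(UMASK[[:space:]]\+\)077[[:space:]]*$/\1027/' "$f"
}

# Modes on sensitive files and init directories.
harden_file_permissions() {
  set_mode 644 /etc/passwd /etc/group /etc/services
  set_mode 600 /etc/xinetd.conf /etc/inetd.conf /etc/security \
               /etc/grub.conf /boot/grub/grub.conf /etc/lilo.conf
  set_mode 000 /etc/shadow
  # NOTE(review): the original author already recorded that 750 on /etc breaks
  # logins when nscd is running; 750 on /tmp likewise denies every non-root
  # process its temp directory.  Both are kept because the baseline specifies
  # them — confirm they are really wanted before running on a multi-user host.
  set_mode 750 /etc /tmp /etc/rc0.d /etc/rc1.d /etc/rc2.d /etc/rc3.d \
               /etc/rc4.d /etc/rc5.d /etc/rc6.d /etc/rc.d/init.d
}

# Default umask 077 for interactive shells (bash, csh).
harden_umask() {
  local f
  for f in /etc/csh.cshrc /etc/bashrc /etc/profile; do
    [[ -f "$f" ]] && sed -i '/umask/s/002/077/' "$f"
  done
  # The original appended the literal text "/numask 077" (a typo for "\n");
  # write a real directive.  The file is created if absent, as before.
  if ! grep -qi -- umask /etc/csh.login 2>/dev/null; then
    printf '\numask 077\n' >> /etc/csh.login
  fi
}

# Pre-authentication SSH banner; only set up when the banner file is missing.
harden_ssh_banner() {
  local banner=/etc/ssh_banner
  [[ -f "$banner" ]] && return 0
  printf '%s\n' 'Authorized only.All activity will be monitored and reported' > "$banner"
  chown bin:bin "$banner"   # owner as chosen by the original baseline
  chmod 644 "$banner"
  # sshd honours the first Banner directive only; don't stack duplicates.
  grep -q '^Banner[[:space:]]' /etc/ssh/sshd_config 2>/dev/null ||
    printf 'Banner %s\n' "$banner" >> /etc/ssh/sshd_config
  # Validate before restarting so a rejected config cannot lock out remote access.
  if sshd -t 2>/dev/null; then
    /etc/init.d/sshd restart
  else
    printf 'sshd_config failed validation (sshd -t); not restarting sshd\n' >&2
  fi
}

# FTP: no anonymous vsftpd logins, root in ftpusers, drop the ftp pseudo-account.
harden_ftp() {
  local conf
  # find may return several files; the original passed the list as one word.
  while IFS= read -r -d '' conf; do
    sed -i '/anonymous_enable/s/YES/NO/' "$conf"
  done < <(find /etc/ -maxdepth 2 -name vsftpd.conf -print0 2>/dev/null)
  while IFS= read -r -d '' conf; do
    has_line "$conf" root || printf 'root\n' >> "$conf"
  done < <(find /etc/ -maxdepth 2 -name ftpusers -print0 2>/dev/null)
  # "^ftp:" — the original "^ftp" also removed any account whose name merely
  # starts with ftp.  Must run before /etc/passwd is made immutable.
  [[ -f /etc/passwd ]] && sed -i '/^ftp:/d' /etc/passwd
  return 0
}

# Make the account databases immutable.  Note: useradd/passwd/chage will fail
# until `chattr -i` is applied again.
lock_account_files() {
  local f
  for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
    [[ -f "$f" ]] && chattr +i "$f"
  done
  return 0
}

# Add cron-log, /var/adm/messages and remote-forwarding rules to a
# syslogd / rsyslogd style config file.
configure_syslogd() {
  local conf=$1
  grep -- '^cron' "$conf" | grep -q '/var/log/cron' ||
    printf 'cron.* /var/log/cron\n' >> "$conf"
  grep -q -- '/var/adm/messages' "$conf" ||
    printf '*.err;kern.debug;daemon.notice /var/adm/messages\n' >> "$conf"
  grep -q -- "$IP_RE" "$conf" ||
    printf '*.* @%s\n' "$LOGSERVER" >> "$conf"
}

# Same three rules in syslog-ng syntax.  Single-quoted strings keep the double
# quotes syslog-ng requires around file names; the original's
# echo -e "file("/var/log/cron")" dropped them.
configure_syslog_ng() {
  local conf=$1
  if ! grep -q 'destination(cron)' "$conf"; then
    printf '%s\n' \
      'filter f_cron { facility(cron); };' \
      'destination cron { file("/var/log/cron"); };' \
      'log { source(src); filter(f_cron); destination(cron); };' >> "$conf"
  fi
  if ! grep -q 'filter f_msgs' "$conf"; then
    printf '%s\n' \
      'filter f_msgs { level(err) or facility(kern) and level(debug) or facility(daemon) and level(notice); };' \
      'destination msgs { file("/var/adm/messages"); };' \
      'log { source(src); filter(f_msgs); destination(msgs); };' >> "$conf"
  fi
  # The original tested for "@a.b.c.d", which never occurs in syslog-ng syntax,
  # so it appended a new destination on every run.
  if ! grep -q 'destination logserver' "$conf"; then
    printf 'destination logserver { udp("%s" port(514)); };\n' "$LOGSERVER" >> "$conf"
    printf 'log { source(src); destination(logserver); };\n' >> "$conf"
  fi
}

# Local log files plus rules for whichever syslog implementation is installed.
harden_syslog() {
  if [[ ! -f /etc/rsyslog.conf && ! -f /etc/syslog.conf && ! -f /etc/syslog-ng/syslog-ng.conf ]]; then
    # Hard stop kept from the original (which aborted on a bad "${tput sgr0}"
    # expansion before it could print this).
    die "$(tput setaf 1 2>/dev/null)syslog not installed!!!$(tput sgr0 2>/dev/null)"
  fi
  # Log files are written by the daemon as root and must not be writable by
  # other users (the original used 775 / 666, letting anyone truncate or forge them).
  if [[ ! -f /var/log/cron ]]; then
    touch /var/log/cron
    chmod 600 /var/log/cron
  fi
  if [[ ! -f /var/adm/messages ]]; then
    mkdir -p /var/adm   # not a stock Linux directory; the original touch failed without it
    touch /var/adm/messages
    chmod 640 /var/adm/messages
  fi
  if [[ -f /etc/rsyslog.conf ]]; then
    configure_syslogd /etc/rsyslog.conf
    /etc/init.d/rsyslog restart
  fi
  if [[ -f /etc/syslog.conf ]]; then
    # The original inspected and appended to rsyslog.conf in this branch.
    configure_syslogd /etc/syslog.conf
    /etc/init.d/syslog restart
  fi
  # The original tested /etc/syslog-ng.conf, a path it never wrote to.
  if [[ -f /etc/syslog-ng/syslog-ng.conf ]]; then
    configure_syslog_ng /etc/syslog-ng/syslog-ng.conf
    if [[ -x /etc/init.d/syslog-ng ]]; then
      /etc/init.d/syslog-ng restart
    else
      /etc/init.d/syslog restart
    fi
  fi
}

# Only members of wheel may su to root.
restrict_su() {
  local f=/etc/pam.d/su
  [[ -f "$f" ]] || return 0
  has_line "$f" 'pam_wheel.so' && return 0
  # pam_rootok.so must precede pam_wheel.so so root itself is never challenged.
  has_line "$f" 'pam_rootok.so' || sed -i '2iauth sufficient pam_rootok.so' "$f"
  sed -i '/pam_rootok.so/a\auth required pam_wheel.so group=wheel' "$f"
}

# Disable legacy / unneeded services in every runlevel.
disable_services() {
  command -v chkconfig >/dev/null 2>&1 || return 0
  local svc
  # Queried by exact name: the original `chkconfig --list | grep time` also
  # matched unrelated services, and it tried to disable "chk_bootps".
  # Only the names the original listed are covered; xinetd variants with a
  # -dgram/-stream suffix are not.
  for svc in ntalk lpd kshell time time-udp sendmail klogin printer nfslock \
             echo discard chargen bootps daytime tftp ypbind ident; do
    if chkconfig --list "$svc" 2>/dev/null | grep -qw on; then
      chkconfig --level 0123456 "$svc" off
    fi
  done
}

# Disable core dumps for all users.
disable_core_dumps() {
  local f=/etc/security/limits.conf
  if ! grep -v '^#' -- "$f" 2>/dev/null | grep -q core; then
    printf '%s\n' '* soft core 0' '* hard core 0' >> "$f"
  fi
}

# Rename r-command trust files and stored FTP credentials out of the way.
# Handles any number of hits; the original broke when find returned more than one.
quarantine_trust_files() {
  local name f
  for name in hosts.equiv .rhosts .netrc; do
    while IFS= read -r -d '' f; do
      mv -- "$f" "$f.bak"
    done < <(find / -maxdepth 3 -name "$name" -print0 2>/dev/null)
  done
}

# Kernel network hardening.  Runtime only — not persisted to /etc/sysctl.conf —
# exactly as the original; re-run after reboot.
harden_sysctl() {
  local kv
  for kv in net.ipv4.conf.all.accept_source_route=0 \
            net.ipv4.conf.all.accept_redirects=0 \
            net.ipv4.icmp_echo_ignore_broadcasts=1 \
            net.ipv4.conf.all.send_redirects=0 \
            net.ipv4.ip_forward=0; do
    sysctl -w "$kv"
  done
}

# Strip setuid/setgid from the binaries the baseline lists.
# NOTE: mount/umount/ping stop working for non-root users without the bit
# (or file capabilities); that is the baseline's choice, kept as is.
strip_suid() {
  # -exec {} + instead of xargs: with no matches xargs ran a bare `chmod 755`.
  # stderr is silenced because paths absent on this host are expected.
  find /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn /usr/bin/chsh \
       /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl /bin/mount /bin/umount \
       /bin/ping /sbin/netreport -type f -perm /6000 -exec chmod 755 {} + 2>/dev/null
  return 0
}

main() {
  [[ "$(id -u)" -eq 0 ]] || die "linuxsec.sh must run as root"
  harden_password_policy
  harden_login_lockout
  harden_login_defs
  harden_file_permissions
  harden_umask
  harden_ssh_banner
  harden_ftp
  lock_account_files
  harden_syslog
  restrict_su
  disable_services
  disable_core_dumps
  quarantine_trust_files
  harden_sysctl
  strip_suid
}

main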