本指令碼是第二次更新,已經大量應用在某大型媒體網站體系中,加入了之前沒有想到的一些安全設定。使用方法將其複製,儲存為一個shell檔案,比如security.sh.將其上傳到linux伺服器上,執行sh security.sh,就可以使用該指令碼了!
- #!/bin/sh
- # desc: setup linux system security
- # author:coralzd
- # powered by www.freebsdsystem.org
- # version 0.1.2 written by 2011.05.03
- #account setup
- passwd -l xfs
- passwd -l news
- passwd -l nscd
- passwd -l dbus
- passwd -l vcsa
- passwd -l games
- passwd -l nobody
- passwd -l avahi
- passwd -l haldaemon
- passwd -l gopher
- passwd -l ftp
- passwd -l mailnull
- passwd -l pcap
- passwd -l mail
- passwd -l shutdown
- passwd -l halt
- passwd -l uucp
- passwd -l operator
- passwd -l sync
- passwd -l adm
- passwd -l lp
- # chattr /etc/passwd /etc/shadow
- chattr +i /etc/passwd
- chattr +i /etc/shadow
- chattr +i /etc/group
- chattr +i /etc/gshadow
- # add continue input failure 3 ,passwd unlock time 5 minite
- sed -i `s#auth required pam_env.so#auth required pam_env.so auth required pam_tally.so onerr=fail deny=3 unlock_time=300 auth required /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#` /etc/pam.d/system-auth
- # system timeout 5 minite auto logout
- echo "TMOUT=300" >>/etc/profile
- # will system save history command list to 10
- sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
- # enable /etc/profile go!
- source /etc/profile
- # add syncookie enable /etc/sysctl.conf
- echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
- sysctl -p # exec sysctl.conf enable
- # optimizer sshd_config
- sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config
- sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
- # limit chmod important commands
- chmod 700 /bin/ping
- chmod 700 /usr/bin/finger
- chmod 700 /usr/bin/who
- chmod 700 /usr/bin/w
- chmod 700 /usr/bin/locate
- chmod 700 /usr/bin/whereis
- chmod 700 /sbin/ifconfig
- chmod 700 /usr/bin/pico
- chmod 700 /bin/vi
- chmod 700 /usr/bin/which
- chmod 700 /usr/bin/gcc
- chmod 700 /usr/bin/make
- chmod 700 /bin/rpm
- # history security
- chattr +a /root/.bash_history
- chattr +i /root/.bash_history
- # write important command md5
- cat > list << "EOF" &&
- /bin/ping
- /bin/finger
- /usr/bin/who
- /usr/bin/w
- /usr/bin/locate
- /usr/bin/whereis
- /sbin/ifconfig
- /bin/pico
- /bin/vi
- /usr/bin/vim
- /usr/bin/which
- /usr/bin/gcc
- /usr/bin/make
- /bin/rpm
- EOF
- for i in `cat list`
- do
- if [ ! -x $i ];then
- echo "$i not found,no md5sum!"
- else
- md5sum $i >> /var/log/`hostname`.log
- fi
- done
- rm -f list