该专栏内的脚本都会定期更新,请注意变化
脚本适用于Centos 7.x系列,同样支持Redhat 7.x系列
使用之前建议通读脚本注释,并确认不会影响你现在在用的业务
注意脚本内部包含一些参数,这些参数比较重要,涉及用户名、口令、NTP第三方服务器地址等,运行前请先填写
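#!/bin/bash
# Baseline hardening for CentOS / RHEL 7.x: GNOME screensaver lock, SSH/motd/
# telnet banners, password ageing and complexity (PAM), default umask, login
# timeout, a personal sudo account, tcp_wrappers rules, ICMP-redirect sysctl,
# locking of unused accounts, NTP client config and disabling rpcbind.
#
# Must run as root. Re-running is safe: every edited file is backed up once
# (the pristine copy is never overwritten by a later run) and config lines are
# appended only when they are not already present.
#
# Required values: fill them in below or export them before running. The
# password is passed to passwd on stdin, so it never appears in `ps`; if you
# store it in this file, keep the file readable by root only and do not run
# the script under `set -x`.
USER_NAME=${USER_NAME:-}
USER_PASSWD=${USER_PASSWD:-}
NTP_SERVER=${NTP_SERVER:-}

readonly BANNER_TEXT=" Authorized users only. All activity may be monitored and reported "

# die MSG...: print MSG to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# warn MSG...: print MSG to stderr and continue.
warn() { printf '%s\n' "$*" >&2; }

# backup_once FILE: keep the first pristine copy as FILE_bak. A later run (or a
# second section of this script touching the same file) must not replace that
# copy with an already-modified version.
backup_once() {
  local file=$1
  [ -e "$file" ] || return 0
  [ -e "${file}_bak" ] || cp -p -- "$file" "${file}_bak"
}

# append_once FILE LINE: append LINE to FILE unless an identical line exists.
# Creates FILE if missing (matches the original `>>` behaviour).
append_once() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# set_gconf TYPE KEY VALUE: write a mandatory (user-non-overridable) GNOME key.
set_gconf() {
  gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type "$1" \
    --set "$2" "$3"
}

[ "$(id -u)" -eq 0 ] || die "this script must be run as root"
[ -n "$USER_NAME" ] || die "USER_NAME is not set (edit the script or export it)"
[ -n "$USER_PASSWD" ] || die "USER_PASSWD is not set (edit the script or export it)"
# Same pattern useradd itself enforces by default; also keeps shell-unsafe
# characters out of the sudoers line and the usermod/groupadd arguments.
[[ "$USER_NAME" =~ ^[a-z_][a-z0-9_-]*[$]?$ ]] || die "USER_NAME '$USER_NAME' is not a valid account name"

echo "=== 正在设置屏幕保护"
set_gconf bool /apps/gnome-screensaver/idle_activation_enabled true
set_gconf bool /apps/gnome-screensaver/lock_enabled true
set_gconf string /apps/gnome-screensaver/mode blank-only
set_gconf int /apps/gnome-screensaver/idle_delay 15

# Pre-authentication SSH banner.
printf '%s\n' "$BANNER_TEXT" > /etc/sshbanner
chown bin:bin /etc/sshbanner
chmod 644 /etc/sshbanner
backup_once /etc/ssh/sshd_config
append_once /etc/ssh/sshd_config "Banner /etc/sshbanner"
echo "=== 正在重启 sshd 服务"
# Validate first: restarting sshd with a broken config locks us out of the box.
if sshd -t; then
  systemctl restart sshd
else
  warn "sshd_config failed validation; sshd was NOT restarted (backup: /etc/ssh/sshd_config_bak)"
fi

echo "=== 正在设置口令生存周期"
backup_once /etc/login.defs
sed -i "s/^PASS_MIN_LEN.*/PASS_MIN_LEN 8 /g" /etc/login.defs
sed -i "s/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90 /g" /etc/login.defs

echo "=== 正在设置ssh登录成功后的警告banner"
printf '%s\n' "$BANNER_TEXT" > /etc/motd

echo "=== 正在创建自用账户"
if ! getent passwd "$USER_NAME" >/dev/null; then
  useradd "$USER_NAME" || die "useradd $USER_NAME failed"
fi
# printf is a builtin, so the password is never an argv element visible in ps.
printf '%s\n' "$USER_PASSWD" | passwd --stdin "$USER_NAME" >/dev/null \
  || die "passwd $USER_NAME failed (check the complexity policy)"
# NOTE(review): password-less full sudo for this account is what the original
# script grants; consider dropping NOPASSWD. Whatever is written, validate the
# result so a malformed line cannot break sudo for everyone.
backup_once /etc/sudoers
append_once /etc/sudoers "$USER_NAME ALL=(ALL) NOPASSWD: ALL"
visudo -cf /etc/sudoers >/dev/null \
  || die "/etc/sudoers failed validation; restore it from /etc/sudoers_bak"

echo "=== 正在删除无用账户"
# Solaris-era accounts that usually do not exist on CentOS; best-effort, and
# only attempted when the account is present so userdel does not spam errors.
for u in gdm listen webservd nobody4 noaccess; do
  getent passwd "$u" >/dev/null && userdel "$u"
done

echo "=== 正在设置用户缺省MASK"
for f in /etc/profile /etc/csh.login /etc/csh.cshrc /etc/bashrc /root/.bashrc /root/.cshrc; do
  backup_once "$f"
  append_once "$f" "umask 027"
done

echo "=== 正在设置登录超时"
# /etc/profile and /etc/csh.cshrc were backed up above; backup_once keeps the
# pristine copy instead of overwriting it with the umask-modified file.
backup_once /etc/profile
backup_once /etc/csh.cshrc
append_once /etc/profile "TMOUT=180"
append_once /etc/profile "export TMOUT"
append_once /etc/csh.cshrc "set autologout=30"

echo "=== 正在添加用户组 ${USER_NAME}"
# useradd on CentOS 7 normally creates a same-named group already
# (USERGROUPS_ENAB); this only fills the gap when it did not.
getent group "$USER_NAME" >/dev/null || groupadd "$USER_NAME"
usermod -g "$USER_NAME" "$USER_NAME"

echo "=== 正在设置主机IP地址限制"
backup_once /etc/hosts.allow
backup_once /etc/hosts.deny
append_once /etc/hosts.allow "sshd:all:allow"
append_once /etc/hosts.allow "telnet:all:allow"
# 234.234.234.234 is a placeholder carried over from the original script —
# replace it with the address(es) you actually want to block. tcp_wrappers
# consults hosts.allow first and stops at the first match, so while
# "sshd:all:allow" is present the deny entries below never take effect.
append_once /etc/hosts.deny "sshd:234.234.234.234:deny"
append_once /etc/hosts.deny "telnet:234.234.234.234:deny"

echo "=== 正在更改telnet警告banner"
printf '%s\n' "$BANNER_TEXT" > /etc/issue
printf '%s\n' "$BANNER_TEXT" > /etc/issue.net
# telnet runs under xinetd; the restart fails harmlessly when it is not installed.
systemctl restart xinetd

echo "=== 正在修改用户口令密码复杂度策略"
backup_once /etc/pam.d/system-auth
sed -i "s/^password requisite.*/password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=2 minlen=8 /g" /etc/pam.d/system-auth
# Keep sha512 (the CentOS 7 default): the original rewrote this line with
# `md5`, silently downgrading every future password hash.
# NOTE(review): `nullok` is retained from the original and permits empty
# passwords — confirm that is intended.
sed -i "s/^password sufficient.*/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok /g" /etc/pam.d/system-auth

echo "=== 设置口令重复次数限制"
touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd
sed -i "s/^password required.*/password required pam_unix.so remember=5 /g" /etc/pam.d/system-auth

echo "=== 正在设置口令锁定策略"
# Inserted at the fixed line 5 as in the original; guarded so a re-run does not
# insert a second copy. NOTE(review): pam_tally2 normally also needs an
# `account required pam_tally2.so` line to reset the counter after a
# successful login — confirm against the pam_tally2 man page.
grep -q "pam_tally2.so" /etc/pam.d/system-auth \
  || sed -i "5 s/^/auth required pam_tally2.so deny=6 onerr=fail no_magic_root unlock_time=120\n/" /etc/pam.d/system-auth

echo "=== 正在禁止ICMP重定向"
backup_once /etc/sysctl.conf
append_once /etc/sysctl.conf "net.ipv4.conf.all.accept_redirects=0"
sysctl -p

echo "=== 正在锁定无用账户"
# Lock rather than delete. The original edited /etc/shadow with an unanchored
# sed pattern ("nobody:" also matches inside "nfsnobody:"); usermod -L changes
# exactly one account and is idempotent.
user_arr=("lp" "nobody" "uucp" "games" "rpm" "smmsp" "nfsnobody")
for user in "${user_arr[@]}"; do
  getent passwd "$user" >/dev/null || continue
  hash=$(getent shadow "$user" | cut -d: -f2)
  case $hash in
    *!*) ;;  # already locked
    *)
      echo "**正在锁定用户 $user"
      usermod -L "$user"
      ;;
  esac
done

echo "=== 正在配置NTP服务"
if [ ! -f /etc/ntp.conf ]; then
  echo "**** 没有安装ntp服务器!请手动安装ntp服务器!"
elif [ -z "$NTP_SERVER" ]; then
  warn "**** 未设置 NTP_SERVER,跳过NTP配置"
else
  backup_once /etc/ntp.conf
  append_once /etc/ntp.conf "restrict ${NTP_SERVER} nomodify notrap"
  append_once /etc/ntp.conf "server ${NTP_SERVER}"
  echo "=== 正在重启NTP服务"
  systemctl restart ntpd
fi

echo "=== 正在关闭rpcinfo 探测"
# NOTE: NFS (client and server) depends on rpcbind; skip this section on NFS hosts.
systemctl stop rpcbind.socket rpcbind
systemctl disable rpcbind.socket rpcbind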