#!/bin/bash
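# Lock an account after 3 failed SSH logins (pam_tally2); the lock clears
# after 60 s (root included). Every step below edits files under /etc, so
# warn early when not running as root instead of letting each command fail.
if (( EUID != 0 )); then
  printf 'warning: not running as root, the changes below will fail\n' >&2
fi
echo "已對密碼進行加固,如果輸入錯誤密碼超過3次,則鎖定賬戶!!"
echo "備份檔案!"
cp -p /etc/pam.d/sshd /etc/pam.d/sshd.bak
# Idempotent: add the tally line only when no pam_tally2 auth line exists.
# The original counted an exact string with a trailing space, so a line
# written with different spacing was not detected and got duplicated on
# every re-run.
if ! grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_tally2\.so' /etc/pam.d/sshd; then
  sed -i '/%PAM-1.0/a\auth required pam_tally2.so deny=3 unlock_time=60 even_deny_root root_unlock_time=60' /etc/pam.d/sshd
fi
# Per pam_tally2(8) an account-phase line is needed so that a successful
# login resets the failure counter; without it the counter only grows and
# accounts lock after 3 failures in total. Confirm against the local PAM
# layout before relying on it.
if ! grep -Eq '^account[[:space:]]+required[[:space:]]+pam_tally2\.so' /etc/pam.d/sshd; then
  sed -i '/^auth[[:space:]]\+required[[:space:]]\+pam_tally2\.so/a\account required pam_tally2.so' /etc/pam.d/sshd
fi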
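echo "輸入密碼必須包含數字,大小寫字母"
echo "備份檔案!"
cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
# Password-quality rule: at least 10 characters, at least 3 characters
# different from the previous password, and at least one lower-case letter,
# one upper-case letter and one digit (a negative credit means "required").
cracklib_rule='password requisite pam_cracklib.so minlen=10 difok=3 lcredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3'
# The original inserted the rule at line 14 and then deleted line 15, i.e. it
# overwrote whatever happened to be on line 14 of system-auth. On any layout
# where that line is not the quality module it clobbers an unrelated PAM
# entry. Replace an existing pam_cracklib line in place instead; when there
# is none, insert the rule before the first "password" entry so it runs
# first in the password stack. (Hosts that ship pam_pwquality instead will
# end up with both modules; adjust the module name for those.)
if grep -Eq '^password[[:space:]]+requisite[[:space:]]+pam_cracklib\.so' /etc/pam.d/system-auth; then
  sed -i "/^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so/c\\$cracklib_rule" /etc/pam.d/system-auth
elif grep -q '^password[[:space:]]' /etc/pam.d/system-auth; then
  sed -i "0,/^password[[:space:]]/s//$cracklib_rule\n&/" /etc/pam.d/system-auth
else
  printf 'no password entries found in /etc/pam.d/system-auth, rule not added\n' >&2
fi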
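echo "不允許root進行ssh"
echo "備份檔案!"
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# The original substitution only matched the commented-out default
# "#PermitRootLogin yes". An explicit "PermitRootLogin yes" (or
# "without-password") was left untouched and root SSH stayed enabled.
# Rewrite every existing directive (including ones inside Match blocks) and
# append one when the file has none at all.
if grep -Eq '^#?[[:space:]]*PermitRootLogin[[:space:]]' /etc/ssh/sshd_config; then
  sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
else
  printf 'PermitRootLogin no\n' >> /etc/ssh/sshd_config
fi
# Validate before restarting: a broken sshd_config would otherwise leave the
# host without SSH access.
if sshd -t; then
  service sshd restart
else
  printf 'sshd_config failed validation; not restarting sshd\n' >&2
fi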
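echo "備份檔案!"
cp -p /etc/shadow /etc/shadow.bak
cp -p /etc/passwd /etc/passwd.bak
echo "鎖定用戶"
# Lock the password of service accounts that must never log in
# interactively. Accounts that do not exist on this host are skipped rather
# than producing one passwd error each. "123" is kept from the original
# list; presumably a local test account — confirm before use.
lock_accounts=(adm lp sync nobody halt news uucp operator games gopher ftp 123)
for acct in "${lock_accounts[@]}"; do
  if id -u "$acct" >/dev/null 2>&1; then
    passwd -l "$acct"
  else
    printf 'account %s not present, skipping\n' "$acct"
  fi
done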
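echo "備份檔案!"
echo "設定用戶登錄超時"
cp -p /etc/profile /etc/profile.bak
# Idle-session timeout of 300 s for login shells.
# The original wrote "export TMOUT=300 readonly TMOUT" on ONE line. That
# exports a variable named TMOUT and one named "readonly" but never runs the
# readonly builtin, so any user could simply unset TMOUT. The two statements
# must be on separate lines. The append is also skipped when it is already
# present so re-runs do not pile up duplicates.
if ! grep -Eq '^readonly[[:space:]]+TMOUT' /etc/profile; then
  printf 'export TMOUT=300\nreadonly TMOUT\n' >> /etc/profile
fi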
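echo "備份檔案!"
cp -p /etc/login.defs /etc/login.defs.bak

#######################################
# Replace the value of one KEY line in a login.defs-style file.
# Arguments: $1 - key (e.g. PASS_MAX_DAYS)
#            $2 - value; must be a non-negative integer. Anything else is
#                 rejected because the value is spliced into a sed script
#                 (the original passed the raw answer through unquoted).
#            $3 - file to edit (default /etc/login.defs)
# Returns:   0 on success, 1 when the value is invalid or the key is absent
#######################################
set_login_def() {
  local key=$1 value=$2 file=${3:-/etc/login.defs}
  if [[ ! "$value" =~ ^[0-9]+$ ]]; then
    printf '%s: invalid value "%s", leaving %s unchanged\n' "$key" "$value" "$file" >&2
    return 1
  fi
  if ! grep -q "^${key}[[:space:]]" "$file"; then
    printf '%s not found in %s, leaving it unchanged\n' "$key" "$file" >&2
    return 1
  fi
  sed -i "/^${key}[[:space:]]/c\\${key} ${value}" "$file"
}

# -r keeps backslashes in the answer literal.
read -r -p "設定密碼失效前多少天通知用戶:" a
set_login_def PASS_WARN_AGE "$a"
read -r -p "設定密碼修改之間最小的天數:" b
set_login_def PASS_MIN_DAYS "$b"
read -r -p "設定密碼最多可多少天不修改:" c
set_login_def PASS_MAX_DAYS "$c"
read -r -p "設定密碼最短的長度:" d
set_login_def PASS_MIN_LEN "$d"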
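echo "備份檔案!"
echo "設定用戶權限組態檔的權限"
# Back up every file whose ownership/mode is changed below (the original
# only copied passwd) and keep mode and timestamps on the copy (-p).
for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
  cp -p "$f" "$f.bak"
done
chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
# World-readable for passwd/group, owner-read-only for the hashed secrets.
chmod 0644 /etc/group
chmod 0644 /etc/passwd
chmod 0400 /etc/shadow
chmod 0400 /etc/gshadow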
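echo "確保三權分立賬戶存在"
# Separation-of-duties accounts (audit / operations / security).
# useradd fails on an existing account, so check first to keep the script
# re-runnable. The original "usermod -G <name> <name>" is kept so the
# membership in the same-named group is explicit; it is skipped when that
# group does not exist. No password is set here — do that separately.
for acct in audit op security; do
  if ! id -u "$acct" >/dev/null 2>&1; then
    useradd "$acct"
  fi
  if getent group "$acct" >/dev/null; then
    usermod -G "$acct" "$acct"
  fi
done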
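echo "備份檔案!"
echo "確保root是唯一超級帳戶"

#######################################
# Print every account other than root whose UID is 0.
# The original defined this function twice and never called it, and its
# exit status was grep -v's (0 when extra UID-0 accounts exist), which is
# the opposite of what a caller expects from a check.
# Arguments: $1 - passwd file to scan (default /etc/passwd)
# Outputs:   one account name per line on stdout
# Returns:   0 when root is the only UID-0 account, 1 otherwise
#######################################
check_root_uniqueness() {
  local passwd_file=${1:-/etc/passwd}
  local extra
  extra=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$passwd_file")
  if [[ -z "$extra" ]]; then
    return 0
  fi
  printf '%s\n' "$extra"
  return 1
}

if ! check_root_uniqueness; then
  printf 'warning: additional UID 0 accounts found (listed above)\n' >&2
fi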
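echo "SSHD強制使用V2安全協議"
# Append "Protocol 2" only once; the original appended it on every run.
# Newer OpenSSH releases no longer support protocol 1 and ignore the
# keyword. Note that appending puts the line at the end of the file: if the
# file ends with a Match block the keyword lands inside it and sshd -t will
# reject the config.
if ! grep -Eq '^[[:space:]]*Protocol[[:space:]]' /etc/ssh/sshd_config; then
  printf 'Protocol 2\n' >> /etc/ssh/sshd_config
fi
sed -i 's/#LogLevel INFO/LogLevel INFO/' /etc/ssh/sshd_config
echo "禁止SSH空密碼用戶登錄"
# The original only uncommented the default; an explicit
# "PermitEmptyPasswords yes" was left in place. Rewrite any existing
# directive, append one when absent.
if grep -Eq '^#?[[:space:]]*PermitEmptyPasswords[[:space:]]' /etc/ssh/sshd_config; then
  sed -i -E 's/^#?[[:space:]]*PermitEmptyPasswords[[:space:]].*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
else
  printf 'PermitEmptyPasswords no\n' >> /etc/ssh/sshd_config
fi
# sshd was last restarted before these edits, so they would not take effect
# until the next restart; validate the config first.
if sshd -t; then
  service sshd restart
else
  printf 'sshd_config failed validation; not restarting sshd\n' >&2
fi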
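yum -y install audit
systemctl start auditd
# Audit rules: deletions/renames by real users (auid >= 1000, excluding the
# "unset" auid 4294967295) and writes to the identity and sudo policy files.
audit_rules='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope'
# The original appended the whole block to both files on every run, so each
# run duplicated every rule. Append only when the last rule is not already
# present (a missing file counts as "not present" and is created).
# rules.d/ is what augenrules merges into /etc/audit/audit.rules; writing the
# direct file as well covers hosts that load it without augenrules.
for rules_file in /etc/audit/rules.d/audit.rules /etc/audit/audit.rules; do
  if ! grep -qF -- '-w /etc/sudoers.d/ -p wa -k scope' "$rules_file" 2>/dev/null; then
    printf '%s\n' "$audit_rules" >> "$rules_file"
  fi
done
# auditd is restarted through the init script: on systemd hosts the unit
# typically refuses a manual stop/restart via systemctl.
service auditd restart
systemctl status auditd
echo "啟用安全審計功能!!"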
決議:
1. 密碼復雜度設定
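# Lock an account after 3 failed SSH logins (pam_tally2); the lock clears
# after 60 s (root included).
echo "已對密碼進行加固,如果輸入錯誤密碼超過3次,則鎖定賬戶!!"
echo "備份檔案!"
cp -p /etc/pam.d/sshd /etc/pam.d/sshd.bak
# Idempotent: add the tally line only when no pam_tally2 auth line exists.
# The original counted an exact string with a trailing space, so a line
# written with different spacing was not detected and got duplicated on
# every re-run.
if ! grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_tally2\.so' /etc/pam.d/sshd; then
  sed -i '/%PAM-1.0/a\auth required pam_tally2.so deny=3 unlock_time=60 even_deny_root root_unlock_time=60' /etc/pam.d/sshd
fi
# Per pam_tally2(8) an account-phase line is needed so that a successful
# login resets the failure counter; without it the counter only grows.
# Confirm against the local PAM layout before relying on it.
if ! grep -Eq '^account[[:space:]]+required[[:space:]]+pam_tally2\.so' /etc/pam.d/sshd; then
  sed -i '/^auth[[:space:]]\+required[[:space:]]\+pam_tally2\.so/a\account required pam_tally2.so' /etc/pam.d/sshd
fi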
2. 輸入密碼必須包含數字,大小寫字母
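echo "輸入密碼必須包含數字,大小寫字母"
echo "備份檔案!"
cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
# Password-quality rule: at least 10 characters, at least 3 characters
# different from the previous password, and at least one lower-case letter,
# one upper-case letter and one digit (a negative credit means "required").
cracklib_rule='password requisite pam_cracklib.so minlen=10 difok=3 lcredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3'
# The original inserted at line 14 and deleted line 15, i.e. it overwrote
# whatever was on line 14 of system-auth regardless of content. Replace an
# existing pam_cracklib line in place; otherwise insert the rule before the
# first "password" entry so it runs first in the password stack. (Hosts
# that ship pam_pwquality will end up with both modules; adjust the module
# name for those.)
if grep -Eq '^password[[:space:]]+requisite[[:space:]]+pam_cracklib\.so' /etc/pam.d/system-auth; then
  sed -i "/^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so/c\\$cracklib_rule" /etc/pam.d/system-auth
elif grep -q '^password[[:space:]]' /etc/pam.d/system-auth; then
  sed -i "0,/^password[[:space:]]/s//$cracklib_rule\n&/" /etc/pam.d/system-auth
else
  printf 'no password entries found in /etc/pam.d/system-auth, rule not added\n' >&2
fi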
3. 不允許root進行ssh
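echo "不允許root進行ssh"
echo "備份檔案!"
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# The original substitution only matched the commented-out default
# "#PermitRootLogin yes"; an explicit "PermitRootLogin yes" was left in
# place and root SSH stayed enabled. Rewrite every existing directive
# (including ones inside Match blocks) and append one when there is none.
if grep -Eq '^#?[[:space:]]*PermitRootLogin[[:space:]]' /etc/ssh/sshd_config; then
  sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
else
  printf 'PermitRootLogin no\n' >> /etc/ssh/sshd_config
fi
# Validate before restarting so a broken sshd_config cannot lock us out.
if sshd -t; then
  service sshd restart
else
  printf 'sshd_config failed validation; not restarting sshd\n' >&2
fi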
4. 鎖定用戶
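echo "備份檔案!"
cp -p /etc/shadow /etc/shadow.bak
cp -p /etc/passwd /etc/passwd.bak
echo "鎖定用戶"
# Lock the password of service accounts that must never log in
# interactively; accounts missing on this host are skipped instead of
# producing one passwd error each. "123" is kept from the original list;
# presumably a local test account — confirm before use.
lock_accounts=(adm lp sync nobody halt news uucp operator games gopher ftp 123)
for acct in "${lock_accounts[@]}"; do
  if id -u "$acct" >/dev/null 2>&1; then
    passwd -l "$acct"
  else
    printf 'account %s not present, skipping\n' "$acct"
  fi
done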
5. 設定登錄超時配置
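echo "備份檔案!"
echo "設定用戶登錄超時"
cp -p /etc/profile /etc/profile.bak
# Idle-session timeout of 300 s for login shells.
# The original wrote "export TMOUT=300 readonly TMOUT" on ONE line, which
# exports variables named TMOUT and "readonly" but never runs the readonly
# builtin, so users could simply unset TMOUT. The two statements must be
# separate lines; the append is skipped when already present.
if ! grep -Eq '^readonly[[:space:]]+TMOUT' /etc/profile; then
  printf 'export TMOUT=300\nreadonly TMOUT\n' >> /etc/profile
fi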
6. 禁用用戶
passwd -l 賬戶名
解鎖用戶
passwd -u 賬戶名
7. 修改默認密碼策略
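echo "備份檔案!"
cp -p /etc/login.defs /etc/login.defs.bak

#######################################
# Replace the value of one KEY line in a login.defs-style file.
# Arguments: $1 - key (e.g. PASS_MAX_DAYS)
#            $2 - value; must be a non-negative integer. Anything else is
#                 rejected because the value is spliced into a sed script
#                 (the original passed the raw answer through unquoted).
#            $3 - file to edit (default /etc/login.defs)
# Returns:   0 on success, 1 when the value is invalid or the key is absent
#######################################
set_login_def() {
  local key=$1 value=$2 file=${3:-/etc/login.defs}
  if [[ ! "$value" =~ ^[0-9]+$ ]]; then
    printf '%s: invalid value "%s", leaving %s unchanged\n' "$key" "$value" "$file" >&2
    return 1
  fi
  if ! grep -q "^${key}[[:space:]]" "$file"; then
    printf '%s not found in %s, leaving it unchanged\n' "$key" "$file" >&2
    return 1
  fi
  sed -i "/^${key}[[:space:]]/c\\${key} ${value}" "$file"
}

# -r keeps backslashes in the answer literal.
read -r -p "設定密碼失效前多少天通知用戶:" a
set_login_def PASS_WARN_AGE "$a"
read -r -p "設定密碼修改之間最小的天數:" b
set_login_def PASS_MIN_DAYS "$b"
read -r -p "設定密碼最多可多少天不修改:" c
set_login_def PASS_MAX_DAYS "$c"
read -r -p "設定密碼最短的長度:" d
set_login_def PASS_MIN_LEN "$d"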
chage -l root # 查詢用戶的密碼到期時間等資訊
usermod -e "Oct 27,2023" test # 設定賬戶過期時間
格式:usermod -e "時間" 賬戶名
8. 設定用戶權限組態檔的權限
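echo "備份檔案!"
echo "設定用戶權限組態檔的權限"
# Back up every file whose ownership/mode is changed below (the original
# only copied passwd) and keep mode and timestamps on the copy (-p).
for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
  cp -p "$f" "$f.bak"
done
chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
# World-readable for passwd/group, owner-read-only for the hashed secrets.
chmod 0644 /etc/group
chmod 0644 /etc/passwd
chmod 0400 /etc/shadow
chmod 0400 /etc/gshadow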
9. 確保三權分立賬戶存在
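echo "確保三權分立賬戶存在"
# Separation-of-duties accounts (audit / operations / security).
# useradd fails on an existing account, so check first to keep the script
# re-runnable. The original "usermod -G <name> <name>" is kept so the
# membership in the same-named group is explicit; it is skipped when that
# group does not exist. No password is set here — do that separately.
for acct in audit op security; do
  if ! id -u "$acct" >/dev/null 2>&1; then
    useradd "$acct"
  fi
  if getent group "$acct" >/dev/null; then
    usermod -G "$acct" "$acct"
  fi
done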
10. 啟用安全審計功能
#!/bin/bash
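yum -y install audit
systemctl start auditd
# Audit rules: deletions/renames by real users (auid >= 1000, excluding the
# "unset" auid 4294967295) and writes to the identity and sudo policy files.
audit_rules='-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope'
# The original appended the whole block to both files on every run, so each
# run duplicated every rule. Append only when the last rule is not already
# present (a missing file counts as "not present" and is created).
# rules.d/ is what augenrules merges into /etc/audit/audit.rules; writing the
# direct file as well covers hosts that load it without augenrules.
for rules_file in /etc/audit/rules.d/audit.rules /etc/audit/audit.rules; do
  if ! grep -qF -- '-w /etc/sudoers.d/ -p wa -k scope' "$rules_file" 2>/dev/null; then
    printf '%s\n' "$audit_rules" >> "$rules_file"
  fi
done
# auditd is restarted through the init script: on systemd hosts the unit
# typically refuses a manual stop/restart via systemctl.
service auditd restart
systemctl status auditd
echo "啟用安全審計功能!!"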
11. 確保root是唯一超級帳戶
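echo "備份檔案!"
echo "確保root是唯一超級帳戶"
cp -p /etc/passwd /etc/passwd.bak

#######################################
# Print every account other than root whose UID is 0.
# The original defined this function but never called it, and its exit
# status was grep -v's (0 when extra UID-0 accounts exist), which is the
# opposite of what a caller expects from a check.
# Arguments: $1 - passwd file to scan (default /etc/passwd)
# Outputs:   one account name per line on stdout
# Returns:   0 when root is the only UID-0 account, 1 otherwise
#######################################
check_root_uniqueness() {
  local passwd_file=${1:-/etc/passwd}
  local extra
  extra=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$passwd_file")
  if [[ -z "$extra" ]]; then
    return 0
  fi
  printf '%s\n' "$extra"
  return 1
}

if ! check_root_uniqueness; then
  printf 'warning: additional UID 0 accounts found (listed above)\n' >&2
fi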
12. SSHD強制使用V2安全協議
組態檔:/etc/ssh/sshd_config(取消注釋):LogLevel INFO
添加:Protocol 2
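echo "備份檔案!"
echo "SSHD強制使用V2安全協議"
# The original backed up /etc/ssh/ssh_config (the client config) while the
# edits below go to /etc/ssh/sshd_config; back up the file actually changed.
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Append "Protocol 2" only once; the original appended it on every run.
# Newer OpenSSH releases no longer support protocol 1 and ignore the
# keyword. Appending puts the line at the end of the file: if the file ends
# with a Match block the keyword lands inside it and sshd -t will reject it.
if ! grep -Eq '^[[:space:]]*Protocol[[:space:]]' /etc/ssh/sshd_config; then
  printf 'Protocol 2\n' >> /etc/ssh/sshd_config
fi
sed -i 's/#LogLevel INFO/LogLevel INFO/' /etc/ssh/sshd_config
# Takes effect only after sshd is restarted (validate with "sshd -t" first).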
13. 禁止SSH空密碼用戶登錄
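echo "備份檔案!"
echo "禁止SSH空密碼用戶登錄"
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# The original only uncommented the default "#PermitEmptyPasswords no"; an
# explicit "PermitEmptyPasswords yes" was left in place. Rewrite any
# existing directive and append one when the file has none.
if grep -Eq '^#?[[:space:]]*PermitEmptyPasswords[[:space:]]' /etc/ssh/sshd_config; then
  sed -i -E 's/^#?[[:space:]]*PermitEmptyPasswords[[:space:]].*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
else
  printf 'PermitEmptyPasswords no\n' >> /etc/ssh/sshd_config
fi
# Takes effect only after sshd is restarted (validate with "sshd -t" first).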
