原創作者:運維工程師 謝晉
linux系統安全加固
- linux系統安全加固
腳本
系統加固腳本下載地址:
https://download.csdn.net/download/hzgnet2021/63201374
時間獲取
腳本開頭先獲取本機時間
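#Variable
# Date stamp (YYYYMMDD) taken once at start-up; every backup copy the script
# makes below is suffixed with it, so one run's backups share a single suffix.
rq=$(date +%Y%m%d)
readonly rq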
- Linux禁用不使用的用戶
將passwd先復制一份備份,然后將以下不使用的用戶都禁用,如后期有需要恢復可使用 passwd -u lp 來進行恢復
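#account setup
echo '############ account setup ############'
echo ''
# Dated copy of /etc/passwd before any account is touched; an account can be
# re-enabled later with `passwd -u <name>`.
cp /etc/passwd "/etc/passwd.bak$rq"
# System accounts not needed on this host. `passwd -l` only invalidates the
# password hash: it does not block key-based SSH logins and does not change the
# login shell, so accounts that must never log in should additionally get a
# nologin shell (`usermod -s /sbin/nologin <name>`).
unused_accounts=(lp adm shutdown halt operator games gopher ftp nfsnobody postfix)
for acct in "${unused_accounts[@]}"; do
  # Skip names this distribution does not ship instead of letting passwd error out.
  if getent passwd "$acct" >/dev/null; then
    passwd -l "$acct"
  fi
done
echo ''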
Linux注釋的組:
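#group setup
echo '############ group setup ############'
echo ''
cp /etc/group "/etc/group.bak$rq"
# Group entries to comment out. NOTE(review): /etc/group has no formal comment
# syntax; this relies on the NSS "files" backend ignoring lines that begin with
# '#'. Files owned by these GIDs keep the numeric GID (shown unresolved by ls -l)
# and grpck will report the lines — confirm that is acceptable before running.
unused_groups=('adm:x:4:' 'games:x:20:' 'video:x:39:' 'dip:x:40:' 'ftp:x:50:' 'audio:x:63:' 'floppy:x:19:' 'postfix:x:89:')
for entry in "${unused_groups[@]}"; do
  # Anchored at line start: the pattern cannot match inside another group's
  # member list, and an already commented line is left alone on re-runs
  # (the unanchored original turned '#adm' into '##adm' each time).
  sed -i -e "s/^${entry}/#${entry}/" /etc/group
done
echo 'disable group result:'
grep '^#' /etc/group
echo ''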
- Linux關閉不使用的服務
下面列出的幾個服務如列印服務、藍牙服務等對服務器沒有用處,可直接關閉來提升服務器性能;如遇到需要開啟服務,只需輸入 service acpid start && chkconfig acpid on 就能重新開啟服務。
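#disable useless service
echo '##### disable useless service #####'
echo ''
# Stop each service now and keep it off in runlevels 2-5.
# NOTE(review): `service`/`chkconfig` are the SysV tools (RHEL/CentOS 6 era);
# on a systemd host the equivalent is `systemctl disable --now <svc>` — confirm
# which init system the target runs.
for svc in postfix cups cpuspeed bluetooth firstboot; do
  echo ''
  service "$svc" stop
  chkconfig --level 2345 "$svc" off
  echo ''
done
# netfs (network filesystem mounter) is only reported, not changed. The label
# says 'nfs' but the service queried is netfs.
echo 'nfs status:'
service netfs status
echo ''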
- Linux檔案保護
Linux檔案保護:禁止修改、刪除、移動檔案
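echo '######### chattr important file #########'
echo ''
# chattr /etc/passwd /etc/shadow
# +i (immutable) refuses every write, including by root, until the flag is
# cleared. While it is set, passwd, useradd/usermod/groupadd and PAM password
# changes all fail — clear it with `chattr -i` before account maintenance and
# set it again afterwards.
account_files=(/etc/passwd /etc/shadow /etc/group /etc/gshadow)
for f in "${account_files[@]}"; do
  chattr +i "$f"
done
echo 'Following files already locked:'
# One lsattr call for all four files (the original lost the space before
# /etc/gshadow and so never listed it).
lsattr "${account_files[@]}"
echo ''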
如果需要修改密碼,執行 chattr -i 消除權限,切記修改后要將權限加回
#chattr -i /etc/passwd
#chattr -i /etc/shadow
#chattr -i /etc/group
#chattr -i /etc/gshadow
#lsattr /etc/group /etc/passwd /etc/shadow /etc/gshadow
- 用戶密碼保護
用戶輸錯密碼3次后鎖定用戶5分鐘
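# Login failed limit:continue input failure 3 ,passwd unlock time 5 minite
echo '######### Login limits ##########'
echo ''
cp /etc/pam.d/system-auth "/etc/pam.d/system-auth.bak$rq"
# Add the lockout rule only once. A single check is enough: the original's
# second grep (for the /lib/security/$ISA/ path) was a subset of this one.
# NOTE(review): pam_tally.so is the legacy module; newer PAM releases ship
# pam_tally2 or pam_faillock instead — confirm the module exists on the target.
if ! grep -q 'pam_tally.so' /etc/pam.d/system-auth; then
  # Insert the tally lines directly after pam_env.so. '$ISA' stays literal
  # (single quotes) because PAM expands it. The match is exact text, so a
  # system-auth that writes the pam_env line with different spacing is left
  # untouched — hence the re-check below instead of assuming success.
  sed -i 's#auth required pam_env.so#auth required pam_env.so\nauth required pam_tally.so onerr=fail deny=3 unlock_time=300\nauth required /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth
  echo ''
  if grep -q 'pam_tally.so' /etc/pam.d/system-auth; then
    echo 'update login server limits ---->continue input failure 3 ,passwd unlock time 5 minite'
  else
    echo 'WARNING: pam_env.so line not matched in /etc/pam.d/system-auth; login limit was NOT applied' >&2
  fi
  echo ''
else
  echo ''
  echo 'Login restriction policy already exists on the server!The script will not modify this.'
  echo ''
fi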
- 用戶注銷
用戶登錄后5分鐘無任何操作將自動注銷用戶
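# system timeout 5 minite auto logout
echo ''
# The original line was missing its closing quote, which made bash swallow the
# following commands into the string.
echo '######### set auto logout #########'
cp /etc/profile "/etc/profile.bak$rq"
if ! grep -q 'TMOUT=' /etc/profile; then
  # NOTE(review): a plain assignment can be undone by the user in their shell;
  # common hardening guidance also adds `readonly TMOUT` and `export TMOUT`.
  echo "TMOUT=300" >>/etc/profile
  echo ''
  echo 'update login server limits ----> timeout 5 minite auto logout'
  echo ''
else
  echo ''
  echo 'Login timeout policy already exists on the server!The script will not modify this.'
  echo ''
fi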
- Linux減少history命令記錄
執行過的歷史命令記錄越多,從一定程度上講會給維護帶來簡便,但同樣會伴隨安全問題。
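echo '############## set save history command ##############'
# will system save history command list to 10
echo ''
# Idempotent: only rewrite /etc/profile when our value is not already there.
# Running the original twice commented out the HISTSIZE=10 it had appended and
# appended another copy.
if ! grep -qx 'HISTSIZE=10' /etc/profile; then
  sed -i "s/HISTSIZE=/#HISTSIZE=/" /etc/profile
  echo "HISTSIZE=10" >>/etc/profile
fi
# NOTE(review): a 10-entry history also removes most of the command trail an
# incident responder would rely on, and any user can override HISTSIZE in their
# own shell — this is a convenience setting, not an audit control.
# enable /etc/profile
# Sourcing here only affects this script's own shell; it is kept for parity with
# the original.
source /etc/profile
echo ''
echo '/etc/profile already update'
echo ''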
- 開啟SYN Cookies
表示開啟SYN Cookies,當出現SYN等待佇列溢位時,啟用cookies來處理,可防范少量SYN攻擊
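echo '############## enable syncookie ##############'
echo ''
# add syncookie enable /etc/sysctl.conf
# Append only when an enabling line is not already present, so repeated runs do
# not stack duplicate keys. An existing '=0' line is deliberately not treated as
# present: the appended '=1' comes later in the file and wins at `sysctl -p`.
if ! grep -Eq '^[[:space:]]*net\.ipv4\.tcp_syncookies[[:space:]]*=[[:space:]]*1[[:space:]]*$' /etc/sysctl.conf; then
  echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
fi
sysctl -p
echo ''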
- SSH優化
修改SSH用戶最大連接數,通過關閉 UseDNS和GSSAPIAuthentication選項加速 SSH登錄
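echo '############## optimize sshd ##############'
echo ''
# optimizer sshd_config
# Both edits only uncomment the stock default lines. If the distro ships the
# options with different text, or they are already set, nothing changes — which
# is why the current values are printed afterwards rather than assumed.
# GSSAPIAuthentication (mentioned in the write-up) is not touched here, and the
# edits take effect only after sshd is reloaded.
sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config
sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
# Validate the file before any later reload: a broken sshd_config locks
# everyone out on the next restart.
if command -v sshd >/dev/null 2>&1 && ! sshd -t; then
  echo 'WARNING: /etc/ssh/sshd_config failed sshd -t validation; fix it before reloading sshd' >&2
fi
echo ''
echo 'currently config:'
grep -n 'MaxAuthTries' /etc/ssh/sshd_config
grep -n 'UseDNS' /etc/ssh/sshd_config
echo ''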
- 歷史記錄
對歷史記錄命令保存進行優化禁止覆寫、禁止修改該檔案
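echo '############## history security ##############'
echo ''
# history security
# Append-only (+a) lets bash keep adding commands while refusing truncation or
# rewriting of the file. The original also set +i (immutable); that refuses
# appends as well, so bash would stop recording altogether — the opposite of
# keeping the history — so only +a is applied.
# NOTE(review): by default bash rewrites the history file on exit instead of
# appending, and that write is refused on a +a file; pair this with
# `shopt -s histappend` in root's shell — confirm on the target.
if [ -e /root/.bash_history ]; then
  chattr +a /root/.bash_history
  echo ''
  echo '/root/.bash_history already locked:'
  lsattr /root/.bash_history
else
  echo ''
  echo '/root/.bash_history does not exist yet; nothing to lock' >&2
fi
echo ''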
- 復制日志
將日志復制保存
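# The banner must be quoted: an unquoted '#' at the start of a word begins a
# comment, so the original printed an empty line.
echo '############## backup system log ##############'
echo 'The program will move the log of System operation status to /var/log/HZGNETsecurityreinforce '
backup_root=/var/log/HZGNETsecurityreinforce
backup_dir="$backup_root/$rq"
mkdir -p "$backup_dir"
# The copies of secure/wtmp/utmp hold usernames and login sources; keep the
# snapshot tree root-only rather than whatever the umask produced.
chmod 700 "$backup_root" "$backup_dir"
#cp /var/log/message /var/log/HZGNETsecurityreinforce/$rq
#cp /var/log/auth.log /var/log/HZGNETsecurityreinforce/$rq
# (On RHEL-family hosts the syslog file is /var/log/messages, not /var/log/message.)
# -p keeps mode and mtime so the copies remain usable as evidence; logs this
# distribution does not have are skipped instead of printing one cp error each.
for log in /var/log/cron /var/log/maillog /var/log/secure /var/log/wtmp /var/run/utmp /var/log/yum.log; do
  if [ -e "$log" ]; then
    cp -p -- "$log" "$backup_dir"
  fi
done
echo ' Log Backup completed.'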
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/381929.html
