Ubuntu 20.04 系統初始化安全加固
描述: 適用于企業內部 Ubuntu 系列服務器作業系統初始化、系統安全加固腳本,內容包含了,網路初始化設定,軟體更新源替換以及內核版本升級 ,時間時區初始化設定 系統安全加固(等保三級作業系統主機檢查項) 安全運維設定 系統內核引數 常用軟體安裝等 一系列的操作直接開箱即用, 將跑過該腳本的機器可以克隆成為作為線上生產環境的基線模板,
原文鏈接: 完整的Windows與Linux服務器系統安全加固實踐和基線檢測腳本(等保2.0)( https://mp.weixin.qq.com/s/CDGzTzrAk9vJtbH4BisSlw )
腳本適用說明:
Ubuntu 20.04 (已測驗)
Ubuntu 18.04 (部分適用)
Ubuntu 安全加固效果
專案地址: https://github.com/WeiyiGeek/SecOpsDev/tree/master/OS-作業系統/Linux/Ubuntu
【
】,歡迎大家 Star 與 Fork ,
Ubuntu TLS Security Initiate
Link: https://github.com/WeiyiGeek/SecOpsDev/blob/master/OS-作業系統/Linux/Ubuntu/Ubuntu-InitializeSecurity.sh
溫馨提示: 使用腳本時請按照你的需求呼叫相應函式即可,默認未呼叫任何函式,
#!/bin/bash
# @Author: WeiyiGeek
# @Description: Ubuntu TLS Security Initiate
# @Create Time: 2019年9月1日 16:43:33
# @Last Modified time: 2021-11-15 11:06:31
# @E-mail: [email protected]
# @Blog: https://www.weiyigeek.top
# @wechat: WeiyiGeeker
# @Github: https://github.com/WeiyiGeek/SecOpsDev/tree/master/OS-作業系統/Linux/
# @Version: 3.3
#-------------------------------------------------#
# 腳本主要功能說明:
# (1) Ubuntu 系統初始化操作包括IP地址設定、基礎軟體包更新以及安裝加固,
# (2) Ubuntu 系統容器以及JDK相關環境安裝,
# (3) Ubuntu 系統中例外錯誤日志解決,
# (4) Ubuntu 系統常規服務安裝配置,加入資料備份目錄,
# (5) Ubuntu 腳本錯誤優化、添加禁用cloud-init
#-------------------------------------------------#
## 系統全域變數定義
HOSTNAME=Ubuntu-Security-Template
IP=192.168.1.2
GATEWAY=192.168.1.1
DNSIP=("223.5.5.5" "223.6.6.6")
SSHPORT=20211
DefaultUser="WeiyiGeek" # 系統創建的用戶名稱非root用戶
ROOTPASS=WeiyiGeek # 密碼建議12位以上且包含數字、大小寫字母以及特殊字符,
APPPASS=WeiyiGeek
## 名稱: err 、info 、warning
## 用途:全域Log資訊列印函式
## 引數: $@
log::err() {
printf "[$(date +'%Y-%m-%dT%H:%M:%S')]: \033[31mERROR: $@ \033[0m\n"
}
log::info() {
printf "[$(date +'%Y-%m-%dT%H:%M:%S')]: \033[32mINFO: $@ \033[0m\n"
}
log::warning() {
printf "[$(date +'%Y-%m-%dT%H:%M:%S')]: \033[33mWARNING: $@ \033[0m\n"
}
## 名稱: os::Network
## 用途: 網路配置相關操作腳本包括(IP地址修改)
## 引數: 無
os::Network () {
log::info "[-] 作業系統網路配置相關腳本,開始執行....."
# (1) IP地址與主機名稱設定
sudo cp /etc/netplan/00-installer-config.yaml{,.bak}
mkdir /opt/init/
sudo tee /opt/init/network.sh <<'EOF'
#!/bin/bash
CURRENT_IP=$(hostname -I | cut -f 1 -d " ")
GATEWAY=$(hostname -I | cut -f 1,2,3 -d ".")
if [[ $# -lt 3 ]];then
echo "Usage: $0 IP Gateway Hostname"
exit
fi
echo "IP:${1} # GATEWAY:${2} # HOSTNAME:${3}"
sudo sed -i "s#${CURRENT_IP}#${1}#g" /etc/netplan/00-installer-config.yaml
sudo sed -i "s#${GATEWAY}.1#${2}#g" /etc/netplan/00-installer-config.yaml
sudo hostnamectl set-hostname ${3}
sudo netplan apply
EOF
sudo chmod +x /opt/init/network.sh
# (2) 本地主機名決議設定
sed -i "s/127.0.1.1\s.\w.*$/127.0.1.1 ${HOSTNAME}/g" /etc/hosts
grep -q "^\$(hostname -I)\s.\w.*$" /etc/hosts && sed -i "s/\$(hostname -I)\s.\w.*$/${IPADDR} ${HOSTNAME}" /etc/hosts || echo "${IPADDR} ${HOSTNAME}" >> /etc/hosts
# (3) 系統DNS域名決議服務設定
cp -a /etc/resolv.conf{,.bak}
for dns in ${DNSIP[@]};do echo "nameserver ${dns}" >> /etc/resolv.conf;done
sudo /opt/init/network.sh ${IP} ${GATEWAY} ${HOSTNAME}
log::info "[*] network configure modifiy successful! restarting Network........."
}
## 名稱: os::Software
## 用途: 作業系統軟體包管理及更新源配置
## 引數: 無
os::Software () {
log::info "[-] 作業系統軟體包管理及更新源配置相關腳本,開始執行....."
# (1) 卸載多余軟體,例如 snap 軟體及其服務
sudo systemctl stop snapd snapd.socket #停止snapd相關的行程服務
sudo apt autoremove --purge -y snapd
sudo systemctl daemon-reload
sudo rm -rf ~/snap /snap /var/snap /var/lib/snapd /var/cache/snapd /run/snapd
# (2) 軟體源設定與系統更新
sudo cp /etc/apt/sources.list{,.bak}
sudo tee /etc/apt/sources.list <<'EOF'
#阿里云Mirrors - Ubuntu
deb http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ focal-backports main restricted universe multiverse
EOF
# (3) 內核版本升級以及常規軟體安裝
sudo apt autoclean && sudo apt update && sudo apt upgrade -y
sudo apt install -y nano vim git unzip wget ntpdate dos2unix net-tools tree htop ncdu nload sysstat psmisc bash-completion fail2ban gcc g++ make jq nfs-common rpcbind libpam-cracklib
# (4) 代理方式進行更新
# sudo apt autoclean && sudo apt -o Acquire::http::proxy="http://proxy.weiyigeek.top/" update && sudo apt -o Acquire::http::proxy="http://proxy.weiyigeek.top" upgrade -y
# sudo apt install -o Acquire::http::proxy="http://proxy.weiyigeek.top/" -y nano vim git unzip wget ntpdate dos2unix net-tools tree htop ncdu nload sysstat psmisc bash-completion fail2ban
}
## 名稱: os::TimedataZone
## 用途: 作業系統時間與時區同步配置
## 引數: 無
os::TimedataZone () {
log::info "[*] 作業系統系統時間時區配置相關腳本,開始執行....."
# (1) 時間同步服務端容器(可選也可以用外部ntp服務器) : docker run -d --rm --cap-add SYS_TIME -e ALLOW_CIDR=0.0.0.0/0 -p 123:123/udp geoffh1977/chrony
echo "同步前的時間: $(date -R)"
# 方式1.Chrony 客戶端配置
apt install -y chrony
grep -q "192.168.12.254" /etc/chrony/chrony.conf || sudo tee -a /etc/chrony/chrony.conf <<'EOF'
pool 192.168.10.254 iburst maxsources 1
pool 192.168.12.254 iburst maxsources 1
pool 192.168.4.254 iburst maxsources 1
pool ntp.aliyun.com iburst maxsources 4
keyfile /etc/chrony/chrony.keys
driftfile /var/lib/chrony/chrony.drift
logdir /var/log/chrony
maxupdateskew 100.0
rtcsync
# 允許跳躍式校時 如果在前 3 次校時中時間差大于 1.0s
makestep 1 3
EOF
systemctl enable chrony && systemctl restart chrony && systemctl status chrony -l
# 方式2
# sudo ntpdate 192.168.10.254 || sudo ntpdate 192.168.12.215 || sudo ntpdate ntp1.aliyun.com
# 方式3
# echo 'NTP=192.168.10.254 192.168.4.254' >> /etc/systemd/timesyncd.conf
# echo 'FallbackNTP=ntp.aliyun.com' >> /etc/systemd/timesyncd.conf
# systemctl restart systemd-timesyncd.service
# (2) 時區與地區設定:
sudo cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
sudo timedatectl set-timezone Asia/Shanghai
# sudo dpkg-reconfigure tzdata # 修改確認
# sudo bash -c "echo 'Asia/Shanghai' > /etc/timezone" # 與上一條命令一樣
# 將當前的 UTC 時間寫入硬體時鐘 (硬體時間默認為UTC)
sudo timedatectl set-local-rtc 0
# 啟用NTP時間同步:
sudo timedatectl set-ntp yes
# 校準時間服務器-時間同步(推薦使用chronyc進行平滑同步)
sudo chronyc tracking
# 手動校準-強制更新時間
# chronyc -a makestep
# 系統時鐘同步硬體時鐘
# sudo hwclock --systohc
sudo hwclock -w
# (3) 重啟依賴于系統時間的服務
sudo systemctl restart rsyslog.service cron.service
log::info "[*] Tie confmigure modifiy successful! restarting chronyd rsyslog.service crond.service........."
timedatectl
}
## 名稱: os::Security
## 用途: 作業系統安全加固配置腳本(符合等保要求-三級要求)
## 引數: 無
os::Security () {
log::info "正在進行->作業系統安全加固(符合等保要求-三級要求)配置"
# (0) 系統用戶核查配置
log::info "[-] 鎖定或者洗掉多余的系統賬戶以及創建低權限用戶"
userdel -r lxd
groupdel lxd
defaultuser=(root daemon bin sys games man lp mail news uucp proxy www-data backup list irc gnats nobody systemd-network systemd-resolve systemd-timesync messagebus syslog _apt tss uuidd tcpdump landscape pollinate usbmux sshd systemd-coredump _chrony)
for i in $(cat /etc/passwd | cut -d ":" -f 1,7);do
flag=0; name=${i%%:*}; terminal=${i##*:}
if [[ "${terminal}" == "/bin/bash" || "${terminal}" == "/bin/sh" ]];then
log::warning "${i} 用戶,shell終端為 /bin/bash 或者 /bin/sh"
fi
for j in ${defaultuser[@]};do
if [[ "${name}" == "${j}" ]];then
flag=1
break;
fi
done
if [[ $flag -eq 0 ]];then
log::warning "${i} 非默認用戶"
fi
done
cp /etc/shadow /etc/shadow-`date +%Y%m%d`.bak
passwd -l adm&>/dev/null 2&>/dev/null; passwd -l daemon&>/dev/null 2&>/dev/null; passwd -l bin&>/dev/null 2&>/dev/null; passwd -l sys&>/dev/null 2&>/dev/null; passwd -l lp&>/dev/null 2&>/dev/null; passwd -l uucp&>/dev/null 2&>/dev/null; passwd -l nuucp&>/dev/null 2&>/dev/null; passwd -l smmsplp&>/dev/null 2&>/dev/null; passwd -l mail&>/dev/null 2&>/dev/null; passwd -l operator&>/dev/null 2&>/dev/null; passwd -l games&>/dev/null 2&>/dev/null; passwd -l gopher&>/dev/null 2&>/dev/null; passwd -l ftp&>/dev/null 2&>/dev/null; passwd -l nobody&>/dev/null 2&>/dev/null; passwd -l nobody4&>/dev/null 2&>/dev/null; passwd -l noaccess&>/dev/null 2&>/dev/null; passwd -l listen&>/dev/null 2&>/dev/null; passwd -l webservd&>/dev/null 2&>/dev/null; passwd -l rpm&>/dev/null 2&>/dev/null; passwd -l dbus&>/dev/null 2&>/dev/null; passwd -l avahi&>/dev/null 2&>/dev/null; passwd -l mailnull&>/dev/null 2&>/dev/null; passwd -l nscd&>/dev/null 2&>/dev/null; passwd -l vcsa&>/dev/null 2&>/dev/null; passwd -l rpc&>/dev/null 2&>/dev/null; passwd -l rpcuser&>/dev/null 2&>/dev/null; passwd -l nfs&>/dev/null 2&>/dev/null; passwd -l sshd&>/dev/null 2&>/dev/null; passwd -l pcap&>/dev/null 2&>/dev/null; passwd -l ntp&>/dev/null 2&>/dev/null; passwd -l haldaemon&>/dev/null 2&>/dev/null; passwd -l distcache&>/dev/null 2&>/dev/null; passwd -l webalizer&>/dev/null 2&>/dev/null; passwd -l squid&>/dev/null 2&>/dev/null; passwd -l xfs&>/dev/null 2&>/dev/null; passwd -l gdm&>/dev/null 2&>/dev/null; passwd -l sabayon&>/dev/null 2&>/dev/null; passwd -l named&>/dev/null 2&>/dev/null
# (2) 用戶密碼設定和口令策略設定
log::info "[-] 配置滿足策略的root管理員密碼 "
echo ${ROOTPASS} | passwd --stdin root
log::info "[-] 配置滿足策略的app普通用戶密碼(根據需求配置)"
groupadd application
useradd -m -s /bin/bash -c "application primary user" -g application app
echo ${APPPASS} | passwd --stdin app
log::info "[-] 強制用戶在下次登錄時更改密碼 "
chage -d 0 -m 0 -M 90 -W 15 root && passwd --expire root
chage -d 0 -m 0 -M 90 -W 15 ${DefaultUser} && passwd --expire ${DefaultUser}
chage -d 0 -m 0 -M 90 -W 15 app && passwd --expire app
log::info "[-] 用戶口令復雜性策略設定 (密碼過期周期0~90、到期前15天提示、密碼長度至少15、復雜度設定至少有一個大小寫、數字、特殊字符、密碼三次不能一樣、嘗試次數為三次)"
egrep -q "^\s*PASS_MIN_DAYS\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MIN_DAYS\s+\S*(\s*#.*)?\s*$/\PASS_MIN_DAYS 0/" /etc/login.defs || echo "PASS_MIN_DAYS 0" >> /etc/login.defs
egrep -q "^\s*PASS_MAX_DAYS\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MAX_DAYS\s+\S*(\s*#.*)?\s*$/\PASS_MAX_DAYS 90/" /etc/login.defs || echo "PASS_MAX_DAYS 90" >> /etc/login.defs
egrep -q "^\s*PASS_WARN_AGE\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_WARN_AGE\s+\S*(\s*#.*)?\s*$/\PASS_WARN_AGE 15/" /etc/login.defs || echo "PASS_WARN_AGE 15" >> /etc/login.defs
egrep -q "^\s*PASS_MIN_LEN\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MIN_LEN\s+\S*(\s*#.*)?\s*$/\PASS_MIN_LEN 15/" /etc/login.defs || echo "PASS_MIN_LEN 15" >> /etc/login.defs
egrep -q "^password\s.+pam_cracklib.so\s+\w+.*$" /etc/pam.d/common-password && sed -ri '/^password\s.+pam_cracklib.so/{s/pam_cracklib.so\s+\w+.*$/pam_cracklib.so retry=3 minlen=15 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=1/g;}' /etc/pam.d/common-password
egrep -q "^password\s.+pam_unix.so\s+\w+.*$" /etc/pam.d/common-password && sed -ri '/^password\s.+pam_unix.so/{s/pam_unix.so\s+\w+.*$/pam_unix.so obscure use_authtok try_first_pass sha512 remember=3/g;}' /etc/pam.d/common-password
log::info "[-] 存盤用戶密碼的檔案,其內容經過sha512加密,所以非常注意其權限"
touch /etc/security/opasswd && chown root:root /etc/security/opasswd && chmod 600 /etc/security/opasswd
# (3) 用戶sudo權限以及重要目錄和檔案的權限設定
log::info "[-] 用戶sudo權限以及重要目錄和檔案的新建默認權限設定"
# 如uBuntu安裝時您創建的用戶 WeiyiGeek 防止直接通過 sudo passwd 修改root密碼(此時必須要求輸入WeiyiGeek密碼后才可修改root密碼)
# Tips: Sudo允許授權用戶權限以另一個用戶(通常是root用戶)的身份運行程式,
# DefaultUser="weiyigeek"
sed -i "/# Members of the admin/i ${DefaultUser} ALL=(ALL) PASSWD:ALL" /etc/sudoers
log::info "[-] 配置用戶 umask 為022 "
egrep -q "^\s*umask\s+\w+.*$" /etc/profile && sed -ri "s/^\s*umask\s+\w+.*$/umask 022/" /etc/profile || echo "umask 022" >> /etc/profile
egrep -q "^\s*umask\s+\w+.*$" /etc/bash.bashrc && sed -ri "s/^\s*umask\s+\w+.*$/umask 022/" /etc/bashrc || echo "umask 022" >> /etc/bash.bashrc
# log::info "[-] 設定用戶目錄創建默認權限, (初始為077比較嚴格),在設定 umask 為022 及 777 - 022 "
# egrep -q "^\s*(umask|UMASK)\s+\w+.*$" /etc/login.defs && sed -ri "s/^\s*(umask|UMASK)\s+\w+.*$/UMASK 022/" /etc/login.defs || echo "UMASK 022" >> /etc/login.defs
log::info "[-] 設定或恢復重要目錄和檔案的權限"
chmod 755 /etc;
chmod 777 /tmp;
chmod 700 /etc/inetd.conf&>/dev/null 2&>/dev/null;
chmod 755 /etc/passwd;
chmod 755 /etc/shadow;
chmod 644 /etc/group;
chmod 755 /etc/security;
chmod 644 /etc/services;
chmod 750 /etc/rc*.d
chmod 600 ~/.ssh/authorized_keys
log::info "[-] 洗掉潛在威脅檔案 "
find / -maxdepth 3 -name hosts.equiv | xargs rm -rf
find / -maxdepth 3 -name .netrc | xargs rm -rf
find / -maxdepth 3 -name .rhosts | xargs rm -rf
# (4) SSHD 服務安全加固設定
log::info "[-] sshd 服務安全加固設定"
# 嚴格模式
sudo egrep -q "^\s*StrictModes\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^(#)?\s*StrictModes\s+.+$/StrictModes yes/" /etc/ssh/sshd_config || echo "StrictModes yes" >> /etc/ssh/sshd_config
# 監聽埠更改
if [ -e ${SSHPORT} ];then export SSHPORT=20211;fi
sudo egrep -q "^\s*Port\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^(#)?\s*Port\s+.+$/Port ${SSHPORT}/" /etc/ssh/sshd_config || echo "Port ${SSHPORT}" >> /etc/ssh/sshd_config
# 禁用X11轉發以及埠轉發
sudo egrep -q "^\s*X11Forwarding\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^(#)?\s*X11Forwarding\s+.+$/X11Forwarding no/" /etc/ssh/sshd_config || echo "X11Forwarding no" >> /etc/ssh/sshd_config
sudo egrep -q "^\s*X11UseLocalhost\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^(#)?\s*X11UseLocalhost\s+.+$/X11UseLocalhost yes/" /etc/ssh/sshd_config || echo "X11UseLocalhost yes" >> /etc/ssh/sshd_config
sudo egrep -q "^\s*AllowTcpForwarding\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^(#)?\s*AllowTcpForwarding\s+.+$/AllowTcpForwarding no/" /etc/ssh/sshd_config || echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
sudo egrep -q "^\s*AllowAgentForwarding\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^(#)?\s*AllowAgentForwarding\s+.+$/AllowAgentForwarding no/" /etc/ssh/sshd_config || echo "AllowAgentForwarding no" >> /etc/ssh/sshd_config
# 關閉禁用用戶的 .rhosts 檔案 ~/.ssh/.rhosts 來做為認證: 預設IgnoreRhosts yes
egrep -q "^(#)?\s*IgnoreRhosts\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^(#)?\s*IgnoreRhosts\s+.+$/IgnoreRhosts yes/" /etc/ssh/sshd_config || echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config
# 禁止root遠程登錄(推薦配置-根據需求配置)
egrep -q "^\s*PermitRootLogin\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^\s*PermitRootLogin\s+.+$/PermitRootLogin no/" /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config
# 登陸前后歡迎提示設定
egrep -q "^\s*(banner|Banner)\s+\W+.*$" /etc/ssh/sshd_config && sed -ri "s/^\s*(banner|Banner)\s+\W+.*$/Banner \/etc\/issue/" /etc/ssh/sshd_config || \
echo "Banner /etc/issue" >> /etc/ssh/sshd_config
log::info "[-] 遠程SSH登錄前后提示警告Banner設定"
# SSH登錄前警告Banner
sudo tee /etc/issue <<'EOF'
****************** [ 安全登陸 (Security Login) ] *****************
Authorized only. All activity will be monitored and reported.By Security Center.
EOF
# SSH登錄后提示Banner
sed -i '/^fi/a\\n\necho "\\e[1;37;41;5m################## 安全運維 (Security Operation) ####################\\e[0m"\necho "\\e[32mLogin success. Please execute the commands and operation data carefully.By WeiyiGeek.\\e[0m"' /etc/update-motd.d/00-header
# (5) 用戶遠程登錄失敗次數與終端超時設定
log::info "[-] 用戶遠程連續登錄失敗10次鎖定帳號5分鐘包括root賬號"
sed -ri "/^\s*auth\s+required\s+pam_tally2.so\s+.+(\s*#.*)?\s*$/d" /etc/pam.d/sshd
sed -ri '2a auth required pam_tally2.so deny=10 unlock_time=300 even_deny_root root_unlock_time=300' /etc/pam.d/sshd
# 宿主機控制臺登陸(可選)
# sed -ri "/^\s*auth\s+required\s+pam_tally2.so\s+.+(\s*#.*)?\s*$/d" /etc/pam.d/login
# sed -ri '2a auth required pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=300' /etc/pam.d/login
log::info "[-] 設定登錄超時時間為10分鐘 "
egrep -q "^\s*(export|)\s*TMOUT\S\w+.*$" /etc/profile && sed -ri "s/^\s*(export|)\s*TMOUT.\S\w+.*$/export TMOUT=600\nreadonly TMOUT/" /etc/profile || echo -e "export TMOUT=600\nreadonly TMOUT" >> /etc/profile
egrep -q "^\s*.*ClientAliveInterval\s\w+.*$" /etc/ssh/sshd_config && sed -ri "s/^\s*.*ClientAliveInterval\s\w+.*$/ClientAliveInterval 600/" /etc/ssh/sshd_config || echo "ClientAliveInterval 600" >> /etc/ssh/sshd_config
# (5) 切換用戶日志記錄或者切換命令更改(可選)
log::info "[-] 切換用戶日志記錄和切換命令更改名稱為SU "
egrep -q "^(\s*)SULOG_FILE\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)SULOG_FILE\s+\S*(\s*#.*)?\s*$/\SULOG_FILE \/var\/log\/.history\/sulog/" /etc/login.defs || echo "SULOG_FILE /var/log/.history/sulog" >> /etc/login.defs
egrep -q "^\s*SU_NAME\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)SU_NAME\s+\S*(\s*#.*)?\s*$/\SU_NAME SU/" /etc/login.defs || echo "SU_NAME SU" >> /etc/login.defs
mkdir -vp /usr/local/bin /var/log/.backups /var/log/.history /var/log/.history/sulog
cp /usr/bin/su /var/log/.backups/su.bak
mv /usr/bin/su /usr/bin/SU
# 只能寫入不能洗掉其目標目錄中的檔案
# chmod -R 1777 /var/log/.history
chattr -R +a /var/log/.history
chattr +a /var/log/.backups
# (6) 用戶終端執行的歷史命令記錄
log::info "[-] 用戶終端執行的歷史命令記錄 "
egrep -q "^HISTSIZE\W\w+.*$" /etc/profile && sed -ri "s/^HISTSIZE\W\w+.*$/HISTSIZE=101/" /etc/profile || echo "HISTSIZE=101" >> /etc/profile
# 方式1
sudo tee /etc/profile.d/history-record.sh <<'EOF'
# 歷史命令執行記錄檔案路徑
LOGTIME=$(date +%Y%m%d-%H-%M-%S)
export HISTFILE="/var/log/.history/${USER}.${LOGTIME}.history"
if [ ! -f ${HISTFILE} ];then
touch ${HISTFILE}
fi
chmod 600 /var/log/.history/${USER}.${LOGTIME}.history
# 歷史命令執行檔案大小記錄設定
HISTFILESIZE=128
HISTTIMEFORMAT="%F_%T $(whoami)#$(who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'):"
EOF
# 方式2.未能成功(如后續有小伙伴成功了歡迎留言分享)
# sudo tee /usr/local/bin/history.sh <<'EOF'
# #!/bin/bash
# logfiletime=$(date +%Y%m%d-%H-%M-%S)
# # unalias "history"
# if [ $# -eq 0 ];then history;fi
# for i in $*;do
# if [ "$i" = "-c" ];then
# mv ~/.bash_history > /var/log/.history/${logfiletime}.history
# history -c
# continue;
# fi
# done
# alias history="source /usr/local/bin/history.sh"
# EOF
# (7) GRUB 安全設定 (需要手動設定請按照需求設定)
log::info "[-] 系統 GRUB 安全設定(防止物理接觸從grub選單中修改密碼) "
# Grub 關鍵檔案備份
cp -a /etc/grub.d/00_header /var/log/.backups
cp -a /etc/grub.d/10_linux /var/log/.backups
# 設定Grub選單界面顯示時間
sed -i -e 's|GRUB_TIMEOUT_STYLE=hidden|#GRUB_TIMEOUT_STYLE=hidden|g' -e 's|GRUB_TIMEOUT=0|GRUB_TIMEOUT=3|g' /etc/default/grub
sed -i -e 's|set timeout_style=${style}|#set timeout_style=${style}|g' -e 's|set timeout=${timeout}|set timeout=3|g' /etc/grub.d/00_header
# 創建認證密碼 (此處密碼: WeiyiGeek)
sudo grub-mkpasswd-pbkdf2
# Enter password:
# Reenter password:
# PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.21AC9CEF61B96972BF6F918D2037EFBEB8280001045ED32DFDDCC260591CC6BC8957CF25A6755904A7053E97940A9E4CD5C1EF833C1651C1BCF09D899BED4C7C.9691521F5BB34CD8AEFCED85F4B830A86EC93B61A31885BCBE3FEE927D54EFDEE69FA8B51DBC00FCBDB618D4082BC22B2B6BA4161C7E6B990C4E5CFC9E9748D7
# 設定認證用戶以及password_pbkdf2認證
tee -a /etc/grub.d/00_header <<'END'
cat <<'EOF'
# GRUB Authentication
set superusers="grub"
password_pbkdf2 grub grub.pbkdf2.sha512.10000.21AC9CEF61B96972BF6F918D2037EFBEB8280001045ED32DFDDCC260591CC6BC8957CF25A6755904A7053E97940A9E4CD5C1EF833C1651C1BCF09D899BED4C7C.9691521F5BB34CD8AEFCED85F4B830A86EC93B61A31885BCBE3FEE927D54EFDEE69FA8B51DBC00FCBDB618D4082BC22B2B6BA4161C7E6B990C4E5CFC9E9748D7
EOF
END
# 設定進入正式系統不需要認證如進入單用戶模式進行重置賬號密碼時需要進行認證, (高敏感資料庫系統不建議下述操作)
# 在191和193 分別加入--user=grub 和 --unrestricted
# 191 echo "menuentry --user=grub '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/" # 如果按e進行menu選單則需要用grub進行認證
# 192 else
# 193 echo "menuentry --unrestricted '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/" # 正常進入系統則不認證
sed -i '/echo "$title" | grub_quote/ { s/menuentry /menuentry --user=grub /;}' /etc/grub.d/10_linux
sed -i '/echo "$os" | grub_quote/ { s/menuentry /menuentry --unrestricted /;}' /etc/grub.d/10_linux
# Ubuntu 方式更新GRUB從而生成boot啟動檔案,
update-grub
# (8) 作業系統防火墻啟用以及策略設定
log::info "[-] 系統防火墻啟用以及規則設定 "
systemctl enable ufw.service && systemctl start ufw.service && ufw enable
sudo ufw allow proto tcp to any port 20211
# 重啟修改配置相關服務
systemctl restart sshd
}
## 名稱: os::Operation
## 用途: 作業系統安全運維設定
## 引數: 無
os::Operation () {
log::info "[-] 作業系統安全運維設定相關腳本"
# (0) 禁用ctrl+alt+del組合鍵對系統重啟 (必須要配置,我曾入過坑)
log::info "[-] 禁用控制臺ctrl+alt+del組合鍵重啟"
mv /usr/lib/systemd/system/ctrl-alt-del.target /var/log/.backups/ctrl-alt-del.target-$(date +%Y%m%d).bak
# (1) 設定檔案洗掉回收站別名
log::info "[-] 設定檔案洗掉回收站別名(防止誤刪檔案) "
sudo tee /etc/profile.d/alias.sh <<'EOF'
# User specific aliases and functions
# 洗掉回收站
# find ~/.trash -delete
# 洗掉空目錄
# find ~/.trash -type d -delete
alias rm="sh /usr/local/bin/remove.sh"
EOF
sudo tee /usr/local/bin/remove.sh <<'EOF'
#!/bin/sh
# 定義回收站檔案夾目錄.trash
trash="/.trash"
deltime=$(date +%Y%m%d-%H-%M-%S)
TRASH_DIR="${HOME}${trash}/${deltime}"
# 建立回收站目錄當不存在的時候
if [ ! -e ${TRASH_DIR} ];then
mkdir -p ${TRASH_DIR}
fi
for i in $*;do
if [ "$i" = "-rf" ];then continue;fi
# 防止誤操作
if [ "$i" = "/" ];then echo '# Danger delete command, Not delete / directory!';exit -1;fi
#定義秒時間戳
STAMP=$(date +%s)
#得到檔案名稱(非檔案夾),參考man basename
fileName=$(basename $i)
#將輸入的引數,對應檔案mv至.trash目錄,檔案后綴,為當前的時間戳
mv $i ${TRASH_DIR}/${fileName}.${STAMP}
done
EOF
sudo chmod +775 /usr/local/bin/remove.sh /etc/profile.d/alias.sh /etc/profile.d/history-record.sh
sudo chmod a+x /usr/local/bin/remove.sh /etc/profile.d/alias.sh /etc/profile.d/history-record.sh
source /etc/profile.d/alias.sh /etc/profile.d/history-record.sh
# (2) 解決普通定時任務無法后臺定時執行
log::info "[-] 解決普通定時任務無法后臺定時執行 "
linenumber=`expr $(egrep -n "pam_unix.so\s$" /etc/pam.d/common-session-noninteractive | cut -f 1 -d ":") - 2`
sudo sed -ri "${linenumber}a session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid" /etc/pam.d/common-session-noninteractive
# (3) 解決 ubuntu20.04 multipath add missing path 錯誤
# 添加以下內容,sda視本地環境做調整
tee -a /etc/multipath.conf <<'EOF'
blacklist {
devnode "^sda"
}
EOF
# 重啟multipath-tools服務
sudo service multipath-tools restart
# (4) 禁用 Ubuntu 中的 cloud-init
# 在 /etc/cloud 目錄下創建 cloud-init.disabled 檔案,注意重啟后生效
sudo touch /etc/cloud/cloud-init.disabled
}
## 名稱: os::optimizationn
## 用途: 作業系統優化設定(內核引數)
## 引數: 無
os::optimizationn () {
log::info "[-] 正在進行作業系統內核引數優化設定......."
# (1) 系統內核引數的配置(/etc/sysctl.conf)
log::info "[-] 系統內核引數的配置/etc/sysctl.conf"
# /etc/sysctl.d/99-kubernetes-cri.conf
egrep -q "^(#)?net.ipv4.ip_forward.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv4.ip_forward.*|net.ipv4.ip_forward = 1|g" /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# egrep -q "^(#)?net.bridge.bridge-nf-call-ip6tables.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.bridge.bridge-nf-call-ip6tables.*|net.bridge.bridge-nf-call-ip6tables = 1|g" /etc/sysctl.conf || echo "net.bridge.bridge-nf-call-ip6tables = 1" >> /etc/sysctl.conf
# egrep -q "^(#)?net.bridge.bridge-nf-call-iptables.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.bridge.bridge-nf-call-iptables.*|net.bridge.bridge-nf-call-iptables = 1|g" /etc/sysctl.conf || echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.conf
egrep -q "^(#)?net.ipv6.conf.all.disable_ipv6.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv6.conf.all.disable_ipv6.*|net.ipv6.conf.all.disable_ipv6 = 1|g" /etc/sysctl.conf || echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
egrep -q "^(#)?net.ipv6.conf.default.disable_ipv6.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv6.conf.default.disable_ipv6.*|net.ipv6.conf.default.disable_ipv6 = 1|g" /etc/sysctl.conf || echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
egrep -q "^(#)?net.ipv6.conf.lo.disable_ipv6.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv6.conf.lo.disable_ipv6.*|net.ipv6.conf.lo.disable_ipv6 = 1|g" /etc/sysctl.conf || echo "net.ipv6.conf.lo.disable_ipv6 = 1" >> /etc/sysctl.conf
egrep -q "^(#)?net.ipv6.conf.all.forwarding.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv6.conf.all.forwarding.*|net.ipv6.conf.all.forwarding = 1|g" /etc/sysctl.conf || echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.conf
egrep -q "^(#)?vm.max_map_count.*" /etc/sysctl.conf && sed -ri "s|^(#)?vm.max_map_count.*|vm.max_map_count = 262144|g" /etc/sysctl.conf || echo "vm.max_map_count = 262144" >> /etc/sysctl.conf
tee -a /etc/sysctl.conf <<'EOF'
# 調整提升服務器負載能力之外,還能夠防御小流量的Dos、CC和SYN攻擊
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
# net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_fastopen = 3
# 優化TCP的可使用埠范圍及提升服務器并發能力(注意一般流量小的服務器上沒必要設定如下引數)
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.ip_local_port_range = 1024 65535
# 優化核套接字TCP的快取區
net.core.netdev_max_backlog = 8192
net.core.somaxconn = 8192
net.core.rmem_max = 12582912
net.core.rmem_default = 6291456
net.core.wmem_max = 12582912
net.core.wmem_default = 6291456
EOF
# (2) Linux 系統的最大行程數和最大檔案打開數限制
log::info "[-] Linux 系統的最大行程數和最大檔案打開數限制"
egrep -q "^\s*ulimit -HSn\s+\w+.*$" /etc/profile && sed -ri "s/^\s*ulimit -HSn\s+\w+.*$/ulimit -HSn 65535/" /etc/profile || echo "ulimit -HSn 65535" >> /etc/profile
egrep -q "^\s*ulimit -HSu\s+\w+.*$" /etc/profile && sed -ri "s/^\s*ulimit -HSu\s+\w+.*$/ulimit -HSu 65535/" /etc/profile || echo "ulimit -HSu 65535" >> /etc/profile
tee -a /etc/security/limits.conf <<'EOF'
# ulimit -HSn 65535
# ulimit -HSu 65535
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
# End of file
EOF
# sed -i "/# End/i * soft nproc 65535" /etc/security/limits.conf
# sed -i "/# End/i * hard nproc 65535" /etc/security/limits.conf
sysctl -p
# 需重啟生效
reboot
}
## 名稱: system::swap
## 用途: Liunx 系統創建SWAP交換磁區(默認2G)
## 引數: $1(幾G)
system::swap () {
if [ -e $1 ];then
sudo dd if=/dev/zero of=/swapfile bs=1024 count=2097152 # 2G Swap 磁區 1024 * 1024 , centos 以 1000 為標準
else
number=$(echo "${1}*1024*1024"|bc)
sudo dd if=/dev/zero of=/swapfile bs=1024 count=${number} # 2G Swap 磁區 1024 * 1024 , centos 以 1000 為標準
fi
sudo mkswap /swapfile && sudo swapon /swapfile
if [ $(grep -c "/swapfile" /etc/fstab) -eq 0 ];then
sudo tee -a /etc/fstab <<'EOF'
/swapfile swap swap default 0 0
EOF
fi
sudo swapon --show && sudo free -h
}
## 名稱: software::Java
## 用途: java 環境安裝配置
## 引數: 無
software::Java () {
# 基礎變數
JAVA_FILE="/root/Downloads/jdk-8u211-linux-x64.tar.gz"
JAVA_SRC="https://www.cnblogs.com/usr/local/"
JAVA_DIR="/usr/local/jdk"
# 環境配置
sudo tar -zxvf ${JAVA_FILE} -C ${JAVA_SRC}
sudo rm -rf /usr/local/jdk
JAVA_SRC=https://www.cnblogs.com/WeiyiGeek/archive/2022/04/11/$(ls /usr/local/ | grep"jdk")
sudo ln -s ${JAVA_SRC} ${JAVA_DIR}
export PATH=${JAVA_DIR}/bin:${PATH}
sudo cp /etc/profile /etc/profile.$(date +%Y%m%d-%H%M%S).bak
sudo tee -a /etc/profile <<'EOF'
export JAVA_HOME=/usr/local/jdk
export JRE_HOME=/usr/local/jdk/jre
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export PATH=$JAVA_HOME/bin:$PATH
EOF
java -version
}
## 名稱: software::docker
## 用途: 軟體安裝之Docker安裝
## 引數: 無
# 幫助: https://docs.docker.com/engine/install/ubuntu/
# Ubuntu Focal 20.04 (LTS)
# Ubuntu Bionic 18.04 (LTS)
# Ubuntu Xenial 16.04 (LTS)
function InstallDocker(){
# 1.卸載舊版本
sudo apt-get remove docker docker-engine docker.io containerd runc
# 2.更新apt包索引并安裝包以允許apt在HTTPS上使用存盤庫
sudo apt-get install -y \
apt-transport-https \
ca-certificates \
curl \
gnupg-agent \
software-properties-common
# 3.添加Docker官方GPG密鑰 # -fsSL
sudo curl https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
# 4.通過搜索指紋的最后8個字符進行密鑰驗證
sudo apt-key fingerprint 0EBFCD88
# 5.設定穩定存盤庫
sudo add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable"
# 6.Install Docker Engine 默認最新版本
sudo apt-get update && sudo apt-get install -y docker-ce=5:20.10.7~3-0~ubuntu-focal docker-ce-cli=5:20.10.7~3-0~ubuntu-focal containerd.io docker-compose
# - 強制IPv4
# sudo apt-get -o Acquire::ForceIPv4=true install -y docker-ce=5:19.03.15~3-0~ubuntu-focal docker-ce-cli=5:19.03.15~3-0~ubuntu-focal containerd.io docker-compose
# 7.安裝特定版本的Docker引擎,請在repo中列出可用的版本
apt-cache madison docker-ce
# docker-ce | 5:20.10.6~3-0~ubuntu-focal| https://download.docker.com/linux/ubuntu focal/stable amd64 Packages
# docker-ce | 5:19.03.15~3-0~ubuntu-focal | https://download.docker.com/linux/ubuntu xenial/stable amd64 Packages
# 使用第二列中的版本字串安裝特定的版本,例如:5:18.09.1~3-0~ubuntu-xenial,
# $sudo apt-get install docker-ce=<VERSION_STRING> docker-ce-cli=<VERSION_STRING> containerd.io
#8.將當前用戶加入docker用戶組然后重新登陸當前用戶使得低權限用戶
sudo gpasswd -a ${USER} docker
# sudo gpasswd -a weiyigeek docker
#9.加速器建立
mkdir -vp /etc/docker/
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://xlx9erfu.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"storage-driver": "overlay2",
"log-driver": "json-file",
"log-level": "warn",
"log-opts": {
"max-size": "100m",
"max-file": "10"
},
"live-restore": true,
"dns": ["192.168.10.254","223.6.6.6"]
}
EOF
# "data-root":"/monitor/container",
# "insecure-registries": ["harbor.weiyigeek.top"]
# 9.自啟與啟動
sudo systemctl daemon-reload
sudo systemctl enable docker
sudo systemctl restart docker
# 10.退出登陸生效
exit
}
## 名稱: disk::Lvsmanager
## 用途: uBuntu作業系統磁盤 LVS 邏輯卷添加與配置(擴容流程)
## 引數: 無
disk::Lvsmanager () {
echo "\n磁區資訊:"
sudo df -Th
sudo lsblk
echo -e "\n 磁盤資訊:"
sudo fdisk -l
echo -e "\n PV物理卷查看:"
sudo pvscan
echo -e "\n vgs虛擬卷查看:"
sudo vgs
echo -e "\n lvscan邏輯卷掃描:"
sudo lvscan
echo -e "\n 磁區擴展"
echo "Ubuntu \n lvextend -L +74G /dev/ubuntu-vg/ubuntu-lv"
echo "lsblk"
echo -e "ubuntu general \n # resize2fs -p -F /dev/mapper/ubuntu--vg-ubuntu--lv"
}
# 安全加固程序臨時檔案清理為基線鏡像做準備
unalias rm
find ~/.trash/* -delete
find /home/ -type d -name .trash -exec find {} -delete \;
find /var/log -name "*.gz" -delete
find /var/log -name "*log.*" -delete
find /var/log -name "vmware-*.*.log" -delete
find /var/log -name "*.log-*" -delete
find /var/log -name "*.log" -exec truncate -s 0 {} \;
find /tmp/* -delete
至此 Ubuntu 安全加固腳本完畢,
原文地址: Linux與Windows服務器作業系統安全防御實踐指南 ( https://blog.weiyigeek.top/2020/10-13-585.html )
文章書寫不易,如果您覺得這篇文章還不錯的,請給這篇專欄 【點個贊、投個幣、收個藏、關個注,轉個發】(人間五大情),這將對我的肯定,謝謝!,
本文章來源 我的Blog站點 或 WeiyiGeek 公眾賬號 以及 我的BiliBili專欄 (
技術交流、友鏈交換請郵我喲),謝謝支持!(?′?‵?) ?
歡迎各位志同道合的朋友一起學習交流,如文章有誤請留下您寶貴的知識建議,通過郵箱【master#weiyigeek.top】聯系我喲!
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/458017.html
標籤:其他
上一篇:關于免費下載收費網站論文