linux安全与优化脚本

安全配置内容:
1、删除系统特殊的用户与组
2、用户密码复杂性设置
3、ROOT用户自动注销配置
4、SSH服务禁止ROOT登录配置
5、禁止ctrl+alt+del重启计算机
6、su命令限制
7、登录信息删除
8、NFS访问
9、inetd设置     (未设置)
10、登录终端设置 (未设置)
11、阻止ping通本机
12、防止IP欺骗
13、防止DOS攻击
14、远程登录不显示系统信息
15、给系统重要文件加锁


优化配置内容:
1、虚拟内存优化
2、日志管理 (未设置)
3、硬盘优化 (未设置)


关于防火墙   (未设置)

未设置的全部待续

脚本编写:

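#!/bin/bash
#
#Author:diyulvshi
#
#LINUX system security and optimal
#
# Interactive menu.  Option 1 applies the hardening steps listed at the top
# of the page (account removal, password ageing, idle logout, sshd root
# login, ctrl-alt-del, su restriction, login banners, ICMP/host.conf/limits,
# telnet banner, NFS exports, file locking).  Option 2 writes
# /proc/sys/vm/freepages.  Option 0 exits.
#
# Every step writes under /etc, so options 1 and 2 refuse to run unless the
# script is invoked as root.  Config edits go through two helpers that use
# mktemp scratch files instead of predictable names such as
# /etc/login.defs1, and that skip lines which are already present, so the
# script can be re-run without stacking duplicate entries.
set -u

# Group allowed to use su (pam_wheel group=...).  The original used "isd";
# the step is skipped when the group does not exist, because pointing
# pam_wheel at a missing group locks every account out of su.
readonly SU_GROUP="isd"

# NFS export.  Left empty on purpose: the original wrote placeholder values
# ("/dir/to/export host1...") to /etc/exports.  Fill both in before use.
NFS_EXPORT_DIR=""
NFS_CLIENTS=()

# System accounts and groups the original script removes ("username" was a
# literal placeholder and has been dropped).  NOTE(review): distro packages
# may still expect lp/adm/news etc.; review this list for your system.
readonly -a DEL_USERS=(adm lp sync shutdown halt news uucp operator games gopher)
readonly -a DEL_GROUPS=(adm lp news uucp games dip)

# Password ageing values written to /etc/login.defs.
readonly PASS_MAX_DAYS=100
readonly PASS_MIN_DAYS=0
readonly PASS_MIN_LEN=10
readonly PASS_WARN_AGE=15

# Idle time in seconds after which a login shell is closed (TMOUT).
readonly IDLE_TIMEOUT=300

# Binaries whose setuid/setgid bit is cleared in lock_system_files.
readonly -a STRIP_SUID=(
  /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn
  /usr/bin/chsh /usr/bin/write /usr/sbin/usernetctl /usr/sbin/traceroute
  /bin/mount /bin/umount /bin/ping /sbin/netreport
)

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless running as root; every hardening step writes under /etc.
#######################################
require_root() {
  (( EUID == 0 )) || die "this option must be run as root"
}

#######################################
# Clear the screen, print "OK" for the previous step and announce the next.
# Arguments: $1 - message for the step about to run
#######################################
status() {
  clear
  tput cup 1 1
  echo "OK"
  tput cup 2 1
  echo -n "$1"
  sleep 1
}

#######################################
# Append a line to a file unless that exact line is already present, so a
# re-run does not stack duplicates.  Creates the file if it does not exist.
# Arguments: $1 - file, $2 - line
# Returns:   non-zero if the file cannot be written
#######################################
append_once() {
  local file=$1 line=$2
  if [[ -f "$file" ]] && grep -qxF -- "$line" "$file"; then
    return 0
  fi
  printf '%s\n' "$line" >> "$file"
}

#######################################
# Make FILE contain exactly one active "KEY VALUE" line: every line that
# starts with KEY is dropped and the new line is written at the top.  Top
# placement matters for sshd_config, where the first occurrence wins and a
# line appended at the end could land inside a Match block.  The edit goes
# through a mktemp scratch file and is copied back with cat so the target's
# owner and mode are preserved.
# Arguments: $1 - file (must exist), $2 - key (plain word, no regex
#            metacharacters), $3 - value (may contain spaces)
# Returns:   non-zero if the file is missing or cannot be written
#######################################
set_setting() {
  local file=$1 key=$2 value=$3
  local tmp rc
  [[ -f "$file" ]] || return 1
  tmp=$(mktemp) || return 1
  # grep exits 1 when every line is filtered out; that is not an error here.
  {
    printf '%s %s\n' "$key" "$value"
    grep -vE -- "^[[:space:]]*${key}([[:space:]]|$)" "$file"
  } > "$tmp"
  cat "$tmp" > "$file"
  rc=$?
  rm -f -- "$tmp"
  return "$rc"
}

#######################################
# Step 1: remove the accounts and groups in DEL_USERS / DEL_GROUPS.
# Only existing entries are touched, so userdel/groupdel never spam errors.
#######################################
remove_special_accounts() {
  local name
  for name in "${DEL_USERS[@]}"; do
    if id "$name" >/dev/null 2>&1; then
      userdel "$name"
    fi
  done
  for name in "${DEL_GROUPS[@]}"; do
    if getent group "$name" >/dev/null; then
      groupdel "$name"
    fi
  done
}

#######################################
# Step 2: password ageing / minimum length in /etc/login.defs.
#######################################
set_password_policy() {
  set_setting /etc/login.defs PASS_MAX_DAYS "$PASS_MAX_DAYS"
  set_setting /etc/login.defs PASS_MIN_DAYS "$PASS_MIN_DAYS"
  set_setting /etc/login.defs PASS_MIN_LEN "$PASS_MIN_LEN"
  set_setting /etc/login.defs PASS_WARN_AGE "$PASS_WARN_AGE"
}

#######################################
# Step 3: automatic logout of idle shells.
# The original overwrote all of /etc/profile with a stale copy, and wrote it
# to a misspelled path (/etc/porfile), so nothing took effect.  A
# profile.d snippet is sourced by every login shell and leaves the distro's
# own /etc/profile intact; readonly stops users from unsetting TMOUT.
#######################################
set_idle_timeout() {
  mkdir -p /etc/profile.d
  printf 'TMOUT=%d\nreadonly TMOUT\nexport TMOUT\n' "$IDLE_TIMEOUT" \
    > /etc/profile.d/tmout.sh
  chmod 644 /etc/profile.d/tmout.sh
}

#######################################
# Step 4: forbid root login over SSH.  The original wrote the misspelled
# keyword "PermitRoorLogin", which sshd ignores, so root login stayed open.
#######################################
harden_sshd() {
  set_setting /etc/ssh/sshd_config PermitRootLogin no || return 1
  # Surface a syntax problem now rather than at the next sshd restart.
  if command -v sshd >/dev/null 2>&1; then
    sshd -t || printf 'warning: sshd -t reports a problem in /etc/ssh/sshd_config\n' >&2
  fi
}

#######################################
# Step 5: disable ctrl-alt-del reboot.  SysV init reads /etc/inittab;
# systemd hosts have no such entry, so the target is masked there instead.
#######################################
disable_ctrl_alt_del() {
  local tmp
  if [[ -f /etc/inittab ]]; then
    tmp=$(mktemp) || return 1
    grep -v 'ca::ctrlaltdel:/sbin/shutdown' /etc/inittab > "$tmp"
    echo "#ca::ctrlaltdel:/sbin/shutdown -t3 -r now" >> "$tmp"
    cat "$tmp" > /etc/inittab
    rm -f -- "$tmp"
  fi
  if command -v systemctl >/dev/null 2>&1; then
    systemctl mask ctrl-alt-del.target >/dev/null 2>&1 || true
  fi
}

#######################################
# Step 6: only members of SU_GROUP may su.  The original lines lacked the
# space between the control word and the module path, which PAM cannot
# parse.  Bare module names are used so PAM finds them on any lib layout.
#######################################
restrict_su() {
  if ! getent group "$SU_GROUP" >/dev/null; then
    printf 'warning: group %s does not exist; su restriction skipped\n' "$SU_GROUP" >&2
    return 0
  fi
  append_once /etc/pam.d/su "auth sufficient pam_rootok.so debug"
  append_once /etc/pam.d/su "auth required pam_wheel.so group=${SU_GROUP}"
}

#######################################
# Step 7: empty the pre-login banners.  The original wrote kernel details
# into /etc/issue and then deleted and re-created both files, so the net
# effect was two empty files; this does that directly.
#######################################
clear_login_banners() {
  : > /etc/issue
  : > /etc/issue.net
}

#######################################
# Steps 11-14 plus NFS: ICMP echo, host.conf, limits.conf, telnet banner,
# /etc/exports.  Each sub-step prints its own progress line.
#######################################
restrict_network_access() {
  local host
  # Persist across reboots via rc.local and apply immediately as well.
  append_once /etc/rc.d/rc.local "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
  if [[ -w /proc/sys/net/ipv4/icmp_echo_ignore_all ]]; then
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
  fi
  tput cup 3 1
  echo -n "Prevention ping attack OK"
  sleep 1

  append_once /etc/host.conf "order bind,hosts"
  append_once /etc/host.conf "multi off"
  append_once /etc/host.conf "nospoof on"
  tput cup 4 1
  echo "Prevention ip deception OK"
  sleep 1

  # limits.conf entries need a domain field; the original omitted it, so
  # the lines were ignored.  "*" applies to every account, service accounts
  # included -- a 20-process cap may be too tight for some daemons.
  append_once /etc/security/limits.conf "* hard core 0"
  append_once /etc/security/limits.conf "* hard rss 5000"
  append_once /etc/security/limits.conf "* hard nproc 20"
  append_once /etc/pam.d/login "session required pam_limits.so"
  tput cup 5 1
  echo "Prevention DOS attack OK"
  sleep 1

  # Only add -h to an existing telnet service; appending a new line (as the
  # original did, without a trailing newline) would enable telnet where it
  # was not configured.
  if [[ -f /etc/inetd.conf ]] && grep -qE '^telnet[[:space:]]' /etc/inetd.conf; then
    set_setting /etc/inetd.conf telnet "stream tcp nowait root /usr/sbin/tcpd in.telnetd -h"
  fi
  tput cup 6 1
  echo "Telnet linding prohibit display system information OK"
  sleep 1

  # "(ro, root_squash)" with a space is not valid exports syntax.
  if [[ -n "$NFS_EXPORT_DIR" && ${#NFS_CLIENTS[@]} -gt 0 ]]; then
    for host in "${NFS_CLIENTS[@]}"; do
      append_once /etc/exports "${NFS_EXPORT_DIR} ${host}(ro,root_squash)"
    done
    exportfs -a
  else
    printf 'NFS export skipped: set NFS_EXPORT_DIR and NFS_CLIENTS in the script\n' >&2
  fi
  clear
  tput cup 7 1
  echo "Restrict NFS access OK"
  sleep 1
}

#######################################
# Step 15: immutable bits, init script permissions, setuid stripping.
# The original misspelled /etc/shadow and /etc/gshadow, so the two files
# that matter most were never locked.  NOTE: +i on passwd/shadow makes
# useradd/passwd fail until "chattr -i" is run.
#######################################
lock_system_files() {
  local f
  for f in /etc/passwd /etc/shadow /etc/gshadow /etc/group /etc/services; do
    [[ -e "$f" ]] && chattr +i "$f"
  done

  # Unmatched globs expand to themselves; the error is the only fallout.
  chmod -R 700 /etc/init.d/* /etc/rc.d/init.d/* 2>/dev/null

  for f in "${STRIP_SUID[@]}"; do
    [[ -e "$f" ]] && chmod a-s "$f"
  done

  if [[ -e /etc/grub.conf ]]; then
    chmod 600 /etc/grub.conf
    chattr +i /etc/grub.conf
  fi
  [[ -e /etc/inetd.conf ]] && chmod 600 /etc/inetd.conf
  return 0
}

#######################################
# Menu option 1: run every hardening step in the original order.
#######################################
harden_system() {
  require_root
  clear
  echo -n "system special user and group delete..."
  sleep 1
  remove_special_accounts

  status "user password legth set..."
  set_password_policy

  status "Account ${IDLE_TIMEOUT}s automatic cancellation..."
  set_idle_timeout

  status "SSH service prohibition root landing..."
  harden_sshd

  status "prohibition ctrl+alt+delete restart..."
  disable_ctrl_alt_del

  status "su restrictions..."
  restrict_su

  status "delete landing information..."
  clear_login_banners

  status "Restrict network access..."
  restrict_network_access

  status "System file secret..."
  lock_system_files

  clear
  tput cup 1 1
  echo "OK"
  tput cup 2 1
  echo -n "Please enter:"
  read -r _
  clear
}

#######################################
# Map the memory-size menu choice to the freepages triple.
# Arguments: $1 - choice (1..4)
# Outputs:   "min low high" on stdout
# Returns:   1 for any other choice
#######################################
freepages_for() {
  case "$1" in
    1) printf '%s\n' "2048 4096 6144" ;;
    2) printf '%s\n' "4096 8192 12288" ;;
    3) printf '%s\n' "6144 12288 18432" ;;
    4) printf '%s\n' "8192 16384 24576" ;;
    *) return 1 ;;
  esac
}

#######################################
# Menu option 2: write /proc/sys/vm/freepages.  That file only exists on
# old 2.2/2.4 kernels; on anything newer the step reports and changes
# nothing instead of failing silently.
#######################################
optimize_memory() {
  local size pages
  require_root
  clear
  tput cup 8 1
  echo "Memory optimization"
  tput cup 9 1
  echo -n "Please lnot memory size(1/2/3/4):"
  read -r size || return
  if ! pages=$(freepages_for "$size"); then
    clear
    tput cup 1 1
    echo -n "error please enter:"
    read -r _
    return
  fi
  clear
  if [[ -w /proc/sys/vm/freepages ]]; then
    echo "$pages" > /proc/sys/vm/freepages
  else
    printf '/proc/sys/vm/freepages is not present on this kernel; nothing changed\n' >&2
  fi
  clear
  tput cup 1 1
  echo "OK"
  sleep 1
}

#######################################
# Draw the top-level menu.
#######################################
draw_menu() {
  clear
  tput cup 3 12
  echo "system security and optimal"
  tput cup 4 10
  echo "1.System security"
  tput cup 5 10
  echo "2.System optimize"
  tput cup 6 10
  echo "0.exit"
  tput cup 7 10
  echo -n "Please type in the option:"
}

#######################################
# Menu loop.  EOF on stdin leaves the loop instead of spinning forever.
#######################################
main() {
  local choice
  while true; do
    draw_menu
    read -r choice || break
    case "$choice" in
      1) harden_system ;;
      2) optimize_memory ;;
      0)
        clear
        tput cup 12 12
        echo "Thank you usr 88"
        sleep 1
        clear
        exit 0
        ;;
      *) ;;
    esac
  done
}

main "$@"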
