Centos/redhat 初始化脚本
Centos/Redhat初始化安全加固脚本
#!/bin/bash
#********************************************************************
#Author: wei
#********************************************************************
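#######################################
# Write a static ifcfg-eth0 and pin the kernel to legacy eth0 naming.
# Globals:   IP (written) - the address entered at the prompt
#            ETH0_PREFIX, ETH0_GATEWAY, ETH0_DNS1, ETH0_DNS2 (read, optional overrides)
# Arguments: none; prompts on stdin
# Outputs:   /etc/sysconfig/network-scripts/ifcfg-eth0, /etc/default/grub, grub.cfg
#######################################
eth0_modfiy () {
  local f
  local -r netdir=/etc/sysconfig/network-scripts
  # Accept only a dotted quad: the value is written verbatim into ifcfg-eth0, so
  # anything else would leave the host with a broken interface file after the
  # reboot at the end of the script. Octet range (0-255) is not checked.
  while :; do
    read -r -p "请输入IP:" IP
    [[ "$IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] && break
    printf 'invalid IPv4 address: %s\n' "$IP" >&2
  done
  # Back up each existing ifcfg-e* file on its own. The former
  # 'mv ifcfg-e* ifcfg-e*.bak' failed outright with more than one match and
  # otherwise renamed the file to a literal 'ifcfg-e*.bak'.
  for f in "$netdir"/ifcfg-e*; do
    [[ -e "$f" && "$f" != *.bak ]] || continue
    mv -- "$f" "$f.bak"
  done
  # Prefix/gateway/DNS keep the original hard-coded values unless overridden
  # from the environment, e.g. ETH0_GATEWAY=192.0.2.1 (constructed example).
  cat > "$netdir/ifcfg-eth0" <<EOF
NAME=eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=$IP
PREFIX=${ETH0_PREFIX:-24}
GATEWAY=${ETH0_GATEWAY:-10.0.0.2}
DNS1=${ETH0_DNS1:-223.6.6.6}
DNS2=${ETH0_DNS2:-180.76.76.76}
EOF
  nmcli con reload
  # net.ifnames=0 restores the eth0 name the file above depends on. Add it only
  # once so repeated runs do not keep appending to GRUB_CMDLINE_LINUX.
  # NOTE(review): assumes a BIOS-style grub.cfg location - confirm on UEFI hosts.
  if ! grep -q 'net.ifnames=0' /etc/default/grub; then
    sed -i.bak '/^GRUB_CMDLINE_LINUX/s/"$/ net.ifnames=0"/' /etc/default/grub
    grub2-mkconfig -o /boot/grub2/grub.cfg
  fi
}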
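#######################################
# Add the author's shell aliases and history timestamp format to ~/.bashrc.
# Globals:   HOME (read)
# Arguments: none
# Outputs:   appends to ~/.bashrc; each line is added at most once, so the
#            script can be re-run without accumulating duplicates.
#######################################
alias_add () {
  local -r rc="$HOME/.bashrc"
  local line
  # Lines are kept byte-for-byte; the backticked whoami in HISTTIMEFORMAT is
  # evaluated by the interactive shell each time history is displayed.
  local -a lines=(
    'alias date="date +%F_%T"'
    'alias vi="vim"'
    'alias cdnet="cd /etc/sysconfig/network-scripts/"'
    'alias th0="vi /etc/sysconfig/network-scripts/ifcfg-eth0"'
    'alias th1="vi /etc/sysconfig/network-scripts/ifcfg-eth1"'
    'export HISTTIMEFORMAT="%F %T `whoami` "'
    'alias scandisk="echo - - - > /sys/class/scsi_host/host0/scan;echo - - - >/sys/class/scsi_host/host1/scan;echo - - - > /sys/class/scsi_host/host2/scan"'
  )
  for line in "${lines[@]}"; do
    # -x/-F: whole-line, fixed-string match; grep's failure on a missing file is
    # the signal to create it.
    grep -qxF -- "$line" "$rc" 2>/dev/null || printf '%s\n' "$line" >> "$rc"
  done
}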
#######################################
# Stop firewalld now and keep it from starting at boot.
# Note: this removes host-based packet filtering entirely; anything listening
# on the host becomes reachable from every network it is attached to, so the
# step only makes sense where filtering is enforced elsewhere.
# Arguments: none
#######################################
firewall_dis () {
  # --now performs the stop in the same call as the disable.
  systemctl disable --now firewalld.service
}
#######################################
# Set SELINUX=disabled in /etc/selinux/config (effective after reboot).
# Note: this turns off mandatory access control for the whole host; a
# 'permissive' setting keeps the audit trail while still not blocking.
# NOTE(review): on RHEL/CentOS Stream 9 and later this file setting alone is
# reported not to disable SELinux (a kernel argument is needed) - confirm for
# the target release.
# Arguments: none
# Outputs:   rewrites /etc/selinux/config, keeping a .bak copy
#######################################
selinux_dis () {
  # Anchoring on ^SELINUX= replaces only the active setting line, not comments.
  sed -i.bak 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
}
#######################################
# Install a ~/.vimrc with basic editor settings and an auto-header for new
# *.sh files.
# Globals:   HOME (read)
# Arguments: none
# Outputs:   overwrites ~/.vimrc
#######################################
vim_rc () {
  # Quoted delimiter: the vimscript below is written literally, no shell
  # expansion takes place.
  cat > "$HOME/.vimrc" <<'EOF'
set ts=4
set expandtab
set ignorecase
set cursorline
set autoindent
autocmd BufNewFile *.sh exec ":call SetTitle()"
func SetTitle()
if expand("%:e") == 'sh'
call setline(1,"#!/bin/bash")
call setline(2,"#")
call setline(3,"#********************************************************************")
call setline(4,"#Author: wei")
call setline(5,"#********************************************************************")
call setline(6,"")
endif
endfunc
autocmd BufNewFile * normal G
EOF
}
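#######################################
# Turn off reverse-DNS lookups in sshd (UseDNS no) and restart sshd.
# Arguments: none
# Outputs:   edits /etc/ssh/sshd_config (keeps a .bak copy), restarts sshd
# Returns:   1 without restarting if the resulting config fails validation
#######################################
ssh_link () {
  local -r cfg=/etc/ssh/sshd_config
  cp -- "$cfg" "$cfg.bak"
  # sshd honours the first occurrence of a directive, so appending 'UseDNS no'
  # behind an existing 'UseDNS yes' would do nothing. Rewrite an existing line
  # (commented or not) in place and append only when none is present.
  if grep -qE '^[[:space:]]*#?[[:space:]]*UseDNS[[:space:]]' "$cfg"; then
    sed -i -E 's/^[[:space:]]*#?[[:space:]]*UseDNS[[:space:]].*/UseDNS no/' "$cfg"
  else
    printf '%s\n' 'UseDNS no' >> "$cfg"
  fi
  # Validate before restarting: a config error would stop sshd and lock out
  # remote access. daemon-reload only re-reads unit files, not sshd_config,
  # so it is not needed here.
  if sshd -t -f "$cfg"; then
    systemctl restart sshd
  else
    printf 'sshd_config failed validation; sshd not restarted\n' >&2
    return 1
  fi
}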
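#######################################
# Raise open-file and process limits for all users (and nproc for root).
# Arguments: none
# Outputs:   appends to /etc/security/limits.conf and
#            /etc/security/limits.d/20-nproc.conf, keeping .bak copies
#######################################
nofile_noproc () {
  local f line
  local -r limits=/etc/security/limits.conf
  local -r nproc=/etc/security/limits.d/20-nproc.conf
  # 20-nproc.conf is not shipped on every release; back up only what exists
  # (the append below creates the file if needed, as before).
  for f in "$limits" "$nproc"; do
    [[ -f "$f" ]] && cp -- "$f" "$f.bak"
  done
  # Add each limit line at most once so re-running does not stack duplicates;
  # printf replaces the non-portable 'echo -e'.
  for line in '* soft nofile 65535' '* hard nofile 65535'; do
    grep -qxF -- "$line" "$limits" 2>/dev/null || printf '%s\n' "$line" >> "$limits"
  done
  for line in '* soft nproc 20000' '* hard nproc 20000' \
              'root soft nproc 65535' 'root hard nproc 65535'; do
    grep -qxF -- "$line" "$nproc" 2>/dev/null || printf '%s\n' "$line" >> "$nproc"
  done
}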
#######################################
# Disable a fixed list of legacy/unwanted units at boot.
# Units that are not installed simply make systemctl report an error and the
# loop moves on, as the original one-call-per-line form did.
# NOTE(review): 'cpusrhnsd' does not look like a real unit name (possibly a
# typo) - confirm the intended unit.
# Arguments: none
#######################################
disable_service () {
  local unit
  for unit in yum-updatesd bluetooth ekrb5-telnet gssftp krb5-telnet \
              sendmail cpuspeed irqbalance ip6tables cpusrhnsd; do
    systemctl disable "$unit"
  done
}
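#######################################
# Password policy: ageing (login.defs), complexity (pwquality) and lockout
# after repeated failures (pam_faillock).
# Arguments: none
# Outputs:   edits /etc/login.defs, /etc/security/pwquality.conf,
#            /etc/pam.d/system-auth and /etc/pam.d/password-auth (.bak copies)
#######################################
user_time_complex () {
  local f kv
  # --- password validity period ---
  # Anchor on the key at line start and replace the whole value, so the policy
  # applies whatever the current setting is. The earlier s/99999/90/ style only
  # worked when the file still held the stock defaults.
  cp -- /etc/login.defs /etc/login.defs.bak
  sed -i \
    -e 's/^\(PASS_MAX_DAYS\)[[:space:]]\+.*/\1 90/' \
    -e 's/^\(PASS_MIN_DAYS\)[[:space:]]\+.*/\1 7/' \
    -e 's/^\(PASS_MIN_LEN\)[[:space:]]\+.*/\1 8/' \
    -e 's/^\(PASS_WARN_AGE\)[[:space:]]\+.*/\1 15/' \
    /etc/login.defs
  # --- password complexity ---
  # A negative credit requires at least one character of that class. On PAM
  # systems PASS_MIN_LEN is generally not enforced; minlen here is what gives
  # the 8-character floor. Each setting is added only if not already present.
  for kv in 'dcredit = -1' 'ucredit = -1' 'lcredit = -1' 'ocredit = -1' 'minlen = 8'; do
    grep -qxF -- "$kv" /etc/security/pwquality.conf 2>/dev/null \
      || printf '%s\n' "$kv" >> /etc/security/pwquality.conf
  done
  # --- lock the account after 6 failed attempts, unlock after 600 s ---
  # root is exempt because even_deny_root is not set. pam_faillock has to wrap
  # pam_unix: preauth before it, authfail after it, and an account entry after
  # pam_unix's account line. The previous version appended everything after
  # pam_deny.so (where it never takes effect), used single-space patterns that
  # do not match the multi-space layout of the stock files, and produced the
  # malformed control field 'requiredpam_faillock.so'.
  # Both files are handled the same way: password-auth is the stack sshd uses.
  # The 'audit' option logs failures to the journal; 'faillock --user NAME'
  # shows or resets a user's tally.
  # NOTE(review): on releases where these files are symlinks managed by
  # authconfig/authselect, sed -i replaces the link with a plain file and a
  # later tool run may overwrite the change - confirm for the target release.
  for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
    [[ -f "$f" ]] || continue
    # Already configured (earlier run or distro tooling): leave it untouched.
    grep -q 'pam_faillock.so' "$f" && continue
    cp -- "$f" "$f.bak"
    sed -i \
      -e '/^auth[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/i auth        required      pam_faillock.so preauth silent audit deny=6 unlock_time=600' \
      -e '/^auth[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/a auth        [default=die] pam_faillock.so authfail audit deny=6 unlock_time=600' \
      -e '/^account[[:space:]]\+required[[:space:]]\+pam_unix.so/a account     required      pam_faillock.so' \
      "$f"
  done
}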
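#######################################
# Entry point: run every hardening step in order, then reboot so the grub,
# SELinux and network changes take effect.
# Globals:   EUID (read)
# Arguments: passed through, currently unused
# Returns:   exits 1 before touching anything when not running as root
#######################################
main () {
  # Every step writes under /etc or manages units; refuse early instead of
  # failing halfway through and then rebooting the host.
  if (( EUID != 0 )); then
    printf 'this script must be run as root\n' >&2
    exit 1
  fi
  eth0_modfiy
  alias_add
  firewall_dis
  selinux_dis
  vim_rc
  ssh_link
  nofile_noproc
  disable_service
  user_time_complex
  reboot
}
main "$@"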