阿里安骑士推荐的系统安全优化脚本

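#!/usr/bin/env bash
##author fang for centos7
# System hardening for CentOS 7: cron/at allow-lists, kernel network
# settings, sshd options, password policy, PAM password history, rsyslog
# file mode and cron file permissions.  Every step edits files under /etc
# (or /boot), so the script has to run as root.  The shebang uses
# /usr/bin/env: /bin/env exists only where /bin is merged into /usr/bin.

# Bail out early when not root; otherwise every step below fails one after
# another with "Permission denied" and nothing is reported clearly.
if (( EUID != 0 )); then
  printf 'error: %s must be run as root\n' "${0##*/}" >&2
  exit 1
fi

##cron
# Switch cron and at from deny-lists to allow-lists.  Without a *.deny file
# and with an empty *.allow file only root (which is always permitted) may
# use crontab(1) and at(1); grant a user access by adding the username, one
# per line, to the allow file.  The allow files are root-owned and mode
# 0600 so the list of permitted users is not disclosed.  Safe to re-run.
for deny_file in /etc/cron.deny /etc/at.deny; do
  rm -f -- "$deny_file"
done
for allow_file in /etc/cron.allow /etc/at.allow; do
  touch -- "$allow_file"
  chown root:root -- "$allow_file"
  chmod 0600 -- "$allow_file"
done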

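##sysctl
# Kernel network hardening: ignore ICMP redirects (incoming and outgoing,
# IPv4 and IPv6), enable reverse-path filtering, and ignore IPv6 router
# advertisements.  The block is appended to /etc/sysctl.conf only once,
# keyed on its "#secure config" marker, so re-running the script no longer
# stacks duplicate copies.  Settings the author left out on purpose can be
# added to the same here-doc.
sysctl_conf=/etc/sysctl.conf
sysctl_marker='#secure config'
# grep's own error is silenced so a missing sysctl.conf is simply created
# by the append below.
if ! grep -qF -- "$sysctl_marker" "$sysctl_conf" 2>/dev/null; then
  cat >> "$sysctl_conf" <<'EOF'
#secure config
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

EOF
fi
# Apply now; -p loads the file written above.  A non-zero status here
# typically means a key is absent on this host (e.g. the net.ipv6.* keys
# when IPv6 is disabled) rather than a syntax error.
sysctl -p "$sysctl_conf"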


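##ssh
# The original sed calls only activated the commented defaults shipped in
# sshd_config, so a directive already active with a different value was
# left untouched, and the Protocol check matched comment lines and printed
# them to stdout.  set_sshd_option handles the three cases: rewrite the
# active directive, activate the commented default, or add the line --
# before the first Match block, because directives after "Match" are
# scoped to it.
#
# Arguments: $1 - directive name in the canonical sshd_config case
#            $2 - value
#            $3 - config file (default /etc/ssh/sshd_config)
# Key and value must not contain sed metacharacters or '/'.  Only lines
# starting in column 0 count as top-level directives; indented lines inside
# Match blocks are left alone.
set_sshd_option() {
  local key=$1 value=$2
  local conf=${3:-/etc/ssh/sshd_config}
  if grep -qE "^${key}([[:space:]]|$)" "$conf"; then
    # Active top-level directive: rewrite it so sshd's first-match-wins
    # rule cannot pick up a stale value.
    sed -i -E "s/^${key}([[:space:]].*)?$/${key} ${value}/" "$conf"
  elif grep -qE "^#[[:space:]]*${key}([[:space:]]|$)" "$conf"; then
    # Only the commented default is present: activate it in place.
    sed -i -E "s/^#[[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/" "$conf"
  elif grep -qE '^Match([[:space:]]|$)' "$conf"; then
    # Insert before the first Match block.  GNU sed: "0,/re/" addresses
    # lines up to the first match only, and the empty s// pattern reuses
    # that regex; "&" is the matched "Match" text.
    sed -i "0,/^Match/s//${key} ${value}\n&/" "$conf"
  else
    printf '%s %s\n' "$key" "$value" >> "$conf"
  fi
}

# On OpenSSH 7.4 (CentOS 7) protocol 1 no longer exists, so "Protocol 2"
# is accepted but has no effect; it is kept because the checklist asks
# for it.
set_sshd_option Protocol 2
set_sshd_option LogLevel INFO
set_sshd_option IgnoreRhosts yes
set_sshd_option HostbasedAuthentication no
set_sshd_option PermitEmptyPasswords no
set_sshd_option PermitUserEnvironment no
set_sshd_option LoginGraceTime 2m
set_sshd_option MaxAuthTries 3

# Validate before applying: a broken sshd_config would otherwise only show
# up on the next sshd restart, possibly locking out remote access.  reload
# re-reads the config without dropping existing sessions.
if /usr/sbin/sshd -t; then
  systemctl reload sshd
else
  printf 'error: sshd_config failed validation; sshd not reloaded\n' >&2
  exit 1
fi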

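##userpasswd
# Password quality (pam_pwquality) and aging (login.defs) policy.  The
# original sed calls matched the shipped defaults textually ("# minlen = 9",
# the first "0" on the PASS_MIN_DAYS line, ...) and so did nothing on a
# host whose values had already been changed -- or rewrote the wrong digit
# (a "PASS_MIN_LEN 15" line would become "PASS_MIN_LEN 112").  The helpers
# below replace the whole value of a directive and append it when missing,
# so the script is idempotent and independent of the current values.

# Set "key = value" in pwquality.conf: rewrite an active line, else
# activate the commented default, else append.
# Arguments: $1 - key, $2 - value, $3 - config file (default
#            /etc/security/pwquality.conf).  Key and value must not contain
#            sed metacharacters or '/'.
set_pwquality() {
  local key=$1 value=$2
  local conf=${3:-/etc/security/pwquality.conf}
  if grep -qE "^[[:space:]]*${key}[[:space:]]*=" "$conf"; then
    sed -i -E "s/^[[:space:]]*${key}[[:space:]]*=.*/${key} = ${value}/" "$conf"
  elif grep -qE "^#[[:space:]]*${key}[[:space:]]*=" "$conf"; then
    sed -i -E "s/^#[[:space:]]*${key}[[:space:]]*=.*/${key} = ${value}/" "$conf"
  else
    printf '%s = %s\n' "$key" "$value" >> "$conf"
  fi
}

# Set "KEY<tab>value" in login.defs: rewrite the active line, else append.
# Only lines starting in column 0 are directives; the descriptive comments
# that mention the same names are left alone.
# Arguments: $1 - key, $2 - value, $3 - config file (default /etc/login.defs)
set_login_def() {
  local key=$1 value=$2
  local conf=${3:-/etc/login.defs}
  if grep -qE "^${key}[[:space:]]" "$conf"; then
    sed -i -E "s/^${key}[[:space:]].*/${key}\t${value}/" "$conf"
  else
    printf '%s\t%s\n' "$key" "$value" >> "$conf"
  fi
}

# Negative *credit values are minimum counts (at least one digit, upper,
# lower and other character); a positive value would only be a credit.
set_pwquality minlen 10
set_pwquality dcredit -1
set_pwquality ucredit -1
set_pwquality lcredit -1
set_pwquality ocredit -1

# Aging defaults apply to accounts created after this change only; use
# chage(1) for existing users.  minlen=10 above and PASS_MIN_LEN 12 here
# disagree; on a PAM system PASS_MIN_LEN is generally not consulted and
# pam_pwquality's minlen is what is enforced -- values kept as the author
# wrote them.
set_login_def PASS_MAX_DAYS 90
set_login_def PASS_MIN_DAYS 7
set_login_def PASS_MIN_LEN 12
set_login_def PASS_WARN_AGE 30

# useradd default INACTIVE: days after password expiry before the account
# is disabled (1095 = 3 years); written to /etc/default/useradd.
useradd -D -f 1095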

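##Centos base config
# Password history.  The original appended a new "password sufficient
# pam_unix.so remember=3" line to the end of system-auth; that line lands
# after "password required pam_deny.so", so the password stack never
# reaches it, and it also lacks the sha512/shadow/use_authtok options of
# the shipped line.  Add remember=3 to the existing pam_unix.so password
# line instead, once (re-running does not duplicate it).  --follow-symlinks
# keeps writing into the authconfig-managed target, as ">>" did; authconfig
# may still regenerate that file, so re-run this script after using it.
# password-auth (used by sshd/login) has the same stack and likely needs
# the same change -- TODO confirm against the site's PAM policy.
pam_system_auth=/etc/pam.d/system-auth
if grep -qE '^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so' "$pam_system_auth"; then
  sed -i --follow-symlinks -E \
    '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/{/remember=/!s/$/ remember=3/}' \
    "$pam_system_auth"
else
  printf 'warning: no "password sufficient pam_unix.so" line in %s; remember=3 not applied\n' \
    "$pam_system_auth" >&2
fi

# rsyslog creates new log files with this mode.  $FileCreateMode applies to
# the omfile actions that follow it in the config, so appended at the end
# of rsyslog.conf (as the original did) it affected no rule; rewrite an
# existing directive or insert one at the top.  (GNU sed's "1i" is a no-op
# on an empty file; rsyslog.conf is never empty on a stock install.)
rsyslog_conf=/etc/rsyslog.conf
if grep -q '^\$FileCreateMode' "$rsyslog_conf"; then
  sed -i 's/^\$FileCreateMode.*/$FileCreateMode 0640/' "$rsyslog_conf"
else
  sed -i '1i $FileCreateMode 0640' "$rsyslog_conf"
fi
systemctl restart rsyslog

# Bootloader config readable by root only.  /boot/grub2/grub.cfg exists on
# BIOS installs; on UEFI installs the config lives on the EFI system
# partition instead, so it is only touched when present.
if [[ -f /boot/grub2/grub.cfg ]]; then
  chmod 0600 /boot/grub2/grub.cfg
fi
chmod 0600 /etc/crontab
# The cron.* entries are directories: a directory needs the execute bit to
# be searchable, so 0700 (not the original 0600) is the correct "root only"
# mode for them.
for cron_dir in /etc/cron.hourly /etc/cron.daily /etc/cron.weekly \
                /etc/cron.monthly /etc/cron.d; do
  chmod 0700 -- "$cron_dir"
done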

仅供参考、不喜勿喷,每行含义就不一一注释了,还有一些并没有写入,看情况加