#!/bin/env bash
##author fang for centos7
##cron
rm -f /etc/cron.deny
rm -f /etc/at.deny
touch /etc/cron.allow
touch /etc/at.allow
chmod 0600 /etc/cron.allow
chmod 0600 /etc/at.allow
##sysctl
cat >> /etc/sysctl.conf <<EOF
#secure config
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
EOF
sysctl -p
##ssh
grep 'Protocol' /etc/ssh/sshd_config || echo "Protocol 2" >> /etc/ssh/sshd_config
sed -i 's/^#LogLevel INFO/LogLevel INFO/' /etc/ssh/sshd_config
sed -i 's/^#IgnoreRhosts/IgnoreRhosts/' /etc/ssh/sshd_config
sed -i 's/^#HostbasedAuthentication/HostbasedAuthentication/' /etc/ssh/sshd_config
sed -i 's/^#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config
sed -i 's/^#PermitUserEnvironment no/PermitUserEnvironment no/' /etc/ssh/sshd_config
sed -i 's/^#LoginGraceTime 2m/LoginGraceTime 2m/' /etc/ssh/sshd_config
sed -i 's/^#MaxAuthTries 6/MaxAuthTries 3/' /etc/ssh/sshd_config
##userpasswd
sed -i 's/# minlen = 9/minlen = 10/' /etc/security/pwquality.conf
sed -i 's/# dcredit = 1/dcredit = -1/' /etc/security/pwquality.conf
sed -i 's/# ucredit = 1/ucredit = -1/' /etc/security/pwquality.conf
sed -i 's/# lcredit = 1/lcredit = -1/' /etc/security/pwquality.conf
sed -i 's/# ocredit = 1/ocredit = -1/' /etc/security/pwquality.conf
sed -i '/PASS_MAX_DAYS/s/99999/90/' /etc/login.defs
sed -i '/PASS_MIN_DAYS/s/0/7/' /etc/login.defs
sed -i '/PASS_MIN_LEN/s/5/12/' /etc/login.defs
sed -i '/PASS_WARN_AGE/s/7/30/' /etc/login.defs
useradd -D -f 1095
##Centos base config
cat >> /etc/pam.d/system-auth <<EOF
password sufficient pam_unix.so remember=3
EOF
echo -e "\$FileCreateMode 0640" >> /etc/rsyslog.conf
chmod 0600 /boot/grub2/grub.cfg
chmod 0600 /etc/crontab
chmod 0600 /etc/cron.hourly
chmod 0600 /etc/cron.daily
chmod 0600 /etc/cron.weekly
chmod 0600 /etc/cron.monthly
chmod 0600 /etc/cron.d
仅供参考、不喜勿喷,每行含义就不一一注释了,还有一些并没有写入,看情况加
557
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
