新建Redhat Linux系统在投产前需要做一些初始化设置,包括主机名称、新建用户、sudo配置、访问控制、口令策略、关键目录权限控制等等。用脚本实现比较节省时间,同时也能记录设置的内容。工作环境中使用的Redhat Linux 版本是 Redhat5.8和 Redhat6.4 ,多少有点儿区别,修改一下也可以应用到其他版本。需要注意:下面两个脚本都会停用 iptables 防火墙,6.4 版本还会把 SELinux 设为 disabled,这两项会降低主机的防护能力,是否保留应按所在环境评估;脚本用 sed -i 直接修改系统文件,只适合在新装系统上执行一次,执行前先确认脚本中的主机名、NTP 服务器地址和管理员口令已经改成实际值。
Redhat Linux 安全设置脚本
1.init-config-redhat-v5.8.sh 针对 Redhat 5.8 版本
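#!/bin/bash
# init-config-redhat-v5.8.sh -- post-install baseline for Red Hat Enterprise Linux 5.8.
#
# Run once, as root, on a freshly installed host. The steps are the ones the
# original script performed (hostname, /etc/hosts, admin account + sudo, staff
# group, TMOUT, history timestamps, NTP, umask, pam_tally2 lockout, pam_cracklib
# password policy, login.defs ageing, sshd hardening, /etc/passwd|shadow|group
# modes, Ctrl-Alt-Del, iptables), fixed so that each one is validated and
# actually takes effect. Note the original first line was "#/bin/bash" (no "!"),
# i.e. a comment, not a shebang.
#
# Operator input (environment variables):
#   NEW_HOSTNAME       hostname to set; the script refuses to run while it is
#                      still the placeholder "xxxxx"
#   OSMASTER_PASSWORD  initial password for the admin account; prompted for on
#                      the terminal when unset (never hard-code it in the file)
#   NTP_SERVER         internal NTP server (default 10.10.10.10 -- change it)
#   DISABLE_FIREWALL   yes|no, default "yes" (what the original script did)
#
# NOTE(review): stopping iptables is not a hardening step; it is kept only
# because the original did it. Set DISABLE_FIREWALL=no unless an application
# genuinely requires it.
#
# Every edit is guarded so a second run does not append duplicate lines, but
# the script is still meant for a fresh install.

set -u

NEW_HOSTNAME=${NEW_HOSTNAME:-xxxxx}
ADMIN_USER=osmaster
STAFF_GID=200
NTP_SERVER=${NTP_SERVER:-10.10.10.10}
DISABLE_FIREWALL=${DISABLE_FIREWALL:-yes}
SSHD_CONFIG=/etc/ssh/sshd_config

die()  { printf 'ERROR: %s\n' "$*" >&2; exit 1; }
warn() { printf 'WARNING: %s\n' "$*" >&2; }

# append_once FILE LINE -- append LINE to FILE unless an identical line exists.
append_once() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# set_sshd KEY VALUE -- make "KEY VALUE" the active setting in sshd_config:
# rewrites an existing (possibly commented-out) KEY line, otherwise appends one.
# Appending is only correct while sshd_config has no trailing Match block (the
# stock 5.8 file has none).
set_sshd() {
  local key=$1 value=$2
  if grep -q "^#\?[[:space:]]*${key}[[:space:]]" "$SSHD_CONFIG"; then
    sed -i "s|^#\?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

[[ $EUID -eq 0 ]] || die "run this script as root"
[[ $NEW_HOSTNAME != xxxxx ]] || die "set NEW_HOSTNAME (it is still the placeholder xxxxx)"
[[ $NEW_HOSTNAME =~ ^[A-Za-z0-9.-]+$ ]] || die "NEW_HOSTNAME contains characters not valid in a hostname"

#1. hostname: persist it and apply it to the running kernel.
sed -i "s/^HOSTNAME=.*/HOSTNAME=${NEW_HOSTNAME}/" /etc/sysconfig/network
grep -q '^HOSTNAME=' /etc/sysconfig/network || echo "HOSTNAME=${NEW_HOSTNAME}" >> /etc/sysconfig/network
hostname "$NEW_HOSTNAME"

#2. /etc/hosts: "<eth0 IPv4> <hostname>" on line 1. The original appended
# $HOSTNAME, which bash sets at shell start-up and which therefore still held
# the OLD name after `hostname` above -- so the new name is written explicitly.
IP=$(ifconfig eth0 | grep 'inet addr:' | awk -F ":" '{print $2}' | awk '{print $1}')
[[ -n $IP ]] || die "could not read the IPv4 address of eth0"
if ! grep -q "^${IP}[[:space:]]" /etc/hosts; then
  sed -i "1i${IP} ${NEW_HOSTNAME}" /etc/hosts
  # The original also commented out whatever is now line 3. This is positional
  # (on a stock file it is a header comment or the ::1 entry) -- check the
  # result on a non-stock /etc/hosts.
  sed -i '3{s/^/#/}' /etc/hosts
fi

#3. admin account. The password is no longer hard-coded in the script: it comes
# from OSMASTER_PASSWORD or a terminal prompt, is passed to passwd on stdin
# (not on the command line, where ps would show it), and the account must
# change it at first login (chage -d 0).
echo ===添加osmaster账户===
id "$ADMIN_USER" >/dev/null 2>&1 || useradd "$ADMIN_USER" || die "useradd ${ADMIN_USER} failed"
if [[ -z ${OSMASTER_PASSWORD:-} ]]; then
  read -rs -p "Initial password for ${ADMIN_USER}: " OSMASTER_PASSWORD </dev/tty || die "no password supplied"
  echo
fi
[[ -n $OSMASTER_PASSWORD ]] || die "empty password for ${ADMIN_USER}"
printf '%s\n' "$OSMASTER_PASSWORD" | passwd --stdin "$ADMIN_USER" >/dev/null || die "passwd ${ADMIN_USER} failed"
unset OSMASTER_PASSWORD
chage -d 0 "$ADMIN_USER"

#4. sudo: add the entry after root's line, then verify with visudo -c. A syntax
# error in sudoers disables sudo for everyone, which together with
# PermitRootLogin=no below would leave no way to get privileged access.
echo ===sudo配置===
if ! grep -q "^${ADMIN_USER}[[:space:]]" /etc/sudoers; then
  cp -p /etc/sudoers /etc/sudoers.pre-init
  chmod u+w /etc/sudoers
  sed -i "/root\tALL=(ALL)/ a ${ADMIN_USER} ALL=(ALL) ALL" /etc/sudoers
  chmod u-w /etc/sudoers
  if ! visudo -cf /etc/sudoers >/dev/null; then
    cp -p /etc/sudoers.pre-init /etc/sudoers
    die "/etc/sudoers failed visudo -c; original restored"
  fi
  grep -q "^${ADMIN_USER}[[:space:]]" /etc/sudoers || warn "root's line not found in /etc/sudoers; ${ADMIN_USER} was NOT granted sudo"
fi

#5. staff group (GID 200) with the admin user in it. -a keeps any other
# supplementary groups instead of replacing the list.
getent group staff >/dev/null || groupadd -g "$STAFF_GID" staff || die "groupadd staff failed (GID ${STAFF_GID} already in use?)"
usermod -aG staff "$ADMIN_USER"

#6. idle-session timeout. `readonly` stops users from unsetting TMOUT in their
# own shell; the original exported it without making it read-only.
append_once /etc/profile 'TMOUT=600'
append_once /etc/profile 'readonly TMOUT'
append_once /etc/profile 'export TMOUT'

#7. timestamps in shell history.
append_once /etc/bashrc 'export HISTTIMEFORMAT="%F %T"'

#8. time sync against the internal NTP server (set NTP_SERVER!). The RTC is
# only written after a successful step, so a failed ntpdate does not save a
# wrong time to hardware.
service ntpd stop
sed -i 's/^server [0-9]\.rhel\.pool\.ntp\.org/#&/' /etc/ntp.conf
append_once /etc/ntp.conf "server ${NTP_SERVER}"
if ntpdate -s "$NTP_SERVER"; then
  hwclock -w
else
  warn "ntpdate against ${NTP_SERVER} failed -- clock not stepped; check NTP_SERVER"
fi
chkconfig ntpd on
service ntpd start
date

#9. default umask 027 for bash shells.
append_once /etc/bashrc 'umask 027'

#10. lockout after 10 failed logins (pam_tally2). The original appended the auth
# line to the END of system-auth, i.e. after `auth sufficient pam_unix.so`: a
# correct password then returns success before pam_tally2 is consulted, so the
# lock never denied anyone. The line must precede pam_unix in the auth stack,
# and an `account` line is needed to reset the counter on successful login.
# sshd on RHEL 5 includes system-auth, so editing that one file is enough.
# A `required` line naming a module that is not installed fails every login,
# hence the existence check (confirm pam_tally2.so is shipped on this 5.x build).
TALLY_AUTH='auth        required      pam_tally2.so onerr=fail deny=10 unlock_time=180 root_unlock_time=1'
TALLY_ACCT='account     required      pam_tally2.so'
if ls /lib*/security/pam_tally2.so >/dev/null 2>&1; then
  pam_file=/etc/pam.d/system-auth
  if ! grep -q pam_tally2 "$pam_file"; then
    sed -i "/^auth[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/i ${TALLY_AUTH}" "$pam_file"
    sed -i "/^account[[:space:]]\+required[[:space:]]\+pam_unix\.so/i ${TALLY_ACCT}" "$pam_file"
    grep -q pam_tally2 "$pam_file" || warn "pam_unix lines not found in ${pam_file}; lockout NOT configured"
  fi
else
  warn "pam_tally2.so not installed; login lockout NOT configured"
fi

#11. password complexity. On the stock authconfig-generated file the fields are
# separated by runs of spaces, so the original pattern `password requisite`
# (one space) matched nothing and the policy was silently never applied. The
# pam_cracklib line is rewritten in place and the result is checked.
CRACKLIB='password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8'
sed -i "s/^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so.*/${CRACKLIB}/" /etc/pam.d/system-auth
grep -qF "$CRACKLIB" /etc/pam.d/system-auth || warn "pam_cracklib line not found in system-auth; password policy NOT applied"

#12. password ageing for accounts created from now on; applied explicitly to
# the admin account, which was created above before login.defs changed.
sed -i 's/^PASS_MAX_DAYS[[:space:]]\+[0-9]\+/PASS_MAX_DAYS\t90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS[[:space:]]\+[0-9]\+/PASS_MIN_DAYS\t2/' /etc/login.defs
chage -M 90 -m 2 "$ADMIN_USER"

#13. unneeded services.
service sendmail stop
chkconfig sendmail off
service bluetooth stop
chkconfig bluetooth off

#14/#15. sshd hardening. The original edited sshd_config but never reloaded
# sshd, so nothing took effect until the next reboot. The file is validated
# with `sshd -t` (and restored on failure) before the reload. A reload keeps the
# current session alive -- verify in a SECOND session that the admin user can
# log in and sudo before closing this one, because root can no longer ssh in.
# RhostsAuthentication is a deprecated keyword kept from the original; sshd
# logs it and ignores it, and `sshd -t` is what decides whether it is accepted.
cp -p "$SSHD_CONFIG" "${SSHD_CONFIG}.pre-init"
set_sshd PermitRootLogin no
set_sshd IgnoreRhosts yes
set_sshd RhostsRSAAuthentication no
set_sshd HostbasedAuthentication no
set_sshd RhostsAuthentication no
set_sshd PermitEmptyPasswords no
set_sshd Banner /etc/motd
if /usr/sbin/sshd -t; then
  service sshd reload
else
  cp -p "${SSHD_CONFIG}.pre-init" "$SSHD_CONFIG"
  die "sshd_config failed 'sshd -t'; original restored, sshd not reloaded"
fi

#16. account database permissions. A stock RHEL 5 install ships /etc/shadow
# with mode 0400 (root bypasses DAC anyway), so the original's `chmod 600`
# loosened it; 0400 matches the stock mode. /etc/gshadow gets the same
# treatment as /etc/shadow.
chmod 0644 /etc/passwd
chmod 0400 /etc/shadow
chmod 0644 /etc/group
chmod 0400 /etc/gshadow

#17. Ctrl-Alt-Del: comment out the inittab entry and make init re-read inittab
# (`telinit q`), so it applies without a reboot -- the original only edited
# the file.
sed -i -e '/^ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ s/^/#/' /etc/inittab
telinit q

#18. iptables. Stopping the host firewall is NOT a hardening step; it is kept
# behind DISABLE_FIREWALL only because the original script did it.
if [[ $DISABLE_FIREWALL == yes ]]; then
  warn "stopping and disabling iptables (DISABLE_FIREWALL=yes)"
  service iptables stop
  chkconfig iptables off
fi

echo 配置完成!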
2.init-config-redhat-v6.4.sh 针对 Redhat 6.4 版本
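#!/bin/bash
# init-config-redhat-v6.4.sh -- post-install baseline for Red Hat Enterprise Linux 6.4.
#
# Run once, as root, on a freshly installed host. The steps are the ones the
# original script performed (hostname, /etc/hosts, admin account + sudo, staff
# group, SELinux/iptables switch, TMOUT, history timestamps, NTP, umask,
# pam_tally2 lockout, pam_cracklib password policy, login.defs ageing, sshd
# hardening, /etc/passwd|shadow|group modes, Ctrl-Alt-Del), fixed so that each
# one is validated and actually takes effect. Note the original first line was
# "#/bin/bash" (no "!"), i.e. a comment, not a shebang.
#
# Operator input (environment variables):
#   NEW_HOSTNAME       hostname to set; the script refuses to run while it is
#                      still the placeholder "xxxxx"
#   OSMASTER_PASSWORD  initial password for the admin account; prompted for on
#                      the terminal when unset (never hard-code it in the file)
#   NTP_SERVER         internal NTP server (default 10.10.10.10 -- change it)
#   DISABLE_SELINUX    yes|no, default "yes" (what the original script did)
#   DISABLE_FIREWALL   yes|no, default "yes" (what the original script did)
#
# NOTE(review): disabling SELinux and stopping iptables weaken the host; both
# are kept only because the original did them. Set the two variables to "no"
# unless an application genuinely requires it.
#
# Every edit is guarded so a second run does not append duplicate lines, but
# the script is still meant for a fresh install.

set -u

NEW_HOSTNAME=${NEW_HOSTNAME:-xxxxx}
ADMIN_USER=osmaster
STAFF_GID=200
NTP_SERVER=${NTP_SERVER:-10.10.10.10}
DISABLE_SELINUX=${DISABLE_SELINUX:-yes}
DISABLE_FIREWALL=${DISABLE_FIREWALL:-yes}
SSHD_CONFIG=/etc/ssh/sshd_config

die()  { printf 'ERROR: %s\n' "$*" >&2; exit 1; }
warn() { printf 'WARNING: %s\n' "$*" >&2; }

# append_once FILE LINE -- append LINE to FILE unless an identical line exists.
append_once() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# set_sshd KEY VALUE -- make "KEY VALUE" the active setting in sshd_config:
# rewrites an existing (possibly commented-out) KEY line, otherwise appends one.
# Appending is only correct while sshd_config has no trailing Match block (the
# stock 6.4 file has none).
set_sshd() {
  local key=$1 value=$2
  if grep -q "^#\?[[:space:]]*${key}[[:space:]]" "$SSHD_CONFIG"; then
    sed -i "s|^#\?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

[[ $EUID -eq 0 ]] || die "run this script as root"
[[ $NEW_HOSTNAME != xxxxx ]] || die "set NEW_HOSTNAME (it is still the placeholder xxxxx)"
[[ $NEW_HOSTNAME =~ ^[A-Za-z0-9.-]+$ ]] || die "NEW_HOSTNAME contains characters not valid in a hostname"

#1. hostname: persist it and apply it to the running kernel.
sed -i "s/^HOSTNAME=.*/HOSTNAME=${NEW_HOSTNAME}/" /etc/sysconfig/network
grep -q '^HOSTNAME=' /etc/sysconfig/network || echo "HOSTNAME=${NEW_HOSTNAME}" >> /etc/sysconfig/network
hostname "$NEW_HOSTNAME"

#2. /etc/hosts: "<eth0 IPv4> <hostname>" on line 1. The original appended
# $HOSTNAME, which bash sets at shell start-up and which therefore still held
# the OLD name after `hostname` above -- so the new name is written explicitly.
IP=$(ifconfig eth0 | grep 'inet addr:' | awk -F ":" '{print $2}' | awk '{print $1}')
[[ -n $IP ]] || die "could not read the IPv4 address of eth0"
if ! grep -q "^${IP}[[:space:]]" /etc/hosts; then
  sed -i "1i${IP} ${NEW_HOSTNAME}" /etc/hosts
  # The original also commented out whatever is now line 3. This is positional
  # (on a stock 6.4 file it is the `::1 localhost6 ...` entry) -- check the
  # result on a non-stock /etc/hosts.
  sed -i '3{s/^/#/}' /etc/hosts
fi

#3. admin account. The password is no longer hard-coded in the script: it comes
# from OSMASTER_PASSWORD or a terminal prompt, is passed to passwd on stdin
# (not on the command line, where ps would show it), and the account must
# change it at first login (chage -d 0).
echo ===添加osmaster账户===
id "$ADMIN_USER" >/dev/null 2>&1 || useradd "$ADMIN_USER" || die "useradd ${ADMIN_USER} failed"
if [[ -z ${OSMASTER_PASSWORD:-} ]]; then
  read -rs -p "Initial password for ${ADMIN_USER}: " OSMASTER_PASSWORD </dev/tty || die "no password supplied"
  echo
fi
[[ -n $OSMASTER_PASSWORD ]] || die "empty password for ${ADMIN_USER}"
printf '%s\n' "$OSMASTER_PASSWORD" | passwd --stdin "$ADMIN_USER" >/dev/null || die "passwd ${ADMIN_USER} failed"
unset OSMASTER_PASSWORD
chage -d 0 "$ADMIN_USER"

#4. sudo: add the entry after root's line, then verify with visudo -c. A syntax
# error in sudoers disables sudo for everyone, which together with
# PermitRootLogin=no below would leave no way to get privileged access.
echo ===sudo配置===
if ! grep -q "^${ADMIN_USER}[[:space:]]" /etc/sudoers; then
  cp -p /etc/sudoers /etc/sudoers.pre-init
  chmod u+w /etc/sudoers
  sed -i "/root\tALL=(ALL)/ a ${ADMIN_USER} ALL=(ALL) ALL" /etc/sudoers
  chmod u-w /etc/sudoers
  if ! visudo -cf /etc/sudoers >/dev/null; then
    cp -p /etc/sudoers.pre-init /etc/sudoers
    die "/etc/sudoers failed visudo -c; original restored"
  fi
  grep -q "^${ADMIN_USER}[[:space:]]" /etc/sudoers || warn "root's line not found in /etc/sudoers; ${ADMIN_USER} was NOT granted sudo"
fi

#5. staff group (GID 200) with the admin user in it. -a keeps any other
# supplementary groups instead of replacing the list.
getent group staff >/dev/null || groupadd -g "$STAFF_GID" staff || die "groupadd staff failed (GID ${STAFF_GID} already in use?)"
usermod -aG staff "$ADMIN_USER"

#6. SELinux (effective after reboot). Only /etc/selinux/config is edited: on a
# stock RHEL 6 install /etc/sysconfig/selinux is a symlink to it, and `sed -i`
# on a symlink replaces the link with a regular file, which is what the
# original's second sed did. The pattern is anchored so comment lines are not
# touched.
if [[ $DISABLE_SELINUX == yes ]]; then
  warn "disabling SELinux (DISABLE_SELINUX=yes)"
  sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
fi

#7. iptables. Stopping the host firewall is NOT a hardening step; it is kept
# behind DISABLE_FIREWALL only because the original script did it.
if [[ $DISABLE_FIREWALL == yes ]]; then
  warn "stopping and disabling iptables (DISABLE_FIREWALL=yes)"
  service iptables stop
  chkconfig iptables off
fi

#8. idle-session timeout. `readonly` stops users from unsetting TMOUT in their
# own shell; the original exported it without making it read-only.
append_once /etc/profile 'TMOUT=600'
append_once /etc/profile 'readonly TMOUT'
append_once /etc/profile 'export TMOUT'

#9. timestamps in shell history.
append_once /etc/bashrc 'export HISTTIMEFORMAT="%F %T"'

#10. time sync against the internal NTP server (set NTP_SERVER!). The RTC is
# only written after a successful step, so a failed ntpdate does not save a
# wrong time to hardware.
service ntpd stop
sed -i 's/^server [0-9]\.rhel\.pool\.ntp\.org/#&/' /etc/ntp.conf
append_once /etc/ntp.conf "server ${NTP_SERVER}"
if ntpdate -s "$NTP_SERVER"; then
  hwclock -w
else
  warn "ntpdate against ${NTP_SERVER} failed -- clock not stepped; check NTP_SERVER"
fi
chkconfig ntpd on
service ntpd start

#11. default umask 027 for bash shells.
append_once /etc/bashrc 'umask 027'

#12. lockout after 10 failed logins (pam_tally2). The original appended the auth
# line to the END of system-auth, i.e. after `auth sufficient pam_unix.so`: a
# correct password then returns success before pam_tally2 is consulted, so the
# lock never denied anyone. The line must precede pam_unix in the auth stack,
# and an `account` line is needed to reset the counter on successful login.
# sshd on RHEL 6 authenticates through password-auth, not system-auth, so both
# files are edited. (`sed -i` turns the system-auth/password-auth symlinks
# into regular files, which also keeps authconfig from overwriting the edit --
# confirm on your build.) A `required` line naming a module that is not
# installed fails every login, hence the existence check.
TALLY_AUTH='auth        required      pam_tally2.so onerr=fail deny=10 unlock_time=180 root_unlock_time=1'
TALLY_ACCT='account     required      pam_tally2.so'
if ls /lib*/security/pam_tally2.so >/dev/null 2>&1; then
  for pam_file in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
    [[ -f $pam_file ]] || continue
    grep -q pam_tally2 "$pam_file" && continue
    sed -i "/^auth[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/i ${TALLY_AUTH}" "$pam_file"
    sed -i "/^account[[:space:]]\+required[[:space:]]\+pam_unix\.so/i ${TALLY_ACCT}" "$pam_file"
    grep -q pam_tally2 "$pam_file" || warn "pam_unix lines not found in ${pam_file}; lockout NOT configured there"
  done
else
  warn "pam_tally2.so not installed; login lockout NOT configured"
fi

#13. password complexity. On the stock authconfig-generated files the fields
# are separated by runs of spaces, so the original pattern `password requisite`
# (one space) matched nothing and the policy was silently never applied. The
# pam_cracklib line is rewritten in place -- in password-auth too, because a
# password expired by chage -d 0 and changed over ssh goes through that stack.
CRACKLIB='password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8'
for pam_file in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
  [[ -f $pam_file ]] || continue
  sed -i "s/^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so.*/${CRACKLIB}/" "$pam_file"
  grep -qF "$CRACKLIB" "$pam_file" || warn "pam_cracklib line not found in ${pam_file}; password policy NOT applied there"
done

#14. password ageing for accounts created from now on; applied explicitly to
# the admin account, which was created above before login.defs changed.
sed -i 's/^PASS_MAX_DAYS[[:space:]]\+[0-9]\+/PASS_MAX_DAYS\t90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS[[:space:]]\+[0-9]\+/PASS_MIN_DAYS\t2/' /etc/login.defs
chage -M 90 -m 2 "$ADMIN_USER"

#15/#16. sshd hardening. The original edited sshd_config but never reloaded
# sshd, so nothing took effect until the next reboot. The file is validated
# with `sshd -t` (and restored on failure) before the reload. A reload keeps the
# current session alive -- verify in a SECOND session that the admin user can
# log in and sudo before closing this one, because root can no longer ssh in.
cp -p "$SSHD_CONFIG" "${SSHD_CONFIG}.pre-init"
set_sshd PermitRootLogin no
set_sshd IgnoreRhosts yes
set_sshd PermitEmptyPasswords no
set_sshd RhostsRSAAuthentication no
set_sshd HostbasedAuthentication no
set_sshd Banner /etc/motd
if /usr/sbin/sshd -t; then
  service sshd reload
else
  cp -p "${SSHD_CONFIG}.pre-init" "$SSHD_CONFIG"
  die "sshd_config failed 'sshd -t'; original restored, sshd not reloaded"
fi

#17. account database permissions. A stock RHEL 6 install ships /etc/shadow and
# /etc/gshadow with mode 0000 (root bypasses DAC anyway), so the original's
# `chmod 600 /etc/shadow` actually loosened it; 0000 matches the stock mode
# and the CIS RHEL 6 benchmark.
chmod 0644 /etc/passwd
chmod 0000 /etc/shadow
chmod 0644 /etc/group
chmod 0000 /etc/gshadow

#18. Ctrl-Alt-Del: replace the reboot with a log message (the CIS RHEL 6
# recommendation) and have upstart re-read the job, so it applies without a
# reboot. The original commented out the `start on` and `exec` lines, which
# only took effect at the next boot.
sed -i 's|^exec /sbin/shutdown -r now "Control-Alt-Delete pressed"|exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"|' /etc/init/control-alt-delete.conf
grep -q '^exec /usr/bin/logger' /etc/init/control-alt-delete.conf || warn "shutdown line not found in control-alt-delete.conf; Ctrl-Alt-Del NOT disabled"
initctl reload-configuration

echo ======配置完成!=====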