linux服务器基线脚本整改

1.适用于CentOS7系统

2.谨慎使用：脚本会直接改写 /etc/ssh、/etc/pam.d、/etc/sysctl.conf 等系统文件，如果有多台机器，建议先在一台上执行并验证（尤其是确认仍能以非 root 账号 SSH 登录）后再批量执行

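#!/bin/bash
# CentOS 7 baseline hardening script. Every section rewrites a system file
# in place after taking a timestamped backup, so it has to run as root.
# NOTE(review): deliberately no `set -e`: several steps (setenforce,
# sysctl -p) legitimately return non-zero on an already-hardened host.

## Global variables
# Backup suffix shared by every section. The original format string
# "%Y%m%d-%m%S" repeated the month and omitted hour/minute, so two runs in
# the same minute overwrote each other's backups; %H%M%S gives a real
# timestamp (YYYYMMDD-HHMMSS).
date=$(date +%Y%m%d-%H%M%S)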

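#1. File-descriptor / process limits
echo "[-] 句柄优化"
# Idempotence check: look for the exact nproc line this step writes instead
# of the bare number "655350", which could match an unrelated value.
if grep -qE '^\s*\*\s+hard\s+nproc\s+655350\b' /etc/security/limits.conf; then
  echo "OK"
else
  cp /etc/security/limits.conf "/etc/security/limits.conf_${date}.bak"
  # NOTE(review): "* soft/hard memlock unlimited" lets *every* local user pin
  # unbounded RAM; baselines normally grant this only to the specific
  # service account that needs it (e.g. a database user). Confirm and scope.
  # NOTE(review): CentOS 7 ships /etc/security/limits.d/20-nproc.conf, which
  # pam_limits reads after this file and which sets "* soft nproc 4096" —
  # the nproc values below are overridden for non-root users unless that
  # file is adjusted too; verify with `ulimit -u` as a normal user.
  # Quoted delimiter: nothing is expanded; lines start at column 0 so no
  # stray indentation ends up in the config file.
  cat >> /etc/security/limits.conf <<'EOF'
########################################
* soft nofile 655360
* hard nofile 655360
* soft nproc 655350
* hard nproc 655350
* soft memlock unlimited
* hard memlock unlimited
EOF
fi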

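#2. Disable direct root login over SSH
echo "[-] 禁止root用户远程登陆"
# NOTE(review): make sure a non-root account with sudo / key-based access
# exists *before* this runs, otherwise the host becomes unreachable.
cp -a /etc/ssh/sshd_config "/etc/ssh/sshd_config_${date}.bak"
if grep -qE '^\s*PermitRootLogin\s+' /etc/ssh/sshd_config; then
  sed -ri 's/^\s*PermitRootLogin\s+.+$/PermitRootLogin no/' /etc/ssh/sshd_config
elif grep -qE '^\s*Match\s' /etc/ssh/sshd_config; then
  # A directive appended after a "Match" block applies to that block only,
  # so insert it before the first Match line instead of at end-of-file.
  sed -i '0,/^\s*Match\s/s//PermitRootLogin no\n&/' /etc/ssh/sshd_config
else
  echo "PermitRootLogin no" >> /etc/ssh/sshd_config
fi
# Validate before restarting: restarting on a broken sshd_config leaves sshd
# down and the box unreachable (the original restarted unconditionally).
if sshd -t; then
  systemctl restart sshd > /dev/null 2>&1
else
  echo "sshd_config failed validation; sshd NOT restarted, see /etc/ssh/sshd_config_${date}.bak" >&2
fi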

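#3. Disable SELinux (persisted + for the running kernel)
echo "[-] 关闭并禁用SELINUX"
# NOTE(review): disabling SELinux is the opposite of what hardening
# baselines ask for — it removes mandatory access control from every
# service on the host. Keep "enforcing" unless a workload provably cannot
# run under it, and even then prefer "permissive" (logged) over "disabled".
# Left in place only because the rest of this script assumes it.
cp /etc/selinux/config "/etc/selinux/config_${date}.bak"
# Match whatever the current value is (enforcing OR permissive). The
# original pattern only replaced "enforcing", so a host already in
# permissive mode kept that setting while this step claimed "disabled".
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
# setenforce 0 only switches the running kernel to permissive; "disabled"
# takes effect at the next boot. It fails harmlessly if SELinux is
# already off.
setenforce 0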

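#4. Permissions on the account database files
echo "[-] 更改组密码权限"
# Ownership is asserted together with the mode: a non-root-owned shadow
# file is as bad as a world-readable one, and chmod alone does not fix it.
chown root:root /etc/passwd /etc/shadow /etc/group
chmod 0644 /etc/passwd
chmod 0400 /etc/shadow
chmod 0644 /etc/group
# The heading talks about "group password" permissions, but the group
# password hashes live in /etc/gshadow, which the original step skipped;
# lock it down the same way as /etc/shadow.
if [ -f /etc/gshadow ]; then
  chown root:root /etc/gshadow
  chmod 0400 /etc/gshadow
fi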

#5. Kernel (sysctl) tuning
echo "[-] 内核参数优化"
# The "add by FUNO" banner written below doubles as the idempotence marker.
if grep -q "FUNO" /etc/sysctl.conf 2>/dev/null; then
  echo "OK"
else
  cp -a /etc/sysctl.conf "/etc/sysctl.conf_${date}.bak"
  # Reviewer notes on the values below (kept verbatim; confirm with owner):
  #  - net.ipv4.ip_forward=1 turns the host into a router. Together with
  #    vm.max_map_count / inotify this looks like a container-node profile;
  #    on anything else a hardening baseline sets it to 0.
  #  - net.ipv4.conf.all.log_martians = 0 silences logging of packets with
  #    impossible source addresses; baselines normally set it to 1.
  #  - net.nf_conntrack_max makes `sysctl -p` print an error (and return
  #    non-zero) when the nf_conntrack module is not loaded; the script
  #    does not check that status.
  #  - net.ipv4.tcp_retries2 = 2 drops established connections after only
  #    a few seconds of packet loss — very aggressive for most services.
  #  - net.ipv4.ip_local_reserved_ports=2000-20000 sits inside
  #    ip_local_port_range and removes 18k ephemeral ports.
  #  - No rp_filter / accept_redirects / send_redirects settings, which
  #    most network hardening checklists include.
  # Quoted heredoc: identical bytes to the original echo, nothing expanded.
  cat >> /etc/sysctl.conf <<'EOF'
###    add by FUNO    ###
net.ipv4.conf.all.log_martians = 0
net.core.message_cost = 256
net.core.netdev_max_backlog = 4096
net.ipv4.tcp_max_syn_backlog = 2048
net.nf_conntrack_max = 1048576
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ipfrag_low_thresh = 262144
net.ipv4.ipfrag_high_thresh = 393216
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_intvl = 5
net.ipv4.tcp_keepalive_probes = 2
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_local_port_range = 1024 65535
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 87380 16777216
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_retries2 = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
fs.file-max = 655360
vm.overcommit_memory = 0
kernel.threads-max = 262144
kernel.pid_max = 131072
net.core.somaxconn = 2048
kernel.sem=250 32000 100 256
#vm.swappiness
vm.swappiness=0
vm.max_map_count=262144
net.ipv4.ip_forward=1
fs.inotify.max_user_watches=1048576
net.ipv4.ip_local_reserved_ports=2000-20000
EOF
  # Apply immediately; errors for unknown keys are printed but not fatal.
  sysctl -p
fi

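#6. Disable the Ctrl+Alt+Del reboot shortcut
echo "[-] 检查是否禁止ctrl+alt+del"
# This script targets CentOS 7, i.e. systemd, where /etc/inittab is not
# read at all. The original step appended "ca::ctrlaltdel:/sbin/shutdow"
# (also a typo for shutdown) to that file, which changed nothing. The
# systemd control is to mask ctrl-alt-del.target.
if [ "$(systemctl is-enabled ctrl-alt-del.target 2>/dev/null)" = "masked" ]; then
  echo "OK"
else
  systemctl mask ctrl-alt-del.target > /dev/null 2>&1
  # Pick the mask up in the running init without a reboot.
  systemctl daemon-reload
fi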

#7. Login notice
# NOTE(review): /etc/motd is displayed only *after* a successful login. A
# pre-authentication warning — what audit checklists usually mean by
# "login banner" — needs /etc/issue.net plus "Banner /etc/issue.net" in
# sshd_config; this step does not set those.
printf '%s\n' " Authorized users only. All activity may be monitored and reported " > /etc/motd

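#8. Password policy (login.defs + PAM)
# The notice describes what this step actually configures. The original
# text advertised minlen 15 / 3-password history / 3 attempts while the
# code set minlen 8 / remember=5 / deny=6; the code values are kept.
echo "[-] 用户口令复杂性策略设置 (密码最长使用期限90天、密码长度至少8、至少包含大写、小写、数字、特殊字符中的三类、新密码不能与最近5次相同、连续失败6次锁定120秒)"
cp -a /etc/login.defs "/etc/login.defs_${date}.bak"
# Key-based edits instead of the original "27s/5/8/" and "25s/99999/90/",
# which rewrote whatever happened to sit on those line numbers.
sed -ri 's/^(PASS_MAX_DAYS[[:space:]]+).*/\190/' /etc/login.defs
sed -ri 's/^(PASS_MIN_LEN[[:space:]]+).*/\18/' /etc/login.defs
cp -a /etc/pam.d/system-auth "/etc/pam.d/system-auth_${date}.bak"
# NOTE(review): on CentOS 7 system-auth is a symlink to system-auth-ac,
# which authconfig regenerates. GNU `sed -i` replaces the symlink with a
# regular file, so the edits survive — but a later `authconfig --update`
# will silently diverge from them.
touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd
# Lockout after repeated failures. The auth line alone is not enough: per
# the pam_tally2 man page the counter is reset in the *account* phase, so
# without an account entry every user eventually locks out for good.
if ! grep -q "pam_tally2.so" /etc/pam.d/system-auth; then
  sed -i '/auth        required      pam_env.so/aauth        required      pam_tally2.so deny=6 onerr=fail no_magic_root unlock_time=120' /etc/pam.d/system-auth
  sed -i '/^account     required      pam_unix.so/iaccount     required      pam_tally2.so' /etc/pam.d/system-auth
fi
# SHA-512 hashes + 5-entry history.
# NOTE(review): "nullok" is kept from the original; it lets accounts with
# an empty password through this module, which a baseline normally drops.
if grep -qE "^password\s.+pam_unix.so\s+\w+.*$" /etc/pam.d/system-auth; then
  sed -ri '/^password\s.+pam_unix.so/{s/pam_unix.so\s+\w+.*$/pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5/g;}' /etc/pam.d/system-auth
fi
# Complexity. The original appended pam_cracklib *after* "password required
# pam_deny.so". In the stock CentOS 7 stack the pam_unix line above pam_deny
# is "sufficient", so on success the stack ends before pam_cracklib runs and
# the complexity rules were never enforced. CentOS 7 ships pam_pwquality in
# this slot: configure it when present, otherwise insert pam_cracklib right
# before the pam_unix password line.
if grep -qE '^password\s+requisite\s+pam_pwquality.so' /etc/pam.d/system-auth; then
  sed -ri 's/^(password\s+requisite\s+pam_pwquality.so).*/\1 try_first_pass local_users_only retry=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=3 minlen=8/' /etc/pam.d/system-auth
elif ! grep -q "pam_cracklib.so" /etc/pam.d/system-auth; then
  sed -i '/^password\s\+sufficient\s\+pam_unix.so/ipassword    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=3 minlen=8' /etc/pam.d/system-auth
fi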

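#9. Idle-session timeout (180 s)
echo "[-] 设置登录超时时间为180s "
# Test for the setting itself rather than for "export TMOUT" being the very
# last line of the file (the original check failed as soon as anything
# else had been appended after it, and then appended a duplicate).
if ! grep -qE '^\s*TMOUT=' /etc/profile; then
  cp -a /etc/profile "/etc/profile_${date}.bak"
  # readonly: without it a user defeats the control with `unset TMOUT`.
  # (Re-sourcing /etc/profile in the same shell then prints a
  # "readonly variable" warning, which is harmless in interactive bash.)
  cat >> /etc/profile <<'EOF'
TMOUT=180
readonly TMOUT
export TMOUT
EOF
fi
# csh/tcsh: autologout is in *minutes*. The original wrote 600 (ten hours),
# contradicting the 180 s this step announces; 3 minutes matches TMOUT.
# The cshrc backup is taken here, next to the edit, instead of inside the
# /etc/profile branch where the original left it.
if ! grep -qE '^\s*set\s+autologout=' /etc/csh.cshrc; then
  cp -a /etc/csh.cshrc "/etc/csh.cshrc_${date}.bak"
  echo "set autologout=3" >> /etc/csh.cshrc
fi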
