#!/bin/bash
# author: MarkChem
# date: 2024-01-17
#
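# Host hardening pass: PAM lockout thresholds and password history,
# wheel-only su, account ageing, shell idle timeout and umask, sshd login
# limits. Steps are best-effort: a failed step is reported on stderr and the
# later steps still run. The script deletes itself when it finishes.

readonly BACKUP_SUFFIX='bak20240117'
readonly PWHISTORY_LINE='password required pam_pwhistory.so use_authtok remember=5 enforce_for_root'
readonly PAM_UNIX_RE='^password[[:space:]]+.*pam_unix\.so'

# Print a diagnostic on stderr.
warn() {
  printf '%s\n' "$*" >&2
}

# Copy $1 to $1.<suffix> unless that backup already exists, so a second run
# cannot replace the pristine copy with an already-modified file.
# Returns non-zero when the copy fails.
backup_once() {
  local file=$1
  [[ -e "${file}.${BACKUP_SUFFIX}" ]] && return 0
  cp -a -- "$file" "${file}.${BACKUP_SUFFIX}"
}

# Every step below writes under /etc; stop early instead of failing line by
# line (and then self-deleting) when run without privileges.
if [[ ${EUID} -ne 0 ]]; then
  warn "${0##*/}: must be run as root"
  exit 1
fi

# --- PAM: lockout thresholds and password history -------------------------
# NOTE(review): where these files are symlinks or generated by
# authselect/authconfig, direct edits may be replaced when the profile is
# regenerated - confirm for the target distro.
for pam_file in /etc/pam.d/password-auth /etc/pam.d/system-auth; do
  if ! backup_once "$pam_file"; then
    warn "skip ${pam_file}: backup failed"
    continue
  fi

  # Word boundaries keep "unlock_time=60" from matching inside
  # "unlock_time=600" (which would yield 3000) and "deny=6" from matching
  # inside "deny=60". Both files get the same 300 s / 3 attempts policy.
  sed -E -i \
    -e 's#\bunlock_time=(60|600)\b#unlock_time=300#g' \
    -e 's#\bdeny=6\b#deny=3#g' \
    "$pam_file" || warn "lockout edit failed: ${pam_file}"

  # pam_pwhistory has to run before pam_unix in the password stack: a line
  # placed after pam_deny.so sits behind "sufficient pam_unix.so" and is
  # never consulted on a successful change. Skipped when already present so
  # repeated runs do not stack duplicate lines.
  if grep -Eq '^password[[:space:]]+.*pam_pwhistory\.so' "$pam_file"; then
    :
  elif grep -Eq "$PAM_UNIX_RE" "$pam_file"; then
    sed -E -i \
      -e "0,/${PAM_UNIX_RE}/{/${PAM_UNIX_RE}/i\\${PWHISTORY_LINE}" \
      -e '}' \
      "$pam_file" || warn "pwhistory edit failed: ${pam_file}"
  else
    warn "no pam_unix.so password line in ${pam_file}; pwhistory not added"
  fi
done

# --- su: require wheel membership -----------------------------------------
# Uncomments the stock "pam_wheel.so use_uid" line only; the
# "pam_wheel.so trust use_uid" variant does not match and stays disabled.
if backup_once /etc/pam.d/su; then
  sed -i '/^#.*pam_wheel\.so use_uid$/s/^#//' /etc/pam.d/su \
    || warn 'edit failed: /etc/pam.d/su'
else
  warn 'skip /etc/pam.d/su: backup failed'
fi

# --- Account ageing --------------------------------------------------------
# New accounts are disabled 30 days after password expiry; root gets the
# same inactivity window plus a 1-day minimum and 90-day maximum age.
# NOTE(review): together with wheel-only su and PermitRootLogin no, an
# expired root password leaves only wheel members able to recover the host -
# confirm such an account exists before rollout.
useradd -D -f 30 || warn 'useradd -D -f 30 failed'
chage --inactive 30 --mindays 1 --maxdays 90 root \
  || warn 'chage on root failed'

# --- Shell idle timeout and umask -----------------------------------------
if [[ -f /etc/profile ]]; then
  sed -i 's/export TMOUT=.*/export TMOUT=300/g' /etc/profile
  # The substitution only rewrites an existing line; add one when the file
  # has no active TMOUT export, otherwise no timeout is set at all.
  grep -Eq '^[[:space:]]*export TMOUT=' /etc/profile \
    || printf '%s\n' 'export TMOUT=300' >> /etc/profile
fi
grep -q 'umask 027' /etc/bashrc \
  || printf '%s\n' 'umask 027' >> /etc/bashrc

# --- sshd ------------------------------------------------------------------
# Anchored, whole-line matches: a commented "#PermitRootLogin yes" becomes an
# active "PermitRootLogin no" (rewriting it in place would leave it
# commented out and without effect), and "MaxAuthTries 6" no longer matches
# inside "MaxAuthTries 60".
# NOTE(review): sshd takes the first value it reads for a keyword, so an
# earlier directive or an included drop-in can still override these - verify
# with the effective configuration on the target host.
if backup_once /etc/ssh/sshd_config; then
  sed -E -i \
    -e 's/^#?[[:space:]]*MaxAuthTries[[:space:]]+6[[:space:]]*$/MaxAuthTries 3/' \
    -e 's/^#?[[:space:]]*PermitRootLogin[[:space:]]+yes[[:space:]]*$/PermitRootLogin no/' \
    /etc/ssh/sshd_config || warn 'edit failed: /etc/ssh/sshd_config'

  # Validate before restarting: restarting on a broken config can leave the
  # host without remote access.
  if sshd -t; then
    systemctl restart sshd || warn 'sshd restart failed'
  else
    warn 'sshd_config failed validation; sshd not restarted'
  fi
else
  warn 'skip /etc/ssh/sshd_config: backup failed'
fi

#-- Set SELINUX in /etc/selinux/config to enforcing or permissive
#sed "s/SELINUX=disabled/SELINUX=permissive/g" -i /etc/selinux/config
#echo "---- all done ---------"

# Self-delete; quoted and "--"-terminated so a path with spaces or a leading
# dash is handled as a file name.
rm -f -- "$0"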