CentOS7一键安全加固及系统优化脚本
init_centos7.sh 脚本内容如下
脚本说明：本脚本从 https://github.com/vtrois/spacepack 下载，并在其脚本基础上做了调整；根据前期 CentOS7 安全加固系列文章，添加了部分加固项。
#!/usr/bin/env bash
#
# Author: Seaton Jiang 
# Github URL: https://github.com/vtrois/spacepack
# License: MIT
# Date: 2020-08-13
#
# Purpose: one-shot post-install initialisation / hardening of a CentOS 7 host.
# Must run as root; records its steps in ${LOCK} and refuses to run twice.
#
# NOTE(review): the listing as rendered on this page is NOT runnable as-is. The
# web rendering appears to have dropped backslashes ('\033' -> '033', sed '\1' -> '1')
# and swallowed every here-document body (the text between '<<EOF' and 'EOF >>'
# collapsed to '<>'). Restore the script from the upstream repository before use;
# the comments below mark each affected spot.
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
# Terminal colour codes used by the status messages. As printed here the leading
# ESC ('\033') is missing, so 'echo -e' would emit the literal text "033[31;1m".
RGB_DANGER='033[31;1m'
RGB_WAIT='033[37;2m'
RGB_SUCCESS='033[32m'
RGB_WARNING='033[33;1m'
RGB_INFO='033[36;1m'
RGB_END='033[0m'
# Major release number parsed from /etc/redhat-release (back-reference '\1' lost in rendering).
CHECK_CENTOS=$( cat /etc/redhat-release|sed -r 's/.* ([0-9]+)..*/1/' )
# Total RAM in (approximate) GB: MemTotal kB / 1e6, rounded to an integer.
CHECK_RAM=$( cat /proc/meminfo | grep "MemTotal" | awk -F" " '{ram=$2/1000000}{printf("%.0f",ram)}' )
# Run log and "already initialised" marker in one file.
LOCK=/var/log/init_centos7_record.log
# Print the banner.
tool_info() {
  echo -e "========================================================================================="
  echo -e "  Init CentOS 7 Script "
  echo -e "  For more information please visit https://github.com/vtrois/spacepack "
  echo -e "========================================================================================="
}
# Abort unless running as root (every step below writes under /etc).
check_root(){
  if [[ $EUID -ne 0 ]]; then
    echo -e "${RGB_DANGER}This script must be run as root!${RGB_END}"
    exit 1
  fi
}
# Refuse to run if the marker exists; otherwise create it.
# NOTE(review): the marker is created BEFORE any step runs, so a run that fails
# half-way still blocks re-execution; the marker has to be removed by hand.
check_lock() {
  if [ ! -f "$LOCK" ];then
    touch $LOCK
  else
    echo -e "${RGB_DANGER}Detects that the initialization is complete and does not need to be initialized any further!${RGB_END}"
    exit 1
  fi
}
# Abort unless the parsed release number is 7.
check_os() {
  if [ "${CHECK_CENTOS}" != '7' ]; then
    echo -e "${RGB_DANGER}This script must be run in CentOS 7!${RGB_END}"
    exit 1
  fi
}
# On hosts with <= 2 GB RAM: create a 1 GiB /swapfile, add it to fstab and set
# vm.swappiness=10. The file is created with the default umask and only then
# chmod 600'd; the fstab and sysctl lines are appended unconditionally.
new_swap() {
  echo "============= swap =============" >> ${LOCK} 2>&1
  if [ "${CHECK_RAM}" -le '2' ]; then
    echo -en "${RGB_WAIT}Configuring...${RGB_END}"
    dd if=/dev/zero of=/swapfile bs=1024 count=1048576 >> ${LOCK} 2>&1
    chmod 600 /swapfile >> ${LOCK} 2>&1
    mkswap /swapfile >> ${LOCK} 2>&1
    swapon /swapfile >> ${LOCK} 2>&1
    echo '/swapfile swap swap defaults 0 0' >> /etc/fstab
    echo '# Swap' >> /etc/sysctl.conf
    echo 'vm.swappiness = 10' >> /etc/sysctl.conf
    sysctl -p >> ${LOCK} 2>&1
    sysctl -n vm.swappiness >> ${LOCK} 2>&1
    echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
  else
    echo -e "${RGB_SUCCESS}Skip, no configuration needed${RGB_END}"
  fi
}
# Enable TCP BBR via sysctl; result is only logged, never checked (the script
# reports "Success" even if the running kernel has no bbr module).
open_bbr() {
  echo "============= bbr =============" >> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  echo "# BBR" >> /etc/sysctl.conf
  echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
  echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
  sysctl -p >> ${LOCK} 2>&1
  sysctl -n net.ipv4.tcp_congestion_control >> ${LOCK} 2>&1
  lsmod | grep bbr >> ${LOCK} 2>&1
  echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
}
# Put SELinux in permissive mode now and disabled after reboot; stop and disable firewalld.
# NOTE(review): in a script described as "security hardening" this step removes the
# host's mandatory access control and its packet filter. Keep SELinux enforcing and
# firewalld enabled unless a specific workload has been shown to need otherwise, and
# if the step is kept, record the justification next to it.
disable_software() {
  echo "============= selinux firewalld =============" >> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  setenforce 0 >> ${LOCK} 2>&1
  sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config
  systemctl disable firewalld.service >> ${LOCK} 2>&1
  systemctl stop firewalld.service >> ${LOCK} 2>&1
  echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
}
# Point /etc/localtime at Asia/Shanghai.
time_zone() {
  echo "============= time zone =============" >> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  rm -rf /etc/localtime >> ${LOCK} 2>&1
  ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime >> ${LOCK} 2>&1
  ls -ln /etc/localtime >> ${LOCK} 2>&1
  echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
}
# Write /etc/profile.d/centos7init.sh (shell colours/aliases per main's description).
# NOTE(review): the here-document body was lost in rendering. As printed, 'cat > FILE <> ${LOCK}'
# is valid bash that opens the LOG as cat's stdin and copies it into the profile file --
# do not run this line as shown.
custom_profile() {
  echo "============= custom profile =============" >> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  cat > /etc/profile.d/centos7init.sh <> ${LOCK} 2>&1
  echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
}
# Replace everything from "# End of file" onward in limits.conf with the script's limits.
# NOTE(review): the here-document body was lost in rendering (same '<>' artefact as above).
adjust_ulimit() {
  echo "============= adjust ulimit =============" >> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  sed -i '/^# End of file/,$d' /etc/security/limits.conf
  cat >> /etc/security/limits.conf <> ${LOCK} 2>&1
  echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
}
# Back up sysctl.conf once (skipped if *_bak already exists) and replace it wholesale.
# main() runs this before new_swap/open_bbr/open_ipv6, which append to the new file.
# NOTE(review): the here-document body was lost in rendering; as printed the line would
# truncate /etc/sysctl.conf and refill it from the log file.
kernel_optimum() {
  echo "============= kernel optimum =============" >> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  [ ! -e "/etc/sysctl.conf_bak" ] && /bin/mv /etc/sysctl.conf{,_bak}
  cat > /etc/sysctl.conf <> ${LOCK} 2>&1
  cat /etc/sysctl.conf >> ${LOCK} 2>&1
  echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
}
# Insert " /data" after the first occurrence of "media" in updatedb.conf
# (presumably extending PRUNEPATHS -- verify against the stock file).
updatedb_optimum() {
  echo "============= updatedb optimum =============" >> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  sed -i 's,media,media /data,' /etc/updatedb.conf
  cat /etc/updatedb.conf >> ${LOCK} 2>&1
  echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
}
# Re-enable IPv6 on all interfaces via sysctl.
open_ipv6() {
  echo "============= open ipv6 =============" >> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  echo '# IPV6' >> /etc/sysctl.conf
  echo 'net.ipv6.conf.all.disable_ipv6=0' >> /etc/sysctl.conf
  echo 'net.ipv6.conf.default.disable_ipv6=0' >> /etc/sysctl.conf
  echo 'net.ipv6.conf.lo.disable_ipv6=0' >> /etc/sysctl.conf
  sysctl -p >> ${LOCK} 2>&1
  cat /etc/sysctl.conf >> ${LOCK} 2>&1
  echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
}
# Mask the Ctrl+Alt+Del systemd target so a console keypress cannot reboot the host.
disable_cad() {
  echo "============= disable cad =============" >> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  systemctl mask ctrl-alt-del.target >> ${LOCK} 2>&1
  echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
}
# Delete a fixed list of stock system accounts and groups. userdel is run without
# -r, so any home directories are left behind; failures are only logged.
# NOTE(review): these are default CentOS 7 accounts and some may be referenced by
# installed packages (file ownership, service users) -- check before deleting.
remove_users() {
  echo "============= remove users =============" >> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  for u in adm lp sync shutdown halt mail operator games ftp
  do
    userdel ${u} >> ${LOCK} 2>&1
  done
  cut -d : -f 1 /etc/passwd >> ${LOCK} 2>&1
  for g in adm lp mail games ftp
  do
    groupdel ${g} >> ${LOCK} 2>&1
  done
  cat /etc/group >> ${LOCK} 2>&1
  echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
}
# Pin the modes of the account database files and log the result.
sys_permissions() {
  echo "============= sys permissions =============" >> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  chmod 644 /etc/passwd >> ${LOCK} 2>&1
  chmod 644 /etc/group >> ${LOCK} 2>&1
  chmod 000 /etc/shadow >> ${LOCK} 2>&1
  chmod 000 /etc/gshadow >> ${LOCK} 2>&1
  ls -la /etc/passwd >> ${LOCK} 2>&1
  ls -la /etc/group >> ${LOCK} 2>&1
  ls -la /etc/shadow >> ${LOCK} 2>&1
  ls -la /etc/gshadow >> ${LOCK} 2>&1
  echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
}
# Set password ageing defaults in login.defs and append pwquality rules.
# NOTE(review): PASS_MAX_DAYS/PASS_MIN_DAYS in login.defs only affect accounts
# created afterwards; nothing here changes existing accounts (that needs chage).
# NOTE(review): the pwquality here-document body, this function's closing brace
# and the header of change_useradd() (called from main) were all lost in rendering;
# the remaining statements below belong to change_useradd (INACTIVE=180 in
# /etc/default/useradd, which again applies only to newly created accounts).
password_policy() {
  echo "============= password policy =============" >> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  sed -i 's/^PASS_MAX_DAYS.*$/PASS_MAX_DAYS 90/' /etc/login.defs
  sed -i 's/^PASS_MIN_DAYS.*$/PASS_MIN_DAYS 10/' /etc/login.defs
  cat /etc/login.defs >> ${LOCK} 2>&1
  cat >>/etc/security/pwquality.conf <> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  sed -i 's/^INACTIVE.*$/INACTIVE=180/' /etc/default/useradd
  cat /etc/default/useradd >> ${LOCK} 2>&1
  echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
}
# Tighten sshd_config in place and restart sshd.
# NOTE(review): the UseDNS pattern has no '^' anchor, so a commented '#UseDNS yes'
# becomes '#UseDNS no' and stays commented (no effect). The Banner substitution has
# unescaped '/' in its replacement ('Banner /etc/issue.net'), which sed rejects
# unless the original carried backslashes that the rendering dropped. Nothing here
# validates the result before restarting: run 'sshd -t' first, and keep a second
# session open, so a bad edit cannot lock out remote administration.
sec_ssh() {
  echo "============= sec ssh =============" >> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  sed -i 's/UseDNS.*$/UseDNS no/' /etc/ssh/sshd_config
  sed -i 's/^#LoginGraceTime.*$/LoginGraceTime 60/' /etc/ssh/sshd_config
  sed -i 's/^#PermitEmptyPasswords.*$/PermitEmptyPasswords no/' /etc/ssh/sshd_config
  sed -i 's/^#PubkeyAuthentication.*$/PubkeyAuthentication yes/' /etc/ssh/sshd_config
  sed -i 's/^#MaxAuthTries.*$/MaxAuthTries 3/' /etc/ssh/sshd_config
  sed -i "s/#ClientAliveInterval 0/ClientAliveInterval 30/g" /etc/ssh/sshd_config
  sed -i "s/#ClientAliveCountMax 3/ClientAliveCountMax 3/g" /etc/ssh/sshd_config
  sed -i "s/X11Forwarding yes/X11Forwarding no/g" /etc/ssh/sshd_config
  sed -i "s/#Banner none/Banner /etc/issue.net/g" /etc/ssh/sshd_config
  echo "Authorized users only. All activity may be monitored and reported.">/etc/issue.net
  systemctl restart sshd.service >> ${LOCK} 2>&1
  cat /etc/ssh/sshd_config >> ${LOCK} 2>&1
  echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
}
# Idle-logout for interactive shells. TMOUT is exported but not made readonly,
# so a user shell can simply unset it; use 'readonly TMOUT' if this is meant as a control.
timeout_config() {
  echo "============= timeout config =============" >> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  echo "export TMOUT=1800" >> /etc/profile.d/centos7init.sh
  cat /etc/profile.d/centos7init.sh >> ${LOCK} 2>&1
  echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
}
# Replace /etc/pam.d/system-auth and password-auth with static stacks that add
# pam_faillock (deny=3 unlock_time=300); originals backed up once to *_bak.
# NOTE(review): the PAM here-documents are badly garbled here (line breaks and
# several chunks between '<' and '>' are missing) -- restore them from upstream, never
# from this page. Overwriting the PAM stacks is the single most lockout-prone step in
# the script; keep a root session open until a fresh login has been verified.
# NOTE(review): 'cat /etc/pam.d/etc/pam.d/system-auth' is a typo'd path that does not exist.
lockout_policy() {
  echo "============= lockout policy =============" >> ${LOCK} 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  [ ! -e "/etc/pam.d/system-auth_bak" ] && /bin/mv /etc/pam.d/system-auth{,_bak}
  cat > /etc/pam.d/system-auth <= 1000 quietauth [default=1 ignore=ignore success=ok] pam_localuser.soauth sufficient pam_unix.so nullok try_first_passauth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300auth requisite pam_succeed_if.so uid >= 1000 quiet_successauth sufficient pam_sss.so forward_passauth required pam_deny.soaccount required pam_unix.soaccount sufficient pam_localuser.soaccount sufficient pam_succeed_if.so uid /etc/pam.d/password-auth <= 1000 quietauth [default=1 ignore=ignore success=ok] pam_localuser.soauth sufficient pam_unix.so nullok try_first_passauth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=300auth requisite pam_succeed_if.so uid >= 1000 quiet_successauth sufficient pam_sss.so forward_passauth required pam_deny.soaccount required pam_unix.soaccount sufficient pam_localuser.soaccount sufficient pam_succeed_if.so uid > ${LOCK} 2>&1
  cat /etc/pam.d/etc/pam.d/system-auth >> ${LOCK} 2>&1
  cat /etc/pam.d/password-auth >> ${LOCK} 2>&1
  echo -e "${RGB_SUCCESS}Configuration Success${RGB_END}"
}
# Ask for y/n and reboot on 'y'.
# NOTE(review): 'read' lacks -r (backslashes are interpreted) and the class
# '^[y,n]$' also accepts a literal ',', which then falls through as "no".
reboot_os() {
  echo -e "${RGB_WARNING}Please restart the server and see if the services start up fine.${RGB_END}"
  echo -en "${RGB_WARNING}Do you want to restart OS ? [y/n]: ${RGB_END}"
  while :; do
    read REBOOT_STATUS
    if [[ ! "${REBOOT_STATUS}" =~ ^[y,n]$ ]]; then
      echo -en "${RGB_DANGER}Input error, please only input 'y' or 'n': ${RGB_END}"
    else
      break
    fi
  done
  [ "${REBOOT_STATUS}" == 'y' ] && reboot
}
# Run every step in order; no step's exit status is checked, so a failure in one
# step does not stop the rest.
main() {
  echo -e "${RGB_INFO}1/18 : Start Init CentOS7 Script ${RGB_END}"
  echo -e "${RGB_INFO}2/18 : Customize the profile (color and alias)${RGB_END}"
  custom_profile
  echo -e "${RGB_INFO}3/18 : Time zone adjustment${RGB_END}"
  time_zone
  echo -e "${RGB_INFO}4/18 : Disable selinux and firewalld${RGB_END}"
  disable_software
  echo -e "${RGB_INFO}5/18 : Disable Ctrl+Alt+Del${RGB_END}"
  disable_cad
  echo -e "${RGB_INFO}6/18 : Kernel parameter optimization${RGB_END}"
  kernel_optimum
  echo -e "${RGB_INFO}7/18 : The updatedb optimization${RGB_END}"
  updatedb_optimum
  echo -e "${RGB_INFO}8/18 : Adding swap space${RGB_END}"
  new_swap
  echo -e "${RGB_INFO}9/18 : Adjustment of ulimit${RGB_END}"
  adjust_ulimit
  echo -e "${RGB_INFO}10/18 : Enable tcp bbr congestion control algorithm${RGB_END}"
  open_bbr
  echo -e "${RGB_INFO}11/18 : Enable IPV6${RGB_END}"
  open_ipv6
  echo -e "${RGB_INFO}12/18 : Remove unnecessary users and user groups from the system${RGB_END}"
  remove_users
  echo -e "${RGB_INFO}13/18 : System permissions for sensitive files${RGB_END}"
  sys_permissions
  echo -e "${RGB_INFO}14/18 : Modify Account Password Survival Policy${RGB_END}"
  password_policy
  echo -e "${RGB_INFO}15/18 : Maximum number of days an account is valid after password expiration strategy${RGB_END}"
  change_useradd
  echo -e "${RGB_INFO}16/18 : Secure configuration of SSH${RGB_END}"
  sec_ssh
  echo -e "${RGB_INFO}17/18 : Timeout Auto-Logout Configuration${RGB_END}"
  timeout_config
  echo -e "${RGB_INFO}18/18 : Configure account login failure lockout policy${RGB_END}"
  lockout_policy
  reboot_os
}
# Entry: banner, preconditions (root, CentOS 7, not already run), then main.
clear
tool_info
check_root
check_os
check_lock
main
测试执行截图如下
再次执行脚本会提示已经做了安全加固优化,无须再次执行