linux 7 安全加固

 

 

 

 

#! /bin/bash
# CentOS 7 hardening script ("linux 7 安全加固"). Each S-numbered section
# below archives the file it is about to change (via backup()), rewrites it
# in place and prints "has been rectified" / "not need to rectify".
# It writes under /etc and restarts sshd/rsyslog, so it presumably has to
# run as root.

# NOTE(review): -x traces every command to stderr, including the
# `echo "<password>" | passwd --stdin` pipelines in S2007 and S2008, so the
# plaintext passwords end up in any captured output of this script.
set -x

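#######################################
# Move an archive into a dated backup directory.
# Globals:   BACK_UP_ROOT (read, optional): root of the backup tree,
#            default /home/sys_security (the original hard-coded path).
#            DATE_NOW, BACK_UP, BACK_UP_TMP (written, as before).
# Arguments: $1 - path of the archive to move
#            $2 - item tag (e.g. S1002), used as the directory prefix
# Outputs:   one "<tag> backup successful..." line on stdout
# Returns:   0 on success; the mkdir/mv exit status on failure, in which
#            case no success line is printed (the old code always printed it).
#######################################
function backup () {
    local archive=$1
    local tag=$2

    DATE_NOW=$(date +'%Y%m%d')
    # BACK_UP_ROOT makes the destination overridable (e.g. for testing).
    BACK_UP=${BACK_UP_ROOT:-/home/sys_security}
    mkdir -p -- "$BACK_UP" || return

    BACK_UP_TMP=$BACK_UP/${tag}_$DATE_NOW/
    mkdir -p -- "$BACK_UP_TMP" || return
    # Quoted and '--'-guarded so an odd archive name cannot be parsed as an option.
    mv -- "$archive" "$BACK_UP_TMP" || return
    echo "$tag backup successful..."
}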

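# S1001 屏蔽ctrl+alt+del魔术键
# Centos 7x
# Removes the ctrl-alt-del target so the key combination does nothing.
# NOTE(review): the unit file is package-owned, so a systemd update may put
# it back; `systemctl mask ctrl-alt-del.target` would survive upgrades.
echo "********************S1001**********************"
TARGET_FILE=/usr/lib/systemd/system/ctrl-alt-del.target

if [[ -f "$TARGET_FILE" ]]; then
    # A single file (or symlink): -r is not needed here.
    rm -f -- "$TARGET_FILE"
    echo " S1001 has been rectified..."
else
    echo " S1001 not need to rectify..."
fi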


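# S1002 屏蔽SELINUX功能
# Centos 7x
# 临时关闭SELINUX
# Switches SELinux to permissive now (setenforce 0) and to disabled in the
# config for the next boot.
# NOTE(review): this item removes a protection layer rather than adding one;
# common baselines ask for enforcing mode, so confirm it is really wanted.
echo "********************S1002**********************"
NUM=S1002
CONF_FILE=/etc/selinux/config
tar -zcvPf selinux_conf.tar.gz "$CONF_FILE"
backup selinux_conf.tar.gz "$NUM"
# Value of the active SELINUX= line, read in one awk pass.
SELINUX_CONF=$(awk -F '=' '/^SELINUX=/ {print $2}' "$CONF_FILE")

if [[ "$SELINUX_CONF" == "disabled" ]]; then
    echo "$NUM not need to rectify..."
else
    setenforce 0
    sed -i 's/^SELINUX=.*$/SELINUX=disabled/' "$CONF_FILE"
    echo "$NUM has been rectified..."
fi
unset NUM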

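# S1003 设置系统提示语
# Centos 7x
# Writes the pre-login (issue, issue.net) and post-login (motd) banners and
# points sshd's Banner directive at /etc/issue.
echo "********************S1003**********************"
NUM=S1003
ISSUE_FILE=/etc/issue
ISSUE_NET_FILE=/etc/issue.net
ISSUE_MOTD_FILE=/etc/motd
SSH_CONF=/etc/ssh/sshd_config

tar -zcvPf issue_conf.tar.gz "$ISSUE_FILE" "$ISSUE_NET_FILE" "$ISSUE_MOTD_FILE" "$SSH_CONF"
backup issue_conf.tar.gz "$NUM"

echo "Authorized only. All activity will be  monitored and reported." > "$ISSUE_FILE"
echo "Authorized only. All activity will be  monitored and reported." > "$ISSUE_NET_FILE"
echo "login success. All activity will be  monitored and reported." > "$ISSUE_MOTD_FILE"

if grep -q '^Banner /etc/issue' "$SSH_CONF"; then
    echo "$NUM not need to rectify..."
else
    if grep -q 'Banner' "$SSH_CONF"; then
        # Rewrite the first Banner line (usually the stock "#Banner none") in
        # place; sshd honours the first occurrence of a keyword. The old code
        # fed the line numbers from `grep -n` into sed: with no match that
        # became `sed -i d`, which empties sshd_config, and with several
        # matches the sed address was malformed.
        sed -i "0,/Banner/{s|^.*Banner.*|Banner $ISSUE_FILE|;}" "$SSH_CONF"
    else
        printf 'Banner %s\n' "$ISSUE_FILE" >> "$SSH_CONF"
    fi
    # Validate before restarting so a bad config cannot take sshd down.
    if /usr/sbin/sshd -t; then
        systemctl restart sshd
        echo "$NUM has been rectified..."
    else
        echo "$NUM rectification failure: sshd_config rejected by sshd -t, sshd not restarted" >&2
    fi
fi
unset NUM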

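# S2001 账号密码生命周期
# Centos 7x
# S2001
# Sets the password-ageing defaults in /etc/login.defs, then re-reads the
# file to confirm every value took.
echo "********************S2001**********************"
NUM=S2001
DEFS_CONF_FILE=/etc/login.defs && tar -zcvPf login.defs.tar.gz "$DEFS_CONF_FILE"
backup login.defs.tar.gz "$NUM"

#######################################
# Set one KEY in /etc/login.defs: rewrite the active line if present,
# otherwise append one (the old `sed .../c\` silently did nothing when the
# key was missing, and the later numeric test then errored on an empty value).
# Globals:   DEFS_CONF_FILE (read)
# Arguments: $1 - key, $2 - value
#######################################
set_login_def() {
    local key=$1 value=$2
    if grep -q "^$key[[:space:]]" "$DEFS_CONF_FILE"; then
        sed -i "/^$key[[:space:]]/c\\$key   $value" "$DEFS_CONF_FILE"
    else
        printf '%s   %s\n' "$key" "$value" >> "$DEFS_CONF_FILE"
    fi
}

#######################################
# Print the current value of KEY from /etc/login.defs (empty if unset).
# Globals:   DEFS_CONF_FILE (read)
# Arguments: $1 - key
#######################################
get_login_def() {
    awk -v k="$1" '$1 == k {print $2}' "$DEFS_CONF_FILE"
}

set_login_def PASS_MAX_DAYS 90
set_login_def PASS_MIN_DAYS 10
# NOTE(review): on PAM-based systems PASS_MIN_LEN in login.defs is generally
# not enforced; the pam_pwquality minlen set in S2002 is what applies — confirm.
set_login_def PASS_MIN_LEN 8
set_login_def PASS_WARN_AGE 7

MAX_DAYS=$(get_login_def PASS_MAX_DAYS)
MIN_DAYS=$(get_login_def PASS_MIN_DAYS)
MIN_LEN=$(get_login_def PASS_MIN_LEN)
WARN_AGE=$(get_login_def PASS_WARN_AGE)

# One combined check replaces the four nested ifs; string comparison so an
# empty value reports a failure instead of a `test` syntax error.
if [[ "$MAX_DAYS" == 90 && "$MIN_DAYS" == 10 && "$MIN_LEN" == 8 && "$WARN_AGE" == 7 ]]; then
    echo "$NUM has been rectified..."
else
    echo "$NUM rectification failure..."
fi
unset NUM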

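# S2002 账号密码强度
# Centos 7x
# Enforces password complexity through pam_pwquality in system-auth.
# NOTE(review): password-auth is not touched here; confirm whether it needs
# the same rule on this host.
echo "********************S2002**********************"
NUM=S2002
SYS_AUTH=/etc/pam.d/system-auth && tar -zcvPf sys_auth.tar.gz "$SYS_AUTH"
backup sys_auth.tar.gz "$NUM"
if grep -q 'difok=1 minlen=8' "$SYS_AUTH"; then
    echo "$NUM not need to rectify..."
else
    # --follow-symlinks: on authconfig-managed hosts system-auth is normally a
    # symlink to system-auth-ac; plain `sed -i` replaces the link with a
    # regular file, and later authconfig runs would no longer see this change.
    sed -i --follow-symlinks '/pam_pwquality.so/c\password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=  difok=1 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1' "$SYS_AUTH"
    echo "$NUM has been rectified..."
fi
unset NUM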

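# S2003 限制用户登陆次数
# Centos 7x
# Locks an account for 150 s after 3 failed ssh logins (root: 300 s) via
# pam_tally2 in the sshd PAM stack. Only ssh logins are counted here.
echo "********************S2003**********************"
NUM=S2003
PAM_SSHD=/etc/pam.d/sshd && tar -zcvPf pam_sshd.tar.gz "$PAM_SSHD"
backup pam_sshd.tar.gz "$NUM"
# The option is root_unlock_time=300; the original wrote "root_unlock_time300"
# (no '=') in both the check and the rule, which pam_tally2 does not recognise.
TALLY_OPTS='deny=3 unlock_time=150 even_deny_root root_unlock_time=300'
if grep -q "$TALLY_OPTS" "$PAM_SSHD"; then
    echo "$NUM not need to rectify..."
else
    # Drop any earlier pam_tally2 line (e.g. the misspelt one from a previous
    # run) so the stack ends up with exactly one, placed right after the
    # "#%PAM-1.0" header as the first auth rule.
    sed -i '/pam_tally2.so/d' "$PAM_SSHD"
    sed -i "/%PAM-1.0/a\\auth required pam_tally2.so $TALLY_OPTS" "$PAM_SSHD"
    echo "$NUM has been rectified..."
fi
unset NUM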

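# S2004 禁止root用户直接ssh登陆
# Centos 7x
# Disables direct root ssh logins.
# NOTE(review): this runs before S2008 creates the non-root "elex" account,
# so on a host where root is the only login account there is a window with
# no usable ssh login — consider running the accounts item first.
echo "********************S2004**********************"
NUM=S2004
tar -zcvPf sshd_conf.tar.gz "$SSH_CONF"
backup sshd_conf.tar.gz "$NUM"
if grep -q '^#\?PermitRootLogin' "$SSH_CONF"; then
    # Rewrite the first (possibly commented) top-level directive in place;
    # sshd honours the first occurrence. The old pattern rewrote every line
    # containing the word, including ones inside Match blocks.
    sed -i '0,/^#\?PermitRootLogin/{s/^#\?PermitRootLogin.*/PermitRootLogin no/;}' "$SSH_CONF"
else
    # Insert at the top rather than appending: a line appended after a
    # trailing Match block would only apply to that block.
    sed -i '1i PermitRootLogin no' "$SSH_CONF"
fi
# Validate before restarting so a bad config cannot take sshd down.
if /usr/sbin/sshd -t; then
    systemctl restart sshd
    echo "$NUM has been rectified..."
else
    echo "$NUM rectification failure: sshd_config rejected by sshd -t, sshd not restarted" >&2
fi
unset NUM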

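# S2005 文件权限最小化
# Centos 7x
# /etc/passwd has to stay world-readable (0644) for name lookups; this only
# strips any extra write/exec bits.
echo "********************S2005**********************"
NUM=S2005
PASS_FILE=/etc/passwd && tar -zcvPf pass_file.tar.gz "$PASS_FILE"
backup pass_file.tar.gz "$NUM"
chmod 644 -- "$PASS_FILE"
# Message spelling fixed ("recitfied" -> "rectified") to match the other items.
echo "$NUM has been rectified..."
unset NUM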

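# S2006 是否存在除root外UID为0的用户
# Centos 7x
# Finds accounts other than root with UID 0, demotes them to UID 2000 (so
# userdel does not treat them as root) and removes them.
# NOTE(review): an unexpected UID-0 account is an indicator of compromise;
# its passwd line is printed before removal so the evidence is at least in
# the script output — locking instead of deleting is preferable when
# forensics matter.
echo "********************S2006**********************"
USER_0=$(awk -F ':' '($3==0){print $1}' "$PASS_FILE")
# -x: whole-line match, so names merely containing "root" are not excluded.
USER_OTHER=$(awk -F ':' '($3==0){print $1}' "$PASS_FILE" | grep -vx root)
USER_NUM=$(awk -F ':' '($3==0){print $1}' "$PASS_FILE" | wc -l)

if [[ "$USER_NUM" -eq 1 && "$USER_0" == root ]]; then
    echo "S2006 not need to rectify..."
else
    # Loop variable renamed: the old loop overwrote the USER environment variable.
    for uid0_user in $USER_OTHER; do
        grep -- "^$uid0_user:" "$PASS_FILE"
        # Anchor on the whole UID field; "^name:x:0" also matched UIDs like 0123.
        sed -i "s/^$uid0_user:x:0:/$uid0_user:x:2000:/" "$PASS_FILE"
        userdel -r "$uid0_user" 2>/dev/null
        # ${var:?} aborts rather than expanding to "/home/" if the name is empty.
        rm -rf -- "/home/${uid0_user:?}" 2>/dev/null
        rm -rf -- "/var/spool/mail/${uid0_user:?}" 2>/dev/null
        echo "S2006 has been rectified..."
    done
fi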

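# S2007 检查账号是否存在空口令
# Centos 7x
# Gives every account whose shadow password field is empty a temporary
# password that must be changed at the next login.
echo "********************S2007**********************"
NUM=S2007
SHADOW_FILE=/etc/shadow && tar -zcvPf shadow_file.tar.gz "$SHADOW_FILE"
backup shadow_file.tar.gz "$NUM"
# Only a truly empty field is an empty password. "!!" (also matched by the
# old awk) marks an account that is locked because no password was ever
# set; giving those a guessable password enabled logins that were
# previously impossible.
USER_PASSWD_NONE=$(awk -F ':' '($2==""){print $1}' "$SHADOW_FILE")
# Quoted: with several names the old unquoted `test -z` was a syntax error.
if [[ -z "$USER_PASSWD_NONE" ]]; then
    echo "$NUM not need to rectify..."
else
    for empty_pw_user in $USER_PASSWD_NONE; do
        # The temporary value is derived from the user name and shows up in
        # this script's `set -x` trace, hence the forced change below.
        printf '%s\n' "$empty_pw_user@123" | passwd --stdin "$empty_pw_user"
        chage -d 0 "$empty_pw_user"
        echo "$NUM has been rectified..."
    done
fi
unset NUM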

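# S2008 设置内部通用账号
# Centos 7x
# Creates the shared internal account "elex".
# NOTE(review): the original hard-coded the password in this (published)
# script. It is now read from ELEX_PASSWORD; the original value remains only
# as the fallback for compatibility and should be overridden at run time.
echo "********************S2008**********************"
# Only skip useradd when the account exists; other useradd errors stay visible.
id elex >/dev/null 2>&1 || useradd elex
printf '%s\n' "${ELEX_PASSWORD:-Elextec@123}" | passwd --stdin elex 2>/dev/null
echo "S2008 has been rectified..."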

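# S2009 umask
# Centos 7x
# Appends "umask 027" to /etc/profile for login shells.
# NOTE(review): non-login interactive shells read /etc/bashrc, which sets
# its own umask and is not changed here — confirm whether it should be.
echo "********************S2009**********************"
NUM=S2009 && PRO_FILE=/etc/profile && tar -zcvPf profile_cig.tar.gz "$PRO_FILE"
backup profile_cig.tar.gz "$NUM"
# Anchored so a commented-out "# umask 027" does not count as configured.
if grep -q '^[[:space:]]*umask 027' "$PRO_FILE"; then
    echo "$NUM not need to rectify..."
else
    echo "umask 027" >> "$PRO_FILE"
    # The original then `source`d /etc/profile. That only affected this
    # script's own shell (and could change PATH etc. for the items below),
    # so it is dropped; the umask applies to new login shells.
    echo "$NUM has been rectified..."
fi
unset NUM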


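# S3001 使用安全的ssh加密算法
# Centos 7x
# Pins the sshd cipher and MAC lists when none are configured yet.
# NOTE(review): the MAC list still contains hmac-sha1, umac-64 and
# hmac-ripemd160 (the last was removed in newer OpenSSH releases and then
# makes sshd refuse to start); hmac-sha2-256/hmac-sha2-512 are the usual
# baseline choice. The values are left as the author wrote them.
echo "********************S3001**********************"
if grep -qE '^Ciphers|^MACs' "$SSH_CONF"; then
    echo "S3001 not need to rectify..."
else
    # Appended at the end as before; if sshd_config ends with a Match block
    # these directives are not allowed there and `sshd -t` will say so.
    echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> "$SSH_CONF"
    echo "MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160" >> "$SSH_CONF"
    # The old code never restarted sshd, so the new lists only took effect
    # at the next unrelated restart; validate first so a rejected algorithm
    # name cannot take sshd down.
    if /usr/sbin/sshd -t; then
        systemctl restart sshd
        echo "S3001 has been rectified..."
    else
        echo "S3001 rectification failure: sshd_config rejected by sshd -t, sshd not restarted" >&2
    fi
fi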


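# S4001 关闭系统审计功能
# Centos 7x
# Stops and disables auditd.
# NOTE(review): this removes the kernel audit trail that incident response
# relies on; security baselines require auditd to be *enabled*, so this item
# deserves a second look before it is run.
echo "********************S4001**********************"
# On CentOS 7 the auditd unit normally carries RefuseManualStop=yes, so
# `systemctl stop auditd` is refused and the old code reported success
# anyway; the supported way to stop it is the SysV wrapper.
if service auditd stop && systemctl disable auditd; then
    echo "S4001 has been rectified..."
else
    echo "S4001 rectification failure..." >&2
fi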

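# S5001 修改message/cron/secure日志归档路径
# Centos 7x
# Moves each of messages/cron/secure into a directory of the same name
# (/var/log/NAME/NAME) and rewrites rsyslog.conf to log there.
echo "********************S5001**********************"
NUM=S5001
RSYS_FILE=/etc/rsyslog.conf
tar -zcvPf rsys_file.tar.gz "$RSYS_FILE"
backup rsys_file.tar.gz "$NUM"
LOG_DIR=/var/log

#######################################
# Relocate one log file into $LOG_DIR/NAME/NAME and patch rsyslog.conf.
# Each log is handled on its own: the old `mv && mv && mv` chain stopped at
# the first missing file, and re-running it on an already relocated log
# nested the directory one level deeper and doubled the path in rsyslog.conf.
# Globals:   LOG_DIR, RSYS_FILE (read)
# Arguments: $1 - log name (messages, cron or secure)
#######################################
relocate_log() {
    local name=$1
    local src=$LOG_DIR/$name
    # Already a directory: this log was relocated by an earlier run.
    if [[ -d "$src" ]]; then
        return 0
    fi
    if [[ -e "$src" ]]; then
        mv -- "$src" "$src.bak"
    fi
    mkdir -p -- "$src"
    if [[ -e "$src.bak" ]]; then
        mv -- "$src.bak" "$src/$name"
    fi
    # '|' delimiter avoids escaping every '/' in the path.
    sed -i "s|$src|$src/$name|" "$RSYS_FILE"
}

# rsyslog is stopped while the files move so no writes land in between.
systemctl stop rsyslog
relocate_log messages
relocate_log cron
relocate_log secure
systemctl restart rsyslog
echo "$NUM has been rectified..."
unset NUM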

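# S5002 message/cron/secure日志转储规则
# Centos 7x
# Drops the three relocated logs from the stock syslog logrotate stanza and
# appends a dedicated stanza for their new paths.
echo "********************S5002**********************"
NUM=S5002
LOGRO_SYS=/etc/logrotate.d/syslog
tar -zcvPf logrotate_sys.tar.gz "$LOGRO_SYS"
backup logrotate_sys.tar.gz "$NUM"

# Delete the old-path lines with a sed address directly (\|...| keeps the
# slashes unescaped), but never the NAME/NAME lines of our own stanza so a
# second run does not strip it down to an orphan "{ ... }" block. The old
# cat|grep|sed dance broke with several matches (multi-line sed address),
# with none ("//d" is an error) and reused the matched line as a regex.
for old_log in cron messages secure; do
    sed -i "\\|/var/log/$old_log/$old_log|!{\\|/var/log/$old_log|d;}" "$LOGRO_SYS"
done

# mkdir -p /var/log/messages/messages && mkdir -p /var/log/cron/cron && mkdir -p /var/log/secure/secure

# Quoted heredoc delimiter: the content is literal, so the backticks in the
# postrotate line no longer need escaping and land in the file unchanged.
# NOTE(review): `create 0644` leaves /var/log/secure/secure world-readable;
# 0600 is the usual setting for the auth log.
if ! grep -q '^/var/log/secure/secure' "$LOGRO_SYS"; then
cat >> "$LOGRO_SYS" << '_EOF_'
/var/log/cron/cron
/var/log/messages/messages
/var/log/secure/secure
{
 daily
 rotate 60
 create 0644 root root 
 compress
 nomail
 dateext
 missingok
 sharedscripts
 postrotate
  /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
 endscript
}
_EOF_
fi

# -d is a debug dry run: it validates the stanza but rotates nothing.
logrotate -d -f "$LOGRO_SYS"
echo "$NUM has been rectified..."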

 
