linux系统加固脚本

#########################################//以下是锁定系统不需要登录的账号
cp /etc/passwd /etc/passwd.`date +%F`
zhanghao="adm lp mail uucp operator games gopher ftp nobody nobody4 noaccess listen webservd rpm dbus avahi mailnull smmsp nscd vcsa rpc rpcuser nfs sshd pcap ntp haldaemon distcache apache webalizer squid xfs gdm sabayon named "
for zh in $zhanghao
do
passwd -l $zh
done
echo "Lock useless users.......................OK"
sleep 1
#################################################################
cp /etc/profile /etc/profiel.`date +%F`
echo "TMOUT=1800" >>/etc/profile  #设置30分钟无活动自动退出,可自行设置
echo "set autologout=30 >> /etc/csh.cshrc"
sleep 1
###############################
cp /etc/sysctl.conf /etc/sysctl.conf.`date +%F`
cat >> /etc/sysctl.conf << endf  #优化内核参数调整
net.ipv4.tcp_max_syn_backlog = 3000
net.ipv4.conf.lo.accept_source_route = 0
net.ipv6.conf.usb0.accept_redirects = 0
net.ipv6.conf.bond0.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.lo.accept_redirects = 0
net.ipv4.conf.usb0.accept_redirects = 0
net.ipv4.conf.bond0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.usb0.send_redirects = 0
net.ipv4.conf.bond0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.usb0.log_martians = 1
net.ipv4.conf.bond0.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.usb0.arp_filter = 1
net.ipv4.conf.bond0.arp_filter = 1
net.ipv4.conf.lo.arp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.default.arp_filter = 1
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.all.rp_filter = 1
endf
sysctl -p
echo "Adjust the kernel parameters!......................OK!"
sleep 1
#############################################
#关闭不必要的服务
SERVICES="amanda chargen chargen-udp cups cups-lpd daytime daytime-udp echo echo-udp eklogin ekrb5-telnet finger gssftp imap imaps ipop2 ipop3 klogin
krb5-telnet kshell ktalk ntalk rexec rlogin rsh rsync talk tcpmux-server telnet tftp time-dgram time-stream uucp nfslock"

for serv in $SERVICES
do
chkconfig --level 345 $serv off
done
echo "Close useless services.........................ok"
sleep 1
#################################################################
#口令策略
cp /etc/login.defs /etc/login.defs.`date +%F`
DIR=/etc
echo "正在修改/etc/login.defs..."
sleep 1
#检查用户口令最长有效时间
max=`cat $DIR/login.defs |grep ^PASS_MAX_DAYS |awk ‘{print $2}‘`
if [ $max != 90 ];then
    sed -i ‘/^PASS_MAX_DAYS/s/‘"$max"‘/90/g‘ $DIR/login.defs
fi

##PASS_MIN_DAYS 检查用户口令最短有效时间
min=`cat $DIR/login.defs |grep ^PASS_MIN_DAYS |awk ‘{print $2}‘`
if [ $min != 30 ];then
    sed -i ‘/^PASS_MIN_DAYS/s/‘"$min"‘/30/g‘ $DIR/login.defs
fi

##PASS_MIN_LEN 检查用户口令最短长度
len=`cat $DIR/login.defs |grep ^PASS_MIN_LEN |awk ‘{print $2}‘`
if [ $len != 8 ];then
    sed -i ‘/^PASS_MIN_LEN/s/‘"$len"‘/8/g‘ $DIR/login.defs
fi

##PASS_WARN_AGE
warn=`cat $DIR/login.defs |grep ^PASS_WARN_AGE | awk ‘{print $2}‘`
if [ $warn != 30 ];then
    sed -i ‘/^PASS_WARN_AGE/s/‘"$warn"‘/30/g‘ $DIR/login.defs
fi
##口令策略
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.`date +%F`
PASSREQU=$(cat /etc/pam.d/system-auth |grep password |grep requisite)
NEWPASSREQU=‘password    requisite     pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=2 minlen=6‘
sed -i ‘s/‘"$PASSREQU"‘/‘"$NEWPASSREQU"‘/g‘ /etc/pam.d/system-auth
PASSSUFF=‘password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok‘
NEWPASSSUFF=‘password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5‘
sed -i ‘s/‘"$PASSSUFF"‘/‘"$NEWPASSSUFF"‘/g‘ /etc/pam.d/system-auth
AUTH=‘auth        required      pam_env.so‘
NEXTAUTH=‘auth        required      pam_tally2.so deny=6 onerr=fail no_magic_root unlock_time=120‘
sed -i ‘/‘"$AUTH"‘/a\‘"$NEXTAUTH"‘‘ /etc/pam.d/system-auth

###############################################
sleep 1
echo "正在修改禁止管理员远程登录..."
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.`date +%F`
sed -i ‘s/^#PermitRootLogin yes/PermitRootLogin no/g‘ /etc/ssh/sshd_config
###############################################
#####检查关键敏感文件的权限是否恰当
chmod 400 /etc/shadow
chmod 644 /etc/group
chmod 644 /etc/group
chmod 600 /etc/security
chmod 600 /etc/security
chmod 750 /etc/rc6.d
chmod 750 /etc/rc0.d/
chmod 750 /etc/rc1.d/
chmod 750 /etc/
chmod 750 /etc/rc4.d
chmod 750 /etc/rc5.d/
chmod 750 /etc/rc3.d
chmod 750 /etc/rc.d/init.d/
#帐号与口令-检查是否存在除root之外UID为0的用户
#echo "#检查系统中是否存在其它id为0的用户"
echo "Check if the system have other user‘s id is 0"
echo "#-------------------------------------"
mesg=`awk -F: ‘($3 == 0) { print $1 }‘ /etc/passwd|grep -v root`
if [ -z $mesg ]
then
echo "There don‘t have other user uid=0"
else
echo
echo "$mesg uid=0"
fi
#禁止用户使用ctlraltdel组合键
sed -i ‘s/^start on control-alt-delete/#start on control-alt-delete/g‘ /etc/init/control-alt-delete.conf
#检查ssh协议设置,禁止使用不安全的ssh协议1,只使用协议2
sed -i ‘s/#Protocol 2/Protocol 2/g‘ /etc/ssh/sshd_config
#设置ssh警告Banner
touch /etc/sshbanner
chown bin:bin /etc/sshbanner
chmod 644 /etc/sshbanner
echo " Authorized users only. All activity may be monitored and reported "   >/etc/sshbanner
echo "Banner /etc/sshbanner" >>/etc/ssh/sshd_config
#设置登录成功后警告Banner
echo " Authorized users only. All activity may be monitored and reported " > /etc/motd
##################################################################################
#配置远程日志保存
cp /etc/syslog.conf /etc/syslog.conf.`date +%F`
echo "*.*       @192.168.0.1" >>/etc/syslog.conf
#记录帐户登录日志
touch /var/log/authlog
echo "auht.info       /var/log/authlog" >>/etc/syslog.conf
#存在类似*.err;kern.debug;daemon.notice;       /var/log/messages
echo "*.err;auth.info        /var/adm/messages" >>/etc/syslog.conf
#存在authpriv.info              /var/log/authlog配置
echo "uthpriv.*   /var/log/authlog" >>/etc/syslog.conf
#####################################################################
########################################################
#只允许wheel组使用su
#sed -i ‘N;2iauth sufficient pam_rootok.so‘ /etc/pam.d/su
#sed -i ‘N;2iauth required pam_wheel.so ‘ /etc/pam.d/su
#################################################################
#echo "umask 027" >>/etc/login.defs
#锁定禁止账号交互式登录：修改/etc/shadow文件，用户名后密码列为两个感叹号“！！”；
#sed -ri ‘/mail|lp/[email protected]([[:lower:]]):.*:(1)@\1:!!:\[email protected]‘ /etc/shadow
#chattr +i /etc/passwd
#chattr +i /etc/shadow
#chattr +i /etc/group
#chattr +i /etc/gshadow