#!/bin/bash
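# --- Password complexity (pam_cracklib) --------------------------------------
# Adds a pam_cracklib line to /etc/pam.d/system-auth when no uncommented one is
# present. The sed anchor is the one used by the original script, written
# whitespace-tolerant because pam files are column-aligned; "ocredit" was
# mis-cased in the original, which pam_cracklib would reject.
# NOTE(review): pam_cracklib is normally placed before pam_unix in the password
# stack; confirm the resulting order on the target distribution, and that the
# anchor line exists there at all (sed inserts nothing, silently, when it does not).
if ! grep -v '^#' /etc/pam.d/system-auth | grep -q 'pam_cracklib.so'; then
  sed -i '/password[[:space:]]\+required[[:space:]]\+pam_deny.so/a\password required pam_cracklib.so try_first_pass minlen=8 ucredit=-1 lcredit=-1 ocredit=-1 dcredit=-1 retry=3 difok=5' /etc/pam.d/system-auth
fi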
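# --- Temporary lockout after consecutive login failures (pam_tally) ----------
# Adds pam_tally auth/account entries to system-auth and sshd when no
# uncommented pam_tally line is present. When the outer check passes, both the
# auth and the account entry are missing, so the original's nested re-checks
# are folded into one branch. Anchors are whitespace-tolerant (pam files are
# column-aligned). NOTE(review): verify each anchor line exists on the target;
# also, even_deny_root/root_unlock_time are pam_tally2 option names — confirm
# the module installed there accepts them.
if ! grep -v '^#' /etc/pam.d/system-auth | grep -q 'pam_tally.so'; then
  sed -i '/auth[[:space:]]\+include[[:space:]]\+system-auth/a\auth required pam_tally.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600' /etc/pam.d/system-auth
  sed -i '/account[[:space:]]\+include[[:space:]]\+system-auth/a\account required pam_tally.so' /etc/pam.d/system-auth
fi
if ! grep -v '^#' /etc/pam.d/sshd | grep -q 'pam_tally.so'; then
  # root_unlock_time had no value in the original; 600 matches the system-auth entry.
  sed -i '/auth[[:space:]]\+required[[:space:]]\+pam_deny.so/a\auth required pam_tally.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600' /etc/pam.d/sshd
  sed -i '/account[[:space:]]\+required[[:space:]]\+pam_unix.so/a\account required pam_tally.so' /etc/pam.d/sshd
fi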
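# --- Password reuse history ----------------------------------------------------
# Appends remember=5 to the pam_unix password line when no "remember" option is
# configured, so the last five passwords cannot be reused.
if ! grep password /etc/pam.d/system-auth | grep -q remember; then
  sed -i '/password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/s/$/ remember=5/' /etc/pam.d/system-auth
fi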
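# --- Idle timeout -------------------------------------------------------------
# Login shells exit after 1800 s without input. The original appended "tmout"
# in lower case, which the shell ignores and which the TMOUT check below could
# never find, so the line would have been re-added on every run.
if ! grep -v '^#' /etc/profile | grep -q TMOUT; then
  printf '\nexport TMOUT=1800\n' >> /etc/profile
  # NOTE(review): add "readonly TMOUT" as well if users must not be able to clear it.
fi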
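# --- Password aging (/etc/login.defs) ----------------------------------------
# Keys are anchored at line start so comments that mention them are not
# rewritten. As in the original, each substitution only changes the stock
# default value (7, 5, 0, 077); a key already set to another value is left alone.
sed -i '/^PASS_WARN_AGE/s/7/10/' /etc/login.defs
sed -i '/^PASS_MIN_LEN/s/5/8/' /etc/login.defs
#sed -i '/^PASS_MAX_DAYS/s/99999/90/' /etc/login.defs
sed -i '/^PASS_MIN_DAYS/s/0/6/' /etc/login.defs
# --- Default access permissions ----------------------------------------------
# NOTE(review): this sets UMASK to 027 for new logins while the shell profile
# section of this script switches interactive shells to 077; pick one value.
sed -i '/^UMASK/s/077/027/' /etc/login.defs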
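# --- Permissions on important files and directories -------------------------
# set_mode MODE PATH: chmod only when PATH exists, so optional files that are
# absent on the host (inetd.conf, lilo.conf, grub.conf, ...) do not raise errors.
set_mode() {
  [ -e "$2" ] && chmod "$1" "$2"
}
set_mode 644 /etc/passwd
set_mode 600 /etc/xinetd.conf
set_mode 600 /etc/inetd.conf
set_mode 644 /etc/group
set_mode 000 /etc/shadow
set_mode 644 /etc/services
# NOTE(review): /etc/security is a directory; mode 600 removes its execute
# bit, so only root can open files below it (kept as in the original).
set_mode 600 /etc/security
# Disabled: mode 750 on /etc blocks every non-root read of /etc (passwd,
# nsswitch.conf, ...). The original's own comment records that logins failed
# after this change with the nscd service running.
#set_mode 750 /etc/
set_mode 750 /etc/rc6.d
# Disabled: /tmp must stay world-writable with the sticky bit (1777); mode 750
# breaks every non-root program that creates temporary files.
#set_mode 750 /tmp
set_mode 750 /etc/rc0.d
set_mode 750 /etc/rc1.d
set_mode 750 /etc/rc2.d
set_mode 750 /etc/rc4.d
set_mode 750 /etc/rc5.d
set_mode 750 /etc/rc3.d
set_mode 750 /etc/rc.d/init.d
set_mode 600 /etc/grub.conf
set_mode 600 /boot/grub/grub.conf
set_mode 600 /etc/lilo.conf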
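# --- User umask ---------------------------------------------------------------
# Only a stock "umask 002" line is rewritten to 077; a umask line carrying any
# other value is left untouched, exactly as in the original.
for rc in /etc/csh.cshrc /etc/bashrc /etc/profile; do
  [ -f "$rc" ] && sed -i '/umask/s/002/077/' "$rc"
done
# csh login: add a umask when the file has none (the original's "/numask" was
# a garbled "\numask").
if ! grep -qi umask /etc/csh.login; then
  printf '\numask 077\n' >> /etc/csh.login
fi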
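# --- SSH pre-login warning banner ---------------------------------------------
# Creates the banner file and points sshd at it when the file does not exist.
# The original wrote "Banner/etc/ssh_banner" without a space, which sshd
# rejects; the directive is only appended when no active Banner line exists,
# since sshd honours the first one it reads.
sshbanner=/etc/ssh_banner
if [ ! -f "$sshbanner" ]; then
  touch "$sshbanner"
  chown bin:bin "$sshbanner"
  chmod 644 "$sshbanner"
  printf '%s\n' "Authorized only. All activity would be monitored and reported " > "$sshbanner"
  if ! grep -q '^Banner' /etc/ssh/sshd_config; then
    printf 'Banner %s\n' "$sshbanner" >> /etc/ssh/sshd_config
  fi
  # NOTE(review): running "sshd -t" before the restart would catch a broken
  # config instead of leaving the host without SSH.
  /etc/init.d/sshd restart
fi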
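# --- FTP security settings ---------------------------------------------------
# Disable anonymous FTP in every vsftpd.conf found directly under /etc. The
# match is case-insensitive (GNU sed "I" flag) because the stock file uses
# "YES" while the original only matched lower-case "yes"; the value is written
# as NO. Each find hit is handled separately, so several config files work.
find /etc/ -maxdepth 2 -name vsftpd.conf 2>/dev/null | while IFS= read -r conf; do
  sed -i '/^anonymous_enable/s/yes/NO/I' "$conf"
done
# Deny FTP logins as root by listing root in ftpusers when no uncommented entry
# exists yet. The original appended "Root", which an ftp daemon would not match.
find /etc/ -maxdepth 2 -name ftpusers 2>/dev/null | while IFS= read -r ftpusers; do
  if ! grep -v '^#' "$ftpusers" | grep -q root; then
    echo "root" >> "$ftpusers"
  fi
done
# Remove the ftp system account. Anchored on "ftp:" so accounts whose names
# merely start with "ftp" are left alone.
# NOTE(review): this edits /etc/passwd directly, without locking, and leaves a
# matching /etc/shadow entry behind; "userdel ftp" does both safely.
sed -i '/^ftp:/d' /etc/passwd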
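# --- Immutable attribute on the account database ------------------------------
# NOTE(review): while +i is set, useradd/usermod/passwd/chage fail until
# "chattr -i" is run on these files; make sure provisioning tooling expects that.
for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
  chattr +i "$f"
done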
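# --- Log audit ----------------------------------------------------------------
# Remote log collector used by the forwarding rules below. The address is the
# one hard-coded in the original; it can be overridden from the environment.
# NOTE(review): forwarding *.* over plain UDP/514 is unauthenticated and
# unencrypted; acceptable only on a closed management network, otherwise use
# TLS/RELP.
log_server=${LOG_SERVER:-192.168.0.1}

# Without any syslog daemon configuration the script stops here. NOTE(review):
# this exit also skips every later section (su restriction, service shutdown,
# sysctl, setuid cleanup), as in the original.
if [ ! -f /etc/rsyslog.conf ] && [ ! -f /etc/syslog.conf ] && [ ! -f /etc/syslog-ng/syslog-ng.conf ]; then
  echo "$(tput setaf 1)syslog not installed!!!$(tput sgr0)" >&2
  exit
fi
if [ ! -f /var/log/cron ]; then
  touch /var/log/cron
  # NOTE(review): 775 makes the log group-writable; 640 is the usual mode.
  chmod 775 /var/log/cron
fi
if [ ! -f /var/adm/messages ]; then
  mkdir -p /var/adm   # touch alone fails when /var/adm does not exist
  touch /var/adm/messages
  # NOTE(review): 666 is world-writable — any local user could truncate or
  # forge this log. Kept from the original, but 640 is strongly preferable.
  chmod 666 /var/adm/messages
fi

# rsyslog: local cron log, local messages file, remote forwarding. The tab
# between selector and action restores the separator lost in the original.
if [ -f /etc/rsyslog.conf ]; then
  if ! grep '^cron' /etc/rsyslog.conf | grep -q '/var/log/cron'; then
    printf 'cron.*\t/var/log/cron\n' >> /etc/rsyslog.conf
  fi
  if ! grep -q '/var/adm/messages' /etc/rsyslog.conf; then
    printf '*.err;kern.debug;daemon.notice\t/var/adm/messages\n' >> /etc/rsyslog.conf
  fi
  if ! grep -q '@[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /etc/rsyslog.conf; then
    printf '*.*\t@%s\n' "$log_server" >> /etc/rsyslog.conf
  fi
  /etc/init.d/rsyslog restart
fi

# classic syslogd: the same three rules. The original grepped /etc/rsyslog.conf
# in this branch (copy-paste slip), so on a syslogd host the checks never saw
# the file they were appending to.
if [ -f /etc/syslog.conf ]; then
  if ! grep '^cron' /etc/syslog.conf | grep -q '/var/log/cron'; then
    printf 'cron.*\t/var/log/cron\n' >> /etc/syslog.conf
  fi
  if ! grep -q '/var/adm/messages' /etc/syslog.conf; then
    printf '*.err;kern.debug;daemon.notice\t/var/adm/messages\n' >> /etc/syslog.conf
  fi
  if ! grep -q '@[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /etc/syslog.conf; then
    printf '*.*\t@%s\n' "$log_server" >> /etc/syslog.conf
  fi
  /etc/init.d/syslog restart
fi

# syslog-ng: the original tested a wrong path (/etc/syslog-ng.conf) and its
# echo strings lost their inner double quotes, so the emitted statements were
# not valid syslog-ng syntax. Single-quoted printf arguments keep them intact.
ng_conf=/etc/syslog-ng/syslog-ng.conf
if [ -f "$ng_conf" ]; then
  if ! grep -q 'destination(cron)' "$ng_conf"; then
    printf '%s\n' 'filter f_cron { facility(cron); };' \
      'destination cron { file("/var/log/cron"); };' \
      'log { source(src); filter(f_cron); destination(cron); };' >> "$ng_conf"
  fi
  if ! grep -q 'filter f_msgs' "$ng_conf"; then
    printf '%s\n' 'filter f_msgs { level(err) or facility(kern) and level(debug) or facility(daemon) and level(notice); };' \
      'destination msgs { file("/var/adm/messages"); };' \
      'log { source(src); filter(f_msgs); destination(msgs); };' >> "$ng_conf"
  fi
  # The original looked for "@a.b.c.d", which never occurs in syslog-ng syntax,
  # so the forwarding block was appended again on every run.
  if ! grep -q 'destination logserver' "$ng_conf"; then
    printf 'destination logserver { udp("%s" port(514)); };\n' "$log_server" >> "$ng_conf"
    printf '%s\n' 'log { source(src); destination(logserver); };' >> "$ng_conf"
  fi
  # NOTE(review): source(src) assumes a source named "src" is defined in the
  # file, and the init script may be called syslog-ng rather than syslog on
  # the target — both kept from the original, confirm on the host.
  /etc/init.d/syslog restart
fi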
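# --- Only members of wheel may su to root --------------------------------------
# When /etc/pam.d/su has no active pam_wheel line, a pam_rootok line is inserted
# at line 2 if missing and pam_wheel is appended after it. Both branches of the
# original ended with the same pam_wheel insertion, so it is done once here.
if ! grep -v '^#' /etc/pam.d/su | grep -q pam_wheel.so; then
  if ! grep -v '^#' /etc/pam.d/su | grep -q pam_rootok.so; then
    sed -i '2iauth sufficient pam_rootok.so' /etc/pam.d/su
  fi
  # "a" appends after every line matching pam_rootok.so, commented ones included.
  sed -i '/pam_rootok.so/a\auth required pam_wheel.so group=wheel' /etc/pam.d/su
fi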
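# --- Disable unnecessary services and ports -------------------------------------
# Every listed service that chkconfig reports as "on" is switched off at all
# runlevels. The name test is a substring match, as in the original, so "time"
# also covers "daytime" and "time-udp", and "echo" covers "echo-udp". "-w on"
# keeps a service whose name merely contains "on" from counting as enabled.
# (The original's "Chk_bootps off" was a garbled "bootps off".)
for svc in ntalk lpd kshell time sendmail klogin printer nfslock echo discard \
  chargen bootps daytime tftp ypbind ident; do
  if chkconfig --list | grep "$svc" | grep -qw on; then
    chkconfig --level 0123456 "$svc" off
    # the original also disables the UDP variant of the time service
    [ "$svc" = time ] && chkconfig --level 0123456 time-udp off
  fi
done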
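# --- Core dump settings ---------------------------------------------------------
# Disable core dumps for all users when limits.conf has no active "core" entry.
# limits.conf lines need a domain field; the "*" (all users) was stripped from
# the original text, which would have produced a malformed line.
if ! grep -v '^#' /etc/security/limits.conf | grep -q core; then
  printf '%s\n' '* soft core 0' '* hard core 0' >> /etc/security/limits.conf
fi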
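# --- Neutralise potentially dangerous trust files --------------------------------
# hosts.equiv, .rhosts and .netrc are renamed with a .bak suffix, not deleted.
# The original assigned the find output to one variable, which broke as soon as
# more than one file matched; each hit is now renamed on its own.
# NOTE(review): a .netrc can hold credentials; the .bak copy keeps them on disk
# with the same permissions, so consider securing or removing it afterwards.
for danger in hosts.equiv .rhosts .netrc; do
  find / -maxdepth 3 -name "$danger" 2>/dev/null | while IFS= read -r path; do
    mv -- "$path" "$path.bak"
  done
done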
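# --- Kernel network parameters ---------------------------------------------------
# sysctl -w changes the running kernel only; the values are lost at reboot
# unless they are also written to /etc/sysctl.conf (the original notes this).
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.ip_forward=0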
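# --- Strip setuid/setgid from selected binaries ---------------------------------
# -perm /6000 matches files carrying either the setuid or the setgid bit.
# "-exec … +" replaces "| xargs chmod 755", which ran chmod with no operands
# (and failed) whenever nothing matched; missing paths are silenced.
# NOTE(review): without the setuid bit, ping, mount/umount, chsh/chfn, gpasswd
# and newgrp stop working for unprivileged users unless file capabilities are
# set; confirm that is acceptable on the target before running this.
find /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn /usr/bin/chsh \
  /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl /bin/mount /bin/umount \
  /bin/ping /sbin/netreport -type f -perm /6000 -exec chmod 755 {} + 2>/dev/null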
# Linux Security Hardening Scripts