The following Linux system security shell script serves as a system security initialization script. It can be run immediately after the server operating system is installed to quickly establish a baseline of protection. The initial script was written by Xiaohui and, after several rounds of modification, has been widely used on the systems of a large media website. Some bugs have been fixed, and the script has been tested on CentOS 5.5 x86_64. It is currently used on servers that are not behind a hardware firewall.
Usage: copy the content and save it as a shell file such as security.sh, upload it to the Linux server, and run sh security.sh. We recommend running it immediately after system initialization, and not changing passwords after creating user accounts, so as not to affect the initial md5 values of important files.
Script content (the comments below have been translated for readability):
#!/bin/sh
# Desc: setup linux system security
# Author: corzd
# Powered by www.baidu.org.tw
# Version 0.1.2 written by 2011.05.03

# Setting accounts: lock the passwords of system accounts that must never log in interactively
passwd -l xfs
passwd -l news
passwd -l nscd
passwd -l Signature   # account name as given in the (garbled) source; verify it against /etc/passwd before running
passwd -l vcsa
passwd -l games
passwd -l nobody
passwd -l avahi
passwd -l haldaemon
passwd -l gopher
passwd -l ftp
passwd -l mailnull
passwd -l pcap
passwd -l mail
passwd -l shutdown
passwd -l halt
passwd -l uucp
passwd -l operator
passwd -l sync
passwd -l adm
passwd -l lp

# Use chattr to make the account database files immutable. For more information about the chattr command, see [1].
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

# Lock an account for 5 minutes (300 s) after three consecutive failed logins [Linux community www.Linuxidc.com]
# The module name was garbled in the source; pam_tally.so is the CentOS 5 module that takes onerr=/deny=/unlock_time=, so it is used here.
# The match uses [[:space:]]+ so it works whatever column spacing system-auth uses; "&" keeps the matched pam_env.so line.
sed -i 's#^auth[[:space:]]\+required[[:space:]]\+pam_env.so#&\nauth        required      pam_tally.so onerr=fail deny=3 unlock_time=300\nauth        required      /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth

# Automatically log out idle shells after 5 minutes. For the reason, see the description at the end of the article [2].
# Append (>>) rather than overwrite (>), otherwise /etc/profile is wiped out.
echo "TMOUT=300" >> /etc/profile

# Set the number of shell history records to 10
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile

# Make the above changes to /etc/profile take effect in the current shell
. /etc/profile

# Enable SYN cookies in /etc/sysctl.conf (append; do not overwrite the file)
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
sysctl -p   # reload sysctl.conf so the setting takes effect

# Optimizing sshd_config
sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config
sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config

# Restrict the permissions of important commands to root only
chmod 700 /bin/ping
chmod 700 /usr/bin/finger
chmod 700 /usr/bin/who
chmod 700 /usr/bin/w
chmod 700 /usr/bin/locate
chmod 700 /usr/bin/whereis
chmod 700 /sbin/ifconfig
chmod 700 /usr/bin/pico
chmod 700 /bin/vi
chmod 700 /usr/bin/which
chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/make
chmod 700 /bin/rpm

# History security: root's shell history may only be appended to, never truncated or removed.
# Note that +i forbids every write, including appends, so with both flags set bash can no longer record history; +a alone gives append-only.
chattr +a /root/.bash_history
chattr +i /root/.bash_history

# Record md5 checksums of important commands
cat > list <<"EOF"
/bin/ping
/usr/bin/finger
/usr/bin/who
/usr/bin/w
/usr/bin/locate
/usr/bin/whereis
/sbin/ifconfig
/bin/vi
/usr/bin/vim
/usr/bin/which
/usr/bin/gcc
/usr/bin/make
/bin/rpm
EOF
for I in $(cat list)
do
    if [ ! -x "$I" ]; then
        echo "$I not found, no md5sum!"
    else
        # append one "md5  /path" line per command (the format md5sum -c reads); ">" would keep only the last one
        md5sum "$I" >> /var/log/$(hostname).log
    fi
done
rm -f list
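The md5 log the script writes is only useful if it is checked again later. The following is an added example (not part of the original script or the author's code) that builds a baseline in the same "md5sum  /path" format and, going beyond the page, verifies a system against it, reporting files that changed or disappeared. The file names and contents in demo() are constructed stand-ins for real binaries; on a host you would pass the script's own list and /var/log/HOSTNAME.log.

```shell
#!/bin/sh
# Added example, not part of the original script: build and later verify an md5
# baseline in the exact format the security script writes to /var/log/HOSTNAME.log
# (one "md5sum  /path" line per command). File names below are constructed for
# the demo; on a real host pass the script's own list and log file.

# build_baseline LISTFILE OUTFILE: record the md5 of every executable path in
# LISTFILE, warning on stderr about missing paths, exactly as the script does
build_baseline() {
    list="$1"; out="$2"
    : > "$out"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ -x "$path" ]; then
            md5sum "$path" >> "$out"
        else
            echo "$path not found, no md5sum!" >&2
        fi
    done < "$list"
}

# check_baseline BASEFILE: compare each recorded md5 with the file's current md5.
# Prints "CHANGED /path" or "MISSING /path" for every deviation; returns 0 only
# when every recorded file is present and unchanged.
check_baseline() {
    base="$1"; rc=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        cur=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$base"
    return "$rc"
}

# demo: constructed stand-ins for system binaries in a temp dir; one is altered
# after the baseline is taken, so the check reports it and returns 1
demo() {
    tmp=$(mktemp -d)
    printf 'echo one\n' > "$tmp/bin_a"; chmod 755 "$tmp/bin_a"
    printf 'echo two\n' > "$tmp/bin_b"; chmod 755 "$tmp/bin_b"
    printf '%s\n%s\n%s\n' "$tmp/bin_a" "$tmp/bin_b" "$tmp/absent" > "$tmp/list"
    build_baseline "$tmp/list" "$tmp/baseline.log"
    printf 'echo tampered\n' > "$tmp/bin_b"    # simulate a replaced binary
    if check_baseline "$tmp/baseline.log"; then r=0; else r=1; fi
    rm -rf "$tmp"
    return "$r"
}

demo || echo "integrity drift detected (exit status $?)"
```

Because the baseline lives on the same host, an attacker with root can rewrite it along with the binaries; keep a copy of the log off the machine (or under chattr +i, as the article does for other files) and compare against that copy.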
Knowledge Point [1]: chattr commands
The chattr command modifies file attributes to protect files and directories. Whereas chmod changes the read/write/execute permission bits, chattr controls lower-level file attributes, which makes it a very powerful command. Some of its functions depend on the Linux kernel version: with a kernel earlier than 2.2, many of them are unavailable, and likewise the option the text gives as -D, for checking errors in compressed files, requires kernel 2.5.19 or later. Setting attributes with chattr can improve system security, but it is not suitable for every directory: chattr cannot protect the /, /dev, /tmp and /var directories.
You can view these attributes with the lsattr command.
Usage of the chattr command: chattr [-RV] [-v version] [mode] files...
The most important part is the [mode] section, the file attribute section. [mode] is composed of the operators +, - and = followed by the attribute letters [ASacDdIijsTtu].
+: add the given attributes to the file's existing attributes.
-: remove the given attributes from the file's existing attributes.
=: set the file's attributes to exactly the given ones.
A: the atime (access time) of the file or directory is not updated, which avoids a certain amount of disk I/O, for example on a laptop.
S: synchronous I/O: changes to the file are written to disk synchronously, similar to sync.
a: append only. Once set, data can only be appended to the file and existing content cannot be deleted. This attribute is mostly used to protect server log files and can only be set by root.
c: compressed: the file is compressed before being stored on disk and is decompressed automatically when read.
d: no dump: the file is not a backup target for the dump program.
i: immutable: the file cannot be deleted, renamed or linked to, and cannot be written to or appended to. The i attribute is very helpful for file system security settings.
j: journal: when the file system is mounted with data=ordered or data=writeback, the file's data is written to the journal first. If the file system is mounted with data=journal, this attribute has no effect.
s: secure deletion: when the file or directory is deleted, its blocks on disk are zeroed out.
u: the opposite of s: when a file with u is deleted, its data is kept on disk so that it can be undeleted.
Of all these options, a and i are the ones used most often. With a, content can only be appended and never deleted, which is mostly used to secure the log system. i is the stricter security setting; it can be set or cleared only by the superuser (root) or by a process with the CAP_LINUX_IMMUTABLE capability.
Application examples:
1. Use chattr to prevent a key system file from being modified:
# chattr +i /etc/fstab
Then try rm, mv, rename or other commands on this file: the result is "Operation not permitted".
2. Allow a file to have content appended only, never deleted. Some log files are suited to this:
# chattr +a /data1/user_act.log
Knowledge Point [2]: Why do I need to set to automatically log out in 5 minutes?
The customer's maintenance personnel often logged in and then left telnet improperly by simply closing the terminal instead of ending the session. As a result, the number of pts processes in the system kept growing, and after nearly a month there were so many processes that the system raised an alarm. The standard way to leave is exit or Ctrl+D, but not everyone does that, so we define echo "TMOUT=300" >> /etc/profile, which makes the server automatically drop any client that has shown no activity for 300 seconds. Of course, you can decide whether to add this item based on your actual needs.
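The TMOUT line above is appended to /etc/profile, and the same pattern (echo a KEY=VALUE line into a config file) is used for HISTSIZE and tcp_syncookies elsewhere in the script. Written with a single ">" it overwrites the whole file, and written with ">>" it adds a duplicate line every time the script is re-run. The following added example (not part of the original script) is a small idempotent setter for such files: it rewrites an existing KEY= line, commented out or not, and appends only when none exists. The sample profile content in demo() is constructed.

```shell
#!/bin/sh
# Added example, not part of the original script: set KEY=VALUE in a
# profile-style file idempotently. An existing "KEY=..." line (active or
# commented out) is rewritten in place; otherwise the line is appended. This
# avoids the `echo "TMOUT=300" > /etc/profile` pitfall (which overwrites the
# whole file) and leaves exactly one line however often the hardening is re-run.
# The sample file content in demo() is constructed.

# set_kv FILE KEY VALUE
set_kv() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    # escape '.' so a sysctl-style key such as net.ipv4.tcp_syncookies matches literally
    key_re=$(printf '%s' "$key" | sed 's/[.]/\\./g')
    if grep -q "^[#[:space:]]*$key_re=" "$file"; then
        # rewrite the existing (possibly commented-out) line in place
        sed -i "s|^[#[:space:]]*$key_re=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY: print the value of the last active KEY= line (empty if none)
get_kv() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# demo: constructed sample profile; TMOUT is set twice to show nothing is duplicated
demo() {
    f=$(mktemp)
    printf '# constructed sample profile\nHISTSIZE=1000\n#TMOUT=600\n' > "$f"
    set_kv "$f" TMOUT 300
    set_kv "$f" HISTSIZE 10
    set_kv "$f" net.ipv4.tcp_syncookies 1
    set_kv "$f" TMOUT 300     # second run: still exactly one TMOUT line
    cat "$f"
    rm -f "$f"
}

demo
```

Because set_kv matches the key at the start of the line, it also reactivates a commented-out default such as "#TMOUT=600" rather than leaving two conflicting entries, which is what you want when hardening a file that ships with example settings.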