Linux System Hardening Scripts

Last Update:2015-09-07 Source: Internet

Author: User

Tags syslog

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

#########################################//The following is an account that the lockout system does not need to login
cp/etc/passwd/etc/passwd. ' Date +%f '
zhanghao= "ADM LP mail UUCP operator Games Gopher ftp Nobody nobody4 noaccess listen webservd rpm dbus Avahi mailnull Smmsp NSCD VCSA RPC rpcuser NFS sshd pcap NTP haldaemon distcache apache webalizer squid xfs GDM sabayon named "
For en in $zhanghao
Do
Passwd-l $zh
Done
echo "Lock useless users ....... .......... OK "
Sleep 1
#################################################################
Cp/etc/profile/etc/profiel. ' Date +%f '
echo "tmout=1800" >>/etc/profile #设置30分钟无活动自动退出, can be set by yourself
echo "Set autologout=30 >>/ETC/CSH.CSHRC"
Sleep 1
###############################
cp/etc/sysctl.conf/etc/sysctl.conf. ' Date +%f '
Cat >>/etc/sysctl.conf << endf #优化内核参数调整
Net.ipv4.tcp_max_syn_backlog = 3000
Net.ipv4.conf.lo.accept_source_route = 0
net.ipv6.conf.usb0.accept_redirects = 0
net.ipv6.conf.bond0.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.lo.accept_redirects = 0
net.ipv4.conf.usb0.accept_redirects = 0
net.ipv4.conf.bond0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.usb0.send_redirects = 0
net.ipv4.conf.bond0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Net.ipv4.conf.usb0.log_martians = 1
Net.ipv4.conf.bond0.log_martians = 1
Net.ipv4.conf.lo.log_martians = 1
Net.ipv4.conf.default.log_martians = 1
Net.ipv4.conf.all.log_martians = 1
Net.ipv4.conf.usb0.arp_filter = 1
Net.ipv4.conf.bond0.arp_filter = 1
Net.ipv4.conf.lo.arp_filter = 1
Net.ipv4.conf.lo.rp_filter = 1
Net.ipv4.conf.default.arp_filter = 1
Net.ipv4.conf.all.arp_filter = 1
Net.ipv4.conf.all.rp_filter = 1
Endf
Sysctl-p
echo "Adjust the kernel parameters!...................... ok! "
Sleep 1
#############################################
#关闭不必要的服务
Services= "Amanda Chargen chargen-udp cups CUPS-LPD daytime daytime-udp echo echo-udp eklogin ekrb5-telnet finger gssftp im AP Imaps ipop2 Ipop3 Klogin
Krb5-telnet Kshell ktalk ntalk rexec rlogin rsh rsync talk tcpmux-server telnet tftp time-dgram time-stream uucp nfslock "

For serv in $SERVICES
Do
Chkconfig--level 345 $serv off
Done
echo "Close useless Services.........................ok"
Sleep 1
#################################################################
#口令策略
Cp/etc/login.defs/etc/login.defs. ' Date +%f '
Dir=/etc
echo "Modifying/etc/login.defs ..."
Sleep 1
#检查用户口令最长有效时间
Max= ' cat $DIR/login.defs |grep ^pass_max_days |awk ' {print $} '
if [$max! =];then
Sed-i '/^pass_max_days/s/' "$max" '/90/g ' $DIR/login.defs
Fi

# #PASS_MIN_DAYS Check the minimum effective time of the user's password
Min= ' cat $DIR/login.defs |grep ^pass_min_days |awk ' {print $} '
if [$min! =];then
Sed-i '/^pass_min_days/s/' "$min" '/30/g ' $DIR/login.defs
Fi

# #PASS_MIN_LEN Check the minimum user password length
Len= ' cat $DIR/login.defs |grep ^pass_min_len |awk ' {print $} '
if [$len! = 8];then
Sed-i '/^pass_min_len/s/' "$len" '/8/g ' $DIR/login.defs
Fi

# #PASS_WARN_AGE
Warn= ' cat $DIR/login.defs |grep ^pass_warn_age | awk ' {print $} '
if [$warn! =];then
Sed-i '/^pass_warn_age/s/' "$warn" '/30/g ' $DIR/login.defs
Fi
# #口令策略
Cp/etc/pam.d/system-auth/etc/pam.d/system-auth. ' Date +%f '
passrequ=$ (cat/etc/pam.d/system-auth |grep password |grep requisite)
newpassrequ= ' password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=2 minlen=6 '
Sed-i ' s/' "$PASSREQU" '/' "$NEWPASSREQU" '/g '/etc/pam.d/system-auth
passsuff= ' Password sufficient pam_unix.so sha512 shadow Nullok try_first_pass Use_authtok '
newpasssuff= ' Password sufficient pam_unix.so MD5 shadow Nullok try_first_pass Use_authtok remember=5 '
Sed-i ' s/' "$PASSSUFF" '/' "$NEWPASSSUFF" '/g '/etc/pam.d/system-auth
Auth= ' AUTH required pam_env.so '
Nextauth= ' auth required pam_tally2.so deny=6 onerr=fail no_magic_root unlock_time=120 '
Sed-i '/' "$AUTH" '/a\ ' "$NEXTAUTH" '/etc/pam.d/system-auth

###############################################
Sleep 1
echo "Modifying disable Administrator remote login ..."
Cp/etc/ssh/sshd_config/etc/ssh/sshd_config. ' Date +%f '
Sed-i ' s/^ #PermitRootLogin yes/permitrootlogin no/g '/etc/ssh/sshd_config
###############################################
# # # #检查关键敏感文件的权限是否恰当
chmod 400/etc/shadow
chmod 644/etc/group
chmod 644/etc/group
chmod 600/etc/security
chmod 600/etc/security
chmod 750/ETC/RC6.D
chmod 750/etc/rc0.d/
chmod 750/etc/rc1.d/
chmod 750/etc/
chmod 750/etc/rc4.d
chmod 750/etc/rc5.d/
chmod 750/etc/rc3.d
chmod 750/etc/rc.d/init.d/
#帐号与口令-Check if there is a user with UID 0 other than root
#echo "#检查系统中是否存在其它id为0的用户"
echo "Check If the system has other user ' s ID is 0"
echo "#-------------------------------------"
Mesg= ' Awk-f: ' ($ = = 0) {print $} '/etc/passwd|grep-v root '
If [-Z $MESG]
Then
echo "There don ' t has other user uid=0"
Else
Echo
echo "$MESG uid=0"
Fi
#禁止用户使用ctlraltdel组合键
Sed-i ' S/^start on control-alt-delete/#start on control-alt-delete/g '/etc/init/control-alt-delete.conf
#检查ssh协议设置, disable the use of unsecured SSH protocol 1, use only protocol 2
Sed-i ' s/#Protocol 2/protocol 2/g '/etc/ssh/sshd_config
#设置ssh警告Banner
Touch/etc/sshbanner
Chown Bin:bin/etc/sshbanner
chmod 644/etc/sshbanner
echo "Authorized users only. All activity monitored and reported ">/etc/sshbanner
echo "Banner/etc/sshbanner" >>/etc/ssh/sshd_config
#设置登录成功后警告Banner
echo "Authorized users only. All activity monitored and reported ">/ETC/MOTD
##################################################################################
#配置远程日志保存
cp/etc/syslog.conf/etc/syslog.conf. ' Date +%f '
echo "* * @192.168.0.1" >>/etc/syslog.conf
#记录帐户登录日志
Touch/var/log/authlog
echo "Auht.info/var/log/authlog" >>/etc/syslog.conf
#存在类似 *.err;kern.debug;daemon.notice; /var/log/messages
echo "*.err;auth.info/var/adm/messages" >>/etc/syslog.conf
#存在authpriv. Info/var/log/authlog Configuration
echo "uthpriv.*/var/log/authlog" >>/etc/syslog.conf
#####################################################################
########################################################
#只允许wheel组使用su
#sed-i ' n;2iauth sufficient pam_rootok.so '/etc/pam.d/su
#sed-i ' N;2iauth required pam_wheel.so '/ETC/PAM.D/SU
#################################################################
#echo "Umask 027" >>/etc/login.defs
#锁定禁止账号交互式登录: Modify the/etc/shadow file, the user name after the password is listed as two exclamation mark "!! ”；
#sed-ri '/mail|lp/[email protected] ([[: Lower:]]):. *:(1) @\1:!!:\ [Email protected] '/etc/shadow
#chattr +i/etc/passwd
#chattr +i/etc/shadow
#chattr +i/etc/group
#chattr +i/etc/gshadow

Linux System Hardening Scripts

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More