Linux System Security Settings Shell script

Linux System Security Settings Shell script

This script has been widely used in a large media website system and added some security settings that were not previously imagined. Copy it and save it as a Shell file, such as security. sh. upload it to the Linux server. Execute sh security. sh to use this script!

Note: The script is for reference only. We recommend that you modify it based on your actual needs. Do not use it blindly!

1. #!/bin/sh
2. # desc: setup linux system security
3. # author:coralzd
4. #account setup
6. passwd -l xfs
7. passwd -l news
8. passwd -l nscd
9. passwd -l dbus
10. passwd -l vcsa
11. passwd -l games
12. passwd -l nobody
13. passwd -l avahi
14. passwd -l haldaemon
15. passwd -l gopher
16. passwd -l ftp
17. passwd -l mailnull
18. passwd -l pcap
19. passwd -l mail
20. passwd -l shutdown
21. passwd -l halt
22. passwd -l uucp
23. passwd -l operator
24. passwd -l sync
25. passwd -l adm
26. passwd -l lp
28. # chattr /etc/passwd /etc/shadow
29. chattr +i /etc/passwd
30. chattr +i /etc/shadow
31. chattr +i /etc/group
32. chattr +i /etc/gshadow
34. # add continue input failure 3 ,passwd unlock time 5 minite
35. sed -i 's#auth required pam_env.so#auth required pam_env.sonauth required pam_tally.so onerr=fail deny=3 unlock_time=300nauth required /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth
36. # system timeout 5 minite auto logout
37. echo "TMOUT=300" >>/etc/profile
39. # will system save history command list to 10
40. sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
42. # enable /etc/profile go!
43. source /etc/profile
45. # add syncookie enable /etc/sysctl.conf
46. echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
48. sysctl -p # exec sysctl.conf enable
49. # optimizer sshd_config
51. sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config
52. sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
54. # limit chmod important commands
55. chmod 700 /bin/ping
56. chmod 700 /usr/bin/finger
57. chmod 700 /usr/bin/who
58. chmod 700 /usr/bin/w
59. chmod 700 /usr/bin/locate
60. chmod 700 /usr/bin/whereis
61. chmod 700 /sbin/ifconfig
62. chmod 700 /usr/bin/pico
63. chmod 700 /bin/vi
64. chmod 700 /usr/bin/which
65. chmod 700 /usr/bin/gcc
66. chmod 700 /usr/bin/make
67. chmod 700 /bin/rpm
69. # history security
71. chattr +a /root/.bash_history
72. chattr +i /root/.bash_history
74. # write important command md5
75. cat > list << "EOF" &&
76. /bin/ping
77. /bin/finger
78. /usr/bin/who
79. /usr/bin/w
80. /usr/bin/locate
81. /usr/bin/whereis
82. /sbin/ifconfig
83. /bin/pico
84. /bin/vi
85. /usr/bin/vim
86. /usr/bin/which
87. /usr/bin/gcc
88. /usr/bin/make
89. /bin/rpm
90. EOF
92. for i in `cat list`
93. do
94. if [ ! -x $i ];then
95. echo "$i not found,no md5sum!"
96. else
97. md5sum $i >> /var/log/`hostname`.log
98. fi
99. done
100. rm -f list