To simplify Linux host management, we collect common system security settings in a shell script. When a new host is installed or a Linux system is upgraded, you only need to run this script to apply the security settings, which makes the work much easier. Shell is really a good thing.
This shell script for Linux system security settings is in its second revision. It has been widely used in a large media website system, and this revision adds some security settings that had not been thought of before. Copy it and save it as a shell file, such as security.sh, upload it to the Linux server, and run sh security.sh to use it!
The code is as follows:
    #!/bin/sh
    # desc: set up Linux system security

    # Account setup: lock system accounts that never need to log in
    for user in xfs news nscd signature vcsa games nobody avahi haldaemon \
                gopher ftp mailnull pcap mail shutdown halt uucp operator \
                sync adm lp
    do
        passwd -l "$user"
    done

    # Make the account databases immutable
    chattr +i /etc/passwd
    chattr +i /etc/shadow
    chattr +i /etc/group
    chattr +i /etc/gshadow

    # Lock an account for 5 minutes (300 s) after 3 consecutive failed logins.
    # The PAM module name is garbled in the source text; pam_tally.so is assumed
    # here from the onerr/deny/unlock_time options.
    sed -i 's#^auth[[:space:]]\{1,\}required[[:space:]]\{1,\}pam_env\.so.*#&\nauth        required      pam_tally.so onerr=fail deny=3 unlock_time=300\nauth        required      /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth

    # Log idle sessions out automatically after 5 minutes
    # (append with >> so the existing /etc/profile is not overwritten)
    echo "TMOUT=300" >> /etc/profile

    # Keep only the last 10 commands in the shell history
    sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile

    # Load the updated /etc/profile
    . /etc/profile

    # Enable SYN cookies in /etc/sysctl.conf
    echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf

    # Apply the settings in sysctl.conf
    sysctl -p

    # Tune sshd_config
    sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config
    sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config

    # Restrict important commands to root
    for cmd in /bin/ping /usr/bin/finger /usr/bin/who /usr/bin/w \
               /usr/bin/locate /usr/bin/whereis /sbin/ifconfig /usr/bin/pico \
               /bin/vi /usr/bin/which /usr/bin/gcc /usr/bin/make /bin/rpm
    do
        chmod 700 "$cmd"
    done

    # History security
    chattr +a /root/.bash_history
    chattr +i /root/.bash_history

    # Record the md5 checksums of important commands
    for i in /bin/ping /bin/finger /usr/bin/who /usr/bin/w /usr/bin/locate \
             /usr/bin/whereis /sbin/ifconfig /bin/pico /bin/vi /usr/bin/vim \
             /usr/bin/which /usr/bin/gcc /usr/bin/make /bin/rpm
    do
        if [ ! -x "$i" ]; then
            echo "$i not found, no md5sum!"
        else
            md5sum "$i" >> "/var/log/$(hostname).log"
        fi
    done
This shell script can make your Linux host more secure, and it is a good method for Linux server administrators.
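A script like this is run again on every install and upgrade, so each setting is best written idempotently: replace the existing line (active or a commented-out default) if there is one, and append otherwise. The following is an added example, not part of the original script; the helper name `ensure_setting` and the sample files are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of the original script.
# ensure_setting FILE KEY VALUE [SEP]   (hypothetical helper name)
#   SEP is "=" for /etc/profile and /etc/sysctl.conf, " " for sshd_config.
ensure_setting() {
    file=$1 key=$2 value=$3 sep=${4:-=}
    tmp=$(mktemp) || return 1
    # Rewrite the first line that sets KEY (active or a "#KEY ..." default),
    # drop later duplicates, and append the setting if KEY never appears.
    awk -v key="$key" -v line="$key$sep$value" '
        {
            probe = $0
            sub(/^[ \t]*#?/, "", probe)      # strip indent and a directly attached "#"
            if (index(probe, key) == 1 &&
                substr(probe, length(key) + 1, 1) ~ /^[ \t=]$/) {
                if (!seen) { print line; seen = 1 }
                next
            }
            print
        }
        END { if (!seen) print line }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner, mode and inode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on constructed sample files in a temp directory (not real host files).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#MaxAuthTries 6' 'UseDNS yes' '# UseDNS: prose comment' > "$d/sshd_config"
    printf '%s\n' 'HISTSIZE=1000' > "$d/profile"
    for run in 1 2; do                       # second run must change nothing
        ensure_setting "$d/sshd_config" MaxAuthTries 6 ' '
        ensure_setting "$d/sshd_config" UseDNS no ' '
        ensure_setting "$d/profile" HISTSIZE 10
        ensure_setting "$d/profile" TMOUT 300
    done
    cat "$d/sshd_config" "$d/profile"
    rm -rf "$d"
}
demo
```

The helper cannot modify files that were already made immutable with chattr +i; that flag has to be cleared first.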