注:执行后需要重启机器
#!/bin/sh
#****************************************************************#
# ScriptName: CentOS6_init.sh
# Author:823431818@qq.com
# Create Date: 2014-05-17
# Modify Author:
# Modify Date: 2016-09-18
# Function:
#***************************************************************#
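#######################################
# Raise the minimum password length in /etc/login.defs to 10.
# Globals:   none
# Arguments: none
# Outputs:   one progress line on stdout
# Returns:   0 on success, 1 if /etc/login.defs is missing or the
#            in-place rewrite fails
#######################################
change_password_len()
{
  echo "Change PASS_MIN_LEN to 10"
  if [ ! -f /etc/login.defs ]; then
    echo "/etc/login.defs not found; PASS_MIN_LEN unchanged" >&2
    return 1
  fi
  # The original rewrote through the fixed path /tmp/login.defs and then
  # mv'd it over /etc/login.defs.  A predictable name in a world-writable
  # directory can be pre-created or symlinked by any local user, so the
  # rewrite is done in place instead: sed -i creates its scratch file next
  # to the target, preserves the file's mode, and renames atomically.
  # Only an uncommented PASS_MIN_LEN line is touched, matching the awk
  # filter ($1 ~ /^PASS_MIN_LEN/) this replaces.
  sed -i -r 's/^(PASS_MIN_LEN[[:space:]]+)[^[:space:]]+/\110/' /etc/login.defs
}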
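#######################################
# Restrict boot-time services: keep only the allow-listed SysV services
# enabled at run levels 3, 4 and 5 and switch every other one off.
# NOTE(review): the allow-list is exhaustive -- anything not named here
# (including security-relevant services such as auditd or iptables, if
# they are installed) is disabled; confirm that is intended.
# Globals:   none (the original leaked STATUS and the loop variable)
# Arguments: none
# Outputs:   progress lines on stdout; per-service failures on stderr
# Returns:   0 normally, 1 if chkconfig is not available
#######################################
modify_chkconfig()
{
  echo "::Modify chkconfig for the system..."
  if [ ! -x /sbin/chkconfig ]; then
    echo "/sbin/chkconfig not found; skipping service changes" >&2
    return 1
  fi
  # 'chkconfig --list' prints one line per SysV service ("name 0:off 1:off ...").
  # Header lines and xinetd-managed entries carry no "0:" column and fall
  # out of the grep, as in the original pipeline.  Reading the names through
  # 'read -r' instead of an unquoted backtick loop avoids word-splitting and
  # glob expansion of the output.
  /sbin/chkconfig --list | grep -- '0:' | awk '{print $1}' \
  | while IFS= read -r svc; do
    case "$svc" in
      sshd|crond|network|rsyslog|irqbalance) status=on ;;
      *) status=off ;;
    esac
    /sbin/chkconfig --level 345 "$svc" "$status" \
      || echo "chkconfig --level 345 $svc $status failed" >&2
  done
  echo "::End modify chkconfig"
}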
#######################################
# Set SELINUX=disabled in /etc/selinux/config when that file exists.
# NOTE(review): this removes the mandatory-access-control layer entirely
# rather than switching to permissive mode; the author's choice is kept
# here unchanged.  A reboot is needed for the setting to take effect.
# Globals:   none
# Arguments: none
# Outputs:   two progress lines on stdout
# Returns:   0 (the trailing echo sets the status)
#######################################
disable_selinux()
{
  printf '%s\n' "::Disable selinux"
  if [ -e /etc/selinux/config ]; then
    # rewrite the whole SELINUX= line so any previous value is replaced
    sed -r -i '/^SELINUX=/s/.*/SELINUX=disabled/' /etc/selinux/config
  fi
  printf '%s\n' "::End disable selinux"
}
#######################################
# Make run level 3 (multi-user, no X) the default in /etc/inittab by
# replacing the line that starts with "id".
# Globals:   none
# Arguments: none
# Outputs:   two progress lines on stdout
# Returns:   0 (the trailing echo sets the status)
#######################################
change_inittab()
{
  printf '%s\n' "::Change inittab"
  # equivalent to the address form '/^id/s/.*/.../': the anchored
  # pattern only matches lines beginning with "id"
  sed -i 's/^id.*/id:3:initdefault:/' /etc/inittab
  printf '%s\n' "::End change inittab"
}
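#######################################
# Set the system timezone to Asia/Shanghai (local time, not UTC).
# Globals:   none
# Arguments: none
# Outputs:   nothing on stdout; an error on stderr if the zoneinfo
#            file is missing
# Returns:   0 on success, 1 if /usr/share/zoneinfo/Asia/Shanghai is absent
#######################################
modify_timezone()
{
  # Check the zoneinfo file before touching anything, so a missing tzdata
  # package does not leave /etc/sysconfig/clock pointing at a zone that
  # /etc/localtime does not actually carry.
  if [ ! -f /usr/share/zoneinfo/Asia/Shanghai ]; then
    echo "/usr/share/zoneinfo/Asia/Shanghai not found; timezone unchanged" >&2
    return 1
  fi
  # The here-document is written flush-left, so the original's follow-up
  # 'sed s/^[ \t]*//' pass over the file is no longer needed.  The
  # delimiter is quoted because nothing in the body is meant to expand.
  cat > /etc/sysconfig/clock <<'EOF'
ZONE="Asia/Shanghai"
UTC=false
ARC=false
EOF
  cp -f /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
}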
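#######################################
# Write a US pc keyboard layout to /etc/sysconfig/keyboard.
# The 'function' keyword used by the original is a bashism and the file
# declares #!/bin/sh, so the POSIX definition form is used here.
# Globals:   none
# Arguments: none
# Outputs:   nothing
# Returns:   status of the cat redirection
#######################################
set_keyboard()
{
  # Flush-left body, so the original's trailing "strip leading whitespace"
  # sed pass is unnecessary; quoted delimiter because nothing should expand.
  cat > /etc/sysconfig/keyboard <<'EOF'
KEYBOARDTYPE="pc"
KEYTABLE="us"
EOF
}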
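#######################################
# Raise the open-file limit: load pam_limits for the login service and add
# a "* - nofile 65536" entry to /etc/security/limits.conf.
# Globals:   none
# Arguments: none
# Outputs:   progress lines on stdout
# Returns:   0 (the trailing printf sets the status)
#######################################
set_nofile_limits()
{
  echo "::Change nofile limits"
  # The original pattern required exactly one space between the three
  # fields of the pam_loginuid line, so it would not match a column-aligned
  # file; match any run of blanks instead, and insert pam_limits only once.
  if [ -f /etc/pam.d/login ] && ! grep -q 'pam_limits\.so' /etc/pam.d/login; then
    sed -i '/^session[[:space:]]\+required[[:space:]]\+pam_loginuid\.so/a session required pam_limits.so' /etc/pam.d/login
  fi
  # Append the limit only if no "* - nofile" entry exists yet; the original
  # appended on every run and stacked duplicate lines.
  if ! grep -q '^\*[[:space:]]\+-[[:space:]]\+nofile' /etc/security/limits.conf; then
    echo '* - nofile 65536' >> /etc/security/limits.conf
  fi
  # The original 'echo "...\n"' printed a literal backslash-n under bash's
  # builtin echo; printf gives the intended trailing blank line.
  printf '%s\n\n' "::End change nofile"
}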
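#######################################
# Remove OS/kernel identification from the login banners and add an
# "authorized users only" notice to /etc/issue and /etc/motd.
# Globals:   none
# Arguments: none
# Outputs:   progress lines on stdout
# Returns:   0 (the trailing echo sets the status)
#######################################
change_banner()
{
  echo "::Change Banner"
  # Drop lines mentioning red hat / kernel / fedora.  The filter reads and
  # writes the same path, so it goes through a scratch copy placed beside
  # the target (not in /tmp).  A missing banner file ends up empty, which
  # is what the original's failed cp followed by '> file' produced.
  for file in /etc/issue /etc/motd /etc/issue.net; do
    if [ -f "$file" ]; then
      cp -f -- "$file" "$file.tmp"
      # grep -v exits 1 when it emits no lines; that is not a failure here
      grep -Eiv 'red hat|kernel|fedora' -- "$file.tmp" > "$file" || true
      rm -f -- "$file.tmp"
    else
      : > "$file"
    fi
  done
  # Add the notice once; 'grep -qi' replaces the "[ `grep` == "" ]" test,
  # whose '==' is not POSIX test syntax under #!/bin/sh.
  for file in /etc/issue /etc/motd; do
    if ! grep -qi authorized -- "$file"; then
      echo "Authorized users only. All activity may be monitored and reported." >> "$file"
    fi
  done
  chown root:root /etc/motd /etc/issue /etc/issue.net
  chmod 644 /etc/motd /etc/issue /etc/issue.net
  echo "::End change banner"
}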
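#######################################
# Append a default umask and an idle-shell timeout to /etc/profile.
# NOTE(review): TMOUT is exported but not made readonly, so an interactive
# user can unset it; the author's setting is kept as-is here.
# Globals:   none
# Arguments: none
# Outputs:   progress lines on stdout
# Returns:   0 (the trailing echo sets the status)
#######################################
change_profile()
{
  echo "::Change the /etc/profile file"
  # Each line is appended only if an equivalent setting is not already
  # present; the original appended unconditionally, so every run added
  # another copy of all three lines.
  grep -q '^umask 022' /etc/profile || echo "umask 022" >> /etc/profile
  grep -q '^TMOUT=' /etc/profile || echo "TMOUT=6000" >> /etc/profile
  grep -q '^export TMOUT' /etc/profile || echo "export TMOUT" >> /etc/profile
  echo "::End change profile"
}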
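#######################################
# Cap SSH authentication attempts at 5 and disable reverse-DNS lookups.
# Globals:   none
# Arguments: none
# Outputs:   progress lines on stdout; a warning on stderr if the edited
#            file fails sshd's syntax check
# Returns:   0 (the trailing echo sets the status)
#######################################
change_sshd_config()
{
  echo "::Change sshd_config"
  # Match the directive whether it is still the commented-out default or
  # has already been set: the original substitutions only matched the
  # literal "#MaxAuthTries 6" / "#UseDNS yes" lines, so on a file that had
  # been edited before they silently did nothing.  Anchoring at column 0
  # keeps indented lines inside a "Match" block untouched.
  sed -i -r 's/^#?MaxAuthTries[[:space:]].*/MaxAuthTries 5/' /etc/ssh/sshd_config
  sed -i -r 's/^#?UseDNS[[:space:]].*/UseDNS no/' /etc/ssh/sshd_config
  # If neither form of the directive was present, add it.
  grep -q '^MaxAuthTries' /etc/ssh/sshd_config || echo "MaxAuthTries 5" >> /etc/ssh/sshd_config
  grep -q '^UseDNS' /etc/ssh/sshd_config || echo "UseDNS no" >> /etc/ssh/sshd_config
  # Validate the result now rather than discovering a broken config at the
  # next sshd restart (the page's note says a reboot follows this script).
  if [ -x /usr/sbin/sshd ]; then
    /usr/sbin/sshd -t || echo "sshd_config failed validation; review /etc/ssh/sshd_config before rebooting" >&2
  fi
  echo "::End change sshd_config"
}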
#######################################
# Force the system locale to en_US.UTF-8 in /etc/sysconfig/i18n.
# Globals:   none
# Arguments: none
# Outputs:   two progress lines on stdout
# Returns:   0 (the trailing printf sets the status)
#######################################
change_lang()
{
  printf '%s\n' "::Change i18n config"
  # anchored substitution on the whole line; same effect as the original
  # '/^LANG=/s/.*/.../' address form
  sed -i 's/^LANG=.*/LANG="en_US.UTF-8"/' /etc/sysconfig/i18n
  printf '%s\n' "::End change i18n config"
}
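#######################################
# Synchronise the clock with ntpdate at boot (rc.local) and nightly at 02:00
# (/etc/crontab).
# NOTE(review): the three time servers are the author's 2014 choices --
# TODO confirm they still answer before relying on this.
# Globals:   none
# Arguments: none
# Outputs:   nothing
# Returns:   status of the last append/grep
#######################################
change_ntp()
{
  # Append once; the original added a new copy of both lines on every run.
  grep -qF -- 'ntpdate -u clepsydra.dec.com' /etc/rc.local \
    || echo "/usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov" >> /etc/rc.local
  # /etc/crontab (unlike a per-user crontab) takes a user field between the
  # schedule and the command.  The original line omitted it, so cron would
  # have read "/usr/sbin/ntpdate" as the user name and never run the job.
  grep -qF -- 'ntpdate -u clepsydra.dec.com' /etc/crontab \
    || echo "0 2 * * * root /usr/sbin/ntpdate -u clepsydra.dec.com tick.ucla.edu ntp.nasa.gov >/dev/null" >> /etc/crontab
}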
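#######################################
# Replace /etc/sysctl.conf with the script's kernel/network tuning and load it.
# NOTE(review): net.ipv4.tcp_tw_recycle = 1 is widely documented to drop
# connections from clients behind NAT; the author's value is kept, confirm
# it before deploying where such clients exist.
# Globals:   none
# Arguments: none
# Outputs:   sysctl -p's listing on stdout
# Returns:   status of sysctl -p (non-zero if any key is unknown to the kernel)
#######################################
change_sysctl ()
{
  # The file is overwritten wholesale, so keep a timestamped copy of what
  # was there to allow restoring the distribution defaults.
  if [ -f /etc/sysctl.conf ]; then
    cp -p /etc/sysctl.conf "/etc/sysctl.conf.bak.$(date +%Y%m%d%H%M%S)"
  fi
  # Quoted delimiter: nothing in the body should expand.  The original
  # listed net.ipv4.tcp_syncookies = 1 twice; it appears once here.
  cat > /etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
fs.file-max = 655350
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_fin_timeout = 5
net.ipv4.tcp_max_syn_backlog = 20000
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65535
EOF
  sysctl -p
}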
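#######################################
# Entry point: run every hardening step in order.  Every step writes under
# /etc, so refuse to start unless running as root instead of failing
# part-way through with a half-applied configuration.
# The 'function' keyword of the original is a bashism under #!/bin/sh.
# Globals:   LANG (exported, set to en_US for the duration of the run)
# Arguments: none
# Outputs:   progress lines from each step; "All done!!" at the end
# Returns:   0 on completion, 1 if not run as root
#######################################
linux_secure()
{
  if [ "$(id -u)" -ne 0 ]; then
    echo "linux_secure must be run as root" >&2
    return 1
  fi
  export LANG="en_US"
  change_password_len
  modify_chkconfig
  disable_selinux
  modify_timezone
  set_keyboard
  change_banner
  change_profile
  change_inittab
  set_nofile_limits
  change_sshd_config
  change_lang
  change_ntp
  change_sysctl
  echo "All done!!"
}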
# Top-level call: apply all steps.  Per the page's note, reboot afterwards.
linux_secure
本文转自 wpf926 51CTO博客,原文链接:http://blog.51cto.com/wupengfei/1955545,如需转载请自行联系原作者