一个Chris提供的安全加固脚本
#/bin/bash
#yum -y update
#change root password
#rootPasswd="Nor!@#2018"
#echo ${rootPasswd} | passwd --stdin root
#public key登陆 推荐
cd /home/prod_user_888
mkdir .ssh
chmod 700 .ssh
chown -R prod_user_888 .ssh ##如果在非正式环境需要修改
chgrp -R prod_user_888 .ssh
cd .ssh
cat >> authorized_keys << EOF
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZUVULcuoSQVx1MUi7TAKuDqPihLkfSqHoY61P5vNbTDZz+pX/3PeG1ObIqyT9e2h1Zq7mBs0n0RJ+LxgP7Cn6uUz6Cd8ivd5gxDsSFh8HRehczOF6LkiGNIF7HJrQz78WOi0idmWf+wHcqMsX+hTWpc0qVw7MX02nOj5+e/MasS1b4Ma+Hli5FC3XcPNXOWahIpuu3b8um753dPDBWkzqL5HJuOGQUQwhiDJGh3EQwWT5MBBJrlMb6O/Re9OPOANMjnsp1LwGvGWLJ358piEaqTXGGLXadqVn9uveF2bj1xooRO4Dmw3yW359dXfjqJ8DRwpX94gAAxyLy1Y5aUyV prod_user_888@host-172-19-150-169 ##非正式环境修改
EOF
chmod 600 authorized_keys
chown prod_user_888 authorized_keys
chgrp prod_user_888 authorized_keys
#ssh config
sed -ri 's/^PasswordAuthen.*/PasswordAuthentication no/g' /etc/ssh/sshd_config
sed -ri 's/^#PermitRootL.*/PermitRootLogin no/g' /etc/ssh/sshd_config
service sshd restart
#update ulimit configure 推荐
test -f /etc/security/limits.d/20-nproc.conf && rm -rf /etc/security/limits.d/20-nproc.conf && touch /etc/security/limits.d/20-nproc.conf
> /etc/security/limits.conf
cat >> /etc/security/limits.conf <<EOF
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
EOF
#关闭蓝牙和打印机等服务
chkconfig --level 345 bluetooth off
chkconfig --level 345 lpd off
chkconfig --level 345 hidd off
#crontab sec 推荐
chmod og-rwx /etc/crontab
chmod og-rwx /etc/cron.hourly/
chmod og-rwx /etc/cron.daily/
chmod og-rwx /etc/cron.weekly
chmod og-rwx /etc/cron.monthly/
chmod og-rwx /etc/cron.d/
#banner warning 推荐
> /etc/redhat-release
echo 'Warning! Unauthorized access is prohibited!' > /etc/motd
echo 'Authorized uses only. All activity may be monitored and reported.' > /etc/issue.net
##lock users 推荐
passwd -l adm
passwd -l lp
passwd -l sync
passwd -l shutdown
passwd -l halt
passwd -l operator
passwd -l games
#update /etc/sysctl.conf 推荐
cat >> /etc/sysctl.conf << EOF
net.ipv4.tcp_syncookies = 1
EOF
sysctl -p
#update record command 推荐
#echo export HISTTIMEFORMAT="%Y-%m-%d:%H-%M-%S:`whoami`: " >> /etc/profile
sed -i 's/HISTSIZE=.*$/HISTSIZE=100000/g' /etc/profile
cat >> /etc/profile << EOF
umask 027
history
USER=`whoami`
USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]; then
USER_IP=`hostname`
fi
if [ ! -d /var/log/history ]; then
mkdir /var/log/history
chmod 777 /var/log/history
fi
if [ ! -d /var/log/history/${LOGNAME} ]; then
mkdir /var/log/history/${LOGNAME}
chmod 300 /var/log/history/${LOGNAME}
fi
export HISTSIZE=4096
DT=`date +"%Y%m%d_%H:%M:%S"`
export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"
chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null
EOF
source /etc/profile
##centos/redhat7 /tmp
#systemctl unmask tmp.mount
#systemctl enable tmp.mount
#sed -ri 's/^Opt.*/Options=mode=1777,strictatime,noexec,nodev,nosuid/g' /etc/systemd/system/local-fs.target.wants/tmp.mount
#mount -a
##centos/redhat7 /boot
# chown root:root /boot/grub2/grub.cfg
# chmod og-rwx /boot/grub2/grub.cfg
##tcp wrapper #暂时不用
#yum -y install tcp_wrappers
#echo "sshd:ALL" >> /etc/hosts.deny
#echo "sshd:222.80.22.4 81.222.111.2 " >> /etc/hosts.allow
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/hosts
chattr +i /etc/fstab
chattr +i /etc/sudoers
chattr +i /etc/resolv.conf
chattr +a /var/log/messages
chattr +a /var/log/wtmp
chattr +a /var/log/history
vi /etc/hosts
Rsa passwd
end
