Sharing a Linux system security settings shell script (for CentOS)
We have packaged the commonly used system security settings into a single shell script; running this script on the server completes the security setup.
This is the second update of the Linux system security settings shell script. It has already been deployed widely across the systems of a large media website, and this version adds several security settings we had not thought of before. To use it, copy the script below and save it as a shell file such as security.sh, upload it to the Linux server, and run sh security.sh.
#!/bin/sh
# desc: set up Linux system security (CentOS)

# account setup: lock the login of system and service accounts
passwd -l xfs
passwd -l news
passwd -l nscd
passwd -l dbus
passwd -l vcsa
passwd -l games
passwd -l nobody
passwd -l avahi
passwd -l haldaemon
passwd -l gopher
passwd -l ftp
passwd -l mailnull
passwd -l pcap
passwd -l mail
passwd -l shutdown
passwd -l halt
passwd -l uucp
passwd -l operator
passwd -l sync
passwd -l adm
passwd -l lp

# chattr /etc/passwd /etc/shadow: make the account databases immutable
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

# lock an account after 3 consecutive failed logins, unlock after 5 minutes (300 s)
# (the pam_env.so line in system-auth is column-aligned, so match any run of whitespace)
sed -i 's#^\(auth[[:space:]]\+required[[:space:]]\+pam_env\.so\)#\1\nauth required pam_tally.so onerr=fail deny=3 unlock_time=300\nauth required /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth

# idle shell sessions time out and log out after 5 minutes (300 s)
echo "TMOUT=300" >> /etc/profile

# keep only the last 10 commands in the shell history
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile

# apply /etc/profile to the current shell
. /etc/profile

# enable SYN cookies in /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
sysctl -p   # reload sysctl.conf so the setting takes effect

# tighten sshd_config
sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config
sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config

# restrict important commands to root
chmod 700 /bin/ping
chmod 700 /usr/bin/finger
chmod 700 /usr/bin/who
chmod 700 /usr/bin/w
chmod 700 /usr/bin/locate
chmod 700 /usr/bin/whereis
chmod 700 /sbin/ifconfig
chmod 700 /usr/bin/pico
chmod 700 /bin/vi
chmod 700 /usr/bin/which
chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/make
chmod 700 /bin/rpm

# history security: +a makes the file append-only; +i then makes it fully immutable as well
chattr +a /root/.bash_history
chattr +i /root/.bash_history

# record the md5 of important commands as a baseline in /var/log/<hostname>.log
cat > list << "EOF"
/bin/ping
/bin/finger
/usr/bin/who
/usr/bin/w
/usr/bin/locate
/usr/bin/whereis
/sbin/ifconfig
/bin/pico
/bin/vi
/usr/bin/vim
/usr/bin/which
/usr/bin/gcc
/usr/bin/make
/bin/rpm
EOF
while read -r i; do
    if [ ! -x "$i" ]; then
        echo "$i not found, no md5sum!"
    else
        md5sum "$i" >> /var/log/$(hostname).log
    fi
done < list
rm -f list
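The script only records the md5 baseline; it never reads it back. The following function is an added example, not part of the original script, that verifies the current binaries against that baseline and reports any file whose checksum changed or that has gone missing. It assumes the baseline is in md5sum's own "hash  path" format as written above and that the paths contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the original script): check binaries against the
# md5 baseline that the hardening script writes to /var/log/<hostname>.log.
# Prints one line per CHANGED or MISSING file.
# Returns 0 when every entry matches, 1 when a difference was found,
# 2 when the baseline file itself cannot be read.
verify_baseline() {
    baseline="$1"
    status=0
    [ -r "$baseline" ] || { echo "baseline $baseline not readable" >&2; return 2; }
    # md5sum lines look like: <hash>  <path>; read splits them on whitespace
    while read -r expected path; do
        [ -n "$path" ] || continue          # skip blank lines
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED  $path (baseline $expected, now $actual)"
            status=1
        fi
    done < "$baseline"
    return $status
}

# Stand-alone use: verify_baseline.sh /var/log/$(hostname).log
if [ $# -gt 0 ]; then
    verify_baseline "$1"
fi
```

Run it from cron and alert on a non-zero exit; because the baseline log is appended on every run of the hardening script, older entries for a legitimately updated binary will also be reported as CHANGED until the baseline is regenerated.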