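#!/usr/bin/env bash
##########################################################
## ##
## Script Name : security for Redhat7.0~7.6 ##
## By:Eren 2019-08-02 ##
## ##
##########################################################
# Baseline hardening for RHEL/CentOS 7.0-7.6. Must run as root.
#
# Environment:
#   CHROOT_PASSWORD  (required) initial password for the operations user; it is
#                    read from the environment so it is neither stored in this
#                    file nor visible as a command-line argument.
#   NTP_SERVER       (optional) chrony server, default 10.182.200.100.
#
# Every config file that is changed is first copied to <file>.bak; the copy is
# never overwritten, so .bak keeps the pristine original across re-runs.
# Appends are guarded, so the script can be re-run without duplicating lines.
set -euo pipefail

readonly user=chroot
readonly ntp_server=${NTP_SERVER:-10.182.200.100}

die()  { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warn: %s\n' "$*" >&2; }

#######################################
# One-time backup of a config file (FILE -> FILE.bak, never overwritten).
# Arguments: $1 - file to back up; a missing file is only warned about
#######################################
backup() {
  local f=$1
  if [[ ! -f $f ]]; then
    warn "$f not found, no backup taken"
    return 0
  fi
  cp -pn -- "$f" "$f.bak"
}

#######################################
# Append a line to a file unless that exact line is already present.
# Arguments: $1 - line, $2 - file
#######################################
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

#######################################
# Set KEY to VALUE in /etc/login.defs: rewrite an active entry if one exists,
# otherwise append one.
# Arguments: $1 - key (letters/underscores only), $2 - value
#######################################
set_login_def() {
  local key=$1 value=$2
  if grep -q "^${key}[[:space:]]" /etc/login.defs; then
    sed -i "s/^${key}[[:space:]].*/${key}\t${value}/" /etc/login.defs
  else
    printf '%s\t%s\n' "$key" "$value" >> /etc/login.defs
  fi
}

(( EUID == 0 )) || die "this script must be run as root"
: "${CHROOT_PASSWORD:?set CHROOT_PASSWORD to the initial password for user ${user}}"

# --- operations user -----------------------------------------------------------
if ! id -u "$user" >/dev/null 2>&1; then
  groupadd -g 700 "$user"
  useradd -u 700 -g "$user" -m "$user"
  # chpasswd takes "user:password" on stdin, so the secret is not passed in argv
  printf '%s:%s\n' "$user" "$CHROOT_PASSWORD" | chpasswd
  echo "user $user is created"
fi

# --- minimal set of boot-time units --------------------------------------------
# NOTE(review): firewalld is stopped here and is not in the allow-list below, so
# it stays disabled; the host then depends on network-level filtering.
systemctl stop firewalld.service || warn "could not stop firewalld"
# Disable every currently enabled unit, then re-enable only the allow-list.
mapfile -t enabled_units < <(
  systemctl list-unit-files --no-legend | awk '$2 == "enabled" { print $1 }'
)
if (( ${#enabled_units[@]} > 0 )); then
  for unit in "${enabled_units[@]}"; do
    systemctl disable "$unit" || warn "could not disable $unit"
  done
fi
wanted_units=(
  autovt@.service crond.service getty@.service irqbalance.service kdump.service
  auditd.service microcode.service rsyslog.service sshd.service sysstat.service
  systemd-readahead-collect.service systemd-readahead-drop.service
  systemd-readahead-replay.service NetworkManager.service tuned.service
  lvm2-lvmetad.socket lvm2-lvmpolld.socket default.target multi-user.target
  runlevel2.target runlevel3.target runlevel4.target
)
for unit in "${wanted_units[@]}"; do
  systemctl enable "$unit" || warn "could not enable $unit"
done
# Boot to the text console (multi-user) target.
systemctl set-default multi-user.target
# Masking survives systemd package updates, unlike deleting the unit file.
systemctl mask ctrl-alt-del.target

# --- NTP (chrony) --------------------------------------------------------------
if [[ -f /etc/chrony.conf ]]; then
  backup /etc/chrony.conf
  # Comment out every "server" line except the site server, make sure the site
  # server is configured, and slew leap seconds instead of stepping the clock.
  sed -i "/${ntp_server//./\\.}/!s/^server/#server/" /etc/chrony.conf
  append_once "server ${ntp_server}" /etc/chrony.conf
  append_once "leapsecmode slew" /etc/chrony.conf
  systemctl restart chronyd || warn "chronyd restart failed"
  systemctl enable chronyd || warn "could not enable chronyd"
else
  warn "/etc/chrony.conf not found, NTP not configured"
fi

# --- open file / process limits ------------------------------------------------
backup /etc/security/limits.conf
if ! grep -q '^# hardening baseline' /etc/security/limits.conf; then
  cat >> /etc/security/limits.conf <<'EOF'
# hardening baseline
* soft nproc 20480
* hard nproc 20480
* hard nofile 20480
* soft nofile 20480
EOF
fi
# limits.d/*.conf is read after limits.conf and would override nproc for
# non-root users; the stock line is aligned with runs of blanks, so match those.
if [[ -f /etc/security/limits.d/20-nproc.conf ]]; then
  sed -i 's/^\*[[:space:]]\+soft[[:space:]]\+nproc[[:space:]]\+4096/#&/' \
    /etc/security/limits.d/20-nproc.conf
fi

# --- permissions on sensitive files --------------------------------------------
# "mode path" pairs; a missing path is reported instead of aborting the run.
# (/boot/grub/grub.conf is the RHEL 6 path and is not touched here.)
while read -r mode path; do
  [[ -n $path ]] || continue
  if [[ -e $path ]]; then
    chmod "$mode" "$path"
  else
    warn "$path not found, permissions not changed"
  fi
done <<'EOF'
400 /etc/crontab
400 /etc/securetty
644 /etc/hosts.allow
644 /etc/hosts.deny
600 /etc/inittab
644 /etc/login.defs
644 /etc/profile
644 /etc/bashrc
744 /usr/bin/consolehelper
EOF

# --- password quality ----------------------------------------------------------
# system-auth-ac and password-auth-ac are regenerated by authconfig, so the
# requirements are set through authconfig rather than by editing them with sed.
# The direct-edit form, for reference:
#   sed -i '/password requisite pam_pwquality.so.*$/s//& minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1/' /etc/pam.d/system-auth-ac
#   sed -i '/password sufficient pam_unix.so.*$/s//& remember=3/' /etc/pam.d/system-auth-ac
#   (same two commands for /etc/pam.d/password-auth-ac)
/sbin/authconfig --passminlen=8 --enablereqdigit --enablereqlower \
  --enablerequpper --enablereqother --update

# --- password ageing and login logging -----------------------------------------
backup /etc/login.defs
# Only the stock values are rewritten (\( \) keeps the original spacing), so a
# site value that is already stricter is left alone.  Note that "sed -ie" is
# "-i" with backup suffix "e" and would create /etc/login.defse.
sed -i -e 's/^\(PASS_MAX_DAYS[[:space:]]\+\)99999[[:space:]]*$/\190/' \
  -e 's/^\(PASS_MIN_LEN[[:space:]]\+\)5[[:space:]]*$/\18/' /etc/login.defs
# Do not record unknown user names on failed logins: a password typed into the
# login prompt would otherwise end up in the log. (The original set this to
# "yes", which enables that logging and contradicts its own comment.)
set_login_def LOG_UNKFAIL_ENAB no
# Six wrong passwords end the login session.
set_login_def LOGIN_RETRIES 6
# Show the previous login time at login.
set_login_def LASTLOG_ENAB yes

# --- lockout after repeated failures (console and ssh) ---------------------------
# pam_tally2: six failures lock the account for 300 s. The "account" line resets
# the counter after a successful login; without it the tally only ever grows.
for svc in login sshd; do
  pamfile=/etc/pam.d/$svc
  backup "$pamfile"
  if grep -q 'pam_tally2\.so' "$pamfile"; then
    continue
  fi
  sed -i -e '/^#%PAM/a\auth required pam_tally2.so deny=6 unlock_time=300' \
    -e '/^#%PAM/a\account required pam_tally2.so' "$pamfile"
done

# --- sshd ------------------------------------------------------------------------
sshd_cfg=/etc/ssh/sshd_config
backup "$sshd_cfg"
# "#\?" also rewrites an explicit "PermitRootLogin yes", which a match on the
# commented line alone would miss.
sed -i -e 's/^#\?PermitRootLogin .*/PermitRootLogin no/' \
  -e 's|^#\?Banner .*|Banner /etc/issue.net|' \
  -e 's/^#\?UseDNS .*/UseDNS no/' \
  -e 's/^#Port 22$/Port 22/' "$sshd_cfg"
printf '%s\n' 'Authorized users only! All activity may be monitored and reported!' > /etc/motd
stamp=$(date +%Y%m%d)
# Dated copies of the previous banners (the old `date +\%Y\%m\%d` form passed
# the backslashes through into the file name).
cp -p /etc/issue "/etc/issue_${stamp}"
cp -p /etc/issue.net "/etc/issue.net_${stamp}"
printf '%s\n' 'Be sure you are authorized to access this system!' > /etc/issue
printf '%s\n' 'Be sure you are authorized to access this system!' > /etc/issue.net

# --- shell session defaults ------------------------------------------------------
backup /etc/profile
append_once 'export TMOUT=600' /etc/profile
append_once 'export HISTTIMEFORMAT="%F %T `whoami` " ' /etc/profile
# The stock /etc/profile on 7 may not export HISTFILESIZE, in which case this
# is a no-op; kept for profiles that do.
sed -i 's/export HISTFILESIZE=.*/export HISTFILESIZE=10000/g' /etc/profile

# --- SELinux -------------------------------------------------------------------
# /etc/sysconfig/selinux is a symlink to /etc/selinux/config, so the real file
# is backed up and edited. NOTE(review): SELINUX=disabled removes the
# mandatory-access-control layer (effective after reboot); "permissive" would
# keep the AVC audit trail while not enforcing.
backup /etc/selinux/config
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

# --- kernel network parameters ---------------------------------------------------
backup /etc/sysctl.conf
# icmp_echo_ignore_broadcasts key name fixed: the original "Net.ipv4..." is
# rejected by sysctl and the error was hidden by &>/dev/null.
if ! grep -q '^# hardening baseline' /etc/sysctl.conf; then
  cat >> /etc/sysctl.conf <<'EOF'
# hardening baseline
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.all.promote_secondaries = 0
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 60
net.ipv4.ip_forward = 0
net.ipv4.tcp_keepalive_time = 150
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 6
EOF
fi
# Only stdout is silenced, so a rejected key is reported on stderr.
sysctl -p >/dev/null || warn "sysctl -p rejected one or more settings"

# --- rsyslog -------------------------------------------------------------------
backup /etc/rsyslog.conf
mkdir -p /var/adm
append_once '*.err;auth.info /var/adm/messages' /etc/rsyslog.conf
# Restart so the new rule takes effect (the original never reloaded rsyslog).
systemctl restart rsyslog.service || warn "rsyslog restart failed"
# Never restart sshd into a config it would refuse to start with.
if /usr/sbin/sshd -t; then
  systemctl restart sshd.service
else
  warn "sshd_config failed validation; sshd not restarted (original in ${sshd_cfg}.bak)"
fi
echo "------ Modify is OK ------"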
密码策略查看
[root@db ~]# ll /etc/pam.d/password-auth-ac
-rw-r--r--. 1 root root 1033 5月 19 17:38 /etc/pam.d/password-auth-ac
[root@db ~]# ll /etc/pam.d/system-auth-ac
-rw-r--r--. 1 root root 1072 5月 19 17:38 /etc/pam.d/system-auth-ac
[root@db ~]# cat /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[root@db ~]# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[root@db ~]#
修改示例:
#
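# Example: set password quality directly in the two PAM stacks. Both files are
# regenerated by authconfig ("This file is auto-generated"), so these edits are
# lost the next time authconfig runs; prefer the authconfig form further down.
# [[:space:]]\+ matches the real files, whose fields are aligned with runs of
# blanks rather than a single space. The pam_unix option is "remember=3"
# ("remeber" is silently ignored). Each edit is skipped if already applied.
for f in /etc/pam.d/system-auth-ac /etc/pam.d/password-auth-ac; do
  cp -pn -- "$f" "$f.bak"
  grep -q 'pam_pwquality\.so.*minlen=' "$f" ||
    sed -i '/^password[[:space:]]\+requisite[[:space:]]\+pam_pwquality\.so/s/$/ minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1/' "$f"
  grep -q 'pam_unix\.so.*remember=' "$f" ||
    sed -i '/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/s/$/ remember=3/' "$f"
done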
或
#
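# Or let authconfig rewrite the files (the supported way on RHEL 7). The options
# take two ASCII hyphens ("--"), not the em-dashes shown above; all of them can
# be combined into a single invocation followed by one --update.
/sbin/authconfig --passminlen=8 --enablereqdigit --enablereqlower \
  --enablerequpper --enablereqother --update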