Linux加固是一個基礎性工作,非常的必要,針對Linux的加固一般都比較謹慎,因為加固不慎可能會影響業務正常運行,因此Linux加固分為了兩個部分;
第一個部分:針對剛剛做完系統,需要針對性的把基礎安全統一加固一下,往往結合無人值守安裝+一鍵加固腳本來執行,這部分需要運維安全對腳本加固內容進行評估,結合業務來制定。非常節省人力。
第二個部分:是針對已經運行上線的Linux服務器,這部分一般都是安全檢查,然後評估是否修復,進行人工或者半自動的方式修復。
今天給大家放送的是一鍵加固的Linux shell 腳本。大家結合自己的業務進行調整即可。具體代碼如下:
main:一鍵加固腳本
#!/bin/bash
#此腳本用於XX現網linux基線修復,涉及18條檢查項,檢查項列表如下:
#檢查是否設置口令更改最小間隔天數
#檢查是否設置口令過期前警告天數
#檢查系統core dump設置
##檢查歷史命令設置
#檢查密碼重複使用次數限制
#檢查是否設置口令生存週期
#檢查口令最小長度
#檢查是否設置命令行界面超時退出
#檢查系統是否禁用ctrl+alt+del組合鍵
#檢查設備密碼複雜度策略
#檢查是否配置用戶所需最小權限
#檢查是否設置ssh成功登錄後Banner
#檢查用戶umask設置
#檢查重要目錄或文件權限設置
#檢查是否設置ssh登錄前警告Banner
##檢查是否禁止root用戶遠程登錄
#檢查系統openssh安全配置
#檢查是否已修改系統banner信息
#腳本開發者:嚴偉
#版本:第2版
##############################################################################
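#Back up every file the script touches before changing anything (18 paths plus
#hosts.allow/hosts.deny, which the script appends to but never backed up).
#The original copied unconditionally, which (a) overwrote the pristine .bak with
#an already-modified file on a second run, so the restore point was lost,
#(b) failed on /etc/security, which is a directory, and (c) printed errors for
#files that do not exist on this host (grub.conf, lilo.conf, ssh_banner).
#Each path now gets a .bak only once; an existing .bak is kept as the restore
#copy. cp -a preserves mode and owner so a restore does not leave e.g.
#/etc/shadow readable by everyone.
BACKUP_FILES=(
  /etc/login.defs
  /etc/security/limits.conf
  /etc/profile
  /etc/pam.d/system-auth
  /etc/inittab
  /etc/motd
  /etc/xinetd.conf
  /etc/group
  /etc/shadow
  /etc/services
  /etc/security
  /etc/passwd
  /etc/grub.conf
  /boot/grub/grub.conf
  /etc/lilo.conf
  /etc/ssh_banner
  /etc/ssh/sshd_config
  /etc/aliases
  /etc/hosts.allow
  /etc/hosts.deny
)
for BACKUP_SRC in "${BACKUP_FILES[@]}"; do
  if [ ! -e "$BACKUP_SRC" ]; then
    continue
  fi
  if [ -e "${BACKUP_SRC}.bak" ]; then
    echo "backup ${BACKUP_SRC}.bak already exists, keeping it" >&2
    continue
  fi
  cp -a -- "$BACKUP_SRC" "${BACKUP_SRC}.bak" || echo "warning: could not back up $BACKUP_SRC" >&2
done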
#############################################################################
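#Fix: minimum days between password changes (PASS_MIN_DAYS 1).
#Replace the active setting in place; append it when /etc/login.defs has none.
#The original looked the line number up with cat -n | grep | awk and passed it
#as a sed address: when the key was missing or only present in a comment the
#address was empty and the substitution ran on every line that mentioned the
#key (comments included); with two matching lines the sed expression was invalid.
if grep -q '^[[:space:]]*PASS_MIN_DAYS[[:space:]]' /etc/login.defs; then
  sed -i 's/^[[:space:]]*PASS_MIN_DAYS[[:space:]].*/PASS_MIN_DAYS 1/' /etc/login.defs
else
  echo "PASS_MIN_DAYS 1" >>/etc/login.defs
fi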
#############################################################################
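#Fix: warning period before password expiry (PASS_WARN_AGE 7).
#Replace the active setting in place; append it when /etc/login.defs has none.
#The original's line-number lookup yielded an empty sed address when the key was
#absent or commented out, so every line mentioning the key was rewritten, and
#multiple matches produced an invalid sed expression.
if grep -q '^[[:space:]]*PASS_WARN_AGE[[:space:]]' /etc/login.defs; then
  sed -i 's/^[[:space:]]*PASS_WARN_AGE[[:space:]].*/PASS_WARN_AGE 7/' /etc/login.defs
else
  echo "PASS_WARN_AGE 7" >>/etc/login.defs
fi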
#############################################################################
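#Fix: disable core dumps via /etc/security/limits.conf (hard and soft core 0).
#An existing *active* core limit is rewritten in place, otherwise the line is
#appended. The original grepped the whole file, so a commented-out
#"hard core"/"soft core" line counted as present and was turned into an active
#entry by the substitution; it also piped cat into grep needlessly.
for CORE_LIMIT_TYPE in hard soft; do
  if grep -q "^[^#]*${CORE_LIMIT_TYPE}[[:space:]]\+core" /etc/security/limits.conf; then
    sed -i "s/^[^#]*${CORE_LIMIT_TYPE}[[:space:]]\+core.*/* ${CORE_LIMIT_TYPE} core 0/" /etc/security/limits.conf
  else
    echo "* ${CORE_LIMIT_TYPE} core 0" >>/etc/security/limits.conf
  fi
done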
##############################################################################
##修復歷史命令設置
#sed -i 's/.*HISTSIZE=.*/HISTSIZE=5'/g /etc/profile
###############################################################################
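#Fix: password history (remember=5) on the pam_unix "password sufficient" line.
#The original grepped for the three words separated by single spaces; in a
#system-auth laid out with column alignment that never matches, REMEMBER stays
#empty, and "sed -i 's/$/ &remember=5/'" without an address then appends
#" remember=5" to EVERY line of /etc/pam.d/system-auth -- which corrupts the
#whole PAM stack (auth/account/session lines included) and can lock users out.
#Repeated runs also appended the option again and again.
#Now: match the line with flexible whitespace, append the option only when it is
#not already there (idempotent), and warn instead of touching anything when the
#line does not exist.
PAM_UNIX_RE='^[[:space:]]*password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so'
if grep -q "$PAM_UNIX_RE" /etc/pam.d/system-auth; then
  sed -i "/$PAM_UNIX_RE/{/remember=/!s/\$/ remember=5/;}" /etc/pam.d/system-auth
else
  echo "warning: no active 'password sufficient pam_unix.so' line in /etc/pam.d/system-auth; remember=5 not applied" >&2
fi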
###############################################################################
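#Fix: maximum password lifetime (PASS_MAX_DAYS 90).
#Replace the active setting in place; append it when /etc/login.defs has none.
#The original's line-number lookup yielded an empty sed address when the key was
#absent or commented out, so every line mentioning the key was rewritten, and
#multiple matches produced an invalid sed expression.
if grep -q '^[[:space:]]*PASS_MAX_DAYS[[:space:]]' /etc/login.defs; then
  sed -i 's/^[[:space:]]*PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS 90/' /etc/login.defs
else
  echo "PASS_MAX_DAYS 90" >>/etc/login.defs
fi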
###############################################################################
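#Fix: minimum password length (PASS_MIN_LEN 8).
#Replace the active setting in place; append it when /etc/login.defs has none.
#The original's line-number lookup yielded an empty sed address when the key was
#absent or commented out, so every line mentioning the key was rewritten, and
#multiple matches produced an invalid sed expression. Note that on PAM-based
#systems the effective minimum comes from pam_cracklib's minlen (set further
#down); PASS_MIN_LEN alone is not enforced for passwd(1) there.
if grep -q '^[[:space:]]*PASS_MIN_LEN[[:space:]]' /etc/login.defs; then
  sed -i 's/^[[:space:]]*PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN 8/' /etc/login.defs
else
  echo "PASS_MIN_LEN 8" >>/etc/login.defs
fi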
#################################################################################
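#Fix: idle shell timeout (export TMOUT=600 in /etc/profile).
#Only an active "export TMOUT=" line is rewritten; a commented "#export TMOUT="
#no longer counts as present (the original's grep/sed matched it and would have
#uncommented it). The original also used TMOUT as its own scratch variable,
#which is the name bash reserves for the shell's read/select timeout; a neutral
#name is used instead. Users can still unset TMOUT in their session; making it
#readonly is a separate policy decision not taken here.
if grep -q '^[[:space:]]*export[[:space:]]\+TMOUT=' /etc/profile; then
  sed -i 's/^[[:space:]]*export[[:space:]]\+TMOUT=.*/export TMOUT=600/' /etc/profile
else
  echo "export TMOUT=600" >>/etc/profile
fi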
##################################################################################
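#Fix: disable the ctrl+alt+del reboot entry in /etc/inittab by commenting it out.
#The original's substitution was "s/^//" -- an empty replacement that changed
#nothing -- so the entry stayed active despite the check. Only an active
#(uncommented) ca::ctrlaltdel line is touched. /etc/inittab is honoured by
#SysV init only; on upstart/systemd hosts the entry is not there and this
#section is a no-op (on systemd the equivalent is masking ctrl-alt-del.target,
#which this script does not do).
if [ -f /etc/inittab ] && grep -q '^[[:space:]]*ca::ctrlaltdel' /etc/inittab; then
  sed -i 's/^\([[:space:]]*ca::ctrlaltdel\)/#\1/' /etc/inittab
fi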
###################################################################################
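#Fix: password complexity via pam_cracklib (difok=3 minlen=8, one upper, one
#lower, one digit). Only an active pam_cracklib line is replaced; the original
#".*pam_cracklib.*" matched commented lines too, which would turn a
#"#password ... pam_cracklib.so" comment into a second active entry. If no
#active line exists nothing is changed and a warning is printed -- hosts that
#use pam_pwquality instead of pam_cracklib need a different fix.
#NOTE(review): on systems where system-auth is a symlink managed by authconfig,
#sed -i replaces the symlink with a regular file (GNU sed has --follow-symlinks).
if grep -q '^[^#]*pam_cracklib\.so' /etc/pam.d/system-auth; then
  sed -i 's/^[^#]*pam_cracklib\.so.*/password requisite pam_cracklib.so difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1/' /etc/pam.d/system-auth
else
  echo "warning: no active pam_cracklib.so line in /etc/pam.d/system-auth; complexity policy not applied" >&2
fi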
###################################################################################
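#Fix: post-login banner (/etc/motd). The ">" redirection creates the file when
#it is missing, so the original's if/else with touch was two identical branches.
echo "Login success. All activity will be monitored and reported " > /etc/motd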
####################################################################################
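#Fix: default umask 027 for login shells.
#The original compared the *script's own* inherited umask with the policy and,
#whenever they differed (which is the normal case, since callers run with 0022),
#appended "umask 027" to /etc/profile -- on every run, without ever looking at
#what /etc/profile already sets. Now the line is appended only when /etc/profile
#has no active "umask 027" yet, so the script is idempotent. Appending at the
#end works because the last umask in the file wins over the distribution's
#conditional umask 002/022 block.
if ! grep -q '^[[:space:]]*umask[[:space:]]\+027[[:space:]]*$' /etc/profile; then
  echo "umask 027" >>/etc/profile
fi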
#####################################################################################
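#Fix: permissions on sensitive files. Each target is checked for existence first
#so a host without grub.conf or lilo.conf does not print errors. /etc/security is
#a directory, not a file: 600 is a file mode and drops the search (x) bit, so it
#is given 700 instead -- same "nobody but root" outcome as the original, but the
#directory stays traversable.
#NOTE(review): the distribution default for /etc/security is 755; confirm that no
#non-root PAM client on this host needs to read /etc/security/*.conf before
#keeping it root-only.
for PERM_ENTRY in \
  600:/etc/xinetd.conf \
  644:/etc/group \
  400:/etc/shadow \
  644:/etc/services \
  700:/etc/security \
  644:/etc/passwd \
  600:/etc/grub.conf \
  600:/boot/grub/grub.conf \
  600:/etc/lilo.conf; do
  PERM_MODE=${PERM_ENTRY%%:*}
  PERM_TARGET=${PERM_ENTRY#*:}
  if [ -e "$PERM_TARGET" ]; then
    chmod "$PERM_MODE" -- "$PERM_TARGET"
  fi
done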
#####################################################################################
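#Fix: pre-login SSH warning banner.
#The original chowned the banner to bin:bin, which lets the unprivileged bin
#account rewrite a file sshd serves before authentication; root:root is the
#conventional owner for files under /etc. Its if/else also ran the same chown in
#both branches, and the touch was redundant because ">" creates the file.
#The Banner directive is replaced only on an active line and appended when none
#exists -- the previous ".*Banner.*" substitution also rewrote "#Banner none"
#comments and silently did nothing on a config that had no Banner line at all.
#NOTE(review): if sshd_config ends with a Match block the appended line lands
#inside it; check the file tail. sshd must be reloaded for the change to take
#effect; this script does not do that.
echo " Authorized only. All activity will be monitored and reported " > /etc/ssh_banner
chown root:root /etc/ssh_banner
chmod 644 /etc/ssh_banner
if grep -q '^[[:space:]]*Banner[[:space:]]' /etc/ssh/sshd_config; then
  sed -i 's|^[[:space:]]*Banner[[:space:]].*|Banner /etc/ssh_banner|' /etc/ssh/sshd_config
else
  echo "Banner /etc/ssh_banner" >>/etc/ssh/sshd_config
fi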
#######################################################################################
##修復禁止root用戶遠程登錄
#ROOT=`cat /etc/ssh/sshd_config | grep -v "^#" | grep PermitRootLogin`
#if [ -z "$ROOT" ]
#then
#echo "PermitRootLogin no" >>/etc/ssh/sshd_config
#else
#LINEROOT=`cat -n /etc/ssh/sshd_config | grep -v ".*#.*" | grep PermitRootLogin | awk '{print $1}'`
#sed -i ''$LINEROOT's/.*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
#fi
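#Fix: remove the OS-identifying pre-login banners (/etc/issue, /etc/issue.net).
#Each file is moved only if it is present, so a second run does not fail on the
#already-moved file, and an earlier .bak (the restore copy) is never overwritten.
for ISSUE_FILE in /etc/issue.net /etc/issue; do
  if [ ! -f "$ISSUE_FILE" ]; then
    continue
  fi
  if [ -e "${ISSUE_FILE}.bak" ]; then
    echo "warning: ${ISSUE_FILE}.bak already exists; $ISSUE_FILE left in place" >&2
    continue
  fi
  mv -- "$ISSUE_FILE" "${ISSUE_FILE}.bak"
done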
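#Fix: comment out the mail aliases for system accounts in /etc/aliases.
#Every sed in the original used "games" as the search pattern (copy-paste): the
#first run turned "games" into "#games", the second then rewrote that into
#"##system", and the remaining seven matched nothing -- so none of the other
#aliases were ever commented out. The alias name is now anchored at the start of
#the line so only the alias definition itself is touched.
for ALIAS_NAME in games system uucp dumper decode ingres toor manager operator; do
  sed -i "s/^${ALIAS_NAME}:/#${ALIAS_NAME}:/" /etc/aliases
done
#The aliases database is not rebuilt here; run newaliases afterwards so the
#MTA picks the change up.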
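#Fix: TCP-wrapper restriction for sshd via hosts.allow / hosts.deny.
#Each rule is appended only when it is not already present (exact line match),
#so re-running the script no longer piles up duplicate entries. grep's stderr is
#silenced because a missing file is the normal "not yet configured" case and the
#append then creates it.
#The networks below must cover the administrators' source addresses, otherwise
#the host denies its own operators SSH access -- adjust them to this site before
#use. NOTE(review): sshd builds without libwrap ignore these files entirely;
#verify the installed sshd honours them.
HOSTS_ALLOW_RULE="sshd:192.168.0.0/255.255.0.0 172.21.0.0/255.255.0.0 10.0.0.0/255.0.0.0"
HOSTS_DENY_RULE="sshd:all"
grep -qxF -- "$HOSTS_ALLOW_RULE" /etc/hosts.allow 2>/dev/null || echo "$HOSTS_ALLOW_RULE" >>/etc/hosts.allow
grep -qxF -- "$HOSTS_DENY_RULE" /etc/hosts.deny 2>/dev/null || echo "$HOSTS_DENY_RULE" >>/etc/hosts.deny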
#core dump 配置安全修改
#echo "ulimit -S -c unlimited">>/etc/profile
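#Fix: restrict the log files named in the syslog/rsyslog configuration to root.
#Both configs are handled by one loop instead of two copies. Only the target
#column ($2) is used; a leading "-" (rsyslog's "no sync" marker, which the
#original skipped outright) is stripped, and chmod runs only for an absolute
#path that is an existing regular file. Remote targets (@host), "*" (all
#users), pipes (|) and directive lines such as "$ModLoad imuxsock" -- whose
#second field the original passed to chmod as a relative filename -- are
#therefore never touched. Each path is quoted; the original relied on
#word-splitting an unquoted variable.
#NOTE(review): rotated logs are recreated with the mode configured in
#rsyslog ($FileCreateMode) or logrotate ("create"); this only fixes existing files.
for SYSLOG_CONF in /etc/syslog.conf /etc/rsyslog.conf; do
  [ -f "$SYSLOG_CONF" ] || continue
  awk '$0 !~ /^[[:space:]]*#/ && NF >= 2 { f = $2; sub(/^-/, "", f); if (f ~ /^\//) print f }' "$SYSLOG_CONF" |
  while IFS= read -r LOG_FILE; do
    if [ -f "$LOG_FILE" ]; then
      chmod 600 "$LOG_FILE"
    fi
  done
done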
###############################################################################################################
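#Fix: lock the listed system accounts by rewriting their password field.
#The original ran the substitution against "2.txt", which appears to be a
#leftover scratch file rather than a system file, and built the sed expression
#unquoted. /etc/shadow is the file the script backs up and protects above and
#the only one whose lines have the "name:field:" shape this pattern targets, so
#it is used here, with the name anchored at the start of the line. As before,
#only a single-character password field ("*" or "!") is rewritten to "!!";
#accounts with a real hash are left alone.
#NOTE(review): confirm /etc/shadow was the intended target before deploying;
#usermod -L is the supported way to lock an account and would be preferable
#to editing /etc/shadow with sed.
SHADOW_FILE=/etc/shadow
if [ -f "$SHADOW_FILE" ]; then
  for LOCK_USER in daemon bin sys adm lp uucp nuucp smmsp games ftp mail sync shutdown halt news operator gopher nobody; do
    sed -i "s/^${LOCK_USER}:.:/${LOCK_USER}:!!:/" "$SHADOW_FILE"
  done
fi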