安全Linuxalready

系统安全脚本

2022-08-04  本文已影响0人  Joening
#!/bin/bash
# Host hardening script for a yum-based system.
# The notices below are informational only: nothing in this script pauses for
# confirmation, so every later step runs as soon as the script is started.
for notice in \
  "+ 请仔细审阅加固脚本内容" \
  "+ 务必在加固前进行镜像备份" \
  "+ 加固可能造成系统异常" \
  "+ 加固操作会对账户做出限制,需要定期修改"; do
  echo "$notice"
done

echo "==================================="
echo "+ 升级sshd至最新"
# "Latest" means the newest openssh build in the repositories enabled on this
# host; the update result is not checked before the script moves on.
yum -y update openssh

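echo "==================================="
echo "+ 确保SSH LogLevel设置为INFO"
echo "+ 设置SSH空闲超时退出时间"
echo "+ 确保SSH MaxAuthTries设置为3到6之间"
echo "+ 禁止SSH空密码用户登录"
echo "+ 修改SSH默认端口"
echo "+ 禁止Root用户登录"

# Harden /etc/ssh/sshd_config in place.
#
# * The first five expressions only fire on the untouched, commented-out stock
#   default (e.g. "#Port 22"). A directive that was already set explicitly is
#   left alone, so read the effective values printed at the end of this step
#   rather than assuming every edit applied.
# * PermitEmptyPasswords and PermitRootLogin are rewritten whatever their
#   current value is (commented or active, "yes", "prohibit-password", ...),
#   because any value other than "no" leaves the setting weaker than this
#   script announces.
# * ClientAliveCountMax 0 is version dependent: older OpenSSH drops a session
#   after one unanswered interval, while newer releases (8.2 and later, per the
#   upstream release notes - confirm for your build) treat 0 as "never
#   terminate", which silently turns the idle timeout off.
# * Port 2222 also has to be allowed by the host firewall and, where SELinux is
#   enforcing, labelled as an SSH port. This script does neither.
# * sshd is not restarted here. Keep the current session open and confirm a
#   non-root login on the new port before closing it.
sshd_config=/etc/ssh/sshd_config
sed -i -E \
  -e 's/^#LogLevel INFO/LogLevel INFO/' \
  -e 's/^#ClientAliveInterval 0/ClientAliveInterval 500/' \
  -e 's/^#ClientAliveCountMax 3/ClientAliveCountMax 0/' \
  -e 's/^#MaxAuthTries 6/MaxAuthTries 4/' \
  -e 's/^#Port 22/Port 2222/' \
  -e 's/^#?PermitEmptyPasswords[[:space:]].*/PermitEmptyPasswords no/' \
  -e 's/^#?PermitRootLogin[[:space:]].*/PermitRootLogin no/' \
  "$sshd_config"

# Syntax-check the edited file, then print the values sshd would actually use
# so that a silently skipped substitution is visible to the operator.
if sshd -t -f "$sshd_config"; then
  sshd -T -f "$sshd_config" 2>/dev/null \
    | grep -Ei '^(loglevel|clientaliveinterval|clientalivecountmax|maxauthtries|permitemptypasswords|port|permitrootlogin) '
else
  echo "! sshd_config 校验失败,请在重启 sshd 之前修复" >&2
fi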
echo "==================================="
echo "+ 设置密码修改最小间隔时间"
# The minimum-age step below is commented out, so PASS_MIN_DAYS and root's
# minimum password age keep whatever values they already have.
#sed -i.bak -e 's/^\(PASS_MIN_DAYS\).*/\1   7/' /etc/login.defs && chage --mindays 7 root
echo "==================================="
echo "+ 设置密码失效时间"
# PASS_MAX_DAYS in login.defs is a default for accounts created afterwards;
# of the existing accounts only root is updated here, via chage.
# The previous login.defs is kept as /etc/login.defs.bak (rewritten each run).
if sed -i.bak -E 's/^(PASS_MAX_DAYS).*/\1   90/' /etc/login.defs; then
  chage -M 90 root
fi

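echo "==================================="
echo "+ 检查密码重用是否受限制"
# Add remember=5 to the pam_unix.so "password sufficient" line in both PAM
# stacks so the last five passwords cannot be reused.
#
# The line is located by module and control flag rather than by its exact
# option string, so a line that differs from the stock one is still handled
# and the options already on it (including nullok) are kept. Any existing
# remember=N is replaced, which makes reruns idempotent.
# A pristine copy is saved once as <file>.bak and never overwritten, so a
# second run cannot replace the backup with an already-modified file.
# NOTE(review): on hosts where these files are symlinks managed by a
# configuration tool, sed -i replaces the link with a regular file - confirm
# that is acceptable.
for pam_file in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
  [ -e "${pam_file}.bak" ] || cp -p -- "$pam_file" "${pam_file}.bak"
  sed -i -E '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/ {
      s/[[:space:]]+remember=[0-9]+//g
      s/[[:space:]]*$/ remember=5/
    }' "$pam_file"
  # Report a no-op instead of letting it pass as success.
  if ! grep -Eq '^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so.*remember=5' "$pam_file"; then
    echo "! ${pam_file}: 未找到 pam_unix.so 的 password 行,remember=5 未生效" >&2
  fi
done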

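echo "==================================="
echo "+ 密码复杂度检查"
# Enable minlen/minclass in pwquality.conf. Both expressions only match the
# commented-out stock defaults; an already customised value is left as it is.
sed -i \
  -e 's/^# minlen = 9/minlen = 9/' \
  -e 's/^# minclass = 0/minclass = 3/' \
  /etc/security/pwquality.conf

# Keep the first backup of system-auth instead of overwriting it: this file is
# edited by more than one step of the script, and a fresh "-i.bak" here would
# replace the pristine copy with an already-modified one.
[ -e /etc/pam.d/system-auth.bak ] || cp -p -- /etc/pam.d/system-auth /etc/pam.d/system-auth.bak

# NOTE(review): the module arguments written here say minlen=10 while
# pwquality.conf above says minlen = 9. Arguments on the PAM line presumably
# take precedence for this stack, so the effective minimum would be 10 -
# confirm which value is intended and align the two.
sed -i -e 's/^\(password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=\).*/\1 minlen=10 minclass=3/' /etc/pam.d/system-auth

# The pattern above needs the exact stock line; report when nothing was changed.
if ! grep -q 'pam_pwquality\.so.*minlen=10 minclass=3' /etc/pam.d/system-auth; then
  echo "! /etc/pam.d/system-auth: 未找到 pam_pwquality.so 的预期配置行,minlen/minclass 参数未写入" >&2
fi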

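echo "==================================="
echo "+ 设置登录失败处理"
# Root login is disabled, so no failed-login limit is set for root; otherwise
# remote administration could become unavailable.
# sed -i '4i auth       required     pam_tally2.so  onerr=fail deny=6 lock_time=3 even_deny_root root_unlock_time=3600' /etc/pam.d/system-auth
# sed -i '2i auth       required     pam_tally2.so  onerr=fail deny=6 lock_time=3 even_deny_root root_unlock_time=3600' /etc/pam.d/login 
# sed -i '2i auth       required     pam_tally2.so  onerr=fail deny=6 lock_time=3 even_deny_root root_unlock_time=3600' /etc/pam.d/sshd

# Insert the pam_tally2 rule at the same line positions as before, with two
# safeguards:
#  * Skip the step when pam_tally2.so is not installed. A "required" entry for
#    a module that cannot be loaded is expected to fail every authentication
#    through that stack. Newer distributions ship pam_faillock instead.
#  * Skip a file that already carries a pam_tally2 auth rule, so a rerun does
#    not stack duplicate entries.
# NOTE(review): no unlock_time is given. Per the pam_tally2 documentation an
# account that reaches deny=6 then stays locked until an administrator resets
# the counter, so repeated bad logins can lock a user out - confirm intended.
tally_rule='auth       required     pam_tally2.so  onerr=fail deny=6 lock_time=3'
tally_module=$(find /lib /lib64 /usr/lib /usr/lib64 -maxdepth 3 -name pam_tally2.so -print -quit 2>/dev/null)
if [ -z "$tally_module" ]; then
  echo "! 未找到 pam_tally2.so,跳过登录失败处理配置" >&2
else
  for entry in 4:/etc/pam.d/system-auth 2:/etc/pam.d/login 2:/etc/pam.d/sshd; do
    line_no=${entry%%:*}
    pam_file=${entry#*:}
    if grep -Eq '^auth[[:space:]].*pam_tally2\.so' "$pam_file"; then
      continue
    fi
    sed -i "${line_no}i ${tally_rule}" "$pam_file"
  done
fi

# Shell idle timeout. Appended only once so reruns do not pile up duplicates.
# It is a plain assignment (not readonly), so a user can still change or unset
# it in their own session.
grep -q '^TMOUT=' /etc/profile || echo "TMOUT=600" >> /etc/profile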

echo "==================================="
echo "+ 添加新用户normal,请输入密码: 可以自行修改用户名"
# Create the unprivileged login account and set its password interactively.
# Root SSH login is switched off earlier in this script, so check that this
# account can log in (and reach root as needed) before ending the session.
login_name=normal
adduser "$login_name"
passwd "$login_name"

echo "==================================="
echo "+ 限制默认账户的访问权限"
# Account databases: owned by root; passwd/group world-readable, the shadow
# files readable by root only.
# NOTE(review): some distributions ship /etc/shadow and /etc/gshadow with a
# stricter mode than 0400 - check the current mode so this is not a loosening.
chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
chmod 0644 /etc/group /etc/passwd
chmod 0400 /etc/shadow /etc/gshadow

echo "==================================="
echo "+ 设置Selinux为:permissive, 操作完成需要重启"
# Only a line that starts with SELINUX=disabled is rewritten; a host already
# set to enforcing or permissive is left unchanged. Permissive mode records
# policy denials without blocking them.
sed -i -e '/^SELINUX=disabled/s//SELINUX=permissive/' /etc/selinux/config

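echo "==================================="
echo "+ 检查修改结果"
# Read-only verification pass: each echo states the expected value, then the
# live configuration is printed for the operator to compare by eye.

# Only PASS_MAX_DAYS is changed by this script; the PASS_MIN_DAYS step is
# commented out, so the message no longer promises a value of 7 for it.
echo "密码过期时间:应该为 PASS_MAX_DAYS 90 (PASS_MIN_DAYS 的修改步骤已注释,保持原值)"
grep PASS_MAX_DAYS /etc/login.defs
grep PASS_MIN_DAYS /etc/login.defs
chage -l root

# More than one pam_tally2 line for a file means the rule was inserted twice.
echo "登录失败策略模块开启状态, 应该为:pam_tally2.so  onerr=fail deny=6 lock_time=3 。不能出现,不能出现:even_deny_root root_unlock_time=3600"
grep pam_tally2.so /etc/pam.d/system-auth
grep pam_tally2.so /etc/pam.d/login
grep pam_tally2.so /etc/pam.d/sshd

echo "密码复杂度要求,应该为: minlen = 9, minclass = 3"
grep minlen /etc/security/pwquality.conf
grep minclass /etc/security/pwquality.conf

# The pattern also matches comment lines and GatewayPorts; look for the
# uncommented "Port" line in the output.
echo "ssh 服务端口:应该非 22端口"
grep Port /etc/ssh/sshd_config

echo "敏感文件访问权限: Normal用户应该无权访问"
ls -l /etc/shadow

# The script writes TMOUT=600 to /etc/profile, so 600 is the expected value.
echo "会话超时自动退出时长: 应该为600"
grep TMOUT /etc/profile

# getenforce reports the running mode; the edit to /etc/selinux/config only
# takes effect after a reboot.
echo "检查Selinux状态: 重启后应该为-permissive"
getenforce

# Relabel-on-next-boot is left disabled here.
# touch /.autorelabel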