linux等保加固脚本
https://www.cnblogs.com/flawlessm/p/12843188.html
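# --- Backups of every file this page edits ---
# A backup is taken only when no .bak exists yet, so re-running the script
# does not overwrite the pristine copy with an already-hardened file; -p
# keeps mode and owner so a backup can be put back with a plain cp.
# The PAM files for sshd/login/passwd and hosts.allow/hosts.deny are edited
# further down but were missing from the original backup list; they are
# included here.
for f in /etc/login.defs /etc/profile /etc/pam.d/system-auth /etc/pam.d/su \
         /etc/ssh/sshd_config /etc/pam.d/passwd /etc/pam.d/sshd \
         /etc/pam.d/login /etc/hosts.allow /etc/hosts.deny; do
  if [[ -e "$f" && ! -e "$f.bak" ]]; then
    cp -p -- "$f" "$f.bak"
  fi
done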
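# --- PAM password quality/history, password aging, lockout and su policy ---
# RHEL/CentOS 6 layout (pam_cracklib, pam_tally2, /lib64/security); on 7+
# system-auth uses pam_pwquality and the cracklib edit below matches nothing.
#
# Two pitfalls of the plain "sed -i '/^password requisite …/c …'" form this
# replaces: the stock PAM stacks pad their columns with several spaces, so a
# single-space pattern never matches and the edit is skipped silently; and
# /etc/pam.d/system-auth is a symlink to system-auth-ac (authconfig), which
# sed -i turns into a plain file unless told to follow symlinks.

# replace_line FILE PATTERN TEXT: replace the line(s) matching BRE PATTERN
# with TEXT, warning on stderr when nothing matched.
replace_line() {
  local file=$1 pattern=$2 text=$3
  if grep -q -- "$pattern" "$file"; then
    sed -i --follow-symlinks "/${pattern}/c ${text}" "$file"
  else
    printf 'warning: %s: no line matches %s; left unchanged\n' "$file" "$pattern" >&2
  fi
}

# insert_after_header FILE PATTERN TEXT: put TEXT (sed replacement text,
# "\n" separates lines) right after the "#%PAM-1.0" header unless a line
# matching PATTERN already exists. The original s/// ran on every execution
# and stacked another copy each time.
insert_after_header() {
  local file=$1 pattern=$2 text=$3
  grep -q -- "$pattern" "$file" && return 0
  sed -i --follow-symlinks "s#%PAM-1.0#%PAM-1.0\n${text}#" "$file"
}

# passwd(1) must run the shared password stack exactly once; most stock
# files already carry this include, so add it only when it is absent.
grep -q '^password[[:space:]]\+include[[:space:]]\+system-auth' /etc/pam.d/passwd \
  || echo 'password include system-auth' >> /etc/pam.d/passwd

# Password quality: 5 attempts per change, at least 3 characters different
# from the old password, 8+ characters with at least 1 upper-case,
# 3 lower-case, 3 digits and 1 other character.
replace_line /etc/pam.d/system-auth \
  '^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so' \
  'password requisite pam_cracklib.so try_first_pass retry=5 difok=3 minlen=8 ucredit=-1 lcredit=-3 dcredit=-3 ocredit=-1'
# Password history (24 entries) and SHA-512 hashing. nullok is kept from the
# original line: it lets accounts with an empty password authenticate —
# confirm that is wanted on a hardened host.
replace_line /etc/pam.d/system-auth \
  '^password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so' \
  'password sufficient pam_unix.so remember=24 sha512 shadow nullok try_first_pass use_authtok'

# Password aging in login.defs (new accounts; use chage for existing ones).
# The original wrote "PASS_MIN_LEN 30" — a 30-character minimum — where the
# annotated copy of the same step on this page sets PASS_MIN_DAYS 30 and
# PASS_MIN_LEN 8, which is what is applied here. Note a 30-day minimum age
# stops a user from changing a password they believe compromised without
# an administrator.
replace_line /etc/login.defs '^PASS_MAX_DAYS' 'PASS_MAX_DAYS 90'
replace_line /etc/login.defs '^PASS_MIN_DAYS' 'PASS_MIN_DAYS 30'
replace_line /etc/login.defs '^PASS_MIN_LEN'  'PASS_MIN_LEN 8'

# Lockout: 3 failures lock the account for 300 s; root is included
# (even_deny_root) and unlocks after 600 s. Because this counts remote
# logins too, anyone who can reach sshd can lock root out for 10 minutes
# with three bad passwords — weigh that against PermitRootLogin.
# pam_tally2 is normally paired with "account required pam_tally2.so" so a
# successful login resets the counter — confirm against pam_tally2(8).
tally='auth required pam_tally2.so onerr=fail deny=3 unlock_time=300 even_deny_root root_unlock_time=600'
insert_after_header /etc/pam.d/sshd  '^auth[[:space:]]\+required[[:space:]]\+pam_tally2\.so' "$tally"
insert_after_header /etc/pam.d/login '^auth[[:space:]]\+required[[:space:]]\+pam_tally2\.so' "$tally"

# su: root passes via pam_rootok, everyone else must be a member of wheel.
insert_after_header /etc/pam.d/su \
  '^auth[[:space:]]\+required[[:space:]]\+/lib64/security/pam_wheel\.so' \
  'auth sufficient /lib64/security/pam_rootok.so\nauth required /lib64/security/pam_wheel.so use_uid group=wheel'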
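# --- Remote-access restriction, idle timeout, default umask ---

# append_once FILE LINE: append LINE unless an identical line is already in
# FILE, so a second run does not stack duplicates (the original ">>" did).
append_once() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# tcp_wrappers: only the bastion host may reach sshd, and hosts.deny then
# refuses every other wrapped service from everywhere. This gates only
# daemons linked with libwrap: OpenSSH dropped libwrap support in 6.7, so
# once the 8.0p1 source build further down this page is installed the sshd
# line below no longer applies to it — enforce the bastion-only rule with a
# firewall rule or an "AllowUsers *@192.168.200.122" / "Match Address"
# directive in sshd_config instead.
append_once /etc/hosts.allow 'sshd:192.168.200.122:allow'
append_once /etc/hosts.deny 'all:all'

# Idle interactive shells exit after 600 s. As written a user may unset it;
# adding "readonly TMOUT" to /etc/profile prevents that.
append_once /etc/profile 'TMOUT=600'

# Default umask 022 -> 027 in the branch of /etc/profile that sets 022. On
# RHEL the user-private-group branch (UID > 199) sets "umask 002" and is
# not touched by this pattern — confirm that is intended.
sed -i '/ umask 022/c umask 027' /etc/profile
# Only affects the shell running this script; new logins read the file.
source /etc/profile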
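# ---- Annotated walk-through: password policy, lockout and su (RHEL/CentOS 6) ----
# The "\#" comment markers and "\_" underscores of the original were markup
# escapes; restored here so the lines are comments and real module names.
# Helpers (same as in the script above): /etc/pam.d/system-auth is a symlink
# to system-auth-ac, which sed -i would replace with a plain file without
# --follow-symlinks; and the stock stacks pad their columns with several
# spaces, which a single-space pattern such as
# '^password requisite pam_cracklib.so' never matches.

# replace_line FILE PATTERN TEXT: replace the line(s) matching BRE PATTERN
# with TEXT, warning on stderr if nothing matched.
replace_line() {
  local file=$1 pattern=$2 text=$3
  if grep -q -- "$pattern" "$file"; then
    sed -i --follow-symlinks "/${pattern}/c ${text}" "$file"
  else
    printf 'warning: %s: no line matches %s; left unchanged\n' "$file" "$pattern" >&2
  fi
}

# insert_after_header FILE PATTERN TEXT: put TEXT (sed replacement text,
# "\n" separates lines) right after the "#%PAM-1.0" header unless a line
# matching PATTERN already exists, so the block is added exactly once.
insert_after_header() {
  local file=$1 pattern=$2 text=$3
  grep -q -- "$pattern" "$file" && return 0
  sed -i --follow-symlinks "s#%PAM-1.0#%PAM-1.0\n${text}#" "$file"
}

# Password complexity: a user gets 5 attempts when setting a password; the
# new one must differ from the old in at least 3 characters and be at least
# 8 long with upper-case, lower-case, digits and a symbol
# (ucredit=-1 lcredit=-3 dcredit=-3 ocredit=-1 are minimum counts).
replace_line /etc/pam.d/system-auth \
  '^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so' \
  'password requisite pam_cracklib.so try_first_pass retry=5 difok=3 minlen=8 ucredit=-1 lcredit=-3 dcredit=-3 ocredit=-1'
# Remember the last 24 passwords; SHA-512 hashes. nullok (kept from the
# original) lets empty-password accounts authenticate — confirm it is wanted.
replace_line /etc/pam.d/system-auth \
  '^password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so' \
  'password sufficient pam_unix.so remember=24 sha512 shadow nullok try_first_pass use_authtok'
# Minimum password age 30 days, maximum 90 days, minimum length 8.
replace_line /etc/login.defs '^PASS_MAX_DAYS' 'PASS_MAX_DAYS 90'
replace_line /etc/login.defs '^PASS_MIN_DAYS' 'PASS_MIN_DAYS 30'
replace_line /etc/login.defs '^PASS_MIN_LEN'  'PASS_MIN_LEN 8'

# Login failure handling: 3 failures lock the account for 300 s
# (unlock_time; the original note said 10 s, the configured value is 300),
# root included and unlocked after 600 s. Usually paired with
# "account required pam_tally2.so" so a successful login resets the
# counter — confirm against pam_tally2(8).
tally='auth required pam_tally2.so onerr=fail deny=3 unlock_time=300 even_deny_root root_unlock_time=600'
insert_after_header /etc/pam.d/sshd  '^auth[[:space:]]\+required[[:space:]]\+pam_tally2\.so' "$tally"
insert_after_header /etc/pam.d/login '^auth[[:space:]]\+required[[:space:]]\+pam_tally2\.so' "$tally"

# Without this PAM stack any user who knows the root password can su to
# root; with it only members of wheel may (root passes via pam_rootok).
#   add a user to wheel:        usermod -aG wheel username
#                               (-a keeps the user's other groups; plain -G
#                               replaces them)
#   remove a user from a group: gpasswd -d username groupname
insert_after_header /etc/pam.d/su \
  '^auth[[:space:]]\+required[[:space:]]\+/lib64/security/pam_wheel\.so' \
  'auth sufficient /lib64/security/pam_rootok.so\nauth required /lib64/security/pam_wheel.so use_uid group=wheel'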
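# ---- Annotated walk-through: remote access, idle timeout, umask ----

# append_once FILE LINE: append LINE unless an identical line already
# exists, so re-running does not stack duplicates (the original ">>" did).
append_once() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Disable direct root login over SSH — left disabled in the original too.
# If enabled: sshd uses the first PermitRootLogin it reads, so the ">>"
# variant is ignored whenever an earlier active directive exists, and the
# sed variant only matches a line that literally says "PermitRootLogin yes".
#echo PermitRootLogin no >> /etc/ssh/sshd_config
#sed -i '/PermitRootLogin yes/cPermitRootLogin no' /etc/ssh/sshd_config
#/etc/init.d/sshd restart

# Only the bastion host 192.168.200.122 may reach sshd; every other wrapped
# service is refused from everywhere. Template for a further host (a bare
# "sshd:x.x.x.x:allow" line in the original would have run as a command):
#   append_once /etc/hosts.allow 'sshd:x.x.x.x:allow'
# tcp_wrappers only gates daemons linked with libwrap; OpenSSH dropped that
# support in 6.7, so the sshd line stops applying once the 8.0p1 source
# build further down this page is installed — use a firewall rule or an
# "AllowUsers *@192.168.200.122" / "Match Address" directive in sshd_config.
append_once /etc/hosts.allow 'sshd:192.168.200.122:allow'
append_once /etc/hosts.deny 'all:all'

# Idle shells exit after 600 s. A user can still unset TMOUT as written;
# "readonly TMOUT" in /etc/profile would prevent that.
append_once /etc/profile 'TMOUT=600'
# Shrinking shell history (left disabled) also discards evidence an
# incident responder needs.
#echo export HISTFILESIZE=5 >> /etc/profile
#echo export HISTSIZE=1 >> /etc/profile
#echo export HISTFILESIZE >> /etc/profile

# Default umask 022 -> 027. On RHEL the user-private-group branch of
# /etc/profile (UID > 199) sets "umask 002" and is not touched by this
# pattern — confirm that is intended.
sed -i '/ umask 022/c umask 027' /etc/profile
# Affects only the shell running this; new logins read the file anyway.
source /etc/profile

# Show a user's failed-login tally / unlock a user:
#pam_tally2 --user root
#pam_tally2 -r -u root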
更新安全补丁
# Apply only the updates flagged as security errata, not the full update
# set. The --security filter is provided by yum-plugin-security on
# RHEL/CentOS 6 and is built into yum from 7 on; without it yum rejects
# the option.
yum upgrade --security
升级ssh版本:
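# --- Temporary telnet fallback for the OpenSSH rebuild that follows ---
# Removing the packaged openssh-server normally stops the running sshd, so
# a second way in is opened first. Telnet sends credentials in clear text:
# reach it only over the trusted management network, and tear it down
# again afterwards (done at the end of the OpenSSH section).

# Local el6 RPMs when they are in the current directory (rpm fails
# harmlessly when they are absent); the yum line then fetches or completes
# the same packages from the repositories.
rpm -ivh telnet-0.17-47.el6_3.1.x86_64.rpm telnet-server-0.17-47.el6_3.1.x86_64.rpm xinetd-2.3.14-39.el6_4.x86_64.rpm
yum install telnet telnet-server xinetd wget -y

# Enable the telnet service in xinetd (disable = yes -> no).
sed -i '/disable/{s/yes/no/g;}' /etc/xinetd.d/telnet

# pam_securetty only lets root log in on the ttys listed in /etc/securetty;
# pts/0..pts/6 is what allows a root login over telnet. Added once each (the
# original appended blindly) — remove them again once telnet is gone.
for n in {0..6}; do
  grep -qx "pts/$n" /etc/securetty || echo "pts/$n" >> /etc/securetty
done
service xinetd start
chkconfig xinetd on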
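# ===== Rebuild zlib, OpenSSL and OpenSSH from source (RHEL/CentOS 6) =====
# Differences from the original sequence: each packaged component is removed
# (rpm -e --nodeps) only after its replacement has compiled, so a failed
# build no longer leaves the host without libz/libssl/sshd; the
# libssl.so.10/libcrypto.so.10 links are created right after the OpenSSL
# install instead of at the very end, because yum, wget and the old ssh are
# linked against those sonames and are unusable until the links exist; and
# the build runs in a private directory rather than bare /tmp.
#
# Build dependencies. The apt-get line is for Debian/Ubuntu and the yum line
# for RHEL/CentOS; on any one host the other simply fails.
apt-get install libssl-dev libpam-dev libz-dev build-essential zlib1g-dev
yum install gcc pam-devel zlib-devel -y

# Versions pinned as on the original page. zlib 1.2.11 and the OpenSSL
# 1.0.2 series have since been superseded (1.0.2 is out of upstream
# support); check for newer releases before reusing this.
zlib_ver=1.2.11
openssl_ver=1.0.2q
openssh_ver=8.0p1

# Private, root-owned (mode 700) build directory. With a bare "cd /tmp" any
# local user could pre-create /tmp/openssh-8.0p1/ and have root configure,
# build and install whatever is in it.
build_dir=$(mktemp -d /tmp/sshbuild.XXXXXX) || exit 1
cd "$build_dir" || exit 1

wget "https://www.zlib.net/zlib-${zlib_ver}.tar.gz"
wget "https://www.openssl.org/source/openssl-${openssl_ver}.tar.gz"
wget "https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${openssh_ver}.tar.gz"
# Nothing below authenticates what was downloaded (the original fetched
# zlib over plain http). Before unpacking, compare each tarball with the
# checksum/signature the project publishes, e.g.
#   sha256sum -c - <<<"<EXPECTED_SHA256_FROM_UPSTREAM>  zlib-${zlib_ver}.tar.gz" || exit 1
#   gpg --verify "openssh-${openssh_ver}.tar.gz.asc" "openssh-${openssh_ver}.tar.gz" || exit 1
# Older releases may also have moved out of the projects' main download
# directories.
tar -xzf "zlib-${zlib_ver}.tar.gz" || exit 1
tar -xzf "openssl-${openssl_ver}.tar.gz" || exit 1
tar -xzf "openssh-${openssh_ver}.tar.gz" || exit 1

# ---- zlib ----
cd "${build_dir}/zlib-${zlib_ver}" || exit 1
./configure --prefix=/usr || exit 1
make || exit 1
# The packaged libz goes only now that the replacement has built.
rpm -e --nodeps zlib
make install || exit 1
# zlib's configure installs to /usr/lib, not /usr/lib64, so the loader must
# be told about it (added once; the original appended on every run).
grep -qxF '/usr/lib' /etc/ld.so.conf || echo '/usr/lib' >> /etc/ld.so.conf
ldconfig
# Sanity check, as in the original: rpm/yum still run against the new libz.
yum list

# ---- OpenSSL ----
cd "${build_dir}/openssl-${openssl_ver}" || exit 1
# Keep the packaged copies for rollback.
cp -r /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/openssl.old
cp -r /usr/bin/openssl /usr/bin/openssl.old
cp -r /usr/lib64/openssl /usr/lib64/openssl.old
cp /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.old
cp /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.10.old
./config --prefix=/usr --openssldir=/etc/ssl --shared zlib || exit 1
make || exit 1
# Drop every openssl* package (libs included) now that the replacement has
# built. Until the install and the links below complete, nothing linked
# against libssl.so.10 (yum, wget, the old ssh) works.
rpm -qa | grep openssl | xargs -r -I {} rpm -e --nodeps {}
make install || exit 1
# Re-create the sonames the packaged binaries were linked against.
ln -sf /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so.10
ln -sf /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so.10
openssl version

# ---- OpenSSH ----
cd "${build_dir}/openssh-${openssh_ver}" || exit 1
# Privilege-separation directory and account, each created only when
# missing: the packaged openssh already provides an sshd user/group, and in
# the original "&&" chain an existing group silently aborted the rest of it.
install -v -m700 -d /var/lib/sshd || exit 1
chown -v root:sys /var/lib/sshd || exit 1
getent group sshd >/dev/null || groupadd -g 50 sshd || exit 1
getent passwd sshd >/dev/null \
  || useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd \
  || exit 1
./configure --prefix=/usr \
  --sysconfdir=/etc/ssh \
  --with-md5-passwords \
  --with-privsep-path=/var/lib/sshd || exit 1
make || exit 1
# Remove the packaged OpenSSH only now. Its uninstall script normally stops
# the running sshd (existing sessions usually survive, new ones cannot be
# opened until the new daemon starts), so run this from a console or the
# telnet fallback. rpm -e also takes /etc/ssh/sshd_config with it (a locally
# modified one is kept as sshd_config.rpmsave) and make install writes
# OpenSSH's default file, so any sshd_config edits made earlier must be
# re-applied afterwards.
rpm -qa | grep openssh | xargs -r -I {} rpm -e --nodeps {}
make install || exit 1
install -v -m755 contrib/ssh-copy-id /usr/bin
install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
install -v -m755 -d "/usr/share/doc/openssh-${openssh_ver}"
install -v -m644 INSTALL LICENCE OVERVIEW README* "/usr/share/doc/openssh-${openssh_ver}"

# set_sshd_option KEY VALUE: set KEY in sshd_config. sshd uses the first
# occurrence of a keyword, so blindly appending (the original ">>") is
# ignored whenever an active line already exists; replace such a line (or a
# commented-out default) in place and append only if there is none. The
# substitution hits every matching line, including ones inside a Match
# block — review the file afterwards.
set_sshd_option() {
  local key=$1 value=$2 cfg=/etc/ssh/sshd_config
  if grep -q "^[#[:space:]]*${key}[[:space:]]" "$cfg"; then
    sed -i "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$cfg"
  else
    printf '%s %s\n' "$key" "$value" >> "$cfg"
  fi
}
# These three re-open what the hardening steps earlier on this page mean to
# close: root password logins over the network (OpenSSH itself defaults
# PermitRootLogin to prohibit-password) and X11 forwarding. The original
# values are kept as defaults and can be overridden from the environment,
# e.g. PERMIT_ROOT_LOGIN=no once a non-root admin account with keys exists.
set_sshd_option PermitRootLogin        "${PERMIT_ROOT_LOGIN:-yes}"
set_sshd_option PasswordAuthentication "${PASSWORD_AUTHENTICATION:-yes}"
set_sshd_option X11Forwarding          "${X11_FORWARDING:-yes}"

# make install generates host keys when they are absent; keep them root-only.
chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
cp -p contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
chkconfig --list sshd
# Refuse to start on a broken configuration rather than discover it from
# the bastion host; a failure here leaves the telnet fallback in place.
/usr/sbin/sshd -t || exit 1
service sshd start

# ---- Withdraw the telnet fallback ----
sed -i '/disable/{s/no/yes/g;}' /etc/xinetd.d/telnet
service xinetd stop
chkconfig xinetd off
# The pts/0..pts/6 entries added to /etc/securetty for the fallback would
# otherwise keep allowing root logins on any pty-based login service; take
# them out again. Removing telnet-server itself is the stronger option.
sed -i '/^pts\/[0-6]$/d' /etc/securetty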
end