Skip to content


linux基本安全配置设置脚本

依据linux基本安全配置手册
方便设置一些基本的linux安全设置

#vi autosafe.sh

#!/bin/bash
#########################################################################
#
# File: autosafe.sh
# Description:
# Language: GNU Bourne-Again SHell
# Version: 1.1
# Date: 2010-6-23
# Corp.: c1gstudio.com
# Author: c1g
# WWW: http://blog.c1gstudio.com
### END INIT INFO
###############################################################################

V_DELUSER=”adm lp sync shutdown halt mail news uucp operator games gopher ftp”
V_DELGROUP=”adm lp mail news uucp games gopher mailnull floppy dip pppusers popusers slipusers daemon”
V_PASSMINLEN=8
V_HISTSIZE=30
V_TMOUT=300
V_GROUPNAME=suadmin
V_SERVICE=”acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd”
V_TTY=”3|4|5|6″
V_SUID=(
‘/usr/bin/chage’
‘/usr/bin/gpasswd’
‘/usr/bin/wall’
‘/usr/bin/chfn’
‘/usr/bin/chsh’
‘/usr/bin/newgrp’
‘/usr/bin/write’
‘/usr/sbin/usernetctl’
‘/bin/traceroute’
‘/bin/mount’
‘/bin/umount’
‘/sbin/netreport’
)
version=1.0

# we need root to run
if test “`id -u`” -ne 0
then
echo “You need to start as root!”
exit
fi

case $1 in
“deluser”)
echo “delete user …”
for i in $V_DELUSER ;do
echo “deleting $i”;
userdel $i ;
done
;;

“delgroup”)
echo “delete group …”
for i in $V_DELGROUP ;do
echo “deleting $i”;
groupdel $i;
done
;;

“password”)
echo “change password limit …”
echo “/etc/login.defs”
echo “PASS_MIN_LEN $V_PASSMINLEN”
sed -i “/^PASS_MIN_LEN/s/5/$V_PASSMINLEN/” /etc/login.defs
;;

“history”)
echo “change history limit …”
echo “/etc/profile”
echo “HISTSIZE $V_HISTSIZE”
sed -i “/^HISTSIZE/s/1000/$V_HISTSIZE/” /etc/profile
;;

“logintimeout”)
echo “change login timeout …”
echo “/etc/profile”
echo “TMOUT=$V_TMOUT”
sed -i “/^HISTSIZE/a\TMOUT=$V_TMOUT” /etc/profile
;;

“bashhistory”)
echo “denied bashhistory …”
echo “/etc/skel/.bash_logout”
echo ‘rm -f $HOME/.bash_history’
if egrep “bash_history” /etc/skel/.bash_logout > /dev/null
then
echo ‘warning:existed’
else
echo ‘rm -f $HOME/.bash_history’ >> /etc/skel/.bash_logout
fi

;;
“addgroup”)
echo “groupadd $V_GROUPNAME …”
groupadd $V_GROUPNAME
;;

“sugroup”)
echo “permit $V_GROUPNAME use su …”
echo “/etc/pam.d/su”
echo “auth sufficient /lib/security/pam_rootok.so debug”
echo “auth required /lib/security/pam_wheel.so group=$V_GROUPNAME”
if egrep “auth sufficient /lib/security/pam_rootok.so debug” /etc/pam.d/su > /dev/null
then
echo ‘warning:existed’
else
echo ‘auth sufficient /lib/security/pam_rootok.so debug’ >> /etc/pam.d/su
echo “auth required /lib/security/pam_wheel.so group=${V_GROUPNAME}” >> /etc/pam.d/su
fi
;;

“denyrootssh”)
echo “denied root login …”
echo “/etc/ssh/sshd_config”
echo “PermitRootLogin no”
sed -i ‘/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/’ /etc/ssh/sshd_config
;;

“stopservice”)
echo “stop services …”
for i in $V_SERVICE ;do
service $i stop;
done
;;

“closeservice”)
echo “close services autostart …”
for i in $V_SERVICE ;do
chkconfig $i off;
done
;;

“tty”)
echo “close tty …”
echo “/etc/inittab”
echo “#3:2345:respawn:/sbin/mingetty tty3”
echo “#4:2345:respawn:/sbin/mingetty tty4”
echo “#5:2345:respawn:/sbin/mingetty tty5”
echo “#6:2345:respawn:/sbin/mingetty tty6”
sed -i ‘/^[$V_TTY]:2345/s/^/#/’ /etc/inittab
;;

“ctrlaltdel”)
echo “close ctrl+alt+del …”
echo “/etc/inittab”
echo “#ca::ctrlaltdel:/sbin/shutdown -t3 -r now”
sed -i ‘/^ca::/s/^/#/’ /etc/inittab
;;

“lockfile”)
echo “lock user&services …”
echo “chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services”
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services
;;

“unlockfile”)
echo “unlock user&services …”
echo “chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services”
chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services
;;

“chmodinit”)
echo “init script only for root …”
echo “chmod -R 700 /etc/init.d/*”
echo “chmod 600 /etc/grub.conf”
echo “chattr +i /etc/grub.conf”
chmod -R 700 /etc/init.d/*
chmod 600 /etc/grub.conf
chattr +i /etc/grub.conf
;;

“chmodcommand”)
echo “remove SUID …”
echo “/usr/bin/chage /usr/bin/gpasswd …”
for i in ${V_SUID[@]};
do
chmod a-s $i
done
;;

“version”)
echo “Version: Autosafe for Linux $version”
;;

*)
echo “Usage: $0
echo “”
echo ” deluser delete user”
echo ” delgroup delete group”
echo ” password change password limit”
echo ” history change history limit”
echo ” logintimeout change login timeout”
echo ” bashhistory denied bashhistory”
echo ” addgroup groupadd $V_GROUPNAME”
echo ” sugroup permit $V_GROUPNAME use su”
echo ” denyrootssh denied root login”
echo ” stopservice stop services ”
echo ” closeservice close services”
echo ” tty close tty”
echo ” ctrlaltdel close ctrl+alt+del ”
echo ” lockfile lock user&services”
echo ” unlockfile unlock user&services”
echo ” chmodinit init script only for root”
echo ” chmodcommand remove SUID”
echo ” version ”
echo “”

;;
esac

设置权限

chmod u+x ./autosafe.sh

运行脚本

./autosafe.sh deluser
./autosafe.sh delgroup
…..

猛击下载脚本
autosafe.sh

其它参考
linux基本安全配置手册
iptables 默认安全规则脚本

Posted in shell, 安全, 技术.

Tagged with , , .


2 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. 小白 says

    能说明下这脚本都做了什么么

  2. C1G says

    上面有链接 跟据linux基本安全配置手册
    http://blog.c1gstudio.com/archives/998



Some HTML is OK

or, reply to this post via trackback.