

linux基本安全配置设置脚本

依据《linux基本安全配置手册》，方便地完成一些基本的 Linux 安全设置。
脚本面向使用 chkconfig / service 和 SysV init（/etc/inittab）的 RHEL/CentOS 类系统，每次运行只执行一个动作；部分动作（sugroup、denyrootssh、lockfile）会限制获取 root 的途径，运行前请先阅读脚本注释中的顺序说明。

#vi autosafe.sh

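#!/bin/bash
#########################################################################
#
# File:         autosafe.sh
# Description:  Apply one basic hardening step per invocation to a
#               SysV-init Linux host (chkconfig / service / /etc/inittab,
#               i.e. RHEL/CentOS 5-era systems). Every action edits system
#               files in place and is written so that re-running it is safe.
# Language:     GNU Bourne-Again SHell (GNU sed, chattr and chkconfig required)
# Version: 1.1
# Date: 2010-6-23
# Corp.: c1gstudio.com
# Author: c1g
# WWW: http://blog.c1gstudio.com
### END INIT INFO
###############################################################################
#
# Usage: autosafe.sh <action>      (no argument prints the action list)
#
# Ordering caveats, read before running on a live host:
#   * Run "addgroup", add at least one admin account to $V_GROUPNAME and
#     test "su -" from that account BEFORE "sugroup" and "denyrootssh";
#     otherwise there is no remaining path to root.
#   * "lockfile" makes /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow
#     immutable: useradd/userdel/groupadd/passwd (and the deluser, delgroup
#     and addgroup actions here) fail until "unlockfile" has been run.
#   * "chmodinit" makes grub.conf immutable; kernel updates cannot edit it
#     until the flag is cleared again with chattr -i.

set -u   # an unset variable here is a script bug; fail instead of editing with ""

# Accounts and groups removed by "deluser" / "delgroup".
V_DELUSER="adm lp sync shutdown halt mail news uucp operator games gopher ftp"
V_DELGROUP="adm lp mail news uucp games gopher mailnull floppy dip pppusers popusers slipusers daemon"
# Minimum password length written to /etc/login.defs ("password").
V_PASSMINLEN=8
# Shell history size written to /etc/profile ("history").
V_HISTSIZE=30
# Idle shell timeout in seconds written to /etc/profile ("logintimeout").
V_TMOUT=300
# Group whose members may use su ("addgroup" / "sugroup").
V_GROUPNAME=suadmin
# Services stopped / disabled by "stopservice" / "closeservice".
# NOTE(review): this list also disables auditd (no audit trail afterwards)
# and ip6tables (IPv6 traffic is left unfiltered if IPv6 is enabled);
# reconsider both entries before using the list as-is.
V_SERVICE="acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd"
# Virtual consoles disabled in /etc/inittab by "tty" (ERE alternation of ids).
V_TTY="3|4|5|6"
# Binaries whose set-uid/set-gid bits are cleared by "chmodcommand".
V_SUID=(
'/usr/bin/chage'
'/usr/bin/gpasswd'
'/usr/bin/wall'
'/usr/bin/chfn'
'/usr/bin/chsh'
'/usr/bin/newgrp'
'/usr/bin/write'
'/usr/sbin/usernetctl'
'/bin/traceroute'
'/bin/mount'
'/bin/umount'
'/sbin/netreport'
)
# Keep in sync with the Version field in the header above.
version=1.1

# Print a diagnostic on stderr; stdout is kept for the "what was changed" echoes.
warn() {
  printf 'warning: %s\n' "$*" >&2
}

# set_or_append FILE REGEX LINE
# Replace every line of FILE matching basic regex REGEX with LINE, or append
# LINE when nothing matches, so repeated runs converge on one definitive
# setting. (The previous "s/5/8/"-style edits silently did nothing once the
# distribution default had been changed, and the TMOUT edit appended a new
# line on every run.) REGEX and LINE come from the constants above, never
# from user input, and must not contain the '|' delimiter.
set_or_append() {
  local file=$1 regex=$2 line=$3
  if grep -q -- "$regex" "$file"; then
    sed -i "s|${regex}.*|${line}|" "$file"
  else
    printf '%s\n' "$line" >> "$file"
  fi
}

# Clear the set-uid/set-gid bits on one binary; a missing path is reported
# rather than treated as an error, since binary locations differ between
# distributions.
drop_suid() {
  local bin=$1
  if [ -e "$bin" ]; then
    echo "chmod a-s $bin"
    chmod a-s -- "$bin"
  else
    warn "$bin not found, skipped"
  fi
}

# we need root to run
if [ "$(id -u)" -ne 0 ]; then
  echo "You need to start as root!" >&2
  exit 1   # non-zero so callers can tell the refusal from a successful run
fi

case "${1:-}" in
  "deluser")
    echo "delete user ..."
    # Home directories are deliberately left in place (no -r): removing a
    # login is reversible, removing its data is not.
    for acct in $V_DELUSER; do
      if id "$acct" >/dev/null 2>&1; then
        echo "deleting $acct"
        userdel "$acct"
      else
        echo "$acct not present, skipped"
      fi
    done
    ;;

  "delgroup")
    echo "delete group ..."
    # groupdel refuses to remove a group that is still some account's
    # primary group; that error is intentionally left visible.
    for grp in $V_DELGROUP; do
      if getent group "$grp" >/dev/null; then
        echo "deleting $grp"
        groupdel "$grp"
      else
        echo "$grp not present, skipped"
      fi
    done
    ;;

  "password")
    echo "change password limit ..."
    echo "/etc/login.defs"
    echo "PASS_MIN_LEN $V_PASSMINLEN"
    set_or_append /etc/login.defs '^PASS_MIN_LEN[[:space:]]' "PASS_MIN_LEN $V_PASSMINLEN"
    # NOTE(review): on PAM-based systems the length check done by "passwd"
    # usually comes from pam_cracklib/pam_pwquality (minlen) in
    # /etc/pam.d/system-auth, so this setting alone may not be enforced;
    # verify by trying a short password before relying on it.
    ;;

  "history")
    echo "change history limit ..."
    echo "/etc/profile"
    echo "HISTSIZE $V_HISTSIZE"
    # A short history limits what an intruder learns from ~/.bash_history,
    # but also what an incident responder can recover afterwards.
    set_or_append /etc/profile '^HISTSIZE=' "HISTSIZE=$V_HISTSIZE"
    ;;

  "logintimeout")
    echo "change login timeout ..."
    echo "/etc/profile"
    echo "TMOUT=$V_TMOUT"
    set_or_append /etc/profile '^TMOUT=' "TMOUT=$V_TMOUT"
    # Without readonly any user can simply run "unset TMOUT" in their shell.
    if ! grep -q '^readonly TMOUT' /etc/profile; then
      echo 'readonly TMOUT' >> /etc/profile
    fi
    ;;

  "bashhistory")
    echo "denied bashhistory ..."
    echo "/etc/skel/.bash_logout"
    echo 'rm -f $HOME/.bash_history'
    # Only accounts created after this point are affected: /etc/skel is
    # copied by useradd, existing home directories are not touched. Wiping
    # history at logout also destroys evidence an incident responder would
    # want; "history" is the less drastic alternative.
    if grep -q "bash_history" /etc/skel/.bash_logout 2>/dev/null; then
      echo 'warning:existed'
    else
      echo 'rm -f $HOME/.bash_history' >> /etc/skel/.bash_logout
    fi
    ;;

  "addgroup")
    echo "groupadd $V_GROUPNAME ..."
    if getent group "$V_GROUPNAME" >/dev/null; then
      echo 'warning:existed'
    else
      groupadd "$V_GROUPNAME"
    fi
    echo "now add your admin account(s): usermod -a -G $V_GROUPNAME <user>"
    ;;

  "sugroup")
    echo "permit $V_GROUPNAME use su ..."
    echo "/etc/pam.d/su"
    echo "auth sufficient pam_rootok.so"
    echo "auth required pam_wheel.so use_uid group=$V_GROUPNAME"
    # Refuse to install a restriction that would lock everybody out of root.
    if ! getent group "$V_GROUPNAME" >/dev/null; then
      warn "group $V_GROUPNAME does not exist; run '$0 addgroup' first"
      exit 1
    fi
    if [ -z "$(getent group "$V_GROUPNAME" | cut -d: -f4)" ]; then
      warn "group $V_GROUPNAME has no members; add an admin account before relying on su"
    fi
    if [ ! -s /etc/pam.d/su ]; then
      warn "/etc/pam.d/su is missing or empty; not touching it"
      exit 1
    fi
    if grep -q '^[[:space:]]*auth[[:space:]].*pam_wheel\.so' /etc/pam.d/su; then
      echo 'warning:existed'
    else
      # The two lines are inserted at the TOP of the stack on purpose. The
      # previous version appended them after "auth include system-auth"; on
      # a stock RHEL/CentOS system-auth a correct password already satisfies
      # the "sufficient" pam_unix entry there and PAM returns success before
      # pam_wheel is consulted, so the group restriction was not enforced.
      # Bare module names let PAM use its own search path (/lib/security vs
      # /lib64/security); "use_uid" checks the caller's real uid instead of
      # the utmp login name, so it also works in sessions without a utmp
      # entry. The "debug" flag only added syslog noise and is dropped.
      sed -i -e '1i auth sufficient pam_rootok.so' \
             -e "1i auth required pam_wheel.so use_uid group=${V_GROUPNAME}" \
             /etc/pam.d/su
    fi
    ;;

  "denyrootssh")
    echo "denied root login ..."
    echo "/etc/ssh/sshd_config"
    echo "PermitRootLogin no"
    # The previous sed only rewrote the literal commented default
    # "#PermitRootLogin yes" and did nothing when the directive was already
    # active with another value. Rewrite any existing directive, commented
    # or not; when none exists insert it at the top so it cannot land inside
    # a trailing "Match" block, where it would apply to that block only.
    if grep -q '^[[:space:]]*#*[[:space:]]*PermitRootLogin' /etc/ssh/sshd_config; then
      sed -i 's/^[[:space:]]*#*[[:space:]]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
    else
      sed -i '1i PermitRootLogin no' /etc/ssh/sshd_config
    fi
    if command -v sshd >/dev/null && ! sshd -t; then
      warn "sshd -t rejected the new configuration; fix it before reloading sshd"
    fi
    echo "apply with: service sshd reload  (verify a fresh login from a second session before closing this one)"
    ;;

  "stopservice")
    echo "stop services ..."
    for svc in $V_SERVICE; do
      # Skip names that are not installed instead of letting "service"
      # print "unrecognized service" for each one.
      if [ -x "/etc/init.d/$svc" ]; then
        service "$svc" stop
      else
        echo "$svc not installed, skipped"
      fi
    done
    ;;

  "closeservice")
    echo "close services autostart ..."
    for svc in $V_SERVICE; do
      if [ -x "/etc/init.d/$svc" ]; then
        chkconfig "$svc" off
      else
        echo "$svc not installed, skipped"
      fi
    done
    ;;

  "tty")
    echo "close tty ..."
    echo "/etc/inittab"
    echo "#3:2345:respawn:/sbin/mingetty tty3"
    echo "#4:2345:respawn:/sbin/mingetty tty4"
    echo "#5:2345:respawn:/sbin/mingetty tty5"
    echo "#6:2345:respawn:/sbin/mingetty tty6"
    # The previous command was single-quoted, so $V_TTY was never expanded
    # and "[$V_TTY]" matched the literal characters of the variable name
    # rather than a console id: on a standard inittab the action was a
    # no-op. Anchoring at ^ also keeps already-commented lines from gaining
    # a second '#'.
    sed -i -r "/^($V_TTY):2345/s/^/#/" /etc/inittab
    echo "run 'telinit q' so init re-reads /etc/inittab"
    ;;

  "ctrlaltdel")
    echo "close ctrl+alt+del  ..."
    echo "/etc/inittab"
    echo "#ca::ctrlaltdel:/sbin/shutdown -t3 -r now"
    # Disables the console reboot key sequence only; anyone with physical
    # access can still use the power switch.
    sed -i '/^ca::/s/^/#/' /etc/inittab
    echo "run 'telinit q' so init re-reads /etc/inittab"
    ;;

  "lockfile")
    echo "lock user&services ..."
    echo "chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services"
    # While immutable, useradd/userdel/groupadd/usermod and passwd fail for
    # everyone including root; run "unlockfile" before account maintenance.
    chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services
    ;;

  "unlockfile")
    echo "unlock user&services ..."
    echo "chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services"
    chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services
    ;;

  "chmodinit")
    echo "init script only for root ..."
    echo "chmod -R 700 /etc/init.d/*"
    chmod -R 700 /etc/init.d/*
    # /etc/grub.conf is commonly a symlink into /boot and chattr does not
    # operate on symlinks, so resolve it and lock the real file.
    grub=$(readlink -f /etc/grub.conf 2>/dev/null || true)
    if [ -n "$grub" ] && [ -f "$grub" ]; then
      echo "chmod 600 $grub"
      echo "chattr +i $grub"
      chmod 600 "$grub"
      # Kernel package scripts cannot edit an immutable grub.conf; run
      # "chattr -i" on it before installing a new kernel.
      chattr +i "$grub"
    else
      warn "/etc/grub.conf not found; boot loader configuration not locked"
    fi
    ;;

  "chmodcommand")
    echo "remove SUID ..."
    echo "/usr/bin/chage /usr/bin/gpasswd ..."
    # Unprivileged users lose the corresponding features (e.g. "user"
    # mounts from fstab, changing their own shell/finger info). Package
    # upgrades may reinstall the binaries with their packaged mode, so
    # re-run this action after updates.
    for bin in "${V_SUID[@]}"; do
      drop_suid "$bin"
    done
    ;;

  "version")
    echo "Version: Autosafe for Linux $version"
    ;;

  *)
    echo "Usage: $0 <action>"
    echo ""
    echo " deluser      delete user"
    echo " delgroup     delete group"
    echo " password     change password limit"
    echo " history      change history limit"
    echo " logintimeout      change login timeout"
    echo " bashhistory      denied bashhistory"
    echo " addgroup      groupadd $V_GROUPNAME"
    echo " sugroup      permit $V_GROUPNAME use su"
    echo " denyrootssh      denied root login"
    echo " stopservice     stop services "
    echo " closeservice      close services"
    echo " tty      close tty"
    echo " ctrlaltdel     close ctrl+alt+del "
    echo " lockfile      lock user&services"
    echo " unlockfile      unlock user&services"
    echo " chmodinit      init script only for root"
    echo " chmodcommand      remove SUID"
    echo " version      "
    echo ""
    ;;
esac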

设置权限

  1. chmod u+x ./autosafe.sh

运行脚本

  1. ./autosafe.sh deluser
  2. ./autosafe.sh delgroup
  3. .....

猛击下载脚本
autosafe.sh

其它参考
linux基本安全配置手册
iptables 默认安全规则脚本




2 Responses


  1. 小白 says

    能说明下这脚本都做了什么么

  2. C1G says

    上面有链接，脚本是根据《linux基本安全配置手册》编写的：
    http://blog.c1gstudio.com/archives/998


