Skip to content


linux基本安全配置设置脚本

依据linux基本安全配置手册 方便设置一些基本的linux安全设置

#vi autosafe.sh

#!/bin/bash ######################################################################### # # File: autosafe.sh # Description: # Language: GNU Bourne-Again SHell # Version: 1.1 # Date: 2010-6-23 # Corp.: c1gstudio.com # Author: c1g # WWW: https://blog.c1gstudio.com ### END INIT INFO ############################################################################### V_DELUSER=”adm lp sync shutdown halt mail news uucp operator games gopher ftp” V_DELGROUP=”adm lp mail news uucp games gopher mailnull floppy dip pppusers popusers slipusers daemon” V_PASSMINLEN=8 V_HISTSIZE=30 V_TMOUT=300 V_GROUPNAME=suadmin V_SERVICE=”acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd” V_TTY=”3|4|5|6″ V_SUID=( ‘/usr/bin/chage’ ‘/usr/bin/gpasswd’ ‘/usr/bin/wall’ ‘/usr/bin/chfn’ ‘/usr/bin/chsh’ ‘/usr/bin/newgrp’ ‘/usr/bin/write’ ‘/usr/sbin/usernetctl’ ‘/bin/traceroute’ ‘/bin/mount’ ‘/bin/umount’ ‘/sbin/netreport’ ) version=1.0 # we need root to run if test “`id -u`” -ne 0 then echo “You need to start as root!” exit fi case $1 in “deluser”) echo “delete user …” for i in $V_DELUSER ;do echo “deleting $i”; userdel $i ; done ;; “delgroup”) echo “delete group …” for i in $V_DELGROUP ;do echo “deleting $i”; groupdel $i; done ;; “password”) echo “change password limit …” echo “/etc/login.defs” echo “PASS_MIN_LEN $V_PASSMINLEN” sed -i “/^PASS_MIN_LEN/s/5/$V_PASSMINLEN/” /etc/login.defs ;; “history”) echo “change history limit …” echo “/etc/profile” echo “HISTSIZE $V_HISTSIZE” sed -i “/^HISTSIZE/s/1000/$V_HISTSIZE/” /etc/profile ;; “logintimeout”) echo “change login timeout …” echo “/etc/profile” echo “TMOUT=$V_TMOUT” sed -i “/^HISTSIZE/a\TMOUT=$V_TMOUT” /etc/profile ;; “bashhistory”) echo “denied bashhistory …” echo “/etc/skel/.bash_logout” echo ‘rm -f $HOME/.bash_history’ if egrep “bash_history” /etc/skel/.bash_logout > /dev/null then echo ‘warning:existed’ else echo ‘rm -f $HOME/.bash_history’ >> /etc/skel/.bash_logout fi ;; “addgroup”) echo “groupadd $V_GROUPNAME …” groupadd $V_GROUPNAME ;; “sugroup”) echo “permit $V_GROUPNAME use su …” echo “/etc/pam.d/su” echo “auth sufficient /lib/security/pam_rootok.so debug” echo “auth required /lib/security/pam_wheel.so group=$V_GROUPNAME” if egrep “auth sufficient /lib/security/pam_rootok.so debug” /etc/pam.d/su > /dev/null then echo ‘warning:existed’ else echo ‘auth sufficient /lib/security/pam_rootok.so debug’ >> /etc/pam.d/su echo “auth required /lib/security/pam_wheel.so group=${V_GROUPNAME}” >> /etc/pam.d/su fi ;; “denyrootssh”) echo “denied root login …” echo “/etc/ssh/sshd_config” echo “PermitRootLogin no” sed -i ‘/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/’ /etc/ssh/sshd_config ;; “stopservice”) echo “stop services …” for i in $V_SERVICE ;do service $i stop; done ;; “closeservice”) echo “close services autostart …” for i in $V_SERVICE ;do chkconfig $i off; done ;; “tty”) echo “close tty …” echo “/etc/inittab” echo “#3:2345:respawn:/sbin/mingetty tty3” echo “#4:2345:respawn:/sbin/mingetty tty4” echo “#5:2345:respawn:/sbin/mingetty tty5” echo “#6:2345:respawn:/sbin/mingetty tty6” sed -i ‘/^[$V_TTY]:2345/s/^/#/’ /etc/inittab ;; “ctrlaltdel”) echo “close ctrl+alt+del …” echo “/etc/inittab” echo “#ca::ctrlaltdel:/sbin/shutdown -t3 -r now” sed -i ‘/^ca::/s/^/#/’ /etc/inittab ;; “lockfile”) echo “lock user&services …” echo “chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services” chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services ;; “unlockfile”) echo “unlock user&services …” echo “chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services” chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services ;; “chmodinit”) echo “init script only for root …” echo “chmod -R 700 /etc/init.d/*” echo “chmod 600 /etc/grub.conf” echo “chattr +i /etc/grub.conf” chmod -R 700 /etc/init.d/* chmod 600 /etc/grub.conf chattr +i /etc/grub.conf ;; “chmodcommand”) echo “remove SUID …” echo “/usr/bin/chage /usr/bin/gpasswd …” for i in ${V_SUID[@]}; do chmod a-s $i done ;; “version”) echo “Version: Autosafe for Linux $version” ;; *) echo “Usage: $0 ” echo “” echo ” deluser delete user” echo ” delgroup delete group” echo ” password change password limit” echo ” history change history limit” echo ” logintimeout change login timeout” echo ” bashhistory denied bashhistory” echo ” addgroup groupadd $V_GROUPNAME” echo ” sugroup permit $V_GROUPNAME use su” echo ” denyrootssh denied root login” echo ” stopservice stop services ” echo ” closeservice close services” echo ” tty close tty” echo ” ctrlaltdel close ctrl+alt+del ” echo ” lockfile lock user&services” echo ” unlockfile unlock user&services” echo ” chmodinit init script only for root” echo ” chmodcommand remove SUID” echo ” version ” echo “” ;; esac

设置权限

chmod u+x ./autosafe.sh

运行脚本

./autosafe.sh deluser ./autosafe.sh delgroup …..

猛击下载脚本 autosafe.sh

其它参考 linux基本安全配置手册 iptables 默认安全规则脚本

Posted in shell, 安全, 技术.

Tagged with , , .


2 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. 小白 says

    能说明下这脚本都做了什么么

  2. C1G says

    上面有链接 跟据linux基本安全配置手册
    http://blog.c1gstudio.com/archives/998



Some HTML is OK

or, reply to this post via trackback.