依据linux基本安全配置手册 方便设置一些基本的linux安全设置

更新============= 兼容centos/rhel 6 tty,ctrlaltdel,ipv6 关闭服务可以使用白名单,更可靠 限制su的用户组修正兼容性(充许su的用户需用gpasswd命令添加,sudoer不受限制)

#vi autosafe.sh

#!/bin/bash ######################################################################### # # File: autosafe.sh # Description: # Language: GNU Bourne-Again SHell # Version: 1.2 # Date: 2012-3-30 # Corp.: c1gstudio # Author: c1g # WWW: https://blog.c1gstudio.com ### END INIT INFO ############################################################################### if [[ ! -n ${WORKUSER} ]]; then WORKUSER=c1g fi if [[ ! -n ${SSHPORT} ]]; then SSHPORT=22 fi V_DELUSER=”adm lp sync shutdown halt mail news uucp operator games gopher ftp” V_DELGROUP=”adm lp mail news uucp games gopher mailnull floppy dip pppusers popusers slipusers daemon” V_PASSMINLEN=8 V_HISTSIZE=30 V_TMOUT=300 V_GROUPNAME=suadmin #V_SERVICE Not working since Version 1.2 V_SERVICE=”acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd xfs xinetd yppasswdd ypserv yum-updatesd tog-pegasus” V_TTY=”3|4|5|6″ V_TTY6=”1-2″ V_SUID=( ‘/usr/bin/chage’ ‘/usr/bin/gpasswd’ ‘/usr/bin/wall’ ‘/usr/bin/chfn’ ‘/usr/bin/chsh’ ‘/usr/bin/newgrp’ ‘/usr/bin/write’ ‘/usr/sbin/usernetctl’ ‘/bin/traceroute’ ‘/bin/mount’ ‘/bin/umount’ ‘/sbin/netreport’ ) linuxvar=`cat /etc/issue.net |head -n1` linuxvar=${linuxvar#*release} linuxvar=${linuxvar:1:1} version=1.2 safe_deluser(){ echo “delete user …” for i in $V_DELUSER ;do echo “deleting $i”; userdel $i ; done } safe_delgroup(){ echo “delete group …” for i in $V_DELGROUP ;do echo “deleting $i”; groupdel $i; done } safe_password(){ echo “change password limit …” echo “/etc/login.defs” echo “PASS_MIN_LEN $V_PASSMINLEN” sed -i “/^PASS_MIN_LEN/s/5/$V_PASSMINLEN/” /etc/login.defs } safe_history(){ echo “change history limit …” echo “/etc/profile” echo “HISTSIZE $V_HISTSIZE” sed -i “/^HISTSIZE/s/1000/$V_HISTSIZE/” /etc/profile } safe_logintimeout(){ echo “change login timeout …” echo “/etc/profile” echo “TMOUT=$V_TMOUT” sed -i “/^HISTSIZE/a\TMOUT=$V_TMOUT” /etc/profile } safe_bashhistory(){ echo “denied bashhistory …” echo “/etc/skel/.bash_logout” echo ‘rm -f $HOME/.bash_history’ if egrep “bash_history” /etc/skel/.bash_logout > /dev/null then echo ‘warning:existed’ else echo ‘rm -f $HOME/.bash_history’ >> /etc/skel/.bash_logout fi } safe_addgroup(){ echo “groupadd $V_GROUPNAME …” groupadd $V_GROUPNAME } safe_sugroup(){ echo “permit $V_GROUPNAME use su …” echo “/etc/pam.d/su” echo “auth sufficient pam_rootok.so debug” echo “auth required pam_wheel.so group=$V_GROUPNAME” echo “gpasswd -a $WORKUSER $V_GROUPNAME” if egrep “auth required pam_wheel.so” /etc/pam.d/su > /dev/null then echo ‘warning:existed’ else sed -i “/^#%PAM/a\auth required pam_wheel.so group=${V_GROUPNAME}” /etc/pam.d/su sed -i “/^#%PAM/a\auth sufficient pam_rootok.so debug” /etc/pam.d/su gpasswd -a $WORKUSER $V_GROUPNAME fi } safe_sudoer(){ echo “permit $WORKUSER use sudo …” echo “/etc/sudoers” echo “$WORKUSER ALL=(ALL) ALL” if [ -n $WORKUSER ] then if egrep “$WORKUSER” /etc/sudoers > /dev/null then echo “warning:existed! ” else echo “$WORKUSER ALL=(ALL) ALL” >> /etc/sudoers echo ‘export PATH=$PATH:/sbin:/usr/sbin’ >> /etc/bashrc echo ‘export LDFLAGS=”-L/usr/local/lib -Wl,-rpath,/usr/local/lib”‘ >> /etc/bashrc echo ‘export LD_LIBRARY_PATH=”/usr/local/lib”‘ >> /etc/bashrc fi else echo “warning:skip! ” fi } safe_denyrootssh(){ echo “denied root login …” echo “/etc/ssh/sshd_config” echo “PermitRootLogin no” sed -i ‘/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/’ /etc/ssh/sshd_config } safe_changesshport(){ echo “change ssh port …” echo “/etc/ssh/sshd_config” echo “Port $SSHPORT” if egrep “Port $SSHPORT” /etc/ssh/sshd_config > /dev/null then echo “warning:existed! ” else echo “Port $SSHPORT” >> “/etc/ssh/sshd_config” fi } safe_stopservice(){ echo “stop services …” for i in $V_SERVICE ;do service $i stop; done } safe_closeservice(){ echo “close services autostart …” for i in $V_SERVICE ;do chkconfig $i off; done } safe_closeservicewhite(){ echo “close services autostart …” for i in `ls /etc/rc3.d/S*` do CURSRV=`echo $i|cut -c 15-` echo $CURSRV case $CURSRV in crond | irqbalance | microcode_ctl | network | sshd | syslog | rsyslog | snmpd | fail2ban | ntpd | lvm2-monitor | iptables | auditd | kdump | sysstat | memcached | smartd | nagios | local | sphinx ) ;; *) echo “change $CURSRV to off” chkconfig –level 235 $CURSRV off service $CURSRV stop ;; esac done } safe_tty(){ echo “close tty …” if [ ${linuxvar} == 6 ]; then echo “/etc/init/start-ttys.conf” echo “/etc/sysconfig/init” echo “ACTIVE_CONSOLES=/dev/tty[${V_TTY6}]” echo “init q” #close tty #initctl stop tty TTY=/dev/tty6 sed -i “/^env ACTIVE_CONSOLES/s/\[1-6\]/\[${V_TTY6}\]/” /etc/init/start-ttys.conf sed -i “/^ACTIVE_CONSOLES/s/\[1-6\]/\[1-2\]/” /etc/sysconfig/init else echo “/etc/inittab” echo “#3:2345:respawn:/sbin/mingetty tty3” echo “#4:2345:respawn:/sbin/mingetty tty4” echo “#5:2345:respawn:/sbin/mingetty tty5” echo “#6:2345:respawn:/sbin/mingetty tty6” sed -i “/^[${V_TTY}]:2345/s/^/#/” /etc/inittab echo “init q” fi init q } safe_ctrlaltdel(){ echo “close ctrl+alt+del to restart server …” if [ ${linuxvar} == 6 ]; then echo “/etc/init/control-alt-delete.conf” echo ‘#exec /sbin/shutdown -r now “Control-Alt-Delete pressed”‘ echo “init q” sed -i ‘/^exec/s/^/#/’ /etc/init/control-alt-delete.conf else echo “/etc/inittab” echo “#ca::ctrlaltdel:/sbin/shutdown -t3 -r now” echo “init q” sed -i ‘/^ca::/s/^/#/’ /etc/inittab fi init q } safe_ipv6(){ echo “close ipv6 …” if [ ${linuxvar} == 6 ]; then echo ‘”alias net-pf-10 off” >> /etc/modprobe.d/ipv6.conf’ echo ‘”options ipv6 disable=1″ >> /etc/modprobe.d/ipv6.conf’ cat > /etc/modprobe.d/ipv6.conf > /etc/modprobe.conf’ echo ‘”alias ipv6 off” >> /etc/modprobe.conf’ if egrep “alias net-pf-10 off” /etc/modprobe.conf > /dev/null then echo “warning:existed! ” else echo “alias net-pf-10 off” >> /etc/modprobe.conf echo “alias ipv6 off” >> /etc/modprobe.conf fi fi echo ‘/sbin/chkconfig ip6tables off’ echo ‘”NETWORKING_IPV6=no” >> /etc/sysconfig/network’ /sbin/chkconfig –level 35 ip6tables off if egrep “NETWORKING_IPV6=no” /etc/sysconfig/network > /dev/null then echo “warning:existed! ” else echo “NETWORKING_IPV6=no” >> /etc/sysconfig/network fi } safe_selinux(){ echo “disable selinux …” echo “sed -i ‘/SELINUX/s/enforcing/disabled/’ /etc/selinux/config ” sed -i ‘/SELINUX/s/enforcing/disabled/’ /etc/selinux/config echo “selinux is disabled,you must reboot!” } safe_vim(){ echo “edit vim …” echo “alias vi=’vim'” sed -i “8 s/^/alias vi=’vim’/” /root/.bashrc cat >/root/.vimrc” echo “” echo ” deluser delete user” echo ” delgroup delete group” echo ” password change password limit” echo ” history change history limit” echo ” logintimeout change login timeout” echo ” bashhistory denied bashhistory” echo ” addgroup groupadd $V_GROUPNAME” echo ” sugroup permit $V_GROUPNAME use su” echo ” denyrootssh denied root login” echo ” stopservice stop services use black list” echo ” closeservice close services use black list” echo ” closeservicewhite close & stop services use white list” echo ” tty close tty” echo ” ctrlaltdel close ctrl+alt+del” echo ” ipv6 close ipv6″ echo ” selinux disabled selinux” echo ” vim edit vim” echo ” lockfile lock user&services” echo ” unlockfile unlock user&services” echo ” chmodinit init script only for root” echo ” chmodcommand remove SUID” echo ” version ” echo “” ;; esac

设置权限

chmod u+x ./autosafe.sh

运行脚本

./autosafe.sh deluser ./autosafe.sh delgroup …..

猛击下载脚本 autosafe1.2.sh

其它参考 linux基本安全配置手册 iptables 默认安全规则脚本