linux系統安全加固

• linux系統安全加固

linux系統安全加固

腳本
系統加固腳本下載地址：
https://download.csdn.net/download/hzgnet2021/63201374

時間獲取
腳本開頭先獲取本機時間

#Variable rq=`date +%Y%m%d`

Linux禁用不使用的用戶
將passwd先復制一份備份，然后將以下不使用的用戶都禁用，如后期有需要恢復可使用 passwd -u lp 來進行恢復

#account setup echo '############ account setup ############' echo '' cp /etc/passwd{,.bak$rq} passwd -l lp passwd -l adm passwd -l shutdown passwd -l halt passwd -l operator passwd -l games passwd -l gopher passwd -l ftp passwd -l nfsnobody passwd -l postfix echo ''

Linux注釋的組：

#group setup echo '############ group setup ############' echo '' cp /etc/group{,.bak$rq} sed -i -e 's/adm:x:4:/#adm:x:4:/' /etc/group sed -i -e 's/games:x:20:/#games:x:20:/' /etc/group sed -i -e 's/video:x:39:/#video:x:39:/' /etc/group sed -i -e 's/dip:x:40:/#dip:x:40:/' /etc/group sed -i -e 's/ftp:x:50:/#ftp:x:50:/' /etc/group sed -i -e 's/audio:x:63:/#audio:x:63:/' /etc/group sed -i -e 's/floppy:x:19:/#floppy:x:19:/' /etc/group sed -i -e 's/postfix:x:89:/#postfix:x:89:/' /etc/group echo 'disable group result:' cat /etc/group|grep ^# echo ''

Linux關閉不使用的服務
下面列出的幾個服務如打印服務、藍牙服務等對服務器沒用用處可直接關閉來提升服務器性能，如遇到需要開啟服務只需輸入service acpid start && chkconfig acpid on就能重新開啟服務。

#disable useless service echo '##### disable useless service #####' echo '' #postfix echo '' service postfix stop chkconfig postfix --level 2345 off echo '' #cpus echo '' service cups stop chkconfig cups --level 2345 off echo '' #cpuspeed echo '' service cpuspeed stop chkconfig cpuspeed --level 2345 off echo '' #bluetooth echo '' service bluetooth stop chkconfig bluetooth --level 2345 off echo '' #firstboot echo '' service firstboot stop chkconfig firstboot --level 2345 off echo '' echo 'nfs status:' service netfs status echo ''

Linux文件保護
Linux文件保護禁止修改、刪除、移動文件

echo '######### chattr important file #########' echo '' # chattr /etc/passwd /etc/shadow chattr +i /etc/passwd chattr +i /etc/shadow chattr +i /etc/group chattr +i /etc/gshadow echo 'Following files already locked:' lsattr /etc/passwd lsattr /etc/shadow lsattr /etc/group lsattr/etc/gshadow echo ''

如果需要修改密碼,執行 chattr -i 消除權限，切記修改后要將權限加回

#chattr -i /etc/passwd #chattr -i /etc/shadow #chattr -i /etc/group #chattr -i /etc/gshadow #lsattr /etc/group /etc/passwd /etc/shadow /etc/gshadow

用戶密碼保護
用戶輸錯密碼3次后鎖定用戶5分鐘

# Login failed limit:continue input failure 3 ,passwd unlock time 5 minite echo '######### Login limits ##########' echo '' cp /etc/pam.d/system-auth{,.bak$rq} tally=`grep -n 'pam_tally.so' /etc/pam.d/system-auth` lib=`grep -n '/lib/security/$ISA/pam_tally.so' /etc/pam.d/system-auth` st=$tally$lib if [ -z "$st" ];then sed -i 's#auth required pam_env.so#auth required pam_env.so\nauth required pam_tally.so onerr=fail deny=3 unlock_time=300\nauth required /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth echo '' echo 'update login server limits ---->continue input failure 3 ,passwd unlock time 5 minite' echo '' else echo '' echo 'Login restriction policy already exists on the server!The script will not modify this.' echo '' fi

用戶注銷
用戶登錄后5分鐘無任何操作將自動注銷用戶

# system timeout 5 minite auto logout echo '' echo '######### set auto logout ######### cp /etc/profile{,.bak$rq} tmout=`grep -n 'TMOUT=' /etc/profile` if [ -z "$tmout" ];then echo "TMOUT=300" >>/etc/profile echo '' echo 'update login server limits ----> timeout 5 minite auto logout' echo '' else echo '' echo 'Login timeout policy already exists on the server!The script will not modify this.' echo '' fi

Linux減少history命令記錄
執行過的歷史命令記錄越多，從一定程度上講會給維護帶來簡便，但同樣會伴隨安全問題。

echo '############## set save history command ##############' # will system save history command list to 10 echo '' sed -i "s/HISTSIZE=/#HISTSIZE=/" /etc/profile echo "HISTSIZE=10" >>/etc/profile # enable /etc/profile source /etc/profile echo '' echo '/etc/profile already update' echo ''

開啟SYN Cookies
表示開啟SYN Cookies。當出現SYN等待隊列溢出時，啟用cookies來處理，可防范少量SYN攻擊

echo '############## enable syncookie ##############' echo '' # add syncookie enable /etc/sysctl.conf echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf sysctl -p echo ''

SSH優化
修改SSH用戶最大連接數，通過關閉 UseDNS和GSSAPIAuthentication選項加速 SSH登錄

echo '############## optimize sshd ##############' echo '' # optimizer sshd_config sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config echo '' echo 'currently config:' grep -n 'MaxAuthTries' /etc/ssh/sshd_config grep -n 'UseDNS' /etc/ssh/sshd_config echo ''

歷史記錄
對歷史記錄命令保存進行優化禁止覆蓋、禁止修改該文件

echo '############## history security ##############' echo '' # history security chattr +a /root/.bash_history chattr +i /root/.bash_history echo '' echo '/root/.bash_history already locked:' lsattr /root/.bash_history echo ''

復制日志
將日志復制保存

echo ############## backup system log ############## echo 'The program will move the log of System operation status to /var/log/HZGNETsecurityreinforce ' mkdir -p /var/log/HZGNETsecurityreinforce/$rq #cp /var/log/message /var/log/HZGNETsecurityreinforce/$rq #cp /var/log/auth.log /var/log/HZGNETsecurityreinforce/$rq cp /var/log/cron /var/log/HZGNETsecurityreinforce/$rq cp /var/log/maillog /var/log/HZGNETsecurityreinforce/$rq cp /var/log/secure /var/log/HZGNETsecurityreinforce/$rq cp /var/log/wtmp /var/log/HZGNETsecurityreinforce/$rq cp /var/run/utmp /var/log/HZGNETsecurityreinforce/$rq cp /var/log/yum.log /var/log/HZGNETsecurityreinforce/$rq echo ' Log Backup completed.'

總結

以上是生活随笔為你收集整理的linux系统安全加固的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。