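# --- Password policy: complexity, history and aging ---

# Minimum length 8 plus one digit, lowercase, uppercase and "other" character.
# The flags are applied in a single authconfig run instead of five.
authconfig --passminlen=8 --enablereqdigit --enablereqlower \
  --enablerequpper --enablereqother --update

pam_file=/etc/pam.d/system-auth

# Add remember=5 (password history) to the pam_unix password line and
# enforce_for_root to the pam_pwquality line.
#  - Fields are matched with any amount of whitespace, so the edit does not
#    depend on the exact spacing of the line.
#  - Each option is added only when missing, so a rerun does not stack
#    duplicate options on the same line.
# NOTE(review): sed -i replaces a symlink with a regular file; where
# system-auth is a symlink maintained by authconfig, confirm that is intended,
# and that a later "authconfig --update" does not drop these options.
sed -i -E \
  -e '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/{/remember=/!s/[[:space:]]*$/ remember=5/;}' \
  -e '/^password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so/{/enforce_for_root/!s/[[:space:]]*$/ enforce_for_root/;}' \
  "$pam_file"

# Password aging defaults: expire after 90 days, at least 14 days between
# changes, warn 14 days ahead. The whole value is rewritten on the active
# (uncommented) line; substituting single digits could corrupt other values
# (for example "10" becoming "114") and left non-default values untouched.
# These defaults are applied when an account is created; existing accounts
# keep their current aging values until changed with chage.
sed -i -E \
  -e 's/^PASS_MAX_DAYS[[:space:]]+.*/PASS_MAX_DAYS 90/' \
  -e 's/^PASS_MIN_DAYS[[:space:]]+.*/PASS_MIN_DAYS 14/' \
  -e 's/^PASS_WARN_AGE[[:space:]]+.*/PASS_WARN_AGE 14/' \
  /etc/login.defs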
# --- Login banners ---
# /etc/motd is shown after login; /etc/issue and /etc/issue.net are shown
# before the login prompt (local console and network logins respectively).
# Each file is overwritten, not appended to.
login_notice=" Be sure you are authorized to access this system! "

printf '%s\n' " Authorized users only! All activity may be monitored and reported! " > /etc/motd

for banner_file in /etc/issue /etc/issue.net; do
  printf '%s\n' "$login_notice" > "$banner_file"
done
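# --- SSH daemon hardening ---
sshd_config=/etc/ssh/sshd_config

# Append each directive only if that exact line is not already present, so
# rerunning the script does not pile up duplicates.
# sshd uses the first value it reads for a keyword, so an appended line has no
# effect if an earlier active line sets the same keyword differently.
# NOTE(review): recent OpenSSH releases only speak protocol 2 and treat the
# Protocol keyword as deprecated — confirm against the installed version.
for directive in "UseDNS no" "Banner /etc/issue.net" "Protocol 2"; do
  grep -qxF -- "$directive" "$sshd_config" || printf '%s\n' "$directive" >> "$sshd_config"
done

# Disable direct root login over SSH.
#  1. An active PermitRootLogin line is rewritten in place; matching only the
#     commented default would leave an explicit "PermitRootLogin yes" in force.
#  2. Otherwise the directive is inserted after the commented default line.
#  3. If neither exists, it is appended.
if grep -qE '^[[:space:]]*PermitRootLogin[[:space:]]' "$sshd_config"; then
  sed -i -E 's/^[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$sshd_config"
else
  sed -i '/#PermitRootLogin yes/a\PermitRootLogin no' "$sshd_config"
  grep -qxF 'PermitRootLogin no' "$sshd_config" || printf '%s\n' 'PermitRootLogin no' >> "$sshd_config"
fi

# Validate the configuration before restarting: restarting sshd with a broken
# sshd_config can cut off remote access to the host.
if sshd -t; then
  systemctl restart sshd.service
else
  echo "sshd_config failed validation; sshd was not restarted" >&2
fi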
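# --- Shell defaults in /etc/profile ---

# Tighten the default umask from 022 to 027 (no access for "other").
# NOTE(review): only occurrences of "umask 022" are rewritten; if the profile
# sets a different umask for regular accounts (e.g. 002), that branch is left
# as is — confirm against the installed /etc/profile.
sed -i 's/umask 022/umask 027/' /etc/profile

# Idle interactive shells are closed after 300 seconds. The line is appended
# only once so reruns do not duplicate it. TMOUT is a plain exported variable
# here, so a user can still change or unset it in their own session.
grep -qxF 'export TMOUT=300' /etc/profile || echo "export TMOUT=300" >> /etc/profile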
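# --- Service reduction ---

# kdump: stopped now and disabled at boot.
systemctl stop kdump.service
systemctl disable kdump.service

# NOTE(review): this turns off the host firewall. Confirm that packet
# filtering is provided elsewhere (another host firewall or network controls)
# before applying it.
systemctl stop firewalld.service
systemctl disable firewalld.service

# Disable network services that are not needed on this host.
# "disable" only removes boot-time activation: a unit that is running now
# stays up until it is stopped or the host reboots.
# Fix: the list previously named "doveco", which does not match the dovecot
# unit, so dovecot would have been left enabled.
for unit in \
  avahi-daemon cups nfs nfs-server rpcbind vsftpd snmpd rsyncd dhcpd slapd \
  named httpd dovecot smb squid ypserv \
  rsh.socket rlogin.socket rexec.socket ntalk telnet.socket tftp.socket; do
  systemctl disable "$unit"
done

# Disable every installed unit whose name starts with firewalld, post or
# NetworkManager. Unit names are read in a loop and passed as a quoted
# argument, so no generated command text is piped into a shell.
# NOTE(review): "^post" matches any unit beginning with "post", not only
# postfix; and with NetworkManager disabled, confirm another service
# configures the network interfaces at boot.
systemctl list-unit-files |
  grep -E "^firewalld|^post|^NetworkManager" |
  awk '{print $1}' |
  while read -r matched_unit; do
    systemctl disable "$matched_unit"
  done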
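# Switch SELinux from enforcing to disabled in the boot-time configuration.
# Fix: the space between the sed expression and the file name was missing, so
# sed received a single malformed argument and the file was never edited.
# The setting is read at boot; the running mode does not change until then.
# NOTE(review): this removes mandatory access control from the host. If the
# motive is a policy denial, permissive mode keeps the denials logged for
# analysis — confirm that fully disabling SELinux is really required.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

# Stop Ctrl-Alt-Del on the console from rebooting the machine.
# The unit is masked instead of deleting the packaged file under /usr/lib:
# a deleted file comes back when the systemd package is updated, while a mask
# under /etc/systemd/system persists.
systemctl mask ctrl-alt-del.target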
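# --- Shell history settings in /etc/profile ---
# Timestamp each history entry and keep 2000 entries in memory and on disk.
# Each line is appended only if that exact line is missing, so reruns do not
# duplicate it. These are shell variables that a user can override in their
# own session; they are not a substitute for audit logging.
for history_line in 'HISTTIMEFORMAT="<%F %T>: " ' 'HISTFILESIZE=2000' 'HISTSIZE=2000'; do
  grep -qxF -- "$history_line" /etc/profile || printf '%s\n' "$history_line" >> /etc/profile
done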
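# --- Logging ---
# Send all messages of priority err and above, plus auth messages of priority
# info and above, to /var/adm/messages.
# The rule is added only once (a duplicated rule makes rsyslog write every
# matching message twice), and rsyslog is restarted when the rule is added so
# that it takes effect without waiting for a reboot.
syslog_rule='*.err;auth.info /var/adm/messages'
if ! grep -qxF -- "$syslog_rule" /etc/rsyslog.conf; then
  printf '%s\n' "$syslog_rule" >> /etc/rsyslog.conf
  systemctl restart rsyslog.service
fi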
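# --- Resource limits ---
# Raise the open-file limit (soft and hard) to 409600 for all users.
# Each line is appended only if it is not already present.
for limit_line in '* soft nofile 409600' '* hard nofile 409600'; do
  grep -qxF -- "$limit_line" /etc/security/limits.conf ||
    printf '%s\n' "$limit_line" >> /etc/security/limits.conf
done

# Comment out the default "* soft nproc 4096" entry.
#  - Whitespace between the fields is matched flexibly, so the line is found
#    whether it is separated by one space or by aligned columns.
#  - The pattern is anchored at the start of the line, so an entry that is
#    already commented out does not gain another '#' on a rerun.
# NOTE(review): this entry caps the number of processes per user; with it
# commented out that cap no longer applies — confirm a replacement nproc limit
# is set where runaway process creation is a concern.
sed -i -E 's/^\*([[:space:]]+soft[[:space:]]+nproc[[:space:]]+4096)/#*\1/' \
  /etc/security/limits.d/20-nproc.conf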