Shell脚本-系统加固
一、前言
生产工作前期,需要对系统做安全加固
二、使用
1.修改权限,chmod +x jiagu.sh
2.执行脚本,./jiagu.sh
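#!/bin/bash
# System hardening for CentOS 6 / 7.  Usage: chmod +x jiagu.sh && ./jiagu.sh (as root).
# Detects the major release from /etc/system-release and refuses to run on anything
# else; every later section branches on $OS_Release and edits files under /etc.
source /etc/profile
source /etc/init.d/functions   # provides action() used for the per-step status lines

# Print "..." five times, one per second, then a blank line: gives the operator
# a window to abort with Ctrl-C before any file on the system is touched.
countdown_dots() {
  local i
  for ((i = 1; i <= 5; i++)); do
    printf "..."
    sleep 1
  done
  printf '\n\n'
}

# Every step below needs root (chmod on /etc/shadow, sed -i on /etc/ssh/sshd_config,
# setenforce ...); without it each step would fail one by one instead of clearly here.
if [[ $EUID -ne 0 ]]; then
  echo -e "\033[31m 此脚本需要以root用户运行,脚本即将退出!! \033[0m"
  exit 1
fi

# "CentOS release 6.9 (Final)" / "CentOS Linux release 7.4.1708 (Core)": the
# next-to-last field holds the version, keep only its major number.  A missing
# file or unexpected wording leaves OS_Release empty / non-numeric, which the
# regex guard turns into "unsupported" instead of an arithmetic error.
OS_Release=$(awk '{print $(NF-1)}' /etc/system-release 2>/dev/null | cut -d '.' -f1)
if [[ $OS_Release =~ ^[0-9]+$ ]] && [[ $OS_Release -eq 6 || $OS_Release -eq 7 ]]; then
  echo -e '\n'
  echo -e "\033[32m 系统版本符合脚本要求,系统安全加固即将开始!! \033[0m"
  countdown_dots
else
  echo -e '\n'
  echo -e "\033[31m 此脚本只适合centos 6和centos7,脚本即将退出!! \033[0m"
  countdown_dots
  exit 1
fi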
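####### Disable SELinux
# NOTE(review): this removes the mandatory-access-control layer rather than
# tightening it; "permissive" would keep the audit trail while blocking nothing.
# Kept as the author intended.  It also matters for the SSH port change later in
# this script: with SELinux enforcing, sshd on a non-default port would need the
# port labelled (semanage port -a -t ssh_port_t ...), a step that is absent here.
# setenforce prints an error when SELinux is already disabled, so check first.
if [[ $(getenforce 2>/dev/null) == "Enforcing" ]]; then
  setenforce 0
fi
# Persist across the reboot at the end of the script.  Only an explicit
# "enforcing" line is rewritten, as before; an existing "permissive" is left alone.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config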
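###### Password complexity (pam_cracklib line in /etc/pam.d/system-auth)
# Target module line: 5 retries, at least 3 characters different from the old
# password, minimum length 10, at least 1 upper-case, 3 lower-case and 3 digits,
# checked against the cracklib dictionary.
PW_RULE='pam_cracklib.so retry=5 difok=3 minlen=10 ucredit=-1 lcredit=-3 dcredit=-3 dictpath=/usr/share/cracklib/pw_dict'
PAM_SYSTEM_AUTH=/etc/pam.d/system-auth

# True when the target line is already in system-auth.  Fixed-string match, so
# the dots and slashes in the rule are not regex; replaces the original
# "echo '<grep command>' | bash" indirection, which executed a string as code.
pw_rule_present() {
  grep -qF -- "$PW_RULE" "$PAM_SYSTEM_AUTH"
}

if pw_rule_present; then
  action "修改密码复杂度" /bin/true
else
  # CentOS 6 ships pam_cracklib, CentOS 7 ships pam_pwquality on the same line.
  # Only the stock line is rewritten, so a previously customised entry is left
  # unchanged and reported as a failure below rather than silently overwritten.
  # NOTE(review): /etc/pam.d/password-auth keeps its own password stack and is
  # not updated here; confirm whether it should receive the same rule.
  if [ "$OS_Release" -eq 6 ]; then
    sed -i "s#pam_cracklib.so try_first_pass retry=3 type=#${PW_RULE}#g" "$PAM_SYSTEM_AUTH"
  else
    sed -i "s#pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=#${PW_RULE}#g" "$PAM_SYSTEM_AUTH"
  fi
  if pw_rule_present; then
    action "修改密码复杂度" /bin/true
  else
    action "修改密码复杂度" /bin/false
  fi
fi
sleep 1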
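##### Password expiry (PASS_MAX_DAYS in /etc/login.defs)
# Current value; empty when the directive is missing or commented out, which
# [[ -eq ]] treats as 0 instead of raising an error as plain [ ] would.
C=$(grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{print $NF}')
if [[ "$C" -eq 90 ]]; then
  action "修改密码过期时间" /bin/true
else
  # Rewrite the directive itself rather than every "99999" in the file (the
  # original "s#99999#90#g" would also hit any unrelated value); whatever value
  # PASS_MAX_DAYS currently has becomes 90, and it is appended when absent.
  if grep -q '^PASS_MAX_DAYS' /etc/login.defs; then
    sed -i 's/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS\t90/' /etc/login.defs
  else
    printf 'PASS_MAX_DAYS\t90\n' >>/etc/login.defs
  fi
  C_NEW=$(grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{print $NF}')
  if [[ "$C_NEW" -eq 90 ]]; then
    action "修改密码过期时间" /bin/true
  else
    action "修改密码过期时间" /bin/false
  fi
fi
# NOTE: login.defs only applies to accounts created from now on; existing users
# keep their current maximum (see `chage -l`), which this script does not change.
sleep 1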
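##### Idle login timeout (TMOUT=300 in /etc/profile)
# Anchored at line start so a commented-out "#TMOUT=300" does not count as
# configured (the original unanchored grep accepted it).
tmout_present() {
  grep -q '^TMOUT=300' /etc/profile
}

if tmout_present; then
  action "修改登陆超时" /bin/true
else
  # Append, then re-source so this shell picks the value up, as before.
  echo "TMOUT=300" >>/etc/profile && source /etc/profile
  if tmout_present; then
    action "修改登陆超时" /bin/true
  else
    action "修改登陆超时" /bin/false
  fi
fi
# NOTE(review): a plain assignment can be undone from a user's own startup
# files; "readonly TMOUT; export TMOUT" after it makes the timeout stick.
sleep 1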
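##### Permissions on the account database files
PASSWD_STATUS=$(stat -c %a /etc/passwd)
SHADOW_STATUS=$(stat -c %a /etc/shadow)
GROUP_STATUS=$(stat -c %a /etc/group)
# [[ with && replaces the deprecated "test -a"; numeric comparison handles
# stat's "0" (mode ----------) and "644" alike.
if [[ "$PASSWD_STATUS" -eq 644 && "$SHADOW_STATUS" -eq 600 && "$GROUP_STATUS" -eq 644 ]]; then
  action "修改关键文件权限" /bin/true
else
  # Stop at the first failing chmod so the reported status reflects it.
  # NOTE(review): /etc/gshadow belongs to the same set and is not covered, and
  # ownership (root:root) is not verified; stock CentOS 7 typically ships
  # /etc/shadow as mode 000, so 600 here is the author's choice, not a tightening.
  if chmod 644 /etc/passwd && chmod 600 /etc/shadow && chmod 644 /etc/group; then
    action "修改关键文件权限" /bin/true
  else
    action "修改关键文件权限" /bin/false
  fi
fi
sleep 1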
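###### Pre-login banners: blank /etc/issue and /etc/issue.net so the OS release
###### is not shown to unauthenticated users.  Originals are kept as dated backups.
ISSUE=$(cat /etc/issue 2>/dev/null)
ISSUE_NET=$(cat /etc/issue.net 2>/dev/null)
if [[ -z "$ISSUE" && -z "$ISSUE_NET" ]]; then
  action "修改登陆banner" /bin/true
else
  # Handle each file on its own: a missing /etc/issue.net no longer stops
  # /etc/issue from being blanked (the original "mv && mv && ..." chain did),
  # and a second run on the same day keeps the first, non-empty backup instead
  # of overwriting it with an already-blank file.  $1 file, $2 its current content.
  blank_banner() {
    local file=$1 content=$2 backup
    [[ -n "$content" ]] || return 0          # already blank, nothing to do
    backup="$file-$(date +%F)"
    if [[ ! -e "$backup" ]]; then
      cp -p -- "$file" "$backup" || return 1
    fi
    echo '' >"$file"
  }
  banner_ok=1
  blank_banner /etc/issue "$ISSUE" || banner_ok=0
  blank_banner /etc/issue.net "$ISSUE_NET" || banner_ok=0
  if [[ "$banner_ok" -eq 1 ]]; then
    action "修改登陆banner" /bin/true
  else
    action "修改登陆banner" /bin/false
  fi
fi
sleep 1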
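####### Default umask (UMASK in /etc/login.defs, umask in /etc/profile)
# 027 normally, 007 when vsftpd is installed.  The original carried two
# near-identical branches differing only in that value, and counted matches
# across both files, so a hit in just one file led to appending to both and a
# check ("-eq 2") that could never pass afterwards.
if rpm -q vsftpd &>/dev/null; then
  UMASK_VALUE=007
else
  UMASK_VALUE=027
fi

# Both files must carry an active directive with the chosen value.
umask_configured() {
  grep -qE "^UMASK[[:space:]]+${UMASK_VALUE}([[:space:]]|$)" /etc/login.defs &&
    grep -qE "^umask[[:space:]]+${UMASK_VALUE}([[:space:]]|$)" /etc/profile
}

if umask_configured; then
  action "修改目录缺省权限" /bin/true
else
  # login.defs: rewrite the existing UMASK line in place instead of appending a
  # second one and leaving precedence to the parser; /etc/profile: append, which
  # runs after the distribution's own umask logic and therefore wins.
  if grep -q '^UMASK[[:space:]]' /etc/login.defs; then
    sed -i "s/^UMASK[[:space:]].*/UMASK\t${UMASK_VALUE}/" /etc/login.defs
  else
    printf 'UMASK\t%s\n' "$UMASK_VALUE" >>/etc/login.defs
  fi
  grep -qE "^umask[[:space:]]+${UMASK_VALUE}([[:space:]]|$)" /etc/profile ||
    echo "umask ${UMASK_VALUE}" >>/etc/profile
  # NOTE(review): /etc/bashrc sets its own umask for non-login shells and is
  # not touched here; confirm whether it should follow the same value.
  if umask_configured; then
    action "修改目录缺省权限" /bin/true
  else
    action "修改目录缺省权限" /bin/false
  fi
fi
sleep 1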
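######## Firewall enabled at boot
# CentOS 6: SysV iptables.  CentOS 7: iptables-services when installed (then
# firewalld is stopped and disabled so two managers do not own the ruleset),
# otherwise firewalld.  Status labels are the same as before.

# Enable a systemd unit unless "is-enabled" already reports it; $1 unit name.
# Returns 0 when the unit ends up enabled.
ensure_unit_enabled() {
  local unit=$1
  if [[ $(systemctl is-enabled "$unit" 2>/dev/null) == "enabled" ]]; then
    return 0
  fi
  systemctl enable "$unit" &>/dev/null
  [[ $(systemctl is-enabled "$unit" 2>/dev/null) == "enabled" ]]
}

if [ "$OS_Release" -eq 6 ]; then
  # Runlevel 3 must show "on"; chkconfig's own stderr (service missing) is
  # discarded as the original's "&>/dev/null" did.
  if ! chkconfig --list iptables 2>/dev/null | grep -q '3:on'; then
    chkconfig iptables on
  fi
  if chkconfig --list iptables 2>/dev/null | grep -q '3:on'; then
    action "iptables开机自启动" /bin/true
  else
    action "iptables开机自启动" /bin/false
  fi
elif rpm -q iptables-services &>/dev/null; then
  if ensure_unit_enabled iptables; then
    systemctl stop firewalld &>/dev/null
    systemctl disable firewalld &>/dev/null
    action "iptables开机自启动" /bin/true
  else
    action "iptables开机自启动" /bin/false
  fi
else
  if ensure_unit_enabled firewalld; then
    action "firewalld开机自启动" /bin/true
  else
    action "firewalld开机自启动" /bin/false
  fi
fi
sleep 1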
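######## Kernel TCP parameters (/etc/sysctl.conf)
# One entry per line, written exactly as it must appear in the file (two of
# them have no spaces around "="; kept verbatim so the presence check still
# matches what earlier runs of this script wrote).  tcp_syncookies=1 is the
# hardening item; the rest is connection-table and port-range tuning.
SYSCTL_SETTINGS=(
  'net.ipv4.tcp_fin_timeout = 30'
  'net.ipv4.tcp_keepalive_time = 1200'
  'net.ipv4.tcp_syncookies = 1'
  'net.ipv4.tcp_tw_reuse = 1'
  'net.ipv4.ip_local_port_range = 1024 65000'
  'net.ipv4.tcp_max_syn_backlog=8192'
  'net.netfilter.nf_conntrack_max = 524288'
  'net.ipv4.tcp_max_tw_buckets=5000'
)

# True when every entry is present as a whole line (fixed string, no regex).
# Replaces the original "echo '<grep && grep ...>' | bash" string execution.
sysctl_settings_present() {
  local entry
  for entry in "${SYSCTL_SETTINGS[@]}"; do
    grep -qxF -- "$entry" /etc/sysctl.conf || return 1
  done
  return 0
}

if sysctl_settings_present; then
  action "修改内核tcp参数" /bin/true
else
  # Append only the missing entries, so a partial earlier run does not leave
  # duplicate keys behind (the original re-appended all eight).
  for entry in "${SYSCTL_SETTINGS[@]}"; do
    grep -qxF -- "$entry" /etc/sysctl.conf || echo "$entry" >>/etc/sysctl.conf
  done
  # Reload: "sysctl -p" reads /etc/sysctl.conf only; "--system" (CentOS 7)
  # also reads /etc/sysctl.d.  Errors are discarded as before; one known case is
  # net.netfilter.* being unknown until the nf_conntrack module is loaded.
  if [ "$OS_Release" -eq 6 ]; then
    /sbin/sysctl -p &>/dev/null
  else
    /usr/sbin/sysctl --system &>/dev/null
  fi
  if sysctl_settings_present; then
    action "修改内核tcp参数" /bin/true
  else
    action "修改内核tcp参数" /bin/false
  fi
fi
sleep 1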
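######### Maximum open files / processes
# Presence checks use anchored regexes with flexible whitespace: the stock
# limits.d/*-nproc.conf lines are column-aligned ("*          soft    nproc     4096"),
# so the original single-space pattern ("* soft nproc 65535") never matched after
# the sed rewrite and this step was reported as failed even when it had worked.
NPROC_LIMIT_RE='^\*[[:space:]]+soft[[:space:]]+nproc[[:space:]]+65535([[:space:]]|$)'

# $1 file, $2 exact line (fixed string, whole line).
limits_has_line() { grep -qxF -- "$2" "$1" 2>/dev/null; }
# $1 file, $2 extended regex.
limits_has_match() { grep -qE -- "$2" "$1" 2>/dev/null; }
# Append $2 to $1 unless it is already present as a whole line.
limits_add_line() { limits_has_line "$1" "$2" || echo "$2" >>"$1"; }

limits6_present() {
  limits_has_line /etc/sysctl.conf 'fs.file-max = 65535' &&
    limits_has_line /etc/security/limits.conf '* - nofile 65535' &&
    limits_has_line /etc/security/limits.conf '* - nproc 65535' &&
    limits_has_match /etc/security/limits.d/90-nproc.conf "$NPROC_LIMIT_RE"
}

limits7_present() {
  local f
  for f in /etc/systemd/system.conf /etc/systemd/user.conf; do
    limits_has_line "$f" 'DefaultLimitCORE=infinity' &&
      limits_has_line "$f" 'DefaultLimitNOFILE=65535' &&
      limits_has_line "$f" 'DefaultLimitNPROC=65535' || return 1
  done
  limits_has_match /etc/security/limits.d/20-nproc.conf "$NPROC_LIMIT_RE"
}

# Rewrite the "* soft nproc <n>" line of a limits.d file to 65535, keeping its
# column spacing; the original "s#1024#65535#g" / "s#4096#65535#g" replaced
# every occurrence of that number anywhere in the file.  $1 file.
set_nproc_limit() {
  sed -r -i 's/^(\*[[:space:]]+soft[[:space:]]+nproc[[:space:]]+)[0-9]+/\165535/' "$1"
}

# Uncomment or overwrite "Key=" in a systemd conf, appending when absent.
# $1 file, $2 key, $3 value.
set_systemd_default() {
  sed -r -i "s/^#?$2=.*/$2=$3/" "$1"
  limits_add_line "$1" "$2=$3"
}

# NOTE(review): DefaultLimitCORE=infinity is a hardening regression kept from
# the original; a core dump of a crashed service can contain credentials and
# session keys, and the usual guidance is the opposite ("* hard core 0",
# fs.suid_dumpable=0).  Likewise fs.file-max = 65535 may be LOWER than the
# kernel's RAM-sized default: compare `sysctl fs.file-max` before relying on it.
if [ "$OS_Release" -eq 6 ]; then
  if limits6_present; then
    action "调整最大文件数" /bin/true
  else
    limits_add_line /etc/sysctl.conf 'fs.file-max = 65535'
    limits_add_line /etc/security/limits.conf '* - nofile 65535'
    limits_add_line /etc/security/limits.conf '* - nproc 65535'
    set_nproc_limit /etc/security/limits.d/90-nproc.conf
    /sbin/sysctl -p &>/dev/null
    if limits6_present; then
      action "调整最大文件数" /bin/true
    else
      action "调整最大文件数" /bin/false
    fi
  fi
else
  if limits7_present; then
    action "调整最大文件数" /bin/true
  else
    for f in /etc/systemd/system.conf /etc/systemd/user.conf; do
      set_systemd_default "$f" DefaultLimitCORE infinity
      set_systemd_default "$f" DefaultLimitNOFILE 65535
      set_systemd_default "$f" DefaultLimitNPROC 65535
    done
    set_nproc_limit /etc/security/limits.d/20-nproc.conf
    # systemd re-reads system.conf only on daemon-reexec or reboot; the script
    # reboots at its end, which is what the original relied on too.
    if limits7_present; then
      action "调整最大文件数" /bin/true
    else
      action "调整最大文件数" /bin/false
    fi
  fi
fi
sleep 1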
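######## Time zone: Asia/Shanghai (UTC+8)
# "date +%z" prints the numeric offset ("+0800").  Compared as a string, so a
# negative offset or an empty value cannot break the test the way the original
# "-eq 0800" on an awk-extracted field could.
ZONE=$(date +%z)
if [[ "$ZONE" == "+0800" ]]; then
  action "时区为东八区" /bin/true
else
  if [ "$OS_Release" -eq 6 ]; then
    # No timedatectl on CentOS 6: install the zone file directly.  /bin/cp by
    # full path bypasses the interactive "cp -i" alias root usually has.
    /bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
    # NOTE(review): /etc/sysconfig/clock (ZONE="Asia/Shanghai") is not written
    # here; confirm whether tzdata updates on this host read it.
  else
    # timedatectl updates the /etc/localtime symlink and notifies systemd; fall
    # back to the bare symlink when it is missing or refuses (e.g. in a chroot).
    # "ln -sf" replaces the existing link without the separate rm -f.
    if ! timedatectl set-timezone Asia/Shanghai &>/dev/null; then
      ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
    fi
  fi
  ZONE_NEW=$(date +%z)
  if [[ "$ZONE_NEW" == "+0800" ]]; then
    action "时区为东八区" /bin/true
  else
    action "时区为东八区" /bin/false
  fi
fi
sleep 1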
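####### Forbid direct root login over SSH (PermitRootLogin no)
SSHD_CONFIG=/etc/ssh/sshd_config

# True only for an active (uncommented) "PermitRootLogin no"; the original
# unanchored grep also accepted the commented-out default and a Match-block line.
root_login_disabled() {
  grep -qE '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$SSHD_CONFIG"
}

# Lock-out guard: refusing root with no other account able to log in leaves the
# host unreachable over SSH after the reboot at the end of this script.
# UID >= 500 covers CentOS 6 (UID_MIN 500) and 7 (UID_MIN 1000); nfsnobody is
# excluded.  Whether that account has a password or key is not checked.
has_login_user() {
  awk -F: '$3 >= 500 && $3 != 65534 && $7 !~ /(nologin|false)$/ { found = 1 } END { exit !found }' /etc/passwd
}

if root_login_disabled; then
  action "禁止root ssh 登陆" /bin/true
elif ! has_login_user; then
  printf '%s\n' "no non-root login account found; PermitRootLogin left unchanged to avoid lock-out" >&2
  action "禁止root ssh 登陆" /bin/false
else
  # Rewrite any PermitRootLogin line, commented ("#PermitRootLogin yes", the
  # stock default) or active; append the directive when none exists.
  if grep -qE '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$SSHD_CONFIG"; then
    sed -r -i 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$SSHD_CONFIG"
  else
    echo 'PermitRootLogin no' >>"$SSHD_CONFIG"
  fi
  # "sshd -t" parses the edited file; a config sshd rejects would take every
  # later restart down with it.  sshd is not restarted here (as before): the
  # change takes effect at the port step's restart or at the final reboot.
  if root_login_disabled && /usr/sbin/sshd -t &>/dev/null; then
    action "禁止root ssh 登陆" /bin/true
  else
    action "禁止root ssh 登陆" /bin/false
  fi
fi
sleep 1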
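####### SSH port: move sshd off 22 and open the new port in the firewall
SSH_PORT=17382   # was hard-coded in four places
SSHD_CONFIG=/etc/ssh/sshd_config
SSHD_BACKUP="${SSHD_CONFIG}.pre-port-change"

# True when an active "Port <n>" directive for $1 exists.  The original tested
# "grep 'Port 22'", which also matched the commented default and "Port 2222".
sshd_port_set() {
  grep -qE "^[[:space:]]*Port[[:space:]]+$1([[:space:]]|$)" "$SSHD_CONFIG"
}

# iptables (CentOS 6 SysV, or CentOS 7 with iptables-services): allow the new
# port, drop the rule for 22, persist.  $1 is "6" or "7" and selects the tooling.
open_port_iptables() {
  if [ "$1" -eq 6 ]; then
    /etc/init.d/iptables start &>/dev/null
  else
    systemctl start iptables &>/dev/null
  fi
  iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT &>/dev/null
  iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport "$SSH_PORT" -j ACCEPT || return 1
  if [ "$1" -eq 6 ]; then
    /etc/init.d/iptables save &>/dev/null
  else
    /usr/sbin/service iptables save &>/dev/null
  fi
}

# firewalld: use its own interface instead of editing the package-owned
# /usr/lib/firewalld/services/ssh.xml, which a firewalld update overwrites and
# where the original "s#22#17382#g" replaced every "22" in the file.
open_port_firewalld() {
  systemctl start firewalld &>/dev/null
  firewall-cmd --permanent --add-port="${SSH_PORT}/tcp" &>/dev/null || return 1
  firewall-cmd --permanent --remove-service=ssh &>/dev/null
  firewall-cmd --reload &>/dev/null
}

restart_sshd() {
  if [ "$OS_Release" -eq 6 ]; then
    /etc/init.d/sshd restart &>/dev/null
  else
    systemctl restart sshd &>/dev/null
  fi
}

if sshd_port_set "$SSH_PORT"; then
  action "修改ssh端口" /bin/true
else
  cp -p -- "$SSHD_CONFIG" "$SSHD_BACKUP"
  # Rewrite the directive whether commented ("#Port 22", stock default) or
  # active; append it when absent.  An existing non-default port is replaced too.
  if grep -qE '^[[:space:]]*#?[[:space:]]*Port[[:space:]]' "$SSHD_CONFIG"; then
    sed -r -i "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]].*/Port ${SSH_PORT}/" "$SSHD_CONFIG"
  else
    echo "Port ${SSH_PORT}" >>"$SSHD_CONFIG"
  fi
  # Validate the config and open the firewall BEFORE restarting sshd, so a bad
  # config or a failed rule never leaves the host without a reachable sshd
  # (the original restarted sshd first and added the rule afterwards).
  port_ok=0
  if sshd_port_set "$SSH_PORT" && /usr/sbin/sshd -t &>/dev/null; then
    if [ "$OS_Release" -eq 6 ]; then
      open_port_iptables 6 && port_ok=1
    elif rpm -q iptables-services &>/dev/null; then
      open_port_iptables 7 && port_ok=1
    else
      open_port_firewalld && port_ok=1
    fi
  fi
  if [ "$port_ok" -eq 1 ]; then
    restart_sshd
    action "修改ssh端口" /bin/true
  else
    # Put the previous config back: the script reboots at the end, and an sshd
    # on the new port behind a firewall that still only allows 22 is unreachable.
    cp -p -- "$SSHD_BACKUP" "$SSHD_CONFIG"
    action "修改ssh端口" /bin/false
  fi
fi
# NOTE(review): with SELinux enforcing, sshd would also need the port labelled
# (semanage port -a -t ssh_port_t -p tcp <port>); this script disabled SELinux
# earlier, which is why that step is absent.
sleep 1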
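######## End: announce and schedule the reboot
# Each line is printed three times, as before, so it cannot be missed in
# scrollback.  The cancel instruction is fixed ("shutdwon -c" -> "shutdown -c",
# "cancle" -> "cancel"): the operator is expected to type it.
if [ "$OS_Release" -eq 6 ]; then
  CANCEL_HINT="'ctrl+c'"      # sysvinit shutdown stays in the foreground
else
  CANCEL_HINT="'shutdown -c'" # systemd shutdown returns at once; cancel with -c
fi
for rep in 1 2 3; do
  printf '\033[31m the system will be reboot in 5mins,you can use %s to cancel! \033[0m\n' "$CANCEL_HINT"
done
for rep in 1 2 3; do
  printf '\033[31m before reboot,you must have a common user and set password for it! \033[0m\n'
done
printf '\n\n'
source /etc/profile &>/dev/null
sleep 3
# "PermitRootLogin no" above plus no ordinary account means no SSH access after
# this reboot; the warning lines exist for that reason.
shutdown -r 5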
