Linux操作系统安全加固


大部分文件在修改前都先做了备份，这很有必要。

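# --- Idle-session timeout ----------------------------------------------------
# Backups are skipped when one already exists so a re-run cannot replace the
# pristine copy with an already-modified file.
for f in /etc/profile /etc/csh.cshrc; do
  [[ -e "${f}_bak1" ]] || cp -p -- "$f" "${f}_bak1"
done
# bash/sh: only append once (the original appended on every run).
if ! grep -q '^TMOUT=' /etc/profile; then
  printf 'TMOUT=180\nexport TMOUT\n' >>/etc/profile
fi
# csh/tcsh equivalent.
# NOTE(review): tcsh's autologout counts minutes, so 30 here is far longer
# than the 180 s TMOUT above — confirm which value is intended.
grep -q '^set autologout=' /etc/csh.cshrc \
  || printf 'set autologout=30\n' >>/etc/csh.cshrc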
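# --- PAM: lockout after failed logins, password history and complexity -------
pam_auth=/etc/pam.d/system-auth
[[ -e "${pam_auth}_bak1" ]] || cp -p -- "$pam_auth" "${pam_auth}_bak1"
# NOTE(review): on RHEL/CentOS this file is regenerated by authconfig, so these
# edits may be lost on the next authconfig run — confirm how the host manages it.

# Lockout: 6 failures, unlock after 120 s. Inserted before the first "auth"
# line instead of after line 3, which the original hard-coded and which is
# only correct for the stock file layout.
first_auth=$(grep -n '^auth' "$pam_auth" | head -n 1 | cut -d: -f1)
if [[ -z "$first_auth" ]]; then
  printf 'warning: no auth line in %s; lockout not configured\n' "$pam_auth" >&2
elif ! grep -q 'pam_tally2\.so' "$pam_auth"; then
  sed -i "${first_auth}i auth required pam_tally2.so deny=6 onerr=fail no_magic_root unlock_time=120" "$pam_auth"
fi

# Password history: remember the last 5 hashes on the pam_unix password line.
grep -qE '^password.*pam_unix\.so.*remember=' "$pam_auth" \
  || sed -i 's/use_authtok.*/& remember=5/' "$pam_auth"

# Complexity: restricted to the pam_cracklib/pam_pwquality line rather than
# any line containing "type=", and applied only once.
# NOTE(review): on RHEL 7+ pam_pwquality also reads /etc/security/pwquality.conf;
# confirm which of the two is meant to be authoritative on the target.
if grep -qE '^password.*pam_(cracklib|pwquality)\.so' "$pam_auth"; then
  grep -q 'minlen=' "$pam_auth" \
    || sed -i -E '/^password.*pam_(cracklib|pwquality)\.so/ s/type=.*/& ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 minclass=2 minlen=8/' "$pam_auth"
else
  printf 'warning: no pam_cracklib/pam_pwquality line in %s; complexity not set\n' "$pam_auth" >&2
fi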
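# --- Password aging defaults for newly created accounts ----------------------
login_defs=/etc/login.defs
[[ -e "${login_defs}_bak1" ]] || cp -p -- "$login_defs" "${login_defs}_bak1"

# Set one login.defs key to a value: replace the existing line or append.
# The original overwrote lines 25 and 27 by number, which silently clobbers
# whatever happens to be there on a file with a different layout.
# Arguments: $1 - key (e.g. PASS_MAX_DAYS), $2 - value
set_login_def() {
  local key=$1 value=$2
  if grep -qE "^${key}[[:space:]]" "$login_defs"; then
    sed -i -E "s/^${key}[[:space:]].*/${key} ${value}/" "$login_defs"
  else
    printf '%s %s\n' "$key" "$value" >>"$login_defs"
  fi
}

set_login_def PASS_MAX_DAYS 90
set_login_def PASS_MIN_LEN 8
# NOTE(review): these defaults apply to accounts created afterwards; existing
# users keep their current maximum age (see chage) — confirm whether they need
# to be updated as well.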
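# --- Kernel: do not accept ICMP redirects -------------------------------------
sysctl_conf=/etc/sysctl.conf
[[ -e "${sysctl_conf}_bak1" ]] || cp -p -- "$sysctl_conf" "${sysctl_conf}_bak1"
grep -q '^net\.ipv4\.conf\.all\.accept_redirects' "$sysctl_conf" \
  || printf 'net.ipv4.conf.all.accept_redirects=0\n' >>"$sysctl_conf"
# Apply immediately; the file alone only takes effect at the next boot.
sysctl -w net.ipv4.conf.all.accept_redirects=0
# NOTE(review): the "default" counterpart and the IPv6 equivalents are usually
# set together with this key — confirm whether the baseline requires them.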
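# --- /etc/shadow: rewrite "*" password fields as the locked form "!!" --------
shadow=/etc/shadow
[[ -e "${shadow}_bak1" ]] || cp -p -- "$shadow" "${shadow}_bak1"
# Remember the exact mode so it can be restored; "chmod -w" would also strip
# group write on systems where shadow is 640 root:shadow.
shadow_mode=$(stat -c '%a' "$shadow")
chmod u+w "$shadow"
# Only the second (password) field is touched; the original replaced every
# "*" in the file. Single quotes keep "!" away from shell history expansion.
sed -i 's/^\([^:]*\):\*:/\1:!!:/' "$shadow"
chmod "$shadow_mode" "$shadow"
# NOTE(review): "*" and "!!" are both non-matchable password fields, so this
# changes how tools label the account rather than whether it can log in —
# confirm the audit requirement it is meant to satisfy. With SELinux enforcing,
# also verify the in-place edit kept the shadow_t context (restorecon if not).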
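# --- TCP wrappers ---------------------------------------------------------------
for f in /etc/hosts.allow /etc/hosts.deny; do
  [[ -e "${f}_bak1" ]] || cp -p -- "$f" "${f}_bak1"
done
# The first field is the daemon's process name: "sshd" (not "ssh") and
# "in.telnetd" for telnet. The original names would never match a connection.
grep -q '^sshd:' /etc/hosts.allow \
  || printf 'sshd:192.168.1.1:allow\n' >>/etc/hosts.allow
grep -q '^in\.telnetd:' /etc/hosts.deny \
  || printf 'in.telnetd:192.168.1.1:DENY\n' >>/etc/hosts.deny
# NOTE(review): without a catch-all deny for sshd every other host is still
# admitted, and 192.168.1.1 looks like a placeholder — confirm the real
# management range before deployment.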
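# --- Disable Ctrl-Alt-Del reboot ------------------------------------------------
cad_conf=/etc/init/control-alt-delete.conf
if [[ -e "$cad_conf" ]]; then
  # Upstart (RHEL/CentOS 6): comment out the job. Anchored to the start of the
  # line so "start"/"exec" inside other words or comments are left alone
  # (the original used an unanchored global replace).
  [[ -e "${cad_conf}_bak1" ]] || cp -p -- "$cad_conf" "${cad_conf}_bak1"
  sed -i -e 's/^start/#start/' -e 's/^exec/#exec/' "$cad_conf"
elif command -v systemctl >/dev/null 2>&1; then
  # systemd hosts have no upstart job file; mask the target instead.
  systemctl mask ctrl-alt-del.target
else
  printf 'warning: no Ctrl-Alt-Del handler found to disable\n' >&2
fi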
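# --- Default umask 027 for login shells -------------------------------------------
# The original backed up /etc/profile and /etc/csh.cshrc a second time here,
# overwriting the pristine copies taken before the TMOUT edit, and one
# "cp -p" was spelled with an en dash ("–p"), so /root/.cshrc never got a
# backup at all. Backups are now no-clobber and the append is idempotent.
umask_files=(/etc/profile /etc/csh.login /etc/csh.cshrc /etc/bashrc /root/.bashrc /root/.cshrc)
for f in "${umask_files[@]}"; do
  if [[ ! -e "$f" ]]; then
    # e.g. csh files when tcsh is not installed; nothing to harden.
    printf 'skip: %s does not exist\n' "$f" >&2
    continue
  fi
  [[ -e "${f}_bak1" ]] || cp -p -- "$f" "${f}_bak1"
  grep -q '^umask 027' "$f" || printf 'umask 027\n' >>"$f"
done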
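# --- Legal banners: console (motd), local pre-login (issue), network (issue.net)
banner=' Authorized users only. All activity may be monitored and reported '
for f in /etc/motd /etc/issue /etc/issue.net; do
  # Append only once; a missing file is created, as with the original ">>".
  grep -qF -- "$banner" "$f" 2>/dev/null || printf '%s\n' "$banner" >>"$f"
done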
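# --- Reload xinetd ---------------------------------------------------------------
# NOTE(review): hosts.allow/hosts.deny are re-read per connection, so this
# restart only matters if xinetd's own configuration changed — confirm.
if [[ -x /etc/init.d/xinetd ]]; then
  /etc/init.d/xinetd restart
elif command -v systemctl >/dev/null 2>&1; then
  # Restart only if it is running; do nothing when xinetd is not installed.
  systemctl try-restart xinetd.service
fi

# --- Forward all logs to the central collector -----------------------------------
# Write to whichever daemon's file exists; appending blindly to
# /etc/syslog.conf creates a stray, unread file on rsyslog hosts.
# "@host" is the UDP forwarder in both syslog and rsyslog syntax.
syslog_conf=/etc/rsyslog.conf
[[ -e "$syslog_conf" ]] || syslog_conf=/etc/syslog.conf
grep -qF -- '*.* @192.168.0.1' "$syslog_conf" \
  || printf '*.* @192.168.0.1\n' >>"$syslog_conf"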
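# --- SSH pre-authentication banner file --------------------------------------------
ssh_banner=/etc/sshbanner
ssh_banner_text=' Authorized users only. All activity may be monitored and reported '
# Append only once; the file is created on first run.
grep -qF -- "$ssh_banner_text" "$ssh_banner" 2>/dev/null \
  || printf '%s\n' "$ssh_banner_text" >>"$ssh_banner"
# NOTE(review): the original hands the file to bin:bin; root:root is the usual
# owner for files sshd reads — confirm the requirement before keeping bin:bin.
chown bin:bin "$ssh_banner"
chmod 644 "$ssh_banner"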
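# ntpd is already started right after /etc/ntp.conf is edited earlier in this
# script; the second "systemctl start ntpd" that stood here was a duplicate.
# /etc/syslog.conf exists only on sysklogd hosts; do not create it by chmod.
if [[ -e /etc/syslog.conf ]]; then
  chmod 644 /etc/syslog.conf
fi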
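# --- sshd: banner and no direct root login -------------------------------------------
sshd_conf=/etc/ssh/sshd_config
[[ -e "${sshd_conf}_bak1" ]] || cp -p -- "$sshd_conf" "${sshd_conf}_bak1"

# Set one sshd_config keyword. sshd honours the FIRST occurrence of a keyword,
# so appending at the end (as the original did) has no effect when an active
# line for the same keyword already exists; replace it in place instead.
# Arguments: $1 - keyword, $2 - value
set_sshd_option() {
  local key=$1 value=$2
  if grep -qiE "^[[:space:]]*${key}[[:space:]]" "$sshd_conf"; then
    # "|" as delimiter because values such as /etc/sshbanner contain "/".
    sed -i -E "s|^[[:space:]]*${key}[[:space:]].*|${key} ${value}|I" "$sshd_conf"
  else
    printf '%s %s\n' "$key" "$value" >>"$sshd_conf"
  fi
}

set_sshd_option Banner /etc/sshbanner
set_sshd_option PermitRootLogin no
# NOTE(review): if the file contains a "Match" block, an appended keyword lands
# inside it and applies only to that match — check the file when a keyword had
# to be appended rather than replaced.
# Only root reads this file; the original's 644 widened the usual 600.
chmod 600 "$sshd_conf"
# Validate before reloading so a bad line cannot lock out remote administrators;
# the original never reloaded sshd, so PermitRootLogin did not take effect.
if sshd -t; then
  if command -v systemctl >/dev/null 2>&1; then
    systemctl reload sshd
  else
    service sshd reload
  fi
else
  printf 'sshd_config failed validation; not reloading sshd\n' >&2
fi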
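# Password history: "remember=5" belongs on the existing pam_unix password
# line. The original appended a separate "password required pam_unix.so
# remember=5" line at the end of the file, after pam_deny, where on the stock
# layout it can no longer change the outcome of the stack.
pam_auth_file=/etc/pam.d/system-auth
if ! grep -qE '^password.*pam_unix\.so.*remember=' "$pam_auth_file"; then
  sed -i -E '/^password.*pam_unix\.so/ s/$/ remember=5/' "$pam_auth_file"
fi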
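# --- Log routing: remote forwarding, error and auth logs --------------------------
# The original split these between /etc/rsyslog.conf and /etc/syslog.conf; only
# one daemon is installed, so all rules go to the file that actually exists.
log_conf=/etc/rsyslog.conf
[[ -e "$log_conf" ]] || log_conf=/etc/syslog.conf
log_rules=(
  '*.* @192.168.0.1'
  '*.err;auth.info /var/adm/messages'
  'authpriv.* /var/log/authlog'
)
for rule in "${log_rules[@]}"; do
  grep -qF -- "$rule" "$log_conf" || printf '%s\n' "$rule" >>"$log_conf"
done
# NOTE(review): /var/adm is not a standard Linux log directory — confirm the
# path is intended (and that the daemon creates it) before relying on the rule.
# Restart the daemon so the new rules are read; the original never did.
if command -v systemctl >/dev/null 2>&1; then
  systemctl restart rsyslog 2>/dev/null || systemctl restart syslog
else
  service rsyslog restart 2>/dev/null || service syslog restart
fi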