linux安全与优化脚本


    安全配置内容：1、删除系统特殊的用户与组；2、用户密码复杂性设置；3、ROOT用户自动注销配置；4、SSH服务ROOT禁止登陆配置；5、禁止ctrl+alt+del重启计算机；6、su命令限制；7、登陆信息删除；8、NFS访问；9、inetd设置（未设置）；10、登陆终端设置（未设置）；11、阻止ping通本机；12、防止IP欺骗；13、防止DOS攻击；14、远程登陆不显示系统信息；15、给系统重要文件加锁

    优化配置内容：1、虚拟内存优化；2、日志管理（未设置）；3、硬盘优化（未设置）

    关于防火墙（未设置）

    未设置的全部待续

    脚本编写:

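    #! /bin/bash
    #
    # Author: diyulvshi
    #
    # LINUX system security and optimal
    #
    # Interactive menu.  Option 1 applies the hardening steps listed in the
    # post (account cleanup, password aging, idle logout, sshd root login,
    # ctrl+alt+del, su, banners, host.conf, limits, telnet banner, NFS,
    # immutable files).  Option 2 writes a 2.4-kernel /proc/sys/vm/freepages
    # profile.  Option 0 exits.
    #
    # Every step rewrites files under /etc, so the script refuses to run as a
    # non-root user instead of failing half way through.
    #
    # Defects of the original listing that are fixed here:
    #   - /etc/profile was written to "/etc/porfile", so TMOUT=300 never took effect
    #   - "PermitRoorLogin no" is not an sshd_config keyword; sshd would refuse to start
    #   - the /etc/pam.d/su lines had no space before the module path (PAM cannot parse them)
    #   - the /etc/security/limits.conf lines lacked the <domain> column
    #   - /etc/shawod and /etc/gshawod do not exist (the files are shadow and gshadow)
    #   - "tptu" typo, undefined $R in the banner, and an endless loop on EOF from stdin
    #   - predictable temp files /etc/login.defs1..4, /etc/sshd_config1, /etc/inittab1
    #     replaced by mktemp next to the target file
    #   - echo -n left /etc/inetd.conf without a trailing newline

    if [ "$(id -u)" -ne 0 ]; then
        echo "This script must be run as root." >&2
        exit 1
    fi

    #######################################
    # Drop every line of a config file matching a pattern, then append the
    # wanted line.  Replaces the original grep-into-/etc/<file>1 chains.
    # `cat` back into the original file keeps its inode, mode and owner.
    # Arguments: $1 - file, $2 - pattern (basic regex), $3 - line to append
    # Returns:   0 on success, 1 if the file is missing or mktemp fails
    #######################################
    set_line() {
        local file=$1 pattern=$2 line=$3 tmp
        if [ ! -f "$file" ]; then
            echo "missing $file, skipped" >&2
            return 1
        fi
        tmp=$(mktemp "$file.XXXXXX") || return 1
        # grep -v exits 1 when nothing is left over; that is not an error here
        grep -v -- "$pattern" "$file" > "$tmp"
        printf '%s\n' "$line" >> "$tmp"
        cat "$tmp" > "$file"
        rm -f -- "$tmp"
    }

    #######################################
    # Append a line to a file unless that exact line is already present, so
    # re-running the script does not stack duplicate entries.
    # Arguments: $1 - file, $2 - line
    #######################################
    append_once() {
        local file=$1 line=$2
        grep -q -x -F -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
    }

    clear
    while true
    do
        tput cup 3 12
        echo "system security and optimal"
        tput cup 4 10
        echo "1.System security"
        tput cup 5 10
        echo "2.System optimize"
        tput cup 6 10
        echo "0.exit"
        tput cup 7 10
        echo -n "Please type in the option:"
        # stop on EOF instead of spinning forever on an empty answer
        read -r a || break
        case $a in
        1)
            clear
            echo -n "system special user and group delete..."
            sleep 1
            # "username" is the placeholder carried over from the original listing;
            # the rest are legacy system accounts.  userdel/groupdel report
            # accounts that do not exist and continue.
            for u in username adm lp sync shutdown halt news uucp operator games gopher; do
                userdel "$u"
            done
            for g in username adm lp news uucp games dip; do
                groupdel "$g"
            done

            clear
            tput cup 1 1
            echo -n "OK"
            tput cup 2 1
            echo -n "user password legth set..."
            sleep 1
            set_line /etc/login.defs PASS_MAX_DAYS "PASS_MAX_DAYS   100"
            set_line /etc/login.defs PASS_MIN_DAYS "PASS_MIN_DAYS   0"
            set_line /etc/login.defs PASS_MIN_LEN  "PASS_MIN_LEN    10"
            set_line /etc/login.defs PASS_WARN_AGE "PASS_WARN_AGE   15"

            clear
            tput cup 1 1
            echo -n "OK"
            tput cup 2 1
            echo -n "Account 300s automatic cancellation..."
            sleep 1
            # The original wrote this to /etc/porfile (typo), so the 300 s idle
            # logout never took effect.  Quoted heredoc: nothing is expanded here.
            cat > /etc/profile <<'EOF'
# /etc/profile

# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc

pathmunge () {
    if ! echo $PATH | /bin/egrep -q "(^|:)$1($|:)" ; then
        if [ "$2" = "after" ] ; then
            PATH=$PATH:$1
        else
            PATH=$1:$PATH
        fi
    fi
}

# Path manipulation
if [ `id -u` = 0 ]; then
    pathmunge /sbin
    pathmunge /usr/sbin
    pathmunge /usr/local/sbin
fi

pathmunge /usr/X11R6/bin after

unset pathmunge

# No core files by default
ulimit -S -c 0 > /dev/null 2>&1

USER="`id -un`"
LOGNAME=$USER
MAIL="/var/spool/mail/$USER"

HOSTNAME=`/bin/hostname`
HISTSIZE=1000
# idle login shells are closed after 300 s; readonly keeps users from unsetting it
TMOUT=300
readonly TMOUT
if [ -z "$INPUTRC" -a ! -f "$HOME/.inputrc" ]; then
    INPUTRC=/etc/inputrc
fi

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE INPUTRC

for i in /etc/profile.d/*.sh ; do
    if [ -r "$i" ]; then
        . $i
    fi
done

unset i
EOF

            clear
            tput cup 1 1
            echo -n "OK"
            tput cup 2 1
            echo -n "SSH service prohibition root landing..."
            sleep 1
            # the original appended "PermitRoorLogin no", an unknown keyword that
            # makes sshd refuse to start on its next restart
            set_line /etc/ssh/sshd_config PermitRootLogin "PermitRootLogin no"
            if command -v sshd >/dev/null 2>&1 && ! sshd -t; then
                echo "warning: sshd -t rejects /etc/ssh/sshd_config, check it before restarting sshd" >&2
                sleep 2
            fi

            clear
            tput cup 1 1
            echo "OK"
            tput cup 2 1
            echo -n "prohibition ctrl+alt+delete restart..."
            sleep 1
            # SysV init reads /etc/inittab; on a systemd host the file is absent
            # and the equivalent is masking ctrl-alt-del.target
            if [ -f /etc/inittab ]; then
                set_line /etc/inittab ca::ctrlaltdel:/sbin/shutdown "#ca::ctrlaltdel:/sbin/shutdown -t3 -r now"
            elif command -v systemctl >/dev/null 2>&1; then
                systemctl mask ctrl-alt-del.target
            else
                echo "no /etc/inittab and no systemctl, ctrl+alt+del left unchanged" >&2
            fi

            clear
            tput cup 1 1
            echo "OK"
            tput cup 2 1
            echo -n "su restrictions..."
            sleep 1
            # The original lines had no space before the module path, which PAM
            # cannot parse.  Bare module names are resolved from PAM's default
            # module directory (/lib/security on the original target, /lib64 on
            # x86_64).  pam_wheel with group=isd refuses su to every non-root
            # user outside that group, so the group must exist.
            append_once /etc/pam.d/su "auth sufficient pam_rootok.so debug"
            append_once /etc/pam.d/su "auth required pam_wheel.so group=isd"
            if ! getent group isd >/dev/null 2>&1; then
                echo "warning: group isd does not exist; su will be refused for every non-root user" >&2
                sleep 2
            fi

            clear
            tput cup 1 1
            echo "OK"
            tput cup 2 1
            echo -n "delete landing information..."
            sleep 1
            # the original built a banner (from the undefined $R and the menu
            # answer $a) and then removed and recreated both files; the net
            # effect is two empty banners, which is all that is done here
            : > /etc/issue
            : > /etc/issue.net

            clear
            tput cup 1 1
            echo "OK"
            tput cup 2 1
            echo -n "Restrict network access..."
            # persisted through rc.local for the next boot and applied now as well
            append_once /etc/rc.d/rc.local "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
            echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
            tput cup 3 1
            echo -n "Prevention ping attack OK"
            sleep 1
            append_once /etc/host.conf "order bind,hosts"
            append_once /etc/host.conf "multi off"
            append_once /etc/host.conf "nospoof on"
            tput cup 4 1
            echo "Prevention ip deception OK"
            sleep 1

            # limits.conf needs a <domain> column; the original lines omitted it,
            # so pam_limits ignored them.  "*" does not apply to root (see
            # limits.conf(5)).  nproc 20 is very low for interactive users.
            append_once /etc/security/limits.conf "* hard core 0"
            append_once /etc/security/limits.conf "* hard rss 5000"
            append_once /etc/security/limits.conf "* hard nproc 20"
            append_once /etc/pam.d/login "session required pam_limits.so"
            tput cup 5 1
            echo "Prevention DOS attack OK"
            sleep 1

            # "-h" keeps in.telnetd from printing the host banner.  Only an
            # already-active telnet entry is rewritten: appending one
            # unconditionally (as the original did) would switch telnet on where
            # it was disabled.
            if grep -q '^telnet' /etc/inetd.conf 2>/dev/null; then
                set_line /etc/inetd.conf '^telnet' "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h"
            fi
            tput cup 6 1
            echo "Telnet linding prohibit display system information OK"
            sleep 1

            # Placeholders carried over from the original listing; edit before
            # use.  The listing's client names read "host1.myd main.com" and are
            # not recoverable.  Export syntax is "<dir> <client>(opts)" with no
            # space inside the option list.
            nfs_dir="/dir/to/export"
            nfs_client1="host1.example.com"
            nfs_client2="host2.example.com"
            if [ -d "$nfs_dir" ]; then
                append_once /etc/exports "$nfs_dir $nfs_client1(ro,root_squash)"
                append_once /etc/exports "$nfs_dir $nfs_client2(ro,root_squash)"
                exportfs -a
            else
                echo "NFS: $nfs_dir does not exist, /etc/exports left unchanged" >&2
            fi
            clear
            tput cup 7 1
            echo "Restrict NFS access OK"
            sleep 1

            clear
            tput cup 1 1
            echo "OK"
            tput cup 2 1
            echo -n "System file secret..."
            sleep 1
            # /etc/shawod and /etc/gshawod in the original do not exist; the real
            # files are shadow and gshadow.  +i also blocks useradd/passwd until
            # the flag is cleared with chattr -i, so this step comes last.
            chattr +i /etc/passwd /etc/shadow /etc/gshadow /etc/group
            chattr +i /etc/services

            chmod -R 700 /etc/init.d/* /etc/rc.d/init.d/*

            # drop setuid/setgid from tools ordinary users rarely need
            chmod a-s /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn \
                /usr/bin/chsh /usr/bin/write /usr/sbin/usernetctl /usr/sbin/traceroute \
                /bin/mount /bin/umount /bin/ping /sbin/netreport

            chmod 600 /etc/grub.conf
            chattr +i /etc/grub.conf
            chmod 600 /etc/inetd.conf

            clear
            tput cup 1 1
            echo "OK"
            tput cup 2 1
            echo -n "Please enter:"
            read -r aa
            clear
            ;;
        2)
            clear
            tput cup 8 1
            echo "Memory optimization"
            tput cup 9 1
            echo -n "Please lnot memory size(1/2/3/4):"
            read -r b
            # freepages (min/low/high) exists only on 2.4 kernels; later kernels
            # dropped it (vm.min_free_kbytes is the nearest knob), so the write
            # is skipped with a message instead of failing silently
            case $b in
            1) freepages="2048 4096 6144" ;;
            2) freepages="4096 8192 12288" ;;
            3) freepages="6144 12288 18432" ;;
            4) freepages="8192 16384 24576" ;;
            *) freepages="" ;;
            esac
            clear
            if [ -z "$freepages" ]; then
                tput cup 1 1
                echo -n "ereor please enter:"
                read -r aa
            elif [ -w /proc/sys/vm/freepages ]; then
                echo "$freepages" > /proc/sys/vm/freepages
                clear
                tput cup 1 1
                echo "OK"
                sleep 1
            else
                tput cup 1 1
                echo "/proc/sys/vm/freepages is not available on this kernel, nothing changed"
                sleep 1
            fi
            ;;
        0)
            clear
            tput cup 12 12
            echo "Thank you usr 88"
            sleep 1
            clear
            exit
            ;;
        *)
            ;;
        esac
    done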
