我自己的linux安全初始化脚本
给大家发下我自己的系统初始化安全脚本吧,我手上没有64位的系统,所以只在32位的centos 5上检测过,如果有问题,请大家提出来哦.
系统:centos 5.5
脚本内容如下:
#!/bin/bash
# powered by rocdk890
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
yum -y install redhat-lsb
#===============================================================================
#this script is only for CentOS 5
#check the OS
#===============================================================================
platform=`uname -i`
if [ $platform != "i386" ];then
echo "this script is only for 32bit Operating System !"
exit 1
fi
echo "the platform is ok"
version=`lsb_release -r |awk '{print substr($2,1,1)}'`
if [ $version != 5 ];then
echo "this script is only for CentOS 5 !"
exit 1
fi
# Require root to run this script.
if [[ $(whoami) != root ]]; then
echo "Please run this script as root !"
exit 1
fi
cat<< EOF
+---------------------------------------+
| your system is CentOS 5 i386 |
| user is root |
| start optimizing....... |
+---------------------------------------
EOF
#add epel
rpm -Uvh http://mirrors.ustc.edu.cn/fedora/epel/5/i386/epel-release-5-4.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
#add CentALT
if [[ `uname -r | awk -F. '{print substr($NF,1,3)}'` == el5 ]]; then
cat>> /etc/yum.repos.d/centalt.repo<<EOF
[CentALT]
name=CentALT Packages for Enterprise Linux 5 - \$basearch
baseurl=http://centos.alt.ru/repository/centos/5/\$basearch/
enabled=1
gpgcheck=0
protect=1
EOF
fi
#install wget
yum -y install wget
#make the 163.com as the default yum repo
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.old
wget http://mirrors.163.com/.help/CentOS5-Base-163.repo -O /etc/yum.repos.d/CentOS-Base.repo
#remove software
yum -y remove Deployment_Guide-en-US finger cups-libs cups ypbind \
bluez-libs desktop-file-utils wireless-tools irda-utils yp-tools \
nfs-utils nfs-utils-lib rdate fetchmail eject ksh mkbootdisk mtools \
syslinux tcsh startup-notification talk apmd rmt dump setserial portmap
#disable selinux
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
echo "selinux is disabled,you must reboot!"
#install software
yum -y install gcc gcc-c++ ncurses-devel libxml2-devel openssl-devel sysstat lsof \
nmap curl-devel libjpeg-devel libpng-devel autoconf pcre-devel libtool-libs freetype-devel gd zlib-devel \
zip unzip crontabs iptables file bison patch mlocate flex diffutils automake make kernel-devel \
readline-devel glibc-devel glib2-devel bzip2-devel gettext-devel libcap-devel logrotate vixie-cron
#set timezone
echo "start set timezone."
rm -rf /etc/localtime
\cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
yum -y install ntp
ntpdate -d time.nist.gov
#echo "10 23 * * * /usr/sbin/ntpdate 210.72.145.44 > /dev/null 2>&1" >> /var/spool/cron/root
echo "10 22 * * * /usr/sbin/ntpdate 210.72.145.44" >> /etc/crontab
echo "10 23 * * * /usr/sbin/ntpdate time.nist.gov" >> /etc/crontab
service crond restart
#set ssh
\cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
sed -i 's/#Port 22/Port 18330/' /etc/ssh/sshd_config
sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
service sshd restart
#Disable ctrlaltdel three key to reboot syste
\cp /etc/inittab /etc/inittab.old
sed -i "s/ca::ctrlaltdel:\/sbin/shutdown -t3 -r now/#ca::ctrlaltdel:\/sbin/shutdown -t3 -r now/" /etc/inittab
/sbin/init q
echo "Disable ctrlaltdel three key to reboot system.--->OK"
sleep 1
#disable unnecessary services
SERVICES=acpid apmd atd auditd autofs avahi-daemon bluetooth cpuspeed cups firstboot gpm haldaemon hidd hplip ip6tables isdn lm_sensors mcstrans messagebus netfs nfslock pcscd portmap restorecond rpcgssd rpcidmapd yum-updatesd smartd rawdevices sendmail
for service in $SERVICES
do
${CHKCONFIG} $service off
${SERVICE} $service stop
done
echo "disable unnecessary services done!"
sleep 1
# disable the IPV6
cp /etc/modprobe.conf /etc/modprobe.conf.old
echo alias net-pf-10 off >> /etc/modprobe.conf
echo alias ipv6 off >> /etc/modprobe.conf
echo "disable the IPV6 is ok !"
sleep 1
#set the file limit
\cp /etc/security/limits.conf /etc/security/limits.conf.old
sed -i ' /# End of file/i\*\t\t-\tnofile\t\t65535' /etc/security/limits.conf
ulimit -SHn 65535
echo "ulimit -SHn 65535" >> /etc/rc.local
cat>> /etc/security/limits.conf<< EOF
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
EOF
#tune kernel parametres
cp /etc/sysctl.conf /etc/sysctl.conf.old
cat> /etc/sysctl.conf<< EOF
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 4194304
net.ipv4.tcp_wmem = 4096 4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.netfilter.ip_conntrack_max = 1048576
kernel.panic = 5
fs.file-max = 165535
EOF
/sbin/sysctl -p
#set user
cp /etc/passwd /etc/passwd.sav
cp /etc/group /etc/group.sav
for a in adm lp sync news uucp operator games gopher mailnull nscd rpc;
do /usr/sbin/userdel $a -f; done
#off the excess tty
\cp /etc/inittab /etc/inittab.old
sed -i '/tty[2-6]/s/^/#/' /etc/inittab
/sbin/init q
echo "off the excess tty -->ok!"
sleep 1
#password length limit
sed -i 's/PASS_MIN_LEN\([\t ]*\)5/PASS_MIN_LEN\18/' /etc/login.defs
#set histsize
sed -i 's/HISTSIZE=1000/HISTSIZE=500/' /etc/profile
source /etc/profile
#set firewall
\cp /etc/sysconfig/iptables /etc/sysconfig/iptables.`date +%Y-%m-%d_%H-%M-%S`
cat > /etc/sysconfig/iptables << EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
#-A INPUT -d 224.0.0.1 -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A bad_packets -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
#-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
#-A tcp_inbound -p tcp -m tcp --dport 5999 -j ACCEPT
#-A tcp_inbound -p tcp -m tcp --dport 5666 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 18330 -j ACCEPT
#-A tcp_inbound -p tcp -m tcp --dport 873 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --dport 123 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 53 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Wed Mar 14 19:16:30 2012
# Generated by iptables-save v1.3.5 on Wed Mar 14 19:16:30 2012
*nat
:PREROUTING ACCEPT [10:780]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Mar 14 19:16:30 2012
# Generated by iptables-save v1.3.5 on Wed Mar 14 19:16:30 2012
*mangle
:PREROUTING ACCEPT [10:780]
:INPUT ACCEPT [1250:165013]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [434:62912]
COMMIT
EOF
service iptables restart
echo "config firewall done!"
sleep 1
#set chattr
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services
echo "config chattr done!"
rocdk890
Michael
ade
西门堵车
朱祁镇
r1p
milton010
评论: