我自己的linux安全初始化脚本(第2版)
昨天给大家发的脚本太粗糙了,急急忙忙就发布出来了,今天重新发下修改版本给大家,在这里要多谢兔兔,他帮忙排版和进行帮忙修改.
系统:centos 5.5
脚本内容:
vi autoconf.sh
#!/bin/bash PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin export PATH # Require root to run this script. echo " check user......" if [[ $(whoami) != root ]]; then echo "Please run this script as root !" exit 1 fi echo " check lsb_release....." chlsb=`whereis lsb_release` wchlsb=${#chlsb} if [ $wchlsb > 12 ]; then echo " has installed redhat-lsb." else echo " no found. install redhat-lsb......" yum -y install redhat-lsb fi #disable selinux echo " check selinux" selinuxstatus=`getenforce` if [ $selinuxstatus != "Disabled" ];then echo "selinux status is $selinuxstatus, must disabled." sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config echo "Now, you must reboot!" exit 1 else echo " SElinux is disabled." fi #=============================================================================== #this script is only for CentOS 5 #check the OS #=============================================================================== platform=`uname -i` if [ $platform = "i386" ] || [ $platform = "i686" ];then echo " the platform is ok" else echo "this script is only for 32bit Operating System !" exit 1 fi version=`lsb_release -r |awk '{print substr($2,1,1)}'` if [ $version != 5 ];then echo "this script is only for CentOS 5 !" exit 1 fi cat<< EOF +---------------------------------------+ | your system is CentOS 5 i386 | | user is root | | start optimizing....... | +--------------------------------------- EOF #add epel rpm -Uvh http://mirrors.ustc.edu.cn/fedora/epel/5/i386/epel-release-5-4.noarch.rpm rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 #add CentALT if [[ `uname -r | awk -F. '{print substr($NF,1,3)}'` == el5 ]]; then cat>> /etc/yum.repos.d/centalt.repo<<EOF [CentALT] name=CentALT Packages for Enterprise Linux 5 - \$basearch baseurl=http://centos.alt.ru/repository/centos/5/\$basearch/ enabled=1 gpgcheck=0 protect=1 EOF fi #install wget yum -y install wget #make the 163.com as the default yum repo mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.old wget http://mirrors.163.com/.help/CentOS5-Base-163.repo -O /etc/yum.repos.d/CentOS-Base.repo #remove software yum -y remove Deployment_Guide-en-US finger cups-libs cups ypbind \ bluez-libs desktop-file-utils wireless-tools irda-utils yp-tools \ nfs-utils nfs-utils-lib rdate fetchmail eject ksh mkbootdisk mtools \ syslinux tcsh startup-notification talk apmd rmt dump setserial portmap #install software yum -y install gcc gcc-c++ ncurses-devel libxml2-devel openssl-devel sysstat lsof \ nmap curl-devel libjpeg-devel libpng-devel autoconf pcre-devel libtool-libs freetype-devel gd zlib-devel \ zip unzip crontabs iptables file bison patch mlocate flex diffutils automake make kernel-devel \ readline-devel glibc-devel glib2-devel bzip2-devel gettext-devel libcap-devel logrotate vixie-cron #set timezone echo "start set timezone." rm -rf /etc/localtime cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime yum -y install ntp ntpdate -d time.nist.gov #echo "10 23 * * * /usr/sbin/ntpdate 210.72.145.44 > /dev/null 2>&1" >> /var/spool/cron/root echo "10 22 * * * /usr/sbin/ntpdate 210.72.145.44" >> /etc/crontab echo "10 23 * * * /usr/sbin/ntpdate time.nist.gov" >> /etc/crontab service crond restart #set ssh cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old sed -i 's/#Port 22/Port 18330/' /etc/ssh/sshd_config sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config service sshd restart #Disable ctrlaltdel three key to reboot syste cp /etc/inittab /etc/inittab.old sed -i "s/ca::ctrlaltdel:\/sbin/shutdown -t3 -r now/#ca::ctrlaltdel:\/sbin/shutdown -t3 -r now/" /etc/inittab /sbin/init q echo "Disable ctrlaltdel three key to reboot system.--->OK" sleep 1 #disable unnecessary services SERVICES=acpid apmd atd auditd autofs avahi-daemon bluetooth cpuspeed cups firstboot gpm haldaemon hidd hplip ip6tables isdn lm_sensors mcstrans messagebus netfs nfslock pcscd portmap restorecond rpcgssd rpcidmapd yum-updatesd smartd rawdevices sendmail for service in $SERVICES do ${CHKCONFIG} $service off ${SERVICE} $service stop done echo "disable unnecessary services done!" sleep 1 # disable the IPV6 cp /etc/modprobe.conf /etc/modprobe.conf.old echo alias net-pf-10 off >> /etc/modprobe.conf echo alias ipv6 off >> /etc/modprobe.conf echo "disable the IPV6 is ok !" sleep 1 #set the file limit cp /etc/security/limits.conf /etc/security/limits.conf.old sed -i ' /# End of file/i\*\t\t-\tnofile\t\t65535' /etc/security/limits.conf ulimit -SHn 65535 echo "ulimit -SHn 65535" >> /etc/rc.local cat>> /etc/security/limits.conf<< EOF * soft nproc 65535 * hard nproc 65535 * soft nofile 65535 * hard nofile 65535 EOF #tune kernel parametres cp /etc/sysctl.conf /etc/sysctl.conf.old cat> /etc/sysctl.conf<< EOF net.ipv4.ip_forward = 0 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.default.accept_source_route = 0 kernel.sysrq = 0 kernel.core_uses_pid = 1 net.ipv4.tcp_syncookies = 1 kernel.msgmnb = 65536 kernel.msgmax = 65536 kernel.shmmax = 4294967295 kernel.shmall = 268435456 net.ipv4.tcp_max_tw_buckets = 6000 net.ipv4.tcp_sack = 1 net.ipv4.tcp_window_scaling = 1 net.ipv4.tcp_rmem = 4096 4194304 net.ipv4.tcp_wmem = 4096 4194304 net.core.wmem_default = 8388608 net.core.rmem_default = 8388608 net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 net.core.netdev_max_backlog = 262144 net.core.somaxconn = 262144 net.ipv4.tcp_max_orphans = 3276800 net.ipv4.tcp_max_syn_backlog = 262144 net.ipv4.tcp_timestamps = 0 net.ipv4.tcp_synack_retries = 1 net.ipv4.tcp_syn_retries = 1 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_mem = 94500000 915000000 927000000 net.ipv4.tcp_fin_timeout = 1 net.ipv4.tcp_keepalive_time = 30 net.ipv4.ip_local_port_range = 1024 65000 net.ipv4.netfilter.ip_conntrack_max = 1048576 kernel.panic = 5 fs.file-max = 165535 EOF /sbin/sysctl -p #set user cp /etc/passwd /etc/passwd.sav cp /etc/group /etc/group.sav for a in adm lp sync news uucp operator games gopher mailnull nscd rpc; do /usr/sbin/userdel $a -f; done #off the excess tty cp /etc/inittab /etc/inittab.old sed -i '/tty[2-6]/s/^/#/' /etc/inittab echo "off the excess tty -->ok!" sleep 1 #password length limit sed -i 's/PASS_MIN_LEN\([\t ]*\)5/PASS_MIN_LEN\18/' /etc/login.defs #set histsize sed -i 's/HISTSIZE=1000/HISTSIZE=500/' /etc/profile source /etc/profile #set firewall cp /etc/sysconfig/iptables /etc/sysconfig/iptables.`date +%Y-%m-%d_%H-%M-%S` cat > /etc/sysconfig/iptables << EOF *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] :bad_packets - [0:0] :bad_tcp_packets - [0:0] :icmp_packets - [0:0] :tcp_inbound - [0:0] :tcp_outbound - [0:0] :udp_inbound - [0:0] :udp_outbound - [0:0] -A INPUT -i lo -j ACCEPT #-A INPUT -d 224.0.0.1 -j DROP -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp -j tcp_inbound -A INPUT -i eth0 -p udp -j udp_inbound -A INPUT -i eth0 -p icmp -j icmp_packets -A INPUT -m pkttype --pkt-type broadcast -j DROP -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: " -A INPUT -j bad_packets -A OUTPUT -p icmp -m state --state INVALID -j DROP -A OUTPUT -s 127.0.0.1 -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o eth0 -j ACCEPT -A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: " -A bad_packets -m state --state INVALID -j LOG --log-prefix "Invalid packet: " -A bad_packets -m state --state INVALID -j DROP -A bad_packets -p tcp -j bad_tcp_packets -A bad_packets -j RETURN -A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn: " -A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: " -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: " -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: " -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: " -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP -A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: " -A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: " -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP -A bad_tcp_packets -p tcp -j RETURN -A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: " -A icmp_packets -p icmp -f -j DROP -A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT -A icmp_packets -p icmp -j RETURN #-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT #-A tcp_inbound -p tcp -m tcp --dport 5999 -j ACCEPT #-A tcp_inbound -p tcp -m tcp --dport 5666 -j ACCEPT -A tcp_inbound -p tcp -m tcp --dport 18330 -j ACCEPT #-A tcp_inbound -p tcp -m tcp --dport 873 -j ACCEPT -A tcp_inbound -p tcp -j RETURN -A tcp_outbound -p tcp -j ACCEPT -A udp_inbound -p udp -m udp --dport 137 -j DROP -A udp_inbound -p udp -m udp --dport 138 -j DROP -A udp_inbound -p udp -m udp --dport 123 -j ACCEPT -A udp_inbound -p udp -m udp --dport 53 -j ACCEPT -A udp_inbound -p udp -j RETURN -A udp_outbound -p udp -j ACCEPT COMMIT # Completed on Wed Mar 14 19:16:30 2012 # Generated by iptables-save v1.3.5 on Wed Mar 14 19:16:30 2012 *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] COMMIT # Completed on Wed Mar 14 19:16:30 2012 # Generated by iptables-save v1.3.5 on Wed Mar 14 19:16:30 2012 *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT EOF service iptables restart echo "config firewall done!" sleep 1 #set chattr chattr +i /etc/passwd chattr +i /etc/shadow chattr +i /etc/group chattr +i /etc/gshadow chattr +i /etc/services echo "config chattr done!"
评论: