我自己的linux安全初始化脚本(第2版)

post by rocdk890 / 2013-4-13 0:30 Saturday linux技术

  昨天给大家发的脚本太粗糙了,急急忙忙就发布出来了,今天重新发一下修改版本给大家。在这里要多谢兔兔,他帮忙排版并修改了脚本。
  系统:centos 5.5
脚本内容:
vi autoconf.sh

#!/bin/bash
# CentOS 5 (i386) initial setup script: rewrites files under /etc, installs and
# removes packages and restarts services, so every later step needs root.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
# Require root to run this script.
echo "  check user......"
case "$(whoami)" in
  root)
    ;;
  *)
    echo "Please run this script as root !"
    exit 1
    ;;
esac
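# Make sure lsb_release exists; the release-number check below depends on it.
echo "  check lsb_release....."
# The original test `[ $wchlsb > 12 ]` was not a comparison: `>` inside `[ ]`
# is a shell redirection, so it created a file named "12" and the test only
# checked that the string was non-empty. Probe for the executable instead.
if command -v lsb_release >/dev/null 2>&1; then
  echo "  has installed redhat-lsb."
else
  echo "  no found. install redhat-lsb......"
  yum -y install redhat-lsb
fi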
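#disable selinux
# NOTE: this switches SELinux off permanently (the author's chosen baseline);
# the kernel's mandatory access control is gone from the next boot on.
echo "  check selinux"
if ! command -v getenforce >/dev/null 2>&1; then
  echo "  getenforce not found, assuming SElinux is not installed."
else
  selinuxstatus=$(getenforce)
  # Quoted: an empty result would otherwise be a `[` syntax error.
  if [ "$selinuxstatus" != "Disabled" ]; then
    echo "selinux status is $selinuxstatus, must disabled."
    # Rewrite whatever mode is configured. The original only substituted
    # "enforcing", so a host in Permissive mode was told to reboot but its
    # config never changed, and it hit this exit again on every run.
    sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
    echo "Now, you must reboot!"
    exit 1
  else
    echo "  SElinux is disabled."
  fi
fi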
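#===============================================================================
#this script is only for CentOS 5
#check the OS
#===============================================================================
platform=$(uname -i)
# Quoted so an empty or "unknown" result yields the clean "not supported"
# exit instead of a `[` syntax error.
if [ "$platform" = "i386" ] || [ "$platform" = "i686" ]; then
  echo "  the platform is ok"
else
  echo "this script is only for 32bit Operating System !"
  exit 1
fi
# First character of the release number, e.g. "5" from "Release: 5.5".
version=$(lsb_release -r | awk '{print substr($2,1,1)}')
if [ "$version" != 5 ]; then
  echo "this script is only for CentOS 5 !"
  exit 1
fi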

# Banner printed once all preflight checks have passed.
printf '%s\n' \
  '+---------------------------------------+  ' \
  '|   your system is CentOS 5 i386        |' \
  '|         user is root                  |' \
  '|      start optimizing.......          |  ' \
  '+---------------------------------------  '
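#add epel
# The release RPM is fetched over plain HTTP and installed before its signing
# key is present, so rpm cannot verify this particular download; the mirror is
# trusted by policy. Report failure instead of silently moving on.
if ! rpm -Uvh http://mirrors.ustc.edu.cn/fedora/epel/5/i386/epel-release-5-4.noarch.rpm; then
  echo "epel-release install failed; EPEL packages will not be available." >&2
fi
# Import whichever EPEL key file(s) the release package actually dropped. The
# original hard-coded RPM-GPG-KEY-EPEL-6, an EL6-style name that an EL5 release
# package does not appear to provide, so the import would have failed.
for epel_key in /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL*; do
  [ -e "$epel_key" ] && rpm --import "$epel_key"
done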

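#add CentALT
# Kernel release looks like 2.6.18-xxx.el5; the first three characters of the
# last dot-separated field identify an EL5 kernel.
kernel_flavor=$(uname -r | awk -F. '{print substr($NF,1,3)}')
if [[ "$kernel_flavor" == el5 ]]; then
  # Overwrite rather than append: the original `cat>>` stacked a duplicate
  # [CentALT] section every time the script was re-run.
  # gpgcheck=0 means packages from this repo are installed without signature
  # verification, so a tampered mirror or download goes undetected by yum.
  # Quoted delimiter keeps $basearch literal for yum to expand.
  cat > /etc/yum.repos.d/centalt.repo <<'EOF'
[CentALT]
name=CentALT Packages for Enterprise Linux 5 - $basearch
baseurl=http://centos.alt.ru/repository/centos/5/$basearch/
enabled=1
gpgcheck=0
protect=1
EOF
fi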

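#install wget
yum -y install wget

#make the 163.com as the default yum repo
# Download first, swap second. The original moved the stock repo file away
# before fetching, so a failed wget left the host with no CentOS-Base repo.
# The file is fetched over plain HTTP with no checksum, so at least require a
# successful, non-empty download before it replaces the stock configuration.
repo_tmp=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
if wget http://mirrors.163.com/.help/CentOS5-Base-163.repo -O "$repo_tmp" && [ -s "$repo_tmp" ]; then
  mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.old
  mv "$repo_tmp" /etc/yum.repos.d/CentOS-Base.repo
  # mktemp creates the file 0600; repo files are conventionally world-readable.
  chmod 644 /etc/yum.repos.d/CentOS-Base.repo
else
  echo "download of CentOS5-Base-163.repo failed, keeping the stock repo file." >&2
  rm -f -- "$repo_tmp"
fi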

#remove software
# Package lists kept in arrays so each name stays one word to yum.
remove_pkgs=(
  Deployment_Guide-en-US finger cups-libs cups ypbind
  bluez-libs desktop-file-utils wireless-tools irda-utils yp-tools
  nfs-utils nfs-utils-lib rdate fetchmail eject ksh mkbootdisk mtools
  syslinux tcsh startup-notification talk apmd rmt dump setserial portmap
)
yum -y remove "${remove_pkgs[@]}"

#install software
install_pkgs=(
  gcc gcc-c++ ncurses-devel libxml2-devel openssl-devel sysstat lsof
  nmap curl-devel libjpeg-devel libpng-devel autoconf pcre-devel libtool-libs freetype-devel gd zlib-devel
  zip unzip crontabs iptables file bison patch mlocate flex diffutils automake make kernel-devel
  readline-devel glibc-devel glib2-devel bzip2-devel gettext-devel libcap-devel logrotate vixie-cron
)
yum -y install "${install_pkgs[@]}"

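#set timezone
echo "start set timezone."
rm -f /etc/localtime
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
yum -y install ntp
# Without -d: ntpdate's debug mode walks through the exchange but does NOT
# adjust the clock, so the original never actually set the time here.
ntpdate time.nist.gov

# Append an entry to the system crontab unless an identical line is present.
# /etc/crontab lines carry a USER field before the command; the original
# entries omitted it, so cron would have read "/usr/sbin/ntpdate" as the user.
# Arguments: $1 - complete crontab line (schedule, user, command)
add_crontab_entry() {
  local entry=$1
  grep -qxF -- "$entry" /etc/crontab || echo "$entry" >> /etc/crontab
}
add_crontab_entry "10 22 * * * root /usr/sbin/ntpdate 210.72.145.44"
add_crontab_entry "10 23 * * * root /usr/sbin/ntpdate time.nist.gov"
service crond restart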

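#set ssh
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
sed -i 's/#Port 22/Port 18330/' /etc/ssh/sshd_config
sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
# The firewall written later admits inbound TCP only on 18330. If the Port
# line was not rewritten (e.g. it was already uncommented) the restart below
# followed by the firewall load would lock the administrator out, so confirm
# the edit took and that the file still parses before restarting.
if ! grep -q '^Port 18330$' /etc/ssh/sshd_config; then
  echo "sshd_config does not contain 'Port 18330'; fix it before continuing." >&2
  exit 1
fi
if ! sshd -t; then
  echo "sshd_config failed its syntax check, restoring the backup." >&2
  cp /etc/ssh/sshd_config.old /etc/ssh/sshd_config
  exit 1
fi
service sshd restart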

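#Disable ctrlaltdel three key to reboot syste
cp /etc/inittab /etc/inittab.old
# Use '|' as the s/// delimiter. The original used '/' while its pattern
# contained "/sbin/shutdown", so sed rejected the expression and the entry was
# never commented out. Anchoring on the id leaves an already-commented line alone.
sed -i 's|^ca::ctrlaltdel:|#ca::ctrlaltdel:|' /etc/inittab
/sbin/init q
echo "Disable ctrlaltdel three key to reboot system.--->OK"
sleep 1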

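#disable unnecessary services
# Bash array: the original `SERVICES=acpid apmd ...` assigned only "acpid" and
# then tried to run "apmd" as a command, and ${CHKCONFIG}/${SERVICE} were never
# defined, so the loop executed "<name> off" instead of chkconfig/service.
# NOTE: auditd, ip6tables and restorecond are on this list. Stopping auditd
# removes the kernel audit trail - a loss of visibility, not a hardening step.
services=(
  acpid apmd atd auditd autofs avahi-daemon bluetooth cpuspeed cups firstboot
  gpm haldaemon hidd hplip ip6tables isdn lm_sensors mcstrans messagebus netfs
  nfslock pcscd portmap restorecond rpcgssd rpcidmapd yum-updatesd smartd
  rawdevices sendmail
)
for svc in "${services[@]}"; do
  # Skip names with no init script so chkconfig/service do not spam errors.
  [ -e "/etc/init.d/$svc" ] || continue
  chkconfig "$svc" off
  service "$svc" stop
done
echo "disable unnecessary services done!"
sleep 1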

# disable the IPV6
cp /etc/modprobe.conf /etc/modprobe.conf.old
# Both aliases appended in one write; same two lines the original echoed.
cat >> /etc/modprobe.conf <<'EOF'
alias net-pf-10 off
alias ipv6 off
EOF
echo "disable the IPV6 is ok !"
sleep 1

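#set the file limit
cp /etc/security/limits.conf /etc/security/limits.conf.old
# The original also inserted "* - nofile 65535" with a sed `i\` command using
# \t escapes; the explicit soft/hard lines below set the same limits, so that
# fragile line is dropped. Append only once so re-runs do not stack entries.
if ! grep -q '^\* hard nofile 65535' /etc/security/limits.conf; then
  cat >> /etc/security/limits.conf <<'EOF'
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
EOF
fi
ulimit -SHn 65535
grep -qxF 'ulimit -SHn 65535' /etc/rc.local || echo "ulimit -SHn 65535" >> /etc/rc.local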

#tune kernel parametres
cp /etc/sysctl.conf /etc/sysctl.conf.old
# Quoted delimiter: nothing below needs shell expansion.
# NOTE(review): net.ipv4.tcp_tw_recycle = 1 is combined with
# net.ipv4.tcp_timestamps = 0; tw_recycle relies on TCP timestamps, so the
# recycle setting looks inert here - confirm that is intended.
# NOTE(review): net.ipv4.netfilter.ip_conntrack_max only exists once the
# conntrack module is loaded; `sysctl -p` reports that key as unknown otherwise.
cat > /etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096  4194304
net.ipv4.tcp_wmem = 4096  4194304
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_keepalive_time = 30
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.netfilter.ip_conntrack_max = 1048576
kernel.panic = 5
fs.file-max = 165535
EOF
/sbin/sysctl -p

#set user
cp /etc/passwd /etc/passwd.sav
cp /etc/group /etc/group.sav
# NOTE(review): "rpc" and "nscd" are service accounts for portmap/nscd; their
# removal is deliberate here but those services cannot run afterwards.
unwanted_users=(adm lp sync news uucp operator games gopher mailnull nscd rpc)
for user_name in "${unwanted_users[@]}"; do
  /usr/sbin/userdel "$user_name" -f
done

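#off the excess tty
# Keep an existing backup: an unconditional cp here overwrote the pristine
# copy taken before the ctrlaltdel edit with the already-modified file.
[ -e /etc/inittab.old ] || cp /etc/inittab /etc/inittab.old
# Only lines not already commented, so a re-run does not produce "##".
sed -i '/^[^#].*tty[2-6]/s/^/#/' /etc/inittab
echo "off the excess tty -->ok!"
sleep 1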

#password length limit
# \1 keeps the original whitespace between PASS_MIN_LEN and the value.
sed -i 's/PASS_MIN_LEN\([\t ]*\)5/PASS_MIN_LEN\18/' /etc/login.defs

#set histsize
# NOTE(review): this halves the interactive shell history (1000 -> 500), i.e.
# less command history is retained for later incident review.
sed -i 's/HISTSIZE=1000/HISTSIZE=500/' /etc/profile
. /etc/profile

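#set firewall
# Back up the current ruleset only when one exists; the original cp failed
# noisily on a fresh host and the script carried on regardless.
if [ -e /etc/sysconfig/iptables ]; then
  cp /etc/sysconfig/iptables "/etc/sysconfig/iptables.$(date +%Y-%m-%d_%H-%M-%S)"
fi
# Policy is DROP on INPUT/FORWARD/OUTPUT. Inbound TCP is admitted only on
# 18330 (the sshd port set earlier); inbound UDP 123 and 53 are accepted
# unconditionally, which only matters if an NTP or DNS server is listening.
# Interface names are hard-coded to eth0: a host whose NIC is named otherwise
# gets the DROP policy with no ACCEPT rules for its traffic.
cat > /etc/sysconfig/iptables <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT 
#-A INPUT -d 224.0.0.1 -j DROP 
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i eth0 -p tcp -j tcp_inbound 
-A INPUT -i eth0 -p udp -j udp_inbound 
-A INPUT -i eth0 -p icmp -j icmp_packets 
-A INPUT -m pkttype --pkt-type broadcast -j DROP 
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: " 
-A INPUT -j bad_packets 
-A OUTPUT -p icmp -m state --state INVALID -j DROP 
-A OUTPUT -s 127.0.0.1 -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -o eth0 -j ACCEPT 
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: " 
-A bad_packets -m state --state INVALID -j LOG --log-prefix "Invalid packet: " 
-A bad_packets -m state --state INVALID -j DROP 
-A bad_packets -p tcp -j bad_tcp_packets 
-A bad_packets -j RETURN 
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn: " 
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: " 
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: " 
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP 
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: " 
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP 
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: " 
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP 
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: " 
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP 
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: " 
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
-A bad_tcp_packets -p tcp -j RETURN 
-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: " 
-A icmp_packets -p icmp -f -j DROP 
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP 
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A icmp_packets -p icmp -j RETURN 
#-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT 
#-A tcp_inbound -p tcp -m tcp --dport 5999 -j ACCEPT
#-A tcp_inbound -p tcp -m tcp --dport 5666 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 18330 -j ACCEPT 
#-A tcp_inbound -p tcp -m tcp --dport 873 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN 
-A tcp_outbound -p tcp -j ACCEPT 
-A udp_inbound -p udp -m udp --dport 137 -j DROP 
-A udp_inbound -p udp -m udp --dport 138 -j DROP 
-A udp_inbound -p udp -m udp --dport 123 -j ACCEPT 
-A udp_inbound -p udp -m udp --dport 53 -j ACCEPT 
-A udp_inbound -p udp -j RETURN 
-A udp_outbound -p udp -j ACCEPT 
COMMIT
# Completed on Wed Mar 14 19:16:30 2012
# Generated by iptables-save v1.3.5 on Wed Mar 14 19:16:30 2012
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Mar 14 19:16:30 2012
# Generated by iptables-save v1.3.5 on Wed Mar 14 19:16:30 2012
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF

# A failed restore leaves whatever ruleset was active; say so rather than
# claiming success.
if service iptables restart; then
  echo "config firewall done!"
else
  echo "iptables restart failed; review /etc/sysconfig/iptables before disconnecting." >&2
fi
sleep 1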

#set chattr
# Immutable bit on the account databases and /etc/services: useradd, usermod
# and passwd will fail until `chattr -i` is run on these files again.
for locked_file in /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services; do
  chattr +i "$locked_file"
done
echo "config chattr done!"

