shell脚本自动加固ssh
最近实在无聊，看了下，很多朋友都自己一个命令一个命令地去改 ssh 配置，但也有大牛自己写了 shell 脚本来自动配置 ssh，我也自己写了个简单的给大家看看。
系统:centos 7.x(64位)
cat /root/soft_shell/auto_ssh.sh
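#!/bin/bash
#
# auto_ssh.sh - interactively set the sshd listen port and LoginGraceTime,
# pin a handful of sshd_config directives and write a matching iptables
# ruleset, then restart both services.
#
# Target: CentOS 6.x (service/chkconfig) and 7.x (systemctl) using the
# iptables service (on 7.x that is the iptables-services package, not
# firewalld).  Must run as root.  sshd_config and the iptables ruleset are
# backed up as <file>.<YYYYmmdd>bak before being touched, and each new file
# is validated (sshd -t, iptables-restore --test) before a service restart,
# so a bad value cannot leave the host without a working sshd or firewall.
#
# Directives are edited by name rather than by line number: the line-number
# edits of earlier versions silently corrupted any sshd_config that was not
# the stock CentOS 7 file.
set -euo pipefail
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/opt/bin:/opt/sbin:~/bin
export PATH

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly IPTABLES_CONFIG=/etc/sysconfig/iptables

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Set (or insert) one sshd_config directive.
# The first line already carrying the directive - commented out or not - is
# rewritten in place so the file keeps its layout; if none exists the
# directive is appended.
# NOTE: a directive appended after a "Match" block would only apply inside
# that block; the stock CentOS file has none.
# Arguments: $1 - directive name, $2 - value, $3 - file (default SSHD_CONFIG)
#######################################
set_sshd_option() {
  local key=$1 value=$2 file=${3:-$SSHD_CONFIG}
  local re="^[#[:space:]]*${key}([[:space:]].*)?$"
  local esc
  # '/' and '&' are special in the sed replacement; neutralise them so the
  # value cannot alter the expression.
  esc=$(printf '%s' "$value" | sed 's/[\/&]/\\&/g')
  if grep -Eq -- "$re" "$file"; then
    # "0,/re/" limits the substitution to the first matching line (GNU sed).
    sed -i -E "0,/${re}/{s/${re}/${key} ${esc}/}" -- "$file"
  else
    # Make sure the appended directive starts on its own line.
    [[ -z "$(tail -c1 -- "$file")" ]] || printf '\n' >> "$file"
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Check if user is root
[[ "$(id -u)" -eq 0 ]] || die "Error: You must be root to run this script, please use root to install"

stamp=$(date +%Y%m%d)
readonly stamp
sshd_backup="${SSHD_CONFIG}.${stamp}bak"
cp -p -- "$SSHD_CONFIG" "$sshd_backup"

# --- sshd_config ----------------------------------------------------------
read -r -p "Port(default 22):" port || port=
port=${port:-22}
# Validated before it reaches sed or the iptables ruleset; 10# avoids octal
# interpretation of a leading zero.
[[ "$port" =~ ^[0-9]+$ ]] && (( 10#$port >= 1 && 10#$port <= 65535 )) \
  || die "invalid port: ${port}"

read -r -p "LoginGraceTime(s/m/h):" grace || grace=
# An empty answer used to write a bare "LoginGraceTime" line that sshd
# rejects; now it simply leaves sshd's default untouched.
if [[ -n "$grace" ]]; then
  [[ "$grace" =~ ^[0-9]+[smh]?$ ]] || die "invalid LoginGraceTime: ${grace}"
  set_sshd_option LoginGraceTime "$grace"
fi

set_sshd_option Port "$port"
set_sshd_option SyslogFacility AUTHPRIV
# NOTE(review): kept as the author wrote it, but on a hardened host root
# login should be "no" (or "prohibit-password") with an unprivileged user
# plus sudo; a direct root login is the account every brute-force list tries.
set_sshd_option PermitRootLogin yes
set_sshd_option ChallengeResponseAuthentication no
set_sshd_option GSSAPICleanupCredentials no
set_sshd_option UsePrivilegeSeparation sandbox
set_sshd_option UseDNS no
set_sshd_option PermitEmptyPasswords no

# Never restart sshd on a config it cannot parse - that is how you get
# locked out.  Roll back to the backup instead.
if ! sshd -t -f "$SSHD_CONFIG"; then
  cp -p -- "$sshd_backup" "$SSHD_CONFIG"
  die "sshd rejected the new ${SSHD_CONFIG}; backup restored, nothing changed"
fi

# --- iptables -------------------------------------------------------------
iptables_backup=
if [[ -e "$IPTABLES_CONFIG" ]]; then
  iptables_backup="${IPTABLES_CONFIG}.${stamp}bak"
  cp -p -- "$IPTABLES_CONFIG" "$iptables_backup"
fi

# The ssh ACCEPT rule takes the validated port directly; the old version
# parsed netstat for the *current* port and patched the file by line number.
# NOTE(review): "--sport 53" accepts any UDP datagram whose source port is 53,
# not only DNS replies - the RELATED,ESTABLISHED rule already covers replies.
# NOTE(review): the "-s xmr.crypto-pool.fr" rule is resolved by
# iptables-restore at load time; if DNS is unavailable the whole ruleset
# fails to load, which the --test below now catches before the restart.
cat > "$IPTABLES_CONFIG" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -s 222.239.10.0/24 -j DROP
-A INPUT -s 204.42.253.0/24 -j DROP
-A INPUT -s 94.102.49.0/24 -j DROP
-A INPUT -s 46.172.91.0/24 -j DROP
-A INPUT -s 80.82.70.0/24 -j DROP
-A INPUT -s 74.82.47.0/24 -j DROP
-A INPUT -s 71.6.146.0/24 -j DROP
-A INPUT -s 221.194.44.0/24 -j DROP
-A INPUT -s 185.110.132.0/24 -j DROP
-A INPUT -s 209.126.122.0/24 -j DROP
-A INPUT -s 89.163.145.0/24 -j DROP
-A INPUT -s 185.35.62.0/24 -j DROP
-A INPUT -s 82.102.173.0/24 -j DROP
-A INPUT -s 125.88.158.0/24 -j DROP
-A INPUT -s 185.159.37.0/24 -j DROP
-A INPUT -s 222.186.34.0/24 -j DROP
-A INPUT -s 218.87.109.0/24 -j DROP
-A INPUT -s 91.224.160.0/24 -j DROP
-A INPUT -s 91.224.161.0/24 -j DROP
-A INPUT -s 91.201.236.0/24 -j DROP
-A INPUT -p tcp -m tcp --dport ${port} -j ACCEPT
-A INPUT -s xmr.crypto-pool.fr -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec --limit-burst 1 -j ACCEPT
-A INPUT -m state --state INVALID,NEW -j DROP
-A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT
COMMIT
EOF

# Parse the ruleset without committing it.  A failed "iptables restart"
# would otherwise leave the host with the flushed, policy-ACCEPT chains.
if ! iptables-restore --test < "$IPTABLES_CONFIG"; then
  [[ -n "$iptables_backup" ]] && cp -p -- "$iptables_backup" "$IPTABLES_CONFIG"
  die "iptables-restore rejected the new ${IPTABLES_CONFIG}; backup restored"
fi

# --- apply ----------------------------------------------------------------
# systemd presence distinguishes 7.x from 6.x more reliably than parsing
# /etc/redhat-release.
if command -v systemctl >/dev/null 2>&1; then
  systemctl restart sshd
  systemctl enable sshd
  systemctl restart iptables
else
  service sshd restart
  chkconfig sshd on
  service iptables restart
fi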

