linux等保加固脚本 shell



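#!/usr/bin/env bash
#
# Linux baseline hardening (等保 / MLPS-style) for RHEL/CentOS-like hosts:
#   - password quality and history (PAM system-auth)
#   - password ageing (/etc/login.defs)
#   - failed-login lockout (pam_tally2) for sshd and console login
#   - su restricted to members of group wheel
#   - root SSH login disabled, sshd restricted to one bastion host (TCP wrappers)
#   - shell idle timeout and default umask (/etc/profile)
#   - security updates via yum
#
# Usage:  sudo BASTION_IP=<bastion address> ./harden.sh
# Env:    BASTION_IP  host allowed to reach sshd in /etc/hosts.allow
#                     (defaults to the address hard-coded in the original
#                     script; override it for your own bastion).
#
# Requires root, GNU sed (-i and \n in replacements) and the pam_tally2,
# pam_wheel and pam_rootok modules in a standard PAM module directory.
#
# Every file this script edits is copied to <file>.bak first; an existing
# .bak is never overwritten, so re-running keeps the pristine copy. All
# edits are idempotent: the original script appended and inserted the same
# lines twice per run and again on every re-run.
set -euo pipefail

readonly BASTION_IP=${BASTION_IP:-192.168.200.122}

die() { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

#######################################
# Copy FILE to FILE.bak once. A missing FILE is skipped (nothing to back up);
# an existing .bak is kept so the first, pre-hardening copy survives re-runs.
# Arguments: $1 - file to back up
#######################################
backup_once() {
  local file=$1
  [[ -e "$file" ]] || return 0
  [[ -e "${file}.bak" ]] || cp -p -- "$file" "${file}.bak"
}

#######################################
# Append LINE to FILE unless an identical line is already present.
# Arguments: $1 - line, $2 - file (created if missing)
#######################################
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

#######################################
# Set KEY to VALUE in /etc/login.defs: rewrite the active line if there is
# one (the original did nothing when the key was absent), else append it.
# Arguments: $1 - key, $2 - value
#######################################
set_login_def() {
  local key=$1 value=$2
  local -r file=/etc/login.defs
  if grep -qE "^${key}[[:space:]]" "$file"; then
    sed -i -E "s/^${key}[[:space:]].*/${key} ${value}/" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

#######################################
# Replace the whole PAM line whose type, control and module match.
# Fields are separated by any run of whitespace: stock system-auth files use
# several spaces, which the original single-space patterns never matched,
# so the policy was silently not applied.
# Arguments: $1 - file, $2 - type, $3 - control, $4 - module, $5 - new line
#######################################
replace_pam_line() {
  local file=$1 type=$2 control=$3 module=$4 newline=$5
  [[ -e "$file" ]] || die "$file does not exist"
  local pattern="^${type}[[:space:]]+${control}[[:space:]]+${module//./\\.}"
  if grep -qE -- "$pattern" "$file"; then
    sed -i -E "s~${pattern}.*~${newline}~" "$file"
  else
    warn "no '${type} ${control} ${module}' line in ${file}; left unchanged"
  fi
}

#######################################
# Insert LINES, in order, directly after the "%PAM-1.0" header of FILE,
# unless GUARD (a module name) is already referenced in FILE.
# Arguments: $1 - file, $2 - guard string, $3.. - lines to insert
#######################################
insert_pam_auth_block() {
  local file=$1 guard=$2
  shift 2
  [[ -e "$file" ]] || die "$file does not exist"
  grep -qF -- "$guard" "$file" && return 0
  local joined="" line
  for line in "$@"; do
    joined+="\\n${line}"
  done
  sed -i "s#%PAM-1.0#%PAM-1.0${joined}#" "$file"
}

#######################################
# Abort unless MODULE exists in a standard PAM module directory: a
# "required" line naming a missing module makes every login fail.
# Arguments: $1 - module file name, e.g. pam_tally2.so
#######################################
require_pam_module() {
  local module=$1 dir
  for dir in /lib64/security /lib/security /usr/lib64/security /usr/lib/security; do
    [[ -e "${dir}/${module}" ]] && return 0
  done
  die "PAM module ${module} not found under the standard module directories"
}

# Password complexity, history and ageing.
configure_password_policy() {
  backup_once /etc/pam.d/passwd
  backup_once /etc/pam.d/system-auth
  backup_once /etc/login.defs

  # passwd(1) must run the system-auth password stack; some distributions
  # already do this via "substack", so accept either form.
  grep -qE '^password[[:space:]]+(include|substack)[[:space:]]+system-auth' /etc/pam.d/passwd \
    || append_once 'password include system-auth' /etc/pam.d/passwd

  # Up to 5 prompts; >=3 characters must differ from the old password;
  # >=8 characters with >=1 upper, >=3 lower, >=3 digits, >=1 other
  # (negative credit values are minimum counts).
  replace_pam_line /etc/pam.d/system-auth password requisite pam_cracklib.so \
    'password requisite pam_cracklib.so try_first_pass retry=5 difok=3 minlen=8 ucredit=-1 lcredit=-3 dcredit=-3 ocredit=-1'

  # Remember the last 24 passwords, hash with SHA-512.
  # NOTE(review): 'nullok' is kept from the original; it lets accounts with
  # an empty password authenticate. Drop it unless such accounts are needed.
  replace_pam_line /etc/pam.d/system-auth password sufficient pam_unix.so \
    'password sufficient pam_unix.so remember=24 sha512 shadow nullok try_first_pass use_authtok'

  # Ageing: at most one change per 30 days, a change at least every 90 days,
  # minimum length 8 (matches minlen above).
  set_login_def PASS_MAX_DAYS 90
  set_login_def PASS_MIN_DAYS 30
  set_login_def PASS_MIN_LEN 8
}

# Lock accounts after repeated authentication failures (sshd and console).
configure_login_lockout() {
  require_pam_module pam_tally2.so
  # 3 failures lock the account for 300 s (root: 600 s); a module error
  # counts as a failure instead of letting the login through.
  local -r tally='auth required pam_tally2.so onerr=fail deny=3 unlock_time=300 even_deny_root root_unlock_time=600'
  local file
  for file in /etc/pam.d/sshd /etc/pam.d/login; do
    backup_once "$file"
    insert_pam_auth_block "$file" pam_tally2.so "$tally"
  done
}

# Only members of group wheel may su to root (root itself is exempt).
configure_su_wheel_only() {
  require_pam_module pam_rootok.so
  require_pam_module pam_wheel.so
  backup_once /etc/pam.d/su
  # Modules are named without the /lib64/security prefix used by the
  # original so PAM resolves them from its own module directory.
  # Add a member with: usermod -aG wheel USER   (plain -G would drop the
  # user's other supplementary groups); remove one with: gpasswd -d USER wheel
  insert_pam_auth_block /etc/pam.d/su pam_wheel.so \
    'auth sufficient pam_rootok.so' \
    'auth required pam_wheel.so use_uid group=wheel'
}

# Disable direct root login over SSH and restart sshd only if the config
# still parses.
configure_sshd() {
  local -r cfg=/etc/ssh/sshd_config
  backup_once "$cfg"
  # Rewrite every active PermitRootLogin directive; append one only when
  # none exists (the original appended unconditionally, creating duplicates).
  # NOTE(review): appending assumes the file does not end in a Match block.
  if grep -qE '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg"; then
    sed -i -E 's/^[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$cfg"
  else
    append_once 'PermitRootLogin no' "$cfg"
  fi
  # A restart on a broken config stops sshd and locks everyone out.
  sshd -t || die "sshd_config failed validation; see ${cfg}.bak for the pre-change copy"
  if command -v systemctl >/dev/null 2>&1; then
    systemctl restart sshd
  else
    /etc/init.d/sshd restart
  fi
}

# Allow sshd connections from the bastion only.
configure_ssh_source_restriction() {
  # TCP wrappers read hosts.allow before hosts.deny, so the bastion entry is
  # written first. Only effective when sshd is built with libwrap support.
  # Existing sessions survive; new connections from any other address are
  # refused, so make sure BASTION_IP is the host you administer from.
  : "${BASTION_IP:?BASTION_IP must not be empty}"
  backup_once /etc/hosts.allow
  backup_once /etc/hosts.deny
  append_once "sshd:${BASTION_IP}:allow" /etc/hosts.allow
  append_once 'all:all' /etc/hosts.deny
}

# Idle timeout and default umask for login shells.
configure_shell_defaults() {
  backup_once /etc/profile
  # Idle shells exit after 600 s; readonly + export so users cannot unset it
  # and child shells inherit it.
  append_once 'TMOUT=600' /etc/profile
  append_once 'readonly TMOUT' /etc/profile
  append_once 'export TMOUT' /etc/profile
  # umask 027: group read-only, no access for others; keep the line's indent.
  sed -i -E 's/^([[:space:]]*)umask 022[[:space:]]*$/\1umask 027/' /etc/profile
  # The original then sourced /etc/profile, which only affected the script's
  # own shell, so that step is omitted. The commented-out HISTSIZE /
  # HISTFILESIZE reductions are deliberately not applied: shell history is
  # evidence during incident response.
}

# Install pending security errata (interactive unless run with yum -y).
apply_security_updates() {
  if command -v yum >/dev/null 2>&1; then
    yum --security upgrade
  else
    warn "yum not found; apply security updates with the local package manager"
  fi
}

main() {
  (( EUID == 0 )) || die "must be run as root"
  configure_password_policy
  configure_login_lockout
  configure_su_wheel_only
  configure_sshd
  configure_ssh_source_restriction
  configure_shell_defaults
  # Show root's failure counter, then reset it so the new policy starts from
  # zero. "pam_tally2 -r -u USER" is also how a locked account is released.
  pam_tally2 --user root
  pam_tally2 -r -u root
  apply_security_updates
}

main "$@"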

