安全加固3-加固

#!/bin/bash

#

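# Password lifetime: cap PASS_MAX_DAYS in /etc/login.defs at 30 days.
# The original sed had no -i, so it only printed the edited file to stdout
# and left /etc/login.defs untouched.
# Note: login.defs only governs accounts created afterwards; existing
# accounts keep their current maximum until it is changed with chage -M.
sed -i -e 's/^\(PASS_MAX_DAYS\).*/\1 30/' /etc/login.defs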

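#######################################
# Log file permissions: find the log files referenced by the active syslog
# daemon's configuration and strip write/execute from group and others.
#
# Changes relative to the original:
#   - paths were accumulated with >> in the fixed file /tmp/paths and then
#     edited with sed -i; a predictable name in /tmp is a symlink target
#     when this runs as root, and the file was never cleared between runs.
#     A bash array is used instead.
#   - entries written as "-/var/log/maillog" (the "-" only disables fsync)
#     were skipped entirely; the leading "-" is now stripped so those files
#     get their permissions fixed too.
#   - the syslog-ng branch assigned SYSLOGCONF=/etc/rsyslog.conf (copy-paste
#     slip); the variable was never read, so it is dropped.
#   - "ll" is an interactive alias and does not exist in a script; ls -l is
#     used for the before/after listing.
#######################################

# Print one log file path per line from a syslog.conf / rsyslog.conf written
# in the classic "selector  action" form ($1 = config path).  Only action
# fields naming a local absolute path are kept: remote hosts (@host),
# wall-style targets (*) and the $IncludeConfig glob are excluded, as in the
# original.  rsyslog's action(type="omfile" file="...") syntax is not parsed.
log_paths_from_syslog_conf() {
  local conf=$1
  sed -e '/^#/d' -e '/^$/d' "$conf" \
    | awk '{ t = $2; sub(/^-/, "", t); if (t ~ /^\// && t !~ /[*@]/) print t }'
}

# Print one log file path per line from syslog-ng.conf ($1): the quoted
# argument of every "destination ... file(...)" line.
log_paths_from_syslog_ng_conf() {
  grep '^destination' -- "$1" | grep file | cut -d'"' -f2
}

declare -a log_paths=()
for conf in /etc/syslog.conf /etc/rsyslog.conf; do
  if [ -f "$conf" ]; then
    while IFS= read -r p; do
      log_paths+=("$p")
    done < <(log_paths_from_syslog_conf "$conf")
  fi
done
if [ -f /etc/syslog-ng/syslog-ng.conf ]; then
  while IFS= read -r p; do
    log_paths+=("$p")
  done < <(log_paths_from_syslog_ng_conf /etc/syslog-ng/syslog-ng.conf)
fi

for p in "${log_paths[@]}"; do
  case "$p" in
    /*) ;;               # absolute paths only, as the original "grep ^/" did
    *) continue ;;
  esac
  if [ ! -e "$p" ]; then
    printf 'log path from syslog config does not exist, skipping: %s\n' "$p" >&2
    continue
  fi
  ls -l -- "$p"
  chmod g-wx,o-wx -- "$p"
  ls -l -- "$p"
done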


#关闭不必要服务,待改进
#chkconfig --list|egrep "amanda|chargen|chargen-udp|cups|cups-lpd|daytime|daytime-udp|echo|echo-udp|eklogin|ekrb5-telnet|finger|gssftp|imap|imaps|ipop2|ipop3|klogin|krb5-telnet|kshell|ktalk|ntalk|rexec|rlogin|rsh|rsync|talk|tcpmux-server|telnet|tftp|time-dgram|time-stream|uucp"

 

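# TCP wrappers access rules (/etc/hosts.allow).  Despite the original "nfs"
# heading this covers ftp, portmap, sshd and nfs.
#
# NOTE(review): in hosts_access(5) a bare dotted quad such as 10.0.0.0
# matches exactly that one address, not the network; a network is written
# as "10.0.0.0/255.0.0.0" or with a trailing dot ("10.").  The entries below
# are kept exactly as the original had them -- confirm the intended scope
# before relying on them.
# NOTE(review): these rules only affect services that consult libwrap;
# whether this sshd/ftp build does is distribution dependent -- verify.
#
# The original appended the same block on every run; a marker line makes
# the append idempotent.
hosts_allow=/etc/hosts.allow
if [ -f "$hosts_allow" ] && grep -qF -- '# hardening: tcp wrappers rules' "$hosts_allow"; then
  printf 'tcp wrappers rules already present in %s, skipping\n' "$hosts_allow" >&2
else
  cat >> "$hosts_allow" <<'EOF'

# hardening: tcp wrappers rules
ftp:192.168.0.0:allow
ftp:10.0.0.0:allow
portmap:192.168.0.0:allow
portmap:10.0.0.0:allow
sshd:10.0.0.0:allow
sshd:192.0.0.0:allow
sshd:172.0.0.0:allow
nfs:10.0.0.0:allow
nfs:192.0.0.0:allow
nfs:172.0.0.0:allow
nfs:10.3.5.0:allow
nfs:10.3.60.0:allow
nfs:10.3.69.0:allow
nfs:10.3.12.0:allow
EOF
fi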

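# SSH: forbid direct root logins (PermitRootLogin no).
#
# The original sed only rewrote an already active "PermitRootLogin" line.
# Stock sshd_config files usually ship it commented out ("#PermitRootLogin
# yes"), in which case nothing changed and the built-in default stayed in
# force.  The commented form is now matched as well, and the directive is
# inserted when it is absent.

# Rewrite or insert "PermitRootLogin no" in the sshd_config given as $1.
# Insertion goes at the top of the file: sshd honours the first occurrence
# of a keyword, and appending at the end could land inside a trailing
# "Match" block, where it would apply to that block only.
set_permit_root_login_no() {
  local conf=$1
  if grep -qE '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' -- "$conf"; then
    sed -i -e 's/^[[:space:]]*#\{0,1\}[[:space:]]*\(PermitRootLogin\)[[:space:]].*/\1 no/' "$conf"
  elif [ -s "$conf" ]; then
    sed -i -e '1i PermitRootLogin no' "$conf"
  else
    printf 'PermitRootLogin no\n' >> "$conf"
  fi
}

sshd_config=/etc/ssh/sshd_config
if [ -f "$sshd_config" ]; then
  set_permit_root_login_no "$sshd_config"
  grep PermitRootLogin "$sshd_config"
  # sshd reads the file only on (re)start; check the syntax now so a typo
  # does not surface as a failed restart later.  Reloading sshd is left to
  # the operator, as in the original.
  if command -v sshd >/dev/null 2>&1; then
    sshd -t || printf 'warning: sshd -t reports a problem with %s\n' "$sshd_config" >&2
  fi
else
  printf '%s not found, PermitRootLogin not changed\n' "$sshd_config" >&2
fi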


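# Default umask for login shells: force "umask 027" in the system-wide and
# root profile files, keeping a .bak copy of each file.
#
# Fixes relative to the original:
#   - /etc/profile was processed twice; the second sed -i.bak overwrote the
#     backup with the already edited file, so no pristine copy survived.
#   - the pattern "umask [0-9].." replaced exactly three characters, so a
#     four-digit value such as "umask 0022" became "umask 0272".  The whole
#     octal value is replaced now, whatever its length.
#   - files that do not exist (e.g. /root/.cshrc on many systems) produced a
#     sed error; they are skipped with a note instead.

# Replace every "umask <octal>" in the files given as arguments with
# "umask 027"; a backup is written next to each file as <file>.bak.
set_default_umask() {
  local f
  for f in "$@"; do
    if [ ! -f "$f" ]; then
      printf 'umask: %s not present, skipping\n' "$f" >&2
      continue
    fi
    sed -i.bak -e 's/\(umask[[:space:]]\{1,\}\)[0-7]\{1,4\}/\1027/g' "$f"
  done
}

set_default_umask /etc/profile /etc/csh.login /etc/csh.cshrc /etc/bashrc /root/.bashrc /root/.cshrc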


# Permissions on the account databases: one "mode path" pair per line.
# NOTE(review): on systems where /etc/shadow is group-owned by "shadow" and
# read through a setgid helper, 0400 drops that group read bit -- confirm
# the expected mode for the target distribution.
while read -r mode file; do
  chmod "$mode" -- "$file"
done <<'EOF'
0644 /etc/passwd
0400 /etc/shadow
0644 /etc/group
EOF

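# Unneeded service accounts: deny them an interactive shell.
# The original ran usermod for every name and produced an error for each
# account that does not exist on the host; those are now skipped with a
# note.  The list and the shell (/bin/false) are unchanged.
users="
lp
nobody
uucp
games
rpm
smmsp
nfsnobody
listen
gdm
webservd
nobody4
noaccess
"
for n in $users; do
  if getent passwd "$n" >/dev/null; then
    usermod -s /bin/false "$n"
  else
    printf 'account %s not present, skipping\n' "$n" >&2
  fi
done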
