linux运维安全工具集合[持续更新中..]
lynis 安全漏洞检测工具 https://cisofy.com/download/lynis/ https://cisofy.com/files/lynis-2.2.0.tar.gz
命令 :sudo ./lynis --check-all -Q
sudo grep Warning /var/log/lynis.log
sudo grep Suggestion /var/log/lynis.log
sudo vi /etc/cron.daily/scan.sh
#!/bin/shAUDITOR="automated"DATE=$(date +%Y%m%d)HOST=$(hostname)LOG_DIR="/var/log/lynis"REPORT="$LOG_DIR/report-${HOST}.${DATE}"DATA="$LOG_DIR/report-data-${HOST}.${DATE}.txt"cd /opt/lynis./lynis -c --auditor "${AUDITOR}" --cronjob > ${REPORT}mv /var/log/lynis-report.dat ${DATA}
sudo chmod 755 /etc/cron.daily/scan.sh
Linux系统被入侵后的经历 http://lizhenliang.blog.51cto.com/7876557/1769028
阿里云服务器安全配置:http://www.centoscn.com/CentosSecurity/CentosSafe/2015/0713/5855.html
linux服务器集群防火墙搭建 http://www.bubuko.com/infodetail-536557.html
linux企业防火墙搭建 http://www.open-open.com/doc/view/ce393775b65644319174e3dd14e4d305
Linux防火墙生成器技术 http://www.2cto.com/Article/200802/24102.html
Linux下安全扫描工具Nmap用法详解 https://nmap.org/download.html
linux 下各种指标监控 http://www.open-open.com/lib/view/open1392684857866.html
databse 管理 http://dba.stackexchange.com/?tags=mysql
Linux shell脚本 http://blog.csdn.net/su1216/article/details/10586903
Linux反入侵监测工具 http://netsecurity.51cto.com/art/201509/490966.htm https://suricata-ids.org/download/
Linux后门木马监测工具 http://blog.jobbole.com/77663/
Linux下75款安全工具 http://www.91linux.com/html/2014/Linux_Server_0219/8675.html
Linux服务器安全设置 http://0101x.blog.51cto.com/8639108/1365721
Linux系统加固个人经验 http://www.centoscn.com/CentosSecurity/CentosSafe/2015/0315/4881.html
Linux系统加固最佳实践 http://blog.chinaunix.net/uid-25723371-id-4542221.html
Linux web基本模块安装shell整理 https://github.com/oscm/shell https://github.com/qrpike/CentOS-6-Quick-Install-Scripts
Linux Os系统管理 https://github.com/oscm/shell/tree/master/os
Linux 双机负载均衡配置keepalived+tenginer http://www.it165.net/admin/html/201309/1866.html
Linux rsync增量传输大文件优化技巧
Linux 使用rsync实现文件备份同步
常见加固,根据需要调整,转自网友的设置方案http://www.2cto.com/Article/201111/111131.html
http://www.codexiu.cn/linux/blog/5654/
Linux运维shell脚本 http://git.oschina.net/MickeyZZC/MLSBS
以下安全加固仅供参考
#!/bin/sh # desc: setup linux system security # author:coralzd # powered by www.freebsdsystem.org # version 0.1.2 written by 2011.05.03 #account setup passwd -l xfs passwd -l news passwd -l nscd passwd -l dbus passwd -l vcsa passwd -l games passwd -l nobody passwd -l avahi passwd -l haldaemon passwd -l gopher passwd -l ftp passwd -l mailnull passwd -l pcap passwd -l mail passwd -l shutdown passwd -l halt passwd -l uucp passwd -l operator passwd -l sync passwd -l adm passwd -l lp # chattr /etc/passwd /etc/shadow chattr +i /etc/passwd chattr +i /etc/shadow chattr +i /etc/group chattr +i /etc/gshadow # add continue input failure 3 ,passwd unlock time 5 minite sed -i 's#auth required pam_env.so#auth required pam_env.so\nauth required pam_tally.so onerr=fail deny=3 unlock_time=300\nauth required /lib/security/$ISA/pam_tally.so nerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth # system timeout 5 minite auto logout echo "TMOUT=300" >>/etc/profile # will system save history command list to 10 sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile # enable /etc/profile go! source /etc/profile # add syncookie enable /etc/sysctl.conf echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf sysctl -p # exec sysctl.conf enable # optimizer sshd_config sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config # limit chmod important commands chmod 700 /bin/ping chmod 700 /usr/bin/finger chmod 700 /usr/bin/who chmod 700 /usr/bin/w chmod 700 /usr/bin/locate chmod 700 /usr/bin/whereis chmod 700 /sbin/ifconfig chmod 700 /usr/bin/pico chmod 700 /bin/vi chmod 700 /usr/bin/which chmod 700 /usr/bin/gcc chmod 700 /usr/bin/make chmod 700 /bin/rpm # history security chattr +a /root/.bash_history chattr +i /root/.bash_history # write important command md5 cat > list << "EOF" && /bin/ping /bin/finger /usr/bin/who /usr/bin/w /usr/bin/locate /usr/bin/whereis /sbin/ifconfig /bin/pico /bin/vi /usr/bin/vim /usr/bin/which /usr/bin/gcc /usr/bin/make /bin/rpm EOF for i in `cat list` do if [ ! -x $i ];then echo "$i not found,no md5sum!" else md5sum $i >> /var/log/`hostname`.log fi done rm -f list
#!/bin/sh echo "00 */1 * * * /usr/sbin/ntpdate 192.168.1.1 >>/var/log/ntpdate.log" > mycrontab crontab mycrontab rm -rf mycrontab /usr/sbin/ntpdate 192.168.1.1 cp /etc/sysconfig/i18n /etc/sysconfig/i18n.bak echo > /etc/sysconfig/i18n echo LANG="zh_CN.GB18030" >> /etc/sysconfig/i18n echo LANGUAGE="zh_CN.GB18030:zh_CN.GB2312:zh_CN" >> /etc/sysconfig/i18n echo SUPPORTED="zh_CN.UTF-8:zh_CN:zh:en_US.UTF-8:en_US:en" >> /etc/sysconfig/i18n echo SYSFONT="latarcyrheb-sun16" >> /etc/sysconfig/i18n #echo "root:xbbwlcUoKjF7" | chpasswd useradd weblogic echo "weblogic:weblogic" | chpasswd history -c # 接收套接字缓冲区大小的缺省值 echo "net.core.rmem_default = 2569600" >>/etc/sysctl.conf # 最大的TCP数据接收缓冲 echo "net.core.rmem_max = 2569600" >>/etc/sysctl.conf # 发送套接字缓冲区大小的缺省值 echo "net.core.wmem_default = 2569600" >>/etc/sysctl.conf # 最大的TCP数据发送缓冲 echo "net.core.wmem_max = 2569600" >>/etc/sysctl.conf # 时间戳在(请参考RFC 1323)TCP的包头增加12个字节 echo "net.ipv4.tcp_timestamps = 0" >>/etc/sysctl.conf # 有选择的应答 echo "net.ipv4.tcp_sack = 1" >>/etc/sysctl.conf # 支持更大的TCP窗口. 如果TCP窗口最大超过65535(64K), 必须设置该数值为1 echo "net.ipv4.tcp_window_scaling = 1" >>/etc/sysctl.conf # 开启keepalive的闲置时长 echo "net.ipv4.tcp_keepalive_time = 600" >>/etc/sysctl.conf echo "kernel.sem = 500 64000 200 256" >>/etc/sysctl.conf # 文件句柄 echo "fs.file-max = 65536" >>/etc/sysctl.conf echo "net.ipv4.ip_local_port_range = 1024 65000" >>/etc/sysctl.conf # 当本地系统向外发起tcp或udp连接请求时使用的端口范围 sysctl -p cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak sed -i "s/#PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config #当普通用户登录时,密码输入错误三次,系统马上把该用户锁定,需要120s后重新登录 cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak #auth required pam_tally2.so deny=3 onerr=fail no_magic_root unlock_time=120 #由于远程是可以通过普通用户登录,所以普通用户的密码复杂度必须设置:给所有普通用户设置密码时,至少有一个特殊字符、大写字母、小写字母、最小长度为8位 #password requisite /lib/security/$ISA/pam_cracklib.so retry=3 difok=5 ocredit=-1 dcredit=-1 ucredit=-1 minlen=8 #设置密码过期的时间最多天数,新建用户是,用户可以修改的天使,密码的最短长度(前面已经设置可以不设置),密码过期的警告天数。 cp /etc/login.defs /etc/login.defs.bak sed -i 's/PASS_MAX_DAYS.* 99999/PASS_MAX_DAYS 90/' /etc/login.defs sed -i 's/PASS_MIN_DAYS.* 0/PASS_MIN_DAYS 7/' /etc/login.defs sed -i 's/PASS_MIN_LEN.* 5/PASS_MIN_LEN 8/' /etc/login.defs #关闭DNS cp /etc/resolv.conf /etc/resolv.conf.bak echo 'nameserver 210.22.84.3' > /etc/resolv.conf #备份环境变量文件 cp /etc/profile /etc/profile.bak echo export TMOUT=600 >> /etc/profile #增加60S超时退出 echo export HISTTIMEFORMAT=\'%F %T \' >> /etc/profile #记录操作历史记录的时间 echo export HISTFILESIZE=10000 >> /etc/profile echo export HISTSIZE=10000 >> /etc/profile #修改系统文件最大打开数 echo -e "* soft nofile = 32768 \n* hard nofile = 65536" >> /etc/security/limits.conf #计划任务 mkdir ~/Shell echo -e " #!/bin/bash \n sync \n echo 3 > /proc/sys/vm/drop_caches" > ~/Shell/MemcacheClean.sh echo "00 03 * * * /Shell/MemcacheClean.sh" > ~/Shell/mycrontab crontab ~/Shell/mycrontab #关闭selinux sed '7s/enforcing/disabled/g' /etc/sysconfig/selinux -i #关闭火墙 iptables -F /etc/init.d/iptables save >> /dev/null service sshd restart history -c
Windows系统加固脚本 http://www.wanglinlin.cn/?post=63
小常识收集:
linuxvim格式化代码 格式化全文: gg=G 自动缩进当前行: ==
网站根目录权限遵循:
文件644 文件夹755 权限用户和用户组www
如出现文件权限问题时,请执行下面3条命令:
chown -R www.www /data/wwwroot/
find /data/wwwroot/ -type d -exec chmod 755 {} \;
find /data/wwwroot/ -type f -exec chmod 644 {} \;
