Centos/redhat 初始化脚本

Centos/redhat 初始化脚本

Centos/Redhat初始化安全加固脚本

#!/bin/bash
#********************************************************************
#Author:        wei
#********************************************************************

eth0_modfiy () {
read -p "请输入IP:" IP
mv /etc/sysconfig/network-scripts/ifcfg-e*  /etc/sysconfig/network-scripts/ifcfg-e*.bak
cat  >   /etc/sysconfig/network-scripts/ifcfg-eth0   <<EOF
NAME=eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=$IP
PREFIX=24
GATEWAY=10.0.0.2
DNS1=223.6.6.6
DNS2=180.76.76.76
EOF

nmcli con reload

sed -i.bak  '/^GRUB_CMDLINE_LINUX/s/"$/  net.ifnames=0"/'  /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg

}

alias_add () {
echo 'alias  date="date +%F_%T"' >> ~/.bashrc
echo 'alias  vi="vim"' >> ~/.bashrc
echo  'alias  cdnet="cd  /etc/sysconfig/network-scripts/"' >>  ~/.bashrc
echo  'alias th0="vi /etc/sysconfig/network-scripts/ifcfg-eth0"'  >>  ~/.bashrc
echo 'alias  th1="vi /etc/sysconfig/network-scripts/ifcfg-eth1"'  >>  ~/.bashrc
echo 'export HISTTIMEFORMAT="%F  %T `whoami`  "'  >>  ~/.bashrc
echo 'alias  scandisk="echo - - - > /sys/class/scsi_host/host0/scan;echo - - - >/sys/class/scsi_host/host1/scan;echo - - - > /sys/class/scsi_host/host2/scan"'  >> ~/.bashrc

}

firewall_dis ()  {
systemctl stop firewalld.service
systemctl disable firewalld.service
}

selinux_dis () {
sed -i.bak '/^SELINUX=/s/SELINUX=.*/SELINUX=disabled/'   /etc/selinux/config
}

vim_rc () {
cat > ~/.vimrc  <<EOF
set ts=4
set expandtab
set ignorecase
set cursorline
set autoindent
autocmd BufNewFile *.sh exec ":call SetTitle()"
func SetTitle()
    if expand("%:e") == 'sh'
    call setline(1,"#!/bin/bash")
    call setline(2,"#")
    call setline(3,"#********************************************************************")
    call setline(4,"#Author:        wei")
    call setline(5,"#********************************************************************")
    call setline(6,"")
    endif
endfunc
autocmd BufNewFile * normal G
EOF

}

ssh_link () {
echo 'UseDNS no' >> /etc/ssh/sshd_config
systemctl daemon-reload
systemctl restart sshd
}

nofile_noproc () {
cp /etc/security/limits.conf{,.bak}
cp /etc/security/limits.d/20-nproc.conf{,.bak}
echo -e '* soft nofile 65535\n* hard nofile 65535'  >>  /etc/security/limits.conf
echo -e '* soft nproc 20000\n* hard nproc 20000\nroot soft nproc 65535\nroot hard nproc 65535' >> /etc/security/limits.d/20-nproc.conf
}

disable_service () {
systemctl disable yum-updatesd
systemctl disable bluetooth
systemctl disable ekrb5-telnet
systemctl disable gssftp
systemctl disable krb5-telnet
systemctl disable sendmail
systemctl disable cpuspeed
systemctl disable irqbalance
systemctl disable ip6tables
systemctl disable cpusrhnsd
}

user_time_complex () {
#用户密码有效时间
sed -i.bak '/PASS_MAX_DAYS/s/99999/90/' /etc/login.defs
sed -i '/PASS_MIN_DAYS/s/0/7/' /etc/login.defs
sed -i '/PASS_MIN_LEN/s/5/8/' /etc/login.defs
sed -i '/PASS_WARN_AGE/s/7/15/' /etc/login.defs

#用户密码复杂度
cat >> /etc/security/pwquality.conf <<EOF
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
EOF

#尝试失败后锁定⽤户账户
sed -i.bak -e '/auth        required      pam_deny.so/aauth required pam_faillock.so preauth silent audit deny=6 unlock_time=600' -e '/auth        required      pam_deny.so/aauth    sufficient    pam_unix.so nullok try_first_pass' -e '/auth     required      pam_deny.so/aauth [default=die] pam_faillock.so authfail audit deny=6 unlock_time=600' /etc/pam.d/system-auth

sed -i '/account     required      pam_permit.so/aaccount    requiredpam_faillock.so' /etc/pam.d/system-auth

#实现在6次登录失败尝试后，对非root锁定，并在10分钟后对该用户解锁
sed -i.bak '/account     required      pam_permit.so/aaccount required pam_faillock.so' /etc/pam.d/password-auth

}

eth0_modfiy
alias_add
firewall_dis
selinux_dis
vim_rc
ssh_link
nofile_noproc
disable_service
user_time_complex
reboot