CentOS/RedHat 初始化脚本
CentOS/RedHat 初始化脚本
CentOS/RedHat 初始化安全加固脚本
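#!/bin/bash
#********************************************************************
#Author: wei
#********************************************************************
# CentOS/RHEL first-boot setup and hardening script.
#
# Steps (see main, run in this order): write a static ifcfg-eth0 and
# switch the kernel to legacy NIC names, add shell aliases, stop and
# disable firewalld, disable SELinux, write ~/.vimrc, turn off sshd
# reverse-DNS lookups, raise nofile/nproc limits, disable a list of
# services, tighten password ageing/complexity, enable pam_faillock,
# then reboot.
#
# Must be run as root.  Every file edited in place gets a .bak copy
# first.  NOTE(review): stopping firewalld and disabling SELinux reduce
# the host's defences; they are kept because the original script does
# them, so confirm that is intended for the target environment.

set -euo pipefail

# Print an error to stderr and exit non-zero.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Print a warning to stderr and continue.
warn() {
  printf 'warn: %s\n' "$*" >&2
}

# Append line $1 to file $2 unless that exact line is already present,
# so re-running the script does not duplicate entries (the original
# used unconditional `>>`).
append_once() {
  local line=$1 file=$2
  if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
    printf '%s\n' "$line" >> "$file"
  fi
}

# Set KEY ($1) in /etc/login.defs to VALUE ($2), rewriting the whole
# value field of an existing "KEY <value>" line or appending one.
# The original used e.g. `s/0/7/` on any line mentioning the key,
# which replaces the first matching digit anywhere on that line.
set_login_def() {
  local key=$1 value=$2
  local file=/etc/login.defs
  if grep -qE "^${key}[[:space:]]" "$file"; then
    sed -i -E "s/^(${key})[[:space:]]+.*/\1\t${value}/" "$file"
  else
    printf '%s\t%s\n' "$key" "$value" >> "$file"
  fi
}

# Enable pam_faillock in one pam.d file ($1): lock an account for 600s
# after 6 failed attempts (root is not locked: no even_deny_root).
# Placement follows the Red Hat faillock documentation: preauth before
# and authfail after the "auth sufficient pam_unix.so" line, and the
# account line after "account required pam_permit.so".  The original
# appended all auth lines after "auth required pam_deny.so", i.e. at
# the end of the auth stack; as far as I can tell from the stock layout
# the preauth check would then run only after the existing pam_unix.so
# line has already accepted a correct password, so the lockout never
# blocks a login.  The original also appended a second
# "pam_unix.so nullok try_first_pass" line; nullok permits empty
# passwords and is dropped here.  Patterns tolerate the multi-space/tab
# field layout of the stock files; --follow-symlinks keeps an
# authconfig system-auth -> system-auth-ac symlink intact.
pam_faillock_enable() {
  local file=$1
  [[ -f "$file" ]] || die "missing $file"
  cp -- "$file" "$file.bak"
  if grep -q 'pam_faillock\.so' "$file"; then
    warn "pam_faillock already configured in $file, skipping"
    return 0
  fi
  sed -i -E --follow-symlinks \
    -e '/^auth[[:space:]]+sufficient[[:space:]]+pam_unix\.so/i auth        required      pam_faillock.so preauth silent audit deny=6 unlock_time=600' \
    -e '/^auth[[:space:]]+sufficient[[:space:]]+pam_unix\.so/a auth        [default=die] pam_faillock.so authfail audit deny=6 unlock_time=600' \
    -e '/^account[[:space:]]+required[[:space:]]+pam_permit\.so/a account     required      pam_faillock.so' \
    "$file"
  # Refuse to continue with a half-edited PAM stack: a broken file here
  # can lock every user out after the reboot.
  grep -q 'pam_faillock.so preauth' "$file" \
    || die "faillock lines not inserted into $file; restore from $file.bak"
}

# Replace the existing ifcfg-e* files with a static ifcfg-eth0 and add
# net.ifnames=0 to the kernel command line so the NIC is really called
# eth0 after the reboot.  Prompts for the IPv4 address.
eth0_modfiy() {
  local ip f
  local netdir=/etc/sysconfig/network-scripts
  read -r -p "请输入IP:" ip
  # The value is written verbatim into the NIC config; a typo would
  # leave the host unreachable after reboot, so accept a dotted quad only.
  [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || die "invalid IPv4 address: $ip"
  # The original `mv ifcfg-e* ifcfg-e*.bak` only works for a single file
  # and produces the literal name "ifcfg-e*.bak"; back each file up.
  for f in "$netdir"/ifcfg-e*; do
    [[ -e "$f" && "$f" != *.bak ]] || continue
    mv -- "$f" "$f.bak"
  done
  cat > "$netdir/ifcfg-eth0" <<EOF
NAME=eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=$ip
PREFIX=24
GATEWAY=10.0.0.2
DNS1=223.6.6.6
DNS2=180.76.76.76
EOF
  nmcli con reload
  # Only add net.ifnames=0 once, so a re-run does not repeat it.
  if ! grep -q 'net.ifnames=0' /etc/default/grub; then
    sed -i.bak '/^GRUB_CMDLINE_LINUX/s/"$/ net.ifnames=0"/' /etc/default/grub
  fi
  grub2-mkconfig -o /boot/grub2/grub.cfg
}

# Add convenience aliases to the invoking user's ~/.bashrc (root when
# run as intended).  Each line is added at most once.
alias_add() {
  local rc=~/.bashrc
  append_once 'alias date="date +%F_%T"' "$rc"
  append_once 'alias vi="vim"' "$rc"
  append_once 'alias cdnet="cd /etc/sysconfig/network-scripts/"' "$rc"
  append_once 'alias th0="vi /etc/sysconfig/network-scripts/ifcfg-eth0"' "$rc"
  append_once 'alias th1="vi /etc/sysconfig/network-scripts/ifcfg-eth1"' "$rc"
  # Backticks are deliberately literal here: whoami runs when history is shown.
  append_once 'export HISTTIMEFORMAT="%F %T `whoami` "' "$rc"
  append_once 'alias scandisk="echo - - - > /sys/class/scsi_host/host0/scan;echo - - - >/sys/class/scsi_host/host1/scan;echo - - - > /sys/class/scsi_host/host2/scan"' "$rc"
}

# Stop firewalld now and keep it off across reboots.
firewall_dis() {
  systemctl stop firewalld.service
  systemctl disable firewalld.service
}

# Set SELINUX=disabled in /etc/selinux/config (takes effect at reboot).
selinux_dis() {
  sed -i.bak '/^SELINUX=/s/SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
}

# Write the invoking user's ~/.vimrc, including a header template that
# is inserted into new *.sh files.  Overwrites any existing file, as
# the original did.
vim_rc() {
  cat > ~/.vimrc <<'EOF'
set ts=4
set expandtab
set ignorecase
set cursorline
set autoindent
autocmd BufNewFile *.sh exec ":call SetTitle()"
func SetTitle()
if expand("%:e") == 'sh'
call setline(1,"#!/bin/bash")
call setline(2,"#")
call setline(3,"#********************************************************************")
call setline(4,"#Author: wei")
call setline(5,"#********************************************************************")
call setline(6,"")
endif
endfunc
autocmd BufNewFile * normal G
EOF
}

# Disable reverse-DNS lookups on SSH logins (UseDNS no).  sshd honours
# the first occurrence of a keyword, so an existing uncommented UseDNS
# line is rewritten instead of being shadowed by an appended one.  The
# config is validated with `sshd -t` before the restart so a bad edit
# cannot cut off remote access.
ssh_link() {
  local cfg=/etc/ssh/sshd_config
  cp -- "$cfg" "$cfg.bak"
  if grep -qE '^[[:space:]]*UseDNS' "$cfg"; then
    sed -i -E 's/^[[:space:]]*UseDNS.*/UseDNS no/' "$cfg"
  else
    printf '%s\n' 'UseDNS no' >> "$cfg"
  fi
  sshd -t || die "sshd_config failed validation; restore from $cfg.bak"
  systemctl daemon-reload
  systemctl restart sshd
}

# Raise the open-file and process limits (values as in the original).
nofile_noproc() {
  local limits=/etc/security/limits.conf
  local nproc=/etc/security/limits.d/20-nproc.conf
  cp -- "$limits" "$limits.bak"
  # 20-nproc.conf is not guaranteed to exist; append_once creates it.
  if [[ -f "$nproc" ]]; then
    cp -- "$nproc" "$nproc.bak"
  fi
  append_once '* soft nofile 65535' "$limits"
  append_once '* hard nofile 65535' "$limits"
  append_once '* soft nproc 20000' "$nproc"
  append_once '* hard nproc 20000' "$nproc"
  append_once 'root soft nproc 65535' "$nproc"
  append_once 'root hard nproc 65535' "$nproc"
}

# Disable the service list from the original script.  Several of these
# names are SysV-era and may not exist as units on a given release; a
# missing unit is reported and skipped rather than aborting the run.
disable_service() {
  local -a units=(
    yum-updatesd bluetooth ekrb5-telnet gssftp krb5-telnet
    sendmail cpuspeed irqbalance ip6tables cpusrhnsd
  )
  local u
  for u in "${units[@]}"; do
    systemctl disable "$u" 2>/dev/null \
      || warn "could not disable $u (unit may not exist on this release)"
  done
}

# Password ageing, complexity and failed-login lockout.
user_time_complex() {
  # Password validity period (login.defs).
  cp -- /etc/login.defs /etc/login.defs.bak
  set_login_def PASS_MAX_DAYS 90
  set_login_def PASS_MIN_DAYS 7
  set_login_def PASS_MIN_LEN 8
  set_login_def PASS_WARN_AGE 15
  # Password complexity: require at least one digit, upper, lower and
  # other character (negative credit = minimum count).
  local pwq=/etc/security/pwquality.conf
  append_once 'dcredit = -1' "$pwq"
  append_once 'ucredit = -1' "$pwq"
  append_once 'lcredit = -1' "$pwq"
  append_once 'ocredit = -1' "$pwq"
  # Lock the account after 6 failed login attempts (non-root only) and
  # unlock it automatically after 10 minutes.  Applied to both stacks;
  # the original gave password-auth only the account line.
  pam_faillock_enable /etc/pam.d/system-auth
  pam_faillock_enable /etc/pam.d/password-auth
}

# Run every step in the original order, then reboot.
main() {
  (( EUID == 0 )) || die "this script must be run as root"
  eth0_modfiy
  alias_add
  firewall_dis
  selinux_dis
  vim_rc
  ssh_link
  nofile_noproc
  disable_service
  user_time_complex
  reboot
}

main "$@"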