该脚本在CentOS5.5 64bit环境中测试通过,其他环境可以进行对应的修改。每一项的内容请参考 CentOS安装之后的系统安全配置。
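#!/bin/bash
# by Jet Ma from www.javatang.com
# version v0.4 build20120921-0909
# CentOS 5.5 64bit
#
# Post-install hardening for a CentOS 5.5 x86_64 host.
#
# Must run as root.  It is NOT idempotent (several steps append to config
# files) and it is destructive: it deletes stock accounts, makes the account
# databases immutable, moves sshd to a non-default port, replaces root's
# crontab, disables SELinux and rebuilds the INPUT chain.  Read every section
# before running it on a machine you care about.  Uses bashisms (echo -e,
# source, [[ ]]-free but arrays-free), hence the bash shebang.
set -u

# ----------- configuration -----------
# Unprivileged day-to-day account to create; it is added to wheel so it can su.
COMMON_USER='ru'
# Idle timeout after which a login shell exits (TMOUT), in seconds.
CLIENT_TIMEOUT=3600
# Number of commands kept in shell history (HISTSIZE).
HISTSIZE=10
# Port sshd listens on after this script; the firewall rule below uses it too.
SSH_PORT=5028
# TCP port of the web server that the firewall leaves open.
WEB_PORT=80

# ----------- must be root -----------
if [ "$(id -u)" != "0" ]; then
  echo -e "\e[1;31m This scripts MUST under root user or group!! \e[0m"
  echo
  exit 2
fi

# ----------- update yum source -----------
echo -e "\e[1;36m update yum source ... \e[0m"
if chkconfig --list | grep -q yum; then
  cd /etc/yum.repos.d || exit 2
  mv CentOS-Base.repo CentOS-Base.repo_bak
  # NOTE(review): the repo file and the signing key are both fetched over plain
  # HTTP, so anyone on the path could substitute them.  Compare the imported
  # key's fingerprint with the one published by the CentOS project before
  # trusting packages signed with it.
  wget http://mirrors.163.com/.help/CentOS-Base-163.repo -O CentOS-Base.repo || exit 2
  # 64-bit key
  rpm --import http://mirrors.163.com/centos/5/os/x86_64/RPM-GPG-KEY-CentOS-5
  # Update everything except the kernel and the release package.
  yum --exclude="kernel* centos-release*" update -y
  cd ~ || exit 2
else
  echo -e "\e[1;31m 必须安装yum才可以继续! \e[0m"
  echo
  exit 2
fi

# ------------ system locale: zh_CN
sed -i -e 's/^LANG=.*/LANG="zh_CN.UTF-8"/' /etc/sysconfig/i18n
source /etc/sysconfig/i18n

# ----------- account security -----------
echo -e "\e[1;36m 正在进行账户安全设置 ... \e[0m"
# Minimum password length.  login.defs separates key and value with
# whitespace, not '=', so the original 'PASS_MIN_LEN=' pattern never matched.
# With PAM in use this is only a fallback: pam_cracklib's minlen in
# /etc/pam.d/system-auth is what actually enforces length.
sed -i -e 's/^PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN 10/' /etc/login.defs
# Remove stock accounts and groups this host does not need.  userdel/groupdel
# are expected to complain about entries that are already absent.
for u in adm lp sync shutdown halt news uucp operator games gopher ftp; do
  userdel "$u"
done
for g in adm lp news uucp games dip pppusers; do
  groupdel "$g"
done
# Create the unprivileged account; passwd prompts interactively.
useradd "$COMMON_USER" || exit 2
passwd "$COMMON_USER"
# Restrict su to members of wheel (gid 10) and put the new user there.
# The line in /etc/pam.d/su is tab-separated on CentOS, so match any run of
# whitespace instead of the single spaces the original pattern assumed.
sed -i -e 's/^#\(auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid\)/\1 group=wheel/' /etc/pam.d/su
usermod -G wheel "$COMMON_USER"
# Make the account databases immutable.  While +i is set, useradd, usermod and
# passwd (including users changing their own password) fail; run
# 'chattr -i' on these four files before any account maintenance.
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow
# Disable the Ctrl+Alt+Del reboot entry (SysV inittab on CentOS 5).
sed -i -e 's/^\(ca::ctrlaltdel.*\)$/#\1/' /etc/inittab
# Lock the account for 5 minutes after 3 failed logins (left disabled by the
# author; enable only after testing it on a console session):
# sed -i 's#auth required pam_env.so#auth required pam_env.so\nauth required pam_tally.so onerr=fail deny=3 unlock_time=300\nauth required /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth
# Log idle shells out so abandoned SSH clients do not pile up login processes.
# Users can still unset TMOUT unless it is also made readonly.
echo "TMOUT=$CLIENT_TIMEOUT" >>/etc/profile
sed -i "s/HISTSIZE=1000/HISTSIZE=$HISTSIZE/" /etc/profile
source /etc/profile
# Only root may read or run the init scripts.
chmod -R 700 /etc/rc.d/init.d/*
# Root's shell history: append-only so past commands cannot be erased.
# The original also set +i, which makes the file fully immutable and so stops
# bash from recording anything; +a alone keeps the append-only guarantee.
# NOTE(review): bash rewrites the file on exit unless 'shopt -s histappend'
# is set — confirm history is actually being written after this change.
chattr +a /root/.bash_history

# ----------- SSH hardening -----------
echo -e "\e[1;36m 进行SSH安全配置 ... \e[0m"
# The server package is openssh-server; there is no CentOS package named 'ssh'.
if ! chkconfig --list | grep -q sshd; then
  yum -y install openssh-server
fi
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Non-default port.  The session running this script stays on its current
# port, but every new login must use $SSH_PORT (22 is not opened below).
sed -i "s/^#Port 22/Port $SSH_PORT/" /etc/ssh/sshd_config
# No direct root login
sed -i "s/^#PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
# No empty passwords
sed -i "s/^#PermitEmptyPasswords no/PermitEmptyPasswords no/" /etc/ssh/sshd_config
sed -i "s/^#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config
# Skip reverse DNS on connect
sed -i "s/^#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
# Validate the edited config before restarting so a typo cannot lock us out.
/usr/sbin/sshd -t || exit 2
service sshd restart

# ----------- disable services that are not needed -----------
echo -e "\e[1;36m 关闭系统中不需要的服务和端口 ... \e[0m"
# Walk the runlevel-3 start links and disable everything not on the allow-list.
# network, sshd and syslog must stay (iptables too, since the firewall below
# depends on it).  auditd is NOT on the list: if it is installed, the kernel
# audit trail is switched off here — add it to the list if you rely on it.
for link in /etc/rc3.d/S*; do
  [ -e "$link" ] || continue
  svc=${link##*/}          # e.g. S55sshd
  svc=${svc#S[0-9][0-9]}   # e.g. sshd
  case "$svc" in
    acpid | anacron | cpuspeed | crond | iptables | irqbalance | microcode_ctl | mysqld | network | nginx | php-fpm | random | sendmail | sshd | syslog | yum-updatesd )
      # base services, keep
      ;;
    *)
      echo "change $svc to off"
      chkconfig --level 235 "$svc" off
      service "$svc" stop
      ;;
  esac
done

# ----------- basic attack mitigation -----------
echo -e "\e[1;36m 正在进行防止攻击设置 ... \e[0m"
# Ignore ICMP echo now; the sysctl block below makes it survive a reboot
# (writes to /proc alone are lost on restart).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Reject hosts whose forward/reverse DNS do not agree (IP spoofing).
echo "order bind,hosts
multi off
nospoof on" >> /etc/host.conf
# hard core 0 disables core dumps.  NOTE(review): Linux does not enforce
# RLIMIT_RSS, so the 50 MB 'rss' line is accepted but has no effect.
echo "# 禁止调试文件
* hard core 0
# 限制内存使用为50MB
* hard rss 50000" >> /etc/security/limits.conf

# ----------- system configuration and tuning -----------
echo -e "\e[1;36m 系统配置及性能调优 ... \e[0m"
# disable ipv6
echo "Disable IPV6"
echo "alias net-pf-10 off" >> /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf
/sbin/chkconfig --level 35 ip6tables off
echo "ipv6 is disabled!"
# disable selinux.  This removes the only mandatory access control on the host;
# 'permissive' keeps the audit messages without enforcing if you want a middle
# ground.  Takes effect after reboot.
sed -i '/^SELINUX=/s/enforcing/disabled/' /etc/selinux/config
echo "selinux is disabled,you must reboot!"
# vim: the original 's/^/.../' on line 8 glued the alias onto whatever line 8
# held; append it instead, and only once.
grep -q "^alias vi='vim'" /root/.bashrc || echo "alias vi='vim'" >> /root/.bashrc
echo 'syntax on
set fencs=utf-8,gbk
set nu!' > /root/.vimrc
# Keep the clock in sync
if ! chkconfig --list | grep -q ntp; then
  yum -y install ntp
fi
ntpdate -u cn.pool.ntp.org
# This REPLACES root's whole crontab.  Runs at 00:00 and 12:00; the original
# '* */12' fired every minute during those two hours.
crontab <<EOF
0 */12 * * * /sbin/ntpdate -u cn.pool.ntp.org | logger -t NTP
EOF
service crond restart
# Raise the open-file limit
echo '* - nofile 65536' >> /etc/security/limits.conf
# Kernel parameters (backup first).  icmp_echo_ignore_all is added so the
# /proc write above persists across reboots.
cp /etc/sysctl.conf /etc/sysctl.conf.bak
echo "net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max=25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait=120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait=60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait=120" >> /etc/sysctl.conf
sysctl -p

# ----------- firewall -----------
echo -e "\e[1;36m 防火墙设置 ... \e[0m"
# Safety net while the rules are being tested: stop iptables every 5 minutes
# so a mistake cannot lock the admin out.  A per-user crontab has no 'user'
# column — the original line contained 'root', which cron ran as the command,
# so the safety net never actually fired.  Remove this entry once the rules
# are confirmed (see the closing message).
tmpcrontab=$(mktemp) || exit 2
crontab -l > "$tmpcrontab"
echo "*/5 * * * * /etc/init.d/iptables stop" >> "$tmpcrontab"
crontab "$tmpcrontab"
rm -f -- "$tmpcrontab"
# Rebuild INPUT.  ACCEPT rules go in first and the DROP policy is set last,
# so the session running this script is never cut off mid-way (the original
# set DROP first with no rule for the existing connection).
iptables -F INPUT
# Loopback
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (yum, wget, ntpdate, DNS).  This
# replaces the original '--sport 53,123' and '--sport 21,80,443,8080' rules,
# which let any remote host in simply by sending from one of those source
# ports; state matching cannot be spoofed that way.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Web and SSH (sshd now listens on SSH_PORT; port 22 stays closed)
iptables -A INPUT -p tcp -m multiport --dports "${WEB_PORT},${SSH_PORT}" -j ACCEPT
# OUTPUT policy is ACCEPT by default; these only make the original intent explicit.
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
# Everything else is dropped.
iptables -P INPUT DROP
# Persist and restart
/etc/init.d/iptables save
/etc/init.d/iptables restart
cat << EOF
+--------------------------------------------------------------+
配置完成,谢谢!
如果防火墙没有问题,请在定时任务中删除*/5 * * * * /etc/init.d/iptables stop
然后使用reboot重新启动计算机!
+--------------------------------------------------------------+
EOF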
参考资料:
Linux系统初始化优化Shell脚本
Linux服务器安全初始化Shell脚本
linux在shell脚本中判断是否是root用户
安全的Web主机iptables防火墙脚本
让vim在utf-8的local下打开 gbk 文件
博主你好!
case $CURSRV in
acpid | anacron | cpuspeed | crond | iptables | irqbalance | microcode_ctl | mysqld | network | nginx | php-fpm | random | sendmail | sshd | syslog | yum-updatesd )
在这里是不是少了一个 ( 呢??