本脚本是第二次更新,已经大量应用在某大型媒体网站体系中,加入了之前没有想到的一些安全设置。使用方法将其复制,保存为一个shell文件,比如security.sh.将其上传到linux服务器上,执行sh security.sh,就可以使用该脚本了!
#!/bin/sh#desc:setuplinuxsystemsecurity#author:coralzd#poweredbywww.freebsdsystem.org#version0.1.2writtenby2011.05.03#accountsetuppasswd-lxfspasswd-lnewspasswd-lnscdpasswd-ldbuspasswd-lvcsapasswd-lgamespasswd-lnobodypasswd-lavahipasswd-lhaldaemonpasswd-lgopherpasswd-lftppasswd-lmailnullpasswd-lpcappasswd-lmailpasswd-lshutdownpasswd-lhaltpasswd-luucppasswd-loperatorpasswd-lsyncpasswd-ladmpasswd-llp#chattr/etc/passwd/etc/shadowchattr+i/etc/passwdchattr+i/etc/shadowchattr+i/etc/groupchattr+i/etc/gshadow#addcontinueinputfailure3,passwdunlocktime5minitesed-i's#authrequiredpam_env.so#authrequiredpam_env.so\nauthrequiredpam_tally.soonerr=faildeny=3unlock_time=300\nauthrequired/lib/security/$ISA/pam_tally.soonerr=faildeny=3unlock_time=300#'/etc/pam.d/system-auth#systemtimeout5miniteautologoutecho TMOUT=300 /etc/profile#willsystemsavehistorycommandlistto10sed-i s/HISTSIZE=1000/HISTSIZE=10/ /etc/profile#enable/etc/profilego!source/etc/profile#addsyncookieenable/etc/sysctl.confecho net.ipv4.tcp_syncookies=1 /etc/sysctl.confsysctl-p#execsysctl.confenable#optimizersshd_configsed-i s/#MaxAuthTries6/MaxAuthTries6/ /etc/ssh/sshd_configsed-i s/#UseDNSyes/UseDNSno/ /etc/ssh/sshd_config#limitchmodimportantcommandschmod700/bin/pingchmod700/usr/bin/fingerchmod700/usr/bin/whochmod700/usr/bin/wchmod700/usr/bin/locatechmod700/usr/bin/whereischmod700/sbin/ifconfigchmod700/usr/bin/picochmod700/bin/vichmod700/usr/bin/whichchmod700/usr/bin/gccchmod700/usr/bin/makechmod700/bin/rpm#historysecuritychattr+a/root/.bash_historychattr+i/root/.bash_history#writeimportantcommandmd5cat list EOF /bin/ping/bin/finger/usr/bin/who/usr/bin/w/usr/bin/locate/usr/bin/whereis/sbin/ifconfig/bin/pico/bin/vi/usr/bin/vim/usr/bin/which/usr/bin/gcc/usr/bin/make/bin/rpmEOFforiin`catlist`doif[!-x$i];thenecho $inotfound,nomd5sum! elsemd5sum$i /var/log/`hostname`.logfidonerm-flist
如果心胸不似海,又怎能有海一样的事业。
