  • 安全加固3-加固

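    #!/bin/bash
    #
    # Host hardening script. Must run as root: every section below edits files
    # under /etc in place (the sed calls use -i), so keep a copy of /etc before
    # the first run. Sections are independent of each other.

    # Password maximum lifetime (口令生存周期).
    # PASS_MAX_DAYS in login.defs only affects accounts created afterwards;
    # accounts that already exist keep their current limit and need
    # `chage -M 30 <user>` separately.
    # -i writes the change back (without it sed only prints the result), and
    # BRE needs \( \) for the group and \1 for the back-reference.
    if [ -f /etc/login.defs ]; then
      sed -i -e 's/^\(PASS_MAX_DAYS\).*/\1 30/' /etc/login.defs
      grep '^PASS_MAX_DAYS' /etc/login.defs
    fi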

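    # Log file permissions (日志文件权限设置): find the local log files named
    # in the syslog daemon's configuration and remove write/execute for group
    # and others. The paths are streamed through a pipe instead of being
    # appended to a fixed /tmp/paths: this runs as root, and a predictable
    # file name in /tmp can be pre-created or symlinked by any local user.

    # Print, one per line, the log targets named by whichever syslog daemon
    # configuration exists on this host (output may contain non-path entries;
    # the caller filters).
    # Globals:   none
    # Arguments: none
    # Outputs:   target names to stdout
    # Returns:   0
    list_log_files() {
      local conf
      for conf in /etc/syslog.conf /etc/rsyslog.conf; do
        [ -f "$conf" ] || continue
        # Second field is the action. Skip remote targets (@host) and the
        # "all logged-in users" target (*). A leading "-" only disables
        # sync-on-write, so it is stripped and the file is still listed.
        sed -e '/^#/d' -e '/^$/d' "$conf" \
          | awk '$2 !~ /@/ && $2 !~ /\*/ { sub(/^-/, "", $2); print $2 }'
      done
      # syslog-ng lines look like: destination d_x { file("/var/log/x"); };
      # the quote character is the field delimiter, so it must be quoted for cut.
      if [ -f /etc/syslog-ng/syslog-ng.conf ]; then
        grep '^destination' /etc/syslog-ng/syslog-ng.conf \
          | grep file | cut -d'"' -f2
      fi
      return 0
    }

    # Only absolute paths are files (pipes such as |/dev/xconsole and named
    # targets are dropped); targets that do not exist yet are skipped.
    # `ls -l` replaces `ll`, which is an interactive alias and is not
    # available to a script.
    list_log_files | grep '^/' | sort -u | while IFS= read -r logfile; do
      [ -e "$logfile" ] || continue
      chmod o-wx "$logfile"
      chmod g-wx "$logfile"
      ls -l "$logfile"
    done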


    #关闭不必要服务,待改进
    #chkconfig --list|egrep "amanda|chargen|chargen-udp|cups|cups-lpd|daytime|daytime-udp|echo|echo-udp|eklogin|ekrb5-telnet|finger|gssftp|imap|imaps|ipop2|ipop3|klogin|krb5-telnet|kshell|ktalk|ntalk|rexec|rlogin|rsh|rsync|talk|tcpmux-server|telnet|tftp|time-dgram|time-stream|uucp"

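    # TCP wrappers allow list for ftp/portmap/sshd/nfs (nfs设置).
    # NOTE(review): a client field written as 192.168.0.0 matches only that
    # single address; hosts_access(5) matches a whole network with a
    # trailing-dot prefix (192.168.) or a net/mask pair
    # (192.168.0.0/255.255.0.0). The entries are kept exactly as the author
    # wrote them -- confirm the intended networks before relying on them.
    # These allow rules only restrict access once hosts.deny has a catch-all
    # rule; this script does not write hosts.deny.
    # The append is guarded so re-running the script does not add duplicates,
    # and printf is used so no page/script indentation leaks into the file.
    if ! grep -qF 'nfs:10.3.12.0:allow' /etc/hosts.allow 2>/dev/null; then
      printf '%s\n' \
        'ftp:192.168.0.0:allow' \
        'ftp:10.0.0.0:allow' \
        'portmap:192.168.0.0:allow' \
        'portmap:10.0.0.0:allow' \
        'sshd:10.0.0.0:allow' \
        'sshd:192.0.0.0:allow' \
        'sshd:172.0.0.0:allow' \
        'nfs:10.0.0.0:allow' \
        'nfs:192.0.0.0:allow' \
        'nfs:172.0.0.0:allow' \
        'nfs:10.3.5.0:allow' \
        'nfs:10.3.60.0:allow' \
        'nfs:10.3.69.0:allow' \
        'nfs:10.3.12.0:allow' \
        >> /etc/hosts.allow
    fi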

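    # SSH: forbid direct root login (ssh禁止root登录).
    # Rewrites both an active "PermitRootLogin ..." line and the stock
    # commented default "#PermitRootLogin yes"; the original pattern used
    # "(" and "1" where BRE needs "\(" and "\1", and only matched an active
    # line. If no line exists at all the directive is inserted at line 1:
    # sshd honours the first occurrence of a keyword, and a line appended at
    # the end could land inside a trailing Match block. The change takes
    # effect only after sshd is reloaded; validate with `sshd -t` first.
    sshd_config=/etc/ssh/sshd_config
    if [ -f "$sshd_config" ]; then
      sed -i -e 's/^#\{0,1\}PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$sshd_config"
      if ! grep -q '^PermitRootLogin' "$sshd_config"; then
        sed -i -e '1i PermitRootLogin no' "$sshd_config"
      fi
      grep '^PermitRootLogin' "$sshd_config"
    fi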


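    # Default user umask 027 (用户缺省umask).
    # [0-7]\{2,4\} covers "umask 22", "umask 022" and "umask 0022"; the old
    # "[0-9].." pattern matched only three characters, so a four-digit value
    # became "umask 0272". Note this also overwrites an already stricter
    # value such as 077 with 027, as the original did. Files absent on this
    # host are skipped instead of producing "can't read" errors, and each
    # file is edited once (the original edited /etc/profile twice).
    for rc in /etc/profile /etc/csh.login /etc/csh.cshrc /etc/bashrc \
              /root/.bashrc /root/.cshrc; do
      [ -f "$rc" ] || continue
      sed -i.bak 's/umask [0-7]\{2,4\}/umask 027/g' "$rc"
    done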


    # Account database permissions (账号文件权限处理): passwd and group stay
    # world-readable (name resolution needs them), shadow is readable by
    # root only.
    chmod 0644 /etc/passwd /etc/group
    chmod 0400 /etc/shadow

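    # Unused/service accounts (无关账号处理): give them a non-login shell so
    # they cannot be used interactively. Accounts that do not exist on this
    # host are skipped so usermod does not fail with "user does not exist".
    # The shell stays /bin/false as in the original (/sbin/nologin is the
    # usual alternative).
    users="
    lp
    nobody
    uucp
    games
    rpm
    smmsp
    nfsnobody
    listen
    gdm
    webservd
    nobody4
    noaccess
    "
    # shellcheck disable=SC2086 -- word-splitting of the list is intended
    for n in $users; do
      if id -u "$n" >/dev/null 2>&1; then
        usermod -s /bin/false "$n"
      fi
    done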

  • 原文地址:https://www.cnblogs.com/caya-yuan/p/10596236.html