

    linux等保加固脚本

    https://www.cnblogs.com/flawlessm/p/12843188.html

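    # --- Password policy, lockout, su restriction, network and idle limits ---
    # Keep a pristine copy of every file this section edits in place; -n leaves
    # an existing backup untouched on a re-run instead of overwriting it with an
    # already-modified file.
    cp -n /etc/login.defs /etc/login.defs.bak
    cp -n /etc/profile /etc/profile.bak
    cp -n /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
    cp -n /etc/pam.d/su /etc/pam.d/su.bak
    cp -n /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    cp -n /etc/pam.d/sshd /etc/pam.d/sshd.bak
    cp -n /etc/pam.d/login /etc/pam.d/login.bak
    cp -n /etc/pam.d/passwd /etc/pam.d/passwd.bak
    cp -n /etc/hosts.allow /etc/hosts.allow.bak
    cp -n /etc/hosts.deny /etc/hosts.deny.bak

    # Route passwd(1) through the system-auth password stack; append the line
    # only when the file does not already include (or substack) it, so a second
    # run does not stack duplicate entries.
    grep -qE '^password[[:space:]]+(include|substack)[[:space:]]+system-auth' /etc/pam.d/passwd \
      || echo 'password include system-auth' >> /etc/pam.d/passwd

    # Password complexity: up to 5 prompts, at least 3 characters changed from
    # the previous password, minimum length 8 with at least 1 upper-case,
    # 3 lower-case, 3 digit and 1 other character. The address patterns accept
    # any run of whitespace: authconfig writes column-aligned files, which a
    # single-space pattern would not match, leaving the rule unchanged.
    sed -i '/^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib.so/c password    requisite     pam_cracklib.so try_first_pass retry=5 difok=3 minlen=8 ucredit=-1 lcredit=-3 dcredit=-3 ocredit=-1' /etc/pam.d/system-auth
    # Remember the last 24 password hashes (SHA-512). NOTE(review): nullok keeps
    # accepting empty passwords; remove it unless an account relies on it.
    sed -i '/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/c password    sufficient    pam_unix.so remember=24 sha512 shadow nullok try_first_pass use_authtok' /etc/pam.d/system-auth

    # Password ageing: at most 90 days, at least 30 days between changes,
    # minimum length 8. login.defs only seeds accounts created afterwards;
    # apply the same limits to existing users with chage(1).
    sed -i '/^PASS_MAX_DAYS/c PASS_MAX_DAYS 90' /etc/login.defs
    sed -i '/^PASS_MIN_DAYS/c PASS_MIN_DAYS 30' /etc/login.defs
    sed -i '/^PASS_MIN_LEN/c PASS_MIN_LEN 8' /etc/login.defs

    # Login failure handling: 3 failures lock the account for 300 s, root
    # included (600 s). The previous substitution spliced the rule onto the
    # '#%PAM-1.0' header line, which is a comment, so PAM never read it; append a
    # real line after the header instead, once per file, so it sits at the top
    # of the auth stack.
    for pamfile in /etc/pam.d/sshd /etc/pam.d/login; do
      grep -q '^auth.*pam_tally2.so' "$pamfile" \
        || sed -i '/^#%PAM-1.0/a auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=300 even_deny_root root_unlock_time=600' "$pamfile"
    done

    # su: root passes via pam_rootok; everyone else must belong to group
    # 'wheel'. Module names are resolved by PAM itself, so no /lib64/security
    # path is needed. Manage membership with:
    #   usermod -aG wheel <user>     (-a keeps the user's other groups; a bare
    #                                 -G would replace them)
    #   gpasswd -d <user> wheel
    grep -q '^auth.*pam_rootok.so' /etc/pam.d/su \
      || sed -i '/^#%PAM-1.0/a auth        sufficient    pam_rootok.so' /etc/pam.d/su
    grep -q '^auth.*pam_wheel.so' /etc/pam.d/su \
      || sed -i '/^auth.*pam_rootok.so/a auth        required      pam_wheel.so use_uid group=wheel' /etc/pam.d/su

    # Remote root login is left enabled here (the author kept these off). To
    # turn it off, rewrite the directive in place rather than appending a
    # second one: sshd uses the first value it finds for a keyword.
    #sed -i '/PermitRootLogin yes/cPermitRootLogin no' /etc/ssh/sshd_config
    #/etc/init.d/sshd restart

    # Only the bastion host 192.168.200.122 may reach sshd (TCP wrappers);
    # every other client is denied. Template for another host: sshd:x.x.x.x:allow
    # Established sessions are unaffected, new connections from elsewhere are
    # refused, so run this from the bastion. NOTE(review): this applies only to
    # an sshd linked with libwrap; upstream OpenSSH dropped tcp_wrappers support
    # in 6.7, so a self-built 8.0p1 (as later on this page) ignores these files
    # and the same restriction has to be enforced with firewall rules.
    grep -qFx 'sshd:192.168.200.122:allow' /etc/hosts.allow \
      || echo 'sshd:192.168.200.122:allow' >> /etc/hosts.allow
    grep -qFx 'all:all' /etc/hosts.deny || echo 'all:all' >> /etc/hosts.deny

    # Idle shells exit after 600 s; readonly stops a user unsetting the limit.
    grep -q '^TMOUT=' /etc/profile \
      || printf 'TMOUT=600\nreadonly TMOUT\nexport TMOUT\n' >> /etc/profile
    # Optional history limits, left off by the author (note that shrinking the
    # history also removes evidence an investigation may need):
    #echo export HISTFILESIZE=5 >> /etc/profile
    #echo export HISTSIZE=1 >> /etc/profile
    #echo export HISTFILESIZE >> /etc/profile

    # Default umask 022 -> 027: group loses write, others get no access. Only
    # lines containing ' umask 022' are rewritten.
    sed -i '/ umask 022/c umask 027' /etc/profile
    source /etc/profile

    # Inspect or reset a user's failure counter:
    #pam_tally2 --user root
    #pam_tally2 -r -u root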

    更新安全补丁
    # Install only updates flagged as security errata (on EL6 this needs the
    # yum security plugin package; global options may follow the subcommand).
    yum upgrade --security

    升级ssh版本:
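    # Temporary fallback: enable telnet so the host stays reachable while sshd is
    # rebuilt. Telnet is plaintext, so keep this window short; the block near
    # the end of the page turns it off again.
    # Offline install from local EL6 RPMs (fails harmlessly if they are not in
    # the current directory), then the same packages via yum.
    rpm -ivh telnet-0.17-47.el6_3.1.x86_64.rpm telnet-server-0.17-47.el6_3.1.x86_64.rpm xinetd-2.3.14-39.el6_4.x86_64.rpm
    yum install telnet telnet-server xinetd wget -y
    sed -i '/disable/{s/yes/no/g;}' /etc/xinetd.d/telnet
    # Allow root on the pseudo-terminals pts/0..pts/6 used by telnet sessions;
    # add each entry once so re-runs do not pile up duplicates.
    for n in 0 1 2 3 4 5 6; do
      grep -qx "pts/$n" /etc/securetty || echo "pts/$n" >> /etc/securetty
    done
    service xinetd start
    chkconfig xinetd on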

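    # --- Build zlib, OpenSSL and OpenSSH from source (EL-style host) ---
    # Build prerequisites; whichever package manager is absent simply fails.
    apt-get install libssl-dev libpam-dev libz-dev build-essential zlib1g-dev
    yum install gcc pam-devel zlib-devel -y
    cd /tmp || exit 1
    # Downloads: zlib arrives over plain http and none of the archives is
    # verified here — check the upstream signature or checksum before building.
    # OpenSSL 1.0.2 is end-of-life upstream; prefer a supported branch.
    wget http://www.zlib.net/zlib-1.2.11.tar.gz
    wget https://www.openssl.org/source/openssl-1.0.2q.tar.gz
    wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
    tar -zxvf zlib-1.2.11.tar.gz
    tar -zxvf openssl-1.0.2q.tar.gz
    tar -zxvf openssh-8.0p1.tar.gz

    # zlib: the distro package is force-removed before the replacement is
    # installed, so nothing that needs libz works until 'make install' finishes.
    cd /tmp/zlib-1.2.11/ || exit 1
    ./configure --prefix=/usr
    make
    rpm -e --nodeps zlib
    make install
    # --prefix=/usr places the library in /usr/lib; make the loader look there
    # (added once).
    grep -qx '/usr/lib' /etc/ld.so.conf || echo '/usr/lib' >> /etc/ld.so.conf
    ldconfig
    # Sanity check that yum still runs after the zlib swap.
    yum list

    # OpenSSL: keep copies of the distro files before every openssl* package is
    # force-removed (dependants stay broken until the symlinks at the end).
    cd /tmp/openssl-1.0.2q/ || exit 1
    cp -r /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/openssl.old
    cp -r /usr/bin/openssl /usr/bin/openssl.old
    cp -r /usr/lib64/openssl /usr/lib64/openssl.old
    cp /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.old
    cp /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.10.old
    rpm -qa | grep openssl | xargs -r -I{} rpm -e --nodeps {}
    ./config --prefix=/usr --openssldir=/etc/ssl --shared zlib
    make
    make install
    openssl version

    # OpenSSH
    cd /tmp/openssh-8.0p1/ || exit 1
    rpm -qa | grep openssh | xargs -r -I{} rpm -e --nodeps {}

    # Privilege-separation directory and unprivileged sshd account. A distro
    # host usually already has the group and user, which would make groupadd
    # fail and stop the chain; create them only when missing.
    install -v -m700 -d /var/lib/sshd &&
    chown -v root:sys /var/lib/sshd &&
    { getent group sshd >/dev/null || groupadd -g 50 sshd; } &&
    { getent passwd sshd >/dev/null ||
      useradd -c 'sshd PrivSep' \
              -d /var/lib/sshd \
              -g sshd \
              -s /bin/false \
              -u 50 sshd; }

    # The line continuations matter: without them configure ran with only
    # --prefix, the remaining words were executed as separate (failing)
    # commands, and the config dir defaulted to /usr/etc instead of /etc/ssh.
    ./configure --prefix=/usr \
                --sysconfdir=/etc/ssh \
                --with-md5-passwords \
                --with-privsep-path=/var/lib/sshd &&
    make

    make install &&
    install -v -m755 contrib/ssh-copy-id /usr/bin &&
    install -v -m644 contrib/ssh-copy-id.1 \
                     /usr/share/man/man1 &&
    install -v -m755 -d /usr/share/doc/openssh-8.0p1 &&
    install -v -m644 INSTALL LICENCE OVERVIEW README* \
                     /usr/share/doc/openssh-8.0p1

    # NOTE(review): these three lines re-enable root password logins and X11
    # forwarding, contradicting the root-login restriction earlier on this
    # page. sshd also uses the first value it finds for a keyword, so an
    # appended line has no effect when the directive already appears above it;
    # confirm the effective settings with 'sshd -T'.
    echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
    echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
    echo 'X11Forwarding yes' >> /etc/ssh/sshd_config
    # Private host keys must not be group/world readable.
    chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
    cp -p contrib/redhat/sshd.init /etc/init.d/sshd
    chmod +x /etc/init.d/sshd
    chkconfig --add sshd
    chkconfig sshd on
    chkconfig --list sshd
    # Verify a fresh login works from a second session before closing this one.
    service sshd start

    # Close the telnet fallback again.
    sed -i '/disable/{s/no/yes/g;}' /etc/xinetd.d/telnet
    service xinetd stop
    chkconfig xinetd off

    # Give binaries still linked against the distro soname the new libraries;
    # -f keeps this re-runnable. NOTE(review): confirm the link targets exist
    # under /usr/lib64 after 'make install' before relying on them.
    ln -sf /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so.10
    ln -sf /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so.10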

    end

  • 原文地址:https://www.cnblogs.com/lindows/p/15104527.html