漏洞扫描,linux配置规范处理

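#!/bin/bash

## Password ageing / length policy in /etc/login.defs.
## The directive is matched at the start of the line, so commented examples
## ("# PASS_MIN_LEN 5") are left untouched, and a missing directive is
## appended instead of silently skipped (the original built a sed
## expression from an empty grep result in that case and changed nothing).
## NOTE(review): login.defs only affects accounts created afterwards;
## existing accounts keep their current ageing values (see chage).
filename=/etc/login.defs
if [ -f "$filename" ]; then
  ## set shortest length of password
  if grep -qE '^[[:space:]]*PASS_MIN_LEN[[:space:]]' "$filename"; then
    sed -i -E 's/^[[:space:]]*PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN    8/' "$filename"
  else
    echo "PASS_MIN_LEN    8" >> "$filename"
  fi
  ## set password timeout: half a year
  if grep -qE '^[[:space:]]*PASS_MAX_DAYS[[:space:]]' "$filename"; then
    sed -i -E 's/^[[:space:]]*PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS   180/' "$filename"
  else
    echo "PASS_MAX_DAYS   180" >> "$filename"
  fi
fi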

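## Password complexity: add a pam_cracklib rule when no active one exists.
## The grep only counts occurrences that are not behind a "#", instead of
## discarding every line that merely contains a "#" somewhere.
filename=/etc/pam.d/system-auth

if [ -f "$filename" ]; then
  if ! grep -qE '^[^#]*pam_cracklib\.so' "$filename"; then
    ## not exist pam_cracklib.so, need to add
    ## NOTE(review): appending places the rule after every existing
    ## "password" line; PAM evaluates the stack in order, so confirm the
    ## resulting position (it should precede pam_unix.so) on the target.
    echo "password requisite pam_cracklib.so ucredit=-2 lcredit=-2 dcredit=-2" >> "$filename"
  fi
fi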

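## limit su to root: root itself may su without a password (pam_rootok),
## everybody else must be a member of the wheel group (pam_wheel).
filename=/etc/pam.d/su

if [ -f "$filename" ]; then
  if ! grep -qE '^[^#]*pam_rootok\.so' "$filename"; then
    ## empty, need add (line 2 keeps it directly after the header line)
    sed -i '2i auth sufficient pam_rootok.so' "$filename"
  fi

  if ! grep -qE '^[^#]*pam_wheel\.so' "$filename"; then
    ## NOTE(review): make sure at least one administrator is in "wheel"
    ## before this takes effect, otherwise only root can use su.
    sed -i '3i auth required pam_wheel.so group=wheel' "$filename"
  fi
fi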


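## Default umask and idle-shell timeout in /etc/profile.
filename=/etc/profile

if [ -f "$filename" ]; then

  ## Insert "umask 027" at line 2 unless an active "umask 027" already
  ## exists anywhere in the file (the original only compared line 2, so an
  ## entry further down caused a duplicate insert on every run).
  ## NOTE(review): a later umask statement in the same file would still
  ## override this one; check the distribution's profile for one.
  if ! grep -qE '^[[:space:]]*umask[[:space:]]+027([[:space:]]|$)' "$filename"; then
    ## add config in the 2 line
    sed -i '2i umask 027' "$filename"
  fi

  ## add command line timeout quit.
  if ! grep -qE '^[^#]*TMOUT=300' "$filename"; then
    ## NOTE(review): an exported TMOUT can be unset by the user; add
    ## "readonly TMOUT" on the next line if the baseline requires that.
    echo "export TMOUT=300" >> "$filename"
  fi
fi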

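## Forbid direct root logins over SSH.
## Every active "PermitRootLogin" line is rewritten in place by pattern;
## the original substituted the grep output, which broke (multi-line
## pattern) when more than one such line existed.
filename=/etc/ssh/sshd_config

if [ -f "$filename" ]; then
  if grep -qE '^[[:space:]]*PermitRootLogin[[:space:]]' "$filename"; then
    sed -i -E 's/^[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$filename"
  else
    echo "PermitRootLogin no" >> "$filename"
  fi

  ## Validate the configuration before restarting: a daemon that fails to
  ## come back up means loss of remote administration.  If sshd is not in
  ## PATH the check is skipped and the restart proceeds as before.
  if [ -f "/etc/init.d/sshd" ]; then
    if command -v sshd >/dev/null 2>&1 && ! sshd -t; then
      echo "sshd_config failed validation (sshd -t); not restarting sshd" >&2
    else
      /etc/init.d/sshd restart
    fi
  fi
fi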

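## Route authentication events to /var/log/secure.
filename=/etc/rsyslog.conf

if [ -f "$filename" ]; then
  ## Only an uncommented selector counts; "[^#]*" stops at a leading "#".
  if ! grep -qE '^[^#]*authpriv.*[[:space:]]+/var/log/secure' "$filename"; then
    echo "authpriv.* /var/log/secure" >> "$filename"
  fi
fi

filename=/var/log/secure

if [ ! -f "$filename" ]; then
  touch "$filename"
  ## Auth logs contain usernames and failed-login details; a file created
  ## by touch would otherwise inherit the umask and may be world-readable.
  chmod 600 "$filename"
fi
## Restart whichever syslog init script is present so the new rule is read;
## systems shipping /etc/rsyslog.conf usually have the rsyslog script.
if [ -f "/etc/init.d/rsyslog" ]; then
  /etc/init.d/rsyslog restart
elif [ -f "/etc/init.d/syslog" ]; then
  /etc/init.d/syslog restart
fi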
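## delete ftp user
## The original '/ftp:/d' removed every passwd line that merely contained
## "ftp:" (e.g. "vsftpd:", "tftp:", or a GECOS field) and left the matching
## shadow/group entries behind.  Use userdel so all three databases stay
## consistent; fall back to an anchored sed only when userdel is absent.
if getent passwd ftp >/dev/null 2>&1; then
  if command -v userdel >/dev/null 2>&1; then
    userdel ftp
  else
    sed -i '/^ftp:/d' /etc/passwd
  fi
fi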

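## Disable anonymous FTP in both vsftpd configuration locations.
##
#######################################
# Force "anonymous_enable=NO" in a vsftpd configuration file.
# Arguments: $1 - path of the configuration file
# Outputs:   none
# Returns:   status of the last file operation
# Every active "anonymous_enable=" line is rewritten by pattern (the
# original substituted the grep output into sed, which broke when the
# directive appeared more than once); the line is appended when absent,
# and the file and its directory are created when missing.
#######################################
set_vsftpd_anonymous_off() {
  local conf=$1
  if [ -f "$conf" ]; then
    if grep -qE '^[[:space:]]*anonymous_enable=' "$conf"; then
      sed -i -E 's/^[[:space:]]*anonymous_enable=.*/anonymous_enable=NO/' "$conf"
    else
      echo "anonymous_enable=NO" >> "$conf"
    fi
  else
    mkdir -p -- "$(dirname -- "$conf")"
    touch -- "$conf"
    echo "anonymous_enable=NO" >> "$conf"
  fi
}

## Debian-style location.
set_vsftpd_anonymous_off /etc/vsftpd.conf
## Red Hat-style location.
set_vsftpd_anonymous_off /etc/vsftpd/vsftpd.conf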


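## Deny root from logging in over FTP: "root" must appear in the ftpusers
## deny list, wherever the FTP daemon looks for it.
##
#######################################
# Make sure "root" is listed in a ftpusers-style file.
# Arguments: $1 - path of the list file
# Outputs:   none
# Returns:   status of the last file operation
# Whole-line matching (-x) replaces the original substring grep, which also
# accepted entries such as "nonroot".  The file and its directory are
# created when missing.
#######################################
ensure_root_in_ftpusers() {
  local list=$1
  if [ ! -f "$list" ]; then
    mkdir -p -- "$(dirname -- "$list")"
    touch -- "$list"
  fi
  ## do not need to replace, due to there are only name in the ftpusers file
  if ! grep -qxF "root" "$list"; then
    echo "root" >> "$list"
  fi
}

ensure_root_in_ftpusers /etc/ftpusers
ensure_root_in_ftpusers /etc/vsftpd/ftpusers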

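## Disable the telnet service in xinetd when a telnet package is installed.
if rpm -qa | grep -q telnet; then
  ## have install telnet
  filename=/etc/xinetd.d/telnet
  if [ -f "$filename" ]; then
    if grep -qE '^[[:space:]]*disable[[:space:]]*=' "$filename"; then
      ## The original sed lacked -i and only printed the edited file to
      ## stdout, leaving telnet enabled; the leading whitespace is kept.
      sed -i -E 's/^([[:space:]]*)disable[[:space:]]*=.*/\1disable = yes/' "$filename"
    else
      ## NOTE(review): this appends after the service block, as the
      ## original did; xinetd expects the directive inside "{ ... }", so
      ## verify the file after the run.
      echo "disable = yes" >> "$filename"
    fi
    service xinetd restart
  fi
fi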
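## Neutralise legacy trust files (.netrc, hosts.equiv, .rhosts) by renaming
## them with a .bak suffix.  find can return several paths, or paths with
## spaces, which the original unquoted "mv $var" could not handle; each hit
## is processed on its own via NUL-delimited output.
for trust_file in .netrc hosts.equiv .rhosts; do
  find / -maxdepth 3 -name "$trust_file" -print0 |
    while IFS= read -r -d '' found; do
      mv -- "$found" "$found.bak"
    done
done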


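#######################################
# Disable a SysV service at every runlevel.
# Arguments: $1 - service name as known to chkconfig
# Outputs:   none; chkconfig output (including errors for services that
#            are not installed) is discarded on purpose
# Returns:   chkconfig's exit status
#######################################
closeService() {
  local svc=$1
  chkconfig --level 0123456 "$svc" off > /dev/null 2>&1
}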

## Legacy or unneeded network services to switch off at all runlevels.
## Services that are not installed produce no output (closeService
## discards chkconfig's messages).
legacy_services=(
  printer sendmail ypbind kshell lpd ident tftp time time-udp ntalk
  bootps chargen chargen-udp nfs daytime nfslock echo echo-udp
  discard discard-udp klogin
)
for svc in "${legacy_services[@]}"; do
  closeService "$svc"
done


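## Keep "root" in vsftpd's chroot_list.
## NOTE(review): whether this list means "chroot these users" or "exempt
## these users" depends on chroot_local_user in vsftpd.conf; verify the
## intended effect on the target system.
filename=/etc/vsftpd/chroot_list

if [ -f "$filename" ]; then
  ## -x: whole-line match, so "nonroot" or "rooter" do not count
  if ! grep -qxF "root" "$filename"; then
    ## limit root user access with no password
    echo "root" >> "$filename"
  fi
else
  ## the directory may not exist yet (the original touch failed then)
  mkdir -p /etc/vsftpd
  touch "$filename"
  echo "root" >> "$filename"
fi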


## Permissions on the account databases: the hash file is root-only,
## group and passwd remain world-readable as system tools expect.
chmod 644 /etc/group
chmod 600 /etc/shadow
chmod 644 /etc/passwd


## Remove the pre-login banners (they typically disclose the OS or kernel
## version) by renaming them; the .bak copy allows restoring a custom one.
for banner in /etc/issue /etc/issue.net; do
  if [ -f "$banner" ]; then
    mv "$banner" "$banner.bak"
  fi
done
原文地址:https://www.cnblogs.com/qq931399960/p/9141232.html