System: CentOS 7.2, Tencent Cloud host hardening script
1. Close port 22 and use a non-standard port; disable root login and log in as a normal user
2. Hardening script
#!/usr/bin/env bash
# desc: setup linux system security for wupao
# author: chy 20190415
# Run as root on CentOS 7.x. Every file it edits is backed up as <file>.bak<date> first.
# Global vars
DATE=$(date +%F)
log_name=anquanjiagu.log

# account setup
# lock accounts that are not needed
echo "Current user list:" >>"$log_name"
cat /etc/passwd >>"$log_name"
echo "Locking unneeded users:" >>"$log_name"
# back up once, not once per loop iteration
cp -p /etc/passwd "/etc/passwd.bak${DATE}"
cp -p /etc/shadow "/etc/shadow.bak${DATE}"
for user in lp nscd dbus vcsa nobody avahi sync ftp mail shutdown halt news uucp operator games gopher; do
    # skip accounts this image does not have instead of letting usermod error out
    id "$user" >/dev/null 2>&1 || continue
    echo "will disable login for $user" >>"$log_name"
    # -L only invalidates the password hash ("!" prefix in /etc/shadow); a key-based or
    # passwordless login is only stopped by a nologin shell (usermod -s /sbin/nologin)
    usermod -L "$user"
    echo "The user $user login has been disabled!" >>"$log_name"
done

## minimum password length 8
len=$(awk '/^PASS_MIN_LEN/ {print $2}' /etc/login.defs)
if [ "${len:-0}" != 8 ]; then
    cp -p /etc/login.defs "/etc/login.defs.bak${DATE}"
    echo "Current minimum password length: ${len:-unset}, changing the default minimum length" >>"$log_name"
    # replace the whole value; the old "s/5/8/g" rewrote every 5 on the line, not the setting
    if grep -q '^PASS_MIN_LEN' /etc/login.defs; then
        sed -i 's/^PASS_MIN_LEN.*/PASS_MIN_LEN 8/' /etc/login.defs
    else
        echo 'PASS_MIN_LEN 8' >>/etc/login.defs
    fi
    echo "Default minimum password length changed from ${len:-unset} to 8!!!" >>"$log_name"
else
    echo "Current minimum password length: $(grep '^PASS_MIN_LEN' /etc/login.defs)" >>"$log_name"
    echo "Password expiry warning period: $(grep '^PASS_WARN_AGE' /etc/login.defs)" >>"$log_name"
fi
# on CentOS 7 passwd enforces the minlen given to the PAM module below; PASS_MIN_LEN is
# only read by the shadow-utils tools that consult login.defs directly

## check whether any account other than root has UID 0
su_num=$(awk -F: '($3==0){print $1}' /etc/passwd | grep -v '^root$')
if [ -z "$su_num" ]; then
    echo "No account other than root has root (UID 0) privileges" >>"$log_name"
else
    echo "Accounts other than root have UID 0, change their UID: $su_num" >>"$log_name"
fi

# chattr +i /etc/passwd /etc/shadow: after this no user can be added or removed and no
# password can be changed (useradd/usermod/passwd fail with an "authentication token
# manipulation error") until "chattr -i" is run on all four files.
# i: the file cannot be deleted, renamed, linked, written to or appended to; it is a big
# help for securing the file system.
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
echo "chattr /etc/passwd /etc/shadow success" >>"$log_name"

# password complexity
cp -p /etc/pam.d/system-auth "/etc/pam.d/system-auth.bak${DATE}"
# CentOS 7 ships "password requisite pam_pwquality.so ..." on this line; pam_pwquality accepts
# the same retry/difok/minlen/ucredit/lcredit/dcredit options if you prefer it to pam_cracklib.
# system-auth is a symlink to system-auth-ac; GNU sed -i replaces the link with a regular file,
# so a later authconfig run will not overwrite this change. "#" as delimiter avoids escaping "/".
sed -i 's#^password[[:space:]]\+requisite.*#password    requisite     pam_cracklib.so retry=5 difok=1 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 dictpath=/usr/share/cracklib/pw_dict#' /etc/pam.d/system-auth
echo "Password complexity set: success" >>"$log_name"

# lock the account after 5 failed logins, retry allowed after 5 minutes
# Older pam_tally variant, kept for reference only (not run):
# sed -i 's#auth required pam_env.so#auth required pam_env.so\nauth required pam_tally.so onerr=fail deny=3 unlock_time=300\nauth required /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth
# # pam_tally2 --user            show locked users
# Login           Failures Latest failure     From
# zabbix              7    04/15/19 15:19:25  221.198.218.86
# # pam_tally2 -r -u zabbix     unlock the zabbix user
# Login           Failures Latest failure     From
# zabbix              7    04/15/19 15:19:25  221.198.218.86
# # pam_tally2 --user
cp -p /etc/pam.d/sshd "/etc/pam.d/sshd.bak${DATE}"
# insert right after the "#%PAM-1.0" header so pam_tally2 runs first. The account line
# resets the counter after a successful login; without it every failure ever made keeps
# counting toward deny=5. The grep keeps a second run from inserting the lines twice.
grep -q pam_tally2 /etc/pam.d/sshd || sed -i \
    -e '1a auth     required     pam_tally2.so deny=5 unlock_time=300' \
    -e '1a account  required     pam_tally2.so' /etc/pam.d/sshd
echo "Login failure lockout set, using the pam_tally2.so module" >>"$log_name"

# automatic logout after 5 idle minutes
cp -p /etc/profile "/etc/profile.bak${DATE}"
# readonly, otherwise a user just runs "unset TMOUT"; the grep keeps re-runs from appending twice
grep -q '^readonly TMOUT' /etc/profile || cat >>/etc/profile <<'EOF'
readonly TMOUT=300
export TMOUT
EOF
echo "Current login timeout setting: $(grep TMOUT /etc/profile)" >>"$log_name"

# keep 4000 history commands, with timestamps
grep -q '^HISTTIMEFORMAT' /etc/profile || cat >>/etc/profile <<'EOF'
HISTFILESIZE=4000
HISTSIZE=4000
HISTTIMEFORMAT='%F %T '
export HISTTIMEFORMAT
EOF
# /etc/profile is read by new login shells; sourcing it here would only affect this script

# enable SYN cookies in /etc/sysctl.conf
# When the SYN backlog overflows, cookies are used instead, which fends off small SYN floods.
# The CentOS 7 kernel already defaults to 1; the entry pins the value across reboots.
cp -p /etc/sysctl.conf "/etc/sysctl.conf.bak${DATE}"
grep -q '^net.ipv4.tcp_syncookies' /etc/sysctl.conf || echo "net.ipv4.tcp_syncookies = 1" >>/etc/sysctl.conf
sysctl -p
echo "SYN cookies enabled" >>"$log_name"

# sshd_config tuning
cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak${DATE}"
# limit authentication attempts per connection. This only makes the shipped default of 6
# explicit (the old sed matched "#MaxAuthTries 6" and changed nothing); lower it, e.g. to 3,
# to actually tighten. The pattern also matches an already-active line.
sed -i 's/^#\?MaxAuthTries .*/MaxAuthTries 6/' /etc/ssh/sshd_config
# skip reverse DNS lookups on connect
sed -i 's/^#\?UseDNS .*/UseDNS no/' /etc/ssh/sshd_config
# validate before reloading; "reload" keeps existing sessions open
sshd -t && systemctl reload sshd
echo "SSH attempts limited, MaxAuthTries 6" >>"$log_name"

# restrict important commands to root
# The same list feeds the checksum baseline below. CentOS 7 merges /bin into /usr/bin and
# /sbin into /usr/sbin, so the /usr paths cover both. /usr/bin/pico does not exist on a
# stock CentOS 7; missing entries are skipped. "rpm -V <pkg>" will report these mode changes,
# and a yum update of the owning package restores the packaged mode, so re-run after updates.
RESTRICT_BINS=(/usr/bin/ping /usr/bin/finger /usr/bin/who /usr/bin/w /usr/bin/locate
    /usr/bin/whereis /usr/sbin/ifconfig /usr/bin/pico /usr/bin/vi /usr/bin/vim
    /usr/bin/which /usr/bin/gcc /usr/bin/make /usr/bin/rpm)
for bin in "${RESTRICT_BINS[@]}"; do
    [ -e "$bin" ] && chmod 700 "$bin"
done

# history security
touch /root/.bash_history
# +a (append-only): bash can still add lines, nobody can truncate or edit the file.
# Do not add +i as well: an immutable file cannot be appended to, so history would stop being saved.
chattr +a /root/.bash_history

# record the md5 of important commands
for i in "${RESTRICT_BINS[@]}"; do
    if [ ! -x "$i" ]; then
        echo "$i not found, no md5sum!" >>"$log_name"
    else
        md5sum "$i" >>"/var/log/$(hostname).log"
    fi
done
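The script only records the md5 baseline; nothing on the page reads it back. The following is an added example (mine, not part of the original script) that re-checks the restricted binaries against that baseline and reports changed and missing files. It assumes the script's file list and its /var/log/$(hostname).log path; the "write"/"check" arguments and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not part of the original hardening script: verify the binaries against
# the md5 baseline the script writes to /var/log/$(hostname).log. The list and the log path
# are the script's; "write" (overwrites the log) and "check" are this example's own.
set -u

# same binaries the script restricts with chmod 700 (CentOS 7 paths)
BASELINE_FILES=(/usr/bin/ping /usr/bin/finger /usr/bin/who /usr/bin/w /usr/bin/locate
    /usr/bin/whereis /usr/sbin/ifconfig /usr/bin/vi /usr/bin/vim /usr/bin/which
    /usr/bin/gcc /usr/bin/make /usr/bin/rpm)

# write_baseline OUTFILE PATH... : one "md5  path" line per existing file, in md5sum's own
# format so "md5sum -c OUTFILE" also works on it
write_baseline() {
    local out=$1 f
    shift
    : >"$out"
    for f in "$@"; do
        if [ -f "$f" ]; then
            md5sum "$f" >>"$out"
        else
            echo "skip: $f not present" >&2
        fi
    done
}

# check_baseline BASELINE : recompute every recorded hash. Prints "CHANGED path" or
# "MISSING path" per finding; returns 0 when everything matches, 1 otherwise, so it can
# drive a cron mail or an alert.
check_baseline() {
    local baseline=$1 rc=0 hash path cur
    while read -r hash path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        cur=$(md5sum "$path" | awk '{print $1}')
        if [ "$cur" != "$hash" ]; then
            echo "CHANGED $path"
            rc=1
        fi
    done <"$baseline"
    return "$rc"
}

# usage: ./check_bins.sh write   (once, right after hardening)
#        ./check_bins.sh check   (from cron, or after every yum update)
case "${1:-}" in
    write) write_baseline "/var/log/$(hostname).log" "${BASELINE_FILES[@]}" ;;
    check) check_baseline "/var/log/$(hostname).log" ;;
esac
```

`md5sum -c --quiet /var/log/$(hostname).log` does the same comparison in one command but does not distinguish a missing file from a modified one, and `rpm -V` on the owning packages cross-checks against the package metadata. Swapping `md5sum` for `sha256sum` in both functions gives a stronger baseline with the same file format.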
Key-based login for a normal user on the internal network
- Edit the sshd_config file
vim /etc/ssh/sshd_config
PermitRootLogin no          ## do not allow root to log in
PasswordAuthentication no   # do not allow password login; set this only after the key login below has been tested
Port 21201                  ## move off the default port 22
On CentOS 7 three more steps are needed before the new port works: open 21201/tcp in the Tencent Cloud security group (and in firewalld if it is running), register the port with SELinux (semanage port -a -t ssh_port_t -p tcp 21201, from policycoreutils-python), then run sshd -t && systemctl reload sshd. Keep the current session open and test a second login on the new port before closing it.
2. Generate a key pair
Log in as the normal user and run ssh-keygen.
[screenshot: the ssh-keygen prompts]
Enter the key passphrase at the prompt the arrow points to, and a key pair is generated:
-bash-4.2$ pwd
/nginx/.ssh
-bash-4.2$ ll
total 8
-rw------- 1 nginx nginx 1766 May 22 17:22 id_rsa
-rw-r--r-- 1 nginx nginx 403 May 22 17:22 id_rsa.pub
Put the public key into ~/.ssh/authorized_keys (cat id_rsa.pub >> authorized_keys) and restrict it as below. sshd's StrictModes also requires ~/.ssh to be mode 700 and the home directory (/nginx here) not to be group- or world-writable; otherwise the key is silently ignored.
-bash-4.2$ chmod 400 authorized_keys #set permissions
-bash-4.2$ ll
total 8
-r-------- 1 nginx nginx 403 May 22 17:25 authorized_keys
drwxrwxr-x 2 nginx nginx 4096 May 22 17:26 rsa
-bash-4.2$ pwd
/nginx/.ssh
3. Log in with Xshell or a similar client
[screenshot: Xshell session configured with the new port, the normal user and the private key]
Once configured you can log in.
4. Grant sudo rights
Use visudo rather than vim: it checks the syntax on save, and a syntax error in /etc/sudoers locks every user out of sudo.
visudo
nginx ALL=(ALL) ALL
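The sshd_config edits in the hardening script (the MaxAuthTries/UseDNS sed lines) and in the key-login steps above are both "search for the exact commented default and replace it", which changes nothing when the directive is already active, absent, or sits below a Match block. The following added example (mine, not from the original post) does the same edits as functions that work in all three cases, adds the authorized_keys install with the modes StrictModes requires, and wraps the SELinux/firewalld/reload steps. It assumes CentOS 7 with SELinux enforcing; port 21201 and the nginx home directory are the page's values, the function names and the "harden"/"key"/"apply" arguments are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: idempotent sshd_config hardening plus the
# authorized_keys install, as functions that can be tried on a copy of the file first.
# Assumptions: CentOS 7 with SELinux enforcing and firewalld (apply_sshd only); port 21201
# and the nginx user's home are the page's values, everything else is illustrative.
set -u

# set_sshd_opt FILE KEY VALUE : drop every global occurrence of KEY (active or commented) and
# write "KEY VALUE" once, above the first Match block. A directive appended below a Match
# line only applies inside that block, which is how such an edit silently fails.
set_sshd_opt() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" k "([ \t]|$)"; placed = 0 }
        /^[ \t]*Match([ \t]|$)/ && !placed { print k " " v; placed = 1 }
        placed  { print; next }        # inside Match blocks: leave untouched
        $0 ~ re { next }               # global occurrence: remove
        { print }
        END { if (!placed) print k " " v }
    ' "$file" >"$tmp" && cat "$tmp" >"$file"   # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# get_sshd_opt FILE KEY : first active value of KEY (what sshd itself would use)
get_sshd_opt() {
    local file=$1 key=$2
    awk -v k="$key" '$1 == k { print $2; exit }' "$file"
}

# harden_sshd_config FILE PORT : the settings from the script and the key-login section
harden_sshd_config() {
    local file=$1 port=$2
    set_sshd_opt "$file" Port "$port"
    set_sshd_opt "$file" PermitRootLogin no
    set_sshd_opt "$file" PubkeyAuthentication yes
    set_sshd_opt "$file" PasswordAuthentication no   # only after a key login has been tested
    set_sshd_opt "$file" MaxAuthTries 6              # the shipped default; 3 is tighter
    set_sshd_opt "$file" UseDNS no
}

# install_pubkey HOME PUBKEY_FILE : append the key once, with the modes StrictModes demands
# (home not group/world-writable, .ssh 700, authorized_keys 600; the page's 400 also works).
# Run as the user, as on the page, or chown -R the .ssh directory afterwards.
install_pubkey() {
    local home=$1 pub=$2 ak=$1/.ssh/authorized_keys
    chmod go-w "$home"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    grep -qxF "$(cat "$pub")" "$ak" 2>/dev/null || cat "$pub" >>"$ak"
    chmod 600 "$ak"
}

# apply_sshd PORT : make the new port reachable and reload without dropping this session.
# Needs root. The Tencent Cloud security group must already allow PORT (console setting).
apply_sshd() {
    local port=$1
    sshd -t || { echo "sshd_config is invalid, not reloading" >&2; return 1; }
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$port"      # -a fails if already defined
    if systemctl is-active --quiet firewalld; then
        firewall-cmd --permanent --add-port="${port}/tcp" && firewall-cmd --reload
    fi
    systemctl reload sshd
}

case "${1:-}" in
    harden) harden_sshd_config /etc/ssh/sshd_config "${2:-21201}" ;;
    key)    install_pubkey /nginx /nginx/.ssh/id_rsa.pub ;;
    apply)  apply_sshd "${2:-21201}" ;;
esac
```

Run `harden` on a copy first (`cp /etc/ssh/sshd_config /tmp/sshd_config; harden_sshd_config /tmp/sshd_config 21201; diff`) to see exactly what changes, then `apply` only from a session you keep open while a second login on the new port is tested.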
Problems:
Login may fail because of the login-failure lockout the script configured:
sed -i '1aauth required pam_tally2.so deny=5 unlock_time=300' /etc/pam.d/sshd
Unlocking manually:
Show a user's failed-login count:
pam_tally2 --user <user>
For example, show the work user's failed-login count:
pam_tally2 --user work
Reset a user's failed-login count:
pam_tally2 --user <user> --reset
For example, reset the work user's failed-login count:
pam_tally2 --user work --reset
Run with no --user, pam_tally2 lists every user with a non-zero count. The count is only reset automatically after a successful login if /etc/pam.d/sshd also contains "account required pam_tally2.so"; with the auth line alone, failures accumulate until a manual --reset.