#!/bin/bash
#desc: setup linux system security
#author
#powered by www.freebsdsysystem.org
#version 0.1.2 written by 2011.05.03
#设置账号
passwd -1 xfs
passwd -1 news
passwd -1 nscd
passwd -1 dbus
passwd -1 vcsa
passwd -1 games
passwd -1 nobody
passwd -1 avahi
passwd -1 haldemon
passwd -1 gopher
passwd -1 ftp
passwd -1 mailnull
passwd -1 pcap
passwd -1 mail
passwd -1 shutdown
passwd -1 halt
passwd -1 uucp
passwd -1 operator
passwd -1 sync
passwd -1 adm
passwd -1 lp
#用chattr给用户路径更改属性
#chattr命令用法参考文末说明[1]
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
#设置密码连续错3次后锁定5分钟
sed -i 's#auth required\
pam_env.so#auth required\
pam_env.so nauth required\
pam_tally.so onerr=fail deny=3\
unlock_time=300\
nauth required /lib/security/ \
$ISA/pam_tally.so onerr=fail \
deny=3 unclock_time=300#'\
etc/pam.d/system-auth
#5分钟后自动退出,原因参考文末说明[2]
echo "TMOUT=300" >> /etc/profile
#历史命令记录数设定为10条
sed -i
"s/HISTSIZE=1000/histsize=10/"
etc/profile
#让以上针对 /etc/profile 的改动立即生效
source /etc/profile
#在 etc/sysctl.conf 中启用 syncookie
echo "net.ipv4.tcp_syncookies=1" >>
/etc/sysctl.conf
#exec sysctl.conf enable
sysctl -p
#优化 sshd_config
sed -i "s/#maxauthtries 6/maxauthtries
6/" / etc/ssh/sshd_config
sed -i "s/#UseDNS yes/useDNS no/"
etc/ssh/sshd_config
#限制重要的命令权限
chomd 700 /bin/ping
chomd 700 /usr/bin/finger
chomd 700 /usr/bin/who
chomd 700 /usr/bin/w
chomd 700 /usr/bin/local
chomd 700 /usr/bin/whereis
chomd 700 /sbin/ifconfig
chomd 700 /usr/bin/pico
chomd 700 /bin/vi
chomd 700 /usr/bin/which
chomd 700 /usr/bin/gcc
chomd 700 /usr/bin/make
chomd 700 /bin/rpm
#历史安全
chattr +a /root/.bash_history
chattr +i /root/.bash_history
#给重要的命令写md5
cat > list << "EOF" &&
/bin/ping
/usr/bin/finger
/usr/bin/who
/usr/bin/w
/usr/bin/locate
/usr/bin/whereis
/sbin/ifconfig
/bin/vi
/usr/bin/vim
/usr/bin/which
/usr/bin/gcc
/usr/bin/make
/bin/rpm
EOF
for i in 'cat list'
do
if [ ! -x $i ];then
echo "$i not found,no md5sum!"
else
md5sum $i >>
/var/log/'hostname'.log
fi
done
rm -f list
