系统安全检测脚本
############################################################
# File Name: sec_check.sh
# Author: 寻音
# E-mail: lnhxzwb@126.com
# Created Time: Tue 27 Feb 2019 03:06:07 PM CST
#==================================================================
#本脚本运行环境为Centos 7以上版本,其它系统请参照修改
#!/bin/bash
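#备份相关配置文件
# Every step below rewrites files under /etc, so refuse to continue
# without root instead of failing half-way through.
if [ "$(id -u)" -ne 0 ]; then
  echo "本脚本必须以root身份运行" >&2
  exit 1
fi
# Back up each config file before it is edited. -p keeps the original
# mode/owner so the copy of e.g. sshd_config does not get a wider mode
# than the original; a missing file is reported but does not stop the run.
for cfg in /etc/ssh/sshd_config /etc/login.defs /etc/pam.d/system-auth \
           /etc/pam.d/sshd /etc/rsyslog.conf /etc/profile; do
  if [ -f "$cfg" ]; then
    cp -p -- "$cfg" "${cfg}.bak" || echo "备份失败: $cfg" >&2
  else
    echo "文件不存在,跳过备份: $cfg" >&2
  fi
done
#创建用户
# The admin password comes from the ADMIN_PASSWORD environment variable
# (prompted for when unset) instead of being hard-coded in the script,
# so it does not live in the source or in the set -x trace below.
if [ -z "${ADMIN_PASSWORD:-}" ]; then
  read -r -s -p "请输入admin用户密码:" ADMIN_PASSWORD
  echo
fi
if [ -z "$ADMIN_PASSWORD" ]; then
  echo "admin密码不能为空" >&2
  exit 1
fi
# useradd fails on an existing account; keep the run idempotent.
id admin &>/dev/null || useradd admin
printf '%s\n' "$ADMIN_PASSWORD" | passwd --stdin admin &>/dev/null
unset ADMIN_PASSWORD
set -x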
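#帐号检查
#######################################
# Report empty-password accounts and accounts other than root with UID 0.
# When both checks pass, lock every remaining account except root, bin
# and the admin user created at the top of the script.
# Globals:   reads /etc/shadow and /etc/passwd; runs passwd -l
# Outputs:   status messages on stdout
# Returns:   0 when the checks pass, 1 when a problem was reported
#######################################
user_check()
{
  local none_passwd root_check user
  echo "特殊帐号及无用帐号检查中....."
  # Accounts whose shadow password field is empty.
  none_passwd=$(awk -F: '($2 == "") { print $1 }' /etc/shadow)
  # Every account with UID 0; only root is expected.
  root_check=$(awk -F: '($3==0) {print $1}' /etc/passwd)
  # The original test ran `$none_passwd | wc -l`, i.e. executed the account
  # names as a command; a plain emptiness test is what was meant.
  if [ -n "$none_passwd" ]; then
    echo "存在空口令帐号: $none_passwd"
    return 1
  fi
  # Quoted comparison: with two UID-0 accounts the unquoted original split
  # into a syntax error instead of reporting them.
  if [ "$root_check" != root ]; then
    echo "UUID为0的帐号为:$root_check"
    return 1
  fi
  # Lock the other accounts one by one. Exclusions are exact names: the
  # original substring match "root|bin" skipped unrelated names and locked
  # the admin account the script itself had just created.
  while IFS=: read -r user _; do
    case "$user" in
      root|bin|admin) continue ;;
    esac
    passwd -l "$user" >/dev/null
  done < /etc/passwd
  echo "检查已完成,帐号符合要求"
  echo "==========================================="
}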
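#密码复杂度设置
#######################################
# Enforce password complexity (pam_cracklib), a 90-day maximum password
# age, and disable direct root login over SSH.
# Globals:   edits /etc/pam.d/system-auth, /etc/login.defs and
#            /etc/ssh/sshd_config; restarts sshd
# Returns:   1 when the new sshd config fails validation (sshd untouched)
#######################################
passwd_set()
{
  local pam_line='password requisite pam_cracklib.so ucredit=-1 lcredit=-1 dcredit=-1'
  echo "密码复杂度设置中....."
  # Append the PAM rule only once so re-running the script does not stack
  # duplicate lines in system-auth.
  grep -qxF -- "$pam_line" /etc/pam.d/system-auth \
    || echo "$pam_line" >>/etc/pam.d/system-auth
  sed -i 's/PASS_MAX_DAYS[ \t]*99999/PASS_MAX_DAYS 90/' /etc/login.defs
  # Rewrite both the commented default and an explicit "PermitRootLogin yes";
  # the original pattern only handled the commented form.
  sed -i 's/^#\?PermitRootLogin[ \t].*/PermitRootLogin no/' /etc/ssh/sshd_config
  # Validate before restarting: a broken sshd_config on a remote host would
  # otherwise cut off every future SSH login.
  if sshd -t; then
    systemctl restart sshd
  else
    echo "sshd配置检查失败,未重启sshd" >&2
    return 1
  fi
}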
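#登陆失败次数限制
#######################################
# Lock an account for 300 s after 5 failed logins (SSH and tty) via
# pam_tally2. root is exempt; the commented line shows the even_deny_root
# variant from the original.
# Globals:   edits /etc/pam.d/sshd and /etc/pam.d/login
#######################################
login_out()
{
  local rule='auth required pam_tally2.so deny=5 unlock_time=300'
  local pam_file
  echo "分录相关限制设置中....."
  #限制用户远程登录 / 限制用户从tty登录
  # sed -i '/#%PAM-1.0/a\auth required pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=10' /etc/pam.d/sshd #root同时限制
  # Both files now get the same rule. The original tty line used
  # lock_time=300, which in pam_tally2 denies for 300 s after *every*
  # failure and, without unlock_time, never releases a deny=5 lock by itself.
  for pam_file in /etc/pam.d/sshd /etc/pam.d/login; do
    # Insert only once; a second run would otherwise add a duplicate rule.
    grep -q 'pam_tally2.so' "$pam_file" && continue
    sed -i "/#%PAM-1.0/a\\$rule" "$pam_file"
  done
}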
#文件设置访问权限
# Tighten the modes of the account database files: shadow becomes
# root-read-only, the others stay world-readable but not writable.
file_chmod()
{
  local entry mode
  echo "用户密码文件设置访问权限......"
  for entry in /etc/passwd:644 /etc/shadow:400 /etc/group:644 /etc/services:644; do
    mode=${entry##*:}
    chmod "$mode" "${entry%:*}"
  done
}
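#日志安全审计
# Start and enable a systemd unit unless it is already active.
# Arguments: $1 - unit name   $2 - message printed when already active
_ensure_service()
{
  local unit=$1 msg=$2
  # systemctl is the source of truth; the original counted `ps | grep`
  # matches, which also counts unrelated processes with a similar name.
  if systemctl is-active --quiet "$unit"; then
    echo "$msg"
  else
    systemctl start "$unit"
    systemctl enable "$unit"
  fi
}

# Append a line to a file only when no identical line is present yet.
# Arguments: $1 - line   $2 - file
_append_once()
{
  grep -qxF -- "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >>"$2"
}

#######################################
# Make sure rsyslog and auditd run and are enabled, add extra rsyslog,
# auditd and logrotate settings, forward all logs to a remote log server,
# and shorten shell history / set an idle timeout in /etc/profile.
# Globals:   edits /etc/rsyslog.conf, /etc/logrotate.conf,
#            /etc/audit/auditd.conf, /etc/profile; prompts for log_ip
#######################################
log_check()
{
  local log_ip
  echo "日志安全审计检查中......"
  _ensure_service rsyslog "日志服务已开启"
  _ensure_service auditd "auditd服务已开启"
  #日志
  # Extra selectors go right after the authpriv line; guarded so a re-run
  # does not insert them a second time.
  grep -q '/var/adm/messages' /etc/rsyslog.conf \
    || sed -i '/authpriv.\*/a\*.err;kern.debug;daemon.notice /var/adm/messages' /etc/rsyslog.conf
  grep -q '/var/log/rsyslog' /etc/rsyslog.conf \
    || sed -i '/authpriv.\*/a\*.warning /var/log/rsyslog' /etc/rsyslog.conf
  # /var/adm does not exist by default, so touch alone failed.
  mkdir -p /var/adm
  touch /var/adm/messages
  # 640 instead of the original 666: a world-writable log can be truncated
  # or forged by any local user, which defeats its audit purpose.
  chmod 640 /var/adm/messages
  # logrotate needs a file pattern before "{" and comments on their own
  # lines; the original block had neither, so it was a syntax error.
  if ! grep -q '^/var/adm/messages' /etc/logrotate.conf; then
    cat << 'EOF' >>/etc/logrotate.conf
/var/adm/messages /var/log/rsyslog {
    # 按月存储
    monthly
    # 循环日志数量为6
    rotate 6
    # 文件大小为100M
    maxsize 100M
}
EOF
  fi
  # Match whatever value is currently set, not only the stock 5 / 8.
  sed -i 's/^num_logs = .*/num_logs = 6/' /etc/audit/auditd.conf
  sed -i 's/^max_log_file = .*/max_log_file = 20/' /etc/audit/auditd.conf
  # Remote forwarding is written only when an address was actually given;
  # an empty answer used to produce the invalid line "*.* @".
  read -r -p "请输入日志服务器地址:" log_ip
  if [ -n "$log_ip" ]; then
    _append_once "*.* @${log_ip}" /etc/rsyslog.conf
  else
    echo "未输入日志服务器地址,跳过远程日志转发" >&2
  fi
  systemctl restart rsyslog
  # auditd.service refuses manual stop/restart via systemctl on CentOS 7;
  # the legacy service action is the supported way to restart it.
  service auditd restart
  sed -i 's/HISTSIZE=1000/HISTSIZE=50/' /etc/profile #保留历史命令的条数
  _append_once "export TMOUT=180" /etc/profile #系统超时登录时间
  # Kept from the original; it only affects this script's own shell.
  source /etc/profile
}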
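#时间服务检查
#######################################
# Point ntpd at ntp1.aliyun.com, enable it at boot and restart it.
# Globals:   appends to /etc/ntp.conf; restarts ntpd
#######################################
ntp_service()
{
  local server_line='server ntp1.aliyun.com'
  echo "时间服务检查....."
  # Both branches of the original did the same work except "enable";
  # doing it unconditionally is idempotent, and the grep guard keeps the
  # server line from being appended on every run.
  grep -qxF -- "$server_line" /etc/ntp.conf 2>/dev/null \
    || echo "$server_line" >> /etc/ntp.conf
  systemctl enable ntpd
  systemctl restart ntpd
}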
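#禁止生成core文件
# Disable core dumps for all users (hard and soft limit) via limits.conf;
# each line is added only once so re-runs do not duplicate it.
lim()
{
  local line
  for line in "* hard core 0" "* soft core 0"; do
    grep -qxF -- "$line" /etc/security/limits.conf 2>/dev/null \
      || echo "$line" >>/etc/security/limits.conf
  done
}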
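#增强TCP/IP协议安全配置
#######################################
# Persist the TCP/IP hardening sysctls (no ICMP redirects, ignore
# broadcast pings, SYN cookies, reverse-path filtering, no source
# routing) in /etc/sysctl.conf and apply them.
# Globals:   edits /etc/sysctl.conf; runs sysctl -p
#######################################
tcp_sec()
{
  local setting key key_re
  echo "增强TCP/IP协议安全配置......"
  for setting in \
    'net.ipv4.conf.default.secure_redirects = 0' \
    'net.ipv4.conf.all.secure_redirects = 0' \
    'net.ipv4.icmp_echo_ignore_broadcasts = 1' \
    'net.ipv4.conf.all.accept_redirects = 0' \
    'net.ipv4.conf.default.accept_redirects = 0' \
    'net.ipv4.tcp_syncookies = 1' \
    'net.ipv4.tcp_max_syn_backlog = 4096' \
    'net.ipv4.conf.all.rp_filter = 1' \
    'net.ipv4.conf.default.rp_filter = 1' \
    'net.ipv4.conf.all.accept_source_route = 0' \
    'net.ipv4.conf.default.accept_source_route = 0'; do
    key=${setting%% =*}
    key_re=${key//./\\.}
    # Replace an existing entry in place, otherwise append; the original
    # heredoc appended the whole list on every run.
    if grep -q "^${key_re} *=" /etc/sysctl.conf; then
      sed -i "s|^${key_re} *=.*|${setting}|" /etc/sysctl.conf
    else
      echo "$setting" >> /etc/sysctl.conf
    fi
  done
  sysctl -p
}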
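#路由协议安全增强配置
#######################################
# Runtime-only kernel knobs (tcp_sec writes the persistent ones):
# SYN cookies on, IP forwarding off, reverse-path filtering on for every
# interface that exists.
#######################################
route_sec()
{
  local rp
  echo "路由协议安全增强配置....."
  #启动tcp_syncookies
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  #禁止数据包转发:
  echo 0 > /proc/sys/net/ipv4/ip_forward
  # Enable reverse-path filtering (anti-spoofing; the original comment
  # "启用IP Spoofing" described the opposite of what rp_filter does).
  # Iterate over the interfaces present instead of hard-coding eth0, which
  # CentOS 7's predictable interface names (ens*, enp*) usually do not use;
  # lo, all and default are covered by the same glob.
  for rp in /proc/sys/net/ipv4/conf/*/rp_filter; do
    [ -e "$rp" ] && echo 1 > "$rp"
  done
}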
# Run every hardening step in order.
main ()
{
  local step
  for step in user_check passwd_set login_out file_chmod log_check \
              ntp_service lim tcp_sec route_sec; do
    "$step"
  done
}
main "$@"
printf '%s\n' "安全相关检测完成!!!!"


