Most enterprises today run Linux on their servers, not only because Linux is open source but because it is generally regarded as more secure than Windows. That advantage is lost when administrators, through lack of security awareness or plain carelessness, leave sensitive ports and services misconfigured where they can be abused. This is why baseline hardening is needed.
1. Baseline. A security baseline is the overall configuration of an operating system, middleware or database in which every setting meets the relevant security standard. After a system is installed, its settings are adjusted, according to the baseline standard, to values that are secure, efficient and sensible.
2. Baseline scanning. An automated tool collects the configuration items of the system and its services, compares the actual values with the standard values, lists the items that do not comply, and presents the result as a report. Some tools separate collection from comparison: an automated script gathers the configuration, and a separate program converts it into a document a person can read.
3. Writing baseline-hardening scripts. This article is a record of learning security-hardening scripts. The original post opened with several images summarising the shell command syntax used below (not reproduced here). With the basic syntax covered, a script borrowed from the web serves as the study material.
Back up every file the script touches before running it. The copies of /etc/shadow and /etc/passwd must keep the ownership and mode of the originals, hence cp -p.

#!/bin/bash
for f in /etc/login.defs /etc/security/limits.conf /etc/pam.d/su /etc/profile \
         /etc/issue.net /etc/shadow /etc/passwd /etc/pam.d/passwd \
         /etc/pam.d/common-password /etc/host.conf /etc/hosts.allow \
         /etc/ntp.conf /etc/sysctl.conf; do
    # -p keeps owner and mode, so the copy of /etc/shadow is no more readable than the original
    [ -f "$f" ] && cp -p "$f" "$f.bak"
done
echo "============ backup complete =================="
1. Check whether the minimum interval between password changes is set

# Keys in login.defs are upper case and grep is case-sensitive, so the original
# "grep pass_min_days" matched nothing and the setting was never applied.
# Anchoring on ^ edits the active line only and leaves the comment lines alone.
sed -i 's/^PASS_MIN_DAYS[[:space:]].*/PASS_MIN_DAYS 6/' /etc/login.defs
echo "minimum interval between password changes set"
2. Check whether the warning period before password expiry is set

sed -i 's/^PASS_WARN_AGE[[:space:]].*/PASS_WARN_AGE 30/' /etc/login.defs
echo "password expiry warning period set"
3. Check the password lifetime

sed -i 's/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS 90/' /etc/login.defs
echo "password lifetime set"
4. Check the minimum password length

# The original reused $minday here instead of $minlen and wrote "pass_min_ len"
# with a stray space, so it could never have matched.
sed -i 's/^PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN 6/' /etc/login.defs
echo "minimum password length set"

Three caveats apply to items 1 to 4. These sed lines change nothing when the key is absent or still commented out, so check the result with grep. login.defs only governs accounts created after the change; existing accounts keep their aging fields and need `chage -m 6 -M 90 -W 30 <user>`. And on PAM-based systems PASS_MIN_LEN is not what enforces the length; the password stack (pam_cracklib or pam_pwquality with minlen) is.
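The four sed lines above share a weakness: each silently does nothing when the key is absent or still commented out. The following is an added example, not part of the original post, of an idempotent setter and reader for login.defs-style "KEY VALUE" files: it matches the key on the active line only, replaces it in place when present and appends it when absent, and writes through the existing file so ownership and mode are preserved. The sample file is constructed here and only resembles a stock login.defs.

```shell
#!/bin/sh
# Added example: idempotent editing of login.defs-style files.
# Paths and values are assumptions; the sample file is constructed below.

# Print the active value of KEY in FILE; exit 1 if only a commented default exists
get_login_def() {
    awk -v key="$2" '$1 == key { print $2; found = 1 } END { if (!found) exit 1 }' "$1"
}

# Set KEY to VALUE in FILE: rewrite the first active line, or append when absent
set_login_def() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        $1 == key && !seen { print key "\t" value; seen = 1; next }
        { print }
        END { if (!seen) print key "\t" value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat > keeps the inode, owner and mode
    rm -f "$tmp"
}

# Apply the aging values this baseline asks for and print what is now active
apply_password_aging() {
    file=$1
    set_login_def "$file" PASS_MAX_DAYS 90
    set_login_def "$file" PASS_MIN_DAYS 6
    set_login_def "$file" PASS_WARN_AGE 30
    set_login_def "$file" PASS_MIN_LEN 6
    for k in PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE PASS_MIN_LEN; do
        printf '%s=%s\n' "$k" "$(get_login_def "$file" "$k")"
    done
    # login.defs only affects accounts created afterwards; existing users need
    # chage -M 90 -m 6 -W 30 <user>
}

# Constructed sample modelled on a stock login.defs (PASS_MIN_LEN only commented out)
make_sample_login_defs() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Constructed sample; comment lines must not be read as active settings
#   PASS_MAX_DAYS   Maximum number of days a password may be used.
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
#PASS_MIN_LEN   5
UMASK           022
EOF
    echo "$f"
}
```

Run it against a copy of the real file first (`cp -p /etc/login.defs /tmp/l && apply_password_aging /tmp/l`) and diff the result before touching /etc/login.defs.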
5. Check whether a GRUB/LILO password is set

# GRUB legacy reads /boot/grub/menu.lst (not /etc/menu.lst, which the original
# created as an empty file), the test must be -f rather than -x, and the password
# belongs in the global section before the first "title" entry as a hash from
# grub-md5-crypt, never the cleartext "password=123456" the original appended.
# GRUB_HASH and LILO_PASSWORD are assumed to be supplied by the operator.
grub=/boot/grub/menu.lst
if [ -f "$grub" ] && [ -n "$GRUB_HASH" ]; then
    grep -q '^password' "$grub" || sed -i "1i password --md5 $GRUB_HASH" "$grub"
fi
lilo=/etc/lilo.conf
if [ -f "$lilo" ] && [ -n "$LILO_PASSWORD" ]; then
    grep -q '^password=' "$lilo" || sed -i "1i password=$LILO_PASSWORD" "$lilo"
    chmod 600 "$lilo"      # the password is stored in clear; rerun /sbin/lilo afterwards
fi

On GRUB 2 systems neither file exists; the equivalent there is a hash from grub-mkpasswd-pbkdf2 placed in /etc/grub.d/40_custom as `set superusers="root"` and `password_pbkdf2 root <hash>`, followed by regenerating grub.cfg.
6. Check whether core dumps are restricted

# The original located the commented "#root ... core" example lines in limits.conf
# and rewrote their fifth field, which changes nothing. Remove any active core
# limit and add an explicit one for all users; pam_limits applies it at login,
# so verify with "ulimit -c" in a fresh session.
sed -i '/^[^#]*[[:space:]]core[[:space:]]/d' /etc/security/limits.conf
echo '* soft core 0' >> /etc/security/limits.conf
echo "* soft core 0 set"
echo '* hard core 0' >> /etc/security/limits.conf
echo "* hard core 0 set"
7. Check whether the Ctrl+Alt+Del combination is disabled

# Upstart keeps the handler in /etc/init/control-alt-delete.conf (the original
# looked in /etc); on systemd hosts mask the target instead.
conf=/etc/init/control-alt-delete.conf
if [ -f "$conf" ]; then
    # comment out the active line that runs /sbin/shutdown
    sed -i '/^[^#]*\/sbin\/shutdown/ s/^/#/' "$conf"
elif command -v systemctl >/dev/null 2>&1; then
    systemctl mask ctrl-alt-del.target
else
    echo ok
fi
8. Check the size and number of retained history records

# bash only honours the upper-case names; the original's lower-case
# histfilesize/histsize had no effect at all
echo 'HISTFILESIZE=5' >> /etc/profile
echo "history file size checked"
echo 'HISTSIZE=5' >> /etc/profile
echo "history line count checked"

Five lines is what this baseline prescribes, but it also erases most of the command trail an incident responder relies on. If you adopt it, make sure commands are recorded somewhere else (auditd or remote logging) before cutting the local history.
9. Check whether PAM restricts su to root to members of the wheel group
10. Check whether /etc/issue.net has been removed
# /etc/issue and /etc/issue.net are shown before login and typically disclose the
# distribution and kernel version; move them aside rather than delete them so they
# can be restored.
for f in /etc/issue.net /etc/issue; do
    if [ -f "$f" ]; then
        mv "$f" "$f.bak"
    else
        echo "$f does not exist"
    fi
done
11. Remove accounts unrelated to device operation and maintenance
12. Check the password reuse limit
13. Check whether a limit on failed authentication attempts is configured
# Despite the heading, this block implements item 12 (password history) plus
# complexity; it configures no lockout. The original copied system-auth to /etc,
# edited that copy for the remember= line (with quoting that made the sed a no-op)
# and the real file for the cracklib line, so half of it never reached PAM.
f=/etc/pam.d/system-auth
if [ -f "$f" ]; then
    cp -p "$f" /etc/system-auth.bak
    # remember=5 keeps the last five hashes in /etc/security/opasswd (the original
    # wrote remember=500); nullok is removed so that empty passwords are rejected
    sed -i '/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ {
        s/[[:space:]]nullok//
        /remember=/! s/$/ remember=5/
    }' "$f"
    # complexity: at least one upper-case, one lower-case and one numeric character
    sed -i '/^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib.so/ s/pam_cracklib.so/& ucredit=-1 lcredit=-1 dcredit=-1/' "$f"
fi
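Items 9, 12 and 13 describe PAM controls, yet the script above applies only the reuse and complexity part, and it does so without reading what is already there. As an added example (not from the original script), here is a read-only audit in the spirit of the baseline scan described at the start of the page: it reads the active pam_unix password line, the lockout module and /etc/pam.d/su, compares them with the standard, and reports each item. The two configurations are constructed samples; pam_faillock and pam_tally2 are both accepted because distributions differ.

```shell
#!/bin/sh
# Added example: audit the PAM password policy instead of blindly rewriting it.
# File paths are passed in; the weak and hardened samples are constructed below.

# Return the active "password ... pam_unix.so" line (comments excluded)
pam_unix_password_line() {
    grep -E '^[[:space:]]*password[[:space:]]+[a-z]+[[:space:]]+pam_unix\.so' "$1" | head -n 1
}

# Print one "ok"/"FAIL" line per control; return 1 if anything failed
audit_pam_policy() {   # $1 = system-auth (or common-password), $2 = /etc/pam.d/su
    auth=$1 su=$2 rc=0
    line=$(pam_unix_password_line "$auth")

    # 12. password history: remember=N with N >= 5
    n=$(printf '%s\n' "$line" | sed -n 's/.*remember=\([0-9]*\).*/\1/p')
    if [ -n "$n" ] && [ "$n" -ge 5 ]; then echo "ok   remember=$n"; else echo "FAIL remember missing or < 5"; rc=1; fi

    # 12. empty passwords must not be accepted
    case " $line " in
        *" nullok "*) echo "FAIL nullok present"; rc=1 ;;
        *)            echo "ok   nullok absent" ;;
    esac

    # 13. lockout: pam_faillock or pam_tally2 on an auth line with deny <= 5
    deny=$(grep -E '^[[:space:]]*auth[[:space:]].*(pam_faillock|pam_tally2)\.so.*deny=' "$auth" \
           | sed -n 's/.*deny=\([0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$deny" ] && [ "$deny" -le 5 ]; then echo "ok   lockout deny=$deny"; else echo "FAIL no lockout with deny<=5"; rc=1; fi

    # 9. su to root only for the wheel group
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$su"; then
        echo "ok   pam_wheel required in su"
    else
        echo "FAIL pam_wheel not required in su"; rc=1
    fi
    return $rc
}

# Constructed samples: a stock-looking weak configuration and a hardened one.
# Prints the directory holding system-auth and su.
make_pam_sample() {   # $1 = weak | hardened
    d=$(mktemp -d)
    if [ "$1" = weak ]; then
        cat > "$d/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF
        printf '#auth required pam_wheel.so use_uid\nauth include system-auth\n' > "$d/su"
    else
        cat > "$d/system-auth" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=5 unlock_time=900
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=900
account     required      pam_faillock.so
password    requisite     pam_cracklib.so try_first_pass retry=3 ucredit=-1 lcredit=-1 dcredit=-1
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
EOF
        printf 'auth required pam_wheel.so use_uid\nauth include system-auth\n' > "$d/su"
    fi
    echo "$d"
}
```

On a live host call `audit_pam_policy /etc/pam.d/system-auth /etc/pam.d/su` (Debian-style layouts keep the password line in /etc/pam.d/common-password instead). The exit status makes it usable from a scan harness; the printed lines are the report.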
14. Check that IP-spoofing protection is configured

# In /etc/host.conf "nospoof on" makes the resolver reject a host whose reverse and
# forward lookups disagree. The original treated "on" as the insecure state and ran
# s/on/off/g over the whole file, which switched the protection off (and would also
# have turned "multi on" into "multi off").
if grep -Eq '^[[:space:]]*nospoof[[:space:]]+on' /etc/host.conf; then
    echo "nospoof already on"
else
    sed -i '/^[[:space:]]*nospoof/d' /etc/host.conf
    echo 'nospoof on' >> /etc/host.conf
    echo "nospoof enabled"
fi
15. Check the /etc/hosts.allow and /etc/hosts.deny configuration

# tcp_wrappers consults hosts.allow first and stops at the first match, so the
# original's "all:all" in hosts.allow made its "all:all" in hosts.deny meaningless.
# Only the services you need belong in hosts.allow, restricted to a management
# network where possible (the original also tested relative paths before cd /etc).
cp -p /etc/hosts.allow /etc/hosts.allow.bak 2>/dev/null
cp -p /etc/hosts.deny  /etc/hosts.deny.bak  2>/dev/null
grep -q '^sshd:' /etc/hosts.allow   || echo 'sshd: ALL' >> /etc/hosts.allow
grep -q '^ALL: *ALL' /etc/hosts.deny || echo 'ALL: ALL' >> /etc/hosts.deny

These files only matter to programs linked against libwrap. Upstream OpenSSH dropped tcp_wrappers support in 6.7, so check `ldd $(command -v sshd) | grep libwrap` before relying on the sshd rule; a host firewall is the dependable control.
16. Check the status of relevant services
17. Check whether important files carry SUID/SGID bits
# Current GNU find rejects "-perm +6000"; "-perm /6000" matches either bit.
# Stripping setuid from mount, umount and ping breaks their use by unprivileged
# users, so confirm each entry is really unneeded on the host before running this.
find /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn /usr/bin/chsh \
     /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl /usr/sbin/traceroute \
     /bin/mount /bin/umount /bin/ping /sbin/netreport \
     -type f -perm /6000 2>/dev/null > file.txt
if [ -s file.txt ]; then
    echo "setuid/setgid files found:"
    while read -r i; do
        chmod 755 "$i"     # an absolute mode clears both the setuid and setgid bits
    done < file.txt
else
    echo "no setuid/setgid files found"
fi
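The block above strips the bits from a fixed list without first recording what is set. As an added example, not from the original post, the following takes an inventory of setuid/setgid files under a root, compares it with an approved list, and clears only the unexpected ones with chmod u-s,g-s (which keeps the rest of the mode, unlike chmod 755). The sample tree and approved list are constructed; on a real host the root is / and the list is specific to that host.

```shell
#!/bin/sh
# Added example: inventory-and-diff of setuid/setgid files rather than a blind chmod.
# Sample tree, approved list and paths are constructed assumptions.

# Print setuid/setgid regular files under ROOT, one per line, sorted
list_suid_files() {   # $1 = root directory
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print entries of the inventory that are not on the approved list
unexpected_suid_files() {   # $1 = root, $2 = approved list (paths relative to root)
    list_suid_files "$1" | sed "s|^$1/||" | sort > "$1.found"
    sort "$2" > "$1.allowed"
    comm -23 "$1.found" "$1.allowed"       # lines only in the inventory
    rm -f "$1.found" "$1.allowed"
}

# Clear both bits on every unexpected file, leaving the rest of the mode alone
strip_unexpected_suid() {   # $1 = root, $2 = approved list
    unexpected_suid_files "$1" "$2" | while read -r rel; do
        chmod u-s,g-s "$1/$rel"
        echo "cleared: $rel"
    done
}

# Constructed sample tree: three privileged binaries, two of them approved.
# Prints the root; the approved list is written next to it as <root>.allow
make_suid_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/bin"
    for p in bin/ping bin/mount usr/bin/chfn usr/bin/plain; do
        printf '#!/bin/sh\n' > "$d/$p"
        chmod 755 "$d/$p"
    done
    chmod u+s "$d/bin/ping" "$d/bin/mount"
    chmod g+s "$d/usr/bin/chfn"
    printf 'bin/ping\nbin/mount\n' > "$d.allow"
    echo "$d"
}
```

Keep the inventory from a freshly installed host as the approved list and rerun `unexpected_suid_files / approved.txt` from the scanner; a new entry is either a package update to review or something an attacker left behind.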
18. Other
19. Permission settings
chmod 644 /etc/passwd
chmod 644 /etc/group
# 400 is the baseline value for /etc/shadow. Distributions that use a "shadow"
# group (root:shadow 640) need that mode kept, or programs that verify passwords
# as group shadow rather than as root stop working.
chmod 400 /etc/shadow
#chmod 600 /etc/xinetd.conf
chmod 644 /etc/services
chmod 700 /etc/security        # a directory; the original's 600 would drop the search bit
for f in /etc/grub.conf /boot/grub/grub.conf /etc/lilo.conf; do
    [ -f "$f" ] && chmod 600 "$f"   # bootloader files may hold a password; skip if absent
done
echo "file permissions set"

A classic all-in-one script, for study:
1.

The script below edits staged copies under /home/test1 rather than the live files; only the permission changes and the sshd restart act on the system directly, and the staged copies must be reviewed and copied back. Beyond restoring the line breaks, the bugs noted inline have been fixed: lower-case keys in login.defs, the cleartext "password=123456" for GRUB, an unquoted "*" in the limits.conf echo, "remember=500", lower-case histfilesize and tmout, an inverted test around the SSH banner, fixed line numbers for the umask edit, /etc/profile being copied three times (wiping earlier edits), and an appended "ulimit -s -c unlimited" that re-enabled the core dumps the same script disables.

#!/bin/bash
STAGE=/home/test1
mkdir -p "$STAGE"

echo ---------------start--------------------
echo ---------------password aging----------------
if [ -f /etc/login.defs ]; then
    cp -p /etc/login.defs "$STAGE"/
    # keys are upper case; the original's lower-case grep matched nothing
    sed -i 's/^PASS_MIN_DAYS[[:space:]].*/PASS_MIN_DAYS 6/'  "$STAGE/login.defs"
    sed -i 's/^PASS_WARN_AGE[[:space:]].*/PASS_WARN_AGE 30/' "$STAGE/login.defs"
    sed -i 's/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS 90/' "$STAGE/login.defs"
    sed -i 's/^PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN 6/'    "$STAGE/login.defs"
fi
echo --------------------ok---------------------------

echo -------------------stop the del------------------------
if [ -f /etc/init/control-alt-delete.conf ]; then            # Upstart
    cp -p /etc/init/control-alt-delete.conf "$STAGE"/
    sed -i '/^[^#]*\/sbin\/shutdown/ s/^/#/' "$STAGE/control-alt-delete.conf"
elif command -v systemctl >/dev/null 2>&1; then              # systemd
    systemctl mask ctrl-alt-del.target
fi
echo ---------------------ok---------------------------------------

echo ------------------------grub and lilo key------------------------
# GRUB_HASH (output of grub-md5-crypt) and LILO_PASSWORD are expected in the
# environment; the entry goes in the global section, before the first title/image.
if [ -f /boot/grub/menu.lst ] && [ -n "$GRUB_HASH" ]; then
    cp -p /boot/grub/menu.lst "$STAGE"/
    grep -q '^password' "$STAGE/menu.lst" || sed -i "1i password --md5 $GRUB_HASH" "$STAGE/menu.lst"
fi
if [ -f /etc/lilo.conf ] && [ -n "$LILO_PASSWORD" ]; then
    cp -p /etc/lilo.conf "$STAGE"/
    grep -q '^password=' "$STAGE/lilo.conf" || sed -i "1i password=$LILO_PASSWORD" "$STAGE/lilo.conf"
fi
echo ---------------------ok--------------------------------------

echo ----------------------command history------------------
if [ -f /etc/profile ]; then
    cp -p /etc/profile "$STAGE"/     # copied once; later sections edit this staged copy
    echo 'HISTFILESIZE=5' >> "$STAGE/profile"
    echo 'HISTSIZE=5' >> "$STAGE/profile"
fi
echo -------------------------ok---------------------

echo ------------------------issue-----------------
for f in issue.net issue; do
    [ -f /etc/$f ] && cp -p /etc/$f "$STAGE/$f.bak" && echo ok
done

echo -----------------------allow/deny ip-------------------
if [ -f /etc/hosts.allow ]; then
    cp -p /etc/hosts.allow "$STAGE"/
    # hosts.allow is consulted first and the first match wins, so the original's
    # "all:all" here cancelled the deny rule below; list only the needed services
    echo 'sshd: ALL' >> "$STAGE/hosts.allow"
fi
if [ -f /etc/hosts.deny ]; then
    cp -p /etc/hosts.deny "$STAGE"/
    echo 'ALL: ALL' >> "$STAGE/hosts.deny"
fi
echo -----------------ok------------------------
#/etc/init.d/xinetd restart

echo -----------------------------core dump-------------------
if [ -f /etc/security/limits.conf ]; then
    cp -p /etc/security/limits.conf "$STAGE"/
    echo '* soft core 0' >> "$STAGE/limits.conf"   # quoted: unquoted, * is a glob
    echo '* hard core 0' >> "$STAGE/limits.conf"
fi
echo --------------ok-------------------------

echo ----------------------------passwdrepeat---------------------
if [ -f /etc/pam.d/system-auth ]; then
    cp -p /etc/pam.d/system-auth "$STAGE"/
    # remember=5 keeps the last five hashes; nullok is dropped so empty passwords are refused
    sed -i '/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix.so/ {
        s/[[:space:]]nullok//
        /remember=/! s/$/ remember=5/
    }' "$STAGE/system-auth"
    sed -i '/^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib.so/ s/pam_cracklib.so/& ucredit=-1 lcredit=-1 dcredit=-1/' "$STAGE/system-auth"
fi
echo -----------------ok--------------------

echo --------------------idle timeout--------------
if [ -f "$STAGE/profile" ]; then
    echo 'export TMOUT=600' >> "$STAGE/profile"   # bash ignores lower-case tmout
    echo 'readonly TMOUT' >> "$STAGE/profile"     # stops users from unsetting it
fi
echo ------------------ok-------------------

echo ------------------permissions-------------------
chmod 644 /etc/passwd /etc/group /etc/services
chmod 400 /etc/shadow          # keep 640 root:shadow on distributions with a shadow group
#chmod 600 /etc/xinetd.conf
chmod 700 /etc/security        # a directory: 600 would drop the search bit
for f in /etc/grub.conf /boot/grub/grub.conf /etc/lilo.conf; do
    [ -f "$f" ] && chmod 600 "$f"
done

echo ------------------umask--------------------
for f in csh.cshrc csh.login bashrc; do
    [ -f /etc/$f ] && cp -p /etc/$f "$STAGE"/
done
# the original edited fixed line numbers (11, 58, 66, 62), which differ between releases
for f in csh.cshrc csh.login bashrc profile; do
    [ -f "$STAGE/$f" ] && sed -i 's/umask [0-7]\{3\}/umask 077/' "$STAGE/$f"
done

echo --------------------before login banner-------------------
# the original only wrote the banner when the file already existed
echo 'Authorized users only. All activity will be monitored and reported.' > /etc/ssh_banner
chown root:root /etc/ssh_banner
chmod 644 /etc/ssh_banner
echo -----------------------ok----------------------------

echo -------------------stop root ssh login------------------
cp -p /etc/pam.d/login "$STAGE"/
echo 'auth required pam_securetty.so' >> "$STAGE/login"   # root console logins only from /etc/securetty ttys
cp -p /etc/ssh/sshd_config "$STAGE"/
# sshd uses the first occurrence of a keyword, and lines appended after a Match
# block belong to that block, so the original "echo permitrootlogin no >>" could
# be ignored. Rewrite the existing (possibly commented) line, or insert at the top.
for kv in 'Banner /etc/ssh_banner' 'PermitRootLogin no' 'Protocol 2'; do
    key=${kv%% *}
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$kv|I" "$STAGE/sshd_config"
    grep -Eiq "^[[:space:]]*$key[[:space:]]" "$STAGE/sshd_config" || sed -i "1i $kv" "$STAGE/sshd_config"
done
# Protocol 2 is a no-op on OpenSSH 7.4 and later, which removed SSH-1 entirely.
# The original restarted sshd against the unchanged live file; validate the staged
# copy, install it, then restart:
#   sshd -t -f "$STAGE/sshd_config" && cp "$STAGE/sshd_config" /etc/ssh/sshd_config && service sshd restart
echo -------------ok---------------------------
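The sshd_config section of the script above is the one most often done wrong in hardening scripts: sshd uses the first occurrence of each keyword and treats everything after a Match line as part of that block, so an appended `PermitRootLogin no` is silently ignored when an earlier `PermitRootLogin yes` exists or when the file ends in a Match block. The following is an added example (not from the original script) of helpers that read the effective global value the way sshd does and rewrite it in the global section; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: set sshd_config directives where sshd will actually read them.
# The sample file is constructed; keywords are matched case-insensitively as sshd does.

# Effective global value of KEYWORD: the first active occurrence before any Match block
sshd_effective() {   # $1 = config, $2 = keyword
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == kw { print $2; exit }
    ' "$1"
}

# Set KEYWORD to VALUE in the global section: replace the first active occurrence,
# drop later duplicates before the first Match, or insert just before the first
# Match (or at the end when there is none) if the keyword is absent
sshd_set() {   # $1 = config, $2 = keyword, $3 = value
    tmp=$(mktemp) || return 1
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v line="$2 $3" '
        BEGIN { inmatch = 0; seen = 0 }
        !inmatch && tolower($1) == "match" {
            if (!seen) { print line; seen = 1 }
            inmatch = 1
        }
        !inmatch && tolower($1) == kw { if (!seen) { print line; seen = 1 }; next }
        { print }
        END { if (!seen) print line }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat > keeps the inode, owner and mode
    rm -f "$tmp"
}

# Apply the settings this baseline asks for and print what sshd will use
harden_sshd_config() {   # $1 = config
    sshd_set "$1" PermitRootLogin no
    sshd_set "$1" Banner /etc/ssh_banner
    sshd_set "$1" Protocol 2
    for k in PermitRootLogin Banner Protocol; do
        printf '%s %s\n' "$k" "$(sshd_effective "$1" "$k")"
    done
    # on the real host validate before restarting: sshd -t -f /etc/ssh/sshd_config
}

# Constructed sample that defeats a plain append: an early "yes" and a trailing Match block
make_sshd_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sshd_config sample
Port 22
PermitRootLogin yes
#Banner none
Match User backup
    PermitRootLogin no
    ForceCommand /usr/bin/rsync --server --daemon .
EOF
    echo "$f"
}
```

`sshd_effective` doubles as the scan-side check: run it against /etc/ssh/sshd_config and compare the printed value with the baseline instead of grepping for the string anywhere in the file.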