Centos6.7系統(tǒng)優(yōu)化加固腳本

#!/bin/bash

# author wangqd

# description:this is a centos6.7 optimization script

# processname:  升級系統(tǒng),精簡服務(wù)族展，安裝基本配置液荸，記錄bash執(zhí)行時間活合，安全配置至非，su加固，ssh優(yōu)化盒发，iptables設(shè)置订歪，時間同步 系統(tǒng)優(yōu)化

#檢查是否為root用戶；

if [ $(id -u) != "0" ];then

echo "運行此腳本需要root權(quán)限!"

fi

yum update -y >> /etc/null

if [ $? = "0" ];then

echo "系統(tǒng)暫時無需更新"

fi

#精簡服務(wù)

# 關(guān)閉ipv6防火墻

chkconfig ip6tables off

if [ $? = "0" ];then

echo "設(shè)置ipv6防火墻開機不自啟成功"

else

echo "設(shè)置ipv6防火墻開機不自啟成功失敗"

fi

# 關(guān)閉iscsi服務(wù)

chkconfig iscsi off

if [ $? = "0" ];then

echo "設(shè)置iscsi服務(wù)開機不自啟成功"

else

echo "設(shè)置iscsi服務(wù)開機不自啟失敗"

fi

# 關(guān)閉iscsi相關(guān)服務(wù)

chkconfig iscsid off

if [ $? = "0" ];then

echo "設(shè)置iscsi相關(guān)服務(wù)開機不自啟成功"

else

echo "設(shè)置iscsi相關(guān)服務(wù)開機不自啟失敗"

fi

# 關(guān)閉NFS乙墙，smaba和NetWare網(wǎng)絡(luò)文件系統(tǒng)

chkconfig netfs off

if [ $? = "0" ];then

echo "設(shè)置NFS，smaba和NetWare網(wǎng)絡(luò)文件系統(tǒng)開機不自啟成功"

else

echo "設(shè)置NFS，smaba和NetWare網(wǎng)絡(luò)文件系統(tǒng)開機不自啟失敗"

fi

# linux的審計功能

chkconfig auditd off

if [ -f "/var/lock/subsys/auditd" ];then

echo "linux的審計功能"

else

echo "linux的審計功能未開啟"

fi

# 關(guān)閉TCP/IP網(wǎng)絡(luò)共享文件的協(xié)議的NFS的文件鎖功能

if [ -f "/var/lock/subsys/nfslock" ];then

chkconfig nfslock off

echo "關(guān)閉TCP/IP網(wǎng)絡(luò)共享文件的協(xié)議的NFS的文件鎖功能"

else

echo "TCP/IP網(wǎng)絡(luò)共享文件的協(xié)議的NFS的文件鎖功能未開啟"

fi

# 關(guān)閉 NFS v4

if [ -f "/var/lock/subsys/rpcgssd" ];then

chkconfig rpcgssd off

echo "關(guān)閉 NFS-rpcgssd"

else

echo "NFS-rpcgssd服務(wù)未開啟"

fi

# 關(guān)閉RPC服務(wù)

if [ -f "/var/lock/subsys/rpcbind" ];then

chkconfig rpcbind off

echo "關(guān)閉RPC rpcbind服務(wù)"

else

echo "RPC服務(wù)未開啟"

fi

# 關(guān)閉 NFS v4

if [ -f "/var/lock/subsys/rpcidmapd" ];then

chkconfig rpcidmapd off

echo "關(guān)閉 rpcidmapd"

else

echo "rpcidmapd服務(wù)未開啟"

fi

# 關(guān)閉系?y對Logical Volume Manager 邏輯磁區(qū)的支持

if [ -f "/var/lock/subsys/lvm2-monitor" ];then

chkconfig lvm2-monitor off

echo "關(guān)閉系統(tǒng)y對Logical Volume Manager 邏輯磁區(qū)的支持"

else

echo "系統(tǒng)y對Logical Volume Manager 邏輯磁區(qū)的支持未開"

fi

# 關(guān)閉鄰近發(fā)現(xiàn)協(xié)議

if [ -f "/var/lock/subsys/lldpad" ];then

chkconfig lldpad off

echo "關(guān)閉鄰近發(fā)現(xiàn)協(xié)議"

else

echo "鄰近發(fā)現(xiàn)協(xié)議未開啟"

fi

#安裝基本組件

# setuptool Python的 distutilsde工具的增強工具（py2.3.5以上 64位py2.4）

# ntsysv 設(shè)置系統(tǒng)的各種服務(wù)

# system-config-firewall-tui 命令行用戶接口（TUI）的防火墻客戶端

# system-config-network-tui  安裝Fedora網(wǎng)絡(luò)配置的工具

yum install -y setuptool ntsysv system-config-firewall-tui system-config-network-tui cronie wget vim unzip openssh-clients screen rsync ftp telnet >> /etc/null

if [ $? = "0" ];then

echo "基本組件安裝完成"

else

echo "基本組件已安裝過"

fi

#記錄每次bash命令的執(zhí)行時間

time="HISTTIMEFORMAT=\"%Y-%m-%d\ %H:%M:%S\""

grep "$time" /etc/profile >> /etc/null

if [ $? = "0" ];then

echo "記錄每次bash命令的執(zhí)行時間已經(jīng)做過"

else

line=$(sed -n "/export\ PATH\ USER/=" /etc/profile| tail -n1)

sed -i "${line}a HISTTIMEFORMAT=\"%Y-%m-%d\ %H:%M:%S\"\nexport\ HISTTIMEFORMAT"  /etc/profile

echo "記錄每次bash命令的執(zhí)行時間已經(jīng)成功"

fi

#安全配置

grep "^SELINUX=disabled" /etc/selinux/config

if [ $? = "0" ];then

echo "已經(jīng)做過安全配置"

else

selinux1=$(grep "^SELINUX=enforcing" /etc/selinux/config)

sed -i "s/$selinux1/SELINUX=disabled/" /etc/selinux/config

echo "服務(wù)器安全配置已經(jīng)完成"

fi

#su加固

grep "^auth" /etc/pam.d/su|grep "pam_wheel.so use_uid"

if [ $? = "0"];then

echo "su 已加固"

else

line2=$(sed -n "/^auth/=" /etc/pam.d/su|tail -1 )

sed -i "${line2}a auth\ \ \ \ \ \ required\ \ \ \ pam_wheel.so\ use_uid" /etc/pam.d/su

echo "su加固成功"

fi

#ssh 優(yōu)化

#port 端口

grep "^Port[[:space:]]" /etc/ssh/sshd_config|grep "58022"

if [ $? = "0" ];then

echo "ssh端口號設(shè)置正確修改"

else

check1=$(grep "^#Port" /etc/ssh/sshd_config)

sline1=$(sed -n "/$check1/=" /etc/ssh/sshd_config)

sed  -i "/^Port/d" /etc/ssh/sshd_config

sed  -i "${sline1}a Port\ 58022" /etc/ssh/sshd_config

echo "SSH已改為58022"

fi

#不允許用root進行登錄

grep "^PermitRootLogin[[:space:]]" /etc/ssh/sshd_config|grep "no"

if [ $? = "0" ];then

echo "ssh不允許root登錄功能已設(shè)置"

else

check2=$(grep "^#PermitRootLogin[[:space:]]" /etc/ssh/sshd_config)

sline2=$(sed -n "/$check2/=" /etc/ssh/sshd_config)

sed -i "/^PermitRootLogin/d" /etc/ssh/sshd_config

sed -i "${sline2}a PermitRootLogin\ no" /etc/ssh/sshd_config

echo "不允許root登錄ssh設(shè)置成功"

fi

#不允許空密碼登錄

grep "^PermitEmptyPasswords[[:space:]]" /etc/ssh/sshd_config|grep "no"

if [ $? = "0" ];then

echo "請查看ssh不允許空密碼登錄已被設(shè)置"

else

check3=$(grep "^#PermitEmptyPasswords[[:space:]]" /etc/ssh/sshd_config)

sline3=$(sed -n "/$check3/=" /etc/ssh/sshd_config)

sed -i "/^PermitEmptyPasswords/d" /etc/ssh/sshd_config

sed -i "${sline3}a PermitEmptyPasswords\ no" /etc/ssh/sshd_config

echo "ssh不允許空密碼登錄設(shè)置成功"

fi

#禁用DNS

grep "^GSSAPIAuthentication[[:space:]]" /etc/ssh/sshd_config|grep "no"

if [ $? = "0" ];then

echo "禁用DNS已被設(shè)置"

else

check4=$(grep "#GSSAPIAuthentication[[:space:]]" /etc/ssh/sshd_config)

sed -i "/^GSSAPIAuthentication/d" /etc/ssh/sshd_config

sline4=$(sed -n "/$check4/=" /etc/ssh/sshd_config)

sed -i "${sline4}c GSSAPIAuthentication\ no" /etc/ssh/sshd_config

echo "禁用DNS設(shè)置成功"

fi

#禁用UseDNS

grep "^UseDNS[[:space:]]" /etc/ssh/sshd_config|grep "no"

if [ $? = "0" ];then

echo "禁用UseDNS已被設(shè)置"

else

check5=$(grep "^#UseDNS[[:space:]]" /etc/ssh/sshd_config)

sline5=$(sed -n "/$check5/=" /etc/ssh/sshd_config)

sed -i "/^UseDNS/d" /etc/ssh/sshd_config

sed -i "${sline5}a UseDNS\ no" /etc/ssh/sshd_config

echo "禁用UseDNS設(shè)置成功"

fi

#AllowUsers

sed -i "/^AllowUsers/d" /etc/ssh/sshd_config

if [ $? = "0" ];then

        echo "SSH的其他允許登錄的用戶已被刪除"

else

        echo "ssh 無其他允許登錄的用戶"

fi

AU=$(sed -n "/^#/=" /etc/ssh/sshd_config|tail -1)

sed -i "${AU}a AllowUsers\ $1" /etc/ssh/sshd_config

if [ $? = "0" ];then

        echo "AllowUsers已設(shè)置用戶成功"

else

        echo "AllowUsers設(shè)置用戶失敗"

fi

#設(shè)置防火墻

iptab="-A\ INPUT\ -m\ state\ --state\ NEW\ -m\ tcp\ -p\ tcp\ --dport\ 58022\ -j\ ACCEPT"

grep "58022" /etc/sysconfig/iptables

if [ $? != 0 ];then

line8=$(sed -n "/22/=" /etc/sysconfig/iptables|head -1)

sed -i "${line8}a $iptab" /etc/sysconfig/iptables

echo "添加58022端口成功" 

#line9=$(sed -n "/lo/=" /etc/sysconfig/iptables|head -1)

#sed -i "${line9}a $iptab" /etc/sysconfig/iptables

else

        echo "58022 已被設(shè)置請查看"

fi

/etc/init.d/sshd restart

if [ $? = "0" ];then

echo "sshd已重啟"

fi

/etc/init.d/iptables restart

if [ $? = "0" ];then

echo "iptables"

fi

#時間同步

yum install ntp -y >> /etc/null

if [ $? = "0" ];then

echo "ntp服務(wù)已被安裝"

fi

/usr/sbin/ntpdate time.nist.gov

if [ $? = "0" ];then

echo "本地時間一同步時間服務(wù)器"

fi

/sbin/hwclock --systohc

if [ $? = "0" ];then

echo "系統(tǒng)時間已同步到硬件"

fi

#將時間同步寫入計劃日志

line10=$(sed -n "/^#/=" /etc/crontab|tail -1)

sed -i "${line10}a 5\ */6\ *\ *\ *\ /usr/sbin/ntpdate time.nist.gov\ >\ /dev/null\ 2>&1" /etc/crontab

if [ $? = "0" ];then 

echo "時間同步已寫入計劃日志"

fi

#優(yōu)化內(nèi)核參數(shù)

line11=$(sed -n "/^#/=" /etc/sysctl.conf|tail -1)

sed -i "${line11}a net.ipv4.tcp_max_syn_backlog\ =\ 65536\nnet.core.netdev_max_backlog\ =\ 32768\nnet.core.somaxconn\ =\ 32768\nnet.core.wmem_default\ =\ 8388608\nnet.core.rmem_default\ =\ 8388608\nnet.core.rmem_max\ =\ 16777216\nnet.core.wmem_max\ =\ 16777216net.ipv4.tcp_timestamps\ =\ 0\nnet.ipv4.tcp_synack_retries\ =\ 2\nnet.ipv4.tcp_syn_retries\ =\ 2\nnet.ipv4.tcp_tw_recycle\ =\ 1\n#net.ipv4.tcp_tw_len\ =\ 1\nnet.ipv4.tcp_tw_reuse\ =\ 1\nnet.ipv4.tcp_mem\ =\ 94500000\ 915000000\ 927000000\nnet.ipv4.tcp_max_orphans\ =\ 3276800\nnet.ipv4.ip_local_port_range\ =\ 1024\ 65535" /etc/sysctl.conf 

if [ $? = "0" ];then

echo "系統(tǒng)已經(jīng)優(yōu)化完成"

fi

#創(chuàng)建wheel用戶

useradd -G wheel $1 

echo "$2" | passwd $1 --stdin > /dev/null 2>&1

if [ $? = "0" ];then

echo "user is created!"

fi

echo "SU_WHEEL_ONLY yes" >> /etc/login.defs 

#只允許wheel用戶su到root

if [ $? = "0" ];then

echo "只允許wheel用戶su到root執(zhí)行成功"

else

echo "只允許wheel用戶su到root執(zhí)行失敗請查看"

fi

init 6