阿里安騎士推薦的系統安全優化腳本

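#!/usr/bin/env bash
#
# CentOS 7 baseline hardening: cron/at allow-lists, network sysctls, sshd
# options, password quality and aging, password history, rsyslog file mode,
# boot-loader and cron file modes.
#
# Original author: fang (centos7). Reworked so that it
#   - must run as root and stops at the first failure (set -euo pipefail);
#   - is idempotent: every setting is rewritten in place or inserted once,
#     so re-running does not stack duplicate lines (the original appended to
#     sysctl.conf, system-auth and rsyslog.conf on every run);
#   - does not depend on the distro's commented-out defaults matching a fixed
#     string (the original `sed 's/^#Key default/Key value/'` lines silently
#     did nothing whenever the shipped text differed);
#   - validates sshd_config with `sshd -t` before reloading sshd, and reloads
#     rsyslog and sysctl so the changes actually take effect.
#
# Deliberately NOT changed here (decide per host): PermitRootLogin - set it to
# "no" only once a non-root sudo account has been verified - and the default
# inactive-account lock, which stays at the original 1095 days.
#
# Usage: sudo ./harden-centos7.sh

set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "this script must run as root"

#######################################
# Set "KEY VALUE" in a whitespace-separated config (sshd_config, login.defs).
# Rewrites an active line, else activates a commented "#KEY ..." default,
# else inserts the line at the top of the file. Inserting at the top keeps a
# new sshd_config directive out of any trailing "Match" block, where an
# appended line (as in the original `echo ... >> sshd_config`) would land.
# Only unindented lines are rewritten, so indented Match-block entries are
# left alone.
# Arguments: $1 file, $2 key, $3 value
#######################################
set_kv() {
  local file=$1 key=$2 value=$3
  if grep -Eq "^${key}[[:space:]]" "$file"; then
    sed -i -E "s|^${key}[[:space:]].*|${key} ${value}|" "$file"
  elif grep -Eq "^#[[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s|^#[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
  elif [[ -s "$file" ]]; then
    sed -i "1i ${key} ${value}" "$file"
  else
    printf '%s %s\n' "$key" "$value" > "$file"
  fi
}

#######################################
# Set "KEY = VALUE" in an "="-style config (sysctl.conf, pwquality.conf).
# Rewrites an active or commented-out ("# key = x") line, else appends.
# Arguments: $1 file, $2 key, $3 value
#######################################
set_eq() {
  local file=$1 key=$2 value=$3
  local key_re=${key//./\\.}   # sysctl keys contain dots; keep them literal in the ERE
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key_re}[[:space:]]*=" "$file"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key_re}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

## cron / at: switch from deny-lists to allow-lists
# With cron.allow/at.allow present and the deny files gone, only the users
# listed in them (plus root) can schedule jobs. They start out empty: add one
# user name per line for service accounts that legitimately need cron/at.
rm -f /etc/cron.deny /etc/at.deny
touch /etc/cron.allow /etc/at.allow
chown root:root /etc/cron.allow /etc/at.allow
chmod 0600 /etc/cron.allow /etc/at.allow

## sysctl: ICMP redirects (route injection), reverse-path filtering (address
## spoofing) and IPv6 router advertisements / redirects.
while read -r key value; do
  [[ -n "$key" ]] || continue
  set_eq /etc/sysctl.conf "$key" "$value"
done <<'EOF'
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv6.conf.all.accept_ra 0
net.ipv6.conf.default.accept_ra 0
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
EOF
# -e: on hosts with IPv6 disabled the net.ipv6.* keys do not exist; do not
# let that abort the rest of the load.
sysctl -e -p

## sshd
sshd_conf=/etc/ssh/sshd_config
# CentOS 7 ships OpenSSH 7.4, which dropped protocol-1 server support and
# accepts-but-ignores this keyword, so it is harmless there; it still matters
# on older hosts.
set_kv "$sshd_conf" Protocol 2
set_kv "$sshd_conf" LogLevel INFO
set_kv "$sshd_conf" IgnoreRhosts yes            # no ~/.rhosts / ~/.shosts trust
set_kv "$sshd_conf" HostbasedAuthentication no
set_kv "$sshd_conf" PermitEmptyPasswords no
set_kv "$sshd_conf" PermitUserEnvironment no    # no LD_PRELOAD-style tricks via ~/.ssh/environment
set_kv "$sshd_conf" LoginGraceTime 2m
set_kv "$sshd_conf" MaxAuthTries 3
# Never apply an unvalidated sshd_config: a typo would lock every SSH user out.
sshd -t || die "sshd_config failed validation; sshd was not reloaded"
systemctl reload sshd   # re-reads the config without dropping active sessions

## password quality (pam_pwquality) and aging (login.defs)
# The original set minlen=10 in pwquality.conf but PASS_MIN_LEN 12 in
# login.defs. On a PAM system it is pwquality's minlen that passwd enforces
# (login.defs(5) notes that PAM now handles what the shadow suite's own
# checks used to), so one value feeds both and the stricter one is kept.
# pwquality only applies if pam_pwquality.so is in the password stack, which
# is the authconfig default on CentOS 7.
pw_min_len=12
pwq=/etc/security/pwquality.conf
set_eq "$pwq" minlen "$pw_min_len"
set_eq "$pwq" dcredit -1   # negative credit = require at least one digit
set_eq "$pwq" ucredit -1   # ... one upper-case letter
set_eq "$pwq" lcredit -1   # ... one lower-case letter
set_eq "$pwq" ocredit -1   # ... one other (symbol) character

logdefs=/etc/login.defs
set_kv "$logdefs" PASS_MAX_DAYS 90
set_kv "$logdefs" PASS_MIN_DAYS 7    # stops users cycling straight through the history
set_kv "$logdefs" PASS_MIN_LEN "$pw_min_len"
set_kv "$logdefs" PASS_WARN_AGE 30

# Default INACTIVE for new accounts: lock N days after the password expires.
# 1095 (3 years) is the original's choice; CIS suggests 30 or less - tighten
# it if your policy allows.
useradd -D -f 1095

## password history (pam_unix remember=)
# The original appended `password sufficient pam_unix.so remember=3` to the
# END of system-auth. On a stock CentOS 7 stack that puts it after the
# existing `password sufficient pam_unix.so ...` line and after
# `password required pam_deny.so`, so on a successful change the stack has
# already returned and the new line is never evaluated: no history was kept.
# Add remember= to the pam_unix.so password line that is actually used, in
# both the login (system-auth) and sshd (password-auth) stacks.
# Both files are symlinks to authconfig-generated *-ac files: --follow-symlinks
# edits the target (which is what the original `>>` did too) rather than
# replacing the link with a plain copy. `authconfig --update` regenerates
# those files, so re-run this script after using authconfig.
for pamf in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
  [[ -f "$pamf" ]] || continue
  sed -i --follow-symlinks -E \
    '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/{/remember=/!s/$/ remember=3/}' \
    "$pamf"
done

## rsyslog: create new log files 0640
# $FileCreateMode is a legacy positional directive: it applies to the file
# actions that FOLLOW it until the next $FileCreateMode (rsyslog docs: "order
# of lines is vitally important"). Appended at the end of rsyslog.conf, as the
# original did, it governs nothing. Put it at the top, before the shipped rules
# and the $IncludeConfig of /etc/rsyslog.d (if present).
rsyslog_conf=/etc/rsyslog.conf
if grep -q '^\$FileCreateMode' "$rsyslog_conf"; then
  sed -i 's/^\$FileCreateMode.*/$FileCreateMode 0640/' "$rsyslog_conf"
else
  sed -i '1i $FileCreateMode 0640' "$rsyslog_conf"
fi
systemctl restart rsyslog

## boot loader and cron file modes
# grub.cfg root-only, as the CIS benchmark recommends. UEFI installs keep the
# live grub.cfg under /boot/efi, a vfat mount whose modes come from its umask=
# mount option rather than chmod, so only the BIOS path is handled here.
if [[ -f /boot/grub2/grub.cfg ]]; then
  chown root:root /boot/grub2/grub.cfg
  chmod 0600 /boot/grub2/grub.cfg
fi
chown root:root /etc/crontab
chmod 0600 /etc/crontab
# These are directories: they need the execute bit to be searchable. The
# original's 0600 only "worked" because root bypasses that check; 0700
# (og-rwx) is the mode the CIS benchmark specifies for them.
cron_dirs=(/etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d)
chown root:root "${cron_dirs[@]}"
chmod 0700 "${cron_dirs[@]}"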

僅供參考、不喜勿噴,每行含義就不一一註釋了,還有一些並沒有寫入,看情況加