[TOC]
描述:Linux系统加固往往从下面几个方面入手,配置完成后将大大提升机器的安全性,同时满足等保合规的要求;
系统加固分类:
1.1) 用户与系统文件权限 描述:主要针对于用户默认权限以及文件目录创建的缺省权限;
PS:用户的 umask 安全配置是将 umask 修改为 022 权限掩码,即用户新建文件所获得的权限为 644 (666-022),目录权限为 755 (777-022)
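# 用户的umask安全配置
echo \*\*\*\* 修改umask为022 \*\*\*\*
# Set the default file-creation mask to 022 in every shell start-up file.
# An existing `umask` line is rewritten in place and keeps its indentation (the
# original `^\s*` match discarded it, which flattened the conditional umask block in
# /etc/bashrc); when none exists one is appended. Files that do not exist are skipped
# rather than created — creating /etc/csh.login on a host without csh adds nothing.
# Note that this also turns the `umask 002` that CentOS uses for user-private-group
# accounts into 022, which is the intent of this step. Benchmarks such as CIS commonly
# ask for the stricter 027; 022 is kept as the author's chosen policy.
set_umask_022() {
  local file=$1
  [[ -f "$file" ]] || return 0
  if egrep -q "^\s*umask\s+\w+.*$" "$file"; then
    sed -ri "s/^(\s*)umask\s+\w+.*$/\1umask 022/" "$file"
  else
    echo "umask 022" >> "$file"
  fi
}
for rc_file in /etc/profile /etc/csh.login /etc/csh.cshrc /etc/bashrc; do
  set_umask_022 "$rc_file"
done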
# 用户目录缺省访问权限设置
echo \*\*\*\* 设置用户目录默认权限为022
# UMASK in /etc/login.defs is the mask applied by login/useradd outside the shell
# start-up files. Either key spelling (umask/UMASK) is normalised to `UMASK 022`;
# when no such line exists one is appended.
if egrep -q "^\s*(umask|UMASK)\s+\w+.*$" /etc/login.defs; then
  sed -ri "s/^\s*(umask|UMASK)\s+\w+.*$/UMASK 022/" /etc/login.defs
else
  echo "UMASK 022" >> /etc/login.defs
fi
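# 重要目录和文件的权限设置
echo \*\*\*\* 设置重要目录和文件的权限
# One chmod per line so a missing path does not hide the others; the original chained
# form also passed a stray `2` argument to the /etc/inetd.conf call (`2&>/dev/null`
# is the word `2` followed by `&>`), so that chmod never succeeded.
chmod 755 /etc
chmod 750 /etc/rc.d/init.d
# /tmp must be world-writable WITH the sticky bit (1777): without it any user can
# delete or rename other users' temporary files.
chmod 1777 /tmp
[[ -e /etc/inetd.conf ]] && chmod 700 /etc/inetd.conf
# /etc/passwd has to stay world-readable (644) for name/uid lookups, but it holds no
# secrets. /etc/shadow holds the password hashes: the original `755` made every hash
# readable by every local user, which defeats the password policy applied later on this
# page. The stock CentOS mode is 000 (root reads it via CAP_DAC_OVERRIDE).
chmod 644 /etc/passwd
chmod 000 /etc/shadow
chmod 644 /etc/group
chmod 755 /etc/security
chmod 644 /etc/services
chmod 750 /etc/rc*.d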
CentOS禁止普通用户su到root相关权限涉及到两个文件:
WeiyiGeek.
1.2) 用户账号加固
描述:锁定与设备运行、维护等工作无关的账号;如果账号不需要登录系统,其 shell 应设置为 /sbin/nologin,
并且将该账号锁定,禁止登录;
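# 锁定与设备运行、维护等工作无关的账号
# Lock the password of system accounts that play no part in operating or maintaining
# the host. Each account is handled on its own so a name that does not exist on this
# system does not affect the rest; passwd's complaints about missing accounts are
# discarded. The original one-liner used `2&>/dev/null`, which bash parses as the
# word `2` plus `&>`, so every call became `passwd -l <name> 2` and failed on the
# extra argument — i.e. nothing was actually locked.
# `passwd -l` only disables password authentication (it prefixes the hash with `!`);
# SSH keys or other PAM methods would still work, so pair it with a /sbin/nologin
# shell for accounts that must never get a session.
system_accounts=(adm daemon bin sys lp uucp nuucp smmsplp mail operator games gopher
  ftp nobody nobody4 noaccess listen webservd rpm dbus avahi mailnull nscd vcsa rpc
  rpcuser nfs sshd pcap ntp haldaemon distcache webalizer squid xfs gdm sabayon named)
for account in "${system_accounts[@]}"; do
  passwd -l "$account" >/dev/null 2>&1
done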
# 核验配置减少系统无用账号降低风险
$ nano /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
WeiyiGeek.passwd
用户超时限制:
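# 登录超时设置
echo \*\*\*\* 设置登录超时时间为10分钟
# Interactive-shell idle timeout. The same pattern is used for the check and the
# rewrite (the original used two different ones, so a value such as TMOUT=5 matched
# the grep but not the sed and was left unchanged). `readonly TMOUT` is added so a
# user cannot undo the control with `unset TMOUT` in their own session.
tmout_re='^\s*(export\s+)?TMOUT\s*=.*$'
egrep -q "$tmout_re" /etc/profile && sed -ri "s/${tmout_re}/export TMOUT=600/" /etc/profile || echo "export TMOUT=600" >> /etc/profile
egrep -q "^\s*readonly\s+TMOUT\b" /etc/profile || echo "readonly TMOUT" >> /etc/profile
# sshd idle detection. A commented stock line (`#ClientAliveInterval 0`) is rewritten
# in place; when the directive is absent it is inserted at the top of the file rather
# than appended, because anything after a `Match` block belongs to that block.
# ClientAliveInterval alone only sends keepalives: the session is dropped after
# ClientAliveCountMax unanswered probes, so set that as well and reload sshd
# afterwards for the change to take effect.
cai_re='^\s*#?\s*ClientAliveInterval\s+\w+.*$'
egrep -q "$cai_re" /etc/ssh/sshd_config && sed -ri "s/${cai_re}/ClientAliveInterval 600/" /etc/ssh/sshd_config || sed -ri "1i ClientAliveInterval 600" /etc/ssh/sshd_config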
用户访问限制:
#所有 /etc/ssh/user_deny_list 里面的用户被拒绝ssh登录, 启用 PAM-Authentication
vim /etc/pam.d/sshd
auth required /usr/lib64/security/pam_listfile.so item=user sense=deny file=/etc/ssh/user_deny_list onerr=succeed
# onerr=succeed: if the list file is missing or unreadable the module returns success,
# so the deny list silently stops applying; onerr=fail is the fail-closed choice.
# This line must come before the other `auth` entries so it is evaluated first.
描述:设置用户登陆口令的复杂度以及长度限制,以及登录session失效时间;
# 小写字母、数字、特殊字、大写字母,登陆尝试三次返回错误信息,可自行修改
vi /etc/pam.d/system-auth
# NOTE(review): CentOS 7 and later ship pam_pwquality.so (same option names) in place
# of pam_cracklib.so — confirm which module the target system has.
password requisite pam_cracklib.so retry=5 difok=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 # at least 12 characters including one upper-case letter, one lower-case letter, one digit and one special character (a negative credit is a minimum count); difok=3: at least 3 characters must differ from the old password; retry=5: prompts before giving up
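# 修改system-auth
# Enforce the password-quality policy in both PAM stacks.
# PAM evaluates the `password` stack top-down and `password sufficient pam_unix.so`
# ends it on success, so a cracklib line appended at the END of the file (the
# original fallback) would never run; a missing line is inserted before the first
# `password` entry instead. --follow-symlinks: on CentOS these files are symlinks to
# their *-ac counterparts and a plain `sed -i` would replace the link with a regular
# file. ucredit=-1 is included so the applied policy matches the stated one (one
# upper-case letter) instead of silently dropping that requirement.
# NOTE(review): on systems using pam_pwquality.so the same limits belong in
# /etc/security/pwquality.conf.
set_cracklib_policy() {
  local file=$1
  local line="password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1"
  if egrep -q "^\s*password\s*(requisite|required)\s*pam_cracklib.so.*$" "$file"; then
    sed -ri --follow-symlinks "s/^\s*password\s*(requisite|required)\s*pam_cracklib.so.*$/${line}/" "$file"
  elif egrep -q "^\s*password\s+" "$file"; then
    # `0,/re/` limits the substitution to the first matching line; `&` re-emits it after the new line.
    sed -ri --follow-symlinks "0,/^\s*password\s+/s//${line}\n&/" "$file"
  else
    echo "$line" >> "$file"
  fi
}
set_cracklib_policy /etc/pam.d/system-auth
# 修改password-auth
set_cracklib_policy /etc/pam.d/password-auth
# 修改login.defs
# Kept for completeness: on PAM-based systems the module above is what enforces the
# minimum length; PASS_MIN_LEN in login.defs may be ignored.
egrep -q "^\s*PASS_MIN_LEN\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MIN_LEN\s+\S*(\s*#.*)?\s*$/PASS_MIN_LEN 12/" /etc/login.defs || echo "PASS_MIN_LEN 12" >> /etc/login.defs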
口令的生存周期:
# 方法1:
$ vi /etc/login.defs 修改配置文件
#$ chage -m 0 -M 30 -E 2018-11-01 -W 7 <用户名> #改变用户的到期时间
#-------------------------------------------------------------------
# These values apply to accounts created afterwards only; existing accounts need
# `chage` (see the example above).
PASS_MAX_DAYS 180 # maximum password age in days for newly created users
PASS_MIN_DAYS 14 # minimum number of days between password changes for newly created users
PASS_WARN_AGE 14 # days of warning before a password expires, for newly created users
# 方法2:
echo \*\*\*\* 口令生成周期最小14天最大180天预警14前天 \*\*\*\*
# Set one password-ageing key in /etc/login.defs: rewrite an existing line (with or
# without a trailing comment) or append the key when it is absent. As with method 1,
# this only affects accounts created later; existing users need `chage`.
set_password_ageing() {
  local key=$1 value=$2
  if egrep -q "^\s*${key}\s+\S*(\s*#.*)?\s*$" /etc/login.defs; then
    sed -ri "s/^(\s*)${key}\s+\S*(\s*#.*)?\s*$/${key} ${value}/" /etc/login.defs
  else
    echo "${key} ${value}" >> /etc/login.defs
  fi
}
set_password_ageing PASS_MAX_DAYS 180
set_password_ageing PASS_MIN_DAYS 14
set_password_ageing PASS_WARN_AGE 14
密码重复使用次数限制:
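# 手动创建/etc/security/opasswd,解决首次登录修改密码时提示"passwd: Authentication token manipulation error"
echo \*\*\*\* 记住3次已使用的密码 \*\*\*\*
# pam_unix's remember= option stores old hashes in /etc/security/opasswd, which must
# exist as a root-owned, mode 600 file. The mode is read with stat instead of parsing
# `ls -l`; the file is recreated when missing or exposed, and a previous copy is kept
# as opasswd.old (its history is not carried over).
if [[ ! -f /etc/security/opasswd || "$(stat -c '%a %U:%G' /etc/security/opasswd)" != "600 root:root" ]]; then
  mv /etc/security/opasswd /etc/security/opasswd.old > /dev/null 2>&1
  touch /etc/security/opasswd
  chown root:root /etc/security/opasswd
  # An absolute mode: the original `chmod +600` only added bits to whatever mode
  # `touch` produced, so the file could stay readable and fail the check above forever.
  chmod 600 /etc/security/opasswd
fi
# Rewrite (or append) the pam_unix password line in both stacks. --follow-symlinks
# keeps system-auth/password-auth as symlinks to their *-ac files instead of
# replacing them with regular files. `nullok` is inherited from the stock CentOS
# line — review whether empty passwords should be permitted at all.
set_pam_unix_remember() {
  local file=$1
  local line="password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=3"
  if egrep -q "^\s*password\s*sufficient\s*pam_unix.so.*$" "$file"; then
    sed -ri --follow-symlinks "s/^\s*password\s*sufficient\s*pam_unix.so.*$/${line}/" "$file"
  else
    echo "$line" >> "$file"
  fi
}
# 修改system-auth
set_pam_unix_remember /etc/pam.d/system-auth
# 修改password-auth
set_pam_unix_remember /etc/pam.d/password-auth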
用户认证失败次数限制:
#配置文件 /etc/pam.d/sshd /etc/pam.d/login /etc/pam.d/system-auth /etc/pam.d/password-auth
auth required pam_tally.so onerr=fail deny=10 unlock_time=300 # lock the account for 300 s after 10 consecutive failures; onerr=fail denies access when the tally cannot be used (fail closed)
# NOTE(review): this manual example uses pam_tally.so while the commands below install
# pam_tally2.so; the two keep separate counters (pam_tally2 is inspected/reset with
# `pam_tally2 -u <user> -r`). RHEL/CentOS 8 and later replace both with pam_faillock.
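echo \*\*\*\* 连续登录失败5次锁定帐号5分钟 \*\*\*\*
# Account lockout with pam_tally2: 5 consecutive failures lock the account for 300 s.
# root is included (even_deny_root) but unlocks after 30 s, so a remote attacker
# cannot turn the lockout into a permanent denial of service against the administrator.
# Existing pam_tally2 auth lines are removed first so the module is configured exactly
# once, then the new line is inserted after line 1 (the `#%PAM-1.0` header) so it is
# the first auth entry and sees every attempt. --follow-symlinks keeps
# system-auth/password-auth as symlinks to their *-ac files.
# NOTE(review): RHEL/CentOS 8+ ship pam_faillock instead of pam_tally2; these lines
# would break authentication there.
pam_stacks=(/etc/pam.d/sshd /etc/pam.d/login /etc/pam.d/system-auth /etc/pam.d/password-auth)
sed -ri --follow-symlinks "/^\s*auth\s+required\s+pam_tally2.so\s+.+(\s*#.*)?\s*$/d" "${pam_stacks[@]}"
sed -ri --follow-symlinks '1a auth required pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=30' "${pam_stacks[@]}"
# The `account` entry is what actually rejects a locked account; add it once per file,
# before the password stack in sshd/login and after pam_permit in the shared stacks.
for pam_file in /etc/pam.d/sshd /etc/pam.d/login; do
  egrep -q "^\s*account\s+required\s+pam_tally2.so\s*(\s*#.*)?\s*$" "$pam_file" || sed -ri --follow-symlinks '/^password\s+.+(\s*#.*)?\s*$/i\account required pam_tally2.so' "$pam_file"
done
for pam_file in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
  egrep -q "^\s*account\s+required\s+pam_tally2.so\s*(\s*#.*)?\s*$" "$pam_file" || sed -ri --follow-symlinks '/^account\s+required\s+pam_permit.so\s*(\s*#.*)?\s*$/a\account required pam_tally2.so' "$pam_file"
done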
描述:在反弹 shell 时使用了 bash -i 的情况下,如果系统在 /etc/bash.bashrc、~/.bashrc 中配置了命令记录,应该可以记录到 bash -i 的执行记录(交互式会话会读取 bashrc 配置并执行)
基础操作:
#示例1.防止/var/log中的日志被删除
# Make everything under /var/log append-only: existing content can no longer be
# truncated or removed, only extended. Applied recursively this also stops logrotate
# (which renames/removes files) and any service that needs to recreate its log, so
# plan the rotation strategy before enabling it. Only root can clear the flag
# (`chattr -R -a`), so it protects against an attacker running as an ordinary user,
# not against a root compromise.
chattr -R +a /var/log
# Show the resulting attributes (`a` in the flag column confirms append-only).
lsattr -a /var/log
-----a---------- /var/log
#示例2.记录su命令使用情况
# Route every authpriv message (su, sudo, sshd, PAM) to /var/log/secure: replace an
# existing authpriv.* rule in place, otherwise append one. rsyslog has to be restarted
# before the rule is active.
if egrep -q "^\s*authpriv\.\*\s+.+$" /etc/rsyslog.conf; then
  sed -ri "s|^\s*authpriv\.\*\s+.+$|authpriv.* /var/log/secure|" /etc/rsyslog.conf
else
  echo "authpriv.* /var/log/secure" >> /etc/rsyslog.conf
fi
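#示例3.记录安全事件日志
echo \*\*\*\* 配置安全事件日志审计
# Create the audit log file with a mode fit for a log: no execute bit and not
# world-readable (the original 755 exposed security events to every local user).
# rsyslog writes to it as root.
touch /var/log/adm >/dev/null 2>&1
chmod 600 /var/log/adm
# Label the file for SELinux so rsyslog may write to it.
# NOTE(review): the type security_t is kept from the original; var_log_t is the usual
# label for files under /var/log — confirm with `ls -Z /var/log/messages`.
semanage fcontext -a -t security_t '/var/log/adm'
restorecon -v '/var/log/adm' >/dev/null 2>&1
# Both branches must name the same destination: the original rewrote an existing rule
# to /var/adm/messages but appended /var/log/adm, so which file received the events
# depended on whether the rule already existed. Restart rsyslog afterwards.
if egrep -q "^\s*\*\.err;kern.debug;daemon.notice\s+.+$" /etc/rsyslog.conf; then
  sed -ri "s|^\s*\*\.err;kern.debug;daemon.notice\s+.+$|*.err;kern.debug;daemon.notice /var/log/adm|" /etc/rsyslog.conf
else
  echo "*.err;kern.debug;daemon.notice /var/log/adm" >> /etc/rsyslog.conf
fi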
历史命令设置:
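#Centos7 /etc/profile
# To see which user, from which IP, ran which command and when, add the settings below
# to /etc/profile. The original page also showed a HISTTIMEFORMAT that embeds the client
# address (the quoting was garbled in extraction); the intent was along the lines of
#   HISTTIMEFORMAT="%F %T $(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g') $(whoami) "
# which then shows in `history` as e.g.
#   400 2019-08-02 16:57:46 192.168.1.88 root # history
# Shell history is written by the user's own shell and can be edited or disabled by
# that user, so treat it as a convenience, not as an audit trail (auditd is the
# tamper-resistant option).
echo \*\*\*\* 设置保留历史命令的条数为30并加上时间戳
# `[0-9]+` rather than the original `[0-9].+`: a single-digit value such as HISTSIZE=5
# is now recognised and replaced instead of getting a second HISTSIZE line appended.
egrep -q "^\s*HISTSIZE\s*=\s*[0-9]+.*$" /etc/profile && sed -ri "s/^\s*HISTSIZE\s*=\s*[0-9]+.*$/HISTSIZE=30/" /etc/profile || echo "HISTSIZE=30" >> /etc/profile
egrep -q "^\s*HISTTIMEFORMAT\s*\S+.+$" /etc/profile && sed -ri "s/^\s*HISTTIMEFORMAT\s*\S+.+$/HISTTIMEFORMAT='%F %T | '/" /etc/profile || echo "HISTTIMEFORMAT='%F %T | '" >> /etc/profile
egrep -q "^\s*export\s*HISTTIMEFORMAT.*$" /etc/profile || echo "export HISTTIMEFORMAT" >> /etc/profile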
其他日志审计记录:
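# Centos7 Shell登陆记录
# vim /etc/profile
# Record each login (user, SSH client/server endpoints, time) through syslog instead
# of a file under /tmp: /tmp is world-writable, so any user could delete, replace or
# symlink login.txt, and a record the logged-in user can append to is not evidence.
# `logger` hands the line to rsyslog, where the authpriv rule decides the destination
# and the file stays out of the user's reach. ${SSH_CONNECTION} is empty for console
# logins, exactly as in the original.
logger -p authpriv.notice -t login-record "$(date) - ${SSH_CONNECTION} - ${USER}"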
# 测试bash -i反弹shell
ssh -T root@<server-ip> /bin/bash -i
Fri Aug 2 16:54:48 CST 2019 - 192.168.1.88 55321 10.10.107.222 22 - root
删除潜在威胁文件:
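# Remove rhosts-style trust files; they let remote hosts authenticate without a
# password. -type f keeps `rm` away from directories that happen to carry the same
# name, -print0/-0 survive unusual file names, and xargs -r skips the `rm` call when
# nothing matched (otherwise `rm` fails with "missing operand").
# NOTE: -maxdepth 3 is kept from the original; home directories nested deeper
# (e.g. /home/<group>/<user>) are not covered by it.
for trust_file in hosts.equiv .netrc .rhosts; do
  find / -maxdepth 3 -type f -name "$trust_file" -print0 2>/dev/null | xargs -0 -r rm -f --
done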
禁用ctrl+alt+del组合键:
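# 禁用ctrl+alt+del组合键,Redhat 6.X:
echo
echo \*\*\*\* 禁用ctrl+alt+del组合键
# Upstart (RHEL 6): replace the shutdown `exec` with a logger call so the key press is
# recorded and ignored. Only touched when the Upstart job exists, so a dead
# control-alt-delete.conf is not created on systemd hosts.
if [[ -f /etc/init/control-alt-delete.conf ]]; then
  if egrep -q "^\s*exec\s+/sbin/shutdown\s+.+$" /etc/init/control-alt-delete.conf; then
    sed -ri "s|^\s*exec\s+/sbin/shutdown\s+.+$|exec /usr/bin/logger -p authpriv.notice -t init 'Ctrl-Alt-Del was pressed and ignored'|" /etc/init/control-alt-delete.conf
  else
    echo "exec /usr/bin/logger -p authpriv.notice -t init 'Ctrl-Alt-Del was pressed and ignored'" >> /etc/init/control-alt-delete.conf
  fi
fi
# 禁用ctrl+alt+del组合键,Redhat 7.X:
# systemd: mask the target instead of renaming the unit file under /usr/lib/systemd.
# A renamed file is silently restored by the next package update, and the original
# `mv ... 2&>/dev/null` passed a stray `2` as a third argument, so the mv failed anyway.
if command -v systemctl >/dev/null 2>&1; then
  systemctl mask ctrl-alt-del.target >/dev/null 2>&1
  systemctl daemon-reload
fi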
配置自动屏幕锁定(适用于具备图形界面的设备):
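echo \*\*\*\* 对于有图形界面的系统配置10分钟屏幕锁定
# Configure the screensaver lock only where gconftool-2 is installed. `command -v`
# tests for the binary; the original ran gconftool-2 with no arguments and relied on
# its exit status, which is not a reliable "is it installed" test. The values go to
# the mandatory gconf source so users cannot override them.
# NOTE(review): gconf belongs to GNOME 2; GNOME 3 desktops use dconf/gsettings and
# ignore these keys.
if command -v gconftool-2 >/dev/null 2>&1; then
  gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type bool \
    --set /apps/gnome-screensaver/idle_activation_enabled true \
    --set /apps/gnome-screensaver/lock_enabled true \
    --type int \
    --set /apps/gnome-screensaver/idle_delay 10 \
    --type string \
    --set /apps/gnome-screensaver/mode blank-only
fi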
限制不必要的服务:
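# Disable legacy / clear-text network services. One unit per call so a unit that is
# not installed does not affect the others; the original chained form used
# `2&>/dev/null`, which passes a stray `2` as an extra unit name to every call.
# `disable` only removes the boot-time link — a service that is running now keeps
# running until stopped (`systemctl disable --now` does both).
for unit in rsh talk telnet tftp rsync xinetd nfs nfslock; do
  systemctl disable "$unit" >/dev/null 2>&1
done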
描述:openssh 目前的默认配置文件相比以前虽然要安全的多,但还是有必要对生产系统中的 ssh 服务器进行基线检查。 等保视角下的SSH 加固之旅:
文件说明:/root/.ssh/known_hosts 保存相关服务器的签名
(1)SSH 服务端配置文件:/etc/ssh/sshd_config
# NOTE(review): these are *server* directives and belong in /etc/ssh/sshd_config.
# Older sshd parsers reject trailing `# …` text on a directive line — strip the
# comments when copying them into a real configuration.
Port 2222
Protocol 2 # SSH protocol 2 only (protocol 1 is obsolete; recent OpenSSH ignores this directive)
PermitRootLogin no # no direct root login; use an unprivileged account plus su/sudo
PermitEmptyPasswords no # refuse accounts whose password is empty
StrictModes yes # sshd refuses the login when the user's home, ~/.ssh or authorized_keys are group/world-writable; it is unrelated to host-key changes
MaxAuthTries 5 # authentication attempts allowed per connection
MaxSessions 6 # maximum sessions multiplexed over one network connection
IgnoreRhosts yes # ignore ~/.rhosts and ~/.shosts in host-based authentication
LoginGraceTime 120 # seconds a client has to authenticate before the connection is dropped
HashKnownHosts yes # client-side option (ssh_config): hash host names in known_hosts; sshd does not use it
# Idle log-out: send a keepalive every 300 s. NOTE(review): with OpenSSH 8.2+ a
# ClientAliveCountMax of 0 disables the disconnect instead of forcing it — confirm
# against the installed version.
ClientAliveInterval 300
ClientAliveCountMax 0
# Per-user / per-group allow and deny lists (evaluated in the order DenyUsers,
# AllowUsers, DenyGroups, AllowGroups); the placeholders are to be replaced with real names
AllowUsers 用户名
AllowGroups 组名
DenyUsers 用户名
DenyGroups 组名
# Key-only authentication. Verify the key works before turning passwords off, or the
# change locks you out.
PubkeyAuthentication yes
PasswordAuthentication no # password authentication is discouraged; no is the recommended value
HostbasedAuthentication no # host-based (trust-by-hostname) authentication is discouraged; no is the recommended value
# No forwarding through this host
AllowAgentForwarding no
AllowTcpForwarding no # disables local and remote port forwarding and therefore SSH tunnels through this host
X11Forwarding no # when X11 forwarding is not needed
(2) 限制IP登录SSH
#只允许某个IP登录,拒绝其他所有IP:
在 /etc/hosts.allow 写 : sshd: 1.2.3.4
在 /etc/hosts.deny 写 : sshd: ALL
#防火墙配置
# Rules are appended (-A) to INPUT in order, so the two ACCEPTs land before the final
# DROP. If the chain already ends in a DROP/REJECT these appended rules are never
# reached (insert with -I in that case). The port here (22) has to match sshd's Port,
# and rules added this way are lost at reboot unless saved.
iptables -A INPUT -p tcp --dport 22 -s 1.2.3.4 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 堡垒机IP -j ACCEPT # only the bastion host's IP may connect
iptables -A INPUT -p tcp --dport 22 -j DROP
#其他加固脚本描述:防止ssh被恶意ip爆破,进行设置Hosts.deny加入恶意的IP地址进行阻断。
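#==========开始复制==========
# Confirm sshd was built with TCP Wrappers support; without libwrap the hosts.deny
# entries that fetch_neusshbl.sh maintains have no effect. Expected output resembles
# "libwrap.so.0 => /lib/libwrap.so.0 (0x00bd1000)".
# NOTE(review): upstream OpenSSH dropped libwrap support in 6.7 and RHEL/CentOS 8
# ships without it — check this before relying on the blocklist.
ldd "$(command -v sshd)" | grep libwrap
# The helper script is fetched over plain HTTP and then executed as root every hour
# from cron, so the downloaded copy is checked against a checksum obtained out of
# band before it is made executable. Replace the placeholder with the real digest;
# the chain stops at the verification step until then.
cd /usr/local/bin/ \
  && wget -O fetch_neusshbl.sh antivirus.neu.edu.cn/ssh/soft/fetch_neusshbl.sh \
  && echo "<EXPECTED_SHA256>  fetch_neusshbl.sh" | sha256sum -c - \
  && chmod +x fetch_neusshbl.sh \
  && ln -sf /usr/local/bin/fetch_neusshbl.sh /etc/cron.hourly/fetch_neusshbl.sh \
  && /usr/local/bin/fetch_neusshbl.sh
#=========结束复制==========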
(3) 限制指定账户不能 SSH、只能 SFTP 到指定目录。例如:限制 sftpgroup 组的用户只能在自己的家目录通过 sftp 上传下载,不能通过 ssh 连接获取 shell
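#1.新建一个sftpgroup,以组为单位进行限制
groupadd sftpgroup
#2.新建一个账户sftpuser,加入sftpgroup
# -s nologin: no interactive shell; -M: do not create the home directory;
# -N: no user-private group; -g: primary group sftpgroup (the original `-gsftpgroup`
# is the same option written without a space).
useradd -d /home/sftpuser -s /usr/sbin/nologin -M -N -g sftpgroup sftpuser
#3.配置账号账户以公钥方式认证
# `ChrootDirectory %h` requires the home directory itself to be owned by root and not
# writable by group or others, which is why it is created here (root, 755) instead of
# by useradd. Inside the jail the user can only write to a directory that belongs to
# them, so a writable sub-directory is created for uploads (name chosen here; any
# name works).
mkdir -p /home/sftpuser/.ssh /home/sftpuser/upload
chown root:root /home/sftpuser
chmod 755 /home/sftpuser
chown sftpuser:sftpgroup /home/sftpuser/upload
cat xxx.pub > /home/sftpuser/.ssh/authorized_keys
# StrictModes rejects keys whose directory or file are group/world-writable.
chmod 700 /home/sftpuser/.ssh
chmod 600 /home/sftpuser/.ssh/authorized_keys
chown -R sftpuser:sftpgroup /home/sftpuser/.ssh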
#4. 配置sshd_config
Subsystem sftp internal-sftp
# NOTE(review): everything from `Match` to the end of the file belongs to the Match
# block, so this must be the last section of sshd_config; the directives under it are
# conventionally indented.
Match group sftpgroup # Match: the directives that follow apply only when the condition holds
ChrootDirectory %h # confine the session to the user's home; the path must be owned by root and not writable by group/others
X11Forwarding no # no X11 forwarding
AllowTcpForwarding no # no TCP forwarding
ForceCommand internal-sftp # run the in-process sftp server instead of the login shell; without it an ssh attempt reports "/usr/bin/nologin no such file or directory" (presumably because the shell path does not exist inside the chroot)
Subsystem sftp /usr/lib/openssh/sftp-server 改为 internal-sftp,这两者有什么区别呢?
ForceCommand internal-sftp 是什么意思?
答:防止用户执行他们自己自定义的命令限制用户命令执行上下文为sftp(可以理解为用户的’shell’就是sftp 那个上下文环境), 即用户除了能执行sftp中允许的命令外,其他命令啥也执行不了
PS:采用 sftp 软件登录:sftp -i 密匙path <user>@<host>
则进入交互式;
ssh服务应用加固:
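# SSH登录前警告Banner
echo
echo \*\*\*\* 设置ssh登录前警告Banner
# Append the pre-login banner text only once, so re-running the script does not pile
# up duplicate warnings in /etc/issue (which getty shows on the console as well).
grep -qF "Authorized only. All activity will be monitored and reported." /etc/issue || { echo "**************WARNING**************" >> /etc/issue; echo "Authorized only. All activity will be monitored and reported." >> /etc/issue; }
# sshd honours the FIRST Banner it reads. An existing one (including `Banner none`,
# which the original `\W+` pattern did not match) is replaced in place; otherwise the
# directive is inserted at the top of the file, because a line appended after a
# `Match` block would belong to that block. Reload sshd afterwards.
egrep -q "^\s*(banner|Banner)\s+\S+.*$" /etc/ssh/sshd_config && sed -ri "s|^(#)?\s*(banner|Banner)\s+\S+.*$|Banner /etc/issue|" /etc/ssh/sshd_config || sed -ri "1i Banner /etc/issue" /etc/ssh/sshd_config
# SSH登录后Banner
echo
echo \*\*\*\* 设置ssh登录后Banner
grep -qF "Login success. All activity will be monitored and reported." /etc/motd || { echo "**************WARNING**************" >> /etc/motd; echo "Login success. All activity will be monitored and reported." >> /etc/motd; }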
# 禁止root远程登录(暂不配置)
# Deliberately left inactive: the here-document feeds these lines to the no-op `:`
# builtin, so PermitRootLogin is not touched and root can still log in over SSH.
# Remove the here-document wrapper to enable the step (make sure another account with
# sudo/su access works first).
: <<'DISABLED_PERMIT_ROOT_LOGIN'
echo
echo \*\*\*\* 禁止root远程SSH登录
egrep -q "^\s*PermitRootLogin\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^\s*PermitRootLogin\s+.+$/PermitRootLogin no/" /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config
DISABLED_PERMIT_ROOT_LOGIN
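# SSH 安全配置
# Set one single-valued sshd directive. sshd honours the FIRST occurrence of a
# directive and anything after a `Match` block belongs to that block, so a missing
# directive is inserted at the top of the file instead of being appended (the original
# `echo >>` fallback could land inside a Match block and, for `Port`, stop sshd from
# starting). `|` is the sed delimiter so values containing `/` are safe.
set_sshd_option() {
  local key=$1 value=$2 cfg=/etc/ssh/sshd_config
  if egrep -q "^\s*${key}\s+.+$" "$cfg"; then
    sed -ri "s|^(#)?\s*${key}\s+.+$|${key} ${value}|" "$cfg"
  else
    sed -ri "1i ${key} ${value}" "$cfg"
  fi
}
# 严格模式
set_sshd_option StrictModes yes
# 缺省端口改变成为62222
# Instead of `setenforce 0`, register the new port with SELinux so sshd can bind it
# with enforcement left on (-a fails when the port is already defined, -m then updates
# it). The port must also be opened in the host firewall (the iptables rules on this
# page still allow 22).
set_sshd_option Port 62222
if command -v semanage >/dev/null 2>&1; then
  semanage port -a -t ssh_port_t -p tcp 62222 2>/dev/null || semanage port -m -t ssh_port_t -p tcp 62222
fi
# 禁用端口转发
set_sshd_option X11Forwarding no
set_sshd_option AllowTcpForwarding no
set_sshd_option AllowAgentForwarding no
# CentOS7 (缺省IgnoreRhosts yes) 关闭禁用用户的 .rhosts 文件 ~/.ssh/.rhosts 来做为认证
# set_sshd_option IgnoreRhosts yes
# Validate the result before the next reload: a bad directive would lock you out.
sshd -t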
FTP Banner 设置:
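echo \*\*\*\* FTP Banner 设置
# Only on hosts where the vsftpd unit exists: comment out any live ftpd_banner and
# append the new one. vsftpd takes option values literally, so the banner must not be
# wrapped in quotes — the original's quotes would have been shown to clients as part
# of the text.
systemctl list-unit-files | grep -q vsftpd && sed -ri "/^\s*ftpd_banner\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "ftpd_banner=Authorized only. All activity will be monitored and reported." >> /etc/vsftpd/vsftpd.conf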
禁止匿名用户登录FTP
echo
echo \*\*\*\* 禁止匿名用户登录FTP
# Comment out any existing anonymous_enable setting and append the hardened value,
# but only on hosts where the vsftpd unit is present.
if systemctl list-unit-files | grep -q vsftpd; then
  sed -ri "/^\s*anonymous_enable\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "anonymous_enable=NO" >> /etc/vsftpd/vsftpd.conf
fi
禁止root用户登录FTP
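echo
echo \*\*\*\* 禁止root用户登录FTP
# Add root to the ftpusers deny list only when it is not already listed, so re-running
# the script does not append a new line each time (on CentOS the stock file already
# lists root).
systemctl list-unit-files | grep -q vsftpd && { grep -qx root /etc/vsftpd/ftpusers || echo "root" >> /etc/vsftpd/ftpusers; }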
限制FTP用户上传的文件所具有的权限
echo
echo \*\*\*\* 限制FTP用户上传的文件所具有的权限
# Apply one vsftpd option: when the vsftpd unit exists, comment out the current
# setting and append the hardened value. write_enable=NO disables uploads entirely;
# the umask values limit the mode of files that anonymous/local users would create.
vsftpd_set_option() {
  local key=$1 value=$2
  systemctl list-unit-files | grep -q vsftpd || return 0
  sed -ri "/^\s*${key}\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "${key}=${value}" >> /etc/vsftpd/vsftpd.conf
}
vsftpd_set_option write_enable NO
vsftpd_set_option ls_recurse_enable NO
vsftpd_set_option anon_umask 077
vsftpd_set_option local_umask 022
限制FTP用户登录后能访问的目录
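echo
echo \*\*\*\* 限制FTP用户登录后能访问的目录
# chroot_local_user=YES confines local users to their home directory after login. The
# original wrote NO — vsftpd's default, which leaves the whole filesystem browsable,
# i.e. the opposite of what this step is for. vsftpd refuses to chroot into a
# directory the user can write to, so keep the home root-owned/non-writable and give
# users a writable sub-directory; allow_writeable_chroot=YES would lift the check but
# also the protection.
systemctl list-unit-files | grep -q vsftpd && sed -ri "/^\s*chroot_local_user\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "chroot_local_user=YES" >> /etc/vsftpd/vsftpd.conf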
配置禁用telnet服务
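# `\d` is not part of POSIX ERE (egrep treats it as a literal `d`); match digits
# explicitly. Commenting the telnet entry out of /etc/services only breaks
# service-name lookups (e.g. `telnet` used as a port name); it does not stop a telnet
# daemon — that is done by disabling the service/xinetd entry.
egrep -q "^\s*telnet\s+[0-9]+.*$" /etc/services && sed -ri "/^\s*telnet\s+[0-9]+.*$/s/^/# /" /etc/services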
修改SNMP默认团体字:
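echo \*\*\*\* 修改SNMP默认团体字
# The here-document below expands $password, which is assigned nowhere on this page:
# without this guard the community string would silently be written as an empty
# string. The guard aborts with the message when the variable is unset or empty.
: "${password:?set password to the SNMP community string before running this block}"
# The redirection replaces snmpd.conf outright, so keep a copy of the previous file.
[[ -f /etc/snmp/snmpd.conf ]] && cp -p /etc/snmp/snmpd.conf "/etc/snmp/snmpd.conf.$(date +%Y%m%d%H%M%S).bak"
# NOTE(review): v1/v2c communities travel in clear text and `com2sec ... default`
# accepts them from any source address — restrict the source or move to SNMPv3. The
# `rouser` line only takes effect for a v3 user created with createUser. `****Grp`,
# `****Sec`, `****View` and `trap2sink IP` are placeholders to be filled in.
cat > /etc/snmp/snmpd.conf <<EOF
com2sec name default $password
group ****Grp v1 ****Sec
group ****Grp v2c ****Sec
view systemview included .1 80
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
view ****View included .1.3.6.1.4.1.2021.80
access ****Grp "" any noauth exact systemview none none
access ****Grp "" any noauth exact ****View none none
dontLogTCPWrappersConnects yes
#
#
#exec mq_ttt /home/107_mq.sh
#exec core_timebargain_ttt /home/105_core_timebargain.sh
#exec core_espot_ttt /home/101_core_espot.sh
#exec core_conditionPlugin_ttt /home/103_core_conditionPlugin.sh
#
#
trapcommunity $password
authtrapenable 1
trap2sink IP
agentSecName ****Sec
rouser ****Sec
defaultMonitors yes
linkUpDownNotifications yes
EOF
# The file now contains the community string; keep it readable by root only.
chmod 600 /etc/snmp/snmpd.conf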