原创作者：运维工程师 谢晋

linux系统安全加固

1. 脚本
   系统加固脚本下载地址：
   https://download.csdn.net/download/hzgnet2021/63201374

2. 时间获取
   脚本开头先获取本机时间

#Variable
rq=`date +%Y%m%d`

3. Linux禁用不使用的用户
   将passwd先复制一份备份，然后将以下不使用的用户都禁用，如后期有需要恢复可使用 passwd -u lp 来进行恢复

#account setup
echo '############ account setup ############'
echo ''
cp /etc/passwd{,.bak$rq}
passwd -l lp
passwd -l adm
passwd -l shutdown
passwd -l halt
passwd -l operator
passwd -l games
passwd -l gopher
passwd -l ftp
passwd -l nfsnobody
passwd -l postfix
echo ''

Linux注释的组：

#group setup
echo '############ group setup ############'
echo ''
cp /etc/group{,.bak$rq}
sed -i -e 's/adm:x:4:/#adm:x:4:/' /etc/group
sed -i -e 's/games:x:20:/#games:x:20:/' /etc/group
sed -i -e 's/video:x:39:/#video:x:39:/' /etc/group
sed -i -e 's/dip:x:40:/#dip:x:40:/' /etc/group
sed -i -e 's/ftp:x:50:/#ftp:x:50:/' /etc/group
sed -i -e 's/audio:x:63:/#audio:x:63:/' /etc/group
sed -i -e 's/floppy:x:19:/#floppy:x:19:/' /etc/group
sed -i -e 's/postfix:x:89:/#postfix:x:89:/' /etc/group
echo 'disable group result:'
cat /etc/group|grep ^#
echo ''

4. Linux关闭不使用的服务
   下面列出的几个服务如打印服务、蓝牙服务等对服务器没用用处可直接关闭来提升服务器性能，如遇到需要开启服务只需输入service acpid start && chkconfig acpid on就能重新开启服务。

#disable useless service
echo '##### disable useless service #####'
echo ''
#postfix
echo ''
service postfix stop
chkconfig postfix --level 2345 off
echo ''
#cpus
echo ''
service cups stop
chkconfig cups --level 2345 off
echo ''
#cpuspeed
echo ''
service cpuspeed stop
chkconfig cpuspeed --level 2345 off
echo ''
#bluetooth
echo ''
service bluetooth stop
chkconfig bluetooth --level 2345 off
echo ''
#firstboot
echo ''
service firstboot stop
chkconfig firstboot --level 2345 off
echo ''
echo 'nfs status:'
service netfs status
echo ''

5. Linux文件保护
   Linux文件保护禁止修改、删除、移动文件

echo '######### chattr important file #########'
echo ''
# chattr /etc/passwd /etc/shadow
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
echo 'Following files already locked:'
lsattr /etc/passwd
lsattr /etc/shadow
lsattr /etc/group
lsattr/etc/gshadow
echo ''

如果需要修改密码,执行 chattr -i 消除权限，切记修改后要将权限加回

#chattr -i /etc/passwd
#chattr -i /etc/shadow
#chattr -i /etc/group
#chattr -i /etc/gshadow
#lsattr /etc/group /etc/passwd /etc/shadow /etc/gshadow

6. 用户密码保护
   用户输错密码3次后锁定用户5分钟

#  Login failed limit:continue input failure 3 ,passwd unlock time 5 minite
echo '######### Login limits ##########'
echo ''
cp /etc/pam.d/system-auth{,.bak$rq}
tally=`grep -n 'pam_tally.so' /etc/pam.d/system-auth`
lib=`grep -n '/lib/security/$ISA/pam_tally.so' /etc/pam.d/system-auth`
st=$tally$lib
if [ -z "$st" ];then
sed -i 's#auth        required      pam_env.so#auth        required      pam_env.sonauth       required       pam_tally.so  onerr=fail deny=3 unlock_time=300nauth           required     /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth
echo ''
echo 'update login server limits ---->continue input failure 3 ,passwd unlock time 5 minite'
echo ''
else
echo ''
echo 'Login restriction policy already exists on the server!The script will not modify this.'
echo ''
fi

7. 用户注销
   用户登录后5分钟无任何操作将自动注销用户

# system timeout 5 minite auto logout
echo ''
echo '######### set  auto logout #########
cp /etc/profile{,.bak$rq}
tmout=`grep -n 'TMOUT=' /etc/profile`
if [ -z "$tmout" ];then
echo "TMOUT=300" >>/etc/profile
echo ''
echo 'update login server limits ----> timeout 5 minite auto logout'
echo ''
else
echo ''
echo 'Login timeout policy already exists on the server!The script will not modify this.'
echo ''
fi

8. Linux减少history命令记录
   执行过的历史命令记录越多，从一定程度上讲会给维护带来简便，但同样会伴随安全问题。

echo '############## set save history command ##############'
# will system save history command list to 10
echo ''
sed -i "s/HISTSIZE=/#HISTSIZE=/" /etc/profile
echo "HISTSIZE=10" >>/etc/profile
# enable /etc/profile 
source /etc/profile
echo ''
echo '/etc/profile already update'
echo ''

9. 开启SYN Cookies
   表示开启SYN Cookies。当出现SYN等待队列溢出时，启用cookies来处理，可防范少量SYN攻击

echo '############## enable syncookie ##############'
echo ''
# add syncookie enable /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
sysctl -p 
echo ''

10. SSH优化
    修改SSH用户最大连接数，通过关闭 UseDNS和GSSAPIAuthentication选项加速 SSH登录

echo '############## optimize sshd ##############'
echo ''
# optimizer sshd_config
sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config
sed -i  "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
echo ''
echo 'currently config:'
grep -n 'MaxAuthTries' /etc/ssh/sshd_config
grep -n 'UseDNS' /etc/ssh/sshd_config
echo ''

11. 历史记录
    对历史记录命令保存进行优化禁止覆盖、禁止修改该文件

echo '############## history security ##############'
echo ''
# history security
chattr +a /root/.bash_history
chattr +i /root/.bash_history
echo ''
echo '/root/.bash_history already locked:'
lsattr /root/.bash_history
echo ''

12. 复制日志
    将日志复制保存

echo ############## backup system log ##############
echo 'The program will move the log of System operation status to /var/log/HZGNETsecurityreinforce '
mkdir -p /var/log/HZGNETsecurityreinforce/$rq
#cp /var/log/message /var/log/HZGNETsecurityreinforce/$rq
#cp /var/log/auth.log /var/log/HZGNETsecurityreinforce/$rq
cp /var/log/cron /var/log/HZGNETsecurityreinforce/$rq
cp /var/log/maillog /var/log/HZGNETsecurityreinforce/$rq
cp /var/log/secure /var/log/HZGNETsecurityreinforce/$rq
cp /var/log/wtmp /var/log/HZGNETsecurityreinforce/$rq
cp /var/run/utmp /var/log/HZGNETsecurityreinforce/$rq
cp /var/log/yum.log /var/log/HZGNETsecurityreinforce/$rq
echo ' Log Backup completed.'