linux系统优化安全升级
电信RHEL6.6
-4.Hostname
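# -4. Hostname, resolver, root password, firewall state.
HOSTNAME_NEW=${HOSTNAME_NEW:-abm25}
# Replace the HOSTNAME= entry by key rather than clobbering "line 2", whose
# content depends on how /etc/sysconfig/network was generated on this box.
if grep -q '^HOSTNAME=' /etc/sysconfig/network; then
  sed -i "s/^HOSTNAME=.*/HOSTNAME=${HOSTNAME_NEW}/" /etc/sysconfig/network
else
  echo "HOSTNAME=${HOSTNAME_NEW}" >> /etc/sysconfig/network
fi
hostname "${HOSTNAME_NEW}"   # the file only takes effect at next boot

# Empties /etc/resolv.conf: the host keeps no DNS resolver at all. The yum
# baseurl below uses a raw IP so it still works; anything else needing name
# resolution will not. Keep only if that is intended.
: > /etc/resolv.conf

# Never keep the root password in the runbook. Prompt without echo; printf is
# a builtin, so the secret does not appear in `ps` (it would in shell history
# if typed on a command line as the page did).
read -rs -p "new root password: " ROOT_PW; echo
printf '%s\n' "$ROOT_PW" | passwd --stdin root
unset ROOT_PW

# WARNING: this flushes every rule and then persists the EMPTY ruleset to
# /etc/sysconfig/iptables, so the host comes back after a reboot with no
# packet filter even though the iptables service is still enabled. Put an
# allow-list in place here if the host is reachable from untrusted networks.
iptables -F
service iptables save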
-3.vmtools
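# -3. VMware Tools from the internal SFTP repository.
# The weihu SFTP password must not be on the lftp command line
# (`lftp -u weihu,<pw>` is readable by every local user via `ps`, and the
# page carried it in clear text). Supply it via WEIHU_PW (e.g.
# `read -rs WEIHU_PW`) and hand it to lftp on stdin with the `user` command.
: "${WEIHU_PW:?set WEIHU_PW to the weihu SFTP password first}"
REPO_HOST=136.5.176.162
VMTOOLS_TGZ=VMwareTools-8.6.11-1310128.tar.gz
lftp "sftp://${REPO_HOST}" <<EOF
user weihu "${WEIHU_PW}"
get ${VMTOOLS_TGZ}
bye
EOF
# sftp authenticates the server host key only; nothing checks the tarball
# itself. Compare its sha256sum with a known-good value before running an
# installer as root if the repository host is not fully trusted.
if [ -s "${VMTOOLS_TGZ}" ]; then
  tar zxvf "${VMTOOLS_TGZ}"
  cd vmware-tools*/ && ./vmware-install.pl --default
  cd ..
else
  echo "download failed: ${VMTOOLS_TGZ}" >&2
fi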
-2.Yum
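# -2. Yum: point at the internal mirror, keep GPG verification on.
REPO_HOST=136.5.176.162
# The page first wrote baseurl=.../redhat6.6/ and then overwrote it with
# .../redhat6.4/ via `sed "3c ..."`, so 6.4 is what actually ended up in the
# file. That is kept as the default below, but the description says this is
# an RHEL 6.6 host; confirm which tree the mirror holds and set REDHAT_TREE.
REDHAT_TREE=${REDHAT_TREE:-redhat6.4}
[ -f /etc/yum.repos.d/rhel-source.repo ] && mv /etc/yum.repos.d/rhel-source.repo /tmp
cat > /etc/yum.repos.d/rhel-source.repo <<EOF
[rhel-source]
name=Red Hat Enterprise Linux \$releasever - \$basearch - Source
baseurl=http://${REPO_HOST}/iso/${REDHAT_TREE}/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
yum clean all
yum makecache
# Package list as on the page. telnet*, vsftpd*, gdm, gcc and the desktop /
# eclipse groups all enlarge the attack surface of a hardened server (the
# service section later switches telnet off again); review whether each is
# really required on the target before installing.
yum install -y ftp lftp zlib* openssl* pam* gdm ruby telnet* vsftpd* \
  gcc dstat mcelog iotop lsscsi libstdc++* libcap*
# The page ended this command with a trailing backslash, which would have
# swallowed the next line ("-1.双网卡") as a group name.
yum groupinstall -y basic-desktop x11 development eclipse \
  compat-libraries storage-client-multipath nfs-file-server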
-1.双网卡
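# -1. Two-NIC active-backup bond (mode=1, link check every 200 ms).
# The page mixes two interface naming schemes: it moves ifcfg-enp1s0f0 and
# ifcfg-enp130s0f1 aside, enslaves "eth1 eth5" in rc.local, and writes
# ifcfg-eth1 twice (the second copy with DEVICE=enp1s0f0). Set the real
# slave names from `ip link` before running this; the defaults follow the
# rc.local line.
SLAVE1=${SLAVE1:-eth1}
SLAVE2=${SLAVE2:-eth5}
BOND_IP=136.5.225.100
BOND_GW=136.5.225.97
BOND_MASK=255.255.255.224
NS=/etc/sysconfig/network-scripts

# Move the original per-NIC configs aside so they are not brought up as
# standalone interfaces next to the bond (bak* files are ignored by ifup).
for old in ifcfg-enp1s0f0 ifcfg-enp130s0f1; do
  [ -f "$NS/$old" ] && mv "$NS/$old" "$NS/bak$old"
done
# With MASTER/SLAVE + BONDING_OPTS below, ifup enslaves the NICs itself; the
# rc.local line from the page is kept for parity but appended only once.
grep -qF "ifenslave bond0 ${SLAVE1} ${SLAVE2}" /etc/rc.d/rc.local \
  || echo "ifenslave bond0 ${SLAVE1} ${SLAVE2}" >> /etc/rc.d/rc.local

# The page had BOOTPROTO=yes, which is not a recognised value; a static
# address wants BOOTPROTO=none.
cat > "$NS/ifcfg-bond0" <<EOF
DEVICE=bond0
BOOTPROTO=none
IPADDR=${BOND_IP}
GATEWAY=${BOND_GW}
NETMASK=${BOND_MASK}
ONBOOT=yes
BONDING_OPTS="mode=1 miimon=200"
EOF
for slave in "${SLAVE1}" "${SLAVE2}"; do
  cat > "$NS/ifcfg-${slave}" <<EOF
DEVICE=${slave}
ONBOOT=yes
BOOTPROTO=none
MASTER=bond0
SLAVE=yes
TYPE=Ethernet
EOF
done
cat "$NS/ifcfg-bond0"
# Nothing is activated here; the bond comes up on the `service network
# restart` in the services section (or at the next boot).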
0. useradd
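# 0. Accounts.
# Passwords are prompted instead of being written into the runbook (the
# page carried literal passwords for ibnms, weihu and user in clear text).
# printf is a builtin, so the secret never appears in `ps`.
set_password() {
  local pw
  read -rs -p "password for $1: " pw; echo
  printf '%s\n' "$pw" | passwd --stdin "$1"
}

# Create ibnms with /ibnms as its home in one step. The page did useradd,
# mkdir, chown and usermod -d separately; -m -d does the same, except the
# directory gets useradd's default mode (0700 via UMASK) rather than 0755.
getent passwd ibnms >/dev/null || useradd -m -d /ibnms ibnms
set_password ibnms

getent passwd weihu >/dev/null || useradd weihu
set_password weihu

# A generic "user" account with a shared password cannot be attributed to a
# person in the audit trail. Prefer one named account per operator; kept
# here only because the page provisions it.
getent passwd user >/dev/null || useradd user
set_password user

# The page also ran `userdel nobody`. Do not: `nobody` is the default
# unprivileged identity for NFS/rpc and vsftpd's nopriv_user, and removing it
# leaves daemons and files pointing at a dangling UID. Removing the anonymous
# `ftp` account is fine once anonymous FTP is disabled (done in section 13).
# userdel nobody
getent passwd ftp >/dev/null && userdel ftp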
1. profile
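# 1. /etc/profile: idle timeout, history depth, erase key.
# A bare TMOUT=300 can be unset by the user; make it read-only and exported
# so the idle timeout actually sticks for interactive shells. Appended once.
grep -q '^TMOUT=' /etc/profile || cat >> /etc/profile <<'EOF'
TMOUT=300
readonly TMOUT
export TMOUT
EOF
# Anchored so only the HISTSIZE assignment itself is touched.
sed -i 's/^HISTSIZE=1000$/HISTSIZE=50000/' /etc/profile
# stty on a non-interactive shell (scp, `ssh host cmd`) prints
# "stty: standard input: Invalid argument"; only run it on a tty.
grep -qF 'stty erase ^H' /etc/profile \
  || echo '[ -t 0 ] && stty erase ^H' >> /etc/profile
echo "" >> /etc/profile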
#2.su
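# 2. Restrict `su` to members of wheel.
cp -p /etc/pam.d/su /etc/pam.d/su.bak
# Uncomment the pam_wheel line by pattern rather than by line number: the
# page's `sed "6c ..."` silently replaces whatever is on line 6 if the file
# differs from stock.
if grep -q '^#\?auth\s\+required\s\+pam_wheel\.so use_uid' /etc/pam.d/su; then
  sed -i 's/^#\?\(auth\s\+required\s\+pam_wheel\.so use_uid\)/\1/' /etc/pam.d/su
else
  # Insert right after pam_rootok so root keeps password-less su.
  sed -i '/^auth\s\+sufficient\s\+pam_rootok\.so/a auth            required        pam_wheel.so use_uid' /etc/pam.d/su
fi
usermod -a -G wheel weihu
# SU_WHEEL_ONLY in login.defs is a BSD-era knob that a PAM-based su (as on
# RHEL) does not appear to consult; the pam_wheel line above is the control
# that actually enforces this. Kept for parity, appended only once.
grep -q '^SU_WHEEL_ONLY' /etc/login.defs || echo 'SU_WHEEL_ONLY yes' >> /etc/login.defs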
#3.密码
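# 3. Password ageing, complexity and lockout.
cp -p /etc/login.defs /etc/login.defs.bak
# Edit login.defs by key, not by line number (the page used "25c"/"26c"/"27c",
# which clobber whatever happens to be on those lines).
set_logindef() {
  if grep -q "^$1\b" /etc/login.defs; then
    sed -i "s/^$1\b.*/$1 $2/" /etc/login.defs
  else
    echo "$1 $2" >> /etc/login.defs
  fi
}
set_logindef PASS_MAX_DAYS 60
set_logindef PASS_MIN_DAYS 10
# PASS_MIN_LEN is only honoured by non-PAM tools; pam_cracklib's minlen
# below is the effective check for passwd(1).
set_logindef PASS_MIN_LEN 8
set_logindef UMASK 027
sed -i 's/umask 022/umask 027/g' /etc/profile

# PAM. The page *appended* pam_cracklib and pam_tally lines to the end of
# system-auth. Module order matters: on stock RHEL 6 the password stack is
# cracklib -> pam_unix (sufficient) -> pam_deny, and the auth stack ends in
# pam_unix (sufficient) -> pam_deny, so anything appended after them is
# reached only on an already-failed attempt; the tally never locks and its
# counter never resets. Also: RHEL 6 ships pam_tally2, not pam_tally (check
# `ls /lib64/security/pam_tally*`), and system-auth is a symlink to
# system-auth-ac that `authconfig` regenerates — re-apply after authconfig,
# and follow the symlink so the edit lands in the real file.
PAMF=/etc/pam.d/system-auth
cp -pL "$PAMF" "${PAMF}.bak"
CRACK='password    requisite     pam_cracklib.so try_first_pass retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1'
if grep -q '^password\s\+requisite\s\+pam_cracklib\.so' "$PAMF"; then
  sed -i --follow-symlinks "s|^password\s\+requisite\s\+pam_cracklib\.so.*|${CRACK}|" "$PAMF"
else
  sed -i --follow-symlinks "/^password\s\+sufficient\s\+pam_unix\.so/i ${CRACK}" "$PAMF"
fi
if ! grep -q pam_tally2 "$PAMF"; then
  sed -i --follow-symlinks '/^auth\s\+sufficient\s\+pam_unix\.so/i auth        required      pam_tally2.so onerr=fail deny=5 unlock_time=300' "$PAMF"
  # pam_tally2(8): the account-phase line is what resets the counter after
  # a successful login.
  sed -i --follow-symlinks '/^account\s\+required\s\+pam_unix\.so/i account     required      pam_tally2.so' "$PAMF"
fi
# Reference copy of the account list, as on the page. /etc/passwd is not
# secret, but /tmp is world-readable and periodically cleaned; a root-only
# location is a better home for backups.
cp -avx /etc/passwd /tmp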
#4.禁止root
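# 4. Disable root SSH login.
# sshd uses the FIRST occurrence of a keyword, so appending
# "PermitRootLogin no" does nothing when an explicit "PermitRootLogin yes"
# already exists above it. Replace in place, append only if absent, and
# validate before reloading. Make sure a non-root account you can reach
# (weihu, in wheel) works before relying on this.
if grep -q '^PermitRootLogin' /etc/ssh/sshd_config; then
  sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
else
  echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
fi
/usr/sbin/sshd -t && service sshd reload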
#5.启用syslog
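# 5. Logging and file permissions.
sed -i 's/^rotate 4$/rotate 20/' /etc/logrotate.conf
# RHEL 6 runs rsyslog and nothing reads /etc/syslog.conf, so the page's
# three lines were silently ignored (`cron.*` with no target would also be a
# syntax error). authpriv.* -> /var/log/secure and cron.* -> /var/log/cron
# are already in the stock rsyslog.conf.
RSYSLOG=/etc/rsyslog.conf
# Off-host copy: 127.0.0.1 only makes sense if a local UDP listener exists
# (not enabled by default). Point LOGHOST at the real collector; for an audit
# trail that survives host compromise prefer TCP (@@host) or TLS.
LOGHOST=${LOGHOST:-127.0.0.1}
grep -q '^\*\.\* @' "$RSYSLOG" || echo "*.* @${LOGHOST}" >> "$RSYSLOG"
# Have rsyslog create new log files root-only-readable, so the chmod below
# survives logrotate.
grep -q '^\$FileCreateMode' "$RSYSLOG" || sed -i '1i $FileCreateMode 0640' "$RSYSLOG"
service rsyslog restart

# 744 (rwxr--r--) on a log file is wrong twice over: the execute bit is
# meaningless, and world-read exposes usernames, source IPs and su/sudo
# activity in /var/log/secure to every local account. Use 640 root:root.
for log in messages secure maillog cron spooler boot.log; do
  [ -e "/var/log/$log" ] && chmod 640 "/var/log/$log"
done
chmod 644 /etc/passwd
chmod 400 /etc/shadow
chmod 644 /etc/group
chmod 644 /etc/services
[ -e /etc/xinetd.conf ] && chmod 600 /etc/xinetd.conf
# /etc/security is a DIRECTORY: mode 600 removes its search bit, so
# unprivileged processes can no longer open limits.conf, access.conf etc.
# underneath it. Directories want 755 (the RHEL default).
chmod 755 /etc/security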
#6.banner
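# 6. Login banners.
# /etc/issue (console) and /etc/issue.net (remote) disclose the OS release
# by default. The page moved /etc/issue aside and then tried `mv /etc/
# /etc/.bak` — a garbled line (mv refuses to move /etc into itself) that
# evidently meant /etc/issue.net. Replace both with the warning text, and
# wire the ssh banner into sshd_config: writing /etc/ssh_banner alone shows
# nothing to anyone.
BANNER=" Authorized only. All activity will be monitored and reported "
[ -f /etc/issue ] && cp -p /etc/issue /etc/issue.bak
[ -f /etc/issue.net ] && cp -p /etc/issue.net /etc/issue.net.bak
printf '%s\n' "$BANNER" > /etc/issue
printf '%s\n' "$BANNER" > /etc/issue.net
printf '%s\n' "$BANNER" > /etc/ssh_banner
if grep -q '^Banner' /etc/ssh/sshd_config; then
  sed -i 's|^Banner.*|Banner /etc/ssh_banner|' /etc/ssh/sshd_config
else
  echo 'Banner /etc/ssh_banner' >> /etc/ssh/sshd_config
fi
/usr/sbin/sshd -t && service sshd reload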
#9.内核(old)
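# 9. Resource limits.
# Append each entry only once so re-running the runbook does not pile up
# duplicates (last match wins in limits.conf, which makes duplicates
# confusing rather than harmful).
add_limit() {
  grep -qF "$1" /etc/security/limits.conf || echo "$1" >> /etc/security/limits.conf
}
add_limit "* soft nproc 65535"
add_limit "* hard nproc 65535"
add_limit "* soft nofile 65535"
add_limit "* hard nofile 65535"
# maxlogins 65535 is effectively "no limit on concurrent logins per user".
add_limit "* - maxlogins 65535"
# On RHEL 6, limits.d/90-nproc.conf overrides limits.conf for nproc. Replace
# the value on the `* soft nproc` line only; the page's `s/1024/65535/g`
# would have rewritten any other 1024 in the file as well.
[ -f /etc/security/limits.d/90-nproc.conf ] \
  && sed -i '/^\*\s\+soft\s\+nproc\s\+1024$/s/1024/65535/' /etc/security/limits.d/90-nproc.conf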
#10.权限
#11.time(old)
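# 11. Time sync against the internal NTP server.
NTP_SERVER=136.0.24.13
# Append once. The stock pool entries stay unless removed by hand. Note that
# section 22 later runs `rpm -e ntp`, which moves this edited file to
# /etc/ntp.conf.rpmsave — the server line has to be restored afterwards.
grep -q "^server ${NTP_SERVER}\b" /etc/ntp.conf || echo "server ${NTP_SERVER}" >> /etc/ntp.conf
chkconfig ntpd on
service ntpd restart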
#12.服务
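# 12. Boot services.
# The page's list reads like a RHEL 5 hardening list: on RHEL 6 several
# names have no init script (kudzu, rawdevices, xfs, portmap, hidd, isdn,
# syslog, ...), and `chkconfig <missing> off` just prints an error. Check
# existence first so the noise does not hide a real failure, and so a typo
# in a service you meant to *enable* gets noticed.
#
# Decisions carried over from the page that a reviewer should know about:
#  - ip6tables off: IPv6 traffic is left unfiltered (and iptables itself is
#    stopped in section 15), so this host ends up with no packet filter.
#  - portreserve appeared both "on" and "off" on the page; the later "off"
#    is what is applied here.
#  - the page chained `service NetworkManager stop && service network
#    restart`, so the network was never restarted when NetworkManager was
#    not installed/running; the two are now independent.
svc_set() {  # $1 = on|off, remaining args = service names
  local state=$1; shift
  local s
  for s in "$@"; do
    if chkconfig --list "$s" >/dev/null 2>&1; then
      chkconfig "$s" "$state"
    else
      echo "skip: no init script for $s" >&2
    fi
  done
}
svc_set off apmd netfs yppasswdd ypserv dhcpd portmap lpd nfs sendmail \
  snmpd snmptrapd rstatd atd cups bluetooth hidd ip6tables ipsec autofs \
  avahi-daemon avahi-dnsconfd cpuspeed isdn nfslock nscd pcscd acpid \
  firstboot mcstrans microcode_ctl rpcgssd rpcidmapd rpcbind portreserve \
  postfix setroubleshoot xfs xinetd restorecond anacron ypbind tftp pox \
  printer telnet NetworkManager tog-pegasus
# "syslog" on the page is "rsyslog" on RHEL 6; both are tried so the box
# definitely keeps a logger enabled.
svc_set on rawdevices mcelogd crond kudzu network readahead_early sshd \
  syslog rsyslog auditd
service NetworkManager stop 2>/dev/null
service network restart
service snmptrapd stop 2>/dev/null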
#14.hosts
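# 14. sshd reverse-DNS lookups and SELinux.
# Match the keyword whether the stock file has it commented or not; the
# page's pattern only hit the literal "#UseDNS yes".
if grep -q '^#\?UseDNS' /etc/ssh/sshd_config; then
  sed -i 's/^#\?UseDNS.*/UseDNS no/' /etc/ssh/sshd_config
else
  echo 'UseDNS no' >> /etc/ssh/sshd_config
fi
# Kept because the page does it, but this is the largest security regression
# in the runbook: disabling SELinux removes mandatory access control for
# every network daemon installed above (vsftpd, gdm, sshd, ...). Prefer
# SELINUX=permissive while troubleshooting denials, then return to enforcing.
# Either way it only takes effect at the next boot.
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config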
#15.iptables(old)
# 15. iptables. Stops the host firewall for this boot; together with the
# `iptables -F; service iptables save` in the hostname section the persisted
# ruleset is empty too, so the host has no packet filter before or after a
# reboot. Keep only if an upstream firewall fronts this host.
service iptables stop
#7.登录提示(old)
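# 7. /etc/motd with "hostname@ip".
# The page's test `[$netbond ge 1]` is not valid shell ("[" needs spaces
# around it and the operator is -ge), so the branch never selected eth1
# deliberately. `export` is not needed for variables used in this shell.
netbond=$(ifconfig | grep -c bond)
if [ "$netbond" -ge 1 ]; then
  motd_if=bond0
else
  motd_if=eth1
fi
# RHEL 6 ifconfig prints "inet addr:A.B.C.D ..." on line 2; with "[ :]+" as
# the separator the address is field 4.
woip=$(ifconfig "$motd_if" | awk -F '[ :]+' 'NR==2 {print $4}')
# hostname(1) rather than $HOSTNAME so a rename earlier in this session is
# reflected; same "\nhost@ip\n\n" layout as the page's echo -e.
printf '\n%s@%s\n\n' "$(hostname)" "$woip" > /etc/motd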
##cp
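# Install the repo file and nmon binary shipped alongside the runbook.
[ -f /etc/yum.repos.d/rhel-source.repo ] \
  && mv /etc/yum.repos.d/rhel-source.repo /etc/yum.repos.d/rhel-source.repo.bak
cp rhel-source.repo /etc/yum.repos.d/rhel-source.repo
# 775 on a binary in /usr/bin lets any member of its group replace a tool
# that root later runs from cron (section 17). System binaries are 755
# root:root.
cp nmon /usr/bin
chown root:root /usr/bin/nmon
chmod 755 /usr/bin/nmon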
#13.ftp(old)
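# 13. vsftpd.
VSF=/etc/vsftpd/vsftpd.conf
cp -p "$VSF" "${VSF}.bak"
sed -i 's/^anonymous_enable=YES/anonymous_enable=NO/' "$VSF"
# The page left chroot disabled (commented out). Without chroot_local_user
# every local FTP user can browse the whole filesystem with their UNIX
# permissions; enable it unless a user genuinely needs to leave $HOME (then
# use chroot_list_enable/chroot_list_file for the exceptions).
#sed -i 's/^#chroot_local_user=YES/chroot_local_user=YES/' "$VSF"
sed -i 's/^#ftpd_banner/ftpd_banner/' "$VSF"
grep -q '^dual_log_enable=' "$VSF" || echo 'dual_log_enable=YES' >> "$VSF"
grep -q '^vsftpd_log_file=' "$VSF" || echo 'vsftpd_log_file=/var/log/vsftpd.log' >> "$VSF"
# nopriv_user is the identity vsftpd drops to for unprivileged work. The
# page pointed it at the "weihu" maintenance account — a wheel member with a
# real shell whose password is also the SFTP repository password — so a
# vsftpd compromise would land straight in that account. Use a dedicated
# non-login system account instead (the default, nobody, is deleted
# elsewhere in this runbook).
getent passwd ftpsecure >/dev/null || useradd -r -M -s /sbin/nologin ftpsecure
if grep -q '^#\?nopriv_user=' "$VSF"; then
  sed -i 's/^#\?nopriv_user=.*/nopriv_user=ftpsecure/' "$VSF"
else
  echo 'nopriv_user=ftpsecure' >> "$VSF"
fi
chkconfig vsftpd on
service vsftpd restart
# Plain FTP carries credentials in clear text. If the only users are
# operators who already have SSH, the sftp the page itself uses makes
# vsftpd unnecessary.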
user_list：仅当 vsftpd.conf 中 userlist_deny=NO 时才是允许名单；默认（userlist_enable=YES、userlist_deny=YES）它是禁止名单。
ftpusers：由 /etc/pam.d/vsftpd 中的 pam_listfile 读取，始终为禁止名单。
#15.glibc
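# 15. glibc update from the internal repository (local RPMs).
: "${WEIHU_PW:?set WEIHU_PW to the weihu SFTP password first}"
REPO_HOST=136.5.176.162
mkdir -p glibc && cd glibc && lftp "sftp://${REPO_HOST}" <<EOF
user weihu "${WEIHU_PW}"
cd glibc
mget *
bye
EOF
# RPMs fetched over sftp are trusted blindly unless checked: yum's gpgcheck
# applies to repository packages, and local files are only verified when
# localpkg_gpgcheck=1 is set in yum.conf. Import the Red Hat key the repo
# file already references and verify explicitly; install only if every
# signature checks out.
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
if rpm -K *.rpm; then
  yum -y localupdate *.rpm
else
  echo "signature check failed on one or more glibc RPMs; not installing" >&2
fi
cd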
#16.openssh
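# 16. OpenSSH 7.6p1 from source, installed over the RHEL 6 packages in /usr.
# Before starting: keep the current SSH session open and have a second
# terminal ready — if the new sshd fails to start you still have a way in.
# Note that the openssh-server RPM still thinks it owns these files; a later
# `yum update openssh*` would revert them (add exclude=openssh* to yum.conf
# if that is not wanted).
: "${WEIHU_PW:?set WEIHU_PW to the weihu SFTP password first}"
REPO_HOST=136.5.176.162
SSH_VER=7.6p1
lftp "sftp://${REPO_HOST}" <<EOF
user weihu "${WEIHU_PW}"
get openssh-${SSH_VER}.tar.gz
bye
EOF
# Nothing verifies the tarball; compare with the upstream signature or
# sha256 before compiling it into the box's only remote access path.
tar zxvf "openssh-${SSH_VER}.tar.gz"
# (The page cd'ed in and ran `tar zxvf openssh*` a second time on a glob
# that matches nothing inside the source tree; dropped.)
cd "openssh-${SSH_VER}" && {
  # The page ended the --with-kerberos5 line with a trailing backslash, so
  # the following `sleep 3` became two extra configure arguments.
  # --with-ssl-dir=/usr/share/ssl is kept from the page; on RHEL the
  # openssl-devel headers live under /usr — confirm in configure's summary
  # that the system OpenSSL is the one picked up.
  ./configure --prefix=/usr \
    --sysconfdir=/etc/ssh \
    --with-ssl-dir=/usr/share/ssl \
    --with-zlib \
    --with-pam \
    --with-md5-passwords \
    --with-kerberos5 \
  && make && make install
}
# make install leaves an existing /etc/ssh/sshd_config alone; keep a copy
# anyway, and keep the RPM init script rather than parking it in /tmp.
cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.pre-${SSH_VER}"
[ -f /etc/init.d/sshd ] && mv /etc/init.d/sshd /etc/init.d/sshd.rpm
cp contrib/redhat/sshd.init /etc/init.d/sshd
chmod 755 /etc/init.d/sshd
# Validate the old config against the new daemon before restarting; then
# open a NEW connection to confirm login works before closing this one.
/usr/sbin/sshd -t && service sshd restart
ssh -V
cd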
17.nmon
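# 17. nmon collector.
: "${WEIHU_PW:?set WEIHU_PW to the weihu SFTP password first}"
REPO_HOST=136.5.176.162
lftp "sftp://${REPO_HOST}" <<EOF
user weihu "${WEIHU_PW}"
get nmon
bye
EOF
# This is an unverified binary that root's cron will run every day; check
# its checksum against the copy on the repository before installing it.
install -o root -g root -m 755 nmon /usr/bin/nmon
mkdir -p /home/weihu/nmon/
# The page listed the two cron lines after `crontab -l`, which only prints
# the current table; they have to be fed to `crontab -` to take effect.
# Schedule: daily at 01:01, 1430 samples x 60 s (~23.8 h) per file. The
# page's prune line (`* * * * 1`) ran every minute all day on Mondays; it is
# run once, at 00:30 on Mondays, and uses find -delete instead of
# `-exec rm -rf {} \;`.
( crontab -l 2>/dev/null | grep -v '/home/weihu/nmon/'
  echo '30 0 * * 1 find /home/weihu/nmon/ -type f -mtime +7 -delete'
  echo '1 1 * * * /usr/bin/nmon -s60 -c1430 -f -m /home/weihu/nmon/'
) | crontab -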
18.kdump
# 18. kdump: only reports the current state here. Enabling it means reserving
# memory with crashkernel= on the kernel command line, i.e. a reboot, which
# this runbook leaves to the operator.
service kdump status
19.Xmanager不做了
# 19. Xmanager (XDMCP) — marked "not done" on the page; kept as reference.
yum install -y gdm
# These settings would expose an unencrypted, unauthenticated XDMCP login on
# UDP 177 and additionally allow *remote* root login through it
# (AllowRemoteRoot). If remote X is ever needed, tunnel it over SSH
# (X11Forwarding) and leave AllowRemoteRoot and [xdmcp] Enable at their
# default of false.
vi /etc/gdm/custom.conf
[security]
AllowRoot=true
AllowRemoteRoot=true
[xdmcp]
Port=177
Enable=true
20.itsm 不做了
# 20. itsm (JDK 1.6) — marked "not done" on the page.
# As written this cannot run unattended: `su - ibnms` opens an interactive
# shell, and the lftp here-document below is typed into that shell rather
# than run by lftp. The SFTP password is again on the lftp command line
# (visible in `ps`). Java 6 has been out of public support since 2013;
# treat 1.6.0_21 as unpatched and keep it off any network-facing path.
su - ibnms
lftp -u weihu,pi=3yuaN sftp://136.5.176.162<<EOF
get jdk1.6.0_21.tar.gz
bye
EOF
tar zxvf jdk1.6.0_21.tar.gz
21.必做
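# 21. Required: remove unneeded network-facing packages.
# `rpm -e --nodeps` on each of these silently breaks whatever depended on
# them. Try a normal erase first; if rpm refuses, print the dependents so
# the operator can decide, rather than forcing it blind.
for pkg in httpd mysql net-snmp wget squid; do
  rpm -q "$pkg" >/dev/null 2>&1 || continue
  if ! rpm -e "$pkg" 2>/dev/null; then
    echo "$pkg has dependents; review them before running rpm -e --nodeps $pkg:" >&2
    rpm -q --whatrequires "$pkg" >&2
  fi
done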
22.ntpd
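# 22. ntp 4.2.8p10 from source, replacing the RHEL ntp packages.
: "${WEIHU_PW:?set WEIHU_PW to the weihu SFTP password first}"
REPO_HOST=136.5.176.162
NTP_VER=4.2.8p10
lftp "sftp://${REPO_HOST}" <<EOF
user weihu "${WEIHU_PW}"
get ntp-${NTP_VER}.tar.gz
bye
EOF
# Erasing the RPMs deletes /etc/init.d/ntpd and /etc/sysconfig/ntpd and
# moves the edited /etc/ntp.conf (section 11) to ntp.conf.rpmsave, so the
# page's final `service ntpd restart` could not have worked. Save the three
# files first and put them back after the install; the RHEL init script runs
# /usr/sbin/ntpd, which matches --bindir below.
tar czf /root/ntp-rpm-files.tgz -C / etc/ntp.conf etc/init.d/ntpd etc/sysconfig/ntpd
rpm -e --nodeps ntp
rpm -e --nodeps ntpdate
# Missing on the page: extract and enter the source tree before configure.
# --with-lineeditlibs=readline and --enable-linuxcaps need readline-devel
# and libcap-devel installed, or configure fails. The page's --docdir said
# p9 for a p10 tarball; derived from NTP_VER here.
tar zxvf "ntp-${NTP_VER}.tar.gz"
cd "ntp-${NTP_VER}" && {
  ./configure --prefix=/usr \
    --bindir=/usr/sbin --sysconfdir=/etc \
    --enable-linuxcaps --with-lineeditlibs=readline \
    --docdir=/usr/share/doc/ntp-${NTP_VER} \
    --enable-all-clocks --enable-parse-clocks \
    --enable-clockctl \
  && make && make install
}
cd ..
tar xzf /root/ntp-rpm-files.tgz -C /
# rpm -e also dropped the chkconfig links; re-register the restored script.
chkconfig --add ntpd
chkconfig ntpd on
service ntpd restart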