系统安全的几点细节

#设定用户90天修改密码，提前7天提醒 UserList=$(ls /home/|awk '{print $NF}'|grep -v lost+found) for user in $UserList do chage -M 90 -W 7 $user done #禁ping echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all #设定用户过期时间90默认密码长度8位 cp /etc/login.defs /etc/login.defs.bak sed -i '/PASS_MIN_LEN/s/[0-9]\{1,6\}/90/' /etc/login.defs sed -i '/PASS_MIN_LEN/s/[0-9]\{1,3\}/8/' /etc/login.defs #设定用户登录，普通用户登录识别超过6次锁定300s. echo "account required pam_tally2.so deny=100 no_magic_root reset" >>/etc/pam.d/system-auth echo "auth required pam_tally2.so onerr=fail deny=6 unlock_time=300" >>/etc/pam.d/system-auth #隐藏系统版本号 mv /etc/issue /etc/isseu mv /etc/issue.net /etc/isseu.net mv /etc/redhat-release /etc/rehdat-release #优化配置参数。 echo ' # Kernel sysctl configuration file for Red Hat Linux # # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and # sysctl.conf(5) for more details. # Controls IP packet forwarding net.ipv4.ip_forward = 0 # Controls source route verification net.ipv4.conf.default.rp_filter = 1 # Do not accept source routing net.ipv4.conf.default.accept_source_route = 0 # Controls the System Request debugging functionality of the kernel kernel.sysrq = 0 # Controls whether core dumps will append the PID to the core filename # Useful for debugging multi-threaded applications kernel.core_uses_pid = 1 # Controls the use of TCP syncookies net.ipv4.tcp_syncookies = 1 # Controls the maximum size of a message, in bytes kernel.msgmnb = 65536 # Controls the default maxmimum size of a mesage queue kernel.msgmax = 65536 # Controls the maximum shared segment size, in bytes kernel.shmmax = 68719476736 # Controls the maximum number of shared memory segments, in pages kernel.shmall = 4294967296 # ------------- Kernel Optimization ------------- net.ipv4.tcp_max_tw_buckets = 60000 net.ipv4.tcp_sack = 1 net.ipv4.tcp_window_scaling = 1 net.ipv4.tcp_rmem = 4096 87380 4194304 net.ipv4.tcp_wmem = 4096 16384 4194304 net.core.wmem_default = 8388608 net.core.rmem_default = 8388608 net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 net.core.netdev_max_backlog = 262144 net.core.somaxconn = 262144 net.ipv4.tcp_max_orphans = 3276800 net.ipv4.tcp_max_syn_backlog = 262144 net.ipv4.tcp_timestamps = 0 net.ipv4.tcp_synack_retries = 1 net.ipv4.tcp_syn_retries = 1 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_mem = 94500000 915000000 927000000 net.ipv4.tcp_fin_timeout = 1 net.ipv4.tcp_keepalive_time = 30 net.ipv4.ip_local_port_range = 1024 65000 net.ipv4.ip_conntrack_max = 655360 net.ipv4.netfilter.ip_conntrack_max =655360 net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 180 ' >/etc/sysctl.conf #生效 sysctl -p #记录histtory日志 echo ' #history export HISTTIMEFORMAT="%F %T `whoami` " USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'` HISTDIR=/usr/local/bin/.history if [ -z $USER_IP ] then USER_IP=`hostname` fi if [ ! -d $HISTDIR ] then mkdir -p $HISTDIR chmod 777 $HISTDIR fi if [ ! -d $HISTDIR/${LOGNAME} ] then mkdir -p $HISTDIR/${LOGNAME} chmod 300 $HISTDIR/${LOGNAME} fi export HISTSIZE=4000 DT=`date +%Y%m%d_%H%M%S` export HISTFILE="$HISTDIR/${LOGNAME}/${USER_IP}.history.$DT" chmod 600 $HISTDIR/${LOGNAME}/*.history* 2>/dev/null '>>/etc/profile #安全登录 /etc/hosts.allow # # hosts.allow This file describes the names of the hosts which are # allowed to use the local INET services, as decided # by the '/usr/sbin/tcpd' server. # ##*** sshd:111.1.1.1 sshd:122.1.1.2 ##jump sshd:10.0.1.1 /etc/hosts.deny # # hosts.deny This file describes the names of the hosts which are # *not* allowed to use the local INET services, as decided # by the '/usr/sbin/tcpd' server. # # The portmap line is redundant, but it is left to remind you that # the new secure portmap uses hosts.deny and hosts.allow. In particular # you should know that NFS uses portmap! sshd:all #检查防火墙配置（开放指定用户地址登录|服务地址开放用户地址段） iptables-save #创建普通用户 useradd liangxiujun echo -e 'xx123456'|passwd liangxiujun --stdin #禁止root登录权限 sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config #优化ssh链接慢问题 sed -i 's/GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config sed -i '/#UseDNS yes/a\UseDNS no' /etc/ssh/sshd_config /etc/init.d/sshd restart

相关阅读