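#!/bin/bash
# Name:    One-shot Linux hardening script
# Purpose: Baseline security hardening for a freshly deployed Linux system;
#          18 checks/fixes in total.
# Note:    Review every item against business needs and validate in a test
#          environment before running on production.
# Version: 1.1
#
# Environment overrides (unset => the historical defaults below are used):
#   SSH_ALLOWED_NETS  networks allowed to reach sshd through tcp_wrappers
#                     (hosts.allow syntax, space separated)
#
# Deliberately no `set -e`: most steps are best-effort (their target file is
# absent on some distributions) and one failing step must not stop the rest.
# The steps later steps depend on (backup directory, sshd config validity)
# check their own status explicitly.
set -u

# Files edited by more than one step.
readonly LOGIN_DEFS=/etc/login.defs
readonly LIMITS_CONF=/etc/security/limits.conf
readonly PAM_AUTH=/etc/pam.d/system-auth
readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly SSH_BANNER=/etc/ssh_banner

# --- helpers ---------------------------------------------------------------

# Print a non-fatal diagnostic on stderr.
warn() { printf '警告: %s\n' "$*" >&2; }

# Print a fatal diagnostic on stderr and stop the run.
die() { printf '错误: %s\n' "$*" >&2; exit 1; }

# set_login_def KEY VALUE: rewrite every active "KEY ..." line in
# /etc/login.defs, or append one when none exists. Safe to re-run; avoids the
# grep -n | cut line-number dance, which breaks when KEY appears twice.
set_login_def() {
  local key=$1 value=$2
  if grep -q "^${key}[[:space:]]" "$LOGIN_DEFS"; then
    sed -i "s/^${key}[[:space:]].*/${key} ${value}/" "$LOGIN_DEFS"
  else
    printf '%s %s\n' "$key" "$value" >> "$LOGIN_DEFS"
  fi
}

# ensure_line LINE FILE: append LINE unless an identical line is already
# present, so repeated runs do not pile up duplicates.
ensure_line() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# set_core_limit hard|soft: force the named core-file limit to 0 in
# limits.conf, touching only active (uncommented) entries.
set_core_limit() {
  local kind=$1
  if grep -q "^[^#]*${kind}[[:space:]]\+core" "$LIMITS_CONF"; then
    sed -i "s/^[^#]*${kind}[[:space:]]\+core.*/* ${kind} core 0/" "$LIMITS_CONF"
  else
    printf '* %s core 0\n' "$kind" >> "$LIMITS_CONF"
  fi
}

# --- preflight -------------------------------------------------------------

# Every step below writes to /etc; refuse to run unprivileged.
if [ "$(id -u)" -ne 0 ]; then
  die "此脚本必须以root权限运行。请使用sudo或切换到root用户后重试。"
fi

# Show the list of hardening items.
cat <<'EOF'
===== 即将执行的安全加固项目 =====
1. 设置口令更改最小间隔天数
2. 设置口令过期前警告天数
3. 配置系统core dump限制
4. 设置密码重复使用次数限制
5. 配置口令生存周期
6. 设置口令最小长度
7. 配置命令行界面超时退出
8. 禁用ctrl+alt+del组合键
9. 配置密码复杂度策略
10. 设置ssh成功登录后Banner
11. 配置用户umask设置
12. 修复重大目录或文件权限
13. 设置ssh登录前警告Banner
14. 修改系统banner信息
15. 优化别名文件配置
16. 配置hosts.allow和hosts.deny限制
17. 调整日志文件权限
18. 锁定系统默认非登录用户
==================================
EOF

# Ask for confirmation; anything but y/Y aborts without touching the system.
read -r -n 1 -p "是否继续执行加固操作? [y/N] "
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
  echo "已撤销加固操作。"
  exit 0
fi

# --- backup ----------------------------------------------------------------

BACKUP_DIR="/var/backup/linux_hardening_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$BACKUP_DIR" || die "无法创建备份目录: $BACKUP_DIR"
# The backup tree will hold a copy of /etc/shadow; keep it root-only.
chmod 700 "$BACKUP_DIR"
echo "正在创建备份目录: $BACKUP_DIR"

# Files (and one directory) the steps below may modify.
FILES_TO_BACKUP=(
  "$LOGIN_DEFS"
  "$LIMITS_CONF"
  "/etc/profile"
  "$PAM_AUTH"
  "/etc/inittab"
  "/etc/motd"
  "/etc/xinetd.conf"
  "/etc/group"
  "/etc/shadow"
  "/etc/services"
  "/etc/security"
  "/etc/passwd"
  "/etc/grub.conf"
  "/boot/grub/grub.conf"
  "/etc/lilo.conf"
  "$SSH_BANNER"
  "$SSHD_CONFIG"
  "/etc/aliases"
  "/etc/issue.net"
  "/etc/issue"
)

echo "正在备份相关配置文件…"
for file in "${FILES_TO_BACKUP[@]}"; do
  [ -e "$file" ] || continue
  # Mirror the original directory layout under BACKUP_DIR.
  mkdir -p "$BACKUP_DIR$(dirname "$file")"
  # -a keeps mode/owner/timestamps and recurses for /etc/security.
  cp -a -- "$file" "$BACKUP_DIR$file" && echo "已备份: $file"
done

# --- hardening steps -------------------------------------------------------

# 1. Minimum days between password changes.
echo "正在执行: 设置口令更改最小间隔天数"
set_login_def PASS_MIN_DAYS 1

# 2. Warning period before password expiry.
echo "正在执行: 设置口令过期前警告天数"
set_login_def PASS_WARN_AGE 7

# 3. Disable core dumps (hard and soft limit).
echo "正在执行: 配置系统core dump限制"
set_core_limit hard
set_core_limit soft

# 4. Password reuse limit (pam_unix remember=).
echo "正在执行: 设置密码重复使用次数限制"
if [ -f "$PAM_AUTH" ]; then
  # Only active "password ... pam_unix.so" lines; strip any existing
  # remember= first so the value is replaced rather than duplicated.
  sed -i '/^password.*pam_unix\.so/ s/ remember=[0-9]*//g' "$PAM_AUTH"
  sed -i 's/^\(password.*pam_unix\.so\)/\1 remember=5/' "$PAM_AUTH"
else
  # Debian-family systems use /etc/pam.d/common-password instead.
  warn "未找到 $PAM_AUTH, 跳过密码重复使用次数限制"
fi

# 5. Maximum password lifetime.
echo "正在执行: 配置口令生存周期"
set_login_def PASS_MAX_DAYS 90

# 6. Minimum password length.
echo "正在执行: 设置口令最小长度"
set_login_def PASS_MIN_LEN 8

# 7. Shell idle timeout. Anchored on both sides so a commented-out
# "export TMOUT=" no longer counts as "already configured".
# TODO(review): a user can still `unset TMOUT`; `readonly TMOUT` would
# prevent that but goes beyond the original baseline.
echo "正在执行: 配置命令行界面超时退出"
if grep -q "^export TMOUT=" /etc/profile; then
  sed -i 's/^export TMOUT=.*/export TMOUT=600/' /etc/profile
else
  echo "export TMOUT=600" >> /etc/profile
fi

# 8. Disable ctrl+alt+del. /etc/inittab covers sysvinit only; on systemd
# the key is handled by ctrl-alt-del.target, so mask it there as well.
echo "正在执行: 禁用ctrl+alt+del组合键"
if [ -f /etc/inittab ] && grep -q "^ca::ctrlaltdel" /etc/inittab; then
  sed -i 's/^ca::ctrlaltdel/#ca::ctrlaltdel/' /etc/inittab
fi
if command -v systemctl >/dev/null 2>&1; then
  systemctl mask ctrl-alt-del.target >/dev/null 2>&1 || warn "无法屏蔽 ctrl-alt-del.target"
fi

# 9. Password complexity. Only active lines are rewritten; otherwise the
# rule is inserted before the pam_unix password line.
# NOTE(review): newer distributions ship pam_pwquality instead of
# pam_cracklib — confirm the module exists on the target before relying on it.
echo "正在执行: 配置密码复杂度策略"
CRACKLIB_RULE='password requisite pam_cracklib.so difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1'
if [ -f "$PAM_AUTH" ]; then
  if grep -q "^password.*pam_cracklib\.so" "$PAM_AUTH"; then
    sed -i "s/^password.*pam_cracklib\.so.*/$CRACKLIB_RULE/" "$PAM_AUTH"
  else
    sed -i "/^password.*pam_unix\.so/i $CRACKLIB_RULE" "$PAM_AUTH"
  fi
else
  warn "未找到 $PAM_AUTH, 跳过密码复杂度策略"
fi

# 10. Post-login banner.
echo "正在执行: 设置ssh成功登录后Banner"
echo "Login success. All activity will be monitored and reported." > /etc/motd

# 11. Default umask. The old `$(umask) != 027` comparison never matched
# (bash prints four digits, 0027), so the grep alone decides; it now ignores
# commented-out lines.
echo "正在执行: 配置用户umask设置"
POLICY="027"
if ! grep -qE "^[[:space:]]*umask[[:space:]]+${POLICY}([[:space:]]|$)" /etc/profile; then
  echo "umask $POLICY" >> /etc/profile
fi

# 12. Permissions on sensitive files. Missing files are skipped instead of
# silenced. /etc/security is a directory: 600 removes traversal for
# non-root processes — TODO(review): confirm unprivileged PAM clients still
# work, or use 700.
echo "正在执行: 修复重大目录或文件权限"
while read -r mode path; do
  [ -e "$path" ] || continue
  chmod "$mode" "$path" || warn "无法修改权限: $path"
done <<'EOF'
600 /etc/xinetd.conf
644 /etc/group
400 /etc/shadow
644 /etc/services
600 /etc/security
644 /etc/passwd
600 /etc/grub.conf
600 /boot/grub/grub.conf
600 /etc/lilo.conf
EOF

# 13. Pre-login SSH banner.
echo "正在执行: 设置ssh登录前警告Banner"
[ -f "$SSH_BANNER" ] || touch "$SSH_BANNER"
# Baseline ownership; the bin user may not exist, hence best-effort.
chown bin:bin "$SSH_BANNER" 2>/dev/null
chmod 644 "$SSH_BANNER"
echo "Authorized only. All activity will be monitored and reported." > "$SSH_BANNER"
# Point sshd at the banner. A new directive is inserted at the top rather
# than appended: anything after a `Match` block applies only to that block.
if grep -q "^Banner" "$SSHD_CONFIG"; then
  sed -i "s|^Banner.*|Banner $SSH_BANNER|" "$SSHD_CONFIG"
else
  sed -i "1i Banner $SSH_BANNER" "$SSHD_CONFIG"
fi

# 14. Blank the system identification banners (originals kept as .bak).
echo "正在执行: 修改系统banner信息"
mv /etc/issue.net /etc/issue.net.bak 2>/dev/null
mv /etc/issue /etc/issue.bak 2>/dev/null
touch /etc/issue.net /etc/issue
chmod 644 /etc/issue.net /etc/issue

# 15. Comment out legacy mail aliases. Anchored on the ':' so "games"
# does not also disable an alias such as "gamesadmin".
# NOTE(review): the change takes effect only after `newaliases` is run.
echo "正在执行: 优化别名文件配置"
if [ -f /etc/aliases ]; then
  for alias in games system uucp dumper decode ingres toor manager operator; do
    sed -i "s/^${alias}[[:space:]]*:/#&/" /etc/aliases
  done
fi

# 16. tcp_wrappers: allow sshd only from the listed networks, deny the rest.
# Check that the network you administer from is in SSH_ALLOWED_NETS before
# running — `sshd:all` in hosts.deny blocks every other source.
# NOTE(review): upstream OpenSSH dropped libwrap support in 6.7; on such
# builds these files have no effect and a firewall rule is needed instead.
echo "正在执行: 配置hosts.allow和hosts.deny限制"
SSH_ALLOWED_NETS=${SSH_ALLOWED_NETS:-"192.168.0.0/255.255.0.0 172.21.0.0/255.255.0.0 10.0.0.0/255.0.0.0"}
ensure_line "sshd:${SSH_ALLOWED_NETS}" /etc/hosts.allow
ensure_line "sshd:all" /etc/hosts.deny

# 17. Restrict log files named in the syslog configuration. Remote (@host)
# and wildcard targets are skipped; the leading '-' (async write) is
# stripped so those files are covered too. Only regular files are touched.
# NOTE(review): rules under /etc/rsyslog.d/ are not scanned here.
echo "正在执行: 调整日志文件权限"
for conf_file in /etc/syslog.conf /etc/rsyslog.conf; do
  [ -f "$conf_file" ] || continue
  while IFS= read -r logfile; do
    [ -f "$logfile" ] || continue
    chmod 600 "$logfile" || warn "无法修改权限: $logfile"
  done < <(grep -v "^[[:space:]]*#" "$conf_file" \
    | awk '$2 != "" && $2 !~ /@/ && $2 !~ /\*/ { sub(/^-/, "", $2); print $2 }')
done

# 18. Lock the stock service accounts that must never log in.
echo "正在执行: 锁定系统默认非登录用户"
for user in daemon bin sys adm lp uucp nuucp smmsp games ftp mail sync shutdown halt news operator gopher nobody; do
  id "$user" >/dev/null 2>&1 || continue
  passwd -l "$user" 2>/dev/null || warn "无法锁定用户: $user"
done

# --- apply -----------------------------------------------------------------

# Validate sshd_config before restarting: a bad directive would leave the
# host unreachable. On failure restore the backed-up copy and skip the restart.
RESTART_SSHD=1
if command -v sshd >/dev/null 2>&1 && ! sshd -t; then
  warn "sshd 配置校验失败, 已还原 $SSHD_CONFIG 并跳过 sshd 重启"
  cp -a -- "$BACKUP_DIR$SSHD_CONFIG" "$SSHD_CONFIG"
  RESTART_SSHD=0
fi

echo "正在重启相关服务…"
if command -v systemctl >/dev/null 2>&1; then
  [ "$RESTART_SSHD" -eq 1 ] && systemctl restart sshd 2>/dev/null
  systemctl restart rsyslog 2>/dev/null
else
  [ "$RESTART_SSHD" -eq 1 ] && service sshd restart 2>/dev/null
  service rsyslog restart 2>/dev/null
  service syslog restart 2>/dev/null
fi

echo "===== 系统加固操作已完成 ====="
echo "注意事项:"
echo "1. 配置文件备份已保存至: $BACKUP_DIR"
echo "2. 部分配置需要重新登录才能生效"
echo "3. 提议检查系统功能是否正常"
echo "4. 根据实际业务需求,可能需要调整部分配置"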

