linux系统优化安全升级

1、电信-4.Hostnamesed -i "2c HOSTNAME=abm25" /etc/sysconfig/network >/etc/echo 'secure1W'|passwd root -stdin iptables -Fservice iptables save-3.vmtoolslftp -u weihu,pi<<EOF get byeEOFtar zxvfcd vmware-tools*-default-2.Yummv /etc/ /tmpvi /etc/rhel-sourcename=Red Hat Enterprise L

2、inux $releasever - $basearch - Source baseurl=enabled=1 gpgcheck=1 gpgkey=file:/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-releasesed -i "3c baseurl=:/62/iso/redhat6.4/" /etc/yum clean allyum makecacheyum in stall -y ftp Iftp zlib* ope nssl* pam* gdm ruby teln et* vsftpd* gcc dstat mcel

3、og iotop lsscsi libstdc+* libcap*yum group in stall -ybasic-desktop x11 developme nteclipse compat-libraries storage-clie nt-multipathn fs-file-server -1.双网卡cd /etc/sysc on fig/network-scripts/mv ifcfg-e np1s0f0 bakifcfg-e np1s0f0 mv ifcfg-e np130s0f1 bakifcfg-e np130s0f1echo "ifenslave bond0 e

4、th1 eth5">>/etc/cat ifcfg-b ond0vi ifcfg-b ond0DEVICE=bo nd0 BOOTPROTO=yesONBOOT=yesBONDING_OPTS="mode=1 miimo n=200" cat ifcfg-e np130s0f1vi ifcfg-eth1DEVICE=eth1 ONBOOT=yes BOOTPROTO=none MASTER=bo nd0 SLAVE=yes TYPE=Ethernetcat ifcfg-e nplsOfOvi ifcfg-ethlDEVICE=e nplsOfO ONB

5、OOT=yes BOOTPROTO=none MASTER=bo ndO SLAVE=yes TYPE=EthernetO.ueradduseradd ibnmsecho "Wfz#2022"|passwd ibnms -stdin mkdir /ibnmschow n ibnm s:ib nms /ibnmsusermod -d /ibnms ibnmsuseradd weihuecho "pi=3yuaN"|passwd weihu -stdi nuseradd userecho "user,.123"|passwd user -

6、stdi n userdel n obodyuserdel ftp1. profileecho "TMOUT=300"»/etc/profilesed -i 's/HISTSIZE=1000/HISTSIZE=50000/g' /etc/profile echo 'stty erase AH'>> /etc/profileecho "" >> /etc/profile cp /etc/su /etc/sed -i "6c auth required pam_wheel.so us

7、e_uid" /etc/su usermod -a -G wheel weihu echo 'SU_WHEEL_ONLY yes'»/etc/ cp /etc/ /etc/sed -i "25c PASS_MAX_DAYS 60" /etc/sed -i "27c PASS_MIN_LEN8" /etc/sed -i "26c PASS_MIN_DAYS 10" /etc/sed -i 's/UMASK/#UMASK/g' /etc/echo "UMASK 027"

8、;>>/etc/sed -i "s/umask 022/umask 027/g" /etc/profileecho 'password requisite pam_cracklib.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1dcredit=-1 ocredit=-1'»/etc/system-authecho 'auth required pam_tally.so onerr=fail deny=5 unlock_time=300'»/etc/system

9、-auth cp -avx /etc/passwd /tmpecho 'PermitRootLogin no'>>/etc/ssh/sshd_configsed -i "s/rotate 4/rotate 20/g" /etc/echo 'authpriv.* /var/log/secure'>>/etc/ echo 'cro n.*'>>/etc/echo '*.* '>>/etc/chmod 744 /var/log/messageschmo

10、d 744 /var/log/securechmod 744 /var/log/maillogchmod 744 /var/log/cr onchmod 744 /var/log/spoolerchmod 744 /varchmod 644 /etc/passwdchmod 400 /etc/shadowchmod 644 /etc/groupchmod 644 /etc/serviceschmod 600 /etc/chmod 600 /etc/securitymv /etc/issue /etc/mv /etc/ /etc/echo " Authorized only. All

11、activity will be monitored and reported " > /etc/ssh_banner#9.内核(old)echo "* soft nproc 65535">>/etc/security/ echo "* hard nproc 65535">>/etc/security/ echo "* soft nofile 65535">>/etc/security/ echo "* hard nofile 65535">>/etc

12、/security/ echo "* - maxlogins 65535">>/etc/security/ sed -i 's/1024/65535/g' /etc/security/#11.time(old)echo "server 3">>/etc/ chkconfig ntpd on service ntpd restart chkconfig apmd off chkconfig netfs off chkconfig yppasswdd off chkconfig ypserv off

13、 chkconfig dhcpd off chkconfig portmap off chkconfig lpd off chkconfig nfs off chkconfig sendmail off chkconfig snmpd off chkconfig snmptrapd off chkconfig rstatd off chkconfig atd off chkconfig cups off chkconfig bluetooth off chkconfig hidd off chkconfig ip6tables off chkconfig ipsec off chkconfig

14、 autofs off chkconfig avahi-daemon off #5353 mdns chkconfig avahi-dnsconfd off chkconfig cpuspeed off chkconfig isdn off chkconfig nfslock off chkconfig nscd off chkconfig pcscd off chkconfig acpid off chkconfig firstboot off chkconfig mcstrans off chkconfig microcode_ctl off chkconfig rpcgssd off c

15、hkconfig rpcidmapd off chkconfig rpcbind off chkconfig portreserve on chkconfig postfix off #smtp 25 chkconfig setroubleshoot off chkconfig xfs off chkconfig xinetd off chkconfig restorecond off chkconfig anacron off chkconfig ypbind off chkconfig tftp off chkconfig pox off chkconfig printer off chk

16、config telnet off chkconfig NetworkManager off chkconfig tog-pegasus off # s 5989 chkconfig portreserve off #udp 631chkconfig rawdevices on chkconfig mcelogd on chkconfig crond on chkconfig kudzu on chkconfig network onchkconfig readahead_early onchkconfig sshd onchkconfig syslog onchkconfig auditd

17、onservice NetworkManager stop && service network restart service snmptrapd stop sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_configsed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config#15.iptables(old)service iptables stop(old)export n etb on d='ifc onfi

18、g |grep bon d|wc -I'if $netbond ge 1;thenexport woip='ifconfig bond0 |awk -F ' :+' 'NR=2 print $4''echo -e "n$HOSTNAME$woipn"> /etc/motdeIseexport woip='ifconfig eth1 |awk -F ' :+' 'NR=2 print $4''echo -e "n$HOSTNAME$woipn"&g

19、t; /etc/motdfi#cpmv /etc/ /etc/cp /etc/cp nmon /usr/binchmod 775 /usr/bin/nmon#13.ftp(oId)sed -i 's/anonymous_enabIe=YES/anonymous_enabIe=NO/g' /etc/vsftpd/ #sed -i 's/#chroot_IocaI_user=YES/chroot_IocaI_user=YES/g' /etc/vsftpd/ sed -i 's/#ftpd_banner/ftpd_banner/g' /etc/vsft

20、pd/ echo 'duaI_Iog_enabIe=YES' >> /etc/vsftpd/echo 'vsftpd_log_file=/var/log/vsftpd.log' >> /etc/vsftpd/ sed -i '/#nopriv_user=/c nopriv_user=weihu' /etc/vsftpd/ chkconfig vsftpd on service vsftpd start user_list 允许 ftpusers 禁止#15.glibcmkdir glibc cd glibc lftp -u

21、 weihu,pi=3yuaN s62<<EOF cd glibcmget *byeEOF yum -y localupdate * cd lftp -u weihu,pi=3yuaN s62<<EOFget openssh-7.6byeEOFtar zxvf openssh-7.6cd openssh-7.6p1tar zxvf openssh*cd openssh*./configure -prefix=/usr -sysconfdir=/etc/ssh -with-ssl-dir=/usr/share

22、/ssl -with-zlib -with-pam -with-md5-passwords -with-kerberos5 sleep 3make && make installmv /etc/sshd /tmp/sshd cp con trib/redhat/ /etc/sshdservice sshd restart ssh -Vcd17.nmonlftp -u weihu,pi=3yuaN s62<<EOFget nmonbyeEOFcp nmon /usr/b inchmod +x /usr/b in/nmonmkdir /home/weihu/nmon/cron tab -l* * * * 1 find /home/weihu/nmon/ -type f -mtime +7 -