linux系统优化安全升级

1、电信 RHEL6.6-4.Hostnamesed -i 2c HOSTNAME=abm25 /etc/sysconfig/network/etc/resolv.confecho secure1W|passwd root -stdiniptables -Fserviceiptables save-3.vmtoolslftp -u weihu,pi=3yuaN s62/etc/rc.d/rc.localcat ifcfg-bond0viifcfg-bond0DEVICE=bond0BOOTPROTO=yesIPADDR=00GATEWAY=7NETMASK=24ONBOOT=yesBONDING_

2、OPTS=mode=1 miimon=200cat ifcfg-enp130s0f1vi ifcfg-ethl DEVICE=eth1 ONBOOT=yes BOOTPROTO=none MASTER=bond0 SLAVE=yesTYPE=Ethernetcat ifcfg-enp1s0f0vi ifcfg-ethlDEVICE=enp1s0f0 ONBOOT=yes BOOTPROTO=none MASTER=bond0SLAVE=yes TYPE=Ethernet0.ueradduseraddibnmsecho Wfz#2015”|passwd ibnms -stdinmkdir /ib

3、nmschownibnms:ibnms /ibnmsusermod -d /ibnmsibnmsuseraddweihuecho pi=3yuaN|passwd weihu -stdinuseradduserecho ”user,.123”|passwd user-stdin userdel nobody userdel ftp1. profileecho TMOUT=300/etc/profile/etc/profilesed -i s/HISTSIZE=1000/HISTSIZE=50000/g/etc/profileecho ,stty erase 刃 /etc/profileecho

4、/etc/profile#2.su cp /etc/pam.d/su /etc/pam.d/su.baksed -i 6c authrequiredpam_wheel.so use_uid /etc/pam.d/su usermod-a -G wheel weihuecho SU_WHEEL_ONLY yes/etc/login.defs3.密码cp /etc/login.defs /etc/login.defs.baksed -i 25c PASS_MAX_DAYS60 /etc/login.defssed -i 27c PASS_MIN_LEN8 /etc/login.defssed -i

5、 26c PASS_MIN_DAYS 10 /etc/login.defssed -i s/UMASK/#UMASK/g /etc/login.defsecho UMASK 027/etc/login.defssed -i s/umask 022/umask 027/g /etc/profileecho ,passwordrequisite pam_cracklib.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1dcredit=-1 ocredit=-1/etc/pam.d/system-authecho auth required pam_

6、ta11y.so onerr=fail deny=5 unlock_time=300/etc/pam.d/system-auth cp -avx /etc/passwd /tmp4.禁止 rootecho PermitRootLogin no/etc/ssh/sshd_config5.启用 syslogsed -i s/rotate 4/rotate 20/g /etc/logrotate.confecho authpriv.*/var/log/secure/etc/syslog.confecho cron.*/etc/syslog.confecho *.* /etc/syslog.confc

7、hmod744/var/log/messageschmod744/var/log/securechmod744/var/log/maillogchmod744/var/log/cronchmod744/var/log/spoolerchmod744/var/log/boot.logchmod644/etc/passwdchmod400 /etc/shadowchmod 644 /etc/group chmod 644/etc/services chm0d600 /etc/xinetd.confchm0d600 /etc/security#6.bannermv /etc/issue /etc/i

8、ssue.bakmv HYPERLINK file:/etc/ /etc/ /etc/.bakecho Authorized only. All activity will be monitored and reported ” /etc/ssh_banner9.内核(old)echo * soft nproc 65535/etc/security/limits.confecho * hard nproc 65535/etc/security/limits.confecho * soft nofile 65535/etc/security/limits.confecho * hard nofi

9、le 65535/etc/security/limits.confecho “* - maxlogins 65535/etc/security/limits.conf sed -i s/1024/65535/g /etc/security/limits.d/90-nproc.conf10.权限#11.time(old)echo server 3/etc/ntp.confchkconfigntpd onservicentpd restart12.服务chkconfigapmd off chkconfignetfs off chkconfigyppasswdd off chkconfigypser

10、v off chkconfigdhcpd off chkconfigportmap off chkconfiglpd off chkconfignfs off chkconfigsendmail off chkconfigsnmpd off chkconfigsnmptrapdoff chkconfigrstatd off chkconfigatd off chkconfig cups off chkconfigbluetooth off chkconfighidd off chkconfig ip6tables off chkconfigipsec off chkconfigautofs o

11、ff chkconfigavahi-daemon off #5353 mdns chkconfigavahi-dnsconfd off chkconfigcpuspeed off chkconfig isdn off chkconfignfslock off chkconfignscd off chkconfigpcscd off chkconfigacpid off chkconfigfirstboot off chkconfigmcstrans off chkconfigmicrocode_ctl off chkconfigrpcgssd off chkconfigrpcidmapd of

12、f chkconfigrpcbind off chkconfigportreserve on chkconfigpostfix off #smtp25 chkconfigsetroubleshoot off chkconfigxfs off chkconfigxinetd off chkconfigrestorecond off chkconfiganacron off chkconfigypbind off chkconfigtftp off chkconfig pox off chkconfig printer off chkconfig telnet off chkconfigNetwo

13、rkManager off chkconfigtog-pegasusoff #https 5989 chkconfigportreserveoff #udp 631chkconfigrawdevices onchkconfigmcelogd onchkconfigcrond onchkconfig kudzu onchkconfig network onchkconfigreadahead_early onchkconfigsshd onchkconfig syslog onchkconfigauditdonserviceNetworkManager stop& service network

14、 restart servicesnmptrapd stop#14.hostssed -i s/#UseDNS yes/UseDNS no/g /etc/ssh/sshd_configsed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config#15.iptables(old) serviceiptables stop#7.登录提示(old)exportnetbond= ifconfig |grepbond|wc -lif $netbondge 1;thenexportwoip=、ifconfig bondO |awk -F

15、 :+ NR=2 print $4 echo -e n$HOSTNAME$woipn” /etc/motd elseexportwoip=、ifconfig ethl |awk -F :+ NR=2 print $4、 echo -e n$HOSTNAME$woipn” /etc/motd fi#cpmv /etc/yum.repos.d/rhel-source.repo/etc/yum.repos.d/rhel-source.repo.bakcprhel-source.repo /etc/yum.repos.d/rhel-source.repocpnmon /usr/binchmod 775

16、 /usr/bin/nmon#13.ftp(old)sed -i s/anonymous_enable=YES/anonymous_enable=NO/g /etc/vsftpd/vsftpd.conf#sed -i s/#chroot_local_user=YES/chroot_local_user=YES/g /etc/vsftpd/vsftpd.conf sed -i s/#ftpd_banner/ftpd_banner/g /etc/vsftpd/vsftpd.confecho dual_log_enable=YES /etc/vsftpd/vsftpd.confecho vsftpd

17、_log_file=/var/log/vsftpd.log /etc/vsftpd/vsftpd.confsed -i /#nopriv_user=/c nopriv_user=weihu /etc/vsftpd/vsftpd.confchkconfigvsftpd onservicevsftpd startuser_list 允许ftpusers 禁止#15.glibcmkdirglibccdglibcIftp -u weihu,pi=3yuaN sftp:62EOFcdglibcmget*byeEOFyum-y localupdate * cd#16.opensshlftp -u weih

18、u,pi=3yuaN sftp:62EOFgetopenssh-7.6p1.tar.gzbyeEOFtarzxvf openssh-7.6p1.tar.gzcd openssh-7.6p1tarzxvfopenssh*cdopenssh*./configure -prefix=/usr -sysconfdir=/etc/ssh -with-ssl-dir=/usr/share/ssl -with-zlib -with-pam -with-md5-passwords -with-kerberos5 sleep 3make& make installmv/etc/init.d/sshd /tmp/

19、sshdcpcontrib/redhat/sshd.init /etc/init.d/sshdservicesshd restart ssh -V cd.nmonlftp -u weihu,pi=3yuaN s62EOF getnmon bye EOFcpnmon /usr/binchmod +x /usr/bin/nmonmkdir/home/weihu/nmon/ crontab -l* * * * 1 find /home/weihu/nmon/ -type f -mtime +7 -exec rm -rf ; 1 1 * * * nmon -s60 -c1430 -f -m /home/weihu/nmon/.kdumpservicekdump status.Xmanager 不做了yum install -y gdmvi /etc/gdm/custom.confsecurityAllowRoot=trueAllowRemoteRoot