web sec / linux security script / linux jiagu

2021-08-05 18:02:04  阅读:344  来源: 互联网

标签:web sshd script etc so usr linux pam ssh


s

linux等保加固脚本 (Linux 等级保护 / MLPS compliance hardening script — account and PAM policy, TCP-wrapper access control, shell timeout/umask, then an OpenSSH rebuild from source)

https://www.cnblogs.com/flawlessm/p/12843188.html

 

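# Baseline hardening of the account policy, PAM stacks, TCP wrappers and the login shell.
# Written for a RHEL/CentOS 6-style layout (system-auth, pam_cracklib, pam_tally2, tcp_wrappers).
# Every change is guarded so the block can be re-run without stacking duplicate lines,
# and the FIRST backup of each file is kept instead of being overwritten on each run.
for f in /etc/login.defs /etc/profile /etc/pam.d/system-auth /etc/pam.d/su /etc/ssh/sshd_config; do
  [ -e "$f.bak" ] || cp -p "$f" "$f.bak"
done

# passwd(1) must go through the system-auth password stack (stock files typically already
# carry a "substack system-auth" line, in which case nothing is appended).
grep -Eq '^password[[:space:]]+(include|substack)[[:space:]]+system-auth' /etc/pam.d/passwd \
  || echo password include system-auth >> /etc/pam.d/passwd

# Complexity: up to 5 prompts, >=3 characters changed, >=8 characters with at least 1 upper-case,
# 3 lower-case, 3 digits and 1 other character (negative credits are minimum counts).
# Stock system-auth pads the fields with several spaces, so the pattern must accept any
# whitespace — the single-space pattern used originally never matched and the sed was a no-op.
sed -i '/^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so/c password requisite pam_cracklib.so try_first_pass retry=5 difok=3 minlen=8 ucredit=-1 lcredit=-3 dcredit=-3 ocredit=-1' /etc/pam.d/system-auth
# Keep a history of 24 passwords (/etc/security/opasswd) and hash with SHA-512.
# NOTE(review): nullok is carried over from the stock line; drop it if empty passwords must be rejected.
sed -i '/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/c password sufficient pam_unix.so remember=24 sha512 shadow nullok try_first_pass use_authtok' /etc/pam.d/system-auth

# Ageing: at most 90 days, at least 30 days between changes, minimum length 8.
# (The original set PASS_MIN_LEN to 30, which contradicts minlen=8 above; the annotated copy
# further down this page shows PASS_MIN_DAYS 30 / PASS_MIN_LEN 8 was intended.)
sed -i '/^PASS_MAX_DAYS/c PASS_MAX_DAYS 90' /etc/login.defs
sed -i '/^PASS_MIN_DAYS/c PASS_MIN_DAYS 30' /etc/login.defs
sed -i '/^PASS_MIN_LEN/c PASS_MIN_LEN 8' /etc/login.defs

# Lock after 3 failed logins for 300 s; root too (even_deny_root), for 600 s.
# Inserted only when absent — the unguarded sed added one more copy on every run.
# NOTE(review): even_deny_root means anyone who can reach sshd can lock root out for 10 minutes
# at a time; pam_tally2 was also removed in Linux-PAM 1.5 (pam_faillock replaces it) — verify the target OS.
tally='auth required pam_tally2.so onerr=fail deny=3 unlock_time=300 even_deny_root root_unlock_time=600'
for f in /etc/pam.d/sshd /etc/pam.d/login; do
  grep -q 'pam_tally2\.so' "$f" || sed -i "s#%PAM-1.0#%PAM-1.0\n$tally#" "$f"
done

# Only wheel members may su to root. The stock /etc/pam.d/su ships pam_wheel commented out,
# so match an ACTIVE line, not just the module name. Add members with: usermod -aG wheel <user>
grep -Eq '^auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so' /etc/pam.d/su \
  || sed -i 's#%PAM-1.0#%PAM-1.0\nauth sufficient /lib64/security/pam_rootok.so\nauth required /lib64/security/pam_wheel.so use_uid group=wheel#' /etc/pam.d/su

# TCP wrappers: only the bastion may reach sshd; every other wrapper-aware service is denied.
# NOTE(review): an OpenSSH built from upstream source (as this page does later) has no libwrap
# support — portable OpenSSH dropped it in 6.7 — so this rule then silently stops applying to
# sshd. Back it with a firewall rule or AllowUsers / Match Address in sshd_config.
grep -qxF 'sshd:192.168.200.122:allow' /etc/hosts.allow || echo sshd:192.168.200.122:allow >> /etc/hosts.allow
grep -qxF 'all:all' /etc/hosts.deny || echo all:all >> /etc/hosts.deny

# Idle shells exit after 600 s; readonly + export so a user cannot simply unset TMOUT.
grep -q '^TMOUT=' /etc/profile || printf '%s\n' 'TMOUT=600' 'readonly TMOUT' 'export TMOUT' >> /etc/profile

# Default umask 027. The stock profile sets the umask in two branches (002 and 022);
# only the "umask 022" line is rewritten here, so check which branch applies to your users.
sed -i '/ umask 022/c umask 027' /etc/profile
source /etc/profile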


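# ---- Annotated copy of the hardening steps (RHEL/CentOS 6-style PAM layout) ----

# Password complexity: up to 5 prompts per change, at least 3 characters different from the
# old password, minimum length 8 containing >= 1 upper-case, 3 lower-case, 3 digits and
# 1 other character (negative credit values are minimum counts, not bonuses).
# The stock system-auth pads its fields with several spaces; matching any whitespace is
# required, otherwise the sed matches nothing and the policy is never applied.
sed -i '/^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so/c password requisite pam_cracklib.so try_first_pass retry=5 difok=3 minlen=8 ucredit=-1 lcredit=-3 dcredit=-3 ocredit=-1' /etc/pam.d/system-auth
# Remember the last 24 passwords (stored in /etc/security/opasswd); SHA-512 hashing.
# NOTE(review): nullok is kept from the stock line — remove it if empty passwords must be rejected outright.
sed -i '/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/c password sufficient pam_unix.so remember=24 sha512 shadow nullok try_first_pass use_authtok' /etc/pam.d/system-auth

# Password ageing: at most 90 days, at least 30 days between changes, minimum length 8.
# NOTE(review): a 30-day minimum age also blocks a user from rotating a password they believe
# is compromised (root can still force it); 1 day is the more common floor.
sed -i '/^PASS_MAX_DAYS/c PASS_MAX_DAYS 90' /etc/login.defs
sed -i '/^PASS_MIN_DAYS/c PASS_MIN_DAYS 30' /etc/login.defs
sed -i '/^PASS_MIN_LEN/c PASS_MIN_LEN 8' /etc/login.defs

# Failed logins: lock the account after 3 failures for 300 s (not 10 s as the original comment
# claimed); root is locked as well (even_deny_root) but for 600 s. onerr=fail denies when the
# tally file cannot be used. Inserted only if absent so re-running does not duplicate the line.
# NOTE(review): with even_deny_root, three bad passwords from anywhere lock root out of ssh for
# 10 minutes; pam_tally2 was removed in Linux-PAM 1.5 (use pam_faillock there) — verify the target OS.
tally_line='auth required pam_tally2.so onerr=fail deny=3 unlock_time=300 even_deny_root root_unlock_time=600'
for pamfile in /etc/pam.d/sshd /etc/pam.d/login; do
  grep -q 'pam_tally2\.so' "$pamfile" || sed -i "s#%PAM-1.0#%PAM-1.0\n$tally_line#" "$pamfile"
done

# Restrict su-to-root to members of the wheel group via pam_wheel; pam_rootok lets root su freely.
# Add a user:     usermod -aG wheel username   (-a appends; a bare -G replaces the user's groups)
# Remove a user:  gpasswd -d userName groupName
# The stock /etc/pam.d/su ships pam_wheel commented out, hence the match on an ACTIVE line.
grep -Eq '^auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so' /etc/pam.d/su \
  || sed -i 's#%PAM-1.0#%PAM-1.0\nauth sufficient /lib64/security/pam_rootok.so\nauth required /lib64/security/pam_wheel.so use_uid group=wheel#' /etc/pam.d/su

# Forbid remote root login — left disabled in the original, and the sshd rebuild later on this
# page explicitly turns root login back ON. sshd honours the FIRST occurrence of a directive,
# so a plain "echo >>" has no effect when the key is already set earlier in the file; rewrite
# the existing (possibly commented) line instead:
#sed -i '/^#\?PermitRootLogin/c PermitRootLogin no' /etc/ssh/sshd_config
#/etc/init.d/sshd restart

# Only the bastion host 192.168.200.122 may reach sshd; every other wrapper-aware service is
# denied for everyone (all:all). Template for one more client:   sshd:x.x.x.x:allow
# NOTE(review): a source-built OpenSSH (as later on this page) has no tcp_wrappers support, so
# this rule stops applying to it — also enforce "bastion only" with the host firewall or with
# AllowUsers / Match Address in sshd_config.
grep -qxF 'sshd:192.168.200.122:allow' /etc/hosts.allow || echo sshd:192.168.200.122:allow >> /etc/hosts.allow
grep -qxF 'all:all' /etc/hosts.deny || echo all:all >> /etc/hosts.deny

# Log idle shells out after 600 s; readonly + export so it cannot simply be unset by the user.
grep -q '^TMOUT=' /etc/profile || printf '%s\n' 'TMOUT=600' 'readonly TMOUT' 'export TMOUT' >> /etc/profile
# Truncating the shell history (kept disabled) hides commands from later forensics; if command
# history needs protecting, ship it to auditd / a remote log rather than shrinking it.
#echo export HISTFILESIZE=5 >> /etc/profile
#echo export HISTSIZE=1 >> /etc/profile
#echo export HISTFILESIZE >> /etc/profile

# Default umask 027. The stock profile has two umask branches; only the "022" one is rewritten.
sed -i '/ umask 022/c umask 027' /etc/profile
source /etc/profile

# Show the failure count for a user:   pam_tally2 --user root
# Reset (unlock) a user:               pam_tally2 -r -u root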

更新安全补丁 (apply only the updates that carry a security advisory)
# Install only updates flagged with a security advisory. On EL6 the --security flag is provided
# by the yum-plugin-security package (install it first or the option is rejected); later releases
# have it built in — verify for the target OS. Run this BEFORE the source builds below.
yum --security upgrade

 

升级ssh版本 (rebuild OpenSSH from source: first enable a temporary telnet fallback so the host stays reachable while the sshd RPM is removed, then build zlib, OpenSSL and OpenSSH, then switch telnet off again):
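# TEMPORARY cleartext fallback. The openssh RPMs are removed further down, so telnet (plus
# root allowed on a pty) is what keeps the host reachable if the rebuild fails.
# Telnet sends passwords in the clear: only do this from an isolated management network, and
# make sure the fallback is switched off again at the end of the script.
# Local offline RPMs first (ignored if the files are absent), then the online install.
rpm -ivh telnet-0.17-47.el6_3.1.x86_64.rpm telnet-server-0.17-47.el6_3.1.x86_64.rpm xinetd-2.3.14-39.el6_4.x86_64.rpm
yum install telnet telnet-server xinetd wget -y
sed -i '/disable/{s/yes/no/g;}' /etc/xinetd.d/telnet
# Root may only log in on terminals listed in /etc/securetty; pts/0-6 lets root in over telnet.
# Each entry is added once so re-runs do not stack duplicates. These lines MUST be removed
# again when telnet is disabled, otherwise root stays allowed on any pseudo-terminal.
for n in 0 1 2 3 4 5 6; do
  grep -qx "pts/$n" /etc/securetty || echo "pts/$n" >> /etc/securetty
done
service xinetd start
chkconfig xinetd on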

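# Build dependencies. The apt-get line only applies to Debian-based hosts and simply fails on
# CentOS; the yum line is the one that matters for this script (pam-devel is needed for a
# PAM-enabled sshd).
apt-get install libssl-dev libpam-dev libz-dev build-essential zlib1g-dev
yum install gcc pam-devel zlib-devel -y
cd /tmp || exit 1
# NOTE(review): the tarballs are fetched without checksum or signature verification and are
# unpacked under world-writable /tmp with predictable names (a local user can pre-create
# /tmp/zlib-1.2.11). Verify the downloads against the publishers' signatures and build in a
# private directory before using this on a real host. OpenSSL 1.0.2 is also past its end of
# life — confirm the versions are still the ones you want. (Plain http replaced by https.)
wget https://www.zlib.net/zlib-1.2.11.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2q.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
tar -zxvf zlib-1.2.11.tar.gz 
tar -zxvf openssl-1.0.2q.tar.gz 
tar -zxvf openssh-8.0p1.tar.gz

cd /tmp/zlib-1.2.11/ || exit 1
./configure --prefix=/usr
make
# Install the replacement and register /usr/lib with the loader BEFORE removing the distro
# zlib: rpm, yum, python and sshd all need libz.so.1, so a resolvable copy must exist at
# every step (the original removed the RPM first and only then installed).
make install
grep -qx '/usr/lib' /etc/ld.so.conf || echo '/usr/lib' >> /etc/ld.so.conf
ldconfig
rpm -e --nodeps zlib
ldconfig
# Sanity check that rpm/yum still work against the source-built libz.
yum list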

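cd /tmp/openssl-1.0.2q/ || exit 1
# Keep copies of the distro OpenSSL — these are the only rollback if the build fails.
cp -r /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/openssl.old 
cp -r /usr/bin/openssl /usr/bin/openssl.old
cp -r /usr/lib64/openssl /usr/lib64/openssl.old
cp /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.old
cp /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.10.old
# Configure and compile while the distro OpenSSL is still installed; a build failure then
# leaves the system intact. NOTE(review): --openssldir=/etc/ssl differs from the RHEL layout
# (/etc/pki/tls) — confirm the CA bundle is reachable there or TLS verification breaks; and
# the "zlib" option compiles in TLS compression (CRIME) — drop it unless something needs it.
./config --prefix=/usr --openssldir=/etc/ssl --shared zlib
make
# The RPMs must go before "make install": rpm -e deletes the paths it owns (e.g. /usr/bin/openssl)
# and would otherwise remove the freshly installed binary. From here until the libssl.so.10 /
# libcrypto.so.10 compatibility links exist, yum/curl/wget/sshd have no libssl — do not stop midway.
rpm -qa |grep openssl|xargs -i rpm -e --nodeps {}
make install
ldconfig
openssl version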

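cd /tmp/openssh-8.0p1/ || exit 1
# Removing the openssh RPMs removes the running sshd's files; the telnet fallback enabled
# earlier is what keeps the host reachable if anything below fails.
rpm -qa |grep openssh|xargs -i rpm -e --nodeps {}

# Unprivileged account and empty directory used by sshd privilege separation.
install -v -m700 -d /var/lib/sshd &&
chown -v root:sys /var/lib/sshd &&
groupadd -g 50 sshd &&
useradd -c 'sshd PrivSep' \
-d /var/lib/sshd \
-g sshd \
-s /bin/false \
-u 50 sshd

# --with-pam is required: without it the new sshd never consults /etc/pam.d/sshd, so the
# pam_tally2 lockout and password policy configured earlier would not apply to SSH logins
# (pam-devel was installed for exactly this). Note this upstream build has no tcp_wrappers
# support, so /etc/hosts.allow and /etc/hosts.deny no longer restrict sshd.
./configure --prefix=/usr \
--sysconfdir=/etc/ssh \
--with-md5-passwords \
--with-pam \
--with-privsep-path=/var/lib/sshd &&
make

make install &&
install -v -m755 contrib/ssh-copy-id /usr/bin &&
install -v -m644 contrib/ssh-copy-id.1 \
/usr/share/man/man1 &&
install -v -m755 -d /usr/share/doc/openssh-8.0p1 &&
install -v -m644 INSTALL LICENCE OVERVIEW README* \
/usr/share/doc/openssh-8.0p1

# sshd uses the FIRST occurrence of a directive, so appending with "echo >>" is ignored whenever
# the key already appears earlier in the file (and a trailing append can land inside a Match
# block). Insert at the top instead, once; later duplicates are harmless because they lose.
set_sshd_opt() {
  local key=$1 val=$2 cfg=/etc/ssh/sshd_config
  grep -qxF "$key $val" "$cfg" && return 0
  sed -i "1i $key $val" "$cfg"
}
set_sshd_opt UsePAM yes
# NOTE(review): the next three settings deliberately WEAKEN the host after all the hardening
# above — root may log in remotely, with a password, and X11 can be forwarded. The usual target
# is key-based auth with "PermitRootLogin prohibit-password" (or no) and
# "PasswordAuthentication no"; keep these only if the bastion login flow truly needs them.
set_sshd_opt PermitRootLogin yes
set_sshd_opt PasswordAuthentication yes
set_sshd_opt X11Forwarding yes
# "Bastion only" now has to be enforced by sshd or the firewall (no libwrap in this build), e.g.
#   set_sshd_opt AllowUsers '*@192.168.200.122'
chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
cp -p contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
chkconfig --list sshd
# Validate the configuration before starting; a broken sshd_config would otherwise leave telnet
# as the only way in without any error being noticed.
/usr/sbin/sshd -t && service sshd start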

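# Switch the cleartext fallback off again — but only once the new sshd is actually running,
# otherwise this would cut off the last way into the box.
if service sshd status; then
  sed -i '/disable/{s/no/yes/g;}' /etc/xinetd.d/telnet
  service xinetd stop
  chkconfig xinetd off
  # Undo the /etc/securetty entries added for telnet: root was allowed on pts/0-6 only for the
  # fallback, and leaving them permits root logins on any pseudo-terminal via securetty-checking
  # services. The telnet-server package itself is left installed but disabled; remove it too
  # once the host is confirmed healthy.
  sed -i '/^pts\/[0-6]$/d' /etc/securetty
else
  echo "sshd is not running; telnet fallback left enabled - fix sshd before disabling it" >&2
fi

# Compatibility links so binaries linked against the distro soname (libssl.so.10) keep working
# with the source-built OpenSSL. Guarded so a re-run (or a surviving distro library) is not
# clobbered. NOTE(review): "./config --prefix=/usr" on this OpenSSL version installs its
# libraries under /usr/lib, not /usr/lib64 — confirm where libssl.so.1.0.0 actually landed.
for lib in libssl libcrypto; do
  [ -e "/usr/lib64/$lib.so.10" ] || ln -s "/usr/lib64/$lib.so.1.0.0" "/usr/lib64/$lib.so.10"
done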

 

end

来源: https://www.cnblogs.com/lindows/p/15104527.html

本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享;
2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关;
3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关;
4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除;
5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。

专注分享技术,共同学习,共同进步。侵权联系[81616952@qq.com]

Copyright (C)ICode9.com, All Rights Reserved.

ICode9版权所有