├── .gitignore ├── Check_script └── bash │ ├── CentOS_Check_Script.sh │ └── README.txt ├── Protective_Script ├── CentOS_Protective_Script.sh └── README.txt └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | /tools/.idea/ 3 | /PYJSAC/.idea/ 4 | /unit_test 5 | *~ 6 | *.DS_Store 7 | -------------------------------------------------------------------------------- /Check_script/bash/CentOS_Check_Script.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ##Filename: CentOS_Check_Script.sh 3 | ##Date: 2019-03-01 4 | ##Description: Security detection script 5 | 6 | echo "##########################################################################" 7 | echo "# #" 8 | echo "# health check script #" 9 | echo "# #" 10 | echo "#警告:本脚本只是一个检查的操作,未对服务器做任何修改,管理员可以根据此报告 #" 11 | echo "#进行相应的安全整改 #" 12 | echo "##########################################################################" 13 | echo " " 14 | #read -p "=====================Are You Ready,Please press enter==================" 15 | echo " " 16 | echo "##########################################################################" 17 | echo "# #" 18 | echo "# 主机安全检测 #" 19 | echo "# #" 20 | echo "##########################################################################" 21 | echo " " 22 | echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>系统基本信息<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" 23 | hostname=$(uname -n) 24 | system=$(cat /etc/os-release | grep "^NAME" | awk -F\" '{print $2}') 25 | version=$(cat /etc/redhat-release | awk '{print $4$5}') 26 | kernel=$(uname -r) 27 | platform=$(uname -p) 28 | address=$(ip addr | grep inet | grep -v "inet6" | grep -v "127.0.0.1" | awk '{ print $2; }' | tr '\n' '\t' ) 29 | cpumodel=$(cat /proc/cpuinfo | grep name | cut -f2 -d: | uniq) 30 | cpu=$(cat /proc/cpuinfo | grep 'processor' | sort | uniq | wc -l) 31 | machinemodel=$(dmidecode | grep "Product Name" | sed 's/^[ \t]*//g' | tr '\n' '\t' ) 32 | date=$(date) 33 | 34 | echo "主机名: $hostname" 35 | echo "系统名称: $system" 36 | echo "系统版本: $version" 37 | echo "内核版本: $kernel" 38 | echo "系统类型: $platform" 39 | echo "本机IP地址: $address" 40 | echo "CPU型号: $cpumodel" 41 | echo "CPU核数: $cpu" 42 | echo "机器型号: $machinemodel" 43 | echo "系统时间: $date" 44 | echo " " 45 | echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>资源使用情况<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" 46 | summemory=$(free -h |grep "Mem:" | awk '{print $2}') 47 | freememory=$(free -h |grep "Mem:" | awk '{print $4}') 48 | usagememory=$(free -h |grep "Mem:" | awk '{print $3}') 49 | uptime=$(uptime | awk '{print $2" "$3" "$4" "$5}' | sed 's/,$//g') 50 | loadavg=$(uptime | awk '{print $9" "$10" "$11" "$12" "$13}') 51 | 52 | echo "总内存大小: $summemory" 53 | echo "已使用内存大小: $usagememory" 54 | echo "可使用内存大小: $freememory" 55 | echo "系统运行时间: $uptime" 56 | echo "系统负载: $loadavg" 57 | echo "=============================dividing line================================" 58 | echo "内存状态:" 59 | vmstat 2 5 60 | echo "=============================dividing line================================" 61 | echo "僵尸进程:" 62 | ps -ef | grep zombie | grep -v grep 63 | if [ $? == 1 ];then 64 | echo ">>>无僵尸进程" 65 | else 66 | echo ">>>有僵尸进程------[需调整]" 67 | fi 68 | echo "=============================dividing line================================" 69 | echo "耗CPU最多的进程:" 70 | ps auxf |sort -nr -k 3 |head -5 71 | echo "=============================dividing line================================" 72 | echo "耗内存最多的进程:" 73 | ps auxf |sort -nr -k 4 |head -5 74 | echo "=============================dividing line================================" 75 | echo "环境变量:" 76 | env 77 | echo "=============================dividing line================================" 78 | echo "路由表:" 79 | route -n 80 | echo "=============================dividing line================================" 81 | echo "监听端口:" 82 | netstat -tunlp 83 | echo "=============================dividing line================================" 84 | echo "当前建立的连接:" 85 | netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}' 86 | echo "=============================dividing line================================" 87 | echo "开机启动的服务:" 88 | systemctl list-unit-files | grep enabled 89 | echo " " 90 | echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>系统用户情况<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" 91 | echo "活动用户:" 92 | w | tail -n +2 93 | echo "=============================dividing line================================" 94 | echo "系统所有用户:" 95 | cut -d: -f1,2,3,4 /etc/passwd 96 | echo "=============================dividing line================================" 97 | echo "系统所有组:" 98 | cut -d: -f1,2,3 /etc/group 99 | echo "=============================dividing line================================" 100 | echo "当前用户的计划任务:" 101 | crontab -l 102 | echo " " 103 | echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>身份鉴别安全<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" 104 | grep -i "^password.*requisite.*pam_cracklib.so" /etc/pam.d/system-auth > /dev/null 105 | if [ $? == 0 ];then 106 | echo ">>>密码复杂度:已设置" 107 | else 108 | grep -i "pam_pwquality\.so" /etc/pam.d/system-auth > /dev/null 109 | if [ $? == 0 ];then 110 | echo ">>>密码复杂度:已设置" 111 | else 112 | echo ">>>密码复杂度:未设置,请加固密码--------[需调整]" 113 | fi 114 | fi 115 | echo "=============================dividing line================================" 116 | awk -F":" '{if($2!~/^!|^*/){print ">>>("$1")" " 是一个未被锁定的账户,请管理员检查是否是可疑账户--------[需调整]"}}' /etc/shadow 117 | echo "=============================dividing line================================" 118 | more /etc/login.defs | grep -E "PASS_MAX_DAYS" | grep -v "#" |awk -F' ' '{if($2!=90){print ">>>密码过期天数是"$2"天,请管理员改成90天------[需调整]"}}' 119 | echo "=============================dividing line================================" 120 | grep -i "^auth.*required.*pam_tally2.so.*$" /etc/pam.d/sshd > /dev/null 121 | if [ $? == 0 ];then 122 | echo ">>>登入失败处理:已开启" 123 | else 124 | echo ">>>登入失败处理:未开启,请加固登入失败锁定功能----------[需调整]" 125 | fi 126 | echo " " 127 | echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>访问控制安全<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" 128 | echo "系统中存在以下非系统默认用户:" 129 | more /etc/passwd |awk -F ":" '{if($3>500){print ">>>/etc/passwd里面的"$1 "的UID为"$3",该账户非系统默认账户,请管理员确认是否为可疑账户--------[需调整]"}}' 130 | echo "=============================dividing line================================" 131 | echo "系统特权用户:" 132 | awk -F: '$3==0 {print $1}' /etc/passwd 133 | echo "=============================dividing line================================" 134 | echo "系统中空口令账户:" 135 | awk -F: '($2=="!!") {print $1"该账户为空口令账户,请管理员确认是否为新增账户,如果为新建账户,请配置密码-------[需调整]"}' /etc/shadow 136 | echo " " 137 | echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>安全审计<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" 138 | echo "正常情况下登录到本机30天内的所有用户的历史记录:" 139 | last | head -n 30 140 | echo "=============================dividing line================================" 141 | echo "查看syslog日志审计服务是否开启:" 142 | if service rsyslog status | egrep " active \(running";then 143 | echo ">>>经分析,syslog服务已开启" 144 | else 145 | echo ">>>经分析,syslog服务未开启,建议通过service rsyslog start开启日志审计功能---------[需调整]" 146 | fi 147 | echo "=============================dividing line================================" 148 | echo "查看syslog日志是否开启外发:" 149 | if more /etc/rsyslog.conf | egrep "@...\.|@..\.|@.\.|\*.\* @...\.|\*\.\* @..\.|\*\.\* @.\.";then 150 | echo ">>>经分析,客户端syslog日志已开启外发--------[需调整]" 151 | else 152 | echo ">>>经分析,客户端syslog日志未开启外发---------[无需调整]" 153 | fi 154 | echo "=============================dividing line================================" 155 | echo "审计的要素和审计日志:" 156 | more /etc/rsyslog.conf | grep -v "^[$|#]" | grep -v "^$" 157 | echo "=============================dividing line================================" 158 | echo "系统中关键文件修改时间:" 159 | ls -ltr /bin/ls /bin/login /etc/passwd /bin/ps /etc/shadow|awk '{print ">>>文件名:"$9" ""最后修改时间:"$6" "$7" "$8}' 160 | echo " 161 | ############################################################################################### 162 | # ls文件:是存储ls命令的功能函数,被删除以后,就无法执行ls命令 # 163 | # login文件:login是控制用户登录的文件,一旦被篡改或删除,系统将无法切换用户或登陆用户 # 164 | # /etc/passwd是一个文件,主要是保存用户信息 # 165 | # /bin/ps 进程查看命令功能支持文件,文件损坏或被更改后,无法正常使用ps命令 # 166 | # /etc/shadow是/etc/passwd的影子文件,密码存放在该文件当中,并且只有root用户可读 # 167 | ###############################################################################################" 168 | echo "=============================dividing line================================" 169 | echo "检查重要日志文件是否存在:" 170 | log_secure=/var/log/secure 171 | log_messages=/var/log/messages 172 | log_cron=/var/log/cron 173 | log_boot=/var/log/boot.log 174 | log_dmesg=/var/log/dmesg 175 | if [ -e "$log_secure" ]; then 176 | echo ">>>/var/log/secure日志文件存在" 177 | else 178 | echo ">>>/var/log/secure日志文件不存在------[需调整]" 179 | fi 180 | if [ -e "$log_messages" ]; then 181 | echo ">>>/var/log/messages日志文件存在" 182 | else 183 | echo ">>>/var/log/messages日志文件不存在------[需调整]" 184 | fi 185 | if [ -e "$log_cron" ]; then 186 | echo ">>>/var/log/cron日志文件存在" 187 | else 188 | echo ">>>/var/log/cron日志文件不存在--------[需调整]" 189 | fi 190 | if [ -e "$log_boot" ]; then 191 | echo ">>>/var/log/boot.log日志文件存在" 192 | else 193 | echo ">>>/var/log/boot.log日志文件不存在--------[需调整]" 194 | fi 195 | if [ -e "$log_dmesg" ]; then 196 | echo ">>>/var/log/dmesg日志文件存在" 197 | else 198 | echo ">>>/var/log/dmesg日志文件不存在--------[需调整]" 199 | fi 200 | echo " " 201 | echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>剩余信息保护<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" 202 | echo "分区情况:" 203 | echo "如果磁盘空间利用率过高,请及时调整---------[需调整]" 204 | df -h 205 | echo "=============================dividing line================================" 206 | echo "可用块设备信息:" 207 | lsblk 208 | echo "=============================dividing line================================" 209 | echo "文件系统信息:" 210 | more /etc/fstab | grep -v "^#" | grep -v "^$" 211 | echo " " 212 | echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>入侵防范安全<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" 213 | echo "系统入侵行为:" 214 | more /var/log/secure |grep refused 215 | if [ $? == 0 ];then 216 | echo "有入侵行为,请分析处理--------[需调整]" 217 | else 218 | echo ">>>无入侵行为" 219 | fi 220 | echo "=============================dividing line================================" 221 | echo "用户错误登入列表:" 222 | lastb | head > /dev/null 223 | if [ $? == 1 ];then 224 | echo ">>>无用户错误登入列表" 225 | else 226 | echo ">>>用户错误登入--------[需调整]" 227 | lastb | head 228 | fi 229 | echo "=============================dividing line================================" 230 | echo "ssh暴力登入信息:" 231 | more /var/log/secure | grep "Failed" > /dev/null 232 | if [ $? == 1 ];then 233 | echo ">>>无ssh暴力登入信息" 234 | else 235 | more /var/log/secure|awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print ">>>登入失败的IP和尝试次数: "$2"="$1"次---------[需调整]";}' 236 | fi 237 | echo " " 238 | echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>恶意代码防范<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" 239 | echo "检查是否安装病毒软件:" 240 | crontab -l | grep clamscan.sh > /dev/null 241 | if [ $? == 0 ];then 242 | echo ">>>已安装ClamAV杀毒软件" 243 | crontab -l | grep freshclam.sh > /dev/null 244 | if [ $? == 0 ];then 245 | echo ">>>已部署定时更新病毒库" 246 | fi 247 | else 248 | echo ">>>未安装ClamAV杀毒软件,请部署杀毒软件加固主机防护--------[无需调整]" 249 | fi 250 | echo " " 251 | echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>资源控制安全<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" 252 | echo "查看是否开启了xinetd服务:" 253 | if ps -elf |grep xinet |grep -v "grep xinet";then 254 | echo ">>>xinetd服务正在运行,请检查是否可以把xinetd服务关闭--------[无需调整]" 255 | else 256 | echo ">>>xinetd服务未开启-------[无需调整]" 257 | fi 258 | echo "=============================dividing line================================" 259 | echo "查看是否开启了ssh服务:" 260 | if service sshd status | grep -E "listening on|active \(running\)"; then 261 | echo ">>>SSH服务已开启" 262 | else 263 | echo ">>>SSH服务未开启--------[需调整]" 264 | fi 265 | echo "=============================dividing line================================" 266 | echo "查看是否开启了Telnet-Server服务:" 267 | if more /etc/xinetd.d/telnetd 2>&1|grep -E "disable=no"; then 268 | echo ">>>Telnet-Server服务已开启" 269 | else 270 | echo ">>>Telnet-Server服务未开启--------[无需调整]" 271 | fi 272 | echo "=============================dividing line================================" 273 | ps axu | grep iptables | grep -v grep || ps axu | grep firewalld | grep -v grep 274 | if [ $? == 0 ];then 275 | echo ">>>防火墙已启用" 276 | iptables -nvL --line-numbers 277 | else 278 | echo ">>>防火墙未启用--------[需调整]" 279 | fi 280 | echo "=============================dividing line================================" 281 | echo "查看系统SSH远程访问设置策略(host.deny拒绝列表):" 282 | if more /etc/hosts.deny | grep -E "sshd"; then 283 | echo ">>>远程访问策略已设置--------[需调整]" 284 | else 285 | echo ">>>远程访问策略未设置--------[无需调整]" 286 | fi 287 | echo "=============================dividing line================================" 288 | echo "查看系统SSH远程访问设置策略(hosts.allow允许列表):" 289 | if more /etc/hosts.allow | grep -E "sshd"; then 290 | echo ">>>远程访问策略已设置--------[需调整]" 291 | else 292 | echo ">>>远程访问策略未设置--------[无需调整]" 293 | fi 294 | echo "=============================dividing line================================" 295 | echo "当hosts.allow和host.deny相冲突时,以hosts.allow设置为准" 296 | echo "=============================dividing line================================" 297 | grep -i "TMOUT" /etc/profile /etc/bashrc 298 | if [ $? == 0 ];then 299 | echo ">>>已设置登入超时限制" 300 | else 301 | echo ">>>未设置登入超时限制,请设置,设置方法:在/etc/profile或者/etc/bashrc里面添加参数TMOUT=600 --------[需调整]" 302 | fi 303 | echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>end<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" 304 | -------------------------------------------------------------------------------- /Check_script/bash/README.txt: -------------------------------------------------------------------------------- 1 | 压缩包包含2个文件: 2 | 1、CentOS_Check_Script.sh 3 | 2、README.txt 4 | 5 | ############################################################################################# 6 | 7 | 操作说明: 8 | 1、执行CentOS-Check_Script.sh脚本文件进行检查,命令格式如下 9 | sudo sh CentOS_Check_Script.sh | tee check_`date +%Y%m%d_%H%M%S`.txt 10 | 11 | ############################################################################################# 12 | 13 | 检查说明: 14 | 此脚本是按三级等保要求,编写的一键检查脚本,此脚本只适合linux分支中的redhat、centos,运行脚本将结果输出到 15 | 自定义的文件中,脚本结果需要人为检查。 16 | 17 | 此检查脚本包含以下几块内容 18 | 1、系统基本信息 19 | 2、资源使用情况 20 | 3、系统用户情况 21 | 4、身份鉴别安全 22 | 5、访问控制安全 23 | 6、安全审计 24 | 7、剩余信息保护 25 | 8、入侵防范安全 26 | 9、恶意代码防范 27 | 10、资源控制安全 28 | 29 | ############################################################################################# 30 | 31 | Date: 2019-03-1 32 | 创建完成一键检查脚本初始版本 33 | 34 | ############################################################################################# 35 | 36 | Date: 2019-03-20 37 | 在检测结果中,添加---[需整改] 38 | 检测空口令账户,管理员确认是否需要配置账号密码 39 | -------------------------------------------------------------------------------- /Protective_Script/CentOS_Protective_Script.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | ##Filename: OS-centOS-Protective_v0.1.sh 3 | ##Author: Browser 4 | ##Date: 2019-02-24 5 | ##Description: Operating system security reinforcement 6 | 7 | 8 | #########################variables############################ 9 | restart_flag=1 10 | ostype='unknow' 11 | ###########################ostype############################ 12 | if [ -f /etc/redhat-release ];then 13 | grep -i 'centos' /etc/redhat-release > /dev/null 14 | if [ $? == 0 ];then 15 | ostype='centos' 16 | fi 17 | grep -i 'redhat' /etc/redhat-release > /dev/null 18 | if [ $? == 0 ];then 19 | ostype='redhat' 20 | fi 21 | fi 22 | 23 | if [ -f /etc/centos-release ];then 24 | grep -i 'centos' /etc/centos-release > /dev/null 25 | if [ $? == 0 ];then 26 | ostype='centos' 27 | fi 28 | fi 29 | 30 | echo -e "###########################################################################################" 31 | echo -e "\033[1;31m OS type is $ostype \033[0m" 32 | echo -e "###########################################################################################" 33 | 34 | #######################restart_ssh################################ 35 | function restart_ssh(){ 36 | if [ $restart_flag == 0 ];then 37 | echo -e "\033[1;31mPlease restart SSH service manully by using 'service sshd restart' or 'systemctl restart sshd'\033[0m" 38 | fi 39 | } 40 | 41 | ###########################文件备份############################ 42 | function backup(){ 43 | if [ ! -x "backup" ]; then 44 | mkdir backup 45 | if [ -f /etc/pam.d/system-auth ];then 46 | cp /etc/pam.d/system-auth backup/system-auth.bak 47 | elif [ -f /etc/pam.d/common-password ];then 48 | cp /etc/pam.d/common-password backup/common-password.bak 49 | fi 50 | if [ -f ~/.ssh/authorized_keys ];then 51 | cp ~/.ssh/authorized_keys backup/authorized_keys.bak 52 | fi 53 | cp /etc/pam.d/sshd backup/sshd.bak 54 | cp /etc/sudoers backup/sudoers.bak 55 | cp /etc/ssh/sshd_config backup/sshd_config.bak 56 | cp /etc/profile backup/profile.bak 57 | cp /etc/pam.d/su backup/su.bak 58 | echo -e "###########################################################################################" 59 | echo -e "\033[1;31m Auto backup successfully \033[0m" 60 | echo -e "###########################################################################################" 61 | else 62 | echo -e "###########################################################################################" 63 | echo -e "\033[1;31mBackup file already exist, to avoid overwriting these files, backup will not perform again\033[0m " 64 | echo -e "###########################################################################################" 65 | fi 66 | } 67 | ###########################执行备份############################ 68 | backup 69 | 70 | ###########################文件还原############################ 71 | function recover(){ 72 | if [ -f backup/system-auth.bak ];then 73 | cp -rf backup/system-auth.bak /etc/pam.d/system-auth 74 | elif [ -f backup/common-password.bak ];then 75 | cp -rf backup/common-password.bak /etc/pam.d/common-password 76 | fi 77 | if [ -f backup/authorized_keys.bak ];then 78 | cp -rf backup/authorized_keys.bak ~/.ssh/authorized_keys 79 | fi 80 | cp -rf backup/sshd.bak /etc/pam.d/sshd 81 | cp -rf backup/sudoers.bak /etc/sudoers 82 | cp -rf backup/sshd_config.bak /etc/ssh/sshd_config 83 | cp -rf backup/profile.bak /etc/profile 84 | source /etc/profile 85 | cp -rf backup/su.bak /etc/pam.d/su 86 | restart_flag=0 87 | echo -e "\033[1;31m 8、 Recover success \033[0m" 88 | } 89 | 90 | ###########################口令复杂度设置############################ 91 | function password(){ 92 | echo "#########################################################################################" 93 | echo -e "\033[1;31m 2、 set password complexity requirements \033[0m" 94 | echo "#########################################################################################" 95 | 96 | if [ -f /etc/pam.d/system-auth ];then 97 | config="/etc/pam.d/system-auth" 98 | elif [ -f /etc/pam.d/common-password ];then 99 | config="/etc/pam.d/common-password" 100 | else 101 | echo -e "\033[1;31m Doesn't support this OS \033[0m" 102 | return 1 103 | fi 104 | 105 | grep -i "^password.*requisite.*pam_cracklib.so" $config > /dev/null 106 | if [ $? == 0 ];then 107 | sed -i "s/^password.*requisite.*pam_cracklib\.so.*$/password requisite pam_cracklib.so retry=3 difok=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1/g" $config 108 | echo -e "\033[1;31m密码修改重试3次机会,新密码与老密码必须有3字符不同,最小密码长度12个字符,包含大写字符至少一个,小写字母至少一个,数字至少一个,特殊字符至少一个\033[0m" 109 | else 110 | grep -i "pam_pwquality\.so" $config > /dev/null 111 | if [ $? == 0 ];then 112 | sed -i "s/password.*requisite.*pam_pwquality\.so.*$/password requisite pam_pwquality.so retry=3 difok=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1/g" $config 113 | echo -e "\033[1;31m密码修改重试3次机会,新密码与老密码必须有3字符不同,最小密码长度12个字符,包含大写字符至少一个,小写字母至少一个,数字至少一个,特殊字符至少一个\033[0m" 114 | else 115 | echo 'password requisite pam_cracklib.so retry=3 difok=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' >> $config 116 | echo -e "\033[1;31m密码修改重试3次机会,新密码与老密码必须有3字符不同,最小密码长度12个字符,包含大写字符至少一个,小写字母至少一个,数字至少一个,特殊字符至少一个\033[0m" 117 | fi 118 | fi 119 | 120 | if [ $? == 0 ];then 121 | echo -e "\033[37;5m [Password complexity set success] \033[0m" 122 | else 123 | echo -e "\033[31;5m [Password complexity set failed] \033[0m" 124 | exit 1 125 | fi 126 | } 127 | 128 | ################################新增超级管理员用户################################ 129 | function create_user(){ 130 | echo "#########################################################################################" 131 | echo -e "\033[1;31m 3、Create openroot account \033[0m" 132 | echo "#########################################################################################" 133 | read -p "Be sure to create an openroot account?[y/n]:" 134 | case $REPLY in 135 | y) 136 | grep -i 'openroot' /etc/passwd 137 | if [ $? == 0 ];then 138 | echo -e "\033[1;31m An openroot account has been created \033[0m" 139 | else 140 | read -p "Please enter your password:" PASSWD 141 | useradd -g root openroot;echo "$PASSWD" | passwd --stdin openroot > /dev/null 142 | if [ $? == 0 ];then 143 | echo -e "\033[1;31m openroot account created successfully \033[0m" 144 | grep -i "openroot" /etc/sudoers 145 | if [ $? != 0 ];then 146 | chmod u+w /etc/sudoers > /dev/null 147 | sed -i '/^root.*ALL=(ALL).*$/a\openroot ALL=(ALL) NOPASSWD:ALL' /etc/sudoers > /dev/null 148 | if [ $? == 0 ];then 149 | echo -e "\033[37;5m [Permissions set success] \033[0m" 150 | else 151 | echo -e "\033[31;5m [Permissions set failed] \033[0m" 152 | fi 153 | chmod u-w /etc/sudoers > /dev/null 154 | else 155 | echo -e "\033[1;31m Permissions have already been set \033[0m" 156 | fi 157 | else 158 | echo -e "\033[1;31m openroot account created failed \033[0m" 159 | exit 1 160 | fi 161 | fi 162 | ;; 163 | n) 164 | ;; 165 | *) 166 | create_user 167 | esac 168 | } 169 | ############################限制超级管理员用户远程登录############################ 170 | function remote_login(){ 171 | echo "#########################################################################################" 172 | echo -e "\033[1;31m 4、Set Remote Login Configuration(SSH) \033[0m" 173 | echo "#########################################################################################" 174 | #set Protocol 2 175 | echo >> /etc/ssh/sshd_config 176 | grep -i '^Protocol' /etc/ssh/sshd_config > /dev/null 177 | if [ $? == 0 ];then 178 | sed -i 's/^Protocol.*$/Protocol 2/g' /etc/ssh/sshd_config 179 | if [ $? != 0 ];then 180 | echo -e "\033[31;5m [##Error##]: Cannot to set Protocol to '2' \033[0m" 181 | else 182 | echo -e "\033[37;5m [Success: Set SSH Protocol to 2] \033[0m" 183 | fi 184 | else 185 | echo 'Protocol 2' >> /etc/ssh/sshd_config 186 | echo -e "\033[37;5m [Success: Set SSH Protocol to 2] \033[0m" 187 | fi 188 | 189 | read -p "Disable root remote login?[y/n](Please make sure you have created at least one another account):" 190 | case $REPLY in 191 | y) 192 | grep -i '^PermitRootLogin no' /etc/ssh/sshd_config > /dev/null 193 | if [ $? == 1 ];then 194 | grep -i '.*PermitRootLogin yes' /etc/ssh/sshd_config >/dev/null 195 | if [ $? == 0 ];then 196 | sed -i 's/.*PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config 197 | if [ $? != 0 ];then 198 | echo -e "\033[31;5m [##Error##]cannot to set PermitRootLogin to 'no' \033[0m" 199 | else 200 | echo -e "\033[37;5m Disable root remote login[Success] \033[0m" 201 | restart_flag=0 202 | fi 203 | else 204 | echo 'PermitRootLogin no' >> /etc/ssh/sshd_config 205 | echo -e "\033[37;5m Disable root remote login[Success] \033[0m" 206 | restart_flag=0 207 | fi 208 | else 209 | echo -e "\033[37;5m Already disable root remote login \033[0m" 210 | fi 211 | ;; 212 | n) 213 | ;; 214 | *) 215 | remote_login 216 | ;; 217 | esac 218 | } 219 | 220 | #######################配置系统历史命令操作记录和定时帐户自动登出时间################################ 221 | function set_history_tmout(){ 222 | echo "#########################################################################################" 223 | echo -e "\033[1;31m 5、set history and timeout \033[0m" 224 | echo "#########################################################################################" 225 | read -p "set history size, format, and TMOUT?[y/n]:" 226 | case $REPLY in 227 | y) 228 | #history_size 229 | grep -i "^HISTSIZE=" /etc/profile >/dev/null 230 | if [ $? == 0 ];then 231 | #history记录保留一万条 232 | sed -i "s/^HISTSIZE=.*$/HISTSIZE=10000/g" /etc/profile 233 | else 234 | echo 'HISTSIZE=10000' >> /etc/profile 235 | fi 236 | echo -e "\033[1;31m HISTSIZE has been set to 10000 \033[0m" 237 | #history_format 238 | grep -i "^export HISTTIMEFORMAT=" /etc/profile > /dev/null 239 | if [ $? == 0 ];then 240 | sed -i 's/^export HISTTIMEFORMAT=.*$/export HISTTIMEFORMAT="%F %T `whoami`"/g' /etc/profile 241 | else 242 | echo 'export HISTTIMEFORMAT="%F %T `whoami` "' >> /etc/profile 243 | fi 244 | echo -e '\033[1;31m HISTTIMEFORMAT has been set to "Number-Time-User-Command" \033[0m' 245 | #TIME_OUT 246 | read -p "set shell TMOUT?[300-600]seconds:" tmout 247 | : ${tmout:=600} 248 | grep -i "^TMOUT=" /etc/profile > /dev/null 249 | if [ $? == 0 ];then 250 | sed -i "s/^TMOUT=.*$/TMOUT=$tmout/g" /etc/profile 251 | else 252 | echo "TMOUT=$tmout" >> /etc/profile 253 | fi 254 | source /etc/profile 255 | echo -e "\033[37;5m [Success] \033[0m" 256 | ;; 257 | n) 258 | ;; 259 | *) 260 | set_history_tmout;; 261 | esac 262 | } 263 | 264 | 265 | #######################SSH端口配置################################ 266 | function ssh_port(){ 267 | echo "#########################################################################################" 268 | echo -e "\033[1;31m 6、set ssh port \033[0m" 269 | echo "#########################################################################################" 270 | read -p 'change ssh port?[y/n]:' 271 | case $REPLY in 272 | y) 273 | read -p 'please input the new ssh port(recommend to between 1024 and 65534, please make sure the port is not in used):' port 274 | ##验证端口是否被占用 275 | if [[ $port -gt 1024 && $port -lt 65535 ]];then 276 | netstat -tlnp|awk -v port=$port '{lens=split($4,a,":");if(a[lens]==port){exit 2}}' >/dev/null #2>&1 277 | res=$? 278 | if [ $res == 2 ];then 279 | echo -e "\033[1;31m The port $port is already in used, try again \033[0m" 280 | ssh_port 281 | elif [ $res == 1 ];then 282 | echo -e "\033[31;5m [##Error##] \033[0m" 283 | exit 1 284 | else 285 | ##修改ssh端口 286 | grep -i "^#Port " /etc/ssh/sshd_config > /dev/null 287 | if [ $? == 0 ];then 288 | sed -i "s/^#Port.*$/Port $port/g" /etc/ssh/sshd_config 289 | else 290 | grep -i "^Port " /etc/ssh/sshd_config > /dev/null 291 | if [ $? == 0 ];then 292 | sed -i "s/^Port.*$/Port $port/g" /etc/ssh/sshd_config 293 | else 294 | echo "Port $port" >> /etc/ssh/sshd_config 295 | fi 296 | fi 297 | echo -e "\033[37;5m [Success] \033[0m" 298 | restart_flag=0 299 | fi 300 | else 301 | echo -e "\033[31;5m [##The port $port is error, please input new ssh port between 1024 and 65534 ##] \033[0m" 302 | ssh_port 303 | fi 304 | ;; 305 | n) 306 | ;; 307 | *) 308 | echo -e "\033[31;5m [##Error##]:invalid input \033[0m" 309 | ssh_port 310 | ;; 311 | esac 312 | } 313 | 314 | #######################Logon failure handling################################ 315 | function logon(){ 316 | echo "#########################################################################################" 317 | echo -e "\033[1;31m 7、set logon failure handling \033[0m" 318 | echo "#########################################################################################" 319 | logonconfig=/etc/pam.d/sshd 320 | read -p 'Are you sure set logon failure handling?[y/n]:' 321 | case $REPLY in 322 | y) 323 | grep -i "^auth.*required.*pam_tally2.so.*$" $logonconfig > /dev/null 324 | if [ $? == 0 ];then 325 | sed -i "s/auth.*required.*pam_tally2.so.*$/auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=300/g" $logonconfig > /dev/null 326 | else 327 | sed -i '/^#%PAM-1.0/a\auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=300' $logonconfig > /dev/null 328 | fi 329 | 330 | if [ $? == 0 ];then 331 | echo "#########################################################################################" 332 | echo -e "\033[37;5m [Logon failure handling set success] \033[0m" 333 | echo -e "\033[1;31m限制登入失败三次,普通账号锁定5分钟,root账号锁定5分钟\033[0m" 334 | echo "#########################################################################################" 335 | else 336 | echo "#########################################################################################" 337 | echo -e "\033[31;5m [Logon failure handling set failed] \033[0m" 338 | echo "#########################################################################################" 339 | exit 1 340 | fi 341 | ;; 342 | n) 343 | ;; 344 | *) 345 | echo -e "\033[31;5m [##Error##]:invalid input \033[0m" 346 | logon 347 | ;; 348 | esac 349 | } 350 | #######################main################################ 351 | function main(){ 352 | echo -e "\033[1;31m 353 | ######################################################################################### 354 | # Menu # 355 | # 1:ALL protective # 356 | # 2:Set Password Complexity Requirements # 357 | # 3:Create openroot account # 358 | # 4:Set Remote Login Configuration(SSH) # 359 | # 5:Set Shell History and TMOUT # 360 | # 6:Set SSH Port # 361 | # 7:Set Logon failure handling # 362 | # 8:Recover Configuration # 363 | # 9:Exit # 364 | ######################################################################################### \033[0m" 365 | read -p "Please choice[1-9]:" 366 | case $REPLY in 367 | 1) 368 | password 369 | create_user 370 | remote_login 371 | set_history_tmout 372 | ssh_port 373 | logon 374 | restart_ssh 375 | ;; 376 | 2) 377 | password 378 | ;; 379 | 3) 380 | create_user 381 | ;; 382 | 4) 383 | remote_login 384 | restart_ssh 385 | ;; 386 | 5) 387 | set_history_tmout 388 | ;; 389 | 6) 390 | ssh_port 391 | restart_ssh 392 | ;; 393 | 7) 394 | logon 395 | restart_ssh 396 | ;; 397 | 8) 398 | recover 399 | restart_ssh 400 | ;; 401 | 9) 402 | exit 0 403 | ;; 404 | *) 405 | echo -e "\033[31;5m invalid input \033[0m" 406 | main 407 | ;; 408 | esac 409 | } 410 | 411 | ###################### 412 | main 413 | -------------------------------------------------------------------------------- /Protective_Script/README.txt: -------------------------------------------------------------------------------- 1 | 压缩包包含2个文件: 2 | 1、CentOS_Protective_Script.sh 3 | 2、README.txt 4 | 5 | ############################################################################################# 6 | 7 | 操作说明: 8 | 1、执行CentOS_Protective_Script.sh脚本文件进行加固,命令格式如下 9 | sudo sh CentOS_Protective_Script.sh 10 | 2、执行完成后,请按脚本提示重启相应服务 11 | 12 | ############################################################################################# 13 | 14 | 功能说明: 15 | 1、ALL protective 一键进行全部加固 16 | 2、Set Password Complexity Requirements 设置密码复杂度 17 | 3、Create openroot account 添加openroot账号 18 | 4、Set Remote Login Configuration(SSH) 禁止root远程登入 19 | 5、Set Shell History and TMOUT 设置history保存行数以及命令时间,设置窗口超时时间 20 | 6、Set SSH Port 更改SSH端口 21 | 7、Set Logon failure handling 登入失败处理 22 | 8、Recover Configuration 还原配置文件 23 | 9、Exit 24 | 25 | ############################################################################################# 26 | 27 | Date: 2019-02-24 28 | 创建加固脚本,添加密码复杂度、禁止root登入、history、timeout超时、修改ssh端口,备份和还原配置文件功能 29 | 30 | ------------------------ 31 | 32 | Date: 2019-03-07 33 | 在输入ssh端口时,添加判断条件,在1024~65535之间的端口才能进一步匹配确认,否则重新输入 34 | 35 | ------------------------ 36 | 37 | Date: 2019-03-08 38 | 添加登入失败处理功能,限制登入失败三次,普通锁定5分钟,root账号锁定5分钟 39 | 40 | ------------------------ 41 | 42 | Date: 2019-03-18 43 | 添加新增openroot账号功能,防止系统没有除root账号外的其余账号,配置了禁止root远程,导致系统无法登入 44 | 45 | ---------------------- 46 | 47 | Date: 2019-03-20 48 | 新增禁止root远程登入的判断条件,可以重复执行脚本进行配置 49 | 50 | ------------------------- 51 | 52 | Date: 2019-03-22 53 | 解决sshd_config文件在被修改过PermitRootLogin yes 后,无法判断,并直接注入PermitRootLogin no,导致配置命令冲突,无法实现禁止root远程 54 | 55 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Linux 系统检测和加固脚本 (如果对你有帮助,请来一波star) 2 | 3 | **主要是为了Linux系统的安全,通过脚本对Linux系统进行一键检测和一键加固** 4 | 5 | ## Check_Script 6 | 7 | ```bash 8 | #包含2个文件 9 | CentOS_Check_Script.sh 10 | README.txt 11 | ``` 12 | 13 | **操作说明** 14 | 15 | ```bash 16 | #执行CentOS-Check_Script.sh脚本文件进行检查,命令格式如下 17 | sudo sh CentOS_Check_Script.sh | tee check_`date +%Y%m%d_%H%M%S`.txt 18 | ``` 19 | 20 | **检查说明** 21 | 22 | 此脚本是按三级等保要求,编写的一键检查脚本,此脚本只适合linux分支中的redhat、centos,运行脚本将结果输出到自定义的文件中,脚本结果需要人为检查。 23 | 24 | 此检查脚本包含以下几块内容: 25 | - 系统基本信息 26 | - 资源使用情况 27 | - 系统用户情况 28 | - 身份鉴别安全 29 | - 访问控制安全 30 | - 安全审计 31 | - 剩余信息保护 32 | - 入侵防范安全 33 | - 恶意代码防范 34 | - 资源控制安全 35 | 36 | 37 | ---- 38 | 39 | ## Protective_Script 40 | 41 | ```bash 42 | #包含2个文件 43 | CentOS_Protective_Script.sh 44 | README.txt 45 | ``` 46 | 47 | **操作说明** 48 | ```bash 49 | #执行CentOS_Protective_Script.sh脚本文件进行加固,命令格式如下 50 | sudo sh CentOS_Protective_Script.sh 51 | #执行完成后,请按脚本提示重启相应服务 52 | ``` 53 | 54 | **功能说明** 55 | - 一键进行全部加固 56 | - 设置密码复杂度 57 | - 添加openroot账号 58 | - 禁止root远程登入 59 | - 设置history保存行数以及命令时间,设置窗口超时时间 60 | - 更改SSH端口 61 | - 登入失败处理 62 | - 还原配置文件 63 | 64 | 65 | --------------------------------------------------------------------------------