
win如何通过脚本一键播放

Linux的shell加固脚本

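#!/bin/bash
# Linux baseline-hardening script: PAM password policy, file modes, umask,
# vsftpd, immutable flags, core dumps, legacy trust files, kernel network
# settings and SUID/SGID bits.
#
# NOTE(review): this listing was recovered from a page that collapsed the
# whole script onto two lines and truncated most paths and names containing a
# dot (a bare "/etc" stood where a file name used to be). Commands whose
# target could not be recovered are left commented out with <PLACEHOLDER>
# markers; run as printed they would have applied file modes to /etc itself
# and left the host unusable. Paths marked "restored" are inferred from the
# variable name or the directive being edited -- confirm before running.
#
# Run as root, on a test host first, and keep a second root session open:
# mistakes in the PAM and permission sections can lock every account out.

if [ "$(id -u)" -ne 0 ]; then
  echo "this script must be run as root" >&2
  exit 1
fi

# Rename every file called $1 found within three levels of / to <file>.bak.
# Works for zero, one or many matches; the original handed the whole find
# output to a single mv, which fails as soon as two files match.
disable_trust_file() {
  local found
  while IFS= read -r -d '' found; do
    mv -- "$found" "$found.bak"
  done < <(find / -maxdepth 3 -name "$1" -print0 2>/dev/null)
}

# ---- Password complexity ----
# Intended rule: minlen=8, at least one upper/lower/other/digit character,
# retry=3, difok=5, appended only when no such rule is configured yet.
# NOTE(review): the PAM file, the anchor line and the module name were lost in
# extraction. The options are those of the pam_cracklib / pam_pwquality
# family -- confirm which module the target distribution ships.
# if ! grep -v '^#' <PAM_FILE> | grep -q '<PAM_PASSWORD_MODULE>'; then
#   sed -i '/<ANCHOR_LINE>/a\password required <PAM_PASSWORD_MODULE> try_first_pass minlen=8 ucredit=-1 lcredit=-1 ocredit=-1 dcredit=-1 retry=3 difok=5' <PAM_FILE>
# fi

# ---- Lock the account for 5 minutes after 3 failed logins ----
# NOTE(review): module name and PAM file lost in extraction; onerr=fail,
# deny=3 and unlock_time=300 are the surviving options. Validate the PAM
# stack with a test login before closing the current session.
# sed -i 's#<ANCHOR_LINE>#<ANCHOR_LINE>\nauth required <PAM_LOCKOUT_MODULE> onerr=fail deny=3 unlock_time=300#' <PAM_FILE>

# ---- Default UMASK for new accounts ----
# restored: /etc/login.defs (page shows "/etc"; UMASK is a login.defs directive)
sed -i '/UMASK/s/077/027/' /etc/login.defs

# ---- Permissions on important files and directories ----
chmod 644 /etc/passwd
# chmod 600 <PATH_LOST_IN_EXTRACTION>   (two lines, both truncated to "/etc")
chmod 644 /etc/group
chmod 000 /etc/shadow
chmod 644 /etc/services
# chmod 600 /etc/security   -- probably truncated as well; mode 600 on a
#                              directory removes search permission, confirm the target
# Author's notes, kept from the original:
#   chmod 750 /etc/ -- with nscd running, logins failed after this change;
#   the system default of 755 is acceptable; must not be changed, otherwise
#   the polkit service fails to start.
# chmod 750 <PATH_LOST_IN_EXTRACTION>   (eight lines, all truncated to "/etc")
# chmod 750 /tmp   -- disabled: /tmp has to stay world-writable with the
#                     sticky bit (1777) or unprivileged users and many
#                     services cannot create temporary files
# chmod 600 <PATH_LOST_IN_EXTRACTION>   (two lines truncated to "/etc")
# chmod 600 /boot/grub   -- probably a truncated boot-loader config path; confirm

# ---- Shell umask ----
# sed -i '/umask/s/002/077/' <PATH_LOST_IN_EXTRACTION>
sed -i '/umask/s/002/077/' /etc/bashrc
sed -i '/umask/s/002/077/' /etc/profile
# restored: /etc/csh.login (page shows "/etc"; the variable was csh_login)
if ! grep -qi "umask" /etc/csh.login; then
  # The original echoed "/numask 077", which writes a literal "/n"; a newline
  # followed by the umask line is what was meant.
  printf '\numask 077\n' >>/etc/csh.login
fi

# ---- FTP (only relevant when vsftpd is installed) ----
# restored: "-name vsftpd.conf" (page shows "-name v"; variable was vsftpd_conf)
while IFS= read -r -d '' vsftpd_conf; do
  # Turn anonymous login off.
  sed -i '/anonymous_enable/s/YES/NO/' "$vsftpd_conf"
done < <(find /etc/ -maxdepth 2 -name vsftpd.conf -print0)

while IFS= read -r -d '' ftpuser; do
  # Append root to the ftpusers list unless an uncommented entry exists.
  if ! grep -v '^#' "$ftpuser" | grep -q root; then
    echo "root" >>"$ftpuser"
  fi
done < <(find /etc/ -maxdepth 2 -name ftpusers -print0)

# Drop passwd entries that start with "ftp". This has to run before the
# chattr +i below; on a second run it fails because the file is immutable.
sed -i '/^ftp/d' /etc/passwd

# ---- File attributes on important files ----
# Caveat: with the immutable flag set, useradd/passwd/groupadd fail until
# "chattr -i" is run, and an append-only /var/log/messages cannot be rotated
# by renaming. Plan for both in the change and log-rotation procedures.
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +a /var/log/messages
#chattr +i /var/log/messages.*

# ---- Core dumps ----
# restored: /etc/security/limits.conf (page shows "/etc/security"; the
# "* soft core 0" syntax is a limits.conf entry)
if ! grep core /etc/security/limits.conf | grep -qv '^#'; then
  echo "* soft core 0" >>/etc/security/limits.conf
  echo "* hard core 0" >>/etc/security/limits.conf
fi

# ---- Potentially dangerous trust files ----
# Check first whether any exist; skip this section if none do.
# restored: hosts.equiv (page shows an empty -name; variable was hosts_equiv)
disable_trust_file hosts.equiv
disable_trust_file .rhosts
disable_trust_file .netrc

# ---- Kernel network parameters ----
# Runtime only: these settings are lost on reboot and must be reapplied.
# NOTE(review): five "sysctl -w" lines survive only as 'net.i;<value>"'; the
# keys are lost. The values, in order, were 0, 0, 1, 0, 0.
# sysctl -w <NET_KEY_LOST_IN_EXTRACTION>="0"
# sysctl -w <NET_KEY_LOST_IN_EXTRACTION>="0"
# sysctl -w <NET_KEY_LOST_IN_EXTRACTION>="1"
# sysctl -w <NET_KEY_LOST_IN_EXTRACTION>="0"
# sysctl -w <NET_KEY_LOST_IN_EXTRACTION>="0"

# Enable SYN cookies to mitigate SYN flood attacks.
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
# Do not answer ICMP echo requests (this also blinds ping-based monitoring).
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
# Enlarge the half-open connection queue.
# restored: net.ipv4.tcp_max_syn_backlog (page shows 'net.i;2048"') -- confirm
sysctl -w net.ipv4.tcp_max_syn_backlog="2048"

# ---- SUID/SGID files ----
# Author's note: these files do not currently need changing; review them
# periodically. Mode 755 clears the SUID/SGID bits, so unprivileged use of
# mount, umount, ping, chsh etc. stops working afterwards.
# -exec ... + replaces "| xargs chmod", which ran chmod with no operand (and
# failed) whenever find matched nothing.
find /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn \
  /usr/bin/chsh /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl \
  /bin/mount /bin/umount /bin/ping /sbin/netreport \
  -type f -perm /6000 -exec chmod 755 {} +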

Windows的批处理脚本(一键加固:根据自身要求修改)

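REM Windows one-click hardening batch file: account policy, user rights,
REM audit policy and event-log sizes (via secedit templates), administrative
REM shares, and four registry settings (via regedit /s).
REM
REM NOTE(review): this listing was recovered from a page that collapsed the
REM script onto two lines and truncated several file names ("rig", "logc",
REM "SynA", "lanmanau", "clo", and an empty name for the screen-saver file).
REM rightscfg.* is restored from the surviving "del rightscfg.*"; the .reg
REM file names below are constructed temporary names. Run from an elevated
REM prompt in a scratch directory: the del commands remove account.*,
REM rightscfg.* and audit.* from the current directory.

echo 现在开始Windows安全加固,确认请按任意键
pause

REM ---- Account and password policy ----
echo [version] >account.inf
echo signature="$CHICAGO$" >>account.inf
echo [System Access] >>account.inf
REM Minimum password length: 6 (adjust to local policy)
echo MinimumPasswordLength=6 >>account.inf
REM Require password complexity
echo PasswordComplexity=1 >>account.inf
REM Maximum password age: 90 days
echo MaximumPasswordAge=90 >>account.inf
REM Remember the last 5 passwords
echo PasswordHistorySize=5 >>account.inf
REM Disable the Guest account
echo EnableGuestAccount=0 >>account.inf
REM Lock the account after 6 bad logon attempts
echo LockoutBadCount=6 >>account.inf
secedit /configure /db account.sdb /cfg account.inf /log account.log
del account.*

REM ---- User rights assignment ----
REM Caveat: the last two rights restrict local and network logon to
REM Administrators. Every other account (including service and application
REM accounts) loses access; confirm that is intended before applying.
echo [version] >rightscfg.inf
echo signature="$CHICAGO$" >>rightscfg.inf
echo [Privilege Rights] >>rightscfg.inf
REM Force shutdown from a remote system: Administrators only
echo seremoteshutdownprivilege=Administrators >>rightscfg.inf
REM Shut down the system: Administrators only
echo seshutdownprivilege=Administrators >>rightscfg.inf
REM Take ownership of files or other objects: Administrators only
echo setakeownershipprivilege=Administrators >>rightscfg.inf
REM Log on locally: Administrators only
echo seinteractivelogonright=Administrators >>rightscfg.inf
REM Access this computer from the network: Administrators only
echo senetworklogonright=Administrators >>rightscfg.inf
secedit /configure /db rightscfg.sdb /cfg rightscfg.inf /log rightscfg.log /quiet
del rightscfg.*

REM ---- Audit policy (3 = audit success and failure) ----
echo [version] >audit.inf
echo signature="$CHICAGO$" >>audit.inf
echo [Event Audit] >>audit.inf
REM System events
echo AuditSystemEvents=3 >>audit.inf
REM Object access
echo AuditObjectAccess=3 >>audit.inf
REM Privilege use
echo AuditPrivilegeUse=3 >>audit.inf
REM Policy change
echo AuditPolicyChange=3 >>audit.inf
REM Account management
echo AuditAccountManage=3 >>audit.inf
REM Process tracking
echo AuditProcessTracking=3 >>audit.inf
REM Directory service access
echo AuditDSAccess=3 >>audit.inf
REM Logon events
echo AuditLogonEvents=3 >>audit.inf
REM Account logon events
echo AuditAccountLogon=3 >>audit.inf

REM ---- Event-log settings ----
REM NOTE(review): on the page these lines were appended to a file printed as
REM "logc" that no secedit call ever imports, so they never took effect. They
REM are written to audit.inf here so the secedit call below applies them.
REM The first section header is garbled on the page ("echo AuditLog");
REM [System Log] is presumed because it is the only log section not
REM configured further down -- confirm.
REM AuditLogRetentionPeriod=0 overwrites events as needed, so old events are
REM lost once the log is full; forward logs elsewhere if they must be kept.
echo [System Log] >>audit.inf
REM Maximum log size 8192 KB
echo MaximumLogSize=8192 >>audit.inf
REM Overwrite events as needed when the maximum size is reached
echo AuditLogRetentionPeriod=0 >>audit.inf
REM Restrict guest access to this log
echo RestrictGuestAccess=1 >>audit.inf
echo [Security Log] >>audit.inf
REM Maximum security log size 8192 KB
echo MaximumLogSize=8192 >>audit.inf
REM Overwrite events as needed when the maximum size is reached
echo AuditLogRetentionPeriod=0 >>audit.inf
REM Restrict guest access to the security log
echo RestrictGuestAccess=1 >>audit.inf
echo [Application Log] >>audit.inf
REM Maximum application log size 8192 KB
echo MaximumLogSize=8192 >>audit.inf
REM Overwrite events as needed when the maximum size is reached
echo AuditLogRetentionPeriod=0 >>audit.inf
REM Restrict guest access to the application log
echo RestrictGuestAccess=1 >>audit.inf
secedit /configure /db audit.sdb /cfg audit.inf /log audit.log /quiet
del audit.*

REM ---- Shares ----
REM Caveat: Windows recreates the administrative shares when the Server
REM service restarts unless AutoShareServer / AutoShareWks is set to 0 under
REM the LanmanServer parameters key, so this removal alone is not persistent.
REM Remove the admin$ share
net share admin$ /del
REM Remove the ipc$ share
net share ipc$ /del
REM Remove the C: drive share
net share c$ /del
REM Remove the D: drive share
net share d$ /del

REM ---- TCP/IP: SYN attack protection ----
REM Each .reg file is now created with ">" on its first line; the original
REM used ">>" throughout, which appends to any stale file of the same name.
REM The page printed the key as ...\Services; these values are read from
REM ...\Services\Tcpip\Parameters. dword data in a .reg file is hexadecimal,
REM so the intended decimal 500 and 400 are written as 1f4 and 190.
REM These are legacy TCP/IP stack settings; confirm the target Windows
REM version still honours them.
@echo Windows Registry Editor Version 5.00>synattack.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]>>synattack.reg
@echo "SynAttackProtect"=dword:00000002>>synattack.reg
@echo "TcpMaxPortsExhausted"=dword:00000005>>synattack.reg
@echo "TcpMaxHalfOpen"=dword:000001f4>>synattack.reg
@echo "TcpMaxHalfOpenRetried"=dword:00000190>>synattack.reg
@regedit /s synattack.reg
@del synattack.reg

REM ---- Password-protected screen saver after 300 seconds ----
REM HKEY_CURRENT_USER: applies only to the account running this script.
REM The original hard-coded d:\WINDOWS; %SystemRoot% (with backslashes doubled
REM for .reg syntax) follows the actual install location. Confirm logon.scr
REM exists on the target Windows version.
@echo Windows Registry Editor Version 5.00>screensaver.reg
@echo [HKEY_CURRENT_USER\Control Panel\Desktop]>>screensaver.reg
@echo "ScreenSaveActive"="1">>screensaver.reg
@echo "ScreenSaverIsSecure"="1">>screensaver.reg
@echo "ScreenSaveTimeOut"="300">>screensaver.reg
@echo "SCRNSAVE.EXE"="%SystemRoot:\=\\%\\system32\\logon.scr">>screensaver.reg
@regedit /s screensaver.reg
@del screensaver.reg

REM ---- Microsoft network server: idle time before suspending a session ----
REM 0x0f = 15 minutes
@echo Windows Registry Editor Version 5.00>lanman.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]>>lanman.reg
@echo "autodisconnect"=dword:0000000f>>lanman.reg
@regedit /s lanman.reg
@del lanman.reg

REM ---- Disable AutoRun on all drive types ----
REM HKEY_CURRENT_USER: applies only to the account running this script.
@echo Windows Registry Editor Version 5.00>autorun.reg
@echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]>>autorun.reg
@echo "NoDriveTypeAutoRun"=dword:000000ff>>autorun.reg
@regedit /s autorun.reg
@del autorun.reg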

责任编辑: 鲁达
