2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article presents "How to implement a secure initialization shell script for a Linux server". The content is easy to understand and clearly laid out; we hope it helps resolve your doubts. Let the editor lead you through the article.
How to use it: copy the script and save it as a shell file such as security.sh, upload it to the Linux server and run sh security.sh. It is recommended to execute it immediately after system initialization, and not to change the protected files after creating user accounts and passwords, so that the initial MD5 values of the important files are not affected.
Script content (the source script comes from Xiaohui's blog; the comments below have been translated for ease of reading):
#!/bin/sh
# desc: setup linux system security
# author: coralzd
# powered by www.freebsdsystem.org
# version 0.1.2 written by 2011.05.0

# account settings: lock the system/service accounts so they cannot log in
passwd -l xfs
passwd -l news
passwd -l nscd
passwd -l dbus
passwd -l vcsa
passwd -l games
passwd -l nobody
passwd -l avahi
passwd -l haldaemon
passwd -l gopher
passwd -l ftp
passwd -l mailnull
passwd -l pcap
passwd -l mail
passwd -l shutdown
passwd -l halt
passwd -l uucp
passwd -l operator
passwd -l sync
passwd -l adm
passwd -l lp

# use chattr to make the account files immutable (chattr usage is explained in knowledge point [1] at the end of the article)
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow

# lock an account for 5 minutes after the password is mistyped 3 times in a row
# note: the pattern must match the spacing of the pam_env.so line in your system-auth exactly, or sed changes nothing;
# pam_tally.so is obsolete on current distributions (replaced by pam_tally2 and later pam_faillock)
sed -i 's#auth required pam_env.so#auth required pam_env.so\nauth required pam_tally.so onerr=fail deny=3 unlock_time=300\nauth required /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth

# idle shells log out automatically after 5 minutes (reason: see note [2] at the end of the article)
echo "TMOUT=300" >> /etc/profile
# keep only 10 commands in the shell history
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
# make the changes to /etc/profile take effect immediately (". " is the POSIX form of "source")
. /etc/profile

# enable SYN cookies
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
sysctl -p    # apply sysctl.conf

# optimize sshd_config (sshd must be reloaded afterwards for these to take effect)
sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config
sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config

# restrict the permissions of important commands
# the mode argument was lost in this copy of the script; 700 (root only) is assumed here
MODE=700
chmod $MODE /bin/ping
chmod $MODE /usr/bin/finger
chmod $MODE /usr/bin/who
chmod $MODE /usr/bin/w
chmod $MODE /usr/bin/locate
chmod $MODE /usr/bin/whereis
chmod $MODE /sbin/ifconfig
chmod $MODE /usr/bin/pico
chmod $MODE /bin/vi
chmod $MODE /usr/bin/which
chmod $MODE /bin/rpm

# bash history security
chattr +a /root/.bash_history
chattr +i /root/.bash_history

# write the MD5 checksums of the important commands to a per-host log
# (the file list and the existence check inside the loop are reconstructed from the garbled copy of the script)
cat > list << "EOF"
/bin/ping
/usr/bin/finger
/usr/bin/who
/usr/bin/w
/usr/bin/locate
/usr/bin/whereis
/sbin/ifconfig
/usr/bin/pico
/bin/vi
/usr/bin/which
/bin/rpm
EOF
for i in `cat list`
do
  if [ -f $i ]; then
    md5sum $i >> /var/log/`hostname`.log
  fi
done
rm -f list
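The script above only records the MD5 values; it never checks them again. The following is an added example (not part of the original article or of coralzd's script) that builds a hash baseline from a list of paths and later verifies it, reporting files whose hash changed or that disappeared. It runs on constructed files in a temporary directory; the function names write_baseline and verify_baseline and the demo paths are assumptions for the illustration.

```shell
#!/bin/sh
# Added example: integrity baseline for important binaries.
# On a real host the list would hold /bin/ping, /bin/vi, ... as in the script;
# here the paths are constructed inside a temporary directory.

# write_baseline LISTFILE OUTFILE
#   LISTFILE holds one path per line; OUTFILE receives "hash  path" lines.
write_baseline() {
    list="$1"; out="$2"
    : > "$out"
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ -f "$f" ]; then
            md5sum "$f" >> "$out"
        else
            echo "missing at baseline time: $f" >&2
        fi
    done < "$list"
}

# verify_baseline BASELINE
#   Recomputes every hash; prints one line per changed or missing file.
#   Returns 0 if everything matches, 1 otherwise.
verify_baseline() {
    base="$1"; rc=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        now=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$now" != "$sum" ]; then
            echo "CHANGED  $path"; rc=1
        fi
    done < "$base"
    return $rc
}

# demo: constructed stand-in "binaries" in a temp dir
demo() {
    tmp=$(mktemp -d)
    printf 'fake ping binary\n' > "$tmp/ping"
    printf 'fake vi binary\n'   > "$tmp/vi"
    printf '%s\n' "$tmp/ping" "$tmp/vi" > "$tmp/list"
    write_baseline "$tmp/list" "$tmp/baseline.md5"
    verify_baseline "$tmp/baseline.md5" && echo "baseline OK"
    printf 'tampered\n' >> "$tmp/ping"        # simulate a modified binary
    verify_baseline "$tmp/baseline.md5" || echo "integrity violation detected"
    rm -rf "$tmp"
}

demo
```

Keep the baseline file somewhere it cannot be rewritten (off the host, or protected with chattr +i as the article describes), since a baseline that an intruder can regenerate proves nothing.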
Knowledge point [1]: the chattr command
The chattr command modifies file attributes to protect files and directories. Whereas chmod changes the read, write and execute permissions of a file, chattr controls lower-level file attributes. The command is very powerful, but some of its attributes depend on the Linux kernel version: on kernels older than 2.2 many of the features are unavailable, and the D attribute for checking errors in compressed files requires a 2.5.19 or later kernel. Setting attributes with chattr improves system security, but it is not suitable for every directory: chattr cannot protect the /, /dev, /tmp and /var directories.
The attributes set this way can be viewed with the lsattr command.
Usage of the chattr command: chattr [-RV] [-v version] [mode] files...
The most important part is [mode], the file attributes section. [mode] is a combination of the characters +, - and = with the attribute letters [ASacDdijsTtu].
+: add the given attributes to the existing settings.
-: remove the given attributes from the existing settings.
=: set exactly the given attributes.
A: the atime (access time) of the file or directory is not updated, which can effectively prevent problems such as laptop disk I/O errors.
S: synchronous disk I/O option, similar in effect to sync.
a: append only. Once set, data can only be added to the file, not deleted; mostly used to secure server log files. Only root can set this attribute.
c: compress; the file is compressed before being stored on disk and decompressed automatically when read.
d: no dump; the file will not be backed up by the dump program.
i: immutable; the file cannot be deleted, renamed or linked to, and cannot be written to or appended to. The i attribute is a great help in securing the file system.
j: journal; when the file system is mounted with data=ordered or data=writeback, writes to the file are first recorded in the journal. If the file system is mounted with data=journal, this attribute has no effect.
s: secure deletion; when the file or directory is deleted, its disk space is fully reclaimed.
u: the opposite of s; when set, the data content is kept on disk after deletion so that the file can be undeleted.
Of these options, a and i are the most commonly used. The a option forces append-only access and is mostly used to secure system logs. The i option is a stricter security setting: only the superuser (root) or a process with the CAP_LINUX_IMMUTABLE capability can set or clear it.
Application examples:
1. Use chattr to prevent a key system file from being modified:
# chattr +i /etc/fstab
Afterwards, any attempt to operate on the file with rm, mv, rename or similar commands fails with "Operation not permitted".
2. Allow a file to be appended to only, not deleted; some log files are suited to this:
# chattr +a /data1/user_act.log
This concludes the article "How to implement a secure initialization shell script for a Linux server". Thank you for reading!
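Setting an attribute is only half the job; an administrator also wants to confirm, on a running host, that the files the script relies on still carry it. The following is an added example (not from the original article) that parses lsattr output and reports which files lack the i or a attribute. The sample lsattr lines are constructed, and the function names has_attr and audit_lsattr are assumptions for the illustration.

```shell
#!/bin/sh
# Added example: audit chattr attributes by parsing lsattr output.
# On a real host feed it the output of: lsattr /etc/passwd /etc/shadow /etc/group /etc/gshadow
# The sample lines below are constructed for the demonstration.

# has_attr FLAGS LETTER  -> returns 0 if the lsattr flag field contains LETTER
has_attr() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_lsattr LETTER   (reads lsattr lines on stdin)
#   Prints "OK path" or "MISSING path" per line; returns 1 if any file lacks LETTER.
audit_lsattr() {
    want="$1"; rc=0
    while read -r flags path; do
        [ -n "$path" ] || continue
        if has_attr "$flags" "$want"; then
            echo "OK       $path"
        else
            echo "MISSING  $path"; rc=1
        fi
    done
    return $rc
}

# Constructed sample output in the format printed by lsattr: a flag field, a space, the path.
# /etc/group deliberately lacks the i attribute to show how a gap is reported.
SAMPLE_IMMUTABLE='----i---------e------- /etc/passwd
----i---------e------- /etc/shadow
--------------e------- /etc/group
----i---------e------- /etc/gshadow'

SAMPLE_APPEND='-----a--------e------- /root/.bash_history'

echo "$SAMPLE_IMMUTABLE" | audit_lsattr i || echo "some account files are not immutable"
echo "$SAMPLE_APPEND"    | audit_lsattr a && echo "append-only check passed"
```

The check is case-sensitive on purpose: a (append only) and A (no atime updates) are different attributes, as the list above explains.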