CentOS7 零碎初始化平安加固
形容: 实用于企业外部 CentOS7 系列服务器操作系统初始化、系统安全加固脚本,内容蕴含了,网络初始化设置,软件更新源替换以及内核版本升级 ,工夫时区初始化设置 系统安全加固(合乎等保三级主机测评项) 平安运维设置 、零碎内核参数优化、 常用软件装置等 一系列的操作间接开箱即用, 将跑过该脚本的机器能够克隆成为作为线上生产环境的基线模板。
原文链接: 残缺的Windows与Linux服务器系统安全加固实际和基线检测脚本(等保2.0)( https://mp.weixin.qq.com/s/CD... )
CentOS7 平安加固成果
我的项目地址: https://github.com/WeiyiGeek/...
【欢送大家 Star 与 Fork 】
CentOS7 TLS Security Initiate
Link: https://github.com/WeiyiGeek/...
舒适提醒: 应用脚本时请依照你的需要调用相应函数即可。
#!/bin/bash# @Author: WeiyiGeek# @Description: CentOS7 TLS Security Initiate# @Create Time: 2019年5月6日 11:04:42# @Last Modified time: 2021-11-15 11:06:31# @E-mail: master@weiyigeek.top# @Blog: https://www.weiyigeek.top# @wechat: WeiyiGeeker# @Github: https://github.com/WeiyiGeek/SecOpsDev/tree/master/OS-操作系统/Linux/# @Version: 3.3## ----------------------------------------- ### 脚本次要性能阐明:# (1) CentOS7零碎初始化操作包含IP地址设置、根底软件包更新以及装置加固。# (2) CentOS7零碎容器以及JDK相干环境装置。# (3) CentOS7零碎中异样谬误日志解决。# (4) CentOS7零碎中惯例服务装置配置,退出数据备份目录。# (4) CentOS7脚本谬误解决和优化## ----------------------------------------- #### 零碎全局变量定义# [系统配置]HOSTNAME=CentOS-Security-TemplateEXECTIME=$(date +%Y%m%d-%m%S)# [网络配置]IPADDR=192.168.1.2NETMASK=225.255.255.0GATEWAY=192.168.1.1DNSIP=("223.5.5.5" "223.6.6.6")SSHPORT=20211# [用户设置]DefaultUser="WeiyiGeek" # 零碎创立的用户名称非root用户ROOTPASS=WeiyiGeek # 明码倡议12位以上且蕴含数字、大小写字母以及特殊字符。APPPASS=WeiyiGeek# [SNMP配置]SNMP_user=WeiyiGeekSNMP_group=testgroupSNMP_view=testviewSNMP_password=dont_use_publicSNMP_ip=127.0.0.1# [配置备份目录]BACKUPDIR=/var/log/.backupsif [ ! -d ${BACKUPDIR} ];then mkdir -vp ${BACKUPDIR}; fi# [配置记录目录]HISDIR=/var/log/.historyif [ ! -d ${HISDIR} ];then mkdir -vp ${HISDIR}; fi## 名称: err 、info 、warning## 用处:全局Log信息打印函数## 参数: $@log::err() { printf "[$(date +'%Y-%m-%dT%H:%M:%S')]: \033[31mERROR: $@ \033[0m\n"}log::info() { printf "[$(date +'%Y-%m-%dT%H:%M:%S')]: \033[32mINFO: $@ \033[0m\n"}log::warning() { printf "[$(date +'%Y-%m-%dT%H:%M:%S')]: \033[33mWARNING: $@ \033[0m\n"}## 名称: os::Network## 用处: 操作系统网络配置相干脚本包含(IP地址批改)## 参数: 无os::Network(){ log::info "[-] 操作系统网络配置相干脚本,开始执行....." # (1) 动态网络IP地址设置tee /opt/network.sh <<'EOF'#!/bin/bashIPADDR="${1}"NETMASK="${2}"GATEWAY="${3}"DEVNAME="ifcfg-ens192"if [ "${4}" != "" ];then DEVNAME="ifcfg-${4}"fiif [[ $# -lt 3 ]];then echo -e "\e[32m[*] Usage: $0 IP-Address MASK Gateway \e[0m" echo -e "\e[32m[*] Usage: $0 192.168.1.99 255.255.255.0 192.168.1.1 \e[0m" exit 1fiNET_FILE="/etc/sysconfig/network-scripts/${DEVNAME}"if [[ ! -f ${NET_FILE} ]];then log::err "[*] Not Found ${NET_FILE} File" exit 2ficp ${NET_FILE}{,.bak}sed -i -e 's/^ONBOOT=.*$/ONBOOT="yes"/' -e 's/^BOOTPROTO=.*$/BOOTPROTO="static"/' ${NET_FILE}grep -q "^IPADDR=.*$" ${NET_FILE} && sed -i "s/^IPADDR=.*$/IPADDR=\"${IPADDR}\"/" ${NET_FILE} || echo "IPADDR=\"${IPADDR}\"" >> ${NET_FILE}grep -q "^NETMASK=.*$" ${NET_FILE} && sed -i "s/^NETMASK=.*$/NETMASK=\"${NETMASK}\"/" ${NET_FILE} || echo "NETMASK=\"${NETMASK}\"" >> ${NET_FILE}grep -q "^GATEWAY=.*$" ${NET_FILE} && sed -i "s/^GATEWAY=.*$/IPADDR=\"${GATEWAY}\"/" ${NET_FILE} || echo "GATEWAY=\"${GATEWAY}\"" >> ${NET_FILE}EOFchmod +x /opt/network.sh/opt/network.sh ${IPADDR} ${NETMASK} ${GATEWAY}# (2) 零碎主机名与本地解析设置sudo hostnamectl set-hostname ${HOSTNAME} # sed -i "s/127.0.1.1\s.\w.*$/127.0.1.1 ${NAME}/g" /etc/hostscp -a /etc/hosts ${BACKUPDIR}/hosts.bakgrep -q "^\$(hostname -I)\s.\w.*$" /etc/hosts && sed -i "s/\$(hostname -I)\s.\w.*$/${IPADDR} ${HOSTNAME}" /etc/hosts || echo "${IPADDR} ${HOSTNAME}" >> /etc/hosts# (3) 零碎DNS域名解析服务设置cp -a /etc/resolv.conf ${BACKUPDIR}/resolv.conf.bakfor dns in ${DNSIP[@]};do echo "nameserver ${dns}" >> /etc/resolv.conf;donelog::info "[*] network configure modifiy successful! restarting Network........."service network restart && ip addr}## 名称: os::Software## 用处: 操作系统软件包治理及更新源配置相干脚本## 参数: 无os::Software () { log::info "[-] 操作系统软件包治理及更新源配置相干脚本,开始执行....." cp -a /etc/yum.repos.d/CentOS-Base.repo ${BACKUPDIR}/CentOS-Base.repo# (1) CentOS 软件仓库镜像源配置&&初始化更新 log::info "[*] CentOS 软件仓库镜像源配置&&初始化更新 "curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repocurl -o /etc/yum.repos.d/CentOS-epel.repo http://mirrors.aliyun.com/repo/epel-7.reposed -i "s#mirrors.cloud.aliyuncs.com#mirrors.aliyun.com#g" /etc/yum.repos.d/CentOS-Base.reporpm --import http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7yum clean all && yum makecacheyum --exclude=kernel* update -y && yum upgrade -y && yum -y install epel*# (2) CentOS 操作系统内核降级(可选) cp -a /etc/grub2.cfg ${BACKUPDIR}/grub2.cfg.kernelupdate.bak log::info "[*] CentOS 操作系统内核降级(可选) "rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.orgyum -y install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpmyum --disablerepo="*" --enablerepo=elrepo-kernel repolistyum --disablerepo="*" --enablerepo=elrepo-kernel list kernel*# 内核装置,服务器里咱们抉择长期lt版本,平安稳固是咱们最大的需要,除非有非凡的需要内核版本需要;yum update -y --enablerepo=elrepo-kernel # 内核版本介绍, lt:longterm 的缩写长期保护版, ml:mainline 的缩写最新主线版本;yum install -y --enablerepo=elrepo-kernel --skip-broken kernel-lt kernel-lt-devel kernel-lt-tools# yum -y --enablerepo=elrepo-kernel --skip-broken install kernel-ml.x86_64 kernel-ml-devel.x86_64 kernel-ml-tools.x86_64 log::warning "[*] 以后 CentOS 操作系统可切换的内核内核版本"awk -F \' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfgsudo grub2-set-default 0#传统疏导# grub2-mkconfig -o /boot/grub2/grub.cfg# grubby --default-kernelreboot# (3) 装置罕用的运维软件# 编译软件yum install -y gcc gcc-c++ g++ make jq libpam-cracklib openssl-devel bzip2-devel# 惯例软件yum install -y nano vim git unzip wget ntpdate dos2unix net-toolsyum install -y tree htop ncdu nload sysstat psmisc bash-completion fail2ban nfs-utils chrony# 清空缓存和已下载安装的软件包yum clean all log::info "[*] Software configure modifiy successful!Please Happy use........."}## 名称: os::TimedataZone## 用处: 操作系统零碎工夫时区配置相干脚本## 参数: 无os::TimedataZone() { log::info "[*] 操作系统零碎工夫时区配置相干脚本,开始执行....."# (1) 时区设置东8区log::info "[*] 时区设置前的工夫: $(date -R) "timedatectlcp -a /etc/localtime ${BACKUPDIR}/localtime.bakln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime# (2) 工夫同步软件装置grep -q "192.168.12.254" /etc/chrony.conf || sudo tee -a /etc/chrony.conf <<'EOF'pool 192.168.12.254 iburst maxsources 1pool 192.168.10.254 iburst maxsources 1pool 192.168.4.254 iburst maxsources 1pool ntp.aliyun.com iburst maxsources 4keyfile /etc/chrony.keysdriftfile /var/lib/chrony/chrony.driftlogdir /var/log/chronymaxupdateskew 100.0rtcsyncmakestep 1.0 3#stratumweight 0.05#noclientlog#logchange 0.5EOFsystemctl enable chronyd && systemctl restart chronyd && systemctl status chronyd -l# 将以后的 UTC 工夫写入硬件时钟 (硬件工夫默认为UTC)sudo timedatectl set-local-rtc 0# 启用NTP工夫同步:timedatectl set-ntp yes# 工夫服务器连贯查看chronyc tracking# 手动校准-强制更新工夫# chronyc -a makestep# 硬件时钟(零碎时钟同步硬件时钟 )hwclock --systohc # 备用计划: 采纳 ntpdate 进行工夫同步 ntpdate 192.168.10.254# (3) 重启依赖于零碎工夫的服务sudo systemctl restart rsyslog.service crond.servicelog::info "[*] Tie confmigure modifiy successful! restarting chronyd rsyslog.service crond.service........."timedatectl}## 名称: os::Security## 用处: 操作系统平安加固配置脚本(合乎等保要求-三级要求)## 参数: 无os::Security () { log::info "[-] 操作系统平安加固配置(合乎等保要求-三级要求)"# (0) 零碎用户及其终端核查配置 log::info "[-] 锁定或者删除多余的零碎账户以及创立低权限用户" # cat /etc/passwd | cut -d ":" -f 1 | tr '\n' ' 'defaultuser=(root bin daemon adm lp sync shutdown halt mail operator games ftp nobody systemd-network dbus polkitd sshd postfix chrony ntp rpc rpcuser nfsnobody)for i in $(cat /etc/passwd | cut -d ":" -f 1,7);do flag=0; name=${i%%:*}; terminal=${i##*:} if [[ "${terminal}" == "/bin/bash" || "${terminal}" == "/bin/sh" ]];then log::warning "${i} 用户,shell终端为 /bin/bash 或者 /bin/sh" fi for j in ${defaultuser[@]};do if [[ "${name}" == "${j}" ]];then flag=1 break; fi done if [[ $flag -eq 0 ]];then log::warning "${i} 非默认用户" fidonecp -a /etc/shadow ${BACKUPDIR}/shadow-${EXECTIME}.bakpasswd -l adm&>/dev/null 2&>/dev/null; passwd -l daemon&>/dev/null 2&>/dev/null; passwd -l bin&>/dev/null 2&>/dev/null; passwd -l sys&>/dev/null 2&>/dev/null; passwd -l lp&>/dev/null 2&>/dev/null; passwd -l uucp&>/dev/null 2&>/dev/null; passwd -l nuucp&>/dev/null 2&>/dev/null; passwd -l smmsplp&>/dev/null 2&>/dev/null; passwd -l mail&>/dev/null 2&>/dev/null; passwd -l operator&>/dev/null 2&>/dev/null; passwd -l games&>/dev/null 2&>/dev/null; passwd -l gopher&>/dev/null 2&>/dev/null; passwd -l ftp&>/dev/null 2&>/dev/null; passwd -l nobody&>/dev/null 2&>/dev/null; passwd -l nobody4&>/dev/null 2&>/dev/null; passwd -l noaccess&>/dev/null 2&>/dev/null; passwd -l listen&>/dev/null 2&>/dev/null; passwd -l webservd&>/dev/null 2&>/dev/null; passwd -l rpm&>/dev/null 2&>/dev/null; passwd -l dbus&>/dev/null 2&>/dev/null; passwd -l avahi&>/dev/null 2&>/dev/null; passwd -l mailnull&>/dev/null 2&>/dev/null; passwd -l nscd&>/dev/null 2&>/dev/null; passwd -l vcsa&>/dev/null 2&>/dev/null; passwd -l rpc&>/dev/null 2&>/dev/null; passwd -l rpcuser&>/dev/null 2&>/dev/null; passwd -l nfs&>/dev/null 2&>/dev/null; passwd -l sshd&>/dev/null 2&>/dev/null; passwd -l pcap&>/dev/null 2&>/dev/null; passwd -l ntp&>/dev/null 2&>/dev/null; passwd -l haldaemon&>/dev/null 2&>/dev/null; passwd -l distcache&>/dev/null 2&>/dev/null; passwd -l webalizer&>/dev/null 2&>/dev/null; passwd -l squid&>/dev/null 2&>/dev/null; passwd -l xfs&>/dev/null 2&>/dev/null; passwd -l gdm&>/dev/null 2&>/dev/null; passwd -l sabayon&>/dev/null 2&>/dev/null; passwd -l named&>/dev/null 2&>/dev/null# (2) 用户明码设置和口令策略设置log::info "[-] 配置满足策略的root管理员明码 "echo "root:${ROOTPASS}" | chpasswdlog::info "[-] 配置满足策略的app普通用户明码(依据需要配置)"groupadd applicationuseradd -m -s /bin/bash -c "application primary user" -g application app echo "root:${APPPASS}" | chpasswd log::info "[-] 强制用户在下次登录时更改明码 "chage -d 0 -m 0 -M 90 -W 15 root && passwd --expire root chage -d 0 -m 0 -M 90 -W 15 app && passwd --expire appchage -d 0 -m 0 -M 90 -W 15 ${DefaultUser} && passwd --expire ${DefaultUser} log::info "[-] 用户口令复杂性策略设置 (明码过期周期0~90、到期前15天提醒、明码长度至多15、复杂度设置至多有一个大小写、数字、特殊字符、明码三次不能一样、尝试次数为三次)"# 相干批改文件备份cp /etc/login.defs ${BACKUPDIR}/login.defs.bak;cp /etc/pam.d/password-auth ${BACKUPDIR}/password-auth.bakcp /etc/pam.d/system-auth ${BACKUPDIR}/system-auth.bakegrep -q "^\s*PASS_MIN_DAYS\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MIN_DAYS\s+\S*(\s*#.*)?\s*$/\PASS_MIN_DAYS 0/" /etc/login.defs || echo "PASS_MIN_DAYS 0" >> /etc/login.defsegrep -q "^\s*PASS_MAX_DAYS\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MAX_DAYS\s+\S*(\s*#.*)?\s*$/\PASS_MAX_DAYS 90/" /etc/login.defs || echo "PASS_MAX_DAYS 90" >> /etc/login.defsegrep -q "^\s*PASS_WARN_AGE\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_WARN_AGE\s+\S*(\s*#.*)?\s*$/\PASS_WARN_AGE 15/" /etc/login.defs || echo "PASS_WARN_AGE 15" >> /etc/login.defsegrep -q "^\s*PASS_MIN_LEN\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MIN_LEN\s+\S*(\s*#.*)?\s*$/\PASS_MIN_LEN 15/" /etc/login.defs || echo "PASS_MIN_LEN 15" >> /etc/login.defsegrep -q "^password\s.+pam_pwquality.so\s+\w+.*$" /etc/pam.d/password-auth && sed -ri '/^password\s.+pam_pwquality.so/{s/pam_pwquality.so\s+\w+.*$/pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=15 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=1 enforce_for_root/g;}' /etc/pam.d/password-authegrep -q "^password\s.+pam_unix.so\s+\w+.*$" /etc/pam.d/password-auth && sed -ri '/^password\s.+pam_unix.so/{s/pam_unix.so\s+\w+.*$/pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=3/g;}' /etc/pam.d/password-authegrep -q "^password\s.+pam_pwquality.so\s+\w+.*$" /etc/pam.d/system-auth && sed -ri '/^password\s.+pam_pwquality.so/{s/pam_pwquality.so\s+\w+.*$/pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=15 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=1 enforce_for_root/g;}' /etc/pam.d/system-authegrep -q "^password\s.+pam_unix.so\s+\w+.*$" /etc/pam.d/system-auth && sed -ri '/^password\s.+pam_unix.so/{s/pam_unix.so\s+\w+.*$/pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=3/g;}' /etc/pam.d/system-authlog::info "[-] 存储用户明码的文件,其内容通过sha512加密,所以十分留神其权限"# 解决首次登录配置明码时提醒"passwd: Authentication token manipulation error"touch /etc/security/opasswd && chown root:root /etc/security/opasswd && chmod 600 /etc/security/opasswd # (3) 设置用户sudo权限以及重要目录和文件的新建默认权限log::info "[-] 用户sudo权限以及重要目录和文件的新建默认权限设置"cp /etc/sudoers ${BACKUPDIR}/sudoers.bak# 如CentOS装置时您创立的用户 WeiyiGeek 避免间接通过 sudo passwd 批改root明码(此时必须要求输出WeiyiGeek明码后才可批改root明码)# Tips: Sudo容许受权用户权限以另一个用户(通常是root用户)的身份运行程序, # DefaultUser="weiyigeek"sed -i "/# Allows members of the/i ${DefaultUser} ALL=(ALL) PASSWD:ALL" /etc/sudoers# 此参数须要依据业务来定,否则在应用时候会呈现某些权限有余导致程序安装报错log::info "[-] 配置用户 umask 为022 "cp -a /etc/profile ${BACKUPDIR}/profileegrep -q "^\s*umask\s+\w+.*$" /etc/profile && sed -ri "s/^\s*umask\s+\w+.*$/umask 022/" /etc/profile || echo "umask 022" >> /etc/profile # log::info "[-] 设置用户目录创立默认权限, (初始为077比拟严格)在未设置umask为027则默认为077"# egrep -q "^\s*umask\s+\w+.*$" /etc/csh.login && sed -ri "s/^\s*umask\s+\w+.*$/umask 022/" /etc/csh.login || echo "umask 022" >> /etc/csh.login# egrep -q "^\s*umask\s+\w+.*$" /etc/csh.cshrc && sed -ri "s/^\s*umask\s+\w+.*$/umask 022/" /etc/csh.cshrc || echo "umask 022" >> /etc/csh.cshrc# egrep -q "^\s*(umask|UMASK)\s+\w+.*$" /etc/login.defs && sed -ri "s/^\s*(umask|UMASK)\s+\w+.*$/UMASK 027/" /etc/login.defs || echo "UMASK 027" >> /etc/login.defslog::info "[-] 设置或复原重要目录和文件的权限(设置日志文件非全局可写)"chmod 600 ~/.ssh/authorized_keys;chmod 755 /etc;chmod 755 /etc/passwd; chmod 755 /etc/shadow; chmod 755 /etc/security; chmod 644 /etc/group; chmod 644 /etc/services; chmod 750 /etc/rc*.d;chmod 755 /var/log/messages;chmod 775 /var/log/spooler;chmod 775 /var/log/cron;chmod 775 /var/log/secure;chmod 775 /var/log/maillog;chmod 775 /var/log/mail&>/dev/null 2&>/dev/null; chmod 775 /var/log/localmessages&>/dev/null 2&>/dev/nulllog::info "[-] 删除潜在威逼文件 "find / -maxdepth 3 -name hosts.equiv | xargs rm -rffind / -maxdepth 3 -name .netrc | xargs rm -rffind / -maxdepth 3 -name .rhosts | xargs rm -rf# (4) SSHD 服务平安加固设置以及网络登陆Banner设置log::info "[-] sshd 服务平安加固设置"cp /etc/ssh/sshd_config ${BACKUPDIR}/sshd_config.bak# 严格模式sudo egrep -q "^\s*StrictModes\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^(#)?\s*StrictModes\s+.+$/StrictModes yes/" /etc/ssh/sshd_config || echo "StrictModes yes" >> /etc/ssh/sshd_config# 默认的监听端口更改if [ -e ${SSHPORT} ];then export SSHPORT=20211;fisudo egrep -q "^\s*Port\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^(#)?\s*Port\s+.+$/Port ${SSHPORT}/" /etc/ssh/sshd_config || echo "Port ${SSHPORT}" >> /etc/ssh/sshd_config# 禁用X11转发以及端口转发sudo egrep -q "^\s*X11Forwarding\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^(#)?\s*X11Forwarding\s+.+$/X11Forwarding no/" /etc/ssh/sshd_config || echo "X11Forwarding no" >> /etc/ssh/sshd_configsudo egrep -q "^\s*X11UseLocalhost\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^(#)?\s*X11UseLocalhost\s+.+$/X11UseLocalhost yes/" /etc/ssh/sshd_config || echo "X11UseLocalhost yes" >> /etc/ssh/sshd_configsudo egrep -q "^\s*AllowTcpForwarding\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^(#)?\s*AllowTcpForwarding\s+.+$/AllowTcpForwarding no/" /etc/ssh/sshd_config || echo "AllowTcpForwarding no" >> /etc/ssh/sshd_configsudo egrep -q "^\s*AllowAgentForwarding\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^(#)?\s*AllowAgentForwarding\s+.+$/AllowAgentForwarding no/" /etc/ssh/sshd_config || echo "AllowAgentForwarding no" >> /etc/ssh/sshd_config# 敞开禁用用户的 .rhosts 文件 ~/.ssh/.rhosts 来做为认证: 缺省IgnoreRhosts yes egrep -q "^(#)?\s*IgnoreRhosts\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^(#)?\s*IgnoreRhosts\s+.+$/IgnoreRhosts yes/" /etc/ssh/sshd_config || echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config# 禁止root近程登录(举荐配置-依据需要配置)egrep -q "^\s*PermitRootLogin\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^\s*PermitRootLogin\s+.+$/PermitRootLogin no/" /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config# 登陆前后欢送提醒设置egrep -q "^\s*(banner|Banner)\s+\W+.*$" /etc/ssh/sshd_config && sed -ri "s/^\s*(banner|Banner)\s+\W+.*$/Banner \/etc\/issue/" /etc/ssh/sshd_config || \echo "Banner /etc/issue" >> /etc/ssh/sshd_configlog::info "[-] 近程SSH登录前后提醒正告Banner设置"# SSH登录前后提醒正告Banner设置sudo tee /etc/issue <<'EOF'****************** [ 平安登陆 (Security Login) ] *****************Authorized only. All activity will be monitored and reported.By Security Center.EOF# SSH登录后提醒Banner# 艺术字B格: http://www.network-science.de/ascii/sudo tee /etc/motd <<'EOF'################## [ 平安运维 (Security Operation) ] #################### __ __ _ _ _____ _ \ \ / / (_) (_)/ ____| | | \ \ /\ / /__ _ _ _ _| | __ ___ ___| | __ \ \/ \/ / _ \ | | | | | | |_ |/ _ \/ _ \ |/ / \ /\ / __/ | |_| | | |__| | __/ __/ < \/ \/ \___|_|\__, |_|\_____|\___|\___|_|\_\ __/ | |___/ Login success. Please execute the commands and operation data after carefully.By WeiyiGeekEOF# (5) 用户近程登录失败次数与终端超时设置 log::info "[-] 用户近程间断登录失败10次锁定帐号5分钟包含root账号"cp /etc/pam.d/sshd ${BACKUPDIR}/sshd.bakcp /etc/pam.d/login ${BACKUPDIR}/login.bak# 远程登陆sed -ri "/^\s*auth\s+required\s+pam_tally2.so\s+.+(\s*#.*)?\s*$/d" /etc/pam.d/sshd sed -ri '2a auth required pam_tally2.so deny=10 unlock_time=300 even_deny_root root_unlock_time=300' /etc/pam.d/sshd # 宿主机控制台登陆(可选)# sed -ri "/^\s*auth\s+required\s+pam_tally2.so\s+.+(\s*#.*)?\s*$/d" /etc/pam.d/login# sed -ri '2a auth required pam_tally2.so deny=10 unlock_time=300 even_deny_root root_unlock_time=300' /etc/pam.d/loginlog::info "[-] 设置登录超时工夫为10分钟 "egrep -q "^\s*(export|)\s*TMOUT\S\w+.*$" /etc/profile && sed -ri "s/^\s*(export|)\s*TMOUT.\S\w+.*$/export TMOUT=600\nreadonly TMOUT/" /etc/profile || echo -e "export TMOUT=600\nreadonly TMOUT" >> /etc/profileegrep -q "^\s*.*ClientAliveInterval\s\w+.*$" /etc/ssh/sshd_config && sed -ri "s/^\s*.*ClientAliveInterval\s\w+.*$/ClientAliveInterval 600/" /etc/ssh/sshd_config || echo "ClientAliveInterval 600" >> /etc/ssh/sshd_config# (6) 切换用户日志记录和切换命令更改名称为SUlog::info "[-] 切换用户日志记录和切换命令更改名称为SU "cp -a /etc/rsyslog.conf ${BACKUPDIR}/rsyslog.conf-${EXECTIME}.bakegrep -q "^\s*authpriv\.\*\s+.+$" /etc/rsyslog.conf && sed -ri "s/^\s*authpriv\.\*\s+.+$/authpriv.* \/var\/log\/secure/" /etc/rsyslog.conf || echo "authpriv.* /var/log/secure" >> /etc/rsyslog.confegrep -q "^(\s*)SULOG_FILE\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)SULOG_FILE\s+\S*(\s*#.*)?\s*$/\SULOG_FILE \/var\/log\/.history\/sulog/" /etc/login.defs || echo "SULOG_FILE /var/log/.history/sulog" >> /etc/login.defsegrep -q "^\s*SU_NAME\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)SU_NAME\s+\S*(\s*#.*)?\s*$/\SU_NAME SU/" /etc/login.defs || echo "SU_NAME SU" >> /etc/login.defsmkdir -vp /usr/local/bincp /usr/bin/su ${BACKUPDIR}/su.bakmv /usr/bin/su /usr/bin/SUchmod 777 /var/log/.history chattr -R +a /var/log/.history chattr +a /var/log/.backups # (7) 用户终端执行的历史命令记录log::info "[-] 用户终端执行的历史命令记录 "egrep -q "^HISTSIZE\W\w+.*$" /etc/profile && sed -ri "s/^HISTSIZE\W\w+.*$/HISTSIZE=101/" /etc/profile || echo "HISTSIZE=101" >> /etc/profilesudo tee /etc/profile.d/history-record.sh <<'EOF'# 历史命令执行记录文件门路LOGTIME=$(date +%Y%m%d-%H-%M-%S)export HISTFILE="/var/log/.history/${USER}.${LOGTIME}.history"if [ ! -f ${HISTFILE} ];then touch ${HISTFILE}fichmod 600 /var/log/.history/${USER}.${LOGTIME}.history# 历史命令执行文件大小记录设置HISTFILESIZE=128HISTTIMEFORMAT="%F_%T $(whoami)#$(who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'):"EOF# (8) GRUB 平安设置 log::info "[-] 零碎 GRUB 平安设置(避免物理接触从grub菜单中批改明码) "# Grub 要害文件备份cp -a /etc/grub.d/00_header ${BACKUPDIR}/'00_header'${EXECTIME}.bakcp -a /etc/grub.d/10_linux ${BACKUPDIR}/'10_linux'${EXECTIME}.bak# 设置Grub菜单界面显示工夫sed -i -e 's|set timeout_style=${style}|#set timeout_style=${style}|g' -e 's|set timeout=${timeout}|set timeout=3|g' /etc/grub.d/00_header# sed -i -e 's|GRUB_TIMEOUT_STYLE=hidden|#GRUB_TIMEOUT_STYLE=hidden|g' -e 's|GRUB_TIMEOUT=0|GRUB_TIMEOUT=3|g' /etc/default/grub# grub 用户认证明码创立sudo grub2-mkpasswd-pbkdf2# 输出口令:# Reeter password:nPBKDF2 hash of your password is grub.pbkdf2.sha512.10000.A4A6B06EFAB660C11DD8EBC3BE73C5AB5D763ED937060477DB533B3E7D60F1DE66C3AC12DA795B46762AB8C4A1911B69B94FFCD88FB4499938150405DCB116F8.35D290F5B8D2677AEE5E8BAB4DB133206D417F99A26B14EAB8D0A5379DCD3632F40037388C9D2CA3001E0D6A8B74837549970EEEAEC3420CE38E2236DE1A8565# 设置认证用户以及下面生成的password_pbkdf2认证密钥tee -a /etc/grub.d/00_header <<'END'cat <<'EOF'# GRUB Authenticationset superusers="grub"password_pbkdf2 grub grub.pbkdf2.sha512.10000.A4A6B06EFAB660C11DD8EBC3BE73C5AB5D763ED937060477DB533B3E7D60F1DE66C3AC12DA795B46762AB8C4A1911B69B94FFCD88FB4499938150405DCB116F8.35D290F5B8D2677AEE5E8BAB4DB133206D417F99A26B14EAB8D0A5379DCD3632F40037388C9D2CA3001E0D6A8B74837549970EEEAEC3420CE38E2236DE1A8565EOFEND# 设置进入正式零碎不须要认证如进入单用户模式进行重置账号密码时须要进行认证。 (高敏感数据库系统不倡议下述操作)# 在 135 退出 -unrestricted ,例如, 此处与Ubuntu不同的是不加--user=grub# 133 echo "menuentry $(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type- $boot_device_id' {" | sed "s/^/$submenu_indentation/"# 134 else# 135 echo "menuentry --unrestricted '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_devic e_id' {" | sed "s/^/$submenu_indentation/"sed -i '/echo "$title" | grub_quote/ { s/menuentry /menuentry /;}' /etc/grub.d/10_linuxsed -i '/echo "$os" | grub_quote/ { s/menuentry /menuentry --unrestricted /;}' /etc/grub.d/10_linux# CentOS 形式更新GRUB从而生成boot启动文件grub2-mkconfig -o /boot/grub2/grub.cfg# (9) 记录安全事件日志 log::info "[-] 记录安全事件日志"touch /var/log/.history/adm&>/dev/null; chmod 755 /var/log/.history/admsemanage fcontext -a -t security_t '/var/log/.history/adm'restorecon -v '/var/log/.history/adm'&>/dev/nullegrep -q "^\s*\*\.err;kern.debug;daemon.notice\s+.+$" /etc/rsyslog.conf && sed -ri "s/^\s*\*\.err;kern.debug;daemon.notice\s+.+$/*.err;kern.debug;daemon.notice \/var\/log\/.history\/adm/" /etc/rsyslog.conf || echo "*.err;kern.debug;daemon.notice /var/log/.history/adm" >> /etc/rsyslog.conf# (10) 配置主动屏幕锁定(实用于具备图形界面的设施), 非图形界面不须要执行 log::info "[-] 对于有图形界面的系统配置10分钟屏幕锁定"# gconftool-2 --direct \# --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \# --type bool \# --set /apps/gnome-screensaver/idle_activation_enabled true \# --set /apps/gnome-screensaver/lock_enabled true \# --type int \# --set /apps/gnome-screensaver/idle_delay 10 \# --type string \# --set /apps/gnome-screensaver/mode blank-only# (10) 敞开CentOS服务器中 SELINUX 以及防火墙端口放行 log::info "[-] SELINUX 禁用以及零碎防火墙规定设置 "sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config semanage port -m -t ssh_port_t -p tcp 20211 # 增加sshd服务20211端口到SELinuxfirewall-cmd --zone=public --add-port=20211/tcp --permanentfirewall-cmd --zone=public --add-port=161/udp --permanentfirewall-cmd --reloadsystemctl restart sshdreboot}## 名称: os::Operation ## 用处: 操作系统平安运维设置相干脚本## 参数: 无os::Operation () { log::info "[-] 操作系统平安运维设置相干脚本"# (0) 禁用ctrl+alt+del组合键对系统重启 (必须要配置,我曾入过坑) log::info "[-] 禁用控制台ctrl+alt+del组合键重启"mv /usr/lib/systemd/system/ctrl-alt-del.target ${BACKUPDIR}/ctrl-alt-del.target-${EXECTIME}.bak# (1) 设置文件删除回收站别名 log::info "[-] 设置文件删除回收站别名(避免误删文件) "sudo tee -a /etc/profile.d/alias.sh <<'EOF'# User specific aliases and functions# 删除回收站# find ~/.trash -delete# 删除空目录# find ~/.trash -type d -deletealias rm="sh /usr/local/bin/remove.sh"EOFsudo tee /usr/local/bin/remove.sh <<'EOF'#!/bin/sh# 定义回收站文件夹目录.trashtrash="/.trash"deltime=$(date +%Y%m%d-%H-%M-%S)TRASH_DIR="${HOME}${trash}/${deltime}"# 建设回收站目录当不存在的时候if [ ! -e ${TRASH_DIR} ];then mkdir -p ${TRASH_DIR}fifor i in $*;do if [ "$i" = "-rf" ];then continue;fi # 避免误操作 if [ "$i" = "/" ];then echo '# Danger delete command, Not delete / directory!';exit -1;fi #定义秒工夫戳 STAMP=$(date +%s) #失去文件名称(非文件夹),参考man basename fileName=$(basename $i) #将输出的参数,对应文件mv至.trash目录,文件后缀,为以后的工夫戳 mv $i ${TRASH_DIR}/${fileName}.${STAMP}doneEOFsudo chmod +775 /usr/local/bin/remove.sh /etc/profile.d/alias.sh /etc/profile.d/history-record.shsudo chmod a+x /usr/local/bin/remove.sh /etc/profile.d/alias.sh /etc/profile.d/history-record.shsource /etc/profile.d/alias.sh /etc/profile.d/history-record.sh}## 名称: os::DisableService## 用处: 禁用与设置操作系统中某些服务(须要依据理论环境进行)## 参数: 无os::DisableService () { log::info "[-] 禁用操作系统中某些服务(须要依据理论环境进行配置)" log::info "[-] 配置禁用telnet服务"cp /etc/services ${BACKUPDIR}/'services-'${EXECTIME}.bakegrep -q "^\s*telnet\s+\d*.+$" /etc/services && sed -ri "/^\s*telnet\s+\d*.+$/s/^/# /" /etc/services log::info "[-] 禁止匿名与root用户用户登录FTP"if [ -f /etc/vsftpd/vsftpd.conf ];thencp /etc/vsftpd/vsftpd.conf /etc/vsftpd/'vsftpd.conf-'`date +%Y%m%d`.baksystemctl list-unit-files|grep vsftpd > /dev/null && sed -ri "/^\s*anonymous_enable\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "anonymous_enable=NO" >> /etc/vsftpd/vsftpd.confsystemctl list-unit-files|grep vsftpd > /dev/null && echo "root" >> /etc/vsftpd/ftpusers log::info "[-] 限度FTP用户上传的文件所具备的权限"systemctl list-unit-files|grep vsftpd > /dev/null && sed -ri "/^\s*write_enable\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "write_enable=NO" >> /etc/vsftpd/vsftpd.confsystemctl list-unit-files|grep vsftpd > /dev/null && sed -ri "/^\s*ls_recurse_enable\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "ls_recurse_enable=NO" >> /etc/vsftpd/vsftpd.confsystemctl list-unit-files|grep vsftpd > /dev/null && sed -ri "/^\s*anon_umask\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "anon_umask=077" >> /etc/vsftpd/vsftpd.confsystemctl list-unit-files|grep vsftpd > /dev/null && sed -ri "/^\s*local_umask\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "local_umask=022" >> /etc/vsftpd/vsftpd.conf log::info "[-] 限度FTP用户登录后能拜访的目录"systemctl list-unit-files|grep vsftpd > /dev/null && sed -ri "/^\s*chroot_local_user\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "chroot_local_user=NO" >> /etc/vsftpd/vsftpd.conf log::info "[-] FTP Banner 设置"systemctl list-unit-files|grep vsftpd > /dev/null && sed -ri "/^\s*ftpd_banner\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "ftpd_banner='Authorized only. All activity will be monitored and reported.'" >> /etc/vsftpd/vsftpd.conf log::info "[-] 限度不必要的服务 (依据理论环境配置)"# systemctl disable rsh&>/dev/null 2&>/dev/null;systemctl disable talk&>/dev/null 2&>/dev/null;systemctl disable telnet&>/dev/null 2&>/dev/null;systemctl disable tftp&>/dev/null 2&>/dev/null;systemctl disable rsync&>/dev/null 2&>/dev/null;systemctl disable xinetd&>/dev/null 2&>/dev/null;systemctl disable nfs&>/dev/null 2&>/dev/null;systemctl disable nfslock&>/dev/null 2&>/dev/nullfi log::info "[-] 配置SNMP默认个人字"if [ -f /etc/snmp/snmpd.conf ];thencp /etc/snmp/snmpd.conf ${BACKUPDIR}/'snmpd.conf-'${EXECTIME}.bakcat > /etc/snmp/snmpd.conf <<EOFcom2sec $SNMP_user default $SNMP_password group $SNMP_group v1 $SNMP_usergroup $SNMP_group v2c $SNMP_userview systemview included .1 80view systemview included .1.3.6.1.2.1.1view systemview included .1.3.6.1.2.1.25.1.1view $SNMP_view included .1.3.6.1.4.1.2021.80access $SNMP_group "" any noauth exact systemview none noneaccess $SNMP_group "" any noauth exact $SNMP_view none nonedontLogTCPWrappersConnects yestrapcommunity $SNMP_passwordauthtrapenable 1trap2sink $SNMP_ipagentSecName $SNMP_userrouser $SNMP_userdefaultMonitors yeslinkUpDownNotifications yesEOFfi}## 名称: os::optimizationn## 用处: 操作系统优化设置(内核参数)## 参数: 无os::Optimizationn () {log::info "[-] 正在进行操作系统内核参数优化设置......."# (1) 零碎内核参数的配置(/etc/sysctl.conf)log::info "[-] 零碎内核参数的配置/etc/sysctl.conf"# /etc/sysctl.d/99-kubernetes-cri.confegrep -q "^(#)?net.ipv4.ip_forward.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv4.ip_forward.*|net.ipv4.ip_forward = 1|g" /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf# egrep -q "^(#)?net.bridge.bridge-nf-call-ip6tables.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.bridge.bridge-nf-call-ip6tables.*|net.bridge.bridge-nf-call-ip6tables = 1|g" /etc/sysctl.conf || echo "net.bridge.bridge-nf-call-ip6tables = 1" >> /etc/sysctl.conf # egrep -q "^(#)?net.bridge.bridge-nf-call-iptables.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.bridge.bridge-nf-call-iptables.*|net.bridge.bridge-nf-call-iptables = 1|g" /etc/sysctl.conf || echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.confegrep -q "^(#)?net.ipv6.conf.all.disable_ipv6.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv6.conf.all.disable_ipv6.*|net.ipv6.conf.all.disable_ipv6 = 1|g" /etc/sysctl.conf || echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.confegrep -q "^(#)?net.ipv6.conf.default.disable_ipv6.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv6.conf.default.disable_ipv6.*|net.ipv6.conf.default.disable_ipv6 = 1|g" /etc/sysctl.conf || echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.confegrep -q "^(#)?net.ipv6.conf.lo.disable_ipv6.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv6.conf.lo.disable_ipv6.*|net.ipv6.conf.lo.disable_ipv6 = 1|g" /etc/sysctl.conf || echo "net.ipv6.conf.lo.disable_ipv6 = 1" >> /etc/sysctl.confegrep -q "^(#)?net.ipv6.conf.all.forwarding.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv6.conf.all.forwarding.*|net.ipv6.conf.all.forwarding = 1|g" /etc/sysctl.conf || echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.confegrep -q "^(#)?vm.max_map_count.*" /etc/sysctl.conf && sed -ri "s|^(#)?vm.max_map_count.*|vm.max_map_count = 262144|g" /etc/sysctl.conf || echo "vm.max_map_count = 262144" >> /etc/sysctl.conftee -a /etc/sysctl.conf <<'EOF'# 调整晋升服务器负载能力之外,还可能进攻小流量的Dos、CC和SYN攻打net.ipv4.tcp_syncookies = 1net.ipv4.tcp_tw_reuse = 1# net.ipv4.tcp_tw_recycle = 1net.ipv4.tcp_fin_timeout = 60net.ipv4.tcp_synack_retries = 1net.ipv4.tcp_syn_retries = 1net.ipv4.tcp_fastopen = 3# 优化TCP的可应用端口范畴及晋升服务器并发能力(留神个别流量小的服务器上没必要设置如下参数)net.ipv4.tcp_keepalive_time = 1200net.ipv4.tcp_max_syn_backlog = 8192net.ipv4.tcp_max_tw_buckets = 5000net.ipv4.ip_local_port_range = 1024 65535# 优化核套接字TCP的缓存区net.core.netdev_max_backlog = 8192net.core.somaxconn = 8192net.core.rmem_max = 12582912net.core.rmem_default = 6291456net.core.wmem_max = 12582912net.core.wmem_default = 6291456EOF# (2) Linux 零碎的最大过程数和最大文件关上数限度log::info "[-] Linux 零碎的最大过程数和最大文件关上数限度 "egrep -q "^\s*ulimit -HSn\s+\w+.*$" /etc/profile && sed -ri "s/^\s*ulimit -HSn\s+\w+.*$/ulimit -HSn 65535/" /etc/profile || echo "ulimit -HSn 65535" >> /etc/profileegrep -q "^\s*ulimit -HSu\s+\w+.*$" /etc/profile && sed -ri "s/^\s*ulimit -HSu\s+\w+.*$/ulimit -HSu 65535/" /etc/profile || echo "ulimit -HSu 65535" >> /etc/profilesed -i "/# End/i * soft nofile 65535" /etc/security/limits.confsed -i "/# End/i * hard nofile 65535" /etc/security/limits.confsed -i "/# End/i * soft nproc 65535" /etc/security/limits.confsed -i "/# End/i * hard nproc 65535" /etc/security/limits.confsysctl -p# 需重启失效reboot}## 名称: os::Swap## 用处: Liunx 零碎创立SWAP替换分区(默认2G)## 参数: $1(几G)os::Swap () { if [ -e $1 ];then sudo dd if=/dev/zero of=/swapfile bs=1024 count=2097152 # 2G Swap 分区 1024 * 1024 , centos 以 1000 为规范 else number=$(echo "${1}*1024*1024"|bc) sudo dd if=/dev/zero of=/swapfile bs=1024 count=${number} # 2G Swap 分区 1024 * 1024 , centos 以 1000 为规范 fi sudo mkswap /swapfile && sudo swapon /swapfile if [ $(grep -c "/swapfile" /etc/fstab) -eq 0 ];thensudo tee -a /etc/fstab <<'EOF'/swapfile swap swap default 0 0EOFfisudo swapon --show && sudo free -h}## 名称: software::Java## 用处: java 环境装置与设置 ## 参数: 无software::Java () { # 根底变量 JAVA_FILE="/root/Downloads/jdk-8u211-linux-x64.tar.gz" JAVA_SRC="/usr/local/" JAVA_DIR="/usr/local/jdk" # 环境配置 sudo tar -zxvf ${JAVA_FILE} -C ${JAVA_SRC} sudo rm -rf /usr/local/jdk JAVA_SRC=$(ls /usr/local/ | grep "jdk") sudo ln -s ${JAVA_SRC} ${JAVA_DIR} export PATH=${JAVA_DIR}/bin:${PATH} sudo cp /etc/profile /etc/profile.$(date +%Y%m%d-%H%M%S).bak sudo tee -a /etc/profile <<'EOF'export JAVA_HOME=/usr/local/jdkexport JRE_HOME=/usr/local/jdk/jreexport CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jarexport PATH=$JAVA_HOME/bin:$PATHEOF java -version}## 名称: disk::Lvsmanager## 用处: CentOS7 操作系统磁盘 LVS 逻辑卷增加与配置(扩容流程)## 参数: 无disk::lvsmanager () { echo "\n分区信息:" sudo df -Th sudo lsblk echo -e "\n 磁盘信息:" sudo fdisk -l echo -e "\n PV物理卷查看:" sudo pvscan echo -e "\n vgs虚构卷查看:" sudo vgs echo -e "\n lvscan逻辑卷扫描:" sudo lvscan echo -e "\n 分区扩大" echo "CentOS \n lvextend -L +24G /dev/centos/root" echo "lsblk" echo -e "Centos \n # xfs_growfs /dev/mapper/centos-root"}# 平安加固过程临时文件清理为基线镜像做筹备unalias rmfind ~/.trash/* -deletefind /home/ -type d -name .trash -exec find {} -delete \;find /var/log -name "*.gz" -deletefind /var/log -name "*log.*" -deletefind /var/log -name "vmware-*.*.log" -deletefind /var/log -name "*.log" -exec truncate -s 0 {} \;find /var/log -name "system@*" -deletefind /var/log -name "user-1000@*" -deletefind /tmp/* -delete至此 CentOS7 平安加固脚本结束。
原文地址: Linux与Windows服务器操作系统平安进攻实际指南 ( https://blog.weiyigeek.top/20... )
文章书写不易,如果您感觉这篇文章还不错的,请给这篇专栏 【点个赞、投个币、收个藏、关个注,转个发】(世间五大情),这将对我的必定,谢谢!。
本文章起源 我的Blog站点 或 WeiyiGeek 公众账号 以及 我的BiliBili专栏 (技术交换、友链替换请邮我哟),谢谢反对!(′‵) ❤
欢送各位气味相投的敌人一起学习交换,如文章有误请留下您贵重的常识倡议,通过邮箱【master#weiyigeek.top】分割我哟!