Linux hardening script (CentOS 6.2)

CentOS  Scripting languages  Linux  Vi  Kernel processing  2017-04-30

These are some security hardening steps done on CentOS 6.2; the ops colleagues put a lot of effort and time into compiling them. If you run your own servers you still need to harden them yourself. Nowadays applications mostly run inside Docker and VMware, so even if the system is compromised it is enough that the data is safe: the system can be destroyed and rebuilt, and with VMware you can build your own template system. We have not hardened Docker yet; if we do, I will update this. The CentOS 7 hardening script has not been written up yet either; for now, on CentOS 7 we disable root login and create a user named login that can only log into the system and has no other privileges; after logging in as login you su to root or another user. Below is the CentOS 6.2 script.

Back up data (several of these paths, for example pam_pwcheck.conf, syslog-ng and pure-ftpd, come from SuSE and do not exist on a stock CentOS 6; cp simply reports them as missing)

cp -p /etc/passwd /etc/passwd.bak
cp -p /etc/shadow /etc/shadow.bak
cp -p /etc/group /etc/group.bak
cp -p /etc/security/pam_pwcheck.conf /etc/security/pam_pwcheck.conf.bak
cp -p /etc/pam.d/passwd /etc/pam.d/passwd.bak
cp -p /etc/login.defs /etc/login.defs.bak
cp -p /etc/default/useradd /etc/default/useradd.bak
cp -p /etc/pam.d/login /etc/pam.d/login.bak
cp -p /etc/pam.d/sshd /etc/pam.d/sshd.bak
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cp -p -r /etc/xinetd.d /etc/xinetd.d.bak
cp -p /etc/ntp.conf /etc/ntp.conf.bak
cp -p /etc/fstab /etc/fstab.bak
cp -p /etc/exports /etc/exports.bak
cp -p /etc/snmpd.conf /etc/snmpd.conf.bak
cp -p /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
cp -p /etc/profile /etc/profile.bak
cp -p /etc/securetty /etc/securetty.bak
cp -p /etc/pam.d/su /etc/pam.d/su.bak
cp -p /etc/ftpusers /etc/ftpusers.bak
cp -p /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak
cp -p /etc/pure-ftpd/pure-ftpd.conf /etc/pure-ftpd/pure-ftpd.conf.bak
cp -p /etc/hosts.allow /etc/hosts.allow.bak
cp -p /etc/hosts.deny /etc/hosts.deny.bak
cp -p /etc/inittab /etc/inittab.bak
cp -p /etc/syslog.conf /etc/syslog.conf.bak
cp -p /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.bak
cp -p /etc/motd /etc/motd.bak
cp -p /etc/sshbanner /etc/sshbanner.bak
cp -p /etc/issue /etc/issue.bak
cp -p /etc/issue.net /etc/issue.net.bak
cp -p /etc/sysctl.conf /etc/sysctl.conf.bak
cp -p /etc/modprobe.conf /etc/modprobe.conf.bak

Lock/delete unused accounts

passwd -l at
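Locking accounts one name at a time only helps if you know which accounts still need it. The following is an added example, not part of the original script: it lists the system accounts (UID below 500, the CentOS 6 boundary) that still have an interactive shell or an unlocked password hash, and then locks a given list. The PASSWD, SHADOW and SYS_UID_MAX variables are my additions so the functions can be pointed at copies of the files; the sample passwd and shadow lines in the usage note are constructed.

```shell
#!/bin/bash
# Added example (not from the original script): find system accounts that can
# still log in, then lock the ones you choose. File paths are overridable so the
# checks can be run against copies of passwd/shadow (assumption: CentOS 6 layout,
# where regular users start at UID 500).
PASSWD="${PASSWD:-/etc/passwd}"
SHADOW="${SHADOW:-/etc/shadow}"
SYS_UID_MAX="${SYS_UID_MAX:-499}"

# System accounts (root excluded) whose shell is neither /sbin/nologin nor /bin/false.
# An empty shell field counts too, because login(1) then falls back to /bin/sh.
system_accounts_with_shell() {
  awk -F: -v max="$SYS_UID_MAX" '
    $3 <= max && $1 != "root" && $7 !~ /\/(nologin|false)$/ {print $1}' "$PASSWD"
}

# Accounts whose shadow hash is neither locked ("!" prefix, what passwd -l writes)
# nor disabled ("*"): a password could still authenticate for them.
accounts_with_usable_password() {
  awk -F: '$2 != "" && $2 !~ /^[!*]/ {print $1}' "$SHADOW"
}

# Lock each listed account and take away its shell. With DRY_RUN=1 it only reports.
lock_accounts() {
  local user
  for user in "$@"; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "would lock: $user"
    else
      passwd -l "$user" && usermod -s /sbin/nologin "$user" \
        && echo "locked: $user" || echo "failed: $user" >&2
    fi
  done
}
```

Typical use is `system_accounts_with_shell` to see the candidates, then `lock_accounts $(system_accounts_with_shell)` once you have removed anything a service actually needs (for example a database account that runs cron jobs). Locking with passwd -l alone is not enough: an account with an ssh key in its home directory still gets in unless its shell is also removed.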

#Configure password complexity

vi /etc/pam.d/passwd

(On CentOS 6 /etc/pam.d/passwd only includes system-auth; the complexity rules are the pam_cracklib line in /etc/pam.d/system-auth, so that is the file that actually has to be edited.)

Disable unnecessary services (to turn one back on, use chkconfig servicename on). Most of this list was taken from a SuSE host: SuSEfirewall2_*, boot.*, suseRegister, apache2, Makefile and skeleton.compat are not CentOS services, and chkconfig just prints an error for names that do not exist here. The xinetd-managed services also carry different names on CentOS 6 (chargen-dgram/chargen-stream rather than chargen/chargen-udp, and so on), so check chkconfig --list for the real names before running this block.

chkconfig chargen off
chkconfig chargen-udp off
chkconfig cups-lpd off
chkconfig cvs off
chkconfig daytime off
chkconfig daytime-udp off
chkconfig echo-udp off
chkconfig fam off
chkconfig rsync off
chkconfig servers off
chkconfig services off
chkconfig systat off
chkconfig time off
chkconfig time-udp off
chkconfig Makefile off
chkconfig SuSEfirewall2_init off
chkconfig SuSEfirewall2_setup off
chkconfig aaeventd off
chkconfig acpid off
chkconfig alsasound off
chkconfig apache2 off
chkconfig atd off
chkconfig autoyast off
chkconfig boot.apparmor off
chkconfig boot.evms off
chkconfig boot.multipath off
chkconfig boot.sched off
chkconfig boot.scsidev off
chkconfig cups off
chkconfig cupsrenice off
chkconfig drbd off
chkconfig earlykbd off
chkconfig esound off
chkconfig evms off
chkconfig gpm off
chkconfig gssd off
chkconfig heartbeat off
chkconfig idmapd off
chkconfig ipmi off
chkconfig ipvsadm off
chkconfig iscsitarget off
chkconfig joystick off
chkconfig ksysguardd off
chkconfig ldap off
chkconfig ldirectord off
chkconfig lm_sensors off
chkconfig mdadmd off
chkconfig microcode off
chkconfig multipathd off
chkconfig nfsserver off
chkconfig novell-zmd off
chkconfig nscd off
chkconfig open-iscsi off
chkconfig openct off
chkconfig owcimomd off
chkconfig pcscd off
chkconfig postfix off
chkconfig powerd off
chkconfig powersaved off
chkconfig pure-ftpd off
chkconfig rexec off
chkconfig rlogin off
chkconfig rpasswdd off
chkconfig rpmconfigcheck off
chkconfig rsh off
chkconfig rsyncd off
chkconfig sapinit off
chkconfig saslauthd off
chkconfig skeleton.compat off
chkconfig slurpd off
chkconfig smartd off
chkconfig smbfs off
chkconfig smpppd off
chkconfig splash off
chkconfig splash_early off
chkconfig suseRegister off
chkconfig svcgssd off
chkconfig xendomains off
chkconfig xend off
chkconfig xfs off
chkconfig ypbind off
chkconfig telnet off
chkconfig nfs off
chkconfig nfsboot off
chkconfig ocfs2 off
chkconfig o2cb off
chkconfig winbind off
chkconfig klogin off
chkconfig kshell off
chkconfig swat off
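Running a long chkconfig list copied from another distribution produces a wall of "service not found" errors that hides the real failures. Here is an added example, not part of the original script, that first separates the names this host can actually manage from the ones it does not have, and only calls chkconfig for the former. The INIT_DIR and XINETD_DIR variables are my additions so the filtering can be tried against a fake directory tree; the assumption is the CentOS 6 layout, where SysV scripts live in /etc/init.d and xinetd services (telnet, rsh, chargen and friends) are files under /etc/xinetd.d.

```shell
#!/bin/bash
# Added example (not from the original script): disable only the services that
# exist on this host and report the rest as skipped, so the output shows exactly
# what changed. Directories are overridable for dry runs on a copied tree.
INIT_DIR="${INIT_DIR:-/etc/init.d}"
XINETD_DIR="${XINETD_DIR:-/etc/xinetd.d}"

# Print the names from "$@" that chkconfig can manage here: either an executable
# SysV init script or an xinetd service definition.
known_services() {
  local svc
  for svc in "$@"; do
    if [ -x "$INIT_DIR/$svc" ] || [ -f "$XINETD_DIR/$svc" ]; then
      printf '%s\n' "$svc"
    fi
  done
}

# Print the names from "$@" that this host does not have at all (typically the
# SuSE-only entries of a copied list).
unknown_services() {
  local svc
  for svc in "$@"; do
    if [ ! -x "$INIT_DIR/$svc" ] && [ ! -f "$XINETD_DIR/$svc" ]; then
      printf '%s\n' "$svc"
    fi
  done
}

# Turn off every manageable service and say what happened; chkconfig is only
# invoked for names that passed known_services, so one bad name never aborts
# a "set -e" run.
disable_services() {
  local svc
  for svc in $(known_services "$@"); do
    if chkconfig "$svc" off; then
      echo "disabled: $svc"
    else
      echo "FAILED:   $svc" >&2
    fi
  done
  unknown_services "$@" | sed 's/^/skipped (not installed): /'
}
```

Usage is `disable_services cups telnet rsh SuSEfirewall2_init ...` with the list from above. chkconfig off only changes the boot-time links; a service that is running right now still has to be stopped with service name stop, and for xinetd services xinetd itself has to be reloaded.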

#Restrict access permissions on critical files and directories

chmod -R go-w /etc
chmod 644 /etc/passwd
chmod 644 /etc/group
chmod 755 /etc/security
chmod 400 /etc/shadow
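The chmod lines above set the policy but give you no way to confirm it later, or to spot a package update that reopened something. The following is an added example, not part of the original script: it audits the same policy, listing anything under /etc that is group- or world-writable and comparing the four explicit modes, and returns the number of failed checks. The ROOT variable is my addition so the audit can be run against a copied tree; the -perm /022 form is GNU find syntax, which is what CentOS ships.

```shell
#!/bin/bash
# Added example (not from the original script): audit, rather than blindly apply,
# the permission policy of this section. ROOT is prepended to every path so the
# checks can be exercised on a copy of /etc (assumption: GNU find and stat).
ROOT="${ROOT:-}"

# Print files or directories under DIR (relative to ROOT) that are group- or
# world-writable. "-perm /022" matches if ANY of those bits is set.
find_group_world_writable() {
  find "${ROOT}$1" -xdev \( -type f -o -type d \) -perm /022 -print 2>/dev/null | sort
}

# check_mode FILE EXPECTED: compare the octal mode; return 1 and report on mismatch.
check_mode() {
  local file="${ROOT}$1" expected="$2" actual
  actual=$(stat -c '%a' "$file" 2>/dev/null) || { echo "missing  $1"; return 1; }
  if [ "$actual" = "$expected" ]; then
    echo "ok       $1 $actual"
  else
    echo "MISMATCH $1 expected $expected got $actual"
    return 1
  fi
}

# Run the whole policy; the return value is the number of failed checks.
audit_etc_permissions() {
  local failures=0 n
  check_mode /etc/passwd 644   || failures=$((failures+1))
  check_mode /etc/group 644    || failures=$((failures+1))
  check_mode /etc/security 755 || failures=$((failures+1))
  check_mode /etc/shadow 400   || failures=$((failures+1))
  n=$(find_group_world_writable /etc | wc -l | tr -d ' ')
  if [ "$n" -gt 0 ]; then
    echo "$n group/world-writable entries under /etc (see find_group_world_writable /etc)"
    failures=$((failures+1))
  fi
  return "$failures"
}
```

Run audit_etc_permissions after the chmod block and again from cron; a non-zero exit is the signal. Note that a stock CentOS 6 ships /etc/shadow with mode 000, which is at least as strict as the 400 the script sets, so adjust the expected value if you decide to keep the default.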

#Restrict remote root login

vi /etc/pam.d/login

/* make sure the following line exists and is not commented out: */

vi /etc/securetty

/* comment out the following entries: pts/1 pts/2 ........ pts/n */
(A stock CentOS 6 /etc/securetty has no pts entries, so this only matters if someone added them. securetty is enforced by pam_securetty in /etc/pam.d/login, that is for console and telnet logins; root access over ssh is governed only by sshd_config.)

vi /etc/ssh/sshd_config

/* change the corresponding line to the following. Note: search for the line first and then edit it, to be sure you modify the file that is actually in use */

Disable graphical login (skip on the HA pair). Because the Oracle database has not been installed yet, this step is not done for now.

/etc/init.d/xdm stop

(CentOS 6 has no xdm init script; the display manager is started by the default runlevel, so the durable equivalent is id:3:initdefault: in /etc/inittab.)

#Block certain users from FTP login

vi /etc/ftpusers

Add:

adabas
amanda
anonymous
at
bin
cyrus
daemon
db2as
db2fenc1
db2inst1
db4web
dbmaker
dhcpd
dpbox
empress
fax
firewall
fnet
ftp
games
gdm
gnats
hacluster
haldaemon
informix
ingres
irc
ixess
lnx
lp
mail
mailman
man
mdom
messagebus
mysql
named
news
nobody
nps
ntp
oracle
perforce
pop
postfix
postgres
root
sapdb
skyrix
squid
sshd
sshusr
suse-ncc
uucp
virtuoso
vscan
wnn
wwwrun
yard
zope

(This is the SuSE default ftpusers list, which is why it contains wwwrun, suse-ncc and sapdb. On CentOS 6 vsftpd does not read /etc/ftpusers at all: its PAM stack denies the users listed in /etc/vsftpd/ftpusers, and with userlist_enable=YES it additionally consults /etc/vsftpd/user_list, so put the names there.)

#FTP: disable anonymous login and confine users to their home directory (vsftpd)

vi /etc/vsftpd/vsftpd.conf
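The root-login restriction earlier (the sshd_config line plus the pts entries in /etc/securetty) and the vsftpd settings in this section are all "set a key in a config file" edits, and doing them by hand with vi is exactly how a re-run of the script ends up with duplicate or still-commented lines. Here is one added example that covers both sections; it is not part of the original script. Because the page does not show the lines themselves, the directive names PermitRootLogin no, anonymous_enable=NO and chroot_local_user=YES are my reading of what the two sections intend, and the SSHD_CONFIG, SECURETTY and VSFTPD_CONF variables are my additions so the functions can be tried on copies first.

```shell
#!/bin/bash
# Added example (not from the original script): idempotently set key/value
# options in sshd_config and vsftpd.conf, comment out pts/* in securetty and
# verify the result. Paths are overridable so this can be run on copies.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SECURETTY="${SECURETTY:-/etc/securetty}"
VSFTPD_CONF="${VSFTPD_CONF:-/etc/vsftpd/vsftpd.conf}"

# set_option FILE KEY VALUE SEP
# Rewrites every existing KEY line, commented out or not, to "KEY<SEP>VALUE";
# appends the line if KEY is absent. SEP is " " for sshd_config, "=" for vsftpd.conf.
set_option() {
  local file="$1" key="$2" value="$3" sep="$4"
  if grep -Eiq "^[#[:space:]]*${key}[[:space:]=]" "$file"; then
    sed -i -E "s|^[#[:space:]]*(${key})[[:space:]=].*|\1${sep}${value}|I" "$file"
  else
    printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
  fi
}

# get_option FILE KEY: value of the first uncommented KEY line (sshd uses the
# first match; after set_option there is only one, so vsftpd agrees).
get_option() {
  awk -v k="$2" 'BEGIN { k = tolower(k) }
    /^[[:space:]]*#/ { next }
    { line = $0; sub(/=/, " ", line); $0 = line
      if (tolower($1) == k) { print $2; exit } }' "$1"
}

# Comment out every pts/N line so pam_securetty refuses root on pseudo-terminals.
strip_pts_from_securetty() {
  sed -i -E 's|^([[:space:]]*pts/.*)$|#\1|' "$SECURETTY"
}

harden_sshd() {
  set_option "$SSHD_CONFIG" PermitRootLogin no " "
  strip_pts_from_securetty
}

harden_vsftpd() {
  set_option "$VSFTPD_CONF" anonymous_enable NO "="
  set_option "$VSFTPD_CONF" chroot_local_user YES "="
}

# Returns 0 only if both files reflect the intended root-login policy.
verify_root_login_policy() {
  [ "$(get_option "$SSHD_CONFIG" PermitRootLogin)" = "no" ] || return 1
  ! grep -Eq '^[[:space:]]*pts/' "$SECURETTY"
}
```

Run harden_sshd, check the result with sshd -t, then service sshd reload (keep your current session open until a second login works); vsftpd picks up its file on restart. set_option rewrites every matching line, including one inside a Match block of sshd_config, so diff the file against the .bak copy made at the start of the script before reloading.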

#Disable Ctrl+Alt+Del

vi /etc/inittab

(CentOS 6 uses Upstart, so Ctrl+Alt+Del is handled by /etc/init/control-alt-delete.conf rather than /etc/inittab; comment out or change the exec /sbin/shutdown line there.)

#Record user login information

vi /etc/login.defs

#Set a warning banner shown after successful login

cd /etc

(The post-login banner is /etc/motd. /etc/issue.net is the pre-login banner and is only shown over ssh if sshd_config sets Banner /etc/issue.net.)

#Disable ICMP redirects (skip on the HA pair)

vi /etc/sysctl.conf

net.ipv4.conf.default.secure_redirects=1
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0

Run sysctl -p afterwards, otherwise the values only take effect at the next boot. Two things to check before applying this to a given host: net.ipv4.ip_forward=0 breaks any host that routes, including a Docker host (Docker needs forwarding for container networking); and secure_redirects=1 only matters while accept_redirects is on, so with accept_redirects=0 it is moot here (the CIS benchmarks set secure_redirects to 0 as well).
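Writing the lines into /etc/sysctl.conf does not tell you whether the running kernel agrees: a typo, a later sysctl -w, or a network script that flips ip_forward back on all go unnoticed. The following is an added example, not part of the original script, that reads /proc/sys directly and compares it with every key=value line in a sysctl.conf-style file, tolerating the spacing variants sysctl itself accepts. The PROC_SYS variable is my addition so the checker can be tested on a fake tree; the sample file in the test is constructed.

```shell
#!/bin/bash
# Added example (not from the original script): verify that the kernel actually
# runs with the values written to /etc/sysctl.conf, by reading /proc/sys directly.
# PROC_SYS is overridable so the checker can be exercised on a fake directory tree.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# Translate "net.ipv4.conf.all.accept_redirects" into its /proc/sys path.
sysctl_path() {
  printf '%s/%s\n' "$PROC_SYS" "$(printf '%s' "$1" | tr . /)"
}

# check_sysctl KEY EXPECTED: print one line; return 0 on match, 1 on mismatch,
# 2 if the key does not exist on this kernel (e.g. IPv6 keys with ipv6 disabled).
check_sysctl() {
  local path actual
  path=$(sysctl_path "$1")
  [ -r "$path" ] || { echo "absent   $1"; return 2; }
  actual=$(cat "$path")
  if [ "$actual" = "$2" ]; then
    echo "ok       $1 = $actual"
    return 0
  fi
  echo "MISMATCH $1 expected $2 got $actual"
  return 1
}

# audit_sysctl_file FILE: read "key = value" lines (comments and blanks ignored,
# whitespace around "=" tolerated, as sysctl allows) and return the number of
# keys that are missing or differ from the file.
audit_sysctl_file() {
  local failures=0 key value
  while IFS='=' read -r key value; do
    key=$(printf '%s' "$key" | tr -d '[:space:]')
    value=$(printf '%s' "$value" | tr -d '[:space:]')
    case "$key" in ''|'#'*) continue ;; esac
    check_sysctl "$key" "$value" || failures=$((failures+1))
  done < "$1"
  return "$failures"
}
```

Run audit_sysctl_file /etc/sysctl.conf after sysctl -p and again from cron; a non-zero exit means the kernel has drifted from the file. Reading /proc/sys rather than calling sysctl -n keeps the check independent of the sysctl binary and works the same inside a minimal rescue environment.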

#Disable IPv6: to be continued.

