update

ppabc · ppabc · commit ac3987338206 · 2018-05-30T16:55:02.000+08:00
diff --git a/linux-init-script/check_safe.sh b/linux-init-script/check_safe.sh
@@ -1,97 +1,97 @@
-#!/bin/sh
-
-passwd -l xfs
-passwd -l news
-passwd -l nscd
-passwd -l dbus
-passwd -l vcsa
-passwd -l games
-passwd -l nobody
-passwd -l avahi
-passwd -l haldaemon
-passwd -l gopher
-passwd -l ftp
-passwd -l mailnull
-passwd -l pcap
-passwd -l mail
-passwd -l shutdown
-passwd -l halt
-passwd -l uucp
-passwd -l operator
-passwd -l sync
-passwd -l adm
-passwd -l lp
-
-# chattr /etc/passwd /etc/shadow
-chattr +i /etc/passwd
-chattr +i /etc/shadow
-chattr +i /etc/group
-chattr +i /etc/gshadow
-
-# add continue input failure 3 ,passwd unlock time 5 minite
-sed -i 's#auth required pam_env.so#auth required pam_env.sonauth required pam_tally.so onerr=fail deny=3 unlock_time=300nauth required /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth
-# system timeout 5 minite auto logout
-echo "TMOUT=300" >>/etc/profile
-
-# will system save history command list to 10
-sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
-
-# enable /etc/profile go!
-source /etc/profile
-
-# add syncookie enable /etc/sysctl.conf
-echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
-
-sysctl -p # exec sysctl.conf enable
-# optimizer sshd_config
-
-sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config
-sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
-
-# limit chmod important commands
-chmod 700 /bin/ping
-chmod 700 /usr/bin/finger
-chmod 700 /usr/bin/who
-chmod 700 /usr/bin/w
-chmod 700 /usr/bin/locate
-chmod 700 /usr/bin/whereis
-chmod 700 /sbin/ifconfig
-chmod 700 /usr/bin/pico
-chmod 700 /bin/vi
-chmod 700 /usr/bin/which
-chmod 700 /usr/bin/gcc
-chmod 700 /usr/bin/make
-chmod 700 /bin/rpm
-
-# history security
-
-chattr +a /root/.bash_history
-chattr +i /root/.bash_history
-
-# write important command md5
-cat > list << "EOF" &&
-/bin/ping
-/bin/finger
-/usr/bin/who
-/usr/bin/w
-/usr/bin/locate
-/usr/bin/whereis
-/sbin/ifconfig
-/bin/pico
-/bin/vi
-/usr/bin/vim
-/usr/bin/which
-/usr/bin/gcc
-/usr/bin/make
-/bin/rpm
-EOF
-
-for i in `cat list`
-do
-if [ ! -x $i ];then
-echo "$i not found,no md5sum!"
-else
-md5sum $i >> /var/log/`hostname`.log
-fi
-done
+#!/bin/sh
+
+passwd -l xfs
+passwd -l news
+passwd -l nscd
+passwd -l dbus
+passwd -l vcsa
+passwd -l games
+passwd -l nobody
+passwd -l avahi
+passwd -l haldaemon
+passwd -l gopher
+passwd -l ftp
+passwd -l mailnull
+passwd -l pcap
+passwd -l mail
+passwd -l shutdown
+passwd -l halt
+passwd -l uucp
+passwd -l operator
+passwd -l sync
+passwd -l adm
+passwd -l lp
+
+# chattr /etc/passwd /etc/shadow
+chattr +i /etc/passwd
+chattr +i /etc/shadow
+chattr +i /etc/group
+chattr +i /etc/gshadow
+
+# add continue input failure 3 ,passwd unlock time 5 minite
+sed -i 's#auth required pam_env.so#auth required pam_env.sonauth required pam_tally.so onerr=fail deny=3 unlock_time=300nauth required /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth
+# system timeout 5 minite auto logout
+echo "TMOUT=300" >>/etc/profile
+
+# will system save history command list to 10
+sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
+
+# enable /etc/profile go!
+source /etc/profile
+
+# add syncookie enable /etc/sysctl.conf
+echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
+
+sysctl -p # exec sysctl.conf enable
+# optimizer sshd_config
+
+sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config
+sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
+
+# limit chmod important commands
+chmod 700 /bin/ping
+chmod 700 /usr/bin/finger
+chmod 700 /usr/bin/who
+chmod 700 /usr/bin/w
+chmod 700 /usr/bin/locate
+chmod 700 /usr/bin/whereis
+chmod 700 /sbin/ifconfig
+chmod 700 /usr/bin/pico
+chmod 700 /bin/vi
+chmod 700 /usr/bin/which
+chmod 700 /usr/bin/gcc
+chmod 700 /usr/bin/make
+chmod 700 /bin/rpm
+
+# history security
+
+chattr +a /root/.bash_history
+chattr +i /root/.bash_history
+
+# write important command md5
+cat > list << "EOF" &&
+/bin/ping
+/bin/finger
+/usr/bin/who
+/usr/bin/w
+/usr/bin/locate
+/usr/bin/whereis
+/sbin/ifconfig
+/bin/pico
+/bin/vi
+/usr/bin/vim
+/usr/bin/which
+/usr/bin/gcc
+/usr/bin/make
+/bin/rpm
+EOF
+
+for i in `cat list`
+do
+if [ ! -x $i ];then
+echo "$i not found,no md5sum!"
+else
+md5sum $i >> /var/log/`hostname`.log
+fi
+done
 rm -f list
diff --git a/linux-init-script/init_centos6.sh b/linux-init-script/init_centos6.sh
@@ -186,14 +186,14 @@ cat > /opt/sh/ipt.sh << EOF
 /sbin/iptables -A OUTPUT -j ACCEPT
 /sbin/iptables -A INPUT -s 192.168.10.152 -j ACCEPT
 /sbin/iptables -A INPUT -s 192.168.20.102 -j ACCEPT
-/sbin/iptables -A INPUT -s 192.168.10.0/255.255.255.0 -p tcp --dport 80  -j ACCEPT
-/sbin/iptables -A INPUT -s 192.168.20.0/255.255.255.0 -p tcp --dport 80   -j ACCEPT
+/sbin/iptables -A INPUT -p tcp --dport 80  -j ACCEPT
+/sbin/iptables -A INPUT -p tcp --dport 22  -j ACCEPT
+/sbin/iptables -A INPUT -s 192.168.10.0/255.255.255.0 -p tcp --dport 8080  -j ACCEPT
+/sbin/iptables -A INPUT -s 192.168.20.0/255.255.255.0 -p tcp --dport 8080  -j ACCEPT
 /sbin/iptables -t raw -A PREROUTING -s 192.168.10.0/255.255.255.0 -p tcp --dport 80  -j NOTRACK
 /sbin/iptables -t raw -A PREROUTING -s 192.168.20.0/255.255.255.0 -p tcp --dport 80  -j NOTRACK
 /sbin/iptables -t raw -A OUTPUT -s 192.168.10.0/255.255.255.0 -p tcp --sport 80  -j NOTRACK
 /sbin/iptables -t raw -A OUTPUT -s 192.168.20.0/255.255.255.0 -p tcp --sport 80  -j NOTRACK
-/sbin/iptables -A INPUT   -s 192.168.10.0/255.255.255.0 -p tcp --dport 22  -j ACCEPT
-/sbin/iptables -A INPUT   -s 192.168.56.0/255.255.255.0 -p tcp --dport 22  -j ACCEPT
 /sbin/iptables -A INPUT   -s 192.168.10.0/255.255.255.0 -p icmp -j ACCEPT
 /sbin/iptables -A INPUT   -s 192.168.20.0/255.255.255.0 -p icmp -j ACCEPT
 
diff --git a/linux-init-script/init_centos7.sh b/linux-init-script/init_centos7.sh
@@ -178,14 +178,14 @@ cat > /opt/sh/ipt.sh << EOF
 /sbin/iptables -A OUTPUT -j ACCEPT
 /sbin/iptables -A INPUT -s 192.168.10.152 -j ACCEPT
 /sbin/iptables -A INPUT -s 192.168.20.102 -j ACCEPT
-/sbin/iptables -A INPUT -s 192.168.10.0/255.255.255.0 -p tcp --dport 80  -j ACCEPT
-/sbin/iptables -A INPUT -s 192.168.20.0/255.255.255.0 -p tcp --dport 80   -j ACCEPT
+/sbin/iptables -A INPUT -p tcp --dport 80  -j ACCEPT
+/sbin/iptables -A INPUT -p tcp --dport 22  -j ACCEPT
+/sbin/iptables -A INPUT -s 192.168.10.0/255.255.255.0 -p tcp --dport 8080  -j ACCEPT
+/sbin/iptables -A INPUT -s 192.168.20.0/255.255.255.0 -p tcp --dport 8080  -j ACCEPT
 /sbin/iptables -t raw -A PREROUTING -s 192.168.10.0/255.255.255.0 -p tcp --dport 80  -j NOTRACK
 /sbin/iptables -t raw -A PREROUTING -s 192.168.20.0/255.255.255.0 -p tcp --dport 80  -j NOTRACK
 /sbin/iptables -t raw -A OUTPUT -s 192.168.10.0/255.255.255.0 -p tcp --sport 80  -j NOTRACK
 /sbin/iptables -t raw -A OUTPUT -s 192.168.20.0/255.255.255.0 -p tcp --sport 80  -j NOTRACK
-/sbin/iptables -A INPUT   -s 192.168.10.0/255.255.255.0 -p tcp --dport 22  -j ACCEPT
-/sbin/iptables -A INPUT   -s 192.168.20.0/255.255.255.0 -p tcp --dport 22  -j ACCEPT
 /sbin/iptables -A INPUT   -s 192.168.10.0/255.255.255.0 -p icmp -j ACCEPT
 /sbin/iptables -A INPUT   -s 192.168.20.0/255.255.255.0 -p icmp -j ACCEPT
 
