镜像文章:批处理脚本:一键加固Windows终端
严肃提醒,生产环境中运行以下脚本,一定要提前测试!!!
不同的服务器可能会产生不同结果!
#!/usr/bin/env python3
#vim:set fileencoding=utf-8
import os
import re
class CheckUser:
def __init__(self):
self.root_id = 0 #判断是否存在root用户
self.pass_max_days = 'PASS_MAX_DAYS 90' #最长使用天数
self.pass_min_days = 'PASS_MIN_DAYS 0' #最短使用天数
self.pass_warn_age = 'PASS_WARN_AGE 7' #到期前提醒天数
self.is_null = 0 #判断是否存在空口令
self.is_history = 0 #判断是否已开启时间戳
self.is_log = 0 #判断是否开启日志功能
def check_root(self):
# ubuntu中uid为0的用户拥有最高权限
# 应确保只有root的uid为0
# 检查是否存在uid为0的非Root用户
with open('/etc/passwd','r') as f:
for i in f.readlines():
# print(i.split(':')[2])
l = i.split(':')
if l[2] == '0' and l[0] != 'root':
self.root_id += 1
print('---------------------------------------')
print('1.请检查,用户{}竟然有root权限!!!!'.format(l[0]))
print('---------------------------------------')
if self.root_id == 0:
print('---------------------------------------')
print('1.未发现其他root用户.')
print('---------------------------------------')
def set_retiretime(self):
# 用户口令失效设置,修改/etc/login.defs的配置文件如下
# PASS_MAX_DAYS 90
# PASS_MIN_DAYS 0
# PASS_WARN_AGE 7
file_data = ''
with open('/etc/login.defs','r') as f1:
for line in f1:
if re.findall('^PASS_MAX_DAYS', line) != []:
#print(line)
line = self.pass_max_days + '\n'
if re.findall('^PASS_MIN_DAYS', line) != []:
#print(line)
line = self.pass_min_days + '\n'
if re.findall('^PASS_WARN_AGE', line) != []:
#print(line)
line = self.pass_warn_age + '\n'
file_data += line
with open('/etc/login.defs','w') as f2:
f2.write(file_data)
print('---------------------------------------')
print('2.完成用户口令失效时间设置')
print('---------------------------------------')
def check_null_pass(self):
# 列出空口令账户
with open('/etc/shadow', 'r') as f:
print('---------------------------------------')
for line in f.readlines():
if line.split(':')[1] == '':
self.is_null += 1
print('3.请注意:账户{}存在空口令!!!'.format(line.split(':')[0]))
if self.is_null == 0:
print('3.未检测到空口令账户.')
print('---------------------------------------')
def user_pass_set(self):
# 设置账户策略
with open('/etc/pam.d/common-password', 'a') as f1:
# 尝试3次,长度10位以上,至少包括一位大写、一位小写、一位字母、一位特殊字符
f1.write('password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 enforce_for_root')
with open('/etc/pam.d/login','a') as f2:
f2.write('auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=300')
print('---------------------------------------')
print('请注意提前安装libpam-cracklib')
print('安装方法:sudo apt-get install libpam-cracklib -y')
print('4.设置口令策略,包括复杂度、有效期、锁定阈值等')
print('---------------------------------------')
def check_file_permit(self):
# 将部分系统文件设置为仅Root权限
file_list = ['/etc/crontab','/etc/securetty','/boot/grub/grub.cfg','/etc/inittab','/etc/login.defs']
for file_name in file_list:
m_cmd = 'chmod -R 750 '+file_name
# print(m_cmd)
os.system(m_cmd)
print('---------------------------------------')
print('5.对部分系统文件设置权限')
print('---------------------------------------')
def close_service(self):
# 关闭不必要的服务,cups,postfix,pcscd,smartd,alsasound,iscsitarget,smb,acpid等
service_list = ['cups','postfix','pcscd','smartd','alsasound','iscsitarget','smb','acpid']
for m_ser in service_list:
m_cmd1 = 'systemctl disable ' + m_ser + '.service'
m_cmd2 = 'systemctl stop ' + m_ser +'.service'
os.system(m_cmd1)
os.system(m_cmd2)
print('---------------------------------------')
print('6.关闭不必要的服务')
print('---------------------------------------')
def set_history(self):
# 在/etc/profile中开启history的时间戳
with open('/etc/profile', 'r') as f:
if ('export HISTTIMEFORMAT') in f.read():
self.is_history = 1
# print('is_history 1')
if self.is_history == 0:
with open('/etc/profile', 'a') as f2:
f2.write('export HISTTIMEFORMAT="%F%T `whoami`"')
os.system('source /etc/profile')
print('---------------------------------------')
print('7.开启history时间戳')
print('---------------------------------------')
def set_log(self):
with open('/etc/rsyslog.conf', 'r') as f1:
for line in f1.readlines():
if line.find('authpriv.*') != -1:
if line.find('/var/log/auth.log') != -1:
self.is_log = 1
if self.is_log == 1:
print('---------------------------------------')
print('8.已开启日志功能')
print('---------------------------------------')
else:
print('---------------------------------------')
print('8.未开启日志')
print('请查看/etc/rsyslog.conf文件中的参数authpriv的值')
print('必须要设置/var/log/auth.log')
print('查看命令如下:cat /etc/rsyslog.conf | grep "authpriv"')
print('---------------------------------------')
def set_audit(self):
os.system('apt-get install auditd')
os.system('systemctl enable auditd.service')
os.system('systemctl start auditd.service')
print('---------------------------------------')
print('9.已开启审计功能')
print('---------------------------------------')
def set_login(self):
# 1.登录超时设置
# 2.禁止Root账户远程登录
# 3.修改ssh默认端口为12345
with open('/etc/profile','a') as f1:
f1.write('TOUT=180')
file_data = ''
with open('/etc/ssh/sshd_config','r') as f2:
for line in f2:
if re.findall('^PermitRootLogin', line) != []:
#print(line)
line = 'PermitRootLogin no\n'
if re.findall('Port ', line) != []:
#print(line)
line = 'Port 12345\n'
file_data += line
with open('/etc/login.defs','w') as f2:
f2.write(file_data)
print('---------------------------------------')
print('10.已设置远程登录安全,请使用非root用户登录ssh的12345端口,登录180s后超时')
print('---------------------------------------')
def main():
print('Ubuntu一键安全加固脚本')
print('请务必以Root权限运行!!!')
print('回车后继续')
input()
test = CheckUser()
test.check_root()
test.set_retiretime()
test.check_null_pass()
test.user_pass_set()
test.check_file_permit()
test.close_service()
test.set_history()
test.set_log()
test.set_audit()
test.set_login()
if __name__ == '__main__':
main()
