Rocky Linux 9 系统初始化与安全加固脚本
Rocky Linux 9 系统初始化与安全加固脚本
在服务器运维与系统管理的实际场景中,一个安全、稳定、标准化的系统环境至关重要。Rocky Linux 作为一款企业级稳定发行版,越来越多地被用于生产环境部署。为节省重复配置的时间、降低人为操作失误率,同时提升系统的安全性,编写一套系统初始化与安全加固脚本显得尤为必要。
本文将基于 Rocky Linux 9,介绍如何通过 Shell 脚本实现系统初始化配置(如时间同步、YUM 源更换、基础软件安装)、安全加固(如 SSH 配置、密码策略、防火墙规则等)的一体化自动部署,帮助用户快速构建一套符合安全基线的操作系统环境。
使用
# wget https://gitee.com/funet8/Rocky-Linux-Shell/raw/main/shell/Rocky_Linux_9_system_init_shell_mini.sh
# sh Rocky_Linux_9_system_init_shell_mini.sh
或者
wget -qO- https://gitee.com/funet8/Rocky-Linux-Shell/raw/main/shell/Rocky_Linux_9_system_init_shell_mini.sh | sh
主要功能
1.修改主机名 : set_hostname
HOSTNAME="node2"
hostnamectl set-hostname ${HOSTNAME}
2.安装基础软件包 : install_base_software
dnf install -y vim wget curl lrzsz net-tools lsof bash-completion yum-utils tar zip unzip sudo cronie chrony policycoreutils-python-utils
# 安装 EPEL 仓库
dnf install -y epel-release
dnf makecache# rc.local添加执行权限
chmod +x /etc/rc.d/rc.local
3.更新系统 : update_system
dnf clean all
dnf -y update
4.修改SSH端口 : config_ssh
SSH_PROT="60920"
SSHD_CONFIG="/etc/ssh/sshd_config"echo "修改 sshd_config 文件..."if grep -q "^#Port 22" "$SSHD_CONFIG"; thensed -i "s/^#Port 22/Port ${SSH_PROT}/" "$SSHD_CONFIG"elif grep -q "^Port " "$SSHD_CONFIG"; thensed -i "s/^Port .*/Port ${SSH_PROT}/" "$SSHD_CONFIG"elseecho "Port ${SSH_PROT}" >> "$SSHD_CONFIG"fiecho "添加防火墙端口规则..."firewall-cmd --permanent --add-port=${SSH_PROT}/tcpfirewall-cmd --reloadecho "重启 sshd 服务..."systemctl restart sshd
5.配置防火墙 : configure_firewall
# 确保防火墙服务已启用systemctl enable firewalldsystemctl start firewalld# 开放必要端口firewall-cmd --permanent --add-service=sshfirewall-cmd --permanent --add-service=httpfirewall-cmd --permanent --add-service=https# 重新加载防火墙规则firewall-cmd --reload
6.配置SSH安全 : configure_ssh
备份原始配置cp /etc/ssh/sshd_config /etc/ssh/sshd_config.baklog "INFO" "已备份SSH配置文件: /etc/ssh/sshd_config.bak"# 配置SSH安全选项sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_configsed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_configsed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_configsed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_configsed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' /etc/ssh/sshd_configsed -i 's/#X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_configsed -i 's/#MaxAuthTries 6/MaxAuthTries 3/g' /etc/ssh/sshd_configsed -i 's/#LoginGraceTime 2m/LoginGraceTime 60/g' /etc/ssh/sshd_configmkdir -p /root/.ssh# 将公钥写入 authorized_keys 文件echo "$PUB_KEY" >> /root/.ssh/authorized_keyschmod 600 /root/.ssh/authorized_keyschmod 700 /root/.ssh# 重启 SSH 服务以应用更改systemctl restart sshd
7.配置SELinux : configure_selinux
cp /etc/selinux/config /etc/selinux/config.baklog "INFO" "已备份SELinux配置文件: /etc/selinux/config.bak"# 设置SELinux为强制模式sed -i 's/SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/configsed -i 's/SELINUX=disabled/SELINUX=enforcing/g' /etc/selinux/config# 检查当前SELinux状态current_status=$(getenforce)if [ "$current_status" != "Enforcing" ]; thenlog "WARNING" "SELinux当前状态为 $current_status,需要重启系统以应用更改"log "WARNING" "当前配置已设置为强制模式,重启后生效"elselog "INFO" "SELinux已处于强制模式"fi
8.配置系统日志 : configure_logging
# 确保rsyslog服务已启用systemctl enable rsyslogsystemctl start rsyslog# 配置日志轮转cat > /etc/logrotate.d/secure << "EOF"
/var/log/secure {dailymissingokrotate 7compressdelaycompressnotifemptycreate 600 root rootsharedscriptspostrotate/usr/bin/systemctl restart rsyslog.service > /dev/null 2>&1 || trueendscript
}
EOF# 配置日志大小限制cat > /etc/systemd/journald.conf << "EOF"
[Journal]
Storage=persistent
Compress=yes
SyncIntervalSec=5m
RateLimitIntervalSec=30s
RateLimitBurst=1000
SystemMaxUse=100M
SystemMaxFileSize=20M
EOF# 重启journald服务systemctl restart systemd-journald
9.配置账户安全 : configure_accounts
# 设置密码复杂度策略if [ ! -f "/etc/pam.d/system-auth.bak" ]; thencp /etc/pam.d/system-auth /etc/pam.d/system-auth.baklog "INFO" "已备份系统认证配置: /etc/pam.d/system-auth.bak"fi# 添加密码复杂度要求sed -i 's/password requisite pam_pwquality.so/password requisite pam_pwquality.so minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1/g' /etc/pam.d/system-auth# 设置密码过期策略cat > /etc/login.defs << "EOF"
# 密码过期设置
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 14# 账户设置
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
CREATE_HOME yes
UMASK 077
ENCRYPT_METHOD SHA512
EOF# 锁定不必要的账户for user in adm lp sync shutdown halt news uucp operator games gopher; doif id "$user" &>/dev/null; thenusermod -L "$user"log "INFO" "已锁定账户: $user"fidonelog "INFO" "账户安全配置完成"log "INFO" "已设置密码复杂度要求和过期策略"return 0
}# 配置系统资源限制
configure_resource_limits() {log "INFO" "配置系统资源限制..."# 设置用户资源限制cat > /etc/security/limits.conf << "EOF"
# 资源限制配置
* hard core 0
* hard nproc 10000
* hard nofile 65535
root hard nproc unlimited
root hard nofile 65535
EOF# 配置PAM以应用资源限制if ! grep -q "pam_limits.so" /etc/pam.d/common-session; thenecho "session required pam_limits.so" >> /etc/pam.d/common-sessionfilog "INFO" "系统资源限制配置完成"
10.配置系统资源限制 : configure_resource_limits
# 设置用户资源限制cat > /etc/security/limits.conf << "EOF"
# 资源限制配置
* hard core 0
* hard nproc 10000
* hard nofile 65535
root hard nproc unlimited
root hard nofile 65535
EOF# 配置PAM以应用资源限制if ! grep -q "pam_limits.so" /etc/pam.d/common-session; thenecho "session required pam_limits.so" >> /etc/pam.d/common-sessionfi
11.配置网络安全 : configure_network_security
cp /etc/sysctl.conf /etc/sysctl.conf.baklog "INFO" "已备份系统参数配置: /etc/sysctl.conf.bak"# 配置系统网络参数cat > /etc/sysctl.d/99-security-hardening.conf << "EOF"
# 防止IP欺骗
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1# 禁用IP源路由
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0# 禁用ICMP重定向
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0# 不发送ICMP重定向
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0# 启用SYN洪水保护
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3# 禁用IP转发
net.ipv4.ip_forward = 0
# 启用IP转发,改为此配置,并且执行生效: sysctl -p
# net.ipv4.ip_forward = 1# 禁用IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1# 启用内核保护
kernel.exec-shield = 1
kernel.randomize_va_space = 2# 限制core文件大小
fs.suid_dumpable = 0# 提高网络性能
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 4096
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_timestamps = 0
EOF# 应用系统参数sysctl --system
12.配置Cron和at服务 : configure_cron
# 确保Cron服务已启用systemctl enable crondsystemctl start crond# 确保atd服务已禁用systemctl disable atdsystemctl stop atd# 配置Cron安全chmod 600 /etc/crontabchmod 600 /etc/cron.hourlychmod 600 /etc/cron.dailychmod 600 /etc/cron.weeklychmod 600 /etc/cron.monthlychmod 600 /etc/cron.d# 限制访问Cronecho "root" > /etc/cron.allowrm -f /etc/cron.deny
13.自动配置 chronyd 同步时间 : configure_time
dnf install -y chronysed -i 's/^server/#server/g' /etc/chrony.confecho "server ntp.aliyun.com iburst" >> /etc/chrony.confecho "server 0.centos.pool.ntp.org iburst" >> /etc/chrony.confecho "server 1.centos.pool.ntp.org iburst" >> /etc/chrony.confecho "server 2.centos.pool.ntp.org iburst" >> /etc/chrony.confecho "server 3.centos.pool.ntp.org iburst" >> /etc/chrony.confsystemctl restart chronydsystemctl enable chronyd
14.配置系统审计 : configure_audit
# 安装auditddnf -y install audit audit-libs# 备份原始配置cp /etc/audit/auditd.conf /etc/audit/auditd.conf.baklog "INFO" "已备份审计配置: /etc/audit/auditd.conf.bak"# 配置auditdsed -i 's/max_log_file = 8/max_log_file = 100/g' /etc/audit/auditd.confsed -i 's/max_log_file_action = ROTATE/max_log_file_action = KEEP_LOGS/g' /etc/audit/auditd.confsed -i 's/num_logs = 5/num_logs = 50/g' /etc/audit/auditd.conf# 配置审计规则cat > /etc/audit/rules.d/audit.rules << "EOF"
# 基本审计规则
## 登录和认证
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins## 账户和权限
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity## 关键文件和目录
-w /etc/sudoers -p wa -k sudo
-w /etc/ssh/sshd_config -p wa -k sshd
-w /etc/selinux/ -p wa -k selinux
-w /etc/grub2.cfg -p wa -k bootloader
-w /etc/localtime -p wa -k time-change## 系统事件
-w /var/log/audit/ -p wa -k auditd
-w /etc/sysctl.conf -p wa -k sysctl
-w /usr/bin/newgrp -p x -k privileged
-w /usr/bin/sudo -p x -k privileged
-w /usr/bin/su -p x -k privileged## 内核模块
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module,finit_module -k modules## 关键系统调用
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S clone -S fork -S vfork -k process
-a always,exit -F arch=b32 -S clone -S fork -S vfork -k process## 网络活动
-a always,exit -F arch=b64 -S socket -S bind -S connect -k network
-a always,exit -F arch=b32 -S socket -S bind -S connect -k network## 特权命令
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged## 敏感文件
-a always,exit -F path=/etc/issue -F perm=wa -F auid>=1000 -F auid!=unset -k etc-files
-a always,exit -F path=/etc/issue.net -F perm=wa -F auid>=1000 -F auid!=unset -k etc-files
-a always,exit -F path=/etc/motd -F perm=wa -F auid>=1000 -F auid!=unset -k etc-files
-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -k etc-files
-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -k etc-files
-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -k etc-files
-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -k etc-files
-a always,exit -F path=/etc/sudoers -F perm=r -F auid>=1000 -F auid!=unset -k sudoers## 审计配置
-w /etc/audit/ -p wa -k auditd
-w /etc/libaudit.conf -p wa -k auditd
-w /etc/audisp/ -p wa -k auditd# 性能优化
-f 2
EOF# 启用并启动auditd服务systemctl enable auditdsystemctl restart auditd
15.安装安全工具 : install_security_tools
# 安装基础安全工具# 如果报错:Error: Unable to find a match: lynis rkhunter fail2ban# dnf install -y epel-releasednf -y install aide lynis rkhunter fail2ban nmap sysstat lsof bind-utils# 初始化AIDEif [ -f "/usr/sbin/aide" ]; then/usr/sbin/aide --initif [ -f "/var/lib/aide/aide.db.new.gz" ]; thenmv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gzlog "INFO" "AIDE数据库已初始化"fifi# 配置fail2banif [ -f "/etc/fail2ban/jail.conf" ]; thencp /etc/fail2ban/jail.conf /etc/fail2ban/jail.localsed -i 's/bantime = 10m/bantime = 1h/g' /etc/fail2ban/jail.localsed -i 's/maxretry = 5/maxretry = 3/g' /etc/fail2ban/jail.local# 确保fail2ban服务已启用systemctl enable fail2bansystemctl start fail2banlog "INFO" "fail2ban已配置"filog "INFO" "安全工具安装完成"
16.配置定时任务 : configure_scheduled_tasks(未开启)
# 创建安全检查脚本cat > /usr/local/bin/security_check.sh << "EOF"
#!/bin/bash# 安全检查脚本
LOG_FILE="/var/log/security_check_$(date +%Y%m%d).log"
DATE=$(date "+%Y-%m-%d %H:%M:%S")echo "==========================================" > $LOG_FILE
echo "安全检查报告 - $DATE" >> $LOG_FILE
echo "==========================================" >> $LOG_FILE
echo "" >> $LOG_FILE# 检查系统更新
echo "系统更新状态:" >> $LOG_FILE
dnf check-update >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE# 检查登录失败
echo "最近登录失败记录:" >> $LOG_FILE
lastb | head -n 10 >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE# 检查root登录
echo "最近root登录记录:" >> $LOG_FILE
last root | head -n 10 >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE# 检查系统日志
echo "系统安全日志:" >> $LOG_FILE
grep -i "failed\|error\|denied\|refused\|invalid" /var/log/secure | tail -n 20 >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE# 检查监听端口
echo "当前监听端口:" >> $LOG_FILE
ss -tuln >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE# 检查可疑进程
echo "可疑进程:" >> $LOG_FILE
ps aux | grep -v grep | egrep "root|sudo|bash|sh|python|perl" | awk '$3 > 10 || $4 > 10' >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE# 检查开放文件
echo "打开的文件数量:" >> $LOG_FILE
lsof | wc -l >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE# 检查SELinux状态
echo "SELinux状态:" >> $LOG_FILE
getenforce >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE# 检查防火墙状态
echo "防火墙状态:" >> $LOG_FILE
firewall-cmd --list-all >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE# 检查磁盘使用情况
echo "磁盘使用情况:" >> $LOG_FILE
df -h >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE# 检查内存使用情况
echo "内存使用情况:" >> $LOG_FILE
free -m >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE# 检查CPU使用情况
echo "CPU使用情况:" >> $LOG_FILE
top -bn1 | head -n 5 >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE# 检查AIDE完整性
echo "文件完整性检查:" >> $LOG_FILE
if [ -f "/usr/sbin/aide" ]; then/usr/sbin/aide --check >> $LOG_FILE 2>&1
elseecho "AIDE未安装" >> $LOG_FILE
fi
echo "" >> $LOG_FILE# 检查rkhunter
echo "Rootkit检查:" >> $LOG_FILE
if [ -f "/usr/bin/rkhunter" ]; then/usr/bin/rkhunter --check --skip-keypress >> $LOG_FILE 2>&1
elseecho "rkhunter未安装" >> $LOG_FILE
fi
echo "" >> $LOG_FILE# 发送邮件通知(如果配置了邮件)
if [ -x "/usr/bin/mail" ] && [ -f "/root/.forward" ]; thenmail -s "系统安全检查报告 - $DATE" root < $LOG_FILE
fiecho "安全检查完成: $DATE" >> $LOG_FILE
EOF# 设置脚本权限chmod +x /usr/local/bin/security_check.sh# 添加到crontabif ! crontab -l | grep -q "security_check.sh"; then(crontab -l 2>/dev/null; echo "0 3 * * * /usr/local/bin/security_check.sh") | crontab -log "INFO" "已添加每日安全检查任务"fi# 添加每周系统更新任务#if ! crontab -l | grep -q "dnf update"; then# (crontab -l 2>/dev/null; echo "0 2 * * 0 dnf -y update && dnf -y autoremove") | crontab -# log "INFO" "已添加每周系统更新任务"#fi# 添加每周AIDE数据库更新任务if [ -f "/usr/sbin/aide" ] && ! crontab -l | grep -q "aide --update"; then(crontab -l 2>/dev/null; echo "0 4 * * 0 /usr/sbin/aide --update && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz") | crontab -log "INFO" "已添加每周AIDE数据库更新任务"fi
17.显示完成信息 : show_completion
log "INFO" "系统初始化与安全加固完成"log "INFO" "日志文件: $LOG_FILE"echo ""echo "=============================================="echo "系统初始化与安全加固已完成"echo "=============================================="echo ""echo "重要注意事项:"echo "1. 请检查日志文件: $LOG_FILE"echo "2. 部分安全配置可能需要重启系统才能完全生效"echo "3. 请确保SSH密钥已正确配置,否则可能无法登录系统"echo "4. 建议在生产环境使用前进行全面测试"echo ""echo "推荐后续操作:"echo "1. 配置邮件服务以接收安全警报"echo "2. 设置定期备份重要数据"echo "3. 考虑配置入侵检测系统(IDS)或入侵防御系统(IPS)"echo "4. 定期审查系统日志和安全检查报告"echo ""read -p "是否需要重启系统? (y/n): " choiceif [ "$choice" == "y" ] || [ "$choice" == "Y" ]; thenlog "INFO" "系统将在30秒后重启,请保存未完成的工作"sleep 30rebootfi
结尾
通过本文的系统初始化与安全加固脚本,我们能够在部署 Rocky Linux 9 系统后,第一时间完成标准化配置与安全防护,大幅提升系统上线的效率与安全性。当然,实际环境中可能还需要根据业务需求进一步调整配置策略。
写文不易,如果你都看到了这里,请点个赞和在看,分享给更多的朋友;也别忘了关注星哥玩云!这里有满满的干货分享,还有轻松有趣的技术交流~点个赞、分享给身边的小伙伴,一起成长,一起玩转技术世界吧! 😊