共计 13822 个字符,预计需要花费 35 分钟才能阅读完成。
在服务器运维与系统管理的实际场景中,一个安全、稳定、标准化的系统环境至关重要。Rocky Linux 作为一款企业级稳定发行版,越来越多地被用于生产环境部署。为节省重复配置的时间、降低人为操作失误率,同时提升系统的安全性,编写一套系统初始化与安全加固脚本显得尤为必要。
本文将基于 Rocky Linux 9,介绍如何通过 Shell 脚本实现系统初始化配置(如时间同步、YUM 源更换、基础软件安装)、安全加固(如 SSH 配置、密码策略、防火墙规则等)的一体化自动部署,帮助用户快速构建一套符合安全基线的操作系统环境。
使用
# wget https://gitee.com/funet8/Rocky-Linux-Shell/raw/main/shell/Rocky_Linux_9_system_init_shell_mini.sh
# sh Rocky_Linux_9_system_init_shell_mini.sh
或者
wget -qO- https://gitee.com/funet8/Rocky-Linux-Shell/raw/main/shell/Rocky_Linux_9_system_init_shell_mini.sh | sh主要功能
1. 修改主机名:set_hostname
HOSTNAME="node2"
hostnamectl set-hostname ${HOSTNAME}
2. 安装基础软件包:install_base_software
dnf install -y vim wget curl lrzsz net-tools lsof bash-completion yum-utils tar zip unzip sudo cronie chrony policycoreutils-python-utils
# 安装 EPEL 仓库
dnf install -y epel-release
dnf makecache
# rc.local 添加执行权限
chmod +x /etc/rc.d/rc.local
3. 更新系统:update_system
dnf clean all
dnf -y update
4. 修改 SSH 端口:config_ssh
SSH_PROT="60920"
SSHD_CONFIG="/etc/ssh/sshd_config"
echo "修改 sshd_config 文件..."
if grep -q "^#Port 22" "$SSHD_CONFIG"; then
sed -i "s/^#Port 22/Port ${SSH_PROT}/" "$SSHD_CONFIG"
elif grep -q "^Port" "$SSHD_CONFIG"; then
sed -i "s/^Port .*/Port ${SSH_PROT}/" "$SSHD_CONFIG"
else
echo "Port ${SSH_PROT}" >> "$SSHD_CONFIG"
fi
echo "添加防火墙端口规则..."
firewall-cmd --permanent --add-port=${SSH_PROT}/tcp
firewall-cmd --reload
echo "重启 sshd 服务..."
systemctl restart sshd
5. 配置防火墙:configure_firewall
# 确保防火墙服务已启用
systemctl enable firewalld
systemctl start firewalld
# 开放必要端口
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
# 重新加载防火墙规则
firewall-cmd --reload
6. 配置 SSH 安全:configure_ssh
备份原始配置
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
log "INFO" "已备份 SSH 配置文件: /etc/ssh/sshd_config.bak"
# 配置 SSH 安全选项
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding no/g' /etc/ssh/sshd_config
sed -i 's/#X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config
sed -i 's/#MaxAuthTries 6/MaxAuthTries 3/g' /etc/ssh/sshd_config
sed -i 's/#LoginGraceTime 2m/LoginGraceTime 60/g' /etc/ssh/sshd_config
mkdir -p /root/.ssh
# 将公钥写入 authorized_keys 文件
echo "$PUB_KEY" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chmod 700 /root/.ssh
# 重启 SSH 服务以应用更改
systemctl restart sshd
7. 配置 SELinux:configure_selinux
cp /etc/selinux/config /etc/selinux/config.bak
log "INFO" "已备份 SELinux 配置文件: /etc/selinux/config.bak"
# 设置 SELinux 为强制模式
sed -i 's/SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/config
sed -i 's/SELINUX=disabled/SELINUX=enforcing/g' /etc/selinux/config
# 检查当前 SELinux 状态
current_status=$(getenforce)
if ["$current_status" != "Enforcing"]; then
log "WARNING" "SELinux 当前状态为 $current_status,需要重启系统以应用更改"
log "WARNING" "当前配置已设置为强制模式,重启后生效"
else
log "INFO" "SELinux 已处于强制模式"
fi
8. 配置系统日志:configure_logging
# 确保 rsyslog 服务已启用
systemctl enable rsyslog
systemctl start rsyslog
# 配置日志轮转
cat > /etc/logrotate.d/secure << "EOF"
/var/log/secure {
daily
missingok
rotate 7
compress
delaycompress
notifempty
create 600 root root
sharedscripts
postrotate
/usr/bin/systemctl restart rsyslog.service > /dev/null 2>&1 || true
endscript
}
EOF
# 配置日志大小限制
cat > /etc/systemd/journald.conf << "EOF"
[Journal]
Storage=persistent
Compress=yes
SyncIntervalSec=5m
RateLimitIntervalSec=30s
RateLimitBurst=1000
SystemMaxUse=100M
SystemMaxFileSize=20M
EOF
# 重启 journald 服务
systemctl restart systemd-journald
9. 配置账户安全:configure_accounts
# 设置密码复杂度策略
if [! -f "/etc/pam.d/system-auth.bak"]; then
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
log "INFO" "已备份系统认证配置: /etc/pam.d/system-auth.bak"
fi
# 添加密码复杂度要求
sed -i 's/password requisite pam_pwquality.so/password requisite pam_pwquality.so minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1/g' /etc/pam.d/system-auth
# 设置密码过期策略
cat > /etc/login.defs << "EOF"
# 密码过期设置
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 14
# 账户设置
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
CREATE_HOME yes
UMASK 077
ENCRYPT_METHOD SHA512
EOF
# 锁定不必要的账户
for user in adm lp sync shutdown halt news uucp operator games gopher; do
if id "$user" &>/dev/null; then
usermod -L "$user"
log "INFO" "已锁定账户: $user"
fi
done
log "INFO" "账户安全配置完成"
log "INFO" "已设置密码复杂度要求和过期策略"
return 0
}
# 配置系统资源限制
configure_resource_limits() {
log "INFO" "配置系统资源限制..."
# 设置用户资源限制
cat > /etc/security/limits.conf << "EOF"
# 资源限制配置
* hard core 0
* hard nproc 10000
* hard nofile 65535
root hard nproc unlimited
root hard nofile 65535
EOF
# 配置 PAM 以应用资源限制
if ! grep -q "pam_limits.so" /etc/pam.d/common-session; then
echo "session required pam_limits.so" >> /etc/pam.d/common-session
fi
log "INFO" "系统资源限制配置完成"
10. 配置系统资源限制:configure_resource_limits
# 设置用户资源限制
cat > /etc/security/limits.conf << "EOF"
# 资源限制配置
* hard core 0
* hard nproc 10000
* hard nofile 65535
root hard nproc unlimited
root hard nofile 65535
EOF
# 配置 PAM 以应用资源限制
if ! grep -q "pam_limits.so" /etc/pam.d/common-session; then
echo "session required pam_limits.so" >> /etc/pam.d/common-session
fi
11. 配置网络安全:configure_network_security
cp /etc/sysctl.conf /etc/sysctl.conf.bak
log "INFO" "已备份系统参数配置: /etc/sysctl.conf.bak"
# 配置系统网络参数
cat > /etc/sysctl.d/99-security-hardening.conf << "EOF"
# 防止 IP 欺骗
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# 禁用 IP 源路由
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# 禁用 ICMP 重定向
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# 不发送 ICMP 重定向
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# 启用 SYN 洪水保护
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3
# 禁用 IP 转发
net.ipv4.ip_forward = 0
# 启用 IP 转发,改为此配置,并且执行生效:sysctl -p
# net.ipv4.ip_forward = 1
# 禁用 IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# 启用内核保护
kernel.exec-shield = 1
kernel.randomize_va_space = 2
# 限制 core 文件大小
fs.suid_dumpable = 0
# 提高网络性能
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 4096
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_timestamps = 0
EOF
# 应用系统参数
sysctl --system
12. 配置 Cron 和 at 服务:configure_cron
# 确保 Cron 服务已启用
systemctl enable crond
systemctl start crond
# 确保 atd 服务已禁用
systemctl disable atd
systemctl stop atd
# 配置 Cron 安全
chmod 600 /etc/crontab
chmod 600 /etc/cron.hourly
chmod 600 /etc/cron.daily
chmod 600 /etc/cron.weekly
chmod 600 /etc/cron.monthly
chmod 600 /etc/cron.d
# 限制访问 Cron
echo "root" > /etc/cron.allow
rm -f /etc/cron.deny
13. 自动配置 chronyd 同步时间:configure_time
dnf install -y chrony
sed -i 's/^server/#server/g' /etc/chrony.conf
echo "server ntp.aliyun.com iburst" >> /etc/chrony.conf
echo "server 0.centos.pool.ntp.org iburst" >> /etc/chrony.conf
echo "server 1.centos.pool.ntp.org iburst" >> /etc/chrony.conf
echo "server 2.centos.pool.ntp.org iburst" >> /etc/chrony.conf
echo "server 3.centos.pool.ntp.org iburst" >> /etc/chrony.conf
systemctl restart chronyd
systemctl enable chronyd
14. 配置系统审计:configure_audit
# 安装 auditd
dnf -y install audit audit-libs
# 备份原始配置
cp /etc/audit/auditd.conf /etc/audit/auditd.conf.bak
log "INFO" "已备份审计配置: /etc/audit/auditd.conf.bak"
# 配置 auditd
sed -i 's/max_log_file = 8/max_log_file = 100/g' /etc/audit/auditd.conf
sed -i 's/max_log_file_action = ROTATE/max_log_file_action = KEEP_LOGS/g' /etc/audit/auditd.conf
sed -i 's/num_logs = 5/num_logs = 50/g' /etc/audit/auditd.conf
# 配置审计规则
cat > /etc/audit/rules.d/audit.rules << "EOF"
# 基本审计规则
## 登录和认证
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
## 账户和权限
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
## 关键文件和目录
-w /etc/sudoers -p wa -k sudo
-w /etc/ssh/sshd_config -p wa -k sshd
-w /etc/selinux/ -p wa -k selinux
-w /etc/grub2.cfg -p wa -k bootloader
-w /etc/localtime -p wa -k time-change
## 系统事件
-w /var/log/audit/ -p wa -k auditd
-w /etc/sysctl.conf -p wa -k sysctl
-w /usr/bin/newgrp -p x -k privileged
-w /usr/bin/sudo -p x -k privileged
-w /usr/bin/su -p x -k privileged
## 内核模块
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module,finit_module -k modules
## 关键系统调用
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S clone -S fork -S vfork -k process
-a always,exit -F arch=b32 -S clone -S fork -S vfork -k process
## 网络活动
-a always,exit -F arch=b64 -S socket -S bind -S connect -k network
-a always,exit -F arch=b32 -S socket -S bind -S connect -k network
## 特权命令
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
## 敏感文件
-a always,exit -F path=/etc/issue -F perm=wa -F auid>=1000 -F auid!=unset -k etc-files
-a always,exit -F path=/etc/issue.net -F perm=wa -F auid>=1000 -F auid!=unset -k etc-files
-a always,exit -F path=/etc/motd -F perm=wa -F auid>=1000 -F auid!=unset -k etc-files
-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -k etc-files
-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -k etc-files
-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -k etc-files
-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -k etc-files
-a always,exit -F path=/etc/sudoers -F perm=r -F auid>=1000 -F auid!=unset -k sudoers
## 审计配置
-w /etc/audit/ -p wa -k auditd
-w /etc/libaudit.conf -p wa -k auditd
-w /etc/audisp/ -p wa -k auditd
# 性能优化
-f 2
EOF
# 启用并启动 auditd 服务
systemctl enable auditd
systemctl restart auditd
15. 安装安全工具:install_security_tools
# 安装基础安全工具
# 如果报错:Error: Unable to find a match: lynis rkhunter fail2ban
# dnf install -y epel-release
dnf -y install aide lynis rkhunter fail2ban nmap sysstat lsof bind-utils
# 初始化 AIDE
if [-f "/usr/sbin/aide"]; then
/usr/sbin/aide --init
if [-f "/var/lib/aide/aide.db.new.gz"]; then
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
log "INFO" "AIDE 数据库已初始化"
fi
fi
# 配置 fail2ban
if [-f "/etc/fail2ban/jail.conf"]; then
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sed -i 's/bantime = 10m/bantime = 1h/g' /etc/fail2ban/jail.local
sed -i 's/maxretry = 5/maxretry = 3/g' /etc/fail2ban/jail.local
# 确保 fail2ban 服务已启用
systemctl enable fail2ban
systemctl start fail2ban
log "INFO" "fail2ban 已配置"
fi
log "INFO" "安全工具安装完成"
16. 配置定时任务:configure_scheduled_tasks(未开启)
# 创建安全检查脚本
cat > /usr/local/bin/security_check.sh << "EOF"
#!/bin/bash
# 安全检查脚本
LOG_FILE="/var/log/security_check_$(date +%Y%m%d).log"
DATE=$(date "+%Y-%m-%d %H:%M:%S")
echo "==========================================" > $LOG_FILE
echo "安全检查报告 - $DATE" >> $LOG_FILE
echo "==========================================" >> $LOG_FILE
echo "" >> $LOG_FILE
# 检查系统更新
echo "系统更新状态:" >> $LOG_FILE
dnf check-update >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE
# 检查登录失败
echo "最近登录失败记录:" >> $LOG_FILE
lastb | head -n 10 >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE
# 检查 root 登录
echo "最近 root 登录记录:" >> $LOG_FILE
last root | head -n 10 >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE
# 检查系统日志
echo "系统安全日志:" >> $LOG_FILE
grep -i "failed\|error\|denied\|refused\|invalid" /var/log/secure | tail -n 20 >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE
# 检查监听端口
echo "当前监听端口:" >> $LOG_FILE
ss -tuln >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE
# 检查可疑进程
echo "可疑进程:" >> $LOG_FILE
ps aux | grep -v grep | egrep "root|sudo|bash|sh|python|perl" | awk '$3 > 10 || $4 > 10' >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE
# 检查开放文件
echo "打开的文件数量:" >> $LOG_FILE
lsof | wc -l >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE
# 检查 SELinux 状态
echo "SELinux 状态:" >> $LOG_FILE
getenforce >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE
# 检查防火墙状态
echo "防火墙状态:" >> $LOG_FILE
firewall-cmd --list-all >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE
# 检查磁盘使用情况
echo "磁盘使用情况:" >> $LOG_FILE
df -h >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE
# 检查内存使用情况
echo "内存使用情况:" >> $LOG_FILE
free -m >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE
# 检查 CPU 使用情况
echo "CPU 使用情况:" >> $LOG_FILE
top -bn1 | head -n 5 >> $LOG_FILE 2>&1
echo "" >> $LOG_FILE
# 检查 AIDE 完整性
echo "文件完整性检查:" >> $LOG_FILE
if [-f "/usr/sbin/aide"]; then
/usr/sbin/aide --check >> $LOG_FILE 2>&1
else
echo "AIDE 未安装" >> $LOG_FILE
fi
echo "" >> $LOG_FILE
# 检查 rkhunter
echo "Rootkit 检查:" >> $LOG_FILE
if [-f "/usr/bin/rkhunter"]; then
/usr/bin/rkhunter --check --skip-keypress >> $LOG_FILE 2>&1
else
echo "rkhunter 未安装" >> $LOG_FILE
fi
echo "" >> $LOG_FILE
# 发送邮件通知(如果配置了邮件)
if [-x "/usr/bin/mail"] && [-f "/root/.forward"]; then
mail -s "系统安全检查报告 - $DATE" root < $LOG_FILE
fi
echo "安全检查完成: $DATE" >> $LOG_FILE
EOF
# 设置脚本权限
chmod +x /usr/local/bin/security_check.sh
# 添加到 crontab
if ! crontab -l | grep -q "security_check.sh"; then
(crontab -l 2>/dev/null; echo "0 3 * * * /usr/local/bin/security_check.sh") | crontab -
log "INFO" "已添加每日安全检查任务"
fi
# 添加每周系统更新任务
#if ! crontab -l | grep -q "dnf update"; then
# (crontab -l 2>/dev/null; echo "0 2 * * 0 dnf -y update && dnf -y autoremove") | crontab -
# log "INFO" "已添加每周系统更新任务"
#fi
# 添加每周 AIDE 数据库更新任务
if [-f "/usr/sbin/aide"] && ! crontab -l | grep -q "aide --update"; then
(crontab -l 2>/dev/null; echo "0 4 * * 0 /usr/sbin/aide --update && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz") | crontab -
log "INFO" "已添加每周 AIDE 数据库更新任务"
fi
17. 显示完成信息:show_completion
log"INFO"" 系统初始化与安全加固完成"
log "INFO" "日志文件: $LOG_FILE"
echo ""
echo "=============================================="
echo "系统初始化与安全加固已完成"
echo "=============================================="
echo ""
echo "重要注意事项:"
echo "1. 请检查日志文件: $LOG_FILE"
echo "2. 部分安全配置可能需要重启系统才能完全生效"
echo "3. 请确保 SSH 密钥已正确配置,否则可能无法登录系统"
echo "4. 建议在生产环境使用前进行全面测试"
echo ""
echo "推荐后续操作:"
echo "1. 配置邮件服务以接收安全警报"
echo "2. 设置定期备份重要数据"
echo "3. 考虑配置入侵检测系统 (IDS) 或入侵防御系统(IPS)"
echo "4. 定期审查系统日志和安全检查报告"
echo ""
read -p "是否需要重启系统? (y/n):" choice
if ["$choice" == "y"] || ["$choice" == "Y"]; then
log "INFO" "系统将在 30 秒后重启,请保存未完成的工作"
sleep 30
reboot
fi
结尾
通过本文的系统初始化与安全加固脚本,我们能够在部署 Rocky Linux 9 系统后,第一时间完成标准化配置与安全防护,大幅提升系统上线的效率与安全性。当然,实际环境中可能还需要根据业务需求进一步调整配置策略。
正文完
星哥玩云-微信公众号
