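#!/bin/bash
# Baseline hardening for a RHEL/CentOS-style host (userdel, passwd --stdin,
# chkconfig and /etc/init.d are assumed to exist):
#   - removes unneeded system accounts (lp, uucp, nuucp)
#   - fixes ownership/permissions of /etc/passwd and /etc/group
#   - creates an admin account that may reach root only through the wheel
#     group (pam_wheel + setgid-restricted /bin/su)
#   - builds OpenSSH 5.6p1 from source under /usr/local/openssh and wires
#     up its init script, then sets PermitRootLogin/MaxAuthTries
#   - applies shell timeout, password ageing, default umask and syslog
#     settings, and prints a short checklist for manual review
#
# Required environment (the script refuses to run without them, so that a
# placeholder string can never end up as a real password):
#   ADMIN_PASSWORD   password for the admin account
#   ROOT_PASSWORD    new root password
# Optional environment:
#   ADMIN_USER       admin account name (default: smileserv)
#   OPENSSH_SHA256   expected SHA-256 of the OpenSSH tarball; checked when
#                    set, otherwise a notice is printed and the download is
#                    used unverified
# Must be run as root. Diagnostics go to stderr; checklist output to stdout.
set -uo pipefail

readonly ADMIN_USER=${ADMIN_USER:-smileserv}
readonly OPENSSH_VER=openssh-5.6p1
readonly OPENSSH_URL="http://www.legendry.co.kr/sh/${OPENSSH_VER}.tar.gz"
readonly OPENSSH_PREFIX=/usr/local/openssh
readonly SRC_DIR=/usr/local/src
readonly SSHD_CONFIG="${OPENSSH_PREFIX}/etc/sshd_config"

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Append a line to a file unless that exact line is already present, so a
# re-run does not pile up duplicate directives.
# Arguments: $1 - line, $2 - file (created if missing)
#######################################
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

#######################################
# Set one sshd_config keyword. sshd honours the first value it sees for a
# keyword, so any active (uncommented) directive is removed before ours is
# appended; a plain append, as the original did, is silently ignored when
# an earlier line already sets the keyword.
# Arguments: $1 - keyword (plain identifier), $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  sed -i "/^[[:space:]]*${key}[[:space:]]/d" "$SSHD_CONFIG" || die "cannot edit $SSHD_CONFIG"
  printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
}

#######################################
# Home directory of the admin account, from the passwd database, falling
# back to /home/<user> if the lookup yields nothing.
# Outputs: path on stdout
#######################################
admin_home() {
  local home
  home=$(getent passwd "$ADMIN_USER" | cut -d: -f6)
  printf '%s\n' "${home:-/home/${ADMIN_USER}}"
}

#######################################
# Delete legacy print/uucp accounts. Missing accounts are skipped rather
# than treated as an error.
#######################################
remove_unused_accounts() {
  local u
  for u in lp uucp nuucp; do
    if id "$u" >/dev/null 2>&1; then
      userdel "$u" || die "userdel $u failed"
    fi
  done
}

#######################################
# Make /etc/passwd and /etc/group root-owned and world-readable only.
#######################################
protect_account_files() {
  local f
  for f in /etc/passwd /etc/group; do
    chmod 644 "$f" || die "chmod 644 $f failed"
    chown root "$f" || die "chown root $f failed"
  done
}

#######################################
# Create the admin account, set both passwords, and lock down the shell
# history files. Passwords are fed through stdin (passwd --stdin is a
# RHEL extension) so they never appear on a command line or in ps.
# Globals: ADMIN_USER, ADMIN_PASSWORD, ROOT_PASSWORD
#######################################
create_admin_account() {
  local home
  if ! id "$ADMIN_USER" >/dev/null 2>&1; then
    useradd "$ADMIN_USER" || die "useradd $ADMIN_USER failed"
  fi
  printf '%s\n' "$ADMIN_PASSWORD" | passwd --stdin "$ADMIN_USER" \
    || die "setting password for $ADMIN_USER failed"
  printf '%s\n' "$ROOT_PASSWORD" | passwd --stdin root \
    || die "setting root password failed"

  # The history files do not exist yet on a fresh account, so create them
  # first; otherwise the chmod (as in the original) simply fails.
  home=$(admin_home)
  touch /root/.bash_history "${home}/.bash_history" || die "cannot create history files"
  chmod 600 /root/.bash_history "${home}/.bash_history" || die "chmod history files failed"
  chown "$ADMIN_USER" "${home}/.bash_history" || die "chown ${home}/.bash_history failed"
}

#######################################
# Only members of wheel may run su: group-owned, mode 4750, plus pam_wheel
# in /etc/pam.d/su. The admin account is added to wheel.
# Globals: ADMIN_USER
#######################################
restrict_su_to_wheel() {
  if ! getent group wheel >/dev/null; then
    groupadd wheel || die "groupadd wheel failed"
  fi
  chgrp wheel /bin/su || die "chgrp wheel /bin/su failed"
  chmod 4750 /bin/su || die "chmod 4750 /bin/su failed"
  # -a keeps any groups the account already has; on a fresh account this is
  # the same as the original -G.
  usermod -aG wheel "$ADMIN_USER" || die "usermod -aG wheel $ADMIN_USER failed"
  append_once 'auth required pam_wheel.so use_uid' /etc/pam.d/su
}

#######################################
# Download, verify (when OPENSSH_SHA256 is set), build and install OpenSSH
# under OPENSSH_PREFIX, install the Red Hat init script and PAM file, and
# expose the binaries on PATH.
# Globals: OPENSSH_URL, OPENSSH_VER, OPENSSH_PREFIX, SRC_DIR, OPENSSH_SHA256
#######################################
install_openssh() {
  local tarball="${SRC_DIR}/${OPENSSH_VER}.tar.gz"
  local build="${SRC_DIR}/${OPENSSH_VER}"

  mkdir -p "$SRC_DIR" || die "cannot create $SRC_DIR"
  wget -O "$tarball" "$OPENSSH_URL" || die "download failed: $OPENSSH_URL"

  # The tarball arrives over plain HTTP from a third-party mirror and is
  # then built and installed as root, so its integrity has to be checked
  # against a hash obtained out of band.
  if [[ -n "${OPENSSH_SHA256:-}" ]]; then
    printf '%s  %s\n' "$OPENSSH_SHA256" "$tarball" | sha256sum -c - >/dev/null \
      || die "checksum mismatch for $tarball"
  else
    printf 'NOTICE: OPENSSH_SHA256 not set; %s was NOT verified\n' "$tarball" >&2
  fi

  tar -xzf "$tarball" -C "$SRC_DIR" || die "extracting $tarball failed"
  (
    cd "$build" || exit 1
    ./configure --prefix="$OPENSSH_PREFIX" --with-tcp-wrappers --with-pam --with-md5-passwords \
      && make && make install
  ) || die "OpenSSH build/install failed"

  cp "${build}/contrib/sshd.pam.generic" /etc/pam.d/sshd || die "cannot install /etc/pam.d/sshd"
  cp "${build}/contrib/redhat/sshd.init" /etc/init.d/sshd || die "cannot install /etc/init.d/sshd"
  # With --prefix the binaries live under bin/ and sbin/; the original
  # pointed KEYGEN at ${OPENSSH_PREFIX}/ssh-keygen, which does not exist.
  sed -i \
    -e "s|KEYGEN=/usr/bin/ssh-keygen|KEYGEN=${OPENSSH_PREFIX}/bin/ssh-keygen|" \
    -e "s|SSHD=/usr/sbin/sshd|SSHD=${OPENSSH_PREFIX}/sbin/sshd|" \
    /etc/init.d/sshd || die "cannot edit /etc/init.d/sshd"

  # Link the new binaries into the system paths. Existing distro files are
  # deliberately not overwritten (no -f); ln reports those and continues,
  # and PATH below puts the new tree first anyway.
  ln -s "${OPENSSH_PREFIX}"/bin/* /usr/bin || true
  ln -s "${OPENSSH_PREFIX}"/sbin/* /usr/sbin || true
  # Linking into an existing /etc/ssh directory would create /etc/ssh/etc
  # instead of replacing it, so only link when the path is free.
  [[ -e /etc/ssh ]] || ln -s "${OPENSSH_PREFIX}/etc" /etc/ssh

  chkconfig --add sshd || die "chkconfig --add sshd failed"
  # Literal $PATH so it expands at login, not at install time (the original
  # baked the installer's PATH in, and had a /usr/loca/ typo).
  append_once "export PATH=${OPENSSH_PREFIX}/bin:${OPENSSH_PREFIX}/sbin:\$PATH" /etc/profile
}

#######################################
# Disable root SSH login, cap auth attempts, then validate and restart
# sshd. The restart happens after the config is written; the original
# restarted first, so its settings were not live until the next restart.
# Globals: OPENSSH_PREFIX, SSHD_CONFIG
#######################################
harden_sshd() {
  set_sshd_option PermitRootLogin no
  set_sshd_option MaxAuthTries 3
  "${OPENSSH_PREFIX}/sbin/sshd" -t -f "$SSHD_CONFIG" || die "sshd_config failed validation"
  /etc/init.d/sshd restart || die "sshd restart failed"
}

#######################################
# Idle-shell timeout of 300 s for root and the admin account. Setting
# TMOUT in this script's own environment (as the original did) has no
# effect on the system, so only the profile entries are written.
#######################################
set_session_timeout() {
  local home
  home=$(admin_home)
  append_once 'TMOUT=300' /root/.bash_profile
  append_once 'TMOUT=300' "${home}/.bash_profile"
}

#######################################
# Replace all PASS_* entries in /etc/login.defs with the ageing policy.
#######################################
set_password_policy() {
  sed -i '/PASS_/d' /etc/login.defs || die "cannot edit /etc/login.defs"
  printf '%s\n' \
    'PASS_MAX_DAYS 60' \
    'PASS_MIN_DAYS 7' \
    'PASS_MIN_LEN 8' \
    'PASS_WARN_AGE 7' >> /etc/login.defs
}

#######################################
# Default umask 022 in the system profile/bashrc. The pattern is narrowed
# from the original s/002/022/ so unrelated text containing "002" is not
# rewritten. Sourcing the files here would only affect this script, so it
# is not done.
#######################################
set_default_umask() {
  local f
  for f in /etc/profile /etc/bashrc; do
    [[ -f "$f" ]] || continue
    sed -i 's/umask 002/umask 022/' "$f" || die "cannot edit $f"
  done
}

#######################################
# Add *.notice to the main catch-all rule and send *.alert to the console,
# for whichever of syslog/rsyslog is installed, then restart it.
#######################################
configure_syslog() {
  local svc conf
  for svc in syslog rsyslog; do
    conf="/etc/${svc}.conf"
    [[ -f "$conf" ]] || continue
    # Guarded so a re-run does not append ";*.notice" a second time.
    if ! grep -q 'cron\.none;\*\.notice' "$conf"; then
      sed -i 's/\*\.info;mail\.none;authpriv\.none;cron\.none/&;*.notice/' "$conf" \
        || die "cannot edit $conf"
    fi
    append_once '*.alert /dev/console' "$conf"
    if [[ -x "/etc/init.d/${svc}" ]]; then
      "/etc/init.d/${svc}" restart || die "${svc} restart failed"
    fi
  done
}

#######################################
# Final manual-review output: accounts with UID or GID 0, the full passwd
# file, and the current PATH (the original ran `export $PATH`, which only
# produces an error).
#######################################
print_review_checklist() {
  grep -- ':0:' /etc/passwd || true
  printf '%s\n' 'sync, shutdown, halt, operator 는 GID 0 으로 나오면 정상'
  cat /etc/passwd
  printf '%s\n' '직접 확인하고 로그인이 필요없는 계정은 계정을 삭제하거나 /bin/false 혹은 nologin 으로 설정'
  printf '%s\n' "$PATH"
  printf '%s\n' '. 마침표가 PATH 중간에 있으면 삭제하거나 제일 뒤로 보내기'
}

main() {
  (( EUID == 0 )) || die "this script must be run as root"
  : "${ADMIN_PASSWORD:?ADMIN_PASSWORD must be set in the environment}"
  : "${ROOT_PASSWORD:?ROOT_PASSWORD must be set in the environment}"

  remove_unused_accounts
  protect_account_files
  create_admin_account
  restrict_su_to_wheel
  install_openssh
  harden_sshd
  set_session_timeout
  set_password_policy
  set_default_umask
  configure_syslog
  print_review_checklist
}

main "$@"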