kylin_base.sh
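#!/bin/bash
#
# kylin_base.sh - baseline hardening for a Kylin (RHEL-like) host.
#
# Must run as root. In order it:
#   1. backs up every file it is about to edit (suffix _<timestamp>);
#   2. creates the admin account "aqjg" (wheel member, 365-day password age);
#   3. restricts SSH logins to an interactively supplied user list;
#   4. installs a login banner in /etc/motd, /etc/issue and /etc/issue.net;
#   5. sets a 300 s shell idle timeout in /etc/profile;
#   6. enables pam_tally2 lockout for SSH (6 failures, 60 s unlock);
#   7. locks unused system accounts and gives them /bin/false as shell;
#   8. sets PASS_MAX_DAYS=90, PASS_MIN_LEN=8, PASS_WARN_AGE=14 in login.defs;
#   9. sets the default umask to 027 in the global shell rc files.
#
# Environment:
#   AQJG_PASSWORD  password for "aqjg"; prompted for (no echo) when unset, so
#                  the secret never has to be hard-coded in this file.
#
# sshd is not restarted here; the AllowUsers change takes effect on the next
# sshd reload. PermitRootLogin is intentionally left untouched.
set -uo pipefail

readonly ADMIN_USER='aqjg'
readonly BANNER='Authorized users only. All activities may be monitored and reported.'
readonly SSHD_CONFIG='/etc/ssh/sshd_config'
readonly LOGIN_DEFS='/etc/login.defs'
readonly PAM_SSHD='/etc/pam.d/sshd'
# One timestamp shared by every backup made in this run.
NOW=$(date +%Y-%m-%d_%H%M%S)
readonly NOW

#######################################
# Print a message to stderr and abort the script.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Copy each file this script edits to <file>_<NOW>, preserving mode and owner
# (matters for /etc/shadow). Files a distro does not ship are skipped.
# Globals: NOW (read)
#######################################
backup_configs() {
  local -a files=(
    "$SSHD_CONFIG" "$LOGIN_DEFS" /etc/passwd /etc/shadow /etc/profile
    "$PAM_SSHD" /etc/csh.login /etc/csh.cshrc /etc/bashrc
  )
  local f
  for f in "${files[@]}"; do
    [[ -f "$f" ]] || continue
    cp -p -- "$f" "${f}_${NOW}" || die "backup of $f failed"
  done
}

#######################################
# Create the admin account (if absent), set its password and a 365-day
# maximum password age.
# Globals: ADMIN_USER (read), AQJG_PASSWORD (read, optional)
#######################################
create_admin_user() {
  local pw
  if id "$ADMIN_USER" >/dev/null 2>&1; then
    printf '%s already exists, skipping useradd\n' "$ADMIN_USER" >&2
  else
    useradd -G wheel "$ADMIN_USER" || die "useradd $ADMIN_USER failed"
  fi
  if [[ -n "${AQJG_PASSWORD:-}" ]]; then
    pw=$AQJG_PASSWORD
  else
    # -s keeps the secret off the terminal; it is passed on stdin below, so it
    # never shows up in argv or in an 'xtrace' log.
    read -rs -p "Password for ${ADMIN_USER}: " pw
    printf '\n'
    [[ -n "$pw" ]] || die "empty password refused"
  fi
  printf '%s:%s\n' "$ADMIN_USER" "$pw" | chpasswd || die "setting password failed"
  chage -M 365 "$ADMIN_USER"
}

#######################################
# Ask for the SSH user allow-list, validate it, and replace any existing
# AllowUsers directive with it. Validation runs before any edit so a rejected
# input leaves sshd_config untouched.
# Globals: SSHD_CONFIG, ADMIN_USER, NOW (read)
#######################################
restrict_ssh_users() {
  local -a users=()
  local u
  # read -a splits on whitespace into an array without pathname expansion, so a
  # stray '*' in the input can never turn into a file list.
  read -r -a users -p "请输入允许ssh远程登录的用户名(以空格分隔):" || die "no input"
  printf '\033[31m Your input are:.%s \033[0m\n' "${users[*]}"
  # An empty list would write a bare "AllowUsers", which sshd rejects.
  (( ${#users[@]} > 0 )) || die "bad: user list is empty"
  for u in "${users[@]}"; do
    # Same character set the original accepted (letters, digits, '-', '_');
    # user@host and wildcard forms are deliberately refused, and nothing that
    # could be mis-parsed by sshd reaches the config file.
    [[ "$u" =~ ^[A-Za-z0-9_-]+$ ]] || die "bad: invalid user name '$u'"
    id "$u" >/dev/null 2>&1 || printf 'warning: %s does not exist on this host\n' "$u" >&2
  done
  printf '%s\n' "${users[@]}" | grep -qx "$ADMIN_USER" \
    || printf 'warning: %s is not in the AllowUsers list\n' "$ADMIN_USER" >&2

  # Comment out every existing AllowUsers line so only ours is live.
  sed -i '/^[[:space:]]*AllowUsers/s/^/#/' "$SSHD_CONFIG"
  printf 'AllowUsers %s\n' "${users[*]}" >> "$SSHD_CONFIG"

  # Syntax-check the result; on failure roll back to this run's backup so a
  # bad directive cannot lock everyone out at the next sshd restart.
  if command -v sshd >/dev/null 2>&1 && ! sshd -t; then
    [[ -f "${SSHD_CONFIG}_${NOW}" ]] && cp -p -- "${SSHD_CONFIG}_${NOW}" "$SSHD_CONFIG"
    die "sshd_config rejected by 'sshd -t'; previous version restored"
  fi
}

#######################################
# Write the login banner to motd, issue and issue.net.
# Globals: BANNER (read)
#######################################
set_banners() {
  local f
  for f in /etc/motd /etc/issue /etc/issue.net; do
    printf '%s\n' "$BANNER" > "$f"
  done
}

#######################################
# Add a 300 s idle timeout to /etc/profile, once (re-runs do not duplicate it).
# NOTE(review): a plain export can be unset by the user in their own shell;
# 'readonly TMOUT' would make it sticky - confirm whether that is wanted.
#######################################
set_session_timeout() {
  grep -qxF 'export TMOUT=300' /etc/profile \
    || printf 'export TMOUT=300\n' >> /etc/profile
}

#######################################
# Enable pam_tally2 lockout for SSH unless an active (uncommented) line is
# already present. Refuses to proceed when the module is not installed, since
# a "required" entry for a missing module fails every SSH login.
# Globals: PAM_SSHD (read)
#######################################
configure_pam_lockout() {
  local mod found=0
  if grep -qE '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_tally2' "$PAM_SSHD"; then
    return 0
  fi
  for mod in /lib64/security/pam_tally2.so /lib/security/pam_tally2.so \
             /usr/lib64/security/pam_tally2.so /usr/lib/security/pam_tally2.so; do
    if [[ -f "$mod" ]]; then
      found=1
      break
    fi
  done
  (( found )) || die "pam_tally2.so not found; newer Linux-PAM typically ships pam_faillock instead - resolve before re-running"
  # NOTE(review): appended at the end of the stack, as the original did.
  # pam_tally2 is usually placed before the first 'sufficient' auth module for
  # deny= to take effect - confirm the resulting order on the target host.
  printf 'auth required pam_tally2.so deny=6 unlock_time=60\n' >> "$PAM_SSHD"
}

#######################################
# Lock the password of each unused system account that exists and set its
# shell to /bin/false, using usermod when available and chsh otherwise.
#######################################
lock_system_accounts() {
  local shell_cmd acct
  if command -v usermod >/dev/null 2>&1; then
    shell_cmd=usermod
  else
    shell_cmd=chsh
  fi
  for acct in lp uucp games nobody rpm smmsp nfsnobody listen gdm webservd nobody4 noaccess; do
    if id "$acct" >/dev/null 2>&1; then
      passwd -l "$acct"
      "$shell_cmd" -s /bin/false "$acct"
    else
      printf '%s not exist on the host\n' "$acct"
    fi
  done
}

#######################################
# Set KEY to VALUE in /etc/login.defs, replacing any current value (not only
# the distro default) or appending the line when the key is absent.
# NOTE(review): PASS_MIN_LEN in login.defs is ignored on PAM-based hosts where
# pam_pwquality/pam_cracklib governs length - verify which one applies here.
# Arguments: $1 - key (e.g. PASS_MAX_DAYS), $2 - value
# Globals: LOGIN_DEFS (read)
#######################################
set_login_defs() {
  local key=$1 value=$2
  if grep -q "^${key}[[:space:]]" "$LOGIN_DEFS"; then
    sed -i "s/^${key}[[:space:]].*/${key} ${value}/" "$LOGIN_DEFS"
  else
    printf '%s %s\n' "$key" "$value" >> "$LOGIN_DEFS"
  fi
}

#######################################
# Rewrite any trailing "umask NNN" in the global shell rc files to umask 027.
#######################################
set_default_umask() {
  local f
  for f in /etc/profile /etc/bashrc /etc/csh.cshrc; do
    [[ -f "$f" ]] || continue
    sed -i 's#umask [0-9]\{3\}$#umask 027#g' "$f"
  done
}

main() {
  (( EUID == 0 )) || die "must be run as root"
  backup_configs
  create_admin_user
  restrict_ssh_users
  set_banners
  set_session_timeout
  configure_pam_lockout
  lock_system_accounts
  set_login_defs PASS_MAX_DAYS 90
  set_login_defs PASS_MIN_LEN 8
  set_login_defs PASS_WARN_AGE 14
  set_default_umask
  # Kept from the original for reference, still disabled:
  # sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
}

main "$@"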