Skip to content

antony@notes:~/misc$ cat "洞悉-FCB-腳本.md"

洞悉 FCB 腳本

2024-05-10· misc

洞悉 FCB 腳本

腳本變數

#色碼
RED='\033[0;31m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
YELLOW='\033[0;33m'
NC='\033[0m'

bk_time=$(date +"%Y%m%d")
check_failed=()
#判斷SUSE版本
SUSE_ver="$(cat /etc/os-release |grep VERSION_ID | awk -F'"' '{print $2}')"
  • \033[0m,關閉所有屬性

腳本 Function

all() {
	filesystem
	system_setting
	system_service
	software
	network
	audit
	selinux
	cron
	account_permit
	ssh
}
  • all: 套用全部FCB設定(除了firewalld以及iptable)
  • filesystem: 套用磁碟與檔案系統設定,【FCB29-31,322】
  • system_setting: 套用系統設定與維護設定,【FCB32-91,296,306-308,314-316,318-319】
  • system_service: 套用系統服務設定,【FCB92-101,303-305,317】
  • software: 套用安裝與維護軟體設定,【FCB102-107】
  • network: 套用網路設定,【FCB108-131】
  • audit: 套用日誌與稽核,【FCB132-184,293,297-302,321】
  • selinux: 套用SELinux部分設定(不啟用),【FCB185-191】
  • cron: 套用cron設定,【FCB192-207】
  • account_permit: 套用帳號與存取控制設定,【FCB208-243,294-295,320】
  • firewalld: 套用Firewalld配置SLES 15版本用,【FCB244-248】
  • iptable: 套用iptable配置SLES 12版本用,【FCB256-261】
  • ssh: 套用SSH設定,【FCB262-292】

磁碟與檔案系統

FCB 29 項

設定說明

  • 這項原則設定決定所有具有全域寫入 (World-writable) 權限之目錄是否設定粘滯位 (Sticky bit)。
  • 設定粘滯位 (Sticky bit) 確保只有擁有者才能刪除或更名自己建立的檔案,以防止其他使用者任意刪除或更名其他使用者的檔案。

腳本內容

echo "此腳本為FCB for SUSE 磁碟與檔案系統設定(FCB29-31,322)"
echo -e "$BLUE"
echo -e "FCB29 設定全域寫入權限目錄之粘滯位:$NC"
echo -e "${YELLOW}在所有具有全域寫入(World-writable)權限之目錄設定粘滯位:
搜尋所有具有全域寫入(World-writable)權限之目錄${NC}"
output=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \))
if [ -n "$output" ]; then
    echo -e "${RED}檢查出具有全域寫入(World-writable)權限之目錄"
	df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \)
	echo -e "${NC}輸入以下指令設定設定粘滯位:
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod o+t '{}'"
	check_failed+=(29)
else
    echo -e "${GREEN}檢查通過${NC}"
fi

關鍵命令解釋

  • df --local -P
    • df:這個命令用來顯示硬碟使用情況。
    • --local:只顯示本地(非網絡)檔案系統。
    • -P:輸出格式使用 POSIX 標準格式,確保列數據對齊,方便後續處理。
  • awk '{if (NR!=1) print $6}'
    • awk:處理字串的工具,這裡用來處理 df 的輸出。
    • {if (NR!=1) print $6}:如果不是第一行(通常是標題行),則打印每行的第六個字段,分隔符預設是一個空格,這是掛載點的位置。
  • 做到一樣事情但更簡單的命令 :
    • df -l --output=target | tail -n +2
  • xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \)
    • xargs:把標準輸入的字串轉換成命令行參數。
    • -I '{}':自定義替換字符串,這裡指定用 {} 來替換。
    • find:尋找檔案的命令。
    • '{}':被 xargs 替換的掛載點。
    • -xdev:不進入處於其他文件系統之上的目錄。
    • -type d:只尋找目錄。
    • \( -perm -0002 -a ! -perm -1000 \):尋找至少擁有其他人可寫的權限(-perm -0002)且沒有設定 sticky bit(-perm -1000)的目錄。
      • 至少擁有其他人可寫的權限的意思是,只要權限有其他人可寫的這個權限,不管 owner 和 group 權限設定多少,都會被找出來。
  • 2>/dev/null
    • 將所有錯誤訊息重定向到黑洞裝置 /dev/null(忽略錯誤訊息)。
  • xargs -I '{}' chmod o+t '{}'
    • 再次使用 xargs 接收前一個命令的輸出。
    • chmod o+t '{}':對找到的每個目錄設置 sticky bit,以防止非擁有者刪除或更改其他用戶的檔案。

FCB 30 項

設定說明

  • 這項原則設定決定是否使用 autofs 服務
  • autofs 服務可自動掛載或卸載光碟機、USB 裝置及 NFS 檔案系統的掛載點,讓任何使用者都可以使用 autofs 服務掛載裝置與檔案系統
  • 當系統不需自動掛載 NFS 檔案系統或可攜式儲存裝置時,建議停用此服務。如有掛載需求,建議透過設定 /etc/fstab 檔案方式進行掛載

腳本內容

echo -e "$BLUE"
echo -e "FCB30 autofs服務"
output=$(systemctl status autofs)
if systemctl is-enabled autofs &> /dev/null; then
	echo -e "${RED}autofs服務已啟用,需要禁用${NC}"
	echo "輸入以下指令設定autofs禁用:
systemctl --now disable autofs"
	check_failed+=(30)
else
    echo -e "${GREEN}檢查通過${NC}"
fi

關鍵命令解釋

  • systemctl is-enabled autofs
    • is-enabled,檢查服務是否設為開機自動啟動了。

account_permit

設定說明

  • 備份檔案

腳本內容

echo "此腳本為FCB for SUSE 帳號與存取控制(FCB208-243,294-295,320)"
#備份/etc/pam.d/common-password-pc
if [ ! -f "/etc/pam.d/common-password-pc.ori" ];then
	cp -p "/etc/pam.d/common-password-pc" "/etc/pam.d/common-password-pc.ori"
else
	cp -p "/etc/pam.d/common-password-pc" "/etc/pam.d/common-password-pc.bk$bk_time"
fi
#備份/etc/pam.d/login
if [ ! -f "/etc/pam.d/login.ori" ];then
	cp -p "/etc/pam.d/login" "/etc/pam.d/login.ori"
else
	cp -p "/etc/pam.d/login" "/etc/pam.d/login.bk$bk_time"
fi
#備份/etc/login.defs
if [ ! -f "/etc/login.defs.ori" ];then
	cp -p "/etc/login.defs" "/etc/login.defs.ori"
else
	cp -p "/etc/login.defs" "/etc/login.defs.bk$bk_time"
fi
#備份/etc/security/limits.conf
if [ ! -f "/etc/security/limits.conf.ori" ];then
	cp -p "/etc/security/limits.conf" "/etc/security/limits.conf.ori"
else
	cp -p "/etc/security/limits.conf" "/etc/security/limits.conf.bk$bk_time"
fi
###/etc/dconf/db/local.d/00-screensaver預設不存在,故不備份
#備份/etc/gdm/custom.conf
if [ ! -f "/etc/gdm/custom.conf.ori" ];then
	cp -p "/etc/gdm/custom.conf" "/etc/gdm/custom.conf.ori"
else
	cp -p "/etc/gdm/custom.conf" "/etc/gdm/custom.conf.bk$bk_time"
fi
#備份/etc/bash.bashrc
if [ ! -f "/etc/bash.bashrc.ori" ];then
	cp -p "/etc/bash.bashrc" "/etc/bash.bashrc.ori"
else
	cp -p "/etc/bash.bashrc" "/etc/bash.bashrc.bk$bk_time"
fi
#備份/etc/profile
if [ ! -f "/etc/profile.ori" ];then
	cp -p "/etc/profile" "/etc/profile.ori"
else
	cp -p "/etc/profile" "/etc/profile.bk$bk_time"
fi
###/etc/dconf/db/local.d/locks/session預設不存在,故不備份
#備份/etc/pam.d/su
if [ ! -f "/etc/pam.d/su.ori" ];then
	cp -p "/etc/pam.d/su" "/etc/pam.d/su.ori"
else
	cp -p "/etc/pam.d/su" "/etc/pam.d/su.bk$bk_time"
fi
#FCB208-219


echo -e "$BLUE"
echo -e "FCB208-219 設定使用者帳號密碼設定規則:${YELLOW}請檢查輸出是否相符${NC}"
pam-config -a --cracklib-minlen=12 --cracklib-retry=3 --cracklib-lcredit=-1 --cracklib-ucredit=-1 --cracklib-dcredit=-1 --cracklib-ocredit=-1 --cracklib-reject_username=-1 --cracklib --cracklib-difok=3 --cracklib-maxclassrepeat=4 --cracklib-maxrepeat=3 --cracklib-enforce_for_root
echo -e "/etc/pam.d/common-password-pc目前設定:"
grep pam_cracklib.so /etc/pam.d/common-password-pc
echo -e "${YELLOW}範例:
password        requisite       pam_cracklib.so reject_username enforce_for_root retry=3 difok=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 maxrepeat=3 maxclassrepeat=4${NC}"

關鍵命令解釋

  • FCB208--cracklib-retry=3 可設定密碼次數
  • FCB 209 --cracklib-enforce_for_root 強制root密碼須符合密碼規則
  • FCB 210 --cracklib-minlen=12 密碼最小長度
  • FCB 211 --cracklib-lcredit=-1 --cracklib-ucredit=-1 --cracklib-dcredit=-1 --cracklib-ocredit=-1 密碼必須至少包含字元類別數量

firewalld

FCB 244-248 項

設定說明

  •   這項原則設定決定是否安裝firewalld防火牆套件 *  藉由防火牆管理與設定,以保護系統安全

腳本內容

echo "SLSE 15 firewalld setup config"

echo -e "${BLUE}FCB244-245 firewalld防火牆套件安裝並啟用${NC}"
# FCB 244
zypper install firewalld
rpm -qa firewalld --qf '(%{INSTALLTIME:date}): %{NAME}-%{VERSION}\n'
# FCB 245
systemctl --now enable firewalld
systemctl status firewalld

echo -e "${BLUE}FCB246 停用並遮蔽iptables及nftables服務${NC}"
# FCB 246
systemctl --now mask iptables
# FCB 247
systemctl --now mask nftables

systemctl status iptables
systemctl status nftables

# FCB 248 
firewall-cmd --list-all
echo -e "${YELLOW}請使用指令檢查目前firewall zone以及網路設定,設定範例如下:
firewall-cmd --set-default-zone=public
firewall-cmd --permanent --zone=public --add-interface=eth0
firewall-cmd --permanent --zone=public --add-service=ssh
firewall-cmd --list-all
firewall-cmd --reload
systemctl restart firewalld${NC}"

iptable

FCB256 - 261項

腳本內容

echo "SLSE 12SP5 iptable setup config"
# FCB 256
echo -e "${BLUE}FCB256 iptables服務安裝並啟用${NC}"
zypper install iptable
rpm -qa iptables --qf '(%{INSTALLTIME:date}): %{NAME}-%{VERSION}\n'
#FCB 257
echo -e "${BLUE}FCB257 停用並遮蔽Firewalld服務${NC}"
systemctl --now mask firewalld
systemctl status firewalld

echo -e "${YELLOW}腳本自動套用iptable設定${NC}"

iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A FORWARD -j ACCEPT
# FCB 258
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# FCB 259
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -j DROP

ip6tables --list-rules

ip6tables -A INPUT -j ACCEPT
ip6tables -A OUTPUT -j ACCEPT
ip6tables -A FORWARD -j ACCEPT
# FCB 260
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# FCB 261
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -s ::1 -j DROP

iptables --list-rules

iptables-save > /etc/sysconfig/iptables
ip6tables-save > /etc/sysconfig/ip6tables

echo "iptables-restore /etc/sysconfig/iptables
ip6tables-restore /etc/sysconfig/ip6tables" >> /etc/init.d/after.local

ssh

備份 FCB 262-292項

設定說明

  • 依時間備分sshd_config的設定檔

腳本內容

#備份/etc/ssh/sshd_config
if [ ! -f "/etc/ssh/sshd_config.ori" ];then
	cp -p "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.ori"
else
	cp -p "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bk$bk_time"
fi
#備份/etc/sysconfig/sshd
#if [ ! -f "/etc/sysconfig/sshd.ori" ];then
#	cp -p "/etc/sysconfig/sshd" "/etc/sysconfig/sshd.ori"
#else
#	cp -p "/etc/sysconfig/sshd" "/etc/sysconfig/sshd.bk$bk_time"
#fi

關鍵命令解釋

  • cp -p
    • -p: 複製檔案保留檔案最原始的權限跟郵戳
  • [ ! -f "/etc/sysconfig/sshd.ori" ]
    • [! -f "/etc/sysconfig/sshd.ori" ] 檢查/etc/sysconfig/sshd.ori這個檔案是否不存在

FCB 262 項

設定說明

  • 安裝sshd套件

腳本內容

echo -e "$BLUE"
echo -e "FCB262 安裝sshd套件 :$YELLOW 請檢查以下輸出$NC"
zypper install openssh-server.x86_64
systemctl --now enable sshd.service

FCB 263 項

設定說明

  • 檢查SSH 的 Protocol設定使用SSHv2連線

腳本內容

#SSH協定版本
if grep -qE "^Protocol\s+2$" /etc/ssh/sshd_config ; then
	echo -e "$BLUE"
	echo -e "FCB263 SSH協定版本:$GREEN 正確$NC"
	grep -E "^Protocol\s+2$" /etc/ssh/sshd_config
else
	echo -e "$BLUE"
	echo -e "FCB263 SSH協定版本:$GREEN 完成$NC"
	sed -i 's/^Protocol/#Protocol/g' /etc/ssh/sshd_config
	echo -e "Protocol        2" >> "/etc/ssh/sshd_config"
	echo "新增限制存取SSH參數至 /etc/ssh/sshd_config"
	grep -E "^Protocol\s+2$" /etc/ssh/sshd_config
fi

關鍵命令解釋

  • `“Protocol 2” » “/etc/ssh/sshd_config”
    • Protocol 2 讓SSH 套用 SSHv2 協議 它的運作方式如下:將SSHv2伺服器設定為能夠接受SSH預設通訊埠22的連線;並關閉其他所有的通訊埠。 然後,將伺服器設定成用戶端能透過通訊埠22來存取其他的網路服務。 之後將用戶端設定成以通訊埠22連上網路,並將所有允許的服務全納入SSHv2的通道中。

FCB264-265 項

設定說明

  • 更新/etc/ssh/sshd_config檔案權限

腳本內容

#更新/etc/ssh/sshd_config檔案權限
echo -e "$BLUE"
echo -e "FCB264-265 更新/etc/ssh/sshd_config檔案權限:$GREEN 完成$NC"
chown root:root /etc/ssh/sshd_config
chmod 600 /etc/ssh/sshd_config
ls -l /etc/ssh/sshd_config

FCB266 項目

設定說明

  • 限制存取SSH

腳本內容

if grep -qE "^AllowGroups\s+root\s+psca\s+psys\s+ppcs\s+pcop\s+pcmd1\s+pchgcmd\s+psftp\s+pftpid0\s+psam\s+pbasis$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB266 限制存取SSH參數:$GREEN 正確$NC"
	grep -E "^AllowGroups\s+root\s+psca\s+psys\s+ppcs\s+pcop\s+pcmd1\s+pchgcmd\s+psftp\s+pftpid0\s+psam\s+pbasis$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB274 限制存取SSH參數:$GREEN 完成$NC"
	sed -i 's/^AllowGroups/#AllowGroups/g' /etc/ssh/sshd_config
	echo -e "AllowGroups root psca psys ppcs pcop pcmd1 pchgcmd psftp pftpid0 psam pbasis" >> "/etc/ssh/sshd_config"
	echo "新增限制存取SSH參數至 /etc/ssh/sshd_config"
	grep -E "^AllowGroups\s+root\s+psca\s+psys\s+ppcs\s+pcop\s+pcmd1\s+pchgcmd\s+psftp\s+pftpid0\s+psam\s+pbasis$" "/etc/ssh/sshd_config"
fi

關鍵命令解釋

  • "^AllowGroups\s+root\s+psca\s+psys\s+ppcs\s+pcop\s+pcmd1\s+pchgcmd\s+psftp\s+pftpid0\s+psam\s+pbasis$
    • ^ 是 AllowGroups 開頭。
    • \s+ 表示一個或多個空白字符。
    • $ 表示這行結束

FCB267-270 項

設定說明

  • 設定SSH主機私鑰及公鑰檔案權限

腳本內容

#FCB267-270
#設定SSH主機私鑰及公鑰檔案權限
echo -e "$BLUE"
echo -e "FCB267-270 設定SSH主機私鑰及公鑰檔案權限:$GREEN 完成$NC"
find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:root {} \;
find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod 600 {} \;
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \;
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 644 {} \;

關鍵命令解釋

  • find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 644 {} \
    • -xdev 在當前的檔案係中尋找此檔案 不會找掛載的其他檔案系
    • {} 把 find 指令找到的每一個檔案

FCB271 項

設定說明

  • 設定SSH加密演算法:Ciphers設定、MACs設定、kexalgorithms設定

腳本內容

#設定SSH加密演算法
#Ciphers設定
if grep -qE "^Ciphers\s+aes128-ctr,aes192-ctr,aes256-ctr$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB271 設定SSH加密演算法Ciphers:$GREEN 正確$NC"
	grep -E "^Ciphers\s+aes128-ctr,aes192-ctr,aes256-ctr$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB271 設定SSH加密演算法Ciphers:$GREEN 完成$NC"
	sed -i 's/^Ciphers/#Ciphers/g' /etc/ssh/sshd_config
	echo -e "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> "/etc/ssh/sshd_config"
	echo "新增SSH加密演算法Ciphers參數至 /etc/ssh/sshd_config"
	grep -E "^Ciphers\s+aes128-ctr,aes192-ctr,aes256-ctr$" "/etc/ssh/sshd_config"
fi
#MACs設定
if grep -qE "^MACs\s+hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB271 設定SSH加密演算法MACs:$GREEN 正確$NC"
	grep -E "^MACs\s+hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB271 設定SSH加密演算法MACs:$GREEN 完成$NC"
	sed -i 's/^MACs/#MACs/g' /etc/ssh/sshd_config
	echo -e "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1" >> "/etc/ssh/sshd_config"
	echo "新增SSH加密演算法MACs參數至 /etc/ssh/sshd_config"
	grep -E "^MACs\s+hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1$" "/etc/ssh/sshd_config"
fi
#kexalgorithms設定
if grep -qE "^kexalgorithms\s+ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB271 設定SSH加密演算法kexalgorithms:$GREEN 正確$NC"
	grep -E "^kexalgorithms\s+ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB271 設定SSH加密演算法kexalgorithms:$GREEN 完成$NC"
	sed -i 's/^kexalgorithms/#kexalgorithms/g' /etc/ssh/sshd_config
	echo -e "kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" >> "/etc/ssh/sshd_config"
	echo "新增SSH加密演算法kexalgorithms參數至 /etc/ssh/sshd_config"
	grep -E "^kexalgorithms\s+ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256$" "/etc/ssh/sshd_config"
fi

FCB272 項

設定說明

  • SSH LogLevel參數

腳本內容

if grep -qE "^LogLevel\s+INFO$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB272 SSH LogLevel參數:$GREEN 正確$NC"
	grep -E "^LogLevel\s+INFO$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB272 SSH LogLevel參數:$GREEN 完成$NC"
	sed -i 's/^LogLevel/#LogLevel/g' /etc/ssh/sshd_config
	echo -e "LogLevel INFO" >> "/etc/ssh/sshd_config"
	echo "新增SSH LogLevel參數至 /etc/ssh/sshd_config"
	grep -E "^LogLevel\s+INFO$" "/etc/ssh/sshd_config"
fi

FCB273 項

設定說明

  • SSH X11Forwarding參數

腳本內容

if grep -qE "^X11Forwarding\s+no$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB273 SSH X11Forwarding參數:$GREEN 正確$NC"
	grep -E "^X11Forwarding\s+no$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB273 SSH X11Forwarding參數:$GREEN 完成$NC"
	sed -i 's/^X11Forwarding/#X11Forwarding/g' /etc/ssh/sshd_config
	echo -e "X11Forwarding no" >> "/etc/ssh/sshd_config"
	echo "新增SSH X11Forwarding參數至 /etc/ssh/sshd_config"
	grep -E "^X11Forwarding\s+no$" "/etc/ssh/sshd_config"
fi

FCB274 項

設定說明

  • SSH MaxAuthTries參數

腳本內容

if grep -qE "^MaxAuthTries\s+4$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB274 SSH MaxAuthTries參數:$GREEN 正確$NC"
	grep -E "^MaxAuthTries\s+4$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB274 SSH MaxAuthTries參數:$GREEN 完成$NC"
	sed -i 's/^MaxAuthTries/#MaxAuthTries/g' /etc/ssh/sshd_config
	echo -e "MaxAuthTries 4" >> "/etc/ssh/sshd_config"
	echo "新增SSH MaxAuthTries參數至 /etc/ssh/sshd_config"
	grep -E "^MaxAuthTries\s+4$" "/etc/ssh/sshd_config"
fi

FCB275 項

設定說明

  • SSH IgnoreRhosts參數

腳本內容

if grep -qE "^IgnoreRhosts\s+yes$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB275 SSH IgnoreRhosts參數:$GREEN 正確$NC"
	grep -E "^IgnoreRhosts\s+yes$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB275 SSH IgnoreRhosts參數:$GREEN 完成$NC"
	sed -i 's/^IgnoreRhosts/#IgnoreRhosts/g' /etc/ssh/sshd_config
	echo -e "IgnoreRhosts yes" >> "/etc/ssh/sshd_config"
	echo "新增SSH IgnoreRhosts參數至 /etc/ssh/sshd_config"
	grep -E "^IgnoreRhosts\s+yes$" "/etc/ssh/sshd_config"
fi

FCB276 項

設定說明

  • SSH HostbasedAuthentication參數
if grep -qE "^HostbasedAuthentication\s+no$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB276 SSH HostbasedAuthentication參數:$GREEN 正確$NC"
	grep -E "^HostbasedAuthentication\s+no$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB276 SSH HostbasedAuthentication參數:$GREEN 完成$NC"
	sed -i 's/^HostbasedAuthentication/#HostbasedAuthentication/g' /etc/ssh/sshd_config
	echo -e "HostbasedAuthentication no" >> "/etc/ssh/sshd_config"
	echo "新增SSH HostbasedAuthentication參數至 /etc/ssh/sshd_config"
	grep -E "^HostbasedAuthentication\s+no$" "/etc/ssh/sshd_config"
fi

FCB277 項

設定說明

  • SSH PermitRootLogin參數
  • 編輯 /etc/ssh/sshd_config 檔案, 設定參數如下: PermitRootLogin no
  • 開啟終端機, 執行以下指令, 重新啟動 SSH 服務使其生效:
  • systemctl restart sshd
  • 注意: 請先通知 SSH 服務使用者, 再重啟 SSH 服務, 以避免影響使用者作業

腳本內容

#if grep -qE "^PermitRootLogin\s+no$" "/etc/ssh/sshd_config"; then
#	echo -e "$BLUE"
#	echo -e "FCB277 SSH PermitRootLogin參數:$GREEN 正確$NC"
#	grep -E "^PermitRootLogin\s+no$" "/etc/ssh/sshd_config"
#else
#	echo -e "$BLUE"
#	echo -e "FCB277 SSH PermitRootLogin參數:$GREEN 完成$NC"
#	sed -i 's/^PermitRootLogin/#PermitRootLogin/g' /etc/ssh/sshd_config
#	echo -e "PermitRootLogin no" >> "/etc/ssh/sshd_config"
#	echo "新增SSH PermitRootLogin參數至 /etc/ssh/sshd_config"
#	grep -E "^PermitRootLogin\s+no$" "/etc/ssh/sshd_config"
#fi

FCB278 項

設定說明

  • SSH PermitEmptyPasswords參數

腳本內容

if grep -qE "^PermitEmptyPasswords\s+no$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB278 SSH PermitEmptyPasswords參數:$GREEN 正確$NC"
	grep -E "^PermitEmptyPasswords\s+no$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB278 SSH PermitEmptyPasswords參數:$GREEN 完成$NC"
	sed -i 's/^PermitEmptyPasswords/#PermitEmptyPasswords/g' /etc/ssh/sshd_config
	echo -e "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config"
	echo "新增SSH PermitEmptyPasswords參數至 /etc/ssh/sshd_config"
	grep -E "^PermitEmptyPasswords\s+no$" "/etc/ssh/sshd_config"
fi

FCB279 項

設定說明

  • SSH PermitEmptyPasswords參數

腳本內容

if grep -qE "^PermitUserEnvironment\s+no$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB279 SSH PermitUserEnvironment參數:$GREEN 正確$NC"
	grep -E "^PermitUserEnvironment\s+no$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB279 SSH PermitUserEnvironment參數:$GREEN 完成$NC"
	sed -i 's/^PermitUserEnvironment/#PermitUserEnvironment/g' /etc/ssh/sshd_config
	echo -e "PermitUserEnvironment no" >> "/etc/ssh/sshd_config"
	echo "新增SSH PermitUserEnvironment參數至 /etc/ssh/sshd_config"
	grep -E "^PermitUserEnvironment\s+no$" "/etc/ssh/sshd_config"
fi

FCB280 項

設定說明

  • SSH ClientAliveInterval參數、ClientAliveCountMax參數

腳本內容

if grep -qE "^ClientAliveInterval\s+600$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB280 SSH ClientAliveInterval參數:$GREEN 正確$NC"
	grep -E "^ClientAliveInterval\s+600$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB280 SSH ClientAliveInterval參數:$GREEN 完成$NC"
	sed -i 's/^ClientAliveInterval/#ClientAliveInterval/g' /etc/ssh/sshd_config
	echo -e "ClientAliveInterval 600" >> "/etc/ssh/sshd_config"
	echo "新增SSH ClientAliveInterval參數至 /etc/ssh/sshd_config"
	grep -E "^ClientAliveInterval\s+600$" "/etc/ssh/sshd_config"
fi

if grep -qE "^ClientAliveCountMax\s+0$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB280 SSH ClientAliveCountMax參數:$GREEN 正確$NC"
	grep -E "^ClientAliveCountMax\s+0$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB280 SSH ClientAliveCountMax參數:$GREEN 完成$NC"
	sed -i 's/^ClientAliveCountMax/#ClientAliveCountMax/g' /etc/ssh/sshd_config
	echo -e "ClientAliveCountMax 0" >> "/etc/ssh/sshd_config"
	echo "新增SSH ClientAliveCountMax參數至 /etc/ssh/sshd_config"
	grep -E "^ClientAliveCountMax\s+0$" "/etc/ssh/sshd_config"
fi

FCB281 項

設定說明

  • SSH LoginGraceTime參數

腳本內容

if grep -qE "^LoginGraceTime\s+60$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB281 SSH LoginGraceTime參數:$GREEN 正確$NC"
	grep -E "^LoginGraceTime\s+60$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB281 SSH LoginGraceTime參數:$GREEN 完成$NC"
	sed -i 's/^LoginGraceTime/#LoginGraceTime/g' /etc/ssh/sshd_config
	echo -e "LoginGraceTime 60" >> "/etc/ssh/sshd_config"
	echo "新增SSH LoginGraceTime參數至 /etc/ssh/sshd_config"
	grep -E "^LoginGraceTime\s+60$" "/etc/ssh/sshd_config"
fi

FCB282 項

設定說明

  • SSH UsePAM參數

腳本內容

if grep -qE "^UsePAM\s+yes$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB282 SSH UsePAM參數:$GREEN 正確$NC"
	grep -E "^UsePAM\s+yes$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB282 SSH UsePAM參數:$GREEN 完成$NC"
	sed -i 's/^UsePAM/#UsePAM/g' /etc/ssh/sshd_config
	echo -e "UsePAM yes" >> "/etc/ssh/sshd_config"
	echo "新增SSH UsePAM參數至 /etc/ssh/sshd_config"
	grep -E "^UsePAM\s+yes$" "/etc/ssh/sshd_config"
fi

FCB283 項

設定說明

  • SSH AllowTcpForwarding參數

腳本內容

if grep -qE "^AllowTcpForwarding\s+no$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB283 SSH AllowTcpForwarding參數:$GREEN 正確$NC"
	grep -E "^AllowTcpForwarding\s+no$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB283 SSH AllowTcpForwarding參數:$GREEN 完成$NC"
	sed -i 's/^AllowTcpForwarding/#AllowTcpForwarding/g' /etc/ssh/sshd_config
	echo -e "AllowTcpForwarding no" >> "/etc/ssh/sshd_config"
	echo "新增SSH AllowTcpForwarding參數至 /etc/ssh/sshd_config"
	grep -E "^AllowTcpForwarding\s+no$" "/etc/ssh/sshd_config"
fi

FCB284 項

設定說明

  • SSH maxstartups參數

腳本內容

if grep -qE "^maxstartups\s+10:30:60$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB284 SSH maxstartups參數:$GREEN 正確$NC"
	grep -E "^maxstartups\s+10:30:60$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB284 SSH maxstartups參數:$GREEN 完成$NC"
	sed -i 's/^maxstartups/#maxstartups/g' /etc/ssh/sshd_config
	echo -e "maxstartups 10:30:60" >> "/etc/ssh/sshd_config"
	echo "新增SSH maxstartups參數至 /etc/ssh/sshd_config"
	grep -E "^maxstartups\s+10:30:60$" "/etc/ssh/sshd_config"
fi

FCB285 項

設定說明

  • SSH MaxSessions參數

腳本內容

if grep -qE "^MaxSessions\s+4$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB285 SSH MaxSessions參數:$GREEN 正確$NC"
	grep -E "^MaxSessions\s+4$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB285 SSH MaxSessions參數:$GREEN 完成$NC"
	sed -i 's/^MaxSessions/#MaxSessions/g' /etc/ssh/sshd_config
	echo -e "MaxSessions 4" >> "/etc/ssh/sshd_config"
	echo "新增SSH MaxSessions參數至 /etc/ssh/sshd_config"
	grep -E "^MaxSessions\s+4$" "/etc/ssh/sshd_config"
fi

FCB286 項

設定說明

  • SSH StrictModes參數

腳本內容

if grep -qE "^StrictModes\s+yes$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB286 SSH StrictModes參數:$GREEN 正確$NC"
	grep -E "^StrictModes\s+yes$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB286 SSH StrictModes參數:$GREEN 完成$NC"
	sed -i 's/^StrictModes/#StrictModes/g' /etc/ssh/sshd_config
	echo -e "StrictModes yes" >> "/etc/ssh/sshd_config"
	echo "新增SSH StrictModes參數至 /etc/ssh/sshd_config"
	grep -E "^StrictModes\s+yes$" "/etc/ssh/sshd_config"
fi

FCB287 項

設定說明

  • SSH Compression參數

腳本內容

if grep -qE "^Compression\s+no$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB287 SSH Compression參數:$GREEN 正確$NC"
	grep -E "^Compression\s+no$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB287 SSH Compression參數:$GREEN 完成$NC"
	sed -i 's/^Compression/#Compression/g' /etc/ssh/sshd_config
	echo -e "Compression no" >> "/etc/ssh/sshd_config"
	echo "新增SSH Compression參數至 /etc/ssh/sshd_config"
	grep -E "^Compression\s+no$" "/etc/ssh/sshd_config"
fi

FCB288 項

設定說明

  • SSH IgnoreUserKnownHosts參數

腳本內容

if grep -qE "^IgnoreUserKnownHosts\s+yes$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB288 SSH IgnoreUserKnownHosts參數:$GREEN 正確$NC"
	grep -E "^IgnoreUserKnownHosts\s+yes$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB288 SSH IgnoreUserKnownHosts參數:$GREEN 完成$NC"
	sed -i 's/^IgnoreUserKnownHosts/#IgnoreUserKnownHosts/g' /etc/ssh/sshd_config
	echo -e "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config"
	echo "新增SSH IgnoreUserKnownHosts參數至 /etc/ssh/sshd_config"
	grep -E "^IgnoreUserKnownHosts\s+yes$" "/etc/ssh/sshd_config"
fi

FCB289 項

設定說明

  • SSH PrintLastLog參數

腳本內容

if grep -qE "^PrintLastLog\s+yes$" "/etc/ssh/sshd_config"; then
	echo -e "$BLUE"
	echo -e "FCB289 SSH PrintLastLog參數:$GREEN 正確$NC"
	grep -E "^PrintLastLog\s+yes$" "/etc/ssh/sshd_config"
else
	echo -e "$BLUE"
	echo -e "FCB289 SSH PrintLastLog參數:$GREEN 完成$NC"
	sed -i 's/^PrintLastLog/#PrintLastLog/g' /etc/ssh/sshd_config
	echo -e "PrintLastLog yes" >> "/etc/ssh/sshd_config"
	echo "新增SSH PrintLastLog參數至 /etc/ssh/sshd_config"
	grep -E "^PrintLastLog\s+yes$" "/etc/ssh/sshd_config"
fi

FCB290 項

設定說明

  • 移除shosts.equiv檔案
  • 開啟終端機, 執行以下指令, 尋找任何「shosts.equiv」檔案: #find / -name shosts.equiv 若發現「shosts.equiv」檔案, 執行指令移除檔案, 範例如下:

rm /etc/ssh/shosts.equiv

腳本內容

echo -e "$BLUE"
echo -e "FCB290 搜尋shosts.equiv檔案:$YELLOW 請檢查以下輸出$NC"
find / -name shosts.equiv
echo ""
echo -e "$YELLOW"
echo -e "若發現「shosts.equiv」檔案,執行指令移除檔案,範例:$RED rm 「該檔案」$NC"

FCB291 項

設定說明

  • 移除.shosts檔案
  • 開啟終端機, 執行以下指令, 尋找任何「.shosts」檔案:
  • # find / -name '*.shosts' 若發現「.shosts」檔案, 執行指令移除檔案, 範例如下: # rm $HOME/.shosts

腳本內容

echo -e "$BLUE"
echo -e "FCB291 搜尋.shosts檔案:$YELLOW 請檢查以下輸出$NC"
find / -name *.shosts
echo ""
echo -e "$YELLOW"
echo -e "若發現「.shosts」檔案,執行指令移除檔案,範例:$RED rm 「該檔案」$NC"

FCB292 項

設定說明

  • 停用覆寫全系統加密原則
  • 開啟終端機, 執行以下指令, 以停用覆寫全系統加密原則: # sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd 執行以下指令, 重新啟動 SSH 服務使其生效: # systemctl restart sshd ▪  注意:請先通知SSH服務使用者,再重啟SSH服務,以避免影響使用者作業

腳本內容

#echo -e "$BLUE"
#echo -e "FCB292 停用覆寫全系統加密原則:$GREEN 完成$NC"
#sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd

echo -e "$BLUE SSH設定修改完畢後,請通知SSH服務使用者,執行指令重啟SSH服務,以避免影響使用者作業:$RED systemctl restart sshd$NC"