antony@notes:~/misc$ cat "洞悉-FCB-腳本.md"
洞悉 FCB 腳本
洞悉 FCB 腳本
腳本變數
#色碼
RED='\033[0;31m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
YELLOW='\033[0;33m'
NC='\033[0m'
bk_time=$(date +"%Y%m%d")
check_failed=()
#判斷SUSE版本
SUSE_ver="$(cat /etc/os-release |grep VERSION_ID | awk -F'"' '{print $2}')"\033[0m,關閉所有屬性
腳本 Function
all() {
filesystem
system_setting
system_service
software
network
audit
selinux
cron
account_permit
ssh
}all: 套用全部FCB設定(除了firewalld以及iptable)filesystem: 套用磁碟與檔案系統設定,【FCB29-31,322】system_setting: 套用系統設定與維護設定,【FCB32-91,296,306-308,314-316,318-319】system_service: 套用系統服務設定,【FCB92-101,303-305,317】software: 套用安裝與維護軟體設定,【FCB102-107】network: 套用網路設定,【FCB108-131】audit: 套用日誌與稽核,【FCB132-184,293,297-302,321】selinux: 套用SELinux部分設定(不啟用),【FCB185-191】cron: 套用cron設定,【FCB192-207】account_permit: 套用帳號與存取控制設定,【FCB208-243,294-295,320】firewalld: 套用Firewalld配置SLES 15版本用,【FCB244-248】iptable: 套用iptable配置SLES 12版本用,【FCB256-261】ssh: 套用SSH設定,【FCB262-292】
磁碟與檔案系統
FCB 29 項
設定說明
- 這項原則設定決定所有具有全域寫入 (World-writable) 權限之目錄是否設定粘滯位 (Sticky bit)。
- 設定粘滯位 (Sticky bit) 確保只有擁有者才能刪除或更名自己建立的檔案,以防止其他使用者任意刪除或更名其他使用者的檔案。
腳本內容
echo "此腳本為FCB for SUSE 磁碟與檔案系統設定(FCB29-31,322)"
echo -e "$BLUE"
echo -e "FCB29 設定全域寫入權限目錄之粘滯位:$NC"
echo -e "${YELLOW}在所有具有全域寫入(World-writable)權限之目錄設定粘滯位:
搜尋所有具有全域寫入(World-writable)權限之目錄${NC}"
output=$(df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \))
if [ -n "$output" ]; then
echo -e "${RED}檢查出具有全域寫入(World-writable)權限之目錄"
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \)
echo -e "${NC}輸入以下指令設定設定粘滯位:
df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod o+t '{}'"
check_failed+=(29)
else
echo -e "${GREEN}檢查通過${NC}"
fi關鍵命令解釋
df --local -Pdf:這個命令用來顯示硬碟使用情況。--local:只顯示本地(非網絡)檔案系統。-P:輸出格式使用 POSIX 標準格式,確保列數據對齊,方便後續處理。
awk '{if (NR!=1) print $6}'awk:處理字串的工具,這裡用來處理 df 的輸出。{if (NR!=1) print $6}:如果不是第一行(通常是標題行),則打印每行的第六個字段,分隔符預設是一個空格,這是掛載點的位置。
- 做到一樣事情但更簡單的命令 :
df -l --output=target | tail -n +2
xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \)xargs:把標準輸入的字串轉換成命令行參數。-I '{}':自定義替換字符串,這裡指定用{}來替換。find:尋找檔案的命令。'{}':被xargs替換的掛載點。-xdev:不進入處於其他文件系統之上的目錄。-type d:只尋找目錄。\( -perm -0002 -a ! -perm -1000 \):尋找至少擁有其他人可寫的權限(-perm -0002)且沒有設定 sticky bit(-perm -1000)的目錄。- 至少擁有其他人可寫的權限的意思是,只要權限有其他人可寫的這個權限,不管 owner 和 group 權限設定多少,都會被找出來。
2>/dev/null- 將所有錯誤訊息重定向到黑洞裝置
/dev/null(忽略錯誤訊息)。
- 將所有錯誤訊息重定向到黑洞裝置
xargs -I '{}' chmod o+t '{}'- 再次使用
xargs接收前一個命令的輸出。 chmod o+t '{}':對找到的每個目錄設置 sticky bit,以防止非擁有者刪除或更改其他用戶的檔案。
- 再次使用
FCB 30 項
設定說明
- 這項原則設定決定是否使用 autofs 服務
- autofs 服務可自動掛載或卸載光碟機、USB 裝置及 NFS 檔案系統的掛載點,讓任何使用者都可以使用 autofs 服務掛載裝置與檔案系統
- 當系統不需自動掛載 NFS 檔案系統或可攜式儲存裝置時,建議停用此服務。如有掛載需求,建議透過設定
/etc/fstab檔案方式進行掛載
腳本內容
echo -e "$BLUE"
echo -e "FCB30 autofs服務"
output=$(systemctl status autofs)
if systemctl is-enabled autofs &> /dev/null; then
echo -e "${RED}autofs服務已啟用,需要禁用${NC}"
echo "輸入以下指令設定autofs禁用:
systemctl --now disable autofs"
check_failed+=(30)
else
echo -e "${GREEN}檢查通過${NC}"
fi關鍵命令解釋
systemctl is-enabled autofsis-enabled,檢查服務是否設為開機自動啟動了。
account_permit
設定說明
- 備份檔案
腳本內容
echo "此腳本為FCB for SUSE 帳號與存取控制(FCB208-243,294-295,320)"
#備份/etc/pam.d/common-password-pc
if [ ! -f "/etc/pam.d/common-password-pc.ori" ];then
cp -p "/etc/pam.d/common-password-pc" "/etc/pam.d/common-password-pc.ori"
else
cp -p "/etc/pam.d/common-password-pc" "/etc/pam.d/common-password-pc.bk$bk_time"
fi
#備份/etc/pam.d/login
if [ ! -f "/etc/pam.d/login.ori" ];then
cp -p "/etc/pam.d/login" "/etc/pam.d/login.ori"
else
cp -p "/etc/pam.d/login" "/etc/pam.d/login.bk$bk_time"
fi
#備份/etc/login.defs
if [ ! -f "/etc/login.defs.ori" ];then
cp -p "/etc/login.defs" "/etc/login.defs.ori"
else
cp -p "/etc/login.defs" "/etc/login.defs.bk$bk_time"
fi
#備份/etc/security/limits.conf
if [ ! -f "/etc/security/limits.conf.ori" ];then
cp -p "/etc/security/limits.conf" "/etc/security/limits.conf.ori"
else
cp -p "/etc/security/limits.conf" "/etc/security/limits.conf.bk$bk_time"
fi
###/etc/dconf/db/local.d/00-screensaver預設不存在,故不備份
#備份/etc/gdm/custom.conf
if [ ! -f "/etc/gdm/custom.conf.ori" ];then
cp -p "/etc/gdm/custom.conf" "/etc/gdm/custom.conf.ori"
else
cp -p "/etc/gdm/custom.conf" "/etc/gdm/custom.conf.bk$bk_time"
fi
#備份/etc/bash.bashrc
if [ ! -f "/etc/bash.bashrc.ori" ];then
cp -p "/etc/bash.bashrc" "/etc/bash.bashrc.ori"
else
cp -p "/etc/bash.bashrc" "/etc/bash.bashrc.bk$bk_time"
fi
#備份/etc/profile
if [ ! -f "/etc/profile.ori" ];then
cp -p "/etc/profile" "/etc/profile.ori"
else
cp -p "/etc/profile" "/etc/profile.bk$bk_time"
fi
###/etc/dconf/db/local.d/locks/session預設不存在,故不備份
#備份/etc/pam.d/su
if [ ! -f "/etc/pam.d/su.ori" ];then
cp -p "/etc/pam.d/su" "/etc/pam.d/su.ori"
else
cp -p "/etc/pam.d/su" "/etc/pam.d/su.bk$bk_time"
fi#FCB208-219
echo -e "$BLUE"
echo -e "FCB208-219 設定使用者帳號密碼設定規則:${YELLOW}請檢查輸出是否相符${NC}"
pam-config -a --cracklib-minlen=12 --cracklib-retry=3 --cracklib-lcredit=-1 --cracklib-ucredit=-1 --cracklib-dcredit=-1 --cracklib-ocredit=-1 --cracklib-reject_username=-1 --cracklib --cracklib-difok=3 --cracklib-maxclassrepeat=4 --cracklib-maxrepeat=3 --cracklib-enforce_for_root
echo -e "/etc/pam.d/common-password-pc目前設定:"
grep pam_cracklib.so /etc/pam.d/common-password-pc
echo -e "${YELLOW}範例:
password requisite pam_cracklib.so reject_username enforce_for_root retry=3 difok=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 maxrepeat=3 maxclassrepeat=4${NC}"關鍵命令解釋
- FCB208
--cracklib-retry=3可設定密碼次數 - FCB 209
--cracklib-enforce_for_root強制root密碼須符合密碼規則 - FCB 210
--cracklib-minlen=12密碼最小長度 - FCB 211
--cracklib-lcredit=-1 --cracklib-ucredit=-1 --cracklib-dcredit=-1 --cracklib-ocredit=-1密碼必須至少包含字元類別數量
firewalld
FCB 244-248 項
設定說明
- 這項原則設定決定是否安裝firewalld防火牆套件 * 藉由防火牆管理與設定,以保護系統安全
腳本內容
echo "SLSE 15 firewalld setup config"
echo -e "${BLUE}FCB244-245 firewalld防火牆套件安裝並啟用${NC}"
# FCB 244
zypper install firewalld
rpm -qa firewalld --qf '(%{INSTALLTIME:date}): %{NAME}-%{VERSION}\n'
# FCB 245
systemctl --now enable firewalld
systemctl status firewalld
echo -e "${BLUE}FCB246 停用並遮蔽iptables及nftables服務${NC}"
# FCB 246
systemctl --now mask iptables
# FCB 247
systemctl --now mask nftables
systemctl status iptables
systemctl status nftables
# FCB 248
firewall-cmd --list-all
echo -e "${YELLOW}請使用指令檢查目前firewall zone以及網路設定,設定範例如下:
firewall-cmd --set-default-zone=public
firewall-cmd --permanent --zone=public --add-interface=eth0
firewall-cmd --permanent --zone=public --add-service=ssh
firewall-cmd --list-all
firewall-cmd --reload
systemctl restart firewalld${NC}"iptable
FCB256 - 261項
腳本內容
echo "SLSE 12SP5 iptable setup config"
# FCB 256
echo -e "${BLUE}FCB256 iptables服務安裝並啟用${NC}"
zypper install iptable
rpm -qa iptables --qf '(%{INSTALLTIME:date}): %{NAME}-%{VERSION}\n'
#FCB 257
echo -e "${BLUE}FCB257 停用並遮蔽Firewalld服務${NC}"
systemctl --now mask firewalld
systemctl status firewalld
echo -e "${YELLOW}腳本自動套用iptable設定${NC}"
iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A FORWARD -j ACCEPT
# FCB 258
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# FCB 259
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -j DROP
ip6tables --list-rules
ip6tables -A INPUT -j ACCEPT
ip6tables -A OUTPUT -j ACCEPT
ip6tables -A FORWARD -j ACCEPT
# FCB 260
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# FCB 261
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -s ::1 -j DROP
iptables --list-rules
iptables-save > /etc/sysconfig/iptables
ip6tables-save > /etc/sysconfig/ip6tables
echo "iptables-restore /etc/sysconfig/iptables
ip6tables-restore /etc/sysconfig/ip6tables" >> /etc/init.d/after.localssh
備份 FCB 262-292項
設定說明
- 依時間備分sshd_config的設定檔
腳本內容
#備份/etc/ssh/sshd_config
if [ ! -f "/etc/ssh/sshd_config.ori" ];then
cp -p "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.ori"
else
cp -p "/etc/ssh/sshd_config" "/etc/ssh/sshd_config.bk$bk_time"
fi
#備份/etc/sysconfig/sshd
#if [ ! -f "/etc/sysconfig/sshd.ori" ];then
# cp -p "/etc/sysconfig/sshd" "/etc/sysconfig/sshd.ori"
#else
# cp -p "/etc/sysconfig/sshd" "/etc/sysconfig/sshd.bk$bk_time"
#fi關鍵命令解釋
cp -p-p: 複製檔案保留檔案最原始的權限跟郵戳
[ ! -f "/etc/sysconfig/sshd.ori" ][! -f "/etc/sysconfig/sshd.ori" ]檢查/etc/sysconfig/sshd.ori這個檔案是否不存在
FCB 262 項
設定說明
- 安裝sshd套件
腳本內容
echo -e "$BLUE"
echo -e "FCB262 安裝sshd套件 :$YELLOW 請檢查以下輸出$NC"
zypper install openssh-server.x86_64
systemctl --now enable sshd.serviceFCB 263 項
設定說明
- 檢查SSH 的 Protocol設定使用SSHv2連線
腳本內容
#SSH協定版本
if grep -qE "^Protocol\s+2$" /etc/ssh/sshd_config ; then
echo -e "$BLUE"
echo -e "FCB263 SSH協定版本:$GREEN 正確$NC"
grep -E "^Protocol\s+2$" /etc/ssh/sshd_config
else
echo -e "$BLUE"
echo -e "FCB263 SSH協定版本:$GREEN 完成$NC"
sed -i 's/^Protocol/#Protocol/g' /etc/ssh/sshd_config
echo -e "Protocol 2" >> "/etc/ssh/sshd_config"
echo "新增限制存取SSH參數至 /etc/ssh/sshd_config"
grep -E "^Protocol\s+2$" /etc/ssh/sshd_config
fi關鍵命令解釋
- `“Protocol 2” » “/etc/ssh/sshd_config”
Protocol 2讓SSH 套用 SSHv2 協議 它的運作方式如下:將SSHv2伺服器設定為能夠接受SSH預設通訊埠22的連線;並關閉其他所有的通訊埠。 然後,將伺服器設定成用戶端能透過通訊埠22來存取其他的網路服務。 之後將用戶端設定成以通訊埠22連上網路,並將所有允許的服務全納入SSHv2的通道中。
FCB264-265 項
設定說明
- 更新/etc/ssh/sshd_config檔案權限
腳本內容
#更新/etc/ssh/sshd_config檔案權限
echo -e "$BLUE"
echo -e "FCB264-265 更新/etc/ssh/sshd_config檔案權限:$GREEN 完成$NC"
chown root:root /etc/ssh/sshd_config
chmod 600 /etc/ssh/sshd_config
ls -l /etc/ssh/sshd_configFCB266 項目
設定說明
- 限制存取SSH
腳本內容
if grep -qE "^AllowGroups\s+root\s+psca\s+psys\s+ppcs\s+pcop\s+pcmd1\s+pchgcmd\s+psftp\s+pftpid0\s+psam\s+pbasis$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB266 限制存取SSH參數:$GREEN 正確$NC"
grep -E "^AllowGroups\s+root\s+psca\s+psys\s+ppcs\s+pcop\s+pcmd1\s+pchgcmd\s+psftp\s+pftpid0\s+psam\s+pbasis$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB274 限制存取SSH參數:$GREEN 完成$NC"
sed -i 's/^AllowGroups/#AllowGroups/g' /etc/ssh/sshd_config
echo -e "AllowGroups root psca psys ppcs pcop pcmd1 pchgcmd psftp pftpid0 psam pbasis" >> "/etc/ssh/sshd_config"
echo "新增限制存取SSH參數至 /etc/ssh/sshd_config"
grep -E "^AllowGroups\s+root\s+psca\s+psys\s+ppcs\s+pcop\s+pcmd1\s+pchgcmd\s+psftp\s+pftpid0\s+psam\s+pbasis$" "/etc/ssh/sshd_config"
fi關鍵命令解釋
"^AllowGroups\s+root\s+psca\s+psys\s+ppcs\s+pcop\s+pcmd1\s+pchgcmd\s+psftp\s+pftpid0\s+psam\s+pbasis$^是 AllowGroups 開頭。\s+表示一個或多個空白字符。$表示這行結束
FCB267-270 項
設定說明
- 設定SSH主機私鑰及公鑰檔案權限
腳本內容
#FCB267-270
#設定SSH主機私鑰及公鑰檔案權限
echo -e "$BLUE"
echo -e "FCB267-270 設定SSH主機私鑰及公鑰檔案權限:$GREEN 完成$NC"
find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:root {} \;
find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod 600 {} \;
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \;
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 644 {} \;關鍵命令解釋
find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 644 {} \-xdev在當前的檔案係中尋找此檔案 不會找掛載的其他檔案系{}把 find 指令找到的每一個檔案
FCB271 項
設定說明
- 設定SSH加密演算法:Ciphers設定、MACs設定、kexalgorithms設定
腳本內容
#設定SSH加密演算法
#Ciphers設定
if grep -qE "^Ciphers\s+aes128-ctr,aes192-ctr,aes256-ctr$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB271 設定SSH加密演算法Ciphers:$GREEN 正確$NC"
grep -E "^Ciphers\s+aes128-ctr,aes192-ctr,aes256-ctr$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB271 設定SSH加密演算法Ciphers:$GREEN 完成$NC"
sed -i 's/^Ciphers/#Ciphers/g' /etc/ssh/sshd_config
echo -e "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> "/etc/ssh/sshd_config"
echo "新增SSH加密演算法Ciphers參數至 /etc/ssh/sshd_config"
grep -E "^Ciphers\s+aes128-ctr,aes192-ctr,aes256-ctr$" "/etc/ssh/sshd_config"
fi
#MACs設定
if grep -qE "^MACs\s+hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB271 設定SSH加密演算法MACs:$GREEN 正確$NC"
grep -E "^MACs\s+hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB271 設定SSH加密演算法MACs:$GREEN 完成$NC"
sed -i 's/^MACs/#MACs/g' /etc/ssh/sshd_config
echo -e "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1" >> "/etc/ssh/sshd_config"
echo "新增SSH加密演算法MACs參數至 /etc/ssh/sshd_config"
grep -E "^MACs\s+hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1$" "/etc/ssh/sshd_config"
fi
#kexalgorithms設定
if grep -qE "^kexalgorithms\s+ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB271 設定SSH加密演算法kexalgorithms:$GREEN 正確$NC"
grep -E "^kexalgorithms\s+ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB271 設定SSH加密演算法kexalgorithms:$GREEN 完成$NC"
sed -i 's/^kexalgorithms/#kexalgorithms/g' /etc/ssh/sshd_config
echo -e "kexalgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" >> "/etc/ssh/sshd_config"
echo "新增SSH加密演算法kexalgorithms參數至 /etc/ssh/sshd_config"
grep -E "^kexalgorithms\s+ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256$" "/etc/ssh/sshd_config"
fiFCB272 項
設定說明
- SSH LogLevel參數
腳本內容
if grep -qE "^LogLevel\s+INFO$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB272 SSH LogLevel參數:$GREEN 正確$NC"
grep -E "^LogLevel\s+INFO$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB272 SSH LogLevel參數:$GREEN 完成$NC"
sed -i 's/^LogLevel/#LogLevel/g' /etc/ssh/sshd_config
echo -e "LogLevel INFO" >> "/etc/ssh/sshd_config"
echo "新增SSH LogLevel參數至 /etc/ssh/sshd_config"
grep -E "^LogLevel\s+INFO$" "/etc/ssh/sshd_config"
fiFCB273 項
設定說明
- SSH X11Forwarding參數
腳本內容
if grep -qE "^X11Forwarding\s+no$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB273 SSH X11Forwarding參數:$GREEN 正確$NC"
grep -E "^X11Forwarding\s+no$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB273 SSH X11Forwarding參數:$GREEN 完成$NC"
sed -i 's/^X11Forwarding/#X11Forwarding/g' /etc/ssh/sshd_config
echo -e "X11Forwarding no" >> "/etc/ssh/sshd_config"
echo "新增SSH X11Forwarding參數至 /etc/ssh/sshd_config"
grep -E "^X11Forwarding\s+no$" "/etc/ssh/sshd_config"
fiFCB274 項
設定說明
- SSH MaxAuthTries參數
腳本內容
if grep -qE "^MaxAuthTries\s+4$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB274 SSH MaxAuthTries參數:$GREEN 正確$NC"
grep -E "^MaxAuthTries\s+4$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB274 SSH MaxAuthTries參數:$GREEN 完成$NC"
sed -i 's/^MaxAuthTries/#MaxAuthTries/g' /etc/ssh/sshd_config
echo -e "MaxAuthTries 4" >> "/etc/ssh/sshd_config"
echo "新增SSH MaxAuthTries參數至 /etc/ssh/sshd_config"
grep -E "^MaxAuthTries\s+4$" "/etc/ssh/sshd_config"
fiFCB275 項
設定說明
- SSH IgnoreRhosts參數
腳本內容
if grep -qE "^IgnoreRhosts\s+yes$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB275 SSH IgnoreRhosts參數:$GREEN 正確$NC"
grep -E "^IgnoreRhosts\s+yes$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB275 SSH IgnoreRhosts參數:$GREEN 完成$NC"
sed -i 's/^IgnoreRhosts/#IgnoreRhosts/g' /etc/ssh/sshd_config
echo -e "IgnoreRhosts yes" >> "/etc/ssh/sshd_config"
echo "新增SSH IgnoreRhosts參數至 /etc/ssh/sshd_config"
grep -E "^IgnoreRhosts\s+yes$" "/etc/ssh/sshd_config"
fiFCB276 項
設定說明
- SSH HostbasedAuthentication參數
if grep -qE "^HostbasedAuthentication\s+no$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB276 SSH HostbasedAuthentication參數:$GREEN 正確$NC"
grep -E "^HostbasedAuthentication\s+no$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB276 SSH HostbasedAuthentication參數:$GREEN 完成$NC"
sed -i 's/^HostbasedAuthentication/#HostbasedAuthentication/g' /etc/ssh/sshd_config
echo -e "HostbasedAuthentication no" >> "/etc/ssh/sshd_config"
echo "新增SSH HostbasedAuthentication參數至 /etc/ssh/sshd_config"
grep -E "^HostbasedAuthentication\s+no$" "/etc/ssh/sshd_config"
fiFCB277 項
設定說明
- SSH PermitRootLogin參數
- 編輯 /etc/ssh/sshd_config 檔案, 設定參數如下: PermitRootLogin no
- 開啟終端機, 執行以下指令, 重新啟動 SSH 服務使其生效:
- systemctl restart sshd
- 注意: 請先通知 SSH 服務使用者, 再重啟 SSH 服務, 以避免影響使用者作業
腳本內容
#if grep -qE "^PermitRootLogin\s+no$" "/etc/ssh/sshd_config"; then
# echo -e "$BLUE"
# echo -e "FCB277 SSH PermitRootLogin參數:$GREEN 正確$NC"
# grep -E "^PermitRootLogin\s+no$" "/etc/ssh/sshd_config"
#else
# echo -e "$BLUE"
# echo -e "FCB277 SSH PermitRootLogin參數:$GREEN 完成$NC"
# sed -i 's/^PermitRootLogin/#PermitRootLogin/g' /etc/ssh/sshd_config
# echo -e "PermitRootLogin no" >> "/etc/ssh/sshd_config"
# echo "新增SSH PermitRootLogin參數至 /etc/ssh/sshd_config"
# grep -E "^PermitRootLogin\s+no$" "/etc/ssh/sshd_config"
#fiFCB278 項
設定說明
- SSH PermitEmptyPasswords參數
腳本內容
if grep -qE "^PermitEmptyPasswords\s+no$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB278 SSH PermitEmptyPasswords參數:$GREEN 正確$NC"
grep -E "^PermitEmptyPasswords\s+no$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB278 SSH PermitEmptyPasswords參數:$GREEN 完成$NC"
sed -i 's/^PermitEmptyPasswords/#PermitEmptyPasswords/g' /etc/ssh/sshd_config
echo -e "PermitEmptyPasswords no" >> "/etc/ssh/sshd_config"
echo "新增SSH PermitEmptyPasswords參數至 /etc/ssh/sshd_config"
grep -E "^PermitEmptyPasswords\s+no$" "/etc/ssh/sshd_config"
fiFCB279 項
設定說明
- SSH PermitEmptyPasswords參數
腳本內容
if grep -qE "^PermitUserEnvironment\s+no$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB279 SSH PermitUserEnvironment參數:$GREEN 正確$NC"
grep -E "^PermitUserEnvironment\s+no$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB279 SSH PermitUserEnvironment參數:$GREEN 完成$NC"
sed -i 's/^PermitUserEnvironment/#PermitUserEnvironment/g' /etc/ssh/sshd_config
echo -e "PermitUserEnvironment no" >> "/etc/ssh/sshd_config"
echo "新增SSH PermitUserEnvironment參數至 /etc/ssh/sshd_config"
grep -E "^PermitUserEnvironment\s+no$" "/etc/ssh/sshd_config"
fiFCB280 項
設定說明
- SSH ClientAliveInterval參數、ClientAliveCountMax參數
腳本內容
if grep -qE "^ClientAliveInterval\s+600$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB280 SSH ClientAliveInterval參數:$GREEN 正確$NC"
grep -E "^ClientAliveInterval\s+600$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB280 SSH ClientAliveInterval參數:$GREEN 完成$NC"
sed -i 's/^ClientAliveInterval/#ClientAliveInterval/g' /etc/ssh/sshd_config
echo -e "ClientAliveInterval 600" >> "/etc/ssh/sshd_config"
echo "新增SSH ClientAliveInterval參數至 /etc/ssh/sshd_config"
grep -E "^ClientAliveInterval\s+600$" "/etc/ssh/sshd_config"
fi
if grep -qE "^ClientAliveCountMax\s+0$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB280 SSH ClientAliveCountMax參數:$GREEN 正確$NC"
grep -E "^ClientAliveCountMax\s+0$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB280 SSH ClientAliveCountMax參數:$GREEN 完成$NC"
sed -i 's/^ClientAliveCountMax/#ClientAliveCountMax/g' /etc/ssh/sshd_config
echo -e "ClientAliveCountMax 0" >> "/etc/ssh/sshd_config"
echo "新增SSH ClientAliveCountMax參數至 /etc/ssh/sshd_config"
grep -E "^ClientAliveCountMax\s+0$" "/etc/ssh/sshd_config"
fiFCB281 項
設定說明
- SSH LoginGraceTime參數
腳本內容
if grep -qE "^LoginGraceTime\s+60$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB281 SSH LoginGraceTime參數:$GREEN 正確$NC"
grep -E "^LoginGraceTime\s+60$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB281 SSH LoginGraceTime參數:$GREEN 完成$NC"
sed -i 's/^LoginGraceTime/#LoginGraceTime/g' /etc/ssh/sshd_config
echo -e "LoginGraceTime 60" >> "/etc/ssh/sshd_config"
echo "新增SSH LoginGraceTime參數至 /etc/ssh/sshd_config"
grep -E "^LoginGraceTime\s+60$" "/etc/ssh/sshd_config"
fiFCB282 項
設定說明
- SSH UsePAM參數
腳本內容
if grep -qE "^UsePAM\s+yes$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB282 SSH UsePAM參數:$GREEN 正確$NC"
grep -E "^UsePAM\s+yes$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB282 SSH UsePAM參數:$GREEN 完成$NC"
sed -i 's/^UsePAM/#UsePAM/g' /etc/ssh/sshd_config
echo -e "UsePAM yes" >> "/etc/ssh/sshd_config"
echo "新增SSH UsePAM參數至 /etc/ssh/sshd_config"
grep -E "^UsePAM\s+yes$" "/etc/ssh/sshd_config"
fiFCB283 項
設定說明
- SSH AllowTcpForwarding參數
腳本內容
if grep -qE "^AllowTcpForwarding\s+no$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB283 SSH AllowTcpForwarding參數:$GREEN 正確$NC"
grep -E "^AllowTcpForwarding\s+no$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB283 SSH AllowTcpForwarding參數:$GREEN 完成$NC"
sed -i 's/^AllowTcpForwarding/#AllowTcpForwarding/g' /etc/ssh/sshd_config
echo -e "AllowTcpForwarding no" >> "/etc/ssh/sshd_config"
echo "新增SSH AllowTcpForwarding參數至 /etc/ssh/sshd_config"
grep -E "^AllowTcpForwarding\s+no$" "/etc/ssh/sshd_config"
fiFCB284 項
設定說明
- SSH maxstartups參數
腳本內容
if grep -qE "^maxstartups\s+10:30:60$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB284 SSH maxstartups參數:$GREEN 正確$NC"
grep -E "^maxstartups\s+10:30:60$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB284 SSH maxstartups參數:$GREEN 完成$NC"
sed -i 's/^maxstartups/#maxstartups/g' /etc/ssh/sshd_config
echo -e "maxstartups 10:30:60" >> "/etc/ssh/sshd_config"
echo "新增SSH maxstartups參數至 /etc/ssh/sshd_config"
grep -E "^maxstartups\s+10:30:60$" "/etc/ssh/sshd_config"
fiFCB285 項
設定說明
- SSH MaxSessions參數
腳本內容
if grep -qE "^MaxSessions\s+4$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB285 SSH MaxSessions參數:$GREEN 正確$NC"
grep -E "^MaxSessions\s+4$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB285 SSH MaxSessions參數:$GREEN 完成$NC"
sed -i 's/^MaxSessions/#MaxSessions/g' /etc/ssh/sshd_config
echo -e "MaxSessions 4" >> "/etc/ssh/sshd_config"
echo "新增SSH MaxSessions參數至 /etc/ssh/sshd_config"
grep -E "^MaxSessions\s+4$" "/etc/ssh/sshd_config"
fiFCB286 項
設定說明
- SSH StrictModes參數
腳本內容
if grep -qE "^StrictModes\s+yes$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB286 SSH StrictModes參數:$GREEN 正確$NC"
grep -E "^StrictModes\s+yes$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB286 SSH StrictModes參數:$GREEN 完成$NC"
sed -i 's/^StrictModes/#StrictModes/g' /etc/ssh/sshd_config
echo -e "StrictModes yes" >> "/etc/ssh/sshd_config"
echo "新增SSH StrictModes參數至 /etc/ssh/sshd_config"
grep -E "^StrictModes\s+yes$" "/etc/ssh/sshd_config"
fiFCB287 項
設定說明
- SSH Compression參數
腳本內容
if grep -qE "^Compression\s+no$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB287 SSH Compression參數:$GREEN 正確$NC"
grep -E "^Compression\s+no$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB287 SSH Compression參數:$GREEN 完成$NC"
sed -i 's/^Compression/#Compression/g' /etc/ssh/sshd_config
echo -e "Compression no" >> "/etc/ssh/sshd_config"
echo "新增SSH Compression參數至 /etc/ssh/sshd_config"
grep -E "^Compression\s+no$" "/etc/ssh/sshd_config"
fiFCB288 項
設定說明
- SSH IgnoreUserKnownHosts參數
腳本內容
if grep -qE "^IgnoreUserKnownHosts\s+yes$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB288 SSH IgnoreUserKnownHosts參數:$GREEN 正確$NC"
grep -E "^IgnoreUserKnownHosts\s+yes$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB288 SSH IgnoreUserKnownHosts參數:$GREEN 完成$NC"
sed -i 's/^IgnoreUserKnownHosts/#IgnoreUserKnownHosts/g' /etc/ssh/sshd_config
echo -e "IgnoreUserKnownHosts yes" >> "/etc/ssh/sshd_config"
echo "新增SSH IgnoreUserKnownHosts參數至 /etc/ssh/sshd_config"
grep -E "^IgnoreUserKnownHosts\s+yes$" "/etc/ssh/sshd_config"
fiFCB289 項
設定說明
- SSH PrintLastLog參數
腳本內容
if grep -qE "^PrintLastLog\s+yes$" "/etc/ssh/sshd_config"; then
echo -e "$BLUE"
echo -e "FCB289 SSH PrintLastLog參數:$GREEN 正確$NC"
grep -E "^PrintLastLog\s+yes$" "/etc/ssh/sshd_config"
else
echo -e "$BLUE"
echo -e "FCB289 SSH PrintLastLog參數:$GREEN 完成$NC"
sed -i 's/^PrintLastLog/#PrintLastLog/g' /etc/ssh/sshd_config
echo -e "PrintLastLog yes" >> "/etc/ssh/sshd_config"
echo "新增SSH PrintLastLog參數至 /etc/ssh/sshd_config"
grep -E "^PrintLastLog\s+yes$" "/etc/ssh/sshd_config"
fiFCB290 項
設定說明
- 移除shosts.equiv檔案
- 開啟終端機, 執行以下指令, 尋找任何「shosts.equiv」檔案: #find / -name shosts.equiv 若發現「shosts.equiv」檔案, 執行指令移除檔案, 範例如下:
rm /etc/ssh/shosts.equiv
腳本內容
echo -e "$BLUE"
echo -e "FCB290 搜尋shosts.equiv檔案:$YELLOW 請檢查以下輸出$NC"
find / -name shosts.equiv
echo ""
echo -e "$YELLOW"
echo -e "若發現「shosts.equiv」檔案,執行指令移除檔案,範例:$RED rm 「該檔案」$NC"FCB291 項
設定說明
- 移除.shosts檔案
- 開啟終端機, 執行以下指令, 尋找任何「.shosts」檔案:
# find / -name '*.shosts'若發現「.shosts」檔案, 執行指令移除檔案, 範例如下:# rm $HOME/.shosts
腳本內容
echo -e "$BLUE"
echo -e "FCB291 搜尋.shosts檔案:$YELLOW 請檢查以下輸出$NC"
find / -name *.shosts
echo ""
echo -e "$YELLOW"
echo -e "若發現「.shosts」檔案,執行指令移除檔案,範例:$RED rm 「該檔案」$NC"FCB292 項
設定說明
- 停用覆寫全系統加密原則
- 開啟終端機, 執行以下指令, 以停用覆寫全系統加密原則:
# sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd執行以下指令, 重新啟動 SSH 服務使其生效:# systemctl restart sshd▪ 注意:請先通知SSH服務使用者,再重啟SSH服務,以避免影響使用者作業
腳本內容
#echo -e "$BLUE"
#echo -e "FCB292 停用覆寫全系統加密原則:$GREEN 完成$NC"
#sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
echo -e "$BLUE SSH設定修改完畢後,請通知SSH服務使用者,執行指令重啟SSH服務,以避免影響使用者作業:$RED systemctl restart sshd$NC"