
Linux hardening script (CentOS 6.2) (common Linux system hardening operations)

wxchong 2024-11-02 13:54:18, Open Source Technology

These are some security hardening measures applied on CentOS 6.2, which our ops colleagues spent a lot of effort and time putting together. If you run your own servers you still need to harden them yourself. Nowadays applications mostly run inside Docker or VMware, so even if the system is compromised it is enough that the data stays safe; the system can be destroyed and rebuilt. With VMware you can build your own template system. We have not hardened Docker yet; if we do, I will update this post. The CentOS 7 hardening script has not been written up yet either. For now, on CentOS 7 we forbid root login and create a user named login that can only log in to the system and has no other privileges; after logging in as login you su to root or another user to do any work. Below is the CentOS 6.2 script.

Back up data

cp -p /etc/passwd /etc/passwd.bak
cp -p /etc/shadow /etc/shadow.bak
cp -p /etc/group /etc/group.bak
cp -p /etc/security/pam_pwcheck.conf /etc/security/pam_pwcheck.conf.bak
cp -p /etc/pam.d/passwd /etc/pam.d/passwd.bak
cp -p /etc/login.defs /etc/login.defs.bak
cp -p /etc/default/useradd /etc/default/useradd.bak
cp -p /etc/pam.d/login /etc/pam.d/login.bak
cp -p /etc/pam.d/sshd /etc/pam.d/sshd.bak
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cp -p -r /etc/xinetd.d /etc/xinetd.d.bak
cp -p /etc/ntp.conf /etc/ntp.conf.bak
cp -p /etc/fstab /etc/fstab.bak
cp -p /etc/exports /etc/exports.bak
cp -p /etc/snmpd.conf /etc/snmpd.conf.bak
cp -p /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
cp -p /etc/profile /etc/profile.bak
cp -p /etc/securetty /etc/securetty.bak
cp -p /etc/pam.d/su /etc/pam.d/su.bak
cp -p /etc/ftpusers /etc/ftpusers.bak
cp -p /etc/vsftpd.conf /etc/vsftpd.conf.bak
cp -p /etc/pure-ftpd/pure-ftpd.conf /etc/pure-ftpd/pure-ftpd.conf.bak
cp -p /etc/hosts.allow /etc/hosts.allow.bak
cp -p /etc/hosts.deny /etc/hosts.deny.bak
cp -p /etc/inittab /etc/inittab.bak
cp -p /etc/syslog.conf /etc/syslog.conf.bak
cp -p /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.bak
cp -p /etc/motd /etc/motd.bak
cp -p /etc/sshbanner /etc/sshbanner.bak
cp -p /etc/issue /etc/issue.bak
cp -p /etc/issue.net /etc/issue.net.bak
cp -p /etc/sysctl.conf /etc/sysctl.conf.bak
cp -p /etc/modprobe.conf /etc/modprobe.conf.bak
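A small helper for the backup step, added here as an example and not part of the original script. Several paths in the list above (for instance /etc/syslog-ng/syslog-ng.conf and /etc/pure-ftpd/pure-ftpd.conf) come from SUSE and are usually absent on a CentOS host unless those packages are installed, so a plain cp just prints an error. The helper skips missing paths, refuses to overwrite an earlier backup (so the pre-hardening copy survives a second run), handles directories such as /etc/xinetd.d, and verifies the copy before reporting success. The function names and the `run` argument are my own.

```shell
#!/bin/sh
# Added example, not the original script: back up a config file or directory
# only if it exists, never overwrite an earlier backup, and verify the copy.

# backup_file PATH [SUFFIX]
# Copies PATH to PATH<SUFFIX> (default .bak) with cp -p so mode, owner and
# mtime survive. Returns 0 when a backup of PATH exists afterwards, 1 otherwise.
backup_file() {
    src="$1"
    dst="$1${2:-.bak}"
    if [ ! -e "$src" ]; then
        echo "skip: $src is not present on this host" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        # An earlier backup is the pre-hardening state; keep it untouched.
        echo "keep: $dst already exists" >&2
        return 0
    fi
    if [ -d "$src" ]; then
        cp -p -R "$src" "$dst" || return 1
    else
        cp -p "$src" "$dst" || return 1
    fi
    # Verify the copy before anything relies on it.
    diff -r -q "$src" "$dst" >/dev/null
}

# backup_all PATH...: back up every listed path; prints how many paths now
# have a valid backup (skipped paths are not counted).
backup_all() {
    n=0
    for f in "$@"; do
        backup_file "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone use (needs root to read /etc/shadow): sh backup.sh run
if [ "${1:-}" = "run" ]; then
    backup_all /etc/passwd /etc/shadow /etc/group /etc/login.defs \
        /etc/pam.d/login /etc/pam.d/sshd /etc/ssh/sshd_config /etc/xinetd.d \
        /etc/sysctl.conf /etc/securetty /etc/ftpusers /etc/inittab
fi
```

Because the backup is taken with the original's mode and owner, /etc/shadow.bak stays readable by root only; it is still worth confirming that after the permission step below, since a world-readable .bak copy of the shadow file would undo that step.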

Lock or delete unused accounts

passwd -l at

# Configure user password complexity

vi /etc/pam.d/passwd

Disable unnecessary services (to enable one again, use chkconfig servicename on). Note that many of the names below are SUSE init scripts (SuSEfirewall2_init, boot.apparmor, suseRegister, novell-zmd and so on) that do not exist on CentOS; chkconfig prints an error for each unknown service and the remaining commands still run.

chkconfig Makefile off
chkconfig SuSEfirewall2_init off
chkconfig SuSEfirewall2_setup off
chkconfig aaeventd off
chkconfig acpid off
chkconfig alsasound off
chkconfig apache2 off
chkconfig atd off
chkconfig autoyast off
chkconfig boot.apparmor off
chkconfig boot.evms off
chkconfig boot.multipath off
chkconfig boot.sched off
chkconfig boot.scsidev off
chkconfig chargen off
chkconfig chargen-udp off
chkconfig cups off
chkconfig cups-lpd off
chkconfig cupsrenice off
chkconfig cvs off
chkconfig daytime off
chkconfig daytime-udp off
chkconfig drbd off
chkconfig earlykbd off
chkconfig echo-udp off
chkconfig esound off
chkconfig evms off
chkconfig fam off
chkconfig gpm off
chkconfig gssd off
chkconfig heartbeat off
chkconfig idmapd off
chkconfig ipmi off
chkconfig ipvsadm off
chkconfig iscsitarget off
chkconfig joystick off
chkconfig ksysguardd off
chkconfig ldap off
chkconfig ldirectord off
chkconfig lm_sensors off
chkconfig mdadmd off
chkconfig microcode off
chkconfig multipathd off
chkconfig nfsserver off
chkconfig novell-zmd off
chkconfig nscd off
chkconfig open-iscsi off
chkconfig openct off
chkconfig owcimomd off
chkconfig pcscd off
chkconfig postfix off
chkconfig powerd off
chkconfig powersaved off
chkconfig pure-ftpd off
chkconfig rexec off
chkconfig rlogin off
chkconfig rpasswdd off
chkconfig rpmconfigcheck off
chkconfig rsh off
chkconfig rsync off
chkconfig rsyncd off
chkconfig sapinit off
chkconfig saslauthd off
chkconfig servers off
chkconfig services off
chkconfig skeleton.compat off
chkconfig slurpd off
chkconfig smartd off
chkconfig smbfs off
chkconfig smpppd off
chkconfig splash off
chkconfig splash_early off
chkconfig suseRegister off
chkconfig svcgssd off
chkconfig systat off
chkconfig time off
chkconfig time-udp off
chkconfig xendomains off
chkconfig xend off
chkconfig xfs off
chkconfig ypbind off
chkconfig telnet off
chkconfig nfs off
chkconfig nfsboot off
chkconfig ocfs2 off
chkconfig o2cb off
chkconfig winbind off
chkconfig klogin off
chkconfig kshell off
chkconfig swat off
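Since the list mixes CentOS and SUSE service names, a cleaner approach is to disable only the services that actually have an init script on the host. The following is an added example, not part of the original script; the INIT_DIR and CHKCONFIG variables are my own, there so the logic can be dry-run (CHKCONFIG=echo) or tested against a scratch directory. Keep in mind that chkconfig off only removes the service from the boot runlevels; a service that is running now keeps running until it is stopped with service NAME stop.

```shell
#!/bin/sh
# Added example, not from the original page: disable only the services that
# exist on this host. INIT_DIR and CHKCONFIG are assumptions for testing and
# dry runs; on a real CentOS 6 host the defaults apply.
INIT_DIR="${INIT_DIR:-/etc/init.d}"
CHKCONFIG="${CHKCONFIG:-chkconfig}"

# present_services NAME...: print the names that have an init script here
present_services() {
    for s in "$@"; do
        [ -x "$INIT_DIR/$s" ] && echo "$s"
    done
    return 0
}

# disable_services NAME...: run "chkconfig NAME off" for each present
# service; prints the number of services disabled (last line of output).
disable_services() {
    n=0
    for s in $(present_services "$@"); do
        $CHKCONFIG "$s" off || continue
        n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone use (root): sh disable.sh run
if [ "${1:-}" = "run" ]; then
    disable_services cups cups-lpd rsync telnet rsh rlogin rexec \
        ypbind nfs winbind swat postfix atd gpm smartd
fi
```

Running with CHKCONFIG=echo first shows exactly which services would be touched, which is the safest way to review the list on a host whose role you do not fully know.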

# Restrict access permissions on critical files and directories

chmod -R go-w /etc
chmod 644 /etc/passwd
chmod 644 /etc/group
chmod 755 /etc/security
chmod 400 /etc/shadow
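Permissions set once by a script drift back: package updates and config tools rewrite files with their own modes. An audit function that compares the actual mode against the baseline above turns this step into something you can re-run from cron. This is an added example, not code from the original post; it assumes GNU stat (the -c %a format), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original script): enforce the permission
# baseline idempotently and audit it afterwards. Assumes GNU stat (-c %a).

# mode_of PATH: print the octal mode, e.g. 644 (or 2755 with setgid)
mode_of() { stat -c '%a' "$1"; }

# check_mode PATH EXPECTED: 0 if PATH has exactly EXPECTED mode, else 1
check_mode() {
    actual=$(mode_of "$1") || return 1
    if [ "$actual" != "$2" ]; then
        echo "MISMATCH $1 expected $2 actual $actual" >&2
        return 1
    fi
    return 0
}

# enforce_mode PATH EXPECTED: chmod only when the mode differs, so an
# unchanged file keeps its ctime and does not show up in integrity reports.
enforce_mode() {
    check_mode "$1" "$2" 2>/dev/null && return 0
    chmod "$2" "$1" && check_mode "$1" "$2"
}

# audit_baseline ROOT: check the page's baseline below ROOT ("/" on a live
# host); prints the number of deviations and returns 0 only if there are none.
audit_baseline() {
    root="${1%/}"
    bad=0
    for spec in etc/passwd:644 etc/group:644 etc/security:755 etc/shadow:400; do
        path="$root/${spec%%:*}"
        want="${spec##*:}"
        [ -e "$path" ] || continue
        check_mode "$path" "$want" || bad=$((bad + 1))
    done
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Stand-alone use (root): sh perms.sh run
if [ "${1:-}" = "run" ]; then
    enforce_mode /etc/passwd 644
    enforce_mode /etc/group 644
    enforce_mode /etc/security 755
    enforce_mode /etc/shadow 400
    audit_baseline /
fi
```

The recursive chmod -R go-w /etc in the original is much broader than the four explicit entries; the audit only covers the explicit baseline, which is the part you can state precisely and therefore check.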

# Restrict remote root login

vi /etc/pam.d/login

/* Make sure the following line exists and is not commented out: */

vi /etc/securetty

/* Comment out the following entries: pts/1, pts/2, ..., pts/n */
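Commenting out the pts/N lines by hand is error-prone on a file with many entries, so here is a scripted version, added as an example and not part of the original post. It comments out every line that is exactly pts/<number>, leaves console and tty entries alone, writes back into the existing file (so its mode and owner are preserved), and provides an audit check that reports whether root could still log in on a pseudo-terminal. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: comment out pts/N entries in a
# securetty-style file so pam_securetty only allows root on physical consoles.

# disable_pts_in FILE: comment out lines that are exactly pts/<number>;
# lines that are already commented are untouched. Prints how many changed.
disable_pts_in() {
    file="$1"
    tmp="$file.tmp.$$"
    before=$(grep -c '^pts/[0-9][0-9]*$' "$file" || true)
    sed 's|^\(pts/[0-9][0-9]*\)$|#\1|' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # write into the existing inode so mode and owner stay as they were
    cat "$tmp" > "$file" && rm -f "$tmp"
    echo "$before"
}

# root_pts_allowed FILE: 0 if an active pts/N entry remains (root may still
# log in on a pseudo-terminal), 1 otherwise. Handy as a recurring check.
root_pts_allowed() {
    grep -q '^pts/[0-9][0-9]*$' "$1"
}

# Stand-alone use (root): sh securetty.sh run
if [ "${1:-}" = "run" ]; then
    changed=$(disable_pts_in /etc/securetty)
    echo "commented out $changed pts entries"
    root_pts_allowed /etc/securetty && echo "WARNING: pts entries still active" >&2
fi
```

This only has effect if /etc/pam.d/login actually loads pam_securetty, which is the line the step above tells you to verify; sshd does not consult securetty at all, so the sshd_config step is still needed.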

vi /etc/ssh/sshd_config

/* Change the corresponding line to the following. Note: search for the existing line first and then modify it, so that the setting actually in use is the one changed. */

Disable graphical login (not done on the two-node cluster). Because the Oracle database has not been installed yet, this step is skipped for now.

/etc/init.d/xdm stop

# Restrict FTP login for certain users

vi /etc/ftpusers

Add the following:

adabas
amanda
anonymous
at
bin
cyrus
daemon
db2as
db2fenc1
db2inst1
db4web
dbmaker
dhcpd
dpbox
empress
fax
firewall
fnet
ftp
games
gdm
gnats
hacluster
haldaemon
informix
ingres
irc
ixess
lnx
lp
mail
mailman
man
mdom
messagebus
mysql
named
news
nobody
nps
ntp
oracle
perforce
pop
postfix
postgres
root
sapdb
skyrix
squid
sshd
sshusr
suse-ncc
uucp
virtuoso
vscan
wnn
wwwrun
yard
zope

# FTP: disable anonymous login, and do not restrict users to only their home directories (vsftpd)

vi /etc/vsftpd/vsftpd.conf

# Disable Ctrl+Alt+Del

vi /etc/inittab

# Record user login information

vi /etc/login.defs

# Set a warning banner shown after successful login

cd /etc

# Disable ICMP redirects (not done on the two-node cluster)

vi /etc/sysctl.conf

net.ipv4.conf.default.secure_redirects=1
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
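Both the sshd_config step above ("search for the existing line first, then modify it") and this sysctl step have the same failure mode: appending a new line leaves the old one in place, and which one wins then depends on the program (sshd honours the first match, sysctl the last). The helper below, an added example that is not part of the original script, replaces any existing line for the key, commented-out or not, with a single active line and appends only when the key is absent, so the file ends up with exactly one definition. It writes into the existing file so sshd_config keeps its root-only mode. Function names and the `run` argument are my own; PermitRootLogin is a standard sshd_config directive.

```shell
#!/bin/sh
# Added example, not from the original page: set "KEY VALUE" (sshd_config
# style) or "KEY = VALUE" (sysctl.conf style) in place, replacing any
# existing definition of KEY rather than appending a duplicate.

# set_option FILE KEY VALUE [SEP]   (SEP defaults to a single space)
set_option() {
    file="$1"; key="$2"; val="$3"; sep="${4:- }"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v line="$key$sep$val" '
        {
            rest = $0
            sub(/^[ \t]*#?[ \t]*/, "", rest)          # strip indent and "#"
            if (substr(rest, 1, length(key)) == key) {
                c = substr(rest, length(key) + 1, 1)   # char after the key
                if (c == "" || c == " " || c == "\t" || c == "=") {
                    if (!done) { print line; done = 1 }
                    next                               # drop extra copies
                }
            }
            print
        }
        END { if (!done) print line }                  # key was absent
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"    # keep the file mode and owner
}

# get_option FILE KEY: print the first active value of KEY ("" if unset)
get_option() {
    awk -v key="$2" '
        {
            rest = $0
            sub(/^[ \t]*/, "", rest)
            if (substr(rest, 1, 1) == "#") next
            if (substr(rest, 1, length(key)) == key) {
                v = substr(rest, length(key) + 1)
                if (v == "" || v ~ /^[ \t=]/) {
                    sub(/^[ \t=]+/, "", v); sub(/[ \t]+$/, "", v)
                    print v; exit
                }
            }
        }
    ' "$1"
}

# apply_page_sysctl FILE: write the settings listed above into FILE
apply_page_sysctl() {
    for kv in net.ipv4.conf.default.secure_redirects=1 \
              net.ipv4.conf.all.secure_redirects=1 \
              net.ipv4.conf.default.send_redirects=0 \
              net.ipv4.conf.all.send_redirects=0 \
              net.ipv4.conf.default.accept_redirects=0 \
              net.ipv4.conf.all.accept_redirects=0 \
              net.ipv4.ip_forward=0 \
              net.ipv4.conf.all.accept_source_route=0 \
              net.ipv4.conf.default.accept_source_route=0; do
        set_option "$1" "${kv%%=*}" "${kv#*=}" " = " || return 1
    done
}

# Stand-alone use (root): sh setopt.sh run
if [ "${1:-}" = "run" ]; then
    set_option /etc/ssh/sshd_config PermitRootLogin no && sshd -t && service sshd reload
    apply_page_sysctl /etc/sysctl.conf && sysctl -p
fi
```

sshd -t validates the file before the reload so a typo cannot lock you out of a remote host, and sshd -T prints the effective configuration, which is the direct answer to the page's worry about editing a file that is not the one in use. Note that with accept_redirects=0 the secure_redirects=1 lines are harmless but redundant, since no redirects are accepted at all.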

# Disable IPv6: to be continued.
