Hardening de Servidores Redhat
Boa noite pessoal, segue abaixo um script de hardening para servidores Red Hat; lógico que você pode adaptar para a distro do seu servidor, fique à vontade para modificar e alterar o mesmo. Queria agradecer também ao meu camarada from hell @alexandrosilva e @crashbrz, ambos do dclabs www.dclabs.com.br. Segue abaixo.
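#!/bin/bash
#
# _ _ _
# | | | | _ (_)
# ____| | _____ ____ __| |_____ ___ _| |_ _ ____ _____
# / ___) |(____ | _ \ / _ | ___ |/___|_ _) | _ \| ___ |
#( (___| |/ ___ | | | ( (_| | ____|___ | | |_| | | | | ____|
# \____)\_)_____|_| |_|\____|_____|___/ \__)_|_| |_|_____)
#
# Hardening script for Red Hat Enterprise Linux 5.3/5.4 (init/chkconfig era).
#
# Usage: run as root, no arguments. Each hardening step is a function invoked
# from main(), so a step can be disabled by commenting out one line. Steps that
# edit configuration files are idempotent: re-running the script does not
# append duplicate lines.
#
# Paths and tools (/etc/inittab, chkconfig, service, /etc/init.d/sshd, yum) are
# RHEL 5 specific; review them before using this on another distribution.
#
# Fixes relative to the first version of this script:
#   - the sshd directives were bare commands (never written to sshd_config);
#   - /home/USER was a literal placeholder;
#   - httpd.conf was looked for at a non-RHEL path;
#   - the setuid listing contained a malformed find(1) invocation;
#   - PASS_MAX_DAYS was set to 30 and then announced as 180; 30 was the value
#     that actually landed in login.defs and is kept here;
#   - the yum groupremove calls had no -y and would block waiting for input.

set -eu -o pipefail

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly LOGIN_DEFS=/etc/login.defs
readonly SYSCTL_CONF=/etc/sysctl.conf
readonly HTTPD_CONF=/etc/httpd/conf/httpd.conf
readonly BANNER_FILE=/root/banner
readonly ISSUE_NET=/etc/issue.net

# Password ageing policy written to login.defs (see set_password_policy).
readonly PASS_MIN_LEN=8
readonly PASS_MAX_DAYS=30
readonly PASS_MIN_DAYS=1

#######################################
# Logging helpers. Diagnostics go to stderr so that the review listings this
# script prints on stdout can be redirected on their own.
#######################################
log() { printf '%s\n' "$*"; }
warn() { printf 'warn: %s\n' "$*" >&2; }
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Append LINE to FILE unless an identical line is already present.
# Arguments: $1 - file, $2 - exact line
#######################################
append_once() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

#######################################
# Set "KEY<SEP>VALUE" in FILE: an existing, uncommented KEY line is rewritten
# in place, otherwise the setting is appended. Commented-out defaults
# (e.g. "#PermitRootLogin yes") are left alone; the appended line wins.
# Arguments: $1 - file, $2 - key, $3 - value, $4 - separator (default " ")
# KEY may contain letters, digits, '.', '_' only; VALUE must not contain
# '|', '&' or a newline (both are used unescaped in the sed expression).
#######################################
set_kv() {
  local file=$1 key=$2 value=$3 sep=${4:- }
  local key_re=${key//./\\.}
  if grep -Eq -- "^${key_re}[[:space:]=]" "$file"; then
    sed -i -e "s|^${key_re}[[:space:]=].*|${key}${sep}${value}|" "$file"
  else
    printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
  fi
}

#######################################
# 00x1: stop ctrl+alt+del from rebooting the machine.
# sed -i keeps the owner/mode of /etc/inittab; the earlier "sed > tmp && mv"
# recreated the file with whatever mode the temp file got from the umask.
#######################################
disable_ctrl_alt_del() {
  if [[ ! -f /etc/inittab ]]; then
    warn "/etc/inittab not found, skipping ctrl+alt+del step"
    return 0
  fi
  sed -i -e 's/^ca::ctrlaltdel/#ca::ctrlaltdel/' /etc/inittab
}

#######################################
# 00x2: write the warning banner. The file is also installed as
# /etc/issue.net and referenced from sshd_config (see harden_sshd) so that it
# is actually displayed before login; a file under /root alone is shown by
# nothing.
#######################################
install_banner() {
  cat > "$BANNER_FILE" << 'EOF'
#############################################################################################################################
TERMO DE RESPONSABILIDADE E COMPROMISSO SOBRE INFORMAÇÕES E USO DE RECURSOS COMPUTACIONAIS
#############################################################################################################################
-- adicione aqui sua mensagem de advertencia -- |
|----------------------------------------------------------------------------------------------------------------------------|
EOF
  cat "$BANNER_FILE"
  cp -f -- "$BANNER_FILE" "$ISSUE_NET"
  chmod 644 "$ISSUE_NET"
}

#######################################
# 00x4: SSH as the only administration channel. Directives are written to
# sshd_config, the result is validated with "sshd -t", and sshd is restarted
# only when the file parses, so a bad edit cannot lock out remote access.
# RhostsRSAAuthentication/Protocol are SSH-1 era options; newer OpenSSH warns
# about them but still starts.
#######################################
harden_sshd() {
  [[ -f "$SSHD_CONFIG" ]] || die "$SSHD_CONFIG not found"
  local opt
  for opt in \
      'PermitRootLogin no' \
      'Protocol 2' \
      'AllowTcpForwarding no' \
      'X11Forwarding no' \
      'StrictModes yes' \
      'IgnoreRhosts yes' \
      'HostbasedAuthentication no' \
      'RhostsRSAAuthentication no' \
      "Banner $ISSUE_NET"; do
    set_kv "$SSHD_CONFIG" "${opt%% *}" "${opt#* }"
  done
  /usr/sbin/sshd -t || die "$SSHD_CONFIG failed validation; sshd not restarted"
  /etc/init.d/sshd restart
}

#######################################
# 00x6 / 00x7 / 00x8: remove unneeded services (including xinetd and
# ip6tables) from every runlevel. Services that are not installed are
# skipped instead of aborting the run.
#######################################
disable_boot_services() {
  local svc
  for svc in apmd autofs avahi-daemon avahi-dnsconfd bluetooth conman cpuspeed \
      cups dund firstboot gpm haldaemon hidd ibmasm ip6tables irda irqbalance \
      kudzu mcstrans mdmonitor microcode_ctl netfs netplugd NetworkManager nfs \
      nfslock nscd oddjobd pand pcscd portmap rdisc restorecond rpcgssd \
      rpcidmapd rpcsvcgssd saslauthd smartd wpa_supplicant ypbind yum-updatesd \
      xinetd; do
    if chkconfig --list "$svc" >/dev/null 2>&1; then
      chkconfig --level 12345 "$svc" off
    fi
  done
  # If xinetd is kept, tighten its configuration instead:
  # chmod 700 /etc/xinetd.d
  # chmod 600 /etc/xinetd.conf
}

#######################################
# 00x9: disable zeroconf route (169.254.0.0/16).
#######################################
disable_zeroconf() {
  append_once /etc/sysconfig/network 'NOZEROCONF=yes'
}

#######################################
# 00x10: only members of wheel may run su. This is a file-mode restriction
# only; pam_wheel is not configured here.
#######################################
restrict_su() {
  chgrp wheel /bin/su
  chmod 4750 /bin/su
}

#######################################
# 00x11: make every home directory private to its owner. The first version
# used the literal path /home/USER.
#######################################
protect_home_dirs() {
  local home
  for home in /home/*/; do
    if [[ -d "$home" ]]; then
      chmod go-rwx -- "$home"
    fi
  done
}

#######################################
# 00x12: kernel network settings (no source routing/redirects, ignore
# broadcast pings and bogus ICMP errors, log martians), applied immediately.
#######################################
harden_kernel_network() {
  local setting
  for setting in \
      'net.ipv4.conf.all.accept_source_route 0' \
      'net.ipv4.conf.all.accept_redirects 0' \
      'net.ipv4.icmp_echo_ignore_broadcasts 1' \
      'net.ipv4.icmp_ignore_bogus_error_responses 1' \
      'net.ipv4.conf.all.log_martians 1'; do
    set_kv "$SYSCTL_CONF" "${setting% *}" "${setting#* }" ' = '
  done
  sysctl -p
}

#######################################
# 00x13: clear promiscuous mode on every interface (the first version only
# handled eth0).
#######################################
disable_promiscuous_mode() {
  local path ifc
  for path in /sys/class/net/*; do
    ifc=${path##*/}
    if [[ "$ifc" == lo || ! -d "$path" ]]; then
      continue
    fi
    /sbin/ifconfig "$ifc" -promisc 2>/dev/null || warn "could not clear promiscuous mode on $ifc"
  done
}

#######################################
# 00x14: review-only listing of user:uid:shell. Nothing is changed; accounts
# that must not log in should get /sbin/nologin or /bin/false by hand.
#######################################
report_login_shells() {
  awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd
}

#######################################
# 00x16: where root may log in. NOTE: this "+" rule is only meaningful when
# pam_access.so is in the PAM stack and a final deny rule such as
# "- : ALL : ALL" follows it; on its own it restricts nothing.
#######################################
restrict_root_terminals() {
  append_once /etc/security/access.conf '+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6'
}

#######################################
# Restrict read/write access to everything under /var/log.
# Daemons that write logs as an unprivileged user may lose access to their
# own log directory after this; review those on the target host.
#######################################
restrict_log_perms() {
  local entry
  for entry in /var/log/*; do
    if [[ -f "$entry" ]]; then
      chmod 600 -- "$entry"
    elif [[ -d "$entry" ]]; then
      chmod 700 -- "$entry"
    fi
  done
}

#######################################
# 00x17: do not reveal OS/version in Apache responses. RHEL keeps httpd.conf
# under /etc/httpd/conf; the first version appended to /etc/apache/httpd.conf,
# a path that only created a stray file. ServerTokens covers the Server
# header, ServerSignature the footer of generated pages.
#######################################
hide_httpd_version() {
  if [[ ! -f "$HTTPD_CONF" ]]; then
    log "httpd not installed, skipping ServerSignature/ServerTokens"
    return 0
  fi
  set_kv "$HTTPD_CONF" ServerSignature Off
  set_kv "$HTTPD_CONF" ServerTokens Prod
}

#######################################
# Optional: lock the password of system accounts. Accounts that do not exist
# on this host are skipped.
#######################################
lock_system_accounts() {
  local user
  for user in bin daemon adm lp mail news uucp operator games gopher rpm dbus \
      avahi mailnull smmsp nscd haldaemon ntp pcap; do
    if getent passwd "$user" >/dev/null 2>&1; then
      /usr/sbin/usermod -L "$user"
    fi
  done
}

#######################################
# Block USB mass storage. "blacklist" only prevents alias-based autoloading;
# an explicit "modprobe usb-storage" still works. Use
# "install usb-storage /bin/true" if that must be prevented too.
#######################################
disable_usb_storage() {
  echo "Disabling USB Mass Storage"
  printf 'blacklist usb-storage\n' > /etc/modprobe.d/blacklist-usbstorage
}

#######################################
# Review-only listing of setuid/setgid files (nothing is changed). /proc is
# pruned, which is what the malformed "find / -path -prune" line was after.
#######################################
list_setuid_files() {
  find / -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) -ls \
    || warn "setuid/setgid listing incomplete"
}

#######################################
# Make the C compilers root-only, when present.
#######################################
restrict_compilers() {
  local bin
  for bin in /usr/bin/gcc /usr/bin/cc; do
    if [[ -e "$bin" ]]; then
      chmod go-rwx -- "$bin"
    fi
  done
}

#######################################
# Stop services that are not needed right now (best effort: a service that
# is not installed or already stopped must not abort the run).
#######################################
stop_services() {
  local svc
  for svc in gpm apmd atd xinetd sendmail cups; do
    if [[ -x "/etc/init.d/$svc" ]]; then
      service "$svc" stop || warn "could not stop $svc"
    fi
  done
}

#######################################
# Password length and ageing in login.defs. These values apply to accounts
# created from now on; existing accounts need chage(1). With PAM in use,
# PASS_MIN_LEN is generally ignored in favour of pam_cracklib's minlen.
#######################################
set_password_policy() {
  set_kv "$LOGIN_DEFS" PASS_MIN_LEN "$PASS_MIN_LEN"
  set_kv "$LOGIN_DEFS" PASS_MAX_DAYS "$PASS_MAX_DAYS"
  set_kv "$LOGIN_DEFS" PASS_MIN_DAYS "$PASS_MIN_DAYS"
  echo "Passwords expire every ${PASS_MAX_DAYS} days"
  echo "Passwords may only be changed once a day"
}

#######################################
# Restrict one scheduler (cron or at) to root: root goes into the allow
# file (an empty allow file would lock everyone out), every other account
# into the deny file. Exact match on the user name; the earlier "grep -v root"
# also dropped any user whose name merely contained "root".
# Arguments: $1 - scheduler name ("cron" or "at")
#######################################
_lock_scheduler() {
  local name=$1
  local allow="/etc/${name}.allow" deny="/etc/${name}.deny"
  touch "$allow"
  chmod 600 "$allow"
  append_once "$allow" root
  awk -F: '$1 != "root" {print $1}' /etc/passwd > "$deny"
}

restrict_cron_and_at() {
  echo "Locking down Cron"
  _lock_scheduler cron
  echo "Locking down AT"
  _lock_scheduler at
}

#######################################
# Default umask 077 in the system-wide shell rc files.
#######################################
set_restrictive_umask() {
  local rc
  for rc in /etc/bashrc /etc/csh.cshrc; do
    if [[ -f "$rc" ]]; then
      sed -i -e 's/umask[[:space:]]\{1,\}0[0-9]2/umask 077/g' "$rc"
    fi
  done
}

#######################################
# Remove packages with a heading line. yum failures are reported but do not
# abort the remaining removals.
# Arguments: $1 - label for the message, $2.. - package names
#######################################
remove_pkgs() {
  local label=$1
  shift
  echo " "
  echo "Removendo $label"
  yum -y remove "$@" || warn "yum remove $* failed"
}

#######################################
# Remove network services that should not be on a hardened server.
# Removing krb5-workstation together with telnet also removes the Kerberos
# client tools (kinit etc.); drop it from the list if those are needed.
#######################################
remove_unneeded_packages() {
  remove_pkgs VNC vnc vnc-server
  if chkconfig --list smb >/dev/null 2>&1; then
    chkconfig smb off
  fi
  # The RHEL package is "samba"; "smb" is only the service name.
  remove_pkgs Samba samba
  remove_pkgs "TFTP Server" tftp-server
  remove_pkgs Telnet telnet telnet-server krb5-workstation
  remove_pkgs MINICOM minicom
  remove_pkgs RSH rsh rsh-server
  if chkconfig --list ypbind >/dev/null 2>&1; then
    chkconfig ypbind off
  fi
  remove_pkgs NIS ypserv
  if chkconfig --list dhcpd >/dev/null 2>&1; then
    chkconfig dhcpd off
  fi
  remove_pkgs "DHCP Server" dhcp
  echo " "
  echo "Desabilitando FTP Server"
  if chkconfig --list vsftpd >/dev/null 2>&1; then
    chkconfig vsftpd off
  fi
  # -y so that an unattended run does not block on the confirmation prompt.
  yum -y groupremove "X windows system" || warn "groupremove X windows system failed"
  yum -y groupremove "Gnome Desktop" || warn "groupremove Gnome Desktop failed"
}

#######################################
# Root may log in locally on tty1 only (enforced by pam_securetty for
# login(1); ssh is governed by PermitRootLogin above), and /root is private.
#######################################
restrict_root_login() {
  printf 'tty1\n' > /etc/securetty
  chmod 700 /root
}

#######################################
# TCP wrappers: allow sshd from anywhere, deny everything else.
# hosts.allow is consulted first, so it is written first; writing the deny
# rule first would leave a window with sshd blocked for new connections.
#######################################
configure_tcp_wrappers() {
  append_once /etc/hosts.allow 'sshd:ALL'
  append_once /etc/hosts.deny 'ALL:ALL'
}

main() {
  (( EUID == 0 )) || die "this script must run as root"
  echo " "
  echo "iniciando shell script de Hardening de Red Hat Enterprise 5.3/5.4"
  echo " "
  echo "Running new job at $(date +%m-%d-%Y-%H%M)"
  echo " "
  echo " "
  disable_ctrl_alt_del
  install_banner
  ### 00x3 security updates by patch criticality - uncomment if needed ###
  # yum update -y && yum upgrade -y
  harden_sshd
  ### 00x5 boot loader password - generate the hash by hand ###
  # grub-md5-crypt | tee senha
  disable_boot_services
  disable_zeroconf
  restrict_su
  protect_home_dirs
  harden_kernel_network
  disable_promiscuous_mode
  ### 00x14 syslog: make sure it runs and starts at boot ###
  # echo SYSLOGD_OPTIONS="-m 0 -r" >> /etc/sysconfig/syslog
  # /usr/bin/sudo /sbin/service syslog restart
  report_login_shells
  ### 00x15 NTP ###
  # yum install ntp
  # chkconfig ntpd on
  # crontab entries:
  # 1 * * * * /usr/sbin/ntpdate -s br.pool.ntp.org
  # */2 * * * * /usr/sbin/ntpdate -s br.pool.ntp.org
  restrict_root_terminals
  restrict_log_perms
  hide_httpd_version
  ### The steps below are optional; comment out the ones you do not need ###
  lock_system_accounts
  disable_usb_storage
  list_setuid_files
  restrict_compilers
  stop_services
  set_password_policy
  restrict_cron_and_at
  set_restrictive_umask
  remove_unneeded_packages
  restrict_root_login
  configure_tcp_wrappers
}

main "$@"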