#!/bin/bash
#判断是否是root用户
if [ "$USER" != "root" ]; then echo "不是root用户,无法进行安装操作" exit 1 fi
#关闭防火墙
systemctl stop firewalld && systemctl disable firewalld && echo "防火墙已经关闭" sed -i 's/SELINUX=*/SELINUX=disabled/g' /etc/selinux/config && setenforce 0 && echo "关闭selinux"
#安装bind服务
yum install bind bind-utils -y
#测试是否安装成功
if [ $? -eq 0 ]; then echo "bind安装成功" else echo "bind安装失败,即将退出" exit 0 fi
#!/bin/bash
#提示用户输入信息
read -p "请输入主服务器的 IP 地址: " MASTER_IP read -p "请输入从服务器的 IP 地址: " SLAVE_IP read -p "请输入域名: " DOMAIN
#提取 IP 地址的网络段
NETWORK=$(echo $MASTER_IP | cut -d '.' -f 1-3) REVERSE_NETWORK=$(echo $NETWORK | awk -F. '{print $3"."$2"."$1}')
#配置主服务器的 named.conf
cat << EOF > /etc/named.conf options { listen-on port 53 { 127.0.0.1; $MASTER_IP; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; allow-query { any; }; recursion yes; dnssec-enable yes; dnssec-validation yes; bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "$DOMAIN" IN { type master; file "$DOMAIN.zone"; allow-transfer { $SLAVE_IP; }; }; zone "$REVERSE_NETWORK.in-addr.arpa" IN { type master; file "$REVERSE_NETWORK.rev"; allow-transfer { $SLAVE_IP; }; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; EOF
#创建正向区域文件
cat << EOF > /var/named/$DOMAIN.zone $TTL 86400 @ IN SOA ns1.$DOMAIN. admin.$DOMAIN. ( $(date +%Y%m%d01) ; Serial 3600 ; Refresh 1800 ; Retry 604800 ; Expire 86400 ) ; Minimum IN NS ns1.$DOMAIN. ns1 IN A $MASTER_IP www IN A $MASTER_IP EOF
#创建反向区域文件
MASTER_LAST_OCTET=$(echo $MASTER_IP | cut -d '.' -f 4) cat << EOF > /var/named/$REVERSE_NETWORK.rev $TTL 86400 @ IN SOA ns1.$DOMAIN. admin.$DOMAIN. ( $(date +%Y%m%d01) ; Serial 3600 ; Refresh 1800 ; Retry 604800 ; Expire 86400 ) ; Minimum IN NS ns1.$DOMAIN. $MASTER_LAST_OCTET IN PTR ns1.$DOMAIN. EOF
#修改文件权限
chown named:named /var/named/$DOMAIN.zone chown named:named /var/named/$REVERSE_NETWORK.rev
#启动并设置开机自启
systemctl start named systemctl enable named
echo "主服务器配置完成!"下图为结果图DNS测试情况:
#!/bin/bash
vsftpd虚拟用户安装配置脚本
功能:1.配置虚拟用户FTP 2.设置定时备份 3.管理用户权限
#全局变量定义
VUSER_HOME="/data/ftp"
VUSER_CONF_DIR="/etc/vsftpd/vsftpd_user_conf"
VUSER_DB="/etc/vsftpd/vsftpd_login.db"
VUSER_LIST="/etc/vsftpd/vusers.list"
SYSTEM_USER="vuser"
BACKUP_DIR="/var/ftp/pub" # 新增备份目录
DATA_DIR="/data/ftp" # 业务数据目录
CRON_LOG="/var/log/ftp_backup.log" # 备份日志
#函数定义
log_info() { echo -e "\033[34m[INFO] $1\033[0m"; }
log_error() { echo -e "\033[31m[ERROR] $1\033[0m"; }
check_command() { command -v $1 >/dev/null || { log_error "$1未安装,安装失败!"; exit 1; } }
#环境检查
log_info "开始环境检查..."
check_command yum
check_command db_load
mkdir -p $BACKUP_DIR $DATA_DIR # 创建业务目录和备份目录
#安装依赖包(优化镜像源配置)
log_info "配置阿里云镜像源..."
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all >/dev/null
yum makecache fast >/dev/null
log_info "开始安装vsftpd及依赖..."
yum install -y vsftpd libdb-utils lftp cronie >/dev/null
if [ $? -ne 0 ]; then
log_error "yum安装失败,请检查网络连接或系统状态!"
exit 1
fi
#关闭防火墙和SELinux(优化配置)
log_info "关闭防火墙..."
systemctl stop firewalld >/dev/null
systemctl disable firewalld >/dev/null
log_info "配置SELinux..."
setenforce 0 >/dev/null
if ! grep -q "^SELINUX=disabled" /etc/selinux/config; then
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
fi
#创建虚拟用户(新增业务用户)
log_info "创建虚拟用户列表..."
cat > "$VUSER_LIST" <<EOF
employeeA
employeeA@123
outsourceB
outsourceB@456
backupuser
Backup@789
oppic
oppic_2025
EOF
#生成虚拟用户数据库
log_info "生成认证数据库..."
db_load -T -t hash -f "$VUSER_LIST" "$VUSER_DB" >/dev/null
if [ $? -ne 0 ]; then
log_error "数据库生成失败,请检查$VUSER_LIST格式!"
exit 1
fi
chmod 600 "$VUSER_DB"
#配置PAM认证
log_info "配置PAM认证..."
mv /etc/pam.d/vsftpd{,.bak} >/dev/null 2>&1
cat > /etc/pam.d/vsftpd <<EOF
#%PAM-1.0
auth required pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required pam_userdb.so db=/etc/vsftpd/vsftpd_login
EOF
#创建系统映射用户
log_info "创建虚拟用户主目录..."
mkdir -p "$VUSER_HOME"/{employeeA,outsourceB,oppic} $DATA_DIR $BACKUP_DIR
chmod 755 "$VUSER_HOME"
chown -R "$SYSTEM_USER":"$SYSTEM_USER" "$VUSER_HOME"
log_info "创建系统映射用户..."
if ! id "$SYSTEM_USER" &>/dev/null; then
useradd -d "$VUSER_HOME" -s /sbin/nologin "$SYSTEM_USER" >/dev/null 2>&1 || {
log_error "用户$SYSTEM_USER创建失败,请检查权限!"
exit 1
}
fi
#配置vsftpd主文件
log_info "配置vsftpd主文件..."
cat > /etc/vsftpd/vsftpd.conf <<EOF
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=$SYSTEM_USER
allow_writeable_chroot=YES
chroot_local_user=YES
user_config_dir=$VUSER_CONF_DIR
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=30999
EOF
#配置用户独立权限(新增权限管理)
log_info "创建用户独立配置..."
mkdir -p "$VUSER_CONF_DIR"
#员工A配置(可上传下载)
cat > "$VUSER_CONF_DIR/employeeA" <<EOF
local_root=$DATA_DIR
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
download_enable=YES
file_open_mode=0666
EOF
#外包B配置(仅上传)
cat > "$VUSER_CONF_DIR/outsourceB" <<EOF
local_root=$DATA_DIR
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
download_enable=NO
cmds_deny=RETR
EOF
#备份用户配置(只读)
cat > "$VUSER_CONF_DIR/backupuser" <<EOF
local_root=$BACKUP_DIR
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
download_enable=NO
EOF
#配置定时备份(新增备份功能)
log_info "配置自动备份系统..."
cat > /usr/local/bin/ftp_backup.sh <<'EOF'
#!/bin/bash
#备份配置
BACKUP_SRC="/var/log"
FTP_SERVER="localhost"
BACKUP_USER="backupuser"
BACKUP_PASS="Backup@789"
BACKUP_DIR="/pub"
#生成备份文件名
BACKUP_FILE="logbackup_$(date +%Y%m%d_%H%M).tgz"
#执行备份
tar czf /tmp/${BACKUP_FILE} ${BACKUP_SRC}/*.log 2>/dev/null
if [ $? -ne 0 ]; then
echo "$(date) - 备份文件打包失败" >> /var/log/ftp_backup.log
exit 1
fi
#上传到FTP
lftp -u ${BACKUP_USER},${BACKUP_PASS} ${FTP_SERVER} <<END
cd ${BACKUP_DIR}
put /tmp/${BACKUP_FILE}
bye
END
if [ $? -eq 0 ]; then
echo "$(date) - 备份成功: ${BACKUP_FILE}" >> /var/log/ftp_backup.log
else
echo "$(date) - 备份上传失败" >> /var/log/ftp_backup.log
fi
#清理临时文件
rm -f /tmp/${BACKUP_FILE}
#保留最近7天备份
find ${BACKUP_DIR} -name "logbackup_*.tgz" -mtime +7 -delete
EOF
chmod +x /usr/local/bin/ftp_backup.sh
echo "0 1 * * * root /usr/local/bin/ftp_backup.sh" > /etc/cron.d/ftp_backup
#启动服务
log_info "启动vsftpd服务..."
systemctl restart vsftpd >/dev/null 2>&1
if [ $? -ne 0 ]; then
log_error "服务启动失败,请检查配置文件!"
exit 1
fi
systemctl enable vsftpd >/dev/null
#验证测试
log_info "开始验证测试..."
FTP_SERVER_IP=$(hostname -I | awk '{print $1}')
#测试员工A权限
log_info "测试员工A权限..."
lftp -u employeeA,employeeA@123 ${FTP_SERVER_IP} <<END
cd /data/ftp
put /etc/hostname
get hostname /tmp/
ls
bye
END
#测试外包B权限
log_info "测试外包B权限..."
lftp -u outsourceB,outsourceB@456 ${FTP_SERVER_IP} <<END 2>&1 | grep "Access denied"
cd /data/ftp
get hostname
bye
END
#测试备份功能
log_info "执行首次备份测试..."
/usr/local/bin/ftp_backup.sh
if [ -f "${BACKUP_DIR}/logbackup_$(date +%Y%m%d)*.tgz" ]; then
log_info "备份验证成功"
else
log_error "备份文件未生成,请检查配置!"
fi
log_info "
=== 部署完成报告 ===
FTP服务地址: ftp://${FTP_SERVER_IP}
数据存储目录: ${DATA_DIR}
备份存储目录: ${BACKUP_DIR}
用户权限说明:
1. 员工A (employeeA/employeeA@123)
- 可上传下载文件
- 访问路径: /data/ftp
2. 外包B (outsourceB/outsourceB@456)
- 仅可上传文件
- 禁止下载操作
3. 备份用户 (backupuser/Backup@789)
- 仅限系统自动使用
定时备份配置:
执行时间: 每天凌晨1点
备份日志: /var/log/ftp_backup.log
保留策略: 保留最近7天备份
"
#!/bin/bash
#Samba本地用户认证共享配置脚本
#使用系统本地用户+组认证
#保持DNS服务器配置
#定义变量
DOMAIN="daoyeniubi.com" # 保持域名配置
DNS_SERVER="192.168.135.160" # 替换为实际DNS服务器IP
SHARE_GROUPS=("manager" "market" "admin") # 需要创建的组
SHARE_USERS=( # 用户配置数组
"john:manager"
"mike:market"
"admin:admin"
)
#安装必要软件包
yum install -y samba samba-client policycoreutils-python-utils
#配置DNS指向
cat > /etc/resolv.conf << EOF
search $DOMAIN
nameserver $DNS_SERVER
EOF
#配置Samba主文件
cat > /etc/samba/smb.conf << EOF
[global]
workgroup = WORKGROUP
security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[shared]
path = /data/share
valid users = @users
writable = yes
browseable = yes
create mask = 0664
directory mask = 0775
[manager]
path = /data/manager
valid users = @manager, @admin
writable = yes
browseable = yes
create mask = 0664
directory mask = 0775
force group = manager
[market]
path = /data/market
valid users = @market, @admin
writable = yes
browseable = yes
create mask = 0664
directory mask = 0775
force group = market
EOF
#创建系统用户和组
for group in "${SHARE_GROUPS[@]}"; do
groupadd -f $group
done
for user_info in "${SHARE_USERS[@]}"; do
IFS=':' read -ra user_data <<< "$user_info"
user=${user_data[0]}
group=${user_data[1]}
useradd -M -s /sbin/nologin -G $group $user
echo "为 $user 设置SMB密码:"
smbpasswd -a $user
done
#创建共享目录并设置权限
mkdir -p /data/{share,manager,market}
chmod 2775 /data/share /data/manager /data/market
chown :manager /data/manager
chown :market /data/market
chown :users /data/share
#配置SELinux
setsebool -P samba_export_all_rw=1
semanage fcontext -a -t samba_share_t "/data/share(/.*)?"
semanage fcontext -a -t samba_share_t "/data/manager(/.*)?"
semanage fcontext -a -t samba_share_t "/data/market(/.*)?"
restorecon -Rv /data
#防火墙配置
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload
#重启服务
systemctl restart smb
systemctl enable smb
#验证命令提示
echo "配置完成!验证步骤:"
echo "1. 检查共享列表: smbclient -L localhost -U%"
echo "2. 访问共享示例:"
echo " - 经理共享: smbclient //$(hostname)/manager -U john"
echo " - 市场共享: smbclient //$(hostname)/market -U mike"
echo " - 管理员测试: smbclient //$(hostname)/manager -U admin"限制smb服务器磁盘规划,规划文件文件挂载及存放
#!/bin/bash
# Samba共享自动配置与验证脚本
# 服务端配置部分
SERVER_IP=$(hostname -I | awk '{print $1}')
DOMAIN="samba.abc.com"
SHARE_USER_PASS="123456" # 设置统一密码,生产环境建议使用更安全的方式
# 创建共享目录结构
mkdir -p /data/{manager,market}
echo "samba test." > /data/manager/sa.txt
cp /var/log/secure /data/market/
# 设置权限
chmod 2775 /data/{manager,market}
chown :manager /data/manager
chown :market /data/market
restorecon -Rv /data
# 创建系统用户和组
declare -A USER_GROUPS=(
["john"]="manager"
["mike"]="market"
["admin"]="admin"
)
for user in "${!USER_GROUPS[@]}"; do
group=${USER_GROUPS[$user]}
groupadd -f $group
if ! id -u $user &>/dev/null; then
useradd -M -s /sbin/nologin -G $group $user
fi
(echo "$SHARE_USER_PASS"; echo "$SHARE_USER_PASS") | smbpasswd -a -s $user
done
# 配置SELinux
setsebool -P samba_export_all_rw=1
semanage fcontext -a -t samba_share_t "/data/manager(/.*)?"
semanage fcontext -a -t samba_share_t "/data/market(/.*)?"
restorecon -Rv /data
# 防火墙配置
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload
# 重启服务
systemctl restart smb
systemctl enable smb
# 客户端验证指令生成
cat <<EOF
==================== 客户端验证步骤 ====================
1. Windows客户端访问:
资源管理器地址栏输入:
\\\\$DOMAIN\\manager
使用凭证:
- john 用户:用户名 john 密码 $SHARE_USER_PASS
- admin 用户:用户名 admin 密码 $SHARE_USER_PASS
应能看到 sa.txt 文件
2. Linux客户端挂载:
# 安装依赖
sudo yum install -y cifs-utils
# 创建挂载点
sudo mkdir -p /opt/market
# 临时挂载测试
sudo mount -t cifs //$DOMAIN/market /opt/market \\
-o username=mike,password=$SHARE_USER_PASS,uid=\$(id -u),gid=\$(id -g)
# 查看文件
ls -l /opt/market/secure
# 持久化挂载(编辑/etc/fstab):
//$DOMAIN/market /opt/market cifs credentials=/etc/samba/cred,uid=\$(id -u),gid=\$(id -g) 0 0
创建凭据文件:
echo -e "username=mike\\npassword=$SHARE_USER_PASS" | sudo tee /etc/samba/cred
sudo chmod 600 /etc/samba/cred
3. 服务端状态检查:
smbstatus
testparm -s
EOFsamba脚本运行结果
服务器安全控制 加强系统账号安全 清理无用的账号,锁定长期不用的账号,锁定账号配置文件 设置用户密码的过期时间为90天 配置保持历史命令10条 配置闲置超时时间为600秒 加强系统引导和登录安全 为GRUB菜单设置密码,限制更改GRUB引导参数 禁止root用户从tty5、tty6登录
检测弱口令账号 使用John the Ripper检查所有服务器的弱口令 根据弱口令检测检测结果分别重设口令,提高口令复杂度
#!/bin/bash
# 服务器安全加固脚本 - 谨慎执行前请备份系统!
# 检查是否为root权限
if [ "$(id -u)" != "0" ]; then
echo "错误:必须使用root权限运行此脚本!" >&2
echo "请尝试 'sudo $0'"
exit 1
fi
# 记录日志
LOG_FILE="/var/log/security_harden.log"
exec > >(tee -a "$LOG_FILE") 2>&1
echo "安全加固开始时间: $(date)"
#----------------------- 第一部分:系统账号安全 -----------------------
echo ">>> 正在加强系统账号安全..."
# 1. 清理无用账号(示例:删除testuser,请根据实际情况修改)
UNUSED_ACCOUNTS="testuser guest demo" # 在此定义需删除的账户
for user in $UNUSED_ACCOUNTS; do
if id "$user" &>/dev/null; then
echo "正在删除账户:$user"
userdel -r "$user" 2>/dev/null || echo "删除失败:$user"
fi
done
# 2. 锁定长期未使用账号(示例:锁定olduser)
INACTIVE_ACCOUNTS="olduser" # 在此定义需锁定的账户
for user in $INACTIVE_ACCOUNTS; do
if id "$user" &>/dev/null; then
echo "正在锁定账户:$user"
passwd -l "$user"
fi
done
# 3. 锁定账户配置文件
echo "锁定系统账户配置文件..."
chattr +i /etc/passwd /etc/shadow /etc/group 2>/dev/null
# 4. 设置密码过期策略
echo "配置密码过期时间为90天..."
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 1/' /etc/login.defs
awk -F: '($2 != "!") {system("chage --maxdays 90 "$1)}' /etc/shadow
# 5. 历史命令保留10条
echo "export HISTSIZE=10" >> /etc/profile
echo "export HISTFILESIZE=10" >> /etc/profile
# 6. 闲置超时600秒
echo "export TMOUT=600" >> /etc/profile
source /etc/profile
#----------------------- 第二部分:引导和登录安全 -----------------------
echo ">>> 正在配置引导和登录安全..."
# 1. 设置GRUB密码
read -rp "是否为GRUB设置密码?(y/n, 默认n): " grub_choice
if [[ $grub_choice =~ [Yy] ]]; then
echo "请设置GRUB密码:"
grub-mkpasswd-pbkdf2 | tee /tmp/grub_hash.txt
grub_hash=$(awk -F': ' '/hash/{print $2}' /tmp/grub_hash.txt)
[ -n "$grub_hash" ] && {
cat << EOF > /etc/grub.d/40_custom
set superusers="admin"
password_pbkdf2 admin $grub_hash
EOF
update-grub 2>/dev/null || grub2-mkconfig -o /boot/grub2/grub.cfg
echo "GRUB密码已设置!"
}
fi
# 2. 禁止root登录tty5/tty6
sed -i '/^[^#].*tty5$/s/^/#/' /etc/securetty
sed -i '/^[^#].*tty6$/s/^/#/' /etc/securetty
#----------------------- 第三部分:弱口令检测与修复 -----------------------
echo ">>> 正在检测弱口令..."
# 1. 安装John the Ripper
if command -v apt &>/dev/null; then
apt install -y john
elif command -v yum &>/dev/null; then
yum install -y epel-release
yum install -y john
fi
# 2. 检测弱口令
unshadow /etc/passwd /etc/shadow > /tmp/passwd.db
echo "正在运行弱口令检测(可能需要时间)..."
john --format=crypt /tmp/passwd.db | tee /tmp/weak_passwords.txt
echo "检测结果已保存至:/tmp/weak_passwords.txt"
# 3. 密码复杂度配置
echo "配置密码复杂度策略..."
if [ -f /etc/security/pwquality.conf ]; then
sed -i 's/^# minlen =.*/minlen = 12/' /etc/security/pwquality.conf
sed -i 's/^# minclass =.*/minclass = 3/' /etc/security/pwquality.conf
fi
#----------------------- 第四部分:其他安全加固 -----------------------
echo ">>> 正在执行其他安全加固..."
# 1. SSH加固
echo "配置SSH安全策略..."
sshd_config="/etc/ssh/sshd_config"
cp $sshd_config $sshd_config.bak
sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/' $sshd_config
sed -i 's/^PasswordAuthentication.*/PasswordAuthentication no/' $sshd_config
systemctl restart sshd
# 2. 防火墙配置
if command -v ufw &>/dev/null; then
ufw enable
elif command -v firewall-cmd &>/dev/null; then
systemctl start firewalld
firewall-cmd --reload
fi
# 3. 系统更新
echo "正在更新系统..."
if command -v apt &>/dev/null; then
apt update && apt upgrade -y
elif command -v yum &>/dev/null; then
yum update -y
fi
#----------------------- 完成提示 -----------------------
echo "安全加固已完成!请执行以下操作验证:"
echo "1. 重启服务器检查GRUB密码是否生效"
echo "2. 检查/etc/securetty是否已禁用tty5/tty6"
echo "3. 检查弱口令检测结果并手动重置密码:/tmp/weak_passwords.txt"
echo "4. 测试SSH密钥登录是否正常"
echo "详细日志请查看:$LOG_FILE"
![[Effective C++]条款26:尽可能延后变量定义的出现时间](https://i-blog.csdnimg.cn/direct/84325a005f3649639e5c1a1d231846d5.png)
![[NCTF2019]True XML cookbook[XXE] [内网探测] [网络ip相关知识]](https://i-blog.csdnimg.cn/direct/d260349736014e65b80a2f69b6eb2bf4.png)