新しいバージョンのCentOS/RedHat(バージョン7以降)がリリースされた場合などに使用するスクリプトです。
SELinuxとfirewalldを無効化し、Sambaで「/」全体を書き込み可能な共有として公開するなど、基本的にセキュリティはゆるゆるなので、状況に応じて設定を変更してください。
やっていることはざっと以下の通りです。
- rootで実行しているかチェック
- umaskを0022に設定
- 変更を行うファイルのバックアップをコピーするためのディレクトリ作成
- SELinux無効化
- perlのインストール
- gccのインストール (コメントアウトしてます)
- gdbのインストール (コメントアウトしてます)
- Sambaサーバーのインストール (IPフィルタは127.と192.168.1.になってます)
- firewalldの無効化
- wgetのインストール
- SSHでrootログイン不可化 (コメントアウトしてます)
- umaskを元に戻す
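#!/bin/bash
#
# Initial setup for a freshly installed CentOS / Red Hat (7 or later) host.
#
# Steps, in order: root check, umask 0022, backup directory, SELinux off,
# perl, (gcc / gdb: commented out), Samba server, firewalld off, wget,
# (SSH root login off: commented out), umask restore.
#
# The script uses bash features (EUID, local, [[ ]]), hence the bash shebang.
#
# NOTE(review): the active steps turn off SELinux and firewalld and export "/"
# read-write over SMB. After a run, the Samba "hosts allow" list and the Samba
# root password are the only controls in front of that share. Tighten the
# sections marked NOTE(review) when the host needs a stricter baseline.

set -u

BK_DIR=~/init_backup
readonly BK_DIR

#######################################
# Copy a file to the first free "<dstfile>.<n>" slot (n = 0..100000).
# Arguments: $1 - file to back up
#            $2 - backup path prefix (the numeric suffix is appended)
# Outputs:   progress on stdout, errors on stderr
# Returns:   0 when the copy was made, 1 when cp failed or no slot is free
#######################################
file_backup() {
  local srcfile=$1
  local dstfile=$2
  local i

  for ((i = 0; i <= 100000; i++)); do
    [[ -e "${dstfile}.${i}" ]] && continue
    if cp -p -- "${srcfile}" "${dstfile}.${i}"; then
      echo "[Info ] Copying file succeeded(${dstfile}.${i})."
      return 0
    fi
    # A failed copy will not succeed under the next suffix either, so stop
    # here instead of retrying every remaining slot.
    echo "[Error] Copying file failed(${dstfile}.${i})." >&2
    return 1
  done

  echo "[Error] No free backup slot for ${dstfile}." >&2
  return 1
}

#######################################
# Install an RPM package with yum unless rpm already reports it installed.
# Arguments: $1 - package name
#######################################
install_if_missing() {
  local pkg=$1

  if ! rpm -q "${pkg}"; then
    yum -y install "${pkg}"
    sleep 1
  fi
}

# --------------------------------------------------------------------
# Check Superuser
if [[ "${EUID:-${UID}}" != 0 ]]; then
  echo "[Error] You must run this script with Superuser." >&2
  exit 1
fi

# --------------------------------------------------------------------
# Set umask
OLD_MASK=$(umask)
umask 0022

# --------------------------------------------------------------------
# Create backup
echo "################## Create backup directory ##################"

if [[ ! -e "${BK_DIR}" ]]; then
  mkdir -p "${BK_DIR}"
  chmod 0755 "${BK_DIR}"
  echo "[Info ] backup dir(${BK_DIR}) has created."
else
  echo "[Info ] backup dir(${BK_DIR}) has been already created. Skipped."
fi

echo ""

# --------------------------------------------------------------------
# Disable SELinux
# NOTE(review): SELINUX=disabled applies from the next boot; setenforce 0 only
# puts the running system into permissive mode. If the goal is just to stop
# enforcement, SELINUX=permissive keeps denials logged for later policy work.
echo "################## Disable SELinux ##################"

if grep -q '^SELINUX=disabled' /etc/selinux/config; then
  echo "[Info ] Disable SELinux has already done. Skipped."
else
  mkdir -p "${BK_DIR}/etc/selinux"
  if file_backup /etc/selinux/config "${BK_DIR}/etc/selinux/config"; then
    # Match any current value (enforcing or permissive), only on the active
    # SELINUX= line; SELINUXTYPE= and comment lines are left alone.
    sed -i -e 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

    # Disable current shell SELinux either.
    setenforce 0

    echo "[Info ] Disable SELinux has done."
  else
    echo "[Error] Backup failed; /etc/selinux/config was left unchanged." >&2
  fi
fi

echo ""

# --------------------------------------------------------------------
# Install perl
echo "################## Install perl ##################"

install_if_missing perl

# --------------------------------------------------------------------
# Install gcc
#echo "################## Install gcc ##################"
#
#install_if_missing gcc

# --------------------------------------------------------------------
# Install gdb
#echo "################## Install gdb ##################"
#
#install_if_missing gdb

# --------------------------------------------------------------------
# Install & Setup Samba Server
# NOTE(review): [shareall] exports "/" read-write and pdbedit registers root as
# the Samba user, so a client inside "hosts allow" that holds the Samba root
# password can read and modify every file on the host. When hardening, point
# "path" at a dedicated directory and register an unprivileged Samba account.
# "public" is a synonym for "guest ok".
# NOTE(review): "socket options" is a [global] parameter; under [shareall] it
# is likely ignored - confirm with testparm.
echo "################## Install & Setup Samba Server ##################"

# Ask rpm whether the package is installed. The text of "systemctl status" for
# an unknown unit differs between systemd versions, so it is not a reliable
# installed / not-installed signal.
if rpm -q samba > /dev/null 2>&1; then
  echo "[Info] Install & Setup Samba Server has already done. Skipped."
elif ! yum -y install samba; then
  echo "[Error] Installing samba failed. Samba setup skipped." >&2
else
  sleep 1

  # Backup original smb.conf
  mkdir -p "${BK_DIR}/etc/samba"
  if ! file_backup /etc/samba/smb.conf "${BK_DIR}/etc/samba/smb.conf"; then
    echo "[Error] Backup failed; /etc/samba/smb.conf was left unchanged." >&2
  else
    # Replace smb.conf in one write. ("display charset = UTF-8" was disabled
    # in the original script and is still left out.)
    cat > /etc/samba/smb.conf << 'EOF'
[global]
encrypt passwords = yes

dos charset = CP932
unix charset = UTF-8

workgroup = WORKGROUP
hosts allow = 127. 192.168.1.
server string = Samba Server Version %v

security = user
passdb backend = tdbsam

log file = /var/log/samba/log.%m
max log size = 50

[shareall]
path = /
writable = yes
printable = no
public = yes
create mode = 755
directory mode = 755
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384

EOF

    echo "[Info ] Create Samba user."
    # Prompts interactively for the Samba password of root.
    pdbedit -a -u root

    # Start samba service.
    systemctl start smb
    systemctl start nmb

    # Enable to boot samba service automatically.
    systemctl enable smb
    systemctl enable nmb

    # These rules only matter if the "Disable firewalld" step below is removed.
    firewall-cmd --add-service=samba
    firewall-cmd --add-service=samba --permanent

    echo "[Info] Install & Setup Samba Server has done."
  fi
fi

echo ""

# --------------------------------------------------------------------
# Disable firewalld
# NOTE(review): with firewalld stopped the host has no packet filter; every
# listening service, including smb/nmb, is reachable from any network that can
# route to it, and Samba's own "hosts allow" is the only filter on the share.
echo "################## Disable firewalld ##################"

if systemctl is-enabled firewalld 2> /dev/null | grep -q '^enabled'; then
  # firewalld is now running.
  systemctl stop firewalld
  systemctl disable firewalld

  echo "[Info] Disable firewalld has done."
else
  echo "[Info] Disable firewalld has already done. Skipped."
fi

echo ""

# --------------------------------------------------------------------
# Install wget
echo "################## Install wget ##################"

# rpm -q matches the exact package name; grepping "yum list installed" would
# also match any other package whose name contains "wget".
install_if_missing wget

echo ""

# --------------------------------------------------------------------
# Disable SSH root Login
# NOTE(review): the sed below only rewrites a commented-out "#PermitRootLogin"
# line; an active "PermitRootLogin yes" line would stay as it is while the
# message still reports success. Running "sshd -t" before the restart catches
# a broken config before the service is bounced.
#echo "################## Disable SSH root Login ##################"
#cat /etc/ssh/sshd_config | grep -x "PermitRootLogin no"
#if [ $? -ne 0 ]
#then
#  mkdir -p ${BK_DIR}/etc/ssh
#  file_backup /etc/ssh/sshd_config ${BK_DIR}/etc/ssh/sshd_config
#
#  cat /etc/ssh/sshd_config | grep -x "#PermitRootLogin .*"
#  if [ $? -eq 0 ]
#  then
#    sed -i -e "s/#PermitRootLogin .*/PermitRootLogin no/g" /etc/ssh/sshd_config
#  fi
#
#  echo "[Info ] Disable SSH root Login has done. SSH service will be restarted..."
#
#  systemctl restart sshd
#else
#  echo "[Info ] Disable SSH root Login has already done. Skipped."
#fi

echo ""

# --------------------------------------------------------------------
# Set umask back
umask "${OLD_MASK}"

echo ""
echo "[Info] All processes has done."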